Re: [Cfrg] Alternatives to McGrew's hash based signatures

David Leon Gil <coruus@gmail.com> Thu, 09 October 2014 17:51 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/Tm1JiSMRyms1zUVQNJek8Z0_xUk

On Thu, Oct 9, 2014 at 11:54 AM, Zooko Wilcox-OHearn
<zooko@leastauthority.com> wrote:
> To me, the idea that you have to guarantee that a state update (i.e. a
> previously unused sequence number or nonce) is durably written, or
> else you leak your private signing key to an attacker… that's a
> show-stopper. I disbelieve that any commodity hardware and software in
> use today can do that safely.

I don't think this is out of reach, really; the only trick is writing
the new key to durable storage before you write the signature. (In
fact, I'd write the key to high-durability/availability distributed
storage....wait. :)

(Getting to, say, a 2^-128, or other cryptographically small,
probability of failure does seem out of reach.)

On Thu, Oct 9, 2014 at 4:41 AM, Alyssa Rowan <akr@akr.io> wrote:
> Maybe we do: these are different schemes with different sets of desirable properties?

I think these schemes can be hybridized:

Take a stateful hash signature system (say tree-based); but use a
small SPHINCS instance at each leaf node. In that case, the size of
the SPHINCS instances only needs to be large enough for
"misuse-resistance", not collision-resistance. (It seems possible to,
instead, embed stateful leaves into a SPHINCS instance, but perhaps
less convenient unless the leaves are chains.)
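
The ordering discussed in this message (make the state update durable before any signature exists), as an added example that is not part of the original message or of any scheme named in the thread. It assumes a POSIX filesystem; a Lamport one-time signature stands in for the stateful hash-based scheme, and all function names and the state-file layout are hypothetical.

```python
import hashlib, hmac, os, struct, tempfile

def _persist_index(path, index):
    """Atomically and durably record the next unused one-time-key index."""
    d = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=d)
    with os.fdopen(fd, "wb") as f:
        f.write(struct.pack(">Q", index))
        f.flush()
        os.fsync(f.fileno())            # file contents reach stable storage
    os.replace(tmp, path)               # atomic rename over the old state
    dfd = os.open(d, os.O_RDONLY)
    try:
        os.fsync(dfd)                   # the rename itself reaches stable storage
    finally:
        os.close(dfd)

def _load_index(path):
    try:
        with open(path, "rb") as f:
            return struct.unpack(">Q", f.read(8))[0]
    except FileNotFoundError:
        return 0                        # fresh signer: nothing used yet

def _secret(seed, index, pos, bit):
    # One-time secrets are derived per index, so a reused index reuses a key.
    return hmac.new(seed, struct.pack(">QHB", index, pos, bit), hashlib.sha256).digest()

def _bits(message):
    h = hashlib.sha256(message).digest()
    return [(h[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def public_key(seed, index):
    return [[hashlib.sha256(_secret(seed, index, i, b)).digest() for b in (0, 1)]
            for i in range(256)]

def sign(seed, state_path, message):
    index = _load_index(state_path)
    _persist_index(state_path, index + 1)   # reserve BEFORE computing the signature
    sig = [_secret(seed, index, i, b) for i, b in enumerate(_bits(message))]
    return index, sig                       # a crash above only wastes an index

def verify(pk, message, sig):
    bits = _bits(message)
    return len(sig) == 256 and all(
        hmac.compare_digest(hashlib.sha256(s).digest(), pk[i][b])
        for i, (b, s) in enumerate(zip(bits, sig)))
```

A crash between the state write and the return of `sign` loses one index but never reuses one; the guarantee still depends on the storage stack honouring `fsync`, which is the point under dispute in the thread.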