Re: [Cfrg] draft-fluhrer-lms-more-parm-sets-01

"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Thu, 23 April 2020 21:18 UTC

From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Russ Housley <housley@vigilsec.com>, "Dang, Quynh (Fed) (quynh.dang@nist.gov)" <quynh.dang@nist.gov>
CC: IRTF CFRG <cfrg@irtf.org>
Thread-Topic: draft-fluhrer-lms-more-parm-sets-01
Thread-Index: AQHWGaGmqld9TBfumEevLTUB7Uk8aKiHMxJA
Date: Thu, 23 Apr 2020 21:18:08 +0000
Message-ID: <MN2PR11MB3936EF98AC1A6E300AF0D020C1D30@MN2PR11MB3936.namprd11.prod.outlook.com>
References: <3F99CED3-A810-4CF6-98AC-A55E29000D1F@vigilsec.com>
In-Reply-To: <3F99CED3-A810-4CF6-98AC-A55E29000D1F@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/Tvn0SeE9RAnDxTNgWS_6NzTw50I>

> -----Original Message-----
> From: Russ Housley <housley@vigilsec.com>
> Sent: Thursday, April 23, 2020 3:01 PM
> To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
> Cc: IRTF CFRG <cfrg@irtf.org>
> Subject: draft-fluhrer-lms-more-parm-sets-01
> 
> Scott:
> 
> Thanks for your talk on this draft yesterday.  It raised a few questions.
> 
> 1) SHA256-192:  I like it.  Does the size of I change?  My guess is that it is still
> 16 bytes, but I want to be sure.

The size of I remains at 16 bytes.  The reason I is there is to address potential multitarget attacks; that is, where someone attacks two different public keys by hashing a single value and seeing if it matched a value from either Merkle tree/Winternitz chain.  Because two different public keys will have different I values, this doesn't yield an advantage (as the attempted hash will need to select a specific I value).

This protection doesn't have anything to do with the hash size, and so it does not change.

> 
> 2) SHAKE256-256 and SHAKE256-192:  Why use an Extendable-Output
> Function (XOF)?  Since the output in the application is always 256 bits or 192
> bits, the normal reason for picking an XOF does not seem relevant.

That's actually a Dang question; he suggested we add it, so I copied him.

On the other hand, SHAKE256 and SHA3-256 are almost the same (differing only in the end-of-message padding), and so I don't believe it really matters.

> 
> 3) Temporary code points: Why do you have collisions?  For example,
> LMOTS_SHA256_N24_W1 and LMS_SHA256_M24_H5 are the same, and RFC
> 8554 avoided overlaps between LMS and LMOTS code points.

They're not a collision; they are in different spaces.  The fact that RFC 8554 happened to avoid collisions is just an accident of history (originally, that draft defined 128-bit hashes as well, and the LMOTS code points for 128-bit hashes came after the 256-bit hashes, and the LMS code points for 128-bit hashes came first).  We dropped the 128-bit hashes, but left the 256-bit code points unchanged, resulting in the current assignments.

> 
> Russ
>
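The following is an added illustration, not part of Scott's reply or of the draft, covering two points from the thread: the 16-byte I value being mixed into every chain hash so that one hash evaluation can only be checked against one key (the multi-target argument in answer 1), and SHAKE256-with-256-bit-output versus SHA3-256 (answer 2). The hash-family definitions (SHA256-192 as SHA-256 truncated to 24 bytes, SHAKE256-192/256 as SHAKE256 with a 24- or 32-byte output) and the RFC 8554 chain-step input layout `H(I || u32str(q) || u16str(i) || u8str(j) || tmp)` are my reading of those documents and should be treated as assumptions; the I values and chain inputs are constructed sample data.

```python
"""Added example (not from the thread): the role of I in LMS/LM-OTS hash inputs,
and the SHAKE256-vs-SHA3-256 relationship. Parameter-set hash definitions below
are assumptions based on draft-fluhrer-lms-more-parm-sets and RFC 8554."""
import hashlib

# Assumed parameter-set hashes: (function, output length n in bytes).
HASHES = {
    "SHA256":       (lambda m: hashlib.sha256(m).digest(), 32),
    "SHA256-192":   (lambda m: hashlib.sha256(m).digest()[:24], 24),   # truncated SHA-256
    "SHAKE256-256": (lambda m: hashlib.shake_256(m).digest(32), 32),  # XOF, fixed 32-byte output
    "SHAKE256-192": (lambda m: hashlib.shake_256(m).digest(24), 24),  # XOF, fixed 24-byte output
}


def H(name: str, msg: bytes) -> bytes:
    """Evaluate the named parameter-set hash and check its output length."""
    fn, n = HASHES[name]
    out = fn(msg)
    assert len(out) == n
    return out


def chain_step(name: str, I: bytes, q: int, i: int, j: int, tmp: bytes) -> bytes:
    """One Winternitz chain step in the RFC 8554 input layout (assumed):
    H(I || u32str(q) || u16str(i) || u8str(j) || tmp).
    I stays 16 bytes in every parameter set; it is independent of n."""
    if len(I) != 16:
        raise ValueError("I is a 16-byte key identifier regardless of hash size")
    msg = (I + q.to_bytes(4, "big") + i.to_bytes(2, "big")
           + j.to_bytes(1, "big") + tmp)
    return H(name, msg)


# Constructed sample identifiers for two different public keys.
I_KEY1 = bytes(range(16))
I_KEY2 = bytes(range(16, 32))


def multitarget_demo(name: str, secret: bytes, q: int = 0, i: int = 0, j: int = 0):
    """Hash the same chain input under two keys with different I values.
    Returns (out_key1, out_key2, out_key1_again): the outputs for the two keys
    differ, so a single hash evaluation can be compared against only one key's
    tree/chain, which is the point of prefixing I."""
    a = chain_step(name, I_KEY1, q, i, j, secret)
    b = chain_step(name, I_KEY2, q, i, j, secret)
    a_again = chain_step(name, I_KEY1, q, i, j, secret)
    return a, b, a_again


def shake_vs_sha3(msg: bytes):
    """SHA3-256 and SHAKE256 use the same Keccak-f[1600] permutation and the same
    1088-bit rate / 512-bit capacity; they differ only in the domain-separation
    suffix appended before pad10*1 (01 for SHA3, 1111 for SHAKE). Same security
    construction, but the 32-byte outputs for a given message are unrelated."""
    return hashlib.sha3_256(msg).digest(), hashlib.shake_256(msg).digest(32)


if __name__ == "__main__":
    for ps in HASHES:
        a, b, _ = multitarget_demo(ps, b"\x00" * HASHES[ps][1])
        print(f"{ps:13s} key1={a.hex()[:16]}... key2={b.hex()[:16]}... differ={a != b}")
    s3, sk = shake_vs_sha3(b"abc")
    print("SHA3-256 :", s3.hex())
    print("SHAKE256 :", sk.hex(), "(32-byte output)")
```

Running the script prints, for each assumed parameter set, that the same chain input yields different values under the two I values, and shows that SHA3-256 and a 32-byte SHAKE256 output of the same message are different digests even though the underlying sponge is identical. Note that SHAKE outputs are prefix-consistent: the 24-byte SHAKE256-192 output is the first 24 bytes of the SHAKE256-256 output for the same input, just as the truncated SHA256-192 is a prefix of SHA-256.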