Re: [Cfrg] I-D Action: draft-irtf-cfrg-xmss-hash-based-signatures-06.txt

Watson Ladd <watsonbladd@gmail.com> Sat, 23 July 2016 16:03 UTC

In-Reply-To: <D3B93AC9.7187E%kenny.paterson@rhul.ac.uk>
References: <20160706144508.25995.18605.idtracker@ietfa.amsl.com> <577D1B6E.1020506@huelsing.net> <D3B93AC9.7187E%kenny.paterson@rhul.ac.uk>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Sat, 23 Jul 2016 09:03:38 -0700
Message-ID: <CACsn0cn-tpMnLjYFH7a6NT8N3tbYob2W=CCycXRwhTn=3J7e4Q@mail.gmail.com>
To: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/YzwNBM9cH9zUk98dQD9wXgfKqSk>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-xmss-hash-based-signatures-06.txt

On Sat, Jul 23, 2016 at 7:35 AM, Paterson, Kenny
<Kenny.Paterson@rhul.ac.uk> wrote:
> Dear Andreas,
>
> Thanks for pushing the new version.
>
> Stephen and I had a chat at IETF 96 this week. His original suggestion for
> text to be added was this [1]:
>
> "All quantum-resistant algorithms documented by CFRG are today
> considered ready for experimentation and further engineering
> development (e.g. to establish the impact of performance and sizes
> on IETF protocols) but CFRG has consensus that we are not yet
> sufficiently confident to the point where we would want the security
> or privacy of a significant part of the Internet to be dependent on
> any set of those algorithms. In future, as things mature, CFRG
> intends to publish updated guidance on this topic."
>
> Personally, I think this is too strong for hash-based signatures: although
> we have no deployment experience (that I know of), we do have fairly
> strong confidence in the security of hash-based signatures against quantum
> computers, given the current state of the art of research in quantum
> algorithms. I'd suggest instead that some text like this should be
> included:
>
>
> "All quantum-resistant algorithms documented by CFRG are today
> considered ready for experimentation and further engineering
> development (e.g. to establish the impact of performance and sizes
> on IETF protocols). However, at the time of writing, we do not have
> significant deployment experience with such algorithms.
> CFRG consensus is that we are confident in the security of the
> signature schemes described in this document against
> quantum computers, given the current state of the research
> community's knowledge about quantum algorithms. Indeed, we are
> confident that the security of a significant part of the Internet
> could be made dependent on the signature schemes defined in this
> document."
>
> I realise that's a pretty strong statement that is the opposite of what
> Stephen suggested *for these signature schemes*.
>
> So let's discuss a bit more, and see if there is consensus from CFRG for
> the statement I've made here. Happy also to receive suggestions for
> alternative, better-worded statements.

I like the second in terms of what it means.

Minor wordsmithing suggestions: Remove "given the current state of the
research community's knowledge about quantum algorithms". This caveat
applies to almost all schemes: new attacks could be discovered later.

The last sentence seems a bit too strong and redundant at the same
time. We're assuming we could make the Internet work with this, but
don't have deployment experience. How about "This scheme is
sufficiently secure for use in all Internet protocols, and it will
require deployment experience to see if its use is feasible"? I
wouldn't object to the current text either.

>
> Cheers,
>
>
> Kenny
>
> [1] https://www.ietf.org/mail-archive/web/cfrg/current/msg08315.html
>
> On 06/07/2016 15:53, "Cfrg on behalf of A. Huelsing"
> <cfrg-bounces@irtf.org on behalf of ietf@huelsing.net> wrote:
>
>>Hi,
>>
>>we pushed a new version that further simplifies the addresses due to a
>>comment we received off-list. It is a minor change that simplifies
>>implementation of addresses as u_int32 array. We did not take any action
>>regarding Stephen's comment, yet. For this we want to get more feedback
>>on what we should do.
>>
>>Andreas
>>
>>
>>
>>On 07/06/16 16:45, internet-drafts@ietf.org wrote:
>>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>>> This draft is a work item of the Crypto Forum of the IETF.
>>>
>>>         Title           : XMSS: Extended Hash-Based Signatures
>>>         Authors         : Andreas Huelsing
>>>                           Denis Butin
>>>                           Stefan-Lukas Gazdag
>>>                           Aziz Mohaisen
>>>         Filename        : draft-irtf-cfrg-xmss-hash-based-signatures-06.txt
>>>         Pages           : 66
>>>         Date            : 2016-07-06
>>>
>>> Abstract:
>>>    This note describes the eXtended Merkle Signature Scheme (XMSS), a
>>>    hash-based digital signature system.  It follows existing
>>>    descriptions in scientific literature.  The note specifies the WOTS+
>>>    one-time signature scheme, a single-tree (XMSS) and a multi-tree
>>>    variant (XMSS^MT) of XMSS.  Both variants use WOTS+ as a main
>>>    building block.  XMSS provides cryptographic digital signatures
>>>    without relying on the conjectured hardness of mathematical problems.
>>>    Instead, it is proven that it only relies on the properties of
>>>    cryptographic hash functions.  XMSS provides strong security
>>>    guarantees and is even secure when the collision resistance of the
>>>    underlying hash function is broken.  It is suitable for compact
>>>    implementations, relatively simple to implement, and naturally
>>>    resists side-channel attacks.  Unlike most other signature systems,
>>>    hash-based signatures withstand attacks using quantum computers.
>>>
>>>
>>> The IETF datatracker status page for this draft is:
>>>
>>>https://datatracker.ietf.org/doc/draft-irtf-cfrg-xmss-hash-based-signatures/
>>>
>>> There's also a htmlized version available at:
>>>
>>>https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-06
>>>
>>> A diff from the previous version is available at:
>>>
>>>https://www.ietf.org/rfcdiff?url2=draft-irtf-cfrg-xmss-hash-based-signatures-06
>>>
>>>
>>> Please note that it may take a couple of minutes from the time of submission
>>> until the htmlized version and diff are available at tools.ietf.org.
>>>
>>> Internet-Drafts are also available by anonymous FTP at:
>>> ftp://ftp.ietf.org/internet-drafts/
>>>
>>> _______________________________________________
>>> Cfrg mailing list
>>> Cfrg@irtf.org
>>> https://www.irtf.org/mailman/listinfo/cfrg
>>
>



-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.