Re: [CFRG] Can I have a review of draft-fluhrer-lms-more-parm-sets?

John Mattsson <john.mattsson@ericsson.com> Wed, 10 February 2021 13:04 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Russ Housley <housley@vigilsec.com>, IRTF CFRG <cfrg@irtf.org>
Thread-Topic: [CFRG] Can I have a review of draft-fluhrer-lms-more-parm-sets?
Thread-Index: Adb+Jt9TjiOuqW6cRRiwxSMfcjtiJAABbe0AAGJGYIA=
Date: Wed, 10 Feb 2021 13:04:47 +0000
Message-ID: <E999CD4F-AE23-4B8F-88B4-0AFA04B338F9@ericsson.com>
References: <BN7PR11MB264152C19ECEFD79A61E7DDDC18F9@BN7PR11MB2641.namprd11.prod.outlook.com> <0F708F7B-1A0B-4966-9B7C-9E34A5688C8E@vigilsec.com>
In-Reply-To: <0F708F7B-1A0B-4966-9B7C-9E34A5688C8E@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/bfRK1HYdk4j-8ncwE0M6QcfKz2E>

Hi,

I have reviewed the draft. Solutions to reduce signature size are welcome. The design choices make a lot of sense to me. I strongly support IANA registration of these parameters.

- I think the draft should have a reference to NIST SP 800-208, which already specifies these parameters. I think it is very useful to know that these parameters align with NIST SP 800-208.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-208.pdf

- My understanding is that NIST SP 800-208 fulfills the requirements for IANA registration and that this draft is not strictly needed for IANA registration. Having the draft anyway is of course ok.

- "are efficient to compute"
I guess it depends on what you compare with. My understanding is that hash-based signatures are slower than lattice-based, multivariate, and ECC, but faster than RSA.
- I think the draft should mention how the 192-bit hashes affect the resistance to generic collision searches as described in NIST SP 800-208:
“Consequently, one trade-off for the use of 192-bit hash functions in LMS and XMSS is the weakening of the verifier’s assurance that the signer will not be able to change the message once the signature is revealed. This possibility does not affect the formal security properties of the schemes because it remains the case that only the signer could produce a valid signature on a message.”

- "take more time than is likely to be acceptable to any attacker"
Likely also acceptable to the user of the signatures. Given that quantum computers after error-correction currently are significantly slower than classical computers, the attacker would be dead a long time ago. It seems non-trivial to run a quantum computer for hundreds of years without interruption or to transfer its state.

- "SHA259/192"

- "SHAKE256" or "SHAKE-256"

- "SHAKE256-256" or "SHAKE256/256"

- "SHAKE256-192" or "SHAKE256/192"

John

From: CFRG <cfrg-bounces@irtf.org> on behalf of Russ Housley <housley@vigilsec.com>
Date: Monday, 8 February 2021 at 16:11
To: IRTF CFRG <cfrg@irtf.org>
Subject: Re: [CFRG] Can I have a review of draft-fluhrer-lms-more-parm-sets?

I have reviewed the document, and I would like to see it move forward quickly.  SUIT could really use this.

Russ



On Feb 8, 2021, at 9:39 AM, Scott Fluhrer (sfluhrer) <sfluhrer=40cisco.com@dmarc.ietf.org> wrote:

Hi,

   Quynh Dang and I are trying to reserve IANA code points for the additional parameter sets within draft-fluhrer-lms-more-parm-sets.  The goal of these parameter sets is to reduce the signature size (by about a third on average) while maintaining a reasonably conservative security level (192 bits of security).

  One requirement for this to happen is found in the text of RFC 8554, which states (in section 8, IANA Considerations):

   Additions to these registries require that a specification be
   documented in an RFC or another permanent and readily available
   reference in sufficient detail that interoperability between
   independent implementations is possible [RFC8126].  IANA MUST verify
   that all applications for additions to these registries have first
   been reviewed by the IRTF Crypto Forum Research Group (CFRG).

   I am formally requesting such a review take place.

   Thank you
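As an added illustration of the size trade-off Scott describes above (and of the collision-resistance point John quotes from NIST SP 800-208), here is a short Python script that is not part of this thread, of the draft, or of any LMS implementation. It applies the LM-OTS and LMS length formulas from RFC 8554 (Appendix B for the chain count p, Sections 4.5 and 5.4 for the signature layout) to the existing n=32 parameter sets and the n=24 sets the draft registers; the function names are my own, and the "about a third" figure falls out of the arithmetic rather than being assumed.

```python
import math

# Parameter-set geometry used throughout RFC 8554:
#   n = hash output length in bytes (32 for SHA-256, 24 for SHA-256/192)
#   w = Winternitz parameter, bits consumed per chain step (1, 2, 4 or 8)
#   h = Merkle tree height (5, 10, 15, 20 or 25)


def lmots_p(n: int, w: int) -> int:
    """Number of n-byte hash chains in an LM-OTS key (RFC 8554, Appendix B)."""
    u = math.ceil(8 * n / w)                      # chains covering the message digest
    # chains covering the checksum of the digest coefficients
    v = math.ceil((math.floor(math.log2((2 ** w - 1) * u)) + 1) / w)
    return u + v


def lmots_sig_len(n: int, w: int) -> int:
    """LM-OTS signature: u32str(type) || C (n bytes) || y[0..p-1] (p * n bytes)."""
    return 4 + n + lmots_p(n, w) * n


def lms_sig_len(n: int, w: int, h: int) -> int:
    """LMS signature: u32str(q) || LM-OTS signature || u32str(type) || path[0..h-1]."""
    return 4 + lmots_sig_len(n, w) + 4 + h * n


def hss_sig_len(n: int, w: int, h: int, levels: int) -> int:
    """HSS signature for `levels` identical LMS levels (RFC 8554, Section 6.4).

    u32str(L-1) || (L-1) x (LMS signature || LMS public key) || final LMS signature,
    where an LMS public key is u32str(type) || u32str(otstype) || I (16) || T[1] (n).
    """
    pub = 4 + 4 + 16 + n
    sig = lms_sig_len(n, w, h)
    return 4 + (levels - 1) * (sig + pub) + sig


def generic_collision_bits(n: int) -> int:
    """Work factor (log2) of a generic birthday collision search on an 8n-bit hash.

    This is the quantity SP 800-208 discusses: the signer, who chooses the
    randomizer C, is the only party in a position to exploit a collision.
    """
    return 8 * n // 2


def size_reduction(w: int, h: int) -> tuple:
    """Compare the n=32 and n=24 LMS signature sizes for one (w, h) geometry.

    Returns (bytes_n32, bytes_n24, fractional_reduction).
    """
    full = lms_sig_len(32, w, h)
    short = lms_sig_len(24, w, h)
    return full, short, 1 - short / full


if __name__ == "__main__":
    print(f"{'w':>2} {'h':>2} {'n=32':>6} {'n=24':>6} {'saved':>6}")
    for w in (1, 2, 4, 8):
        for h in (10, 20):
            full, short, frac = size_reduction(w, h)
            print(f"{w:>2} {h:>2} {full:>6} {short:>6} {frac:>6.1%}")
    for n in (32, 24):
        print(f"n={n}: generic collision search ~2^{generic_collision_bits(n)}")
```

The p values the script derives (265, 133, 67, 34 for n=32; 200, 101, 51, 26 for n=24) are the ones tabulated in RFC 8554 and SP 800-208, and the n=32, w=8, h=10 LMS signature comes out at 1452 bytes (1456 with the 4-byte HSS level prefix). Against that, the n=24 counterpart is 900 bytes, a saving of roughly 38 percent; the saving varies a little with w and h, which is why the cover note says "about a third on average".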