IETF Logo Mail Archive

Re: [Cfrg] RGLC on draft-irtf-cfrg-xmss-hash-based-signatures-03.txt

"A. Huelsing" <ietf@huelsing.net> Mon, 04 July 2016 13:43 UTC

Return-Path: <ietf@huelsing.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C91212D0BA for <cfrg@ietfa.amsl.com>; Mon, 4 Jul 2016 06:43:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rx-CR_1bZWdI for <cfrg@ietfa.amsl.com>; Mon, 4 Jul 2016 06:43:54 -0700 (PDT)
Received: from www363.your-server.de (www363.your-server.de [78.46.179.9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD15012D0E2 for <cfrg@irtf.org>; Mon, 4 Jul 2016 06:43:53 -0700 (PDT)
Received: from [88.198.220.132] (helo=sslproxy03.your-server.de) by www363.your-server.de with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.85_2) (envelope-from <ietf@huelsing.net>) id 1bK4AB-0007q9-2O; Mon, 04 Jul 2016 15:43:51 +0200
Received: from [131.155.68.167] by sslproxy03.your-server.de with esmtpsa (TLSv1.2:DHE-RSA-AES256-SHA:256) (Exim 4.84_2) (envelope-from <ietf@huelsing.net>) id 1bK4AA-000449-Ku; Mon, 04 Jul 2016 15:43:50 +0200
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Watson Ladd <watsonbladd@gmail.com>
References: <56E9B7E2.7050105@isode.com> <5772900A.8020507@cs.tcd.ie> <CACsn0ck0f_XajqcB8a3SZLudO4DQc7OrRCg06j2Zk-oyHFo-Sg@mail.gmail.com> <CACsn0cnodzDWrkXVD9uOac6_jHZFj7pKZziA3=nFJF4d-u6HkQ@mail.gmail.com> <577292D5.8000402@cs.tcd.ie>
From: "A. Huelsing" <ietf@huelsing.net>
Message-ID: <577A6816.3020907@huelsing.net>
Date: Mon, 04 Jul 2016 15:43:50 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.8.0
MIME-Version: 1.0
In-Reply-To: <577292D5.8000402@cs.tcd.ie>
Content-Type: multipart/alternative; boundary="------------000603060001020504000802"
X-Authenticated-Sender: ietf@huelsing.net
X-Virus-Scanned: Clear (ClamAV 0.99.2/21841/Mon Jul 4 12:30:17 2016)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/cJ0OfFGFlI30iGeHsowhSktcPUE>
Resent-From: alias-bounces@ietf.org
Resent-To: <>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] RGLC on draft-irtf-cfrg-xmss-hash-based-signatures-03.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Jul 2016 13:43:56 -0000

I agree with both of you. If the scheme is correctly implemented and
especially the key-handling is done right, I have more trust in this
scheme than in any other signature scheme. The reason is in theory what
Watson wrote. In practice: Every other signature scheme relies on the
security of a hash function AND some hard problem (RSA problem, DL,
etc...). The security of this scheme JUST relies on the hardness of hash
function properties that are much harder to break than
collision-resistance. As we just consider parameter sets that also
achieve a reasonable level of post-quantum security, the security margin
for the classical setting is enormous. This is the big difference
between hash-based signatures and other post-quantum cryptography (for
which I would totally agree that we need a disclaimer of the kind
Stephen proposed).

On the other hand, I agree that it is important to note that there is
not much experience yet with using stateful signature schemes in
practice. So, getting the key handling right requires awareness that
things are different from the setting of ECDSA, DSS, and all the other
signature schemes, people might be used to. We tried to emphasize this
in the draft. If CFRG thinks we did not emphasize it enough, I am happy
to add another statement.

Andreas   

Disclaimer: I did not discuss this with my co-authors yet, so I am just
speaking for myself.


On 06/28/16 17:08, Stephen Farrell wrote:
>
> On 28/06/16 16:02, Watson Ladd wrote:
>> We actually have significantly more confidence in XMSS security then any
>> other signature scheme. Signatures imply one way functions which are all
>> XMSS needs. There is a catch with backups I don't like, but there are
>> workarrounds.
> That was not my only concern and nor was my concern specific to
> this scheme.
>
> But sure, if someone wants to make a claim that this scheme is
> one on which large chunks of the Internet could today safely
> depend, and if that's a CFRG consensus position then saying that
> would be fine.
>
> Personally, I'd be in rough in that case, if for no other reason
> that the relatively immaturity of implementations.
>
> S.
>
>
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email