Re: [Cfrg] RGLC on draft-irtf-cfrg-xmss-hash-based-signatures-03.txt
"A. Huelsing" <ietf@huelsing.net> Mon, 04 July 2016 13:43 UTC
Return-Path: <ietf@huelsing.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C91212D0BA for <cfrg@ietfa.amsl.com>; Mon, 4 Jul 2016 06:43:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rx-CR_1bZWdI for <cfrg@ietfa.amsl.com>; Mon, 4 Jul 2016 06:43:54 -0700 (PDT)
Received: from www363.your-server.de (www363.your-server.de [78.46.179.9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD15012D0E2 for <cfrg@irtf.org>; Mon, 4 Jul 2016 06:43:53 -0700 (PDT)
Received: from [88.198.220.132] (helo=sslproxy03.your-server.de) by www363.your-server.de with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.85_2) (envelope-from <ietf@huelsing.net>) id 1bK4AB-0007q9-2O; Mon, 04 Jul 2016 15:43:51 +0200
Received: from [131.155.68.167] by sslproxy03.your-server.de with esmtpsa (TLSv1.2:DHE-RSA-AES256-SHA:256) (Exim 4.84_2) (envelope-from <ietf@huelsing.net>) id 1bK4AA-000449-Ku; Mon, 04 Jul 2016 15:43:50 +0200
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Watson Ladd <watsonbladd@gmail.com>
References: <56E9B7E2.7050105@isode.com> <5772900A.8020507@cs.tcd.ie> <CACsn0ck0f_XajqcB8a3SZLudO4DQc7OrRCg06j2Zk-oyHFo-Sg@mail.gmail.com> <CACsn0cnodzDWrkXVD9uOac6_jHZFj7pKZziA3=nFJF4d-u6HkQ@mail.gmail.com> <577292D5.8000402@cs.tcd.ie>
From: "A. Huelsing" <ietf@huelsing.net>
Message-ID: <577A6816.3020907@huelsing.net>
Date: Mon, 04 Jul 2016 15:43:50 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.8.0
MIME-Version: 1.0
In-Reply-To: <577292D5.8000402@cs.tcd.ie>
Content-Type: multipart/alternative; boundary="------------000603060001020504000802"
X-Authenticated-Sender: ietf@huelsing.net
X-Virus-Scanned: Clear (ClamAV 0.99.2/21841/Mon Jul 4 12:30:17 2016)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/cJ0OfFGFlI30iGeHsowhSktcPUE>
Resent-From: alias-bounces@ietf.org
Resent-To: <>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] RGLC on draft-irtf-cfrg-xmss-hash-based-signatures-03.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Jul 2016 13:43:56 -0000
I agree with both of you. If the scheme is correctly implemented and especially the key-handling is done right, I have more trust in this scheme than in any other signature scheme. The reason is in theory what Watson wrote. In practice: Every other signature scheme relies on the security of a hash function AND some hard problem (RSA problem, DL, etc...). The security of this scheme JUST relies on the hardness of hash function properties that are much harder to break than collision-resistance. As we just consider parameter sets that also achieve a reasonable level of post-quantum security, the security margin for the classical setting is enormous. This is the big difference between hash-based signatures and other post-quantum cryptography (for which I would totally agree that we need a disclaimer of the kind Stephen proposed). On the other hand, I agree that it is important to note that there is not much experience yet with using stateful signature schemes in practice. So, getting the key handling right requires awareness that things are different from the setting of ECDSA, DSS, and all the other signature schemes, people might be used to. We tried to emphasize this in the draft. If CFRG thinks we did not emphasize it enough, I am happy to add another statement. Andreas Disclaimer: I did not discuss this with my co-authors yet, so I am just speaking for myself. On 06/28/16 17:08, Stephen Farrell wrote: > > On 28/06/16 16:02, Watson Ladd wrote: >> We actually have significantly more confidence in XMSS security then any >> other signature scheme. Signatures imply one way functions which are all >> XMSS needs. There is a catch with backups I don't like, but there are >> workarrounds. > That was not my only concern and nor was my concern specific to > this scheme. > > But sure, if someone wants to make a claim that this scheme is > one on which large chunks of the Internet could today safely > depend, and if that's a CFRG consensus position then saying that > would be fine. > > Personally, I'd be in rough in that case, if for no other reason > that the relatively immaturity of implementations. > > S. > > > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg
- Re: [Cfrg] RGLC on draft-irtf-cfrg-xmss-hash-base… A. Huelsing
- Re: [Cfrg] RGLC on draft-irtf-cfrg-xmss-hash-base… Stephen Farrell
- Re: [Cfrg] RGLC on draft-irtf-cfrg-xmss-hash-base… Watson Ladd
- Re: [Cfrg] RGLC on draft-irtf-cfrg-xmss-hash-base… Gilles Van Assche
- Re: [Cfrg] RGLC on draft-irtf-cfrg-xmss-hash-base… Alexey Melnikov
- [Cfrg] RGLC on draft-irtf-cfrg-xmss-hash-based-si… Alexey Melnikov
- Re: [Cfrg] RGLC on draft-irtf-cfrg-xmss-hash-base… Gilles Van Assche
- Re: [Cfrg] RGLC on draft-irtf-cfrg-xmss-hash-base… Russ Housley
- Re: [Cfrg] RGLC on draft-irtf-cfrg-xmss-hash-base… A. Huelsing
- Re: [Cfrg] [MASSMAIL]Re: RGLC on draft-irtf-cfrg-… Grigory Marshalko
- Re: [Cfrg] RGLC on draft-irtf-cfrg-xmss-hash-base… Stephen Farrell