IETF Logo Mail Archive

Re: [Cfrg] I-D Action: draft-irtf-cfrg-xmss-hash-based-signatures-06.txt

"A. Huelsing" <ietf@huelsing.net> Mon, 25 July 2016 14:18 UTC

Return-Path: <ietf@huelsing.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED47312D8B7 for <cfrg@ietfa.amsl.com>; Mon, 25 Jul 2016 07:18:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HQrooPVQUqNK for <cfrg@ietfa.amsl.com>; Mon, 25 Jul 2016 07:18:18 -0700 (PDT)
Received: from www363.your-server.de (www363.your-server.de [78.46.179.9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C98D412D8BB for <cfrg@irtf.org>; Mon, 25 Jul 2016 07:18:17 -0700 (PDT)
Received: from [88.198.220.130] (helo=sslproxy01.your-server.de) by www363.your-server.de with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.85_2) (envelope-from <ietf@huelsing.net>) id 1bRghw-0005II-Ei; Mon, 25 Jul 2016 16:18:12 +0200
Received: from [131.155.68.224] by sslproxy01.your-server.de with esmtpsa (TLSv1.2:DHE-RSA-AES256-SHA:256) (Exim 4.84_2) (envelope-from <ietf@huelsing.net>) id 1bRghw-0002We-89; Mon, 25 Jul 2016 16:18:12 +0200
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Watson Ladd <watsonbladd@gmail.com>
References: <20160706144508.25995.18605.idtracker@ietfa.amsl.com> <577D1B6E.1020506@huelsing.net> <D3B93AC9.7187E%kenny.paterson@rhul.ac.uk> <994C5976EA09B556.08963792-86E6-4CE4-95FB-23F0F6046EC0@mail.outlook.com> <C6F5FDF9-6A09-4ECB-AAF5-985BF06F0F83@rhul.ac.uk> <69e0bf26-c079-75fb-0a5c-751bf3581016@cs.tcd.ie> <CACsn0cnU1UM1_4Y7at7ov0rr94-YWm0Boogs7R916P2Lk_BpPw@mail.gmail.com> <21d8f293-d302-6ead-66d9-cc05db238348@cs.tcd.ie> <454b1115-787b-f148-1448-58e7de1620c7@huelsing.net> <d8c335ef-f486-708f-5736-03a1a3a947f0@cs.tcd.ie>
From: "A. Huelsing" <ietf@huelsing.net>
Message-ID: <037bc196-3ddd-4f36-b5d6-3d3e65aefee8@huelsing.net>
Date: Mon, 25 Jul 2016 16:18:12 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <d8c335ef-f486-708f-5736-03a1a3a947f0@cs.tcd.ie>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Authenticated-Sender: ietf@huelsing.net
X-Virus-Scanned: Clear (ClamAV 0.99.2/21967/Mon Jul 25 13:06:08 2016)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/dXKTCPLJS_pyfN15fhOxV9832ik>
Resent-From: alias-bounces@ietf.org
Resent-To: <>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-xmss-hash-based-signatures-06.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jul 2016 14:18:20 -0000


On 07/25/16 15:36, Stephen Farrell wrote:
>
> On 25/07/16 14:26, A. Huelsing wrote:
>> I have the slight feeling that we get several things mixed up in this
>> discussion.
> Such is life:-)
Yeah, life... :-)
>
> I mostly agree with your characterisation below but that omits two
> important things: 1) cfrg will be defining other PQ schemes as those
> reach the relevant level of maturity and 2) any PQ scheme RFC will
> very likely lead to some folks demanding/asking that it be deployed,
> when that may be premature, and esp. if the RFC doesn't give good
> guidance about that topic.
>
> So I think it's important to try to get to a consensus statement
> about the deployability of PQ schemes in general, and not only for
> this less-risky scheme. That way we can have the hard part of this
> discussion once and then cut'n'paste the text into other drafts
> for so long as that text is still good. (*)
>
> That's why I'm arguing that we should have a fairly conservative
> statement that can be included in more or less all PQ scheme RFCs
> that are developed for the next while.
>
> I've no problem at all if that short statement is followed by one
> that sets this particular scheme into that context.
I agree that it is important for cfrg to find a position in this. However,
I do not think that a generic statement solves the issue. The reason
being that the required solution differs. E.g., for lattice-based
key-exchange where we still got some doubts on the actual security
of specific parameter sets, the solution is to deploy it right now in
combination with a non-pq but classically secure scheme. That way,
we at least get the same security as before... For the XMSS, I think
it is more about people getting used to the state handling. Which
requires being extremely careful implementing key handling.
This is also the reason why we are first (also referring to (*)), because
we do not have these issues.

> Hence my originally proposed text.
>
> Cheers,
> S.
>
> (*) It is a bit unfortunate that yours is the 1st such document,
> and apologies again for this slowing you down, but I think overall
> getting this done now is well worthwhile.
>
>> To me it looks as if there are several topics on the table:
>>
>> 1. "Cryptographic security": I think people on the list agree by now
>> that the
>> chances that XMSS will be broken by cryptanalysis is not higher than for
>> any deployed signature scheme (in fact, I personally would claim that it is
>> strictly more secure than any deployed signature scheme that can handle
>> arbitrary length messages, as such schemes need a secure cryptographic
>> hash function at least in the strongest sense that is used by XMSS, i.e.
>> extended target collision resistant). Note that the above also includes the
>> non-quantum attacks case!
>>
>> 2. "Implementation security": No one disagreed on the fact that there is
>> hardly any experience with implementing stateful signature schemes. We
>> emphasize this through out the draft and it was discussed here a lot. I am
>> totally happy to add a special "note to IETF working groups"  to the draft
>> where we repeat this once more, writing e.g. something along the lines
>> of what Kenny suggested.
>>
>> 3. "Politics": Should we deploy post-quantum crypto now, possibly at the
>> cost of not deploying advanced "classical" crypto. This is an issue that in
>> my opinion should not be mixed with the above two but the decision on
>> this should be motivated by the answers to the above. I think we got here
>> a special case for hash-based signatures as -- in contrast to other
>> pq-proposals -- we do not introduce new hardness assumptions.
>> This being said, I understand that there are other reasons that motivate
>> people not to deploy any pq-crypto right now. However, in that case we
>> should debate about these reasons and don't start a mock debate (hope
>> this is the proper English word) about the XMSS draft.
>>
>> Looking forward to a fruitful discussion,
>>
>> Andreas
>>
>>
>>
>> On 07/24/16 14:09, Stephen Farrell wrote:
>>> On 23/07/16 23:27, Watson Ladd wrote:
>>>> On Sat, Jul 23, 2016 at 1:56 PM, Stephen Farrell
>>>> <stephen.farrell@cs.tcd.ie> wrote:
>>>>> On 23/07/16 20:14, Paterson, Kenny wrote:
>>>>>> Your other point regarding state is well made.
>>>>> So that, and the fact that implementations are going to be
>>>>> brand new and hence quite likely buggy implies to me that
>>>>> the more cautious text I suggested takes the right approach.
>>>> If we go by that metric, 
>>> I wasn't suggesting a metric, it's an argument for caution with
>>> new stuff.
>>>
>>>> OpenSSL's BN code will never have security
>>>> relevant bugs, and ref10. Oh wait, that's not true at all, because we
>>>> can verify ref10's correctness, and the BN code actually had bugs.
>>>> Maybe we should try solving the problem of writing code to not have
>>>> bugs (newsflash: it has been solved, the methods are not expensive,
>>>> and crypto is an excellent place to apply them)
>>> Now you're being wildly optimistic with "been solved" :-) We don't
>>> control how developers implement our stuff and we do know that a lot
>>> of systems and developers will end up using buggy things, and all
>>> the moreso the newer the technology involved.
>>>
>>>> We've extremely clearly documented the stateful nature of the scheme.
>>>> This implementation question is different from whether the scheme
>>>> meets the security goals it claims. We can try to design schemes to
>>>> avoid common programing issues, and encourage the usage of more robust
>>>> schemes.
>>>>
>>> All good things yes.
>>>
>>>>> Even if we're cryptographically confident of this particular
>>>>> scheme, we are IMO far from wanting the Internet to depend
>>>>> upon it (or any other proposed PQ scheme).
>>>> Isn't this because we aren't sure if we can deploy it safely/the
>>>> desirablity ? 
>>> Right. I think those are unquestionably good arguments even after
>>> we're very confident in the specific scheme.
>>>
>>> Additionally, but less convincing, I see a danger that people divert
>>> deployment effort to such schemes, when that'd, for now, be better
>>> devoted to improving and better deploying current technology. IOW,
>>> premature effort devoted to PQ deployment is IMO a shiny-new-thing
>>> danger. I do think we need text to provide readers with the right
>>> guidance on that. Otherwise, even those who think it premature to
>>> deploy PQ schemes may be pressured by their customers to do so now.
>>> (Note: deployment is what I consider premature, not engineering or
>>> research.)
>>>
>>>> Do you actually think that XMSS is insecure against
>>>> quantum computers? 
>>> I think my initial note in this thread made it clear that I am not
>>> making any such claim.
>>>
>>>> To be clear, if there is no hash function that isTher
>>>> secure against QM, game over: signatures imply hash functions.
>>>>
>>>> Of course, key exchanges are more dangerous then signatures, CA
>>>> hoodwinking of customers aside. We don't need to post-quantum
>>>> transition signatures now.
>>> Sorta. We do need such signature schemes to be researched and
>>> developed. I agree we don't yet need 'em deployed.
>>>
>>> S.
>>>
>>>>> Cautious text is better here now, rather than overly optimistic
>>>>> text.
>>>>>
>>>>> S.
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Cfrg mailing list
>>>>> Cfrg@irtf.org
>>>>> https://www.irtf.org/mailman/listinfo/cfrg
>>>>>
>>>>
>>>
>>> _______________________________________________
>>> Cfrg mailing list
>>> Cfrg@irtf.org
>>> https://www.irtf.org/mailman/listinfo/cfrg
>>

v2.23.0 | Report a Bug | By Email