Re: [Cfrg] Topics for hash-based signatures (draft-huelsing-cfrg-hash-sig-xmss) for Friday

Василий Долматов <vdolmatov@gmail.com> Thu, 07 April 2016 18:38 UTC

From: Василий Долматов <vdolmatov@gmail.com>
In-Reply-To: <57066319.5050606@huelsing.net>
Date: Thu, 07 Apr 2016 15:38:18 -0300
Message-Id: <B39A8F29-2175-4A4A-88E3-06387589D44B@gmail.com>
References: <57066319.5050606@huelsing.net>
To: "A. Huelsing" <ietf@huelsing.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/gDNOkVToiiDVUHTQZc1kFEzaX10>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>

As was already noted on this list, it is reasonable to start with the list of existing hashes and then define the criteria for choosing from this list.


The current list of active hashes is SHA2, SHA3, BLAKE2, STREEBOG.

I propose to consider them and the criteria for choosing.

dol@

> On 7 Apr 2016, at 10:39, A. Huelsing <ietf@huelsing.net> wrote:
> 
> Hi,
> in preparation for Friday we want to point you to the topics we'd like to discuss.
> 
> 1. Instantiation aka choice of hash function
> -------------------------------------------------------
> This was already briefly discussed on the list and we got some further direct feedback on this.
> We think the important parameter set is for 256 bit classical / 128 bit quantum security.
> Currently this is implemented using SHA2-256 for everything besides the PRG which uses ChaCha20.
> In addition, the draft proposes a 512 bit classical / 256 bit quantum secure implementation using SHA2-512.
> 
> The main comments we got were
> 1. Why no SHA3
> 2. Why no plain SHA2 implementation (code size)
> 
> As we do not want to blow up the number of possibilities, our proposal would be
> 
> 1.) Plain SHA2-256 implementation as mandatory
> 2.) SHA2-512 optional
> 3.) SHA3-(256/512) optional
> 
> 
> 2. Addresses
> ------------------
> We simplified the address format in the last version such that fields do not cross byte boundaries.
> However, this does not leave enough space for large tree indices. Currently, the address format only
> supports tree indices up to 40 bits. This prevents parameters with, e.g., 12 layers of trees of height 5
> as used in SPHINCS.
> 
> We suggest increasing the address size to 32 bytes. This is another motivation to remove the SHA2/ChaCha implementation,
> as this was not possible with ChaCha20 because nonce + counter only give us 16 bytes.
> 
> 
> 3. Randomness for message hash
> ---------------------------------------------
> According to the current draft, R = PRF(SK_PRF, M),
> i.e. the randomness is obtained by applying a PRF to the message,
> keyed with a dedicated secret key. The reason is that this is a common
> way to derandomize this step.
> 
> However, as XMSS is stateful anyway, we could just do
> R = PRF(SK_PRF, idx),
> using the idx of the one-time key pair being used. For long messages this avoids
> processing the message twice.
> 
> --------------------------------------------
> 
> Any feedback also before the meeting tomorrow is welcome.
> 
> Andreas
> 
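The two concrete design points in the quoted message, the width of the hash-function address and the two ways of deriving the message-hash randomness R, as an added worked example. This is illustration code written for this page, not code from the draft, from the thread, or from any XMSS implementation. The 16-byte layout with a 40-bit tree index is reconstructed from the figures in the message and is not a published format; the 32-byte layout and the SHA-256 domain-separation prefixes (toByte(3, 32) for PRF, toByte(2, 32) for H_msg) are the ones RFC 8391 later standardized, not something the thread had settled on at the time. Keys and messages are constructed sample values.

```python
"""Added worked example (not code from the draft or from the thread).

Illustrates the address-width limit (40-bit tree index vs. a 32-byte address)
and the two derivations of the message-hash randomness R discussed above.
Assumptions are marked ASSUMED in the comments.
"""
import hashlib
import struct


def to_byte(x: int, n: int) -> bytes:
    """Big-endian encoding of integer x into exactly n bytes (RFC 8391 toByte)."""
    return x.to_bytes(n, "big")


def bottom_layer_tree_index_bits(total_height: int, layers: int) -> int:
    """Bits needed for the tree index at layer 0 of a hypertree whose `layers`
    layers share `total_height` bits of leaf index: idx >> (height per layer).
    For 12 layers of height 5 (the SPHINCS-style parameters cited) this is
    60 - 5 = 55 bits, which does not fit a 40-bit field."""
    per_layer = total_height // layers
    return total_height - per_layer


def encode_address_narrow(layer: int, tree: int) -> bytes:
    """ASSUMED 16-byte layout: 1-byte layer, 5-byte (40-bit) tree index and
    10 bytes of type-specific fields. Raises when the tree index does not fit,
    which is the limitation the message describes."""
    if not 0 <= tree < 1 << 40:
        raise OverflowError(f"tree index needs {tree.bit_length()} bits, field has 40")
    return to_byte(layer, 1) + to_byte(tree, 5) + bytes(10)


def encode_address_wide(layer: int, tree: int, typ: int,
                        w0: int, w1: int, w2: int, key_and_mask: int) -> bytes:
    """32-byte layout as RFC 8391 later adopted (ASSUMED here): 4-byte layer,
    8-byte tree index, 4-byte type, three 4-byte type-specific words,
    4-byte keyAndMask. A 64-bit tree index covers any practical hypertree."""
    return struct.pack(">IQIIIII", layer, tree, typ, w0, w1, w2, key_and_mask)


def prf(key: bytes, msg: bytes) -> bytes:
    """PRF(KEY, M) = SHA-256(toByte(3, 32) || KEY || M), the n = 32 SHA2
    instantiation from RFC 8391 (ASSUMED; the thread is still choosing hashes)."""
    return hashlib.sha256(to_byte(3, 32) + key + msg).digest()


def h_msg(r: bytes, root: bytes, idx: int, msg: bytes) -> bytes:
    """Randomized message hash H_msg(R || root || toByte(idx, 32), M)
    with domain prefix toByte(2, 32) (ASSUMED, as for prf)."""
    return hashlib.sha256(to_byte(2, 32) + r + root + to_byte(idx, 32) + msg).digest()


def r_from_message(sk_prf: bytes, msg: bytes) -> bytes:
    """Variant in the draft as quoted: R = PRF(SK_PRF, M). Reads all of M,
    and H_msg then reads it again."""
    return prf(sk_prf, msg)


def r_from_index(sk_prf: bytes, idx: int) -> bytes:
    """Variant proposed in the message: R = PRF(SK_PRF, idx). Fixed cost,
    independent of len(M); M is hashed once, inside H_msg."""
    return prf(sk_prf, to_byte(idx, 32))


def sign_digest(sk_prf: bytes, root: bytes, idx: int, msg: bytes, by_index: bool) -> tuple:
    """Return (R, M') for one signing step under either derivation."""
    r = r_from_index(sk_prf, idx) if by_index else r_from_message(sk_prf, msg)
    return r, h_msg(r, root, idx, msg)


# Constructed sample inputs, not real key material.
SK_PRF = bytes(range(32))
ROOT = hashlib.sha256(b"constructed root").digest()


if __name__ == "__main__":
    print("bits for bottom-layer tree index, 12 layers x height 5:",
          bottom_layer_tree_index_bits(60, 12))
    try:
        encode_address_narrow(0, 1 << 54)
    except OverflowError as e:
        print("narrow address:", e)
    print("wide address bytes:", len(encode_address_wide(0, 1 << 54, 0, 0, 0, 0, 0)))
    r1, d1 = sign_digest(SK_PRF, ROOT, 7, b"message one", by_index=True)
    r2, d2 = sign_digest(SK_PRF, ROOT, 7, b"message two", by_index=True)
    # Same idx gives the same R under the index variant; M' still differs
    # because M enters H_msg. Reusing an idx is a state failure in any case.
    print("index variant: same R for two messages at one idx:", r1 == r2,
          "digests differ:", d1 != d2)
    print("message variant: R differs per message:",
          r_from_message(SK_PRF, b"message one") != r_from_message(SK_PRF, b"message two"))
```

The index-derived R is what makes one-pass signing possible for long messages: the only input to PRF is the 32-byte index encoding, so nothing about M has to be read before H_msg runs. The trade-off visible in the last print is that R then depends solely on the signer's state, so it is only as fresh as the idx counter is.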