Re: [Cfrg] [MASSMAIL] Re: New Version Notification for draft-irtf-cfrg-xmss-hash-based-signatures-03.txt

"Grigory Marshalko" <marshalko_gb@tc26.ru> Thu, 12 May 2016 18:28 UTC


Hi,

I started reading the draft, and I think that the general security considerations in clause 8 about bit security are a little bit misleading. If we recall Shannon's definition of "practical" security, which is defined as "the average amount (the expectation) of work to determine the right key", we can see that it follows from a quite natural algorithm for key guessing: take the first key, check it, it is the correct key with probability 1/N (N is the number of keys); if not, take the second key, it is correct with the same probability ... etc. So we can get the average amount of work as \sum_{i=1}^{N} i/N = (N+1)/2 ~ N/2, and this is, I think, the right description of bit security with parameter b (2^b = N), not as stated in the draft. Or do you have something different in mind?


Regards,
Grigory Marshalko,
expert,
Technical committee for standardisation "Cryptography and security mechanisms" (TC 26)
www.tc26.ru
On 15 February 2016 at 14:55, "A. Huelsing" <ietf@huelsing.net> wrote:
> Hi,
> 
> we pushed a new version of the XMSS draft for hash-based signatures. The
> two main changes are
> 1. We incorporate the index of a signature to compute the message
> representative: M' = H(idx || R || M). This allows to mitigate speed-ups
> for attacks that collect many signatures and then try to forge a new
> signature, finding a colliding (M,R) pair.
> 2. We changed the address format to be more implementation friendly,
> i.e., fields do not cross byte or word boundaries anymore (one exception
> is a 40 bit field that simply does not fit a single word).
> Besides we did some minor remaining fixes. A complete change log can be
> found at the end of the draft.
> 
> From our side, the content of the draft is done with this update. We are
> only considering to publish one more update with test vectors. However,
> we are not entirely sure if this makes sense for such a scheme as it
> would easily become 50 - 100 pages (we would have to add all signatures
> for a key pair...). We would instead prefer to accompany the draft with
> a reference implementation that can be used to validate implementations.
> 
> We currently got two independent reference implementations of the last
> version of the draft that were tested against each other. We will update
> them during the coming days to meet this version.
> 
> Cheers,
> 
> Stefan, Denis & Andreas
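The expected-work argument from the message above, carried through as an added derivation (not part of the original email), using its own symbols: N keys with N = 2^b, and W denoting the position of the correct key in the search order, i.e. the number of keys tried before the search stops.

Since the correct key is equally likely to sit at any position in the search order,

$$
\Pr[W = i] = \frac{1}{N}, \qquad i = 1, \dots, N ,
$$

and the expected number of keys tried is

$$
\mathbb{E}[W] = \sum_{i=1}^{N} i \cdot \frac{1}{N}
 = \frac{1}{N} \cdot \frac{N(N+1)}{2}
 = \frac{N+1}{2} \approx \frac{N}{2} = 2^{b-1} ,
$$

which, expressed in bits, is

$$
\log_2 \mathbb{E}[W] = \log_2 \frac{N+1}{2}
 = b - 1 + \log_2\!\left(1 + 2^{-b}\right) \approx b - 1 .
$$

The same search stopped after t \le N guesses succeeds with probability

$$
\Pr[W \le t] = \frac{t}{N} = t \cdot 2^{-b} ,
$$

so the two usual conventions differ by exactly one bit: the full-enumeration (worst-case) figure is 2^b guesses, while the expected-work figure is 2^{b-1}. Which of the two a "b-bit security" statement refers to is precisely what the message asks the draft to make explicit.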