IETF Logo Mail Archive

Re: [Cfrg] RGLC on draft-irtf-cfrg-xmss-hash-based-signatures-03.txt

Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 28 June 2016 14:56 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7CBA41288B8 for <cfrg@ietfa.amsl.com>; Tue, 28 Jun 2016 07:56:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.727
X-Spam-Level:
X-Spam-Status: No, score=-5.727 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P_-O2hu_NZci for <cfrg@ietfa.amsl.com>; Tue, 28 Jun 2016 07:56:14 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9E9F212D0E5 for <cfrg@irtf.org>; Tue, 28 Jun 2016 07:56:14 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 68100BDF9; Tue, 28 Jun 2016 15:56:12 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yJepaid634Ta; Tue, 28 Jun 2016 15:56:10 +0100 (IST)
Received: from [10.87.48.210] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 5E72EBDCA; Tue, 28 Jun 2016 15:56:10 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1467125770; bh=PN2tnJ3FMsCSVypCH/djqYXLGqYKLUkRJHK0VVIExzE=; h=Subject:To:References:From:Date:In-Reply-To:From; b=Y7fpBZoIhvTM8Xn2YsVwOc5ed8E+sExl3wNjZkDFaTrjcIblfk80j40x5U4OW4Od2 0qD0xL0hREeQgZIUjjjio4eR5gw95asVaxP9x99mbEx4y9NFoSaZMzVjUO8vWBXZay 2Q8FGbuN60WLaSGtp9pghlxn6tq0w+3poD6llK7c=
To: Alexey Melnikov <alexey.melnikov@isode.com>, "cfrg@irtf.org" <cfrg@irtf.org>
References: <56E9B7E2.7050105@isode.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <5772900A.8020507@cs.tcd.ie>
Date: Tue, 28 Jun 2016 15:56:10 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.8.0
MIME-Version: 1.0
In-Reply-To: <56E9B7E2.7050105@isode.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms090901060207060504080504"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/siOpqnlFsSUEqxom5jzeBbHV-y0>
Resent-From: alias-bounces@ietf.org
Resent-To: <>
Subject: Re: [Cfrg] RGLC on draft-irtf-cfrg-xmss-hash-based-signatures-03.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jun 2016 14:56:17 -0000


Hiya,

I had a quick read of the draft. I've no comments on the
algorithm itself, but do have a strong reservation about
the text.

I would be much happier if it included some CFRG-consensus
text as to the current desirability of implementing and
deploying and depending upon any scheme that aims/claims to
be post-quantum secure (or any similar phraseology).

While a quantum computer is definitely a threat about which
we ought worry, we must also worry about people implementing
the shiny new thing badly. And about a shiny new thing that
turns out less good than expected. Or if implementing the shiny
new thing acts as a distraction to the deployment of currently
good but non quantum-resistant security or privacy mechanisms.
There may also, over time, be many shiny new things, that are
not all equal, but so that implementers lack guidance as to
which to choose. I consider all of the above are real threats
and that CFRG ought provide guidance as to how the trade-offs
between those are currently seen.

So I would really like to see a paragraph or two that is aimed
at implementers and that gives current guidance on whether or
not this is ready for prime-time. I would hope the same paragraph
could be re-used in any similar drafts.

My starting point would be to insert something like the text
below at a prominent place in the introduction:

"All quantum-resistant algorithms documented by CFRG are today
considered ready for experimentation and further engineering
development (e.g. to establish the impact of performance and sizes
on IETF protocols) but CFRG has consensus that we are not yet
sufficiently confident to the point where we would want the security
or privacy of a significant part of the Internet to be dependent on
any set of those algorithms. In future, as things mature, CFRG
intends to publish updated guidance on this topic."

If CFRG's consensus is for something much more positive than the
above, so long as that guidance is clearly justified and clearly
safe for implementers then I'll be fine with that. IOW my conservative
text above might be too conservative, but ISTM that this is a case
where do-no-harm is a good principle to follow at first.

Note: This is independent of this (or any) specific algorithm
so I hope the authors/proponents don't take this as a comment
on their algorithm. (And yes, this is sort of related text in
section 8.3, but that is IMO insufficient.)

S.

PS: The above is my comment as an individual (barely qualified:-)
participant in CFRG. As one of the current security ADs, I would
however also have to consider if the lack of some such guidance
would be something for the IESG to consider during rfc5742 conflict
review. I'm not sure if the concern above would or would not be a
valid 5742 conflict but absent some such guidance I think I'd have
to raise the issue then, so be no harm if we can resolve it now.
Apologies if I missed one before, but I think this is the first
such document to reach this stage, so now's a good time to sort
this.

PPS: That the organisation perhaps most likely to develop a QC
is also one that could potentially benefit from quantum-resistance
as a distraction, or that might have better QC based attacks, and
that that organisation is pushing us towards this kind of work, and
is also an organisation that reportedly has a gigantic (and IMO
gigantically stupid) budget for making Internet security worse...
remains a highly relevant consideration for me here. But I don't
think that that is needed to justify asking for consensus guidance
on when to depend on this stuff.



On 16/03/16 19:45, Alexey Melnikov wrote:
> This message starts 4 weeks RGLC on
> draft-irtf-cfrg-xmss-hash-based-signatures-03.txt (XMSS: Extended
> Hash-Based Signatures) which will end on April 13th. Please let chairs
> know if you think the document is ready for IRSG review (and publication
> as an RFC) or if you find any issues with it.
> 
> Best Regards,
> Kenny and Alexey
> 
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>

v2.23.0 | Report a Bug | By Email