Re: [CFRG] [EXTERNAL] pq firmware signing question
Ilari Liusvaara <ilariliusvaara@welho.com> Mon, 18 March 2024 16:58 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 797E1C18DBA0 for <cfrg@ietfa.amsl.com>; Mon, 18 Mar 2024 09:58:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T3JaKbfvsmv2 for <cfrg@ietfa.amsl.com>; Mon, 18 Mar 2024 09:58:33 -0700 (PDT)
Received: from welho-filter1.welho.com (welho-filter1b.welho.com [83.102.41.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 34D1EC180B4E for <Cfrg@irtf.org>; Mon, 18 Mar 2024 09:58:31 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id A5BD61F925 for <Cfrg@irtf.org>; Mon, 18 Mar 2024 18:58:28 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id Py_f_E3k1pq8 for <Cfrg@irtf.org>; Mon, 18 Mar 2024 18:58:28 +0200 (EET)
Received: from LK-Perkele-VII2 (78-27-96-203.bb.dnainternet.fi [78.27.96.203]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id 78C812DD for <Cfrg@irtf.org>; Mon, 18 Mar 2024 18:58:27 +0200 (EET)
Date: Mon, 18 Mar 2024 18:58:27 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: "cfrg@irtf.org" <Cfrg@irtf.org>
Message-ID: <Zfhys2oSTVZz96Ol@LK-Perkele-VII2.locald>
References: <73126498-47c2-4f8a-9425-18a3d9cce22c@cs.tcd.ie> <CH0PR11MB5739FD074FF5337C8E4E3DFB9F2E2@CH0PR11MB5739.namprd11.prod.outlook.com> <CH0PR11MB5444D732D1619268DB3353B8C12E2@CH0PR11MB5444.namprd11.prod.outlook.com> <5e573fc4-3d45-4757-9c3d-efda3c273ed1@cs.tcd.ie> <4C91EA88-46C3-4C9F-866C-2BCB56F08333@amongbytes.com> <799a47e0-b469-4a46-ae1f-42d7b4e7c6ec@mtg.de> <GVXPR07MB967870DE329836FA8A80E321892D2@GVXPR07MB9678.eurprd07.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <GVXPR07MB967870DE329836FA8A80E321892D2@GVXPR07MB9678.eurprd07.prod.outlook.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/xkMqtqSJDQYWHCm491KCrTGDMTQ>
Subject: Re: [CFRG] [EXTERNAL] pq firmware signing question
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2024 16:58:35 -0000
On Mon, Mar 18, 2024 at 03:45:00PM +0000, John Mattsson wrote: > > * The conservative SLH-DSA is security wise quite attractive for > this use case but the keys are a bit big. My hardware people > tells me that they want to keep the amount of burned bytes > small. As ML-DSA is in CNSA 2.0 my feeling is that ML-DSA is > more commercially available. ML-DSA also have better > performance and smaller keys. It appears that SLH-DSA keys are actually much smaller: - CNSA 2.0 ML-DSA has 2592 byte public key. - AFAICT, SLH-DSA has 64 byte public key. It is the SLH-DSA signatures that are much larger than ML-KEM signatures. However, the retuned sizes below are less than 2.5x the 4595 byte ML-DSA signature size. > * The private key in trust anchors is typically used a small > amount of times. SLH-DSA tuned for much less than 2^64 > signatures is a good fit. The signing speed is almost > irrelevant. The verification speed is important. Looking at recent paper (eprint 2024/018) on retuning SPHINCS+/SLH-DSA: Category I, 1M signatures h=18, d=2, a=14, k=12, w=16: Size 4304, cost 968690/762 Category III, 1M signatures: h=24, d=3, a=13, k=16, w=16: Size 9648, cost 890349/1477 And 1M signatures seems plenty: To burn through this in a millenia takes multiple releases per day (which is extremely fast pace, even for single-layer setup). Advantage of using SPHINCS+ retuned to small number of signatures over stuff like XMSS is that there are no state-tracking problems. However, there is certificational problem here: This will hold, but can we get this certified enough? -Ilari
- [CFRG] pq firmware signing question Stephen Farrell
- Re: [CFRG] [EXTERNAL] pq firmware signing question Mike Ounsworth
- Re: [CFRG] [EXTERNAL] pq firmware signing question Stephen Farrell
- Re: [CFRG] pq firmware signing question Dr. Pala
- Re: [CFRG] [EXT] Re: [EXTERNAL] pq firmware signi… Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] [EXT] Re: [EXTERNAL] pq firmware signi… Orie Steele
- Re: [CFRG] [EXTERNAL] pq firmware signing question Stephen Farrell
- Re: [CFRG] [EXTERNAL] pq firmware signing question Kris Kwiatkowski
- Re: [CFRG] [EXT] Re: [EXTERNAL] pq firmware signi… Scott Fluhrer (sfluhrer)
- Re: [CFRG] [EXTERNAL] pq firmware signing question Scott Fluhrer (sfluhrer)
- Re: [CFRG] [EXTERNAL] pq firmware signing question Falko Strenzke
- Re: [CFRG] [EXTERNAL] pq firmware signing question John Mattsson
- Re: [CFRG] [EXTERNAL] pq firmware signing question Ilari Liusvaara
- Re: [CFRG] [EXTERNAL] pq firmware signing question Sophie Schmieg
- Re: [CFRG] [EXTERNAL] pq firmware signing question Scott Fluhrer (sfluhrer)
- Re: [CFRG] [EXTERNAL] pq firmware signing question Michael StJohns