IETF Logo Mail Archive

Re: [CFRG] [EXTERNAL] pq firmware signing question

Ilari Liusvaara <ilariliusvaara@welho.com> Mon, 18 March 2024 16:58 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 797E1C18DBA0 for <cfrg@ietfa.amsl.com>; Mon, 18 Mar 2024 09:58:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T3JaKbfvsmv2 for <cfrg@ietfa.amsl.com>; Mon, 18 Mar 2024 09:58:33 -0700 (PDT)
Received: from welho-filter1.welho.com (welho-filter1b.welho.com [83.102.41.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 34D1EC180B4E for <Cfrg@irtf.org>; Mon, 18 Mar 2024 09:58:31 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id A5BD61F925 for <Cfrg@irtf.org>; Mon, 18 Mar 2024 18:58:28 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id Py_f_E3k1pq8 for <Cfrg@irtf.org>; Mon, 18 Mar 2024 18:58:28 +0200 (EET)
Received: from LK-Perkele-VII2 (78-27-96-203.bb.dnainternet.fi [78.27.96.203]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id 78C812DD for <Cfrg@irtf.org>; Mon, 18 Mar 2024 18:58:27 +0200 (EET)
Date: Mon, 18 Mar 2024 18:58:27 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: "cfrg@irtf.org" <Cfrg@irtf.org>
Message-ID: <Zfhys2oSTVZz96Ol@LK-Perkele-VII2.locald>
References: <73126498-47c2-4f8a-9425-18a3d9cce22c@cs.tcd.ie> <CH0PR11MB5739FD074FF5337C8E4E3DFB9F2E2@CH0PR11MB5739.namprd11.prod.outlook.com> <CH0PR11MB5444D732D1619268DB3353B8C12E2@CH0PR11MB5444.namprd11.prod.outlook.com> <5e573fc4-3d45-4757-9c3d-efda3c273ed1@cs.tcd.ie> <4C91EA88-46C3-4C9F-866C-2BCB56F08333@amongbytes.com> <799a47e0-b469-4a46-ae1f-42d7b4e7c6ec@mtg.de> <GVXPR07MB967870DE329836FA8A80E321892D2@GVXPR07MB9678.eurprd07.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <GVXPR07MB967870DE329836FA8A80E321892D2@GVXPR07MB9678.eurprd07.prod.outlook.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/xkMqtqSJDQYWHCm491KCrTGDMTQ>
Subject: Re: [CFRG] [EXTERNAL] pq firmware signing question
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2024 16:58:35 -0000

On Mon, Mar 18, 2024 at 03:45:00PM +0000, John Mattsson wrote:
> 
>   *   The conservative SLH-DSA is security wise quite attractive for
>       this use case but the keys are a bit big. My hardware people
>       tells me that they want to keep the amount of burned bytes
>       small. As ML-DSA is in CNSA 2.0 my feeling is that ML-DSA is
>       more commercially available. ML-DSA also have better
>       performance and smaller keys.

It appears that SLH-DSA keys are actually much smaller:

- CNSA 2.0 ML-DSA has 2592 byte public key.
- AFAICT, SLH-DSA has 64 byte public key.

It is the SLH-DSA signatures that are much larger than ML-KEM
signatures. However, the retuned sizes below are less than 2.5x the
4595 byte ML-DSA signature size.


>   *   The private key in trust anchors is typically used a small
>       amount of times. SLH-DSA tuned for much less than 2^64
>       signatures is a good fit. The signing speed is almost
>       irrelevant. The verification speed is important.

Looking at recent paper (eprint 2024/018) on retuning
SPHINCS+/SLH-DSA:

Category I, 1M signatures

h=18, d=2, a=14, k=12, w=16: Size 4304, cost 968690/762


Category III, 1M signatures:

h=24, d=3, a=13, k=16, w=16: Size 9648, cost 890349/1477


And 1M signatures seems plenty: To burn through this in a millenia
takes multiple releases per day (which is extremely fast pace, even for
single-layer setup).

Advantage of using SPHINCS+ retuned to small number of signatures over
stuff like XMSS is that there are no state-tracking problems.

However, there is certificational problem here: This will hold, but
can we get this certified enough?




-Ilari

v2.23.0 | Report a Bug | By Email