[COSE] Re: Support for draft-ietf-cose-falcon

Russ Housley <housley@vigilsec.com> Thu, 25 July 2024 23:29 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB9EDC14F604 for <cose@ietfa.amsl.com>; Thu, 25 Jul 2024 16:29:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=vigilsec.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YRCL6L1CqOwd for <cose@ietfa.amsl.com>; Thu, 25 Jul 2024 16:29:17 -0700 (PDT)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9451EC14F5EA for <cose@ietf.org>; Thu, 25 Jul 2024 16:29:17 -0700 (PDT)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id DF6CA12C6A4; Thu, 25 Jul 2024 19:29:16 -0400 (EDT)
Received: from smtpclient.apple (pfs.iad.rg.net [198.180.150.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id 9D5FE12C168; Thu, 25 Jul 2024 19:29:16 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <AE70EE3F-3E48-405E-91D0-2557606D92DF@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_38B28391-2CC2-4D5C-9E75-6E0232E991E6"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6.1.1\))
Date: Thu, 25 Jul 2024 19:29:05 -0400
In-Reply-To: <CAPmVn1MfHBFw4nYGFyxijiZ5V3bjMFzV+2m9BY+12noNOGWpFQ@mail.gmail.com>
To: Brendan Moran <Brendan.Moran@arm.com>
References: <CAPmVn1O5ib_OUOKAbdXMc6P1yLEgj00EuPqRSq2UGrfgdzdn8g@mail.gmail.com> <3415CE52-43F7-4F00-90BD-42DE0EF059E3@vigilsec.com> <CAPmVn1MfHBFw4nYGFyxijiZ5V3bjMFzV+2m9BY+12noNOGWpFQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3731.700.6.1.1)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=vigilsec.com; h=from:message-id:content-type:mime-version:subject:date:in-reply-to:cc:to:references; s=pair-202402141609; bh=scXTzx5LdBRYReu7WFIUIIw+/Sba9q9AHk5LQ8BB2RM=; b=MaY6haeg8d3dhP8qU8wEjyUfy2PRp5BET8XVT1kCng53o9eQP8FALkCLp0wGgbNnu0uw0lkhLoetU5U8hKdrpyfEiK7JV8CtWoEpy5XRn/vS/RbfGRwTWLv1EDbW/gPL0k1XW2H+X38MuFHSXJ3u8Ry8PpcM+C3E9YWYyY56MqzpsnrrbDpli8vFmhRVAYwVwgkZR9P4G8qkbNyBVxpU1lvFVCB5KnqRhyFEG4MA1oKiwyDFOWDPCg0q1Dix1xG+LXJFVGYhXKAWkK1bmfACdlNefZ4tTIvRIsTQb39WZM2jDu9GGLRNzxudIvuRdF5BTVzOJSEvkQa6Bu1ptTqMKA==
X-Scanned-By: mailmunge 3.11 on 66.39.134.11
Message-ID-Hash: CSJ7OZ6VMSK24JJXYQH2MNEWVPQ22BDC
X-Message-ID-Hash: CSJ7OZ6VMSK24JJXYQH2MNEWVPQ22BDC
X-MailFrom: housley@vigilsec.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-cose.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: cose <cose@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [COSE] Re: Support for draft-ietf-cose-falcon
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/LI236QfuRuEQKao4vhkomVSpCLA>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Owner: <mailto:cose-owner@ietf.org>
List-Post: <mailto:cose@ietf.org>
List-Subscribe: <mailto:cose-join@ietf.org>
List-Unsubscribe: <mailto:cose-leave@ietf.org>

Brendan:

I thought that ECDSA and EdDSA were the algorithms that people expected to use for signing reports.

Russ

> On Jul 25, 2024, at 7:26 PM, Brendan Moran <brendan.moran.ietf@gmail.com> wrote:
> 
> Hi Russ,
> 
> Yes, I’m absolutely referring to constrained devices verifying signatures. This is there primary reason for my support.
> 
> That said, I think it’s an open question whether HSS-LMS or Falcon is more appropriate for a constrained device signing reports in response to firmware loading. HSS-LMS has a fixed number of reports and a strategy key, while Falcon may have a timing side-channel, depending on implementation.
> 
> I don’t think it’s clear that one or the other is preferable.
> 
> Brendan
> 
> 
> On Thu, 25 Jul 2024 at 16:21, Russ Housley <housley@vigilsec.com <mailto:housley@vigilsec.com>> wrote:
>> Brendan:
>> 
>> Are you talking about verification of Falcon signatures for code signing?  That seems reasonable.
>> 
>> If you are talking about constrained devices signing reports when firmware is loaded, then I think that the Falcon floating point operations associated with key generation will be a problem.
>> 
>> Russ
>> 
>> 
>> > On Jul 25, 2024, at 6:58 PM, Brendan Moran <brendan.moran.ietf@gmail.com <mailto:brendan.moran.ietf@gmail.com>> wrote:
>> > 
>> > I want to voice my support for draft-ietf-cose-falcon.
>> > 
>> > To give some context, constrained devices currently are limited to
>> > ECDSA, EDDSA, or HSS-LMS. For those deploying devices with PQC
>> > support, there is only one option: HSS-LMS. This presents a big
>> > problem: HSS-LMS requires stateful private keys that have race
>> > conditions in backup scenarios. In other words, HSS-LMS is risky but
>> > it's the best option we have.
>> > 
>> > I think Falcon would be a much better option for constrained device
>> > code signing. To be clear, what we're discussing here is constrained
>> > devices verifying signatures, with the signers potentially air-gapped,
>> > so side channels & floating point are a non-issue.
>> > 
>> > The signature size is smaller than HSS-LMS with an equivalent number
>> > of bits of security and there's no state on the private key.
>> > 
>> > This makes Falcon ideal for delivering firmware updates and secure
>> > boot of constrained devices, where the cost of delivering a SPHINCS+
>> > signature, for example, would be prohibitive.
>> > 
>> > Best Regards,
>> > Brendan
>> 
>> _______________________________________________
>> COSE mailing list -- cose@ietf.org <mailto:cose@ietf.org>
>> To unsubscribe send an email to cose-leave@ietf.org <mailto:cose-leave@ietf.org>