Re: [Crypto-panel] [CFRG] Can I have a review of draft-fluhrer-lms-more-parm-sets?

"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Sat, 13 February 2021 04:13 UTC

From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Jon Callas <jon@callas.org>, "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
CC: "crypto-panel@irtf.org" <crypto-panel@irtf.org>, "cfrg-chairs@ietf.org" <cfrg-chairs@ietf.org>, Russ Housley <housley@vigilsec.com>
Date: Sat, 13 Feb 2021 04:13:10 +0000
Message-ID: <BN7PR11MB2641B951100EB5C8AD3023A2C18A9@BN7PR11MB2641.namprd11.prod.outlook.com>
References: <BN7PR11MB264152C19ECEFD79A61E7DDDC18F9@BN7PR11MB2641.namprd11.prod.outlook.com> <CAMr0u6nG-APMtEOn=xYdjBF0q3So6UEp-Nu0aB8tNEr154KNoA@mail.gmail.com> <EA7EDC73-C399-4089-B89A-0B6EF89EDC21@callas.org>
In-Reply-To: <EA7EDC73-C399-4089-B89A-0B6EF89EDC21@callas.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/crypto-panel/6m0EcLvMr77Vcn83xO761fcgC8s>

Thank you for your review; I will be gathering together these editorial comments and updating the draft to reflect them.

I do want to make a response to your "whiny suggestion" (not that I would classify it as whiny).  It is not generally true that a truncated SHA-512 would be faster than SHA-256 on a 64 bit processor (unless the message you're signing is long).

Here's why: the SHA-512 hash compression function takes perhaps 50% more time than the SHA-256 hash compression function - however, it processes twice as much input, and so if you are hashing a long message, you end up processing it perhaps 30% faster.  That's fine for hashing long messages - LMS doesn't spend most of its time doing that.  Instead, a large majority of the hashes are done processing the LM-OTS Winternitz chains, and the hashes there are carefully crafted to fit within 55 bytes (the most that SHA-256 can hash with a single hash compression call); replacing SHA-256 with SHA-512 would still have each step do a single hash compression call, but that hash compression call would take 50% longer.

Of course, there are a number of other hash functions within the hierarchy; however the LM-OTS hashes are the large majority (unless you happen to pick a tiny W), and so you'll end up spending more time.

The only exception would be the initial message hash - if you are signing a sufficiently long message, then the bulk of the time would be spent during the initial message hash (where the superior bulk message performance of SHA-512 is relevant) - of course, if that were the case, another possibility would be to just hash the message with SHA-512, and then sign the hash using LMS with SHA-256.

> -----Original Message-----
> From: Jon Callas <jon@callas.org>
> Sent: Friday, February 12, 2021 9:04 PM
> To: Stanislav V. Smyshlyaev <smyshsv@gmail.com>
> Cc: Jon Callas <jon@callas.org>; crypto-panel@irtf.org; cfrg-chairs@ietf.org;
> Russ Housley <housley@vigilsec.com>; Scott Fluhrer (sfluhrer)
> <sfluhrer@cisco.com>
> Subject: Re: [Crypto-panel] [CFRG] Can I have a review of draft-fluhrer-lms-
> more-parm-sets?
> 
> 
> 
> > On Feb 9, 2021, at 9:41 AM, Stanislav V. Smyshlyaev <smyshsv@gmail.com>
> wrote:
> >
> > Dear Crypto Review Panel members,
> >
> > We would like to ask you to review additional parameter sets for LMS
> defined in https://datatracker.ietf.org/doc/draft-fluhrer-lms-more-parm-
> sets/
> >
> > We have already obtained support from Russ Housley (thanks a lot, Russ!);
> could we ask for one more review?
> >
> 
> Summary:
> 
> It's great, I approve. Two comments follow; one on consistency of
> terminology that I believe is important and one about algorithm choice that
> I don't expect to be addressed, but I had to make.
> 
> Consistency in Editing:
> 
> In general, the draft uses "SHA256/192" for the truncated SHA256, and
> "SHAKE256-xxx" for a SHAKE hash. That is to say, a slash is used with SHA and
> a hyphen with SHAKE. Sometimes this is inconsistent and it caused me
> consternation when my brain interpreted a slash to mean SHA and a hyphen
> to mean SHAKE. Given that SHAKE starts with SHA and there's lots of 256s
> being thrown around, it's really, really important to get this right, else
> someone's going to make a mistake that will cause tears. I would even
> support something too clever by half like using "SHA" to mean "SHA256/192"
> for further aid to the mildly dyslexic like me. There are also places where
> "SHA256" is written as "SHA-256." For example, Section 6 has all of these
> inconsistencies. Please be consistent.
> 
> Whiny suggestion:
> 
> There's a construction for a variable-length output version of SHA512 called
> "SHA512/t" which is documented in <https://eprint.iacr.org/2010/548.pdf>.
> On a 64-bit processor, SHA512 is faster than SHA256, often like 30-40%
> faster. SHA512/t has changes to IVs to give different outputs. Section 3.1 of
> this draft explains why IV changes aren't needed, so this draft could easily
> have an option for a 192-bit truncation of SHA512. I know that at this date, it's
> a big ask and arguably gilding the lily. It might even be a fine thing for another
> document that throws that in, too. It might also be entirely too much to have
> even more options. I was unable to pull my hands back from the keyboard,
> though, because the whole point of this draft is for smaller, faster signatures
> and the performance improvement of SHA512 leaps to mind. If you wanted
> to add that in, I'd smile -- after all, the name of the draft is "more
> parameters." I don't expect it.
> 
> All in all, a nicely done, elegant draft.
> 
> 	Jon
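The argument above turns on how many compression-function calls each hash needs per LM-OTS chain step, not on bulk throughput. The following is an added example (not code from this thread, from the draft, or from any LMS implementation) that makes that concrete: it builds the RFC 8554 chain-step input `I || u32str(q) || u16str(i) || u8str(j) || tmp`, counts Merkle-Damgard compression calls for SHA-256 (64-byte block, 8-byte length field) and SHA-512 (128-byte block, 16-byte length field), and walks a Winternitz chain with truncated SHA-256. The chain walk is a simplified illustration, not a full LM-OTS signer; `lmots_chain`, `time_hash` and the 16-byte all-`0x01` identifier `I` are assumptions for illustration only.

```python
import hashlib
import struct
import time

# Merkle-Damgard parameters of the two hashes discussed in the thread:
# (block size, size of the trailing length field). The padding is one 0x80
# byte, zeros, then the length field, so one block holds at most
# block - 1 - lenfield message bytes: 55 for SHA-256, 111 for SHA-512.
SHA256_BLOCK, SHA256_LENFIELD = 64, 8
SHA512_BLOCK, SHA512_LENFIELD = 128, 16


def single_block_budget(block, lenfield):
    """Largest message length that still costs exactly one compression call."""
    return block - 1 - lenfield


def compression_calls(msg_len, block, lenfield):
    """Compression-function invocations needed to hash msg_len bytes (ceil division)."""
    return -(-(msg_len + 1 + lenfield) // block)


def lmots_chain_input(I, q, i, j, tmp):
    """RFC 8554 LM-OTS chain-step input: I || u32str(q) || u16str(i) || u8str(j) || tmp.

    I is the 16-byte key-pair identifier, q the leaf index, i the chain index,
    j the position within the chain and tmp the current n-byte chain value.
    ">IHB" packs 4 + 2 + 1 = 7 bytes big-endian with no alignment padding.
    """
    if len(I) != 16:
        raise ValueError("I must be the 16-byte LMS key-pair identifier")
    return I + struct.pack(">IHB", q, i, j) + tmp


def chain_input_len(n):
    """Bytes hashed per chain step for an n-byte hash: 55 for n=32, 47 for n=24 (SHA256/192)."""
    return len(lmots_chain_input(b"\x00" * 16, 0, 0, 0, b"\x00" * n))


def lmots_chain(I, q, i, start, steps, tmp, n=32):
    """Walk a Winternitz chain `steps` times from position `start` with SHA-256 truncated to n bytes.

    Illustrative helper (an assumption of this example), not a full LM-OTS implementation.
    """
    for j in range(start, start + steps):
        tmp = hashlib.sha256(lmots_chain_input(I, q, i, j, tmp)).digest()[:n]
    return tmp


def time_hash(name, msg_len, reps):
    """Average seconds per call of hashlib.<name> on a msg_len-byte message (constructed input)."""
    msg = b"\xa5" * msg_len
    h = getattr(hashlib, name)
    t0 = time.perf_counter()
    for _ in range(reps):
        h(msg).digest()
    return (time.perf_counter() - t0) / reps


if __name__ == "__main__":
    # Chain steps: one compression call for either hash, so SHA-512 cannot win here.
    for n in (32, 24):
        L = chain_input_len(n)
        print(f"n={n}: chain input {L} bytes -> SHA-256 calls "
              f"{compression_calls(L, SHA256_BLOCK, SHA256_LENFIELD)}, SHA-512 calls "
              f"{compression_calls(L, SHA512_BLOCK, SHA512_LENFIELD)}")
    # Long message: SHA-512 needs roughly half as many compression calls.
    big = 1 << 20
    print(f"{big} bytes: SHA-256 calls {compression_calls(big, SHA256_BLOCK, SHA256_LENFIELD)}, "
          f"SHA-512 calls {compression_calls(big, SHA512_BLOCK, SHA512_LENFIELD)}")
    for L, reps in ((chain_input_len(32), 20000), (big, 100)):
        print(f"{L} bytes: sha256 {time_hash('sha256', L, reps) * 1e6:.2f} us, "
              f"sha512 {time_hash('sha512', L, reps) * 1e6:.2f} us per call")
    # Example of the alternative in the last paragraph: pre-hash with SHA-512, sign the digest.
    I, q, i = b"\x01" * 16, 7, 3
    msg_digest = hashlib.sha512(b"\xa5" * big).digest()
    print("chain over SHA-512 pre-hash:", lmots_chain(I, q, i, 0, 4, msg_digest[:32]).hex())
```

The structural counts are what the argument rests on: a 55-byte (or 47-byte, for n=24) chain input costs one compression call under either hash, so only the per-call cost matters there, while a 1 MiB message costs about half as many SHA-512 calls as SHA-256 calls. The `time_hash` numbers are machine-dependent and not part of the argument; in particular, on CPUs with dedicated SHA-256 instructions (x86 SHA-NI, Armv8 SHA2) SHA-256 can beat SHA-512 even on long inputs, so measure before picking a parameter set on performance grounds.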