[Crypto-panel] Fwd: [irsg] [Technical Errata Reported] RFC8391 (6024)

"Stanislav V. Smyshlyaev" <smyshsv@gmail.com> Thu, 11 June 2020 17:57 UTC


Dear Crypto Review Panel members,

There is a need to validate the following errata:
https://www.rfc-editor.org/errata/eid6024

Any volunteers?

Regards,
CFRG chairs



---------- Forwarded message ---------
From: Colin Perkins <csp@csperkins.org>
Date: Sat, 6 Jun 2020 at 16:03
Subject: Fwd: [irsg] [Technical Errata Reported] RFC8391 (6024)
To: <cfrg-chairs@ietf.org>


Hi CFRG chairs,

Can you discuss, and review with the RG if necessary, and let me know if
the following errata should be marked as verified.

Thanks,
Colin



Begin forwarded message:

From: RFC Errata System <rfc-editor@rfc-editor.org>
Subject: [irsg] [Technical Errata Reported] RFC8391 (6024)
Date: 18 March 2020 at 13:01:52 GMT
To: ietf@huelsing.net, dbutin@cdc.informatik.tu-darmstadt.de, ietf@gazdag.de, ietf@joostrijneveld.nl, mohaisen@ieee.org, irsg@irtf.org
Cc: ietf@huelsing.net, rfc-editor@rfc-editor.org

The following errata report has been submitted for RFC8391,
"XMSS: eXtended Merkle Signature Scheme".

--------------------------------------
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6024

--------------------------------------
Type: Technical
Reported by: Andreas Hülsing <ietf@huelsing.net>

Section: 5

Original Text
-------------
This section provides basic parameter sets that are assumed to cover most
relevant applications.  Parameter sets for two classical security levels
are defined.  Parameters with n = 32 provide a classical security level of
256 bits.  Parameters with n = 64 provide a classical security level of 512
bits.  Considering quantum-computer-aided attacks, these output sizes yield
post-quantum security of 128 and 256 bits, respectively.

Corrected Text
--------------
This section provides basic parameter sets that are assumed to cover most
relevant applications. Parameter sets for two classical security levels are
defined using the cryptographic functions SHA2 and SHAKE.  Parameters with
SHA2 and n = 32 provide a classical security level of 256 bits. Parameters
with SHA2 and n = 64 provide a classical security level of 512 bits.
Considering quantum-computer-aided attacks, these parameters yield
post-quantum security of 128 and 256 bits, respectively. Parameters with
SHAKE and n = 32 provide a classical security level of 128 bits.
Parameters with SHAKE and n = 64 provide a classical security level of 256
bits.  Considering quantum-computer-aided attacks, these parameters yield
post-quantum security of 86 and 170 bits, respectively.

Notes
-----
Traditionally, a hash function with n-bit outputs is assumed to have n-bit
security against classical preimage and second-preimage attacks, and
n/2-bit security against classical collision attacks. For adversaries with
access to a quantum computer, these bounds change to n/2 and n/3 bits when
only counting queries to the hash function. This also applies to SHA2 and
SHA3. In contrast, SHAKE follows a different reasoning. SHAKE with an
internal state of n bits and an output length of n bits achieves n/2 bit
security against classical preimage, second-preimage and collision attacks.
For quantum attacks security changes to n/3 bits. The reason is that SHAKE
allows for meet-in-the-middle preimage attacks that reduce to a collision
search on the internal state. The same applies for SHA3 but for SHA3 a
bigger internal state is used.

In consequence, SHAKE-128 cannot provide more security than NIST
post-quantum security level II (Any attack that breaks the relevant
security definition must require computational resources comparable to or
greater than those required for collision search on a 256-bit hash function
(e.g. SHA256 / SHA3-256)).

Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party
can log in to change the status and edit the report, if necessary.

--------------------------------------
RFC8391 (draft-irtf-cfrg-xmss-hash-based-signatures-12)
--------------------------------------
Title               : XMSS: eXtended Merkle Signature Scheme
Publication Date    : May 2018
Author(s)           : A. Huelsing, D. Butin, S. Gazdag, J. Rijneveld, A. Mohaisen
Category            : INFORMATIONAL
Source              : Crypto Forum Research Group
Area                : N/A
Stream              : IRTF
Verifying Party     : IRSG
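The security bookkeeping behind the erratum's corrected numbers, as an added Python example (not code from the RFC or its authors): it computes the bounds the original Section 5 text implies and the erratum's corrected bounds for each hash function and n, assuming that the "internal state" in the Notes means the capacity of SHAKE128 (256 bits, paired with n = 32) and SHAKE256 (512 bits, paired with n = 64). The exact quantum values it returns, 256/3 and 512/3, are the ones the erratum quotes as 86 and 170 bits.

```python
from fractions import Fraction
from typing import NamedTuple

# Added example modelling the reasoning in erratum 6024's Notes (not RFC code).
# Assumption (not stated on the page): the "internal state of n bits" in the
# note is the capacity the RFC pairs with each output length, i.e. SHAKE128
# (256-bit capacity) for n = 32 and SHAKE256 (512-bit capacity) for n = 64.
SHAKE_CAPACITY_BITS = {32: 256, 64: 512}

class Level(NamedTuple):
    classical: Fraction  # bits against classical (second-)preimage search
    quantum: Fraction    # bits when only counting quantum hash queries

def rfc_claimed(n: int) -> Level:
    """Original Section 5 text: an n-byte output gives 8n classical bits,
    halved against a quantum adversary, whatever the function."""
    bits = 8 * n
    return Level(Fraction(bits), Fraction(bits, 2))

def corrected(function: str, n: int) -> Level:
    """Erratum model: SHA2 keeps the generic bounds; for SHAKE a
    meet-in-the-middle preimage attack reduces to collision search on the
    internal state, capping security at state/2 (classical) and state/3
    (quantum) regardless of the output length."""
    generic = rfc_claimed(n)
    if function == "SHA2":
        return generic
    if function == "SHAKE":
        state = SHAKE_CAPACITY_BITS[n]
        return Level(min(generic.classical, Fraction(state, 2)),
                     min(generic.quantum, Fraction(state, 3)))
    raise ValueError(f"unsupported function {function!r}")

def overstatement(function: str, n: int) -> Level:
    """Bits by which the original Section 5 text over-claims a parameter set."""
    old, new = rfc_claimed(n), corrected(function, n)
    return Level(old.classical - new.classical, old.quantum - new.quantum)

if __name__ == "__main__":
    for function in ("SHA2", "SHAKE"):
        for n in (32, 64):
            lvl, gap = corrected(function, n), overstatement(function, n)
            print(f"{function} n={n}: classical {float(lvl.classical):.1f} bits, "
                  f"quantum {float(lvl.quantum):.1f} bits "
                  f"(original text over-claims {float(gap.classical):.0f}/{float(gap.quantum):.1f})")
```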