Re: [Crypto-panel] Fwd: [irsg] [Technical Errata Reported] RFC8391 (6024)

"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Thu, 11 June 2020 19:12 UTC

From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>, "crypto-panel@irtf.org" <crypto-panel@irtf.org>
CC: "cfrg-chairs@ietf.org" <cfrg-chairs@ietf.org>
Date: Thu, 11 Jun 2020 19:12:28 +0000
Message-ID: <BN7PR11MB2641C2A92E243A5A8E665162C1800@BN7PR11MB2641.namprd11.prod.outlook.com>
References: <20200318130152.57FD7F4071D@rfc-editor.org> <C7F982AB-F281-4AD2-BBB4-3C494CAED996@csperkins.org> <CAMr0u6=Qy-LRg7Ge5+TuaEivNAfSp_ncG9D2_nOQKOC=89RjtA@mail.gmail.com>
In-Reply-To: <CAMr0u6=Qy-LRg7Ge5+TuaEivNAfSp_ncG9D2_nOQKOC=89RjtA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/crypto-panel/ITgAeZNKhvGlUfQAJFPOqaLNZdE>

I volunteer; however I can’t read the link.  Did you send it correctly?

Actually, the corrected text you include below looks decent (although the discussion of SHA3 may be a bit misleading – SHA-3 has more than n/2 bits of security, which someone might assume from a quick reading of “The same applies for SHA3…”).

I’d want to see the full errata before I place my seal of approval, of course.

From: Crypto-panel <crypto-panel-bounces@irtf.org> On Behalf Of Stanislav V. Smyshlyaev
Sent: Thursday, June 11, 2020 1:57 PM
To: crypto-panel@irtf.org
Cc: cfrg-chairs@ietf.org
Subject: [Crypto-panel] Fwd: [irsg] [Technical Errata Reported] RFC8391 (6024)

Dear Crypto Review Panel members,

There is a need to validate the following errata:
https://www.rfc-editor.org/errata/eid6024

Any volunteers?

Regards,
CFRG chairs



---------- Forwarded message ---------
From: Colin Perkins <csp@csperkins.org>
Date: Sat, 6 June 2020 at 16:03
Subject: Fwd: [irsg] [Technical Errata Reported] RFC8391 (6024)
To: <cfrg-chairs@ietf.org>

Hi CFRG chairs,

Can you discuss, and review with the RG if necessary, and let me know if the following errata should be marked as verified.

Thanks,
Colin




Begin forwarded message:

From: RFC Errata System <rfc-editor@rfc-editor.org>
Subject: [irsg] [Technical Errata Reported] RFC8391 (6024)
Date: 18 March 2020 at 13:01:52 GMT
To: ietf@huelsing.net, dbutin@cdc.informatik.tu-darmstadt.de, ietf@gazdag.de, ietf@joostrijneveld.nl, mohaisen@ieee.org, irsg@irtf.org
Cc: ietf@huelsing.net, rfc-editor@rfc-editor.org

The following errata report has been submitted for RFC8391,
"XMSS: eXtended Merkle Signature Scheme".

--------------------------------------
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6024

--------------------------------------
Type: Technical
Reported by: Andreas Hülsing <ietf@huelsing.net>

Section: 5

Original Text
-------------
This section provides basic parameter sets that are assumed to cover most relevant applications.  Parameter sets for two classical security levels are defined.  Parameters with n = 32 provide a classical security level of 256 bits.  Parameters with n = 64 provide a classical security level of 512 bits.  Considering quantum-computer-aided attacks, these output sizes yield post-quantum security of 128 and 256 bits, respectively.

Corrected Text
--------------
This section provides basic parameter sets that are assumed to cover most relevant applications. Parameter sets for two classical security levels are defined using the cryptographic functions SHA2 and SHAKE.  Parameters with SHA2 and n = 32 provide a classical security level of 256 bits. Parameters with SHA2 and n = 64 provide a classical security level of 512 bits.  Considering quantum-computer-aided attacks, these parameters yield post-quantum security of 128 and 256 bits, respectively. Parameters with SHAKE and n = 32 provide a classical security level of 128 bits.  Parameters with SHAKE and n = 64 provide a classical security level of 256 bits.  Considering quantum-computer-aided attacks, these parameters yield post-quantum security of 86 and 170 bits, respectively.

Notes
-----
Traditionally, a hash function with n-bit outputs is assumed to have n-bit security against classical preimage and second-preimage attacks, and n/2-bit security against classical collision attacks. For adversaries with access to a quantum computer, these bounds change to n/2 and n/3 bits when only counting queries to the hash function. This also applies to SHA2 and SHA3. In contrast, SHAKE follows a different reasoning. SHAKE with an internal state of n bits and an output length of n bits achieves n/2 bit security against classical preimage, second-preimage and collision attacks. For quantum attacks security changes to n/3 bits. The reason is that SHAKE allows for meet-in-the-middle preimage attacks that reduce to a collision search on the internal state. The same applies for SHA3 but for SHA3 a bigger internal state is used.

In consequence, SHAKE-128 cannot provide more security than NIST post-quantum security level II (Any attack that breaks the relevant security definition must require computational resources comparable to or greater than those required for collision search on a 256-bit hash function (e.g. SHA256 / SHA3-256)).

Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party
can log in to change the status and edit the report, if necessary.

--------------------------------------
RFC8391 (draft-irtf-cfrg-xmss-hash-based-signatures-12)
--------------------------------------
Title               : XMSS: eXtended Merkle Signature Scheme
Publication Date    : May 2018
Author(s)           : A. Huelsing, D. Butin, S. Gazdag, J. Rijneveld, A. Mohaisen
Category            : INFORMATIONAL
Source              : Crypto Forum Research Group
Area                : N/A
Stream              : IRTF
Verifying Party     : IRSG
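
The argument in the erratum's Notes, that a sponge's preimage resistance is capped at half its capacity because a meet-in-the-middle attack reduces preimage finding to a collision search on the inner state, is easier to believe when run. The following is an added example written for this archive page; it is not code from RFC 8391, from the erratum, or from anyone in the thread. It builds a toy sponge with a 16-bit rate, a 16-bit capacity and a 16-bit output, deliberately matching the SHAKE128 situation the erratum describes (capacity 256 bits, XMSS output n = 32 bytes = 256 bits, so capacity equals output length), and then runs the attack: absorb candidate first blocks forwards, invert the permutation from guessed final states backwards, and bridge the two with a second block once an inner part matches. The permutation (a four-round Feistel network keyed by SHA-256), the absence of padding and the fixed two-block message shape are assumptions made to keep the toy small; real SHAKE differs in all three, but the cost of the attack scales the same way, roughly 2^(c/2) permutation evaluations against the 2^n a generic preimage search would need.

```python
# Toy sponge with 16-bit rate, 16-bit capacity and 16-bit output, plus the
# meet-in-the-middle preimage attack described in the erratum's Notes.
# Added example for this archive page, not code from RFC 8391 or its authors.
# The permutation, the lack of padding and the two-block message shape are
# assumptions chosen to keep the toy small; real SHAKE differs in all three.
import hashlib

RATE = 16          # bits of state XORed with each message block (outer part)
CAPACITY = 16      # bits the message never touches directly (inner part)
OUTPUT = 16        # digest length in bits; equal to CAPACITY here, as for
                   # SHAKE128 (c = 256) producing XMSS's n = 32 byte outputs
ROUNDS = 4


def _round_function(i: int, half: int) -> int:
    """PRF for the Feistel rounds: 16 bits of SHA-256(round || half)."""
    digest = hashlib.sha256(bytes([i]) + half.to_bytes(2, "big")).digest()
    return int.from_bytes(digest[:2], "big")


def permute(outer: int, inner: int) -> tuple[int, int]:
    """Invertible 32-bit permutation on (outer, inner): a balanced Feistel."""
    left, right = outer, inner
    for i in range(ROUNDS):
        left, right = right, left ^ _round_function(i, right)
    return left, right


def permute_inverse(outer: int, inner: int) -> tuple[int, int]:
    """Exact inverse of permute(); invertibility is what the attack exploits."""
    left, right = outer, inner
    for i in reversed(range(ROUNDS)):
        left, right = right ^ _round_function(i, left), left
    return left, right


def toy_sponge(blocks: list[int]) -> int:
    """Absorb each 16-bit block into the outer part, then squeeze 16 bits."""
    outer, inner = 0, 0
    for block in blocks:
        outer, inner = permute(outer ^ block, inner)
    return outer            # OUTPUT == RATE, so one squeeze block is enough


def mitm_preimage(target: int, limit: int = 1 << 14) -> tuple[list[int], int]:
    """Find a two-block message hashing to `target` by colliding inner parts.

    Forward: absorb one block m0 from the all-zero state and record the inner
    part.  Backward: the final state's outer part is forced to be `target`;
    guess its inner part x and invert the permutation once.  When a forward
    and a backward state share an inner part, the bridging block m1 is the XOR
    of their outer parts.  Expected cost is about 2^(CAPACITY/2) permutation
    evaluations, not the 2^OUTPUT of a generic preimage search.
    Returns (message_blocks, permutation_evaluations).
    """
    forward: dict[int, tuple[int, int]] = {}   # inner -> (m0, outer)
    backward: dict[int, int] = {}              # inner -> outer of P^-1(target, x)
    evaluations = 0
    for i in range(limit):
        # one forward candidate: message block m0 = i
        f_outer, f_inner = permute(i, 0)
        evaluations += 1
        forward.setdefault(f_inner, (i, f_outer))
        if f_inner in backward:
            return [i, f_outer ^ backward[f_inner]], evaluations
        # one backward candidate: final state (target, i) pulled back one step
        b_outer, b_inner = permute_inverse(target, i)
        evaluations += 1
        backward.setdefault(b_inner, b_outer)
        if b_inner in forward:
            m0, f_outer = forward[b_inner]
            return [m0, f_outer ^ b_outer], evaluations
    raise RuntimeError("no inner-state collision within the search limit")


def demo() -> dict:
    """Hash a constructed sample message, then recover a preimage of its digest."""
    target = toy_sponge([0x1234, 0xBEEF])      # constructed sample input
    preimage, work = mitm_preimage(target)
    return {
        "target": target,
        "preimage": preimage,
        "work": work,                          # permutation evaluations spent
        "generic_work": 1 << OUTPUT,           # brute-force preimage cost
        "verified": toy_sponge(preimage) == target,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` finds a preimage after a few hundred permutation evaluations, against 65536 for brute force on a 16-bit digest: the output length bought nothing beyond what the capacity allows. For SHAKE128 with 256-bit outputs the same reasoning gives roughly 2^128 rather than 2^256, which is the correction the erratum asks for.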