IETF Logo Mail Archive

Re: [Crypto-panel] Fwd: [irsg] [Technical Errata Reported] RFC8391 (6024)

"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Mon, 15 June 2020 11:58 UTC

Return-Path: <sfluhrer@cisco.com>
X-Original-To: crypto-panel@ietfa.amsl.com
Delivered-To: crypto-panel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF8443A0CE0 for <crypto-panel@ietfa.amsl.com>; Mon, 15 Jun 2020 04:58:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.597
X-Spam-Level:
X-Spam-Status: No, score=-9.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=g4jgqPwI; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=wumNhrjo
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Umt684nDX3bb for <crypto-panel@ietfa.amsl.com>; Mon, 15 Jun 2020 04:58:36 -0700 (PDT)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AB5443A0D18 for <crypto-panel@irtf.org>; Mon, 15 Jun 2020 04:58:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=35196; q=dns/txt; s=iport; t=1592222316; x=1593431916; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=mUot0nVMksronVOfIIiImUA+bxA91ZYiZ8PRcOQjnm4=; b=g4jgqPwI0p7eNFuuOZ/Lx9UCaHTPJWZgmyVfmJ32Wju7capwHohCQ30o V4jeHB6DFVAyo/LouM0YPVnH2PobeGuYrTI4bc75+NwaEiWjKflS3dkMk k+jqhTFliD1ijHtGOtKZ6v/FvY5Ezut82NvRDLcnNV+NKMoltTZoSb4ar c=;
IronPort-PHdr: 9a23:j+rCfRSgSFVv6RFikRDG0HapQdpsv++ubAcI9poqja5Pea2//pPkeVbS/uhpkESQBNmJ5PdNiu6QuKflCiQM4peE5XYFdpEEFxoIkt4fkAFoBsmZQVb6I/jnY21ffoxCWVZp8mv9PR1TH8DzNFLXq3y2qzUVH0a3OQ98PO+gHInUgoy+3Pyz/JuGZQJOiXK9bLp+IQ/wox/Ws5wdgJBpLeA6zR6arw==
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0CEAACOYede/4oNJK1mGQEBAQEBAQEBAQEBAQEBAQEBARIBAQEBAQEBAQEBAQGCCoEjLykoB29YLywKhBqDRgONPYl/jlOBQoEQA1ULAQEBDAEBIwoCBAEBgw6BNgIXghgCJDgTAgMBAQsBAQUBAQECAQYEbYVbDIVyAQEBAQMSEQoTAQE3AQ8CAQYCEQMBAQEhBwMCAgIfERQJCAIEDgUIGoMFgX5NAy4BDpgBkGgCgTmIYXaBMoMBAQEFhSgNC4IOAwaBOAGCY4cbgQiBQxqBQT+BEUOCTT6BBIEWgWk8Hg0Jgl4zgi2PEyeCaYY3gweYFEwKglmUNIUHgnCJGoUajUOddJFQAgQCBAUCDgEBBYFqIoFWcBUagwpQFwINjh4LGIECAQiCQ4UUhUJ0AjUCBgEHAQEDCXyNVC2BBgGBEAEB
X-IronPort-AV: E=Sophos;i="5.73,514,1583193600"; d="scan'208,217";a="767477797"
Received: from alln-core-5.cisco.com ([173.36.13.138]) by rcdn-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 15 Jun 2020 11:58:35 +0000
Received: from XCH-RCD-003.cisco.com (xch-rcd-003.cisco.com [173.37.102.13]) by alln-core-5.cisco.com (8.15.2/8.15.2) with ESMTPS id 05FBwZ4h029933 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 15 Jun 2020 11:58:35 GMT
Received: from xhs-aln-002.cisco.com (173.37.135.119) by XCH-RCD-003.cisco.com (173.37.102.13) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Mon, 15 Jun 2020 06:58:34 -0500
Received: from xhs-aln-003.cisco.com (173.37.135.120) by xhs-aln-002.cisco.com (173.37.135.119) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Mon, 15 Jun 2020 06:58:34 -0500
Received: from NAM11-DM6-obe.outbound.protection.outlook.com (173.37.151.57) by xhs-aln-003.cisco.com (173.37.135.120) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Mon, 15 Jun 2020 06:58:33 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=W1mz3T2N6UbZzoU3e5MQ+CdaLmMbg2CRplQQSza/b+0NYYoCOSYcln/62We/HtmWf5U7D7b1837/y1O87FIYMjBNV5nnTAwBTHML/DyqS1+F2VS7xpXr1Qc+PmA114EsVBPdt+IgZucXA0G9DzmgdaYAOR2DdmMxzcb7DtOuu9Nppg5ov3UB/dhejVK/in4/7fwngum20g3YelB2EhNzJ7NWuK+FTpieYi4bcYT2GLBWBdpK02H7XlyKElHuBSvGnlxI5kRXva7UNueWsqZ3HQ2/plGQ0tzGp17mZdEfl4qepYq/8aW4bhoBGcOk70AXPM25MRXpsrtSYmIcSk72JA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=mUot0nVMksronVOfIIiImUA+bxA91ZYiZ8PRcOQjnm4=; b=ZRsPQyLkULYVwDNHDd/+nUUYFm9qkysLqzK0CcmyKNJ798tTrOCPCCs1kmyEYaGFmrOg2C4TCfVlsNMBGuLkDkGrGNHPhH6Vy4PVZkE4G15cGmmuh7M1oJgTSkDxAqHUl4fMrAzuftLGLxMGwbbQS6AVYlXD8HjLQ5rXqAt6gL8fTfEdnzbcFwNLwYvX4IUCMQzPrWjRNMuCZ2aNhtKGQvUMlEkY0zmpAE8eYwnAY8UYXZiWIuwJ7ONCphdAZFDm1UMd02w4/NFfKm1En8XvQl2hZzUbXxkwP4QB0r66qVBzRokFchmPYOVzy67R+sH8wsRDCLn3C5DFj79g3kftSg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=mUot0nVMksronVOfIIiImUA+bxA91ZYiZ8PRcOQjnm4=; b=wumNhrjoEm1dblzB/4cimNrbhdcI64zsCyuTQk6APQOE+D+YOZiJ3PiuhAntT2z4TD2rK8Ovh4YwfUfVF8M/5YNknfVxgnVaEuI0iV5s6QEpAIZM94YfkXGhZXTlSu4BfGIeuFVO/l2JkHObl1CTQ0zAICd0eVR4PFhRrojZlSo=
Received: from BN7PR11MB2641.namprd11.prod.outlook.com (2603:10b6:406:b1::25) by BN8PR11MB3652.namprd11.prod.outlook.com (2603:10b6:408:87::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3088.21; Mon, 15 Jun 2020 11:58:33 +0000
Received: from BN7PR11MB2641.namprd11.prod.outlook.com ([fe80::35bd:ecae:1e28:58f5]) by BN7PR11MB2641.namprd11.prod.outlook.com ([fe80::35bd:ecae:1e28:58f5%5]) with mapi id 15.20.3088.029; Mon, 15 Jun 2020 11:58:32 +0000
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
CC: "crypto-panel@irtf.org" <crypto-panel@irtf.org>, "cfrg-chairs@ietf.org" <cfrg-chairs@ietf.org>
Thread-Topic: [Crypto-panel] Fwd: [irsg] [Technical Errata Reported] RFC8391 (6024)
Thread-Index: AQHWQBnJJGAZ+rJ0+0mRx3PaVn0UH6jTyyvggAWK8gCAAEFzQA==
Date: Mon, 15 Jun 2020 11:58:32 +0000
Message-ID: <BN7PR11MB2641D883BEAB8B248ABCF910C19C0@BN7PR11MB2641.namprd11.prod.outlook.com>
References: <20200318130152.57FD7F4071D@rfc-editor.org> <C7F982AB-F281-4AD2-BBB4-3C494CAED996@csperkins.org> <CAMr0u6=Qy-LRg7Ge5+TuaEivNAfSp_ncG9D2_nOQKOC=89RjtA@mail.gmail.com> <BN7PR11MB2641199090BA16B1DE9C1375C1800@BN7PR11MB2641.namprd11.prod.outlook.com> <CAMr0u6mg91h6DTWrmY7FmLnX3KP8LO+UEgvds9O9o_sD0M7syw@mail.gmail.com>
In-Reply-To: <CAMr0u6mg91h6DTWrmY7FmLnX3KP8LO+UEgvds9O9o_sD0M7syw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [173.38.117.76]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: c3b628e1-985f-4c32-0c02-08d811236d68
x-ms-traffictypediagnostic: BN8PR11MB3652:
x-microsoft-antispam-prvs: <BN8PR11MB365239F0ADF05BC7CB4B8960C19C0@BN8PR11MB3652.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 04359FAD81
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: +54SWCRslswCAhAo8r1jWMwbaSlHr3ge78bgQINyzA8pxfzziTW5No6zXtw9sz0WAKfw9mTo/wMQtSaUpkVoE5Sq6HNqWMSUfzuwV4PtzhrDremCZHbxTUXNMBkjeR9I2DQB3uU8YleTcPj4Vvoem5pdphXbkWPb8QQWqrMUw1CCKKmotpZ5ET/U7huzRCc6YZYJAxTDOqdEc3BSKUt1sL8QI8bOhJ+Dv+tTiedJrwXPN+q10DckCV7d97TOJMgH8lhtg5OLaey+qtve8/xX2y1dCqLPRYqYSP3MW8NNMmvjStuvopIHJJF1ZYWmRfkLUAwVC5eIkC/FXlYKA8d35j5jUm6tcOAprTAO+6kJWu25giCfKzylsPE7c6EKpiGJd0TDcn613yzFNmgVnG/NKQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN7PR11MB2641.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(136003)(366004)(39860400002)(376002)(396003)(346002)(7696005)(53546011)(6506007)(33656002)(6916009)(316002)(54906003)(8936002)(8676002)(66574014)(83380400001)(66446008)(4326008)(64756008)(66556008)(66476007)(66946007)(478600001)(9686003)(76116006)(166002)(5660300002)(55016002)(52536014)(186003)(86362001)(26005)(966005)(71200400001)(2906002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: N81MGRa+GKk0hyyhGv65oS3snNAdnKJee9BO6WQsxRG1goWnLbzDMT3Q5PT/DdtG1bFKCmqv72V3gm80Jbn5/+Y+zGD8njWm+KccTXz36Z7NnZslelbDn9Ye4Qr8/c90OBFu2W2Rca/yC1UwcMLn7QUodjvRqfyxImX5PlDZpU+Mcie/XAc7CTg0r4xjUQlmiTcomyVUcYcatsDMiEUCsRtVwPE6bVvYtQ9fLJjvf2kWTqL2rdwVceYCB4UEsTHVueznTIfIunGNl+I4M4Wj17L4gdm4vA9syHTxtjH6ltHSntQ07OqtM8WyFacgyl5k5qZH5fMN+KTh4yH3rBLaz+JDc8dxHfMd1uYAWVm6XQbiUwtM7ZrpUV+hLY3G3xKU1Nfpks7G4QSFAktwv5antQCTkDPjgMCvW8RRckOI9OiJSKlBYs0jbnIQHLQjp9Ff04pORgEB2v5iWXwC59g5n3bkb/0qH0pgPvpgM1FghhA=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_BN7PR11MB2641D883BEAB8B248ABCF910C19C0BN7PR11MB2641namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: c3b628e1-985f-4c32-0c02-08d811236d68
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Jun 2020 11:58:32.8448 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: WJBBTMF7wKObt1VsSsLm23l2wNX2BEiqRjS6zGDnaD+y5nz5ydOkPNYtqsbV2Zp+xLoaJU/wmgYHre9vrTwHJA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN8PR11MB3652
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.13, xch-rcd-003.cisco.com
X-Outbound-Node: alln-core-5.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/crypto-panel/Inc4mRT2TCibfI2wEIsIWm6RZeE>
Subject: Re: [Crypto-panel] Fwd: [irsg] [Technical Errata Reported] RFC8391 (6024)
X-BeenThere: crypto-panel@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <crypto-panel.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/crypto-panel>, <mailto:crypto-panel-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/crypto-panel/>
List-Post: <mailto:crypto-panel@irtf.org>
List-Help: <mailto:crypto-panel-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/crypto-panel>, <mailto:crypto-panel-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Jun 2020 11:58:41 -0000

Actually, I’d be happy either way (as these are ‘nits’, not real problems).  Those changes would be my suggestion.

From: Stanislav V. Smyshlyaev <smyshsv@gmail.com>
Sent: Monday, June 15, 2020 4:01 AM
To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
Cc: crypto-panel@irtf.org; cfrg-chairs@ietf.org
Subject: Re: [Crypto-panel] Fwd: [irsg] [Technical Errata Reported] RFC8391 (6024)

Many thanks, Scott!

Therefore, you will be happy if the proposed change is applied, with the revised version of notes, dropping the sentences "The same applies for SHA3 ... " and "(Any attack that breaks...", – right?

Regards,
Stanislav


On Thu, 11 Jun 2020 at 22:48, Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com<mailto:sfluhrer@cisco.com>> wrote:
The text looks correct, however I do have a few nits about the notes.  One is the reference to SHA3, which on a quick read might be misleading; here is some alterative text:

The reason is that SHAKE allows for meet-in-the-middle preimage attacks that reduce to a collision search on the internal state. These internal collision attacks do not affect the security of SHA3, because of the larger capacity used.

Alternatively, just drop the reference to SHA3, which isn’t relevent to XMSS.

The other nit is with the sentence that starts:

Any attack that breaks the relevant security definition must require computational resources…

That sort of statement always has an implicit assumption of the form “unless someone has a cryptographical result against the SHA-3 permutation”; while we are used to that sort of assumption, a causal reader might not be.  I don’t see what that sentence brings to the table; I’d suggest dropping it.

From: Crypto-panel <crypto-panel-bounces@irtf.org<mailto:crypto-panel-bounces@irtf.org>> On Behalf Of Stanislav V. Smyshlyaev
Sent: Thursday, June 11, 2020 1:57 PM
To: crypto-panel@irtf.org<mailto:crypto-panel@irtf.org>
Cc: cfrg-chairs@ietf.org<mailto:cfrg-chairs@ietf.org>
Subject: [Crypto-panel] Fwd: [irsg] [Technical Errata Reported] RFC8391 (6024)

Dear Crypto Review Panel members,

There is a need to validate the following errata:
https://www.rfc-editor.org/errata/eid6024<https://www.rfc-editor..org/errata/eid6024>

Any volunteers?

Regards,
CFRG chairs



---------- Пересылаемое сообщение ---------
От: Colin Perkins <csp@csperkins.org<mailto:csp@csperkins.org>>
Дата: сб, 6 июня 2020 г. в 16:03
Тема: Fwd: [irsg] [Technical Errata Reported] RFC8391 (6024)
Кому: <cfrg-chairs@ietf.org<mailto:cfrg-chairs@ietf.org>>

Hi CFRG chairs,

Can you discuss, and review with the RG if necessary, and let me know  if the following errata should be marked as verified.

Thanks,
Colin



Begin forwarded message:

From: RFC Errata System <rfc-editor@rfc-editor.org<mailto:rfc-editor@rfc-editor.org>>
Subject: [irsg] [Technical Errata Reported] RFC8391 (6024)
Date: 18 March 2020 at 13:01:52 GMT
To: ietf@huelsing.net<mailto:ietf@huelsing.net>, dbutin@cdc.informatik.tu-darmstadt.de<mailto:dbutin@cdc.informatik.tu-darmstadt.de>, ietf@gazdag.de<mailto:ietf@gazdag.de>, ietf@joostrijneveld.nl<mailto:ietf@joostrijneveld.nl>, mohaisen@ieee.org<mailto:mohaisen@ieee.org>, irsg@irtf.org<mailto:irsg@irtf.org>
Cc: ietf@huelsing.net<mailto:ietf@huelsing.net>, rfc-editor@rfc-editor.org<mailto:rfc-editor@rfc-editor.org>

The following errata report has been submitted for RFC8391,
"XMSS: eXtended Merkle Signature Scheme".

--------------------------------------
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6024

--------------------------------------
Type: Technical
Reported by: Andreas Hülsing <ietf@huelsing.net<mailto:ietf@huelsing.net>>

Section: 5

Original Text
-------------
This section provides basic parameter sets that are assumed to cover most relevant applications.  Parameter sets for two classical security levels are defined.  Parameters with n = 32 provide a classical security level of 256 bits.  Parameters with n = 64 provide a classical security level of 512 bits.  Considering quantum-computer-aided attacks, these output sizes yield post-quantum security of 128 and 256 bits, respectively.

Corrected Text
--------------
This section provides basic parameter sets that are assumed to cover most relevant applications. Parameter sets for two classical security levels are defined using the cryptographic functions SHA2 and SHAKE.  Parameters with SHA2 and n = 32 provide a classical security level of 256 bits. Parameters with SHA2 and n = 64 provide a classical security level of 512 bits.  Considering quantum-computer-aided attacks, these parameters yield post-quantum security of 128 and 256 bits, respectively. Parameters with SHAKE and n = 32 provide a classical security level of 128 bits.  Parameters with SHAKE and n = 64 provide a classical security level of 256 bits.  Considering quantum-computer-aided attacks, these parameters yield post-quantum security of 86 and 170 bits, respectively.

Notes
-----
Traditionally, a hash function with n-bit outputs is assumed to have n-bit security against classical preimage and second-preimage attacks, and n/2-bit security against classical collision attacks. For adversaries with access to a quantum computer, these bounds change to n/2 and n/3 bits when only counting queries to the hash function. This also applies to SHA2 and SHA3. In contrast, SHAKE follows a different reasoning. SHAKE with an internal state of n bits and an output length of n bits achieves n/2 bit security against classical preimage, second-preimage and collision attacks. For quantum attacks security changes to n/3 bits. The reason is that SHAKE allows for meet-in-the-middle preimage attacks that reduce to a collision search on the internal state. The same applies for SHA3 but for SHA3 a bigger internal state is used.

In consequence, SHAKE-128 cannot provide more security than NIST post-quantum security level II (Any attack that breaks the relevant security definition must require computational resources comparable to or greater than those required for collision search on a 256-bit hash function (e.g. SHA256 / SHA3-256)).

Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party
can log in to change the status and edit the report, if necessary.

--------------------------------------
RFC8391 (draft-irtf-cfrg-xmss-hash-based-signatures-12)
--------------------------------------
Title               : XMSS: eXtended Merkle Signature Scheme
Publication Date    : May 2018
Author(s)           : A. Huelsing, D. Butin, S. Gazdag, J. Rijneveld, A.. Mohaisen
Category            : INFORMATIONAL
Source              : Crypto Forum Research Group
Area                : N/A
Stream              : IRTF
Verifying Party     : IRSG

v2.23.0 | Report a Bug | By Email