Re: [Crypto-panel] [CFRG] Can I have a review of draft-fluhrer-lms-more-parm-sets?

Jon Callas <jon@callas.org> Sat, 13 February 2021 02:04 UTC

From: Jon Callas <jon@callas.org>
In-Reply-To: <CAMr0u6nG-APMtEOn=xYdjBF0q3So6UEp-Nu0aB8tNEr154KNoA@mail.gmail.com>
Date: Fri, 12 Feb 2021 18:04:21 -0800
Cc: Jon Callas <jon@callas.org>, crypto-panel@irtf.org, cfrg-chairs@ietf.org, Russ Housley <housley@vigilsec.com>, Scott Fluhrer <sfluhrer@cisco.com>
Message-Id: <EA7EDC73-C399-4089-B89A-0B6EF89EDC21@callas.org>
References: <BN7PR11MB264152C19ECEFD79A61E7DDDC18F9@BN7PR11MB2641.namprd11.prod.outlook.com> <CAMr0u6nG-APMtEOn=xYdjBF0q3So6UEp-Nu0aB8tNEr154KNoA@mail.gmail.com>
To: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/crypto-panel/zBjyGDLz3Gzo2u09hjOlzcZlbqI>


> On Feb 9, 2021, at 9:41 AM, Stanislav V. Smyshlyaev <smyshsv@gmail.com> wrote:
> 
> Dear Crypto Review Panel members,
> 
> We would like to ask you to review additional parameter sets for LMS defined in https://datatracker.ietf.org/doc/draft-fluhrer-lms-more-parm-sets/
> 
> We have already obtained support from Russ Housley (thanks a lot, Russ!); could we ask for one more review?
> 

Summary:

It's great, I approve. Two comments follow; one on consistency of terminology that I believe is important and one about algorithm choice that I don't expect to be addressed, but I had to make.

Consistency in Editing:

In general, the draft uses "SHA256/192" for the truncated SHA256, and "SHAKE256-xxx" for a SHAKE hash. That is to say, a slash is used with SHA and a hyphen with SHAKE. Sometimes this is inconsistent and it caused me consternation when my brain interpreted a slash to mean SHA and a hyphen to mean SHAKE. Given that SHAKE starts with SHA and there's lots of 256s being thrown around, it's really, really important to get this right, else someone's going to make a mistake that will cause tears. I would even support something too clever by half like using "SHA" to mean "SHA256/192" for further aid to the mildly dyslexic like me. There are also places where "SHA256" is written as "SHA-256." For example, Section 6 has all of these inconsistencies. Please be consistent.

Whiny suggestion:

There's a construction for a variable-length output version of SHA512 called "SHA512/t" which is documented in <https://eprint.iacr.org/2010/548.pdf>. On a 64-bit processor, SHA512 is faster than SHA256, often like 30-40% faster. SHA512/t has changes to IVs to give different outputs. Section 3.1 of this draft explains why IV changes aren't needed, so this draft could easily have an option for a 192-bit truncation of SHA512. I know that at this date, it's a big ask and arguably gilding the lily. It might even be a fine thing for another document that throws that in, too. It might also be entirely too much to have even more options. I was unable to pull my hands back from the keyboard, though, because the whole point of this draft is for smaller, faster signatures and the performance improvement of SHA512 leaps to mind. If you wanted to add that in, I'd smile -- after all, the name of the draft is "more parameters." I don't expect it.

All in all, a nicely done, elegant draft.

	Jon
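The following is an added example, not code from the draft or from the reviewer, that makes the "whiny suggestion" concrete: it builds SHA256/192 as the draft defines it (SHA-256 output cut to 24 bytes), a hypothetical SHA-512 truncated the same way with the standard IV (not a parameter set the draft defines), shows that FIPS 180-4's SHA-512/256 differs from plain truncation precisely because of its changed IV, and measures throughput of both truncations so a reader can check the 30-40% claim on their own hardware. The function names and the constructed messages are this example's own.

```python
"""
Added example (not from draft-fluhrer-lms-more-parm-sets or the review).
Function names sha256_192, sha512_192, sha512_t_uses_distinct_iv,
throughput_mbps and speed_ratio are this example's own.
"""
import hashlib
import timeit
from typing import Callable, Optional


def sha256_192(data: bytes) -> bytes:
    """SHA256/192 in the draft's sense: SHA-256 output truncated to 24 bytes."""
    return hashlib.sha256(data).digest()[:24]


def sha512_192(data: bytes) -> bytes:
    """The suggested variant: SHA-512 output truncated to 24 bytes, standard IV.
    Hypothetical; the draft does not define this parameter set."""
    return hashlib.sha512(data).digest()[:24]


def sha512_t_uses_distinct_iv() -> Optional[bool]:
    """FIPS 180-4 SHA-512/256 starts from its own IV, so its digest is NOT a
    prefix of SHA-512 over the same input. Returns None if the local OpenSSL
    build does not provide sha512_256 at all."""
    try:
        h = hashlib.new("sha512_256")
    except ValueError:
        return None
    msg = b"abc"
    h.update(msg)
    return h.digest() != hashlib.sha512(msg).digest()[:32]


def throughput_mbps(fn: Callable[[bytes], bytes], msg_len: int,
                    iters: int = 20000) -> float:
    """Megabytes hashed per second by fn over a constructed msg_len-byte message."""
    msg = bytes([0x5A]) * msg_len        # constructed input; content is irrelevant
    secs = timeit.timeit(lambda: fn(msg), number=iters)
    return msg_len * iters / secs / 1e6


def speed_ratio(msg_len: int, iters: int = 20000) -> float:
    """sha512_192 throughput divided by sha256_192 throughput; > 1 means the
    SHA-512 truncation is faster on this machine at this message size."""
    return (throughput_mbps(sha512_192, msg_len, iters)
            / throughput_mbps(sha256_192, msg_len, iters))


if __name__ == "__main__":
    print("SHA256/192(abc) =", sha256_192(b"abc").hex())
    print("SHA512 truncated to 192(abc) =", sha512_192(b"abc").hex())
    print("SHA-512/256 has a distinct IV:", sha512_t_uses_distinct_iv())
    # LM-OTS chain inputs are a few dozen bytes, i.e. a single block for
    # either hash; a 4 KiB message shows the per-block advantage of 64-bit
    # SHA-512 arithmetic instead.
    for n in (48, 4096):
        print(f"{n:5d}-byte messages: SHA512/SHA256 speed ratio = {speed_ratio(n):.2f}")
```

The two message sizes are the caveat a practitioner should keep in mind: the per-byte advantage of SHA-512 on 64-bit CPUs shows up on long inputs, while the hash calls that dominate LMS/LM-OTS signing and verification are on short inputs that fit in one block of either function, so the ratio should be measured at the sizes the scheme actually hashes before assuming the gain carries over.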