Re: [Suit] NIST selected PQM algorithms

Russ Housley <housley@vigilsec.com> Mon, 11 July 2022 21:28 UTC

From: Russ Housley <housley@vigilsec.com>
Date: Mon, 11 Jul 2022 17:28:39 -0400
Cc: Koen Zandberg <koen.zandberg@inria.fr>, "suit@ietf.org" <suit@ietf.org>
To: Brendan Moran <Brendan.Moran@arm.com>

Like HSS/LMS, the SPHINCS+ signature is quite large, but it is very fast to validate and only depends upon the hash function.

Russ
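To make the "only depends upon the hash function" point concrete, here is a minimal Winternitz one-time signature (WOTS), the hash-chain primitive that both HSS/LMS and SPHINCS+ are built on. This is an added illustration, not code from the thread and not SPHINCS+ itself; the parameters (SHA-256, w = 16, a two-byte chain/position prefix for domain separation) are assumptions chosen for brevity.

```python
import hashlib
import secrets

N = 32        # SHA-256 output length in bytes
W = 16        # Winternitz parameter: one hash chain per 4-bit digit
L1 = 2 * N    # digits covering the 256-bit message digest
L2 = 3        # checksum digits (max checksum 64 * 15 = 960 < 16**3)
L = L1 + L2   # total number of hash chains in a key

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def chain(x: bytes, start: int, steps: int, idx: int) -> bytes:
    # Apply H `steps` times; the chain index and position are mixed in
    # (an assumed domain-separation scheme) so chains never share values.
    for pos in range(start, start + steps):
        x = H(bytes([idx, pos]) + x)
    return x

def digits(msg: bytes) -> list[int]:
    # Base-16 digits of the digest plus a checksum: lowering any message
    # digit raises the checksum, so every digit is bound by the signature.
    m = []
    for b in H(msg):
        m += [b >> 4, b & 0xF]
    csum = sum(W - 1 - d for d in m)
    return m + [(csum >> (4 * k)) & 0xF for k in range(L2)]

def keygen() -> tuple[list[bytes], list[bytes]]:
    # The public key is the end of every chain. A WOTS key signs ONE
    # message only; remembering which keys are spent is the state that
    # HSS/LMS must track and that SPHINCS+ avoids by construction.
    sk = [secrets.token_bytes(N) for _ in range(L)]
    pk = [chain(s, 0, W - 1, i) for i, s in enumerate(sk)]
    return sk, pk

def sign(sk: list[bytes], msg: bytes) -> list[bytes]:
    return [chain(s, 0, d, i) for i, (s, d) in enumerate(zip(sk, digits(msg)))]

def verify(pk: list[bytes], msg: bytes, sig: list[bytes]) -> bool:
    # The verifier just finishes each chain and compares against pk:
    # no secret, no state, nothing beyond the hash function.
    if len(sig) != L:
        return False
    ends = [chain(s, d, W - 1 - d, i) for i, (s, d) in enumerate(zip(sig, digits(msg)))]
    return all(secrets.compare_digest(a, b) for a, b in zip(ends, pk))

if __name__ == "__main__":
    sk, pk = keygen()
    sig = sign(sk, b"SUIT manifest v1")  # constructed sample message
    print(verify(pk, b"SUIT manifest v1", sig), len(b"".join(sig)))
```

Even this single-chain-layer toy produces a signature of L * N = 2144 bytes, which is why the full many-layer SPHINCS+ construction ends up in the size range Koen quotes below.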


> On Jul 11, 2022, at 5:25 PM, Brendan Moran <Brendan.Moran@arm.com> wrote:
> 
> What about the other parameters of SPHINCS+? Do you know if it is suitable for constrained networks and constrained nodes? For example, it would be good to understand the signature, public, RAM, and code sizes, and how expensive is verification in cycles.
> 
> Brendan
> 
>> On 11 Jul 2022, at 21:48, Russ Housley <housley@vigilsec.com> wrote:
>> 
>> I like the lack of state needed for the SPHINCS+ hash-based signature.  This is preferable over the stateful HSS/LMS hash-based signature that we have been discussing.
>> 
>> Russ
>> 
>>> On Jul 11, 2022, at 2:36 PM, Brendan Moran <Brendan.Moran@arm.com> wrote:
>>> 
>>> Hi Russ,
>>> 
>>> Thank you for clarifying. I thought you were expressing a specific preference for SPHINCS+ above other Round 3 winners and I was hoping to get some insight as to why that was.
>>> 
>>> Best Regards,
>>> Brendan
>>> 
>>> 
>>>> On 11 Jul 2022, at 15:23, Russ Housley <housley@vigilsec.com> wrote:
>>>> 
>>>> I am not opposed to any of the NIST Round 3 Signature winners, but I gather it will be another year before there will be NIST standards.
>>>> 
>>>> Russ
>>>> 
>>>> 
>>>>> On Jul 10, 2022, at 4:37 PM, Brendan Moran <Brendan.Moran@arm.com> wrote:
>>>>> 
>>>>> Hi Russ,
>>>>> 
>>>>> Are you opposed to Falcon for SUIT? If so, is it just the maturity of the algorithm? It seems to have an excellent set of tradeoffs. Bearing in mind that we are only looking at the verify operation, there shouldn’t be any concern about constant time implementations or side channels.
>>>>> 
>>>>> Best regards,
>>>>> Brendan
>>>>> 
>>>>>> On 8 Jul 2022, at 16:51, Russ Housley <housley@vigilsec.com> wrote:
>>>>>> 
>>>>>> I think SUIT needs to look at SPHINCS+ as an alternative to HSS/LMS for the hash-based signature algorithm, but the NIST standard for SPHINCS+ will probably not be available for a year.
>>>>>> 
>>>>>> Russ
>>>>>> 
>>>>>> 
>>>>>>> On Jul 8, 2022, at 7:25 AM, Koen Zandberg <koen.zandberg@inria.fr> wrote:
>>>>>>> 
>>>>>>> Hi all,
>>>>>>> 
>>>>>>> NIST announced the first four quantum resistant cryptographic algorithms a few days back. Matching the earlier discussions on this list, NIST also selected FALCON for the case where smaller signatures are required.
>>>>>>> From what I understand of the process there is still a document that should be released soon(tm) with the exact parameters that should be used for the algorithms. In any case I think this is good news for us as one of the selected algorithms matches what was preferred from the SUIT side.
>>>>>>> 
>>>>>>> To be complete, the other algorithms selected are Dilithium and SPHINCS+, where Dilithium has large signatures (2.5 KB) and SPHINCS+ has even larger signatures (17 KB).
>>>>>>> 
>>>>>>> Best Regards,
>>>>>>> Koen Zandberg
>>>>>>> 
>>>>>>> [1]: https://www.nist.gov/news-events/news/2022/07/nist-announces-first-four-quantum-resistant-cryptographic-algorithms
>>>>>>> 
>>>>>> 
>>>>>> _______________________________________________
>>>>>> Suit mailing list
>>>>>> Suit@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/suit
>>>>> 
>>>>> IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
>>>> 
>>> 
>> 
> 