<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 07/12/2016 09:30 AM, Adam Langley
wrote:<br>
</div>
<blockquote
cite="mid:CAL9PXLy4dSVkSbAi_9pf-iNStxsAzKTgvaP7YGSfn-pQF79jpA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div><br>
</div>
<div>I agree that we do not have a great post-quantum,
public-key signature scheme available yet and that
hash-based signatures are a good idea in some contexts.</div>
<div><br>
</div>
<div>Did you envision that software would start supporting
these signatures immediately? If so, then any certificate
chains that take advantage of that would have to be
hash-based from top to bottom because that's the only PQ
primitive that would be supported. You've also specified a
stateful signature scheme where doing things like moving a
CA key from one HSM to another, or installing a leaf
certificate on multiple servers, compromises the private
key. (And that's assuming that there exist any HSMs that
support hash-based signatures, which I don't think is the
case.)</div>
</div>
</div>
</div>
</blockquote>
<br>
I share Adam's concern here. We need to have standards defined and
accepted and software needs to support these signatures before we
start deploying them.<br>
<br>
I personally think hash-based signatures are some of the most
promising post-quantum crypto algorithms; we just need some on-the-ground
testing before we start deploying new roots.<br>
<blockquote
cite="mid:CAL9PXLy4dSVkSbAi_9pf-iNStxsAzKTgvaP7YGSfn-pQF79jpA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div><br>
</div>
<div>If software isn't going to support it immediately then
I don't see the point in putting these hashes in root
certificates. A software update to verifiers would be
needed and, if you can do that, then you can add
hash-based roots at the same time anyway.</div>
<div><br>
</div>
<div>So I think that PKI roots are the wrong place to be
focusing. It's software-update keys that are really the
roots of trust, and those keys should be seriously looking
at using hash-based signatures, even today. </div>
</div>
</div>
</div>
</blockquote>
<blockquote
cite="mid:CAL9PXLy4dSVkSbAi_9pf-iNStxsAzKTgvaP7YGSfn-pQF79jpA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div>But, <a moz-do-not-send="true"
href="https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-06">stateful</a> signatures
are very fragile, so <a moz-do-not-send="true"
href="https://sphincs.cr.yp.to/">stateless</a> ones are
to be much preferred. (That's not to say that stateful
schemes are useless because, at the very least, they
generally form the core of stateless schemes.)</div>
</div>
</div>
</div>
</blockquote>
<br>
The one application of stateful signatures I see is actually root
and intermediate certificates. It's one area where we are likely to
have good control over the private keys and can make sure any copies
can access the current state and where you can get reasonable upper
bounds on the number of signatures you will make over the lifetime
of the CA.<br>
<blockquote
cite="mid:CAL9PXLy4dSVkSbAi_9pf-iNStxsAzKTgvaP7YGSfn-pQF79jpA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div><br>
</div>
<div>For software that cannot be updated we would want to
start the process of rolling something out ASAP but we
have a problem: stateless hash-based signatures work, but
at ~40KB per signature, it's not clear that they would be
viable for a full chain. So if you really want to be
deploying software today that's going to work for decades,
you have to start thinking about certificates that specify
their own verification algorithm as code for a VM or
something.</div>
</div>
</div>
</div>
</blockquote>
<br>
Right, how big a cert chain can we have before SSL breaks, for
instance?<br>
<br>
This is primarily why NIST is taking the 'bump your RSA key size for
now' approach, under the assumption that if your RSA key size is
large enough it can resist quantum computers for long enough to get<br>
<blockquote
cite="mid:CAL9PXLy4dSVkSbAi_9pf-iNStxsAzKTgvaP7YGSfn-pQF79jpA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div><br>
</div>
<div><br>
</div>
<div>Cheers</div>
<div><br>
</div>
<div>AGL</div>
</div>
</div>
</div>
</blockquote>
<br>
bob<br>
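As an added illustration of the state problem Adam describes (not code from this thread or from any real scheme): a toy Merkle-tree signer over Lamport one-time leaves, where the next leaf index is the signer's state. Copying the key to a second HSM without carrying the state along makes both copies sign with the same leaf, and leaf_reuse_exposure counts how many secret pairs that exposes; all names here are assumptions, and XMSS/SPHINCS use Winternitz leaves and further layers on top of this basic mechanism.

```python
import hashlib, copy, os

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def msg_bits(msg):                     # 256 bits of SHA-256(msg), MSB first
    d = H(msg)
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(256)]

def ots_keygen():                      # Lamport one-time key: 256 secret pairs
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]   # public key = hashes of secrets

class StatefulSigner:  # toy Merkle-tree signer over Lamport leaves; .index is the state
    def __init__(self, leaves=4):
        self.keys = [ots_keygen() for _ in range(leaves)]
        tree = [[H(*(x for p in pk for x in p)) for _, pk in self.keys]]
        while len(tree[-1]) > 1:       # hash pairs upward to the Merkle root
            lvl = tree[-1]
            tree.append([H(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
        self.tree, self.root, self.index = tree, tree[-1][0], 0

    def sign(self, msg):
        if self.index >= len(self.keys):
            raise RuntimeError("all one-time leaves used; key exhausted")
        idx, (sk, pk) = self.index, self.keys[self.index]
        self.index += 1                # commit the new state before releasing sig
        sig = [sk[i][b] for i, b in enumerate(msg_bits(msg))]
        path, pos = [], idx            # authentication path: one sibling per level
        for lvl in self.tree[:-1]:
            path.append(lvl[pos ^ 1]); pos >>= 1
        return idx, sig, pk, path

def verify(root, msg, signature):
    idx, sig, pk, path = signature
    if any(H(s) != pk[i][b] for i, (s, b) in enumerate(zip(sig, msg_bits(msg)))):
        return False
    node, pos = H(*(x for p in pk for x in p)), idx
    for sib in path:
        node = H(node, sib) if pos % 2 == 0 else H(sib, node); pos >>= 1
    return node == root

def leaf_reuse_exposure(sig_a, sig_b):  # secret pairs fully revealed by reusing a leaf
    return 0 if sig_a[0] != sig_b[0] else sum(x != y for x, y in zip(sig_a[1], sig_b[1]))

def simulate_cloned_key(msg_a, msg_b):
    # Constructed scenario: key copied to a second HSM without its state, so both start at index 0
    hsm1 = StatefulSigner(); hsm2 = copy.deepcopy(hsm1)
    sa, sb = hsm1.sign(msg_a), hsm2.sign(msg_b)
    return verify(hsm1.root, msg_a, sa), verify(hsm2.root, msg_b, sb), leaf_reuse_exposure(sa, sb)
```

Both signatures verify against the same root, yet roughly half of the leaf's secret pairs are now public; a verifier that logs leaf indices can detect such reuse after the fact, which is why the state has to travel with the key.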
</body>
</html>