[cabfpub] Contingency planning for Quantum Cryptanalysis

Adam Langley agl at google.com
Tue Apr 19 21:27:04 UTC 2016

On Tue, Apr 19, 2016 at 10:41 AM, Phillip Hallam-Baker <philliph at comodo.com> wrote:

> There are in fact ways that it is possible to construct a WebPKI type
> infrastructure using hash signatures and we may even end up having to
> resort to using some of them, particularly for low power devices. In
> particular:
> * Distribute Merkle trees of public key values.
> * Adopt a ‘use one, make one’ approach to distribution.
> * Engage hash chain logs to provide reference truth.
> * Use GPU farms and/or bitcoin mining equipment to construct large Merkle
> trees, the hardware using the trees can be more modest.

There is no need to expend large amounts of computational power to generate
large Merkle trees of public keys. "Forest" schemes go back to CMSS (
https://eprint.iacr.org/2006/320.pdf). A modern synthesis of all the best
tricks in this space can be found in https://sphincs.cr.yp.to/. (Although
note that signatures are ~40KB. The smaller signatures are from stateful
schemes which are unsuitable for use in a PKI.)
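
Added example, not part of the original message and not code from CMSS or SPHINCS: a toy two-layer tree-of-trees in the spirit of the "forest" schemes mentioned above, showing that key generation builds only the top tree while each subtree is derived when it is needed. The Winternitz-style one-time signature, the seed-based key derivation, `HEIGHT` and all function names are assumptions made for illustration, and the scheme is stateful in `index`, so it is not hardened for real use.

```python
import hashlib

HEIGHT = 3  # assumed toy size: 8 leaves per tree, 2 layers -> 64 signatures
def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()
def chain(x, steps):  # Winternitz chain: apply H `steps` times
    return x if steps == 0 else chain(H(x), steps - 1)

def digits(msg):  # 64 base-16 digits of H(msg) plus a 3-digit checksum
    d = [n for b in H(msg) for n in (b >> 4, b & 15)]
    c = sum(15 - n for n in d)
    return d + [c >> 8, (c >> 4) & 15, c & 15]

def ots_sk(seed, tree_id, leaf):  # one-time secret, derived on demand, never stored
    return [H(seed, b"%d/%d/%d" % (tree_id, leaf, i)) for i in range(67)]
def ots_pk(seed, tree_id, leaf):
    return H(*[chain(s, 15) for s in ots_sk(seed, tree_id, leaf)])
def ots_sign(seed, tree_id, leaf, msg):
    return [chain(s, n) for s, n in zip(ots_sk(seed, tree_id, leaf), digits(msg))]
def ots_pk_from_sig(sig, msg):  # finishing each chain recovers the public key
    return H(*[chain(s, 15 - n) for s, n in zip(sig, digits(msg))])

def tree(seed, tree_id):  # levels[0] = one-time public keys, levels[-1] = [root]
    levels = [[ots_pk(seed, tree_id, i) for i in range(1 << HEIGHT)]]
    while len(levels[-1]) > 1:
        levels.append([H(a, b) for a, b in zip(levels[-1][::2], levels[-1][1::2])])
    return levels

def auth_path(levels, idx):  # sibling of the path node at each level below the root
    return [lvl[(idx >> h) ^ 1] for h, lvl in enumerate(levels[:-1])]
def root_from_path(node, idx, path):
    for sib in path:
        node = H(sib, node) if idx & 1 else H(node, sib)
        idx >>= 1
    return node

def keygen(seed):  # builds only the top tree: 8 one-time keys, not 64
    return tree(seed, 0)[-1][0]
def sign(seed, index, msg):  # index is signer state and must never be reused
    top_i, bot_i = divmod(index, 1 << HEIGHT)
    top, bottom = tree(seed, 0), tree(seed, 1 + top_i)  # subtree built on demand
    return (index, ots_sign(seed, 1 + top_i, bot_i, msg), auth_path(bottom, bot_i),
            ots_sign(seed, 0, top_i, bottom[-1][0]), auth_path(top, top_i))

def verify(pk, msg, sig):
    index, s_msg, p_bot, s_root, p_top = sig
    top_i, bot_i = divmod(index, 1 << HEIGHT)
    bot_root = root_from_path(ots_pk_from_sig(s_msg, msg), bot_i, p_bot)
    return root_from_path(ots_pk_from_sig(s_root, bot_root), top_i, p_top) == pk
```

Each signature carries two one-time signatures and two authentication paths, 4480 bytes at these toy parameters, and the verifier needs only the 32-byte top root.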

