[cabfpub] Contingency planning for Quantum Cryptanalysis

Phillip Hallam-Baker philliph at comodo.com
Tue Apr 19 21:49:05 UTC 2016

> On Apr 19, 2016, at 5:27 PM, Adam Langley <agl at google.com> wrote:
> On Tue, Apr 19, 2016 at 10:41 AM, Phillip Hallam-Baker <philliph at comodo.com <mailto:philliph at comodo.com>> wrote:
> There are in fact ways that it is possible to construct a WebPKI type infrastructure using hash signatures and we may even end up having to resort to using some of them, particularly for low power devices. In particular:
> * Distribute Merkle trees of public key values. 
> * Adopt a ‘use one, make one’ approach to distribution.
> * Engage hash chain logs to provide reference truth.
> * Use GPU farms and/or bitcoin mining equipment to construct large Merkle trees, the hardware using the trees can be more modest.
> There is no need to expend large amounts of computational power to generate large Merkle trees of public keys. "Forest" schemes go back to CMSS (https://eprint.iacr.org/2006/320.pdf <https://eprint.iacr.org/2006/320.pdf>). A modern synthesis of all the best tricks in this space can be found in https://sphincs.cr.yp.to/ <https://sphincs.cr.yp.to/>. (Although note that signatures are ~40KB. The smaller signatures are from stateful schemes which are unsuitable for use in a PKI.)

At this point, I would just like the options on the table. The stateless schemes are another option, but not one I have looked into the IPR on yet. If we can get a proof of feasibility at this point, it would be something.

Probably the thing to do would be to hold an interim meeting under some relevant SDO Note Well in the Cambridge MA area and invite folk from MIT. 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160419/8acd11c7/attachment-0003.html>

More information about the Public mailing list