[cabfpub] Contingency planning for Quantum Cryptanalysis

Peter Bowen pzb at amzn.com
Tue Apr 19 22:19:22 UTC 2016


> On Apr 19, 2016, at 2:49 PM, Phillip Hallam-Baker <philliph at comodo.com> wrote:
> 
> 
>> On Apr 19, 2016, at 5:27 PM, Adam Langley <agl at google.com> wrote:
>> 
>> On Tue, Apr 19, 2016 at 10:41 AM, Phillip Hallam-Baker <philliph at comodo.com> wrote:
>> There are in fact ways that it is possible to construct a WebPKI type infrastructure using hash signatures and we may even end up having to resort to using some of them, particularly for low power devices. In particular:
>> 
>> * Distribute Merkle trees of public key values. 
>> * Adopt a ‘use one, make one’ approach to distribution.
>> * Engage hash chain logs to provide reference truth.
>> * Use GPU farms and/or bitcoin mining equipment to construct large Merkle trees, the hardware using the trees can be more modest.
>> 
>> There is no need to expend large amounts of computational power to generate large Merkle trees of public keys. "Forest" schemes go back to CMSS (https://eprint.iacr.org/2006/320.pdf). A modern synthesis of all the best tricks in this space can be found in https://sphincs.cr.yp.to/. (Although note that signatures are ~40KB. The smaller signatures are from stateful schemes which are unsuitable for use in a PKI.)
> 
> At this point, I would just like the options on the table. The stateless schemes are another option, but not one I have looked into the IPR on yet. If we can get a proof of feasibility at this point, it would be something.
> 
> Probably the thing to do would be to hold an interim meeting under some relevant SDO Note Well in the Cambridge MA area and invite folk from MIT. 

I honestly don’t think CAB Forum is the right venue for this work. I would hope the IETF would define the technical specification and then the CAB Forum can work to define things like how keys are stored, generation process, and such.  I also hope that browsers will agree on the scheme they will support so CAs don’t go to a bunch of work for something no one will use.

Thanks,
Peter
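The quoted exchange above talks about Merkle trees of one-time public keys and about why stateful hash-based schemes are a poor fit for a PKI. The following is an added illustration, not code from this thread or from any of the schemes it cites (CMSS, SPHINCS): a toy Lamport one-time signature scheme whose public keys are the leaves of a Merkle tree, with a signer that tracks which leaf it has consumed. The seed, the hypothetical certificate bytes and the derivation of keys from the seed are constructed for the example; a real scheme uses a proper PRF and tree heights far larger than 3.

```python
import hashlib
from copy import deepcopy


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def msg_bits(msg: bytes):
    # The 256 bits of the message digest, most significant bit first.
    d = H(msg)
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(256)]


def lamport_keygen(seed: bytes, idx: int):
    # One Lamport one-time key pair for leaf `idx`. Deriving it from a seed is a
    # constructed convenience for this example, not a recommended KDF.
    sk = [[H(seed + idx.to_bytes(4, "big") + bytes([b]) + i.to_bytes(2, "big"))
           for b in (0, 1)] for i in range(256)]
    pk = [[H(x) for x in pair] for pair in sk]
    return sk, pk


def lamport_pk_hash(pk) -> bytes:
    # A leaf of the Merkle tree commits to the whole 512-hash public key.
    return H(b"".join(x for pair in pk for x in pair))


def lamport_sign(sk, msg: bytes):
    # Reveal one preimage per digest bit; revealing both preimages of any
    # position (by signing twice with the same key) is what breaks the scheme.
    return [sk[i][b] for i, b in enumerate(msg_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    return all(H(sig[i]) == pk[i][b] for i, b in enumerate(msg_bits(msg)))


def merkle_levels(leaves):
    # levels[0] are the leaves, levels[-1][0] is the root.
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([H(cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def auth_path(levels, idx: int):
    # Sibling hashes from leaf to root; these travel with the signature.
    path = []
    for level in levels[:-1]:
        path.append(level[idx ^ 1])
        idx >>= 1
    return path


def root_from_path(leaf: bytes, idx: int, path) -> bytes:
    node = leaf
    for sibling in path:
        node = H(node + sibling) if idx & 1 == 0 else H(sibling + node)
        idx >>= 1
    return node


class MerkleSigner:
    """Stateful signer: the only long-term public key is the Merkle root."""

    def __init__(self, seed: bytes, height: int):
        self.n = 1 << height
        self.keys = [lamport_keygen(seed, i) for i in range(self.n)]
        self.levels = merkle_levels([lamport_pk_hash(pk) for _, pk in self.keys])
        self.root = self.levels[-1][0]
        self.next_idx = 0  # the state that must never be rewound

    def sign(self, msg: bytes):
        if self.next_idx >= self.n:
            raise RuntimeError("all one-time keys consumed")
        idx = self.next_idx
        self.next_idx += 1
        sk, pk = self.keys[idx]
        return idx, lamport_sign(sk, msg), pk, auth_path(self.levels, idx)


def verify(root: bytes, msg: bytes, signature) -> bool:
    # The verifier checks the one-time signature, then that the one-time public
    # key really is a leaf under the trusted root.
    idx, ots_sig, pk, path = signature
    return (lamport_verify(pk, msg, ots_sig)
            and root_from_path(lamport_pk_hash(pk), idx, path) == root)


def demo():
    tbs = b"hypothetical certificate to-be-signed bytes"
    signer = MerkleSigner(b"constructed example seed", height=3)
    sig = signer.sign(tbs)
    return (verify(signer.root, tbs, sig),
            verify(signer.root, b"tampered to-be-signed", sig),
            signer.next_idx)


def restored_backup_reuses_index():
    # Simulates the operational failure mode: a backup taken before signing is
    # restored and signs again. Nothing in the verifier can notice this.
    signer = MerkleSigner(b"constructed example seed", height=3)
    backup = deepcopy(signer)
    sig_a = signer.sign(b"first message")
    sig_b = backup.sign(b"second message")
    both_verify = (verify(signer.root, b"first message", sig_a)
                   and verify(backup.root, b"second message", sig_b))
    return sig_a[0] == sig_b[0], both_verify
```

`demo()` returns a valid verification, a rejected tampered message and the advanced counter. `restored_backup_reuses_index()` shows the property behind the "stateful schemes are unsuitable for a PKI" remark: both signatures carry the same leaf index and both verify, so the only thing protecting the one-time key from reuse is the signer's own counter, which has to survive HSM replication, backups and failover. Stateless designs such as the SPHINCS construction cited above avoid that operational requirement at the cost of the larger signatures mentioned in the thread.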

