[cabfpub] Contingency planning for Quantum Cryptanalysis

Tim Hollebeek THollebeek at trustwave.com
Wed Apr 20 13:50:39 UTC 2016

FWIW ANSI X9F1 is planning to work on writing a standard for this.  I can keep people up to date on what they come up with, although it will probably take a year or two.

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Peter Bowen
Sent: Tuesday, April 19, 2016 6:19 PM
To: Phillip Hallam-Baker
Subject: Re: [cabfpub] Contingency planning for Quantum Cryptanalysis

> On Apr 19, 2016, at 2:49 PM, Phillip Hallam-Baker <philliph at comodo.com> wrote:
>> On Apr 19, 2016, at 5:27 PM, Adam Langley <agl at google.com> wrote:
>> On Tue, Apr 19, 2016 at 10:41 AM, Phillip Hallam-Baker <philliph at comodo.com> wrote:
>> There are in fact ways that it is possible to construct a WebPKI type infrastructure using hash signatures and we may even end up having to resort to using some of them, particularly for low power devices. In particular:
>> * Distribute Merkle trees of public key values.
>> * Adopt a ‘use one, make one’ approach to distribution.
>> * Engage hash chain logs to provide reference truth.
>> * Use GPU farms and/or bitcoin mining equipment to construct large Merkle trees; the hardware using the trees can be more modest.
>> There is no need to expend large amounts of computational power to generate large Merkle trees of public keys. "Forest" schemes go back to CMSS (https://eprint.iacr.org/2006/320.pdf). A modern synthesis of all the best tricks in this space can be found in https://sphincs.cr.yp.to/ (Although note that signatures are ~40KB. The smaller signatures are from stateful schemes which are unsuitable for use in a PKI.)
> At this point, I would just like the options on the table. The stateless schemes are another option, but not one I have looked into the IPR on yet. If we can get a proof of feasibility at this point, it would be something.
> Probably the thing to do would be to hold an interim meeting under some relevant SDO Note Well in the Cambridge MA area and invite folk from MIT.

I honestly don’t think CAB Forum is the right venue for this work. I would hope the IETF would define the technical specification and then the CAB Forum can work to define things like how keys are stored, generation process, and such.  I also hope that browsers will agree on the scheme they will support so CAs don’t go to a bunch of work for something no one will use.
