[cabfpub] Quantum Computing is now a concern.

Robert Relyea rrelyea at redhat.com
Tue Jul 12 16:51:51 MST 2016


On 07/12/2016 09:30 AM, Adam Langley wrote:
>
> I agree that we do not have a great post-quantum, public-key signature 
> scheme available yet and that hash-based signatures are a good idea in 
> some contexts.
>
> Did you envision that software would start supporting these signatures 
> immediately? If so, then any certificate chains that take advantage of 
> that would have to be hash-based from top to bottom because that's the 
> only PQ primitive that would be supported. You've also specified a 
> stateful signature scheme where doing things like moving a CA key from 
> one HSM to another, or installing a leaf certificate on multiple 
> servers, compromises the private key. (And that's assuming that there 
> exist any HSMs that support hash-based signatures, which I don't think 
> is the case.)

I share Adam's concern here. We need to have standards defined and 
accepted and software needs to support these signatures before we start 
deploying them.

I personally think hash-based signatures are some of the most promising 
post-quantum crypto algorithms, we just need some on the ground testing 
before we start deploying new roots.
>
> If software isn't going to support it immediately then I don't see the 
> point in putting these hashes in root certificates. A software update 
> to verifiers would be needed and, if you can do that, then you can add 
> hash-based roots at the same time anyway.
>
> So I think that PKI roots are the wrong place to be focusing. It's 
> software-update keys that are really the roots of trust, and those 
> keys should be seriously looking at using hash-based signatures, even 
> today.
> But, stateful 
> <https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-06> signatures 
> are very fragile, so stateless <https://sphincs.cr.yp.to/> ones are to 
> be much preferred. (That's not to say that stateful schemes are useless 
> because, at the very least, they generally form the core of stateless 
> schemes.)

The one application of stateful signatures I see is actually root and 
intermediate certificates. It's one area where we are likely to have 
good control over the private keys and can make sure any copies can 
access the current state and where you can get reasonable upper bounds 
to the number of signatures you will make over the lifetime of the CA.
>
> For software that cannot be updated we would want to start the process 
> of rolling something out ASAP but we have a problem: stateless 
> hash-based signatures work, but at ~40KB per signature, it's not clear 
> that they would be viable for a full chain. So if you really want to 
> be deploying software today that's going to work for decades, you have 
> to start thinking about certificates that specify their own 
> verification algorithm as code for a VM or something.

Right, how big a cert chain can we have before SSL breaks, for instance.

This is primarily why NIST is taking the 'bump your RSA key size for now' 
approach, under the assumption that if your RSA key size is large enough 
it can resist quantum computers for long enough to get
>
>
> Cheers
>
> AGL

bob
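Added illustration (not part of the list thread, and not code from either poster): the state hazard both messages turn on, shown with a toy Lamport one-time signature over SHA-256 wrapped in a counter-based stateful signer. Cloning the signer (standing in for copying a key between HSMs without carrying the state along) makes two copies spend the same one-time key on different messages; both signatures still verify, but the fraction of the private key that has been revealed jumps from exactly one half to well over it, which is the sense in which "reuse compromises the private key". The scheme, key sizes and the `StatefulSigner` class are constructed for this example and are far simpler than XMSS or SPHINCS.

```python
import copy
import hashlib
import secrets

N = 256  # bits in a SHA-256 digest; one secret pair per message bit


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def message_bits(msg: bytes):
    """Bits of H(msg), most significant first, as a list of 0/1 ints."""
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]


def ots_keygen():
    """Lamport one-time key: N pairs of random secrets, public key = their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def ots_sign(sk, msg: bytes):
    # Reveal, for every bit of H(msg), the secret on that bit's side of the pair.
    return [sk[i][b] for i, b in enumerate(message_bits(msg))]


def ots_verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != N:
        return False
    return all(H(sig[i]) == pk[i][b] for i, b in enumerate(message_bits(msg)))


class StatefulSigner:
    """A fixed batch of one-time keys plus the index of the next unused one.

    The index is the 'state'; every copy of the signer must see the same,
    current value or a one-time key will be used twice.
    """

    def __init__(self, capacity: int):
        self.keys = [ots_keygen() for _ in range(capacity)]
        self.next_index = 0

    @property
    def public_keys(self):
        return [pk for _, pk in self.keys]

    def sign(self, msg: bytes):
        if self.next_index >= len(self.keys):
            raise RuntimeError("one-time keys exhausted; no further signatures possible")
        idx = self.next_index
        self.next_index += 1  # advance state before the signature leaves the signer
        sk, _ = self.keys[idx]
        return idx, ots_sign(sk, msg)


def leaked_secret_fraction(signed_messages) -> float:
    """Fraction of the 2*N secrets of one OTS key revealed by the given messages."""
    revealed = set()
    for msg in signed_messages:
        for i, b in enumerate(message_bits(msg)):
            revealed.add((i, b))
    return len(revealed) / (2 * N)


def demo_clone_reuse():
    """Two copies of one signer with identical state each sign once."""
    signer = StatefulSigner(capacity=4)
    clone = copy.deepcopy(signer)  # copied key material, state not kept in sync
    idx1, sig1 = signer.sign(b"certificate A (constructed)")
    idx2, sig2 = clone.sign(b"certificate B (constructed)")
    pk = signer.public_keys[idx1]
    return {
        "same_key_index": idx1 == idx2,
        "both_verify": ots_verify(pk, b"certificate A (constructed)", sig1)
        and ots_verify(pk, b"certificate B (constructed)", sig2),
        "leaked_after_one": leaked_secret_fraction([b"certificate A (constructed)"]),
        "leaked_after_two": leaked_secret_fraction(
            [b"certificate A (constructed)", b"certificate B (constructed)"]
        ),
    }


def demo_single_copy_ok():
    """One signer, two messages: distinct one-time keys, no extra leakage."""
    signer = StatefulSigner(capacity=2)
    idx1, _ = signer.sign(b"first")
    idx2, _ = signer.sign(b"second")
    try:
        signer.sign(b"third")
        exhausted = False
    except RuntimeError:
        exhausted = True
    return idx1 != idx2 and exhausted


if __name__ == "__main__":
    print(demo_clone_reuse())
    print("single copy behaves:", demo_single_copy_ok())
```

A single signature always exposes exactly half of the one-time secrets (one of each pair), which is harmless; a second signature on a different digest exposes one extra secret for every bit where the two digests differ. Bob's point that a CA can bound its signature count and keep every copy of the key on the same state maps directly onto `capacity` and `next_index`; Adam's point is that anything which duplicates the key without duplicating the state (the `deepcopy` above) defeats that control.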