[cabfpub] Contingency planning for Quantum Cryptanalysis
Peter Bowen
pzb at amzn.com
Tue Apr 19 22:19:22 UTC 2016
> On Apr 19, 2016, at 2:49 PM, Phillip Hallam-Baker <philliph at comodo.com> wrote:
>
>
>> On Apr 19, 2016, at 5:27 PM, Adam Langley <agl at google.com> wrote:
>>
>> On Tue, Apr 19, 2016 at 10:41 AM, Phillip Hallam-Baker <philliph at comodo.com> wrote:
>> There are in fact ways that it is possible to construct a WebPKI type infrastructure using hash signatures and we may even end up having to resort to using some of them, particularly for low power devices. In particular:
>>
>> * Distribute Merkle trees of public key values.
>> * Adopt a ‘use one, make one’ approach to distribution.
>> * Engage hash chain logs to provide reference truth.
>> * Use GPU farms and/or bitcoin mining equipment to construct large Merkle trees, the hardware using the trees can be more modest.
>>
>> There is no need to expend large amounts of computational power to generate large Merkle trees of public keys. "Forest" schemes go back to CMSS (https://eprint.iacr.org/2006/320.pdf). A modern synthesis of all the best tricks in this space can be found in https://sphincs.cr.yp.to/. (Although note that signatures are ~40KB. The smaller signatures are from stateful schemes which are unsuitable for use in a PKI.)
>
> At this point, I would just like the options on the table. The stateless schemes are another option, but not one I have looked into the IPR on yet. If we can get a proof of feasibility at this point, it would be something.
>
> Probably the thing to do would be to hold an interim meeting under some relevant SDO Note Well in the Cambridge MA area and invite folk from MIT.
I honestly don’t think CAB Forum is the right venue for this work. I would hope the IETF would define the technical specification and then the CAB Forum can work to define things like how keys are stored, generation process, and such. I also hope that browsers will agree on the scheme they will support so CAs don’t go to a bunch of work for something no one will use.
Thanks,
Peter
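To make the "distribute Merkle trees of public key values" option concrete, here is an added illustration (my own code, not from the thread or any of the schemes mentioned): only the tree root needs to be distributed as the trust anchor, and each leaf public key is authenticated by a log2(n)-element sibling path. SHA-256 and the 0x00/0x01 leaf/node domain-separation bytes are my assumptions, and the "keys" are constructed sample bytes, not real keys.

```python
import hashlib

def h(*parts: bytes) -> bytes:
    """SHA-256 over the concatenated inputs (hash choice is an assumption)."""
    return hashlib.sha256(b"".join(parts)).digest()

def build_tree(leaves):
    """Return every level of the Merkle tree: level 0 = leaf hashes, last = [root]."""
    if len(leaves) == 0 or len(leaves) & (len(leaves) - 1):
        raise ValueError("number of leaves must be a power of two")
    levels = [[h(b"\x00", leaf) for leaf in leaves]]  # 0x00 tags a leaf
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([h(b"\x01", prev[i], prev[i + 1])  # 0x01 tags an inner node
                       for i in range(0, len(prev), 2)])
    return levels

def auth_path(levels, index):
    """Sibling hashes from leaf `index` up to (but excluding) the root."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])
        index >>= 1
    return path

def verify(root, leaf, index, path):
    """Recompute the root from one public key plus its authentication path."""
    node = h(b"\x00", leaf)
    for sibling in path:
        if index & 1 == 0:
            node = h(b"\x01", node, sibling)   # we are the left child
        else:
            node = h(b"\x01", sibling, node)   # we are the right child
        index >>= 1
    return node == root

# Constructed sample: 8 stand-in "public keys" (deterministic bytes, not real keys).
KEYS = [hashlib.sha256(b"sample-key-%d" % i).digest() for i in range(8)]
LEVELS = build_tree(KEYS)
ROOT = LEVELS[-1][0]   # the only value a relying party must be given in advance

if __name__ == "__main__":
    path = auth_path(LEVELS, 5)
    print("path length:", len(path), "verifies:", verify(ROOT, KEYS[5], 5, path))
```

The stateful caveat raised above shows up here: whichever leaf is used must never be reused, so a signer has to track consumed indices, which is exactly the bookkeeping a stateless scheme such as SPHINCS avoids.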