I want to voice my support for draft-ietf-cose-falcon. To give some context, constrained devices currently are limited to ECDSA, EdDSA, or HSS-LMS. For those deploying devices with PQC support, there is only one option: HSS-LMS. This presents a big problem: HSS-LMS requires stateful private keys that have race conditions in backup scenarios. In other words, HSS-LMS is risky, but it's the best option we have.
I think Falcon would be a much better option for constrained device code signing. To be clear, what we're discussing here is constrained devices verifying signatures, with the signers potentially air-gapped, so side channels & floating point are a non-issue. The signature size is smaller than HSS-LMS with an equivalent number of bits of security and there's no state on the private key. This makes Falcon ideal for delivering firmware updates and secure boot of constrained devices, where the cost of delivering a SPHINCS+ signature, for example, would be prohibitive.

Best Regards,
Brendan
