Brendan: Are you talking about verification of Falcon signatures for code signing? That seems reasonable.
If you are talking about constrained devices signing reports when firmware is loaded, then I think that the Falcon floating point operations associated with key generation will be a problem. Russ > On Jul 25, 2024, at 6:58 PM, Brendan Moran <[email protected]> > wrote: > > I want to voice my support for draft-ietf-cose-falcon. > > To give some context, constrained devices currently are limited to > ECDSA, EDDSA, or HSS-LMS. For those deploying devices with PQC > support, there is only one option: HSS-LMS. This presents a big > problem: HSS-LMS requires stateful private keys that have race > conditions in backup scenarios. In other words, HSS-LMS is risky but > it's the best option we have. > > I think Falcon would be a much better option for constrained device > code signing. To be clear, what we're discussing here is constrained > devices verifying signatures, with the signers potentially air-gapped, > so side channels & floating point are a non-issue. > > The signature size is smaller than HSS-LMS with an equivalent number > of bits of security and there's no state on the private key. > > This makes Falcon ideal for delivering firmware updates and secure > boot of constrained devices, where the cost of delivering a SPHINCS+ > signature, for example, would be prohibitive. > > Best Regards, > Brendan _______________________________________________ COSE mailing list -- [email protected] To unsubscribe send an email to [email protected]
