That’s what I get for replying on a mobile device. That said, I think it’s an open question whether HSS-LMS or Falcon is more appropriate for a constrained device signing reports in response to firmware loading. HSS-LMS has a fixed number of reports and a stateful key, while Falcon may have a timing side-channel, depending on implementation.
Brendan On Thu, 25 Jul 2024 at 16:26, Brendan Moran <[email protected]> wrote: > Hi Russ, > > Yes, I’m absolutely referring to constrained devices verifying signatures. > This is there primary reason for my support. > > That said, I think it’s an open question whether HSS-LMS or Falcon is more > appropriate for a constrained device signing reports in response to > firmware loading. HSS-LMS has a fixed number of reports and a strategy key, > while Falcon may have a timing side-channel, depending on implementation. > > I don’t think it’s clear that one or the other is preferable. > > Brendan > > > On Thu, 25 Jul 2024 at 16:21, Russ Housley <[email protected]> wrote: > >> Brendan: >> >> Are you talking about verification of Falcon signatures for code >> signing? That seems reasonable. >> >> If you are talking about constrained devices signing reports when >> firmware is loaded, then I think that the Falcon floating point operations >> associated with key generation will be a problem. >> >> Russ >> >> >> > On Jul 25, 2024, at 6:58 PM, Brendan Moran < >> [email protected]> wrote: >> > >> > I want to voice my support for draft-ietf-cose-falcon. >> > >> > To give some context, constrained devices currently are limited to >> > ECDSA, EDDSA, or HSS-LMS. For those deploying devices with PQC >> > support, there is only one option: HSS-LMS. This presents a big >> > problem: HSS-LMS requires stateful private keys that have race >> > conditions in backup scenarios. In other words, HSS-LMS is risky but >> > it's the best option we have. >> > >> > I think Falcon would be a much better option for constrained device >> > code signing. To be clear, what we're discussing here is constrained >> > devices verifying signatures, with the signers potentially air-gapped, >> > so side channels & floating point are a non-issue. >> > >> > The signature size is smaller than HSS-LMS with an equivalent number >> > of bits of security and there's no state on the private key. >> > >> > This makes Falcon ideal for delivering firmware updates and secure >> > boot of constrained devices, where the cost of delivering a SPHINCS+ >> > signature, for example, would be prohibitive. >> > >> > Best Regards, >> > Brendan >> >> _______________________________________________ >> COSE mailing list -- [email protected] >> To unsubscribe send an email to [email protected] >> >
_______________________________________________ COSE mailing list -- [email protected] To unsubscribe send an email to [email protected]
