Brendan: I thought that ECDSA and EdDSA were the algorithms that people expected to use for signing reports.
Russ > On Jul 25, 2024, at 7:26 PM, Brendan Moran <[email protected]> > wrote: > > Hi Russ, > > Yes, I’m absolutely referring to constrained devices verifying signatures. > This is there primary reason for my support. > > That said, I think it’s an open question whether HSS-LMS or Falcon is more > appropriate for a constrained device signing reports in response to firmware > loading. HSS-LMS has a fixed number of reports and a strategy key, while > Falcon may have a timing side-channel, depending on implementation. > > I don’t think it’s clear that one or the other is preferable. > > Brendan > > > On Thu, 25 Jul 2024 at 16:21, Russ Housley <[email protected] > <mailto:[email protected]>> wrote: >> Brendan: >> >> Are you talking about verification of Falcon signatures for code signing? >> That seems reasonable. >> >> If you are talking about constrained devices signing reports when firmware >> is loaded, then I think that the Falcon floating point operations associated >> with key generation will be a problem. >> >> Russ >> >> >> > On Jul 25, 2024, at 6:58 PM, Brendan Moran <[email protected] >> > <mailto:[email protected]>> wrote: >> > >> > I want to voice my support for draft-ietf-cose-falcon. >> > >> > To give some context, constrained devices currently are limited to >> > ECDSA, EDDSA, or HSS-LMS. For those deploying devices with PQC >> > support, there is only one option: HSS-LMS. This presents a big >> > problem: HSS-LMS requires stateful private keys that have race >> > conditions in backup scenarios. In other words, HSS-LMS is risky but >> > it's the best option we have. >> > >> > I think Falcon would be a much better option for constrained device >> > code signing. To be clear, what we're discussing here is constrained >> > devices verifying signatures, with the signers potentially air-gapped, >> > so side channels & floating point are a non-issue. >> > >> > The signature size is smaller than HSS-LMS with an equivalent number >> > of bits of security and there's no state on the private key. >> > >> > This makes Falcon ideal for delivering firmware updates and secure >> > boot of constrained devices, where the cost of delivering a SPHINCS+ >> > signature, for example, would be prohibitive. >> > >> > Best Regards, >> > Brendan >> >> _______________________________________________ >> COSE mailing list -- [email protected] <mailto:[email protected]> >> To unsubscribe send an email to [email protected] >> <mailto:[email protected]>
_______________________________________________ COSE mailing list -- [email protected] To unsubscribe send an email to [email protected]
