On Sat, Jan 13, 2024 at 01:04:17PM -0600, Orie Steele wrote: > AFAIK, there are still no proposals on the table to register hybrid > signature schemes for JOSE or COSE. > > I suppose we are lucky that we can't go faster than NIST on signatures > anyway : )
>From LAMPS discussion about hybrid signatures, turns out hybrid signatures are hard. Much more complicated than hybrid KEMs, and especially Xwing (and derivates). > Since it's been a while since we presented these drafts, when they were > adopted by COSE we agreed to hold them until the dust settles. > > For now, we are just trying to keep them aligned with the name and > parameter set changes that have happened since they were adopted. Unfortunately there may be a nasty surprise (pre-hashing) ahead... I think best way to hedge against that would be to work on native COSE and JOSE mechanisms on pre-hashing (via "manifests") and then use that instead of pre-hashing on the signature algorithm. Such mechanism would also help on Ed25519 and Ed448. > I'm reading between the lines here, that perhaps I should wait to add the > full parameter set for SPHINCS+ ? * crosses fingers hoping for a yes * Well, the full parameter set is not even known yet. :-/ And the s vs. f is a pretty annoying tradeoff: Smaller signatures, but much slower signing versus larger signatures and much faster signing. And the two are not compatible. -Ilari _______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
