[Cryptography] What standards are there for post-quantum certificates?

Jeff Burdges burdges at gnunet.org
Sat Apr 9 17:37:40 EDT 2016


On Sat, 2016-04-09 at 12:13 -0700, Ryan Carboni wrote:
> What standards are there for post-quantum certificates? Can't find
> any.

Arguably, we do not have the primitives sorted out well enough yet to deploy
post-quantum systems for all authentication purposes.

If you build a certificate chain based on SPHINCS, then that's 41kb per
link in the chain.  It's mostly all good otherwise.

There are many people who'd consider Ring-LWE too new for certificate
chains, but actually using it sounds roughly comparable to RSA, so
perfectly workable.  

Isogeny based crypto is very new and the signature schemes have unusual
properties.  I don't know about signature schemes using code based crypto,
but the signature size would be worse than SPHINCS.


Alternatively, one could attempt to find a domain specific hash based
signature scheme that avoids the "huge foot cannon" a typical stateful
hash based scheme represents, while still being more efficient than
SPHINCS. 

I'm doubtful that makes sense for certificates, but maybe another
application, like:
  A DVCS whose repositories are keys that continually sign themselves.

If one were designing a new distributed version control system, let's say
because "everything should be rewritten in Rust" or whatever, then one
might wish to integrate signatures, not using an external signing tool,
but by making repositories themselves into keys.  In other words, all
repositories would automatically sign their commits, other repositories with
whom they interact, like submodules or forks, and any builds they
produce, especially reproducible ones.

You want post-quantum today because the authentication might actually
matter decades into the future, but you do not like SPHINCS' 41kb per
commit.  Is there a safe way that each commit could issue a new signed
hash based signature key valid for only a few future commits?  There are
however many trade-offs one could try here, like throwing away the old
SPHINCS signatures using the repository structure itself along with
newer signatures.  Is there any forward secrecy value in trashing the
old exhausted private keys though?  etc.

Jeff
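The "each commit issues the next signing key" idea from the last paragraph, as an added illustration that is not part of Jeff's post: a toy Lamport one-time signature over SHA-256 (an assumption for illustration, not a scheme the post names), where every commit signs its content together with the next commit's public key, so a verifier only needs to trust the root public key and can walk the chain forward. It simplifies the post's "valid for a few future commits" to exactly one commit per key; the assumed repository content is constructed inline.

```python
import hashlib
import os

H = lambda b: hashlib.sha256(b).digest()
N = 256  # bits in a SHA-256 digest, one preimage pair per bit

def lamport_keygen():
    # Private key: two random 32-byte preimages per message bit; public key: their hashes.
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(N)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def _bit(digest, i):
    return (digest[i // 8] >> (7 - i % 8)) & 1

def lamport_sign(sk, msg):
    # Reveal one preimage per bit of H(msg). Strictly one-time: signing a second
    # message with the same sk reveals further preimages (the stateful "foot cannon").
    d = H(msg)
    return [sk[i][_bit(d, i)] for i in range(N)]

def lamport_verify(pk, msg, sig):
    d = H(msg)
    return all(H(sig[i]) == pk[i][_bit(d, i)] for i in range(N))

def pk_bytes(pk):
    return b"".join(a + b for a, b in pk)

def make_chain(commits):
    """Build a commit chain. Commit i signs (content_i || pk_{i+1}) with key i,
    whose public key was certified by commit i-1; pk_0 is the trust anchor."""
    sk, root_pk = lamport_keygen()
    chain = []
    for content in commits:
        next_sk, next_pk = lamport_keygen()
        sig = lamport_sign(sk, content + pk_bytes(next_pk))
        chain.append((content, next_pk, sig))
        sk = next_sk  # key i is now exhausted; only the fresh key is retained
    return root_pk, chain

def verify_chain(root_pk, chain):
    """Walk the chain from the root: each link must verify under the key
    certified by the previous link, and hands its successor key forward."""
    pk = root_pk
    for content, next_pk, sig in chain:
        if not lamport_verify(pk, content + pk_bytes(next_pk), sig):
            return False
        pk = next_pk
    return True
```

Each link costs N*32 bytes of signature plus 2*N*32 bytes of certified public key, which is why the post asks for a few-time key per commit rather than one key per commit.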

