OFFICIAL COMMENT: DualModeMS


AE Louisy

Aug 21, 2018, 12:01:36 PM
to pqc-co...@nist.gov, pqc-...@list.nist.gov

Dear DualModeMS team,


I have two questions concerning your scheme:

In order to obtain EUF-CMA security, a modification is made to the Inner Layer. This modification is based on adding an l-long bit string to the original digest to compute a new one. I was wondering what value of l is chosen for the three parameter sets given.


I also wanted to know how exactly the choice to make 2^delta trees instead of one changes the size of the public key. I understand that having several trees means that each root needs a tag to identify it, but that results in public key sizes still slightly smaller than the ones given in the supporting documentation.

 

 

Sincerely,

A-E. Louisy,

Student in cryptography at Versailles University

Jocelyn Ryckeghem

Sep 10, 2018, 9:49:59 AM
to pqc-co...@nist.gov, AE Louisy, pqc-...@list.nist.gov, Jean-Charles Faugere, Ludovic Perret
Dear Louisy,



In DualModeMS, 2^delta is the number of Merkle trees. Each root is
stored in the public key, so the size of the public key is 2^delta
SHA3 hashes. Moreover, we add in the public key a seed of K bits (K is
the level of security in bits). It is used to generate Z, a set of tau
elements of GF(2^k).

So, the size of the public key is:
for K=128, 2^4 * 256 bits + 128 bits = 528 bytes.
for K=192, 2^5 * 384 bits + 192 bits = 1560 bytes.
for K=256, 2^5 * 512 bits + 256 bits = 2080 bytes.

In the specification, the size of the public key for K=256 is noted as
2112 bytes. This is a typo; the true size is 2080 bytes.




About the EUF-CMA security of the Inner layer, our implementation does
not propose this functionality. However, as also mentioned in the
GeMSS specification, there is a standard technique that allows one to
obtain EUF-CMA security for the Inner layer. The length l of a random
salt should be 128 bits (for the three parameter sets) since the
number of signature requests is assumed limited to 2^64.



Best regards,
the DualModeMS team.