On 5/15/26 18:33, Watson Ladd wrote:
> Dear NIST,
>
> It's great to see the third round proposals come out. I would like to
> shed light on some cases where we need very small keys+signature, and
> can afford some CPU time, so SQISign would be of great interest.
>
> One is Roughtime. Recently an RFC, this specification tries to address
> bootstrapping of nodes without real time clocks in a secure way. For
> ecosystem reasons it requires the use of a single signature algorithm
> by all servers, and uses two keys, one a long lasting key, the other
> rotating. It also transmits a very small amount of data, and has
> mechanisms for batching signatures together via Merkel trees. If we
> were to use ML-DSA, we would have a tremendous expansion of the size
> of packets, that would likely force the use of a TCP transport to
> authenticate what is just 64 bits of data. Most protocols don't have
> these rather stringent constraints.
>
> Sincerely,
> Watson
DNSSEC is another case where very small signatures and keys are
important. SQISign level I is smaller than RSA-2048, and SQISign
level V is smaller than RSA-4096. DNSSEC signing can be done offline,
though it is sometimes done online. However, verification performance
might well be a serious problem.
DNS is increasingly being transported over TLS, HTTPS, or QUIC for
privacy reasons. Those transports don't have an MTU limit. Therefore,
connection-oriented transports for DNS provide a serious alternative.
This is especially the case for end-user devices, which can maintain
a long-lived connection to a public recursive resolver.
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/c20c222b-6cd6-4712-aae7-c6ad1840fa49n%40list.nist.gov.
- No, symmetric keys don't work - have to use at least some variant of PK for identity management due to the number of organizations involved.
--Derek Atkins
Does Kerberos have built-in MFA capabilities out of the box? Let’s not even mention multi channel authentication.
From: 'Derek Atkins' via pqc-forum <pqc-...@list.nist.gov>
Sent: June 29, 2026 8:45 AM
To: ppat...@gmail.com; ond...@sury.org
Cc: pqc-...@list.nist.gov; watso...@gmail.com; demio...@gmail.com
Subject: Re: [pqc-forum] Use cases for small signatures and keys
|
⚠️CAUTION: This email is from an external source. Verify sender before opening links and attachments.⚠️ |
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
pqc-forum+...@list.nist.gov.
To view this discussion visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/9edbab470e19f1c6013b1fc3fd5a3f42a6a5e912.camel%40Veridify.com.
We are getting into the realm of Von Neumann vs Harvard architecture.
Von Neumann uses a single, shared memory space for both program instructions and data.
Harvard uses physically separate memory units and buses for instructions and data
To my knowledge, Windows NT 3.5 was the last OS which used a multi-channel event queue.
For a given channel, I would have a minimum of two layers
>> HOWEVER, you can ALSO plug in a Kerberos-style (symmetric-only) solution, and it fits just as correctly.
Affirmative.
Pre-shared keys work wonders.
Squirt in the key(s), tag it, slap on some tamper proof tape, a squirt a dab of epoxy, et voila!
Auditors rejoice everywhere!
Until an asset goes walkabout – say the Dever airport parking lot.
--
To view this discussion visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/32cc03ae-2ed4-4852-9f9b-66a32650bbc1n%40list.nist.gov.
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/YT2PR01MB577454D41CD1F5F503770C89FAF72%40YT2PR01MB5774.CANPRD01.PROD.OUTLOOK.COM.
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/20260701075443.151069.qmail%40cr.yp.to.
Hi Patrick,
some comments inline.
On Wed, 2026-07-01 at 10:03 -0400, Patrick Patterson wrote:
> However, since folks are interested in some more details:
>
> 1) The avionics components are using old platforms - I still see some boxes
> that are based on MIPS and PowerPC, although those are going to be replaced
> with slightly more modern systems - as I said above, certification times
> (which can be measured in years), means that the BEST we can hope for are
> processors and average memory from 10-15 years ago. Storage on the radios
> will be measurable in MB, Operating systems tend to be one of a handful of
> certified Real-Time Operating Systems. Ground side systems can be
> considered to be using modern OS, processor, memory, and storage, and have
> good connectivity for getting things like OCSP, CRL, etc. in a PKI scenario.
I assume you can always stick multiple CPUs if needed (yes it means
more $$) ?
> 2) The main concern is the inverse of ADS-B - the aircraft needs to
> authenticate the sender of the message, to ascertain if it is a "good"
> ground station that is sending information to the aircraft. So think of an
> airplane from any airline, and any Air Traffic Control center worldwide.
> The secondary concern is for the ground to auth the aircraft.
Do they need to authenticate other aircraft too? (eg for collision
avoidance data?)
> 3) Aircraft are under strict change control and maintenance, so doing
> things like provisioning a set of keys based on routes has already been
> examined, and the decision was made to try very hard to find any other
> solution, as that would be almost impossible to get working.
This fails also because in emergencies you are not necessarily
following the established route and distributing keys to all the
possible alternative grounds in alternate routes becomes hard pretty
fast.
> 4) In the event of a failure to authenticate, one option is to fall back to
> voice (same thing we've been doing since we started having ATC), but
> increasing traffic at major hubs means that this is not at all desirable.
One option could be to consider the data not fully trusted until
confirmed via some checksum code that is generated on both sides and
confirmed by voice. That would be much faster than having the whole
communication via voice, but then again, voice is not necessarily more
trusted ...
The entire idea behind ATN-IPS is to keep voice comms to a minimum (and eliminate them entirely if possible, except in emergencies). So having any "human in the loop" is against the design principles. Also, when you have a cyclinder moving through the air at 800+ km/h, and they receive a transmission to change altitude, the assumption is that they will do it very quickly, not call up ATC and ask for a Checksum before complying with the instruction.
Do you have a statement about what is this authentication protecting,
or what are the threats of un-authenticated communication?
On 7/1/26 10:03, Patrick Patterson wrote:
> Hi all,
>
> Thanks for all of the feedback on this - my original intent was to
> highlight that there are systems that do not appear to have gotten very
> much thought as to how PQC could work in constrained environments. While I
> agree that the focus should be on where we get the most "bang for the
> buck", (i.e.: assume modern processors, memory, and storage, along with
> relatively high bandwidth communications), I haven't really heard of anyone
> putting a lot of work into a standardized implementation that will work in
> applications such as ATN-IPS.
>
> There are some very smart people in the aerospace world that are looking at
> how we can use approaches such as those already described, but I was hoping
> to add a voice to those calling for more work on fully standardized PQC
> systems that will work for constrained use cases.
Is this something that ICAO could hire a team of cryptographers for?
I expect that civil aviation has a sufficient budget for this to be
feasible, and a bespoke protocol is likely necessary.
> However, since folks are interested in some more details:
>
> 1) The avionics components are using old platforms - I still see some boxes
> that are based on MIPS and PowerPC, although those are going to be replaced
> with slightly more modern systems - as I said above, certification times
> (which can be measured in years), means that the BEST we can hope for are
> processors and average memory from 10-15 years ago. Storage on the radios
> will be measurable in MB, Operating systems tend to be one of a handful of
> certified Real-Time Operating Systems.
Is the following a reasonably accurate description?
- Confidentiality of the transmitted traffic is not important.
This means that forward secrecy is not required.
- Integrity of the traffic *is* important.
- The link is a short-range wireless link with negligible latency
(significantly less than 0.1 seconds) but very limited bandwidth.
- Because of the low latency, multiple round-trips are acceptable.
- There is some overhead for forward error correction (FEC).
- Each ground station will have a certificate issued by the local CAA.
- The number of CAAs is very small (less than 250). Therefore:
- The radio can *definitely* hold a list of CAA public key hashes.
This takes 32 * 250 = 8000 bytes.
- The radio *may* be able to hold a list of CAA public keys. For
Falcon-512, this takes 897 * 250 = 224250 bytes.
- The ground station *definitely* can hold all of the CAA public keys,
even for UOV.
- The ground station can be periodically updated with new PKI information,
but it should not need connectivity when setting up a connection.
- The ground station *might* be able to hold a Classic McEliece key for
every single radio (~1MiB * few million aircraft = few TiB).
This makes authenticating the radio much simpler, as the radio only
- Bespoke certificate formats are acceptable. It's not necessary to use
X.509.
- Patents are not a major concern. The cost of licensing is negligible
compared to the cost of the aircraft or ground station.
- The use of algorithms with less conservative assumptions is acceptable.
It is not necessary to use a standardized algorithm.
- If the aircraft needs to generate a key, this can be done as a
low-priority background task before a connection must be established.
- Isogeny-based cryptography is too slow, even for the ground station.
- Algorithms must be guaranteed to complete promptly. Algorithms that
require too many retries are not acceptable.
We're trying to use as close to standard X.509 as possible, with a few cheats along the way to reduce over the air transmission sizes.
--Derek Atkins