Use cases for small signatures and keys
221 views
Skip to first unread message
Watson Ladd
May 15, 2026, 6:34:15 PM (7 days ago) May 15
to pqc-...@list.nist.gov
Dear NIST,
It's great to see the third round proposals come out. I would like to
shed light on some cases where we need very small keys+signature, and
can afford some CPU time, so SQISign would be of great interest.
One is Roughtime. Recently an RFC, this specification tries to address
bootstrapping of nodes without real time clocks in a secure way. For
ecosystem reasons it requires the use of a single signature algorithm
by all servers, and uses two keys, one a long lasting key, the other
rotating. It also transmits a very small amount of data, and has
mechanisms for batching signatures together via Merkel trees. If we
were to use ML-DSA, we would have a tremendous expansion of the size
of packets, that would likely force the use of a TCP transport to
authenticate what is just 64 bits of data. Most protocols don't have
these rather stringent constraints.
Sincerely,
Watson
It's great to see the third round proposals come out. I would like to
shed light on some cases where we need very small keys+signature, and
can afford some CPU time, so SQISign would be of great interest.
One is Roughtime. Recently an RFC, this specification tries to address
bootstrapping of nodes without real time clocks in a secure way. For
ecosystem reasons it requires the use of a single signature algorithm
by all servers, and uses two keys, one a long lasting key, the other
rotating. It also transmits a very small amount of data, and has
mechanisms for batching signatures together via Merkel trees. If we
were to use ML-DSA, we would have a tremendous expansion of the size
of packets, that would likely force the use of a TCP transport to
authenticate what is just 64 bits of data. Most protocols don't have
these rather stringent constraints.
Sincerely,
Watson
Demi Marie Obenour
May 15, 2026, 11:30:34 PM (7 days ago) May 15
to Watson Ladd, pqc-...@list.nist.gov
important. SQISign level I is smaller than RSA-2048, and SQISign
level V is smaller than RSA-4096. DNSSEC signing can be done offline,
though it is sometimes done online. However, verification performance
might well be a serious problem.
DNS is increasingly being transported over TLS, HTTPS, or QUIC for
privacy reasons. Those transports don't have an MTU limit. Therefore,
connection-oriented transports for DNS provide a serious alternative.
This is especially the case for end-user devices, which can maintain
a long-lived connection to a public recursive resolver.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Reply all
Reply to author
Forward
0 new messages