Call for Additional Signatures is released

855 views
Skip to first unread message

Moody, Dustin (Fed)

unread,
Sep 6, 2022, 4:16:00 PM9/6/22
to pqc-forum
All,

NIST is calling for additional digital signature proposals to be considered in the PQC standardization process. NIST is primarily interested in additional general-purpose signature schemes that are not based on structured lattices. For certain applications, such as certificate transparency, NIST may also be interested in signature schemes that have short signatures and fast verification. NIST is open to receiving additional submissions based on structured lattices, but is intent on diversifying the post-quantum signature standards. As such, any structured lattice-based signature proposal would need to significantly outperform CRYSTALS-Dilithium and FALCON in relevant applications and/or ensure substantial additional security properties to be considered for standardization.

You can find the Call, as well as instructions and requirements for submissions at:


Submission packages must be received by NIST by June 1, 2023. Submission packages received before March 1, 2023, will be reviewed for completeness by NIST; the submitters will be notified of any deficiencies by March 31, 2023, allowing time for deficient packages to be amended by the submission deadline. No amendments to packages will be permitted after the submission deadline, except at specified times during the evaluation phase.

Please let us know if you have any questions.

Dustin Moody
NIST PQC team


Paul Hoffman

unread,
Sep 6, 2022, 5:42:15 PM9/6/22
to pqc-forum
On Sep 6, 2022, at 1:15 PM, 'Moody, Dustin (Fed)' via pqc-forum <pqc-...@list.nist.gov> wrote:
> For certain applications, such as certificate transparency, NIST may also be interested in signature schemes that have short signatures and fast verification.

Can you say more about the motivation here? Are you forcusing on schemes that have possibly-giant keys but short signatures, or are you still hoping for schemes that have a variety of different key/signature size balances? I ask as someone who supports a protocol (DNSSEC) that is concerned with delivering both keys and signatures, so size of each will matter to us.

--Paul Hoffman

Mike Ounsworth

unread,
Sep 6, 2022, 6:23:05 PM9/6/22
to Paul Hoffman, pqc-forum
crt.sh shows that we're in the single-digit-billion certs in the index. If you were to download and integrity-check the entire thing on a regular basis, then I could see short signatures and fast verifications being a big deal.

https://crt.sh/cert-populations


That said, I'm also curious why CT was singled out as *the* motivating use-case in Dustin's announcement.

---
Mike Ounsworth
Software Security Architect, Entrust

-----Original Message-----
From: pqc-...@list.nist.gov <pqc-...@list.nist.gov> On Behalf Of Paul Hoffman
Sent: September 6, 2022 4:42 PM
To: pqc-forum <pqc-...@list.nist.gov>
Subject: [EXTERNAL] Re: [Ext] [pqc-forum] Call for Additional Signatures is released

WARNING: This email originated outside of Entrust.
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.

______________________________________________________________________
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/13C6E198-B827-434C-9EF8-1AA8609A8DDD%40icann.org.
Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.

Paul Hoffman

unread,
Sep 6, 2022, 6:32:10 PM9/6/22
to Mike Ounsworth, pqc-forum
On Sep 6, 2022, at 3:22 PM, Mike Ounsworth <Mike.Ou...@entrust.com> wrote:
>
> crt.sh shows that we're in the single-digit-billion certs in the index. If you were to download and integrity-check the entire thing on a regular basis, then I could see short signatures and fast verifications being a big deal.

Absolutely! I didn't want to indicate anything negative about CT; it's a huge success. I was asking if this use case was the major focus of the next round or if more non-lattice proposals with different size weightings were also in scope.

--Paul Hoffman

Bas Westerbaan

unread,
Sep 7, 2022, 7:25:35 AM9/7/22
to Mike Ounsworth, Paul Hoffman, pqc-forum
On Wed, Sep 7, 2022 at 12:22 AM 'Mike Ounsworth' via pqc-forum <pqc-...@list.nist.gov> wrote:
crt.sh shows that we're in the single-digit-billion certs in the index. If you were to download and integrity-check the entire thing on a regular basis, then I could see short signatures and fast verifications being a big deal.

I'd say having a small-signature&fast-verification scheme is a much bigger deal for the 2+ SCTs that are in every single leaf certificate on the web. Also it's nice for the signature in the intermediate certificate. There are not that many root CAs and CT logs, so having slightly larger public keys for those keypairs could be a worthwhile trade-off.

Best,

 Bas

Blumenthal, Uri - 0553 - MITLL

unread,
Sep 7, 2022, 7:49:00 AM9/7/22
to pqc-forum

Having a small-signature && fast-verification is crucial for constrained environments (that I’m often dealing with).

I agree that a smaller signature at the cost of slightly larger public key would be a good compromise, at least for my use cases.

 

Thanks!

--

V/R,

Uri

 

There are two ways to design a system. One is to make it so simple there are obviously no deficiencies.

The other is to make it so complex there are no obvious deficiencies.

                                                                                                                                     -  C. A. R. Hoare

--

You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.

Bo Lin

unread,
Sep 7, 2022, 5:42:23 PM9/7/22
to Blumenthal, Uri - 0553 - MITLL, pqc-forum
Yes, totally agree! There are many applications that key size overweighs performance 
 
From: pqc-...@list.nist.gov <pqc-...@list.nist.gov> on behalf of Blumenthal, Uri - 0553 - MITLL <u...@ll.mit.edu>
Sent: Wednesday, September 7, 2022 12:49 pm
To: pqc-forum <pqc-...@list.nist.gov>

Edoardo Persichetti

unread,
Sep 7, 2022, 5:49:03 PM9/7/22
to Bo Lin, Blumenthal, Uri - 0553 - MITLL, pqc-forum
Hi all! I guess, for us designers, it would be great to have a more precise understanding of what are the ballparks and sizes discussed here, with reference for the various use cases, since the terms “large”, “short”, “slightly larger” and similar are very vague. Are we talking about a few bytes, a few kilobytes, a few dozen kilobytes, a few hundred kilobytes (e.g. UOV)…?

Thanks for your insight.

Best,
Edoardo


On Sep 7, 2022, at 5:42 PM, Bo Lin <crypt...@outlook.com> wrote:

  EXTERNAL EMAIL : Exercise caution when responding, opening links, or opening attachments.
 

Sofi Celi

unread,
Sep 7, 2022, 7:21:59 PM9/7/22
to Edoardo Persichetti, Bo Lin, Blumenthal, Uri - 0553 - MITLL, pqc-forum
Dear, Edoardo and all,

For DNSSEC, there is this interesting presentation from Roland van Rijswijk-Deij around which sizes and computational times might work: https://github.com/claucece/PQNet-Workshop/blob/main/slides/PQC%20and%20DNSSEC%202022.pdf (the last set of slides: from 96 onwards).
There is also the master thesis of one of his students on the matter: http://essay.utwente.nl/89509/1/Beernink_MA_EEMCS.pdf and another paper: https://conferences.sigcomm.org/sigcomm/2021/files/papers/3431832.3431838.pdf

For TLS, Douglas Stebila, Goutam Tamvada and Christian Paquin benchmarked some of the PQC algorithms: https://www.douglas.stebila.ca/research/papers/PQCrypto-PaqSteTam20/ , which provides a very nice insight.

Hope this helps,

To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/489BEB1A-0041-4425-8E76-E845767A88F0%40fau.edu.


--
Sofía Celi
@claucece
Cryptographic research and implementation at many places, but specially at Brave
Reach me out at: cher...@riseup.net
74BE 6517 031D 11CC D233  3FCA 44DF 95B9 E3BC 4369

Samuel Lavery

unread,
Sep 7, 2022, 8:52:51 PM9/7/22
to Sofi Celi, Edoardo Persichetti, Bo Lin, Blumenthal, Uri - 0553 - MITLL, pqc-forum
Hi Sofi and everyone,

I’ve read a few of these before, but some were new, so thank you.  I think I have a reasonable understanding of the impacts and constraints for wired frame based protocols, but I’ve never been able to find anything about the impacts to wireless protocols.  I have very little understanding of how things like LTE and other long range wireless protocols use signatures and what their constraints are.  Have you ever come across any similar research for non-avian (RFC1149) over the air protocols?  I have some intuition about it, but haven’t been able to find any research.    

Thanks,
Sam

Brent Kimberley

unread,
Sep 7, 2022, 10:11:06 PM9/7/22
to Samuel Lavery, Sofi Celi, Edoardo Persichetti, Bo Lin, Blumenthal, Uri - 0553 - MITLL, pqc-forum
Interesting question.  Should 4G, 5G, 6G, 7G or "future mobile technologies" align with the CNSA 2.0 roadmap?  (Perhaps they already are aligned?)
From: pqc-...@list.nist.gov <pqc-...@list.nist.gov> on behalf of Samuel Lavery <sam.l...@gmail.com>
Sent: Wednesday, September 7, 2022, 8:54 p.m.
To: Sofi Celi <sofi...@gmail.com>
Cc: Edoardo Persichetti <epersi...@fau.edu>; Bo Lin <crypt...@outlook.com>; Blumenthal, Uri - 0553 - MITLL <u...@ll.mit.edu>; pqc-forum <pqc-...@list.nist.gov>
THIS MESSAGE IS FOR THE USE OF THE INTENDED RECIPIENT(S) ONLY AND MAY CONTAIN INFORMATION THAT IS PRIVILEGED, PROPRIETARY, CONFIDENTIAL, AND/OR EXEMPT FROM DISCLOSURE UNDER ANY RELEVANT PRIVACY LEGISLATION. No rights to any privilege have been waived. If you are not the intended recipient, you are hereby notified that any review, re-transmission, dissemination, distribution, copying, conversion to hard copy, taking of action in reliance on or other use of this communication is strictly prohibited. If you are not the intended recipient and have received this message in error, please notify me by return e-mail and delete or destroy all copies of this message.

John Mattsson

unread,
Sep 8, 2022, 12:50:22 AM9/8/22
to Brent Kimberley, Samuel Lavery, Sofi Celi, Edoardo Persichetti, Bo Lin, Blumenthal, Uri - 0553 - MITLL, pqc-forum

Just like IETF, 3GPP has had a lot of discussion about PQC. I expect 3GPP to introduce PQC in their specifications as soon as NIST has released final standards and IETF has published updates to TLS 1.3, IKEv2, X.509, and HPKE. 3GPP relies on IETF standards for almost all use of public key cryptography. 3GPP might mandate support of level 1 or 3 and have high security level 5 as should support. This is what current 3GPP documents mostly do regarding P-256/SHA-256 and P-384/SHA-384. I agree with the CNSA 2.0 statement that Kyber and Dilithium should not be used before there are final NIST standards. I think we need to make sure there are NIST and IETF standards before setting timelines for 5G.

 

3GPP RAN mostly rely on pre-shared keys for authentication and key exchange. 5G introduces the use of ECIES to encrypt identities over the air and there is 2000 bytes reserved to be able to handle PQC KEMs. HPKE with Kyber would likely be a good choice. There is also work on introducing ECDHE in AKA (see EAP-AKA' FS) to provide forward secrecy and align with zero trust principles. Always assuming breach such as key compromise (e.g., in the sim card supply chain) and minimizing the impact of breach are essential zero-trust principles. This should be a main priority for the next 5G releases. Would be good with NIST help to drive zero trust in 5G RAN.

 

https://www.ericsson.com/en/blog/2022/4/extensible-authentication-protocol-eap-networks

 

Non-constrained wireless networks will likely be impacted similarly to wired protocols, but it would be good with more research. For very constrained wireless protocols the situation is dire and Kyber and Dilithium do in many cases not work at all. I have written a position paper to the NIST Fourth PQC Standardization Conference about this that I will submit soon.

 

Cheers,

John

Blumenthal, Uri - 0553 - MITLL

unread,
Sep 8, 2022, 5:47:05 PM9/8/22
to Edoardo Persichetti, pqc-forum

Hi all! I guess, for us designers, it would be great to have a more precise understanding of what are the ballparks and sizes discussed here, with reference for the various use cases, since the terms “large”, “short”, “slightly larger” and similar are very vague.

 

OK, for you designers: my “constrained” use case prefers

 

  • signatures in ballpark of 1 Kbyte or less,
  • public keys for KEM – in ballpark of 1.5 KB or less,
  • public keys for signature – within a couple of KB, if over-the-air exchange of intermediate CA certificates required – less than 2 KB.

 

Performance for signature:

  • fast verification is a-must,
  • fast signing is preferred,
  • fast keygen is not that critical.

 

Performance for KEM: everything must be fast.

 

Hope this helps.

 

TNX

Edoardo Persichetti

unread,
Sep 8, 2022, 5:49:26 PM9/8/22
to Blumenthal, Uri - 0553 - MITLL, pqc-forum
Thanks Uri, this is very accurate :)

Best,
Edoardo

Bas Westerbaan

unread,
Sep 8, 2022, 6:11:34 PM9/8/22
to Edoardo Persichetti, Blumenthal, Uri - 0553 - MITLL, pqc-forum
In TLS for the Web there are many different signatures, so I'm afraid I can't give the same simple guidance as Uri. But have a look at https://blog.cloudflare.com/sizing-up-post-quantum-signatures/

To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/3199409D-8CFA-4CD3-B27A-511BC647ACA0%40fau.edu.

Moody, Dustin (Fed)

unread,
Sep 9, 2022, 12:01:25 PM9/9/22
to Paul Hoffman, pqc-forum
Paul,

As noted in my previous email, "NIST is primarily interested in additional general-purpose signature schemes that are not based on structured lattices." For applications such as DNSSEC, where both public key and signature size are a concern, these schemes would likely be the ones of most interest (in addition to those already selected).

 

Separately from the interest in general-purpose signature schemes, NIST understands that some applications would benefit from signature sizes that are substantially smaller than those of Dilithium or Falcon even if the schemes had relatively large public key sizes. Certificate transparency happens to be one example that is well known and that is part of a widely-used protocol (HTTP over TLS). As Bas noted, CT involves a small number of public keys that are distributed out-of-band and a large number of signatures (2 or more per initial TLS handshake) that are distributed in-band. There are other applications where accepting (potentially) much larger public keys in exchange for much smaller signatures would be a good tradeoff, but CT is likely the most well known and most widely used one.

 

We would expect some submissions to target the non-lattice-based general-purpose use case and some to target the small-signature use case. We were not necessarily expecting to receive any submissions that would be good general-purpose signature schemes that also had small signatures and fast verification.


Dustin


From: pqc-...@list.nist.gov on behalf of Paul Hoffman
Sent: Tuesday, September 6, 2022 5:42 PM
To: pqc-forum

Subject: Re: [Ext] [pqc-forum] Call for Additional Signatures is released

On Sep 6, 2022, at 1:15 PM, 'Moody, Dustin (Fed)' via pqc-forum <pqc-...@list.nist.gov> wrote:
> For certain applications, such as certificate transparency, NIST may also be interested in signature schemes that have short signatures and fast verification.

Can you say more about the motivation here? Are you forcusing on schemes that have possibly-giant keys but short signatures, or are you still hoping for schemes that have a variety of different key/signature size balances? I ask as someone who supports a protocol (DNSSEC) that is concerned with delivering both keys and signatures, so size of each will matter to us.

--Paul Hoffman

--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.

Blumenthal, Uri - 0553 - MITLL

unread,
Sep 9, 2022, 12:07:08 PM9/9/22
to pqc-forum

Does it mean that NIST is not interested in lattice-based schemes?

 

I have in mind specifically https://eprint.iacr.org/2022/1155.pdf , which IMHO would be nice to see considered for Round 4.

 

Thanks!

--

V/R,

Uri

 

There are two ways to design a system. One is to make it so simple there are obviously no deficiencies.

The other is to make it so complex there are no obvious deficiencies.

                                                                                                                                     -  C. A. R. Hoare

 

 

Fx FRT

unread,
Sep 10, 2022, 5:12:11 PM9/10/22
to Blumenthal, Uri - 0553 - MITLL, pqc-forum
Paul Hoffman <paul.h...@icann.org>, pqc-forum <pqc-...@list.nist.gov>
<>

[10/9 22:47] Fx FRT: Es computación post cuántica que creo es lattide por ataques a la GPS y drones de control etc y trazan rectas cuando aprenderán a tomar el punto más próximo entre ellos P, Q, son el producto y puntos iniciales de una trayectoria cualesquiera ahora ponemos rectas en pos de la trayectoria cualesquiera que imponga el recorrido para hacer la ruta más próxima solo hay que suponer que si el metro unidad tuviera un metro cualesquiera de rectificación y longitud es decir un medio al cuadrado más un medio al cuadrado todo raiz elevado cada medio al cuadrado en si mismo sería igual a uno ahora haz el conjugado mod 6 de un cubo el cubo mod 6 de un metro lok partes en partes iguales para que sea la cifra más grande la Grande solo hace falta mod 6 en linea con lo cual el sumatorio de un cubo mínimo sería partir de un cubo y hacer un hipercubo √(1/2) ²+(1/2) ²+(1/3) ²= 9,827 que es el hipercubo de un hexaedro de parte maxima de un metro hipercubo o por ahí de máxima longitud permisiva pero si lo quieres hacer del mínimo tamaño solo tienes que ramdom separó líneas entre matriz cúbica recuerda que esto son 6 lados y mod 6 es la parte que buscamos entre 1 mm 3 mm 3 mm 3 mm 9mm 3mm 3mm 3mm 24mm 3 mm 3mm 3mm 9mm 3mm 3mm 3mm 1mm 51 +51 = 102 y partes de 1 mm para dibujar la trayectoria más corta la cantidad 49 es la más corta y cualesquiera de las otras cantidades sería en mod 6, 6.16666666 asike en mod 6 16666666∞es la parte que corresponde menos 1 mm a la parte más corta que es un mm ya que mod (6) de (49,6.166666etc) entonces en mod(6) que se rompe de 1 en 0.98 en mod (5) tienes la respuesta por que 1,66666 el resto del cociente de mod (6) suma 0.99666666 y eso si le pones 51 encima en mod (5) es 0.99911 que más 0.99999 en mod (5) que sería 999999 también y aún así es más pequeño que un metro con lo cual he demostrado el teorema de mod 5 de computación estable de menos de 1mm de conjugado de garden
[10/9 22:48] Fx FRT: Goliot queda resuelto busca goliot o cuadrado mínimo de goliot 1mm mínimo
[10/9 22:48] Fx FRT: Para un metro unidad
[10/9 22:48] Fx FRT: Y que no sobrepase ese mm por que sino se pega la Ostia y te mata tio

To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/9B454A1B-4533-49A9-A0F9-74CF81F6BEF6%40ll.mit.edu.

Fx FRT

unread,
Sep 10, 2022, 5:22:32 PM9/10/22
to Blumenthal, Uri - 0553 - MITLL, pqc-forum
Mod 6 mod 5 49 51 = 1 congugacion erronea si mod 6 se le añade mod (5) (49 51 ) =1 pero da igual por qué para añadir mod (5)  estricto hasta con añadir el conjugado mod(5) 49,49 lo cual =0.91 más 0.99 tenemos 1.9 que dividido entre 2 da 0.95
5 mm para que el GPS pase de constrictor a ataque pero a hawk company le vendra bien 👍

John Mattsson

unread,
Sep 12, 2022, 1:03:23 PM9/12/22
to pqc-forum, Edoardo Persichetti, Blumenthal, Uri - 0553 - MITLL

Hi,

 

Note that there are much more constrained networks than Uri's use case. The world "constrained" can refer to systems with several orders of magniture difference in capabilities. While constrained devices has gotten quite a lot of attention, the radio is often the most constrained part. To reduce overhead and processing in constrained radio networks, IETF has created several working groups and technologies for constrained networks such as 6lo, 6LoWPAN, 6TiSCH, ACE, CBOR, CoRE (CoAP, OSCORE), COSE, LAKE (EDHOC) ROLL (RPL), and LPWAN (SCHC).

 

Constrained radio networks are characterized by very small frame sizes on the order of tens of bytes transmitted a few times per day at ultra-low speeds, high latency, and severe duty cycles constraints. The number of different constrained radio network technologies is large and growing. Some examples of constrained network technologies are LoRaWAN, NB-IoT, Sigfox, Wi-SUN FAN, Bluetooth Low Energy, and IEEE 802.15.4. IEEE 802.15.4 is used in Zigbee, ISA100.11a, WirelessHART, MiWi, 6LoWPAN, 6TiSCH, Thread and SNAP. Low Power Wide Area Networks (LPWANs) is a huge and very quickly growing market expected to reach over 1000 billion USD globally by 2027.

 

To work well in constrained radio networks, the message sizes need to align with the tens of bytes transmitted a few times per day that the networks are designed for. Infrequently sending a few hundred bytes is acceptable in many constrained networks but sending a thousand bytes is not feasible in more constrained networks. Note that static keys often do not need to be sent over constrained links, as they can be provisioned or accessed over non-constrained links. Moreover, signatures can in many cases be replaced by a symmetrical MAC from an Ephemeral-Static or Static-Static key exchange by changing the architecture and protocols, as long as the proving node is online.

 

As several people asked me offline, here is a copy of the paper we submitted to NIST.

https://drive.google.com/file/d/1Vky_uA8DhJMGM-keHH-ujF23xG6stUXq

 

Cheers,

John

Brent Kimberley

unread,
Sep 12, 2022, 1:20:28 PM9/12/22
to John Mattsson, pqc-forum, Edoardo Persichetti, Blumenthal, Uri - 0553 - MITLL

>> Note that static keys..

Please note, an actuary, statistician, or equivalent with operational experience should be involved when making the final determination re risk / contingency-holdback / energy budget / expected operational demand / effective headroom – especially if the systems are life-crit.

Brent Kimberley

unread,
Sep 12, 2022, 1:28:10 PM9/12/22
to John Mattsson, pqc-forum, Edoardo Persichetti, Blumenthal, Uri - 0553 - MITLL

For example bulk electric protection doesn’t permit more than one mal event per 40 years.

Blumenthal, Uri - 0553 - MITLL

unread,
Sep 12, 2022, 1:54:09 PM9/12/22
to John Mattsson, pqc-forum, Edoardo Persichetti

Note that there are much more constrained networks than Uri's use case.

 

Please note that I’ve only listed my use case constraints, fully understanding that there are other more constrained applications.

 

The world "constrained" can refer to systems with several orders of magniture difference in capabilities. While constrained devices has gotten quite a lot of attention, the radio is often the most constrained part.

 

Yes.

 

Constrained radio networks are characterized by very small frame sizes on the order of tens of bytes transmitted a few times per day at ultra-low speeds, high latency, and severe duty cycles constraints. The number of different constrained radio network technologies is large and growing. Some examples of constrained network technologies are LoRaWAN, NB-IoT, Sigfox, Wi-SUN FAN, Bluetooth Low Energy, and IEEE 802.15.4. IEEE 802.15.4 is used in Zigbee, ISA100.11a, WirelessHART, MiWi, 6LoWPAN, 6TiSCH, Thread and SNAP. Low Power Wide Area Networks (LPWANs) is a huge and very quickly growing market expected to reach over 1000 billion USD globally by 2027.

 

To work well in constrained radio networks, the message sizes need to align with the tens of bytes transmitted a few times per day that the networks are designed for. Infrequently sending a few hundred bytes is acceptable in many constrained networks but sending a thousand bytes is not feasible in more constrained networks.

 

I concur, and wonder what would be the PQ solution for those.

 

Note that static keys often do not need to be sent over constrained links, as they can be provisioned or accessed over non-constrained links.

 

I disagree. In some cases the above is true. In others, like mine – decidedly not so. The only reasonable pre-provisioning in my case is for the known-in-advance CA certs.

 

I understand that there are others who can pre-provision static keys, in which case McEliece doesn’t sound all that bad. 😉 \

Just don’t start thinking that it’s the “usual” case.

 

Moreover, signatures can in many cases be replaced by a symmetrical MAC from an Ephemeral-Static or Static-Static key exchange by changing the architecture and protocols, as long as the proving node is online.

 

Yes. Tradeoff between how much to send, how often, and who to (including how many entities to talk with during this process).

 

As several people asked me offline, here is a copy of the paper we submitted to NIST.

https://drive.google.com/file/d/1Vky_uA8DhJMGM-keHH-ujF23xG6stUXq

 

Thank you! Let me read it and get back with questions, if any.

 

TNX

Reply all
Reply to author
Forward
0 new messages