OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

pkcs11 message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: HSS strength attribute for public key

Hi all,


Something I’m hoping to discuss this afternoon:


I’m trying to decide on the best way to describe the strength of the HSS scheme in the public key. Possibilities are:


  1. Choose the level using the weakest/lowest OTS parameter, and if there is more than 1 level using that OTS parameter, choose the level that has that OTS parameter and the weakest/lowest LMOTS parameter. Describe the strength with the OTS and LMOTS parameters from this level as well as the number of HSS levels.
  2. Describe the strength with the weakest/lowest OTS parameter used in the entire scheme, and the weakest/lowest LMOTS parameter used in the entire scheme as well as the number of HSS levels.
  3. A parameter calculated from the full set of parameters describing the security strength. I haven’t been able to find a security analysis that easily maps the full HSS params to a measure of security. There was some information here: https://eprint.iacr.org/2017/553.pdf but it wasn’t clear to me how to map our parameters to the equations they came up with there.
  4. The full CKA_HSS_PARAMS as originally included (but we decided was too complicated to have the user have to determine the security from).


Then I need to come up with names for these two attributes:



Case 2) could be something like CKA_HSS_LOWEST_OTS and CKA_HSS_LOWEST_LMOTS

Case 3) could be something like the log of the probability of a forgery given some predefined conditions, CKA_HSS_STRENGTH could suffice. The problem is calculating it!

Case 4) would just be the CKA_HSS_PARAMS as originally given.


Note: I’m thinking it would be best to avoid saying anything like “LOWEST_LEVEL” anywhere since that could be taken to imply “lowest level in the HSS hierarchy”.


I’m not sure that 1) or 2) fully specify the strength of the scheme. I.e. how can we compare (without a case 3) style calculation) two schemes with the same number of HSS levels, where one has the highest possible LMS and lowest possible LMOTS and the other has the lowest possible LMS and highest possible LMOTS? This is partly why I think 4) might be necessary to give a complete picture of the security level of the scheme. I’m hoping someone with a better understanding of security analysis than me can weigh in on this!



Attachment: smime.p7s
Description: S/MIME cryptographic signature

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]