by agl
3030 days ago
XMSS is great work, but it's not clearly suitable for use in SSH: I will occasionally copy SSH private keys around, or restore them from backups. I think that's fairly common. However, with XMSS: "the signature schemes described in this document are stateful, meaning the secret key changes over time. If a secret key state is used twice, no cryptographic security guarantees remain." [1] Perhaps the SSH authors have a clever answer for this! But stateful signatures are not, in general, suitable as a drop-in replacement for traditional signature schemes and I do worry that people may miss this subtle, but critical, point. [1] https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-...
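An added illustration of the state-reuse hazard described above (example code, not from the comment, OpenSSH or the XMSS draft). It stands in a single Lamport one-time key for one XMSS leaf, which is an assumed simplification; the point is that a "used" flag stored with the key cannot survive a key being copied or restored from backup, and that two signatures under one one-time key expose both preimages at every position where the message digests differ.

```python
import copy
import hashlib
import os

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def msg_bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def keygen():
    # Lamport one-time key: two random preimages per digest bit; their hashes form the public key
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(s0), H(s1)) for s0, s1 in sk]
    return sk, pk

def sign_raw(sk, msg):
    # Each signature reveals exactly one of the two preimages at every bit position
    return [sk[i][b] for i, b in enumerate(msg_bits(msg))]

def verify(pk, msg, sig):
    return all(H(sig[i]) == pk[i][b] for i, b in enumerate(msg_bits(msg)))

class OneTimeKey:
    """Stateful key: the 'used' flag is the state that must never be reused."""
    def __init__(self):
        self.sk, self.pk = keygen()
        self.used = False

    def sign(self, msg):
        if self.used:
            raise RuntimeError("one-time key already used; refusing to sign")
        self.used = True
        return sign_raw(self.sk, msg)

def fully_exposed_positions(msgs):
    # Positions where signatures over these messages together reveal BOTH preimages.
    # With one message this is 0; two distinct messages expose roughly half of the 256.
    return sum(1 for bits in zip(*(msg_bits(m) for m in msgs)) if len(set(bits)) == 2)

def refuses_reuse():
    k = OneTimeKey()
    k.sign(b"first")
    try:
        k.sign(b"second")
        return False
    except RuntimeError:
        return True

def backup_scenario():
    # Constructed scenario: the key file is copied (backup/restore) before its first use.
    # Each copy's own state check passes, so the same one-time key ends up signing twice.
    live = OneTimeKey()
    restored = copy.deepcopy(live)
    m1, m2 = b"login to host A", b"login to host B"
    s1, s2 = live.sign(m1), restored.sign(m2)  # neither copy raises
    both_valid = verify(live.pk, m1, s1) and verify(restored.pk, m2, s2)
    return both_valid, fully_exposed_positions([m1, m2])
```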