rfc9021xml2.original.xml   rfc9021.xml 
<?xml version="1.0" encoding="US-ASCII"?> <?xml version="1.0" encoding="UTF-8"?>
<!-- This template is for creating an Internet Draft using xml2rfc,
which is available here: http://xml.resource.org. -->
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!-- One method to get references from the online citation libraries.
There has to be one entity for each item to be referenced.
An alternate method (rfc include) is described in the references. -->
<!ENTITY RFC2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC <!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent">
.2119.xml">
<!ENTITY RFC8174 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.8174.xml">
<!ENTITY RFC8152 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.8152.xml">
<!ENTITY RFC4086 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.4086.xml">
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<!-- used by XSLT processors -->
<!-- For a complete list and description of processing instructions (PIs),
please see http://xml.resource.org/authoring/README.html. -->
<!-- Below are generally applicable Processing Instructions (PIs) that most I-Ds
might want to use.
(Here they are set differently than their defaults in xml2rfc v1.32) -->
<?rfc strict="yes" ?>
<!-- give errors regarding ID-nits and DTD validation -->
<!-- control the table of contents (ToC) -->
<?rfc toc="yes"?>
<!-- generate a ToC -->
<?rfc tocdepth="4"?>
<!-- the number of levels of subsections in ToC. default: 3 -->
<!-- control references -->
<?rfc symrefs="yes"?>
<!-- use symbolic references tags, i.e, [RFC2119] instead of [1] -->
<?rfc sortrefs="yes" ?>
<!-- sort the reference entries alphabetically -->
<!-- control vertical white space
(using these PIs as follows is recommended by the RFC Editor) -->
<?rfc compact="yes" ?>
<!-- do not start each main section on a new page -->
<?rfc subcompact="no" ?>
<!-- keep one blank line between list items -->
<!-- end of list of popular I-D processing instructions -->
<rfc category="info" docName="draft-atkins-suit-cose-walnutdsa-07" ipr="trust200
902">
<!-- category values: std, bcp, info, exp, and historic
ipr values: full3667, noModification3667, noDerivatives3667
you can add the attributes updates="NNNN" and obsoletes="NNNN"
they will automatically be output with "(if approved)" -->
<!-- ***** FRONT MATTER ***** --> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" docName="draft-atkins-suit-cose-
walnutdsa-07" number="9021" ipr="trust200902" obsoletes="" updates="" submission
Type="independent" category="info"
xml:lang="en" tocInclude="true" tocDepth="4" symRefs="true" sortRefs="true" vers
ion="3">
<front> <front>
<!-- The abbreviated title is used in the page header - it is only necessary
if the
full title is longer than 39 characters -->
<title abbrev="WalnutDSA COSE Sigs">Use of the Walnut Digital Signature Algo rithm with CBOR Object Signing and Encryption (COSE) </title> <title abbrev="WalnutDSA COSE Sigs">Use of the Walnut Digital Signature Algo rithm with CBOR Object Signing and Encryption (COSE) </title>
<seriesInfo name="RFC" value="9021"/>
<!-- add 'role="editor"' below for the editors if appropriate --> <author fullname="Derek Atkins" initials="D" surname="Atkins">
<!-- Another author who claims to be an editor -->
<author fullname="Derek Atkins" initials="D.A." surname="Atkins">
<organization>Veridify Security</organization> <organization>Veridify Security</organization>
<address> <address>
<postal> <postal>
<street>100 Beard Sawmill Rd, Suite 350</street> <street>100 Beard Sawmill Rd, Suite 350</street>
<!-- Reorder these if your country does things differently -->
<city>Shelton</city> <city>Shelton</city>
<region>CT</region> <region>CT</region>
<code>06484</code> <code>06484</code>
<country>US</country> <country>United States of America</country>
</postal> </postal>
<phone>+1 617 623 3745</phone> <phone>+1 617 623 3745</phone>
<email>datkins@veridify.com</email> <email>datkins@veridify.com</email>
<!-- uri and facsimile elements may also be added -->
</address> </address>
</author> </author>
<date month="May" year="2021"/>
<date month="January" year="2021" />
<!-- If the month and year are both specified and are the current ones, xml2
rfc will fill
in the current day for you. If only the current year is specified, xml2
rfc will fill
in the current day and month for you. If the year is not the current one
, it is
necessary to specify at least a month (xml2rfc assumes day="1" if not sp
ecified for the
purpose of calculating the expiry date). With drafts it is normally suf
ficient to
specify just the year. -->
<!-- Meta-data Declarations -->
<area>Security</area> <area>Security</area>
<workgroup>Internet Engineering Task Force</workgroup> <workgroup>Internet Engineering Task Force</workgroup>
<!-- WG name at the upperleft corner of the doc,
IETF is fine for individual submissions.
If this element is not present, the default is "Network Working Group",
which is used by the RFC Editor as a nod to the history of the IETF. --
>
<keyword>COSE</keyword> <keyword>COSE</keyword>
<keyword>WalnutDSA</keyword> <keyword>WalnutDSA</keyword>
<!-- Keywords will be incorporated into HTML output
files in a meta tag but they have no effect on text or nroff
output. If you submit your draft to the RFC Editor, the
keywords will be used for the search engine. -->
<abstract> <abstract>
<t>This document specifies the conventions for using the Walnut <t>This document specifies the conventions for using the Walnut Digital
Digital Signature Algorithm (WalnutDSA) for digital signatures Signature Algorithm (WalnutDSA) for digital signatures with the CBOR
with the CBOR Object Signing and Encryption (COSE) syntax. Object Signing and Encryption (COSE) syntax. WalnutDSA is a
WalnutDSA is a lightweight, quantum-resistant signature scheme lightweight, quantum-resistant signature scheme based on Group Theoretic
based on Group Theoretic Cryptography <!-- (see <xref target="WALNUTDSA" / Cryptography with implementation and computational efficiency of
> signature verification in constrained environments, even on 8- and
and <xref target="WALNUTSPEC" />) --> with implementation and 16-bit platforms.</t>
computational efficiency of signature verification in constrained
environments, even on 8- and 16-bit platforms.</t>
<t>The goal of this publication is to document a way to use the <t>The goal of this publication is to document a way to use the
lightweight, quantum-resistant WalnutDSA signature algorithm in lightweight, quantum-resistant WalnutDSA signature algorithm in
COSE in a way that would allow multiple developers to build COSE in a way that would allow multiple developers to build
compatible implementations. As of this publication, the compatible implementations. As of this publication, the
security properties of WalnutDSA have not been evaluated by the security properties of WalnutDSA have not been evaluated by the
IETF and its use has not been endorsed by the IETF. IETF and its use has not been endorsed by the IETF.
</t> </t>
<t>WalnutDSA and the Walnut Digital Signature Algorithm are
<t>WalnutDSA(TM) and Walnut Digital Signature Algorithm(TM) are trademarks of Veridify Security Inc.</t>
trademarks of Veridify Security Inc..</t>
</abstract> </abstract>
</front>
</front>
<middle> <middle>
<section title="Introduction"> <section numbered="true" toc="default">
<t>This document specifies the conventions for using the Walnut <name>Introduction</name>
Digital Signature Algorithm (WalnutDSA) <xref target="WALNUTDSA" <t>This document specifies the conventions for using the Walnut Digital
/> for digital signatures with the CBOR Object Signing and Signature Algorithm (WalnutDSA) <xref target="WALNUTDSA"
Encryption (COSE) <xref target="RFC8152" /> syntax. WalnutDSA format="default"/> for digital signatures with the CBOR Object Signing
is a Group-Theoretic <xref target="GTC" /> signature scheme and Encryption (COSE) syntax <xref target="RFC8152" format="default"/>.
where signature validation is both computationally- and WalnutDSA is a Group Theoretic signature scheme <xref target="GTC" format=
space-efficient, even on very small processors. Unlike many "default"/> where signature validation is both computationally and
hash-based signatures, there is no state required and no limit space efficient, even on very small processors. Unlike many hash-based
on the number of signatures that can be made. WalnutDSA private signatures, there is no state required and no limit on the number of
and public keys are relatively small; however, the signatures signatures that can be made. WalnutDSA private and public keys are
are larger than RSA and ECC, but still smaller than most all relatively small; however, the signatures are larger than RSA and
other quantum-resistant schemes (including all hash-based Elliptic Curve Cryptography (ECC), but still smaller than most all other
schemes).</t> quantum-resistant schemes (including all hash-based schemes).</t>
<t>COSE provides a lightweight method to encode structured data. <t>COSE provides a lightweight method to encode structured data.
WalnutDSA is a lightweight, quantum-resistant digital WalnutDSA is a lightweight, quantum-resistant digital
signature algorithm. The goal of this specification is to signature algorithm. The goal of this specification is to
document a method to leverage WalnutDSA in COSE in a way that document a method to leverage WalnutDSA in COSE in a way that
would allow multiple developers to build compatible would allow multiple developers to build compatible
implementations.</t> implementations.</t>
<t>As with all cryptosystems, the initial versions of WalnutDSA <t>As with all cryptosystems, the initial versions of WalnutDSA
underwent significant cryptanalysis, and in some cases, underwent significant cryptanalysis, and, in some cases, identified
identified potential issues. For more discussion on this topic, potential issues. For more discussion on this topic, a summary of all
a summary of all published cryptanalysis can be found in Section published cryptanalysis can be found in <xref
5.2. Validated issues were addressed by reparameterization in target="meth_sec"/>. Validated issues were addressed by
updated versions of WalnutDSA. Although the IETF has neither reparameterization in updated versions of WalnutDSA. Although the IETF
evaluated the security properties of WalnutDSA nor has the IETF has neither evaluated the security properties of WalnutDSA nor endorsed
endorsed WalnutDSA as of this publication, this document WalnutDSA as of this publication, this document provides a method to use
provides a method to use WalnutDSA in conjunction with IETF WalnutDSA in conjunction with IETF protocols. As always, users of any
protocols. As always, users of any security algorithm are security algorithm are advised to research the security properties of
advised to research the security properties of the algorithm and the algorithm and make their own judgment about the risks involved.</t>
make their own judgment about the risks involved.</t> <section numbered="true" toc="default">
<name>Motivation</name>
<section title="Motivation"> <t>Recent advances in cryptanalysis <xref target="BH2013"
<t>Recent advances in cryptanalysis <xref target="BH2013" /> format="default"/> and progress in the development of quantum
and progress in the development of quantum computers <xref computers <xref target="NAS2019" format="default"/> pose a threat to
target="NAS2019" /> pose a threat to widely deployed digital widely deployed digital signature algorithms. As a result, there is a
signature algorithms. As a result, there is a need to prepare need to prepare for a day that cryptosystems such as RSA and DSA,
for a day that cryptosystems such as RSA and DSA that depend which depend on discrete logarithm and factoring, cannot be depended
on discrete logarithm and factoring cannot be depended upon.</t> upon.</t>
<t>If large-scale quantum computers are ever built, these computers
<t>If large-scale quantum computers are ever built, these will be able to break many of the public key cryptosystems currently
computers will be able to break many of the public-key in use. A post-quantum cryptosystem <xref target="PQC"
cryptosystems currently in use. A post-quantum cryptosystem format="default"/> is a system that is secure against quantum
<xref target="PQC" /> is a system that is secure against computers that have more than a trivial number of quantum bits
quantum computers that have more than a trivial number of (qubits). It is open to conjecture when it will be feasible to build
quantum bits (qubits). It is open to conjecture when it will such computers; however, RSA, DSA, the Elliptic Curve Digital
be feasible to build such computers; however, RSA, DSA, ECDSA, Signature Algorithm (ECDSA), and the Edwards-Curve Digital Signature
and EdDSA are all vulnerable if large-scale quantum computers Algorithm (EdDSA) are all vulnerable if large-scale quantum computers
come to pass.</t> come to pass.</t>
<t>WalnutDSA does not depend on the difficulty of discrete <t>WalnutDSA does not depend on the difficulty of discrete
logarithm or factoring. As a result this algorithm is logarithms or factoring. As a result, this algorithm is
considered to be resistant to post-quantum attacks.</t> considered to be resistant to post-quantum attacks.</t>
<t>Today, RSA and ECDSA are often used to digitally sign
<t>Today, RSA and ECDSA are often used to digitally sign
software updates. Unfortunately, implementations of RSA and software updates. Unfortunately, implementations of RSA and
ECDSA can be relatively large, and verification can take a ECDSA can be relatively large, and verification can take a
significant amount of time on some very small processors. significant amount of time on some very small processors.
Therefore, we desire a digital signature scheme that verifies Therefore, we desire a digital signature scheme that verifies
faster with less code. Moreover, in preparation for a day faster with less code. Moreover, in preparation for a day
when RSA, DSA, and ECDSA cannot be depended upon, a digital when RSA, DSA, and ECDSA cannot be depended upon, a digital
signature algorithm is needed that will remain secure even if signature algorithm is needed that will remain secure even if
there are significant cryptoanalytic advances or a large-scale there are significant cryptanalytic advances or a large-scale
quantum computer is invented. WalnutDSA, specified in <xref quantum computer is invented. WalnutDSA, specified in <xref target="WALN
target="WALNUTSPEC" />, is a quantum-resistant algorithm UTSPEC" format="default"/>, is a quantum-resistant algorithm
that addresses these requirements.</t> that addresses these requirements.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="Trademark Notice"> <name>Trademark Notice</name>
<t>WalnutDSA(TM) and Walnut Digital Signature Algorithm(TM) are <t>WalnutDSA and the Walnut Digital Signature Algorithm are
trademarks of Veridify Security Inc..</t> trademarks of Veridify Security Inc.</t>
</section> </section>
</section> </section>
<section numbered="true" toc="default">
<name>Terminology</name>
<t>
The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQU
IRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>
RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to
be interpreted as
described in BCP&nbsp;14 <xref target="RFC2119"/> <xref target="RFC8174"/>
when, and only when, they appear in all capitals, as shown here.
</t>
<section title="Terminology">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 <xref target="RFC2119" />
<xref target="RFC8174" /> when, and only when,
they appear in all capitals, as shown here.</t>
</section> </section>
<section anchor="alg_overview" numbered="true" toc="default">
<section title="WalnutDSA Algorithm Overview" anchor="alg_overview"> <name>WalnutDSA Algorithm Overview</name>
<t>This specification makes use of WalnutDSA signatures as <t>This specification makes use of WalnutDSA signatures as
described in <xref target="WALNUTDSA" /> and more concretely described in <xref target="WALNUTDSA" format="default"/> and more concrete
specified in <xref target="WALNUTSPEC" />. WalnutDSA is a ly
Group-Theoretic cryptographic signature scheme that leverages specified in <xref target="WALNUTSPEC" format="default"/>. WalnutDSA is a
Group Theoretic cryptographic signature scheme that leverages
infinite group theory as the basis of its security and maps that infinite group theory as the basis of its security and maps that
to a one-way evaluation of a series of matrices over small to a one-way evaluation of a series of matrices over small
finite fields with permuted multiplicants based on the group finite fields with permuted multiplicants based on the group
input. WalnutDSA leverages the SHA2-256 and SHA2-512 one-way input. WalnutDSA leverages the SHA2-256 and SHA2-512 one-way
hash algorithms <xref target="SHA2" /> in a hash-then-sign hash algorithms <xref target="SHA2" format="default"/> in a hash-then-sign
process.</t> process.</t>
<t>WalnutDSA is based on a one-way function, E-multiplication,
<t>WalnutDSA is based on a one-way function, E-Multiplication,
which is an action on the infinite group. A single which is an action on the infinite group. A single
E-Multiplication step takes as input a matrix and permutation, a E-multiplication step takes as input a matrix and permutation, a
generator in the group, and a set of T-values (entries in the generator in the group, and a set of T-values (entries in the
finite field) and outputs a new matrix and permutation. To finite field) and outputs a new matrix and permutation. To
process a long string of generators (like a WalnutDSA process a long string of generators (like a WalnutDSA
signature), E-Multiplication is iterated over each generator. signature), E-multiplication is iterated over each generator.
Due to its structure, E-Multiplication is extremely easy to Due to its structure, E-multiplication is extremely easy to
implement.</t> implement.</t>
<t>In addition to being quantum-resistant, the two main benefits <t>In addition to being quantum resistant, the two main benefits
of using WalnutDSA are that the verification implementation is of using WalnutDSA are that the verification implementation is
very small and WalnutDSA signature verification is extremely very small and WalnutDSA signature verification is extremely
fast, even on very small processors (including 16- and even fast, even on very small processors (including 16- and even
8-bit MCUs). This lends it well to use in constrained and/or 8-bit microcontrollers). This lends it well to use in constrained and/or
time-sensitive environments.</t> time-sensitive environments.</t>
<t>WalnutDSA has several parameters required to process a signature.
<t>WalnutDSA has several parameters required to process a The main parameters are N and q. The parameter N defines the size of
signature. The main parameters are N and q. The parameter N the group by defining the number of strands in use and implies working
defines the size of the group by defining the number of strands in use, in an NxN matrix. The parameter q defines the number of elements in the
and implies working in an NxN finite field. Signature verification also requires a set of T-values,
matrix. The parameter q defines the number of elements in the finite fiel which is an ordered list of N entries in the finite field F_q.</t>
d.
Signature verification also requires a set of
T-values, which is an ordered list of N entries in the finite
field F_q.</t>
<t>A WalnutDSA signature is just a string of generators in the <t>A WalnutDSA signature is just a string of generators in the
infinite group, packed into a byte string.</t> infinite group, packed into a byte string.</t>
</section> </section>
<section anchor="alg_ids" numbered="true" toc="default">
<section title="WalnutDSA Algorithm Identifiers" anchor="alg_ids"> <name>WalnutDSA Algorithm Identifiers</name>
<t>The CBOR Object Signing and Encryption (COSE) <xref <t>The CBOR Object Signing and Encryption (COSE) syntax <xref target="RFC8
target="RFC8152" /> supports two signature algorithm schemes. 152" format="default"/> supports two signature algorithm schemes.
This specification makes use of the signature with appendix This specification makes use of the signature with appendix scheme for
scheme for WalnutDSA signatures.</t> WalnutDSA signatures.</t>
<t>The signature value is a large byte string. The byte string is <t>The signature value is a large byte string. The byte string is
designed for easy parsing, and it includes a length (number of designed for easy parsing, and it includes a length (number of
generators) and type codes that indirectly provide all of the generators) and type codes that indirectly provide all of the
information that is needed to parse the byte string during information that is needed to parse the byte string during
signature validation.</t> signature validation.</t>
<t>When using a COSE key for this algorithm, the following checks are <t>When using a COSE key for this algorithm, the following checks are
made:</t> made:</t>
<ul spacing="normal">
<t><list style="symbols"> <li>The "kty" field <bcp14>MUST</bcp14> be present, and it
<t>The 'kty' field MUST be present, and it MUST be 'WalnutDSA'.</t> <bcp14>MUST</bcp14> be "WalnutDSA".</li>
<t>If the 'alg' field is present, and it MUST be 'WalnutDSA'.</t> <li>If the "alg" field is present, it <bcp14>MUST</bcp14> be "WalnutDSA"
<t>If the 'key_ops' field is present, it MUST include 'sign' when .</li>
creating a WalnutDSA signature.</t> <li>If the "key_ops" field is present, it <bcp14>MUST</bcp14> include "s
<t>If the 'key_ops' field is present, it MUST include 'verify' ign" when
when verifying a WalnutDSA signature.</t> creating a WalnutDSA signature.</li>
<t>If the 'kid' field is present, it MAY be used to identify the <li>If the "key_ops" field is present, it <bcp14>MUST</bcp14> include "v
WalnutDSA Key.</t> erify"
</list></t> when verifying a WalnutDSA signature.</li>
<li>If the "kid" field is present, it <bcp14>MAY</bcp14> be used to iden
tify the
WalnutDSA Key.</li>
</ul>
</section> </section>
<section anchor="sec_consider" numbered="true" toc="default">
<section title="Security Considerations" anchor="sec_consider"> <name>Security Considerations</name>
<section title="Implementation Security Considerations"> <section numbered="true" toc="default">
<t>Implementations MUST protect the private keys. Use of a hardware <name>Implementation Security Considerations</name>
<t>Implementations <bcp14>MUST</bcp14> protect the private keys. Use of
a hardware
security module (HSM) is one way to protect the private keys. security module (HSM) is one way to protect the private keys.
Compromise of the private keys may result in the ability to forge Compromising the private keys may result in the ability to forge
signatures. As a result, when a private key signatures. As a result, when a private key
is stored on non-volatile media or stored in a virtual machine is stored on non-volatile media or stored in a virtual machine
environment, care must be taken to preserve confidentiality and environment, care must be taken to preserve confidentiality and
integrity.</t> integrity.</t>
<t>The generation of private keys relies on random numbers. The use of
<t>The generation of private keys relies on random numbers. The use of inadequate pseudorandom number generators (PRNGs) to generate these
inadequate pseudo-random number generators (PRNGs) to generate these
values can result in little or no security. An attacker may find it values can result in little or no security. An attacker may find it
much easier to reproduce the PRNG environment that produced the keys, much easier to reproduce the PRNG environment that produced the keys,
searching the resulting small set of possibilities, rather than brute searching the resulting small set of possibilities, rather than brute
force searching the whole key space. The generation of quality force searching the whole key space. The generation of quality
random numbers is difficult, and <xref target="RFC4086" /> random numbers is difficult, and <xref target="RFC4086" format="default"/ >
offers important guidance in this area.</t> offers important guidance in this area.</t>
<t>The generation of WalnutDSA signatures also depends on random
<t>The generation of WalnutDSA signatures also depends on random numbers. While the consequences of an inadequate PRNG to generate
numbers. While the consequences of an inadequate pseudo-random these values are much less severe than the generation of private keys,
number generator (PRNG) to generate these values is much less severe the guidance in <xref target="RFC4086" format="default"/> remains
than the generation of private keys, the guidance in <xref target="RFC408 important.</t>
6" />
remains important.</t>
</section> </section>
<section numbered="true" toc="default" anchor="meth_sec">
<section title="Method Security Considerations"> <name>Method Security Considerations</name>
<t>The Walnut Digital Signature Algorithm has undergone <t>The Walnut Digital Signature Algorithm has undergone
significant cryptanalysis since it was first introduced, and significant cryptanalysis since it was first introduced, and
several weaknesses were found in early versions of the method, several weaknesses were found in early versions of the method,
resulting in the description of several attacks with exponential resulting in the description of several attacks with exponential
computational complexity. computational complexity.
A full writeup of all the analysis can be found in A full writeup of all the analysis can be found in
<xref target="WalnutDSAAnalysis" />. In summary, <xref target="WalnutDSAAnalysis" format="default"/>. In summary,
the original suggested parameters (N=8, q=32) were too small, leading to the original suggested parameters (N=8, q=32) were too small, leading to
many of these exponential-growth attacks being practical. However, curre nt many of these exponential-growth attacks being practical. However, curre nt
parameters render these attacks impractical. The following parameters render these attacks impractical. The following
paragraphs summarize the analysis and how the current paragraphs summarize the analysis and how the current
parameters defeat all the previous attacks.</t> parameters defeat all the previous attacks.</t>
<t>First, the team of Hart et al found a universal forgery <t>First, the team of Hart et al. found a universal forgery attack
attack based on a group factoring problem that runs in based on a group-factoring problem that runs in O(q<sup>(N-1)/2</sup>)
O(q^((N-1)/2)) with a memory complexity of log_2(q) N^2 with a memory complexity of log_2(q) N<sup>2</sup>
q^((N-1)/2). With parameters N=10 and q=M31 (the Mersenne prime 2^31 - 1 q<sup>(N-1)/2</sup>. With parameters N=10 and q=M31 (the Mersenne
), the prime 2<sup>31</sup> - 1), the runtime is 2<sup>139</sup> and memory
runtime is 2^139 and memory complexity is 2^151. W. Beullens complexity is 2<sup>151</sup>. W.&nbsp;Beullens found a modification
found a modification of this attack but its runtime is even of this attack but its runtime is even longer.</t>
longer.</t> <t>Next, Beullens and Blackburn found several issues with the
original method and parameters. First, they used a Pollard-Rho
<t>Next, Beullens and Blackburn found several issues with the
original method and parameters. First they used a Pollard-Rho
attack and discovered the original public key space was too attack and discovered the original public key space was too
small. Specifically they require that q^(N(N-1)-1) > small. Specifically, they require that q<sup>N(N-1)-1</sup> &gt;
2^(2*Security Level). One can clearly see that N=10, q=M31 2<sup>2*Security Level</sup>. One can clearly see that (N=10, q=M31)
provides 128-bit security and N=10, q=M61 provides 256-bit provides 128-bit security and (N=10, q=M61) provides 256-bit
security.</t> security.</t>
<t>Beullens and Blackburn also found two issues with the
<t>Beullens and Blackburn also found two issues with the
original message encoder of WalnutDSA. First, the original original message encoder of WalnutDSA. First, the original
encoder was non-injective, which reduced the available encoder was non-injective, which reduced the available
signature space. This was repaired in an update. Second, signature space. This was repaired in an update. Second,
they pointed out that the dimension of the vector space they pointed out that the dimension of the vector space
generated by the encoder was too small. Specifically, they generated by the encoder was too small. Specifically, they
require that q^dimension > 2^(2*Security Level). With N=10, require that q<sup>dimension</sup> &gt; 2<sup>(2*Security Level)</sup>.
the current encoder produces a dimension of 66 which clearly With N=10,
the current encoder produces a dimension of 66, which clearly
provides sufficient security with q=M31 or q=M61.</t> provides sufficient security with q=M31 or q=M61.</t>
<t>The final issue discovered by Beullens and Blackburn was a process
<t>The final issue discovered by Beullens and Blackburn was a to theoretically "reverse" E-multiplication. First, their process
process to theoretically "reverse" E-Multiplication. First, their requires knowing the initial matrix and permutation (which are known
process requires knowing the initial matrix and permutation for WalnutDSA). But more importantly, their process runs at
(which is known for WalnutDSA). But more importantly, their O(q<sup>((N-1)/2)</sup>), which for (N=10, q=M31) is greater than
process runs at O(q^((N-1)/2)) which, for N=10, q=M31 is 2<sup>128</sup>.</t>
greater than 2^128.</t> <t>A team at Steven's Institute leveraged a length-shortening
<t>A team at Steven's Institute leveraged a length-shortening
attack that enabled them to remove the cloaking elements and attack that enabled them to remove the cloaking elements and
then solve a conjugacy search problem to derive the private then solve a conjugacy search problem to derive the private
keys. Their attack requires both knowledge of the permutation keys. Their attack requires both knowledge of the permutation
being cloaked and also that the cloaking elements themselves being cloaked and also that the cloaking elements themselves
are conjugates. By adding additional concealed cloaking are conjugates. By adding additional concealed cloaking
elements the attack requires an N! search for each cloaking elements, the attack requires an N! search for each cloaking
element. By inserting k concealed cloaking elements, this element. By inserting k concealed cloaking elements, this
requires the attacker to perform (N!)^k work. This allows requires the attacker to perform (N!)<sup>k</sup> work. This allows
k to be set to meet the desired security level.</t> k to be set to meet the desired security level.</t>
<t>Finally, Merz and Petit discovered that using a Garside
<t>Finally, Merz and Petit discovered that using a Garside
Normal Form of a WalnutDSA signature enabled them to find Normal Form of a WalnutDSA signature enabled them to find
commonalities with the Garside Normal Form of the encoded commonalities with the Garside Normal Form of the encoded
message. Using those commonalities they were able to splice message. Using those commonalities, they were able to splice
into a signature and create forgeries. Increasing the number into a signature and create forgeries. Increasing the number
of cloaking elements, specifically within the encoded message, of cloaking elements, specifically within the encoded message,
sufficiently obscures the commonalities and blocks this sufficiently obscures the commonalities and blocks this
attack.</t> attack.</t>
<t>In summary, most of these attacks are exponential in run <t>In summary, most of these attacks are exponential in runtime and it
time and can be shown that current parameters put the runtime can be shown that current parameters put the runtime beyond the
beyond the desired security level. The final two attacks are desired security level. The final two attacks are also sufficiently
also sufficiently blocked to the desired security level.</t> blocked to the desired security level.</t>
</section> </section>
</section> </section>
<!-- Possibly a 'Contributors' section ... --> <section anchor="IANA" numbered="true" toc="default">
<name>IANA Considerations</name>
<section anchor="IANA" title="IANA Considerations"> <t>IANA has added entries for WalnutDSA signatures in the
<t>IANA is requested to add entries for WalnutDSA signatures in the
"COSE Algorithms" registry and WalnutDSA public keys in the "COSE "COSE Algorithms" registry and WalnutDSA public keys in the "COSE
Key Types" and "COSE Key Type Parameters" registries.</t> Key Types" and "COSE Key Type Parameters" registries.</t>
<section numbered="true" toc="default">
<name>COSE Algorithms Registry Entry</name>
<t>The following new entry has been registered in the "COSE Algorithms"
registry:</t>
<section title="COSE Algorithms Registry Entry"> <dl>
<t>The new entry in the "COSE Algorithms" registry has the following <dt>Name:
columns:</t> </dt>
<t><list> <dd>WalnutDSA
<t>Name: WalnutDSA</t> </dd>
<t>Value: TBD1 (Value between -65536 to -257 or 256-65535 to be assig
ned by IANA)</t> <dt>Value:
<t>Description: WalnutDSA signature</t> </dt>
<t>Reference: This document (Number to be assigned by RFC Editor)</t> <dd>-260
<t>Recommended: No</t> </dd>
</list></t>
</section> <dt>Description:
</dt>
<dd>WalnutDSA signature
</dd>
<dt>Reference:
</dt>
<dd>RFC 9021
</dd>
<dt>Recommended:
</dt>
<dd>No
</dd>
</dl>
<section title="COSE Key Types Registry Entry">
<t>The new entry in the "COSE Key Types" registry has the following
columns:</t>
<t><list>
<t>Name: WalnutDSA</t>
<t>Value: TBD2 (Value to be assigned by IANA)</t>
<t>Description: WalnutDSA public key</t>
<t>Reference: This document (Number to be assigned by RFC Editor)</t>
</list></t>
</section> </section>
<section numbered="true" toc="default">
<name>COSE Key Types Registry Entry</name>
<t>The following new entry has been registered in the "COSE Key Types" r
egistry:</t>
<section title="COSE Key Type Parameter Registry Entries"> <dl>
<t>The following sections detail the additions to the "COSE Key Type Para <dt>Name:
meters" registry.</t> </dt>
<dd>WalnutDSA
</dd>
<section title="WalnutDSA Parameter: N"> <dt>Value:
<t>The new entry N in the "COSE Key Type Parameters" registry </dt>
has the following columns:</t> <dd>6
<t><list> </dd>
<t>Key Type: TBD2 (Value assigned by IANA above)</t>
<t>Name: N</t>
<t>Label: TBD (Value to be assigned by IANA)</t>
<t>CBOR Type: uint</t>
<t>Description: Group and Matrix (NxN) size</t>
<t>Reference: This document (Number to be assigned by RFC Editor)</t>
</list></t>
</section>
<section title="WalnutDSA Parameter: q"> <dt>Description:
<t>The new entry q in the "COSE Key Type Parameters" registry </dt>
has the following columns:</t> <dd>WalnutDSA public key
<t><list> </dd>
<t>Key Type: TBD2 (Value assigned by IANA above)</t>
<t>Name: q</t>
<t>Label: TBD (Value to be assigned by IANA)</t>
<t>CBOR Type: uint</t>
<t>Description: Finite field F_q</t>
<t>Reference: This document (Number to be assigned by RFC Editor)</t>
</list></t>
</section>
<section title="WalnutDSA Parameter: t-values"> <dt>Reference:
<t>The new entry t-values in the "COSE Key Type Parameters" registry </dt>
has the following columns:</t> <dd>RFC 9021
<t><list>
<t>Key Type: TBD2 (Value assigned by IANA above)</t>
<t>Name: t-values</t>
<t>Label: TBD (Value to be assigned by IANA)</t>
<t>CBOR Type: array (of uint)</t>
<t>Description: List of T-values, enties in F_q</t>
<t>Reference: This document (Number to be assigned by RFC Editor)</t>
</list></t>
</section>
<section title="WalnutDSA Parameter: matrix 1"> </dd>
<t>The new entry matrix 1 in the "COSE Key Type Parameters" registry
has the following columns:</t>
<t><list>
<t>Key Type: TBD2 (Value assigned by IANA above)</t>
<t>Name: matrix 1</t>
<t>Label: TBD (Value to be assigned by IANA)</t>
<t>CBOR Type: array (of array of uint)</t>
<t>Description: NxN Matrix of enties in F_q in column-major form</t>
<t>Reference: This document (Number to be assigned by RFC Editor)</t>
</list></t>
</section>
<section title="WalnutDSA Parameter: permutation 1"> </dl>
<t>The new entry permutation 1 in the "COSE Key Type Parameters" regist
ry
has the following columns:</t>
<t><list>
<t>Key Type: TBD2 (Value assigned by IANA above)</t>
<t>Name: permutation 1</t>
<t>Label: TBD (Value to be assigned by IANA)</t>
<t>CBOR Type: array (of uint)</t>
<t>Description: Permutation associated with matrix 1</t>
<t>Reference: This document (Number to be assigned by RFC Editor)</t>
</list></t>
</section>
<section title="WalnutDSA Parameter: matrix 2">
<t>The new entry matrix 2 in the "COSE Key Type Parameters" registry
has the following columns:</t>
<t><list>
<t>Key Type: TBD2 (Value assigned by IANA above)</t>
<t>Name: matrix 2</t>
<t>Label: TBD (Value to be assigned by IANA)</t>
<t>CBOR Type: array (of array of uint)</t>
<t>Description: NxN Matrix of enties in F_q in column-major form</t>
<t>Reference: This document (Number to be assigned by RFC Editor)</t>
</list></t>
</section>
</section> </section>
<section numbered="true" toc="default">
<name>COSE Key Type Parameters Registry Entries</name>
<t>The following sections detail the additions to the "COSE Key Type Par
ameters" registry.</t>
<section numbered="true" toc="default">
<name>WalnutDSA Parameter: N</name>
<t>The new entry, N, has been registered in the "COSE Key Type Paramet
ers" registry
as follows:</t>
</section> <dl>
</middle> <dt>Key Type:
</dt>
<dd>6
</dd>
<!-- *****BACK MATTER ***** --> <dt>Name:
</dt>
<dd>N
</dd>
<back> <dt>Label:
<references title="Normative References"> </dt>
<!--?rfc include="http://xml.resource.org/public/rfc/bibxml/reference.RFC. <dd>-1
2119.xml"?--> </dd>
&RFC2119;
&RFC8174; <dt>CBOR Type:
</dt>
<dd>uint
</dd>
&RFC8152; <dt>Description:
</dt>
<dd>Group and Matrix (NxN) size
</dd>
<reference anchor="SHA2"> <dt>Reference:
<front> </dt>
<title>FIPS Publication 180-3: Secure Hash Standard</title> <dd>RFC 9021
<author initials="" surname="" fullname=""> </dd>
<organization>National Institute of Standards and Technology (NIST)<
/organization>
</author>
<date month="October" year="2008" />
</front>
</reference>
<reference anchor="WALNUTDSA" target="https://doi.org/10.1080/23799927.202 </dl>
0.1831613">
<front>
<title>WalnutDSA(TM): A group-theoretic digital signature algorithm</t
itle>
<author initials="I.A." surname="Anshel" fullname="Iris Anshel">
<organization />
</author>
<author initials="D.A." surname="Atkins" fullname="Derek Atkins">
<organization />
</author>
<author initials="D.G." surname="Goldfeld" fullname="Dorian Goldfeld">
<organization />
</author>
<author initials="P.G." surname="Gunnells" fullname="Paul E Gunnells">
<organization />
</author>
<date month="November" year="2020" />
</front>
</reference>
</references>
<references title="Informative References"> </section>
<!-- Here we use entities that we defined at the beginning. --> <section numbered="true" toc="default">
<!-- A reference written by by an organization not a person. --> <name>WalnutDSA Parameter: q</name>
<reference anchor="WALNUTSPEC" target="https://csrc.nist.gov/projects/post <t>The new entry, q, has been registered in the "COSE Key Type Paramet
-quantum-cryptography/round-1-submissions"> ers" registry
<front> as follows:</t>
<title>The Walnut Digital Signature Algorithm Specification</title>
<author initials="I.A." surname="Anshel" fullname="Iris Anshel">
<organization />
</author>
<author initials="D.A." surname="Atkins" fullname="Derek Atkins">
<organization />
</author>
<author initials="D.G." surname="Goldfeld" fullname="Dorian Goldfeld">
<organization />
</author>
<author initials="P.G." surname="Gunnells" fullname="Paul E Gunnells">
<organization />
</author>
<date month="November" year="2018" />
</front>
</reference>
<reference anchor="GTC" target="https://www.crcpress.com/Group-Theoretic-C <dl>
ryptography/Vasco-Steinwandt/p/book/9781584888369">
<front>
<title>Group Theoretic Cryptography</title>
<author initials="M.I.G.V." surname="Vasco" fullname="Maria Isabel Gon
zalez Vasco">
<organization />
</author>
<author initials="R.S." surname="Steinwandt" fullname="Rainer Steinwan
dt">
<organization />
</author>
<date month="April" year="2015" />
</front>
</reference>
<reference anchor="WalnutDSAAnalysis" target="https://eprint.iacr.org/2019 <dt>Key Type:
/472"> </dt>
<front> <dd>6
<title>Defeating the Hart et al, Beullens-Blackburn, Kotov-Menshov-Ush </dd>
akov, and Merz-Petit Attacks on WalnutDSA(TM)</title>
<author initials="I.A." surname="Anshel" fullname="Iris Anshel">
<organization />
</author>
<author initials="D.A." surname="Atkins" fullname="Derek Atkins">
<organization />
</author>
<author initials="D.G." surname="Goldfeld" fullname="Dorian Goldfeld">
<organization />
</author>
<author initials="P.G." surname="Gunnells" fullname="Paul E Gunnells">
<organization />
</author>
<date month="May" year="2019" />
</front>
</reference>
&RFC4086; <dt>Name:
</dt>
<dd>q
</dd>
<reference anchor="BH2013" target="https://media.blackhat.com/us-13/us-13- <dt>Label:
Stamos-The-Factoring-Dead.pdf"> </dt>
<front> <dd>-2
<title>The Factoring Dead: Preparing for the Cryptopocalypse</title> </dd>
<author initials="T.P." surname="Ptacek" fullname="">
<organization />
</author>
<author initials="J.R." surname="Ritter" fullname="">
<organization />
</author>
<author initials="J.S." surname="Samuel" fullname="">
<organization />
</author>
<author initials="A.S." surname="Stamos" fullname="">
<organization />
</author>
<date month="August" year="2013" />
</front>
</reference>
<reference anchor="NAS2019" target="http://dx.doi.org/10.17226/25196"> <dt>CBOR Type:
<front> </dt>
<title>Quantum Computing: Progress and Prospects</title> <dd>uint
<author > </dd>
<organization>National Academies of Sciences, Engineering, and Medic
ine</organization>
</author>
<date year="2019" />
</front>
</reference>
<reference anchor="PQC" target="http://www.pqcrypto.org/www.springer.com/c <dt>Description:
da/content/document/cda_downloaddocument/9783540887010-c1.pdf"> </dt>
<front> <dd>Finite field F_q
<title>Introduction to post-quantum cryptography</title> </dd>
<author initials="D.B." surname="Bernstein">
<organization />
</author>
<date month="" year="2009" />
</front>
</reference>
<!-- <dt>Reference:
<reference anchor="S1997" target="http://dx.doi.org/10.1137/S0097539795293 </dt>
172"> <dd>RFC 9021
<front> </dd>
<title>Polynomial-time algorithms for prime factorization and discrete
logarithms on a quantum computer</title>
<author initials="P.S." surname="Shor" fullname="Peter Shor">
<organization />
</author>
<date year="1997" />
</front>
<seriesInfo name="SIAM Journal on Computing 26(5)," value="1484-26"/>
</reference>
-->
</references> </dl>
<section anchor="Acknowledgments" title="Acknowledgments"> </section>
<t>A big thank you to Russ Housley for his input on the concepts and text <section numbered="true" toc="default">
of this document.</t> <name>WalnutDSA Parameter: t-values</name>
<t>The new entry, t-values, has been registered in the "COSE Key Type
Parameters" registry
as follows:</t>
<dl>
<dt>Key Type:
</dt>
<dd>6
</dd>
<dt>Name:
</dt>
<dd>t-values
</dd>
<dt>Label:
</dt>
<dd>-3
</dd>
<dt>CBOR Type:
</dt>
<dd>array (of uint)
</dd>
<dt>Description:
</dt>
<dd>List of T-values, entries in F_q
</dd>
<dt>Reference:
</dt>
<dd>RFC 9021
</dd>
</dl>
</section>
<section numbered="true" toc="default">
<name>WalnutDSA Parameter: matrix 1</name>
<t>The new entry, matrix 1, has been registered in the "COSE Key Type
Parameters" registry
as follows:</t>
<dl>
<dt>Key Type:
</dt>
<dd>6
</dd>
<dt>Name:
</dt>
<dd>matrix 1
</dd>
<dt>Label:
</dt>
<dd>-4
</dd>
<dt>CBOR Type:
</dt>
<dd>array (of array of uint)
</dd>
<dt>Description:
</dt>
<dd>NxN Matrix of entries in F_q in column-major form
</dd>
<dt>Reference:
</dt>
<dd>RFC 9021
</dd>
</dl>
</section>
<section numbered="true" toc="default">
<name>WalnutDSA Parameter: permutation 1</name>
<t>The new entry, permutation 1, has been registered in the "COSE Key
Type Parameters" registry
as follows:</t>
<dl>
<dt>Key Type:
</dt>
<dd>6
</dd>
<dt>Name:
</dt>
<dd>permutation 1
</dd>
<dt>Label:
</dt>
<dd>-5
</dd>
<dt>CBOR Type:
</dt>
<dd>array (of uint)
</dd>
<dt>Description:
</dt>
<dd>Permutation associated with matrix 1
</dd>
<dt>Reference:
</dt>
<dd>RFC 9021
</dd>
</dl>
</section>
<section numbered="true" toc="default">
<name>WalnutDSA Parameter: matrix 2</name>
<t>The new entry, matrix 2, has been registered in the "COSE Key Type
Parameters" registry
as follows:</t>
<dl>
<dt>Key Type:
</dt>
<dd>6
</dd>
<dt>Name:
</dt>
<dd>matrix 2
</dd>
<dt>Label:
</dt>
<dd>-6
</dd>
<dt>CBOR Type:
</dt>
<dd>array (of array of uint)
</dd>
<dt>Description:
</dt>
<dd>NxN Matrix of entries in F_q in column-major form
</dd>
<dt>Reference:
</dt>
<dd>RFC 9021
</dd>
</dl>
</section>
</section>
</section> </section>
</middle>
<!-- <back>
<section anchor="app-additional" title="Additional Stuff"> <references>
<t>This becomes an Appendix.</t> <name>References</name>
</section> <references>
--> <name>Normative References</name>
<!-- Change Log <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.2119.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.8174.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.8152.xml"/>
v00 2019-03-20 DA Initial version <reference anchor="SHA2">
<front>
<title>Secure Hash Standard (SHS)</title>
<author initials="" surname="" fullname="">
<organization>National Institute of Standards and Technology (NIST
)</organization>
</author>
<date month="August" year="2015"/>
</front>
<seriesInfo name="DOI" value="10.6028/NIST.FIPS.180-4"/>
</reference>
v01 2019-11-04 DA Convert to Informational <reference anchor="WALNUTDSA">
Edits to be more in line with the Hash-Sig draft <front>
<title>WalnutDSA(TM): A group theoretic digital signature algorithm<
/title>
<author initials="I" surname="Anshel" fullname="Iris Anshel">
<organization/>
</author>
<author initials="D" surname="Atkins" fullname="Derek Atkins">
<organization/>
</author>
<author initials="D" surname="Goldfeld" fullname="Dorian Goldfeld">
<organization/>
</author>
<author initials="P" surname="Gunnells" fullname="Paul E. Gunnells">
<organization/>
</author>
<date month="November" year="2020"/>
</front>
<seriesInfo name="DOI" value="10.1080/23799927.2020.1831613"/>
</reference>
v02 2019-12-20 DA Incorporated suggestions from reviews (ISE, etc) </references>
<references>
<name>Informative References</name>
v03 2020-06-15 DA Refresh document <reference anchor="WALNUTSPEC" target="https://csrc.nist.gov/projects/post
-quantum-cryptography/round-1-submissions">
<front>
<title>The Walnut Digital Signature Algorithm Specification</title>
<author initials="I" surname="Anshel" fullname="Iris Anshel">
<organization/>
</author>
<author initials="D" surname="Atkins" fullname="Derek Atkins">
<organization/>
</author>
<author initials="D" surname="Goldfeld" fullname="Dorian Goldfeld">
<organization/>
</author>
<author initials="P" surname="Gunnells" fullname="Paul Gunnells">
<organization/>
</author>
<date month="November" year="2018"/>
</front>
<refcontent>Post-Quantum Cryptography</refcontent>
</reference>
v04 2020-07-08 DA Suggested changes from Adrian <reference anchor="GTC" target="https://www.crcpress.com/Group-Theoretic
-Cryptography/Vasco-Steinwandt/p/book/9781584888369">
<front>
<title>Group Theoretic Cryptography</title>
<author initials="M" surname="Vasco" fullname="Maria Isabel Gonzalez
Vasco">
<organization/>
</author>
<author initials="R" surname="Steinwandt" fullname="Rainer Steinwand
t">
<organization/>
</author>
<date month="April" year="2015"/>
</front>
<seriesInfo name="ISBN" value="9781584888369"/>
</reference>
v05 2020-11-05 DA More suggestions from Adrian and fixing references <reference anchor="WalnutDSAAnalysis" target="https://eprint.iacr.org/20
19/472">
<front>
<title>Defeating the Hart et al, Beullens-Blackburn, Kotov-Menshov-U
shakov, and Merz-Petit Attacks on WalnutDSA(TM)</title>
<author initials="I" surname="Anshel" fullname="Iris Anshel">
<organization/>
</author>
<author initials="D" surname="Atkins" fullname="Derek Atkins">
<organization/>
</author>
<author initials="D" surname="Goldfeld" fullname="Dorian Goldfeld">
<organization/>
</author>
<author initials="P" surname="Gunnells" fullname="Paul E Gunnells">
<organization/>
</author>
<date month="May" year="2019"/>
</front>
</reference>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.4086.xml"/>
<reference anchor="BH2013" target="https://www.slideshare.net/astamos/bh
-slides">
<front>
<title>The Factoring Dead: Preparing for the Cryptopocalypse</title>
<author initials="T" surname="Ptacek" fullname="Thomas Ptacek">
<organization/>
</author>
<author initials="J" surname="Ritter" fullname="Tom Ritter, ">
<organization/>
</author>
<author initials="J" surname="Samuel" fullname="Javed Samue">
<organization/>
</author>
<author initials="A" surname="Stamos" fullname="Alex Stamos">
<organization/>
</author>
<date month="August" year="2013"/>
</front>
</reference>
<reference anchor="NAS2019">
<front>
<title>Quantum Computing: Progress and Prospects</title>
<author>
<organization>National Academies of Sciences, Engineering, and Med
icine</organization>
</author>
<date year="2019"/>
</front>
<seriesInfo name="DOI" value="10.17226/25196"/>
</reference>
<reference anchor="PQC">
<front>
<title>Introduction to post-quantum cryptography</title>
<author initials="D" surname="Bernstein" fullname="Daniel J. Bernste
in">
<organization/>
</author>
<date year="2009"/>
</front>
<seriesInfo name="DOI" value="10.1007/978-3-540-88702-7"/>
</reference>
</references>
</references>
<section anchor="Acknowledgments" numbered="false" toc="default">
<name>Acknowledgments</name>
<t>A big thank you to <contact fullname="Russ Housley"/> for his input
on the concepts and text of this document.</t>
</section>
v06 2021-01-26 DA Changes from IESG
-->
</back> </back>
</rfc> </rfc>
 End of changes. 99 change blocks. 
536 lines changed or deleted 625 lines changed or added
