Donald: Thanks for the review. > All my comments below are minor to very minor. > > Section 6, Security Considerations, 1st paragraph. Why is it that > compromise of the private keys only "may" lead to the ability to > forge? "May" seems right for something like "result in forged > signatures" but doesn't compromise of the private key lead pretty > certainly to the *ability* to forge a signature? I changed "may" to "will" in my edit buffer. > Somehow the presence of "non-volatile" is a bit jarring. I understand > that you are talking about exceptional problems but perhaps it would > be good to also say the "volatile" storage must not be used? I do not agree. NIST has a specification of HSS/LMS that prohibits backup, and some vendors are pushing back against that wording. Here, I have tried to explain the consequences of various implementation choices without imposing any specific requirements. > Section 1.3, 3rd paragraph: Would it be reasonable to add just before > the comma in the first sentence "but on the difficulty of finding > pre-images of a strong hash function" or something like that? While I > believe it, is there a reference for the "considered to be > post-quantum secure" statement? How about: Since the HSS/LMS signature algorithm does not depend on the difficulty of discrete logarithms or factoring, but on a second-preimage-resistant cryptographic hash function, the HSS/LMS signature algorithm is considered to be post-quantum secure. Section 1.1 of RFC 8554 contains a CFRG Note on Post-Quantum Cryptography. Given the vast number of references to this RFC, I think that part is covered. > Section 2.1, last sentence: While it is somewhat a matter of taste, > arguably, except in the most surprising cases, the words "Note that" > are mostly superfluous noise. (Ditto for two more "Note that"s in > Section 4.) Agree. However, it seems awkward to start a sentence with the name of a variable. I will remove the ones in Section 3.3 and Section 4. Russ -- last-call mailing list -- last-call@xxxxxxxx To unsubscribe send an email to last-call-leave@xxxxxxxx
