From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8061723C4FF for ; Tue, 3 Feb 2026 13:35:31 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.129.124 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770125733; cv=none; b=F3DTotCeb1uGeRRB1ibej/C4etdVRnfE7p8zqbqA7/sdpt/07jlysGIM2pelb1RjWEaO9P6o13F3k4YNBRau30O1qVigAGIEVWd6NtdXt/Y7yHMPPa5eDx6P5UVXUBGEpd8+57DPeXY+fVcGnfi+WZWJm62UnWJG7nXbMhhULCQ= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770125733; c=relaxed/simple; bh=io/EYxv7ttfZ5c/LLL9VvcayFvS43ID701JLwnZ6lKY=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=ABA9Q85I8+6EK1z75hNGG9SQ8yHDYvFpVLlWekD1QJjGa2BVsDHu3q/sPDcxfn7EzYYn9IkwqEbxQHI5pP2ntq5jlQrv0+FF8BVtjJepk88Xvgvki1VAoWhJ8NiK5KPz2/572nm3ioX0zoXTz6BbUCnAe2ol9n96+8StJZdvkGI= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=QiJnDg6U; dkim=pass (2048-bit key) header.d=redhat.com header.i=@redhat.com header.b=eqSIPJm1; arc=none smtp.client-ip=170.10.129.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="QiJnDg6U"; dkim=pass (2048-bit key) header.d=redhat.com header.i=@redhat.com header.b="eqSIPJm1" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1770125730; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=4BpfLzNQISMcvb3bYUowH+LAX7zmYdRcPREXRs4s810=; b=QiJnDg6UXFxtbxwBEXQ5YENl2maUyrTN/KNVm2zkoaYxxHXLZY4DRSmH9SGsWEsfPXaqLx 1RwzZ9hC5OZMEm50jQuwrRw0qtKpkc0VsOvNod/dwFWcAnVMeZTkpQ7iLCdEUqdkf2h/5R rYEMkoLJ4l4ZJhe0NmEWkxZijvA0u2Q= Received: from mail-pl1-f198.google.com (mail-pl1-f198.google.com [209.85.214.198]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-411-zmvD7VFSMVGbEUoCMxJGSQ-1; Tue, 03 Feb 2026 08:35:28 -0500 X-MC-Unique: zmvD7VFSMVGbEUoCMxJGSQ-1 X-Mimecast-MFC-AGG-ID: zmvD7VFSMVGbEUoCMxJGSQ_1770125728 Received: by mail-pl1-f198.google.com with SMTP id d9443c01a7336-2a79164b686so57624075ad.0 for ; Tue, 03 Feb 2026 05:35:28 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=google; t=1770125728; x=1770730528; darn=vger.kernel.org; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date:from:to :cc:subject:date:message-id:reply-to; bh=4BpfLzNQISMcvb3bYUowH+LAX7zmYdRcPREXRs4s810=; b=eqSIPJm1IEPtAKuJgMYkmciccWFm+OK6snB5o1ANqJdSAxHCAWPnR8ibGVu88NVmGa Mpn/x1sB4wR11mourpup4+O9ALmoWFZxCwXSgpQ6F8WEyTw3Hkkfp+TSJAZ/fMpKB7uZ 1m/YJrRv1S3/3eHmbTrVgCsoCWqmPqaWBTBL4Dete0RWyunoLVHLm20OoswnJ9xh44gZ ZAzMwhwtue8hSwgJn4HLbxtUCp8Y7MUIXD2qfzYg2qmpNHNC/A2BEv4rW08T8ED76F1t 34n3dRvSaQWkiOVHUt9quF69IONh0zDAfuBrr+PDHiPhuPu1OzQ6Mngz9TpWxgeHwXtm zhvA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1770125728; x=1770730528; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=4BpfLzNQISMcvb3bYUowH+LAX7zmYdRcPREXRs4s810=; b=XU/zh6MIQYn0qs1TSCPRJwRv53FBvpB5j1bYQ64ZORFG+W2Tbt+aksnBWEHHjD7WrI L8zEEJ7bzNNzwEUwi4a+3vk/W4VPsbORUVVdTTvDrfUblxS55eNPX/npL/E7yBF4aY1E 1kd+ocFt8cUtV7fxfeOLAhQYtdr/rYtz6kePMYvEWZ6+OMl1HDB05xMI6Fa+bCEBXOCU znx7VMC2nBbZ74FXl9Tgulj+8CnJnM+dFpchVNZVdo9yPNGya1PoMEb09jMCZzdYwgp3 3Qdcrv1d1TCO3FNQ0ZcSbkf+XBUgX0sJSdBzRjxcg++RY2cgEYD4x4pZ4yvCxg/edx70 uISQ== X-Forwarded-Encrypted: i=1; AJvYcCX4h9ckabl0kXQ//MOtukEbZbEDaAMVMxV1/mhMvPQoNvKTFuovGFUFkM4jXqD+fQCSDGei6Yn2VvZXabQ=@vger.kernel.org X-Gm-Message-State: AOJu0Ywyck5n1ZF2XPwElG/hg4WN3kKH47gzVEYHejaVBvpDkqIW29Uc 1mW/da4pY2QYI/zTIBpzx0iYnrHXQxRsLSibn+ow9+iV91lZCICh0kRJHTnVLhB8qva8LfW95zU T7/o1gXwM9A9nRnDscVJ6kNu1Aog2zoFs2G9nKLf/n4B6Bqup/+ed3jfunJNq3q1BHw== X-Gm-Gg: AZuq6aJgrdVSIInJWH8QehkwDhDFi/gjbL1j6gjt3Lq6k55Cd1JX/wszVlemNOvQ3UA v7ETfpdbMoAbHLz7YtE3AK90ntc257v1C/6P235dgfNk2CCwfNZFRTP4PSxLdYn+ERiZkmZGZ06 auGNatuWo7oLDs55Qm3dcGdtUg/TZKRrM2HoJ3kZUSTS3fx3hYcoTwI9rvfLApwry4ToRRu2UEl odGjtOUSBNXylWlGJwx04BZamA7olf1NA2SnFo4TGKCJiW+bVFW92nNKR9MKe2riT207W4PI0ZB KKfVcD4hvn4ZFqBA4rHJ9+rlBDwmGZ0DoPAuEKgqkrZmY0sg5Gj2fCKv5R2nv5DBgsEKrOaKOzx y X-Received: by 2002:a17:902:e891:b0:2a0:d662:7285 with SMTP id d9443c01a7336-2a8d8945522mr156161705ad.0.1770125727238; Tue, 03 Feb 2026 05:35:27 -0800 (PST) X-Received: by 2002:a17:902:e891:b0:2a0:d662:7285 with SMTP id d9443c01a7336-2a8d8945522mr156161175ad.0.1770125726520; Tue, 03 Feb 2026 05:35:26 -0800 (PST) Received: from localhost ([209.132.188.88]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-2a88b4c3df6sm177027765ad.49.2026.02.03.05.35.24 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 03 Feb 2026 05:35:25 -0800 (PST) Date: Tue, 3 Feb 2026 21:32:44 +0800 From: Coiby Xu To: Johannes =?utf-8?B?V2llc2LDtmNr?= Cc: dhowells@redhat.com, dmitry.kasatkin@gmail.com, ebiggers@kernel.org, eric.snowberg@oracle.com, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, linux-modules@vger.kernel.org, roberto.sassu@huawei.com, simo@redhat.com, zohar@linux.ibm.com, michael.weiss@aisec.fraunhofer.de Subject: Re: IMA and PQC Message-ID: References: <20260130203126.662082-1-johannes.wiesboeck@aisec.fraunhofer.de> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1; format=flowed Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20260130203126.662082-1-johannes.wiesboeck@aisec.fraunhofer.de> On Fri, Jan 30, 2026 at 09:31:26PM +0100, Johannes Wiesböck wrote: >Hi all, Hi Johannes, > >we conducted an evaluation regarding PQC use in IMA last year (see [1] for all >details) where we also considered the interplay of different PQC signatures and >file systems (ext4, btrfs, XFS, f2fs). Thanks for sharing this comprehensive study! There are many nuances in this research paper! > >Coiby Xu wrote: > >>According to my experiments done so far, for verification speed, >>ML-DSA-65 is consistently faster than ECDSA P-384 which is used by >>current CentOS/RHEL to sign files in a package. > >Regarding performance, similar to Coiby, we found that all variants of ML-DSA >consistently outperformed ECDSA P-256. Glad to know ML-DSA is also faster than ECDSA P-256! > >>The size of a single ML-DSA-65 signature indeed increases dramatically >>compared with ECDSA P-384 (3309 bytes vs ~100 bytes). But I'm not sure >>it can be a big problem when considering the storage capacity. Take >>latest fresh CentOS Stream 10 x86_64 KVM guest as example, without any >>file system optimization, extra ~189MB disk space is needed if all files >>in /usr signed using by ML-DSA-65 where the disk size is 50G. But I >>don't have enough experience to tell how users will perceive it and I'll >>try to collect more feedback. >> >>For the details of my experiments, you can check >>https://gist.github.com/coiby/41cf3a4d59cd64fb19d35b9ac42e4cd7 >>And here's the tldr; version, >>- Verification Speed: ML-DSA-65 is consistently ~10-12% faster >> at verification than ECDSA P-384 when verifying all files in /usr; >> ML-DSA-65 is 2.5x or 3x faster by "openssl speed" >> >>- Signing Speed: ML-DSA-65 appears ~25-30% slower when signing >> all files in /usr; ML-DSA-65 is 4x or 4.8x slower by "openssl speed" >> >>- Storage overhead: For ML-DSA-65, /usr will increase by 189MB and >> 430MB when there are 27346 and 58341 files respectively. But total >> size of pure IMA signatures are estimated (files x (3309+20) bytes) to >> be ~87MB and ~185MB respectively. > >Two relevant aspects we discovered regard the signature size. TL;DR: > >1. Most file systems need to be tuned to support the larger extended attributes >(signatures) if their size goes above a certain threshold (e.g. enable EA_INODE >in ext4). This influences not only disk usage but overall compatibility between >file systems and PQC signatures. A file system that would not provide the >functionality to store larger extended attributes would be incompatible with >large signatures. > >2. For most smaller signatures (like ML-DSA-44/65), we believe that the overhead >of signatures is actually compensated by fragmentation within the file systems. >For example, ext4 will allocate a full file system block for extended attributes. >As long as the signature size is below this block size, we did not observe less >free space on the file system despite the larger signatures. I think this explains why I didn't see any disk overhead when using ECDSA P-384:) > >Overall, we concluded that ML-DSA-65 provides the best combination of disk >overhead, performance and security level. Performace was good and for all >algorithms with larger signatures than ML-DSA-65, file systems would need to be >tuned. Thanks for summarizing your findings regarding the signature size and also sharing your evaluation! > >>According to >>https://www.ietf.org/archive/id/draft-salter-lamps-cms-ml-dsa-00.html >>ML-DSA-44 is intended to meet NIST's level 2 security category. Will >>NIST level 2 meet users' security requirements? > >Regarding security levels: >For security levels, we referred to NIST IR 8547 ipd [2]. >ECDSA P-256 has a classical security strength of 128bits (P-384: 192bits). >According to [2] Table 3, these levels are met by the different ML-DSA variants. >So, if you are migrating from ECDSA P-384, you need to use at least ML-DSA-65 to >meet the same security strength. This is helpful info! And thanks for sharing the perspective of migration! > >Best regards, >Johannes > >[1] https://www.wsbck.net/publications/pqc-ima.pdf >[2] https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8547.ipd.pdf > -- Best regards, Coiby