State Management for Hash-Based Signatures
David McGrew, Panos Kampanakis, Scott Fluhrer, Stefan-Lukas Gazdag, Denis Butin, Johannes Buchmann
{mcgrew,pkampana,sfluhrer}@[email protected]
{dbutin,buchmann}@cdc.informatik.tu-darmstadt.de
SSR 2016
12/06/16 2
What's so great about HBS?
● Well understood
● Post-Quantum
● No further intractability assumptions other than cryptographic hash functions
● Minimal security requirements feasible
● Forward secure constructions possible
Intro: Hash-Based Signatures
[Figure: hash-based signature diagram. Labels: random data, hash, f, private key, public key, bits 0/1, signature.]
Statefulness
● Private key has to be updated
– Any copy may reveal secrets
– Interrupts may threaten consistency
– Key is critical resource
– Data to be updated differs by implementation decisions (starting from single index to several nodes)
How about stateless schemes?
● SPHINCS (https://sphincs.cr.yp.to/)
– Signature size ~ 41 KB
– Slower signing times
Definitely working for some use cases!
But stateful schemes are sometimes still the better choice.
Scheme    Sig Size (B)   Pub Key Size (B)
LMS       2828           100
XMSS      2820           68
HSS       8688           112
XMSS^MT   8392           68
SPHINCS   41k            1056
Similar parameter sets: total height of 30 for LMS and XMSS, total height of 60 for HSS, XMSS^MT and SPHINCS.
What's in line for standardization?
How can we cope with statefulness?
State Synchronization
● Synchronization delay affects performance
● Synchronization failure may occur
● Several copies may exist
=> Special case of cloning
[Figure: The Linux Storage Stack Diagram, http://www.thomas-krenn.com/en/wiki/Linux_Storage_Stack_Diagram. Created by Werner Fischer and Georg Schönberger. License: CC-BY-SA 3.0, see http://creativecommons.org/licenses/by-sa/3.0/]
A classic digital signature
Scheme = (Key Generation, Signing, Verification)
A stateful digital signature
Scheme = (Key Generation, Reservation, Signing, Verification)
Reservation
● Keys (pre-) generated in bulk
● Easy access management to critical resource
● Key synchronization and read/write operations alleviated
● Use case specific key pool feasible
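One way to realize the reservation step, as an added sketch that is not code from the talk or its authors. It assumes reservation means durably advancing the stored index by a whole batch before any index in that batch is used; the class name, file layout and batch size are hypothetical, and the signing itself is left out.

```python
import os, struct, tempfile

class ReservedIndexStore:
    """Hands out one-time-signature indices; an index is never issued twice."""

    def __init__(self, path, total, batch=8):
        self.path, self.total, self.batch = path, total, batch
        # The file holds the first index NOT yet reserved. Anything below it
        # may already have signed, so a restart resumes from this value.
        self.next_index = self.limit = self._load()

    def _load(self):
        try:
            with open(self.path, "rb") as f:
                return struct.unpack(">Q", f.read(8))[0]
        except FileNotFoundError:       # first start only; a short or corrupt
            return 0                    # file raises instead of resetting to 0

    def _persist(self, value):
        # Write-to-temp, fsync, atomic rename, fsync the directory: an
        # interrupt leaves either the old or the new value, never a torn one.
        tmp = self.path + ".tmp"
        with open(tmp, "wb") as f:
            f.write(struct.pack(">Q", value))
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.path)
        dirfd = os.open(os.path.dirname(self.path) or ".", os.O_RDONLY)
        try:
            os.fsync(dirfd)
        finally:
            os.close(dirfd)

    def take(self):
        if self.next_index >= self.limit:          # volatile batch used up
            new_limit = min(self.limit + self.batch, self.total)
            if new_limit == self.limit:
                raise RuntimeError("all one-time keys consumed")
            self._persist(new_limit)               # durable BEFORE first use
            self.limit = new_limit
        index, self.next_index = self.next_index, self.next_index + 1
        return index

def crash_demo():
    """Constructed scenario: sign 3 times, lose RAM state, restart, sign 3 more."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "hbs.state")
        first = ReservedIndexStore(path, total=32)
        before = [first.take() for _ in range(3)]
        del first                                  # simulated power loss
        second = ReservedIndexStore(path, total=32)
        return before, [second.take() for _ in range(3)]
```

After the simulated interrupt the unused indices 3 to 7 are skipped rather than reissued, so one storage write covers a whole batch of signatures at the cost of some wasted one-time keys. Restoring an older copy of the state file (cloning) is not detected by this sketch.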
Hierarchical Signatures / Key Reservation
● Synchronization delay
● Synchronization failure
● Unintended cloning
– Nonvolatile
– Volatile
Hybrid Scheme and Reservation
● Synchronization delay
● Synchronization failure
● Unintended cloning
– Nonvolatile
– Volatile
Breaks so much more:
- Entropy pools and PRNGs
- Deterministic IVs and Nonces
- Encryption counters
- Digital signature seeds
- One Time Passwords (OTP)
- TCP sequence numbers
- ...
Conclusion
● First official standards available soon
● Safe deployment / good performance feasible
● Future work: standardization document on HBS deployment
Any questions?