Embed Size (px)
Citation preview
PracticalHashBasedSignatures:Uses,statusquo,challenges,andgoingforward
4thETSI/IQCWorkshoponQuantum-SafeCryptography
§ Security§ Minimumconjecture:hashfunctionnotinvertible§ Quantumresistant
§ Adaptability§ Compactverifier
WhyHashBasedSignatures?
§ FirmwareSigning 220
§ FPGABitstream Signing 220
§ SoftwareImageSigning 230
§ OperatingSystemPackageSigning 230
§ EntityAuthenticationforCommunicationSecurity 240
UseCasesSignaturesPerKey
1-timesignatureofonebit
x1x0PrivateKey
1-timesignatureofonebit
x1x0
y1y0
f
PrivateKey
PublicKey
f
1-timesignatureofonebit
x1x0
y1y0
f
PrivateKey
PublicKey
fSignatureforMessage0x0
f
Verification
One-TimeSignatures Merkle HierarchicalMerkle
§ 1Signature
§ 2144Bytes
One-TimeSignatures Merkle HierarchicalMerkle
§ 1Signature
§ 2144Bytes
§ 220Signatures
§ 2828Bytes
One-TimeSignatures Merkle HierarchicalMerkle
§ 1Signature
§ 2144Bytes
§ 240 Signatures
§ 5727Bytes
§ 220Signatures
§ 2828Bytes
One-TimeSignatures Merkle HierarchicalMerkle
§ 1Signature
§ 2144Bytes
§ 240 Signatures
§ 5727Bytes
§ 220Signatures
§ 2828BytesHLMS
ManagingPrivateKeyState
StateManagementforHashBasedSignatures,McGrew,Kampanakis,Fluhrer,Gazdag,Butin,Buchmann,toappearatSecurityStandardizationResearch(SSR)2016.https://eprint.iacr.org/2016/357
DiskCache
FileSystemCache
ManagingPrivateKeyState
write KN+1
oksign M with KN
KN
KN+1
KN
KN+1
M
N-timeSignatureswithReservation
write KN+Rok
sign MN with KN
KN
KN+RMN
MN+1
MN+2
sign MN+1 with KN+1
sign MN+2 with KN+2
HierarchicalSignaturesandReservation
Nonvolatile
Volatile
§ Synchronizationdelay
§ Synchronizationfailure
§ Unintendedcloning
HierarchicalsignaturesandReservation
Nonvolatile
Volatile
Vulnerability:UnintendedCloning
10110110
SnapshotorBackup
10110110
10110110
10110110
CloneorRestore
§ Idea:avoidsecurityissueswithstatemanagement
§ Bernsteinet.al.SPHINCS:PracticalStatelessHash-BasedSignatures,EUROCRYPT2015§ Largesignatures(45KB)§ Largekeygenerationtime
StatelessHashBasedSignatures
Hybridsignatures
HierarchicalSignatureswithStatelessRoot,McGrewandFluhrer,preprint,2016.
StatelessN1-timesignaturemethod
StatefulN2-timesignaturemethod
N1xN2timesignaturemethodwithnobackupvulnerability
§ XMSS§ MovingtoRFC§ Provablysecure(thoughproofnotapplicabletodraft)
§ Concretesecuritymodel,asymptoticanalysis
§ HLMS§ Evolvingtomeetemergingrequirements§ Provablysecure(thoughproofincomplete)
§ Randomoraclemodel
Draftstandards
draft-mcgrew-hash-sigs
draft-huelsing-cfrg-hash-sig-xmss
§ Numberofsignatures 240 240
§ Signaturesize 5727B 5603B (98%)
§ Signaturegenerationtime 1005 3015 (300%)
§ Allowshybrid Yes No
CriteriaandComparisonHLMS XMSS
ThankYou
4thETSI/IQCWorkshoponQuantum-SafeCryptography
