State Management for Hash-Based Signatures

David McGrew, Panos Kampanakis, Scott Fluhrer, Stefan-Lukas Gazdag, Denis Butin, Johannes Buchmann
{mcgrew,pkampana,sfluhrer}@cisco.com, [email protected], {dbutin,buchmann}@cdc.informatik.tu-darmstadt.de

SSR 2016


  • What's so great about HBS?

    - Well understood
    - Post-quantum
    - No further intractability assumptions other than cryptographic hash functions
    - Minimal security requirements feasible
    - Forward-secure constructions possible

    12/06/16 2

  • Intro: Hash-Based Signatures

    [Figure: one-time signature. Private key: random data; public key: the hash of each private-key value under f; signature: for each message bit (0/1), the corresponding private-key value is revealed.]

  • Intro: Hash-Based Signatures

    [Figure only]

  • Statefulness

    - Private key has to be updated
    - Any copy may reveal secrets
    - Interrupts may threaten consistency
    - Key is a critical resource
    - Data to be updated differs by implementation decisions (from a single index to several nodes)
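A worked illustration of the two points above (the private key is the next unused leaf index, and any copy of it may reveal secrets), added here and not part of the original deck: a toy Lamport-style one-time signature scheme under a small Merkle tree. Digest size, tree height, message strings and the "stale copy" scenario are arbitrary choices for the demo, not parameters of LMS or XMSS. Once a stale copy of the signer reuses a leaf index, the two resulting signatures let anyone forge a third signature that verifies against the same public key.

```python
# Added example (not from the slides): toy Lamport-style one-time signatures
# under an 8-leaf Merkle tree, showing the state a signer must update (the next
# unused leaf index) and what a stale copy of that state leaks. Toy sizes: 16-bit
# digests, 8 leaves; LMS/XMSS use 256-bit digests and far larger trees.
import copy
import hashlib
import os

N = 16       # digest bits covered by one OTS key (toy value)
H_TREE = 3   # tree height: 2**3 = 8 one-time keys

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def msg_bits(msg: bytes):
    """Digest bits that select which private-key values a signature reveals."""
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]

def ots_keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(N)]  # "random data"
    pk = [(H(a), H(b)) for a, b in sk]                        # f = hash
    return sk, pk

def ots_sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(msg_bits(msg))]

def ots_verify(pk, msg, sig):
    return all(H(sig[i]) == pk[i][b] for i, b in enumerate(msg_bits(msg)))

def leaf_hash(pk):
    return H(b"".join(a + b for a, b in pk))

def build_tree(leaves):
    """levels[0] = leaves, levels[-1] = [root]."""
    levels = [leaves]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        levels.append([H(lvl[i] + lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels

def auth_path(levels, idx):
    path = []
    for lvl in levels[:-1]:
        path.append(lvl[idx ^ 1])
        idx //= 2
    return path

class Signer:
    """Stateful signer; next_idx is the private-key state the slides refer to."""
    def __init__(self):
        self.keys = [ots_keygen() for _ in range(2 ** H_TREE)]
        self.levels = build_tree([leaf_hash(pk) for _, pk in self.keys])
        self.root = self.levels[-1][0]
        self.next_idx = 0

    def sign(self, msg):
        idx = self.next_idx
        if idx >= 2 ** H_TREE:
            raise RuntimeError("key exhausted")
        self.next_idx = idx + 1  # must be made durable before the signature is released
        sk, pk = self.keys[idx]
        return (idx, ots_sign(sk, msg), pk, auth_path(self.levels, idx))

def verify(root, msg, sig):
    idx, ots_sig, pk, path = sig
    if not ots_verify(pk, msg, ots_sig):
        return False
    node = leaf_hash(pk)
    for sibling in path:
        node = H(node + sibling) if idx % 2 == 0 else H(sibling + node)
        idx //= 2
    return node == root

def forge_from_reuse(msg1, sig1, msg2, sig2, max_tries=1 << 20):
    """Attacker view of two signatures made with the same leaf: wherever the two
    digests differ, both private-key values of that position are now public.
    Search for a fresh message whose digest needs only known values."""
    idx, ots1, pk, path = sig1
    assert sig2[0] == idx, "attack needs index reuse"
    b1, b2 = msg_bits(msg1), msg_bits(msg2)
    known = [{b1[i]: ots1[i], b2[i]: sig2[1][i]} for i in range(N)]
    for t in range(max_tries):
        cand = b"forged payment %d" % t
        bits = msg_bits(cand)
        if all(bits[i] in known[i] for i in range(N)):
            return cand, (idx, [known[i][bits[i]] for i in range(N)], pk, path)
    return None

def demo():
    signer = Signer()
    stale = copy.deepcopy(signer)  # backup / VM snapshot / replica taken before signing
    m1, m2 = b"pay Alice 10", b"pay Bob 20"
    s1 = signer.sign(m1)           # uses leaf 0, state advances to 1
    s2 = stale.sign(m2)            # the copy still believes leaf 0 is unused
    forged = forge_from_reuse(m1, s1, m2, s2)
    return {"s1_ok": verify(signer.root, m1, s1),
            "s2_ok": verify(signer.root, m2, s2),
            "forgery_ok": forged is not None and verify(signer.root, forged[0], forged[1])}
```

With 16-bit toy digests the forgery search takes a few hundred hash evaluations on average; with 256-bit digests and Winternitz chains the attacker's work is larger but the mechanism is the same, which is why every standardized stateful scheme treats a reused index as a total break of that key.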

  • How about stateless schemes? SPHINCS (https://sphincs.cr.yp.to/)

    Signature size ~41 KB, slower signing times.
    Definitely working for some use cases! But stateful schemes are sometimes still the better choice.

    Scheme    Sig size (B)   Pub key size (B)
    LMS       2828           100
    XMSS      2820           68
    HSS       8688           112
    XMSS^MT   8392           68
    SPHINCS   41k            1056

    Similar parameter sets: total height of 30 for LMS and XMSS, total height of 60 for HSS, XMSS^MT and SPHINCS.


  • What's in line for standardization?

    [Slides 9 to 11: figures only]

  • How can we cope with statefulness?

  • State Synchronization

    - Synchronization delay affects performance
    - Synchronization failure may occur
    - Several copies may exist => special case of cloning

  • [Figure: The Linux Storage Stack Diagram, http://www.thomas-krenn.com/en/wiki/Linux_Storage_Stack_Diagram, created by Werner Fischer and Georg Schönberger, license CC-BY-SA 3.0, see http://creativecommons.org/licenses/by-sa/3.0/]


  • A classic digital signature
    Scheme = (Key Generation, Signing, Verification)

  • A stateful digital signature
    Scheme = (Key Generation, Reservation, Signing, Verification)

  • Reservation

    - Keys (pre-)generated in bulk
    - Easy access management to the critical resource
    - Key synchronization and read/write operations alleviated
    - Use-case-specific key pool feasible
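One way to implement the Reservation step just listed, added here as an example and not code from the deck or from any of the authors' implementations: the only value kept in nonvolatile storage is a high-water mark (the lowest leaf index never reserved), written durably before any index of a batch is used, and signing draws indices from a volatile cursor inside the reserved window. The file name, batch size and key size are arbitrary choices for the demo; the file-replace-and-fsync pattern is the standard POSIX way to make a small state update atomic.

```python
# Added example (not from the slides): index reservation for a stateful HBS key.
# The only durable value is a high-water mark, the lowest leaf index not yet
# reserved. Signing draws indices from a volatile cursor inside the reserved
# window, so durable writes happen once per batch, not once per signature, and a
# crash at any point can only waste reserved indices, never reuse one.
# File name, batch size and key size below are arbitrary choices for the demo.
import os
import tempfile

def write_durable(path: str, value: int) -> None:
    """Replace the state file atomically: after a crash the old or the new
    value is on disk, never a torn write."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write(str(value))
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, path)
    if hasattr(os, "O_DIRECTORY"):  # make the rename itself durable (POSIX)
        dfd = os.open(os.path.dirname(path) or ".", os.O_RDONLY | os.O_DIRECTORY)
        try:
            os.fsync(dfd)
        finally:
            os.close(dfd)

class ReservingSigner:
    def __init__(self, state_path: str, total_leaves: int, batch: int):
        self.path, self.total, self.batch = state_path, total_leaves, batch
        self.nvm_writes = 0
        # Nonvolatile: first index that has never been reserved (0 for a fresh key).
        if os.path.exists(state_path):
            with open(state_path) as f:
                self.reserved_upto = int(f.read())
        else:
            self.reserved_upto = 0
        # Volatile: the window [cursor, limit) we may sign from. Empty after a
        # restart, so the first signature forces a fresh reservation: indices
        # reserved by the previous run but never used are skipped, not reused.
        self.cursor = self.limit = self.reserved_upto

    def reserve(self) -> None:
        start = self.reserved_upto
        end = min(start + self.batch, self.total)
        if end == start:
            raise RuntimeError("key exhausted: all %d leaves reserved" % self.total)
        write_durable(self.path, end)  # durable BEFORE any index of the batch is used
        self.nvm_writes += 1
        self.reserved_upto = end
        self.cursor, self.limit = start, end

    def next_index(self) -> int:
        """Index to sign with next. The value returned is always below a mark
        that is already on disk, so no index can be handed out twice across
        crashes and restarts of this process."""
        if self.cursor >= self.limit:
            self.reserve()
        idx = self.cursor
        self.cursor += 1
        return idx

def simulate(total=64, batch=8):
    """Two process lifetimes on one key file, with a crash between them."""
    path = os.path.join(tempfile.mkdtemp(), "hbs.state")
    used, writes = [], 0
    s = ReservingSigner(path, total, batch)
    for _ in range(5):
        used.append(s.next_index())  # 0..4; one durable write (mark = 8)
    writes += s.nvm_writes
    del s                            # crash: volatile cursor lost, 5..7 wasted
    s = ReservingSigner(path, total, batch)
    for _ in range(10):
        used.append(s.next_index())  # 8..17; two more durable writes (mark = 24)
    writes += s.nvm_writes
    with open(path) as f:
        final_mark = int(f.read())
    return used, final_mark, writes

def exhausts_cleanly(total=16, batch=8) -> bool:
    """After `total` indices the signer must refuse rather than wrap around."""
    path = os.path.join(tempfile.mkdtemp(), "hbs.state")
    s = ReservingSigner(path, total, batch)
    for _ in range(total):
        s.next_index()
    try:
        s.next_index()
    except RuntimeError:
        return True
    return False
```

The batch size trades wasted indices per restart against the number of durable writes; with a 2^20-leaf key and a batch of 1024, a restart costs at most 0.1% of the key. Reservation addresses interrupts and write cost only: a second host restored from a copy of the same state file reserves the same window, which is the unintended-cloning case on the later slides, and no local bookkeeping can detect it.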

  • Hierarchical Signatures / Key Reservation

    [Figure; labels: Nonvolatile, Volatile. Cases shown: Synchronization delay, Synchronization failure, Unintended cloning]

  • Hybrid Scheme and Reservation

    [Figure; labels: Nonvolatile, Volatile, ?. Cases shown: Synchronization delay, Synchronization failure, Unintended cloning]

    Breaks so much more:
    - Entropy pools and PRNGs
    - Deterministic IVs and nonces
    - Encryption counters
    - Digital signature seeds
    - One-time passwords (OTP)
    - TCP sequence numbers
    - ...

  • Conclusion

    - First official standards available soon
    - Safe deployment / good performance feasible
    - Future work: standardization document on HBS deployment

  • Any questions?

    {mcgrew,pkampana,sfluhrer}@cisco.com
    [email protected]
    {dbutin,buchmann}@cdc.informatik.tu-darmstadt.de