state management for hash-based signatures
TRANSCRIPT
State Management for Hash-Based Signatures
David McGrew, Panos Kampanakis, Scott Fluhrer, Stefan-Lukas Gazdag, Denis Butin, Johannes Buchmann
{mcgrew,pkampana,sfluhrer}@[email protected]
{dbutin,buchmann}@cdc.informatik.tu-darmstadt.de
SSR 2016
12/06/16 2
What's so great about HBS?
● Well understood● Post-Quantum● No further intractability assumptions
other than cryptographic hash functions● Minimal security requirements feasible● Forward secure constructions possible
12/06/16 3
Intro: Hash-Based Signatures
random data random data random data random data random data random data
hash hash hash hash hash hash
f f f f f f
private key
0
public key
00 1 1 1
signature
12/06/16 4
Intro: Hash-Based Signatures
12/06/16 5
Statefulness
● Private key has to be updated– Any copy may reveal secrets
– Interrupts may threaten consistency
– Key is critical resource
– Data to be updated differs by
implementation decisions
(Starting from single index to several nodes)
12/06/16 6
How about stateless schemes?
● SPHINCS (https://sphincs.cr.yp.to/
– Signatures size ~ 41 KB– Slower signing times
Definitely working for some use cases!
But stateful schemes sometimes still the
better choice.
Sig Size (B) Pub Key Size (B)
LMS 2828 100
XMSS 2820 68
HSS 8688 112
XMSS^MT 8392 68
SPHINCS 41k 1056
Similar parameter sets,total height of 30 for LMS and XMSS,total height of 60 for HSS, XMSS^MT and SPHINCS.
12/06/16 7
How about stateless schemes?
● SPHINCS (https://sphincs.cr.yp.to/)
– Signatures size ~ 41 KB
– Slower signing times
Definitely working for some use cases!
But stateful schemes are sometimes still
the better choice.
12/06/16 8
What's in line for standardization?
12/06/16 9
12/06/16 10
12/06/16 11
12/06/16 12
How can we cope with statefulness?
12/06/16 13
State Synchronization
● Synchronization delay affects performance
● Synchronization failure may occur
● Several copies may exist
=> Special case of cloning
12/06/16 14
Th
e L
inux S
tor a
ge S
tack
Dia
gra
mhtt
p:/
/ww
w.t
hom
as-
kre
nn
.com
/en
/wik
i/Li
nux_S
tora
ge_S
tack
_Dia
gra
mC
reate
d b
y W
ern
er
Fisc
her
and
Georg
Sc
hön
berg
er
Lice
nse
: C
C-B
Y -S
A 3
.0, se
e h
t tp
://c
reati
veco
mm
ons.
org
/lic
en
ses/
by-
sa/3
.0/
12/06/16 15
Th
e L
inux S
tor a
ge S
tack
Dia
gra
mhtt
p:/
/ww
w.t
hom
as-
kre
nn
.com
/en
/wik
i/Li
nux_S
tora
ge_S
tack
_Dia
gra
mC
reate
d b
y W
ern
er
Fisc
her
and
Georg
Sc
hön
berg
er
Lice
nse
: C
C-B
Y -S
A 3
.0, se
e h
t tp
://c
reati
veco
mm
ons.
org
/lic
en
ses/
by-
sa/3
.0/
12/06/16 16
A classic digital signature
Scheme = (Key Generation, Signing, Verification)
12/06/16 17
A stateful digital signature
Scheme = (Key Generation, Reservation, Signing, Verification)
12/06/16 18
Reservation
● Keys (pre-) generated in bulk● Easy access management to critical resource● Key synchronization and read/write operations
alleviated● Use case specific key pool feasible
12/06/16 19
Hierarchical Signatures / Key Reservation
12/06/16 20
● Synchronization delay● Synchronization failure● Unintended cloning
– Nonvolatile
– Volatile
Hierarchical Signatures / Key Reservation
12/06/16 21
● Synchronization delay● Synchronization failure● Unintended cloning
– Nonvolatile
– Volatile
Hierarchical Signatures / Key Reservation
12/06/16 22
Hybrid Scheme and Reservation
12/06/16 23
Hybrid Scheme and Reservation
● Synchronization delay● Synchronization failure● Unintended cloning
– Nonvolatile
– Volatile
12/06/16 24
Hybrid Scheme and Reservation
● Synchronization delay● Synchronization failure● Unintended cloning
– Nonvolatile
– Volatile
12/06/16 25
Hybrid Scheme and Reservation
● Synchronization delay● Synchronization failure● Unintended cloning
– Nonvolatile
– Volatile ?
12/06/16 26
Hybrid Scheme and Reservation
● Synchronization delay● Synchronization failure● Unintended cloning
– Nonvolatile
– VolatileBreaks so much more:
- Entropy pools and PRNGs- Deterministic IVs and Nonces- Encryption counters- Digital signature seeds- One Time Passwords (OTP)- TCP sequence numbers- ...
12/06/16 27
Conclusion
● First official standards available soon● Safe deployment / good performance feasible● Future work:
standardization document on HBS deployment
12/06/16 28
Any questions?
{mcgrew,pkampana,sfluhrer}@[email protected]
{dbutin,buchmann}@cdc.informatik.tu-darmstadt.de