Long-term secure signatures for the IoT - Andreas Hülsing



slide-1
SLIDE 1

Long-term secure signatures for the IoT

Andreas Hülsing

slide-2
SLIDE 2

Hash-based Signature Schemes

[Mer89]

Long-term secure

  • Only needs secure hash function
  • Post-quantum
  • Possibility of hash combiners

IoT compatible?

  • Only needs secure hash function

slide-3
SLIDE 3

Lamport-Diffie OTS [Lam79]

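Message $M = b_1,\dots,b_m$; OWF $H$; * = n bit

SK: $sk_{1,0}, sk_{1,1}, \dots, sk_{m,0}, sk_{m,1}$

PK: $pk_{1,0}, pk_{1,1}, \dots, pk_{m,0}, pk_{m,1}$, with $pk_{i,b} = H(sk_{i,b})$

Sig: $sk_{1,b_1}, \dots, sk_{m,b_m}$ (Mux $b_1$, Mux $b_2$, …, Mux $b_m$ each select one of the two secret values)

6-11-2017 PAGE 3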

slide-4
SLIDE 4

One-time signatures

  • Can only be used once
  • Basic building block
  • Secret keys can be generated pseudorandomly
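
The Lamport-Diffie scheme from the previous slide, with the secret key generated pseudorandomly from a seed, as an added example that is not part of the original slides. SHA-256 as H, HMAC-SHA256 as the PRF, hashing the message to obtain b1..bm, and all function names are assumptions of this sketch.

```python
import hashlib
import hmac

M_BITS = 256  # m message bits; n = 256-bit values (SHA-256 is an assumption)

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def msg_bits(message: bytes) -> list:
    """Hash the message and return the bits b_1..b_m of the digest."""
    d = H(message)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(M_BITS)]

def keygen(seed: bytes):
    """sk_{i,b} = PRF(seed, i || b) and pk_{i,b} = H(sk_{i,b})."""
    sk = [[hmac.new(seed, bytes([i >> 8, i & 0xFF, b]), hashlib.sha256).digest()
           for b in (0, 1)] for i in range(M_BITS)]
    pk = [[H(x) for x in pair] for pair in sk]
    return sk, pk

def sign(sk, message: bytes) -> list:
    """Sig = sk_{1,b_1}, ..., sk_{m,b_m}: one secret value per message bit."""
    return [sk[i][b] for i, b in enumerate(msg_bits(message))]

def verify(pk, message: bytes, sig: list) -> bool:
    """Accept only if H(sig_i) == pk_{i,b_i} for every position i."""
    bits = msg_bits(message)
    if len(sig) != len(bits):
        return False
    ok = True
    for i, b in enumerate(bits):
        ok &= hmac.compare_digest(H(sig[i]), pk[i][b])
    return ok

def revealed_fraction(messages: list) -> float:
    """Share of the 2m secret values disclosed by signing these messages
    with a single key pair; this is why the key is one-time only."""
    seen = {(i, b) for m in messages for i, b in enumerate(msg_bits(m))}
    return len(seen) / (2 * M_BITS)

if __name__ == "__main__":
    sk, pk = keygen(b"constructed example seed")  # constructed sample input
    sig = sign(sk, b"sensor reading 42")
    print(verify(pk, b"sensor reading 42", sig))
    print(revealed_fraction([b"sensor reading 42", b"sensor reading 43"]))
```

One signature discloses exactly half of the secret values; a second signature under the same key discloses more, which is the reason state (or a fresh key per message) is required.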

WOTS+ [Hue13]

  • Shorter signatures
  • Size-speed trade-off
slide-5
SLIDE 5

Chain-based OTS

[Figure: chain of OTS key pairs linked by H, labelled PK and SK]

slide-6
SLIDE 6

Chain-based OTS [NY89]

  • Extremely fast signing via "pebbling"
  • Extremely fast verification of sequential signatures
  • Small keys
  • Small sigs (for sequential signatures)
  • Extremely useful in combination with aggregator
  • Stateful

See e.g. Dahmen, Krauss. Short Hash-Based Signatures for Wireless Sensor Networks. CANS 2009.

slide-7
SLIDE 7

Merkle’s signature scheme


[Figure: binary hash tree built with H over the OTS key pairs; PK is the root, SK consists of the OTS secret keys]

SIG = (i=2, , , , , )

slide-8
SLIDE 8

Merkle's signature scheme

  • Fast signing via "tree traversal algorithms"
  • Extremely fast verification
  • Small keys
  • Medium size sigs
  • Stateful

Latest: XMSS-T

(Hülsing, Rijneveld, Song. Mitigating Multi-Target Attacks in Hash-based Signatures. PKC '16)
slide-9
SLIDE 9

Multi-Tree XMSS [MMM02]

Uses multiple layers of trees

  • → Key generation (= building first tree on each layer): Θ(2^h) → Θ(d·2^(h/d))
  • → Allows to reduce worst-case signing times: Θ(h/2) → Θ(h/2d)

slide-10
SLIDE 10

SPHINCS [BHH+15]

  • Stateless scheme
  • XMSS^MT + HORST + (pseudo-)random index
  • Collision-resilient
  • Deterministic signing
  • SPHINCS-256:
      • 128-bit post-quantum secure
      • Hundreds of signatures / sec
      • 41 kb signature
      • 1 kb keys
slide-11
SLIDE 11

Performance on small devices

  • STM32L100C development board: Cortex M3, 32MHz, 32-bit architecture, 256KB Flash, 16KB RAM
  • Issue: SPHINCS sigs (41KB) don't fit single APDU

             KeyGen     Sign      Verify
  XMSS^MT    278.80s    0.61s     0.16s
  SPHINCS    0.88s      18.41s    0.51s

slide-12
SLIDE 12

Future

  • XMSS Internet Draft in IRSG poll
  • At least two SPHINCS submissions for NIST
  • Faster / smaller signatures
  • Several works on dedicated hash functions (Haraka, Simpira)

slide-13
SLIDE 13

Thank you! Questions?

9-10-2017 PAGE 13