SLIDE 1

{mcgrew,pkampana,sfluhrer}@cisco.com, stefan-lukas_gazdag@genua.eu, {dbutin,buchmann}@cdc.informatik.tu-darmstadt.de

David McGrew, Panos Kampanakis, Scott Fluhrer, Stefan-Lukas Gazdag, Denis Butin, Johannes Buchmann

State Management for Hash-Based Signatures

SSR 2016

SLIDE 2

What's so great about HBS?

  • Well understood
  • Post-Quantum
  • No further intractability assumptions other than cryptographic hash functions
  • Minimal security requirements feasible
  • Forward secure constructions possible

12/06/16 2

SLIDE 3

Intro: Hash-Based Signatures

[Figure: labels shown are private key, random data, f, hash, public key, signature.]

SLIDE 4

Intro: Hash-Based Signatures

SLIDE 5

Statefulness

  • Private key has to be updated
    – Any copy may reveal secrets
    – Interrupts may threaten consistency
    – Key is critical resource
    – Data to be updated differs by implementation decisions (starting from single index to several nodes)

SLIDE 6

How about stateless schemes?

  • SPHINCS (https://sphincs.cr.yp.to/)
    – Signature size ~ 41 KB
    – Slower signing times

Definitely working for some use cases! But stateful schemes are sometimes still the better choice.

Scheme    Sig Size (B)   Pub Key Size (B)
LMS       2828           100
XMSS      2820           68
HSS       8688           112
XMSS^MT   8392           68
SPHINCS   41k            1056

Similar parameter sets, total height of 30 for LMS and XMSS, total height of 60 for HSS, XMSS^MT and SPHINCS.

SLIDE 7

How about stateless schemes?

  • SPHINCS (https://sphincs.cr.yp.to/)

    – Signature size ~ 41 KB
    – Slower signing times

Definitely working for some use cases! But stateful schemes are sometimes still the better choice.

SLIDE 8

What's in line for standardization?

SLIDE 9

SLIDE 10

SLIDE 11

SLIDE 12

How can we cope with statefulness?

SLIDE 13

State Synchronization

  • Synchronization delay affects performance
  • Synchronization failure may occur
  • Several copies may exist
    => Special case of cloning

SLIDE 14

The Linux Storage Stack Diagram, http://www.thomas-krenn.com/en/wiki/Linux_Storage_Stack_Diagram. Created by Werner Fischer and Georg Schönberger. License: CC-BY-SA 3.0, see http://creativecommons.org/licenses/by-sa/3.0/

SLIDE 15

SLIDE 16

A classic digital signature

Scheme = (Key Generation, Signing, Verification)

SLIDE 17

A stateful digital signature

Scheme = (Key Generation, Reservation, Signing, Verification)

SLIDE 18

Reservation

  • Keys (pre-) generated in bulk
  • Easy access management to critical resource
  • Key synchronization and read/write operations alleviated

  • Use case specific key pool feasible
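
One way to realize the Reservation step, as an added example that is not from the slides or the authors' implementations: the persisted counter is advanced by a whole batch and flushed to disk before any index in that batch is used, so a crash or restart skips unused indices instead of reissuing one. The class name, the JSON state file and the batch size are assumptions; cloned copies of the state file (snapshots, backups) are not addressed here.

```python
import json
import os
import tempfile


class ReservingIndexAllocator:
    """Hands out one-time leaf indices; the on-disk bound is always ahead of use."""

    def __init__(self, path, total_leaves, batch=8):
        self.path, self.total, self.batch = path, total_leaves, batch
        # Resume at the durably reserved bound: indices reserved but not used
        # before a crash are skipped, never handed out a second time.
        self.next = self.limit = self._load()

    def _load(self):
        try:
            with open(self.path) as f:
                return json.load(f)["reserved_upto"]
        except FileNotFoundError:
            return 0  # fresh key, nothing reserved yet

    def _persist(self, upto):
        # Write a temp file, fsync it, rename atomically, then fsync the directory.
        d = os.path.dirname(os.path.abspath(self.path))
        fd, tmp = tempfile.mkstemp(dir=d)
        with os.fdopen(fd, "w") as f:
            json.dump({"reserved_upto": upto}, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.path)
        dfd = os.open(d, os.O_RDONLY)
        try:
            os.fsync(dfd)
        finally:
            os.close(dfd)

    def take(self):
        if self.next == self.limit:
            if self.limit >= self.total:
                raise RuntimeError("private key exhausted")
            new_limit = min(self.limit + self.batch, self.total)
            self._persist(new_limit)  # reserve BEFORE any index in the batch is used
            self.limit = new_limit
        index, self.next = self.next, self.next + 1
        return index


def demo_crash_recovery(path):
    a = ReservingIndexAllocator(path, total_leaves=32, batch=8)
    used = [a.take() for _ in range(3)]   # signer "crashes" after three signatures
    b = ReservingIndexAllocator(path, total_leaves=32, batch=8)  # restart
    return used + [b.take()]              # resumes past the whole reserved batch
```

Only one write per batch reaches nonvolatile storage; the cost is that up to `batch - 1` indices are lost on each unclean restart.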

SLIDE 19

Hierarchical Signatures / Key Reservation

SLIDE 20

Hierarchical Signatures / Key Reservation

  • Synchronization delay
  • Synchronization failure
  • Unintended cloning
    – Nonvolatile
    – Volatile

SLIDE 21

Hierarchical Signatures / Key Reservation

  • Synchronization delay
  • Synchronization failure
  • Unintended cloning
    – Nonvolatile
    – Volatile

SLIDE 22

Hybrid Scheme and Reservation

SLIDE 23

Hybrid Scheme and Reservation

  • Synchronization delay
  • Synchronization failure
  • Unintended cloning
    – Nonvolatile
    – Volatile

SLIDE 24

Hybrid Scheme and Reservation

  • Synchronization delay
  • Synchronization failure
  • Unintended cloning
    – Nonvolatile
    – Volatile

SLIDE 25

Hybrid Scheme and Reservation

  • Synchronization delay
  • Synchronization failure
  • Unintended cloning
    – Nonvolatile
    – Volatile

?

SLIDE 26

Hybrid Scheme and Reservation

  • Synchronization delay
  • Synchronization failure
  • Unintended cloning
    – Nonvolatile
    – Volatile

Breaks so much more:

  • Entropy pools and PRNGs
  • Deterministic IVs and Nonces
  • Encryption counters
  • Digital signature seeds
  • One Time Passwords (OTP)
  • TCP sequence numbers
  • ...

SLIDE 27

Conclusion

  • First official standards available soon
  • Safe deployment / good performance feasible
  • Future work: standardization document on HBS deployment

SLIDE 28

Any questions?

{mcgrew,pkampana,sfluhrer}@cisco.com, stefan-lukas_gazdag@genua.eu, {dbutin,buchmann}@cdc.informatik.tu-darmstadt.de
