State Management for Hash-Based Signatures
David McGrew, Panos Kampanakis, Scott Fluhrer, Stefan-Lukas Gazdag, Denis Butin, Johannes Buchmann
{mcgrew,pkampana,sfluhrer}@cisco.com
[email protected]
{dbutin,buchmann}@cdc.informatik.tu-darmstadt.de
SSR 2016
-
What's so great about HBS?
- Well understood
- Post-Quantum
- No further intractability assumptions other than cryptographic hash functions
- Minimal security requirements feasible
- Forward secure constructions possible
12/06/16 2
-
Intro: Hash-Based Signatures
[Figure: diagram with the labels: message bits 0 1 0 1 0 1, signature, private key (random data blocks), f, hash, public key]
-
Intro: Hash-Based Signatures
-
Statefulness
- Private key has to be updated
- Any copy may reveal secrets
- Interrupts may threaten consistency
- Key is critical resource
- Data to be updated differs by implementation decisions (starting from single index to several nodes)
-
How about stateless schemes?
- SPHINCS (https://sphincs.cr.yp.to/)
- Signature size ~ 41 KB
- Slower signing times
Definitely working for some use cases! But stateful schemes are sometimes still the better choice.
Scheme   Sig Size (B)  Pub Key Size (B)
LMS      2828          100
XMSS     2820          68
HSS      8688          112
XMSS^MT  8392          68
SPHINCS  41k           1056
Similar parameter sets: total height of 30 for LMS and XMSS, total height of 60 for HSS, XMSS^MT and SPHINCS.
-
What's in line for standardization?
-
How can we cope with statefulness?
-
State Synchronization
- Synchronization delay affects performance
- Synchronization failure may occur
- Several copies may exist
=> Special case of cloning
-
[Figure: The Linux Storage Stack Diagram, http://www.thomas-krenn.com/en/wiki/Linux_Storage_Stack_Diagram. Created by Werner Fischer and Georg Schönberger. License: CC-BY-SA 3.0, see http://creativecommons.org/licenses/by-sa/3.0/]
-
A classic digital signature
Scheme = (Key Generation, Signing, Verification)
-
A stateful digital signature
Scheme = (Key Generation, Reservation, Signing, Verification)
-
Reservation
- Keys (pre-) generated in bulk
- Easy access management to critical resource
- Key synchronization and read/write operations alleviated
- Use case specific key pool feasible
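An added example, not taken from the slides or the authors' code: one way to realise the Reservation step, assuming the signer's state is just the next unused leaf index kept in a file. The class `IndexReserver`, the file name and the batch size are hypothetical; the nonvolatile counter is advanced past a whole batch before any index in that batch is used, so losing the volatile window wastes keys but never repeats one.

```python
import json
import os
import tempfile


class IndexReserver:
    """Hands out each one-time-signature leaf index at most once, across crashes."""

    def __init__(self, path, total_leaves, batch=4):
        self.path, self.total, self.batch = path, total_leaves, batch
        self._next = self._limit = 0  # volatile window, empty until a batch is reserved

    def _load(self):
        if not os.path.exists(self.path):
            return 0
        with open(self.path) as f:
            return json.load(f)["next_unreserved"]

    def _persist(self, value):
        # Write-then-rename: an interrupt leaves the old or the new state, never a mix.
        tmp = self.path + ".tmp"
        with open(tmp, "w") as f:
            json.dump({"next_unreserved": value}, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.path)
        dir_fd = os.open(os.path.dirname(self.path) or ".", os.O_RDONLY)
        os.fsync(dir_fd)  # make the rename itself durable (POSIX)
        os.close(dir_fd)

    def next_index(self):
        if self._next >= self._limit:  # window empty: reserve a new batch
            start = self._load()
            if start >= self.total:
                raise RuntimeError("all leaf indices used or reserved")
            end = min(start + self.batch, self.total)
            self._persist(end)  # nonvolatile state advances BEFORE any index is used
            self._next, self._limit = start, end
        index, self._next = self._next, self._next + 1
        return index


def demo_crash_recovery():  # constructed scenario: two signatures, then a restart
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "hbs_state.json")
        first = IndexReserver(path, total_leaves=16)
        used = [first.next_index(), first.next_index()]
        restarted = IndexReserver(path, total_leaves=16)  # volatile window is gone
        return used, [restarted.next_index(), restarted.next_index()]
```

A state file restored from a backup or snapshot rolls the counter back, so this covers interruption and restart, not the cloning case the slides list separately.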
-
Hierarchical Signatures / Key Reservation
[Figure; labels: Synchronization delay, Synchronization failure, Unintended cloning; Nonvolatile, Volatile]
-
Hybrid Scheme and Reservation
[Figure; labels: Synchronization delay, Synchronization failure, Unintended cloning; Nonvolatile, Volatile]
-
Hybrid Scheme and Reservation
[Figure; labels: Synchronization delay, Synchronization failure, Unintended cloning; Nonvolatile, Volatile ?]
-
Hybrid Scheme and Reservation
[Figure; labels: Synchronization delay, Synchronization failure, Unintended cloning; Nonvolatile, Volatile]
Breaks so much more:
- Entropy pools and PRNGs
- Deterministic IVs and Nonces
- Encryption counters
- Digital signature seeds
- One Time Passwords (OTP)
- TCP sequence numbers
- ...
-
Conclusion
- First official standards available soon
- Safe deployment / good performance feasible
- Future work: standardization document on HBS deployment
-
Any questions?
{mcgrew,pkampana,sfluhrer}@cisco.com
[email protected]
{dbutin,buchmann}@cdc.informatik.tu-darmstadt.de