state management for hash-based signatures

Post on 08-Jan-2022


State Management for Hash-Based Signatures

David McGrew, Panos Kampanakis, Scott Fluhrer, Stefan-Lukas Gazdag, Denis Butin, Johannes Buchmann

{mcgrew,pkampana,sfluhrer}@cisco.com

stefan-lukas_gazdag@genua.eu

{dbutin,buchmann}@cdc.informatik.tu-darmstadt.de

SSR 2016

12/06/16 2

What's so great about HBS?

● Well understood
● Post-Quantum
● No further intractability assumptions other than cryptographic hash functions
● Minimal security requirements feasible
● Forward secure constructions possible


Intro: Hash-Based Signatures

[Figure: one-time signature scheme. Labels: random data, hash, f, private key, public key, signature; bit values 0 0 0 1 1 1.]


Statefulness

● Private key has to be updated
– Any copy may reveal secrets
– Interrupts may threaten consistency
– Key is critical resource
– Data to be updated differs by implementation decisions (starting from single index to several nodes)


How about stateless schemes?

● SPHINCS (https://sphincs.cr.yp.to/)
– Signature size ~ 41 KB
– Slower signing times

Definitely working for some use cases!

But stateful schemes are sometimes still the better choice.

Scheme    Sig Size (B)   Pub Key Size (B)
LMS       2828           100
XMSS      2820           68
HSS       8688           112
XMSS^MT   8392           68
SPHINCS   41k            1056

Similar parameter sets: total height of 30 for LMS and XMSS, total height of 60 for HSS, XMSS^MT and SPHINCS.


What's in line for standardization?


How can we cope with statefulness?


State Synchronization

● Synchronization delay affects performance

● Synchronization failure may occur

● Several copies may exist

=> Special case of cloning


[Figure: The Linux Storage Stack Diagram, http://www.thomas-krenn.com/en/wiki/Linux_Storage_Stack_Diagram. Created by Werner Fischer and Georg Schönberger. License: CC-BY-SA 3.0, see http://creativecommons.org/licenses/by-sa/3.0/]


A classic digital signature

Scheme = (Key Generation, Signing, Verification)


A stateful digital signature

Scheme = (Key Generation, Reservation, Signing, Verification)


Reservation

● Keys (pre-)generated in bulk
● Easy access management to critical resource
● Key synchronization and read/write operations alleviated
● Use case specific key pool feasible
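
The reservation step from the slides above, sketched as an added example (not code from the presentation or from any LMS/XMSS implementation): the nonvolatile counter is advanced by a whole batch before any index from that batch is used, so an interrupt wastes indices but never repeats one. The class name, state-file format and batch size are assumptions made for illustration.

```python
import json, os, tempfile

# Illustrative names and file format (assumptions, not from the slides).
class IndexReservation:
    """Hands out one-time-key indices; the stored counter is advanced first."""
    def __init__(self, path, total_keys, batch=8):
        self.path, self.total, self.batch = path, total_keys, batch
        self.next = self.limit = self._load()  # RAM pool starts empty

    def _load(self):
        if not os.path.exists(self.path):
            return 0
        with open(self.path) as f:
            return json.load(f)["next_unreserved"]

    def _persist(self, value):
        # Write-then-rename: an interrupt leaves the old or the new state,
        # never a torn file. fsync runs before the indices become usable.
        tmp = self.path + ".tmp"
        with open(tmp, "w") as f:
            json.dump({"next_unreserved": value}, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.path)

    def take_index(self):
        if self.next == self.limit:          # volatile pool exhausted
            if self.limit >= self.total:
                raise RuntimeError("private key exhausted")
            new_limit = min(self.limit + self.batch, self.total)
            self._persist(new_limit)         # reserve before any use
            self.limit = new_limit
        idx, self.next = self.next, self.next + 1
        return idx

def demo():
    """Take 3 indices, lose the RAM pool, restart, take 3 more."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "hbs_state.json")
        first = IndexReservation(path, total_keys=32)
        before = [first.take_index() for _ in range(3)]
        del first                            # simulated crash
        second = IndexReservation(path, total_keys=32)
        after = [second.take_index() for _ in range(3)]
        return before, after

if __name__ == "__main__":
    print(demo())
```

Two copies of the state file, or a restored snapshot, would still hand out the same indices; that is the cloning case the later slides discuss.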


Hierarchical Signatures / Key Reservation


● Synchronization delay
● Synchronization failure
● Unintended cloning
– Nonvolatile
– Volatile


Hybrid Scheme and Reservation


● Synchronization delay
● Synchronization failure
● Unintended cloning
– Nonvolatile
– Volatile


Hybrid Scheme and Reservation

● Synchronization delay
● Synchronization failure
● Unintended cloning
– Nonvolatile
– Volatile ?


Hybrid Scheme and Reservation

● Synchronization delay
● Synchronization failure
● Unintended cloning
– Nonvolatile
– Volatile

Breaks so much more:

- Entropy pools and PRNGs
- Deterministic IVs and Nonces
- Encryption counters
- Digital signature seeds
- One Time Passwords (OTP)
- TCP sequence numbers
- ...


Conclusion

● First official standards available soon
● Safe deployment / good performance feasible
● Future work: standardization document on HBS deployment


Any questions?

{mcgrew,pkampana,sfluhrer}@cisco.com

stefan-lukas_gazdag@genua.eu

{dbutin,buchmann}@cdc.informatik.tu-darmstadt.de
