Long-term secure signatures for the IoT filem,0 sk m,1 pk 1,0 pk 1,1 pk m,0 pk m,1 H H H H H H sk...

Long-term secure signatures for the IoT

Andreas Hülsing

Hash-based Signature Schemes [Mer89]

Long-term secure

• Only needs secure hash function

• Post-quantum

• Possibility of hash combiners

IoT compatible?

• Only needs secure hash function

Lamport-Diffie OTS [Lam79]

Message M = b1,…,bm, OWF H = n bit

SK

PK

Sig

6-11-2017 PAGE 3

sk1,0 sk1,1 skm,0 skm,1

pk1,0 pk1,1 pkm,0 pkm,1

H H H H H H

sk1,b1 skm,bm

*

Muxb1 Muxb2 Muxbm

One-time signatures

• Can only be used once

• Basic building block

• Secret keys can be generated pseudorandomly

WOTS+ [Hue13]

• Shorter signatures

• Size-speed trade-off

Chain-based OTS

OTS OTS OTS OTS OTS OTS OTS

H H H H H H H PK

SK

Chain-based OTS [NY89]

• Extremely fast signing via „pebbeling“

• Extremely fast verification of sequential signatures

• Small keys

• Small sigs (for sequential signatures)

• Extremely useful in combination with aggregator

• Stateful

See e.g. Dahmen, Krauss. Short Hash-Based Signatures for Wireless Sensor Networks. CANS 2009.

Merkle’s signature scheme

6-11-2017 PAGE 7

OTS

OTS OTS OTS OTS OTS OTS OTS

HH H H H H H H

H H H H

H H

H

PK

SIG = (i=2, , , , , )

OTS

SK

Merkle‘s signature scheme

• Fast signing via „tree traversal algorithms“

• Extremely fast verification

• Small keys

• Medium size sigs

• Stateful

Latest: XMSS-T (Hülsing, Rijneveld, Song. Mitigating Multi-Target Attacks in Hash-based Signatures. PKC ‘16)

Multi-Tree XMSS [MMM02]

Uses multiple layers of trees

-> Key generation(= Building first tree on each layer)

Θ(2h) → Θ(d*2h/d)

-> Allows to reduceworst-case signing timesΘ(h/2) → Θ(h/2d)

SPHINCS [BHH+15]

• Stateless Scheme

• XMSSMT + HORST + (pseudo-)random index

• Collision-resilient

• Deterministic signing

• SPHINCS-256:• 128-bit post-quantum secure• Hundrest of signatures / sec• 41 kb signature• 1 kb keys

Performance on small devices

• STM32L100C development board: Cortex M3, 32MHz, 32-bit architecture, 256KB Flash, 16KB RAM

• Issue: SPHINCS sigs (41KB) don‘t fit single APDU

KeyGen Sign Verify

XMSSMT 278.80s 0.61s 0.16s

SPHINCS 0.88s 18.41s 0.51s

Future

• XMSS Internet Draft in IRSG poll

• At least two SPHINCS submissions for NIST• Faster / smaller signatures

• Several works on dedicated hash functions (Haraka, Siempira)

Thank you!

Questions?

9-10-2017 PAGE 13

Long-term secure signatures for the IoT filem,0 sk m,1 pk 1,0 pk 1,1 pk m,0 pk m,1 H H H H H H sk...

Documents

Transcript of Long-term secure signatures for the IoT filem,0 sk m,1 pk 1,0 pk 1,1 pk m,0 pk m,1 H H H H H H sk...