Practical Hash Based Signatures: Uses, status quo, challenges, and going forward
David McGrew, Cisco Systems, mcgrew@cisco.com
4th ETSI/IQC Workshop on Quantum-Safe Cryptography

Why Hash Based Signatures?
§ Security
  § Minimum conjecture: hash function not invertible
  § Quantum resistant
§ Adaptability
§ Compact verifier

| Use Cases | Signatures Per Key |
|---|---|
| Firmware Signing | 2^20 |
| FPGA Bitstream Signing | 2^20 |
| Software Image Signing | 2^30 |
| Operating System Package Signing | 2^30 |
| Entity Authentication for Communication Security | 2^40 |

1-time signature of one bit
[Diagram: the Private Key values x0 and x1 are each passed through f to give the Public Key values y0 and y1. The Signature for Message 0 is x0. Verification applies f.]
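
The one-bit scheme above, extended to whole messages by using one (x0, x1) pair per bit of a message digest. This is an added example, not code from the presentation; SHA-256 as f, the 32-byte secrets and all names are assumptions, and it is the plain bit-by-bit construction rather than the one-time scheme whose sizes the deck quotes.

```python
import hashlib
import hmac
import secrets

N_BITS = 256  # one key pair per bit of a SHA-256 message digest


def f(x: bytes) -> bytes:
    # The one-way function f from the slide; SHA-256 is an assumption here.
    return hashlib.sha256(x).digest()


def message_bits(message: bytes) -> list:
    digest = hashlib.sha256(message).digest()
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(N_BITS)]


class OneTimeKey:
    def __init__(self):
        # Private key: (x0, x1) per bit. Public key: (y0, y1) = (f(x0), f(x1)).
        self._sk = [(secrets.token_bytes(32), secrets.token_bytes(32))
                    for _ in range(N_BITS)]
        self.pk = [(f(x0), f(x1)) for x0, x1 in self._sk]

    def sign(self, message: bytes) -> list:
        if self._sk is None:
            raise RuntimeError("one-time key already used")
        # Reveal x0 where the digest bit is 0 and x1 where it is 1.
        sig = [self._sk[i][b] for i, b in enumerate(message_bits(message))]
        self._sk = None  # a second signature would reveal more preimages
        return sig


def verify(pk: list, message: bytes, sig: list) -> bool:
    if len(sig) != N_BITS or len(pk) != N_BITS:
        return False
    # Apply f to each revealed value and compare with y0 or y1 for that bit.
    checks = [hmac.compare_digest(f(s), pk[i][b])
              for i, (s, b) in enumerate(zip(sig, message_bits(message)))]
    return all(checks)
```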

| One-Time Signatures | Merkle | Hierarchical Merkle |
|---|---|---|
| 1 Signature | 2^20 Signatures | 2^40 Signatures |
| 2144 Bytes | 2828 Bytes | 5727 Bytes |

HLMS

Managing Private Key State
State Management for Hash Based Signatures, McGrew, Kampanakis, Fluhrer, Gazdag, Butin, Buchmann, to appear at Security Standardization Research (SSR) 2016. https://eprint.iacr.org/2016/357

Managing Private Key State
[Diagram with File System Cache and Disk Cache. Steps shown: write K_{N+1}; ok; sign M with K_N.]

N-time Signatures with Reservation
[Diagram. Steps shown: write K_{N+R}; ok; sign M_N with K_N; sign M_{N+1} with K_{N+1}; sign M_{N+2} with K_{N+2}.]
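
The reservation pattern from the two slides above, reduced to the index counter of a stateful key. This is an added example, not code from the presentation or the cited paper; the class name, the state-file layout and the reserve size are assumptions.

```python
import os


class ReservingSigner:
    """Hands out one-time key indices; persists only the reserved bound."""

    def __init__(self, state_path: str, reserve: int = 8):
        self.path = state_path
        self.reserve = reserve
        # After a restart, resume at the persisted bound: any index below it
        # may already have been used before the crash, so it is skipped.
        self.next = self._load()
        self.limit = self.next

    def _load(self) -> int:
        try:
            with open(self.path) as fh:
                return int(fh.read())
        except FileNotFoundError:
            return 0

    def _persist(self, bound: int) -> None:
        # Write to a temporary file, force it to stable storage, then rename,
        # so the bound is not left only in the file system or disk cache.
        tmp = self.path + ".tmp"
        with open(tmp, "w") as fh:
            fh.write(str(bound))
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, self.path)
        dir_fd = os.open(os.path.dirname(os.path.abspath(self.path)), os.O_RDONLY)
        try:
            os.fsync(dir_fd)  # make the rename itself durable
        finally:
            os.close(dir_fd)

    def next_index(self) -> int:
        if self.next >= self.limit:
            # "write K_{N+R}" and wait for "ok" before using index N.
            self._persist(self.next + self.reserve)
            self.limit = self.next + self.reserve
        index = self.next  # indices N .. N+R-1 need no further writes
        self.next += 1
        return index
```

A restored backup or cloned copy of the state file still rewinds this counter; that is the unintended cloning issue the deck raises separately.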

Hierarchical Signatures and Reservation
[Diagram labels: Nonvolatile, Volatile]
§ Synchronization delay
§ Synchronization failure
§ Unintended cloning

Vulnerability: Unintended Cloning
[Diagram: the same state, 10110110, appears in several copies. Labels: Snapshot or Backup, Clone or Restore.]

Stateless Hash Based Signatures
§ Idea: avoid security issues with state management
§ Bernstein et al., SPHINCS: Practical Stateless Hash-Based Signatures, EUROCRYPT 2015
  § Large signatures (45 KB)
  § Large key generation time

Hybrid signatures
Hierarchical Signatures with Stateless Root, McGrew and Fluhrer, preprint, 2016.
§ Stateless N1-time signature method
§ Stateful N2-time signature method
§ N1 x N2 time signature method with no backup vulnerability

Draft standards
§ XMSS
  § Moving to RFC
  § Provably secure (though proof not applicable to draft)
    § Concrete security model, asymptotic analysis
§ HLMS
  § Evolving to meet emerging requirements
  § Provably secure (though proof incomplete)
    § Random oracle model
draft-mcgrew-hash-sigs
draft-huelsing-cfrg-hash-sig-xmss

Criteria and Comparison

| | HLMS | XMSS |
|---|---|---|
| Number of signatures | 2^40 | 2^40 |
| Signature size | 5727 B | 5603 B (98%) |
| Signature generation time | 1005 | 3015 (300%) |
| Allows hybrid | Yes | No |

Thank You