lms vs xmss comparison of stateful hash based signature
play

LMS vs XMSS: Comparison of Stateful Hash-Based Signature Schemes on - PowerPoint PPT Presentation

Feb 08, 2024 •95 likes •399 views

LMS vs XMSS: Comparison of Stateful Hash-Based Signature Schemes on ARM Cortex-M4 12th International Conference on Cryptology, Africacrypt 2020 Fabio Campos 1 Tim Kohlstadt 1 Steffen Reith 1 ottinger 2 Marc St July 19, 2020 1 RheinMain

  1. LMS vs XMSS: Comparison of Stateful Hash-Based Signature Schemes on ARM Cortex-M4 12th International Conference on Cryptology, Africacrypt 2020 Fabio Campos 1 Tim Kohlstadt 1 Steffen Reith 1 ottinger 2 Marc St¨ July 19, 2020 1 RheinMain University of Applied Sciences, Germany 2 Continental AG, Germany

  2. Motivation

  3. Assumptions Fig.1: Assumptions of schemes used in practice today. 2

  4. Quantum impact Fig.2: Due to Shor’s and Grover’s algorithm (and variants). 3

  5. The NIST PQC (not a) competition 1 • 2016: NIST calls for proposals for key encapsulation and digital signatures • 2017: 69 schemes accepted for the first round of evaluation • 01.2019: 26 schemes (9 digital signature) advance to round 2 • 08.2019: Second NIST PQC Standardization Conference • 2022-2024: NIST PQC standards 1 https://csrc.nist.gov/Projects/Post-Quantum-Cryptography 4

  6. Recommendation 2 for stateful hash-based signature schemes • NIST: ” ... NIST is proposing to supplement FIPS 186 by approving the use of two stateful hash-based signature schemes: the eXtended Merkle Signature Scheme (XMSS) and the Leighton-Micali Signature system (LMS) ... Stateful hash-based signature schemes are not suitable for general use since they require careful state management in order to ensure their security. ... An application that may fit this profile is firmware updates for constrained devices.” • We: ”So, let’s try it! 2 https://csrc.nist.gov/News/2019/ draft-sp-800-208-stateful-hash-based-sig-schemes 5

  7. Embedded PQC • pqm4 3 : Post-quantum crypto library for the ARM Cortex-M4 • STM32F4DISCOVERY-Board • ARM Cortex-M4 (recommended by NIST for PQC evaluation) • 32-bit, 192 KiB RAM, 168 MHz • ARMv7E-M • cheap ( < $30) • Challenge: Do LMS/XMSS even fit in limited RAM + Flash? 3 https://github.com/mupq/pqm4 6

  8. Background

  9. Many-time Signature Schemes Fig. Fig.3: Balanced binary tree (Merkle Tree) enables the use of a single public key (root of the tree) for verifying several messages. Grey nodes represents the one-time signatures. LMS and XMSS use variants of the Winternitz One-time Signature Scheme (WOTS). 7

  10. Construction

  11. Tweakable hash function Definition 1 : Let n , α ∈ N , P be the public parameters space, and T be the tweak space. A tweakable hash function is an efficient function Th : P × T × { 0 , 1 } α → { 0 , 1 } n , MD ← Th( P , T , M ) mapping an α -bit message M to an n-bit hash value MD using a public parameter P ∈ P , also called function key, and a tweak T ∈ T . 8

  12. LMS / prefix construction Construction 1 : Given a hash function H : { 0 , 1 } 2 n + α → { 0 , 1 } n , we construct Th with P = T = { 0 , 1 } n , as Th( P , T , M ) = H ( P || T || M ) . 9

  13. XMSS / prefix and bitmask construction Construction 2 : Given two hash functions H 1 : { 0 , 1 } 2 n × { 0 , 1 } α → { 0 , 1 } n with 2 n-bit keys, and H 2 : { 0 , 1 } 2 n → { 0 , 1 } α , we construct Th with P = T = { 0 , 1 } n , as Th( P , T , M ) = H 1 ( P || T , M ⊕ ) , with M ⊕ = M ⊕ H 2 ( P || T ) . 10

  14. XMSS / WOTS public key compression with L-trees Fig.4: Overview with L-trees and WOTS chains. Grey nodes are the private keys and the black nodes the public keys of the WOTS chains. The black node at the top is the public key. 11

  15. LMS / WOTS public key compression w/o L-trees Fig.5: Overview without L-trees. Grey nodes are the private keys and the black nodes the public keys of the WOTS chains. The black node at the top is the public key. 12

  16. Speeding up XMSS

  17. Hash pre-computation For a given key pair and a security parameter n , the first 2 n -bit block of the input to the pseudo-random function is the same for all calls. Fig.6: Hash pre-computation within Keccak - f [800] with a rate of 512 bits. 13

  18. Implemented variants of XMSS Based on the different constructions presented, we implemented and evaluated the following XMSS variants: bitmask-less hashing 4 design multi-tree tree-less WOTS pre-computation XMSS ROBUST XMSS SIMPLE x x x x x XMSS SIMPLE+PRE XMSS MT ROBUST x XMSS MT SIMPLE x x x XMSS MT SIMPLE+PRE x x x x 4 ≈ Construction 1: LMS / prefix construction 14

  19. Evaluation

  20. Setup • STM32F4DISCOVERY board • reference implementation of LMS 5 and XMSS 6 • based on pqm4 framework • optimised assembly implementations of: • Gimli-Hash • Keccak ( Keccak - p [800 , 22] and Keccak - p [800 , 12]) • SHAKE256, and • SHA-256 5 https://github.com/cisco/hash-sigs , commit 5efb1d0 6 https://github.com/joostrijneveld/xmss-reference , commit fb7e3f8 15

  21. Selected parameter sets 1/2 symbol meaning XMSS LMS n security parameter ≃ length of the hash digest (in bits) n n height of the tree or hypertree in a multi-tree variant h h h d number of Merkle Trees in the multi-tree variant d L 2 w Winternitz parameter w w ℓ number of Winternitz chains used in a single OTS operation len p 16

  22. Selected parameter sets 1/2 scheme n w h layer signature size (bits) LMS 256 16 5 1 2352 LMS 256 256 5 1 1296 LMS 256 16 10 1 2512 LMS 256 256 10 1 1456 XMSS 256 16 5 1 2340 XMSS 256 16 10 1 2500 HSS 256 16 10 2 4756 HSS 256 256 10 2 2644 XMSS MT 256 16 10 2 4642 HSS = multi-tree LMS (Hierarchical Signature System) XMSS MT = multi-tree XMSS 17

  23. Speedup in XMSS and XMSS MT exemplary with SHA-256 design w h layer key gen sign verify 16 5 1 738.46 747.85 13.84 XMSS ROBUST 16 5 1 243.25 247.72 3.20 XMSS SIMPLE speedup factor 3.03 3.01 4.32 16 5 1 237.27 241.02 3.73 XMSS SIMPLE+PRE speedup factor 3.11 3.10 3.71 16 10 1 23631.70 23642.03 13.07 XMSS ROBUST XMSS SIMPLE 16 10 1 7784.50 7788.56 3.67 speedup factor 3.03 3.03 3.56 16 10 1 7586.15 7589.49 4.20 XMSS SIMPLE+PRE speedup factor 3.11 3.11 3.11 XMSS MT ROBUST 16 10 2 738.43 1498.06 27.67 XMSS MT SIMPLE 16 10 2 243.49 494.55 7.77 speedup factor 3.03 3.03 3.56 XMSS MT SIMPLE+PRE 16 10 2 237.26 481.73 7.77 speedup factor 3.11 3.11 3.56 All results (apart from speedup) are given in 10 6 clock cycles. 18

  24. Performance comparison LMS vs XMSS ratio 7 ratio 8 ratio 9 LMS XMSS ROBUST XMSS SIMPLE XMSS SIMPLE+PRE key gen 3774.88 23631.70 6.26 7792.23 2.06 7586.15 2.01 sign 3791.15 23642.03 6.23 7796.39 2.05 7596.24 2.00 verify 2.65 13.07 4.93 3.57 1.34 4.20 1.58 All results for SHA-256, n = 256, w = 16, and h = 10 are given in 10 6 clock cycles. 7 XMSS ROBUST /LMS 8 XMSS SIMPLE /LMS 9 XMSS SIMPLE+PRE /LMS 19

  25. ? LMS = XMSS SIMPLE ratio 10 XMSS MT SIMPLE ratio 11 LMS XMSS SIMPLE HSS key gen 1105990 1100800 0.99 34566 34400 0.99 sign 2216417 2202194 0.99 112542 104371 0.93 verify 2217208 2202686 0.99 113493 105359 0.93 Number of hash operations for SHA-256, n = 256, and w = 16. 10 XMSS SIMPLE /LMS 11 XMSS MT SIMPLE /HSS 20

  26. Speed in clock cycles for XMSS and LMS for h = 5 design hash type w h d key gen sign verify Gimli-Hash 16 5 1 1048850892 1063994437 17850167 XMSS ROBUST Gimli-Hash 16 5 1 345097734 351135622 4843341 XMSS SIMPLE XMSS SIMPLE+PRE Gimli-Hash 16 5 1 35652023 341236863 4991976 LMS Gimli-Hash 16 5 1 210439959 226186258 4601931 Keccak - p [800, 22] 16 5 1 1162653236 1179847660 19384572 XMSS ROBUST Keccak - p [800, 22] 16 5 1 380333946 387149205 5183652 XMSS SIMPLE XMSS SIMPLE+PRE Keccak - p [800, 22] 16 5 1 369894358 375718141 5838576 LMS Keccak - p [800, 22] 16 5 1 180384764 193651049 4108963 Keccak - p [800, 12] 16 5 1 699127232 709176591 11945544 XMSS ROBUST Keccak - p [800, 12] 16 5 1 230594112 234234392 3625308 XMSS SIMPLE Keccak - p [800, 12] 16 5 1 225063121 228715963 3444956 XMSS SIMPLE+PRE LMS Keccak - p [800, 12] 16 5 1 106406966 114348011 2325050 SHAKE256 16 5 1 1569880839 1593969977 25282729 XMSS ROBUST XMSS SIMPLE SHAKE256 16 5 1 515089881 523679528 7643266 LMS SHAKE256 16 5 1 482690432 519083330 10541350 SHA-256 16 5 1 738461396 747855715 13842083 XMSS ROBUST SHA-256 16 5 1 243254582 247726301 3207473 XMSS SIMPLE XMSS SIMPLE+PRE SHA-256 16 5 1 237275019 241026688 3735483 LMS SHA-256 16 5 1 117988963 126516806 2576515 21

  27. Stack memory usage (bytes) for XMSS and LMS for h = 5 hash type 12 design w h layer key gen sign verify Gimli-Hash 16 5 1 3784 3832 3604 XMSS ROBUST XMSS SIMPLE Gimli-Hash 16 5 1 3712 3760 3556 Gimli-Hash 16 5 1 3728 3776 3572 XMSS SIMPLE+PRE LMS Gimli-Hash 16 5 1 3528 2240 876 Keccak - p [800, x ] 16 5 1 3896 3944 3720 XMSS ROBUST Keccak - p [800, x ] 16 5 1 3824 3872 3672 XMSS SIMPLE Keccak - p [800, x ] 16 5 1 3840 3888 3688 XMSS SIMPLE+PRE LMS Keccak - p [800, x ] 16 5 1 3644 2356 988 SHAKE256 16 5 1 4224 4272 4088 XMSS ROBUST SHAKE256 16 5 1 4176 4200 4024 XMSS SIMPLE LMS SHAKE256 16 5 1 3844 2532 1164 SHA-256 16 5 1 4032 4080 3912 XMSS ROBUST XMSS SIMPLE SHA-256 16 5 1 3984 4032 3832 SHA-256 16 5 1 3976 4016 3840 XMSS SIMPLE+PRE LMS SHA-256 16 5 1 3764 2460 1044 12 Results for Keccak valid for Keccak - p [800, 22] and Keccak - p [800, 12]. 22

  28. Conclusion

Recommend

Hash-based Signatures IETF/IRTF CFRG Draft on XMSS Fraunhofer Workshop Series 01 Post-Quantum

Hash-based Signatures IETF/IRTF CFRG Draft on XMSS Fraunhofer Workshop Series 01 Post-Quantum

Hash-based Signatures IETF/IRTF CFRG Draft on XMSS Fraunhofer Workshop Series 01 Post-Quantum Cryptography in Practice Speaker: Dr. Bernhard Jungk 1 eXtended Merkle Signature Scheme 2 eXtended Merkle Signature Scheme Why should we look

949 views • 39 slides
Analysis of a Proposed Hash- Based Signature Standard Jonathan Katz Motivation and background

Analysis of a Proposed Hash- Based Signature Standard Jonathan Katz Motivation and background

Analysis of a Proposed Hash- Based Signature Standard Jonathan Katz Motivation and background Recent interest in standardization of post- quantum public-key primitives For signature schemes, several proposals based on

383 views • 24 slides
Long-term secure signatures for the IoT Andreas Hlsing Hash-based Signature Schemes [Mer89]

Long-term secure signatures for the IoT Andreas Hlsing Hash-based Signature Schemes [Mer89]

Long-term secure signatures for the IoT Andreas Hlsing Hash-based Signature Schemes [Mer89] Long-term secure Only needs secure hash function Post-quantum Possibility of hash combiners IoT compatible? Only needs secure hash

285 views • 13 slides
Parallel-CFS Strengthening the CFS McEliece-Based Signature Scheme Matthieu Finiasz Digital

Parallel-CFS Strengthening the CFS McEliece-Based Signature Scheme Matthieu Finiasz Digital

Parallel-CFS Strengthening the CFS McEliece-Based Signature Scheme Matthieu Finiasz Digital Signatures The hash and sign paradigm m c slide 1/18 . Any public key encryption can be turned into a signature. Digital Signatures The hash and

759 views • 28 slides
Electronic Signature Electronic Signature El Electronic Signature t i Si t Digital

Electronic Signature Electronic Signature El Electronic Signature t i Si t Digital

Electronic Signature Electronic Signature El Electronic Signature t i Si t Digital Signature Digital Signature And Hash Function Biometric Signature Electronic Signature Act ROC, 2002/04/01,

299 views • 13 slides
Digital Signature And Hash Function

Digital Signature And Hash Function

Digital Signature And Hash Function 1 Electronic Signature Electronic Signature El Electronic Signature t i Si t Digital Signature Biometric Signature

894 views • 52 slides
Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse) Detection Intrusion Detection Host-based Network-based Boriana Ditcheva and Lisa Fowler Active/Passive University of North Carolina at

401 views • 12 slides
Stateful access control using LSM CS547 Thomas Uphill Stateful access cont rol using LSM 11

Stateful access control using LSM CS547 Thomas Uphill Stateful access cont rol using LSM 11

Stateful access control using LSM CS547 Thomas Uphill Stateful access cont rol using LSM 11 December 2007 1 Why? Maintaining state allows for decisions to be made based on runtime conditions. State based policy can be more concise

576 views • 18 slides
Chapter 6 Hash-Based Indexing Efficient Support for Equality Search Hash-Based Indexing Static

Chapter 6 Hash-Based Indexing Efficient Support for Equality Search Hash-Based Indexing Static

Hash-Based Indexing Torsten Grust Chapter 6 Hash-Based Indexing Efficient Support for Equality Search Hash-Based Indexing Static Hashing Hash Functions Architecture and Implementation of Database Systems Extendible Hashing Summer 2016

930 views • 39 slides
3-509

3-509

3-509 liuzhen@sjtu.edu.cn 1 Digital Signature Hash Function Message Authentication Code 2 Digital Signature There is an electronic document to be sent

738 views • 24 slides
Week 07 Lectures Signature-based Selection Indexing with Signatures 2/103 Signature-based

Week 07 Lectures Signature-based Selection Indexing with Signatures 2/103 Signature-based

Week 07 Lectures Signature-based Selection Indexing with Signatures 2/103 Signature-based indexing: designed for pmr queries (conjunction of equalities) does not try to achieve better than O(n) performance attempts to provide an

859 views • 27 slides
Session 3 Hash Function, Asymmetric Encryption and Signature Sbastien Combfis Fall 2019

Session 3 Hash Function, Asymmetric Encryption and Signature Sbastien Combfis Fall 2019

I5020 Computer Security Session 3 Hash Function, Asymmetric Encryption and Signature Sbastien Combfis Fall 2019 This work is licensed under a Creative Commons Attribution NonCommercial NoDerivatives 4.0 International License.

740 views • 53 slides
References Cryptographic Hash Functions Hash Functions, Chapter 11 of Understanding

References Cryptographic Hash Functions Hash Functions, Chapter 11 of Understanding

References Cryptographic Hash Functions Hash Functions, Chapter 11 of Understanding Cryptography by Paar &amp; Pelzl. &amp; Mathematical Cryptography , by Keijo Ruohonen, http://math.tut.fi/~ruohonen/MC.pdf , pages 9899. Signature

255 views • 10 slides
A New RSA-Based Signature Scheme Sven Sch age, J org Schwenk Horst G ortz Institute for

A New RSA-Based Signature Scheme Sven Sch age, J org Schwenk Horst G ortz Institute for

A New RSA-Based Signature Scheme Sven Sch age, J org Schwenk Horst G ortz Institute for IT-Security Africacrypt 2010 1 / 13 RSA-Based Signature Schemes Na ve RSA signature scheme not secure under the standard definition of

647 views • 51 slides
Hash-based Signatures Andreas Hlsing Eindhoven University of Technology Executive School on

Hash-based Signatures Andreas Hlsing Eindhoven University of Technology Executive School on

Hash-based Signatures Andreas Hlsing Eindhoven University of Technology Executive School on Post-Quantum Cryptography July 2019, TU Eindhoven Post-Quantum Signatures Lattice, MQ, Coding Signature and/or key sizes 2 y

1.22k views • 101 slides
Discharge uncertainty: sources and implications for hydrological analyses Signature 1 Signature

Discharge uncertainty: sources and implications for hydrological analyses Signature 1 Signature

Discharge uncertainty: sources and implications for hydrological analyses Signature 1 Signature 1 Signature 2 Signature 2 http://comm ons.wikime dia.org/wiki/ File:Piasnic a- Signature 3 Signature 3 wodowskaz -0.jpg Ida Westerberg 1,2

388 views • 19 slides
Complexity Attack Resistant Flow Lookup Schemes for IPv6: A Measurement Based Comparison David

Complexity Attack Resistant Flow Lookup Schemes for IPv6: A Measurement Based Comparison David

Complexity Attack Resistant Flow Lookup Schemes for IPv6: A Measurement Based Comparison David Malone and Josh Tobin. 2008-12-11 1 Hash Table Lookup scheme to avoid cost of searching full list. carrot zuchinni . . . . . . apricot apple

406 views • 16 slides
Hash Functions Hash Functions 1 Cryptographic Hash Function Crypto hash function h(x) must

Hash Functions Hash Functions 1 Cryptographic Hash Function Crypto hash function h(x) must

Hash Functions Hash Functions 1 Cryptographic Hash Function Crypto hash function h(x) must provide o Compression output length is small o Efficiency h(x) easy to compute for any x o One-way given a value y it is infeasible to find

465 views • 42 slides
Improved Fast Syndrome Based Cryptographic Hash Functions Matthieu Finiasz , Philippe Gaborit,

Improved Fast Syndrome Based Cryptographic Hash Functions Matthieu Finiasz , Philippe Gaborit,

ECRYPT Hash Workshop 2007 Improved Fast Syndrome Based Cryptographic Hash Functions Matthieu Finiasz , Philippe Gaborit, and Nicolas Sendrier The Original FSB Hash Function [Augot, Finiasz, Sendrier - Mycrypt 05] Based on the Merkle-Damg

303 views • 19 slides
New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs

New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs

Introduction New generic attacks HMAC-GOST key-recovery Conclusion New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs Asiacrypt 2013 1 / 22 . . . . . . . . . . . . . . . . . Gatan Leurent,

759 views • 52 slides
Comparison of the metabolomic signature of diabetes and the oral glucose tolerance test lvaro

Comparison of the metabolomic signature of diabetes and the oral glucose tolerance test lvaro

Comparison of the metabolomic signature of diabetes and the oral glucose tolerance test lvaro Gonzlez-Domnguez 1,2 , Alfonso Mara Lechuga-Sancho 1,2,3 , Ral Gonzlez- Domnguez 4,5* 1 Department of Pediatrics, Hospital Universitario

271 views • 11 slides
Distance to the Measure Offset Recon- struction Geometric inference for measures based on

Distance to the Measure Offset Recon- struction Geometric inference for measures based on

Distance to the Measure Zhengchao Wan DTM Distance to the Measure Offset Recon- struction Geometric inference for measures based on distance DTM functions signature The DTM-signature for a geometric comparison of Statistical test

557 views • 31 slides
Applying Hash-based Indexing in Text-based Information Retrieval Benno Stein and Martin Potthast

Applying Hash-based Indexing in Text-based Information Retrieval Benno Stein and Martin Potthast

Applying Hash-based Indexing in Text-based Information Retrieval Benno Stein and Martin Potthast Bauhaus University Weimar Web-Technology and Information Systems Introduction Hash-based Indexing Methods Comparative Study DIR07 Mar.

474 views • 21 slides
ratification and signature Signature vs ratification Signature formal expression of intent to

ratification and signature Signature vs ratification Signature formal expression of intent to

Steps and technical modalities to follow for the deposit of the instrument of ratification and signature Signature vs ratification Signature formal expression of intent to be bound, but no legal obligation yet: however, a State is

585 views • 10 slides

More recommend