State Management for Hash-Based Signatures
David McGrew, Panos Kampanakis, Scott Fluhrer, Stefan-Lukas Gazdag, Denis Butin, Johannes Buchmann
{mcgrew,pkampana,sfluhrer}@cisco.com
stefan-lukas_gazdag@genua.eu
{dbutin,buchmann}@cdc.informatik.tu-darmstadt.de
SSR 2016
What's so great about HBS?
● Well understood
● Post-quantum
● No further intractability assumptions other than cryptographic hash functions
● Minimal security requirements feasible
● Forward-secure constructions possible
12/06/16 2
Intro: Hash-Based Signatures
[Diagram: private key built from blocks of random data; each block is passed through f and hashed, the hash values form the public key; the signature is labelled with bits 0 1 0 1 0 1.]
Intro: Hash-Based Signatures
Statefulness
● The private key has to be updated
  – Any copy may reveal secrets
  – Interrupts may threaten consistency
  – The key is a critical resource
  – The data to be updated differs by implementation decisions (from a single index up to several tree nodes)
How about stateless schemes?
● SPHINCS (https://sphincs.cr.yp.to/)
  – Signature size ~ 41 KB
  – Slower signing times

Scheme    Sig Size (B)   Pub Key Size (B)
LMS       2828           100
XMSS      2820           68
HSS       8688           112
XMSS^MT   8392           68
SPHINCS   41k            1056
Similar parameter sets: total height of 30 for LMS and XMSS, total height of 60 for HSS, XMSS^MT and SPHINCS.

Definitely working for some use cases! But stateful schemes are sometimes still the better choice.
What's in line for standardization?
How can we cope with statefulness?
State Synchronization
● Synchronization delay affects performance
● Synchronization failure may occur
● Several copies may exist => special case of cloning
[Figure: The Linux Storage Stack Diagram, http://www.thomas-krenn.com/en/wiki/Linux_Storage_Stack_Diagram, created by Werner Fischer and Georg Schönberger. License: CC-BY-SA 3.0, see http://creativecommons.org/licenses/by-sa/3.0/]
A classic digital signature
Scheme = (Key Generation, Signing, Verification)
A stateful digital signature
Scheme = (Key Generation, Reservation, Signing, Verification)
Reservation
● Keys (pre-)generated in bulk
● Easy access management for the critical resource
● Key synchronization and read/write operations alleviated
● Use-case-specific key pool feasible
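An added illustration of the reservation step (example code written for this page, not from the talk or any of the standardized schemes): a batch of one-time leaf indices is committed to durable storage before any of them is used for signing, so a crash burns at most one unused batch but never reuses an index, and a store whose mark has gone backwards (snapshot restore, cloned disk) is refused. The dict-backed store, the HMAC stand-in for the one-time signature and all names are assumptions.

```python
import hashlib
import hmac


class ReservationError(Exception):
    pass


class HBSStateManager:
    """Hands out one-time leaf indices for a stateful HBS private key.

    store["reserved"] is the durable high-water mark: every index below it is
    treated as spent, whether or not it was actually used. A new reservation
    is written to the store BEFORE any index from it is used, so a crash costs
    at most one unused batch but can never cause index reuse.
    """

    def __init__(self, store, total_leaves, batch):
        self.store = store                      # dict standing in for fsync'd storage
        self.total = total_leaves
        self.batch = batch
        self.limit = store.get("reserved", 0)   # end of the current reservation
        self.next = self.limit                  # after restart, skip the whole old batch

    def reserve(self):
        if self.limit >= self.total:
            raise ReservationError("private key exhausted")
        new_limit = min(self.limit + self.batch, self.total)
        self.store["reserved"] = new_limit      # durable write comes first
        self.limit = new_limit

    def take_index(self):
        # A store whose mark is below what this instance already committed has
        # been rolled back or cloned (snapshot restore, replicated disk): refuse.
        if self.store.get("reserved", 0) < self.limit:
            raise ReservationError("state rollback detected, refusing to sign")
        if self.next >= self.limit:
            self.reserve()
        idx = self.next
        self.next += 1
        return idx


def sign(manager, leaf_secret, message):
    """Return (index, tag). The per-leaf HMAC is a placeholder for the real
    one-time signature; only the index bookkeeping is the point here."""
    idx = manager.take_index()
    key = hashlib.sha256(leaf_secret + idx.to_bytes(4, "big")).digest()
    return idx, hmac.new(key, message, hashlib.sha256).hexdigest()
```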
Hierarchical Signatures / Key Reservation
Hierarchical Signatures / Key Reservation
● Synchronization delay
● Synchronization failure
● Unintended cloning
  – Nonvolatile
  – Volatile
Hybrid Scheme and Reservation
Hybrid Scheme and Reservation
● Synchronization delay
● Synchronization failure
● Unintended cloning
  – Nonvolatile
  – Volatile
Hybrid Scheme and Reservation
● Synchronization delay
● Synchronization failure
● Unintended cloning
  – Nonvolatile: breaks so much more than HBS state:
    - Entropy pools and PRNGs
    - Deterministic IVs and nonces
    - Encryption counters
    - Digital signature seeds
    - One-Time Passwords (OTP)
    - TCP sequence numbers
    - ...
  – Volatile
Conclusion
● First official standards available soon
● Safe deployment / good performance feasible
● Future work: standardization document on HBS deployment
Any questions?
{mcgrew,pkampana,sfluhrer}@cisco.com
stefan-lukas_gazdag@genua.eu
{dbutin,buchmann}@cdc.informatik.tu-darmstadt.de