State Management for Hash-Based Signatures

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10074)


The unavoidable transition to post-quantum cryptography requires dependable quantum-safe digital signature schemes. Hash-based signatures are well-understood and promising candidates, and the object of current standardization efforts. In the scope of this standardization process, the most commonly raised concern is statefulness, due to the use of one-time signature schemes. While the theory of hash-based signatures is mature, a discussion of the system security issues arising from the concrete management of their state has been lacking. In this paper, we analyze state management in N-time hash-based signature schemes, considering both security and performance, and categorize the security issues that can occur due to state synchronization failures. We describe a state reservation strategy with nonvolatile storage, and show that it can be naturally realized in a hierarchical signature scheme. To protect against unintentional copying of the private key state, we consider a hybrid stateless/stateful scheme, which provides a graceful security degradation in the face of unintentional copying, at the cost of increased signature size. Compared to a completely stateless scheme, the hybrid approach realizes the essential benefits, with smaller signatures and faster signing.
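The state reservation idea in the abstract, as an added illustration that is not code from the paper: a signer that writes a reserved block of one-time-key indices to nonvolatile storage before using any of them survives a crash without handing out an index twice, whereas a signer that persists its counter only after signing does not. The NV store, the leaf count of 16 and the batch size of 4 are constructed assumptions; indices stand in for the one-time keys of an N-time scheme.

```python
# Constructed example, not the paper's code: NvStore stands in for nonvolatile
# storage that survives a crash; every other field is volatile.
TOTAL_LEAVES = 16  # N, number of one-time keys in the (assumed) tree
class NvStore:
    def __init__(self):
        self.data = {"next_unreserved": 0}

class ReservingSigner:
    """Reserves a block of `batch` indices in NV storage before using any of
    them; after a restart the unused part of the old block is abandoned."""
    def __init__(self, nv, batch=4):
        self.nv, self.batch = nv, batch
        self.cur = self.limit = nv.data["next_unreserved"]
    def next_index(self):
        if self.cur == self.limit:  # block used up: reserve the next one first
            if self.limit + self.batch > TOTAL_LEAVES:
                raise RuntimeError("key exhausted")
            self.limit = self.cur + self.batch
            self.nv.data["next_unreserved"] = self.limit  # written BEFORE signing
        self.cur += 1
        return self.cur - 1
    def persist(self):
        pass  # nothing to do: the reservation was already written

class LazySigner:
    """Broken variant: the counter reaches NV storage only after signing."""
    def __init__(self, nv):
        self.nv, self.cur = nv, nv.data["next_unreserved"]
    def next_index(self):
        self.cur += 1
        return self.cur - 1
    def persist(self):
        self.nv.data["next_unreserved"] = self.cur

def sign_crash_sign(cls, before, after):
    """Sign `before` times, crash right after the last one (its persist() is
    lost), restart from NV state alone, then sign `after` more times."""
    nv, used = NvStore(), []
    s = cls(nv)
    for i in range(before):
        used.append(s.next_index())
        if i < before - 1:
            s.persist()
    s = cls(nv)  # restart: only nv survived
    used += [s.next_index() for _ in range(after)]
    return used

def reused_indices(used):
    """An index handed out twice means a one-time key was used twice."""
    return sorted({i for i in used if used.count(i) > 1})
```

The reserving signer pays for its safety by abandoning the unused indices of the interrupted block, which is the performance side of the trade-off the abstract mentions.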


Keywords: Post-quantum cryptography, Hash-based signatures, Statefulness, System integration



Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  1. Cisco Systems, San Jose, USA
  2. genua GmbH, Munich, Germany
  3. TU Darmstadt, Darmstadt, Germany
