Abstract
The unavoidable transition to post-quantum cryptography requires dependable quantum-safe digital signature schemes. Hash-based signatures are well-understood and promising candidates, and the object of current standardization efforts. In the scope of this standardization process, the most commonly raised concern is statefulness, due to the use of one-time signature schemes. While the theory of hash-based signatures is mature, a discussion of the system security issues arising from the concrete management of their state has been lacking. In this paper, we analyze state management in N-time hash-based signature schemes, considering both security and performance, and categorize the security issues that can occur due to state synchronization failures. We describe a state reservation technique backed by nonvolatile storage, and show that it can be naturally realized in a hierarchical signature scheme. To protect against unintentional copying of the private key state, we consider a hybrid stateless/stateful scheme, which provides a graceful security degradation in the face of unintentional copying, at the cost of increased signature size. Compared to a completely stateless scheme, the hybrid approach realizes the essential benefits, with smaller signatures and faster signing.
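The following Python model is an added illustration of the state reservation idea described in the abstract; it is not code from the paper. It reserves a batch of one-time-key indices by writing the reservation boundary to (simulated) nonvolatile storage before any index is used, so a crash that loses volatile state skips indices rather than reusing them. All class and function names are illustrative, and no real signing is performed.

```python
# Added example, not code from the paper: a model of state reservation for
# an N-time hash-based signature key. The signer persists a reservation
# boundary to nonvolatile storage BEFORE it hands out one-time-key indices,
# so losing volatile state (a crash) can never lead to index reuse.

class NVStore:
    """Stand-in for nonvolatile storage holding the reservation boundary."""
    def __init__(self):
        self.next_unreserved = 0  # first index not yet reserved
        self.writes = 0           # number of (slow) nonvolatile writes

    def commit(self, end):
        self.next_unreserved = end
        self.writes += 1


class ReservingSigner:
    """Volatile signer state; reserves `batch` indices per NV write.
    In a two-level hierarchical scheme, batch = leaves of one bottom tree,
    so the persisted boundary is just the top-level tree's leaf index."""
    def __init__(self, store, capacity, batch):
        self.store, self.capacity, self.batch = store, capacity, batch
        self.next_index = store.next_unreserved   # resume past reservation
        self.reserved_end = store.next_unreserved

    def next_leaf(self):
        """Return the next never-used one-time-key index."""
        if self.next_index == self.reserved_end:
            end = min(self.reserved_end + self.batch, self.capacity)
            if end == self.reserved_end:
                raise RuntimeError("key exhausted: all N one-time keys used")
            self.store.commit(end)     # NV write happens before any use
            self.reserved_end = end
        idx = self.next_index
        self.next_index += 1
        return idx


def run_with_crash(capacity, batch, before, after):
    """Sign `before` times, lose volatile state, recover from NV storage,
    sign `after` times. Returns (indices before, indices after, NV writes)."""
    store = NVStore()
    signer = ReservingSigner(store, capacity, batch)
    first = [signer.next_leaf() for _ in range(before)]
    del signer                      # crash: only `store` survives
    recovered = ReservingSigner(store, capacity, batch)
    second = [recovered.next_leaf() for _ in range(after)]
    return first, second, store.writes
```

Calling `run_with_crash(16, 4, 6, 3)` uses indices 0 to 5, then 8 to 10 after recovery, with three nonvolatile writes instead of nine; indices 6 and 7 are sacrificed, which is the cost of crash safety without per-signature writes.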
Notes
1. This allows for forward-secure constructions when used with suitable schemes, e.g. the instantiations of XMSS with a forward-secure PRNG shown in [2]. An attacker who obtains the secret key on such a system is then unable to forge signatures under previously used keys. A compromised hash-based secret key is thus to be regarded as just as secure as any other signing key that an attacker gets access to.
2. The authentication path is the sequence of tree nodes that a verifier needs in order to recompute the path from a leaf to the root of the tree.
3. Recall that the Winternitz parameter is used as a trade-off setting for the underlying one-time signature scheme.
4. Note that either of these two levels could itself be a hierarchical signature scheme.
References
Bernstein, D.J., Hopwood, D., Hülsing, A., Lange, T., Niederhagen, R., Papachristodoulou, L., Schneider, M., Schwabe, P., Wilcox-O’Hearn, Z.: SPHINCS: practical stateless hash-based signatures. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 368–397. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46800-5_15
Buchmann, J., Dahmen, E., Hülsing, A.: XMSS - a practical forward secure signature scheme based on minimal security assumptions. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 117–129. Springer, Heidelberg (2011). doi:10.1007/978-3-642-25405-5_8
Buchmann, J., Dahmen, E., Klintsevich, E., Okeya, K., Vuillaume, C.: Merkle signatures with virtually unlimited signature capacity. In: Katz, J., Yung, M. (eds.) ACNS 2007. LNCS, vol. 4521, pp. 31–45. Springer, Heidelberg (2007). doi:10.1007/978-3-540-72738-5_3
Buchmann, J., Dahmen, E., Schneider, M.: Merkle tree traversal revisited. In: Buchmann, J., Ding, J. (eds.) PQCrypto 2008. LNCS, vol. 5299, pp. 63–78. Springer, Heidelberg (2008). doi:10.1007/978-3-540-88403-3_5
Buchmann, J., García, L.C.C., Dahmen, E., Döring, M., Klintsevich, E.: CMSS – an improved Merkle signature scheme. In: Barua, R., Lange, T. (eds.) INDOCRYPT 2006. LNCS, vol. 4329, pp. 349–363. Springer, Heidelberg (2006). doi:10.1007/11941378_25
Chen, L., Jordan, S., Liu, Y.K., Moody, D., Peralta, R., Perlner, R., Smith-Tone, D.: Report on Post-quantum cryptography (NISTIR 8105 Draft) (2016). http://csrc.nist.gov/publications/drafts/nistir-8105/nistir_8105_draft.pdf. Accessed 06 June 2016
Dods, C., Smart, N.P., Stam, M.: Hash based digital signature schemes. In: Smart, N.P. (ed.) Cryptography and Coding 2005. LNCS, vol. 3796, pp. 96–115. Springer, Heidelberg (2005). doi:10.1007/11586821_8
ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 10–18. Springer, Heidelberg (1985). doi:10.1007/3-540-39568-7_2
ETSI: White paper no. 8: quantum safe cryptography and security. An introduction, benefits, enablers and challenges (2015). http://www.etsi.org/images/files/ETSIWhitePapers/QuantumSafeWhitepaper.pdf. Accessed 06 June 2016
Everspaugh, A.C., Bose, B.: Virtual Machine Reset-Atomicity in Xen. Technical report, University of Wisconsin-Madison (2013). http://pages.cs.wisc.edu/~ace/reset-atomic/reset-paper.pdf. Accessed 06 June 2016
Garfinkel, T., Rosenblum, M.: When virtual is harder than real: security challenges in virtual machine based computing environments. In: Proceedings of HotOS 2005: 10th Workshop on Hot Topics in Operating Systems. USENIX Association (2005)
Goldreich, O.: Foundations of Cryptography. Basic Applications, vol. 2. Cambridge University Press, Cambridge (2004)
Hülsing, A.: W-OTS+ – shorter signatures for hash-based signature schemes. In: Youssef, A., Nitaj, A., Hassanien, A.E. (eds.) AFRICACRYPT 2013. LNCS, vol. 7918, pp. 173–188. Springer, Heidelberg (2013). doi:10.1007/978-3-642-38553-7_10
Hülsing, A., Butin, D., Gazdag, S., Mohaisen, A.: XMSS: Extended hash-based signatures (2016). https://datatracker.ietf.org/doc/draft-irtf-cfrg-xmss-hash-based-signatures/. Internet-Draft. Accessed 06 June 2016
Hülsing, A., Rausch, L., Buchmann, J.: Optimal parameters for XMSSMT. In: Cuzzocrea, A., Kittl, C., Simos, D.E., Weippl, E., Xu, L. (eds.) CD-ARES 2013. LNCS, vol. 8128, pp. 194–208. Springer, Heidelberg (2013). doi:10.1007/978-3-642-40588-4_14
Information assurance directorate at the National Security Agency: commercial national security algorithm suite (2015). https://www.iad.gov/iad/programs/iad-initiatives/cnsa-suite.cfm. Accessed 06 June 2016
Johnson, D., Menezes, A., Vanstone, S.: The elliptic curve digital signature algorithm (ECDSA). Int. J. Inf. Secur. 1(1), 36–63 (2001)
Knecht, M., Meier, W., Nicola, C.U.: A space- and time-efficient implementation of the Merkle tree traversal algorithm. CoRR abs/1409.4081 (2014)
Lamport, L.: Constructing digital signatures from a one way function. Technical report, SRI International Computer Science Laboratory (1979). http://research.microsoft.com/en-us/um/people/lamport/pubs/dig-sig.pdf. Accessed 06 June 2016
Leighton, T., Micali, S.: Large provably fast and secure digital signature schemes from secure hash functions. U.S. Patent 5,432,852 (1995)
McGrew, D., Curcio, M.: Hash-based signatures (2016). https://datatracker.ietf.org/doc/draft-mcgrew-hash-sigs/. Internet-Draft. Accessed 06 June 2016
Merkle, R.C.: A certified digital signature. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 218–238. Springer, Heidelberg (1990). doi:10.1007/0-387-34805-0_21
Monz, T., Nigg, D., Martinez, E.A., Brandl, M.F., Schindler, P., Rines, R., Wang, S.X., Chuang, I.L., Blatt, R.: Realization of a scalable Shor algorithm. Science 351(6277), 1068–1070 (2016)
Reyzin, L., Reyzin, N.: Better than BiBa: short one-time signatures with fast signing and verifying. In: Batten, L., Seberry, J. (eds.) ACISP 2002. LNCS, vol. 2384, pp. 144–153. Springer, Heidelberg (2002). doi:10.1007/3-540-45450-0_11
Ristenpart, T., Yilek, S.: When good randomness goes bad: virtual machine reset vulnerabilities and hedging deployed cryptography. In: Proceedings of the Network and Distributed System Security Symposium (NDSS). The Internet Society (2010)
Rivest, R., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21, 120–126 (1978)
Saeedi, K., Simmons, S., Salvail, J.Z., Dluhy, P., Riemann, H., Abrosimov, N.V., Becker, P., Pohl, H.J., Morton, J.J.L., Thewalt, M.L.W.: Room-temperature quantum bit storage exceeding 39 min using ionized donors in silicon-28. Science 342(6160), 830–833 (2013)
Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997)
© 2016 Springer International Publishing AG
McGrew, D., Kampanakis, P., Fluhrer, S., Gazdag, SL., Butin, D., Buchmann, J. (2016). State Management for Hash-Based Signatures. In: Chen, L., McGrew, D., Mitchell, C. (eds) Security Standardisation Research. SSR 2016. Lecture Notes in Computer Science(), vol 10074. Springer, Cham. https://doi.org/10.1007/978-3-319-49100-4_11
DOI: https://doi.org/10.1007/978-3-319-49100-4_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-49099-1
Online ISBN: 978-3-319-49100-4
eBook Packages: Computer Science (R0)