CFRG Hash-Based Signatures Update and Batch Message Signing
David McGrew, Scott Fluhrer, Michael Curcio, Panos Kampanakis
{mcgrew, sfluhrer, mcurcio, pkampana}@cisco.com
CFRG @ IETF 97, 11/13/16

HBS Quick Recap
• Good
  – Relies on only one security conjecture: given Y = SHA256(X), an attacker cannot find X (preimage resistance)
  – Can be post-quantum secure
• Bad
  – Big signatures, big key generation time
  – Stateful signing
• Standards development
  – CFRG, ETSI, NIST
Signature sizes and counts (build-up slide, final state):

                    One-Time Signatures    Merkle          Hierarchical Merkle
  Scheme            LMOTS                  LMS             HSS
  Signatures        1                      2^20            2^40
  Signature size    2144 bytes             2828 bytes      5727 bytes
Issues and Solutions for Private State Management for Hash Based Signatures, McGrew, Kampanakis, Fluhrer, Gazdag, Butin, Buchmann, to appear at Security Standardization Research (SSR) 2016. https://eprint.iacr.org/2016/357
Managing Private Key State
[Figure: storage layers Disk / File System Cache / Cache. Before signing message M with key K_N, the signer writes the next state K_N+1 down through the cache to disk and waits for the write to be acknowledged ("ok"); only then does it sign M with K_N.]
N-time Signatures with Reservation
[Figure: the signer writes K_N+R to disk and waits for "ok" once, then signs M_N with K_N, M_N+1 with K_N+1, M_N+2 with K_N+2, ... with no further disk write until the reservation of R keys is used up.]
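The reservation scheme on this slide, as an added example (not code from the draft or the hash-sigs repository): the next-leaf index is persisted with a reservation of R leaves ahead, so one durable write covers R signatures, and a restart resumes at the reservation mark, skipping any leaves that may have been used before the crash rather than risking reuse. The per-leaf key derivation and the "signature" (a SHA-256 tag) are stand-ins I chose to keep the index bookkeeping visible; N, R and the JSON state file are assumptions.

```python
import hashlib
import json
import os
import tempfile

# Added example, not code from draft-mcgrew-hash-sigs. The one-time
# signature is a stand-in (SHA-256 over the per-leaf key and the message);
# the point is how the leaf index is reserved on nonvolatile storage.

N = 16   # leaves available, i.e. 2^h one-time keys (assumption)
R = 4    # reservation size: one disk write per R signatures (assumption)


def leaf_key(seed, idx):
    # hypothetical per-leaf OTS private key derived from a seed
    return hashlib.sha256(seed + idx.to_bytes(4, "big")).digest()


class ReservingSigner:
    def __init__(self, seed, state_path, reservation=R):
        self.seed = seed
        self.state_path = state_path
        self.reservation = reservation
        self.writes = 0
        # nonvolatile: first index NOT yet reserved on disk
        self.reserved = self._read_state()
        # volatile: next index to sign with. After a crash everything below
        # the reservation mark must be assumed used, so we start there.
        self.next_idx = self.reserved

    def _read_state(self):
        if not os.path.exists(self.state_path):
            return 0
        with open(self.state_path) as f:
            return json.load(f)["reserved"]

    def _write_state(self, reserved):
        # write, fsync, then atomically rename: "ok" means durable before
        # any signature that depends on it is released
        tmp = self.state_path + ".tmp"
        with open(tmp, "w") as f:
            json.dump({"reserved": reserved}, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.state_path)
        self.reserved = reserved
        self.writes += 1

    def sign(self, msg):
        if self.next_idx >= N:
            raise RuntimeError("all one-time keys used")
        if self.next_idx >= self.reserved:
            # reservation exhausted: reserve R more leaves on disk first
            self._write_state(min(self.next_idx + self.reservation, N))
        idx = self.next_idx
        self.next_idx += 1
        tag = hashlib.sha256(leaf_key(self.seed, idx) + msg).hexdigest()
        return idx, tag


def demo(tmpdir):
    seed = b"constructed demo seed"
    path = os.path.join(tmpdir, "state.json")
    s = ReservingSigner(seed, path)
    used = [s.sign(b"m%d" % i)[0] for i in range(6)]   # leaves 0..5, 2 writes
    reserved_on_disk = s.reserved                       # 8: leaves 0..7 reserved
    # simulate a crash: the object is lost, only the state file survives
    s2 = ReservingSigner(seed, path)
    used.append(s2.sign(b"after restart")[0])           # resumes at 8; 6 and 7 are skipped
    return used, reserved_on_disk, s.writes


def run():
    with tempfile.TemporaryDirectory() as d:
        return demo(d)


if __name__ == "__main__":
    print(run())   # ([0, 1, 2, 3, 4, 5, 8], 8, 2)
```

The cost of the scheme is visible in the output: up to R-1 leaves are burned on every restart (here 6 and 7), which is the price of never reusing a one-time key without a disk write per signature.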
Hierarchical Signatures and Reservation
[Figure: a hierarchy with a nonvolatile level (state written to storage) above a volatile level (state kept only in memory).]
• Synchronization delay
• Synchronization failure
• Unintended cloning
Vulnerability: Unintended Cloning
[Figure: a signer's state (leaf index 1011 0110) is captured by a snapshot or backup; a clone or restore produces a second instance with the identical state 1011 0110, so both instances will sign with the same one-time key.]
Stateless Hash-Based Signatures
• Idea: avoid the security issues of state management
• Bernstein et al., SPHINCS: Practical Stateless Hash-Based Signatures, EUROCRYPT 2015
  – Huge signatures (45 KB)
  – Huge key generation time
Hybrid Signatures
• Stateless N1-time signature method (root)
• Stateful N2-time signature method (below the root)
• Combined: an (N1 x N2)-time signature method with no backup vulnerability, because the stateless root can sign a freshly generated stateful subtree whenever one is needed, so a restored backup does not force reuse of one-time keys
Hierarchical Signatures with Stateless Root, McGrew and Fluhrer, preprint, 2016.
draft-mcgrew-hash-sigs-05 History
• 00 - Originally based on Merkle's original work
• 03 - Used as basis of XMSS draft
• 04 - Evolved to use Leighton and Micali's 1995 patent
• 05 - Added volatile level requirement
     - Made it possible to use hybrid (stateless root)
     - Identifiers are now independent at each hierarchical level
     - Post-quantum secure parameters only
     - GitHub implementation
Comparison

XMSS: draft-huelsing-cfrg-hash-sig-xmss
• Moving to RFC
• Provably secure
  – Concrete security model, asymptotic analysis
• Cathedral

HSS/LMS: draft-mcgrew-hash-sigs
• Evolving to meet emerging requirements
• Provably secure (though proof incomplete)
  – Random oracle model
• (Optional) PRF generation of OTS private keys
• Bazaar
Criteria and Comparison

  Criterion                    HLMS      XMSS
  Number of signatures         2^40      (not given on slide)
  Signature size               5727 B    5603 B (98%)
  Signature generation time    1005      3015 (300%)
  Allows hybrid                Yes       No

(Percentages are XMSS relative to HLMS; the slide gives no unit for generation time.)
Parameter Choices

  Values                                                         Effect
  LMOTS_SHA256_N32_W1, LMOTS_SHA256_N32_W2,                      Signature size versus time
  LMOTS_SHA256_N32_W4, LMOTS_SHA256_N32_W8
  LMS_SHA256_M32_H5, LMS_SHA256_M32_H10,                         Number of signatures versus key generation time
  LMS_SHA256_M32_H15, LMS_SHA256_M32_H20
  HSS levels 2, 3, 4, 5, 6, 7, 8                                 Number of signatures versus signature size
Anti-Copying Token in Private Key Files
(slide code, made runnable under Python 3; H is taken to be SHA-256, as elsewhere in the deck)

    import hashlib
    import os
    import sys

    def H(data):
        return hashlib.sha256(data).digest()   # SHA-256, 32-byte output

    def check_string(path):
        # 32-byte token bound to the absolute path of the key file
        return H(os.path.abspath(path).encode())

    def verify_check_string(path, buffer):
        # a copy of the file at any other path fails this comparison
        if buffer[0:32] != check_string(path):
            print('error: file "' + path + '" has been copied')
            sys.exit(1)
        else:
            return buffer[32:]
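The "unintended cloning" failure from the earlier slide and the token above, together in one added example (my code, not the deck's or the hash-sigs repository's): a state file holding the next leaf index is snapshotted and restored at a second path. Without the token, both instances consume leaf 7, which is one-time-key reuse; with the token, the clone refuses to load. H is assumed to be SHA-256, and the file layout (H(absolute path) || 4-byte index) is my own, not a draft-mcgrew-hash-sigs format.

```python
import hashlib
import os
import shutil
import tempfile

# Added example, not code from the deck or the hash-sigs repository.
# State file layout (assumption): 32-byte path token || 4-byte next leaf index.


def check_string(path):
    # token bound to the absolute path; H assumed to be SHA-256
    return hashlib.sha256(os.path.abspath(path).encode()).digest()


def save_state(path, next_idx, bind=True):
    # bind=False writes an all-zero token: the unprotected, vulnerable layout
    token = check_string(path) if bind else b"\x00" * 32
    with open(path, "wb") as f:
        f.write(token + next_idx.to_bytes(4, "big"))


class CopiedStateError(Exception):
    pass


def load_state(path, check=True):
    with open(path, "rb") as f:
        buf = f.read()
    if check and buf[:32] != check_string(path):
        raise CopiedStateError('file "%s" has been copied' % path)
    return int.from_bytes(buf[32:36], "big")


def next_leaf(path, check=True):
    # consume one leaf: load the index, persist index+1, return the index used
    idx = load_state(path, check)
    save_state(path, idx + 1, bind=check)
    return idx


def cloning_scenario(tmpdir, protected):
    # constructed scenario: a signer's state is copied ("snapshot or backup")
    # to a second location ("clone or restore") and both instances sign
    orig = os.path.join(tmpdir, "orig", "key.state")
    clone = os.path.join(tmpdir, "clone", "key.state")
    os.makedirs(os.path.dirname(orig))
    os.makedirs(os.path.dirname(clone))
    save_state(orig, 7, bind=protected)
    shutil.copyfile(orig, clone)
    used_by_orig = next_leaf(orig, protected)
    try:
        used_by_clone = next_leaf(clone, protected)
    except CopiedStateError:
        used_by_clone = None   # the clone refused to sign
    return used_by_orig, used_by_clone


def run():
    with tempfile.TemporaryDirectory() as d:
        unprotected = cloning_scenario(os.path.join(d, "u"), protected=False)
        protected = cloning_scenario(os.path.join(d, "p"), protected=True)
    return unprotected, protected


if __name__ == "__main__":
    print(run())   # ((7, 7), (7, None)): key reuse without the token, refusal with it
```

The token only catches a copy that ends up at a different path. A VM snapshot restored in place has the same absolute path and passes the check, which is why the deck does not rely on the token alone but combines it with reservation and a volatile level.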
Implementation: https://github.com/davidmcgrew/hash-sigs
Example public key (draft-05 encoding, as printed by the implementation):

    ----------------------
    HSS public key
      levels-1      00000001
    ----------------------
    LMS public key
      LMS type      00000001    # LMS_SHA256_M32_H5
      LMOTS_type    00000004    # LMOTS_SHA256_N32_W8
      I             c0b0d7e50162265fd7c82025b21467ad
                    2619effdcc0f5ba240fd9c6efaefe593
                    6bd8e63c310b2df90560f55e31e1286e
                    cc4248825b31f8facdf7831254976
      K             1f834958e43c79737395b083617ebb86
                    c04699e91ef7c2474de48768ce2ea21c
    --------------------------------------------
Batch Signing
• Goal: make a lower N livable (fewer one-time keys consumed per signing operation)
• Idea for signing a batch of messages:
  – Compute a Merkle tree over the message hashes and sign its root with one OTS
  – Include the path siblings (the message's authentication path) with each message
Christopher J. Pavlovski, Colin Boyd, Efficient Batch Signature Generation Using Tree Structures, 1999. http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.30.3884
[Figure: without batching, eight one-time signatures OTS 1 ... OTS 8 are spent on eight messages Msg 1 ... Msg 8, one OTS per message.]
[Figure: with batching, four one-time signatures OTS 1 ... OTS 4 cover the same eight messages Msg 1 ... Msg 8; each OTS signs the root of a Merkle tree built over the hashes of the messages in its batch.]
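Batch signing as the last three slides describe it, as an added example (my code, not from the deck or the Pavlovski-Boyd paper): hash the messages, build a Merkle tree over the hashes, spend one one-time signature on the root, and hand each message its index and sibling path so every message verifies on its own. The one-time scheme is a minimal Lamport OTS over 256-bit digests, my stand-in for LMOTS; the domain-separation bytes for leaves and inner nodes and the duplicate-last-node rule for odd widths are my choices.

```python
import hashlib
import os

# Added example, not code from the deck. Lamport OTS stands in for LMOTS.


def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()


# --- minimal Lamport one-time signature ------------------------------------
def lamport_keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def lamport_sign(sk, digest):
    bits = int.from_bytes(digest, "big")
    return [sk[i][(bits >> (255 - i)) & 1] for i in range(256)]


def lamport_verify(pk, digest, sig):
    bits = int.from_bytes(digest, "big")
    return all(H(sig[i]) == pk[i][(bits >> (255 - i)) & 1] for i in range(256))


# --- Merkle tree over message hashes ---------------------------------------
def leaf_hash(msg):
    return H(b"\x00", msg)            # leaf/inner domain separation (assumption)


def node_hash(left, right):
    return H(b"\x01", left, right)


def pad(layer):
    # odd width: duplicate the last node so every node has a sibling
    return layer + [layer[-1]] if len(layer) % 2 else layer


def merkle_layers(leaves):
    layers = [leaves]
    while len(layers[-1]) > 1:
        cur = pad(layers[-1])
        layers.append([node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return layers


def auth_path(layers, index):
    path = []
    for layer in layers[:-1]:
        path.append(pad(layer)[index ^ 1])   # the sibling at this level
        index >>= 1
    return path


def root_from_path(leaf, index, path):
    node = leaf
    for sib in path:
        node = node_hash(node, sib) if index % 2 == 0 else node_hash(sib, node)
        index >>= 1
    return node


def batch_sign(sk, msgs):
    # ONE one-time signature covers the whole batch; each message gets
    # (its index, its sibling path, the shared root signature)
    layers = merkle_layers([leaf_hash(m) for m in msgs])
    root_sig = lamport_sign(sk, layers[-1][0])
    return [(i, auth_path(layers, i), root_sig) for i in range(len(msgs))]


def verify_one(pk, msg, sig):
    # verifies a single message with no knowledge of the other batch members
    index, path, root_sig = sig
    return lamport_verify(pk, root_from_path(leaf_hash(msg), index, path), root_sig)


def demo():
    msgs = [b"constructed message %d" % i for i in range(8)]   # sample batch
    sk, pk = lamport_keygen()
    sigs = batch_sign(sk, msgs)
    ok = all(verify_one(pk, m, s) for m, s in zip(msgs, sigs))
    forged = verify_one(pk, b"not in the batch", sigs[3])
    return ok, forged, len(sigs[0][1])   # (True, False, 3)


if __name__ == "__main__":
    print(demo())
```

Per message the extra cost is log2(batch size) sibling hashes (three 32-byte values for a batch of eight) while the expensive part, the OTS, is paid once per batch; the trade-off is latency, since no message in a batch can be released until the whole batch has been hashed and the root signed.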
EOF