Real-World Post-Quantum Digital Signatures

Transcription

1 Real-World Post-Quantum Digital Signatures Denis Butin 1, Stefan-Lukas Gazdag 2, and Johannes Buchmann 1 1 TU Darmstadt 2 genua mbh CSP Forum 2015, Brussels 1 / 14

2 Post-Quantum Digital Signatures 2 / 14

3 Post-Quantum Digital Signatures 1/2 Digital signatures ubiquitous: software update authentication, secure web browsing with HTTPS... Most commonly used digital signature schemes: RSA, DSA, ECDSA All rely on hardness of number-theoretic problems: integer factoring & discrete logarithm computation 3 / 14

4 Post-Quantum Digital Signatures 2/2 Development of quantum computing accelerating. NSA $80M Penetrating Hard Targets project (Snowden) Quantum computers would break RSA, DSA & ECDSA (Shor s algorithm, 1994) Different categories of post-quantum (quantum-safe) digital signature schemes have already been described theoretically Many kinds of post-quantum digital signatures: hash-based, code-based (McEliece), lattice-based (NTRU), multivariate (Rainbow) 4 / 14

5 1/2 Initial idea introduced by Merkle (1979), many improvements since (CMSS, GMSS, XMSS, XMSS MT... ). Very well understood security proofs. Minimal security requirement: secure hash function. 5 / 14

6 2/2 Use one-time signature (OTS) schemes such as Winternitz can only be used to sign once! Must keep track of key index. Use binary tree and secure hash function to combine many OTS key pairs into single structure MT version: multiple layers of binary hash trees Global public key is value at root of binary tree Advanced schemes like XMSS (2011) and XMSS MT reduce signature key size and allow up to 2 80 OTS key pairs 6 / 14

7 1/2 Lack of standardisation necessary for interoperability, canonical parameter sets, formats, increased expert scrutiny. Current commonly used digital signatures are all standardised. Unavailability in major cryptographic libraries ad hoc implementations are error-prone, impractical and costly 7 / 14

8 2/2 Lack of parameter selection recommendations. Obstacle made greater by large number of parameters in schemes like XMSS MT No notable real-world use lack of concrete examples and deployment experience 8 / 14

9 Cryptographic Library Integration (1/2) Stand-alone implementations of XMSS and XMSS MT already exist but are not integrated with libraries Libraries considered: OpenSSL (possibly variants) and Bouncy Castle Protocols being tackled: TLS (e.g. HTTPS), SSH (e.g. remote login), S/MIME ( authentication) 9 / 14

10 Cryptographic Library Integration (2/2) TLS and SSH in OpenSSL first core implementation, then protocol-level integration S/MIME in Bouncy Castle also two-step process. Simplified core implementation exists (GMSS). OpenSSL module will be used in real-world application by project partner genua 10 / 14

11 Standardisation 2014 IETF Internet-Draft by McGrew and Curcio supports plain Merkle signatures We recently proposed an Internet-Draft with Hülsing (TU Eindhoven) and Mohaisen (Verisign) supporting advanced hash-based signature schemes Provides starting point for future standardisation of stateless hash-based schemes like SPHINCS (no state handling issues, but performance impact) draft-huelsing-cfrg-hash-sig-xmss 11 / 14

12 Parameter Recommendations Digital signatures appear in use cases with very different requirements, e.g. signing frequency must be very fast for TLS/HTTPS, not so critical for software update authentication No one size fits all different variants (XMSS, XMSS MT ) optimal for different use cases Large number of parameter sets suggested in Internet-Draft. Too many? All scenarios covered? Feedback appreciated. 12 / 14

13 Post-quantum digital signature deployment necessary to counter quantum computing threat Hash-based signatures well understood by research community, practical use must be fostered Standardisation in progress currently IETF, more planned Use cases and parameter recommendations to be refined Crypto library integration and proof-of-concept deployment underway 13 / 14

14 Thank you Questions & feedback welcome! 14 / 14