Final Report Abstract

In this project, we made significant advances towards the real-world use of hash-based signature schemes. A major achievement of the project is the upcoming first RFC about post-quantum cryptography. This RFC fully describes XMSS and XMSSMT and will foster deployment by providing a standardised and detailed specification. The RFC will also further the standardisation of hash-based signatures beyond IETF. NIST has already announced that the standardisation of stateful hash-based signature schemes will be handled in direct coordination with IETF standardisation, and outside the ongoing NIST selection process for post-quantum cryptographic schemes. Our RFC therefore stands a significant chance to be recommended by NIST. These advances in standardisation also addressed the issue of parameter selection. We suggested both concrete parameter sets and specific hash functions, reducing confusion and risks for implementers. On the open-source implementation front, we have supported the widespread distribution of XMSS and XMSSMT by integrating both schemes in official Bouncy Castle releases. Beyond the stand-alone implementation of these schemes, they are now also part of Bouncy Castle’s BCPQC provider (a JCE compliant provider that is a wrapper built on top of the light-weight API), facilitating their use in the security protocols supported by Bouncy Castle. These implementations strictly follow the specification from the upcoming RFC. In terms of security, we have provided a detailed analysis of the side-channel resistance of XMSS, XMSSMT and SPHINCS. Our analysis both maps out potential risks, yields countermeasures for implementers and supports the progress of standardisation processes by showing that the specified versions of XMSS and XMSSMT are not vulnerable to differential power analysis attacks provided the pseudorandom number generator suggested by the Internet-Draft is selected. We also found that optimised authentication path computation (e.g., using the BDS algorithm) greatly decreases the side-channel leakage of XMSS because it minimises the accesses to the secret keys. Although this optimisation is deemed optional by the XMSS Internet-Draft, every implementation should use it.

Publications

• Hash-based Signatures: An Outline for a New Standard. NIST Workshop on Cybersecurity in a Post- Quantum World (2015)
  Hülsing, A., Gazdag, S.L., Butin, D., Buchmann, J.
  
• Real-World Post-Quantum Digital Signatures. In: Cleary, F., Felici, M. (eds.) Cyber Security and Privacy — 4th Cyber Security and Privacy Innovation Forum, CSP Innovation Forum 2015. Communications in Computer and Information Science, vol. 530, pp. 41–52. Springer (2015)
  Butin, D., Gazdag, S., Buchmann, J.A.
  (See online at https://doi.org/10.1007/978-3-319-25360-2_4)
• State Management for Hash-Based Signatures. In: Chen, L., McGrew, D.A., Mitchell, C.J. (eds.) Security Standardisation Research — Third International Conference, SSR 2016. Lecture Notes in Computer Science, vol. 10074, pp. 244–260. Springer (2016)
  McGrew, D.A., Kampanakis, P., Fluhrer, S.R., Gazdag, S.L., Butin, D., Buchmann, J.A.
  (See online at https://doi.org/10.1007/978-3-319-49100-4_11)
• "Post-quantum authentication in OpenSSL with hash-based signatures," 2017 Tenth International Conference on Mobile Computing and Ubiquitous Network (ICMU), 2017, pp. 1-6
  Butin, D., Wälde, J., Buchmann, J.A.
  (See online at https://doi.org/10.23919/ICMU.2017.8330093)
• Hash-based signatures: State of play. IEEE Security & Privacy 15(4), 37–43 (2017)
  Butin, D.
  (See online at https://doi.org/10.1109/MSP.2017.3151334)
• (2018) Differential Power Analysis of XMSS and SPHINCS. In: Fan J., Gierlichs B. (eds) Constructive Side-Channel Analysis and Secure Design. COSADE 2018. Lecture Notes in Computer Science, vol 10815. Springer, Cham. S. 168-188
  Kannwischer, M.J., Genêt, A., Butin, D., Krämer, J., Buchmann, J.A.