Recommendation for Stateful Hash-Based Signature Schemes

Cooper, David

doi:10.6028/nist.sp.800-208-draft

Cited by 9 publications

(7 citation statements)

References 12 publications

(49 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…All primitives we chose are NIST PQC round-3 finalists or alternate candidates, except for an instantiation of the stateful signature algorithm XMSS at NIST level 1 for signatures generated by CAs. XMSS is already defined in an RFC [55] and is being considered by NIST for a fast track to standardization [30]. The XMSS RFC only describes parameters matching NIST level 5 and higher, but the adaptation to a level-1 parameter set is rather straight-forward.…”

Section: Instantiation and Implementation 51 Choice Of Primitivesmentioning

confidence: 99%

“…We define XMSS MT s as an instantiation of XMSS MT using two trees of height 12 each, i.e., a total tree height of 24, which limits the maximum number of signatures per public key to 2 24 ≈ 16.7 M. Increasing this maximum number of signatures to, for example, 2 30 ≈ 1 billion increases signature size by only 96 bytes and has negligible impact on verification speed. It does have an impact on key-generation speed and signing latency, but as mentioned in Section 6.3, latency of signing is not very relevant when used by certificate authorities as in our paper.…”

Section: Xmss At Nist Security Levelmentioning

confidence: 99%

See 1 more Smart Citation

Post-Quantum TLS Without Handshake Signatures

Schwabe

Stebila

Wiggers

2020

Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

We present KEMTLS, an alternative to the TLS 1.3 handshake that uses key-encapsulation mechanisms (KEMs) instead of signatures for server authentication. Among existing post-quantum candidates, signature schemes generally have larger public key/signature sizes compared to the public key/ciphertext sizes of KEMs: by using an IND-CCA-secure KEM for server authentication in post-quantum TLS, we obtain multiple benefits. A size-optimized post-quantum instantiation of KEMTLS requires less than half the bandwidth of a size-optimized post-quantum instantiation of TLS 1.3. In a speedoptimized instantiation, KEMTLS reduces the amount of server CPU cycles by almost 90% compared to TLS 1.3, while at the same time reducing communication size, reducing the time until the client can start sending encrypted application data, and eliminating code for signatures from the server's trusted code base.

show abstract

Section: Instantiation and Implementation 51 Choice Of Primitivesmentioning

confidence: 99%

Section: Xmss At Nist Security Levelmentioning

confidence: 99%

Post-Quantum TLS Without Handshake Signatures

Schwabe

Stebila

Wiggers

2020

Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

show abstract

“…Furthermore, the GMSS key generation approach fits the construction to generate the forward-secure signature proposed in Cooper et al (2019). In consequence, we can extend the security of GMSS as follows: if GMSS is an unforgeable signature scheme and the function F used to generate the one-time keys is a secure PRF, then the GMSS is an unforgeable forward-secure signature scheme.…”

Section: • Security Commentsmentioning

confidence: 99%

Hash-based signature revisited

Wang

2022

Cybersecurity

View full text Add to dashboard Cite

The current development toward quantum attack has shocked our confidence on classical digital signature schemes. As one of the mainstreams of post quantum cryptography primitives, hash-based signature has attracted more and more concern in both cryptographic research and application in recent years. The goal of this paper is to present, classify and discuss different solutions for hash-based signature. Firstly, this paper discusses the research progress in the component of hash-based signature, i.e., one-time signature and few-time signature; then classifies the tree-based public key authentication schemes of hash-based signature into limited number and stateful schemes, unlimited number and stateful schemes and unlimited number and stateless schemes. The above discussion aims to analyze the overall design idea of different categories of hash-based signatures, as well as the construction, security reduction and performance efficiency of specific schemes. Finally, the perspectives and possible development directions of hash-based signature are briefly discussed.

show abstract

“…In order to use such one-time signature in practice several its modifications have been discussed. In particular, the W-OTS + scheme has received a sig-nificant attention in the view of standardization processes, in which one of the candidates is the XMSS signature that uses the W-OTS + [5].…”

Section: One-time and Many-time Hash-based Signaturesmentioning

confidence: 99%

“…Moreover, the overall performance of hashbased digital signatures makes them suitable for the practical use. Several many-time hash-based digital signatures schemes are under consideration for standardization by NIST [5] and IETF [6,7].…”

Section: Introductionmentioning

confidence: 99%

Security analysis of the W-OTS$^+$ signature scheme: Updating security bounds

Kudinov,

Kiktenko,

Fedorov

2020

Preprint

View full text Add to dashboard Cite

In this work, we discuss in detail a flaw in the original security proof of the W-OTS + variant of the Winternitz one-time signature scheme, which is an important component for various stateless and stateful many-time hash-based digital signature schemes. We update the security proof for the W-OTS + scheme and derive the corresponding security level. Our result is of importance for the security analysis of hash-based digital signature schemes.

show abstract

Recommendation for Stateful Hash-Based Signature Schemes

Cited by 9 publications

References 12 publications

Post-Quantum TLS Without Handshake Signatures

Post-Quantum TLS Without Handshake Signatures

Hash-based signature revisited

Security analysis of the W-OTS$^+$ signature scheme: Updating security bounds

Contact Info

Product

Resources

About