
Post-quantum Hash-Based Signatures for Secure Boot

Conference paper
Silicon Valley Cybersecurity Conference (SVCC 2020)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 1383)

Abstract

The potential development of large-scale quantum computers is raising concerns among IT and security research professionals because such machines could solve the (elliptic curve) discrete logarithm and integer factorization problems in polynomial time. All currently used public-key cryptographic algorithms would be deemed insecure in a post-quantum setting. In response, the United States National Institute of Standards and Technology has initiated a process to standardize quantum-resistant cryptographic algorithms, focusing primarily on their security guarantees. Additionally, the Internet Engineering Task Force has published two quantum-secure signature schemes and has been looking into adding quantum-resistant algorithms to protocols. In this work, we investigate two post-quantum hash-based signature schemes published by the Internet Engineering Task Force and submitted to the National Institute of Standards and Technology for use in secure boot. We evaluate various parameter sets for the use cases in question and we prove that post-quantum signatures would not have a material impact on image signing. We also study the hierarchical design of these signatures in different scenarios of hardware secure boot.



Acknowledgments

We would like to thank Scott Fluhrer for his LMS code, his optimizations and his valuable guidance and feedback. The authors would also like to thank Jason Moore and Jim Wesselkamper from Xilinx for their sample Xilinx design data points included in this work. The LMS FPGA logic measurements were based on code developed by Md Mahbub Alam, a Ph.D. Candidate at the University of Florida at the time. Thanks to Bruno Couillard and Jim Goodman from Crypto4A for the interesting discussions about HBS and their feedback. Finally, we would like to acknowledge Joost Rijneveld for his feedback and comments regarding SPHINCS+ parameters and the SPHINCS+ implementation and Dimitrios Sikeridis for his help with the experiments.

Author information

Correspondence to Panos Kampanakis, Peter Panburana, Michael Curcio or Chirag Shroff.


Copyright information

© 2021 Springer Nature Switzerland AG


Cite this paper

Kampanakis, P., Panburana, P., Curcio, M., Shroff, C. (2021). Post-quantum Hash-Based Signatures for Secure Boot. In: Park, Y., Jadav, D., Austin, T. (eds) Silicon Valley Cybersecurity Conference. SVCC 2020. Communications in Computer and Information Science, vol 1383. Springer, Cham. https://doi.org/10.1007/978-3-030-72725-3_5


  • DOI: https://doi.org/10.1007/978-3-030-72725-3_5


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-72724-6

  • Online ISBN: 978-3-030-72725-3
