Secure Signatures for IoT: Hash-Based Schemes and OTS Overview
Dive into long-term secure signatures for the IoT, exploring hash-based signature schemes, Lamport-Diffie OTS, one-time signatures, chain-based OTS, Merkle's signature scheme, and more. Discover fast signing algorithms, small keys, and sequential signature verification methods.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.
E N D
Presentation Transcript
Long-term secure signatures for the IoT Andreas H lsing
Hash-based Signature Schemes [Mer89] Long-term secure Only needs secure hash function Post-quantum Possibility of hash combiners IoT compatible? Only needs secure hash function
Lamport-Diffie OTS [Lam79] Message M = b1, ,bm, OWF H = n bit * SK sk1,0 sk1,1 skm,0 skm,1 H H H H H H PK pk1,0 pk1,1 pkm,0 pkm,1 bm b1 b2 Mux Mux Mux Sig sk1,b1 skm,bm 3-4-2025 PAGE 3
One-time signatures Can only be used once Basic building block Secret keys can be generated pseudorandomly WOTS+[Hue13] Shorter signatures Size-speed trade-off
Chain-based OTS H H H H H H H PK OTS OTS OTS OTS OTS OTS OTS SK
Chain-based OTS [NY89] Extremely fast signing via pebbeling Extremely fast verification of sequential signatures Small keys Small sigs (for sequential signatures) Extremely useful in combination with aggregator Stateful See e.g. Dahmen, Krauss. Short Hash-Based Signatures for Wireless Sensor Networks. CANS 2009.
Merkles signature scheme PK SIG = (i=2, , , , , ) H H H OTS H H H H H H H H H H H H OTS OTS OTS OTS OTS OTS OTS OTS SK 3-4-2025 PAGE 7
Merkles signature scheme Fast signing via tree traversal algorithms Extremely fast verification Small keys Medium size sigs Stateful Latest: XMSS-T (H lsing, Rijneveld, Song. Mitigating Multi-Target Attacks in Hash-based Signatures. PKC 16)
Multi-Tree XMSS [MMM02] Uses multiple layers of trees -> Key generation (= Building first tree on each layer) (2h) (d*2h/d) -> Allows to reduce worst-case signing times (h/2) (h/2d)
SPHINCS [BHH+15] Stateless Scheme XMSSMT + HORST + (pseudo-)random index Collision-resilient Deterministic signing SPHINCS-256: 128-bit post-quantum secure Hundrest of signatures / sec 41 kb signature 1 kb keys
Performance on small devices STM32L100C development board: Cortex M3, 32MHz, 32-bit architecture, 256KB Flash, 16KB RAM KeyGen Sign Verify XMSSMT 278.80s 0.61s 0.16s SPHINCS 0.88s 18.41s 0.51s Issue: SPHINCS sigs (41KB) don t fit single APDU
Future XMSS Internet Draft in IRSG poll At least two SPHINCS submissions for NIST Faster / smaller signatures Several works on dedicated hash functions (Haraka, Siempira)
Thank you! Questions? 3-4-2025 PAGE 13
