
Quantum-computer-resistant signature schemes for practical use

Subject area: Theoretical Computer Science
Funding: funded from 2014 to 2020
Project identifier: Deutsche Forschungsgemeinschaft (DFG) - project number 251300380
Year of report: 2018

Summary of project results

In this project, we made significant advances towards the real-world use of hash-based signature schemes. A major achievement of the project is the upcoming first RFC about post-quantum cryptography. This RFC fully describes XMSS and XMSSMT and will foster deployment by providing a standardised and detailed specification. The RFC will also further the standardisation of hash-based signatures beyond the IETF. NIST has already announced that the standardisation of stateful hash-based signature schemes will be handled in direct coordination with IETF standardisation, outside the ongoing NIST selection process for post-quantum cryptographic schemes. Our RFC therefore stands a significant chance of being recommended by NIST. These advances in standardisation also addressed the issue of parameter selection: we suggested both concrete parameter sets and specific hash functions, reducing confusion and risk for implementers.

On the open-source implementation front, we have supported the widespread distribution of XMSS and XMSSMT by integrating both schemes into official Bouncy Castle releases. Beyond the stand-alone implementation of these schemes, they are now also part of Bouncy Castle's BCPQC provider (a JCE-compliant provider that is a wrapper built on top of the lightweight API), facilitating their use in the security protocols supported by Bouncy Castle. These implementations strictly follow the specification from the upcoming RFC.

In terms of security, we have provided a detailed analysis of the side-channel resistance of XMSS, XMSSMT and SPHINCS. Our analysis maps out potential risks, yields countermeasures for implementers, and supports the progress of the standardisation processes by showing that the specified versions of XMSS and XMSSMT are not vulnerable to differential power analysis attacks, provided the pseudorandom number generator suggested by the Internet-Draft is selected.

We also found that optimised authentication path computation (e.g., using the BDS algorithm) greatly decreases the side-channel leakage of XMSS because it minimises the accesses to the secret keys. Although this optimisation is deemed optional by the XMSS Internet-Draft, every implementation should use it.
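To make the last point concrete, here is an added toy example (not code from the project, Bouncy Castle or the RFC) that counts how often a stateful Merkle-tree signer touches its secret seed when the authentication path is recomputed from the secrets for every signature versus when tree nodes are computed once and kept. The full-tree cache is a simplified stand-in for the bounded-storage BDS traversal, the one-time signature itself is omitted, and the tree height, seed and hash construction are constructed for illustration.

```python
import hashlib


def leaf_secret(seed, i):
    """Derive the i-th one-time secret key from the seed (stand-in for a WOTS+ key)."""
    return hashlib.sha256(b"sk" + seed + i.to_bytes(4, "big")).digest()


def node_hash(left, right):
    return hashlib.sha256(left + right).digest()


class ToyMerkleSigner:
    """Stateful Merkle-tree signer. strategy="naive" rederives every leaf from the seed
    for each signature; strategy="cached" computes all nodes once at key generation,
    a simplified stand-in for the BDS algorithm (which keeps only O(height) nodes)."""

    def __init__(self, seed, height, strategy="cached"):
        self.seed, self.height, self.n = seed, height, 1 << height
        self.next_index = 0         # the state: index of the next unused one-time key
        self.secret_accesses = 0    # how often the secret seed is touched
        levels = self._build_tree()
        self.cache = levels if strategy == "cached" else None
        self.root = levels[-1][0]   # the public key

    def _secret(self, i):
        self.secret_accesses += 1
        return leaf_secret(self.seed, i)

    def _build_tree(self):
        # leaf i is the hash of its one-time public key; here that public key is just H(sk_i)
        levels = [[hashlib.sha256(b"pk" + self._secret(i)).digest() for i in range(self.n)]]
        while len(levels[-1]) > 1:
            prev = levels[-1]
            levels.append([node_hash(prev[j], prev[j + 1]) for j in range(0, len(prev), 2)])
        return levels

    def sign(self):
        i = self.next_index
        if i >= self.n:
            raise RuntimeError("all one-time keys used")
        self.next_index += 1        # advance the state before anything leaves the signer
        ots_sk = self._secret(i)    # needed for the one-time signature (not shown here)
        levels = self.cache if self.cache is not None else self._build_tree()
        auth = [levels[h][(i >> h) ^ 1] for h in range(self.height)]   # sibling per level
        return i, levels[0][i], auth


def verify_path(root, i, leaf, auth):
    """Recompute the root from leaf i and its authentication path."""
    node = leaf
    for h, sibling in enumerate(auth):
        node = node_hash(sibling, node) if (i >> h) & 1 else node_hash(node, sibling)
    return node == root
```

With height 3 the naive signer touches the seed 9 times per signature (8 leaves plus the signing key), the cached one exactly once.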
