Abstract

This work presents new speed records for XMSS (RFC 8391) signature verification on embedded devices. For this we make use of a probabilistic method recently proposed by Perin, Zambonin, Martins, Custódio, and Martina (PZMCM) at ISCC 2018, which changes the XMSS signing algorithm to search for rapidly verifiable signatures. We improve the method, ensuring that the added signing cost for the search is independent of the message length. We provide a statistical analysis of the resulting verification speed and support it by experiments. We present a record-setting, RFC-compatible implementation of XMSS verification on the ARM Cortex-M4. At a signing time of about one minute on a general-purpose CPU, we create signatures that are verified about 1.44 times faster than traditionally generated signatures. Adding further well-known implementation optimizations to the verification algorithm, we reduce verification time by more than a factor of two, from 13.85 million to 6.56 million cycles. In contrast to previous works, we provide a detailed security analysis of the resulting signature scheme under classical and quantum attacks that justifies our selection of parameters. On the way, we fill a gap in the security analysis of XMSS as described in RFC 8391, proving that the modified message hashing in the RFC does indeed mitigate multi-target attacks. This was not shown before and might be of independent interest.

Highlights

  • Digital signatures are the necessary means to establish message authentication in settings where establishing a shared key is not a viable option

  • With the rise of the Internet of Things (IoT), digital signatures have to be available on resource-constrained devices

  • In this work we focus on XMSS, but we expect the results to translate to other schemes, especially LMS, with little to no changes since the results are independent of how nodes in the one-time signature schemes (OTS) or the tree are computed


Summary

Introduction

Digital signatures are the necessary means to establish message authentication in settings where establishing a shared key is not a viable option.

The aim of [CKRS20] differs from our work, as it targets a comparison of XMSS and LMS on embedded devices. In this context the authors analyze the impact of applying changes to the hashing constructions recently proposed in [BHK+19] in the context of SPHINCS+.

For a received message and signature, the verifier can recompute the checksum, derive the chain lengths, apply F iteratively to complete each chain to its full length w, and compute a candidate WOTS+ public key. This can be compared to the n-bit public key
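The verification step just described is where the speed-up comes from: the verifier's work is the number of F evaluations needed to complete all chains, and that number depends only on the base-w digits of the digest and their checksum. The following is an added toy example (not code from the paper or from any RFC 8391 implementation) that computes that cost, runs a simplified WOTS+ sign/verify, and shows a signer searching a counter for a cheaper-to-verify digest. Assumptions: n = 32, w = 16, a keyless SHA-256 chaining function standing in for the RFC's keyed F, and a hash-once-then-vary-a-counter construction that only approximates the paper's index-and-counter hashing.

```python
import hashlib

# Toy WOTS+ parameters (assumption: n = 32 bytes, w = 16); F below omits the
# per-step keys and bitmasks of the real scheme, which do not change the cost count.
N, W, LOG_W = 32, 16, 4
L1 = (8 * N) // LOG_W   # 64 message digits
L2 = 3                  # checksum digits for this (n, w), as in RFC 8391
L = L1 + L2

def base_w(data: bytes, count: int) -> list:
    """Split data into count base-16 digits, most significant nibble first."""
    return [d for b in data for d in (b >> 4, b & 0xF)][:count]

def checksum_digits(msg_digits: list) -> list:
    """RFC 8391 checksum: sum of (w-1-d), left-shifted to fill whole bytes."""
    csum = sum(W - 1 - d for d in msg_digits)
    csum <<= (8 - ((L2 * LOG_W) % 8)) % 8
    return base_w(csum.to_bytes((L2 * LOG_W + 7) // 8, "big"), L2)

def all_digits(digest: bytes) -> list:
    d = base_w(digest, L1)
    return d + checksum_digits(d)

def verify_cost(digest: bytes) -> int:
    """F evaluations the verifier spends completing every chain to length w-1."""
    return sum(W - 1 - d for d in all_digits(digest))

def chain(x: bytes, start: int, steps: int) -> bytes:
    for i in range(start, start + steps):          # toy F, indexed by chain position
        x = hashlib.sha256(b"F" + bytes([i]) + x).digest()
    return x

def keygen(seed: bytes):
    sk = [hashlib.sha256(seed + bytes([i])).digest() for i in range(L)]
    return sk, [chain(s, 0, W - 1) for s in sk]

def sign(sk: list, digest: bytes) -> list:
    return [chain(sk[i], 0, d) for i, d in enumerate(all_digits(digest))]

def verify(pk: list, digest: bytes, sig: list) -> bool:
    return all(chain(sig[i], d, W - 1 - d) == pk[i]
               for i, d in enumerate(all_digits(digest)))

def search_digest(msg: bytes, tries: int):
    """Hash msg once, vary only a 4-byte counter (assumed construction), and keep
    the digest that is cheapest to verify; returns (counter, cost, digest)."""
    m = hashlib.sha256(msg).digest()
    best = None
    for ctr in range(tries):
        d = hashlib.sha256(m + ctr.to_bytes(4, "big")).digest()
        c = verify_cost(d)
        if best is None or c < best[1]:
            best = (ctr, c, d)
    return best
```

Because the message is hashed once and only the short counter block is rehashed per try, the search cost does not grow with the message length, which is the property the abstract highlights.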

PZMCM Winternitz tuning
Tuning XMSS signatures
Security
Hashing with M-eTCR-Hash
Hashing with index and counter
Analysis
Message chain length analysis
Chain lengths checksum
Experimental verification
Benchmark Results
A Simple Key Evolving Signature Schemes
C Additional Experimental Results

