Publications

Featured research published by Denis Butin.


International Conference on Research in Security Standardisation | 2016

State Management for Hash-Based Signatures

David A. McGrew; Panos Kampanakis; Scott R. Fluhrer; Stefan-Lukas Gazdag; Denis Butin; Johannes A. Buchmann

The unavoidable transition to post-quantum cryptography requires dependable quantum-safe digital signature schemes. Hash-based signatures are well-understood and promising candidates, and the object of current standardization efforts. In the scope of this standardization process, the most commonly raised concern is statefulness, due to the use of one-time signature schemes. While the theory of hash-based signatures is mature, a discussion of the system security issues arising from the concrete management of their state has been lacking. In this paper, we analyze state management in N-time hash-based signature schemes, considering both security and performance, and categorize the security issues that can occur due to state synchronization failures. We describe a state reservation and nonvolatile storage, and show that it can be naturally realized in a hierarchical signature scheme. To protect against unintentional copying of the private key state, we consider a hybrid stateless/stateful scheme, which provides a graceful security degradation in the face of unintentional copying, at the cost of increased signature size. Compared to a completely stateless scheme, the hybrid approach realizes the essential benefits, with smaller signatures and faster signing.


IEEE Symposium on Security and Privacy | 2017

Hash-Based Signatures: State of Play

Denis Butin

Quantum computers haven’t yet arrived, but a history of inertia in the wide-scale adoption of new cryptographic schemes means that standardization of postquantum signature schemes—particularly hash-based ones—is both timely and urgent.


2015 IEEE/ACM 1st International Workshop on TEchnical and LEgal aspects of data pRivacy and SEcurity | 2015

A guide to end-to-end privacy accountability

Denis Butin; Daniel Le Métayer

Accountability is considered a tenet of privacy management, yet implementing it effectively is no easy task. It requires a systematic approach with an overarching impact on the design and operation of IT systems. This article, which results from a multidisciplinary project involving lawyers, industry players and computer scientists, presents guidelines for the implementation of consistent sets of accountability measures in organisations. It is based on a systematic analysis of the Draft General Data Protection Regulation. We follow a systematic approach covering the whole life cycle of personal data and considering the three levels of privacy proposed by Bennett, namely accountability of policy, accountability of procedures and accountability of practice.


International Workshop on Constructive Side-Channel Analysis and Secure Design | 2018

Differential Power Analysis of XMSS and SPHINCS

Matthias J. Kannwischer; Aymeric Genêt; Denis Butin; Juliane Krämer; Johannes A. Buchmann

Quantum computing threatens conventional public-key cryptography. In response, standards bodies such as NIST increasingly focus on post-quantum cryptography. In particular, hash-based signature schemes are notable candidates for deployment. No rigorous side-channel analysis of hash-based signature schemes has been conducted so far. This work bridges this gap. We analyse the stateful hash-based signature schemes XMSS and XMSS^MT, which are currently undergoing standardisation at IETF, as well as SPHINCS—the only practical stateless hash-based scheme. While timing and simple power analysis attacks are unpromising, we show that the differential power analysis resistance of XMSS can be reduced to the differential power analysis resistance of the underlying pseudorandom number generator. This first systematic analysis helps to further increase confidence in XMSS, supporting current standardisation efforts. Furthermore, we show that at least a 32-bit chunk of the SPHINCS secret key can be recovered using a differential power analysis attack due to its stateless construction. We present novel differential power analyses on a SHA-2-based pseudorandom number generator for XMSS and a BLAKE-256-based pseudorandom function for SPHINCS-256 in the Hamming weight model. The first attack is not threatening current versions of XMSS, unless a customised pseudorandom number generator is used. The second one compromises the security of a hardware implementation of SPHINCS-256. Our analysis is supported by a power simulator implementation of SHA-2 for XMSS and a hardware implementation of BLAKE for SPHINCS. We also provide recommendations for XMSS implementers.


International Conference on Information Security | 2018

Function-Dependent Commitments for Verifiable Multi-party Computation

Lucas Schabhüser; Denis Butin; Denise Demirel; Johannes A. Buchmann

In cloud computing, delegated computing raises the security issue of guaranteeing data authenticity during a remote computation. Existing solutions do not simultaneously provide fast correctness verification, strong security properties, and information-theoretic confidentiality. We introduce a novel approach, in the form of function-dependent commitments, that combines these strengths. We also provide an instantiation of function-dependent commitments for linear functions that is unconditionally, i.e. information-theoretically, hiding and relies on standard hardness assumptions. This powerful construction can for instance be used to build verifiable computing schemes providing information-theoretic confidentiality. As an example, we introduce a verifiable multi-party computation scheme for shared data providing public verifiability and unconditional privacy towards the servers and parties verifying the correctness of the result. Our scheme can be used to perform verifiable computations on secret shares while requiring only a single party to compute the audit data for verification. Furthermore, our verification procedure is asymptotically even more efficient than performing operations locally on the shared data. Thus, our solution improves the state of the art for authenticated computing, verifiable computing and multi-party computation.


Information Security Practice and Experience | 2018

CHQS: Publicly Verifiable Homomorphic Signatures Beyond the Linear Case

Lucas Schabhüser; Denis Butin; Johannes A. Buchmann

Sensitive data is often outsourced to cloud servers, with the server performing computation on the data. Computational correctness must be efficiently verifiable by a third party while the input data remains confidential. We introduce CHQS, a homomorphic signature scheme from bilinear groups fulfilling these requirements. CHQS is the first such scheme to be both context hiding and publicly verifiable for arithmetic circuits of degree 2. It also achieves amortized efficiency: after a precomputation, verification can be faster than the circuit evaluation itself.


International Workshop on Security | 2016

Formal Policy-Based Provenance Audit

Denis Butin; Denise Demirel; Johannes A. Buchmann

Data processing within large organisations is often complex, impeding both the traceability of data and the compliance of processing with usage policies. The chronology of the ownership, custody, or location of data—its provenance—provides the necessary information to restore traceability. However, to be of practical use, provenance records should include sufficient expressiveness by design with a posteriori analysis in mind, e.g. the verification of their compliance with usage policies. Additionally, they ought to be combined with systematic reasoning about their correctness. In this paper, we introduce a formal framework for policy-based provenance audit. We show how it can be used to demonstrate correctness, consistency, and compliance of provenance records with machine-readable usage policies. We also analyse the suitability of our framework for the special case of privacy protection. A formalised perspective on provenance is also useful in this area, but it must be integrated into a larger accountability process involving data protection authorities to be effective. The practical applicability of our approach is demonstrated using a provenance record involving medical data and corresponding privacy policies with personal data protection as a goal.


Privacy Forum | 2015

Formal Accountability for Biometric Surveillance: A Case Study

Vinh Thong Ta; Denis Butin; Daniel Le Métayer

Surveillance, especially using biometric systems, threatens the privacy of individuals. Accountability is an established approach to supporting privacy in general, but it must follow a rigorous process and involve close scrutiny of actual data handling practice to be effective. In this paper, we consider a specific, real-world biometric surveillance system, based on camcorders and bodyprint identification. We show how formalisation can be used to achieve the required level of rigour and exemplify how our formal approach to accountability — in the sense of verifiable compliance with personal data handling policies — supports the privacy of individuals monitored by the system. The formal accountability framework is general enough to be reusable in other settings.


Privacy Forum | 2015

Real-World Post-Quantum Digital Signatures

Denis Butin; Stefan-Lukas Gazdag; Johannes A. Buchmann

Digital signatures are ubiquitous in modern security infrastructures. Their lack of diversity in industrial settings makes most contemporary systems susceptible to quantum computer-aided attacks. Alternatives exist, among which a family of well-understood schemes with minimal security requirements: hash-based signatures. In addition to being quantum-safe, hash-based signatures are modular, providing long-term security. They are not yet being used in practice. We discuss the reasons for this gap between theory and practice and outline a strategy to bridge it. We then detail our work to realise the described plan.


Computer Law & Security Review | 2015

Body-worn cameras for police accountability: Opportunities and risks

Fanny Coudert; Denis Butin; Daniel Le Métayer

Collaboration

Top co-authors of Denis Butin and their affiliations:

- Johannes A. Buchmann (Technische Universität Darmstadt)
- Lucas Schabhüser (Technische Universität Darmstadt)
- Denise Demirel (Technische Universität Darmstadt)
- Fanny Coudert (Katholieke Universiteit Leuven)
- Aymeric Genêt (École Polytechnique Fédérale de Lausanne)
- Juliane Krämer (Technische Universität Darmstadt)
- Vinh Thong Ta (University of Central Lancashire)
- Florian Göpfert (Technische Universität Darmstadt)