Kagermeier, T. (2020):
Practicability of XMSS on JavaCards
Advancements in the field of quantum computing pose a threat to cryptographic systems used today. As a result, alternatives for all kinds of cryptographic algorithms need to be found, with digital signatures being one of them. However, with the transition to quantum-secure signature schemes a number of challenges arise. The increased computational effort necessary for signature generation and the associated key sizes are especially problematic when executed on devices with limited resources like SmartCards. Since they are a crucial building block in modern security systems, it is important to bring quantum-secure schemes onto them. A special kind of SmartCard are JavaCards. While not being able to provide the same level of performance as native cards programmed in C or Assembler, the usage of the Java Virtual Machine allows applications to run manufacturer and hardware independent. This can be an important factor when it comes to widespread distribution of a new quantum-secure signature scheme.
A promising candidate regarding quantum-secure signature algorithms is XMSS. This hash based scheme solely relies on the security of the underlying hash function. However it comes with a high computational cost of repeated hash function evaluations. The goal of this thesis is to implement this scheme on a JavaCard and analyze its real-world practicability. The implementation uses the BDS tree traversal algorithm, providing a trade-off between memory usage and runtimes. By decoupling the computationally most expensive part of XMSS into an independent subroutine, operations necessary for the creation of signatures are minimized. The provided API allows signature generation with minimal communication between SmartCard and host. A parameter set optimized for fast runtimes is found and the resulting measurements are compared to requirements derived from possible use-cases.
The results show that real-world applicability can only be achieved to a limited degree with runtimes significantly longer than the ones of conventional signature algorithms.