Replies: 3 comments
- Some relevant background & references:
- wolfBoot supports LMS/HSS and XMSS/XMSS^MT. Could be a helpful reference.
MCUboot supports two general types of signature algorithms: those based on RSA, and those based on elliptic curves. There is some research suggesting that Shor's algorithm may be implementable on a quantum annealing computer rather than needing a general-purpose quantum computer. Since these devices are already available in configurations with thousands of bits, it is not unreasonable to assume that at least RSA, and possibly EC-based cryptographic algorithms, will be broken in a timeframe of possibly tens of years.
The IETF SUIT working group, as well as the Mbed TLS project, are both considering implementations of signature algorithms that will not be susceptible to breaks by advances in quantum computing. SUIT is even considering making the implementation of a quantum-safe signature algorithm (likely HSS-LMS) mandatory, meaning any SUIT-compliant implementation must support this signature algorithm in addition to any other algorithms it supports. Fortunately, the signature verification aspect of HSS-LMS is a fairly small amount of code, and mostly consists of multiple invocations of an underlying hash function (which we already need).
I wanted to place this discussion here as a placeholder for us to discuss the impact of these algorithms on MCUboot. It would be possible to implement HSS-LMS in MCUboot (it would be a fairly small amount of boot code, and a little more substantial code in imgtool and the sim). Aside from some differences in terms of signature sizes (there is a tradeoff between signature size and verification time), the most significant difference with HSS-LMS is that the private key must keep track of state. A given private key is only able to sign a fixed number of images. Most importantly, if a given state is used to sign more than one image, all security is lost, and an attacker would be able to then sign arbitrary images.
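The three properties the opening post attributes to HSS-LMS (verification is only hash calls, the private key carries state that limits it to a fixed number of signatures, and reusing one state lets an attacker forge) can be shown with a toy stateful hash-based scheme. The following is an added example written for this discussion; it is not code from MCUboot, wolfBoot, imgtool or RFC 8554. It uses Lamport one-time keys under a 4-leaf Merkle tree with an 8-bit toy message digest so that the forgery after a state rollback is visible in a few lines; real LMS uses 256-bit digests and Winternitz chains, but the structure is the same. The seed and "image" names are constructed sample data.

```python
"""Toy stateful hash-based signature: Lamport one-time keys under a Merkle tree.

Added illustration only; not MCUboot, wolfBoot or RFC 8554 (HSS-LMS) code. It keeps
the properties discussed above: verification is nothing but hash calls, the private
key carries a counter (its state), and signing twice from the same leaf lets an
attacker forge. Sizes are toy (8-bit message digests, 4 leaves) so the forgery is
visible; real LMS uses 256-bit digests and Winternitz chains.
"""
import hashlib

MSG_BITS = 8   # toy message-digest width (real schemes: 256)
H = 2          # tree height: 2**H one-time keys per private key


def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def msg_bits(msg: bytes) -> list:
    d = h(b"msg", msg)[0]                       # toy 8-bit digest of the image
    return [(d >> i) & 1 for i in range(MSG_BITS)]


def ots_keygen(seed: bytes, leaf: int):
    """Lamport OTS: two secret preimages per digest bit, derived from seed and leaf index."""
    sk = [[h(b"sk", seed, bytes([leaf, i, b])) for b in (0, 1)] for i in range(MSG_BITS)]
    pk = [[h(x) for x in pair] for pair in sk]
    return sk, pk


def ots_pk_hash(pk) -> bytes:
    return h(b"leaf", *[x for pair in pk for x in pair])


def keygen(seed: bytes):
    leaves = [ots_pk_hash(ots_keygen(seed, q)[1]) for q in range(2 ** H)]
    tree = [leaves]
    while len(tree[-1]) > 1:
        lvl = tree[-1]
        tree.append([h(b"node", lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    # "next" is the state: index of the first unused one-time key. Public key = root.
    return {"seed": seed, "next": 0, "tree": tree}, tree[-1][0]


def sign(sk: dict, msg: bytes) -> dict:
    q = sk["next"]
    if q >= 2 ** H:
        raise RuntimeError("private key exhausted: every one-time key has been used")
    sk["next"] = q + 1   # advance (and, in a real signer, persist) the state before releasing the signature
    ots_sk, ots_pk = ots_keygen(sk["seed"], q)
    path, idx = [], q
    for lvl in sk["tree"][:-1]:                 # authentication path: sibling at each level
        path.append(lvl[idx ^ 1])
        idx >>= 1
    sig = [ots_sk[i][b] for i, b in enumerate(msg_bits(msg))]
    return {"q": q, "pk": ots_pk, "sig": sig, "path": path}


def verify(root: bytes, msg: bytes, s: dict) -> bool:
    """Only hash calls: check preimages against the OTS pk, then hash the leaf up to the root."""
    if not 0 <= s["q"] < 2 ** H:
        return False
    for i, b in enumerate(msg_bits(msg)):
        if h(s["sig"][i]) != s["pk"][i][b]:
            return False
    node, idx = ots_pk_hash(s["pk"]), s["q"]
    for sibling in s["path"]:
        node = h(b"node", sibling, node) if idx & 1 else h(b"node", node, sibling)
        idx >>= 1
    return node == root


def forge_after_reuse(m1: bytes, s1: dict, m2: bytes, s2: dict, target: bytes):
    """Attacker view: two signatures from the same leaf reveal, per digest bit, every preimage
    either message needed. If target's digest only needs revealed preimages, forge it."""
    if s1["q"] != s2["q"]:
        return None                             # distinct leaves: nothing to combine
    known = {}
    for m, s in ((m1, s1), (m2, s2)):
        for i, b in enumerate(msg_bits(m)):
            known[(i, b)] = s["sig"][i]
    try:
        sig = [known[(i, b)] for i, b in enumerate(msg_bits(target))]
    except KeyError:
        return None
    return {"q": s1["q"], "pk": s1["pk"], "sig": sig, "path": s1["path"]}


def demo() -> dict:
    seed = b"\x42" * 32                          # constructed fixed seed, for reproducibility
    sk, root = keygen(seed)
    m1, m2 = b"firmware-v1.0.bin", b"firmware-v1.1.bin"   # constructed sample "images"
    s1 = sign(sk, m1)                            # leaf 0
    evil = next(m for m in (b"evil-%d" % n for n in range(1000)) if msg_bits(m) != msg_bits(m1))
    s_other = sign(sk, m2)                       # leaf 1: correct use, nothing to combine
    sk["next"] = s1["q"]                         # simulated state rollback (restored backup, cloned signer)
    s2 = sign(sk, m2)                            # leaf 0 reused: security is gone
    forged_msg = forged = None
    for n in range(100000):
        cand = b"attacker-image-%d" % n
        forged = forge_after_reuse(m1, s1, m2, s2, cand)
        if forged is not None:
            forged_msg = cand
            break
    while sk["next"] < 2 ** H:                   # burn the remaining one-time keys
        sign(sk, b"filler")
    try:
        sign(sk, b"one too many")
        exhausted = False
    except RuntimeError:
        exhausted = True
    return {"genuine_verifies": verify(root, m1, s1), "tampered_verifies": verify(root, evil, s1),
            "distinct_leaf_forge": forge_after_reuse(m1, s1, m2, s_other, m1),
            "forged_msg": forged_msg, "forged_verifies": verify(root, forged_msg, forged),
            "m1": m1, "m2": m2, "exhausted": exhausted}
```

`demo()` signs a genuine image, shows that a message with a different digest is rejected, then rolls the signer's counter back one step (the kind of state loss a restored backup or a cloned signing host produces) and signs a second image from the same leaf. The attacker function combines the two signatures and produces a valid signature over an image the key holder never signed; with a 256-bit digest the same combination covers a 2^k-sized set of forgeable digests where k is the number of differing bits, which is why the post says all security is lost. The signer advances its counter before handing out the signature and fails closed once all leaves are used, which is the behaviour a real stateful-key signer (the imgtool side of this proposal) has to persist to durable storage.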