2019-08-14 on Usable Security, Post-Quantum Cryptography

da/sec scientific talk on Usable Security, Post-Quantum Cryptography

Topic: API Usability of Stateful Signature Schemes

by Alexander Zeier
D19/2.03a, August 14, 2019 (Wednesday), 9:00 am

Keywords — API Usability, Post-Quantum Cryptography, Stateful Signature Schemes


The rise of quantum computers poses a threat to asymmetric cryptographic schemes. With their continuing development, schemes such as DSA or ECDSA are likely to be broken in a few years‘ time. We therefore must begin to consider the use of different algorithms that would be able to withstand powerful quantum computers. Among the considered algorithms are hash-based signature schemes, some of which, including XMSS, are stateful. In comparison to stateless algorithms, these stateful schemes pose additional implementation challenges for developers, regarding error-free usage and integration into IT systems. As the correct use of cryptographic algorithms is the foundation of a secure IT system, mastering these challenges is essential. This work proposes an easy-to-use API design for stateful signature schemes, using XMSS(MT) as an example. Our design is based on findings from literature as well as on a series of interviews with software developers. It has been prototypically implemented and evaluated in small-scale user-studies. Our results show that the API can manage the stateful keys in a way that is transparent to the user. Furthermore, a preliminary online-study has shown that the API’s documentation and applicability are comprehensible. However, due to the transparent state management, many of the study’s participants were unaware of using a stateful scheme. This might lead to possible obstacles. Our current API design will serve as the basis for a larger user-study in order to review our preliminary findings in the next step.