State Machine Model for The Update Framework (TUF)

Brian Romansky, Thomas Mazzuchi, Shahram Sarkani

TL;DR

The paper addresses the challenge of evaluating the impact of post-quantum signature algorithms on TUF-based software update deployments. It introduces a state machine model implemented in Python that simulates TUF operations, tracking cumulative signature counts, key rollover events, and associated costs while ignoring file sizes so that configurations can be compared rapidly. Key contributions include a flexible, CSV-driven simulator for TUF deployments that use stateful hash-based signatures (SHBS) and a framework for comparing diverse signature configurations under a fixed update sequence. The work enables informed design decisions for deploying post-quantum update security in bandwidth- and compute-constrained environments.

Abstract

The Update Framework (TUF) was developed to address several known weaknesses that have been observed in software update distribution and validation systems. Unlike conventional secure software distribution methods, where a single digital signature may be applied to each update, TUF introduces four distinct roles, each with one or more signing keys, that must participate in the update process. This approach increases the total size of each update package and increases the number of signatures that each client system must validate. As system architects consider the transition to post-quantum algorithms, understanding the impact of new signature algorithms on a TUF deployment becomes a significant consideration. In this work we introduce a state machine model that accounts for the cumulative impact of signature algorithm selection when used with TUF for software updates.
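To make the modelling approach concrete, the following is an added example (not the authors' simulator) of a minimal state machine that replays a CSV update sequence and counts signatures, key rollovers and relative cost for the four TUF top-level roles, ignoring file sizes. The sample CSV, the per-role signature budgets and costs, and the modelled rule that replacing an exhausted top-level key requires a freshly signed root are all assumptions of this example.

```python
import csv
# Constructed sample update sequence (not the paper's data): one row per update,
# a 1 marks a role that must produce a fresh signature for that update.
SAMPLE_CSV = """update,root,targets,snapshot,timestamp
1,0,1,1,1
2,0,0,0,1
3,0,1,1,1
4,0,0,0,1
5,0,1,1,1
6,0,0,0,1
"""
# Assumed per-role parameters (not from the paper): budget = signatures one key can
# make (2**h for a stateful hash-based scheme), plus relative signing and rollover costs.
SAMPLE_CONFIG = {
    "root": {"budget": 8, "sign_cost": 1.0, "rollover_cost": 10.0},
    "targets": {"budget": 2, "sign_cost": 1.0, "rollover_cost": 5.0},
    "snapshot": {"budget": 2, "sign_cost": 1.0, "rollover_cost": 5.0},
    "timestamp": {"budget": 4, "sign_cost": 1.0, "rollover_cost": 5.0},
}
ROLES = ("root", "targets", "snapshot", "timestamp")  # TUF top-level roles, signing order

class TufStateMachine:
    """Tracks signature counts, key rollovers and cost per role; file sizes are ignored."""
    def __init__(self, config):
        # per role: the configured parameters plus live counters for the current key
        self.roles = {r: dict(config[r], used=0, signatures=0, rollovers=0) for r in ROLES}
        self.cost = 0.0

    def sign(self, role):
        st = self.roles[role]
        if st["used"] >= st["budget"]:  # key exhausted: roll over to a fresh key
            st["used"] = 0
            st["rollovers"] += 1
            self.cost += st["rollover_cost"]
            if role != "root":  # assumed: a new top-level key must be listed in a new signed root
                self.sign("root")
        st["used"] += 1
        st["signatures"] += 1
        self.cost += st["sign_cost"]

def simulate(csv_text, config):
    """Replay the CSV update sequence; return {role: (signatures, rollovers)} and total cost."""
    m = TufStateMachine(config)
    for row in csv.DictReader(csv_text.splitlines()):
        for role in ROLES:
            if row[role] == "1":
                m.sign(role)
    return {r: (s["signatures"], s["rollovers"]) for r, s in m.roles.items()}, m.cost
```

Swapping the budgets and costs in the configuration for those of a different signature scheme, while keeping the same CSV, gives the fixed-update-sequence comparison the paper describes.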

Paper Structure

This paper contains 7 sections.