digital signatures are important !
DESCRIPTION
Practical Forward Secure Signatures using Minimal Security Assumptions Andreas Hülsing, Erik Dahmen , Johannes Buchmann. Digital Signatures are Important !. E-Commerce. … and many others. Software updates. Forward Secure Signatures [And97]. Forward Secure Signatures. pk. classical. sk. - PowerPoint PPT PresentationTRANSCRIPT
23.09.2013 | TU Darmstadt | Andreas Hülsing | 1
Practical Forward Secure Signatures using Minimal Security AssumptionsAndreas Hülsing, Erik Dahmen, Johannes Buchmann
Digital Signatures are Important!
Software updates
E-Commerce
… and many others
23.09.2013 | TU Darmstadt | Andreas Hülsing | 2
Forward Secure Signatures[And97]
23.09.2013 | TU Darmstadt | Andreas Hülsing | 3
Forward Secure Signatures
time
classicalpk
sk
Key gen.
forward secpk
sksk1 sk2 ski skT
t1 t2 ti tT
ijjSigGoal ),,(:
23.09.2013 | TU Darmstadt | Andreas Hülsing | 4
What if…
23.09.2013 | TU Darmstadt | Andreas Hülsing | 5
Post-Quantum Signatures
Lattice, MQ, Coding
Signature and/or key sizes
Runtimes
Secure parameters
no forward secure signatures
...1
3
14232232
34121211
yxxxxxxy
xxxxxxy
23.09.2013 | TU Darmstadt | Andreas Hülsing | 6
Hash-based Signature Schemes[Mer89]
Post quantum
Only secure hash function
Security well understood
Fast
Forward secure (inefficient)23.09.2013 | TU Darmstadt | Andreas Hülsing | 7
Cryptographic Hash Functions
H
{0,1}m
{0,1}n
}}1,0{|}1,0{}1,0{:{ 'nnmKn KH Η
•Cryptomania•AC O(2n/2)Collision Resistance
(CR)
•Minicrypt•AC O(2n)Second-preimage
Resistance (SPR)
•Minicrypt•AC O(2n)
One-wayness
•Minicrypt•AC O(2n)
Undetectability (UD)
•Minicrypt•AC O(2n)Pseudorandomness
(PRF)
23.09.2013 | TU Darmstadt | Andreas Hülsing | 8
Hash-based Signatures
OTS
OTS OTS OTS OTS OTS OTS OTS
HH H H H H H H
H H H H
H H
H
PK
SIG = (i=2, , , , , )
23.09.2013 | TU Darmstadt | Andreas Hülsing | 9
OTSSK
Challenges & Achievements
Minimal security assumptions XOR Efficient
Forward secure XOR Efficient
Large signatures
No full smartcard implementation
23.09.2013 | TU Darmstadt | Andreas Hülsing | 10
Efficient
Minimal security assumptions
„Small signatures"
Forward secure
Full smartcard implementation
New Variants of the Winternitz One Time Signature Scheme
23.09.2013 | TU Darmstadt | Andreas Hülsing | 11
OTS
Winternitz OTS (WOTS) [Mer89; EGM96]
| | = | | = m * | |
1. = f( )
2. Trade-off between runtime and signature size | | ~ m/log w * | |
SIG = (i, , , , , )
23.09.2013 | TU Darmstadt | Andreas Hülsing | 12
Function family:
Formerly:
WOTS+
For w ≥ 2 select R = (r1, …, rw-1)
WOTSFunction Chain
c0(x) = x
c1(x) = cw-1 (x)
}}1,0{|}1,0{}1,0{:{ 'nnnKn KF F
'1 }1,0{,}1,0{ nwn K
ri
KF
23.09.2013 | TU Darmstadt | Andreas Hülsing | 13
)( 1rxFK
'1 }1,0{,)())(()( n
timesi
KKKi
Ki KxFFFxcFxc
))(()( 1i
iK
i rxcFxc ci-1 (x) ci (x)
Winternitz parameter w, security parameter n, message length m, function family
Key Generation: Compute l , sample K, sample R
WOTS+
[Hül13]
c0(skl ) = skl
c1(skl ) pkl = cw-1(skl )
}}1,0{|}1,0{}1,0{:{ 'nnnKn KF F
c0(sk1) = sk1
c1(sk1)
pk1 = cw-1(sk1)
23.09.2013 | TU Darmstadt | Andreas Hülsing | 14
WOTS+ Signature generation
M
b1 b2 b3 b4 … … … … … … … bl 1 bl 1+1 bl 1+2 … … bl
C
c0(skl ) = skl
pkl = cw-1(skl )
c0(sk1) = sk1pk1 = cw-1(sk1)
σ1=cb1(sk1)
σl =cbl (skl )
23.09.2013 | TU Darmstadt | Andreas Hülsing | 15
Main result
Theorem 3.9 (informally):W-OTS+ is strongly unforgeable under chosen message attacks if F
is a 2nd-preimage resistant, undetectable one-way function family
23.09.2013 | TU Darmstadt | Andreas Hülsing | 16
Security ProofReduction
23.09.2013 | TU Darmstadt | Andreas Hülsing | 17
Intuition
Oracle Response: (σ, M); M →(b1,…,bl ) Forgery: (σ*, M*); M* →(b1*,…, bl*)
Observations:1.Checksum: 2. Verification cw-1-bα*
(σ*α) = pkα = cw-1-bα (σα)
“quasi-inversion”
bbthsl *..},..,1{
c0(skα) = skα
pkασα
pk*ασ*α
=
??????? !?
23.09.2013 | TU Darmstadt | Andreas Hülsing | 18
Intuition, cont‘d
Oracle Response: (σ, M); M →(b1,…,bl ) Forgery: (σ*, M*); M* →(b1*,…, bl*)
Given:“quasi-inversion” of c
c0(skα) = skα
pkασα
σ*α
β
second-preimage
rβ
KF
preimage
23.09.2013 | TU Darmstadt | Andreas Hülsing | 19
Result
Old [DSS05]
CR, UD, OW Fn
Cryptomania
|Sig| = l *2b
WOTS$[BDEHR11]
PRF Fn
Minicrypt
|Sig| = l *(b+w)
WOTS+[Hül13]
SPR, UD, OWFn
Conj. Minicrypt
|Sig| = l *(b+log w)
23.09.2013 | TU Darmstadt | Andreas Hülsing | 20
XMSS
23.09.2013 | TU Darmstadt | Andreas Hülsing | 21
XMSS[BDH11]
Lamport-Diffie / WOTS WOTS+ / WOTS$
Tree construction [DOTV08]
Pseudorandom key generation
H biH
PRG
PRG
PRG
PRG
PRG
FSPRG FSPRG FSPRG FSPRG FSPRG
23.09.2013 | TU Darmstadt | Andreas Hülsing | 22
Result
SPR-MSS [DOTV08]
Minicrypt
FSS
|SK| = 2h+1bm + TTA|SIG|
~2bm + hb
GMSS (Single Tree)[BDK+07]
Cryptomania
Not FSS
|SK| = b + TTA
|SIG|~2b(m/log w) + h2b
XMSS[BDH11]
Minicrypt
FSS
|SK| = b + TTA
|SIG|~ b(m/log w) + hb
23.09.2013 | TU Darmstadt | Andreas Hülsing | 23
Chapter 5
XMSSMT
23.09.2013 | TU Darmstadt | Andreas Hülsing | 24
i
j
Tree Chaining [BGD+06,BDK+07]
Improved distributed signature generation [HBB12,HRB13]
)2()2(: / dhhKG OOt
23.09.2013 | TU Darmstadt | Andreas Hülsing | 25
Result
GMSS [BDK+07]
Cryptomania
Not FSS
tSIG = h/2=Σ hi/2
XMSSMT[HBB12,HRB13]
Minicrypt
FSS
tSIG = h0/2
23.09.2013 | TU Darmstadt | Andreas Hülsing | 26
XMSS* in Practice
23.09.2013 | TU Darmstadt | Andreas Hülsing | 27
XMSS ImplementationsC Implementation
C Implementation, using OpenSSL [BDH2011] Sign (ms)
Verify (ms)
Signature (bit) Public Key (bit)
Secret Key (byte)
Bit Security Comment
XMSS-SHA-2 35.60 1.98 16,672 13,600 3,364 157 h = 20,w = 64,
XMSS-AES-NI 0.52 0.07 19,616 7,328 1,684 84 h = 20,w = 4
XMSS-AES 1.06 0.11 19,616 7,328 1,684 84 h = 20,w = 4
RSA 2048 3.08 0.09 ≤ 2,048 ≤ 4,096 ≤ 512 87
Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz with Intel AES-NI
23.09.2013 | TU Darmstadt | Andreas Hülsing | 28
XMSS ImplementationsSmartcard Implementation
Sign (ms)
Verify (ms)
Keygen(ms)
Signature (byte)
Public Key (byte)
Secret Key (byte)
Bit Sec. Comment
XMSS 134 23 925,400 2,388 800 2,448 92 H = 16,w = 4
XMSS+ 106 25 5,600 3,476 544 3,760 94 H = 16,w = 4
RSA 2048
190 7 11,000 ≤ 256 ≤ 512 ≤ 512 87
Infineon SLE78 16Bit-CPU@33MHz, 8KB RAM, TRNG, sym. & asym. co-processor
NVM: Card 16.5 million write cycles/ sector, XMSS+ < 5 million write cycles (h=20)
[HBB12]
23.09.2013 | TU Darmstadt | Andreas Hülsing | 29
Conclusion
23.09.2013 | TU Darmstadt | Andreas Hülsing | 30
Conclusion
23.09.2013 | TU Darmstadt | Andreas Hülsing | 31
Efficient
Minimal security assumptions
„Small signatures"
Forward secure
Full smartcard implementation
Future Work
23.09.2013 | TU Darmstadt | Andreas Hülsing | 32
Main Drawback: State
Easy Migration? Interfaces
Key Management
Thank you!Questions?