460 likes | 473 Views
Explore the practical implementation of secure digital signatures with minimal security assumptions, ensuring forward security for software updates and e-commerce security.|
E N D
Practical Forward Secure Signatures using Minimal Security Assumptions PhD Defense Andreas Hülsing 23.09.2013 | TU Darmstadt | Andreas Hülsing| 1
Digital SignaturesareImportant! E-Commerce … and many others Software updates 23.09.2013 | TU Darmstadt | Andreas Hülsing| 2
Forward Secure Signatures[And97] 23.09.2013 | TU Darmstadt | Andreas Hülsing| 3
Forward Secure Signatures pk classical sk pk forward sec sk sk1 sk2 skT ski time tT ti t1 t2 Key gen. 23.09.2013 | TU Darmstadt | Andreas Hülsing| 4
Whatif… 23.09.2013 | TU Darmstadt | Andreas Hülsing| 5
Post-Quantum Signatures Lattice, MQ, Coding Signature and/or key sizes Runtimes Secure parameters no forward secure signatures 23.09.2013 | TU Darmstadt | Andreas Hülsing| 6
Hash-basedSignatureSchemes[Mer89] 23.09.2013 | TU Darmstadt | Andreas Hülsing| 7
Cryptographic Hash Functions {0,1}n H {0,1}m 23.09.2013 | TU Darmstadt | Andreas Hülsing| 8
Hash-based Signatures PK SIG = (i=2, , , , , ) H OTS OTS OTS OTS OTS OTS OTS OTS OTS H H H H H H H H H H H H H H SK 23.09.2013 | TU Darmstadt | Andreas Hülsing| 9
Challenges & Achievements 23.09.2013 | TU Darmstadt | Andreas Hülsing| 10
Contribution Chapter 3New Variants of the Winternitz One Time Signature Scheme • WOTS+ & WOTS$ Chapter 4XMSS • „A practical, forward secure signature scheme based on minimal security assumptions“ Chapter 5XMSSMT • „XMSS with Virtually Unlimited Signature Capacity” Chapter 6 Choosing Optimal Parameters for XMSS∗ Chapter 7XMSS∗ in Practice • Implementation • Experimental results (CPU & smartcard) 23.09.2013 | TU Darmstadt | Andreas Hülsing| 11
Chapter 3New Variants of the Winternitz One Time Signature Scheme OTS 23.09.2013 | TU Darmstadt | Andreas Hülsing| 12
Winternitz OTS (WOTS) [Mer89; EGM96] | | = | | = m * | | 1. = f( ) 2. Trade-off between runtime and signature size | | ~ m/log w * | | SIG = (i, , , , , ) 23.09.2013 | TU Darmstadt | Andreas Hülsing| 13
WOTSFunction Chain Function family: Formerly: WOTS+ For w ≥ 2 select R =(r1, …, rw-1) ri ci(x) ci-1(x) c0(x) = x cw-1(x) c1(x) = 23.09.2013 | TU Darmstadt | Andreas Hülsing| 14
WOTS+ [Hül13] Winternitz parameter w, security parameter n, message length m, function family Key Generation: Compute l , sample K, sample R pk1= cw-1(sk1) c0(sk1) = sk1 c1(sk1) c1(skl) pkl= cw-1(skl) c0(skl) = skl 23.09.2013 | TU Darmstadt | Andreas Hülsing| 15
WOTS+ Signature generation M b1 b2 b3 b4 … … … … … … … bl1 bl1+1 bl1+2 … … bl pk1= cw-1(sk1) c0(sk1) = sk1 C σ1=cb1(sk1) pkl= cw-1(skl) c0(skl) = skl σl=cbl(skl) 23.09.2013 | TU Darmstadt | Andreas Hülsing| 16
Main result Theorem 3.9 (informally): W-OTS+ is strongly unforgeable under chosen message attacks if F is a 2nd-preimage resistant, undetectable one-way function family 23.09.2013 | TU Darmstadt | Andreas Hülsing| 17
Security Proof Reduction 23.09.2013 | TU Darmstadt | Andreas Hülsing| 18
Intuition Oracle Response: (σ, M); M →(b1,…,bl) Forgery: (σ*, M*); M* →(b1*,…, bl*) Observations: • Checksum: • Verification cw-1-bα*(σ*α) = pkα = cw-1-bα(σα) “quasi-inversion” σα pkα c0(skα) = skα ! ? = ? ? ? ? ? ? ? pk*α σ*α 23.09.2013 | TU Darmstadt | Andreas Hülsing| 19
Intuition, cont‘d Oracle Response: (σ, M); M →(b1,…,bl) Forgery: (σ*, M*); M* →(b1*,…, bl*) Given: “quasi-inversion” of c rβ σα β pkα c0(skα) = skα σ*α second-preimage preimage 23.09.2013 | TU Darmstadt | Andreas Hülsing| 20
Result 23.09.2013 | TU Darmstadt | Andreas Hülsing| 21
Chapter 4XMSS 23.09.2013 | TU Darmstadt | Andreas Hülsing| 22
XMSS[BDH11] • Lamport-Diffie / WOTS WOTS+ / WOTS$ • Treeconstruction • [DOTV08] • Pseudorandomkeygeneration bi FSPRG PRG PRG PRG PRG PRG FSPRG FSPRG FSPRG FSPRG 23.09.2013 | TU Darmstadt | Andreas Hülsing| 23
Result 23.09.2013 | TU Darmstadt | Andreas Hülsing| 24
Chapter 7XMSS* in Practice 23.09.2013 | TU Darmstadt | Andreas Hülsing| 25
XMSS Implementations • C Implementation C Implementation, usingOpenSSL [BDH2011] Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz with Intel AES-NI 23.09.2013 | TU Darmstadt | Andreas Hülsing| 26
XMSS Implementations • Smartcard Implementation Infineon SLE78 16Bit-CPU@33MHz, 8KB RAM, TRNG, sym. & asym. co-processor NVM: Card 16.5 million write cycles/ sector, XMSS+ < 5 million write cycles (h=20) [HBB12] 23.09.2013 | TU Darmstadt | Andreas Hülsing| 27
Conclusion 23.09.2013 | TU Darmstadt | Andreas Hülsing| 28
Conclusion 23.09.2013 | TU Darmstadt | Andreas Hülsing| 29
Future Work 23.09.2013 | TU Darmstadt | Andreas Hülsing| 30
Thank you! Questions?
Publications [1] J. Buchmann, E. Dahmen, S. Ereth, A. Hülsing, and M. Rückert. On the security of the Winternitz one-time signature scheme. In A. Nitaj and D. Pointcheval (Eds), Africacrypt 2011, LNCS 6737, pp 363-378. Springer Berlin / Heidelberg, 2011. [2] J. Buchmann, E. Dahmen, and A. Hülsing. XMSS - a practical forward secure signature scheme based on minimal security assumptions. In Bo-Yin Yang (Ed), Post-Quantum Cryptography, LNCS 7071, pp 117-129. Springer Berlin / Heidelberg, 2011. [3] A. Hülsing, A. Petzoldt, M. Schneider, and S.M. El YousfiAlaoui. PostquantumSignaturverfahrenHeute. In Ulrich Waldmann (Ed), 22. SIT-Smartcard Workshop 2012, IHK Darmstadt, Feb 2012. FraunhoferVerlag Stuttgart. [4] A. Hülsing, C. Busold, and J. Buchmann. Forward secure signatures on smart cards. In Lars R. Knudsen and Huapeng Wu (Eds), Selected Areas in Cryptography, LNCS 7707, pp 66–80. Springer Berlin Heidelberg, 2013. [5] J. Braun, A. Hülsing, A. Wiesmaier, M. A. G. Vigil, and J. Buchmann. How to avoid the breakdown of public key infrastructures - forward secure signatures for certificate authorities. In S. CapitanidiVimercati and C. Mitchell (Eds), EuroPKI 2012, LNCS 7868, pp 53-68. Springer Berlin Heidelberg, 2013. [6] J. Buchmann, E. Dahmen, S. Ereth, A. Hülsing, and M. Rückert. On the security of the Winternitz one-time signature scheme. Journal of Applied Cryptography, 3(1):84–96, 2013. [7] A. Hülsing. W-OTS+ — shorter signatures for hash-based signature schemes. In A.Youssef, A. Nitaj, and A.E. Hassanien (Eds), Africacrypt 2013, LNCS 7918, pp 173–188. Springer Berlin Heidelberg, 2013. [8] M. M. Olembo, T. Kilian, S. Stockhardt, A. Hülsing, and M. Volkamer. Developing and testing a visual hash scheme. In N. Clarke, S.Furnell, and V.Katos (Eds), Proceedings of the European Information Security Multi-Conference (EISMC 2013). Plymouth University, April 2013. [9] P. Weiden, A. Hülsing, D. Cabarcas, and J. Buchmann. Instantiating treeless signature schemes. Cryptology ePrint Archive, Report 2013/065, 2013. http://eprint.iacr.org/. [10] A. Hülsing, J. Braun. LangzeitsichereSignaturendurch den EinsatzhashbasierterSignaturverfahren. In Tagungsbandzum 13. Deutschen IT-Sicherheitskongress 2013, Herausgeber: BSI, Secu-Media Verlag, Gau-Algesheim, 2013. [11] J. Braun, M. Horsch, A. Hülsing. EffizienteUmsetzung des KettenmodellsunterVerwendungvorwärtssichererSignaturverfahren. In Tagungsbandzum 13. Deutschen IT-Sicherheitskongress 2013, Herausgeber: BSI, Secu-Media Verlag, Gau-Algesheim, 2013. [12] A. Hülsing, L. Rausch, and J. Buchmann. Optimal parameters for XMSSMT. In A. Cuzzocrea, C. Kittl, D. E. Simos, E. Weippl, and L. Xu, (Eds), Security Engineering and Intelligence Informatics, LNCS 8128, pp 194–208. Springer Berlin Heidelberg, 2013. [13] J. Buchmann, D. Cabarcas, F. Göpfert, A. Hülsing, and P. Weiden. Discrete ziggurat: A time-memory trade-off for sampling from a gaussian distribution over the integers. In Selected Areas in Cryptography 2013 (SAC’13), to appear. [14] J. Braun, F. Kiefer, and A. Hülsing. Revocation & non-repudiation: When the first destroys the latter. In EuroPKI 2013, to appear.
Quantum Computing Progress IBM 2012: “Scientists at IBM Research … have achieved major advances in quantum computing device performance that may accelerate the realization of a practical, full-scale quantum computer.“ 23.09.2013 | TU Darmstadt | Andreas Hülsing| 33
Chapter 5XMSSMT 23.09.2013 | TU Darmstadt | Andreas Hülsing| 34
Tree Chaining [BGD+06,BDK+07] j i Improved distributed signature generation [HBB12,HRB13] 23.09.2013 | TU Darmstadt | Andreas Hülsing| 35
Result 23.09.2013 | TU Darmstadt | Andreas Hülsing| 36
Security Level aka. Bit Security ExactProof: „ In general, a cryptographic system offers security level λ if a successful generic attack can be expected to require effort approximately 2λ−1. “ [Len04] Solvefort: Using = = 23.09.2013 | TU Darmstadt | Andreas Hülsing| 37
Security Level aka. Bit Security(Quantum Case) ExactProof: „ In general, a cryptographic system offers security level λ if a successful generic attack can be expected to require effort approximately 2λ−1. “ [Len04] Solvefort: Using = = 23.09.2013 | TU Darmstadt | Andreas Hülsing| 38
EU-CMA for OTS SK PK, 1n M SIGN (σ, M) Success if M* ≠ M and Verify(pk,σ*,M*) = Accept (σ*, M*) 23.09.2013 | TU Darmstadt | Andreas Hülsing| 39
Quantum-secureSignatures SK PK, 1n SIGN q-times 23.09.2013 | TU Darmstadt | Andreas Hülsing| 40
BDS-TreeTraversal[BDS08] • Computes authentication paths • Store most expensive nodes • Left nodes are cheap • Distribute costs • (h-k)/2 updates per round # 2h-1 k # 2h-2 h 23.09.2013 | TU Darmstadt | Andreas Hülsing| 41
Minimal Security Assumptions [NaYu89] [Rom90] Digital signature scheme Pseudorandom Generator [HILL99] One-way FF Pseudorandom FF [GGM86] [Rom90] XMSS Second-preimage resistant HFF Target-collision resistant HFF 23.09.2013 | TU Darmstadt | Andreas Hülsing| 42
From Fixed to Arbitrary Length Messages 23.09.2013 | TU Darmstadt | Andreas Hülsing| 43
Minimal Security Assumptions - Why? 23.09.2013 | TU Darmstadt | Andreas Hülsing| 44
… BUT WAIT ! 23.09.2013 | TU Darmstadt | Andreas Hülsing| 45
Hash function & PRF Useplain AES for PRF Use AES withMatyas-Meyer-Oseas in Merkle-Damgårdmodeforhashfunction 02.12.2011 | TU Darmstadt | A. Huelsing | 46