250 likes | 455 Views
Forward Secure Hash-based Signatures on Smartcards. A. Hülsing , J. Buchmann, C. Busold. Digital Signatures are Important!. E-Commerce. … and many others. Software updates. What if….
E N D
Forward Secure Hash-based Signatures on Smartcards A. Hülsing, J. Buchmann, C. Busold 16.08.2012 | TU Darmstadt | A. Hülsing| 1
Digital Signatures are Important! E-Commerce … and many others Software updates 04.09.2013 | TU Darmstadt | Andreas Hülsing| 2
What if… IBM 2012: „…optimism about superconducting qubits and the possibilities for a future quantum computer are rapidely growing.“ 04.09.2013 | TU Darmstadt | Andreas Hülsing| 3
Post-Quantum Signatures Based on Lattice, MQ, Coding Signature and/or key sizes Runtimes Secure parameters 04.09.2013 | TU Darmstadt | Andreas Hülsing| 4
Hash-based Signature Schemes[Merkle, Crypto‘89] 04.09.2013 | TU Darmstadt | Andreas Hülsing| 5
Forward Secure Signatures 04.09.2013 | TU Darmstadt | Andreas Hülsing| 6
Forward Secure Signatures pk classical sk pk forward sec sk sk1 sk2 skT ski time tT ti t1 t2 Key gen. 04.09.2013 | TU Darmstadt | Andreas Hülsing| 7
Forward Secure Digital Signatures 02.12.2011 | TU Darmstadt | A. Huelsing | 8
Construction 02.12.2011 | TU Darmstadt | A. Huelsing | 9
Hash-based Signatures PK SIG = (i, , , , , ) H OTS OTS OTS OTS OTS OTS OTS OTS H H H H H H H H H H H H H H SK 04.09.2013 | TU Darmstadt | Andreas Hülsing| 10
Winternitz OTS [Merkle, Crypto‘89; Even et al., JoC‘96] 1. = f( ) 2. Trade-off between runtime and signature size, controlled by parameter w 3. Minimal security requirements [Buchmann et al.,Africacrypt’11] 4. Uses PRFF F SIG = (i, , , , , ) 04.09.2013 | TU Darmstadt | Andreas Hülsing| 11
XMSS – secret key Generated using forward secure pseudorandom generator (FSPRG), build using PRFF F: Secret key: Random SEED for pseudorandom generation of current signature key. FSPRG PRG PRG PRG PRG PRG FSPRG FSPRG FSPRG FSPRG 04.09.2013 | TU Darmstadt | Andreas Hülsing| 12
BDS-TreeTraversal[Buchmann et al., 2008] • Computes authentication paths • Store most expensive nodes • Left nodes are cheap • Distribute costs • (h-k)/2 updates per round # 2h-1 k # 2h-2 h 02.12.2011 | TU Darmstadt | A.Huelsing | 13
Accelerate key generationTree Chaining [Buchmann et al., 2006] 2h+1 → 2*2 h/2+1 = 2 h/2+2 j i But: Larger signatures! 29.04.2011 | TU Darmstadt | J. Buchmann | 14
Distributed Signature Generation Initial proposal [Buchmann et al.,2007]: • Distribute signature costs equally among all signatures in lower tree This work: • Use observation: BDS spends more updates than needed • Use unused updates to compute authentication path & signature 02.12.2011 | TU Darmstadt | A.Huelsing | 15
Implementation 02.12.2011 | TU Darmstadt | A.Huelsing | 16
Hash function & PRF Useplain AES for PRF Use AES withMatyas-Meyer-Oseas in Merkle-Damgårdmodeforhashfunction 02.12.2011 | TU Darmstadt | A. Huelsing | 17
Results Infineon SLE78 16Bit-CPU@33MHz, 8KB RAM, TRNG, sym. & asym. co-processor NVM: Card 16.5 million write cycles/ sector, XMSS+ < 5 million write cycles 24.05.2012 | TU Darmstadt | A.Huelsing | 18
Conclusion 02.12.2011 | TU Darmstadt | A.Huelsing | 19
Conclusion & futurework Forward secure signature schemes can be implemented on Smartcards, … … hash-based signatures with on-card key generation, too … performance is comparable to RSA, DSA, ECDSA … … higher provable security level requires different block cipher / hash-function 02.12.2011 | TU Darmstadt | A.Huelsing | 20
Thank you,Questions? 02.12.2011 | TU Darmstadt | A.Huelsing | 21
XMSS – Winternitz OTS[Buchmann et al. 2011] - Uses pseudorandom function family - Winternitz parameter w, message length m, random value x sk1 pk1 x l skl pkl x w 02.12.2011 | TU Darmstadt | A. Huelsing | 22
XMSS – secret key For multiple signatures use many key pairs. Generated using forward secure pseudorandom generator (FSPRG), build using PRFF Fn: Secret key: Random SEED for pseudorandom generation of current signature key. FSPRG PRG PRG PRG PRG PRG FSPRG FSPRG FSPRG FSPRG 02.12.2011 | TU Darmstadt | A. Huelsing | 23
XMSS – public key Modified Merkle Tree [Dahmen et al 2008] h second preimage resistant hash function = ( , b0, b1, b2, h) Public key b0 b0 b0 b0 b1 b1 bh 02.12.2011 | TU Darmstadt | A. Huelsing | 24