
XMSS - A Practical Forward Secure Signature Scheme

This paper discusses the eXtended Merkle Signature Scheme (XMSS), a digital signature scheme based on minimal security assumptions. It provides a generic and efficient construction for forward secure signatures.



Presentation Transcript


  1. XMSS - A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions
     J. Buchmann, E. Dahmen, A. Hülsing
     02.12.2011 | TU Darmstadt | A. Huelsing | 1

  2. Digital Signature Schemes

  3. RSA – DSA – EC-DSA – …
     [Diagram: a trapdoor one-way function (based on RSA, DH, SVP, MQ, …) plus a collision resistant hash function yield a digital signature scheme]

  4. Digital Signature Schemes
     • Strong complexity theoretic assumption (trapdoor one-way function), hard to fulfill
     • Specific hardness assumptions: threatened by quantum computers and new algorithms
     • Efficient, but security proofs mostly only in the ROM (random oracle model)

  5. The eXtended Merkle Signature Scheme (XMSS)

  6. The eXtended Merkle Signature Scheme (XMSS)
     • Minimal complexity theoretic assumptions
     • Generic construction (no specific hardness assumption)
     • Efficient (comparable to RSA)
     • Forward secure

  7. Minimal complexity theoretic assumptions
     [Diagram: XMSS needs a second-preimage resistant hash function family (HFF) and a pseudorandom function family (FF). Both follow from a one-way FF: one-way FF → pseudorandom FF (Håstad, Impagliazzo, Levin, Luby 1999; Goldreich, Goldwasser, Micali 1986); one-way FF → target-collision resistant HFF → second-preimage resistant HFF (Naor, Yung 1989; Rompel 1990). A one-way FF exists if and only if a digital signature scheme that is existentially unforgeable under chosen message attacks exists (Rompel 1990), so XMSS assumes no more than any secure signature scheme must.]

  8. Output length of hash functions
     Hash function h: {0,1}* → {0,1}^m. Assume only generic attacks and security level n.
     • Collision resistance required → generic attack = birthday attack → m = 2n
     • Second-preimage resistance required → generic attack = exhaustive search → m = n

  9. Forward Secure Digital Signatures
     [Diagram: classical scheme: one pk and one fixed sk. Forward secure scheme: one pk, but the secret key evolves after key generation through sk_1, sk_2, …, sk_i, …, sk_T over the time periods t_1, t_2, …, t_i, …, t_T]

  10. Construction

  11. XMSS – Winternitz OTS [Buchmann et al. 2011]
      • Uses a pseudorandom function family
      • Winternitz parameter w, message length m, random value x
      [Diagram: l function chains of length w, each running from sk_1 … sk_l to pk_1 … pk_l using the random value x]

  12. XMSS – secret key
      For multiple signatures use many key pairs, generated using a pseudorandom generator (PRG) built from the PRFF F_n.
      Secret key: random SEED for pseudorandom generation of the current signature key.
      [Diagram: chain of PRG calls starting from SEED, each step yielding one one-time signature key]

  13. XMSS – public key
      Modified Merkle tree [Dahmen et al. 2008]; h is a second-preimage resistant hash function.
      Public key = (root node, b0, b1, b2, h)
      [Diagram: tree whose node inputs are XORed with a bitmask per level: b0 at the lowest level, b1 above it, …, bh at the root]

  14. XMSS signature
      [Diagram: the tree with bitmasks b0, b1, b2 and the path from leaf i to the root]
      Signature = (i, one-time signature for leaf i, authentication path for leaf i)

  15. XMSS forward secure PRG
      FSPRG: forward secure PRG built from the PRFF F_n.
      [Diagram: chain of FSPRG calls replacing the PRG chain of slide 12, each step outputting the next state and the current one-time key]
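As an added example (not from the slides and not the authors' C implementation), this Python sketch ties slides 12 to 15 together: the forward-secure PRG chain that derives the one-time keys from SEED, the bitmask Merkle tree whose root is the public key, and the authentication path the verifier uses to recompute that root. HMAC-SHA256 as the PRFF, one 2n-bit bitmask per tree level, and a leaf equal to the hash of the derived one-time seed (instead of a full W-OTS public key) are simplifying assumptions.

```python
import hashlib
import hmac

N = 32  # hash output length in bytes: n = 256 bits, enough in the second-preimage setting (m = n)

def prf(key: bytes, msg: bytes) -> bytes:
    """PRFF F_n, instantiated with HMAC-SHA256 (assumption; the slides only require a PRFF)."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def fsprg(state: bytes) -> tuple[bytes, bytes]:
    """Forward-secure PRG step: returns (next_state, ots_seed). The signer overwrites its
    state with next_state, so earlier ots_seeds cannot be recomputed after a compromise."""
    return prf(state, b"next-state"), prf(state, b"ots-seed")

def tree_hash(left: bytes, right: bytes, bitmask: bytes) -> bytes:
    """Modified Merkle node: both children are XORed with the level's 2n-bit bitmask before
    hashing, which is what lets h be only second-preimage resistant (m = n, not 2n)."""
    masked = bytes(a ^ b for a, b in zip(left + right, bitmask))
    return hashlib.sha256(masked).digest()

def keygen(seed: bytes, height: int, bitmasks: list[bytes]) -> tuple[bytes, list[list[bytes]]]:
    """Derive 2^height one-time seeds from SEED via the FSPRG chain and build the tree.
    Leaf i is sha256(ots_seed_i), standing in for the hash of the i-th W-OTS public key
    (simplification). Returns (root, levels); levels[0] are the leaves, levels[-1] the root."""
    state, leaves = seed, []
    for _ in range(2 ** height):
        state, ots_seed = fsprg(state)
        leaves.append(hashlib.sha256(ots_seed).digest())
    levels = [leaves]
    for j in range(height):
        prev = levels[-1]
        levels.append([tree_hash(prev[k], prev[k + 1], bitmasks[j])
                       for k in range(0, len(prev), 2)])
    return levels[-1][0], levels

def auth_path(levels: list[list[bytes]], index: int) -> list[bytes]:
    """Sibling of the node on the path to the root at each level; shipped in the signature."""
    return [levels[j][(index >> j) ^ 1] for j in range(len(levels) - 1)]

def root_from_path(leaf: bytes, index: int, path: list[bytes], bitmasks: list[bytes]) -> bytes:
    """Verifier side: rebuild the root from leaf i and its authentication path using the
    public bitmasks; the signature is accepted only if the result equals the public root."""
    node = leaf
    for j, sibling in enumerate(path):
        if (index >> j) & 1:
            node = tree_hash(sibling, node, bitmasks[j])
        else:
            node = tree_hash(node, sibling, bitmasks[j])
    return node
```

Because the signer keeps only the current FSPRG state, an attacker who steals it after signature i learns the seeds for leaves i+1 onward but cannot recover seeds for leaves 0..i, which is the forward security property of slide 9.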

  16. Security Proof – Idea
      • Tree construction and W-OTS are provably secure.
      • Given an adversary A against the pseudorandom scheme, A can be used against the random scheme: the inputs are the same, only the input distribution differs.
      • → We can bound the success probability against the random scheme, and we can use A to distinguish the PRG.
      • See the full version on IACR ePrint (report 2011/484).

  17. XMSS in practice

  18. XMSS – Instantiations
      [Diagram: classical schemes rest on a trapdoor one-way function (DL, RSA, MP-Sign); XMSS rests on a second-preimage resistant HFF and a pseudorandom FF, which can be instantiated from any cryptographic HFF or block cipher]

  19. Hash functions & block ciphers
      Block ciphers: AES, Blowfish, 3DES, Twofish, Threefish, Serpent, IDEA, RC5, RC6, …
      Hash functions: SHA-2, BLAKE, Grøstl, JH, Keccak, Skein, VSH, SWIFFTX, RFSB, …

  20. XMSS Implementations
      C implementation using OpenSSL
      Intel(R) Core(TM) i5 CPU M540 @ 2.53GHz with Intel AES-NI

  21. Conclusion

  22. XMSS …
      … needs minimal security assumptions
      … is forward secure
      … can be used with any hash function or block cipher
      … performance is comparable to RSA, DSA, ECDSA
