Optimal Parameters for XMSS^MT
Andreas Hülsing, Lea Rausch, and Johannes Buchmann
04.09.2013 | TU Darmstadt | Andreas Hülsing
Digital Signatures are Important!
• E-Commerce
• Software updates
• … and many others
What if…
IBM 2012: "…optimism about superconducting qubits and the possibilities for a future quantum computer are rapidly growing."
Post-Quantum Signatures
Based on Lattice, MQ, Coding
• Signature and/or key sizes
• Runtimes
• Secure parameters
Hash-based Signature Schemes [Merkle, Crypto '89]
Forward Secure Signatures
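Forward Secure Signatures
[Figure: a classical key pair (pk, sk) next to a forward secure key pair, where pk stays fixed and the secret key changes over time: sk_1, sk_2, …, sk_i, …, sk_T for time periods t_1, t_2, …, t_i, …, t_T, starting at key generation.]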
Construction
Hash-based Signatures
Parameters: h, H
[Figure: hash tree of height h built with H over OTS key pairs, with PK at the root and SK at the OTS leaves. SIG = (i, , , , , )]
Winternitz OTS [Merkle, Crypto '89; Even et al., JoC '96]
Parameters: h, H, w, F
1. = f( )
2. Trade-off between runtime and signature size, controlled by parameter w
3. Minimal security requirements [Buchmann et al., Africacrypt '11]
4. Uses PRF F
SIG = (i, , , , , )
XMSS – secret key
Parameters: h, H, w, F
Generated using a forward secure pseudorandom generator (FSPRG), built using PRF F.
Secret key: random SEED for pseudorandom generation of the current signature key.
[Figure: chain of FSPRG steps, each feeding a PRG.]
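The FSPRG chain on this slide, as an added example (not code from the talk or from the XMSS authors): each step derives the next state and the seed for the current signature key, and only the new state is kept. HMAC-SHA256 standing in for the PRF F, the input labels 0 and 1, the key length and all names are assumptions of this sketch.

```python
import hashlib
import hmac

N = 32  # output length in bytes (assumption: 256-bit PRF)

def prf(key, msg):
    """Stand-in for the PRF F (assumption: HMAC-SHA256)."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def fsprg_step(state):
    """One FSPRG step: returns (next_state, seed_i) derived from state."""
    return prf(state, b"\x00"), prf(state, b"\x01")

def ots_secret_key(seed_i, length):
    """PRG: expand seed_i into `length` secret values of one OTS key."""
    return [prf(seed_i, j.to_bytes(4, "big")) for j in range(length)]

class ForwardSecureKey:
    """Stores only the current FSPRG state and the signature index."""

    def __init__(self, initial_seed):
        self.state = initial_seed
        self.index = 0

    def next_signature_key(self, length=4):  # length is arbitrary here
        """Return (i, OTS secret key i) and advance the state.

        The old state is replaced; a real implementation must also erase
        it from memory and storage, otherwise forward security is lost.
        """
        self.state, seed_i = fsprg_step(self.state)
        i = self.index
        self.index += 1
        return i, ots_secret_key(seed_i, length)

if __name__ == "__main__":
    sk = ForwardSecureKey(bytes(range(N)))  # constructed seed, not random
    for _ in range(3):
        i, key = sk.next_signature_key()
        print(i, key[0].hex()[:16], "state:", sk.state.hex()[:16])
```

Whoever obtains the state after step i can derive every later signature key, but recovering an earlier key would require inverting F on the stored state.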
BDS Tree Traversal [Buchmann et al., 2008]
Parameters: h, H, w, F, k
• Computes authentication paths
• Left nodes are cheap
• Store most expensive nodes
• Distribute costs
• (h-k)/2 updates per round
[Figure: tree of height h with labels k, # 2h-1, # 2h-2.]
Accelerate key generation: Tree Chaining [Buchmann et al., 2006]
[Figure labels: h, H, wi, w, F, j, k, ki, d, hi, i]
Generalized distributed signature generation from [Huelsing et al., SAC '12]
Parameter Selection
Trade-Offs
Linear Optimization
Input: h, b_min, T_F, T_H
Output: b, d, (h, w, k)_i
Objective: Minimize weighted sum of runtimes & sizes
• Linearization: Generalized lambda method [Moritz, 2007]
• Complexity reduction: Split into sub-problems
Conclusion