Optimal Parameters for XMSS^MT

Presentation Transcript


  1. Optimal Parameters for XMSS^MT. Andreas Hülsing, Lea Rausch, and Johannes Buchmann. 04.09.2013 | TU Darmstadt | Andreas Hülsing | 1

  2. Digital Signatures are Important! E-Commerce, software updates, … and many others.

  3. What if… IBM 2012: "…optimism about superconducting qubits and the possibilities for a future quantum computer are rapidly growing."

  4. Post-Quantum Signatures. Based on Lattice, MQ, Coding. Signature and/or key sizes; runtimes; secure parameters.

  5. Hash-based Signature Schemes [Merkle, Crypto'89]

  6. Forward Secure Signatures

  7. Forward Secure Signatures. [Figure: a classical key pair (pk, sk) compared with a forward-secure key pair, where after key generation the secret key evolves as sk1, sk2, …, ski, …, skT over the time periods t1, t2, …, ti, …, tT]

  8. Construction

  9. Hash-based Signatures. Parameter h. SIG = (i, , , , , ) [Figure: hash tree of height h with inner nodes computed by H over OTS leaves; labels PK and SK]

  10. Winternitz OTS [Merkle, Crypto'89; Even et al., JoC'96]. Parameter h. (1) = f( ) (2) Trade-off between runtime and signature size, controlled by parameter w (3) Minimal security requirements [Buchmann et al., Africacrypt'11] (4) Uses PRFF F. SIG = (i, , , , , ) [Figure labels: H, w, F]

  11. XMSS – secret key. Parameter h. Generated using a forward secure pseudorandom generator (FSPRG), built using PRFF F. Secret key: random SEED for pseudorandom generation of the current signature key. [Figure: chain of FSPRG steps, each feeding a PRG; labels H, w, F]

  12. BDS Tree Traversal [Buchmann et al., 2008]. Parameter h. • Computes authentication paths • Left nodes are cheap • Store most expensive nodes • Distribute costs • (h-k)/2 updates per round [Figure labels: H, w, F, k, h]

  13. Accelerate key generation: Tree Chaining [Buchmann et al., 2006]. Parameter h. Generalized distributed signature generation from [Huelsing et al., SAC'12]. [Figure labels: H, F, w, k, d, h_i, w_i, k_i, i, j]

  14. Parameter Selection

  15. Trade-Offs

  16. Linear Optimization. Input: h, b_min, T_F, T_H. Output: b, d, (h, w, k)_i. Objective: minimize weighted sum of runtimes & sizes. • Linearization: generalized lambda method [Moritz, 2007] • Complexity reduction: split into sub-problems

  17. Conclusion

  19. Thank you!
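
Slide 10 states that the Winternitz parameter w trades runtime against signature size. The following is an added example, not code from the presentation or its authors, that makes the trade-off concrete with a simplified Winternitz OTS; it assumes a 256-bit message digest, uses a plain SHA-256 hash chain as a stand-in for the function F on the slide, and all function names are hypothetical.

```python
# Added illustration: simplified Winternitz one-time signature.
# Assumptions: SHA-256 for digest and chaining (stand-in for F), w a power of two.
import hashlib, os

N = 32  # bytes per chain value

def params(w, m_bits=256):
    """Return (log2 w, message chains l1, checksum chains l2)."""
    lg = w.bit_length() - 1
    l1 = -(-m_bits // lg)                        # ceil(m / log2 w)
    max_csum = l1 * (w - 1)
    l2 = (max_csum.bit_length() + lg - 1) // lg  # base-w digits of max checksum
    return lg, l1, l2

def chain(x, steps):
    for _ in range(steps):
        x = hashlib.sha256(x).digest()
    return x

def digits(msg, w):
    """Base-w digits of SHA-256(msg), then checksum digits."""
    lg, l1, l2 = params(w)
    d = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    md = [(d >> (lg * i)) & (w - 1) for i in range(l1)]
    csum = sum(w - 1 - b for b in md)  # rises when any message digit falls
    return md + [(csum >> (lg * i)) & (w - 1) for i in range(l2)]

def keygen(w):
    sk = [os.urandom(N) for _ in range(sum(params(w)[1:]))]
    return sk, [chain(s, w - 1) for s in sk]

def sign(sk, msg, w):  # a key pair must sign only one message
    return [chain(s, b) for s, b in zip(sk, digits(msg, w))]

def verify(pk, msg, sig, w):
    ds = digits(msg, w)
    return len(sig) == len(ds) and all(
        chain(s, w - 1 - b) == p for s, b, p in zip(sig, ds, pk))

def tradeoff(w):
    """(signature bytes, hash calls for key generation) for parameter w."""
    _, l1, l2 = params(w)
    return (l1 + l2) * N, (l1 + l2) * (w - 1)

if __name__ == "__main__":
    for w in (4, 16, 256):
        print(w, tradeoff(w))
```

Raising w from 4 to 256 cuts the signature to roughly a quarter of its size while key generation needs over twenty times as many hash calls.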
