1 / 33

Digital Signatures are Important !

Practical Forward Secure Signatures using Minimal Security Assumptions Andreas Hülsing, Erik Dahmen , Johannes Buchmann. Digital Signatures are Important !. E-Commerce. … and many others. Software updates. Forward Secure Signatures [And97]. Forward Secure Signatures. pk. classical. sk.

vito
Download Presentation

Digital Signatures are Important !

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Practical Forward Secure Signatures using Minimal Security AssumptionsAndreas Hülsing, Erik Dahmen, Johannes Buchmann 23.09.2013 | TU Darmstadt | Andreas Hülsing| 1

  2. Digital SignaturesareImportant! E-Commerce … and many others Software updates 23.09.2013 | TU Darmstadt | Andreas Hülsing| 2

  3. Forward Secure Signatures[And97] 23.09.2013 | TU Darmstadt | Andreas Hülsing| 3

  4. Forward Secure Signatures pk classical sk pk forward sec sk sk1 sk2 skT ski time tT ti t1 t2 Key gen. 23.09.2013 | TU Darmstadt | Andreas Hülsing| 4

  5. Whatif… 23.09.2013 | TU Darmstadt | Andreas Hülsing| 5

  6. Post-Quantum Signatures Lattice, MQ, Coding Signature and/or key sizes Runtimes Secure parameters no forward secure signatures 23.09.2013 | TU Darmstadt | Andreas Hülsing| 6

  7. Hash-basedSignatureSchemes[Mer89] 23.09.2013 | TU Darmstadt | Andreas Hülsing| 7

  8. Cryptographic Hash Functions {0,1}n H {0,1}m 23.09.2013 | TU Darmstadt | Andreas Hülsing| 8

  9. Hash-based Signatures PK SIG = (i=2, , , , , ) H OTS OTS OTS OTS OTS OTS OTS OTS OTS H H H H H H H H H H H H H H SK 23.09.2013 | TU Darmstadt | Andreas Hülsing| 9

  10. Challenges & Achievements 23.09.2013 | TU Darmstadt | Andreas Hülsing| 10

  11. New Variants of the Winternitz One Time Signature Scheme OTS 23.09.2013 | TU Darmstadt | Andreas Hülsing| 11

  12. Winternitz OTS (WOTS) [Mer89; EGM96] | | = | | = m * | | 1. = f( ) 2. Trade-off between runtime and signature size | | ~ m/log w * | | SIG = (i, , , , , ) 23.09.2013 | TU Darmstadt | Andreas Hülsing| 12

  13. WOTSFunction Chain Function family: Formerly: WOTS+ For w ≥ 2 select R =(r1, …, rw-1) ri ci(x) ci-1(x) c0(x) = x cw-1(x) c1(x) = 23.09.2013 | TU Darmstadt | Andreas Hülsing| 13

  14. WOTS+ [Hül13] Winternitz parameter w, security parameter n, message length m, function family Key Generation: Compute l , sample K, sample R pk1= cw-1(sk1) c0(sk1) = sk1 c1(sk1) c1(skl) pkl= cw-1(skl) c0(skl) = skl 23.09.2013 | TU Darmstadt | Andreas Hülsing| 14

  15. WOTS+ Signature generation M b1 b2 b3 b4 … … … … … … … bl1 bl1+1 bl1+2 … … bl pk1= cw-1(sk1) c0(sk1) = sk1 C σ1=cb1(sk1) pkl= cw-1(skl) c0(skl) = skl σl=cbl(skl) 23.09.2013 | TU Darmstadt | Andreas Hülsing| 15

  16. Main result Theorem 3.9 (informally): W-OTS+ is strongly unforgeable under chosen message attacks if F is a 2nd-preimage resistant, undetectable one-way function family 23.09.2013 | TU Darmstadt | Andreas Hülsing| 16

  17. Security Proof Reduction 23.09.2013 | TU Darmstadt | Andreas Hülsing| 17

  18. Intuition Oracle Response: (σ, M); M →(b1,…,bl) Forgery: (σ*, M*); M* →(b1*,…, bl*) Observations: • Checksum: • Verification cw-1-bα*(σ*α) = pkα = cw-1-bα(σα) “quasi-inversion” σα pkα c0(skα) = skα ! ? = ? ? ? ? ? ? ? pk*α σ*α 23.09.2013 | TU Darmstadt | Andreas Hülsing| 18

  19. Intuition, cont‘d Oracle Response: (σ, M); M →(b1,…,bl) Forgery: (σ*, M*); M* →(b1*,…, bl*) Given: “quasi-inversion” of c rβ σα β pkα c0(skα) = skα σ*α second-preimage preimage 23.09.2013 | TU Darmstadt | Andreas Hülsing| 19

  20. Result 23.09.2013 | TU Darmstadt | Andreas Hülsing| 20

  21. XMSS 23.09.2013 | TU Darmstadt | Andreas Hülsing| 21

  22. XMSS[BDH11] • Lamport-Diffie / WOTS WOTS+ / WOTS$ • Treeconstruction • [DOTV08] • Pseudorandomkeygeneration bi FSPRG PRG PRG PRG PRG PRG FSPRG FSPRG FSPRG FSPRG 23.09.2013 | TU Darmstadt | Andreas Hülsing| 22

  23. Result 23.09.2013 | TU Darmstadt | Andreas Hülsing| 23

  24. Chapter 5XMSSMT 23.09.2013 | TU Darmstadt | Andreas Hülsing| 24

  25. Tree Chaining [BGD+06,BDK+07] j i Improved distributed signature generation [HBB12,HRB13] 23.09.2013 | TU Darmstadt | Andreas Hülsing| 25

  26. Result 23.09.2013 | TU Darmstadt | Andreas Hülsing| 26

  27. XMSS* in Practice 23.09.2013 | TU Darmstadt | Andreas Hülsing| 27

  28. XMSS Implementations • C Implementation C Implementation, usingOpenSSL [BDH2011] Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz with Intel AES-NI 23.09.2013 | TU Darmstadt | Andreas Hülsing| 28

  29. XMSS Implementations • Smartcard Implementation Infineon SLE78 16Bit-CPU@33MHz, 8KB RAM, TRNG, sym. & asym. co-processor NVM: Card 16.5 million write cycles/ sector, XMSS+ < 5 million write cycles (h=20) [HBB12] 23.09.2013 | TU Darmstadt | Andreas Hülsing| 29

  30. Conclusion 23.09.2013 | TU Darmstadt | Andreas Hülsing| 30

  31. Conclusion 23.09.2013 | TU Darmstadt | Andreas Hülsing| 31

  32. Future Work Main Drawback: State Easy Migration? Interfaces Key Management 23.09.2013 | TU Darmstadt | Andreas Hülsing| 32

  33. Thank you! Questions?

More Related