
Forward Secure Hash-based Signatures on Smartcards

A. Hülsing, J. Buchmann, C. Busold

16.08.2012 | TU Darmstadt | A. Hülsing| 1

Digital Signatures are Important!

E-Commerce

… and many others

Software updates

What if…

IBM 2012: "…optimism about superconducting qubits and the possibilities for a future quantum computer are rapidly growing."

Post-Quantum Signatures

Based on Lattice, MQ, Coding

Signature and/or key sizes

Runtimes

Secure parameters

Hash-based Signature Schemes [Merkle, Crypto '89]


Forward Secure Signatures


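[Figure: a classical scheme with one pk and one sk, compared with a forward secure scheme with one pk and, after key generation, secret keys sk1, sk2, …, ski, …, skT for the time periods t1, t2, …, ti, …, tT.]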

Forward Secure Digital Signatures

Construction

Hash-based Signatures

[Figure: Merkle tree built with H over eight OTS key pairs; labels PK, SK and SIG = (i, , , , , ).]

Winternitz OTS [Merkle, Crypto‘89; Even et al., JoC‘96]

1. = f( )

2. Trade-off between runtime and signature size, controlled by parameter w

3. Minimal security requirements [Buchmann et al., Africacrypt'11]

4. Uses PRFF F

SIG = (i, , , , , )

XMSS – secret key

Generated using forward secure pseudorandom generator (FSPRG), built using PRFF F:

Secret key: Random SEED for pseudorandom generation of current signature key.

[Figure: chain of FSPRG steps, each one feeding a PRG.]
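The seed chain described on this slide, as an added Python example (not code from the presentation or from the card implementation). It assumes each FSPRG step computes next state = F(0) and OTS seed = F(1), uses HMAC-SHA256 as a stand-in for the AES-based PRF, and uses a constructed `L_CHAINS` of 4; all function and class names are hypothetical.

```python
import hashlib
import hmac

L_CHAINS = 4  # constructed value: number of W-OTS secret values per key

def prf(key, index):
    # F_key(index); HMAC-SHA256 is a stand-in for the AES-based PRF on the card
    return hmac.new(key, index.to_bytes(4, "big"), hashlib.sha256).digest()

def fsprg_step(state):
    # One FSPRG step (assumed layout): next state = F(0), OTS seed = F(1)
    return prf(state, 0), prf(state, 1)

def expand_ots_key(ots_seed, l=L_CHAINS):
    # PRG: stretch the per-signature seed into l OTS secret values
    return [prf(ots_seed, j) for j in range(1, l + 1)]

class SecretKey:
    """Stores only the current FSPRG state and the index of the next key."""

    def __init__(self, seed):
        self.state = bytearray(seed)
        self.index = 0

    def next_ots_key(self):
        next_state, ots_seed = fsprg_step(bytes(self.state))
        i = self.index
        self.state[:] = next_state  # overwrite in place: state i is gone
        self.index += 1
        return i, expand_ots_key(ots_seed)

def keys_reachable_from(state, start_index, count):
    # What a holder of `state` can compute: keys start_index, start_index+1, ...
    sk = SecretKey(state)
    sk.index = start_index
    return dict(sk.next_ots_key() for _ in range(count))

def demo():
    seed = bytes(32)  # constructed all-zero seed; a card would use its TRNG
    sk = SecretKey(seed)
    issued = dict(sk.next_ots_key() for _ in range(2))      # keys 0 and 1
    leaked_index, leaked_state = sk.index, bytes(sk.state)  # compromise here
    issued.update(sk.next_ots_key() for _ in range(2))      # keys 2 and 3
    reachable = keys_reachable_from(leaked_state, leaked_index, 2)
    return issued, reachable

if __name__ == "__main__":
    issued, reachable = demo()
    print("keys derivable from leaked state:", sorted(reachable))
```

A state leaked after two signatures reproduces keys 2 and 3 but yields neither key 0 nor key 1, since recovering them would require inverting the PRF.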

BDS Tree Traversal [Buchmann et al., 2008]
  • Computes authentication paths
  • Store most expensive nodes
  • Left nodes are cheap
  • Distribute costs
    • (h-k)/2 updates per round

[Figure: tree of height h with labels k, # 2h-1 and # 2h-2.]

Accelerate key generation: Tree Chaining [Buchmann et al., 2006]

$2^{h+1} \rightarrow 2 \cdot 2^{h/2+1} = 2^{h/2+2}$


But: Larger signatures!

Distributed Signature Generation

Initial proposal [Buchmann et al., 2007]:

  • Distribute signature costs equally among all signatures in lower tree

This work:

  • Use observation: BDS spends more updates than needed
  • Use unused updates to compute authentication path & signature

Implementation


Hash function & PRF

Use plain AES for PRF

Use AES with Matyas-Meyer-Oseas in Merkle-Damgård mode for hash function


Results

Infineon SLE78 [email protected], 8KB RAM, TRNG, sym. & asym. co-processor

NVM: Card 16.5 million write cycles/sector,

XMSS+ < 5 million write cycles

Conclusion

Conclusion & future work

Forward secure signature schemes can be implemented on Smartcards, …

… hash-based signatures with on-card key generation, too

… performance is comparable to RSA, DSA, ECDSA …

… higher provable security level requires different block cipher / hash-function

Thank you, Questions?

XMSS – Winternitz OTS [Buchmann et al. 2011]

- Uses pseudorandom function family

- Winternitz parameter w, message length m, random value x

[Figure: W-OTS key pair with labels sk1 … skl, pk1 … pkl, x, l and w.]

XMSS – secret key

For multiple signatures use many key pairs.

Generated using forward secure pseudorandom generator (FSPRG), built using PRFF Fn:

Secret key: Random SEED for pseudorandom generation of current signature key.

[Figure: chain of FSPRG steps, each one feeding a PRG.]

XMSS – public key

Modified Merkle Tree [Dahmen et al 2008]

h second preimage resistant hash function

= ( , b0, b1, b2, h)

Public key

[Figure: modified Merkle tree with labels b0, b1, …, bh.]
