Forward secure hash based signatures on smartcards
Presentation Transcript



Forward Secure Hash-based Signatures on Smartcards

A. Hülsing, J. Buchmann, C. Busold

16.08.2012 | TU Darmstadt | A. Hülsing| 1



Digital Signatures are Important!

  • E-Commerce
  • Software updates
  • … and many others



What if…

IBM 2012: "…optimism about superconducting qubits and the possibilities for a future quantum computer are rapidly growing."


Post-Quantum Signatures

Based on lattices, multivariate quadratic (MQ) systems, or codes. Open issues with these:

  • signature and/or key sizes
  • runtimes
  • secure parameters


Hash-based Signature Schemes [Merkle, Crypto'89]



Forward Secure Signatures



Forward Secure Signatures

[Figure: a classical scheme has a single key pair (pk, sk). A forward-secure scheme keeps one pk, but the secret key evolves over the time periods t1, t2, …, ti, …, tT as sk1, sk2, …, ski, …, skT; key generation produces pk and sk1.] Each update is one-way: compromise of ski reveals nothing about sk1 … sk(i-1), so signatures made in earlier periods remain trustworthy.



Forward Secure Digital Signatures




Construction



Hash-based Signatures

[Figure: a Merkle tree built with the hash function H over 2^h one-time signature (OTS) key pairs at the leaves. PK is the root; SK consists of the OTS secret keys; a signature has the form SIG = (i, …).]


Winternitz OTS [Merkle, Crypto'89; Even et al., JoC'96]

1. = f( )

2. Trade-off between runtime and signature size, controlled by the parameter w

3. Minimal security requirements [Buchmann et al., Africacrypt'11]

4. Uses a pseudorandom function family (PRFF) F

SIG = (i, …)
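As an added example (not code from the slides or from the authors' card implementation), the W-OTS just sketched in Python: PRF chains on a fixed random value x, pseudorandom key generation from a seed, signing with the Winternitz checksum, verification, and a cost() helper that makes the runtime/size trade-off controlled by w visible. It assumes HMAC-SHA256 truncated to 16 bytes as the PRFF F in place of the AES-based PRF used on the card, a 128-bit message digest, and names (prf, chain, wots_params, cost) chosen here.

```python
"""Winternitz OTS in the XMSS (Buchmann et al. 2011) style: PRF chains on a fixed random x.
Added example; HMAC-SHA256 replaces the slides' AES-based PRF (assumption)."""
import hashlib
import hmac
import math
import os

N = 16  # n = 128-bit keys/outputs, one AES block worth


def prf(key: bytes, x: bytes) -> bytes:
    """PRF family F_key(x). Stand-in for plain AES; output truncated to N bytes."""
    return hmac.new(key, x, hashlib.sha256).digest()[:N]


def chain(key: bytes, x: bytes, steps: int) -> bytes:
    """f^steps_key(x): each PRF output keys the next step while x stays fixed."""
    for _ in range(steps):
        key = prf(key, x)
    return key


def wots_params(w: int, m_bits: int = 8 * N):
    """Chains for message digits (l1), checksum digits (l2) and total l = l1 + l2."""
    lg = int(math.log2(w))
    l1 = math.ceil(m_bits / lg)
    l2 = math.floor(math.log2(l1 * (w - 1)) / lg) + 1
    return l1, l2, l1 + l2


def digits(value: int, w: int, count: int):
    """Base-w digits of an integer, least significant first."""
    out = []
    for _ in range(count):
        out.append(value % w)
        value //= w
    return out


def message_digits(msg: bytes, w: int):
    """m-bit digest as base-w digits, followed by the checksum digits.
    The checksum guarantees that any other digest lowers at least one digit,
    which is what stops an attacker from extending a chain to forge."""
    l1, l2, _ = wots_params(w)
    b = digits(int.from_bytes(hashlib.sha256(msg).digest()[:N], "big"), w, l1)
    checksum = sum(w - 1 - d for d in b)
    return b + digits(checksum, w, l2)


def keygen(seed: bytes, w: int):
    """sk_i derived pseudorandomly from the seed; pk_i = f^{w-1}_{sk_i}(x)."""
    _, _, l = wots_params(w)
    x = os.urandom(N)
    sk = [prf(seed, i.to_bytes(4, "big")) for i in range(l)]
    pk = [chain(s, x, w - 1) for s in sk]
    return sk, (x, pk)


def sign(sk, x: bytes, msg: bytes, w: int):
    """sigma_i = f^{b_i}_{sk_i}(x) for each base-w digit b_i."""
    return [chain(s, x, d) for s, d in zip(sk, message_digits(msg, w))]


def verify(pk, msg: bytes, sig, w: int) -> bool:
    """Finish every chain: f^{w-1-b_i}_{sigma_i}(x) must equal pk_i."""
    x, pk_chains = pk
    return all(chain(s, x, w - 1 - d) == p
               for s, d, p in zip(sig, message_digits(msg, w), pk_chains))


def cost(w: int):
    """Trade-off: signature bytes versus worst-case PRF calls per signature/verification."""
    _, _, l = wots_params(w)
    return {"w": w, "chains": l, "sig_bytes": l * N, "max_prf_calls": l * (w - 1)}


if __name__ == "__main__":
    w = 16
    sk, pk = keygen(os.urandom(N), w)
    sig = sign(sk, pk[0], b"firmware image v1.2", w)
    print(verify(pk, b"firmware image v1.2", sig, w), verify(pk, b"firmware image v1.3", sig, w))
    for w in (4, 16, 256):
        print(cost(w))
```

A larger w shrinks the signature (fewer chains) but each chain gets w-1 steps, so signing and verification cost grows roughly linearly in w; this is the knob a smartcard implementation tunes against its per-signature time budget.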


XMSS – secret key

Generated using a forward secure pseudorandom generator (FSPRG), built from the PRFF F:

Secret key: random SEED for pseudorandom generation of the current signature key.

[Figure: the FSPRG is iterated on the SEED; each step yields the next SEED and a per-period value, and a PRG expands that value into the OTS secret key of the current period.]
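Added example, not code from the slides or the authors: the FSPRG state machine in Python, with a simulated NVM so the ordering that matters to a card implementer is explicit. The next SEED is committed before the current period's signing key is released, so a power loss can waste one index but never reuse one, and an attacker who extracts the current state obtains only the keys of future periods. HMAC-SHA256 stands in for the AES-based PRFF; the class and function names, the chain count l, the write counter and the period count are assumptions.

```python
"""Forward-secure key state for a hash-based signature scheme: FSPRG seed evolution.
Added example; HMAC-SHA256 replaces the slides' AES-based PRFF (assumption)."""
import hashlib
import hmac

N = 16  # 128-bit seeds and keys


def prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()[:N]


def fsprg(seed: bytes):
    """One FSPRG step: SEED_i -> (SEED_{i+1}, S_i).
    S_i seeds the OTS key of period i; SEED_{i+1} is the only state retained."""
    return prf(seed, b"\x00"), prf(seed, b"\x01")


def prg(s: bytes, l: int):
    """Expand S_i into the l chain starts of the i-th OTS secret key."""
    return [prf(s, j.to_bytes(4, "big")) for j in range(l)]


class Nvm:
    """Simulated non-volatile memory; counts writes because card NVM has a finite write budget."""

    def __init__(self, index: int, seed: bytes):
        self.index, self.seed, self.writes = index, seed, 0

    def store(self, index: int, seed: bytes):
        self.index, self.seed, self.writes = index, seed, self.writes + 1


class ForwardSecureSigner:
    """Holds (i, SEED_i) in NVM and hands out each one-time key exactly once."""

    def __init__(self, nvm: Nvm, periods: int, l: int = 35):
        self.nvm, self.T, self.l = nvm, periods, l

    def next_key(self):
        """Return (i, sk_i) only after SEED_{i+1} is committed; SEED_i does not survive this call."""
        i, seed = self.nvm.index, self.nvm.seed
        if i >= self.T:
            raise RuntimeError("all %d one-time keys used" % self.T)
        next_seed, s_i = fsprg(seed)
        self.nvm.store(i + 1, next_seed)  # persist first: a crash here loses one index, never reuses one
        return i, prg(s_i, self.l)


def keys_from(seed: bytes, start: int, stop: int, l: int = 35):
    """Reference derivation of sk_start .. sk_{stop-1} from SEED_start.
    This is exactly what someone holding SEED_start can compute, and nothing earlier."""
    out = {}
    for i in range(start, stop):
        seed, s_i = fsprg(seed)
        out[i] = prg(s_i, l)
    return out


if __name__ == "__main__":
    nvm = Nvm(0, b"\x07" * N)              # constructed initial SEED_0
    signer = ForwardSecureSigner(nvm, periods=4, l=4)
    used = dict(signer.next_key() for _ in range(2))   # periods 0 and 1 consumed
    leaked = keys_from(nvm.seed, nvm.index, 4, l=4)    # state extracted after period 1
    print(sorted(leaked), nvm.writes)                 # only future periods are derivable
```

The forward-secure property shows up as a simple fact about the state: after period i the card stores SEED_{i+1} only, and keys_from() on that seed yields periods i+1 onward and cannot walk backwards.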


BDS Tree Traversal [Buchmann et al., 2008]

  • Computes authentication paths
  • Store most expensive nodes
  • Left nodes are cheap
  • Distribute costs
    • (h-k)/2 updates per round

[Figure: tree of height h with the top k levels stored; node counts per level annotated as 2^{h-1} and 2^{h-2}.]


Accelerate key generation: Tree Chaining [Buchmann et al., 2006]

2^{h+1} → 2·2^{h/2+1} = 2^{h/2+2}

[Figure: two layers of trees of height h/2, indices i and j.]

But: larger signatures!


Distributed Signature Generation

Initial proposal [Buchmann et al., 2007]:

  • Distribute signature costs equally among all signatures in the lower tree

This work:

  • Use observation: BDS spends more updates than needed
  • Use unused updates to compute authentication path & signature



Implementation



Hash function & PRF

  • Use plain AES for the PRF
  • Use AES with Matyas-Meyer-Oseas in Merkle-Damgård mode for the hash function


Results

Infineon SLE78 [email protected], 8KB RAM, TRNG, symmetric & asymmetric co-processor

NVM: the card supports 16.5 million write cycles per sector; XMSS+ needs < 5 million write cycles



Conclusion



Conclusion & future work

Forward secure signature schemes can be implemented on smartcards, …

… hash-based signatures with on-card key generation, too

… performance is comparable to RSA, DSA, ECDSA …

… a higher provable security level requires a different block cipher / hash function


Thank you, Questions?


XMSS – Winternitz OTS [Buchmann et al. 2011]

- Uses a pseudorandom function family
- Winternitz parameter w, message length m, random value x

[Figure: l chains; chain i starts at sk_i and ends at pk_i after w−1 applications of the PRF to the fixed random value x, each output keying the next step, for i = 1 … l.]




XMSS – public key

Modified Merkle Tree [Dahmen et al. 2008]

h: second-preimage-resistant hash function

Public key = (root, b0, b1, b2, …, bh)

[Figure: tree whose nodes at each level are computed with that level's bitmask (b0 at the leaf level, b1 above it, …, bh at the top); the bitmasks are part of the public key.]
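Added example (not the authors' code): the bitmasked Merkle tree from this slide in Python, building the tree, producing the authentication path for one leaf, and recomputing the root from a leaf, its index, the path and the public bitmasks. SHA-256 truncated to 16 bytes stands in for the AES-MMO hash; the leaves are constructed stand-ins for already-hashed OTS public keys; and one 2n-byte bitmask per level, XORed onto the concatenated children before hashing, is an assumed layout.

```python
"""Modified Merkle tree (Dahmen et al. 2008) as used by XMSS: bitmasked hashing of child nodes.
Added example; SHA-256/128 replaces the slides' AES-MMO hash (assumption)."""
import hashlib
import os

N = 16  # node size in bytes


def h(data: bytes) -> bytes:
    """Second-preimage-resistant hash function h (stand-in)."""
    return hashlib.sha256(data).digest()[:N]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def node(left: bytes, right: bytes, mask: bytes) -> bytes:
    """Parent = h((left || right) XOR b_j); one 2N-byte bitmask b_j per level j (assumed layout)."""
    return h(xor(left + right, mask))


def build_tree(leaves, masks):
    """All levels: level 0 = leaves, last level = [root]; masks[j] builds level j+1."""
    levels = [list(leaves)]
    for j in range(len(masks)):
        prev = levels[-1]
        levels.append([node(prev[k], prev[k + 1], masks[j]) for k in range(0, len(prev), 2)])
    return levels


def keygen(leaves):
    """Draw random bitmasks, build the tree; public key = (root, b0 .. bh)."""
    height = (len(leaves) - 1).bit_length()  # expects 2^height leaves
    masks = [os.urandom(2 * N) for _ in range(height)]
    levels = build_tree(leaves, masks)
    return levels, (levels[-1][0], masks)


def auth_path(levels, index: int):
    """Sibling of each node on the path from leaf `index` to the root, bottom up."""
    path = []
    for j in range(len(levels) - 1):
        path.append(levels[j][index ^ 1])
        index >>= 1
    return path


def root_from_path(leaf: bytes, index: int, path, masks) -> bytes:
    """What a verifier recomputes; the index bits decide left/right order at each level."""
    cur = leaf
    for j, sib in enumerate(path):
        cur = node(cur, sib, masks[j]) if index & 1 == 0 else node(sib, cur, masks[j])
        index >>= 1
    return cur


def verify(pk, leaf: bytes, index: int, path) -> bool:
    root, masks = pk
    return root_from_path(leaf, index, path, masks) == root


if __name__ == "__main__":
    leaves = [bytes([i]) * N for i in range(8)]   # constructed stand-ins for hashed OTS public keys
    levels, pk = keygen(leaves)
    path = auth_path(levels, 5)
    print(verify(pk, leaves[5], 5, path), verify(pk, leaves[5], 4, path))
```

The bitmasks are what let the security proof ask only for second-preimage resistance of h: to substitute a forged child pair the attacker must hit a fixed, randomly masked hash input rather than find any collision, which is why the public key carries b0 … bh alongside the root.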

