
Forward Secure Signatures on Smart Cards



Presentation Transcript


  1. Forward Secure Signatures on Smart Cards
     A. Hülsing, J. Buchmann, C. Busold
     16.08.2012 | TU Darmstadt | A. Hülsing | 1

  2. Forward Secure Digital Signatures

  3. Forward Secure Digital Signatures
     [Figure: classical scheme with a single (pk, sk) pair; forward secure scheme with one pk and secret keys sk1, sk2, …, ski, …, skT for the time periods t1, t2, …, ti, …, tT, starting from key gen.]

  4. Forward Secure Digital Signatures
     Pros:
     • Fulfills the intuition of a signature
     • Replaces timestamps
     • Cuts off some attack vectors for side-channel attacks
     • Especially interesting for document signatures and PKI
     Cons:
     • Stateful
     • Less efficient than standard signature schemes

  5. The eXtended Merkle Signature Scheme (XMSS)

  6. The eXtended Merkle Signature Scheme (XMSS) [Buchmann et al., 2011]
     • "Hash-based" forward secure signature scheme
     • Provably secure in the standard model
     • Minimal complexity-theoretic assumptions (SPR & PRF)
     • Generic construction (no specific hardness assumption)
     • Efficient (comparable to RSA)

  7. Hash-based Signature Schemes
     [Figure: binary tree of h-nodes with PK at the root and OTS key pairs at the leaves; the OTS keys at the bottom form the Secret Key]

  8. Goal / Challenges
     Goal
     • Implement XMSS on smartcard
     Challenges
     • On-card key generation too expensive [Rohde et al., 2008]
     • Stateful / NVM wear out

  9. Construction

  10. OTS / Key generation
     • Winternitz OTS [Buchmann et al., 2011] and forward secure PRG
     • Both use a pseudorandom function family
     • OTS requires computing many PRF chains
     • OTS public key can be computed from the signature

  11. XMSS signature
     [Figure: tree with bitmasks b0, b1, b2 along the path of leaf i]
     Signature = (i, …, …)

  12. BDS Tree Traversal [Buchmann et al., 2008]
     • Computes authentication paths
     • Store most expensive nodes
     • Left nodes are cheap
     • Distribute costs
     • (h-k)/2 updates per round
     [Figure: tree of height h with the top k levels marked; node counts 2^(h-1) and 2^(h-2)]

  13. Accelerate key generation: Tree Chaining [Buchmann et al., 2006]
     2^(h+1) → 2 · 2^(h/2+1) = 2^(h/2+2)
     But: larger signatures!
     [Figure: two chained trees with leaf indices j and i]

  14. Distributed Signature Generation
     Initial proposal [Buchmann et al., 2007]:
     • Distribute signature costs equally among all signatures in lower tree
     This work:
     • Use observation: BDS spends more updates than needed
     • Use unused updates to compute authentication path & signature

  15. Implementation

  16. Hash function & PRF
     • Use plain AES for the PRF
     • Use AES with Matyas-Meyer-Oseas in Merkle-Damgård mode for the hash function

  17. Results
     Infineon SLE78: 16-bit CPU @ 33 MHz, 8 KB RAM, TRNG, symmetric & asymmetric co-processor
     NVM: card 16.5 million write cycles / sector, XMSS+ < 5 million write cycles

  18. Conclusion

  19. Conclusion & future work
     Forward secure signature schemes can be implemented on smartcards, …
     … hash-based signatures with on-card key generation, too
     … performance is comparable to RSA, DSA, ECDSA …
     … higher provable security level requires tighter security proof or different block cipher / hash function

  20. Thank you, Questions?

  21. XMSS – Winternitz OTS [Buchmann et al., 2011]
     - Uses pseudorandom function family
     - Winternitz parameter w, message length m, random value x
     [Figure: l chains sk1 → pk1, …, skl → pkl, each of length w, all using the random value x]
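
The Winternitz OTS of slides 10 and 21, as an added Python example that is not code from the talk or its authors: each of the l chains is a PRF chain in which the key evolves while the random value x stays the fixed input, the secret key is l PRF outputs of a seed, the public key is the end of every chain after w-1 steps, and the verifier recovers the public key from the signature by finishing the chains (the "OTS public key can be computed from the signature" point of slide 10). HMAC-SHA256 stands in for the plain-AES PRF of the talk, w = 16 and m = 256 are assumed parameters, and all sample values are constructed.

```python
import hashlib
import hmac

W = 16   # Winternitz parameter w (assumed value; the talk leaves w as a parameter)
M = 256  # message digest length m in bits, fixed by the SHA-256 digest used below
N = 32   # byte length of keys and chain values (assumption)

def prf(key: bytes, x: bytes) -> bytes:
    """PRF family F_n. HMAC-SHA256 is an assumed stand-in for the plain-AES PRF of the talk."""
    return hmac.new(key, x, hashlib.sha256).digest()

def chain(start: bytes, x: bytes, steps: int) -> bytes:
    """PRF chain: the key evolves at every step while the random value x is the fixed input."""
    k = start
    for _ in range(steps):
        k = prf(k, x)
    return k

def digits_needed(max_value: int, w: int) -> int:
    """Smallest l with w**l > max_value, i.e. how many base-w digits max_value needs."""
    l = 0
    while max_value > 0:
        max_value //= w
        l += 1
    return l

def to_base_w(value: int, w: int, length: int) -> list[int]:
    """Fixed-length big-endian base-w representation of value."""
    digits = []
    for _ in range(length):
        value, d = divmod(value, w)
        digits.append(d)
    return digits[::-1]

def chain_lengths() -> tuple[int, int]:
    """l1 chains for the message digits, l2 chains for the checksum digits."""
    l1 = digits_needed(2 ** M - 1, W)
    l2 = digits_needed(l1 * (W - 1), W)
    return l1, l2

def message_digits(msg: bytes) -> list[int]:
    """Base-w digits of the message digest followed by the checksum digits."""
    l1, l2 = chain_lengths()
    b = to_base_w(int.from_bytes(hashlib.sha256(msg).digest(), "big"), W, l1)
    c = sum(W - 1 - d for d in b)  # checksum: raising any message digit lowers the checksum
    return b + to_base_w(c, W, l2)

def keygen(seed: bytes, x: bytes) -> tuple[list[bytes], list[bytes]]:
    """Secret key: l PRF outputs of the seed. Public key: end of each chain after w-1 steps."""
    l1, l2 = chain_lengths()
    sk = [prf(seed, i.to_bytes(4, "big")) for i in range(l1 + l2)]
    pk = [chain(s, x, W - 1) for s in sk]
    return sk, pk

def sign(sk: list[bytes], msg: bytes, x: bytes) -> list[bytes]:
    """Signature element i is chain i advanced by the i-th digit."""
    return [chain(s, x, d) for s, d in zip(sk, message_digits(msg))]

def pk_from_signature(sig: list[bytes], msg: bytes, x: bytes) -> list[bytes]:
    """Finish every chain: after w-1-d_i more steps element i must equal pk_i."""
    return [chain(s, x, W - 1 - d) for s, d in zip(sig, message_digits(msg))]

def verify(pk: list[bytes], sig: list[bytes], msg: bytes, x: bytes) -> bool:
    return pk_from_signature(sig, msg, x) == pk

if __name__ == "__main__":
    seed, x = b"\x11" * N, b"\x22" * N  # constructed sample values, not from the talk
    sk, pk = keygen(seed, x)
    sig = sign(sk, b"sample document", x)
    print(len(pk), "chains;", "valid" if verify(pk, sig, b"sample document", x) else "invalid")
```

With w = 16 and a 256-bit digest this gives l1 = 64 message chains plus l2 = 3 checksum chains, i.e. 67 PRF chains of up to 15 steps each for one signature, which is the "many PRF chains" cost that slide 10 refers to. The checksum is what makes the scheme one-time secure: an attacker who tries to raise a message digit (which only needs more PRF steps on a signature element) must lower the checksum, which would need a chain step backwards.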

  22. XMSS – secret key
     For multiple signatures use many key pairs, generated using a forward secure pseudorandom generator (FSPRG), built using the PRFF Fn.
     Secret key: random SEED for pseudorandom generation of the current signature key.
     [Figure: chain of FSPRG steps, each feeding a PRG]
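
The evolving secret key of slide 3 and the FSPRG of slide 22, as an added Python example that is not code from the talk or its authors: the card keeps only the SEED of the current period, each FSPRG step derives the next SEED and the current signing-key seed from it with the PRFF, and advancing overwrites the old SEED. The last function spells out the forward-security property: whoever captures the state in period i can derive the keys of period i and later, but not those of earlier periods. HMAC-SHA256 stands in for the plain-AES PRF of the talk, and the seed and period count are constructed sample values.

```python
import hashlib
import hmac

N = 32  # seed and key length in bytes (assumption; the talk's AES-based PRF works on 128-bit values)

def prf(key: bytes, label: bytes) -> bytes:
    """PRFF F_n. HMAC-SHA256 is an assumed stand-in for the plain-AES PRF of the talk."""
    return hmac.new(key, label, hashlib.sha256).digest()

def fsprg(seed: bytes) -> tuple[bytes, bytes]:
    """One FSPRG step: the current SEED yields the next SEED and this period's signing-key seed.
    Both outputs are PRF values, so neither reveals the input SEED."""
    return prf(seed, b"next-seed"), prf(seed, b"signing-key")

class ForwardSecureState:
    """On-card state: only the SEED of the current period is kept; earlier seeds are overwritten."""

    def __init__(self, seed0: bytes, periods: int):
        self.seed = seed0
        self.index = 0          # current period i
        self.periods = periods  # T, the total number of periods

    def current_signing_key(self) -> bytes:
        """Seed from which the signature key of the current period is generated."""
        return fsprg(self.seed)[1]

    def advance(self) -> None:
        """Move to period i+1; the old SEED is dropped, which is what gives forward security."""
        if self.index + 1 >= self.periods:
            raise RuntimeError("all T periods used; the key pair is exhausted")
        self.seed = fsprg(self.seed)[0]
        self.index += 1

def signing_keys_from(seed: bytes, count: int) -> list[bytes]:
    """Signing-key seeds of the next `count` periods derivable from a given SEED."""
    keys = []
    for _ in range(count):
        seed, key = fsprg(seed)
        keys.append(key)
    return keys

def keys_exposed_by_compromise(state: ForwardSecureState) -> list[bytes]:
    """Everything derivable from the card state in period state.index: the keys of the current
    and later periods only; earlier keys would need a SEED the card no longer holds."""
    return signing_keys_from(state.seed, state.periods - state.index)

if __name__ == "__main__":
    seed0 = bytes(range(N))  # constructed sample seed, not from the talk
    all_keys = signing_keys_from(seed0, 8)
    state = ForwardSecureState(seed0, 8)
    for _ in range(3):
        state.advance()
    exposed = keys_exposed_by_compromise(state)
    print("keys of periods 0-2 exposed:", any(k in exposed for k in all_keys[:3]))
```

The design point is that key generation at time t1 can still derive every period's key from the initial SEED (that is how the tree of slide 7 is built), while the state left on the card after advancing cannot go backwards, so a signature from an earlier period stays valid even after a later compromise.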

  23. XMSS – public key
     Modified Merkle Tree [Dahmen et al., 2008]
     h: second preimage resistant hash function
     Public key = (…, b0, b1, b2, h)
     [Figure: tree with bitmask b0 at the lowest level, b1 above, …, bh at the root]
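
The hash tree of slide 7, the index-plus-authentication-path part of the XMSS signature on slide 11, and the modified Merkle tree with bitmasks of slide 23, as an added Python example that is not code from the talk or its authors. It builds the tree with one bitmask per level (a simplification suggested by the slide's figure), extracts the authentication path for a leaf, and recomputes the root on the verifier side from (i, leaf, path) and the bitmasks in the public key. SHA-256 stands in for the AES-based Matyas-Meyer-Oseas hash of slide 16, and the leaves are constructed placeholders for the hashes of OTS public keys.

```python
import hashlib
import hmac

N = 32  # byte length of hash outputs (assumption)

def h(data: bytes) -> bytes:
    """Second preimage resistant hash function h. SHA-256 is an assumed stand-in for the
    AES-based Matyas-Meyer-Oseas hash of the talk."""
    return hashlib.sha256(data).digest()

def prf(key: bytes, label: bytes) -> bytes:
    """PRF used only to construct sample leaves and masks deterministically."""
    return hmac.new(key, label, hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def parent(left: bytes, right: bytes, mask: bytes) -> bytes:
    """Modified Merkle node: the concatenated children are XORed with the level's bitmask
    before hashing, which is what lets the proof rest on second preimage resistance."""
    return h(xor(left + right, mask))

def make_masks(seed: bytes, height: int) -> list[bytes]:
    """One 2n-byte bitmask b_j per level j; the masks are part of the public key (constructed here)."""
    return [prf(seed, b"mask-L-%d" % j) + prf(seed, b"mask-R-%d" % j) for j in range(height)]

def make_leaves(seed: bytes, count: int) -> list[bytes]:
    """Leaf i stands in for the hash of the i-th OTS public key (constructed sample values)."""
    return [h(prf(seed, b"ots-pk-%d" % i)) for i in range(count)]

def build_tree(leaves: list[bytes], masks: list[bytes]) -> list[list[bytes]]:
    """levels[0] are the leaves, levels[height] holds the root (the first part of the public key)."""
    levels = [list(leaves)]
    for mask in masks:
        below = levels[-1]
        levels.append([parent(below[2 * k], below[2 * k + 1], mask) for k in range(len(below) // 2)])
    return levels

def auth_path(levels: list[list[bytes]], index: int) -> list[bytes]:
    """Siblings on the path from leaf `index` to the root: the part of an XMSS signature
    that ties the leaf to the public key."""
    path = []
    for j in range(len(levels) - 1):
        path.append(levels[j][index ^ 1])
        index >>= 1
    return path

def root_from_path(leaf: bytes, index: int, path: list[bytes], masks: list[bytes]) -> bytes:
    """Verifier side: climb from the leaf; each index bit says whether the node is the right child."""
    current = leaf
    for sibling, mask in zip(path, masks):
        current = parent(sibling, current, mask) if index & 1 else parent(current, sibling, mask)
        index >>= 1
    return current

def verify_leaf(root: bytes, masks: list[bytes], leaf: bytes, index: int, path: list[bytes]) -> bool:
    """Accept iff the recomputed root matches the one in the public key."""
    return root_from_path(leaf, index, path, masks) == root

if __name__ == "__main__":
    H = 3                     # tree height, 2**H leaves (constructed sample size)
    seed = b"\x07" * N        # constructed sample seed
    masks, leaves = make_masks(seed, H), make_leaves(seed, 2 ** H)
    levels = build_tree(leaves, masks)
    root = levels[-1][0]
    for i in range(2 ** H):
        print(i, verify_leaf(root, masks, leaves[i], i, auth_path(levels, i)))
```

The `levels` table is the naive "store the whole tree" approach; the BDS traversal of slide 12 exists precisely because a card with 8 KB RAM cannot hold all 2^(h+1) nodes and instead recomputes the needed path nodes a few updates per signature.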
