
Post-Quantum Signatures

XMSS: Practical Hash-Based Signatures. Andreas Hülsing, joint work with Johannes Buchmann and Erik Dahmen. Topics: post-quantum signatures (lattice, MQ, coding; signature and/or key sizes, runtimes, secure parameters); hash-based signature schemes [Mer89].





Presentation Transcript


  1. XMSS: Practical Hash-Based Signatures. Andreas Hülsing, joint work with Johannes Buchmann and Erik Dahmen. 23.09.2013 | TU Darmstadt | Andreas Hülsing | 1

  2. Post-Quantum Signatures. Lattice, MQ, Coding: signature and/or key sizes; runtimes; secure parameters.

  3. Hash-based Signature Schemes [Mer89]

  4. Hash-based Signatures. [Figure: Merkle tree of hash nodes H built over one-time signature key pairs (OTS), with the public key PK at the root and the secret key SK at the leaves; signature SIG = (i=2, , , , , ), whose remaining components were symbol images not preserved in the transcript.]

  5. XMSS

  6. Results

  7. New Variants of the Winternitz One-Time Signature Scheme (OTS)

  8. Winternitz OTS (WOTS) [Mer89; EGM96]. Key and signature sizes: | | = | | = m * | |. 1. Chain step: = f( ). 2. Trade-off between runtime and signature size: | | ~ m/log w * | |. SIG = (i, , , , , ). (The symbols inside the bars and parentheses were images not preserved in the transcript.)
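The Winternitz construction and its runtime/signature-size trade-off sketched on this slide, as an added Python example that is not code from the talk or from any XMSS implementation. It assumes toy parameters (N = 32-byte digests, Winternitz parameter w in {4, 16, 256}) with SHA-256 standing in for the function family F, and includes the checksum chains that stop a forger from simply advancing a chain further.

```python
import hashlib
import math
import os

N = 32  # bytes per hash output; message digest length m = 8 * N bits (constructed toy parameter)

def f(x: bytes) -> bytes:
    """One-way function for chain steps; SHA-256 stands in for the function family F."""
    return hashlib.sha256(x).digest()

def chain(x: bytes, steps: int) -> bytes:
    """Apply f `steps` times: one Winternitz hash chain walk."""
    for _ in range(steps):
        x = f(x)
    return x

def wots_params(w: int, m: int = 8 * N):
    """Chain count for parameter w: len1 message chains plus len2 checksum chains."""
    lg = int(math.log2(w))          # bits per digit; assumes w in {4, 16, 256} so lg divides 8
    len1 = math.ceil(m / lg)        # ~ m / log w: the size side of the slide's trade-off
    len2 = math.floor(math.log2(len1 * (w - 1)) / lg) + 1
    return lg, len1, len2

def digits_of(msg: bytes, w: int) -> list:
    """Base-w digits of H(msg) followed by the checksum digits (any digit raised lowers the checksum)."""
    lg, len1, len2 = wots_params(w)
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    msg_digits = [(h >> (8 * N - lg * (i + 1))) & (w - 1) for i in range(len1)]
    csum = sum(w - 1 - d for d in msg_digits)
    csum_digits = [(csum >> (lg * (len2 - 1 - i))) & (w - 1) for i in range(len2)]
    return msg_digits + csum_digits

def keygen(w: int):
    """Secret key: one random chain start per digit. Public key: every chain walked to its end.
    Cost: (len1 + len2) * (w - 1) calls to f, the runtime side of the trade-off."""
    _, len1, len2 = wots_params(w)
    sk = [os.urandom(N) for _ in range(len1 + len2)]
    pk = [chain(s, w - 1) for s in sk]
    return sk, pk

def sign(sk: list, msg: bytes, w: int) -> list:
    """Release each chain advanced by its digit; signature size is len(sk) * N bytes."""
    return [chain(s, d) for s, d in zip(sk, digits_of(msg, w))]

def verify(pk: list, msg: bytes, sig: list, w: int) -> bool:
    """Finish every chain (w - 1 - d more steps) and compare against the public key."""
    return [chain(s, w - 1 - d) for s, d in zip(sig, digits_of(msg, w))] == pk
```

With these parameters w=16 gives 67 chains (2144-byte signatures) at 15 hash calls per chain, while w=4 gives 133 chains at 3 calls each, which is the trade-off the slide states.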

  9. WOTS+ [Hül13]. Theorem 3.9 (informally): W-OTS+ is strongly unforgeable under chosen message attacks if F is a 2nd-preimage resistant, undetectable one-way function family.

  10. XMSS [BDH11] • Lamport-Diffie / WOTS, WOTS+ • Tree construction [DOTV08] • Pseudorandom key generation [figure: forward-secure PRG (FSPRG) states and PRG outputs, not preserved in the transcript]

  11. XMSS* in Practice

  12. XMSS Implementations • C implementation [BDH11], using OpenSSL; Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz with Intel AES-NI

  13. XMSS Implementations • Smartcard implementation [HBB12]: Infineon SLE78, 16-bit CPU @ 33 MHz, 8 KB RAM, TRNG, symmetric & asymmetric co-processor. NVM: card 16.5 million write cycles/sector; XMSS+ < 5 million write cycles (h=20).

  14. Conclusion

  15. Conclusion

  16. Future Work. Main drawback: state. Easy migration? Interfaces; key management.

  17. Thank you! Questions?
