Practical Forward Secure Signatures using Minimal Security Assumptions

23.09.2013 | TU Darmstadt | Andreas Hülsing | 1

PhD DefenseAndreas Hülsing

Digital Signatures are Important!

Software updates

E-Commerce

… and many others

Forward Secure Signatures[And97]

Forward Secure Signatures

classicalpk

Key gen.

forward secpk

sksk1 sk2 ski skT

t1 t2 ti tT

ijjSigGoal ),,(:

What if…

Post-Quantum Signatures

Lattice, MQ, Coding

Signature and/or key sizes

Runtimes

Secure parameters

no forward secure signatures

14232232

34121211

yxxxxxxy

xxxxxxy

Hash-based Signature Schemes[Mer89]

Post quantum

Only secure hash function

Security well understood

Forward secure (inefficient)23.09.2013 | TU Darmstadt | Andreas Hülsing | 7

Cryptographic Hash Functions

{0,1}m

{0,1}n

}}1,0{|}1,0{}1,0{:{ 'nnmKn KH Η

•Cryptomania•AC O(2n/2)Collision Resistance

•Minicrypt•AC O(2n)Second-preimage

Resistance (SPR)

•Minicrypt•AC O(2n)

One-wayness

•Minicrypt•AC O(2n)

Undetectability (UD)

•Minicrypt•AC O(2n)Pseudorandomness

Hash-based Signatures

OTS OTS OTS OTS OTS OTS OTS

HH H H H H H H

H H H H

SIG = (i=2, , , , , )

Challenges & Achievements

Minimal security assumptions XOR Efficient

Forward secure XOR Efficient

Large signatures

No full smartcard implementation

Efficient

Minimal security assumptions

„Small signatures"

Forward secure

Full smartcard implementation

Contribution

Chapter 3New Variants of the Winternitz One Time Signature Scheme• WOTS+ & WOTS$

Chapter 4XMSS • „A practical, forward secure

signature scheme based on minimal security assumptions“

Chapter 5XMSSMT

• „XMSS with Virtually Unlimited Signature Capacity”

Chapter 6 Choosing Optimal Parameters for XMSS∗

Chapter 7XMSS∗ in Practice• Implementation• Experimental results (CPU &

smartcard)

Chapter 3

New Variants of the Winternitz One Time Signature Scheme

Winternitz OTS (WOTS) [Mer89; EGM96]

| | = | | = m * | |

1. = f( )

2. Trade-off between runtime and signature size | | ~ m/log w * | |

SIG = (i, , , , , )

Function family:

Formerly:

For w ≥ 2 select R = (r1, …, rw-1)

WOTSFunction Chain

c0(x) = x

c1(x) = cw-1 (x)

}}1,0{|}1,0{}1,0{:{ 'nnnKn KF F

'1 }1,0{,}1,0{ nwn K

)( 1rxFK

'1 }1,0{,)())(()( n

timesi

Ki KxFFFxcFxc

))(()( 1i

i rxcFxc ci-1 (x) ci (x)

Winternitz parameter w, security parameter n, message length m, function family

Key Generation: Compute l , sample K, sample R

[Hül13]

c0(skl ) = skl

c1(skl ) pkl = cw-1(skl )

}}1,0{|}1,0{}1,0{:{ 'nnnKn KF F

c0(sk1) = sk1

c1(sk1)

pk1 = cw-1(sk1)

WOTS+ Signature generation

b1 b2 b3 b4 … … … … … … … bl 1 bl 1+1 bl 1+2 … … bl

c0(skl ) = skl

pkl = cw-1(skl )

c0(sk1) = sk1pk1 = cw-1(sk1)

σ1=cb1(sk1)

σl =cbl (skl )

Main result

Theorem 3.9 (informally):W-OTS+ is strongly unforgeable under chosen message attacks if F

is a 2nd-preimage resistant, undetectable one-way function family

Security ProofReduction

Intuition

Oracle Response: (σ, M); M →(b1,…,bl ) Forgery: (σ*, M*); M* →(b1*,…, bl*)

Observations:1.Checksum: 2. Verification cw-1-bα*

(σ*α) = pkα = cw-1-bα (σα)

“quasi-inversion”

bbthsl *..},..,1{

c0(skα) = skα

pkασα

pk*ασ*α

??????? !?

Intuition, cont‘d

Oracle Response: (σ, M); M →(b1,…,bl ) Forgery: (σ*, M*); M* →(b1*,…, bl*)

Given:“quasi-inversion” of c

c0(skα) = skα

pkασα

second-preimage

preimage

Result

Old [DSS05]

CR, UD, OW Fn

Cryptomania

|Sig| = l *2b

WOTS$[BDEHR11]

PRF Fn

Minicrypt

|Sig| = l *(b+w)

WOTS+[Hül13]

SPR, UD, OWFn

Conj. Minicrypt

|Sig| = l *(b+log w)

Chapter 4

XMSS[BDH11]

Lamport-Diffie / WOTS WOTS+ / WOTS$

Tree construction [DOTV08]

Pseudorandom key generation

FSPRG FSPRG FSPRG FSPRG FSPRG

Result

SPR-MSS [DOTV08]

Minicrypt

|SK| = 2h+1bm + TTA

|SIG|~2bm + hb

GMSS (Single Tree)[BDK+07]

Cryptomania

Not FSS

|SK| = b + TTA

|SIG|~2b(m/log w) + h2b

XMSS[BDH11]

Minicrypt

|SK| = b + TTA

|SIG|~ b(m/log w) + hb

Chapter 7

XMSS* in Practice

XMSS ImplementationsC Implementation

C Implementation, using OpenSSL [BDH2011] Sign (ms)

Verify (ms)

Signature (bit) Public Key (bit)

Secret Key (byte)

Bit Security Comment

XMSS-SHA-2 35.60 1.98 16,672 13,600 3,364 157 h = 20,w = 64,

XMSS-AES-NI 0.52 0.07 19,616 7,328 1,684 84 h = 20,w = 4

XMSS-AES 1.06 0.11 19,616 7,328 1,684 84 h = 20,w = 4

RSA 2048 3.08 0.09 ≤ 2,048 ≤ 4,096 ≤ 512 87

Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz with Intel AES-NI

XMSS ImplementationsSmartcard Implementation

Sign (ms)

Verify (ms)

Keygen(ms)

Signature (byte)

Public Key (byte)

Secret Key (byte)

Bit Sec. Comment

XMSS 134 23 925,400 2,388 800 2,448 92 H = 16,w = 4

XMSS+ 106 25 5,600 3,476 544 3,760 94 H = 16,w = 4

RSA 2048

190 7 11,000 ≤ 256 ≤ 512 ≤ 512 87

Infineon SLE78 16Bit-CPU@33MHz, 8KB RAM, TRNG, sym. & asym. co-processor

NVM: Card 16.5 million write cycles/ sector, XMSS+ < 5 million write cycles (h=20)

[HBB12]

Conclusion

Efficient

Minimal security assumptions

„Small signatures"

Forward secure

Full smartcard implementation

Future Work

FSS in the wildStatefullness in Practice

Stateless SignaturesFew-time WOTS

Thank you!Questions?

Publications[1] J. Buchmann, E. Dahmen, S. Ereth, A. Hülsing, and M. Rückert. On

the security of the Winternitz one-time signature scheme. In A. Nitaj and D. Pointcheval (Eds), Africacrypt 2011, LNCS 6737, pp 363-378. Springer Berlin / Heidelberg, 2011.

[2] J. Buchmann, E. Dahmen, and A. Hülsing. XMSS - a practical forward secure signature scheme based on minimal security assumptions. In Bo-Yin Yang (Ed), Post-Quantum Cryptography, LNCS 7071, pp 117-129. Springer Berlin / Heidelberg, 2011.

[3] A. Hülsing, A. Petzoldt, M. Schneider, and S.M. El Yousfi Alaoui. Postquantum Signaturverfahren Heute. In Ulrich Waldmann (Ed), 22. SIT-Smartcard Workshop 2012, IHK Darmstadt, Feb 2012. Fraunhofer Verlag Stuttgart.

[4] A. Hülsing, C. Busold, and J. Buchmann. Forward secure signatures on smart cards. In Lars R. Knudsen and Huapeng Wu (Eds), Selected Areas in Cryptography, LNCS 7707, pp 66–80. Springer Berlin Heidelberg, 2013.

[5] J. Braun, A. Hülsing, A. Wiesmaier, M. A. G. Vigil, and J. Buchmann. How to avoid the breakdown of public key infrastructures - forward secure signatures for certificate authorities. In S. Capitani di Vimercati and C. Mitchell (Eds), EuroPKI 2012, LNCS 7868, pp 53-68. Springer Berlin Heidelberg, 2013.

[6] J. Buchmann, E. Dahmen, S. Ereth, A. Hülsing, and M. Rückert. On the security of the Winternitz one-time signature scheme. Journal of Applied Cryptography, 3(1):84–96, 2013.

[7] A. Hülsing. W-OTS+ — shorter signatures for hash-based signature schemes. In A.Youssef, A. Nitaj, and A.E. Hassanien (Eds), Africacrypt 2013, LNCS 7918, pp 173–188. Springer Berlin Heidelberg, 2013.

[8] M. M. Olembo, T. Kilian, S. Stockhardt, A. Hülsing, and M. Volkamer. Developing and testing a visual hash scheme. In N. Clarke, S.Furnell, and V.Katos (Eds), Proceedings of the European Information Security Multi-Conference (EISMC 2013). Plymouth University, April 2013.

[9] P. Weiden, A. Hülsing, D. Cabarcas, and J. Buchmann. Instantiating treeless signature schemes. Cryptology ePrint Archive, Report 2013/065, 2013. http://eprint.iacr.org/.

[10] A. Hülsing, J. Braun. Langzeitsichere Signaturen durch den Einsatz hashbasierter Signaturverfahren. In Tagungsband zum 13. Deutschen IT-Sicherheitskongress 2013, Herausgeber: BSI, Secu-Media Verlag, Gau-Algesheim, 2013.

[11] J. Braun, M. Horsch, A. Hülsing. Effiziente Umsetzung des Kettenmodells unter Verwendung vorwärtssicherer Signaturverfahren. In Tagungsband zum 13. Deutschen IT-Sicherheitskongress 2013, Herausgeber: BSI, Secu-Media Verlag, Gau-Algesheim, 2013.

[12] A. Hülsing, L. Rausch, and J. Buchmann. Optimal parameters for XMSSMT. In A. Cuzzocrea, C. Kittl, D. E. Simos, E. Weippl, and L. Xu, (Eds), Security Engineering and Intelligence Informatics, LNCS 8128, pp 194–208. Springer Berlin Heidelberg, 2013.

[13] J. Buchmann, D. Cabarcas, F. Göpfert, A. Hülsing, and P. Weiden. Discrete ziggurat: A time-memory trade-off for sampling from a gaussian distribution over the integers. In Selected Areas in Cryptography 2013 (SAC’13), to appear.

[14] J. Braun, F. Kiefer, and A. Hülsing. Revocation & non-repudiation: When the first destroys the latter. In EuroPKI 2013, to appear.

Quantum Computing Progress

IBM 2012: “Scientists at IBM Research … have achieved major advances in quantum computing

device performance that may accelerate the realization of a practical, full-scale quantum computer.“

Chapter 5

XMSSMT

Tree Chaining [BGD+06,BDK+07]

Improved distributed signature generation [HBB12,HRB13]

)2()2(: / dhhKG OOt

Result

GMSS [BDK+07]

Cryptomania

Not FSS

tSIG = h/2=Σ hi/2

XMSSMT[HBB12,HRB13]

Minicrypt

tSIG = h0/2

Security Level aka. Bit Security

Exact Proof:

„ In general, a cryptographic system offers security level λ if a successful generic attack can be expected to require effort approximately 2λ−1. “ [Len04]

Solve for t:

Using = =

Security Level aka. Bit Security(Quantum Case)

Exact Proof:

„ In general, a cryptographic system offers security level λ if a successful generic attack can be expected to require effort approximately 2λ−1. “ [Len04]

Solve for t:

Using = =

EU-CMA for OTS

PK, 1n

(σ, M)

(σ*, M*) Success if M* ≠ M and Verify(pk,σ*,M*) = Accept

Quantum-secure Signatures

PK, 1n

mm m m ,

q-times

11},{ q

mi im :)])(1,1[,(ifSuccess, jiqji

1),,Verify(pkand imiji mmm

BDS-Tree Traversal[BDS08]

Computes authentication paths

Store most expensive nodes

# 2h-1

# 2h-2

Left nodes are cheap Distribute costs

(h-k)/2 updates per round

Target-collision resistant HFF

One-way FF

Pseudorandom FF

Second-preimage resistant HFF

Minimal Security Assumptions

Digital signature scheme

[Rom90]

Pseudorandom Generator

[GGM86]

[NaYu89][Rom90]

[HILL99]

From Fixed to Arbitrary Length Messages

„Hash and Sign“Collision-

Resistant HFF

Efficient Cryptomania

Target Collision-Resistant HFF

Inefficient Minicrypt

Minimal Security Assumptions - Why?

Theory: Nice

Practice:Weaker

Assumption Stronger Security

Smaller Signatures

Attack:Weaker

AssumptionHarder to

attackAttack less

likely“Early

Warning”

… BUT WAIT !

CR for Chosen Message AttacksRandom Message Attacks: only SPRActive Signing:

CMAStored Messages:

RMAIf CR broken: Change HFF

02.12.2011 | TU Darmstadt | A. Huelsing | 46

Hash function &PRF

Use plain AES for PRF

Use AES with Matyas-Meyer-Oseas in Merkle-Damgård mode for hash function

}}1,0{|}1,0{}1,0{:{ nnnKn KF F

Practical Forward Secure Signatures using Minimal Security Assumptions

Documents

Time-release Cryptography from Minimal Circuit Assumptions · 2020-06-19 · Time-release Cryptography from Minimal Circuit Assumptions Samuel Jaques Hart Montgomeryy Arnab Royz Abstract

Realizing Hash and Sign Signatures under Standard Assumptions

EDITED BY - American Mathematical Society · 2018. 11. 16. · Existence of 1Dvectorial Absolute Minimisers in L1under minimal assumptions, 2567 Achinger, Piotr, and Maciej Zdanowicz

2010 IEEE International Conference on Bioinformatics and ...Clustering-based Methodology with Minimal User Supervision for Displaying Cell-phenotype Signatures in Image-basedScreening

FE and iO for Turing Machines from Minimal Assumptions · 2018-09-28 · from Minimal Assumptions Shweta Agrawal Monosij Maitra y Abstract We construct Indistinguishability Obfuscation

Mercurial Commitments: Minimal Assumptions and Eﬃcient ...dodis/ps/mercury.pdfMinimal Assumptions for Mercurial Commitments. Having introduced a new cryptographic primitive, it is

Minimal Coverage for Ontology Signatures · tasks can be characterised (amongst other parameters) by their signature, thus the prerequisite for performing a knowledge-based task is

A model for focal seizure onset, propagation, evolution ...A model for focal seizure onset, propagation, evolution, and progression ... we adopt an approach with minimal assumptions,

Conﬁned Guessing: New Signatures From Standard Assumptions · digital signatures, an adversary A wins if it generates a signature for a (fresh) ... round i∗ up to the next integer.)

Shorter Ring Signatures from Standard Assumptions · 2019. 1. 17. · Shorter Ring Signatures from Standard Assumptions Alonso Gonz alez1 ENS de Lyon, Laboratoire LIP (U. Lyon, CNRS,

Unified, Minimal and Selectively Randomizable Structure-Preserving Signatures Masayaki Abe, NTT Jens Groth, University College London Miyako Ohkubo, NICT

Genuinity Signatures: Designing Signatures for Verifying

Post-Quantum Attribute-Based Signatures from Lattice Assumptions · 2017-04-23 · trust negotiation, e.g. [13], attribute-based messaging, e.g. [3], and leaking secrets. Various

Nassim Nicholas Taleb's Home Page - uvm.edu...More Power-Law Mechanisms Optimization Minimal Cost Mandelbrot vs. Simon Assumptions Model Analysis Extra And the winner is...? Robustness

Computing Minimal De nition Signatures in Description ... · as SNOMED CT1 or the Foundational Model of Anatomy (FMA)2. Existing rewriting algorithms are language dependent, and thus

Optical/Thermal: Principles& Applications- Angular signatures - Spatial signatures - Temporal signatures - Other signatures (i.e., fluore scence, polarization, etc.) What we measure

STRIKE Jeopardy Strength Knowledge 1Signature 2 Signatures 3 Signatures Final Jeopardy Tolerance Empathy 1Signature 2 Signatures 3 Signatures Responsibility

Minimal Pairs and Quasi-Minimal degrees for Joint Spectra · MINIMAL PAIRS QUASI-MINIMAL DEGREE Minimal Pairs and Quasi-Minimal degrees for Joint Spectra Alexandra A. Soskova Department

Email Signatures - Exclaimerdocs.exclaimer.com/Email-Signatures-A-New... · Email Signatures: A New Communications Channel ... email signatures have to be seen as a marketing opportunity

Sup 2012 Sup ieure´ proof) Functions otocols Actions · 1 oduction ation Functions Applications 2 ools Assumptions yption Methodology 3 Signatures Introduction yption 4 yption Denitions