Forward Secure Hash-based Signatures on Smartcards. A. Hülsing, J. Buchmann, C. Busold. 16.08.2012 | TU Darmstadt | A. Hülsing | 1

Description: Forward Secure Hash-based Signatures on Smartcards. A. Hülsing, J. Buchmann, C. Busold. PowerPoint (PPT) presentation.

Page 1: Forward Secure Hash-based Signatures on Smartcards

Forward Secure Hash-based Signatures on Smartcards

A. Hülsing, J. Buchmann, C. Busold

16.08.2012 | TU Darmstadt | A. Hülsing | 1

Page 2: Forward Secure Hash-based Signatures on Smartcards

Digital Signatures are Important!

Software updates

E-Commerce

… and many others

Page 3: Forward Secure Hash-based Signatures on Smartcards

What if…

IBM 2012: "…optimism about superconducting qubits and the possibilities for a future quantum computer are rapidly growing."

Page 4: Forward Secure Hash-based Signatures on Smartcards

Post-Quantum Signatures

Based on Lattice, MQ, Coding

Signature and/or key sizes

Runtimes

Secure parameters...

Page 5: Forward Secure Hash-based Signatures on Smartcards

Hash-based Signature Schemes [Merkle, Crypto'89]

Advantages:
- Not only "post-quantum"
- Fast, also without HW acceleration
- Strong security guarantees
- Forward secure

Drawbacks:
- Restricted number of signatures
- Slow key generation

Page 6: Forward Secure Hash-based Signatures on Smartcards

Forward Secure Signatures

Page 7: Forward Secure Hash-based Signatures on Smartcards

Forward Secure Signatures

[Figure: key material over time. Classical scheme: a single key pair (pk, sk) fixed at key generation. Forward secure scheme: pk fixed at key generation, while the secret key evolves sk → sk_1 → sk_2 → … → sk_i → … → sk_T over the time periods t_1, t_2, …, t_i, …, t_T.]

Goal (adversary holding sk_i): forge (M, signature, j) for an earlier period j < i.

Page 8: Forward Secure Hash-based Signatures on Smartcards

Forward Secure Digital Signatures

Benefits and applications:
- Fulfill the intuition of a signature
- Replace timestamps
- Side-channel resistance
- Document signatures and PKI

Drawbacks:
- Stateful
- Less efficient than standard signature schemes

Page 9: Forward Secure Hash-based Signatures on Smartcards

Construction

Page 10: Forward Secure Hash-based Signatures on Smartcards

Hash-based Signatures

[Figure: Merkle tree. The leaves are the public keys of the one-time signature (OTS) key pairs (eight in the figure); each inner node is the hash H of its two children; the root is the public key PK, and the OTS secret keys form the secret key SK.]

SIG = (i, , , , , )   [figure: the index i, the OTS signature of leaf i, and the authentication path nodes]

Page 11: Forward Secure Hash-based Signatures on Smartcards

Winternitz OTS [Merkle, Crypto'89; Even et al., JoC'96]

1. = f( )   [figure: each public key element is obtained by iterating f on a secret key element; the chain is spelled out on Page 22]
2. Trade-off between runtime and signature size, controlled by parameter w
3. Minimal security requirements [Buchmann et al., Africacrypt'11]
4. Uses PRFF F

SIG = (i, , , , , )

Page 12: Forward Secure Hash-based Signatures on Smartcards

XMSS – secret key

Secret key: random SEED for pseudorandom generation of the current signature key.

Generated using a forward secure pseudorandom generator (FSPRG), built using the PRFF F.

[Figure: chain of FSPRG steps; each step yields the next FSPRG state and a seed that a PRG expands into one OTS signature key.]

Page 13: Forward Secure Hash-based Signatures on Smartcards

BDS Tree Traversal [Buchmann et al., 2008]

- Computes authentication paths
- Store the most expensive nodes (the k levels below the root in the figure)
- Left nodes are cheap
- Distribute costs: (h-k)/2 updates per round

[Figure: tree of height h with the top k levels marked; the nodes near the root are annotated with # $2^{h-1}$ and # $2^{h-2}$.]

Page 14: Forward Secure Hash-based Signatures on Smartcards

Accelerate key generation: Tree Chaining [Buchmann et al., 2006]

[Figure: two chained trees with leaf indices i and j.]

Key generation cost: $2^{h+1} \to 2 \cdot 2^{h/2+1} = 2^{h/2+2}$

But: larger signatures!

Page 15: Forward Secure Hash-based Signatures on Smartcards

Distributed Signature Generation

Initial proposal [Buchmann et al., 2007]: distribute the signature costs equally among all signatures in the lower tree

This work:
- Use the observation that BDS spends more updates than needed
- Use the unused updates to compute the authentication path & signature

Page 16: Forward Secure Hash-based Signatures on Smartcards

Implementation

Page 17: Forward Secure Hash-based Signatures on Smartcards

Hash function & PRF

- Use plain AES for the PRF
- Use AES with Matyas-Meyer-Oseas in Merkle-Damgård mode for the hash function

$F_n = \{ f_k : \{0,1\}^n \to \{0,1\}^n \mid k \in \{0,1\}^n \}$

Page 18: Forward Secure Hash-based Signatures on Smartcards

Results

Scheme   | Sign (ms) | Verify (ms) | Keygen (ms) | Signature (byte) | Public key (byte) | Secret key (byte) | Bit sec. | Comment
XMSS     | 134       | 23          | 925,400     | 2,388            | 800               | 2,448             | 97       | h = 16, w = 4, k = 4
XMSS+    | 106       | 25          | 5,600       | 3,476            | 544               | 3,760             | 96       | H = 16, w = 4, k = 2
XMSS+    | 105       | 21          | 5,800       | 2,436            | 512               | 3,376             | 95       | H = 16, w = 8, k = 2
XMSS+    | 106       | 25          | 22,200      | 3,540            | 608               | 4,304             | 92       | H = 20, w = 4, k = 4
RSA 2048 | 190       | 7           | 11,000      | ≤ 256            | ≤ 512             | ≤ 512             | 87       |

Platform: Infineon SLE78, 16-bit CPU @ 33 MHz, 8 KB RAM, TRNG, symmetric & asymmetric co-processor

NVM: card 16.5 million write cycles / sector, XMSS+ < 5 million write cycles

Page 19: Forward Secure Hash-based Signatures on Smartcards

Conclusion

Page 20: Forward Secure Hash-based Signatures on Smartcards

Conclusion & future work

Forward secure signature schemes can be implemented on Smartcards, …

… hash-based signatures with on-card key generation, too

… performance is comparable to RSA, DSA, ECDSA …

… higher provable security level requires different block cipher / hash-function

Page 21: Forward Secure Hash-based Signatures on Smartcards

Thank you, Questions?

Page 22: Forward Secure Hash-based Signatures on Smartcards

XMSS – Winternitz OTS [Buchmann et al. 2011]

- Uses pseudorandom function family $F_n = \{ f_k : \{0,1\}^n \to \{0,1\}^n \mid k \in \{0,1\}^n \}$
- Winternitz parameter w, message length m, random value x

[Figure: l chains, one per secret key element, each iterated w-1 times on the public value x.]

$pk_1 = f^{w-1}_{sk_1}(x)$, …, $pk_l = f^{w-1}_{sk_l}(x)$, where (as in Buchmann et al. 2011) $f^0_k(x) = k$ and $f^e_k(x) = f_{f^{e-1}_k(x)}(x)$
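
An added example, not code from the slides or from the XMSS implementation they describe: a Winternitz OTS in Python following the chain definition above, with HMAC-SHA256 assumed as a stand-in for the AES-based PRF family $F_n$ and m = 256 (a sha256 digest) assumed as the message length. It shows how w trades chain length against the number of chains l, and why the checksum digits are part of the signature.

```python
import hashlib, hmac, math, os

M = 256  # message digest length m in bits (sha256 here; an assumption, not the slides' value)

def prf(key: bytes, msg: bytes) -> bytes:
    # PRFF F_n stand-in: HMAC-SHA256 in place of the AES-based f_k of the slides
    return hmac.new(key, msg, hashlib.sha256).digest()

def chain(start: bytes, x: bytes, steps: int) -> bytes:
    # f^steps_start(x): each PRF output keys the next call, x stays the fixed input
    for _ in range(steps):
        start = prf(start, x)
    return start

def wots_params(w: int):
    # l1 base-w digits cover the m-bit digest, l2 digits cover the Winternitz checksum
    lw = int(math.log2(w))
    l1 = math.ceil(M / lw)
    l2 = math.floor(math.log2(l1 * (w - 1)) / lw) + 1
    return l1, l2

def base_w(value: int, w: int, count: int):
    # Most-significant-first base-w digits of an integer (w a power of two)
    lw = int(math.log2(w))
    return [(value >> (lw * (count - 1 - k))) & (w - 1) for k in range(count)]

def message_digits(msg: bytes, w: int):
    # Digest digits b_1..b_l1, then checksum digits: sum(w-1-b_i) ensures that raising
    # any digest digit forces some checksum digit to decrease, which needs an unknown chain value
    l1, l2 = wots_params(w)
    lw = int(math.log2(w))
    d = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    b = base_w(d << (l1 * lw - M), w, l1)          # left-align when lw does not divide m
    return b + base_w(sum(w - 1 - bi for bi in b), w, l2)

def keygen(w: int, n: int = 32):
    l1, l2 = wots_params(w)
    x = os.urandom(n)                                # public random value x
    sk = [os.urandom(n) for _ in range(l1 + l2)]     # one n-byte secret per chain
    pk = [chain(s, x, w - 1) for s in sk]            # pk_i = f^{w-1}_{sk_i}(x)
    return sk, (x, pk)

def sign(sk, x: bytes, msg: bytes, w: int):
    # One-time: a second signature with the same sk reveals chain values for other digits
    return [chain(s, x, bi) for s, bi in zip(sk, message_digits(msg, w))]

def verify(pk_pair, msg: bytes, sig, w: int) -> bool:
    x, pk = pk_pair  # verifier completes each chain: f^{w-1-b_i}_{sig_i}(x) must equal pk_i
    return all(chain(si, x, w - 1 - bi) == pi for si, bi, pi in zip(sig, message_digits(msg, w), pk))
```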

Page 23: Forward Secure Hash-based Signatures on Smartcards

XMSS – secret key

For multiple signatures use many key pairs, generated using a forward secure pseudorandom generator (FSPRG), built using the PRFF $F_n$.

Secret key: random SEED for pseudorandom generation of the current signature key.

[Figure: chain of FSPRG steps; each step yields the next FSPRG state and a seed that a PRG expands into one OTS signature key.]
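
An added example for the secret-key construction on Pages 12 and 23, not code from the slides or from the XMSS+ implementation: the FSPRG step and the PRG expansion in Python, with HMAC-SHA256 assumed as the PRFF $F_n$ in place of AES and 32-byte values assumed for n. `forward_keys` shows what a captured state reveals, namely the OTS keys of later indices only, which is the forward security property.

```python
import hashlib
import hmac

N = 32  # byte length n of seeds and keys (constructed; the card uses AES-sized values)

def prf(key: bytes, msg: bytes) -> bytes:
    # PRFF F_n stand-in: HMAC-SHA256 keyed with an n-byte key (the slides use plain AES)
    return hmac.new(key, msg, hashlib.sha256).digest()

def fsprg_step(state: bytes):
    # One FSPRG iteration: (next state, output) = (F_state(0), F_state(1)).
    # The caller must overwrite the old state; once it is gone, earlier outputs are unrecoverable.
    return prf(state, b"\x00"), prf(state, b"\x01")

def prg(seed: bytes, count: int):
    # PRG built from F: expand one OTS seed into `count` n-byte OTS secret key elements
    return [prf(seed, j.to_bytes(4, "big")) for j in range(count)]

class XmssSecretKey:
    """Secret key = (index, current FSPRG state); the OTS keys themselves are never stored."""

    def __init__(self, seed: bytes, ots_len: int):
        self.index, self.state, self.ots_len = 0, seed, ots_len

    def next_ots_key(self):
        # Derive the OTS signature key for the current index and advance the state
        self.state, ots_seed = fsprg_step(self.state)   # old state is overwritten here
        i, self.index = self.index, self.index + 1
        return i, prg(ots_seed, self.ots_len)

def forward_keys(state: bytes, ots_len: int, count: int):
    # Everything derivable from a captured state: the OTS keys of the next `count` indices
    keys = []
    for _ in range(count):
        state, seed = fsprg_step(state)
        keys.append(prg(seed, ots_len))
    return keys
```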

Page 24: Forward Secure Hash-based Signatures on Smartcards

XMSS – public key

Modified Merkle Tree [Dahmen et al. 2008], with h a second-preimage-resistant hash function

[Figure: tree of height 3 over eight leaves; every node is computed with h, and the children at each level are masked with that level's bitmask before hashing (b_0 on the leaf level, b_1 above it, …, b_h at the top).]

Public key = (root of the tree, b0, b1, b2, h)
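
An added example for the modified Merkle tree on Pages 10 and 24, not code from the slides or from the XMSS+ implementation: root computation, authentication path extraction and the verifier's root recomputation in Python, with sha256 assumed in place of the AES-MMO hash h and the level bitmask assumed to be XORed over the concatenated children. The leaves are constructed hashes standing in for OTS public keys.

```python
import hashlib
import os

N = 32  # node length n in bytes (constructed; the card implementation uses AES-sized outputs)

def h(data: bytes) -> bytes:
    # Stand-in for the second-preimage-resistant hash h (slides: AES-MMO in Merkle-Damgård mode)
    return hashlib.sha256(data).digest()

def node(left: bytes, right: bytes, bitmask: bytes) -> bytes:
    # Modified Merkle tree node: the concatenated children are XORed with the level's
    # 2n-byte bitmask before hashing (assumed placement of b_i)
    pair = left + right
    return h(bytes(p ^ q for p, q in zip(pair, bitmask)))

def build_tree(leaves, bitmasks):
    # levels[0] = leaves, levels[i+1] is built with bitmask b_i, levels[-1] = [root]
    levels = [list(leaves)]
    for b in bitmasks:
        prev = levels[-1]
        levels.append([node(prev[j], prev[j + 1], b) for j in range(0, len(prev), 2)])
    return levels

def auth_path(levels, index: int):
    # Sibling of each node on the path from leaf `index` to the root: the authentication
    # path that goes into SIG next to the index i and the OTS signature
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])
        index >>= 1
    return path

def root_from_path(leaf: bytes, index: int, path, bitmasks) -> bytes:
    # Verifier: recompute the root from the leaf, its index, the path and the public bitmasks
    cur = leaf
    for sib, b in zip(path, bitmasks):
        cur = node(sib, cur, b) if index & 1 else node(cur, sib, b)
        index >>= 1
    return cur

def keygen(height: int, n: int = N):
    # Constructed leaves: a hash of random bytes stands in for each OTS public key
    leaves = [h(os.urandom(n)) for _ in range(2 ** height)]
    bitmasks = [os.urandom(2 * n) for _ in range(height)]   # b_0 .. b_{height-1}
    levels = build_tree(leaves, bitmasks)
    return leaves, levels, (levels[-1][0], bitmasks)         # PK = (root, b_0, ..., b_{h-1}, h)
```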