Description: Forward Secure Hash-based Signatures on Smartcards. A. Hülsing, J. Buchmann, C. Busold. PowerPoint presentation (slide transcript).
Forward Secure Hash-based Signatures on Smartcards
A. Hülsing, J. Buchmann, C. Busold
16.08.2012 | TU Darmstadt | A. Hülsing | 1
Digital Signatures are Important!
Software updates
E-Commerce
… and many others
What if…
IBM 2012: "…optimism about superconducting qubits and the possibilities for a future quantum computer are rapidly growing."
Post-Quantum Signatures
Based on Lattice, MQ, Coding
Signature and/or key sizes
Runtimes
Secure parameters...
Hash-based Signature Schemes [Merkle, Crypto'89]
+ Not only "post-quantum"
+ Fast, also without HW-acceleration
+ Strong security guarantees
+ Forward secure
- Restricted number of signatures
- Slow key generation
Forward Secure Signatures
[Figure: key evolution over time. Classical scheme: key gen. produces one pk and one sk. Forward secure scheme: one pk, secret keys sk_1, sk_2, ..., sk_i, ..., sk_T for time periods t_1, t_2, ..., t_i, ..., t_T. Attacker's goal: (M, ·, j) with j < i, i.e. a forgery for an earlier period after learning sk_i.]
Forward Secure Digital Signatures
Fulfill intuition of signature
Replace timestamps
Side-Channel Resistance
Document signatures and PKI
Stateful
Less efficient than standard signature schemes
Construction
Hash-based Signatures
[Figure: Merkle tree. Leaves: one OTS key pair each. Internal nodes: H applied to the two children, up to the root, which is PK. SK generates the OTS keys at the leaves. SIG = (i, …)]
Winternitz OTS [Merkle, Crypto‘89; Even et al., JoC‘96]
1. pk_i = f^{w-1}_{sk_i}(x)
2. Trade-off between runtime and signature size, controlled by parameter w
3. Minimal security requirements [Buchmann et al., Africacrypt'11]
4. Uses PRFF F
SIG = (i, …)
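As an added example (not code from the talk), a Winternitz OTS over a PRF keyed the XMSS way: the chain key is iterated while x stays fixed, so pk_i = f^{w-1}_{sk_i}(x), with message digits in base w plus a checksum. HMAC-SHA256 stands in for the talk's AES-based PRFF and SHA-256 for the message digest; both are assumptions.

```python
import hashlib
import hmac
import math

def f(k: bytes, x: bytes) -> bytes:
    """PRF f_k(x). HMAC-SHA256 is a stand-in for the AES-based PRFF (assumption)."""
    return hmac.new(k, x, hashlib.sha256).digest()

def chain(k: bytes, x: bytes, steps: int) -> bytes:
    """f^0_k(x) = k, f^e_k(x) = f_{f^{e-1}_k(x)}(x): the key is iterated, x is fixed."""
    for _ in range(steps):
        k = f(k, x)
    return k

def params(w: int, m: int = 256):
    """Digit width, number of message digits l1 and checksum digits l2."""
    assert w > 1 and w & (w - 1) == 0, "w must be a power of two here"
    lg = int(math.log2(w))
    l1 = math.ceil(m / lg)
    l2 = math.floor(math.log2(l1 * (w - 1)) / lg) + 1
    return lg, l1, l2

def digits(msg: bytes, w: int, m: int = 256) -> list:
    """Base-w digits of the message digest followed by the base-w checksum."""
    lg, l1, l2 = params(w, m)
    md = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    b = [(md >> (lg * (l1 - 1 - i))) & (w - 1) for i in range(l1)]
    c = sum(w - 1 - bi for bi in b)          # checksum stops "walking chains forward"
    b += [(c >> (lg * (l2 - 1 - i))) & (w - 1) for i in range(l2)]
    return b

def keygen(seed: bytes, x: bytes, w: int):
    """sk_i derived from seed with the PRF; pk_i is the end of the chain of length w-1."""
    _, l1, l2 = params(w)
    sk = [f(seed, i.to_bytes(4, "big")) for i in range(l1 + l2)]
    pk = [chain(k, x, w - 1) for k in sk]
    return sk, pk

def sign(sk: list, x: bytes, w: int, msg: bytes) -> list:
    """sigma_i = f^{b_i}_{sk_i}(x); sk must be used for one message only."""
    return [chain(k, x, b) for k, b in zip(sk, digits(msg, w))]

def verify(pk: list, x: bytes, w: int, msg: bytes, sig: list) -> bool:
    """Walk each chain the remaining w-1-b_i steps and compare with pk."""
    return pk == [chain(s, x, w - 1 - b) for s, b in zip(sig, digits(msg, w))]
```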
Generated using a forward secure pseudorandom generator (FSPRG), built using PRFF F:
Secret key: random SEED for pseudorandom generation of the current signature key.
XMSS – secret key
[Figure: chain of FSPRG states; each state is expanded by a PRG into the current OTS signature key while the FSPRG advances to the next state.]
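Added example, not from the talk: a forward-secure PRG that turns the stored seed into the current OTS signing seed and then overwrites its own state, so a card compromised in period i only yields S_i and later keys. HMAC-SHA256 stands in for the PRFF and the two domain tags are constructed.

```python
import hashlib
import hmac

def prf(key: bytes, inp: bytes) -> bytes:
    """PRF keyed by the FSPRG state (HMAC-SHA256 stand-in, assumption)."""
    return hmac.new(key, inp, hashlib.sha256).digest()

class FSPRG:
    """State S_i -> (S_{i+1}, R_i). Only S_{i+1} is kept; R_i seeds OTS key i."""
    def __init__(self, seed: bytes):
        self.state = seed       # S_0 = SEED, the only secret stored long-term
        self.period = 0

    def next_key(self) -> bytes:
        r = prf(self.state, b"\x01")            # R_i: seed of the i-th signature key
        self.state = prf(self.state, b"\x00")   # S_{i+1} replaces S_i in NVM
        self.period += 1
        return r

def ots_seeds(seed: bytes, count: int) -> list:
    """OTS seeds for periods 0..count-1, derived sequentially from SEED."""
    g = FSPRG(seed)
    return [g.next_key() for _ in range(count)]

def state_after(seed: bytes, periods: int) -> bytes:
    """S_periods, the state a card holds after signing `periods` times."""
    g = FSPRG(seed)
    for _ in range(periods):
        g.next_key()
    return g.state
```

Everything derivable from S_i (R_i, R_{i+1}, ...) is also derivable by whoever reads the card at period i, which is why the PRG expands R_i into a fresh OTS key per period rather than reusing the seed.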
BDS Tree Traversal [Buchmann et al., 2008]
Computes authentication paths
Store most expensive nodes
[Figure: tree of height h with 2^{h-1}, 2^{h-2}, ... nodes per level; the top k levels are stored. Left nodes are cheap. Distribute costs: (h-k)/2 updates per round.]
Accelerate key generation: Tree Chaining [Buchmann et al., 2006]
2^{h+1} → 2·2^{h/2+1} = 2^{h/2+2} leaf computations
But: larger signatures!
Distributed Signature Generation. Initial proposal [Buchmann et al., 2007]:
Distribute signature costs equally among all signatures in lower tree
This work:
Use observation: BDS spends more updates than needed
Use unused updates to compute authentication path & signature
Implementation
Hash function & PRF
Use plain AES for the PRF
Use AES with Matyas-Meyer-Oseas in Merkle-Damgård mode for the hash function
$F_n = \{ f_k : \{0,1\}^n \to \{0,1\}^n \mid k \in \{0,1\}^n \}$
Results

Scheme    Sign (ms)  Verify (ms)  Keygen (ms)  Signature (byte)  Public Key (byte)  Secret Key (byte)  Bit Sec.  Comment
XMSS      134        23           925,400      2,388             800                2,448              97        h = 16, w = 4, k = 4
XMSS+     106        25           5,600        3,476             544                3,760              96        H = 16, w = 4, k = 2
XMSS+     105        21           5,800        2,436             512                3,376              95        H = 16, w = 8, k = 2
XMSS+     106        25           22,200       3,540             608                4,304              92        H = 20, w = 4, k = 4
RSA 2048  190        7            11,000       ≤ 256             ≤ 512              ≤ 512              87
Infineon SLE78 16Bit-CPU@33MHz, 8KB RAM, TRNG, sym. & asym. co-processor
NVM: the card supports 16.5 million write cycles per sector; XMSS+ needs fewer than 5 million write cycles.
Conclusion
Conclusion & future work
Forward secure signature schemes can be implemented on Smartcards, …
… hash-based signatures with on-card key generation, too
… performance is comparable to RSA, DSA, ECDSA …
… higher provable security level requires different block cipher / hash-function
Thank you, Questions?
XMSS – Winternitz OTS [Buchmann et al. 2011]
- Uses pseudorandom function family
- Winternitz parameter w, message length m, random value x
[Figure: W-OTS key pair with l chains of length w, all starting from the random value x: pk_1 = f^{w-1}_{sk_1}(x), ..., pk_l = f^{w-1}_{sk_l}(x), where f is drawn from $F_n = \{ f_k : \{0,1\}^n \to \{0,1\}^n \mid k \in \{0,1\}^n \}$.]
For multiple signatures use many key pairs, generated using a forward secure pseudorandom generator (FSPRG), built using PRFF F_n:
Secret key: random SEED for pseudorandom generation of the current signature key.
XMSS – secret key
XMSS – public key
[Figure: Modified Merkle tree [Dahmen et al. 2008] of height h. Each level masks its children with its own bitmasks b_0, b_1, ..., b_h before hashing with h, a second-preimage-resistant hash function. Public key = ( · , b_0, b_1, b_2, h)]
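Added example, not the authors' code: the masked tree node computation of Dahmen et al. 2008 with one bitmask pair per level, root computation, and verification of a leaf against the root via its authentication path. SHA-256 stands in for h and the bitmasks are constructed values; both are assumptions.

```python
import hashlib

def h(x: bytes) -> bytes:
    """Second-preimage-resistant hash; SHA-256 stands in (assumption)."""
    return hashlib.sha256(x).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def node(left: bytes, right: bytes, bl: bytes, br: bytes) -> bytes:
    """Parent = h((left XOR b_left) || (right XOR b_right)); masks are public."""
    return h(xor(left, bl) + xor(right, br))

def build_tree(leaves: list, masks: list) -> list:
    """masks[j] = (b_left, b_right) for level j; returns levels[0]=leaves .. levels[h]=[root]."""
    assert len(leaves) == 2 ** len(masks), "need 2^h leaves for h mask pairs"
    levels = [list(leaves)]
    for bl, br in masks:
        prev = levels[-1]
        levels.append([node(prev[i], prev[i + 1], bl, br) for i in range(0, len(prev), 2)])
    return levels

def auth_path(levels: list, index: int) -> list:
    """Sibling of the node on the path from leaf `index` to the root, per level."""
    path = []
    for lvl in levels[:-1]:
        path.append(lvl[index ^ 1])
        index >>= 1
    return path

def root_from_path(leaf: bytes, index: int, path: list, masks: list) -> bytes:
    """What a verifier recomputes from (index, leaf, auth path) and the public masks."""
    n = leaf
    for sib, (bl, br) in zip(path, masks):
        n = node(n, sib, bl, br) if index % 2 == 0 else node(sib, n, bl, br)
        index >>= 1
    return n
```

A signature verifier compares the returned root with the one in the public key; any change to the leaf, its index or a path node changes the result.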