1 / 24

Forward Secure Hash-based Signatures on Smartcards

Forward Secure Hash-based Signatures on Smartcards. A. Hülsing , J. Buchmann, C. Busold. Digital Signatures are Important!. E-Commerce. … and many others. Software updates. What if….

fran
Télécharger la présentation

Forward Secure Hash-based Signatures on Smartcards

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Forward Secure Hash-based Signatures on Smartcards A. Hülsing, J. Buchmann, C. Busold 16.08.2012 | TU Darmstadt | A. Hülsing| 1

  2. Digital Signatures are Important! E-Commerce … and many others Software updates 04.09.2013 | TU Darmstadt | Andreas Hülsing| 2

  3. What if… IBM 2012: „…optimism about superconducting qubits and the possibilities for a future quantum computer are rapidely growing.“ 04.09.2013 | TU Darmstadt | Andreas Hülsing| 3

  4. Post-Quantum Signatures Based on Lattice, MQ, Coding Signature and/or key sizes Runtimes Secure parameters 04.09.2013 | TU Darmstadt | Andreas Hülsing| 4

  5. Hash-based Signature Schemes[Merkle, Crypto‘89] 04.09.2013 | TU Darmstadt | Andreas Hülsing| 5

  6. Forward Secure Signatures 04.09.2013 | TU Darmstadt | Andreas Hülsing| 6

  7. Forward Secure Signatures pk classical sk pk forward sec sk sk1 sk2 skT ski time tT ti t1 t2 Key gen. 04.09.2013 | TU Darmstadt | Andreas Hülsing| 7

  8. Forward Secure Digital Signatures 02.12.2011 | TU Darmstadt | A. Huelsing | 8

  9. Construction 02.12.2011 | TU Darmstadt | A. Huelsing | 9

  10. Hash-based Signatures PK SIG = (i, , , , , ) H OTS OTS OTS OTS OTS OTS OTS OTS H H H H H H H H H H H H H H SK 04.09.2013 | TU Darmstadt | Andreas Hülsing| 10

  11. Winternitz OTS [Merkle, Crypto‘89; Even et al., JoC‘96] 1. = f( ) 2. Trade-off between runtime and signature size, controlled by parameter w 3. Minimal security requirements [Buchmann et al.,Africacrypt’11] 4. Uses PRFF F SIG = (i, , , , , ) 04.09.2013 | TU Darmstadt | Andreas Hülsing| 11

  12. XMSS – secret key Generated using forward secure pseudorandom generator (FSPRG), build using PRFF F: Secret key: Random SEED for pseudorandom generation of current signature key. FSPRG PRG PRG PRG PRG PRG FSPRG FSPRG FSPRG FSPRG 04.09.2013 | TU Darmstadt | Andreas Hülsing| 12

  13. BDS-TreeTraversal[Buchmann et al., 2008] • Computes authentication paths • Store most expensive nodes • Left nodes are cheap • Distribute costs • (h-k)/2 updates per round # 2h-1 k # 2h-2 h 02.12.2011 | TU Darmstadt | A.Huelsing | 13

  14. Accelerate key generationTree Chaining [Buchmann et al., 2006] 2h+1 → 2*2 h/2+1 = 2 h/2+2 j i But: Larger signatures! 29.04.2011 | TU Darmstadt | J. Buchmann | 14

  15. Distributed Signature Generation Initial proposal [Buchmann et al.,2007]: • Distribute signature costs equally among all signatures in lower tree This work: • Use observation: BDS spends more updates than needed • Use unused updates to compute authentication path & signature 02.12.2011 | TU Darmstadt | A.Huelsing | 15

  16. Implementation 02.12.2011 | TU Darmstadt | A.Huelsing | 16

  17. Hash function & PRF Useplain AES for PRF Use AES withMatyas-Meyer-Oseas in Merkle-Damgårdmodeforhashfunction 02.12.2011 | TU Darmstadt | A. Huelsing | 17

  18. Results Infineon SLE78 16Bit-CPU@33MHz, 8KB RAM, TRNG, sym. & asym. co-processor NVM: Card 16.5 million write cycles/ sector, XMSS+ < 5 million write cycles 24.05.2012 | TU Darmstadt | A.Huelsing | 18

  19. Conclusion 02.12.2011 | TU Darmstadt | A.Huelsing | 19

  20. Conclusion & futurework Forward secure signature schemes can be implemented on Smartcards, … … hash-based signatures with on-card key generation, too … performance is comparable to RSA, DSA, ECDSA … … higher provable security level requires different block cipher / hash-function 02.12.2011 | TU Darmstadt | A.Huelsing | 20

  21. Thank you,Questions? 02.12.2011 | TU Darmstadt | A.Huelsing | 21

  22. XMSS – Winternitz OTS[Buchmann et al. 2011] - Uses pseudorandom function family - Winternitz parameter w, message length m, random value x sk1 pk1 x l skl pkl x w 02.12.2011 | TU Darmstadt | A. Huelsing | 22

  23. XMSS – secret key For multiple signatures use many key pairs. Generated using forward secure pseudorandom generator (FSPRG), build using PRFF Fn: Secret key: Random SEED for pseudorandom generation of current signature key. FSPRG PRG PRG PRG PRG PRG FSPRG FSPRG FSPRG FSPRG 02.12.2011 | TU Darmstadt | A. Huelsing | 23

  24. XMSS – public key Modified Merkle Tree [Dahmen et al 2008] h second preimage resistant hash function = ( , b0, b1, b2, h) Public key b0 b0 b0 b0 b1 b1 bh 02.12.2011 | TU Darmstadt | A. Huelsing | 24

More Related