The future of digital signatures


Transcript: The future of digital signatures

XMSS - A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions
J. Buchmann, E. Dahmen, A. Hülsing
02.12.2011 | TU Darmstadt | A. Huelsing | 1

Digital Signature Schemes

Diagram: classical digital signature schemes (RSA – DSA – EC-DSA - …) are built from a trapdoor one-way function (RSA, DH, SVP, MQ, …) together with a collision resistant hash function.

Digital Signature Schemes
- Strong complexity theoretic assumption (trapdoor one-way function): hard to fulfill
- Specific hardness assumptions: at risk from quantum computers and new algorithms
+ Efficient, but mostly only in the ROM (random oracle model)

The eXtended Merkle Signature Scheme (XMSS)

The eXtended Merkle Signature Scheme (XMSS)
- Minimal complexity theoretic assumptions
- Generic construction (no specific hardness assumption)
- Efficient (comparable to RSA)
- Forward secure

Minimal complexity theoretic assumptions
Diagram of the reductions: a one-way function family yields a pseudorandom function family [Håstad, Impagliazzo, Levin, Luby 1999; Goldreich, Goldwasser, Micali 1986] and a second-preimage resistant / target-collision resistant hash function family [Rompel 1990]; a target-collision resistant HFF yields a digital signature scheme [Naor, Yung 1989; Rompel 1990]. XMSS is built from a second-preimage resistant HFF and a pseudorandom FF and is existentially unforgeable under chosen message attacks.

Output length of hash functions
Hash function h: {0,1}* → {0,1}^m
Assume:
- only generic attacks,
- security level n
Collision resistance required:
→ generic attack = birthday attack → m = 2n
Second-preimage resistance required:
→ generic attack = exhaustive search → m = n
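Added example (not from the slides): a small Python experiment that runs the two generic attacks the slide compares against a constructed toy hash, SHA-256 truncated to m bits. The birthday search stops after roughly 2^(m/2) hash evaluations, the exhaustive second-preimage search after roughly 2^m, which is why an n-bit security level needs m = 2n only when collision resistance is required and m = n suffices for second-preimage resistance.

```python
import hashlib


def h_trunc(data: bytes, m_bits: int) -> int:
    """Toy hash with an m-bit output: SHA-256 truncated to its top m bits.
    Constructed stand-in for h: {0,1}* -> {0,1}^m so the generic attacks finish quickly."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - m_bits)


def find_collision(m_bits: int):
    """Generic collision search (birthday attack): hash distinct inputs until two outputs
    repeat. Expected cost about 2^(m/2) evaluations. Returns (x, y, evaluations)."""
    seen = {}
    counter = 0
    while True:
        x = b"col-" + counter.to_bytes(8, "big")
        y = h_trunc(x, m_bits)
        counter += 1
        if y in seen:
            return seen[y], x, counter
        seen[y] = x


def find_second_preimage(m_bits: int, target: bytes):
    """Generic second-preimage search: exhaustive search for x' != target with the same
    m-bit output. Expected cost about 2^m evaluations. Returns (x', evaluations)."""
    wanted = h_trunc(target, m_bits)
    counter = 0
    while True:
        x = b"spr-" + counter.to_bytes(8, "big")
        counter += 1
        if x != target and h_trunc(x, m_bits) == wanted:
            return x, counter


def generic_attack_costs(m_bits: int) -> dict:
    """Both searches for the same output length, to compare 2^(m/2) against 2^m."""
    _, _, collision_evals = find_collision(m_bits)
    _, second_preimage_evals = find_second_preimage(m_bits, b"constructed target message")
    return {"m": m_bits, "collision": collision_evals, "second_preimage": second_preimage_evals}


if __name__ == "__main__":
    # m = 16: the birthday search needs a few hundred evaluations, the exhaustive one tens of thousands.
    print(generic_attack_costs(16))
```

Read with the slide: for security level n the collision search on an m-bit hash costs 2^(m/2), so m = 2n; the second-preimage search costs 2^m, so m = n is enough, which halves the hash output and thus the signature size for a scheme that only needs second-preimage resistance.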

Forward Secure Digital Signatures
Diagram: a classical scheme has one fixed key pair (pk, sk). In a forward secure scheme pk stays fixed while key generation yields sk_1 and the secret key evolves over the time periods t_1, t_2, …, t_i, …, t_T as sk_1 → sk_2 → … → sk_i → … → sk_T.
Goal: an adversary who learns sk_i cannot produce a valid signature (M, j) for an earlier period j < i.

Construction

XMSS – Winternitz OTS [Buchmann et al. 2011]
- Uses pseudorandom function family F_n = { f_k : {0,1}^n → {0,1}^n | k ∈ {0,1}^n }
- Winternitz parameter w, message length m, random value x
Diagram: l secret key values sk_1, …, sk_l; each public key value is the end of a chain that iterates f, starting from sk_i, on the fixed input x: pk_i = f^{w-1}_{sk_i}(x) for i = 1, …, l.
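Added example, not code from the slides or from the XMSS authors: a Python W-OTS in the key-iterated chain style sketched above. HMAC-SHA256 stands in for a member of the PRF family F_n (an assumed instantiation) and SHA-256 digests the message. It shows the chains pk_i = f^{w-1}_{sk_i}(x), the base-w encoding with checksum, signing by walking b_i steps and verifying by walking the remaining w-1-b_i steps; it generalises the slide's diagram to any Winternitz parameter w, including the non-power-of-two values w = 64 and w = 108 that appear in the benchmark table later in the talk.

```python
import hashlib
import hmac
import math
import os

N = 32  # n = 256 bits: key, input and output length of f, in bytes


def f(key: bytes, x: bytes) -> bytes:
    """Member f_k of the PRF family F_n = { f_k : {0,1}^n -> {0,1}^n | k in {0,1}^n }.
    Assumed instantiation for this example only: HMAC-SHA256 keyed with k."""
    return hmac.new(key, x, hashlib.sha256).digest()


def chain(key: bytes, x: bytes, steps: int) -> bytes:
    """Key-iterated chain f^steps_key(x): f^0_k(x) = k and f^j_k(x) = f_{f^{j-1}_k(x)}(x).
    Iterations compose: chain(chain(k, x, a), x, b) == chain(k, x, a + b)."""
    for _ in range(steps):
        key = f(key, x)
    return key


def wots_lengths(m_bits: int, w: int):
    """l1 base-w digits cover an m-bit digest, l2 digits cover the checksum, l = l1 + l2 chains."""
    l1 = math.ceil(m_bits / math.log2(w))
    l2 = math.floor(math.log2(l1 * (w - 1)) / math.log2(w)) + 1
    return l1, l2


def to_base_w(value: int, w: int, digits: int):
    out = []
    for _ in range(digits):
        out.append(value % w)
        value //= w
    return out[::-1]


def encode(digest: bytes, w: int):
    """Digest -> base-w digits b_1..b_l: message digits followed by the checksum sum(w-1-b_i).
    The checksum makes it impossible to raise one digit without lowering another, so a published
    signature cannot be walked further along a chain into a signature on a different digest."""
    l1, l2 = wots_lengths(len(digest) * 8, w)
    b = to_base_w(int.from_bytes(digest, "big"), w, l1)
    return b + to_base_w(sum(w - 1 - d for d in b), w, l2)


def keygen(w: int, m_bits: int = 256):
    """Returns (sk, x, pk) with pk_i = f^{w-1}_{sk_i}(x)."""
    l1, l2 = wots_lengths(m_bits, w)
    x = os.urandom(N)
    sk = [os.urandom(N) for _ in range(l1 + l2)]
    pk = [chain(k, x, w - 1) for k in sk]
    return sk, x, pk


def sign(sk, x: bytes, w: int, message: bytes):
    """One-time signature: sigma_i = f^{b_i}_{sk_i}(x). A key pair must never sign a second message."""
    digits = encode(hashlib.sha256(message).digest(), w)
    return [chain(k, x, b) for k, b in zip(sk, digits)]


def verify(pk, x: bytes, w: int, message: bytes, sig) -> bool:
    """Walk each chain the remaining w-1-b_i steps; every chain must land exactly on pk_i."""
    digits = encode(hashlib.sha256(message).digest(), w)
    if len(sig) != len(pk) or len(pk) != len(digits):
        return False
    return all(chain(s, x, w - 1 - b) == p for s, b, p in zip(sig, digits, pk))


if __name__ == "__main__":
    sk, x, pk = keygen(16)
    sig = sign(sk, x, 16, b"constructed message")
    print(len(pk), "chains; valid:", verify(pk, x, 16, b"constructed message", sig))
```

Larger w means fewer, longer chains (smaller signatures, more f evaluations), which is the size/speed trade-off the benchmark table later in the deck varies with w.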

XMSS – secret key
For multiple signatures use many one-time key pairs.
They are generated using a pseudorandom generator (PRG), built from the PRFF F_n (diagram: a chain of PRG calls, one per one-time signature key).
Secret key: a random SEED for the pseudorandom generation of the current signature key.

XMSS – public key
Modified Merkle tree [Dahmen et al 2008]
h: second preimage resistant hash function
Diagram: binary hash tree over the one-time public keys; at each level a bitmask (b_0 at the leaf level, b_1 above it, …, b_h at the root) is XORed onto the child nodes before they are hashed with h.
Public key = (root of the tree, b_0, b_1, b_2, h)

XMSS signature
Diagram: leaf i of the tree and its path up to the root, with the level bitmasks b_0, b_1, b_2 applied at each step.
Signature = (i, …)
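Added example, not from the slides: a Python model of the bitmasked tree and of the tree part of a signature, following the one-mask-per-level drawing above. SHA-256 is the assumed instance of h, and the leaves are constructed values standing in for the hashed one-time public keys. It builds the tree, extracts the authentication path for leaf i, and lets a verifier recompute the root from (i, leaf, path) against the public key (root, b_0, …, b_{H-1}).

```python
import hashlib

N = 32  # n = 256 bits


def h(data: bytes) -> bytes:
    """Second-preimage resistant hash function h (assumed instance: SHA-256)."""
    return hashlib.sha256(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_tree(leaves, bitmasks):
    """Bitmasked binary hash tree. leaves: 2^H leaf values (hashes of one-time public keys),
    bitmasks[j]: mask of level j, XORed onto both children before hashing (one mask per level,
    as drawn on the slide). Returns the levels: levels[0] = leaves, levels[H][0] = root."""
    assert len(leaves) == 2 ** len(bitmasks), "need exactly one bitmask per level"
    levels = [list(leaves)]
    for b in bitmasks:
        prev = levels[-1]
        levels.append([h(xor(prev[2 * i], b) + xor(prev[2 * i + 1], b))
                       for i in range(len(prev) // 2)])
    return levels


def public_key(levels, bitmasks):
    """XMSS-style public key: (root, b_0, ..., b_{H-1}); h is a fixed public choice."""
    return levels[-1][0], list(bitmasks)


def auth_path(levels, index):
    """Sibling nodes on the way from leaf `index` to the root; this is the tree part of a signature."""
    path = []
    for j in range(len(levels) - 1):
        path.append(levels[j][index ^ 1])
        index >>= 1
    return path


def root_from_path(leaf, index, path, bitmasks):
    """Verifier side: recompute the root from (i, leaf, auth path) with the public bitmasks."""
    node = leaf
    for sibling, b in zip(path, bitmasks):
        if index & 1:
            node = h(xor(sibling, b) + xor(node, b))
        else:
            node = h(xor(node, b) + xor(sibling, b))
        index >>= 1
    return node


def verify_leaf(pk, index, leaf, path) -> bool:
    """Accept only if the recomputed root equals the root in the public key."""
    root, bitmasks = pk
    return len(path) == len(bitmasks) and root_from_path(leaf, index, path, bitmasks) == root


# Constructed sample data (not XMSS test vectors): height H = 3, eight leaves.
H = 3
LEAVES = [h(b"constructed one-time public key %d" % i) for i in range(2 ** H)]
BITMASKS = [h(b"constructed bitmask level %d" % j) for j in range(H)]

if __name__ == "__main__":
    levels = build_tree(LEAVES, BITMASKS)
    pk = public_key(levels, BITMASKS)
    i = 5
    print("leaf", i, "verifies:", verify_leaf(pk, i, LEAVES[i], auth_path(levels, i)))
```

The bitmasks are what lets the tree rest on second-preimage resistance instead of collision resistance: a forger who swaps a node has to produce a second preimage of a masked, fixed input rather than any colliding pair, so h can use the shorter output length m = n from the earlier slide.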

XMSS forward secure
Diagram: the chain of PRG calls in the secret key is replaced by a chain of FSPRG calls.
FSPRG: forward secure PRG using PRFF F_n
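Added example, not from the slides or the paper, covering the forward-security goal, the PRG-generated secret key and the FSPRG slide together: a Python contrast between plain PRG key derivation (every one-time key from a single SEED) and a forward secure PRG chain. The FSPRG step used here, next seed = f_seed(0) and key = f_seed(1), is an assumed instantiation with HMAC-SHA256 as f. After advancing to period i the signer state holds only seed_i, so the keys of periods before i can no longer be derived from it, while the keys of later periods still can.

```python
import hashlib
import hmac

N = 32  # n = 256 bits


def f(key: bytes, x: bytes) -> bytes:
    """Assumed PRF family instance f_k(x): HMAC-SHA256 keyed with k."""
    return hmac.new(key, x, hashlib.sha256).digest()


def prg_keys(seed: bytes, count: int):
    """Plain PRG derivation from one SEED: key_i = f_SEED(i).
    Whoever captures SEED recovers every key, past and future."""
    return [f(seed, i.to_bytes(N, "big")) for i in range(count)]


def fsgen(seed: bytes):
    """One FSPRG step (assumed construction): (seed_{i+1}, key_i) = (f_seed(0), f_seed(1))."""
    return f(seed, (0).to_bytes(N, "big")), f(seed, (1).to_bytes(N, "big"))


class ForwardSecureState:
    """Signer state: the current period i and seed_i only; earlier seeds are overwritten."""

    def __init__(self, seed: bytes):
        self.period = 0
        self.seed = seed

    def key(self) -> bytes:
        return fsgen(self.seed)[1]

    def advance(self) -> None:
        # seed_{i+1} replaces seed_i; recovering seed_i would mean inverting f.
        self.seed = fsgen(self.seed)[0]
        self.period += 1


def fs_keys_from(seed: bytes, count: int):
    """Keys derivable from a given seed: key_i, key_{i+1}, ... (forward only)."""
    out = []
    for _ in range(count):
        seed, key = fsgen(seed)
        out.append(key)
    return out


def compromise_demo(seed0: bytes, periods: int, compromise_at: int):
    """Which period keys an attacker can recompute from the signer state captured at
    period compromise_at. Returns (plain_prg_exposed, fsprg_exposed) as period indices."""
    all_fs_keys = fs_keys_from(seed0, periods)
    state = ForwardSecureState(seed0)
    for _ in range(compromise_at):
        state.advance()
    derivable = fs_keys_from(state.seed, periods - compromise_at)
    fs_exposed = [i for i in range(periods)
                  if i >= compromise_at and all_fs_keys[i] == derivable[i - compromise_at]]
    # The plain PRG state is the fixed SEED itself, so every key_i = f_SEED(i) is recomputable.
    plain_exposed = list(range(periods))
    return plain_exposed, fs_exposed


if __name__ == "__main__":
    seed = bytes(range(N))  # constructed seed
    print(compromise_demo(seed, 6, 3))  # plain PRG: all of 0..5 exposed; FSPRG: only 3..5
```

The forward-security goal of the earlier slide falls out of the state update: a leak at period i yields sk_i and everything after it, but a forgery (M, j) with j < i would need key_j, which only seed_j produces, and seed_j has been erased.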

Security Proof - Idea
Tree construction and W-OTS are provably secure.
Given an adversary A against the pseudorandom scheme, A can be used against the random scheme:
→ the inputs are the same, only the input distribution differs
→ we can bound the success probability against the random scheme
→ we can use A to distinguish the PRG
See the full version on the IACR ePrint archive (report 2011/484)

XMSS in practice

XMSS - Instantiations
Diagram: XMSS can be instantiated from a trapdoor one-way function (DL, RSA, MP-Sign), from a cryptographic HFF, or from a block cipher, since each yields the second-preimage resistant HFF and the pseudorandom FF that XMSS needs.

Hash functions & Blockciphers
Block ciphers: AES, Blowfish, 3DES, Twofish, Threefish, Serpent, IDEA, RC5, RC6, …
Hash functions: SHA-2, BLAKE, Grøstl, JH, Keccak, Skein, VSH, SWIFFTX, RFSB, …

XMSS Implementations
C implementation, using OpenSSL

Scheme          | Sign (ms) | Verify (ms) | Signature (bit) | Public key (bit) | Secret key (byte) | Bit security | Comment
XMSS-SHA-2      | 15.17     | 1.02        | 16,664          | 13,568           | 280               | 146          | H = 20, w = 64
XMSS-SHA-2      | 33.47     | 2.34        | 15,384          | 13,568           | 280               | 100          | H = 20, w = 108
XMSS-AES-NI     | 1.72      | 0.11        | 19,608          | 7,296            | 152               | 82           | H = 20, w = 4
XMSS-AES        | 2.87      | 0.22        | 19,608          | 7,296            | 152               | 82           | H = 20, w = 4
MSS-SPR (n=128) | -         | -           | 68,096          | 7,680            | -                 | 98           | H = 20
RSA 2048        | 3.08      | 0.09        | ≤ 2,048         | ≤ 4,096          | ≤ 4,096           | 87           |

Timings measured on an Intel(R) Core(TM) i5 CPU M540 @ 2.53GHz with Intel AES-NI

Conclusion
XMSS
… needs minimal security assumptions
… is forward secure
… can be used with any hash function or block cipher
… has performance comparable to RSA, DSA, ECDSA …