Forward Secure Signatures on Smart Cards A. Hülsing, J. Buchmann, C. Busold | TU Darmstadt | A. Hülsing | 1
Forward Secure Digital Signatures
Forward Secure Digital Signatures
[Figure: time axis t_1, t_2, ..., t_i, ..., t_T. Classical: one pk and one fixed sk for all time. Forward secure: one pk, secret key evolves sk_1, sk_2, ..., sk_i, ..., sk_T, one key per period t_i.]
Forward Secure Digital Signatures
Pros:
- Fulfill the intuition of a signature (signatures made before a key compromise stay valid)
- Replace timestamps
- Cut off some attack vectors for side-channel attacks
- Especially interesting for document signatures and PKI
Cons:
- Stateful
- Less efficient than standard signature schemes
The eXtended Merkle Signature Scheme XMSS
The eXtended Merkle Signature Scheme (XMSS) [Buchmann et al., 2011]
- "Hash-based" forward secure signature scheme
- Provably secure in the standard model
- Minimal complexity-theoretic assumptions (second-preimage resistance (SPR) and a PRF)
- Generic construction (no specific hardness assumption)
- Efficient (comparable to RSA)
Hash-based Signature Schemes
[Figure: binary hash tree. The leaves are one-time signature (OTS) key pairs derived from the secret key, every inner node is the hash h of its two children, and the root is the public key PK.]
Goal / Challenges
Goal: implement XMSS on a smartcard
Challenges:
- On-card key generation too expensive [Rohde et al., 2008]
- Stateful / NVM wear-out
Construction
OTS / Key generation
- Winternitz OTS [Buchmann et al., 2011] and forward secure PRG
- Both use a pseudorandom function family
- The OTS requires computing many PRF chains
- The OTS public key can be computed from the signature (the verifier completes the chains, so the OTS public key is not transmitted)
XMSS signature
[Figure: tree with leaf i highlighted. Signature = (i, ...); the remaining components are drawn in the tree figure, whose levels are labelled with the bitmasks b_0, b_1, b_2.]
BDS Tree Traversal [Buchmann et al., 2008]
- Computes authentication paths
- Stores the most expensive nodes (the top k levels of the height-h tree)
- Left nodes are cheap
- Distributes the costs: (h-k)/2 updates per round
[Figure: tree of height h; the levels hold 2^{h-1}, 2^{h-2}, ... nodes; the top k levels are stored.]
Accelerate key generation: Tree Chaining [Buchmann et al., 2006]
- Key generation cost drops from 2^{h+1} to 2 * 2^{h/2+1} = 2^{h/2+2}: two trees of height h/2 (the upper tree signs the root of the lower tree) instead of one tree of height h
- But: larger signatures!
[Figure: the two chained trees, with leaf indices i (upper tree) and j (lower tree).]
Distributed Signature Generation
- Initial proposal [Buchmann et al., 2007]: distribute the signature costs equally among all signatures in the lower tree
- This work: use the observation that BDS spends more updates than needed, and use the unused updates to compute the authentication path and the signature
Implementation
Hash function & PRF
- PRF: plain AES
- Hash function: AES with Matyas-Meyer-Oseas (MMO) compression in Merkle-Damgård mode
Results (Infineon SLE78: 8 KB RAM, TRNG, symmetric and asymmetric co-processor)
Columns: Sign (ms) | Verify (ms) | Keygen (ms) | Signature (byte) | Public Key (byte) | Secret Key (byte) | Bit Sec. | Comment
- XMSS, h = 16, w = 4, k = 4: 86 bit security; the timing and size cells survive only as the fragments ",400 2, ,448"
- XMSS, h = 16, w = 4, k = 2: 85 bit security; fragments ",600 3, ,760"
- XMSS, h = 16, w = 8, k = 2: 81 bit security; fragments ",800 2, ,376"
- XMSS, h = 20, w = 4, k = 4: 81 bit security; fragments ",200 3, ,304"
- RSA: fragments ",000 ≤ 256 ≤"
NVM: the card is rated for 16.5 million write cycles per sector; XMSS+ needs fewer than 5 million write cycles.
Conclusion
Conclusion & future work
- Forward secure signature schemes can be implemented on smartcards, ...
- ... hash-based signatures with on-card key generation, too
- ... performance is comparable to RSA, DSA, ECDSA ...
- ... a higher provable security level requires a tighter security proof or a different block cipher / hash function
Thank you, Questions?
XMSS – Winternitz OTS [Buchmann et al., 2011]
- Uses a pseudorandom function family
- Winternitz parameter w, message length m, random value x
[Figure: l chains. Chain i runs from sk_i to pk_i by repeated PRF evaluation with the fixed input x; the figure labels the chain length with w.]
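The PRF-chain Winternitz OTS of slides 10 and 21, as an added Go example that is not the authors' smartcard code: the PRF is plain AES as on slide 16, a chain step uses the previous output as the AES key and the random value x as the fixed input, signing stops chain i after b_i steps, and the verifier completes the chains, which yields the OTS public key without it being transmitted. The parameters (n = 16 bytes, w = 4 as digit base with chains of w-1 steps, l1 = 64, l2 = 4), the chaining rule, the way the chain starts are derived from a per-signature seed and the sample seed, x and digest are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"fmt"
)

// Parameters are assumptions of this example: AES-128 as PRF, 128-bit digests,
// and the XMSS convention that w is the digit base (chains of w-1 steps).
const (
	n  = 16         // PRF key and output length in bytes
	w  = 4          // Winternitz parameter (digit base)
	lw = 2          // log2(w)
	l1 = 8 * n / lw // digits covering the digest: 64
	l2 = 4          // checksum digits: floor(log2(l1*(w-1)) / lw) + 1
	l  = l1 + l2    // chains per OTS key: 68
)

// prf is F_K(x) = AES_K(x); the slides use plain AES as the PRF.
func prf(key, x []byte) []byte {
	c, _ := aes.NewCipher(key) // keys are always n = 16 bytes, so NewCipher cannot fail
	out := make([]byte, n)
	c.Encrypt(out, x)
	return out
}

// chain applies the PRF s times: the previous output becomes the key while the
// random value x stays the fixed input (XMSS chaining rule, assumed here).
func chain(start []byte, s int, x []byte) []byte {
	cur := append([]byte(nil), start...)
	for i := 0; i < s; i++ {
		cur = prf(cur, x)
	}
	return cur
}

// chains runs all l chains, chain i for steps(i) applications.
func chains(start [][]byte, steps func(int) int, x []byte) [][]byte {
	out := make([][]byte, l)
	for i := range out {
		out[i] = chain(start[i], steps(i), x)
	}
	return out
}

// digits: the l1 base-w digits of the digest, then the l2 base-w digits of the
// checksum sum(w-1-b_i); both most significant digit first.
func digits(digest []byte) []int {
	if len(digest) != n {
		panic("digest must be n bytes")
	}
	d := make([]int, 0, l)
	for _, by := range digest {
		for shift := 8 - lw; shift >= 0; shift -= lw {
			d = append(d, int(by>>uint(shift))&(w-1))
		}
	}
	csum := 0
	for _, v := range d {
		csum += w - 1 - v
	}
	for i := l2 - 1; i >= 0; i-- {
		d = append(d, (csum>>uint(lw*i))&(w-1))
	}
	return d
}

// otsKeyGen derives the l chain starts from a per-signature seed (index encoding
// assumed) and runs every chain to its end: pk_i = f^{w-1}_{sk_i}(x).
func otsKeyGen(seed, x []byte) (sk, pk [][]byte) {
	sk = make([][]byte, l)
	for i := range sk {
		idx := make([]byte, n)
		idx[n-1], idx[n-2] = byte(i), byte(i>>8)
		sk[i] = prf(seed, idx)
	}
	return sk, chains(sk, func(int) int { return w - 1 }, x)
}

// otsSign stops chain i after b_i steps.
func otsSign(sk [][]byte, x, digest []byte) [][]byte {
	b := digits(digest)
	return chains(sk, func(i int) int { return b[i] }, x)
}

// otsVerify completes the chains from the signature, which yields the OTS
// public key (slide 10), and compares it with the given one.
func otsVerify(pk, sig [][]byte, x, digest []byte) bool {
	b := digits(digest)
	for i, p := range chains(sig, func(i int) int { return w - 1 - b[i] }, x) {
		if !bytes.Equal(p, pk[i]) {
			return false
		}
	}
	return true
}

func main() {
	seed, x := bytes.Repeat([]byte{0x42}, n), bytes.Repeat([]byte{0x07}, n) // constructed seed and x
	digest := []byte("0123456789abcdef")                                    // stands in for a 128-bit digest
	sk, pk := otsKeyGen(seed, x)
	fmt.Println("valid:", otsVerify(pk, otsSign(sk, x, digest), x, digest))
}
```

The checksum is what makes the scheme one-time secure against digit increases: raising any b_i shortens the corresponding checksum, so a forger would have to walk some chain backwards, which is exactly what the PRF forbids. Note that every chain is walked to its end during key generation, which is why the slides count PRF chain evaluations as the dominant key generation cost.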
XMSS – secret key
- For multiple signatures use many OTS key pairs
- They are generated with a forward secure pseudorandom generator (FSPRG), built from the PRF family F_n
- Secret key: a random SEED for the pseudorandom generation of the current signature key
[Figure: PRG and FSPRG diagram.]
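The seed-based secret key of this slide, as an added Go example that is not the authors' code: a forward secure PRG step built from the AES PRF of slide 16 produces the next seed and the seed of the current OTS key pair, and the on-card state (seed plus index) is advanced by overwriting the old seed. The (F_seed(0), F_seed(1)) split, the State type, the method names and the sample seed are assumptions of this example; the slides only say that the FSPRG is built from the PRF family.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"fmt"
)

const n = 16 // seed and PRF output length in bytes (AES-128), assumed parameter

// prf is F_K(x) = AES_K(x), plain AES as on slide 16.
func prf(key, x []byte) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, n)
	c.Encrypt(out, x)
	return out
}

// fsprgStep is one step of a forward secure PRG built from the PRF family:
// next seed = F_seed(0), output = F_seed(1). The slides say only that the FSPRG
// is built from F; this particular split is an assumption of the example.
func fsprgStep(seed []byte) (next, out []byte) {
	one := make([]byte, n)
	one[n-1] = 1
	return prf(seed, make([]byte, n)), prf(seed, one)
}

// State is the on-card secret key: the current seed and the index of the next signature.
type State struct {
	Seed []byte
	Idx  int
}

// NextOTSSeed returns the seed that pseudorandomly generates OTS key pair Idx and
// advances the state. The old seed is overwritten in place so that it cannot be
// recovered: from the new seed alone an attacker learns nothing about earlier OTS keys.
func (s *State) NextOTSSeed() (idx int, otsSeed []byte) {
	next, out := fsprgStep(s.Seed)
	copy(s.Seed, next) // overwrite the old seed rather than keeping a reference to it
	s.Idx++
	return s.Idx - 1, out
}

// OTSSeedAt recomputes the OTS seed of index i from the initial seed; key
// generation walks the sequence once for every leaf to build the tree.
func OTSSeedAt(seed0 []byte, i int) []byte {
	seed := append([]byte(nil), seed0...)
	var out []byte
	for j := 0; j <= i; j++ {
		seed, out = fsprgStep(seed)
	}
	return out
}

func main() {
	st := &State{Seed: bytes.Repeat([]byte{0x42}, n)} // constructed initial seed
	for k := 0; k < 3; k++ {
		i, r := st.NextOTSSeed()
		fmt.Printf("OTS key pair %d is generated from seed %x...\n", i, r[:4])
	}
}
```

Because the state changes on every signature, the seed and index must be written back to NVM before the signature leaves the card; this is the write traffic behind the wear-out figures on the results slide.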
XMSS – public key
- Modified Merkle tree [Dahmen et al., 2008]: h is a second-preimage-resistant hash function, and each tree level carries a public bitmask b_0, b_1, ..., b_h
- Public key = (…, b_0, b_1, b_2, h)
[Figure: tree whose levels are labelled with the bitmasks b_0, b_1, ..., b_h.]