Forward Secure Signatures on Smart Cards A. Hülsing, J. Buchmann, C. Busold 16.08.2012 | TU Darmstadt | A. Hülsing | 1.

Forward Secure Digital Signatures

Forward Secure Digital Signatures (figure: timeline. Classical: key generation produces one pair (pk, sk) that is used for all time. Forward secure: key generation produces pk and sk_1; the secret key is updated to sk_2, ..., sk_i, ..., sk_T for the time periods t_1, t_2, ..., t_i, ..., t_T while pk stays fixed.)

Forward Secure Digital Signatures
Pros:
- Fulfils the intuition of a signature
- Replaces timestamps
- Cuts off some attack vectors for side-channel attacks
- Especially interesting for document signatures and PKI
Cons:
- Stateful
- Less efficient than standard signature schemes

The eXtended Merkle Signature Scheme (XMSS)

The eXtended Merkle Signature Scheme (XMSS) [Buchmann et al., 2011]
- "Hash-based" forward secure signature scheme
- Provably secure in the standard model
- Minimal complexity-theoretic assumptions (second-preimage resistance (SPR) and a pseudorandom function family (PRF))
- Generic construction (no specific hardness assumption)
- Efficient (comparable to RSA)

Hash-based Signature Schemes (figure: a binary tree of hash nodes h; the leaves are one-time signature (OTS) key pairs derived from the secret key, and the root is the public key PK.)

Goal / Challenges
Goal:
- Implement XMSS on a smart card
Challenges:
- On-card key generation too expensive [Rohde et al., 2008]
- Stateful / NVM wear-out

Construction

OTS / Key generation
- Winternitz OTS [Buchmann et al., 2011] and forward secure PRG
- Both use a pseudorandom function family
- The OTS requires computing many PRF chains
- The OTS public key can be computed from the signature

XMSS signature (figure: signature = (i, ...) for leaf index i, with the further components drawn rather than spelled out; the tree levels are labelled with the bitmasks b_0, b_1, b_2.)

BDS Tree Traversal [Buchmann et al., 2008]
- Computes authentication paths
- Stores the most expensive nodes
- Left nodes are cheap
- Distributes costs: (h-k)/2 updates per round
(figure: Merkle tree of height h with level widths 2^(h-1), 2^(h-2), ...; the top k levels are marked.)

Accelerate key generation: Tree Chaining [Buchmann et al., 2006]
Key generation cost: 2^(h+1) → 2 * 2^(h/2+1) = 2^(h/2+2)
But: larger signatures!
(figure: two chained trees, indexed by i and j.)

Distributed Signature Generation
Initial proposal [Buchmann et al., 2007]:
- Distribute signature costs equally among all signatures in the lower tree
This work:
- Use the observation that BDS spends more updates than needed
- Use the unused updates to compute the authentication path & signature

Implementation

Hash function & PRF
- Use plain AES for the PRF
- Use AES with Matyas-Meyer-Oseas in Merkle-Damgård mode for the hash function

Results (platform: Infineon SLE78, 8 KB RAM, TRNG, symmetric & asymmetric co-processor)
Columns: Sign (ms) | Verify (ms) | Keygen (ms) | Signature (byte) | Public Key (byte) | Secret Key (byte) | Bit Sec. | Comment
Rows (most numeric cells were lost in extraction; only the fragments quoted survive):
- XMSS, h = 16, w = 4, k = 4 (surviving cell fragments: ",400  2,  ,448  86")
- XMSS, h = 16, w = 4, k = 2 (surviving cell fragments: ",600  3,  ,760  85")
- XMSS, h = 16, w = 8, k = 2 (surviving cell fragments: ",800  2,  ,376  81")
- XMSS, h = 20, w = 4, k = 4 (surviving cell fragments: ",200  3,  ,304  81")
- RSA (surviving cell fragments: ",000  ≤ 256  ≤")
NVM: card 16.5 million write cycles/sector, XMSS+ < 5 million write cycles

Conclusion

Conclusion & future work
Forward secure signature schemes can be implemented on smart cards, ...
... hash-based signatures with on-card key generation, too
... performance is comparable to RSA, DSA, ECDSA ...
... a higher provable security level requires a tighter security proof or a different block cipher / hash function

Thank you, Questions?

XMSS – Winternitz OTS [Buchmann et al. 2011]
- Uses a pseudorandom function family
- Winternitz parameter w, message length m, random value x
(figure: l chains, chain i running from sk_i to pk_i, each evaluated on the random value x with chain length w.)
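An added worked example, not the authors' smart-card code: the Winternitz OTS over PRF chains described on this slide and on the "OTS / Key generation" slide, including the verifier's recomputation of the OTS public key from a signature. HMAC-SHA256 stands in for the AES-based PRF family, w is assumed to be a power of two, and the seed and x values are constructed.

```python
import hashlib
import hmac
import math

# Assumptions of this added example: HMAC-SHA256 replaces the AES PRF of the
# implementation, and w is a power of two so base-w digits are bit chunks.
N = 32      # PRF output length in bytes
W = 16      # Winternitz parameter: each chain has w - 1 PRF steps
M = 256     # message digest length in bits
LOG_W = int(math.log2(W))
L1 = math.ceil(M / LOG_W)                                # base-w digits of the digest
L2 = math.floor(math.log2(L1 * (W - 1)) / LOG_W) + 1     # base-w digits of the checksum
L = L1 + L2                                              # number of chains

def prf(key: bytes, x: bytes) -> bytes:
    return hmac.new(key, x, hashlib.sha256).digest()

def chain(start: bytes, x: bytes, steps: int) -> bytes:
    # One chain step keys the PRF with the current value and evaluates it on the public x.
    for _ in range(steps):
        start = prf(start, x)
    return start

def digits(msg: bytes) -> list:
    # Base-w digits of H(msg), followed by the base-w digits of the Winternitz checksum.
    n = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    d = [(n >> (LOG_W * k)) & (W - 1) for k in range(L1)]
    c = sum(W - 1 - di for di in d)
    return d + [(c >> (LOG_W * k)) & (W - 1) for k in range(L2)]

def keygen(seed: bytes, x: bytes):
    # sk_i = PRF_seed(i): all L chain starts come from one seed (the FSPRG output).
    sk = [prf(seed, i.to_bytes(4, "big")) for i in range(L)]
    pk = [chain(s, x, W - 1) for s in sk]   # pk_i is the end of chain i
    return sk, pk

def sign(sk: list, x: bytes, msg: bytes) -> list:
    # Signature element i is chain i advanced b_i steps from sk_i.
    return [chain(s, x, b) for s, b in zip(sk, digits(msg))]

def pk_from_signature(sig: list, x: bytes, msg: bytes) -> list:
    # The verifier finishes each chain: w - 1 - b_i further steps reach pk_i.
    return [chain(s, x, W - 1 - b) for s, b in zip(sig, digits(msg))]

def verify(pk: list, x: bytes, msg: bytes, sig: list) -> bool:
    return pk_from_signature(sig, x, msg) == pk
```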

XMSS – secret key
For multiple signatures use many key pairs, generated using a forward secure pseudorandom generator (FSPRG) built from a PRF family F_n.
Secret key: random SEED for the pseudorandom generation of the current signature key.
(figure: PRG vs. FSPRG.)
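An added example, not the authors' code: the forward secure PRG of this slide built from a PRF family, with the secret key held as (SEED, index) and the state overwritten on every update. HMAC-SHA256 stands in for the AES-based PRF F_n, and the seed is a constructed value.

```python
import hashlib
import hmac

# Assumption of this added example: HMAC-SHA256 replaces the AES-based PRF F_n.
def prf(key: bytes, x: bytes) -> bytes:
    return hmac.new(key, x, hashlib.sha256).digest()

def fsprg_step(state: bytes) -> tuple:
    """One FSPRG step: (state_{i+1}, r_i) = (F_state(0), F_state(1)).
    r_i seeds the i-th OTS key pair; state_{i+1} cannot be inverted to state_i."""
    return prf(state, b"\x00"), prf(state, b"\x01")

class ForwardSecureKey:
    """The XMSS secret key of the slide: a SEED (the current FSPRG state) plus the index i
    of the next unused key pair. The old state is overwritten, so sk_i reveals nothing
    about the OTS keys of periods < i."""
    def __init__(self, seed: bytes):
        self.state, self.index = seed, 0

    def next_ots_seed(self) -> tuple:
        i = self.index
        self.state, r = fsprg_step(self.state)   # advance first: the old state is gone
        self.index += 1
        return i, r

def ots_seed_from_initial(seed: bytes, i: int) -> bytes:
    """Reference derivation of r_i straight from the initial seed (key generation side)."""
    state = seed
    for _ in range(i):
        state, _ = fsprg_step(state)
    return fsprg_step(state)[1]
```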

XMSS – public key
Public key = ( [first component not legible], b_0, b_1, b_2, h)
Modified Merkle Tree [Dahmen et al. 2008]; h: second preimage resistant hash function
(figure: tree whose levels use the bitmasks b_0 at the leaves up to b_h at the top.)
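An added example, not the authors' code, for this slide and the tree-chaining slide: the modified Merkle tree with one bitmask per level, authentication-path generation and root recomputation on the verifier's side, plus a count of leaf and node computations at key generation with and without tree chaining. SHA-256 stands in for the AES-based hash h, and leaves and bitmasks are constructed stand-ins.

```python
import hashlib

N = 32  # hash output length in bytes; SHA-256 stands in for the AES-based hash h (assumption)

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def node(left: bytes, right: bytes, b: bytes) -> bytes:
    # b is the 2N-byte bitmask of this level: left half masks the left child, right half the right.
    return h(xor(left, b[:N]) + xor(right, b[N:]))

def build_tree(leaves: list, bitmasks: list) -> list:
    """Return all levels, leaves first. Needs 2^H leaves and H bitmasks; the public key
    of the slide carries the root (last level) together with the bitmasks."""
    assert len(leaves) == 2 ** len(bitmasks)
    levels = [list(leaves)]
    for b in bitmasks:
        prev = levels[-1]
        levels.append([node(prev[2 * k], prev[2 * k + 1], b) for k in range(len(prev) // 2)])
    return levels

def auth_path(levels: list, i: int) -> list:
    # Sibling of the node on the path from leaf i to the root, one per level (part of the signature).
    return [levels[j][(i >> j) ^ 1] for j in range(len(levels) - 1)]

def root_from_auth_path(leaf: bytes, i: int, path: list, bitmasks: list) -> bytes:
    # Verifier's side: recompute the root from leaf i, its authentication path and the public bitmasks.
    cur = leaf
    for j, sib in enumerate(path):
        cur = node(sib, cur, bitmasks[j]) if (i >> j) & 1 else node(cur, sib, bitmasks[j])
    return cur

def keygen_cost(height: int, tree_chaining: bool) -> int:
    """Leaf plus inner-node computations at key generation. One tree of height h costs
    2^h leaves + (2^h - 1) nodes, about 2^(h+1); with tree chaining only the top tree and
    the first lower tree (height h/2 each) are built: 2 * (2^(h/2+1) - 1), about 2^(h/2+2)."""
    def cost(hh: int) -> int:
        return 2 ** hh + (2 ** hh - 1)
    return 2 * cost(height // 2) if tree_chaining else cost(height)
```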