Long-term secure signatures for the IoT

Slides:



Advertisements
Similar presentations
Research & Development Workshop on e-Voting and e-Government in the UK - February 27, 2006 Votinbox - a voting system based on smart cards Sébastien Canard.
Advertisements

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
Advanced Security Constructions and Key Management Class 16.
LOGO Multi-user Broadcast Authentication in Wireless Sensor Networks ICU Myunghan Yoo.
Leakage-Resilient Signatures Sebastian Faust KU Leuven Joint work with Eike Kiltz CWI Krzysztof Pietrzak CWI Guy Rothblum Princeton TCC 2010, Zurich, Switzerland.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Hash-based Primitives Credits: Dr. Peng Ning and Dr. Adrian Perrig.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Authenticating streamed data in the presence of random packet loss March 17th, Philippe Golle, Stanford University.
Foundations of Cryptography Lecture 8 Lecturer: Moni Naor.
XMSS - A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions J. Buchmann, E. Dahmen, A. Hülsing | TU Darmstadt |
Cong Wang1, Qian Wang1, Kui Ren1 and Wenjing Lou2
Efficient Sequential Aggregate Signed Data Gregory Neven IBM Zurich Research Laboratory work done while at K.U.Leuven.
02/22/2005 Joint Seminer Satoshi Koga Information Technology & Security Lab. Kyushu Univ. A Distributed Online Certificate Status Protocol with Low Communication.
The Generic Transformation from Standard Signatures to Identity-Based Aggregate Signatures Bei Liang, Hongda Li, Jinyong Chang.
Cryptography Wei Wu. Internet Threat Model Client Network Not trusted!!
Foundations of Cryptography Lecture 6 Lecturer: Moni Naor.
1 Sequential Aggregate Signatures and Multisignatures Without Random Oracles Steve Lu, Rafail Ostrovsky, Amit Sahai, Hovav Shacham, and Brent Waters.
Hash-Based Signatures Johannes Buchmann, Andreas Hülsung Supported by DFG and DAAD Part XI: XMSS in Practice.
1 Strengthening Digital Signatures via Randomized Hashing Shai Halevi and Hugo Krawczyk IBM Research.
Multi-user Broadcast Authentication in Wireless Sensor Networks Kui Ren, Wenjing Lou, Yanchao Zhang SECON2007 Manar Mahmoud Abou elwafa.
Digital Signature Standard (DSS) US Govt approved signature scheme designed by NIST & NSA in early 90's published as FIPS-186 in 1991 revised in 1993,
| TU Darmstadt | Andreas Hülsing | 1 Optimal Parameters for XMSS MT Andreas Hülsing, Lea Rausch, and Johannes Buchmann.
Forward Secure Signatures on Smart Cards A. Hülsing, J. Buchmann, C. Busold | TU Darmstadt | A. Hülsing | 1.
| TU Darmstadt | Andreas Hülsing | 1 W-OTS + – Shorter Signatures for Hash-Based Signature Schemes Andreas Hülsing.
Data Integrity / Data Authentication. Definition Authentication (Signature) algorithm - A Verification algorithm - V Authentication key – k Verification.
Lightweight Cryptography for IoT
Improving Authenticated Dynamic Dictionaries
SPHINCS: Practical Stateless Hash-based Signatures
Reporter :Chien-Wen Huang
CS/ECE 578 Cyber Security Dr. Attila Altay Yavuz
CMSC 414 Computer and Network Security Lecture 15
Hash-Based Signatures Update and Batch Message Signing
Hash-Based Signatures
Chapter 8 Network Security.
Secure Group Key Distribution in Constrained Environments with IKEv2
CS/ECE 578 Cyber-Security
Digital Signature Schemes and the Random Oracle Model
Compact Energy and Delay-Aware Authentication
Practical Aspects of Modern Cryptography
Keys Campbell R. Harvey Duke University, NBER and
Campbell R. Harvey Duke University and NBER
Hash-based signatures & Hash-and-sign without collision-resistance
Mitigating Multi-Target-Attacks in Hash-based Signatures
Digital Signature Schemes and the Random Oracle Model
SPHINCS: practical stateless hash-based signatures
CS/ECE 478 Introduction to Network Security
Campbell R. Harvey Duke University and NBER
BROADCAST AUTHENTICATION
Hash-based Signatures
CS/ECE 478 Introduction to Network Security Dr. Attila Altay Yavuz
Hash-based Signatures
SPHINCS: practical stateless hash-based signatures
Towards A Standard for Practical Hash-based Signatures
Data Integrity: Applications of Cryptographic Hash Functions
XMSS Practical Hash-Based Signatures Andreas Hülsing joint work with Johannes Buchmann and Erik Dahmen | TU Darmstadt | Andreas Hülsing.
Blockchain Principles
CS 394B Introduction Marco Canini.
Hash-based Primitives Credits: Dr. Peng Ning and Dr. Adrian Perrig
CIS 4930/6930 – Privacy-Preserving and Trustworthy Cyber-Systems Dr
One Time Signature.
Leakage-resilient Signatures
Lecture 4.1: Hash Functions, and Message Authentication Codes
SPHINCS: practical stateless hash-based signatures
Basic Network Encryption
SPHINCS+ Submission to the NIST post-quantum project
An attempt to simplify security arguments for hash-based signatures
Cryptography Lecture 26.
Presentation transcript:

Long-term secure signatures for the IoT Andreas Hülsing

Hash-based Signature Schemes [Mer89] Long-term secure Only needs secure hash function Post-quantum Possibility of hash combiners IoT compatible? Only needs secure hash function

Lamport-Diffie OTS [Lam79] Message M = b1,…,bm, OWF H = n bit SK PK Sig * sk1,0 sk1,1 skm,0 skm,1 Mux b1 Mux b2 Mux bm H H H H H H pk1,0 pk1,1 pkm,0 pkm,1 sk1,b1 skm,bm 12-11-2018

One-time signatures Can only be used once Basic building block Secret keys can be generated pseudorandomly WOTS+ [Hue13] Shorter signatures Size-speed trade-off

Chain-based OTS PK H H H H H H H OTS OTS OTS OTS OTS OTS OTS SK

Chain-based OTS [NY89] Extremely fast signing via „pebbeling“ Extremely fast verification of sequential signatures Small keys Small sigs (for sequential signatures) Extremely useful in combination with aggregator Stateful See e.g. Dahmen, Krauss. Short Hash-Based Signatures for Wireless Sensor Networks. CANS 2009.

Merkle’s signature scheme PK SIG = (i=2, , , , , ) H OTS H H H H H H H H H H H H H H OTS OTS OTS OTS OTS OTS OTS OTS SK 12-11-2018

Merkle‘s signature scheme Fast signing via „tree traversal algorithms“ Extremely fast verification Small keys Medium size sigs Stateful Latest: XMSS-T (Hülsing, Rijneveld, Song. Mitigating Multi-Target Attacks in Hash-based Signatures. PKC ‘16)

Multi-Tree XMSS [MMM02] Uses multiple layers of trees -> Key generation (= Building first tree on each layer) Θ(2h) → Θ(d*2h/d) -> Allows to reduce worst-case signing times Θ(h/2) → Θ(h/2d)

SPHINCS [BHH+15] Stateless Scheme XMSSMT + HORST + (pseudo-)random index Collision-resilient Deterministic signing SPHINCS-256: 128-bit post-quantum secure Hundrest of signatures / sec 41 kb signature 1 kb keys

Performance on small devices STM32L100C development board: Cortex M3, 32MHz, 32-bit architecture, 256KB Flash, 16KB RAM Issue: SPHINCS sigs (41KB) don‘t fit single APDU KeyGen Sign Verify XMSSMT 278.80s 0.61s 0.16s SPHINCS 0.88s 18.41s 0.51s

Future XMSS Internet Draft in IRSG poll At least two SPHINCS submissions for NIST Faster / smaller signatures Several works on dedicated hash functions (Haraka, Siempira)

Thank you! Questions? 12-11-2018