XMSS Practical Hash-Based Signatures Andreas Hülsing joint work with Johannes Buchmann and Erik Dahmen 23.09.2013 | TU Darmstadt | Andreas Hülsing | 1 1. Januar 2019 |
Post-Quantum Signatures Lattice, MQ, Coding Signature and/or key sizes Runtimes Secure parameters 23.09.2013 | TU Darmstadt | Andreas Hülsing | 2 1. Januar 2019 |
Hash-based Signature Schemes [Mer89] Post quantum Only secure hash function Security well understood Fast Inherently forward secure 23.09.2013 | TU Darmstadt | Andreas Hülsing | 3 1. Januar 2019 |
Hash-based Signatures PK SIG = (i=2, , , , , ) H OTS H H H H H H H H H H H H H H OTS OTS OTS OTS OTS OTS OTS OTS SK 23.09.2013 | TU Darmstadt | Andreas Hülsing | 4 1. Januar 2019 |
XMSS 23.09.2013 | TU Darmstadt | Andreas Hülsing | 5
Results Efficient Minimal security assumptions „Small signatures" Forward secure Full smartcard implementation Datum | Fachbereich nn | Institut nn | Prof. nn | 6
New Variants of the Winternitz One Time Signature Scheme OTS 23.09.2013 | TU Darmstadt | Andreas Hülsing | 7
Winternitz OTS (WOTS) [Mer89; EGM96] 1. = f( ) 2. Trade-off between runtime and signature size | | ~ m/log w * | | SIG = (i, , , , , ) 23.09.2013 | TU Darmstadt | Andreas Hülsing | 8 1. Januar 2019 |
WOTS+ [Hül13] Theorem 3.9 (informally): W-OTS+ is strongly unforgeable under chosen message attacks if F is a 2nd-preimage resistant, undetectable one-way function family In our work we showed that we can slightly change the original WOTS construction, such that it uses a function family instead of the hash function family. The resulting scheme is existentially unforgeable under chosen message attacks, if the function family is pseudorandom. This result has two implications: 23.09.2013 | TU Darmstadt | Andreas Hülsing | 9 1. Januar 2019 |
XMSS [BDH11] Lamport-Diffie / WOTS WOTS+ Tree construction [DOTV08] Pseudorandom key generation bi PRG FSPRG 23.09.2013 | TU Darmstadt | Andreas Hülsing | 10
XMSS* in Practice 23.09.2013 | TU Darmstadt | Andreas Hülsing | 11
XMSS Implementations C Implementation [BDH11] C Implementation, using OpenSSL Sign (ms) Verify (ms) Signature (bit) Public Key (bit) Secret Key (byte) Bit Security Comment XMSS-SHA-2 35.60 1.98 16,672 13,600 3,364 157 h = 20, w = 64, XMSS-AES-NI 0.52 0.07 19,616 7,328 1,684 84 w = 4 XMSS-AES 1.06 0.11 RSA 2048 3.08 0.09 ≤ 2,048 ≤ 4,096 ≤ 512 87 2013: 80 bit 84 -> 2019 87 -> 2022 157 -> 2113 Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz with Intel AES-NI 23.09.2013 | TU Darmstadt | Andreas Hülsing | 12 1. Januar 2019 |
XMSS Implementations Smartcard Implementation [HBB12] Sign (ms) Verify (ms) Keygen (ms) Signature (byte) Public Key (byte) Secret Key (byte) Bit Sec. Comment XMSS 134 23 925,400 2,388 800 2,448 92 H = 16, w = 4 XMSS+ 106 25 5,600 3,476 544 3,760 94 RSA 2048 190 7 11,000 ≤ 256 ≤ 512 87 Tkg: - similar to RSA 2048 (11 s) - slower than ECDSA 256 (95ms). Tsign: - comparable to RSA 2048 (190ms) and ECDSA 256 (100ms). Tverify: - slightly slower than RSA 2048 (7ms) - faster than ECDSA 256 (58ms). ECDSA: PK=256~SK, Sig= 512, The security level of RSA 2048 and ECDSA 256 is 95 and 128 bits, respectively 92 -> 2028 94 -> 2031 Infineon SLE78 16Bit-CPU@33MHz, 8KB RAM, TRNG, sym. & asym. co-processor NVM: Card 16.5 million write cycles/ sector, XMSS+ < 5 million write cycles (h=20) 23.09.2013 | TU Darmstadt | Andreas Hülsing | 13 1. Januar 2019 |
Conclusion 23.09.2013 | TU Darmstadt | Andreas Hülsing | 14 1. Januar 2019 |
Conservative Security Conclusion Fast Conservative Security Compact Forward secure 23.09.2013 | TU Darmstadt | Andreas Hülsing | 15
Main Drawback: State Easy Migration? Future Work Interfaces Key Management 23.09.2013 | TU Darmstadt | Andreas Hülsing | 16
Thank you! Questions?