XMSS - A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions. J. Buchmann, E. Dahmen, A. Hülsing, 02.12.2011, TU Darmstadt

Presentation transcript:


Digital Signature Schemes

RSA – DSA – EC-DSA – …
[Diagram labels: Trapdoor one-way function; Digital signature scheme; Collision resistant hash function; RSA, DH, SVP, MQ, …]

Digital Signature Schemes
- Strong complexity theoretic assumption (Trapdoor one-way function), hard to fulfill
- Specific hardness assumptions: quantum computers, new algorithms
+ Efficient, but mostly in ROM (random oracle model)

The eXtended Merkle Signature Scheme XMSS

The eXtended Merkle Signature Scheme (XMSS)
- Minimal complexity theoretic assumptions
- Generic construction (no specific hardness assumption)
- Efficient (comparable to RSA)
- Forward secure

Minimal complexity theoretic assumptions
[Diagram labels: One-way FF; Target-collision resistant HFF; Second-preimage resistant HFF; Pseudorandom FF; XMSS; Digital signature scheme, existentially unforgeable under chosen message attacks]
[Cited results: Naor, Yung 1989; Rompel 1990; Håstad, Impagliazzo, Levin, Luby 1999; Goldreich, Goldwasser, Micali 1986]

Output length of hash functions
Hash function h: {0,1}* → {0,1}^m
Assume:
- only generic attacks,
- security level n
Collision resistance required: → generic attack = birthday attack → m = 2n
Second-preimage resistance required: → generic attack = exhaustive search → m = n

Forward Secure Digital Signatures
[Figure: timeline. Classical: key generation yields pk and sk. Forward secure: key generation yields pk and sk; the secret key evolves as sk_1, sk_2, …, sk_i, …, sk_T over the time periods t_1, t_2, …, t_i, …, t_T.]

Construction

XMSS – Winternitz OTS [Buchmann et al. 2011]
- Uses pseudorandom function family
- Winternitz parameter w, message length m, random value x
[Figure labels: sk_1, pk_1, x, sk_l, pk_l, w, l]

XMSS – secret key
For multiple signatures use many key pairs.
Generated using a pseudorandom generator (PRG), built using PRFF F_n:
Secret key: Random SEED for pseudorandom generation of the current signature key.

XMSS – public key
Modified Merkle Tree [Dahmen et al 2008]
h: second preimage resistant hash function
Public key = (, b_0, b_1, b_2, h)
[Figure labels on the tree: b_0 (four times), b_1 (twice), b_h]

XMSS signature
Signature = (i,,,,)
[Figure labels: i, b_0, b_1, b_2]
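An added example, not taken from the slides or from the authors' implementation: how a verifier recomputes the tree root from leaf i and its authentication path. It assumes the b_j are public per-level bitmasks XORed onto the two child nodes before hashing, uses SHA-256 as a stand-in for h, and uses constructed byte strings in place of the one-time public keys at the leaves.

```python
import hashlib

N = 32  # output length in bytes of the stand-in hash h (SHA-256, an assumption)

def node_hash(left: bytes, right: bytes, mask: bytes) -> bytes:
    """Parent = h((left || right) XOR mask); mask is 2N bytes, one per tree level."""
    masked = bytes(a ^ b for a, b in zip(left + right, mask))
    return hashlib.sha256(masked).digest()

def build_tree(leaves, masks):
    """Signer side: return every level of the tree, leaves first, root last."""
    if len(leaves) != 1 << len(masks):
        raise ValueError("need 2**height leaves and one mask per level")
    levels = [list(leaves)]
    for mask in masks:
        prev = levels[-1]
        levels.append([node_hash(prev[k], prev[k + 1], mask)
                       for k in range(0, len(prev), 2)])
    return levels

def auth_path(levels, i):
    """Signer side: the sibling of the path node on each level below the root."""
    path = []
    for level in levels[:-1]:
        path.append(level[i ^ 1])
        i >>= 1
    return path

def root_from_path(leaf, i, path, masks):
    """Verifier side: rebuild the root from leaf i and its authentication path."""
    node = leaf
    for sibling, mask in zip(path, masks):
        if i & 1:   # current node is a right child
            node = node_hash(sibling, node, mask)
        else:       # current node is a left child
            node = node_hash(node, sibling, mask)
        i >>= 1
    return node

# Constructed sample data: height 3, eight stand-in leaves, fixed public masks.
# A real key pair would use uniformly random masks and real one-time public keys.
H = 3
MASKS = [hashlib.shake_256(b"mask%d" % j).digest(2 * N) for j in range(H)]
LEAVES = [hashlib.sha256(b"ots-pk-%d" % k).digest() for k in range(1 << H)]
LEVELS = build_tree(LEAVES, MASKS)
ROOT = LEVELS[-1][0]
```

The verifier accepts only if the recomputed value equals the root stored in the public key; the index i decides on every level whether the running node is hashed as the left or the right child.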

XMSS forward secure
FSPRG: Forward secure PRG using PRFF F_n
[Figure labels: FSPRG, PRG]
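An added example, not code from the slides or the authors: a forward secure PRG built from a PRF by the common construction (next state, output) = (F_state(0), F_state(1)), with HMAC-SHA256 as an assumed stand-in for F_n. The class name and the period count are hypothetical.

```python
import hashlib
import hmac

def prf(key: bytes, x: int) -> bytes:
    """Stand-in for the PRF family F_n: HMAC-SHA256 keyed with the current state."""
    return hmac.new(key, x.to_bytes(4, "big"), hashlib.sha256).digest()

def fsprg_step(state: bytes):
    """One FSPRG step: returns (next_state, out) = (F_state(0), F_state(1))."""
    return prf(state, 0), prf(state, 1)

def seeds_from(state: bytes, count: int):
    """Everything a holder of `state` can derive: this and later outputs only."""
    outs = []
    for _ in range(count):
        state, out = fsprg_step(state)
        outs.append(out)
    return outs

class ForwardSecureKey:
    """Hypothetical signer state: one fresh one-time-key seed per time period."""

    def __init__(self, seed: bytes, periods: int):
        self._state = seed
        self.index = 0
        self.periods = periods

    def next_ots_seed(self) -> bytes:
        if self.index >= self.periods:
            raise RuntimeError("all time periods used")
        # The old state is overwritten here. Python gives no guarantee that the
        # old bytes are wiped from memory; a real implementation must zeroize
        # them, because forward security rests on the old state being gone.
        self._state, out = fsprg_step(self._state)
        self.index += 1
        return out
```

Recovering an earlier output from a later state would require inverting the PRF, which is why a key stolen in period i does not expose the signing seeds of periods before i.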

Security Proof - Idea
Tree construction and W-OTS are provably secure.
Given: Adversary A against the pseudorandom scheme can be used against the random scheme.
→ Inputs are the same
Input distribution differs
→ We can bound success probability against random scheme
We can use A to distinguish PRG
See full version on IACR ePrint (report 2011/484)

XMSS in practice

XMSS - Instantiations
[Diagram labels: Cryptographic HFF; Block Cipher; Trapdoor one-way function (DL, RSA, MP-Sign), shown twice; Pseudorandom FF; Second-preimage resistant HFF; XMSS]

Hash functions & Blockciphers
Block ciphers: AES, Blowfish, 3DES, Twofish, Threefish, Serpent, IDEA, RC5, RC6, …
Hash functions: SHA-2, BLAKE, Grøstl, JH, Keccak, Skein, VSH, SWIFFTX, RFSB, …

XMSS Implementations
C Implementation, using OpenSSL
Columns: Sign (ms), Verify (ms), Signature (bit), Public Key (bit), Secret Key (byte), Bit Security, Comment
XMSS-SHA ,66413, H = 20, w = 64
XMSS-SHA ,38413, H = 20, w = 108
XMSS-AES-NI ,6087, H = 20, w = 4
XMSS-AES ,6087, H = 20, w = 4
MSS-SPR (n=128) --68,0967,680-98H = 20
RSA ≤ 2,048≤ 4,
Intel(R) Core(TM) i5 CPU 2.53GHz with Intel AES-NI

Conclusion

XMSS
… needs minimal security assumptions
… is forward secure
… can be used with any hash function or block cipher
… performance is comparable to RSA, DSA, ECDSA …