Forward Secure Signatures on Smart Cards A. Hülsing, J. Buchmann, C. Busold 16.08.2012 | TU Darmstadt | A. Hülsing | 1.


1 Forward Secure Signatures on Smart Cards A. Hülsing, J. Buchmann, C. Busold 16.08.2012 | TU Darmstadt | A. Hülsing | 1

2 Forward Secure Digital Signatures

3 Forward Secure Digital Signatures
[Figure: timeline. Classical: key generation yields pk and a single sk. Forward secure: key generation yields pk and secret keys $sk_1, sk_2, \ldots, sk_i, \ldots, sk_T$ for time periods $t_1, t_2, \ldots, t_i, \ldots, t_T$.]

4 Forward Secure Digital Signatures
Pros:
- Fulfill intuition of signature
- Replace timestamps
- Cut off some attack vectors for side-channel attacks
- Especially interesting for document signatures and PKI
Cons:
- Stateful
- Less efficient than standard signature schemes

5 The eXtended Merkle Signature Scheme XMSS

6 The eXtended Merkle Signature Scheme (XMSS) [Buchmann et al., 2011]
- "Hash-based" forward secure signature scheme
- Provably secure in the standard model
- Minimal complexity-theoretic assumptions (SPR & PRF)
- Generic construction (no specific hardness assumption)
- Efficient (comparable to RSA)

7 Hash-based Signature Schemes
[Figure: hash tree with inner nodes labelled h built over OTS keys; labels: PK, Secret Key.]

8 Goal / Challenges
Goal
- Implement XMSS on smartcard
Challenges
- On-card key generation too expensive [Rohde et al., 2008]
- Stateful / NVM wear-out

9 Construction

10 OTS / Key generation
- Winternitz OTS [Buchmann et al., 2011] and forward secure PRG
- Both use a pseudorandom function family
- OTS requires computing many PRF chains
- OTS-PK can be computed given the signature

11 XMSS signature
[Figure: hash tree with bitmasks $b_0$, $b_1$, $b_2$ and leaf index i.]
Signature = (i,,,,)

12 BDS-Tree Traversal [Buchmann et al., 2008]
- Computes authentication paths
- Store most expensive nodes
- Left nodes are cheap
- Distribute costs
- (h-k)/2 updates per round
[Figure: tree of height h with labels # $2^{h-1}$, # $2^{h-2}$ and k.]

13 Accelerate key generation
Tree Chaining [Buchmann et al., 2006]
$2^{h+1} \to 2 \cdot 2^{h/2+1} = 2^{h/2+2}$
But: Larger signatures!
[Figure: chained trees with indices i and j.]

14 Distributed Signature Generation
Initial proposal [Buchmann et al., 2007]:
- Distribute signature costs equally among all signatures in lower tree
This work:
- Use observation: BDS spends more updates than needed
- Use unused updates to compute authentication path & signature

15 Implementation

16 Hash function & PRF
- Use plain AES for PRF
- Use AES with Matyas-Meyer-Oseas in Merkle-Damgård mode for hash function

17 Results

| Scheme | Sign (ms) | Verify (ms) | Keygen (ms) | Signature (byte) | Public Key (byte) | Secret Key (byte) | Bit Sec. | Comment |
|---|---|---|---|---|---|---|---|---|
| XMSS | 134 | 23 | 925,400 | 2,388 | 800 | 2,448 | 86 | h = 16, w = 4, k = 4 |
| XMSS+ | 106 | 25 | 5,600 | 3,476 | 544 | 3,760 | 85 | H = 16, w = 4, k = 2 |
| XMSS+ | 105 | 21 | 5,800 | 2,436 | 512 | 3,376 | 81 | H = 16, w = 8, k = 2 |
| XMSS+ | 106 | 25 | 22,200 | 3,540 | 608 | 4,304 | 81 | H = 20, w = 4, k = 4 |
| RSA 2048 | 190 | 7 | 11,000 | ≤ 256 | ≤ 512 | | 87 | |

Platform: Infineon SLE78, 16-bit CPU @ 33 MHz, 8 KB RAM, TRNG, sym. & asym. co-processor
NVM: Card 16.5 million write cycles/sector, XMSS+ < 5 million write cycles

18 Conclusion

19 Conclusion & future work
Forward secure signature schemes can be implemented on smartcards, …
- … hash-based signatures with on-card key generation, too
- … performance is comparable to RSA, DSA, ECDSA …
- … higher provable security level requires tighter security proof or different block cipher / hash function

20 Thank you, Questions?

21 XMSS – Winternitz OTS [Buchmann et al. 2011]
- Uses pseudorandom function family
- Winternitz parameter w, message length m, random value x
[Figure: function chains from $sk_1$ to $pk_1$ through $sk_l$ to $pk_l$, each labelled x; labels w and l.]
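Added example, not taken from the slides: a Winternitz one-time signature built from PRF chains, showing the point from slides 10 and 21 that the verifier recomputes the OTS public key from the signature. HMAC-SHA256 as the PRF, w = 16, a SHA-256 message digest and the derivation of the chain starts from a seed are assumptions of this sketch; the slides use an AES-based PRF.

```python
import hashlib
import hmac

W = 16              # Winternitz parameter: digits are base 16 (assumption)
L1, L2 = 64, 3      # 64 digits for a 256-bit digest, 3 checksum digits
L = L1 + L2         # number of chains

def prf(key, msg):
    """Stand-in PRF F_key(msg); HMAC-SHA256 is an assumption of this example."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def chain(key, x, steps):
    """Walk a PRF chain: key <- F_key(x), repeated `steps` times."""
    for _ in range(steps):
        key = prf(key, x)
    return key

def digits(message):
    """Base-W digits of SHA-256(message), followed by the checksum digits."""
    digest = hashlib.sha256(message).digest()
    msg = [nibble for byte in digest for nibble in (byte >> 4, byte & 15)]
    # Raising any message digit lowers the checksum, so an attacker who can
    # only walk chains forward cannot fix up the checksum chains.
    csum = sum(W - 1 - d for d in msg)          # at most 64 * 15 = 960
    return msg + [(csum >> shift) & 15 for shift in (8, 4, 0)]

def keygen(seed, x):
    """Chain starts come from the seed; chain ends form the public key."""
    sk = [prf(seed, i.to_bytes(4, "big")) for i in range(L)]
    pk = [chain(s, x, W - 1) for s in sk]       # L * (W - 1) PRF calls
    return sk, pk

def sign(sk, x, message):
    """Reveal chain i after digit_i steps. Use each key for ONE message only."""
    return [chain(s, x, d) for s, d in zip(sk, digits(message))]

def pk_from_sig(sig, x, message):
    """Finish every chain; a valid signature ends exactly on the public key."""
    return [chain(s, x, W - 1 - d) for s, d in zip(sig, digits(message))]

def verify(pk, sig, x, message):
    candidate = b"".join(pk_from_sig(sig, x, message))
    return len(sig) == L and hmac.compare_digest(candidate, b"".join(pk))
```

Because the public key falls out of verification, an XMSS signature does not need to carry the OTS public key; the recomputed value is hashed up the tree instead.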

22 XMSS – secret key
For multiple signatures use many key pairs, generated using a forward secure pseudorandom generator (FSPRG), built using PRFF $F_n$:
[Figure: PRG and FSPRG.]
Secret key: Random SEED for pseudorandom generation of current signature key.
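Added example, not taken from the slides: forward-secure seed evolution of the kind slide 22 describes, where the stored secret is only the current state. The update rule (next state = F_state(0), OTS seed = F_state(1)) and HMAC-SHA256 as the PRF are assumptions of this sketch; all class and function names are hypothetical.

```python
import hashlib
import hmac

def prf(key, msg):
    """Stand-in PRF F_key(msg); HMAC-SHA256 is an assumption (slides use AES)."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def fsprg_step(state):
    """Assumed update rule: (next_state, ots_seed) = (F_state(0), F_state(1))."""
    return prf(state, b"\x00"), prf(state, b"\x01")

class ForwardSecureKey:
    """Keeps only the current state; each step overwrites the previous one."""

    def __init__(self, seed):
        self.period = 0
        self._state = seed

    def next_ots_seed(self):
        """Return (period, seed for this period's OTS key) and evolve the state."""
        period = self.period
        self._state, ots_seed = fsprg_step(self._state)
        self.period += 1
        return period, ots_seed

    def snapshot(self):
        """What a key compromise at this moment would expose."""
        return self.period, self._state

def derivable_from(state, start, count):
    """OTS seeds computable from `state`, which belongs to period `start`."""
    seeds = {}
    for period in range(start, start + count):
        state, seeds[period] = fsprg_step(state)
    return seeds

def demo():
    seed = bytes(range(32))      # constructed value; a card would use its TRNG
    key = ForwardSecureKey(seed)
    past = dict(key.next_ots_seed() for _ in range(5))    # periods 0..4
    period, leaked = key.snapshot()                       # compromise at period 5
    exposed = derivable_from(leaked, period, 3)           # periods 5..7
    future = dict(key.next_ots_seed() for _ in range(3))
    return past, exposed, future
```

The state leaked at period 5 reproduces the seeds for periods 5 to 7 but none of the earlier ones, which is why signatures made before a compromise stay trustworthy as long as old states are actually erased.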

23 XMSS – public key
Modified Merkle Tree [Dahmen et al 2008]
h: second preimage resistant hash function
[Figure: hash tree with bitmasks $b_0$, $b_1$, ..., $b_h$ applied per level.]
Public key = (, $b_0$, $b_1$, $b_2$, h)

