W-OTS+ – Shorter Signatures for Hash-Based Signature Schemes
Andreas Hülsing
24.06.2013 | TU Darmstadt | Andreas Hülsing
Digital Signatures are Important!
- Software updates
- E-Commerce
- … and many others
What if…
IBM 2012: „…optimism about superconducting qubits and the possibilities for a future quantum computer are rapidly growing.“
Post-Quantum Signatures
Based on lattices, MQ, coding. Issues:
- Signature and/or key sizes
- Runtimes
- Secure parameters
Hash-based Signature Schemes [Merkle, Crypto'89]
Hash-based signatures are…
- … not only "post-quantum"
- … fast, also without HW-acceleration
- … strong security guarantees
- … forward secure
But…
- … signature size ~2-3 kB
Hash-based Signatures
(Figure: a binary hash tree of nodes h built over one-time signature (OTS) public keys; its root is the public key PK, the OTS keys form the secret key SK.)
SIG = (i, …) (the signature components beyond the leaf index i were not extracted)
Winternitz OTS [Merkle, Crypto'89; Even et al., JoC'96]
1. (Chain definition shown as a figure; only "… = f(…)" was extracted.)
2. Trade-off between runtime and signature size, controlled by parameter w
3. Minimal security requirements (PRF) [Buchmann et al., Africacrypt'11]
4. Used in XMSS & XMSS+ [Buchmann et al., PQCrypto'11; Hülsing et al., SAC'12]
SIG = (i, …)
WOTS+
- "Winternitz-type" OTS
- Security based on 2nd-preimage resistance, one-wayness & undetectability of the function family, even for SU-CMA
- Tight security reduction w/o collision resistance
- Allows for more signature compression, i.e. greater w
XMSS with WOTS+
(Table: XMSS and XMSS+ on Infineon SLE78 [HBB12]; the figures were not extracted.)
Construction
Use function family (parameters not extracted)
Previous schemes used (not extracted)
WOTS+: for w ≥ 2 select R = (r_1, …, r_{w-1})
Function chain: c^0(x) = x, c^1(x), …, c^{w-1}(x) (figure: each step of the chain is labelled with the randomization element r_i)
WOTS+
Winternitz parameter w, security parameter n, message length m, function family
Key Generation: compute l, sample k, sample R
c^0(sk_1) = sk_1, c^1(sk_1), …, pk_1 = c^{w-1}(sk_1)
…
c^0(sk_l) = sk_l, c^1(sk_l), …, pk_l = c^{w-1}(sk_l)
WOTS+ Signature generation
M → (b_1, b_2, b_3, b_4, …, b_{l1}); checksum C → (b_{l1+1}, b_{l1+2}, …, b_l)
c^0(sk_1) = sk_1 … pk_1 = c^{w-1}(sk_1): σ_1 = c^{b_1}(sk_1)
…
c^0(sk_l) = sk_l … pk_l = c^{w-1}(sk_l): σ_l = c^{b_l}(sk_l)
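The key generation and signing slides above, together with the verification equation c^{w-1-b_i}(σ_i) = pk_i, are shown below as a small working WOTS+ implementation. This is an added example written for this page, not the talk's or any library's code. It uses the WOTS+ chain definition from the literature, c^{i}(x) = f_k(c^{i-1}(x) ⊕ r_i), and makes assumptions the slides do not fix: n = 32 bytes, f_k(x) = SHA-256(k || x) as a stand-in for the function family, and messages pre-hashed with SHA-256 (m = 256). The parameter formulas l1 = ⌈m / log2 w⌉ and l2 = ⌊log_w(l1(w-1))⌋ + 1 are the standard Winternitz choices, not values stated on the slides.

```python
import hashlib
import math
import secrets

# Constructed instantiation for illustration (not the talk's parameters):
# n = 32-byte values, f_k(x) = SHA-256(k || x), and messages are first
# hashed with SHA-256, so the signed digest has m = 256 bits.
N = 32
M_BITS = 256


def wots_params(w, m=M_BITS):
    """Chain counts for Winternitz parameter w: l1 message digits,
    l2 checksum digits, l = l1 + l2 chains in total."""
    l1 = math.ceil(m / math.log2(w))
    l2 = math.floor(math.log(l1 * (w - 1), w)) + 1
    return l1, l2, l1 + l2


def f(k, x):
    """One evaluation of the keyed function family member f_k (stand-in)."""
    return hashlib.sha256(k + x).digest()[:N]


def chain(x, start, steps, k, r):
    """Walk `steps` links of the WOTS+ chain beginning at position `start`.
    Each link XORs a randomization element into the input before f_k:
    c^{j+1}(x) = f_k(c^{j}(x) XOR r_{j+1}), with r[j] holding r_{j+1}."""
    for j in range(start, start + steps):
        x = f(k, bytes(a ^ b for a, b in zip(x, r[j])))
    return x


def to_base_w(value, w, digits):
    """Big-endian base-w digits of `value`, zero-padded to `digits` digits."""
    out = []
    for _ in range(digits):
        out.append(value % w)
        value //= w
    return out[::-1]


def message_digits(msg, w):
    """M -> (b_1..b_l1) from the digest, then the checksum
    C = sum(w - 1 - b_i) appended as l2 further base-w digits."""
    l1, l2, _ = wots_params(w)
    b = to_base_w(int.from_bytes(hashlib.sha256(msg).digest(), "big"), w, l1)
    checksum = sum(w - 1 - bi for bi in b)
    return b + to_base_w(checksum, w, l2)


def keygen(w):
    """Sample k, R = (r_1..r_{w-1}) and l secret chain starts; pk_i = c^{w-1}(sk_i).
    k and R are public and are carried along with the public key."""
    _, _, l = wots_params(w)
    k = secrets.token_bytes(N)
    r = [secrets.token_bytes(N) for _ in range(w - 1)]
    sk = [secrets.token_bytes(N) for _ in range(l)]
    pk = [chain(s, 0, w - 1, k, r) for s in sk]
    return (sk, k, r), (pk, k, r)


def sign(secret, msg, w):
    """sigma_i = c^{b_i}(sk_i) for every chain. One-time key: sign once only."""
    sk, k, r = secret
    b = message_digits(msg, w)
    return [chain(sk[i], 0, b[i], k, r) for i in range(len(sk))]


def verify(public, msg, sig, w):
    """Accept iff continuing each sigma_i from position b_i for w-1-b_i steps
    reaches pk_i. The checksum digits guarantee that a different message
    would need some chain walked backwards, i.e. a (second-)preimage of f_k."""
    pk, k, r = public
    if len(sig) != len(pk):
        return False
    b = message_digits(msg, w)
    return all(chain(sig[i], b[i], w - 1 - b[i], k, r) == pk[i] for i in range(len(pk)))


if __name__ == "__main__":
    secret, public = keygen(16)
    signature = sign(secret, b"constructed sample message", 16)
    print("chains:", wots_params(16), "valid:", verify(public, b"constructed sample message", signature, 16))
```

With w = 16 and a 256-bit digest this yields l = 64 + 3 = 67 chains; raising w shortens the signature (fewer chains) at the cost of longer chains per key generation and verification, which is the runtime/size trade-off the slides describe.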
Security Proof: Reduction
Main result
Theorem: W-OTS+ is strongly unforgeable under chosen message attacks if F is a 2nd-preimage resistant, undetectable one-way function family.
EU-CMA for OTS
The adversary receives PK and 1^n, queries the signing oracle SIGN (holding SK) once on a message M and obtains (σ, M), then outputs a forgery (σ*, M*).
Success if M* ≠ M and Verify(pk, σ*, M*) = Accept.
Intuition
Oracle response: (σ, M); M → (b_1, …, b_l)
Forgery: (σ*, M*); M* → (b_1*, …, b_l*)
Observations:
1. (claim not extracted), because of the checksum
2. c^{w-1-b_α*}(σ*_α) = pk_α = c^{w-1-b_α}(σ_α), because of verification
Adversary "quasi-inverted" chain c.
(Figure: the chain c^0(sk_α) = sk_α … pk_α with σ_α, σ*_α and pk*_α marked on it.)
Intuition, cont'd
Oracle response: (σ, M); M → (b_1, …, b_l)
Forgery: (σ*, M*); M* → (b_1*, …, b_l*)
Observations: adversary "quasi-inverted" chain c.
Pigeonhole principle.
(Figure: the chain c^0(sk_α) = sk_α … pk_α with σ_α, σ*_α and a position β marked; the labels read "second-preimage", "r_i" and "preimage".)
Conclusion
We …
- … tightened the security proof …
- … → allows for smaller signatures …
- (… achieve stronger security)
It makes sense to tighten security proofs!
Take home message: hash-based signatures are practical.
Thank you!