Hash-Based Signatures Update and Batch Message Signing

Presentation on theme: "Hash-Based Signatures Update and Batch Message Signing"— Presentation transcript:

1 Hash-Based Signatures Update and Batch Message Signing
David McGrew, Scott Fluhrer, Michael Curcio, Panos Kampanakis

2 HBS Quick Recap
Good:
- Relies on only one security conjecture: given Y=SHA256(X), an attacker cannot find X
- Can be postquantum secure
Bad:
- Big signatures, big key generation time
- Stateful signing
Standards development: CFRG, ETSI, NIST
11/13/16 IETF97

3 One-Time Signatures / Merkle / Hierarchical Merkle
- One-Time Signatures: 1 signature, 2144 bytes

6 One-Time Signatures / Merkle / Hierarchical Merkle
- One-Time Signatures (LMOTS): 1 signature, 2144 bytes
- Merkle (LMS): 2^20 signatures, 2828 bytes
- Hierarchical Merkle (HSS): 2^40 signatures, 5727 bytes

7 Issues and Solutions for Private State Management
State Management for Hash Based Signatures, McGrew, Kampanakis, Fluhrer, Gazdag, Butin, Buchmann, to appear at Security Standardization Research (SSR) 2016.

8 Managing Private Key State
Diagram (Disk Cache, File System Cache): signer holds K_N; write K_{N+1}; ok; sign M with K_N

9 N-time Signatures with Reservation
Diagram: write K_{N+R}; ok; sign M_N with K_N; sign M_{N+1} with K_{N+1}; sign M_{N+2} with K_{N+2}

10 Hierarchical Signatures and Reservation
Diagram: Nonvolatile / Volatile levels

11 Hierarchical Signatures and Reservation
- Synchronization delay
- Synchronization failure
- Unintended cloning
Diagram: Nonvolatile / Volatile levels

12 Vulnerability: Unintended Cloning
Diagram: the same private key state (1011 0110) duplicated by Clone or Restore, Snapshot or Backup

13 Stateless Hash Based Signatures
Idea: avoid security issues with state management
Bernstein et al., SPHINCS: Practical Stateless Hash-Based Signatures, EUROCRYPT 2015
- Huge signatures (45KB)
- Huge key generation time

14 Hybrid Signatures
Stateless N1-time signature method + stateful N2-time signature method = N1 x N2 time signature method with no backup vulnerability
Hierarchical Signatures with Stateless Root, McGrew and Fluhrer, preprint, 2016.

15 Draft-mcgrew-hash-sigs-05 History
- 00 - Originally based on Merkle's original work
- 03 - Used as basis of XMSS draft
- 04 - Evolved to use Leighton and Micali's 1995 patent
- 05 - Added volatile level requirement; made it possible to use hybrid (stateless root); identifiers are now independent at each hierarchical level; postquantum secure parameters only; Github implementation

16 Comparison
XMSS:
- Moving to RFC
- Provably secure
- Concrete security model, asymptotic analysis
- Cathedral
- draft-huelsing-cfrg-hash-sig-xmss
HSS/LMS:
- Evolving to meet emerging requirements
- Provably secure (though proof incomplete)
- Random oracle model
- (Optional) PRF generation of OTS private keys
- Bazaar
- draft-mcgrew-hash-sigs

17 Criteria and Comparison
Columns: HLMS / XMSS
- Number of signatures
- Signature size: B / B (98%)
- Signature generation time: (300%)
- Allows hybrid: Yes / No

18 Parameter Choices
- LMOTS: value LMOTS_SHA256_N32_W1; effect: signature size versus time
- LMS: values LMS_SHA256_M32_H5, LMS_SHA256_M32_H10, LMS_SHA256_M32_H15, LMS_SHA256_M32_H20; effect: number of signatures versus key generation time
- HSS: values 2, 3, 4, 5, 6, 7, 8 (number of levels); effect: number of signatures versus signature sizes

19 Anti-Copying Token in Private Key Files

```python
import hashlib
import os
import sys

def H(data):
    # The slide leaves H unspecified; SHA-256 is assumed here
    return hashlib.sha256(data.encode()).digest()

def check_string(path):
    # Token bound to the absolute path of the private key file
    return H(os.path.abspath(path))

def verify_check_string(path, buffer):
    # Refuse to use a key file whose token no longer matches its location
    if buffer[0:32] != check_string(path):
        print("error: file \"" + path + "\" has been copied")
        sys.exit(1)
    else:
        return buffer[32:]
```

20 https://github.com/davidmcgrew/hash-sigs


22 HSS public key
- levels
- LMS public key
  - LMS type # LMS_SHA256_M32_H5
  - LMOTS_type # LMOTS_SHA256_N32_W8
  - I c0b0d7e fd7c82025b21467ad 2619effdcc0f5ba240fd9c6efaefe593 6bd8e63c33c310b2df90560f55e31e12 86ecc b31f8facdf
  - K 1f834958e43c b083617ebb86 c04699e91ef7c2474de48768ce2ea21c

23 Batch Signing
Goal: make lower N livable
Idea for signing a batch of messages:
- Compute a Merkle tree over the message hashes
- Include the path-siblings in the messages
Christopher J. Pavlovski, Colin Boyd, Efficient Batch Signature Generation Using Tree Structures, 1999.
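The batch idea above, worked through as an added example (not code from the slides or from the hash-sigs repository): the message hashes form a Merkle tree, only the root is handed to one OTS, and each message carries its index and sibling path so a verifier can recompute the root. The leaf/node prefixes and the duplicate-last-node rule for odd batch sizes are this example's own choices; the OTS over the root is left to LMS/HSS and not shown.

```python
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf(msg: bytes) -> bytes:
    # Leaf hash; the 0x00 prefix separates leaves from interior nodes
    return h(b"\x00" + msg)

def node(left: bytes, right: bytes) -> bytes:
    return h(b"\x01" + left + right)

def batch_sign(messages):
    """Hash all messages into one Merkle tree. Returns the root (the single
    value handed to the one-time signature) and, per message, the index and
    sibling path a verifier needs to recompute that root."""
    levels = [[leaf(m) for m in messages]]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        if len(lvl) % 2:                 # odd count: duplicate last node
            lvl = lvl + [lvl[-1]]
        levels.append([node(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    root = levels[-1][0]
    packets = []
    for idx in range(len(messages)):
        path, i = [], idx
        for lvl in levels[:-1]:
            if len(lvl) % 2:
                lvl = lvl + [lvl[-1]]
            path.append(lvl[i ^ 1])      # sibling of the current node
            i //= 2
        packets.append((idx, path))
    return root, packets

def root_from_message(msg: bytes, idx: int, path) -> bytes:
    """Verifier side: rebuild the root from one message plus its sibling path."""
    cur = leaf(msg)
    for sib in path:
        cur = node(sib, cur) if idx & 1 else node(cur, sib)
        idx //= 2
    return cur

def verify_in_batch(msg: bytes, idx: int, path, signed_root: bytes) -> bool:
    # The OTS over signed_root is checked separately (LMS/HSS); this checks
    # that msg is one of the leaves the signed root commits to.
    return root_from_message(msg, idx, path) == signed_root
```

With N messages per batch, one OTS key covers N messages, which is what lets a signer live with a lower N in the tree above.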

24 11/13/16 CFRG @ IETF97
Diagram: Msg 1, Msg 2, Msg 3, Msg 4 over OTS 1, OTS 2, OTS 3, OTS 4


26 EOF
