Presentation is loading. Please wait.

Presentation is loading. Please wait.

Long-term secure signatures for the IoT

Published byGlenna Gunawan Modified over 5 years ago

Similar presentations

Presentation on theme: "Long-term secure signatures for the IoT"— Presentation transcript:

1 Long-term secure signatures for the IoT
Andreas Hülsing

2 Hash-based Signature Schemes [Mer89]
Long-term secure Only needs secure hash function Post-quantum Possibility of hash combiners IoT compatible? Only needs secure hash function

3 Lamport-Diffie OTS [Lam79]
Message M = b1,…,bm, OWF H = n bit SK PK Sig * sk1,0 sk1,1 skm,0 skm,1 Mux b1 Mux b2 Mux bm H H H H H H pk1,0 pk1,1 pkm,0 pkm,1 sk1,b1 skm,bm

4 One-time signatures Can only be used once Basic building block
Secret keys can be generated pseudorandomly WOTS+ [Hue13] Shorter signatures Size-speed trade-off

5 Chain-based OTS PK H H H H H H H OTS OTS OTS OTS OTS OTS OTS SK

6 Chain-based OTS [NY89] Extremely fast signing via „pebbeling“
Extremely fast verification of sequential signatures Small keys Small sigs (for sequential signatures) Extremely useful in combination with aggregator Stateful See e.g. Dahmen, Krauss. Short Hash-Based Signatures for Wireless Sensor Networks. CANS 2009.

7 Merkle’s signature scheme
PK SIG = (i=2, , , , , ) H OTS H H H H H H H H H H H H H H OTS OTS OTS OTS OTS OTS OTS OTS SK

8 Merkle‘s signature scheme
Fast signing via „tree traversal algorithms“ Extremely fast verification Small keys Medium size sigs Stateful Latest: XMSS-T (Hülsing, Rijneveld, Song. Mitigating Multi-Target Attacks in Hash-based Signatures. PKC ‘16)

9 Multi-Tree XMSS [MMM02] Uses multiple layers of trees -> Key generation (= Building first tree on each layer) Θ(2h) → Θ(d*2h/d) -> Allows to reduce worst-case signing times Θ(h/2) → Θ(h/2d)

10 SPHINCS [BHH+15] Stateless Scheme
XMSSMT + HORST + (pseudo-)random index Collision-resilient Deterministic signing SPHINCS-256: 128-bit post-quantum secure Hundrest of signatures / sec 41 kb signature 1 kb keys

11 Performance on small devices
STM32L100C development board: Cortex M3, 32MHz, 32-bit architecture, 256KB Flash, 16KB RAM Issue: SPHINCS sigs (41KB) don‘t fit single APDU KeyGen Sign Verify XMSSMT 278.80s 0.61s 0.16s SPHINCS 0.88s 18.41s 0.51s

12 Future XMSS Internet Draft in IRSG poll
At least two SPHINCS submissions for NIST Faster / smaller signatures Several works on dedicated hash functions (Haraka, Siempira)

13 Thank you! Questions?

Download ppt "Long-term secure signatures for the IoT"

Similar presentations

Research & Development Workshop on e-Voting and e-Government in the UK - February 27, 2006 Votinbox - a voting system based on smart cards Sébastien Canard.

Research & Development Workshop on e-Voting and e-Government in the UK - February 27, 2006 Votinbox - a voting system based on smart cards Sébastien Canard.
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
Advanced Security Constructions and Key Management Class 16.

Advanced Security Constructions and Key Management Class 16.
LOGO Multi-user Broadcast Authentication in Wireless Sensor Networks ICU 20082065 Myunghan Yoo.

LOGO Multi-user Broadcast Authentication in Wireless Sensor Networks ICU Myunghan Yoo.
Leakage-Resilient Signatures Sebastian Faust KU Leuven Joint work with Eike Kiltz CWI Krzysztof Pietrzak CWI Guy Rothblum Princeton TCC 2010, Zurich, Switzerland.

Leakage-Resilient Signatures Sebastian Faust KU Leuven Joint work with Eike Kiltz CWI Krzysztof Pietrzak CWI Guy Rothblum Princeton TCC 2010, Zurich, Switzerland.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Hash-based Primitives Credits: Dr. Peng Ning and Dr. Adrian Perrig.

The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Hash-based Primitives Credits: Dr. Peng Ning and Dr. Adrian Perrig.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Authenticating streamed data in the presence of random packet loss March 17th, 2000. Philippe Golle, Stanford University.

Authenticating streamed data in the presence of random packet loss March 17th, Philippe Golle, Stanford University.
Foundations of Cryptography Lecture 8 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 8 Lecturer: Moni Naor.
XMSS - A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions J. Buchmann, E. Dahmen, A. Hülsing 02.12.2011 | TU Darmstadt |

XMSS - A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions J. Buchmann, E. Dahmen, A. Hülsing | TU Darmstadt |
Cong Wang1, Qian Wang1, Kui Ren1 and Wenjing Lou2

Cong Wang1, Qian Wang1, Kui Ren1 and Wenjing Lou2
Efficient Sequential Aggregate Signed Data Gregory Neven IBM Zurich Research Laboratory work done while at K.U.Leuven.

Efficient Sequential Aggregate Signed Data Gregory Neven IBM Zurich Research Laboratory work done while at K.U.Leuven.
02/22/2005 Joint Seminer Satoshi Koga Information Technology & Security Lab. Kyushu Univ. A Distributed Online Certificate Status Protocol with Low Communication.

02/22/2005 Joint Seminer Satoshi Koga Information Technology & Security Lab. Kyushu Univ. A Distributed Online Certificate Status Protocol with Low Communication.
The Generic Transformation from Standard Signatures to Identity-Based Aggregate Signatures Bei Liang, Hongda Li, Jinyong Chang.

The Generic Transformation from Standard Signatures to Identity-Based Aggregate Signatures Bei Liang, Hongda Li, Jinyong Chang.
Cryptography Wei Wu. Internet Threat Model Client Network Not trusted!!

Cryptography Wei Wu. Internet Threat Model Client Network Not trusted!!
Foundations of Cryptography Lecture 6 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 6 Lecturer: Moni Naor.
1 Sequential Aggregate Signatures and Multisignatures Without Random Oracles Steve Lu, Rafail Ostrovsky, Amit Sahai, Hovav Shacham, and Brent Waters.

1 Sequential Aggregate Signatures and Multisignatures Without Random Oracles Steve Lu, Rafail Ostrovsky, Amit Sahai, Hovav Shacham, and Brent Waters.
Hash-Based Signatures Johannes Buchmann, Andreas Hülsung Supported by DFG and DAAD Part XI: XMSS in Practice.

Hash-Based Signatures Johannes Buchmann, Andreas Hülsung Supported by DFG and DAAD Part XI: XMSS in Practice.

Similar presentations

Ads by Google