XMSS Practical Hash-Based Signatures Andreas Hülsing joint work with Johannes Buchmann and Erik Dahmen 23.09.2013 | TU Darmstadt | Andreas Hülsing.


1 XMSS Practical Hash-Based Signatures Andreas Hülsing joint work with Johannes Buchmann and Erik Dahmen

2 Post-Quantum Signatures
Lattice, MQ, Coding
- Signature and/or key sizes
- Runtimes
- Secure parameters

3 Hash-based Signature Schemes [Mer89]
- Post quantum
- Only secure hash function
- Security well understood
- Fast
- Inherently forward secure

4 Hash-based Signatures
[Figure: hash tree diagram. Labels: PK, H (tree nodes), OTS (leaves), SK; SIG = (i=2, , , , , ), with the remaining signature elements shown graphically.]

5 XMSS

6 Results
- Efficient
- Minimal security assumptions
- "Small signatures"
- Forward secure
- Full smartcard implementation

7 New Variants of the Winternitz One Time Signature Scheme
OTS

8 Winternitz OTS (WOTS) [Mer89; EGM96]
= f( )
2. Trade-off between runtime and signature size
| | ~ m/log w * | |
SIG = (i, , , , , )
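The runtime versus signature size trade-off named on this slide, as an added example that is not taken from the slides or from the authors' implementations. It is the classic Winternitz chain construction with a checksum (not WOTS+, which adds bitmasks and a keyed function family); SHA-256 as the chaining function f, the 256-bit message digest, and all function names are assumptions of this example.

```python
import hashlib, math, os

N = 32  # bytes per chain value; SHA-256 stands in for f (assumption)

def f_chain(x, steps):
    """Apply the one-way function f to x `steps` times."""
    for _ in range(steps):
        x = hashlib.sha256(x).digest()
    return x

def lengths(w, m_bits=256):
    """(message digits, checksum digits) for Winternitz parameter w."""
    lg = int(math.log2(w))            # w must be a power of two
    l1 = math.ceil(m_bits / lg)       # the m / log w term
    l2 = math.floor(math.log2(l1 * (w - 1)) / lg) + 1
    return l1, l2

def digits(msg, w):
    """Base-w digits of SHA-256(msg), followed by the checksum digits."""
    l1, l2 = lengths(w)
    lg = int(math.log2(w))
    v = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    d = [(v >> (lg * i)) & (w - 1) for i in range(l1)]
    # Raising any message digit lowers the checksum, so a forger who can
    # only walk chains forward would have to invert f on a checksum chain.
    c = sum(w - 1 - x for x in d)
    return d + [(c >> (lg * i)) & (w - 1) for i in range(l2)]

def keygen(w):
    sk = [os.urandom(N) for _ in range(sum(lengths(w)))]
    return sk, [f_chain(s, w - 1) for s in sk]   # pk = chain end points

def sign(sk, msg, w):
    return [f_chain(s, d) for s, d in zip(sk, digits(msg, w))]

def verify(pk, msg, sig, w):
    # Finish every chain and compare with the public end points.
    return all(f_chain(s, w - 1 - d) == p
               for s, d, p in zip(sig, digits(msg, w), pk))

def tradeoff(w):
    """(signature bytes, f calls for key generation) at parameter w."""
    l = sum(lengths(w))
    return l * N, l * (w - 1)

if __name__ == "__main__":
    msg = b"constructed sample message"
    for w in (4, 16, 64):
        sk, pk = keygen(w)
        print(w, tradeoff(w), verify(pk, msg, sign(sk, msg, w), w))
```

Larger w shortens the one-time signature while the number of f evaluations per key grows; these figures cover the one-time signature only, not a full XMSS signature with its authentication path.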

9 WOTS+ [Hül13]
Theorem 3.9 (informally): W-OTS+ is strongly unforgeable under chosen message attacks if F is a 2nd-preimage resistant, undetectable one-way function family.

In our work we showed that we can slightly change the original WOTS construction, such that it uses a function family instead of the hash function family. The resulting scheme is existentially unforgeable under chosen message attacks, if the function family is pseudorandom. This result has two implications:

10 XMSS [BDH11] Lamport-Diffie / WOTS WOTS+ Tree construction
[DOTV08] Pseudorandom key generation bi PRG FSPRG

11 XMSS* in Practice

12 XMSS Implementations C Implementation [BDH11]
C Implementation, using OpenSSL

| | Sign (ms) | Verify (ms) | Signature (bit) | Public Key (bit) | Secret Key (byte) | Bit Security | Comment |
|---|---|---|---|---|---|---|---|
| XMSS-SHA-2 | 35.60 | 1.98 | 16,672 | 13,600 | 3,364 | 157 | h = 20, w = 64 |
| XMSS-AES-NI | 0.52 | 0.07 | 19,616 | 7,328 | 1,684 | 84 | w = 4 |
| XMSS-AES | 1.06 | 0.11 | | | | | |
| RSA 2048 | 3.08 | 0.09 | ≤ 2,048 | ≤ 4,096 | ≤ 512 | 87 | |

2013: 80 bit
84 -> 2019
87 -> 2022
157 -> 2113

Intel(R) Core(TM) i5-2520M 2.50GHz with Intel AES-NI

13 XMSS Implementations Smartcard Implementation [HBB12]
| | Sign (ms) | Verify (ms) | Keygen (ms) | Signature (byte) | Public Key (byte) | Secret Key (byte) | Bit Sec. | Comment |
|---|---|---|---|---|---|---|---|---|
| XMSS | 134 | 23 | 925,400 | 2,388 | 800 | 2,448 | 92 | H = 16, w = 4 |
| XMSS+ | 106 | 25 | 5,600 | 3,476 | 544 | 3,760 | 94 | |
| RSA 2048 | 190 | 7 | 11,000 | ≤ 256 | ≤ 512 | | 87 | |

Tkg:
- similar to RSA 2048 (11 s)
- slower than ECDSA 256 (95ms).

Tsign:
- comparable to RSA 2048 (190ms) and ECDSA 256 (100ms).

Tverify:
- slightly slower than RSA 2048 (7ms)
- faster than ECDSA 256 (58ms).

ECDSA: PK=256~SK, Sig= 512,
The security level of RSA 2048 and ECDSA 256 is 95 and 128 bits, respectively

92 -> 2028
94 -> 2031

Infineon SLE78 8KB RAM, TRNG, sym. & asym. co-processor
NVM: Card million write cycles/ sector, XMSS+ < 5 million write cycles (h=20)

14 Conclusion

15 Conservative Security
Conclusion
- Fast
- Conservative Security
- Compact
- Forward secure

16 Main Drawback: State Easy Migration? Future Work Interfaces
Key Management

17 Thank you! Questions?

