XMSS - A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions J. Buchmann, E. Dahmen, A. Hülsing 02.12.2011 | TU Darmstadt |


1 XMSS - A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions J. Buchmann, E. Dahmen, A. Hülsing 02.12.2011 | TU Darmstadt | A. Huelsing | 1

2 Digital Signature Schemes

3 RSA – DSA – EC-DSA – …
[Diagram labels: Trapdoor one-way function; Collision resistant hash function; Digital signature scheme; RSA, DH, SVP, MQ, …]

4 Digital Signature Schemes
- Strong complexity theoretic assumption (Trapdoor one-way function) hard to fulfill
- Specific hardness assumptions: Quantum computers, new algorithms
+ efficient but mostly in ROM

5 The eXtended Merkle Signature Scheme XMSS

6 The eXtended Merkle Signature Scheme (XMSS)
- Minimal complexity theoretic assumptions
- Generic construction (No specific hardness assumption)
- Efficient (comparable to RSA)
- Forward secure

7 Minimal complexity theoretic assumptions
[Diagram labels: Digital signature scheme (existentially unforgeable under chosen message attacks); One-way FF; Target-collision resistant HFF; Second-preimage resistant HFF; Pseudorandom FF; XMSS. Citations on the arrows: Naor, Yung 1989; Rompel 1990; Håstad, Impagliazzo, Levin, Luby 1999; Goldreich, Goldwasser, Micali 1986; Rompel 1990.]

8 Output length of hash functions
Hash function h: {0,1}* → {0,1}^m
Assume:
- only generic attacks,
- security level n
Collision resistance required: → generic attack = birthday attack → m = 2n
Second-preimage resistance required: → generic attack = exhaustive search → m = n

9 Forward Secure Digital Signatures
[Timeline diagram (axis: time). Rows: classical (Key gen., pk, sk) and forward sec (pk, sk, sk_1, sk_2, sk_i, sk_T at t_1, t_2, t_i, t_T).]

10 Construction

11 XMSS – Winternitz OTS [Buchmann et al. 2011]
- Uses pseudorandom function family
- Winternitz parameter w, message length m, random value x
[Diagram labels: sk_1, pk_1, x, sk_l, pk_l, x, w, l]

12 XMSS – secret key
For multiple signatures use many key pairs.
Generated using pseudorandom generator (PRG), built using PRFF F_n:
Secret key: Random SEED for pseudorandom generation of current signature key.
[Diagram label: PRG]

13 XMSS – public key
Modified Merkle Tree [Dahmen et al 2008]
h second preimage resistant hash function
Public key = ( , b_0, b_1, b_2, h)
[Tree diagram; node labels: b_0, b_1, b_h]

14 XMSS signature
Signature = (i, , , , )
[Tree diagram; labels: i, b_0, b_1, b_2]

15 XMSS forward secure
FSPRG: Forward secure PRG using PRFF F_n
[Diagram labels: FSPRG, PRG]
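
Added example (not from the slides or from the XMSS authors' code): a sketch of the seed generation described on slides 12 and 15, where a forward secure PRG built from a PRF produces the seed of each one-time key. The update rule state → (F_state(0), F_state(1)), HMAC-SHA-256 as a stand-in for F_n, and all function names are assumptions, since the slides do not show the formula.

```python
import hashlib
import hmac

N = 32  # PRF output length in bytes (constructed parameter)


def prf(key, data):
    """Stand-in for F_n (assumption): HMAC-SHA-256 keyed with `key`."""
    return hmac.new(key, data, hashlib.sha256).digest()


def fsprg_step(state):
    """One FSPRG step: returns (next state, seed of the current OTS key)."""
    return prf(state, b"\x00"), prf(state, b"\x01")


def wots_secret_key(seed_i, l):
    """Plain PRG step: expand one seed into l W-OTS secret key strings."""
    return [prf(seed_i, j.to_bytes(4, "big")) for j in range(l)]


class ForwardSecureKey:
    """Keeps only the current state; the previous one is not retained."""

    def __init__(self, seed, periods):
        self.state, self.index, self.periods = seed, 0, periods

    def next_seed(self):
        if self.index >= self.periods:
            raise RuntimeError("all one-time keys are used up")
        self.state, seed_i = fsprg_step(self.state)
        self.index += 1
        return seed_i


def seeds_from(state, count):
    """Everything a holder of `state` can derive: the next `count` seeds."""
    seeds = []
    for _ in range(count):
        state, seed_i = fsprg_step(state)
        seeds.append(seed_i)
    return seeds


def demo():
    master = bytes(range(N))           # constructed SEED, not a real key
    all_seeds = seeds_from(master, 8)  # reference run over 8 key indices
    key = ForwardSecureKey(master, 8)
    used = [key.next_seed() for _ in range(3)]  # indices 0..2 already used
    exposed = key.state                # what a key-store compromise reveals
    return used, seeds_from(exposed, 5), all_seeds
```

The exposed state reproduces the seeds for indices 3 to 7 only; recovering the seeds for indices 0 to 2 would require inverting the PRF. A production implementation must also wipe the old state from memory, which Python does not guarantee.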

16 Security Proof - Idea
Tree construction and W-OTS are provably secure.
Given: an adversary A against the pseudorandom scheme can be used against the random scheme.
→ Inputs are the same
Input distribution differs
→ We can bound success probability against random scheme
We can use A to distinguish PRG
See full version on IACR ePrint (report 2011/484)

17 XMSS in practice

18 XMSS - Instantiations
[Diagram labels: XMSS; Pseudorandom FF; Second-preimage resistant HFF; Cryptographic HFF; Block Cipher; Trapdoor one-way function (DL, RSA, MP-Sign)]

19 Hash functions & Blockciphers
Block ciphers: AES, Blowfish, 3DES, Twofish, Threefish, Serpent, IDEA, RC5, RC6, …
Hash functions: SHA-2, BLAKE, Grøstl, JH, Keccak, Skein, VSH, SWIFFTX, RFSB, …

20 XMSS Implementations
C Implementation, using OpenSSL

| Scheme | Sign (ms) | Verify (ms) | Signature (bit) | Public Key (bit) | Secret Key (byte) | Bit Security | Comment |
|---|---|---|---|---|---|---|---|
| XMSS-SHA-2 | 15.17 | 1.02 | 16,664 | 13,568 | 280 | 146 | H = 20, w = 64 |
| XMSS-SHA-2 | 33.47 | 2.34 | 15,384 | 13,568 | 280 | 100 | H = 20, w = 108 |
| XMSS-AES-NI | 1.72 | 0.11 | 19,608 | 7,296 | 152 | 82 | H = 20, w = 4 |
| XMSS-AES | 2.87 | 0.22 | 19,608 | 7,296 | 152 | 82 | H = 20, w = 4 |
| MSS-SPR (n=128) | - | - | 68,096 | 7,680 | - | 98 | H = 20 |
| RSA 2048 | 3.08 | 0.09 | ≤ 2,048 | ≤ 4,096 | | 87 | |

Intel(R) Core(TM) i5 CPU M540 @ 2.53GHz with Intel AES-NI

21 Conclusion

22 XMSS
… needs minimal security assumptions
… is forward secure
… can be used with any hash function or block cipher
… performance is comparable to RSA, DSA, ECDSA …

