Presentation is loading. Please wait.

Presentation is loading. Please wait.

04.09.2013 | TU Darmstadt | Andreas Hülsing | 1 Optimal Parameters for XMSS MT Andreas Hülsing, Lea Rausch, and Johannes Buchmann.

Published byThomasine Hall Modified over 8 years ago

Similar presentations

Presentation on theme: "04.09.2013 | TU Darmstadt | Andreas Hülsing | 1 Optimal Parameters for XMSS MT Andreas Hülsing, Lea Rausch, and Johannes Buchmann."— Presentation transcript:

1 04.09.2013 | TU Darmstadt | Andreas Hülsing | 1 Optimal Parameters for XMSS MT Andreas Hülsing, Lea Rausch, and Johannes Buchmann

2 Digital Signatures are Important! Software updates E-Commerce … and many others 04.09.2013 | TU Darmstadt | Andreas Hülsing | 2

3 What if… IBM 2012: „…optimism about superconducting qubits and the possibilities for a future quantum computer are rapidely growing.“ 04.09.2013 | TU Darmstadt | Andreas Hülsing | 3

4 Post-Quantum Signatures Based on Lattice, MQ, Coding Signature and/or key sizes Runtimes Secure parameters 04.09.2013 | TU Darmstadt | Andreas Hülsing | 4

5 Hash-based Signature Schemes [Merkle, Crypto‘89] Not only “post-quantum”Fast, also without HW-accelerationStrong security guaranteesForward secureRestricted number of signaturesMany parameters 04.09.2013 | TU Darmstadt | Andreas Hülsing | 5

6 Forward Secure Signatures 04.09.2013 | TU Darmstadt | Andreas Hülsing | 6

7 Forward Secure Signatures time classical pk sk Key gen. forward sec pk sk sk 1 sk 2 sk i sk T t1t1 t2t2 titi tTtT 04.09.2013 | TU Darmstadt | Andreas Hülsing | 7

8 Construction 04.09.2013 | TU Darmstadt | Andreas Hülsing | 8

9 Hash-based Signatures OTS HH H HH HH H HH HH H H H PK SK SIG = (i,,,,, ) h h H Parameter 04.09.2013 | TU Darmstadt | Andreas Hülsing | 9

10 Winternitz OTS [Merkle, Crypto‘89; Even et al., JoC‘96] 1. = f( ) 2. Trade-off between runtime and signature size, controlled by parameter w 3. Minimal security requirements [Buchmann et al.,Africacrypt’11] 4. Uses PRFF F SIG = (i,,,,, ) w F h H Parameter 04.09.2013 | TU Darmstadt | Andreas Hülsing | 10

11 Generated using forward secure pseudorandom generator (FSPRG), build using PRFF F: Secret key: Random SEED for pseudorandom generation of current signature key. XMSS – secret key PRG FSPRG w F h H Parameter 04.09.2013 | TU Darmstadt | Andreas Hülsing | 11

12 BDS-Tree Traversal [Buchmann et al., 2008]  Computes authentication paths  Left nodes are cheap h # 2 h-1 # 2 h-2 k  Store most expensive nodes  Distribute costs  (h-k)/2 updates per round k w F h H Parameter 04.09.2013 | TU Darmstadt | Andreas Hülsing | 12

13 i j Accelerate key generation Tree Chaining [Buchmann et al., 2006] Generalized distributed signature generation from [Huelsing et al., SAC’12] d k w F h H Parameter wiwi kiki hihi 04.09.2013 | TU Darmstadt | Andreas Hülsing | 13

14 Parameter Selection 04.09.2013 | TU Darmstadt | Andreas Hülsing | 14

15 Trade-Offs hHwFkd T Sig T Ver T Kg |Sig| |SK| |PK| Security # Sigs 04.09.2013 | TU Darmstadt | Andreas Hülsing | 15

16 Linear Optimization Input: h, b min, T F, T H Output: b, d, (h,w,k) i Obj. Minimize weighted sum of runtimes & sizes  Linearization: Generalized lambda method [Moritz, 2007]  Complexity reduction: Split into sub-problems 04.09.2013 | TU Darmstadt | Andreas Hülsing | 16

17 Conclusion 04.09.2013 | TU Darmstadt | Andreas Hülsing | 17

18 complex flexible XMSS MT other (pq-)schemes Optimization 04.09.2013 | TU Darmstadt | Andreas Hülsing | 18

19 Thank you!

Download ppt "04.09.2013 | TU Darmstadt | Andreas Hülsing | 1 Optimal Parameters for XMSS MT Andreas Hülsing, Lea Rausch, and Johannes Buchmann."

Similar presentations

14. Aug. 2013 Towards Practical Lattice-Based Public-Key Encryption on Reconfigurable Hardware SAC 2013, Burnaby, Canada Thomas Pöppelmann and Tim Güneysu.

14. Aug Towards Practical Lattice-Based Public-Key Encryption on Reconfigurable Hardware SAC 2013, Burnaby, Canada Thomas Pöppelmann and Tim Güneysu.
Introduction to Computer Science 2 Lecture 7: Extended binary trees

Introduction to Computer Science 2 Lecture 7: Extended binary trees
Advanced Security Constructions and Key Management Class 16.

Advanced Security Constructions and Key Management Class 16.
External Memory Hashing. Model of Computation Data stored on disk(s) Minimum transfer unit: a page = b bytes or B records (or block) N records -> N/B.

External Memory Hashing. Model of Computation Data stored on disk(s) Minimum transfer unit: a page = b bytes or B records (or block) N records -> N/B.
LOGO Multi-user Broadcast Authentication in Wireless Sensor Networks ICU 20082065 Myunghan Yoo.

LOGO Multi-user Broadcast Authentication in Wireless Sensor Networks ICU Myunghan Yoo.
A Framework for Secure Data Aggregation in Sensor Networks Yi Yang Xinran Wang, Sencun Zhu and Guohong Cao The Pennsylvania State University MobiHoc’ 06.

A Framework for Secure Data Aggregation in Sensor Networks Yi Yang Xinran Wang, Sencun Zhu and Guohong Cao The Pennsylvania State University MobiHoc’ 06.
Leakage-Resilient Signatures Sebastian Faust KU Leuven Joint work with Eike Kiltz CWI Krzysztof Pietrzak CWI Guy Rothblum Princeton TCC 2010, Zurich, Switzerland.

Leakage-Resilient Signatures Sebastian Faust KU Leuven Joint work with Eike Kiltz CWI Krzysztof Pietrzak CWI Guy Rothblum Princeton TCC 2010, Zurich, Switzerland.
The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Hash-based Primitives Credits: Dr. Peng Ning and Dr. Adrian Perrig.

The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Hash-based Primitives Credits: Dr. Peng Ning and Dr. Adrian Perrig.
B+-tree and Hashing.

B+-tree and Hashing.
Generic Object Detection using Feature Maps Oscar Danielsson Stefan Carlsson

Generic Object Detection using Feature Maps Oscar Danielsson Stefan Carlsson
Authenticating streamed data in the presence of random packet loss March 17th, 2000. Philippe Golle, Stanford University.

Authenticating streamed data in the presence of random packet loss March 17th, Philippe Golle, Stanford University.
Scalable Secure Bidirectional Group Communication Yitao Duan and John Canny Berkeley Institute of Design Computer Science.

Scalable Secure Bidirectional Group Communication Yitao Duan and John Canny Berkeley Institute of Design Computer Science.
Multicast Security May 10, 2004 Sam Irvine Andy Nguyen.

Multicast Security May 10, 2004 Sam Irvine Andy Nguyen.
SIA: Secure Information Aggregation in Sensor Networks Dhiman Barman Authors: Bartosz Przydateck, Dawn Song, and Adrian Perrig CMU SenSys 2003.

SIA: Secure Information Aggregation in Sensor Networks Dhiman Barman Authors: Bartosz Przydateck, Dawn Song, and Adrian Perrig CMU SenSys 2003.
Foundations of Cryptography Lecture 8 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 8 Lecturer: Moni Naor.
XMSS - A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions J. Buchmann, E. Dahmen, A. Hülsing 02.12.2011 | TU Darmstadt |

XMSS - A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions J. Buchmann, E. Dahmen, A. Hülsing | TU Darmstadt |
Reliability of Wireless Sensors with Code Attestation for Intrusion Detection Presented by: Yating Wang.

Reliability of Wireless Sensors with Code Attestation for Intrusion Detection Presented by: Yating Wang.
Cryptography in a Post Quantum Computing World Máire O’Neill.

Cryptography in a Post Quantum Computing World Máire O’Neill.
Basel Alomair, Krishna Sampigethaya, and Radha Poovendran University of Washington TexPoint fonts used in EMF.

Basel Alomair, Krishna Sampigethaya, and Radha Poovendran University of Washington TexPoint fonts used in EMF.
CS548 Advanced Information Security Presented by Gowun Jeong Mar. 9, 2010.

CS548 Advanced Information Security Presented by Gowun Jeong Mar. 9, 2010.

Similar presentations

Ads by Google