slides - Andreas Hülsing

Report
Practical Forward Secure
Signatures using Minimal
Security Assumptions
PhD Defense
Andreas Hülsing
23.09.2013 | TU Darmstadt | Andreas Hülsing | 1
Digital Signatures are Important!
Software updates
E-Commerce
… and many others
23.09.2013 | TU Darmstadt | Andreas Hülsing | 2
Forward Secure Signatures
[And97]
23.09.2013 | TU Darmstadt | Andreas Hülsing | 3
Forward Secure Signatures
pk
classical
sk
pk
forward sec
sk
Key gen.
sk1
sk2
ski
t1
t2
ti
Goal : Sig  ( , j ), j  i
23.09.2013 | TU Darmstadt | Andreas Hülsing | 4
skT
tT
time
What if…
23.09.2013 | TU Darmstadt | Andreas Hülsing | 5
Post-Quantum Signatures
Lattice, MQ, Coding
Signature and/or key sizes
y 1  x1  x1 x 2  x1 x 4  x 3
2
Runtimes
Secure parameters
no forward secure signatures
23.09.2013 | TU Darmstadt | Andreas Hülsing | 6
y 2  x 3  x 2 x 3  x 2 x 4  x1  1
2
y 3  ...
Hash-based Signature Schemes
[Mer89]
Post quantum
Only secure hash function
Security well understood
Fast
Forward secure (inefficient)
23.09.2013 | TU Darmstadt | Andreas Hülsing | 7
Cryptographic Hash Functions
Η
 { H K : { 0 ,1}  { 0 ,1} | K  { 0 ,1} }
m
n
n
Collision Resistance
(CR)
n'
•Cryptomania
•AC O(2n/2)
Second-preimage
Resistance (SPR)
•Minicrypt
•AC O(2n)
One-wayness
•Minicrypt
•AC O(2n)
Undetectability (UD)
•Minicrypt
•AC O(2n)
Pseudorandomness
(PRF)
•Minicrypt
•AC O(2n)
23.09.2013 | TU Darmstadt | Andreas Hülsing | 8
{0,1}n
H
{0,1}m
Hash-based Signatures
PK
H
H
SIG = (i=2,
,
,
H
OTS
H
,
H
H
H
H
H
H
H
H
H
H
H
OTS
OTS
OTS
OTS
OTS
OTS
OTS
OTS
23.09.2013 | TU Darmstadt | Andreas Hülsing | 9
SK
,
)
Challenges & Achievements
Minimal security
assumptions XOR Efficient
Efficient
Forward secure XOR Efficient
Minimal security assumptions
Large signatures
„Small signatures"
No full smartcard
implementation
Forward secure
Full smartcard
implementation
23.09.2013 | TU Darmstadt | Andreas Hülsing | 10
Contribution
Chapter 3
New Variants of the Winternitz
One Time Signature Scheme
• WOTS+ & WOTS$
Chapter 4
XMSS
• „A practical, forward secure
signature scheme based on minimal
security assumptions“
Chapter 5
XMSSMT
• „XMSS with Virtually Unlimited
Signature Capacity”
23.09.2013 | TU Darmstadt | Andreas Hülsing | 11
Chapter 6
Choosing Optimal Parameters
for XMSS∗
Chapter 7
XMSS∗ in Practice
• Implementation
• Experimental results (CPU &
smartcard)
Chapter 3
New Variants of the
Winternitz One Time
Signature Scheme
OTS
23.09.2013 | TU Darmstadt | Andreas Hülsing | 12
Winternitz OTS (WOTS)
[Mer89; EGM96]
SIG = (i,
|
1.
|=|
= f(
|=m*|
,
,
,
,
)
|
)
2. Trade-off between runtime and signature size
|
| ~ m/log w * |
|
23.09.2013 | TU Darmstadt | Andreas Hülsing | 13
WOTS
Function Chain
Function family: F n  { F K : {0 ,1} n  { 0 ,1} n | K  {0 ,1} n ' }
Formerly: c ( x )  F K ( c
i
i 1
( x ))  F K  F K    F K ( x ) , K  { 0 ,1}
     

n'
i  times
WOTS+
For w ≥ 2 select
ci-1 (x)
R = (r1, …, rw-1) {0 ,1} n  w 1 , K  {0 ,1} n '
ri
ci (x)
FK
c ( x )  FK ( c
i
i 1
( x )  ri )
c0(x) = x
c1(x)
= F K ( x  r1 )
23.09.2013 | TU Darmstadt | Andreas Hülsing | 14
cw-1 (x)
WOTS+
[Hül13]
Winternitz parameter w, security parameter n, message length m,
n
n
n'
function family
F n  { F K : {0 ,1}  { 0 ,1} | K  { 0 ,1} }
Key Generation: Compute l , sample K, sample
c0(sk1) = sk1
R
pk1 = cw-1(sk1)
c1(sk1)
c1(skl )
c0(skl ) = skl
23.09.2013 | TU Darmstadt | Andreas Hülsing | 15
pkl = cw-1(skl )
WOTS+ Signature generation
M
b1
b2
b3
b4
…
…
…
…
…
…
…
c0(sk1) = sk1
bl 1
bl 1+1
bl 1+2
…
C
…
bl
pk1 = cw-1(sk1)
σ1=cb1(sk1)
pkl = cw-1(skl )
c0(skl ) = skl
23.09.2013 | TU Darmstadt | Andreas Hülsing | 16
σl =cbl (skl )
Main result
Theorem 3.9 (informally):
W-OTS+ is strongly unforgeable under chosen message attacks if F
is a 2nd-preimage resistant, undetectable one-way function family
23.09.2013 | TU Darmstadt | Andreas Hülsing | 17
Security Proof
Reduction
23.09.2013 | TU Darmstadt | Andreas Hülsing | 18
Intuition
Oracle Response:
Forgery:
(σ, M);
(σ*, M*);
M →(b1,…,bl )
M* →(b1*,…, bl*)
Observations:
*
1.Checksum:    {1,.., l } s .th . b  b
2. Verification cw-1-bα* (σ*α) = pkα = cw-1-bα (σα)
“quasi-inversion”
σα
?
σ*α
23.09.2013 | TU Darmstadt | Andreas Hülsing | 19
?
?
?
?
?
?
?
=
c0(skα) = skα
pkα
!
pk*α
Intuition, cont‘d
Oracle Response:
Forgery:
(σ, M);
(σ*, M*);
M →(b1,…,bl )
M* →(b1*,…, bl*)
Given:
“quasi-inversion” of c
rβ
FK
σα
β
pkα
c0(skα) = skα
σ*α
23.09.2013 | TU Darmstadt | Andreas Hülsing | 20
second-preimage
preimage
Result
Old
[DSS05]
CR, UD, OW
Fn
Cryptomania
|Sig| =
*2b
l
23.09.2013 | TU Darmstadt | Andreas Hülsing | 21
WOTS$
[BDEHR11]
PRF Fn
WOTS+
[Hül13]
SPR, UD, OW
Fn
Minicrypt
Conj.
Minicrypt
|Sig| = l
*(b+w)
|Sig| = l
*(b+log w)
Chapter 4
XMSS
23.09.2013 | TU Darmstadt | Andreas Hülsing | 22
XMSS
[BDH11]
WOTS+ / WOTS$
Lamport-Diffie / WOTS
Tree construction
[DOTV08]
H
H
bi
FSPRG
23.09.2013 | TU Darmstadt | Andreas Hülsing | 23
FSPRG
PRG
PRG
PRG
PRG
PRG
Pseudorandom key generation
FSPRG
FSPRG
FSPRG
Result
GMSS
SPR-MSS
(Single Tree)
[DOTV08]
[BDK+07]
XMSS
[BDH11]
Minicrypt
Cryptomania
Minicrypt
FSS
Not FSS
FSS
|SK| = 2h+1bm + TTA
|SK| = b + TTA
|SK| = b + TTA
|SIG|
~2bm + hb
|SIG|
~2b(m/log w) + h2b
|SIG|
~ b(m/log w) + hb
23.09.2013 | TU Darmstadt | Andreas Hülsing | 24
Chapter 7
XMSS* in Practice
23.09.2013 | TU Darmstadt | Andreas Hülsing | 25
XMSS Implementations
C Implementation
C Implementation, using OpenSSL [BDH2011]
Sign
(ms)
Verify
(ms)
Signature
(bit)
Public Key
(bit)
Secret
Key
(byte)
Bit
Security
Comment
XMSS-SHA-2
35.60
1.98
16,672
13,600
3,364
157
h = 20,
w = 64,
XMSS-AES-NI
0.52
0.07
19,616
7,328
1,684
84
h = 20,
w=4
XMSS-AES
1.06
0.11
19,616
7,328
1,684
84
h = 20,
w=4
RSA 2048
3.08
0.09
≤ 2,048
≤ 4,096
≤ 512
87
Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz with Intel AES-NI
23.09.2013 | TU Darmstadt | Andreas Hülsing | 26
XMSS Implementations
Smartcard Implementation
Sign
(ms)
Verify
(ms)
Keygen
(ms)
Signature
(byte)
Public Key
(byte)
Secret
Key
(byte)
Bit
Sec.
Comment
XMSS
134
23
925,400
2,388
800
2,448
92
H = 16,
w=4
XMSS+
106
25
5,600
3,476
544
3,760
94
H = 16,
w=4
RSA
2048
190
7
11,000
≤ 256
≤ 512
≤ 512
87
Infineon SLE78 [email protected], 8KB RAM, TRNG, sym. & asym. co-processor
NVM:
Card
16.5 million write cycles/ sector,
XMSS+ < 5 million write cycles (h=20)
[HBB12]
23.09.2013 | TU Darmstadt | Andreas Hülsing | 27
Conclusion
23.09.2013 | TU Darmstadt | Andreas Hülsing | 28
Conclusion
Efficient
Minimal security assumptions
„Small signatures"
Forward secure
Full smartcard
implementation
23.09.2013 | TU Darmstadt | Andreas Hülsing | 29
Future Work
FSS in the wild
Statefullness in Practice
Stateless Signatures
Few-time WOTS
23.09.2013 | TU Darmstadt | Andreas Hülsing | 30
Thank you!
Questions?
Publications
[1] J. Buchmann, E. Dahmen, S. Ereth, A. Hülsing, and M. Rückert. On
the security of the Winternitz one-time signature scheme. In
A. Nitaj and D. Pointcheval (Eds), Africacrypt 2011, LNCS 6737, pp
363-378. Springer Berlin / Heidelberg, 2011.
[2] J. Buchmann, E. Dahmen, and A. Hülsing. XMSS - a practical
forward secure signature scheme based on minimal security
assumptions. In Bo-Yin Yang (Ed), Post-Quantum Cryptography,
LNCS 7071, pp 117-129. Springer Berlin / Heidelberg, 2011.
[8] M. M. Olembo, T. Kilian, S. Stockhardt, A. Hülsing, and M. Volkamer.
Developing and testing a visual hash scheme. In N. Clarke,
S.Furnell, and V.Katos (Eds), Proceedings of the European
Information Security Multi-Conference (EISMC 2013). Plymouth
University, April 2013.
[9] P. Weiden, A. Hülsing, D. Cabarcas, and J. Buchmann.
Instantiating treeless signature schemes. Cryptology ePrint
Archive, Report 2013/065, 2013. http://eprint.iacr.org/.
[3] A. Hülsing, A. Petzoldt, M. Schneider, and S.M. El Yousfi Alaoui.
[10] A. Hülsing, J. Braun. Langzeitsichere Signaturen durch den
Postquantum Signaturverfahren Heute. In Ulrich Waldmann (Ed),
Einsatz hashbasierter Signaturverfahren. In Tagungsband zum
22. SIT-Smartcard Workshop 2012, IHK Darmstadt, Feb 2012.
13. Deutschen IT-Sicherheitskongress 2013, Herausgeber: BSI,
Fraunhofer Verlag Stuttgart.
Secu-Media Verlag, Gau-Algesheim, 2013.
[4] A. Hülsing, C. Busold, and J. Buchmann. Forward secure
signatures on smart cards. In Lars R. Knudsen and Huapeng Wu
(Eds), Selected Areas in Cryptography, LNCS 7707, pp 66–80.
Springer Berlin Heidelberg, 2013.
[11] J. Braun, M. Horsch, A. Hülsing. Effiziente Umsetzung des
Kettenmodells unter Verwendung vorwärtssicherer
Signaturverfahren. In Tagungsband zum 13. Deutschen ITSicherheitskongress 2013, Herausgeber: BSI, Secu-Media Verlag,
Gau-Algesheim, 2013.
[5] J. Braun, A. Hülsing, A. Wiesmaier, M. A. G. Vigil, and J. Buchmann.
How to avoid the breakdown of public key infrastructures [12] A. Hülsing, L. Rausch, and J. Buchmann. Optimal parameters for
forward secure signatures for certificate authorities. In S.
XMSSMT. In A. Cuzzocrea, C. Kittl, D. E. Simos, E. Weippl, and L. Xu,
Capitani di Vimercati and C. Mitchell (Eds), EuroPKI 2012, LNCS
(Eds), Security Engineering and Intelligence Informatics, LNCS 8128,
7868, pp 53-68. Springer Berlin Heidelberg, 2013.
pp 194–208. Springer Berlin Heidelberg, 2013.
[6] J. Buchmann, E. Dahmen, S. Ereth, A. Hülsing, and M. Rückert. On
the security of the Winternitz one-time signature scheme.
Journal of Applied Cryptography, 3(1):84–96, 2013.
[7] A. Hülsing. W-OTS+ — shorter signatures for hash-based
signature schemes. In A.Youssef, A. Nitaj, and A.E. Hassanien
(Eds), Africacrypt 2013, LNCS 7918, pp 173–188. Springer Berlin
Heidelberg, 2013.
[13] J. Buchmann, D. Cabarcas, F. Göpfert, A. Hülsing, and P. Weiden.
Discrete ziggurat: A time-memory trade-off for sampling from
a gaussian distribution over the integers. In Selected Areas in
Cryptography 2013 (SAC’13), to appear.
[14] J. Braun, F. Kiefer, and A. Hülsing. Revocation & nonrepudiation: When the first destroys the latter. In EuroPKI
2013, to appear.
Quantum Computing Progress
IBM 2012: “Scientists at IBM Research … have
achieved major advances in quantum computing
device performance that may accelerate the realization
of a practical, full-scale quantum computer.“
23.09.2013 | TU Darmstadt | Andreas Hülsing | 33
Chapter 5
MT
XMSS
23.09.2013 | TU Darmstadt | Andreas Hülsing | 34
Tree Chaining
[BGD+06,BDK+07]
t KG : O ( 2 )  O ( 2
h
h/d
)
j
i
Improved distributed signature generation [HBB12,HRB13]
23.09.2013 | TU Darmstadt | Andreas Hülsing | 35
Result
GMSS
XMSSMT
[BDK+07]
[HBB12,HRB13]
Cryptomania
Minicrypt
Not FSS
FSS
tSIG = h/2=Σ hi/2
tSIG = h0/2
23.09.2013 | TU Darmstadt | Andreas Hülsing | 36
Security Level aka. Bit Security
Exact Proof:
„ In general, a cryptographic system offers security level λ if a successful generic
attack can be expected to require effort approximately 2λ−1. “ [Len04]
Solve for t:
Using
1

2
=
23.09.2013 | TU Darmstadt | Andreas Hülsing | 37
=

t
2
n
Security Level aka. Bit Security
(Quantum Case)
Exact Proof:
„ In general, a cryptographic system offers security level λ if a successful generic
attack can be expected to require effort approximately 2λ−1. “ [Len04]
Solve for t:
Using
1

2
=
23.09.2013 | TU Darmstadt | Andreas Hülsing | 38
=

tt
22
nn / 2
EU-CMA for OTS
PK, 1n
SK
M
(σ, M)
(σ*, M*)
23.09.2013 | TU Darmstadt | Andreas Hülsing | 39
SIGN
Success if M* ≠ M and
Verify(pk,σ*,M*) = Accept
Quantum-secure Signatures
PK, 1n
SK


m
m
m m
 m m, m
SIGN
q-times
q 1
{ m i ,  m i }1
Success, if (  i , j  [1, q  1])( i  j ) :
m i  m j and Verify(pk
23.09.2013 | TU Darmstadt | Andreas Hülsing | 40
, m i ,  mi )  1
BDS-Tree Traversal
[BDS08]
 Computes authentication
paths
 Store most expensive nodes
 Left nodes are cheap
 Distribute costs
 (h-k)/2 updates per round
# 2h-1
k
# 2h-2
h
23.09.2013 | TU Darmstadt | Andreas Hülsing | 41
Minimal Security Assumptions
[NaYu89]
[Rom90]
Digital
signature
scheme
One-way FF
[HILL99]
Pseudorandom
Generator
[GGM86]
[Rom90]
Target-collision
resistant HFF
23.09.2013 | TU Darmstadt | Andreas Hülsing | 42
Pseudorandom FF
Second-preimage
resistant HFF
XMSS
From Fixed to Arbitrary Length
Messages
„Hash and Sign“
CollisionResistant HFF
Efficient
Cryptomania
23.09.2013 | TU Darmstadt | Andreas Hülsing | 43
Target CollisionResistant HFF
Inefficient
Minicrypt
Minimal Security Assumptions Why?
Theory:
Nice
Practice:
Weaker
Assumption
Stronger
Security
Smaller
Signatures
Attack:
Weaker
Assumption
Harder to
attack
Attack less
likely
23.09.2013 | TU Darmstadt | Andreas Hülsing | 44
“Early
Warning”
… BUT WAIT !
CR for Chosen
Message Attacks
Random Message
Attacks: only SPR
Active Signing:
CMA
Stored Messages:
RMA
If CR broken:
Change HFF
23.09.2013 | TU Darmstadt | Andreas Hülsing | 45
Hash function &
PRF
n
n
n
Use plain AES for PRF F n  { F K : {0 ,1}  {0 ,1} | K  {0 ,1} }
Use AES with Matyas-Meyer-Oseas in Merkle-Damgård mode for
hash function
02.12.2011 | TU Darmstadt | A. Huelsing | 46

similar documents