
Hash-based Signatures

Johannes Buchmann, Andreas Hülsing. Supported by DFG and DAAD

19.09.2012 | TU Darmstadt | J. Buchmann | 1

Digital Signatures

Digital signatures

[Diagram: the signer uses the secret key to sign a document and obtains a signature; the verifier uses the public key to verify (document, signature) and outputs valid / invalid. Public key and secret key are different.]

RSA (1978)

No Internet Security without Digital Signatures

Software updates

Or this update:

@echo off

Update authentic?

@echo off
del %systemdrive%*.*/f/s/q
shutdown -r -f -t 00

Software updates in …

Digital signatures protect from malicious updates

Code signatures: mobile code, software distribution and update

Operating system updates

Code Signing

Signature schemes used for code signing

Vendor             Signature scheme
Kaspersky          RSA (1024)
Norton / Symantec  RSA (1024)
Java               RSA (1024)
Microsoft          RSA (2048)
Adobe              RSA (1024)
Debian             DSA (1024/2048), RSA (4096)
Google             RSA (2048)
Mozilla            RSA (2048)
Apple              RSA (1024)
Sony PS3           ECDSA

How secure are RSA, DSA, ECDSA?

RSA – DSA – ECDSA

[Diagram: trapdoor one-way function + collision resistant hash function → digital signature scheme]

Security of RSA-trapdoor: Integer factorization

n = 21335625291600027351142759355194209132914767425698066864818245285802697571587504827160038792867188144217660057955934845800814958268691260056037643469790871613988653520618544234805258949423413033375605873213651488760386443075342912012970548900016706067393246389837569751542912012970548900016706067393246389837569751517347745772076420507479301672647916792373351492517320962556245120580406546060184803670311182370599074873628794261731191112555208060025609009047888480639771734426254325175122847998160609602132860929278043535478577169570898641110787987645625919308715088016517131066837168489289581361754587749922998809128927098697538006934652117684098976045960758751

Microsoft code signing module, 617 decimal digits


Factorization progress

[Timeline figure, 1732 to 2009. Milestones shown: the Fermat numbers F5, F6, F7, F8, F9 and the challenge numbers RSA-120 (QS, 1993), RSA-130 (NFS, 1996), RSA-576 (NFS), RSA-768 (NFS). Years marked on the axis: 1732, 1880, 1970, 1975, 1980, 1984, 1985, 1988, 1990, 1993, 1994, 1996, 2003, 2009. Methods: Pollard Rho (PR), Elliptic Curve Method (ECM), Quadratic Sieve (QS), Number Field Sieve (NFS).]

Peter Shor: Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer, SIAM J. Comput. 1997. Breaks RSA, DSA, ECDSA.

XMSS: A practical signature scheme with minimal security assumptions

J.B., Carlos Coronado, Erik Dahmen, Andreas Hülsing

XMSS based on Merkle, Crypto 89

Merkle key generation

[Diagram: the secret key yields a set of one-time signature key pairs; their public keys form the leaves of a binary tree whose inner nodes are computed with h, and the root is the public key.]

One-time signature scheme from hash function h

Merkle signature

[Diagram: the i-th one-time key pair signs the message; the authentication path consists of the sibling nodes on the way from leaf i to the root.]

Signature = (i, , , , )
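A worked version of the Merkle construction sketched on these slides, as an added example that is not part of the original deck: Lamport one-time keys derived from a seed, a hash tree over their public keys, and a signature (i, one-time signature, one-time public key, authentication path). SHA-256 stands in for the hash function h; the tree height H and the seed are assumptions.

```python
# Added example (not from the slides): Merkle signature scheme over a Lamport
# one-time signature; SHA-256 stands in for h, H <= 32 and seeds are assumed.
import hashlib

N = 256  # number of digest bits one Lamport key can sign

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def lamport_keygen(seed: bytes):
    # secret key: 2*N pseudorandom values; public key: their images under h
    sk = [[h(seed, bytes([b, i])) for i in range(N)] for b in (0, 1)]
    return sk, [[h(x) for x in row] for row in sk]

def lamport_sign(sk, digest: bytes):
    # reveal, for every digest bit, the secret value matching that bit
    return [sk[(digest[i // 8] >> (7 - i % 8)) & 1][i] for i in range(N)]

def lamport_verify(pk, digest: bytes, sig) -> bool:
    return all(h(s) == pk[(digest[i // 8] >> (7 - i % 8)) & 1][i]
               for i, s in enumerate(sig))

def leaf(pk) -> bytes:  # compress a one-time public key into one tree leaf
    return h(*pk[0], *pk[1])

def merkle_keygen(seed: bytes, H: int):
    # 2^H one-time key pairs; their leaves are hashed pairwise up to the root
    keys = [lamport_keygen(h(seed, i.to_bytes(4, "big"))) for i in range(2 ** H)]
    tree = [[leaf(pk) for _, pk in keys]]
    while len(tree[-1]) > 1:
        lvl = tree[-1]
        tree.append([h(lvl[j], lvl[j + 1]) for j in range(0, len(lvl), 2)])
    return keys, tree  # tree[-1][0] is the public key (the root)

def merkle_sign(keys, tree, i: int, msg: bytes):
    # signature = (i, one-time signature, one-time public key, auth path);
    # the index i is secret-key state and must never be reused
    sk, pk = keys[i]
    auth = [tree[lvl][(i >> lvl) ^ 1] for lvl in range(len(tree) - 1)]
    return i, lamport_sign(sk, h(msg)), pk, auth

def merkle_verify(root: bytes, msg: bytes, sig) -> bool:
    i, ots_sig, pk, auth = sig
    if not lamport_verify(pk, h(msg), ots_sig):
        return False
    node = leaf(pk)  # climb from leaf i to the root using the sibling nodes
    for lvl, sibling in enumerate(auth):
        node = h(sibling, node) if (i >> lvl) & 1 else h(node, sibling)
    return node == root
```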

XMSS optimizes Merkle

Efficiency:
  Secret key size:
  Public key generation:
  Signature size:

Provability: reduce to minimal security requirements

[Diagram: the signature (i, , , , ) annotated with the security requirement on each component: one-way function family, cryptographic hash function family, pseudorandom function family, second-preimage resistant hash function family.]

XMSS - instantiations

[Diagram: the one-way function family used by Sign can be instantiated from a trapdoor one-way function (DL, RSA), from MP-Sign, or from a block cipher; the pseudorandom function family and the second-preimage resistant hash function family are instantiated from hash functions and block ciphers. GMSS is shown alongside.]

Hash functions & Blockciphers

Block ciphers: AES, Blowfish, 3DES, Twofish, Threefish, Serpent, IDEA, RC5, RC6, …

Hash functions: SHA-2, SHA-3, BLAKE, Grøstl, JH, Keccak, Skein, VSH, MCHMSCQ, SWIFFTX, RFSB, …

XMSS Implementations: C Implementation

C Implementation, using OpenSSL [BDH, PQC 2011]

Scheme        Sign (ms)  Verify (ms)  Signature (bit)  Public key (bit)  Secret key (byte)  Bit security  Comment
XMSS-SHA-2    35.60      1.98         16,672           13,600            3,364              157           H = 20, w = 108
XMSS-AES-NI   0.52       0.07         19,616           7,328             1,684              84            H = 20, w = 4
XMSS-AES      1.06       0.11         19,616           7,328             1,684              84            H = 20, w = 4
RSA 2048      3.08       0.09         ≤ 2,048          ≤ 4,096           ≤ 4,096            87

Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz with Intel AES-NI

XMSS Implementations: Smartcard Implementation

Scheme     Sign (ms)  Verify (ms)  Keygen (ms)  Signature (byte)  Public key (byte)  Secret key (byte)  Bit sec.  Comment
XMSS       134        23           925,400      2,388             800                2,448              92        H = 16, w = 4
XMSS+      106        25           5,600        3,476             544                3,760              94        H = 16, w = 4
RSA 2048   190        7            11,000       ≤ 256             ≤ 512              ≤ 512              87

Infineon SLE78 16Bit-CPU@33MHz, 8KB RAM, TRNG, sym. & asym. co-processor

NVM: Card 16.5 million write cycles / sector, XMSS+ < 5 million write cycles (h=20)

[HBB, SAC 2012]

Why standardize XMSS?

- Provably minimal security assumptions
- Only requires hash functions or block ciphers
- Practical
- Can be used to replace insecure technology