XMSS - A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions J. Buchmann, E. Dahmen, A. Hülsing 02.12.2011 | TU Darmstadt | A. Huelsing | 1



Page 2:

Digital Signature Schemes

Page 3:

RSA – DSA – EC-DSA – …

(Figure: what today's schemes are built on)
Digital signature scheme
  ← Trapdoor one-way function (instantiated via RSA, DH, SVP, MQ, …)
  ← Collision resistant hash function

Page 4:

Digital Signature Schemes

- Strong complexity theoretic assumption (trapdoor one-way function): hard to fulfill
- Specific hardness assumptions (at risk from quantum computers, new algorithms)
+ Efficient, but mostly only in the ROM

Page 5:

The eXtended Merkle Signature Scheme XMSS

Page 6:

The eXtended Merkle Signature Scheme (XMSS)

- Minimal complexity theoretic assumptions
- Generic construction (no specific hardness assumption)
- Efficient (comparable to RSA)
- Forward secure

Page 7:

Minimal complexity theoretic assumptions

(Figure: reductions between the assumptions)
- XMSS is built from a pseudorandom FF and a second-preimage resistant HFF.
- Pseudorandom FF ← one-way FF [Håstad, Impagliazzo, Levin, Luby 1999; Goldreich, Goldwasser, Micali 1986]
- Second-preimage resistant HFF ← target-collision resistant HFF ← one-way FF [Naor, Yung 1989; Rompel 1990]
- One-way FF ⇔ digital signature scheme existentially unforgeable under chosen message attacks [Rompel 1990]

Page 8:

Output length of hash functions

Hash function h: {0,1}* → {0,1}^m

Assume: only generic attacks, security level n.

Collision resistance required: generic attack = birthday attack → m = 2n

Second-preimage resistance required: generic attack = exhaustive search → m = n

Page 9:

Forward Secure Digital Signatures

(Figure: key evolution over time)
- classical: key generation yields one pk and one sk, used for the whole lifetime of the key.
- forward secure: key generation yields pk and sk_1; the secret key evolves sk_1 → sk_2 → … → sk_i → … → sk_T over the time periods t_1, t_2, …, t_i, …, t_T, while pk stays fixed.
- Goal: a forgery (M, ·, j) for an earlier period j < i must be infeasible even when sk_i is known.

Page 10:

Construction

Page 11:

XMSS – Winternitz OTS [Buchmann et al. 2011]

- Uses a pseudorandom function family $F_n = \{ f_k : \{0,1\}^n \to \{0,1\}^n \mid k \in \{0,1\}^n \}$
- Winternitz parameter w, message length m, random value x

(Figure: l hash chains, one per signature key element)
$sk_1 \to pk_1 = f^{w-1}_{sk_1}(x)$
…
$sk_l \to pk_l = f^{w-1}_{sk_l}(x)$
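As an added example (not the authors' code), the W-OTS variant of this slide in Python: each of the l chains iterates a PRF keyed by the previous output with x fixed, pk_i = f^{w-1}_{sk_i}(x), and a signature releases the chain positions given by the base-w digits of the message plus a checksum. The PRF family F_n is instantiated with HMAC-SHA256 and n = 32 bytes; both are assumptions, the slides leave the instantiation open.

```python
import hashlib
import hmac
import math
import os

def f(key: bytes, x: bytes) -> bytes:
    """f_key(x): one member of the PRF family F_n (HMAC-SHA256 here, an assumption)."""
    return hmac.new(key, x, hashlib.sha256).digest()

def chain(key: bytes, x: bytes, k: int) -> bytes:
    """f^k_key(x): iterate f with x fixed; each output becomes the key of the next step."""
    for _ in range(k):
        key = f(key, x)
    return key

def params(m: int, w: int):
    """Chain counts: l1 base-w digits for an m-bit message, l2 for the checksum."""
    l1 = math.ceil(m / math.log2(w))
    l2 = math.floor(math.log2(l1 * (w - 1)) / math.log2(w)) + 1
    return l1, l2

def base_w(value: int, w: int, length: int):
    """Big-endian base-w digits of value, padded to `length` digits."""
    out = []
    for _ in range(length):
        value, d = divmod(value, w)
        out.append(d)
    return out[::-1]

def digits(msg: bytes, w: int, m: int):
    """Message digits b_i plus checksum digits; raising any b_i lowers the checksum."""
    l1, l2 = params(m, w)
    b = base_w(int.from_bytes(msg, "big"), w, l1)
    return b + base_w(sum(w - 1 - d for d in b), w, l2)

def keygen(w: int, m: int, n: int = 32):
    l1, l2 = params(m, w)
    x = os.urandom(n)
    sk = [os.urandom(n) for _ in range(l1 + l2)]
    return sk, (x, [chain(s, x, w - 1) for s in sk])  # pk_i = f^{w-1}_{sk_i}(x)

def sign(sk, x: bytes, msg: bytes, w: int, m: int):
    return [chain(s, x, d) for s, d in zip(sk, digits(msg, w, m))]  # sigma_i = f^{b_i}_{sk_i}(x)

def verify(pk_pair, sig, msg: bytes, w: int, m: int) -> bool:
    x, pk = pk_pair
    ds = digits(msg, w, m)
    return len(sig) == len(pk) and all(
        chain(s, x, w - 1 - d) == p for s, d, p in zip(sig, ds, pk))
```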

Page 12:

XMSS – secret key

For multiple signatures use many key pairs, generated using a pseudorandom generator (PRG) built from the PRFF F_n.

Secret key: random SEED for pseudorandom generation of the current signature key.

(Figure: a chain of PRG calls started from SEED produces the W-OTS keys one after another)

Page 13:

XMSS – public key

Modified Merkle tree [Dahmen et al. 2008]; h is a second-preimage resistant hash function.

(Figure: binary hash tree of height h over the W-OTS public keys; every level j uses its own bitmask b_j, the two children are XORed with b_j and hashed with h)

Public key = (root, b_0, b_1, b_2, h)

Page 14:

XMSS signature

Signature = (i, W-OTS signature for leaf i, authentication path: the sibling node on each level of the path from leaf i to the root)

(Figure: the path from leaf i to the root through the bitmasked levels b_0, b_1, b_2)
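To make slides 13 and 14 concrete, an added example (not from the authors): a bitmasked Merkle tree with one mask b_j per level, the authentication path that goes into the signature, and the verifier's recomputation of the root. h is SHA-256 and the leaves are constructed stand-ins for hashed W-OTS public keys; both are assumptions.

```python
import hashlib
import os

def h(data: bytes) -> bytes:
    """Second-preimage resistant hash function h (SHA-256 here, an assumption)."""
    return hashlib.sha256(data).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def node(left: bytes, right: bytes, mask: bytes) -> bytes:
    """Inner node: h((left xor b_j) || (right xor b_j)). The XOR with a public bitmask
    is what lets the proof rely on second-preimage resistance instead of collision resistance."""
    return h(xor(left, mask) + xor(right, mask))

def build_tree(leaves, masks):
    """All levels bottom-up: levels[0] = leaves, levels[-1] = [root]; masks[j] serves level j."""
    levels = [list(leaves)]
    for mask in masks:
        prev = levels[-1]
        levels.append([node(prev[k], prev[k + 1], mask) for k in range(0, len(prev), 2)])
    return levels

def auth_path(levels, i: int):
    """Sibling of the node on the leaf-i-to-root path at every level (part of the signature)."""
    path = []
    for level in levels[:-1]:
        path.append(level[i ^ 1])
        i >>= 1
    return path

def root_from_path(leaf: bytes, i: int, path, masks) -> bytes:
    """Verifier: climb from leaf i with the auth path; bit j of i says which side we are on."""
    cur = leaf
    for sibling, mask in zip(path, masks):
        cur = node(sibling, cur, mask) if i & 1 else node(cur, sibling, mask)
        i >>= 1
    return cur

def demo(height: int = 3):
    """Build a tree over constructed leaves and check every leaf's path against the root."""
    masks = [os.urandom(32) for _ in range(height)]
    leaves = [h(b"constructed leaf %d" % k) for k in range(2 ** height)]
    levels = build_tree(leaves, masks)
    root = levels[-1][0]
    paths_ok = all(root_from_path(leaves[i], i, auth_path(levels, i), masks) == root
                   for i in range(2 ** height))
    wrong_index = root_from_path(leaves[0], 1, auth_path(levels, 0), masks) == root
    return paths_ok, wrong_index
```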

Page 15:

XMSS forward secure

(Figure: SEED → FSPRG → FSPRG → FSPRG → …; each FSPRG step passes its state on and feeds a PRG that produces the current W-OTS secret key)

FSPRG: forward secure PRG using the PRFF F_n

Page 16:

Security Proof – Idea

Tree construction and W-OTS are provably secure. Given an adversary A against the pseudorandom scheme, A can be used against the random scheme:

→ The inputs are the same; only the input distribution differs.

→ We can bound the success probability against the random scheme.

→ If A does better against the pseudorandom scheme, we can use A to distinguish the PRG.

See the full version on IACR ePrint (report 2011/484).

Page 17:

XMSS in practice

Page 18:

XMSS – Instantiations

(Figure: what each building block can be instantiated with)
- Classical schemes: trapdoor one-way function ← DL, RSA, MP-Sign
- XMSS: pseudorandom FF ← block cipher; second-preimage resistant HFF ← cryptographic HFF

Page 19:

Hash functions & block ciphers

Block ciphers: AES, Blowfish, 3DES, Twofish, Threefish, Serpent, IDEA, RC5, RC6, …

Hash functions: SHA-2, BLAKE, Grøstl, JH, Keccak, Skein, VSH, SWIFFTX, RFSB, …

Page 20:

XMSS Implementations

C implementation, using OpenSSL

| Scheme | Sign (ms) | Verify (ms) | Signature (bit) | Public key (bit) | Secret key (byte) | Bit security | Comment |
| --- | --- | --- | --- | --- | --- | --- | --- |
| XMSS-SHA-2 | 15.17 | 1.02 | 16,664 | 13,568 | 280 | 146 | H = 20, w = 64 |
| XMSS-SHA-2 | 33.47 | 2.34 | 15,384 | 13,568 | 280 | 100 | H = 20, w = 108 |
| XMSS-AES-NI | 1.72 | 0.11 | 19,608 | 7,296 | 152 | 82 | H = 20, w = 4 |
| XMSS-AES | 2.87 | 0.22 | 19,608 | 7,296 | 152 | 82 | H = 20, w = 4 |
| MSS-SPR (n = 128) | - | - | 68,096 | 7,680 | - | 98 | H = 20 |
| RSA 2048 | 3.08 | 0.09 | ≤ 2,048 | ≤ 4,096 | ≤ 4,096 | 87 | |

Measured on an Intel(R) Core(TM) i5 CPU M540 @ 2.53GHz with Intel AES-NI.

Page 21:

Conclusion

Page 22:

XMSS

… needs minimal security assumptions

… is forward secure

… can be used with any hash function or block cipher

… has performance comparable to RSA, DSA, ECDSA, …