XMSS - A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions
J. Buchmann, E. Dahmen, A. Hülsing
02.12.2011 | TU Darmstadt | A. Huelsing | 1
Digital Signature Schemes
Figure: today's digital signature schemes (RSA, DSA, EC-DSA, …) are built on a trapdoor one-way function (from RSA, DH, SVP, MQ, …) together with a collision resistant hash function.
Digital Signature Schemes
- Strong complexity theoretic assumption (trapdoor one-way function): hard to fulfill
- Specific hardness assumptions: threatened by quantum computers and new algorithms
+ Efficient, but mostly only in the ROM (random oracle model)
The eXtended Merkle Signature Scheme XMSS
The eXtended Merkle Signature Scheme (XMSS)
- Minimal complexity theoretic assumptions
- Generic construction (no specific hardness assumption)
- Efficient (comparable to RSA)
- Forward secure
Minimal complexity theoretic assumptions
Figure: XMSS needs only a pseudorandom FF and a second-preimage resistant HFF, and both follow from a one-way FF: one-way FF → pseudorandom FF [Håstad, Impagliazzo, Levin, Luby 1999; Goldreich, Goldwasser, Micali 1986]; one-way FF → target-collision resistant HFF [Naor, Yung 1989; Rompel 1990] → second-preimage resistant HFF; one-way FF → digital signature scheme that is existentially unforgeable under chosen message attacks [Rompel 1990].
Output length of hash functions
Hash function h: {0,1}* → {0,1}^m
Assume: only generic attacks, security level n
- Collision resistance required: generic attack = birthday attack → m = 2n
- Second-preimage resistance required: generic attack = exhaustive search → m = n
Forward Secure Digital Signatures
Figure: in the classical setting key generation outputs one pair (pk, sk) that stays fixed over time. In the forward secure setting pk stays fixed while the secret key evolves over the time periods t_1, t_2, …, t_i, …, t_T as sk_1, sk_2, …, sk_i, …, sk_T.
Goal: an adversary holding sk_i cannot forge a signature on any message M for an earlier period j (j < i).
Construction
XMSS – Winternitz OTS [Buchmann et al. 2011]
- Uses a pseudorandom function family
- Winternitz parameter w, message length m, random value x
Figure: l function chains of length w. Chain i starts at the secret value sk_i and ends at the public value pk_i = f^{w-1}_{sk_i}(x), i.e. w-1 iterations of f on the fixed input x starting from key sk_i. The function family is
F_n = { f_k : {0,1}^n → {0,1}^n | k ∈ {0,1}^n }
XMSS – secret key
For multiple signatures use many key pairs, generated using a pseudorandom generator (PRG) built from the PRFF F_n.
Secret key: random SEED for pseudorandom generation of the current signature key.
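The W-OTS chains and SEED-based key generation described above, as an added example that is not code from the slides or from the XMSS authors. It assumes HMAC-SHA-256 as the PRFF member f_k and the PRG shape sk_i = f_SEED(i); the base-w encoding with checksum is the standard Winternitz one.

```python
import hashlib, hmac, math
# Added example. HMAC-SHA-256 stands in for the PRFF
# F_n = {f_k : {0,1}^n -> {0,1}^n | k in {0,1}^n} with n = 256 (assumed instantiation).

def f(k: bytes, x: bytes) -> bytes:
    return hmac.new(k, x, hashlib.sha256).digest()

def chain(k: bytes, x: bytes, e: int) -> bytes:
    """f^e_k(x): apply f e times to the fixed input x, each output becoming the next key."""
    for _ in range(e):
        k = f(k, x)
    return k

def lengths(m_bits: int, w: int):
    """l1 base-w message digits and l2 checksum digits; the OTS uses l = l1 + l2 chains."""
    l1 = math.ceil(m_bits / math.log2(w))
    return l1, math.floor(math.log(l1 * (w - 1), w)) + 1

def base_w(value: int, w: int, length: int):
    """Base-w digits of value, most significant first, zero-padded to length."""
    digits = []
    for _ in range(length):
        digits.append(value % w)
        value //= w
    return digits[::-1]

def encode(msg: bytes, w: int):
    """Digits b_i of the digest plus checksum sum(w-1-b_i): raising a digit (walking a chain
    further is free) lowers the checksum, so a forger would need an f-preimage on a checksum chain."""
    m = hashlib.sha256(msg).digest()
    l1, l2 = lengths(8 * len(m), w)
    b = base_w(int.from_bytes(m, "big"), w, l1)
    return b + base_w(sum(w - 1 - bi for bi in b), w, l2)

def keygen(seed: bytes, x: bytes, w: int):
    """sk_i derived from SEED by the PRFF used as PRG (sk_i = f_SEED(i) is an assumed
    shape); pk_i = f^{w-1}_{sk_i}(x) is the end of chain i."""
    l = sum(lengths(256, w))
    sk = [f(seed, i.to_bytes(4, "big")) for i in range(l)]
    return sk, [chain(k, x, w - 1) for k in sk]

def sign(sk, x: bytes, w: int, msg: bytes):
    """sigma_i = f^{b_i}_{sk_i}(x); one key pair must sign only one message."""
    return [chain(k, x, b) for k, b in zip(sk, encode(msg, w))]

def verify(pk, x: bytes, w: int, msg: bytes, sig) -> bool:
    """Walk the remaining w-1-b_i steps from each signature value and compare with pk."""
    b = encode(msg, w)
    return len(sig) == len(pk) and pk == [chain(s, x, w - 1 - bi) for s, bi in zip(sig, b)]
```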
Figure: a chain of PRG calls derives the successive W-OTS signature keys from SEED.
XMSS – public key
Public key = (root node, b0, b1, b2, h)
Figure: modified Merkle tree [Dahmen et al 2008] of height h built over the W-OTS public keys, with h a second-preimage resistant hash function. Each level reuses one bitmask (b0 on the lowest level, b1 on the next, …, bh at the top), which is XORed into the child nodes before hashing.
XMSS signature
Figure: Signature = (i, , , , ) for leaf index i; the signature carries the nodes along the path from leaf i to the root, which are combined with the bitmasks b0, b1, b2 of their levels.
XMSS forward secure
Figure: the plain PRG chain is replaced by a chain of FSPRG calls.
FSPRG: forward secure PRG using the PRFF F_n
Security Proof - Idea
- Tree construction and W-OTS are provably secure.
- Given an adversary A against the pseudorandom scheme, A can be used against the random scheme:
  → the inputs are the same, only the input distribution differs
  → we can bound the success probability against the random scheme
  → any gap between A's success against the two schemes lets us use A to distinguish the PRG
See full version on IACR ePrint (report 2011/484)
XMSS in practice
XMSS - Instantiations
Figure: XMSS needs a pseudorandom FF and a second-preimage resistant HFF, both of which can be built from any cryptographic HFF or block cipher; schemes based on a trapdoor one-way function (DL, RSA, MP-Sign) have no such freedom.
Block ciphers: AES, Blowfish, 3DES, Twofish, Threefish, Serpent, IDEA, RC5, RC6, …
Hash functions: SHA-2, BLAKE, Grøstl, JH, Keccak, Skein, VSH, SWIFFTX, RFSB, …
XMSS Implementations
C implementation, using OpenSSL

Scheme           Sign (ms)  Verify (ms)  Signature (bit)  Public Key (bit)  Secret Key (byte)  Bit Security  Comment
XMSS-SHA-2       15.17      1.02         16,664           13,568            280                146           H = 20, w = 64
XMSS-SHA-2       33.47      2.34         15,384           13,568            280                100           H = 20, w = 108
XMSS-AES-NI      1.72       0.11         19,608           7,296             152                82            H = 20, w = 4
XMSS-AES         2.87       0.22         19,608           7,296             152                82            H = 20, w = 4
MSS-SPR (n=128)  -          -            68,096           7,680             -                  98            H = 20
RSA 2048         3.08       0.09         ≤ 2,048          ≤ 4,096           ≤ 4,096            87

Measured on an Intel(R) Core(TM) i5 CPU M540 @ 2.53GHz with Intel AES-NI
Conclusion
XMSS
… needs minimal security assumptions
… is forward secure
… can be used with any hash function or block cipher
… has performance comparable to RSA, DSA, ECDSA, …