XMSS - A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions
J. Buchmann, E. Dahmen, A. Hülsing
02.12.2011 | TU Darmstadt | A. Huelsing | 1
Digital Signature Schemes
RSA – DSA – EC-DSA - …
Digital signature scheme, built from a trapdoor one-way function (instantiated with RSA, DH, SVP, MQ, …) and a collision resistant hash function
Digital Signature Schemes
- Strong complexity theoretic assumption (trapdoor one-way function): hard to fulfill
- Specific hardness assumptions: at risk from quantum computers and new algorithms
+ Efficient, but security proofs mostly in the ROM (random oracle model)
The eXtended Merkle Signature Scheme XMSS
The eXtended Merkle Signature Scheme (XMSS)
Minimal complexity theoretic assumptions
Generic construction (No specific hardness assumption)
Efficient (comparable to RSA)
Forward secure
Minimal complexity theoretic assumptions
XMSS is built from a pseudorandom function family (PRFF) and a second-preimage resistant hash function family (HFF). Both follow from the existence of one-way function families, the same assumption under which digital signatures exist at all:
- One-way FF → Pseudorandom FF [Håstad, Impagliazzo, Levin, Luby 1999; Goldreich, Goldwasser, Micali 1986]
- One-way FF → Target-collision resistant HFF → Second-preimage resistant HFF [Naor, Yung 1989; Rompel 1990]
- One-way FF → Digital signature scheme, existentially unforgeable under chosen message attacks [Rompel 1990]
Output length of hash functions
Hash function h: {0,1}* → {0,1}^m
Assume: only generic attacks, security level n
Collision resistance required: generic attack = birthday attack → m = 2n
Second-preimage resistance required: generic attack = exhaustive search → m = n
Forward Secure Digital Signatures
Classical: key generation outputs (pk, sk); sk stays the same for the whole lifetime of pk.
Forward secure: key generation outputs (pk, sk1); pk stays fixed while the secret key evolves over the time periods t1, t2, …, ti, …, tT as sk1, sk2, …, ski, …, skT.
Goal: an adversary who learns ski cannot produce a valid (M, σ, j) with j < i, i.e. signatures from earlier periods stay unforgeable after a key compromise.
Construction
XMSS – Winternitz OTS [Buchmann et al. 2011]
- Uses pseudorandom function family F_n = {f_k : {0,1}^n → {0,1}^n | k ∈ {0,1}^n}
- Winternitz parameter w, message length m, random value x
- Chains: f^0_k(x) = k, f^e_k(x) = f_{f^{e-1}_k(x)}(x), i.e. the output of one step is the key of the next and x stays fixed
- Key pair: l chains, pk_i = f^{w-1}_{sk_i}(x) for i = 1, …, l
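The chaining rule and the signature digits, as an added worked example in Python (not code from the talk or from the authors' C implementation). The instantiation of f_k(x) as SHA-256(k || x), the choice w = 16 and the use of a SHA-256 digest as the message are assumptions of this example. Beyond the slide, it also shows why W-OTS appends checksum digits: a forger who holds one signature can push any chain forward, and the checksum guarantees that every other digest forces at least one chain backwards.

```python
import hashlib
import math

N = 32        # n = 256 bit: length of keys, of the random value x and of every chain value
W = 16        # Winternitz parameter: each signature digit is in 0..W-1
M = 256       # message digest length in bits (SHA-256), the "message length m" of the slide
LOG_W = int(math.log2(W))
L1 = math.ceil(M / LOG_W)                                  # digits that cover the digest
L2 = math.floor(math.log2(L1 * (W - 1)) / LOG_W) + 1       # digits that cover the checksum
L = L1 + L2                                                # number of chains (l on the slide)


def f(k: bytes, x: bytes) -> bytes:
    """Member f_k of the pseudorandom function family F_n. Instantiated here
    (an assumption of this example) as SHA-256 over key || input."""
    return hashlib.sha256(k + x).digest()


def chain(k: bytes, x: bytes, e: int) -> bytes:
    """f^e_k(x): f^0_k(x) = k and f^e_k(x) = f_{f^{e-1}_k(x)}(x).
    The output of one step is the key of the next; the input x never changes."""
    for _ in range(e):
        k = f(k, x)
    return k


def base_w(value: int, digits: int) -> list:
    """The lowest `digits` base-W digits of value, most significant first."""
    return [(value >> (LOG_W * (digits - 1 - i))) & (W - 1) for i in range(digits)]


def digest_digits(msg: bytes) -> list:
    """L1 message digits followed by L2 checksum digits. The checksum sums
    W-1-b_i, so it can only shrink when a message digit grows: a forger who
    advances one chain would have to walk another chain backwards."""
    b = base_w(int.from_bytes(hashlib.sha256(msg).digest(), "big"), L1)
    c = sum(W - 1 - bi for bi in b)
    return b + base_w(c, L2)


def keygen(seed: bytes, x: bytes):
    """sk_i = f_seed(i) (PRF-derived, as in XMSS), pk_i = f^{W-1}_{sk_i}(x)."""
    sk = [f(seed, i.to_bytes(4, "big")) for i in range(L)]
    pk = [chain(sk_i, x, W - 1) for sk_i in sk]
    return sk, pk


def sign(sk: list, x: bytes, msg: bytes) -> list:
    """sigma_i = f^{b_i}_{sk_i}(x): each chain is advanced by its digit."""
    return [chain(sk_i, x, bi) for sk_i, bi in zip(sk, digest_digits(msg))]


def verify(pk: list, x: bytes, msg: bytes, sig: list) -> bool:
    """Finish every chain: f^{W-1-b_i}_{sigma_i}(x) must equal pk_i."""
    if len(sig) != L:
        return False
    digits = digest_digits(msg)
    return all(chain(s, x, W - 1 - bi) == p for s, bi, p in zip(sig, digits, pk))


def forge_by_advancing(sig: list, x: bytes, seen_msg: bytes, target_msg: bytes):
    """Everything a forger can do with one signature without inverting f:
    push chains forward. Returns a forged signature when that suffices, or
    None when some digit would have to move backwards. The checksum makes
    it None for every target whose digest differs from the seen one."""
    seen, target = digest_digits(seen_msg), digest_digits(target_msg)
    if any(t < s for s, t in zip(seen, target)):
        return None
    return [chain(s, x, t - b) for s, b, t in zip(sig, seen, target)]


if __name__ == "__main__":
    seed, x = bytes(32), bytes([1]) * 32        # constructed demo values, not real keys
    sk, pk = keygen(seed, x)
    sig = sign(sk, x, b"transfer 10 EUR")
    print("valid:", verify(pk, x, b"transfer 10 EUR", sig))
    forged = forge_by_advancing(sig, x, b"transfer 10 EUR", b"transfer 10 EUR to me")
    print("forgery possible:", forged is not None)
```

With these parameters l = 67 chains, so a signature and a public key are 67 · 32 bytes each. The key pair is strictly one-time: signing a second message with the same sk reveals chain values the checksum no longer protects, which is why XMSS tracks the index of the next unused key.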
XMSS – secret key
For multiple signatures use many W-OTS key pairs, generated using a pseudorandom generator (PRG) built from the PRFF F_n.
Secret key: random SEED for pseudorandom generation of the current signature key.
XMSS – public key
Modified Merkle tree [Dahmen et al 2008], h second preimage resistant hash function: the leaves are h applied to the W-OTS public keys, and every inner node is h applied to its two children after each child has been XORed with a bitmask that is fixed per level (b0 on the lowest level, b1 on the next, …, bh at the root).
Public key = (root, b0, b1, b2, h)
XMSS signature
Signature = (i, σ_i, a0, a1, a2): the index i of the W-OTS key pair used, the W-OTS signature σ_i, and the authentication path, i.e. the sibling node on every level (masked with b0, b1, b2 when hashed) that lets the verifier recompute the root from leaf i.
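The tree of the two preceding slides as an added worked example in Python (not code from the talk or from the authors' implementation): building the masked Merkle tree, extracting the authentication path that goes into the signature, and the verifier's root recomputation. SHA-256 as the second-preimage resistant h and random leaves standing in for the hashed W-OTS public keys are assumptions of this example; the bitmasks are part of the public key, exactly as on the slide.

```python
import hashlib
import secrets

N = 32                       # n = 256 bit node size


def h(data: bytes) -> bytes:
    """Second-preimage resistant hash function (assumption of this example: SHA-256)."""
    return hashlib.sha256(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def node(left: bytes, right: bytes, mask: bytes) -> bytes:
    """Inner node of the modified Merkle tree: both children are XORed with the
    level's bitmask (b_l || b_r, 2n bits) before hashing. Because the masks are
    random and fixed in the public key, a forger must produce a second preimage
    for a given masked input rather than a freely chosen collision, which is
    why m = n bits of hash output suffice instead of m = 2n."""
    return h(xor(left, mask[:N]) + xor(right, mask[N:]))


def build_tree(leaves: list, masks: list) -> list:
    """levels[0] are the leaves, levels[H] = [root]; masks[j] joins level j into j+1."""
    levels = [list(leaves)]
    for j, mask in enumerate(masks):
        prev = levels[j]
        levels.append([node(prev[k], prev[k + 1], mask) for k in range(0, len(prev), 2)])
    return levels


def auth_path(levels: list, i: int) -> list:
    """Sibling of leaf i's ancestor on every level, bottom up (a0, a1, ... on the slide)."""
    path = []
    for j in range(len(levels) - 1):
        path.append(levels[j][i ^ 1])
        i >>= 1
    return path


def root_from_auth(leaf: bytes, i: int, path: list, masks: list) -> bytes:
    """Verifier: bit j of i says whether the node on level j is a right (1) or left (0) child."""
    cur = leaf
    for j, sibling in enumerate(path):
        cur = node(sibling, cur, masks[j]) if (i >> j) & 1 else node(cur, sibling, masks[j])
    return cur


def keygen(height: int, leaves: list = None, rng=secrets.token_bytes):
    """Public key = (root, b_0, ..., b_{H-1}). The leaves stand in for the hashed
    W-OTS public keys; here they are constructed at random, not from real one-time keys."""
    masks = [rng(2 * N) for _ in range(height)]
    if leaves is None:
        leaves = [rng(N) for _ in range(1 << height)]
    levels = build_tree(leaves, masks)
    return levels, (levels[-1][0], masks)


def verify_leaf(pk, leaf: bytes, i: int, path: list) -> bool:
    """The tree part of XMSS verification: does leaf i hang under the public root?"""
    root, masks = pk
    return len(path) == len(masks) and root_from_auth(leaf, i, path, masks) == root


if __name__ == "__main__":
    levels, pk = keygen(3)
    i = 5
    print("leaf", i, "authenticated:", verify_leaf(pk, levels[0][i], i, auth_path(levels, i)))
```

In the full scheme the verifier does not receive the leaf: it recomputes the W-OTS public key from σ_i and the message, hashes it to the leaf, and only then walks the path. A signature whose index, leaf or path do not match therefore fails at the root comparison, as the checks below show.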
XMSS forward secure
Replace the PRG by a forward secure PRG (FSPRG) built from the PRFF F_n: each step outputs the seed of the current W-OTS key pair together with the next FSPRG state, and the previous state is erased, so a compromised signer reveals only the key pairs that were not yet used.
FSPRG: Forward secure PRG using PRFF F_n
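The secret-key derivation of the "XMSS – secret key" slide and the FSPRG of this slide side by side, as an added worked example in Python (not code from the talk or from the authors' implementation). Instantiating f_k(x) as SHA-256(k || x) and deriving the FSPRG step as S_{i+1} = f_{S_i}(0), R_i = f_{S_i}(1) are assumptions of this example; the point it makes is which one-time seeds an attacker can recover from a stolen key in each variant.

```python
import hashlib

N = 32   # n = 256 bit


def f(k: bytes, x: bytes) -> bytes:
    """Member f_k of the PRFF F_n; instantiated as SHA-256(k || x) (an assumption of this example)."""
    return hashlib.sha256(k + x).digest()


def prg_seed(master_seed: bytes, i: int) -> bytes:
    """Plain PRG key derivation: the seed of W-OTS key pair i is f_SEED(i).
    Whoever obtains SEED obtains every one-time key, past and future."""
    return f(master_seed, i.to_bytes(4, "big"))


def fsprg(state: bytes):
    """Forward secure PRG step: FSPRG(S_i) = (S_{i+1}, R_i) with S_{i+1} = f_{S_i}(0)
    and R_i = f_{S_i}(1). From S_{i+1} alone, S_i and R_i are only reachable by
    inverting the PRF."""
    return f(state, b"\x00"), f(state, b"\x01")


class ForwardSecureSecretKey:
    """XMSS secret key with FSPRG: the current state S_i and the index i of the
    next unused W-OTS key pair. Both must be written back to persistent storage
    before a signature leaves the signer; reusing an index reuses a one-time key."""

    def __init__(self, seed: bytes, height: int):
        self.state, self.index, self.total = seed, 0, 1 << height

    def next_ots_seed(self) -> bytes:
        if self.index >= self.total:
            raise RuntimeError("all 2^H one-time key pairs have been used")
        self.state, r = fsprg(self.state)   # S_i is overwritten before R_i is used
        self.index += 1
        return r

    def snapshot(self):
        """What an attacker sees after compromising the signer at this point."""
        return self.state, self.index


def seeds_from_fsprg_state(state: bytes, index: int, total: int) -> dict:
    """Everything derivable from a stolen (S_index, index): R_index .. R_{total-1}."""
    out = {}
    for i in range(index, total):
        state, out[i] = fsprg(state)
    return out


def seeds_from_master_seed(master_seed: bytes, total: int) -> dict:
    """Everything derivable from a stolen plain-PRG SEED: all of R_0 .. R_{total-1}."""
    return {i: prg_seed(master_seed, i) for i in range(total)}


if __name__ == "__main__":
    seed = bytes(N)                         # constructed demo seed, not a real key
    key = ForwardSecureSecretKey(seed, height=3)
    used = [key.next_ots_seed() for _ in range(3)]       # periods 0, 1, 2 signed
    leaked = seeds_from_fsprg_state(*key.snapshot(), total=8)
    print("indices recoverable after compromise:", sorted(leaked))
    print("old seeds exposed:", any(r in leaked.values() for r in used))
```

The forward security comes entirely from erasing S_i after the step; a signer that keeps a backup of an old state, or that restores one after a crash, gives both properties away at once: old periods become forgeable and an index gets reused.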
Security Proof - Idea
Tree construction and W-OTS are provably secure. Given an adversary A against the pseudorandom scheme (W-OTS keys generated by the PRG), A can be used against the random scheme (W-OTS keys chosen uniformly at random):
→ The inputs A sees have the same form; only their distribution differs
→ We can bound the success probability against the random scheme
→ If A succeeds noticeably more often against the pseudorandom scheme, we can use A to distinguish the PRG output from random
See full version on IACR ePrint (report 2011/484)
XMSS in practice
XMSS - Instantiations
XMSS needs a pseudorandom FF and a second-preimage resistant HFF. Both can be instantiated with any cryptographic HFF; the pseudorandom FF can also be instantiated with a block cipher.
For comparison, RSA, DSA, ECDSA, … need a trapdoor one-way function: DL, RSA, MP-Sign.
Hash functions & Blockciphers
Block ciphers: AES, Blowfish, 3DES, Twofish, Threefish, Serpent, IDEA, RC5, RC6, …
Hash functions: SHA-2, BLAKE, Grøstl, JH, Keccak, Skein, VSH, SWIFFTX, RFSB, …
XMSS Implementations
C Implementation, using OpenSSL

| Scheme | Sign (ms) | Verify (ms) | Signature (bit) | Public Key (bit) | Secret Key (byte) | Bit Security | Comment |
|---|---|---|---|---|---|---|---|
| XMSS-SHA-2 | 15.17 | 1.02 | 16,664 | 13,568 | 280 | 146 | H = 20, w = 64 |
| XMSS-SHA-2 | 33.47 | 2.34 | 15,384 | 13,568 | 280 | 100 | H = 20, w = 108 |
| XMSS-AES-NI | 1.72 | 0.11 | 19,608 | 7,296 | 152 | 82 | H = 20, w = 4 |
| XMSS-AES | 2.87 | 0.22 | 19,608 | 7,296 | 152 | 82 | H = 20, w = 4 |
| MSS-SPR (n = 128) | - | - | 68,096 | 7,680 | - | 98 | H = 20 |
| RSA 2048 | 3.08 | 0.09 | ≤ 2,048 | ≤ 4,096 | ≤ 4,096 | 87 | |

Measured on an Intel(R) Core(TM) i5 CPU M540 @ 2.53GHz with Intel AES-NI
Conclusion
XMSS
… needs minimal security assumptions
… is forward secure
… can be used with any hash function or block cipher
… performance is comparable to RSA, DSA, ECDSA …