Practical Forward Secure Signatures using Minimal Security Assumptions
PhD Defense, Andreas Hülsing
23.09.2013 | TU Darmstadt | Andreas Hülsing | 1

Slide 2: Digital Signatures are Important!
• Software updates
• E-Commerce
• … and many others

Slide 3: Forward Secure Signatures [And97]

Slide 4: Forward Secure Signatures
• Classical: one pk, one sk.
• Forward secure: one pk, but a sequence of secret keys sk_1, sk_2, …, sk_i, …, sk_T, one per time period t_1, t_2, …, t_i, …, t_T (key gen. produces the first one).
• Goal of an attacker who obtains sk_i: Sig(·, j) for some j < i, i.e. a signature for an earlier period. Forward security means this is infeasible.

Slide 5: What if…

Slide 6: Post-Quantum Signatures
Lattice, MQ, Coding based schemes:
• Signature and/or key sizes
• Runtimes
• Secure parameters
• No forward secure signatures
[figure: example multivariate quadratic system, y_1 = x_1^2 + x_1 x_2 + x_1 x_4 + x_3, y_2 = x_3^2 + x_2 x_3 + x_2 x_4 + x_1 + 1, y_3 = …]

Slide 7: Hash-based Signature Schemes [Mer89]
• Post quantum
• Only a secure hash function needed
• Security well understood
• Fast
• Forward secure (inefficient)

Slide 8: Cryptographic Hash Functions
H_n = {H_K : {0,1}^m → {0,1}^n | K ∈ {0,1}^{n'}}

| Property | World | AC (generic attack complexity) |
| Collision Resistance (CR) | Cryptomania | O(2^{n/2}) |
| Second-preimage Resistance (SPR) | Minicrypt | O(2^n) |
| One-wayness (OW) | Minicrypt | O(2^n) |
| Undetectability (UD) | Minicrypt | O(2^n) |
| Pseudorandomness (PRF) | Minicrypt | O(2^n) |

Slide 9: Hash-based Signatures
[figure: Merkle tree built with H; root = PK, leaves = H(OTS public key); SIG = (i = 2, OTS signature, authentication path nodes); SK]

Slide 10: Challenges & Achievements
Challenges:
• Minimal security assumptions XOR Efficient
• Forward secure XOR Efficient
• Large signatures
• No full smartcard implementation
Achievements:
• Efficient
• Minimal security assumptions
• Forward secure
• „Small signatures"
• Full smartcard implementation

Slide 11: Contribution
• Chapter 3: New Variants of the Winternitz One Time Signature Scheme: WOTS+ & WOTS$
• Chapter 4: XMSS, „A practical, forward secure signature scheme based on minimal security assumptions“
• Chapter 5: XMSS^MT, „XMSS with Virtually Unlimited Signature Capacity”
• Chapter 6: Choosing Optimal Parameters for XMSS*
• Chapter 7: XMSS* in Practice: Implementation; Experimental results (CPU & smartcard)

Slide 12: Chapter 3: New Variants of the Winternitz One Time Signature Scheme (OTS)

Slide 13: Winternitz OTS (WOTS) [Mer89; EGM96]
SIG = (i, σ_1, …, σ_l) [figure]
1. Plain one-time signature: pk = f(sk) element-wise, |SIG| = |PK| = |SK| = m · (one n-bit value per message bit).
2. Trade-off between runtime and signature size: |SIG| ~ (m / log w) · n bits.

Slide 14: WOTS Function Chain
Function family F_n = {F_K : {0,1}^n → {0,1}^n | K ∈ {0,1}^{n'}}
Formerly: c^i(x) = F_K(c^{i-1}(x)) = F_K ∘ F_K ∘ … ∘ F_K(x) (i times), K ∈ {0,1}^{n'}.
WOTS+: for w ≥ 2 select R = (r_1, …, r_{w-1}) ∈ {0,1}^{n(w-1)} and K ∈ {0,1}^{n'}, and define
c^0(x) = x, c^i(x) = F_K(c^{i-1}(x) ⊕ r_i), so c^1(x) = F_K(x ⊕ r_1), …, up to c^{w-1}(x).

Slide 15: WOTS+ [Hül13]
Parameters: Winternitz parameter w, security parameter n, message length m, function family F_n = {F_K : {0,1}^n → {0,1}^n | K ∈ {0,1}^{n'}}.
Key Generation: compute l, sample K, sample R; sk = (sk_1, …, sk_l) with c^0(sk_i) = sk_i; pk_i = c^{w-1}(sk_i) for i = 1, …, l. [figure: l chains from sk_i to pk_i]

Slide 16: WOTS+ Signature generation
M → base-w digits (b_1, …, b_{l_1}); checksum C → (b_{l_1+1}, …, b_l); σ_i = c^{b_i}(sk_i) for i = 1, …, l. [figure]

Slide 17: Main result
Theorem 3.9 (informally): W-OTS+ is strongly unforgeable under chosen message attacks if F is a 2nd-preimage resistant, undetectable one-way function family.

Slide 18: Security Proof (reduction)

Slide 19: Intuition
Oracle response: (σ, M), M → (b_1, …, b_l). Forgery: (σ*, M*), M* → (b_1*, …, b_l*).
Observations:
1. Checksum: there is an α ∈ {1, …, l} such that b*_α < b_α.
2. Verification: c^{w-1-b*_α}(σ*_α) = pk_α = c^{w-1-b_α}(σ_α). So σ*_α is a „quasi-inversion": it sits below σ_α on the chain c^0(sk_α) = sk_α → … → pk_α, and the forger produced it without knowing the chain values in between. [figure: chain from sk_α to pk_α with the unknown intermediate values marked ?; pk_α ≠ pk*_α otherwise]

Slide 20: Intuition, cont'd
Oracle response: (σ, M), M → (b_1, …, b_l). Forgery: (σ*, M*), M* → (b_1*, …, b_l*).
Given the „quasi-inversion" σ*_α of the chain c: compare the chain starting at σ*_α with the chain through c^0(sk_α) = sk_α step by step (F_K with mask r_β). At the step β where the two meet, the reduction obtains either a second-preimage or a preimage for F_K.

Slide 21: Result
| | Old [DSS05] | WOTS$ [BDEHR11] | WOTS+ [Hül13] |
| Assumption on F_n | CR, UD, OW | PRF | SPR, UD, OW |
| World | Cryptomania | Minicrypt (conj.) | Minicrypt |
| Sig size | l · 2b | l · (b + w) | l · (b + log w) |

Slide 22: Chapter 4: XMSS

Slide 23: XMSS [BDH11]
• OTS: WOTS+ / WOTS$ instead of Lamport-Diffie / WOTS
• Tree construction [DOTV08]: nodes computed with H and bitmasks b_i [figure]
• Pseudorandom key generation with a forward secure PRG (FSPRG): FSPRG → FSPRG → FSPRG → …, each state feeding a PRG that generates one OTS key [figure]

Slide 24: Result
| | SPR-MSS (Single Tree) [DOTV08] | GMSS [BDK+07] | XMSS [BDH11] |
| World | Minicrypt | Cryptomania | Minicrypt |
| Forward secure | FSS | Not FSS | FSS |
| SK size | 2^{h+1} · bm + TTA | b + TTA | b + TTA |
| SIG size | ~ 2bm + hb | ~ 2b(m / log w) + h · 2b | ~ b(m / log w) + hb |

Slide 25: Chapter 7: XMSS* in Practice

Slide 26: XMSS Implementations, C Implementation using OpenSSL [BDH2011]
| Scheme | Sign (ms) | Verify (ms) | Signature (bit) | Public Key (bit) | Secret Key (byte) | Bit Security | Comment |
| XMSS-SHA-2 | 35.60 | 1.98 | 16,672 | 13,600 | 3,364 | 157 | h = 20, w = 64 |
| XMSS-AES-NI | 0.52 | 0.07 | 19,616 | 7,328 | 1,684 | 84 | h = 20, w = 4 |
| XMSS-AES | 1.06 | 0.11 | 19,616 | 7,328 | 1,684 | 84 | h = 20, w = 4 |
| RSA 2048 | 3.08 | 0.09 | ≤ 2,048 | ≤ 4,096 | ≤ 512 | 87 | |
Platform: Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz with Intel AES-NI.

Slide 27: XMSS Implementations, Smartcard Implementation [HBB12]
| Scheme | Sign (ms) | Verify (ms) | Keygen (ms) | Signature (byte) | Public Key (byte) | Secret Key (byte) | Bit Sec. | Comment |
| XMSS | 134 | 23 | 925,400 | 2,388 | 800 | 2,448 | 92 | H = 16, w = 4 |
| XMSS+ | 106 | 25 | 5,600 | 3,476 | 544 | 3,760 | 94 | H = 16, w = 4 |
| RSA 2048 | 190 | 7 | 11,000 | ≤ 256 | ≤ 512 | ≤ 512 | 87 | |
Platform: Infineon SLE78, 16-bit CPU @ 33 MHz, 8 KB RAM, TRNG, symmetric & asymmetric co-processor.
NVM: card allows 16.5 million write cycles per sector; XMSS+ needs < 5 million write cycles (h = 20).

Slide 28: Conclusion

Slide 29: Conclusion
• Efficient
• Minimal security assumptions
• „Small signatures"
• Forward secure
• Full smartcard implementation

Slide 30: Future Work
• FSS in the wild
• Statefulness in practice
• Stateless signatures
• Few-time WOTS
Thank you! Questions?

Publications
[1] J. Buchmann, E. Dahmen, S. Ereth, A. Hülsing, and M. Rückert. On the security of the Winternitz one-time signature scheme. In A. Nitaj and D. Pointcheval (Eds), Africacrypt 2011, LNCS 6737, pp 363–378. Springer Berlin / Heidelberg, 2011.
[2] J. Buchmann, E. Dahmen, and A. Hülsing. XMSS - a practical forward secure signature scheme based on minimal security assumptions. In Bo-Yin Yang (Ed), Post-Quantum Cryptography, LNCS 7071, pp 117–129. Springer Berlin / Heidelberg, 2011.
[3] A. Hülsing, A. Petzoldt, M. Schneider, and S.M. El Yousfi Alaoui. Postquantum Signaturverfahren Heute. In Ulrich Waldmann (Ed), Tagungsband zum 22. SIT-Smartcard Workshop 2012, IHK Darmstadt, Feb 2012. Fraunhofer Verlag Stuttgart.
[4] A. Hülsing, C. Busold, and J. Buchmann. Forward secure signatures on smart cards. In Lars R. Knudsen and Huapeng Wu (Eds), Selected Areas in Cryptography, LNCS 7707, pp 66–80. Springer Berlin Heidelberg, 2013.
[5] J. Braun, A. Hülsing, A. Wiesmaier, M. A. G. Vigil, and J. Buchmann. How to avoid the breakdown of public key infrastructures: forward secure signatures for certificate authorities. In S. Capitani di Vimercati and C. Mitchell (Eds), EuroPKI 2012, LNCS 7868, pp 53–68. Springer Berlin Heidelberg, 2013.
[6] J. Buchmann, E. Dahmen, S. Ereth, A. Hülsing, and M. Rückert. On the security of the Winternitz one-time signature scheme. Journal of Applied Cryptography, 3(1):84–96, 2013.
[7] A. Hülsing. W-OTS+ — shorter signatures for hash-based signature schemes. In A. Youssef, A. Nitaj, and A.E. Hassanien (Eds), Africacrypt 2013, LNCS 7918, pp 173–188. Springer Berlin Heidelberg, 2013.
[8] M. M. Olembo, T. Kilian, S. Stockhardt, A. Hülsing, and M. Volkamer. Developing and testing a visual hash scheme. In N. Clarke, S. Furnell, and V. Katos (Eds), Proceedings of the European Information Security Multi-Conference (EISMC 2013). Plymouth University, April 2013.
[9] P. Weiden, A. Hülsing, D. Cabarcas, and J. Buchmann. Instantiating treeless signature schemes. Cryptology ePrint Archive, Report 2013/065, 2013. http://eprint.iacr.org/.
[10] A. Hülsing, J. Braun. Langzeitsichere Signaturen durch den Einsatz hashbasierter Signaturverfahren. In Tagungsband zum 13. Deutschen IT-Sicherheitskongress 2013, Herausgeber: BSI. Secu-Media Verlag, Gau-Algesheim, 2013.
[11] J. Braun, M. Horsch, A. Hülsing. Effiziente Umsetzung des Kettenmodells unter Verwendung vorwärtssicherer Signaturverfahren. In Tagungsband zum 13. Deutschen IT-Sicherheitskongress 2013, Herausgeber: BSI. Secu-Media Verlag, Gau-Algesheim, 2013.
[12] A. Hülsing, L. Rausch, and J. Buchmann. Optimal parameters for XMSS^MT. In A. Cuzzocrea, C. Kittl, D. E. Simos, E. Weippl, and L. Xu (Eds), Security Engineering and Intelligence Informatics, LNCS 8128, pp 194–208. Springer Berlin Heidelberg, 2013.
[13] J. Buchmann, D. Cabarcas, F. Göpfert, A. Hülsing, and P. Weiden. Discrete ziggurat: A time-memory trade-off for sampling from a gaussian distribution over the integers. In Selected Areas in Cryptography 2013 (SAC'13), to appear.
[14] J. Braun, F. Kiefer, and A. Hülsing. Revocation & non-repudiation: When the first destroys the latter. In EuroPKI 2013, to appear.
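Worked example of the WOTS+ construction from Chapter 3 (bitmasked chain c^i(x) = F_K(c^{i-1}(x) ⊕ r_i), checksum, sign and verify, plus the proof's first observation from slide 19). This is added illustration code, not code from the thesis; it assumes F_K(x) = SHA-256(K || x) truncated to n bytes in place of the AES-based F_K, and w a power of two.

```python
import hashlib
import math
import secrets

# Added example of WOTS+: c^i(x) = F_K(c^{i-1}(x) XOR r_i) with bitmasks R = (r_1..r_{w-1}).
# Assumption (the thesis instantiates F_K with AES): F_K(x) = SHA-256(K || x) cut to n bytes.
def F(K, x, n):
    return hashlib.sha256(K + x).digest()[:n]

def chain(x, start, steps, K, R, n):
    """Advance x, which sits at chain position `start`, by `steps` steps (masks r_{start+1}..)."""
    for i in range(start + 1, start + steps + 1):
        x = F(K, bytes(a ^ b for a, b in zip(x, R[i - 1])), n)   # R[i-1] is r_i (1-indexed)
    return x

def params(w, m):
    """l1 message digits, l2 checksum digits, l = l1 + l2 chains (w must be a power of two)."""
    l1 = math.ceil(m / math.log2(w))
    l2 = math.floor(math.log2(l1 * (w - 1)) / math.log2(w)) + 1
    return l1, l2, l1 + l2

def base_w(value, digits, w):
    bits = int(math.log2(w))
    return [(value >> (k * bits)) & (w - 1) for k in reversed(range(digits))]

def digits_of(msg, w, m):
    """Message digits b_1..b_l1 followed by the checksum C = sum(w-1-b_i) written in base w."""
    l1, l2, _ = params(w, m)
    b = base_w(int.from_bytes(msg, "big"), l1, w)
    return b + base_w(sum(w - 1 - bi for bi in b), l2, w)

def keygen(n, w, m):
    _, _, l = params(w, m)
    K, R = secrets.token_bytes(n), [secrets.token_bytes(n) for _ in range(w - 1)]
    sk = [secrets.token_bytes(n) for _ in range(l)]
    pk = [chain(s, 0, w - 1, K, R, n) for s in sk]            # pk_i = c^{w-1}(sk_i)
    return (K, R, sk), (K, R, pk)

def sign(msg, secret, n, w, m):
    K, R, sk = secret
    return [chain(sk[i], 0, b, K, R, n) for i, b in enumerate(digits_of(msg, w, m))]

def verify(msg, sig, public, n, w, m):
    K, R, pk = public                 # finish each chain: c^{w-1-b_i}(sigma_i) must equal pk_i
    b = digits_of(msg, w, m)
    return all(chain(sig[i], b[i], w - 1 - b[i], K, R, n) == pk[i] for i in range(len(pk)))

def decreasing_digit(msg, msg_star, w, m):
    """Slide 19, observation 1: for M* != M the checksum forces some alpha with b*_alpha < b_alpha."""
    b, b_star = digits_of(msg, w, m), digits_of(msg_star, w, m)
    return next((a for a in range(len(b)) if b_star[a] < b[a]), None)
```

With n = 16 bytes, w = 16 and m = 128 bits, params gives 32 message chains and 3 checksum chains; the real XMSS parameters n = 32, w = 16, m = 256 give (64, 3, 67).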
Backup slides

Slide 33: Quantum Computing Progress
IBM 2012: “Scientists at IBM Research … have achieved major advances in quantum computing device performance that may accelerate the realization of a practical, full-scale quantum computer.“

Slide 34: Chapter 5: XMSS^MT

Slide 35: Tree Chaining [BGD+06, BDK+07]
• Key generation time t_KG: O(2^h) → O(2^{h/d})
• Improved distributed signature generation [HBB12, HRB13]
[figure: chained trees, lower tree j under upper tree i]

Slide 36: Result
| | GMSS [BDK+07] | XMSS^MT [HBB12, HRB13] |
| World | Cryptomania | Minicrypt |
| Forward secure | Not FSS | FSS |
| t_SIG | h/2 = Σ h_i/2 | h_0/2 |

Slide 37: Security Level aka Bit Security
Exact proof: „In general, a cryptographic system offers security level λ if a successful generic attack can be expected to require effort approximately 2^{λ−1}.“ [Len04]
Solve for t, using 1/2 = … (derivation not recoverable from the extracted slide); result: t = 2^n.

Slide 38: Security Level aka Bit Security (Quantum Case)
Exact proof: „In general, a cryptographic system offers security level λ if a successful generic attack can be expected to require effort approximately 2^{λ−1}.“ [Len04]
Solve for t, using 1/2 = … (derivation not recoverable from the extracted slide); result: t = 2^{n/2}.

Slide 39: EU-CMA for OTS
The challenger generates (PK, SK) from 1^n and hands PK to the adversary. The adversary submits one message M to SIGN and receives (σ, M); it then outputs (σ*, M*).
Success if M* ≠ M and Verify(pk, σ*, M*) = Accept.

Slide 40: Quantum-secure Signatures
The challenger generates (PK, SK) from 1^n and hands PK to the adversary. The adversary queries SIGN q times on superpositions of messages and outputs q + 1 pairs {(m_i, σ_i)}_{i=1}^{q+1}.
Success if for all i ≠ j ∈ [1, q+1]: m_i ≠ m_j and Verify(pk, m_i, σ_i) = 1.

Slide 41: BDS Tree Traversal [BDS08]
• Computes authentication paths
• Store the most expensive nodes
• Left nodes are cheap
• Distribute costs: (h−k)/2 updates per round
[figure: tree of height h with parameter k; node counts 2^{h-1}, 2^{h-2}]

Slide 42: Minimal Security Assumptions
• One-way FF → digital signature scheme [NaYu89, Rom90]
• One-way FF → pseudorandom generator [HILL99] → pseudorandom FF [GGM86]
• One-way FF → target-collision resistant HFF [Rom90] → second-preimage resistant HFF
• Pseudorandom FF + second-preimage resistant HFF → XMSS

Slide 43: From Fixed to Arbitrary Length Messages („Hash and Sign")
| Collision-resistant HFF | Efficient | Cryptomania |
| Target collision-resistant HFF | Inefficient | Minicrypt |

Slide 44: Minimal Security Assumptions: Why?
• Theory: nice
• Practice: weaker assumption → stronger security → smaller signatures
• Attack: weaker assumption → harder to attack → attack less likely; “Early Warning”

Slide 45: … BUT WAIT!
• CR is needed for chosen message attacks; random message attacks need only SPR
• Active signing: CMA; stored messages: RMA
• If CR is broken: change the HFF

Slide 46: Hash function & PRF
• Use plain AES for the PRF F_n = {F_K : {0,1}^n → {0,1}^n | K ∈ {0,1}^n}
• Use AES with Matyas-Meyer-Oseas in Merkle-Damgård mode for the hash function
02.12.2011 | TU Darmstadt | A. Huelsing | 46
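Added example (not the thesis' code) of the bitmasked binary hash tree behind XMSS (Chapter 4, tree construction in the style of [DOTV08]) together with the authentication paths that BDS traversal produces and the root recomputation a verifier performs. It assumes H_K = SHA-256(K || ·) truncated to n bytes, one pair of bitmasks per level, and random n-byte leaves standing in for compressed WOTS+ public keys.

```python
import hashlib
import secrets

# Added example: each inner node is H_K((left XOR b_l) || (right XOR b_r)) with per-level
# bitmasks (b_l, b_r), the idea that lets the tree rely on second-preimage resistance of H.
# Assumption: H_K = SHA-256(K || .) cut to n bytes; leaves are constructed random values.
def H(K, data, n):
    return hashlib.sha256(K + data).digest()[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def node(left, right, level, K, B, n):
    bl, br = B[level]
    return H(K, xor(left, bl) + xor(right, br), n)

def build_tree(leaves, K, B, n):
    """Return all levels: levels[0] = leaves, levels[h] = [root]."""
    levels = [list(leaves)]
    for lvl in range(len(B)):
        prev = levels[-1]
        levels.append([node(prev[j], prev[j + 1], lvl, K, B, n) for j in range(0, len(prev), 2)])
    return levels

def auth_path(levels, i):
    """Sibling nodes on the path from leaf i to the root (the part of SIG that BDS computes)."""
    path, idx = [], i
    for lvl in range(len(levels) - 1):
        path.append(levels[lvl][idx ^ 1])
        idx >>= 1
    return path

def root_from_path(leaf, i, path, K, B, n):
    """Verifier side: recompute the root from leaf i and its authentication path."""
    cur, idx = leaf, i
    for lvl, sib in enumerate(path):
        cur = node(sib, cur, lvl, K, B, n) if idx & 1 else node(cur, sib, lvl, K, B, n)
        idx >>= 1
    return cur

def demo(h=3, n=16, i=5):
    K = secrets.token_bytes(n)
    B = [(secrets.token_bytes(n), secrets.token_bytes(n)) for _ in range(h)]
    leaves = [secrets.token_bytes(n) for _ in range(2 ** h)]    # constructed stand-in leaves
    levels = build_tree(leaves, K, B, n)
    root, path = levels[h][0], auth_path(levels, i)
    ok = root_from_path(leaves[i], i, path, K, B, n) == root
    wrong_index = root_from_path(leaves[i], i ^ 1, path, K, B, n) == root
    return ok, wrong_index
```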