
W-OTS+ – Shorter Signatures for Hash-Based Signature Schemes

Andreas Hülsing

24.06.2013 | TU Darmstadt | Andreas Hülsing | 1

Digital Signatures are Important!

Software updates

E-Commerce

… and many others


What if…

IBM 2012: „…optimism about superconducting qubits and the possibilities for a future quantum computer are rapidly growing.“


Post-Quantum Signatures

Based on Lattice, MQ, Coding

[Table: the three families compared on signature and/or key sizes, runtimes and secure parameters; the per-cell check/cross marks did not survive extraction]


Hash-based Signature Schemes

[Merkle, Crypto‘89]

Hash-based signatures are…

… not only “post-quantum”

… fast, also without HW-acceleration

… strong security guarantees

… forward secure

But…

… signature size ~2-3kB


Hash-based Signatures

[Figure: binary hash tree of nodes h built over the OTS public keys; the root is PK, the OTS secret keys are derived from SK; SIG = ( i , OTS signature, the h nodes on the path from leaf i to the root )]

Winternitz OTS

[Merkle, Crypto‘89; Even et al., JoC‘96]

[Figure: SIG = ( i , … ) with the OTS part of the signature highlighted]

1. Chain elements: each one is f applied to the previous element

2. Trade-off between runtime and signature size, controlled by parameter w

3. Minimal security requirements (PRF)

[Buchmann et al., Africacrypt’11]

4. Used in XMSS & XMSS+

[Buchmann et al., PQCrypto’11; Hülsing et al., SAC’12]


WOTS+

“Winternitz-Type” OTS

Security based on 2nd-preimage resistance, one-wayness & undetectability of the function family, even for SU-CMA

Tight security reduction w/o collision resistance

[Table: security-loss comparison of the previous Winternitz OTS and WOTS+, stated in terms of $2^n$, $w$ and $O(1)$; the cell layout did not survive extraction]

Allows for more signature compression, i.e. greater w


XMSS with WOTS +

XMSS and XMSS + on Infineon SLE78 [HBB12]


Construction


Function Chain

Use function family $F_n = \{ f_k : \{0,1\}^n \to \{0,1\}^n \mid k \in \{0,1\}^{n'} \}$

Previous schemes used [chain figure not recoverable from extraction]

WOTS+: For $w \ge 2$ select $R = (r_1, \dots, r_{w-1}) \in \{0,1\}^{n \times (w-1)}$ and $k \in \{0,1\}^{n'}$. The chain is

$c^0(x) = x$, $\quad c^i(x) = f_k\big(c^{i-1}(x) \oplus r_i\big)$ for $1 \le i \le w-1$,

so $c^1(x) = f_k(x \oplus r_1)$, …, up to $c^{w-1}(x)$.

WOTS+

Winternitz parameter w, security parameter n, message length m, function family $F_n = \{ f_k : \{0,1\}^n \to \{0,1\}^n \mid k \in \{0,1\}^n \}$

Key Generation: Compute l, sample k, sample R

$\mathrm{sk} = (\mathrm{sk}_1, \dots, \mathrm{sk}_l)$, with $c^0(\mathrm{sk}_i) = \mathrm{sk}_i$

$\mathrm{pk}_i = c^{w-1}(\mathrm{sk}_i)$ for $i = 1, \dots, l$

[Figure: l chains $c^0(\mathrm{sk}_i) = \mathrm{sk}_i \to c^1(\mathrm{sk}_i) \to \dots \to c^{w-1}(\mathrm{sk}_i) = \mathrm{pk}_i$, from $\mathrm{sk}_1 / \mathrm{pk}_1$ to $\mathrm{sk}_l / \mathrm{pk}_l$]

WOTS+ Signature generation

$M \to (b_1, b_2, b_3, b_4, \dots, b_{l_1})$, $\quad$ checksum $C \to (b_{l_1+1}, b_{l_1+2}, \dots, b_l)$

$\sigma_i = c^{b_i}(\mathrm{sk}_i)$ for $i = 1, \dots, l$, i.e. $\sigma_1 = c^{b_1}(\mathrm{sk}_1)$, …, $\sigma_l = c^{b_l}(\mathrm{sk}_l)$

[Figure: the chains from $c^0(\mathrm{sk}_i) = \mathrm{sk}_i$ to $\mathrm{pk}_i = c^{w-1}(\mathrm{sk}_i)$, with $\sigma_i$ marked at position $b_i$ on chain i]

Security Proof

Reduction


Main result

Theorem:

W-OTS+ is strongly unforgeable under chosen message attacks if F is a 2nd-preimage resistant, undetectable one-way function family


EU-CMA for OTS

[Figure: game diagram] The adversary receives $(\mathrm{PK}, 1^n)$, sends one message M to the signing oracle SIGN (which holds SK) and receives $(\sigma, M)$, then outputs a forgery $(\sigma^*, M^*)$.

Success if $M^* \ne M$ and Verify(pk, $\sigma^*$, $M^*$) = Accept

Intuition

Oracle Response: $(\sigma, M)$; $M \to (b_1, \dots, b_l)$

Forgery: $(\sigma^*, M^*)$; $M^* \to (b^*_1, \dots, b^*_l)$

Observations:

1. $\exists\, \alpha \in \{1, \dots, l\}$ s.th. $b^*_\alpha < b_\alpha$, because of checksum

2. $c^{w-1-b^*_\alpha}(\sigma^*_\alpha) = \mathrm{pk}_\alpha = c^{w-1-b_\alpha}(\sigma_\alpha)$, because of verification

Adversary “quasi-inverted” chain c

[Figure: chain $c^0(\mathrm{sk}_\alpha) = \mathrm{sk}_\alpha \to ? \to \dots \to \mathrm{pk}_\alpha$ with $\sigma_\alpha$ at position $b_\alpha$; the forger's $\sigma^*_\alpha$ sits at the lower position $b^*_\alpha$, the values between are unknown (?), and its chain also ends in $\mathrm{pk}_\alpha$ (!)]

Intuition, cont‘d

Oracle Response: $(\sigma, M)$; $M \to (b_1, \dots, b_l)$

Forgery: $(\sigma^*, M^*)$; $M^* \to (b^*_1, \dots, b^*_l)$

Observations:

Adversary “quasi-inverted” chain c

Pigeon hole principle: the forger's chain starting at $\sigma^*_\alpha$ (position $b^*_\alpha$) and the honest chain starting at $c^0(\mathrm{sk}_\alpha) = \mathrm{sk}_\alpha$ both end in $\mathrm{pk}_\alpha$, so they first coincide at some position $\beta$.

[Figure: the two chains, each step built from $r_i$ and $f_k$, meeting at $\beta$] At $\beta$ the adversary has delivered either a second-preimage (the two chains enter $\beta$ from different values) or a preimage (the forger's value at $b^*_\alpha$ lies on the honest chain, so it is a preimage of the next chain element, which the forger never received).

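The construction from the Construction slides (function chain, key generation, signing, verification) and the two observations of the proof intuition above, as an added example; this is not code from the slides or their author. Everything not on the page is an assumption and marked as such in the code: f_k is instantiated as keyed SHA-256 truncated to n bytes (the slides count n in bits), w is a power of two, messages are fixed-length byte strings, l = l_1 + l_2 uses the usual Winternitz formulas, and the public key is taken to be (k, R, pk_1..pk_l). `decreasing_index` checks observation 1 (the checksum forces some b*_alpha < b_alpha for M* != M) and `extract` performs the pigeon-hole case analysis on a single chain, classifying a verifying forgery value as a preimage or a second-preimage witness; it is the case split, not the full reduction.

```python
"""WOTS+ from the Construction slides plus the proof-intuition observations.

Added example, not code from the slides or their author.  Assumptions that are
not on the page: f_k is keyed SHA-256 truncated to n bytes (the slides count n
in bits); w is a power of two; a message is a fixed-length byte string with
m = 8*len(msg) bits; l = l_1 + l_2 uses the usual Winternitz formulas; the
public key is taken to be (k, R, pk_1..pk_l).
"""
import hashlib
import math
import secrets
from typing import List, Optional, Tuple


def f(k: bytes, x: bytes) -> bytes:
    """f_k : {0,1}^n -> {0,1}^n  (assumed instantiation)."""
    return hashlib.sha256(k + x).digest()[:len(x)]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def chain(x: bytes, start: int, steps: int, k: bytes, R: List[bytes]) -> bytes:
    """Given c^start(x), return c^(start+steps)(x) with c^i(x) = f_k(c^(i-1)(x) XOR r_i)."""
    y = x
    for i in range(start, start + steps):
        y = f(k, xor(y, R[i]))          # R[i] is the slides' r_{i+1} (1-based there)
    return y


def params(m: int, w: int) -> Tuple[int, int]:
    """l_1 message chains and l_2 checksum chains (assumed formulas)."""
    l1 = math.ceil(m / math.log2(w))
    l2 = math.floor(math.log2(l1 * (w - 1)) / math.log2(w)) + 1
    return l1, l2


def base_w(msg: bytes, w: int) -> List[int]:
    """M -> (b_1, ..., b_l): base-w digits of M, then the digits of checksum C."""
    l1, l2 = params(8 * len(msg), w)
    logw = int(math.log2(w))
    v = int.from_bytes(msg, "big")
    b = [(v >> (logw * i)) & (w - 1) for i in reversed(range(l1))]
    C = sum(w - 1 - d for d in b)       # raising any b_i lowers C, so some digit must drop
    return b + [(C >> (logw * i)) & (w - 1) for i in reversed(range(l2))]


def keygen(n: int, m: int, w: int):
    """Compute l, sample k and R = (r_1..r_{w-1}), set pk_i = c^(w-1)(sk_i)."""
    l1, l2 = params(m, w)
    k = secrets.token_bytes(n)
    R = [secrets.token_bytes(n) for _ in range(w - 1)]
    sk = [secrets.token_bytes(n) for _ in range(l1 + l2)]
    pk = [chain(s, 0, w - 1, k, R) for s in sk]
    return sk, (k, R, pk)


def sign(sk: List[bytes], pub, msg: bytes, w: int) -> List[bytes]:
    """sigma_i = c^(b_i)(sk_i)."""
    k, R, _ = pub
    b = base_w(msg, w)
    return [chain(sk[i], 0, b[i], k, R) for i in range(len(sk))]


def verify(pub, msg: bytes, sig: List[bytes], w: int) -> bool:
    """Accept iff c^(w-1-b_i)(sigma_i) = pk_i for every chain i."""
    k, R, pk = pub
    b = base_w(msg, w)
    return len(sig) == len(pk) and all(
        chain(sig[i], b[i], w - 1 - b[i], k, R) == pk[i] for i in range(len(pk)))


def decreasing_index(b: List[int], b_star: List[int]) -> Optional[int]:
    """Observation 1: for M* != M the checksum guarantees some alpha with b*_alpha < b_alpha."""
    for alpha, (x, y) in enumerate(zip(b, b_star)):
        if y < x:
            return alpha
    return None


def extract(sk_a: bytes, sig_star_a: bytes, b_star_a: int, k: bytes, R: List[bytes], w: int):
    """Observation 2 / pigeon hole on one chain: the forger's chain from sigma*_alpha
    (position b*_alpha) and the honest chain c^j(sk_alpha) both end in pk_alpha, so
    they first agree at some position beta.  beta == b*_alpha: sigma*_alpha is the
    honest value, i.e. a preimage of c^(beta+1) under x -> f_k(x XOR r_{beta+1}).
    Otherwise the two chains enter beta from different inputs: a second preimage."""
    honest = [sk_a]
    for j in range(1, w):
        honest.append(chain(honest[-1], j - 1, 1, k, R))
    y, prev = sig_star_a, None
    for beta in range(b_star_a, w):
        if y == honest[beta]:
            if beta == b_star_a:
                return ("preimage", beta, y)
            return ("second-preimage", beta, prev, honest[beta - 1])
        prev, y = y, chain(y, beta, 1, k, R)
    return None                          # impossible for a verifying forgery
```

With w = 16 and a 16-bit message, l_1 = 4 message digits and l_2 = 2 checksum digits; signing M = 0x0000 and forging M* = 0x0001 raises digit 4 but lowers the checksum, so the decreasing position is a checksum chain, which is exactly what observation 1 relies on. Only a forger that already knows sk can be simulated here, so `extract` will report the preimage case; the second-preimage branch is what a real forger would have to hit without sk.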

Conclusion

We …

… tightened security proof …

→ allows for smaller signatures …

(… achieve stronger security)

It makes sense to tighten security proofs!

Take Home Message:

Hash-based signatures are practical


Thank you!
