Forward Secure Signatures on Smart Cards
A. Hülsing, J. Buchmann, C. Busold
16.08.2012 | TU Darmstadt | A. Hülsing | 1
Forward Secure Digital Signatures
[Figure: classical signatures keep a single key pair (pk, sk) for all time; forward secure signatures keep a fixed pk while the secret key, starting from key generation, evolves through sk_1, sk_2, …, sk_i, …, sk_T over the time periods t_1, t_2, …, t_i, …, t_T.]
Goal: even with sk_i in hand, forging a signature (M, j) for an earlier period j < i must remain infeasible.
Forward Secure Digital Signatures
Pros:
- Fulfill the intuition of a signature
- Replace timestamps
- Cut off some attack vectors for side-channel attacks
- Especially interesting for document signatures and PKI
Cons:
- Stateful
- Less efficient than standard signature schemes
The eXtended Merkle Signature Scheme (XMSS) [Buchmann et al., 2011]
- "Hash-based" forward secure signature scheme
- Provably secure in the standard model
- Minimal complexity-theoretic assumptions (SPR & PRF)
- Generic construction (no specific hardness assumption)
- Efficient (comparable to RSA)
Hash-based Signature Schemes
[Figure: Merkle tree. The leaves are one-time signature (OTS) key pairs, whose secret keys form the secret key of the scheme; every inner node is the hash h of its two children; the root is the public key PK.]
Goal / Challenges
Goal: implement XMSS on a smartcard
Challenges:
- On-card key generation too expensive [Rohde et al., 2008]
- Stateful / NVM wear-out
Construction
OTS / Key generation
- Winternitz OTS [Buchmann et al., 2011] and forward secure PRG: both use a pseudorandom function family
  $F_n = \{ f_k : \{0,1\}^n \to \{0,1\}^n \mid k \in \{0,1\}^n \}$
- The OTS requires computing many PRF chains
- The OTS public key can be computed from the signature
XMSS signature
[Figure: XMSS signature for leaf index i, Signature = (i, , , , ); tree levels with bitmasks b0 (leaf level), b1 and b2.]
BDS Tree Traversal [Buchmann et al., 2008]
- Computes authentication paths
- Stores the most expensive nodes
- Left nodes are cheap; distribute the costs
- (h-k)/2 updates per round
[Figure: tree of height h with 2^{h-1}, 2^{h-2}, … nodes per level; the top k levels are stored.]
Accelerate key generation: Tree Chaining [Buchmann et al., 2006]
$2^{h+1} \to 2 \cdot 2^{h/2+1} = 2^{h/2+2}$
But: larger signatures!
Distributed Signature Generation
Initial proposal [Buchmann et al., 2007]: distribute the signature costs equally among all signatures in the lower tree
This work:
- Use the observation that BDS spends more updates than needed
- Use the unused updates to compute the authentication path & signature
Implementation
Hash function & PRF
- Use plain AES for the PRF
- Use AES in Matyas-Meyer-Oseas mode inside a Merkle-Damgård construction for the hash function
$F_n = \{ f_k : \{0,1\}^n \to \{0,1\}^n \mid k \in \{0,1\}^n \}$
Results

| Scheme | Sign (ms) | Verify (ms) | Keygen (ms) | Signature (byte) | Public Key (byte) | Secret Key (byte) | Bit Sec. | Comment |
|---|---|---|---|---|---|---|---|---|
| XMSS | 134 | 23 | 925,400 | 2,388 | 800 | 2,448 | 86 | h = 16, w = 4, k = 4 |
| XMSS+ | 106 | 25 | 5,600 | 3,476 | 544 | 3,760 | 85 | H = 16, w = 4, k = 2 |
| XMSS+ | 105 | 21 | 5,800 | 2,436 | 512 | 3,376 | 81 | H = 16, w = 8, k = 2 |
| XMSS+ | 106 | 25 | 22,200 | 3,540 | 608 | 4,304 | 81 | H = 20, w = 4, k = 4 |
| RSA 2048 | 190 | 7 | 11,000 | ≤ 256 | ≤ 512 | ≤ 512 | 87 | |

Platform: Infineon SLE78, 16-bit CPU @ 33 MHz, 8 KB RAM, TRNG, symmetric & asymmetric co-processor
NVM: the card allows 16.5 million write cycles per sector; XMSS+ needs < 5 million write cycles
Conclusion & future work
- Forward secure signature schemes can be implemented on smartcards, …
- … hash-based signatures with on-card key generation, too
- … performance is comparable to RSA, DSA, ECDSA …
- … a higher provable security level requires a tighter security proof or a different block cipher / hash function
Thank you, questions?
XMSS – Winternitz OTS [Buchmann et al., 2011]
- Uses a pseudorandom function family $F_n = \{ f_k : \{0,1\}^n \to \{0,1\}^n \mid k \in \{0,1\}^n \}$
- Winternitz parameter w, message length m, random value x
[Figure: l chains of length w over the random value x; chain i starts at sk_i and ends at pk_i = f^{w-1}_{sk_i}(x), for i = 1, …, l.]
For multiple signatures use many key pairs, generated using a forward secure pseudorandom generator (FSPRG) built from the PRFF F_n:
Secret key: a random SEED for the pseudorandom generation of the current signature key.
XMSS – secret key
[Figure: chain of FSPRG states (FSPRG → FSPRG → …); each FSPRG step yields the next state and a seed for one PRG, which expands that seed into the OTS signature key of its period.]
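The FSPRG key evolution and the Winternitz chains from the OTS / key generation slide and the two backup slides, as an added example that is not part of the deck or of the authors' card implementation. It assumes HMAC-SHA256 as a stand-in for the AES-based PRF family F_n, w = 16, and leaves out the W-OTS checksum digits.

```python
import hashlib
import hmac

W = 16  # Winternitz parameter w (assumption; the deck reports w = 4 and w = 8)

def prf(key, msg):
    """f_k(x): one member of the PRF family F_n, keyed by k.
    HMAC-SHA256 stands in for the AES-based PRF used on the card (assumption)."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def fsprg_next(state):
    """One step of the forward secure PRG: returns (next_state, seed_i).
    The state advances through a one-way PRF call, so someone who learns
    state_{i+1} cannot recover state_i or the seed of any earlier period."""
    return prf(state, b"\x00"), prf(state, b"\x01")

def chain(key, x, e):
    """f^e_k(x): iterate f e times, re-keying with the previous output
    (the chain function of the Winternitz OTS in Buchmann et al., 2011)."""
    for _ in range(e):
        key = prf(key, x)
    return key

def ots_keygen(seed, x, l):
    """W-OTS key pair of one period: sk_j = f_seed(j), pk_j = f^{w-1}_{sk_j}(x)."""
    sk = [prf(seed, j.to_bytes(4, "big")) for j in range(l)]
    pk = [chain(k, x, W - 1) for k in sk]
    return sk, pk

def ots_sign(sk, x, digits):
    """Signature on base-w digits d_j: sigma_j = f^{d_j}_{sk_j}(x).
    A full W-OTS also signs checksum digits; they are omitted here."""
    return [chain(k, x, d) for k, d in zip(sk, digits)]

def ots_pk_from_sig(sig, x, digits):
    """The OTS public key is recomputed from the signature by finishing
    each chain, so the verifier needs no separate OTS-PK."""
    return [chain(s, x, W - 1 - d) for s, d in zip(sig, digits)]

def period_keys(state0, x, l, periods):
    """Walk the FSPRG for several periods and return each period's OTS pk
    plus the state left on the card; that state no longer yields past seeds."""
    pks, state = [], state0
    for _ in range(periods):
        state, seed = fsprg_next(state)
        pks.append(ots_keygen(seed, x, l)[1])
    return pks, state
```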
XMSS – public key
Public key = ( , b0, b1, b2, h)
[Figure: Modified Merkle Tree [Dahmen et al., 2008] of height h; at every level the two child nodes are XORed with that level's bitmask (b0 at the leaves up to bh at the top) before being hashed with h, a second preimage resistant hash function. The public key consists of the bitmasks and h together with the root.]