W-OTS+ – Shorter Signatures for Hash-Based Signature Schemes. Andreas Hülsing. PowerPoint presentation (slide transcript).
24.06.2013 | TU Darmstadt | Andreas Hülsing | 1
W-OTS+ – Shorter Signatures for Hash-Based Signature Schemes
Andreas Hülsing
Digital Signatures are Important!
Software updates
E-Commerce
… and many others
What if…
IBM 2012: „…optimism about superconducting qubits and the possibilities for a future quantum computer are rapidly growing.“
Post-Quantum Signatures
Based on Lattice, MQ, Coding
Signature and/or key sizes
Runtimes
Secure parameters
Hash-based Signature Schemes [Merkle, Crypto'89]
Hash-based signatures are…
… not only “post-quantum”
… fast, also without HW-acceleration
… strong security guarantees
… forward secure
But… signature size ~2-3 kB
Hash-based Signatures
[Figure: Merkle tree. The leaves are the public keys of the one-time signature schemes (OTS); each inner node is the hash h of its two children; the root is the public key PK.]
SK
SIG = (i, , , , , )
Winternitz OTS [Merkle, Crypto‘89; Even et al., JoC‘96]
1. = f( )
2. Trade-off between runtime and signature size, controlled by parameter w
3. Minimal security requirements (PRF) [Buchmann et al., Africacrypt'11]
4. Used in XMSS & XMSS+ [Buchmann et al., PQ Crypto’11; Hülsing et al., SAC’12]
WOTS+
“Winternitz-Type” OTS
Security based on 2nd-preimage resistance, one-wayness & undetectability of function family, even for SU-CMA
Tight security reduction w/o collision resistance
Allows for more signature compression, i.e. greater w
XMSS with WOTS+
[Table: XMSS and XMSS+ on Infineon SLE78 [HBB12]]
Construction
WOTS+
Use function family F_n = { f_k : {0,1}^n → {0,1}^n | k ∈ {0,1}^{n'} }
Previous schemes used
For w ≥ 2 select R = (r_1, …, r_{w−1}) with r_i ∈ {0,1}^n
[Figure: function chain c^0(x) = x → c^1(x) → … → c^{w−1}(x); step i XORs r_i into the current value and applies f_k, i.e. c^i(x) = f_k(c^{i−1}(x) ⊕ r_i)]
WOTS+
Winternitz parameter w, security parameter n, message length m, function family F_n = { f_k : {0,1}^n → {0,1}^n | k ∈ {0,1}^n }
Key Generation: compute l, sample k ∈ {0,1}^n, sample R ∈ {0,1}^{n(w−1)}
[Figure: l function chains, each step labelled with r_i and f_k: c^0(sk_1) = sk_1 → c^1(sk_1) → … → pk_1 = c^{w−1}(sk_1), …, c^0(sk_l) = sk_l → c^1(sk_l) → … → pk_l = c^{w−1}(sk_l)]
WOTS+ Signature generation
M → b_1 b_2 b_3 b_4 … b_{l_1}; checksum C → b_{l_1+1} b_{l_1+2} … b_l
[Figure: chain i runs from c^0(sk_i) = sk_i to pk_i = c^{w−1}(sk_i); the signature value σ_i = c^{b_i}(sk_i) is the intermediate chain node at position b_i, for i = 1, …, l (σ_1 = c^{b_1}(sk_1), …, σ_l = c^{b_l}(sk_l))]
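As an added example (not code from the slides or from the author), a toy WOTS+ in Python covering key generation, signing and verification with the chain c^i(x) = f_k(c^{i−1}(x) ⊕ r_i), plus a check of the checksum property that the proof intuition on the later slides relies on (some position α with b*_α < b_α for M* ≠ M). The parameters n = 256, w = 16, m = 256 and the instantiation of f_k as SHA-256(k ‖ x) are assumptions made here for illustration.

```python
import hashlib, math, secrets

N = 32          # n = 256-bit security parameter, in bytes (assumed value)
W = 16          # Winternitz parameter w (assumed value)
M_BITS = 256    # message digest length m (assumed value)
LG_W = int(math.log2(W))
L1 = math.ceil(M_BITS / LG_W)                          # message digits
L2 = math.floor(math.log2(L1 * (W - 1)) / LG_W) + 1   # checksum digits
L = L1 + L2

def f(k, x):
    # keyed function f_k : {0,1}^n -> {0,1}^n, toy instance built from SHA-256 (assumption)
    return hashlib.sha256(k + x).digest()[:N]

def chain(x, start, steps, k, r):
    # advance x from chain position `start` by `steps`: c^i(x) = f_k(c^{i-1}(x) XOR r_i)
    # r[j] plays the role of r_{j+1}: the step from position j to j+1 uses r[j]
    for j in range(start, start + steps):
        x = f(k, bytes(a ^ b for a, b in zip(x, r[j])))
    return x

def base_w(msg):
    # digits b_1..b_l1 of the hashed message, then checksum C = sum(w-1-b_i) in base w
    v = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    b = [(v >> (LG_W * (L1 - 1 - i))) & (W - 1) for i in range(L1)]
    c = sum(W - 1 - bi for bi in b)
    return b + [(c >> (LG_W * (L2 - 1 - i))) & (W - 1) for i in range(L2)]

def keygen():
    k = secrets.token_bytes(N)
    r = [secrets.token_bytes(N) for _ in range(W - 1)]   # R = (r_1, ..., r_{w-1})
    sk = [secrets.token_bytes(N) for _ in range(L)]
    pk = [chain(s, 0, W - 1, k, r) for s in sk]          # pk_i = c^{w-1}(sk_i)
    return (k, r, sk), (k, r, pk)

def sign(secret, msg):
    k, r, sk = secret
    return [chain(sk[i], 0, b, k, r) for i, b in enumerate(base_w(msg))]  # sigma_i = c^{b_i}(sk_i)

def verify(public, msg, sig):
    k, r, pk = public
    b = base_w(msg)
    # finish each chain from position b_i and compare the end with pk_i
    return all(chain(sig[i], b[i], W - 1 - b[i], k, r) == pk[i] for i in range(L))

def some_digit_decreases(m1, m2):
    # the checksum forces some position alpha with b*_alpha < b_alpha for a second message,
    # so a forger cannot reuse a seen signature by walking every chain forward
    b1, b2 = base_w(m1), base_w(m2)
    return any(y < x for x, y in zip(b1, b2))
```

Each key pair signs exactly one message; signing a second message with the same sk leaks intermediate chain values, which is why the tree on the earlier slides is needed.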
Security Proof: Reduction
Main result
Theorem:
W-OTS+ is strongly unforgeable under chosen message attacks if F is a 2nd-preimage resistant, undetectable one-way function family
EU-CMA for OTS
[Figure: game between challenger and adversary. The adversary receives (PK, 1^n); the SIGN oracle holds SK; the adversary submits one message M and gets back (σ, M); it finally outputs (σ*, M*).]
Success if M* ≠ M and Verify(pk, σ*, M*) = Accept
Intuition
Oracle Response: (σ, M); M → (b_1, …, b_l)
Forgery: (σ*, M*); M* → (b_1*, …, b_l*)
Observations:
1. ∃ α ∈ {1, …, l} s.th. b*_α < b_α, because of checksum
2. c^{w−1−b*_α}(σ*_α) = pk_α = c^{w−1−b_α}(σ_α), because of verification
Adversary "quasi-inverted" chain c
[Figure: chain α from c^0(sk_α) = sk_α through σ_α (position b_α) to pk_α; the forged value σ*_α sits at the earlier position b*_α and chains to the same endpoint pk*_α = pk_α]
Intuition, cont‘d
Oracle Response: (σ, M); M → (b_1, …, b_l)
Forgery: (σ*, M*); M* → (b_1*, …, b_l*)
Observations: Adversary "quasi-inverted" chain c
Pigeon hole principle:
[Figure: chain α from c^0(sk_α) = sk_α through σ_α to pk_α, with the forger's chain from σ*_α drawn alongside (steps labelled r_i, f_k). Both chains end in pk_α, so there is a first position β ≥ b_α where they agree. If β = b_α the forger has computed a preimage of σ_α; otherwise the two differing inputs at β−1 map to the same value, a second-preimage for f_k.]
Conclusion
We …
… tightened the security proof
… → allows for smaller signatures
… (… achieve stronger security)
It makes sense to tighten security proofs!
Take Home Message:
Hash-based signatures are practical
Thank you!