
Hash-based Signatures IETF/IRTF CFRG Draft on XMSS Fraunhofer



  1. Hash-based Signatures
     IETF/IRTF CFRG Draft on XMSS
     Fraunhofer Workshop Series 01 – Post-Quantum Cryptography in Practice
     Speaker: Dr. Bernhard Jungk

  2. eXtended Merkle Signature Scheme

  3. eXtended Merkle Signature Scheme
     Why should we look into XMSS?
     Hash-based signatures have many advantages:
     • Based on well understood security notions
       » Cryptographic hash functions are hard to invert, also for quantum computers
       » Merkle trees well studied since the 1980s
     • Hash functions are well understood (especially after SHA-3 competition)
     • Fast signing and verification operations possible
     • Relatively easy to understand and implement

  4. eXtended Merkle Signature Scheme
     Why should we look into XMSS?
     XMSS is a promising candidate for
     • Applications with relatively low amount of signatures
     • One- or many-times firmware updates
     • Digital signatures for documents (e.g. contracts, email)
     • Long-term archival of important digital assets
     • PKI Certificates (e.g. Root CA)

  5. eXtended Merkle Signature Scheme
     Why should we look into XMSS?
     IRTF is part of IETF
     • Oriented towards research and long-term trends
     Important trend – PQC
     • Quantum computer attacks are likely
     • Design of replacements for traditional public key crypto
     Standardization needed
     • Interoperability
     • Implementation Guidelines

  6. eXtended Merkle Signature Scheme
     Our Contribution
     Implementation experience
     • Benchmarking against other schemes
     • Learn good trade-offs for different application scenarios, cost reductions, side-channels, etc.
     Target Platform: Hardware, i.e. FPGAs and ASICs
     Cooperation:
     • Yale University in New Haven, US
     • Fraunhofer SIT in Darmstadt, Germany
     • Fraunhofer Singapore

  7. Recap Winternitz One-Time Signatures

  8. Winternitz One-Time Scheme+
     Basic Principle – Public Key Generation
     (Diagram labels: Private Key, Public Seed, Chain 0 to Chain 3, Public Key)

  9. Winternitz One-Time Scheme+
     Basic Principle – Signature Generation
     (Diagram labels: Private Key, Public Seed, Chain 0 to Chain 3, Signature)

  10. Winternitz One-Time Scheme+
      Basic Principle – Signature Verification
      Output == Public Key?
      (Diagram labels: Public Seed, Chain 0 to Chain 3)

  11. Winternitz One-Time Scheme+
      Basic Principle
      Problem: Signer reveals how to sign other messages with the same key
      (Diagram labels: Seed, Chain 0 to Chain 3)

  12. Winternitz One-Time Scheme+
      Basic Principle
      Solution: Checksum
      (Diagram labels: Message, Checksum; Chain 0,0 to Chain 0,3; Chain 1,0 to Chain 1,3; Seed, Seed; SK0, SK1)

  13. Winternitz One-Time Scheme+
      Chaining Function for XMSS
      PRF – Pseudorandom function
      F – Keyed hash function
      (Diagram labels: Input, Seed, Hash Address, PRF, ‘Key’, ‘Mask’, F, Output)
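
The problem and the checksum fix from slides 11 and 12, as an added Python example that is not part of the presentation or the XMSS draft. It assumes a simplified chain step (SHA-256 over a position byte and the value, instead of the keyed F with PRF-derived key and mask); `advance` and `demo` are hypothetical helper names, and the message is a constructed sample.

```python
import hashlib, os

W, N = 16, 32          # w=16 as on the slides; N = SHA-256 output size in bytes
LEN1, LEN2 = 64, 3     # 64 message digits + 3 checksum digits = 67 chains

def chain(x, start, steps):
    # Walk one hash chain from position `start` for `steps` steps.
    # Assumption: SHA-256 over (position byte + value) replaces the keyed F and masks.
    for i in range(start, start + steps):
        x = hashlib.sha256(bytes([i]) + x).digest()
    return x

def msg_digits(msg):
    # Split the 256-bit message digest into 64 base-16 digits.
    return [n for b in hashlib.sha256(msg).digest() for n in (b >> 4, b & 15)]

def with_checksum(ds):
    # Checksum = steps remaining on the message chains (at most 64*15 = 960 < 16**3).
    c = sum(W - 1 - d for d in ds)
    return ds + [c >> 8, (c >> 4) & 15, c & 15]

def keygen(nchains=LEN1 + LEN2):
    sk = [os.urandom(N) for _ in range(nchains)]
    return sk, [chain(s, 0, W - 1) for s in sk]

def sign(sk, ds):
    return [chain(s, 0, d) for s, d in zip(sk, ds)]

def verify(pk, ds, sig):
    return len(ds) == len(pk) == len(sig) and all(
        chain(s, d, W - 1 - d) == p for s, d, p in zip(sig, ds, pk))

def advance(sig, old, new):
    # All a signature holder can do: hash chains forward, never backward.
    if any(n < o for o, n in zip(old, new)):
        return None
    return [chain(s, o, n - o) for s, o, n in zip(sig, old, new)]

def demo():
    ds = msg_digits(b"firmware v1")              # constructed sample message
    bumped = [min(d + 1, W - 1) for d in ds]     # digit vector with every digit >= ds
    sk, pk = keygen(LEN1)                        # variant without checksum chains
    derived = advance(sign(sk, ds), ds, bumped)
    accepted_without = derived is not None and verify(pk, bumped, derived)
    sk, pk = keygen()                            # 67 chains, checksum included
    sig = sign(sk, with_checksum(ds))
    valid = verify(pk, with_checksum(ds), sig)
    blocked = advance(sig, with_checksum(ds), with_checksum(bumped)) is None
    return accepted_without, valid, blocked
```

Raising any message digit lowers the checksum value, so at least one checksum chain would have to be walked backward, which is why `advance` fails once the three checksum chains are signed as well.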

  14. eXtended Merkle Signature Scheme

  15. eXtended Merkle Signature Scheme
      L-Tree – Public Key Generation
      (Diagram labels: Compressed WOTS+ Public Key; PK0 to PK8)

  16. eXtended Merkle Signature Scheme
      XMSS Tree – Public Key Generation
      Tree height h=3
      Up to 2^3 = 8 signature generations
      (Diagram labels: XMSS Public Key; eight L-Trees)

  17. eXtended Merkle Signature Scheme
      The Complete Picture – Public Key Generation
      (Diagram labels: XMSS Public Key; 2^h times; SK0 to SK8)

  18. eXtended Merkle Signature Scheme
      rand_hash
      PRF – Pseudorandom function
      H – Keyed hash function
      (Diagram labels: Left, Right, Seed, Hash Address, PRF, ‘Key’, ‘Mask0’, ‘Mask1’, H, Output)

  19. eXtended Merkle Signature Scheme
      Signature Generation – Message 1
      (Diagram legend: WOTS+ Signature; Merkle Tree Authentication Path; Node to be computed. Labels: SK0 to SK8)

  20. eXtended Merkle Signature Scheme
      Signature Generation – Message 1
      (Diagram labels: SK0 to SK8)

  21. eXtended Merkle Signature Scheme
      Signature Generation – Message 2
      (Diagram legend: WOTS+ Signature; Merkle Tree Authentication Path; Node to be computed. Labels: SK9 to SK17)

  22. eXtended Merkle Signature Scheme
      Signature Verification – Message 2
      Output == XMSS Public Key?
      (Diagram legend: WOTS+ Signature; Merkle Tree Authentication Path; Node to be computed)
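
The Merkle tree authentication path from slides 19 to 22, as an added Python example that is not part of the presentation or the XMSS draft. It assumes plain SHA-256 for inner nodes instead of the keyed and masked rand_hash of slide 18, and uses constructed leaf values in place of the L-Tree outputs; all function names are hypothetical.

```python
import hashlib

def node(left, right):
    # Assumption: plain SHA-256 replaces the keyed, masked rand_hash of slide 18.
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_tree(leaves):
    # levels[0] = leaves, levels[-1] = [root]; the leaf count must be 2**h.
    # Keeping every level is the "more caching" end of the trade-off.
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([node(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def auth_path(levels, index):
    # Signer side: the sibling of the leaf-to-root path node on each level.
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])
        index >>= 1
    return path

def root_from_path(leaf, index, path):
    # Verifier side: recompute the root from the leaf, its index and h siblings.
    cur = leaf
    for sibling in path:
        cur = node(sibling, cur) if index & 1 else node(cur, sibling)
        index >>= 1
    return cur

def demo(h=3):
    # Constructed leaves standing in for the 2**h compressed WOTS+ public keys.
    leaves = [hashlib.sha256(b"wots-pk-%d" % i).digest() for i in range(2 ** h)]
    levels = build_tree(leaves)
    root = levels[-1][0]                      # plays the role of the XMSS public key
    path = auth_path(levels, 5)
    good = root_from_path(leaves[5], 5, path) == root
    wrong_index = root_from_path(leaves[5], 4, path) == root
    wrong_leaf = root_from_path(leaves[4], 5, path) == root
    return len(path), good, wrong_index, wrong_leaf
```

The verifier needs only the leaf, its index and h sibling hashes, so the check costs h node hashes regardless of how many leaves the tree has.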

  23. Performance Estimates

  24. Performance Consideration
      Public Key Generation – WOTS+
      IRTF Parameters: WOTS+ chain length w=16; Merkle tree height h=10, h=16, or h=20; 256 Bit Hashes (e.g. SHA-256)
      (Diagram labels: SK9 to SK17)

  25. Performance Consideration
      Public Key Generation – WOTS+ (IRTF parameters as on slide 24)
      3 Hash Function Calls

  26. Performance Consideration
      Public Key Generation – WOTS+ (IRTF parameters as on slide 24)
      3*w = 48 Hash Function Calls

  27. Performance Consideration
      Public Key Generation – WOTS+ (IRTF parameters as on slide 24)
      48*67 = 3216 Hash Function Calls

  28. Performance Consideration
      Public Key Generation – WOTS+ (IRTF parameters as on slide 24)
      3216*2^h Hash Function Calls (2^h times)

  29. Performance Consideration
      Public Key Generation – L-Tree (IRTF parameters as on slide 24)
      4 Hash Function Calls

  30. Performance Consideration
      Public Key Generation – L-Tree (IRTF parameters as on slide 24)
      4*65 = 268 Hash Function Calls

  31. Performance Consideration
      Public Key Generation – L-Tree (IRTF parameters as on slide 24)
      260*2^h Hash Function Calls (2^h times)

  32. Performance Consideration
      Public Key Generation – XMSS (IRTF parameters as on slide 24)
      4*(2^h - 1) = 4*2^h - 4 Hash Function Calls

  33. Performance Consideration
      Public Key Generation – XMSS (IRTF parameters as on slide 24)
      3480*2^h - 4 Total Hash Function Calls

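  34. Performance Consideration

      | Hash Function Calls    | h=10      | h=16        | h=20          |
      |------------------------|-----------|-------------|---------------|
      | Signatures             | 1024      | 65,536      | 1,048,576     |
      | Public Key Generation  | 3,563,520 | 228,065,280 | 3,649,044,480 |
      | Signature Generation   | ~5,560    | ~263,684    | ~4,195,828    |
      | Signature Verification | ~1,908    | ~1,932      | ~1,948        |

  35. Performance with SHA-256

      |                       | h=10                     | h=16                | h=20                 |
      |-----------------------|--------------------------|---------------------|----------------------|
      | Signatures            | 1024                     | 65,536              | 1,048,576            |
      | Public Key Generation | 423,099,648 clock cycles | 27*10^9 clock cycles | 434*10^9 clock cycles |
      | With 400 MHz          | < 1.1 s                  | < 70 s              | < 1085 s             |
      | Sign                  | < 2 ms                   | < 70 ms             | < 1 s                |
      | Verify                | < 1 ms                   | < 1 ms              | < 1 ms               |

  36. Performance with SHA-3

      |                       | h=10                    | h=16               | h=20                |
      |-----------------------|-------------------------|--------------------|---------------------|
      | Signatures            | 1024                    | 65,536             | 1,048,576           |
      | Public Key Generation | 79,159,200 clock cycles | 5*10^9 clock cycles | 81*10^9 clock cycles |
      | With 400 MHz          | < 200 ms                | < 12.5 s           | < 203 s             |
      | Sign                  | < 1 ms                  | < 12.5 ms          | < 200 ms            |
      | Verify                | < 1 ms                  | < 1 ms             | < 1 ms              |

  37. Comparison with ECC
      FPGA Implementation Estimates (Virtex-5)

      |                       | Ed25519 | XMSS-SHA3 h=10 |
      |-----------------------|---------|----------------|
      | Public Key Generation | < 1 ms  | < 200 ms       |
      | Sign                  | < 1 ms  | < 1 ms         |
      | Verify                | < 2 ms  | < 1 ms         |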

  38. Optimisations and Trade-Offs
      Parallelization and Caching
      • Parallelization
        • WOTS+ trivial to compute in parallel
        • L-Tree and XMSS more difficult to parallelize
      • More/Less Caching
        • More caching of XMSS for authentication path (costs more memory)
          → Improves the signing performance
        • Less caching to save memory
          → In the worst case, signing almost as slow as public key generation
          → Useful for lightweight applications with low memory

  39. Thank you for your attention!
