
IMES FPGA-BASED ACCELERATOR FOR POST-QUANTUM SIGNATURE SCHEME SPHINCS-256. Dorian Amiet (1), Andreas Curiger (2) and Paul Zbinden (1). (1) HSR Hochschule für Technik, Rapperswil, Switzerland; (2) Securosys SA, Zürich, Switzerland. CHES 2018, 12.09.2018


  1. IMES FPGA-BASED ACCELERATOR FOR POST-QUANTUM SIGNATURE SCHEME SPHINCS-256. Dorian Amiet (1), Andreas Curiger (2) and Paul Zbinden (1). (1) HSR Hochschule für Technik, Rapperswil, Switzerland; (2) Securosys SA, Zürich, Switzerland. CHES 2018, 12.09.2018

  2. Quantum Computer Progress www.qubitcounter.com

  3. Impact on Current Algorithms

     | Function | Algorithm | Key length / hash length (bits) | Security level, classical (bits) | Security level, quantum (bits) | Quantum algorithm |
     |---|---|---|---|---|---|
     | PKI: Signing, Key Exchange.... | RSA-3072 | 3072 | 128 | 0 | Shor |
     | PKI: Signing, Key Exchange.... | ECC-256 | 256 | 128 | 0 | Shor |
     | Symmetric Encryption | AES-128 | 128 | 128 | 64 | Grover |
     | Symmetric Encryption | AES-256 | 256 | 256 | 128 | Grover |
     | Hash | SHA-256 | 256 | 256 | 128 | Grover |
     | Hash | SHA3-512 | 512 | 512 | 256 | Grover |

  4. Agenda
     - Hash-based signatures
     - OTS (one-time signature)
     - Merkle trees
     - SPHINCS-256
     - SPHINCS-256 FPGA implementation
     - Adjustments to SPHINCS+
     - SPHINCS+ FPGA implementation (New, unpublished results!)
     - Performance results

  5. Post-Quantum Signature Algorithms…
     - …enable secure signing while an adversary has a quantum computer
     - Several approaches:
       - Lattice-based
       - Code-based
       - Supersingular isogeny
       - Others

  6. Post-Quantum Signature Algorithms…
     - …enable secure signing while an adversary has a quantum computer
     - Several approaches:
       - Lattice-based
       - Code-based
       - Supersingular isogeny
       - Others
     - All signing protocols need a hash function (message digest)

  7. Post-Quantum Signature Algorithms…
     - …enable secure signing while an adversary has a quantum computer
     - Several approaches:
       - Lattice-based
       - Code-based
       - Supersingular isogeny
       - Others
     - All signing protocols need a hash function (message digest)
     - Hash based signature schemes
       - Security relies on hardness of (second-) pre-image attack
       - Cryptanalysis: Hash functions are very well analyzed and understood
       - If hash functions are broken, all signing protocols are broken
     - => Simply the most conservative choice in terms of security

  8. Lamport One-Time Signature (OTS). Example: OTS with 256 bit security
     1. Generate 2x256 random numbers, each 256 bits long
        - $X_{0,0}, X_{0,1}, X_{2,0}, \dots, X_{255,1}$
        - $X_{i,j}$ = private key

     Figure: key table with columns rand 0 and rand 1; row $i$ holds $X_{i,0}$ and $X_{i,1}$ for $i = 0, \dots, 255$.

  9. Lamport One-Time Signature (OTS). Example: OTS with 256 bit security
     1. Generate 2x256 random numbers, each 256 bits long
        - $X_{0,0}, X_{0,1}, X_{2,0}, \dots, X_{255,1}$
        - $X_{i,j}$ = private key
     2. Calculate all digests from random numbers
        - $Y_{0,0} = h(X_{0,0}),\ Y_{0,1} = h(X_{0,1}),\ \dots,\ Y_{255,1} = h(X_{255,1})$
        - $Y_{i,j}$ = public key

     Figure: key table with columns rand 0, h(rand 0), rand 1 and h(rand 1); row $i$ holds $X_{i,0}$, $Y_{i,0}$, $X_{i,1}$ and $Y_{i,1}$ for $i = 0, \dots, 255$.

  10. Lamport One-Time Signature (OTS). Example: OTS with 256 bit security
      1. Generate 2x256 random numbers, each 256 bits long
         - $X_{0,0}, X_{0,1}, X_{2,0}, \dots, X_{255,1}$
         - $X_{i,j}$ = private key
      2. Calculate all digests from random numbers
         - $Y_{0,0} = h(X_{0,0}),\ Y_{0,1} = h(X_{0,1}),\ \dots,\ Y_{255,1} = h(X_{255,1})$
         - $Y_{i,j}$ = public key

      Sign:
      1. Calculate digest from message: $d = h(m)$
      2. For $i = 0$ to $255$:
         - If $d_i = 0$, then $v_i \leftarrow X_{i,0}$
         - Else $v_i \leftarrow X_{i,1}$

      Example: $h(m)$ = 0b010…1 => Signature(m) = $(X_{0,0}, X_{1,1}, X_{2,0}, \dots, X_{255,1})$

      Figure: key table with columns rand 0, h(rand 0), rand 1 and h(rand 1); row $i$ holds $X_{i,0}$, $Y_{i,0}$, $X_{i,1}$ and $Y_{i,1}$ for $i = 0, \dots, 255$.

  11. W-OTS+: Shorter Signatures for Hash-Based Signature Schemes
      - Sign a few bits per random number
      - Increases processing time
      - Decreases key and signature sizes

  12. W-OTS+
      - + Signature system whose security is based only on the security of the hash function
      - + Quantum secure
      - + Very fast
      - – One signature per key pair

  13. Merkle Tree
      - Public key for 4 signatures
      - $N_{1,1} = h(N_{2,0} \,\|\, N_{3,0})$
      - $N_{3,0} = h(Y_3)$
      - 4 W-OTS+ key pairs

  15. Merkle Tree
      - + Signature system whose security is based only on the security of the hash function
      - + Quantum secure
      - + Fast operations
      - – State-based => Check-list required: Which W-OTS+ key pairs (leaves of the tree) are already used?

  16. SPHINCS
      - Make a hyper-tree (tree of trees)
        - Increases number of leaves dramatically
      - Use a FTS (few-time signature) at bottom layer instead of OTS
      - Choose starting point at random

  17. SPHINCS
      - Make a hyper-tree (tree of trees)
        - Increases number of leaves dramatically
      - Use a FTS (few-time signature) at bottom layer instead of OTS
      - Choose starting point at random
      - => Stateless, practical, hash-based, incredibly nice cryptographic signatures (SPHINCS)

      Source: https://sphincs.cr.yp.to/

  18. SPHINCS-256 Operation Count

      | Function | Signing: Start | Signing: HORST | Signing: WOTS | Signing: Overhead | Signing: Total | Verification: Total |
      |---|---|---|---|---|---|---|
      | BLAKE-256 | 0 | 1 | 384 | 12 | 397 | 0 |
      | ChaCha12 | 0 | 32,768 | 13,056 | 408 | 46,232 | 0 |
      | π ChaCha | 0 | 193,410 | 437,352 | ≈9000 | 640,000 | ≈9000 |
      | BLAKE-512 | 2 | 0 | 0 | 0 | 2 | 1 |

  19. SPHINCS-256 Core Top

  20. Simple Power Analysis

  21. SPHINCS+
      - Submitted to the NIST post-quantum project
      - Some adjustments to SPHINCS-256
        - Few-Time signature is now more efficient (security, processing time, signature size)
        - Change underlying hash function
        - Masks are generated (PRNG) => reduces key sizes
      - Several instances
        - Security level 1, 3, and 5 (≙ 128, 192, and 256 bit)
        - Different hash functions
          - SHAKE-256 (SHA-3)
          - SHA-256
          - Haraka
        - Always a fast (larger signature) and a small (slower processing) version

  22. SPHINCS+ Core Top. N = 128, 192, or 256

  23. Performance Results

      | Instance | Signature [KByte] | LUT | FF | BRAM | Sign [clks] | Clock [MHz] | T sign [ms] | T verify [ms] |
      |---|---|---|---|---|---|---|---|---|
      | SPHINCS-256 | 40 | 19k | 38k | 36 | 805k | 525 | 1.53 | 0.07 |
      | SPHINCS+-SHAKE256-128s | 7.9 | 49k | 73k | 15.5 | 5,275k | 300* | 17.58 | 0.09 |
      | SPHINCS+-SHAKE256-128f | 16.6 | 47k | 73k | 15.5 | 410k | 300* | 1.37 | 0.19 |
      | SPHINCS+-SHAKE256-192s | 16.7 | 50k | 74k | 22.5 | 9,569k | 300* | 31.90 | 0.12 |
      | SPHINCS+-SHAKE256-192f | 34.8 | 50k | 74k | 22.5 | 530k | 300* | 1.77 | 0.25 |
      | SPHINCS+-SHAKE256-256s | 29.1 | 50k | 76k | 30 | 9,025k | 300* | 30.08 | 0.17 |
      | SPHINCS+-SHAKE256-256f | 48 | 52k | 76k | 30 | 1,169k | 300* | 3.90 | 0.28 |

      LUT, FF and BRAM are FPGA resources.
      *Clock frequency of SHAKE-256 pipeline runs at 600 MHz
      All results are related to Xilinx Kintex-7 device (XC7K325T-2)

  24. Performance Comparison

  25. Summary
      - FPGA Implementation SPHINCS-256
        - >600 sign/s, >15000 verifications/s for SPHINCS-256
      - FPGA Implementation SPHINCS+-SHAKE256-128f
        - >700 sign/s, >5000 verifications/s for
      - SPA: Protected
      - DPA: Robust
        - We tried hard, but could not extract any key bits.

  26. Thank you. This work was supported by Innosuisse

  27. Why is SPHINCS+ slower than SPHINCS-256?
      - Factor two is lost due to the mask computation
      - The hash function SHAKE-256 needs more computational effort than ChaCha12
      - L-tree computation is faster than the calculation of SHAKE-256 with a long input.
        - The latter holds only for our highly pipelined FPGA implementation and is caused by pipeline stalls.

  28. Implementation Results
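
Added example for slides 8 to 10 (Lamport OTS), not part of the original presentation: key generation, signing and verification as the slides describe them, plus a count of how many private values leak when one key pair signs more than once. SHA-256 standing in for `h`, the bit order of `d` and all function names are assumptions of this example.

```python
import hashlib
import secrets

N = 256  # digest length in bits, as in the slide's example

def h(data: bytes) -> bytes:
    # SHA-256 stands in for the slides' generic hash h (assumption)
    return hashlib.sha256(data).digest()

def keygen():
    # Step 1: private key X[i][j], 2 x 256 random 256-bit values
    X = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(N)]
    # Step 2: public key Y[i][j] = h(X[i][j])
    Y = [[h(x0), h(x1)] for x0, x1 in X]
    return X, Y

def digest_bits(message: bytes):
    d = h(message)
    # d_0 is taken as the most significant bit of the first byte (assumption)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]

def sign(X, message: bytes):
    # v_i <- X[i][0] if d_i = 0, else X[i][1]
    return [X[i][b] for i, b in enumerate(digest_bits(message))]

def verify(Y, message: bytes, sig) -> bool:
    if len(sig) != N:
        return False
    ok = True
    for i, b in enumerate(digest_bits(message)):
        # Each revealed value must hash to the public value selected by d_i
        ok &= secrets.compare_digest(h(sig[i]), Y[i][b])
    return ok

def revealed_after(messages) -> int:
    # Number of the 512 private values disclosed if every message
    # in `messages` is signed with the same key pair
    seen = set()
    for m in messages:
        seen.update((i, b) for i, b in enumerate(digest_bits(m)))
    return len(seen)
```

One signature discloses exactly 256 of the 512 private values; a second signature under the same key discloses more, which is why the scheme is one-time.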

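
Added example for slides 13 to 15 (Merkle tree), not part of the original presentation: it builds the tree over four one-time public keys with the slide's indexing (`levels[k][i]` is $N_{i,k}$), checks an authentication path against the root, and keeps the check-list of used leaves that makes the scheme stateful. SHA-256 standing in for `h`, the constructed placeholder leaf keys, the power-of-two leaf count and all names are assumptions of this example.

```python
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()  # stand-in for the slides' h (assumption)

def build_tree(leaf_pks):
    # levels[0][i] = N_{i,0} = h(Y_i); levels[k][i] = h(left child || right child)
    # Assumes the number of leaves is a power of two
    levels = [[h(y) for y in leaf_pks]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([h(prev[i] + prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels  # levels[-1][0] is the root, i.e. the public key

def auth_path(levels, index):
    # Sibling node on every level from the leaf up to just below the root
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])
        index >>= 1
    return path

def root_from_path(leaf_pk, index, path):
    # Verifier side: recompute the root from one leaf key and its path
    node = h(leaf_pk)
    for sibling in path:
        node = h(sibling + node) if index & 1 else h(node + sibling)
        index >>= 1
    return node

class LeafState:
    """Check-list of used one-time key pairs (leaves of the tree)."""
    def __init__(self, n_leaves):
        self.used = [False] * n_leaves

    def reserve(self):
        # A real signer must store this update durably before releasing
        # the signature, otherwise a restart can reuse a leaf
        for i, taken in enumerate(self.used):
            if not taken:
                self.used[i] = True
                return i
        raise RuntimeError("all one-time key pairs are used")

# Constructed placeholder values for the four W-OTS+ public keys Y_0..Y_3
SAMPLE_PKS = [bytes([i]) * 32 for i in range(4)]
```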