Efficient Implementation of Hash-Sequence Signatures Ahto Truu, - PowerPoint PPT Presentation

Efficient Implementation of Hash-Sequence Signatures Ahto Truu, Guardtime AS / Tallinn University of Technology This is joint work with Ahto Buldas and Risto Laanoja The presenter has received the Skype and IT Academy PhD Student’s Scholarship for the academic year 2015/16, funded by Estonian Information Technology Foundation and Skype Technologies OÜ January 29, 2016 Estonian Computer Science Theory Days at Käo 1 Introduction to BLT

Quantum Computers • Most current signature systems will become • Quantum Cryptography inherently insecure with the arrival of quantum • Solutions that take advantage of quantum effects computers • Mostly theoretical research for now, as no general- • Each user has a private signing key and a purpose quantum computers are available corresponding public verification key • Only quantum key distribution possible in practice • The two keys are mathematically related • Post-Quantum Cryptography • Using that relationship to derive the private key from the public one requires solving a problem that • Solutions that can be run on classical computers, is intractable for classical computers but are resistant to attacks by quantum computers • However, the derivation would be relatively easy • Our work falls to this category with a quantum computer 2 Introduction to BLT

Adding Non-Repudiation to KSI • Keyless data signatures (hash-linked time-stamps) • Repudiation are quantum-resistant, but lack non-repudiation • Disowning your signature and consequently • KSI is based on one-way hash functions which are denying your responsibility for it not reversible even by quantum computers (at least • Non-repudiation according to current knowledge of their capabilities) • Property of a signature system that prevents this • However, a client could contest a signature by denial by a signer claiming server created it without client’s request • Usually achieved by designing the system so that • Because the client-server communication in KSI is creation of the signature needs something no-one authenticated in symmetric manner, neither client else beside the signer has access to nor server can prove their claims to a third party • Then the existence of the signature means the • For many use cases, non-repudiation is needed signer must have participated in the signing 3 Introduction to BLT

Hash Functions • One-way functions that take arbitrarily-sized data as input and generate unique fixed-size bit sequences as output • Preimage resistance Given Y, infeasible to find X such that H(X)=Y • Second preimage resistance Given X, infeasible to find X’≠X such that H(X’)=H(X) • Collision resistance Infeasible to find X 1 ≠X 2 such that H(X 1 )=H(X 2 ) • Hash values often used as representatives of data when the data is too large or confidential to handle directly 4 Introduction to BLT

Message Authentication Codes • Hash functions can authenticate messages • However… • Sender and recipient pre-agree on a secret key K • Even though hash functions are one-way, the process is symmetric for sender and recipient • To send a message M, sender • Recipient, also knowing the key, can make up any • Computes X=H(M,K) message and compute an authentication code indistinguishable from what would have been • Sends (M,X) computed by the sender • Recipient, knowing K • Sender can use the above to deny messages it • Computes H(M,K) from received M actually did send • If the result matches received X, M is from sender • Neither party could prove their claims or disprove the claims of the other to a third party • An attacker who wants to send M’ would need to also send matching X’, but can’t do this without knowing K 5 Introduction to BLT

Using Time to Break Symmetry • To commit a set of time-bound keys, sender • To either verify the message for itself or to prove it to a third party, recipient • Generates a key sequence K[N]=random, K[i-1]=H(K[i]) for i=N..1 • Verifies that S correctly signs H(M,K[i]) • Publishes K[0] along with a starting time T, but • Uses iterated hashing to check that K[i] is indeed keeps the remaining keys secret i-th member of the sender’s key sequence • To sign a message M at time T+i, sender • Uses S to check that K[i] was indeed used at the designated time T+i and not later • Computes X=H(M,K[i]) • It is safe for sender to reveal K[i] as part of the • Gets KSI signature S (time-stamp) on X signature, as its time slot has passed and it can’t be used for signing any further messages • Sends (M,K[i],S) 6 Introduction to BLT

Hash Trees • Binary trees of hash values • Input hash values in leaves • Each parent is the hash of the concatenation of the child values R N0 N1 N00 N01 N10 N11 L000 L001 L010 L011 L100 L101 L110 L111 7 Introduction to BLT

Hash Chains L N1 R N00 • Proof of participation of a leaf in L L011 the tree • Re-computation of the values on the path from the leaf to the root R R • Needs only the sibling values and concatenation order, taking log 2 (N) steps for N leaves N0 N1 N0 N1 N00 N01 N10 N11 N00 N01 L000 L001 L010 L011 L100 L101 L110 L111 L010 L011 8 Introduction to BLT

More Efficient Commitments • To commit a set of time-bound keys, sender • To either verify the message for itself or to prove it to a third party, recipient • Generates a key sequence K[1..n] • Verifies that S correctly signs H(M,K[i]) • Builds a hash tree on top of the sequence • Uses C to check that K[i] is indeed i-th member of • Publishes the root hash R of the tree along with a the sender’s key sequence starting time T, but keeps the keys secret • Uses S to check that K[i] was indeed used at the • To sign a message M at time T+i, sender designated time T+i and not later • Computes X=H(M,K[i]) • It is safe for sender to reveal K[i] as part of the signature, as its time slot has passed and it can’t be • Gets KSI signature (time-stamp) S on X used for signing any further messages • Sends (M,K[i],S,C), where C is the hash chain connecting K[i] to R 9 Introduction to BLT

More Efficient Evidence Extraction • Need to walk the key sequence in reverse order • Quite efficient signing • Keep all the keys, O(N) memory • O(log 2 (N)) memory to keep the key material, of which only O(log(N)) is really secret • Re-compute each key from the seed, O(N) time • O(log 2 (N)) time to extract the next key and the • Keep a few intermediate values (pebbles) corresponding hash chain • Can get by with O(log(N)) memory and O(log(N)) • Very efficient verification computation time per reverse step • O(log(N)) signature size • We generalize the technique to hash trees • O(log(N)) time to verify the hash chain • Keep O(log(N)) hash chains, for total O(log 2 (N)) memory and O(log 2 (N)) computations per step 10 Introduction to BLT

Optimizing Memory Requirements • Sparse global sequence • Dense local sequences whose keys are generated on the fly and roots signed with keys from the global sequence • Reduces memory requirement to approximately half of the original 11 Introduction to BLT

Servers vs Personal Signing Devices • The protocol as described so far Server-type signatures Client-type signatures is suitable for servers that create • The signing device is always on • The signing device may be a lot of signatures and have and has access to reliable time powered only intermittently, may accurate clocks and no security lack independent communication breaches; personal computers • Most efficient to pre-assign each channels and reliable clock are nothing like that key to a specific time slot • Most efficient to use server- • Personal signing keys are rarely • Multiple items could be signed supported protocol that ensures used and for security reasons with a single key within that time each key is used at most once are often managed in dedicated slot devices like smart cards or dongles 12 Introduction to BLT

Server-Supported One-Time Keys • Both client and server keep track of used keys • To save space, instead of full signatures, hashed sequence of signing times can be kept • When client wants to sign with key K[i] • If K[i] is used at time T[i], then instead of (X,i,ID), • Computes X=H(M,K[i]) server signs (Y[i-1],X,i,ID), where Y[j] summarizes the sequence of signing times: Y[j]=H(Y[j-1],T[j]) • Sends to server (X,i,ID) • To further save space on the client, if the server is • Server responds with a signature on (X,i,ID) to obligated to keep the full time list, the client only need confirm that K[i] has not been used before to keep the last signature • To keep each other honest, both client and server • This indirectly protects the whole sequence of keep list of those signed confirmations signing times 13 Introduction to BLT