Efficient Quantum-Immune Keyless Signatures with Identity
Risto Laanoja
Tallinn University of Technology / Guardtime AS, May 17, 2014, Estonian CS Theory Days at Narva-Jõesuu

TL;DR: Built a practical signature scheme without modular
We want to introduce identities to linking-based cryptographic time-stamping. It is possible to insert edge server identities into the signed data/hash tree, e.g. in the case of a static Merkle tree the shape points to an “entry point” into this tree. The server may authenticate clients and add their identities as metadata. This works, but we lack non-repudiation: the server must be blindly trusted to
We must use some secrets, known only to clients, so that later it is possible to prove that only someone in possession of a particular secret is able to create a particular signature.
PKI is a mature field – there are few successful deployments like
The RSA signature algorithm is ubiquitous and reasonably efficient. If key / signature size is an issue then elliptic-curve based cryptography is a good alternative. For long-term digital signatures with non-repudiation we need the following trusted services:
Each of these services uses trusted time and (RSA) secret keys; the security of those is critical.
these secrets leak.
must be invalid.
key was valid at this point of time.
– Signature itself
– Signing certificate
– All intermediate certificates up to the root CA, which is expected to be pre-distributed
– Cryptographic time-stamp with signing time and everything necessary to validate it (certificates!)
– OCSP response or CRL
If the signature is archived for the long term then repeated re-encapsulation using an archival time-stamp is necessary.
steps)
– We must use 1.5 times larger hash functions.
Good post-quantum-computer candidates (based on available information): NTRU, hash-based signature schemes.
new public key.
Goal: protect the integrity of data and provide the time when the data was “first seen”. Hash-and-publish mechanism: data items are hashed into some data structure, then the hash value covering all items is published in a widely witnessed medium like a printed newspaper. A Merkle tree is a good candidate for such a data structure. Leaves (document hashes) are paired and hashed recursively, then the root r is published. For each leaf it is possible to extract a compact hash chain which is sufficient for proving that this leaf participated in computing the root. This technique is proven to be secure against back-dating, assuming collision-freeness and
before signing (time-stamping), then it is not possible to change it later without breaking the signature.
(time-stamping) server, and the client ID added as metadata, we get a useful signature scheme (minus non-repudiation)
hierarchical hash-tree aggregation
Motivation:
History:
lightweight signing
public-key crypto, authenticates (lightweight) clients using one-time passwords
servers to do public key cryptography
The biggest problem with server-based digital signatures is too much trust in servers. But:
One-time hash passwords (Lamport 1981):
$z_\ell \leftarrow \{0,1\}^n$, $z_i \leftarrow h(z_{i+1})$ for $i \in \{\ell-1, \ell-2, \ldots, 0\}$
Lamport’s one-time-password scheme has either
Neither extreme is exactly efficient. Naive optimization: mark a few elements with “pebbles”, retain their values and use them as starting points. If N pebbles are evenly distributed then the worst case is O(ℓ/N) hash computations per key.
Jakobsson (2002): a traversal algorithm which amortizes h() computations: O(log ℓ) memory and O(log ℓ) hashing steps to output a key (preimage). Pebbles are placed at positions $2^j$, $j = 1..\lfloor \log \ell \rfloor$; preimages are extracted from the left. When a pebble is reached it jumps next to another one, and the leftover computations at each step are used to move it gradually into position between its neighbors.
traversal”: if the hash chain length is $\ell = 2^k$ then storage is $k + \lceil \log(k+1) \rceil$ and computation is $\lfloor k/2 \rfloor$ hashings per preimage.
binary pebbling”, general framework and algorithms (optimal traversal is depicted at right, time goes ↓)
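The naive pebbling trade-off described above, instrumented to count hash calls, as an added example (not code from the talk or the paper; the class and function names are this example's own). The chain is generated exactly as in Lamport's scheme, every (ℓ/N)-th value is kept as a pebble, and a key z_i is recomputed from the nearest pebble at or above i:

```python
import hashlib, os

def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

class PebbledChain:
    """Chain z_l <- random, z_i = h(z_{i+1}); keys z_1, z_2, ... are released left to right."""
    def __init__(self, length: int, pebbles: int, seed: bytes = None):
        self.l, self.hashes = length, 0
        z = seed or os.urandom(32)                  # z_l; fixed seed only for reproducible tests
        self.pebbles = {length: z}                  # position -> retained value
        step = max(1, length // pebbles)            # N pebbles evenly spaced
        for i in range(length - 1, 0, -1):          # one full pass over the chain at setup
            z = h(z)
            if i % step == 0: self.pebbles[i] = z   # keep every step-th value as a pebble
        self.z0 = h(z)                              # public commitment z_0 = h(z_1)

    def key(self, i: int) -> bytes:
        """Return z_i from the nearest pebble at or above i; drop pebbles that are no longer needed."""
        p = min(q for q in self.pebbles if q >= i)
        z = self.pebbles[p]
        for _ in range(p - i):                      # at most step - 1 hashes: the O(l/N) worst case
            z = h(z); self.hashes += 1
        for q in [q for q in self.pebbles if q < i]:
            del self.pebbles[q]                     # keys below i are already released
        return z

def worst_case(length: int, pebbles: int) -> int:
    """Largest number of hash calls any single key costs, measured over the whole chain."""
    c = PebbledChain(length, pebbles, seed=b"\x00" * 32)   # constructed seed
    worst, before = 0, 0
    for i in range(1, length + 1):
        c.key(i)
        worst, before = max(worst, c.hashes - before), c.hashes
    return worst
```

With ℓ = 64 and N = 8 the measured worst case is 7 hashes per key; N = ℓ stores everything and costs 0, N = 1 stores one value and costs 63.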
One-time keys work great if there are only two parties:
Missing components so far:
disclosing the key earlier.
The idea was first introduced in the TESLA protocol (2002), in an authentication context.
Signing a document M at time t = t_0 + i:
Now, the signature for M is (ID, i, z_i, c_i, S_t), where c_i is the compact proof for validating z_i (details in a moment) and z_i is the i-th element of the key hash chain. Verifying the signature with certificate (ID, z_0, r, t_0, IDs):
Signature size and verification time complexities of O(ℓ) are not acceptable. Therefore we introduce a hash-tree data structure: the root r is published as part of the certificate, and the compact proof of participation c_i is the data necessary to re-compute the hash chain from z_i to r. Let’s look at z_1: here c_1 = (z_2, r_34), which means that we have to disclose z_2 too early. The same happens if the tree is not balanced at the right.
An extra hashing step avoids disclosing values: instead of z_2, r_2 = h(z_2) is published in c_1 (not even necessary, because z_1 = r_2).
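The whole scheme end to end, as an added example (not code from the talk, the paper or Guardtime): the Lamport key chain, the key tree built over the hashed leaves r_i = h(z_i) so that c_i never discloses a future key, and signing/verification against a hash-and-publish time-stamp. The StampService class is a constructed stand-in that aggregates each second's requests into a Merkle tree and publishes the root; all names are this example's own.

```python
import hashlib, os

L = 8                                     # chain length: constructed toy size, one one-time key per second

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def merkle(leaves):
    """Root and, for each leaf, its compact hash chain [(sibling, sibling_is_right), ...]."""
    chains, level = [[] for _ in leaves], list(leaves)
    groups = [[i] for i in range(len(leaves))]        # which leaves sit under each node
    while len(level) > 1:                              # len(leaves) must be a power of two
        nxt, ngroups = [], []
        for j in range(0, len(level), 2):
            left, right = level[j], level[j + 1]
            for i in groups[j]:     chains[i].append((right, True))
            for i in groups[j + 1]: chains[i].append((left, False))
            nxt.append(h(left, right)); ngroups.append(groups[j] + groups[j + 1])
        level, groups = nxt, ngroups
    return level[0], chains

def follow(leaf, chain):
    """Recompute the path from a leaf up to the root."""
    for sib, right in chain:
        leaf = h(leaf, sib) if right else h(sib, leaf)
    return leaf

def keygen(t0, ident):
    z = [None] * (L + 1); z[L] = os.urandom(32)
    for i in range(L - 1, -1, -1): z[i] = h(z[i + 1])           # z_i = h(z_{i+1}); z_0 is public
    r, c = merkle([h(z[i]) for i in range(1, L + 1)])           # leaves r_i = h(z_i) = z_{i-1}, never z_i itself
    return z, c, (ident, z[0], r, t0)                           # secret chain, proofs c_i, certificate

class StampService:
    """Constructed stand-in for hash-and-publish time-stamping: per second, aggregate and publish."""
    def __init__(self): self.published = {}
    def round(self, t, requests):
        requests = list(requests)
        while len(requests) & (len(requests) - 1): requests.append(b"\0" * 32)   # pad to a power of two
        root, chains = merkle(requests); self.published[t] = root
        return [(t, ch) for ch in chains]                      # S_t for each request

def sign_request(M, z, i): return h(M, z[i])                   # what the signer sends at t = t0 + i

def signature(ident, i, z, c, S_t): return (ident, i, z[i], c[i - 1], S_t)   # z_i is released only after S_t

def verify(M, sig, cert, published):
    ident, i, z_i, c_i, (t, chain) = sig; cid, z0, r, t0 = cert   # z0 would allow an O(L) chain check instead of c_i
    if ident != cid or not 1 <= i <= L or t != t0 + i: return False
    if follow(h(z_i), c_i) != r: return False                  # z_i is the i-th key of this certificate
    return follow(h(M, z_i), chain) == published.get(t)        # and h(M, z_i) was stamped at second t0 + i
```

Once z_i has been released anyone can compute h(M', z_i), but the round t_0 + i is over, so no time-stamp at that second can be obtained for it and a forged signature fails verification.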
total storage is O(log² ℓ)
O(log ℓ), thus the computation cost for providing the next key is O(log² ℓ). (graph theory in the paper)
In order to mitigate PC-related risks we introduce a hardware-based Personal Security Device (e.g. USB token, smartcard), which encloses all secret material. Trivial solution: the device has a somewhat trusted clock and releases z_i only when appropriate; we have to deal with clock drift and potential malware on the host computer. Getting rid of the clock (and battery!) is possible if the device and server have a shared secret, e.g. a MAC key K.
Secure if the service can be trusted with t and the client and server do not collude.
Example instantiation: SHA2-256, one key (signature) for each second; keys are pre-generated for one year.
This is joint work with Ahto Buldas and Ahto Truu, submitted to SCN 2014. Full paper: http://eprint.iacr.org/2014/321