
Hash-based Signatures IETF/IRTF CFRG Draft on XMSS Fraunhofer

  1. Hash-based Signatures: IETF/IRTF CFRG Draft on XMSS. Fraunhofer Workshop Series 01 – Post-Quantum Cryptography in Practice. Speaker: Dr. Bernhard Jungk

  2. eXtended Merkle Signature Scheme

  3. eXtended Merkle Signature Scheme: Why should we look into XMSS?
     Hash-based signatures have many advantages:
     • Based on well-understood security notions
       » Cryptographic hash functions are hard to invert, also for quantum computers
       » Merkle trees have been well studied since the 1980s
     • Hash functions are well understood (especially after the SHA-3 competition)
     • Fast signing and verification operations possible
     • Relatively easy to understand and implement

  4. eXtended Merkle Signature Scheme: Why should we look into XMSS?
     XMSS is a promising candidate for
     • Applications with a relatively low number of signatures
     • One- or many-times firmware updates
     • Digital signatures for documents (e.g. contracts, email)
     • Long-term archival of important digital assets
     • PKI Certificates (e.g. Root CA)

  5. eXtended Merkle Signature Scheme: Why should we look into XMSS?
     IRTF is part of IETF
     • Oriented towards research and long-term trends
     Important trend – PQC
     • Quantum computer attacks are likely
     • Design of replacements for traditional public key crypto
     Standardization needed
     • Interoperability
     • Implementation Guidelines

  6. eXtended Merkle Signature Scheme: Our Contribution
     Implementation experience
     • Benchmarking against other schemes
     • Learn good trade-offs for different application scenarios, cost reductions, side-channels, etc.
     Target Platform: Hardware, i.e. FPGAs and ASICs
     Cooperation:
     • Yale University in New Haven, US
     • Fraunhofer SIT in Darmstadt, Germany
     • Fraunhofer Singapore

  7. Recap: Winternitz One-Time Signatures

  8. Winternitz One-Time Scheme+: Basic Principle – Public Key Generation
     [Diagram: Private Key, Public Seed, Chain 0 to Chain 3, Public Key]

  9. Winternitz One-Time Scheme+: Basic Principle – Signature Generation
     [Diagram: Private Key, Public Seed, Chain 0 to Chain 3, Signature]

  10. Winternitz One-Time Scheme+: Basic Principle – Signature Verification
      Output == Public Key?
      [Diagram: Public Seed, Chain 0 to Chain 3]

  11. Winternitz One-Time Scheme+: Basic Principle
      Problem: Signer reveals how to sign other messages with the same key
      [Diagram: Seed, Chain 0 to Chain 3]

  12. Winternitz One-Time Scheme+: Basic Principle
      Solution: Checksum
      [Diagram: two sets of chains, Chain 0,0 to Chain 0,3 and Chain 1,0 to Chain 1,3, labelled Message and Checksum, each with a Seed; SK0, SK1]

  13. Winternitz One-Time Scheme+: Chaining Function for XMSS
      PRF – Pseudorandom function
      F – Keyed hash function
      [Diagram: Input, Seed, Hash Address, PRF ('Key'), PRF ('Mask'), F, Output]

  14. eXtended Merkle Signature Scheme

  15. eXtended Merkle Signature Scheme: L-Tree – Public Key Generation
      [Diagram: Compressed WOTS+ Public Key; PK0 to PK8]

  16. eXtended Merkle Signature Scheme: XMSS Tree – Public Key Generation
      Tree height h=3
      Up to 2^3 = 8 signature generations
      [Diagram: XMSS Public Key above eight L-Trees]

  17. eXtended Merkle Signature Scheme: The Complete Picture – Public Key Generation
      [Diagram: XMSS Public Key; 2^h times; SK0 to SK8]

  18. eXtended Merkle Signature Scheme: rand_hash
      PRF – Pseudorandom function
      H – Keyed hash function
      [Diagram: Left, Right, Seed, Hash Address, PRF ('Key'), PRF ('Mask0'), PRF ('Mask1'), H, Output]

  19. eXtended Merkle Signature Scheme: Signature Generation – Message 1
      [Diagram legend: WOTS+ Signature, Merkle Tree Authentication Path, Node to be computed; SK0 to SK8]

  20. eXtended Merkle Signature Scheme: Signature Generation – Message 1
      [Diagram: SK0 to SK8]

  21. eXtended Merkle Signature Scheme: Signature Generation – Message 2
      [Diagram legend: WOTS+ Signature, Merkle Tree Authentication Path, Node to be computed; SK9 to SK17]

  22. eXtended Merkle Signature Scheme: Signature Verification – Message 2
      Output == XMSS Public Key?
      [Diagram legend: WOTS+ Signature, Merkle Tree Authentication Path, Node to be computed]

  23. Performance Estimates

  24. Performance Consideration: Public Key Generation – WOTS+
      IRTF Parameters:
      • WOTS+ chain length w=16
      • Merkle tree height h=10, h=16, or h=20
      • 256-bit hashes (e.g. SHA-256)

  25. Performance Consideration: Public Key Generation – WOTS+ (IRTF parameters as on slide 24)
      3 Hash Function Calls

  26. Performance Consideration: Public Key Generation – WOTS+ (IRTF parameters as on slide 24)
      3*w = 48 Hash Function Calls

  27. Performance Consideration: Public Key Generation – WOTS+ (IRTF parameters as on slide 24)
      48*67 = 3216 Hash Function Calls

  28. Performance Consideration: Public Key Generation – WOTS+ (IRTF parameters as on slide 24)
      3216*2^h Hash Function Calls (2^h times)

  29. Performance Consideration: Public Key Generation – L-Tree (IRTF parameters as on slide 24)
      4 Hash Function Calls

  30. Performance Consideration: Public Key Generation – L-Tree (IRTF parameters as on slide 24)
      4*65 = 268 Hash Function Calls

  31. Performance Consideration: Public Key Generation – L-Tree (IRTF parameters as on slide 24)
      260*2^h Hash Function Calls (2^h times)

  32. Performance Consideration: Public Key Generation – XMSS (IRTF parameters as on slide 24)
      4*(2^h - 1) = 4*2^h - 4 Hash Function Calls

  33. Performance Consideration: Public Key Generation – XMSS (IRTF parameters as on slide 24)
      3480*2^h - 4 Total Hash Function Calls

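  34. Performance Consideration: Hash Function Calls

      |                        | h=10      | h=16        | h=20          |
      |------------------------|-----------|-------------|---------------|
      | Signatures             | 1024      | 65,536      | 1,048,576     |
      | Public Key Generation  | 3,563,520 | 228,065,280 | 3,649,044,480 |
      | Signature Generation   | ~5,560    | ~263,684    | ~4,195,828    |
      | Signature Verification | ~1,908    | ~1,932      | ~1,948        |

  35. Performance with SHA-256

      |                       | h=10                     | h=16                 | h=20                  |
      |-----------------------|--------------------------|----------------------|-----------------------|
      | Signatures            | 1024                     | 65,536               | 1,048,576             |
      | Public Key Generation | 423,099,648 clock cycles | 27*10^9 clock cycles | 434*10^9 clock cycles |
      | With 400 MHz          | < 1.1 s                  | < 70 s               | < 1085 s              |
      | Sign                  | < 2 ms                   | < 70 ms              | < 1 s                 |
      | Verify                | < 1 ms                   | < 1 ms               | < 1 ms                |

  36. Performance with SHA-3

      |                       | h=10                    | h=16                | h=20                 |
      |-----------------------|-------------------------|---------------------|----------------------|
      | Signatures            | 1024                    | 65,536              | 1,048,576            |
      | Public Key Generation | 79,159,200 clock cycles | 5*10^9 clock cycles | 81*10^9 clock cycles |
      | With 400 MHz          | < 200 ms                | < 12.5 s            | < 203 s              |
      | Sign                  | < 1 ms                  | < 12.5 ms           | < 200 ms             |
      | Verify                | < 1 ms                  | < 1 ms              | < 1 ms               |

  37. Comparison with ECC: FPGA Implementation Estimates (Virtex-5)

      |                       | Ed25519 | XMSS-SHA3 h=10 |
      |-----------------------|---------|----------------|
      | Public Key Generation | < 1 ms  | < 200 ms       |
      | Sign                  | < 1 ms  | < 1 ms         |
      | Verify                | < 2 ms  | < 1 ms         |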

  38. Optimisations and Trade-Offs: Parallelization and Caching
      • Parallelization
        » WOTS+ trivial to compute in parallel
        » L-Tree and XMSS more difficult to parallelize
      • More/Less Caching
        » More caching of XMSS for authentication path (costs more memory)
          → Improves the signing performance
        » Less caching to save memory
          → In the worst case, signing almost as slow as public key generation
          → Useful for lightweight applications with low memory

  39. Thank you for your attention!
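
The problem and the fix on slides 11 and 12, as an added example that is not part of the presentation: a simplified Winternitz scheme with w=16 and 64 + 3 = 67 chains, where `chain` is plain iterated SHA-256 rather than the keyed F with PRF masks of slide 13. The function names and the sample message are assumptions made for the illustration.

```python
import hashlib, os

W = 16                 # Winternitz parameter w=16, as in the slides' IRTF parameters
LEN1, LEN2 = 64, 3     # 64 message digits + 3 checksum digits = 67 chains

def chain(x, steps):
    # Simplification: plain SHA-256 iteration, not the keyed F with PRF masks of WOTS+.
    for _ in range(steps):
        x = hashlib.sha256(x).digest()
    return x

def msg_digits(msg):
    # 256-bit digest split into 64 base-16 digits
    return [n for b in hashlib.sha256(msg).digest() for n in (b >> 4, b & 15)]

def with_checksum(d):
    c = sum(W - 1 - x for x in d)   # at most 64*15 = 960 < 16**3, so 3 digits suffice
    return d + [c >> 8, (c >> 4) & 15, c & 15]

def keygen():
    sk = [os.urandom(32) for _ in range(LEN1 + LEN2)]
    return sk, [chain(s, W - 1) for s in sk]

def sign(sk, digits):
    return [chain(s, d) for s, d in zip(sk, digits)]

def verify(pk, digits, sig):
    return all(chain(s, W - 1 - d) == p for s, d, p in zip(sig, digits, pk))

def advance(sig, old, new):
    # All an observer of a signature can do: hash chain values further forward.
    # Going backwards would mean inverting the hash, so report None.
    if any(n < o for o, n in zip(old, new)):
        return None
    return [chain(s, n - o) for s, o, n in zip(sig, old, new)]

def demo():
    sk, pk = keygen()
    d = msg_digits(b"firmware v1 (constructed sample)")
    i = next(k for k, x in enumerate(d) if x < W - 1)
    d2 = d[:i] + [W - 1] + d[i + 1:]          # a different digest: one digit raised
    # Without checksum (slide 11): the signature on d yields a valid one on d2.
    derived = advance(sign(sk, d), d, d2)
    no_checksum_reusable = derived is not None and verify(pk, d2, derived)
    # With checksum (slide 12): raising a digit lowers the checksum,
    # so at least one checksum chain would have to run backwards.
    full, full2 = with_checksum(d), with_checksum(d2)
    honest_ok = verify(pk, full, sign(sk, full))
    checksum_blocks = advance(sign(sk, full), full, full2) is None
    return no_checksum_reusable, honest_ok, checksum_blocks
```

`demo()` returns three booleans: the checksum-free signature can be turned into one for another digest, the honest signature with checksum verifies, and the same transformation is impossible once the checksum chains are included.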

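The authentication path of slides 19 to 22 and the caching trade-off of slide 38, as an added example that is not part of the presentation: a height-3 tree whose nodes are plain SHA-256 of the two children instead of rand_hash, with a counter for node computations (which the slides price at 4 hash calls each). The leaves are constructed stand-ins for the L-tree roots, and all function names are assumptions.

```python
import hashlib

H = 3  # tree height from slide 16: 2**3 = 8 leaves

def node(left, right, counter):
    # Simplification: SHA-256 of the concatenation, not rand_hash with PRF masks.
    counter[0] += 1
    return hashlib.sha256(left + right).digest()

def build(leaves, counter):
    """Return all levels: levels[0] are the leaves, levels[-1] is [root]."""
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([node(cur[i], cur[i + 1], counter)
                       for i in range(0, len(cur), 2)])
    return levels

def auth_path(levels, idx):
    """Sibling of the path node on every level below the root."""
    return [levels[lvl][(idx >> lvl) ^ 1] for lvl in range(len(levels) - 1)]

def root_from_path(leaf, idx, path, counter):
    """Verifier side: h node computations from the leaf to a candidate root."""
    n = leaf
    for lvl, sib in enumerate(path):
        n = node(sib, n, counter) if (idx >> lvl) & 1 else node(n, sib, counter)
    return n

def demo(idx=5):
    # Constructed stand-ins for the 2**H compressed WOTS+ public keys.
    leaves = [hashlib.sha256(b"leaf %d" % i).digest() for i in range(2 ** H)]
    keygen_nodes = [0]
    levels = build(leaves, keygen_nodes)
    root = levels[-1][0]                       # plays the role of the XMSS public key
    # Signer with the whole tree cached: the path is a lookup, no hashing.
    path = auth_path(levels, idx)
    # Signer with no cache: the tree is rebuilt to obtain the same path.
    nocache_nodes = [0]
    same_path = auth_path(build(leaves, nocache_nodes), idx) == path
    verify_nodes = [0]
    ok = root_from_path(leaves[idx], idx, path, verify_nodes) == root
    wrong_leaf = root_from_path(leaves[idx ^ 1], idx, path, [0]) == root
    return ok, wrong_leaf, same_path, keygen_nodes[0], nocache_nodes[0], verify_nodes[0]
```

With no cache the signer repeats all 2^h - 1 node computations of key generation, while the verifier needs only h.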