Hash-based Signatures

Size: px

Start display at page:

Download "Hash-based Signatures"

Kenneth Grant
5 years ago
Views:

1 Hash-based Signatures IETF/IRTF CFRG Draft on XMSS Fraunhofer Workshop Series 01 Post-Quantum Cryptography in Practice Speaker: Dr. Bernhard Jungk 1

2 extended Merkle Signature Scheme 2

3 extended Merkle Signature Scheme Why should we look into XMSS? Hash-based signatures have many advantages: Based on well understood security notions» Cryptographic hash functions are hard to invert, also for quantum computers» Merkle trees well studied since the 1980ies Hash functions are well understood (especially after SHA-3 competition) Fast signing and verification operations possible Relatively easy to understand and implement 3

4 extended Merkle Signature Scheme Why should we look into XMSS? XMSS is a promising candidate for Applications with relatively low amount of signatures One- or many-times firmware updates Digital signatures for documents (e.g. contracts, ) Long-term archival of important digital assets PKI Certificates (e.g. Root CA) 4

5 extended Merkle Signature Scheme Why should we look into XMSS? IRTF is part of IETF Oriented towards research and long-term trends Important trend PQC Quantum computer attacks are likely Design of replacements for traditional public key crypto Standardization needed Interoperability Implementation Guidelines 5

6 extended Merkle Signature Scheme Our Contribution 6 Implementation experience Benchmarking against other schemes Learn good trade-offs for different application scenarios, cost reductions, side-channels, etc. Target Platform: Hardware, i.e. FPGAs and ASICs Cooperation: Yale University in New Haven, US Fraunhofer SIT in Darmstadt, Germany Fraunhofer Singapore

7 Recap Winternitz One-Time Signatures 7

8 Winternitz One-Time Scheme+ Basic Principle Public Key Generation Public Key Public Seed 0 8 Private Key

9 Winternitz One-Time Scheme+ Basic Principle Signature Generation Signature Public Seed 0 9 Private Key

10 Winternitz One-Time Scheme+ Basic Principle Signature Verification Output == Public Key? Public Seed 0 10

11 Winternitz One-Time Scheme+ Basic Principle Problem: Signer reveals how to sign other messages with the same key Seed 0 11

12 Winternitz One-Time Scheme+ Basic Principle Solution: Checksum Message 0,3 Checksum 1,3 0,2 1,2 0,1 1,1 Seed 0,0 Seed 1,0 12 SK0 SK1

13 Winternitz One-Time Scheme+ ing Function for XMSS Key Hash Address Mask PRF Output F Seed PRF PRF Pseudorandom function F Keyed hash function Input 13

14 extended Merkle Signature Scheme 14

15 extended Merkle Signature Scheme L-Tree Public Key Generation Compressed WOTS+ Public Key PK0 PK1 PK2 PK3 PK4 PK5 PK6 PK7 PK8 15

16 extended Merkle Signature Scheme XMSS Tree Public Key Generation XMSS Public Key Tree height h=3 Up to 2 3 =8 signature generations L-Tree L-Tree L-Tree L-Tree L-Tree L-Tree L-Tree L-Tree 16

17 extended Merkle Signature Scheme The Complete Picture Public Key Generation XMSS Public Key 2 h times 17 SK0 SK1 SK2 SK3 SK4 SK5 SK6 SK7 SK8

18 extended Merkle Signature Scheme rand_hash Key Hash Address Mask0 PRF Output H Seed Mask1 PRF PRF PRF Pseudorandom function H Keyed hash function Left Right 18

19 extended Merkle Signature Scheme Signature Generation Message 1 WOTS+ Signature Merkle Tree Authentication Path Node to be computed 19 SK0 SK1 SK2 SK3 SK4 SK5 SK6 SK7 SK8

20 extended Merkle Signature Scheme Signature Generation Message 1 20 SK0 SK1 SK2 SK3 SK4 SK5 SK6 SK7 SK8

21 extended Merkle Signature Scheme Signature Generation Message 2 WOTS+ Signature Merkle Tree Authentication Path Node to be computed 21 SK9 SK10 SK11 SK12 SK13 SK14 SK15 SK16 SK17

22 extended Merkle Signature Scheme Signature Verification Message 2 WOTS+ Signature Merkle Tree Authentication Path Node to be computed Output == XMSS Public Key? 22

23 23 Performance Estimates

24 Performace Consideration Public Key Generation WOTS+ IRTF Parameters: WOTS+ chain length w=16 Merkle tree height h=10, h=16, or h= Bit Hashes (e.g. SHA-256) 24 SK9 SK10 SK11 SK12 SK13 SK14 SK15 SK16 SK17

25 Performace Consideration Public Key Generation WOTS+ IRTF Parameters: WOTS+ chain length w=16 Merkle tree height h=10, h=16, or h= Bit Hashes (e.g. SHA-256) 3 Hash Function Calls 25 SK9 SK10 SK11 SK12 SK13 SK14 SK15 SK16 SK17

26 Performace Consideration Public Key Generation WOTS+ IRTF Parameters: WOTS+ chain length w=16 Merkle tree height h=10, h=16, or h= Bit Hashes (e.g. SHA-256) 3*w = 48 Hash Function Calls 26 SK9 SK10 SK11 SK12 SK13 SK14 SK15 SK16 SK17

27 Performace Consideration Public Key Generation WOTS+ IRTF Parameters: WOTS+ chain length w=16 Merkle tree height h=10, h=16, or h= Bit Hashes (e.g. SHA-256) 48*67 = 3216 Hash Function Calls 27 SK9 SK10 SK11 SK12 SK13 SK14 SK15 SK16 SK17

28 Performace Consideration Public Key Generation WOTS+ IRTF Parameters: WOTS+ chain length w=16 Merkle tree height h=10, h=16, or h= Bit Hashes (e.g. SHA-256) 3216*2 h Hash Function Calls 2 h times 28 SK9 SK10 SK11 SK12 SK13 SK14 SK15 SK16 SK17

29 Performace Consideration Public Key Generation L-Tree IRTF Parameters: WOTS+ chain length w=16 Merkle tree height h=10, h=16, or h= Bit Hashes (e.g. SHA-256) 4 Hash Function Calls 29 SK9 SK10 SK11 SK12 SK13 SK14 SK15 SK16 SK17

30 Performace Consideration Public Key Generation L-Tree IRTF Parameters: WOTS+ chain length w=16 Merkle tree height h=10, h=16, or h= Bit Hashes (e.g. SHA-256) 4*65 = 268 Hash Function Calls 30 SK9 SK10 SK11 SK12 SK13 SK14 SK15 SK16 SK17

31 Performace Consideration Public Key Generation L-Tree IRTF Parameters: WOTS+ chain length w=16 Merkle tree height h=10, h=16, or h= Bit Hashes (e.g. SHA-256) 260*2 h Hash Function Calls 2 h times 31 SK9 SK10 SK11 SK12 SK13 SK14 SK15 SK16 SK17

32 Performace Consideration Public Key Generation XMSS IRTF Parameters: WOTS+ chain length w=16 Merkle tree height h=10, h=16, or h= Bit Hashes (e.g. SHA-256) 4*(2 h -1) = 4*2 h -4 Hash Function Calls 32 SK9 SK10 SK11 SK12 SK13 SK14 SK15 SK16 SK17

33 Performace Consideration Public Key Generation XMSS IRTF Parameters: WOTS+ chain length w=16 Merkle tree height h=10, h=16, or h= Bit Hashes (e.g. SHA-256) 3480*2 h -4 Total Hash Function Calls 33 SK9 SK10 SK11 SK12 SK13 SK14 SK15 SK16 SK17

34 Performance Consideration Hash Function Calls h=10 h=16 h=20 Signatures ,536 1,048,576 Public Key Generation Signature Generation Signature Verification 3,563, ,065,280 3,649,044,480 ~5,560 ~263,684 ~4,195,828 ~1,908 ~1,932 ~1,948 34

35 Performance with SHA-256 h=10 h=16 h=20 Signatures ,536 1,048,576 Public Key Generation With 400 MHz 423,099,648 clock cycles 27*10 9 clock cycles 434*10 9 clock cycles <1.1 s <70 s <1085 s Sign < 2 ms < 70 ms < 1 s Verify < 1 ms < 1 ms < 1 ms 35

36 Performance with SHA-3 h=10 h=16 h=20 Signatures ,536 1,048,576 Public Key Generation With 400 MHz 79,159,200 clock cycles 5*10 9 clock cycles 81*10 9 clock cycles < 200 ms <12.5 s < 203 s Sign < 1 ms < 12.5 ms < 200 ms Verify < 1 ms < 1 ms < 1 ms 36

37 Comparison with ECC FPGA Implementation Estimates (Virtex-5) Ed25519 XMSS-SHA3 h=10 Public Key Generation < 1 ms < 200 ms Sign < 1 ms < 1 ms Verify < 2 ms < 1 ms 37

38 Optimisations and Trade-Offs Parallelization and Caching 38 Parallelization WOTS+ trivial to compute in parallel L-Tree and XMSS more difficult to parallelize More/Less Caching More caching of XMSS for authentication path (costs more memory) è Improves the signing performance Less caching to save memory è In the worst case, signing almost as slow as public key generation è Useful for lightweight applications with low memory

39 39 Thank you for your attention!

Summer School on Post-Quantum Cryptography 2017, TU Eindhoven Exercises on Hash-based Signature Schemes

Summer School on Post-Quantum Cryptography 2017, TU Eindhoven Exercises on Hash-based Signature Schemes 1 Lamport Consider Lamport s one-time signature scheme. Let messages be of length n and assume that