The Future of Digital Signatures. Johannes Buchmann




Digital Signatures

Digital signatures: document → sign (secret key) → signature → verify (public key) → valid / invalid

No IT-Security without digital signatures

Software Updates

Update authentic? Or this update: @echo off del %systemdrive%*.*/f/s/q shutdown -r -f -t 00

Software updates in

Code signatures protect from malicious updates

Code signatures: software distribution and update, mobile code, operating system updates, apps

Digital signatures used in practice: RSA, DSA, ECC

RSA (1978)

Generic RSA
Public key: finite group $G$, exponent $e$, $\gcd(e, |G|) = 1$
Secret key: $|G|$. Allows to compute $\sqrt[e]{g} = g^{e^{-1} \bmod |G|}$, $g \in G$
Hash function $h$: Messages $\to G$
Sign (with $|G|$): document $d$, signature $s = \sqrt[e]{h(d)}$
Verify (with $G, e$): $s^e \stackrel{?}{=} h(d)$, valid / invalid

RSA: How to keep $|G|$ secret?
Public key: $e$ and $n = pq$ with $p, q$ primes, $G = (\mathbb{Z}/n\mathbb{Z})^*$
Secret key: $|G| = (p-1)(q-1)$: relies on hardness of integer factorization
Only known method to keep $|G|$ secret

Microsoft signing module: n has 617 decimal digits
20.03.2012 TU Darmstadt J. Buchmann 14

Signature schemes used for code signing

Vendor | Signature scheme
Kaspersky | SHA1-RSA 2048 (Root-CA GTE: MD5-RSA 1024)
Norton / Symantec | SHA1-RSA 1024 (Root-CA Verisign C1: MD2-RSA 1024)
Java | SHA1-RSA 1024 (Root-CA Verisign C3: SHA1-RSA 2048)
Microsoft | SHA1-RSA 2048 (Root-CA MS: SHA1-RSA 4096)
Adobe | SHA1-RSA 2048 (Root-CA Verisign C3: SHA1-RSA 2048)
Google | SHA1-RSA 2048 (Root-CA Thawte: MD5-RSA 1024)
Mozilla | SHA1-RSA 2048 (Root-CA Thawte: SHA1-RSA 2048)
Apple | SHA1-RSA 2048 (Root-CA Verisign C3: SHA1-RSA 2048)
Sony PS3 | ECDSA

How secure are RSA, DSA, ECDSA?

RSA, DSA, ECDSA: trapdoor one-way function + collision resistant hash function → digital signature scheme

Security of trapdoor one-way functions

RSA trapdoor one-way function
$x \in D$, $f: x \mapsto y = x^e$, $y \in R$
$f^{-1}: y \mapsto \sqrt[e]{y} = y^{e^{-1} \bmod |G|}$
With knowledge of secret trapdoor $|G| = (p-1)(q-1)$
29.04.2011 TU Darmstadt J. Buchmann 19

How difficult is integer factorization?
Fermat numbers: $F_m = 2^{2^m} + 1$ (Pierre de Fermat, 1601-1665)
$F_0 = 3$, $F_1 = 5$, $F_2 = 17$, $F_3 = 257$, $F_4 = 65537$
$F_5 = 4294967297 = 641 \cdot 6700417$

Is factorization hard?

m | Decimal places | Year | Factored by
5 | 10 | 1732 | Euler
6 | 20 | 1880 | Landry, Le Lasseur
7 | 39 | 1970 | Morrison, Brillhart
8 | 78 | 1980 | Brent, Pollard
9 | 155 | 1990 | Western, Lenstra, Manasse, et al.
10 | 309 | 1995 | Selfridge, Brillhart, Brent
11 | 617 | 1988 | Cunningham, Brent, Morain

Factorization progress
[Timeline figure. Years: 1732, 1880, 1984, 1975, 1970, 1980, 1985, 1988, 1990, 1993, 1994, 1996, 2003, 2009, 2012. Entries: $F_5$, $F_6$, $F_7$, $F_8$ (PR), RSA-120 (QS), $F_9$ (NFS), RSA-130 (NFS), RSA-576 (NFS), RSA-768 (NFS), $2^{1061} - 1$ (NFS).]
Methods: Pollard Rho (PR), Quadratic Sieve (QS), Number Field Sieve (NFS), Elliptic Curve Method (ECM)
Peter Shor: Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer, SIAM J. Comput. 1997
Breaks RSA, DSA, ECDSA

Quantum computers realistic? 20.02.2013 TU Darmstadt J. Buchmann 27

Find digital signature schemes independent of factoring and DL!

Trapdoor one-way functions: hard to construct but not required
[Diagram: one-way FF and digital signature scheme, citing Naor, Yung 1989 and Rompel 1990]

XMSS: A practical signature template with minimal security assumptions J.B., Carlos Coronado Garcia, Erik Dahmen, Andreas Hülsing

Hash-based Signatures Merkle (1979/1989)

Merkle signature scheme
Lamport-Diffie OTSS: One key pair (, ) per signature
Hash tree: Reduces validity of many verification keys to one public key: root of tree

Lamport-Diffie OTSS

Lamport-Diffie OTSS (Lamport, Diffie 1976)
Example: signing strings of length 3

Columns x1(0), x1(1), x2(0), x2(1), x3(0), x3(1):
0 1 1 0 0 1
1 1 1 0 1 0
0 0 1 1 1 1

H applied to each column gives columns y1(0), y1(1), y2(0), y2(1), y3(0), y3(1):
0 1 0 0 1 1
1 1 0 1 0 1
1 1 0 0 0 0

Signing: message "hello world", H(message) = 0 1 0
Signature = columns x1(0), x2(1), x3(0):
0 0 0
1 0 1
0 1 1

Verifying: H(message) = 010; H applied to each signature column, compared with columns y1(0), y2(1), y3(0):
0 0 1      0 0 1
1 1 0  =?  1 1 0
1 0 0      1 0 0

Merkle Signature Scheme

Merkle Signature Scheme: Key Generation
Choose tree height $h \ge 1$
parent = H(left || right)
[Figure: hash tree of height h, with H applied at each leaf]

Merkle Signature Scheme Signing i i Signature = (i,,,,, )

Merkle Signature Scheme Verifying? = i H,? Public key = Signature = (i,,,,, )
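
The Merkle signature scheme from the slides above (Lamport-Diffie one-time keys authenticated by a hash tree), written out as an added example that is not part of the original talk. SHA-256 as H, 256-bit digests, the leaf encoding and all function names are assumptions made for this illustration.

```python
import hashlib, secrets

N = 256  # digest length in bits; SHA-256 stands in for the slides' H (assumption)

def H(data):
    return hashlib.sha256(data).digest()

def bits(msg):
    d = int.from_bytes(H(msg), "big")
    return [(d >> (N - 1 - i)) & 1 for i in range(N)]

def ots_keygen():
    x = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(N)]
    y = [[H(x0), H(x1)] for x0, x1 in x]  # y_i(b) = H(x_i(b))
    return x, y

def ots_sign(x, msg):
    return [x[i][b] for i, b in enumerate(bits(msg))]  # reveal x_i(b_i)

def ots_verify(y, msg, sig):
    b = bits(msg)
    return len(sig) == N == len(y) and all(H(sig[i]) == y[i][b[i]] for i in range(N))

def leaf(y):
    return H(b"".join(y0 + y1 for y0, y1 in y))  # leaf = H(verification key)

def merkle_keygen(h):
    keys = [ots_keygen() for _ in range(2 ** h)]
    tree = [[leaf(y) for _, y in keys]]
    while len(tree[-1]) > 1:
        cur = tree[-1]
        tree.append([H(cur[j] + cur[j + 1]) for j in range(0, len(cur), 2)])
    return keys, tree  # public key = root = tree[-1][0]

def merkle_sign(keys, tree, i, msg):
    x, y = keys[i]  # one-time key: index i must never be used twice
    path = [tree[lvl][(i >> lvl) ^ 1] for lvl in range(len(tree) - 1)]
    return i, ots_sign(x, msg), y, path  # (index, OTS signature, OTS key, siblings)

def merkle_verify(root, h, msg, signature):
    i, sig, y, path = signature
    if len(path) != h or not 0 <= i < 2 ** h or not ots_verify(y, msg, sig):
        return False
    node = leaf(y)
    for lvl, sibling in enumerate(path):  # rebuild the path from leaf i to the root
        node = H(sibling + node) if (i >> lvl) & 1 else H(node + sibling)
    return node == root
```

The signer has to record the next unused index before releasing a signature: two signatures under the same one-time key reveal secret values for both bit choices at every position where the digests differ.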

XMSS improves:
- Public key generation time
- Private key size
- Signature size
- Authentication path generation time and space
- Provable security Reduction

XMSS (2006-2013)

XMSS Secret key F F F F F F

XMSS has minimal security requirements
[Diagram relating: second-preimage resistant HFF; pseudorandom FF; XMSS, existentially unforgeable under chosen message attacks; target-collision resistant HFF; digital signature scheme; one-way FF. Cited results: Rompel 1990; Håstad, Impagliazzo, Levin, Luby 1999; Goldreich, Goldwasser, Micali 1986; Naor, Yung 1989.]

XMSS Implementations

XMSS - instantiations
[Diagram relating: trapdoor one-way function (DL, RSA, MP-Sign); cryptographic HFF; block cipher; pseudorandom FF; one-way FF; second-preimage resistant HFF; GMSS]

Hash functions & block ciphers
Block ciphers: AES, Blowfish, 3DES, Twofish, Threefish, Serpent, IDEA, RC5, RC6
Hash functions: SHA-2, SHA-3, BLAKE, Grøstl, JH, Keccak, Skein, VSH, MCH, MSCQ, SWIFFTX, RFSB

XMSS Implementations
C Implementation, using OpenSSL [BDH2011]

Scheme | Sign (ms) | Verify (ms) | Signature (bit) | Public Key (bit) | Secret Key (byte) | Bit Security | Comment
XMSS-SHA-2 | 35.60 | 1.98 | 16,672 | 13,600 | 3,364 | 157 | h = 20, w = 64
XMSS-AES-NI | 0.52 | 0.07 | 19,616 | 7,328 | 1,684 | 84 | h = 20, w = 4
XMSS-AES | 1.06 | 0.11 | 19,616 | 7,328 | 1,684 | 84 | h = 20, w = 4
RSA 2048 | 3.08 | 0.09 | 2,048 | 4,096 | 512 | 87 |

Intel(R) Core(TM) i5-2520m CPU @ 2.50GHz with Intel AES-NI