Slide 1: Hash-Based Signatures
Johannes Buchmann, Andreas Hülsing. Supported by DFG and DAAD.
Part V: Winternitz One-Time Signature Scheme (WOTS)
PhD Defense Andreas Hülsing, 9 October 2019
Slide 2: Winternitz OTS (WOTS)
First idea: Winternitz [Mer89]
Full scheme: Even et al. [EGM96]
Security proofs: Hevia & Micciancio [HM02], Dods et al. [DSS05]; require a collision-resistant, undetectable one-way function family.
WOTS$: Buchmann et al. [BDEH+11]; requires a pseudorandom function family.
WOTS+: Hülsing [Hül13]; requires a second-preimage-resistant, undetectable one-way function family.
Slide 3: Recap LD-OTS [Lam79]
Message M = b_1,…,b_m; OWF H (n-bit).
Diagram: SK = (sk_{1,0}, sk_{1,1}, …, sk_{m,0}, sk_{m,1}); PK = (pk_{1,0}, pk_{1,1}, …, pk_{m,0}, pk_{m,1}) with pk_{i,j} = H(sk_{i,j}); Sig = (sk_{1,b_1}, …, sk_{m,b_m}), where a mux on bit b_i selects sk_{i,b_i} from each pair.
Slide 4: Trivial Optimization
Message M = b_1,…,b_m; OWF H (n-bit).
Diagram: same SK and PK as LD-OTS (pk_{i,j} = H(sk_{i,j})); the signature (sig_{1,0}, sig_{1,1}, …, sig_{m,0}, sig_{m,1}) is selected at each position i by muxes on b_i and ¬b_i.
Slide 5: Non-trivial Optimization
Message M = b_1,…,b_m; OWF H.
SK: sk_1,…,sk_m, sk_{m+1},…,sk_{2m}
PK: H(sk_1),…,H(sk_m), H(sk_{m+1}),…,H(sk_{2m})
Encode M: M' = b_1,…,b_m, ¬b_1,…,¬b_m
Sig: sig_i = sk_i if bit i of M' is 1, H(sk_i) otherwise
Checksum with bad performance!
Slide 6: Non-trivial Optimization, cont'd
Message M = b_1,…,b_m; OWF H.
SK: sk_1,…,sk_m, sk_{m+1},…,sk_{m+log m}
PK: H(sk_1),…,H(sk_m), H(sk_{m+1}),…,H(sk_{m+log m})
Encode M: M' = b_1,…,b_m, ¬(Σ_{i=1}^{m} b_i)
Sig: sig_i = sk_i if bit i of M' is 1, H(sk_i) otherwise
If one b_i is flipped from 1 to 0, another b_j will flip from 0 to 1.
Slide 7: WOTS Function Chain
Function family: Formerly: WOTS+: for w ≥ 2 select R = (r_1, …, r_{w-1}).
Chain diagram: c_0(x) = x → c_1(x) → … → c_{w-1}(x); step i maps c_{i-1}(x) to c_i(x) using r_i.
Slide 8: WOTS Function Chains
For define and WOTS: WOTS$: WOTS+:
Slide 9: WOTS+
Winternitz parameter w, security parameter n, message length m, function family.
Key Generation: compute l, sample K, sample R.
Chains: c_0(sk_1) = sk_1 → c_1(sk_1) → … → pk_1 = c_{w-1}(sk_1); …; c_0(sk_l) = sk_l → c_1(sk_l) → … → pk_l = c_{w-1}(sk_l).
Speaker notes: One promising group of candidates are hash-based signature schemes. They start from an OTS, a signature scheme where a key pair can only be used for one signature. The central idea, proposed by Merkle, is to authenticate many OTS key pairs using a binary hash tree. These schemes have many advantages over the aforementioned ones: quantum computers do not harm their security (the best known quantum attack is Grover's algorithm, allowing exhaustive search in a set with n elements in time square root of n using log n space); they are provably secure in the standard model; and they can be instantiated using any secure hash function. On the downside, they produce long signatures.
Slide 10: WOTS+ Signature generation
M → b_1 b_2 b_3 b_4 … b_{m'} | checksum C → b_{m'+1} b_{m'+2} … b_l
Chains: c_0(sk_1) = sk_1 → … → pk_1 = c_{w-1}(sk_1), with σ_1 = c_{b_1}(sk_1); …; c_0(sk_l) = sk_l → … → pk_l = c_{w-1}(sk_l), with σ_l = c_{b_l}(sk_l).
Signature: σ = (σ_1, …, σ_l)
Speaker notes: Well, this work is concerned with the OTS. There are several OTS schemes: LD, Merkle-OTS (which is a specific instance of the W-OTS), the BM-OTS, BiBa and HORS. The most interesting one is the Winternitz OTS, as it allows for a time-memory trade-off and, even more important, it is possible to compute the public verification key given a signature. This reduces the signature size of a hash-based signature scheme, as normally the public key of the OTS has to be included in a signature of the scheme. For WOTS this isn't necessary anymore.
Slide 11: WOTS+ Signature Verification
Verifier knows: M, n, w, c.
M → b_1 b_2 b_3 b_4 … b_{m'} b_{m'+1} b_{m'+2} … b_l
Chains: σ_1 → c_1(σ_1) → c_2(σ_1) → c_3(σ_1) → … → c_{w-1-b_1}(σ_1) =? pk_1; …; σ_l → … → c_{w-1-b_l}(σ_l) =? pk_l.
Signature: σ = (σ_1, …, σ_l)
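Key generation, signing and verification from slides 9 to 11 as one working example; this is added code, not from the slides or from Hülsing's implementation. It assumes w = 16, n = 32 bytes, a SHA-256 message digest, and f_K(x) = SHA-256(K || x) standing in for the function family, with the WOTS+ chain c_i(x) = f_K(c_{i-1}(x) ⊕ r_i) from [Hül13].

```python
import hashlib
import math
import secrets

# Added example, not code from the slides: WOTS+ [Hül13] with w = 16,
# n = 32 bytes and a 256-bit message digest (l1 = 64, l2 = 3, l = 67).
# Assumption: f_K(x) = SHA-256(K || x) stands in for the function family F_n.
N, W, M_BITS = 32, 16, 256
LOG_W = int(math.log2(W))                              # bits per base-w digit
L1 = math.ceil(M_BITS / LOG_W)                         # message digits
L2 = math.floor(math.log2(L1 * (W - 1)) / LOG_W) + 1   # checksum digits
L = L1 + L2                                            # number of chains

def f(K, x):
    return hashlib.sha256(K + x).digest()

def chain(x, start, steps, K, R):
    # Given c_start(x), compute c_{start+steps}(x): c_i = f_K(c_{i-1} XOR r_i).
    for i in range(start + 1, start + steps + 1):
        x = f(K, bytes(a ^ b for a, b in zip(x, R[i - 1])))
    return x

def digits(msg):
    # Base-w digits b_1..b_l1 of H(msg), then the checksum sum(w-1-b_i) in base w.
    # Lowering any message digit raises the checksum, so some digit always grows.
    d = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    b = [(d >> (LOG_W * (L1 - 1 - i))) & (W - 1) for i in range(L1)]
    c = sum(W - 1 - x for x in b)
    return b + [(c >> (LOG_W * (L2 - 1 - i))) & (W - 1) for i in range(L2)]

def keygen():
    K = secrets.token_bytes(N)
    R = [secrets.token_bytes(N) for _ in range(W - 1)]   # r_1 .. r_{w-1}
    sk = [secrets.token_bytes(N) for _ in range(L)]
    pk = [chain(s, 0, W - 1, K, R) for s in sk]          # pk_i = c_{w-1}(sk_i)
    return sk, (K, R, pk)

def sign(msg, sk, pub):
    K, R, _ = pub
    return [chain(sk[i], 0, b, K, R) for i, b in enumerate(digits(msg))]  # sigma_i = c_{b_i}(sk_i)

def verify(msg, sig, pub):
    # Continue each chain from position b_i for the remaining w-1-b_i steps;
    # the verifier recomputes pk_i from sigma_i, so pk need not ride along.
    K, R, pk = pub
    return len(sig) == L and all(
        chain(s, b, W - 1 - b, K, R) == p for s, b, p in zip(sig, digits(msg), pk))
```

The checksum invariant (message digits plus checksum value always sum to l1·(w−1)) is why a signature can be reused only by raising chain positions, which the one-wayness of f_K prevents.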
Slide 12: WOTS Security
Theorem (informally):
W-OTS is strongly unforgeable under chosen message attacks if F is a collision-resistant, undetectable one-way function family.
W-OTS$ is existentially unforgeable under chosen message attacks if F is a pseudorandom function family.
W-OTS+ is strongly unforgeable under chosen message attacks if F is a second-preimage-resistant, undetectable one-way function family.
Speaker notes: In our work we showed that we can slightly change the original WOTS construction such that it uses a function family instead of the hash function family. The resulting scheme is existentially unforgeable under chosen message attacks if the function family is pseudorandom. This result has two implications:
Slide 13: WOTS Sizes and Runtimes
Columns: Lamport-Diffie | WOTS | WOTS$ | WOTS+
Public key size: 2bm | l·2b ~ 2bm/log w | l·b (+b) ~ bm/log w | l·b (+(w−1)b) ~ bm/log w
Secret key size: l·b ~ bm/log w
Signature size: bm
Key generation time: ~2m | l·w ~ wm/log w | l·w ~ wm/log w
Security level b, Winternitz parameter w, message length m, l = l(w,m) ~ m/log w