Optimal Parameters for XMSS MT
19
04.09.2013 | TU Darmstadt | Andreas Hülsing | 1 Optimal Parameters for XMSS MT Andreas Hülsing , Lea Rausch, and Johannes Buchmann
description
Optimal Parameters for XMSS MT. Andreas Hülsing , Lea Rausch, and Johannes Buchmann. Digital Signatures are Important!. E-Commerce. … and many others. Software updates. What if…. - PowerPoint PPT Presentation
Transcript of Optimal Parameters for XMSS MT
04.09.2013 | TU Darmstadt | Andreas Hülsing | 1
Optimal Parameters for XMSSMT
Andreas Hülsing, Lea Rausch, and Johannes Buchmann
Digital Signatures are Important!
Software updates
E-Commerce
… and many others
04.09.2013 | TU Darmstadt | Andreas Hülsing | 2
What if…
IBM 2012: „…optimism about superconducting qubits and the possibilities for a future quantum computer are
rapidely growing.“
04.09.2013 | TU Darmstadt | Andreas Hülsing | 3
Post-Quantum Signatures
Based on Lattice, MQ, Coding
Signature and/or key sizes
Runtimes
Secure parameters...
1
3
14232232
34121211
yxxxxxxy
xxxxxxy
04.09.2013 | TU Darmstadt | Andreas Hülsing | 4
Hash-based Signature Schemes[Merkle, Crypto‘89]
Not only “post-quantum”Fast, also without HW-accelerationStrong security guaranteesForward secure
Restricted number of signaturesMany parameters
04.09.2013 | TU Darmstadt | Andreas Hülsing | 5
Forward Secure Signatures
04.09.2013 | TU Darmstadt | Andreas Hülsing | 6
Forward Secure Signatures
time
classicalpk
sk
Key gen.
forward secpk
sksk1 sk2 ski skT
t1 t2 ti tT
ijjMGoal ),,(:
04.09.2013 | TU Darmstadt | Andreas Hülsing | 7
Construction
04.09.2013 | TU Darmstadt | Andreas Hülsing | 8
Hash-based Signatures
OTS
OTS OTS OTS OTS OTS OTS OTS
HH H H H H H H
H H H H
H H
H
PK
SK
SIG = (i, , , , , )
h
h
H
Parameter
04.09.2013 | TU Darmstadt | Andreas Hülsing | 9
Winternitz OTS [Merkle, Crypto‘89; Even et al., JoC‘96]
1. = f( )
2. Trade-off between runtime and signature size, controlled by parameter w
3. Minimal security requirements [Buchmann et al.,Africacrypt’11]
4. Uses PRFF F
SIG = (i, , , , , )w
F
h
H
Parameter
04.09.2013 | TU Darmstadt | Andreas Hülsing | 10
Generated using forward secure pseudorandom generator (FSPRG), build using PRFF F:
Secret key: Random SEED for pseudorandom generation of current signature key.
XMSS – secret key
PRG
PRG
PRG
PRG
PRG
FSPRG FSPRG FSPRG FSPRG FSPRG
w
F
h
H
Parameter
04.09.2013 | TU Darmstadt | Andreas Hülsing | 11
BDS-Tree Traversal[Buchmann et al., 2008]
Computes authentication paths
Left nodes are cheap
h
# 2h-1
# 2h-2
k
Store most expensive nodes Distribute costs
(h-k)/2 updates per round
k
w
F
h
H
Parameter
04.09.2013 | TU Darmstadt | Andreas Hülsing | 12
i
j
Accelerate key generationTree Chaining [Buchmann et al., 2006]
Generalized distributed signature generation from [Huelsing et al., SAC’12]
d
k
w
F
h
H
Parameter
wi
ki
d
i
hh
d
ii
i
hh
1
1
22
hi
04.09.2013 | TU Darmstadt | Andreas Hülsing | 13
ParameterSelection
04.09.2013 | TU Darmstadt | Andreas Hülsing | 14
Trade-Offs
h H w F k d
TSig
TVer
TKg
|Sig|
|SK|
|PK|
Security
# Sigs
04.09.2013 | TU Darmstadt | Andreas Hülsing | 15
Linear Optimization
Input: h, bmin, TF, TH
Output: b, d, (h,w,k)i
Obj. Minimize weighted sum of runtimes & sizes
Linearization: Generalized lambda method [Moritz, 2007]
Complexity reduction: Split into sub-problems
04.09.2013 | TU Darmstadt | Andreas Hülsing | 16
Conclusion
04.09.2013 | TU Darmstadt | Andreas Hülsing | 17
•complex•flexible
XMSSMT
•other (pq-)schemes Optimization
04.09.2013 | TU Darmstadt | Andreas Hülsing | 18
Thank you!
