Post-Quantum Signatures

23.09.2013 | TU Darmstadt | Andreas Hülsing | 1

XMSS Practical Hash-Based Signatures

Andreas Hülsingjoint work with Johannes Buchmann and Erik Dahmen

Lattice, MQ, Coding

Signature and/or key sizes

Runtimes

Secure parameters ...1

14232232

34121211

yxxxxxxy

xxxxxxy

Hash-based Signature Schemes[Mer89]

Post quantum

Only secure hash function

Security well understood

Inherently forward secure

Hash-based Signatures

OTS OTS OTS OTS OTS OTS OTS

HH H H H H H H

H H H H

SIG = (i=2, , , , , )

Results

Datum | Fachbereich nn | Institut nn | Prof. nn | 6

Efficient

Minimal security assumptions

„Small signatures"

Forward secure

Full smartcard implementation

New Variants of the Winternitz One Time Signature Scheme

Winternitz OTS (WOTS)[Mer89; EGM96]

| | = | | = m * | |

1. = f( )

2. Trade-off between runtime and signature size | | ~ m/log w * | |

SIG = (i, , , , , )

WOTS+[Hül13]

Theorem 3.9 (informally):W-OTS+ is strongly unforgeable under chosen message attacks if F

is a 2nd-preimage resistant, undetectable one-way function family

XMSS[BDH11]

Lamport-Diffie / WOTS WOTS+

Tree construction [DOTV08]

Pseudorandom key generation

FSPRG FSPRG FSPRG FSPRG FSPRG

XMSS* in Practice

XMSS ImplementationsC Implementation [BDH11]

C Implementation, using OpenSSLSign (ms)

Verify (ms)

Signature (bit) Public Key (bit)

Secret Key (byte)

Bit Security Comment

XMSS-SHA-2 35.60 1.98 16,672 13,600 3,364 157 h = 20,w = 64,

XMSS-AES-NI 0.52 0.07 19,616 7,328 1,684 84 h = 20,w = 4

XMSS-AES 1.06 0.11 19,616 7,328 1,684 84 h = 20,w = 4

RSA 2048 3.08 0.09 ≤ 2,048 ≤ 4,096 ≤ 512 87

Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz with Intel AES-NI

XMSS ImplementationsSmartcard Implementation [HBB12]

Sign (ms)

Verify (ms)

Keygen(ms)

Signature (byte)

Public Key (byte)

Secret Key (byte)

Bit Sec. Comment

XMSS 134 23 925,400 2,388 800 2,448 92 H = 16,w = 4

XMSS+ 106 25 5,600 3,476 544 3,760 94 H = 16,w = 4

RSA 2048

190 7 11,000 ≤ 256 ≤ 512 ≤ 512 87

Infineon SLE78 16Bit-CPU@33MHz, 8KB RAM, TRNG, sym. & asym. co-processor

NVM: Card 16.5 million write cycles/ sector, XMSS+ < 5 million write cycles (h=20)

Conclusion

FastConservative Security

CompactForward secure

Future Work

Main Drawback: State

Easy Migration? Interfaces

Key Management

Thank you!Questions?

Post-Quantum Signatures

Documents

Quantum Resistant Ledger (QRL) - Bravenewcoin Resistant Ledger (QRL) ... Hash-based digital signatures are well studied and represent the primary candidate for post-quantum signatures

Introduction to post-quantum cryptography · \Post-Quantum Cryptography Standardization Project". Solicits submissions on signatures and encryption. Tanja Lange Introduction to post-quantum

Signatures of quantum mechanics in chaotic systems · 2018-04-01 · Signatures of quantum mechanics in chaotic systems 2 classical physics, chaos is yet to be rigorously established

Experimental Tests and Signatures of Modified and Quantum

Post-Quantum Cryptography in ARM Processors · 2019-10-07 · Open Questions about Post-Quantum Cryptography •Design better post-quantum cryptosystems •Improve classical and quantum

Update on the NIST Post-Quantum Cryptography Project · Update on the NIST Post-Quantum Cryptography Project ... • Guest researchers and invited speakers ... • Post-quantum cryptography

Preparing for post-quantum cryptography in TLS · Assumptions for post-quantum KEMs –Learning with errors, ring-LWE ... TLS:DIV •2017-04-30 Preparing for post-quantum cryptography

Post-quantum cryptography · 2016-09-13 · Post-quantum crypto is crypto that resists attacks by quantum computers. I PQCrypto 2006: International Workshop on Post-Quantum Cryptography

Equivalence of quantum heat machines, and quantum-thermodynamic signatures

Quantum Learning Algorithms and Post-Quantum Cryptography · Quantum Learning Algorithms and Post-Quantum ... 7.1 The Quantum Fourier Transform over ... to a popular science article

Sharing the LUOV: Threshold Post-Quantum Signatures...Sharing the LUOV: Threshold Post-Quantum Signatures Daniele Cozzo1[0000 0001 5289 3769] and Nigel P. Smart1;2[0000 0003 3567 3304]

Post-quantum TLS without handshake signatures · Post-quantum TLS without handshake signatures Full version, May 7, 2020 Peter Schwabe Radboud University peter@cryptojedi.org Douglas

Towards Post-Quantum Bitcoin - LeonIn chapter 3, digital signatures are introduced and their importance in Bitcoin is explained. Two widely-used digital signature schemes, RSA and

Post-Quantum Zero-Knowledge and Signatures from ...Post-Quantum Zero-Knowledge and Signatures from Symmetric-Key Primitives Melissa Chase Microsoft Research melissac@microsoft.com

Post-Quantum Cryptography - QCrypt 20182018.qcrypt.net/wp-content/uploads/2018/slides... · Multivariate Cryptography •First proposal 1988 •Only signatures -> (new proposal for

Quantum signatures of charge ﬂipping vortices in the …liu.diva-portal.org/smash/get/diva2:1057481/FULLTEXT01.pdf · Quantum signatures of charge ﬂipping vortices in the

Post quantum cryptography

Post-Quantum Zero-Knowledge and Signatures from Symmetric ... · Post-Quantum Zero-Knowledge and Signatures from Symmetric-Key Primitives ... non-interactive zero-knowledge proof

Post-quantum cryptography · Post-Quantum Cryptography. Quantum-secure problems Credits: Buchmann, Bindel 2015. Conjectured quantum-secure problems •Solving multivariate quadratic

Observational Signatures of Quantum Gravity in Interferometers