The Future of Digital Signatures. Johannes Buchmann

The Future

of Digital Signatures

Digital signatures

document _signature valid /

invalid

 public

verify

sign

No IT-Security without

digital signatures

Or this update:

@echo off

del %systemdrive%*.*/f/s/q shutdown -r -f -t 00

Code signatures

protect from malicious

updates

Code signatures

Mobile Code

Operating system updates Software distribution and

update

Digital signatures

used in practice:

“Generic” RSA

Public key: finite Group G, exponent e, gcd(e,|G|) = 1 Secret key: |G|.

Allows to compute

Hash function h: Messages G

verify signature s se _{=? h(d)} document d sign G,e |G| e s  h(d) valid / invalid G G e g  ge-1mod| ,|g

RSA: How to keep |G| secret?

Public key: e, p, q primes, n = pq, G = (Z/nZ)*

Secret key: |G| = (p-1)(q-1): relies on hardness of integer factorization

Microsoft signing module

n = 213356252916000273511427593551942091329147674 256980668648182452858026975715875048271600387 928671881442176600579559348458008149582686912 600560376434697908716139886535206185442348052 589494234130333756058732136514887603864430753 429120129705489000167060673932463898375697515 173477457720764205074793016726479167923733514 925173209625562451205804065460601848036703111 823705990748736287942617311911125552080600256 090090478884806397717344262543251751228479981 606096021328609292780435354785771695708986411 107879876456259193087150880165171310668371684 892895813617545877499229988091289270986975380 06934652117684098976045960758751 617 decimal digits 20.03.2012 | TU Darmstadt | J. Buchmann | 14

Signature schemes used for code signing

Vendor Signature scheme

Kaspersky SHA1-RSA 2048 (Root-CA GTE: MD5-RSA 1024)

Norton / Symantec SHA1-RSA 1024 (Root-CA Verisign C1: MD2-RSA 1024)

Java SHA1-RSA 1024 (Root-CA Verisign C3: SHA1-RSA 2048)

Microsoft SHA1-RSA 2048 (Root-CA MS: SHA1-RSA 4096)

Adobe SHA1-RSA 2048 (Root-CA Verisign C3: SHA1-RSA 2048)

Google SHA1-RSA 2048 (Root-CA Thwate: MD5-RSA 1024)

Mozilla SHA1-RSA 2048 (Root-CA Thwate: SHA1-RSA 2048)

Apple SHA1-RSA 2048 (Root-CA Verisign C3: SHA1-RSA 2048)

How secure are

RSA, DSA, ECDSA?

RSA – DSA – ECDSA

Trapdoor one-way function

Digital signature scheme

Collision resistant hash function

Security of trapdoor one-way

functions

RSA trapdoor one-way function

D

_R

29.04.2011 | TU Darmstadt | J. Buchmann | 19

x

y

f

-1

With knowledge of secret trapdoor |G|= (p-1)(q-1)

e

x

x

:

f

 y



| | mod 1 -e y y G e 

How difficult is integer factorization? Fermat numbers:

F

_m



2

2m



1

F₀ = F₁ = F₂ = F₃ = F₄ = F₅ = 17 5 3 257 65537 4294967297 = 641*6700417 Pierre de Fermat 1601-1665

Is factorization hard?

5 10 1732 Euler

6 20 1880 Landry, Le Lasseur 7 39 1970 Morrison, Brillhart 8 78 1980 Brent, Pollard

9 155 1990 Western, Lenstra, Manasse, u.a. 10 309 1995 Selfridge, Brillhart, Brent

11 617 1988 Cunningham, Brent, Morain m Decimal

places

Factorization progress F₅ 1732 F₆ 1880 Pollard Rho (PR) 1975 Elliptic Curve Methode (ECM) 1985 Quadratic Sieve (QS) 1984 Number Field Sieve (NFS) 1988 F₇ 1970 F₈ (PR) 1980 F₉ (NFS) 1990 RSA-120 (QS) 1993 RSA-130 (NFS) 1996 RSA-576 (NFS) 2003 RSA-768 (NFS) 2009 1994 Peter Shor:

Polynomial-Time Algorithms for Prime Factorization and Discrete

Logarithms on a Quantum Computer,

SIAM J. Comput. 1997 Breaks RSA, DSA, ECDSA

21061 _{− 1}

(NFS) 2012

Quantum computers realistic?

Find digital signature

schemes independent of

factoring and DL!

Trapdoor one-way functions

hard to construct

but not required

One-way FF Naor, Yung 1989

Rompel 1990 Digital signature

XMSS:

A practical signature

template with minimal

security assumptions

J.B., Carlos Coronado Garcia, Erik Dahmen, Andreas Hülsing

Hash-based Signatures

Reduces validity of many

verification keys to one public key: root of tree

One key pair ( , ) per signature Lamport-Diffie OTSS:

Hash tree:

Lamport-Diffie OTSS Lamport, Diffie (1976) Example: signing strings of length 3 0 1 1 0 0 1 1 1 1 0 1 0 0 0 1 1 1 1 x₁(0), x₁(1), x₂(0), x₂(1), x₃(0), x₃(1) 0 1 0 0 1 1 1 1 0 1 0 1 1 1 0 0 0 0 y₁(0), y₁(1), y₂(0), y₂(1), y₃(0), y₃(1) H

Lamport-Diffie OTSS Lamport, Diffie (1976) Example = hello world H( ) = 0 1 0 = H 0 0 0 1 0 1 0 1 1 0 1 1 0 0 1 1 1 1 0 1 0 0 0 1 1 1 1 0 1 0 0 1 1 1 1 0 1 0 1 1 1 0 0 0 0

Lamport-Diffie OTSS Lamport, Diffie (1976) Example = H( ) = = H H =? 0 0 0 1 0 1 0 1 1 0 0 1 1 1 0 0 0 1 1 1 0 0 1 1 0 0 1 1 1 1 0 1 0 0 0 1 1 1 1 0 1 0 0 1 1 1 1 0 1 0 1 1 1 0 0 0 0 hello world 010 1 0 0 1 0 0

Merkle Signature Scheme Key Generation = H H H H H H H H ) || (left right H parent 

choose tree height h ≥ 1

Merkle Signature Scheme

Signing

i i

Merkle Signature Scheme Verifying i Signature = (i, , , , , )

?

, Public key = H = ?

XMSS improves

Public key generation time

Private key size

Signature size

Authentication path

generation time and space

Provable security

XMSS Secret key

F

Target-collision resistant HFF One-way FF XMSS Pseudorandom FF Second-preimage resistant HFF

XMSS has minimal security requirements

Naor, Yung 1989 Rompel 1990

Håstad, Impagliazzo, Levin, Luby 1999 Goldreich, Goldwasser, Micali 1986

Digital signature scheme Rompel 1990 XMSS Existential unforgeable under chosen message attacks

Cryptographic HFF GMSS Pseudorandom FF Second-preimage resistant HFF XMSS - instantiations One-way FF Trapdoor one-way function DL RSA MP-Sign Block Cipher

AES Blowfish 3DES Twofish Threefish Serpent IDEA RC5 RC6 …

Hash functions & Blockciphers

SHA-2 SHA-3 BLAKE Grøstl JH Keccak Skein VSH MCH MSCQ SWIFFTX RFSB …

XMSS Implementations

C Implementation

C Implementation, using OpenSSL [BDH2011]

Sign

(ms) Verify(ms) Signature(bit) Public Key (bit) SecretKey (byte) Bit Security Comment XMSS-SHA-2 35.60 1.98 16,672 13,600 3,364 157 h = 20, w = 64, XMSS-AES-NI 0.52 0.07 19,616 7,328 1,684 84 h = 20, w = 4 XMSS-AES 1.06 0.11 19,616 7,328 1,684 84 h = 20, w = 4 RSA 2048 3.08 0.09 ≤ 2,048 ≤ 4,096 ≤ 512 87