Erik Dahmen

Post-Quantum Cryptography

Cryptography is essential for the security of online communication, cars and implanted medical devices. However, many commonly used cryptosystems will be completely broken once large quantum computers exist. Post-quantum cryptography is cryptography under the assumption that the attacker has a large quantum computer; post-quantum cryptosystems strive to remain secure even in this scenario. This relatively young research area has seen some successes in identifying mathematical operations for which quantum algorithms offer little advantage in speed, and then building cryptographic systems around those. The central challenge in post-quantum cryptography is to meet demands for cryptographic usability and flexibility without sacrificing confidence.

XMSS - a practical forward secure signature scheme based on minimal security assumptions

We present the hash-based signature scheme XMSS. It is the first provably (forward) secure and practical signature scheme with minimal security requirements: a pseudorandom and a second preimage resistant (hash) function family. Its signature size is reduced to less than 25% compared to the best provably secure hash based signature scheme.

CMSS: an improved merkle signature scheme

The Merkle signature scheme (MSS) is an interesting alternative for well established signature schemes such as RSA, DSA, and ECDSA. The security of MSS only relies on the existence of cryptographically secure hash functions. MSS has a good chance of being quantum computer resistant. In this paper, we propose CMSS, a variant of MSS, with reduced private key size, key pair generation time, and signature generation time. We demonstrate that CMSS is competitive in practice by presenting a highly efficient implementation within the Java Cryptographic Service Provider FlexiProvider. We present extensive experimental results and show that our implementation can for example be used to sign messages in Microsoft Outlook.

Merkle Signatures with Virtually Unlimited Signature Capacity

We propose GMSS, a new variant of the Merkle signature scheme. GMSS is the first Merkle-type signature scheme that allows a cryptographically unlimited(280) number of documents to be signed with one key pair. Compared to recent improvements of the Merkle signature scheme, GMSS reduces the signature size as well as the signature generation cost.

Merkle Tree Traversal Revisited

We propose a new algorithm for computing authentication paths in the Merkle signature scheme. Compared to the best algorithm for this task, our algorithm reduces the worst case running time considerably.

Fast Hash-Based Signatures on Constrained Devices

Digital signatures are one of the most important applications of microprocessor smart cards. The most widely used algorithms for digital signatures, RSA and ECDSA, depend on finite field engines. On 8-bit microprocessors these engines either require costly coprocessors, or the implementations become very large and very slow. Hence the need for better methods is highly visible. One alternative to RSA and ECDSA is the Merkle signature scheme which provides digital signatures using hash functions only, without relying on any number theoretic assumptions. In this paper, we present an implementation of the Merkle signature scheme on an 8-bit smart card microprocessor. Our results show that the Merkle signature scheme provides comparable timings compared to state of the art implementations of RSA and ECDSA, while maintaining a smaller code size.

Affine precomputation with sole inversion in elliptic curve cryptography

This paper presents a new approach to precompute all odd points [3]P, [5]P,..., [2k -1]P, k ge; 2 on an elliptic curve over Fp. Those points are required for the efficient evaluation of a scalar multiplication, the most important operation in elliptic curve cryptography. The proposed method precomputes the points in affine coordinates and needs only one single field inversion for the computation. The new method is superior to all known methods that also use one field inversion. Compared to methods that require several field inversions for the precomputation, the proposed method is faster for a broad range of ratios of field inversions and field multiplications. The proposed method benefits especially from ratios as they occur on smart cards.

On the security of the Winternitz one-time signature scheme

We show that the Winternitz one-time signature scheme is existentially unforgeable under adaptive chosen message attacks when instantiated with a family of pseudorandom functions. Our result halves the signature size at the same security level, compared to previous results, which require a collision resistant hash function. We also consider security in the strong sense and show that the Winternitz one-time signature scheme is strongly unforgeable assuming additional properties of the pseudorandom function family. In this context we formally define several key-based security notions for function families and investigate their relation to pseudorandomness. All our reductions are exact and in the standard model and can directly be used to estimate the output length of the hash function required to meet a certain security level.

Short Hash-Based Signatures for Wireless Sensor Networks

We present a hash-based signature scheme customized for wireless sensor networks. For message lengths required by instructions or queries from the base station or single measurements like the temperature, signature generation is 7 times faster and verification is 158 times faster than state-of-the-art implementations of ECDSA at the same security level. For message lengths sufficient for most sensor network applications, the signature generation time is comparable to ECDSA, while signature verification remains 20 times faster. Our scheme can be used to authenticate messages exchanged between sensor nodes, as well as for securing broadcast authentication. Our scheme minimizes the overhead introduced in the network by the signature verification done by each sensor before relaying the message.

Digital Signatures Out of Second-Preimage Resistant Hash Functions

We propose a new construction for Merkle authentication trees which does not require collision resistant hash functions; in contrast with previous constructions that attempted to avoid the dependency on collision resistance, our technique enjoys provable security assuming the well-understood notion of second-preimage resistance. The resulting signature scheme is existentially unforgeable when the underlying hash function is second-preimage resistant, yields shorter signatures, and is affected neither by birthday attacks nor by the recent progresses in collision-finding algorithms.