Cryptography Reference
In-Depth Information
Table 1. XMSS performance for $H = 20$, $m = 256$. $b$ denotes the bit security. * Using AES-NI. ** Although the authors of [14] mention the possibility to generate the secret key using a pseudorandom generator, this is not covered by their security proof. For the provided values a secret key of size $2^H \cdot n$ is assumed. A secret key size of 152 bits is possible, slightly reducing the bit security. Hence we exclude this value from the comparison for fairness.
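| Function        | w   | Sign (ms) | Verify (ms) | Keygen (ms)  | Signature (bit) | Public key (bit) | Secret key (bit) | b   |
|-----------------|-----|-----------|-------------|--------------|-----------------|------------------|------------------|-----|
| AES-128*        | 4   | 1.72      | 0.11        | 109,610.45   | 19,608          | 7,296            | 152              | 82  |
| AES-128         | 4   | 2.87      | 0.22        | 158,208.49   | 19,608          | 7,296            | 152              | 82  |
| SHA-256         | 4   | 6.30      | 0.51        | 408,687.43   | 39,192          | 13,568           | 280              | 210 |
| SHA-256         | 16  | 7.00      | 0.52        | 466,236.55   | 22,296          | 13,568           | 280              | 196 |
| SHA-256         | 64  | 15.17     | 1.02        | 1,099,377.18 | 16,664          | 13,568           | 280              | 146 |
| SHA-256         | 108 | 33.47     | 2.34        | 2,288,355.24 | 15,384          | 13,568           | 280              | 100 |
| RSA 2048        |     | 3.08      | 0.09        | -            | ≤ 2048          | ≤ 4096           | ≤ 4096           | 87  |
| DSA 2048        |     | 0.89      | 1.06        | -            | ≤ 2048          | ≤ 4096           | ≤ 4096           | 87  |
| MSS-SPR (n=128) |     |           |             |              | 68,096          | 7680             | -**              | 98  |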
For $H(n)$ we use Hash without modifications, as we only need a randomly chosen element of $H(n)$ and not the whole family. We follow the standard assumption for the security of keyless hash functions. It assumes that a keyless hash function is an element of a family of hash functions, chosen uniformly at random.
Next we present the constructions using a block cipher $E(K, M)$ with block and key length $n$ bit. This is of special interest in the case of AES, because many smartcard crypto co-processors and also most current Intel processors provide hardware acceleration for AES. For $F(n)$ we use $E$ without modification, as a standard assumption states that a good block cipher can be modelled as a pseudorandom permutation.
$H(n)$ is constructed as $h_K(M) = C_2$ for $M = M_1 \| M_2$, with

$$C_i = E_{C_{i-1}}(M_i) \oplus M_i, \quad C_0 = K, \quad 0 \le i \le 2$$

in M-D mode. In [7] the authors give a black box proof for the security of this construction. We do not use M-D strengthening, as our domain has fixed size.
Table 1 shows our results on an Intel(R) Core(TM) i5 CPU M540 @ 2.53GHz with Infineon AES-NI² for XMSS. For the forward secure construction the signature key size grows to 10,240 bits (5,120 bits) for SHA-256 (AES-128), respectively. We used a tree height $H = 20$. This leads to instances usable for about one million signatures. Further we assumed a message length of $m = 256$ bit. The last column of the table shows the bit security of the configuration. Following the heuristic of Lenstra and Verheul [23] the AES configuration with bit security 82 is secure until 2015. The SHA-256 configurations with bit security 100 (146, 196, 210) are secure until 2039 (2099, 2164, 2182). According to [23], RSA as well as
² http://software.intel.com/en-us/articles/intel-advanced-encryption-standard-instructions-aes-ni