Citation Context

...ds to find the one that was used to generate the key. The True Random Number Generator included in the SLE78 should be applicable for this function, as it meets the quality criteria defined in AIS-31 =-=[SK]-=-. 3.3.3 Non-Volatile Memory Non-Volatile Memory (NVM) is used to store persistent data that must be available in the next session, even when the card is unpowered. It is organized in sectors which con...

Citation Context

...ended Merkle scheme also comes with an interesting property called Forward Security. The idea of Forward Security for digital signature schemes was originally proposed in [And02] and later defined in =-=[BM99]-=-. It means that even if a signature key is compromised at some point in time, an attacker is not able to forge previously generated signatures. Therefore signatures issued before this point can remain...

Citation Context

... hash function. It was introduced by Ralph Merkle in [Mer89]. An overview of the complete scheme and description of the algorithms for tree hashing and authentication path computation can be found in =-=[BBD08]-=-. This also includes the extensions CMSS and GMSS explained later. The Merkle scheme uses a binary hash tree of height H as shown in figure 2.1, where every leaf node corresponds to the hash value of ...

Citation Context

...le-Block-Length Constructions AES supports only a block length of 128 bit. In order to achieve a security level of 128 bit and more, it could be used in a double-block-length construction like Hirose =-=[Hir06]-=-. This would probably increase run times and memory requirements by a factor of two. 7.1.4 Parameter Combinations The signature scheme has four parameters, which determine the number of possible signa...

Citation Context

...The security level in bit of symmetric key algorithms compared to key sizes in Finite Field Cryptography (FFC), Integer Factorization Cryptography (IFC) and Elliptic Curve Cryptography (ECC). Source: =-=[NIS07]-=- Table 6.4 shows a comparison of the security level of cryptographic algorithm classes as proposed by the National Institute of Standards and Technology (NIST) in section 5.6.1 of its Special Publicat...

Citation Context

...for h = 1, . . . , H. The signature is valid, iff the output n H equals the root of the Merkle public key. 2.4 Extended Merkle Signature Scheme The Extended Merkle Signature Scheme (XMSS) proposed in =-=[BH11]-=- differs from the original scheme in the generation of leaf and parent nodes. Additionally the computation of one-time seeds is modified in section 2.4.1 using the forward secure pseudo-random-generat...

Citation Context

...Parent where the left and right child nodes are concatenated. 8 2 Hash-based Signatures2.2 Winternitz One-Time Signature Scheme The Winternitz One-Time Signature Scheme (WOTS) was first described in =-=[Mer89]-=-. My implementation uses a slightly modified version from [BDE + 11]. As described in this paper, the required one-way function is implemented with a PRF family where the input x ∈ {0, 1} n is chosen ...

Citation Context

...ime. After 2 H steps the root is the only remaining node on the stack. 2.3.3 Authentication Path Generation The authentication path for the next leaf s + 1 is generated with algorithm 2.2 proposed in =-=[BDS08]-=- from the current algorithm state, including the previous authentication path. First we define τ as the height of the first ancestor of the current leaf s, which is a left node. If s itself is a left ...

Citation Context

...dds forward security to the complete scheme. The necessary signature order follows directly from their numbering. The idea to insert random bit masks into the tree construction was first described in =-=[DOTC08]-=-. With this extension it can be proven that the signature scheme is existentially unforgeable, provided that the used hash function is second-preimage resistant. This is a significant advantage over t...

Citation Context

...ia EAL5+ certification. Figure 3.4 shows its architecture in a block diagram. All following information including the diagram are taken from the Programmer’s [Inf11] and the Hardware Reference Manual =-=[Inf10]-=- for the SLx70 family. Core Memories Coprocessors MMU ROM RAM EEPROM Flash SCP Crypto @2304T CPU Cache EDU MED ITP IMM Power Unit Clock Unit RF PRNG TRNG UART Timers Control Peripherals Figure 3.4: Bl...

Citation Context

...y Infineon Technologies with Common Criteria EAL5+ certification. Figure 3.4 shows its architecture in a block diagram. All following information including the diagram are taken from the Programmer’s =-=[Inf11]-=- and the Hardware Reference Manual [Inf10] for the SLx70 family. Core Memories Coprocessors MMU ROM RAM EEPROM Flash SCP Crypto @2304T CPU Cache EDU MED ITP IMM Power Unit Clock Unit RF PRNG TRNG UART...