
Surnaming Schemes, Fast Verification, and Applications to SGX Technology

  • Conference paper
Topics in Cryptology – CT-RSA 2017 (CT-RSA 2017)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10159)

Abstract

We introduce a new cryptographic primitive that we call surnaming, which is closely related to digital signatures, but has different syntax and security requirements. While surnaming can be constructed from a digital signature, we show that a direct construction can be somewhat simpler.

We explain how surnaming plays a central role in Intel’s new Software Guard Extensions (SGX) technology, and present its specific surnaming implementation as a special case. These results explain why SGX does not require a PKI or pinned keys for authorizing enclaves.

SGX motivates an interesting question in digital signature design: for reasons explained in the paper, it requires a digital signature scheme where verification must be as fast as possible, the public key must be short, but signature size is less important. We review the RSA-based method currently used in SGX and evaluate its performance.

Finally, we propose a new hash-based signature scheme where verification time is much faster than the RSA scheme used in SGX. Our scheme can be scaled to provide post-quantum security, thus offering a viable alternative to the current SGX surnaming system, for a time when post-quantum security becomes necessary.

Notes

  1. The author (\(\texttt {A}\)) may decide which parts of the \(\texttt {CDM}\) should be baked into the enclave’s identity, by specifying the pages to be measured. For example, non-initialized data, or SSA pages, can be skipped.

  2. This is a conceptual flow, but actual software might implement a different one.

  3. For RSA3072, using \(\texttt {SHA256}\) hash, the PKCS1 pad is (see [17]):

     $$\textsc{PKCS1pad} = \texttt{00\ ||\ 01\ ||\ FF[330B]\ ||\ 00\ ||\ 3031300D060960864801650304020105000420}$$

  4. \(\texttt {EINIT}\) executes the correct padding check anyway, but security does not depend on the padding check.

  5. Buchmann et al. [9] show that when using a 128-bit function f, Winternitz security for a chain of depth 4 and 8 is slightly less than \(2^{128}\). This is because the composition of random functions is slightly easier to invert than inverting the base function f.
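The padding written out in note 3 and the padding check mentioned in note 4, as an added example that is not code from the paper or from Intel SGX: it builds the EMSA-PKCS1-v1_5 encoding for SHA-256 (FF[330B] in the note denotes 330 bytes of 0xFF, which is what 384 - 3 - 19 - 32 gives for a 384-byte RSA3072 modulus once the three framing bytes, the 19-byte DigestInfo prefix and the 32-byte hash are taken out), checks that the constant part of the encoding matches the note byte for byte, and verifies signatures with the strict full-length comparison rather than a lenient scan for the hash. The Miller-Rabin key generator and the public exponent 3 used by the demo are assumptions made so the verifier can be exercised offline; they are not a description of SGX's key material.

```python
"""Added example (not code from the paper or from Intel SGX): the
EMSA-PKCS1-v1_5 encoding from note 3 and the strict padding check from note 4,
plus a toy RSA key generator so the verifier can be exercised offline."""
import hashlib
import hmac
import secrets

# DigestInfo prefix for SHA-256 (RFC 3447, section 9.2, note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
SHA256_LEN = 32


def pkcs1_v15_constant_part(em_len: int) -> bytes:
    """00 || 01 || PS || 00 || DigestInfo prefix, i.e. the encoding minus the hash.
    With em_len = 384 (RSA3072) PS is 384 - 3 - 19 - 32 = 330 bytes of FF,
    the FF[330B] of note 3."""
    t_len = len(SHA256_DIGESTINFO_PREFIX) + SHA256_LEN
    if em_len < t_len + 11:  # RFC 3447 requires at least 8 bytes of PS
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - t_len - 3)
    return b"\x00\x01" + ps + b"\x00" + SHA256_DIGESTINFO_PREFIX


def emsa_pkcs1_v15_encode(message: bytes, em_len: int) -> bytes:
    """Full EMSA-PKCS1-v1_5 encoding of SHA-256(message) into em_len bytes."""
    return pkcs1_v15_constant_part(em_len) + hashlib.sha256(message).digest()


def verify_pkcs1_v15(n: int, e: int, message: bytes, signature: bytes) -> bool:
    """Strict RSASSA-PKCS1-v1_5 verification: recompute the whole expected
    encoding and compare all k bytes of s^e mod n against it, instead of the
    lenient 'find the hash somewhere in the block' check that reference [1]
    warns about."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15_encode(message, k))


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Trial division by small primes, then Miller-Rabin (demo key generation only)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int, e: int) -> int:
    """Random prime with the top bit set and p - 1 not divisible by the (prime) e."""
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if (p - 1) % e != 0 and _is_probable_prime(p):
            return p


def generate_rsa_key(bits: int, e: int) -> tuple:
    """Toy key generation for the demo only; e must be prime (e.g. 3 or 65537)."""
    while True:
        p, q = _random_prime(bits // 2, e), _random_prime(bits // 2, e)
        n = p * q
        if p != q and n.bit_length() == bits:
            return n, e, pow(e, -1, (p - 1) * (q - 1))


def sign_pkcs1_v15(n: int, d: int, message: bytes) -> bytes:
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v15_encode(message, k), "big")
    return pow(m, d, n).to_bytes(k, "big")


def demo_roundtrip(bits: int = 1024, e: int = 3) -> tuple:
    """Sign one constructed message and verify it as is, against another message,
    and with one signature byte flipped: expected (True, False, False).
    Exponent 3 and the 1024-bit size are assumptions for a quick demo key."""
    n, e, d = generate_rsa_key(bits, e)
    msg = b"constructed sample message"
    sig = sign_pkcs1_v15(n, d, msg)
    flipped = sig[:-1] + bytes([sig[-1] ^ 0x01])
    return (verify_pkcs1_v15(n, e, msg, sig),
            verify_pkcs1_v15(n, e, msg + b"!", sig),
            verify_pkcs1_v15(n, e, msg, flipped))


if __name__ == "__main__":
    expected = "0001" + "ff" * 330 + "00" + "3031300d060960864801650304020105000420"
    print("note 3 pad reproduced:", pkcs1_v15_constant_part(384).hex() == expected)
    print("valid / wrong message / flipped byte:", demo_roundtrip())
```

The verifier rejects on length, on s >= n, and on any mismatch across all k bytes, which is what "the correct padding check" amounts to; the constant-time comparison is not required for a public-key operation but costs nothing. Running the script with a 3072-bit key is possible (call `demo_roundtrip(3072, 3)`) but pure-Python prime search for two 1536-bit primes takes noticeably longer than the 1024-bit default.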

References

  1. An attack on RSA digital signature. A NIST document (2006). http://csrc.nist.gov/groups/ST/toolkit/documents/dss/RSAstatement_10-12-06.pdf

  2. Intel® Software Guard Extensions Programming Reference (2014). https://software.intel.com/en-us/isa-extensions/intel-sgx

  3. Anati, I., Gueron, S., Johnson, S., Scarlata, V.: Innovative technology for CPU based attestation and sealing. In: Proceedings of the 2nd International Workshop on Hardware and Architectural Support for Security and Privacy, vol. 13 (2013)

  4. Bellare, M., Rogaway, P.: The exact security of digital signatures-how to sign with RSA and Rabin. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996). doi:10.1007/3-540-68339-9_34

  5. Bernstein, D.J., Hopwood, D., Hülsing, A., Lange, T., Niederhagen, R., Papachristodoulou, L., Schneider, M., Schwabe, P., Wilcox-O’Hearn, Z.: SPHINCS: practical stateless hash-based signatures. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 368–397. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46800-5_15

  6. Bleichenbacher, D., Maurer, U.: On the efficiency of one-time digital signatures. In: Kim, K., Matsumoto, T. (eds.) ASIACRYPT 1996. LNCS, vol. 1163, pp. 145–158. Springer, Heidelberg (1996). doi:10.1007/BFb0034843

  7. Boneh, D., Gueron, S.: Surnaming schemes, fast verification, and applications to SGX technology (2016). http://crypto.stanford.edu/~dabo/pubs/abstracts/surnaming.html

  8. Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. J. Cryptol. 17(4), 297–319 (2004)

  9. Buchmann, J., Dahmen, E., Ereth, S., Hülsing, A., Rückert, M.: On the security of the Winternitz one-time signature scheme. In: Nitaj, A., Pointcheval, D. (eds.) AFRICACRYPT 2011. LNCS, vol. 6737, pp. 363–378. Springer, Heidelberg (2011). doi:10.1007/978-3-642-21969-6_23

  10. Gueron, S.: Quick verification of RSA signatures. In: 2011 Eighth International Conference on Information Technology: New Generations (ITNG), pp. 382–386, April 2011

  11. Gueron, S.: A memory encryption engine suitable for general purpose processors. Cryptology ePrint Archive, Report 2016/204 (2016). http://eprint.iacr.org/

  12. Gueron, S., Krasnov, V.: Improved P256 ECC performance by means of a dedicated function for modular inversion modulo the P256 group order. OpenSSL patch (2015). https://mta.openssl.org/pipermail/openssl-dev/2015-December/003821.html

  13. Gueron, S., Mouha, N.: Simpira v2: a family of efficient permutations using the AES round function. Cryptology ePrint Archive, Report 2016/122 (2016)

  14. Halevi, S., Krawczyk, H.: Strengthening digital signatures via randomized hashing. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 41–59. Springer, Heidelberg (2006). doi:10.1007/11818175_3

  15. Hoekstra, M., Lal, R., Pappachan, P., Phegade, V., Del Cuvillo, J.: Using innovative instructions to create trustworthy software solutions. In: Proceedings of the 2nd International Workshop on Hardware and Architectural Support for Security and Privacy, HASP 2013, p. 11:1. ACM, New York (2013)

  16. Johnson, S., Scarlata, V., Rozas, C., Brickell, E., Mckeen, F.: Intel® Software Guard Extensions: EPID provisioning and attestation services. White Paper (2016)

  17. Kaliski, B.S.: Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1. RFC 3447, October 2015

  18. McKeen, F., Alexandrovich, I., Berenzon, A., Rozas, C.V., Shafi, H., Shanbhogue, V., Savagaonkar, U.R.: Innovative instructions and software model for isolated execution. In: Proceedings of the 2nd International Workshop on Hardware and Architectural Support for Security and Privacy, HASP 2013, p. 10:1. ACM, New York (2013)

  19. Menezes, A.: Another look at HMQV. Cryptology ePrint Archive, Report 2005/205 (2005). http://eprint.iacr.org/

  20. Merkle, R.C.: A certified digital signature. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 218–238. Springer, Heidelberg (1990). doi:10.1007/0-387-34805-0_21

  21. Nyberg, K., Rueppel, A.: A new signature scheme based on the DSA giving message recovery. In: Proceedings of the 1st ACM Conference on Computer and Communications Security, CCS 1993 (1993)

  22. Reyzin, L., Reyzin, N.: Better than BiBa: short one-time signatures with fast signing and verifying. In: Batten, L., Seberry, J. (eds.) ACISP 2002. LNCS, vol. 2384, pp. 144–153. Springer, Heidelberg (2002). doi:10.1007/3-540-45450-0_11

  23. Rivest, R.L., Hellman, M.E., Anderson, J.C., Lyons, J.W.: Responses to NIST’s proposal. Commun. ACM 35(7), 41–54 (1992)

Acknowledgments

The first author is supported by NSF, DARPA, the Simons foundation, and a grant from ONR. Opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of DARPA. The second author is supported by the PQCRYPTO project, which is partially funded by the European Commission Horizon 2020 research Programme, grant #645622, by the Blavatnik Interdisciplinary Cyber Research Center (ICRC) at the Tel Aviv University, and by the ISRAEL SCIENCE FOUNDATION (grant No. 1018/16).

Author information

Correspondence to Shay Gueron.

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Boneh, D., Gueron, S. (2017). Surnaming Schemes, Fast Verification, and Applications to SGX Technology. In: Handschuh, H. (ed.) Topics in Cryptology – CT-RSA 2017. CT-RSA 2017. Lecture Notes in Computer Science, vol 10159. Springer, Cham. https://doi.org/10.1007/978-3-319-52153-4_9

  • DOI: https://doi.org/10.1007/978-3-319-52153-4_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-52152-7

  • Online ISBN: 978-3-319-52153-4

  • eBook Packages: Computer Science (R0)
