
Is Java Card Ready for Hash-Based Signatures?

  • Conference paper
  • First Online:

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11049))

Abstract

The current Java Card platform does not seem to allow for fast implementations of hash-based signature schemes. While the underlying implementation of the cryptographic primitives provided by the API can be fast, thanks to implementations in native code or in hardware, the cumulative overhead of the many separate API calls results in prohibitive performance for many common applications. In this work, we present an implementation of XMSS\(^{MT}\) on the current Java Card platform, and make suggestions on how to improve this platform in future versions.

This work has been supported by the European Commission through the ICT program under contract ICT-645622 (PQCRYPTO), and by the Netherlands Organisation for Scientific Research (NWO) through Veni 2013 project 13114. Date: June 14, 2018.


Notes

  1. Half of these are SIM cards; financial and governmental applications make up most of the remainder.

  2. One could consider \(w = 4\), to speed up the computation at the cost of additional signature size. While the RFC [10] does not specify a specific parameter set, it does explicitly mention \(w=4\) as an option for this purpose.

  3. This requires that \(m'_i \ge m_i\) for all i, but this is sufficiently likely even for random m.

  4. A common and often more natural instantiation relies on the Keccak-based SHAKE [2].

  5. At the time of writing, the Java Card Forum consists of Gemalto, Giesecke & Devrient, IDEMIA, Infineon, jNet ThingX, NXP Semiconductors and STMicroelectronics [8].

  6. This would imply either computing or storing hundreds of WOTS\(^{+}\) leaf nodes per tree layer.

  7. The physical attack of interrupting the power supply to the card, e.g., by removing it from the reader.

  8. This is only required on layers where there is still a ‘next’ tree, which is trivially false for the top-most tree.

  9. A WOTS\(^{+}\) signature costs 536 applications of the chaining function on average, versus 63 hash function calls in the tree.

  10. For example, version 3.0.5 introduces support for SAC/PACE [3, 14], a protocol used in electronic passports.

  11. For example, in the case of the PACE protocol, the choice has been made not to provide a generic API method for elliptic curve point addition, which would enable applet developers to implement PACE themselves, but rather to provide higher-level operations that offer PACE directly as a primitive.

  12. It is also possible to reach a similar invariance by fixing numberOfBlocks, but this still requires multiple hash-function intermediate states in transient memory.
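Notes 2 and 9 treat the Winternitz parameter w as a trade-off between signing time and signature size. The following added example (not code from the paper, nor from any Java Card implementation) makes that trade-off concrete: it derives the WOTS+ chain counts from the parameter formulas in RFC 8391 [10], builds the base-w digits and checksum the way the RFC does, and counts how many chaining-function applications a signer and a verifier perform for one digest. The 32-byte digest `bytes(range(32))` and the extra comparison point w=256 are constructed for illustration; the count covers chain steps only, not the PRF calls that derive keys and masks for each step.

```python
import math


def wots_lengths(n, w):
    """Number of WOTS+ chains for an n-byte digest and Winternitz parameter w,
    following the formulas in RFC 8391, Section 3.1.1 (len_1, len_2, len)."""
    lg_w = int(math.log2(w))
    len_1 = math.ceil(8 * n / lg_w)
    len_2 = math.floor(math.log2(len_1 * (w - 1)) / lg_w) + 1
    return len_1, len_2, len_1 + len_2


def base_w(data, w, out_len):
    """Split a byte string into out_len base-w digits, most significant first
    (the base_w routine of RFC 8391)."""
    lg_w = int(math.log2(w))
    digits = []
    total, bits, idx = 0, 0, 0
    for _ in range(out_len):
        if bits == 0:
            total = data[idx]
            idx += 1
            bits = 8
        bits -= lg_w
        digits.append((total >> bits) & (w - 1))
    return digits


def wots_digits(digest, w):
    """Base-w digits of the digest followed by the checksum digits, i.e. the
    chain positions that a WOTS+ signature on this digest reveals."""
    n = len(digest)
    len_1, len_2, _ = wots_lengths(n, w)
    lg_w = int(math.log2(w))
    msg = base_w(digest, w, len_1)
    csum = sum(w - 1 - d for d in msg)
    # Left-align the checksum so base_w reads whole digits; the trailing "% 8"
    # avoids a pointless 8-bit shift when len_2 * lg_w is already byte-aligned.
    csum <<= (8 - (len_2 * lg_w) % 8) % 8
    csum_bytes = csum.to_bytes(math.ceil(len_2 * lg_w / 8), "big")
    return msg + base_w(csum_bytes, w, len_2)


def wots_costs(digest, w):
    """Signature size in bytes plus the number of chaining-function applications
    the signer (digit sum) and the verifier (remaining steps) each perform."""
    n = len(digest)
    _, _, length = wots_lengths(n, w)
    digits = wots_digits(digest, w)
    sign_steps = sum(digits)
    verify_steps = length * (w - 1) - sign_steps
    return {
        "len": length,
        "sig_bytes": length * n,
        "sign_steps": sign_steps,
        "verify_steps": verify_steps,
    }


# Constructed 32-byte "digest" standing in for a hashed message (assumption:
# n = 32 as in the SHA-256 parameter sets of RFC 8391).
DIGEST = bytes(range(32))

if __name__ == "__main__":
    for w in (4, 16, 256):
        print(f"w={w:3d}", wots_costs(DIGEST, w))
```

Running the block prints, for w=16, a 67-chain signature of 2144 bytes, and for w=4 a 133-chain signature of 4256 bytes whose signing cost on this digest is less than half the w=16 cost, which is the trade-off note 2 describes. The w=256 line shows the other direction: the smallest signature, but chains of up to 255 steps.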

References

  1. Bernstein, D.J., Dobraunig, C., Eichlseder, M., Fluhrer, S., Gazdag, S.-L., Hülsing, A., Kampanakis, P., Kölbl, S., Lange, T., Lauridsen, M.M., Mendel, F., Niederhagen, R., Rechberger, C., Rijneveld, J., Schwabe, P.: SPHINCS+. Submission to NIST’s post-quantum crypto standardization project (2017). https://sphincs.org

  2. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: The Keccak reference, January 2011. http://keccak.noekeon.org/

  3. German Federal Office for Information Security (BSI): Advanced Security Mechanisms for Machine Readable Travel Documents and eIDAS Token. Technical report TR-03110, Version 2.20 (2015)

  4. Buchmann, J., Dahmen, E., Hülsing, A.: XMSS - a practical forward secure signature scheme based on minimal security assumptions. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 117–129. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_8. https://eprint.iacr.org/2011/484

  5. Buchmann, J., Dahmen, E., Schneider, M.: Merkle tree traversal revisited. In: Buchmann, J., Ding, J. (eds.) PQCrypto 2008. LNCS, vol. 5299, pp. 63–78. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-88403-3_5. https://www.cdc.informatik.tu-darmstadt.de/reports/reports/AuthPath.pdf

  6. Hülsing, A., Busold, C., Buchmann, J.: Forward secure signatures on smart cards. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 66–80. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-35999-6_5. https://huelsing.files.wordpress.com/2013/05/xmss-smart.pdf

  7. Eurosmart: Digital security industry to pass the 10 billion mark in 2018 for worldwide shipments of secure elements. Press Release (2017). http://www.eurosmart.com/news-publications/press-release/296

  8. Java Card Forum: About the JCF (2018). https://javacardforum.com. Accessed 12 Mar 2018

  9. Hülsing, A.: W-OTS+ – shorter signatures for hash-based signature schemes. In: Youssef, A., Nitaj, A., Hassanien, A.E. (eds.) AFRICACRYPT 2013. LNCS, vol. 7918, pp. 173–188. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38553-7_10. https://eprint.iacr.org/2017/965

  10. Hülsing, A., Butin, D., Gazdag, S.-L., Rijneveld, J., Mohaisen, A.: XMSS: eXtended Merkle Signature Scheme. Request for Comments 8391 (2018). https://tools.ietf.org/html/rfc8391

  11. Hülsing, A., Rausch, L., Buchmann, J.: Optimal parameters for XMSSMT. In: Cuzzocrea, A., Kittl, C., Simos, D.E., Weippl, E., Xu, L. (eds.) CD-ARES 2013. LNCS, vol. 8128, pp. 194–208. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40588-4_14. https://eprint.iacr.org/2017/966

  12. Hülsing, A., Rijneveld, J., Schwabe, P.: ARMed SPHINCS – computing a 41 KB signature in 16 KB of RAM. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9614, pp. 446–470. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49384-7_17. https://eprint.iacr.org/2015/1042

  13. Hülsing, A., Rijneveld, J., Song, F.: Mitigating multi-target attacks in hash-based signatures. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9614, pp. 387–416. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49384-7_15. https://eprint.iacr.org/2015/1256

  14. International Civil Aviation Organization (ICAO): Supplemental Access Control for Machine Readable Travel Documents. Technical report, Version 1.1 (2014)

  15. Kannwischer, M.J., Genêt, A., Butin, D., Krämer, J., Buchmann, J.: Differential power analysis of XMSS and SPHINCS. In: Fan, J., Gierlichs, B. (eds.) COSADE 2018. LNCS, vol. 10815, pp. 168–188. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-89641-0_10. https://kannwischer.eu/papers/2018_hbs_sca.pdf

  16. Merkle, R.C.: A certified digital signature. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 218–238. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_21. www.merkle.com/papers/Certified1979.pdf

  17. NIST: Post-quantum cryptography: NIST’s plan for the future (2016). http://csrc.nist.gov/groups/ST/post-quantum-crypto/documents/pqcrypto-2016-presentation.pdf

  18. Rohde, S., Eisenbarth, T., Dahmen, E., Buchmann, J., Paar, C.: Fast hash-based signatures on constrained devices. In: Grimaud, G., Standaert, F.-X. (eds.) CARDIS 2008. LNCS, vol. 5189, pp. 104–117. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85893-5_8. https://www-old.cdc.informatik.tu-darmstadt.de/reports/reports/REDBP08.pdf

  19. Rompel, J.: One-way functions are necessary and sufficient for secure signatures. In: Proceedings of the Twenty-Second Annual ACM Symposium on Theory of Computing, pp. 387–394. ACM (1990). https://www.cs.princeton.edu/courses/archive/spr08/cos598D/Rompel.pdf

  20. Safran Identity & Security: The impact of Java Card technology yesterday and tomorrow: Safran Identity & Security celebrates 20 years with the Java Card Forum. Press Release. https://www.morpho.com/en/media/impact-java-card-technology-yesterday-and-tomorrow-safran-identity-security-celebrates-20-years-java-card-forum-20170302. Accessed 12 Mar 2018

Corresponding author

Correspondence to Joost Rijneveld.


Copyright information

© 2018 Springer Nature Switzerland AG


Cite this paper

van der Laan, E., Poll, E., Rijneveld, J., de Ruiter, J., Schwabe, P., Verschuren, J. (2018). Is Java Card Ready for Hash-Based Signatures? In: Inomata, A., Yasuda, K. (eds) Advances in Information and Computer Security. IWSEC 2018. Lecture Notes in Computer Science, vol 11049. Springer, Cham. https://doi.org/10.1007/978-3-319-97916-8_9


  • DOI: https://doi.org/10.1007/978-3-319-97916-8_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-97915-1

  • Online ISBN: 978-3-319-97916-8

  • eBook Packages: Computer Science (R0)