Hash-based signatures & Hash-and-sign without collision-resistance

Transcription

1 Hash-based signatures & Hash-and-sign without collision-resistance Andreas Hülsing

2 Hash-based Signature Schemes [Mer89] Post quantum Only secure hash function Security well understood Fast PAGE 2

3 RSA DSA EC-DSA... Intractability Assumption Cryptographic hash function RSA, DH, SVP, MQ, Digital signature scheme PAGE 3

4 (Hash) function families H n h k : {0,1} m n {0,1} n m(n) n efficient {0,1} n h k m n {0,1}

5 One-wayness H n h k : {0,1} m n {0,1} n y c, k h $ k H n x $ {0,1} h k x y c m n Success if h k x = y c x

6 Collision resistance H n h k : {0,1} m n {0,1} n k h k $ H n Success if h k x 1 = h k x 2 (x 1, x 2 )

7 Second-preimage resistance H n h k : {0,1} m n {0,1} n x c, k h $ k H n x $ m n c {0,1} Success if h k x c = h k x x

8 Undetectability H n h k : {0,1} m n {0,1} n h k $ H n b $ {0,1} If b = 1 else x $ m n {0,1} y c h k (x) y c $ {0,1} n y c, k b*

9 Pseudorandomness H n h k : {0,1} m n {0,1} n 1 n b x y = g(x) g If b = 1 g $ H n else g $ U m n,n b*

10 Assumption / Attacks Hash-function properties stronger / easier to break Collision-Resistance 2 nd -Preimage- Resistance weaker / harder to break One-way Pseudorandom PAGE 10

11 Attacks on Hash Functions MD5 Collisions (theo.) MD5 Collisions (practical!) SHA-1 Collisions (theo.) MD5 & SHA-1 No (Second-) Preimage Attacks! PAGE 11

12 Basic Construction PAGE 12

13 Lamport-Diffie OTS [Lam79] Message M = b1,,bm, OWF H * = n bit SK PK sk 1,0 sk 1,1 sk m,0 sk m,1 H H H H H H pk 1,0 pk 1,1 pk m,0 pk m,1 b1 Mux b2 Mux bm Mux Sig sk 1,b1 sk m,bm PAGE 13

14 EU-CMA for OTS pk, 1 n sk M (σ, M) SIGN (σ, M ) Success if M M and Verify pk, σ, M = Accept TU Darmstadt Andreas Hülsing 14

15 Security Theorem: If H is one-way then LD-OTS is one-time eu-cmasecure.

16 Reduction Input: y c, k Set H h k Replace random pk i,b sk 1,0 sk 1,1 sk m,0 sk m,1 H H H H H H pk 1,0 pk 1,1 y c pk m,0 pk m,1

17 Reduction Input: y c, k Set H h k Adv. Message: M = b1,,bm If bi = b return fail else return Sign(M) Replace random pk i,b? sk 1,0 sk 1,1 sk m,0 sk m,1 H H H H H pk 1,0 pk 1,1 y c pk m,0 pk m,1 b1 Mux b2 Mux bm Mux sk 1,b1 sk m,bm

18 Reduction Input: y c, k Set H h k Choose random pk i,b Forgery: M* = b1*,,bm*, σ = σ 1,, σ m If bi b return fail Else return σ i? σ i sk 1,0 sk 1,1 σ i sk m,0 sk m,1 H H H H H pk 1,0 pk 1,1 y c pk m,0 pk m,1

19 Reduction - Analysis Abort in two cases: 1. bi = b probability ½ : b is a random bit 2. bi b probability 1-1/m: At least one bit has to flip as M* M Reduction succeeds with A s success probability times 1/2m.

20 Merkle s Hash-based Signatures PK H SIG = (i=2,,,,, ) H OTS H H H H H H H H H H H H H OTS OTS OTS OTS OTS OTS OTS OTS SK PAGE 20

21 Security Theorem: MSS is eu-cma-secure if OTS is a one-time eu-cma secure signature scheme and H is a random element from a family of collision resistant hash functions.

22 Reduction Input: k, pk OTS 1. Choose random 0 i < 2 h 2. Generate key pair using pk OTS as ith OTS public key and H h k 3. Answer all signature queries using sk or sign oracle (for index i) 4. Extract OTS-forgery or collision from forgery

23 Reduction (Step 4, Extraction) Forgery: (i, σ OTS 1. If pk OTS, pk OTS, AUTH) equals OTS pk we used for i OTS, we got an OTS forgery. Can only be used if i = i. 2. Else adversary used different OTS pk. Hence, different leaves. Still same root! Pigeon-hole principle: Collision on path to root.

24 Winternitz-OTS

25 Recap LD-OTS [Lam79] Message M = b1,,bm, OWF H * = n bit SK sk 1,0 sk 1,1 sk m,0 sk m,1 H H H H H H PK pk 1,0 pk 1,1 pk m,0 pk m,1 b1 Mux b2 Mux bn Mux Sig sk 1,b1 sk m,bm

26 LD-OTS in MSS SIG = (i=2,,,,, ) Verification: 1. Verify 2. Verify authenticity of We can do better!

27 Trivial Optimization Message M = b1,,bm, OWF H * = n bit SK sk 1,0 sk 1,1 sk m,0 sk m,1 H H H H H H PK pk 1,0 pk 1,1 pk m,0 pk m,1 b1 Mux Mux b1 bm Mux Mux bm Sig sig 1,0 sig 1,1 sig m,0 sig m,1

28 Optimized LD-OTS in MSS Verification: X SIG = (i=2,,,,, ) 1. Compute from 2. Verify authenticity of Steps together verify

29 Germans love their Ordnung! Message M = b 1,,b m, OWF H SK: sk 1,,sk m,sk m+1,,sk 2m PK: H(sk 1 ),,H(sk m ),H(sk m+1 ),,H(sk 2m ) Encode M: M = M M = b 1,,b m, b 1,, b m (instead of b 1, b 1,,b m, b m ) Sig: sig i = sk i, if b i = 1 H(sk i ), otherwise Checksum with bad performance!

30 Optimized LD-OTS Message M = b 1,,b m, OWF H SK: sk 1,,sk m,sk m+1,,sk m+log m PK: H(sk 1 ),,H(sk m ),H(sk m+1 ),,H(sk m+log m ) Encode M: M = b 1,,b m, 1 m b i Sig: sig i = sk i, if b i = 1 H(sk i ), otherwise IF one b i is flipped from 1 to 0, another b j will flip from 0 to 1

31 Function chains Function family: H n h k : {0,1} n {0,1} n h k $ H n Parameter w Chain: c i ( x) i 1 h k ( c ( x)) hk hk hk ( x) i times c 0 (x) = x c 1 (x) = h k (x) c w 1 (x)

32 WOTS Winternitz parameter w, security parameter n, message length m, function family H n c 0 (sk 1 ) = sk 1 Key Generation: Compute l, sample h k pk 1 = c w-1 (sk 1 ) c 1 (sk 1 ) c 1 (sk l ) pk l = c w-1 (sk l ) c 0 (sk l ) = sk l

33 WOTS Signature generation M b 1 b 2 b 3 b 4 b m b m +1 b m +2 b l c 0 (sk 1 ) = sk 1 pk 1 = c w-1 (sk 1 ) C σ 1 =c b 1(sk 1 ) Signature: σ = (σ 1,, σ l ) pk l = c w-1 (sk l ) c 0 (sk l ) = sk l σ l =c b l (sk l )

34 WOTS Signature Verification Verifier knows: M, w b 1 b 2 b 3 b 4 b m b m +1 b l 1+2 b l σ 1 Signature: σ = (σ 1,, σ l ) c 1 (σ 1 ) c 2 (σ 1 ) c 3 (σ 1 ) σ l pk 1 =? c w 1 b 1 (σ 1 ) pk l =? c w 1 b l (σ l )

35 WOTS Function Chains For x 0,1 n define c 0 x = x and WOTS: c i x = h k (c i 1 x ) WOTS $ : c i x = h c i 1 x (r) WOTS + : c i x = h k (c i 1 x r i )

36 WOTS Security Theorem (informally): W-OTS is strongly unforgeable under chosen message attacks if H n is a collision resistant family of undetectable one-way functions. W-OTS $ is existentially unforgeable under chosen message attacks if H n is a pseudorandom function family. W-OTS + is strongly unforgeable under chosen message attacks if H n is a 2 nd -preimage resistant family of undetectable one-way functions.

37 XMSS

38 XMSS Tree: Uses bitmasks Leafs: Use binary tree with bitmasks OTS: WOTS + Mesage digest: Randomized hashing Collision-resilient -> signature size halved H b i H

39 Multi-Tree XMSS Uses multiple layers of trees -> Key generation (= Building first tree on each layer) Θ(2 h ) Θ(d2 h/d ) -> Allows to reduce worst-case signing times Θ(h/2) Θ(h/2d)

40 How to Eliminate the State

41 Protest? PAGE

42 Few-Time Signature Schemes PAGE 43

43 Recap LD-OTS Message M = b1,,bn, OWF H * = n bit SK PK sk 1,0 sk 1,1 sk n,0 sk n,1 H H H H H H pk 1,0 pk 1,1 pk n,0 pk n,1 b1 Mux b2 Mux bn Mux Sig sk 1,b1 sk n,bn PAGE 44

44 HORS [RR02] Message M, OWF H, CRHF H = n bit Parameters t=2 a,k, with m = ka (typical a=16, k=32) * SK sk 1 sk 2 sk t-1 sk t H H H H H H PK pk 1 pk 1 pk t-1 pk t PAGE 45

45 HORS mapping function Message M, OWF H, CRHF H = n bit Parameters t=2 a,k, with m = ka (typical a=16, k=32) * M H b 1 b 2 b a b ar i 1 i k PAGE 46

46 HORS Message M, OWF H, CRHF H * = n bit Parameters t=2 a,k, with m = ka (typical a=16, k=32) SK sk 1 sk 2 sk t-1 sk t H H H H H H PK pk 1 pk 1 pk t-1 pk t H (M) b 1 b 2 b a b a+1 b ka-2 b ka-1 b ka i 1 Mux Mux i k sk i1 sk ik PAGE 47

47 HORS Security M mapped to k element index set M i {1,, t} k Each signature publishes k out of t secrets Either break one-wayness or r-subset-resilience: After seeing index sets M i j for r messages msg j, 1 j r, hard to find msg r+1 i msg j such that M r+1 1 j r M i j. Best generic attack: Succ r-ssr (A, q) = q rk t Security shrinks with each signature! k PAGE 48

48 HORST Using HORS with MSS requires adding PK (tn) to MSS signature. HORST: Merkle Tree on top of HORS-PK New PK = Root Publish Authentication Paths for HORS signature values PK can be computed from Sig With optimizations: tn (k(log t x + 1) + 2 x )n E.g. SPHINCS-256: 2 MB 16 KB Use randomized message hash PAGE 49

49 SPHINCS Stateless Scheme XMSS MT + HORST + (pseudo-)random index Collision-resilient Deterministic signing SPHINCS-256: 128-bit post-quantum secure Hundrest of signatures / sec 41 kb signature 1 kb keys

50 Hash & sign without collision resistance

51 PKC with variable-length inputs Hard to build variable input length constructions (Schoolbook RSA) Direct constructions are inefficient (See the hash-based constructions for long messages) Full adversarial control over input can harm security (Schoolbook RSA) For encryption: Use hybrid encryption -> PKE only encrypts short symmetric key. For signatures: Hash-and-sign -> SIG only signs short message digest

52 Security of Hash & Sign Theorem. Given an EU-CMA-secure Signature scheme for fixed-length inputs and a collision-resistant family of hash functions. The hash & sign signature scheme for varibable-length inputs, obtained by first applying a hash function from the family and then signing the resulting digest, is EU-CMA-secure.

53 Reminder EU-CMA PK, 1 n SK q M i (σ i, M i ) SIGN (σ*, M*) Success if M* M i, Ɐ i [0, q] and Verify(pk,σ*,M*) = Accept

54 Security of Hash & Sign Reduction Input: pk & access to SIGN, hash function key k. Output: Forgery or collision. Give (pk, k) as public key to A. Answer signing queries M i computing md i = h k (M i ) and sending md i to SIGN. Given forgery (M, σ ) compute md = h k (M ) If i q: md == md i, return collision (M, M i ) Else, return forgery (md, σ )

55

56 Recall: Attacks on Hash Functions MD5 Collisions (theo.) MD5 Collisions (practical!) SHA-1 Collisions (theo.) MD5 & SHA-1 No (Second-) Preimage Attacks! PAGE 57

57 Target-collision resistance (TCR) H n h k : {0,1} m n {0,1} n Run 1 Run 2 H n x c, k, S h k $ H n Success if h k x c = h k x x c, S x

58 Assumption / Attacks Target-collision resistance stronger / easier to break Collision-Resistance 2 nd -Preimage- Resistance TCR weaker / harder to break One-way Pseudorandom

59 TCR vs. SPR TCR -> SPR: Note that A in Run 2 is just an SPR adversary! Every TCR function family must be SPR! SPR -> TCR: Per construction Given a SPR function, use key of length m Key the function by XORing key to message: h k x = h(x k)

60 TCR of XOR construction Reduction Input: SPR function h, target x c Output: Second-preimage x for x c Run TCR adversary A to obtain x c Compute k = x c x c Output x = x x c x c Note: h k x c = h x c k = h x c x c x c = h x c = h k x = h x k = h x x c x c = h(x )

61 TCR Hash & Sign Input: Fixed input-length signature scheme SIG=(KeyGen,Sign, Verify), TCR function family Output: Variable input length signature scheme SIG KeyGen = KeyGen Sign : Given M, sk sample random function key k, compute md = h k (M), compute σ = Sign((k md), sk), return σ = (k, σ) Verify : Compute md = h k (M), output Verify((k md), σ, pk)

62 Security of TCR Hash & Sign Reduction Input: pk & access to SIGN, hash function key k oracle. Output: Forgery or target-collision. Give pk as public key to A. Answer signing queries M i sending M i to oracle to get k i, computing md i = h k (M i ) and sending md i to SIGN. Given forgery (M, σ ) = (M, (k, σ )) compute md = h k (M ) If i q: md == md i, return collision (k i, M, M i ) Else, return forgery (md, σ )

63 Note: If the k i weren t signed, the second-to-last step wouldn t work! An adversary could output a forgery (M, σ ) = (M, (k, σ )) such that h k M = md = md i = h ki M i, for some i q, but k k i. Hence, (k i, M, M i ) is no target-collision! However, σ i still works as signature for md. EU-CMA of fixed-length input SIG not violated! Really need to sign keys!

64 Problem using XOR-construction: Key-length == Message-length Sign((k md), sk) We have to sign messages of length hash function key-length + digest length Even decreased possible message length!

65 Bellare & Rogway: XOR-tree m Reduce key-length to 2n log 2. (m-bit message, n-bit n digest) Given SPR hash h: 0,1 2n 0,1 n split message into m, n-bit blocks n m Build binary hash tree of height t = log 2 using n message blocks as leaves. (Assume t is integer) Keying: Split key into t 2n-bit blocks b j called bitmasks. XOR values on level j with j-th bitmask before applying h md is root of tree

66 NODE i,j j = H h b l,j XOR XOR b r,j j = 0 NODE 2i,j-1 NODE 2i+1,j-1

67 XOR-tree Reduction Input: SPR function h, target x c Output: Second-preimage x for x c Select random node N i,j in tree Given message M, compute tree up to children N 2i,j 1, N 2i +1,j 1 of N i,j, sampling the required b j at random. Select b j = (N 2i,j 1 N 2i +1,j 1 ) x c

68 XOR-tree Reduction, cont d Input: SPR function h, target x c Output: Second-preimage x for x c Select b j = (N 2i,j 1 N 2i +1,j 1 ) x c N i,j = h N 2i,j 1 N 2i +1,j 1 b j = h N 2i,j 1 N 2i +1,j 1 (N 2i,j 1 N 2i +1,j 1 ) x c = h(x c )

69 XOR-tree Reduction, cont d Select remaining b j at random Run M = A(M, k, S) with k = (b 1,, b t ) Compute x = N 2i,j 1 N 2i +1,j 1 b j from M and output it. Remember MSS reduction? As M M but h k M = h k M there must exist at least one node which is equal in both trees but has different children in the trees obtained from M and M. We selected a random node, so hit it with probability (#nodes) 1 = 2m 1 1 n

70 XOR-tree 2n log 2 m n still pretty large! Can be improved, but not asymptotically. For a large group of constructions, key length O log 2 m is optimal!

71

72 Approach 1: ROM An RO, keyed by prefixing with key, is a TCR hash function. No way to get TCR from Merkle-Damgard construction without (implicitly) assuming collision resistance.

73 Approach 2: etcr H n h k : {0,1} m n {0,1} n Run 1 Run 2 H n x c, k, S h k $ H n Success if h k x c = h k x x c, S k, x

74 Note: If the k i weren t signed, the second-to-last step wouldn t work! An adversary could Now output ok! a forgery (M, σ ) = (M, (k, σ )) such Don t that need to sign keys! h k M = md = md i = h ki M i, for some i q, but k k i. Hence, (k i, M, M i ) is no target-collision! However, σ i still works as signature for md. Still need to send key along with signature! EU-CMA of fixed-length input SIG not violated! Really need to sign keys!

75 Approach 2: etcr Can get short-key-constructions in standard model (from pretty strong, non-common assumptions) RO with prefixed key has this property Just require it as property from new hash functions (SHA-3 competition).

76 Real life version: Randomized Hashing etcr-hash & sign: SIGN M, sk = R, SIGN H R M, sk a R = PRF(sk b, M) where Not provably weaker assumption than collision resistance. In practice: Known collision does not help as R is unpredictable.

77 The multi-target issue What s the attack target? A special single Person? Wouldn t anyone in the company work? Wouldn t the ability to forge for any of Google s servers be sufficient?...

78 Cert 1 Cert 2 Cert 3 Cert 4

79 The multi-target issue Neglected in EU-CMA model Relevant in practice! Can significantly harm security! Assume security of signature relies on hardness of finding preimage Finding single preimage takes O(2 n ) time... Finding one out of p preimages takes O 2n p time

80 Multi-target etcr attack Collect as many signatures of as many possible vicitims as possible. Store the message digests used in the sigs in sorted DB Start search for k, x such that h k x matches entry in DB Complexity goes down from O(2 n ) to O 2n p

81 Preventing multi-target attacks, state of the art Not known how to prevent this for single user (without state / signing k) Can reduce #targets p: SIGN M, sk = R, SIGN H R pk M, sk a where R = PRF(sk b, M) Makes hash depending on pk For good hash function H, attacker has to decide on target for each evaluation of H. For stateful schemes: Also add signature index.

82 Multi-target attack prevention Used in recent Internet Drafts (e.g. draft-irtf-cfrgeddsa-08, draft-irtf-cfrg-xmss-hash-basedsignatures-07) If scheme already uses randomness (EC-DSA: R = r B) might reuse that -> authenticates R! Price for avoiding collision resistance...

83 Thank you! Questions? For references & further literature see PAGE 84