SPHINCS: practical stateless hash-based signatures

Size: px

Start display at page:

Download "SPHINCS: practical stateless hash-based signatures"

Herbert Wilson
6 years ago
Views:

1 SPHINCS: practical stateless hash-based signatures D. J. Bernstein, D. Hopwood, A. Hülsing, T. Lange, R. Niederhagen, L. Papachristodoulou, P. Schwabe, and Z. Wilcox O'Hearn

2 Digital Signatures are Important! Software updates E-Commerce and many others PAGE 1

3 What if PAGE 2

4 Problem? RSA DL Pairings DH PAGE 3

5 IBM 2012: optimism about superconducting qubits and the possibilities for a future quantum computer are rapidely growing. PAGE 4

6 Post-Quantum Signatures PAGE 5 Lattice, MQ, Coding Signature and/or key sizes Runtimes Secure parameters y x x x x x x y x x x x x x y

7 Hash-based Signature Schemes [Mer89] Post quantum Only secure hash function Security well understood Fast Stateful PAGE 6

8 Lamport-Diffie OTS [Lam79] Message M = b1,,bn, OWF H * = n bit SK sk 1,0 sk 1,1 sk n,0 sk n,1 H H H H H H PK pk 1,0 pk 1,1 pk n,0 pk n,1 b1 Mux b2 Mux bn Mux Sig sk 1,b1 sk n,bn PAGE 7

9 Merkle s Hash-based Signatures Encryption H Digital Signature PK H Cryptography OTS Hash Function SIG = (i=2,,,,, ) H H H H Legality H H H H H H H H H OTS MAC OTS OTS OTS OTS OTS OTS OTS SK PAGE 8

10 Known Improvements [BGD + 06] Pseudorandom Key Generation: h SK 2 n n F F F F F F Hypertree: Key generation (== Building Trees on one path) O(2 h ) O(d2 h/d ) PAGE 9

11 Known Improvements, cont d Winternitz OTS [Mer 89,, BDE + 11,Hül13] Smaller Sigs Minimum Security Assumptions Minimum Security Assumptions / Collision-Resilient Scheme [BDH11] XMSS requires only PRF & SPR PAGE 10

12 SPHINCS: Stateless Practical Hash-based Incredibly Nice Cryptographic Signatures PAGE 11

13 Goals Stateless 128bit Quantum Security Practical Speed Practical Signature Size PAGE 12

14 How to Eliminate the State PAGE 13

15 Trial & Error: Run MSS without State Encryption H Digital Signature PK SIG = (i=2,,,,, ) Cryptography Hash Function Legality H H H H H H H H H H H H H H OTS MAC OTS OTS OTS OTS OTS OTS OTS SK PAGE 14

16 Approach 1: Goldreich i = Integer.getValue(Hash(Message)); 128bit Quantum Sec. n = 256 bit Hash [Ber09] #Indices = h depends on n! h = n = 256 PAGE 15

17 Approach 1, cont d d > 1, otherwise t Sign = exp(n) PAGE 16

18 Approach 1, cont d i = Integer.getValue(Hash(Message)); h = n = 256 Impossible to make this efficient: t Sign d2 n/d (t Hash + t OTS_KeyGen ) d2 n/d n t Hash Sig d OTS_Sig (+ n 2, if d<n) dn 2 E.g. d = n / log n: t Sign n 3 / log n t Hash ; Sig n3 / log n Goldreich: d = n t Sign 2n 2 t Hash ; Sig n3 Sig > 1MB for n = 256 PAGE 17

19 Approach 2: Random Index I $ U #Indices 128bit Quantum Sec. Sampled by Signer #Indices determined by collision prob. #Indices = h = 256 Impossible to make this efficient, again BUT h independent of n Statistical collision probability NOT collision resistance PAGE 18

20 Sphincs Approach 2 + Few-Time Signature Scheme (FTS) Next: Introduce new FTS HORS with Trees (HORST) Preview: Allows h = 60 for any n t Sign d2 60/d (t Hash + t OTS_KeyGen ) d2 60/d n t Hash Sig d OTS_Sig (+ n 2, if d<n) dn 2 E.g. d = 12: t Sign 384n t Hash ; Sig 12n2 (without HORST) PAGE 19

21 Few-Time Signature Schemes PAGE 20

22 Recap LD-OTS Message M = b1,,bn, OWF H * = n bit SK sk 1,0 sk 1,1 sk n,0 sk n,1 H H H H H H PK pk 1,0 pk 1,1 pk n,0 pk n,1 b1 Mux b2 Mux bn Mux Sig sk 1,b1 sk n,bn PAGE 21

23 HORS [RR02] Message M = b 1,,b m, OWF H = n bit Parameters t=2 a,k, with m = ka (typical a=16, k=32) * SK sk 1 sk 2 sk t-1 sk t H H H H H H PK pk 1 pk 1 pk t-1 pk t M b 1 b 2 b a b a+1 b ka-2 b ka-1 b ka i 1 Mux Mux i k Sig sk i1 sk ik PAGE 22

24 HORS Security Message M = Hash(msg) M mapped to k element index set M i є {1,..,t} k Each signature publishes k out of t secrets Either break one-wayness or r-subset-resilience: After seeing index sets M i j for r messages msg j, 1 <= j <= r, hard to find msg r+1 msg j such that M i r+1 є U 1<=j<=r M i j. Best generic attack: Succ r-ssr (A,q) = q(rk / t) k Security shrinks with each signature! PAGE 23

25 HORST Using HORS with MSS requires adding PK (tn) to MSS signature. HORST: Build a Merkle Tree on top of PK PK = Root Publish Authentication Paths for HORS signature values PK can be computed from Sig With optimizations: tn (k(log t x + 1) + 2 x )n E.g. SPHINCS-256: 2 MB 16 KB PAGE 24

26 SPHINCS PAGE 25

27 SPHINCS Signature PAGE 26

28 SPHINCS Key Ideas Use HORST key pairs to sign messages Authenticate HORST key pairs using hypertree (of MSS trees) Use random index Select h,k,t,m such that sum r є [0, ) (Pr[r-times index collision] * Succ r-ssr (A)) = negl(n) PAGE 27

29 SPHINCS-256 PAGE 28

30 SPHINCS-256 Speed Key generation: Verification: Signature: 3,051,562 cycles 1,369,060 cycles 47,466,005 cycles Still hundreds of messages per second on a modern 4-core 3.5GHz Intel CPU (13ms / Sig) PAGE 29

31 In Paper (online soon) + Standard model security reduction without collision resistance + Complexity of generic quantum attacks + Efficient fixed-input length hashing + Optimized implementation PAGE 30

32 Conclusion Stateless Hash-based Signatures Performance like RSA or BLISS? No! First stateless signature scheme with post-quantum secure parameters Practical Speed and Sizes PAGE 31

33 Thank you! Questions? PAGE 32

An update on Hash-based Signatures. Andreas Hülsing

An update on Hash-based Signatures Andreas Hülsing Trapdoor- / Identification Scheme-based (PQ-)Signatures Lattice, MQ, Coding Signature and/or key sizes Runtimes Secure parameters 9-9-2015 PAGE 2... 1