Mitigating Multi-Target-Attacks in Hash-based Signatures. Andreas Hülsing joint work with Joost Rijneveld, Fang Song

Size: px

Start display at page:

Download "Mitigating Multi-Target-Attacks in Hash-based Signatures. Andreas Hülsing joint work with Joost Rijneveld, Fang Song"

Francis McBride
5 years ago
Views:

1 Mitigating Multi-Target-Attacks in Hash-based Signatures Andreas Hülsing joint work with Joost Rijneveld, Fang Song

2 A brief motivation

3 Trapdoor- / Identification Scheme-based (PQ-)Signatures Lattice, MQ, Coding Signature and/or key sizes Runtimes Secure parameters PAGE y x x x x x x y x x x x x x y

4 Hash-based Signature Schemes [Mer89] Post quantum Only secure hash function Security well understood Fast PAGE 4

5 RSA DSA EC-DSA... Intractability Assumption Cryptographic hash function RSA, DH, SVP, MQ, Digital signature scheme PAGE 5

6 Basic Construction PAGE 6

7 Lamport-Diffie OTS [Lam79] Message M = b1,,bm, OWF H * = n bit SK PK sk 1,0 sk 1,1 sk m,0 sk m,1 H H H H H H pk 1,0 pk 1,1 pk m,0 pk m,1 b1 Mux b2 Mux bm Mux Sig sk 1,b1 sk m,bm PAGE 7

8 Merkle s Hash-based Signatures PK H SIG = (i=2,,,,, ) H OTS H H H H H H H H H H H H H OTS OTS OTS OTS OTS OTS OTS OTS SK PAGE 8

9 Minimizing security assumptions... [BHH+15,BDE+11,BDH11, DOTV08,Hül13,HRB13]

10 Assumption / Attacks Hash-function properties stronger / easier to break Collision-Resistance 2 nd -Preimage- Resistance weaker / harder to break One-way Pseudorandom PAGE 10

11 Attacks on Hash Functions MD5 Collisions (theo.) MD5 Collisions (practical!) SHA-1 Collisions (theo.) MD5 & SHA-1 No (Second-) Preimage Attacks! PAGE 11

12 ...and dealing with the consequences [HRS16]

13 Multi-target attacks What is the bit security of a protocol using a n = 256 bit hash function that requires one-wayness? 256 bit? Not necessarily!

14 Multi-target attacks Consider H n {h k : 0,1 m 0,1 n k 0,1 n } Assume protocol Π that uses h k p times Break Π invert h k on one out of p different values. Attack complexity: Θ(2 n log p ) (generic attacks) Bit security: n log p Similar problem applies for SPR, etcr,...

15 Formalizing the issue One-wayness: for any classical q-query A Single-function, multi-target one-wayness

16 Solution? Use different elements from function family for each hash. - Makes problems independent - Each hash query can only be used for one target!

17 Multi-function, multi-target OW Seems trivial, right? What about the quantum case? Still trivial?

18 Results

19 Implications Tight security for MSS that rely on multi-function properties. New function (key) for each call. New bitmask too for SPR No solution for message digest, yet (see etcr)

20 Part II: Details on Hashbased signatures

21 Winternitz-OTS [Mer90,BDE+11,Hül13]

22 Recap LD-OTS [Lam79] Message M = b1,,bm, OWF H * = n bit SK sk 1,0 sk 1,1 sk m,0 sk m,1 H H H H H H PK pk 1,0 pk 1,1 pk m,0 pk m,1 b1 Mux b2 Mux bn Mux Sig sk 1,b1 sk m,bm

23 LD-OTS in MSS SIG = (i=2,,,,, ) Verification: 1. Verify 2. Verify authenticity of We can do better!

24 Trivial Optimization Message M = b1,,bm, OWF H * = n bit SK sk 1,0 sk 1,1 sk m,0 sk m,1 H H H H H H PK pk 1,0 pk 1,1 pk m,0 pk m,1 b1 Mux Mux b1 bm Mux Mux bm Sig sig 1,0 sig 1,1 sig m,0 sig m,1

25 Optimized LD-OTS in MSS Verification: X SIG = (i=2,,,,, ) 1. Compute from 2. Verify authenticity of Steps together verify

26 Let s sort this! Message M = b 1,,b m, OWF H SK: sk 1,,sk m,sk m+1,,sk 2m PK: H(sk 1 ),,H(sk m ),H(sk m+1 ),,H(sk 2m ) Encode M: M = M M = b 1,,b m, b 1,, b m (instead of b 1, b 1,,b m, b m ) Sig: sig i = sk i, if b i = 1 H(sk i ), otherwise Checksum with bad performance!

27 Optimized LD-OTS [Mer90] Message M = b 1,,b m, OWF H SK: sk 1,,sk m,sk m+1,,sk m+1+log m PK: H(sk 1 ),,H(sk m ),H(sk m+1 ),,H(sk m+1+log m ) Encode M: M = b 1,,b m, 1 m b i Sig: sig i = sk i, if b i = 1 H(sk i ), otherwise IF one b i is flipped from 1 to 0, another b j will flip from 0 to 1

28 Function chains Function family: H n h k : {0,1} n {0,1} n h k $ H n Parameter w Chain: c i ( x) i 1 h k ( c ( x)) hk hk hk ( x) i times c 0 (x) = x c 1 (x) = h k (x) c w 1 (x)

29 WOTS Winternitz parameter w, security parameter n, message length m, function family H n c 0 (sk 1 ) = sk 1 Key Generation: Compute l, sample h k pk 1 = c w-1 (sk 1 ) c 1 (sk 1 ) c 1 (sk l ) pk l = c w-1 (sk l ) c 0 (sk l ) = sk l

30 WOTS Signature generation M b 1 b 2 b 3 b 4 b m b m +1 b m +2 b l c 0 (sk 1 ) = sk 1 pk 1 = c w-1 (sk 1 ) C σ 1 =c b 1(sk 1 ) Signature: σ = (σ 1,, σ l ) pk l = c w-1 (sk l ) c 0 (sk l ) = sk l σ l =c b l (sk l )

31 WOTS Signature Verification Verifier knows: M, w b 1 b 2 b 3 b 4 b m b m +1 b l 1+2 b l σ 1 Signature: σ = (σ 1,, σ l ) c 1 (σ 1 ) c 2 (σ 1 ) c 3 (σ 1 ) σ l pk 1 =? c w 1 b 1 (σ 1 ) pk l =? c w 1 b l (σ l )

32 WOTS Function Chains For x 0,1 n define c 0 x = x and WOTS: c i x = h k (c i 1 x ) WOTS $ : c i x = h c i 1 x (r) WOTS + : c i x = h k (c i 1 x r i )

33 WOTS Security Theorem (informally): W-OTS is strongly unforgeable under chosen message attacks if H n is a collision resistant family of undetectable one-way functions. W-OTS $ is existentially unforgeable under chosen message attacks if H n is a pseudorandom function family. W-OTS + is strongly unforgeable under chosen message attacks if H n is a 2 nd -preimage resistant family of undetectable one-way functions.

34 extended Merkle Signature Scheme (XMSS) joint work with Johannes Buchmann, Erik Dahmen

35 XMSS Tree: Uses bitmasks Leafs: Use binary tree with bitmasks OTS: WOTS + Mesage digest: Randomized hashing Collision-resilient -> signature size halved H b i H

36 Multi-Tree XMSS Uses multiple layers of trees -> Key generation (= Building first tree on each layer) Θ(2 h ) Θ(d*2 h/d ) -> Allows to reduce worst-case signing times Θ(h/2) Θ(h/2d)

37 XMSS-Draft since -01 Each hash function call (excl. message hash) takes now a key and a bitmask. Issue: Order of N w l keys and bitmasks that have to be published. Put them into PK? Impractical Solution: PRG + Seed in PK

38 XMSS-Draft since -01 Solution: PRG + Seed in PK Security: - Not really standard model. - Natural but new assumption ( Generating the public values using a PRG, the scheme does not get less secure if seed is published. ), - Or ROM

39 SPHINCS: practical stateless hashbased signatures joint work with Daniel J. Bernstein, Daira Hopwood, Tanja Lange, Ruben Niederhagen, Louiza Papachristodoulou, Michael Schneider, Peter Schwabe, Zooko Wilcox O Hearn

40 How to Eliminate the State

41 Protest? PAGE

42 Few-Time Signature Schemes PAGE 42

43 Recap LD-OTS Message M = b1,,bn, OWF H * = n bit SK PK sk 1,0 sk 1,1 sk n,0 sk n,1 H H H H H H pk 1,0 pk 1,1 pk n,0 pk n,1 b1 Mux b2 Mux bn Mux Sig sk 1,b1 sk n,bn PAGE 43

44 HORS [RR02] Message M, OWF H, CRHF H = n bit Parameters t=2 a,k, with m = ka (typical a=16, k=32) * SK sk 1 sk 2 sk t-1 sk t H H H H H H PK pk 1 pk 1 pk t-1 pk t PAGE 44

45 HORS mapping function Message M, OWF H, CRHF H = n bit Parameters t=2 a,k, with m = ka (typical a=16, k=32) * M H b 1 b 2 b a b ar i 1 i k PAGE 45

46 HORS Message M, OWF H, CRHF H * = n bit Parameters t=2 a,k, with m = ka (typical a=16, k=32) SK sk 1 sk 2 sk t-1 sk t H H H H H H PK pk 1 pk 1 pk t-1 pk t H (M) b 1 b 2 b a b a+1 b ka-2 b ka-1 b ka i 1 Mux Mux i k sk i1 sk ik PAGE 46

47 HORS Security M mapped to k element index set M i {1,, t} k Each signature publishes k out of t secrets Either break one-wayness or r-subset-resilience: After seeing index sets M i j for r messages msg j, 1 j r, hard to find msg r+1 i msg j such that M r+1 1 j r M i j. Best generic attack: Succ r-ssr (A, q) = q rk t Security shrinks with each signature! k PAGE 47

48 HORST Using HORS with MSS requires adding PK (tn) to MSS signature. HORST: Merkle Tree on top of HORS-PK New PK = Root Publish Authentication Paths for HORS signature values PK can be computed from Sig With optimizations: tn (k(log t x + 1) + 2 x )n E.g. SPHINCS-256: 2 MB 16 KB Use randomized message hash PAGE 48

49 SPHINCS Stateless Scheme XMSS MT + HORST + (pseudo-)random index Collision-resilient Deterministic signing SPHINCS-256: 128-bit post-quantum secure Hundrest of signatures / sec 41 kb signature 1 kb keys

50 Thank you! Questions? For references & further literature see PAGE 50

51 (Hash) function families H n h k : {0,1} m n {0,1} n m(n) n efficient {0,1} n h k m n {0,1}

52 One-wayness H n h k : {0,1} m n {0,1} n y c, k h $ k H n x $ {0,1} h k x y c m n Success if h k x = y c x

53 Collision resistance H n h k : {0,1} m n {0,1} n k h k $ H n Success if h k x 1 = h k x 2 (x 1, x 2 )

54 Second-preimage resistance H n h k : {0,1} m n {0,1} n x c, k h $ k H n x $ m n c {0,1} Success if h k x c = h k x x

55 Undetectability H n h k : {0,1} m n {0,1} n h k $ H n b $ {0,1} If b = 1 else x $ m n {0,1} y c h k (x) y c $ {0,1} n y c, k b*

56 Pseudorandomness H n h k : {0,1} m n {0,1} n 1 n b x y = g(x) g If b = 1 g $ H n else g $ U m n,n b*

An update on Hash-based Signatures. Andreas Hülsing

An update on Hash-based Signatures Andreas Hülsing Trapdoor- / Identification Scheme-based (PQ-)Signatures Lattice, MQ, Coding Signature and/or key sizes Runtimes Secure parameters 9-9-2015 PAGE 2... 1