An update on Hash-based Signatures. Andreas Hülsing

Size: px

Start display at page:

Download "An update on Hash-based Signatures. Andreas Hülsing"

Oliver Cook
5 years ago
Views:

1 An update on Hash-based Signatures Andreas Hülsing

2 Trapdoor- / Identification Scheme-based (PQ-)Signatures Lattice, MQ, Coding Signature and/or key sizes Runtimes Secure parameters PAGE y x x x x x x y x x x x x x y

3 Hash-based Signature Schemes [Mer89] Post quantum Only secure hash function Security well understood Fast PAGE 3

4 RSA DSA EC-DSA... Intractability Assumption Cryptographic hash function RSA, DH, SVP, MQ, Digital signature scheme PAGE 4

5 Basic Construction PAGE 5

6 Lamport-Diffie OTS [Lam79] Message M = b1,,bm, OWF H * = n bit SK PK sk 1,0 sk 1,1 sk m,0 sk m,1 H H H H H H pk 1,0 pk 1,1 pk m,0 pk m,1 b1 Mux b2 Mux bm Mux Sig sk 1,b1 sk m,bm PAGE 6

7 Merkle s Hash-based Signatures PK H SIG = (i=2,,,,, ) H OTS H H H H H H H H H H H H H OTS OTS OTS OTS OTS OTS OTS OTS SK PAGE 7

8 Winternitz-OTS

9 Function chains Function family: H n h k : {0,1} n {0,1} n h k $ H n Parameter w Chain: c i ( x) i 1 h k ( c ( x)) hk hk hk ( x) i times c 0 (x) = x c 1 (x) = h k (x) c w 1 (x)

10 WOTS Winternitz parameter w, security parameter n, message length m, function family H n c 0 (sk 1 ) = sk 1 Key Generation: Compute l, sample h k pk 1 = c w-1 (sk 1 ) c 1 (sk 1 ) c 1 (sk l ) pk l = c w-1 (sk l ) c 0 (sk l ) = sk l

11 WOTS Signature generation M b 1 b 2 b 3 b 4 b m b m +1 b m +2 b l c 0 (sk 1 ) = sk 1 pk 1 = c w-1 (sk 1 ) C σ 1 =c b 1(sk 1 ) Signature: σ = (σ 1,, σ l ) pk l = c w-1 (sk l ) c 0 (sk l ) = sk l σ l =c b l (sk l )

12 WOTS Signature Verification Verifier knows: M, w b 1 b 2 b 3 b 4 b m b m +1 b l 1+2 b l σ 1 Signature: σ = (σ 1,, σ l ) c 1 (σ 1 ) c 2 (σ 1 ) c 3 (σ 1 ) σ l pk 1 =? c w 1 b 1 (σ 1 ) pk l =? c w 1 b l (σ l )

13 WOTS Function Chains For x 0,1 n define c 0 x = x and WOTS: c i x = h k (c i 1 x ) WOTS $ : c i x = h c i 1 x (r) WOTS + : c i x = h k (c i 1 x r i )

14 WOTS Security Theorem (informally): W-OTS is strongly unforgeable under chosen message attacks if H n is a collision resistant family of undetectable one-way functions. W-OTS $ is existentially unforgeable under chosen message attacks if H n is a pseudorandom function family. W-OTS + is strongly unforgeable under chosen message attacks if H n is a 2 nd -preimage resistant family of undetectable one-way functions.

15 Standardizing hash-based signatures. The case of XMSS

16 XMSS Tree: Uses bitmasks Leafs: Use binary tree with bitmasks OTS: WOTS + Mesage digest: Randomized hashing Collision-resilient -> signature size halved H b i H

17 Multi-Tree XMSS Uses multiple layers of trees -> Key generation (= Building first tree on each layer) Θ(2 h ) Θ(d*2 h/d ) -> Allows to reduce worst-case signing times Θ(h/2) Θ(h/2d)

18 Multi-target attacks What is the bit security of XMSS using a n = 256 bit hash function? 256 bit? No!

19 Multi-target attacks It suffices to invert h k on one out of ~N w l different values. (For N= #WOTS key pairs, m = message length, w = Winternitz parameter, l = WOTS message encoding ) Attack complexity: 2n log(nwl) For n = m = 256, N = 2 20, w = 16, l~64 approx. 226 bit security Similar problem applies for second-preimage resistance.

20 Multi-target attacks Attack complexity: 2n log(nwl) Reason: - Many targets for same function - Each hash query can be used for all targets - Dependent problems

21 Solution? Use different elements from function family for each hash (and different bitmasks). - Makes problems independent - Each hash query can only be used for one target!

22 XMSS-Draft since -01 Each hash function call (excl. message hash) takes now a key and a bitmask. Issue: Order of N w l keys and bitmasks that have to be published. Put them into PK? Impractical Solution: PRG + Seed in PK

23 XMSS-Draft since -01 Solution: PRG + Seed in PK Security: - Not really standard model. - Natural but new assumption ( Generating the public values using a PRG, the scheme does not get less secure if seed is published. ), - Or ROM

24 SPHINCS: practical stateless hashbased signatures joint work with Daniel J. Bernstein, Daira Hopwood, Tanja Lange, Ruben Niederhagen, Louiza Papachristodoulou, Michael Schneider, Peter Schwabe, Zooko Wilcox O Hearn

25 How to Eliminate the State

26 Protest? PAGE

27 Few-Time Signature Schemes PAGE 27

28 HORS [RR02] Message M, OWF H, CRHF H = n bit Parameters t=2 a,k, with m = ka (typical a=16, k=32) * SK sk 1 sk 2 sk t-1 sk t H H H H H H PK pk 1 pk 1 pk t-1 pk t PAGE 28

29 HORS mapping function Message M, OWF H, CRHF H = n bit Parameters t=2 a,k, with m = ka (typical a=16, k=32) * M H b 1 b 2 b a b ar i 1 i k PAGE 29

30 HORS Message M, OWF H, CRHF H * = n bit Parameters t=2 a,k, with m = ka (typical a=16, k=32) SK sk 1 sk 2 sk t-1 sk t H H H H H H PK pk 1 pk 1 pk t-1 pk t H (M) b 1 b 2 b a b a+1 b ka-2 b ka-1 b ka i 1 Mux Mux i k sk i1 sk ik PAGE 30

31 HORS Security M mapped to k element index set M i {1,, t} k Each signature publishes k out of t secrets Either break one-wayness or r-subset-resilience: After seeing index sets M i j for r messages msg j, 1 j r, hard to find msg r+1 i msg j such that M r+1 1 j r M i j. Best generic attack: Succ r-ssr (A, q) = q rk t Security shrinks with each signature! k PAGE 31

32 HORST Using HORS with MSS requires adding PK (tn) to MSS signature. HORST: Merkle Tree on top of HORS-PK New PK = Root Publish Authentication Paths for HORS signature values PK can be computed from Sig With optimizations: tn (k(log t x + 1) + 2 x )n E.g. SPHINCS-256: 2 MB 16 KB Use randomized message hash PAGE 32

33 SPHINCS Stateless Scheme XMSS MT + HORST + (pseudo-)random index Collision-resilient Deterministic signing SPHINCS-256: 128-bit post-quantum secure Hundrest of signatures / sec 41 kb signature 1 kb keys

34 Thank you! Questions? For references & further literature see PAGE 34

35 (Hash) function families H n h k : {0,1} m n {0,1} n m(n) n efficient {0,1} n h k m n {0,1}

36 One-wayness H n h k : {0,1} m n {0,1} n y c, k h $ k H n x $ {0,1} h k x y c m n Success if h k x = y c x

37 Collision resistance H n h k : {0,1} m n {0,1} n k h k $ H n Success if h k x 1 = h k x 2 (x 1, x 2 )

38 Second-preimage resistance H n h k : {0,1} m n {0,1} n x c, k h $ k H n x $ m n c {0,1} Success if h k x c = h k x x

39 Undetectability H n h k : {0,1} m n {0,1} n h k $ H n b $ {0,1} If b = 1 else x $ m n {0,1} y c h k (x) y c $ {0,1} n y c, k b*

40 Pseudorandomness H n h k : {0,1} m n {0,1} n 1 n b x y = g(x) g If b = 1 g $ H n else g $ U m n,n b*

Mitigating Multi-Target-Attacks in Hash-based Signatures. Andreas Hülsing joint work with Joost Rijneveld, Fang Song

Mitigating Multi-Target-Attacks in Hash-based Signatures Andreas Hülsing joint work with Joost Rijneveld, Fang Song A brief motivation Trapdoor- / Identification Scheme-based (PQ-)Signatures Lattice, MQ,