Mitigating Multi-Target Attacks in Hash-Based Signatures

mitigating multi target attacks in hash based n.w
1 / 56
Embed
Share

Explore research on mitigating multi-target attacks in hash-based signatures, including trapdoor identification schemes, hash-based signature schemes, and intractability assumptions in cryptographic hash functions. Gain insights into Merkle's hash-based signatures and minimizing security assumptions.

  • Mitigating Attacks
  • Hash-Based Signatures
  • Cryptographic Schemes
  • Security Research
  • Intractability
rayaanacharya
farza Follow

Uploaded on | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. Mitigating Multi-Target-Attacks in Hash-based Signatures Andreas H lsing joint work with Joost Rijneveld, Fang Song

  2. A brief motivation

  3. Trapdoor- / Identification Scheme-based (PQ-)Signatures Lattice, MQ, Coding Signature and/or key sizes = + + + 2 1 y x x x x x x 1 1 2 1 4 3 x = + + + + 2 3 1 y x x x x x 2 2 3 2 4 1 = ... y 3 Runtimes Secure parameters 28-4-2025 PAGE 3

  4. Hash-based Signature Schemes [Mer89] Post quantum Only secure hash function Security well understood Fast 28-4-2025 PAGE 4

  5. RSA DSA EC-DSA... Intractability Assumption Cryptographic hash function RSA, DH, SVP, MQ, Digital signature scheme 28-4-2025 PAGE 5

  6. Basic Construction 28-4-2025 PAGE 6

  7. Lamport-Diffie OTS [Lam79] Message M = b1, ,bm, OWF H = n bit * SK sk1,0 sk1,1 skm,0 skm,1 H H H H H H PK pk1,0 pk1,1 pkm,0 pkm,1 bm b1 b2 Mux Mux Mux Sig sk1,b1 skm,bm 28-4-2025 PAGE 7

  8. Merkles Hash-based Signatures PK SIG = (i=2, , , , , ) H H H OTS H H H H H H H H H H H H OTS OTS OTS OTS OTS OTS OTS OTS SK 28-4-2025 PAGE 8

  9. Minimizing security assumptions... [BHH+15,BDE+11,BDH11, DOTV08,H l13,HRB13]

  10. Hash-function properties stronger / easier to break Collision-Resistance Assumption / 2nd-Preimage- Resistance Attacks Pseudorandom One-way weaker / harder to break 28-4-2025 PAGE 10

  11. Attacks on Hash Functions MD5 MD5 Collisions (practical!) Collisions (theo.) SHA-1 Collisions (theo.) MD5 & SHA-1 No (Second-) Preimage Attacks! 2004 2005 2008 2015 28-4-2025 PAGE 11

  12. ...and dealing with the consequences [HRS16]

  13. Multi-target attacks What is the bit security of a protocol using a n = 256 bit hash function that requires one-wayness? 256 bit? Not necessarily!

  14. Multi-target attacks Consider ?? { ?: 0,1? 0,1?|? 0,1?} Assume protocol that uses ?? times Break invert ?on one out of ? different values. Attack complexity: (2? log ?) (generic attacks) Bit security: ? log? Similar problem applies for SPR, eTCR,....

  15. Formalizing the issue One-wayness: for any classical q-query A Single-function, multi-target one-wayness

  16. Solution? Use different elements from function family for each hash. - Makes problems independent - Each hash query can only be used for one target!

  17. Multi-function, multi-target OW Seems trivial, right? What about the quantum case? Still trivial?

  18. Results

  19. Implications Tight security for MSS that rely on multi-function properties. New function (key) for each call. New bitmask too for SPR No solution for message digest, yet (see eTCR)

  20. Part II: Details on Hash- based signatures

  21. Winternitz-OTS [Mer90,BDE+11,H l13]

  22. Recap LD-OTS [Lam79] * MessageM = b1, ,bm, OWF H = n bit SK sk1,0 sk1,1 skm,0 skm,1 H H H H H H PK pk1,0 pk1,1 pkm,0 pkm,1 b1 b2 bn Mux Mux Mux sk1,b1 skm,bm Sig

  23. LD-OTS in MSS SIG = (i=2, , , , , ) Verification: 1. Verify 2. Verify authenticity of We can do better!

  24. Trivial Optimization MessageM = b1, ,bm, OWF H = n bit * SK sk1,0 sk1,1 skm,0 skm,1 H H H H H H PK pk1,0 pk1,1 pkm,0 pkm,1 bm b1 bm b1 Mux Mux Mux Mux Sig sigm,0 sig1,0 sigm,1 sig1,1

  25. Optimized LD-OTS in MSS X SIG = (i=2, , , , , ) Verification: 1. Compute from 2. Verify authenticity of Steps 1 + 2 together verify

  26. Lets sort this! Message M = b1, ,bm, OWF H SK: sk1, ,skm,skm+1, ,sk2m PK: H(sk1), ,H(skm),H(skm+1), ,H(sk2m) Encode M: M = M|| M = b1, ,bm, b1, , bm (instead of b1, b1, ,bm, bm ) ski , if bi = 1 Sig: sigi = H(ski) , otherwise Checksum with bad performance!

  27. Optimized LD-OTS [Mer90] Message M = b1, ,bm, OWF H SK: sk1, ,skm,skm+1, ,skm+1+log m PK: H(sk1), ,H(skm),H(skm+1), ,H(skm+1+log m) Encode M: M = b1, ,bm, 1 ? ?? ski , if bi = 1 Sig: sigi = H(ski) , otherwise IF one biis flipped from 1 to 0, another bjwill flip from 0 to 1

  28. Function chains Function family: ?? ?:{0,1}? {0,1}? ? Parameter ? Chain: k c h x c = ( ) ( $?? = 1 i i ( )) ( ) x h h h x k k k times i c0(x) = x ?? ?(?) ?1(?) = ?(?)

  29. WOTS Winternitz parameter w, security parameter n, message length m, function family ?? Key Generation: Compute ?, sample ? c0(sk1) = sk1 pk1 = cw-1(sk1) c1(sk1) c1(skll ) pkll= cw-1(skll ) c0(skll ) = skll

  30. WOTS Signature generation M b1 b2 b3 b4 bm bll bm +1 bm +2 pk1 = cw-1(sk1) c0(sk1) = sk1 C 1=cb1(sk1) Signature: = ( 1, , ll) pkll= cw-1(skll ) c0(skll ) = skll ll=cbll(skll)

  31. WOTS Signature Verification Verifier knows: M, w b1 b2 b3 b4 bm bll bm +1 bll 1+2 pk1 ??( 1) ??( 1) =? 1 ??( 1) ?? ? ??( 1) Signature: = ( 1, , ll) pkll =? ?? ? ??( ll) ll

  32. WOTS Function Chains For ? 0,1?define ?0? = ? and WOTS: ??? = ?(?? 1? ) WOTS$: ??? = ?? 1?(?) WOTS+: ??? = ?(?? 1? ??)

  33. WOTS Security Theorem (informally): W-OTS is strongly unforgeable under chosen message attacks if ?? is a collision resistant family of undetectable one-way functions. W-OTS$is existentially unforgeable under chosen message attacks if ?? is a pseudorandom function family. W-OTS+is strongly unforgeable under chosen message attacks if ?? is a 2nd-preimage resistant family of undetectable one-way functions.

  34. eXtended Merkle Signature Scheme (XMSS) joint work with Johannes Buchmann, Erik Dahmen

  35. XMSS Tree: Uses bitmasks H Leafs: Use binary tree with bitmasks H OTS: WOTS+ bi Mesage digest: Randomized hashing Collision-resilient -> signature size halved

  36. Multi-Tree XMSS Uses multiple layers of trees -> Key generation (= Building first tree on each layer) (2h) (d*2h/d) -> Allows to reduce worst-case signing times (h/2) (h/2d)

  37. XMSS-Draft since -01 Each hash function call (excl. message hash) takes now a key and a bitmask. Issue: Order of ? ? ? keys and bitmasks that have to be published. Put them into PK? Impractical Solution: PRG + Seed in PK

  38. XMSS-Draft since -01 Solution: PRG + Seed in PK Security: - Not really standard model. - Natural but new assumption ( Generating the public values using a PRG, the scheme does not get less secure if seed is published. ), - Or ROM

  39. SPHINCS: practical stateless hash- based signatures joint work with Daniel J. Bernstein, Daira Hopwood, Tanja Lange, Ruben Niederhagen, Louiza Papachristodoulou, Michael Schneider, Peter Schwabe, Zooko Wilcox O Hearn

  40. How to Eliminate the State

  41. Protest? PAGE 41 28-4-2025

  42. Few-Time Signature Schemes 28-4-2025 PAGE 42

  43. Recap LD-OTS Message M = b1, ,bn, OWF H = n bit * SK sk1,0 sk1,1 skn,0 skn,1 H H H H H H PK pk1,0 pk1,1 pkn,0 pkn,1 b1 b2 bn Mux Mux Mux sk1,b1 skn,bn Sig 28-4-2025 PAGE 43

  44. HORS [RR02] Message M, OWF H, CRHF H = n bit Parameters t=2a,k, with m = ka (typical a=16, k=32) * SK sk1 sk2 skt-1 skt H H H H H H PK pk1 pk1 pkt-1 pkt 28-4-2025 PAGE 44

  45. HORS mapping function Message M, OWF H, CRHF H = n bit Parameters t=2a,k, with m = ka (typical a=16, k=32) * M H b1 b2 ba bar ik i1 28-4-2025 PAGE 45

  46. HORS Message M, OWF H, CRHF H = n bit Parameters t=2a,k, with m = ka (typical a=16, k=32) * SK sk1 sk2 skt-1 skt H H H H H H PK pk1 pk1 pkt-1 pkt H (M) b1 b2 ba ba+1 bka-2bka-1 bka i1 ik Mux Mux skik ski1 28-4-2025 PAGE 46

  47. HORS Security ? mapped to ? element index set ?? {1, ,?}? Each signature publishes ? out of ? secrets Either break one-wayness or ?for ? r-Subset-Resilience: After seeing index sets ?? messages ????,1 ? ?, hard to find ????+1 ???? such that ??+1 1 ? ??? ?. ? ? ?? ? Best generic attack: Succr-SSR(?,?) = ? Security shrinks with each signature! 28-4-2025 PAGE 47

  48. HORST Using HORS with MSS requires adding PK (tn) to MSS signature. HORST: Merkle Tree on top of HORS-PK New PK = Root Publish Authentication Paths for HORS signature values PK can be computed from Sig With optimizations: tn (k(log t x + 1) + 2x)n E.g. SPHINCS-256: 2 MB 16 KB Use randomized message hash 28-4-2025 PAGE 48

  49. SPHINCS Stateless Scheme XMSSMT + HORST + (pseudo-)random index Collision-resilient Deterministic signing SPHINCS-256: 128-bit post-quantum secure Hundrest of signatures / sec 41 kb signature 1 kb keys

  50. Thank you! Questions? For references & further literature see https://huelsing.wordpress.com/hash-based-signature-schemes/literature/ 28-4-2025 PAGE 50

Related


Hash Maps: A Common Data Structure

Hash Maps: A Common Data Structure

monte
Quick Hash Delivery in Ottawa Canafast.ca

Quick Hash Delivery in Ottawa Canafast.ca

Cana
Hash Join Algorithm in Database Management Systems

Hash Join Algorithm in Database Management Systems

seraphine
Cryptographic Hash Functions in Data Security: Mustansiriyah University Course Overview

Cryptographic Hash Functions in Data Security: Mustansiriyah University Course Overview

arley
Buy Playboy Hash Online - globaldrugsstore.com

Buy Playboy Hash Online - globaldrugsstore.com

Ups
Distributed Hash Tables in Peer-to-Peer Systems

Distributed Hash Tables in Peer-to-Peer Systems

dan_sty
Hash Joins and Symmetric Hash Joins in Database Queries

Hash Joins and Symmetric Hash Joins in Database Queries

makayleig
Cryptography Basics and Toolbox

Cryptography Basics and Toolbox

mhed
Cryptographic Hash Functions

Cryptographic Hash Functions

maryiahbo
Hash Functions in Data Structures

Hash Functions in Data Structures

nye_xay
Cryptographic Algorithms and Hash Collisions Overview

Cryptographic Algorithms and Hash Collisions Overview

kami477
The Relationship between Decisional Second-Preimage Resistance and Preimage Resistance in Cryptographic Hash Functions

The Relationship between Decisional Second-Preimage Resistance and Preimage Resistance in Cryptographic Hash Functions

jessabe
Foundations of Cryptography: Digital Signatures and Collision-Resistant Hash Functions

Foundations of Cryptography: Digital Signatures and Collision-Resistant Hash Functions

marschall_a
Foundations of Cryptography: Lecture 12 - Digital Signatures and Collision-Resistant Hash Functions

Foundations of Cryptography: Lecture 12 - Digital Signatures and Collision-Resistant Hash Functions

flacs
Hash Tables and Hashing Concepts in Computer Algorithms

Hash Tables and Hashing Concepts in Computer Algorithms

jay_par
Hash-Based Signatures

Hash-Based Signatures

edu_cl
Hash-Based Signatures

Hash-Based Signatures

kaylean
Hash-Based Indexes

Hash-Based Indexes

jho_go
Implementing SHA-3 Hash Submissions on NVIDIA GPU

Implementing SHA-3 Hash Submissions on NVIDIA GPU

wjon
Hash Tables

Hash Tables

jusi224
Hash Tables: Ideal Data Structure for Efficient Key-Value Retrieval

Hash Tables: Ideal Data Structure for Efficient Key-Value Retrieval

dcza
Cryptography Lecture 7: Quick Recall, Hash Functions, and Applications

Cryptography Lecture 7: Quick Recall, Hash Functions, and Applications

kamala

More Related Content