Understanding Post-Quantum Signatures and Hash-Based Schemes

hash based signatures n.w
1 / 51
Embed
Share

Explore the intricacies of post-quantum signatures, lattice-based schemes, and hash functions in a post-quantum computing world. Delve into topics like collision resistance, second-preimage resistance, and pseudorandomness for enhanced understanding and security. Discover the vulnerabilities and strengths of different cryptographic hash functions like MD5, SHA-1, RSA, and more. Stay informed about the latest advancements and security measures in the realm of cryptographic algorithms and digital signatures.

  • Post-Quantum
  • Cryptography
  • Security
  • Hash Functions
  • Signatures
rayaanacharya
nova_1 Follow

Uploaded on | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. Hash-based Signatures Andreas H lsing

  2. Post-Quantum Signatures Lattice, MQ, Coding Signature and/or key sizes = + + + 2 1 y x x x x x x 1 1 2 1 4 3 x = + + + + 2 3 1 y x x x x x 2 2 3 2 4 1 = ... y 3 Runtimes Secure parameters 9-5-2025 PAGE 2

  3. Hash-based Signature Schemes [Mer89] Post quantum Only secure hash function Security well understood Fast 9-5-2025 PAGE 3

  4. RSA DSA EC-DSA... Intractability Assumption Cryptographic hash function RSA, DH, SVP, MQ, Digital signature scheme 9-5-2025 PAGE 4

  5. (Hash) function families ?? ?:{0,1}? ? {0,1}? {0,1}? ?(?) ? ? efficient {0,1}? ?

  6. One-wayness ?? ?:{0,1}? ? {0,1}? ??,? $?? ${0,1}? ? ? ? ?? ?? Success if ?? = ?? ?

  7. Collision resistance ?? ?:{0,1}? ? {0,1}? ? $?? ? Success if ??1 = ??2 ,?2 ) (?1

  8. Second-preimage resistance ?? ?:{0,1}? ? {0,1}? ??,? $?? ${0,1}? ? ? ?? Success if ??? = ?? ?

  9. Undetectability ?? ?:{0,1}? ? {0,1}? ? ? If ? = 1 ${0,1}? ? ?? ?(?) else ${0,1}? ??,? $?? ${0,1} ? ?* ??

  10. Pseudorandomness ?? ?:{0,1}? ? {0,1}? 1? ? If ? = 1 $?? else $?? ? ,? ? ? g ? = ?(?) ? ?*

  11. Hash-function properties stronger / easier to break Collision-Resistance Assumption / 2nd-Preimage- Resistance Attacks Pseudorandom One-way weaker / harder to break 9-5-2025 PAGE 11

  12. Attacks on Hash Functions MD5 MD5 Collisions (practical!) Collisions (theo.) SHA-1 Collisions (theo.) MD5 & SHA-1 No (Second-) Preimage Attacks! 2004 2005 2008 2015 9-5-2025 PAGE 12

  13. Basic Construction 9-5-2025 PAGE 13

  14. Lamport-Diffie OTS [Lam79] Message M = b1, ,bm, OWF H = n bit * SK sk1,0 sk1,1 skm,0 skm,1 H H H H H H PK pk1,0 pk1,1 pkm,0 pkm,1 bm b1 b2 Mux Mux Mux Sig sk1,b1 skm,bm 9-5-2025 PAGE 14

  15. EU-CMA for OTS ?? ??,1? ? SIGN (?,?) Success if ? ? and Verify ??,? ,? = Accept (? ,? ) 23.09.2013 | TU Darmstadt | Andreas H lsing | 15

  16. Security Theorem: If H is one-way then LD-OTS is one-time eu-cma- secure.

  17. Reduction Input: ??,? Set ? ? Replace random pki,b sk1,0 sk1,1 skm,0 skm,1 H H H H H H ?? pk1,0 pk1,1 pkm,0 pkm,1

  18. Reduction Adv. Message: M = b1, ,bm If bi = b return fail else return Sign(M) Input: ??,? Set ? ? Replace random pki,b ? sk1,0 sk1,1 skm,0 skm,1 H H H H H ?? pk1,0 pk1,1 pkm,0 pkm,1 bm b1 b2 Mux Mux Mux sk1,b1 skm,bm

  19. Reduction Forgery: M* = b1*, ,bm*, ? = ?1, ,?? If bi b return fail Else return ?? Input: ??,? Set ? ? Choose random pki,b ? ?? ?? sk1,0 sk1,1 skm,0 skm,1 H H H H H ?? pk1,0 pk1,1 pkm,0 pkm,1

  20. Reduction - Analysis Abort in two cases: 1. bi = b probability : b is a random bit 2. bi b probability 1 - 1/m: At least one bit has to flip as M* M Reduction succeeds with A s success probability times 1/2m.

  21. Merkles Hash-based Signatures PK SIG = (i=2, , , , , ) H H H OTS H H H H H H H H H H H H OTS OTS OTS OTS OTS OTS OTS OTS SK 9-5-2025 PAGE 21

  22. Security Theorem: MSS is eu-cma-secure if OTS is a one-time eu-cma secure signature scheme and H is a random element from a family of collision resistant hash functions.

  23. Reduction Input: ?,????? 1. Choose random 0 ? < 2 2. Generate key pair using ?????as ?th OTS public key and ? ? 3. Answer all signature queries using sk or sign oracle (for index ?) 4. Extract OTS-forgery or collision from forgery

  24. Reduction (Step 4, Extraction) Forgery: (? ,???? 1. If ????? an OTS forgery. Can only be used if ? = ?. 2. Else adversary used different OTS pk. Hence, different leaves. Still same root! Pigeon-hole principle: Collision on path to root. ,????? , AUTH) equals OTS pk we used for ? OTS, we got

  25. Winternitz-OTS

  26. Recap LD-OTS [Lam79] * MessageM = b1, ,bm, OWF H = n bit SK sk1,0 sk1,1 skm,0 skm,1 H H H H H H PK pk1,0 pk1,1 pkm,0 pkm,1 b1 b2 bn Mux Mux Mux sk1,b1 skm,bm Sig

  27. LD-OTS in MSS SIG = (i=2, , , , , ) Verification: 1. Verify 2. Verify authenticity of We can do better!

  28. Trivial Optimization MessageM = b1, ,bm, OWF H = n bit * SK sk1,0 sk1,1 skm,0 skm,1 H H H H H H PK pk1,0 pk1,1 pkm,0 pkm,1 bm b1 bm b1 Mux Mux Mux Mux Sig sigm,0 sig1,0 sigm,1 sig1,1

  29. Optimized LD-OTS in MSS X SIG = (i=2, , , , , ) Verification: 1. Compute from 2. Verify authenticity of Steps 1 + 2 together verify

  30. Germans love their Ordnung! Message M = b1, ,bm, OWF H SK: sk1, ,skm,skm+1, ,sk2m PK: H(sk1), ,H(skm),H(skm+1), ,H(sk2m) Encode M: M = M|| M = b1, ,bm, b1, , bm (instead of b1, b1, ,bm, bm ) ski , if bi = 1 Sig: sigi = H(ski) , otherwise Checksum with bad performance!

  31. Optimized LD-OTS Message M = b1, ,bm, OWF H SK: sk1, ,skm,skm+1, ,skm+log m PK: H(sk1), ,H(skm),H(skm+1), ,H(skm+log m) Encode M: M = b1, ,bm, 1 ??? ski , if bi = 1 Sig: sigi = H(ski) , otherwise IF one biis flipped from 1 to 0, another bjwill flip from 0 to 1

  32. Function chains Function family: ?? ?:{0,1}? {0,1}? ? Parameter ? Chain: k c h x c = ( ) ( $?? = 1 i i ( )) ( ) x h h h x k k k times i c0(x) = x ?? ?(?) ?1(?) = ?(?)

  33. WOTS Winternitz parameter w, security parameter n, message length m, function family ?? Key Generation: Compute ?, sample ? c0(sk1) = sk1 pk1 = cw-1(sk1) c1(sk1) c1(skll ) pkll= cw-1(skll ) c0(skll ) = skll

  34. WOTS Signature generation M b1 b2 b3 b4 bm bll bm +1 bm +2 pk1 = cw-1(sk1) c0(sk1) = sk1 C 1=cb1(sk1) Signature: = ( 1, , ll) pkll= cw-1(skll ) c0(skll ) = skll ll=cbll(skll)

  35. WOTS Signature Verification Verifier knows: M, w b1 b2 b3 b4 bm bll bm +1 bll 1+2 pk1 ??( 1) ??( 1) =? 1 ??( 1) ?? ? ??( 1) Signature: = ( 1, , ll) pkll =? ?? ? ??( ll) ll

  36. WOTS Function Chains For ? 0,1?define ?0? = ? and WOTS: ??? = ?(?? 1? ) WOTS$: ??? = ?? 1?(?) WOTS+: ??? = ?(?? 1? ??)

  37. WOTS Security Theorem (informally): W-OTS is strongly unforgeable under chosen message attacks if ?? is a collision resistant family of undetectable one-way functions. W-OTS$is existentially unforgeable under chosen message attacks if ?? is a pseudorandom function family. W-OTS+is strongly unforgeable under chosen message attacks if ?? is a 2nd-preimage resistant family of undetectable one-way functions.

  38. XMSS

  39. XMSS Tree: Uses bitmasks H Leafs: Use binary tree with bitmasks H OTS: WOTS+ bi Mesage digest: Randomized hashing Collision-resilient -> signature size halved

  40. Multi-Tree XMSS Uses multiple layers of trees -> Key generation (= Building first tree on each layer) (2h) (d*2h/d) -> Allows to reduce worst-case signing times (h/2) (h/2d)

  41. How to Eliminate the State

  42. Protest? PAGE 43 9-5-2025

  43. Few-Time Signature Schemes 9-5-2025 PAGE 44

  44. Recap LD-OTS Message M = b1, ,bn, OWF H = n bit * SK sk1,0 sk1,1 skn,0 skn,1 H H H H H H PK pk1,0 pk1,1 pkn,0 pkn,1 b1 b2 bn Mux Mux Mux sk1,b1 skn,bn Sig 9-5-2025 PAGE 45

  45. HORS [RR02] Message M, OWF H, CRHF H = n bit Parameters t=2a,k, with m = ka (typical a=16, k=32) * SK sk1 sk2 skt-1 skt H H H H H H PK pk1 pk1 pkt-1 pkt 9-5-2025 PAGE 46

  46. HORS mapping function Message M, OWF H, CRHF H = n bit Parameters t=2a,k, with m = ka (typical a=16, k=32) * M H b1 b2 ba bar ik i1 9-5-2025 PAGE 47

  47. HORS Message M, OWF H, CRHF H = n bit Parameters t=2a,k, with m = ka (typical a=16, k=32) * SK sk1 sk2 skt-1 skt H H H H H H PK pk1 pk1 pkt-1 pkt H (M) b1 b2 ba ba+1 bka-2bka-1 bka i1 ik Mux Mux skik ski1 9-5-2025 PAGE 48

  48. HORS Security ? mapped to ? element index set ?? {1, ,?}? Each signature publishes ? out of ? secrets Either break one-wayness or ?for ? r-Subset-Resilience: After seeing index sets ?? messages ????,1 ? ?, hard to find ????+1 ???? such that ??+1 1 ? ??? ?. ? ? ?? ? Best generic attack: Succr-SSR(?,?) = ? Security shrinks with each signature! 9-5-2025 PAGE 49

  49. HORST Using HORS with MSS requires adding PK (tn) to MSS signature. HORST: Merkle Tree on top of HORS-PK New PK = Root Publish Authentication Paths for HORS signature values PK can be computed from Sig With optimizations: tn (k(log t x + 1) + 2x)n E.g. SPHINCS-256: 2 MB 16 KB Use randomized message hash 9-5-2025 PAGE 50

  50. SPHINCS Stateless Scheme XMSSMT + HORST + (pseudo-)random index Collision-resilient Deterministic signing SPHINCS-256: 128-bit post-quantum secure Hundrest of signatures / sec 41 kb signature 1 kb keys

Related


Hash Join Algorithm in Database Management Systems

Hash Join Algorithm in Database Management Systems

seraphine
Cryptographic Hash Functions in Data Security: Mustansiriyah University Course Overview

Cryptographic Hash Functions in Data Security: Mustansiriyah University Course Overview

arley
Buy Playboy Hash Online - globaldrugsstore.com

Buy Playboy Hash Online - globaldrugsstore.com

Ups
Salinity in Seawater: Density, Composition, and Variations

Salinity in Seawater: Density, Composition, and Variations

kyliann
Hash Joins and Symmetric Hash Joins in Database Queries

Hash Joins and Symmetric Hash Joins in Database Queries

makayleig
Cryptographic Hash Functions

Cryptographic Hash Functions

maryiahbo
Hash Functions in Data Structures

Hash Functions in Data Structures

nye_xay
The Relationship between Decisional Second-Preimage Resistance and Preimage Resistance in Cryptographic Hash Functions

The Relationship between Decisional Second-Preimage Resistance and Preimage Resistance in Cryptographic Hash Functions

jessabe
Foundations of Cryptography: Digital Signatures and Collision-Resistant Hash Functions

Foundations of Cryptography: Digital Signatures and Collision-Resistant Hash Functions

marschall_a
Pakistan-Croatia Trade Relations: An Overview of Export and Import Trends

Pakistan-Croatia Trade Relations: An Overview of Export and Import Trends

myste
Hash-Based Signatures

Hash-Based Signatures

edu_cl
Hash-Based Signatures

Hash-Based Signatures

kaylean
Hash-Based Indexes

Hash-Based Indexes

jho_go
Online Cryptography Course: Fast One-Time Signatures with Special Properties

Online Cryptography Course: Fast One-Time Signatures with Special Properties

puj_mi
Secure Hashing, Digital Signatures, and Secret Sharing Principles

Secure Hashing, Digital Signatures, and Secret Sharing Principles

lanthier_j
Hash Tables

Hash Tables

jusi224
Overview of Hash-Based Signatures and XMSS Secret Key Generation

Overview of Hash-Based Signatures and XMSS Secret Key Generation

celleenm
Digital Signatures for Message Authentication and Non-Repudiation

Digital Signatures for Message Authentication and Non-Repudiation

devo_776
Hash Tables: Ideal Data Structure for Efficient Key-Value Retrieval

Hash Tables: Ideal Data Structure for Efficient Key-Value Retrieval

dcza
Cryptography Lecture 7: Quick Recall, Hash Functions, and Applications

Cryptography Lecture 7: Quick Recall, Hash Functions, and Applications

kamala
Cryptographic Signatures: Hash, RSA, and ECDSA Explained

Cryptographic Signatures: Hash, RSA, and ECDSA Explained

annaston
Hash Functions in Data Structures

Hash Functions in Data Structures

rhan_6

More Related Content