Update on Hash-based Signatures and Trapdoor Identification
Explore the latest advancements in hash-based signatures and trapdoor identification schemes, including post-quantum security measures and intractability assumptions. Dive into topics such as Merkle's hash-based signatures and Winternitz-OTS, understanding the functions and generations behind these cryptographic techniques. Stay informed about the evolving landscape of signature schemes and secure parameters up to 2025 with detailed insights and comprehensive visuals.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.
E N D
Presentation Transcript
An update on Hash-based Signatures Andreas H lsing
Trapdoor- / Identification Scheme-based (PQ-)Signatures Lattice, MQ, Coding Signature and/or key sizes = + + + 2 1 y x x x x x x 1 1 2 1 4 3 x = + + + + 2 3 1 y x x x x x 2 2 3 2 4 1 = ... y 3 Runtimes Secure parameters 4-4-2025 PAGE 2
Hash-based Signature Schemes [Mer89] Post quantum Only secure hash function Security well understood Fast 4-4-2025 PAGE 3
RSA DSA EC-DSA... Intractability Assumption Cryptographic hash function RSA, DH, SVP, MQ, Digital signature scheme 4-4-2025 PAGE 4
Basic Construction 4-4-2025 PAGE 5
Lamport-Diffie OTS [Lam79] Message M = b1, ,bm, OWF H = n bit * SK sk1,0 sk1,1 skm,0 skm,1 H H H H H H PK pk1,0 pk1,1 pkm,0 pkm,1 bm b1 b2 Mux Mux Mux Sig sk1,b1 skm,bm 4-4-2025 PAGE 6
Merkles Hash-based Signatures PK SIG = (i=2, , , , , ) H H H OTS H H H H H H H H H H H H OTS OTS OTS OTS OTS OTS OTS OTS SK 4-4-2025 PAGE 7
Function chains Function family: ?? ?:{0,1}? {0,1}? ? Parameter ? Chain: k c h x c = ( ) ( $?? = 1 i i ( )) ( ) x h h h x k k k times i c0(x) = x ?? ?(?) ?1(?) = ?(?)
WOTS Winternitz parameter w, security parameter n, message length m, function family ?? Key Generation: Compute ?, sample ? c0(sk1) = sk1 pk1 = cw-1(sk1) c1(sk1) c1(skll ) pkll= cw-1(skll ) c0(skll ) = skll
WOTS Signature generation M b1 b2 b3 b4 bm bll bm +1 bm +2 pk1 = cw-1(sk1) c0(sk1) = sk1 C 1=cb1(sk1) Signature: = ( 1, , ll) pkll= cw-1(skll ) c0(skll ) = skll ll=cbll(skll)
WOTS Signature Verification Verifier knows: M, w b1 b2 b3 b4 bm bll bm +1 bll 1+2 pk1 ??( 1) ??( 1) =? 1 ??( 1) ?? ? ??( 1) Signature: = ( 1, , ll) pkll =? ?? ? ??( ll) ll
WOTS Function Chains For ? 0,1?define ?0? = ? and WOTS: ??? = ?(?? 1? ) WOTS$: ??? = ?? 1?(?) WOTS+: ??? = ?(?? 1? ??)
WOTS Security Theorem (informally): W-OTS is strongly unforgeable under chosen message attacks if ?? is a collision resistant family of undetectable one-way functions. W-OTS$is existentially unforgeable under chosen message attacks if ?? is a pseudorandom function family. W-OTS+is strongly unforgeable under chosen message attacks if ?? is a 2nd-preimage resistant family of undetectable one-way functions.
Standardizing hash-based signatures. The case of XMSS
XMSS Tree: Uses bitmasks H Leafs: Use binary tree with bitmasks H OTS: WOTS+ bi Mesage digest: Randomized hashing Collision-resilient -> signature size halved
Multi-Tree XMSS Uses multiple layers of trees -> Key generation (= Building first tree on each layer) (2h) (d*2h/d) -> Allows to reduce worst-case signing times (h/2) (h/2d)
Multi-target attacks What is the bit security of XMSS using a n = 256 bit hash function? 256 bit? No!
Multi-target attacks It suffices to invert ?on one out of ~? ? ? different values. (For N= #WOTS key pairs, m = message length, w = Winternitz parameter, l = |WOTS message encoding|) Attack complexity: 2? log(???) For n = m = 256,? = 220,? = 16,?~64 approx. 226 bit security Similar problem applies for second-preimage resistance.
Multi-target attacks Attack complexity: 2? log(???) Reason: - Many targets for same function - Each hash query can be used for all targets - Dependent problems
Solution? Use different elements from function family for each hash (and different bitmasks). - Makes problems independent - Each hash query can only be used for one target!
XMSS-Draft since -01 Each hash function call (excl. message hash) takes now a key and a bitmask. Issue: Order of ? ? ? keys and bitmasks that have to be published. Put them into PK? Impractical Solution: PRG + Seed in PK
XMSS-Draft since -01 Solution: PRG + Seed in PK Security: - Not really standard model. - Natural but new assumption ( Generating the public values using a PRG, the scheme does not get less secure if seed is published. ), - Or ROM
SPHINCS: practical stateless hash- based signatures joint work with Daniel J. Bernstein, Daira Hopwood, Tanja Lange, Ruben Niederhagen, Louiza Papachristodoulou, Michael Schneider, Peter Schwabe, Zooko Wilcox O Hearn
Protest? PAGE 26 4-4-2025
Few-Time Signature Schemes 4-4-2025 PAGE 27
HORS [RR02] Message M, OWF H, CRHF H = n bit Parameters t=2a,k, with m = ka (typical a=16, k=32) * SK sk1 sk2 skt-1 skt H H H H H H PK pk1 pk1 pkt-1 pkt 4-4-2025 PAGE 28
HORS mapping function Message M, OWF H, CRHF H = n bit Parameters t=2a,k, with m = ka (typical a=16, k=32) * M H b1 b2 ba bar ik i1 4-4-2025 PAGE 29
HORS Message M, OWF H, CRHF H = n bit Parameters t=2a,k, with m = ka (typical a=16, k=32) * SK sk1 sk2 skt-1 skt H H H H H H PK pk1 pk1 pkt-1 pkt H (M) b1 b2 ba ba+1 bka-2bka-1 bka i1 ik Mux Mux skik ski1 4-4-2025 PAGE 30
HORS Security ? mapped to ? element index set ?? {1, ,?}? Each signature publishes ? out of ? secrets Either break one-wayness or ?for ? r-Subset-Resilience: After seeing index sets ?? messages ????,1 ? ?, hard to find ????+1 ???? such that ??+1 1 ? ??? ?. ? ? ?? ? Best generic attack: Succr-SSR(?,?) = ? Security shrinks with each signature! 4-4-2025 PAGE 31
HORST Using HORS with MSS requires adding PK (tn) to MSS signature. HORST: Merkle Tree on top of HORS-PK New PK = Root Publish Authentication Paths for HORS signature values PK can be computed from Sig With optimizations: tn (k(log t x + 1) + 2x)n E.g. SPHINCS-256: 2 MB 16 KB Use randomized message hash 4-4-2025 PAGE 32
SPHINCS Stateless Scheme XMSSMT + HORST + (pseudo-)random index Collision-resilient Deterministic signing SPHINCS-256: 128-bit post-quantum secure Hundrest of signatures / sec 41 kb signature 1 kb keys
Thank you! Questions? For references & further literature see https://huelsing.wordpress.com/hash-based-signature-schemes/literature/ 4-4-2025 PAGE 34
(Hash) function families ?? ?:{0,1}? ? {0,1}? {0,1}? ?(?) ? ? efficient {0,1}? ?
One-wayness ?? ?:{0,1}? ? {0,1}? ??,? $?? ${0,1}? ? ? ? ?? ?? Success if ?? = ?? ?
Collision resistance ?? ?:{0,1}? ? {0,1}? ? $?? ? Success if ??1 = ??2 ,?2 ) (?1
Second-preimage resistance ?? ?:{0,1}? ? {0,1}? ??,? $?? ${0,1}? ? ? ?? Success if ??? = ?? ?
Undetectability ?? ?:{0,1}? ? {0,1}? ? ? If ? = 1 ${0,1}? ? ?? ?(?) else ${0,1}? ??,? $?? ${0,1} ? ?* ??
Pseudorandomness ?? ?:{0,1}? ? {0,1}? 1? ? If ? = 1 $?? else $?? ? ,? ? ? g ? = ?(?) ? ?*
