Simplified security arguments for hash-based signatures – Andreas Hülsing, Eindhoven University of Technology (PowerPoint presentation)

  1. Simplified security arguments for hash-based signatures Andreas Hülsing Eindhoven University of Technology

  2. The quantum threat • Shor’s algorithm breaks RSA, (EC)DSA, (EC)DH,… • Grover’s algorithm asymptotically reduces complexity of brute-force search attacks by a square-root factor. 18.06.2019 https://huelsing.net 2

  13. Why care today
  • EU launched a one billion Euro project on quantum technologies
  • Similar range is spent in China
  • US administration passed a bill on spending $1.275 billion US dollar on quantum computing research
  • Google, IBM, Microsoft, Alibaba, and others run their own research programs.

  15. It's a question of risk assessment

  17. Real world cryptography development
  [figure: development cycle – Develop systems → Analyze security → Select best systems and standardize them → Implement systems & protocols → Analyze implementation security → Integrate systems into products → Roll out secure products]

  19. Who would store all encrypted data traffic? That must be expensive!

  21. Long-lived systems
  • Development time easily 10+ years
  • Lifetime easily 10+ years
  • At least make sure you got a secure update channel!

  23. Hash-based signatures [Lam79,Mer89]
  • No new hardness assumptions*
  • Provably (post-quantum) secure if (post-quantum) secure hash function is used
  • Basic concept extremely easy
  • Stateful
  * We only assume hash functions do not show non-random behaviour.

  25. Basic construction

  27. Lamport OTS [Lam79]
  Message M = b_1, …, b_m; OWF H with n-bit outputs.
  [figure: SK = (sk_{1,0}, sk_{1,1}, …, sk_{m,0}, sk_{m,1}), two n-bit secret values per message bit; PK = (pk_{1,0}, pk_{1,1}, …, pk_{m,0}, pk_{m,1}) with pk_{i,b} = H(sk_{i,b}); a mux driven by message bit b_i selects which secret value is revealed, so Sig = (sk_{1,b_1}, …, sk_{m,b_m})]
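The Lamport scheme of this slide in runnable form, as an added example that is not code from the slides: SHA-256 stands in for the OWF H (so n = 256), and the message is hashed before signing so that exactly m = 256 bits are signed; both choices are assumptions beyond what the slide states.

```python
import hashlib
import os

N = 32  # n = 256 bits: output length of H in bytes (SHA-256 assumed)


def H(data: bytes) -> bytes:
    """The one-way function H of the slide; SHA-256 is an assumed instantiation."""
    return hashlib.sha256(data).digest()


def message_bits(msg: bytes, m: int) -> list:
    """b_1, ..., b_m: here the first m bits of H(msg) (hash-then-sign is an assumption;
    the slide writes M = b_1, ..., b_m directly)."""
    digest = H(msg)
    return [(digest[i // 8] >> (7 - (i % 8))) & 1 for i in range(m)]


def lamport_keygen(m: int = 8 * N, rng=os.urandom):
    """SK holds two secret n-bit values per message bit; PK holds their images under H."""
    sk = [[rng(N), rng(N)] for _ in range(m)]            # sk[i][0] = sk_{i,0}, sk[i][1] = sk_{i,1}
    pk = [[H(sk[i][0]), H(sk[i][1])] for i in range(m)]  # pk_{i,b} = H(sk_{i,b})
    return sk, pk


def lamport_sign(sk, msg: bytes) -> list:
    """The 'Mux' of the slide: bit b_i selects which of sk_{i,0}, sk_{i,1} is revealed."""
    bits = message_bits(msg, len(sk))
    return [sk[i][bits[i]] for i in range(len(sk))]


def lamport_verify(pk, msg: bytes, sig: list) -> bool:
    """Each revealed value must hash to the PK component selected by the message bit."""
    if len(sig) != len(pk):
        return False
    bits = message_bits(msg, len(pk))
    return all(H(sig[i]) == pk[i][bits[i]] for i in range(len(pk)))


if __name__ == "__main__":
    sk, pk = lamport_keygen()
    sig = lamport_sign(sk, b"firmware-update-v1")
    print("valid:", lamport_verify(pk, b"firmware-update-v1", sig))
    print("tampered:", lamport_verify(pk, b"firmware-update-v2", sig))
```

With n = m = 256 the public and secret keys are 2·m·n bits (16 KiB) and a signature is m·n bits (8 KiB). Every signature reveals half of SK, which is why a Lamport key pair must sign exactly one message and why the following slides add a Merkle tree on top.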

  29. Merkle’s Hash-based Signatures
  [figure: a binary hash tree whose leaves are the hashes of the OTS public keys and whose inner nodes are computed with H; the root is the public key PK and the OTS key pairs form SK; the signature for leaf i = 2 is SIG = (i = 2, …) where the remaining components (OTS signature, OTS public key, and the sibling nodes along the path from leaf i to the root) are only drawn in the figure]

  31. Winternitz-OTS

  33. Lamport-OTS in MSS
  SIG = (i = 2, …) [further components drawn in the figure: OTS signature, OTS public key, authentication path]
  Verification: 1. Verify the OTS signature. 2. Verify authenticity of the OTS public key (via the authentication path against PK).
  We can do better!

  35. WOTS in MSS
  SIG = (i = 2, …) [figure: as before, but the OTS public key is crossed out and no longer sent]
  Verification: 1. Compute the OTS public key from the signature. 2. Verify authenticity of the computed OTS public key. Steps 1 + 2 together verify the signature.
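The tree part of slides 11, 13 and 14 as an added, runnable example (not code from the slides): building the Merkle tree over OTS public keys, extracting the authentication path for leaf i, and the "verify authenticity of the OTS public key" step that recomputes the root. The OTS public keys are constructed placeholders, and the `leaf`/`node` prefixes are an assumed domain separation.

```python
import hashlib


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(ots_pk: bytes) -> bytes:
    # leaves and inner nodes get distinct prefixes (assumed domain separation, not from the slides)
    return H(b"leaf" + ots_pk)


def node_hash(left: bytes, right: bytes) -> bytes:
    return H(b"node" + left + right)


def build_tree(ots_pks):
    """Tree as a list of levels: levels[0] are the leaves, levels[-1] = [PK (root)].
    Requires 2^h leaves, one per OTS key pair."""
    level = [leaf_hash(pk) for pk in ots_pks]
    if not level or len(level) & (len(level) - 1):
        raise ValueError("number of OTS key pairs must be a power of two")
    levels = [level]
    while len(level) > 1:
        level = [node_hash(level[j], level[j + 1]) for j in range(0, len(level), 2)]
        levels.append(level)
    return levels


def auth_path(levels, i: int):
    """Sibling of the node on the leaf-to-root path at every level below the root (h nodes)."""
    path = []
    for level in levels[:-1]:
        path.append(level[i ^ 1])
        i >>= 1
    return path


def root_from_auth_path(ots_pk: bytes, i: int, path) -> bytes:
    """Recompute the root from leaf i; the index bit at each level tells left from right."""
    node = leaf_hash(ots_pk)
    for sibling in path:
        node = node_hash(sibling, node) if i & 1 else node_hash(node, sibling)
        i >>= 1
    return node


def verify_pk_authentic(PK: bytes, ots_pk: bytes, i: int, path) -> bool:
    """Step 2 of the slide's verification: is ots_pk really leaf i of the tree with root PK?"""
    return root_from_auth_path(ots_pk, i, path) == PK


# Constructed stand-ins for the 8 OTS public keys of a height-3 tree (not real keys).
OTS_PKS = [H(b"ots-pk-%d" % j) for j in range(8)]
LEVELS = build_tree(OTS_PKS)
PK = LEVELS[-1][0]


def make_sig_parts(i: int):
    """The tree part of SIG = (i, OTS signature, OTS pk, authentication path); the OTS
    signature itself comes from the OTS scheme and is left out here."""
    return {"index": i, "ots_pk": OTS_PKS[i], "auth": auth_path(LEVELS, i)}


if __name__ == "__main__":
    parts = make_sig_parts(2)  # the slide's example index i = 2
    print("authentic:", verify_pk_authentic(PK, parts["ots_pk"], 2, parts["auth"]))
```

Signing leaf i costs the h sibling nodes of the authentication path, so the signature grows by h·n bits while PK stays a single n-bit root; a verifier that is handed a wrong index or a foreign OTS public key recomputes a different root and rejects.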

  37. Function chains
  Hash function h: {0,1}^n → {0,1}^n, parameter w.
  Chain: c^i(x) = h(c^{i−1}(x)) = h ∘ h ∘ ⋯ ∘ h(x) (i times), with c^0(x) = x and c^1(x) = h(x); the chain runs up to c^{w−1}(x).

  39. WOTS
  Winternitz parameter w (usually a power of 2), security parameter n, message length m, hash function h.
  Key Generation: compute l, sample sk_1, …, sk_l; for each chain i: c^0(sk_i) = sk_i, c^1(sk_i), …, pk_i = c^{w−1}(sk_i).

  41. WOTS Signature generation
  Message M is encoded as base-w digits b_1, b_2, b_3, b_4, …, b_{m'}, followed by the checksum C = b_{m'+1}, b_{m'+2}, …, b_l.
  For each chain i (from c^0(sk_i) = sk_i up to pk_i = c^{w−1}(sk_i)): σ_i = c^{b_i}(sk_i).
  Signature: σ = (σ_1, …, σ_l)

  43. WOTS Signature Verification
  Verifier knows: M, w (and hence the digits b_1, b_2, b_3, b_4, …, b_{m'}, b_{m'+1}, …, b_l).
  For each chain i, finish it from σ_i: compute c^1(σ_i), c^2(σ_i), c^3(σ_i), … up to c^{w−1−b_i}(σ_i) and check pk_i =? c^{w−1−b_i}(σ_i).
  Signature: σ = (σ_1, …, σ_l)
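Slides 15 to 18 (chains, key generation, signing, verification) as one added, runnable example that is not code from the slides. It uses the plain chain c^i(x) = h^i(x) of slide 15 with SHA-256 as h (assumed), the base-w-plus-checksum encoding of WOTS+/XMSS for the digits b_1, …, b_l (the exact digit-count formulas are an assumption, but they reproduce the 67 chains for w = 16 that slide 26 counts on), and it goes a little beyond the slides by explaining in the comments why the checksum digits are needed.

```python
import hashlib
import math
import os

N_BITS = 256  # n; SHA-256 stands in for h (an assumption, the slides only say 'hash function h')


def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def chain(x: bytes, steps: int) -> bytes:
    """c^steps(x) = h(c^{steps-1}(x)) with c^0(x) = x: apply h `steps` times."""
    for _ in range(steps):
        x = h(x)
    return x


def wots_params(w: int):
    """Digit counts for Winternitz parameter w: m' message digits and l - m' checksum digits
    (WOTS+/XMSS formulas, assumed here; w = 16 gives 64 + 3 = 67 chains)."""
    log_w = w.bit_length() - 1
    if log_w == 0 or (1 << log_w) != w:
        raise ValueError("w must be a power of two >= 2")
    m1 = math.ceil(N_BITS / log_w)
    m2 = math.floor(math.log2(m1 * (w - 1)) / log_w) + 1
    return log_w, m1, m2


def base_w(value: int, n_digits: int, log_w: int):
    """Lowest n_digits*log_w bits of value as base-w digits, most significant digit first."""
    mask = (1 << log_w) - 1
    return [(value >> (log_w * (n_digits - 1 - j))) & mask for j in range(n_digits)]


def encode(msg: bytes, w: int):
    """b_1..b_{m'} from the message digest, then the checksum digits b_{m'+1}..b_l.
    Advancing a chain is easy, so anyone holding a signature could only *raise* message
    digits; the checksum C = sum(w-1-b_i) then drops, which would require lowering
    (i.e. inverting) a checksum chain. That is what makes the scheme one-way for forgers."""
    log_w, m1, m2 = wots_params(w)
    b = base_w(int.from_bytes(h(msg), "big"), m1, log_w)
    checksum = sum(w - 1 - d for d in b)
    return b + base_w(checksum, m2, log_w)


def wots_keygen(w: int, rng=os.urandom):
    _, m1, m2 = wots_params(w)
    sk = [rng(N_BITS // 8) for _ in range(m1 + m2)]  # sk_1..sk_l
    pk = [chain(s, w - 1) for s in sk]                # pk_i = c^{w-1}(sk_i)
    return sk, pk


def wots_sign(sk, msg: bytes, w: int):
    """sigma_i = c^{b_i}(sk_i): advance chain i by b_i steps."""
    return [chain(sk[i], b_i) for i, b_i in enumerate(encode(msg, w))]


def wots_verify(pk, msg: bytes, sig, w: int) -> bool:
    """Finish each chain: pk_i =? c^{w-1-b_i}(sigma_i)."""
    digits = encode(msg, w)
    if len(sig) != len(pk) or len(digits) != len(pk):
        return False
    return all(chain(sig[i], w - 1 - digits[i]) == pk[i] for i in range(len(pk)))


if __name__ == "__main__":
    w = 16
    sk, pk = wots_keygen(w)
    sig = wots_sign(sk, b"firmware-update-v1", w)
    print(len(sig), "chains; valid:", wots_verify(pk, b"firmware-update-v1", sig, w))
```

Compared with Lamport, a WOTS signature for n = 256 and w = 16 is 67·n bits (about 2 KiB instead of 8 KiB) at the price of up to w−1 = 15 hash calls per chain for signer and verifier together; raising w shrinks the signature further but lengthens every chain.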

  45. Multi-Tree MSS

  47. Multi-Tree MSS / Hypertree
  Uses multiple layers of trees to reduce key generation time
  -> Key/state generation & stateless signing (= building one tree on each layer): Θ(2^h) → Θ(d · 2^{h/d})
  -> Worst-case stateful signing times: Θ(h/2) → Θ(h/(2d))
  -> Increases signature size by d−1 one-time signatures

  49. SPHINCS
  Joint work with Daniel J. Bernstein, Daira Hopwood, Tanja Lange, Ruben Niederhagen, Louiza Papachristodoulou, Michael Schneider, Peter Schwabe, and Zooko Wilcox-O’Hearn

  51. Stateless hash-based signatures [NY89,Gol87,Gol04]
  Goldreich’s approach [Gol04]: security parameter n = 128
  Use binary tree as in Merkle, but…
  • …for security:
    • pick index i at random;
    • requires huge tree to avoid index collisions (e.g., height h = 2n = 256).
  • …for efficiency:
    • use binary certification tree of OTS key pairs (= Hypertree with d = h),
    • all OTS secret keys are generated pseudorandomly.
  [figure: binary tree in which every node is an OTS key pair]

  53. SPHINCS [BHH+15]
  • Select index pseudo-randomly
  • Use a few-time signature key-pair on leaves to sign messages
  • Few index collisions allowed
  • Allows to reduce tree height
  • Use hypertree: Use d << h.

  55. Security arguments

  57. Requirements
  Reductions should lead to
  • collision-resilience,
  • multi-target attack protection,
  • tight security reductions,
  and allow for
  • easy verification, and
  • maintainability.

  59. Multi-target attacks
  • WOTS & Lamport need hash function h to be one-way
  • Hypertree of total height 60 with WOTS (w=16) leads to > 2^60 · 67 ≈ 2^66 images.
  • Inverting one of them allows existential forgery (at least massively reduces complexity)
  • q-query brute-force succeeds with probability Θ(q / 2^{n−66}) conventional and Θ(q^2 / 2^{n−66}) quantum
  • We lose 66 bits of security! (33 bits quantum)

  61. Multi-target attacks: Mitigation
  • Mitigation: Separate targets [HRS16]
  • Common approach: in addition to hash function description and „input“ take
    • Hash „Address“ (uniqueness in key pair)
    • Hash „key“ used for all hashes of one key pair (uniqueness among key pairs)

  65. New intermediate abstraction: Tweakable Hash Function [SPHINCS+]
  • Tweakable Hash Function: Th: P × T × M → MD
    P: Public parameters (one per key pair)
    T: Tweak (one per hash call)
    M: Message
    MD: Message Digest
  • Security in two steps:
    1. Prove security of SPHINCS(+), XMSS, LMS, … using tweakable hash functions
    2. Prove tweakable hash function security
  So what properties do we need?

  67. Single-function multi-target collision resistance for distinct tweaks
  • Intuition:
    • Adversary gets black box access to Th(P, ·, ·) for random P.
    • Adversary can adaptively query, with the restriction to use each tweak only once.
    • Adversary receives P and has to find a second preimage for one of its previous queries (such that P and T are the same).
  • This is what the hashing in [HRS16] already tightly achieves!
  • Generating pseudorandom bitmasks & function keys from P and T.
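Slides 26, 27, 29 and 30 in one added, runnable example (not code from the slides or from SPHINCS+): a tweakable hash Th(P, T, M) built the [HRS16] way, with a function key and a bitmask derived pseudorandomly from (P, T), next to a measurement of the multi-target loss of slide 26. HMAC-SHA256 is an assumed PRF, the tweaks are simple counters standing in for hash addresses, and the digest is truncated to a toy n = 12 bits only so that the generic random-preimage search that measures the loss finishes in milliseconds; the point is the ratio, which is what a defender uses to justify the domain separation.

```python
import hashlib
import hmac
import random


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def prf(P: bytes, T: bytes, label: bytes) -> bytes:
    """PRF(P, T) deriving the per-call key and bitmask; HMAC-SHA256 is an assumed instantiation."""
    return hmac.new(P, label + T, hashlib.sha256).digest()


def Th(P: bytes, T: bytes, M: bytes) -> bytes:
    """Tweakable hash Th(P, T, M) -> MD in the [HRS16] style: key and bitmask depend on (P, T),
    so the same M under a different P or T is a different target. Assumes |M| = 32 bytes."""
    key = prf(P, T, b"key")
    mask = prf(P, T, b"mask")
    masked = bytes(a ^ b for a, b in zip(M, mask))
    return H(key + masked)


def trunc(digest: bytes, n_bits: int) -> int:
    """Toy security parameter: keep only the top n_bits of the digest."""
    return int.from_bytes(digest, "big") >> (256 - n_bits)


def expected_queries(n_bits: int, n_targets: int, tweaked: bool) -> float:
    """Slide 26: q queries against N plain-hash images succeed with probability Theta(q*N/2^n),
    so one hit costs ~2^n/N queries; with distinct tweaks every query can match only the one
    target whose tweak it names, so a hit costs ~2^n again."""
    return 2.0 ** n_bits / (1 if tweaked else n_targets)


def queries_until_hit(n_bits: int, n_targets: int, tweaked: bool, seed: int) -> int:
    """Count random-input queries until some target image is hit. Plain: one H(x) is compared
    with all N images at once. Tweaked: a query must name the tweak T_j it is made under."""
    rng = random.Random(seed)
    rand32 = lambda: rng.getrandbits(256).to_bytes(32, "big")
    P = rand32()                                                # public parameter of one key pair
    tweaks = [j.to_bytes(4, "big") for j in range(n_targets)]   # one distinct 'address' per hash call
    secrets = [rand32() for _ in range(n_targets)]              # e.g. the sk values starting WOTS chains
    if tweaked:
        targets = [trunc(Th(P, tweaks[j], secrets[j]), n_bits) for j in range(n_targets)]
    else:
        targets = {trunc(H(s), n_bits) for s in secrets}
    q = 0
    while True:
        q += 1
        x = rand32()
        if tweaked:
            j = rng.randrange(n_targets)
            if trunc(Th(P, tweaks[j], x), n_bits) == targets[j]:
                return q
        elif trunc(H(x), n_bits) in targets:
            return q


def average_queries(n_bits: int, n_targets: int, tweaked: bool, trials: int = 8) -> float:
    return sum(queries_until_hit(n_bits, n_targets, tweaked, s) for s in range(trials)) / trials


if __name__ == "__main__":
    for tweaked in (False, True):
        print("tweaked" if tweaked else "plain  ",
              "expected", expected_queries(12, 64, tweaked),
              "measured", average_queries(12, 64, tweaked))
```

With N = 64 targets and n = 12 the plain hash loses log2(64) = 6 bits (a hit after about 64 queries instead of 4096), which is the toy-scale version of the 66 bits on slide 26; the tweaked construction keeps the full 2^n because each query commits to one (P, T) pair, exactly the "each tweak only once" restriction of the SM-TCR game above.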

  69. Decisional second-preimage resistance (https://ia.cr/2019/492)
  • (actually: Single-function multi-target decisional second preimage resistance for distinct tweaks)
  • [HRS16] required statistical property: every message input has to have a sibling (colliding value) under Th(P, ·, ·) for the length-preserving case (|M| = |MD|).
  • Reason: want reduction using SPR instead of OW.

  71. WOTS reduction from PRE (assume adversary that always inverts one of the signature query elements)
  [figure: the WOTS chains with message digits b_1, b_2, b_3, b_4, …, b_{m'} and checksum digits b_{m'+1}, b_{m'+2}, …, b_l; the reduction places its preimage challenges at the signature positions, σ_1 = target_1, …, σ_l = target_l, with pk_i = c^{w−1}(sk_i); Signature: σ = (σ_1, …, σ_l)]

  73. Decisional second-preimage resistance (https://ia.cr/2019/492)
  • (actually: Single-function multi-target decisional second preimage resistance for distinct tweaks)
  • [HRS16] required statistical property: every message input has to have a sibling (colliding value) under Th(P, ·, ·) for the length-preserving case (|M| = |MD|).
  • Reason: want reduction using SPR instead of OW.
  • WOTS reduction fails if the guess was incorrect (recall, in SPHINCS we have to make ≈ 2^66 guesses)
  • When reducing from SPR, we know the full chain -> no guesses
  • WOTS reduction gives us an inverter with non-negligible success probability
