Introduction Hash-based signatures Grafting trees Conclusion

Grafting Trees: a Fault Attack against the SPHINCS framework

Laurent Castelnovi, Ange Martinelli, Thomas Prest

Introduction

Hash-based signatures:
➳ Signatures based on the collision or preimage resistance of hash functions
➳ Optimal from a security perspective [Rom90]
➳ Post-quantum: two proposals to NIST's CFP [AE17, BDE+17]

Obvious question: do they resist fault attacks?
➳ Short answer: No.
➳ This talk: a fault attack against schemes of the SPHINCS family:
  ➵ The original SPHINCS [BHH+15]
  ➵ Gravity-SPHINCS [AE17]
  ➵ SPHINCS+ [BDE+17]

Let's fault stuff!

Outline of this talk

1 Introduction
2 Hash-based signatures
  1 One-time signatures (OTS)
  2 Merkle's construction
  3 Goldreich's construction
  5 The SPHINCS framework
3 Grafting trees
  1 Outline of the attack
  2 Faulting step
  3 Grafting step
  4 Specifics of each scheme
4 Conclusion

One-time signatures (OTS) from hash functions

A toy example:
➳ $sk = (s_1, s_2) \in \{0,1\}^{256 \times 2}$
➳ $pk = (p_1, p_2) = (H^N(s_1), H^N(s_2))$
➳ Sign($m \in \{0, \dots, N\}$): $sig(m) = (\sigma_1, \sigma_2) = (H^m(s_1), H^{N-m}(s_2))$    (1)
➳ Verify($m$, $sig$): accept if and only if $(H^{N-m}(\sigma_1), H^m(\sigma_2)) = pk$
➳ one signature ⇒ existentially unforgeable
➳ two signatures ⇒ existential forgery for a proportion $\approx |m_1 - m_2| / N$ of the messages

For WOTS(+), the OTS used in schemes of the SPHINCS family:
➳ one signature ⇒ existentially unforgeable
➳ two signatures ⇒ existential forgery for a proportion $2^{-34}$ of the messages

Feature common to all hash-based signatures: from a valid signature, one can recover the public key.

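The toy OTS above as runnable code, an added example that is not from the original slides: SHA-256 stands in for H, N = 16 is a constructed value, and `recover_pk` and `derive_from_two` are hypothetical names. It shows that a valid signature reveals pk, and why a key that has signed two values m1 < m2 no longer protects any m between them.

```python
import hashlib
import os

N = 16  # chain length (constructed toy value)

def H(x: bytes, times: int = 1) -> bytes:
    """Apply SHA-256 `times` times (H^times in the slide's notation)."""
    for _ in range(times):
        x = hashlib.sha256(x).digest()
    return x

def keygen():
    sk = (os.urandom(32), os.urandom(32))
    pk = (H(sk[0], N), H(sk[1], N))
    return sk, pk

def sign(sk, m: int):
    if not 0 <= m <= N:
        raise ValueError("message out of range")
    # Equation (1): sigma_1 = H^m(s_1), sigma_2 = H^(N-m)(s_2)
    return (H(sk[0], m), H(sk[1], N - m))

def recover_pk(m: int, sig):
    """Anyone can finish both chains, so a valid signature reveals pk."""
    return (H(sig[0], N - m), H(sig[1], m))

def verify(pk, m: int, sig) -> bool:
    return 0 <= m <= N and recover_pk(m, sig) == pk

def derive_from_two(m1, sig1, m2, sig2, m):
    """Why the key is one-time: from signatures on m1 and m2, a signature on
    any m1 <= m <= m2 follows without sk, by walking chain 1 forward from
    sig1 and chain 2 forward from sig2."""
    if not m1 <= m <= m2:
        raise ValueError("m outside [m1, m2]: chain values not reachable")
    return (H(sig1[0], m - m1), H(sig2[1], m2 - m))
```
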
Merkle's construction [Mer90]

[Figure: binary Merkle tree. The root H is the public key; internal nodes are H_0, H_1 and H_00, H_01, H_10, H_11; the leaves are the OTS keypairs (sk_000, pk_000), ..., (sk_111, pk_111), whose secret halves form the secret key. Legend: Secret key, Public key, OTS keypair, Signature(m), deduced from Signature(m). The message m is signed as σ_{sk_000}(m).]

Goldreich's construction (abstract) [Gol86]

[Figure: tree of OTS keypairs. Legend: Merkle tree, OTS keypair.]

Goldreich's construction (detailed)

[Figure: tree of OTS keypairs with three layers: (sk_0, pk_0), (sk_1, pk_1); then (sk_00, pk_00), ..., (sk_11, pk_11); then (sk_000, pk_000), ..., (sk_111, pk_111). Hash nodes H_0, H_1 and H_00, H_01, H_10, H_11 link the layers. Legend: Secret key, Public key, OTS keypair, Signature(m), deduced from Signature(m). The signature chain shown is σ_{sk_0}(H_0), σ_{sk_00}(H_00), σ_{sk_000}(m).]

The SPHINCS framework

[Figure: hypertree of Merkle trees linked by OTS keypairs, with FTS keypairs at the bottom layer. Legend: Merkle tree, OTS keypair, FTS keypair.]

➳ Common to SPHINCS [BHH+15], Gravity-SPHINCS [AE17] and SPHINCS+ [BDE+17]
➳ Typical parameters: layers = 8, height of each Merkle tree = 8, total height = 64

Outline of the attack

Observations useful for our attack:
➳ In all hash-based signatures: [a valid signature $\sigma_{sk}(m)$] ⇒ [one can recover pk]
➳ For the OTS used in SPHINCS: [2 signatures] ⇒ [one can forge for 1 message out of $2^{34}$]

Outline of our attack:
1 Faulting step. We provoke a fault to make an OTS sign two different values
2 Grafting step. We use the compromised OTS to obtain a universal forgery

The faulting step

[Figure: SPHINCS hypertree showing Signature(m), the FTS keypair, the Merkle tree below the top OTS keypair, and the shaded "Fault area".]

The faulting step:
➳ One normal sig(m), one faulted sig(m)
➳ Target the Merkle tree just below the top OTS keypair
➳ We may fault any computation "below" the authentication path

Regular vs faulted signature:
➳ Two ≠ values are computed for the root of the faulted Merkle tree
➳ The top OTS signs two ≠ values

Features of this fault:
➳ One fault
➳ Little precision required
➳ Stealthy

The grafting step

[Figure: SPHINCS hypertree in which the tree below the compromised OTS is replaced by a "grafted tree, generated by the attacker".]

Goal of the attacker:
➳ Sign his own tree with the compromised OTS

Naïve approach:
➳ Generate trees until a suitable one is found
➳ Time: $2^{34}$ × (generate a tree)

Adaptive approach:
➳ Only modify the top of the grafted tree
➳ Time: $2^{34}$ + (generate a tree)

Specifics of each scheme and countermeasures

Selection of the FTS index:
1 SPHINCS: $idx \leftarrow H(r, m)$, where $r$ is private ⇒ very easy
2 Gravity-SPHINCS: $idx \leftarrow H(r, m)$, where $r \leftarrow H(sk, m)$ ⇒ easy
3 SPHINCS+: $idx \leftarrow H(r, pk, m)$, where $r \leftarrow H(sk, \$, m)$ ⇒ no control on the FTS index anymore, but still easy

Height of the top Merkle tree:
1 SPHINCS and SPHINCS+: no more than 8
2 Gravity-SPHINCS: 20

Countermeasures:
1 Generic: redundancy
2 Specific: ?

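One reading of the generic "redundancy" countermeasure, as an added example that is not from the original slides: the subtree root is computed twice and handed to the OTS only if both runs agree. The 8-leaf tree, the `OneShotFault` bit-flip model and all function names are assumptions made for illustration.

```python
import hashlib

def sha(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

def merkle_root(leaves, h=sha):
    """Root of a binary Merkle tree over a power-of-two list of leaf hashes."""
    level = list(leaves)
    while len(level) > 1:
        level = [h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

class OneShotFault:
    """Constructed fault model: flips one output bit of the k-th hash call."""
    def __init__(self, k):
        self.k, self.calls = k, 0

    def __call__(self, x):
        self.calls += 1
        out = sha(x)
        if self.calls == self.k:
            out = bytes([out[0] ^ 1]) + out[1:]
        return out

def root_with_redundancy(leaves, h=sha):
    """Compute the root twice; release it to the OTS only if both runs agree.
    A single transient fault corrupts at most one of the two runs."""
    r1 = merkle_root(leaves, h)
    r2 = merkle_root(leaves, h)
    if r1 != r2:
        raise RuntimeError("root mismatch: possible fault, refusing to sign")
    return r1

def detects_fault(leaves, k) -> bool:
    """True if a one-shot fault at hash call k is caught before signing."""
    try:
        root_with_redundancy(leaves, OneShotFault(k))
    except RuntimeError:
        return True
    return False

# Constructed stand-ins for the 8 OTS public keys at the leaves of one subtree.
LEAVES = [sha(bytes([i])) for i in range(8)]
```
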
Conclusion

Key takeaways:
1 A fault attack on schemes of the SPHINCS family
2 Universal forgery with one fault
3 Fault model is very weak:
  1 little to no control on the time of the fault
  2 little to no control on the precision of the fault
  3 independent of underlying hash function(s)
4 Stealthy
5 Specific countermeasures are ineffective (to our knowledge)

Related works:
➳ This work was based on Laurent Castelnovi's Master's thesis [Cas17]
➳ Independently studied by Genêt [Gen17] and Kannwischer [Kan17]