Hash-Based Signatures Revisited: A Dynamic FORS with Adaptive Chosen Message Security
Mahmoud Yehia, Riham AlTawy and T. Aaron Gulliver
Department of Electrical and Computer Engineering, University of Victoria, Victoria, BC, Canada
AfricaCrypt 2020
Outline
• Hash-based digital signature schemes
  – OTS
  – FTS
  – MTS
• Definitions
  – r-subset cover
  – r-subset resilient
  – r-target subset resilient
• HORST vs FORS
• FORS security analysis
• DFORS
  – Signing and verification
  – DFORS security analysis
  – Comparison with other variants
  – DFORS and FORS adaptive chosen message attack security comparison
• Conclusion
Hash-based digital signature schemes
• One-Time Signatures (OTS)
  – Lamport OTS
  – WOTS and its variants
• Few-Time Signatures (FTS)
  – BiBa
  – HORS and its variants
• Many-Time Signatures (MTS)
  – Stateful signature schemes
    • MSS, XMSS, XMSS+, XMSS^MT, XMSS-T
  – Stateless signature schemes
    • SPHINCS, Gravity-SPHINCS, SPHINCS+
Definitions
• r-subset cover: $C_k^r(m_1, m_2, \ldots, m_{r+1}) \iff \mathrm{ORS}(m_{r+1}) \subseteq \bigcup_{j=1}^{r} \mathrm{ORS}(m_j)$,
  where $\mathrm{ORS}(m_j) = \{b_0, b_1, \ldots, b_{k-1}\}$ with $H(m_j) = b_0 \parallel b_1 \parallel \cdots \parallel b_{k-1}$ and $b_i \in \{0, 1, \ldots, t-1\}$
• r-subset resilient: $\Pr\big[(m_1, m_2, \ldots, m_{r+1}) \leftarrow \mathcal{A}(1^n, k, t) : C_k^r(m_1, m_2, \ldots, m_{r+1})\big] \le \mathrm{negl}(n, t)$
• r-target subset resilient: $\Pr\big[m_{r+1} \leftarrow \mathcal{A}(1^n, k, t, m_1, m_2, \ldots, m_r) : C_k^r(m_1, m_2, \ldots, m_{r+1})\big] \le \mathrm{negl}(n, t)$
HORST vs FORS
• HORST
  – Each rectangle represents one sk out of the t secret keys
  – The leaf nodes are the one-way function of each sk, $F(sk)$
  – Each upper node is the hash of the concatenation of its two child nodes
  – The root of the top layer is the public key
• FORS
  – The k trees are kept separate and their roots are hashed together: $PK = H(root_0 \parallel root_1 \parallel \cdots \parallel root_{k-1})$
FORS Security Analysis
• Non-adaptive chosen message attack (r-target subset resilient)
  – $C_k^{r\text{-}FORS}(m_1, m_2, \ldots, m_{r+1}) \iff b_i(m_{r+1}) \in \bigcup_{j=1}^{r} b_i(m_j)$ for every $i$, where $\mathrm{ORS}(m_j) = (b_0, b_1, \ldots, b_{k-1})$
  – Bit Security $= \log_2\big((t/r)^k\big) = k(\log_2 t - \log_2 r)$
• Adaptive chosen message attack (r-subset resilient)
  – Bit Security $= \dfrac{k(\log_2 t - \log_2 r) + \log_2 r!}{r + 1}$
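The three definitions above, and the position-wise cover that the FORS analysis uses, are easier to see on concrete index tuples. The following is an added example written for this page (not code from the authors, FORS or SPHINCS+): SHA-256 stands in for $H$, all function names are this example's own, and the Monte Carlo estimate uses uniformly random ORS tuples so the measured FORS cover rate can be compared with the $(r/t)^k$ figure behind the non-adaptive bit-security formula $k(\log_2 t - \log_2 r)$.

```python
import hashlib
import random


def ors(msg: bytes, k: int, t: int) -> list:
    """ORS(m) = (b_0, ..., b_{k-1}) where H(m) = b_0 || ... || b_{k-1} and each b_i in {0, ..., t-1}.
    t must be a power of two so every chunk is exactly log2(t) bits; SHA-256 stands in for H."""
    assert t & (t - 1) == 0, "t must be a power of two"
    a = t.bit_length() - 1                      # bits per index, log2(t)
    assert k * a <= 256, "k * log2(t) must fit in the digest"
    d = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return [(d >> (a * i)) & (t - 1) for i in range(k)]


def r_subset_cover(orss: list) -> bool:
    """C_k^r(m_1, ..., m_{r+1}): the ORS of the last message lies inside the union of the others.
    This is the HORS notion: an index of m_{r+1} may be matched at any position of any m_j."""
    target, others = orss[-1], orss[:-1]
    union = set().union(*[set(o) for o in others])
    return set(target) <= union


def r_fors_cover(orss: list) -> bool:
    """C_k^{r-FORS}: position-wise cover, b_i(m_{r+1}) must occur among b_i(m_1), ..., b_i(m_r)
    for every i, because in FORS the i-th index only ever selects a leaf of the i-th tree."""
    target, others = orss[-1], orss[:-1]
    return all(any(o[i] == target[i] for o in others) for i in range(len(target)))


def fors_cover_bound(k: int, t: int, r: int) -> float:
    """(r/t)^k: the per-tuple cover probability used in the non-adaptive analysis."""
    return (r / t) ** k


def estimate_fors_cover_probability(k: int, t: int, r: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo estimate, over uniformly random ORS tuples, of the probability that r random
    messages cover one more random message in the FORS sense (constructed data, fixed seed)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        tuples = [[rng.randrange(t) for _ in range(k)] for _ in range(r + 1)]
        hits += r_fors_cover(tuples)
    return hits / trials


if __name__ == "__main__":
    # constructed tuples: the HORS-style cover holds, the stricter FORS cover does not
    example = [[1, 2, 3], [4, 5, 6], [2, 1, 3]]
    print(r_subset_cover(example), r_fors_cover(example))
    print(ors(b"constructed message", 4, 8))
    print(estimate_fors_cover_probability(2, 4, 1, 20000), fors_cover_bound(2, 4, 1))
```

For $r = 1$ the estimate converges to exactly $(1/t)^k$; for $r > 1$ it stays below $(r/t)^k$ because the $r$ covering indices at a position may coincide, which is why the slide's figure is a bound rather than an exact probability.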
Dynamic Forest of Random Subsets (DFORS)
• DFORS inherits the advantages of FORS
• It mitigates the offline advantage of the adaptive chosen message attack
• It binds ORS generation to the signing procedure
• Only the signer is able to efficiently generate an ORS
Dynamic Forest of Random Subsets (DFORS)
• ORS Generation: the index-selection function $a(\cdot)$ splits its input $h$ into $k$ chunks and returns one of them,
  $a(h): \; h_j \leftarrow \{h_0 \parallel h_1 \parallel \cdots \parallel h_{k-1}\}, \quad j = h \bmod k$
Dynamic Forest of Random Subsets (DFORS)
• Signature Algorithm
  ✓ ORS Generation
  ✓ $\sigma = (s_0, s_1, \ldots, s_{k-1}) = (sk_{b_0}, Auth_0, sk_{b_1}, Auth_1, \ldots, sk_{b_{k-1}}, Auth_{k-1}) = (\tau_0, Auth_0, \tau_1, Auth_1, \ldots, \tau_{k-1}, Auth_{k-1})$
  ✓ $PK = H(root_0 \parallel root_1 \parallel \cdots \parallel root_{k-1})$
• Verification
  ✓ Compute $b_i = a\big(H_{\tau_{i-1}}(h_0 \parallel h_{i-1})\big)$; the verifier needs $b_i$ to know the leaf index that $\tau_i$ occupies
  ✓ Each $(b_i, \tau_i, Auth_i)$ is used to compute $root_i$
  ✓ Check $PK \stackrel{?}{=} H(root_0 \parallel root_1 \parallel \cdots \parallel root_{k-1})$
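To make the FORS public key construction (HORST vs FORS slide) and the DFORS signing and verification flow above concrete, here is an added toy implementation of both schemes side by side. It is this example's own code, not the authors' implementation or any SPHINCS+ code: SHA-256 stands in for $H$ and $F$, the keyed hash $H_{\tau_{i-1}}(\cdot)$ is modelled as $H(\tau_{i-1} \parallel \cdot)$ with an assumed input layout (the full message digest rather than the exact $h_0 \parallel h_{i-1}$ form on the slide), $b_0$ is assumed to come from the message digest alone, and the parameters ($k = 6$ trees of $t = 16$ leaves, 16-byte secrets) are toy sizes. All function names are this example's.

```python
import hashlib
import secrets


def H(*parts: bytes) -> bytes:
    """Hash of the concatenation of its arguments (SHA-256 stands in for the scheme's H)."""
    return hashlib.sha256(b"".join(parts)).digest()


def F(sk_element: bytes) -> bytes:
    """One-way function applied to a secret key element to obtain a leaf."""
    return H(b"leaf", sk_element)


def merkle_root(leaves: list) -> bytes:
    """Root of a complete binary hash tree (len(leaves) is a power of two)."""
    layer = list(leaves)
    while len(layer) > 1:
        layer = [H(layer[i], layer[i + 1]) for i in range(0, len(layer), 2)]
    return layer[0]


def auth_path(leaves: list, idx: int) -> list:
    """Sibling nodes from leaf idx up to, but excluding, the root."""
    path, layer = [], list(leaves)
    while len(layer) > 1:
        path.append(layer[idx ^ 1])
        layer = [H(layer[i], layer[i + 1]) for i in range(0, len(layer), 2)]
        idx >>= 1
    return path


def root_from_path(leaf: bytes, idx: int, path: list) -> bytes:
    """Recompute the root from a leaf, its index and its authentication path."""
    node = leaf
    for sibling in path:
        node = H(node, sibling) if idx & 1 == 0 else H(sibling, node)
        idx >>= 1
    return node


def keygen(k: int, a: int, n: int = 16):
    """k trees of t = 2^a leaves each; PK = H(root_0 || ... || root_{k-1}) as on the FORS slide."""
    t = 1 << a
    secret = [[secrets.token_bytes(n) for _ in range(t)] for _ in range(k)]
    leaves = [[F(s) for s in tree] for tree in secret]
    pk = H(b"pk", *[merkle_root(tree) for tree in leaves])
    return {"secret": secret, "leaves": leaves}, pk


def select_chunk(h: bytes, k: int, a: int) -> int:
    """The slide's index-selection function a(h): split h into k chunks of a bits, return chunk j, j = h mod k."""
    d = int.from_bytes(h, "big")
    j = d % k
    return (d >> (a * j)) & ((1 << a) - 1)


# FORS: the whole ORS is read off the message digest, so anyone can compute it before signing.
def fors_ors(msg: bytes, k: int, a: int) -> list:
    d = int.from_bytes(H(b"msg", msg), "big")
    return [(d >> (a * i)) & ((1 << a) - 1) for i in range(k)]


def fors_sign(sk: dict, msg: bytes, k: int, a: int) -> list:
    b = fors_ors(msg, k, a)
    return [(sk["secret"][i][b[i]], auth_path(sk["leaves"][i], b[i])) for i in range(k)]


def fors_verify(pk: bytes, msg: bytes, sig: list, k: int, a: int) -> bool:
    b = fors_ors(msg, k, a)
    roots = [root_from_path(F(tau), b[i], path) for i, (tau, path) in enumerate(sig)]
    return H(b"pk", *roots) == pk


# DFORS: b_{i+1} depends on tau_i = sk_{b_i}, so only the signer can form the ORS ahead of time.
def dfors_sign(sk: dict, msg: bytes, k: int, a: int) -> list:
    digest = H(b"msg", msg)
    b = select_chunk(digest, k, a)            # b_0 from the message digest alone (assumption)
    sig = []
    for i in range(k):
        tau = sk["secret"][i][b]
        sig.append((tau, auth_path(sk["leaves"][i], b)))
        b = select_chunk(H(b"ors", tau, digest), k, a)   # H_tau(.) modelled as H(tau || .), layout assumed
    return sig


def dfors_verify(pk: bytes, msg: bytes, sig: list, k: int, a: int) -> bool:
    """Each leaf index b_i is recovered from the revealed tau_{i-1} before Auth_i can be used."""
    digest = H(b"msg", msg)
    b, roots = select_chunk(digest, k, a), []
    for tau, path in sig:
        roots.append(root_from_path(F(tau), b, path))
        b = select_chunk(H(b"ors", tau, digest), k, a)
    return H(b"pk", *roots) == pk


if __name__ == "__main__":
    k, a = 6, 4                               # toy sizes: 6 trees of 16 leaves
    sk, pk = keygen(k, a)
    msg = b"constructed test message"
    print(fors_verify(pk, msg, fors_sign(sk, msg, k, a), k, a))
    print(dfors_verify(pk, msg, dfors_sign(sk, msg, k, a), k, a))
```

Note where the two schemes diverge: `fors_verify` computes every index from the message before touching the signature, whereas `dfors_verify` can only learn $b_i$ after it has the previous revealed secret element, which is exactly the dependency the slide points at with "it is needed to know the leaf index".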
DFORS Security Analysis
• Non-adaptive chosen message attack (r-target subset resilient)
  – $C_k^{r\text{-}DFORS}(m_1, m_2, \ldots, m_{r+1}) \iff b_i(m_{r+1}) \in \bigcup_{j=1}^{r} b_i(m_j)$ for every $i$
  – Bit Security $= \log_2\big((t/r)^k\big) = k(\log_2 t - \log_2 r)$
• Adaptive chosen message attack (r-subset resilient)
  – Bit Security $= k(\log_2 t - \log_2 r)$
  – While for FORS the adaptive chosen message attack bit security is $\dfrac{k(\log_2 t - \log_2 r) + \log_2 r!}{r + 1}$
DFORS Theoretical Efficiency & comparison with HORS Variants
DFORS and FORS Adaptive Chosen Message attack security Comparison
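The comparison the slide titles above refer to follows directly from the three bit-security formulas on the FORS and DFORS analysis slides. The following added example (this page's own illustration, not the authors' table or parameter set) evaluates them over a range of $r$; the parameters $k = 30$, $t = 2^9$ are constructed for illustration and all function names are this example's.

```python
from math import log2, factorial


def fors_nonadaptive_bits(k: int, t: int, r: int) -> float:
    """FORS, non-adaptive (r-target subset resilience): log2((t/r)^k) = k(log2 t - log2 r)."""
    return k * (log2(t) - log2(r))


def fors_adaptive_bits(k: int, t: int, r: int) -> float:
    """FORS, adaptive (r-subset resilience): (k(log2 t - log2 r) + log2 r!) / (r + 1)."""
    return (k * (log2(t) - log2(r)) + log2(factorial(r))) / (r + 1)


def dfors_adaptive_bits(k: int, t: int, r: int) -> float:
    """DFORS, adaptive: the slide gives the same value as the non-adaptive case, k(log2 t - log2 r)."""
    return k * (log2(t) - log2(r))


def comparison(k: int, t: int, max_r: int) -> list:
    """Rows (r, FORS non-adaptive, FORS adaptive, DFORS adaptive) for r = 1 .. max_r signed messages."""
    return [(r, fors_nonadaptive_bits(k, t, r), fors_adaptive_bits(k, t, r), dfors_adaptive_bits(k, t, r))
            for r in range(1, max_r + 1)]


if __name__ == "__main__":
    # constructed illustrative parameters, not a parameter set taken from the talk
    for r, na, ad, dad in comparison(k=30, t=2 ** 9, max_r=8):
        print(f"r={r}: FORS non-adaptive {na:6.1f}  FORS adaptive {ad:6.1f}  DFORS adaptive {dad:6.1f}")
```

The division by $r + 1$ is what drives the gap: the FORS adaptive figure falls as more messages are signed, while the DFORS figure stays at the non-adaptive value, which is the conclusion the talk draws.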
Conclusion
We have
• Analysed FORS against the adaptive chosen message attack
• Showed that as the number of signed messages increases, the bit security w.r.t. the adaptive chosen message attack decreases significantly compared to the non-adaptive chosen message attack
• Presented dynamic FORS with adaptive message security
• Showed that the DFORS bit security w.r.t. the adaptive chosen message attack is equal to its security in the non-adaptive setting
Thank You!