SPHINCS: practical stateless hash-based signatures


  1. SPHINCS: practical stateless hash-based signatures
     Daniel J. Bernstein, Daira Hopwood, Andreas Hülsing, Tanja Lange, Ruben Niederhagen, Louiza Papachristodoulou, Michael Schneider, Peter Schwabe, Zooko Wilcox-O’Hearn
     28 April 2015

  2. Hash-based signatures [Mer90]
     ◮ Security relies only on secure hash function
     ◮ Post-quantum
     ◮ Reliable security estimates
     ◮ Fast [BGD+06, BDK+07, BDH11]
     ◮ Stateful
     SPHINCS: practical stateless hash-based signatures http://sphincs.cr.yp.to

  3. Merkle Trees
     [Figure: binary hash tree with root PK and hash nodes H, built on the OTS public keys Y_000 … Y_111, which belong to the OTS secret keys X_000 … X_111.]
     ◮ Merkle, 1979: Leverage one-time signatures to multiple messages
     ◮ Binary hash tree on top of OTS public keys

  4. Merkle Trees
     [Figure: the same tree with the authentication path marked, labelled "Auth for i = 001".]
     ◮ Use OTS keys sequentially
     ◮ $\mathrm{SIG} = (i, \mathrm{sign}(M, X_i), Y_i, \mathrm{Auth})$

  8. About the state
     ◮ Used for security: Stores index $i$ ⇒ Prevents using one-time keys twice.
     ◮ Used for efficiency: Stores intermediate results for fast Auth computation.
     ◮ Problems:
       ◮ Load-balancing
       ◮ Multi-threading
       ◮ Backups
       ◮ Virtual-machine images
       ◮ ...
     ◮ “Huge foot-cannon” (Adam Langley, Google)
     ◮ Not only a hash-based issue!

  9. Protest?

  12. Stateless hash-based signatures [NY89, Gol87, Gol04]
      [Figure: binary certification tree of OTS key pairs, from the root PK = Y (secret key X) through Y_0, Y_1, Y_00, Y_01, Y_010, Y_011, … down to Y_{i≫1}, its children Y_i and Y_{i+1}, and the key X_i that signs the message M.]
      Goldreich’s approach [Gol04]:
      Security parameter $\lambda = 128$
      Use binary tree as in Merkle, but...
      ◮ For security
        ◮ pick index $i$ at random;
        ◮ requires huge tree to avoid index collisions (e.g., height $h = 2\lambda = 256$).
      ◮ For efficiency:
        ◮ use binary certification tree of OTS;
        ◮ all OTS secret keys are generated pseudorandomly.

  15. It works, but signatures are painfully long
      ◮ 0.6 MB for Goldreich signature using short-public-key Winternitz-16 one-time signatures.
      ◮ Would dominate traffic in typical applications, and add user-visible latency on typical network connections.
      ◮ Example:
        ◮ Debian operating system is designed for frequent upgrades.
        ◮ At least one new signature for each upgrade.
        ◮ Typical upgrade: one package or just a few packages.
        ◮ 1.2 MB average package size.
        ◮ 0.08 MB median package size.
      ◮ Example:
        ◮ HTTPS typically sends multiple signatures per page.
        ◮ 1.8 MB average web page in Alexa Top 1000000.

  16. The SPHINCS approach
      [Figure: hyper-tree of layers TREE d-1, TREE d-2, …, TREE 0, each of height h/d, with labels σ_{W,d-1}, σ_{W,d-2}, …, σ_{W,0}; below TREE 0, an FTS of height log t with label σ_H.]
      ◮ Use a “hyper-tree” of total height $h$
      ◮ Parameter $d \ge 1$, such that $d \mid h$
      ◮ Each (Merkle) tree has height $h/d$
      ◮ $(h/d)$-ary certification tree

  17. The SPHINCS approach
      [Figure: the SPHINCS hyper-tree, as on slide 16.]
      ◮ Pick index (pseudo-)randomly
      ◮ Messages signed with few-time signature scheme
      ◮ Significantly reduce total tree height
      ◮ Require $\Pr[r\text{-times Coll}] \cdot \Pr[\text{Forgery after } r \text{ signatures}] = \mathrm{negl}(n)$

  18. The SPHINCS approach
      [Figure: the SPHINCS hyper-tree, as on slide 16.]
      ◮ Designed to be collision-resilient
      ◮ Trees: MSS-SPR trees [DOTV08]
      ◮ OTS: WOTS$^+$ [Hül13]
      ◮ FTS: HORST (HORS [RR02] with tree)

  21. SPHINCS-256
      ◮ Designed for 128 bits of post-quantum security (yes, we did the analysis!)
      ◮ 12 trees of height 5 each
      ◮ $n = 256$ bit hashes in WOTS and HORST
      ◮ Winternitz parameter $w = 16$
      ◮ HORST with $2^{16}$ expanded-secret-key chunks (total: 2 MB)
      ◮ $m = 512$ bit message hash (BLAKE-512 [ANWOW13])
      ◮ ChaCha12 [Ber08] as PRG
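Added example, not part of the original slides: the product required on slide 17, evaluated for the SPHINCS-256 parameters listed above and compared with a one-time-signature leaf as in Goldreich's approach. The signing budget q = 2^50, the HORS bound (rk/t)^k with k = m / log t = 32, and the union bound on index collisions are assumptions of this sketch, not figures from the slides.

```python
import math

def log2_coll(h, log2_q, r):
    """log2 of a union bound on Pr[some leaf index is drawn >= r times]
    when q = 2^log2_q indices are picked uniformly among 2^h leaves:
    2^h * C(q, r) * 2^(-h*r) <= 2^(h + r*(log2_q - h)), capped at 1."""
    return min(0.0, h + r * (log2_q - h))

def log2_hors_forgery(k, log2_t, r):
    """log2 of (r*k/t)^k: all k indices of a fresh digest fall among the
    at most r*k secret values revealed by r signatures under one key."""
    return min(0.0, k * (math.log2(r * k) - log2_t))

def ots_leaf_failure(h, log2_q):
    """One-time key at the leaf: treated as broken as soon as r = 2."""
    return log2_coll(h, log2_q, 2)

def fts_leaf_failure(h, log2_q, k, log2_t, r_max=64):
    """Worst r for Pr[r-times Coll] * Pr[Forgery after r signatures]."""
    terms = {r: log2_coll(h, log2_q, r) + log2_hors_forgery(k, log2_t, r)
             for r in range(1, r_max + 1)}
    worst = max(terms, key=terms.get)
    return worst, terms[worst]

LOG2_Q = 50          # assumed signing budget: 2^50 signatures per key pair
H_TOTAL = 12 * 5     # 12 trees of height 5 each
LOG2_T = 16          # HORST with t = 2^16 secret-key chunks
K = 512 // LOG2_T    # assumed: the 512-bit digest is split into 16-bit indices

def compare():
    """Return log2 failure bounds for the three designs discussed in the talk."""
    return {
        "OTS leaf, h = 256": ots_leaf_failure(256, LOG2_Q),
        "OTS leaf, h = 60": ots_leaf_failure(H_TOTAL, LOG2_Q),
        "FTS leaf, h = 60": fts_leaf_failure(H_TOTAL, LOG2_Q, K, LOG2_T),
    }
```

Under these assumptions a one-time key at height 60 gives no bound at all against a repeated index, while the few-time key keeps the product small at the same height.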

  24. Cost of SPHINCS-256 signing
      ◮ Three main components:
        ◮ PRG for HORST secret-key expansion to 2 MB
        ◮ Hashing in WOTS and HORS public-key generation: $F : \{0,1\}^{256} \to \{0,1\}^{256}$
        ◮ Hashing in trees (mainly HORST public-key): $H : \{0,1\}^{512} \to \{0,1\}^{256}$
      ◮ Overall: 451 456 invocations of $F$, 91 251 invocations of $H$
      ◮ Full hash function would be overkill for $F$ and $H$
      ◮ Construction in SPHINCS-256:
        ◮ $F(M_1) = \mathrm{Chop}_{256}(\pi(M_1 \| C))$
        ◮ $H(M_1 \| M_2) = \mathrm{Chop}_{256}(\pi(\pi(M_1 \| C) \oplus (M_2 \| 0^{256})))$
      ◮ Use fast ChaCha12 permutation for $\pi$
      ◮ All building blocks (PRG, message hash, $H$, $F$) built from very similar permutations

  25. SPHINCS-256 speed and sizes
      SPHINCS-256 sizes
      ◮ 0.041 MB signature (≈ 15× smaller than Goldreich!)
      ◮ 0.001 MB public key
      ◮ 0.001 MB private key
