
W-OTS + – Shorter Signatures for Hash-Based Signature Schemes


Presentation Transcript


  1. W-OTS+ – Shorter Signatures for Hash-Based Signature Schemes. Andreas Hülsing. 24.06.2013 | TU Darmstadt | Andreas Hülsing | 1

  2. Digital Signatures are Important! E-commerce, software updates, … and many others.

  3. What if… IBM 2012: „…optimism about superconducting qubits and the possibilities for a future quantum computer are rapidly growing.“

  4. Post-Quantum Signatures. Based on lattices, MQ, or codes. Issues: signature and/or key sizes; runtimes; secure parameters.

  5. Hash-based Signature Schemes [Merkle, Crypto'89]. Hash-based signatures are … not only "post-quantum"; … fast, also without HW acceleration; … strong security guarantees; … forward secure. But … signature size ~2-3 kB.

  6. Hash-based Signatures. [Figure: Merkle tree. Leaves: OTS public keys; inner nodes: hash values h; root: PK; SK at the bottom. SIG = (i, , , , , )]

  7. Winternitz OTS [Merkle, Crypto'89; Even et al., JoC'96]
      1. = f( )
      2. Trade-off between runtime and signature size, controlled by parameter w
      3. Minimal security requirements (PRF) [Buchmann et al., Africacrypt'11]
      4. Used in XMSS & XMSS+ [Buchmann et al., PQCrypto'11; Hülsing et al., SAC'12]
      SIG = (i, , , , , )

  8. WOTS+
      • "Winternitz-type" OTS
      • Security based on 2nd-preimage resistance, one-wayness & undetectability of the function family, even for SU-CMA
      • Tight security reduction w/o collision resistance
      • Allows for more signature compression, i.e. greater w

  9. XMSS with WOTS+. [Table: XMSS and XMSS+ on Infineon SLE78 [HBB12]]

  10. Construction

  11. Function Chain
      Use function family F.
      Previous schemes used …
      WOTS+: for w ≥ 2 select R = (r_1, …, r_{w-1}) and use r_i at chain step i:
      c^0(x) = x, c^1(x), …, c^{w-1}(x)

  12. WOTS+
      Winternitz parameter w, security parameter n, message length m, function family F.
      Key generation: compute l, sample k, sample R.
      Chains: c^0(sk_1) = sk_1, c^1(sk_1), …, pk_1 = c^{w-1}(sk_1)
              …
              c^0(sk_l) = sk_l, c^1(sk_l), …, pk_l = c^{w-1}(sk_l)

  13. WOTS+ Signature Generation
      M → b_1 b_2 b_3 b_4 … b_{l1}; checksum C → b_{l1+1} b_{l1+2} … b_l
      Chains: c^0(sk_1) = sk_1, …, σ_1 = c^{b_1}(sk_1), …, pk_1 = c^{w-1}(sk_1)
              …
              c^0(sk_l) = sk_l, …, σ_l = c^{b_l}(sk_l), …, pk_l = c^{w-1}(sk_l)
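Slides 11 to 13 (function chain, key generation, signature generation) as one runnable example. This is an added illustration, not code from the talk or from any XMSS/WOTS+ implementation. It assumes the WOTS+ chain definition from Hülsing's paper, c^i(x) = f_k(c^{i-1}(x) XOR r_i), which the slide only sketches; it instantiates the function family member f_k as SHA-256(k || x) and fixes w = 16, n = 32 bytes and 32-byte message digests. All function and dictionary names (chain, base_w, keygen, sign, verify, has_decreasing_digit) are the example's own. verify applies the check from slide 17, c^{w-1-b_i}(σ_i) = pk_i, and has_decreasing_digit shows the checksum property that slide's first observation relies on.

```python
import hashlib
import math
import os

# Parameters. The slides fix w, n and m only symbolically; these concrete values
# (w = 16, n = 32 bytes, 32-byte message digests) are assumptions for the example.
N = 32
W = 16
M_LEN = 32
LOG_W = int(math.log2(W))
L1 = math.ceil(8 * M_LEN / LOG_W)                       # digits encoding the message
L2 = math.floor(math.log2(L1 * (W - 1)) / LOG_W) + 1    # digits encoding the checksum
L = L1 + L2                                             # number of chains l


def f(k, x):
    """One member f_k of the function family F; instantiated here as SHA-256(k || x)."""
    return hashlib.sha256(k + x).digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def chain(x, start, steps, k, R):
    """Walk the function chain from position `start` for `steps` iterations.

    c^0(x) = x and c^i(x) = f_k(c^{i-1}(x) XOR r_i) (the WOTS+ chain, assumed from the
    paper); R[i-1] holds r_i from the slide's R = (r_1, ..., r_{w-1}).  A nonzero
    `start` lets a verifier continue a chain from sigma_i (position b_i) to pk_i.
    """
    for i in range(start + 1, start + steps + 1):
        x = f(k, xor(x, R[i - 1]))
    return x


def digest(message):
    """Hash an arbitrary-length message to the m-byte value that WOTS+ signs."""
    return hashlib.sha256(message).digest()


def base_w(msg):
    """Slide 13: split the message into l1 base-w digits b_1..b_l1, then append the
    l2-digit checksum C = sum(w-1-b_i) as digits b_{l1+1}..b_l."""
    assert len(msg) == M_LEN
    digits = []
    for byte in msg:
        for shift in range(8 - LOG_W, -1, -LOG_W):
            digits.append((byte >> shift) & (W - 1))
    digits = digits[:L1]
    checksum = sum(W - 1 - b for b in digits)
    c_digits = []
    for _ in range(L2):
        c_digits.append(checksum % W)
        checksum //= W
    return digits + c_digits[::-1]


def keygen():
    """Slide 12: sample k and R, then l secret values sk_i; pk_i = c^{w-1}(sk_i)."""
    k = os.urandom(N)
    R = [os.urandom(N) for _ in range(W - 1)]
    sk = [os.urandom(N) for _ in range(L)]
    pk = [chain(s, 0, W - 1, k, R) for s in sk]
    return {"k": k, "R": R, "sk": sk}, {"k": k, "R": R, "pk": pk}


def sign(secret, msg):
    """Slide 13: sigma_i = c^{b_i}(sk_i) for every digit b_i of the encoded message."""
    return [chain(s, 0, b, secret["k"], secret["R"])
            for s, b in zip(secret["sk"], base_w(msg))]


def verify(public, msg, sig):
    """Slide 17's verification equation: accept iff c^{w-1-b_i}(sigma_i) = pk_i for all i."""
    if len(sig) != L:
        return False
    return all(chain(s, b, W - 1 - b, public["k"], public["R"]) == p
               for s, b, p in zip(sig, base_w(msg), public["pk"]))


def has_decreasing_digit(msg, forged_msg):
    """Checksum property behind slide 17: for M* != M some digit b*_alpha < b_alpha,
    so a forger cannot obtain sigma* by merely walking the revealed chains further."""
    return any(bs < b for b, bs in zip(base_w(msg), base_w(forged_msg)))


if __name__ == "__main__":
    secret, public = keygen()
    m = digest(b"constructed test message")   # constructed sample input
    sig = sign(secret, m)
    print("chains l =", L, "signature bytes =", L * N)
    print("verify:", verify(public, m, sig))
    print("verify wrong message:", verify(public, digest(b"other"), sig))
```

With these parameters l = 67 chains of 32 bytes each, so a signature is 2144 bytes, which matches the ~2-3 kB figure on slide 5 before any further compression.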

  14. Security Proof: Reduction

  15. Main result. Theorem: W-OTS+ is strongly unforgeable under chosen message attacks if F is a 2nd-preimage resistant, undetectable one-way function family.

  16. EU-CMA for OTS. [Figure: game diagram] The challenger holds SK and sends (PK, 1^n). The adversary submits one message M to SIGN and receives (σ, M); it then outputs (σ*, M*). Success if M* ≠ M and Verify(pk, σ*, M*) = Accept.

  17. Intuition
      Oracle response: (σ, M); M → (b_1, …, b_l)
      Forgery: (σ*, M*); M* → (b_1*, …, b_l*)
      Observations:
      • … because of checksum
      • c^{w-1-b*_α}(σ*_α) = pk_α = c^{w-1-b_α}(σ_α), because of verification
      Adversary "quasi-inverted" chain c.
      [Figure: the chain c^0(sk_α) = sk_α → … → σ_α → … → pk_α; σ*_α lies on the same chain and reaches the same pk*_α = pk_α; positions marked ? are unknown values]

  18. Intuition, cont'd
      Oracle response: (σ, M); M → (b_1, …, b_l)
      Forgery: (σ*, M*); M* → (b_1*, …, b_l*)
      Observations: Adversary "quasi-inverted" chain c.
      Pigeon hole principle: [Figure: the chain c^0(sk_α) = sk_α → … → σ_α → … → pk_α with randomization elements r_i; at some position β the chain continued from σ*_α meets the original chain, yielding either a second-preimage or a preimage]

  19. Conclusion. We … tightened the security proof … → allows for smaller signatures … (… achieve stronger security). It makes sense to tighten security proofs! Take-home message: hash-based signatures are practical.

  20. Thank you!
