1 / 51

Hash-based Signatures

Hash-based Signatures. Andreas Hülsing. Post-Quantum Signatures. Lattice, MQ, Coding Signature and/or key sizes Runtimes Secure parameters. Hash- based Signature Schemes [Mer89]. RSA – DSA – EC-DSA. Intractability Assumption. Cryptographic hash function. RSA, DH, SVP, MQ, ….

pamellat
Download Presentation

Hash-based Signatures

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Hash-based Signatures Andreas Hülsing

  2. Post-Quantum Signatures Lattice, MQ, Coding Signature and/or key sizes Runtimes Secure parameters

  3. Hash-basedSignatureSchemes[Mer89]

  4. RSA – DSA – EC-DSA... Intractability Assumption Cryptographic hash function RSA, DH, SVP, MQ, … Digital signature scheme

  5. (Hash) function families • „efficient“

  6. One-wayness Success if

  7. Collision resistance Success if )

  8. Second-preimage resistance Success if

  9. Undetectability If else *

  10. Pseudorandomness If else g *

  11. Hash-function properties stronger / easier to break Collision-Resistance 2nd-Preimage-Resistance Assumption / Attacks Pseudorandom One-way weaker / harder to break

  12. Attacks on Hash Functions MD5 Collisions (theo.) MD5 Collisions (practical!) MD5 & SHA-1 No (Second-) Preimage Attacks! SHA-1 Collisions (theo.) 2004 2005 2008 2015

  13. Basic Construction

  14. Lamport-Diffie OTS [Lam79] Message M = b1,…,bm, OWF H = n bit SK PK Sig * sk1,0 • sk1,1 skm,0 • skm,1 H H H H H H Mux Mux Mux bm b1 b2 pk1,0 • pk1,1 pkm,0 • pkm,1 sk1,b1 • skm,bm

  15. EU-CMA for OTS SIGN Success if and VerifyAccept 23.09.2013 | TU Darmstadt | Andreas Hülsing| 15

  16. Security Theorem: If H is one-way then LD-OTS is one-time eu-cma-secure.

  17. Reduction Input: Set Replace random pki,b sk1,0 • sk1,1 skm,0 • skm,1 H H H H H H pk1,0 • pk1,1 pkm,0 • pkm,1

  18. Reduction Adv. Message: M = b1,…,bm If bi = b return fail else return Sign(M) Input: Set Replace random pki,b ? sk1,0 • sk1,1 skm,0 • skm,1 H H H H H Mux Mux Mux bm b1 b2 pk1,0 • pk1,1 pkm,0 • pkm,1 sk1,b1 • skm,bm

  19. Reduction Forgery: M* = b1*,…,bm*, If bi b return fail Else return Input: Set Choose random pki,b ? sk1,0 • sk1,1 skm,0 • skm,1 H H H H H pk1,0 • pk1,1 pkm,0 • pkm,1

  20. Reduction - Analysis Abort in two cases: 1. bi = bprobability ½ : b is a random bit 2. bi b probability 1 - 1/m: At least one bit has to flip as M* M Reduction succeeds with A‘s success probability times 1/2m.

  21. Merkle’s Hash-based Signatures PK SIG = (i=2, , , , , ) H OTS OTS OTS OTS OTS OTS OTS OTS OTS H H H H H H H H H H H H H H SK

  22. Security Theorem: MSS is eu-cma-secure if OTS is a one-time eu-cma secure signature scheme and H is a random element from a family of collision resistant hash functions.

  23. Reduction Input: • Choose random • Generate key pair using as th OTS public key and • Answer all signature queries using sk or sign oracle (for index ) • Extract OTS-forgery or collision from forgery

  24. Reduction (Step 4, Extraction) Forgery: (AUTH) • If equals OTS pk we used for OTS, we got an OTS forgery. • Can only be used if • Else adversary used different OTS pk. • Hence, different leaves. • Still same root! • Pigeon-hole principle: Collision on path to root.

  25. Winternitz-OTS

  26. Recap LD-OTS [Lam79] Message M = b1,…,bm, OWF H = n bit SK PK Sig * sk1,0 • sk1,1 skm,0 • skm,1 H H H H H H pk1,0 • pk1,1 pkm,0 • pkm,1 • Mux Mux • Mux b1 b2 bn sk1,b1 • skm,bm

  27. LD-OTS in MSS SIG = (i=2, , , , , ) Verification: 1. Verify 2. Verify authenticity of We can do better!

  28. Trivial Optimization Message M = b1,…,bm, OWF H = n bit * SK sk1,0 • sk1,1 skm,0 • skm,1 H H H H H H PK pk1,0 • pk1,1 pkm,0 • pkm,1 Mux Mux Mux Mux bm b1 b1 bm Sig sigm,0 sigm,1 sig1,0 sig1,1

  29. Optimized LD-OTS in MSS X SIG = (i=2, , , , , ) Verification: 1. Compute from 2. Verify authenticity of Steps 1 + 2 together verify

  30. Germans love their „Ordnung“! Message M = b1,…,bm, OWF H SK: sk1,…,skm,skm+1,…,sk2m PK: H(sk1),…,H(skm),H(skm+1),…,H(sk2m) Encode M: M‘ = M||M = b1,…,bm,b1,…,bm(instead ofb1,b1,…,bm,bm) ski , if bi = 1 Sig: sigi = H(ski) , otherwise Checksum with bad performance!

  31. Optimized LD-OTS Message M = b1,…,bm, OWF H SK: sk1,…,skm,skm+1,…,skm+log m PK: H(sk1),…,H(skm),H(skm+1),…,H(skm+log m) Encode M: M‘ =b1,…,bm, ski , if bi = 1 Sig: sigi = H(ski) , otherwise IF one bi is flipped from 1 to 0, another bj will flip from 0 to 1

  32. Function chains Function family: Parameter Chain: c0(x) = x

  33. WOTS Winternitz parameter w, security parameter n, message length m, function family Key Generation: Compute , sample pk1= cw-1(sk1) c0(sk1) = sk1 c1(sk1) c1(skl) pkl= cw-1(skl) c0(skl) = skl

  34. WOTS Signature generation M b1 b2 b3 b4 … … … … … … … bm‘ bm‘+1 bm‘+2 … … bl pk1= cw-1(sk1) c0(sk1) = sk1 C σ1=cb1(sk1) Signature: σ = (σ1, …,σl) pkl= cw-1(skl) c0(skl) = skl σl=cbl(skl)

  35. WOTS Signature Verification • Verifier knows: M, w b1 b2 b3 b4 … … … … … … … bm‘ bm‘+1 bl1+2 … … bl (σ1) pk1 (σ1) =? σ1 (σ1) (σ1) Signature: σ = (σ1, …,σl) pkl =? σl (σl)

  36. WOTS Function Chains For define and • WOTS: • WOTS$: • WOTS+:

  37. WOTS Security Theorem (informally): W-OTS is strongly unforgeable under chosen message attacks if is a collision resistant family of undetectable one-way functions. W-OTS$is existentially unforgeable under chosen message attacks if is a pseudorandom function family. W-OTS+is strongly unforgeable under chosen message attacks if is a 2nd-preimage resistant family of undetectable one-way functions.

  38. XMSS

  39. XMSS Tree: Uses bitmasks Leafs:Use binary treewith bitmasks OTS: WOTS+ Mesage digest: Randomized hashing Collision-resilient -> signature size halved bi

  40. Multi-Tree XMSS Uses multiple layers of trees -> Key generation(= Building first tree on each layer) (2h) → (d*2h/d) -> Allows to reduceworst-case signing times(h/2) → (h/2d)

  41. How to Eliminate the State

  42. Protest?

  43. Few-Time Signature Schemes

  44. Recap LD-OTS Message M = b1,…,bn, OWF H = n bit SK PK Sig * sk1,0 • sk1,1 skn,0 • skn,1 H H H H H H Mux Mux Mux pk1,0 • pk1,1 pkn,0 • pkn,1 b1 b2 bn sk1,b1 • skn,bn

  45. HORS [RR02] Message M, OWF H, CRHF H’ = n bit Parameters t=2a,k, with m = ka (typical a=16, k=32) SK PK * sk1 • sk2 skt-1 • skt H H H H H H pk1 • pk1 pkt-1 • pkt

  46. HORS mapping function Message M, OWF H, CRHF H’ = n bit Parameters t=2a,k, with m = ka (typical a=16, k=32) * M H’ b1 b2 ba bar ik i1

  47. HORS * Message M, OWF H, CRHF H’ = n bit Parameters t=2a,k, with m = ka (typical a=16, k=32) SK sk1 • sk2 skt-1 • skt H H H H H H PK pk1 • pk1 pkt-1 • pkt H’(M) b1 b2 ba ba+1 bka-2 bka-1 bka Mux Mux i1 ik skik ski1

  48. HORS Security • mapped to element index set • Each signature publishes out of secrets • Either break one-wayness or… • r-Subset-Resilience: After seeing index sets for messages , hard to find such that . • Best generic attack: Succr-SSR() = → Security shrinks with each signature!

  49. HORST Using HORS with MSS requires adding PK (tn) to MSS signature. HORST: Merkle Tree on top of HORS-PK • New PK = Root • Publish Authentication Paths for HORS signature values • PK can be computed from Sig • With optimizations: tn→ (k(log t − x + 1) + 2x)n • E.g. SPHINCS-256: 2 MB →16 KB • Use randomized message hash

  50. SPHINCS • Stateless Scheme • XMSSMT + HORST + (pseudo-)random index • Collision-resilient • Deterministic signing • SPHINCS-256: • 128-bit post-quantum secure • Hundrest of signatures / sec • 41 kb signature • 1 kb keys

More Related