1 / 46

(To be) standardized hash-based signature schemes

Explore Merkle and Lamport OTS schemes, Winternitz-OTS, security risks of quantum computing, and Tweakable Hash Functions for multi-tree MSS. Understand the impact on RSA, DSA, DH, and key generations based on SHA-2. Stay ahead with CFRG standardizations.

colemannancy
Download Presentation

(To be) standardized hash-based signature schemes

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. (To be) standardized hash-based signature schemes Andreas HülsingEindhoven University of Technology SSR 2018

  2. The quantum threat • Shor’s algorithm breaks RSA, (EC)DSA, (EC)DH,… • Grover’s algorithm asymptotically reduces complexity of brute-force search attacks by a square-root factor. https://huelsing.net

  3. Why care today • EU launched a one billion Euro project on quantum technologies • Similar range is spent in China • US administration passed a bill on spending $1.275 billion US dollar on quantum computing research • Google, IBM, Microsoft, Alibaba, and others run their own research programs. https://huelsing.net

  4. It‘s a question of risk assessment https://huelsing.net

  5. Long-lived systems • Development time easily 10+ years • Lifetime easily 10+ years • At least make sure you got a secure update channel! https://huelsing.net

  6. Merkle‘s hash-based signatures [Lam79,Mer89] https://huelsing.net

  7. Basic Construction https://huelsing.net

  8. Lamport OTS [Lam79] Message M = b1,…,bm, OWF H = n bit SK PK Sig * sk1,0 • sk1,1 skm,0 • skm,1 H H H H H H Mux Mux Mux bm b1 b2 pk1,0 • pk1,1 pkm,0 • pkm,1 sk1,b1 • skm,bm https://huelsing.net

  9. Merkle’s Hash-based Signatures PK SIG = (i=2, , , , , ) H OTS OTS OTS OTS OTS OTS OTS OTS OTS H H H H H H H H H H H H H H SK https://huelsing.net

  10. Winternitz-OTS https://huelsing.net

  11. Lamport-OTS in MSS SIG = (i=2, , , , , ) Verification: 1. Verify 2. Verify authenticity of We can do better! https://huelsing.net

  12. WOTS in MSS X SIG = (i=2, , , , , ) Verification: 1. Compute from 2. Verify authenticity of Steps 1 + 2 together verify https://huelsing.net

  13. Function chains Hash function Parameter Chain: i-times c0(x) = x https://huelsing.net

  14. WOTS Winternitz parameter w (usually a power of 2), security parameter n, message length m, hash function Key Generation: Compute , sample pk1= cw-1(sk1) c0(sk1) = sk1 c1(sk1) c1(skl ) pkl= cw-1(skl ) c0(skl ) = skl https://huelsing.net

  15. WOTS Signature generation M b1 b2 b3 b4 … … … … … … … bm‘ bm‘+1 bm‘+2 … … bl pk1= cw-1(sk1) c0(sk1) = sk1 C σ1=cb1(sk1) Signature: σ = (σ1, …,σl) pkl= cw-1(skl ) c0(skl ) = skl σl=cbl(skl) https://huelsing.net

  16. WOTS Signature Verification • Verifier knows: M, w b1 b2 b3 b4 … … … … … … … bm‘ bm‘+1 bl1+2 … … bl (σ1) pk1 (σ1) =? σ1 (σ1) (σ1) Signature: σ = (σ1, …,σl) pkl =? (σl) σl https://huelsing.net

  17. Multi-Tree MSS https://huelsing.net

  18. Multi-Tree MSS Uses multiple layers of trees to reduce key generation time -> Key generation(= Building first tree on each layer) (2h) → (d*2h/d) -> Worst-case signing times(h/2) → (h/2d) -> Increases signature size by d-1 one-time signatures https://huelsing.net

  19. Standardization in CFRG(adoption by NIST announced) https://huelsing.net

  20. Competing proposals in IRTF‘s CFRG XMSS (RFC 8391) LMS (draft-mcgrew-hash-sigs-13) WOTS + MSS + Multi-tree(WOTS-LM + LMS + HSS=MT) w = 2, 4, 16, 256 h = 5, 10, 15, 20, 25 6 HSS combinations with two trees of independent height Only SHA2-256 • WOTS + MSS + Multi-tree(WOTS-T + XMSS-T + MT) • w = 16 • h = 10, 16, 20 • 8 MT (h,d) combinations (trees on all layers have same height) • SHA2-256 required; SHA2-512, SHAKE-128, SHAKE-256 optional https://huelsing.net

  21. Intermezzo: Multi-target attacks • WOTS & Lamport need hash function to be one-way • Multi-tree of total height 60 with WOTS (w=16) leads images. • Inverting one of them allows existential forgery (at least massively reduces complexity) • q-query brute-force succeeds with probability conventional and quantum • We loose 66 bits of security! (33 bits quantum) https://huelsing.net

  22. New abstraction: Tweakable Hash Function • Mitigation: Separate targets • Common approach: • In addition to hash function and „input“ take • Hash „Address“ (uniqueness in key pair) • Hash „key“ used for all hashes of one key pair (uniqueness among key pairs) • Tweakable Hash Function:PP: Public parametersTW: TweakMSG: MessageMD: Message Digest https://huelsing.net

  23. Security of tweakable hashes • Necessary notion: Single-function multi-target-collision resistance for distinct tweaks • Intuition: • Adversary gets black box access to for random PP. • Adversary can adapatively query with restriction to use each tweak only once. • Adversary receives PP and has to find second-preimage for one of its previous queries (such that PP and TW are the same). • For length-preserving case: A property to guarantees that a preimage finder outputs a „new preimage“. E.g., assume that T is almost regular. (Subject of ongoing research) https://huelsing.net

  24. Instantiating the tweakable hash (for SHA2) XMSS LMS MD = SHA2(PP||TW||MSG) QROM proof assuming SHA2 is QRO ROM proof assuming SHA2 compression function is RO Proofs are essentially tight • K = SHA2(pad(PP)||TW),BM = SHA2(pad(PP)||TW+1),MD=SHA2(pad(K)||MSG BM) • Standard model proof if K & BM were random, • (Q)ROM proof when generating K & BM as above (modeling those SHA2 invocations as RO) • Tight proof is currently under revision https://huelsing.net

  25. Instantiating the tweakable hash • LMS is factor 3 faster but leads to slightly larger signatures at same security level • LMS makes somewhat stronger assumptions about the security properties of the used hash function • More research on direct constructions needed https://huelsing.net

  26. Stateless hash based signaturesSPHINCS

  27. About the statefulness • Works great for some settings • However.... ... back-up ... multi-threading ... load-balancing https://huelsing.net

  28. How to Eliminate the State https://huelsing.net

  29. SPHINCS (2015) • Stateless Scheme • XMSSMT + HORST + (pseudo-)random index • Collision-resilient • Deterministic signing • SPHINCS-256: • 128-bit post-quantum secure • Hundrest of signatures / sec • 41 kb signature • 1 kb keys https://huelsing.net

  30. Few-Time Signature Schemes https://sphincs.org

  31. HORS [RR02] Message M, OWF H, CRHF H’ = n bit Parameters t=2a,k, with m = ka (typical a=16, k=32) SK PK * sk1 • sk2 skt-1 • skt H H H H H H pk1 • pk1 pkt-1 • pkt https://sphincs.org

  32. HORS mapping function * Message M, OWF H, CRHF H’ bit Parameters , with (typical ) M H’ b1 b2 ba bar ik i1 https://sphincs.org

  33. HORS * Message M, OWF H, CRHF H’ bit Parameters , with (typical ) SK PK H’(M) Sig sk1 • sk2 skt-1 • skt H H H H H H pk1 • pk1 pkt-1 • pkt b1 b2 ba ba+1 bka-2 bka-1 bka Mux Mux i1 ik skik ski1 https://sphincs.org

  34. HORS Security • mapped to element index set • Each signature publishes out of secrets • Either break one-wayness or… • r-Subset-Resilience: After seeing index sets for messages , hard to find such that . • Best generic attack: Succr-SSR(A,q) = q(rk/ t)k → Security shrinks with each signature! https://sphincs.org

  35. HORST Using HORS with MSS requires adding PK ( bits) to MSS signature. (SPHINCS-256: ) HORST: Merkle Tree on top of HORS-PK • New PK = Root • Publish Auth-Paths for HORS signature values • PK can be computed from Sig • With optimizations: • E.g. SPHINCS-256: 2 MB →16 KB • Use randomized message hash https://sphincs.org

  36. SPHINCS+ Joint work with Daniel J. Bernstein, Christoph Dobraunig, Maria Eichlseder, Scott Fluhrer, Stefan-Lukas Gazdag, Panos Kampanakis, Stefan Kölbl, Tanja Lange, Martin M. Lauridsen, Florian Mendel, Ruben Niederhagen, Christian Rechberger, Joost Rijneveld, Peter Schwabe https://huelsing.net

  37. SPHINCS+ (our NIST submission) • Strengthened security gives smaller signatures • Collision- and multi-target attack resilient (XMSS tweakable hash) • Fixed length signatures (far easier to compute than Octopus (-> Gravity-SPHINCS)) • Small keys, medium size signatures (lv 3: 17kB) • Sizes can be much smaller if q_sign gets reduced • THE conservative choice https://huelsing.net

  38. FORS (Forest of random subsets) • Parameters t, a = log t, k such that ka = m ... ... ... ... ... https://sphincs.org

  39. Verifiable index selection (and optionally non-deterministic randomness) • SPHINCS: • SPHINCS+: https://sphincs.org

  40. Verifiable index selection Improves FORS security • SPHINCS: Attacks could target „weakest“ HORST key pair • SPHINCS+: Every hash query ALSO selects FORS key pair • Leads to notion of interleaved target subset resilience https://sphincs.org

  41. Instantiations • SPHINCS+-SHAKE256 • SPHINCS+-SHA-256 • SPHINCS+-Haraka https://huelsing.net

  42. Instantiations (small vs fast) https://huelsing.net

  43. Comparison to SPHINCS-128 at same security level https://huelsing.net

  44. Hash-based Signatures in NIST „Competition“ • SPHINCS+ • FORS as few-time signature • XMSS-T tweakable hash • Gravity-SPHINCS • PORS as few-time signature • Requires collision-resistance -> no tweakable hash • (PICNIC) https://huelsing.net

  45. Conclusion • Standardized hash-based signatures are available • Both got their pros & cons (independent comparison would be nice) • If you can deal with state: Please play around (and tell us about) • For stateless • A lot of trade-offs • Need requirements to fine-tune • Further comparison is needed (not easy to compare security) • Fault-attacks (and mitigations) need further attention • Tweakable hash functions • Might be interesting also in other settings • Dedicated constructions would be nice https://huelsing.net

  46. Thank you! Questions? For references, literature & longer lectures see https://huelsing.net https://huelsing.net

More Related