1 / 83

Hash-based Signatures

This text explores hash-based signature schemes, including RSA, DSA, and EC-DSA, and their properties such as intractability assumptions, cryptographic hash functions, pseudorandomness, and generic security.

jmcconnell
Download Presentation

Hash-based Signatures

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Hash-based Signatures Andreas Hülsing

  2. Post-Quantum Signatures Lattice, MQ, Coding Signature and/or key sizes Runtimes Secure parameters

  3. Hash-basedSignatureSchemes[Mer89]

  4. RSA – DSA – EC-DSA... Intractability Assumption Cryptographic hash function RSA, DH, SVP, MQ, … Digital signature scheme

  5. Hash function families

  6. (Hash) function families • „efficient“

  7. One-wayness Success if

  8. Collision resistance Success if and )

  9. Second-preimage resistance Success if and

  10. Undetectability If else *

  11. Pseudorandomness If else g *

  12. Generic security • „Black Box“ security (best we can do without looking at internals) • For hash functions: Security of random function family • (Often) expressed in #queries (query complexity) • Hash functions not meeting generic security considered insecure

  13. Generic Security - OWF Classically: • No query: Output random guess • One query: Guess, check, output new guess • q-queries: Guess, check, repeat q-times, output new guess • Query bound: )

  14. Generic Security - OWF Quantum: • More complex • Reduction from quantum search for random • Know lower & upper bounds for quantum search! • Query bound: ) • Upper bound uses variant of Grover (Disclaimer: Currently only proof for )

  15. Generic Security * conjectured, no proof

  16. Hash-function properties stronger / easier to break Collision-Resistance 2nd-Preimage-Resistance Assumption / Attacks Pseudorandom One-way weaker / harder to break

  17. Attacks on Hash Functions MD5 Collisions (theo.) MD5 Collisions (practical!) MD5 & SHA-1 No (Second-) Preimage Attacks! SHA-1 Collisions (theo.) 2004 2005 2008 2015

  18. Basic Construction

  19. Lamport-Diffie OTS [Lam79] Message M = b1,…,bm, OWF H = n bit SK PK Sig * sk1,0 • sk1,1 skm,0 • skm,1 H H H H H H Mux Mux Mux bm b1 b2 pk1,0 • pk1,1 pkm,0 • pkm,1 sk1,b1 • skm,bm

  20. EU-CMA for OTS SIGN Success if and VerifyAccept

  21. Security Theorem: If H is one-way then LD-OTS is one-time eu-cma-secure.

  22. Reduction Input: Set Replace random pki,b sk1,0 • sk1,1 skm,0 • skm,1 H H H H H H pk1,0 • pk1,1 pkm,0 • pkm,1

  23. Reduction Adv. Message: M = b1,…,bm If bi = b return fail else return Sign(M) Input: Set Replace random pki,b ? sk1,0 • sk1,1 skm,0 • skm,1 H H H H H Mux Mux Mux bm b1 b2 pk1,0 • pk1,1 pkm,0 • pkm,1 sk1,b1 • skm,bm

  24. Reduction Forgery: M* = b1*,…,bm*, If bi b return fail Else return Input: Set Choose random pki,b ? sk1,0 • sk1,1 skm,0 • skm,1 H H H H H pk1,0 • pk1,1 pkm,0 • pkm,1

  25. Reduction - Analysis Abort in two cases: 1. bi = bprobability ½ : b is a random bit 2. bi b probability 1 - 1/m: At least one bit has to flip as M* M Reduction succeeds with A‘s success probability times 1/2m.

  26. Merkle’s Hash-based Signatures PK SIG = (i=2, , , , , ) H OTS OTS OTS OTS OTS OTS OTS OTS OTS H H H H H H H H H H H H H H SK

  27. Security Theorem: MSS is eu-cma-secure if OTS is a one-time eu-cma secure signature scheme and H is a random element from a family of collision resistant hash functions.

  28. Reduction Input: • Choose random • Generate key pair using as th OTS public key and • Answer all signature queries using sk or sign oracle (for index ) • Extract OTS-forgery or collision from forgery

  29. Reduction (Step 4, Extraction) Forgery: (AUTH) • If equals OTS pk we used for OTS, we got an OTS forgery. • Can only be used if • Else adversary used different OTS pk. • Hence, different leaves. • Still same root! • Pigeon-hole principle: Collision on path to root.

  30. Winternitz-OTS

  31. Recap LD-OTS [Lam79] Message M = b1,…,bm, OWF H = n bit SK PK Sig * sk1,0 • sk1,1 skm,0 • skm,1 H H H H H H pk1,0 • pk1,1 pkm,0 • pkm,1 • Mux Mux • Mux b1 b2 bn sk1,b1 • skm,bm

  32. LD-OTS in MSS SIG = (i=2, , , , , ) Verification: 1. Verify 2. Verify authenticity of We can do better!

  33. Trivial Optimization Message M = b1,…,bm, OWF H = n bit * SK sk1,0 • sk1,1 skm,0 • skm,1 H H H H H H PK pk1,0 • pk1,1 pkm,0 • pkm,1 Mux Mux Mux Mux bm b1 b1 bm Sig sigm,0 sigm,1 sig1,0 sig1,1

  34. Optimized LD-OTS in MSS X SIG = (i=2, , , , , ) Verification: 1. Compute from 2. Verify authenticity of Steps 1 + 2 together verify

  35. Germans love their „Ordnung“! Message M = b1,…,bm, OWF H SK: sk1,…,skm,skm+1,…,sk2m PK: H(sk1),…,H(skm),H(skm+1),…,H(sk2m) Encode M: M‘ = M||M = b1,…,bm,b1,…,bm(instead ofb1,b1,…,bm,bm) ski , if bi = 1 Sig: sigi = H(ski) , otherwise Checksum with bad performance!

  36. Optimized LD-OTS Message M = b1,…,bm, OWF H SK: sk1,…,skm,skm+1,…,skm+1+log m PK: H(sk1),…,H(skm),H(skm+1),…,H(skm+1+log m) Encode M: M‘ =b1,…,bm, ski , if bi = 1 Sig: sigi = H(ski) , otherwise IF one bi is flipped from 1 to 0, another bj will flip from 0 to 1

  37. Function chains Function family: Parameter Chain: c0(x) = x

  38. WOTS Winternitz parameter w, security parameter n, message length m, function family Key Generation: Compute , sample pk1= cw-1(sk1) c0(sk1) = sk1 c1(sk1) c1(skl) pkl= cw-1(skl) c0(skl) = skl

  39. WOTS Signature generation M b1 b2 b3 b4 … … … … … … … bm‘ bm‘+1 bm‘+2 … … bl pk1= cw-1(sk1) c0(sk1) = sk1 C σ1=cb1(sk1) Signature: σ = (σ1, …,σl) pkl= cw-1(skl) c0(skl) = skl σl=cbl(skl)

  40. WOTS Signature Verification • Verifier knows: M, w b1 b2 b3 b4 … … … … … … … bm‘ bm‘+1 bl1+2 … … bl (σ1) pk1 (σ1) =? σ1 (σ1) (σ1) Signature: σ = (σ1, …,σl) pkl =? σl (σl)

  41. WOTS Function Chains For define and • WOTS: • WOTS$: • WOTS+:

  42. WOTS Security Theorem (informally): W-OTS is strongly unforgeable under chosen message attacks if is a collision resistant family of undetectable one-way functions. W-OTS$is existentially unforgeable under chosen message attacks if is a pseudorandom function family. W-OTS+is strongly unforgeable under chosen message attacks if is a 2nd-preimage resistant family of undetectable one-way functions.

  43. XMSS

  44. XMSS Tree: Uses bitmasks Leafs:Use binary treewith bitmasks OTS: WOTS+ Mesage digest: Randomized hashing Collision-resilient -> signature size halved bi

  45. Multi-Tree XMSS Uses multiple layers of trees -> Key generation(= Building first tree on each layer) (2h) → (d*2h/d) -> Allows to reduceworst-case signing times(h/2) → (h/2d)

  46. Authentication path computation

  47. TreeHash(Mer89)

  48. TreeHash • TreeHash(v,i): Computes node on level v with leftmostdescendant Li • Public Key Generation: Run TreeHash(h,0) • L0 L1 L2 L3 . . . L7 = v = h = 3 v = 2 h v = 1 v = 0

  49. TreeHash • TreeHash(v,i) • 1: Init Stack, N1, N2 • 2: For j = i to i+2v-1 do • 3: N1 = LeafCalc(j) • 4: While N1.level() == Stack.top().level() do • 5: N2 = Stack.pop() • 6: N1 = ComputeParent( N2, N1 ) • 7: Stack.push(N1) • 8: Return Stack.pop()

  50. TreeHash TreeHash(v,i) • Li Li+1 . . . Li+2v-1

More Related