W-OTS+ – Shorter Signatures for Hash-Based Signature Schemes
Andreas Hülsing
24.06.2013 | TU Darmstadt | Andreas Hülsing | 1
Digital Signatures are Important!
Software updates
E-Commerce
… and many others
What if…
IBM 2012: „…optimism about superconducting qubits and the possibilities for a future quantum computer are rapidly growing.“
Post-Quantum Signatures
Based on Lattice, MQ, Coding
Signature and/or key sizes
Runtimes
Secure parameters
[Figure: a multivariate quadratic (MQ) system expressing outputs y_1, y_2, y_3 as quadratic polynomials in the variables x_1, …, x_4; the equations themselves are not recoverable from the extraction]
Hash-based Signature Schemes
[Merkle, Crypto'89]
Hash-based signatures are…
… not only “post-quantum”
… fast, also without HW-acceleration
… strong security guarantees
… forward secure
But…
… signature size ~2-3kB
Hash-based Signatures
[Figure: Merkle tree. Every inner node is a hash h of its two children, the leaves are the one-time signature (OTS) key pairs (SK lives at the leaves), and the root is the public key PK. The signature is SIG = (i, …); the components after the leaf index i are shown only graphically in the figure.]
Winternitz OTS
[Merkle, Crypto'89; Even et al., JoC'96]
[Figure: SIG = (i, …), as in the previous figure]
1. = f( )
2. Trade-off between runtime and signature size, controlled by parameter w
3. Minimal security requirements (PRF) [Buchmann et al., Africacrypt'11]
4. Used in XMSS & XMSS+ [Buchmann et al., PQCrypto'11; Hülsing et al., SAC'12]
WOTS+
"Winternitz-type" OTS
Security based on 2nd-preimage resistance, one-wayness & undetectability of the function family, even for SU-CMA
Tight security reduction w/o collision resistance
[Table residue: comparison of security bounds; the surviving entries read "2 n / w", "~ O(1)" and "2 n", "~ O(1)"; the row and column labels are not recoverable from the extraction]
Allows for more signature compression, i.e. greater w
XMSS with WOTS+
XMSS and XMSS+ on Infineon SLE78 [HBB12]
Function Chain
Use a function family $F_n$.
Previous schemes used $F_n = \{ f_k : \{0,1\}^n \to \{0,1\}^n \mid k \in \{0,1\}^{n'} \}$.
WOTS+: for $w \ge 2$ select $R = (r_1, \dots, r_{w-1})$ with each $r_i \in \{0,1\}^{n'}$, and $k \in \{0,1\}^{n'}$.
Chain: $c^0(x) = x$ and $c^i(x) = f_k(c^{i-1}(x) \oplus r_i)$ for $i = 1, \dots, w-1$, giving $c^1(x), \dots, c^{w-1}(x)$.
WOTS+
Winternitz parameter $w$, security parameter $n$, message length $m$, function family $F_n = \{ f_k : \{0,1\}^n \to \{0,1\}^n \mid k \in \{0,1\}^n \}$
Key Generation: compute $l$, sample $k$, sample $R$.
[Figure: one chain per secret key element: $c^0(sk_1) = sk_1 \to c^1(sk_1) \to \dots \to c^{w-1}(sk_1) = pk_1$, and likewise $c^0(sk_l) = sk_l \to c^1(sk_l) \to \dots \to c^{w-1}(sk_l) = pk_l$]
WOTS+ Signature generation
[Figure: the message $M$ is split into base-$w$ digits $b_1, b_2, b_3, b_4, \dots, b_{l_1}$; the checksum $C$ supplies the remaining digits $b_{l_1+1}, b_{l_1+2}, \dots, b_l$. Each chain is advanced $b_i$ steps: $c^0(sk_i) = sk_i$, $\sigma_i = c^{b_i}(sk_i)$, $pk_i = c^{w-1}(sk_i)$, shown for $i = 1$ and $i = l$.]
Reduction
Main result
Theorem:
W-OTS+ is strongly unforgeable under chosen message attacks if F is a 2nd-preimage resistant, undetectable one-way function family
EU-CMA for OTS
[Figure: the security game. The challenger hands the adversary $PK$ and $1^n$; the adversary sends one message $M$ to the signing oracle SIGN (which holds $SK$) and receives $(\sigma, M)$; finally it outputs $(\sigma^*, M^*)$.]
Success if $M^* \ne M$ and Verify($pk$, $\sigma^*$, $M^*$) = Accept
Intuition
Oracle response: $(\sigma, M)$ with $M \to (b_1, \dots, b_l)$
Forgery: $(\sigma^*, M^*)$ with $M^* \to (b^*_1, \dots, b^*_l)$
Observations:
1. There is an $\alpha \in \{1, \dots, l\}$ such that $b^*_\alpha < b_\alpha$, because of the checksum.
2. $c^{w-1-b^*_\alpha}(\sigma^*_\alpha) = pk_\alpha = c^{w-1-b_\alpha}(\sigma_\alpha)$, because of verification.
The adversary "quasi-inverted" chain $c$.
[Figure: chain $\alpha$ from $c^0(sk_\alpha) = sk_\alpha$ to $pk_\alpha$. The oracle's $\sigma_\alpha$ sits at position $b_\alpha$ and the forged $\sigma^*_\alpha$ at the earlier position $b^*_\alpha$; the values in between are marked "?", and the endpoint recomputed from $\sigma^*_\alpha$ is marked $pk^*_\alpha$ with "!".]
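The key generation, signing and verification steps from the WOTS+ slides, together with observation 1 above (for $M^* \ne M$ some index $\alpha$ has $b^*_\alpha < b_\alpha$), as an added Python example; this is not code from the slides or from the W-OTS+ paper. It assumes constructed parameters (n = 256 bits, w = 16, 256-bit messages), instantiates $f_k$ with SHA-256 over a domain byte, the key and the input (an assumption; the slides only require a member of $F_n$), and uses the usual digit-count formulas $l_1 = \lceil m / \log_2 w \rceil$ and $l_2 = \lfloor \log_2(l_1 (w-1)) / \log_2 w \rfloor + 1$. The function `forgery_index` returns the index $\alpha$ that the checksum argument guarantees.

```python
import hashlib
import math
import secrets

# Toy parameters (constructed for this example): n = 256 bits, w = 16, m = 256-bit messages.
N_BYTES = 32
W = 16
M_BITS = 256
L1 = math.ceil(M_BITS / math.log2(W))                        # 64 message digits
L2 = math.floor(math.log2(L1 * (W - 1)) / math.log2(W)) + 1  # 3 checksum digits
L = L1 + L2                                                  # 67 chains in total


def f(k: bytes, x: bytes) -> bytes:
    """Member f_k of the function family F_n. Instantiation assumed by this example
    (not prescribed by the slides): SHA-256 over a domain byte, the key k and the input x."""
    return hashlib.sha256(b"\x00" + k + x).digest()


def chain(x: bytes, start: int, steps: int, k: bytes, r: list) -> bytes:
    """Randomized WOTS+ chain: starting from c^start(x), apply
    c^i(x) = f_k(c^{i-1}(x) XOR r_i) for i = start+1 .. start+steps.
    r holds (r_1, ..., r_{w-1}) 0-indexed, so r_i is r[i-1]."""
    y = x
    for i in range(start + 1, start + steps + 1):
        y = f(k, bytes(a ^ b for a, b in zip(y, r[i - 1])))
    return y


def base_w(value: int, length: int) -> list:
    """Big-endian base-w digits of value, padded to the given length."""
    digits = []
    for _ in range(length):
        digits.append(value % W)
        value //= W
    return digits[::-1]


def msg_digits(msg: bytes) -> list:
    """Map an m-bit message to (b_1, ..., b_l): the l1 base-w digits of the message
    followed by the l2 base-w digits of the checksum C = sum_i (w - 1 - b_i)."""
    if len(msg) * 8 != M_BITS:
        raise ValueError("message must be exactly m bits")
    b = base_w(int.from_bytes(msg, "big"), L1)
    checksum = sum(W - 1 - bi for bi in b)
    return b + base_w(checksum, L2)


def keygen():
    """Key generation: sample k, R = (r_1, ..., r_{w-1}) and sk_1, ..., sk_l;
    then pk_i = c^{w-1}(sk_i). The public key carries k and R as well."""
    k = secrets.token_bytes(N_BYTES)
    r = [secrets.token_bytes(N_BYTES) for _ in range(W - 1)]
    sk = [secrets.token_bytes(N_BYTES) for _ in range(L)]
    pk = [chain(s, 0, W - 1, k, r) for s in sk]
    return (k, r, sk), (k, r, pk)


def sign(secret_key, msg: bytes) -> list:
    """Signature generation: sigma_i = c^{b_i}(sk_i)."""
    k, r, sk = secret_key
    return [chain(sk[i], 0, bi, k, r) for i, bi in enumerate(msg_digits(msg))]


def verify(public_key, msg: bytes, sig: list) -> bool:
    """Accept iff c^{w-1-b_i}(sigma_i) == pk_i for every i, continuing chain i at position b_i."""
    k, r, pk = public_key
    if len(sig) != L:
        return False
    return all(chain(sig[i], bi, W - 1 - bi, k, r) == pk[i]
               for i, bi in enumerate(msg_digits(msg)))


def forgery_index(queried: bytes, forged: bytes):
    """Observation 1 of the proof intuition: for M* != M there is an index alpha with
    b*_alpha < b_alpha, which the checksum guarantees. Returns the first such 1-based
    alpha, or None when the two messages are equal."""
    b = msg_digits(queried)
    b_star = msg_digits(forged)
    for alpha, (bi, bsi) in enumerate(zip(b, b_star), start=1):
        if bsi < bi:
            return alpha
    return None


if __name__ == "__main__":
    secret, public = keygen()
    m = hashlib.sha256(b"constructed sample message").digest()   # constructed input
    s = sign(secret, m)
    print("valid:", verify(public, m, s))
    print("tampered:", verify(public, bytes([m[0] ^ 1]) + m[1:], s))
```

Swapping `forged` and `queried` in `forgery_index` shows the two cases of the argument: when the forged message has a smaller digit in the message part, that position is returned; when every message digit is at least as large, the checksum of the forgery is strictly smaller and the index lands in the checksum digits.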
Intuition, cont'd
Oracle response: $(\sigma, M)$ with $M \to (b_1, \dots, b_l)$
Forgery: $(\sigma^*, M^*)$ with $M^* \to (b^*_1, \dots, b^*_l)$
Observations: the adversary "quasi-inverted" chain $c$.
Pigeon hole principle: [Figure: chain $\alpha$ from $c^0(sk_\alpha) = sk_\alpha$ through $\sigma_\alpha$ to $pk_\alpha$, with the forged $\sigma^*_\alpha$ at an earlier position. The two chains are compared step by step (randomizers $r_i$, function $f_k$) up to a position $\beta$; the figure marks where a second-preimage and where a preimage of $f_k$ is obtained.]
Conclusion
We …
… tightened security proof …
→ allows for smaller signatures …
(… achieve stronger security)
It makes sense to tighten security proofs!
Take Home Message:
Hash-based signatures are practical