slides - Andreas Hülsing

W-OTS + – Shorter Signatures for

Hash-Based Signature Schemes

Andreas Hülsing

24.06.2013 | TU Darmstadt | Andreas Hülsing | 1

Digital Signatures are Important!

Software updates

E-Commerce

… and many others


What if…

IBM 2012: „…optimism about superconducting qubits and the possibilities for a future quantum computer are rapidely growing .“


Post-Quantum Signatures

Based on Lattice, MQ, Coding

Signature and/or key sizes

Runtimes

Secure parameters y

1

 y

2 y

3 x

1

2  x

1 x

2

 x

1 x

4

 x

3

2



...

 x

2 x

3

 x

2 x

4

 x

3

 x

1



1


Hash-based Signature Schemes

[Merkle, Crypto‘89]

Hash-based signatures are…

… not only “post-quantum”

… fast, also without HW-acceleration

… strong security guarantees

… forward secure

But…

… signature size ~2-3kB


Hash-based Signatures h h h h h h

OTS h

PK h

SIG = ( i , , , , , ) h h h h h h h

OTS OTS


OTS

SK

OTS OTS OTS OTS

Winternitz OTS

[Merkle, Crypto‘89; Even et al., JoC‘96]

SIG = ( i , , , , , )

1. = f( )

2. Trade-off between runtime and signature size, controlled by parameter w

3. Minimal security requirements (PRF)

[Buchmann et al.,Africacrypt’11]

4. Used in XMSS & XMSS+

[Buchmann et al., PQ Crypto’11; Hülsing et al., SAC’12]


WOTS +

 “Winternitz-Type” OTS

 Security based on 2 nd -preimage resistance, one-wayness & undetectability of function family, even for SU-CMA

 Tight security reduction w/o collision resistance

2 n

 w

~



O ( 1 ) 

2 n

~



O ( 1 )

 Allows for more signature compression, i.e. greater w


XMSS with WOTS +

XMSS and XMSS + on Infineon SLE78 [HBB12]


Construction


Function Chain

Use function family F n



Previous schemes used

{ f k

: { 0 , 1 } n 

{ 0 , 1 } n

| k



{ 0 , 1 } n '

}

WOTS +

For w ≥ 2 select R

= (r

1

, …, r w-1

) 

{ 0 , 1 } n '

 w



1

, k



{ 0 , 1 } n ' r i f k c 0 (x) = x c 1 (x)

24.06.2013 | TU Darmstadt | Andreas Hülsing | 11 c w-1 (x)

WOTS +

Winternitz parameter w, security parameter n, message length

m, function family

F n



{ f k

: { 0 , 1 } n 

{ 0 , 1 } n

| k



{ 0 , 1 } n

}

Key Generation: Compute l , sample k , sample R c 0 (sk

1

) = sk

1 pk

1

= c w-1 (sk

1

) c 1 (sk

1

) c 1 (sk l

) c 0 (sk l

) = sk l

24.06.2013 | TU Darmstadt | Andreas Hülsing | 12 pk l

= c w-1 (sk l

)

WOTS + Signature generation

M b

1 b

2 b

3 b

4 … … c 0 (sk

1

) = sk

1

σ

1

=c b1 (sk

1

)

… … … … … b l 1 b l 1+1 b l 1+2

… … b l

C pk

1

= c w-1 (sk

1

) pk l

= c w-1 (sk l

)

σ l

=c b l (sk l

) c 0 (sk l

) = sk l


Security Proof

Reduction


Main result

Theorem:

W-OTS + is strongly unforgeable under chosen message attacks if F is a 2 nd -preimage resistant, undetectable one-way function family


EU-CMA for OTS

PK, 1 n

M

( σ, M)

SK

SIGN

( σ*, M*)


Success if M* ≠ M and

Verify(pk, σ*,M*) = Accept

Intuition

Oracle Response

:

Forgery:

(σ, M); M →(b

1

,…,b l

)

(σ*, M*); M* →(b

1

*,…, b l

*)

Observations:

1.

  

{ 1 ,.., l } s .

th .

2. c w-1-b α* (σ*

α

) = pk

α b

*



 b

 because of checksum

= c w-1-b α (σ

α

), because of verification

Adversary “quasi-inverted” chain c

σ

α c 0 (sk

α

) = sk

α

?

?

?

?

?

?

σ*

α

?

pk

α

!

pk*

α


Intuition, cont‘d

Oracle Response

:

Forgery:

(σ, M);

M →(b

1

,…,b l

)

(σ*, M*);

M* →(b

1

*,…, b l

*)

Observations:

Adversary “quasi-inverted” chain c r i f k Pigeon hole principle:

σ

α

β c 0 (sk

α

) = sk

α

σ*

α second-preimage preimage pk

α


Conclusion

We …

… tightened security proof …

→ allows for smaller signatures …

(… achieve stronger security)

It makes sense to tighten security proofs!

Take Home Message:

Hash-based signatures are practical


Thank you!

slides - Andreas Hülsing

Construction

Security Proof

Thank you!

Related documents

Products

Support

slides - Andreas Hülsing

Construction

Security Proof

Thank you!

Related documents

Add this document to collection(s)

Add this document to saved

Suggest us how to improve StudyLib