Decisional secondpreimage resistance When does SPR imply PRE
- Slides: 25
Decisional secondpreimage resistance When does SPR imply PRE? Daniel J. Bernstein, Andreas Hülsing
Motivation This work • answers a long standing subtle question about the relation of hash function properties • provides a tool that enables tight security proofs for hash-based signatures 11/29/2019 https: //sphincs. org 2
Cryptographic hash functions • 3
Collision resistance • 4
Second-preimage resistance (SPR) • 5
Security properties: Preimage resistance / One-wayness • 6
Relations Assumption / Attacks Stronger assumption / easier to break weaker assumption/ harder to break 11/29/2019 Collision-Resistance 2 nd-Preimage. Resistance One-way https: //sphincs. org 7
CR implies SPR? • 8
SPR implies PRE? • Where is the problem? 9
Positive result • 11/29/2019 https: //sphincs. org 10
Negative result The identity function demonstrates that SPR cannot generally imply PRE. 11/29/2019 https: //sphincs. org 11
The gap • Exactly the ones we use in hash-based OTS Are we doomed? 11/29/2019 https: //sphincs. org 12
The general case • 11/29/2019 https: //sphincs. org 13
Fooling the reduction • 11/29/2019 https: //sphincs. org 14
Decisional second-preimage resistance to the rescue! • 11/29/2019 https: //sphincs. org 15
11/29/2019 https: //sphincs. org 16
Some intuition about DSPR • 11/29/2019 https: //sphincs. org 17
Some intuition about DSPR • 11/29/2019 https: //sphincs. org 18
DSPR at work • 11/29/2019 https: //sphincs. org 19
Application to hash-based signatures • Variants of this naturally arise in security proof of WOTS, and L-OTS 11/29/2019 https: //sphincs. org 20
• Reduction loss of 1/T! 11/29/2019 https: //sphincs. org 21
Multi-target DSPR 11/29/2019 https: //sphincs. org 22
• 11/29/2019 https: //sphincs. org 23
More in paper • 11/29/2019 https: //sphincs. org 24
Questions? Paper(s) available at https: //sphincs. org/resources. html 11/29/2019 https: //sphincs. org 25