Decisional secondpreimage resistance When does SPR imply PRE

Decisional secondpreimage resistance When does SPR imply PRE? Daniel J. Bernstein, Andreas Hülsing

Motivation This work • answers a long standing subtle question about the relation of hash function properties • provides a tool that enables tight security proofs for hash-based signatures 11/29/2019 https: //sphincs. org 2

Cryptographic hash functions • 3

Collision resistance • 4

Second-preimage resistance (SPR) • 5

Security properties: Preimage resistance / One-wayness • 6

Relations Assumption / Attacks Stronger assumption / easier to break weaker assumption/ harder to break 11/29/2019 Collision-Resistance 2 nd-Preimage. Resistance One-way https: //sphincs. org 7

CR implies SPR? • 8

SPR implies PRE? • Where is the problem? 9

Positive result • 11/29/2019 https: //sphincs. org 10

Negative result The identity function demonstrates that SPR cannot generally imply PRE. 11/29/2019 https: //sphincs. org 11

The gap • Exactly the ones we use in hash-based OTS Are we doomed? 11/29/2019 https: //sphincs. org 12

The general case • 11/29/2019 https: //sphincs. org 13

Fooling the reduction • 11/29/2019 https: //sphincs. org 14

Decisional second-preimage resistance to the rescue! • 11/29/2019 https: //sphincs. org 15

11/29/2019 https: //sphincs. org 16

Some intuition about DSPR • 11/29/2019 https: //sphincs. org 17

Some intuition about DSPR • 11/29/2019 https: //sphincs. org 18

DSPR at work • 11/29/2019 https: //sphincs. org 19

Application to hash-based signatures • Variants of this naturally arise in security proof of WOTS, and L-OTS 11/29/2019 https: //sphincs. org 20

• Reduction loss of 1/T! 11/29/2019 https: //sphincs. org 21

Multi-target DSPR 11/29/2019 https: //sphincs. org 22

• 11/29/2019 https: //sphincs. org 23

More in paper • 11/29/2019 https: //sphincs. org 24

Questions? Paper(s) available at https: //sphincs. org/resources. html 11/29/2019 https: //sphincs. org 25