Hash-based Signatures
Andreas Hülsing, Eindhoven University of Technology
Executive School on Post-Quantum Cryptography, July 2019, TU Eindhoven
Post-Quantum Signatures (Lattice, MQ, Coding): issues
• Signature and/or key sizes
• Runtimes
• Secure parameters
02/07/2019 https://huelsing.net
Hash-based Signature Schemes [Mer89]
• Post quantum
• Only need a secure hash function
• Security well understood
• Fast
RSA, DSA, EC-DSA, ... (Figure: a digital signature scheme is built from a cryptographic hash function plus an intractability assumption: RSA, DH, SVP, MQ, ...)
Hash function families
(Hash) function families (aka keyed functions)
One-wayness
Collision resistance
Second-preimage resistance (NEW: decisional version: does a valid response exist?)
Undetectability
Pseudorandomness
Generic security
• "Black box" security (best we can do without looking at internals)
• For hash functions: security of a random function family
• (Often) expressed in #queries (query complexity)
• Hash functions not meeting generic security are considered insecure
Generic Security - OWF
Generic Security (query complexity for an n-bit random function family)
Property | Classical | Quantum
OW       | 2^n       | 2^(n/2)
SPR      | 2^n       | 2^(n/2)
CR       | 2^(n/2)   | 2^(n/3)
UD*      | 2^n       | 2^(n/2)
PRF*     | 2^n       | 2^(n/2)
* conjectured, no proof
Hash-function properties (assumption / attacks), from stronger assumption / easier to break to weaker assumption / harder to break:
1. Collision resistance
2. 2nd-preimage resistance
3. One-wayness
4. Pseudorandomness
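The gap between the collision bound and the (second-)preimage bound can be seen by measurement. The following is an added example, not from the slides: SHA-256 truncated to n bits stands in for an n-bit random function (an assumption about the model, not a claim about SHA-256), and the two generic attacks are run with deterministic query inputs so the counts are reproducible. Expect the birthday search to stop after roughly 2^(n/2) queries and the second-preimage search after roughly 2^n.

```python
"""Empirical query counts for collision vs. second-preimage search on a
truncated hash. Added example: SHA-256 truncated to n_bits models an
n-bit random function family (an assumption for the experiment)."""
import hashlib
from typing import Dict, Tuple


def h_trunc(x: bytes, n_bits: int) -> int:
    """Model of an n-bit random function: the top n_bits of SHA-256(x)."""
    digest = int.from_bytes(hashlib.sha256(x).digest(), "big")
    return digest >> (256 - n_bits)


def enc(i: int) -> bytes:
    """Deterministic query inputs 0, 1, 2, ... so the counts are reproducible."""
    return i.to_bytes(8, "big")


def collision_search(n_bits: int) -> Tuple[int, int, int]:
    """Birthday search: remember every output until one repeats.
    Returns (x1, x2, queries) with x1 != x2 and h(x1) == h(x2).
    Expected ~2^(n/2) queries (generic CR bound)."""
    seen: Dict[int, int] = {}
    i = 0
    while True:
        y = h_trunc(enc(i), n_bits)
        if y in seen:
            return seen[y], i, i + 1
        seen[y] = i
        i += 1


def second_preimage_search(n_bits: int, target: int) -> Tuple[int, int]:
    """Brute force a second preimage of enc(target): try inputs other than
    the target until one collides with it. Expected ~2^n queries (SPR bound)."""
    y0 = h_trunc(enc(target), n_bits)
    queries = 1                       # the query for the target itself
    i = 0
    while True:
        if i != target:
            queries += 1
            if h_trunc(enc(i), n_bits) == y0:
                return i, queries
        i += 1


def compare(n_bits: int, target: int = 12345) -> Dict[str, int]:
    """Run both attacks and return the counts next to the generic bounds."""
    x1, x2, q_cr = collision_search(n_bits)
    x3, q_spr = second_preimage_search(n_bits, target)
    assert x1 != x2 and h_trunc(enc(x1), n_bits) == h_trunc(enc(x2), n_bits)
    assert x3 != target and h_trunc(enc(x3), n_bits) == h_trunc(enc(target), n_bits)
    return {
        "collision_queries": q_cr,
        "second_preimage_queries": q_spr,
        "birthday_bound": 2 ** (n_bits // 2),
        "brute_force_bound": 2 ** n_bits,
    }


if __name__ == "__main__":
    print(compare(16))
```

With n = 16 the collision appears after a few hundred queries while the second preimage needs tens of thousands; raising n by two bits doubles the first count and quadruples the second, which is exactly why a scheme whose security rests on second-preimage resistance rather than collision resistance can use half the hash length for the same security level.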
Attacks on Hash Functions (timeline)
2004: MD5 collisions (theoretical)
2005: SHA-1 collisions (theoretical)
2008: MD5 collisions (practical!)
2017: SHA-1 collisions (practical!)
MD5 & SHA-1: no (second-)preimage attacks!
Basic Construction
Lamport-Diffie OTS [Lam79]
Message M = b_1, ..., b_m; OWF H; all values are n bits.
SK: sk_{i,0}, sk_{i,1} for i = 1, ..., m (2m random n-bit strings)
PK: pk_{i,b} = H(sk_{i,b})
Signature of M: (sk_{1,b_1}, ..., sk_{m,b_m}) (for every bit position i a multiplexer selects the half sk_{i,b_i})
Verification: H(sig_i) = pk_{i,b_i} for all i
EU-CMA for OTS: the adversary gets a single SIGN query.
Security Theorem: If H is one-way then LD-OTS is one-time EU-CMA secure.
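The construction above, as an added example (my own code, not from the slides): SHA-256 is used as the one-way function H, the message bits b_1, ..., b_m are the 256 bits of H(message), and the last function shows why the scheme is strictly one-time: every signature reveals one of the two secrets at each bit position, so after q signatures a bit position is still unforgeable only with probability 2^-q and a fresh target becomes forgeable with probability about (1 - 2^-q)^m.

```python
"""Lamport-Diffie OTS over SHA-256, and the reason it is one-time.
Added example; names and layout are my own, not the slides'."""
import hashlib
import secrets
from typing import List, Optional, Tuple

N = 32                      # n = 256 bits: hash output and secret-value size
M_BITS = 8 * N              # we sign the n-bit digest of the message, so m = n

Key = List[Tuple[bytes, bytes]]


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def message_bits(msg: bytes) -> List[int]:
    """b_1 ... b_m of the slide: the bits of H(msg), most significant first."""
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(M_BITS)]


def ld_keygen() -> Tuple[Key, Key]:
    """sk_{i,0}, sk_{i,1} random; pk_{i,b} = H(sk_{i,b})."""
    sk = [(secrets.token_bytes(N), secrets.token_bytes(N)) for _ in range(M_BITS)]
    pk = [(H(s0), H(s1)) for s0, s1 in sk]
    return sk, pk


def ld_sign(sk: Key, msg: bytes) -> List[bytes]:
    """Signature = (sk_{1,b_1}, ..., sk_{m,b_m}): the multiplexer of the figure."""
    return [sk[i][b] for i, b in enumerate(message_bits(msg))]


def ld_verify(pk: Key, msg: bytes, sig: List[bytes]) -> bool:
    """H(sig_i) must equal pk_{i,b_i} for every bit position."""
    if len(sig) != M_BITS:
        return False
    return all(H(sig[i]) == pk[i][b] for i, b in enumerate(message_bits(msg)))


def forge_from_signatures(signed: List[Tuple[bytes, List[bytes]]],
                          target: bytes) -> Optional[List[bytes]]:
    """Attacker view: collect every revealed sk_{i,b}. If the target's bit
    pattern only uses revealed halves, assemble a valid signature for it
    without knowing the rest of the key. Returns None when some position
    still needs an unrevealed secret (the one-time guarantee)."""
    revealed = {}
    for msg, sig in signed:
        for i, b in enumerate(message_bits(msg)):
            revealed[(i, b)] = sig[i]
    forged = []
    for i, b in enumerate(message_bits(target)):
        if (i, b) not in revealed:
            return None
        forged.append(revealed[(i, b)])
    return forged
```

Signing a second message with the same key is not a "minor misuse": with 24 signatures the forgery below succeeds for practically any target, which is the reason the schemes that follow build a Merkle tree over many one-time keys and track which ones have been used.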
Merkle's Hash-based Signatures (Figure: binary hash tree over the OTS public keys; PK = root; SK = all OTS key pairs; SIG = (i = 2, OTS signature, OTS public key, authentication path).)
Security Theorem: MSS is EU-CMA secure if OTS is a one-time EU-CMA secure signature scheme and H is a random element from a family of collision resistant hash functions.
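The tree part of MSS, as an added example that is not from the slides: building the hash tree over the leaves, extracting the authentication path for leaf i, and recomputing the root on the verifier side. The OTS public keys are stood in by random 32-byte strings (my assumption; any OTS whose public key is a byte string can be plugged in), since the OTS itself is covered elsewhere.

```python
"""Merkle signature scheme skeleton: hash tree over OTS public keys,
authentication path, and root recomputation. Added example; the OTS
public keys are stand-ins (random strings) rather than a real OTS."""
import hashlib
import secrets
from typing import List, Tuple


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def build_tree(leaves: List[bytes]) -> List[List[bytes]]:
    """levels[0] = leaves, levels[h] = [root]; parent = H(left || right)."""
    assert len(leaves) and len(leaves) & (len(leaves) - 1) == 0, "need 2^h leaves"
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([H(prev[j] + prev[j + 1]) for j in range(0, len(prev), 2)])
    return levels


def auth_path(levels: List[List[bytes]], i: int) -> List[bytes]:
    """One node per level: the sibling of the ancestor of leaf i on that level."""
    return [levels[v][(i >> v) ^ 1] for v in range(len(levels) - 1)]


def root_from_path(leaf: bytes, i: int, path: List[bytes]) -> bytes:
    """Verifier side: climb from the leaf; bit v of i says on which side the
    sibling goes."""
    node = leaf
    for v, sibling in enumerate(path):
        node = H(sibling + node) if (i >> v) & 1 else H(node + sibling)
    return node


def mss_keygen(h: int) -> Tuple[List[bytes], bytes, List[List[bytes]]]:
    """SK: the 2^h OTS key pairs (stand-ins here); PK: the root of the tree
    over the hashed OTS public keys."""
    ots_pks = [secrets.token_bytes(32) for _ in range(2 ** h)]
    levels = build_tree([H(pk) for pk in ots_pks])
    return ots_pks, levels[-1][0], levels


def mss_auth(ots_pks: List[bytes], levels: List[List[bytes]], i: int
             ) -> Tuple[int, bytes, List[bytes]]:
    """The (i, pk_OTS, auth path) part of SIG = (i, sigma_OTS, pk_OTS, auth)."""
    return i, ots_pks[i], auth_path(levels, i)


def mss_check_pk(root: bytes, i: int, ots_pk: bytes, path: List[bytes]) -> bool:
    """Verification step 2: is pk_OTS really the i-th leaf under the public root?"""
    return root_from_path(H(ots_pk), i, path) == root
```

The index i is part of the signature for a reason: it fixes the left/right order at every level, so a path that verifies for leaf 5 does not verify for leaf 6, and a forger cannot reuse an honest path with a different OTS key.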
Winternitz-OTS
Recap: LD-OTS [Lam79] (figure as above: sk_{i,0}, sk_{i,1}; pk_{i,b} = H(sk_{i,b}); the signature selects sk_{i,b_i} for every bit b_i of M = b_1, ..., b_m)
LD-OTS in MSS: SIG = (i = 2, OTS signature, OTS public key, authentication path)
Verification:
1. Verify the OTS signature under the OTS public key
2. Verify authenticity of the OTS public key via the authentication path
We can do better!
Trivial Optimization (figure: for every bit position i the signature carries the pair (sig_{i,0}, sig_{i,1}), i.e. the secret half sk_{i,b_i} together with the other public half pk_{i,1-b_i}; the verifier recomputes pk_{i,b_i} = H(sk_{i,b_i}) and so obtains the complete OTS public key from the signature.)
Optimized LD-OTS in MSS: SIG = (i = 2, OTS signature, authentication path); the OTS public key is no longer sent.
Verification:
1. Compute the OTS public key from the OTS signature
2. Verify authenticity of that public key via the authentication path
Steps 1 + 2 together verify the OTS signature.
Let's sort this: a checksum with bad performance!
Optimized LD-OTS
Function chains: c^i(x) = c(c(...c(x)...)) (c applied i times), with c^0(x) = x.
WOTS keys: for i = 1, ..., l, start of chain c^0(sk_i) = sk_i, end of chain pk_i = c^{w-1}(sk_i).
WOTS signature generation: M is mapped to base-w digits b_1, b_2, ..., b_{m'}, followed by the digits b_{m'+1}, ..., b_l of the checksum C. Signature: σ = (σ_1, ..., σ_l) with σ_i = c^{b_i}(sk_i).
WOTS signature verification: the verifier knows M and w, recomputes the digits b_1, ..., b_l (message digits and checksum), and checks c^{w-1-b_i}(σ_i) =? pk_i for i = 1, ..., l.
WOTS Function Chains
WOTS Security
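The chain construction, checksum and verification of the three slides above, as an added example (my code, not the slides'): plain WOTS with c(x) = H(x) and w = 16 over a 256-bit digest, so l1 = 64 message digits and l2 = 3 checksum digits. WOTS+ (used by XMSS) replaces the chain with a keyed, bitmasked one, which this example leaves out. The last function is the attacker's view and shows what the checksum buys: from σ_i = c^{b_i}(sk_i) anyone can move a chain forward, so without the checksum any digit vector that is position-wise larger than the signed one would verify.

```python
"""Winternitz OTS (plain WOTS, chain c(x) = H(x)) with the checksum, and a
check of why the checksum is needed. Added example, not from the slides."""
import hashlib
import secrets
from typing import List, Optional, Tuple

N = 32          # n = 256-bit hash
W = 16          # Winternitz parameter
L1 = 64         # base-16 digits of a 256-bit digest
L2 = 3          # checksum is at most 64 * 15 = 960 < 16^3
L = L1 + L2


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def chain(x: bytes, steps: int) -> bytes:
    """c^steps(x): apply H `steps` times; c^0(x) = x."""
    for _ in range(steps):
        x = H(x)
    return x


def base_w(x: bytes, digits: int) -> List[int]:
    """The low `digits` base-W digits of x (W = 16: nibbles), most significant first."""
    value = int.from_bytes(x, "big")
    return [(value >> (4 * (digits - 1 - j))) & (W - 1) for j in range(digits)]


def encode(msg: bytes) -> List[int]:
    """b_1..b_L1 from H(msg), then the digits of the checksum C = sum(W-1-b_i)."""
    msg_digits = base_w(H(msg), L1)
    checksum = sum(W - 1 - b for b in msg_digits)
    return msg_digits + base_w(checksum.to_bytes(2, "big"), L2)


def keygen() -> Tuple[List[bytes], List[bytes]]:
    sk = [secrets.token_bytes(N) for _ in range(L)]
    pk = [chain(s, W - 1) for s in sk]          # pk_i = c^{w-1}(sk_i)
    return sk, pk


def sign(sk: List[bytes], msg: bytes) -> List[bytes]:
    return [chain(sk[i], b) for i, b in enumerate(encode(msg))]   # sigma_i = c^{b_i}(sk_i)


def verify_digits(pk: List[bytes], digits: List[int], sig: List[bytes]) -> bool:
    """Finish every chain: c^{w-1-b_i}(sigma_i) must equal pk_i."""
    return len(sig) == len(digits) == len(pk) and all(
        chain(sig[i], W - 1 - b) == pk[i] for i, b in enumerate(digits))


def verify(pk: List[bytes], msg: bytes, sig: List[bytes]) -> bool:
    return verify_digits(pk, encode(msg), sig)


def advance_chains(sig: List[bytes], old: List[int], new: List[int]
                   ) -> Optional[List[bytes]]:
    """Attacker: from sigma_i = c^{old_i}(sk_i) compute c^{new_i}(sk_i) for
    every position with new_i >= old_i. Returns None as soon as some digit
    would have to decrease, because that would mean inverting H."""
    if any(n < o for n, o in zip(new, old)):
        return None
    return [chain(s, n - o) for s, o, n in zip(sig, old, new)]
```

The checksum digits make the attack fail for every other message: raising any message digit lowers C, and a smaller integer cannot have all base-w digits at least as large, so at least one chain would have to run backwards.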
XMSS
XMSS
• Tree: uses bitmasks
• Leaves: use a binary tree with bitmasks
• OTS: WOTS+
• Message digest: randomized hashing
• Collision-resilient -> signature size halved
Multi-Tree XMSS
Multi-target attacks
Multi-target attacks
Multi-target attacks: Mitigation
• Mitigation: separate targets [HRS16]
• Common approach: in addition to the hash function description and the "input", take
  • a hash "address" (uniqueness within a key pair)
  • a hash "key" used for all hashes of one key pair (uniqueness among key pairs)
New intermediate abstraction: Tweakable Hash Function
25.09.2020 https://huelsing.net
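What the address and key buy, as an added example (my simulation, not from the slides): SHA-256 truncated to 16 bits models a 16-bit random function (an assumption for the experiment), and q = 256 secret values are hashed once without and once with per-target domain separation, where the "address" is a counter and the "key" a fixed per-key-pair string of my choosing. Against the unseparated targets one candidate is checked against all q of them at once, so a hit is expected after about 2^n / q queries; with address and key in every hash input a candidate only ever tests one target and the expected cost returns to 2^n.

```python
"""Multi-target preimage search with and without domain separation.
Added example: SHA-256 truncated to N_BITS models an n-bit random
function; the address is a counter and the key a fixed string (my
assumptions for the simulation)."""
import hashlib
from typing import Dict, List, Tuple

N_BITS = 16
KEY = b"per-keypair-key"


def h(x: bytes) -> int:
    """n-bit random-function model: top N_BITS of SHA-256(x)."""
    d = int.from_bytes(hashlib.sha256(x).digest(), "big")
    return d >> (256 - N_BITS)


def th(key: bytes, address: int, x: bytes) -> int:
    """Tweakable hash in the style of the mitigation: key and address are
    part of every input, so each target sits in its own domain."""
    return h(key + address.to_bytes(4, "big") + x)


def secrets_for(q: int) -> List[bytes]:
    """q secret inputs; the attacker only sees their images (the targets)."""
    return [b"target-%d" % j for j in range(q)]


def attack_unkeyed(q: int) -> Tuple[int, int]:
    """One candidate per query, checked against all q targets at once.
    Returns (queries, index of the target that was hit)."""
    targets: Dict[int, int] = {h(s): j for j, s in enumerate(secrets_for(q))}
    queries = 0
    i = 0
    while True:
        queries += 1
        y = h(b"guess-%d" % i)
        if y in targets:
            return queries, targets[y]
        i += 1


def attack_separated(q: int) -> Tuple[int, int]:
    """Every candidate must be hashed under one chosen address (the attacker
    cycles through them), so a query only tests a single target.
    Returns (queries, index of the target that was hit)."""
    secs = secrets_for(q)
    targets = {j: th(KEY, j, secs[j]) for j in range(q)}
    queries = 0
    i = 0
    while True:
        queries += 1
        j = i % q
        if th(KEY, j, b"guess-%d" % i) == targets[j]:
            return queries, j
        i += 1


if __name__ == "__main__":
    print("unkeyed:", attack_unkeyed(256), "separated:", attack_separated(256))
```

This is the whole difference between "n-bit hash => n - log2(#hashes) bits of security" and the "n-bit hash => n-bit security" claim of RFC 8391 below: an XMSS key pair with h = 20 and w = 16 exposes millions of chain values, and without the address and key each of them would be a free target for the same brute-force search.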
XMSS in practice
RFC 8391 -- XMSS: eXtended Merkle Signature Scheme
• Protects against multi-target attacks / tight security
• n-bit hash => n-bit security
• Small public key (2n bits)
• At the cost of the (Q)ROM for proving PK compression secure
• Function families based on SHA2 & SHAKE (SHA3)
• Equal to XMSS-T [HRS16] up to the message digest
XMSS / XMSS-T Implementation (C implementation using OpenSSL [HRS16]; Intel(R) Core(TM) i7 CPU @ 3.50 GHz; all using SHA2-256, w = 16 and k = 2; XMSS-T uses the message digest from the Internet-Draft)
Scheme | Sign (ms) | Signature (kB) | Public key (kB) | Secret key (kB) | Bit security classical / quantum | Parameters
XMSS   | 3.24      | 2.8            | 1.3             | 2.2             | 236 / 118                        | h = 20, d = 1
XMSS-T | 9.48      | 2.8            | 0.064           | 2.2             | 256 / 128                        | h = 20, d = 1
XMSS   | 3.59      | 8.3            | -               | 14.6            | 196 / 98                         | h = 60, d = 3
XMSS-T | 10.54     | 8.3            | 0.064           | 14.6            | 256 / 128                        | h = 60, d = 3
(The public-key size of the XMSS h = 60 row did not survive extraction.)
The LMS proposal
Instantiating the tweakable hash (for SHA2)
• XMSS: bitmasked construction (formula not reproduced in this extraction); ROM proof assuming the SHA2 compression function is a RO
• LMS: MD = SHA2(PP || TW || MSG); QROM proof assuming SHA2 is a QRO
• Both proofs are essentially tight
25.09.2020 https://huelsing.net
Instantiating the tweakable hash
• LMS is a factor 3 faster but leads to slightly larger signatures at the same security level
• LMS makes somewhat stronger assumptions about the security properties of the used hash function
• More research on direct constructions needed
SPHINCS
About the statefulness
• Works great for some settings
• However ... back-up ... multi-threading ... load-balancing
How to Eliminate the State
Stateless hash-based signatures [NY89, Gol87, Gol04] (Figure: a tree of OTS key pairs.)
SPHINCS [BHH+15]
• Select index pseudo-randomly
• Use a few-time signature key pair on the leaves to sign messages
• A few index collisions are allowed
• Allows to reduce the tree height
• Use a hypertree: d << h
Few-Time Signature Schemes
Recap: LD-OTS (same construction as above with M = b_1, ..., b_n: sk_{i,0}, sk_{i,1}; pk_{i,b} = H(sk_{i,b}); the signature selects sk_{i,b_i})
HORS [RR02]
Message M, OWF H, CRHF H'; all values n bits. Parameters t = 2^a, k, with m = k·a (typical a = 16, k = 32).
SK: sk_1, ..., sk_t; PK: pk_j = H(sk_j) for j = 1, ..., t.
HORS mapping function: H'(M) = b_1, ..., b_m is split into k chunks of a bits, read as indices i_1, ..., i_k in {1, ..., t}.
HORS signature: (sk_{i_1}, ..., sk_{i_k}) (a multiplexer selects the secret values at the k indices); verification checks H(sig_j) = pk_{i_j} for j = 1, ..., k.
HORS Security
HORST (HORS with trees)
Using HORS with MSS requires adding the HORS PK (t·n bits) to the MSS signature.
HORST: Merkle tree on top of the HORS PK
• New PK = root
• Publish authentication paths for the HORS signature values
• PK can be computed from the signature
• With optimizations: t·n → (k(log t − x + 1) + 2^x)·n
• E.g. SPHINCS-256: 2 MB → 16 kB
• Use a randomized message hash
SPHINCS
• Stateless scheme
• XMSS^MT + HORST + (pseudo-)random index
• Collision-resilient
• Deterministic signing
• SPHINCS-256:
  • 128-bit post-quantum secure
  • Hundreds of signatures per second
  • 41 kB signature
  • 1 kB keys
SPHINCS+: joint work with Jean-Philippe Aumasson, Daniel J. Bernstein, Christoph Dobraunig, Maria Eichlseder, Scott Fluhrer, Stefan-Lukas Gazdag, Panos Kampanakis, Stefan Kölbl, Tanja Lange, Martin M. Lauridsen, Florian Mendel, Ruben Niederhagen, Christian Rechberger, Joost Rijneveld, Peter Schwabe
SPHINCS+ (our NIST submission)
• Strengthened security gives smaller signatures
• Collision- and multi-target attack resilient
• Fixed length signatures
• Small keys, medium size signatures (level 3: 17 kB)
• Sizes can be much smaller if q_sign gets reduced
• The conservative choice
FORS (Forest of random subsets)
• Parameters t, a = log t, k such that k·a = m
• (Figure: k separate trees, one per a-bit chunk of the message digest.)
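The few-time schemes of the HORS slides above and the FORS slide, side by side, as an added example (my code, not the submission's): both are reduced to their set-selection core, i.e. HORST/FORS tree compression is left out, and the parameters are shrunk to t = 256, k = 8 and a 64-bit digest (my choice so that the simulation runs in seconds). HORS draws all k indices from one pool of t secrets; FORS draws index j from its own pool j. The last function signs r messages and then counts how many fresh targets could be forged from the revealed secrets alone, which is the target subset resilience that the security of both schemes rests on.

```python
"""HORS and the FORS core (without the trees on top) with a simulation of
how forgery probability grows with the number of signatures. Added
example; parameters are shrunk (t = 256, k = 8, 64-bit digest)."""
import hashlib
import secrets
from typing import Callable, Dict, Hashable, List, Tuple

A = 8             # t = 2^a
T = 1 << A
K = 8             # m = k * a = 64 digest bits


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def indices(msg: bytes) -> List[int]:
    """H'(M) split into k a-bit chunks i_1 ... i_k."""
    val = int.from_bytes(H(msg)[: K * A // 8], "big")
    return [(val >> (A * (K - 1 - j))) & (T - 1) for j in range(K)]


# A "cell" names one secret value. HORS: one pool of t secrets shared by all
# k positions. FORS: k separate pools, position j may only use pool j.
def hors_cells(msg: bytes) -> List[Hashable]:
    return list(indices(msg))


def fors_cells(msg: bytes) -> List[Hashable]:
    return [(j, i) for j, i in enumerate(indices(msg))]


HORS_ALL: List[Hashable] = list(range(T))
FORS_ALL: List[Hashable] = [(j, i) for j in range(K) for i in range(T)]


def keygen(cells: List[Hashable]) -> Tuple[Dict, Dict]:
    """sk: one random secret per cell; pk: its image under H."""
    sk = {c: secrets.token_bytes(16) for c in cells}
    pk = {c: H(sk[c]) for c in cells}
    return sk, pk


def sign(sk: Dict, cells_of: Callable, msg: bytes) -> List[bytes]:
    return [sk[c] for c in cells_of(msg)]


def verify(pk: Dict, cells_of: Callable, msg: bytes, sig: List[bytes]) -> bool:
    cells = cells_of(msg)
    return len(sig) == K and all(H(s) == pk[c] for s, c in zip(sig, cells))


def forgeable_fraction(cells_of: Callable, r: int, trials: int = 1000) -> float:
    """Sign r fixed messages, then count the fresh targets whose cells are all
    already revealed. Depends only on the index mapping, not on the keys."""
    revealed = set()
    for s in range(r):
        revealed.update(cells_of(b"signed-%d" % s))
    hits = sum(1 for t in range(trials)
               if all(c in revealed for c in cells_of(b"target-%d" % t)))
    return hits / trials


if __name__ == "__main__":
    for r in (1, 8, 64):
        print(r, forgeable_fraction(hors_cells, r), forgeable_fraction(fors_cells, r))
```

With these toy parameters 64 HORS signatures reveal roughly 220 of the 256 secrets and about a third of random targets become forgeable, whereas the same number of FORS signatures leaves the forgery fraction near zero because every position is confined to its own pool; this is also why SPHINCS+ can afford a lower hypertree and fewer signatures per few-time key than SPHINCS.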
Verifiable index selection (and optionally non-deterministic randomness)
Verifiable index selection improves FORS security
• SPHINCS: attacks can target the "weakest" HORST key pair
• SPHINCS+: every hash query also selects the FORS key pair
• Leads to the notion of interleaved target subset resilience
Instantiations (after second round tweaks)
• SPHINCS+-SHAKE256-robust
• SPHINCS+-SHAKE256-simple (NEW!)
• SPHINCS+-SHA-256-robust
• SPHINCS+-SHA-256-simple (NEW!)
• SPHINCS+-Haraka-robust
• SPHINCS+-Haraka-simple (NEW!)
Instantiations (small vs fast)
Hash-based Signatures in the NIST "Competition"
• SPHINCS+
  • FORS as few-time signature
  • XMSS-T tweakable hash
• Gravity-SPHINCS (R.I.P.)
  • PORS as few-time signature
  • Requires collision resistance
  • Vulnerable to multi-target attacks
• (PICNIC)
Signatures via Non-Interactive Proofs: The Case of Fish & Picnic (thanks to the Fish/Picnic team for slides)
Interactive Proofs
ZKBoo
High-Level Approach
• Use LowMC v2 to build a dedicated hash function with a low number of AND gates
• Use ZKBoo to prove knowledge of a preimage
• Use Fiat-Shamir to turn the ZKP into a signature in the ROM (Fish), or
• Use Unruh's transform to turn the ZKP into a signature in the QROM (Picnic)
Conclusion
• If you can live with a state, you have PQ signatures available today with XMSS & LMS
• For stateless we are waiting for NIST to finish: SPHINCS+ & Picnic are in the second round
Thank you! Questions? For references & further literature see https://huelsing.net/wordpress/?page_id=165
Authentication path computation
TreeHash [Mer89]
TreeHash(v, i): computes the node on level v with leftmost descendant L_i.
Public key generation: run TreeHash(h, 0) = root.
(Figure: tree of height h = 3 with levels v = 0, ..., 3 and leaves L_0, L_1, ..., L_7.)
TreeHash(v, i), written out as runnable Python. leaf_calc(j) returns leaf L_j and compute_parent(left, right) hashes two siblings; the stack holds (level, node) pairs so that sibling levels can be compared.

def tree_hash(v, i, leaf_calc, compute_parent):
    stack = []                              # entries: (level, node)
    for j in range(i, i + 2 ** v):          # leaves L_i, ..., L_{i+2^v-1}
        n1 = (0, leaf_calc(j))
        while stack and stack[-1][0] == n1[0]:
            n2 = stack.pop()                # left sibling already on the stack
            n1 = (n1[0] + 1, compute_parent(n2[1], n1[1]))
        stack.append(n1)
    return stack.pop()[1]                   # the single node left on level v
TreeHash (Figure: TreeHash(v, i) covers the leaves L_i, L_{i+1}, ..., L_{i+2^v-1}.)
Efficiency?
Key generation: every node has to be computed once. Cost: 2^h leaves + 2^h − 1 nodes => optimal.
Signature: one node on each level 0 <= v < h. Cost: 2^h − 1 leaves + 2^h − 1 − h nodes. Many nodes are computed many times (e.g. those on level v = h − 1 are computed 2^{h−1} times). -> Not optimal if a state is allowed.
The BDS Algorithm [BDS08]
Motivation (for all tree traversal algorithms)
No storage: signature: compute one node on each level 0 <= v < h. Costs: 2^h − 1 leaf + 2^h − 1 − h node computations. Example: XMSS with SHA2-256 and h = 20 -> approx. 15 min.
Store the whole tree: 2^h · n bits. Example: h = 20, n = 256; storage: 2^28 bits = 32 MB.
Idea: look for a time-memory trade-off!
Use a State
Authentication Paths
Observation 1
The same node in the authentication path is recomputed many times! A node on level v is recomputed for 2^v successive paths.
Idea: keep the authentication path in the state. -> Only the "new" nodes have to be updated.
Result: storage: h nodes; time: ~h leaf + h node computations (average).
But: the worst case is still 2^h − 1 leaf + 2^h − 1 − h node computations! -> Keep in mind. To be solved.
Observation 2
When a new left node in the authentication path is needed, its children have been part of previous authentication paths.
Computing Left Nodes (Figure: the left node on level v = 2 is built from the two children that were in the paths of earlier leaves i.)
Result: storing those nodes, all left nodes can be computed with one node computation per node.
Observation 3
Right child nodes on high levels are the most costly: computing a node on level v requires 2^v leaf and 2^v − 1 node computations.
Idea: store the right nodes on the top k levels during key generation.
Result: storage: 2^k − 2 nodes of n bits; time: ~(h − k) leaf + (h − k) node computations (average).
Still: worst case 2^{h−k} − 1 leaf + 2^{h−k} − 1 − (h − k) node computations!
Distribute Computation
Intuition
Observation:
• For every second signature only one leaf computation
• Average runtime: ~(h − k) leaf + (h − k) node computations
Idea: distribute the computation to achieve the average runtime in the worst case. Focus on distributing the computation of leaves.
TreeHash with Updates, written out as runnable Python: TreeHash.init(v, i) becomes the constructor, TreeHash.update() processes one leaf per call so that the work can be spread over many signatures; leaf_calc and compute_parent are as in TreeHash above.

class TreeHashUpdates:
    def __init__(self, v, i, leaf_calc, compute_parent):
        self.stack = []                         # (level, node) pairs
        self.j, self.j_max = i, i + 2 ** v - 1  # next leaf, last leaf
        self.leaf_calc, self.compute_parent = leaf_calc, compute_parent

    def update(self):
        if self.j <= self.j_max:                # one leaf per update
            n1 = (0, self.leaf_calc(self.j))
            while self.stack and self.stack[-1][0] == n1[0]:
                n2 = self.stack.pop()
                n1 = (n1[0] + 1, self.compute_parent(n2[1], n1[1]))
            self.stack.append(n1)
            self.j += 1

    def finished(self):                         # the level-v node is stack[-1][1]
        return self.j > self.j_max
Distribute Computation: Concept
• Run one TreeHash instance per level 0 <= v < h − k
• Start the computation of the next right node on level v when the current node becomes part of the authentication path
• Use a scheduling strategy to guarantee that nodes are finished in time
• Distribute (h − k)/2 updates per signature among all running TreeHash instances
Distribute Computation: Worst Case Runtime
Before: 2^{h−k} − 1 leaf and 2^{h−k} − 1 − (h − k) node computations.
With distributed computation: (h − k)/2 + 1 leaf and 3(h − k − 1)/2 + 1 node computations.
Additional storage: a single stack of size h − k nodes shared by all TreeHash instances + one node per TreeHash instance = 2(h − k) nodes.
BDS Performance
Storage: n-bit nodes (the node count did not survive extraction)
Runtime: (h − k)/2 + 1 leaf and 3(h − k − 1)/2 + 1 node computations.