Mitigating Multi-Target-Attacks in Hash-based Signatures. Andreas Hülsing, joint work with Joost Rijneveld, Fang Song
A brief motivation
Trapdoor- / identification-scheme-based (PQ-)signatures (lattice, MQ, coding): signature and/or key sizes, runtimes, secure parameters. (5-3-2021, page 3)
Hash-based signature schemes [Mer 89]: post-quantum; only a secure hash function needed; security well understood; fast.
RSA, DSA, EC-DSA, ... (figure): a digital signature scheme is built from an intractability assumption (RSA, DH, SVP, MQ, ...) plus a cryptographic hash function.
Basic Construction
Lamport-Diffie OTS [Lam 79] (figure): message M = b_1, ..., b_m; OWF H with n-bit output. SK: sk_{1,0}, sk_{1,1}, ..., sk_{m,0}, sk_{m,1}. PK: pk_{i,j} = H(sk_{i,j}). Sig: for each message bit b_i a Mux selects sk_{i,b_i}.
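As an added example (my own code, not from the slides), here is the LD-OTS construction of the figure in Python, with SHA-256 standing in for the OWF H. The m = 256 message bits are taken from a SHA-256 digest of the message; that choice, and the n = 256-bit secret values, are assumptions of this example rather than something the slide fixes.

```python
"""Lamport-Diffie one-time signature (LD-OTS) with SHA-256 as the one-way function H."""
import hashlib
import os

N = 32          # n = 256 bit: output length of H in bytes
M = 256         # the message is hashed to m = 256 bits b_1, ..., b_m (assumption of this example)


def H(x: bytes) -> bytes:
    """One-way function H with n-bit output (SHA-256 here)."""
    return hashlib.sha256(x).digest()


def message_bits(msg: bytes) -> list[int]:
    """b_1, ..., b_m: the m bits of the message digest, most significant bit first."""
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(M)]


def lamport_keygen(rng=os.urandom):
    """SK: two random n-bit strings per message bit; PK: their images under H."""
    sk = [(rng(N), rng(N)) for _ in range(M)]            # (sk_{i,0}, sk_{i,1})
    pk = [(H(s0), H(s1)) for s0, s1 in sk]                # (pk_{i,0}, pk_{i,1})
    return sk, pk


def lamport_sign(sk, msg: bytes) -> list[bytes]:
    """The Mux in the figure: reveal sk_{i,b_i} for every message bit b_i."""
    return [sk[i][b] for i, b in enumerate(message_bits(msg))]


def lamport_verify(pk, msg: bytes, sig: list[bytes]) -> bool:
    """Check H(sig_i) == pk_{i,b_i} for every i: one hash evaluation per bit, no trapdoor."""
    if len(sig) != M:
        return False
    return all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, message_bits(msg))))


def exposed_after_two_signatures(msg_a: bytes, msg_b: bytes) -> int:
    """Why the scheme is ONE-time: count the bit positions at which signing both messages
    would reveal both sk_{i,0} and sk_{i,1}, i.e. the positions whose message bits differ."""
    return sum(a != b for a, b in zip(message_bits(msg_a), message_bits(msg_b)))


if __name__ == "__main__":
    sk, pk = lamport_keygen()
    msg = b"constructed sample message"
    sig = lamport_sign(sk, msg)
    print("valid:", lamport_verify(pk, msg, sig))
    print("positions fully exposed by a second signature:",
          exposed_after_two_signatures(msg, b"another message"))
```

The last function is the reason a key pair must never sign twice: every position where the two digests differ hands out both secret values, which is why the scheme is only used as a leaf of a Merkle tree (next slide) with a fresh key pair per signature.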
Merkle's hash-based signatures (figure: PK = root of a hash tree of H nodes built over OTS public keys; SIG = (i=2, …); SK)
Minimizing security assumptions... [BHH+15, BDE+11, BDH 11, DOTV 08, Hül 13, HRB 13]
Hash-function properties, ordered from the stronger assumption (easier to break) to the weaker one (harder to break): collision resistance, second-preimage resistance, one-wayness, pseudorandomness.
Attacks on hash functions (timeline figure, 2004 to 2015): MD5 collisions (theoretical, later practical!), SHA-1 and MD5 & SHA-1 collisions (theoretical). No (second-)preimage attacks!
... and dealing with the consequences [HRS 16]
Multi-target attacks. What is the bit security of a protocol that uses an n = 256-bit hash function and requires one-wayness? 256 bit? Not necessarily!
Multi-target attacks
Formalizing the issue. One-wayness: for any classical q-query A ... Single-function, multi-target one-wayness.
Solution? Use different elements from a function family for each hash. - Makes the problems independent. - Each hash query can only be used for one target!
Multi-function, multi-target OW Seems trivial, right? What about the quantum case? Still trivial?
Results
Implications: → Tight security for MSS that rely on multi-function properties. → New function (key) for each call. → New bitmask too for SPR. → No solution for the message digest, yet (see eTCR).
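To make the bit-security loss of Part I concrete, the following added simulation (my own code, not the authors') measures how many queries a brute-force preimage search needs against p targets, once with a single fixed function f (every query is compared with all targets) and once with a separate family member f_k per target, which is the "different element of the function family for each hash" fix. The 14-bit output length, the 64-bit inputs and the SHA-256 truncation are constructed toy parameters chosen so the search finishes in well under a second; they are not parameters from the slides.

```python
"""Toy measurement of the multi-target loss for one-wayness, and of the keyed
(multi-function) fix under which each hash query can only serve one target."""
import hashlib
import math
import random

N_BITS = 14                   # toy output length (constructed so the search finishes quickly)
MASK = (1 << N_BITS) - 1


def f(x: int) -> int:
    """Single fixed one-way function: SHA-256 truncated to N_BITS."""
    d = hashlib.sha256(x.to_bytes(8, "big")).digest()
    return int.from_bytes(d[:4], "big") & MASK


def f_keyed(key: int, x: int) -> int:
    """Member f_key of a function family: a fresh function (key) for each hash call."""
    d = hashlib.sha256(key.to_bytes(8, "big") + x.to_bytes(8, "big")).digest()
    return int.from_bytes(d[:4], "big") & MASK


def single_function_multi_target(p: int, rng: random.Random) -> int:
    """Queries until a random x hits ANY of p targets y_i = f(x_i).
    One query is compared with all p targets, so the expected work drops to 2^n / p."""
    targets = {f(rng.getrandbits(64)) for _ in range(p)}
    queries = 0
    while True:
        x = rng.getrandbits(64)
        queries += 1
        if f(x) in targets:
            return queries


def multi_function_multi_target(p: int, rng: random.Random) -> int:
    """Same p targets, but y_i = f_{k_i}(x_i) under p distinct public keys k_i.
    A query must fix one key, so it can only be compared with that single target:
    the expected work stays at 2^n regardless of p."""
    targets = [(k, f_keyed(k, rng.getrandbits(64))) for k in range(p)]
    queries = 0
    while True:
        k, y = targets[rng.randrange(p)]     # pick a target, query its function only
        x = rng.getrandbits(64)
        queries += 1
        if f_keyed(k, x) == y:
            return queries


def average_queries(attack, p: int, trials: int, seed: int = 1) -> float:
    """Mean number of queries over `trials` runs; seeded so the measurement is reproducible."""
    rng = random.Random(seed)
    return sum(attack(p, rng) for _ in range(trials)) / trials


def security_loss_bits(p: int = 64, seed: int = 1) -> float:
    """log2 of the work ratio between the two settings: about log2(p) bits are lost
    when one fixed function serves all p targets."""
    single = average_queries(single_function_multi_target, p, 40, seed)
    multi = average_queries(multi_function_multi_target, p, 8, seed)
    return math.log2(multi / single)


if __name__ == "__main__":
    p = 64
    print("single function, %d targets: %.0f queries" % (p, average_queries(single_function_multi_target, p, 40)))
    print("keyed functions, %d targets: %.0f queries" % (p, average_queries(multi_function_multi_target, p, 8)))
    print("estimated loss: %.1f bits (log2(p) = %.0f)" % (security_loss_bits(p), math.log2(p)))
```

With p = 64 targets the single-function search finishes after roughly 2^14 / 64 = 256 queries on average, the keyed search after roughly 2^14, so the estimated loss lands near log2(64) = 6 bits; scaled to n = 256 and the 2^20 or more hash values a Merkle tree exposes, this is exactly the gap between the nominal and the effective bit security that the slides address.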
Part II: Details on hash-based signatures
Winternitz-OTS [Mer 90, BDE+11, Hül 13]
Recap LD-OTS [Lam 79] (figure): message M = b_1, ..., b_m; OWF H with n-bit output. SK: sk_{i,0}, sk_{i,1}; PK: pk_{i,j} = H(sk_{i,j}); Sig: a Mux selects sk_{i,b_i} for each message bit b_i.
LD-OTS in MSS: SIG = (i=2, …, …, …). Verification: 1. Verify … 2. Verify authenticity of … We can do better!
Trivial optimization (figure): message M = b_1, ..., b_m; OWF H with n-bit output. For each bit b_i a Mux selects from sk_{i,0}, sk_{i,1} and pk_{i,0}, pk_{i,1} the pair (sig_{i,0}, sig_{i,1}) that goes into the signature.
Optimized LD-OTS in MSS: SIG = (i=2, …, …, …). Verification: 1. Compute … from … 2. Verify authenticity of … Steps 1 + 2 together verify …
Let's sort this! Checksum with bad performance!
Optimized LD-OTS [Mer 90]
Function chains: c_0(x) = x, ...
WOTS (figure): c_0(sk_1) = sk_1, ..., pk_1 = c_{w-1}(sk_1); ...; c_0(sk_l) = sk_l, c_1(sk_l), ..., pk_l = c_{w-1}(sk_l)
WOTS signature generation (figure): M is split into digits b_1, b_2, b_3, b_4, ..., b_{m'}, followed by checksum digits C = b_{m'+1}, b_{m'+2}, ..., b_l; σ_1 = c_{b_1}(sk_1), ..., σ_l = c_{b_l}(sk_l); signature σ = (σ_1, ..., σ_l).
WOTS signature verification (figure): the verifier knows M and w, recomputes the digits b_1, b_2, b_3, b_4, ..., b_{m'+1}, ..., b_l, continues each chain from σ_i for the remaining w-1-b_i steps and checks pk_1 =? ..., pk_l =? ...; signature σ = (σ_1, ..., σ_l).
WOTS Function Chains
WOTS Security
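The chains, the checksum and the sign/verify steps of the WOTS slides above, as one added runnable Python example (mine, not from the slides). It uses the plain Merkle-style chain c_i(x) = H(c_{i-1}(x)) with SHA-256 as H, w = 16 and a 256-bit message digest, so there are l1 = 64 message digits and l2 = 3 checksum digits; these parameter choices are assumptions of the example, and the per-step keys and bitmasks of WOTS+ are deliberately left out.

```python
"""Winternitz OTS (WOTS) with plain hash chains c_i(x) = H(c_{i-1}(x)) and w = 16,
including the checksum that stops anyone from moving a message digit up its chain."""
import hashlib
import os

N = 32              # n = 256 bit
W = 16              # Winternitz parameter: chains of length w - 1 = 15, digits in base 16
L1 = 64             # 256-bit digest = 64 base-16 message digits b_1 .. b_{l1}
L2 = 3              # checksum digits: max checksum L1 * (W - 1) = 960 < 16^3
L = L1 + L2         # total number of chains l


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def chain(x: bytes, steps: int) -> bytes:
    """c_steps(x): apply H `steps` times; c_0(x) = x."""
    for _ in range(steps):
        x = H(x)
    return x


def base_w(data: bytes, count: int) -> list[int]:
    """Split a byte string into 4-bit digits (base w = 16), most significant first."""
    out = []
    for byte in data:
        out.extend((byte >> 4, byte & 0x0F))
    return out[:count]


def checksum(message_digits: list[int]) -> list[int]:
    """C = sum_i (w - 1 - b_i), written as L2 base-w digits (most significant first).
    Chains only run forward, so anyone can raise a digit b_i of a signed message; but
    raising b_i lowers C, so some checksum digit would have to go backwards through its
    chain, which requires inverting H."""
    c = sum(W - 1 - b for b in message_digits)
    return [(c >> (4 * i)) & 0x0F for i in reversed(range(L2))]


def digits(msg: bytes) -> list[int]:
    """b_1, ..., b_l: message digits followed by checksum digits."""
    b = base_w(H(msg), L1)
    return b + checksum(b)


def wots_keygen(rng=os.urandom):
    sk = [rng(N) for _ in range(L)]               # sk_1 .. sk_l
    pk = [chain(s, W - 1) for s in sk]            # pk_i = c_{w-1}(sk_i)
    return sk, pk


def wots_sign(sk, msg: bytes) -> list[bytes]:
    """sigma_i = c_{b_i}(sk_i)."""
    return [chain(sk[i], b) for i, b in enumerate(digits(msg))]


def wots_verify(pk, msg: bytes, sig: list[bytes]) -> bool:
    """Finish each chain: c_{w-1-b_i}(sigma_i) must equal pk_i."""
    if len(sig) != L:
        return False
    return all(chain(s, W - 1 - b) == pk[i] for i, (s, b) in enumerate(zip(sig, digits(msg))))


if __name__ == "__main__":
    sk, pk = wots_keygen()
    msg = b"constructed sample message"
    sig = wots_sign(sk, msg)
    print("chains:", L, "valid:", wots_verify(pk, msg, sig))
```

Compared with LD-OTS, the public key and signature shrink from 2m and m values to l = 67 values at the cost of up to w-1 = 15 hash evaluations per chain; the three extra checksum chains are the "checksum with bad performance" of the earlier slide, now reduced to a handful of digits.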
eXtended Merkle Signature Scheme (XMSS), joint work with Johannes Buchmann, Erik Dahmen
XMSS. Tree: uses bitmasks. Leaves: use a binary tree with bitmasks. OTS: WOTS+. Message digest: randomized hashing. Collision-resilient -> signature size halved.
Multi-Tree XMSS
XMSS-Draft since -01
XMSS-Draft since -01. Solution: PRG + seed in PK. Security: - Not really standard model. - Natural but new assumption ("Generating the public values using a PRG, the scheme does not get less secure if the seed is published."), - Or ROM.
SPHINCS: practical stateless hash-based signatures, joint work with Daniel J. Bernstein, Daira Hopwood, Tanja Lange, Ruben Niederhagen, Louiza Papachristodoulou, Michael Schneider, Peter Schwabe, Zooko Wilcox O'Hearn
How to Eliminate the State
Protest?
Few-Time Signature Schemes
Recap LD-OTS (figure): message M = b_1, ..., b_n; OWF H with n-bit output. SK: sk_{i,0}, sk_{i,1}; PK: pk_{i,j} = H(sk_{i,j}); Sig: a Mux selects sk_{i,b_i} for each message bit b_i.
HORS [RR 02] (figure): message M, OWF H, CRHF H' with n-bit output. Parameters t = 2^a, k, with m = ka (typical a = 16, k = 32). SK: sk_1, sk_2, ..., sk_{t-1}, sk_t; PK: pk_i = H(sk_i).
HORS mapping function (figure): message M, OWF H, CRHF H' with n-bit output; parameters t = 2^a, k, with m = ka (typical a = 16, k = 32). H'(M) is split into k blocks of a bits (b_1, b_2, ..., b_a, ...), which are read as the indices i_1, ..., i_k.
HORS (figure): message M, OWF H, CRHF H' with n-bit output; parameters t = 2^a, k, with m = ka (typical a = 16, k = 32). SK: sk_1, ..., sk_t; PK: pk_i = H(sk_i). Signing: the a-bit blocks of H'(M) (b_1 ... b_a, b_{a+1} ..., b_{ka-2} b_{ka-1} b_{ka}) give indices i_1, ..., i_k, and a Mux selects sk_{i_1}, ..., sk_{i_k} as the signature.
HORS Security
HORST. Using HORS with MSS requires adding the HORS PK (tn) to the MSS signature. HORST: Merkle tree on top of the HORS PK. • New PK = root. • Publish authentication paths for the HORS signature values. • PK can be computed from Sig. • With optimizations: tn → (k(log t − x + 1) + 2^x) n. • E.g. SPHINCS-256: 2 MB → 16 KB. • Use a randomized message hash.
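An added Python example (mine, not from the slides or from the SPHINCS code) that implements HORS with the mapping function of the previous slides and then HORST on top of it. The Merkle-tree helpers (tree levels, authentication path, root recomputation) are the same structure that Merkle's hash-based signatures in Part I build over OTS public keys, so this one block serves both slides. The toy parameters a = 8, k = 8 (t = 256, m = 64 bits), the use of SHA-256 for both H and H', and the domain tag on H' are assumptions of the example; the "x" optimization of publishing the top tree layers is not implemented, so the signature size corresponds to x = 0.

```python
"""HORS few-time signature and HORST: a Merkle tree over the HORS public key, so the PK
shrinks to one root and the signature carries authentication paths instead of all of pk."""
import hashlib
import os

N = 32                 # n = 256 bit
A, K = 8, 8            # t = 2^a = 256 secret values, k = 8 revealed per signature; m = ka = 64 bits
T = 1 << A


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def hors_indices(msg: bytes) -> list[int]:
    """HORS mapping function: split H'(M) into k blocks of a = 8 bits, each an index in [0, t).
    H' is SHA-256 with a domain tag (an assumption of this example)."""
    return list(hashlib.sha256(b"H'" + msg).digest()[:K])


def hors_keygen(rng=os.urandom):
    sk = [rng(N) for _ in range(T)]          # sk_1 .. sk_t
    pk = [H(s) for s in sk]                  # pk_i = H(sk_i): t*n bytes of public key
    return sk, pk


def hors_sign(sk, msg: bytes) -> list[bytes]:
    """Reveal sk_{i_1}, ..., sk_{i_k}."""
    return [sk[i] for i in hors_indices(msg)]


def hors_verify(pk, msg: bytes, sig: list[bytes]) -> bool:
    return len(sig) == K and all(H(s) == pk[i] for s, i in zip(sig, hors_indices(msg)))


# --- Merkle tree helpers: the same structure Merkle's scheme builds over OTS public keys ---

def merkle_levels(leaves: list[bytes]) -> list[list[bytes]]:
    """levels[0] are the leaves, levels[-1][0] is the root; parent = H(left || right)."""
    levels = [leaves]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([H(prev[i] + prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels


def auth_path(levels, idx: int) -> list[bytes]:
    """Siblings of the nodes on the path from leaf idx to the root."""
    path = []
    for level in levels[:-1]:
        path.append(level[idx ^ 1])
        idx >>= 1
    return path


def root_from_path(leaf: bytes, idx: int, path: list[bytes]) -> bytes:
    """Recompute the root from one leaf and its authentication path."""
    node = leaf
    for sibling in path:
        node = H(node + sibling) if idx & 1 == 0 else H(sibling + node)
        idx >>= 1
    return node


def horst_keygen(rng=os.urandom):
    """HORST public key = root of the tree over the t HORS public values."""
    sk, pk = hors_keygen(rng)
    levels = merkle_levels(pk)
    return sk, levels, levels[-1][0]


def horst_sign(sk, levels, msg: bytes) -> list[tuple[bytes, list[bytes]]]:
    """Each revealed sk_i travels with the authentication path of its leaf pk_i = H(sk_i)."""
    return [(sk[i], auth_path(levels, i)) for i in hors_indices(msg)]


def horst_verify(root: bytes, msg: bytes, sig) -> bool:
    """The verifier recomputes the PK (root) from the signature alone."""
    if len(sig) != K:
        return False
    return all(root_from_path(H(s), i, path) == root
               for (s, path), i in zip(sig, hors_indices(msg)))


def signature_bytes(sig) -> int:
    """Bytes a HORST signature carries: k * (n + a*n), versus t*n for sending the whole HORS PK."""
    return sum(len(s) + sum(len(p) for p in path) for s, path in sig)


if __name__ == "__main__":
    sk, levels, root = horst_keygen()
    msg = b"constructed sample message"
    sig = horst_sign(sk, levels, msg)
    print("valid:", horst_verify(root, msg, sig))
    print("HORST signature bytes:", signature_bytes(sig), "vs HORS PK bytes:", T * N)
```

With these toy parameters the HORST signature is k(a + 1)n = 2304 bytes where shipping the HORS public key would cost tn = 8192 bytes; the slide's formula with x = 0 gives the same k(log t + 1) term, and the 2^x term is what the omitted optimization trades for shorter paths. Like HORS, HORST remains a few-time scheme: every signature reveals k of the t secret values, which is why SPHINCS selects a HORST instance with a (pseudo-)random index and limits how often each instance is used.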
SPHINCS: • Stateless scheme. • XMSS^MT + HORST + (pseudo-)random index. • Collision-resilient. • Deterministic signing. • SPHINCS-256: 128-bit post-quantum secure; hundreds of signatures / sec; 41 kb signature; 1 kb keys.
Thank you! Questions? For references & further literature see https://huelsing.wordpress.com/hash-based-signature-schemes/literature/
(Hash) function families
One-wayness
Collision resistance
Second-preimage resistance
Undetectability
Pseudorandomness