slides - Andreas Hülsing


W-OTS+ – Shorter Signatures for
Hash-Based Signature Schemes
Andreas Hülsing
24.06.2013 | TU Darmstadt | Andreas Hülsing | 1
Digital Signatures are Important!
Software updates
E-Commerce
… and many others
What if…
IBM 2012: "… optimism about superconducting qubits and the possibilities for a future quantum computer are rapidly growing."
Post-Quantum Signatures
Based on Lattice, MQ, Coding
[Figure: example of an MQ system: y1 = x1² + x1·x2 + x1·x4 + x3, y2 = x3² + x2·x3 + x2·x4 + x1 + 1, y3 = …]
Signature and/or key sizes
Runtimes
Secure parameters
Hash-based Signature Schemes [Merkle, Crypto'89]
Hash-based signatures are …
… not only "post-quantum"
… fast, also without HW acceleration
… strong security guarantees
… forward secure
But …
… signature size ~2-3 kB
Hash-based Signatures
[Figure: Merkle tree with root PK, inner nodes h, and one OTS key pair per leaf; SIG = (i, …); SK]
Winternitz OTS [Merkle, Crypto'89; Even et al., JoC'96]
1. [Figure: chains built by iterating f; SIG = (i, …)]
2. Trade-off between runtime and signature size, controlled by parameter w
3. Minimal security requirements (PRF) [Buchmann et al., Africacrypt'11]
4. Used in XMSS & XMSS+ [Buchmann et al., PQ Crypto'11; Hülsing et al., SAC'12]
WOTS+
- "Winternitz-type" OTS
- Security based on 2nd-preimage resistance, one-wayness & undetectability of the function family, even for SU-CMA
- Tight security reduction w/o collision resistance: security level ~2^(n-w-O(1)) → ~2^(n-O(1))
- Allows for more signature compression, i.e. greater w
XMSS with WOTS+
XMSS and XMSS+ on Infineon SLE78 [HBB12]
Construction
Function Chain
Use function family F_n = { f_k : {0,1}^n → {0,1}^n | k ∈ {0,1}^n' }
Previous schemes used: [Figure: chain c^0(x) = x, c^1(x), …, c^(w-1)(x), each step applying f_k]
WOTS+: For w ≥ 2 select R = (r_1, …, r_(w-1)) ∈ {0,1}^(n'(w-1)), k ∈ {0,1}^n'
[Figure: chain c^0(x) = x, c^1(x), …, c^(w-1)(x), where step i XORs r_i into the previous value before applying f_k]
WOTS+
Winternitz parameter w, security parameter n, message length m, function family F_n = { f_k : {0,1}^n → {0,1}^n | k ∈ {0,1}^n }
Key Generation: Compute l, sample k, sample R
[Figure: l chains; c^0(sk_i) = sk_i, c^1(sk_i), …, pk_i = c^(w-1)(sk_i) for i = 1, …, l]
WOTS+ Signature generation
[Figure: M → (b_1, b_2, b_3, b_4, …, b_l1); checksum C → (b_(l1+1), b_(l1+2), …, b_l); σ_i = c^(b_i)(sk_i), with each chain running from c^0(sk_i) = sk_i to pk_i = c^(w-1)(sk_i) for i = 1, …, l]
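A toy WOTS+ implementation of the chain construction, key generation and signing steps above, added here as an example; it is not code from the slides or from the author. It assumes SHA-256 keyed by prefixing k as a stand-in for the function family F_n, and constructed parameters n = 32 bytes, w = 16, m = 256 bits (so l1 = 64, l2 = 3, l = 67).

```python
import hashlib
import math
import os

# Constructed toy parameters: 32-byte chain values, w = 16, 256-bit messages
N, W, M_BITS = 32, 16, 256
LOG_W = int(math.log2(W))
L1 = math.ceil(M_BITS / LOG_W)                         # message digits
L2 = math.floor(math.log2(L1 * (W - 1)) / LOG_W) + 1   # checksum digits
L = L1 + L2

def f(k: bytes, x: bytes) -> bytes:
    """Stand-in for f_k from F_n (assumption: SHA-256 over k || x)."""
    return hashlib.sha256(k + x).digest()[:N]

def chain(x: bytes, start: int, steps: int, k: bytes, R: list) -> bytes:
    """Walk from c^start(x) to c^(start+steps)(x): XOR r_i in, then apply f_k."""
    for i in range(start + 1, start + steps + 1):
        x = f(k, bytes(a ^ b for a, b in zip(x, R[i - 1])))  # r_i = R[i-1]
    return x

def base_w(msg: bytes) -> list:
    """Digits b_1..b_l1 of M in base w, followed by checksum digits b_(l1+1)..b_l."""
    assert len(msg) * 8 == M_BITS
    bits = int.from_bytes(msg, "big")
    b = [(bits >> (LOG_W * (L1 - 1 - j))) & (W - 1) for j in range(L1)]
    C = sum(W - 1 - bi for bi in b)  # checksum grows when message digits shrink
    return b + [(C >> (LOG_W * (L2 - 1 - j))) & (W - 1) for j in range(L2)]

def keygen(rng=os.urandom):
    """Sample k, R and the l secret chain starts; pk_i = c^(w-1)(sk_i)."""
    k, R = rng(N), [rng(N) for _ in range(W - 1)]
    sk = [rng(N) for _ in range(L)]
    pk = [chain(s, 0, W - 1, k, R) for s in sk]
    return (k, R, sk), (k, R, pk)

def sign(sk_full, msg: bytes) -> list:
    """sigma_i = c^(b_i)(sk_i) for the digits of the message plus checksum."""
    k, R, sk = sk_full
    return [chain(sk[i], 0, b_i, k, R) for i, b_i in enumerate(base_w(msg))]

def verify(pk_full, sig: list, msg: bytes) -> bool:
    """Finish each chain with the remaining w-1-b_i steps and compare to pk_i."""
    k, R, pk = pk_full
    b = base_w(msg)
    return all(chain(sig[i], b[i], W - 1 - b[i], k, R) == pk[i] for i in range(L))
```

Note that a forgery for a second message M* ≠ M always needs some digit b*_α < b_α (the checksum guarantees it), which is the observation the security proof below builds on.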
Security Proof
Reduction
Main result
Theorem: W-OTS+ is strongly unforgeable under chosen message attacks if F is a 2nd-preimage resistant, undetectable one-way function family
EU-CMA for OTS
[Figure: the challenger generates (PK, SK) on input 1^n and hands PK to the adversary; the adversary sends one message M to SIGN (which holds SK) and receives (σ, M); it finally outputs a forgery (σ*, M*)]
Success if M* ≠ M and Verify(pk, σ*, M*) = Accept
Intuition
Oracle Response: (σ, M); M → (b_1, …, b_l)
Forgery: (σ*, M*); M* → (b_1*, …, b_l*)
Observations:
1. ∃ α ∈ {1, …, l} s.th. b_α* < b_α because of checksum
2. c^(w-1-b_α*)(σ_α*) = pk_α = c^(w-1-b_α)(σ_α), because of verification
Adversary "quasi-inverted" chain c
[Figure: chain α from c^0(sk_α) = sk_α through σ_α* and σ_α to pk_α; the intermediate values of the honest and the forged chain are marked "=?", and the forged chain ends at pk_α* = pk_α]
Intuition, cont'd
Oracle Response: (σ, M); M → (b_1, …, b_l)
Forgery: (σ*, M*); M* → (b_1*, …, b_l*)
Observations: Adversary "quasi-inverted" chain c
Pigeon hole principle: [Figure: chain α from c^0(sk_α) = sk_α via σ_α* and σ_α to pk_α, with r_i XORed in before each f_k; at some position β the forged and the honest chain either collide, giving a second-preimage for f_k, or the forged value gives a preimage]
Conclusion
We …
… tightened security proof …
→ allows for smaller signatures …
(… achieve stronger security)
It makes sense to tighten security proofs!
Take Home Message:
Hash-based signatures are practical
Thank you!