hash-based signatures: an outline for a new standard
TRANSCRIPT
![Page 1: Hash-based Signatures: An outline for a new standard](https://reader031.vdocument.in/reader031/viewer/2022012002/61d8ed9ac1e1b0331b634b53/html5/thumbnails/1.jpg)
Hash-based Signatures: An outline for a new standard
A. Hülsing, D. Butin, S.-L. Gazdag
![Page 2: Hash-based Signatures: An outline for a new standard](https://reader031.vdocument.in/reader031/viewer/2022012002/61d8ed9ac1e1b0331b634b53/html5/thumbnails/2.jpg)
Hash-based Signatures: An outline for a new standard
A. Hülsing, D. Butin, S.-L. Gazdag
![Page 3: Hash-based Signatures: An outline for a new standard](https://reader031.vdocument.in/reader031/viewer/2022012002/61d8ed9ac1e1b0331b634b53/html5/thumbnails/3.jpg)
XMSS: Extended Hash-Based Signatures
(draft-huelsing-cfrg-hash-sig-xmss)
A. Hülsing, D. Butin, S.-L. Gazdag, A. Mohaisen
![Page 4: Hash-based Signatures: An outline for a new standard](https://reader031.vdocument.in/reader031/viewer/2022012002/61d8ed9ac1e1b0331b634b53/html5/thumbnails/4.jpg)
Hash-based Signature Schemes[Mer89]
24-3-2015 PAGE 3
Only secure hash function
Security well understood
Post quantum
Fast
![Page 5: Hash-based Signatures: An outline for a new standard](https://reader031.vdocument.in/reader031/viewer/2022012002/61d8ed9ac1e1b0331b634b53/html5/thumbnails/5.jpg)
Security
30-3-2015 PAGE 4
Intractability assumption
Digital signature scheme
Collision resistant hash function
![Page 6: Hash-based Signatures: An outline for a new standard](https://reader031.vdocument.in/reader031/viewer/2022012002/61d8ed9ac1e1b0331b634b53/html5/thumbnails/6.jpg)
Post-Quantum Security
n-bit hash function
Grover‘96:
Preimage finding 𝑶(𝟐𝒏) → 𝑶(𝟐𝒏
𝟐)
Brassard et al. 1998:
Collision finding 𝑶(𝟐𝒏
𝟐) → 𝑶(𝟐𝒏
𝟑)
Aaronson & Shi’04:
Quantum collision finding 𝟐𝒏
𝟑 is lower bound
30-3-2015 PAGE 5
![Page 7: Hash-based Signatures: An outline for a new standard](https://reader031.vdocument.in/reader031/viewer/2022012002/61d8ed9ac1e1b0331b634b53/html5/thumbnails/7.jpg)
Advanced Applications
• Forward Secure Signatures• Security of old signatures after key compromise
• Delegatable / Proxy Signatures• Securely delegate signing rights
→ Require specific pseudorandom key gen
31-3-2015 PAGE 6
![Page 8: Hash-based Signatures: An outline for a new standard](https://reader031.vdocument.in/reader031/viewer/2022012002/61d8ed9ac1e1b0331b634b53/html5/thumbnails/8.jpg)
Merkle’s Hash-based Signatures
30-3-2015 PAGE 7
OTS OTS OTS OTS OTS OTS OTSOTS
![Page 9: Hash-based Signatures: An outline for a new standard](https://reader031.vdocument.in/reader031/viewer/2022012002/61d8ed9ac1e1b0331b634b53/html5/thumbnails/9.jpg)
Merkle’s Hash-based Signatures
30-3-2015 PAGE 8
OTS OTS OTS OTS OTS OTS OTS
HH H H H H H H
H H H H
H H
H
PK
OTS
![Page 10: Hash-based Signatures: An outline for a new standard](https://reader031.vdocument.in/reader031/viewer/2022012002/61d8ed9ac1e1b0331b634b53/html5/thumbnails/10.jpg)
Merkle’s Hash-based Signatures
30-3-2015 PAGE 9
OTS OTS OTS OTS OTS OTS OTS
HH H H H H H H
H H H H
H H
H
PK
OTS
![Page 11: Hash-based Signatures: An outline for a new standard](https://reader031.vdocument.in/reader031/viewer/2022012002/61d8ed9ac1e1b0331b634b53/html5/thumbnails/11.jpg)
Merkle’s Hash-based Signatures
30-3-2015 PAGE 10
OTS OTS OTS OTS OTS OTS OTS
HH H H H H H H
H H H H
H H
H
PK
OTS
SK
![Page 12: Hash-based Signatures: An outline for a new standard](https://reader031.vdocument.in/reader031/viewer/2022012002/61d8ed9ac1e1b0331b634b53/html5/thumbnails/12.jpg)
Merkle’s Hash-based Signatures
30-3-2015 PAGE 11
OTS OTS OTS OTS OTS OTS OTS
HH H H H H H H
H H H H
H H
H
PK
SIG = (i=2, , , , , )
OTS
SK
![Page 13: Hash-based Signatures: An outline for a new standard](https://reader031.vdocument.in/reader031/viewer/2022012002/61d8ed9ac1e1b0331b634b53/html5/thumbnails/13.jpg)
Merkle’s Hash-based Signatures
30-3-2015 PAGE 12
OTS OTS OTS OTS OTS OTS OTS
HH H H H H H H
H H H H
H H
H
PK
SIG = (i=2, , , , , )
OTS
SK
![Page 14: Hash-based Signatures: An outline for a new standard](https://reader031.vdocument.in/reader031/viewer/2022012002/61d8ed9ac1e1b0331b634b53/html5/thumbnails/14.jpg)
Merkle’s Hash-based Signatures
30-3-2015 PAGE 13
OTS OTS OTS OTS OTS OTS OTS
HH H H H H H H
H H H H
H H
H
PK
SIG = (i=2, , , , , )
OTS
SK
![Page 15: Hash-based Signatures: An outline for a new standard](https://reader031.vdocument.in/reader031/viewer/2022012002/61d8ed9ac1e1b0331b634b53/html5/thumbnails/15.jpg)
McGrew & Curcio‘2014
30-3-2015 PAGE 14
![Page 16: Hash-based Signatures: An outline for a new standard](https://reader031.vdocument.in/reader031/viewer/2022012002/61d8ed9ac1e1b0331b634b53/html5/thumbnails/16.jpg)
Why another I-D?
• “Weaker“ assumptions on used hash function• -> “Stronger“ security guarantees
• Virtually unlimited number of signatures / key pair(Multi-Tree version)
• Smaller signatures (approx. factor 2)
• Faster key generation & signing(Multi-Tree version)
23-3-2015 PAGE 15
![Page 17: Hash-based Signatures: An outline for a new standard](https://reader031.vdocument.in/reader031/viewer/2022012002/61d8ed9ac1e1b0331b634b53/html5/thumbnails/17.jpg)
Schemes in the Draft
• Winternitz One Time Signature (WOTS+)
• Extended Merkle (tree) signature scheme (XMSS)
• Multi-tree XMSS (XMSS^MT)
23-3-2015 PAGE 16
![Page 18: Hash-based Signatures: An outline for a new standard](https://reader031.vdocument.in/reader031/viewer/2022012002/61d8ed9ac1e1b0331b634b53/html5/thumbnails/18.jpg)
General Design Choices
Define as mandatory:
• Public key and signature format & semantics
• Verification
Leave implementer freedom to choose trade-offs:
• Secret key format• In consequence key generation• Many trade-offs possible• Does not affect interoperability
• Signature generation• Many trade-offs possible• Does not affect interoperability
Prepare for stateless hash-based signatures (future):
• SPHINCS uses XMSS^MT as subroutine
Efficient sig / pk encodings a la McGrew & Curcio
![Page 19: Hash-based Signatures: An outline for a new standard](https://reader031.vdocument.in/reader031/viewer/2022012002/61d8ed9ac1e1b0331b634b53/html5/thumbnails/19.jpg)
WOTS+
Uses bitmasks
-> Collision-resilience
-> signature size halved
-> Tighter security reduction
H
bi
H
![Page 20: Hash-based Signatures: An outline for a new standard](https://reader031.vdocument.in/reader031/viewer/2022012002/61d8ed9ac1e1b0331b634b53/html5/thumbnails/20.jpg)
XMSS
Tree: Uses bitmasks
Leafs: Use binary treewith bitmasks
OTS: WOTS+
Mesage digest: Randomized hashing
-> Collision-resilience
-> signature size halved
H
bi
H
![Page 21: Hash-based Signatures: An outline for a new standard](https://reader031.vdocument.in/reader031/viewer/2022012002/61d8ed9ac1e1b0331b634b53/html5/thumbnails/21.jpg)
Multi-Tree XMSS
Uses multiple layers of trees
-> Key generation(= Building Trees on one path)
Θ(2h) → Θ(d*2h/d)
-> Allows to reduceworst-case signing timesΘ(h/2) → Θ(h/2d)
![Page 22: Hash-based Signatures: An outline for a new standard](https://reader031.vdocument.in/reader031/viewer/2022012002/61d8ed9ac1e1b0331b634b53/html5/thumbnails/22.jpg)
Design Choices: Multi-tree XMSS
Same tree height and w for all internal trees
-> easier implementation
![Page 23: Hash-based Signatures: An outline for a new standard](https://reader031.vdocument.in/reader031/viewer/2022012002/61d8ed9ac1e1b0331b634b53/html5/thumbnails/23.jpg)
Design Choices: Parameters
Parameter sets for different settings
1. Security (message digest size m, inner node size n)
m = 256, n = 128 m = n = 256 m = n = 512
Classical Security
128 bits 256 bits 512 bits
Post-QuantumSecurity
64 bits 128 bits 256 bits
Internal Hash AES-128 SHA3-256 SHA3-512
Message Digest SHA3-256 SHA3-256 SHA3-512
![Page 24: Hash-based Signatures: An outline for a new standard](https://reader031.vdocument.in/reader031/viewer/2022012002/61d8ed9ac1e1b0331b634b53/html5/thumbnails/24.jpg)
Parameters, cont‘d
2. WOTS+: • w = 4, 8, 16 (optimal trade-off, easy implementation)
3. XMSS: • h = 10, 16, 20 (otherwise key gen too slow)
4. Multi-tree: • Single tree height = 5, 10, 20 (otherwise key gen too
slow)
• Total tree height h = 20, 40, 60 ( > 60 unnecessary)
23-3-2015 PAGE 23
![Page 25: Hash-based Signatures: An outline for a new standard](https://reader031.vdocument.in/reader031/viewer/2022012002/61d8ed9ac1e1b0331b634b53/html5/thumbnails/25.jpg)
Parameters, cont‘d
• Many, many, many parameter sets! Too many?
• #ParameterSets• XMSS: 27 (+8)
• XMSS^MT: 72 (+48) • will remove 18 because of statistical collision probability
Every scenario covered?
• “Zero-Bitmasks“ parameters -> small PK but no collision-resilience!-> similar to McGrew & CurcioNeeded?
23-3-2015 PAGE 24
![Page 26: Hash-based Signatures: An outline for a new standard](https://reader031.vdocument.in/reader031/viewer/2022012002/61d8ed9ac1e1b0331b634b53/html5/thumbnails/26.jpg)
IPR
• Based on scientific work (already published)
• No IPR claims from our side
• Not aware of others planning IPR claims
![Page 27: Hash-based Signatures: An outline for a new standard](https://reader031.vdocument.in/reader031/viewer/2022012002/61d8ed9ac1e1b0331b634b53/html5/thumbnails/27.jpg)
Conclusion
XMSS: New important features
• Smaller signatures
• Faster signing & key generation
• Up to 260 signatures per key pair with proposed params
• Stronger security guarantees (collision-resilience)
• Prepares for stateless schemes
23-3-2015 PAGE 26
![Page 28: Hash-based Signatures: An outline for a new standard](https://reader031.vdocument.in/reader031/viewer/2022012002/61d8ed9ac1e1b0331b634b53/html5/thumbnails/28.jpg)
Thank you!
Questions?
23-3-2015 PAGE 27
![Page 29: Hash-based Signatures: An outline for a new standard](https://reader031.vdocument.in/reader031/viewer/2022012002/61d8ed9ac1e1b0331b634b53/html5/thumbnails/29.jpg)
McGrew & Curcio‘2014
• Winternitz OTS ( = LDWM-OTS)
• Merkle tree scheme (MTS)
• Parameter Sets = Cipher Suites
• Efficient sig / pk encoding
• Security <= collision resistance
23-3-2015 PAGE 28