Embed Size (px)
Citation preview
SPHINCS: practical stateless
hash-based signatures D. J. Bernstein, D. Hopwood, A. Hülsing,
T. Lange, R. Niederhagen, L. Papachristodoulou,
P. Schwabe, and Z. Wilcox O'Hearn
Digital Signatures are Important!
PAGE 1 15-7-2014
Software updates
E-Commerce
… and many others
What if…
PAGE 2 15-7-2014
Problem?
RSA
PAGE 3 15-7-2014
DH
DL
Pairings
…
PAGE 4 15-7-2014
IBM 2012: „…optimism about superconducting qubits
and the possibilities for a future quantum computer are
rapidely growing.“
Post-Quantum Signatures
PAGE 5 15-7-2014
Lattice, MQ, Coding
Signature and/or key sizes
Runtimes
Secure parameters
...
1
3
14232
2
32
34121
2
11
y
xxxxxxy
xxxxxxy
Hash-based Signature Schemes [Mer89]
PAGE 6 15-7-2014
Post quantum
Only secure hash function
Security well understood
Fast
Stateful
Lamport-Diffie OTS [Lam79]
Message M = b1,…,bn, OWF H = n bit
SK
PK
Sig
PAGE 7 15-7-2014
sk1,0 sk1,1 skn,0 skn,1
pk1,0 pk1,1 pkn,0 pkn,1
H H H H H H
sk1,b1 skn,bn
*
Mux b1 Mux b2 Mux bn
Merkle’s Hash-based Signatures
PAGE 8 15-7-2014
Cryptography
Digital Signature
Encryption
Hash Function
MAC
Legality
OTS
OTS OTS OTS OTS OTS OTS OTS
H H H H H H H H
H H H H
H H
H
PK
SIG = (i=2, , , , , )
OTS
SK
Known Improvements [BGD+06]
PAGE 9 15-7-2014
• Pseudorandom Key Generation:
SK
• Hypertree:
Key generation (== Building Trees on one path)
O(2h) → O(d2h/d)
F F
F
F
F
F
nnh 2
Known Improvements, cont’d
• Winternitz OTS [Mer‘89, …, BDE+11,Hül13]
• Smaller Sigs
• Minimum Security Assumptions
• Minimum Security Assumptions / Collision-Resilient Scheme
[BDH11]
• XMSS requires only PRF & SPR
PAGE 10 15-7-2014
SPHINCS: Stateless Practical Hash-based
Incredibly Nice Cryptographic Signatures
PAGE 11 15-7-2014
Goals
• Stateless
• 128bit Quantum Security
• Practical Speed
• Practical Signature Size
PAGE 12 15-7-2014
How to Eliminate the State
PAGE 13 15-7-2014
Trial & Error:
• Run MSS without State
PAGE 14 15-7-2014
MAC
SIG = (i=2, , , , , )
Cryptography
Digital Signature
Encryption
Hash Function Legality
OTS OTS OTS OTS OTS OTS OTS
H H H H H H H H
H H H H
H H
H
PK
OTS
SK
Approach 1: Goldreich
i = Integer.getValue(Hash(Message));
128bit Quantum Sec.
→ n = 256 bit Hash [Ber09]
→ #Indices = 2256
→ h = n = 256
h depends on n!
PAGE 15 15-7-2014
Approach 1, cont’d
• d > 1, otherwise
tSign = exp(n)
PAGE 16 15-7-2014
Approach 1, cont’d
i = Integer.getValue(Hash(Message));
h = n = 256
Impossible to make this efficient:
tSign ≈ d2n/d (tHash + tOTS_KeyGen) ≈ d2n/dn tHash
|Sig| ≈ d |OTS_Sig| (+ n2, if d<n) ≈ dn2
E.g. d = n / log n:
tSign ≈ n3 / log n tHash; |Sig| ≈ n3 / log n Goldreich: d = n
tSign ≈ 2n2 tHash; |Sig| ≈ n3
|Sig| > 1MB for n = 256
PAGE 17 15-7-2014
Approach 2: Random Index
PAGE 18 15-7-2014
IndicesU#$I
128bit Quantum Sec.
→ Sampled by Signer
→ #Indices determined by collision prob.
→ #Indices = 2256
→ h = 256
Impossible to make this efficient, again… BUT
h independent of n
Statistical collision probability NOT collision
resistance
Sphincs
• Approach 2 + Few-Time Signature Scheme (FTS)
• Next: Introduce new FTS
HORS with Trees (HORST)
• Preview: Allows h = 60 for any n
tSign ≈ d260/d (tHash + tOTS_KeyGen) ≈ d260/dn tHash
|Sig| ≈ d |OTS_Sig| (+ n2, if d<n) ≈ dn2
E.g. d = 12:
tSign ≈ 384n tHash; |Sig| ≈ 12n2 (without HORST)
PAGE 19 15-7-2014
Few-Time Signature Schemes
PAGE 20 15-7-2014
Recap LD-OTS
Message M = b1,…,bn, OWF H = n bit
SK
PK
Sig
PAGE 21 15-7-2014
sk1,0 sk1,1 skn,0 skn,1
pk1,0 pk1,1 pkn,0 pkn,1
H H H H H H
sk1,b1 skn,bn
*
Mux b1 Mux b2 Mux bn
HORS [RR02]
Message M = b1,…,bm, OWF H = n bit
Parameters t=2a,k, with m = ka (typical a=16, k=32)
SK
PK
M
Sig
PAGE 22 15-7-2014
sk1 sk2 skt-1 skt
pk1 pk1 pkt-1 pkt
H H H H H H
*
b1 b2 ba ba+1 bka-2 bka-1 bka
i1 ik
ski1 skik
Mux Mux
HORS Security
• Message M = Hash(msg)
• M mapped to k element index set Mi є {1,..,t}k
• Each signature publishes k out of t secrets
• Either break one-wayness or…
• r-Subset-Resilience: After seeing index sets Mij for r
messages msgj, 1 <= j <= r, hard to find msgr+1 ≠ msgj
such that Mir+1 є U1<=j<=r M
ij .
• Best generic attack: Succr-SSR(A,q) = q(rk / t)k
→ Security shrinks with each signature!
PAGE 23 15-7-2014
HORST
• Using HORS with MSS requires adding PK (tn) to
MSS signature.
• HORST: Build a Merkle Tree on top of PK
• PK = Root
• Publish Authentication Paths for HORS signature
values
• PK can be computed from Sig
• With optimizations: tn → (k(log t − x + 1) + 2x)n
− E.g. SPHINCS-256: 2 MB → 16 KB
PAGE 24 15-7-2014
SPHINCS
PAGE 25 15-7-2014
SPHINCS Signature
PAGE 26 15-7-2014
SPHINCS Key Ideas
• Use HORST key pairs to sign messages
• Authenticate HORST key pairs using hypertree (of
MSS trees)
• Use random index
• Select h,k,t,m such that
sumr є [0,∞)(Pr[r-times index collision] *
Succr-SSR(A)) = negl(n)
PAGE 27 15-7-2014
SPHINCS-256
PAGE 28 15-7-2014
SPHINCS-256 Speed
• Key generation: 3,051,562 cycles
• Verification: 1,369,060 cycles
• Signature: 47,466,005 cycles
• Still hundreds of messages per second on a modern
4-core 3.5GHz Intel CPU (13ms / Sig)
PAGE 29 15-7-2014
In Paper (online soon)
+ Standard model security reduction without collision
resistance
+ Complexity of generic quantum attacks
+ Efficient fixed-input length hashing
+ Optimized implementation
PAGE 30 15-7-2014
Conclusion
• Stateless Hash-based Signatures
• Performance like RSA or BLISS? No!
• First stateless signature scheme with post-quantum
secure parameters
• Practical Speed and Sizes
PAGE 31 15-7-2014
Thank you!
Questions?
PAGE 32 15-7-2014
![Hash-based Signatures and SPHINCS · Hash-based Signature Schemes [Mer89] 20-1-2015 PAGE 2 Post quantum Only secure hash function Security well understood Fast Stateful](https://img.pdfslide.us/doc/110x75/5f793c2642b102565c187ab3/hash-based-signatures-and-sphincs-hash-based-signature-schemes-mer89-20-1-2015.jpg)
