
Page 1: W-OTS +  – Shorter Signatures for Hash-Based Signature Schemes

24.06.2013 | TU Darmstadt | Andreas Hülsing | 1

W-OTS+ – Shorter Signatures for Hash-Based Signature Schemes

Andreas Hülsing

Page 2: W-OTS +  – Shorter Signatures for Hash-Based Signature Schemes

Digital Signatures are Important!


Software updates

E-Commerce

… and many others

Page 3: W-OTS +  – Shorter Signatures for Hash-Based Signature Schemes

What if…


IBM 2012: „…optimism about superconducting qubits and the possibilities for a future quantum computer are rapidly growing.“

Page 4: W-OTS +  – Shorter Signatures for Hash-Based Signature Schemes

Post-Quantum Signatures

Based on Lattice, MQ, Coding

Signature and/or key sizes

Runtimes

Secure parameters



Page 5: W-OTS +  – Shorter Signatures for Hash-Based Signature Schemes

Hash-based Signature Schemes [Merkle, Crypto'89]

Hash-based signatures are…

… not only “post-quantum”

… fast, also without HW-acceleration

… strong security guarantees

… forward secure

But … signature size ~2-3 kB


Page 6: W-OTS +  – Shorter Signatures for Hash-Based Signature Schemes

Hash-based Signatures

[Figure: binary hash tree. Leaves are the OTS public keys (OTS, OTS, …); every inner node is h(left child || right child); the root is PK. SK holds the OTS secret keys. The signature for leaf i is SIG = (i, OTS signature, authentication path), where the authentication path is the sequence of sibling nodes on the way from leaf i up to the root.]
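The tree part of the figure, as an added example (not code from the slides or from XMSS): build the Merkle tree over leaf values, extract the authentication path that goes into SIG = (i, OTS signature, authentication path), and recompute the root on the verifier side. The eight leaves are constructed stand-ins for hashed OTS public keys, and SHA-256 as the tree hash h is this example's choice.

```python
import hashlib
from typing import List, Tuple


def h(data: bytes) -> bytes:
    # The tree hash the slide calls h; SHA-256 is this example's choice.
    return hashlib.sha256(data).digest()


def build_tree(leaves: List[bytes]) -> List[List[bytes]]:
    """Return every level of the tree: levels[0] = leaves, levels[-1] = [PK]."""
    n = len(leaves)
    if n == 0 or n & (n - 1):
        raise ValueError("leaf count must be a power of two")
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([h(prev[i] + prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels


def auth_path(levels: List[List[bytes]], index: int) -> List[bytes]:
    """Sibling nodes from leaf `index` up to the root; this is what goes into SIG."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])
        index >>= 1
    return path


def root_from_path(leaf: bytes, index: int, path: List[bytes]) -> bytes:
    """Verifier side: recompute the root from the leaf, its index and the auth path.
    The index bits decide whether the sibling is the left or the right input of h."""
    node = leaf
    for sibling in path:
        node = h(sibling + node) if index & 1 else h(node + sibling)
        index >>= 1
    return node


def verify_leaf(pk: bytes, leaf: bytes, index: int, path: List[bytes]) -> bool:
    return root_from_path(leaf, index, path) == pk


# Constructed sample: 8 stand-ins for (hashed) OTS public keys, i.e. tree height 3.
LEAVES = [hashlib.sha256(b"ots-public-key-%d" % i).digest() for i in range(8)]
LEVELS = build_tree(LEAVES)
PK = LEVELS[-1][0]


def make_sig(index: int, ots_sig: bytes) -> Tuple[int, bytes, List[bytes]]:
    # SIG = (i, OTS signature, authentication path), as in the slide.
    return index, ots_sig, auth_path(LEVELS, index)


if __name__ == "__main__":
    i, ots_sig, path = make_sig(5, b"<ots signature for leaf 5>")
    print("verifies:", verify_leaf(PK, LEAVES[i], i, path))
    print("wrong leaf rejected:", not verify_leaf(PK, LEAVES[i ^ 1], i, path))
```

The verifier never sees the other OTS public keys; the h-many path nodes (3 here) are all it needs, which is why the authentication path, not the tree, is what dominates the signature size.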

Page 7: W-OTS +  – Shorter Signatures for Hash-Based Signature Schemes

Winternitz OTS [Merkle, Crypto'89; Even et al., JoC'96]

1. pk = f^{w-1}(sk): the public key is obtained by iterating a one-way function f on the secret key

2. Trade-off between runtime and signature size, controlled by parameter w

3. Minimal security requirements (PRF) [Buchmann et al., Africacrypt'11]

4. Used in XMSS & XMSS+ [Buchmann et al., PQCrypto'11; Hülsing et al., SAC'12]

Page 8: W-OTS +  – Shorter Signatures for Hash-Based Signature Schemes

WOTS+

“Winternitz-Type” OTS

Security based on 2nd-preimage resistance, one-wayness & undetectability of the function family, even for SU-CMA

Tight security reduction w/o collision resistance

Allows for more signature compression, i.e. greater w

Page 9: W-OTS +  – Shorter Signatures for Hash-Based Signature Schemes

XMSS with WOTS+

XMSS and XMSS+ on Infineon SLE78 [HBB12]


Page 10: W-OTS +  – Shorter Signatures for Hash-Based Signature Schemes

Construction


Page 11: W-OTS +  – Shorter Signatures for Hash-Based Signature Schemes

WOTS+

Use function family F_n = { f_k : {0,1}^n → {0,1}^n | k ∈ {0,1}^{n'} }

Previous schemes used

For w ≥ 2 select R = (r_1, …, r_{w-1}) with r_i ∈ {0,1}^n, and a key k ∈ {0,1}^{n'}

Function chain:

  c^0(x) = x

  c^i(x) = f_k(c^{i-1}(x) ⊕ r_i), giving c^1(x), …, c^{w-1}(x)

[Figure: the chain x → c^1(x) → … → c^{w-1}(x); each step XORs the bitmask r_i into the current value and applies f_k]

Page 12: W-OTS +  – Shorter Signatures for Hash-Based Signature Schemes

Winternitz parameter w, security parameter n, message length m, function family F_n = { f_k : {0,1}^n → {0,1}^n | k ∈ {0,1}^n }

Key Generation: Compute ℓ, sample k, sample R, sample secret key (sk_1, …, sk_ℓ)

WOTS+

For every chain i = 1, …, ℓ:

  c^0(sk_i) = sk_i

  c^1(sk_i), …, pk_i = c^{w-1}(sk_i)

[Figure: ℓ chains, sk_1 … sk_ℓ at the bottom, pk_1 … pk_ℓ at the top]

Page 13: W-OTS +  – Shorter Signatures for Hash-Based Signature Schemes

WOTS+ Signature generation

M → (b_1, b_2, b_3, b_4, …, b_{ℓ_1}), checksum C → (b_{ℓ_1+1}, b_{ℓ_1+2}, …, b_ℓ)

For every chain i = 1, …, ℓ:

  c^0(sk_i) = sk_i, …, σ_i = c^{b_i}(sk_i), …, pk_i = c^{w-1}(sk_i)

[Figure: each σ_i is the chain value b_i steps above sk_i; the verifier walks the remaining w-1-b_i steps and compares with pk_i]
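Key generation, signing and verification from the three construction slides, as an added example (not the paper's or XMSS's reference code). The keyed function family F_n is instantiated as f_k(x) = SHA-256(k || x), and the parameters n = 256 bits, w = 16, m = 256 bits are this example's choices; both are assumptions. The checksum is the usual Winternitz checksum C = Σ(w-1-b_i). The last function goes slightly beyond the slides: it shows what an attacker holding one signature can do by walking chains forward, and why the checksum stops that.

```python
import hashlib
import math
import secrets
from typing import Callable, List, Optional, Tuple

# Parameters from the slides: security parameter n, Winternitz parameter w,
# message length m. The values are this example's choice (the XMSS defaults).
N = 32          # n = 256 bits, as bytes
W = 16          # w
M_BITS = 256    # m: we sign a SHA-256 digest of the message
LOG_W = int(math.log2(W))
L1 = math.ceil(M_BITS / LOG_W)                          # message blocks: 64
L2 = math.floor(math.log2(L1 * (W - 1)) / LOG_W) + 1    # checksum blocks: 3
L = L1 + L2                                             # chains: 67

Key = Tuple[bytes, List[bytes], List[bytes]]   # (k, R, sk_1..sk_l) or (k, R, pk_1..pk_l)


def f(k: bytes, x: bytes) -> bytes:
    # Stand-in for the keyed function family F_n. SHA-256(k || x) is an
    # assumption of this example, not the paper's instantiation.
    return hashlib.sha256(k + x).digest()


def chain(x: bytes, start: int, steps: int, k: bytes, R: List[bytes]) -> bytes:
    """Walk the WOTS+ chain from c^start(x) to c^(start+steps)(x):
    c^i(x) = f_k(c^(i-1)(x) XOR r_i), with bitmasks R = (r_1, ..., r_(w-1))."""
    if start + steps > W - 1:
        raise ValueError("chain position exceeds w-1")
    y = x
    for i in range(start + 1, start + steps + 1):
        y = f(k, bytes(a ^ b for a, b in zip(y, R[i - 1])))
    return y


def base_w(data: bytes, out_len: int) -> List[int]:
    """Split the leading out_len * log2(w) bits of data into base-w digits."""
    value = int.from_bytes(data, "big")
    total = len(data) * 8
    return [(value >> (total - LOG_W * (i + 1))) & (W - 1) for i in range(out_len)]


def msg_digits(msg: bytes) -> List[int]:
    """M -> (b_1, ..., b_l1, b_(l1+1), ..., b_l): message digits, then checksum digits."""
    b = base_w(hashlib.sha256(msg).digest(), L1)
    csum = sum(W - 1 - d for d in b)
    csum_bits = L2 * LOG_W
    csum_bytes = (csum_bits + 7) // 8
    csum <<= csum_bytes * 8 - csum_bits          # left-align so base_w reads the top bits
    return b + base_w(csum.to_bytes(csum_bytes, "big"), L2)


def keygen(rng: Callable[[int], bytes] = secrets.token_bytes) -> Tuple[Key, Key]:
    """Key Generation slide: compute l, sample k and R, sample sk, pk_i = c^(w-1)(sk_i)."""
    k = rng(N)
    R = [rng(N) for _ in range(W - 1)]
    sk = [rng(N) for _ in range(L)]
    pk = [chain(s, 0, W - 1, k, R) for s in sk]
    return (k, R, sk), (k, R, pk)


def sign(secret: Key, msg: bytes) -> List[bytes]:
    """sigma_i = c^(b_i)(sk_i). One-time: never reuse the secret key for a second message."""
    k, R, sk = secret
    return [chain(sk[i], 0, b, k, R) for i, b in enumerate(msg_digits(msg))]


def verify(public: Key, msg: bytes, sig: List[bytes]) -> bool:
    """Finish every chain: c^(w-1-b_i)(sigma_i) must equal pk_i."""
    k, R, pk = public
    if len(sig) != L:
        return False
    return all(chain(sig[i], b, W - 1 - b, k, R) == pk[i]
               for i, b in enumerate(msg_digits(msg)))


def advance_signature(public: Key, signed_msg: bytes, sig: List[bytes],
                      target: bytes) -> Optional[List[bytes]]:
    """What one signature lets an attacker do without inverting f_k: move chains
    forward only. Returns a valid signature for `target` if every b*_i >= b_i,
    else None. The checksum guarantees some b*_alpha < b_alpha whenever the
    digests of target and signed_msg differ."""
    k, R, _ = public
    b, b_star = msg_digits(signed_msg), msg_digits(target)
    if any(bs < bi for bi, bs in zip(b, b_star)):
        return None
    return [chain(sig[i], b[i], b_star[i] - b[i], k, R) for i in range(L)]


if __name__ == "__main__":
    secret, public = keygen()
    msg = b"software update 1.2.3"
    sig = sign(secret, msg)
    print("l =", L, "signature bytes =", L * N)
    print("valid:", verify(public, msg, sig))
    print("forward-advance forgery:", advance_signature(public, msg, sig, b"software update 6.6.6"))
```

With these parameters a signature is ℓ·n = 67·32 = 2144 bytes; raising w shortens it (fewer chains) at the cost of longer chains, which is exactly the trade-off the tighter WOTS+ reduction makes affordable.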

Page 14: W-OTS +  – Shorter Signatures for Hash-Based Signature Schemes

Security Proof: Reduction


Page 15: W-OTS +  – Shorter Signatures for Hash-Based Signature Schemes

Main result

Theorem:

W-OTS+ is strongly unforgeable under chosen message attacks if F is a 2nd-preimage resistant, undetectable one-way function family


Page 16: W-OTS +  – Shorter Signatures for Hash-Based Signature Schemes

EU-CMA for OTS

Challenger generates (SK, PK) and hands PK, 1^n to the adversary.

Adversary makes a single query M to the signing oracle SIGN(SK, ·) and receives (σ, M).

Adversary outputs (σ*, M*).

Success if M* ≠ M and Verify(pk, σ*, M*) = Accept

Page 17: W-OTS +  – Shorter Signatures for Hash-Based Signature Schemes

Intuition

Oracle Response: (σ, M); M → (b_1, …, b_ℓ)

Forgery: (σ*, M*); M* → (b_1*, …, b_ℓ*)

Observations:

1. ∃ α ∈ {1, …, ℓ} s.t. b_α* < b_α, because of the checksum

2. c^{w-1-b_α*}(σ_α*) = pk_α = c^{w-1-b_α}(σ_α), because of verification

Adversary "quasi-inverted" chain c

[Figure: chain α. Honest chain c^0(sk_α) = sk_α → … → σ_α = c^{b_α}(sk_α) → … → pk_α. The forged value σ_α* sits at position b_α* < b_α, yet walking it forward ends in the same pk_α* = pk_α.]
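Why observation 1 holds, written out as an added derivation that is not on the original slides. It uses the slides' notation and assumes the standard Winternitz checksum C = Σ_{i≤ℓ_1}(w-1-b_i) encoded in base w as the digits b_{ℓ_1+1}, …, b_ℓ.

```latex
\textbf{Claim.} Let $M \neq M^\ast$ be $m$-bit messages with digit strings
$(b_1,\dots,b_\ell)$ and $(b_1^\ast,\dots,b_\ell^\ast)$, where
$b_1,\dots,b_{\ell_1}$ is the base-$w$ encoding of $M$ and
$b_{\ell_1+1},\dots,b_\ell$ the base-$w$ encoding (with $\ell_2 = \ell-\ell_1$ digits) of
$C = \sum_{i=1}^{\ell_1} (w-1-b_i)$; likewise $b^\ast$ and $C^\ast$ for $M^\ast$.
Then there is an $\alpha \in \{1,\dots,\ell\}$ with $b^\ast_\alpha < b_\alpha$.

\textbf{Proof.} If $b^\ast_j < b_j$ for some $j \le \ell_1$ we are done.
Otherwise $b^\ast_i \ge b_i$ for all $i \le \ell_1$; since $M \neq M^\ast$ the
message digit strings differ, so $b^\ast_j > b_j$ for at least one $j \le \ell_1$. Hence
\[
  C^\ast \;=\; \sum_{i=1}^{\ell_1} (w-1-b^\ast_i)
  \;<\; \sum_{i=1}^{\ell_1} (w-1-b_i) \;=\; C .
\]
$C$ and $C^\ast$ are both written with the same number $\ell_2$ of base-$w$ digits,
and $C^\ast < C$ means that at the most significant position where the two
encodings differ the digit of $C^\ast$ is the smaller one. That position is an
$\alpha \in \{\ell_1+1,\dots,\ell\}$ with $b^\ast_\alpha < b_\alpha$. \qed
```

This is the only place the checksum is needed: without it an adversary could forge by walking every chain forward, which requires no inversion of $f_k$ at all.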

Page 18: W-OTS +  – Shorter Signatures for Hash-Based Signature Schemes

Intuition, cont‘d

Oracle Response: (σ, M); M → (b_1, …, b_ℓ)

Forgery: (σ*, M*); M* → (b_1*, …, b_ℓ*)

Observations: Adversary "quasi-inverted" chain c

Pigeon hole principle: the honest chain from c^0(sk_α) = sk_α through σ_α and the forged chain from σ_α* both end in pk_α, so there is a first position β at which the two chains coincide.

[Figure: chain α with the merge position β marked. At step β the reduction extracts either a preimage under f_k (the forged chain value hits the embedded challenge) or a second preimage (two distinct inputs, after the XOR with r_β, map to the same value under f_k).]

Page 19: W-OTS +  – Shorter Signatures for Hash-Based Signature Schemes

Conclusion

We tightened the security proof, which allows for smaller signatures (and achieves stronger security).

It makes sense to tighten security proofs!

Take Home Message:

Hash-based signatures are practical


Page 20: W-OTS +  – Shorter Signatures for Hash-Based Signature Schemes

Thank you!