W-OTS+ – Shorter Signatures for Hash-Based Signature Schemes
Andreas Hülsing, TU Darmstadt
Digital signatures are important!
Software updates, e-commerce, … and many others
What if…
IBM 2012: „…optimism about superconducting qubits and the possibilities for a future quantum computer are rapidly growing.“
Post-quantum signatures based on lattices, MQ, coding
Signature and/or key sizes; runtimes; secure parameters
Hash-based signature schemes [Merkle, Crypto'89]
Hash-based signatures are…
… not only "post-quantum"
… fast, also without HW acceleration
… strong security guarantees
… forward secure
But…
… signature size ~2-3 kB
Hash-based signatures
[Figure: Merkle tree of hash values (h) over the OTS public keys; the root is PK, the leaves carry the OTS key pairs (SK); SIG = (i, …)]
Winternitz OTS [Merkle, Crypto'89; Even et al., JoC'96]
1. = f( )  (formula not recovered)
2. Trade-off between runtime and signature size, controlled by parameter w
3. Minimal security requirements (PRF) [Buchmann et al., Africacrypt'11]
4. Used in XMSS & XMSS+ [Buchmann et al., PQCrypto'11; Hülsing et al., SAC'12]
SIG = (i, …)
WOTS+
"Winternitz-type" OTS
Security based on 2nd-preimage resistance, one-wayness & undetectability of the function family, even for SU-CMA
Tight security reduction w/o collision resistance
Allows for more signature compression, i.e. greater w
XMSS with WOTS+
XMSS and XMSS+ on Infineon SLE78 [HBB12]
Construction
Function chain
Use function family
Previous schemes used
WOTS+: for w ≥ 2 select R = (r_1, …, r_{w-1})
Function chain: c^0(x) = x, c^1(x), …, c^{w-1}(x)
[Figure: chain diagram with the randomization elements r_i applied between steps]
WOTS+ key generation
Parameters: Winternitz parameter w, security parameter n, message length m, function family
Key generation: compute l, sample k, sample R
For i = 1, …, l: c^0(sk_i) = sk_i → c^1(sk_i) → … → pk_i = c^{w-1}(sk_i)
WOTS+ signature generation
M → b_1 b_2 b_3 b_4 … b_{l_1}; checksum C → b_{l_1+1} b_{l_1+2} … b_l
Chains: c^0(sk_i) = sk_i, …, pk_i = c^{w-1}(sk_i)
σ_1 = c^{b_1}(sk_1), …, σ_l = c^{b_l}(sk_l)
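The construction on the preceding slides (randomized function chain, key generation, base-w message digits plus checksum, signing and verification), written out as an added Python example; this is not code from the talk or from the WOTS+ paper. The chain is the WOTS+ chain c^i(x) = f_k(c^{i-1}(x) ⊕ r_i). The instantiation of f_k as SHA-256 over k || x truncated to n bytes, the parameter choice n = 32 bytes, w = 16, m = 256 bits, the sample messages, and the helper names (params, chain, to_base_w, digits_with_checksum, keygen, sign, verify, some_digit_decreases) are assumptions of this example. The last function checks the checksum property that the proof intuition later relies on: for M* ≠ M at least one digit b_α* is smaller than b_α.

```python
import hashlib
import math
import os

# Parameters chosen for this example (assumption, not the talk's): n = security
# parameter in bytes, w = Winternitz parameter, m = message length in bits.
N = 32
W = 16
M_BITS = 256


def params(n=N, w=W, m=M_BITS):
    """Number of message chains l1, checksum chains l2 and l = l1 + l2."""
    lg = math.log2(w)
    l1 = math.ceil(m / lg)
    l2 = math.floor(math.log2(l1 * (w - 1)) / lg) + 1
    return l1, l2, l1 + l2


def f(k, x):
    """One member f_k of the function family, instantiated here (assumption)
    as SHA-256 over k || x truncated to n bytes; the talk treats F abstractly."""
    return hashlib.sha256(k + x).digest()[:len(x)]


def chain(x, start, steps, k, R):
    """Given c^start(x), return c^{start+steps}(x) using the WOTS+ chain
    c^i(x) = f_k(c^{i-1}(x) xor r_i); R holds r_1..r_{w-1} at indices 0..w-2."""
    out = x
    for i in range(start + 1, start + steps + 1):
        masked = bytes(a ^ b for a, b in zip(out, R[i - 1]))
        out = f(k, masked)
    return out


def to_base_w(value, count, w):
    """Write value as exactly count base-w digits, most significant first."""
    digits = []
    for _ in range(count):
        digits.append(value % w)
        value //= w
    return digits[::-1]


def digits_with_checksum(msg, w=W):
    """b_1..b_l: the l1 message digits followed by the l2 digits of the
    checksum C = sum(w - 1 - b_i). Lowering any message digit raises C, so
    no second message can have every digit >= those of the first."""
    l1, l2, _ = params(w=w)
    b = to_base_w(int.from_bytes(msg, "big"), l1, w)
    c = sum(w - 1 - bi for bi in b)
    return b + to_base_w(c, l2, w)


def keygen(n=N, w=W):
    """Sample the function key k, R = (r_1, ..., r_{w-1}) and sk_1..sk_l;
    the public key is pk_i = c^{w-1}(sk_i)."""
    _, _, l = params(n, w)
    k = os.urandom(n)
    R = [os.urandom(n) for _ in range(w - 1)]
    sk = [os.urandom(n) for _ in range(l)]
    pk = [chain(s, 0, w - 1, k, R) for s in sk]
    return {"k": k, "R": R, "sk": sk}, {"k": k, "R": R, "pk": pk}


def sign(secret, msg, w=W):
    """sigma_i = c^{b_i}(sk_i) for the digits b_i of msg (checksum included)."""
    b = digits_with_checksum(msg, w)
    return [chain(s, 0, bi, secret["k"], secret["R"])
            for s, bi in zip(secret["sk"], b)]


def verify(public, msg, sig, w=W):
    """Continue each chain from position b_i: c^{w-1-b_i}(sigma_i) must equal pk_i."""
    b = digits_with_checksum(msg, w)
    if len(sig) != len(public["pk"]):
        return False
    return all(chain(s, bi, w - 1 - bi, public["k"], public["R"]) == p
               for s, bi, p in zip(sig, b, public["pk"]))


def some_digit_decreases(msg, msg_star, w=W):
    """The checksum observation behind the proof intuition: for M* != M there
    is an index alpha with b*_alpha < b_alpha, so a forger cannot obtain
    sigma* from sigma by only walking chains forward."""
    b = digits_with_checksum(msg, w)
    b_star = digits_with_checksum(msg_star, w)
    return any(bs < bi for bi, bs in zip(b, b_star))


if __name__ == "__main__":
    secret, public = keygen()
    m1, m2 = bytes(range(32)), bytes(range(1, 33))  # constructed message digests
    sig = sign(secret, m1)
    print(params(), verify(public, m1, sig), verify(public, m2, sig),
          some_digit_decreases(m1, m2))
```

With n = 32, w = 16 and m = 256 the example yields l1 = 64 message chains and l2 = 3 checksum chains, so a signature is 67 chain values; raising w shortens the signature at the cost of longer chains, which is the trade-off the tighter proof makes affordable.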
Security proof: reduction
Main result
Theorem: W-OTS+ is strongly unforgeable under chosen message attacks if F is a 2nd-preimage resistant, undetectable one-way function family
EU-CMA for OTS
The adversary receives PK and 1^n, submits one message M to the signing oracle SIGN_SK and receives (σ, M), then outputs (σ*, M*).
Success if M* ≠ M and Verify(pk, σ*, M*) = Accept
Intuition
Oracle response: (σ, M); M → (b_1, …, b_l)
Forgery: (σ*, M*); M* → (b_1*, …, b_l*)
Observations:
1. (condition not recovered) because of checksum
2. c^{w-1-b_α*}(σ*_α) = pk_α = c^{w-1-b_α}(σ_α), because of verification
The adversary has "quasi-inverted" chain c
[Figure: chain c^0(sk_α) = sk_α → … → pk_α with the positions of σ_α, σ*_α and pk*_α marked; known values are labelled "=", unknown ones "?"]
Intuition, cont'd
Oracle response: (σ, M); M → (b_1, …, b_l)
Forgery: (σ*, M*); M* → (b_1*, …, b_l*)
Observations: the adversary has "quasi-inverted" chain c
Pigeon hole principle:
[Figure: chain c^0(sk_α) = sk_α → … → pk_α with σ_α, σ*_α and a position β marked; labels "second-preimage", "preimage" and r_i]
Conclusion
We …
… tightened the security proof
… → allows for smaller signatures
… (… achieve stronger security)
It makes sense to tighten security proofs!
Take-home message: hash-based signatures are practical
Thank you!