SPHINCS: Practical Stateless Hash-based Signatures

Overview Using hash-based signatures (OTS → MTS) Going from stateful to stateless HORST What is SPHINCS SPHINCS construction “Virtual” overview on tree constuction KeyGen Signature Verification

Using hash-based signatures (OTS → MTS) SPHINCS makes use of hash-based signature schemes (Mainly OTS → MTS) Uses Merkle trees To construct MTS, MSS authenticates 2h OTS key pairs using binary hash tree of height h Leaves of tree are hashes of OTS pk The OTS sk becomes sk of the new scheme and root of the tree MTS are also known as full signatures Contain index of the used OTS key pairs in the tree, the OTS pk, signature and authentication path WOTS allows the pk to be omitted since it can be computed from the signature

Using hash-based signatures (OTS → MTS) cont. To guarantee each OTS key pair is used only once, each key pair are used in a predefined order Using leaves from left to right To verify Verify OTS signature on the message Verify authenticity of OTS key pair by checking if the pk is consistent with the Auth path and hash of OTS pk Allows to generate small signatures and sk and pk Sk's are generated using PRG Downside is that KeyGen and Sign time are exponential in h Due to the whole tree being build in the KeyGen phase

Using hash-based signatures (OTS → MTS) cont. Downsides can be fixed by introducing a hyper-tree Tree of trees Reduces KeyGen time Use a certification tree where a single hash tree (height h) is used to sign the pks of 2h1 key pairs and so on During the KeyGen only one tree needs to be generated per layer d layers lead to trees of height h/d Reduced KeyGen time from O(2h) → O(d2h/d) When using stateful algorithms we can exploit ordered use of key pairs, reducing sign time from O(2h) → O(h) Combining with hyper-tree we can do better and sign at O(h/d)

Going from stateful to stateless Goldreich proposed a stateless hash-based signature scheme Each OTS key pair corresponding to non-leaf node is used to sign the hash of pks of its two child nodes Leaf OTS key pairs are used to sign the message Pk of root node become overall pk Sk is a seed that used with a PRG

Going from stateful to stateless It is very important to ensure that a single OTS key pair is never used more than once We take a message and hash it to obtain an index and use that index to sign Full signature contains all OTS pks in path from leaf h to the root, all pks of sibling nodes on the path, and OTS on the message and pks in the path Goldreich also proposed randomizing leaf selection Instead of using hashing of message to select leaf node or using left to right method of hash-based signatures

Going from stateful to stateless Random selection allows us to safely select a total tree height that is somewhat smaller than the hash output length This is important because: Tree height protects against accidental collisions in indices chosen by the signer Hash output length protects against offline computations We can choose a height of 128 instead of 256 This saves a factor of 2 in signature size and signing speed Still allowing us to have 2-30 chance of reusing an OTS within 250 signatures

HORST Used to sign many signatures but security decreases as key pairs are used multiple times HORST improves upon HORS by using a binary hash-tree to reduce pk size from tn bits to n bits

HORST m – message Uses k and t = 2τ KeyGen (pk ← HORST.kg(S,Q)) Kτ = m For SPHINCS-256; t = 216, k = 32 KeyGen (pk ← HORST.kg(S,Q)) Seed S Є {0,1}n Bitmask Q Є {0,1}2n x log t Sk = (sk1, … , skt) ← Gt(S) Leaves are computed: Li = F(ski) for i Є {t-1} Pk is the root node of the binary tree of height log t

HORST Signature Algorithm: (σ, pk) ← HORST.sign(M, S, Q) M ε {0,1}m – message S ε {0,1}n – seed Q ε {0,1}2n x log t – bitmask M = (M0, … , Mk-1) K is the number of strings of length log t bits σ = (σ1, … , σk-1, σk) Consists of k blocks of σi = (skM, AuthMi) Authentication path: (A0, …, Aτ-1-x) Σk contains all 2x nodes of the binary tree on level τ-x (N0, τ-x, …, N2^x-1, τ-x)

HORST Verification Algorithm: pk ← HORST.vf(M, σ, Q) M ε {0,1}m – message σ – signature Q ε {0,1}2n x log t – bitmask Compute Mi as done in signature generation Yi = floor(Mi/2τ – x) This computes N'yi, τ-x for index Mi Lmi = F(σ1i) and AuthMi = σ2i Then it checks N'yi, τ-x = Nyi, τ-x This is checking that the computed nodes match the ones in σk

What is SPHINCS Hash-based signature scheme Quantum computer resistant Mixture of different signature schemes XMSS/XMSS-MT, WOTS+, HORST FTS scheme at leaves instead of OTS Stateless signature scheme Used idea from Goldreich Creates hyper-tree construction Quantum computer resistant

SPHINCS construction SPHINCS makes use of WOTS+ For the binary tree construction, XMSS is used WOTS+ and XMSS make up the majority of SPHINCS HORST and XMSS make up the rest of SPHINCS Usage of HORST is how we obtain a MTS

SPHINCS construction Finally we can put everything together and see how it all works A SPHINCS key pair defines a “virtual” structure SPHINCS works on a hyper-tree of height h that consists of d layers Each tree in the hyper-tree is of height h/d Construction of each tree is as follows: Leaves: 2h/d L-Tree root nodes that each compress pk of a WOTS+ key pair Tree can be looked at as a key pair that is used to sign 2h/d messages

SPHINCS construction Hyper-tree is constructed into d layers Layer d-1 (top most layer) has a single tree Layer d-2 has 2h/d trees Each layer i consists of 2(d-1-i)(h/d) trees The roots of these tress are signed using WOTS+ key pairs of the trees on layer i+1 Layer 0 (bottom most layer) each WOTS+ key pair is used to sign a HORST pk

SPHINCS construction A simple addressing scheme is used for pseudorandom key generation A = ceiling(log(d + 1)) + (d-1)(h/d) + (h/d) = ceiling(log(d + 1)) + h The address of a WOTS+ key pair is obtained by encoding the layer of the tree where it belongs to as a log(d+1)-bit string Then we append the index of the tree in the layer encoded as a (d-1)(h/d)-bit string Finally we append the index of the WOTS+ key pair within the tree encoded as (h/d)-bit string The address of the HORST key pair is obtained using the address of the WOTS+ key pair that is used to sign its pk and placing d as the layer value in the address string, it is encoded as ceiling(log(d+1))-bit string In SPHINCS-256 the address needs to be 64 bits

SPHINCS construction (KeyGen) KeyGen Algorithm: (sk, pk) ← kg(1n) The algorithm generates two sk values; sk1, sk2 Sk1 is used for pseudorandom key generation Sk2 is used to generate an unpredictable index in sign and pseudorandom values to randomize the message hash in sign Kg generates the root node of the tree on layer d-1 The see for key pair with address a = (d-1||0||i), where i ε [2h/d-1] is SA ← Fa(A, sk1) WOTS+ pk => pkA ← WOTS.kg(SA, QWOTS+) Finally the hash tree is built using the constructed leaves and the root becomes pk1

SPHINCS construction (KeyGen) In summary: Sk = (SK1, SK2, Q) Pk = (pk1, Q) Kg returns key pair (sk, pk)

SPHINCS construction (Signature) Signature Algorithm: Σ ← sign(M, SK) M = message Sk – secret key (sk1, sk2, Q) Sign computes a randomized message digest R = (R1, R2) is computed as R ← F(M, sk2) D ← H(R1, M) Randomized hash of M using first n bits of R for randomness The second n bits are used for selecting a HORST key pair

SPHINCS construction (Signature) HORST key pair with address AHORST = (d||i(0,(d- 1)h/d)||i((d-1)h/d,h/d)) is used to sign message digest D First (d-1)h/d bits of i are used as tree index The remaining bits for the index within the tree HORST sig and pk (σH, pkH) ← (D, SAHORST, QHORST) Q is HORST bitmask SAHORST ← Fa(AHORST, sk1)

SPHINCS construction (Signature) SPHINCS signature Σ = (I, R1, σH, σW,0, AuthA0, …, σW, d-1, AuthAd-1) I – index R1 – randomness σH – HORST signature σw,i,AuthAi,i – WOTS+ signature and one authentication path per layer, i ε |d-2|

SPHINCS construction (Signature) The signaure is computed as follows: WOTS+ key pair with address A0 signs pkH A0 is the address obtained by taking AHORST and setting the first ceiling(log(d+1)) bits to zero This is done by running σW,1 ← (pkH, SA0, QWOTS+) using WOTS+ bitmasks Authentication path of the WOTS+ key pair is computed Authi((d-1)h/d,h/d) Next WOTS+ pk, pkw,0, is computed Pkw,0 ← WOTS.vf(pkH, σW,0, QWOTS+) Root0 is computed by first compressing pkw,0 using an L-Tree After all this is computed, we take WOTS+ key pair within the tree, the root of the L-Tree and Authi((d- 1)h/d,h/d) and feed it into an algorithm for root computation

SPHINCS construction (Signature) This is done for all layers from 1 to d-1 with two differences Layers 1 ≤ j < d, WOTS+ is used to sign Rootj-1, which is the root computed at the end of previous iteration The address of WOTS+ key pair used on layer j is computed as: Aj = (j||i(0,(d-1-j)h/d)||i((d-1-j)h/d,h/d)) Each layer the last h/d bits of the trees address becomes the new leaf address and the remaining bits become the new tree address

SPHINCS Construction (Verification) Verification Algorithm: b ← vf(M, Σ, PK) M – message Σ – signature PK – public key Algorithm computes the message digest D ← H(R1, M) R1 - randomness that is in the signature Message digest and HORST bitmasks from PK are used to compute HORST pk from HORST signature PkH ← HORST.vf(D, σH, QHORST) We then use the HORST pk with WOTS+ bitmasks and the WOTS+ signature to compute the first WOTS+ pk Pkw,0 ← WOTS.vf(pkH, σw,0, QWOTS+)

SPHINCS construction (Verification) An L-Tree is use to compute the leaf corresponding to pkw,0 Li((d-1)h/d, h/d) Then the root, Root0, of the respective tree is computed using root computation algorithm with index, leaf and authentication path Index = i((d-1)h/d, h/d) Leaf = Li((d-1)h/d, h/d) Authentication path = Auth0

SPHINCS construction (Verification) This is repeated for layers 1 to d-1 with two differences First, layers 1 ≤ j < d the root of the previous tree is used to comput the WOTS+ pkw,j Second, the leaf computed from pkw,j using an L-Tree Li((d-1-j)h/d, h/d) The index of the leaf within the tree can be computed by cutting off the last j(h/d) bits of I and then using the last (h/d) bits of the resulting bit string The result on layer d-1 is the value Rootd-1 for the root node of the tree on the top layer This value is then compared to the first element of the pk, pk1 = Rootd-1

Summary Using hash-based signatures (OTS → MTS) Going from stateful to stateless HORST What is SPHINCS SPHINCS construction “Virtual” overview on tree constuction KeyGen Signature Verification