SPHINCS: practical stateless hash-based signatures Daniel J. Bernstein, Daira Hopwood, Andreas Hülsing, Tanja Lange, Ruben Niederhagen, Louiza Papachristodoulou, Michael Schneider, Peter Schwabe, Zooko Wilcox-O’Hearn

Post-Quantum Signatures Lattice, MQ, Coding Signature and/or key sizes Runtimes Secure parameters 18-4-2019

Hash-based Signature Schemes [Mer89] Post quantum Only secure hash function Security well understood Fast Stateful 18-4-2019

Basic Construction 18-4-2019

Lamport-Diffie OTS [Lam79] Message M = b1,…,bm, OWF H = n bit SK PK Sig * sk1,0 sk1,1 skm,0 skm,1 Mux b1 Mux b2 Mux bm H H H H H H pk1,0 pk1,1 pkm,0 pkm,1 sk1,b1 skm,bm 18-4-2019

Merkle’s Hash-based Signatures Digital Signature PK SIG = (i=2, , , , , ) Encryption H OTS H H Cryptography H H H H H H H H H Legality H H H Hash Function OTS OTS OTS OTS OTS OTS OTS OTS MAC SK 18-4-2019

Known Improvements 18-4-2019

WOTS Function Chain 18. April 2019 Function family: Formerly: WOTS+ For w ≥ 2 select R = (r1, …, rw-1) ri ci-1 (x) ci (x) c0(x) = x cw-1 (x) c1(x) = |

WOTS+ 18. April 2019 Winternitz parameter w, security parameter n, message length m, function family Key Generation: Compute l , sample K, sample R c0(sk1) = sk1 pk1 = cw-1(sk1) c1(sk1) One promissing group of candidates are hash-based signature schemes They start from an OTS – a signature scheme where a key pair can only be used for one signature. The central idea – proposed by Merkle - is to authenticate many OTS keypairs using a binary hash tree These schemes have many advantages over the beforementioned Quantum computers do not harm their security – the best known quantum attack is Grovers algorithm – allowing exhaustiv search in a set with n elements in time squareroot of n using log n space. They are provably secure in the standard model And they can be instantiated using any secure hash function. On the downside, they produce long signatures. c1(skl ) pkl = cw-1(skl ) c0(skl ) = skl |

WOTS+ Signature generation 18. April 2019 M b1 b2 b3 b4 … … … … … … … bm‘ bm‘+1 bm‘+2 … … bl c0(sk1) = sk1 pk1 = cw-1(sk1) C σ1=cb1(sk1) Signature: σ = (σ1, …, σl ) Well, this work is concerned with the OTS. There are several OTS schemes. LD, Merkle-OTS which is a specific instance of the W-OTS, the BM-OTS and Biba and HORS. The most interesting one is the Winternitz OTS as it allows for a time-memory trade-off and even more important - It is possible to compute the public verification key given a signature. This reduces the signature size of a hash based signature scheme as normaly the public key of the OTS has to be included in a signature of the scheme. Now for WOTS this isn‘t necessary anymore. pkl = cw-1(skl ) c0(skl ) = skl σl =cbl (skl ) |

WOTS+ Signature Verification 18. April 2019 Verifier knows: M, w b1 b2 b3 b4 … … … … … … … bm‘ bm‘+1 bl 1+2 … … bl c1 (σ1) c3(σ1) pk1 =? σ1 c2(σ1) cw-1-b1(σ1) Signature: σ = (σ1, …, σl ) Well, this work is concerned with the OTS. There are several OTS schemes. LD, Merkle-OTS which is a specific instance of the W-OTS, the BM-OTS and Biba and HORS. The most interesting one is the Winternitz OTS as it allows for a time-memory trade-off and even more important - It is possible to compute the public verification key given a signature. This reduces the signature size of a hash based signature scheme as normaly the public key of the OTS has to be included in a signature of the scheme. Now for WOTS this isn‘t necessary anymore. pkl =? σl cw-1-bl (σl ) |

MSS-SPR [DOTV08] Hashing one-time PK‘s using tree bi Hashing one-time PK‘s using tree Requirements: CRHF -> SPRHF PK includes ~h additional values

Requires computation of 2h nodes in Merkle tree XMSS Public Key Generation = Requires computation of 2h nodes in Merkle tree h

Requires computation of 2*2h/2 nodes in Merkle trees Two Layer Key generation Requires computation of 2*2h/2 nodes in Merkle trees

About the state Used for security: Used for efficiency: Problems: Stores index i ⇒ Prevents using one-time keys twice. Used for efficiency: Stores intermediate results for fast Auth computation. Problems: Load-balancing Multi-threading Backups Virtual-machine images ... “Huge foot-cannon” (Adam Langley, Google) Not only a hash-based issue! 18-4-2019

How to Eliminate the State

Protest? 18-4-2019

Stateless hash-based signatures [NY89,Gol87,Gol04] Goldreich’s approach [Gol04]: Security parameter 𝜆=128 Use binary tree as in Merkle, but... …for security pick index i at random; requires huge tree to avoid index collisions (e.g., height h=2𝜆=256). …for efficiency: use binary certification tree of OTS; all OTS secret keys are generated pseudorandomly. OTS OTS OTS OTS OTS OTS OTS OTS OTS 18-4-2019

It works, but signature are painfully long 0.6 MB for Goldreich signature using short-public-key Winternitz-16 one-time signatures. Would dominate traffic in typical applications, and add user-visible latency on typical network connections. Example: Debian operating system is designed for frequent upgrades. At least one new signature for each upgrade. Typical upgrade: one package or just a few packages. 1.2 MB average package size. 0.08 MB median package size. HTTPS typically sends multiple signatures per page. 1.8 MB average web page in Alexa Top 1000000. 18-4-2019

Few-Time Signature Schemes 18-4-2019

Recap LD-OTS Message M = b1,…,bn, OWF H = n bit SK PK Sig H H H H H H * sk1,0 sk1,1 skn,0 skn,1 Mux b1 Mux b2 Mux bn H H H H H H pk1,0 pk1,1 pkn,0 pkn,1 sk1,b1 skn,bn 18-4-2019

HORS [RR02] Message M, OWF H, CRHF H’ = n bit Parameters t=2a,k, with m = ka (typical a=16, k=32) SK PK * sk1 sk2 skt-1 skt H H H H H H pk1 pk1 pkt-1 pkt 18-4-2019

HORS mapping function Message M, OWF H, CRHF H’ = 𝑛 bit Parameters 𝑡=2𝑎,𝑘, with 𝑚 = 𝑘𝑎 (typical 𝑎=16, 𝑘=32) * M H’ b1 b2 ba bar i1 ik 18-4-2019

HORS Message M, OWF H, CRHF H’ = 𝑛 bit Parameters 𝑡=2𝑎,𝑘, with 𝑚 = 𝑘𝑎 (typical 𝑎=16, 𝑘=32) SK PK H’(M) Sig * sk1 sk2 skt-1 skt H H H H H H pk1 pk1 pkt-1 pkt b1 b2 ba ba+1 bka-2 bka-1 bka Mux Mux i1 ik ski1 skik 18-4-2019

HORS Security 𝑀 mapped to 𝑘 element index set 𝑀 𝑖 ∈ {1,…,𝑡} 𝑘 Each signature publishes 𝑘 out of 𝑡 secrets Either break one-wayness or… r-Subset-Resilience: After seeing index sets 𝑀 𝑗 𝑖 for 𝑟 messages 𝑚𝑠𝑔 𝑗 , 1 ≤𝑗≤𝑟, hard to find 𝑚𝑠𝑔 𝑟+1 ≠ 𝑚𝑠𝑔 𝑗 such that 𝑀 𝑟+1 𝑖 ∈ ⋃ 1 ≤𝑗≤𝑟 𝑀 𝑗 𝑖 . Best generic attack: Succr-SSR(A,q) = q(rk / t)k → Security shrinks with each signature! 18-4-2019

HORST Using HORS with MSS requires adding PK (𝑡𝑛 bits) to MSS signature. (SPHINCS-256: 𝑛 = 256, 𝑡 = 2 16 , 𝑘=32) HORST: Merkle Tree on top of HORS-PK New PK = Root Publish Auth-Paths for HORS signature values PK can be computed from Sig With optimizations: 𝑡𝑛 → (𝑘(𝑙𝑜𝑔⁡𝑡 − 𝑥 + 1) + 2𝑥)𝑛 E.g. SPHINCS-256: 2 MB → 16 KB Use randomized message hash 18-4-2019

Assembling SPHINCS 18-4-2019

The SPHINCS Approach Use a “hyper-tree” of total height h Parameter 𝑑 ≥1, such that 𝑑 | ℎ Each (Merkle) tree has height ℎ/𝑑 (ℎ/𝑑)-ary certification tree 18-4-2019

The SPHINCS Approach Pick index (pseudo-)randomly Messages signed with few-time signature scheme Significantly reduce total tree height Require 𝑟∈[0,∞] (Pr⁡[ 𝑟−𝑡𝑖𝑚𝑒𝑠 𝑖𝑛𝑑𝑒𝑥 𝑐𝑜𝑙𝑙𝑖𝑠𝑖𝑜𝑛] ∗ 𝑆𝑢𝑐𝑐 𝑟−𝑆𝑆𝑅 (𝐴)) = 𝑛𝑒𝑔𝑙(𝑛) 18-4-2019

And now more from Peter... 18-4-2019

Thank you! Questions? For references & further literature see https://huelsing.wordpress.com/hash-based-signature-schemes/literature/ 18-4-2019

SPHINCS Sign Select (pseudo-)random HORST sk Sign message using this HORST sk Build parent tree Use tree to sign HORST pk If tree != top, goto 3. Output Sig: Index HORST signature XMSS signature chain 18-4-2019

Long-Standing Problem: Statefulness No problem in many cases. Qualified signatures, Keys on smartcard, ... Necessary for forward-security! But: Key back-ups undermine security Parallel use of key problematic Multi-threading, Load balancing... Do not fit standard API 18-4-2019