Presentation is loading. Please wait.

Presentation is loading. Please wait.

SPHINCS: Practical Stateless Hash-based Signatures

Published byPreston Hensley Modified over 6 years ago

Similar presentations

Presentation on theme: "SPHINCS: Practical Stateless Hash-based Signatures"— Presentation transcript:

1 SPHINCS: Practical Stateless Hash-based Signatures

2 Overview Using hash-based signatures (OTS → MTS)
Going from stateful to stateless HORST What is SPHINCS SPHINCS construction “Virtual” overview on tree constuction KeyGen Signature Verification

3 Using hash-based signatures (OTS → MTS)
SPHINCS makes use of hash-based signature schemes (Mainly OTS → MTS) Uses Merkle trees To construct MTS, MSS authenticates 2h OTS key pairs using binary hash tree of height h Leaves of tree are hashes of OTS pk The OTS sk becomes sk of the new scheme and root of the tree MTS are also known as full signatures Contain index of the used OTS key pairs in the tree, the OTS pk, signature and authentication path WOTS allows the pk to be omitted since it can be computed from the signature

4 Using hash-based signatures (OTS → MTS) cont.
To guarantee each OTS key pair is used only once, each key pair are used in a predefined order Using leaves from left to right To verify Verify OTS signature on the message Verify authenticity of OTS key pair by checking if the pk is consistent with the Auth path and hash of OTS pk Allows to generate small signatures and sk and pk Sk's are generated using PRG Downside is that KeyGen and Sign time are exponential in h Due to the whole tree being build in the KeyGen phase

5 Using hash-based signatures (OTS → MTS) cont.
Downsides can be fixed by introducing a hyper-tree Tree of trees Reduces KeyGen time Use a certification tree where a single hash tree (height h) is used to sign the pks of 2h1 key pairs and so on During the KeyGen only one tree needs to be generated per layer d layers lead to trees of height h/d Reduced KeyGen time from O(2h) → O(d2h/d) When using stateful algorithms we can exploit ordered use of key pairs, reducing sign time from O(2h) → O(h) Combining with hyper-tree we can do better and sign at O(h/d)

6 Going from stateful to stateless
Goldreich proposed a stateless hash-based signature scheme Each OTS key pair corresponding to non-leaf node is used to sign the hash of pks of its two child nodes Leaf OTS key pairs are used to sign the message Pk of root node become overall pk Sk is a seed that used with a PRG

7 Going from stateful to stateless
It is very important to ensure that a single OTS key pair is never used more than once We take a message and hash it to obtain an index and use that index to sign Full signature contains all OTS pks in path from leaf h to the root, all pks of sibling nodes on the path, and OTS on the message and pks in the path Goldreich also proposed randomizing leaf selection Instead of using hashing of message to select leaf node or using left to right method of hash-based signatures

8 Going from stateful to stateless
Random selection allows us to safely select a total tree height that is somewhat smaller than the hash output length This is important because: Tree height protects against accidental collisions in indices chosen by the signer Hash output length protects against offline computations We can choose a height of 128 instead of 256 This saves a factor of 2 in signature size and signing speed Still allowing us to have 2-30 chance of reusing an OTS within 250 signatures

9 HORST Used to sign many signatures but security decreases as key pairs are used multiple times HORST improves upon HORS by using a binary hash-tree to reduce pk size from tn bits to n bits

10 HORST m – message Uses k and t = 2τ KeyGen (pk ← HORST.kg(S,Q)) Kτ = m
For SPHINCS-256; t = 216, k = 32 KeyGen (pk ← HORST.kg(S,Q)) Seed S Є {0,1}n Bitmask Q Є {0,1}2n x log t Sk = (sk1, … , skt) ← Gt(S) Leaves are computed: Li = F(ski) for i Є {t-1} Pk is the root node of the binary tree of height log t

11 HORST Signature Algorithm: (σ, pk) ← HORST.sign(M, S, Q)
M ε {0,1}m – message S ε {0,1}n – seed Q ε {0,1}2n x log t – bitmask M = (M0, … , Mk-1) K is the number of strings of length log t bits σ = (σ1, … , σk-1, σk) Consists of k blocks of σi = (skM, AuthMi) Authentication path: (A0, …, Aτ-1-x) Σk contains all 2x nodes of the binary tree on level τ-x (N0, τ-x, …, N2^x-1, τ-x)

12 HORST Verification Algorithm: pk ← HORST.vf(M, σ, Q)
M ε {0,1}m – message σ – signature Q ε {0,1}2n x log t – bitmask Compute Mi as done in signature generation Yi = floor(Mi/2τ – x) This computes N'yi, τ-x for index Mi Lmi = F(σ1i) and AuthMi = σ2i Then it checks N'yi, τ-x = Nyi, τ-x This is checking that the computed nodes match the ones in σk

13 What is SPHINCS Hash-based signature scheme Quantum computer resistant
Mixture of different signature schemes XMSS/XMSS-MT, WOTS+, HORST FTS scheme at leaves instead of OTS Stateless signature scheme Used idea from Goldreich Creates hyper-tree construction Quantum computer resistant

14 SPHINCS construction SPHINCS makes use of WOTS+
For the binary tree construction, XMSS is used WOTS+ and XMSS make up the majority of SPHINCS HORST and XMSS make up the rest of SPHINCS Usage of HORST is how we obtain a MTS

15 SPHINCS construction Finally we can put everything together and see how it all works A SPHINCS key pair defines a “virtual” structure SPHINCS works on a hyper-tree of height h that consists of d layers Each tree in the hyper-tree is of height h/d Construction of each tree is as follows: Leaves: 2h/d L-Tree root nodes that each compress pk of a WOTS+ key pair Tree can be looked at as a key pair that is used to sign 2h/d messages

16 SPHINCS construction Hyper-tree is constructed into d layers
Layer d-1 (top most layer) has a single tree Layer d-2 has 2h/d trees Each layer i consists of 2(d-1-i)(h/d) trees The roots of these tress are signed using WOTS+ key pairs of the trees on layer i+1 Layer 0 (bottom most layer) each WOTS+ key pair is used to sign a HORST pk

17 SPHINCS construction A simple addressing scheme is used for pseudorandom key generation A = ceiling(log(d + 1)) + (d-1)(h/d) + (h/d) = ceiling(log(d + 1)) + h The address of a WOTS+ key pair is obtained by encoding the layer of the tree where it belongs to as a log(d+1)-bit string Then we append the index of the tree in the layer encoded as a (d-1)(h/d)-bit string Finally we append the index of the WOTS+ key pair within the tree encoded as (h/d)-bit string The address of the HORST key pair is obtained using the address of the WOTS+ key pair that is used to sign its pk and placing d as the layer value in the address string, it is encoded as ceiling(log(d+1))-bit string In SPHINCS-256 the address needs to be 64 bits

18 SPHINCS construction (KeyGen)
KeyGen Algorithm: (sk, pk) ← kg(1n) The algorithm generates two sk values; sk1, sk2 Sk1 is used for pseudorandom key generation Sk2 is used to generate an unpredictable index in sign and pseudorandom values to randomize the message hash in sign Kg generates the root node of the tree on layer d-1 The see for key pair with address a = (d-1||0||i), where i ε [2h/d-1] is SA ← Fa(A, sk1) WOTS+ pk => pkA ← WOTS.kg(SA, QWOTS+) Finally the hash tree is built using the constructed leaves and the root becomes pk1

19 SPHINCS construction (KeyGen)
In summary: Sk = (SK1, SK2, Q) Pk = (pk1, Q) Kg returns key pair (sk, pk)

20 SPHINCS construction (Signature)
Signature Algorithm: Σ ← sign(M, SK) M = message Sk – secret key (sk1, sk2, Q) Sign computes a randomized message digest R = (R1, R2) is computed as R ← F(M, sk2) D ← H(R1, M) Randomized hash of M using first n bits of R for randomness The second n bits are used for selecting a HORST key pair

21 SPHINCS construction (Signature)
HORST key pair with address AHORST = (d||i(0,(d- 1)h/d)||i((d-1)h/d,h/d)) is used to sign message digest D First (d-1)h/d bits of i are used as tree index The remaining bits for the index within the tree HORST sig and pk (σH, pkH) ← (D, SAHORST, QHORST) Q is HORST bitmask SAHORST ← Fa(AHORST, sk1)

22 SPHINCS construction (Signature)
SPHINCS signature Σ = (I, R1, σH, σW,0, AuthA0, …, σW, d-1, AuthAd-1) I – index R1 – randomness σH – HORST signature σw,i,AuthAi,i – WOTS+ signature and one authentication path per layer, i ε |d-2|

23 SPHINCS construction (Signature)
The signaure is computed as follows: WOTS+ key pair with address A0 signs pkH A0 is the address obtained by taking AHORST and setting the first ceiling(log(d+1)) bits to zero This is done by running σW,1 ← (pkH, SA0, QWOTS+) using WOTS+ bitmasks Authentication path of the WOTS+ key pair is computed Authi((d-1)h/d,h/d) Next WOTS+ pk, pkw,0, is computed Pkw,0 ← WOTS.vf(pkH, σW,0, QWOTS+) Root0 is computed by first compressing pkw,0 using an L-Tree After all this is computed, we take WOTS+ key pair within the tree, the root of the L-Tree and Authi((d- 1)h/d,h/d) and feed it into an algorithm for root computation

24 SPHINCS construction (Signature)
This is done for all layers from 1 to d-1 with two differences Layers 1 ≤ j < d, WOTS+ is used to sign Rootj-1, which is the root computed at the end of previous iteration The address of WOTS+ key pair used on layer j is computed as: Aj = (j||i(0,(d-1-j)h/d)||i((d-1-j)h/d,h/d)) Each layer the last h/d bits of the trees address becomes the new leaf address and the remaining bits become the new tree address

25 SPHINCS Construction (Verification)
Verification Algorithm: b ← vf(M, Σ, PK) M – message Σ – signature PK – public key Algorithm computes the message digest D ← H(R1, M) R1 - randomness that is in the signature Message digest and HORST bitmasks from PK are used to compute HORST pk from HORST signature PkH ← HORST.vf(D, σH, QHORST) We then use the HORST pk with WOTS+ bitmasks and the WOTS+ signature to compute the first WOTS+ pk Pkw,0 ← WOTS.vf(pkH, σw,0, QWOTS+)

26 SPHINCS construction (Verification)
An L-Tree is use to compute the leaf corresponding to pkw,0 Li((d-1)h/d, h/d) Then the root, Root0, of the respective tree is computed using root computation algorithm with index, leaf and authentication path Index = i((d-1)h/d, h/d) Leaf = Li((d-1)h/d, h/d) Authentication path = Auth0

27 SPHINCS construction (Verification)
This is repeated for layers 1 to d-1 with two differences First, layers 1 ≤ j < d the root of the previous tree is used to comput the WOTS+ pkw,j Second, the leaf computed from pkw,j using an L-Tree Li((d-1-j)h/d, h/d) The index of the leaf within the tree can be computed by cutting off the last j(h/d) bits of I and then using the last (h/d) bits of the resulting bit string The result on layer d-1 is the value Rootd-1 for the root node of the tree on the top layer This value is then compared to the first element of the pk, pk1 = Rootd-1

28 Summary Using hash-based signatures (OTS → MTS)
Going from stateful to stateless HORST What is SPHINCS SPHINCS construction “Virtual” overview on tree constuction KeyGen Signature Verification

Download ppt "SPHINCS: Practical Stateless Hash-based Signatures"

Similar presentations

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
Michael Alves, Patrick Dugan, Robert Daniels, Carlos Vicuna

Michael Alves, Patrick Dugan, Robert Daniels, Carlos Vicuna
QuickSort Average Case Analysis An Incompressibility Approach Brendan Lucier August 2, 2005.

QuickSort Average Case Analysis An Incompressibility Approach Brendan Lucier August 2, 2005.
LOGO Multi-user Broadcast Authentication in Wireless Sensor Networks ICU 20082065 Myunghan Yoo.

LOGO Multi-user Broadcast Authentication in Wireless Sensor Networks ICU Myunghan Yoo.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel:03-5742968, Fax : 886-3-572-3694.

1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel: , Fax :
Announcements: 1. HW7 due next Tuesday. 2. Inauguration today! Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman,

Announcements: 1. HW7 due next Tuesday. 2. Inauguration today! Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman,
DSAC (Digital Signature Aggregation and Chaining) Digital Signature Aggregation & Chaining An approach to ensure integrity of outsourced databases.

DSAC (Digital Signature Aggregation and Chaining) Digital Signature Aggregation & Chaining An approach to ensure integrity of outsourced databases.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
Foundations of Cryptography Lecture 8 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 8 Lecturer: Moni Naor.
XMSS - A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions J. Buchmann, E. Dahmen, A. Hülsing 02.12.2011 | TU Darmstadt |

XMSS - A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions J. Buchmann, E. Dahmen, A. Hülsing | TU Darmstadt |
Maps A map is an object that maps keys to values Each key can map to at most one value, and a map cannot contain duplicate keys KeyValue Map Examples Dictionaries:

Maps A map is an object that maps keys to values Each key can map to at most one value, and a map cannot contain duplicate keys KeyValue Map Examples Dictionaries:
MT311 Java Application Development and Programming Languages Li Tak Sing ( 李德成 )

MT311 Java Application Development and Programming Languages Li Tak Sing ( 李德成 )
Data Structures Arrays both single and multiple dimensions Stacks Queues Trees Linked Lists.

Data Structures Arrays both single and multiple dimensions Stacks Queues Trees Linked Lists.
IP Address Lookup Masoud Sabaei Assistant professor

IP Address Lookup Masoud Sabaei Assistant professor
CS548 Advanced Information Security Presented by Gowun Jeong Mar. 9, 2010.

CS548 Advanced Information Security Presented by Gowun Jeong Mar. 9, 2010.
Certification asynchrone à grande échelle avec des arbres de vérification de certificats Josep Domingo-Ferrer Universitat Rovira i Virgili

Certification asynchrone à grande échelle avec des arbres de vérification de certificats Josep Domingo-Ferrer Universitat Rovira i Virgili
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
Forward-Secure Signatures (basic + generic schemes)

Forward-Secure Signatures (basic + generic schemes)
Lecture 3.4: Public Key Cryptography IV CS 436/636/736 Spring 2013 Nitesh Saxena.

Lecture 3.4: Public Key Cryptography IV CS 436/636/736 Spring 2013 Nitesh Saxena.

Similar presentations

Ads by Google