1. Hash-based signatures & Hash-and-sign without collision-resistance
Andreas Hülsing

2. Basic Construction

3. Lamport-Diffie OTS [Lam79]
Message M = b1,…,bm, OWF H = n bit SK PK Sig *
sk1,0
sk1,1
skm,0
skm,1
Mux b1
Mux b2
Mux bm H H H H H H
pk1,0
pk1,1
pkm,0
pkm,1
sk1,b1
skm,bm

4. Merkle’s Hash-based SignaturesPK
SIG = (i=2, , , , , ) H
OTS H H H H H H H H H H H H H H
OTS
OTS
OTS
OTS
OTS
OTS
OTS
OTS SK

5. Security
Theorem: MSS is eu-cma-secure if OTS is a one-time eu-cma secure signature scheme and H is a random element from a family of collision resistant hash functions.

6. Reduction Input: 𝑘, 𝑝𝑘 𝑂𝑇𝑆 Choose random 0≤𝑖< 2 ℎ
Generate key pair using 𝑝𝑘 𝑂𝑇𝑆 as 𝑖th OTS public key and 𝐻← ℎ 𝑘
Answer all signature queries using sk or sign oracle (for index 𝑖)
Extract OTS-forgery or collision from forgery

7. Reduction (Step 4, Extraction)
Forgery: ( 𝑖 ∗ ,𝜎 𝑂𝑇𝑆 ∗ , 𝑝𝑘 𝑂𝑇𝑆 ∗ , AUTH)
If 𝑝𝑘 𝑂𝑇𝑆 ∗ equals OTS pk we used for 𝑖 ∗ OTS, we got an OTS forgery.
Can only be used if 𝑖 ∗ =𝑖.
Else adversary used different OTS pk.
Hence, different leaves.
Still same root!
Pigeon-hole principle: Collision on path to root.

8. Winternitz-OTS

9. Recap LD-OTS [Lam79] Message M = b1,…,bm, OWF H = n bit SK PK Sig H H*
sk1,0
sk1,1
skm,0
skm,1
Mux b1
Mux b2
Mux bn H H H H H H
pk1,0
pk1,1
pkm,0
pkm,1
sk1,b1
skm,bm

10. LD-OTS in MSS Verification: 1. Verify 2. Verify authenticity of
SIG = (i=2, , , , , )
Verification:
1. Verify
2. Verify authenticity of
We can do better!

11. Trivial Optimization Message M = b1,…,bm, OWF H = n bit SK H H H H H H* SK
sk1,0
sk1,1
skm,0
skm,1
Mux b1
Mux
¬b1
Mux bm
Mux
¬bm H H H H H H PK
pk1,0
pk1,1
pkm,0
pkm,1
Sig
sig1,0
sig1,1
sigm,0
sigm,1

12. Optimized LD-OTS in MSSX
SIG = (i=2, , , , , )
Verification:
1. Compute from
2. Verify authenticity of
Steps together verify

13. Germans love their „Ordnung“!
Message M = b1,…,bm, OWF H
SK: sk1,…,skm,skm+1,…,sk2m
PK: H(sk1),…,H(skm),H(skm+1),…,H(sk2m)
Encode M: M‘ = M||¬M = b1,…,bm,¬b1,…,¬bm (instead of b1, ¬b1,…,bm, ¬bm )
ski , if bi = 1
Sig: sigi =
H(ski) , otherwise
Checksum with bad performance!

14. Optimized LD-OTS Message M = b1,…,bm, OWF H
SK: sk1,…,skm,skm+1,…,skm+log m
PK: H(sk1),…,H(skm),H(skm+1),…,H(skm+log m)
Encode M: M‘ = b1,…,bm,¬ 1 𝑚 𝑏 𝑖
ski , if bi = 1
Sig: sigi =
H(ski) , otherwise
IF one bi is flipped from 1 to 0, another bj will flip from 0 to 1

15. 12. November 2018
Function chains
Function family: 𝐻 𝑛 ≔ ℎ 𝑘 : {0,1} 𝑛 → {0,1} 𝑛 ℎ 𝑘 $ 𝐻 𝑛 Parameter 𝑤 Chain:
c0(x) = x
𝒄 𝒘−𝟏 (𝑥)
𝑐1(𝑥) = ℎ 𝑘 (𝑥) |

16. 12. November 2018
WOTS
Winternitz parameter w, security parameter n, message length m, function family 𝐻 𝑛 Key Generation: Compute 𝑙, sample ℎ 𝑘
c0(sk1) = sk1
pk1 = cw-1(sk1)
c1(sk1)
One promissing group of candidates are hash-based signature schemes
They start from an OTS – a signature scheme where a key pair can only be used for one signature.
The central idea – proposed by Merkle - is to authenticate many OTS keypairs using a binary hash tree
These schemes have many advantages over the beforementioned
Quantum computers do not harm their security – the best known quantum attack is Grovers algorithm – allowing exhaustiv search in a set with n elements in time squareroot of n using log n space.
They are provably secure in the standard model
And they can be instantiated using any secure hash function.
On the downside, they produce long signatures.
c1(skl )
pkl = cw-1(skl )
c0(skl ) = skl |

17. WOTS Signature generation
12. November 2018
WOTS Signature generation M b1 b2 b3 b4 … … … … … … …
bm‘
bm‘+1
bm‘+2 … … bl
c0(sk1) = sk1
pk1 = cw-1(sk1) C
σ1=cb1(sk1)
Signature: σ = (σ1, …, σl )
Well, this work is concerned with the OTS.
There are several OTS schemes. LD, Merkle-OTS which is a specific instance of the W-OTS, the BM-OTS and Biba and HORS.
The most interesting one is the Winternitz OTS as it allows for a time-memory trade-off and even more important
- It is possible to compute the public verification key given a signature. This reduces the signature size of a hash based signature scheme as normaly the public key of the OTS has to be included in a signature of the scheme. Now for WOTS this isn‘t necessary anymore.
pkl = cw-1(skl )
c0(skl ) = skl
σl =cbl (skl ) |

18. WOTS Signature Verification
12. November 2018
WOTS Signature Verification
Verifier knows: M, w b1 b2 b3 b4 … … … … … … …
bm‘
bm‘+1
bl 1+2 … … bl
𝒄 𝟏 (σ1)
𝒄 𝟑 (σ1)
pk1 =? σ1
𝒄 𝟐 (σ1)
𝒄 𝒘−𝟏− 𝒃 𝟏 (σ1)
Signature: σ = (σ1, …, σl )
Well, this work is concerned with the OTS.
There are several OTS schemes. LD, Merkle-OTS which is a specific instance of the W-OTS, the BM-OTS and Biba and HORS.
The most interesting one is the Winternitz OTS as it allows for a time-memory trade-off and even more important
- It is possible to compute the public verification key given a signature. This reduces the signature size of a hash based signature scheme as normaly the public key of the OTS has to be included in a signature of the scheme. Now for WOTS this isn‘t necessary anymore.
pkl =? σl
𝒄 𝒘−𝟏− 𝒃 𝒍 (σl ) |

19. WOTS Function Chains For 𝑥∈ 0,1 𝑛 define 𝑐 0 𝑥 =𝑥 and

20. WOTS Security Theorem (informally):
12. November 2018
WOTS Security
Theorem (informally):
W-OTS is strongly unforgeable under chosen message attacks if 𝐻 𝑛 is a collision resistant family of undetectable one-way functions.
W-OTS$ is existentially unforgeable under chosen message attacks if 𝐻 𝑛 is a pseudorandom function family.
W-OTS+ is strongly unforgeable under chosen message attacks if 𝐻 𝑛 is a 2nd-preimage resistant family of undetectable one-way functions.
In our work we showed that we can slightly change the original WOTS construction, such that it uses a function family instead of the hash function family. The resulting scheme is existentially unforgeable under chosen message attacks, if the function family is pseudorandom.
This result has two implications: |

21. XMSS

22. XMSS
Tree: Uses bitmasks Leafs: Use binary tree with bitmasks OTS: WOTS+ Mesage digest: Randomized hashing Collision-resilient -> signature size halved bi

23. Multi-Tree XMSS
Uses multiple layers of trees -> Key generation (= Building first tree on each layer) Θ(2h) → Θ(d2h/d) -> Allows to reduce worst-case signing times Θ(h/2) → Θ(h/2d)

24. How to Eliminate the State

25. Protest?

26. Few-Time Signature Schemes

27. Recap LD-OTS Message M = b1,…,bn, OWF H = n bit SK PK Sig H H H H H H*
sk1,0
sk1,1
skn,0
skn,1
Mux b1
Mux b2
Mux bn H H H H H H
pk1,0
pk1,1
pkn,0
pkn,1
sk1,b1
skn,bn

28. HORS [RR02]
Message M, OWF H, CRHF H’ = n bit Parameters t=2a,k, with m = ka (typical a=16, k=32) SK PK *
sk1
sk2
skt-1
skt H H H H H H
pk1
pk1
pkt-1
pkt

29. HORS mapping function
Message M, OWF H, CRHF H’ = n bit Parameters t=2a,k, with m = ka (typical a=16, k=32) * M H’ b1 b2 ba
bar i1 ik

30. HORS
Message M, OWF H, CRHF H’ = n bit Parameters t=2a,k, with m = ka (typical a=16, k=32) * SK
sk1
sk2
skt-1
skt H H H H H H PK
pk1
pk1
pkt-1
pkt
H’(M) b1 b2 ba
ba+1
bka-2
bka-1
bka
Mux
Mux i1 ik
ski1
skik

31. HORS Security 𝑀 mapped to 𝑘 element index set 𝑀 𝑖 ∈ {1,…,𝑡} 𝑘
Each signature publishes 𝑘 out of 𝑡 secrets
Either break one-wayness or…
r-Subset-Resilience: After seeing index sets 𝑀 𝑗 𝑖 for 𝑟 messages 𝑚𝑠𝑔 𝑗 , 1 ≤𝑗≤𝑟, hard to find 𝑚𝑠𝑔 𝑟+1 ≠ 𝑚𝑠𝑔 𝑗 such that 𝑀 𝑟+1 𝑖 ∈ ⋃ 1 ≤𝑗≤𝑟 𝑀 𝑗 𝑖 .
Best generic attack: Succr-SSR(𝐴,𝑞) = 𝑞 𝑟𝑘 𝑡 𝑘
→ Security shrinks with each signature!

32. HORST Using HORS with MSS requires adding PK (tn) to MSS signature.
HORST: Merkle Tree on top of HORS-PK
New PK = Root
Publish Authentication Paths for HORS signature values
PK can be computed from Sig
With optimizations: tn → (k(log t − x + 1) + 2x)n
E.g. SPHINCS-256: 2 MB → 16 KB
Use randomized message hash

33. SPHINCS Stateless Scheme XMSSMT + HORST + (pseudo-)random index
Collision-resilient
Deterministic signing
SPHINCS-256:
128-bit post-quantum secure
Hundrest of signatures / sec
41 kb signature
1 kb keys

34. Hash & sign without collision resistance

35. PKC with variable-length inputs
Hard to build variable input length constructions (Schoolbook RSA)
Direct constructions are inefficient (See the hash-based constructions for long messages)
Full adversarial control over input can harm security (Schoolbook RSA)
For encryption: Use hybrid encryption -> PKE only encrypts “short” symmetric key.
For signatures: Hash-and-sign -> SIG only signs “short” message digest

36. Security of Hash & Sign
Theorem. Given an EU-CMA-secure Signature scheme for fixed-length inputs and a collision-resistant family of hash functions. The hash & sign signature scheme for varibable-length inputs, obtained by first applying a hash function from the family and then signing the resulting digest, is EU-CMA-secure.

37. Reminder EU-CMA PK, 1n SK q Mi SIGN (σi, Mi) (σ*, M*)
Success if M* ≠ Mi , Ɐ i ∈ [0,q] and Verify(pk,σ*,M*) = Accept

38. Security of Hash & Sign Reduction
Input: pk & access to SIGN, hash function key k.
Output: Forgery or collision.
Give (pk, k) as public key to A.
Answer signing queries 𝑀 𝑖 computing 𝑚𝑑 𝑖 = ℎ 𝑘 ( 𝑀 𝑖 ) and sending 𝑚 𝑑 𝑖 to SIGN.
Given forgery ( 𝑀 ∗ , 𝜎 ∗ ) compute 𝑚 𝑑 ∗ = ℎ 𝑘 ( 𝑀 ∗ )
If ∃𝑖≤𝑞:𝑚 𝑑 ∗ ==𝑚 𝑑 𝑖 , return collision ( 𝑀 ∗ , 𝑀 𝑖 )
Else, return forgery (𝑚 𝑑 ∗ , 𝜎 ∗ )

40. Recall: Attacks on Hash Functions
MD5
Collisions
(theo.)
MD5
Collisions
(practical!)
MD5 & SHA-1
No (Second-) Preimage Attacks!
SHA-1
Collisions
(theo.)
2004
2005
2008
2015

41. Target-collision resistance (TCR)
𝐻 𝑛 ≔ ℎ 𝑘 : {0,1} 𝑚 𝑛 → {0,1} 𝑛
ℎ 𝑘 $ 𝐻 𝑛
Success if
ℎ 𝑘 𝑥 𝑐 = ℎ 𝑘 𝑥 ∗
Run 1
Run 2
𝑥 𝑐 ,𝑘, 𝑆
𝐻 𝑛
𝑥 𝑐 , 𝑆
𝑥 ∗

42. Target-collision resistance
stronger / easier to break
Collision-Resistance
Assumption / Attacks
2nd-Preimage-Resistance
TCR
One-way
Pseudorandom
weaker /
harder to break

43. TCR vs. SPR
TCR -> SPR: Note that A in „Run 2“ is just an SPR adversary!
Every TCR function family must be SPR!
SPR -> TCR: Per construction
Given a SPR function, use key of length 𝑚
Key the function by XORing key to message:
ℎ 𝑘 ′ 𝑥 =ℎ(𝑥⊕k)

44. TCR of „XOR construction“ Reduction
Input: SPR function ℎ, target 𝑥 𝑐
Output: Second-preimage 𝑥 ∗ for 𝑥 𝑐
Run TCR adversary A to obtain 𝑥 𝑐 ′
Compute 𝑘= 𝑥 𝑐 ′ ⊕ 𝑥 𝑐
Run A on 𝑘 to obtain 𝑥 ∗ ′
Output 𝑥 ∗ = 𝑥 ∗ ′ ⊕𝑘
Note:
ℎ 𝑘 ′ 𝑥 𝑐 ′ =ℎ 𝑥 𝑐 ′ ⊕k = ℎ 𝑥 𝑐 ′ ⊕ 𝑥 𝑐 ′ ⊕ 𝑥 𝑐 =ℎ 𝑥 𝑐
= ℎ 𝑘 ′ 𝑥 ∗ ′ =ℎ 𝑥 ∗ ′⊕k = ℎ( 𝑥 ∗ )

45. TCR Hash & Sign
Input: Fixed input-length signature scheme SIG=(KeyGen,Sign, Verify), TCR function family
Output: Variable input length signature scheme SIG‘
KeyGen‘ = KeyGen
Sign‘: Given 𝑀,𝑠𝑘 sample random function key 𝑘, compute 𝑚𝑑= ℎ 𝑘 (𝑀), compute 𝜎= 𝑆𝑖𝑔𝑛((𝑘||𝑚𝑑),𝑠𝑘), return 𝜎′=(𝑘,𝜎)
Verify‘: Compute 𝑚𝑑= ℎ 𝑘 (𝑀), output 𝑉𝑒𝑟𝑖𝑓𝑦((𝑘||𝑚𝑑),𝜎,𝑝𝑘)

46. Security of TCR Hash & Sign Reduction
Input: pk & access to SIGN, hash function key k „oracle“.
Output: Forgery or target-collision.
Give pk as public key to A.
Answer signing queries 𝑀 𝑖 sending 𝑀 𝑖 to oracle to get 𝑘 𝑖 , computing 𝑚𝑑 𝑖 = ℎ 𝑘 𝑖 ( 𝑀 𝑖 ) and sending ( k i ,𝑚 𝑑 𝑖 ) to SIGN.
Given forgery ( 𝑀 ∗ , 𝜎 ∗ )=( 𝑀 ∗ ,( 𝑘 ∗ , 𝜎 ∗ ′)) compute 𝑚 𝑑 ∗ = ℎ 𝑘 ∗ ( 𝑀 ∗ )
If ∃𝑖≤𝑞:𝑚 𝑑 ∗ ==𝑚 𝑑 𝑖 & 𝑘 𝑖 == 𝑘 ∗ , return collision ( 𝑘 𝑖 , 𝑀 ∗ , 𝑀 𝑖 )
Else, return forgery (( 𝑘 ∗ ||𝑚 𝑑 ∗ ), 𝜎 ∗ )

47. Note:
If the 𝑘 𝑖 weren’t signed, the second-to-last step wouldn’t work!
An adversary could output a forgery ( 𝑀 ∗ , 𝜎 ∗ )= ( 𝑀 ∗ ,( 𝑘 ∗ , 𝜎 ∗ ′)) such that
ℎ 𝑘 ∗ 𝑀 ∗ =𝑚 𝑑 ∗ =𝑚 𝑑 𝑖 = ℎ 𝑘 𝑖 𝑀 𝑖 ,
for some 𝑖≤𝑞, but 𝑘 ∗ ≠ 𝑘 𝑖 . Hence, ( 𝑘 𝑖 , 𝑀 ∗ , 𝑀 𝑖 ) is no target-collision! However, 𝜎 𝑖 still works as signature for 𝑚 𝑑 ∗ .
⇒ EU-CMA of fixed-length input SIG not violated!
Really need to sign keys!

48. Problem using XOR-construction: Key-length == Message-length
𝑆𝑖𝑔𝑛((𝑘||𝑚𝑑),𝑠𝑘)
We have to sign messages of length hash function key-length + digest length
Even decreased possible message length!

49. Bellare & Rogway: XOR-tree
Reduce key-length to 2𝑛 log 2 𝑚 𝑛 . (m-bit message, n-bit digest)
Given SPR hash ℎ: 0,1 2𝑛 → 0,1 𝑛 split message into 𝑚 𝑛 , 𝑛-bit blocks
Build binary hash tree of height t= log 2 𝑚 𝑛 using message blocks as leaves. (Assume t is integer)
Keying:
Split key into t 2n-bit blocks 𝑏 𝑗 called bitmasks.
XOR values on level j with j-th bitmask before applying ℎ
𝑚𝑑 is root of tree

51. XOR-tree Reduction Input: SPR function ℎ, target 𝑥 𝑐
Output: Second-preimage 𝑥 ∗ for 𝑥 𝑐
Select random node 𝑁 𝑖 ′ , 𝑗 ′ in tree
Given message 𝑀, compute tree up to children 𝑁 2𝑖 ′ , 𝑗 ′ −1 , 𝑁 2𝑖 ′ +1, 𝑗 ′ −1 of 𝑁 𝑖 ′ , 𝑗 ′ , sampling the required 𝑏 𝑗 at random.
Select 𝑏 𝑗 ′ =( 𝑁 2𝑖 ′ , 𝑗 ′ −1 ∥ 𝑁 2𝑖 ′ +1, 𝑗 ′ −1 )⊕ 𝑥 𝑐

52. XOR-tree Reduction, cont‘d
Input: SPR function ℎ, target 𝑥 𝑐
Output: Second-preimage 𝑥 ∗ for 𝑥 𝑐
Select 𝑏 𝑗 ′ =( 𝑁 2𝑖 ′ , 𝑗 ′ −1 ∥ 𝑁 2𝑖 ′ +1, 𝑗 ′ −1 )⊕ 𝑥 𝑐
⇒ 𝑁 𝑖 ′ , 𝑗 ′ =h 𝑁 2𝑖 ′ , 𝑗 ′ −1 ∥ 𝑁 2𝑖 ′ +1, 𝑗 ′ −1 ⊕ 𝑏 𝑗 ′ =h 𝑁 2𝑖 ′ , 𝑗 ′ −1 ∥ 𝑁 2𝑖 ′ +1, 𝑗 ′ −1 ⊕( 𝑁 2𝑖 ′ , 𝑗 ′ −1 ∥ 𝑁 2𝑖 ′ +1, 𝑗 ′ −1 )⊕ 𝑥 𝑐 =ℎ( 𝑥 𝑐 )

53. XOR-tree Reduction, cont‘d
Select remaining 𝑏 𝑗 at random
Run 𝑀 ∗ =𝐴(𝑀,𝑘,𝑆) with 𝑘= (𝑏 1 ,…, 𝑏 𝑡 )
Compute 𝑥 ∗ = 𝑁 2𝑖 ′ , 𝑗 ′ −1 ∥ 𝑁 2𝑖 ′ +1, 𝑗 ′ −1 ⊕ 𝑏 𝑗 ′ from 𝑀 ∗ and output it.
Remember MSS reduction? As 𝑀 ∗ ≠𝑀 but ℎ 𝑘 𝑀 ∗ = ℎ 𝑘 𝑀 there must exist at least one node which is equal in both trees but has different children in the trees obtained from 𝑀 ∗ and 𝑀.
We selected a random node, so hit it with probability (#𝑛𝑜𝑑𝑒 𝑠) −1 = 2𝑚 𝑛 −1 −1

54. XOR-tree 2𝑛 log 2 𝑚 𝑛 still pretty large!
Can be improved, but not asymptotically.
For a large group of constructions, key length 𝒪 log 2 𝑚 is optimal!

56. Approach 1: ROM
An RO, keyed by prefixing with key, is a TCR hash function.
No way to get TCR from Merkle-Damgard construction without (implicitly) assuming collision resistance.

57. Approach 2: eTCR 𝐻 𝑛 ≔ ℎ 𝑘 : {0,1} 𝑚 𝑛 → {0,1} 𝑛 ℎ 𝑘 $ 𝐻 𝑛 Success if
𝐻 𝑛 ≔ ℎ 𝑘 : {0,1} 𝑚 𝑛 → {0,1} 𝑛
ℎ 𝑘 $ 𝐻 𝑛
Success if
ℎ 𝑘 𝑥 𝑐 = ℎ 𝑘 ∗ 𝑥 ∗
Run 1
Run 2
𝑥 𝑐 ,𝑘, 𝑆
𝐻 𝑛
𝑥 𝑐 , 𝑆
𝑘 ∗ , 𝑥 ∗

58. Still need to send key along with signature!
Note:
If the 𝑘 𝑖 weren’t signed, the second-to-last step wouldn’t work!
An adversary could output a forgery ( 𝑀 ∗ , 𝜎 ∗ )= ( 𝑀 ∗ ,( 𝑘 ∗ , 𝜎 ∗ ′)) such that
ℎ 𝑘 ∗ 𝑀 ∗ =𝑚 𝑑 ∗ =𝑚 𝑑 𝑖 = ℎ 𝑘 𝑖 𝑀 𝑖 ,
for some 𝑖≤𝑞, but 𝑘 ∗ ≠ 𝑘 𝑖 . Hence, ( 𝑘 𝑖 , 𝑀 ∗ , 𝑀 𝑖 ) is no target-collision! However, 𝜎 𝑖 still works as signature for 𝑚 𝑑 ∗ .
⇒ EU-CMA of fixed-length input SIG not violated!
Really need to sign keys!
Now ok!
Don‘t need to sign keys!
Still need to send key along with signature!

59. Approach 2: eTCR
Can get short-key-constructions in standard model (from pretty strong, non-common assumptions)
RO with prefixed key has this property
Just require it as property from new hash functions (SHA-3 competition).

60. Real life version: Randomized Hashing
eTCR-hash & sign: 𝑆𝐼𝐺𝑁′ 𝑀,𝑠𝑘 = 𝑅, 𝑆𝐼𝐺𝑁 𝐻 𝑅∥𝑀 ,𝑠 𝑘 𝑎 where 𝑅=𝑃𝑅𝐹(𝑠 𝑘 𝑏 ,𝑀)
Not “provably weaker assumption than collision resistance”.
In practice: Known collision does not help as R is unpredictable.

61. The multi-target issue
What‘s the attack target?
A special single Person?
Wouldn‘t anyone in the company work?
Wouldn‘t the ability to forge for any of Google‘s servers be sufficient?
...

63. The multi-target issue
Neglected in EU-CMA model
Relevant in practice!
Can significantly harm security!
Assume security of signature relies on hardness of finding preimage...
... Finding single preimage takes 𝒪( 2 𝑛 ) time
... Finding one out of p preimages takes 𝒪 2 𝑛 𝑝 time

64. Multi-target eTCR attack
Collect as many signatures of as many possible vicitims as possible.
Store the message digests used in the sigs in sorted DB
Start search for 𝑘, 𝑥 such that h 𝑘 𝑥 matches entry in DB
Complexity goes down from 𝒪( 2 𝑛 ) to 𝒪 2 𝑛 𝑝

65. Preventing multi-target attacks, state of the art
Not known how to prevent this for single user (without state / signing k)
Can reduce #targets p: 𝑆𝐼𝐺𝑁′ 𝑀,𝑠𝑘 = 𝑅, 𝑆𝐼𝐺𝑁 𝐻 𝑅∥𝑝𝑘∥𝑀 ,𝑠 𝑘 𝑎 where 𝑅=𝑃𝑅𝐹(𝑠 𝑘 𝑏 ,𝑀)
Makes hash depending on pk
For „good“ hash function H, attacker has to decide on target for each evaluation of H.
For stateful schemes: Also add signature index.

66. Multi-target attack prevention
Used in recent Internet Drafts (e.g. draft-irtf-cfrg- eddsa-08, draft-irtf-cfrg-xmss-hash-based- signatures-07)
If scheme already uses randomness (EC-DSA: 𝑅= 𝑟 𝐵) might reuse that -> authenticates R!
Price for avoiding collision resistance...

67. Thank you! Questions?
For references & further literature see