1. SPHINCS: practical stateless hash-based signatures
Daniel J. Bernstein, Daira Hopwood, Andreas Hülsing, Tanja Lange, Ruben Niederhagen, Louiza Papachristodoulou, Michael Schneider, Peter Schwabe, Zooko Wilcox-O’Hearn

2. Post-Quantum Signatures
Lattice, MQ, Coding Signature and/or key sizes Runtimes Secure parameters

3. Hash-based Signature Schemes [Mer89]
Post quantum
Only secure hash function
Security well understood
Fast
Stateful

4. Basic Construction

5. Lamport-Diffie OTS [Lam79]
Message M = b1,…,bm, OWF H = n bit SK PK Sig *
sk1,0
sk1,1
skm,0
skm,1
Mux b1
Mux b2
Mux bm H H H H H H
pk1,0
pk1,1
pkm,0
pkm,1
sk1,b1
skm,bm

6. Merkle’s Hash-based Signatures
Digital Signature PK
SIG = (i=2, , , , , )
Encryption H
OTS H H
Cryptography H H H H H H H H H
Legality H H H
Hash Function
OTS
OTS
OTS
OTS
OTS
OTS
OTS
OTS
MAC SK

7. Known Improvements

8. WOTS Function Chain
18. April 2019
Function family: Formerly: WOTS+ For w ≥ 2 select R = (r1, …, rw-1) ri
ci-1 (x)
ci (x)
c0(x) = x
cw-1 (x)
c1(x) = |

9. WOTS+
18. April 2019
Winternitz parameter w, security parameter n, message length m, function family Key Generation: Compute l , sample K, sample R
c0(sk1) = sk1
pk1 = cw-1(sk1)
c1(sk1)
One promissing group of candidates are hash-based signature schemes
They start from an OTS – a signature scheme where a key pair can only be used for one signature.
The central idea – proposed by Merkle - is to authenticate many OTS keypairs using a binary hash tree
These schemes have many advantages over the beforementioned
Quantum computers do not harm their security – the best known quantum attack is Grovers algorithm – allowing exhaustiv search in a set with n elements in time squareroot of n using log n space.
They are provably secure in the standard model
And they can be instantiated using any secure hash function.
On the downside, they produce long signatures.
c1(skl )
pkl = cw-1(skl )
c0(skl ) = skl |

10. WOTS+ Signature generation
18. April 2019 M b1 b2 b3 b4 … … … … … … …
bm‘
bm‘+1
bm‘+2 … … bl
c0(sk1) = sk1
pk1 = cw-1(sk1) C
σ1=cb1(sk1)
Signature: σ = (σ1, …, σl )
Well, this work is concerned with the OTS.
There are several OTS schemes. LD, Merkle-OTS which is a specific instance of the W-OTS, the BM-OTS and Biba and HORS.
The most interesting one is the Winternitz OTS as it allows for a time-memory trade-off and even more important
- It is possible to compute the public verification key given a signature. This reduces the signature size of a hash based signature scheme as normaly the public key of the OTS has to be included in a signature of the scheme. Now for WOTS this isn‘t necessary anymore.
pkl = cw-1(skl )
c0(skl ) = skl
σl =cbl (skl ) |

11. WOTS+ Signature Verification
18. April 2019
Verifier knows: M, w b1 b2 b3 b4 … … … … … … …
bm‘
bm‘+1
bl 1+2 … … bl
c1 (σ1)
c3(σ1)
pk1 =? σ1
c2(σ1)
cw-1-b1(σ1)
Signature: σ = (σ1, …, σl )
Well, this work is concerned with the OTS.
There are several OTS schemes. LD, Merkle-OTS which is a specific instance of the W-OTS, the BM-OTS and Biba and HORS.
The most interesting one is the Winternitz OTS as it allows for a time-memory trade-off and even more important
- It is possible to compute the public verification key given a signature. This reduces the signature size of a hash based signature scheme as normaly the public key of the OTS has to be included in a signature of the scheme. Now for WOTS this isn‘t necessary anymore.
pkl =? σl
cw-1-bl (σl ) |

12. MSS-SPR [DOTV08] Hashing one-time PK‘s using treebi
Hashing one-time PK‘s using tree
Requirements: CRHF -> SPRHF
PK includes ~h additional values

13. Requires computation of 2h nodes in Merkle tree
XMSS Public Key Generation =
Requires computation of 2h nodes in Merkle tree h

14. Requires computation of 2*2h/2 nodes in Merkle trees
Two Layer
Key generation
Requires computation of 2*2h/2 nodes in Merkle trees

15. About the state Used for security: Used for efficiency: Problems:
Stores index i ⇒ Prevents using one-time keys twice.
Used for efficiency:
Stores intermediate results for fast Auth computation.
Problems:
Load-balancing
Multi-threading
Backups
Virtual-machine images
...
“Huge foot-cannon” (Adam Langley, Google)
Not only a hash-based issue!

16. How to Eliminate the State

17. Protest?

18. Stateless hash-based signatures [NY89,Gol87,Gol04]
Goldreich’s approach [Gol04]:
Security parameter 𝜆=128
Use binary tree as in Merkle, but...
…for security
pick index i at random;
requires huge tree to avoid index collisions (e.g., height h=2𝜆=256).
…for efficiency:
use binary certification tree of OTS;
all OTS secret keys are generated pseudorandomly.
OTS
OTS
OTS
OTS
OTS
OTS
OTS
OTS
OTS

19. It works, but signature are painfully long
0.6 MB for Goldreich signature using short-public-key Winternitz-16 one-time signatures.
Would dominate traffic in typical applications, and add user-visible latency on typical network connections.
Example:
Debian operating system is designed for frequent upgrades.
At least one new signature for each upgrade.
Typical upgrade: one package or just a few packages.
1.2 MB average package size.
0.08 MB median package size.
HTTPS typically sends multiple signatures per page.
1.8 MB average web page in Alexa Top

20. Few-Time Signature Schemes

21. Recap LD-OTS Message M = b1,…,bn, OWF H = n bit SK PK Sig H H H H H H*
sk1,0
sk1,1
skn,0
skn,1
Mux b1
Mux b2
Mux bn H H H H H H
pk1,0
pk1,1
pkn,0
pkn,1
sk1,b1
skn,bn

22. HORS [RR02]
Message M, OWF H, CRHF H’ = n bit Parameters t=2a,k, with m = ka (typical a=16, k=32) SK PK *
sk1
sk2
skt-1
skt H H H H H H
pk1
pk1
pkt-1
pkt

23. HORS mapping function
Message M, OWF H, CRHF H’ = 𝑛 bit Parameters 𝑡=2𝑎,𝑘, with 𝑚 = 𝑘𝑎 (typical 𝑎=16, 𝑘=32) * M H’ b1 b2 ba
bar i1 ik

24. HORS
Message M, OWF H, CRHF H’ = 𝑛 bit Parameters 𝑡=2𝑎,𝑘, with 𝑚 = 𝑘𝑎 (typical 𝑎=16, 𝑘=32) SK PK H’(M) Sig *
sk1
sk2
skt-1
skt H H H H H H
pk1
pk1
pkt-1
pkt b1 b2 ba
ba+1
bka-2
bka-1
bka
Mux
Mux i1 ik
ski1
skik

25. HORS Security 𝑀 mapped to 𝑘 element index set 𝑀 𝑖 ∈ {1,…,𝑡} 𝑘
Each signature publishes 𝑘 out of 𝑡 secrets
Either break one-wayness or…
r-Subset-Resilience: After seeing index sets 𝑀 𝑗 𝑖 for 𝑟 messages 𝑚𝑠𝑔 𝑗 , 1 ≤𝑗≤𝑟, hard to find 𝑚𝑠𝑔 𝑟+1 ≠ 𝑚𝑠𝑔 𝑗 such that 𝑀 𝑟+1 𝑖 ∈ ⋃ 1 ≤𝑗≤𝑟 𝑀 𝑗 𝑖 .
Best generic attack: Succr-SSR(A,q) = q(rk / t)k
→ Security shrinks with each signature!

26. HORST
Using HORS with MSS requires adding PK (𝑡𝑛 bits) to MSS signature. (SPHINCS-256: 𝑛 = 256, 𝑡 = , 𝑘=32)
HORST: Merkle Tree on top of HORS-PK
New PK = Root
Publish Auth-Paths for HORS signature values
PK can be computed from Sig
With optimizations: 𝑡𝑛 → (𝑘(𝑙𝑜𝑔⁡𝑡 − 𝑥 + 1) + 2𝑥)𝑛
E.g. SPHINCS-256: 2 MB → 16 KB
Use randomized message hash

27. Assembling SPHINCS

28. The SPHINCS Approach Use a “hyper-tree” of total height h
Parameter 𝑑 ≥1, such that 𝑑 | ℎ
Each (Merkle) tree has height ℎ/𝑑
(ℎ/𝑑)-ary certification tree

29. The SPHINCS Approach Pick index (pseudo-)randomly
Messages signed with few-time signature scheme
Significantly reduce total tree height
Require
𝑟∈[0,∞] (Pr⁡[ 𝑟−𝑡𝑖𝑚𝑒𝑠 𝑖𝑛𝑑𝑒𝑥 𝑐𝑜𝑙𝑙𝑖𝑠𝑖𝑜𝑛] ∗ 𝑆𝑢𝑐𝑐 𝑟−𝑆𝑆𝑅 (𝐴)) = 𝑛𝑒𝑔𝑙(𝑛)

30. And now more from Peter...

31. Thank you! Questions?
For references & further literature see

32. SPHINCS Sign Select (pseudo-)random HORST sk
Sign message using this HORST sk
Build parent tree
Use tree to sign HORST pk
If tree != top, goto 3.
Output Sig:
Index
HORST signature
XMSS signature chain

33. Long-Standing Problem: Statefulness
No problem in many cases.
Qualified signatures,
Keys on smartcard, ...
Necessary for forward-security!
But:
Key back-ups undermine security
Parallel use of key problematic
Multi-threading,
Load balancing...
Do not fit standard API