Presentation is loading. Please wait.

Presentation is loading. Please wait.

SPHINCS+ Submission to the NIST post-quantum project

Published byStella Felgueiras Modified over 5 years ago

Similar presentations

Presentation on theme: "SPHINCS+ Submission to the NIST post-quantum project"β€” Presentation transcript:

1 SPHINCS+ Submission to the NIST post-quantum project
Daniel J. Bernstein, Christoph Dobraunig, Maria Eichlseder, Scott Fluhrer, Stefan-Lukas Gazdag, Andreas HΓΌlsing, Panos Kampanakis, Stefan KΓΆlbl, Tanja Lange, Martin M. Lauridsen, Florian Mendel, Ruben Niederhagen, Christian Rechberger, Joost Rijneveld, Peter Schwabe

2 The SPHINCS Approach Use a β€œhyper-tree” of total height h
Parameter 𝑑β‰₯1, such that 𝑑 | β„Ž Each (Merkle) tree has height β„Ž/𝑑 (β„Ž/𝑑)-ary certification tree

3 The SPHINCS Approach Pick index (pseudo-)randomly
Messages signed with few-time signature scheme Significantly reduce total tree height Require π‘Ÿβˆˆ[0,∞] (Pr⁑[ rβˆ’times index collision] βˆ— 𝑆𝑒𝑐𝑐 EUβˆ’CMA HORST (𝐴,π‘ž=π‘Ÿ)) = negl(𝑛)

4 SPHINCS+ modifications

5 Adding multi-target attack resilience
Preimage search: Multi-target preimage search: Multi-function multi-target preimage search

6 Tweakable hash functions
𝑇 𝑙 : 𝔹 𝑛 Γ— 𝔹 32 Γ— 𝔹 𝑛 β†’ 𝔹 𝑛 , md ← 𝑇 𝑙 (𝐏𝐊.seed, 𝐀𝐃𝐑𝐒, 𝑀) Generates new keys and bitmasks for each call from PK.seed and ADRS. Allows to embed one challenge per call in reduction

7 Why not collision resistance?
Bernstein, SHARCSβ€˜09: pq-collision finding costs at least 2 𝑛/2 Same as cost for pq-(second-)preimage finding? No! Comparing apples and oranges. Compares cost for pq-(second-)preimage finding in query complexity model to cost for pq-collision finding in more realistic model. Also stronger complexity-theoretic assumption! (Minicrypt vs (conj.) Cryptomania)

8 FORS Shortcomings of HORST β€žindex collisionsβ€œ
Allows to search for weak messages (no impact on SPHINCS as hash randomized) Still reduces security Indices are in unordered list Authentication paths will most likely contain redundant nodes Variable size signatures could go lower but requires complicated algorithm (and protocols have to reserve worst-case size) -> see Gravity-SPHINCSβ€˜s Octopus

9 FORS FORS (Forest of random subsets) No index collisions
β€žOne tree per indexβ€œ Ordered list of indices Signature size same as worst-case variable signature size ( at same security level ) Only need authpaths in small trees Simple to compute

10 FORS Parameters t, a = log t, k such that ka = m ...

11 Verifiable index selection (and optionally non-deterministic randomness)
SPHINCS: (idx||𝐑) =𝑃𝑅𝐹(π’πŠ.prf,𝑀) md= 𝐻 msg (𝐑, PK, 𝑀) SPHINCS+: 𝐑 = 𝑃𝑅𝐹(π’πŠ.prf, OptRand, 𝑀) (md||idx) = 𝐻 msg (𝐑, PK, 𝑀)

12 Optionally non-deterministic randomness
Non-deterministic randomness complicates side- channel attacks Bad randomness in worst-case still leads to secure pseudorandom value

13 Verifiable index selection
Improves FORS security SPHINCS: Attacks could target β€žweakestβ€œ HORST key pair SPHINCS+: Every hash query ALSO selects FORS key pair Leads to notion of interleaved target subset resilience

14 Instantiations SPHINCS+-SHAKE256 SPHINCS+-SHA-256 SPHINCS+-Haraka

15 Instantiations (small vs fast)

16 Pro / Con Con: Signature size / speed Pro: Only secure hash needed
Pro: Collision-resilient Pro: Attacks are well understood (also quantum) Pro: Small keys Pro: Overlap with XMSS Pro: Reuse of established building blocks

17 Summary of SPHINCS+ Strengthened security gives smaller signatures
Collision- and multi-target attack resilient Fixed length signatures (far easier to compute than Octopus (-> Gravity-SPHINCS)) Small keys, medium size signatures (lv 3: 17kB) Sizes can be much smaller if q_sign gets reduced THE conservative choice No citable speeds yet

18 Visit us at https://sphincs.org
Thank you! Questions? Visit us at

Download ppt "SPHINCS+ Submission to the NIST post-quantum project"

Similar presentations

SeND Hash Threat Analysis CSI WG Ana Kukec, Suresh Krishnan, Sheng Jiang.

SeND Hash Threat Analysis CSI WG Ana Kukec, Suresh Krishnan, Sheng Jiang.
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}* οƒ  {0,1} 160 – Input is called β€œmessage”, output is β€œdigest”

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}* οƒ  {0,1} 160 – Input is called β€œmessage”, output is β€œdigest”
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
β€œChinese” Attacks on Hashes March 11, 2006, Bing Wu Topic 1.Background 2.β€œChinese” collision attacks 3.Results for MD4 and MD5.

β€œChinese” Attacks on Hashes March 11, 2006, Bing Wu Topic 1.Background 2.β€œChinese” collision attacks 3.Results for MD4 and MD5.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
XMSS - A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions J. Buchmann, E. Dahmen, A. HΓΌlsing 02.12.2011 | TU Darmstadt |

XMSS - A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions J. Buchmann, E. Dahmen, A. HΓΌlsing | TU Darmstadt |
HASH Functions.

HASH Functions.
Hash Functions A hash function H accepts a variable-length block of data M as input and produces a fixed-size hash value h = H(M) Principal object is.

Hash Functions A hash function H accepts a variable-length block of data M as input and produces a fixed-size hash value h = H(M) Principal object is.
1 Strengthening Digital Signatures via Randomized Hashing Shai Halevi and Hugo Krawczyk IBM Research.

1 Strengthening Digital Signatures via Randomized Hashing Shai Halevi and Hugo Krawczyk IBM Research.
Week 4 - Friday. ο‚‘ What did we talk about last time? ο‚‘ Snow day ο‚‘ But you should have read about  Key management.

Week 4 - Friday. ο‚‘ What did we talk about last time? ο‚‘ Snow day ο‚‘ But you should have read about  Key management.
Hash Functions Ramki Thurimella. 2 What is a hash function? Also known as message digest or fingerprint Compression: A function that maps arbitrarily.

Hash Functions Ramki Thurimella. 2 What is a hash function? Also known as message digest or fingerprint Compression: A function that maps arbitrarily.
CS426Fall 2010/Lecture 51 Computer Security CS 426 Lecture 5 Cryptography: Cryptographic Hash Function.

CS426Fall 2010/Lecture 51 Computer Security CS 426 Lecture 5 Cryptography: Cryptographic Hash Function.
Hashes Lesson Introduction ●The birthday paradox and length of hash ●Secure hash function ●HMAC.

Hashes Lesson Introduction ●The birthday paradox and length of hash ●Secure hash function ●HMAC.
1 Randomized Hashing: Secure Digital Signatures without Collision Resistance Shai Halevi and Hugo Krawczyk IBM Research

1 Randomized Hashing: Secure Digital Signatures without Collision Resistance Shai Halevi and Hugo Krawczyk IBM Research
Forward Secure Signatures on Smart Cards A. HΓΌlsing, J. Buchmann, C. Busold 16.08.2012 | TU Darmstadt | A. HΓΌlsing | 1.

Forward Secure Signatures on Smart Cards A. HΓΌlsing, J. Buchmann, C. Busold | TU Darmstadt | A. HΓΌlsing | 1.
24.06.2013 | TU Darmstadt | Andreas HΓΌlsing | 1 W-OTS + – Shorter Signatures for Hash-Based Signature Schemes Andreas HΓΌlsing.

| TU Darmstadt | Andreas HΓΌlsing | 1 W-OTS + – Shorter Signatures for Hash-Based Signature Schemes Andreas HΓΌlsing.
Data Integrity / Data Authentication. Definition Authentication (Signature) algorithm - A Verification algorithm - V Authentication key – k Verification.

Data Integrity / Data Authentication. Definition Authentication (Signature) algorithm - A Verification algorithm - V Authentication key – k Verification.
CS555Spring 2012/Topic 141 Cryptography CS 555 Topic 14: CBC-MAC & Hash Functions.

CS555Spring 2012/Topic 141 Cryptography CS 555 Topic 14: CBC-MAC & Hash Functions.
@Yuan Xue 285: Network Security CS 285 Network Security Hash Algorithm Yuan Xue Fall 2012.

@Yuan Xue 285: Network Security CS 285 Network Security Hash Algorithm Yuan Xue Fall 2012.

Similar presentations

Ads by Google