Analysis of a Proposed Hash-Based Signature Standard, Jonathan Katz (PowerPoint presentation)

SLIDE 1

Jonathan Katz

Analysis of a Proposed Hash-Based Signature Standard

SLIDE 2

Motivation and background

  • Recent interest in standardization of “post-quantum” public-key primitives
  • For signature schemes, several proposals based on cryptographic hash functions
  • We study the concrete security of two versions of an Internet Draft by McGrew and Curcio
– …in the random-oracle model

SLIDE 3

McGrew-Curcio proposals

(10,000-ft view)

Diagram: 1-time signature scheme [LDWM] + Merkle tree ⇒ (stateful) many-time signature scheme

SLIDE 4

McGrew-Curcio proposals

(10,000-ft view)

Diagram: Merkle tree whose leaves are the 1-time public keys pk1, pk2, …, pkN-1, pkN and whose root pk* is the public key of the many-time scheme

SLIDE 5

Key observation

  • The scheme is composed of multiple instances of the 1-time scheme

⇒ Concrete security of the scheme (even in a single-user setting) depends on concrete security of the 1-time scheme in the multi-user setting

SLIDE 6

Multi-user security

  • [Bellare, Boldyreva, Micali], [Galbraith, Malone-Lee, Smart]
  • Attacker given N (independent) public keys
– Succeeds if it can forge a signature with respect to any of them
  • If attacker can succeed with probability ≤ ε when attacking one scheme, can succeed with probability ≤ N·ε when attacking N schemes
– Is a tighter reduction possible?

SLIDE 7

Our results

  • An initial version of the McGrew-Curcio draft (v02, 2014) has only a “loose” reduction
– Because the 1-time scheme used has only a loose reduction in the multi-user setting
  • An updated version of the McGrew-Curcio draft (v04, 2016) has a tight reduction
– Even in the multi-user setting

SLIDE 8

The LDWM 1-time scheme (v02)

SLIDE 9

Lamport’s scheme

Diagram: secret key x1,0, x1,1, x2,0, x2,1, …, xn,0, xn,1; public key y1,0, y1,1, …, yn,0, yn,1 with yi,b = H(xi,b). Signing reveals one preimage per message bit: Sign(01…1) = x1,0, x2,1, …, xn,1

SLIDE 10

Improvement I

Diagram: keep a single pair (xi, yi) per bit and reveal xi only for the 1-bits of the message: Sign(01…1) = x2, …, xn. A forger could now drop revealed values to turn a 1 into a 0, so a checksum of the message is signed as well with a second set of pairs (x′1, y′1), …, (x′m, y′m): Sign(01…1 ‖ checksum(01…1)). Turning a 1-bit of the message into a 0 raises the checksum, which forces some checksum bit from 0 to 1 and requires an unrevealed preimage. Signature length n + log n

SLIDE 11

Improvement II

Diagram: hash chains of length e. Each public value yi (and y′i) is the end of a chain x1 → … → y1, …, xn → … → yn, x′1 → … → y′1, …, x′m → … → y′m obtained by iterating H, and a signature releases an intermediate point of each chain, so one chain signs a base-e digit (log e bits) instead of a single bit

Public key/signatures compressed by log e; signing/verification time increases by O(e)

SLIDE 12

“Trivial” improvements

  • Sign H(M) rather than M
  • Set pk = H(y1…ym) instead of y1…ym
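The one-time scheme of slides 9 to 12 (chains of length e, a checksum, signing H(M), and pk = H(y1…ym)) as an added Python example; it is not code from the slides or from the McGrew-Curcio draft. It is a toy in the shape of LDWM v02, not the draft's encoding: SHA-256 plays H (t = 256), e = 16 (4-bit digits, 64 digits from the digest plus 3 checksum digits, m = 67 chains), and every function name and parameter is this example's own choice. As in v02, no hash call is tagged with the key or the chain position.

```python
import hashlib
import os

E = 16                  # chain length e: each digit d_i is in 0..e-1 (Improvement II)
N_DIGITS = 64           # sha256 digest = 32 bytes = 64 base-16 digits
N_CHECK = 3             # checksum <= 64*15 = 960 < 16^3, so 3 digits (Improvement I)
M_CHAINS = N_DIGITS + N_CHECK


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def chain(x: bytes, steps: int) -> bytes:
    """H^steps(x): iterate H with no domain separation, exactly the v02 shape."""
    for _ in range(steps):
        x = H(x)
    return x


def message_digits(msg: bytes) -> list:
    """Sign H(M) rather than M, split into base-e digits, and append a
    checksum of (e-1-d_i): raising any digit lowers the checksum, so some
    checksum digit drops and cannot be produced by hashing further."""
    d = []
    for byte in H(msg):
        d.extend((byte >> 4, byte & 0xF))
    csum = sum((E - 1) - v for v in d)
    d.extend(((csum >> 8) & 0xF, (csum >> 4) & 0xF, csum & 0xF))
    return d


def keygen(rng=os.urandom):
    sk = [rng(32) for _ in range(M_CHAINS)]         # x_1 .. x_m
    ys = [chain(x, E - 1) for x in sk]               # y_i = H^{e-1}(x_i), the chain ends
    return sk, H(b"".join(ys))                       # pk = H(y_1 .. y_m), not the y_i themselves


def sign(sk: list, msg: bytes) -> list:
    """Release H^{d_i}(x_i) for each digit; the key must never sign twice."""
    return [chain(x, d) for x, d in zip(sk, message_digits(msg))]


def verify(pk: bytes, msg: bytes, sig: list) -> bool:
    if len(sig) != M_CHAINS:
        return False
    ys = [chain(s, (E - 1) - d) for s, d in zip(sig, message_digits(msg))]
    return H(b"".join(ys)) == pk


def advance_attack_possible(signed_msg: bytes, target_msg: bytes) -> bool:
    """Could a signature on signed_msg be turned into one on target_msg by
    hashing each released value further? Only if every digit of the target
    is >= the signed digit, which the checksum rules out for distinct digests."""
    a, b = message_digits(signed_msg), message_digits(target_msg)
    return a != b and all(db >= da for da, db in zip(a, b))
```

The key is one-time: signing two messages under the same sk releases chain points for both, and an attacker can combine them. advance_attack_possible shows why the checksum is there: without it, a signature on M would convert into one on any M′ whose digits are all at least those of M, simply by hashing further along each chain.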
SLIDE 13

Security analysis?

  • Let q be the number of H-queries made by the attacker, and t be the output length of H
  • Forging a signature given pk1, …, pkN
– Find M, M′ with H(M) = H(M′)
  • Success probability O(q²/2^t)
– Compute y*1 = H^e(x*1), …, y*Q = H^e(x*Q) and find j, i1, …, im such that pkj = H(y*i1, …, y*im)
  • Success probability O(qN/2^t)
– Find x* such that H^e(x*) = yi,j for some i, j
  • Success probability O(qN/2^t)

Loose security in the multi-user setting! Would like to avoid birthday attack, also

SLIDE 14

Note…

  • Security of the many-time scheme (even in the single-user setting) cannot be better than multi-user security of the 1-time scheme

SLIDE 15

The LDWM 1-time scheme (v04)

SLIDE 16

Key ideas

  • Use domain separation so every invocation of H is on a distinct domain [Leighton, Micali]
⇒ Each H-query of the attacker can be “charged” to at most one step of key generation/signing
  • Per-key identifier/diversification factor to ensure domain separation for different keys
⇒ Each H-query of the attacker can be “charged” to ≤ 1 step of key generation for at most one public key
  • Use “salted” hash to prevent birthday attack
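Added Python example, not from the talk, serving both the O(qN/2^t) terms of slide 13 and the “charged to at most one step” idea of slide 16: the multi-target preimage search over all y values of N keys, run against a truncated hash so it finishes in seconds, next to the same search when every honest value was computed with a per-key identifier and position in the hash input. T_BITS = 16, the number of keys and positions, the tag layout and the seeded key material are this example's constructed choices; each chain position is modelled as a single hash application, y = H(x) in the v02 style or y = H(I, i, x) in the v04 style.

```python
import hashlib
import random

T_BITS = 16                          # toy output length t; real schemes use 256
MASK = (1 << T_BITS) - 1


def H_t(data: bytes) -> int:
    """sha256 truncated to t bits, standing in for a random oracle with t-bit output."""
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big") & MASK


def tag(j: int, i: int) -> bytes:
    """Per-key identifier I_j and chain position i, prepended to the input (v04 idea)."""
    return j.to_bytes(4, "big") + i.to_bytes(2, "big")


def honest_public_values(n_keys: int, m: int, seed: int, separated: bool) -> dict:
    """y_{j,i} for n_keys one-time keys with m secrets each, one hash step per position.
    v02 style: y = H(x).  v04 style: y = H(I_j, i, x)."""
    rng = random.Random(seed)        # seeded only to make the demo reproducible
    ys = {}
    for j in range(n_keys):
        for i in range(m):
            x = rng.getrandbits(64).to_bytes(8, "big")
            ys[(j, i)] = H_t(tag(j, i) + x) if separated else H_t(x)
    return ys


def preimage_attack(n_keys: int, m: int, seed: int, separated: bool, budget: int = 1 << 22):
    """Number of H-queries until some x* hashes to one of the honest y_{j,i}
    (enough to forge that chain position), or None if the budget runs out."""
    ys = honest_public_values(n_keys, m, seed, separated)
    if not separated:
        wanted = set(ys.values())
        for q in range(1, budget + 1):
            if H_t(q.to_bytes(8, "big")) in wanted:      # one query vs. all N*m targets
                return q
        return None
    positions = list(ys)                                # attacker spreads queries over (j, i)
    for q in range(1, budget + 1):
        j, i = positions[q % len(positions)]
        if H_t(tag(j, i) + q.to_bytes(8, "big")) == ys[(j, i)]:  # can only hit y_{j,i}
            return q
    return None
```

Without separation a single query is compared against all N·m honest values, so the expected cost is about 2^t/(N·m) queries (2^16/4096 = 16 in the test below); with the tag in the input, a query can only match the one value it names, so the expected cost is about 2^t whatever N is. The salted message hash of the last bullet addresses the birthday attack of slide 13, which this example does not model.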
SLIDE 17

Domain separation

Diagram: yi = H(i, xi) for i = 1, 2, …, m; the position index i is hashed in together with xi, so no two positions share a hash input

SLIDE 18

Identifier/diversification factor

  • When keys are generated by multiple users
– Identifiers can be based on users’ identities
– Can also incorporate random values unlikely to repeat across (honest) users
  • When multiple keys are generated by one user
– Identifier can be based on identity
– Diversification factor can be based on sequence numbers to ensure distinctness

SLIDE 19

Security theorem

  • As long as identifiers/diversification factors are distinct across all keys, attacker’s success probability is at most 3q/2^t
– Regardless of the number of keys!
  • Proof by case analysis and probabilistic arguments treating H as a random oracle

SLIDE 20

The many-time scheme (v04)

SLIDE 21

Key generation (high level)

  • Generate N keys for the 1-time scheme
– Using a distinct diversification factor each time
  • Construct a Merkle tree over those N keys
– Ensuring domain separation at each node
– Ensures that each H-query of the attacker can be “charged” to at most one node of the tree
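The v04 many-time scheme of slides 16 to 21 as an added Python example; it is not the draft's own construction or wire format. Every hash call carries a role tag plus (I, q, i, j) or the node index, the message hash is salted with a fresh C, and a Merkle tree with domain-separated nodes is built over the one-time public keys. The tag bytes D_*, the field widths, H_LEVELS = 3, the chain parameters and all names are this example's assumptions; the one-time part keeps the chain-and-checksum structure of the earlier v02 example, with the tags added.

```python
import hashlib
import os

E = 16                                   # chain length e: 4-bit digits 0..15
M_CHAINS = 64 + 3                        # 64 digest digits + 3 checksum digits
H_LEVELS = 3                             # tree height h: 2^h = 8 one-time keys
# Role tags (this example's choice) so that chain steps, pk compression,
# message hashing, leaves and internal nodes never share a hash input.
D_CHAIN, D_PK, D_MSG, D_LEAF, D_NODE = b"\x00", b"\x01", b"\x02", b"\x03", b"\x04"


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def be(n: int, width: int) -> bytes:
    return n.to_bytes(width, "big")


def digits(h: bytes) -> list:
    """Base-16 digits of a 32-byte hash plus a 3-digit checksum of (e-1-d_i)."""
    d = []
    for byte in h:
        d.extend((byte >> 4, byte & 0xF))
    csum = sum((E - 1) - v for v in d)
    d.extend(((csum >> 8) & 0xF, (csum >> 4) & 0xF, csum & 0xF))
    return d


def chain(I: bytes, q: int, i: int, x: bytes, start: int, end: int) -> bytes:
    """Walk chain i of one-time key (I, q) from step start to step end.
    The tag (I, q, i, j) makes every step's input distinct across keys,
    chains and steps, so an H-query can be charged to at most one step."""
    for j in range(start, end):
        x = H(D_CHAIN, I, be(q, 4), be(i, 2), be(j, 1), x)
    return x


def ots_keygen(I: bytes, q: int):
    sk = [os.urandom(32) for _ in range(M_CHAINS)]
    ys = [chain(I, q, i, x, 0, E - 1) for i, x in enumerate(sk)]
    return sk, H(D_PK, I, be(q, 4), *ys)


def ots_sign(I: bytes, q: int, sk: list, msg: bytes):
    C = os.urandom(32)                   # salt: the digest to forge is fixed only at signing time
    d = digits(H(D_MSG, I, be(q, 4), C, msg))
    return C, [chain(I, q, i, x, 0, d[i]) for i, x in enumerate(sk)]


def ots_pk_from_sig(I: bytes, q: int, msg: bytes, C: bytes, sig: list) -> bytes:
    """Candidate one-time public key implied by a signature; the tree decides if it is real."""
    d = digits(H(D_MSG, I, be(q, 4), C, msg))
    ys = [chain(I, q, i, s, d[i], E - 1) for i, s in enumerate(sig)]
    return H(D_PK, I, be(q, 4), *ys)


class MerkleSigner:
    """Stateful many-time scheme: 2^h one-time keys, each under its own
    diversification factor q, in a Merkle tree whose leaf q sits at node 2^h + q."""

    def __init__(self, I: bytes = None):
        self.I = I if I is not None else os.urandom(16)      # per-key identifier
        self.n = 1 << H_LEVELS
        self.sks, pks = zip(*(ots_keygen(self.I, q) for q in range(self.n)))
        self.node = [None] * (2 * self.n)
        for q, pk in enumerate(pks):
            self.node[self.n + q] = H(D_LEAF, self.I, be(self.n + q, 4), pk)
        for r in range(self.n - 1, 0, -1):                   # each node hashed with its own index r
            self.node[r] = H(D_NODE, self.I, be(r, 4), self.node[2 * r], self.node[2 * r + 1])
        self.root = self.node[1]
        self.next_q = 0

    def sign(self, msg: bytes):
        if self.next_q >= self.n:
            raise RuntimeError("all one-time keys used; reusing one would break the scheme")
        q, self.next_q = self.next_q, self.next_q + 1        # advance state before releasing anything
        C, ots = ots_sign(self.I, q, self.sks[q], msg)
        path, r = [], self.n + q
        while r > 1:
            path.append(self.node[r ^ 1])                    # sibling on the way to the root
            r //= 2
        return (self.I, q, C, ots, path)


def verify(root: bytes, msg: bytes, signature) -> bool:
    I, q, C, ots, path = signature
    n = 1 << H_LEVELS
    if not 0 <= q < n or len(path) != H_LEVELS or len(ots) != M_CHAINS:
        return False
    r = n + q
    node = H(D_LEAF, I, be(r, 4), ots_pk_from_sig(I, q, msg, C, ots))
    for sib in path:
        left, right = (node, sib) if r % 2 == 0 else (sib, node)
        r //= 2
        node = H(D_NODE, I, be(r, 4), left, right)
    return node == root
```

The signer is stateful: next_q is advanced before a signature leaves the object, and sign refuses once all 2^h leaves are used, because signing twice under the same q is a key reuse that the one-time scheme's security does not cover. Verification recomputes the candidate one-time public key from the signature and checks it only through the tree root, so the root together with I is the whole public key; changing q in a signature moves every tag and fails at the root.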

SLIDE 22

Security theorem

  • Attacker’s success probability is at most 3q/2^t
– Holds for multi-user setting as well

SLIDE 23

Summary

  • Signature scheme in an initial version of the McGrew-Curcio draft does not admit a tight security reduction
– Since the underlying 1-time signature does not admit a tight reduction in the multi-user setting
  • Modified scheme in a later version of the draft does admit a tight security reduction to the underlying hash function
– Even in the multi-user setting

SLIDE 24

Questions?