SLIDE 1
Gravity-SPHINCS
First PQC Standardization Conference
Jean-Philippe Aumasson1, Guillaume Endignoux2 Wednesday 11th April, 2018
1Kudelski Security 2Work done while at Kudelski Security and EPFL
Gravity-SPHINCS First PQC Standardization Conference Jean-Philippe - - PowerPoint PPT Presentation
Gravity-SPHINCS First PQC Standardization Conference Jean-Philippe - - PowerPoint PPT Presentation
Gravity-SPHINCS First PQC Standardization Conference Jean-Philippe Aumasson 1 , Guillaume Endignoux 2 Wednesday 11 th April, 2018 1 Kudelski Security 2 Work done while at Kudelski Security and EPFL 1 Introduction: SPHINCS Hash-based signatures
SLIDE 2
SLIDE 3
Hash-based signatures
SPHINCS = stateless many-time signatures (up to 250 messages).
- Hyper-tree of WOTS signatures ≈ certificate chain
- Hyper-tree of height H = 60, divided in 12 layers of
{Merkle tree + WOTS} Sign message M:
- Select index 0 ≤ i < 260
- Sign M with i-th HORST instance
- Chain of WOTS signatures.
Merkle . . . . . . Merkle . . . . . . HORST WOTS Hyper-tree
Figure 1: SPHINCS.
2
SLIDE 4
Hash-based signatures
Hash-based signatures in a nutshell:
- Post-quantum security well understood ⇒ Grover’s algorithm: preimage-search
in O(2n/2) instead of O(2n) for n-bit hash function.
- Signature size is quite large: 41 KB for SPHINCS (stateless), 8 KB for XMSS
(stateful).
3
SLIDE 5
Gravity-SPHINCS
SLIDE 6
Gravity-SPHINCS
We propose improvements to reduce signature size of SPHINCS:
- PRNG to obtain a random subset (PORS)
- Octopus: optimized multi-authentication in Merkle trees
- Secret key caching
- Non-masked hashing
4
SLIDE 7
Implementation
Open-source implementations:
- Reference C implementation in the submission
- Optimized implementation for Intel (AES-NI + SSE/AVX)
https://github.com/gravity-postquantum/gravity-sphincs
- Rust implementation with focus on clarity and testing
https://github.com/gendx/gravity-rs
5
SLIDE 8
Benchmarks
Some benchmarks on our optimized implementation1 Instance S M L Key generation 0.4 s 12 s 6 s Sign 5 ms 7 ms 8 ms Verify 0.04 ms 0.12 ms 0.16 ms Signature size2 (bytes) ≤ 12640 ≤ 28929 ≤ 35168 Capacity 210 250 264
1Intel Core i5-6360U CPU @ 2.00 GHz 2Size varies depending on the message and key
6
SLIDE 9
PRNG to obtain a random subset
SLIDE 10
From HORS to PORS
Sign a message M with HORS:
- Hash the message H(M) = 28c5c...
- Split the hash to obtain indices {2, 8, c, 5, c, . . .} and reveal values S2, S8, . . .
M H i SPHINCS leaf 2 8 c 5 c
S0 H P0 S1 H P1 S2 H P2 S3 H P3 S4 H P4 S5 H P5 S6 H P6 S7 H P7 S8 H P8 S9 H P9 S10 H P10 S11 H P11 S12 H P12 S13 H P13 S14 H P14 S15 H P15 Secret key Public key
7
SLIDE 11
From HORS to PORS
Sign a message M with HORS:
- Hash the message H(M) = 28c5c...
- Split the hash to obtain indices {2, 8, c, 5, c, . . .} and reveal values S2, S8, . . .
M H i SPHINCS leaf 2 8 c 5 c
Problems:
- Some indices may be the same ⇒ fewer values revealed ⇒ lower security...
- Attacker is free to choose the hyper-tree index i ⇒ larger attack surface.
7
SLIDE 12
From HORS to PORS
PORS = PRNG to obtain a random subset.
- Seed a PRNG from the message.
- Generate the hyper-tree index.
- Ignore duplicated indices.
M G i SPHINCS leaf 2 8 c 5 c e
Significant security improvement for the same parameters!
8
SLIDE 13
From HORS to PORS
Advantages of PORS:
- Significant security improvement for the same parameters!
- Smaller hyper-tree than SPHINCS for same security level ⇒ Signatures are 4616
bytes smaller.
- Performance impact of PRNG vs. hash function is negligible ⇒ For SPHINCS,
generate only 32 distinct values.
9
SLIDE 14
Octopus: multi-authentication in Merkle trees
SLIDE 15
Octopus
Merkle tree of height h = compact way to authenticate any of 2h values.
- Small public value = root
- Small proofs of membership = h authentication nodes
10
SLIDE 16
Octopus
How to authenticate k values?
- Use k independent proofs = kh nodes.
- This is suboptimal! Many redundant values...
11
SLIDE 17
Octopus
How to authenticate k values?
- Optimal solution: compute smallest set of authentication nodes.
12
SLIDE 18
Octopus
How many bytes does it save?
- It depends on the shape of the “octopus”!
- Examples for h = 4 and k = 4: between 2 and 8 authentication nodes.
13
SLIDE 19
Octopus
Theorem Given a Merkle tree of height h and k leaves to authenticate, the minimal number of authentication nodes n verifies: h − ⌈log2 k⌉ ≤ n ≤ k(h − ⌊log2 k⌋) ⇒ For k > 1, this is always better than the kh nodes for k independent proofs!
14
SLIDE 20
Octopus
In the case of SPHINCS, k = 32 uniformly distributed leaves, tree of height h = 16. In our paper3, recurrence relation to compute average number of authentication nodes. Method Number of auth. nodes Independent proofs 512 SPHINCS4 384 Octopus (worst case) 352 Octopus (average) 324 ⇒ Octopus authentication saves 1909 bytes for SPHINCS signatures on average.
3https://eprint.iacr.org/2017/933, to appear at CT-RSA 4SPHINCS has a basic optimization to avoid redundant nodes close to the root.
15
SLIDE 21
Octopus algorithm
- Bottom-up algorithm to compute the optimal authentication nodes.
- Formal specification in the submission, let’s see an example.
16
SLIDE 22
Octopus algorithm
- Bottom-up algorithm to compute the optimal authentication nodes.
- Formal specification in the submission, let’s see an example.
16
SLIDE 23
Octopus algorithm
- Bottom-up algorithm to compute the optimal authentication nodes.
- Formal specification in the submission, let’s see an example.
16
SLIDE 24
Octopus algorithm
- Bottom-up algorithm to compute the optimal authentication nodes.
- Formal specification in the submission, let’s see an example.
16
SLIDE 25
Octopus algorithm
- Bottom-up algorithm to compute the optimal authentication nodes.
- Formal specification in the submission, let’s see an example.
16
SLIDE 26
Octopus algorithm
- Bottom-up algorithm to compute the optimal authentication nodes.
- Formal specification in the submission, let’s see an example.
16
SLIDE 27
Octopus algorithm
- Bottom-up algorithm to compute the optimal authentication nodes.
- Formal specification in the submission, let’s see an example.
16
SLIDE 28
Octopus algorithm
- Bottom-up algorithm to compute the optimal authentication nodes.
- Formal specification in the submission, let’s see an example.
16
SLIDE 29
Other optimizations
SLIDE 30
Secret key caching
WOTS signatures to “connect” Merkle trees are large (≈ 2144 bytes per WOTS).
Figure 2: SPHINCS.
17
SLIDE 31
Secret key caching
- We use a larger root
Merkle tree, and cache more values in private key.
- Removing 3 levels =
6432 bytes saved!
- This cache can be
regenerated from a small private seed (32 bytes).
cached key (re)computed at signing time computed at key generation time
Figure 3: Secret key caching.
18
SLIDE 32
Non-masked hashing
- In SPHINCS, Merkle trees have a XOR-and-hash construction, to use a
2nd-preimage-resistant hash function H.
- Various masks, depending on location in hyper-tree; all stored in the public key.
- Post-quantum preimage search is faster with Grover’s algorithm ⇒ We remove the
masks and rely on collision-resistant H.
H mi
(a) Masked hashing in SPHINCS.
H
(b) Mask off.
19
SLIDE 33
Conclusion
SLIDE 34
Take-aways
Hash-based signatures:
- well-understood security,
- fast signing, very fast verification.
What’s new in Gravity-SPHINCS?
- octopus + PORS = great improvement over HORST,
- secret-key caching = trade-off key generation time / signature size for a “powerful”
signer,
- mask-less hashing = simpler scheme.
20
SLIDE 35