Message Security Mahmoud Yehia, Riham AlTawy and T. Aaron Gulliver - - PowerPoint PPT Presentation

▶

Oct 28, 2022 577 likes •814 views

Hash-Based Signatures Revisited: A Dynamic FORS with Adaptive Chosen Message Security Mahmoud Yehia, Riham AlTawy and T. Aaron Gulliver Department of Electrical and Computer Engineering, University of Victoria, Victoria, BC, Canada AfricaCrypt

SLIDE 1

Hash-Based Signatures Revisited: A Dynamic FORS with Adaptive Chosen Message Security

Mahmoud Yehia, Riham AlTawy and T. Aaron Gulliver Department of Electrical and Computer Engineering, University of Victoria, Victoria, BC, Canada AfricaCrypt 2020

SLIDE 2

Outline

Hash-Based digital signature schemes

– OTS – FTS – MTS

Definitions

– r-subset cover – r-subset resilient – r-target subset resilient

HORST VS FORS
FORS Security Analysis
DFORS

– Signing and verifications – DFORS security Analysis – Comparisons with other variants – DFORS and FORS Adaptive Chosen Message attack security Comparison

Conclusion

SLIDE 3

Hash-Based digital signature schemes

One-Time Signatures OTS

– Lamport OTS – WOTS and its variants

SLIDE 4

Hash-Based digital signature schemes

One-Time Signatures OTS

– Lamport OTS – WOTS and its variants

Few-Time Signatures FTS

– Biba – HORS and its variants

SLIDE 5

Hash-Based digital signature schemes

One-Time Signatures OTS

– Lamport OTS – WOTS and its variants

Few-Time Signatures FTS

– Biba – HORS and its variants

Many-Time Signature

– Stateful signature schemes

MSS, XMSS, XMSS+, XMSS𝑁𝑈, XMSS-T

– Stateless signature schemes

SPHINCS, Gravity-SPHINCS, SPHINCS+

SLIDE 6

Definitions

r-subset cover

𝐷𝑙

𝑠(𝑛1, 𝑛2, … , 𝑛𝑠+1) ⇔ 𝑃𝑆𝑇(𝑛𝑠+1) ⊆ ራ 𝑗=1 𝑠

(𝑛𝑗) 𝑃𝑆𝑇 𝑛𝑗 = 𝑐0, 𝑐1, … , 𝑐𝑙−1 : 𝐼 𝑛𝑗 = 𝑐0 ∥ 𝑐1 ∥ … ∥ 𝑐𝑙−1 , 𝑐𝑗ϵ{0,1, … , 𝑢 − 1}

SLIDE 7

Definitions

r-subset cover
r-subset resilient

Pr[(𝑛1, 𝑛2, … , 𝑛𝑠+1) ← 𝐵(1𝑜,𝑙,𝑢): 𝐷𝑙

𝑠(𝑛1, 𝑛2, … , 𝑛𝑠+1)] ≤ 𝑜𝑓𝑕(𝑜, 𝑢)

SLIDE 8

Definitions

r-subset cover
r-subset resilient
r-target subset resilient

Pr[(𝑛𝑠+1) ← 𝐵(1𝑜,𝑙,𝑢,𝑛1,𝑛2,…,𝑛𝑠): 𝐷𝑙

𝑠(𝑛1, 𝑛2, … , 𝑛𝑠+1)] ≤ 𝑜𝑓𝑕(𝑜, 𝑢)

SLIDE 9

HORST VS FORS

HORST

– Each rectangular represent sk out of t-secret keys – The leaf nodes are the one way function of each sk (𝐺(𝑡𝑙)) – The upper nodes are the hash of the concatenation of the daughter nodes. – The top layer root is the public key.

SLIDE 10

HORST VS FORS

HORST
FORS

𝑄𝐿 = 𝐼(𝑠𝑝𝑝𝑢0 ∥ 𝑠𝑝𝑝𝑢1 ∥ ⋯ ∥ 𝑠𝑝𝑝𝑢𝑙−1)

SLIDE 11

FORS Security Analysis

Non adaptive chosen message attack (r-target subset

resilient )

𝐷𝑙

𝑠−𝐺𝑃𝑆𝑇 𝑛1, 𝑛2, … , 𝑛𝑠+1

⇔ 𝑐𝑗 𝑛𝑠+1 ∈ڂ𝑘=1

𝑠

𝑐𝑗 𝑛𝑘

– 𝑃𝑆𝑇 𝑛𝑗 = (𝑐0, 𝑐1, … , 𝑐𝑙−1)

𝐶𝑗𝑢 𝑇𝑓𝑑𝑣𝑠𝑗𝑢𝑧 = log2(𝑢/𝑠)𝑙= 𝑙(log2 𝑢 − log2 𝑠)

SLIDE 12

FORS Security Analysis

Non adaptive chosen message attack (r-target subset

resilient )

𝐷𝑙

𝑠−𝐺𝑃𝑆𝑇 𝑛1, 𝑛2, … , 𝑛𝑠+1

⇔ 𝑐𝑗 𝑛𝑠+1 ∈ڂ𝑘=1

𝑠

𝑐𝑗 𝑛𝑘

– 𝑃𝑆𝑇 𝑛𝑗 = (𝑐0, 𝑐1, … , 𝑐𝑙−1)

𝐶𝑗𝑢 𝑇𝑓𝑑𝑣𝑠𝑗𝑢𝑧 = log2(𝑢/𝑠)𝑙= 𝑙(log2 𝑢 − log2 𝑠)

Adaptive chosen message attack (r-subset resilient )

𝐶𝑗𝑢 𝑇𝑓𝑑𝑣𝑠𝑗𝑢𝑧 = 𝑙 𝑠 + 1 log2 𝑢 − log2 𝑠 + log2 𝑠! 𝑠 + 1

SLIDE 13

Dynamic Forest of Random Subsets (DFORS)

DFORS inherits the advantage of FORS
It mitigates the offline advantages of the

adaptive chosen message attack

It binds the ORS generation with the signing

procedures

only the signer is able to efficiently generate

an ORS

SLIDE 14

Dynamic Forest of Random Subsets (DFORS)

ORS Generation

𝑎 ℎ : ℎ𝑘 ← {ℎ0 ∥ ℎ1 ∥ ⋯ ∥ ℎ𝑙−1}, 𝑘 = ℎ 𝑛𝑝𝑒 𝑙

SLIDE 15

Signature Algorithm

✓ ORS Generation ✓ σ = 𝑡𝑗𝑕0, 𝑡𝑗𝑕1, … , 𝑡𝑗𝑕𝑙−1 = (𝑡𝑙𝑐0, 𝐵𝑣𝑢ℎ0, 𝑡𝑙𝑐1, 𝐵𝑣𝑢ℎ1, … , 𝑡𝑙𝑐𝑙−1, 𝐵𝑣𝑢ℎ𝑙−1) ෍ = (𝛕0, 𝐵𝑣𝑢ℎ0, 𝛕1, 𝐵𝑣𝑢ℎ1, … , 𝛕𝑙−1, 𝐵𝑣𝑢ℎ𝑙−1)

Dynamic Forest of Random Subsets (DFORS)

𝑄𝐿 = 𝐼(𝑠𝑝𝑝𝑢0 ∥ 𝑠𝑝𝑝𝑢1 ∥ ⋯ ∥ 𝑠𝑝𝑝𝑢𝑙−1)

SLIDE 16

Signature Algorithm

✓ ORS Generation ✓ σ = 𝑡𝑗𝑕0, 𝑡𝑗𝑕1, … , 𝑡𝑗𝑕𝑙−1 = (𝑡𝑙𝑐0, 𝐵𝑣𝑢ℎ0, 𝑡𝑙𝑐1, 𝐵𝑣𝑢ℎ1, … , 𝑡𝑙𝑐𝑙−1, 𝐵𝑣𝑢ℎ𝑙−1) ෍ = (𝛕0, 𝐵𝑣𝑢ℎ0, 𝛕1, 𝐵𝑣𝑢ℎ1, … , 𝛕𝑙−1, 𝐵𝑣𝑢ℎ𝑙−1)

Dynamic Forest of Random Subsets (DFORS)

Verification

✓ Compute 𝑐𝑗 = 𝑎(𝐼𝛕𝑗−1(ℎ0||ℎ𝑗−1)) it is needed to know the leaf index ✓ Each (𝑐𝑗, 𝛕𝑗, 𝐵𝑣𝑢ℎ𝑗) are used to calculate the 𝑠𝑝𝑝𝑢𝑗

✓ 𝑄𝐿 ≟ 𝐼(𝑠𝑝𝑝𝑢0 ∥ 𝑠𝑝𝑝𝑢1 ∥ ⋯ ∥ 𝑠𝑝𝑝𝑢𝑙−1)

SLIDE 17

DFORS Security Analysis

Non adaptive chosen message attack (r-target subset

resilient )

𝐷𝑙

𝑠−𝐸𝐺𝑃𝑆𝑇 𝑛1, 𝑛2, … , 𝑛𝑠+1

⇔ 𝑐𝑗 𝑛𝑠+1 ∈ڂ𝑘=1

𝑠

𝑐𝑗 𝑛𝑘 𝐶𝑗𝑢 𝑇𝑓𝑑𝑣𝑠𝑗𝑢𝑧 = log2(𝑢/𝑠)𝑙= 𝑙(log2 𝑢 − log2 𝑠)

SLIDE 18

DFORS Security Analysis

Non adaptive chosen message attack (r-target subset

resilient )

𝐷𝑙

𝑠−𝐸𝐺𝑃𝑆𝑇 𝑛1, 𝑛2, … , 𝑛𝑠+1

⇔ 𝑐𝑗 𝑛𝑠+1 ∈ڂ𝑘=1

𝑠

𝑐𝑗 𝑛𝑘 𝐶𝑗𝑢 𝑇𝑓𝑑𝑣𝑠𝑗𝑢𝑧 = log2(𝑢/𝑠)𝑙= 𝑙(log2 𝑢 − log2 𝑠)

Adaptive chosen message attack (r-subset resilient )

𝐶𝑗𝑢 𝑇𝑓𝑑𝑣𝑠𝑗𝑢𝑧 = 𝑙 log2 𝑢 − log2 𝑠 While for FORS The adaptive chosen message attack bitsec 𝐶𝑗𝑢 𝑇𝑓𝑑𝑣𝑠𝑗𝑢𝑧 = 𝑙 𝑠 + 1 log2 𝑢 − log2 𝑠 + log2 𝑠! 𝑠 + 1

SLIDE 19

DFORS Theoretical Efficiency & comparison with HORS Variants

SLIDE 20

DFORS and FORS Adaptive Chosen Message attack security Comparison

SLIDE 21

Conclusion

We have

Analysed FORS against Adaptive chosen message attack
Showed that as the number of signed messages increases,

the bit security w.r.t. adaptive chosen message attack decreases significantly compared to non-adaptive chosen message attack

Presented dynamic FORS with adaptive message security.
Showed that DFORS bit security w.r.t. adaptive chosen

message attack is equal to its security in a non-adaptive setting.

SLIDE 22

Hash-Based Signatures Revisited: A Dynamic FORS with Adaptive Chosen Message Security

Mahmoud Yehia, Riham AlTawy and T. Aaron Gulliver Department of Electrical and Computer Engineering, University of Victoria, Victoria, BC, Canada AfricaCrypt 2020

Outline

Hash-Based digital signature schemes

– Lamport OTS – WOTS and its variants

Hash-Based digital signature schemes

– Lamport OTS – WOTS and its variants

– Biba – HORS and its variants

Hash-Based digital signature schemes

– Lamport OTS – WOTS and its variants

– Biba – HORS and its variants

– Stateful signature schemes

– Stateless signature schemes

Definitions

𝐷𝑙

(𝑛𝑗) 𝑃𝑆𝑇 𝑛𝑗 = 𝑐0, 𝑐1, … , 𝑐𝑙−1 : 𝐼 𝑛𝑗 = 𝑐0 ∥ 𝑐1 ∥ … ∥ 𝑐𝑙−1 , 𝑐𝑗ϵ{0,1, … , 𝑢 − 1}

Definitions

Pr[(𝑛1, 𝑛2, … , 𝑛𝑠+1) ← 𝐵(1𝑜,𝑙,𝑢): 𝐷𝑙

Definitions

Pr[(𝑛𝑠+1) ← 𝐵(1𝑜,𝑙,𝑢,𝑛1,𝑛2,…,𝑛𝑠): 𝐷𝑙

HORST VS FORS

– Each rectangular represent sk out of t-secret keys – The leaf nodes are the one way function of each sk (𝐺(𝑡𝑙)) – The upper nodes are the hash of the concatenation of the daughter nodes. – The top layer root is the public key.

HORST VS FORS

𝑄𝐿 = 𝐼(𝑠𝑝𝑝𝑢0 ∥ 𝑠𝑝𝑝𝑢1 ∥ ⋯ ∥ 𝑠𝑝𝑝𝑢𝑙−1)

FORS Security Analysis

resilient )

⇔ 𝑐𝑗 𝑛𝑠+1 ∈ڂ𝑘=1

𝑐𝑗 𝑛𝑘

– 𝑃𝑆𝑇 𝑛𝑗 = (𝑐0, 𝑐1, … , 𝑐𝑙−1)

𝐶𝑗𝑢 𝑇𝑓𝑑𝑣𝑠𝑗𝑢𝑧 = log2(𝑢/𝑠)𝑙= 𝑙(log2 𝑢 − log2 𝑠)

FORS Security Analysis

resilient )

⇔ 𝑐𝑗 𝑛𝑠+1 ∈ڂ𝑘=1

𝑐𝑗 𝑛𝑘

– 𝑃𝑆𝑇 𝑛𝑗 = (𝑐0, 𝑐1, … , 𝑐𝑙−1)

𝐶𝑗𝑢 𝑇𝑓𝑑𝑣𝑠𝑗𝑢𝑧 = log2(𝑢/𝑠)𝑙= 𝑙(log2 𝑢 − log2 𝑠)

𝐶𝑗𝑢 𝑇𝑓𝑑𝑣𝑠𝑗𝑢𝑧 = 𝑙 𝑠 + 1 log2 𝑢 − log2 𝑠 + log2 𝑠! 𝑠 + 1

Dynamic Forest of Random Subsets (DFORS)

adaptive chosen message attack

procedures

an ORS

Dynamic Forest of Random Subsets (DFORS)

𝑎 ℎ : ℎ𝑘 ← {ℎ0 ∥ ℎ1 ∥ ⋯ ∥ ℎ𝑙−1}, 𝑘 = ℎ 𝑛𝑝𝑒 𝑙

Dynamic Forest of Random Subsets (DFORS)

𝑄𝐿 = 𝐼(𝑠𝑝𝑝𝑢0 ∥ 𝑠𝑝𝑝𝑢1 ∥ ⋯ ∥ 𝑠𝑝𝑝𝑢𝑙−1)

Dynamic Forest of Random Subsets (DFORS)

✓ Compute 𝑐𝑗 = 𝑎(𝐼𝛕𝑗−1(ℎ0||ℎ𝑗−1)) it is needed to know the leaf index ✓ Each (𝑐𝑗, 𝛕𝑗, 𝐵𝑣𝑢ℎ𝑗) are used to calculate the 𝑠𝑝𝑝𝑢𝑗

✓ 𝑄𝐿 ≟ 𝐼(𝑠𝑝𝑝𝑢0 ∥ 𝑠𝑝𝑝𝑢1 ∥ ⋯ ∥ 𝑠𝑝𝑝𝑢𝑙−1)

DFORS Security Analysis

resilient )

⇔ 𝑐𝑗 𝑛𝑠+1 ∈ڂ𝑘=1

𝑐𝑗 𝑛𝑘 𝐶𝑗𝑢 𝑇𝑓𝑑𝑣𝑠𝑗𝑢𝑧 = log2(𝑢/𝑠)𝑙= 𝑙(log2 𝑢 − log2 𝑠)

DFORS Security Analysis

resilient )

⇔ 𝑐𝑗 𝑛𝑠+1 ∈ڂ𝑘=1

𝑐𝑗 𝑛𝑘 𝐶𝑗𝑢 𝑇𝑓𝑑𝑣𝑠𝑗𝑢𝑧 = log2(𝑢/𝑠)𝑙= 𝑙(log2 𝑢 − log2 𝑠)

𝐶𝑗𝑢 𝑇𝑓𝑑𝑣𝑠𝑗𝑢𝑧 = 𝑙 log2 𝑢 − log2 𝑠 While for FORS The adaptive chosen message attack bitsec 𝐶𝑗𝑢 𝑇𝑓𝑑𝑣𝑠𝑗𝑢𝑧 = 𝑙 𝑠 + 1 log2 𝑢 − log2 𝑠 + log2 𝑠! 𝑠 + 1

DFORS Theoretical Efficiency & comparison with HORS Variants

DFORS and FORS Adaptive Chosen Message attack security Comparison

Conclusion

We have

the bit security w.r.t. adaptive chosen message attack decreases significantly compared to non-adaptive chosen message attack

message attack is equal to its security in a non-adaptive setting.

Thank You!