Abstract
We analyze the concrete security of a hash-based signature scheme described in a recent series of Internet Drafts by McGrew and Curcio. We show that an original version of their proposal achieves only a “loose” security bound, but that the latest version can be proven to have tighter security in the random-oracle model.
Work performed under a consultancy agreement with University Technical Services, Inc. on behalf of the National Security Agency. Portions of this work were also supported by a gift from the Cisco University Research Program Fund, a corporate advised fund of Silicon Valley Community Foundation.
Notes
1. It is easy to see that if no attack (subject to some time bound T) targeting a single user can succeed with probability better than \(\epsilon\), then no attack (subject to roughly the same time bound) can succeed in attacking one out of N independent users of that scheme with probability better than \(N\cdot\epsilon\). But we are interested in settings where N is large and we do not want to lose the factor of N in the security bound.
2. A precise calculation depends on the messages that have already been signed.
3. In [10] the result is expressed as a 16-bit integer, but only the top wv bits are used.
4. The purpose of I and q will become clear later, when we describe the many-time scheme based on LM-OTS.
5. These identifiers could be chosen adaptively by the attacker (subject to being distinct) without any significant change to the proof in the following section, but for simplicity we treat them as fixed in advance. When LM-OTS is subsequently used in the many-time signature scheme, the identifiers will be fixed in advance.
References
Bernstein, D.J., et al.: SPHINCS: practical stateless hash-based signatures. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015, Part I. LNCS, vol. 9056, pp. 368–397. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46800-5_15
Buchmann, J., Dahmen, E., Szydlo, M.: Hash-based digital signature schemes. In: Bernstein, D.J., Buchmann, J., Dahmen, E. (eds.) Post-Quantum Cryptography, pp. 35–93. Springer, Heidelberg (2009)
Galbraith, S.D., Malone-Lee, J., Smart, N.: Public-key signatures in the multi-user setting. Inf. Process. Lett. 83(5), 263–266 (2002)
Hülsing, A., Butin, D., Gazdag, S., Mohaisen, A.: XMSS: extended hash-based signatures. Internet Draft draft-irtf-cfrg-xmss-hash-based-signatures-06, 6 July 2016. http://datatracker.ietf.org
Katz, J., Lindell, Y.: Introduction to Modern Cryptography, 2nd edn. Chapman & Hall/CRC Press, New York (2014)
Kiltz, E., Masny, D., Pan, J.: Optimal security proofs for signatures from identification schemes. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part II. LNCS, vol. 9815, pp. 33–61. Springer, Heidelberg (2016). doi:10.1007/978-3-662-53008-5_2
Lamport, L.: Constructing digital signatures from a one-way function. Technical Report SRI-CSL-98, SRI Intl. Computer Science Laboratory (1979)
Leighton, F.T., Micali, S.: Large provably fast and secure digital signature schemes based on secure hash functions. U.S. Patent 5,432,852, 11 July 1995
McGrew, D., Curcio, M.: Hash-based signatures. Internet Draft draft-mcgrew-hash-sigs-02, 4 July 2014. https://datatracker.ietf.org/doc/draft-mcgrew-hash-sigs/02
McGrew, D., Curcio, M.: Hash-based signatures. Internet Draft draft-mcgrew-hash-sigs-04, 21 March 2016. https://datatracker.ietf.org/doc/draft-mcgrew-hash-sigs
Merkle, R.C.: Secrecy, authentication, and public-key systems. Ph.D. Thesis, Stanford University (1979)
Merkle, R.C.: A certified digital signature. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 218–238. Springer, Heidelberg (1990). doi:10.1007/0-387-34805-0_21
Naor, M., Yung, M.: Universal one-way hash functions and their cryptographic applications. In: Proceedings of 21st Annual Symposium on Theory of Computing (STOC), pp. 33–44. ACM (1989)
Rompel, J.: One-way functions are necessary and sufficient for secure signatures. In: Proceedings of 22nd Annual ACM Symposium on Theory of Computing (STOC), pp. 387–394. ACM (1990)
Acknowledgments
I thank Laurie E. Law and Jerome A. Solinas for their encouragement and suggestions, as well as for bringing the Leighton-Micali patent [8] to my attention.
Copyright information
© 2016 Springer International Publishing AG
About this paper
Cite this paper
Katz, J. (2016). Analysis of a Proposed Hash-Based Signature Standard. In: Chen, L., McGrew, D., Mitchell, C. (eds.) Security Standardisation Research. SSR 2016. Lecture Notes in Computer Science, vol. 10074. Springer, Cham. https://doi.org/10.1007/978-3-319-49100-4_12
DOI: https://doi.org/10.1007/978-3-319-49100-4_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-49099-1
Online ISBN: 978-3-319-49100-4
eBook Packages: Computer Science (R0)