5. 5
• Some Symmetric key schemes are also broken in poly-time
by quantum computers in some specific situations
Quantum attacks on Symmetric Key Schemes
• Even-Mansour
• Chaskey
• Minalpher-MAC
• Full-state keyed
sponge
• CBC-like MAC
• PMAC-like MAC
• LightMAC
• 3R-Feistel
• LRW, XEX, XE
• Chaskey-B
6. 6
• Some Symmetric key schemes are also broken in poly-time
by quantum computers in some specific situations
Quantum attacks on Symmetric Key Schemes
• Even-Mansour
• Chaskey
• Minalpher-MAC
• Full-state keyed
sponge
• CBC-like MAC
• PMAC-like MAC
• LightMAC
• 3R-Feistel
• LRW, XEX, XE
• Chaskey-B
Depends on attack models
10. 10
Poly-time attacks are in Q2 model
(quantum superposition query attack)
ClassPoly
Q2
: 𝑂𝑂(𝑛𝑛) quantum queries
• Even-Mansour
• Chaskey
• Minalpher-MAC
• Full-state keyed
sponge
• CBC-like MAC
• PMAC-like MAC
• LightMAC
• 3R-Feistel
• LRW, XEX, XE
• Chaskey-B
11. 11
Poly-time attacks are in Q2 model
(quantum superposition query attack)
ClassPoly
Q2
: 𝑂𝑂(𝑛𝑛) quantum queries
• Even-Mansour
• Chaskey
• Minalpher-MAC
• Full-state keyed
sponge
• CBC-like MAC
• PMAC-like MAC
• LightMAC
• 3R-Feistel
• LRW, XEX, XE
• Chaskey-B
・ Poly-time attacks can be realized in Q2 model
・ Q2 model is theoretically interesting
・ However, Q1 is more realistic model than Q2
・ Q1 should receive much more attention…
13. 13
• If hardware becomes large, architecture
significantly affects running time of algorithms
a. free communication model [Ber09,BB17]
any qubit can interact with any qubit
b. realistic communication model [Ber09,BB17]
a qubit can interact with only near qubits
c. independent small processors without
communication
Quantum Hardware Models
16. 16
Classical Online-Offline MITM attacks
𝑓𝑓𝑠𝑠
𝑛𝑛
𝑥𝑥𝑠𝑠
𝑦𝑦𝑠𝑠
𝑥𝑥𝑥
Online: query 𝐷𝐷
many 𝑥𝑥𝑠𝑠
Offline: compute 2𝑛𝑛/𝐷𝐷
many 𝑥𝑥𝑥
𝑓𝑓𝑝𝑝
𝑛𝑛
𝑦𝑦𝑦𝑓𝑓𝑠𝑠
′ 𝑓𝑓𝑝𝑝
𝑛𝑛 𝑛𝑛
𝑓𝑓𝑠𝑠
𝑥𝑥
𝑥𝑥𝑥
𝑧𝑧
Online: query 𝐷𝐷 distinct 𝑥𝑥
Offline: guess 2𝑛𝑛
/𝐷𝐷 distinct x′
Pattern 2Pattern 1
Conditions to Apply On-Off MITM
1. 𝑓𝑓𝑠𝑠 can be calculated only by making online queries
(𝑓𝑓𝑠𝑠 has some secret information)
2. 𝑓𝑓𝑝𝑝 can be calculated offline
3. If we find 𝒙𝒙, 𝒙𝒙′s.t. 𝒇𝒇𝒔𝒔 𝒙𝒙 = 𝒇𝒇𝒑𝒑 𝒙𝒙′ , then we can get
some secret information on a crypto scheme
30. 30
• Chaskey[Mou15] is a lightweight MAC
Attack on Chaskey
Classical online-offline MITM attack
can be applied to Chaskey
(Classical tradeoff: 𝑇𝑇 ⋅ 𝐷𝐷 = 2128
if n=128)
31. 31
• Chaskey[Mou15] is a lightweight MAC
Attack on Chaskey
Classical online-offline MITM attack
can be applied to Chaskey
(Classical tradeoff: 𝑇𝑇 ⋅ 𝐷𝐷 = 2128
if n=128)
Chaskey claims 80-bit security
by restricting 𝐷𝐷 to be < 248
It claims security up to T ≈ 280
(n is set as n=128)
32. 32
• If 𝐷𝐷 < 248 queries are allowed, then attack complexity
becomes…
Attack on Chaskey
𝑇𝑇 is overwhelmingly smaller than 280
of classical attack
T D Q M
Classical 280
248 − 248
Case 1a (Exp. qubits,
free communication) 232
232
232
232
Case 1b (Exp. qubits,
realistic communication) 237
237
237
237
Case 1c (Exp. qubits,
any communication) 239 239 239 239
Case 2 (Poly. qubits) 256 248 (27
) 216
39. 39
• MITM attack with Online Classical and Offline quantum
computations (quantum attack in Q1 model)
• New tradeoffs between D and T in 4 models
• Some existing schemes claim BBB security on T by limiting
the maximum number of D following the classical tradeoff
DT=N, but such claims are broken by our attacks
Summary
Thank you!!
E-mail: hosoyamada.akinori@lab.ntt.co.jp
41. Improving Stateless Hash-Based Signatures
CT-RSA 2018
Jean-Philippe Aumasson1
, Guillaume Endignoux2
Wednesday 18th
April, 2018
1Kudelski Security
2Work done while at Kudelski Security and EPFL
1
42. Hash-based signatures
What are hash-based signatures?
• Good hash functions are hard to invert = preimage-resistance.
• We can use this property to create signature schemes1.
1
Whitfield Diffie and Martin E. Hellman. New directions in cryptography. 1976
2
43. Hash-based signatures
What are hash-based signatures?
• Good hash functions are hard to invert = preimage-resistance.
• We can use this property to create signature schemes1.
S0
H
P0
S1
H
P1
Secret key
Public key
First step: scheme to sign 1-bit message.
• Key generation: commit to 2 secrets with H
• Sign bit b: reveal σ = Sb
• Verify signature σ: compare H(σ) with Pb
1
Whitfield Diffie and Martin E. Hellman. New directions in cryptography. 1976
2
44. Hash-based signatures
Second step: sign n-bit message ⇒ n copies of the previous scheme.
S0,0
H
P0,0
S0,1
H
P0,1
S1,0
H
P1,0
S1,1
H
P1,1
· · ·
Sn,0
H
Pn,0
Sn,1
H
Pn,1
Figure 1: Lamport signatures.
3
45. Hash-based signatures
Second step: sign n-bit message ⇒ n copies of the previous scheme.
S0,0
H
P0,0
S0,1
H
P0,1
S1,0
H
P1,0
S1,1
H
P1,1
· · ·
Sn,0
H
Pn,0
Sn,1
H
Pn,1
Figure 1: Lamport signatures.
However, this is a one-time signature scheme.
3
46. Hash-based signatures
More constructions:
• WOTS (Winternitz one-time signatures) = compact version of the n-bit message
scheme.
• Merkle trees = stateful multiple-time signatures.
• HORS = stateless few-time signatures.
• HORST = HORS with Merkle tree.
4
47. Hash-based signatures
SPHINCS = stateless many-time signatures (up to 250
messages).
• Hyper-tree of WOTS signatures ≈ certificate chain
• Hyper-tree of height H = 60, divided in 12 layers of
{Merkle tree + WOTS}
Sign message M:
• Select index 0 ≤ i < 260
• Sign M with i-th HORST instance
• Chain of WOTS signatures.
Merkle
. . .
. . .
Merkle
. . .
. . .
HORST
WOTS
Hyper-tree
Figure 2: SPHINCS.
5
48. Hash-based signatures
Hash-based signatures in a nutshell:
• Post-quantum security well understood ⇒ Grover’s algorithm: preimage-search
in O(2n/2) instead of O(2n) for n-bit hash function.
• Signature size is quite large: 41 KB for SPHINCS (stateless), 8 KB for XMSS
(stateful).
6
49. Contributions
We propose improvements to reduce signature size of SPHINCS:
• PRNG to obtain a random subset (PORS)
• Octopus: optimized multi-authentication in Merkle trees
• Secret key caching
• Non-masked hashing
7
51. From HORS to PORS
Sign a message M with HORS:
• Hash the message H(M) = 28c5c...
• Split the hash to obtain indices {2, 8, c, 5, c, . . .} and reveal values S2, S8, . . .
M H
i SPHINCS leaf
2 8 c 5 c
S0
H
P0
S1
H
P1
S2
H
P2
S3
H
P3
S4
H
P4
S5
H
P5
S6
H
P6
S7
H
P7
S8
H
P8
S9
H
P9
S10
H
P10
S11
H
P11
S12
H
P12
S13
H
P13
S14
H
P14
S15
H
P15
Secret key
Public key
8
52. From HORS to PORS
Sign a message M with HORS:
• Hash the message H(M) = 28c5c...
• Split the hash to obtain indices {2, 8, c, 5, c, . . .} and reveal values S2, S8, . . .
M H
i SPHINCS leaf
2 8 c 5 c
Problems:
• Some indices may be the same ⇒ fewer values revealed ⇒ lower security...
• Attacker is free to choose the hyper-tree index i ⇒ larger attack surface.
8
53. From HORS to PORS
PORS = PRNG to obtain a random subset.
• Seed a PRNG from the message.
• Generate the hyper-tree index.
• Ignore duplicated indices.
M G i
SPHINCS leaf
2 8 c 5 c e
Significant security improvement for the same parameters!
9
54. From HORS to PORS
Advantages of PORS:
• Significant security improvement for the same parameters!
• Smaller hyper-tree than SPHINCS for same security level ⇒ Signatures are 4616
bytes smaller.
• Performance impact of PRNG vs. hash function is negligible ⇒ For SPHINCS,
generate only 32 distinct values.
10
56. Octopus
Merkle tree of height h = compact way to authenticate any of 2h values.
• Small public value = root
• Small proofs of membership = h authentication nodes
11
57. Octopus
How to authenticate k values?
• Use k independent proofs = kh nodes.
• This is suboptimal! Many redundant values...
12
59. Octopus
How many bytes does it save?
• It depends on the shape of the “octopus”!
• Examples for h = 4 and k = 4: between 2 and 8 authentication nodes.
14
60. Octopus
Theorem
Given a Merkle tree of height h and k leaves to authenticate, the minimal number of
authentication nodes n verifies:
h − log2 k ≤ n ≤ k(h − log2 k )
⇒ For k > 1, this is always better than the kh nodes for k independent proofs!
15
61. Octopus
In the case of SPHINCS, k = 32 uniformly distributed leaves, tree of height h = 16.
In our paper, recurrence relation to compute average number of authentication nodes.
Method Number of auth. nodes
Independent proofs 512
SPHINCS2 384
Octopus (worst case) 352
Octopus (average) 324
⇒ Octopus authentication saves 1909 bytes for SPHINCS signatures on average.
2
SPHINCS has a basic optimization to avoid redundant nodes close to the root.
16
62. Octopus algorithm
• Bottom-up algorithm to compute the optimal authentication nodes.
• Formal specification in the paper, let’s see an example.
17
63. Octopus algorithm
• Bottom-up algorithm to compute the optimal authentication nodes.
• Formal specification in the paper, let’s see an example.
17
64. Octopus algorithm
• Bottom-up algorithm to compute the optimal authentication nodes.
• Formal specification in the paper, let’s see an example.
17
65. Octopus algorithm
• Bottom-up algorithm to compute the optimal authentication nodes.
• Formal specification in the paper, let’s see an example.
17
66. Octopus algorithm
• Bottom-up algorithm to compute the optimal authentication nodes.
• Formal specification in the paper, let’s see an example.
17
67. Octopus algorithm
• Bottom-up algorithm to compute the optimal authentication nodes.
• Formal specification in the paper, let’s see an example.
17
68. Octopus algorithm
• Bottom-up algorithm to compute the optimal authentication nodes.
• Formal specification in the paper, let’s see an example.
17
69. Octopus algorithm
• Bottom-up algorithm to compute the optimal authentication nodes.
• Formal specification in the paper, let’s see an example.
17
71. Take-aways
• Octopus + PORS = great improvement over HORST.
• These modifications are simple to understand ⇒ low risk of implementation bugs.
• More improvements in the paper.
18
72. Implementation
Two open-source implementations:
• Reference C implementation, proposed for NIST pqcrypto standardization
https://github.com/gravity-postquantum/gravity-sphincs
• Rust implementation with focus on clarity and testing
https://github.com/gendx/gravity-rs
19
74. Secret key caching
WOTS signatures to “connect” Merkle trees
are large (≈ 2144 bytes per WOTS).
Figure 3: SPHINCS.
21
75. Secret key caching
⇒ We use a larger root
Merkle tree, and cache more
values in private key.
cached key
(re)computed
at signing
time
computed
at key
generation
time
Figure 4: Secret key caching.
22
76. Non-masked hashing
• In SPHINCS, Merkle trees have a XOR-and-hash construction, to use a
2nd-preimage-resistant hash function H.
• Various masks, depending on location in hyper-tree; all stored in the public key.
• Post-quantum preimage search is faster with Grover’s algorithm ⇒ We remove the
masks and rely on collision-resistant H.
H
mi
(a) Masked hashing in SPHINCS.
H
(b) Mask off.
23