On the security of the Winternitz one-time signature scheme

Self Cite

102

Abstract. This work introduces XMSS-T, a new stateful hash-based signature scheme with tight security. Previous hash-based signatures are facing a loss of security, linear in performance parameters such as the total tree height. Our new scheme can achieve the same security level but using hash functions with a smaller output length, which immediately leads to a smaller signature size. The same techniques also apply directly to the recent stateless hash-based signature scheme SPHINCS (Eurocrypt 2015), and the signature size is reduced as well. Being a little more specific and technical, the tight security stems from new multi-target notions of hash-function properties which we define and analyze. We show precise complexity for breaking these security properties under both classical and quantum generic attacks, thus establishing a reliable estimate for the quantum security of XMSS-T. In particular, we prove quantum query complexity tailored for cryptographic applications, which overcomes some limitations of standard techniques in quantum query complexity such as only considering worst-case complexity. Our proof techniques may be useful elsewhere. We also implement XMSS-T and compare its performance to that of XMSS (PQCrypto 2011), the most recent stateful hash-based signature scheme before our work.

Section: Xmss-tmentioning

confidence: 99%

“…In recent years several works focused on basing security on milder assumptions [16,12,13,23,25,6], such as second-preimage resistance and one-wayness. There are two fundamental reasons driving this trend.…”

Section: Introductionmentioning

confidence: 99%

Mitigating Multi-target Attacks in Hash-Based Signatures

Hülsing

Rijneveld

Song

2016

Self Cite

102

“…MT uses the Winternitz-OTS (W-OTS) from [2]. W-OTS uses the function family F n and a value X ∈ {0, 1} n that is chosen during XMSS key generation.…”

Section: Xmssmentioning

confidence: 99%

“…The runtimes for key generation, signature generation and signature verification are all bounded by (w − 1) evaluations of elements from F n . The Winternitz parameter w controls a time -space trade-off, as shrinks logarithmically in w. For more detailed information see [2].…”

Section: Xmssmentioning

confidence: 99%

Optimal Parameters for XMSS MT

Hülsing

Rausch

Buchmann

2013

Self Cite

Abstract. We introduce Multi Tree XMSS (XMSSMT ), a hash-based signature scheme that can be used to sign a virtually unlimited number of messages. It is provably forward and hence EU-CMA secure in the standard model and improves key and signature generation times compared to previous schemes. XMSSMT has -like all practical hash-based signature schemes -a lot of parameters that control different trade-offs between security, runtimes and sizes. Using linear optimization, we show how to select provably optimal parameter sets for different use cases.

“…For increased efficiency (and shorter signatures) we chose Winternitz OTS rather than the classic Lamport-Diffie OTS. The security of the Winternitz one-time signatures is discussed in [5,8,10]. The findings in [5] and [10] show that Winternitz OTS are CMA-secure if used with pseudo-random functions or collision-resistant, undetectable one-way functions, respectively.…”

Section: Security Of Mssmentioning

confidence: 99%

A Performance Boost for Hash-Based Signatures

Eisenbarth

Maurich

Paar

et al. 2013

Abstract. Digital signatures have become a key component of many embedded system solutions and are facing strong security and efficiency requirements. In this work, algorithmic improvements for the authentication path computation decrease the average signature computation time by close to 50 % when compared to state-of-the-art algorithms. The proposed scheme is implemented on an Intel Core i7 CPU and an AVR ATxmega microcontroller with optimized versions for the respective target platform. The theoretical algorithmic improvements are verified and cryptographic hardware accelerators are used to achieve competitive performance.