Abstract
Digital signature schemes form the basis of trust in Internet communication. Shor (FOCS 1994) proposed quantum algorithms that can be used by a quantum computer to break the security of today’s widely used digital signature schemes, and this has fuelled intensive research on the design and implementation of post-quantum digital signatures. Hash-based digital signatures base their security on one-way functions that in practice are instantiated by hash functions. Hash-based signatures are widely studied and are part of NIST’s post-quantum standardization effort.
In this paper we present a multi-target attack that we call Intermediate Secret-Guessing attack on two hash-based signatures: XMSSMT (Draft SP 800-208 that was considered by NIST for standardization), and K2SN-MSS (AsiaCCS 2019). The attack allows an adversary to forge a signature on an arbitrary message. We describe the intuition behind the attack and give details of its application on the attacked schemes together with corresponding theoretical analysis. The attack implies that the effective security levels of XMSS (a special case of XMSSMT), XMSSMT, and K2SN-MSS are 10, 39 and 12 bits lower than their designed security levels given access to \(2^{20}\), \(2^{60}\), and \(2^{20}\) signatures, respectively.
We implement the attack for each scheme, and give our results for reduced security parameters that validate our theoretical analysis. We also show that the attack can be avoided by modifying the application of a pseudorandom function for key generation. Our work shows the subtleties of replacing randomness with pseudo-randomness in the key generation of hash-based signatures, and the need for careful analysis of such designs.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
Note that XMSSMT is slightly more complicated since we have more than q OTS signatures from q queried signatures. See Sect. 3 for more detail.
- 2.
ETSI CyberSupport only outlined the idea of matching a guessed seed with the real seed but did not develop the idea into a full attack.
- 3.
Security level is calculated as \(\log _2(\tau /\epsilon )\), where \(\tau \) is the runtime and \(\epsilon \) is the success probability of ISG attack.
- 4.
- 5.
This is not compulsory in our attack on XMSSMT, which randomizes the message before signing it.
- 6.
For XMSSMT, we use the commit “fb7e3f8edce8d412a707f522d597ab3546863202” that is published on Apr 24, 2019 as the weakness was fixed in later commits.
References
Public comments on draft sp 800–208. https://csrc.nist.gov/CSRC/media/Publications/sp/800-208/draft/documents/sp800-208-draft-comments-received.pdf. Accessed 12 Oct 2020
Anderson, R.: Two remarks on public key cryptology. Unpublished (1997). http://www.cl.cam.ac.uk/users/rja14
Aumasson, J.P., et al.: Sphincs (2020). round 3 Submisstion to NIST Post Quantum Project
Aumasson, J., Endignoux, G.: Clarifying the subset-resilience problem. IACR Cryptol. ePrint Arch. 2017, 909 (2017)
Aumasson, J.-P., Endignoux, G.: Improving stateless hash-based signatures. In: Smart, N.P. (ed.) CT-RSA 2018. LNCS, vol. 10808, pp. 219–242. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76953-0_12
Bellare, M., Miner, S.K.: A forward-secure digital signature scheme. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 431–448. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_28
Bernstein, D.J., et al.: SPHINCS: practical stateless hash-based signatures. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 368–397. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_15
Bernstein, D.J., Hülsing, A., Kölbl, S., Niederhagen, R., Rijneveld, J., Schwabe, P.: The sphincs\(^{\text{+}}\) signature framework. In: Cavallaro, L., Kinder, J., Wang, X., Katz, J. (eds.) CCS 2019, pp. 2129–2146. ACM (2019)
Booth, R., Karati, S.: Isg attack, December 2020. https://github.com/rmbooth2/isg-attack. Accessed 16 Jun 2021
Buchmann, J., Dahmen, E., Hülsing, A.: XMSS - a practical forward secure signature scheme based on minimal security assumptions. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 117–129. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_8
Buchmann, J., Dahmen, E., Klintsevich, E., Okeya, K., Vuillaume, C.: Merkle signatures with virtually unlimited signature capacity. In: Katz, J., Yung, M. (eds.) ACNS 2007. LNCS, vol. 4521, pp. 31–45. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-72738-5_3
Buchmann, J., Dahmen, E., Schneider, M.: Merkle tree traversal revisited. In: Buchmann, J., Ding, J. (eds.) PQCrypto 2008. LNCS, vol. 5299, pp. 63–78. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-88403-3_5
Buchmann, J., García, L.C.C., Dahmen, E., Döring, M., Klintsevich, E.: CMSS – an improved Merkle signature scheme. In: Barua, R., Lange, T. (eds.) INDOCRYPT 2006. LNCS, vol. 4329, pp. 349–363. Springer, Heidelberg (2006). https://doi.org/10.1007/11941378_25
Chase, M., et al.: Picnic: A family of post-quantum secure digital signature algorithms. https://microsoft.github.io/Picnic/
Cooper, D.A., Apon, D.C., Dang, Q.H., Davidson, M.S., Dworkin, M.J., Miller, C.A.: Recommendation for stateful hash-based signature schemes. NIST Special Publication (SP) 800–208 draft (2019). https://doi.org/10.6028/NIST.SP.800-208-draft
Cooper, D.A., Apon, D.C., Dang, Q.H., Davidson, M.S., Dworkin, M.J., Miller, C.A.: Recommendation for stateful hash-based signature schemes. NIST Special Publication (SP) 800–208 (2020). https://doi.org/10.6028/NIST.SP.800-208
Dahmen, E., Okeya, K., Takagi, T., Vuillaume, C.: Digital signatures out of second-preimage resistant hash functions. In: Buchmann, J., Ding, J. (eds.) PQCrypto 2008. LNCS, vol. 5299, pp. 109–123. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-88403-3_8
Dinur, I., Nadler, N.: Multi-target attacks on the picnic signature scheme and related protocols. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 699–727. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_24
Dods, C., Smart, N.P., Stam, M.: Hash based digital signature schemes. In: Smart, N.P. (ed.) Cryptography and Coding 2005. LNCS, vol. 3796, pp. 96–115. Springer, Heidelberg (2005). https://doi.org/10.1007/11586821_8
Gjøsteen, K.: Comments on dual-ec-drbg/nist sp 800–90, draft December 2005, April 2006
Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988)
Hülsing, A.: W-OTS+ – shorter signatures for hash-based signature schemes. In: Youssef, A., Nitaj, A., Hassanien, A.E. (eds.) AFRICACRYPT 2013. LNCS, vol. 7918, pp. 173–188. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38553-7_10
Hülsing, A., Butin, D., Gazdag, S.L., Rijneveld, J., Mohaisen, A.: XMSS: extended Merkle signature scheme. Technical report, RFC 8391 (2018)
Hülsing, A., Rausch, L., Buchmann, J.: Optimal parameters for XMSSMT. In: Cuzzocrea, A., Kittl, C., Simos, D.E., Weippl, E., Xu, L. (eds.) CD-ARES 2013. LNCS, vol. 8128, pp. 194–208. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40588-4_14
Hülsing, A., Rijneveld, J., Schwabe, P.: ARMed SPHINCS - computing a 41 KB signature in 16 KB of RAM. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9614, pp. 446–470. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49384-7_17
Hülsing, A., Rijneveld, J., Song, F.: Mitigating multi-target attacks in hash-based signatures. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9614, pp. 387–416. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49384-7_15
Ishai, Y., Kushilevitz, E., Ostrovsky, R., Sahai, A.: Zero-knowledge proofs from secure multiparty computation. SIAM J. Comput. 39(3), 1121–1152 (2009)
Kalach, K., Safavi-Naini, R.: An efficient post-quantum one-time signature scheme. In: Dunkelman, O., Keliher, L. (eds.) SAC 2015. LNCS, vol. 9566, pp. 331–351. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-31301-6_20
Karati, S.: K2sn-mss, June 2019. https://github.com/skarati/K2SN-MSS. Accessed 21 Jan 2020
Karati, S., Safavi-Naini, R.: K2SN-MSS: an efficient post-quantum signature. In: Galbraith, S.D., Russello, G., Susilo, W., Gollmann, D., Kirda, E., Liang, Z. (eds.) AsiaCCS 2019, pp. 501–514. ACM (2019)
Katz, J.: Analysis of a proposed hash-based signature standard. In: Chen, L., McGrew, D., Mitchell, C. (eds.) SSR 2016. LNCS, vol. 10074, pp. 261–273. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-49100-4_12
Lamport, L.: Constructing digital signatures from a one way function. Technical report CSL-98, October 1979. this paper was published by IEEE in the Proceedings of HICSS-43 in January 2010 (2010)
Lenstra, A.K., Hughes, J.P., Augier, M., Bos, J.W., Kleinjung, T., Wachter, C.: Ron was wrong, whit is right. IACR Cryptol. ePrint Arch. 2012, 64 (2012)
Lyubashevsky, V., Micciancio, D., Peikert, C., Rosen, A.: SWIFFT: a modest proposal for FFT hashing. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 54–72. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-71039-4_4
McGrew, D., Curcio, M.: Hash-based signatures. Internet-Draft draft-mcgrew-hash-sigs-02 (2014). https://datatracker.ietf.org/doc/html/draft-mcgrew-hash-sigs-02
McGrew, D., Curcio, M., Fluhrer, S.: Leighton-Micali hash-based signatures. Technical report, RFC 8554 (2019). https://doi.org/10.17487/RFC8554
Merkle, R.C.: A certified digital signature. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 218–238. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_21
Merkle, R.C.: Secrecy, authentication, and public key systems. Ph.D. thesis, Stanford University (1979)
Rijneveld, J., Hülsing, A., Cooper, D., Westerbaan, B.: XMSS-reference, April 2019. https://github.com/XMSS/xmss-reference/commit/fb7e3f8edce8d412a707f522d597ab3546863202
Schoenmakers, B., Sidorenko, A.: Cryptanalysis of the dual elliptic curve pseudorandom generator. IACR Cryptol. ePrint Arch. 2006, 190 (2006)
Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: FOCS 1994, pp. 124–134. IEEE Computer Society (1994)
Strenzke, F.: An analysis of OpenSSL’s random number generator. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 644–669. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_25
Yang, G., Duan, S., Wong, D.S., Tan, C.H., Wang, H.: Authenticated key exchange under bad randomness. In: Danezis, G. (ed.) FC 2011. LNCS, vol. 7035, pp. 113–126. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-27576-0_10
Acknowledgment
The works of Roland Booth, Yanhong Xu and Reihaneh Safavi-Naini were supported in part by Alberta Innovates Strategic Chair in Information Security Grant and Natural Sciences and Engineering Research Council of Canada Discovery Grant. Roland Booth was also supported by the Natural Sciences and Engineering Research Council of Canada (NSERC), [funding reference number 551629 - 2020]. (Roland Booth a été financé par le Conseil de recherches en sciences naturelles et en génie du Canada (CRSNG), [numéro de référence 551629 - 2020].)
Author information
Authors and Affiliations
Corresponding authors
Editor information
Editors and Affiliations
Appendices
A Description of WOTS+
We now describe the WOTS+ used in [23, 26]. Let w be the Winternitz parameter, n be the security parameter, and \(F:\{0,1\}^n\times \{0,1\}^n\rightarrow \{0,1\}^n\) be a secure hash function. Define \(\ell _1=\left\lceil {\frac{n}{\log _2(w)}}\right\rceil \) and \(\ell _2=\left\lfloor {\frac{\log _2(l_1(w-1))}{\log _2(w)}}\right\rfloor +1\), and \(\ell =\ell _1+\ell _2\). The secret key of WOTS+ is \(\mathsf {osk}=(\mathbf {x}_1,\ldots ,\mathbf {x}_{\ell })\in (\{0,1\}^n)^{\ell }\) and the public key is \(\mathsf {opk}=(\mathbf {y}_1,\ldots ,\mathbf {y}_{\ell })\) where \(\mathbf {y}_i=c^{w-1,0}(\mathbf {x}_i,\mathbf {a}_{c_i},\textsc {PubSeed})\). Here \(\mathbf {a}_{c_i}\) is the address of the i-th chain within the OTS instance, \(\textsc {PubSeed}\) is a public seed, and \(c^{i,j}(\mathbf {x},\mathbf {a}_{c},\textsc {PubSeed})=F(k_{i,j},c^{i-1,j}(\mathbf {x},\mathbf {a}_{c},\textsc {PubSeed})\oplus r_{i,j})\) and \(c^{0,j}(\mathbf {x},\mathbf {a}_{c},\textsc {PubSeed})=\mathbf {x}\) for all \(j\in \mathbb {Z}^+\), where \(k_{i,j},r_{i,j}\) are pseudorandomly computed. To sign a message M, one first computes a base-w representation \(M=(M_1,\ldots , M_{\ell _1})\), then computes the checksum \(C=\sum _{j=1}^{\ell _1}(w-1-M_j)\) and its base-w representation \(C=(C_{1},\ldots , C_{\ell _2})\). Set \(B=(b_1,\ldots , b_{\ell })=M\Vert C\). The signature of M is
The signature \(\sigma =(\mathbf {z}_1,\ldots , \mathbf {z}_{\ell })\) is considered valid if for all \(j\in [1,\ell ]\): \(\mathbf {y}_{j}=c^{w-1-b_j,b_j}(\mathbf {z}_j,\mathbf {a}_{c_j},\textsc {PubSeed})\).
B Deferred Details of the ISG Attack on XMSSMT
Lower Bound on P . Consider a WOTS+ signature \(\sigma \) on a random message M, let \(B=(b_1,\ldots , b_{\ell })\) be its base-w representation. The number of secret strings revealed in \(\sigma \) is the same as the number of \(b_i\) such that \(b_i=0\). Given a random message M, the probability that \(b_i=0\) for \(i\in [1,\ell _1]\) is \(\frac{1}{w}\). Unfortunately, there is no easy way to calculate the probability that \(b_i=0\) for \(i\in [\ell _1+1,\ell ]\). To this end, we provide a lower bound for P. Denote E as the number of \(b_i\) such that \(b_i=0\) for \(i\in [1,\ell ]\) and F as the number of \(b_i\) such that \(b_i=0\) for \(i\in [1,\ell _1]\), then we obtain the following:
Rights and permissions
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Booth, R., Xu, Y., Karati, S., Safavi-Naini, R. (2021). An Intermediate Secret-Guessing Attack on Hash-Based Signatures. In: Nakanishi, T., Nojima, R. (eds) Advances in Information and Computer Security. IWSEC 2021. Lecture Notes in Computer Science(), vol 12835. Springer, Cham. https://doi.org/10.1007/978-3-030-85987-9_11
Download citation
DOI: https://doi.org/10.1007/978-3-030-85987-9_11
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-85986-2
Online ISBN: 978-3-030-85987-9
eBook Packages: Computer ScienceComputer Science (R0)