An Intermediate Secret-Guessing Attack on Hash-Based Signatures

Conference paper, Advances in Information and Computer Security (IWSEC 2021)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12835)

Abstract

Digital signature schemes form the basis of trust in Internet communication. Shor (FOCS 1994) proposed quantum algorithms that can be used by a quantum computer to break the security of today’s widely used digital signature schemes, and this has fuelled intensive research on the design and implementation of post-quantum digital signatures. Hash-based digital signatures base their security on one-way functions that in practice are instantiated by hash functions. Hash-based signatures are widely studied and are part of NIST’s post-quantum standardization effort.

In this paper we present a multi-target attack that we call Intermediate Secret-Guessing attack on two hash-based signatures: XMSSMT (Draft SP 800-208 that was considered by NIST for standardization), and K2SN-MSS (AsiaCCS 2019). The attack allows an adversary to forge a signature on an arbitrary message. We describe the intuition behind the attack and give details of its application on the attacked schemes together with corresponding theoretical analysis. The attack implies that the effective security levels of XMSS (a special case of XMSSMT), XMSSMT, and K2SN-MSS are 10, 39 and 12 bits lower than their designed security levels given access to \(2^{20}\), \(2^{60}\), and \(2^{20}\) signatures, respectively.

We implement the attack for each scheme, and give our results for reduced security parameters that validate our theoretical analysis. We also show that the attack can be avoided by modifying the application of a pseudorandom function for key generation. Our work shows the subtleties of replacing randomness with pseudo-randomness in the key generation of hash-based signatures, and the need for careful analysis of such designs.


Notes

  1. Note that XMSSMT is slightly more complicated since we have more than q OTS signatures from q queried signatures. See Sect. 3 for more detail.

  2. ETSI CyberSupport only outlined the idea of matching a guessed seed with the real seed but did not develop the idea into a full attack.

  3. Security level is calculated as \(\log _2(\tau /\epsilon )\), where \(\tau \) is the runtime and \(\epsilon \) is the success probability of the ISG attack.

  4. https://csrc.nist.gov/projects/post-quantum-cryptography.

  5. This is not compulsory in our attack on XMSSMT, which randomizes the message before signing it.

  6. For XMSSMT, we use the commit “fb7e3f8edce8d412a707f522d597ab3546863202” that was published on Apr 24, 2019, as the weakness was fixed in later commits.

References

  1. Public comments on draft SP 800-208. https://csrc.nist.gov/CSRC/media/Publications/sp/800-208/draft/documents/sp800-208-draft-comments-received.pdf. Accessed 12 Oct 2020

  2. Anderson, R.: Two remarks on public key cryptology. Unpublished (1997). http://www.cl.cam.ac.uk/users/rja14

  3. Aumasson, J.P., et al.: SPHINCS (2020). Round 3 submission to NIST Post-Quantum Project

  4. Aumasson, J., Endignoux, G.: Clarifying the subset-resilience problem. IACR Cryptol. ePrint Arch. 2017, 909 (2017)

  5. Aumasson, J.-P., Endignoux, G.: Improving stateless hash-based signatures. In: Smart, N.P. (ed.) CT-RSA 2018. LNCS, vol. 10808, pp. 219–242. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76953-0_12

  6. Bellare, M., Miner, S.K.: A forward-secure digital signature scheme. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 431–448. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_28

  7. Bernstein, D.J., et al.: SPHINCS: practical stateless hash-based signatures. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 368–397. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_15

  8. Bernstein, D.J., Hülsing, A., Kölbl, S., Niederhagen, R., Rijneveld, J., Schwabe, P.: The SPHINCS+ signature framework. In: Cavallaro, L., Kinder, J., Wang, X., Katz, J. (eds.) CCS 2019, pp. 2129–2146. ACM (2019)

  9. Booth, R., Karati, S.: ISG attack, December 2020. https://github.com/rmbooth2/isg-attack. Accessed 16 Jun 2021

  10. Buchmann, J., Dahmen, E., Hülsing, A.: XMSS - a practical forward secure signature scheme based on minimal security assumptions. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 117–129. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_8

  11. Buchmann, J., Dahmen, E., Klintsevich, E., Okeya, K., Vuillaume, C.: Merkle signatures with virtually unlimited signature capacity. In: Katz, J., Yung, M. (eds.) ACNS 2007. LNCS, vol. 4521, pp. 31–45. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-72738-5_3

  12. Buchmann, J., Dahmen, E., Schneider, M.: Merkle tree traversal revisited. In: Buchmann, J., Ding, J. (eds.) PQCrypto 2008. LNCS, vol. 5299, pp. 63–78. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-88403-3_5

  13. Buchmann, J., García, L.C.C., Dahmen, E., Döring, M., Klintsevich, E.: CMSS – an improved Merkle signature scheme. In: Barua, R., Lange, T. (eds.) INDOCRYPT 2006. LNCS, vol. 4329, pp. 349–363. Springer, Heidelberg (2006). https://doi.org/10.1007/11941378_25

  14. Chase, M., et al.: Picnic: A family of post-quantum secure digital signature algorithms. https://microsoft.github.io/Picnic/

  15. Cooper, D.A., Apon, D.C., Dang, Q.H., Davidson, M.S., Dworkin, M.J., Miller, C.A.: Recommendation for stateful hash-based signature schemes. NIST Special Publication (SP) 800-208 draft (2019). https://doi.org/10.6028/NIST.SP.800-208-draft

  16. Cooper, D.A., Apon, D.C., Dang, Q.H., Davidson, M.S., Dworkin, M.J., Miller, C.A.: Recommendation for stateful hash-based signature schemes. NIST Special Publication (SP) 800-208 (2020). https://doi.org/10.6028/NIST.SP.800-208

  17. Dahmen, E., Okeya, K., Takagi, T., Vuillaume, C.: Digital signatures out of second-preimage resistant hash functions. In: Buchmann, J., Ding, J. (eds.) PQCrypto 2008. LNCS, vol. 5299, pp. 109–123. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-88403-3_8

  18. Dinur, I., Nadler, N.: Multi-target attacks on the Picnic signature scheme and related protocols. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 699–727. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_24

  19. Dods, C., Smart, N.P., Stam, M.: Hash based digital signature schemes. In: Smart, N.P. (ed.) Cryptography and Coding 2005. LNCS, vol. 3796, pp. 96–115. Springer, Heidelberg (2005). https://doi.org/10.1007/11586821_8

  20. Gjøsteen, K.: Comments on Dual-EC-DRBG/NIST SP 800-90, draft December 2005, April 2006

  21. Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988)

  22. Hülsing, A.: W-OTS+ – shorter signatures for hash-based signature schemes. In: Youssef, A., Nitaj, A., Hassanien, A.E. (eds.) AFRICACRYPT 2013. LNCS, vol. 7918, pp. 173–188. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38553-7_10

  23. Hülsing, A., Butin, D., Gazdag, S.L., Rijneveld, J., Mohaisen, A.: XMSS: extended Merkle signature scheme. Technical report, RFC 8391 (2018)

  24. Hülsing, A., Rausch, L., Buchmann, J.: Optimal parameters for XMSSMT. In: Cuzzocrea, A., Kittl, C., Simos, D.E., Weippl, E., Xu, L. (eds.) CD-ARES 2013. LNCS, vol. 8128, pp. 194–208. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40588-4_14

  25. Hülsing, A., Rijneveld, J., Schwabe, P.: ARMed SPHINCS - computing a 41 KB signature in 16 KB of RAM. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9614, pp. 446–470. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49384-7_17

  26. Hülsing, A., Rijneveld, J., Song, F.: Mitigating multi-target attacks in hash-based signatures. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9614, pp. 387–416. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49384-7_15

  27. Ishai, Y., Kushilevitz, E., Ostrovsky, R., Sahai, A.: Zero-knowledge proofs from secure multiparty computation. SIAM J. Comput. 39(3), 1121–1152 (2009)

  28. Kalach, K., Safavi-Naini, R.: An efficient post-quantum one-time signature scheme. In: Dunkelman, O., Keliher, L. (eds.) SAC 2015. LNCS, vol. 9566, pp. 331–351. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-31301-6_20

  29. Karati, S.: K2SN-MSS, June 2019. https://github.com/skarati/K2SN-MSS. Accessed 21 Jan 2020

  30. Karati, S., Safavi-Naini, R.: K2SN-MSS: an efficient post-quantum signature. In: Galbraith, S.D., Russello, G., Susilo, W., Gollmann, D., Kirda, E., Liang, Z. (eds.) AsiaCCS 2019, pp. 501–514. ACM (2019)

  31. Katz, J.: Analysis of a proposed hash-based signature standard. In: Chen, L., McGrew, D., Mitchell, C. (eds.) SSR 2016. LNCS, vol. 10074, pp. 261–273. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-49100-4_12

  32. Lamport, L.: Constructing digital signatures from a one way function. Technical report CSL-98, October 1979. This paper was published by IEEE in the Proceedings of HICSS-43 in January 2010 (2010)

  33. Lenstra, A.K., Hughes, J.P., Augier, M., Bos, J.W., Kleinjung, T., Wachter, C.: Ron was wrong, Whit is right. IACR Cryptol. ePrint Arch. 2012, 64 (2012)

  34. Lyubashevsky, V., Micciancio, D., Peikert, C., Rosen, A.: SWIFFT: a modest proposal for FFT hashing. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 54–72. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-71039-4_4

  35. McGrew, D., Curcio, M.: Hash-based signatures. Internet-Draft draft-mcgrew-hash-sigs-02 (2014). https://datatracker.ietf.org/doc/html/draft-mcgrew-hash-sigs-02

  36. McGrew, D., Curcio, M., Fluhrer, S.: Leighton-Micali hash-based signatures. Technical report, RFC 8554 (2019). https://doi.org/10.17487/RFC8554

  37. Merkle, R.C.: A certified digital signature. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 218–238. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_21

  38. Merkle, R.C.: Secrecy, authentication, and public key systems. Ph.D. thesis, Stanford University (1979)

  39. Rijneveld, J., Hülsing, A., Cooper, D., Westerbaan, B.: XMSS-reference, April 2019. https://github.com/XMSS/xmss-reference/commit/fb7e3f8edce8d412a707f522d597ab3546863202

  40. Schoenmakers, B., Sidorenko, A.: Cryptanalysis of the dual elliptic curve pseudorandom generator. IACR Cryptol. ePrint Arch. 2006, 190 (2006)

  41. Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: FOCS 1994, pp. 124–134. IEEE Computer Society (1994)

  42. Strenzke, F.: An analysis of OpenSSL’s random number generator. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 644–669. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_25

  43. Yang, G., Duan, S., Wong, D.S., Tan, C.H., Wang, H.: Authenticated key exchange under bad randomness. In: Danezis, G. (ed.) FC 2011. LNCS, vol. 7035, pp. 113–126. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-27576-0_10


Acknowledgment

The work of Roland Booth, Yanhong Xu and Reihaneh Safavi-Naini was supported in part by the Alberta Innovates Strategic Chair in Information Security Grant and a Natural Sciences and Engineering Research Council of Canada Discovery Grant. Roland Booth was also supported by the Natural Sciences and Engineering Research Council of Canada (NSERC), [funding reference number 551629 - 2020]. (Roland Booth was funded by the Natural Sciences and Engineering Research Council of Canada (NSERC), [reference number 551629 - 2020].)


Corresponding authors

Correspondence to Roland Booth or Yanhong Xu.


Appendices

A Description of WOTS+

We now describe the WOTS+ used in [23, 26]. Let w be the Winternitz parameter, n be the security parameter, and \(F:\{0,1\}^n\times \{0,1\}^n\rightarrow \{0,1\}^n\) be a secure hash function. Define \(\ell _1=\left\lceil {\frac{n}{\log _2(w)}}\right\rceil \), \(\ell _2=\left\lfloor {\frac{\log _2(\ell _1(w-1))}{\log _2(w)}}\right\rfloor +1\), and \(\ell =\ell _1+\ell _2\). The secret key of WOTS+ is \(\mathsf {osk}=(\mathbf {x}_1,\ldots ,\mathbf {x}_{\ell })\in (\{0,1\}^n)^{\ell }\) and the public key is \(\mathsf {opk}=(\mathbf {y}_1,\ldots ,\mathbf {y}_{\ell })\) where \(\mathbf {y}_i=c^{w-1,0}(\mathbf {x}_i,\mathbf {a}_{c_i},\textsc {PubSeed})\). Here \(\mathbf {a}_{c_i}\) is the address of the i-th chain within the OTS instance, \(\textsc {PubSeed}\) is a public seed, and \(c^{i,j}(\mathbf {x},\mathbf {a}_{c},\textsc {PubSeed})=F(k_{i,j},c^{i-1,j}(\mathbf {x},\mathbf {a}_{c},\textsc {PubSeed})\oplus r_{i,j})\) and \(c^{0,j}(\mathbf {x},\mathbf {a}_{c},\textsc {PubSeed})=\mathbf {x}\) for all \(j\in \mathbb {Z}^+\), where the keys \(k_{i,j}\) and bitmasks \(r_{i,j}\) are computed pseudorandomly from \(\textsc {PubSeed}\) and the chain address. To sign a message M, one first computes a base-w representation \(M=(M_1,\ldots , M_{\ell _1})\), then computes the checksum \(C=\sum _{j=1}^{\ell _1}(w-1-M_j)\) and its base-w representation \(C=(C_{1},\ldots , C_{\ell _2})\). Set \(B=(b_1,\ldots , b_{\ell })=M\Vert C\). The signature of M is

$$\sigma =(\mathbf {z}_1,\ldots , \mathbf {z}_{\ell })=(c^{b_1,0}(\mathbf {x}_1,\mathbf {a}_{c_1},\textsc {PubSeed}),\ldots , c^{b_{\ell },0}(\mathbf {x}_{\ell },\mathbf {a}_{c_{\ell }},\textsc {PubSeed})).$$

The signature \(\sigma =(\mathbf {z}_1,\ldots , \mathbf {z}_{\ell })\) is considered valid if for all \(j\in [1,\ell ]\): \(\mathbf {y}_{j}=c^{w-1-b_j,b_j}(\mathbf {z}_j,\mathbf {a}_{c_j},\textsc {PubSeed})\).

B Deferred Details of the ISG Attack on XMSSMT

Lower Bound on P. Consider a WOTS+ signature \(\sigma \) on a random message M, and let \(B=(b_1,\ldots , b_{\ell })\) be its base-w representation. The number of secret strings revealed in \(\sigma \) equals the number of indices i with \(b_i=0\), since for such an index the signature element \(\mathbf {z}_i=c^{0,0}(\mathbf {x}_i,\cdot ,\cdot )\) is the secret string \(\mathbf {x}_i\) itself. For a random message M, the probability that \(b_i=0\) for \(i\in [1,\ell _1]\) is \(\frac{1}{w}\). There is no easy way to calculate the probability that \(b_i=0\) for \(i\in [\ell _1+1,\ell ]\) (the checksum part), so we give a lower bound for P instead. Let E be the number of \(b_i\) with \(b_i=0\) for \(i\in [1,\ell ]\), and F the number of \(b_i\) with \(b_i=0\) for \(i\in [1,\ell _1]\). Since \(E\ge F\), we obtain the following:

$$\begin{aligned} P=\Pr [E\ge 2] \ge \Pr [F\ge 2] &= 1-\Pr [F=0]-\Pr [F=1]\\ &= 1-\left(1-\frac{1}{w}\right)^{\ell _1}-\frac{\ell _1}{w}\left(1-\frac{1}{w}\right)^{\ell _1-1}. \end{aligned}$$
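The following worked example is added here to make Appendix A and Appendix B concrete; it is not code from the paper or from the authors' implementation in [9]. It implements WOTS+ key generation, signing and verification exactly along the lines of the appendix (chains \(c^{i,j}\) built from \(F(k, \cdot \oplus r)\), base-w message and checksum digits, \(\ell _1\), \(\ell _2\), \(\ell \)), counts how many secret strings \(\mathbf {x}_i\) a given signature reveals (the E of Appendix B, i.e. the number of \(b_i=0\)), and compares the Appendix B lower bound on P with a Monte Carlo estimate over random messages. Assumptions not in the paper: n = 256 bits and w = 16; F is modelled as SHA-256(k || x); the per-step keys and masks are derived with SHA-256 from PubSeed, the chain index and the step position (the real XMSS PRF and address format are not reproduced); the signed message is already an n-bit digest; and the secret key is drawn from os.urandom.

```python
"""Added example: WOTS+ as described in Appendix A, plus the revealed-secret
count and the Pr[E >= 2] lower bound of Appendix B. Not the paper's code."""
import hashlib
import math
import os
import random

N_BYTES = 32   # assumption: n = 256 bits, so every chain value is 32 bytes
W = 16         # assumption: Winternitz parameter w = 16 (a power of two)


def wots_params(n_bits=8 * N_BYTES, w=W):
    """ell_1, ell_2 and ell exactly as defined in Appendix A."""
    l1 = math.ceil(n_bits / math.log2(w))
    l2 = math.floor(math.log2(l1 * (w - 1)) / math.log2(w)) + 1
    return l1, l2, l1 + l2


def F(key, x):
    """Keyed n-bit function F(k, x). Assumption: modelled as SHA-256(k || x)."""
    return hashlib.sha256(key + x).digest()


def key_and_mask(pubseed, chain_addr, pos):
    """Pseudorandom key k and bitmask r for one chain step. Assumption: derived
    with SHA-256 over PubSeed, the chain address and the step position; the
    appendix only states that they are computed pseudorandomly."""
    tag = chain_addr.to_bytes(4, "big") + pos.to_bytes(4, "big")
    return (hashlib.sha256(b"\x00" + pubseed + tag).digest(),
            hashlib.sha256(b"\x01" + pubseed + tag).digest())


def chain(x, start, steps, chain_addr, pubseed):
    """c^{steps,start}: apply F(k, . xor r) 'steps' times from position 'start'.
    k and r are indexed by absolute position, so that
    c^{w-1-b, b}(c^{b,0}(x)) == c^{w-1,0}(x), which is what verification needs."""
    for pos in range(start, start + steps):
        k, r = key_and_mask(pubseed, chain_addr, pos)
        x = F(k, bytes(a ^ b for a, b in zip(x, r)))
    return x


def base_w(value, digits, w=W):
    """Most-significant-first base-w digits of an integer (w a power of two)."""
    bits = int(math.log2(w))
    return [(value >> (bits * (digits - 1 - i))) & (w - 1) for i in range(digits)]


def encode(msg_digest, w=W):
    """B = M || C: base-w digits of the n-bit message and of its checksum."""
    l1, l2, _ = wots_params(8 * len(msg_digest), w)
    m = base_w(int.from_bytes(msg_digest, "big"), l1, w)
    c = base_w(sum(w - 1 - mj for mj in m), l2, w)   # C = sum(w-1-M_j) < w^ell_2
    return m + c


def keygen(pubseed):
    """osk = ell random n-bit strings; opk_i = c^{w-1,0}(x_i) (assumption: os.urandom)."""
    _, _, ell = wots_params()
    osk = [os.urandom(N_BYTES) for _ in range(ell)]
    opk = [chain(osk[i], 0, W - 1, i, pubseed) for i in range(ell)]
    return osk, opk


def sign(osk, msg_digest, pubseed):
    """z_i = c^{b_i,0}(x_i): a digit b_i = 0 outputs the secret string x_i unchanged."""
    b = encode(msg_digest)
    return [chain(osk[i], 0, b[i], i, pubseed) for i in range(len(b))]


def verify(opk, msg_digest, sig, pubseed):
    """Accept iff y_i == c^{w-1-b_i, b_i}(z_i) for every chain i."""
    b = encode(msg_digest)
    return all(chain(sig[i], b[i], W - 1 - b[i], i, pubseed) == opk[i]
               for i in range(len(b)))


def revealed_secrets(msg_digest):
    """E of Appendix B: the number of b_i == 0, i.e. secret strings leaked by one signature."""
    return sum(1 for bi in encode(msg_digest) if bi == 0)


def p_lower_bound(w=W, n_bits=8 * N_BYTES):
    """Appendix B: P >= 1 - (1-1/w)^ell_1 - (ell_1/w)(1-1/w)^(ell_1-1)."""
    l1, _, _ = wots_params(n_bits, w)
    q = 1 - 1 / w
    return 1 - q ** l1 - (l1 / w) * q ** (l1 - 1)


def p_estimate(trials=20000, seed=1):
    """Monte Carlo estimate of Pr[E >= 2] over constructed uniformly random digests."""
    rng = random.Random(seed)
    hits = sum(1 for _ in range(trials)
               if revealed_secrets(rng.getrandbits(8 * N_BYTES).to_bytes(N_BYTES, "big")) >= 2)
    return hits / trials


if __name__ == "__main__":
    seed = bytes(N_BYTES)                       # constructed PubSeed
    osk, opk = keygen(seed)
    digest = hashlib.sha256(b"constructed message").digest()
    sig = sign(osk, digest, seed)
    print("params (ell_1, ell_2, ell):", wots_params())
    print("verifies:", verify(opk, digest, sig, seed))
    print("secret strings revealed by this signature:", revealed_secrets(digest))
    print("lower bound on P:", round(p_lower_bound(), 4), "estimate:", p_estimate())
```

The count returned by revealed_secrets is the quantity an auditor of a stateful hash-based signature deployment cares about: every signature hands out that many chain starting values in the clear, which is exactly why the paper's argument depends on how those starting values were generated. The estimate of Pr[E >= 2] is always at least the closed-form bound because E counts zero digits in the checksum part too, whereas the bound only counts the message part.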


© 2021 Springer Nature Switzerland AG


Cite this paper

Booth, R., Xu, Y., Karati, S., Safavi-Naini, R. (2021). An Intermediate Secret-Guessing Attack on Hash-Based Signatures. In: Nakanishi, T., Nojima, R. (eds) Advances in Information and Computer Security. IWSEC 2021. Lecture Notes in Computer Science, vol 12835. Springer, Cham. https://doi.org/10.1007/978-3-030-85987-9_11


  • DOI: https://doi.org/10.1007/978-3-030-85987-9_11


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-85986-2

  • Online ISBN: 978-3-030-85987-9
