Abstract
This work presents a novel machine-checked tight security proof for \(\textrm{XMSS} \)—a stateful hash-based signature scheme that is (1) standardized in RFC 8391 and NIST SP 800-208, and (2) employed as a primary building block of \(\mathrm {SPHINCS^{+}} \), one of the signature schemes recently selected for standardization as a result of NIST’s post-quantum competition.
In 2020, Kudinov, Kiktenko, and Fedorov pointed out a flaw affecting the tight security proofs of \(\mathrm {SPHINCS^{+}} \) and \(\textrm{XMSS} \). For the case of \(\mathrm {SPHINCS^{+}} \), this flaw was fixed in a subsequent tight security proof by Hülsing and Kudinov. Unfortunately, employing the fix from this proof to construct an analogous tight security proof for \(\textrm{XMSS} \) would merely demonstrate security with respect to an insufficient notion.
At the cost of modeling the message-hashing function as a random oracle, we complete the tight security proof for \(\textrm{XMSS} \) and formally verify it using the EasyCrypt proof assistant. (Note that this merely extends the use of the random oracle model, as this model is already required in other parts of the security analysis to justify the currently standardized parameter values). As part of this endeavor, we formally verify the crucial step common to the security proofs of \(\mathrm {SPHINCS^{+}} \) and \(\textrm{XMSS} \) that was found to be flawed before, thereby confirming that the core of the aforementioned security proof by Hülsing and Kudinov is correct.
As this is the first work to formally verify proofs for hash-based signature schemes in EasyCrypt, we develop several novel libraries for the fundamental cryptographic concepts underlying such schemes—e.g., hash functions and digital signature schemes—establishing a common starting point for future formal verification efforts. These libraries will be particularly helpful in formally verifying proofs of other hash-based signature schemes such as \(\textrm{LMS} \) or \(\mathrm {SPHINCS^{+}} \).
Notes
1. The parameter space of THFs is analogous to the key space of KHFs.
2. For example, \(\textrm{XMSS} \) employs multiple instances of \(\textrm{WOTS} \text {-}\textrm{TW} \), each of which is provided an address to perform its operations with. Since each instance manipulates and uses the same part of the provided address in an identical manner, \(\textrm{XMSS} \) ensures the part that is not considered by the \(\textrm{WOTS} \text {-}\textrm{TW} \) instances is different for each instance in order to still guarantee the uniqueness of the utilized addresses between instances.
3. Although one could consider the \(\textrm{SEUF}\text {-}\textrm{CMA}\) security notion for \(\textrm{XMSS} \text {-}\textrm{TW} \) (which is slightly stronger than \(\textrm{EUF}\text {-}\textrm{CMA}\)), we refrain from doing so because this would clutter the overall proof (and formal verification) without providing novel insights or being particularly relevant for most applications.
4. In [13], the authors introduce this property as \(\textrm{D}\text {-}\textrm{EF}\text {-}\textrm{naCMA}\).
5. Consequently, in practice, it may be the case that, e.g., the chain index and the tree height index refer to the same location of an address.
6. Whether the nodes along the reconstructed path are left or right children can be determined from the value of i.
7. For example, as previously mentioned, an address may contain additional indices that differentiate the context in an encompassing structure.
8. As such, it suffices to consider l simultaneous \(\textrm{WOTS} \text {-}\textrm{TW} ^{\$}\) instances and, accordingly, only allow l queries to the challenge oracle.
9. Thus, allowing for at most l targets is sufficient, as this is precisely the number of considered \(\textrm{WOTS} \text {-}\textrm{TW} ^{\$}\) public keys.
10. Hence, allowing for at most \(l - 1\) targets is sufficient, since this is exactly the number of nodes in the Merkle tree (excluding the leaves).
11. In the final bound, we get an extra one in the numerator. This is merely a proof artifact caused by the reduction adversary having to make a final query to verify the forgery.
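The Merkle root reconstruction that notes 6 and 10 refer to (left/right child decided by the bits of the leaf index i, and l - 1 internal nodes for l leaves), as an added Python illustration that is not code from the paper or its EasyCrypt development; plain SHA-256 stands in for the tweakable hash, and the leaf values are constructed:

```python
# Added illustration, not code from the paper. Assumptions: nodes are hashed
# as SHA-256(left || right); a real XMSS tree uses a tweakable hash keyed by a
# public seed and an address. Leaves stand in for WOTS-TW public keys.
import hashlib
from typing import List

def node_hash(left: bytes, right: bytes) -> bytes:
    # Stand-in for the tweakable hash; argument order matters.
    return hashlib.sha256(left + right).digest()

def build_tree(leaves: List[bytes]) -> List[List[bytes]]:
    """Return all levels, leaves first; the root is the single node of the last level."""
    assert leaves and len(leaves) & (len(leaves) - 1) == 0, "need 2^h leaves"
    levels = [leaves]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([node_hash(prev[j], prev[j + 1]) for j in range(0, len(prev), 2)])
    return levels

def internal_node_count(levels: List[List[bytes]]) -> int:
    # Every node except the leaves: l - 1 for l leaves (note 10).
    return sum(len(lvl) for lvl in levels[1:])

def auth_path(levels: List[List[bytes]], i: int) -> List[bytes]:
    """Sibling of each node on the path from leaf i to the root, bottom-up."""
    path, idx = [], i
    for lvl in levels[:-1]:
        path.append(lvl[idx ^ 1])
        idx >>= 1
    return path

def root_from_path(leaf: bytes, i: int, path: List[bytes]) -> bytes:
    """Recompute the root from leaf i and its authentication path.

    Bit k of i says whether the node at height k is a right (1) or left (0)
    child, which fixes the argument order of the hash (note 6)."""
    node = leaf
    for k, sibling in enumerate(path):
        node = node_hash(sibling, node) if (i >> k) & 1 else node_hash(node, sibling)
    return node

# Constructed sample tree with 8 leaves (height h = 3).
LEAVES = [hashlib.sha256(bytes([b])).digest() for b in range(8)]
LEVELS = build_tree(LEAVES)
ROOT = LEVELS[-1][0]
```

Verifying a signature amounts to checking that `root_from_path` returns the public root; using a wrong index flips the hash argument order at some height and yields a different value.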
References
Almeida, J.B., Baritel-Ruet, C., Barbosa, M., Barthe, G., Dupressoir, F., Grégoire, B., Laporte, V., Oliveira, T., Stoughton, A., Strub, P.-Y.: Machine-checked proofs for cryptographic standards: indifferentiability of sponge and secure high-assurance implementations of SHA-3. In: Cavallaro, L., Kinder, J., Wang, X., Katz, J. (eds.) ACM CCS 2019, pp. 1607–1622. ACM Press, Nov. (2019)
Barbosa, M., Barthe, G., Bhargavan, K., Blanchet, B., Cremers, C., Liao, K., Parno B.: SoK: computer-aided cryptography. In: 2021 IEEE Symposium on Security and Privacy (SP), pp. 777–795. IEEE Computer Society (2021)
Barbosa, M., Barthe, G., Fan, X., Grégoire, B., Hung, S.-H., Katz, J., Strub, P.-Y., Wu, X., Zhou, L.: EasyPQC: verifying post-quantum cryptography. In: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, CCS 2021, New York, NY, USA, pp. 2564–2586. Association for Computing Machinery (2021)
Barthe, G., Crespo, J.M., Grégoire, B., Kunz, C., Zanella Béguelin, S.: Computer-aided cryptographic proofs. In: Beringer, L., Felty, A. (eds.) ITP 2012. LNCS, vol. 7406, pp. 11–27. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32347-8_2
Barthe, G., Grégoire, B., Lakhnech, Y., Zanella Béguelin, S.: Beyond provable security verifiable IND-CCA security of OAEP. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 180–196. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19074-2_13
Bernstein, D.J., Hülsing, A., Kölbl, S., Niederhagen, R., Rijneveld, J., Schwabe, P.: The SPHINCS\(^+\) signature framework. In: Cavallaro, L., Kinder, J., Wang, X., Katz, J. (eds.) ACM CCS 2019, pp. 2129–2146. ACM Press (2019)
Bos, J.W., Hülsing, A., Renes, J., van Vredendaal, C.: Rapidly verifiable XMSS signatures. IACR TCHES 2021(1), 137–168 (2021). https://tches.iacr.org/index.php/TCHES/article/view/8730
Cooper, D., Apon, D., Dang, Q., Davidson, M., Dworkin, M., Miller, C.: Recommendation for stateful hash-based signature schemes (2020)
Cremers, C., Horvat, M., Hoyland, J., Scott, S., van der Merwe, T.: A comprehensive symbolic analysis of TLS 1.3. In: Thuraisingham, B.M., Evans, D., Malkin, T., Xu, D. (eds.) ACM CCS 2017, pp. 1773–1788. ACM Press (2017)
Grilo, A.B., Hövelmanns, K., Hülsing, A., Majenz, C.: Tight adaptive reprogramming in the QROM. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021. LNCS, vol. 13090, pp. 637–667. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92062-3_22
Grumbling, E., Horowitz, M.: Quantum Computing: Progress and Prospects. National Academies of Sciences, Engineering, and Medicine. The National Academies Press, 1st edn. (2019)
Huelsing, A., Butin, D., Gazdag, S.-L., Rijneveld, J., Mohaisen, A.: XMSS: eXtended Merkle Signature Scheme. RFC 8391 (2018)
Hülsing, A., Kudinov, M.: Recovering the tight security proof of SPHINCS\(^{+}\). In: Agrawal, S., Lin, D. (eds.) Advances in Cryptology - ASIACRYPT 2022, pp. 3–33. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-22972-5_1
Hülsing, A., Meijers, M., Strub, P.-Y.: Formal verification of Saber’s public-key encryption scheme in EasyCrypt. In: Dodis, Y., Shrimpton, T. (eds.) Advances in Cryptology - CRYPTO 2022, pp. 622–653. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-15802-5_22
Hülsing, A., Rijneveld, J., Song, F.: Mitigating multi-target attacks in hash-based signatures. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9614, pp. 387–416. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49384-7_15
Koblitz, N., Menezes, A.J.: Critical perspectives on provable security: fifteen years of “another look” papers. Adv. Math. Commun. 13(4), 517–558 (2019)
Kudinov, M., Kiktenko, E., Fedorov, A.: [pqc-forum] round 3 official comment: Sphincs+ (2020). https://csrc.nist.gov/CSRC/media/Projects/post-quantum-cryptography/documents/round-3/official-comments/Sphincs-Plus-round3-official-comment.pdf. Accessed 1 Feb 2022
McGrew, D., Curcio, M., Fluhrer, S.: Leighton-Micali Hash-Based Signatures. RFC 8554 (2019)
Mosca, M.: Cybersecurity in an era with quantum computers: will we be ready? IEEE Secur. Priv. 16, 38–41 (2018)
NIST, National Institute of Standards and Technology: Announcing request for nominations for public-key post-quantum cryptographic algorithms (2016). https://csrc.nist.gov/News/2016/Public-Key-Post-Quantum-Cryptographic-Algorithms
NIST, National Institute of Standards and Technology: PQC standardization process: announcing four candidates to be standardized, plus fourth round candidates (2022). https://csrc.nist.gov/News/2022/pqc-candidates-to-be-standardized-and-round-4
Perlner, R., Kelsey, J., Cooper, D.: Breaking category five SPHINCS\(^{+}\) with SHA-256. In: Cheon, J.H., Johansson, T. (eds.) Post-Quantum Cryptography, pp. 501–522. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-17234-2_23
Zhandry, M.: How to record quantum queries, and applications to quantum indifferentiability. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part II. LNCS, vol. 11693, pp. 239–268. Springer, Heidelberg (2019). https://doi.org/10.1007/978-3-030-26951-7_9
Acknowledgments
Andreas Hülsing and Matthias Meijers are funded by an NWO VIDI grant (Project No. VI.Vidi.193.066). We thank the Formosa Crypto consortium for support and discussions.
Copyright information
© 2023 International Association for Cryptologic Research
About this paper
Cite this paper
Barbosa, M., Dupressoir, F., Grégoire, B., Hülsing, A., Meijers, M., Strub, PY. (2023). Machine-Checked Security for \(\textrm{XMSS} \) as in RFC 8391 and \(\mathrm {SPHINCS^{+}} \). In: Handschuh, H., Lysyanskaya, A. (eds) Advances in Cryptology – CRYPTO 2023. CRYPTO 2023. Lecture Notes in Computer Science, vol 14085. Springer, Cham. https://doi.org/10.1007/978-3-031-38554-4_14
DOI: https://doi.org/10.1007/978-3-031-38554-4_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-38553-7
Online ISBN: 978-3-031-38554-4
eBook Packages: Computer Science, Computer Science (R0)