Analysis of a Proposed Hash-Based Signature Standard
We analyze the concrete security of a hash-based signature scheme described in a recent series of Internet Drafts by McGrew and Curcio. We show that an original version of their proposal achieves only a “loose” security bound, but that the latest version can be proven to have tighter security in the random-oracle model.
I thank Laurie E. Law and Jerome A. Solinas for their encouragement and suggestions, as well as for bringing the Leighton-Micali patent to my attention.
- 4.Hülsing, A., Butin, D., Gazdag, S., Mohaisen, A.: XMSS: extended hash-based signatures. Internet Draft draft-irtf-cfrg-xmss-hash-based-signatures-06, 6 July 2016. http://datatracker.ietf.org
- 7.Lamport, L.: Constructing digital signatures from a one-way function. Technical Report SRI-CSL-98, SRI Intl. Computer Science Laboratory (1979)
- 8.Leighton, F.T., Micali, S.: Large provably fast and secure digital signature schemes based on secure hash functions. U.S. Patent 5,432,852, 11 July 1995
- 9.McGrew, D., Curcio, M.: Hash-based signatures. Internet Draft draft-mcgrew-hash-sigs-02, 4 July 2014. https://datatracker.ietf.org/doc/draft-mcgrew-hash-sigs/02
- 10.McGrew, D., Curcio, M.: Hash-based signatures. Internet Draft draft-mcgrew-hash-sigs-04, 21 March 2016. https://datatracker.ietf.org/doc/draft-mcgrew-hash-sigs
- 11.Merkle, R.C.: Secrecy, authentication, and public-key systems. Ph.D. Thesis, Stanford University (1979)
- 13.Naor, M., Yung, M.: Universal one-way hash functions and their cryptographic applications. In: Proceedings of 21st Annual Symposium on Theory of Computing (STOC), pp. 33–44. ACM (1989)
- 14.Rompel, J.: One-way functions are necessary and sufficient for secure signatures. In: Proceedings of 22nd Annual ACM Symposium on Theory of Computing (STOC), pp. 387–394. ACM (1990)