Public-Key Cryptography – PKC 2016, pp. 387–416

# Mitigating Multi-target Attacks in Hash-Based Signatures

## Abstract

This work introduces XMSS-T, a new stateful hash-based signature scheme with tight security. Previous hash-based signature schemes suffer a security loss that is linear in performance parameters such as the total tree height. Our new scheme achieves the same security level while using hash functions with a smaller output length, which immediately leads to a smaller signature size. The same techniques also apply directly to the recent stateless hash-based signature scheme SPHINCS (Eurocrypt 2015), whose signature size is reduced as well.

More specifically, the tight security stems from new multi-target notions of hash-function properties which we define and analyze. We show the precise complexity of breaking these security properties under both classical and quantum generic attacks, thus establishing a reliable estimate of the quantum security of XMSS-T. In particular, we prove quantum query complexity bounds tailored to cryptographic applications, which overcome some limitations of standard techniques in quantum query complexity, such as their usual restriction to worst-case complexity. Our proof techniques may be useful elsewhere.
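The following toy experiment is an added illustration, not code from the paper: it shows the loss the abstract describes, namely that when an attacker may hit any of t hash values a signature scheme publishes, generic second-preimage search becomes roughly t times cheaper, and that the advantage disappears once every target is computed under its own key. The 16-bit truncated hash, the key/message pairs and the candidate strings are constructed for the experiment; the keyed variant models the domain-separation idea in general, not XMSS-T's exact construction.

```python
import hashlib

N_BITS = 16                      # constructed toy output length; keeps the search fast
MAX_QUERIES = 1 << (N_BITS + 4)  # budget far above the ~2^N_BITS queries a keyed hit needs

def h(data: bytes) -> int:
    """Toy hash: SHA-256 truncated to N_BITS bits."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - N_BITS)

def make_targets(t: int):
    """Constructed target set: t (key, message) pairs the signer has published."""
    return [(b"key-%d" % i, b"msg-%d" % i) for i in range(t)]

def attack_unkeyed(targets, run: int):
    """Second-preimage search when all targets use the same unkeyed h(m):
    one query is compared against every target at once (dict lookup)."""
    table = {h(m): i for i, (_, m) in enumerate(targets)}
    for q in range(1, MAX_QUERIES + 1):
        x = b"cand-%d-%d" % (run, q)
        i = table.get(h(x))
        if i is not None and x != targets[i][1]:
            return q, i, x          # (queries used, target hit, second preimage)
    raise RuntimeError("no second preimage within the query budget")

def attack_keyed(targets, run: int):
    """Same search when target i is h(k_i || m_i) under its own key k_i:
    a query commits to one key, so it can only match that one target."""
    digests = [h(k + m) for k, m in targets]
    for q in range(1, MAX_QUERIES + 1):
        i = q % len(targets)        # attacker cycles through the targets
        x = b"cand-%d-%d" % (run, q)
        if h(targets[i][0] + x) == digests[i] and x != targets[i][1]:
            return q, i, x
    raise RuntimeError("no second preimage within the query budget")

def verify(targets, keyed: bool, i: int, x: bytes) -> bool:
    """Independent check that x is a second preimage for target i."""
    k, m = targets[i]
    return x != m and (h(k + x) == h(k + m) if keyed else h(x) == h(m))

def compare(t: int = 256, runs: int = 5):
    """Average queries to the first success in each setting: (unkeyed, keyed).
    Expect roughly 2^N_BITS / t for unkeyed and 2^N_BITS for keyed."""
    targets = make_targets(t)
    unkeyed = sum(attack_unkeyed(targets, r)[0] for r in range(runs)) / runs
    keyed = sum(attack_keyed(targets, r)[0] for r in range(runs)) / runs
    return unkeyed, keyed
```

With 256 targets and a 16-bit hash, `compare()` typically reports a few hundred queries for the unkeyed setting against tens of thousands for the keyed one, which is the factor-t gap that forces unkeyed schemes to use a longer hash output.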

We also implement XMSS-T and compare its performance to that of XMSS (PQCrypto 2011), the most recent stateful hash-based signature scheme before our work.

## Keywords

Post-quantum cryptography, Hash-based signatures, Hash function security, Multi-target attacks, Quantum query complexity

## References

1. Aaronson, S., Shi, Y.: Quantum lower bounds for the collision and the element distinctness problems. J. ACM **51**(4), 595–605 (2004)
2. Ambainis, A.: Quantum lower bounds by quantum arguments. J. Comput. Syst. Sci. **64**(4), 750–767 (2002)
3. Beals, R., Buhrman, H., Cleve, R., Mosca, M., De Wolf, R.: Quantum lower bounds by polynomials. J. ACM **48**(4), 778–797 (2001)
4. Bennett, C.H., Bernstein, E., Brassard, G., Vazirani, U.: Strengths and weaknesses of quantum computing. SIAM J. Comput. **26**(5), 1510–1523 (1997)
5. Bernstein, D.J., Hopwood, D., Hülsing, A., Lange, T., Niederhagen, R., Papachristodoulou, L., Schneider, M., Schwabe, P., Wilcox-O’Hearn, Z.: SPHINCS: practical stateless hash-based signatures. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 368–397. Springer, Heidelberg (2015)
6. Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011)
7. Boyer, M., Brassard, G., Høyer, P., Tapp, A.: Tight bounds on quantum searching. arXiv preprint quant-ph/9605034 (1996)
8. Brassard, G., Hoyer, P., Mosca, M., Tapp, A.: Quantum amplitude amplification and estimation. Contemp. Math. **305**, 53–74 (2002)
9. Brassard, G., Hoyer, P., Tapp, A.: Quantum algorithm for the collision problem. arXiv preprint quant-ph/9705002 (1997)
10. Brassard, G., Høyer, P., Tapp, A.: Quantum counting. In: Larsen, K.G., Skyum, S., Winskel, G. (eds.) ICALP 1998. LNCS, vol. 1443, pp. 820–831. Springer, Heidelberg (1998)
11. Buchmann, J., Dahmen, E., Ereth, S., Hülsing, A., Rückert, M.: On the security of the Winternitz one-time signature scheme. In: Nitaj, A., Pointcheval, D. (eds.) AFRICACRYPT 2011. LNCS, vol. 6737, pp. 363–378. Springer, Heidelberg (2011)
12. Buchmann, J., Dahmen, E., Hülsing, A.: XMSS - a practical forward secure signature scheme based on minimal security assumptions. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 117–129. Springer, Heidelberg (2011)
13. Buchmann, J., Dahmen, E., Schneider, M.: Merkle tree traversal revisited. In: Buchmann, J., Ding, J. (eds.) PQCrypto 2008. LNCS, vol. 5299, pp. 63–78. Springer, Heidelberg (2008)
14. Carter, J.L., Wegman, M.N.: Universal classes of hash functions. In: Proceedings of the Ninth Annual ACM Symposium on Theory of Computing, pp. 106–112. ACM (1977)
15. Dahmen, E., Okeya, K., Takagi, T., Vuillaume, C.: Digital signatures out of second-preimage resistant hash functions. In: Buchmann, J., Ding, J. (eds.) PQCrypto 2008. LNCS, vol. 5299, pp. 109–123. Springer, Heidelberg (2008)
16. Eaton, E., Song, F.: Making existential-unforgeable signatures strongly unforgeable in the quantum random-oracle model. In: 10th Conference on the Theory of Quantum Computation, Communication and Cryptography, TQC, 20–22 May 2015, Brussels, Belgium, pp. 147–162 (2015)
17. Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. **17**(2), 281–308 (1988)
18. Grover, L.K.: A fast quantum mechanical algorithm for database search. In: Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing, pp. 212–219. ACM (1996)
19. Halevi, S., Krawczyk, H.: Strengthening digital signatures via randomized hashing. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 41–59. Springer, Heidelberg (2006)
20. Hülsing, A.: W-OTS+ – shorter signatures for hash-based signature schemes. In: Youssef, A., Nitaj, A., Hassanien, A.E. (eds.) AFRICACRYPT 2013. LNCS, vol. 7918, pp. 173–188. Springer, Heidelberg (2013)
21. Hülsing, A., Butin, D., Gazdag, S., Mohaisen, A.: XMSS: extended hash-based signatures. draft-irtf-cfrg-xmss-hash-based-signatures-01, Crypto Forum Research Group Internet-Draft (2015). https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-01
22. Hülsing, A., Rausch, L., Buchmann, J.: Optimal parameters for XMSS\(^{\mathit{MT}}\). In: Cuzzocrea, A., Kittl, C., Simos, D.E., Weippl, E., Xu, L. (eds.) CD-ARES Workshops 2013. LNCS, vol. 8128, pp. 194–208. Springer, Heidelberg (2013)
23. Joffe, A., et al.: On a set of almost deterministic \(k\)-independent random variables. Ann. Probab. **2**(1), 161–162 (1974)
24. Karloff, H., Mansour, Y.: On construction of k-wise independent random variables. In: Proceedings of the Twenty-Sixth Annual ACM Symposium on Theory of Computing, pp. 564–573. ACM (1994)
25. Merkle, R.C.: Secrecy, authentication, and public key systems. Ph.D. thesis, Stanford University (1979)
26. Mironov, I.: Collision-resistant no more: hash-and-sign paradigm revisited. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 140–156. Springer, Heidelberg (2006)
27. Unruh, D.: Quantum position verification in the random oracle model. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part II. LNCS, vol. 8617, pp. 1–18. Springer, Heidelberg (2014)
28. Zhandry, M.: Secure identity-based encryption in the quantum random oracle model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 758–775. Springer, Heidelberg (2012)
29. Zhandry, M.: A note on the quantum collision and set equality problems. Quantum Inf. Comput. **15**(7&8), 557–567 (2015)