A Server-Assisted Hash-Based Signature Scheme

  • Ahto Buldas
  • Risto Laanoja
  • Ahto Truu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10674)


We present a practical digital signature scheme built from a cryptographic hash function and a hash-then-publish digital time-stamping scheme. We also provide a simple proof of existential unforgeability against adaptive chosen-message attack (EUF-ACM) in the random oracle (RO) model.



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. Tallinn University of Technology, Tallinn, Estonia
  2. Guardtime AS, Tallinn, Estonia
