Digital Signature Schemes Based on Hash Functions

Cryptographers and security experts around the world have been awakened to the reality that one day (potentially soon) large-scale quantum computers may be available. Most of the public-key cryptosystems employed today on the Internet, in both software and in hardware, are based on number-theoretic problems which are thought to be intractable on a classical (non-quantum) computer and hence are considered secure. The most popular such examples are the RSA encryption and signature schemes, and the Elliptic Curve Diffie-Hellman (ECDH) key-exchange protocol employed widely in the SSL/TLS protocols. However, these schemes offer essentially zero security against an adversary in possession of a large-scale quantum computer. Thus, there is an urgent need to develop, analyze and implement cryptosystems and algorithms that are secure against such adversaries. It is widely believed that cryptographic hash functions are naturally resilient to attacks by a quantum adversary, and thus, signature schemes have been developed whose security relies on this belief. The goal of this thesis is to give an overview of hash-based cryptography. We describe the most important hash-based signature schemes as well as the schemes and protocols used as subroutines within them. We give a juxtaposition between stateful and stateless signature schemes, discussing the pros and cons of both while including detailed examples. Furthermore, we detail serious flaws in the security proof for the WOTS-PRF signature scheme. This scheme had the feature that its security proof was based on minimal security assumptions, namely the pseudorandomness of the underlying function family. We explore how this flawed security argument affects the other signature schemes that utilize WOTS-PRF

Hash-based signatures for the internet of things

While numerous digital signature schemes exist in the literature, most real-world system rely on RSA-based signature schemes or on the digital signature algorithm (DSA), including its elliptic curve cryptography variant ECDSA. In this position paper we review a family of alternative signature schemes, based on hash functions, and we make the case for their application in Internet of Things (IoT) settings. Hash-based signatures provide postquantum security, and only make minimal security assumptions, in general requiring only a secure cryptographic hash function. This makes them extremely flexible, as they can be implemented on top of any hash function that satisfies basic security properties. Hash-based signatures also feature numerous parameters defining aspects such as signing speed and key size, that enable trade-offs in constrained environments. Simplicity of implementation and customization make hash based signatures an attractive candidate for the IoT ecosystem, which is composed of a number of diverse, constrained devices

Quantum attacks on Bitcoin, and how to protect against them

The key cryptographic protocols used to secure the internet and financial transactions of today are all susceptible to attack by the development of a sufficiently large quantum computer. One particular area at risk are cryptocurrencies, a market currently worth over 150 billion USD. We investigate the risk of Bitcoin, and other cryptocurrencies, to attacks by quantum computers. We find that the proof-of-work used by Bitcoin is relatively resistant to substantial speedup by quantum computers in the next 10 years, mainly because specialized ASIC miners are extremely fast compared to the estimated clock speed of near-term quantum computers. On the other hand, the elliptic curve signature scheme used by Bitcoin is much more at risk, and could be completely broken by a quantum computer as early as 2027, by the most optimistic estimates. We analyze an alternative proof-of-work called Momentum, based on finding collisions in a hash function, that is even more resistant to speedup by a quantum computer. We also review the available post-quantum signature schemes to see which one would best meet the security and efficiency requirements of blockchain applications.Comment: 21 pages, 6 figures. For a rough update on the progress of Quantum devices and prognostications on time from now to break Digital signatures, see https://www.quantumcryptopocalypse.com/quantum-moores-law

Practical Forward Secure Signatures using Minimal Security Assumptions

Digital signatures are one of the most important cryptographic primitives in practice. They are an enabling technology for eCommerce and eGovernment applications and they are used to distribute software updates over the Internet in a secure way. In this work we introduce two new digital signature schemes: XMSS and its extension XMSS^MT. We present security proofs for both schemes in the standard model, analyze their performance, and discuss parameter selection. Both our schemes have certain properties that make them favorable compared to today's signature schemes. Our schemes are forward secure, meaning even in case of a key compromise, previously generated signatures can be trusted. This is an important property whenever a signature has to be verifiable in the mid- or long-term. Moreover, our signature schemes are generic constructions that can be instantiated using any hash function. Thereby, if a used hash function becomes insecure for some reason, we can simply replace it by a secure one to obtain a new secure instantiation. The properties we require the hash function to provide are minimal. This implies that as long as there exists any complexity-based cryptography, there exists a secure instantiation for our schemes. In addition, our schemes are secure against quantum computer aided attacks, as long as the used hash functions are. We analyze the performance of our schemes from a theoretical and a practical point of view. On the one hand, we show that given an efficient hash function, we can obtain an efficient instantiation for our schemes. On the other hand, we provide experimental data that show that the performance of our schemes is comparable to that of today's signature schemes. Besides, we show how to select optimal parameters for a given use case that provably reach a given level of security. On the way of constructing XMSS and XMSS^MT, we introduce two new one-time signature schemes (OTS): WOTS+ and WOTS$. One-time signature schemes are signature schemes where a key pair may only be used once. WOTS+ is currently the most efficient hash-based OTS and WOTS$ the most efficient hash-based OTS with minimal security assumptions. One-time signature schemes have many more applications besides constructing full fledged signature schemes, including authentication in sensor networks and the construction of chosen-ciphertext secure encryption schemes. Hence, WOTS+ and WOTS$ are contributions on their own. Altogether, this work shows the practicality and usability of forward secure signatures on the one hand and hash-based signatures on the other hand

On the Role of Hash-Based Signatures in Quantum-Safe Internet of Things:Current Solutions and Future Directions

The Internet of Things (IoT) is gaining ground as a pervasive presence around us by enabling miniaturized things with computation and communication capabilities to collect, process, analyze, and interpret information. Consequently, trustworthy data act as fuel for applications that rely on the data generated by these things, for critical decision-making processes, data debugging, risk assessment, forensic analysis, and performance tuning. Currently, secure and reliable data communication in IoT is based on public-key cryptosystems such as Elliptic Curve Cryptosystem (ECC). Nevertheless, reliance on the security of de-facto cryptographic primitives is at risk of being broken by the impending quantum computers. Therefore, the transition from classical primitives to quantum-safe primitives is indispensable to ensure the overall security of data en route. In this paper, we investigate applications of one of the post-quantum signatures called Hash-Based Signature (HBS) schemes for the security of IoT devices in the quantum era. We give a succinct overview of the evolution of HBS schemes with emphasis on their construction parameters and associated strengths and weaknesses. Then, we outline the striking features of HBS schemes and their significance for the IoT security in the quantum era. We investigate the optimal selection of HBS in the IoT networks with respect to their performance-constrained requirements, resource-constrained nature, and design optimization objectives. In addition to ongoing standardization efforts, we also highlight current and future research and deployment challenges along with possible solutions. Finally, we outline the essential measures and recommendations that must be adopted by the IoT ecosystem while preparing for the quantum world.Comment: 18 pages, 7 tables, 7 figure

On the security of the WOTS-PRF signature scheme

We identify a flaw in the security proof and a flaw in the concrete security analysis of the WOTS-PRF variant of the Winternitz one-time signature scheme, and discuss the implications to its concrete security

Forward Secure Signatures on Smart Cards

We introduce the forward secure signature scheme XMSS$^{+}$ and present an implementation for smart cards. It is based on the hash-based signature scheme XMSS. In contrast to the only previous implementation of a hash-based signature scheme on smart cards by Rohde et al., we solve the problem of on-card key generation. Compared to XMSS, we reduce the key generation time from $\mathcal{O}(n)$ to $\mathcal{O}(\sqrt{n})$, where $n$ is the number of signatures that can be created with one key pair. To the best of our knowledge this is the first implementation of a forward secure signature scheme and the first full implementation of a hash-based signature scheme on smart cards. The resulting runtimes are comparable to those of RSA and ECDSA on the same device. This shows the practicality of forward secure signature schemes, even on constrained devices

LMS vs XMSS: Comparion of two Hash-Based Signature Standards

Quantum computing poses challenges to public key signatures as we know them today. LMS and XMSS are two hash based signature schemes that have been proposed in the IETF as quantum secure. Both schemes are based on well-studied hash trees, but their similarities and differences have not yet been discussed. In this work, we attempt to compare the two standards. We compare their security assumptions and quantify their signature and public key sizes. We also address the computation overhead they introduce. Our goal is to provide a clear understanding of the schemes’ similarities and differences for implementers and protocol designers to be able to make a decision as to which standard to chose

Envisioning the Future of Cyber Security in Post-Quantum Era: A Survey on PQ Standardization, Applications, Challenges and Opportunities

The rise of quantum computers exposes vulnerabilities in current public key cryptographic protocols, necessitating the development of secure post-quantum (PQ) schemes. Hence, we conduct a comprehensive study on various PQ approaches, covering the constructional design, structural vulnerabilities, and offer security assessments, implementation evaluations, and a particular focus on side-channel attacks. We analyze global standardization processes, evaluate their metrics in relation to real-world applications, and primarily focus on standardized PQ schemes, selected additional signature competition candidates, and PQ-secure cutting-edge schemes beyond standardization. Finally, we present visions and potential future directions for a seamless transition to the PQ era