Date post: 25-Jul-2020
Post-quantum cryptography and early adoptions in cryptocurrencies Andreas Hülsing Eindhoven University of Technology Cyber Security Summer School 2019

Post-quantum cryptography and early adoptions in cryptocurrencies

Andreas Hülsing, Eindhoven University of Technology

Cyber Security Summer School 2019


04.07.2019 https://huelsing.net 2


The quantum threat

• Shor’s algorithm breaks RSA, (EC)DSA, (EC)DH,…

• Grover’s algorithm asymptotically reduces complexity of brute-force search attacks by a square-root factor.


Why care today

• EU launched a one billion Euro project on quantum technologies

• Similar range is spent in China

• US administration passed a bill on spending $1.275 billion on quantum computing research

• Google, IBM, Microsoft, Alibaba, and others run their own research programs.


It's a question of risk assessment


Real world cryptography development

• Develop systems
• Analyze security
• Implement systems
• Analyze implementation security
• Select best systems and standardize them
• Integrate systems into products & protocols
• Roll out secure products


Who would store all encrypted data traffic? That must be expensive!


Blockchain? Blockchain!

General quantum computer impact:
• Finding hash function inputs such that output fulfills some property: Square-root speed-up
• Forging digital signatures for (EC-)DSA / RSA: Exponential speed-up.

PoW blockchains:
• Can change transactions not yet in a stable block
• Quantum miners (more forks)

PoS blockchains:
• Can change arbitrary blocks! Allows to rewrite history!


Hash-based signatures [Lam79,Mer89]

No new hardness assumptions*

Provably (post-quantum) secure if (post-quantum) secure hash function is used

Basic concept extremely easy

Stateful


* We only assume hash functions do not show non-random behaviour.

Digital Signature

[Figure. Source: http://hari-cio-8a.blog.ugm.ac.id/files/2013/03/DSA.jpg]

Basic construction


Lamport OTS [Lam79]

Message $M = b_1, \dots, b_m$, OWF H (* = n bit)

[Figure: Lamport one-time signature.
SK: $sk_{1,0}, sk_{1,1}, \dots, sk_{m,0}, sk_{m,1}$
PK: $pk_{1,0}, pk_{1,1}, \dots, pk_{m,0}, pk_{m,1}$, each obtained by applying H to the secret value above it
Sig: $sk_{1,b_1}, \dots, sk_{m,b_m}$, selected by Mux $b_1$, Mux $b_2$, …, Mux $b_m$]

Security

Theorem: If H is one-way then LD-OTS is one-time (eu-cma-)secure.

Key pair can be used to sign one message
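The Lamport construction and its one-time restriction, as an added example that is not part of the original slides. It assumes SHA-256 as the one-way function H and signs the 256-bit digest of the message (m = 256); `fully_exposed_positions` and `OneTimeSigner` are hypothetical helper names.

```python
import hashlib
import secrets

N = 32        # n = 256 bits, expressed in bytes (assumption of this example)
M = 8 * N     # m message bits: we sign the SHA-256 digest of the message

def H(x: bytes) -> bytes:
    """The one-way function H, instantiated here with SHA-256."""
    return hashlib.sha256(x).digest()

def msg_bits(msg: bytes) -> list:
    """b_1..b_m: the bits of the message digest."""
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(M)]

def keygen():
    """SK = (sk_i,0, sk_i,1) for i = 1..m; PK = (H(sk_i,0), H(sk_i,1))."""
    sk = [(secrets.token_bytes(N), secrets.token_bytes(N)) for _ in range(M)]
    pk = [(H(s0), H(s1)) for s0, s1 in sk]
    return sk, pk

def sign(sk, msg: bytes) -> list:
    """Sig = (sk_1,b1, ..., sk_m,bm): one secret value per message bit."""
    return [sk[i][b] for i, b in enumerate(msg_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    bits = msg_bits(msg)
    return len(sig) == M and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits)))

def fully_exposed_positions(messages) -> int:
    """Number of positions i where signing all `messages` with ONE key
    pair publishes both sk_i,0 and sk_i,1."""
    seen = [set() for _ in range(M)]
    for msg in messages:
        for i, b in enumerate(msg_bits(msg)):
            seen[i].add(b)
    return sum(1 for s in seen if len(s) == 2)

class OneTimeSigner:
    """State guard: refuses to sign a second message with the same key."""
    def __init__(self):
        self._sk, self.pk = keygen()
        self._used = False

    def sign(self, msg: bytes) -> list:
        if self._used:
            raise RuntimeError("OTS key already used; switch to a fresh key pair")
        self._used = True
        return sign(self._sk, msg)
```

After one signature no position has both secrets published; after two signatures on different messages roughly half of them do, which is why the signer has to track key usage.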


Merkle’s Hash-based Signatures [Mer89]

[Figure: Merkle tree over eight OTS key pairs. Each OTS public key is hashed with H, and the nodes are hashed pairwise with H level by level (8, 4, 2, 1 nodes) up to the root, labelled PK. The OTS keys are labelled SK.]

SIG = (i=2, , , , , )

Security

Theorem: MSS is (eu-cma-)secure if OTS is a one-time (eu-cma) secure signature scheme and H is a collision resistant hash function.

For a tree of height h, a key pair can be used to sign $2^h$ messages
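The tree construction, authentication path and leaf-index state for height h = 3, as an added example that is not part of the original slides. It assumes SHA-256 for H and uses constructed byte strings in place of real OTS public keys; `LeafIndexState` is a hypothetical name.

```python
import hashlib

def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

def build_tree(ots_pks):
    """Return all levels, leaves first; the last level holds the root PK."""
    n = len(ots_pks)
    assert n > 0 and n & (n - 1) == 0, "need 2^h OTS public keys"
    levels = [[H(pk) for pk in ots_pks]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([H(prev[j] + prev[j + 1]) for j in range(0, len(prev), 2)])
    return levels

def auth_path(levels, i):
    """Sibling of each node on the path from leaf i to the root."""
    path = []
    for level in levels[:-1]:
        path.append(level[i ^ 1])   # sibling index differs in the lowest bit
        i >>= 1
    return path

def root_from_path(ots_pk, i, path):
    """Verifier side: recompute the root from one OTS public key."""
    node = H(ots_pk)
    for sibling in path:
        node = H(node + sibling) if i % 2 == 0 else H(sibling + node)
        i >>= 1
    return node

class LeafIndexState:
    """The state of a stateful scheme: every index is handed out once,
    and signing stops after 2^h signatures."""
    def __init__(self, height):
        self.next_index = 0
        self.capacity = 2 ** height

    def take(self):
        if self.next_index >= self.capacity:
            raise RuntimeError("all 2^h OTS keys are used up")
        i = self.next_index
        self.next_index += 1
        return i

# Constructed sample: eight placeholder OTS public keys (h = 3).
OTS_PKS = [b"ots-pk-%d" % j for j in range(8)]
LEVELS = build_tree(OTS_PKS)
ROOT = LEVELS[-1][0]
```

A signature with index i = 2 carries the OTS signature plus `auth_path(LEVELS, 2)`; the verifier accepts only if `root_from_path` reproduces the published root.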

Winternitz-OTS [Mer89]

Lamport-OTS in MSS

Verification:

1. Verify

2. Verify authenticity of

We can do better!

SIG = (i=2, , , , , )


WOTS in MSS

Verification:

1. Compute from

2. Verify authenticity of

Steps 1 + 2 together verify

SIG = (i=2, , , , , )X


Function chains

Hash function $h : \{0,1\}^n \to \{0,1\}^n$

Parameter $w$

Chain: $c^i(x) = h(c^{i-1}(x)) = \underbrace{h \circ h \circ \cdots \circ h}_{i\text{-times}}(x)$

$c^0(x) = x$, $c^1(x) = h(x)$, …, $c^{w-1}(x)$

WOTS

Winternitz parameter w (usually a power of 2), security parameter n, message length m, hash function $h$

Key Generation: Compute $l$, sample $h_k$

[Figure: $l$ function chains. Chain 1 runs from $c^0(sk_1) = sk_1$ via $c^1(sk_1)$ to $pk_1 = c^{w-1}(sk_1)$; chain $l$ runs from $c^0(sk_l) = sk_l$ via $c^1(sk_l)$ to $pk_l = c^{w-1}(sk_l)$.]

WOTS Signature generation

[Figure: M is written as $b_1, b_2, b_3, b_4, \dots, b_{m'}$ and C as $b_{m'+1}, b_{m'+2}, \dots, b_l$. Chain $i$ runs from $c^0(sk_i) = sk_i$ to $pk_i = c^{w-1}(sk_i)$ and is evaluated up to position $b_i$: $\sigma_1 = c^{b_1}(sk_1)$, …, $\sigma_l = c^{b_l}(sk_l)$.]

Signature: $\sigma = (\sigma_1, \dots, \sigma_l)$

WOTS Signature Verification

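Verifier knows: M, w

Signature: $\sigma = (\sigma_1, \dots, \sigma_l)$

[Figure: from $b_1, b_2, b_3, b_4, \dots, b_{m'}, b_{m'+1}, b_{m'+2}, \dots, b_l$ the verifier continues each chain from its signature value: $c^1(\sigma_1), c^2(\sigma_1), c^3(\sigma_1), \dots, c^{w-1-b_1}(\sigma_1) \stackrel{?}{=} pk_1$, …, $c^{w-1-b_l}(\sigma_l) \stackrel{?}{=} pk_l$.]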
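Function chains, WOTS key generation, signing and verification in one piece, as an added example that is not part of the original slides. Assumptions: w = 16, n = 256 bits, unkeyed SHA-256 in place of the keyed $h_k$, M is the SHA-256 digest of the message, and C is taken to be the usual Winternitz checksum (the slides only label it C).

```python
import hashlib
import secrets

W, N = 16, 32      # Winternitz parameter w; n = 256 bits, in bytes
L1 = 2 * N         # m' = 64 base-16 digits of the message digest (M)
L2 = 3             # checksum digits (C): max sum 64 * 15 = 960 < 16^3
L = L1 + L2        # l = 67 chains

def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

def chain(x: bytes, steps: int) -> bytes:
    """c^steps(x): apply h `steps` times, with c^0(x) = x."""
    for _ in range(steps):
        x = h(x)
    return x

def digits(msg: bytes) -> list:
    """b_1..b_l: base-w digits of the digest, followed by the checksum."""
    b = [nib for byte in h(msg) for nib in (byte >> 4, byte & 0x0F)]
    c = sum(W - 1 - x for x in b)   # shrinks whenever a message digit grows
    return b + [(c >> 8) & 0xF, (c >> 4) & 0xF, c & 0xF]

def keygen():
    sk = [secrets.token_bytes(N) for _ in range(L)]
    pk = [chain(s, W - 1) for s in sk]            # pk_i = c^{w-1}(sk_i)
    return sk, pk

def sign(sk, msg: bytes) -> list:
    # sigma_i = c^{b_i}(sk_i)
    return [chain(s, b) for s, b in zip(sk, digits(msg))]

def pk_from_sig(msg: bytes, sig) -> list:
    """Continue every chain by the remaining w-1-b_i steps."""
    return [chain(s, W - 1 - b) for s, b in zip(sig, digits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == L and pk_from_sig(msg, sig) == pk
```

Because the verifier recomputes the public key from the signature, a signature whose chain values were pushed further along is rejected: the checksum digits would have to move backwards along their chains.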


Multi-Tree MSS

MMM: Tal Malkin, Daniele Micciancio, Sara K. Miner, 2002

CMSS: Johannes Buchmann, Luis Carlos Coronado Garcia, Erik Dahmen, Martin Döring, Elena Klintsevich, 2006


Multi-Tree MSS / Hypertree

Uses multiple layers of trees to reduce key generation time

-> Key state generation & stateless signing (= Building one tree on each layer): $\Theta(2^h) \to \Theta(d \cdot 2^{h/d})$

-> Worst-case stateful signing times: $\Theta(h/2) \to \Theta(h/2d)$

-> Increases signature size by d-1 one-time signatures

XMSS

Joint work with Johannes Buchmann, Erik Dahmen

XMSS

Tree: Uses bitmasks

Leafs: Use binary tree with bitmasks

OTS: WOTS+

Message digest: Randomized hashing

Collision-resilient

-> signature size halved


Standards: XMSS & LMS RFCs


XMSS / XMSS-T Implementation

C Implementation, using OpenSSL [HRS16]

| Scheme | Sign (ms) | Signature (kB) | Public Key (kB) | Secret Key (kB) | Bit Security classical/quantum | Comment |
|---|---|---|---|---|---|---|
| XMSS | 3.24 | 2.8 | 1.3 | 2.2 | 236 / 118 | h = 20, d = 1 |
| XMSS-T | 9.48 | 2.8 | 0.064 | 2.2 | 256 / 128 | h = 20, d = 1 |
| XMSS | 3.59 | 8.3 | 1.3 | 14.6 | 196 / 98 | h = 60, d = 3 |
| XMSS-T | 10.54 | 8.3 | 0.064 | 14.6 | 256 / 128 | h = 60, d = 3 |

Intel(R) Core(TM) i7 CPU @ 3.50GHz
XMSS-T uses message digest from Internet-Draft
All using SHA2-256, w = 16 and k = 2

HBS in blockchain applications


Early adopters: QRL

• QRL = Quantum Resistant Ledger

• Replaces ECC signatures by XMSS (with SHA2 or SHAKE)

• Adaptive, unbalanced multi-tree mode: Can add "Slaves" -> needs transaction to publish!

• Blockchain used to track index (but warn to also keep track yourself)


Why use full MSS?

• Transaction in bitcoin works on full input.

• Why not use an OTS?

• Also seems to increase privacy!


Early adopters: IOTA

• Gained (unwanted) popularity due to “rolling their own crypto”. See e.g. http://blog.lekkertech.net/blog/2018/03/07/iota-signatures/ (gets term “WOTS” wrong but still figures out a massive issue)

However:

• Among the first to use plain OTS

• Issue: "used up" keys

Things that can get you in trouble

• Transaction in bitcoin (and most other coins) not guaranteed to get into blockchain!
  • Might have to increase fee -> new transaction -> new signature!
• Branching
  • Transaction might not get confirmed for a long time! (issue if transaction "promotes" next key!)
• Might want long term addresses, e.g., for foundations that receive donations.
  • What if you receive a payment after you used your private key to sign?

BPQS [Chalkias, Brown, Hearn, Lillehagen, Nitto, Schroeter, 2018]

• BPQS = Blockchained Post-Quantum Signatures
• Combination of hash-chained scheme (BPQS-FEW)
• And certification chain (sign two pks) (BPQS-EXT)
• BPQS uses a FEW scheme where the last leaf is an EXT root.
• BPQS-mixed refers to arbitrary topologies that use as last root a pk of an arbitrary scheme.

Source: [CBHLNS’18]

BPQS [Chalkias, Brown, Hearn, Lillehagen, Nitto, Schroeter, 2018]

Solves the used-up address issue (to some extent)

Source: [CBHLNS’18]

XNYSS [Hülsing, v.d.Linde, Schwabe, Yarom 2018]

• NY'89: Proposal of generic BPQS-EXT
• XNYSS = eXtended Naor-Yung signature scheme
• XNYSS:
  • With each message (= transaction) signature certify k new key pairs
  • If something goes wrong, we can use at least k-1 other OTS keys + possibly old back-up keys.
• Wouter’s thesis: Many practical aspects
  • Nodes can store list of association of long-term keys and current OTS keys.
  • Relation between k and failure probability

Solves long-term address issue

Proof-of-Stake blockchains (ongoing research)

• Want forward-secure signature scheme

• XMSS is forward-secure (with FS-PRG)

• Performance might be bottleneck.


We can overcome all these issues at once!


SPHINCS

Joint work with Daniel J. Bernstein, Daira Hopwood, Tanja Lange, Ruben Niederhagen, Louiza Papachristodoulou, Michael Schneider, Peter Schwabe, and Zooko Wilcox-O’Hearn

Stateless hash-based signatures [NY89,Gol87,Gol04]

Goldreich’s approach [Gol04]:

Security parameter $\lambda = 128$

Use binary tree as in Merkle, but...

• …for security
  • pick index i at random;
  • requires huge tree to avoid index collisions (e.g., height $h = 2\lambda = 256$).
• …for efficiency:
  • use binary certification tree of OTS key pairs (= Hypertree with $d = h$),
  • all OTS secret keys are generated pseudorandomly.

[Figure: binary certification tree of OTS key pairs]

SPHINCS [BHH+15]

• Select index pseudo-randomly

• Use a few-time signature key-pair on leaves to sign messages
  • Few index collisions allowed
  • Allows to reduce tree height

• Use hypertree: Use d << h.

SPHINCS+

Joint work with Jean-Philippe Aumasson, Daniel J. Bernstein, Christoph Dobraunig, Maria Eichlseder, Scott Fluhrer, Stefan-Lukas Gazdag, Panos Kampanakis, Stefan Kölbl, Tanja Lange, Martin M. Lauridsen, Florian Mendel, Ruben Niederhagen, Christian Rechberger, Joost Rijneveld, Peter Schwabe


SPHINCS+ (our NIST submission)

• Strengthened security gives smaller signatures

• Collision- and multi-target attack resilient (XMSS tweakable hash)

• Fixed length signatures

• Small keys, medium size signatures (lv 3: 17kB)

• Sizes can be much smaller if q_sign gets reduced

• The conservative choice


Instantiations (after second round tweaks)

• SPHINCS+-SHAKE256-robust
• SPHINCS+-SHAKE256-simple
• SPHINCS+-SHA-256-robust
• SPHINCS+-SHA-256-simple
• SPHINCS+-Haraka-robust
• SPHINCS+-Haraka-simple

(Three of the instantiations are marked NEW! on the slide.)

Instantiations (small vs fast)


Conclusion

• Hash-based signatures can make blockchains post-quantum secure

• Care is needed because...

... Hash-based signatures can make blockchains insecure already in the classical setting!

Thank you!

Questions?


For references, literature & longer lectures see https://huelsing.net
