SPHINCS+ Approach Overview
SPHINCS+ is a hash-based post-quantum signature scheme submitted to the NIST post-quantum project. It uses a hyper-tree of Merkle trees whose layers are fixed by a parameter dividing the total height, picks the signing index (pseudo-)randomly so that each message is signed with a few-time signature scheme, and adds modifications that resist multi-target attacks. Tweakable hash functions derive fresh keys and bitmasks for every hash call from the public seed and an address; the slides also explain why collision resistance is not required, why FORS replaces HORST, and how verifiable index selection strengthens the few-time layer.
Presentation Transcript
SPHINCS+: Submission to the NIST post-quantum project. Daniel J. Bernstein, Christoph Dobraunig, Maria Eichlseder, Scott Fluhrer, Stefan-Lukas Gazdag, Andreas Hülsing, Panos Kampanakis, Stefan Kölbl, Tanja Lange, Martin M. Lauridsen, Florian Mendel, Ruben Niederhagen, Christian Rechberger, Joost Rijneveld, Peter Schwabe
The SPHINCS Approach
- Use a hyper-tree of total height h
- Parameter d ≥ 1, such that d | h
- Each (Merkle) tree has height h/d
- 2^(h/d)-ary certification tree
https://sphincs.org 2

The SPHINCS Approach
- Pick index (pseudo-)randomly
- Messages signed with few-time signature scheme
- Significantly reduces total tree height
- Require $\sum_{r \in [0, q]} \Pr[r\text{ times index collision}] \cdot \mathrm{InSec}^{\text{EU-CMA}}(\text{HORST}, q = r) = \mathrm{negl}(n)$
SPHINCS+ modifications
Adding multi-target attack resilience
- Preimage search
- Multi-target preimage search
- Multi-function multi-target preimage search
Tweakable hash functions
- Th: B^n × B^32 × B^(αn) → B^n, md ← Th(PK.seed, ADRS, M)
- Generates new keys and bitmasks for each call from PK.seed and ADRS
- Allows embedding one challenge per call in the reduction
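The following is an added illustration of the tweakable-hash idea on this slide; it is not code from the SPHINCS+ submission or its reference implementation. It builds the SHAKE256-based "simple" form Th(PK.seed, ADRS, M) = SHAKE256(PK.seed || ADRS || M) and a "robust" form that first XORs a bitmask derived from (PK.seed, ADRS) into the input, then runs one WOTS+ chain so that every hash call carries a different address. The 32-byte ADRS encoding, the address-type constant, the n = 16 parameter and all key material are assumptions constructed for the demo.

```python
import hashlib
import struct

N = 16  # n = 16 bytes: hash output and seed length (assumed, SPHINCS+-128-style)

# Constructed sample public seed; in the real scheme PK.seed is part of the public key.
PK_SEED = bytes(range(N))


def shake256(data: bytes, out_len: int) -> bytes:
    """SHAKE256 with a chosen output length (the hash of SPHINCS+-SHAKE256)."""
    return hashlib.shake_256(data).digest(out_len)


def make_adrs(layer: int, tree: int, adrs_type: int, keypair: int, chain: int, hash_idx: int) -> bytes:
    """32-byte address: layer (4 bytes) | tree (12 bytes) | type (4) | three 4-byte words.
    Simplified encoding for illustration, modelled on the SPHINCS+ ADRS layout."""
    return (struct.pack(">I", layer) + tree.to_bytes(12, "big")
            + struct.pack(">IIII", adrs_type, keypair, chain, hash_idx))


def th_simple(pk_seed: bytes, adrs: bytes, m: bytes) -> bytes:
    """'Simple' tweakable hash: SHAKE256(PK.seed || ADRS || M).
    (PK.seed, ADRS) domain-separates every call, so each evaluation is its own target."""
    assert len(pk_seed) == N and len(adrs) == 32
    return shake256(pk_seed + adrs + m, N)


def th_robust(pk_seed: bytes, adrs: bytes, m: bytes) -> bytes:
    """'Robust' variant: additionally derive a per-call bitmask from (PK.seed, ADRS)
    and XOR it into the input, so every call gets a fresh key and a fresh bitmask."""
    assert len(pk_seed) == N and len(adrs) == 32
    mask = shake256(pk_seed + adrs, len(m))
    masked = bytes(a ^ b for a, b in zip(m, mask))
    return shake256(pk_seed + adrs + masked, N)


def wots_chain(x: bytes, start: int, steps: int, pk_seed: bytes, layer: int, tree: int,
               keypair: int, chain: int, th=th_robust) -> bytes:
    """Iterate the tweakable hash along one WOTS+ chain. The hash-index word of ADRS
    changes at every step, so no (key, bitmask) pair is ever reused along the chain."""
    WOTS_HASH = 0  # address-type constant assumed for this demo
    for i in range(start, start + steps):
        adrs = make_adrs(layer, tree, WOTS_HASH, keypair, chain, i)
        x = th(pk_seed, adrs, x)
    return x


def demo() -> dict:
    m = b"\x00" * N  # the same input hashed under two different addresses
    a0 = make_adrs(0, 0, 0, 0, 0, 0)
    a1 = make_adrs(0, 0, 0, 0, 0, 1)
    return {
        "same_input_different_adrs_differ": th_simple(PK_SEED, a0, m) != th_simple(PK_SEED, a1, m),
        "robust_differs_from_simple": th_robust(PK_SEED, a0, m) != th_simple(PK_SEED, a0, m),
        "chain_len": len(wots_chain(m, 0, 15, PK_SEED, 0, 0, 0, 0)),
    }


if __name__ == "__main__":
    print(demo())
```

Because the address sequence is public, a verifier holding an intermediate chain value can continue the chain from that step and reach the same end value as the signer, which is exactly how a WOTS+ signature is checked; the per-step addresses are what stop a single preimage from being useful against more than one hash call.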
Why not collision resistance?
- Bernstein, SHARCS '09: pq-collision finding costs at least 2^(n/2)
- Same as cost for pq-(second-)preimage finding? No! Comparing apples and oranges.
- Compares cost for pq-(second-)preimage finding in the query-complexity model to cost for pq-collision finding in a more realistic model
- Also a stronger complexity-theoretic assumption! (Minicrypt vs. (conj.) Cryptomania)
FORS
Shortcomings of HORST:
- Index collisions
  - Allow searching for weak messages (no impact on SPHINCS as hash is randomized)
  - Still reduce security
- Indices are in an unordered list
- Authentication paths will most likely contain redundant nodes
- Variable-size signatures could go lower but require a complicated algorithm (and protocols have to reserve worst-case size) -> see Gravity-SPHINCS's Octopus

FORS (Forest of Random Subsets)
- No index collisions: one tree per index
- Ordered list of indices
- Signature size same as worst-case variable signature size (at same security level)
- Only need authpaths in small trees
- Simple to compute

FORS
- Parameters t, a = log t, k such that k·a = m
[figure of the FORS trees not reproduced in the transcript]
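The following is an added toy implementation of FORS as described on the last three slides; it is not code from the SPHINCS+ submission. It uses constructed parameters (a = 4, t = 16, k = 4, n = 16) and a plain SHAKE256 hash in place of the tweakable hash so that the structure stays visible: the k·a-bit digest is cut into k ordered a-bit indices, index i always addresses tree i, each tree reveals one secret leaf plus an a-node authentication path, and the signature has a fixed size of k·(1 + a)·n bytes. It also shows the "no index collisions" point: even a digest whose k indices are all equal reveals k distinct secrets, one per tree.

```python
import hashlib

# Toy FORS parameters, constructed for this example (real SPHINCS+ sets use far larger t and k)
A = 4          # a = log2(t): each index is a bits
T = 1 << A     # t = 16 leaves per tree
K = 4          # k trees, so k*a = 16 digest bits are consumed
N = 16         # hash output length in bytes

SK_SEED = b"\x01" * N  # constructed secret seed


def H(*parts: bytes) -> bytes:
    """n-byte SHAKE256 hash of the concatenated parts (stands in for the tweakable hash)."""
    return hashlib.shake_256(b"".join(parts)).digest(N)


def fors_secret(sk_seed: bytes, tree: int, leaf: int) -> bytes:
    """One secret per (tree, leaf) pair; secrets are never shared between trees."""
    return H(b"fors-sk", sk_seed, tree.to_bytes(2, "big"), leaf.to_bytes(2, "big"))


def split_indices(md: bytes) -> list:
    """Cut the k*a-bit digest into k a-bit indices; the i-th index addresses tree i (ordered)."""
    assert len(md) * 8 == K * A
    bits = int.from_bytes(md, "big")
    return [(bits >> (K * A - A * (i + 1))) & (T - 1) for i in range(K)]


def merkle_layers(leaves: list) -> list:
    """All layers of a Merkle tree, leaves first; the last layer holds the root."""
    layers = [leaves]
    while len(layers[-1]) > 1:
        prev = layers[-1]
        layers.append([H(prev[j], prev[j + 1]) for j in range(0, len(prev), 2)])
    return layers


def auth_path(layers: list, idx: int) -> list:
    """Sibling nodes from the leaf up to (excluding) the root: exactly a nodes."""
    path = []
    for layer in layers[:-1]:
        path.append(layer[idx ^ 1])
        idx >>= 1
    return path


def root_from_path(leaf: bytes, idx: int, path: list) -> bytes:
    """Recompute the root from a leaf, its index and its authentication path."""
    node = leaf
    for sibling in path:
        node = H(node, sibling) if idx % 2 == 0 else H(sibling, node)
        idx >>= 1
    return node


def tree_layers(sk_seed: bytes, tree: int) -> list:
    return merkle_layers([H(fors_secret(sk_seed, tree, j)) for j in range(T)])


def fors_keygen(sk_seed: bytes) -> bytes:
    """FORS public key: hash of the k tree roots."""
    return H(b"fors-pk", *[tree_layers(sk_seed, i)[-1][0] for i in range(K)])


def fors_sign(sk_seed: bytes, md: bytes) -> list:
    """Signature: for each tree i, (secret of the selected leaf, its authentication path)."""
    return [(fors_secret(sk_seed, i, idx), auth_path(tree_layers(sk_seed, i), idx))
            for i, idx in enumerate(split_indices(md))]


def fors_pk_from_sig(sig: list, md: bytes) -> bytes:
    """Verifier side: rebuild every root from the revealed secret and path, then the public key."""
    roots = [root_from_path(H(secret), idx, path)
             for (secret, path), idx in zip(sig, split_indices(md))]
    return H(b"fors-pk", *roots)


def fors_verify(pk: bytes, sig: list, md: bytes) -> bool:
    return fors_pk_from_sig(sig, md) == pk


def fors_sig_bytes() -> int:
    """Fixed signature size: k secrets plus k paths of a nodes, n bytes each."""
    return K * (1 + A) * N


def revealed_secrets(sig: list) -> set:
    """Distinct secret values a signature discloses; always k for FORS."""
    return {secret for secret, _ in sig}
```

In SPHINCS+ the digest md fed to split_indices comes from H_msg, and the FORS public key is then signed by the WOTS+/hyper-tree layers above it; the fixed size is what lets protocols reserve exactly one signature length instead of a worst case.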
Verifiable index selection (and optionally non-deterministic randomness)
- SPHINCS: (idx || R) = PRF(SK.prf, M); md = H_msg(R, PK, M)
- SPHINCS+: R = PRF_msg(SK.prf, OptRand, M); (md || idx) = H_msg(R, PK, M)

Optionally non-deterministic randomness
- Non-deterministic randomness complicates side-channel attacks
- Bad randomness in the worst case still leads to a secure pseudorandom value

Verifiable index selection
- Improves FORS security
- SPHINCS: attacks could target the weakest HORST key pair
- SPHINCS+: every hash query ALSO selects the FORS key pair
- Leads to the notion of interleaved target subset resilience
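The following is an added illustration of the SPHINCS+ index selection on these three slides; it is not code from the submission. It models R = PRF_msg(SK.prf, OptRand, M) and (md || idx) = H_msg(R, PK, M) with SHAKE256, so that md and the key-pair index idx fall out of one hash over public data and the verifier recomputes both from R, PK and M. OptRand = PK.seed gives deterministic signatures; fresh random bytes give randomized ones while R stays a secret-keyed pseudorandom value. The prefixes, the toy hyper-tree height of 12, the 16-bit md and all key material are assumptions constructed for the demo.

```python
import hashlib
import os

N = 16         # n bytes: seeds and the randomizer R (assumed)
H_TREE = 12    # toy hyper-tree height: idx selects one of 2^12 FORS key pairs (assumed)
MD_BYTES = 2   # digest bits handed to FORS (k*a = 16 in toy FORS parameters, assumed)

# Constructed sample key material
SK_PRF = b"\x02" * N
PK_SEED = bytes(range(N))
PK_ROOT = b"\x03" * N


def prf_msg(sk_prf: bytes, opt_rand: bytes, m: bytes) -> bytes:
    """R = PRF_msg(SK.prf, OptRand, M). Keyed with the secret SK.prf, so R is still
    pseudorandom when OptRand is poor; fresh OptRand only adds non-determinism."""
    return hashlib.shake_256(b"PRF_msg" + sk_prf + opt_rand + m).digest(N)


def h_msg(r: bytes, pk_seed: bytes, pk_root: bytes, m: bytes) -> tuple:
    """(md || idx) = H_msg(R, PK, M). The FORS digest and the key-pair index come from
    one hash over public inputs, so any party can recompute them and nobody can pick
    idx independently of md (every hash query also selects the FORS key pair)."""
    out = hashlib.shake_256(b"H_msg" + r + pk_seed + pk_root + m).digest(MD_BYTES + 2)
    md = out[:MD_BYTES]
    idx = int.from_bytes(out[MD_BYTES:], "big") & ((1 << H_TREE) - 1)
    return md, idx


def sign_select(m: bytes, randomize: bool = False) -> tuple:
    """Signer side: returns (R, md, idx). OptRand = PK.seed makes signing deterministic."""
    opt_rand = os.urandom(N) if randomize else PK_SEED
    r = prf_msg(SK_PRF, opt_rand, m)
    md, idx = h_msg(r, PK_SEED, PK_ROOT, m)
    return r, md, idx


def verify_select(r: bytes, m: bytes) -> tuple:
    """Verifier side: only R (carried in the signature), PK and M are needed."""
    return h_msg(r, PK_SEED, PK_ROOT, m)


if __name__ == "__main__":
    r, md, idx = sign_select(b"constructed message")
    print(r.hex(), md.hex(), idx, verify_select(r, b"constructed message") == (md, idx))
```

The contrast with the SPHINCS line on the slide is that there idx came out of the PRF before md was computed, so a forger could aim a hash query at a chosen (weak) HORST key pair; here idx is bound to the same hash output as md.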
Instantiations
- SPHINCS+-SHAKE256
- SPHINCS+-SHA-256
- SPHINCS+-Haraka

Instantiations (small vs. fast)

Pro / Con
- Con: signature size / speed
- Pro: only a secure hash needed
- Pro: collision-resilient
- Pro: attacks are well understood (also quantum)
- Pro: small keys
- Pro: overlap with XMSS
- Pro: reuse of established building blocks

Summary of SPHINCS+
- Strengthened security gives smaller signatures
- Collision- and multi-target attack resilient
- Fixed-length signatures (far easier to compute than Octopus (-> Gravity-SPHINCS))
- Small keys, medium-size signatures (lv 3: 17 kB)
- Sizes can be much smaller if q_sign gets reduced
- THE conservative choice
- No citable speeds yet

Thank you! Questions? Visit us at https://sphincs.org