The SPHINCS+ Signature Framework

We introduce SPHINCS+, a stateless hash-based signature framework. SPHINCS+ has significant advantages over the state of the art in terms of speed, signature size, and security, and is among the nine remaining signature schemes in the second round of the NIST PQC standardization project. One of our main contributions in this context is a new few-time signature scheme that we call FORS. Our second main contribution is the introduction of tweakable hash functions and a demonstration of how they allow for a unified security analysis of hash-based signature schemes. We give a security reduction for SPHINCS+ using this abstraction and derive secure parameters in accordance with the resulting bound. Finally, we present speed results for our optimized implementation of SPHINCS+ and compare it to SPHINCS-256, Gravity-SPHINCS, and Picnic.
