"Oops, I Did It Again" - Security of One-Time Signatures Under Two-Message Attacks

One-time signatures (OTS) are called one-time because the accompanying security reductions only guarantee security under single-message attacks. This does not, however, imply that efficient attacks exist under two-message attacks. Especially for hash-based OTS, which are basic building blocks of recent standardization proposals, this raises the question of whether accidental reuse of a one-time key pair leads to an immediate loss of security or to graceful degradation.
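The following is an added example, not code from the paper: a toy Lamport one-time signature scheme that makes the "what does a second signature leak" question concrete. A Lamport key holds two hash preimages per digest bit and a signature reveals one of them per bit, so after two signatures the attacker holds both preimages at exactly the positions where the two digests differ (d of them) and is pinned to the signed bit value at the remaining N - d positions; any message whose digest agrees with the signed ones on those N - d positions can then be forged, which costs about 2^(N-d) hash evaluations to find. The digest length N = 16 and the sample messages are assumptions chosen so the forgery search runs in well under a second; with real 256-bit digests and unrelated messages d is about 128 and the same search costs about 2^128, which is the graceful-degradation end of the spectrum. Winternitz-style chains are not covered here: revealing an intermediate chain node lets anyone compute every later node in that chain, so reuse leaks more per position than in the Lamport case.

```python
# Added example (not from the paper): a toy Lamport one-time signature
# scheme used to measure how much a second signature under the same key
# leaks. N is a toy digest length so that the resulting forgery search
# is cheap; real Lamport signatures hash messages to 256 bits.
import hashlib
import secrets

N = 16  # assumption: toy digest length in bits (must be <= 32 for digest_bits)


def H(data: bytes) -> bytes:
    """One-way function for the scheme: SHA-256."""
    return hashlib.sha256(data).digest()


def digest_bits(msg: bytes) -> list:
    """Message digest as a list of N bits (SHA-256 truncated to N bits)."""
    h = int.from_bytes(H(msg)[:4], "big") >> (32 - N)
    return [(h >> (N - 1 - i)) & 1 for i in range(N)]


def keygen():
    """Secret key: two random 32-byte preimages per digest bit.
    Public key: their hashes."""
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(N)]
    pk = [[H(s[0]), H(s[1])] for s in sk]
    return sk, pk


def sign(sk, msg: bytes) -> list:
    """Reveal, for each digest bit i, the preimage sk[i][bit_i]."""
    return [sk[i][b] for i, b in enumerate(digest_bits(msg))]


def verify(pk, msg: bytes, sig: list) -> bool:
    """Check that each revealed value hashes to the public hash for that bit."""
    return all(H(sig[i]) == pk[i][b] for i, b in enumerate(digest_bits(msg)))


def leaked_preimages(signed):
    """Attacker's view after seeing (msg, sig) pairs under one key:
    per position, which bit values it now holds a preimage for."""
    known = [dict() for _ in range(N)]
    for msg, sig in signed:
        for i, b in enumerate(digest_bits(msg)):
            known[i][b] = sig[i]
    return known


def hamming_distance(m1: bytes, m2: bytes) -> int:
    """Number of digest positions where m1 and m2 differ."""
    return sum(a != b for a, b in zip(digest_bits(m1), digest_bits(m2)))


def forgeable_fraction(d: int) -> float:
    """Fraction of digest values forgeable once d positions are fully leaked:
    N - d positions are pinned, d are free, so 2^d of the 2^N digests."""
    return 2.0 ** (d - N)


def forge(known, target: bytes):
    """Assemble a signature for target from leaked preimages, or None."""
    bits = digest_bits(target)
    if any(bits[i] not in known[i] for i in range(N)):
        return None
    return [known[i][bits[i]] for i in range(N)]


def find_forgeable(known, max_tries: int):
    """Search candidate messages until one has a forgeable digest."""
    for c in range(max_tries):
        m = b"forged-" + str(c).encode()
        sig = forge(known, m)
        if sig is not None:
            return m, sig
    return None


if __name__ == "__main__":
    sk, pk = keygen()
    m1, m2 = b"pay alice 10", b"pay bob 20"  # constructed sample messages
    s1, s2 = sign(sk, m1), sign(sk, m2)       # the accidental key reuse
    known = leaked_preimages([(m1, s1), (m2, s2)])
    d = hamming_distance(m1, m2)
    print(f"positions with both preimages leaked: {d} of {N}")
    print(f"fraction of digests now forgeable: 2^{d - N}")
    m3, s3 = find_forgeable(known, 1 << 18)
    print(f"forged {m3!r}: verify -> {verify(pk, m3, s3)}")
```

Two checks worth running against your own OTS implementation follow the same pattern: after a single signature, `leaked_preimages` should hold exactly one value per position (nothing beyond what the scheme must reveal), and after a second signature the count of positions with both values equals the Hamming distance of the two digests, which directly gives the attacker's search cost as 2^(N-d).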