Machine-Checked Security for XMSS as in RFC 8391 and SPHINCS+

Manuel Barbosa; François Dupressoir; Benjamin Grégoire; Andreas Hülsing; Matthias Meijers; Pierre-Yves Strub

doi:10.1007/978-3-031-38554-4_14

Machine-Checked Security for XMSS as in RFC 8391 and SPHINCS+

Manuel Barbosa, François Dupressoir, Benjamin Grégoire, Andreas Hülsing, Matthias Meijers, Pierre-Yves Strub

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

3 Citations (Scopus)

Abstract

This work presents a novel machine-checked tight security proof for XMSS —a stateful hash-based signature scheme that is (1) standardized in RFC 8391 and NIST SP 800-208, and (2) employed as a primary building block of SPHINCS ⁺, one of the signature schemes recently selected for standardization as a result of NIST’s post-quantum competition. In 2020, Kudinov, Kiktenko, and Fedoro pointed out a flaw affecting the tight security proofs of SPHINCS ⁺ and XMSS. For the case of SPHINCS ⁺, this flaw was fixed in a subsequent tight security proof by Hülsing and Kudinov. Unfortunately, employing the fix from this proof to construct an analogous tight security proof for XMSS would merely demonstrate security with respect to an insufficient notion. At the cost of modeling the message-hashing function as a random oracle, we complete the tight security proof for XMSS and formally verify it using the EasyCrypt proof assistant. (Note that this merely extends the use of the random oracle model, as this model is already required in other parts of the security analysis to justify the currently standardized parameter values). As part of this endeavor, we formally verify the crucial step common to the security proofs of SPHINCS ⁺ and XMSS that was found to be flawed before, thereby confirming that the core of the aforementioned security proof by Hülsing and Kudinov is correct. As this is the first work to formally verify proofs for hash-based signature schemes in EasyCrypt, we develop several novel libraries for the fundamental cryptographic concepts underlying such schemes—e.g., hash functions and digital signature schemes—establishing a common starting point for future formal verification efforts. These libraries will be particularly helpful in formally verifying proofs of other hash-based signature schemes such as LMS or SPHINCS ⁺.

Original language	English
Title of host publication	Advances in Cryptology – CRYPTO 2023
Subtitle of host publication	43rd Annual International Cryptology Conference, CRYPTO 2023, Santa Barbara, CA, USA, August 20–24, 2023, Proceedings, Part V
Editors	Helena Handschuh, Anna Lysyanskaya
Place of Publication	Cham
Publisher	Springer
Chapter	14
Pages	421-454
Number of pages	34
ISBN (Electronic)	978-3-031-38554-4
ISBN (Print)	978-3-031-38553-7
DOIs	https://doi.org/10.1007/978-3-031-38554-4_14
Publication status	Published - 2023
Event	43rd Annual International Cryptology Conference, CRYPTO 2023 - Santa Barbara, United States Duration: 20 Aug 2023 → 24 Aug 2023 Conference number: 43

Publication series

Name	Lecture Notes in Computer Science
Publisher	Springer
Volume	14085
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	43rd Annual International Cryptology Conference, CRYPTO 2023
Abbreviated title	CRYPTO 2023
Country/Territory	United States
City	Santa Barbara
Period	20/08/23 → 24/08/23

Funding

Acknowledgments. Andreas Hülsing and Matthias Meijers are funded by an NWO VIDI grant (Project No. VI.Vidi.193.066). We thank the Formosa Crypto consortium for support and discussions.

Keywords

Computer-Aided Cryptography
EasyCrypt
Formal Verification
Machine-Checked Proofs
SPHINCS
XMSS

Access to Document

10.1007/978-3-031-38554-4_14

Cite this

Barbosa, M., Dupressoir, F., Grégoire, B., Hülsing, A., Meijers, M., & Strub, P.-Y. (2023). Machine-Checked Security for XMSS as in RFC 8391 and SPHINCS+. In H. Handschuh, & A. Lysyanskaya (Eds.), Advances in Cryptology – CRYPTO 2023: 43rd Annual International Cryptology Conference, CRYPTO 2023, Santa Barbara, CA, USA, August 20–24, 2023, Proceedings, Part V (pp. 421-454). (Lecture Notes in Computer Science; Vol. 14085). Springer. https://doi.org/10.1007/978-3-031-38554-4_14

Barbosa, Manuel ; Dupressoir, François ; Grégoire, Benjamin et al. / Machine-Checked Security for XMSS as in RFC 8391 and SPHINCS+. Advances in Cryptology – CRYPTO 2023: 43rd Annual International Cryptology Conference, CRYPTO 2023, Santa Barbara, CA, USA, August 20–24, 2023, Proceedings, Part V. editor / Helena Handschuh ; Anna Lysyanskaya. Cham : Springer, 2023. pp. 421-454 (Lecture Notes in Computer Science).

@inproceedings{194dfd074cea4744b202c68705f936f8,

title = "Machine-Checked Security for XMSS as in RFC 8391 and SPHINCS+",

abstract = "This work presents a novel machine-checked tight security proof for XMSS —a stateful hash-based signature scheme that is (1) standardized in RFC 8391 and NIST SP 800-208, and (2) employed as a primary building block of SPHINCS +, one of the signature schemes recently selected for standardization as a result of NIST{\textquoteright}s post-quantum competition. In 2020, Kudinov, Kiktenko, and Fedoro pointed out a flaw affecting the tight security proofs of SPHINCS + and XMSS. For the case of SPHINCS +, this flaw was fixed in a subsequent tight security proof by H{\"u}lsing and Kudinov. Unfortunately, employing the fix from this proof to construct an analogous tight security proof for XMSS would merely demonstrate security with respect to an insufficient notion. At the cost of modeling the message-hashing function as a random oracle, we complete the tight security proof for XMSS and formally verify it using the EasyCrypt proof assistant. (Note that this merely extends the use of the random oracle model, as this model is already required in other parts of the security analysis to justify the currently standardized parameter values). As part of this endeavor, we formally verify the crucial step common to the security proofs of SPHINCS + and XMSS that was found to be flawed before, thereby confirming that the core of the aforementioned security proof by H{\"u}lsing and Kudinov is correct. As this is the first work to formally verify proofs for hash-based signature schemes in EasyCrypt, we develop several novel libraries for the fundamental cryptographic concepts underlying such schemes—e.g., hash functions and digital signature schemes—establishing a common starting point for future formal verification efforts. These libraries will be particularly helpful in formally verifying proofs of other hash-based signature schemes such as LMS or SPHINCS +.",

keywords = "Computer-Aided Cryptography, EasyCrypt, Formal Verification, Machine-Checked Proofs, SPHINCS, XMSS",

author = "Manuel Barbosa and Fran{\c c}ois Dupressoir and Benjamin Gr{\'e}goire and Andreas H{\"u}lsing and Matthias Meijers and Pierre-Yves Strub",

year = "2023",

doi = "10.1007/978-3-031-38554-4_14",

language = "English",

isbn = "978-3-031-38553-7",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

pages = "421--454",

editor = "Helena Handschuh and Anna Lysyanskaya",

booktitle = "Advances in Cryptology – CRYPTO 2023",

address = "Germany",

note = "43rd Annual International Cryptology Conference, CRYPTO 2023, CRYPTO 2023 ; Conference date: 20-08-2023 Through 24-08-2023",

}

Barbosa, M, Dupressoir, F, Grégoire, B, Hülsing, A , Meijers, M & Strub, P-Y 2023, Machine-Checked Security for XMSS as in RFC 8391 and SPHINCS+. in H Handschuh & A Lysyanskaya (eds), Advances in Cryptology – CRYPTO 2023: 43rd Annual International Cryptology Conference, CRYPTO 2023, Santa Barbara, CA, USA, August 20–24, 2023, Proceedings, Part V. Lecture Notes in Computer Science, vol. 14085, Springer, Cham, pp. 421-454, 43rd Annual International Cryptology Conference, CRYPTO 2023, Santa Barbara, California, United States, 20/08/23. https://doi.org/10.1007/978-3-031-38554-4_14

Machine-Checked Security for XMSS as in RFC 8391 and SPHINCS+. / Barbosa, Manuel; Dupressoir, François; Grégoire, Benjamin et al.
Advances in Cryptology – CRYPTO 2023: 43rd Annual International Cryptology Conference, CRYPTO 2023, Santa Barbara, CA, USA, August 20–24, 2023, Proceedings, Part V. ed. / Helena Handschuh; Anna Lysyanskaya. Cham: Springer, 2023. p. 421-454 (Lecture Notes in Computer Science; Vol. 14085).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Machine-Checked Security for XMSS as in RFC 8391 and SPHINCS+

AU - Barbosa, Manuel

AU - Dupressoir, François

AU - Grégoire, Benjamin

AU - Hülsing, Andreas

AU - Meijers, Matthias

AU - Strub, Pierre-Yves

N1 - Conference code: 43

PY - 2023

Y1 - 2023

N2 - This work presents a novel machine-checked tight security proof for XMSS —a stateful hash-based signature scheme that is (1) standardized in RFC 8391 and NIST SP 800-208, and (2) employed as a primary building block of SPHINCS +, one of the signature schemes recently selected for standardization as a result of NIST’s post-quantum competition. In 2020, Kudinov, Kiktenko, and Fedoro pointed out a flaw affecting the tight security proofs of SPHINCS + and XMSS. For the case of SPHINCS +, this flaw was fixed in a subsequent tight security proof by Hülsing and Kudinov. Unfortunately, employing the fix from this proof to construct an analogous tight security proof for XMSS would merely demonstrate security with respect to an insufficient notion. At the cost of modeling the message-hashing function as a random oracle, we complete the tight security proof for XMSS and formally verify it using the EasyCrypt proof assistant. (Note that this merely extends the use of the random oracle model, as this model is already required in other parts of the security analysis to justify the currently standardized parameter values). As part of this endeavor, we formally verify the crucial step common to the security proofs of SPHINCS + and XMSS that was found to be flawed before, thereby confirming that the core of the aforementioned security proof by Hülsing and Kudinov is correct. As this is the first work to formally verify proofs for hash-based signature schemes in EasyCrypt, we develop several novel libraries for the fundamental cryptographic concepts underlying such schemes—e.g., hash functions and digital signature schemes—establishing a common starting point for future formal verification efforts. These libraries will be particularly helpful in formally verifying proofs of other hash-based signature schemes such as LMS or SPHINCS +.

AB - This work presents a novel machine-checked tight security proof for XMSS —a stateful hash-based signature scheme that is (1) standardized in RFC 8391 and NIST SP 800-208, and (2) employed as a primary building block of SPHINCS +, one of the signature schemes recently selected for standardization as a result of NIST’s post-quantum competition. In 2020, Kudinov, Kiktenko, and Fedoro pointed out a flaw affecting the tight security proofs of SPHINCS + and XMSS. For the case of SPHINCS +, this flaw was fixed in a subsequent tight security proof by Hülsing and Kudinov. Unfortunately, employing the fix from this proof to construct an analogous tight security proof for XMSS would merely demonstrate security with respect to an insufficient notion. At the cost of modeling the message-hashing function as a random oracle, we complete the tight security proof for XMSS and formally verify it using the EasyCrypt proof assistant. (Note that this merely extends the use of the random oracle model, as this model is already required in other parts of the security analysis to justify the currently standardized parameter values). As part of this endeavor, we formally verify the crucial step common to the security proofs of SPHINCS + and XMSS that was found to be flawed before, thereby confirming that the core of the aforementioned security proof by Hülsing and Kudinov is correct. As this is the first work to formally verify proofs for hash-based signature schemes in EasyCrypt, we develop several novel libraries for the fundamental cryptographic concepts underlying such schemes—e.g., hash functions and digital signature schemes—establishing a common starting point for future formal verification efforts. These libraries will be particularly helpful in formally verifying proofs of other hash-based signature schemes such as LMS or SPHINCS +.

KW - Computer-Aided Cryptography

KW - EasyCrypt

KW - Formal Verification

KW - Machine-Checked Proofs

KW - SPHINCS

KW - XMSS

UR - http://www.scopus.com/inward/record.url?scp=85173037731&partnerID=8YFLogxK

U2 - 10.1007/978-3-031-38554-4_14

DO - 10.1007/978-3-031-38554-4_14

M3 - Conference contribution

SN - 978-3-031-38553-7

T3 - Lecture Notes in Computer Science

SP - 421

EP - 454

BT - Advances in Cryptology – CRYPTO 2023

A2 - Handschuh, Helena

A2 - Lysyanskaya, Anna

PB - Springer

CY - Cham

T2 - 43rd Annual International Cryptology Conference, CRYPTO 2023

Y2 - 20 August 2023 through 24 August 2023

ER -

Barbosa M, Dupressoir F, Grégoire B, Hülsing A , Meijers M, Strub PY. Machine-Checked Security for XMSS as in RFC 8391 and SPHINCS+. In Handschuh H, Lysyanskaya A, editors, Advances in Cryptology – CRYPTO 2023: 43rd Annual International Cryptology Conference, CRYPTO 2023, Santa Barbara, CA, USA, August 20–24, 2023, Proceedings, Part V. Cham: Springer. 2023. p. 421-454. (Lecture Notes in Computer Science). doi: 10.1007/978-3-031-38554-4_14

Machine-Checked Security for XMSS as in RFC 8391 and SPHINCS+

Abstract

Publication series

Conference

Funding

Keywords

Access to Document

Other files and links

Fingerprint

Cite this