TY - GEN
T1 - “Oops, I did it again” – Security of one-time signatures under two-message attacks
AU - Groot Bruinderink, L.
AU - Hülsing, A.T.
N1 - Conference code: 24
PY - 2018
Y1 - 2018
AB - One-time signatures (OTS) are called one-time, because the accompanying security reductions only guarantee security under single-message attacks. However, this does not imply that efficient attacks are possible under two-message attacks. Especially in the context of hash-based OTS (which are basic building blocks of recent standardization proposals) this leads to the question if accidental reuse of a one-time key pair leads to immediate loss of security or to graceful degradation. In this work we analyze the security of the most prominent hash-based OTS, Lamport’s scheme, its optimized variant, and WOTS, under different kinds of two-message attacks. Interestingly, it turns out that the schemes are still secure under two message attacks, asymptotically. However, this does not imply anything for typical parameters. Our results show that for Lamport’s scheme, security only slowly degrades in the relevant attack scenarios and typical parameters are still somewhat secure, even in case of a two-message attack. As we move on to optimized Lamport and its generalization WOTS, security degrades faster and faster, and typical parameters do not provide any reasonable level of security under two-message attacks.
KW - Few-time signatures
KW - Hash-based signatures
KW - One-time signatures
KW - Post-quantum cryptography
KW - Two-message attacks
UR - http://www.scopus.com/inward/record.url?scp=85041804020&partnerID=8YFLogxK
U2 - 10.1007/978-3-319-72565-9_15
DO - 10.1007/978-3-319-72565-9_15
M3 - Conference contribution
AN - SCOPUS:85041804020
SN - 978-3-319-72564-2
T3 - Lecture Notes in Computer Science
SP - 299
EP - 322
BT - Selected Areas in Cryptography – SAC 2017
A2 - Adams, Carlisle
A2 - Camenisch, Jan
PB - Springer
CY - Cham
T2 - 24th International Conference on Selected Areas in Cryptography (SAC 2017)
Y2 - 16 August 2017 through 18 August 2017
ER -