Abstract

Hash-based signatures are gaining attention as one of the alternatives, along with lattice-based, multivariate, and code-based signatures, that can replace current digital signatures, which are not secure against attacks by quantum computers. Up to now, all hash-based signatures have used binary representations to generate signatures. In this paper, we propose using the nonadjacent form (NAF) when generating signatures in hash-based signatures. Concretely, we propose a hash-based signature scheme, WSS-N, which is obtained by applying the nonadjacent form (NAF) to the Winternitz signature scheme. We prove that WSS-N is existentially unforgeable under chosen message attacks in the standard model, and we show that WSS-N needs fewer hash function calls than the Winternitz signature scheme using the binary representation, WSS-B. For a specific parameter set with 256-bit security, WSS-N generates signatures faster than WSS-B by 8%. Finally, we implement both WSS-N and WSS-B and show that WSS-N generates signatures faster than WSS-B on a desktop computer.

1. Introduction

Recent research progress on quantum computers has brought postquantum cryptography to the forefront to protect against attacks by quantum computers. Once quantum computers are developed, most modern cryptographic systems will become insecure. Particularly, it would cause catastrophic damage to public key cryptography. Most modern public key cryptographic algorithms are secure under the assumption that the integer factorization and the discrete logarithm problem are computationally infeasible. However, quantum computers can solve these problems using Shor’s algorithm [1] in polynomial time. Therefore, the advent of quantum computers will make modern public key cryptographic systems insecure.

In this situation, the cryptographic community has pushed hard to develop postquantum cryptography. NIST (the National Institute of Standards and Technology) has started a process to standardize postquantum cryptographic algorithms. Moreover, the NSA (National Security Agency) has announced preliminary plans for transitioning the algorithms approved for protecting the classified and unclassified national security systems of the United States to quantum-resistant algorithms.

The leading fields of postquantum cryptography are lattice-based cryptography, code-based cryptography, multivariate cryptography, and hash-based digital signatures. In this paper, we propose a new technique that could increase the efficiency of hash-based digital signatures. Hash-based digital signatures are slower than digital signatures based on lattices, codes, and multivariate polynomials. However, hash-based digital signatures provide stronger security guarantees than those of the other categories, because they are secure under a single assumption, namely that the underlying hash functions are secure. Therefore, hash-based signatures are considered to be the most promising alternative in the short term. Hash-based digital signatures have been researched continuously since the Lamport digital signature [2], with recent examples such as LMS [3] and SPHINCS [4].

All hash-based digital signatures proposed to date use binary representations to generate signatures. In this paper, we propose using the nonadjacent form (NAF) representation when generating signatures. Specifically, this paper proposes WSS-N by applying the NAF to W-OTS+ [5]. W-OTS+ is a Winternitz-type one-time signature scheme proposed by Hülsing in 2013 (the Winternitz signature is a one-time digital signature that can be used as a component of recent hash-based digital signatures capable of signing many messages; in particular, it is used as a building block of XMSS, SPHINCS, etc.) [6]. It reduces the signature size compared with previous Winternitz-type one-time signature schemes and is proven to be strongly unforgeable under chosen message attacks in the standard model.

We prove that WSS-N is existentially unforgeable under adaptive chosen message attacks if the hash function family used is second preimage-resistant, undetectable, and one-way. We also analyze the performance of WSS-N and compare it with WSS-B.

The NAF uses the signed digits 0, 1, and −1, while the binary representation uses the bits 0 and 1. While the digits of the binary representation are uniformly distributed, the digits of the NAF representation have a biased distribution. This makes the Winternitz signature scheme require fewer hash function calls when generating a signature. For a specific parameter set with 256-bit security, the Winternitz signature using the NAF requires 8% fewer hash function calls (and thus generates signatures 8% faster) than that using the binary representation. However, the key generation and signature verification times of the Winternitz signature using the NAF become longer than those using the binary representation. We analyze these trade-offs in detail.

Figure 1 gives the intuition for why WSS-N shows better signature generation performance than WSS-B. Concretely, the graph shows the number of blocks by the number of hash function calls when WSS-B and WSS-N, each having a hashed message length of 256 bits and a block length of 4 bits, generate a signature. That is, the point of the graph means that when WSS-B or WSS-N generates signatures for hashed messages, the total number of blocks that call the hash function times is . In addition, the blue and red vertical dotted lines of the graph represent the number of hash function evaluations that each block calls on average when WSS-B and WSS-N generate signatures, respectively. As can be seen from the graph, the maximum number of hash function calls of a WSS-N block is larger than that of WSS-B. However, in the case of WSS-N, the number of blocks making a small number of hash function calls is larger than that of WSS-B, so on average WSS-N requires fewer hash function calls than WSS-B. Hence, WSS-N generates signatures faster than WSS-B on average.

Now let us look at the usage and the meaning of WSS-N. Basically, WSS-N can be used when signature generation time is more important than key generation time. Generally, the bottleneck of a one-time digital signature is the key generation time rather than the signature generation time, but there are certainly situations where the signature generation time is more critical. Devices that sense events which occur infrequently but require a quick response, such as seismic sensors, fire sensors, and so forth, should generate a signature as soon as possible when an event occurs; they can generate a key pair during the waiting time. Also, where measurement data must be sent on a regular basis (e.g., every 5 minutes), a key pair can be generated between measurements, leaving only signature generation to be done when the data are ready. Note that efforts to reduce signature generation time have been around for a long time [7, 8]. The most important contribution of the paper is that it shows the possibility of a numeral system that can provide better performance than the binary representation.

The rest of this paper is organized as follows. Section 2 presents some preliminaries. In Section 3, the properties of the NAF that are required to analyze the efficiency of the Winternitz signature using the NAF are given and proven. In Section 4, we present WSS-N, the Winternitz signature using the NAF, and prove that it is existentially unforgeable under chosen message attacks in the standard model. We compare the efficiency of the Winternitz signatures using the NAF and the binary representation in Section 5, and we give implementation results comparing WSS-N and WSS-B in Section 6. Finally, we conclude the paper in Section 7.

2. Preliminaries

This section gives some notation and formal definitions. We follow the notation of [5]. From now on, the notation means that is randomly chosen from the set using the uniform distribution. We will denote by the uniform distribution over . We follow the definition of a digital signature scheme in [5]. Let denote a signature scheme with a security parameter . We also adopt the definitions of the EU-CMA security of and in [5].

Using this, we define EU-CMA in the following way.

Definition 1 (EU-CMA [5]). Let be a digital signature scheme with a security parameter . is -existentially unforgeable under an adaptive chosen message attack if , the maximum success probability of all possibly probabilistic -time adversaries making at most queries to Sign in the above experiment, is at most ;

WSS-N uses a family of functions with a key space . It can be viewed as a cryptographic hash function family that is noncompressing. Using , we define the following chaining function.

Following [5], for a given value , an iteration counter , a key , and randomization elements with , the chaining function works in the following way. In case , returns . For , we define recursively as The subset of will be denoted by . When , we define to be the empty string. It is assumed that the function family is publicly known.

Throughout the paper, we measure all runtimes by counting the number of the evaluations of elements from . In what follows, we use the (distinguishing) advantage of an adversary [5].

Functions [5]. We use three properties for families of functions. The first two of them are the one-wayness and the second preimage resistance of the family , and the success probability of adversaries against them is defined as and [5].

To define the other property, undetectability, consider the two distributions, and , over . A sample from is obtained by sampling and . A sample from is obtained by sampling and then evaluating on a uniformly random -bit string, that is, . The advantage of an adversary against the undetectability of is as follows: Using this, we define the undetectability as follows.

Definition 2 (undetectability (UD) [5]). Let and be a family of functions as described above. is -undetectable if the advantage of any -time adversary against the undetectability of is at most :

Now we provide some more notation and formal definitions regarding the NAF. First, we give the formal definition of the NAF and related definitions that are useful to describe our results.

Definition 3. Let be an integer. A signed binary representation of is an equation of the form , where for all . A signed binary representation of an integer is said to be in nonadjacent form provided that no two consecutive ’s are nonzero. Such a representation is denoted as a NAF representation.

Note that the NAF representation of an integer is unique.
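As an added worked example (not code from the paper), the following Python computes the NAF of Definition 3 with the standard digit rule, checks the uniqueness noted above by exhaustive enumeration over short signed binary strings, splits a representation into blocks of length w as in step 2 of the signature generation algorithm, and measures the digit bias discussed in Section 1 on constructed 256-bit values with 4-digit blocks. The block order of Definition 6, which fixes the chain height of each block in WSS-N, is not reproduced here.

```python
import itertools
import random


def naf(n: int) -> list:
    """Signed digits of the NAF of n >= 0, least significant first (Definition 3).
    Rule: an odd n takes digit +1 if n = 1 (mod 4) and -1 if n = 3 (mod 4), so the remaining
    value is divisible by 4 and the next digit is forced to 0, which guarantees nonadjacency."""
    digits = []
    while n > 0:
        if n & 1:
            d = 2 - (n & 3)
            n -= d
        else:
            d = 0
        digits.append(d)
        n >>= 1
    return digits


def is_nonadjacent(digits) -> bool:
    """No two consecutive signed digits are nonzero."""
    return all(not (digits[i] and digits[i + 1]) for i in range(len(digits) - 1))


def digits_value(digits) -> int:
    """Integer represented by signed digits given least significant first."""
    return sum(d << i for i, d in enumerate(digits))


def naf_is_unique_up_to_length(length: int) -> bool:
    """Exhaustive check of uniqueness: among all signed binary strings of the given length that
    are in nonadjacent form, no two represent the same integer, and every non-negative one equals
    naf() of its value once leading (most significant) zeros are stripped."""
    seen = {}
    for digits in itertools.product((-1, 0, 1), repeat=length):
        if not is_nonadjacent(digits):
            continue
        v = digits_value(digits)
        if v in seen:
            return False
        seen[v] = digits
        if v >= 0:
            stripped = list(digits)
            while stripped and stripped[-1] == 0:
                stripped.pop()
            if stripped != naf(v):
                return False
    return True


def split_blocks(digits_lsb_first, w: int) -> list:
    """Step 2 of the signature generation algorithm: write the representation most significant
    digit first and split it into blocks of length w, padding with zeros from the left."""
    msb_first = list(reversed(digits_lsb_first))
    pad = (-len(msb_first)) % w
    msb_first = [0] * pad + msb_first
    return [msb_first[i:i + w] for i in range(0, len(msb_first), w)]


def nonzero_density(m: int, w: int, samples: int, seed: int) -> tuple:
    """Average number of nonzero digits per w-digit block for the binary and NAF representations
    of `samples` pseudorandom m-bit hashed messages (constructed input, seeded for reproducibility).
    Chain heights in WSS-N are not equal to this count, but the bias it shows is what makes the
    average height lower than in WSS-B."""
    rng = random.Random(seed)
    bin_total = naf_total = bin_blocks = naf_blocks = 0
    for _ in range(samples):
        x = rng.getrandbits(m)
        for blk in split_blocks([(x >> i) & 1 for i in range(m)], w):
            bin_total += sum(1 for d in blk if d)
            bin_blocks += 1
        for blk in split_blocks(naf(x), w):
            naf_total += sum(1 for d in blk if d)
            naf_blocks += 1
    return bin_total / bin_blocks, naf_total / naf_blocks


if __name__ == "__main__":
    print(naf(13), split_blocks(naf(13), 4))   # [1, 0, -1, 0, 1] [[0, 0, 0, 1], [0, -1, 0, 1]]
    print(naf_is_unique_up_to_length(6))       # True
    print(nonzero_density(256, 4, 400, 1))     # binary about 2.0 per block, NAF about 1.3
```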

Definition 4. Let be a set of all the NAFs, which consists of signed digits and for . And let and . Furthermore, let and .

Proposition 5 shows the explicit formula for and a recurrence relation of .

Proposition 5. For an integer , and .

The functions defined in the following definition give an order on .

Definition 6. We define five functions on which give orders on .
(1) Let be an injective function such that
(2) Let be a bijective function such that if , where .
(3) Let be a bijective function such that for .
(4) Let be an injective function such that for .
(5) Let be an injective function such that for .

3. Properties of the NAF

In this section, we give some properties of the NAF. They will have a crucial role in analyzing the efficiency of WSS-N.

Let and be positive integers such that divides . For , let be the NAF of . Here, we assume that is always equal to 0. And let
(i) for and ;
(ii) for and
for .

We compute the numbers of the elements in and for all and . First, the numbers of the elements in and are as follows.

Lemma 7. For all , (1)(2)

Proof. First, suppose that . Because should be 0 for , . Additionally, because and for , .
Next, suppose that . If there is an element in , should be 0. Then represents a negative integer. This contradicts our assumption. Hence, . In the same manner, we can see that .

We are now in a position to calculate the numbers of the elements in and for all and .

Theorem 8. For all and , (1)(2)

Proof. See Appendix A.

4. Winternitz Signature Scheme Using the NAF

In this section, we propose WSS-N, a Winternitz signature scheme that uses the NAF representation. WSS-N is parameterized by the security parameter , the message length , and the Winternitz parameter . Algorithms 1, 2, and 3 describe the key generation, signature generation, and signature verification algorithms of WSS-N, respectively.

Algorithm 1: Key generation (Kg)
Input: security parameter
Output: secret key sk and public key pk
1. choose uniformly at random.
2. set .
3. choose uniformly at random.
4. set .
5. choose a function key uniformly at random.
6. set .
7. compute .
8. for to , compute .
9. for to , compute .
10. set .
11. return .
Algorithm 2: Signature generation (Sign)
Input: message , secret key sk and randomization elements r
Output: signature
1. compute the NAF representation of .
2. split into blocks of length , padding with zeros from the left if required.
3. for to , set to be a block of length obtained by dropping the least significant signed digit of .
4. compute
5. for to , compute
6. compute .
7. compute the checksum
8. split the binary representation of into blocks of length , padding with zeros from the left if required.
9. for to , set to be the integer encoded by the block .
10. set .
11. for to , compute .
12. set .
13. return .
Algorithm 3: Signature verification (Vf)
Input: message , signature and public key pk
Output: valid or invalid
1. compute as in Sign.
2. if then return valid, else return invalid.

Note that distinct messages will yield distinct values and that the checksum guarantees that given corresponding to a message, corresponding to another message include at least one such that .

The following theorem shows that WSS-N is existentially unforgeable under chosen message attacks, provided that a second preimage-resistant and undetectable one-way function family is used.

Theorem 9. Let , , and be a second preimage-resistant and undetectable one-way function family. Then, , the insecurity of WSS-N against an EU-CMA attack, is bounded by with and .

Proof. It may be proven in much the same way as Theorem 1 in [5]. The only difference between them is that the heights of the chains to compute public keys of WSS-N and W-OTS+ [5] are different. Since the heights of the chains in WSS-N are not constant, the proof becomes a bit more complicated. However, the main idea of the proof does not change. For the detailed proof, we refer the reader to Appendix B.

Remark 10. The length of the signatures of the WSS-N can be reduced by using a secure pseudorandom generator. For example, a -bit seed of a secret key can be used to generate the -bit secret key using the pseudorandom generator based on an AES counter mode. Naturally, the length of the signatures of the WSS-B can be reduced in a similar way.

5. Comparisons

In this section, we compare the Winternitz signature using the NAF with that using the binary representation. Let be the security parameter, the message length, and the Winternitz parameter, and let WSS-N and WSS-B denote the Winternitz signatures using the NAF and the binary representation, respectively. We compare WSS-N with WSS-B in terms of efficiency.

First, we compare the number of hash function calls that are needed to generate a WSS-N signature and a WSS-B signature. We show that WSS-N needs fewer hash function calls than WSS-B to generate a signature when and . For ease of analysis, we only consider the case where divides in this section.

Before counting the numbers of the hash function calls that are needed in the signature generation steps, we give a lemma concerning the lengths of the count fields.

Lemma 11. Let be the security parameter, let be the message length, and let be the bit length of the block, the Winternitz parameter. And suppose that divides . The difference between the block length of the count field of WSS-B and that of WSS-N is less than or equal to 1 when .

Proof. The block length of the count field of WSS-B is And the block length of the count field of WSS-N is Thus, it is enough to show that It is equivalent to Because when , we can see that when . This completes the proof.

Now we count the numbers of hash function calls that are needed in the signature generation steps of the Winternitz signature schemes using the binary representation and the NAF representation.

Theorem 12. Let and be the numbers of hash function calls that are needed to generate a WSS-B signature and a WSS-N signature on average, respectively, where is the security parameter, is the Winternitz parameter, and is the message length. And suppose that divides . Then when and .

Proof. First, we compute . The first and second terms correspond to the numbers of the hash function calls that are needed for the message and count fields, respectively.
Next, we compute . The first six and the last terms correspond to the numbers of hash calls that are needed for the message and count fields, respectively.
Applying Lemma 11 yields We shall have established the theorem if we prove that the right-hand side of the above inequality is greater than or equal to 0 when and . The right-hand side can be rewritten as Because and , we can show that the right-hand side is greater than or equal to 0. This finishes the proof; the detailed verification that the right-hand side is greater than or equal to 0 is left to the reader.

The above theorem states that WSS-N needs fewer hash function calls to generate a signature than WSS-B on average when and . Note that when .

We proceed to show the numbers of hash function calls that are needed in the key generation steps of WSS-B and WSS-N. It is easily seen that hash function calls are needed to generate a WSS-B key pair. Similarly, we see that hash function calls are needed to generate a WSS-N key pair.

What is left is to count the numbers of hash function calls that are required to verify a WSS-B signature and a WSS-N signature. An analysis similar to that in the proof of Theorem 12 shows that hash function calls are needed to verify a WSS-B signature. Similarly, we obtain that hash function calls are needed to verify a WSS-N signature.

Now, we give the concrete result of the efficiency analysis (Table 1) that compares WSS-N and WSS-B. The numbers in the public key, secret key, and signature columns are byte lengths and those in the key generation, signature generation, and signature verification columns are the number of hash function calls. Additionally, the numbers with the dagger mark are average values. Table 1 shows that the number of hash function calls to generate a Winternitz signature is reduced by about 8% when using the NAF representation compared to that with the binary representation. However, generating a key pair and verifying a signature need more hash function calls when using the NAF compared to the binary representation.

Remark 13. WSS-N needs fewer hash function calls than WSS-B when generating a signature. By choosing other orders on , one can instead make the Winternitz signature scheme need fewer hash function calls when verifying a signature. However, we will not cover this feature in this paper.

6. Benchmarks and Comparison

In this section, we provide benchmarking results of WSS-N and WSS-B. Concretely, we implement WSS-N and WSS-B and compare their software performances. The specific parameters and functions are summarized in Table 2. We use SHA-256 in OpenSSL [9].

Table 3 shows implementation results of WSS-N and WSS-B. It gives the average clock cycle counts of 1,000,000 runs for key generation, signing, and verification. All results in Table 3 were obtained on an Intel Core i7-6700 running at 3.40 GHz. We used the compiler gcc-5.4.0 with the options "-O3," "-march=broadwell," and "-mtune=generic" to compile our C program.

We can see that WSS-N generates signatures faster than WSS-B by about 8% on a general desktop computer. However, the key generation and the signature verification of WSS-N are slower than those of WSS-B, as expected. The source code that benchmarks WSS-N and WSS-B can be found in the supplementary materials.

7. Conclusions

In this paper, we proposed a hash-based signature using the NAF, WSS-N. It is existentially unforgeable under chosen message attacks in the standard model. We proved that WSS-N requires fewer hash function calls than WSS-B when generating a signature on average. In a concrete example, WSS-N makes the signature generation time 8% shorter than that of WSS-B. We also gave benchmarking results on a regular desktop computer, which show that the signature generation of WSS-N can be implemented faster than that of WSS-B. However, it takes longer to generate the keys and verify the signatures.

WSS-N is the first hash-based signature that uses a numeral system other than the binary representation. Applying the NAF to hash-based signatures has trade-offs between the key generation time, the signature generation time, and the signature verification time. It would be interesting to determine what other trade-offs occur when applying numeral systems other than the binary representation and the NAF.

Appendix

A. Proof of Theorem 8

In this section, we give the proof of Theorem 8.

Proof. The proof is by induction on . As a base case, we compute for given . When , if and only if . It follows that if . And when , if and only if . Consequently, if . Furthermore, it is clear that for all .
For the inductive step, let be an integer and assume that the theorem holds for . We first have for all , provided . In the same manner, we have for all , provided .
We next have for all , provided . In the same manner, we have for all , provided .
Thus, the theorem holds for , and this completes the proof.

B. Security Proof of WSS-N

In this section, we give the proof of Theorem 9. It can be proven in much the same way as [5].

Proof. Suppose that there exists a forger that -breaks existential unforgeability of WSS-N, where . We construct an algorithm , by interacting with with a possibly different input distribution, which breaks either the second preimage resistance or one-wayness of (Algorithm 4).
First, obtains a key pair (sk, pk) by running the WSS-N Kg (Line 1). Then, selects the positions to place its challenges in the public key. It selects a random function chain choosing an index (Line 2). It chooses another index when (Line 3); otherwise it chooses (Line 4) to select a random intermediate value of this chain. places the preimage challenge at this position by setting as the th intermediate value of the chain. If is not the last position of the chain, another intermediate value between and the end of the chain is selected, sampling (Lines 5.b.(1) and 6.b.(1)). places the second preimage challenge at the input of the th evaluation of the chain continued from , replacing (Lines 5.b.(2) and 6.b.(2)). A manipulated public key is computed (Lines 5.c and Line 6.c).
Then runs on input (Line 7). We assume that asks for the signature on one message (Line 8). computes as described in Sign (Line 8.a). knows all the secret key values corresponding to except that of the chain . For the chain , can only answer the query if (Line 8.c). Otherwise, aborts (Line 8.b).
If outputs a forgery , computes (Line 9.a). The forgery is only useful if . If not, returns fail (Line 9.b). Now, there are two mutually exclusive cases. If is the last position of the chain , the forgery contains a preimage of (Lines 9.c and Line 9.d). Otherwise, there are again two mutually exclusive cases. When the chain continued from has as the th intermediate value, a preimage can be extracted (Line 9.e). And when is not the th intermediate value of the chain continued from , the chains continued from and must collide at some position between and the end ( or ). If they collide at position for the first time, the second preimage for can be extracted (Line 9.f). Otherwise, aborts (Line 10).
We proceed to compute the success probability of . We only compute the probability for a certain success case where obtained from ’s query equals . This happens with probability at least . As our modification might have changed the input distribution of , let denote the probability that returns a valid forgery when run by . Due to the checksum, leads to at least one , . With probability , this happens for and the condition in Line 9.b is fulfilled. At this point, there are two mutually exclusive cases.
Case 1. is the last position of the chain or the chain continued from has as the th intermediate value. In this case, returns a preimage for with probability 1.
Case 2. is not the last position of the chain and the chain continued from does not have as the th intermediate value. In this case, returns the second preimage for if the two chains collide for the first time at position . This happens with probability greater than .
Hence the bound of can be obtained: where the time is an upper bound for the runtime of plus the time needed to run each algorithm of WSS-N once.
At the second step, we bound the difference between and . If , we already have a contradiction. Hence, we assume that in what follows. We define two distributions, and , over . A sample follows if the entries , , , and are chosen uniformly at random and is chosen uniformly at random when and is chosen uniformly at random otherwise. A sample follows if , , and are chosen uniformly at random, is chosen uniformly at random when , and is chosen uniformly at random otherwise and . Now we construct an algorithm that distinguishes between and . We bound using the advantage of and . Then the bound of the advantage of is obtained using the undetectability of .
works in the following way. On input that is chosen from either or , generates a WSS-N key pair. Instead of using Kg, samples . It computes pk as and Then runs on input pk. When issues a chosen message query for a message , behaves the same way as . If returns a valid forgery, returns 1 and otherwise 0. The runtime of is bounded by the runtime of plus one evaluation of each algorithm of WSS-N. So we get as an upper bound.
Now we compute the advantage of . If the sample is taken from , the distribution of pk generated by is the same as the distribution of generated by . Hence outputs 1 with probability If the sample was taken from , pk generated by follows the same distribution as that generated by Kg, and so outputs 1 with probability So the advantage of is So we obtain the following bound on : We now bound the advantage of . For given and , we define the hybrids with , for . Given an adversary that can distinguish between and with advantage , there must exist two consecutive hybrids, and , which distinguishes with advantage . Then we can construct an algorithm that, by interacting with , distinguishes between and . Given a challenge , selects , computes , runs , and outputs .
If the sample is taken from , is uniformly random and is distributed exactly like the third element of . Otherwise, if the sample is taken from , then is an output of and we get It is equal to the third element of . Hence, the advantage of is equal to that of . So we get As the advantage of is bounded by the undetectability of , does exactly what we expect to do and the runtime of is that of plus at most evaluations of elements from ; we get where is the runtime of . As , we obtain Putting (B.1), (B.6), and (B.10) together, we obtain a bound on which leads to the required contradiction: with and .

Algorithm 4: Reduction used in the proof of Theorem 9
Input: security parameter , function key , one-way challenge and second preimage resistance challenge
Output: a value that is either a preimage of or the second preimage for under , or fail.
1. run Kg to generate a WSS-N key pair (sk, pk).
2. choose an index .
3. if then choose an index .
4. else choose an index .
5. if then
 a. if then set .
 b. else
    (1) choose an index .
    (2) obtain from , replacing by .
 c. obtain by setting
     ;
     ;
     ;
6. else
 a. if then set .
 b. else
    (1) choose an index .
    (2) obtain from , replacing by .
 c. obtain by setting
     ;
     ;
     ;
7. run .
8. if queries Sign with a message then
 a. compute as in Algorithm 2.
 b. if then return fail.
 c. generate a signature of :
    (1) run .
    (2) set .
 d. reply to the query using .
9. if returns a valid then
 a. compute as in Algorithm 2.
 b. if then return fail.
 c. if and then return a preimage .
 d. else if and then return a preimage .
 e. else if then return a preimage .
 f. else if and then return the second preimage .
10. in any other case, return fail.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Supplementary Materials

The source code that benchmarks WSS-N and WSS-B is provided. The README file contains the commands and other comments needed to run the program.