Hash-based cryptography: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 03:08, 11 October 2021 edit 2601:647:5a00:3140:dc00:5ce0:69fa:ec14 (talk) Add ZKP and Range Proofs ← Previous edit		Latest revision as of 05:01, 24 August 2025 edit undo InternetArchiveBot (talk \| contribs) Bots, Pending changes reviewers 5,672,301 edits Rescuing 1 sources and tagging 0 as dead.) #IABot (v2.0.9.5
(31 intermediate revisions by 18 users not shown)
Line 1: {{Short description\|Concept in cryptography}} '''Hash-based cryptography''' is the generic term for constructions of [[cryptographic primitive]]s based on the security of [[hash function]]s. It is of interest as a type of [[post-quantum cryptography]]. So far, hash-based cryptography is used to construct [[digital signature]]s schemes such as the [[Merkle signature scheme]], zero knowledge and computationally integrity proofs, such as ~~the~~ the zk-STARK<ref name="bensasson2018">Ben-Sasson, Eli and Bentov, Iddo and Horesh, Yinon and Riabzev, Michael, 2018. [https://eprint.iacr.org/2018/046 Scalable, transparent, and post-quantum secure computational integrity,].</ref> ~~Ben~~proof system and range proofs over issued credentials via the HashWires<ref name="kchalkias2021">{{Cite journal \|last1=Chalkias \|first1=Konstantinos \|last2=Cohen \|first2=Shir \|last3=Lewi \|first3=Kevin \|last4=Moezinia \|first4=Fredric \|last5=Romailler \|first5=Yolan \|year=2021 \|title=HashWires: Hyperefficient Credential-~~Sasson~~Based Range Proofs \|url=https://eprint.iacr.org/2021/297 \|journal=Privacy Enhancing Technologies Symposium (PETS) 2021}}</ref> protocol. Hash-based signature schemes combine a one-time signature scheme, ~~Eli~~such ~~and~~as ~~Bentov~~a [[Lamport signature]], ~~Iddo~~with ~~and~~a ~~Horesh~~[[Merkle tree]] structure. Since a one-time signature scheme key can only sign a single message securely, ~~Yinon~~it ~~and~~is ~~Riabzev~~practical to combine many such keys within a single, ~~Michael~~larger structure. A Merkle tree structure is used to this end. In this hierarchical data structure, ~~2018~~a hash function and concatenation are used repeatedly to compute tree nodes. </ref> proof system and range proofs over issued credentials via the HashWires <ref name=kchalkias2021>{{cite journal\|last1=Chalkias\|first1=Konstantinos\|last2=Cohen\|first2=Shir\|last3=Lewi\|first3=Kevin\|last4=Moezinia\|first4=Fredric\|last5=Romailler\|first5=Yolan\|title=HashWires: Hyperefficient Credential-Based Range Proofs\|journal=Privacy Enhancing Technologies Symposium (PETS) 2021\|year=2021}}</ref> protocol. Hash-based signature schemes combine a one-time signature scheme with a [[Merkle tree]] structure. Since a one-time signature scheme key can only sign a single message securely, it is practical to combine many such keys within a single, larger structure. A Merkle tree structure is used to this end. In this hierarchical data structure, a hash function and concatenation are used repeatedly to compute tree nodes. [[Lamport signature]]s are an example of a one-time signature scheme that can be combined with a Merkle tree structure. One consideration with hash-based signature schemes is that they can only sign a limited number of messages securely, because of their use of one-time signature schemes. The US [[National Institute of Standards and Technology]] (NIST), specified that algorithms in its [[post-quantum cryptography]] competition support a minimum of 2{{Superscript\|64}} signatures safely.<ref>{{Cite web \|title=Submission Requirements and Evaluation Criteria for the Post-Quantum Cryptography Standardization Process \|url=https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/call-for-proposals-final-dec-2016.pdf \|website=NIST CSRC}}</ref> In 2019, the US [[National Institute of Standards and Technology]] announced its intention to promulgate standards for stateful hash-based cryptography based on the [[eXtended Merkle Signature Scheme]] (XMSS) and [[Leighton-Micali Signatures]] (LMS), which are applicable in different circumstances.<ref>{{Cite web\|url=https://csrc.nist.gov/news/2019/stateful-hbs-request-for-public-comments\|title=Request for Public Comments on Stateful HBS {{!}} CSRC\|last=Computer Security Division\|first=Information Technology Laboratory\|date=2019-02-01\|website=CSRC {{!}} NIST\|language=EN-US\|access-date=2019-02-04}}</ref> NIST standardized stateful hash-based cryptography based on the [[eXtended Merkle Signature Scheme]] (XMSS) and [[Leighton–Micali Signatures]] (LMS),<ref name="rfc8554" /> which are applicable in different circumstances, in 2020, but noted that the requirement to maintain state when using them makes them more difficult to implement in a way that avoids misuse.<ref>{{Cite web \|last=Computer Security Division \|first=Information Technology Laboratory \|date=2019-02-01 \|title=Request for Public Comments on Stateful HBS {{!}} CSRC \|url=https://csrc.nist.gov/news/2019/stateful-hbs-request-for-public-comments \|access-date=2019-02-04 \|website=CSRC {{!}} NIST \|language=EN-US}}</ref><ref>{{Cite journal \|last1=Alagic \|first1=Gorjan \|last2=Apon \|first2=Daniel \|last3=Cooper \|first3=David \|last4=Dang \|first4=Quynh \|last5=Dang \|first5=Thinh \|last6=Kelsey \|first6=John \|last7=Lichtinger \|first7=Jacob \|last8=Miller \|first8=Carl \|last9=Moody \|first9=Dustin \|last10=Peralta \|first10=Rene \|last11=Perlner \|first11=Ray \|date=2022-07-05 \|title=Status Report on the Third Round of the NIST Post-Quantum Cryptography Standardization Process \|url=https://csrc.nist.gov/publications/detail/nistir/8413/final \|journal=NIST Ir 8413 \|language=en \|doi=10.6028/NIST.IR.8413-upd1\|doi-access=free }}</ref><ref>{{Cite journal \|last1=Cooper \|first1=David \|last2=Apon \|first2=Daniel \|last3=Dang \|first3=Quynh \|last4=Davidson \|first4=Michael \|last5=Dworkin \|first5=Morris \|last6=Miller \|first6=Carl \|date=2020-10-29 \|title=Recommendation for Stateful Hash-Based Signature Schemes \|url=https://csrc.nist.gov/publications/detail/sp/800-208/final \|journal=NIST Special Publication 800-208 \|language=en \|doi=10.6028/NIST.SP.800-208}}</ref> ==History==▼ [[Leslie Lamport]] invented hash-based signatures in 1979. The XMSS (eXtended Merkle Signature Scheme)<ref name="BuchmannDahmen2011">{{cite journal\|last1=Buchmann\|first1=Johannes\|last2=Dahmen\|first2=Erik\|last3=Hülsing\|first3=Andreas\|title=XMSS - A Practical Forward Secure Signature Scheme Based on Minimal Security Assumptions\|journal=Lecture Notes in Computer Science\|volume=7071\|pages=117–129\|issue=Post-Quantum Cryptography. PQCrypto 2011\|year=2011\|issn=0302-9743\|doi=10.1007/978-3-642-25405-5_8\|citeseerx=10.1.1.400.6086}}</ref> and SPHINCS<ref>{{Cite book\|issue=Advances in Cryptology -- EUROCRYPT 2015\|last=Bernstein\|first=Daniel J.\|last2=Hopwood\|first2=Daira\|last3=Hülsing\|first3=Andreas\|last4=Lange\|first4=Tanja\|author4-link=Tanja Lange\|last5=Niederhagen\|first5=Ruben\|last6=Papachristodoulou\|first6=Louiza\|last7=Schneider\|first7=Michael\|last8=Schwabe\|first8=Peter\|last9=Wilcox-O’Hearn\|first9=Zooko\|title=SPHINCS: practical stateless hash-based signatures\|year=2015\|publisher=Springer Berlin Heidelberg\|isbn=9783662467992\|editor-last=Oswald\|editor-first=Elisabeth\|editor-link= Elisabeth Oswald \|series=Lecture Notes in Computer Science\|volume=9056\|pages=368–397\|language=en\|doi=10.1007/978-3-662-46800-5_15\|editor-last2=Fischlin\|editor-first2=Marc\|citeseerx = 10.1.1.690.6403}}</ref><ref>{{cite web\|title=SPHINCS: Introduction\|url=http://sphincs.cr.yp.to/}}</ref> hash-based signature schemes were introduced in 2011 and 2015, respectively. XMSS was developed by a team of researchers under the direction of [[Johannes Buchmann]] and is based both on Merkle's seminal scheme and on the 2007 Generalized Merkle Signature Scheme (GMSS).<ref>{{cite journal\|last1=Buchmann\|first1=Johannes\|last2=Dahmen\|first2=Erik\|last3=Klintsevich\|first3=Elena\|last4=Okeya\|first4=Katsuyuki\|last5=Vuillaume\|first5=Camille\|title=Merkle Signatures with Virtually Unlimited Signature Capacity\|journal=Lecture Notes in Computer Science\|date=2007\|volume=4521\|issue=Applied Cryptography and Network Security\|pages=31–45\|doi=10.1007/978-3-540-72738-5_3\|language=en}}</ref> A multi-tree variant of XMSS, XMSS<sup>''MT''</sup>, was described in 2013.<ref>{{cite book\|last1=Hülsing\|first1=Andreas\|last2=Rausch\|first2=Lea\|last3=Buchmann\|first3=Johannes\|title=Optimal Parameters for XMSSMT\|journal=Lecture Notes in Computer Science\|date=2013\|volume=8128\|issue=Security Engineering and Intelligence Informatics\|pages=194–208\|doi=10.1007/978-3-642-40588-4_14\|language=en\|isbn=978-3-642-40587-7}}</ref>▼ In 2022, NIST announced [[SPHINCS+]] as one of three algorithms to be standardized for digital signatures.<ref>{{Cite web \|date=2022-07-05 \|title=NIST announces four quantum-resistant algorithms \|url=https://venturebeat.com/2022/07/05/nist-post-quantum-cryptography-standard/ \|access-date=2022-07-10 \|website=VentureBeat \|language=en-US}}</ref> and in 2024 NIST announced the Stateless Hash-Based Digital Signature Standard (SLH-DSA)<ref>{{Cite journal \|date=August 2024 \|title=Stateless Hash-Based Digital Signature Standard \|url=https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.205.pdf \|website=[[NIST.gov]] \|doi=10.6028/NIST.FIPS.205}}</ref> based on SPHINCS+. ==One-time signature schemes==▼ ▲== History == ▲[[Leslie Lamport]] invented hash-based signatures in 1979. The XMSS (eXtended Merkle Signature Scheme)<ref name="BuchmannDahmen2011">{{~~cite~~Cite book ~~journal~~\|last1=Buchmann \|first1=Johannes \|title=Post-Quantum Cryptography \|last2=Dahmen \|first2=Erik \|last3=Hülsing \|first3=Andreas \|~~title~~year=~~XMSS~~2011 \|isbn=978-3-642-25404-8 ~~A Practical Forward Secure Signature Scheme Based on Minimal Security Assumptions~~\|~~journal~~series=Lecture Notes in Computer Science \|volume=7071 \|pages=117–129 \|~~issue~~chapter=~~Post-Quantum~~XMSS ~~Cryptography.~~– ~~PQCrypto~~A Practical Forward Secure Signature Scheme Based on Minimal Security Assumptions ~~2011~~\|~~year~~citeseerx=~~2011\|issn=0302-9743~~10.1.1.400.6086 \|doi=10.1007/978-3-642-25405-5_8 \|~~citeseerx~~issn=~~10.1.1.400.6086~~0302-9743}}</ref> and SPHINCS<ref>{{Cite book \|~~issue~~last1=Bernstein \|first1=Daniel J. \|title=Advances in Cryptology -- EUROCRYPT 2015~~\|last=Bernstein\|first=Daniel~~ J.\|last2=Hopwood \|first2=Daira \|last3=Hülsing \|first3=Andreas \|last4=Lange \|first4=Tanja \|~~author4~~author-~~link~~link4=Tanja Lange \|last5=Niederhagen \|first5=Ruben \|last6=Papachristodoulou \|first6=Louiza \|last7=Schneider \|first7=Michael \|last8=Schwabe \|first8=Peter \|last9=Wilcox-O’Hearn \|first9=Zooko \|~~title~~publisher=~~SPHINCS:~~Springer ~~practical~~Berlin ~~stateless hash-based~~Heidelberg ~~signatures~~\|year=2015~~\|publisher=Springer Berlin~~ ~~Heidelberg~~\|isbn=9783662467992 \|editor-last=Oswald \|editor-first=Elisabeth \|editor-link= Elisabeth Oswald \|series=Lecture Notes in Computer Science \|volume=9056 \|pages=368–397 \|language=en \|chapter=SPHINCS: Practical Stateless Hash-Based Signatures \|citeseerx=10.1.1.690.6403 \|doi=10.1007/978-3-662-46800-5_15 \|editor-last2=Fischlin \|editor-first2=Marc~~\|citeseerx = 10.1.1.690.6403~~}}</ref><ref>{{~~cite~~Cite web \|title=SPHINCS: Introduction \|url=http://sphincs.cr.yp.to/}}</ref> hash-based signature schemes were introduced in 2011 and 2015, respectively. XMSS was developed by a team of researchers under the direction of [[Johannes Buchmann]] and is based both on Merkle's seminal scheme and on the 2007 Generalized Merkle Signature Scheme (GMSS).<ref>{{~~cite~~Cite book ~~journal~~\|last1=Buchmann \|first1=Johannes \|title=Applied Cryptography and Network Security \|last2=Dahmen \|first2=Erik \|last3=Klintsevich \|first3=Elena \|last4=Okeya \|first4=Katsuyuki \|last5=Vuillaume \|first5=Camille \|~~title~~date=~~Merkle~~2007 ~~Signatures with Virtually Unlimited~~\|isbn=978-3-540-72737-8 ~~Signature Capacity~~\|~~journal~~series=Lecture Notes in Computer Science~~\|date=2007~~ \|volume=4521 \|~~issue~~pages=~~Applied~~31–45 ~~Cryptography~~\|language=en ~~and~~\|chapter=Merkle ~~Network~~Signatures with Virtually Unlimited Signature Capacity ~~Security\|pages=31–45~~\|doi=10.1007/978-3-540-72738-5_3 \|~~language~~doi-access=enfree}}</ref> A multi-tree variant of XMSS, XMSS<sup>''MT''</sup>, was described in 2013.<ref>{{~~cite~~Cite book \|last1=Hülsing \|first1=Andreas \|title=Security Engineering and Intelligence Informatics \|last2=Rausch \|first2=Lea \|last3=Buchmann \|first3=Johannes \|~~title~~date=~~Optimal~~2013 ~~Parameters~~\|isbn=978-3-642-40587-7 ~~for XMSSMT~~\|~~journal~~series=Lecture Notes in Computer Science~~\|date=2013~~ \|volume=8128 \|~~issue~~pages=~~Security~~194–208 ~~Engineering~~\|language=en ~~and~~\|chapter=Optimal ~~Intelligence~~Parameters for XMSS MT ~~Informatics\|pages=194–208~~\|doi=10.1007/978-3-642-40588-4_14\|~~language~~chapter-url=~~en\|isbn=978~~https://hal.inria.fr/hal-~~3-642-40587-7~~01506577 }}</ref> ▲== One-time signature schemes == Hash-based signature schemes use one-time signature schemes as their building block. A given one-time signing key can only be used to sign a single message securely. Indeed, signatures reveal part of the signing key. The security of (hash-based) one-time signature schemes relies exclusively on the security of an underlying hash function. Commonly used one-time signature schemes include the [[Lamport signatures\|~~Lamport-Diffie~~Lamport–Diffie scheme]], the Winternitz scheme<ref>{{~~cite~~Cite book ~~journal~~\|last1=Dods \|first1=C. \|title=Cryptography and Coding \|last2=Smart \|first2=N. P. \|last3=Stam \|first3=M. \|~~title~~date=~~Hash~~2005 ~~Based Digital Signature Schemes~~\|~~issue~~isbn=~~Cryptography~~978-3-540-30276-6 ~~and Coding~~\|~~journal~~series=Lecture Notes in Computer Science \|volume=3796~~\|date=2005~~ \|pages=96–115 \|language=en \|chapter=Hash Based Digital Signature Schemes \|doi=10.1007/11586821_8~~\|language=en~~}}</ref> and its improvements, such as the W-OTS<sup>+</sup> scheme.<ref name="wotsplus">{{~~cite~~Cite book \|~~last1~~last=Hülsing \|~~first1~~first=Andreas \|title=~~W-OTS+~~Progress —in ~~Shorter~~Cryptology ~~Signatures~~– ~~for~~AFRICACRYPT ~~Hash-Based~~2013 ~~Signature~~\|date=2013 ~~Schemes~~\|~~journal~~isbn=978-3-642-38552-0 \|series=Lecture Notes in Computer Science~~\|date=2013~~ \|volume=7918 \|~~issue~~pages=~~Progress~~173–188 ~~in Cryptology~~\|chapter=W-OTS+ – ~~AFRICACRYPT~~Shorter Signatures for Hash-Based Signature Schemes ~~2013\|pages=173–188~~\|doi=10.1007/978-3-642-38553-7_10~~\|isbn=978-3-642-38552-0~~}}</ref> Unlike the seminal ~~Lamport-Diffie~~Lamport–Diffie scheme, the Winternitz scheme and variants can sign many bits at once. The number of bits to be signed at once is determined by a value: the Winternitz parameter. The existence of this parameter provides a trade-off between size and speed. Large values of the Winternitz parameter yield short signatures and keys, at the price of slower signing and verifying. In practice, a typical value for this parameter is 16. In the case of stateless hash-based signatures, few-time signature schemes are used. Such schemes allow security to decrease gradually in case a few-time key is used more than once. HORST is an example of a few-time signature scheme. == Combining many one-time key pairs into a hash-based signature scheme == The central idea of hash-based signature schemes is to combine a larger number of one-time key pairs into a single structure to obtain a practical way of signing more than once (yet a limited number of times). This is done using a Merkle tree structure, with possible variations. One public and one private key are constructed from the numerous public and private keys of the underlying one-time scheme. The global public key is the single node at the very top of the Merkle tree. Its value is an output of the selected hash function, so a typical public key size is 32 bytes. The validity of this global public key is related to the validity of a given one-time public key using a sequence of tree nodes. This sequence is called the authentication path. It is stored as part of the signature, and allows a verifier to reconstruct the node path between those two public keys. Line 25 ⟶ 29: Some hash-based signature schemes use multiple layers of tree, offering faster signing at the price of larger signatures. In such schemes, only the lowest layer of trees is used to sign messages, while all other trees sign root values of lower trees. The ~~Naor-Yung~~Naor–Yung work<ref>M. Naor, M. Yung. "Universal One-Way Hash Functions and their Cryptographic Applications". STOC 1989. [http://www.wisdom.weizmann.ac.il/~naor/PAPERS/uowhf.pdf].</ref> shows the pattern by which to transfer a limited time signature of the Merkle type family into an unlimited (regular) signature scheme. == Properties of hash-based signature schemes == Hash-based signature schemes rely on security assumptions about the underlying hash function, but any hash function fulfilling these assumptions can be used. As a consequence, each adequate hash function yields a different corresponding hash-based signature scheme. Even if a given hash function becomes insecure, it is sufficient to replace it by a different, secure one to obtain a secure instantiation of the hash-based signature scheme under consideration. Some hash-based signature schemes (such as XMSS with pseudorandom key generation) are forward secure, meaning that previous signatures remain valid if a secret key is compromised. Line 34 ⟶ 38: Because of their reliance on an underlying one-time signature scheme, hash-based signature schemes can only sign a fixed number of messages securely. In the case of the Merkle and XMSS schemes, a maximum of <math>2^h</math> messages can be signed securely, with <math>h</math> the total Merkle tree height. == Examples of hash-based signature schemes == Since Merkle's initial scheme, numerous hash-based signature schemes with performance improvements have been introduced. Recent ones include the XMSS, the ~~Leighton-Micali~~Leighton–Micali (LMS), the SPHINCS and the BPQS schemes. Most hash-based signature schemes are [[State (computer science)\|stateful]], meaning that signing requires updating the secret key, unlike conventional digital signature schemes. For stateful hash-based signature schemes, signing requires keeping state of the used one-time keys and making sure they are never reused. The XMSS, LMS and BPQS<ref>{{~~cite~~Cite journal \|last1=Chalkias \|first1=Konstantinos \|last2=Brown \|first2=James \|last3=Hearn \|first3=Mike \|last4=Lillehagen \|first4=Tommy \|last5=Nitto \|first5=Igor \|last6=Schroeter \|first6=Thomas \|year=2018 \|title=Blockchained Post-Quantum Signatures \|url=https://eprint.iacr.org/2018/658.pdf \|journal=Proceedings of the IEEE International Conference on Blockchain (Cybermatics-2018) \|pages=1196–1203~~\|year=2018\|url=https://eprint.iacr.org/2018/658.pdf~~}}</ref> schemes are stateful, while the SPHINCS scheme is stateless. SPHINCS signatures are larger than XMSS, and LMS signatures~~, while~~. BPQS has been designed specifically for blockchain systems. Additionally to the WOTS~~<sup>~~+~~</sup>~~ one-time signature scheme,<ref name="wotsplus" /> SPHINCS also uses a few-time (hash-based) signature scheme called HORST. HORST is an improvement of an older few-time signature scheme, HORS (Hash to Obtain Random Subset).<ref>{{~~cite~~Cite book \|last1=Reyzin \|first1=Leonid \|title=Information Security and Privacy \|last2=Reyzin \|first2=Natan \|~~title~~date=~~Better than~~2002 ~~BiBa: Short One~~\|isbn=978-~~Time Signatures~~3-540-43861-8 ~~with Fast Signing and Verifying~~\|~~journal~~series=Lecture Notes in Computer Science~~\|date=2002~~ \|volume=2384~~\|issue=Information Security and~~ ~~Privacy~~\|pages=144–153~~\|doi=10.1007/3-540-45450-0_11~~ \|language=en \|~~isbn~~chapter=~~978-3-540~~Better than BiBa: Short One-~~43861-8~~Time Signatures with Fast Signing and Verifying \|citeseerx=10.1.1.24.7320 \|doi=10.1007/3-540-45450-0_11}}</ref> ~~Leighton~~The stateful hash-~~Micali~~based schemes XMSS and XMSS<sup>''MT''</sup> are specified in [[Request for Comments\|RFC]] 8391 (XMSS: eXtended Merkle Signature Scheme).<ref>{{Cite journal \|last1=Hülsing \|first1=Andreas \|last2=Butin \|first2=Denis \|last3=Gazdag \|first3=Stefan \|last4=Rijneveld \|first4=Joost \|last5=Mohaisen \|first5=Aziz \|date=May 2018 \|title=RFC 8391 – XMSS: eXtended Merkle Signature Scheme \|url=https://tools.ietf.org/html/rfc8391 \|language=en \|publisher=IETF \|website=tools.ietf.org}}</ref> Leighton–Micali Hash-Based Signatures are specified in [[Request for Comments\|RFC]] 8554.<ref name="rfc8554">{{~~cite~~Cite journal ~~web~~\|last1=McGrew \|first1=David \|last2=Curcio \|first2=Michael \|last3=Fluhrer \|first3=Scott \|date=April 2019 \|title=RFC 8554 -– ~~Leighton-Micali~~Leighton–Micali Hash-Based Signatures \|url=https://tools.ietf.org/html/rfc8554 \|~~website~~language=~~tools.ietf.org~~en \|publisher=IETF \|~~language~~website=entools.ietf.org}}</ref> Practical improvements have been proposed in the literature that alleviate the concerns introduced by stateful schemes.<ref>{{~~cite~~Cite book ~~journal~~\|last1=McGrew \|first1=David \|title=Security Standardisation Research \|last2=Kampanakis \|first2=Panos \|last3=Fluhrer \|first3=Scott \|last4=Gazdag \|first4=Stefan-Lukas \|last5=Butin \|first5=Denis \|last6=Buchmann \|first6=Johannes \|~~title~~date=~~State Management~~2016 ~~for Hash~~\|isbn=978-~~Based~~3-319-49099-1 ~~Signatures~~\|~~journal~~series=Lecture Notes in Computer Science~~\|date=2016~~ \|volume=10074 \|~~issue~~pages=~~Security~~244–260 ~~Standardisation~~\|language=en ~~Research~~\|~~pages~~chapter=~~244–260~~State Management for Hash-Based Signatures \|doi=10.1007/978-3-319-49100-4_11 \|chapter-url=https://pdfs.semanticscholar.org/502a/2a2f5043f0d32fec0a5818d203fb4c9cd266.pdf \|archive-url=https://web.archive.org/web/20170818214629/https://pdfs.semanticscholar.org/502a/2a2f5043f0d32fec0a5818d203fb4c9cd266.pdf~~\|url-status=dead~~ \|archive-date=2017-08-18 \|~~language~~url-status=endead \|s2cid=809073}}</ref> Hash functions appropriate for these schemes include [[SHA-2]], [[SHA-3]] and [[BLAKE (hash function)\|BLAKE]].▼ ~~The stateful hash-based schemes XMSS and XMSS<sup>''MT''</sup> are specified in [[Request for Comments\|RFC]] 8391 (XMSS: eXtended Merkle Signature Scheme)~~ .<ref>{{cite web\|last1=Hülsing\|first1=Andreas\|last2=Butin\|first2=Denis\|last3=Gazdag\|first3=Stefan\|last4=Rijneveld\|first4=Joost\|last5=Mohaisen\|first5=Aziz\|title=RFC 8391 - XMSS: eXtended Merkle Signature Scheme\|url=https://tools.ietf.org/html/rfc8391\|website=tools.ietf.org\|publisher=IETF\|language=en}}</ref> ▲Leighton-Micali Hash-Based Signatures are specified in [[Request for Comments\|RFC]] 8554.<ref>{{cite web\|last1=McGrew\|first1=David\|last2=Curcio\|first2=Michael\|last3=Fluhrer\|first3=Scott\|title=RFC 8554 - Leighton-Micali Hash-Based Signatures\|url=https://tools.ietf.org/html/rfc8554\|website=tools.ietf.org\|publisher=IETF\|language=en}}</ref> Practical improvements have been proposed in the literature that alleviate the concerns introduced by stateful schemes.<ref>{{cite journal\|last1=McGrew\|first1=David\|last2=Kampanakis\|first2=Panos\|last3=Fluhrer\|first3=Scott\|last4=Gazdag\|first4=Stefan-Lukas\|last5=Butin\|first5=Denis\|last6=Buchmann\|first6=Johannes\|title=State Management for Hash-Based Signatures\|journal=Lecture Notes in Computer Science\|date=2016\|volume=10074\|issue=Security Standardisation Research\|pages=244–260\|doi=10.1007/978-3-319-49100-4_11\|url=https://pdfs.semanticscholar.org/502a/2a2f5043f0d32fec0a5818d203fb4c9cd266.pdf\|archive-url=https://web.archive.org/web/20170818214629/https://pdfs.semanticscholar.org/502a/2a2f5043f0d32fec0a5818d203fb4c9cd266.pdf\|url-status=dead\|archive-date=2017-08-18\|language=en}}</ref> Hash functions appropriate for these schemes include [[SHA-2]], [[SHA-3]] and [[BLAKE (hash function)\|BLAKE]]. The stateless hash-based scheme SLH-DSA is specified in [https://doi.org/10.6028/NIST.FIPS.205 FIPS-205]. ==Implementations==▼ Unlike other popular [[Blockchain\|blockchain networks]] and [[Cryptocurrency\|cryptocurrencies]] that use already [[NIST]] standardized Elliptic Curve Digital Signature Algorithms ([[Elliptic Curve Digital Signature Algorithm\|ECDSA]]),<ref>{{Cite journal\|last=Wang\|first=Licheng\|last2=Shen\|first2=Xiaoying\|last3=Li\|first3=Jing\|last4=Shao\|first4=Jun\|last5=Yang\|first5=Yixian\|date=2019-02-01\|title=Cryptographic primitives in blockchains\|url=http://www.sciencedirect.com/science/article/pii/S108480451830362X\|journal=Journal of Network and Computer Applications\|volume=127\|pages=43–58\|doi=10.1016/j.jnca.2018.11.003\|issn=1084-8045\|doi-access=free}}</ref> The Quantum Resistant Ledger (QRL) is the first [[Open-source software\|open source]] network to implement eXtended Merkle Signature Scheme.<ref>{{cite web\|url=https://theqrl.org/\|title=The Quantum Resistant Ledger\|date=2019-08-24\|website=theqrl.org\|language=en}}</ref> In contrast to traditional ECDSA signatures, this stateful signature scheme is provably resistant to a sufficiently powerful quantum computer running [[Shor's algorithm]].<ref>{{cite web\|title=NIST Stateful Hash-Based Signatures\|url=https://csrc.nist.gov/CSRC/media/Projects/Stateful-Hash-Based-Signatures/documents/stateful-HBS-public-comments-June2018-rfi.pdf\|website=NIST\|language=en\|date=2019-02-04}}</ref><ref>{{Cite web\|url=https://csrc.nist.gov/Projects/Stateful-Hash-Based-Signatures\|title=Hash-Based Signatures {{!}} CSRC\|last=Computer Security Division\|first=Information Technology Laboratory\|date=2018-12-20\|website=CSRC {{!}} NIST\|language=EN-US\|access-date=2019-09-06}}</ref> ▲== Implementations == The XMSS, GMSS and SPHINCS schemes are available in the Java [[Bouncy Castle (cryptography)\|Bouncy Castle]] cryptographic APIs.<ref>{{~~cite~~Cite web \|date=2018-12-18 \|title=bcgit/bc-java \|url=https://github.com/bcgit/bc-java/tree/master/core/src/main/java/org/bouncycastle/pqc/crypto \|website=GitHub \|language=en}}</ref> LMS<ref>{{Cite web \|date=~~2018~~2024-1206-18 \|title=wolfCrypt implementations of LMS/HSS and XMSS/XMSS^MT signatures: build options and benchmarks (Intel x86) \|url=https://www.wolfssl.com/wolfcrypt-implementations-of-lms-hss-and-xmss-xmssmt-signatures-build-options-and-benchmarks-intel-x86/ \|website=wolfSSL \|language=en}}</ref> and XMSS schemes are available in the [[wolfSSL]] cryptographic APIs.<ref>{{Cite web \|date=2023-11-22 \|title=wolfSSL/wolfssl \|url=https://github.com/wolfSSL/wolfssl/blob/master/wolfssl/wolfcrypt/lms.h \|website=GitHub \|language=en}}</ref> SPHINCS is implemented in the SUPERCOP benchmarking toolkit.<ref>{{~~cite~~Cite web \|title=SUPERCOP \|url=http://bench.cr.yp.to/supercop.html \|~~access~~url-~~date~~status=~~2017-05-31~~dead \|archive-url=https://web.archive.org/web/20150215055126/http://bench.cr.yp.to/supercop.html \|archive-date=2015-02-15 \|~~url~~access-~~status~~date=~~dead~~2017-05-31}}</ref> Optimised<ref>{{~~cite~~Cite web \|title=Code \|url=https://huelsing.wordpress.com/code/ \|url-status=dead \|archive-url=https://web.archive.org/web/20170822224019/https://huelsing.wordpress.com/code/ \|archive-date=2017-08-22 \|access-date=2017-05-31 \|website=Andreas Hülsing}}</ref> and unoptimised<ref>{{~~cite~~Cite web \|title=squareUP > Publications \|url=http://www.pqsignatures.org/index/publications.html#code \|website=www.pqsignatures.org \|language=en-gb}}</ref> reference implementations of the XMSS RFC exist. The LMS scheme has been implemented in Python<ref>{{~~cite~~Cite web \|~~last1~~last=David \|~~first1~~first=McGrew \|date=2018-05-29 \|title=The hash-sigs package: an implementation of the ~~Leighton-Micali~~Leighton–Micali Hierarchical Signature System (HSS). \|url=https://github.com/davidmcgrew/hash-sigs/ \|website=GitHub \|language=en~~\|date=2018-05-29~~}}</ref> and in C<ref>{{~~cite~~Cite web \|~~last1~~last=David \|~~first1~~first=McGrew \|date=2018-11-22 \|title=A full-featured implementation of the LMS and HSS Hash Based Signature Schemes from draft-mcgrew-hash-sigs-07. \|url=https://github.com/cisco/hash-sigs \|website=GitHub \|language=en~~\|date=2018-11-22~~}}</ref> following its Internet-Draft. == References == {{Reflist}} * T. Lange. "Hash-Based Signatures". Encyclopedia of Cryptography and Security, Springer USU.S., 2011. [https://link.springer.com/referenceworkentry/10.1007%2F978-1-4419-5906-5_413] * F. T. Leighton, S. Micali. "Large provably fast and secure digital signature schemes based one secure hash functions". US Patent 5,432,852, [https://~~www~~patents.google.com/~~patents~~patent/US5432852] 1995. * G. Becker. "Merkle Signature Schemes, Merkle Trees and Their Cryptanalysis", seminar 'Post Quantum Cryptology' at the Ruhr-University Bochum, Germany, 2008. [https://www.emsec.rub.de/media/crypto/attachments/files/2011/04/becker_1.pdf] {{Webarchive\|url=https://web.archive.org/web/20170830030943/http://www.emsec.rub.de/media/crypto/attachments/files/2011/04/becker_1.pdf \|date=2017-08-30 }} * E. Dahmen, M. Dring, E. Klintsevich, J. Buchmann, L. C. Coronado Garcia. "CMSS — An Improved Merkle Signature Scheme". Progress in Cryptology -– Indocrypt 2006. [https://eprint.iacr.org/2006/320.pdf] * R. Merkle. "Secrecy, authentication and public key systems / A certified digital signature". Ph.D. dissertation, Dept. of Electrical Engineering, Stanford University, 1979. [http://www.merkle.com/papers/Thesis1979.pdf] {{Webarchive\|url=https://web.archive.org/web/20180814211110/http://www.merkle.com/papers/Thesis1979.pdf \|date=2018-08-14 }} * S. Micali, M. Jakobsson, T. Leighton, M. Szydlo. "Fractal Merkle Tree Representation and Traversal". RSA-CT 03. [https://link.springer.com/chapter/10.1007/3-540-36563-X_21] * P. Kampanakis, S. Fluhrer. "LMS vs XMSS: A comparison of the Stateful Hash-Based Signature Proposed Standards". Cryptology ePrint Archive, Report 2017/349. [http://eprint.iacr.org/2017/349.pdf] * D. Naor, A. Shenhav, A. Wool. "One-Time Signatures Revisited: Practical Fast Signatures Using Fractal Merkle Tree Traversal". IEEE 24th Convention of Electrical and Electronics Engineers in Israel, 2006. [https://www.eng.tau.ac.il/~yash/Naor_Shenhav_Wool.pdf] {{Webarchive\|url=https://web.archive.org/web/20180205043107/http://www.eng.tau.ac.il/~yash/Naor_Shenhav_Wool.pdf \|date=2018-02-05 }} == External links == * [https://huelsing.net/wordpress/?page_id=165] A commented list of literature about hash-based signature schemes. * [http://pqcrypto.org/hash.html] Another list of references (uncommented).