
Hash-based Signatures: An illustrated Primer - chmaynard
https://blog.cryptographyengineering.com/2018/04/07/hash-based-signatures-an-illustrated-primer/
======
dsacco
This is a pretty good primer, and I think Matt Green is generally good at
tutorials that reduce the technical complexity to make material more
accessible.

I'll add a couple of notes:

1. Hash-based cryptography is not capable of providing public-key encryption,
so unfortunately these are only useful for quantum-resistant digital signature
schemes. But they're still very good at that.

2. Since collision resistance is a stronger notion of security than preimage
resistance and second preimage resistance, achieving collision resistance
achieves all three. I just wanted to make this point explicit. Likewise,
_indistinguishability_ is an even stronger notion and subsumes all three.

3. The current state of the art in quantum-resistant hash-based signatures is
the SPHINCS family and its variants, including SPHINCS+ and Gravity-SPHINCS
[1,2,3]. One of the really interesting innovations here is a transition to
trees with _few-time_ signatures instead of _one-time_ signatures underlying
them.

A good, reasonably up to date source for a technical overview of the current
research landscape is the PQCrypto Conference's 2017 Summer School,
specifically the two "Hash-based signatures" videos/slides [4].

____________________

1. [https://sphincs.cr.yp.to/papers.html](https://sphincs.cr.yp.to/papers.html)

2. [https://sphincs.org/](https://sphincs.org/)

3. [https://research.kudelskisecurity.com/2017/12/01/our-submiss...](https://research.kudelskisecurity.com/2017/12/01/our-submission-to-nists-post-quantum-project-gravity-sphincs/)

4. [https://2017.pqcrypto.org/school/schedule.html](https://2017.pqcrypto.org/school/schedule.html)

~~~
EthanHeilman
>Since collision resistance is a stronger notion of security than preimage
resistance and second preimage resistance, achieving collision resistance
achieves all three.

Under what assumptions and definitions is this true? For instance the function
f(x) = x is not preimage resistant but is very collision resistant. I've never
heard the claim that collision resistance implies preimage resistance,
although clearly collision resistance implies second-preimage resistance since
a second-preimage is a collision.

~~~
a785236
It's true as long as the function f is sufficiently "shrinking." The domain of
the function (where the x's live) must be sufficiently larger than its range
(where the f(x)'s live). For example, if the domain is size N, a range of size
0.99 * N is enough to guarantee that collision resistance implies preimage or
second-preimage resistance.

Said another way, if there are many collisions and you _still_ have a hard
time finding them (collision resistance), then you can prove that it's also
hard to find preimages or second preimages.

Your example, f(x) = x is not shrinking at all: there are no collisions.

A fundamental property of hash functions is that they're shrinking---so much
so that it often goes without mention in informal settings. Hash functions are
typically defined in two ways: shrinking arbitrary length inputs to a constant
length (e.g., n bits to 256 bits) or shrinking arbitrary length inputs by some
constant amount (e.g., n bits to n-1 bits, or n/2 bits). Even shrinking by one
bit serves to halve the domain, guaranteeing many collisions and ruling out
counter-examples like the one you gave.

~~~
EthanHeilman
Rogaway and Shrimpton specifically used collision resistance not implying
preimage resistance as an example of the importance of definition and
assumptions:

>Informal treatments of cryptographic hash functions can lead to a lot of
ambiguity, with informal notions that might be formalized in very different
ways and claims that might correspondingly be true or false. Consider, for
example, the following quotes, taken from our favorite reference on
cryptography [..] "collision resistance does not guarantee preimage
resistance" - [0]

They go on to show the definitions under which collision resistance does and
does not imply preimage resistance.

[0]: [http://web.cs.ucdavis.edu/~rogaway/papers/relates.pdf](http://web.cs.ucdavis.edu/~rogaway/papers/relates.pdf)

~~~
dsacco
The paper you cite is a good one, but it's actually demonstrating that the
person you're responding to is correct (and you two are agreeing). In fact,
Rogaway and Shrimpton specifically state that their constructions may appear
somewhat contrived; this is because collision resistance _does_ imply
provisional preimage resistance, and in the real world it's quite difficult to
construct (useful) collision resistance without preimage resistance.

So to answer your original question succinctly: collision resistance implies
provisional preimage resistance, which is the setting for most real world hash
functions, including post-quantum hash-based signatures.

------
taeric
I think this focuses on the wrong reason for why signatures are important.
Sometimes, you can't or don't care to secure the channel you are using to
communicate. A signature doesn't hide the messages, so it is unsecured, but it
does give a guarantee of who it came from.

I know this is touched at the beginning. But the odd shift at the end to
"quantum will break all crypto" seems out of nowhere and makes this sound like
a hypothetical tool.

~~~
dsacco
This article isn't focusing on why _signatures_ are important, it's explaining
why _hash-based signatures_ are important. In other words it's not discussing
the difference between message confidentiality and message
authentication/nonrepudiation.

The reason Green talks about quantum computers is because hash-based
signatures are one of five or so primary research areas for developing
quantum-resistant public-key cryptography. They cannot accommodate public-key
encryption, but they are one of the oldest forms of digital signatures. In
fact, blockchains and post-quantum resistance are the two major reasons for
the renewed research interest in hash-based signatures.

~~~
DoctorOetker
"They cannot accommodate public-key encryption"

I take it you mean that there are no known hash-based public key encryption
systems. I assume you don't intend to say they are provably impossible to
construct?

I remember when I first learned about hash-based cryptography I was amazed how
hashing was the only cryptographic primitive used. Ever since I regularly
(once or twice a year) try to google "hash-based public key" and other
combinations in the hope that someday someone will have worked out how to
found public key encryption on cryptographic hashing...

It feels impossible but so felt hash-based signatures before learning how to
sign a single bit and then generalize to more...
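The "sign a single bit and then generalize" construction referred to above, written out as an added Lamport one-time signature example in Python (not code from the thread or from the linked primer); it assumes SHA-256 as the hash, signs the 256-bit digest of the message, and uses 32-byte random secrets:

```python
import hashlib
import os

N = 256  # digest bits: every message is hashed with SHA-256 before signing (assumption)

def H(data: bytes) -> bytes:
    """The only primitive the scheme needs: a cryptographic hash (SHA-256 assumed here)."""
    return hashlib.sha256(data).digest()

def keygen():
    """Signing one bit needs two secrets, one per bit value; an N-bit digest is handled
    by N independent single-bit instances. The public key is the hashes of the secrets."""
    sk = [[os.urandom(32), os.urandom(32)] for _ in range(N)]
    pk = [[H(s0), H(s1)] for s0, s1 in sk]
    return sk, pk

def message_bits(msg: bytes):
    """Bits of the message digest, most significant bit first."""
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]

def sign(sk, msg: bytes):
    """For each digest bit, reveal the secret matching that bit value."""
    return [sk[i][b] for i, b in enumerate(message_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    """Every revealed secret must hash to the public-key entry its digest bit selects."""
    if len(sig) != N:
        return False
    bits = message_bits(msg)
    return all(H(sig[i]) == pk[i][bits[i]] for i in range(N))

class LamportOTS:
    """Stateful signer enforcing the one-time property: a second signature with the same
    key would reveal secrets for both bit values at some positions, so it is refused."""

    def __init__(self):
        self.sk, self.pk = keygen()
        self.used = False

    def can_sign(self) -> bool:
        return not self.used

    def sign(self, msg: bytes):
        if self.used:
            raise RuntimeError("Lamport keys are one-time: refusing to sign a second message")
        self.used = True
        return sign(self.sk, msg)
```

The public key here is 2 * N hashes and the signature N secrets, which is the size cost that Merkle trees and the few-time SPHINCS constructions mentioned elsewhere in the thread are designed to amortize.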

~~~
Ar-Curunir
Impagliazzo and Rudich proved that one can't construct PKE from one way
functions in a black box manner:

[https://www.researchgate.net/profile/Russell_Impagliazzo/pub...](https://www.researchgate.net/profile/Russell_Impagliazzo/publication/2477849_Limits_on_the_Provable_Consequences_of_One-way_Permutations/links/09e41511133b689298000000/Limits-on-the-Provable-Consequences-of-One-way-Permutations.pdf)

~~~
DoctorOetker
I am reading the paper now, and had a weird thought, but probably it is a
brainfart:

Keep in mind Monte Carlo algorithms versus Las Vegas algorithms.

Keep also in mind that since cryptographic one way permutations are available,
both Alice and Bob can sign their messages on the public channel, and Eve can
only read them (for injecting a message would require forging a signature).

Consider the following (absurd) Las Vegas algorithm: both Alice and Bob
separately generate a random secret key. Then they sign the hash of the secret
key and inform each other with this <Hash(secret),Signature(Hash(secret))>
message.

The Las Vegas secret key exchange protocol successfully finishes if they read
the same hash as they generated, and returns the bottom element or failure if
they don't match.

So provably with a (very) low probability they can establish a common secret
in a Las Vegas protocol, which begs the question if a dual (necessarily
interactive) Monte Carlo protocol can slowly grow an n-bit common secret.

I suspect you can confirm that this is just a brainfart indeed?

~~~
Ar-Curunir
If by the hashing operation you mean application of the OWP, keep in mind that
inverting the OWP is supposed to be hard, and furthermore, since it's a OWP,
if Alice and Bob start with different secret keys, they won't hit the same
"hash" as the output of the OWP.

For this to work, they'd have to start off with the same secret key already,
which makes the key exchange pointless.

You mention using this approach to slowly grow a secret key, by performing
many iterations of this protocol, but if you do it bit-by-bit, the adversary
can easily brute force invert the OWP over {0, 1}, and thereby learn the
secret key.

