Lamport Signature

Information about Lamport Signature

In cryptography, a Lamport signature or Lamport one-time signature scheme is a method for constructing a digital signature. Lamport signatures can be built from any cryptographically secure one-way function; usually a cryptographic hash function is used.

Although the potential development of quantum computers threatens the security of many common forms of cryptography such as RSA, it is believed that Lamport signatures with large hash functions would still be secure in that event. Unfortunately each Lamport key can only be used to sign a single message. However, combined with hash trees, a single key could be used for many messages, making this a fairly efficient digital signature scheme.

Mathematical description

Below is a short description of how Lamport signatures work, written in mathematical notation. For a plain English description see the next section. Note that the "message" in this description is a fixed sized block of reasonable size, possibly (but not necessarily) the hash result of an arbitrary long message being signed.

Keys

Let $\text{[math]}$ be a positive integer and let $\text{[math]}$ be the set of messages. Let $\text{[math]}$ be a one-way function.

For $\text{[math]}$ and $\text{[math]}$ the signer chooses $\text{[math]}$ randomly and computes $\text{[math]}$ .

The private key $\text{[math]}$ consists of $\text{[math]}$ values $\text{[math]}$ . The public key consists of the $\text{[math]}$ values $\text{[math]}$ .

Signing a message

Let $\text{[math]}$ be a message.

The signature of the message is $\text{[math]}$ .

Verifying a signature

The verifier validates a signature by checking that $\text{[math]}$ for all $\text{[math]}$ .

In order to forge a message Eve would have to invert the one-way function $\text{[math]}$ . This is assumed to be intractable for suitably sized inputs and outputs.

Plain English description

Alice has a 256-bit cryptographic hash function and some kind of secure random number generator. She wants to create and use a Lamport key pair. That is, a private key and a corresponding public key.

Making the key pair

To create the private key Alice uses the random number generator to produce 256 pairs of random numbers (2Ã—256 numbers in total), each number being 256 bits in size. That is, a total of 2Ã—256Ã—256 bits = 16 kbyte in total. This is her private key and she will store it away in a secure place for later use.

To create the public key she hashes each of the 512 random numbers in the private key. Thus creating 512 hashes, each 256 bits in size. (Also 16 kbyte in total.) This is her public key, which she will share with the world.

Signing the message

Later Alice wants to sign a message. First she hashes the message to a 256-bit hash sum. Then for each bit in the hash sum she picks a corresponding random number from her private key. If for instance the first bit in the hash sum is a 0, she picks the first number in the first pair. If the first bit instead is a 1, then she uses the second number in the first pair. And so on. This gives her 256 random numbers. That is, 256Ã—256 bits = 8 kbyte in total. These random numbers are her signature and she publishes them along with the message.

Note that now Alice's private key is used and should never be used again. The other 256 random numbers that she did not use for the signature she must never publish or use. Preferably she should delete them. Otherwise others will later be able to create false signatures.

Verifying the signature

Then Bob wants to verify Alices signature of the message. He also hashes the message to get a 256-bit hash sum. Then he uses the bits in the hash sum to pick out 256 of the hashes in Alice's public key. He picks the hashes in the same manner that Alice picked the random numbers for the signature. That is, if the first bit of the message hash is a 0, he picks the first hash in the first pair, and so on.

Then Bob hashes each of the 256 random numbers in Alice's signature. This gives him 256 hashes. If these 256 hashes exactly matches the 256 hashes he just picked from Alice's public key then the signature is ok. If not, then something is wrong.

Note that prior to that Alice has published the signature of a message no one else knows the 2Ã—256 random numbers in the private key. Thus no one else can create the proper list of 256 random numbers for the signature. And after Alice has published the signature others still do not know the other 256 random numbers and thus can not create signatures that fits other message hashes.

Security parameters

The security of Lamport signatures is based on security of the one way hash function, the length of its output and the quality of the input.

For a hash function that generates a n-bit message digest, the ideal preimage and 2nd preimage resistance on a single hash function invocation implies on the order of 2^n operations and 2^n bits of memory effort to find a collision under a classical computing model. According to Grover's algorithm, finding a preimage collision on a single invocation of an ideal hash function is upper bound on O( 2^(n/2) ) operations under a quantum computing model. In Lamport signatures, each bit of the public key and signature is based on short messages requiring only a single invocation to a hash function.

For each private key $\text{[math]}$ and its corresponding $\text{[math]}$ public key pair, the private key length must be selected so performing a preimage attack on the length of the input is not faster than performing a preimage attack on the length of the output. For example, in a degenerate case, if each private key $\text{[math]}$ element was only 16 bits in length, it is trivial to exhaustively search all 2^16 possible private key combinations in 2^15 operations to find a match with the output, irrespective of the message digest length. Therefore a balanced system design ensures both lengths are approximately equal.

Based on Grover's algorithm, a quantum secure system, the length of the public key elements $\text{[math]}$ , the private key elements $\text{[math]}$ and the signature elements $\text{[math]}$ must be no less than 2 times larger than the security rating of the system. That is:

A 80-bit secure system uses element lengths of no less than 160 bit;
A 128-bit secure systems uses element lengths of no less than 256 bit;

However caution should be taken as the idealistic work estimates above assume an ideal (perfect) hash function and are limited to attacks that target only a single preimage at a time. It is known under a conventional computing model that if 2^(3n/5) preimages are searched, the full cost per preimage decreases from 2^n to 2^(2n/5) ^[1]. Selecting the optimum element size taking into account the collection of multiple message digests is an open problem. Selection of larger element sizes and stronger hash functions, such as 512-bit elements and SHA-512, ensures greater security margins to manage these unknowns.

Optimisations and variants

Short private key

Instead of creating and storing all the random numbers of the private key a single key of sufficient size can be stored. (Usually the same size as one of the random numbers in the private key.) The single key can then be used as the seed for a cryptographically secure pseudorandom number generator (CSPRNG) to create all the random numbers in the private key when needed.

In the same manner a single key can be used together with a CSPRNG to create many Lamport keys. Preferably then some kind of random access CSPRNG should be used.

Short public key

A Lamport signature can be combined with a hash list, making it possible to only publish a single hash instead of all the hashes in the public key. That is, instead of the $\text{[math]}$ values $\text{[math]}$ . To be able to verify the random numbers in a signature against the single hash all the unused hashes in the public key then needs to be included in the signatures, resulting in signatures of about twice the size, but results in significantly shorter public keys. That is, the values $\text{[math]}$ for all $\text{[math]}$ needs to be included.

Public key for multiple messages

Main article: hash tree

Each Lamport public key can only be used to sign one single message, which means many keys have to be published if many messages are to be signed. But a hash tree can be used on those public keys, publishing the top hash of the hash tree instead. This increases the size of the resulting signature, since parts of the hash tree have to be included in the signature, but it makes it possible to publish a single hash that then can be used to verify any given number of future signatures.

Hashing the message

Unlike some other signature schemes (e.g. RSA) the Lamport signature scheme does not require that the message m is hashed before it is signed. A system for signing long messages can use a collision resistant hash function h and sign h(m) instead of m.

References

1. ^ Bart Preneel, "Design Principles for Iterated Hash Functions Revised" [1]

L. Lamport, Constructing digital signatures from a one-way function, Technical Report SRI-CSL-98, SRI International Computer Science Laboratory, Oct. 1979.
Efficient Use of Merkle Trees - RSA labs explanation of the original purpose of Merkle trees + Lamport signatures, as an efficient one-time signature scheme.

External links

Flexiprovider - Open source java implementation of Merkle tree signature.

Public-key cryptography • • [ e]
Algorithms: Cramer-Shoup \| DH \| DSA \| ECDH \| ECDSA \| EKE \| ElGamal \| GMR \| IES \| Lamport \| MQV \| NTRUEncrypt \| NTRUSign \| Paillier \| Rabin \| RSA \| Schnorr \| SPEKE \| SRP \| XTR
Theory: Discrete logarithm \| Elliptic curve cryptography \| RSA problem
Standardization: ANS X9F1 \| CRYPTREC \| IEEE P1363 \| NESSIE \| NSA Suite B Misc: Digital signature \| Fingerprint \| PKI \| Web of trust \| Key size
Cryptography • • [ e]
History of cryptography \| Cryptanalysis \| \| Topics in cryptography
Symmetric-key algorithm \| Block cipher \| Stream cipher \| Public-key cryptography \| Cryptographic hash function \| Message authentication code \| Random numbers

Cryptography (or cryptology; derived from Greek κρυπτός kryptÃ³s "hidden," and the verb γράφω grÃ¡fo "write" or λεγειν legein
..... Click the link for more information.

digital signature or digital signature scheme is a type of asymmetric cryptography used to simulate the security properties of a signature in digital, rather than written, form.
..... Click the link for more information.

Do one-way functions exist?

A one-way function is a function that is easy to compute but "hard to invert" (in the sense defined below). "Easy to compute" means that some algorithm can compute the function in polynomial time (in the input size).
..... Click the link for more information.

In cryptography, a cryptographic hash function is a transformation that takes an input and returns a fixed-size string, which is called the hash value. Hash functions with this property are used for a variety of computational purposes, including cryptography.
..... Click the link for more information.

quantum computer is any device for computation that makes direct use of distinctively quantum mechanical phenomena, such as superposition and entanglement, to perform operations on data.
..... Click the link for more information.

RSA is an algorithm for public-key cryptography. It was the first algorithm known to be suitable for signing as well as encryption, and one of the first great advances in public key cryptography.
..... Click the link for more information.

Hash trees or Merkle trees are a type of data structure which contains a tree of summary information about a larger piece of data – for instance a file – used to verify its contents.
..... Click the link for more information.

∞ in several typefaces.]] Mathematical notation is used in mathematics, and throughout the physical sciences, engineering, and economics. The complexity of such notation ranges from relatively simple symbolic representations, such as numbers 1 and 2; function symbols
..... Click the link for more information.

Plain English (sometimes known, more broadly, as plain language) is a communication style that focuses on considering the audience's needs when writing. It recommends avoiding unnecessary words and avoiding jargon, technical terms, and long and ambiguous sentences.
..... Click the link for more information.

Do one-way functions exist?

The names Alice and Bob are commonly used placeholders for archetypal characters in fields such as cryptography and physics. The names are used for convenience, since explanations such as "Person A wants to send a message to person B
..... Click the link for more information.

A random number generator (often abbreviated as RNG) is a computational or physical device designed to generate a sequence of numbers or symbols that lack any pattern, i.e. appear random.
..... Click the link for more information.

Grover's algorithm is a quantum algorithm for searching an unsorted database with N entries in O(N^1/2) time and using O(logN) storage space (see big O notation). It was invented by Lov Grover in 1996.
..... Click the link for more information.

A cryptographically secure pseudo-random number generator (CSPRNG) is a pseudo-random number generator (PRNG) with properties that make it suitable for use in cryptography.
..... Click the link for more information.

random access is the ability to access an arbitrary element of a sequence in equal time. The opposite is sequential access, where a remote element takes longer time to access.
..... Click the link for more information.

In computer science, a hash list is typically a list of hashes of the data blocks in a file or set of files. Lists of hashes are used for many different purposes, such as fast table lookup (hash tables) and distributed databases (distributed hash tables).
..... Click the link for more information.

Dr. Leslie Lamport (born February 7, 1941 in New York City) is an American computer scientist. A graduate of the Bronx High School of Science, he received a B.S. in mathematics from the Massachusetts Institute of Technology in 1960, and M.A. and Ph.D.
..... Click the link for more information.

RSA, The Security Division of EMC

Division (organization) of EMC Corporation
Founded 1986
Headquarters Bedford, Massachusetts

Key people Arthur W. Coviello, Jr.
..... Click the link for more information.

Public-key cryptography, also known as asymmetric cryptography, is a form of cryptography in which a user has a pair of cryptographic keys - a public key and a private key. The private key is kept secret, while the public key may be widely distributed.
..... Click the link for more information.

The Cramer-Shoup system is an asymmetric key encryption algorithm, and was the first efficient scheme proven to be secure against adaptive chosen ciphertext attack using standard cryptographic assumptions.
..... Click the link for more information.

Diffie-Hellman (D-H) key exchange is a cryptographic protocol that allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel.
..... Click the link for more information.

The Digital Signature Algorithm (DSA) is a United States Federal Government standard or FIPS for digital signatures. It was proposed by the National Institute of Standards and Technology (NIST) in August 1991 for use in their Digital Signature Standard (DSS)
..... Click the link for more information.

Elliptic Curve Diffie-Hellman (ECDH) is a key agreement protocol that allows two parties to estabilish a shared secret key over an insecure channel^[1] ^[2]. This key can then be used to encrypt subsequent communications using a symmetric key cipher.
..... Click the link for more information.

Elliptic Curve DSA (ECDSA) is a variant of the Digital Signature Algorithm (DSA) which operates on elliptic curve groups. As with Elliptic Curve Cryptography in general, the bit size of the public key believed to be needed for ECDSA is about twice the size of the security level, in
..... Click the link for more information.

Encrypted Key Exchange (also known as EKE) is a family of password-authenticated key agreement methods described by Steven M. Bellovin and Michael Merritt ^[1].
..... Click the link for more information.

In cryptography, the ElGamal encryption system is an asymmetric key encryption algorithm for public-key cryptography which is based on the Diffie-Hellman key agreement. It was described by Taher Elgamal in 1984^[1].
..... Click the link for more information.

This article is copied from an article on Wikipedia.org - the free encyclopedia created and edited by online user community. The text was not checked or edited by anyone on our staff. Although the vast majority of the wikipedia encyclopedia articles provide accurate and timely information please do not assume the accuracy of any particular article. This article is distributed under the terms of GNU Free Documentation License.

Herod_Archelaus