ON THE SECURITY OF THE WOTS-PRF SIGNATURE SCHEME

We identify a flaw in the security proof and a flaw in the concrete security analysis of the WOTS-PRF variant of the Winternitz one-time signature scheme, and discuss the implications for its concrete security.


Introduction
The Winternitz one-time signature (WOTS) scheme (see [22,8]) is an optimization of a one-time signature scheme first described by Lamport [20]; the latter is now called the Lamport-Diffie one-time signature scheme. The WOTS scheme is widely believed to be resistant to attacks by large-scale quantum computers, and therefore is a prime candidate for inclusion in emerging standards for post-quantum cryptography.
Several variants of WOTS have been proposed and studied in the literature. The original WOTS scheme used a one-way function and was analyzed by Dods et al. [6]. The Leighton and Micali scheme WOTS-LM is described in an IETF Internet-Draft [21], and has been analyzed in the random oracle model [17] and the quantum random oracle model [7]. Buchmann et al. [4] (see also [3,11]) proposed a variant, called WOTS-PRF, that uses a pseudorandom function (PRF) instead of a hash function. Another hash-based WOTS variant, called WOTS+, was proposed by Hülsing [12] and has been included in an IETF standard [14]. In [16], a modification of WOTS+ specifically designed to resist multi-target attacks was studied.
The practicality of a one-time signature scheme is enhanced by using a Merkle tree [22] to simultaneously authenticate many public keys for the one-time signature scheme. Merkle tree-based signature schemes that use a WOTS variant as the underlying one-time signature scheme include the eXtended Merkle Signature Scheme (XMSS) [5], XMSS+ [13], XMSS^MT [15], and XMSS-T [16].
The most attractive feature of WOTS-PRF is that it has a reductionist security proof with minimal assumptions [4], namely the existence of a secure PRF, whose existence in turn is guaranteed by the existence of one-way functions [9,10]. This is unlike, say, WOTS-LM, whose only known security proof assumes that the underlying hash function is a purely random function [17], or WOTS+, whose security proof assumes the existence of a one-way function that is also second-preimage resistant and 'undetectable' [12].
In this paper, we show that the security proof for WOTS-PRF in [4] is flawed. Furthermore, we show that even if the flaw can be repaired, the concrete security analysis in [4] is incorrect since it underestimates the possible number of "key collisions" for the PRF by using an unconstructible reductionist argument to relate this number to PRF security. We show that this underestimation leads to a drastic overestimation of the concrete security of WOTS-PRF and the Merkle signature schemes that employ it, including XMSS and XMSS+.
The remainder of the paper is organized as follows. The WOTS-PRF signature scheme is described in §2. In §3 we identify a flaw in the reductionist security proof. The flaw in the concrete security analysis and its implications are presented in §4. We make some concluding remarks in §5.

The WOTS-PRF signature scheme
The WOTS-PRF signature scheme [4] has the following ingredients:
1. A security parameter n ∈ N.
2. The bitlength m of messages.
3. A Winternitz parameter w ∈ N, which for simplicity we will take to be a power of two: , and so on.
We next present the WOTS-PRF signature scheme.

Key generation. Each user A does the following: . . , f^{w−1}_{sk_i}(x)) is called the i-th Winternitz hash chain.
4. A's public signature verification key is pk = (pk_0, pk_1, . . . , pk_ ) where pk_0 = x.

3. Accept the signature if and only if the value pk_i recomputed from the signature equals the public key component pk_i for all i = 1, 2, . . . , .

The WOTS-PRF security proof
This section presents the WOTS-PRF reductionist security proof from [4] and the flaw we observed in the analysis of its success probability. We begin with the definitions of a secure one-time signature scheme, a secure pseudorandom function, and the maximum and minimum number of key collisions.
Definition 3.1. A one-time signature scheme S is said to be (t, )-secure if all adversaries A_S whose running times are bounded by t have success probability less than  in the following game: A_S is given a public key pk for S and can query a signing oracle (with respect to pk) for the signature σ of one message M of its choosing; A_S's challenge is to generate a valid signed message (M*, σ*) with M* ≠ M. The security level of S is log_2(t/ ) bits.
all adversaries A_f whose running times are bounded by t have advantage less than  in the following game: A_f is given blackbox access to an oracle O(·) that with equal probability is either f_k(·) for a hidden key k ∈_R {0, 1}^n or else a random function R :  The security level of f is log_2(t/ ) bits.
Then the maximum number κ and minimum number κ̲ of key collisions are

Observe that N_{k,x} ≥ 1, and so 1 ≤ κ̲ ≤ κ. We note that the definition of κ in [4] is incorrect, as are the definitions of κ and κ̲ in [3]. Our definitions of κ and κ̲ are equivalent to those given in [11].
In [4], the following notion of a key one-way (KOW) function is introduced.
if all adversaries A_KOW whose running times are bounded by t have advantage less than  in the following game:

Proposition 2.7 in [4] shows that a (t, )-secure PRF is a (t − 2, /(1/κ − 1/2^n))-KOW. The following is the main security claim in [4]. We include a summary of the proof from [4].
where t_Kg and t_Vf denote the running times of the WOTS-PRF key generation and verification algorithms, respectively.
Summary of proof from [4]. Suppose that A_WOTS is a forger that runs in time t and produces a WOTS-PRF forgery with probability at least . We construct an adversary A_KOW that uses A_WOTS to solve the KOW challenge.
The adversary A_KOW is given a KOW challenge (x, y). It begins by generating a WOTS-PRF key pair as specified in §2 with one exception. It selects random indices α ∈_R [1, ] and β ∈_R [1, w − 1]. Instead of selecting the secret key component sk_α and computing pk_α = f^{w−1}_{sk_α}(x), A_KOW sets pk_α = f^{w−1−β}_y(x); i.e., it inserts y at position β in the Winternitz hash chain that an honest execution of the key generation algorithm would have produced to determine pk_α.
Next, A_KOW invokes A_WOTS with public key pk and answers its signing oracle query M as follows. If b_α < β, then A_KOW terminates the experiment since it doesn't know the first β entries of the α-th Winternitz hash chain. Otherwise, if b_α ≥ β, then A_KOW produces the required signature σ on M as specified in §2, except that it sets σ_α = f^{b_α−β}

A_KOW's success probability  is assessed as follows. The probability that b_α ≥ β is at least ( w)^{−1}. The probability that A_WOTS succeeds is at least , subject to the condition that pk is a valid public key, i.e., there exists sk_α ∈ {0, 1}^n such that f^β_{sk_α}(x) = y. This happens with probability at least 1/κ^β according to Definition 3.3. The probability that the forgery (M*, σ*) has b*_α < β is at least ( w)^{−1}. The probability that y = f_k(x) then holds is claimed to be at least 1/κ^{w−1−β}. This is because there exist at most κ^{w−1} keys mapping x to pk_α after w − 1 iterations of f, and only κ^β of these keys map x to y after β iterations.
The flaw is in the claim that the probability that y = f_k(x) holds is at least 1/κ^{w−1−β}. Consider the tree of all w-keychains to pk_α; see Figure 2. By definition of κ, there exist at most κ^{w−1−β} (w − β)-keychains to pk_α. Note that y is the first coordinate of one of these keychains. Now, since b*_α < β, the (w − b*_α)-keychain to pk_α beginning at σ*_α must connect with one of the (w − β)-keychains to pk_α. If the connecting keychain is selected uniformly at random, then the probability that the connecting keychain begins with y (and thus y = f_k(x)) is indeed at least 1/κ^{w−1−β}. However, there is no justification for assuming that A_WOTS selects a connecting chain uniformly at random. Indeed, since A_WOTS knows σ_α, it is conceivable that it always selects σ*_α so that the (w − b*_α)-keychain beginning at σ*_α does not pass through σ_α, and thus never connects with y; in this event, the probability that y = f_k(x) holds is zero.
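The chain arithmetic of the simulation above, as an added example that is not from the paper: one Winternitz chain position α, an honest key pair and signature for it, the simulator's public key with y planted at position β, its answer to a query with b_α ≥ β, and the extraction step applied to a forgery value at position b*_α < β. The toy PRF (SHA-256 of key and input, truncated to n bits), the parameter values and the brute-force enumeration of every value that verifies at position b*_α (feasible only because n is tiny) are assumptions for illustration; the checksum chains and the derivation of the b_i from M are not modelled.

```python
"""Added example (not from the paper): a single Winternitz chain under a toy PRF,
the honest scheme on that chain, and the KOW simulator's embedding of y at position
beta as in the Section 3 proof summary. All parameters are assumed."""
import hashlib


def f(key: int, x: int, n: int) -> int:
    """Assumed toy PRF f_k(x): SHA-256 of (key, x), truncated to n bits."""
    data = key.to_bytes(4, "big") + x.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big") & ((1 << n) - 1)


def chain(start: int, steps: int, x: int, n: int) -> int:
    """f^steps_start(x): the chain value `steps` positions after `start`.
    Position 0 holds the secret key, position w-1 the public key."""
    k = start
    for _ in range(steps):
        k = f(k, x, n)
    return k


def honest_keygen(sk: int, x: int, w: int, n: int) -> int:
    """pk_alpha = f^{w-1}_{sk_alpha}(x)."""
    return chain(sk, w - 1, x, n)


def sign(sk: int, b: int, x: int, n: int) -> int:
    """sigma_alpha = f^{b_alpha}_{sk_alpha}(x) for message digit b_alpha."""
    return chain(sk, b, x, n)


def verify(pk: int, b: int, sigma: int, x: int, w: int, n: int) -> bool:
    """Walk the remaining w-1-b steps from sigma_alpha and compare with pk_alpha."""
    return chain(sigma, w - 1 - b, x, n) == pk


def simulator_keygen(y: int, beta: int, x: int, w: int, n: int) -> int:
    """A_KOW's pk_alpha = f^{w-1-beta}_y(x): the KOW target y sits at position beta."""
    return chain(y, w - 1 - beta, x, n)


def simulator_sign(y: int, beta: int, b: int, x: int, n: int):
    """Answer a query with b_alpha >= beta as sigma_alpha = f^{b_alpha-beta}_y(x);
    for b_alpha < beta the simulator does not know the chain and aborts (None)."""
    if b < beta:
        return None
    return chain(y, b - beta, x, n)


def extract_key(sigma_star: int, b_star: int, beta: int, x: int, y: int, n: int):
    """Given a forgery value at position b* < beta, walk to position beta-1 and
    return that key k if f_k(x) = y, i.e. if the forger's chain passes through y."""
    if b_star >= beta:
        return None
    k = chain(sigma_star, beta - 1 - b_star, x, n)
    return k if f(k, x, n) == y else None


def verifying_forgeries(pk: int, b_star: int, x: int, w: int, n: int) -> list:
    """Every n-bit value that verifies at position b* against pk (brute force;
    only possible because n is tiny). A forger may pick any of these, not
    necessarily one whose chain runs through y."""
    return [s for s in range(1 << n) if verify(pk, b_star, s, x, w, n)]


if __name__ == "__main__":
    n, w, x, beta = 10, 8, 0x155, 3      # assumed toy parameters
    hidden_k = 0x2A7                      # KOW challenge (x, y) with y = f_hidden_k(x)
    y = f(hidden_k, x, n)
    pk = simulator_keygen(y, beta, x, w, n)
    sigma = simulator_sign(y, beta, 5, x, n)
    print("simulated signature verifies:", verify(pk, 5, sigma, x, w, n))
    cands = verifying_forgeries(pk, beta - 1, x, w, n)
    good = [s for s in cands if extract_key(s, beta - 1, beta, x, y, n) is not None]
    print(f"{len(cands)} verifying values at position {beta - 1}, "
          f"{len(good)} of them hand A_KOW a key k with f_k(x) = y")
```

The last two lines are the point of the flaw: extraction only succeeds for the candidates whose chain passes through y, and nothing forces a forger to pick one of those rather than another member of the list.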

Concrete security of WOTS-PRF
In [4], the following relationship between the security level of the PRF f and the maximum number of key collisions κ for f is proven.

Proof, paraphrased from [4]. Suppose that κ > 2^{n−b} + 1 and let (x, y) ∈ {0, 1}^n × {0, 1}^n be a pair for which there exist κ keys k with f_k(x) = y. We construct a PRF-adversary A_f as follows.
Clearly A_f runs in time t = 1. Furthermore, Pr Hence A_f's advantage is > 2^{−b}, which contradicts the assumed PRF security level of b for f.
Since the only way for an adversary against a good PRF f to gain an advantage is to guess the hidden key, the authors of [4] conclude that f can be expected to have security level b = n, whence κ ≤ 2. However, we will argue that κ = 2 is a severe underestimation of the maximum number of key collisions for f. The problem with the proof of Lemma 4.1 is that the adversary A_f described is non-constructive, since no efficient method for determining the pair (x, y) for f may be known. On the other hand, the security level b of the PRF f is usually assessed by considering all known constructible algorithms for the PRF security game in Definition 3.2. Thus, A_f's advantage > 2^{−b} in the proof does not contradict the assumed security level of f.
We show in §4.1 that κ can be expected to be considerably larger than 2 even for 'good' PRFs. The implications of the underestimation of κ to the concrete security guarantees for WOTS-PRF are explored in §4.2.

Remark 1.
As argued in [18,19] (see also [2]), the security level of a PRF f against attacks that might be unconstructible is expected to be significantly lower than when only constructible attacks are considered. In particular, if f is a good PRF with security level n against constructible attacks, then f can be expected to have security level no more than n/2 against unconstructible attacks. Furthermore, determining the exact security level of f against unconstructible attacks is expected to be a very challenging undertaking. The significance of the difference between the constructible and unconstructible security levels of f for the concrete security guarantees of Bellare's security proof [1] for the HMAC authentication scheme is discussed in [18,19].
Remark 2. A one-time signature scheme S is said to be (t, )-strongly secure if, in addition to satisfying Definition 3.1, it is required that the signed message (M*, σ*) produced by the adversary A_S satisfies (M*, σ*) ≠ (M, σ). Theorem 3.5 of [4] proves that WOTS-PRF is strongly secure assuming that the underlying PRF f is second-key resistant (SKR) or key-collision resistant (KCR). Furthermore, it is assumed that the minimum number of key collisions κ̲ for f (see Definition 3.3) satisfies κ̲ ≥ 2. However, it is highly likely that κ̲ = 1 for PRFs f used in practice. Indeed, one would expect with overwhelming probability that N_{k,x} = 1 for at least one pair (k, x) for a function f selected uniformly at random from the space of all functions from {0, 1}^n × {0, 1}^n to {0, 1}^n. Thus, the claim that WOTS-PRF is strongly secure if κ̲ ≥ 2 is vacuous for common constructions of PRFs.

Moreover,
Clearly the value ln N/ ln ln N can be made arbitrarily large. Hence, for any t ∈ N one can produce values 0 < α < 1 and N ∈ N such that α ln N/ ln ln N ≥ t. Thus, even though the PRF f is not uniformly random, this gives strong evidence that κ ≤ 2 is in general false.

4.2. Concrete security assurances of WOTS-PRF and XMSS.

Theorem 3.5 states that if f is a (t′, )-secure PRF, then WOTS-PRF is a (t, )-secure one-time signature scheme with t ≈ t′ and  ≤ 2 w²κ^{w−1} /(1/κ − 1/2^n). The tightness gap in the security reduction of Theorem 3.5 is sensitive to the value of κ. For example, suppose that the PRF f is instantiated using AES with 128-bit keys, whereby it is reasonable to assume that it has a security level of 128 bits. The authors of [4] take κ = 2, m = 128, w = 16 and conclude that Theorem 1 guarantees a security level of at least 91 bits for WOTS-PRF. However, since one expects that κ ≥ ln(2^128)/ln(ln(2^128)) ≈ 20, Theorem 3.5 can guarantee a security level of at most 39 bits for WOTS-PRF, which is insufficient in practice. As a second example, consider XMSS when instantiated with WOTS-PRF. The security proof in [11] yields an XMSS security level of  where h is the height of the XMSS tree. Taking n = m = 256, w = 64, κ = 2 and h = 16, Table 7.1 concludes that XMSS has a security level of at least 161 bits. However, since one expects that κ ≥ ln(2^256)/ln(ln(2^256)) ≈ 34.3, the security bound (3) can at best guarantee that b > −100, which is vacuous. Similar conclusions can be drawn about the concrete security levels given for XMSS in [5] and XMSS+ in [13].
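The two estimates used in §4.1 and §4.2, as an added example that is not part of the paper: the script below brute-forces the maximum and minimum numbers of key collisions κ and κ̲ of a small keyed function, evaluates the balls-in-bins figure ln N / ln ln N for N = 2^n at n = 128 and n = 256, and computes how many bits of the guarantee the κ-dependent factor κ^{w−1}/(1/κ − 1/2^n) of the bound above gives up when κ rises from 2 to 20 at w = 16. The toy PRF (SHA-256 of the key and input, truncated to n bits), the tiny n used for enumeration, and the choice to isolate only the κ-dependent factor are assumptions for illustration; the full bound of Theorem 3.5 is not reproduced.

```python
"""Added example (not from the paper): brute-force the key-collision numbers of a toy
PRF, compare with the ln N / ln ln N estimate, and quantify how the kappa-dependent
factor of the Theorem 3.5 bound reacts to a larger kappa. All parameters are assumed."""
import hashlib
import math
from collections import Counter


def toy_prf(key: int, x: int, n: int) -> int:
    """Assumed toy PRF f_k(x): SHA-256 of (key, x), truncated to n bits.
    Keys, inputs and outputs are n-bit values, as for the paper's f."""
    data = key.to_bytes(4, "big") + x.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big") & ((1 << n) - 1)


def key_collisions(n: int):
    """Return (kappa, kappa_min) for toy_prf over all n-bit keys and inputs.
    N_{k,x} = #{k' : f_{k'}(x) = f_k(x)}; kappa is the maximum of N_{k,x} over
    all (k, x) and kappa_min the minimum. Feasible only because n is tiny."""
    size = 1 << n
    kappa, kappa_min = 1, size
    for x in range(size):
        # bucket every key by its image: the size of the bucket holding f_k(x) is N_{k,x}
        buckets = Counter(toy_prf(k, x, n) for k in range(size))
        kappa = max(kappa, max(buckets.values()))
        kappa_min = min(kappa_min, min(buckets.values()))
    return kappa, kappa_min


def balls_in_bins_max_load(n: int) -> float:
    """The estimate of Section 4.1: N = 2^n keys thrown at N outputs, the most
    popular output receives about ln N / ln ln N of them."""
    ln_N = n * math.log(2)
    return ln_N / math.log(ln_N)


def kappa_factor(kappa: float, w: int, n: int) -> float:
    """The kappa-dependent part of the tightness gap quoted in Section 4.2:
    kappa^(w-1) / (1/kappa - 1/2^n)."""
    return kappa ** (w - 1) / (1.0 / kappa - 2.0 ** (-n))


def bits_lost(kappa_hi: float, kappa_lo: float, w: int, n: int) -> float:
    """Bits of guaranteed security the bound gives up when the assumed kappa
    rises from kappa_lo to kappa_hi, everything else in the bound unchanged."""
    return math.log2(kappa_factor(kappa_hi, w, n) / kappa_factor(kappa_lo, w, n))


if __name__ == "__main__":
    kappa, kappa_min = key_collisions(10)
    print(f"n=10 toy PRF: kappa={kappa}, kappa_min={kappa_min}, "
          f"ln N/ln ln N={balls_in_bins_max_load(10):.2f}")
    for n in (128, 256):
        print(f"n={n}: a random function is expected to have kappa >= "
              f"{balls_in_bins_max_load(n):.1f}")
    print(f"w=16, n=128: raising kappa from 2 to 20 costs "
          f"{bits_lost(20, 2, 16, 128):.1f} bits of the guarantee")
```

For n = 10 the brute force already finds a κ well above 2 and a κ̲ of 1, which is the behaviour Remark 2 and §4.1 predict for a random function; the last line shows that the κ^{w−1}/(1/κ) term alone accounts for roughly 53 bits of the drop from 91 bits to at most 39 bits.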

Concluding remarks
We emphasize that our observations on the WOTS-PRF security proof have no bearing on the security proofs for other variants of WOTS such as WOTS-LM and WOTS+. Furthermore, our remarks in §4.2 on the concrete security bounds for XMSS and XMSS+ only apply when these signature schemes are instantiated with WOTS-PRF. In particular, they are not applicable to XMSS as described in the IETF RFC [14], where WOTS+ is the underlying one-time signature scheme.
An open problem is to devise a (tight) reductionist security proof for WOTS-PRF (or a variant of it) under the sole assumption that f is a secure PRF.