Hash-Based SignaturesJohannes Buchmann, Andreas HülsungSupported by DFG and DAAD

Part X: XMSS Security

XMSS has Minimal Security Requirements

Security Requirements of Current Signature Schemes

Intractability assumption

Digital signature scheme

Collision resistant hash function

Minimal Security Requirement of Signatures

One-way FFNaor, Yung 1989

Rompel 1990

Digital signature scheme

Target-collision resistant HFF

One-way FF

XMSSPseudorandom FF

Second-preimage resistant HFF

XMSS has minimal security requirements

Naor, Yung 1989Rompel 1990

Håstad, Impagliazzo, Levin, Luby 1999Goldreich, Goldwasser, Micali 1986

Digital signature scheme

Rompel 1990

XMSS Existential unforgeable under chosen message attacks

Security proof

PRFF

SPR-HFF

WOTS$ is EU-CMA

XMSS-Tree + WOTS is EU-CMA

[BDEHR., Africacrypt 2011]

[ DOTV,PQC 2008]

XMSS is EU-CMA

XMSS is forward secure

[BDH, PQC 2011]

[BDH, PQC 2011]