Paper 2021/845

An Intermediate Secret-Guessing Attack on Hash-Based Signatures

Roland Booth, Yanhong Xu, Sabyasachi Karati, and Reihaneh Safavi-Naini


Digital signature schemes form the basis of trust in Internet communication. Shor (FOCS 1994) proposed quantum algorithms that can be used by a quantum computer to break the security of today’s widely used digital signature schemes, and this has fuelled intensive research on the design and implementation of post-quantum digital signatures. Hash-based digital signatures base their security on one-way functions that in practice are instantiated by hash functions. Hash-based signatures are widely studied and are part of NIST's post-quantum standardization effort. In this paper we present a multi-target attack, which we call the Intermediate Secret-Guessing attack, on two hash-based signature schemes: XMSS^MT (Draft SP 800-208, which was considered by NIST for standardization) and K2SN-MSS (AsiaCCS 2019). The attack allows an adversary to forge a signature on an arbitrary message. We describe the intuition behind the attack and give details of its application to the attacked schemes, together with the corresponding theoretical analysis. The attack implies that the effective security levels of XMSS (a special case of XMSS^MT), XMSS^MT, and K2SN-MSS are 10, 39 and 12 bits lower than their designed security levels given access to $2^{20}$, $2^{60}$, and $2^{20}$ signatures, respectively. We implement the attack for each scheme and give results for reduced security parameters that validate our theoretical analysis. We also show that the attack can be avoided by modifying the application of a pseudorandom function in key generation. Our work shows the subtleties of replacing randomness with pseudo-randomness in the key generation of hash-based signatures, and the need for careful analysis of such designs.

Publication info: Published elsewhere. Minor revision. IWSEC 2021
Contact author(s): yanhong xu1 @ ucalgary ca
2021-06-21: received
License: Creative Commons Attribution


@misc{cryptoeprint:2021/845,
      author = {Roland Booth and Yanhong Xu and Sabyasachi Karati and Reihaneh Safavi-Naini},
      title = {An Intermediate Secret-Guessing Attack on Hash-Based Signatures},
      howpublished = {Cryptology ePrint Archive, Paper 2021/845},
      year = {2021},
      note = {\url{}},
      url = {}
}