Proof-of-forgery for hash-based signatures
This work addresses the need for crypto-agility by providing a mechanism to alert when cryptographic hash functions become insecure, enabling timely replacement of schemes.
The paper tackles the problem of detecting forgeries in hash-based signatures by proving that Lamport and Winternitz one-time signature schemes can exhibit forgery detection availability, where a successful forgery likely results in a hash collision that serves as evidence.
In the present work, a peculiar property of hash-based signatures allowing detection of their forgery event is explored. This property relies on the fact that a successful forgery of a hash-based signature most likely results in a collision with respect to the employed hash function, while the demonstration of this collision could serve as convincing evidence of the forgery. Here we prove that with properly adjusted parameters Lamport and Winternitz one-time signatures schemes could exhibit a forgery detection availability property. This property is of significant importance in the framework of crypto-agility paradigm since the considered forgery detection serves as an alarm that the employed cryptographic hash function becomes insecure to use and the corresponding scheme has to be replaced.