
Digital Signatures

Dennis Hofheinz (slides based on slides by Björn Kaidel)

Digital Signatures 2020-03-10 1

Outline

  • Recap: one-time signatures
  • From EUF-naCMA security to EUF-CMA security
  • Interlude: proof strategies
  • Security proof
  • (Many-time) signatures from one-time signatures
  • RSA-based signature schemes


Attack on dlog-based one-time sigs (not in notes)

Assume G = ⟨g⟩ with p = |G|.

  • Gen(1^k): x ← Z_p^*, ω ← Z_p; h := g^x, c := g^ω; sk = (x, ω), pk = (g, h, c)
  • Sign(sk, m): σ := (ω − m)/x (mod p)
  • Vfy(pk, m, σ): c ≟ g^m · h^σ

Attack using σ1, σ2 for m1 ≠ m2: then σ1 ≠ σ2 and g^{m1} h^{σ1} = c = g^{m2} h^{σ2}, hence

  m1 + x·σ1 ≡ m2 + x·σ2 (mod p), i.e. x ≡ (m1 − m2)/(σ2 − σ1) (mod p)

⇒ adversary can compute x.


Attack on dlog-based one-time sigs (not in notes), continued

Given x, m and σ: g^ω = c = g^m h^σ ⇔ ω ≡ m + x·σ (mod p)

⇒ adversary can compute the full secret key sk = (x, ω)
⇒ adversary can forge signatures for any m*
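As an added illustration (not part of the slides), the scheme above in a constructed toy group, the order-11 subgroup of Z_23^*, together with the key-recovery computation the two slides derive. The group parameters, the function names and the helper recover_sk are assumptions of this example. It shows why the key is strictly one-time: two valid signatures under the same key give back (x, ω), after which the recovered key signs any message.

```python
import random  # toy randomness for the illustration; not for real keys

# Constructed toy group: G = <g> is the subgroup of order p = 11 in Z_23^*.
P = 23   # modulus of the ambient group Z_P^*
p = 11   # prime order of G; exponents live in Z_p
g = 2    # 2 has order 11 modulo 23


def gen():
    """Gen(1^k) from the slide: sk = (x, ω), pk = (g, h, c) with h = g^x, c = g^ω."""
    x = random.randrange(1, p)       # x ← Z_p^*
    omega = random.randrange(0, p)   # ω ← Z_p
    return (x, omega), (g, pow(g, x, P), pow(g, omega, P))


def sign(sk, m):
    """Sign(sk, m): σ = (ω − m) / x (mod p)."""
    x, omega = sk
    return (omega - m) * pow(x, -1, p) % p


def vfy(pk, m, sigma):
    """Vfy(pk, m, σ): accept iff c = g^m · h^σ in G."""
    g_, h, c = pk
    return c == pow(g_, m, P) * pow(h, sigma, P) % P


def recover_sk(pk, m1, s1, m2, s2):
    """The reuse failure from the slide: two valid signatures on m1 ≠ m2 under
    one key give x = (m1 − m2) / (σ2 − σ1) and then ω = m1 + x·σ1 (mod p),
    i.e. the full secret key. Distinct messages force σ1 ≠ σ2, so the
    inverse below exists; a repeated message is rejected instead."""
    if (m1 - m2) % p == 0:
        raise ValueError("two signatures on the same message reveal nothing new")
    if not (vfy(pk, m1, s1) and vfy(pk, m2, s2)):
        raise ValueError("inputs are not valid signatures under pk")
    x = (m1 - m2) * pow((s2 - s1) % p, -1, p) % p
    omega = (m1 + x * s1) % p
    return x, omega
```

With sk = (3, 7) the public key is (2, 8, 13); the signatures on m = 4 and m = 9 are 1 and 3, and recover_sk returns (3, 7) from them.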


Attack on RSA-based one-time sigs (not in notes)

  • Gen(1^k): choose N, e, d suitably; J, c ← Z_N; sk = d, pk = (N, e, J, c)
  • Sign(sk, m): σ := (c / J^m)^d (mod N)
  • Vfy(pk, m, σ): c ≟ J^m · σ^e (mod N)

Attack using σ1, σ2 for m1 ≠ m2: J^{m1} σ1^e = c = J^{m2} σ2^e (mod N), hence

  J^{m1 − m2} ≡ (σ2/σ1)^e (mod N)

⇒ Shamir's trick yields x ∈ Z_N with x^e ≡ J (mod N)


Attack on RSA-based one-time sigs (not in notes), continued

Given x, m, σ and any m*, σ* := σ · x^{m − m*} (mod N) is a valid signature for m*:

  J^{m*} (σ*)^e ≡ J^{m*} (σ · x^{m − m*})^e ≡ J^{m*} σ^e (x^e)^{m − m*} ≡ J^{m*} σ^e J^{m − m*} ≡ J^m σ^e ≡ c (mod N)

⇒ adversary can compute σ* for any m*
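Added example, not from the slides: the RSA-based one-time scheme with constructed toy parameters (N = 3233 = 61·53, e = 17), Shamir's trick as the function eth_root_of_J and the step from the continuation slide as forge. One caveat the slides leave implicit: Shamir's trick needs gcd(m1 − m2, e) = 1 so that the extended Euclidean coefficients exist, and the code checks this. All names and values are this example's own.

```python
import math
import random  # toy randomness for the illustration; not for real keys

# Constructed toy RSA parameters: N = 61·53, e·d ≡ 1 (mod ϕ(N) = 3120).
N, e, d = 3233, 17, 2753


def gen():
    """Gen(1^k) from the slide: sk = d, pk = (N, e, J, c) with J, c ← Z_N
    (restricted to units so that J^m and σ are invertible mod N)."""
    units = [v for v in range(2, N) if math.gcd(v, N) == 1]
    J, c = random.choice(units), random.choice(units)
    return d, (N, e, J, c)


def egcd(a, b):
    """Extended Euclid: returns (g, u, v) with u·a + v·b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g_, u, v = egcd(b, a % b)
    return g_, v, u - (a // b) * v


def sign(sk, pk, m):
    """Sign(sk, m): σ = (c / J^m)^d (mod N)."""
    n, _, J, c = pk
    return pow(c * pow(J, -m, n), sk, n)


def vfy(pk, m, sigma):
    """Vfy(pk, m, σ): accept iff c ≡ J^m · σ^e (mod N)."""
    n, e_, J, c = pk
    return c == pow(J, m, n) * pow(sigma, e_, n) % n


def eth_root_of_J(pk, m1, s1, m2, s2):
    """Shamir's trick from the slide: two signatures on m1 ≠ m2 give
    J^(m1−m2) ≡ (σ2/σ1)^e (mod N). With u·(m1−m2) + v·e = 1 from the extended
    Euclidean algorithm (requires gcd(m1−m2, e) = 1), x := (σ2/σ1)^u · J^v
    satisfies x^e ≡ J (mod N)."""
    n, e_, J, _ = pk
    g_, u, v = egcd(m1 - m2, e_)
    if g_ != 1:
        raise ValueError("Shamir's trick needs gcd(m1 - m2, e) = 1")
    ratio = s2 * pow(s1, -1, n) % n   # σ2/σ1 (mod N)
    return pow(ratio, u, n) * pow(J, v, n) % n


def forge(pk, m, sigma, x, m_star):
    """Continuation slide: σ* := σ · x^(m − m*) (mod N) is valid for m* once x^e ≡ J."""
    n = pk[0]
    return sigma * pow(x, m - m_star, n) % n
```

With pk = (3233, 17, 5, 7), signatures on m1 = 3 and m2 = 10 give an x with x^17 ≡ 5 (mod 3233), and forge then produces a verifying signature on m* = 6; passing messages that differ by a multiple of e raises the gcd error.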


From EUF-naCMA security to EUF-CMA security

  • Given an EUF-naCMA secure signature scheme Σ′, and
  • an EUF-1-naCMA secure one-time signature scheme Σ(1),
  • construct an EUF-CMA secure signature scheme Σ.


Transformation

Let Σ′ = (Gen′, Sign′, Vfy′) and Σ(1) = (Gen(1), Sign(1), Vfy(1)) be digital signature schemes. We construct Σ = (Gen, Sign, Vfy):

  • Gen(1^k): (pk, sk) := (pk′, sk′) ← Gen′(1^k)


Transformation

  • Sign(sk, m): (pk(1), sk(1)) ← Gen(1)(1^k); σ′ ← Sign′(sk, pk(1)); σ(1) ← Sign(1)(sk(1), m); σ := (pk(1), σ(1), σ′)
  • Vfy(pk, m, σ): output 1 iff Vfy′(pk, pk(1), σ′) = 1 ∧ Vfy(1)(pk(1), m, σ(1)) = 1, else output 0.


Transformation

Intuition: σ = (pk(1), σ(1), σ′)

  • pk(1): fresh new key
  • σ(1): signs the actual message (under pk(1))
  • σ′: ensures that pk(1) was chosen by the owner of sk


Interlude: proof strategies (not in lecture notes)

Claim: If

  • Σ′ is EUF-naCMA secure
  • and Σ(1) is EUF-1-naCMA secure

then Σ is EUF-CMA secure.

  • How to use two assumptions?
  • Which formal statement should be shown?


Interlude: proof strategies (not in lecture notes)

Instructive: How do “regular” security proofs work? Let

  • A be an assumption (e.g., “f is a one-way function”),
  • S be a security claim (e.g., “Lamport signatures with f are EUF-1-naCMA secure”).

  • We need to show: A ⇒ S
  • We often show: ¬S ⇒ ¬A


Interlude: proof strategies (not in lecture notes)

Now:

  • A and B assumptions
    – Σ′ is EUF-naCMA secure
    – Σ(1) is EUF-1-naCMA secure
  • S again desired security claim
    – Σ is EUF-CMA secure

Need to show: (A ∧ B) ⇒ S
Equivalently: ¬S ⇒ ¬(A ∧ B)
Equivalently: ¬S ⇒ (¬A) ∨ (¬B)

We now show ¬S ⇒ (¬A) ∨ (¬B)


Security

Theorem (32, slightly differs from lecture notes)

For every PPT adversary A that breaks Σ’s EUF-CMA security in time t_A with success probability ε_A and at most q signing queries, there exist PPT adversaries B, C with runtime t_B ≈ t_A, t_C ≈ t_A such that

  • B breaks Σ(1)’s EUF-1-naCMA security with probability ε_B ≥ ε_A / (2q),
  • or C breaks Σ′’s EUF-naCMA security with probability ε_C ≥ ε_A / 2.


Reduction to security of Σ′

(Figure: C sits between the EUF-naCMA challenger on the left and the EUF-CMA adversary A on the right.)

  • C chooses pk(1)_1, ..., pk(1)_q, sends them to the EUF-naCMA challenger and receives pk together with σ′_1, ..., σ′_q; C forwards pk to A.
  • Step 1: for each signing query m_i from A, C computes σ_i and returns it.
  • Step 2: A outputs its forgery (m*, σ*).
  • Step 3: C outputs (pk(1)*, σ′*).


Reduction to security of Σ(1)

(Figure: B sits between the EUF-1-naCMA challenger on the left and the EUF-CMA adversary A on the right.)

  • B chooses pk suitably and sends pk to A.
  • For each signing query m_i from A, B computes σ_i and returns it.
  • Step 1: for the query m_{i*}, B sends m_{i*} to the EUF-1-naCMA challenger and receives pk(1)_{i*}, σ(1)_{i*}.
  • Step 2: A outputs its forgery (m*, σ*); B outputs (m*, σ(1)*).


(Many-time) signatures from one-time signatures

We know:

  • One-time signature scheme Σ(1)
  • Advantage: efficient and easy to construct
  • Disadvantage: may lose its security when used more than once

We are looking for:

  • “Many-time” signature schemes


First attempt

  • Naive approach: use q keypairs (for q = # of desired sigs)
  • Gen(1^k): (pk_i, sk_i) ← Gen(1)(1^k) for all i ∈ {1, ..., q}; pk := (pk_1, ..., pk_q); sk := (sk_1, ..., sk_q, st = 1)
    – Remark: stateful (here: state is counter st ∈ {1, ..., q})
  • Sign(sk, m): σ_st ← Sign(1)(sk_st, m); σ := (σ_st, st); st := st + 1
  • Vfy(pk, m, σ = (σ_i, i)): Vfy(1)(pk_i, m, σ_i) ≟ 1
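Added example, not from the slides, serving two passages at once: the naCMA-to-CMA transformation (Σ built from Σ′ and Σ(1)) and the stateful "first attempt" above. Σ(1) is instantiated with a Lamport one-time scheme over SHA-256, and Σ′ with the first attempt itself, i.e. q independent Lamport keypairs consumed by a counter, which is EUF-q-naCMA by the exercise that follows. The class and function names, the 0-based counter and the serialisation of pk(1) are this example's own choices.

```python
import hashlib
import secrets


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


# ---- Σ(1): Lamport one-time signatures over SHA-256 (EUF-1-naCMA if H is one-way)
def ots_gen():
    sk = [[secrets.token_bytes(32) for _ in range(2)] for _ in range(256)]
    pk = [[H(s) for s in pair] for pair in sk]
    return pk, sk


def ots_sign(sk, m: bytes):
    bits = int.from_bytes(H(m), "big")
    return [sk[i][(bits >> (255 - i)) & 1] for i in range(256)]


def ots_vfy(pk, m: bytes, sig) -> bool:
    bits = int.from_bytes(H(m), "big")
    return len(sig) == 256 and all(
        H(sig[i]) == pk[i][(bits >> (255 - i)) & 1] for i in range(256))


def ots_pk_bytes(pk) -> bytes:
    """Serialise pk(1) so that Σ′ can sign it as a message."""
    return b"".join(x for pair in pk for x in pair)


# ---- Σ′: the stateful "first attempt" from the slides: q one-time keypairs + counter
class ManyTimeOTS:
    def __init__(self, q: int):
        keys = [ots_gen() for _ in range(q)]
        self.pk = [pk for pk, _ in keys]   # pk := (pk_1, ..., pk_q)
        self.sk = [sk for _, sk in keys]   # sk := (sk_1, ..., sk_q)
        self.st = 0                        # counter st (0-based here)

    def sign(self, m: bytes):
        if self.st >= len(self.sk):
            raise RuntimeError("all q one-time keys have been used")
        i, self.st = self.st, self.st + 1
        return i, ots_sign(self.sk[i], m)  # σ := (σ_st, st)

    @staticmethod
    def vfy(pk, m: bytes, sig) -> bool:
        i, s = sig
        return 0 <= i < len(pk) and ots_vfy(pk[i], m, s)


# ---- Σ: the transformation from the slides
def gen(q: int):
    sk_prime = ManyTimeOTS(q)
    return sk_prime.pk, sk_prime             # (pk, sk) := (pk′, sk′)


def sign(sk: ManyTimeOTS, m: bytes):
    pk1, sk1 = ots_gen()                     # fresh (pk(1), sk(1)) per signature
    sig_prime = sk.sign(ots_pk_bytes(pk1))   # σ′ ← Sign′(sk, pk(1))
    sig1 = ots_sign(sk1, m)                  # σ(1) ← Sign(1)(sk(1), m)
    return pk1, sig1, sig_prime              # σ := (pk(1), σ(1), σ′)


def vfy(pk, m: bytes, sig) -> bool:
    pk1, sig1, sig_prime = sig
    return ManyTimeOTS.vfy(pk, ots_pk_bytes(pk1), sig_prime) and ots_vfy(pk1, m, sig1)
```

Two checks worth running: swapping in a different one-time key with its own valid σ(1) fails because σ′ only certifies the pk(1) the signer chose, which is exactly the intuition slide's role for σ′; and the q+1-th call to sign raises, because the first attempt has no keys left.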


First attempt

Exercise 34:

Theorem

If Σ(1) is EUF-1-naCMA secure, then the above scheme is EUF-q-naCMA secure.

Theorem

If Σ(1) is EUF-1-CMA secure, then the above scheme is EUF-q-CMA secure.

Complexity, measured in complexity of used one-time scheme: |pk| ∈ O(q), |sk| ∈ O(q), |σ| ∈ O(1)

  • Can this be done more efficiently (without a-priori bound q)?


Intermediate scheme

  • H hash function
  • Gen(1^k): (pk_i, sk_i) ← Gen(1)(1^k) for all i ∈ {1, ..., q}; pk := H(pk_1, ..., pk_q); sk := (sk_1, ..., sk_q, pk_1, ..., pk_q, st = 1)
  • Sign(sk, m): σ_st ← Sign(1)(sk_st, m); σ := (σ_st, st, pk_1, ..., pk_q); st := st + 1
  • Vfy(pk, m, σ = (σ_i, i, pk_1, ..., pk_q)): Vfy(1)(pk_i, m, σ_i) ≟ 1 and H(pk_1, ..., pk_q) ≟ pk


Intermediate scheme

Exercise:

Theorem

If Σ(1) is EUF-1-naCMA secure, and H is collision-resistant, then the above scheme is EUF-q-naCMA secure.

Theorem

If Σ(1) is EUF-1-CMA secure, and H is collision-resistant, then the above scheme is EUF-q-CMA secure.

Complexity, measured in complexity of used one-time scheme: |pk| ∈ O(1), |sk| ∈ O(q), |σ| ∈ O(q)

  • now: how to save on signature size
  • Merkle trees


Merkle trees

(Figure: binary hash tree over q = 8 one-time public keys pk_1, ..., pk_8 with leaf hashes h_{3,1}, ..., h_{3,8}, inner nodes h_{2,1}, ..., h_{2,4} and h_{1,1}, h_{1,2}, and root h_{0,1}. The root is the public key, pk := h_{0,1}. For a signature under leaf pk_i, the sibling nodes along the path to the root are contained in σ, while the nodes on the path itself are computed by Vfy.)


Merkle trees

  • Gen(1^k): (pk_i, sk_i) ← Gen(1)(1^k) for all i ∈ {1, ..., q}; pk := tree-hash(pk_1, ..., pk_q); sk := (sk_1, ..., sk_q, pk_1, ..., pk_q, st = 1)
  • Sign(sk, m): i := st; σ_i ← Sign(1)(sk_i, m); σ := (σ_i, i, pk_i, co-path); st := st + 1


Co-path

Definition

The co-path to a vertex v in a binary tree with root r is the sequence of all vertices u_1, ..., u_n such that u_i is the sibling of the i-th vertex on the path from v to r.



Merkle trees (continued)

  • Vfy(pk, m, σ = (σ_i, i, pk_i, co-path)): recompute the root h′ from pk_i, i and the co-path; check Vfy(1)(pk_i, m, σ_i) ≟ 1 and h′ ≟ pk



Merkle trees

Theorem

If Σ(1) is EUF-1-naCMA secure, and H is collision-resistant, then the above scheme is EUF-q-naCMA secure.

Theorem

If Σ(1) is EUF-1-CMA secure, and H is collision-resistant, then the above scheme is EUF-q-CMA secure.

Complexity, measured in complexity of one-time scheme: |pk| ∈ O(1), |sk| ∈ O(q), |σ| ∈ O(log q)

  • next up: saving on secret key size


Compressing the secret key

Idea:

  • Choose keypairs not randomly, but pseudorandomly
  • Requires cryptographically secure pseudorandomness
  • Formally: pseudorandom function (PRF)
  • Disadvantage: when signing, need to recompute all relevant keys (slow)
  • (more in lecture notes/book)

Complexity, measured in complexity of one-time scheme: |pk| ∈ O(1), |sk| ∈ O(1), |σ| ∈ O(log q)
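Added example, not from the slides, covering the Merkle-tree slides and the secret-key compression idea above: tree-hash, the co-path of a leaf, and the root recomputation Vfy performs, with the leaf keys derived from a single seed by a PRF so that only (seed, i) has to be stored. The leaves here are pseudorandom stand-ins for one-time public keys pk_i (the one-time scheme itself is left abstract); HMAC-SHA256 as the PRF, SHA-256 with a one-byte domain-separation prefix as H, and 0-based leaf indices are this example's assumptions.

```python
import hashlib
import hmac


def H_leaf(pk_i: bytes) -> bytes:
    """Hash of a leaf (a one-time public key); the 0x00 prefix separates leaves from inner nodes."""
    return hashlib.sha256(b"\x00" + pk_i).digest()


def H_node(left: bytes, right: bytes) -> bytes:
    """Hash of an inner node from its two children (0x01 prefix)."""
    return hashlib.sha256(b"\x01" + left + right).digest()


def leaf_pk(seed: bytes, i: int) -> bytes:
    """Pseudorandom stand-in for pk_i derived from one seed with a PRF (HMAC-SHA256),
    so that sk is O(1): any leaf key can be recomputed from (seed, i) on demand.
    A real scheme would derive sk_i this way and obtain pk_i from it."""
    return hmac.new(seed, i.to_bytes(4, "big"), hashlib.sha256).digest()


def tree_levels(leaves):
    """All levels of the hash tree, from the hashed leaves up to the root."""
    q = len(leaves)
    if q == 0 or q & (q - 1):
        raise ValueError("q must be a power of two")
    levels = [[H_leaf(pk) for pk in leaves]]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        levels.append([H_node(lvl[j], lvl[j + 1]) for j in range(0, len(lvl), 2)])
    return levels


def tree_hash(leaves) -> bytes:
    """pk := tree-hash(pk_1, ..., pk_q), i.e. the root."""
    return tree_levels(leaves)[-1][0]


def co_path(leaves, i: int):
    """Co-path of leaf i (0-based here, 1-based on the slides): the siblings of the
    vertices on the path from the leaf to the root, listed bottom-up. Together with
    pk_i and i this is what goes into σ; its length is log2(q)."""
    path, idx = [], i
    for lvl in tree_levels(leaves)[:-1]:
        path.append(lvl[idx ^ 1])
        idx //= 2
    return path


def root_from_co_path(pk_i: bytes, i: int, path) -> bytes:
    """What Vfy does: recompute the root h′ from pk_i, its index and the co-path,
    placing each sibling on the correct side according to the index bits."""
    node, idx = H_leaf(pk_i), i
    for sibling in path:
        node = H_node(node, sibling) if idx % 2 == 0 else H_node(sibling, node)
        idx //= 2
    return node
```

For q = 8 every leaf's co-path has three nodes, and the recomputed root only matches pk when the leaf, its index and the co-path all belong together; a wrong index puts siblings on the wrong side and yields a different root.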


More improvements

Disadvantage so far:

  • Runtime (of Gen and Sign) in O(q)

Solution:

  • build entire tree with one-time signature scheme (no hashing)
  • every vertex is an OTS keypair
  • every key signs (the public keys of) the two child vertices

More improvements:

  • stateless schemes
  • do not use keys at leaves linearly, but use random leaf (or leaf determined by message)
  • for instance: use sk_m for m ∈ {0, ..., 2^k − 1}


Current research

  • Merkle trees useful in many contexts:
    – in cryptography (universal arguments/SNARKs),
    – and other areas of CS (file systems, version control)


Recap: RSA problem/assumption

Setting:

  • N = P · Q, for large primes P, Q
  • ϕ(N) = (P − 1)(Q − 1) = |Z_N^*|
  • Choose e ∈ ℕ uniformly between 1 and ϕ(N) with gcd(e, ϕ(N)) = 1.
  • Then d ∈ ℕ with e · d ≡ 1 mod ϕ(N) can be found efficiently from ϕ(N) and e.
  • For x ∈ Z_N, we have x^{e·d} ≡ x mod N.


Recap: RSA problem/assumption

RSA problem:

  • Given N, e as above and y ← Z_N, find x ∈ Z_N with x^e ≡ y mod N.

RSA assumption:

  • ∀ PPT A: Pr[ N, e as above; y ← Z_N; x ← A(1^k, N, e, y) : x^e = y mod N ] negligible.


“Textbook RSA”

  • Gen(1^k):
    – choose P, Q, N, e as above
    – d := e^{−1} mod ϕ(N)
    – pk = (N, e)
    – sk = (N, d)
  • Sign(sk, m): σ := m^d (mod N)
  • Vfy(pk, m, σ): σ^e ≟ m (mod N)

Correctness: σ^e ≡ (m^d)^e ≡ m^{de mod ϕ(N)} ≡ m^1 ≡ m (mod N)


Security

  • Not EUF-NMA secure:
    – Choose σ* ← Z_N
    – Compute m* := (σ*)^e mod N
    – Output (m*, σ*) as forgery
  • (Multiplicatively) homomorphic:
    – If σ1, σ2 are valid signatures for m1, m2,
    – then σ3 := σ1σ2 mod N is valid for m3 := m1m2 mod N: σ3^e ≡ (σ1σ2)^e ≡ σ1^e σ2^e ≡ m1m2 ≡ m3 (mod N)
  • Exercise: Textbook-RSA is UUF-NMA secure if the RSA assumption holds.


RSA-based signatures

Secure signatures based on RSA

Often: suitable preprocessing/encoding of m

  • RSA PKCS #1 v1.5
  • RSA-FDH (Full Domain Hash)
  • RSA-PSS (Probabilistic Signature Scheme, not in notes)

More schemes:

  • Gennaro-Halevi-Rabin scheme:

– EUF-naCMA secure under stronger assumption

  • Hohenberger-Waters signature scheme (not covered here):

– similar to GHR, but under standard RSA assumption


RSA PKCS #1 v1.5

PKCS #1:

  • Public-Key Cryptography Standard #1
  • Originally developed by RSA Security
  • Version 1.5: November 1993
  • Today: Version 2.2 (October 2012)
  • Contains also variant of RSA-PSS

    – https://www.emc.com/emc-plus/rsa-labs/standards-initiatives/pkcs-rsa-cryptography-standard.htm
    – https://tools.ietf.org/html/rfc3447


RSA PKCS #1 v1.5 (Chapter 6.3)

  • Gen(1k) : as with Textbook-RSA
  • Sign(sk, m):
    – let H be a collision-resistant hash function
    – encode m as m′ := 0x00 0x01 0xFF ... 0xFF 0x00 spec. H H(m)
      (0x01: type of encoding, here signature; 0xFF ... 0xFF: padding; 0x00: boundary; spec. H: which H?; H(m): hash value)
    – σ := (m′)^d (mod N)
  • Vfy(pk, m, σ):
    – compute m′ := σ^e (mod N)
    – check if m′ is a valid encoding of m
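Added example, not from the slides, serving the "Security" slide on textbook RSA and the PKCS #1 v1.5 slide above: textbook signing beside the v1.5 encoding, so that the multiplicative homomorphism and the no-message forgery can be checked against the padded variant. Verification of the v1.5 encoding is done by re-encoding the message and comparing the whole block, rather than parsing the padding out of σ^e. Key generation is a constructed toy (Fermat-tested 384-bit primes); the DigestInfo prefix is the PKCS #1 value for SHA-256; function names are this example's own.

```python
import hashlib
import hmac
import math
import secrets


def _toy_prime(bits: int) -> int:
    """Constructed toy prime generator (Fermat test with a few bases); not for real keys."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if all(pow(a, cand - 1, cand) == 1 for a in (2, 3, 5, 7, 11, 13)):
            return cand


def gen(bits: int = 384):
    """Gen(1^k): N = P·Q, pk = (N, e), sk = (N, d) with e·d ≡ 1 (mod ϕ(N))."""
    e = 65537
    while True:
        P, Q = _toy_prime(bits), _toy_prime(bits)
        phi = (P - 1) * (Q - 1)
        if P != Q and math.gcd(e, phi) == 1:
            return (P * Q, e), (P * Q, pow(e, -1, phi))


# ---- Textbook RSA: σ := m^d, accept iff σ^e = m (mod N)
def tb_sign(sk, m: int) -> int:
    N, d = sk
    return pow(m, d, N)


def tb_vfy(pk, m: int, sigma: int) -> bool:
    N, e = pk
    return pow(sigma, e, N) == m % N


def tb_combine(pk, m1, s1, m2, s2):
    """Homomorphism from the 'Security' slide: σ1·σ2 is valid for m1·m2 (mod N)."""
    N = pk[0]
    return m1 * m2 % N, s1 * s2 % N


def tb_no_message_forgery(pk):
    """EUF-NMA break from the slide: choose σ* first, set m* := (σ*)^e (mod N)."""
    N, e = pk
    sigma = secrets.randbelow(N - 2) + 2
    return pow(sigma, e, N), sigma


# ---- RSA PKCS #1 v1.5 with SHA-256: EMSA-PKCS1-v1_5 encoding, then the same RSA operation
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # "spec. H" for SHA-256


def emsa_encode(m: bytes, k: int) -> bytes:
    """m′ := 0x00 0x01 0xFF...0xFF 0x00 DigestInfo(SHA-256) H(m), exactly k bytes (k = |N| in bytes)."""
    t = SHA256_DIGESTINFO + hashlib.sha256(m).digest()
    if k < len(t) + 11:            # at least 8 bytes of 0xFF padding are required
        raise ValueError("modulus too short for EMSA-PKCS1-v1_5 with SHA-256")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def pkcs_sign(sk, m: bytes) -> int:
    N, d = sk
    k = (N.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_encode(m, k), "big"), d, N)


def pkcs_vfy(pk, m: bytes, sigma: int) -> bool:
    """Vfy(pk, m, σ): m′ := σ^e and 'check if m′ is a valid encoding of m', done by
    re-encoding m and comparing the whole block, so no lenient padding parser is involved."""
    N, e = pk
    k = (N.bit_length() + 7) // 8
    if not 0 < sigma < N:
        return False
    m_prime = pow(sigma, e, N).to_bytes(k, "big")
    return hmac.compare_digest(m_prime, emsa_encode(m, k))
```

Under the same key, the product of two textbook signatures verifies for the product of the messages and a random σ* verifies for m* := (σ*)^e, while the product of two PKCS #1 v1.5 signatures verifies for neither original message, because σ^e no longer has the fixed 0x00 0x01 0xFF ... structure.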


RSA PKCS #1 v1.5: security

Security?

  • not clear, but at least not (obviously) homomorphic
  • no attacks known, but also no security proof
  • exception: attack on implementation flaws

Why relevant?

  • old, used in practice
