digital signatures


  1. Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-03-31 1

  2. Outline
     • Gennaro-Halevi-Rabin signatures
     • Chameleon hash functions

  3. RSA signatures so far: issues
     • Schemes so far: either inefficient, or only heuristic security (ROM)
     • Goal (hard!): EUF-CMA-secure signature scheme based on RSA...
       – that is efficient (i.e., usable in practice)
       – whose security requires no random oracles.
     • “Workaround”: Strong RSA assumption

  4. Strong RSA assumption
     RSA problem:
     • given $N$, $e$ and $y \leftarrow \mathbb{Z}_N$, find $x \in \mathbb{Z}_N$ with $x^e \equiv y \bmod N$.
     RSA assumption:
     • $\forall$ PPT $\mathcal{A}$: $\Pr\left[ N = P \cdot Q,\ e \leftarrow \mathbb{Z}^*_{\varphi(N)},\ y \leftarrow \mathbb{Z}_N,\ x \leftarrow \mathcal{A}(1^k, N, e, y) : x^e \equiv y \bmod N \right]$ is negligible in $k$.

  5. Strong RSA assumption
     Strong RSA problem:
     • given $N$ and $y \leftarrow \mathbb{Z}_N$, find $x \in \mathbb{Z}_N$, $e > 1$ with $x^e \equiv y \bmod N$.
     Strong RSA assumption:
     • $\forall$ PPT $\mathcal{A}$: $\Pr\left[ N = P \cdot Q,\ y \leftarrow \mathbb{Z}_N,\ (x, e) \leftarrow \mathcal{A}(1^k, N, y) : x^e \equiv y \bmod N \wedge e > 1 \right]$ is negligible in $k$.

  6. Strong RSA: naming
     • Strong RSA assumption stronger assumption than RSA assumption
       – We give adversary more control, easier to win game
       – We assume that it’s still hard for adversary to win
     • But: strong RSA problem easier than RSA problem
     Strong RSA assumption ⇒ RSA assumption, converse implication not obvious at all

  7. Gennaro-Halevi-Rabin signatures
     Let $h : \{0,1\}^* \to \mathbb{P}$ be a hash function ($\mathbb{P}$ = primes)
     $\mathsf{Gen}(1^k)$:
     • Choose $N = P \cdot Q$, $P$, $Q$ prime as with RSA
     • $s \leftarrow \mathbb{Z}_N$
     • We will assume $\forall m \in \{0,1\}^*$: $\gcd(h(m), \varphi(N)) = 1$
       – Can be enforced, e.g., by letting $h$ only output large primes
     • $pk := (N, s, h)$
     • $sk := (pk, \varphi(N)) = (pk, (P-1)(Q-1))$
     $\mathsf{Sign}(sk, m)$:
     • $\sigma := s^{1/h(m)} \bmod N$
     $\mathsf{Vfy}(pk, m, \sigma)$: $\sigma^{h(m)} \stackrel{?}{\equiv} s \bmod N$

  8. GHR signatures: security
     Theorem 70: For every PPT $\mathcal{A}$ that breaks the EUF-naCMA security of $\Sigma$ in time $t_{\mathcal{A}}$ with success $\epsilon_{\mathcal{A}}$, there is a PPT $\mathcal{B}$ that runs in time $t_{\mathcal{B}} \approx t_{\mathcal{A}}$ and which
     • either breaks the collision-resistance of $h$ with success $\epsilon_{coll} \geq \epsilon_{\mathcal{A}} / 2$,
     • or solves the strong RSA problem with success $\epsilon_{sRSA} \geq \epsilon_{\mathcal{A}} / 2$.

  9. GHR signatures: proof
     EUF-naCMA: Denote with $m_1, \ldots, m_q$ the signature queries, and with $(m^*, \sigma^*)$ the forgery of $\mathcal{A}$
     Two possibilities:
     • $E_0$: $\mathcal{A}$ successful and there is an $m_i$ with $h(m_i) = h(m^*)$.
     • $E_1$: $\mathcal{A}$ successful and for all $i \in \{1, \ldots, q\}$, we have $h(m_i) \neq h(m^*)$
     Successful $\mathcal{A}$ causes $E_0$ or $E_1$, hence
     $\epsilon_{\mathcal{A}} \leq \Pr[E_0] + \Pr[E_1] \Rightarrow \Pr[E_0] \geq \epsilon_{\mathcal{A}} / 2$ or $\Pr[E_1] \geq \epsilon_{\mathcal{A}} / 2$

  10. GHR signatures: proof – event $E_0$
     $E_0$: There is an $m_i$ with $h(m_i) = h(m^*)$.
     • $m_i$ and $m^*$ form an $h$-collision.
     • Reduce to the collision-resistance of $h$.
     • Reduction $\mathcal{B}$ gets as input $h$, chooses $(pk, sk) \leftarrow \mathsf{Gen}(1^k)$, runs $\mathcal{A}$, ...

  11. GHR signatures: proof – event $E_1$
     $E_1$: For all $i \in \{1, \ldots, q\}$, we have $h(m_i) \neq h(m^*)$.
     • Reduce to strong RSA assumption.
     • Assume for contradiction: there is a PPT $\mathcal{A}$ that breaks EUF-naCMA, ...
     • ... construct $\mathcal{B}$ that breaks strong RSA...
     • $\mathcal{B}$ gets as input $(N, y)$ and needs to find $(x, e)$ with
       – $e > 1$
       – $x^e \equiv y \bmod N$.

  12. GHR signatures: sRSA reduction
     Recall: $\mathsf{Gen}(1^k)$: $s \leftarrow \mathbb{Z}_N$, $pk := (N, s, h)$, $sk := (pk, \varphi(N))$; $\sigma = s^{1/h(m)} \bmod N$
     • $\mathcal{B}$ uses $(N, y)$ and sets up $s := y^{\prod_{i \in \{1, \ldots, q\}} h(m_i)} \bmod N$
       ($\gcd(h(m), \varphi(N)) = 1$ ensures that $s$ “well-distributed”, i.e., uniform over $\mathbb{Z}_N$!)
     • Signature for $m_j$: $\sigma_j := y^{\prod_{i \in \{1, \ldots, q\} \setminus \{j\}} h(m_i)} \bmod N$

  13. GHR signatures: sRSA reduction – forgery
     $E_1$ occurs: $\mathcal{A}$ outputs valid forgery $(m^*, \sigma^*)$ with
     • $h(m^*) \neq h(m_i)$ for all $i \in \{1, \ldots, q\}$, and
     • $(\sigma^*)^{h(m^*)} \equiv s \equiv y^{\prod_{i \in \{1, \ldots, q\}} h(m_i)} \bmod N$
     Additionally, we have $\gcd(h(m^*), \prod_{i \in \{1, \ldots, q\}} h(m_i)) = 1$, since $h$ maps to prime numbers, and since $E_1$ occurred.

  14. GHR signatures: use Shamir’s trick
     $(\sigma^*)^{h(m^*)} \equiv s \equiv y^{\prod_{i \in \{1, \ldots, q\}} h(m_i)} \bmod N$
     Lemma 31: Let $J, S \in \mathbb{Z}_N$ and $e, f \in \mathbb{Z}$ with
     • $\gcd(e, f) = 1$
     • $J^f \equiv S^e \bmod N$.
     Then, given $N \in \mathbb{Z}$ and $(J, S, e, f) \in \mathbb{Z}_N^2 \times \mathbb{Z}^2$, it is possible to efficiently compute $x \in \mathbb{Z}_N$ with $x^e \equiv J \bmod N$.
     $x^{h(m^*)} \equiv y \bmod N$
     Hence: $(x, h(m^*))$ is the desired sRSA solution
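
The $E_1$ reduction from slides 12 to 14, as an added Python example that is not part of the original slides: $\mathcal{B}$ simulates all signatures from $(N, y)$ without $\varphi(N)$, then applies Shamir's trick to a forgery. The toy modulus, `y`, and the small primes standing in for $h(m_i)$ and $h(m^*)$ are constructed values, and the factors of `N` are used only to play the forger.

```python
from math import prod

def egcd(a, b):
    """Extended Euclid: returns (g, u, v) with u*a + v*b == g."""
    if b == 0:
        return a, 1, 0
    g, u, v = egcd(b, a % b)
    return g, v, u - (a // b) * v

def shamir_trick(N, J, S, e, f):
    """Lemma 31: from J^f == S^e (mod N), gcd(e, f) == 1, return x with x^e == J."""
    g, a, b = egcd(e, f)                      # a*e + b*f == 1
    if g != 1 or pow(J, f, N) != pow(S, e, N):
        raise ValueError("preconditions of Lemma 31 not met")
    # x = J^a * S^b gives x^e = J^(a*e) * (S^e)^b = J^(a*e + b*f) = J.
    # A negative a or b needs J, S invertible mod N (Python >= 3.8).
    return pow(J, a, N) * pow(S, b, N) % N

def simulate(N, y, primes):
    """B's setup: s and the q signatures, computed without phi(N)."""
    s = pow(y, prod(primes), N)
    sigs = [pow(y, prod(primes[:j] + primes[j + 1:]), N)
            for j in range(len(primes))]
    return s, sigs

def verify(N, s, e, sigma):
    """GHR check on an already hashed message: sigma^h(m) == s (mod N)."""
    return pow(sigma, e, N) == s

def extract(N, y, primes, e_star, sigma_star):
    """Event E_1: turn a forgery for a fresh prime e_star into (x, e)."""
    x = shamir_trick(N, y, sigma_star, e_star, prod(primes))
    return x, e_star

# Constructed toy instance (far too small for real use).
P, Q = 1000003, 1000033
N, y = P * Q, 123456789
primes = [5, 7, 13]          # stand-ins for h(m_1), h(m_2), h(m_3)
s, sigs = simulate(N, y, primes)
e_star = 17                  # stand-in for h(m*), not among the queries
# The "forger" here cheats with phi(N); B itself never uses P or Q.
sigma_star = pow(s, pow(e_star, -1, (P - 1) * (Q - 1)), N)
x, e = extract(N, y, primes, e_star, sigma_star)
```
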

  15. Goal: EUF-CMA from (non-strong) RSA
     • In Chapter 4.4 of lecture notes (not here)
     • There: construction of EUF-CMA signatures from RSA (no ROM!)
     • Very high-level overview:
       – Show: GHR selectively secure under RSA assumption ($\mathcal{A}$ needs to commit to all $m_i$ and $m^*$ before seeing $pk$)
       – Transformation: selective security → EUF-naCMA
       – Leads to EUF-naCMA-secure Hohenberger-Waters signatures
       – Transformation: EUF-naCMA → EUF-CMA
       – Result: compact signatures, not very efficient (like GHR)

  16. Open problems
     • Construction of efficient EUF-CMA secure signatures from RSA
       – Hohenberger-Waters not very efficient
       – Many exponentiations, need to find many primes
     • Construction of compact EUF-CMA secure signatures from factoring assumption

  17. Socrative
     Self-checking with quizzes
     • Use following URL: https://b.socrative.com/login/student
     • ... and enter room “HOFHEINZ8872”
     • Will also be in chat (so you can click on link)
     • No registration necessary
     • First quiz (about the GHR signature scheme) starts now!

  18. Chameleon signatures: motivation
     [Figure: Customer, Dealer 1 and Dealer 2, with message labels “Offer?”, “100$, $\sigma_1$”, “100$, $\sigma_1$” and “99$, $\sigma_2$”.]

  19. Chameleon signatures: goal
     Question: can we construct a signature scheme, such that...
     • ... $C$ can verify the authenticity of the offer from $D_1$, but
     • ... $C$ cannot convince $D_2$ that the offer came from $D_1$?

  20. Chameleon hash functions (Definition)
     Def. (Chameleon hash function): A chameleon hash function $\mathsf{CH}$ consists of two PPT algorithms $(\mathsf{Gen}_{CH}, \mathsf{TrapColl}_{CH})$:
     $\mathsf{Gen}_{CH}(1^k)$: outputs $(ch, \tau)$:
     • $ch$ is a function $ch : \mathcal{M} \times \mathcal{R} \to \mathcal{N}$
       – $\mathcal{M}$ message space
       – $\mathcal{R}$ randomness space
       – $\mathcal{N}$ target space
       – $\mathcal{M}$, $\mathcal{R}$, $\mathcal{N}$ may depend on concrete $\mathsf{CH}$!
     • $\tau$ is a trapdoor (or secret key).

  21. Chameleon hash functions (Definition)
     $\mathsf{TrapColl}_{CH}(\tau, m, r, m')$, for $(m, r, m') \in \mathcal{M} \times \mathcal{R} \times \mathcal{M}$, computes $r' \in \mathcal{R}$ with $ch(m, r) = ch(m', r')$
     • Owner of $\tau$ can compute collisions
     • Hence the name “chameleon” hash function
     • Output “changes preimage” (like a chameleon changes color)

  22. Collision-resistance
     Def. 39 (Collision-resistance for chameleon hash functions): A chameleon hash function $\mathsf{CH} = (\mathsf{Gen}_{CH}, \mathsf{TrapColl}_{CH})$ is collision-resistant iff for all PPT $\mathcal{A}$,
     $\Pr\left[ (ch, \tau) \leftarrow \mathsf{Gen}_{CH}(1^k),\ \mathcal{A}(1^k, ch) = (m, r, m', r') : ch(m, r) = ch(m', r') \wedge (m, r) \neq (m', r') \right]$
     is negligible in $k$.

  23. Chameleon hashing based on DLog
     As usual:
     • $G$ group, $|G| = p$ prime, $g$ generator of $G$
     $\mathsf{Gen}(1^k)$:
     • $x \leftarrow \mathbb{Z}_p^*$
     • $h := g^x$
     • $ch := (g, h)$
     • $\tau := x$
     $ch$ defines function: $ch : \mathbb{Z}_p \times \mathbb{Z}_p \to G$, $ch(m, r) := g^m \cdot h^r$

  24. Chameleon hashing based on DLog
     $ch(m, r) = g^m \cdot h^r$
     $\mathsf{TrapColl}(\tau, m, r, m^*)$: Compute $r^*$ with
     $m + x \cdot r = m^* + x \cdot r^* \bmod p \iff r^* = \frac{m - m^*}{x} + r \bmod p$
     This implies:
     $ch(m, r) = g^m \cdot h^r = g^{m + xr} = g^{m^* + xr^*} = g^{m^*} \cdot h^{r^*} = ch(m^*, r^*)$

  25. Chameleon hashing based on DLog – security
     Theorem 40: For every PPT $\mathcal{A}$ that, upon input $ch = (g, h) \leftarrow \mathsf{Gen}(1^k)$, outputs a tuple $(m, r, m^*, r^*)$ with $(m, r) \neq (m^*, r^*)$ and $ch(m, r) = ch(m^*, r^*)$ in time $t_{\mathcal{A}}$ and with success $\epsilon_{\mathcal{A}}$, there exists a PPT $\mathcal{B}$ that breaks the DLog problem in $G$ in time $t_{\mathcal{B}} \approx t_{\mathcal{A}}$ with success $\epsilon_{\mathcal{B}} \geq \epsilon_{\mathcal{A}}$.
     Proof: Like proof of DLog-based one-time signatures (Theorem 28).

  26. Chameleon hashing based on RSA
     $\mathsf{Gen}(1^k)$:
     • $N = P \cdot Q$, $P$, $Q$ prime
     • Prime e > 2 N with $\gcd(e, \varphi(N)) = 1$
     • $d = e^{-1} \bmod \varphi(N)$
     • $J \leftarrow \mathbb{Z}_N$
     • $ch := (N, e, J)$
     • $\tau := d$
     $ch : \mathbb{Z}_N \times \mathbb{Z}_N \to \mathbb{Z}_N$, $ch(m, r) := J^m \cdot r^e \bmod N$

  27. Chameleon hashing based on RSA
     $ch(m, r) := J^m \cdot r^e \bmod N$
     $\mathsf{TrapColl}(\tau, m, r, m^*)$: Compute $r^*$ as
     $r^* = (J^{m - m^*} \cdot r^e)^d \bmod N$
     $ch(m, r) = J^m \cdot r^e \bmod N = J^{m^*} \cdot (r^*)^e \bmod N = ch(m^*, r^*)$
