Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn - - PowerPoint PPT Presentation

Digital Signatures

Dennis Hofheinz (slides based on slides by Björn Kaidel)

Digital Signatures 2020-02-25 1

Outline

Recap: security experiments Message space extension One-time signatures One-time signatures from one-way functions

Digital Signatures 2020-02-25 2

Security definitions

Security definition ˆ = adversarial goal + adversarial capabilities Interesting combinations:

• EUF-CMA
• EUF-naCMA

Digital Signatures 2020-02-25 3

Security experiments

Tool to formalize security definitions: security experiments Interactive process between two parties:

• Adversary A
• Challenger C
• A plays against C
• A wins iff he reaches his goal.

Digital Signatures 2020-02-25 4

Security definitions

Current research:

• Leakage resilience (what if adversary gets to see parts of

signing key?)

• Functional signatures (signing keys limited to certain

messages)

• Aggregatable signatures (combine many signatures into one

short one)

• Many-user scenario (only asymptotically equivalent to one-user

scenario)

• Different key infrastructures (secret-key, identity-based,

certificateless, . . . )

Digital Signatures 2020-02-25 5

Message space extension

Easier (and common) to construct signatures with small message space, e.g.,

• Zp = {0, ... , p − 1}, p prime
• {0, 1}q(k), q polynomial, k security parameter

Goal: signatures with larger message space, e.g., {0, 1}∗

Digital Signatures 2020-02-25 6

Hash functions

• Def. 14: (Cryptographic hash function)

A (cryptographic) hash function H = (GenH, EvalH) consists of two PPT algorithms:

Digital Signatures 2020-02-25 7

Hash functions

• Def. 14: (Cryptographic hash function)

A (cryptographic) hash function H = (GenH, EvalH) consists of two PPT algorithms:

• GenH(1k) outputs a parameter t that defines a function

Ht : {0, 1}∗ → Mt

Digital Signatures 2020-02-25 7

Hash functions

• Def. 14: (Cryptographic hash function)

A (cryptographic) hash function H = (GenH, EvalH) consists of two PPT algorithms:

• GenH(1k) outputs a parameter t that defines a function

Ht : {0, 1}∗ → Mt

• EvalH(1k, t, x) computes Ht(x).

Notation: H instead of t, H(x) for EvalH(1k, t, x).

Digital Signatures 2020-02-25 7

Collision resistance

• Def. 15: (Collision resistance)

A hash function H = (GenH, EvalH) is collision-resistant iff for t ← GenH(1k) and all PPT A we have that Pr[A(1k, t) = (x, x′) : Ht(x) = Ht(x′) ∧ x = x′] is negligible.

Digital Signatures 2020-02-25 8

Construction: signatures with unbounded message space

Assume

• Σ′ = (Gen′, Sign′, Vfy′) with message space M
• collision-resistant hash function H : {0, 1}∗ → M

Construct digital signature scheme Σ = (Gen, Sign, Vfy) with unbounded message space:

• Ideas?

Digital Signatures 2020-02-25 9

Construction: signatures with unbounded message space

Assume

• Σ′ = (Gen′, Sign′, Vfy′) with message space M
• collision-resistant hash function H : {0, 1}∗ → M

Construct digital signature scheme Σ = (Gen, Sign, Vfy) with unbounded message space:

• Gen(1k) computes (pk, sk) ← Gen′(1k)
• Sign(sk, m) computes σ ← Sign′(sk, H(m))
• Vfy(pk, m, σ) outputs Vfy′(pk, H(m), σ).

Digital Signatures 2020-02-25 9

Security of the construction

Theorem 17: For every EUF-CMA adversary A on Σ with runtime tA and success probability ǫA, there are adversaries B1, B2 with runtime tB ≈ tA such that

• B1 breaks the collision resistance of H with probability ≥ ǫA/2,
• or B2 breaks the EUF-CMA security of Σ′ with probability

≥ ǫA/2.

Digital Signatures 2020-02-25 10

Security of the construction

Proof idea:

• Observation:

– whenever A successfully forges a signature σ for a message m, then – σ is a Σ′-signature for H(m).

Digital Signatures 2020-02-25 11

Security of the construction

Proof idea:

• Observation:

– whenever A successfully forges a signature σ for a message m, then – σ is a Σ′-signature for H(m).

• Furthermore,

1

either H(m) has been signed before (i.e., H(m) = H(mi) for one

• f A’s previous signature queries mi),

2

• r H(m) has never been Σ′-signed before.

In first case, A found H-collision, in second case A broke Σ′. One of the cases must occur with probability at least 1/2.

Digital Signatures 2020-02-25 11

Security of the construction

Proof idea:

• Observation:

– whenever A successfully forges a signature σ for a message m, then – σ is a Σ′-signature for H(m).

• Furthermore,

1

either H(m) has been signed before (i.e., H(m) = H(mi) for one

• f A’s previous signature queries mi),

2

• r H(m) has never been Σ′-signed before.

In first case, A found H-collision, in second case A broke Σ′. One of the cases must occur with probability at least 1/2.

• Details (construction of B1, B2): blackboard.

Digital Signatures 2020-02-25 11

Hash-then-Sign

• Construction is called Hash-then-Sign
• Relevant in theory and practice

Digital Signatures 2020-02-25 12

Hash functions: current research

• Hash functions with special properties

– Chameleon hashing (upcoming) – Hash functions that behave like random functions

• Finding good hash functions

– MD5, SHA-1 cryptanalyses – SHA-3 standardization 2015

Digital Signatures 2020-02-25 13

Hash functions: current research

“Nontrivial” SHA-1 collisions:

Digital Signatures 2020-02-25 14

One-time signatures

• General goal: signature schemes that can sign many

messages

• Partial goal: signature schemes that can (securely) sign only
• ne message (one-time signatures)
• Can be used on many messages. . .
• . . . but may become insecure then!
• Security guarantees only when at most one message is signed

Digital Signatures 2020-02-25 15

EUF-1-CMA & EUF-1-naCMA

EUF-1-CMA C A p k m σ m∗ , σ∗ EUF-1-naCMA C A m p k , σ m∗ , σ∗

Vfy(pk, m∗, σ∗) = 1 ∧ m∗ = m?

Rest (Def., winning condition): as with EUF-CMA/-na-CMA

Digital Signatures 2020-02-25 16

Why one-time signatures?

• Useful building block for other and more secure schemes
• Comparatively easy to construct

Digital Signatures 2020-02-25 17

One-way functions

One-way function f : {0, 1}∗ → {0, 1}∗ Idea:

• Given x ∈ {0, 1}∗, easy to compute f(x)
• Given y = f(x), hard to compute any x′ in f −1(y)

Note: One-way functions fundamental primitive (imply much of secret-key cryptography)

Digital Signatures 2020-02-25 18

One-way functions: security experiment

Cone-way A

Digital Signatures 2020-02-25 19

One-way functions: security experiment

Cone-way A x ← {0, 1}k y := f(x) y

Digital Signatures 2020-02-25 19

One-way functions: security experiment

Cone-way A x ← {0, 1}k y := f(x) y x′ f(x′) = y?

A wins iff f(x′) = y.

Note: possibly x′ = x!

Digital Signatures 2020-02-25 19

One-way function (definition)

• Def. 22 (One-way function):

A function f is one-way iff f is computable in polynomial time, and for all PPT A, Pr

• x ← {0, 1}k

x′ ← A(1k, f(x)) : f(x′) = f(x)

• is negligible.

Digital Signatures 2020-02-25 20

Existence of one-way functions

• If one-way functions exist, then P = NP
• Realistically: constructions of one-way functions require

assumptions

Digital Signatures 2020-02-25 21

Existence of one-way functions

• If one-way functions exist, then P = NP
• Realistically: constructions of one-way functions require

assumptions Candidates:

• Exponentiation x → gx in suitable groups
• RSA function x → xe mod N for N = PQ, primes P, Q, random

e

Digital Signatures 2020-02-25 21

Lamport’s one-time signatures

Σ = (Gen, Sign, Vfy)

• Message space {0, 1}n, n = n(k)
• One-way function f

Digital Signatures 2020-02-25 22

Lamport’s one-time signatures

Σ = (Gen, Sign, Vfy)

• Message space {0, 1}n, n = n(k)
• One-way function f

Gen(1k) :

• Choose x1,0, x1,1, ... , xn,0, xn,1 uniformly from {0, 1}k
• ∀j ∈ {1, ... , n} : yj,0 := f(xj,0) and yj,1 := f(xj,1)

Digital Signatures 2020-02-25 22

Lamport’s one-time signatures

Σ = (Gen, Sign, Vfy)

• Message space {0, 1}n, n = n(k)
• One-way function f

Gen(1k) :

• Choose x1,0, x1,1, ... , xn,0, xn,1 uniformly from {0, 1}k
• ∀j ∈ {1, ... , n} : yj,0 := f(xj,0) and yj,1 := f(xj,1)

sk =

• x1,0

... xn,0 x1,1 ... xn,1

• pk =
• y1,0

... yn,0 y1,1 ... yn,1

• Digital Signatures

2020-02-25 22

Lamport’s one-time signatures (2)

sk =

• x1,0

... xn,0 x1,1 ... xn,1

• pk =
• y1,0

... yn,0 y1,1 ... yn,1

• Sign(sk, m) :

Ideas?

Digital Signatures 2020-02-25 23

Lamport’s one-time signatures (2)

sk =

• x1,0

... xn,0 x1,1 ... xn,1

• pk =
• y1,0

... yn,0 y1,1 ... yn,1

• Sign(sk, m) :
• m = m1m2 ... mn ∈ {0, 1}n
• σ = (x1,m1, x2,m2, ... , xn,mn)

Digital Signatures 2020-02-25 23

Lamport’s one-time signatures (2)

sk =

• x1,0

... xn,0 x1,1 ... xn,1

• pk =
• y1,0

... yn,0 y1,1 ... yn,1

• Sign(sk, m) :
• m = m1m2 ... mn ∈ {0, 1}n
• σ = (x1,m1, x2,m2, ... , xn,mn)

Vfy(pk, m, σ) :

Digital Signatures 2020-02-25 23

Lamport’s one-time signatures (2)

sk =

• x1,0

... xn,0 x1,1 ... xn,1

• pk =
• y1,0

... yn,0 y1,1 ... yn,1

• Sign(sk, m) :
• m = m1m2 ... mn ∈ {0, 1}n
• σ = (x1,m1, x2,m2, ... , xn,mn)

Vfy(pk, m, σ) :

Ideas?

Digital Signatures 2020-02-25 23

Lamport’s one-time signatures (2)

sk =

• x1,0

... xn,0 x1,1 ... xn,1

• pk =
• y1,0

... yn,0 y1,1 ... yn,1

• Sign(sk, m) :
• m = m1m2 ... mn ∈ {0, 1}n
• σ = (x1,m1, x2,m2, ... , xn,mn)

Vfy(pk, m, σ) :

• m = m1 ... mn, σ = (x′

1, x′ 2, ... , x′ n)

• Check that for all i ∈ {1, ... , n}, we have

f(x′

i ) ?

= yi,mi

Digital Signatures 2020-02-25 23

Lamport: security

Theorem 23: For every EUF-1-naCMA PPT adversary A with runtime tA and success probability ǫA, there is a PPT adversary B on f with runtime tB ≈ tA and success probability ǫB ≥ ǫA/n.

Digital Signatures 2020-02-25 24

Lamport: security

Theorem 23: For every EUF-1-naCMA PPT adversary A with runtime tA and success probability ǫA, there is a PPT adversary B on f with runtime tB ≈ tA and success probability ǫB ≥ ǫA/n. Proof idea:

• Reduction: EUF-1-naCMA security to one-way security of f.
• Simulation: B simulates EUF-1-naCMA experiment for A.
• Extraction: B uses A’s output to invert f.

Digital Signatures 2020-02-25 24

Lamport: security proof

• Details: blackboard
• Overview:

Cone-way B A

• ne-wayness

EUF-1-naCMA

Digital Signatures 2020-02-25 25

Lamport: security proof

• Details: blackboard
• Overview:

Cone-way B A

• ne-wayness

EUF-1-naCMA x ← {0, 1}k y := f(x) y 1

Digital Signatures 2020-02-25 25

Lamport: security proof

• Details: blackboard
• Overview:

Cone-way B A

• ne-wayness

EUF-1-naCMA x ← {0, 1}k y := f(x) y 1 m = m

1

. . . m

n

prepare pk, sk, σ suitably

p k , σ 2

Digital Signatures 2020-02-25 25

Lamport: security proof

• Details: blackboard
• Overview:

Cone-way B A

• ne-wayness

EUF-1-naCMA x ← {0, 1}k y := f(x) y 1 m = m

1

. . . m

n

prepare pk, sk, σ suitably

p k , σ 2 m∗ , σ∗ x

′

3

Digital Signatures 2020-02-25 25

Lamport: security proof

• Details: blackboard
• Overview:

Cone-way B A

• ne-wayness

EUF-1-naCMA x ← {0, 1}k y := f(x) y 1 m = m

1

. . . m

n

prepare pk, sk, σ suitably

p k , σ 2 m∗ , σ∗ x

′

3

1 + 2 = simulation, 3 = extraction.

Digital Signatures 2020-02-25 25

Lamport: security proof (summary)

• Use A to compute f −1(x) as follows:
• embed f(x) into public key pk, so that:

– B can sign m – A needs f −1(x) in his forgery with suitably high probability

Note: Lamport’s scheme actually EUF-1-CMA secure (exercise)

Digital Signatures 2020-02-25 26

Lamport: summary

• EUF-1-CMA secure
• Requires only one-way function (weak assumption)
• Not very efficient

– Many evaluations of one-way function – Large keys

Digital Signatures 2020-02-25 27

Uselessness of UUF-NMA (not in lecture notes)

Use one-way function f to construct UUF-NMA secure signature scheme:

• Gen(1k) : sk ← {0, 1}k, pk = f(sk)
• Sign(sk, m) = sk
• Vfy(pk, m, σ): f(σ) ?

= pk

Digital Signatures 2020-02-25 28

Uselessness of UUF-NMA (not in lecture notes)

Use one-way function f to construct UUF-NMA secure signature scheme:

• Gen(1k) : sk ← {0, 1}k, pk = f(sk)
• Sign(sk, m) = sk
• Vfy(pk, m, σ): f(σ) ?

= pk

• Actually EUF-NMA secure. . .
• . . . but useless (message-independent signatures)

Digital Signatures 2020-02-25 28