Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn - - PowerPoint PPT Presentation

Digital Signatures

Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung)

Digital Signatures 2020-03-31 1

Outline

Gennaro-Halevi-Rabin signatures Chameleon hash functions

Digital Signatures 2020-03-31 2

RSA signatures so far: issues

• Schemes so far: either inefficient, or only heuristic security

(ROM)

• Goal (hard!): EUF-CMA-secure signature scheme based on
• RSA. . .

– that is efficient (i.e., usable in practice) – whose security requires no random oracles.

• “Workaround”: Strong RSA assumption

Digital Signatures 2020-03-31 3

Strong RSA assumption

RSA problem:

• given N, e and y ← ZN, find x ∈ ZN with xe ≡ y mod N.

RSA assumption:

• ∀ PPT A:

Pr

• N = P · Q, e ← Z∗

ϕ(N),

y ← ZN, x ← A(1k, N, e, y) : xe ≡ y mod N

• is negligible in k.

Digital Signatures 2020-03-31 4

Strong RSA assumption

Strong RSA problem:

• given N and y ← ZN, find x ∈ ZN , e > 1 with xe ≡ y mod N.

Strong RSA assumption:

• ∀ PPT A:

Pr

• N = P · Q,

y ← ZN, (x, e) ← A(1k, N, y) : xe ≡ y mod N ∧ e > 1

• is negligible in k.

Digital Signatures 2020-03-31 4

Strong RSA: naming

• Strong RSA assumption stronger assumption than RSA

assumption

– We give adversary more control, easier to win game – We assume that it’s still hard for adversary to win

Digital Signatures 2020-03-31 5

Strong RSA: naming

• Strong RSA assumption stronger assumption than RSA

assumption

– We give adversary more control, easier to win game – We assume that it’s still hard for adversary to win

• But: strong RSA problem easier than RSA problem

Digital Signatures 2020-03-31 5

Strong RSA: naming

• Strong RSA assumption stronger assumption than RSA

assumption

– We give adversary more control, easier to win game – We assume that it’s still hard for adversary to win

• But: strong RSA problem easier than RSA problem

Strong RSA assumption ⇒ RSA assumption, converse implication not obvious at all

Digital Signatures 2020-03-31 5

Gennaro-Halevi-Rabin signatures

Let h : {0, 1}∗ → P be a hash function (P = primes)

Digital Signatures 2020-03-31 6

Gennaro-Halevi-Rabin signatures

Let h : {0, 1}∗ → P be a hash function (P = primes)

Gen(1k) :

• Choose N = P · Q, P, Q prime as with RSA
• s ← ZN
• We will assume ∀m ∈ {0, 1}∗ : gcd(h(m), ϕ(N)) = 1

– Can be enforced, e.g., by letting h only output large primes

• pk := (N, s, h)
• sk := (pk, ϕ(N)) = (pk, (P − 1)(Q − 1))

Digital Signatures 2020-03-31 6

Gennaro-Halevi-Rabin signatures

Let h : {0, 1}∗ → P be a hash function (P = primes)

Gen(1k) :

• Choose N = P · Q, P, Q prime as with RSA
• s ← ZN
• We will assume ∀m ∈ {0, 1}∗ : gcd(h(m), ϕ(N)) = 1

– Can be enforced, e.g., by letting h only output large primes

• pk := (N, s, h)
• sk := (pk, ϕ(N)) = (pk, (P − 1)(Q − 1))

Sign(sk, m) :

• σ := s1/h(m) mod N

Digital Signatures 2020-03-31 6

Gennaro-Halevi-Rabin signatures

Let h : {0, 1}∗ → P be a hash function (P = primes)

Gen(1k) :

• Choose N = P · Q, P, Q prime as with RSA
• s ← ZN
• We will assume ∀m ∈ {0, 1}∗ : gcd(h(m), ϕ(N)) = 1

– Can be enforced, e.g., by letting h only output large primes

• pk := (N, s, h)
• sk := (pk, ϕ(N)) = (pk, (P − 1)(Q − 1))

Sign(sk, m) :

• σ := s1/h(m) mod N

Vfy(pk, m, σ) : σh(m) ? ≡ s mod N

Digital Signatures 2020-03-31 6

GHR signatures: security

Theorem 70: For every PPT A that breaks the EUF-naCMA security of Σ in time tA with success ǫA, there is a PPT B that runs in time tB ≈ tA and which

• either breaks the collision-resistance of h with success

ǫcoll ≥ ǫA/2,

• or solves the strong RSA problem with success

ǫsRSA ≥ ǫA/2.

Digital Signatures 2020-03-31 7

GHR signatures: proof

EUF-naCMA: Denote with m1, ... , mq the signature queries, and with (m∗, σ∗) the forgery of A Two possibilities:

• E0 : A successful and there is an mi with h(mi) = h(m∗).
• E1 : A successful and for all i ∈ {1, ... , q}, we have

h(mi) = h(m∗)

Digital Signatures 2020-03-31 8

GHR signatures: proof

EUF-naCMA: Denote with m1, ... , mq the signature queries, and with (m∗, σ∗) the forgery of A Two possibilities:

• E0 : A successful and there is an mi with h(mi) = h(m∗).
• E1 : A successful and for all i ∈ {1, ... , q}, we have

h(mi) = h(m∗) Successful A causes E0 or E1, hence

ǫA ≤ Pr[E0] + Pr[E1] ⇒ Pr[E0] ≥ ǫA/2 or Pr[E1] ≥ ǫA/2

Digital Signatures 2020-03-31 8

GHR signatures: proof – event E0

E0 : There is an mi with h(mi) = h(m∗).

• mi and m∗ form an h-collision.
• Reduce to the collision-resistance of h.
• Reduction B gets as input h, chooses (pk, sk) ← Gen(1k),

runs A, . . .

Digital Signatures 2020-03-31 9

GHR signatures: proof – event E1

E1 : For all i ∈ {1, ... , q}, we have h(mi) = h(m∗).

• Reduce to strong RSA assumption.
• Assume for contradiction: there is a PPT A that breaks

EUF-naCMA, . . .

• . . . construct B that breaks strong RSA. . .

Digital Signatures 2020-03-31 10

GHR signatures: proof – event E1

E1 : For all i ∈ {1, ... , q}, we have h(mi) = h(m∗).

• Reduce to strong RSA assumption.
• Assume for contradiction: there is a PPT A that breaks

EUF-naCMA, . . .

• . . . construct B that breaks strong RSA. . .
• B gets as input (N, y) and needs to find (x, e) with

– e > 1 – xe ≡ y mod N.

Digital Signatures 2020-03-31 10

GHR signatures: sRSA reduction

Recall:

Gen(1k) : s ← ZN

pk := (N, s, h) sk := (pk, ϕ(N))

σ = s1/h(m) mod N

• B uses (N, y) and sets up

s := yΠi∈{1,...,q}h(mi) mod N

Digital Signatures 2020-03-31 11

GHR signatures: sRSA reduction

Recall:

Gen(1k) : s ← ZN

pk := (N, s, h) sk := (pk, ϕ(N))

σ = s1/h(m) mod N

• B uses (N, y) and sets up

s := yΠi∈{1,...,q}h(mi) mod N (gcd(h(m), ϕ(N)) = 1 ensures that s “well-distributed”, i.e., uniform over ZN!)

Digital Signatures 2020-03-31 11

GHR signatures: sRSA reduction

Recall:

Gen(1k) : s ← ZN

pk := (N, s, h) sk := (pk, ϕ(N))

σ = s1/h(m) mod N

• B uses (N, y) and sets up

s := yΠi∈{1,...,q}h(mi) mod N (gcd(h(m), ϕ(N)) = 1 ensures that s “well-distributed”, i.e., uniform over ZN!)

• Signature for mj:

σj := yΠi∈{1,...,q}\{j}h(mi) mod N

Digital Signatures 2020-03-31 11

GHR signatures: sRSA reduction – forgery

E1 occurs: A outputs valid forgery (m∗, σ∗) with

• h(m∗) = h(mi) for all i ∈ {1, ... , q}, and
• (σ∗)h(m∗) ≡ s ≡ yΠi∈{1,...,q}h(mi) mod N

Additionally, we have gcd(h(m∗), Πi∈{1,...,q}h(mi)) = 1, since h maps to prime numbers, and since E1 occurred.

Digital Signatures 2020-03-31 12

GHR signatures: use Shamir’s trick

(σ∗)h(m∗) ≡ s ≡ yΠi∈{1,...,q}h(mi) mod N

Digital Signatures 2020-03-31 13

GHR signatures: use Shamir’s trick

(σ∗)h(m∗) ≡ s ≡ yΠi∈{1,...,q}h(mi) mod N Lemma 31: Let J, S ∈ ZN and e, f ∈ Z with

• gcd(e, f) = 1
• Jf ≡ Se mod N.

Then, given N ∈ Z und (J, S, e, f) ∈ Z2

N × Z2 it is possible to

efficiently compute x ∈ ZN with xe ≡ J mod N.

Digital Signatures 2020-03-31 13

GHR signatures: use Shamir’s trick

(σ∗)h(m∗) ≡ s ≡ yΠi∈{1,...,q}h(mi) mod N Lemma 31: Let J, S ∈ ZN and e, f ∈ Z with

• gcd(e, f) = 1
• Jf ≡ Se mod N.

Then, given N ∈ Z und (J, S, e, f) ∈ Z2

N × Z2 it is possible to

efficiently compute x ∈ ZN with xe ≡ J mod N. xh(m∗) ≡ y mod N Hence: (x, h(m∗)) is the desired sRSA solution

Digital Signatures 2020-03-31 13

Goal: EUF-CMA from (non-strong) RSA

• In Chapter 4.4 of lecture notes (not here)
• There: construction of EUF-CMA signatures from RSA (no

ROM!)

• Very high-level overview:

– Show: GHR selectively secure under RSA assumption (A needs to commit to all mi and m∗ before seeing pk) – Transformation: selective security → EUF-naCMA – Leads to EUF-naCMA-secure Hohenberger-Waters signatures – Transformation: EUF-naCMA → EUF-CMA – Result: compact signatures, not very efficient (like GHR)

Digital Signatures 2020-03-31 14

Open problems

• Construction of efficient EUF-CMA secure signatures from

RSA

– Hohenberger-Waters not very efficient – Many exponentiations, need to find many primes

• Construction of compact EUF-CMA secure signatures from

factoring assumption

Digital Signatures 2020-03-31 15

Socrative

Self-checking with quizzes

• Use following URL: https://b.socrative.com/login/student
• . . . and enter room “HOFHEINZ8872”
• Will also be in chat (so you can click on link)
• No registration necessary
• First quiz (about the GHR signature scheme) starts now!

Digital Signatures 2020-03-31 16

Chameleon signatures: motivation

Customer Dealer 1 Dealer 2

Chameleon signatures: motivation

Customer Dealer 1 Dealer 2

O f f e r ? 100$, σ1

Chameleon signatures: motivation

Customer Dealer 1 Dealer 2

O f f e r ? 100$, σ1 100$, σ1 9 9 $ ,

σ

2

Digital Signatures 2020-03-31 17

Chameleon signatures: goal

Question: can we construct a signature scheme, such that. . .

• . . . C can verify the authenticity of the offer from D1, but
• . . . C cannot convince D2 that the offer came from D1?

Digital Signatures 2020-03-31 18

Chameleon hash functions (Definition)

• Def. (Chameleon hash function):

A chameleon hash function CH consists of two PPT algorithms (GenCH, TrapCollCH):

Digital Signatures 2020-03-31 19

Chameleon hash functions (Definition)

• Def. (Chameleon hash function):

A chameleon hash function CH consists of two PPT algorithms (GenCH, TrapCollCH): GenCH(1k) : outputs (ch, τ):

• ch is a function ch : M × R → N

– M message space – R randomness space – N target space – M, R, N may depend on concrete CH!

• τ is a trapdoor (or secret key).

Digital Signatures 2020-03-31 19

Chameleon hash functions (Definition)

TrapCollCH(τ, m, r, m′), for (m, r, m′) ∈ M × R × M, computes

r′ ∈ R with

ch(m, r) = ch(m′, r′)

Digital Signatures 2020-03-31 20

Chameleon hash functions (Definition)

TrapCollCH(τ, m, r, m′), for (m, r, m′) ∈ M × R × M, computes

r′ ∈ R with

ch(m, r) = ch(m′, r′)

• Owner of τ can compute collisions
• Hence the name “chameleon” hash function
• Output “changes preimage” (like a chameleon changes color)

Digital Signatures 2020-03-31 20

Collision-resistance

• Def. 39 (Collision-resistance for chameleon hash functions):

A chameleon hash function CH = (GenCH, TrapCollCH) is collision-resistant iff for all PPT A,

Digital Signatures 2020-03-31 21

Collision-resistance

• Def. 39 (Collision-resistance for chameleon hash functions):

A chameleon hash function CH = (GenCH, TrapCollCH) is collision-resistant iff for all PPT A, Pr

• (ch, τ) ← GenCH(1k)

A(1k, ch) = (m, r, m′, r′) : ch(m, r) = ch(m′, r′) ∧ (m, r) = (m′, r′)

• is negligible in k.

Digital Signatures 2020-03-31 21

Chameleon hashing based on DLog

As usual:

• G group, |G| = p prime, g generator of G

Digital Signatures 2020-03-31 22

Chameleon hashing based on DLog

As usual:

• G group, |G| = p prime, g generator of G

Gen(1k) :

• x ← Z∗

p

• h := gx
• ch := (g, h)
• τ := x

Digital Signatures 2020-03-31 22

Chameleon hashing based on DLog

As usual:

• G group, |G| = p prime, g generator of G

Gen(1k) :

• x ← Z∗

p

• h := gx
• ch := (g, h)
• τ := x

ch defines function: ch : Zp × Zp → G ch(m, r) := gm · hr

Digital Signatures 2020-03-31 22

Chameleon hashing based on DLog

ch(m, r) = gm · hr TrapColl(τ, m, r, m∗) :

Digital Signatures 2020-03-31 23

Chameleon hashing based on DLog

ch(m, r) = gm · hr TrapColl(τ, m, r, m∗) : Compute r∗ with

m + x · r = m∗ + x · r∗ modp

Digital Signatures 2020-03-31 23

Chameleon hashing based on DLog

ch(m, r) = gm · hr TrapColl(τ, m, r, m∗) : Compute r∗ with

m + x · r = m∗ + x · r∗ modp

⇔ r∗

= m − m∗ x + r modp

Digital Signatures 2020-03-31 23

Chameleon hashing based on DLog

ch(m, r) = gm · hr TrapColl(τ, m, r, m∗) : Compute r∗ with

m + x · r = m∗ + x · r∗ modp

⇔ r∗

= m − m∗ x + r modp This implies:

ch(m, r) = gm · hr = gm+xr = gm∗+xr∗ = gm∗ · hr∗ = ch(m∗, r∗)

Digital Signatures 2020-03-31 23

Chameleon hashing based on DLog – security

Theorem 40: For every PPT A that, upon input ch = (g, h) ← Gen(1k), outputs a tuple (m, r, m∗, r∗) with (m, r) = (m∗, r∗) and ch(m, r) = ch(m∗, r∗) in time tA and with success ǫA, there exists a PPT B that breaks the DLog problem in G in time tB ≈ tA with success ǫB ≥ ǫA. Proof: Like proof of DLog-based one-time signatures (Theorem 28).

Digital Signatures 2020-03-31 24

Chameleon hashing based on RSA

Gen(1k) :

• N = P · Q, P, Q prime
• Prime e > 2N with gcd(e, ϕ(N)) = 1
• d = e−1 mod ϕ(N)
• J ← ZN
• ch := (N, e, J)
• τ := d

ch : ZN × ZN → ZN ch(m, r) := Jm · r e mod N

Digital Signatures 2020-03-31 25

Chameleon hashing based on RSA

ch(m, r) := Jm · r e mod N TrapColl(τ, m, r, m∗):

Digital Signatures 2020-03-31 26

Chameleon hashing based on RSA

ch(m, r) := Jm · r e mod N TrapColl(τ, m, r, m∗): Compute r∗ as

r∗ = (Jm−m∗ · r e)d mod N

Digital Signatures 2020-03-31 26

Chameleon hashing based on RSA

ch(m, r) := Jm · r e mod N TrapColl(τ, m, r, m∗): Compute r∗ as

r∗ = (Jm−m∗ · r e)d mod N

ch(m, r) = Jm · r e mod N = Jm∗ · (r∗)e mod N = ch(m∗, r∗)

Digital Signatures 2020-03-31 26

Chameleon hashing based on RSA – security

Theorem 42: For every PPT A that, upon input (N, e, J), outputs a tuple (m, r, m∗, r∗) with (m, r) = (m∗, r∗) and ch(m, r) = ch(m∗, r∗) in time tA and with success ǫB, there is a PPT B that breaks the prime-e-RSA problem in time tB ≈ tA and with success ǫB ≥ ǫA. Proof: Like proof of RSA-based one-time signatures (Theorem 30).

Digital Signatures 2020-03-31 27

Socrative

Self-checking with quizzes

• Use following URL: https://b.socrative.com/login/student
• . . . and enter room “HOFHEINZ8872”
• Will also be in chat (so you can click on link)
• No registration necessary
• Second quiz (about chameleon hash functions) starts now!

Digital Signatures 2020-03-31 28