Digital Signatures, Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung)



SLIDE 1

Digital Signatures

Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung)

Digital Signatures 2020-05-19 1

SLIDE 2

Outline

  • Waters signatures
  • Overview of course topics
  • General remarks

SLIDE 3

Recap: Waters signatures

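  • Gen($1^k$):

– $g^\alpha \leftarrow G$, $\kappa \leftarrow \mathrm{Gen}_{\mathrm{PHF}}(1^k)$.
– $sk = g^\alpha$, $pk = (g, \kappa, e(g, g^\alpha))$.

  • Sign($sk$, $m$): choose $r \leftarrow \mathbb{Z}_p$. Compute

$\sigma_1 := g^r$, $\sigma_2 := g^\alpha \cdot H_\kappa(m)^r$.

Set $\sigma = (\sigma_1, \sigma_2)$.

  • Vfy($pk$, $m$, $\sigma$):

$e(g, \sigma_2) \stackrel{?}{=} e(g, g)^\alpha \cdot e(\sigma_1, H_\kappa(m))$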
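
Correctness check for the verification equation (a worked derivation added here, not part of the original slides; it uses only bilinearity of $e$ and the definitions of $\sigma_1$, $\sigma_2$ above):

$$e(g, \sigma_2) = e\big(g,\, g^\alpha \cdot H_\kappa(m)^r\big) = e(g, g^\alpha) \cdot e\big(g, H_\kappa(m)\big)^r = e(g, g)^\alpha \cdot e\big(g^r, H_\kappa(m)\big) = e(g, g)^\alpha \cdot e\big(\sigma_1, H_\kappa(m)\big).$$

The verifier never needs $\alpha$: the factor $e(g, g)^\alpha = e(g, g^\alpha)$ is the third component of $pk$.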

SLIDE 4

Recap: security of Waters signatures

Theorem (99)

Let $H$ be a $(1, q, \gamma)$-PHF for any polynomial $q$. Then

  • for every adversary $A$ that breaks the EUF-CMA security of Waters’ scheme with success $\epsilon_A$ in time $t_A$ with at most $q$ signature queries,
  • there is an adversary $B$ that breaks CDH in $G$ in time $t_B \approx t_A$ with success $\epsilon_B \geq \gamma \cdot \epsilon_A$.

SLIDE 5

Waters: summary

  • Less efficient than BLS signatures (+1 group element)
  • But: proof in standard model, PHFs central tool

– Historical context: Waters IBE (2005) = Boneh-Boyen IBE (2004) + PHFs

  • PHFs influential, many “partitioning proofs” with similar techniques

SLIDE 6

Current research

  • Better PHFs (but inherent combinatorial limitations)
  • Different partitioning techniques (→ tight security)
  • Tradeoff: more efficiency ↔ weaker assumptions
  • (With pairings:) identity-based encryption → attribute-based encryption → functional encryption

SLIDE 7

Socrative

Self-checking with quizzes

  • Last time
  • Use following URL: https://b.socrative.com/login/student
  • . . . and enter room “HOFHEINZ8872”
  • Will also be in chat (so you can click on link)
  • No registration necessary
  • Quiz about Waters signatures starts now!

SLIDE 8

Outline

  • Waters signatures
  • Overview of course topics
  • General remarks

SLIDE 9

Introduction

Goal: “Digital version of physical signature.” We want:

  • Authenticity

– Document signed by specific person/entity

  • Integrity

– Signed document not changed after signing

SLIDE 10

Definition: digital signature scheme

  • Def. 1: (Digital signature scheme)

A digital signature scheme is a tuple Σ = (Gen, Sign, Vfy) of probabilistic polynomial-time algorithms:

  • Gen($1^k$) → (pk, sk) ($k \in \mathbb{N}$ security parameter → asymptotic definition)
  • Sign(sk, m) → σ (with $m \in \{0, 1\}^*$)
  • Vfy(pk, m, σ) ∈ {0, 1} (intuitively: 1 iff σ valid)

Correctness: “the scheme works.”

SLIDE 11

Security

  • Concrete security definition combines two things:

– Adversarial capabilities (e.g., naCMA, CMA)
– Adversarial goal (e.g., EUF, sEUF, UUF)

  • Definition by security experiment (e.g., EUF-CMA)
  • We need assumptions (no unconditionally secure schemes)!

SLIDE 12

Hash-then-Sign

  • Goal: extend message space of signature scheme
  • Idea: sign H(m) instead of m

– H collision-resistant hash function

  • This modification preserves security
  • Sometimes even improves security (RSA-FDH)

SLIDE 13

One-time signatures

  • Stepping stone towards construction of signature schemes
  • Remain secure if one signature is known (EUF-1-CMA/EUF-1-naCMA)
  • Constructions based on . . .

– . . . one-way functions (Lamport)
– . . . hardness of discrete logarithm problem
– . . . hardness of RSA problem
– (first encounter with Shamir’s trick)
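
The Lamport construction from one-way functions, as an added example (not code from the slides). It assumes SHA-256 as the one-way function and signs the 256-bit digest of the message; `revealed_fraction` is a hypothetical helper that shows why the key is one-time only.

```python
import hashlib
import secrets

N = 256  # number of digest bits that get signed

def H(data):
    return hashlib.sha256(data).digest()

def digest_bits(msg):
    d = H(msg)  # hash-then-sign: sign the digest, not the raw message
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]

def gen():
    # sk: two random preimages per digest bit; pk: their images under H
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pk = [(H(x0), H(x1)) for x0, x1 in sk]
    return pk, sk

def sign(sk, msg):
    # Reveal, for each bit position, the preimage selected by the digest bit
    return [sk[i][b] for i, b in enumerate(digest_bits(msg))]

def vfy(pk, msg, sig):
    if len(sig) != N:
        return False
    bits = digest_bits(msg)
    return all(H(sig[i]) == pk[i][bits[i]] for i in range(N))

def revealed_fraction(msgs):
    # Share of the 2N secret preimages disclosed after signing all of msgs
    seen = set()
    for msg in msgs:
        seen |= {(i, b) for i, b in enumerate(digest_bits(msg))}
    return len(seen) / (2 * N)
```

One signature discloses exactly half of the secret key; every further signature under the same key discloses more, which is why the EUF-1-CMA guarantee stops at one query.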

SLIDE 14

Transformations

  • . . . from EUF-(1-)naCMA to EUF-(1-)CMA security

– Trick: $\sigma = (\sigma'_{pk_1}, pk_1, \sigma^{(1)}_m)$
– Reduction(s) to two assumptions

  • . . . from EUF-1-CMA to EUF-CMA security

– Use binary tree of hash functions (one-time signatures)
– Each node authenticates/signs the two child nodes
– Every leaf used only once (to sign message)

SLIDE 15

RSA-based schemes

  • Textbook RSA ($\sigma = m^d \bmod N$): don’t use this!
  • PKCS #1 v1.5 (“naive” padding of m): security unclear
  • RSA-FDH ($\sigma = H(m)^d \bmod N$): secure in ROM
  • RSA-PSS (clever padding of m): secure in ROM

– Better concrete security guarantees than RSA-FDH
– → Better parameter choices, more efficiency
– Many σ for each m, reduction knows only one

  • GHR: standard-model proof under stronger assumption
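
Why textbook RSA fails EUF security while RSA-FDH does not, as an added example (not code from the slides). The key is a constructed toy key built from two Mersenne primes, and SHA-256 reduced mod N stands in for a full-domain hash; all function names are illustrative.

```python
import hashlib

# Constructed toy key, far too small for real use: two Mersenne primes as factors
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, e*d = 1 mod phi(N)

def textbook_sign(m):
    return pow(m, D, N)                # sigma = m^d mod N

def textbook_vfy(m, sig):
    return 0 <= m < N and pow(sig, E, N) == m

def fdh(msg):
    # Stand-in for a full-domain hash: SHA-256 reduced mod the toy-sized N
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def fdh_sign(msg):
    return pow(fdh(msg), D, N)         # sigma = H(m)^d mod N

def fdh_vfy(msg, sig):
    return pow(sig, E, N) == fdh(msg)

def product_of_signatures(sig1, sig2):
    # Public values only: under textbook RSA this verifies for the message m1*m2
    return sig1 * sig2 % N

def message_for_signature(sig):
    # Public values only: any chosen sig is a valid textbook signature on sig^e
    return pow(sig, E, N)
```

Both helper functions succeed against `textbook_vfy` without touching `D`; against `fdh_vfy` the same product fails because the verifier compares with `H(m)`, which has no multiplicative structure to exploit.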

SLIDE 16

Chameleon hash functions

  • Hash function with trapdoor (to find collisions)
  • Can be viewed as one-time signature schemes
  • Constructions based on DLog and RSA

– Essentially same as DLog-/RSA-based one-time sigs

  • Immediate application: chameleon signatures
  • Technical application: EUF-CMA→sEUF-CMA

– CHFs resolve circular dependency in construction
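
A DLog-based chameleon hash with its trapdoor, as an added example (not code from the slides). It assumes the standard form CH(m; r) = g^m · h^r with h = g^x, which the slide does not spell out, and a constructed toy group (p = 2039, q = 1019, g = 4).

```python
import secrets

# Constructed toy group: p = 2q + 1 with p, q prime; g = 4 has order q in Z_p^*
P, Q, G = 2039, 1019, 4

def ch_gen():
    x = secrets.randbelow(Q - 1) + 1       # trapdoor x in [1, q-1]
    return pow(G, x, P), x                 # (public hash key h = g^x, trapdoor x)

def ch_hash(h, m, r):
    # CH_h(m; r) = g^m * h^r mod p, with m and r taken mod q
    return pow(G, m % Q, P) * pow(h, r % Q, P) % P

def ch_collide(x, m, r, m_new):
    # Trapdoor collision: solve m + x*r = m_new + x*r_new (mod q) for r_new
    return (r + (m - m_new) * pow(x, -1, Q)) % Q

def extract_trapdoor(m1, r1, m2, r2):
    # Any collision with m1 != m2 (mod q) yields x = (m1 - m2) / (r2 - r1) mod q.
    # Without the trapdoor this is the collision-resistance reduction to DLog;
    # with it, it is the reason the "one-time signature" view is one-time only.
    return (m1 - m2) * pow((r2 - r1) % Q, -1, Q) % Q
```

In the one-time-signature view, the public key is (h, CH(m0; r0)) and the signature on m is the randomness returned by `ch_collide`; publishing two such signatures hands out a collision and therefore x.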

SLIDE 17

Pairing-based signatures

  • Pairing: bilinear map $e : G_1 \times G_2 \to G_T$
  • Allows one multiplication in exponent

– Price: moving to a different group ($G_T$)

  • Allows tripartite key exchange
  • BLS signatures: $pk = g^x$, $\sigma = H(m)^x$

– Pairing helps to verify signatures
– Proof under CDH in ROM, similar to RSA-FDH

SLIDE 18

Programmable hashing and Waters signatures

  • Programmable hash functions: mimic ROM (but without oracles)
  • Tool to obtain ROM-like proofs in standard model
  • PHF is hash function $H : \{0, 1\}^\ell \to G$ with trapdoor
  • Trapdoor allows to explain $H(m)$ as $H(m) = h^{a_m} g^{b_m}$
  • Hope that $a_m \neq 0$ most of the time, $a_m = 0$ sometimes
  • Leads to Waters signatures:

– Here, reduction can sign iff $a_m \neq 0$
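
How the trapdoor "explains" a hash value, as an added example (not code from the slides). It assumes the multiplicative Waters-style hash H(m) = h_0 · ∏ h_i^{m_i}, which the slide does not spell out, a constructed toy group, and an illustrative choice of a_i uniform in {-1, 0, 1}; all names are hypothetical.

```python
import secrets

# Constructed toy group: p = 2q + 1 with p, q prime; g = 4 has order q in Z_p^*
P, Q, G = 2039, 1019, 4
ELL = 16                                   # message length in bits

def trapdoor_gen(h):
    # Key with trapdoor: h_i = h^{a_i} * g^{b_i}, a_i in {-1, 0, 1}, b_i in Z_q
    a = [secrets.randbelow(3) - 1 for _ in range(ELL + 1)]
    b = [secrets.randbelow(Q) for _ in range(ELL + 1)]
    kappa = [pow(h, ai % Q, P) * pow(G, bi, P) % P for ai, bi in zip(a, b)]
    return kappa, (a, b)

def bits(m):
    return [(m >> i) & 1 for i in range(ELL)]

def phf_eval(kappa, m):
    # Public evaluation: H_kappa(m) = h_0 * product of h_i over the set bits of m
    out = kappa[0]
    for i, mi in enumerate(bits(m), start=1):
        if mi:
            out = out * kappa[i] % P
    return out

def phf_explain(td, m):
    # Trapdoor evaluation: (a_m, b_m) such that H_kappa(m) = h^{a_m} * g^{b_m}
    a, b = td
    a_m = a[0] + sum(ai for ai, mi in zip(a[1:], bits(m)) if mi)
    b_m = (b[0] + sum(bi for bi, mi in zip(b[1:], bits(m)) if mi)) % Q
    return a_m, b_m

def split_by_a(td, msgs):
    # The partition the security proof relies on: messages with a_m = 0 vs. a_m != 0
    zero = [m for m in msgs if phf_explain(td, m)[0] == 0]
    nonzero = [m for m in msgs if phf_explain(td, m)[0] != 0]
    return zero, nonzero
```

The key `kappa` looks the same with or without the trapdoor; only the holder of (a, b) can tell which side of the partition a message falls on.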

SLIDE 19

Outline

  • Waters signatures
  • Overview of course topics
  • General remarks

SLIDE 20

General remarks

  • Exam: concepts important, also proof strategies/tricks

– Exam is discussion, goal: find out if you understood things

  • Lecture: interaction very much appreciated, thank you!
  • Similar courses/parts of courses/labs on the way
  • <blink>OPPORTUNITY</blink>

– Your feedback influences future course design!
