SLIDE 1

Digital Signatures

Dennis Hofheinz (slides based on slides by Björn Kaidel)

Digital Signatures 2020-02-18 1

SLIDE 2

Outline

  • Logistics
  • Overview
  • Introduction
  • Definition
  • Security
  • Security experiments
  • Formal security definition
  • Relations among security definitions

SLIDE 3

Organization

  • Lecture: Tuesdays, 10:00-12:00, ML E12
  • Exam: oral, 15 minutes
  • Contact: hofheinz@inf.ethz.ch
  • Speaking hours: whenever my door (CAB H33.3) is open
  • Website: todo

SLIDE 4

Supporting materials

  • Lecture notes (German) by Tibor Jager: https://www.tiborjager.de/DigitaleSignaturen.pdf

  • Book “Digital Signatures” by Jonathan Katz
  • Slides (on website) and occasional whiteboard writeup

SLIDE 5

Overview

  • What are (digital) signatures?
  • Which security properties do we want from signatures?
  • How do we construct and prove signatures?
  • Outlook towards current research

SLIDE 6

Content

  • Motivation/definitions
  • One-time signatures → tree-based signatures
  • RSA-based signatures
  • Interlude: chameleon hashing
  • Pairing-based signatures
  • . . . (?)

Not here: “symmetric signatures” (MACs)

SLIDE 7

Motivation

  • Goal: “Digital analogue of (physical) signatures.”
  • What do we want to sign? Bitstrings from $\{0, 1\}^*$
  • Examples: code/programs, websites, emails, . . .
  • Technical goals:

      – Authenticity: document is actually signed by that person
      – Integrity: document has not been changed since signing

(desirable, but not actually guaranteed by physical signatures)

SLIDE 8

What are signature schemes?

Informally:

  • Asymmetric cryptographic mechanisms
  • Every participant has a keypair (pk, sk)
  • Secret key sk used to sign (a message m), result: signature σ
  • Public/verification key pk allows verifying that σ is valid for m

SLIDE 10

Signatures are not . . .

Signatures are not encryption schemes

  • Signatures do not hide m (use encryption for that)

Signatures are not “inverse” public-key encryption schemes

  • As in: signing=decrypting, verifying=encrypting
  • Works (to some extent) for RSA, but not for other schemes

SLIDE 11

Applications of signatures

Ideas?

SLIDE 12

Applications of signatures

  • Program updates/apps
  • E-commerce (signed websites)
  • Certificates (digitally signed signature/encryption keys)
  • Identity cards
  • Building block in more complex cryptographic systems
  • . . .

SLIDE 16

Definition: digital signature scheme

  • Def. 1: (Digital signature scheme)

A digital signature scheme is a tuple Σ = (Gen, Sign, Vfy) of probabilistic polynomial-time algorithms:

  • $\mathsf{Gen}(1^k) \to (pk, sk)$ ($k \in \mathbb{N}$ security parameter → asymptotic definition)
  • $\mathsf{Sign}(sk, m) \to \sigma$ (with $m \in \{0, 1\}^*$)
  • $\mathsf{Vfy}(pk, m, \sigma) \in \{0, 1\}$ (intuitively: 1 iff σ valid)

SLIDE 17

Correctness

Correctness: “The scheme works.” Formally:

$$\forall k \;\forall (pk, sk) \leftarrow \mathsf{Gen}(1^k) \;\forall m : \mathsf{Vfy}(pk, m, \mathsf{Sign}(sk, m)) = 1.$$

SLIDE 19

Digital signatures: soundness

Soundness: “The scheme is secure.” Formally:

  • What is security?
  • We need a definition!

SLIDE 21

Security

  • Concrete security definition combines two things:

      – Adversarial capabilities
      – Adversarial goal

  • Now: overview
  • Later: formal definitions

SLIDE 24

Adversarial capabilities

1 a) no-message attack (NMA)

  • Adversary gets only pk

1 b) non-adaptive chosen-message attack (naCMA)

  • Adversary chooses $m_1, \dots, m_q$ . . .
  • . . . then obtains pk and signatures $\sigma_1, \dots, \sigma_q$

1 c) (adaptive) chosen-message attack (CMA)

  • Adversary gets pk, then chooses $m_1, \dots, m_q$ and obtains $\sigma_1, \dots, \sigma_q$ adaptively (i.e., one $m_i$ at a time, so $m_{i+1}$ may depend on pk and $\sigma_1, \dots, \sigma_i$)

SLIDE 27

Adversarial goals

General goal: forge/generate signatures

2 a) “Universal Unforgeability” (UUF)

  • Adversary has to generate valid signature for externally given m
  • m chosen at random (not by adversary!)

2 b) “Existential Unforgeability” (EUF)

  • Adversary has to generate valid signature for any message m not signed before

SLIDE 28

Security definition

Security definition ≙ adversarial goal + adversarial capabilities

Interesting combinations:

  • EUF-CMA
  • EUF-naCMA

SLIDE 29

Security experiments

Tool to formalize security definitions: security experiments

Interactive process between two parties:

  • Adversary A
  • Challenger C
  • A plays against C
  • A wins iff he reaches his goal.

SLIDE 34

EUF-CMA security experiment

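Challenger $C_{\text{EUF-CMA}}$ and adversary A:

  • C runs $(pk, sk) \leftarrow \mathsf{Gen}(1^k)$ and sends $pk$ to A
  • Queries: A sends $m_i$, C answers with $\sigma_i$
      – $q = q(k)$ queries
      – $q$ polynomial (dep. on A)
  • A outputs $(m^*, \sigma^*)$; C checks $\mathsf{Vfy}(pk, m^*, \sigma^*) = 1$? $\wedge$ $m^* \notin \{m_1, \dots, m_q\}$?

A wins iff $\mathsf{Vfy}(pk, m^*, \sigma^*) = 1$ and $m^* \notin \{m_1, \dots, m_q\}$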

SLIDE 36

Why is A allowed arbitrary signing queries?

  • Question: why is A allowed arbitrary signing queries?
  • Answer: yields strong and universal (application-independent) definition

(Attack may yield signatures for unforeseeable messages)

SLIDE 38

Definition: EUF-CMA

  • Def. 2: (EUF-CMA)

A digital signature scheme Σ = (Gen, Sign, Vfy) is EUF-CMA secure iff for all PPT A, the function

$$\Pr[\mathcal{A} \text{ wins EUF-CMA experiment}] = \Pr\left[\mathcal{A}^{C_{\text{EUF-CMA}}}(pk) = (m^*, \sigma^*) : \mathsf{Vfy}(pk, m^*, \sigma^*) = 1 \wedge m^* \notin \{m_1, \dots, m_q\}\right]$$

is negligible.

SLIDE 40

Definition: negligible

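Def.: (Negligible) A function $\mathsf{negl} : \mathbb{N} \to [0, 1]$ is negligible iff

$$\forall c \in \mathbb{N} \;\exists k_0 \in \mathbb{N} \;\forall k \geq k_0 : \mathsf{negl}(k) < 1/k^c.$$

Examples: $1/2^k$ and $1/k^{\log k}$ negligible, $1/k^2$ not.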
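
Why two of these examples fall on either side of the definition, worked through as an added derivation (not from the original slides; $\log$ is assumed to be base 2):

$$\text{For } 1/k^{\log k}: \text{ fix } c \in \mathbb{N} \text{ and set } k_0 = 2^c + 1. \text{ Then } \forall k \geq k_0 : \; \log k > c \;\Rightarrow\; k^{\log k} > k^c \;\Rightarrow\; 1/k^{\log k} < 1/k^c.$$

$$\text{For } 1/k^2: \text{ take } c = 3. \text{ Then } 1/k^2 < 1/k^3 \iff k < 1, \text{ which fails for every } k \geq 1, \text{ so no } k_0 \text{ exists.}$$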

SLIDE 41

UUF-NMA security experiment

Ideas?

SLIDE 43

UUF-NMA security experiment

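Challenger $C_{\text{UUF-NMA}}$ and adversary A:

  • C runs $(pk, sk) \leftarrow \mathsf{Gen}(1^k)$, draws $m^* \leftarrow \{0, 1\}^{p(k)}$ and sends $(pk, m^*)$ to A
  • A outputs $\sigma^*$; C checks $\mathsf{Vfy}(pk, m^*, \sigma^*) = 1$?

A wins iff $\mathsf{Vfy}(pk, m^*, \sigma^*) = 1$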

SLIDE 45

EUF-CMA ⇒ UUF-NMA

  • Def. 4 (UUF-NMA):

A digital signature scheme Σ = (Gen, Sign, Vfy) is UUF-NMA secure iff for all PPT A, $\Pr[\mathcal{A}^{C_{\text{UUF-NMA}}}(pk, m^*) = \sigma^* : \mathsf{Vfy}(pk, m^*, \sigma^*) = 1]$ is negligible.

Theorem: Let Σ = (Gen, Sign, Vfy) be a digital signature scheme. If Σ is EUF-CMA secure, then Σ is also UUF-NMA secure.

SLIDE 48

Proof: EUF-CMA ⇒ UUF-NMA (1)

Proof outline

  • Proofs (almost) always by reduction
  • Way to view reductions: proof by contradiction
  • Assume Σ is EUF-CMA secure, but not UUF-NMA secure.
  • Then: ∃ PPT adversary $\mathcal{A}_{\text{UUF-NMA}}$ with non-negligible $\Pr[\mathcal{A}_{\text{UUF-NMA}}^{C_{\text{UUF-NMA}}}(pk, m^*) = \sigma^* : \mathsf{Vfy}(pk, m^*, \sigma^*) = 1]$

SLIDE 50

Proof: EUF-CMA ⇒ UUF-NMA (2)

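  • Idea: use $\mathcal{A}_{\text{UUF-NMA}}$ to build a successful adversary $\mathcal{A}_{\text{EUF-CMA}}$ on the EUF-CMA security of Σ
  • $\mathcal{A}_{\text{EUF-CMA}}$ usually uses $\mathcal{A}_{\text{UUF-NMA}}$ as subroutine
  • Existence of (successful) $\mathcal{A}_{\text{EUF-CMA}}$ contradicts assumed EUF-CMA security . . .
  • . . . hence such an $\mathcal{A}_{\text{UUF-NMA}}$ cannot exist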

SLIDE 51

Proof: EUF-CMA ⇒ UUF-NMA (3)

Proof: whiteboard

SLIDE 52

Proof: EUF-CMA ⇒ UUF-NMA (4)

Remark:

  • $\mathcal{A}_{\text{EUF-CMA}}$ makes no signature queries . . .
  • . . . hence we have actually shown EUF-NMA ⇒ UUF-NMA
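
The EUF-CMA and UUF-NMA experiments and the reduction outlined above, written as code. This is an added example, not part of the original slides; it assumes the standard reduction in which A_EUF-CMA draws m* itself and forwards the output of A_UUF-NMA. The toy scheme is constructed and deliberately broken so that a winning A_UUF-NMA exists, and all function names are assumptions.

```python
import hashlib
import secrets

# Constructed toy scheme, deliberately broken: a signature is H(pk || m), so
# it depends only on public data. It exists here so that a winning UUF-NMA
# adversary can be written down; it is not a real signature scheme.
def gen(k=128):
    sk = secrets.token_bytes(k // 8)
    return hashlib.sha256(sk).digest(), sk          # (pk, sk)

def sign(sk, m):
    return hashlib.sha256(hashlib.sha256(sk).digest() + m).digest()

def vfy(pk, m, sig):
    return int(secrets.compare_digest(hashlib.sha256(pk + m).digest(), sig))

def euf_cma_experiment(adversary):
    """Challenger C_EUF-CMA. Returns (A wins?, number of signing queries)."""
    pk, sk = gen()
    queried = []                                    # m_1, ..., m_q

    def sign_oracle(m):                             # adaptive query m_i -> sigma_i
        queried.append(m)
        return sign(sk, m)

    m_star, sig_star = adversary(pk, sign_oracle)
    wins = vfy(pk, m_star, sig_star) == 1 and m_star not in queried
    return wins, len(queried)

def uuf_nma_experiment(adversary, p_bytes=32):
    """Challenger C_UUF-NMA: m* is drawn by the challenger, no signing oracle."""
    pk, _sk = gen()
    m_star = secrets.token_bytes(p_bytes)
    return vfy(pk, m_star, adversary(pk, m_star)) == 1

def a_uuf_nma(pk, m_star):
    """UUF-NMA adversary that wins against the toy scheme with probability 1."""
    return hashlib.sha256(pk + m_star).digest()

def reduction(a_uuf, p_bytes=32):
    """Build A_EUF-CMA from A_UUF-NMA: draw m* itself, never query the oracle."""
    def a_euf_cma(pk, sign_oracle):
        m_star = secrets.token_bytes(p_bytes)
        return m_star, a_uuf(pk, m_star)
    return a_euf_cma

def replay_adversary(pk, sign_oracle):
    """Outputs a queried pair: the signature verifies, but m* is not fresh."""
    return b"hello", sign_oracle(b"hello")
```

The wrapped adversary wins exactly when A_UUF-NMA does and records zero signing queries, which is why the same argument already gives EUF-NMA ⇒ UUF-NMA.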

SLIDE 53

UUF-NMA: useful?

Question: how useful is UUF-NMA security?

Answer: later

SLIDE 57

EUF-naCMA security experiment

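Challenger $C_{\text{EUF-naCMA}}$ and adversary A:

  • A sends $m_1, \dots, m_q$ to C
      – $q = q(k)$ messages
      – $q$ polynomial
  • C runs $(pk, sk) \leftarrow \mathsf{Gen}(1^k)$, computes $\forall i : \sigma_i \leftarrow \mathsf{Sign}(sk, m_i)$ and sends $pk, \sigma_1, \dots, \sigma_q$ to A
  • A outputs $(m^*, \sigma^*)$; C checks $\mathsf{Vfy}(pk, m^*, \sigma^*) = 1$? $\wedge$ $m^* \notin \{m_1, \dots, m_q\}$?

A wins iff $\mathsf{Vfy}(pk, m^*, \sigma^*) = 1$ and $m^* \notin \{m_1, \dots, m_q\}$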

Def.: Like Def. 2 (with EUF-naCMA experiment)

SLIDE 58

Relations among security definitions

  • UUF-NMA < UUF-naCMA < UUF-CMA
  • EUF-NMA < EUF-naCMA < EUF-CMA
  • UUF-NMA < EUF-NMA, UUF-naCMA < EUF-naCMA, UUF-CMA < EUF-CMA

Generally:

  • UUF < EUF
  • NMA < naCMA < CMA

Proof by counterexample schemes (e.g., assume EUF-naCMA secure scheme, modify it such that it is still EUF-naCMA but not EUF-CMA secure)
