Digital Signatures, Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung)



SLIDE 1

Digital Signatures

Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung)

Digital Signatures 2020-04-07 1

SLIDE 2

Outline

  • Chameleon Signatures
  • CH functions are one-time signatures
  • sEUF-CMA from chameleon hashing

SLIDE 5

Chameleon signatures: motivation (recap)

[Figure: Customer, Dealer 1 and Dealer 2 exchanging the messages "Offer?", "100$, σ1", "100$, σ1" and "99$, σ2"]

SLIDE 6

Chameleon signatures: goal (recap)

Question: can we construct a signature scheme, such that...

  • ... C can verify the authenticity of the offer from D1, but
  • ... C cannot convince D2 that the offer came from D1?

SLIDE 7

Chameleon hash functions (Definition, recap)

A chameleon hash function CH consists of two PPT algorithms $(\mathrm{Gen}_{\mathrm{CH}}, \mathrm{TrapColl}_{\mathrm{CH}})$:

  • $\mathrm{Gen}_{\mathrm{CH}}(1^k)$ outputs $ch : M \times R \to N$ and a trapdoor $\tau$
  • $\mathrm{TrapColl}_{\mathrm{CH}}(\tau, m, r, m')$, for $(m, r, m') \in M \times R \times M$, computes $r' \in R$ with $ch(m, r) = ch(m', r')$

CH is collision-resistant iff for all PPT $A$,

$$\Pr\left[\begin{array}{l}(ch, \tau) \leftarrow \mathrm{Gen}_{\mathrm{CH}}(1^k) \\ A(1^k, ch) = (m, r, m', r')\end{array} : ch(m, r) = ch(m', r') \wedge (m, r) \neq (m', r')\right]$$

is negligible in $k$.

SLIDE 9

Chameleon signatures

  • Given: $\mathrm{CH} = (\mathrm{Gen}_{\mathrm{CH}}, \mathrm{TrapColl}_{\mathrm{CH}})$, $ch : M \times R \to N$
  • Given: signature scheme $\Sigma' = (\mathrm{Gen}', \mathrm{Sign}', \mathrm{Vfy}')$

Construct chameleon signature $\Sigma = (\mathrm{Gen}, \mathrm{Sign}, \mathrm{Vfy})$

$\mathrm{Gen}(1^k)$:

  • $(pk', sk') \leftarrow \mathrm{Gen}'(1^k)$
  • $pk := pk'$, $sk := sk'$

SLIDE 11

Chameleon signatures

$\mathrm{Sign}(sk, m, ch)$: ($ch$ is CH function of receiver)

  • $r \leftarrow R$, $ch(m, r) =: y$
  • $\sigma' := \mathrm{Sign}'(sk, y)$
  • $\sigma := (\sigma', r)$

$\mathrm{Vfy}(pk, m, \sigma, ch)$:

  • $\mathrm{Vfy}'(pk, ch(m, r), \sigma') \stackrel{?}{=} 1$

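SLIDE 17

EUF-CMA for chameleon signatures

Experiment between challenger $C_{\text{EUF-CMA}}$ and adversary $A$:

  • $C_{\text{EUF-CMA}}$: $(pk, sk) \leftarrow \mathrm{Gen}(1^k)$, $(ch, \tau) \leftarrow \mathrm{Gen}_{\mathrm{CH}}(1^k)$
  • $C_{\text{EUF-CMA}} \to A$: $pk, ch$
  • $q$ adaptive queries: $A \to C_{\text{EUF-CMA}}$: $m_i$; $C_{\text{EUF-CMA}}$ computes $\sigma_i \leftarrow \mathrm{Sign}(sk, m_i, ch)$; $C_{\text{EUF-CMA}} \to A$: $\sigma_i$
  • $A \to C_{\text{EUF-CMA}}$: $m^*, \sigma^*$
  • $C_{\text{EUF-CMA}}$ checks: $\mathrm{Vfy}(pk, m^*, \sigma^*, ch) = 1 \wedge m^* \notin \{m_1, \ldots, m_q\}$?

$A$ wins iff $\mathrm{Vfy}(pk, m^*, \sigma^*, ch) = 1$ and $m^* \notin \{m_1, \ldots, m_q\}$

Question: is this notion “strong enough”?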

SLIDE 19

Chameleon signatures: security (not in notes)

Question: is this notion “strong enough”? Answer: no!

  • Not realistic: adversary has “no control” over CH function in signing queries (recall: CH function of receiver should be used)
  • Such control could help forging signatures
  • Realistic adversary might choose/use own CH function

SLIDE 21

Attack in case of DLog-based CH (not in notes)

Suppose $A$ can choose CH function for signature queries:

  • DLog-based CH used ($ch(m, r) = g^m \cdot h^r$)
  • $A$ receives $ch = (g, h)$ from challenger
  • $A$ chooses $ch_A := (g^a, h)$ ($a \neq 1$ chosen by $A$)
    – Valid CH function ($A$ need not prove knowledge of trapdoor)!
  • $A$ queries signature of $m$ under $ch_A$ and obtains $\sigma = (\sigma', r)$.

SLIDE 22

Attack in case of DLog-based CH (not in notes)

  • Then:

$$1 = \mathrm{Vfy}(pk, m, \sigma = (\sigma', r), ch_A) = \mathrm{Vfy}'(pk, ch_A(m, r), \sigma') = \mathrm{Vfy}'(pk, ch(a \cdot m, r), \sigma') = \mathrm{Vfy}(pk, a \cdot m, \sigma, ch)$$

  • Since $a \neq 1$, we have $m \neq a \cdot m$
  • Hence, $(a \cdot m, \sigma)$ is a valid forgery under $ch$

Note: similar attack possible with RSA-based CH function
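The malleability behind this attack, next to the remedy the slides hint at for variant 2 (making signatures depend on the CH function used), as an added Python example that is not part of the original slides. The group parameters, the exponent 77 and the SHA-256 binding in `signed_value_bound` are constructed assumptions; because Vfy′ only sees the value that Sign′ was applied to, comparing those values shows whether a signature carries over.

```python
import hashlib

# Constructed toy parameters (far too small for real use): p = 2q + 1,
# g and h lie in the subgroup of prime order q.
P, Q, G = 2039, 1019, 4
H = pow(G, 77, P)  # h = g^x for a constructed trapdoor x = 77 (unused below)

def ch(params, m, r):
    """DLog-based chameleon hash ch(m, r) = g^m * h^r mod p."""
    g, h = params
    return pow(g, m, P) * pow(h, r, P) % P

def signed_value_plain(params, m, r):
    """Value given to Sign' in the construction on the slides: y = ch(m, r)."""
    return ch(params, m, r)

def signed_value_bound(params, m, r):
    """Assumed hardening: Sign' is applied to a digest of (g, h, y),
    so the signature depends on which CH function was used."""
    g, h = params
    y = ch(params, m, r)
    return hashlib.sha256(f"{g}|{h}|{y}".encode()).hexdigest()

def transfers(signed_value, a, m, r):
    """True if the value signed for m under ch_A = (g^a, h) equals the value
    checked for a*m under the honest ch = (g, h), i.e. the signature carries over."""
    ch_honest = (G, H)
    ch_a = (pow(G, a, P), H)
    return signed_value(ch_a, m, r) == signed_value(ch_honest, a * m % Q, r)

if __name__ == "__main__":
    print("plain construction :", transfers(signed_value_plain, 5, 123, 456))
    print("CH-bound signature :", transfers(signed_value_bound, 5, 123, 456))
```

The second result only shows that this particular malleability disappears once the CH description is signed along with $y$; it is not a proof of security under variant 2.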

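SLIDE 23

EUF-CMA for chameleon sigs (not in notes)

EUF-CMA variant 1

  • $C_{\text{EUF-CMA}}$: $(pk, sk) \leftarrow \mathrm{Gen}(1^k)$, $(ch, \tau) \leftarrow \mathrm{Gen}_{\mathrm{CH}}(1^k)$
  • $C_{\text{EUF-CMA}} \to A$: $pk, ch$
  • $q$ adaptive queries: $A \to C_{\text{EUF-CMA}}$: $m_i$; $C_{\text{EUF-CMA}}$ computes $\sigma_i \leftarrow \mathrm{Sign}(sk, m_i, ch)$; $C_{\text{EUF-CMA}} \to A$: $\sigma_i$
  • $A \to C_{\text{EUF-CMA}}$: $m^*, \sigma^*$
  • $C_{\text{EUF-CMA}}$ checks: $\mathrm{Vfy}(pk, m^*, \sigma^*, ch) = 1 \wedge m^* \notin \{m_1, \ldots, m_q\}$?

$A$ wins iff $\mathrm{Vfy}(pk, m^*, \sigma^*, ch) = 1$ and $m^* \notin \{m_1, \ldots, m_q\}$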

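SLIDE 24

EUF-CMA for chameleon sigs (not in notes)

EUF-CMA variant 2

  • $C_{\text{EUF-CMA}}$: $(pk, sk) \leftarrow \mathrm{Gen}(1^k)$, $(ch, \tau) \leftarrow \mathrm{Gen}_{\mathrm{CH}}(1^k)$
  • $C_{\text{EUF-CMA}} \to A$: $pk, ch$
  • $q$ adaptive queries: $A \to C_{\text{EUF-CMA}}$: $m_i, ch_i$; $C_{\text{EUF-CMA}}$ computes $\sigma_i \leftarrow \mathrm{Sign}(sk, m_i, ch_i)$; $C_{\text{EUF-CMA}} \to A$: $\sigma_i$
  • $A \to C_{\text{EUF-CMA}}$: $m^*, \sigma^*$
  • $C_{\text{EUF-CMA}}$ checks: $\mathrm{Vfy}(pk, m^*, \sigma^*, ch) = 1 \wedge m^* \notin \{m_1, \ldots, m_q\}$?

$A$ wins iff $\mathrm{Vfy}(pk, m^*, \sigma^*, ch) = 1$ and $m^* \notin \{m_1, \ldots, m_q\}$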

SLIDE 25

EUF-CMA

  • In the following: only variant 1
  • Variant 2 also achievable, but a little more difficult (need to make signatures depend on used CH)

SLIDE 26

Chameleon signatures: security

Theorem 45: For every PPT adversary $A(pk, ch)$ that breaks the EUF-CMA security of $\Sigma$ in time $t_A$ with success $\epsilon_A$, there is a PPT adversary $B$ that runs in time $t_B \approx t_A$ and...

  • breaks the collision resistance of $ch$ with success $\epsilon_{ch} \geq \epsilon_A / 2$,
  • or breaks the EUF-naCMA security of $\Sigma'$ with probability $\epsilon' \geq \epsilon_A / 2$.

SLIDE 29

Chameleon signatures: proof

EUF-CMA: Let $m_1, \ldots, m_q$ be $A$’s queries, $\sigma_i = (\sigma'_i, r_i)$ the replies, and $(m^*, \sigma^* = (\sigma'^*, r^*))$ $A$’s forgery

Two events:

  • $E_0$: There is an $i$ with $ch(m_i, r_i) = ch(m^*, r^*)$.
  • $E_1$: For all $i \in \{1, \ldots, q\}$, we have $ch(m_i, r_i) \neq ch(m^*, r^*)$.

Successful $A$ causes $E_0$ or $E_1$, hence

$$\epsilon_A \leq \Pr[E_0] + \Pr[E_1] \;\Rightarrow\; \Pr[E_0] \geq \epsilon_A / 2 \text{ or } \Pr[E_1] \geq \epsilon_A / 2$$

SLIDE 30

Chameleon signatures: proof

  • $E_0$: reduction to collision-resistance of CH
    – As usual, no surprises
  • $E_1$: reduction to EUF-naCMA security of $\Sigma'$
    – Also straightforward, details on next slide

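SLIDE 31

Proof strategy to bound $\Pr[E_1]$

  • Overview (challenger $C_{\Sigma'}$, reduction $B$, adversary $A$):
    – $B \to C_{\Sigma'}$: $m'_1, \ldots, m'_q$
    – $C_{\Sigma'} \to B$: $pk'$
    – $B$: generate $(ch, \tau)$
    – $B \to A$: $(pk := pk', ch)$
    – $A \to B$: $m_i$
    – $B$: generate signature $\sigma_i$ for $m_i$ (choose $r_i$, generate $\Sigma'$-signature for $ch(m_i, r_i)$)
    – $B \to A$: $\sigma_i$
    – $A \to B$: $(m^*, \sigma^*)$
    – $B$: extract $\Sigma'$-forgery $(m'^*, \sigma'^*)$
    – $B \to C_{\Sigma'}$: $(m'^*, \sigma'^*)$
  • Need to fill in details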

SLIDE 34

Proof strategy to bound $\Pr[E_1]$

  • How to sign $m_i$ for $A$
    – Need to choose $r_i$, then $\Sigma'$-sign $ch(m_i, r_i)$
    – Problem: no $\Sigma'$-signing oracle ($m'_i$ chosen in advance)
    – Solution: use $\tau$ to generate $r_i$ with $ch(m_i, r_i) = m'_i$
    – This requires setting up $m'_i := ch(M_i, R_i)$ for arbitrary $M_i$ and random $R_i$ in advance
  • How to extract a $\Sigma'$-forgery from $(m^*, \sigma^*)$
    – $\sigma^* = (r^*, \sigma'^*)$ with $\sigma'^*$ a valid signature for $m'^* = ch(m^*, r^*)$
    – $E_1$ implies that $m'^* \neq m'_i$ for all $i$
    – Hence, $(m'^*, \sigma'^*)$ is a valid $\Sigma'$-forgery

SLIDE 35

CH functions are one-time signatures

  • Previously: constructions of CH functions similar to OTSs
  • Now: transformation CH function → OTS scheme

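SLIDE 36

Transformation CH → OTS

  • Given: $\mathrm{CH} = (\mathrm{Gen}_{\mathrm{CH}}, \mathrm{TrapColl}_{\mathrm{CH}})$
  • Construct $\Sigma = (\mathrm{Gen}, \mathrm{Sign}, \mathrm{Vfy})$ as follows:

$\mathrm{Gen}(1^k)$:

  • $(ch, \tau) \leftarrow \mathrm{Gen}_{\mathrm{CH}}(1^k)$
  • $(\tilde{m}, \tilde{r}) \leftarrow M \times R$
  • $c := ch(\tilde{m}, \tilde{r})$
  • $pk := (ch, c)$, $sk := (\tau, \tilde{m}, \tilde{r})$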

SLIDE 37

Transformation CH → OTS

$pk := (ch, c)$, $sk := (\tau, \tilde{m}, \tilde{r})$

$\mathrm{Sign}(sk, m)$:

  • $r := \mathrm{TrapColl}_{\mathrm{CH}}(\tau, \tilde{m}, \tilde{r}, m)$
  • $\sigma := r$

$\mathrm{Vfy}(pk, m, \sigma)$:

  • $c \stackrel{?}{=} ch(m, \sigma)$

SLIDE 39

Transformation: security

Theorem 47: $\Sigma$ is EUF-1-naCMA secure if CH is collision-resistant. (without proof)

Note: applying this transformation to our DLog-/RSA-based CHs, we obtain the DLog-/RSA-based one-time signatures from earlier
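A runnable instance of this transformation for the DLog-based CH $ch(m, r) = g^m \cdot h^r$, as an added Python example that is not part of the original slides. The toy group parameters are constructed and far too small for real use; the trapdoor is assumed to be $x = \log_g h$, and `trap_coll` solves $m + x r = m' + x r'$ modulo the group order.

```python
import secrets

# Constructed toy group (insecure size): p = 2q + 1, g has prime order q.
P, Q, G = 2039, 1019, 4

def ch(h, m, r):
    """DLog-based chameleon hash ch(m, r) = g^m * h^r mod p."""
    return pow(G, m, P) * pow(h, r, P) % P

def trap_coll(x, m, r, m_new):
    """TrapColl: return r' with ch(m, r) = ch(m_new, r'), using trapdoor x."""
    return (r + (m - m_new) * pow(x, -1, Q)) % Q

def gen():
    """Gen: sample the CH function, a dummy pair, and publish its hash c."""
    x = secrets.randbelow(Q - 1) + 1        # trapdoor tau = x, nonzero mod q
    h = pow(G, x, P)
    m0, r0 = secrets.randbelow(Q), secrets.randbelow(Q)   # dummy message, randomness
    c = ch(h, m0, r0)
    return (h, c), (x, m0, r0)              # pk = (ch, c), sk = (tau, dummy pair)

def sign(sk, m):
    """Sign: the signature is the randomness that opens c to the message m."""
    x, m0, r0 = sk
    return trap_coll(x, m0, r0, m % Q)

def verify(pk, m, sigma):
    """Vfy: accept iff c = ch(m, sigma)."""
    h, c = pk
    return ch(h, m % Q, sigma) == c

if __name__ == "__main__":
    pk, sk = gen()
    sigma = sign(sk, 321)
    print(verify(pk, 321, sigma), verify(pk, 322, sigma))
```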

SLIDE 40

Socrative

Self-checking with quizzes

  • Use following URL: https://b.socrative.com/login/student
  • . . . and enter room “HOFHEINZ8872”
  • Will also be in chat (so you can click on link)
  • No registration necessary
  • Quiz about chameleon hashing/signatures starts now!

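SLIDE 41

Stronger forms of EUF-CMA

  • $C_{\text{EUF-CMA}}$: $(pk, sk) \leftarrow \mathrm{Gen}(1^k)$
  • $C_{\text{EUF-CMA}} \to A$: $pk$
  • $q$ queries: $A \to C_{\text{EUF-CMA}}$: $m_i$; $C_{\text{EUF-CMA}} \to A$: $\sigma_i$
  • $A \to C_{\text{EUF-CMA}}$: $m^*, \sigma^*$
  • $C_{\text{EUF-CMA}}$ checks: $\mathrm{Ver}(pk, m^*, \sigma^*) = 1 \wedge m^* \notin \{m_1, \ldots, m_q\}$?

$A$ wins iff $\mathrm{Vfy}(pk, m^*, \sigma^*) = 1$ and $m^* \notin \{m_1, \ldots, m_q\}$

Question: what stronger form of security is conceivable?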

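SLIDE 42

Strong EUF-CMA (sEUF-CMA) experiment

  • $C_{\text{sEUF-CMA}}$: $(pk, sk) \leftarrow \mathrm{Gen}(1^k)$
  • $C_{\text{sEUF-CMA}} \to A$: $pk$
  • $q$ queries: $A \to C_{\text{sEUF-CMA}}$: $m_i$; $C_{\text{sEUF-CMA}} \to A$: $\sigma_i$
  • $A \to C_{\text{sEUF-CMA}}$: $m^*, \sigma^*$
  • $C_{\text{sEUF-CMA}}$ checks: $\mathrm{Ver}(pk, m^*, \sigma^*) = 1 \wedge (m^*, \sigma^*) \notin \{(m_1, \sigma_1), \ldots, (m_q, \sigma_q)\}$?

$A$ wins iff $\mathrm{Vfy}(pk, m^*, \sigma^*) = 1$ and $(m^*, \sigma^*) \notin \{(m_1, \sigma_1), \ldots, (m_q, \sigma_q)\}$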

SLIDE 43

Definition: sEUF-CMA

  • Def. 51 (sEUF-CMA): A signature scheme $\Sigma = (\mathrm{Gen}, \mathrm{Sign}, \mathrm{Vfy})$ is sEUF-CMA secure iff for all PPT $A$,

$$\Pr\left[A^{C_{\text{sEUF-CMA}}}(pk) = (m^*, \sigma^*) : \mathrm{Vfy}(pk, m^*, \sigma^*) = 1 \wedge (m^*, \sigma^*) \notin \{(m_1, \sigma_1), \ldots, (m_q, \sigma_q)\}\right]$$

is negligible.

SLIDE 44

sEUF-CMA: applications

  • $A$ can win even if $m^*$ has been signed before...
  • ... as long as $\sigma^*$ is fresh
  • Mainly useful as component of more complex building blocks...
  • ... such as adaptively secure public-key encryption