

  1. Digital Signatures
     Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung)
     Digital Signatures, 2020-04-07

  2. Outline
     • Chameleon Signatures
     • CH functions are one-time signatures
     • sEUF-CMA from chameleon hashing

  5. Chameleon signatures: motivation (recap)
     [Figure: Dealer 1, Customer, Dealer 2. Message labels: "Offer?" and "100$, $\sigma_1$" between Dealer 1 and Customer; "100$, $\sigma_1$" and "99$, $\sigma_2$" between Customer and Dealer 2.]

  6. Chameleon signatures: goal (recap)
     Question: can we construct a signature scheme such that ...
     • ... $C$ can verify the authenticity of the offer from $D_1$, but
     • ... $C$ cannot convince $D_2$ that the offer came from $D_1$?

  7. Chameleon hash functions (Definition, recap)
     A chameleon hash function CH consists of two PPT algorithms $(\mathsf{Gen}_{CH}, \mathsf{TrapColl}_{CH})$:
     • $\mathsf{Gen}_{CH}(1^k)$ outputs $ch : M \times R \to N$ and a trapdoor $\tau$
     • $\mathsf{TrapColl}_{CH}(\tau, m, r, m')$, for $(m, r, m') \in M \times R \times M$, computes $r' \in R$ with $ch(m, r) = ch(m', r')$
     CH is collision-resistant iff for all PPT $A$,
     $$\Pr\left[\, (ch, \tau) \leftarrow \mathsf{Gen}_{CH}(1^k),\ A(1^k, ch) = (m, r, m', r') \;:\; ch(m, r) = ch(m', r') \,\wedge\, (m, r) \neq (m', r') \,\right]$$
     is negligible in $k$.

  9. Chameleon signatures
     • Given: $CH = (\mathsf{Gen}_{CH}, \mathsf{TrapColl}_{CH})$, $ch : M \times R \to N$
     • Given: signature scheme $\Sigma' = (\mathsf{Gen}', \mathsf{Sign}', \mathsf{Vfy}')$
     Construct chameleon signature $\Sigma = (\mathsf{Gen}, \mathsf{Sign}, \mathsf{Vfy})$
     $\mathsf{Gen}(1^k)$:
     • $(pk', sk') \leftarrow \mathsf{Gen}'(1^k)$
     • $pk := pk'$, $sk := sk'$

  11. Chameleon signatures
     $\mathsf{Sign}(sk, m, ch)$: ($ch$ is the CH function of the receiver)
     • $r \leftarrow R$, $ch(m, r) =: y$
     • $\sigma' := \mathsf{Sign}'(sk, y)$
     • $\sigma := (\sigma', r)$
     $\mathsf{Vfy}(pk, m, \sigma, ch)$:
     • $\mathsf{Vfy}'(pk, ch(m, r), \sigma') \stackrel{?}{=} 1$

  17. EUF-CMA for chameleon signatures
     Game between challenger $C_{\text{EUF-CMA}}$ and adversary $A$:
     • $C$: $(pk, sk) \leftarrow \mathsf{Gen}(1^k)$, $(ch, \tau) \leftarrow \mathsf{Gen}_{CH}(1^k)$
     • $C \to A$: $pk, ch$
     • $q$ adaptive queries: $A \to C$: $m_i$; $C \to A$: $\sigma_i \leftarrow \mathsf{Sign}(sk, m_i, ch)$
     • $A \to C$: $m^*, \sigma^*$
     • $C$ checks: $\mathsf{Vfy}(pk, m^*, \sigma^*, ch) = 1$? $\wedge$ $m^* \notin \{m_1, \ldots, m_q\}$?
     $A$ wins iff $\mathsf{Vfy}(pk, m^*, \sigma^*, ch) = 1$ and $m^* \notin \{m_1, \ldots, m_q\}$
     Question: is this notion “strong enough”?

  19. Chameleon signatures: security (not in notes)
     Question: is this notion “strong enough”?
     Answer: no!
     • Not realistic: adversary has “no control” over CH function in signing queries (recall: CH function of receiver should be used)
     • Such control could help forging signatures
     • Realistic adversary might choose/use own CH function

  21. Attack in case of DLog-based CH (not in notes)
     Suppose $A$ can choose the CH function for signature queries:
     • DLog-based CH used ($ch(m, r) = g^m \cdot h^r$)
     • $A$ receives $ch = (g, h)$ from the challenger
     • $A$ chooses $ch_A := (g^a, h)$ ($a \neq 1$ chosen by $A$)
       – Valid CH function ($A$ need not prove knowledge of a trapdoor)!
     • $A$ queries a signature of $m$ under $ch_A$ and obtains $\sigma = (\sigma', r)$.

  22. Attack in case of DLog-based CH (not in notes)
     • Then:
       $$\begin{aligned} 1 &= \mathsf{Vfy}(pk, m, \sigma = (\sigma', r), ch_A) \\ &= \mathsf{Vfy}'(pk, ch_A(m, r), \sigma') \\ &= \mathsf{Vfy}'(pk, ch(a \cdot m, r), \sigma') \\ &= \mathsf{Vfy}(pk, a \cdot m, \sigma, ch) \end{aligned}$$
     • Since $a \neq 1$, we have $m \neq a \cdot m$
     • Hence, $(a \cdot m, \sigma)$ is a valid forgery under $ch$
     Note: similar attack possible with RSA-based CH function

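  23. EUF-CMA for chameleon sigs (not in notes)
     EUF-CMA variant 1, between challenger $C_{\text{EUF-CMA}}$ and adversary $A$:
     • $C$: $(pk, sk) \leftarrow \mathsf{Gen}(1^k)$, $(ch, \tau) \leftarrow \mathsf{Gen}_{CH}(1^k)$
     • $C \to A$: $pk, ch$
     • $q$ adaptive queries: $A \to C$: $m_i$; $C \to A$: $\sigma_i \leftarrow \mathsf{Sign}(sk, m_i, ch)$
     • $A \to C$: $m^*, \sigma^*$
     • $C$ checks: $\mathsf{Vfy}(pk, m^*, \sigma^*, ch) = 1$? $\wedge$ $m^* \notin \{m_1, \ldots, m_q\}$?
     $A$ wins iff $\mathsf{Vfy}(pk, m^*, \sigma^*, ch) = 1$ and $m^* \notin \{m_1, \ldots, m_q\}$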

  24. EUF-CMA for chameleon sigs (not in notes)
     EUF-CMA variant 2, between challenger $C_{\text{EUF-CMA}}$ and adversary $A$:
     • $C$: $(pk, sk) \leftarrow \mathsf{Gen}(1^k)$, $(ch, \tau) \leftarrow \mathsf{Gen}_{CH}(1^k)$
     • $C \to A$: $pk, ch$
     • $q$ adaptive queries: $A \to C$: $m_i, ch_i$; $C \to A$: $\sigma_i \leftarrow \mathsf{Sign}(sk, m_i, ch_i)$
     • $A \to C$: $m^*, \sigma^*$
     • $C$ checks: $\mathsf{Vfy}(pk, m^*, \sigma^*, ch) = 1$? $\wedge$ $m^* \notin \{m_1, \ldots, m_q\}$?
     $A$ wins iff $\mathsf{Vfy}(pk, m^*, \sigma^*, ch) = 1$ and $m^* \notin \{m_1, \ldots, m_q\}$

  25. EUF-CMA
     • In the following: only variant 1
     • Variant 2 also achievable, but a little more difficult (need to make signatures depend on used CH)
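
The DLog-based identity $ch_A(m, r) = ch(a \cdot m, r)$ from slides 20 to 22, and the remark that signatures must depend on the CH used, worked through as an added example (not part of the original slides). Assumptions: the toy group parameters are constructed and far too small for real use, HMAC stands in for $\Sigma'$ because only "same $y$, same $\sigma'$" matters here, and the `bind` option is one hypothetical way to make the signed value depend on the CH description.

```python
import hashlib, hmac, secrets

# Toy group (constructed): order-Q subgroup of Z_P^*, P = 2Q + 1.
P, Q, G = 2039, 1019, 4

def ch(params, m, r):
    """DLog-based chameleon hash ch(m, r) = g^m * h^r mod P."""
    g, h = params
    return pow(g, m % Q, P) * pow(h, r % Q, P) % P

# Stand-in for the underlying scheme Sigma' (assumption, see lead-in).
def sign_prime(sk, data):
    return hmac.new(sk, data, hashlib.sha256).digest()

def vfy_prime(sk, data, sig):
    return hmac.compare_digest(sign_prime(sk, data), sig)

def encode(params, y, bind):
    # bind=False: sign y alone, as in the construction on the slides.
    # bind=True: also sign the description of ch (hypothetical fix).
    return repr((params, y) if bind else y).encode()

def sign(sk, m, params, bind=False):
    r = secrets.randbelow(Q)
    return sign_prime(sk, encode(params, ch(params, m, r), bind)), r

def vfy(sk, m, sig, params, bind=False):
    s, r = sig
    return vfy_prime(sk, encode(params, ch(params, m, r), bind), s)

def transfer_demo(bind):
    """True if a signature on m under ch_A also verifies for a*m under ch."""
    sk = secrets.token_bytes(32)
    x = 1 + secrets.randbelow(Q - 1)      # receiver's trapdoor
    honest = (G, pow(G, x, P))            # ch = (g, h)
    a, m = 7, 42                          # a != 1, chosen by the requester
    chosen = (pow(G, a, P), honest[1])    # ch_A = (g^a, h)
    sig = sign(sk, m, chosen, bind)       # signing query for m under ch_A
    assert vfy(sk, m, sig, chosen, bind)  # valid for (m, ch_A) either way
    return vfy(sk, a * m % Q, sig, honest, bind)
```

With `bind=False` the signature carries over to $a \cdot m$ under the honest $ch$; with `bind=True` the signed value differs between $ch_A$ and $ch$, so it does not.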

  26. Chameleon signatures: security
     Theorem 45: For every PPT adversary $A(pk, ch)$ that breaks the EUF-CMA security of $\Sigma$ in time $t_A$ with success $\epsilon_A$, there is a PPT adversary $B$ that runs in time $t_B \approx t_A$ and ...
     • breaks the collision resistance of $ch$ with success $\epsilon_{ch} \geq \frac{\epsilon_A}{2}$,
     • or breaks the EUF-naCMA security of $\Sigma'$ with probability $\epsilon' \geq \frac{\epsilon_A}{2}$.

  29. Chameleon signatures: proof
     EUF-CMA: Let $m_1, \ldots, m_q$ be $A$'s queries, $\sigma_i = (\sigma'_i, r_i)$ the replies, and $(m^*, \sigma^* = (\sigma'^*, r^*))$ $A$'s forgery
     Two events:
     • $E_0$: There is an $i$ with $ch(m_i, r_i) = ch(m^*, r^*)$.
     • $E_1$: For all $i \in \{1, \ldots, q\}$, we have $ch(m_i, r_i) \neq ch(m^*, r^*)$.
     Successful $A$ causes $E_0$ or $E_1$, hence
     $$\epsilon_A \leq \Pr[E_0] + \Pr[E_1] \;\Rightarrow\; \Pr[E_0] \geq \epsilon_A / 2 \ \text{ or } \ \Pr[E_1] \geq \epsilon_A / 2$$

  30. Chameleon signatures: proof
     • $E_0$: reduction to collision-resistance of CH
       – As usual, no surprises
     • $E_1$: reduction to EUF-naCMA security of $\Sigma'$
       – Also straightforward, details on next slide

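  31. Proof strategy to bound $\Pr[E_1]$
     • Overview (parties: challenger $C_{\Sigma'}$, reduction $B$, adversary $A$):
       – $B \to C_{\Sigma'}$: $m'_1, \ldots, m'_q$
       – $C_{\Sigma'} \to B$: $pk'$
       – $B$: generate $(ch, \tau)$
       – $B \to A$: $(pk := pk', ch)$
       – $A \to B$: $m_i$
       – $B$: generate signature $\sigma_i$ for $m_i$ (choose $r_i$, generate $\Sigma'$-signature for $ch(m_i, r_i)$)
       – $B \to A$: $\sigma_i$
       – $A \to B$: $(m^*, \sigma^*)$
       – $B$: extract $\Sigma'$-forgery $(m'^*, \sigma'^*)$
       – $B \to C_{\Sigma'}$: $(m'^*, \sigma'^*)$
     • Need to fill in details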

  33. Proof strategy to bound $\Pr[E_1]$
     • How to sign $m_i$ for $A$
       – Need to choose $r_i$, then $\Sigma'$-sign $ch(m_i, r_i)$
       – Problem: no $\Sigma'$-signing oracle ($m'_i$ chosen in advance)
       – Solution: use $\tau$ to generate $r_i$ with $ch(m_i, r_i) = m'_i$
       – This requires setting up $m'_i := ch(M_i, R_i)$ for arbitrary $M_i$ and random $R_i$ in advance
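
The simulation step described on the last slide, as an added example that is not part of the original slides: $B$ fixes $m'_i := ch(M_i, R_i)$ before seeing any query, then uses the trapdoor to open slot $i$ to whatever $m_i$ the adversary asks for. Assumptions: the DLog-based CH $ch(m, r) = g^m \cdot h^r$ with trapdoor $\tau = x$ where $h = g^x$, a constructed toy group far too small for real use, and hypothetical function names.

```python
import secrets

# Toy group (constructed): order-Q subgroup of Z_P^*, P = 2Q + 1.
P, Q, G = 2039, 1019, 4

def gen_ch():
    """Gen_CH: returns ch = (g, h) with h = g^x and trapdoor tau = x."""
    x = 1 + secrets.randbelow(Q - 1)
    return (G, pow(G, x, P)), x

def ch(params, m, r):
    g, h = params
    return pow(g, m % Q, P) * pow(h, r % Q, P) % P

def trap_coll(tau, m, r, m_new):
    """TrapColl_CH: solve m + x*r = m' + x*r' (mod Q) for r'."""
    return (r + (m - m_new) * pow(tau, -1, Q)) % Q

def precommit(params, q):
    """B fixes m'_i := ch(M_i, R_i) before any query (non-adaptive)."""
    slots = [(secrets.randbelow(Q), secrets.randbelow(Q)) for _ in range(q)]
    return slots, [ch(params, M, R) for M, R in slots]

def answer_query(tau, slot, m_i):
    """On A's adaptive query m_i, find r_i with ch(m_i, r_i) = m'_i."""
    M, R = slot
    return trap_coll(tau, M, R, m_i)

def simulate(queries):
    """True if every reply r_i hashes m_i to the pre-committed m'_i."""
    params, tau = gen_ch()
    slots, committed = precommit(params, len(queries))
    rs = [answer_query(tau, s, m) for s, m in zip(slots, queries)]
    return all(ch(params, m, r) == y
               for m, r, y in zip(queries, rs, committed))
```

Because each $m'_i$ is already known when $B$ talks to the $\Sigma'$ challenger, the $\Sigma'$-signature on $m'_i$ can be paired with $r_i$ to answer the query for $m_i$.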
