
Digital Signatures

Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung)

Digital Signatures 2020-05-12 1


Outline

  • Recap: programmable hash functions
  • Waters’ PHF
  • Waters signatures


Programmable hash functions

Motivation:

  • RO proofs use programmability of RO (RSA-FDH, BLS, ...)
  • Problem: ROs do not exist, leads to heuristic arguments
  • Goal: imitate necessary programming operations with standard-model hash function

Closer look:

  • PHF maps bitstrings $m$ to group elements $H(m)$
  • PHF trapdoor gives decomposition $H(m) = h^{a_m} g^{b_m}$
  • Later: $a_m \neq 0 \Leftrightarrow$ reduction can sign $m$
  • Want $a_m \neq 0$ often (sig. queries), $a_m = 0$ sometimes (forgery)


Programmable hash functions

Def.: A group hash function (Gen, Eval) is $(v, w, \gamma)$-programmable (for $v, w \in \mathbb{N}$, $\gamma \in [0, 1]$), if there are two PPT algorithms as follows:

  • TrapGen$(g, h) \to (\kappa, \tau)$: trapdoor key generation
  • TrapEval$(\tau, m) \to (a_m, b_m)$ with $h^{a_m} g^{b_m} = H_\kappa(m)$ (deterministic)

that fulfill the following two requirements:

  • $\kappa$ from Gen statistically close to $\kappa$ from TrapGen
  • TrapEval has $(v, w, \gamma)$-well-distributed outputs (next slide)

A $(v, w, \gamma)$-PHF is a $(v, w, \gamma)$-programmable group hash function.


Programmable hash functions

Well-distributedness condition of TrapEval’s outputs:

  • $(v, w, \gamma)$-well-distributed (for $v, w \in \mathbb{N}$, $\gamma \in [0, 1]$): For all
    – generators $g, h$ of $G$,
    – $m^*_1, \dots, m^*_v \in \{0, 1\}^\ell$,
    – $m_1, \dots, m_w \in \{0, 1\}^\ell$ (s.t. $\forall i, j: m^*_i \neq m_j$)
    – $\kappa$ in the range of TrapGen’s first output

    we have:
    $$\Pr\left[\, a_{m^*_i} = 0 \text{ for } i = 1, \dots, v \;\wedge\; a_{m_j} \neq 0 \text{ for } j = 1, \dots, w \,\right] \geq \gamma,$$
    where Pr is over $\tau$ from $(\kappa, \tau) \leftarrow$ TrapGen$(g, h)$ (cond. on $\kappa$)


Waters’ programmable hash function

Waters’ group hash function (used earlier for different purpose):

  • Gen$(1^k)$: choose $u_0, \dots, u_k \leftarrow G$. $\kappa = (u_0, \dots, u_k)$
  • Eval$(\kappa, m = m^{(1)} \cdots m^{(k)})$: compute
    $$H_\kappa(m) = u_0 \prod_{i=1}^{k} u_i^{m^{(i)}} \qquad (m^{(i)} \in \{0, 1\})$$

Theorem: Let $q = q(k)$ be a polynomial. Then, Waters’ group hash function is $(1, q, \gamma)$-programmable for $\gamma = 1/O(q\sqrt{k})$.


Waters’ programmable hash function

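Proof sketch:

  • TrapGen$(g, h)$: choose $a_i \in \mathbb{Z}_p$ suitably, $b_i \leftarrow \mathbb{Z}_p$. Let $u_i := h^{a_i} g^{b_i}$ for $i \in \{0, \dots, k\}$, $\kappa = (u_0, \dots, u_k)$, $\tau = (a_0, \dots, a_k, b_0, \dots, b_k)$.
  • TrapEval$(\tau, m = m^{(1)} \cdots m^{(k)})$: compute
    $$a_m = a_0 + \sum_{i=1}^{k} m^{(i)} a_i \quad\text{and}\quad b_m = b_0 + \sum_{i=1}^{k} m^{(i)} b_i.$$

Then:
$$h^{a_m} g^{b_m} = h^{a_0} \prod_{i=1}^{k} h^{a_i m^{(i)}} \cdot g^{b_0} \prod_{i=1}^{k} g^{b_i m^{(i)}} = \underbrace{(h^{a_0} g^{b_0})}_{u_0} \cdot \prod_{i=1}^{k} {\underbrace{(h^{a_i} g^{b_i})}_{u_i}}^{m^{(i)}} = H_\kappa(m)$$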


Waters’ programmable hash function

  • Distribution of (real/trapdoor) $\kappa$?
    – Gen$(1^k)$: all $u_i$ uniform over $G$
    – TrapGen$(g, h)$:
      ◮ $b_i$ uniform over $\mathbb{Z}_p$
      ◮ $\Longrightarrow$ $g^{b_i}$ uniform over $G$ ($g$ generator!)
      ◮ $\Longrightarrow$ $u_i = h^{a_i} g^{b_i}$ uniform over $G$
  • $(v, w, \gamma)$-well-distribution:
    – Need to define $a_i$ suitably (next slide)


Waters’ programmable hash function

Closer look at $(v, w, \gamma)$-well-distribution:

  • Recall: $a_m = a_0 + \sum_i m^{(i)} a_i$
  • Idea: set up all $a_i$ as random walks of length $L = \Theta(q^2)$:
    $$a_i = \sum_{j=1}^{L} a_{i,j} \quad\text{for}\quad a_{i,j} \leftarrow \{-1, 0, 1\}$$
  • Random walks: back at origin after $n$ steps with prob. $1/\Theta(\sqrt{n})$
  • Hence: $1/\Theta(q\sqrt{k}) \leq \Pr[a_m = 0] \leq 1/\Theta(q)$ for any $m$
  • In fact: $\Pr[a_m \neq 0 \mid a_{m^*} = 0] \geq 1 - 1/(2q)$ for any $m \neq m^*$ (and for a suitable choice of $L = \Theta(q^2)$)
  • $\Rightarrow$ (by union bound:) $\Pr[\forall i: a_{m_i} \neq 0 \mid a_{m^*} = 0] \geq 1/2$
  • $\Rightarrow$ $\Pr[\forall i: a_{m_i} \neq 0 \wedge a_{m^*} = 0] \geq 1/O(q\sqrt{k})$
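Waters’ group hash function with its trapdoor algorithms, as an added example that is not part of the original slides: it checks the decomposition from the proof sketch for every message and estimates the well-distribution probability by sampling random-walk trapdoors. The toy group (P = 2039, Q = 1019), the generators 4 and 9, and the sizes K = 8, L = 16 are assumptions chosen so the code runs quickly; they give no security.

```python
import random

# Toy group, constructed for illustration and far too small for real use:
# the order-Q subgroup (quadratic residues) of Z_P^*, with P = 2Q + 1.
P, Q = 2039, 1019
G_GEN, H_GEN = 4, 9   # sample generators g, h of the subgroup (assumed values)
K = 8                 # message length k in bits
L = 16                # random-walk length; the slides take L = Theta(q^2)
# |a_m| <= (K + 1) * L = 144 < Q, so a_m = 0 over the integers iff a_m = 0 mod Q.

def bits(j):
    """Message number j as a list of K bits m(1), ..., m(k)."""
    return [(j >> i) & 1 for i in range(K)]

def eval_hash(kappa, m):
    """Eval: H_kappa(m) = u_0 * prod_i u_i^{m(i)}."""
    acc = kappa[0]
    for u_i, bit in zip(kappa[1:], m):
        if bit:
            acc = acc * u_i % P
    return acc

def trap_gen(rng):
    """TrapGen(g, h): a_i = sum of L steps from {-1, 0, 1}, b_i uniform in Z_Q."""
    a = [sum(rng.choice((-1, 0, 1)) for _ in range(L)) for _ in range(K + 1)]
    b = [rng.randrange(Q) for _ in range(K + 1)]
    kappa = [pow(H_GEN, a_i % Q, P) * pow(G_GEN, b_i, P) % P
             for a_i, b_i in zip(a, b)]
    return kappa, (a, b)

def trap_eval(tau, m):
    """TrapEval: a_m = a_0 + sum m(i) a_i (integer), b_m = b_0 + sum m(i) b_i mod Q."""
    a, b = tau
    a_m = a[0] + sum(a_i for a_i, bit in zip(a[1:], m) if bit)
    b_m = (b[0] + sum(b_i for b_i, bit in zip(b[1:], m) if bit)) % Q
    return a_m, b_m

def check_decomposition(seed):
    """True if H_kappa(m) = h^{a_m} g^{b_m} holds for every K-bit message m."""
    kappa, tau = trap_gen(random.Random(seed))
    for j in range(2 ** K):
        a_m, b_m = trap_eval(tau, bits(j))
        expected = pow(H_GEN, a_m % Q, P) * pow(G_GEN, b_m, P) % P
        if eval_hash(kappa, bits(j)) != expected:
            return False
    return True

def estimate_gamma(n_queries, trials, seed):
    """Monte Carlo estimate of Pr[a_{m*} = 0 and a_{m_j} != 0 for all queries].

    kappa is independent of the a_i (the uniform b_i mask them), so sampling
    fresh trapdoors matches the probability conditioned on kappa.
    """
    rng = random.Random(seed)
    m_star, queries = bits(0), [bits(j) for j in range(1, n_queries + 1)]
    hits = 0
    for _ in range(trials):
        _, tau = trap_gen(rng)
        if trap_eval(tau, m_star)[0] == 0 and all(
                trap_eval(tau, m)[0] != 0 for m in queries):
            hits += 1
    return hits / trials

if __name__ == "__main__":
    print(check_decomposition(1), estimate_gamma(4, 2000, 2))
```

With 4 queries and L = 16 = 4^2 the estimate is a small constant fraction, which is the noticeable but far-from-1 success probability the reduction has to live with.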


Socrative

Self-checking with quizzes

  • Use following URL: https://b.socrative.com/login/student
  • . . . and enter room “HOFHEINZ8872”
  • Will also be in chat (so you can click on link)
  • No registration necessary
  • Quiz about PHFs starts now!


Waters signatures

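  • Gen$(1^k)$:
    – $g^\alpha \leftarrow G$, $\kappa \leftarrow$ Gen$_{\mathrm{PHF}}(1^k)$.
    – $sk = g^\alpha$, $pk = (g, \kappa, e(g, g^\alpha))$.
  • Sign$(sk, m)$: choose $r \leftarrow \mathbb{Z}_p$. Compute
    $$\sigma_1 := g^r \qquad \sigma_2 := g^\alpha \cdot H_\kappa(m)^r.$$
    Set $\sigma = (\sigma_1, \sigma_2)$.
  • Vfy$(pk, m, \sigma)$:
    $$e(g, \sigma_2) \stackrel{?}{=} e(g, g)^\alpha \cdot e(\sigma_1, H_\kappa(m))$$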


Waters signatures

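$sk = g^\alpha$, $pk = (g, \kappa, e(g, g^\alpha))$

$\sigma_1 := g^r$, $\sigma_2 := g^\alpha \cdot H_\kappa(m)^r$

Correctness:
$$\begin{aligned}
e(g, \sigma_2) &= e(g, g^\alpha \cdot H_\kappa(m)^r) \\
&= e(g, g^\alpha) \cdot e(g, H_\kappa(m)^r) \\
&= e(g, g)^\alpha \cdot e(g^r, H_\kappa(m)) \\
&= e(g, g)^\alpha \cdot e(\sigma_1, H_\kappa(m))
\end{aligned}$$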


Waters: security

Theorem (99)

Let $H$ be a $(1, q, \gamma)$-PHF for any polynomial $q$. Then

  • for every adversary $A$ that breaks the EUF-CMA security of Waters’ scheme with success $\epsilon_A$ in time $t_A$ with at most $q$ signature queries,
  • there is an adversary $B$ that breaks CDH in $G$ in time $t_B \approx t_A$ with success
    $$\epsilon_B \geq \gamma \cdot \epsilon_A.$$


Waters: security proof

  • $B$ gets CDH challenge $(g, g^x, g^y)$ (goal: compute $g^{xy}$)
  • Generates parameters for $H$ via
    $$(\kappa, \tau) \leftarrow \text{TrapGen}(g, g^x)$$
  • Sets
    $$pk := (g, \kappa, e(g^x, g^y)) = (g, \kappa, e(g, g)^{xy})$$
  • Implicitly this sets $sk = g^\alpha = g^{xy}$ and $\alpha = xy$


Waters: security proof

$B$ hopes for event $E$:

  • TrapEval with $\tau$ yields ...
  • ... $a_{m_i} \neq 0$ for all signature queries $m_i$
  • ... $a_{m^*} = 0$ for forgery message $m^*$

Since $H$ is $(1, q, \gamma)$-programmable, we have $\Pr[E] \geq \gamma$

We will show: if $E$ occurs, then $B$ can answer all signature queries and extract $g^{xy}$ from forgery

$$\Rightarrow \epsilon_B \geq \Pr[E] \cdot \epsilon_A \geq \gamma \cdot \epsilon_A$$


Waters: signing queries

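Signing query for $m_i$:

  • $(a_m, b_m) \leftarrow$ TrapEval$(\tau, m)$
  • Then $H(m) = (g^x)^{a_m} \cdot g^{b_m}$
  • Choose fresh $s \leftarrow \mathbb{Z}_p$
  • $\sigma_1 := (g^y)^{-1/a_m} \cdot g^s$
  • Implicitly, this sets $r = -y/a_m + s$
  • $\sigma_2 := (g^x)^{a_m s} \cdot (g^y)^{-b_m/a_m} \cdot g^{b_m s}$

To show: $\sigma_2 = g^{xy} H(m)^r$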


Waters: signing queries

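$\sigma_1 = (g^y)^{-1/a_m} \cdot g^s$, $\sigma_2 := (g^x)^{a_m s} \cdot (g^y)^{-b_m/a_m} \cdot g^{b_m s}$, $r = -y/a_m + s$

Then:
$$\begin{aligned}
\sigma_2 &= (g^x)^{a_m s} \cdot (g^y)^{-b_m/a_m} \cdot g^{b_m s} \\
&= g^{x a_m s} \cdot g^{b_m(-y/a_m + s)} \\
&= g^{xy} \left(g^{-xy} g^{x a_m s} \cdot g^{b_m(-y/a_m + s)}\right) \\
&= g^{xy} \left(g^{x a_m(-y/a_m + s)} \cdot g^{b_m(-y/a_m + s)}\right) \\
&= g^{xy} \left(g^{x a_m} g^{b_m}\right)^{-y/a_m + s} \\
&= g^{xy} \left(g^{x a_m} g^{b_m}\right)^{r} \\
&= g^{xy} H(m)^r
\end{aligned}$$

Question: why does this only work for $a_m \neq 0$?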


Waters: extracting from the forgery

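  • $A$ outputs forgery $m^*$, $\sigma^* = (\sigma^*_1, \sigma^*_2)$.
  • $(a^*, b^*) =$ TrapEval$(\tau, m^*)$
  • Assuming $E$ occurs, we have
    $$H(m^*) = (g^x)^{a^*} g^{b^*} = (g^x)^0 g^{b^*} = g^{b^*}$$
  • $\sigma^*$ valid, hence
    $$\sigma^*_1 = g^{r^*} \qquad \sigma^*_2 = g^{xy} \cdot H(m^*)^{r^*}$$
  • Thus:
    $$\sigma^*_2 \cdot (\sigma^*_1)^{-b^*} = g^{xy} \cdot H(m^*)^{r^*} \cdot g^{-b^* r^*} = g^{xy} \cdot g^{b^* r^*} \cdot g^{-b^* r^*} = g^{xy}$$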
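The reduction's two steps (answering a signing query without the secret key, then extracting $g^{xy}$ from a forgery) carried out in a toy group, as an added example that is not part of the original slides. The group (P = 2039, Q = 1019, generator 4) and all exponents are constructed sample values; the trapdoor outputs $(a_m, b_m)$ are passed in directly, and `honest_sign` exists only so the harness, which knows x and y, can compare against the real signer.

```python
# Toy group (constructed, insecure): order-Q subgroup of Z_P^*, P = 2Q + 1.
P, Q = 2039, 1019
G = 4  # generator g of the order-Q subgroup

def hash_from_trapdoor(gx, a_m, b_m):
    """H(m) = (g^x)^{a_m} * g^{b_m}, the decomposition TrapEval gives for h = g^x."""
    return pow(gx, a_m % Q, P) * pow(G, b_m % Q, P) % P

def simulate_sign(gx, gy, a_m, b_m, s):
    """B's answer to a signing query; uses only g, g^x, g^y, never g^{xy}."""
    if a_m % Q == 0:
        raise ValueError("a_m = 0: 1/a_m does not exist, B has to abort")
    inv = pow(a_m % Q, Q - 2, Q)                      # 1/a_m in Z_Q (Q prime)
    sigma1 = pow(gy, -inv % Q, P) * pow(G, s, P) % P  # (g^y)^{-1/a_m} * g^s
    sigma2 = (pow(gx, a_m * s % Q, P)                 # (g^x)^{a_m s}
              * pow(gy, -b_m * inv % Q, P)            # (g^y)^{-b_m/a_m}
              * pow(G, b_m * s % Q, P)) % P           # g^{b_m s}
    return sigma1, sigma2

def extract_cdh(sigma1, sigma2, b_star):
    """Forgery on m* with a_{m*} = 0: sigma2 * sigma1^{-b*} = g^{xy}."""
    return sigma2 * pow(sigma1, -b_star % Q, P) % P

def honest_sign(x, y, hm, r):
    """Real Sign with sk = g^{xy}; needs x and y, so B itself cannot run it."""
    return pow(G, r, P), pow(G, x * y % Q, P) * pow(hm, r, P) % P

def demo():
    x, y = 123, 456                       # CDH exponents, unknown to B
    gx, gy = pow(G, x, P), pow(G, y, P)   # what B actually receives

    # Signing query with a_m != 0: the simulated signature equals the honest
    # one for the implicit randomness r = -y/a_m + s.
    a_m, b_m, s = 5, 77, 901
    hm = hash_from_trapdoor(gx, a_m, b_m)
    r = (-y * pow(a_m, Q - 2, Q) + s) % Q
    sim_ok = simulate_sign(gx, gy, a_m, b_m, s) == honest_sign(x, y, hm, r)

    # Forgery on m* with a_{m*} = 0, produced here with the real key.
    b_star = 310
    s1, s2 = honest_sign(x, y, hash_from_trapdoor(gx, 0, b_star), 42)
    return sim_ok, extract_cdh(s1, s2, b_star) == pow(G, x * y % Q, P)

if __name__ == "__main__":
    print(demo())
```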


Waters: summary

  • Less efficient than BLS signatures (+1 group element)
  • But: proof in standard model, PHFs central tool

– Historical context: Waters IBE (2005) = Boneh-Boyen IBE (2004) + PHFs

  • PHFs influential, many “partitioning proofs” with similar techniques


Current research

  • Better PHFs (but inherent combinatorial limitations)
  • Different partitioning techniques (→ tight security)
  • Tradeoff: more efficiency ↔ weaker assumptions
  • (With pairings:) identity-based encryption → attribute-based encryption → functional encryption


Socrative

Self-checking with quizzes

  • Last time
  • Use following URL: https://b.socrative.com/login/student
  • . . . and enter room “HOFHEINZ8872”
  • Will also be in chat (so you can click on link)
  • No registration necessary
  • Quiz about Waters signatures starts now!
