Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-05-12 1
Outline Recap: programmable hash functions Waters’ PHF Waters signatures Digital Signatures 2020-05-12 2
Programmable hash functions Motivation: • RO proofs use programmability of RO (RSA-FDH, BLS, . . . ) • Problem: ROs do not exist, leads to heuristic arguments • Goal: imitate necessary programming operations with standard-model hash function Closer look: • PHF maps bitstrings m to group elements H ( m ) • PHF trapdoor gives decomposition H ( m ) = h a m g b m • Later: a m � = 0 ⇔ reduction can sign m • Want a m � = 0 often (sig. queries), a m = 0 sometimes (forgery) Digital Signatures 2020-05-12 3
Programmable hash functions Def.: A group hash function ( Gen , Eval ) is ( v , w , γ ) -programmable (for v , w ∈ N , γ ∈ [0, 1]), if there are two PPT algorithms as follows: • TrapGen ( g , h ) → ( κ , τ ): trapdoor key generation • TrapEval ( τ , m ) → ( a m , b m ) with h a m g b m = H κ ( m ) (deterministic) that fulfill the following two requirements: • κ from Gen statistically close to κ from TrapGen • TrapEval has ( v , w , γ )-well-distributed outputs (next slide) A ( v , w , γ ) -PHF is a ( v , w , γ )-programmable group hash function. Digital Signatures 2020-05-12 4
Programmable hash functions Well-distributedness condition of TrapEval ’s outputs: • ( v , w , γ ) -well-distributed (for v , w ∈ N , γ ∈ [0, 1]): For all – generators g , h of G , v ∈ { 0, 1 } ℓ , – m ∗ 1 , ... m ∗ – m 1 , ... , m w ∈ { 0, 1 } ℓ (s.t. ∀ i , j : m ∗ i � = m j ) – κ in the range of TrapGen ’s first output we have: � � a m ∗ i = 0 for i = 1, ... , v ∧ ≥ γ , Pr a m j � = 0 for j = 1, ... , w where Pr is over τ from ( κ , τ ) ← TrapGen ( g , h ) (cond. on κ ) Digital Signatures 2020-05-12 5
Outline Recap: programmable hash functions Waters’ PHF Waters signatures Digital Signatures 2020-05-12 6
Waters’ programmable hash function Waters’ group hash function (used earlier for different purpose): • Gen (1 k ): choose u 0 , ... , u k ← G . κ = ( u 0 , ... , u k ) Digital Signatures 2020-05-12 7
Waters’ programmable hash function Waters’ group hash function (used earlier for different purpose): • Gen (1 k ): choose u 0 , ... , u k ← G . κ = ( u 0 , ... , u k ) • Eval ( κ , m = m (1) · · · m ( k ) ): compute k � ( m ( i ) ∈ { 0, 1 } ) u m ( i ) H κ ( m ) = u 0 i i =1 Digital Signatures 2020-05-12 7
Waters’ programmable hash function Waters’ group hash function (used earlier for different purpose): • Gen (1 k ): choose u 0 , ... , u k ← G . κ = ( u 0 , ... , u k ) • Eval ( κ , m = m (1) · · · m ( k ) ): compute k � ( m ( i ) ∈ { 0, 1 } ) u m ( i ) H κ ( m ) = u 0 i i =1 Theorem: Let q = q ( k ) be a polynomial. Then, Waters’ group hash √ function is (1, q , γ )-programmable for γ = 1 / O ( q k ). Digital Signatures 2020-05-12 7
Waters’ programmable hash function Proof sketch: a i ∈ Z p suitably, � • TrapGen ( g , h ): choose � b i ← Z p . Let a i g � u i := h � b i for i ∈ { 0, ... , k } , a k , � b 0 , ... , � κ = ( u 0 , ... , u k ), τ = ( � a 0 , ... , � b k ). Digital Signatures 2020-05-12 8
Waters’ programmable hash function Proof sketch: a i ∈ Z p suitably, � • TrapGen ( g , h ): choose � b i ← Z p . Let a i g � u i := h � b i for i ∈ { 0, ... , k } , a k , � b 0 , ... , � κ = ( u 0 , ... , u k ), τ = ( � a 0 , ... , � b k ). • TrapEval ( τ , m = m (1) · · · m ( k ) ): compute a 0 + � k i =1 m ( i ) � � a m = a i and b 0 + � k i =1 m ( i ) � � b m = b i . Digital Signatures 2020-05-12 8
Waters’ programmable hash function Proof sketch: a i ∈ Z p suitably, � • TrapGen ( g , h ): choose � b i ← Z p . Let a i g � u i := h � b i for i ∈ { 0, ... , k } , a k , � b 0 , ... , � κ = ( u 0 , ... , u k ), τ = ( � a 0 , ... , � b k ). • TrapEval ( τ , m = m (1) · · · m ( k ) ): compute a 0 + � k i =1 m ( i ) � � a m = a i and b 0 + � k i =1 m ( i ) � � b m = b i . Then: h a m g b m = Digital Signatures 2020-05-12 8
Waters’ programmable hash function Proof sketch: a i ∈ Z p suitably, � • TrapGen ( g , h ): choose � b i ← Z p . Let a i g � u i := h � b i for i ∈ { 0, ... , k } , a k , � b 0 , ... , � κ = ( u 0 , ... , u k ), τ = ( � a 0 , ... , � b k ). • TrapEval ( τ , m = m (1) · · · m ( k ) ): compute a 0 + � k i =1 m ( i ) � � a m = a i and b 0 + � k i =1 m ( i ) � � b m = b i . Then: � k � k a i m ( i ) · g � g � h a m g b m = h � h � b i m ( i ) a 0 b 0 i =1 i =1 Digital Signatures 2020-05-12 8
Waters’ programmable hash function Proof sketch: a i ∈ Z p suitably, � • TrapGen ( g , h ): choose � b i ← Z p . Let a i g � u i := h � b i for i ∈ { 0, ... , k } , a k , � b 0 , ... , � κ = ( u 0 , ... , u k ), τ = ( � a 0 , ... , � b k ). • TrapEval ( τ , m = m (1) · · · m ( k ) ): compute a 0 + � k i =1 m ( i ) � � a m = a i and b 0 + � k i =1 m ( i ) � � b m = b i . Then: � k � k � k m ( i ) a i m ( i ) · g � b i m ( i ) = ( h � g � a 0 g � a i g � h a m g b m = h � h � ( h � a 0 b 0 b 0 ) · b i ) i =1 i =1 i =1 Digital Signatures 2020-05-12 8
Waters’ programmable hash function Proof sketch: a i ∈ Z p suitably, � • TrapGen ( g , h ): choose � b i ← Z p . Let a i g � u i := h � b i for i ∈ { 0, ... , k } , a k , � b 0 , ... , � κ = ( u 0 , ... , u k ), τ = ( � a 0 , ... , � b k ). • TrapEval ( τ , m = m (1) · · · m ( k ) ): compute a 0 + � k i =1 m ( i ) � � a m = a i and b 0 + � k i =1 m ( i ) � � b m = b i . Then: � k � k � k m ( i ) a i m ( i ) · g � b i m ( i ) = ( h � g � a 0 g � a i g � h a m g b m = h � h � ( h � a 0 b 0 b 0 ) b i ) · � �� � i =1 i =1 i =1 u 0 Digital Signatures 2020-05-12 8
Waters’ programmable hash function Proof sketch: a i ∈ Z p suitably, � • TrapGen ( g , h ): choose � b i ← Z p . Let a i g � u i := h � b i for i ∈ { 0, ... , k } , a k , � b 0 , ... , � κ = ( u 0 , ... , u k ), τ = ( � a 0 , ... , � b k ). • TrapEval ( τ , m = m (1) · · · m ( k ) ): compute a 0 + � k i =1 m ( i ) � � a m = a i and b 0 + � k i =1 m ( i ) � � b m = b i . Then: � k � k � k m ( i ) a i m ( i ) · g � b i m ( i ) = ( h � g � a 0 g � a i g � h a m g b m = h � h � ( h � a 0 b 0 b 0 ) b i ) · � �� � � �� � i =1 i =1 i =1 u 0 u i Digital Signatures 2020-05-12 8
Waters’ programmable hash function Proof sketch: a i ∈ Z p suitably, � • TrapGen ( g , h ): choose � b i ← Z p . Let a i g � u i := h � b i for i ∈ { 0, ... , k } , a k , � b 0 , ... , � κ = ( u 0 , ... , u k ), τ = ( � a 0 , ... , � b k ). • TrapEval ( τ , m = m (1) · · · m ( k ) ): compute a 0 + � k i =1 m ( i ) � � a m = a i and b 0 + � k i =1 m ( i ) � � b m = b i . Then: � k � k � k m ( i ) a i m ( i ) · g � b i m ( i ) = ( h � g � a 0 g � a i g � h a m g b m = h � h � ( h � a 0 b 0 b 0 ) b i ) · = H κ ( m ) � �� � � �� � i =1 i =1 i =1 u 0 u i Digital Signatures 2020-05-12 8
Waters’ programmable hash function • Distribution of (real/trapdoor) κ ? – Gen (1 k ): all u i uniform over G Digital Signatures 2020-05-12 9
Waters’ programmable hash function • Distribution of (real/trapdoor) κ ? – Gen (1 k ): all u i uniform over G – TrapGen ( g , h ): Digital Signatures 2020-05-12 9
Waters’ programmable hash function • Distribution of (real/trapdoor) κ ? – Gen (1 k ): all u i uniform over G – TrapGen ( g , h ): ◮ � b i uniform over Z p Digital Signatures 2020-05-12 9
Waters’ programmable hash function • Distribution of (real/trapdoor) κ ? – Gen (1 k ): all u i uniform over G – TrapGen ( g , h ): ◮ � b i uniform over Z p ⇒ g � b i uniform over G ( g generator!) ◮ = Digital Signatures 2020-05-12 9
Waters’ programmable hash function • Distribution of (real/trapdoor) κ ? – Gen (1 k ): all u i uniform over G – TrapGen ( g , h ): ◮ � b i uniform over Z p ⇒ g � b i uniform over G ( g generator!) ◮ = ⇒ u i = h � a i g � b i uniform over G ◮ = Digital Signatures 2020-05-12 9
Waters’ programmable hash function • Distribution of (real/trapdoor) κ ? – Gen (1 k ): all u i uniform over G – TrapGen ( g , h ): ◮ � b i uniform over Z p ⇒ g � b i uniform over G ( g generator!) ◮ = ⇒ u i = h � a i g � b i uniform over G � ◮ = • ( v , w , γ )-well-distribution: Digital Signatures 2020-05-12 9
Waters’ programmable hash function • Distribution of (real/trapdoor) κ ? – Gen (1 k ): all u i uniform over G – TrapGen ( g , h ): ◮ � b i uniform over Z p ⇒ g � b i uniform over G ( g generator!) ◮ = ⇒ u i = h � a i g � b i uniform over G � ◮ = • ( v , w , γ )-well-distribution: – Need to define � a i suitably (next slide) Digital Signatures 2020-05-12 9
Recommend
More recommend
