Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn - - PowerPoint PPT Presentation

Digital Signatures

Dennis Hofheinz (slides based on slides by Björn Kaidel)

Digital Signatures 2020-03-03 1

Outline

Why assumptions? Efficient one-time signatures

Digital Signatures 2020-03-03 2

Recap: Lamport

• EUF-1-CMA secure
• Requires only one-way function (weak assumption)
• Not very efficient

– Many evaluations of one-way function – Large keys

Digital Signatures 2020-03-03 3

Uselessness of UUF-NMA (not in lecture notes)

Use one-way function f to construct UUF-NMA secure signature scheme:

• Gen(1k) : sk ← {0, 1}k, pk = f(sk)
• Sign(sk, m) = sk
• Vfy(pk, m, σ): f(σ) ?

= pk

Digital Signatures 2020-03-03 4

Uselessness of UUF-NMA (not in lecture notes)

Use one-way function f to construct UUF-NMA secure signature scheme:

• Gen(1k) : sk ← {0, 1}k, pk = f(sk)
• Sign(sk, m) = sk
• Vfy(pk, m, σ): f(σ) ?

= pk

• Actually EUF-NMA secure. . .
• . . . but useless (message-independent signatures)

Digital Signatures 2020-03-03 4

Why assumptions? (not in lecture notes)

We made assumptions so far to construct signature schemes:

• Existence of collision-resistant hash functions
• Existence of one-way functions
• More to come. . .

Why make assumptions in the first place?

Digital Signatures 2020-03-03 5

Why assumptions? (2) (not in lecture notes)

Theorem: Let Σ = (Gen, Sign, Vfy) be a UUF-NMA secure signature scheme. Then P = NP.

Digital Signatures 2020-03-03 6

Proof: ∃UUF-NMA ⇒ P = NP (not in lecture notes)

• Consider the language

LΣ = {(pk, m, σ) : ∃σ s.t. σ is prefix of σ and Vfy(pk, m, σ) = 1}

• We have LΣ ∈ NP (witness: σ)
• Assume for contradiction that P = NP. Then ∃B that decides

LΣ in polynomial time.

Digital Signatures 2020-03-03 7

Proof: ∃UUF-NMA ⇒ P = NP (2) (not in lecture notes)

LΣ = {(pk, m, σ) : ∃σ s.t. σ is prefix of σ and Vfy(pk, m, σ) = 1}.

UUF-NMA adversary from B:

• Use B to find σ given m, pk (bit-by-bit search)
• Signatures are short, hence runtime is polynomial
• Always finds valid σ

Hence: P = NP implies that Σ is not UUF-NMA secure. (Contradiction.)

Digital Signatures 2020-03-03 8

Discrete-log-based one-time signatures

Setting:

• Cyclic group G = g of prime order |G| = p
• G may (should) depend on security parameter (we usually do

not make this explicit)

Digital Signatures 2020-03-03 9

DLog problem/assumption

DLog problem:

• Given generator g and y ← G, find x ∈ Zp with gx = y.

Digital Signatures 2020-03-03 10

DLog problem/assumption

DLog problem:

• Given generator g and y ← G, find x ∈ Zp with gx = y.

DLog assumption:

• ∀ PPT A:

Pr

• x ← Zp

x′ ← A(1k, g, gx) : x′ = x

• negligible.

Digital Signatures 2020-03-03 10

DLog one-time signature

Σ = (Gen, Sign, Vfy) with message space Zp: Gen(1k) : Sign(sk, m) : Vfy(pk, m, σ) :

x ← Z∗

p

ω ← Zp

h := gx c := gω

σ = ω−m

x

c ? = gmhσ pk = (g, h, c) sk = (x, ω)

Digital Signatures 2020-03-03 11

DLog one-time signature

Σ = (Gen, Sign, Vfy) with message space Zp: Gen(1k) : Sign(sk, m) : Vfy(pk, m, σ) :

x ← Z∗

p

ω ← Zp

h := gx c := gω

σ = ω−m

x

c ? = gmhσ pk = (g, h, c) sk = (x, ω) Correctness:

Digital Signatures 2020-03-03 11

DLog one-time signature

Σ = (Gen, Sign, Vfy) with message space Zp: Gen(1k) : Sign(sk, m) : Vfy(pk, m, σ) :

x ← Z∗

p

ω ← Zp

h := gx c := gω

σ = ω−m

x

c ? = gmhσ pk = (g, h, c) sk = (x, ω) Correctness: Ideas?

Digital Signatures 2020-03-03 11

DLog one-time signature

Σ = (Gen, Sign, Vfy) with message space Zp: Gen(1k) : Sign(sk, m) : Vfy(pk, m, σ) :

x ← Z∗

p

ω ← Zp

h := gx c := gω

σ = ω−m

x

c ? = gmhσ pk = (g, h, c) sk = (x, ω) Correctness: gmhσ = gm+xσ = gm+x ω−m

x

= gω = c

Digital Signatures 2020-03-03 11

DLog one-time signature: security

Theorem 28: For every EUF-1-naCMA adversary A on Σ with runtime tA and success probability ǫA, there is an adversary B on the DLog problem in G that runs in time tB ≈ tA and has success probability

ǫB ≥ ǫA.

Digital Signatures 2020-03-03 12

DLog one-time signature: security

• Details: blackboard.
• Overview:

CDlog B A Dlog problem EUF-1-naCMA

Digital Signatures 2020-03-03 13

DLog one-time signature: security

• Details: blackboard.
• Overview:

CDlog B A Dlog problem EUF-1-naCMA x ← Zp h := gx g , h

Digital Signatures 2020-03-03 13

DLog one-time signature: security

• Details: blackboard.
• Overview:

CDlog B A Dlog problem EUF-1-naCMA x ← Zp h := gx g , h m ∈ Z

p

Compute c, σ suitably

p k = ( g , h , c ) , σ 1

Digital Signatures 2020-03-03 13

DLog one-time signature: security

• Details: blackboard.
• Overview:

CDlog B A Dlog problem EUF-1-naCMA x ← Zp h := gx g , h m ∈ Z

p

Compute c, σ suitably

p k = ( g , h , c ) , σ 1 m∗ , σ∗ x 2

Digital Signatures 2020-03-03 13

One-time signatures based on RSA

Setting:

• N = P · Q, for large primes P, Q
• ϕ(N) = (P − 1)(Q − 1) = |Z∗

N|

• Choose e ∈ N uniformly between 1 and ϕ(N) with

gcd(e, ϕ(N)) = 1.

• Then d ∈ N with e · d ≡ 1 mod ϕ(N) can be found efficiently

from ϕ(N) and e.

• For x ∈ ZN, we have xe·d ≡ x mod N.

Digital Signatures 2020-03-03 14

RSA problem/assumption

RSA problem:

• Given N, e as above and y ← ZN, find x ∈ ZN with

xe ≡ y mod N.

Digital Signatures 2020-03-03 15

RSA problem/assumption

RSA problem:

• Given N, e as above and y ← ZN, find x ∈ ZN with

xe ≡ y mod N. RSA assumption:

• ∀ PPT A:

Pr    N, e as above y ← ZN x ← A(1k, N, e, y) : xe = y mod N    negligible.

Digital Signatures 2020-03-03 15

RSA one-time signature

Σ = (Gen, Sign, Vfy) with message space {0, ... , 2n − 1}: Gen(1k) :

• choose primes P, Q, set N := P · Q
• uniformly choose prime e with 2n < e < ϕ(N) (and

gcd(e, ϕ(N)) = 1)

• d := e−1 mod ϕ(N)
• J, c ← ZN
• pk = (N, e, J, c)
• sk = d

Digital Signatures 2020-03-03 16

RSA one-time signature: Sign & Vfy

pk = (N, e, J, c) sk = d = e−1 mod ϕ(N)

Sign(sk, m): σ ≡

c Jm d mod N

Digital Signatures 2020-03-03 17

RSA one-time signature: Sign & Vfy

pk = (N, e, J, c) sk = d = e−1 mod ϕ(N)

Sign(sk, m): σ ≡

c Jm d mod N

Vfy(pk, m, σ) :

c

?

≡ Jmσe mod N

Digital Signatures 2020-03-03 17

RSA one-time signature: Sign & Vfy

pk = (N, e, J, c) sk = d = e−1 mod ϕ(N)

Sign(sk, m): σ ≡

c Jm d mod N

Vfy(pk, m, σ) :

c

?

≡ Jmσe mod N

Correctness: Ideas?

Digital Signatures 2020-03-03 17

RSA one-time signature: Sign & Vfy

pk = (N, e, J, c) sk = d = e−1 mod ϕ(N)

Sign(sk, m): σ ≡

c Jm d mod N

Vfy(pk, m, σ) :

c

?

≡ Jmσe mod N

Correctness: Jmσe ≡ Jm c Jm e·d

≡ Jm · c

Jm ≡ c mod N

Digital Signatures 2020-03-03 17

RSA one-time signature: security

Prime-e-RSA problem/assumption: like RSA problem and assumption, but with e chosen as prime between 2n and ϕ(N). (Asymptotically: RSA assumption ⇒ prime-e-RSA assumption!)

Digital Signatures 2020-03-03 18

RSA one-time signature: security

Prime-e-RSA problem/assumption: like RSA problem and assumption, but with e chosen as prime between 2n and ϕ(N). (Asymptotically: RSA assumption ⇒ prime-e-RSA assumption!) Theorem 30: For every EUF-1-naCMA adversary A on Σ with runtime tA and success probability ǫA, there is an adversary B on the prime-e-RSA assumption that computes x ∈ ZN with xe ≡ y mod N in time tB ≈ tA with success probability ǫB ≥ ǫA.

Digital Signatures 2020-03-03 18

Shamir’s trick

Lemma 31: Let J, S ∈ ZN and e, f ∈ Z with

• gcd(e, f) = 1
• Jf ≡ Se mod N.

Then, given N ∈ Z und (J, S, e, f) ∈ Z2

N × Z2 it is possible to

efficiently compute x ∈ ZN with xe ≡ J mod N. Proof: blackboard.

Digital Signatures 2020-03-03 19

RSA one-time signatures: security

• Details: see blackboard.
• Overview:

CRSA B A prime-e-RSA EUF-1-naCMA

Digital Signatures 2020-03-03 20

RSA one-time signatures: security

• Details: see blackboard.
• Overview:

CRSA B A prime-e-RSA EUF-1-naCMA N = P · Q e > 2n y ← ZN N , e , y

Digital Signatures 2020-03-03 20

RSA one-time signatures: security

• Details: see blackboard.
• Overview:

CRSA B A prime-e-RSA EUF-1-naCMA N = P · Q e > 2n y ← ZN N , e , y m ∈ [ , 2

n −

1 ]

Compute J, c, σ suitably

p k = ( N , e , J , c ) , σ 1

Digital Signatures 2020-03-03 20

RSA one-time signatures: security

• Details: see blackboard.
• Overview:

CRSA B A prime-e-RSA EUF-1-naCMA N = P · Q e > 2n y ← ZN N , e , y m ∈ [ , 2

n −

1 ]

Compute J, c, σ suitably

p k = ( N , e , J , c ) , σ 1 m∗ , σ∗ x 2

Digital Signatures 2020-03-03 20

One-time signatures: current research

Example: Tightly Secure Signatures and Public-Key Encryption [HofJag12]

• One-time signatures ⇒ many-time signatures ⇒ public-key

encryption

• Special feature: security reduction scales to many

users/instances without loss of reduction success

Digital Signatures 2020-03-03 21