Digital Signatures, Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung)



slide-1
SLIDE 1

Digital Signatures

Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung)

Digital Signatures 2020-04-28 1

slide-2
SLIDE 2

Outline

  • Pairings
  • Boneh-Lynn-Shacham (BLS) signatures

slide-5
SLIDE 5

Pairings

Definition 78 (Pairings): Let $G_1, G_2, G_T$ be groups of prime order $p$. A pairing is a map $e : G_1 \times G_2 \to G_T$ with the following properties:

1) Bilinearity: $\forall g_1, g_1' \in G_1,\ g_2, g_2' \in G_2$:

$e(g_1 \cdot g_1', g_2) = e(g_1, g_2) \cdot e(g_1', g_2)$

$e(g_1, g_2 \cdot g_2') = e(g_1, g_2) \cdot e(g_1, g_2')$

$\Rightarrow e(g_1^a, g_2) = e(g_1, g_2)^a = e(g_1, g_2^a)$

enables one multiplication in the exponent.

slide-8
SLIDE 8

Pairings

2) Non-degeneracy: for all generators $g_1 \in G_1$, $g_2 \in G_2$: $e(g_1, g_2)$ generates $G_T$ ($\overset{|G_T|\ \text{prime}}{\Longleftrightarrow}$ $e(g_1, g_2) \neq 1$)

3) $e$ efficiently computable

Note: there are also pairings over groups of non-prime order.

slide-10
SLIDE 10

Pairings: remarks

  • $G_1, G_2$ often elliptic curves (“source groups”)
  • $G_T \subseteq \mathbb{F}_Q^*$ (“target group”)
  • Pairing operation less efficient than exponentiation

Original (cryptographic) application:

  • Cryptanalysis
  • Example: assuming DLog easier in $G_T$ than in $G_i$, then $e$ helps to “lift/push” DLog problem from $G_i$ to $G_T$
    – given $g_1^x \in G_1$, find $x$
    – compute $e(g_1^x, g_2) = e(g_1, g_2)^x$, and then DLog of $e(g_1, g_2)^x$ in $G_T$
  • Some assumptions (like DDH) do not hold in $G_1$ if $G_1 = G_2$

slide-14
SLIDE 14

Types of Pairings

Type 1: $G_1 = G_2$, “symmetric pairing” $e : G \times G \to G_T$

Type 2: $G_1 \neq G_2$, “asymmetric pairing”. There is an efficient nontrivial homomorphism $\psi : G_2 \to G_1$

Type 3: $G_1 \neq G_2$, “asymmetric pairing”. There is no efficient nontrivial homomorphism $\psi : G_2 \to G_1$

Note: here, we mainly consider type-1 pairings

slide-15
SLIDE 15

Pairings: research

  • Pairings already very powerful (we will see examples)
  • Multilinear maps (for more source groups) would be even more powerful
  • 2012: Garg, Gentry, Halevi “Candidate Multilinear Maps from Ideal Lattices and Applications”
  • Since then many MLM candidates, attacks, improvements, applications...

slide-16
SLIDE 16

Joux’s 3-party key exchange

  • Like Diffie-Hellman key exchange, but for 3 parties A, B, C
  • That means A, B, C end up with common shared key
  • e : G × G → GT, g generates G, |G| = |GT| = p prime


slide-23
SLIDE 23

Joux’s 3-party key exchange

A: $a \leftarrow \mathbb{Z}_p$; sends $g^a$ to B and C; receives $g^b, g^c$; computes $k = e(g^b, g^c)^a = e(g, g)^{abc}$

B: $b \leftarrow \mathbb{Z}_p$; sends $g^b$ to A and C; receives $g^a, g^c$; computes $k = e(g^a, g^c)^b = e(g, g)^{abc}$

C: $c \leftarrow \mathbb{Z}_p$; sends $g^c$ to A and B; receives $g^a, g^b$; computes $k = e(g^a, g^b)^c = e(g, g)^{abc}$

  • Shared key is $k = e(g, g)^{abc}$
  • Order of exchanged messages does not matter
  • (Multilinear map → more parties)

slide-24
SLIDE 24

Socrative

Self-checking with quizzes

  • Use following URL: https://b.socrative.com/login/student
  • ... and enter room “HOFHEINZ8872”
  • Will also be in chat (so you can click on link)
  • No registration necessary
  • Quiz about pairings starts now!

slide-25
SLIDE 25

Boneh-Lynn-Shacham signatures

  • Simple pairing-based signature scheme
  • Short signatures
  • EUF-CMA secure in random oracle model

In the following:

  • $G, G_T$ groups, $|G| = |G_T| = p$ prime, $\langle g \rangle = G$
  • $e : G \times G \to G_T$ pairing
  • Hash function $H : \{0, 1\}^* \to G \setminus \{1\}$

slide-27
SLIDE 27

BLS signatures

$\mathrm{Gen}(1^k)$:

  • $x \leftarrow \mathbb{Z}_p^*$
  • $pk = (g, g^x)$, $sk = x$

$\mathrm{Sign}(sk, m)$:

  • $\sigma := H(m)^x \in G$

$\mathrm{Vfy}(pk, m, \sigma)$:

  • $e(H(m), g^x) \stackrel{?}{=} e(\sigma, g)$

Correctness: $e(H(m), g^x) = e(H(m), g)^x = e(H(m)^x, g) = e(\sigma, g)$

slide-29
SLIDE 29

The computational Diffie-Hellman (CDH) problem

  • Given $(g, g^x, g^y)$, compute $g^{xy}$ (for random $g$ and $x, y \leftarrow \mathbb{Z}_p^*$).

CDH assumption:

  • $\forall$ PPT $A$: $\Pr[g \text{ random},\ x, y \leftarrow \mathbb{Z}_p^* : A(1^k, g, g^x, g^y) = g^{xy}]$ is negligible.

Note: group $G$ and order $p$ may depend on security parameter $k$.

slide-30
SLIDE 30

BLS signatures: security

Theorem 85: Assuming $H$ is modeled as a random oracle, then

  • for every adversary $A$ that breaks the EUF-CMA security of the BLS signature scheme in time $t_A$ with success $\epsilon_A$,
  • there is an adversary $B$ that solves the CDH problem in $G$ in time $t_B \approx t_A$ with success $\epsilon_B \geq \epsilon_A / q_H$, where $q_H$ is the number of random oracle queries $A$ makes.

Proof idea: conceptually very similar to RSA-FDH, details up next.

slide-32
SLIDE 32

BLS: security proof

Simulation/reduction strategy:

  • A has to explicitly query H for hash values (also for $m^*$)
  • Intercept these queries and simulate RO for A
  • B can implement RO for A as follows:
    – guess index $i^*$ of message for which A forges a signature (i.e., guess when $m^*$ is being queried)
    – choose hash values $h_i$ (for $i \neq i^*$) such that signature is known
    – embed (part of) CDH challenge into $h_{i^*}$ as $h_{i^*} = g^y$ (for the last part of the given CDH challenge $g, g^x, g^y$)

slide-33
SLIDE 33

BLS: security proof

  • Assume that A outputs valid forgery $(m^*, \sigma^*)$.
  • We will assume (wlog) that A has always queried $H(m^*)$.
    – Given an A that sometimes does not query $H(m^*)$, can construct an $A'$ that always does before submitting forgery

slide-42
SLIDE 42

BLS: reduction to CDH problem

Parties: CDH challenger $C_{CDH}$ (CDH problem), reduction $B$, adversary $A$ (EUF-CMA).

  • $C_{CDH}$: choose $g, x, y$
  • $C_{CDH}$ → $B$: $g, g^x, g^y$
  • $B$ → $A$: $pk = (g, g^x)$
  • (1) $A$ → $B$: $H(m) = ?$; $B$: choose $H(m)$ suitably; $B$ → $A$: $H(m)$
  • (2) $A$ → $B$: $\mathrm{Sign}(sk, m) = ?$; $B$: compute $\sigma$ suitably; $B$ → $A$: $\sigma$
  • (3) $A$ → $B$: $m^*, \sigma^*$
  • $B$ → $C_{CDH}$: $g^{xy}$

slide-48
SLIDE 48

BLS: reduction details

  • Choice of $H(m)$ (reduction B can make up $H(m)$ for A!):
    – Setting $H(m_i) = g^{y_i} \bmod N$ for known (previously chosen) $y_i$...
    – ... allows to later output a signature $\sigma := (g^x)^{y_i} = H(m_i)^x$ for $m_i$
    – Setting $H(m) = g^y$ for the $g^y$ from the CDH challenge...
    – ... means that a signature $\sigma$ for $m$ solves the CDH challenge (since $\sigma = H(m)^x = g^{xy} \bmod N$)
  • Ideally: set $H(m_i) = g^{y_i}$ for known $y_i$ and all (later) signature queries $m_i$; also set $H(m^*) = g^y$
  • Problem: not known which $m_i$ are asked to be signed and which hash query is $m^*$
  • Solution (as with RSA-FDH): guess index $i^*$ of hash query for which $m_{i^*} = m^*$, set $H(m_i) = g^{y_i}$ for all queries $m_i$ with $i \neq i^*$ (Reason for loss $q_H$ of reduction)

slide-49
SLIDE 49

BLS: detailed full reduction

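Parties: CDH challenger $C_{CDH}$ (CDH problem), reduction $B$, adversary $A$ (EUF-CMA).

  • $C_{CDH}$: choose $g, x, y$
  • $C_{CDH}$ → $B$: $g, g^x, g^y$
  • $B$ → $A$: $pk = (g, g^x)$
  • (1) $A$ → $B$: $H(m_i) = ?$; $B$: if $i \neq i^*$ then $H(m_i) := g^{y_i}$, if $i = i^*$ then $H(m_i) := g^y$; $B$ → $A$: $H(m_i)$
  • (2) $A$ → $B$: $\mathrm{Sign}(sk, m_i) = ?$; $B$: set $\sigma = (g^x)^{y_i}$; $B$ → $A$: $\sigma$
  • (3) $A$ → $B$: $m^*, \sigma^*$
  • $B$ → $C_{CDH}$: $g^{xy} = \sigma^*$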
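The reduction B described above as runnable code; this is an added example, not part of the lecture slides. It assumes a tiny constructed group so that the stand-in adversary `forger` can find x by exhaustive search, and it takes B's guess `i_star` as a parameter so that every guess can be exercised; all names are hypothetical.

```python
import random

# Constructed toy group, NOT secure: the order-P subgroup of Z_Q^*, generator g.
P, Q, g = 1019, 2039, 4
MSGS = [b"m0", b"m1", b"m2", b"m3"]     # A's hash queries, in order (q_H = 4)
TARGET = MSGS[2]                        # A forges on its third hash query

class Abort(Exception):
    """B was asked to sign the message that carries the CDH challenge."""

def forger(pk, hash_oracle, sign_oracle):
    """Hypothetical stand-in for A with success 1: it queries H and Sign like
    a real adversary, then finds x by exhaustive search (P is tiny)."""
    for m in MSGS:
        hash_oracle(m)
    for m in MSGS:
        if m != TARGET:
            sign_oracle(m)
    x = next(k for k in range(1, P) if pow(g, k, Q) == pk)
    return TARGET, pow(hash_oracle(TARGET), x, Q)

def reduction_B(gx, gy, adversary, i_star, rng):
    """B holds (g, g^x, g^y) but not x. i_star is B's guess for the index of
    the hash query that will be m*; B would draw it uniformly from range(q_H).
    Returns g^(xy), or None if the guess was wrong."""
    table = {}                              # m -> (H(m), y_i or None)

    def hash_oracle(m):
        if m not in table:
            if len(table) == i_star:
                table[m] = (gy, None)       # i = i*: H(m_i) := g^y
            else:
                y_i = rng.randrange(1, P)   # i != i*: H(m_i) := g^(y_i)
                table[m] = (pow(g, y_i, Q), y_i)
        return table[m][0]

    def sign_oracle(m):
        hash_oracle(m)
        y_i = table[m][1]
        if y_i is None:
            raise Abort
        return pow(gx, y_i, Q)              # sigma = (g^x)^(y_i) = H(m)^x

    try:
        m_star, sigma_star = adversary(gx, hash_oracle, sign_oracle)
    except Abort:
        return None
    return sigma_star if table[m_star][1] is None else None
```

Of the four possible guesses exactly one lets B answer every signing query and extract the CDH solution, which is the factor $q_H$ lost in Theorem 85.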

slide-50
SLIDE 50

BLS signatures: pros/cons

Pros:

  • Short signatures (only one group element)
  • Efficient algorithms (although: pairing can be expensive)
  • EUF-CMA secure under well-known weak assumption

Cons:

  • Security proof only in random oracle model


slide-51
SLIDE 51

BLS: extra properties

Problem:

  • $U_1, ..., U_N$ senders (e.g., in a sensor network)
  • Each $U_i$ has their own $pk_i = (g, g^{x_i})$

Straightforward (but expensive!) solution:

  • $U_1$ with $(pk_1, sk_1)$ → $m_1, \sigma_1$
  • $U_2$ with $(pk_2, sk_2)$ → $m_2, \sigma_2$
  • ...
  • $U_n$ with $(pk_n, sk_n)$ → $m_n, \sigma_n$
  • Verifier receives $(m_1, \sigma_1), ..., (m_n, \sigma_n)$ and checks $\forall i : \mathrm{Vfy}(pk_i, m_i, \sigma_i) \stackrel{?}{=} 1$

slide-52
SLIDE 52

Better solution: aggregable signature scheme

  • $U_1, U_2, ..., U_n$ → aggregator: $m_1, \sigma_1$; $m_2, \sigma_2$; ...; $m_n, \sigma_n$
  • Aggregator → verifier: $m_1, ..., m_n, \sigma_{Agg}$
  • Verifier checks $\mathrm{Vfy}(pk_1, ..., pk_n, m_1, ..., m_n, \sigma_{Agg}) \stackrel{?}{=} 1$

  • Algorithm that aggregates signatures
  • $|\sigma_{Agg}| = |\sigma|$
  • Vfy of single aggregated signature more efficient than Vfy of many single signatures

slide-53
SLIDE 53

Aggregable signatures

Advantages and (potential) applications:

  • Saves bandwidth/storage
  • Aggregating signatures more efficient than signing huge dataset (perhaps over and over again)
  • Applications:
    – Sensor networks
    – Secure logging
    – (Authenticating) databases
    – ...

slide-55
SLIDE 55

BLS: aggregability

  • $U_i$ has BLS keypair $(pk_i = (g, g^{x_i}), sk_i = x_i)$
  • Signatures are of the form $\sigma_i = H(m_i)^{x_i}$
  • Aggregator computes $\sigma_{Agg} = \prod_{i=1}^{n} \sigma_i$ and sends $(m_1, ..., m_n, \sigma)$ to the verifier
  • Aggregation is public computation, no secret key necessary

slide-58
SLIDE 58

BLS: aggregability

$\sigma_{Agg} = \prod_{i=1}^{n} \sigma_i$

  • Verification of aggregated signatures:

$e(\sigma_{Agg}, g) \stackrel{?}{=} \prod_{i=1}^{n} e(H(m_i), g^{x_i})$.

  • Correctness:

$e(\sigma_{Agg}, g) = e(\sigma_1, g) \cdot ... \cdot e(\sigma_n, g) = e(H(m_1)^{x_1}, g) \cdot ... \cdot e(H(m_n)^{x_n}, g) = \prod_{i=1}^{n} e(H(m_i), g^{x_i})$

slide-59
SLIDE 59

BLS: aggregability

  • Verification time approximately halved:
    – No aggregation: verifying $n$ signatures takes $2n$ pairing computations
    – Aggregated: verifying aggregated signature for $n$ messages takes $n + 1$ pairing computations
  • Scheme with aggregation EUF-CMA secure
    – ... according to adapted EUF-CMA definition
    – Difference: allow aggregated forgery
    – Generalizes “ordinary” EUF-CMA

slide-61
SLIDE 61

BLS: batch verification

Problem:

  • U with $(pk, sk)$ → verifier: $(m_1, \sigma_1), ..., (m_n, \sigma_n)$
  • Verifier checks $\forall i : \mathrm{Vfy}(pk_i, m_i, \sigma_i) \stackrel{?}{=} 1$

Solution: batch verification

  • $\sigma_1, ..., \sigma_n$ signatures for $m_1, ..., m_n$
  • $h = \prod_{i=1}^{n} H(m_i)$, $\sigma := \prod_{i=1}^{n} \sigma_i$
  • Check $e(\sigma, g) \stackrel{?}{=} e(h, g^x)$
  • Correctness: as with aggregation
  • Only two pairing computations for $n$ signatures
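The aggregate and batch verification equations above, with their pairing counts, as an added example that is not part of the lecture slides. It assumes a deliberately insecure toy pairing in which each element of G is stored as its discrete log, so only the equations and the number of pairing evaluations are meaningful; all names and parameters are chosen for this example.

```python
import hashlib

# Toy parameters, constructed for illustration and NOT secure: an element of G
# is stored as its discrete log mod P, so multiplying in G is addition mod P
# and raising to x is multiplication by x. GT is the order-P subgroup of Z_Q^*.
P, Q, GT_GEN = 1019, 2039, 4      # Q = 2P + 1, and 4 has order P modulo Q
g = 1                             # the generator g of G
pairings = 0                      # number of calls to e()

def e(u, v):
    """Toy bilinear map: e(g^a, g^b) = GT_GEN^(ab)."""
    global pairings
    pairings += 1
    return pow(GT_GEN, u * v % P, Q)

def H(m):
    """Hash bytes to a non-identity element of G (a nonzero discrete log)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % (P - 1) + 1

def keygen(x):                    # returns (pk, sk) = (g^x, x)
    return g * x % P, x

def sign(sk, m):                  # sigma = H(m)^x
    return H(m) * sk % P

def verify(pk, m, sig):           # e(H(m), g^x) == e(sigma, g): 2 pairings
    return e(H(m), pk) == e(sig, g)

def aggregate(sigs):              # sigma_Agg = product of the sigma_i
    return sum(sigs) % P

def verify_aggregate(pks, msgs, agg):   # n + 1 pairings
    rhs = 1
    for pk, m in zip(pks, msgs):
        rhs = rhs * e(H(m), pk) % Q
    return e(agg, g) == rhs

def batch_verify(pk, msgs, sigs):       # one signer: 2 pairings
    h = sum(H(m) for m in msgs) % P     # h = product of the H(m_i)
    return e(aggregate(sigs), g) == e(h, pk)

def invalid_indices(pks, msgs, sigs):
    """Fallback when an aggregate fails: check each signature on its own."""
    return [i for i, (pk, m, s) in enumerate(zip(pks, msgs, sigs))
            if not verify(pk, m, s)]

def counted(fn, *args):
    """Run fn(*args) and return (result, pairings evaluated)."""
    global pairings
    pairings = 0
    return fn(*args), pairings
```

A single altered signature makes the aggregate check fail without saying which message is affected, which is why `invalid_indices` goes back to per-signature verification at the full cost of 2n pairings.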

slide-62
SLIDE 62

Research

  • Different forms of aggregation
    – Sequential aggregation (→ Waters signatures), full aggregation (BLS), ...
    – Reason: weaker forms of aggregation easier to achieve (without RO)
  • “Universal aggregators” (aggregation across signature schemes)
  • Fault-tolerant aggregate signatures
    – Aggregating an invalid signature invalidates aggregate
    – But: sometimes useful to be able to tell which message has invalid signature
    – → Vfy outputs list of valid signatures

slide-63
SLIDE 63

Socrative

Self-checking with quizzes

  • Use following URL: https://b.socrative.com/login/student
  • ... and enter room “HOFHEINZ8872”
  • Will also be in chat (so you can click on link)
  • No registration necessary
  • Quiz about CDH and BLS starts now!