
  1. Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel) Digital Signatures 2020-02-18 1

  2. Outline
     • Logistics
     • Overview
     • Introduction
     • Definition
     • Security
     • Security experiments
     • Formal security definition
     • Relations among security definitions
     • Information-theoretic security

  3. Organization
     • Lecture: Tuesdays, 10:00-12:00, ML E12
     • Exam: oral, 20 minutes
     • Contact: hofheinz@inf.ethz.ch
     • Office hours: whenever my door (CAB H33.3) is open
     • Website: todo

  4. Supporting materials
     • Lecture notes (German) by Tibor Jager: https://www.tiborjager.de/DigitaleSignaturen.pdf
     • Book “Digital Signatures” by Jonathan Katz
     • Slides (on website) and occasional blackboard writeup

  5. Overview
     • What are (digital) signatures?
     • Which security properties do we want from signatures?
     • How do we construct signatures and prove them secure?
     • Outlook towards current research

  6. Content
     • Motivation/definitions
     • One-time signatures → tree-based signatures
     • RSA-based signatures
     • Interlude: chameleon hashing
     • Pairing-based signatures
     • . . . (?)
     Not here: “symmetric signatures” (MACs)

  7. Motivation
     • Goal: “Digital analogue of (physical) signatures.”
     • What do we want to sign? Bitstrings from $\{0,1\}^*$
     • Examples: code/programs, websites, emails, . . .
     • Technical goals:
       – Authenticity: document is actually signed by that person
       – Integrity: document has not been changed since signing (desirable, but not actually guaranteed by physical signatures)

  8. What are signature schemes?
     Informally:
     • Asymmetric cryptographic mechanisms
     • Every participant has a keypair (pk, sk)
     • Secret key sk is used to sign a message m; the result is a signature σ
     • Public/verification key pk allows anyone to verify that σ is valid for m

  10. Signatures are not . . .
      Signatures are not encryption schemes
      • Signatures do not hide m (use encryption for that)
      Signatures are not “inverse” public-key encryption schemes
      • As in: signing = decrypting, verifying = encrypting
      • Works (to some extent) for RSA, but not for other schemes

  11. Applications of signatures: Ideas?

  12. Applications of signatures
      • Program updates/apps
      • E-commerce (signed websites)
      • Certificates (digitally signed signature/encryption keys)
      • Identity cards
      • Building block in more complex cryptographic systems
      • . . .

  16. Definition: digital signature scheme
      Def. 1 (Digital signature scheme): A digital signature scheme is a tuple $\Sigma = (\mathsf{Gen}, \mathsf{Sign}, \mathsf{Vfy})$ of probabilistic polynomial-time algorithms:
      • $\mathsf{Gen}(1^k) \to (pk, sk)$ ($k \in \mathbb{N}$ security parameter → asymptotic definition)
      • $\mathsf{Sign}(sk, m) \to \sigma$ (with $m \in \{0,1\}^*$)
      • $\mathsf{Vfy}(pk, m, \sigma) \in \{0,1\}$ (intuitively: 1 iff $\sigma$ valid)

  17. Correctness
      Correctness: “The scheme works.” Formally:
      $\forall k \;\; \forall (pk, sk) \leftarrow \mathsf{Gen}(1^k) \;\; \forall m : \mathsf{Vfy}(pk, m, \mathsf{Sign}(sk, m)) = 1.$

  19. Digital signatures: Soundness
      Soundness: “The scheme is secure.” Formally:
      • What is security?
      • We need a definition!

  21. Security
      • A concrete security definition combines two things:
        – Adversarial capabilities
        – Adversarial goal
      • Now: overview
      • Later: formal definitions

  24. Adversarial capabilities
      1 a) no-message attack (NMA)
         • Adversary gets only $pk$.
      1 b) non-adaptive chosen-message attack (naCMA)
         • Adversary chooses $m_1, \dots, m_q$ . . .
         • . . . then obtains $pk$ and signatures $\sigma_1, \dots, \sigma_q$
      1 c) (adaptive) chosen-message attack (CMA)
         • Adversary gets $pk$, then chooses $m_1, \dots, m_q$ and obtains $\sigma_1, \dots, \sigma_q$ adaptively (i.e., one $m_i$ at a time, so $m_{i+1}$ may depend on $pk$ and $\sigma_1, \dots, \sigma_i$)

  27. Adversarial goals
      General goal: forge/generate signatures
      2 a) “Universal Unforgeability” (UUF)
         • Adversary has to generate a valid signature for an externally given m
         • m chosen at random (not by the adversary!)
      2 b) “Existential Unforgeability” (EUF)
         • Adversary has to generate a valid signature for any message m not signed before

  28. Security definition
      Security definition ≙ adversarial goal + adversarial capabilities
      Interesting combinations:
      • EUF-CMA
      • EUF-naCMA

  29. Security experiments
      Tool to formalize security definitions: security experiments
      Interactive process between two parties:
      • Adversary A
      • Challenger C
      • A plays against C
      • A wins iff he reaches his goal.

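  34. EUF-CMA security experiment
      Interaction between the challenger $C_{\text{EUF-CMA}}$ and the adversary $A$:
      • $C$ computes $(pk, sk) \leftarrow \mathsf{Gen}(1^k)$ and sends $pk$ to $A$.
      • $A$ sends signing queries $m_i$ and $C$ answers each with a signature $\sigma_i$; there are $q = q(k)$ queries, with $q$ polynomial (depending on $A$).
      • $A$ outputs $(m^*, \sigma^*)$; $C$ checks whether $\mathsf{Vfy}(pk, m^*, \sigma^*) = 1$ and $m^* \notin \{m_1, \dots, m_q\}$.
      $A$ wins iff $\mathsf{Vfy}(pk, m^*, \sigma^*) = 1$ and $m^* \notin \{m_1, \dots, m_q\}$.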

  36. Why is A allowed arbitrary signing queries?
      • Question: why is A allowed arbitrary signing queries?
      • Answer: this yields a strong and universal (application-independent) definition (an attack may yield signatures for unforeseeable messages)

  38. Definition: EUF-CMA
      Def. 2 (EUF-CMA): A digital signature scheme $\Sigma = (\mathsf{Gen}, \mathsf{Sign}, \mathsf{Vfy})$ is EUF-CMA secure iff for all PPT $A$, the function
      $$\Pr[A \text{ wins EUF-CMA experiment}] = \Pr\left[ A^{C_{\text{EUF-CMA}}}(pk) = (m^*, \sigma^*) : \mathsf{Vfy}(pk, m^*, \sigma^*) = 1 \wedge m^* \notin \{m_1, \dots, m_q\} \right]$$
      is negligible.

  40. Definition: negligible
      Def. (Negligible): A function $\mathsf{negl} : \mathbb{N} \to [0, 1]$ is negligible iff
      $\forall c \in \mathbb{N} \;\; \exists k_0 \in \mathbb{N} \;\; \forall k \geq k_0 : \mathsf{negl}(k) < 1/k^c.$
      Examples: $1/2^k$ and $1/k^{\log k}$ are negligible, $1/k^2$ is not.

  41. UUF-NMA security experiment: Ideas?
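
The EUF-CMA experiment from slide 34, written out as a challenger with a signing oracle and the freshness check. This is an added Python example, not part of the original slides. The hash-then-RSA scheme with a fixed tiny modulus and the three adversaries are constructed here only so the experiment can run; the scheme is insecure by construction.

```python
import hashlib

# Constructed toy stand-in for Sigma = (Gen, Sign, Vfy): hash-then-RSA over a
# fixed modulus built from two Mersenne primes. Assumption for illustration only.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537

def gen():
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))      # requires Python 3.8+
    return (n, E), (n, d)                  # (pk, sk)

def _h(m, n):
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % n

def sign(sk, m):
    n, d = sk
    return pow(_h(m, n), d, n)

def vfy(pk, m, sigma):
    n, e = pk
    return 1 if pow(sigma, e, n) == _h(m, n) else 0

def euf_cma_experiment(adversary):
    """Challenger C: returns True iff the adversary wins."""
    pk, sk = gen()
    queried = []                           # m_1, ..., m_q in query order
    def sign_oracle(m):                    # adaptive: one m_i at a time
        queried.append(m)
        return sign(sk, m)
    m_star, sigma_star = adversary(pk, sign_oracle)
    return vfy(pk, m_star, sigma_star) == 1 and m_star not in queried

def replay_adversary(pk, sign_oracle):
    m = b"pay 10 CHF"
    return m, sign_oracle(m)               # valid signature, but m was queried

def transplant_adversary(pk, sign_oracle):
    sigma = sign_oracle(b"hello")
    return b"fresh message", sigma         # fresh m, signature for another m

def fixed_key_adversary(pk, sign_oracle):
    _, sk = gen()                          # toy Gen uses no randomness
    return b"never queried", sign(sk, b"never queried")

if __name__ == "__main__":
    for adv in (replay_adversary, transplant_adversary, fixed_key_adversary):
        print(adv.__name__, "wins:", euf_cma_experiment(adv))
```

The replay adversary fails only because of the condition $m^* \notin \{m_1, \dots, m_q\}$, and the fixed-key adversary wins because this toy Gen ignores the requirement that key generation be probabilistic.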
