Financial Cryptography 2001 19-22 February 2001 Grand Cayman - PDF document

Financial Cryptography ‘ 2001 19-22 February 2001 Grand Cayman Islands - BWI Monotone Signatures Joint work with David Naccache and Christophe Tymen (Gemplus, France) David Pointcheval Département d ’Informatique ENS - CNRS David.Pointcheval@ens.fr http://www.di.ens.fr/users/pointche Overview Overview ◆ Introduction ◆ Monotone Signatures ◆ Attackers ● Immediate Attacks ● Delayed Attacks ◆ Optimized Solution ◆ Conclusion David Pointcheval Monotone Signatures ENS-CNRS Financial Cryptography ‘2001 - Grand Cayman Island - BWI - February 2001 - 2

Cryptography Cryptography Cryptography proposes many solutions for ◆ Confidentiality ◆ Authentication ◆ Integrity ◆ … but often based on some secret data David Pointcheval Monotone Signatures ENS-CNRS Financial Cryptography ‘2001 - Grand Cayman Island - BWI - February 2001 - 3 Corruption Corruption However, no secret can be guaranteed for any time ◆ Corruption ◆ Kidnapping to force the authority to publish the secret data in the newspaper David Pointcheval Monotone Signatures ENS-CNRS Financial Cryptography ‘2001 - Grand Cayman Island - BWI - February 2001 - 4

E- -cash cash E We can easily prevent duplication of coins while checking double/multiple spending However, we are aware of the problem caused by the so-called Bank-Robbery Attack ⇒ protections have been found, but they are very costly David Pointcheval Monotone Signatures ENS-CNRS Financial Cryptography ‘2001 - Grand Cayman Island - BWI - February 2001 - 5 ID Cards ID Cards Previous protections (against Bank-Robbery Attacks) require an on-line context, which is not suitable to any situation such as ID-cards, Driving License, etc Another possibility: threshold signature but one cannot prevent a massive corruption of k share-holders David Pointcheval Monotone Signatures ENS-CNRS Financial Cryptography ‘2001 - Grand Cayman Island - BWI - February 2001 - 6

Achievement Achievement A Signature Scheme such that, after a corruption, one updates the verification process in such a way that only “really” valid signatures are accepted However, at the time of the corruption, the adversary “thinks” he holds the secret key David Pointcheval Monotone Signatures ENS-CNRS Financial Cryptography ‘2001 - Grand Cayman Island - BWI - February 2001 - 7 Signatures Signatures Signing Algorithm Verification Algorithm S P σ m True/False m Security: it is impossible to produce a new valid pair ( m, σ ) David Pointcheval Monotone Signatures ENS-CNRS Financial Cryptography ‘2001 - Grand Cayman Island - BWI - February 2001 - 8

Monotone Predicates Monotone Predicates The Verification Algorithm checks a predicate: ( m, σ ) = P ( m, σ ) 1 , 2 , … , Predicates n are said to be monotone if for any input x n ( x ) ⇒ n -1 ( x ) ⇒ … ⇒ 2 ( x ) ⇒ 1 ( x ) 1 ( x ) = x is an integer ● 2 ( x ) = x is even ● 3 ( x ) = x is zero ● David Pointcheval Monotone Signatures ENS-CNRS Financial Cryptography ‘2001 - Grand Cayman Island - BWI - February 2001 - 9 Monotone Signature Monotone Signature ◆ A Key Generation Algorithm � ( 1 k , 1 n ) → ( S 1 ,…, S n ; P 1 ,…, P n ) ◆ A Signing Algorithm � S 1 ,…, S n ( m ) → σ ◆ A list of n Monotone Verifying Algorithms � i P 1 ,…, P i ( m, σ ) → True/False for i =1,…, n David Pointcheval Monotone Signatures ENS-CNRS Financial Cryptography ‘2001 - Grand Cayman Island - BWI - February 2001 - 10

Properties Properties As for any Signature Scheme: ◆ Completeness: σ = � S 1 ,…, S n ( m ) ⇒ � n P 1 ,…, P n ( m, σ ) = True ◆ Soundness: (No Existential Forgery) for any adversary A, the probability of ( m, σ ) ← A( S 1 ,…, S i -1 , P 1 ,…, P i ): � i P 1 ,…, P i ( m, σ ) = True is negligible David Pointcheval Monotone Signatures ENS-CNRS Financial Cryptography ‘2001 - Grand Cayman Island - BWI - February 2001 - 11 Indistinguishability Indistinguishability Missing public keys must not change the distribution: For any i ≤ n , there exists a simulator � such that the distributions, for any m ● � S 1 ,…, S i ( m ) ● � S 1 ,…, S n ( m ) are indistinguishable for someone who does not know the S i +1 ,…, S n David Pointcheval Monotone Signatures ENS-CNRS Financial Cryptography ‘2001 - Grand Cayman Island - BWI - February 2001 - 12

Attacks Attacks As usual, one can consider ◆ no-message attacks: the adversary just knows the verification algorithm ( i.e. the public key) ◆ known-message attacks: she knows some message-signature pairs ◆ (adaptively) chosen-message attacks: she has access to a signature oracle David Pointcheval Monotone Signatures ENS-CNRS Financial Cryptography ‘2001 - Grand Cayman Island - BWI - February 2001 - 13 Corruption Corruption But we have to consider the corruption: the adversary ● gets some secret keys S 1 ,…, S j ● checks their validity w.r.t. P 1 ,…, P j ◆ immediate attacks: the adversary forges signatures before the j +1 P 1 ,…, P j +1 (thus without P j +1 ) update to ◆ delayed attacks: the adversary waits for the new verification algorithm (with P j +1 ) before starting to forge David Pointcheval Monotone Signatures ENS-CNRS Financial Cryptography ‘2001 - Grand Cayman Island - BWI - February 2001 - 14

Immediate Attacks Immediate Attacks ◆ runs the Key Generation Algorithm ( 1 k , 1 n ) → ( S 1 ,…, S n ; P 1 ,…, P n ) publishes a partial public key ( P 1 ,…, P i ) ◆ S 1 ,…, S n ( m ) → σ ◆ produces signatures ◆ Corruption: the adversary gets ( S 1 ,…, S j ) ◆ Forgeries: the adversary forges new signatures publishes new public keys ( P i+ 1 ,…) ◆ David Pointcheval Monotone Signatures ENS-CNRS Financial Cryptography ‘2001 - Grand Cayman Island - BWI - February 2001 - 15 Random- -looking Redundancy looking Redundancy Random To prevent immediate attacks, one can simply use ● subliminal channel (low bandwidth) ● secret-redundancy From a signature scheme ( � , � , � ), one signs a redundant message µ = m || r , where r “looks” random but r i = f i ( m,r 1 ,…,r i -1 ) for some i David Pointcheval Monotone Signatures ENS-CNRS Financial Cryptography ‘2001 - Grand Cayman Island - BWI - February 2001 - 16

Symmetric Monotone Signatures Symmetric Monotone Signatures The published verification key is just the public key of the basic scheme After corruption (and thus publication of the signing key), one publishes some redundancy criteria ⇒ immediate forgeries will be spotted Further corruptions (under immediate attacks) will be prevented until some secret redundancy remains. David Pointcheval Monotone Signatures ENS-CNRS Financial Cryptography ‘2001 - Grand Cayman Island - BWI - February 2001 - 17 Delayed Attacks Delayed Attacks ◆ � runs the Key Generation Algorithm ( 1 k , 1 n ) → ( S 1 ,…, S n ; P 1 ,…, P n ) ◆ � publishes a partial public key ( P 1 ,…, P i ) S 1 ,…, S n ( m ) → σ ◆ � produces signatures ◆ Corruption: the adversary gets ( S 1 ,…, S j ) ◆ � publishes new public keys ( P i+ 1 ,…) ◆ Forgeries: the adversary forges new signatures David Pointcheval Monotone Signatures ENS-CNRS Financial Cryptography ‘2001 - Grand Cayman Island - BWI - February 2001 - 18

Concatenation of Signatures Concatenation of Signatures To prevent delayed attacks, one can concatenate mixture of signatures and random strings: � S 1 ,…, S n ( m ) = � S 1 ( m ) || � S 2 ( m ) || R 3 || � S 4 ( m ) || ... || R n But then, the distributions, for any key S i , and any message m , � S i ( m ) and R ← {0,1} l must be indistinguishable David Pointcheval Monotone Signatures ENS-CNRS Financial Cryptography ‘2001 - Grand Cayman Island - BWI - February 2001 - 19 Example: Schnorr’s Schnorr’s Signature Signature Example: � = <g> of prime order q y=g x : public key x : secret key Signature of the message m : σ = ( e,s ) from a random k ∈ � q get r=g k then e=h ( m,r ) and s = k-xe mod q Verification of ( m , σ ) : test whether e=h ( m, g s y e ) Actually � ( m ) = ( e,s ) ∈ R � q × � q ⇒ indistinguishable from a random pair Don’t use ( r,s ) as output signature! David Pointcheval Monotone Signatures ENS-CNRS Financial Cryptography ‘2001 - Grand Cayman Island - BWI - February 2001 - 20

Properties Properties ◆ At least n Schnorr’s signatures to prevent up to n corruptions ◆ And about n random values as well Therefore: ◆ Cost: n times the basic computational time ● n exponentiation per signature ● 2 i exponentiations per verification ◆ Length: 2 n times the basic length ⇒ 2 n × 320 bits = 80 n Bytes David Pointcheval Monotone Signatures ENS-CNRS Financial Cryptography ‘2001 - Grand Cayman Island - BWI - February 2001 - 21 Okamoto- -Schnorr Signature Schnorr Signature Okamoto Extending the Okamoto’s variant: = <g> of order q and g 1 ,…,g n ∈ ● ( x 1 ,…,x n ) : secret key ● y=g 1 x 1 … g nx n : public key ◆ Signature of m : ● t 1 ,…,t n and then r=g 1 t 1 … g nt n ● get e=h ( m,r ) ● s i = t i -x i e mod q ◆ Verification: e=h ( m, g 1 s n y e ) s 1 … g n David Pointcheval Monotone Signatures ENS-CNRS Financial Cryptography ‘2001 - Grand Cayman Island - BWI - February 2001 - 22