

  1. From Identification to Signatures, Tightly: A Framework and Generic Transforms
     Mihir Bellare, Bertram Poettering, Douglas Stebila
     UCSD / Ruhr University Bochum / McMaster
     ASIACRYPT 2016, Hanoi, December 6, 2016

  2. Signature schemes
     In a nutshell
     • digital analogue to written signatures
     • easy to create and verify
     • security goal: unforgeability
     (diagram: Sign(sk, m) → σ; Vrf(vk, m, σ) → 0 / 1)
     Examples and applications
     • 2 × PKCS#1, DSA, ECDSA, EdDSA, ECSchnorr
     • message authentication (emails), entity authentication (TLS, . . . )
     From Identification to Signatures, Tightly: A Framework and Generic Transforms 2 / 20

  3. Fiat-Shamir: Identification scheme → signature scheme
     FS transform is versatile
     • Fiat-Shamir from FACT
     • Guillou-Quisquater from RSA
     • Schnorr from DLP
     Standardized instantiations of FS/Schnorr
     • EdDSA
     • ECSchnorr
     • DSA/ECDSA
     Evolution of security argument (always ROM)
     • [FS] purely heuristic
     • [PS] from ZK
     • [OO,AABN] from ID scheme

  4. Our contributions
     Observations
     • FS reduction inherently untight
       ◮ due to forking/reset lemma
       ◮ consequence: large keys and signatures
     • exception: FACT-based ad-hoc variant Swap [MR]
     Contributions
     • ID schemes with trapdoors
       ◮ instantiations from GQ, MR, CFP
     • new transforms: (trapdoor) ID → signature
       ◮ depend on new security requirements for ID
       ◮ tight reductions in all cases
     • understanding Swap
       ◮ finding the right abstraction boundaries

  5. Security of signature schemes
     (diagram: Sign(sk, m) → σ; Vrf(vk, m, σ) → 0 / 1)
     Unforgeability (UF)
     • signature oracle signs any message
     • goal of adversary: craft signature on new message
     Unique unforgeability (UUF)
     • signature oracle signs any message at most once
     • goal of adversary: craft signature on new message
     Transforms UUF → UF?
     • exist with tight reduction
     • new goal: construct UUF signatures

  6. Transforms UUF → UF
     DR: Removing randomness
     • idea: derandomize signing algorithm
     • consequence: at most one signing query per message w.l.o.g.
     • use private RO: r ← H(sk, m); σ ← Sign(sk, m; r)
     • advantage: same signature size and verification procedure
     • disadvantage: requires one more RO
     AR: Adding randomness
     • idea: make messages unique by randomizing them
     • consequence: at most one signing query per message effectively
     • add salt to messages: s ←$; σ′ ← Sign(sk, m‖s); σ ← σ′‖s
     • advantage: standard model
     • disadvantage: larger signatures
     Security
     • in both cases: tight reductions
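The two UUF → UF transforms of slide 6, as an added example that is not part of the slides or the authors' code. The underlying randomized scheme is a Fiat-Shamir/Schnorr signature over a constructed toy group (p = 1019, q = 509, g = 4); SHA-256 with a tag stands in for the random oracle, and the names `sign_dr`, `sign_ar`, `verify_ar` and the 16-byte salt length are this example's own choices. DR feeds `r ← H(sk, m)` into the same signing routine, so signatures and `verify` are unchanged; AR signs `m‖s` and ships `s` with the signature.

```python
import hashlib
import secrets

# Toy Schnorr group (constructed): p = 2q + 1 with q prime, g generates the
# order-q subgroup. Far too small for real use; enough to run the transforms.
P, Q, G = 1019, 509, 4


def H(tag: bytes, *parts: bytes, mod: int) -> int:
    """Random-oracle stand-in: SHA-256 over tag and length-prefixed parts, reduced mod `mod`."""
    h = hashlib.sha256(tag)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return int.from_bytes(h.digest(), "big") % mod


def enc(n: int) -> bytes:
    return n.to_bytes(4, "big")


def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return pow(G, sk, P), sk                # (vk, sk)


def sign(sk: int, m: bytes, r=None):
    """Fiat-Shamir/Schnorr Sign(sk, m; r): randomized unless the coins r are supplied."""
    y = secrets.randbelow(Q - 1) + 1 if r is None else r
    Y = pow(G, y, P)                        # commitment
    c = H(b"FS", enc(Y), m, mod=Q)          # challenge from the RO
    z = (y + c * sk) % Q                    # response
    return Y, z


def verify(vk: int, m: bytes, sig) -> bool:
    Y, z = sig
    c = H(b"FS", enc(Y), m, mod=Q)
    return pow(G, z, P) == (Y * pow(vk, c, P)) % P   # g^z == Y * vk^c


# DR: derive the signing coins from a private RO on (sk, m). A repeated message
# now yields the identical signature, so there is at most one effective signing
# query per message; signature format and verification are unchanged.
def sign_dr(sk: int, m: bytes):
    r = H(b"DR", enc(sk), m, mod=Q - 1) + 1   # r ← H(sk, m), in [1, q-1]
    return sign(sk, m, r)


verify_dr = verify

# AR: salt the message so every signing query is on a fresh string. The salt
# travels with the signature, which therefore grows by SALT_LEN bytes.
SALT_LEN = 16


def sign_ar(sk: int, m: bytes):
    s = secrets.token_bytes(SALT_LEN)
    return sign(sk, m + s), s               # σ' ← Sign(sk, m‖s); σ ← (σ', s)


def verify_ar(vk: int, m: bytes, sig) -> bool:
    inner, s = sig
    return len(s) == SALT_LEN and verify(vk, m + s, inner)


if __name__ == "__main__":
    vk, sk = keygen()
    m = b"pay 10 to bob"
    print("DR signatures repeat:", sign_dr(sk, m) == sign_dr(sk, m))
    print("AR signature verifies:", verify_ar(vk, m, sign_ar(sk, m)))
```

Because the salt has a fixed length, `m + s` parses unambiguously; a variable-length salt would need an explicit encoding or the verifier could be tricked into splitting the string at a different point.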

  7. Identification schemes
     Prover(pk, sk)                                  Verifier(pk)
     (Y, y) ←$ Cmt
                       ----- Y (commitment) ---->
                                                     c ←$
                       <---- c (challenge) ------
     z ← Rsp(sk, y, c)
                       ----- z (response) ------>
                                                     Vrf(pk, Y‖c‖z) = 0 / 1

  8. Identification schemes with trapdoor
     Prover(pk, sk, tk)                              Verifier(pk)
     Y ←$ CmtSp
     y ← Cmt⁻¹(tk, Y)
                       ----- Y (commitment) ---->
                                                     c ←$
                       <---- c (challenge) ------
     z ← Rsp(sk, y, c)
                       ----- z (response) ------>
                                                     Vrf(pk, Y‖c‖z) = 0 / 1
     Trapdoor property
     • given trapdoor tk, algorithm Cmt⁻¹(tk, ·) computes y from Y
     • compatible distributions: (Y, y) ←$ Cmt  ≈  Y ←$ CmtSp; y ← Cmt⁻¹(tk, Y)

  9. Identification schemes: classical security notions
     (protocol diagram as on slide 8)
     Impersonation resilience
     • adversary has access to
       ◮ public key pk
       ◮ transcript oracle: provides fresh Y, c, z
       ◮ challenge oracle: on input Y provides fresh c, expects z
     • goal of adversary: forge valid transcript
     • transcript oracle models passive attack
     • IMP-PA of [AABN] allows at most one challenge query

  10. Identification schemes: obtaining signatures
     (protocol diagram as on slide 8)
     Signatures from IMP-PA
     • via Fiat-Shamir transform
     • reduction from IMP-PA not tight: reset lemma loses factor q_H
     Observations
     • untight because of single challenge query
     • untight because of free choice of commitment
     • alternative notions that allow for tight reductions/instantiations?

  11. Identification schemes: new security notions
     Constrained impersonation framework
     • four variants: CIMP-xy with xy ∈ {CC, CU, UC, UU}
     • adversary has access to
       ◮ public key pk
       ◮ transcript oracle: provides fresh Y, c, z
       ◮ challenge oracle of type xy
     • goal of adversary: forge valid transcript
     • multiple queries allowed to both oracles
     Meaning of xy ∈ {CC, CU, UC, UU}
     • C for ‘chosen’, U for ‘unchosen’
     • x = C: commitment chosen by adversary
     • x = U: commitment reused from honest transcript
     • y = C: challenge chosen by adversary
     • y = U: challenge picked honestly (at random)
     Note: CIMP-CU is the multi-challenge version of IMP-PA

  12. Identification schemes: new security notions
     Games for CIMP-{CU, CC, UC, UU}
     Game CIMP:
       (pk, sk) ← KGen
       z ← A^{Tr,Ch}(pk)
       v ← Vrf(pk, Y‖c‖z)
       Output v
     Tr():
       (Y, y) ← Cmt
       c ←$
       z ← Rsp(sk, y, c)
       Return Y‖c‖z
     Ch(Y, c)  [CC]:
       Return Y‖c
     Ch(Y)  [CU]:
       c ←$
       Return Y‖c
     Ch(i, c)  [UC]:
       Y ← Y_i
       Return Y‖c
     Ch(i)  [UU]:
       Y ← Y_i
       c ←$
       Return Y‖c


  15. Signatures from ID schemes
     Fiat-Shamir (our view on it)
     • no restriction on commitment Y, challenge c from RO
     • corresponds to CIMP-CU notion
     • no trapdoor required for ID scheme
     Sign(sk, m):
       (Y, y) ←$ Cmt
       c ← H(Y, m)
       z ← Rsp(sk, y, c)
       σ ← (Y, z)
     Vrf(vk, m, σ):
       (Y, z) ← σ
       c ← H(Y, m)
       T ← Y‖c‖z
       v ← Vrf(vk, T)
     Security
     • UF tightly reduces to CIMP-CU

  16. Signatures from ID schemes
     MdCmt (message-dependent commitment)
     • commitment Y from RO, no restriction on challenge c
     • corresponds to CIMP-UC notion
     • needs ID scheme with trapdoor
     Sign(sk, m):
       Y ← H(m)
       y ← Cmt⁻¹(tk, Y)
       c ←$
       z ← Rsp(sk, y, c)
       σ ← (c, z)
     Vrf(vk, m, σ):
       (c, z) ← σ
       Y ← H(m)
       T ← Y‖c‖z
       v ← Vrf(vk, T)
     Security
     • UUF tightly reduces to CIMP-UC

  17. Signatures from ID schemes
     MdCmtCh (message-dependent commitment and challenge)
     • commitment Y and challenge c from RO
     • corresponds to CIMP-UU notion
     • needs ID scheme with trapdoor
     Sign(sk, m):
       Y ← H1(m)
       y ← Cmt⁻¹(tk, Y)
       b ←$ {0, 1}
       c ← H2(m‖b)
       z ← Rsp(sk, y, c)
       σ ← (b, z)
     Vrf(vk, m, σ):
       (b, z) ← σ
       Y ← H1(m)
       c ← H2(m‖b)
       T ← Y‖c‖z
       v ← Vrf(vk, T)
     Security
     • UUF tightly reduces to CIMP-UU

  18. Signatures from ID schemes
     MdCh (message-dependent challenge)
     • no restriction on commitment Y, challenge c from RO
     • salt added to message
     • no trapdoor required for ID scheme
     Sign(sk, m):
       (Y, y) ←$ Cmt
       s ←$
       c ← H(m‖s)
       z ← Rsp(sk, y, c)
       σ ← (Y, s, z)
     Vrf(vk, m, σ):
       (Y, s, z) ← σ
       c ← H(m‖s)
       T ← Y‖c‖z
       v ← Vrf(vk, T)
     Security
     • UF tightly reduces to CIMP-CC
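The trapdoor ID scheme of slide 8 and the four transforms of slides 15 to 18, as one added example that is not part of the slides or the authors' code. The ID scheme is Guillou-Quisquater (named on slides 3 and 4) over a constructed toy RSA modulus N = 61·53 with prime exponent e = 1009; its trapdoor is the RSA private exponent d, so Cmt⁻¹(tk, Y) = Y^d recovers y from Y = y^e. SHA-256 with a tag stands in for the random oracles, and hashing into CmtSp = Z_N^* by rejection sampling on a counter is this example's own choice; all function names are assumptions. Each transform carries a comment naming the CIMP notion it corresponds to.

```python
import hashlib
import math
import secrets

# Toy GQ/RSA parameters (constructed): N = 61 * 53, phi = 60 * 52, prime e
# coprime to phi; the trapdoor is d = e^-1 mod phi. Far too small for real use.
N, PHI, E = 3233, 3120, 1009
D = pow(E, -1, PHI)


def H(tag: bytes, *parts: bytes, mod: int) -> int:
    """Random-oracle stand-in: SHA-256 over tag and length-prefixed parts, reduced mod `mod`."""
    h = hashlib.sha256(tag)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return int.from_bytes(h.digest(), "big") % mod


def enc(n: int) -> bytes:
    return n.to_bytes(4, "big")


def rand_unit() -> int:
    """Y <-$ CmtSp: a uniform element of Z_N^*."""
    while True:
        v = secrets.randbelow(N - 1) + 1
        if math.gcd(v, N) == 1:
            return v


# --- GQ as an ID scheme with trapdoor: pk = (N, e, X = x^e), sk = x, tk = d
def gq_keygen():
    x = rand_unit()
    return (N, E, pow(x, E, N)), x, D           # (pk, sk, tk)


def gq_cmt():
    y = rand_unit()
    return pow(y, E, N), y                       # (Y, y) <-$ Cmt


def gq_cmt_inv(tk: int, Y: int) -> int:
    return pow(Y, tk, N)                         # y <- Cmt^-1(tk, Y) = Y^d


def gq_cmt_via_trapdoor(tk: int):
    Y = rand_unit()                              # Y <-$ CmtSp
    return Y, gq_cmt_inv(tk, Y)                  # same distribution as gq_cmt()


def gq_rsp(sk: int, y: int, c: int) -> int:
    return (y * pow(sk, c, N)) % N               # z <- y * x^c


def gq_vrf(pk, Y: int, c: int, z: int) -> bool:
    _, e, X = pk
    return pow(z, e, N) == (Y * pow(X, c, N)) % N   # z^e == Y * X^c


def hash_to_cmtsp(tag: bytes, m: bytes) -> int:
    """RO into CmtSp = Z_N^*; the counter rejection-samples the rare non-units."""
    ctr = 0
    while True:
        Y = H(tag, m, enc(ctr), mod=N)
        if math.gcd(Y, N) == 1:
            return Y
        ctr += 1


# --- the four transforms; every challenge is hashed or sampled into [0, e)
def fs_sign(sk, m):                  # Fiat-Shamir: UF from CIMP-CU, no trapdoor
    Y, y = gq_cmt()
    c = H(b"FS", enc(Y), m, mod=E)
    return Y, gq_rsp(sk, y, c)


def fs_vrf(pk, m, sig):
    Y, z = sig
    return gq_vrf(pk, Y, H(b"FS", enc(Y), m, mod=E), z)


def mdcmt_sign(sk, tk, m):           # MdCmt: UUF from CIMP-UC, needs trapdoor
    Y = hash_to_cmtsp(b"MdCmt", m)
    y = gq_cmt_inv(tk, Y)
    c = secrets.randbelow(E)
    return c, gq_rsp(sk, y, c)


def mdcmt_vrf(pk, m, sig):
    c, z = sig
    return gq_vrf(pk, hash_to_cmtsp(b"MdCmt", m), c, z)


def mdcmtch_sign(sk, tk, m):         # MdCmtCh: UUF from CIMP-UU, needs trapdoor
    Y = hash_to_cmtsp(b"MdCmtCh-H1", m)
    y = gq_cmt_inv(tk, Y)
    b = secrets.randbelow(2)
    c = H(b"MdCmtCh-H2", m, enc(b), mod=E)
    return b, gq_rsp(sk, y, c)


def mdcmtch_vrf(pk, m, sig):
    b, z = sig
    Y = hash_to_cmtsp(b"MdCmtCh-H1", m)
    return gq_vrf(pk, Y, H(b"MdCmtCh-H2", m, enc(b), mod=E), z)


def mdch_sign(sk, m):                # MdCh: UF from CIMP-CC, salted, no trapdoor
    Y, y = gq_cmt()
    s = secrets.token_bytes(16)
    c = H(b"MdCh", m, s, mod=E)
    return Y, s, gq_rsp(sk, y, c)


def mdch_vrf(pk, m, sig):
    Y, s, z = sig
    return gq_vrf(pk, Y, H(b"MdCh", m, s, mod=E), z)
```

The two trapdoor transforms (MdCmt, MdCmtCh) never sample the commitment, which is why they need `gq_cmt_inv` and why `gq_cmt_via_trapdoor` must produce the same (Y, y) distribution as `gq_cmt`: RSA exponentiation is a permutation of Z_N^*, so a uniform Y gives a uniform y. Note also that MdCmt's signature (c, z) carries no commitment at all, and MdCmtCh's carries only the bit b.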
