practical and tightly secure digital signatures and
play

Practical and Tightly-Secure Digital Signatures and Authenticated - PowerPoint PPT Presentation

Feb 01, 2023 •20 likes •360 views

Practical and Tightly-Secure Digital Signatures and Authenticated Key Exchange Kristian Gjsteen 1 Tibor Jager 2 NTNU - Norwegian University of Science and Technology, Trondheim, Norway, kristian.gjosteen@ntnu.no Paderborn University, Paderborn,

  1. Practical and Tightly-Secure Digital Signatures and Authenticated Key Exchange Kristian Gjøsteen 1 Tibor Jager 2 NTNU - Norwegian University of Science and Technology, Trondheim, Norway, kristian.gjosteen@ntnu.no Paderborn University, Paderborn, Germany, tibor.jager@upb.de CRYPTO 2018

  2. Authenticated Key Exchange Alice Bob Alice and Bob want to exchange a key.

  3. Authenticated Key Exchange . . . Carol Dave Alice Bob Alice and Bob and Carol and . . . want to exchange keys.

  4. Authenticated Key Exchange ← Carol! . . . → k Carol Dave Bob! → → k or rnd? Alice Bob The adversary ◮ directs honest users’ key exchanges; ◮ can inspect keys or test keys (real-or-random); ◮ controls the network; ◮ and can adaptively corrupt users.

  5. Authenticated Key Exchange . . . Carol Dave Alice Bob Our goal: If ◮ Alice believes she has exchanged a key with Bob, it must be true that ◮ Bob exchanged exactly the same key exactly once with Alice; and ◮ it looks random.

  6. Why Security Proofs? A typical security proof is a reduction from some problem to attacking our crypto: A poly-time crypto adversary with non-negligible advantage gives us a poly-time problem solver with non-negligible advantage. The scheme is secure if we believe no such solver exists. Why do we want them? ◮ Why not? ◮ Ensure that our system is not trivially breakable. ◮ Help us choose security parameters.

  7. Why Security Proofs? A typical security proof is a reduction from some problem to attacking our crypto: A crypto adversary using time T 1 with advantage ǫ 1 gives us a problem solver using time T 2 with advantage ǫ 2 . The scheme is secure if we believe no such solver exists. Why do we want them? ◮ Why not? ◮ Ensure that our system is not trivially breakable. ◮ Help us choose security parameters.

  8. Why Tight Security Proofs? A typical security proof is a reduction from some problem to attacking our crypto: A crypto adversary using time T 1 with advantage ǫ 1 gives us a problem solver using time T 2 with advantage ǫ 2 . The scheme is secure if we believe no such solver exists. ◮ A reduction is tight if T 1 ≈ T 2 and ǫ 1 ≈ ǫ 2 . Why do we want them? ◮ Why not? ◮ Ensure that our system is not trivially breakable. ◮ Help us choose security parameters.

  9. Plain Diffie-Hellman No Tampering + Static Corruption = No Problem . . . x = g a x Bob! → → Alice k = y a ← y → k = x b y = g b

  10. Plain Diffie-Hellman No Tampering + Static Corruption = No Problem . . . x y x = g a Carol! → k = y a ← y When Alice talks to a corrupted Carol, we run Diffie-Hellman as usual.

  11. Plain Diffie-Hellman No Tampering + Static Corruption = No Problem . . . x x Bob! → → Alice k = z ← y y → k = z When Alice talks to an honest Bob, we simulate the conversation using a Diffie-Hellman tuple ( g , x , y , z ). Rerandomization gives us many tuples and a tight proof.

  12. Plain Diffie-Hellman No Tampering + Adaptive Corruption = Commitment Problem . . . x Carol! → The commitment problem: the adversary may corrupt the responder after we have committed by sending the first message.

  13. Plain Diffie-Hellman No Tampering + Adaptive Corruption = Commitment Problem . . . x Carol! → The commitment problem: the adversary may corrupt the responder after we have committed by sending the first message.

  14. Plain Diffie-Hellman No Tampering + Adaptive Corruption = Commitment Problem . . . x Carol! → The commitment problem: the adversary may corrupt the responder after we have committed by sending the first message. We can guess a communicating pair, but then tightness is lost.

  15. Our Modified Diffie-Hellman No Tampering + Adaptive Corruption = No Problem . . . h = H ( x = g a ) h Bob! → → Alice y y = g b k = y a ← → k = x b x x ◮ We hash the first message, and send x only after receiving the response.

  16. Our Modified Diffie-Hellman No Tampering + Adaptive Corruption = No Problem . . . h y x h Carol! → y x ◮ We hash the first message, and send x only after receiving the response. ◮ In the random oracle model, our reduction does not have to commit to x until we know if the response was honest or not. We get a tight reduction.

  17. Our Modified Diffie-Hellman No Tampering + Adaptive Corruption = No Problem . . . h y x h Carol! → y x = g a ◮ We hash the first message, and send x only after receiving the response. ◮ In the random oracle model, our reduction does not have to commit to x until we know if the response was honest or not. We get a tight reduction.

  18. Our Modified Diffie-Hellman No Tampering + Adaptive Corruption = No Problem . . . h = H ( x = g a ) h Bob! → → Alice y y = g b k = y a ← → k = x b x x ◮ We hash the first message, and send x only after receiving the response. ◮ Note that there is an additional message flow compared to plain Diffie-Hellman. The responder also learns the key later. This is often not a problem.

  19. Security Parameters and Performance We compare our protocol with plain Diffie-Hellman. We want 128-bit security. Our protocol will use the NIST P-256 curve.

  20. Security Parameters and Performance We compare our protocol with plain Diffie-Hellman. We want 128-bit security. Our protocol will use the NIST P-256 curve. For plain Diffie-Hellman: ◮ Small-scale: 2 16 users, 2 16 sessions and quadratic loss 2 64 : NIST P-384. ◮ Large-scale: 2 32 users, 2 32 sessions and quadratic loss 2 128 : NIST P-521. Exponentiation relative time cost: P-256 = 1, P-384 = 2 . 7, P-521 = 7 . 7.

  21. Security Parameters and Performance We compare our protocol with signed Diffie-Hellman. We want 128-bit security. Our protocol will use the NIST P-256 curve. For signed Diffie-Hellman: ◮ Small-scale: 2 16 users, 2 16 sessions and quadratic loss 2 64 : NIST P-384. ◮ Large-scale: 2 32 users, 2 32 sessions and quadratic loss 2 128 : NIST P-521. Exponentiation relative time cost: P-256 = 1, P-384 = 2 . 7, P-521 = 7 . 7. small-scale large-scale # exps. # bits time # bits time Our scheme 2 770 2 770 2 Plain DH 2 770 5.4 1044 15.4

  22. Our Modified Diffie-Hellman No Tampering + Adaptive Corruption = A Need for Signatures . . . h = H ( x = g a ) h Bob! → → Alice y y = g b k = y a ← → k = x b x x ◮ If the adversary is allowed to tamper with messages, this protocol obviously fails.

  23. Our Modified Diffie-Hellman No Tampering + Adaptive Corruption = A Need for Signatures . . . h = H ( x = g a ) h Bob! → → Alice y , σ B y = g b , σ B k = y a ← → k = x b x , σ A x , σ A ◮ If the adversary is allowed to tamper with messages, this protocol obviously fails. ◮ The natural answer is to add the usual signatures. ◮ But this requires a signature scheme with a tight reduction!

  24. Signatures with Tight Reductions The standard security notion for signatures considers only a single key pair. ◮ There is a standard reduction to many key pairs, but it is non-tight. ◮ In fact, the loss in the standard reduction is quadratic in the number of users, because of adaptive compromise.

  25. Signatures with Tight Reductions The standard security notion for signatures considers only a single key pair. ◮ There is a standard reduction to many key pairs, but it is non-tight. ◮ In fact, the loss in the standard reduction is quadratic in the number of users, because of adaptive compromise. The main obstacle to a tight reduction: ◮ We need to know every secret key to respond to compromise. ◮ We need to extract something from the eventual forgery.

  26. Signatures with Tight Reductions The standard security notion for signatures considers only a single key pair. ◮ There is a standard reduction to many key pairs, but it is non-tight. ◮ In fact, the loss in the standard reduction is quadratic in the number of users, because of adaptive compromise. The main obstacle to a tight reduction: ◮ We need to know every secret key to respond to compromise. ◮ We need to extract something from the eventual forgery. Tight reductions are impossible for schemes with unique signatures or signing keys.

  27. “Double-signature” idea The “double-signature” idea from Bader et al. (TCC 15). ◮ The user has “real” and a “fake” verification key. ◮ A signature consists of a real signature for the “real” verification key, and a fake signature for the “fake” verification key. ◮ We embed our hard problem in the “fake” verification key. ◮ If “real” and “fake” keys and signatures are indistinguishable, the adversary will produce a forgery that applies to the “fake” verification key with probability 1 / 2. This “double-signature” idea does not work for most signature schemes. The only previous construction is impractical.

  28. Our Signature Scheme Our basis is the The Goh-Jarecki signature scheme, which uses a cyclic group G and a hash function H : { 0 , 1 } ∗ → G .

  29. Our Signature Scheme Our basis is the The Goh-Jarecki signature scheme, which uses a cyclic group G and a hash function H : { 0 , 1 } ∗ → G . Verification key: y = g a . Signature: z = H ( m ) a and a proof that log H ( m ) z = log g y .

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Tightly Secure Signatures and Public-Key Encryp8on Dennis

Tightly Secure Signatures and Public-Key Encryp8on Dennis

Tightly Secure Signatures and Public-Key Encryp8on Dennis Ho<einz and Tibor Jager Karlsruhe Ins,tute of Technology CRYPTO 2012 1 Tight

477 views • 15 slides
Tightly-Secure Signatures from Chameleon Hash Functions NIST, Maryland , PKC 2015 Olivier Blazy 1

Tightly-Secure Signatures from Chameleon Hash Functions NIST, Maryland , PKC 2015 Olivier Blazy 1

Tightly-Secure Signatures from Chameleon Hash Functions NIST, Maryland , PKC 2015 Olivier Blazy 1 , Saqib A. Kakvi 2 , Eike Kiltz 2 , Jiaxin Pan 2 1 University of Limoges, France 2 Ruhr University Bochum, Germany Keywords 1. Signatures 2. Tight

725 views • 44 slides
More Efficient (Almost) Tightly Secure Structure-Preserving Signatures Romain Gay 1 Dennis

More Efficient (Almost) Tightly Secure Structure-Preserving Signatures Romain Gay 1 Dennis

More Efficient (Almost) Tightly Secure Structure-Preserving Signatures Romain Gay 1 Dennis Hofheinz 2 Lisa Kohl 2 Jiaxin Pan 2 1 ENS Paris, France 2 Karlsruhe Institute of Technology, Germany R. Gay, D. Hofheinz, L. Kohl, J. Pan More Efficient

827 views • 45 slides
Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And Putting It All Together Lecture 12 Digital Signatures Digital Signatures Syntax: KeyGen, Sign SK and Verify VK . Security: Same experiment as MAC s,

1.72k views • 142 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-03-03 1 Outline Why assumptions? Efficient one-time signatures Digital Signatures 2020-03-03 2 Recap: Lamport EUF-1-CMA secure

1.14k views • 37 slides
1 Arbitrated Digital Signatures Digital Signature Standard (DSS) US Govt approved signature

1 Arbitrated Digital Signatures Digital Signature Standard (DSS) US Govt approved signature

CPE 542: CRYPTOGRAPHY & NETWORK SECURITY Digital Signatures have looked at message authentication but does not address issues of lack of trust Chapter 13 Digital Signatures digital signatures provide the ability to:

361 views • 3 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-02-25 1 Outline Recap: security experiments Message space extension One-time signatures One-time signatures from one-way functions Digital

1.07k views • 48 slides
From Identification to Signatures, Tightly: A Framework and Generic Transforms Mihir Bellare,

From Identification to Signatures, Tightly: A Framework and Generic Transforms Mihir Bellare,

From Identification to Signatures, Tightly: A Framework and Generic Transforms Mihir Bellare, Bertram Poettering , Douglas Stebila UCSD / Ruhr University Bochum / McMaster ASIACRYPT 2016, Hanoi December 6, 2016 Signature schemes In a nutshell

647 views • 23 slides
Mediated Signatures - Towards Advanced Undeniability of Digital Data in Technical Digital

Mediated Signatures - Towards Advanced Undeniability of Digital Data in Technical Digital

M. Kutyowski Mediated Signatures - Towards Advanced Undeniability of Digital Data in Technical Digital Signatures Qualified Signatures and Legal Framework Validity of the Signature Standard Implementation Risk Issues Reasons of

436 views • 42 slides
qDSA: Small and Secure Digital Signatures with Curve-based Diffie-Hellman Key Pairs Joost Renes 1

qDSA: Small and Secure Digital Signatures with Curve-based Diffie-Hellman Key Pairs Joost Renes 1

qDSA: Small and Secure Digital Signatures with Curve-based Diffie-Hellman Key Pairs Joost Renes 1 Benjamin Smith 2 1 Radboud University 2 INRIA and Laboratoire dInformatique de l Ecole polytechnique 15 November 2017 15 November 2017 1 /

785 views • 75 slides
Digital Signatures and Authentication 1 Outline What is a digital signature ? General

Digital Signatures and Authentication 1 Outline What is a digital signature ? General

Digital Signatures and Authentication 1 Outline What is a digital signature ? General model Foundations of security RSA, DSA, ECDSA signatures Zero knowledge (Guillo-Quisquater) One-time signature Special

675 views • 46 slides
Digital Signatures (ctd.) Lecture 17 RECALL Digital Signatures Syntax: KeyGen, Sign SK and

Digital Signatures (ctd.) Lecture 17 RECALL Digital Signatures Syntax: KeyGen, Sign SK and

Digital Signatures (ctd.) Lecture 17 RECALL Digital Signatures Syntax: KeyGen, Sign SK and Verify VK . Security: Same experiment as MAC s, but adversary given VK Sig SK Ver VK s i = Sign SK (M i ) Ver VK (M,s) (M,s) M i VK Advantage =

693 views • 10 slides
Secure Communication Secure Communication Lecture 14 Wrap-Up We saw... Symmetric-Key

Secure Communication Secure Communication Lecture 14 Wrap-Up We saw... Symmetric-Key

Secure Communication Secure Communication Lecture 14 Wrap-Up We saw... Symmetric-Key Components SKE, MAC Public-Key Components PKE, Digital Signatures Building blocks: Block-ciphers (AES), Hash-functions (SHA-3), Trapdoor PRG/OWP for PKE

1.07k views • 72 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung) Digital Signatures 2020-05-19 1 Outline Waters signatures Overview over course topics General remarks Digital Signatures 2020-05-19 2 Recap:

250 views • 20 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung) Digital Signatures 2020-03-31 1 Outline Gennaro-Halevi-Rabin signatures Chameleon hash functions Digital Signatures 2020-03-31 2 RSA

785 views • 29 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung) Digital Signatures 2020-03-24 1 Outline Parameter choices RSA-PSS Genaro-Halevi-Rabin signatures Digital Signatures 2020-03-24 2 Recap Last

661 views • 53 slides
Discrete Mathematics with Applications MATH236 Dr. Hung P. Tong-Viet School of Mathematics,

Discrete Mathematics with Applications MATH236 Dr. Hung P. Tong-Viet School of Mathematics,

Discrete Mathematics with Applications MATH236 Dr. Hung P. Tong-Viet School of Mathematics, Statistics and Computer Science University of KwaZulu-Natal Pietermaritzburg Campus Semester 1, 2013 Tong-Viet (UKZN) MATH236 Semester 1, 2013 1 /

1.41k views • 108 slides
Signature Schemes Chester Rebeiro IIT Madras CR STINSON : chapter 7 Recall : MACs y = h K (x)

Signature Schemes Chester Rebeiro IIT Madras CR STINSON : chapter 7 Recall : MACs y = h K (x)

Signature Schemes Chester Rebeiro IIT Madras CR STINSON : chapter 7 Recall : MACs y = h K (x) Alice Bob h K = K Attack at Dawn!! Message Digest h K K unsecure channel Message Message Attack at Dawn!! MACs allow Bob to be

696 views • 35 slides
DIGITAL SIGNATURES 1 / 74 Signing by hand ALICE Pay Bob $100 COSMO ALICE

DIGITAL SIGNATURES 1 / 74 Signing by hand ALICE Pay Bob $100 COSMO ALICE

DIGITAL SIGNATURES 1 / 74 Signing by hand ALICE Pay Bob $100 COSMO ALICE Cosmo Alice Alice Bank =? no yes pay Bob Dont 2 / 74 Signing electronically SIGFILE scan Alice 101 1

654 views • 43 slides
How to achieve a McEliece-based Digital Signature Scheme Nicolas Courtois Matthieu Finiasz

How to achieve a McEliece-based Digital Signature Scheme Nicolas Courtois Matthieu Finiasz

How to achieve a McEliece-based Digital Signature Scheme Nicolas Courtois Matthieu Finiasz Nicolas Sendrier ASIACRYPT 2001 Brisbane McEliece in a nutshell (Niederreiter version) This scheme is equivalent to the original McEliece

432 views • 12 slides
Computer Security 3e Dieter Gollmann Security.di.unimi.it/sicurezza1516/ Chapter 14: 1 Chapter

Computer Security 3e Dieter Gollmann Security.di.unimi.it/sicurezza1516/ Chapter 14: 1 Chapter

Computer Security 3e Dieter Gollmann Security.di.unimi.it/sicurezza1516/ Chapter 14: 1 Chapter 1: Cryptography Chapter 14: 2 Cryptography Cryptography is the science and study of secret writing. Cryptanalysis is the science and study

854 views • 48 slides
Introduction to MiniApp (Packaging & Manifest) Yongjing Zhang zhangyongjing@huawei.com

Introduction to MiniApp (Packaging & Manifest) Yongjing Zhang zhangyongjing@huawei.com

Introduction to MiniApp (Packaging & Manifest) Yongjing Zhang zhangyongjing@huawei.com Huawei Device Co., Ltd. July 2020 MiniApp Packaging Each MiniApp package is a specialized ZIP file (to be registered as

804 views • 6 slides
IM IMPLEMENTATION OF DIG IGIT ITAL SIG IGNATURE IN IN THE AVIA IATION IN INDUSTRY 13 13

IM IMPLEMENTATION OF DIG IGIT ITAL SIG IGNATURE IN IN THE AVIA IATION IN INDUSTRY 13 13

IM IMPLEMENTATION OF DIG IGIT ITAL SIG IGNATURE IN IN THE AVIA IATION IN INDUSTRY 13 13 OCTOBER 2017 1. What is Digital Signature? 2. Why use Digital Certificate? 3. Digital Signature Act 1997 4. Digital Signature Regulations 1998

282 views • 12 slides
Security of the Fiat-Shamir Transformation in the Quantum Random-Oracle Model Jelle Don, Serge

Security of the Fiat-Shamir Transformation in the Quantum Random-Oracle Model Jelle Don, Serge

Security of the Fiat-Shamir Transformation in the Quantum Random-Oracle Model Jelle Don, Serge Fehr, Christian Majenz and Christian Schaffner QIP 2020 Hilton Shenzhen Shekou Nanhai Hotel, Shenzhen, China Two facts of life Two facts of life

1.38k views • 98 slides

More recommend