tightly secure signatures from chameleon hash functions
play

Tightly-Secure Signatures from Chameleon Hash Functions NIST, - PowerPoint PPT Presentation

May 06, 2023 •277 likes •725 views

Tightly-Secure Signatures from Chameleon Hash Functions NIST, Maryland , PKC 2015 Olivier Blazy 1 , Saqib A. Kakvi 2 , Eike Kiltz 2 , Jiaxin Pan 2 1 University of Limoges, France 2 Ruhr University Bochum, Germany Keywords 1. Signatures 2. Tight

  1. Tightly-Secure Signatures from Chameleon Hash Functions NIST, Maryland , PKC 2015 Olivier Blazy 1 , Saqib A. Kakvi 2 , Eike Kiltz 2 , Jiaxin Pan 2 1 University of Limoges, France 2 Ruhr University Bochum, Germany

  2. Keywords 1. Signatures 2. Tight Security 3. Chameleon Hash Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 2/30

  3. Signature ⊲ ( pk , sk ) ← $ Gen ⊲ σ ← $ Sign ( sk , M ) ⊲ 0 / 1 ← Ver ( pk , M , σ ) Correctness: ∀ ( pk , sk ) ← $ Gen , Ver ( pk , M , Sign ( sk , M )) = 1 Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 3/30

  4. UF-CMA Security Challenger Adversary ( pk , sk ) ← $ Gen pk M i σ i ← $ Sign ( sk , M i ) σ i ( M , σ ) Adversary wins: Ver ( pk , M , σ ) = 1 ∧ M / ∈ { M 1 , . . . , M Q } Q is the number of signing queries. Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 4/30

  5. Provable Security g, A ← $ G Adversary DLOG Reduction a ∈ Z p A = g a Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 5/30

  6. Provable Security g, A ← $ G “ DLOG problem is hard ⇒ scheme is secure” Adversary DLOG Reduction a ∈ Z p A = g a Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 5/30

  7. ◮ Let k be the security parameter, Adv [ Sig ] < f ( k ) · Adv [ DLOG ] Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 6/30

  8. Tight Security Adv [ Sig ] < f ( k ) · Adv [ DLOG ] ◮ “Tight” if f ( k ) = O (1) ◮ “Loose” if f ( k ) = O ( Q ) Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 7/30

  9. Why “tight”? ◮ In practice: ◦ We want efficient schemes! ◦ Smaller security parameters! Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 8/30

  10. For example ◮ We want 80-bit security and Q = 2 40 Tight scheme ⊲ Adv [ Sig ] < Adv [ DLOG ] < 2 − 80 = ⇒ We need DLOG problem with 80-bit security = ⇒ | p | = 160 (by the best DLOG attack) Loose Scheme ⊲ Adv [ Sig ] < 2 40 · Adv [ DLOG ] < 2 − 80 ⇒ Adv [ DLOG ] < 2 − 120 = = ⇒ We need DLOG problem with 120-bit security = ⇒ | p | = 240 (by the best DLOG attack) Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 9/30

  11. Signatures in the Standard Model ◮ Loose Reduction ◦ e.g. Waters ’05 ◮ Non-standard/“ Q -Type” Assumptions ◦ e.g. Boneh-Boyen ’04 ◮ Exceptions: . . . Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 10/30

  12. Tight Signatures from Standard Assumptions ◮ CRYPTO ’96 Cramer-Damgård: RSA ◮ PKC ’05 Catalano-Gennaro: Factoring ◮ CRYPTO ’12 Hofheinz-Jager: DLIN Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 11/30

  13. Tight Signatures from Standard Assumptions ◮ CRYPTO ’96 Cramer-Damgård: RSA ◮ PKC ’05 Catalano-Gennaro: Factoring ◮ CRYPTO ’12 Hofheinz-Jager: DLIN Question Generic constructions for tight signatures? Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 11/30

  14. Our Contribution TSIG[DLOG] DLOG TSIG[SIS] SIS TSIG[CDH] CDH Transformation TSIG[DLIN] DLIN TSIG[RSA] RSA . . . TSIG[. . .] Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 12/30

  15. Our Contribution Two-Tier Signature Tight Signature Chameleon Hash . . . DLOG SIS FAC Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 13/30

  16. Our Contribution [BS07] Two-Tier Signature Tight Signature Chameleon Hash . . . DLOG SIS FAC Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 13/30

  17. Two-Tier Signature ◮ Proposed by Bellare and Shoup at PKC ’07 Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 14/30

  18. Two-Tier Signature Two-Tier Signature Signature ◮ ( ppk , psk ) ← $ PrimaryGen ◮ ( pk , sk ) ← $ Gen ◮ ( spk , ssk ) ← $ SecondaryGen ◮ σ ← $ Sign ( sk , M ) ◮ σ ← $ TTSign ( sk , ssk , M ) ◮ 0 / 1 ← Ver ( pk , M , σ ) ◮ 0 / 1 ← TTVer ( pk , spk , M , σ ) Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 15/30

  19. Security of two-tier signature Challenger Adversary pk ( ppk , psk ) ← $ PrimaryGen M i ( spk i , ssk i ) ← $ SecondaryGen σ i ← $ TTSign ( sk , ssk i , M i ) ( σ i , spk i ) ( M , σ, spk ) Adversary wins: TTVer ( ppk , spk , M , σ ) = 1 ∧ M / ∈ { M 1 , . . . , M Q } ∧ spk = spk i for some i Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 16/30

  20. Two-Tier Signature → Standard Signature . . . . . . . . . . . . . . . . . . . . . . . . Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 17/30

  21. Two-Tier Signature → Standard Signature spk i ← $ SecondaryGen . . . . . . . . . . . . . . . . . . . . . . . . Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 17/30

  22. Two-Tier Signature → Standard Signature spk i ← $ SecondaryGen . . . . . . . . . . . . . . . . . . . . . . . . M Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 17/30

  23. Gen of Tree Signature ◮ ( ppk , psk ) ← $ PrimaryGen Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 18/30

  24. Gen of Tree Signature ◮ ( ppk , psk ) ← $ PrimaryGen ◮ ( spk root , ssk root ) ← $ SecondaryGen . . . . . . . . . . . . Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 18/30

  25. Gen of Tree Signature ◮ ( ppk , psk ) ← $ PrimaryGen ◮ ( spk root , ssk root ) ← $ SecondaryGen ◮ PK = ( ppk , spk root ) , sk = ( psk , ssk root ) Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 18/30

  26. Sign( sk ,M) ◮ Step 1: Nodes Generation ◮ Step 2: Path Authentication Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 19/30

  27. Step 1: Node Generation . . . . . . . . . . . . . . . . . . . . . . . . M Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 20/30

  28. Step 1: Node Generation . . . . . . . . . . . . . . . . . . . . . . . . M Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 20/30

  29. Step 1: Node Generation . . . . . . . . . . . . . . . . . . . . . . . . M Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 20/30

  30. Step 1: Node Generation . . . . . . . . . . . . . . . . . . . . . . . . M Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 20/30

  31. Step 1: Node Generation . . . . . . . . . . . . . . . . . . . . . . . . M Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 20/30

  32. Step 2: Path Authentication . . . . . . . . . . . . . . . . . . . . . . . . M Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 21/30

  33. Step 2: Path Authentication ◮ σ = TTSign ( psk , ssk parent , ( LChild || RChild )) Parent LChild RChild Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 22/30

  34. Step 2: Path Authentication Use Two-Tier Sig to authenticate the path σ 0 . . . . . . . . . . . . . . . . . . . . . . . . M Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 23/30

  35. Step 2: Path Authentication Use Two-Tier Sig to authenticate the path σ 0 σ 1 . . . . . . . . . . . . . . . . . . . . . . . . M Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 23/30

  36. Step 2: Path Authentication Use Two-Tier Sig to authenticate the path σ 0 σ 1 . . . . . . . . . . . . . . . . . . . . . . . . σ L M Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 23/30

  37. Signatures ◮ Define signature := (path, σ 1 , . . . , σ L ) ◮ Verify: ◦ Check if ( σ 1 , . . . , σ L ) are valid two-tier signatures on path Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 24/30

  38. Security Theorem 1 Our construction is tightly secure, if the underlying two-tier signature is tightly-secure. Particularly, ◮ Adv[TreeSig] = Adv[Two-TierSig] Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 25/30

  39. Proof Idea ◮ Simulate the signature without sk : ◦ Use two-tier signing oracle ◮ Tightly extract the two-tier forgery: ◦ Observation: ◮ Forgery path differs from signing paths ◦ “Splitting” node: the valid two-tier forgery Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 26/30

  40. “Splitting” Node . . . . . . . . . . . . . . . . . . . . . . . . . . . M ∗ Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 27/30

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Tightly Secure Signatures and Public-Key Encryp8on Dennis

Tightly Secure Signatures and Public-Key Encryp8on Dennis

Tightly Secure Signatures and Public-Key Encryp8on Dennis Ho&lt;einz and Tibor Jager Karlsruhe Ins,tute of Technology CRYPTO 2012 1 Tight

477 views • 15 slides
Cryptographic Hash Functions Signatures Requirements MD5 and SHA CSS441: Security and

Cryptographic Hash Functions Signatures Requirements MD5 and SHA CSS441: Security and

CSS441 Hash Functions Hash Functions Authentication Cryptographic Hash Functions Signatures Requirements MD5 and SHA CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by

1.04k views • 24 slides
Long-term secure signatures for the IoT Andreas Hlsing Hash-based Signature Schemes [Mer89]

Long-term secure signatures for the IoT Andreas Hlsing Hash-based Signature Schemes [Mer89]

Long-term secure signatures for the IoT Andreas Hlsing Hash-based Signature Schemes [Mer89] Long-term secure Only needs secure hash function Post-quantum Possibility of hash combiners IoT compatible? Only needs secure hash

285 views • 13 slides
More Efficient (Almost) Tightly Secure Structure-Preserving Signatures Romain Gay 1 Dennis

More Efficient (Almost) Tightly Secure Structure-Preserving Signatures Romain Gay 1 Dennis

More Efficient (Almost) Tightly Secure Structure-Preserving Signatures Romain Gay 1 Dennis Hofheinz 2 Lisa Kohl 2 Jiaxin Pan 2 1 ENS Paris, France 2 Karlsruhe Institute of Technology, Germany R. Gay, D. Hofheinz, L. Kohl, J. Pan More Efficient

827 views • 45 slides
Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about

Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about

Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about digital signatures... A Tale of Two Boxes A Tale of Two Boxes Much of today s applied cryptography works with two magic boxes A Tale of Two Boxes

1.37k views • 120 slides
Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about

Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about

Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about digital signatures... A Tale of Two Boxes A Tale of Two Boxes Much of today s applied cryptography works with two magic boxes A Tale of Two Boxes

1.68k views • 129 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung) Digital Signatures 2020-03-31 1 Outline Gennaro-Halevi-Rabin signatures Chameleon hash functions Digital Signatures 2020-03-31 2 RSA

627 views • 52 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung) Digital Signatures 2020-03-31 1 Outline Gennaro-Halevi-Rabin signatures Chameleon hash functions Digital Signatures 2020-03-31 2 RSA

785 views • 29 slides
Practical and Tightly-Secure Digital Signatures and Authenticated Key Exchange Kristian Gjsteen

Practical and Tightly-Secure Digital Signatures and Authenticated Key Exchange Kristian Gjsteen

Practical and Tightly-Secure Digital Signatures and Authenticated Key Exchange Kristian Gjsteen 1 Tibor Jager 2 NTNU - Norwegian University of Science and Technology, Trondheim, Norway, kristian.gjosteen@ntnu.no Paderborn University, Paderborn,

360 views • 34 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-07 1 Outline Chameleon Signatures CH functions are one-time signatures sEUF-CMA from chameleon hashing Digital

585 views • 44 slides
Outline Hash functions and MACs, contd Building a secure channel CSci 5271 Announcements

Outline Hash functions and MACs, contd Building a secure channel CSci 5271 Announcements

Outline Hash functions and MACs, contd Building a secure channel CSci 5271 Announcements intermission Introduction to Computer Security Crypto combined slides Public-key crypto basics Public key encryption and signatures Stephen McCamant

588 views • 9 slides
Hashes &amp; MAC. Digital Signatures Lecture 16 One-time MAC With 2-Universal Hash Functions

Hashes &amp; MAC. Digital Signatures Lecture 16 One-time MAC With 2-Universal Hash Functions

Hashes &amp; MAC. Digital Signatures Lecture 16 One-time MAC With 2-Universal Hash Functions Trivial (very inefficient) solution (to sign a single n bit message): r 10 r 20 r 30 Key: 2n random strings (each k-bit long) (r i0 ,r i1 ) i=1..n r 11

531 views • 10 slides
Short-output universal hash functions &amp; their use in fast and secure data authentication

Short-output universal hash functions &amp; their use in fast and secure data authentication

Short-output universal hash functions &amp; their use in fast and secure data authentication Long Nguyen and Bill Roscoe Oxford University Department of Computer Science -almost universal hash functions (UHF) Definition : given R is the set

515 views • 22 slides
Secure Communication Secure Communication Lecture 14 Wrap-Up We saw... Symmetric-Key

Secure Communication Secure Communication Lecture 14 Wrap-Up We saw... Symmetric-Key

Secure Communication Secure Communication Lecture 14 Wrap-Up We saw... Symmetric-Key Components SKE, MAC Public-Key Components PKE, Digital Signatures Building blocks: Block-ciphers (AES), Hash-functions (SHA-3), Trapdoor PRG/OWP for PKE

1.07k views • 72 slides
Hash Functions Hash Functions 1 Cryptographic Hash Function Crypto hash function h(x) must

Hash Functions Hash Functions 1 Cryptographic Hash Function Crypto hash function h(x) must

Hash Functions Hash Functions 1 Cryptographic Hash Function Crypto hash function h(x) must provide o Compression output length is small o Efficiency h(x) easy to compute for any x o One-way given a value y it is infeasible to find

465 views • 42 slides
Intro to Cryptography and Cryptocurrencies Cryptographic Hash Functions Hash Pointers and

Intro to Cryptography and Cryptocurrencies Cryptographic Hash Functions Hash Pointers and

Cryptocurrency Technologies Cryptography and Cryptocurrencies Intro to Cryptography and Cryptocurrencies Cryptographic Hash Functions Hash Pointers and Data Structures Block Chains Merkle Trees Digital Signatures Public

489 views • 27 slides
G.J.M. Smit Contents Efficient architectures Introduction energy-efficient systems for

G.J.M. Smit Contents Efficient architectures Introduction energy-efficient systems for

G.J.M. Smit Contents Efficient architectures Introduction energy-efficient systems for streaming applications Streaming DSP applications Tiled architectures Dynamic reconfiguration Gerard Smit Run-time mapping of streams to

626 views • 10 slides
Automation of Aircraft Pre-Design with Chameleon Arne Bachmann Simulation- and Software

Automation of Aircraft Pre-Design with Chameleon Arne Bachmann Simulation- and Software

Automation of Aircraft Pre-Design with Chameleon Arne Bachmann Simulation- and Software Technology German Aerospace Center (DLR) ADVCOMP 2009, Oct 13 th , Sliema/Malta Slide 1 ADVCOMP 2009 &gt; Arne Bachmann &gt; Markus Kunde &gt; et al. &gt;

632 views • 26 slides
AOC meeting 12 June 2018 Agenda Welcome Minute from last meeting Reports from

AOC meeting 12 June 2018 Agenda Welcome Minute from last meeting Reports from

1 AOC meeting 12 June 2018 Agenda Welcome Minute from last meeting Reports from sub-committees Information from CPH including updates on following issues: News about the recently signed PRM contract by Philip Etin Signs

683 views • 47 slides
Assessing ecological effects Kevin Honour MSc MCIEEM Director, Argus Ecology Ltd. Highthorn

Assessing ecological effects Kevin Honour MSc MCIEEM Director, Argus Ecology Ltd. Highthorn

Assessing ecological effects Kevin Honour MSc MCIEEM Director, Argus Ecology Ltd. Highthorn Workshop 4 Lynemouth, 3 June 2015 Assessing ecological effects Gather data about the site and its surroundings Collate existing data (ERIC, WeBS,

619 views • 19 slides
Kate Keahey Computation Institute, University of Chicago Argonne National Laboratory

Kate Keahey Computation Institute, University of Chicago Argonne National Laboratory

www. chameleoncloud.org CHAMELEON: A LARGE SCALE, RECONFIGURABLE EXPERIMENTAL INSTRUMENT FOR COMPUTER SCIENCE Kate Keahey Computation Institute, University of Chicago Argonne National Laboratory keahey@anl.gov 1 APRIL 23, 2018 INTRODUCING

244 views • 8 slides
WISI ISI Ch Chameleon descrambling Hering Sndor Mini Galria TV s Antenna Kft. Dig

WISI ISI Ch Chameleon descrambling Hering Sndor Mini Galria TV s Antenna Kft. Dig

WISI ISI Ch Chameleon descrambling Hering Sndor Mini Galria TV s Antenna Kft. Dig Digital Vid Video Br Broadcasting An insight into DVB Patrik Lantto What is DVB ? https://www.dvb.org/ Founded in 1993 First standard is

484 views • 12 slides
Tribology TRIBOLOGY IS EVERYWHERE Chameleon and Tiger and a strategically important research

Tribology TRIBOLOGY IS EVERYWHERE Chameleon and Tiger and a strategically important research

Tribology as a chameleon Tribology TRIBOLOGY IS EVERYWHERE Chameleon and Tiger and a strategically important research field at LTU Roland Larsson Division of Machine Elements, LTU Tribology as a chameleon Tribology as a chameleon

560 views • 4 slides
James Smith @floppy theODI.org We connect, equip and inspire people around the world to

James Smith @floppy theODI.org We connect, equip and inspire people around the world to

James Smith @floppy theODI.org We connect, equip and inspire people around the world to innovate with data We CSV We CSV http://comma-chameleon.io/ https://github.com/theodi/comma-chameleon \_( )_/ http://octopub.io/

610 views • 43 slides

More recommend