[PPT] - Tightly-Secure Signatures from Chameleon Hash Functions NIST, PowerPoint Presentation

SLIDE 1

Tightly-Secure Signatures from Chameleon Hash Functions

NIST, Maryland, PKC 2015 Olivier Blazy1, Saqib A. Kakvi2, Eike Kiltz2, Jiaxin Pan2

1University of Limoges, France 2Ruhr University Bochum, Germany

SLIDE 2

Keywords

1. Signatures
2. Tight Security
3. Chameleon Hash

Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 2/30

SLIDE 3

Signature

⊲ (pk, sk) ←$ Gen ⊲ σ ←$ Sign(sk, M) ⊲ 0/1 ← Ver(pk, M, σ) Correctness: ∀(pk, sk) ←$ Gen, Ver(pk, M, Sign(sk, M)) = 1

Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 3/30

SLIDE 4

UF-CMA Security

Challenger (pk, sk) ←$ Gen pk Mi σi ←$ Sign(sk, Mi) σi (M, σ) Adversary wins: Ver(pk, M, σ) = 1 ∧M / ∈ {M1, . . . , MQ} Adversary Q is the number of signing queries.

Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 4/30

SLIDE 5

Provable Security

DLOG

g, A ←$ G

a ∈ Zp A = ga Reduction Adversary

Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 5/30

SLIDE 6

Provable Security

DLOG

g, A ←$ G

a ∈ Zp A = ga Reduction Adversary “DLOG problem is hard ⇒ scheme is secure”

Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 5/30

SLIDE 7

◮ Let k be the security parameter, Adv[Sig] < f(k) · Adv[DLOG]

Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 6/30

SLIDE 8

Tight Security

Adv[Sig] < f(k) · Adv[DLOG] ◮ “Tight” if

f(k) = O(1)

◮ “Loose” if

f(k) = O(Q)

Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 7/30

SLIDE 9

Why “tight”?

◮ In practice:

We want efficient schemes!
Smaller security parameters!

Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 8/30

SLIDE 10

For example

◮ We want 80-bit security and Q = 240

Tight scheme

⊲ Adv[Sig] < Adv[DLOG] < 2−80 = ⇒ We need DLOG problem with 80-bit security = ⇒ |p| = 160 (by the best DLOG attack)

Loose Scheme

⊲ Adv[Sig] < 240 · Adv[DLOG] < 2−80 = ⇒ Adv[DLOG] < 2−120 = ⇒ We need DLOG problem with 120-bit security = ⇒ |p| = 240 (by the best DLOG attack)

Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 9/30

SLIDE 11

Signatures in the Standard Model

◮ Loose Reduction

e.g. Waters ’05

◮ Non-standard/“Q-Type” Assumptions

e.g. Boneh-Boyen ’04

◮ Exceptions: . . .

Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 10/30

SLIDE 12

Tight Signatures from Standard Assumptions

◮ CRYPTO ’96 Cramer-Damgård: RSA ◮ PKC ’05 Catalano-Gennaro: Factoring ◮ CRYPTO ’12 Hofheinz-Jager: DLIN

Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 11/30

SLIDE 13

Tight Signatures from Standard Assumptions

◮ CRYPTO ’96 Cramer-Damgård: RSA ◮ PKC ’05 Catalano-Gennaro: Factoring ◮ CRYPTO ’12 Hofheinz-Jager: DLIN

Question

Generic constructions for tight signatures?

Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 11/30

SLIDE 14

Our Contribution

Transformation DLOG SIS CDH DLIN RSA . . . TSIG[DLOG] TSIG[SIS] TSIG[CDH] TSIG[DLIN] TSIG[RSA] TSIG[. . .]

Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 12/30

SLIDE 15

Our Contribution

DLOG SIS FAC . . . Chameleon Hash Two-Tier Signature Tight Signature

Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 13/30

SLIDE 16

Our Contribution

DLOG SIS FAC . . . Chameleon Hash Two-Tier Signature Tight Signature [BS07]

Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 13/30

SLIDE 17

Two-Tier Signature

◮ Proposed by Bellare and Shoup at PKC ’07

Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 14/30

SLIDE 18

Two-Tier Signature

Signature ◮ (pk, sk) ←$ Gen ◮ σ ←$ Sign(sk, M) ◮ 0/1 ← Ver(pk, M, σ) Two-Tier Signature ◮ (ppk, psk) ←$ PrimaryGen ◮ (spk, ssk) ←$ SecondaryGen ◮ σ ←$ TTSign(sk, ssk, M) ◮ 0/1 ← TTVer(pk, spk, M, σ)

Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 15/30

SLIDE 19

Security of two-tier signature

Challenger (ppk, psk) ←$ PrimaryGen pk Mi (spki, sski) ←$ SecondaryGen σi ←$ TTSign(sk, sski, Mi) (σi, spki) (M, σ, spk) Adversary wins: TTVer(ppk, spk, M, σ) = 1 ∧ M / ∈ {M1, . . . , MQ} ∧ spk = spki for some i Adversary

Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 16/30

SLIDE 20

Two-Tier Signature → Standard Signature

. . . . . . . . . . . . . . . . . . . . . . . .

Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 17/30

SLIDE 21

Two-Tier Signature → Standard Signature

spki ←$ SecondaryGen . . . . . . . . . . . . . . . . . . . . . . . .

Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 17/30

SLIDE 22

Two-Tier Signature → Standard Signature

spki ←$ SecondaryGen . . . . . . . . . . . . M . . . . . . . . . . . .

Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 17/30

SLIDE 23

Gen of Tree Signature

◮ (ppk, psk) ←$ PrimaryGen

Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 18/30

SLIDE 24

Gen of Tree Signature

◮ (ppk, psk) ←$ PrimaryGen ◮ (spkroot, sskroot) ←$ SecondaryGen

. . . . . . . . . . . .

Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 18/30

SLIDE 25

Gen of Tree Signature

◮ (ppk, psk) ←$ PrimaryGen ◮ (spkroot, sskroot) ←$ SecondaryGen ◮ PK = (ppk, spkroot), sk = (psk, sskroot)

Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 18/30

SLIDE 26

Sign(sk,M)

◮ Step 1: Nodes Generation ◮ Step 2: Path Authentication

Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 19/30

SLIDE 27