Digital Signatures - people.inf.ethz.ch · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-21 1. Outline

Digital SignaturesDennis Hofheinz (slides based on slides by Björn Kaidel and GunnarHartung)

Digital Signatures 2020-04-21 1

Outline

Recap from last lectures

sEUF-CMA from chameleon hashing

Pairing-based signatures



• Chameleon hash functions as a technical tool– CHFs are randomized and have special trapdoor– Trapdoor not known→ collision-resistance– Trapdoor known→ collisions can be found

• CHFs + EUF-naCMA→ EUF-CMA (chameleon) sigs

• CHFs are (i.e., can be interpreted as) one-time sigs


Outline





Stronger forms of EUF-CMA

CEUF-CMA A

(pk , sk )← Gen(1k ) pk

mi

σi

q queries

m∗,σ∗

Vfy(pk , m∗,σ∗) = 1∧

m∗ /∈ {m1, ... , mq}?

A wins iff Vfy(pk , m∗,σ∗) = 1 and m∗ /∈ {m1, ..., mq}Question: what stronger form of security is conceivable?


Strong EUF-CMA (sEUF-CMA) experiment

CsEUF-CMA A

(pk , sk )← Gen(1k ) pk

mi

σi

q queries

m∗,σ∗

Vfy(pk , m∗,σ∗) = 1∧

(m∗,σ∗) /∈ {(m1,σ1) ... , (mq ,σq)}?

A wins iff Vfy(pk , m∗,σ∗) = 1 and (m∗,σ∗) /∈ {(m1,σ1) ... , (mq ,σq)}


Definition: sEUF-CMA

Def. 51: (sEUF-CMA)A signature scheme Σ = (Gen, Sign, Vfy) is sEUF-CMA secure ifffor all PPT A,

Pr

[ACsEUF-CMA(pk ) = (m∗,σ∗) :

Vfy(pk , m∗,σ∗) = 1∧(m∗,σ∗) /∈ {(m1,σ1), ..., (mq ,σq)}

]

is negligible.


sEUF-CMA: applications

• A can win even if m∗ has been signed before. . .

• . . . as long as σ∗ is fresh

• Mainly useful as component of more complex buildingblocks. . .

• . . . such as adaptively secure public-key encryption


CH + EUF-CMA→ sEUF-CMA (not in notes)

• Given: EUF-CMA secure Σ′ = (Gen′, Sign′, Vfy′)• Given: CHF CH = (GenCH, TrapCollCH)

Construct sEUF-CMA secure Σ = (Gen, Sign, Vfy).

Gen(1k ) :

• (pk ′, sk ′)← Gen′(1k )

• (chF , τF )← GenCH(1k )

• (chH , τH )← GenCH(1k )

• pk = (pk ′, chF , chH )

• sk = (sk ′, τH )





Gen(1k ) :

• (pk ′, sk ′)← Gen′(1k )




• sk = (sk ′, τH )





Gen(1k ) :

• (pk ′, sk ′)← Gen′(1k )




• sk = (sk ′, τH )





Gen(1k ) :

• (pk ′, sk ′)← Gen′(1k )




• sk = (sk ′, τH )


CH + EUF-CMA→ sEUF-CMA (not in notes)Let m′,σ′ be arbitrary

Sign(sk , m) : sk = (sk ′, τH )• rF ← R, r ′H ← R

• h := chH (m′‖σ′, r ′H )• m̃ := chF (h, rF )• σ̃ ← Sign′(sk ′, m̃)• rH ← TrapCollCH(τH , m′‖σ′, r ′H , m‖σ̃)• σ := (σ̃, rF , rH )

Vfy(pk , m,σ): pk = (pk ′, chF , chH ), σ = (σ̃, rF , rH )• h := chH (m‖σ̃, rH )• m̃ := chF (h, rF )• Vfy′(pk ′, m̃, σ̃) ?= 1



Sign(sk , m) : sk = (sk ′, τH )• rF ← R, r ′H ← R• h := chH (m′‖σ′, r ′H )• m̃ := chF (h, rF )

• σ̃ ← Sign′(sk ′, m̃)• rH ← TrapCollCH(τH , m′‖σ′, r ′H , m‖σ̃)• σ := (σ̃, rF , rH )




Sign(sk , m) : sk = (sk ′, τH )• rF ← R, r ′H ← R• h := chH (m′‖σ′, r ′H )• m̃ := chF (h, rF )• σ̃ ← Sign′(sk ′, m̃)

• rH ← TrapCollCH(τH , m′‖σ′, r ′H , m‖σ̃)• σ := (σ̃, rF , rH )




Sign(sk , m) : sk = (sk ′, τH )• rF ← R, r ′H ← R• h := chH (m′‖σ′, r ′H )• m̃ := chF (h, rF )• σ̃ ← Sign′(sk ′, m̃)• rH ← TrapCollCH(τH , m′‖σ′, r ′H , m‖σ̃)

• σ := (σ̃, rF , rH )




Sign(sk , m) : sk = (sk ′, τH )• rF ← R, r ′H ← R• h := chH (m′‖σ′, r ′H )• m̃ := chF (h, rF )• σ̃ ← Sign′(sk ′, m̃)• rH ← TrapCollCH(τH , m′‖σ′, r ′H , m‖σ̃)• σ := (σ̃, rF , rH )




Sign(sk , m) : sk = (sk ′, τH )• rF ← R, r ′H ← R• h := chH (m′‖σ′, r ′H )• m̃ := chF (h, rF )• σ̃ ← Sign′(sk ′, m̃)• rH ← TrapCollCH(τH , m′‖σ′, r ′H , m‖σ̃)• σ := (σ̃, rF , rH )




Theorem:Assume CH is collision-resistant, and Σ′ is EUF-CMA secure. ThenΣ is sEUF-CMA secure.

Proof idea: next slides.

(Slightly different from construction in lecture notes!)



• Signatures (different order in tuple):

σ = (σ̃, rH , rF )

h

m̃Vfy′

0/1

m

• Note: two ways to break circularity– start with h, then remap preimage of h to m‖Sign′(sk ′, m̃) usingτH (this is what Sign does)

– start with m̃, then remap preimage of m̃ to h using τF



• Signatures (different order in tuple):

σ = (σ̃, rH , rF )

h

m̃Vfy′

0/1

m

• Note: two ways to break circularity– start with h, then remap preimage of h to m‖Sign′(sk ′, m̃) usingτH (this is what Sign does)

– start with m̃, then remap preimage of m̃ to h using τF



σ = (σ̃, rH , rF )

h

m̃Vfy′

0/1

m

• If we could rely on both CHFs being collision-resistant:“same m̃”⇒ “same h, rF ”⇒ “same m, σ̃, rH ”

• . . . so “same m̃”⇒ “same (m,σ)”



σ = (σ̃, rH , rF )

h

m̃Vfy′

0/1

m

• If we could rely on both CHFs being collision-resistant:“same m̃”⇒ “same h, rF ”⇒ “same m, σ̃, rH ”

• . . . so “same m̃”⇒ “same (m,σ)”



• So if both CHFs are CR, we have “same m̃”⇒ “same (m,σ)”

• We can assume that forgery contains fresh (m∗,σ∗)

• Case E0: “forgery contains reused m̃∗ = m̃i ”→ red. to CHF-CR

• Case E1: “forgery contains fresh m̃∗”→ reduce to EUF-CMA

• Problem: how can we rely on collision-resistance of bothCHFs when τH (or τF ) necessary to sign?

• Solution: during reduction to CR, guess which CHF is brokenfirst, use trapdoor of other CHF to sign










































Transformations: overview (not in notes)

EUF-naCMA EUF-1-naCMA

EUF-CMA

CH

sEUF-CMA

SUF-naCMA (selective UF-naCMA)

not discussed




EUF-CMA

CH

sEUF-CMA


not discussed




EUF-CMA

CH

sEUF-CMA


not discussed




EUF-CMA

CH

sEUF-CMA


not discussed




EUF-CMA

CH

sEUF-CMA


not discussed


Socrative

Self-checking with quizzes

• Use following URL: https://b.socrative.com/login/student

• . . . and enter room “HOFHEINZ8872”

• Will also be in chat (so you can click on link)

• No registration necessary

• Quiz about sEUF-CMA starts now!


https://b.socrative.com/login/student

Outline





Pairings

Definition 78 (Pairings):Let G1,G2,GT be groups of prime order p. A pairing is a map

e : G1 ×G2 → GT

with the following properties:

1) Bilinearity: ∀g1, g′1 ∈ G1, g2, g′2 ∈ G2 :

e(g1 · g′1, g2) = e(g1, g2) · e(g′1, g2)

e(g1, g2 · g′2) = e(g1, g2) · e(g1, g′2)

⇒ e(ga1 , g2) = e(g1, g2)a = e(g1, ga

2 )enables one multiplication in the exponent.


Pairings


e : G1 ×G2 → GT



e(g1 · g′1, g2) = e(g1, g2) · e(g′1, g2)

e(g1, g2 · g′2) = e(g1, g2) · e(g1, g′2)

⇒ e(ga1 , g2) = e(g1, g2)a = e(g1, ga



Pairings


e : G1 ×G2 → GT



e(g1 · g′1, g2) = e(g1, g2) · e(g′1, g2)

e(g1, g2 · g′2) = e(g1, g2) · e(g1, g′2)

⇒ e(ga1 , g2) = e(g1, g2)a = e(g1, ga



Pairings

2) Non-degeneracy: for all generators g1 ∈ G1, g2 ∈ G2:

e(g1, g2) generates GT

(|GT |prime⇐⇒ e(g1, g2) 6= 1

)

3) e efficiently computable

Note: there are also pairings over groups of non-prime order.


Pairings



(|GT |prime⇐⇒ e(g1, g2) 6= 1

)




Pairings



(|GT |prime⇐⇒ e(g1, g2) 6= 1

)




Pairing: remarks

• G1,G2 often elliptic curves (“source groups”)

• GT ⊆ FQ (“target group”)

Original (cryptographic) application:

• Cryptanalysis• Example: assuming DLog easier in GT than in Gi , then e helps

to “lift/push” DLog problem from Gi to GT

– given gx1 ∈ G1, find x

– compute e(gx1 , g2) = e(g1, g2)x , and then DLog of e(g1, g2)x in

GT

• Some assumptions (like DDH) do not hold in G1 if G1 = G2


Pairing: remarks

• G1,G2 often elliptic curves (“source groups”)

• GT ⊆ FQ (“target group”)

Original (cryptographic) application:

• Cryptanalysis• Example: assuming DLog easier in GT than in Gi , then e helps

to “lift/push” DLog problem from Gi to GT

– given gx1 ∈ G1, find x

– compute e(gx1 , g2) = e(g1, g2)x , and then DLog of e(g1, g2)x in

GT

• Some assumptions (like DDH) do not hold in G1 if G1 = G2


Types of Pairings

Type 1: G1 = G2, “symmetric pairing” e : G×G→ GT

Type 2: G1 6= G2, “asymmetric pairing”There is an efficient nontrivial homomorphism

ψ : G2 → G1

Type 3: G1 6= G2, “asymmetric pairing”There is no efficient nontrivial homomorphism

ψ : G2 → G1

Note: here, we mainly consider type-1 pairings


Types of Pairings



ψ : G2 → G1


ψ : G2 → G1



Types of Pairings



ψ : G2 → G1


ψ : G2 → G1



Types of Pairings



ψ : G2 → G1


ψ : G2 → G1



Pairings: research

• Pairings already very powerful (we will see examples)

• Multilinear maps (for more source groups) would be even morepowerful

• 2012: Garg, Gentry, Halevi “Candidate Multilinear Maps fromIdeal Lattices and Applications”

• Since then many MLM candidates, attacks, improvements,applications. . .


Joux’s 3-party key exchange

• Like Diffie-Hellman key exchange, but for 3 parties A, B, C

• That means A, B, C end up with common shared key

• e : G×G→ GT , g generates G, |G| = |GT | = p prime



A

B C

a← Zp

b ← Zp c ← Zp

ga g a

ga ga

gb

gb

gb

ga, gb

g c

gc

gb, gc

ga, gc

k = e(gb, gc)a = e(g, g)abc

k = e(ga, gc)b = e(g, g)abc k = e(ga, gb)c = e(g, g)abc

• Shared key is k = e(g, g)abc

• Order of exchanged messages does not matter• (Multilinear map→ more parties)



A

B C

a← Zp

b ← Zp c ← Zp

ga g a

ga ga

gb

gb

gb

ga, gb

g c

gc

gb, gc

ga, gc







A

B C

a← Zp

b ← Zp c ← Zp

ga g a

ga ga

gb

gb

gb

ga, gb

g c

gc

gb, gc

ga, gc







A

B C

a← Zp

b ← Zp c ← Zp

ga g a

ga

ga

gb

gb

gb

ga, gb

g c

gc

gb, gc

ga, gc







A

B C

a← Zp

b ← Zp c ← Zp

ga g a

ga ga

gb

gb

gb

ga, gb

g c

gc

gb, gc

ga, gc







A

B C

a← Zp

b ← Zp c ← Zp

ga g a

ga ga

gb

gb

gb

ga, gb

g c

gc

gb, gc

ga, gc







A

B C

a← Zp

b ← Zp c ← Zp

ga g a

ga ga

gb

gb

gb

ga, gb

g c

gc

gb, gc

ga, gc






Socrative

Self-checking with quizzes

• Use following URL: https://b.socrative.com/login/student

• . . . and enter room “HOFHEINZ8872”

• Will also be in chat (so you can click on link)

• No registration necessary

• Quiz about pairings starts now!


https://b.socrative.com/login/student

Documents

Digital Signatures - people.inf.ethz.ch · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-21 1. Outline