Digital Signatures
Dennis Hofheinz (slides based on slides by Björn Kaidel)
Digital Signatures 2020-02-25 1
Outline
Recap: security experiments
Message space extension
One-time signatures
One-time signatures from one-way functions
Security definitions
Security definition =̂ adversarial goal + adversarial capabilities
Interesting combinations:
• EUF-CMA
• EUF-naCMA
Security experiments
Tool to formalize security definitions: security experiments
Interactive process between two parties:
• Adversary A
• Challenger C
• A plays against C
• A wins iff he reaches his goal.
Security definitions
Current research:
• Leakage resilience (what if adversary gets to see parts of signing key?)
• Functional signatures (signing keys limited to certain messages)
• Aggregatable signatures (combine many signatures into one short one)
• Many-user scenario (only asymptotically equivalent to one-user scenario)
• Different key infrastructures (secret-key, identity-based, certificateless, ...)
Message space extension
Easier (and common) to construct signatures with small message space, e.g.,
• $\mathbb{Z}_p = \{0, \dots, p-1\}$, $p$ prime
• $\{0,1\}^{q(k)}$, $q$ polynomial, $k$ security parameter
Goal: signatures with larger message space, e.g., $\{0,1\}^*$
Hash functions
Def. 14: (Cryptographic hash function)
A (cryptographic) hash function $H = (\mathrm{Gen}_H, \mathrm{Eval}_H)$ consists of two PPT algorithms:
• $\mathrm{Gen}_H(1^k)$ outputs a parameter $t$ that defines a function $H_t : \{0,1\}^* \to \mathcal{M}_t$
• $\mathrm{Eval}_H(1^k, t, x)$ computes $H_t(x)$.
Notation: $H$ instead of $t$, $H(x)$ for $\mathrm{Eval}_H(1^k, t, x)$.
Collision resistance
Def. 15: (Collision resistance)
A hash function $H = (\mathrm{Gen}_H, \mathrm{Eval}_H)$ is collision-resistant iff for $t \leftarrow \mathrm{Gen}_H(1^k)$ and all PPT $A$ we have that
$$\Pr\left[A(1^k, t) = (x, x') : H_t(x) = H_t(x') \wedge x \neq x'\right]$$
is negligible.
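Construction: signatures with unbounded message space
Assume
• $\Sigma' = (\mathrm{Gen}', \mathrm{Sign}', \mathrm{Vfy}')$ with message space $\mathcal{M}$
• collision-resistant hash function $H : \{0,1\}^* \to \mathcal{M}$
Construct digital signature scheme $\Sigma = (\mathrm{Gen}, \mathrm{Sign}, \mathrm{Vfy})$ with unbounded message space:
• $\mathrm{Gen}(1^k)$ computes $(pk, sk) \leftarrow \mathrm{Gen}'(1^k)$
• $\mathrm{Sign}(sk, m)$ computes $\sigma \leftarrow \mathrm{Sign}'(sk, H(m))$
• $\mathrm{Vfy}(pk, m, \sigma)$ outputs $\mathrm{Vfy}'(pk, H(m), \sigma)$.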
Security of the construction
Theorem 17:
For every EUF-CMA adversary $A$ on $\Sigma$ with runtime $t_A$ and success probability $\varepsilon_A$, there are adversaries $B_1, B_2$ with runtime $t_B \approx t_A$ such that
• $B_1$ breaks the collision resistance of $H$ with probability $\geq \varepsilon_A/2$,
• or $B_2$ breaks the EUF-CMA security of $\Sigma'$ with probability $\geq \varepsilon_A/2$.
Security of the construction
Proof idea:
• Observation:
  – whenever $A$ successfully forges a signature $\sigma$ for a message $m$, then
  – $\sigma$ is a $\Sigma'$-signature for $H(m)$.
• Furthermore,
  1. either $H(m)$ has been signed before (i.e., $H(m) = H(m_i)$ for one of $A$'s previous signature queries $m_i$),
  2. or $H(m)$ has never been $\Sigma'$-signed before.
  In first case, $A$ found $H$-collision, in second case $A$ broke $\Sigma'$. One of the cases must occur with probability at least 1/2.
• Details (construction of $B_1, B_2$): blackboard.
Hash-then-Sign
• Construction is called Hash-then-Sign
• Relevant in theory and practice
Hash functions: current research
• Hash functions with special properties
  – Chameleon hashing (upcoming)
  – Hash functions that behave like random functions
• Finding good hash functions
  – MD5, SHA-1 cryptanalyses
  – SHA-3 standardization 2015
Hash functions: current research
“Nontrivial” SHA-1 collisions:
One-time signatures
• General goal: signature schemes that can sign many messages
• Partial goal: signature schemes that can (securely) sign only one message (one-time signatures)
• Can be used on many messages...
• ...but may become insecure then!
• Security guarantees only when at most one message is signed
EUF-1-CMA & EUF-1-naCMA
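EUF-1-CMA (challenger C, adversary A):
  C → A: $pk$
  A → C: $m$
  C → A: $\sigma$
  A → C: $m^*, \sigma^*$
EUF-1-naCMA (challenger C, adversary A):
  A → C: $m$
  C → A: $pk, \sigma$
  A → C: $m^*, \sigma^*$
In both experiments C checks: $\mathrm{Vfy}(pk, m^*, \sigma^*) = 1 \wedge m^* \neq m$?
Rest (Def., winning condition): as with EUF-CMA/-na-CMA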
Why one-time signatures?
• Useful building block for other and more secure schemes
• Comparatively easy to construct
One-way functions
One-way function $f : \{0,1\}^* \to \{0,1\}^*$
Idea:
• Given $x \in \{0,1\}^*$, easy to compute $f(x)$
• Given $y = f(x)$, hard to compute any $x'$ in $f^{-1}(y)$
Note: One-way functions fundamental primitive (imply much of secret-key cryptography)
One-way functions: security experiment
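Challenger $C_{\text{one-way}}$, adversary A:
  $C_{\text{one-way}}$: $x \leftarrow \{0,1\}^k$, $y := f(x)$
  $C_{\text{one-way}}$ → A: $y$
  A → $C_{\text{one-way}}$: $x'$
  $C_{\text{one-way}}$ checks: $f(x') = y$?
A wins iff $f(x') = y$.
Note: possibly $x' \neq x$!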
One-way function (definition)
Def. 22 (One-way function):
A function $f$ is one-way iff $f$ is computable in polynomial time, and for all PPT $A$,
$$\Pr\left[x \leftarrow \{0,1\}^k,\ x' \leftarrow A(1^k, f(x)) : f(x') = f(x)\right]$$
is negligible.
Existence of one-way functions
• If one-way functions exist, then $P \neq NP$
• Realistically: constructions of one-way functions require assumptions
Candidates:
• Exponentiation $x \mapsto g^x$ in suitable groups
• RSA function $x \mapsto x^e \bmod N$ for $N = PQ$, primes $P, Q$, random $e$
Lamport’s one-time signatures
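$\Sigma = (\mathrm{Gen}, \mathrm{Sign}, \mathrm{Vfy})$
• Message space $\{0,1\}^n$, $n = n(k)$
• One-way function $f$
$\mathrm{Gen}(1^k)$:
• Choose $x_{1,0}, x_{1,1}, \dots, x_{n,0}, x_{n,1}$ uniformly from $\{0,1\}^k$
• $\forall j \in \{1, \dots, n\}$: $y_{j,0} := f(x_{j,0})$ and $y_{j,1} := f(x_{j,1})$
$$sk = \begin{pmatrix} x_{1,0} & \dots & x_{n,0} \\ x_{1,1} & \dots & x_{n,1} \end{pmatrix} \qquad pk = \begin{pmatrix} y_{1,0} & \dots & y_{n,0} \\ y_{1,1} & \dots & y_{n,1} \end{pmatrix}$$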
Lamport’s one-time signatures (2)
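$$sk = \begin{pmatrix} x_{1,0} & \dots & x_{n,0} \\ x_{1,1} & \dots & x_{n,1} \end{pmatrix} \qquad pk = \begin{pmatrix} y_{1,0} & \dots & y_{n,0} \\ y_{1,1} & \dots & y_{n,1} \end{pmatrix}$$
$\mathrm{Sign}(sk, m)$:
• $m = m_1 \| m_2 \| \dots \| m_n \in \{0,1\}^n$
• $\sigma = (x_{1,m_1}, x_{2,m_2}, \dots, x_{n,m_n})$
$\mathrm{Vfy}(pk, m, \sigma)$:
• $m = m_1 \| \dots \| m_n$, $\sigma = (x'_1, x'_2, \dots, x'_n)$
• Check that for all $i \in \{1, \dots, n\}$, we have $f(x'_i) \stackrel{?}{=} y_{i,m_i}$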
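Lamport's Gen/Sign/Vfy combined with the Hash-then-Sign construction from earlier in the deck, as an added example that is not part of the original slides. It assumes SHA-256 for both f and H (with a one-byte prefix to separate the two uses); `OneTimeSigner` and `fully_exposed_positions` are hypothetical helpers added to show the one-message limit.

```python
import hashlib
import secrets

N = 256  # n: message length in bits after hashing (SHA-256 digest)
K = 32   # secret values x_{j,b} are k = 256 bits

def f(x: bytes) -> bytes:   # assumption: SHA-256 stands in for the one-way function f
    return hashlib.sha256(b"f" + x).digest()

def H(m: bytes) -> bytes:   # assumption: SHA-256 stands in for the collision-resistant H
    return hashlib.sha256(b"H" + m).digest()

def bits(d: bytes) -> list:
    return [(byte >> (7 - s)) & 1 for byte in d for s in range(8)]

def gen():
    sk = [(secrets.token_bytes(K), secrets.token_bytes(K)) for _ in range(N)]
    pk = [(f(x0), f(x1)) for x0, x1 in sk]
    return pk, sk

def sign(sk, m: bytes) -> list:
    # Hash-then-Sign: release x_{j, m_j} for each bit m_j of H(m).
    return [sk[j][b] for j, b in enumerate(bits(H(m)))]

def vfy(pk, m: bytes, sigma) -> bool:
    if len(sigma) != N:
        return False
    ok = True
    for j, b in enumerate(bits(H(m))):   # check f(x'_j) == y_{j, m_j} at every position
        ok &= secrets.compare_digest(f(sigma[j]), pk[j][b])
    return ok

class OneTimeSigner:
    """Enforces the one-message limit: the key is dropped after its single use."""
    def __init__(self, sk):
        self._sk = sk
    def sign(self, m: bytes) -> list:
        if self._sk is None:
            raise RuntimeError("one-time key already used")
        sigma, self._sk = sign(self._sk, m), None
        return sigma

def fully_exposed_positions(messages) -> int:
    """Positions j where signing all `messages` would release both x_{j,0} and x_{j,1}."""
    seen = [set() for _ in range(N)]
    for m in messages:
        for j, b in enumerate(bits(H(m))):
            seen[j].add(b)
    return sum(len(s) == 2 for s in seen)
```

With one signed message no column of sk is fully released; with two distinct messages every position where the digests differ is, which is why the security guarantee covers only a single signature.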
Lamport: security
Theorem 23:
For every EUF-1-naCMA PPT adversary $A$ with runtime $t_A$ and success probability $\varepsilon_A$, there is a PPT adversary $B$ on $f$ with runtime $t_B \approx t_A$ and success probability $\varepsilon_B \geq \varepsilon_A/n$.
Proof idea:
• Reduction: EUF-1-naCMA security to one-way security of $f$.
• Simulation: $B$ simulates EUF-1-naCMA experiment for $A$.
• Extraction: $B$ uses $A$'s output to invert $f$.
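Lamport: security proof
• Details: blackboard
• Overview:
  Parties: $C_{\text{one-way}}$, B, A (B plays the one-wayness experiment with $C_{\text{one-way}}$ and the EUF-1-naCMA experiment with A)
  $C_{\text{one-way}}$: $x \leftarrow \{0,1\}^k$, $y := f(x)$
  $C_{\text{one-way}}$ → B: $y$    (1)    A → B: $m = m_1 \| \dots \| m_n$
  B: prepare $pk, sk, \sigma$ suitably
  (2) B → A: $pk, \sigma$
  A → B: $m^*, \sigma^*$
  (3) B → $C_{\text{one-way}}$: $x'$
(1) + (2) = simulation, (3) = extraction.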
Lamport: security proof (summary)
• Use $A$ to compute a preimage $x' \in f^{-1}(y)$ of $y = f(x)$ as follows:
• embed $f(x)$ into public key $pk$, so that:
  – $B$ can sign $m$
  – $A$ needs a preimage of $f(x)$ in his forgery with suitably high probability
Note: Lamport's scheme actually EUF-1-CMA secure (exercise)
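The reduction B from the overview, as an added example that is not part of the original slides. The slides defer "prepare pk, sk, σ suitably" to the blackboard; the embedding used here (guess a position i and place y at y_{i,1-m_i}) is the standard textbook choice and an assumption about what was shown. `ToyAdversary`, the `guess` parameter and the one-byte secrets are constructed so the stand-in adversary can forge at all.

```python
import hashlib
import secrets

N = 8  # message length n in bits
K = 1  # toy secret length in bytes (constructed): small enough to search exhaustively

def f(x: bytes) -> bytes:  # assumption: SHA-256 stands in for f
    return hashlib.sha256(x).digest()

def challenge():
    """C_one-way: sample x and hand out y = f(x)."""
    x = secrets.token_bytes(K)
    return x, f(x)

def reduction_B(y, adversary, guess=None):
    """B: use a EUF-1-naCMA adversary to find a preimage of y under f."""
    m = adversary.choose_message()                  # (1) A names m before seeing pk
    i = secrets.randbelow(N) if guess is None else guess
    sk = [[secrets.token_bytes(K), secrets.token_bytes(K)] for _ in range(N)]
    pk = [[f(x0), f(x1)] for x0, x1 in sk]
    pk[i][1 - m[i]] = y                             # embed y where signing m never looks
    sigma = [sk[j][m[j]] for j in range(N)]         # (2) valid signature on m
    m_star, sigma_star = adversary.forge(pk, sigma)
    if m_star[i] != m[i] and f(sigma_star[i]) == y: # (3) extraction
        return sigma_star[i]
    return None                                     # m* agreed with m at position i

class ToyAdversary:
    """Constructed stand-in for A: flips bit j of m and inverts the toy f by search."""
    def __init__(self, j):
        self.j, self.m = j, [0, 1, 1, 0, 1, 0, 0, 1]
    def choose_message(self):
        return list(self.m)
    def forge(self, pk, sigma):
        b = 1 - self.m[self.j]
        x = next(bytes([c]) for c in range(256) if f(bytes([c])) == pk[self.j][b])
        m_star, sigma_star = list(self.m), list(sigma)
        m_star[self.j], sigma_star[self.j] = b, x
        return m_star, sigma_star
```

Since m* differs from m in at least one of the n positions and B's guess i is hidden from A, the guess hits such a position with probability at least 1/n, which is where the bound ε_B ≥ ε_A/n comes from.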
Lamport: summary
• EUF-1-CMA secure
• Requires only one-way function (weak assumption)
• Not very efficient
  – Many evaluations of one-way function
  – Large keys
Uselessness of UUF-NMA (not in lecture notes)
Use one-way function $f$ to construct UUF-NMA secure signature scheme:
• $\mathrm{Gen}(1^k)$: $sk \leftarrow \{0,1\}^k$, $pk = f(sk)$
• $\mathrm{Sign}(sk, m) = sk$
• $\mathrm{Vfy}(pk, m, \sigma)$: $f(\sigma) \stackrel{?}{=} pk$
• Actually EUF-NMA secure...
• ...but useless (message-independent signatures)