Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel) Digital Signatures 2020-02-25 1


Outline

Recap: security experiments

Message space extension

One-time signatures

One-time signatures from one-way functions


Security definitions

Security definition =̂ adversarial goal + adversarial capabilities

Interesting combinations:

• EUF-CMA

• EUF-naCMA


Security experiments

Tool to formalize security definitions: security experiments

Interactive process between two parties:

• Adversary A

• Challenger C

• A plays against C

• A wins iff he reaches his goal.


Security definitions

Current research:

• Leakage resilience (what if adversary gets to see parts of signing key?)

• Functional signatures (signing keys limited to certain messages)

• Aggregatable signatures (combine many signatures into one short one)

• Many-user scenario (only asymptotically equivalent to one-user scenario)

• Different key infrastructures (secret-key, identity-based, certificateless, ...)


Message space extension

Easier (and common) to construct signatures with small message space, e.g.,

• $\mathbb{Z}_p = \{0, \dots, p-1\}$, $p$ prime

• $\{0,1\}^{q(k)}$, $q$ polynomial, $k$ security parameter

Goal: signatures with larger message space, e.g., $\{0,1\}^*$


Hash functions

Def. 14: (Cryptographic hash function)
A (cryptographic) hash function $H = (\mathsf{Gen}_H, \mathsf{Eval}_H)$ consists of two PPT algorithms:

• $\mathsf{Gen}_H(1^k)$ outputs a parameter $t$ that defines a function $H_t : \{0,1\}^* \to \mathcal{M}_t$

• $\mathsf{Eval}_H(1^k, t, x)$ computes $H_t(x)$.

Notation: $H$ instead of $t$, $H(x)$ for $\mathsf{Eval}_H(1^k, t, x)$.


Collision resistance

Def. 15: (Collision resistance)
A hash function $H = (\mathsf{Gen}_H, \mathsf{Eval}_H)$ is collision-resistant iff for $t \leftarrow \mathsf{Gen}_H(1^k)$ and all PPT $A$ we have that

$$\Pr[A(1^k, t) = (x, x') : H_t(x) = H_t(x') \wedge x \neq x']$$

is negligible.


Construction: signatures with unbounded message space

Assume

• $\Sigma' = (\mathsf{Gen}', \mathsf{Sign}', \mathsf{Vfy}')$ with message space $\mathcal{M}$

• collision-resistant hash function $H : \{0,1\}^* \to \mathcal{M}$

Construct digital signature scheme $\Sigma = (\mathsf{Gen}, \mathsf{Sign}, \mathsf{Vfy})$ with unbounded message space:

• Ideas?


• $\mathsf{Gen}(1^k)$ computes $(pk, sk) \leftarrow \mathsf{Gen}'(1^k)$

• $\mathsf{Sign}(sk, m)$ computes $\sigma \leftarrow \mathsf{Sign}'(sk, H(m))$

• $\mathsf{Vfy}(pk, m, \sigma)$ outputs $\mathsf{Vfy}'(pk, H(m), \sigma)$.


Security of the construction

Theorem 17:
For every EUF-CMA adversary $A$ on $\Sigma$ with runtime $t_A$ and success probability $\varepsilon_A$, there are adversaries $B_1, B_2$ with runtime $t_B \approx t_A$ such that

• $B_1$ breaks the collision resistance of $H$ with probability $\geq \varepsilon_A/2$,

• or $B_2$ breaks the EUF-CMA security of $\Sigma'$ with probability $\geq \varepsilon_A/2$.


Security of the construction

Proof idea:

• Observation:

– whenever $A$ successfully forges a signature $\sigma$ for a message $m$, then

– $\sigma$ is a $\Sigma'$-signature for $H(m)$.


• Furthermore,

1. either $H(m)$ has been signed before (i.e., $H(m) = H(m_i)$ for one of $A$'s previous signature queries $m_i$),

2. or $H(m)$ has never been $\Sigma'$-signed before.

In first case, $A$ found $H$-collision, in second case $A$ broke $\Sigma'$. One of the cases must occur with probability at least 1/2.


• Details (construction of $B_1, B_2$): blackboard.


Hash-then-Sign

• Construction is called Hash-then-Sign

• Relevant in theory and practice


Hash functions: current research

• Hash functions with special properties

– Chameleon hashing (upcoming)

– Hash functions that behave like random functions

• Finding good hash functions

– MD5, SHA-1 cryptanalyses

– SHA-3 standardization 2015


“Nontrivial” SHA-1 collisions:


One-time signatures

• General goal: signature schemes that can sign many messages

• Partial goal: signature schemes that can (securely) sign only one message (one-time signatures)

• Can be used on many messages...

• ...but may become insecure then!

• Security guarantees only when at most one message is signed


EUF-1-CMA & EUF-1-naCMA

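EUF-1-CMA (challenger C, adversary A):

1. C → A: $pk$

2. A → C: $m$

3. C → A: $\sigma$

4. A → C: $m^*, \sigma^*$

EUF-1-naCMA (challenger C, adversary A):

1. A → C: $m$

2. C → A: $pk, \sigma$

3. A → C: $m^*, \sigma^*$

In both experiments C checks: $\mathsf{Vfy}(pk, m^*, \sigma^*) = 1 \wedge m^* \neq m$?

Rest (Def., winning condition): as with EUF-CMA/-na-CMA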


Why one-time signatures?

• Useful building block for other and more secure schemes

• Comparatively easy to construct


One-way functions

One-way function $f : \{0,1\}^* \to \{0,1\}^*$

Idea:

• Given $x \in \{0,1\}^*$, easy to compute $f(x)$

• Given $y = f(x)$, hard to compute any $x'$ in $f^{-1}(y)$

Note: One-way functions fundamental primitive (imply much of secret-key cryptography)


One-way functions: security experiment

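One-way experiment between challenger $C_{\text{one-way}}$ and adversary A:

1. $C_{\text{one-way}}$ picks $x \leftarrow \{0,1\}^k$ and sets $y := f(x)$

2. $C_{\text{one-way}}$ → A: $y$

3. A → $C_{\text{one-way}}$: $x'$

4. $C_{\text{one-way}}$ checks: $f(x') = y$?

A wins iff $f(x') = y$.

Note: possibly $x' \neq x$!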


One-way function (definition)

Def. 22 (One-way function):
A function $f$ is one-way iff $f$ is computable in polynomial time, and for all PPT $A$,

$$\Pr\left[\, x \leftarrow \{0,1\}^k,\; x' \leftarrow A(1^k, f(x)) \;:\; f(x') = f(x) \,\right]$$

is negligible.


Existence of one-way functions

• If one-way functions exist, then $P \neq NP$

• Realistically: constructions of one-way functions require assumptions

Candidates:

• Exponentiation $x \mapsto g^x$ in suitable groups

• RSA function $x \mapsto x^e \bmod N$ for $N = PQ$, primes $P, Q$, random $e$


Lamport’s one-time signatures

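$\Sigma = (\mathsf{Gen}, \mathsf{Sign}, \mathsf{Vfy})$

• Message space $\{0,1\}^n$, $n = n(k)$

• One-way function $f$

$\mathsf{Gen}(1^k)$:

• Choose $x_{1,0}, x_{1,1}, \dots, x_{n,0}, x_{n,1}$ uniformly from $\{0,1\}^k$

• $\forall j \in \{1, \dots, n\}$: $y_{j,0} := f(x_{j,0})$ and $y_{j,1} := f(x_{j,1})$

$$sk = \begin{pmatrix} x_{1,0} & \dots & x_{n,0} \\ x_{1,1} & \dots & x_{n,1} \end{pmatrix} \qquad pk = \begin{pmatrix} y_{1,0} & \dots & y_{n,0} \\ y_{1,1} & \dots & y_{n,1} \end{pmatrix}$$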


Lamport’s one-time signatures (2)

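$$sk = \begin{pmatrix} x_{1,0} & \dots & x_{n,0} \\ x_{1,1} & \dots & x_{n,1} \end{pmatrix} \qquad pk = \begin{pmatrix} y_{1,0} & \dots & y_{n,0} \\ y_{1,1} & \dots & y_{n,1} \end{pmatrix}$$

$\mathsf{Sign}(sk, m)$:

Ideas?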


• $m = m_1 \| m_2 \| \dots \| m_n \in \{0,1\}^n$

• $\sigma = (x_{1,m_1}, x_{2,m_2}, \dots, x_{n,m_n})$


$\mathsf{Vfy}(pk, m, \sigma)$:


Ideas?


• $m = m_1 \| \dots \| m_n$, $\sigma = (x'_1, x'_2, \dots, x'_n)$

• Check that for all $i \in \{1, \dots, n\}$, we have

$$f(x'_i) \stackrel{?}{=} y_{i,m_i}$$
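Hash-then-Sign instantiated with Lamport's scheme, as an added example that is not part of the original slides. It assumes SHA-256 (with distinct prefixes) as a stand-in for both the one-way function f and the hash H; `OneTimeSigner` and the other names are illustrative.

```python
import hashlib
import hmac
import secrets

K = 32    # bytes per secret value x_{j,b}, i.e. k = 256 bits
N = 256   # message length n in bits = output length of H

def f(x):
    """Stand-in for the one-way function f (assumption: prefixed SHA-256)."""
    return hashlib.sha256(b"f" + x).digest()

def H(m):
    """Stand-in for the collision-resistant H: {0,1}* -> {0,1}^n, as a list of bits."""
    d = hashlib.sha256(b"H" + m).digest()
    return [(d[j // 8] >> (7 - j % 8)) & 1 for j in range(N)]

def gen():
    """Gen: sk[j][b] = x_{j,b} uniform, pk[j][b] = y_{j,b} = f(x_{j,b})."""
    sk = [(secrets.token_bytes(K), secrets.token_bytes(K)) for _ in range(N)]
    pk = [(f(x0), f(x1)) for x0, x1 in sk]
    return pk, sk

def lamport_sign(sk, bits):
    """Sign': reveal x_{j,m_j} for every message bit m_j."""
    return [sk[j][b] for j, b in enumerate(bits)]

def lamport_verify(pk, bits, sigma):
    """Vfy': check f(x'_j) = y_{j,m_j} for all j, without an early exit."""
    if len(sigma) != N or not all(isinstance(s, bytes) for s in sigma):
        return False
    ok = True
    for j, b in enumerate(bits):
        ok &= hmac.compare_digest(f(sigma[j]), pk[j][b])
    return ok

class OneTimeSigner:
    """Hash-then-Sign over Lamport that refuses to sign a second message."""
    def __init__(self):
        self.pk, self._sk = gen()

    def sign(self, m):
        if self._sk is None:
            raise RuntimeError("one-time key already used")
        sigma = lamport_sign(self._sk, H(m))   # Sign(sk, m) = Sign'(sk, H(m))
        self._sk = None                        # the guarantee covers one signature only
        return sigma

def verify(pk, m, sigma):
    """Vfy(pk, m, sigma) = Vfy'(pk, H(m), sigma)."""
    return lamport_verify(pk, H(m), sigma)
```

With these parameters the public key is 16 KiB and a signature is 8 KiB, which is the "large keys" cost of the scheme.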


Lamport: security

Theorem 23:
For every EUF-1-naCMA PPT adversary $A$ with runtime $t_A$ and success probability $\varepsilon_A$, there is a PPT adversary $B$ on $f$ with runtime $t_B \approx t_A$ and success probability $\varepsilon_B \geq \varepsilon_A/n$.

Proof idea:

• Reduction: EUF-1-naCMA security to one-way security of f .

• Simulation: B simulates EUF-1-naCMA experiment for A.

• Extraction: B uses A’s output to invert f .


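Lamport: security proof

• Details: blackboard

• Overview (parties: $C_{\text{one-way}}$, B, A; B plays the one-wayness experiment with $C_{\text{one-way}}$ and the EUF-1-naCMA experiment with A):

– $C_{\text{one-way}}$ picks $x \leftarrow \{0,1\}^k$ and sets $y := f(x)$

– (1) $C_{\text{one-way}}$ → B: $y$

– A → B: $m = m_1 \| \dots \| m_n$

– B: prepare $pk, sk, \sigma$ suitably

– (2) B → A: $pk, \sigma$

– A → B: $m^*, \sigma^*$

– (3) B → $C_{\text{one-way}}$: $x'$

1 + 2 = simulation, 3 = extraction.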


Lamport: security proof (summary)

• Use A to compute $f^{-1}(x)$ as follows:

• embed $f(x)$ into public key $pk$, so that:

– B can sign $m$

– A needs $f^{-1}(x)$ in his forgery with suitably high probability

Note: Lamport’s scheme actually EUF-1-CMA secure (exercise)
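The simulation and extraction steps of the reduction behind Theorem 23, as an added example; the slides leave the details to the blackboard, so this follows the standard argument and is not the lecturer's own construction. So that a forger can exist at all, f is a deliberately tiny 16-bit toy function; `reduction_B`, `ToyForger` and all other names are illustrative.

```python
import hashlib
import secrets

K_BYTES = 2   # toy parameter: f is NOT one-way at this size, so a demo forger exists
N = 8         # message length n in bits

def f(x):
    """Toy stand-in for f on 16-bit inputs (assumption: truncated SHA-256)."""
    return hashlib.sha256(x).digest()[:K_BYTES]

def vfy(pk, m, sigma):
    return all(f(sigma[j]) == pk[j][m[j]] for j in range(N))

def reduction_B(y, adversary, i=None):
    """B receives y = f(x) and returns some x' with f(x') = y, or None."""
    m = adversary.choose_message()            # A commits to m first (non-adaptive)
    if i is None:
        i = secrets.randbelow(N)              # guess where the forgery will differ from m
    sk = [[secrets.token_bytes(K_BYTES), secrets.token_bytes(K_BYTES)] for _ in range(N)]
    pk = [[f(x0), f(x1)] for x0, x1 in sk]
    pk[i][1 - m[i]] = y                       # embed y in the slot B never has to open
    sk[i][1 - m[i]] = None                    # B does not know this preimage
    sigma = [sk[j][m[j]] for j in range(N)]   # steps 1 + 2: simulation, B can sign m
    m_star, sigma_star = adversary.forge(pk, sigma)
    if m_star == m or not vfy(pk, m_star, sigma_star):
        return None                           # A did not produce a valid forgery
    if m_star[i] == m[i]:
        return None                           # forgery does not touch position i
    return sigma_star[i]                      # step 3: extraction, f(sigma*_i) = y

class ToyForger:
    """Constructed adversary: flips one bit of m and brute-forces the toy f there."""
    def __init__(self, m, flip):
        self.m, self.flip = list(m), flip

    def choose_message(self):
        return list(self.m)

    def forge(self, pk, sigma):
        m_star = list(self.m)
        m_star[self.flip] ^= 1
        target = pk[self.flip][m_star[self.flip]]
        for v in range(1 << (8 * K_BYTES)):   # feasible only because f is 16-bit
            x = v.to_bytes(K_BYTES, "big")
            if f(x) == target:
                break
        sigma_star = list(sigma)
        sigma_star[self.flip] = x             # may differ from the original preimage
        return m_star, sigma_star

def one_way_challenge():
    """The one-way challenger: x uniform, y := f(x)."""
    x = secrets.token_bytes(K_BYTES)
    return x, f(x)
```

Because A's view is independent of i, a forgery differs from m at position i with probability at least 1/n, which is where the factor in $\varepsilon_B \geq \varepsilon_A/n$ comes from.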


Lamport: summary

• EUF-1-CMA secure

• Requires only one-way function (weak assumption)

• Not very efficient

– Many evaluations of one-way function

– Large keys


Uselessness of UUF-NMA (not in lecture notes)

Use one-way function $f$ to construct UUF-NMA secure signature scheme:

• $\mathsf{Gen}(1^k)$: $sk \leftarrow \{0,1\}^k$, $pk = f(sk)$

• $\mathsf{Sign}(sk, m) = sk$

• $\mathsf{Vfy}(pk, m, \sigma)$: $f(\sigma) \stackrel{?}{=} pk$

• Actually EUF-NMA secure...

• ...but useless (message-independent signatures)
