Security Arguments for Digital Signatures and Blind

Signatures

Journal of Cryptology, (2000) 13: 361-396

Authors: D. Pointcheval and J. Stern

Presented by J. Liu

Outline

• Introduction

• Definitions1. The random oracle model

2. Digital signature schemes

• Preliminaries 1. Complexity theory and “Oracle replay attack”

2. Distinguishability of distributions of probability

• Security arguments for digital signatures

Introduction

• Provable security has tried to provide proof in the asymptotic framework of complexity theory.

• That is, poly reductions the problem to well-established problems, such as factorization, DLP, NPC….

• One way function NP vs. P

The random oracle model

• Hash function (e.g. MD5, SHA1-2, …) long message short digest.

• Nonrepudiation it is impossible to find two different messages providing the same hash value (collision freeness)

• The hash function can be seen as an oracle which produces a truly random value for each “new” query.

Digital signature schemes

1. Key generation algo. G (probabilistic): input: k and w, output: (Kp, Ks) 2. Signing algo. Σ(may be probabilistic):

input: message m, (Kp, Ks)output: signature σ

3. Verification algo. V (not probabilistic): input: m, Kp, σoutput: accept or reject

Fig. 1. signature schemes

Example: RSA signature

• N = pq, ed = 1 mod φ(N) where e is p and d is s.

• The signature of a message m with respect to d is σ= md mod N

• It is not secure under existential forgery.

σ’ = σ2 = (md )2 = (m2 )d mod N

• Not intelligible or without the proper redundancy

Example: Schnorr signature

• p, q two large prime and q｜ p-1 with q 2≧k.

• g(Z/pZ)* of order q, y = g-x mod p

• σ= (r, e, s), where r = gK mod p with random K, e = H(m, r) mod q and s =K+ex mod q

• Verify by e = H(m, gsye mod p)

[gsye = gK+ex(g-x)e = gK+ex-ex = gK =r mod p]

No-message attack vs. known-message attack

• NMA: Attacker only knows public key of the signer.

• KMA: Attacker can access a list of (m, σ) pairs.

1) Plan known-message attack

2) Generic chosen-message attack

3) Oriented chosen-message attack

4) Adaptively chosen-message attack

強?(

少)

弱?

(

多)

Plan known-message attack

• Attacker has access to a list of signed messages, but he has not chosen them.

Generic chosen-message attack

• Attacker can choose the list of messages to be signed. This choice must be made before accessing the public key of the signer. That is the choice is independent of the signer.

Oriented chosen-message attack

• Choose the message for specific signer.

Adaptively chosen-message attack

• Having knowledge of the public key of the signer, the attacker can ask the signer to sign any message that he wants. He can then adapt his queries according to previous message-signature pairs.

Forgeries

• Total break: Disclose the secret key of the signer.

• Universal forgery: Constructing an efficient algorithm which can sign any message.

• Existential forgery: providing a new message-signature pair. (not dangerous

meaningless)∵

Secure signature scheme

• A signature scheme is secure if an existential forgery is computationally impossible, even under an adaptively chosen-message attack.

Preliminaries

• Complexity theorem and “Oracle replay attack”

• Distinguishability of distributions of probability

Complexity theorem and “Oracle replay attack”

• All participants are modeled by probabilistic polynomial time Turing machine.

• Generic reduction technique.

• Oracle replay attack: by a polynomial replay of the attacker with different random oracle.

Oracle replay attack

: random tape

• A query the random oracle Q times, i is the answer of the i-th query.

+1: the index of Q(m, 1)

Lemmas

• Splitting lemma

• Lemma 2

• Forking lemma

• Theorem 2

Splitting lemma

Lemma 2

.'such that )',', (m, and ),, (m,

signatures valid twooutputs machine thisofreplay a

1/9,'y probabilit with and ,16QT/T' me within tiThen,

).,, (m, signature valid,2/7y probabilitwith

produces,A T. bound timee within th that,assum We0.Qwith

oracle, random the toqueries Qask can which machine, Turning

timepolynomial ticprobabilis a beA Let k.parmater security

witinscheme signature digital generic a be V) , (G,Let

2121

21

hhhh

haQ k

Forking lemma

.QT/84480T' timeexpectedin ,'such that

)',', (m, and ),, (m, signatures valid twoproduces

andA over control has which machineanother is Then there

).,, (m, signature valid,2/7y probabilitwith

produces,A T. bound timee within th that,assum We0.Qwith

oracle, random the toqueries Qask can which machine, Turning

timepolynomial ticprobabilis a beA Let k.parmater security

witinscheme signature digital generic a be V) , (G,Let

2121

21

hh

hh

haQ k

Theorem 2

.84480QT/ than less timeexcepetedin solved becan

order prime of subgroupsin logrithm discrete Then the

oracle. random theask tocan A

query that ofnumber theQby denote We

7Q/q.y probabilit with signature,

Schnorr eagainst thattack message-no aunder

under forgery lexistentiaan performsA Attacker

Proof

• By forking lemma, we obtain 2 valid signatures (m, r, e, s) and (m, r, e’, s’) with e e’.

• ' 'We have, mod ,

'then log mod q

'

s e s e

yg

r g y g y p

s s

e e