Digital Signatures

Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung)

2020-04-28


Outline

Pairings

Boneh-Lynn-Shacham (BLS) signatures


Pairings

Definition 78 (Pairings): Let $G_1, G_2, G_T$ be groups of prime order $p$. A pairing is a map

$$e : G_1 \times G_2 \to G_T$$

with the following properties:

1) Bilinearity: $\forall g_1, g_1' \in G_1,\ g_2, g_2' \in G_2$:

$$e(g_1 \cdot g_1', g_2) = e(g_1, g_2) \cdot e(g_1', g_2)$$

$$e(g_1, g_2 \cdot g_2') = e(g_1, g_2) \cdot e(g_1, g_2')$$

$$\Rightarrow\ e(g_1^a, g_2) = e(g_1, g_2)^a = e(g_1, g_2^a)$$

This enables one multiplication in the exponent.


Pairings

2) Non-degeneracy: for all generators $g_1 \in G_1$, $g_2 \in G_2$:

$e(g_1, g_2)$ generates $G_T$ $\big(\overset{|G_T| \text{ prime}}{\iff} e(g_1, g_2) \neq 1\big)$

3) $e$ efficiently computable

Note: there are also pairings over groups of non-prime order.


Pairings: remarks

• $G_1, G_2$ often elliptic curves (“source groups”)

• $G_T \subseteq \mathbb{F}_Q^*$ (“target group”)

• Pairing operation less efficient than exponentiation

Original (cryptographic) application:

• Cryptanalysis

• Example: assuming DLog easier in $G_T$ than in $G_i$, then $e$ helps to “lift/push” DLog problem from $G_i$ to $G_T$

  – given $g_1^x \in G_1$, find $x$

  – compute $e(g_1^x, g_2) = e(g_1, g_2)^x$, and then DLog of $e(g_1, g_2)^x$ in $G_T$

• Some assumptions (like DDH) do not hold in $G_1$ if $G_1 = G_2$


Types of Pairings

Type 1: $G_1 = G_2$, “symmetric pairing” $e : G \times G \to G_T$

Type 2: $G_1 \neq G_2$, “asymmetric pairing”. There is an efficient nontrivial homomorphism $\psi : G_2 \to G_1$

Type 3: $G_1 \neq G_2$, “asymmetric pairing”. There is no efficient nontrivial homomorphism $\psi : G_2 \to G_1$

Note: here, we mainly consider type-1 pairings


Pairings: research

• Pairings already very powerful (we will see examples)

• Multilinear maps (for more source groups) would be even more powerful

• 2012: Garg, Gentry, Halevi “Candidate Multilinear Maps from Ideal Lattices and Applications”

• Since then many MLM candidates, attacks, improvements, applications ...


Joux’s 3-party key exchange

• Like Diffie-Hellman key exchange, but for 3 parties A, B, C

• That means A, B, C end up with common shared key

• $e : G \times G \to G_T$, $g$ generates $G$, $|G| = |G_T| = p$ prime


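Message flow between the parties A, B, C:

A: $a \leftarrow \mathbb{Z}_p$, sends $g^a$ to B and to C

B: $b \leftarrow \mathbb{Z}_p$, sends $g^b$ to A and to C

C: $c \leftarrow \mathbb{Z}_p$, sends $g^c$ to A and to B

A: holds $g^b, g^c$ and computes $k = e(g^b, g^c)^a = e(g, g)^{abc}$

B: holds $g^a, g^c$ and computes $k = e(g^a, g^c)^b = e(g, g)^{abc}$

C: holds $g^a, g^b$ and computes $k = e(g^a, g^b)^c = e(g, g)^{abc}$

• Shared key is $k = e(g, g)^{abc}$

• Order of exchanged messages does not matter

• (Multilinear map → more parties)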


Socrative

Self-checking with quizzes

• Use following URL: https://b.socrative.com/login/student

• . . . and enter room “HOFHEINZ8872”

• Will also be in chat (so you can click on link)

• No registration necessary

• Quiz about pairings starts now!


Boneh-Lynn-Shacham signatures

• Simple pairing-based signature scheme

• Short signatures

• EUF-CMA secure in random oracle model

In the following:

• $G, G_T$ groups, $|G| = |G_T| = p$ prime, $\langle g \rangle = G$

• $e : G \times G \to G_T$ pairing

• Hash function $H : \{0, 1\}^* \to G \setminus \{1\}$


BLS signatures

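$\mathrm{Gen}(1^k)$:

• $x \leftarrow \mathbb{Z}_p^*$

• $pk = (g, g^x)$, $sk = x$

$\mathrm{Sign}(sk, m)$:

• $\sigma := H(m)^x \in G$

$\mathrm{Vfy}(pk, m, \sigma)$:

• $e(H(m), g^x) \overset{?}{=} e(\sigma, g)$

Correctness:

$$e(H(m), g^x) = e(H(m), g)^x = e(H(m)^x, g) = e(\sigma, g)$$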


The computational Diffie-Hellman (CDH) problem

• Given $(g, g^x, g^y)$, compute $g^{xy}$ (for random $g$ and $x, y \leftarrow \mathbb{Z}_p^*$).

CDH assumption:

• $\forall$ PPT $A$:

$$\Pr[g \text{ random},\ x, y \leftarrow \mathbb{Z}_p^* : A(1^k, g, g^x, g^y) = g^{xy}]$$

is negligible.

Note: group $G$ and order $p$ may depend on security parameter $k$.


BLS signatures: security

Theorem 85: Assuming $H$ is modeled as a random oracle, then

• for every adversary $A$ that breaks the EUF-CMA security of the BLS signature scheme in time $t_A$ with success $\varepsilon_A$,

• there is an adversary $B$ that solves the CDH problem in $G$ in time $t_B \approx t_A$ with success

$$\varepsilon_B \geq \frac{\varepsilon_A}{q_H},$$

where $q_H$ is the number of random oracle queries $A$ makes.

Proof idea: conceptually very similar to RSA-FDH, details up next.


BLS: security proof

Simulation/reduction strategy:

• $A$ has to explicitly query $H$ for hash values (also for $m^*$)

• Intercept these queries and simulate RO for $A$

• $B$ can implement RO for $A$ as follows:

  – guess index $i^*$ of message for which $A$ forges a signature (i.e., guess when $m^*$ is being queried)

  – choose hash values $h_i$ (for $i \neq i^*$) such that signature is known

  – embed (part of) CDH challenge into $h_{i^*}$ as $h_{i^*} = g^y$ (for the last part of the given CDH challenge $g, g^x, g^y$)


• Assume that $A$ outputs valid forgery $(m^*, \sigma^*)$.

• We will assume (wlog) that $A$ has always queried $H(m^*)$.

  – Given an $A$ that sometimes does not query $H(m^*)$, can construct an $A'$ that always does before submitting forgery


BLS: reduction to CDH problem

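Parties: CDH challenger $C_{\mathrm{CDH}}$ (CDH problem), reduction $B$, adversary $A$ (EUF-CMA).

$C_{\mathrm{CDH}}$: chooses $g, x, y$ and sends $g, g^x, g^y$ to $B$

$B$: sends $pk = (g, g^x)$ to $A$

(1) $A$ asks $H(m) = ?$; $B$ chooses $H(m)$ suitably and returns $H(m)$

(2) $A$ asks $\mathrm{Sign}(sk, m) = ?$; $B$ computes $\sigma$ suitably and returns $\sigma$

$A$: outputs $(m^*, \sigma^*)$

(3) $B$: outputs $g^{xy}$ to $C_{\mathrm{CDH}}$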


BLS: reduction details

• Choice of $H(m)$ (reduction $B$ can make up $H(m)$ for $A$!):

  – Setting $H(m_i) = g^{y_i} \bmod N$ for known (previously chosen) $y_i$ ...

  – ... allows to later output a signature $\sigma := (g^x)^{y_i} = H(m_i)^x$ for $m_i$

  – Setting $H(m) = g^y$ for the $g^y$ from the CDH challenge ...

  – ... means that a signature $\sigma$ for $m$ solves the CDH challenge (since $\sigma = H(m)^x = g^{xy} \bmod N$)

• Ideally: set $H(m_i) = g^{y_i}$ for known $y_i$ and all (later) signature queries $m_i$; also set $H(m^*) = g^y$

• Problem: not known which $m_i$ are asked to be signed and which hash query is $m^*$

• Solution (as with RSA-FDH): guess index $i^*$ of hash query for which $m_{i^*} = m^*$, set $H(m_i) = g^{y_i}$ for all queries $m_i$ with $i \neq i^*$

(Reason for loss $q_H$ of reduction)


BLS: detailed full reduction

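Parties: CDH challenger $C_{\mathrm{CDH}}$ (CDH problem), reduction $B$, adversary $A$ (EUF-CMA).

$C_{\mathrm{CDH}}$: chooses $g, x, y$ and sends $g, g^x, g^y$ to $B$

$B$: sends $pk = (g, g^x)$ to $A$

(1) $A$ asks $H(m_i) = ?$; $B$ returns $H(m_i)$, where

  – $i \neq i^*$: $H(m_i) := g^{y_i}$

  – $i = i^*$: $H(m_i) := g^y$

(2) $A$ asks $\mathrm{Sign}(sk, m_i) = ?$; $B$ sets $\sigma = (g^x)^{y_i}$ and returns $\sigma$

$A$: outputs $(m^*, \sigma^*)$

(3) $B$: outputs $g^{xy} = \sigma^*$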
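The reduction above, run end to end as an added example (not part of the original slides). Assumptions: the group is a toy in which each element is stored as its discrete logarithm (insecure, chosen so the code runs without a pairing library), and `idealized_forger` is a hypothetical stand-in for a successful adversary $A$ that is simply handed $x$; `ReductionB`, `run_once` and `success_rate` are names made up here.

```python
import secrets

# Toy group (constructed, NOT secure): g0^a is stored as the exponent a mod p.
# B below only calls power() and e(), i.e. it treats the group as a black box.
P = 2**127 - 1


def power(u, k):                      # u^k
    return (u * k) % P


def e(u, v):                          # e(g0^a, g0^b) = e(g0, g0)^(ab)
    return (u * v) % P


def rand_exp():                       # uniform element of Z_p^*
    return 1 + secrets.randbelow(P - 1)


class ReductionB:
    """CDH solver B: plays the EUF-CMA game and the random oracle for A."""

    def __init__(self, g, gx, gy, q_H, i_star=None):
        self.g, self.gx, self.gy = g, gx, gy
        # guess which hash query will be the forgery message m*
        self.i_star = secrets.randbelow(q_H) if i_star is None else i_star
        self.table = {}               # m -> (H(m), y_i); y_i is None at i*
        self.aborted = False

    def pk(self):
        return (self.g, self.gx)

    def H(self, m):
        if m not in self.table:
            if len(self.table) == self.i_star:
                self.table[m] = (self.gy, None)            # H(m_i*) := g^y
            else:
                y_i = rand_exp()
                self.table[m] = (power(self.g, y_i), y_i)  # H(m_i) := g^(y_i)
        return self.table[m][0]

    def sign(self, m):
        self.H(m)
        y_i = self.table[m][1]
        if y_i is None:               # asked to sign m_i*: the guess was wrong
            self.aborted = True
            return None
        return power(self.gx, y_i)    # (g^x)^(y_i) = H(m_i)^x

    def output(self, m_star, sigma_star):
        """g^(xy) if the forgery is valid and hit the guessed query, else None."""
        hit = m_star in self.table and self.table[m_star][1] is None
        if self.aborted or not hit:
            return None
        if e(self.gy, self.gx) != e(sigma_star, self.g):
            return None
        return sigma_star             # sigma* = H(m*)^x = g^(xy)


def idealized_forger(B, x, q_H, target=None):
    """Hypothetical A: hashes q_H messages, has all but one signed, checks the
    signatures it receives, then forges on the remaining message using x."""
    g, gx = B.pk()
    msgs = [b"m%d" % i for i in range(q_H)]
    hashes = [B.H(m) for m in msgs]
    t = secrets.randbelow(q_H) if target is None else target
    for i, m in enumerate(msgs):
        if i == t:
            continue
        sigma = B.sign(m)
        if sigma is None or e(hashes[i], gx) != e(sigma, g):
            return None               # B aborted or the simulation was off
    return msgs[t], power(hashes[t], x)


def run_once(q_H=8, i_star=None, target=None):
    g, x, y = rand_exp(), rand_exp(), rand_exp()
    gx, gy = power(g, x), power(g, y)
    B = ReductionB(g, gx, gy, q_H, i_star)
    forgery = idealized_forger(B, x, q_H, target)
    answer = B.output(*forgery) if forgery else None
    return answer, power(gx, y)       # B's answer and the true g^(xy)


def success_rate(q_H=8, trials=2000):
    wins = 0
    for _ in range(trials):
        answer, truth = run_once(q_H)
        wins += answer is not None and answer == truth
    return wins / trials


if __name__ == "__main__":
    print("B's success with eps_A = 1 and q_H = 8:", success_rate())
```

With a forger that always succeeds ($\varepsilon_A = 1$), the measured success of $B$ is close to $1/q_H$, the loss factor in Theorem 85.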


BLS signatures: pros/cons

Pros:

• Short signatures (only one group element)

• Efficient algorithms (although: pairing can be expensive)

• EUF-CMA secure under well-known weak assumption

Cons:

• Security proof only in random oracle model


BLS: extra properties

Problem:

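• $U_1, \ldots, U_N$ senders (e.g., in a sensor network)

• Each $U_i$ has their own $pk_i = (g, g^{x_i})$

Straightforward (but expensive!) solution:

$U_1$ with $(pk_1, sk_1)$ → $(m_1, \sigma_1)$

$U_2$ with $(pk_2, sk_2)$ → $(m_2, \sigma_2)$

...

$U_n$ with $(pk_n, sk_n)$ → $(m_n, \sigma_n)$

Verifier receives $(m_1, \sigma_1), \ldots, (m_n, \sigma_n)$ and checks $\forall i : \mathrm{Vfy}(pk_i, m_i, \sigma_i) \overset{?}{=} 1$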


Better solution: aggregable signature scheme

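$U_1, U_2, \ldots, U_n$ send $(m_1, \sigma_1), (m_2, \sigma_2), \ldots, (m_n, \sigma_n)$ to the aggregator

Aggregator sends $(m_1, \ldots, m_n, \sigma_{\mathrm{Agg}})$ to the verifier

Verifier checks $\mathrm{Vfy}(pk_1, \ldots, pk_n, m_1, \ldots, m_n, \sigma_{\mathrm{Agg}}) \overset{?}{=} 1$

• Algorithm that aggregates signatures

• $|\sigma_{\mathrm{Agg}}| = |\sigma|$

• Vfy of single aggregated signature more efficient than Vfy of many single signatures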


Aggregable signatures

Advantages and (potential) applications:

• Saves bandwidth/storage

• Aggregating signatures more efficient than signing huge dataset (perhaps over and over again)

• Applications:

  – Sensor networks

  – Secure logging

  – (Authenticating) databases

  – ...


BLS: aggregability

• $U_i$ has BLS keypair $(pk_i = (g, g^{x_i}),\ sk_i = x_i)$

• Signatures are of the form $\sigma_i = H(m_i)^{x_i}$

• Aggregator computes

$$\sigma_{\mathrm{Agg}} = \prod_{i=1}^{n} \sigma_i$$

and sends $(m_1, \ldots, m_n, \sigma)$ to the verifier

• Aggregation is public computation, no secret key necessary


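$$\sigma_{\mathrm{Agg}} = \prod_{i=1}^{n} \sigma_i$$

• Verification of aggregated signatures:

$$e(\sigma_{\mathrm{Agg}}, g) \overset{?}{=} \prod_{i=1}^{n} e(H(m_i), g^{x_i}).$$

• Correctness:

$$\begin{aligned}
e(\sigma_{\mathrm{Agg}}, g) &= e(\sigma_1, g) \cdot \ldots \cdot e(\sigma_n, g) \\
&= e(H(m_1)^{x_1}, g) \cdot \ldots \cdot e(H(m_n)^{x_n}, g) \\
&= \prod_{i=1}^{n} e(H(m_i), g^{x_i})
\end{aligned}$$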


• Verification time approximately halved:

  – No aggregation: verifying $n$ signatures takes $2n$ pairing computations

  – Aggregated: verifying aggregated signature for $n$ messages takes $n + 1$ pairing computations

• Scheme with aggregation EUF-CMA secure

  – ... according to adapted EUF-CMA definition

  – Difference: allow aggregated forgery

  – Generalizes “ordinary” EUF-CMA


BLS: batch verification

Problem:

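$U$ with $(pk, sk)$ sends $(m_1, \sigma_1), \ldots, (m_n, \sigma_n)$ to the verifier

Verifier checks $\forall i : \mathrm{Vfy}(pk_i, m_i, \sigma_i) \overset{?}{=} 1$

Solution: batch verification

• $\sigma_1, \ldots, \sigma_n$ signatures for $m_1, \ldots, m_n$

• $h = \prod_{i=1}^{n} H(m_i)$, $\sigma := \prod_{i=1}^{n} \sigma_i$

• Check $e(\sigma, g) \overset{?}{=} e(h, g^x)$

• Correctness: as with aggregation

• Only two pairing computations for $n$ signatures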
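The BLS scheme (Gen, Sign, Vfy), aggregation and batch verification from the slides above, as an added example that is not part of the original slides. Assumption: a toy symmetric pairing in which every group element is stored as its discrete logarithm, which is insecure and only reproduces the algebra and the pairing counts ($2n$, $n + 1$, $2$); the function names are made up for this example.

```python
import hashlib
import secrets

# Toy symmetric pairing, constructed for illustration and NOT secure: an element
# g^a of G (or e(g,g)^a of G_T) is stored as its exponent a mod p. Products add
# exponents, powers multiply them, and e(g^a, g^b) = e(g,g)^(ab) is a*b mod p.
P = 2**127 - 1        # prime group order p
G = 1                 # generator g = g^1
ONE = 0               # neutral element g^0
pairings = 0          # pairing evaluations so far


def mul(u, v):
    return (u + v) % P


def power(u, k):
    return (u * k) % P


def e(u, v):
    global pairings
    pairings += 1
    return (u * v) % P


def H(m):
    """Hash a byte string into G \\ {1}."""
    digest = int.from_bytes(hashlib.sha256(m).digest(), "big")
    return 1 + digest % (P - 1)


def gen():
    x = 1 + secrets.randbelow(P - 1)        # x <- Z_p^*
    return (G, power(G, x)), x              # pk = (g, g^x), sk = x


def sign(sk, m):
    return power(H(m), sk)                  # sigma = H(m)^x


def vfy(pk, m, sigma):
    g, gx = pk
    return e(H(m), gx) == e(sigma, g)


def product(elements):
    acc = ONE
    for u in elements:
        acc = mul(acc, u)
    return acc


def vfy_each(pks, msgs, sigmas):
    """n separate checks: 2n pairings."""
    return all([vfy(pk, m, s) for pk, m, s in zip(pks, msgs, sigmas)])


def vfy_agg(pks, msgs, sigma_agg):
    """e(sigma_Agg, g) ?= prod_i e(H(m_i), g^(x_i)): n + 1 pairings."""
    rhs = product(e(H(m), gx) for (_, gx), m in zip(pks, msgs))
    return e(sigma_agg, G) == rhs


def vfy_batch(pk, msgs, sigmas):
    """One signer, n messages: e(prod sigma_i, g) ?= e(prod H(m_i), g^x)."""
    g, gx = pk
    return e(product(sigmas), g) == e(product(H(m) for m in msgs), gx)


def counted(check, *args):
    """Run a verification routine and return (result, pairings it used)."""
    before = pairings
    ok = check(*args)
    return ok, pairings - before


def demo(n=4):
    msgs = [b"sensor %d: reading %d" % (i, 20 + i) for i in range(n)]  # constructed
    users = [gen() for _ in range(n)]
    pks = [pk for pk, _ in users]
    sigs = [sign(sk, m) for (_, sk), m in zip(users, msgs)]
    bad = sigs[:1] + [mul(sigs[1], G)] + sigs[2:]   # one corrupted signature
    pk, sk = gen()
    own = [sign(sk, m) for m in msgs]               # one signer, n messages
    return {
        "each": counted(vfy_each, pks, msgs, sigs),
        "aggregate": counted(vfy_agg, pks, msgs, product(sigs)),
        "aggregate_one_bad": counted(vfy_agg, pks, msgs, product(bad)),
        "batch": counted(vfy_batch, pk, msgs, own),
    }


if __name__ == "__main__":
    for name, (ok, used) in demo().items():
        print(f"{name:18s} valid={ok!s:5s} pairings={used}")
```

The `aggregate_one_bad` case shows a single invalid signature invalidating the whole aggregate, without indicating which message was affected.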


Research

• Different forms of aggregation

  – Sequential aggregation (→ Waters signatures), full aggregation (BLS), ...

  – Reason: weaker forms of aggregation easier to achieve (without RO)

• “Universal aggregators” (aggregation across signature schemes)

• Fault-tolerant aggregate signatures

  – Aggregating an invalid signature invalidates aggregate

  – But: sometimes useful to be able to tell which message has invalid signature

  – → Vfy outputs list of valid signatures


Socrative

Self-checking with quizzes

• Use following URL: https://b.socrative.com/login/student

• . . . and enter room “HOFHEINZ8872”

• Will also be in chat (so you can click on link)

• No registration necessary

• Quiz about CDH and BLS starts now!
