Digital Signatures
Dennis Hofheinz (slides based on slides by Björn Kaidel)
Digital Signatures 2020-03-03 1
Outline
Why assumptions?
Efficient one-time signatures
Recap: Lamport
• EUF-1-CMA secure
• Requires only one-way function (weak assumption)
• Not very efficient
– Many evaluations of one-way function
– Large keys
Uselessness of UUF-NMA (not in lecture notes)
Use one-way function $f$ to construct UUF-NMA secure signature scheme:
• $\mathsf{Gen}(1^k)$: $sk \leftarrow \{0,1\}^k$, $pk = f(sk)$
• $\mathsf{Sign}(sk, m) = sk$
• $\mathsf{Vfy}(pk, m, \sigma)$: $f(\sigma) \stackrel{?}{=} pk$
• Actually EUF-NMA secure...
• ...but useless (message-independent signatures)
Why assumptions? (not in lecture notes)
We made assumptions so far to construct signature schemes:
• Existence of collision-resistant hash functions
• Existence of one-way functions
• More to come...
Why make assumptions in the first place?
Why assumptions? (2) (not in lecture notes)
Theorem: Let $\Sigma = (\mathsf{Gen}, \mathsf{Sign}, \mathsf{Vfy})$ be a UUF-NMA secure signature scheme. Then $P \neq NP$.
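Proof: $\exists$ UUF-NMA $\Rightarrow P \neq NP$ (not in lecture notes)
• Consider the language
$$L_\Sigma = \{(pk, m, \sigma') : \exists \sigma \text{ s.t. } \sigma' \text{ is prefix of } \sigma \text{ and } \mathsf{Vfy}(pk, m, \sigma) = 1\}$$
• We have $L_\Sigma \in NP$ (witness: $\sigma$)
• Assume for contradiction that $P = NP$. Then $\exists B$ that decides $L_\Sigma$ in polynomial time.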
Proof: $\exists$ UUF-NMA $\Rightarrow P \neq NP$ (2) (not in lecture notes)
$$L_\Sigma = \{(pk, m, \sigma') : \exists \sigma \text{ s.t. } \sigma' \text{ is prefix of } \sigma \text{ and } \mathsf{Vfy}(pk, m, \sigma) = 1\}.$$
UUF-NMA adversary from $B$:
• Use $B$ to find $\sigma$ given $m$, $pk$ (bit-by-bit search)
• Signatures are short, hence runtime is polynomial
• Always finds valid $\sigma$
Hence: $P = NP$ implies that $\Sigma$ is not UUF-NMA secure. (Contradiction.)
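
The bit-by-bit search from the proof, as an added example (not from the slides), run against the message-independent scheme from the earlier slide. The decider `decide_L` is a brute-force stand-in for the hypothetical polynomial-time $B$; the length `K`, the SHA-256 instantiation of $f$ and all function names are assumptions.

```python
import hashlib
from itertools import product

K = 10  # constructed toy signature length in bits

def f(bits):
    # Stand-in one-way function on bit strings (assumption: SHA-256)
    return hashlib.sha256(bits.encode()).hexdigest()

def vfy(pk, m, sigma):
    # Message-independent scheme from the slides: accept iff f(sigma) == pk
    return len(sigma) == K and f(sigma) == pk

def decide_L(pk, m, prefix):
    # Stand-in for the decider B of L_Sigma: is `prefix` a prefix of some
    # valid signature? Brute force, feasible only because K is tiny.
    rest = K - len(prefix)
    return rest >= 0 and any(
        vfy(pk, m, prefix + "".join(t)) for t in product("01", repeat=rest))

def find_signature(pk, m, decide):
    # One decider call per signature bit: extend the prefix by 0 if that
    # stays inside L_Sigma, otherwise by 1.
    prefix, calls = "", 0
    while not vfy(pk, m, prefix):
        if len(prefix) == K:
            return None, calls      # no valid signature exists for (pk, m)
        calls += 1
        prefix += "0" if decide(pk, m, prefix + "0") else "1"
    return prefix, calls
```

The search makes exactly `K` decider calls, which is the "signatures are short, hence runtime is polynomial" step of the proof.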
Discrete-log-based one-time signatures
Setting:
• Cyclic group $G = \langle g \rangle$ of prime order $|G| = p$
• $G$ may (should) depend on security parameter (we usually do not make this explicit)
DLog problem/assumption
DLog problem:
• Given generator $g$ and $y \leftarrow G$, find $x \in \mathbb{Z}_p$ with $g^x = y$.
DLog assumption:
• $\forall$ PPT $A$:
$$\Pr\left[x \leftarrow \mathbb{Z}_p;\; x' \leftarrow A(1^k, g, g^x) \;:\; x' = x\right] \text{ negligible.}$$
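DLog one-time signature
$\Sigma = (\mathsf{Gen}, \mathsf{Sign}, \mathsf{Vfy})$ with message space $\mathbb{Z}_p$:
• $\mathsf{Gen}(1^k)$: $x \leftarrow \mathbb{Z}_p^*$, $\omega \leftarrow \mathbb{Z}_p$, $h := g^x$, $c := g^\omega$, $pk = (g, h, c)$, $sk = (x, \omega)$
• $\mathsf{Sign}(sk, m)$: $\sigma = \frac{\omega - m}{x}$
• $\mathsf{Vfy}(pk, m, \sigma)$: $c \stackrel{?}{=} g^m h^\sigma$
Correctness:
$$g^m h^\sigma = g^{m + x\sigma} = g^{m + x \cdot \frac{\omega - m}{x}} = g^\omega = c$$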
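
The scheme above in a toy group, as an added example (not from the slides). It goes one step beyond the slide to show why the key is one-time: two signatures on different messages under the same key determine $x$. The group parameters `P`, `Q`, `G` are constructed toy values, and `Q` plays the role of the group order $p$.

```python
import secrets

# Constructed toy Schnorr group, far too small for real use:
# P = 2*Q + 1 with P, Q prime; G = 4 generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def gen():
    x = secrets.randbelow(Q - 1) + 1          # x <- Z_p^*
    w = secrets.randbelow(Q)                  # omega <- Z_p
    pk = (G, pow(G, x, P), pow(G, w, P))      # (g, h, c)
    return pk, (x, w)

def sign(sk, m):
    x, w = sk
    return (w - m) * pow(x, -1, Q) % Q        # sigma = (omega - m) / x

def vfy(pk, m, sigma):
    g, h, c = pk
    return c == pow(g, m, P) * pow(h, sigma, P) % P   # c ?= g^m * h^sigma

def recover_x(m1, s1, m2, s2):
    # Both signatures open the same c:
    #   m1 + x*s1 = omega = m2 + x*s2  (mod Q)
    #   =>  x = (m1 - m2) / (s2 - s1)  (mod Q), defined whenever m1 != m2
    return (m1 - m2) * pow((s2 - s1) % Q, -1, Q) % Q
```

Once $x$ is known, $\omega = m_1 + x\sigma_1$ follows, so a second signature gives away the whole secret key.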
DLog one-time signature: security
Theorem 28: For every EUF-1-naCMA adversary $A$ on $\Sigma$ with runtime $t_A$ and success probability $\varepsilon_A$, there is an adversary $B$ on the DLog problem in $G$ that runs in time $t_B \approx t_A$ and has success probability $\varepsilon_B \geq \varepsilon_A$.
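DLog one-time signature: security
• Details: blackboard.
• Overview (parties: DLog challenger $C_{DLog}$, reduction $B$, EUF-1-naCMA adversary $A$):
– $C_{DLog}$: $x \leftarrow \mathbb{Z}_p$, $h := g^x$
– $C_{DLog} \to B$: $g, h$
– $A \to B$: $m \in \mathbb{Z}_p$
– $B$: compute $c, \sigma$ suitably (1)
– $B \to A$: $pk = (g, h, c)$, $\sigma$
– $A \to B$: $m^*, \sigma^*$
– $B \to C_{DLog}$: $x$ (2)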
One-time signatures based on RSA
Setting:
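• $N = P \cdot Q$, for large primes $P, Q$
• $\varphi(N) = (P - 1)(Q - 1) = |\mathbb{Z}_N^*|$
• Choose $e \in \mathbb{N}$ uniformly between 1 and $\varphi(N)$ with $\gcd(e, \varphi(N)) = 1$.
• Then $d \in \mathbb{N}$ with $e \cdot d \equiv 1 \bmod \varphi(N)$ can be found efficiently from $\varphi(N)$ and $e$.
• For $x \in \mathbb{Z}_N$, we have $x^{e \cdot d} \equiv x \bmod N$.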
RSA problem/assumption
RSA problem:
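• Given $N, e$ as above and $y \leftarrow \mathbb{Z}_N$, find $x \in \mathbb{Z}_N$ with $x^e \equiv y \bmod N$.
RSA assumption:
• $\forall$ PPT $A$:
$$\Pr\left[N, e \text{ as above};\; y \leftarrow \mathbb{Z}_N;\; x \leftarrow A(1^k, N, e, y) \;:\; x^e = y \bmod N\right] \text{ negligible.}$$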
RSA one-time signature
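$\Sigma = (\mathsf{Gen}, \mathsf{Sign}, \mathsf{Vfy})$ with message space $\{0, \ldots, 2^n - 1\}$:
$\mathsf{Gen}(1^k)$:
• choose primes $P, Q$, set $N := P \cdot Q$
• uniformly choose prime $e$ with $2^n < e < \varphi(N)$ (and $\gcd(e, \varphi(N)) = 1$)
• $d := e^{-1} \bmod \varphi(N)$
• $J, c \leftarrow \mathbb{Z}_N$
• $pk = (N, e, J, c)$
• $sk = d$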
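RSA one-time signature: Sign & Vfy
$pk = (N, e, J, c)$, $sk = d = e^{-1} \bmod \varphi(N)$
$\mathsf{Sign}(sk, m)$:
$$\sigma \equiv \left(\frac{c}{J^m}\right)^d \bmod N$$
$\mathsf{Vfy}(pk, m, \sigma)$:
$$c \stackrel{?}{\equiv} J^m \sigma^e \bmod N$$
Correctness:
$$J^m \sigma^e \equiv J^m \left(\frac{c}{J^m}\right)^{e \cdot d} \equiv J^m \cdot \frac{c}{J^m} \equiv c \bmod N$$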
RSA one-time signature: security
Prime-e-RSA problem/assumption: like RSA problem and assumption, but with $e$ chosen as prime between $2^n$ and $\varphi(N)$. (Asymptotically: RSA assumption $\Rightarrow$ prime-e-RSA assumption!)
Theorem 30: For every EUF-1-naCMA adversary $A$ on $\Sigma$ with runtime $t_A$ and success probability $\varepsilon_A$, there is an adversary $B$ on the prime-e-RSA assumption that computes $x \in \mathbb{Z}_N$ with $x^e \equiv y \bmod N$ in time $t_B \approx t_A$ with success probability $\varepsilon_B \geq \varepsilon_A$.
Shamir’s trick
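Lemma 31: Let $J, S \in \mathbb{Z}_N$ and $e, f \in \mathbb{Z}$ with
• $\gcd(e, f) = 1$
• $J^f \equiv S^e \bmod N$.
Then, given $N \in \mathbb{Z}$ and $(J, S, e, f) \in \mathbb{Z}_N^2 \times \mathbb{Z}^2$, it is possible to efficiently compute $x \in \mathbb{Z}_N$ with $x^e \equiv J \bmod N$.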
Proof: blackboard.
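
Lemma 31 applied to the RSA one-time signature, as an added example (not from the slides, and not the blackboard proof): two signatures on different messages under one key give $J^{m_1 - m_2} \equiv (\sigma_2/\sigma_1)^e$, and because $e$ is a prime above $2^n$ the trick yields an $e$-th root of $J$. The parameters are constructed toy values, all function names are assumptions, and negative exponents in `pow` need Python 3.8+.

```python
from math import gcd

# Constructed toy parameters, far too small for real use.
P, Q = 1019, 2039
N, PHI = P * Q, (P - 1) * (Q - 1)
n, e = 8, 257                  # messages in {0..2^n - 1}; prime e with 2^n < e < phi(N)
assert gcd(e, PHI) == 1
d = pow(e, -1, PHI)            # sk
J, c = 123456, 654321          # fixed stand-ins for random J, c in Z_N (both units mod N)

def sign(m):
    return pow(c * pow(J, -m, N) % N, d, N)          # sigma = (c / J^m)^d mod N

def vfy(m, sigma):
    return c == pow(J, m, N) * pow(sigma, e, N) % N  # c ?= J^m * sigma^e mod N

def bezout(e, f):
    # Extended Euclid for positive e, f: returns (a, b) with a*e + b*f == gcd(e, f).
    a0, b0, a1, b1 = 1, 0, 0, 1
    while f:
        q = e // f
        e, f = f, e - q * f
        a0, a1 = a1, a0 - q * a1
        b0, b1 = b1, b0 - q * b1
    return a0, b0

def shamir_trick(N, J, S, e, f):
    # gcd(e, f) = 1 and J^f = S^e mod N  =>  x = J^a * S^b with a*e + b*f = 1,
    # since x^e = J^(a*e) * (S^e)^b = J^(a*e + b*f) = J. Assumes J, S are units mod N.
    a, b = bezout(e, f)
    return pow(J, a, N) * pow(S, b, N) % N

def root_from_two_signatures(m1, s1, m2, s2):
    # J^m1 * s1^e = c = J^m2 * s2^e  =>  J^(m1 - m2) = (s2 / s1)^e mod N
    if m1 < m2:
        m1, s1, m2, s2 = m2, s2, m1, s1
    f = m1 - m2                # 0 < f < 2^n < e and e prime, so gcd(e, f) = 1
    S = s2 * pow(s1, -1, N) % N
    return shamir_trick(N, J, S, e, f)
```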
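RSA one-time signatures: security
• Details: see blackboard.
• Overview (parties: prime-e-RSA challenger $C_{RSA}$, reduction $B$, EUF-1-naCMA adversary $A$):
– $C_{RSA}$: $N = P \cdot Q$, $e > 2^n$, $y \leftarrow \mathbb{Z}_N$
– $C_{RSA} \to B$: $N, e, y$
– $A \to B$: $m \in [0, 2^n - 1]$
– $B$: compute $J, c, \sigma$ suitably (1)
– $B \to A$: $pk = (N, e, J, c)$, $\sigma$
– $A \to B$: $m^*, \sigma^*$
– $B \to C_{RSA}$: $x$ (2)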
One-time signatures: current research
Example: Tightly Secure Signatures and Public-Key Encryption [HofJag12]
• One-time signatures ⇒ many-time signatures ⇒ public-key encryption
• Special feature: security reduction scales to many users/instances without loss of reduction success