digital signaturesdigital signatures dennis hofheinz (slides based on slides by björn kaidel)...

Digital SignaturesDennis Hofheinz (slides based on slides by Björn Kaidel)

Digital Signatures 2020-03-03 1

Outline

Why assumptions?

Efficient one-time signatures


Recap: Lamport

• EUF-1-CMA secure

• Requires only one-way function (weak assumption)• Not very efficient

– Many evaluations of one-way function– Large keys


Uselessness of UUF-NMA (not in lecture notes)

Use one-way function f to construct UUF-NMA secure signaturescheme:

• Gen(1k ) : sk ← {0, 1}k , pk = f (sk )

• Sign(sk , m) = sk

• Vfy(pk , m,σ): f (σ) ?= pk

• Actually EUF-NMA secure. . .

• . . . but useless (message-independent signatures)


Why assumptions? (not in lecture notes)

We made assumptions so far to construct signature schemes:

• Existence of collision-resistant hash functions

• Existence of one-way functions

• More to come. . .

Why make assumptions in the first place?


Why assumptions? (2) (not in lecture notes)

Theorem:Let Σ = (Gen, Sign, Vfy) be a UUF-NMA secure signature scheme.Then P 6= NP .


Proof: ∃UUF-NMA⇒ P 6= NP (not in lecturenotes)

• Consider the language

LΣ = {(pk , m,σ) : ∃σ s.t. σ is prefix of σ and Vfy(pk , m,σ) = 1}

• We have LΣ ∈ NP (witness: σ)

• Assume for contradiction that P = NP . Then ∃B that decidesLΣ in polynomial time.


Proof: ∃UUF-NMA⇒ P 6= NP (2) (not in lecturenotes)

LΣ = {(pk , m,σ) : ∃σ s.t. σ is prefix of σ and Vfy(pk , m,σ) = 1}.

UUF-NMA adversary from B:

• Use B to find σ given m, pk (bit-by-bit search)

• Signatures are short, hence runtime is polynomial

• Always finds valid σ

Hence: P = NP implies that Σ is not UUF-NMA secure.(Contradiction.)


Discrete-log-based one-time signatures

Setting:

• Cyclic group G = 〈g〉 of prime order |G| = p

• G may (should) depend on security parameter (we usually donot make this explicit)


DLog problem/assumption

DLog problem:

• Given generator g and y ← G, find x ∈ Zp with gx = y .

DLog assumption:

• ∀ PPT A:

Pr

[x ← Zp

x ′ ← A(1k , g, gx ): x ′ = x

]negligible.


DLog one-time signatureΣ = (Gen, Sign, Vfy) with message space Zp:

Gen(1k ) : Sign(sk , m) : Vfy(pk , m,σ) :x ← Z∗pω ← Zp

h := gx

c := gω σ = ω−mx c ?= gmhσ

pk = (g, h, c)sk = (x ,ω)

Correctness:




h := gx


pk = (g, h, c)sk = (x ,ω)

Correctness:Ideas?




h := gx


pk = (g, h, c)sk = (x ,ω)

Correctness:

gmhσ = gm+xσ = gm+x ω−mx = gω = c


DLog one-time signature: security

Theorem 28:For every EUF-1-naCMA adversary A on Σ with runtime tA andsuccess probability εA, there is an adversary B on the DLogproblem in G that runs in time tB ≈ tA and has success probabilityεB ≥ εA.



• Details: blackboard.

• Overview:

CDlog B A

Dlog problem EUF-1-naCMA

x ← Zp

h := gx

g, hm ∈ Zp

Compute c,σ suitablypk = (g, h, c),σ

1

m∗,σ∗

x 2




• Overview:

CDlog B A


x ← Zp

h := gx

g, h

m ∈ Zp


1

m∗,σ∗

x 2




• Overview:

CDlog B A


x ← Zp

h := gx

g, hm ∈ Zp


1

m∗,σ∗

x 2


One-time signatures based on RSA

Setting:

• N = P · Q, for large primes P, Q

• ϕ(N) = (P − 1)(Q − 1) = |Z∗N |• Choose e ∈ N uniformly between 1 and ϕ(N) with

gcd(e,ϕ(N)) = 1.

• Then d ∈ N with e · d ≡ 1 mod ϕ(N) can be found efficientlyfrom ϕ(N) and e.

• For x ∈ ZN , we have xe·d ≡ x mod N.


RSA problem/assumption

RSA problem:

• Given N, e as above and y ← ZN , find x ∈ ZN withxe ≡ y mod N.

RSA assumption:

• ∀ PPT A:

Pr

N, e as abovey ← ZN

x ← A(1k , N, e, y ): xe = y mod N

negligible.


RSA one-time signature

Σ = (Gen, Sign, Vfy) with message space {0, ... , 2n − 1}:

Gen(1k ) :

• choose primes P, Q, set N := P · Q• uniformly choose prime e with 2n < e < ϕ(N) (and

gcd(e,ϕ(N)) = 1)

• d := e−1 mod ϕ(N)

• J, c ← ZN

• pk = (N, e, J, c)

• sk = d


RSA one-time signature: Sign & Vfy

pk = (N, e, J, c) sk = d = e−1 mod ϕ(N)

Sign(sk , m):

σ ≡(

cJm

)dmod N

Vfy(pk , m,σ) :

c?≡ Jmσe mod N

Correctness:




Sign(sk , m):

σ ≡(

cJm

)dmod N

Vfy(pk , m,σ) :

c?≡ Jmσe mod N

Correctness:Ideas?




Sign(sk , m):

σ ≡(

cJm

)dmod N

Vfy(pk , m,σ) :

c?≡ Jmσe mod N

Correctness:

Jmσe ≡ Jm(

cJm

)e·d≡ Jm · c

Jm ≡ c mod N


RSA one-time signature: security

Prime-e-RSA problem/assumption: like RSA problem andassumption, but with e chosen as prime between 2n and ϕ(N).(Asymptotically: RSA assumption⇒ prime-e-RSA assumption!)

Theorem 30:For every EUF-1-naCMA adversary A on Σ with runtime tA andsuccess probability εA, there is an adversary B on the prime-e-RSAassumption that computes x ∈ ZN with xe ≡ y mod N in timetB ≈ tA with success probability εB ≥ εA.


Shamir’s trick

Lemma 31:Let J, S ∈ ZN and e, f ∈ Z with

• gcd(e, f ) = 1

• J f ≡ Se mod N.

Then, given N ∈ Z und (J, S, e, f ) ∈ Z2N × Z2 it is possible to

efficiently compute x ∈ ZN with xe ≡ J mod N.

Proof: blackboard.


RSA one-time signatures: security

• Details: see blackboard.

• Overview:

CRSA B A

prime-e-RSA EUF-1-naCMA

N = P · Qe > 2n

y ← ZN

N, e, ym ∈ [0, 2n − 1]

Compute J, c,σ suitablypk = (N, e, J, c),σ

1

m∗ ,σ∗

x 2




• Overview:

CRSA B A


N = P · Qe > 2n

y ← ZN

N, e, y

m ∈ [0, 2n − 1]


1

m∗ ,σ∗

x 2




• Overview:

CRSA B A


N = P · Qe > 2n

y ← ZN

N, e, ym ∈ [0, 2n − 1]


1

m∗ ,σ∗

x 2


One-time signatures: current research

Example: Tightly Secure Signatures and Public-Key Encryption[HofJag12]

• One-time signatures⇒ many-time signatures⇒ public-keyencryption

• Special feature: security reduction scales to manyusers/instances without loss of reduction success


digital signaturesdigital signatures dennis hofheinz (slides based on slides by björn kaidel)...

Documents