Short Signatures Without Random Oracles and the SDH Assumption in

Bilinear Groups (Part 1.)Dan Boneh and Xavier BoyenJ. Cryptol. (2008) 21: 149–177

Presenter: Yu-Chi Chen

About this paper

• One of the authors, Dan Boneh, is a well-known researcher in the areas of applied cryptography.

• The previous version (Eurocrypt 2004), cite: 600+. This paper is a full one (J. Cryptol.).

• His website: http://crypto.stanford.edu/~dabo/

Summary

• Part 1: Background of the security proof• Part 2: Background of the security proof• Part 3: BB-weakly secure short signature

scheme with its security proof• Part 4: BB-full short signature scheme with its

security proof• Part 5: (undecided)

Outline

• Introduction• A simple signature scheme• Security analysis• Discussions• Conclusions

Introduction

• Cryptographic scheme

• Security argument vs. Security proof

• Before 2000 vs. After 2000.

• M. Bellare and P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols– in Proceedings of the 1st ACM conference on

Computer and communications security, 1993.– Cite: 2800+

ROM: Random oracle model

• An adversary can ask to “Oracle” for it’s queries.

• Oracle is like a function: H:{0,1}*→{0,1}k.– Ex: H(x) = y

• If the input, x, has been queried, Oracle will return the same value, y, as before.

ROM

• If the input, x, has never been queried, Oracle will randomly output y.

• The outputted values are uniform distribution.

Comments

• ROM vs. Standard model– Hardness assumptions– Attacks– Security goals– Efficiency

Comments

• Hardness assumptions:– The RSA problem (formal)– The variant RSA problem (informal)– The CDH problem (formal)–…

• Attacks– Chosen message attack– Adaptive chosen message attack–Weak chosen message attack– CPA, CCA, CCA-2,…

• Security goals– Existential unforgeability– Strong unforgeability–…

• Efficiency– Computation– Communication–…

Outline

• Introduction• A simple signature scheme• Security analysis• Discussions• Conclusions

Secure signature

• (BB-SS, page 3)• KeyGen: Outputs a random key pair (pk, sk).• Sign: Takes sk and a message M, then returns a

signature σ.• Verify: Takes pk and a signed message (σ ,

M), then returns valid or invalid.

Secure signature (cont.)

• (BB-SS, page 4)• The signature scheme is said to be correct if

the following property is satisfied.

.1]valid),,(VerifyPr[:),(Sign

(),KeyGen),(,~

MpkMsk

skpkMM

Signature scheme

• KeyGen:

• Sign:• Verify:

xskHeXgpk

gXGg

GHGGGex

:},,,{:

,

}1,0{:,:

1

1*

211

),(:

)(

MSignQ

MHQx

))(,(?),( MHXege

Outline

• Introduction• A simple signature scheme• Security analysis• Discussions• Conclusions

Existential unforgeability

• Existential unforgeability– Given n valid signatures of (M1,…,Mn), to output a

forged signature of M* where M* not in {M1,…,Mn}.

• We construct a security game to model an attack to forge a signature existentially.

Roles

• A: the adversary– Break the scheme–Win this game

• C: the challenger– Solve a hard problem– Be an oracle to respond A’s request.

Security game

• Setup• Attack• Forgery

Setup

Attack

Queries

ResponseAdversary Challenger

Adversary Challenger

Forgery

Forgery

Solve a hard problem

Computational Diffie-Hellman

• Given

• Compute

ba ggGg ,,1

abg

Security proof

• Setup:

• C returns pk to A.

},,,{:,

}1,0{:,:

1

1*

211

HeXgpkgXGg

GHGGGea

Security proof

• Setup• Attack:– H queries.– Sign queries.

• Forgery

H queries.

• A can query H(Mi).• C maintains H-table, <M, Q, α, c>.• If H(Mi) has been queried before, C will return

H(Mi) as before.

H queries.

• If not, C will randomly pick a coinwith Pr[ci=0]=1/qS.– If ci=0, C randomly chooses

and returns . – If ci=1, C randomly chooses

and returns .• Finally, C inserts (Mi, Qi, αi, ci) into H-table.

}1,0{ic

*Zqi ib

i gQ )(*Zqi

igQi

Sign queries.

• A can query a signature of a message Mi.• If the message Mi maps to ci=0 in H-table, C

will abort and terminate.• If not, C will compute the signature

where αi is from H-table.– σi is a valid signature without doubt.

iXi

Security proof

• Setup• Attack:• Forgery

Forgery

• A forges a signature σ* on M*.• If M* does not map to c*=0, C will abort and

terminate.• The forged signature is valid, whereas the

following equation holds.

• C can use A’s forgery to solve the CDH problem.

*

)(* abg

*1

*)( abg

Security proof

• We conclude that A wins this game if and only if C does not abort in Attack and Forgery.

• Two events are as follows.– E1: C does not abort in Attack such as Sign

queries.– E2: C does not abort in Forgery.

• Thus, we have– The probability of A winning this game is .– The probability of C winning this game is .

]Pr[]Pr[' 21 EE'

Outline

• Introduction• A simple signature scheme• Security analysis• Discussions• Conclusions

A new assumption

• According to the above proof, we can obtain a new assumption.

• Given

• Find a pair where

},{},...,,{,, 111

kk abbabba gggggGg

},{** abb gg },...,{ 1

*kbbb

Conclusions

• We give a simple signature scheme to introduce the security proof.