Digital Signatures
Dennis Hofheinz (slides based on slides by Björn Kaidel)
Digital Signatures 2020-03-03 1
Outline
Why assumptions?
Efficient one-time signatures
Recap: Lamport
• EUF-1-CMA secure
• Requires only one-way function (weak assumption)
• Not very efficient
– Many evaluations of one-way function
– Large keys
Uselessness of UUF-NMA (not in lecture notes)
Use one-way function $f$ to construct a UUF-NMA secure signature scheme:
• $\mathrm{Gen}(1^k)$: $sk \leftarrow \{0,1\}^k$, $pk = f(sk)$
• $\mathrm{Sign}(sk, m) = sk$
• $\mathrm{Vfy}(pk, m, \sigma)$: $f(\sigma) \stackrel{?}{=} pk$
• Actually EUF-NMA secure...
• ... but useless (message-independent signatures)
Why assumptions? (not in lecture notes)
We made assumptions so far to construct signature schemes:
• Existence of collision-resistant hash functions
• Existence of one-way functions
• More to come...
Why make assumptions in the first place?
Why assumptions? (2) (not in lecture notes)
Theorem: Let $\Sigma = (\mathrm{Gen}, \mathrm{Sign}, \mathrm{Vfy})$ be a UUF-NMA secure signature scheme. Then $P \neq NP$.
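Proof: $\exists$ UUF-NMA $\Rightarrow P \neq NP$ (not in lecture notes)
• Consider the language
$L_\Sigma = \{(pk, m, \sigma') : \exists \sigma \text{ s.t. } \sigma' \text{ is a prefix of } \sigma \text{ and } \mathrm{Vfy}(pk, m, \sigma) = 1\}$
• We have $L_\Sigma \in NP$ (witness: $\sigma$)
• Assume for contradiction that $P = NP$. Then $\exists B$ that decides $L_\Sigma$ in polynomial time.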
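Proof: $\exists$ UUF-NMA $\Rightarrow P \neq NP$ (2) (not in lecture notes)
$L_\Sigma = \{(pk, m, \sigma') : \exists \sigma \text{ s.t. } \sigma' \text{ is a prefix of } \sigma \text{ and } \mathrm{Vfy}(pk, m, \sigma) = 1\}$.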
UUF-NMA adversary from B:
• Use B to find σ given m, pk (bit-by-bit search)
• Signatures are short, hence runtime is polynomial
• Always finds valid σ
Hence: $P = NP$ implies that $\Sigma$ is not UUF-NMA secure. (Contradiction.)
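The bit-by-bit search from the proof, as an added example that is not part of the original slides. It runs against the message-independent toy scheme shown earlier; the truncated SHA-256 standing in for f, the fixed 10-bit signature length and the brute-force decider are assumptions made so the code runs (under P = NP the decider would be polynomial time).

```python
import hashlib
from itertools import product

L = 10  # constructed toy signature length in bits

def f(bits: str) -> str:
    """Stand-in for the one-way function f (assumption): truncated SHA-256."""
    return hashlib.sha256(bits.encode()).hexdigest()[:8]

def vfy(pk: str, m: str, sigma: str) -> bool:
    """Vfy of the toy scheme: accept iff f(sigma) == pk; m is ignored."""
    return len(sigma) == L and f(sigma) == pk

def decide_L(pk: str, m: str, prefix: str) -> bool:
    """Decider B for L_Sigma: is `prefix` a prefix of some valid signature?
    Implemented by exhaustive search here, since no fast decider is known."""
    rest = L - len(prefix)
    return any(vfy(pk, m, prefix + "".join(t)) for t in product("01", repeat=rest))

def find_signature(pk: str, m: str, decide=decide_L):
    """Search-to-decision: grow a valid prefix one bit per decider call."""
    prefix, calls = "", 0
    for _ in range(L):
        calls += 1
        # Invariant: prefix extends to a valid signature, so if prefix+"0"
        # does not, prefix+"1" must.
        prefix += "0" if decide(pk, m, prefix + "0") else "1"
    return prefix, calls
```

The search makes exactly L decider calls, which is why short signatures keep the adversary's runtime polynomial.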
Discrete-log-based one-time signatures
Setting:
• Cyclic group G = 〈g〉 of prime order |G| = p
• G may (should) depend on security parameter (we usually do not make this explicit)
DLog problem/assumption
DLog problem:
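• Given generator $g$ and $y \leftarrow G$, find $x \in \mathbb{Z}_p$ with $g^x = y$.
DLog assumption:
• $\forall$ PPT $A$:
$$\Pr\left[\, x \leftarrow \mathbb{Z}_p,\ x' \leftarrow A(1^k, g, g^x) : x' = x \,\right] \text{ is negligible.}$$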
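DLog one-time signature
$\Sigma = (\mathrm{Gen}, \mathrm{Sign}, \mathrm{Vfy})$ with message space $\mathbb{Z}_p$:
• $\mathrm{Gen}(1^k)$: $x \leftarrow \mathbb{Z}_p^*$, $\omega \leftarrow \mathbb{Z}_p$, $h := g^x$, $c := g^\omega$, $pk = (g, h, c)$, $sk = (x, \omega)$
• $\mathrm{Sign}(sk, m)$: $\sigma = \frac{\omega - m}{x}$
• $\mathrm{Vfy}(pk, m, \sigma)$: $c \stackrel{?}{=} g^m h^\sigma$
Correctness:
$g^m h^\sigma = g^{m + x\sigma} = g^{m + x \cdot \frac{\omega - m}{x}} = g^\omega = c$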
DLog one-time signature: security
Theorem 28: For every EUF-1-naCMA adversary $A$ on $\Sigma$ with runtime $t_A$ and success probability $\varepsilon_A$, there is an adversary $B$ on the DLog problem in $G$ that runs in time $t_B \approx t_A$ and has success probability $\varepsilon_B \geq \varepsilon_A$.
DLog one-time signature: security
• Details: blackboard.
• Overview:
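Message flow between the challenger $C_{\mathrm{DLog}}$ (DLog problem), the reduction $B$, and the adversary $A$ (EUF-1-naCMA):
– $C_{\mathrm{DLog}}$: $x \leftarrow \mathbb{Z}_p$, $h := g^x$
– $C_{\mathrm{DLog}} \to B$: $g, h$
– $A \to B$: $m \in \mathbb{Z}_p$
– $B$: compute $c, \sigma$ suitably
– $B \to A$: $pk = (g, h, c)$, $\sigma$
– $A \to B$: $m^*, \sigma^*$
– $B \to C_{\mathrm{DLog}}$: $x$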
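The scheme and the reduction's two steps in code, as an added example that is not part of the original slides. The slides leave "compute c, σ suitably" to the blackboard; the choice used here (pick σ first, then set c := g^m h^σ) is the standard one and is an assumption about the lecture's proof, as are the toy group parameters and the function names.

```python
import secrets

# Constructed toy group: order-p subgroup of Z_q^*, q = 2p + 1 (far too small for real use)
q, p, g = 2039, 1019, 4

def gen():
    x = 1 + secrets.randbelow(p - 1)                 # x <- Z_p^*
    w = secrets.randbelow(p)                         # omega <- Z_p
    return (g, pow(g, x, q), pow(g, w, q)), (x, w)   # pk = (g, h, c), sk = (x, omega)

def sign(sk, m):
    x, w = sk
    return (w - m) * pow(x, -1, p) % p               # sigma = (omega - m) / x mod p

def vfy(pk, m, sigma):
    gg, h, c = pk
    return c == pow(gg, m, q) * pow(h, sigma, q) % q  # c ?= g^m h^sigma

def simulate(h, m):
    """Reduction B: build pk and a signature on m without knowing x.
    sigma is uniform and x != 0, so c = g^(m + x*sigma) is uniform as in Gen."""
    sigma = secrets.randbelow(p)
    c = pow(g, m, q) * pow(h, sigma, q) % q
    return (g, h, c), sigma

def extract(m, sigma, m_star, sigma_star):
    """A forgery gives g^m h^sigma = g^m* h^sigma*, i.e.
    m + x*sigma = m* + x*sigma* (mod p), so x = (m - m*) / (sigma* - sigma)."""
    return (m - m_star) * pow((sigma_star - sigma) % p, -1, p) % p
```

The same equation applies to two honest signatures under one key, which is why a key pair must be discarded after signing a single message.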
One-time signatures based on RSA
Setting:
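• $N = P \cdot Q$, for large primes $P, Q$
• $\varphi(N) = (P - 1)(Q - 1) = |\mathbb{Z}_N^*|$
• Choose $e \in \mathbb{N}$ uniformly between 1 and $\varphi(N)$ with $\gcd(e, \varphi(N)) = 1$.
• Then $d \in \mathbb{N}$ with $e \cdot d \equiv 1 \bmod \varphi(N)$ can be found efficiently from $\varphi(N)$ and $e$.
• For $x \in \mathbb{Z}_N$, we have $x^{e \cdot d} \equiv x \bmod N$.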
RSA problem/assumption
RSA problem:
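• Given $N, e$ as above and $y \leftarrow \mathbb{Z}_N$, find $x \in \mathbb{Z}_N$ with $x^e \equiv y \bmod N$.
RSA assumption:
• $\forall$ PPT $A$:
$$\Pr\left[\, N, e \text{ as above},\ y \leftarrow \mathbb{Z}_N,\ x \leftarrow A(1^k, N, e, y) : x^e = y \bmod N \,\right] \text{ is negligible.}$$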
RSA one-time signature
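$\Sigma = (\mathrm{Gen}, \mathrm{Sign}, \mathrm{Vfy})$ with message space $\{0, \ldots, 2^n - 1\}$:
$\mathrm{Gen}(1^k)$:
• choose primes $P, Q$, set $N := P \cdot Q$
• uniformly choose prime $e$ with $2^n < e < \varphi(N)$ (and $\gcd(e, \varphi(N)) = 1$)
• $d := e^{-1} \bmod \varphi(N)$
• $J, c \leftarrow \mathbb{Z}_N$
• $pk = (N, e, J, c)$
• $sk = d$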
RSA one-time signature: Sign & Vfy
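$pk = (N, e, J, c)$, $sk = d = e^{-1} \bmod \varphi(N)$
$\mathrm{Sign}(sk, m)$: $\sigma \equiv \left(\frac{c}{J^m}\right)^d \bmod N$
$\mathrm{Vfy}(pk, m, \sigma)$: $c \stackrel{?}{\equiv} J^m \sigma^e \bmod N$
Correctness:
$J^m \sigma^e \equiv J^m \left(\frac{c}{J^m}\right)^{e \cdot d} \equiv J^m \cdot \frac{c}{J^m} \equiv c \bmod N$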
RSA one-time signature: security
Prime-e-RSA problem/assumption: like RSA problem and assumption, but with $e$ chosen as prime between $2^n$ and $\varphi(N)$. (Asymptotically: RSA assumption $\Rightarrow$ prime-e-RSA assumption!)
Theorem 30: For every EUF-1-naCMA adversary $A$ on $\Sigma$ with runtime $t_A$ and success probability $\varepsilon_A$, there is an adversary $B$ on the prime-e-RSA assumption that computes $x \in \mathbb{Z}_N$ with $x^e \equiv y \bmod N$ in time $t_B \approx t_A$ with success probability $\varepsilon_B \geq \varepsilon_A$.
Shamir’s trick
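Lemma 31: Let $J, S \in \mathbb{Z}_N$ and $e, f \in \mathbb{Z}$ with
• $\gcd(e, f) = 1$
• $J^f \equiv S^e \bmod N$.
Then, given $N \in \mathbb{Z}$ and $(J, S, e, f) \in \mathbb{Z}_N^2 \times \mathbb{Z}^2$, it is possible to efficiently compute $x \in \mathbb{Z}_N$ with $x^e \equiv J \bmod N$.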
Proof: blackboard.
RSA one-time signatures: security
• Details: see blackboard.
• Overview:
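Message flow between the challenger $C_{\mathrm{RSA}}$ (prime-e-RSA), the reduction $B$, and the adversary $A$ (EUF-1-naCMA):
– $C_{\mathrm{RSA}}$: $N = P \cdot Q$, $e > 2^n$, $y \leftarrow \mathbb{Z}_N$
– $C_{\mathrm{RSA}} \to B$: $N, e, y$
– $A \to B$: $m \in [0, 2^n - 1]$
– $B$: compute $J, c, \sigma$ suitably
– $B \to A$: $pk = (N, e, J, c)$, $\sigma$
– $A \to B$: $m^*, \sigma^*$
– $B \to C_{\mathrm{RSA}}$: $x$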
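The RSA one-time signature, Shamir's trick (Lemma 31) and the reduction above in code, as an added example that is not part of the original slides. Both proofs are left to the blackboard, so the extended-Euclid form of the trick and the simulation (J := y, σ chosen first, c := J^m σ^e) are the standard arguments and are assumptions about the lecture's proofs. The toy parameters and function names are also assumptions, and J, c, σ are sampled as units so that the divisions are defined.

```python
import secrets
from math import gcd

P, Q, n, e = 1009, 1013, 4, 17   # constructed toy parameters; e prime, 2^n < e
N, phi = P * Q, (P - 1) * (Q - 1)

def rand_unit():
    """Sample from Z_N^* so that division mod N is always defined."""
    while True:
        r = secrets.randbelow(N)
        if gcd(r, N) == 1:
            return r

def gen():
    return (N, e, rand_unit(), rand_unit()), pow(e, -1, phi)  # pk = (N, e, J, c), sk = d

def sign(pk, d, m):
    _, _, J, c = pk
    return pow(c * pow(J, -m, N) % N, d, N)           # sigma = (c / J^m)^d mod N

def vfy(pk, m, sigma):
    _, _, J, c = pk
    return c == pow(J, m, N) * pow(sigma, e, N) % N   # c ?= J^m sigma^e mod N

def shamir_trick(N, J, S, e, f):
    """Lemma 31: from J^f = S^e (mod N) and gcd(e, f) = 1, return x with x^e = J."""
    a = pow(e, -1, abs(f))       # a*e = 1 (mod |f|), exists because gcd(e, f) = 1
    b = (1 - a * e) // f         # exact division, so a*e + b*f = 1
    return pow(J, a, N) * pow(S, b, N) % N            # x^e = J^(a*e) * J^(f*b) = J

def simulate(y, m):
    """Reduction B: embed the challenge as J := y and choose sigma first."""
    sigma = rand_unit()
    return (N, e, y, pow(y, m, N) * pow(sigma, e, N) % N), sigma

def extract(pk, m, sigma, m_star, sigma_star):
    """Forgery: J^m sigma^e = J^m* sigma*^e, so J^(m - m*) = (sigma*/sigma)^e.
    0 < |m - m*| < 2^n < e with e prime gives gcd(e, m - m*) = 1."""
    S = sigma_star * pow(sigma, -1, N) % N
    return shamir_trick(N, pk[2], S, e, m - m_star)
```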
One-time signatures: current research
Example: Tightly Secure Signatures and Public-Key Encryption [HofJag12]
• One-time signatures ⇒ many-time signatures ⇒ public-key encryption
• Special feature: security reduction scales to many users/instances without loss of reduction success