Digital Signatures
Dennis Hofheinz (slides based on slides by Björn Kaidel)
Digital Signatures 2020-02-18 1
Outline
Logistics
Overview
Introduction
Definition
Security
Security experiments
Formal security definition
Relations among security definitions
Organization
• Lecture: Tuesdays, 10:00-12:00, ML E12
• Exam: oral, 15 minutes
• Contact: [email protected]
• Speaking hours: whenever my door (CAB H33.3) is open
• Website: todo
Supporting materials
• Lecture notes (German) by Tibor Jager: https://www.tiborjager.de/DigitaleSignaturen.pdf
• Book “Digital Signatures” by Jonathan Katz
• Slides (on website) and occasional whiteboard writeup
Overview
• What are (digital) signatures?
• Which security properties do we want from signatures?
• How do we construct and prove signatures?
• Outlook towards current research
Content
• Motivation/definitions
• One-time signatures → tree-based signatures
• RSA-based signatures
• Interlude: chameleon hashing
• Pairing-based signatures
• . . . (?)
Not here: “symmetric signatures” (MACs)
Motivation
• Goal: “Digital analogue of (physical) signatures.”
• What do we want to sign? Bitstrings from {0, 1}∗
• Examples: code/programs, websites, emails, . . .
• Technical goals:
– Authenticity: the document was actually signed by that person
– Integrity: the document has not been changed since signing (desirable, but not actually guaranteed by physical signatures)
What are signature schemes?
Informally:
• Asymmetric cryptographic mechanisms
• Every participant has a keypair (pk, sk)
• Secret key sk is used to sign (a message m); result: signature σ
• Public/verification key pk allows anyone to verify that σ is valid for m
Signatures are not . . .
Signatures are not encryption schemes
• Signatures do not hide m (use encryption for that)
Signatures are not public-key encryption “run in reverse”
• As in: signing = decrypting, verifying = encrypting
• Works (to some extent) for textbook RSA, but not for other schemes
Applications of signatures
Ideas?
• Program updates/apps
• E-commerce (signed websites)
• Certificates (digitally signed signature/encryption keys)
• Identity cards
• Building block in more complex cryptographic systems
• . . .
Definition: digital signature scheme
Def. 1: (Digital signature scheme)
A digital signature scheme is a tuple Σ = (Gen, Sign, Vfy) of probabilistic polynomial-time algorithms:
• Gen(1^k) → (pk, sk) (k ∈ ℕ is the security parameter → asymptotic definition)
• Sign(sk, m) → σ (with m ∈ {0, 1}*)
• Vfy(pk, m, σ) ∈ {0, 1} (intuitively: 1 iff σ is valid)
Correctness
Correctness: “The scheme works.”
Formally:
∀k ∀(pk, sk) ← Gen(1^k) ∀m : Vfy(pk, m, Sign(sk, m)) = 1.
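To make Def. 1 and the correctness condition concrete, here is a Lamport one-time signature scheme (one of the constructions announced in the outline) written out as the triple (Gen, Sign, Vfy) in Python. This is an added example, not code from the lecture: it hashes the message with SHA-256 before signing (assumed collision resistant) so that arbitrary-length m ∈ {0,1}* can be handled, and the function names gen/sign/vfy/correctness_check/tamper_rejected are my own.

```python
"""Lamport one-time signatures as an instance of Def. 1: Sigma = (Gen, Sign, Vfy).

Added example, not from the lecture slides. Messages m in {0,1}* are hashed
with SHA-256 first (assumption: collision resistant), so one key pair covers
the 256 bits of H(m)."""
import hashlib
import os

N_BITS = 256  # number of bits in H(m) = SHA-256(m)


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def gen(k: int = 32):
    """Gen(1^k): sk holds 2*N_BITS random k-byte preimages, pk their hashes."""
    sk = [[os.urandom(k), os.urandom(k)] for _ in range(N_BITS)]
    pk = [[H(x0), H(x1)] for x0, x1 in sk]
    return pk, sk


def _bits(digest: bytes):
    """Yield the bits of a digest, most significant bit of each byte first."""
    for byte in digest:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def sign(sk, m: bytes) -> list:
    """Sign(sk, m): for bit i of H(m) reveal the preimage sk[i][bit].
    ONE-TIME: every further signature under the same sk reveals more
    preimages, and the unforgeability argument only covers q = 1."""
    return [sk[i][b] for i, b in enumerate(_bits(H(m)))]


def vfy(pk, m: bytes, sigma) -> int:
    """Vfy(pk, m, sigma) in {0, 1}: each revealed preimage must hash to the
    committed value selected by the corresponding bit of H(m)."""
    if len(sigma) != N_BITS:
        return 0
    ok = all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sigma, _bits(H(m)))))
    return int(ok)


def correctness_check(trials: int = 20) -> bool:
    """Empirical check of Vfy(pk, m, Sign(sk, m)) = 1 for fresh keys and
    constructed random messages of growing length; a check, not a proof."""
    for length in range(trials):
        pk, sk = gen()
        m = os.urandom(length)
        if vfy(pk, m, sign(sk, m)) != 1:
            return False
    return True


def tamper_rejected(m: bytes = b"transfer 100 EUR to Alice") -> bool:
    """Sanity check: a signature on m does not verify on a modified m'.
    Necessary for unforgeability, nowhere near sufficient."""
    pk, sk = gen()
    sigma = sign(sk, m)
    return vfy(pk, m, sigma) == 1 and vfy(pk, m + b"0", sigma) == 0


if __name__ == "__main__":
    print("correctness:", correctness_check(), "tamper rejected:", tamper_rejected())
```

Note that the scheme is probabilistic only in Gen; Sign is deterministic here, so the correctness condition holds for every run, not just with overwhelming probability.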
Digital signatures: Soundness
Soundness: “The scheme is secure.”
Formally:
• What is security?
• We need a definition!
Security
• A concrete security definition combines two things:
– Adversarial capabilities
– Adversarial goal
• Now: overview
• Later: formal definitions
Adversarial capabilities
1 a) No-message attack (NMA)
• Adversary gets only pk
1 b) Non-adaptive chosen-message attack (naCMA)
• Adversary first chooses m1, ..., mq . . .
• . . . then obtains pk and signatures σ1, ..., σq
1 c) (Adaptive) chosen-message attack (CMA)
• Adversary gets pk, then chooses m1, ..., mq and obtains σ1, ..., σq adaptively (i.e., one mi at a time, so mi+1 may depend on pk and σ1, ..., σi)
Adversarial goals
General goal: forge/generate signatures
2 a) “Universal Unforgeability” (UUF)
• Adversary has to generate a valid signature for an externally given m
• m is chosen at random (not by the adversary!)
2 b) “Existential Unforgeability” (EUF)
• Adversary has to generate a valid signature for any message m not signed before
Security definition
Security definition ≙ adversarial goal + adversarial capabilities
Interesting combinations:
• EUF-CMA
• EUF-naCMA
Security experiments
Tool to formalize security definitions: security experiments
Interactive process between two parties:
• Adversary A
• Challenger C
• A plays against C
• A wins iff it reaches its goal.
EUF-CMA security experiment
Challenger C_EUF-CMA and adversary A:
• C runs (pk, sk) ← Gen(1^k) and sends pk to A.
• A sends signing queries mi and receives σi ← Sign(sk, mi) from C, one at a time (q = q(k) queries, q polynomial, depending on A).
• A outputs a forgery attempt (m*, σ*).
• C checks: Vfy(pk, m*, σ*) = 1 ∧ m* ∉ {m1, ..., mq}?
A wins iff Vfy(pk, m*, σ*) = 1 and m* ∉ {m1, ..., mq}
Why is A allowed arbitrary signing queries?
• Question: why is A allowed arbitrary signing queries?
• Answer: this yields a strong and universal (application-independent) definition: in a real attack, the adversary may obtain signatures on messages nobody foresaw.
Definition: EUF-CMA
Def. 2: (EUF-CMA)
A digital signature scheme Σ = (Gen, Sign, Vfy) is EUF-CMA secure iff for all PPT A, the function
Pr[A wins the EUF-CMA experiment] = Pr[A^{C_EUF-CMA}(pk) = (m*, σ*) : Vfy(pk, m*, σ*) = 1 ∧ m* ∉ {m1, ..., mq}]
is negligible (in k).
Definition: negligible
Def.: (Negligible)
A function negl : ℕ → [0, 1] is negligible iff
∀c ∈ ℕ ∃k0 ∈ ℕ ∀k ≥ k0 : negl(k) < 1/k^c.
Examples: 1/2^k and 1/k^{log k} are negligible, 1/k^2 is not. (For 1/k^{log k}: given c, take k0 > 2^c; then log k > c and hence k^{log k} > k^c for all k ≥ k0. For 1/k^2 the condition already fails for c = 2.)
UUF-NMA security experiment
Ideas?
Challenger C_UUF-NMA and adversary A:
• C runs (pk, sk) ← Gen(1^k) and picks m* ← {0, 1}^{p(k)} uniformly at random.
• C sends (pk, m*) to A; there are no signing queries.
• A outputs σ*.
• C checks: Vfy(pk, m*, σ*) = 1?
A wins iff Vfy(pk, m*, σ*) = 1
EUF-CMA⇒ UUF-NMA
Def. 4 (UUF-NMA):
A digital signature scheme Σ = (Gen, Sign, Vfy) is UUF-NMA secure iff for all PPT A,
Pr[A^{C_UUF-NMA}(pk, m*) = σ* : Vfy(pk, m*, σ*) = 1]
is negligible.
Theorem:
Let Σ = (Gen, Sign, Vfy) be a digital signature scheme. If Σ is EUF-CMA secure, then Σ is also UUF-NMA secure.
Proof: EUF-CMA⇒ UUF-NMA (1)
Proof outline
• Proofs (almost) always by reduction
• Way to view reductions: proof by contradiction
• Assume Σ is EUF-CMA secure, but not UUF-NMA secure.
• Then: ∃ PPT adversary A_UUF-NMA with non-negligible
Pr[A_UUF-NMA^{C_UUF-NMA}(pk, m*) = σ* : Vfy(pk, m*, σ*) = 1]
Proof: EUF-CMA⇒ UUF-NMA (2)
• Idea: use A_UUF-NMA to build a successful adversary A_EUF-CMA on the EUF-CMA security of Σ
• A_EUF-CMA usually uses A_UUF-NMA as a subroutine
• Existence of a (successful) A_EUF-CMA contradicts the assumed EUF-CMA security . . .
• . . . hence such an A_UUF-NMA cannot exist
Proof: EUF-CMA⇒ UUF-NMA (3)
Proof: whiteboard
Proof: EUF-CMA⇒ UUF-NMA (4)
Remark:
• A_EUF-CMA makes no signature queries . . .
• . . . hence we have actually shown
EUF-NMA ⇒ UUF-NMA
UUF-NMA: useful?
Question: how useful is UUF-NMA security?
Answer: later
EUF-naCMA security experiment
Challenger C_EUF-naCMA and adversary A:
• A first chooses m1, ..., mq (q = q(k) messages, q polynomial) and sends them to C.
• C runs (pk, sk) ← Gen(1^k) and ∀i : σi ← Sign(sk, mi); C sends pk, σ1, ..., σq to A.
• A outputs (m*, σ*).
• C checks: Vfy(pk, m*, σ*) = 1 ∧ m* ∉ {m1, ..., mq}?
A wins iff Vfy(pk, m*, σ*) = 1 and m* ∉ {m1, ..., mq}
Def.: Like Def. 2 (with the EUF-naCMA experiment)
Relations among security definitions
UUF-NMA  <  UUF-naCMA  <  UUF-CMA
   <           <            <
EUF-NMA  <  EUF-naCMA  <  EUF-CMA
(read “X < Y” as: Y is the stronger notion, i.e., Y security implies X security)
Generally:
• UUF < EUF
• NMA < naCMA < CMA
Proof by counterexample schemes (e.g., assume an EUF-naCMA secure scheme exists, and modify it such that it is still EUF-naCMA but not EUF-CMA secure)
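The security experiments (EUF-CMA, UUF-NMA), the reduction sketched for EUF-CMA ⇒ UUF-NMA and the "counterexample scheme" technique from the relations table, as one added Python example that is not part of the lecture material. The two schemes RevealKey and PublicHash are constructed, deliberately weak toys chosen to make the games end decisively, the adversary names are my own, and SHA-256 stands in for a hash function H that the comments assume to be preimage resistant.

```python
"""Security experiments from the slides (EUF-CMA, UUF-NMA), the reduction behind
EUF-CMA => UUF-NMA, and a counterexample scheme for NMA < CMA, as runnable code.

Added example, not from the lecture. Both schemes are constructed, deliberately
weak toys; SHA-256 stands in for a hash H assumed to be preimage resistant."""
import hashlib
import os


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class RevealKey:
    """Counterexample for NMA < CMA: pk = H(sk) and Sign simply outputs sk.
    Without signatures a forger must invert H on pk, but a single signing
    query (adaptive or not) hands over sk, so the scheme is not naCMA/CMA secure."""
    @staticmethod
    def gen(k):
        sk = os.urandom(k)
        return H(sk), sk
    @staticmethod
    def sign(sk, m):
        return sk  # sigma is the secret key itself
    @staticmethod
    def vfy(pk, m, sigma):
        return int(H(sigma) == pk)


class PublicHash:
    """Toy with no secret at all: sigma = H(m). Anybody can sign, so a winning
    UUF-NMA adversary exists; used to exercise the reduction below."""
    @staticmethod
    def gen(k):
        return b"", b""
    @staticmethod
    def sign(sk, m):
        return H(m)
    @staticmethod
    def vfy(pk, m, sigma):
        return int(sigma == H(m))


def euf_cma_experiment(scheme, adversary, k=32):
    """Challenger C_EUF-CMA: A gets pk plus an adaptive Sign(sk, .) oracle and
    outputs (m*, sigma*). Returns (A wins?, number of queries q)."""
    pk, sk = scheme.gen(k)
    queried = []

    def oracle(m):
        queried.append(m)
        return scheme.sign(sk, m)

    m_star, sigma_star = adversary(pk, oracle)
    win = scheme.vfy(pk, m_star, sigma_star) == 1 and m_star not in queried
    return win, len(queried)


def uuf_nma_experiment(scheme, adversary, k=32, p=32):
    """Challenger C_UUF-NMA: A gets pk and a uniformly random m* in {0,1}^p(k),
    no oracle, and must output sigma* with Vfy(pk, m*, sigma*) = 1."""
    pk, _sk = scheme.gen(k)
    m_star = os.urandom(p)
    return scheme.vfy(pk, m_star, adversary(pk, m_star)) == 1


def reduce_uuf_nma_to_euf_cma(uuf_adversary, p=32):
    """The reduction: A_EUF-CMA samples m* exactly as C_UUF-NMA would, runs
    A_UUF-NMA on (pk, m*) and forwards its sigma*. m* was never queried, so
    A_EUF-CMA wins whenever A_UUF-NMA does, and it makes zero signing queries
    (which is why the same argument already shows EUF-NMA => UUF-NMA)."""
    def euf_adversary(pk, _oracle):
        m_star = os.urandom(p)
        return m_star, uuf_adversary(pk, m_star)
    return euf_adversary


def key_reveal_attacker(pk, oracle):
    """EUF-CMA adversary against RevealKey: one query on any message yields sk,
    which verifies as a signature on every message, including a fresh one."""
    sk = oracle(b"harmless message")
    return b"pay the attacker", sk


def public_hash_uuf_attacker(pk, m_star):
    """UUF-NMA adversary against PublicHash: anyone can compute H(m*)."""
    return H(m_star)


def demo():
    """Run the three games once; returns (win, q) tuples and a bool."""
    reduced = reduce_uuf_nma_to_euf_cma(public_hash_uuf_attacker)
    return {
        "RevealKey, EUF-CMA": euf_cma_experiment(RevealKey, key_reveal_attacker),
        "PublicHash, UUF-NMA": uuf_nma_experiment(PublicHash, public_hash_uuf_attacker),
        "PublicHash, EUF-CMA via reduction": euf_cma_experiment(PublicHash, reduced),
    }


if __name__ == "__main__":
    for game, outcome in demo().items():
        print(f"{game}: {outcome}")
```

Each call runs a single instance of a game, so it can only exhibit an attack (a win with q queries) or a failed attempt; "secure" means the winning probability over all PPT adversaries is negligible in k, which no finite run can establish. The reduction wrapper is the part worth reading twice: it never touches the oracle, which is exactly the remark that the proof really gives EUF-NMA ⇒ UUF-NMA.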