Digital Signatures

Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung)

2020-03-31


Outline

Gennaro-Halevi-Rabin signatures

Chameleon hash functions


RSA signatures so far: issues

• Schemes so far: either inefficient, or only heuristic security (ROM)

• Goal (hard!): EUF-CMA-secure signature scheme based on RSA . . .
  – that is efficient (i.e., usable in practice)
  – whose security requires no random oracles.

• “Workaround”: Strong RSA assumption


Strong RSA assumption

RSA problem:

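• given $N$, $e$ and $y \leftarrow \mathbb{Z}_N$, find $x \in \mathbb{Z}_N$ with $x^e \equiv y \bmod N$.

RSA assumption:

• $\forall$ PPT $A$:

$$\Pr\left[ N = P \cdot Q,\ e \leftarrow \mathbb{Z}^*_{\varphi(N)},\ y \leftarrow \mathbb{Z}_N,\ x \leftarrow A(1^k, N, e, y) \;:\; x^e \equiv y \bmod N \right]$$

is negligible in $k$.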


Strong RSA assumption

Strong RSA problem:

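• given $N$ and $y \leftarrow \mathbb{Z}_N$, find $x \in \mathbb{Z}_N$, $e > 1$ with $x^e \equiv y \bmod N$.

Strong RSA assumption:

• $\forall$ PPT $A$:

$$\Pr\left[ N = P \cdot Q,\ y \leftarrow \mathbb{Z}_N,\ (x, e) \leftarrow A(1^k, N, y) \;:\; x^e \equiv y \bmod N \wedge e > 1 \right]$$

is negligible in $k$.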


Strong RSA: naming

• Strong RSA assumption is a stronger assumption than the RSA assumption
  – We give the adversary more control, so it is easier to win the game
  – We assume that it's still hard for the adversary to win

• But: strong RSA problem easier than RSA problem

Strong RSA assumption ⇒ RSA assumption, converse implication not obvious at all


Gennaro-Halevi-Rabin signatures

Let $h : \{0,1\}^* \to \mathbb{P}$ be a hash function ($\mathbb{P}$ = primes)

$\mathrm{Gen}(1^k)$:

• Choose $N = P \cdot Q$, $P, Q$ prime as with RSA

• $s \leftarrow \mathbb{Z}_N$

• We will assume $\forall m \in \{0,1\}^* : \gcd(h(m), \varphi(N)) = 1$
  – Can be enforced, e.g., by letting $h$ only output large primes

• $pk := (N, s, h)$

• $sk := (pk, \varphi(N)) = (pk, (P-1)(Q-1))$

$\mathrm{Sign}(sk, m)$:

• $\sigma := s^{1/h(m)} \bmod N$

$\mathrm{Vfy}(pk, m, \sigma)$: $\sigma^{h(m)} \stackrel{?}{\equiv} s \bmod N$
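The scheme above as a runnable toy, added here as an illustration and not taken from the slides. Assumptions: the hash-to-prime function `h` (truncated SHA-256 stepped to the next prime) and the 11-bit primes are constructed for the demo; `h` returns primes larger than $P$ and $Q$, which is how the $\gcd(h(m), \varphi(N)) = 1$ condition is enforced.

```python
import hashlib
import secrets
from math import isqrt

def is_prime(n):
    # Trial division; adequate for the toy sizes used here.
    return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))

def h(m, bits=24):
    """Toy hash into the primes (assumption, not from the slides):
    truncate SHA-256, force the top and low bit, then step to the next prime."""
    c = int.from_bytes(hashlib.sha256(m).digest(), "big") >> (256 - bits)
    c |= (1 << (bits - 1)) | 1
    while not is_prime(c):
        c += 2
    return c

def gen(P, Q, s=None):
    """Return (pk, phi) with pk = (N, s); h is the fixed function above."""
    N, phi = P * Q, (P - 1) * (Q - 1)
    if s is None:
        s = 2 + secrets.randbelow(N - 2)
    return (N, s), phi

def sign(pk, phi, m):
    N, s = pk
    # h(m) is a prime larger than P and Q, so gcd(h(m), phi(N)) = 1
    # and the exponent 1/h(m) mod phi(N) exists.
    d = pow(h(m), -1, phi)
    return pow(s, d, N)

def vfy(pk, m, sigma):
    N, s = pk
    return pow(sigma, h(m), N) == s

if __name__ == "__main__":
    pk, phi = gen(1019, 2039)      # constructed toy primes, far too small for real use
    msg = b"offer: 100$"
    sigma = sign(pk, phi, msg)
    print("h(m) =", h(msg), "sigma =", sigma)
    print("valid:", vfy(pk, msg, sigma))
    print("tampered:", vfy(pk, msg, (sigma + 1) % pk[0]))
```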


GHR signatures: security

Theorem 70: For every PPT $A$ that breaks the EUF-naCMA security of $\Sigma$ in time $t_A$ with success $\varepsilon_A$, there is a PPT $B$ that runs in time $t_B \approx t_A$ and which

• either breaks the collision-resistance of $h$ with success $\varepsilon_{coll} \geq \varepsilon_A/2$,

• or solves the strong RSA problem with success $\varepsilon_{sRSA} \geq \varepsilon_A/2$.


GHR signatures: proof

EUF-naCMA: Denote with $m_1, \dots, m_q$ the signature queries, and with $(m^*, \sigma^*)$ the forgery of $A$

Two possibilities:

• $E_0$: $A$ successful and there is an $m_i$ with $h(m_i) = h(m^*)$.

• $E_1$: $A$ successful and for all $i \in \{1, \dots, q\}$, we have $h(m_i) \neq h(m^*)$

Successful $A$ causes $E_0$ or $E_1$, hence

$$\varepsilon_A \leq \Pr[E_0] + \Pr[E_1] \;\Rightarrow\; \Pr[E_0] \geq \varepsilon_A/2 \text{ or } \Pr[E_1] \geq \varepsilon_A/2$$


GHR signatures: proof – event E0

$E_0$: There is an $m_i$ with $h(m_i) = h(m^*)$.

• $m_i$ and $m^*$ form an $h$-collision.

• Reduce to the collision-resistance of $h$.

• Reduction $B$ gets as input $h$, chooses $(pk, sk) \leftarrow \mathrm{Gen}(1^k)$, runs $A$, . . .


GHR signatures: proof – event E1

$E_1$: For all $i \in \{1, \dots, q\}$, we have $h(m_i) \neq h(m^*)$.

• Reduce to strong RSA assumption.

• Assume for contradiction: there is a PPT $A$ that breaks EUF-naCMA, . . .

• . . . construct $B$ that breaks strong RSA . . .

• $B$ gets as input $(N, y)$ and needs to find $(x, e)$ with
  – $e > 1$
  – $x^e \equiv y \bmod N$.


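GHR signatures: sRSA reduction

Recall:

$\mathrm{Gen}(1^k)$: $s \leftarrow \mathbb{Z}_N$, $pk := (N, s, h)$, $sk := (pk, \varphi(N))$

$\sigma = s^{1/h(m)} \bmod N$

• $B$ uses $(N, y)$ and sets up

$$s := y^{\prod_{i \in \{1,\dots,q\}} h(m_i)} \bmod N$$

($\gcd(h(m), \varphi(N)) = 1$ ensures that $s$ is “well-distributed”, i.e., uniform over $\mathbb{Z}_N$!)

• Signature for $m_j$:

$$\sigma_j := y^{\prod_{i \in \{1,\dots,q\} \setminus \{j\}} h(m_i)} \bmod N$$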


GHR signatures: sRSA reduction – forgery

$E_1$ occurs: $A$ outputs valid forgery $(m^*, \sigma^*)$ with

• $h(m^*) \neq h(m_i)$ for all $i \in \{1, \dots, q\}$, and

• $(\sigma^*)^{h(m^*)} \equiv s \equiv y^{\prod_{i \in \{1,\dots,q\}} h(m_i)} \bmod N$

Additionally, we have

$$\gcd\Big(h(m^*), \prod_{i \in \{1,\dots,q\}} h(m_i)\Big) = 1,$$

since $h$ maps to prime numbers, and since $E_1$ occurred.


GHR signatures: use Shamir’s trick

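$$(\sigma^*)^{h(m^*)} \equiv s \equiv y^{\prod_{i \in \{1,\dots,q\}} h(m_i)} \bmod N$$

Lemma 31: Let $J, S \in \mathbb{Z}_N$ and $e, f \in \mathbb{Z}$ with

• $\gcd(e, f) = 1$

• $J^f \equiv S^e \bmod N$.

Then, given $N \in \mathbb{Z}$ and $(J, S, e, f) \in \mathbb{Z}_N^2 \times \mathbb{Z}^2$, it is possible to efficiently compute $x \in \mathbb{Z}_N$ with $x^e \equiv J \bmod N$.

$$x^{h(m^*)} \equiv y \bmod N$$

Hence: $(x, h(m^*))$ is the desired sRSA solution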
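The reduction and Lemma 31 carried through on a toy instance, as an added example that is not part of the slides. Assumptions: the small primes in `QUERY_PRIMES` and `E_STAR` stand in for $h(m_1), \dots, h(m_q)$ and $h(m^*)$, the modulus and $y$ are constructed, and `forge_for_demo` plays the adversary $A$ by using $\varphi(N)$, which $B$ itself never touches.

```python
from math import prod

def egcd(a, b):
    """Return (g, u, v) with u*a + v*b == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, u, v = egcd(b, a % b)
    return g, v, u - (a // b) * v

def shamir_trick(N, J, S, e, f):
    """Lemma 31: given J^f == S^e (mod N) and gcd(e, f) == 1, return x with x^e == J."""
    g, a, b = egcd(e, f)                       # a*e + b*f == 1
    if g != 1 or pow(J, f, N) != pow(S, e, N):
        raise ValueError("preconditions of Lemma 31 not met")
    # x^e = J^(a*e) * S^(b*e) = J^(a*e) * J^(b*f) = J. A negative exponent
    # needs an invertible base mod N (Python >= 3.8 computes the inverse).
    return pow(J, a, N) * pow(S, b, N) % N

def simulate(N, y, primes):
    """B's view: s and the q signatures from (N, y) alone, without phi(N)."""
    total = prod(primes)
    s = pow(y, total, N)
    sigs = [pow(y, total // e_j, N) for e_j in primes]
    return s, sigs

# Constructed toy instance
P, Q = 1019, 2039
N, y = P * Q, 123456
QUERY_PRIMES = [101, 103, 107]   # stand in for h(m_1), ..., h(m_q)
E_STAR = 109                     # stands in for h(m*), distinct from all queries

def forge_for_demo(s):
    """Plays A. Uses phi(N) only so the demo has a valid forgery to hand to B."""
    return pow(s, pow(E_STAR, -1, (P - 1) * (Q - 1)), N)

def solve_srsa():
    s, sigs = simulate(N, y, QUERY_PRIMES)
    assert all(pow(sg, e_j, N) == s for sg, e_j in zip(sigs, QUERY_PRIMES))
    sigma_star = forge_for_demo(s)
    x = shamir_trick(N, y, sigma_star, E_STAR, prod(QUERY_PRIMES))
    return x, E_STAR             # x^E_STAR == y (mod N) and E_STAR > 1

if __name__ == "__main__":
    x, e = solve_srsa()
    print(f"x = {x}, e = {e}, x^e mod N = {pow(x, e, N)}, y = {y}")
```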


Goal: EUF-CMA from (non-strong) RSA

• In Chapter 4.4 of lecture notes (not here)

• There: construction of EUF-CMA signatures from RSA (no ROM!)

• Very high-level overview:
  – Show: GHR selectively secure under RSA assumption ($A$ needs to commit to all $m_i$ and $m^*$ before seeing $pk$)
  – Transformation: selective security → EUF-naCMA
  – Leads to EUF-naCMA-secure Hohenberger-Waters signatures
  – Transformation: EUF-naCMA → EUF-CMA
  – Result: compact signatures, not very efficient (like GHR)


Open problems

• Construction of efficient EUF-CMA secure signatures from RSA
  – Hohenberger-Waters not very efficient
  – Many exponentiations, need to find many primes

• Construction of compact EUF-CMA secure signatures from factoring assumption


Socrative

Self-checking with quizzes

• Use following URL: https://b.socrative.com/login/student

• . . . and enter room “HOFHEINZ8872”

• Will also be in chat (so you can click on link)

• No registration necessary

• First quiz (about the GHR signature scheme) starts now!


Chameleon signatures: motivation

[Figure: Customer, Dealer 1, Dealer 2; message labels: “Offer?”, “100$, $\sigma_1$”, “100$, $\sigma_1$”, “99$, $\sigma_2$”]


Chameleon signatures: goal

Question: can we construct a signature scheme, such that. . .

• . . . C can verify the authenticity of the offer from D1, but

• . . . C cannot convince D2 that the offer came from D1?


Chameleon hash functions (Definition)

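Def. (Chameleon hash function): A chameleon hash function CH consists of two PPT algorithms $(\mathrm{Gen}_{CH}, \mathrm{TrapColl}_{CH})$:

$\mathrm{Gen}_{CH}(1^k)$: outputs $(ch, \tau)$:

• $ch$ is a function $ch : \mathcal{M} \times \mathcal{R} \to \mathcal{N}$
  – $\mathcal{M}$ message space
  – $\mathcal{R}$ randomness space
  – $\mathcal{N}$ target space
  – $\mathcal{M}, \mathcal{R}, \mathcal{N}$ may depend on concrete CH!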

• τ is a trapdoor (or secret key).


Chameleon hash functions (Definition)

$\mathrm{TrapColl}_{CH}(\tau, m, r, m')$, for $(m, r, m') \in \mathcal{M} \times \mathcal{R} \times \mathcal{M}$, computes $r' \in \mathcal{R}$ with

$$ch(m, r) = ch(m', r')$$

• Owner of τ can compute collisions

• Hence the name “chameleon” hash function

• Output “changes preimage” (like a chameleon changes color)


Collision-resistance

Def. 39 (Collision-resistance for chameleon hash functions): A chameleon hash function $CH = (\mathrm{Gen}_{CH}, \mathrm{TrapColl}_{CH})$ is collision-resistant iff for all PPT $A$,

$$\Pr\left[ (ch, \tau) \leftarrow \mathrm{Gen}_{CH}(1^k),\ A(1^k, ch) = (m, r, m', r') \;:\; ch(m, r) = ch(m', r') \wedge (m, r) \neq (m', r') \right]$$

is negligible in $k$.


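Chameleon hashing based on DLog

As usual:

• $G$ group, $|G| = p$ prime, $g$ generator of $G$

$\mathrm{Gen}(1^k)$:

• $x \leftarrow \mathbb{Z}_p^*$

• $h := g^x$

• $ch := (g, h)$

• $\tau := x$

$ch$ defines function:

$$ch : \mathbb{Z}_p \times \mathbb{Z}_p \to G, \qquad ch(m, r) := g^m \cdot h^r$$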


Chameleon hashing based on DLog

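$$ch(m, r) = g^m \cdot h^r$$

$\mathrm{TrapColl}(\tau, m, r, m^*)$: Compute $r^*$ with

$$m + x \cdot r = m^* + x \cdot r^* \bmod p \;\Leftrightarrow\; r^* = \frac{m - m^*}{x} + r \bmod p$$

This implies:

$$ch(m, r) = g^m \cdot h^r = g^{m + xr} = g^{m^* + xr^*} = g^{m^*} \cdot h^{r^*} = ch(m^*, r^*)$$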


Chameleon hashing based on DLog – security

Theorem 40: For every PPT $A$ that, upon input $ch = (g, h) \leftarrow \mathrm{Gen}(1^k)$, outputs a tuple $(m, r, m^*, r^*)$ with $(m, r) \neq (m^*, r^*)$ and $ch(m, r) = ch(m^*, r^*)$ in time $t_A$ and with success $\varepsilon_A$, there exists a PPT $B$ that breaks the DLog problem in $G$ in time $t_B \approx t_A$ with success $\varepsilon_B \geq \varepsilon_A$.

Proof: Like proof of DLog-based one-time signatures (Theorem 28).
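The DLog-based construction and the link between collisions and the discrete log, as an added example that is not from the slides. Assumptions: the group is a constructed toy (the order-1019 subgroup of $\mathbb{Z}_{2039}^*$ with generator 4), and `extract_trapdoor` goes one step beyond the slides by writing out the algebra that turns any collision with $m \neq m^*$ into $x$, so a trapdoor holder who publishes one of their own collisions discloses $\tau$.

```python
import secrets

# Constructed toy group: q = 2p + 1 is a safe prime, g = 4 generates the
# subgroup of prime order p in Z_q^*. Far too small for real use.
q, p, g = 2039, 1019, 4

def gen():
    x = 1 + secrets.randbelow(p - 1)          # x <- Z_p^*
    return (g, pow(g, x, q)), x               # ch = (g, h), tau = x

def ch(key, m, r):
    g_, h = key
    return pow(g_, m % p, q) * pow(h, r % p, q) % q

def trap_coll(x, m, r, m_star):
    """r* = (m - m*)/x + r mod p, so that m + x*r == m* + x*r* (mod p)."""
    return ((m - m_star) * pow(x, -1, p) + r) % p

def extract_trapdoor(m, r, m_star, r_star):
    """From a collision with m != m* (mod p): x = (m - m*)/(r* - r) mod p."""
    dr = (r_star - r) % p
    if dr == 0:
        raise ValueError("r == r* forces m == m*: not a collision")
    return (m - m_star) * pow(dr, -1, p) % p

def demo():
    key, x = gen()
    m, r, m_star = 100, 555, 99               # the 100$ offer re-opened as 99$
    r_star = trap_coll(x, m, r, m_star)
    same = ch(key, m, r) == ch(key, m_star, r_star)
    leaked = extract_trapdoor(m, r, m_star, r_star) == x
    return same, leaked

if __name__ == "__main__":
    print("collision found, trapdoor recovered:", demo())
```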


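Chameleon hashing based on RSA

$\mathrm{Gen}(1^k)$:

• $N = P \cdot Q$, $P, Q$ prime

• Prime $e > 2N$ with $\gcd(e, \varphi(N)) = 1$

• $d = e^{-1} \bmod \varphi(N)$

• $J \leftarrow \mathbb{Z}_N$

• $ch := (N, e, J)$

• $\tau := d$

$$ch : \mathbb{Z}_N \times \mathbb{Z}_N \to \mathbb{Z}_N, \qquad ch(m, r) := J^m \cdot r^e \bmod N$$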


Chameleon hashing based on RSA

$$ch(m, r) := J^m \cdot r^e \bmod N$$

$\mathrm{TrapColl}(\tau, m, r, m^*)$: Compute $r^*$ as

$$r^* = (J^{m - m^*} \cdot r^e)^d \bmod N$$

$$ch(m, r) = J^m \cdot r^e \bmod N = J^{m^*} \cdot (r^*)^e \bmod N = ch(m^*, r^*)$$
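The RSA-based construction on a toy modulus, as an added example that is not from the slides. Assumptions: $P$, $Q$, $J$ and $e$ are constructed values, with $e$ chosen as a prime above $2N$ following the parameter line as it appears in this transcript; the case $m < m^*$ is included because it needs $J$ to be invertible mod $N$.

```python
from math import gcd, isqrt

# Constructed toy parameters, far too small for real use.
P, Q = 61, 53
N, PHI = P * Q, (P - 1) * (Q - 1)
E = 6469                                   # prime, larger than 2N = 6466
J = 1234                                   # public J in Z_N, invertible mod N

def check_params():
    e_is_prime = all(E % k for k in range(2, isqrt(E) + 1))
    return e_is_prime and E > 2 * N and gcd(E, PHI) == 1 and gcd(J, N) == 1

D = pow(E, -1, PHI)                        # trapdoor tau = d = e^-1 mod phi(N)

def ch(m, r):
    return pow(J, m, N) * pow(r, E, N) % N

def trap_coll(d, m, r, m_star):
    """r* = (J^(m - m*) * r^e)^d mod N.
    For m < m* the exponent is negative and Python (>= 3.8) uses J^-1 mod N."""
    inner = pow(J, m - m_star, N) * pow(r, E, N) % N
    return pow(inner, d, N)

def demo():
    m, r = 100, 777
    out = []
    for m_star in (99, 2500):              # one case with m > m*, one with m < m*
        r_star = trap_coll(D, m, r, m_star)
        out.append(ch(m, r) == ch(m_star, r_star))
    return out

if __name__ == "__main__":
    print("parameters ok:", check_params())
    print("collisions hold:", demo())
```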


Chameleon hashing based on RSA – security

Theorem 42: For every PPT $A$ that, upon input $(N, e, J)$, outputs a tuple $(m, r, m^*, r^*)$ with $(m, r) \neq (m^*, r^*)$ and $ch(m, r) = ch(m^*, r^*)$ in time $t_A$ and with success $\varepsilon_A$, there is a PPT $B$ that breaks the prime-$e$-RSA problem in time $t_B \approx t_A$ and with success $\varepsilon_B \geq \varepsilon_A$.

Proof: Like proof of RSA-based one-time signatures (Theorem 30).


Socrative

Self-checking with quizzes

• Use following URL: https://b.socrative.com/login/student

• . . . and enter room “HOFHEINZ8872”

• Will also be in chat (so you can click on link)

• No registration necessary

• Second quiz (about chameleon hash functions) starts now!
