Realizing Hash and Sign Signatures under Standard Assumptions

Realizing Hash and Sign Signaturesunder Standard Assumptions

Susan Hohenberger Johns Hopkins

Brent Waters UT Austin

Digital SignaturesWhen, in thecourse of…

1976 Diffie-Hellman: dream of digital signatures

Digital SignaturesWhen, in the course of…

1976 Diffie-Hellman: dream of digital signatures1978 Rivest-Shamir-Adleman: first implementation

1adh84naf89hq32nvsd8puwqhevhphvdfp9ufew7u2rasdfohaqsedhfdasjf;

Signatures Today

“Hash-and-Sign” Signatures-- [RSA78, E84, S91, O92, BR93, PS96, GHR99, CS00, CL01, BLS04, BB04, CL04, W05, GJKW07, GPV08, ...]-- what practioners expect-- short signatures and short public keys

Tree-Based Signatures-- [GMR85, G86, M89, DN89, BM90, NY94, R90, CD95, CD96, ...]

Two classes:

Focus on ‘’Hash-and-Sign’’

Strong Assumptions-- Strong RSA [GHR99, CS00]-- q-Strong Diffie-Hellman [BB04]-- LRSW [CL04]

Random Oracle Model-- RSA [RSA78]-- Discrete logarithm [E84,S91]-- Lattices [GPV08]

Again, most things fall into two classes:

Our goal: Hash-and-sign from standardassumptions in the standard model.

Strong AssumptionsRSA Given (N,y,e), find the x s.t. y = xe mod N. Strong RSA Given (N,y), find any (x,e) s.t. e >1 and y = xe mod N.

Strong Assumptions

Computational Diffie-Hellman Given (g, ga, gb), find gab.q-Strong Diffie-Hellman Given (g, ga, ga^2, ..., ga^q), find any (c, g1/(a+c)) s.t. c >0.

RSA Given (N,y,e), find the x s.t. y = xe mod N. Strong RSA Given (N,y), find any (x,e) s.t. e >1 and y = xe mod N.

One AnomalyWaters Signatures [W05]

+ Short (signature = 2 group elements)+ Stateless+ Standard Model+ Secure under CDH assumption

- Public Key requires O(k) group elements, where k is a sec. parameter

Prior and New Contributions

W’05HW’09

PK Size Sig SizeO(k) 2

Short signatures from standard assumptions.Stateless?

CDHAssump.

CDHRSA

HW’09O(1)

834

nono

yes

Let k be the security parameter. Size in group elements (roughly).

Design from RSARSA: Given (N,y,e), find the x s.t. xe = y mod N.

Different exponent per signature [GHR,CS]

Problem: In proof, how can we force adversary to forge with exponent e?Space of ei‘s is exponential ) Strong RSAIf it was polynomial, we’d be all set.

For ith signature:•ei = random•ei = F(mi)

Design from RSARSA: Given (N,y,e), find the x s.t. xe = y mod N.

Problem: In proof, how can we force adversary to forge with exponent e?

Sign(SK, i, m)

Different exponent per signature [GHR,CS]For ith signature:•ei = random•ei = F(mi)•ei = F(i)

What if adversary forges on state

i=2163?

New StrategyProblem: must bound i in adversary’s forgery.

Let x = #signatures issuedType I: using state i* > 2lg(x).

Type II: using state i* <= 2lg(x).

New Idea: sign (m, i) and d lg(i) e

Adversary must forge sig on d lg(i*) e

i* must come from polynomial range 1 to 2lg(x) !

For security parameter 2K, only K distinct d lg(i) e

…But signer might need to sign with i* (solve with ChamHash).

Chameleon HashFormalized by Krawcyzk and Rabin in 2000.

H(m, r) 1. Collision-resistant i.e., hard to find (m,r) != (m’,r’) s.t. H(m,r) = H(m’,r’).

2. With trapdoor, given any y and m, can find r s.t. H(m,r) = y

Exist DL, RSA realizations

ConstructionSign(SK, i, m)• e = F(i). • Choose r, x = ChamHash(m,r).• s1 = (uxh)1/e mod N• s2 = lg(i)th square root of v mod N Sig= (s1, s2, r, i).

Proof idea: Type I: forgery i is “big” ) square roots ) factor N.

Type II: forgery i is “small” ) simulator can guess i) F(i) = e from RSA challenge .....

PK = (N, u, h, v, F, ChamHash), where F maps to primes.

Can “squish” s1, s2

Computational DH -- Overview

• Sigs ~ Boneh-Boyen IBE keys•Sign State; C.H. on master key

• No need to find primes!

VK = g ,ga, h, u, v,w 2 G (bilinear) + ChamHash Sign(SK, M, i) = (ux h)a ( ui vlg(i) w)t, gt

x = ChamHash(M,r) , t 2 Zp

Handling State•Timer: State = Machine Time --- Careful!

•Do not roll back•Always one tick

•Multiple Machines•Coordinate??•Machine k signs: i ¢ n +k

Better not to have state

Our ContributionsShort signatures with short keys with statein the standard model from:-- RSA-- Computational DH

State = a counter of # of sigs issued.

Thank you

BackgroundChameleon hashes exist under RSA, factoring and discrete log.

A signature scheme is secureif for all ppt A, the following is negligible:Full Definition [GMR88]Pr[ (PK,SK) <- KeyGen(1k), (m,s) <- AOsk(PK) :Verify(PK,m,s)=1 andm not queried to signing oracle Osk].Weak Definition [...,BB04]Pr[ (m1, ..., mq) <- A(1k), (PK,SK) <- KeyGen(1k), si=Sign(SK, mi), (m,s) <- A(PK, s1, ..., sq) :Verify(PK,m,s)=1 and m not equal to m1, ..., mq].

Theorem [...,ST01]: Weak Sig Scheme + Chameleon Hash = Full Sig Scheme.

Digital SignaturesAlgorithmsKeyGen(1k) --> (PK, SK).Sign(SK, m) --> s.Verify(PK, m, s) --> 1/0.

Dear UT,Happy April!

--JohnDefinition [GMR88]A signature scheme is secureif for all ppt A, the following is negligible:Pr[ (PK,SK) <- KeyGen(1k), (m,s) <- AOsk(PK) :Verify(PK,m,s)=1 andm not queried to signing oracle Osk].

Digital SignaturesAlgorithmsKeyGen(1k) --> (PK, SK).Sign(SK, m) --> s.Verify(PK, m, s) --> 1/0.

When, in thecourse of…

1976 Diffie-Hellman: dream of digital signatures

Digital SignaturesAlgorithmsKeyGen(1k) --> (PK, SK).Sign(SK, m) --> s.Verify(PK, m, s) --> 1/0.

When, in the course of…

1976 Diffie-Hellman: dream of digital signatures1978 Rivest-Shamir-Adleman: first implementation

1adh84naf89hq32nvsd8puwqhevhphvdfp9ufew7u2rasdfohaqsedhfdasjf;

Design from RSARSA: Given (N,y,e), find the x s.t. xe = y mod N.

Problem: In proof, how can we force adversary to forge with exponent e?

Signer will use different exponent for each sig.For ith signature, perhapsei is chosen at random, orei is derived from the message mi,ei is derived from the signer’s state i.

Sign(SK, i, m)

Construction #1PK = (N, u, h, v, F, ChamHash), where F maps to primes. Sign(SK, i, m):1. Increment i := i+1.2. Compute e = F(i). 3. Choose random r, compute x = ChamHash(m,r).4. Compute s1 = (uxh)1/e mod N,

s2 = lg(i)th square root of v mod N.5. Output signature (s1, s2, r, i).

Verify(PK, m, s): straightforward.

Type I: using state i* > 2lg(x).

Type II: using state i* <= 2lg(x).

Let x = # signatures

New StrategyProblem: must bound i in adversary’s forgery.New Idea: sign ( m, i ) and dlg(i)e.