Digital Signatures
Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung)
Digital Signatures 2020-04-07

Outline
• Chameleon Signatures
• CH functions are one-time signatures
• sEUF-CMA from chameleon hashing
Chameleon signatures: motivation (recap)
[Diagram: the Customer asks Dealer 1 "Offer?" and receives (100$, σ_1); the Customer shows (100$, σ_1) to Dealer 2, who answers with (99$, σ_2).]
Chameleon signatures: goal (recap)
Question: can we construct a signature scheme such that ...
• ... C can verify the authenticity of the offer from D1, but
• ... C cannot convince D2 that the offer came from D1?
Chameleon hash functions (Definition, recap)
A chameleon hash function CH consists of two PPT algorithms (GenCH, TrapCollCH):
• GenCH(1^k) outputs ch : M × R → N and a trapdoor τ
• TrapCollCH(τ, m, r, m′), for (m, r, m′) ∈ M × R × M, computes r′ ∈ R with
ch(m, r) = ch(m′, r′)
CH is collision-resistant iff for all PPT A,
$$\Pr\left[ (ch, \tau) \leftarrow \mathsf{GenCH}(1^k),\; A(1^k, ch) = (m, r, m', r') \;:\; ch(m, r) = ch(m', r') \wedge (m, r) \neq (m', r') \right]$$
is negligible in k.
Sign(sk, m, ch): (ch is CH function of receiver)
• r ← R, ch(m, r) =: y
• σ′ := Sign′(sk, y)
• σ := (σ′, r)
Vfy(pk, m, σ, ch):
• Vfy′(pk, ch(m, r), σ′) ?= 1
EUF-CMA for chameleon signatures
Experiment between challenger C_EUF-CMA and adversary A:
• C runs (pk, sk) ← Gen(1^k) and (ch, τ) ← GenCH(1^k) and sends pk, ch to A
• q adaptive queries: A sends m_i, C replies with σ_i ← Sign(sk, m_i, ch)
• A outputs m*, σ*
• C checks: Vfy(pk, m*, σ*, ch) = 1 ∧ m* ∉ {m_1, ..., m_q}?
A wins iff Vfy(pk, m*, σ*, ch) = 1 and m* ∉ {m_1, ..., m_q}
Question: is this notion “strong enough”?
Chameleon signatures: security (not in notes)
Question: is this notion “strong enough”?
Answer: no!
• Not realistic: adversary has “no control” over CH function in signing queries (recall: CH function of receiver should be used)
• Such control could help forging signatures
• Realistic adversary might choose/use own CH function
Attack in case of DLog-based CH (not in notes)
Suppose A can choose CH function for signature queries:
• DLog-based CH used (ch(m, r) = g^m · h^r)
• A receives ch = (g, h) from challenger
• A chooses ch_A := (g^a, h), (a ≠ 1 chosen by A)
– Valid CH function (A need not prove knowledge of trapdoor)!
• A queries signature of m under ch_A and obtains σ = (σ′, r).
Attack in case of DLog-based CH (not in notes)
• Then:
1 = Vfy(pk, m, σ = (σ′, r), ch_A)
  = Vfy′(pk, ch_A(m, r), σ′)
  = Vfy′(pk, ch(a · m, r), σ′)
  = Vfy(pk, a · m, σ, ch)
• Since a ≠ 1, we have m ≠ a · m
• Hence, (a · m, σ) is a valid forgery under ch
Note: similar attack possible with RSA-based CH function
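Added example (not part of the original slides): the attack above replayed in Python on a toy group, showing that one signing query under ch_A = (g^a, h) yields a signature that verifies for a · m under the receiver's ch. The parameters P, Q, G, the Schnorr-style stand-in for Σ′ and all function names are assumptions made for this illustration.

```python
import hashlib
import secrets

# Toy group, constructed for illustration: P = 2Q + 1, G has prime order Q.
P, Q, G = 2039, 1019, 4

def ch(key, m, r):
    """DLog-based chameleon hash ch(m, r) = g^m * h^r mod P, key = (g, h)."""
    g, h = key
    return pow(g, m, P) * pow(h, r, P) % P

def hash_to_zq(R, y):
    return int.from_bytes(hashlib.sha256(f"{R}|{y}".encode()).digest(), "big") % Q

def sign_inner(sk, y):
    """Stand-in for Sign' (assumption): Schnorr signature on the hash value y."""
    k = secrets.randbelow(Q - 1) + 1
    e = hash_to_zq(pow(G, k, P), y)
    return e, (k + sk * e) % Q

def vfy_inner(pk, y, sig):
    e, s = sig
    R = pow(G, s, P) * pow(pk, Q - e, P) % P   # g^s * pk^(-e), pk has order Q
    return e == hash_to_zq(R, y)

def sign(sk, m, ch_key):
    """Chameleon signature: sigma = (Sign'(sk, ch(m, r)), r) for random r."""
    r = secrets.randbelow(Q)
    return sign_inner(sk, ch(ch_key, m, r)), r

def vfy(pk, m, sigma, ch_key):
    inner, r = sigma
    return vfy_inner(pk, ch(ch_key, m, r), inner)

def demo_forgery(a=5, m=123):
    sk = secrets.randbelow(Q - 1) + 1          # signer's key pair
    pk = pow(G, sk, P)
    h = pow(G, secrets.randbelow(Q - 1) + 1, P)
    ch_key = (G, h)                            # receiver's CH function (g, h)
    ch_a = (pow(G, a, P), h)                   # adversary's choice (g^a, h)
    sigma = sign(sk, m, ch_a)                  # one signing query under ch_A
    forged_m = a * m % Q                       # exponents live mod Q; needs m != 0
    return forged_m != m, vfy(pk, m, sigma, ch_a), vfy(pk, forged_m, sigma, ch_key)

if __name__ == "__main__":
    print(demo_forgery())
```

The forgery works without touching Σ′: the inner signature covers only the hash value y, and ch_A(m, r) and ch(a · m, r) are the same group element.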
EUF-CMA for chameleon sigs (not in notes)
EUF-CMA variant 1
Experiment between challenger C_EUF-CMA and adversary A:
• C runs (pk, sk) ← Gen(1^k) and (ch, τ) ← GenCH(1^k) and sends pk, ch to A
• q adaptive queries: A sends (m_i, ch_i) instead of m_i; C replies with σ_i ← Sign(sk, m_i, ch_i) instead of σ_i ← Sign(sk, m_i, ch)
• A outputs m*, σ*
• C checks: Vfy(pk, m*, σ*, ch) = 1 ∧ m* ∉ {m_1, ..., m_q}?
A wins iff Vfy(pk, m*, σ*, ch) = 1 and m* ∉ {m_1, ..., m_q}
EUF-CMA for chameleon sigs (not in notes)
EUF-CMA variant 2
Experiment between challenger C_EUF-CMA and adversary A:
• C runs (pk, sk) ← Gen(1^k) and (ch, τ) ← GenCH(1^k) and sends pk, ch to A
• q adaptive queries: A sends (m_i, ch_i) instead of m_i; C replies with σ_i ← Sign(sk, m_i, ch_i) instead of σ_i ← Sign(sk, m_i, ch)
• A outputs m*, σ*
• C checks: Vfy(pk, m*, σ*, ch) = 1 ∧ m* ∉ {m_1, ..., m_q}?
A wins iff Vfy(pk, m*, σ*, ch) = 1 and m* ∉ {m_1, ..., m_q}
EUF-CMA
• In the following: only variant 1
• Variant 2 also achievable, but a little more difficult (need to make signatures depend on used CH)
Chameleon signatures: security
Theorem 45:
For every PPT adversary A(pk, ch) that breaks the EUF-CMA security of Σ in time $t_A$ with success $\varepsilon_A$, there is a PPT adversary B that runs in time $t_B \approx t_A$ and ...
• breaks the collision resistance of ch with success $\varepsilon_{ch} \geq \varepsilon_A / 2$,
• or breaks the EUF-naCMA security of Σ′ with probability $\varepsilon' \geq \varepsilon_A / 2$.
Chameleon signatures: proof
EUF-CMA:
Let m_1, ..., m_q be A’s queries, σ_i = (σ′_i, r_i) the replies, and (m*, σ* = (σ′*, r*)) A’s forgery
Two events:
• E0: There is an i with ch(m_i, r_i) = ch(m*, r*).
• E1: For all i ∈ {1, ..., q}, we have ch(m_i, r_i) ≠ ch(m*, r*).
• E0: reduction to collision-resistance of CH
– As usual, no surprises
• E1: reduction to EUF-naCMA security of Σ′
– Also straightforward, details on next slide
Proof strategy to bound Pr[E1]
• Overview (B sits between the Σ′-challenger C_Σ′ and A):
– B sends m′_1, ..., m′_q to C_Σ′
– C_Σ′ sends pk′ to B
– B generates (ch, τ) and sends (pk := pk′, ch) to A
– A queries m_i; B generates a signature σ_i for m_i (choose r_i, generate Σ′-signature for ch(m_i, r_i)) and returns σ_i
– A outputs (m*, σ*)
– B extracts a Σ′-forgery (m′*, σ′*) and sends (m′*, σ′*) to C_Σ′
• Need to fill in details
Proof strategy to bound Pr[E1]
• How to sign m_i for A
– Need to choose r_i, then Σ′-sign ch(m_i, r_i)
– Problem: no Σ′-signing oracle (m′_i chosen in advance)
– Solution: use τ to generate r_i with ch(m_i, r_i) = m′_i
– This requires setting up m′_i := ch(M_i, R_i) for arbitrary M_i and random R_i in advance
• How to extract a Σ′-forgery from (m*, σ*)
– σ* = (σ′*, r*) with σ′* a valid signature for m′* = ch(m*, r*)
– E1 implies that m′* ≠ m′_i for all i
– Hence, (m′*, σ′*) is a valid Σ′-forgery
CH functions are one-time signatures
• Previously: constructions of CH functions similar to OTSs
• Now: transformation CH function → OTS scheme
Transformation CH → OTS
• Given: CH = (GenCH, TrapCollCH)
• Construct Σ = (Gen, Sign, Vfy) as follows:
Gen(1^k):
• (ch, τ) ← GenCH(1^k)
• (m̃, r̃) ← M × R
• c := ch(m̃, r̃)
• pk := (ch, c), sk := (τ, m̃, r̃)
Transformation CH → OTS
pk := (ch, c), sk := (τ, m̃, r̃)
Sign(sk, m):
• r := TrapCollCH(τ, m̃, r̃, m)
• σ := r
Vfy(pk, m, σ):
• c ?= ch(m, σ)
Transformation: security
Theorem 47:
Σ is EUF-1-naCMA secure if CH is collision-resistant.
(without proof)
Note: applying this transformation to our DLog-/RSA-based CHs, we obtain the DLog-/RSA-based one-time signatures from earlier
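Added example (not part of the original slides): the CH → OTS transformation instantiated with the DLog-based CH ch(m, r) = g^m · h^r on a toy group. It goes one step beyond the slides by also showing why the scheme is only one-time for this CH: two signatures under the same key form a collision that reveals the trapdoor. The parameters P, Q, G and all function names are assumptions made for this illustration.

```python
import secrets

# Toy group, constructed for illustration: P = 2Q + 1, G has prime order Q.
P, Q, G = 2039, 1019, 4

def ch(key, m, r):
    """DLog-based chameleon hash ch(m, r) = g^m * h^r mod P, key = (g, h)."""
    g, h = key
    return pow(g, m, P) * pow(h, r, P) % P

def trap_coll(x, m, r, m_new):
    """TrapColl with trapdoor x (h = g^x): solve m + x*r = m_new + x*r' mod Q."""
    return (r + (m - m_new) * pow(x, -1, Q)) % Q

def gen():
    """Gen: pk = (ch, c) with c = ch(m~, r~), sk = (trapdoor, m~, r~)."""
    x = secrets.randbelow(Q - 1) + 1
    key = (G, pow(G, x, P))
    m0, r0 = secrets.randbelow(Q), secrets.randbelow(Q)
    return (key, ch(key, m0, r0)), (x, m0, r0)

def sign(sk, m):
    """Sign: the signature is the randomness that makes m collide with c."""
    x, m0, r0 = sk
    return trap_coll(x, m0, r0, m)

def vfy(pk, m, sigma):
    key, c = pk
    return c == ch(key, m, sigma)

def recover_trapdoor(m1, s1, m2, s2):
    """Two signatures give m1 + x*s1 = m2 + x*s2 mod Q, so x is exposed."""
    return (m1 - m2) * pow((s2 - s1) % Q, -1, Q) % Q

if __name__ == "__main__":
    pk, sk = gen()
    s1, s2 = sign(sk, 10), sign(sk, 20)
    print(vfy(pk, 10, s1), vfy(pk, 20, s2), recover_trapdoor(10, s1, 20, s2) == sk[0])
```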
Socrative
Self-checking with quizzes
• Use the following URL: https://b.socrative.com/login/student
• ... and enter room “HOFHEINZ8872”
• Will also be in chat (so you can click on link)
• No registration necessary
• Quiz about chameleon hashing/signatures starts now!
Stronger forms of EUF-CMA
Experiment between challenger C_EUF-CMA and adversary A:
• C runs (pk, sk) ← Gen(1^k) and sends pk to A
• q queries: A sends m_i, C replies with σ_i
• A outputs m*, σ*
• C checks: Vfy(pk, m*, σ*) = 1 ∧ m* ∉ {m_1, ..., m_q}?
A wins iff Vfy(pk, m*, σ*) = 1 and m* ∉ {m_1, ..., m_q}
Question: what stronger form of security is conceivable?
Strong EUF-CMA (sEUF-CMA) experiment
Experiment between challenger C_sEUF-CMA and adversary A:
• C runs (pk, sk) ← Gen(1^k) and sends pk to A
• q queries: A sends m_i, C replies with σ_i
• A outputs m*, σ*
• C checks: Vfy(pk, m*, σ*) = 1 ∧ (m*, σ*) ∉ {(m_1, σ_1), ..., (m_q, σ_q)}?
A wins iff Vfy(pk, m*, σ*) = 1 and (m*, σ*) ∉ {(m_1, σ_1), ..., (m_q, σ_q)}
Definition: sEUF-CMA
Def. 51: (sEUF-CMA)
A signature scheme Σ = (Gen, Sign, Vfy) is sEUF-CMA secure iff for all PPT A,