Feb 08, 2016
Realizing Hash and Sign Signatures under Standard Assumptions
Susan Hohenberger Johns Hopkins
Brent Waters UT Austin
Digital Signatures
When, in the course of…
1976 Diffie-Hellman: dream of digital signatures
1978 Rivest-Shamir-Adleman: first implementation
1adh84naf89hq32nvsd8puwqhevhphvdfp9ufew7u2rasdfohaqsedhfdasjf;
Signatures Today
Two classes:
“Hash-and-Sign” Signatures
-- [RSA78, E84, S91, O92, BR93, PS96, GHR99, CS00, CL01, BLS04, BB04, CL04, W05, GJKW07, GPV08, ...]
-- what practitioners expect
-- short signatures and short public keys
Tree-Based Signatures
-- [GMR85, G86, M89, DN89, BM90, NY94, R90, CD95, CD96, ...]
Focus on “Hash-and-Sign”
Again, most things fall into two classes:
Strong Assumptions
-- Strong RSA [GHR99, CS00]
-- q-Strong Diffie-Hellman [BB04]
-- LRSW [CL04]
Random Oracle Model
-- RSA [RSA78]
-- Discrete logarithm [E84, S91]
-- Lattices [GPV08]
Our goal: Hash-and-sign from standard assumptions in the standard model.
Strong Assumptions
RSA: Given $(N, y, e)$, find the $x$ s.t. $y = x^e \bmod N$.
Strong RSA: Given $(N, y)$, find any $(x, e)$ s.t. $e > 1$ and $y = x^e \bmod N$.
Computational Diffie-Hellman: Given $(g, g^a, g^b)$, find $g^{ab}$.
q-Strong Diffie-Hellman: Given $(g, g^a, g^{a^2}, \ldots, g^{a^q})$, find any $(c, g^{1/(a+c)})$ s.t. $c > 0$.
One Anomaly
Waters Signatures [W05]
+ Short (signature = 2 group elements)
+ Stateless
+ Standard Model
+ Secure under CDH assumption
- Public Key requires $O(k)$ group elements, where $k$ is a sec. parameter
Prior and New Contributions
W’05 HW’09
PK Size Sig Size O(k) 2
Short signatures from standard assumptions. Stateless?
CDH Assump.
CDH RSA
HW’09 O(1)
834
no no
yes
Let k be the security parameter. Size in group elements (roughly).
Design from RSA
RSA: Given $(N, y, e)$, find the $x$ s.t. $x^e = y \bmod N$.
Different exponent per signature [GHR, CS]
For $i$th signature:
• $e_i$ = random
• $e_i = F(m_i)$
Problem: In proof, how can we force adversary to forge with exponent $e$?
Space of $e_i$’s is exponential $\Rightarrow$ Strong RSA
If it was polynomial, we’d be all set.
Design from RSA
RSA: Given $(N, y, e)$, find the $x$ s.t. $x^e = y \bmod N$.
Different exponent per signature [GHR, CS]
For $i$th signature:
• $e_i$ = random
• $e_i = F(m_i)$
• $e_i = F(i)$
Sign(SK, i, m)
Problem: In proof, how can we force adversary to forge with exponent $e$?
What if adversary forges on state $i = 2^{163}$?
New Strategy
Problem: must bound $i$ in adversary’s forgery.
Let $x$ = # signatures issued
Type I: using state $i^* > 2^{\lg(x)}$.
Type II: using state $i^* \le 2^{\lg(x)}$.
New Idea: sign $(m, i)$ and $\lceil \lg(i) \rceil$
Adversary must forge sig on $\lceil \lg(i^*) \rceil$
$i^*$ must come from polynomial range 1 to $2^{\lg(x)}$!
For security parameter $2^K$, only $K$ distinct $\lceil \lg(i) \rceil$
…But signer might need to sign with $i^*$ (solve with ChamHash).
Chameleon Hash
Formalized by Krawczyk and Rabin in 2000.
$H(m, r)$
1. Collision-resistant, i.e., hard to find $(m, r) \ne (m', r')$ s.t. $H(m, r) = H(m', r')$.
2. With trapdoor, given any $y$ and $m$, can find $r$ s.t. $H(m, r) = y$.
DL and RSA realizations exist.
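The trapdoor property in a discrete-log realization, as an added example that is not code from the talk: it uses the standard form H(m, r) = g^m · hk^r and finds the r that opens an existing hash value to a new message. The group parameters, the trapdoor value and the function names are constructed toy assumptions.

```python
import hashlib

# Constructed toy group (far too small for real use): P = 2Q + 1 with P, Q prime,
# and g = 4 generates the subgroup of prime order Q modulo P.
P, Q, g = 2039, 1019, 4
TRAPDOOR = 77                     # secret exponent t (constructed value)
hk = pow(g, TRAPDOOR, P)          # public hash key hk = g^t mod P

def digest(m: bytes) -> int:
    """Map a message to an exponent in Z_Q."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % Q

def cham_hash(m: bytes, r: int) -> int:
    """H(m, r) = g^digest(m) * hk^r mod P."""
    return pow(g, digest(m), P) * pow(hk, r, P) % P

def collide(m: bytes, r: int, m_new: bytes, t: int = TRAPDOOR) -> int:
    """With the trapdoor t, return r_new such that H(m_new, r_new) == H(m, r).

    Solves digest(m) + t*r = digest(m_new) + t*r_new (mod Q) for r_new.
    """
    return (r + (digest(m) - digest(m_new)) * pow(t, -1, Q)) % Q
```

Without t, producing such an r_new means solving a discrete log in the group, which is what property 1 relies on.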
Construction
PK = (N, u, h, v, F, ChamHash), where F maps to primes.
Sign(SK, i, m)
• $e = F(i)$.
• Choose $r$, $x$ = ChamHash(m, r).
• $s_1 = (u^x h)^{1/e} \bmod N$
• $s_2$ = $\lg(i)$th square root of $v$ mod $N$
Sig = $(s_1, s_2, r, i)$.
Can “squish” $s_1$, $s_2$
Proof idea:
Type I: forgery $i$ is “big” $\Rightarrow$ square roots $\Rightarrow$ factor $N$.
Type II: forgery $i$ is “small” $\Rightarrow$ simulator can guess $i$ $\Rightarrow$ $F(i) = e$ from RSA challenge .....
Computational DH -- Overview
• Sigs ~ Boneh-Boyen IBE keys
• Sign State; C.H. on master key
• No need to find primes!
VK = $g, g^a, h, u, v, w \in G$ (bilinear) + ChamHash
Sign(SK, M, i) = $(u^x h)^a (u^i v^{\lg(i)} w)^t,\ g^t$
$x$ = ChamHash(M, r), $t \in Z_p$
Handling State
• Timer: State = Machine Time --- Careful!
  • Do not roll back
  • Always one tick
• Multiple Machines
  • Coordinate??
  • Machine $k$ signs: $i \cdot n + k$
Better not to have state
Our Contributions
Short signatures with short keys with state in the standard model from:
-- RSA
-- Computational DH
State = a counter of # of sigs issued.
Thank you
Background
Chameleon hashes exist under RSA, factoring and discrete log.
A signature scheme is secure if for all ppt $A$, the following is negligible:
Full Definition [GMR88]
Pr[ (PK, SK) <- KeyGen($1^k$), (m, s) <- $A^{O_{sk}}$(PK) : Verify(PK, m, s) = 1 and m not queried to signing oracle $O_{sk}$ ].
Weak Definition [..., BB04]
Pr[ ($m_1, \ldots, m_q$) <- A($1^k$), (PK, SK) <- KeyGen($1^k$), $s_i$ = Sign(SK, $m_i$), (m, s) <- A(PK, $s_1, \ldots, s_q$) : Verify(PK, m, s) = 1 and m not equal to $m_1, \ldots, m_q$ ].
Theorem [..., ST01]: Weak Sig Scheme + Chameleon Hash = Full Sig Scheme.
Digital Signatures
Algorithms
KeyGen($1^k$) --> (PK, SK).
Sign(SK, m) --> s.
Verify(PK, m, s) --> 1/0.
Dear UT,
Happy April!
--John
Definition [GMR88]
A signature scheme is secure if for all ppt $A$, the following is negligible:
Pr[ (PK, SK) <- KeyGen($1^k$), (m, s) <- $A^{O_{sk}}$(PK) : Verify(PK, m, s) = 1 and m not queried to signing oracle $O_{sk}$ ].
Digital Signatures
Algorithms
KeyGen($1^k$) --> (PK, SK).
Sign(SK, m) --> s.
Verify(PK, m, s) --> 1/0.
When, in the course of…
1976 Diffie-Hellman: dream of digital signatures
1978 Rivest-Shamir-Adleman: first implementation
1adh84naf89hq32nvsd8puwqhevhphvdfp9ufew7u2rasdfohaqsedhfdasjf;
Design from RSA
RSA: Given $(N, y, e)$, find the $x$ s.t. $x^e = y \bmod N$.
Problem: In proof, how can we force adversary to forge with exponent $e$?
Signer will use a different exponent for each sig.
For $i$th signature, perhaps
$e_i$ is chosen at random, or
$e_i$ is derived from the message $m_i$, or
$e_i$ is derived from the signer’s state $i$.
Sign(SK, i, m)
Construction #1
PK = (N, u, h, v, F, ChamHash), where F maps to primes.
Sign(SK, i, m):
1. Increment $i := i + 1$.
2. Compute $e = F(i)$.
3. Choose random $r$, compute $x$ = ChamHash(m, r).
4. Compute $s_1 = (u^x h)^{1/e} \bmod N$,
   $s_2$ = $\lg(i)$th square root of $v$ mod $N$.
5. Output signature $(s_1, s_2, r, i)$.
Verify(PK, m, s): straightforward.
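Construction #1 (and the earlier Construction slide) as a runnable toy, including the verification equations the slide calls straightforward; this is an added example, not code from the talk or the paper. Assumptions: tiny constructed safe-prime parameters, a stand-in F that returns the i-th odd prime, a discrete-log chameleon hash, and the reading of "lg(i)th square root" as s2 raised to 2^ceil(lg i) giving v.

```python
import hashlib, secrets

# Constructed toy parameters (far too small for real use).
p, q = 1019, 1187                  # safe primes: p = 2*509 + 1, q = 2*593 + 1
N, ORDER = p * q, 509 * 593        # ORDER = size of the quadratic-residue group mod N
P, Q, g = 2039, 1019, 4            # chameleon-hash group: g has prime order Q mod P
hk = pow(g, 77, P)                 # chameleon-hash key; signing never uses the trapdoor
u, h, v = (pow(a, 2, N) for a in (5, 7, 11))   # public squares mod N

def F(i):
    """Toy stand-in for F (assumption): the i-th odd prime."""
    n, found = 2, 0
    while found < i:
        n += 1
        found += all(n % d for d in range(2, int(n ** 0.5) + 1))
    return n

def lg(i):
    return (i - 1).bit_length()    # ceil(lg i) for i >= 1

def cham_hash(m, r):
    # Assumed DL realization: H(m, r) = g^SHA256(m) * hk^r mod P.
    d = int.from_bytes(hashlib.sha256(m).digest(), "big") % Q
    return pow(g, d, P) * pow(hk, r, P) % P

class Signer:
    def __init__(self):
        self.i = 0                 # state: counter of signatures issued

    def sign(self, m):
        self.i += 1                # step 1: the counter must never repeat or roll back
        e = F(self.i)
        r = secrets.randbelow(Q)
        x = cham_hash(m, r)
        s1 = pow(pow(u, x, N) * h % N, pow(e, -1, ORDER), N)   # e-th root of u^x * h
        s2 = pow(v, pow(2 ** lg(self.i), -1, ORDER), N)        # 2^ceil(lg i)-th root of v
        return s1, s2, r, self.i

def verify(m, sig):
    s1, s2, r, i = sig
    x = cham_hash(m, r)
    ok_s1 = i >= 1 and pow(s1, F(i), N) == pow(u, x, N) * h % N
    ok_s2 = i >= 1 and pow(s2, 2 ** lg(i), N) == v
    return ok_s1 and ok_s2
```

The roots are computed with knowledge of the factorization of N (through ORDER), which is the signer's secret; the verifier only raises to public powers.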
New Strategy
Problem: must bound $i$ in adversary’s forgery.
New Idea: sign $(m, i)$ and $\lceil \lg(i) \rceil$.
Let $x$ = # signatures
Type I: using state $i^* > 2^{\lg(x)}$.
Type II: using state $i^* \le 2^{\lg(x)}$.