
  1. Digital Signatures
     Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung)
     Digital Signatures, 2020-05-05

     Outline
     • More on BLS signatures
     • Programmable Hash Functions
     • Waters’ PHF

  2. Recap: pairings

     Definition 78 (Pairings): Let $G_1, G_2, G_T$ be groups of prime order $p$. A pairing is a map $e : G_1 \times G_2 \to G_T$ with the following properties:
     1) Bilinearity: $\forall g_1, g_1' \in G_1,\ g_2, g_2' \in G_2$:
        $e(g_1 \cdot g_1', g_2) = e(g_1, g_2) \cdot e(g_1', g_2)$
        $e(g_1, g_2 \cdot g_2') = e(g_1, g_2) \cdot e(g_1, g_2')$
     2) Non-degeneracy: $\langle e(g_1, g_2) \rangle = G_T$ for any generators $g_1, g_2$
     3) $e$ efficiently computable.

     Note: Here, $G_1 = G_2$ (symmetric or “type-1” pairings).

     Remark/addendum to previous lecture
     • Claim: self-bilinear map ($G_T = G_1 = G_2$) breaks CDH
     • Not (completely) trivial
     • Given $g, g^x, g^y$, compute $g^{xy}$
     • Pairing gives $e(g^x, g^y) = e(g, g)^{xy} = g^{\alpha xy}$ for fixed $\alpha$
     • Problem: $e(g, g) \neq g$ (i.e., $\alpha \neq 1$) in general
     • Solution (requires group order $p = |G_T| = |G_1| = |G_2|$):
       – Compute $g^{\alpha} = e(g, g) \longrightarrow g^{\alpha^{p-3}} = g^{\alpha^{-2} \bmod p}$ (square-and-multiply using $e$)
       – Compute $e(g^{\alpha xy}, g^{\alpha^{-2}}) = g^{xy}$
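The remark above, carried through as an added example (not part of the original slides). The group parameters, the constant `ALPHA` and all function names are constructed for illustration; the self-bilinear map is only simulated with a discrete-log table, which works because the toy group is tiny, and the solver itself uses nothing but `e` and the group order.

```python
# Toy parameters (constructed): order-P subgroup of Z_Q^*, Q = 2P + 1, generator G.
P, Q, G = 1019, 2039, 4
ALPHA = 7  # hidden constant with e(g, g) = g^ALPHA; the solver never reads it
_DLOG = {pow(G, a, Q): a for a in range(P)}  # used only to simulate e

def e(u, v):
    """Hypothetical self-bilinear map e(g^a, g^b) = g^(ALPHA*a*b)."""
    return pow(G, ALPHA * _DLOG[u] * _DLOG[v] % P, Q)

def g_alpha_pow_p_minus_3(g, p, e):
    """Square-and-multiply in which the only group operation used is e.

    With S_k := g^(alpha^(k-1)) we have S_1 = g and e(S_i, S_j) = S_(i+j),
    so e plays the role of multiplication and S_(p-2) = g^(alpha^(p-3)).
    """
    acc, base, k = None, g, p - 2
    while k:
        if k & 1:
            acc = base if acc is None else e(acc, base)
        k >>= 1
        if k:
            base = e(base, base)
    return acc

def solve_cdh(g, gx, gy, p, e):
    """Return g^(xy) from (g, g^x, g^y), given the map e and the group order p."""
    inv = g_alpha_pow_p_minus_3(g, p, e)   # g^(alpha^-2 mod p), by Fermat
    return e(e(gx, gy), inv)               # e(g^(alpha*x*y), g^(alpha^-2)) = g^(xy)
```
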

  3. Recap: BLS signatures

     Gen($1^k$):
     • $x \leftarrow \mathbb{Z}_p^*$
     • $pk = (g, g^x)$, $sk = x$
     Sign($sk, m$):
     • $\sigma := H(m)^x \in G$
     Vfy($pk, m, \sigma$):
     • $e(H(m), g^x) \stackrel{?}{=} e(\sigma, g)$

     EUF-CMA secure in ROM under CDH assumption

     BLS: extra properties

     Problem:
     • $U_1, \dots, U_N$ senders (e.g., in a sensor network)
     • Each $U_i$ has their own $pk_i = (g, g^{x_i})$

     Straightforward (but expensive!) solution:
     • $U_1$ with $(pk_1, sk_1)$ → $m_1, \sigma_1$
     • $U_2$ with $(pk_2, sk_2)$ → $m_2, \sigma_2$
     • ...
     • $U_n$ with $(pk_n, sk_n)$ → $m_n, \sigma_n$
     • Verifier receives $(m_1, \sigma_1), \dots, (m_n, \sigma_n)$ and checks $\forall i$: Vfy($pk_i, m_i, \sigma_i$) $\stackrel{?}{=} 1$

  4. Better solution: aggregable signature scheme

     • $U_1$ → $m_1, \sigma_1$ → aggregator
     • $U_2$ → $m_2, \sigma_2$ → aggregator
     • ...
     • $U_n$ → $m_n, \sigma_n$ → aggregator
     • Aggregator → $m_1, \dots, m_n, \sigma_{\mathrm{Agg}}$ → Verifier
     • Verifier checks Vfy($pk_1, \dots, pk_n, m_1, \dots, m_n, \sigma_{\mathrm{Agg}}$) $\stackrel{?}{=} 1$

     • Algorithm that aggregates signatures
     • $|\sigma_{\mathrm{Agg}}| = |\sigma|$
     • Vfy of single aggregated signature more efficient than Vfy of many single signatures

     Aggregable signatures

     Advantages and (potential) applications:
     • Saves bandwidth/storage
     • Aggregating signatures more efficient than signing huge dataset (perhaps over and over again)
     • Applications:
       – Sensor networks
       – Secure logging
       – (Authenticating) databases
       – ...

  5. BLS: aggregability

     • $U_i$ has BLS keypair $(pk_i = (g, g^{x_i}), sk_i = x_i)$
     • Signatures are of the form $\sigma_i = H(m_i)^{x_i}$
     • Aggregator computes
       $\sigma_{\mathrm{Agg}} = \prod_{i=1}^{n} \sigma_i$
       and sends $(m_1, \dots, m_n, \sigma)$ to the verifier
     • Aggregation is public computation, no secret key necessary

     BLS: aggregability

     $\sigma_{\mathrm{Agg}} = \prod_{i=1}^{n} \sigma_i$

     • Verification of aggregated signatures:
       $e(\sigma_{\mathrm{Agg}}, g) \stackrel{?}{=} \prod_{i=1}^{n} e(H(m_i), g^{x_i})$.
     • Correctness:
       $e(\sigma_{\mathrm{Agg}}, g) = e(\sigma_1, g) \cdot \ldots \cdot e(\sigma_n, g)$
       $= e(H(m_1)^{x_1}, g) \cdot \ldots \cdot e(H(m_n)^{x_n}, g)$
       $= \prod_{i=1}^{n} e(H(m_i), g^{x_i})$

  6. BLS: aggregability

     • Verification time approximately halved:
       – No aggregation: verifying $n$ signatures takes $2n$ pairing computations
       – Aggregated: verifying aggregated signature for $n$ messages takes $n + 1$ pairing computations
     • Scheme with aggregation EUF-CMA secure
       – ... according to adapted EUF-CMA definition
       – Difference: allow aggregated forgery
       – Generalizes “ordinary” EUF-CMA

     BLS: batch verification

     Problem:
     • $U$ with $(pk, sk)$ → $(m_1, \sigma_1), \dots, (m_n, \sigma_n)$ → Verifier
     • Verifier checks $\forall i$: Vfy($pk_i, m_i, \sigma_i$) $\stackrel{?}{=} 1$

     Solution: batch verification
     • $\sigma_1, \dots, \sigma_n$ signatures for $m_1, \dots, m_n$
     • $h = \prod_{i=1}^{n} H(m_i)$, $\sigma := \prod_{i=1}^{n} \sigma_i$
     • Check $e(\sigma, g) \stackrel{?}{=} e(h, g^x)$
     • Correctness: as with aggregation
     • Only two pairing computations for $n$ signatures
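The three verification modes above side by side, as an added example (not part of the original slides), with a counter that reproduces the $2n$, $n + 1$ and 2 pairing counts. The toy group, the simulated pairing (a discrete-log table, with $G_T$ modelled by the same group) and the stand-in hash `H` are constructed assumptions and are not secure.

```python
import hashlib
from math import prod

# Toy parameters (constructed): order-P subgroup of Z_Q^*, Q = 2P + 1, generator G.
P, Q, G = 1019, 2039, 4
_DLOG = {pow(G, a, Q): a for a in range(P)}  # feasible only because P is tiny
pairings = 0                                 # pairing evaluations since last reset

def e(u, v):
    """Simulated pairing e(g^a, g^b) = g_T^(ab); counts every call."""
    global pairings
    pairings += 1
    return pow(G, _DLOG[u] * _DLOG[v] % P, Q)

def H(m):
    """Stand-in for the hash onto G (its discrete log is known here)."""
    return pow(G, int.from_bytes(hashlib.sha256(m).digest(), "big") % P, Q)

def sign(x, m):
    return pow(H(m), x, Q)                   # sigma = H(m)^x

def verify(pk, m, sigma):
    return e(H(m), pk) == e(sigma, G)        # 2 pairings per signature

def aggregate(sigs):
    return prod(sigs) % Q                    # public computation, no secret key

def verify_aggregate(pks, msgs, sigma_agg):
    rhs = prod(e(H(m), pk) for m, pk in zip(msgs, pks)) % Q
    return e(sigma_agg, G) == rhs            # n + 1 pairings

def batch_verify(pk, msgs, sigs):
    h = prod(H(m) for m in msgs) % Q         # one signer, many messages
    return e(aggregate(sigs), G) == e(h, pk) # 2 pairings in total

def count(check, *args):
    """Run one verification; return (result, number of pairings it used)."""
    global pairings
    pairings = 0
    return check(*args), pairings
```

The batch check validates only the product of the signatures, so individual errors that cancel in the product still pass; it shows that the batch as a whole is signed, not that each $\sigma_i$ verifies on its own.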

  7. Research

     • Different forms of aggregation
       – Sequential aggregation (→ Waters signatures), full aggregation (BLS), ...
       – Reason: weaker forms of aggregation easier to achieve (without RO)
     • “Universal aggregators” (aggregation across signature schemes)
     • Fault-tolerant aggregate signatures
       – Aggregating an invalid signature (and valid ones) invalidates aggregate
       – But: sometimes useful to be able to tell which message has invalid signature
       – → Vfy outputs list of valid signatures

     Waters signatures

     • Pairing-based signature
     • EUF-CMA secure under CDH in standard model (w/o ROs)
     • Tool: “programmable hash functions” (PHFs)

     Note:
     • Waters’ paper did not call this “PHFs”
     • Abstraction only found later on
     • PHFs make presentation more modular

  8. Programmable hash functions

     Motivation:
     • RO proofs use programmability of RO (RSA-FDH, BLS, ...)
     • Problem: ROs do not exist, leads to heuristic arguments
     • Goal: imitate necessary programming operations with standard-model hash function

     Programmable hash functions

     Motivation, closer look:
     • In BLS proof: $H(m)$ programmed in reduction so that
       – Most of the time, $H(m) = g^{y_i}$ for known $y_i$
       – Once, $H(m) = g^{y}$ for unknown $y$
     • Can be viewed as “partitioning” set of messages $m$ into
       – ... “controlled” $m$ for which Dlog of $H(m)$ is known (to reduction)
       – ... “uncontrolled” $m$ for which Dlog of $H(m)$ is not known
     • Goal: signature queries $m$ controlled, forgery $m^*$ uncontrolled

  9. Programmable hash functions

     • Problem: without random oracle, $H$ fixed in $pk$
     • Hence: want an algebraic object $H$ for which
       – Dlog of $H(m)$ computable (using trapdoor) for most $m$
       – ... but for some $m$, Dlog of $H(m)$ hard even given trapdoor
       – Hope that all signature queries controlled, forgery uncontrolled
     • Problem: “most DLogs known” algebraically hard to achieve
       – Intuition: many known DLogs of $H(m_i)$ tell you much about the group elements from which $H$ is computed
     • Solution: refine what “controlled” means

     Programmable hash functions

     • Solution: refine what “controlled” means
     • BLS: “reduction can sign $m$” ⇔ “$m$ controlled” ⇔ Dlog of $H(m)$ known (to reduction)
     • Now: “reduction can sign $m$” ⇔ “$m$ controlled” ⇔ $H(m) = h^{a_m} g^{b_m}$ for known $g, h, a_m, b_m$ with $a_m \neq 0$
     • Also: “CDH can be embedded into $m$” ⇔ “$m$ uncontrolled” ⇔ $H(m) = h^{a_m} g^{b_m}$ for known $g, h, a_m, b_m$ with $a_m = 0$
     • $g, h, H$ public, but exponents $a_m, b_m$ only known to reduction
     • Reduction can sign if and only if $H(m)$ has $h$-component
     • Requires different signature scheme, suitable $H$

  10. Programmable hash functions

     Intuition:
     • Let $G$ be a finite cyclic group, $g, h$ generators
     • Hash function $H_\kappa : \{0,1\}^\ell \to G$
     • Two Gen algorithms for $H$: Gen and TrapGen
     • Gen → $\kappa$, but TrapGen → $(\kappa, \tau)$ also outputs trapdoor $\tau$
     • $\kappa$-output by Gen and TrapGen indistinguishable
     • Trapdoor allows to represent every $H$-output as follows: $h^{a_m} g^{b_m} = H_\kappa(m)$
     • Besides: exponents $a_m, b_m$ “well-distributed”, so that
       – for every $\kappa$ and all fixed sequences $m_1^*, \dots, m_v^*, m_1, \dots, m_w$
       – we have $a_{m_i^*} = 0$ and $a_{m_j} \neq 0$ for all $i, j$ with sufficiently high probability (over the choice of $\tau$)

     Programmable hash functions

     Def.: A group hash function over a group $G$ consists of two PPT algorithms:
     • Gen($1^k$) → $\kappa$ (for $g \in G$): key generation
     • Eval($\kappa, m$) → $H_\kappa(m) \in G$: evaluation (deterministic)
     • Interesting property of a group hash function: programmability (next slides)

  11. Programmable hash functions

     Def.: A group hash function (Gen, Eval) is $(v, w, \gamma)$-programmable (for $v, w \in \mathbb{N}$, $\gamma \in [0, 1]$), if there are two PPT algorithms as follows:
     • TrapGen($g, h$) → $(\kappa, \tau)$: trapdoor key generation
     • TrapEval($\tau, m$) → $(a_m, b_m)$ with $h^{a_m} g^{b_m} = H_\kappa(m)$ (deterministic)
     that fulfill the following two requirements:
     • $\kappa$ from Gen statistically close to $\kappa$ from TrapGen
     • TrapEval has $(v, w, \gamma)$-well-distributed outputs (next slide)

     A $(v, w, \gamma)$-PHF is a $(v, w, \gamma)$-programmable group hash function.

     Programmable hash functions

     Well-distributedness condition of TrapEval’s outputs:
     • $(v, w, \gamma)$-well-distributed (for $v, w \in \mathbb{N}$, $\gamma \in [0, 1]$): For all
       – generators $g, h$ of $G$,
       – $m_1^*, \dots, m_v^* \in \{0,1\}^\ell$,
       – $m_1, \dots, m_w \in \{0,1\}^\ell$ (s.t. $\forall i, j$: $m_i^* \neq m_j$)
       – $\kappa$ in the range of TrapGen’s first output
       we have:
       $\Pr\left[\, a_{m_i^*} = 0 \text{ for } i = 1, \dots, v \ \wedge\ a_{m_j} \neq 0 \text{ for } j = 1, \dots, w \,\right] \geq \gamma$,
       where Pr is over $\tau$ from $(\kappa, \tau) \leftarrow$ TrapGen($g, h$) (cond. on $\kappa$)
