digital signatures

Digital Signatures, Dennis Hofheinz (slides based on slides by Björn Kaidel)



  1. Digital Signatures
     Dennis Hofheinz (slides based on slides by Björn Kaidel)
     Digital Signatures, 2020-03-10

     Outline
     • Recap: one-time signatures
     • From EUF-naCMA security to EUF-CMA security
     • Interlude: proof strategies
     • Security proof
     • (Many-time) signatures from one-time signatures
     • RSA-based signature schemes

  2. Attack on dlog-based one-time sigs (not in notes)

     Assume $G = \langle g \rangle$, $p = |G|$.
     • $\mathsf{Gen}(1^k)$: $x \leftarrow \mathbb{Z}_p^*$, $\omega \leftarrow \mathbb{Z}_p$, $h := g^x$, $c := g^\omega$; $sk = (x, \omega)$, $pk = (g, h, c)$
     • $\mathsf{Sign}(sk, m)$: $\sigma = \frac{\omega - m}{x} \pmod p$
     • $\mathsf{Vfy}(pk, m, \sigma)$: $c \stackrel{?}{=} g^m h^\sigma$

     Attack using $\sigma_1, \sigma_2$ for $m_1 \neq m_2$: then $\sigma_1 \neq \sigma_2$ and

     $$g^{m_1} h^{\sigma_1} = c = g^{m_2} h^{\sigma_2}$$
     $$\Leftrightarrow\; m_1 + x\sigma_1 \equiv m_2 + x\sigma_2 \pmod p$$
     $$\Leftrightarrow\; \frac{m_1 - m_2}{\sigma_2 - \sigma_1} \equiv x \pmod p$$

     $\Rightarrow$ adversary can compute $x$.

     Given $x$, $m$ and $\sigma$:

     $$g^\omega = c = g^m h^\sigma \;\Leftrightarrow\; \omega = m + x \cdot \sigma \pmod p$$

     $\Rightarrow$ adversary can compute the full secret key $sk = (x, \omega)$
     $\Rightarrow$ adversary can forge signatures for any $m^*$
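The key recovery above, carried through on a toy group as an added example (not part of the original slides). The parameters P = 2039, p = 1019, g = 4 and the function names are constructed for illustration; the group is far too small for real use.

```python
import secrets

# Constructed toy group: P = 2p + 1 is a safe prime and g = 4 generates
# the subgroup of prime order p in Z_P^*.
P, p, g = 2039, 1019, 4

def gen():
    x = 1 + secrets.randbelow(p - 1)      # x <- Z_p^*
    w = secrets.randbelow(p)              # omega <- Z_p
    sk = (x, w)
    pk = (pow(g, x, P), pow(g, w, P))     # (h, c); g is a fixed parameter
    return sk, pk

def sign(sk, m):
    x, w = sk
    return (w - m) * pow(x, -1, p) % p    # sigma = (omega - m) / x mod p

def verify(pk, m, sig):
    h, c = pk
    return c == pow(g, m, P) * pow(h, sig, P) % P

def recover_key(m1, s1, m2, s2):
    """Recover (x, omega) from two signatures under the same one-time key."""
    if (m1 - m2) % p == 0:
        raise ValueError("messages must differ mod p")
    # x = (m1 - m2) / (sigma2 - sigma1) mod p
    x = (m1 - m2) * pow((s2 - s1) % p, -1, p) % p
    # omega = m1 + x * sigma1 mod p
    w = (m1 + x * s1) % p
    return x, w

def demo():
    sk, pk = gen()
    s1, s2 = sign(sk, 17), sign(sk, 400)  # the one-time key is used twice
    recovered = recover_key(17, s1, 400, s2)
    forged = sign(recovered, 999)         # signature on a message never signed
    return sk, recovered, verify(pk, 999, forged)

if __name__ == "__main__":
    print(demo())
```

A signer that tracks key usage and refuses a second `sign` call under the same key prevents this recovery.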

  3. Attack on RSA-based one-time sigs (not in notes)

     • $\mathsf{Gen}(1^k)$: choose $N, e, d$ suitably, $J, c \leftarrow \mathbb{Z}_n$; $sk = d$, $pk = (N, e, J, c)$
     • $\mathsf{Sign}(sk, m)$: $\sigma = \left(\frac{c}{J^m}\right)^d \pmod N$
     • $\mathsf{Vfy}(pk, m, \sigma)$: $c \stackrel{?}{\equiv} J^m \sigma^e \pmod N$

     Attack using $\sigma_1, \sigma_2$ for $m_1 \neq m_2$:

     $$J^{m_1} \sigma_1^e = c = J^{m_2} \sigma_2^e \pmod N$$
     $$\Leftrightarrow\; J^{m_1 - m_2} \equiv \left(\sigma_2 / \sigma_1\right)^e \pmod N$$

     $\Rightarrow$ Shamir's trick yields $x \in \mathbb{Z}_N$ with $x^e \equiv J \pmod N$.

     Given $x$, $m$, $\sigma$ and any $m^*$, the value $\sigma^* := \sigma x^{m - m^*} \pmod N$ is a valid signature for $m^*$:

     $$J^{m^*} (\sigma^*)^e \equiv J^{m^*} \left(\sigma x^{m - m^*}\right)^e \equiv J^{m^*} \sigma^e (x^e)^{m - m^*} \equiv J^{m^*} \sigma^e J^{m - m^*} \equiv J^m \sigma^e \equiv c \pmod N$$

     $\Rightarrow$ adversary can compute $\sigma^*$ for any $m^*$
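Shamir's trick and the resulting forgery, worked on toy numbers as an added example (not part of the original slides). It assumes messages lie in {0, ..., e-1} with e prime, so that gcd(m1 - m2, e) = 1; the values of N, e, d, J, c and all function names are constructed.

```python
# Constructed toy RSA parameters (N = 61 * 53); far too small for real use.
N, e, d = 3233, 17, 2753
J, c = 1234, 2021                 # constructed public values, units mod N

def sign(m):
    """sigma = (c / J^m)^d mod N, computed with the secret exponent d."""
    return pow(c * pow(J, -m, N) % N, d, N)

def verify(m, sig):
    return c == pow(J, m, N) * pow(sig, e, N) % N

def shamir_root(m1, s1, m2, s2):
    """Compute x with x^e = J (mod N) from two signatures, without d."""
    a = m1 - m2                   # J^a = (s2 / s1)^e (mod N)
    if a % e == 0:
        raise ValueError("need gcd(m1 - m2, e) = 1")
    y = s2 * pow(s1, -1, N) % N
    # Find u, v with u*a + v*e = 1 (possible because gcd(a, e) = 1).
    u = pow(a % e, -1, e)
    v = (1 - u * a) // e
    # x = y^u * J^v, so x^e = J^(a*u) * J^(e*v) = J.
    return pow(y, u, N) * pow(J, v, N) % N

def forge(x, m, sig, m_star):
    """sigma* = sigma * x^(m - m*) mod N is valid for m*."""
    return sig * pow(x, m - m_star, N) % N

def demo():
    s1, s2 = sign(3), sign(11)    # the one-time key is used twice
    x = shamir_root(3, s1, 11, s2)
    return x, [verify(ms, forge(x, 3, s1, ms)) for ms in range(e)]

if __name__ == "__main__":
    print(demo())
```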

  4. From EUF-naCMA security to EUF-CMA security

     • Given an EUF-naCMA secure signature scheme $\Sigma'$, and
     • an EUF-1-naCMA secure one-time signature scheme $\Sigma^{(1)}$,
     • construct an EUF-CMA secure signature scheme $\Sigma$.

     Transformation

     Let $\Sigma' = (\mathsf{Gen}', \mathsf{Sign}', \mathsf{Vfy}')$ and $\Sigma^{(1)} = (\mathsf{Gen}^{(1)}, \mathsf{Sign}^{(1)}, \mathsf{Vfy}^{(1)})$ be digital signature schemes. We construct $\Sigma = (\mathsf{Gen}, \mathsf{Sign}, \mathsf{Vfy})$:
     • $\mathsf{Gen}(1^k)$: $(pk, sk) := (pk', sk') \leftarrow \mathsf{Gen}'(1^k)$

  5. Transformation

     • $\mathsf{Sign}(sk, m)$:
       $(pk^{(1)}, sk^{(1)}) \leftarrow \mathsf{Gen}^{(1)}(1^k)$
       $\sigma' \leftarrow \mathsf{Sign}'(sk, pk^{(1)})$
       $\sigma^{(1)} \leftarrow \mathsf{Sign}^{(1)}(sk^{(1)}, m)$
       $\sigma := (pk^{(1)}, \sigma^{(1)}, \sigma')$
     • $\mathsf{Vfy}(pk, m, \sigma)$: output 1 iff $\mathsf{Vfy}'(pk, pk^{(1)}, \sigma') = 1 \,\wedge\, \mathsf{Vfy}^{(1)}(pk^{(1)}, m, \sigma^{(1)}) = 1$, else output 0.

     Intuition, for $\sigma = (pk^{(1)}, \sigma^{(1)}, \sigma')$:
     • $pk^{(1)}$: fresh new key
     • $\sigma^{(1)}$: signs actual message (under $pk^{(1)}$)
     • $\sigma'$: ensures $pk^{(1)}$ was chosen by the owner of $sk$

  6. Interlude: proof strategies (not in lecture notes)

     Claim: If
     • $\Sigma'$ is EUF-naCMA secure
     • and $\Sigma^{(1)}$ is EUF-1-naCMA secure
     then
     • $\Sigma$ is EUF-CMA secure.

     • How to use two assumptions?
     • Which formal statement should be shown?

     Instructive: How do "regular" security proofs work? Let
     • $A$ be an assumption (e.g., "$f$ is a one-way function"),
     • $S$ be a security claim (e.g., "Lamport signatures with $f$ are EUF-1-naCMA secure").
     • We need to show: $A \Rightarrow S$
     • We often show: $\neg S \Rightarrow \neg A$

  7. Interlude: proof strategies (not in lecture notes)

     Now:
     • $A$ and $B$ assumptions
       – $\Sigma'$ is EUF-naCMA secure
       – $\Sigma^{(1)}$ is EUF-1-naCMA secure
     • $S$ again desired security claim
       – $\Sigma$ is EUF-CMA secure

     Need to show: $(A \wedge B) \Rightarrow S$
     Equivalently: $\neg S \Rightarrow \neg (A \wedge B)$
     Equivalently: $\neg S \Rightarrow (\neg A) \vee (\neg B)$
     We now show $\neg S \Rightarrow (\neg A) \vee (\neg B)$.

     Security

     Theorem (32, slightly differs from lecture notes). For every PPT adversary $\mathcal{A}$ that breaks $\Sigma$'s EUF-CMA security in time $t_{\mathcal{A}}$ with success probability $\epsilon_{\mathcal{A}}$ and at most $q$ signing queries, there exist PPT adversaries $\mathcal{B}$, $\mathcal{C}$ with runtime $t_{\mathcal{B}} \approx t_{\mathcal{A}}$, $t_{\mathcal{C}} \approx t_{\mathcal{A}}$ and
     • $\mathcal{B}$ breaks $\Sigma^{(1)}$'s EUF-1-naCMA security with probability $\epsilon_{\mathcal{B}} \geq \frac{\epsilon_{\mathcal{A}}}{2q}$,
     • or $\mathcal{C}$ breaks $\Sigma'$'s EUF-naCMA security with probability $\epsilon_{\mathcal{C}} \geq \frac{\epsilon_{\mathcal{A}}}{2}$.

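  8. Reduction to security of $\Sigma'$

     [Figure: message flow between the EUF-naCMA challenger, the reduction $\mathcal{C}$ and the EUF-CMA adversary $\mathcal{A}$. Labels: (1) $\mathcal{C}$ chooses $pk^{(1)}_1, \ldots, pk^{(1)}_q$; messages $pk', \sigma'_1, \ldots, \sigma'_q$; $pk$; $m_i$; (2) compute $\sigma_i$; $\sigma_i$; $m^*, \sigma^*$; (3) $pk^{(1)*}, \sigma'^*$.]

     Reduction to security of $\Sigma^{(1)}$

     [Figure: message flow between the EUF-1-naCMA challenger, the reduction $\mathcal{B}$ and the EUF-CMA adversary $\mathcal{A}$. Labels: $\mathcal{B}$ chooses $pk$ suitably; messages $pk$; $m_i$; (1) $m_{i^*}$; $pk^{(1)}, \sigma^{(1)}_{i^*}$; compute $\sigma_i$; $\sigma_i$; $m^*, \sigma^*$; (2) $m^*, \sigma^{(1)*}$.]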

  9. (Many-time) signatures from one-time signatures

     We know:
     • One-time signature scheme $\Sigma^{(1)}$
     • Advantage: efficient and easy to construct
     • Disadvantage: may lose its security when used more than once

     We are looking for:
     • "Many-time" signature schemes

     First attempt

     • Naive approach: use $q$ keypairs (for $q$ = # of desired sigs)
     • $\mathsf{Gen}(1^k)$:
       $(pk_i, sk_i) \leftarrow \mathsf{Gen}^{(1)}(1^k)$ for all $i \in \{1, \ldots, q\}$
       $pk := (pk_1, \ldots, pk_q)$
       $sk := (sk_1, \ldots, sk_q, st = 1)$
       – Remark: stateful (here: state is counter $st \in \{1, \ldots, q\}$)
     • $\mathsf{Sign}(sk, m)$:
       $\sigma_{st} \leftarrow \mathsf{Sign}^{(1)}(sk_{st}, m)$
       $\sigma := (\sigma_{st}, st)$
       $st := st + 1$
     • $\mathsf{Vfy}(pk, m, \sigma = (\sigma_i, i))$: $\mathsf{Vfy}^{(1)}(pk_i, m, \sigma_i) \stackrel{?}{=} 1$

  10. First attempt

     Exercise 34:
     Theorem. If $\Sigma^{(1)}$ is EUF-1-naCMA secure, then the above scheme is EUF-q-naCMA secure.
     Theorem. If $\Sigma^{(1)}$ is EUF-1-CMA secure, then the above scheme is EUF-q-CMA secure.

     Complexity, measured in complexity of used one-time scheme:
     $|pk| \in O(q)$, $|sk| \in O(q)$, $|\sigma| \in O(1)$
     • Can this be done more efficiently (without a-priori bound $q$)?

     Intermediate scheme

     • $H$ hash function
     • $\mathsf{Gen}(1^k)$:
       $(pk_i, sk_i) \leftarrow \mathsf{Gen}^{(1)}(1^k)$ for all $i \in \{1, \ldots, q\}$
       $pk := H(pk_1, \ldots, pk_q)$
       $sk := (sk_1, \ldots, sk_q, pk_1, \ldots, pk_q, st = 1)$
     • $\mathsf{Sign}(sk, m)$:
       $\sigma_{st} \leftarrow \mathsf{Sign}^{(1)}(sk_{st}, m)$
       $\sigma := (\sigma_{st}, st, pk_1, \ldots, pk_q)$
       $st := st + 1$
     • $\mathsf{Vfy}(pk, m, \sigma)$: $\mathsf{Vfy}^{(1)}(pk_i, m, \sigma_i) \stackrel{?}{=} 1$ and $H(pk_1, \ldots, pk_q) \stackrel{?}{=} pk$

  11. Intermediate scheme

     Exercise:
     Theorem. If $\Sigma^{(1)}$ is EUF-1-naCMA secure, and $H$ is collision-resistant, then the above scheme is EUF-q-naCMA secure.
     Theorem. If $\Sigma^{(1)}$ is EUF-1-CMA secure, and $H$ is collision-resistant, then the above scheme is EUF-q-CMA secure.

     Complexity, measured in complexity of used one-time scheme:
     $|pk| \in O(1)$, $|sk| \in O(q)$, $|\sigma| \in O(q)$
     • now: how to save on signature size
     • Merkle trees

     Merkle trees

     [Figure: binary hash tree over eight one-time public keys. Root: $pk := h_{0,1}$. Level 1: $h_{1,1}, h_{1,2}$. Level 2: $h_{2,1}, \ldots, h_{2,4}$. Level 3: $h_{3,1}, \ldots, h_{3,8}$. Leaves: $pk_1, \ldots, pk_8$. Legend: nodes "contained in $\sigma$" and nodes "computed by Vfy".]

  12. Merkle trees

     • $\mathsf{Gen}(1^k)$:
       $(pk_i, sk_i) \leftarrow \mathsf{Gen}^{(1)}(1^k)$ for all $i \in \{1, \ldots, q\}$
       $pk := \text{tree-hash}(pk_1, \ldots, pk_q)$
       $sk := (sk_1, \ldots, sk_q, pk_1, \ldots, pk_q, st = 1)$
     • $\mathsf{Sign}(sk, m)$:
       $i := st$
       $\sigma_i \leftarrow \mathsf{Sign}^{(1)}(sk_i, m)$
       $\sigma := (\sigma_i, i, pk_i, \text{co-path})$
       $st := st + 1$

     Co-path

     Definition. The co-path to a vertex $v$ in a binary tree with root $r$ is the sequence of all vertices $u_1, \ldots, u_n$, such that $u_i$ is the sibling of the $i$-th vertex on the path from $v$ to $r$.

  13. Merkle trees

     [Figure: the eight-leaf hash tree with root $pk := h_{0,1}$, inner nodes $h_{1,1}, \ldots, h_{3,8}$ and leaves $pk_1, \ldots, pk_8$. Legend: nodes "contained in $\sigma$" and nodes "computed by Vfy".]

     • $\mathsf{Vfy}(pk, m, \sigma)$:
       recompute root $h'$
       $\mathsf{Vfy}^{(1)}(pk_i, m, \sigma_i) \stackrel{?}{=} 1$ and $h' \stackrel{?}{=} pk$
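The tree-hash, co-path and root recomputation of the Merkle scheme, as an added example that is not part of the original slides. It assumes SHA-256 for the hash, a power-of-two number of leaves, 0-based leaf indices (the slides count from 1) and leaf/inner-node prefix bytes for domain separation; the one-time public keys are constructed byte strings, and the one-time signature check itself is left out.

```python
import hashlib

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def build_tree(leaf_pks):
    """Return all levels, leaves first; levels[-1][0] is the root (= pk)."""
    if len(leaf_pks) & (len(leaf_pks) - 1):
        raise ValueError("number of leaves must be a power of two")
    level = [H(b"\x00", pk) for pk in leaf_pks]        # h_{3,1..8} for q = 8
    levels = [level]
    while len(level) > 1:
        level = [H(b"\x01", level[j], level[j + 1])
                 for j in range(0, len(level), 2)]
        levels.append(level)
    return levels

def co_path(levels, i):
    """Siblings of the vertices on the path from leaf i up to the root."""
    path = []
    for level in levels[:-1]:
        path.append(level[i ^ 1])   # sibling index differs in the low bit
        i >>= 1                     # move to the parent
    return path

def root_from_co_path(pk_i, i, path):
    """What Vfy does: recompute h' from pk_i, the index and the co-path."""
    node = H(b"\x00", pk_i)
    for sibling in path:
        if i % 2 == 0:              # current node is a left child
            node = H(b"\x01", node, sibling)
        else:                       # current node is a right child
            node = H(b"\x01", sibling, node)
        i >>= 1
    return node

# Constructed stand-ins for the one-time public keys pk_1..pk_8.
PKS = [b"one-time-pk-%d" % k for k in range(8)]
LEVELS = build_tree(PKS)
ROOT = LEVELS[-1][0]

def check(pk_i, i, path):
    return root_from_co_path(pk_i, i, path) == ROOT

if __name__ == "__main__":
    print(len(co_path(LEVELS, 5)), check(PKS[5], 5, co_path(LEVELS, 5)))
```

The signature carries log2(q) sibling hashes instead of all q public keys, which is the saving over the intermediate scheme.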
