Digital Signatures
Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung)
Digital Signatures 2020-05-05

Outline

• More on BLS signatures
• Programmable Hash Functions
• Waters’ PHF

Recap: pairings

Definition 78 (Pairings): Let $G_1, G_2, G_T$ be groups of prime order $p$. A pairing is a map $e : G_1 \times G_2 \to G_T$ with the following properties:
1) Bilinearity: $\forall g_1, g_1' \in G_1,\ g_2, g_2' \in G_2$:
   $e(g_1 \cdot g_1', g_2) = e(g_1, g_2) \cdot e(g_1', g_2)$
   $e(g_1, g_2 \cdot g_2') = e(g_1, g_2) \cdot e(g_1, g_2')$
2) Non-degeneracy: $\langle e(g_1, g_2) \rangle = G_T$ for any generators $g_1, g_2$
3) $e$ is efficiently computable.

Note: Here, $G_1 = G_2$ (symmetric or “type-1” pairings).

Remark/addendum to previous lecture

• Claim: self-bilinear map ($G_T = G_1 = G_2$) breaks CDH
• Not (completely) trivial
• Given $g, g^x, g^y$, compute $g^{xy}$
• Pairing gives $e(g^x, g^y) = e(g, g)^{xy} = g^{\alpha xy}$ for fixed $\alpha$
• Problem: $e(g, g) \neq g$ (i.e., $\alpha \neq 1$) in general
• Solution: (requires group order $p = |G_T| = |G_1| = |G_2|$)
  – Compute $g^{\alpha} = e(g, g) \xrightarrow{\text{square-and-mult. using } e} g^{\alpha^{p-3}} = g^{\alpha^{-2} \bmod p}$
  – Compute $e(g^{\alpha xy}, g^{\alpha^{-2}}) = g^{xy}$

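The solution above, run end to end as an added example (not from the slides): a toy self-bilinear map on the order-1019 subgroup of $\mathbb{Z}_{2039}^*$ is built from a brute-force discrete-log table, and `solve_cdh` recovers $g^{xy}$ using only calls to `e` and the group order. The group parameters, the constant `_ALPHA` and all function names are assumptions of this sketch.

```python
# Constructed toy model: order-P subgroup of Z_Q^* (Q = 2P + 1), generator G.
P, Q, G = 1019, 2039, 4
_ALPHA = 777                                   # fixed alpha of the map; the solver never reads it
_DLOG = {pow(G, k, Q): k for k in range(P)}    # brute-force table, only feasible at toy sizes


def e(a, b):
    """Toy self-bilinear map G x G -> G with e(g^a, g^b) = g^(alpha*a*b)."""
    return pow(G, _ALPHA * _DLOG[a] * _DLOG[b] % P, Q)


def e_power(base, n):
    """Square-and-multiply with e as the 'product'.

    Combining n copies of g through e yields g^(alpha^(n-1)), because each
    application of e contributes one extra factor alpha in the exponent.
    """
    result = None
    while n:
        if n & 1:
            result = base if result is None else e(result, base)
        base = e(base, base)
        n >>= 1
    return result


def solve_cdh(gx, gy):
    """Given g^x and g^y, return g^(xy) using only e and the group order P."""
    g_alpha_xy = e(gx, gy)                 # g^(alpha*x*y)
    g_alpha_inv2 = e_power(G, P - 2)       # g^(alpha^(p-3)) = g^(alpha^-2 mod p)
    return e(g_alpha_xy, g_alpha_inv2)     # exponent alpha * (alpha*x*y) * alpha^-2 = x*y
```
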
Recap: BLS signatures

Gen($1^k$):
• $x \leftarrow \mathbb{Z}_p^*$
• $pk = (g, g^x)$, $sk = x$
Sign($sk, m$):
• $\sigma := H(m)^x \in G$
Vfy($pk, m, \sigma$):
• $e(H(m), g^x) \stackrel{?}{=} e(\sigma, g)$

EUF-CMA secure in ROM under CDH assumption

BLS: extra properties

Problem:
• $U_1, \dots, U_N$ senders (e.g., in a sensor network)
• Each $U_i$ has their own $pk_i = (g, g^{x_i})$

Straightforward (but expensive!) solution:
• $U_1$ with $(pk_1, sk_1)$ → $m_1, \sigma_1$
• $U_2$ with $(pk_2, sk_2)$ → $m_2, \sigma_2$
• ...
• $U_n$ with $(pk_n, sk_n)$ → $m_n, \sigma_n$
• Verifier receives $(m_1, \sigma_1), \dots, (m_n, \sigma_n)$ and checks $\forall i$: Vfy$(pk_i, m_i, \sigma_i) \stackrel{?}{=} 1$

Better solution: aggregable signature scheme

• $U_1, \dots, U_n$ send $(m_1, \sigma_1), \dots, (m_n, \sigma_n)$ to the aggregator
• Aggregator sends $m_1, \dots, m_n, \sigma_{Agg}$ to the verifier
• Verifier checks Vfy$(pk_1, \dots, pk_n, m_1, \dots, m_n, \sigma_{Agg}) \stackrel{?}{=} 1$

• Algorithm that aggregates signatures
• $|\sigma_{Agg}| = |\sigma|$
• Vfy of single aggregated signature more efficient than Vfy of many single signatures

Aggregable signatures

Advantages and (potential) applications:
• Saves bandwidth/storage
• Aggregating signatures more efficient than signing huge dataset (perhaps over and over again)
• Applications:
  – Sensor networks
  – Secure logging
  – (Authenticating) databases
  – ...

BLS: aggregability

• $U_i$ has BLS keypair $(pk_i = (g, g^{x_i}),\ sk_i = x_i)$
• Signatures are of the form $\sigma_i = H(m_i)^{x_i}$
• Aggregator computes $\sigma_{Agg} = \prod_{i=1}^{n} \sigma_i$ and sends $(m_1, \dots, m_n, \sigma)$ to the verifier
• Aggregation is public computation, no secret key necessary

BLS: aggregability

$\sigma_{Agg} = \prod_{i=1}^{n} \sigma_i$

• Verification of aggregated signatures:
  $e(\sigma_{Agg}, g) \stackrel{?}{=} \prod_{i=1}^{n} e(H(m_i), g^{x_i})$
• Correctness:
  $e(\sigma_{Agg}, g) = e(\sigma_1, g) \cdot \ldots \cdot e(\sigma_n, g)$
  $= e(H(m_1)^{x_1}, g) \cdot \ldots \cdot e(H(m_n)^{x_n}, g)$
  $= \prod_{i=1}^{n} e(H(m_i), g^{x_i})$

BLS: aggregability

• Verification time approximately halved:
  – No aggregation: verifying $n$ signatures takes $2n$ pairing computations
  – Aggregated: verifying aggregated signature for $n$ messages takes $n + 1$ pairing computations
• Scheme with aggregation EUF-CMA secure
  – ... according to adapted EUF-CMA definition
  – Difference: allow aggregated forgery
  – Generalizes “ordinary” EUF-CMA

BLS: batch verification

Problem:
• $U$ with $(pk, sk)$ sends $(m_1, \sigma_1), \dots, (m_n, \sigma_n)$ to the verifier
• Verifier checks $\forall i$: Vfy$(pk_i, m_i, \sigma_i) \stackrel{?}{=} 1$

Solution: batch verification
• $\sigma_1, \dots, \sigma_n$ signatures for $m_1, \dots, m_n$
• $h = \prod_{i=1}^{n} H(m_i)$, $\sigma := \prod_{i=1}^{n} \sigma_i$
• Check $e(\sigma, g) \stackrel{?}{=} e(h, g^x)$
• Correctness: as with aggregation
• Only two pairing computations for $n$ signatures

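Aggregation and batch verification from the preceding slides, as an added example that is not part of the original lecture: BLS over a toy group with a counted pairing, showing the $n + 1$ and 2 pairing costs and that one invalid signature invalidates the aggregate. The group parameters, the toy hash `H`, the sample messages and keys, and all function names are constructed assumptions; the brute-force pairing only works at this toy size.

```python
import hashlib
from math import prod

P, Q, G = 1019, 2039, 4          # constructed toy group: order-P subgroup of Z_Q^*
_DLOG = {pow(G, k, Q): k for k in range(P)}   # brute-force table, toy sizes only
PAIRINGS = 0                     # number of pairing evaluations so far

def e(a, b):
    """Toy symmetric pairing e(g^a, g^b) = g^(a*b); G_T is modelled by the same subgroup."""
    global PAIRINGS
    PAIRINGS += 1
    return pow(G, _DLOG[a] * _DLOG[b] % P, Q)

def H(m):
    """Toy hash into the group (assumption of this sketch, not a secure hash-to-group)."""
    k = 1 + int.from_bytes(hashlib.sha256(m).digest(), "big") % (P - 1)
    return pow(G, k, Q)

def sign(x, m):
    return pow(H(m), x, Q)       # sigma = H(m)^x

def aggregate(sigs):
    return prod(sigs) % Q        # sigma_Agg = prod sigma_i, no secret key needed

def verify_aggregate(pks, msgs, sig_agg):
    """Check e(sigma_Agg, g) == prod_i e(H(m_i), g^x_i): n + 1 pairings."""
    rhs = prod(e(H(m), pk) for pk, m in zip(pks, msgs)) % Q
    return e(sig_agg, G) == rhs

def verify_batch(pk, msgs, sigs):
    """Single signer: check e(prod sigma_i, g) == e(prod H(m_i), g^x): 2 pairings."""
    h = prod(H(m) for m in msgs) % Q
    return e(prod(sigs) % Q, G) == e(h, pk)

def demo():
    global PAIRINGS
    msgs = [b"t=21.5", b"t=21.7", b"t=22.0"]   # constructed sensor readings
    xs = [101, 202, 303]                       # constructed secret keys
    pks = [pow(G, x, Q) for x in xs]
    sigs = [sign(x, m) for x, m in zip(xs, msgs)]
    PAIRINGS = 0
    ok = verify_aggregate(pks, msgs, aggregate(sigs))
    n_agg = PAIRINGS                           # n + 1 = 4
    bad = verify_aggregate(pks, msgs, aggregate(sigs[:2] + [sign(999, msgs[2])]))
    one = [sign(xs[0], m) for m in msgs]       # one signer, three messages
    PAIRINGS = 0
    batch_ok = verify_batch(pks[0], msgs, one)
    return ok, n_agg, bad, batch_ok, PAIRINGS
```
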
Research

• Different forms of aggregation
  – Sequential aggregation (→ Waters signatures), full aggregation (BLS), ...
  – Reason: weaker forms of aggregation easier to achieve (without RO)
• “Universal aggregators” (aggregation across signature schemes)
• Fault-tolerant aggregate signatures
  – Aggregating an invalid signature (and valid ones) invalidates aggregate
  – But: sometimes useful to be able to tell which message has invalid signature
  – → Vfy outputs list of valid signatures

Socrative

Self-checking with quizzes
• Use following URL: https://b.socrative.com/login/student
• ... and enter room “HOFHEINZ8872”
• Will also be in chat (so you can click on link)
• No registration necessary
• Quiz about CDH and BLS starts now!

Waters signatures

• Pairing-based signature
• EUF-CMA secure under CDH in standard model (w/o ROs)
• Tool: “programmable hash functions” (PHFs)

Note:
• Waters’ paper did not call this “PHFs”
• Abstraction only found later on
• PHFs make presentation more modular

Programmable hash functions

Motivation:
• RO proofs use programmability of RO (RSA-FDH, BLS, ...)
• Problem: ROs do not exist, leads to heuristic arguments
• Goal: imitate necessary programming operations with standard-model hash function

Programmable hash functions

Motivation, closer look:
• In BLS proof: $H(m)$ programmed in reduction so that
  – Most of the time, $H(m) = g^{y_i}$ for known $y_i$
  – Once, $H(m) = g^{y}$ for unknown $y$
• Can be viewed as “partitioning” set of messages $m$ into