Digital Signatures, Dennis Hofheinz (slides based on slides by Björn Kaidel)


  1. Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel) Digital Signatures 2020-02-25 1

  2. Outline
     • Recap: security experiments
     • Message space extension
     • One-time signatures
     • One-time signatures from one-way functions

  3. Security definitions
     Security definition $\hat{=}$ adversarial goal + adversarial capabilities
     Interesting combinations:
     • EUF-CMA
     • EUF-naCMA

  4. Security experiments
     Tool to formalize security definitions: security experiments
     Interactive process between two parties:
     • Adversary $A$
     • Challenger $C$
     • $A$ plays against $C$
     • $A$ wins iff he reaches his goal.

  5. Security definitions
     Current research:
     • Leakage resilience (what if adversary gets to see parts of signing key?)
     • Functional signatures (signing keys limited to certain messages)
     • Aggregatable signatures (combine many signatures into one short one)
     • Many-user scenario (only asymptotically equivalent to one-user scenario)
     • Different key infrastructures (secret-key, identity-based, certificateless, ...)

  6. Message space extension
     Easier (and common) to construct signatures with small message space, e.g.,
     • $\mathbb{Z}_p = \{0, \dots, p-1\}$, $p$ prime
     • $\{0,1\}^{q(k)}$, $q$ polynomial, $k$ security parameter
     Goal: signatures with larger message space, e.g., $\{0,1\}^*$

  9. Hash functions
     Def. 14 (Cryptographic hash function): A (cryptographic) hash function $H = (\mathsf{Gen}_H, \mathsf{Eval}_H)$ consists of two PPT algorithms:
     • $\mathsf{Gen}_H(1^k)$ outputs a parameter $t$ that defines a function $H_t : \{0,1\}^* \to M_t$
     • $\mathsf{Eval}_H(1^k, t, x)$ computes $H_t(x)$.
     Notation: $H$ instead of $t$, $H(x)$ for $\mathsf{Eval}_H(1^k, t, x)$.

  10. Collision resistance
     Def. 15 (Collision resistance): A hash function $H = (\mathsf{Gen}_H, \mathsf{Eval}_H)$ is collision-resistant iff for $t \leftarrow \mathsf{Gen}_H(1^k)$ and all PPT $A$ we have that
     $$\Pr[A(1^k, t) = (x, x') : H_t(x) = H_t(x') \wedge x \neq x']$$
     is negligible.

  11. Construction: signatures with unbounded message space
     Assume
     • $\Sigma' = (\mathsf{Gen}', \mathsf{Sign}', \mathsf{Vfy}')$ with message space $M$
     • collision-resistant hash function $H : \{0,1\}^* \to M$
     Construct digital signature scheme $\Sigma = (\mathsf{Gen}, \mathsf{Sign}, \mathsf{Vfy})$ with unbounded message space:
     • Ideas?

  12. Construction: signatures with unbounded message space
     Assume
     • $\Sigma' = (\mathsf{Gen}', \mathsf{Sign}', \mathsf{Vfy}')$ with message space $M$
     • collision-resistant hash function $H : \{0,1\}^* \to M$
     Construct digital signature scheme $\Sigma = (\mathsf{Gen}, \mathsf{Sign}, \mathsf{Vfy})$ with unbounded message space:
     • $\mathsf{Gen}(1^k)$ computes $(pk, sk) \leftarrow \mathsf{Gen}'(1^k)$
     • $\mathsf{Sign}(sk, m)$ computes $\sigma \leftarrow \mathsf{Sign}'(sk, H(m))$
     • $\mathsf{Vfy}(pk, m, \sigma)$ outputs $\mathsf{Vfy}'(pk, H(m), \sigma)$.

  13. Security of the construction
     Theorem 17: For every EUF-CMA adversary $A$ on $\Sigma$ with runtime $t_A$ and success probability $\epsilon_A$, there are adversaries $B_1$, $B_2$ with runtime $t_B \approx t_A$ such that
     • $B_1$ breaks the collision resistance of $H$ with probability $\geq \epsilon_A / 2$,
     • or $B_2$ breaks the EUF-CMA security of $\Sigma'$ with probability $\geq \epsilon_A / 2$.

  16. Security of the construction
     Proof idea:
     • Observation:
       – whenever $A$ successfully forges a signature $\sigma$ for a message $m$, then
       – $\sigma$ is a $\Sigma'$-signature for $H(m)$.
     • Furthermore, either
       1. $H(m)$ has been signed before (i.e., $H(m) = H(m_i)$ for one of $A$'s previous signature queries $m_i$), or
       2. $H(m)$ has never been $\Sigma'$-signed before.
       In first case, $A$ found $H$-collision, in second case $A$ broke $\Sigma'$. One of the cases must occur with probability at least 1/2.
     • Details (construction of $B_1$, $B_2$): blackboard.

  17. Hash-then-Sign
     • Construction is called Hash-then-Sign
     • Relevant in theory and practice

  18. Hash functions: current research
     • Hash functions with special properties
       – Chameleon hashing (upcoming)
       – Hash functions that behave like random functions
     • Finding good hash functions
       – MD5, SHA-1 cryptanalyses
       – SHA-3 standardization 2015

  19. Hash functions: current research
     “Nontrivial” SHA-1 collisions:

  20. One-time signatures
     • General goal: signature schemes that can sign many messages
     • Partial goal: signature schemes that can (securely) sign only one message (one-time signatures)
     • Can be used on many messages ...
     • ... but may become insecure then!
     • Security guarantees only when at most one message is signed

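  21. EUF-1-CMA & EUF-1-naCMA
     EUF-1-CMA (challenger $C$, adversary $A$):
     • $C \to A$: $pk$
     • $A \to C$: $m$
     • $C \to A$: $\sigma$
     • $A \to C$: $m^*, \sigma^*$
     EUF-1-naCMA (challenger $C$, adversary $A$):
     • $A \to C$: $m$
     • $C \to A$: $pk, \sigma$
     • $A \to C$: $m^*, \sigma^*$
     In both experiments $C$ checks: $\mathsf{Vfy}(pk, m^*, \sigma^*) = 1 \wedge m^* \neq m$?
     Rest (Def., winning condition): as with EUF-CMA/-naCMA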

  22. Why one-time signatures?
     • Useful building block for other and more secure schemes
     • Comparatively easy to construct

  23. One-way functions
     One-way function $f : \{0,1\}^* \to \{0,1\}^*$
     Idea:
     • Given $x \in \{0,1\}^*$, easy to compute $f(x)$
     • Given $y = f(x)$, hard to compute any $x'$ in $f^{-1}(y)$
     Note: One-way functions fundamental primitive (imply much of secret-key cryptography)

  26. One-way functions: security experiment
     Challenger $C_{\text{one-way}}$, adversary $A$:
     • $C$ chooses $x \leftarrow \{0,1\}^k$ and sets $y := f(x)$
     • $C \to A$: $y$
     • $A \to C$: $x'$
     • $C$ checks: $f(x') = y$?
     $A$ wins iff $f(x') = y$. Note: possibly $x' \neq x$!

  27. One-way function (definition)
     Def. 22 (One-way function): A function $f$ is one-way iff $f$ is computable in polynomial time, and for all PPT $A$,
     $$\Pr\left[x \leftarrow \{0,1\}^k,\ x' \leftarrow A(1^k, f(x)) : f(x') = f(x)\right]$$
     is negligible.

  29. Existence of one-way functions
     • If one-way functions exist, then $P \neq NP$
     • Realistically: constructions of one-way functions require assumptions
     Candidates:
     • Exponentiation $x \mapsto g^x$ in suitable groups
     • RSA function $x \mapsto x^e \bmod N$ for $N = PQ$, primes $P$, $Q$, random $e$

  32. Lamport’s one-time signatures
     $\Sigma = (\mathsf{Gen}, \mathsf{Sign}, \mathsf{Vfy})$
     • Message space $\{0,1\}^n$, $n = n(k)$
     • One-way function $f$
     $\mathsf{Gen}(1^k)$:
     • Choose $x_{1,0}, x_{1,1}, \dots, x_{n,0}, x_{n,1}$ uniformly from $\{0,1\}^k$
     • $\forall j \in \{1, \dots, n\}$: $y_{j,0} := f(x_{j,0})$ and $y_{j,1} := f(x_{j,1})$
     $$sk = \begin{pmatrix} x_{1,0} & \dots & x_{n,0} \\ x_{1,1} & \dots & x_{n,1} \end{pmatrix} \qquad pk = \begin{pmatrix} y_{1,0} & \dots & y_{n,0} \\ y_{1,1} & \dots & y_{n,1} \end{pmatrix}$$

  33. Lamport’s one-time signatures (2)
     $$sk = \begin{pmatrix} x_{1,0} & \dots & x_{n,0} \\ x_{1,1} & \dots & x_{n,1} \end{pmatrix} \qquad pk = \begin{pmatrix} y_{1,0} & \dots & y_{n,0} \\ y_{1,1} & \dots & y_{n,1} \end{pmatrix}$$
     $\mathsf{Sign}(sk, m)$: Ideas?

  34. Lamport’s one-time signatures (2)
     $$sk = \begin{pmatrix} x_{1,0} & \dots & x_{n,0} \\ x_{1,1} & \dots & x_{n,1} \end{pmatrix} \qquad pk = \begin{pmatrix} y_{1,0} & \dots & y_{n,0} \\ y_{1,1} & \dots & y_{n,1} \end{pmatrix}$$
     $\mathsf{Sign}(sk, m)$:
     • $m = m_1 \| m_2 \| \dots \| m_n \in \{0,1\}^n$
     • $\sigma = (x_{1,m_1}, x_{2,m_2}, \dots, x_{n,m_n})$
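
The Hash-then-Sign construction (slide 12) applied to Lamport's Gen and Sign (slide 34), as an added example that is not part of the original slides, so that arbitrary byte strings can be signed with an n-bit one-time scheme. Assumptions: SHA-256 stands in for both the one-way function f and the hash H, k = n = 256, all function names are illustrative, and the verification check is the standard one for Lamport signatures, which the slides above do not show.

```python
import hashlib
import secrets

K = 32   # length of each secret x_{j,b} in bytes (assumed k = 256 bits)
N = 256  # Lamport message length n in bits, chosen to match H's output

def f(x):
    # Stand-in for the one-way function f (assumption: SHA-256).
    return hashlib.sha256(b"f:" + x).digest()

def H(m):
    # Stand-in for the collision-resistant hash H: {0,1}* -> {0,1}^n,
    # returned as a list of n bits m_1 ... m_n.
    digest = hashlib.sha256(b"H:" + m).digest()
    return [(byte >> (7 - i)) & 1 for byte in digest for i in range(8)]

def gen():
    # Gen: sk[j] = (x_{j,0}, x_{j,1}) uniform, pk[j] = (f(x_{j,0}), f(x_{j,1})).
    sk = [(secrets.token_bytes(K), secrets.token_bytes(K)) for _ in range(N)]
    pk = [(f(x0), f(x1)) for x0, x1 in sk]
    return pk, sk

def lamport_sign(sk, bits):
    # Sign': sigma = (x_{1,m_1}, ..., x_{n,m_n}).
    if len(bits) != N:
        raise ValueError("message must be exactly n bits")
    return [sk[j][b] for j, b in enumerate(bits)]

def lamport_verify(pk, bits, sigma):
    # Vfy' (standard check, not shown on the slides): f(sigma_j) == y_{j,m_j}.
    if len(bits) != N or len(sigma) != N:
        return False
    return all(f(s) == pk[j][b] for j, (b, s) in enumerate(zip(bits, sigma)))

def sign(sk, m):
    # Hash-then-Sign: Sign(sk, m) = Sign'(sk, H(m)).
    return lamport_sign(sk, H(m))

def verify(pk, m, sigma):
    # Hash-then-Sign: Vfy(pk, m, sigma) = Vfy'(pk, H(m), sigma).
    return lamport_verify(pk, H(m), sigma)

if __name__ == "__main__":
    pk, sk = gen()  # a fresh key pair is needed for every message
    sig = sign(sk, b"constructed sample message")
    print(verify(pk, b"constructed sample message", sig))
    print(verify(pk, b"a different message", sig))
```

Each key pair from `gen()` must sign at most one message, matching the one-time guarantee on slide 20.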
