Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn - PowerPoint PPT Presentation

Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-03-31 1

Outline Gennaro-Halevi-Rabin signatures Chameleon hash functions Digital Signatures 2020-03-31 2

RSA signatures so far: issues • Schemes so far: either inefficient, or only heuristic security (ROM) • Goal (hard!): EUF-CMA-secure signature scheme based on RSA. . . – that is efficient (i.e., usable in practice) – whose security requires no random oracles. • “Workaround”: Strong RSA assumption Digital Signatures 2020-03-31 3

Strong RSA assumption RSA problem: • given N , e and y ← Z N , find x ∈ Z N with x e ≡ y mod N . RSA assumption: • ∀ PPT A : � � N = P · Q , e ← Z ∗ ϕ ( N ) , y ← Z N , x ← A (1 k , N , e , y ) : x e ≡ y mod N Pr is negligible in k . Digital Signatures 2020-03-31 4

Strong RSA assumption Strong RSA problem: • given N and y ← Z N , find x ∈ Z N , e > 1 with x e ≡ y mod N . Strong RSA assumption: • ∀ PPT A : � � N = P · Q , y ← Z N , ( x , e ) ← A (1 k , N , y ) : x e ≡ y mod N ∧ e > 1 Pr is negligible in k . Digital Signatures 2020-03-31 4

Strong RSA: naming • Strong RSA assumption stronger assumption than RSA assumption – We give adversary more control, easier to win game – We assume that it’s still hard for adversary to win Digital Signatures 2020-03-31 5

Strong RSA: naming • Strong RSA assumption stronger assumption than RSA assumption – We give adversary more control, easier to win game – We assume that it’s still hard for adversary to win • But: strong RSA problem easier than RSA problem Digital Signatures 2020-03-31 5

Strong RSA: naming • Strong RSA assumption stronger assumption than RSA assumption – We give adversary more control, easier to win game – We assume that it’s still hard for adversary to win • But: strong RSA problem easier than RSA problem Strong RSA assumption ⇒ RSA assumption, converse implication not obvious at all Digital Signatures 2020-03-31 5

Gennaro-Halevi-Rabin signatures Let h : { 0, 1 } ∗ → P be a hash function ( P = primes) Digital Signatures 2020-03-31 6

Gennaro-Halevi-Rabin signatures Let h : { 0, 1 } ∗ → P be a hash function ( P = primes) Gen (1 k ) : • Choose N = P · Q , P , Q prime as with RSA • s ← Z N • We will assume ∀ m ∈ { 0, 1 } ∗ : gcd( h ( m ), ϕ ( N )) = 1 – Can be enforced, e.g., by letting h only output large primes • pk := ( N , s , h ) • sk := ( pk , ϕ ( N )) = ( pk , ( P − 1)( Q − 1)) Digital Signatures 2020-03-31 6

Gennaro-Halevi-Rabin signatures Let h : { 0, 1 } ∗ → P be a hash function ( P = primes) Gen (1 k ) : • Choose N = P · Q , P , Q prime as with RSA • s ← Z N • We will assume ∀ m ∈ { 0, 1 } ∗ : gcd( h ( m ), ϕ ( N )) = 1 – Can be enforced, e.g., by letting h only output large primes • pk := ( N , s , h ) • sk := ( pk , ϕ ( N )) = ( pk , ( P − 1)( Q − 1)) Sign ( sk , m ) : • σ := s 1 / h ( m ) mod N Digital Signatures 2020-03-31 6

Gennaro-Halevi-Rabin signatures Let h : { 0, 1 } ∗ → P be a hash function ( P = primes) Gen (1 k ) : • Choose N = P · Q , P , Q prime as with RSA • s ← Z N • We will assume ∀ m ∈ { 0, 1 } ∗ : gcd( h ( m ), ϕ ( N )) = 1 – Can be enforced, e.g., by letting h only output large primes • pk := ( N , s , h ) • sk := ( pk , ϕ ( N )) = ( pk , ( P − 1)( Q − 1)) Sign ( sk , m ) : • σ := s 1 / h ( m ) mod N Vfy ( pk , m , σ ) : σ h ( m ) ? ≡ s mod N Digital Signatures 2020-03-31 6

GHR signatures: security Theorem 70: For every PPT A that breaks the EUF-naCMA security of Σ in time t A with success ǫ A , there is a PPT B that runs in time t B ≈ t A and which • either breaks the collision-resistance of h with success ǫ coll ≥ ǫ A / 2, • or solves the strong RSA problem with success ǫ sRSA ≥ ǫ A / 2. Digital Signatures 2020-03-31 7

GHR signatures: proof EUF-naCMA: Denote with m 1 , ... , m q the signature queries, and with ( m ∗ , σ ∗ ) the forgery of A Two possibilities: • E 0 : A successful and there is an m i with h ( m i ) = h ( m ∗ ). • E 1 : A successful and for all i ∈ { 1, ... , q } , we have h ( m i ) � = h ( m ∗ ) Digital Signatures 2020-03-31 8

GHR signatures: proof EUF-naCMA: Denote with m 1 , ... , m q the signature queries, and with ( m ∗ , σ ∗ ) the forgery of A Two possibilities: • E 0 : A successful and there is an m i with h ( m i ) = h ( m ∗ ). • E 1 : A successful and for all i ∈ { 1, ... , q } , we have h ( m i ) � = h ( m ∗ ) Successful A causes E 0 or E 1 , hence ǫ A ≤ Pr[ E 0 ] + Pr[ E 1 ] ⇒ Pr[ E 0 ] ≥ ǫ A / 2 or Pr[ E 1 ] ≥ ǫ A / 2 Digital Signatures 2020-03-31 8

GHR signatures: proof – event E 0 E 0 : There is an m i with h ( m i ) = h ( m ∗ ). • m i and m ∗ form an h -collision. • Reduce to the collision-resistance of h . • Reduction B gets as input h , chooses ( pk , sk ) ← Gen (1 k ), runs A , . . . Digital Signatures 2020-03-31 9

GHR signatures: proof – event E 1 E 1 : For all i ∈ { 1, ... , q } , we have h ( m i ) � = h ( m ∗ ). • Reduce to strong RSA assumption. • Assume for contradiction: there is a PPT A that breaks EUF-naCMA, . . . • . . . construct B that breaks strong RSA. . . Digital Signatures 2020-03-31 10

GHR signatures: proof – event E 1 E 1 : For all i ∈ { 1, ... , q } , we have h ( m i ) � = h ( m ∗ ). • Reduce to strong RSA assumption. • Assume for contradiction: there is a PPT A that breaks EUF-naCMA, . . . • . . . construct B that breaks strong RSA. . . • B gets as input ( N , y ) and needs to find ( x , e ) with – e > 1 – x e ≡ y mod N . Digital Signatures 2020-03-31 10

GHR signatures: sRSA reduction Recall: Gen (1 k ) : s ← Z N pk := ( N , s , h ) sk := ( pk , ϕ ( N )) σ = s 1 / h ( m ) mod N • B uses ( N , y ) and sets up s := y Π i ∈{ 1,..., q } h ( m i ) mod N Digital Signatures 2020-03-31 11

GHR signatures: sRSA reduction Recall: Gen (1 k ) : s ← Z N pk := ( N , s , h ) sk := ( pk , ϕ ( N )) σ = s 1 / h ( m ) mod N • B uses ( N , y ) and sets up s := y Π i ∈{ 1,..., q } h ( m i ) mod N (gcd( h ( m ), ϕ ( N )) = 1 ensures that s “well-distributed”, i.e., uniform over Z N !) Digital Signatures 2020-03-31 11

GHR signatures: sRSA reduction Recall: Gen (1 k ) : s ← Z N pk := ( N , s , h ) sk := ( pk , ϕ ( N )) σ = s 1 / h ( m ) mod N • B uses ( N , y ) and sets up s := y Π i ∈{ 1,..., q } h ( m i ) mod N (gcd( h ( m ), ϕ ( N )) = 1 ensures that s “well-distributed”, i.e., uniform over Z N !) • Signature for m j : σ j := y Π i ∈{ 1,..., q }\{ j } h ( m i ) mod N Digital Signatures 2020-03-31 11

GHR signatures: sRSA reduction – forgery E 1 occurs: A outputs valid forgery ( m ∗ , σ ∗ ) with • h ( m ∗ ) � = h ( m i ) for all i ∈ { 1, ... , q } , and • ( σ ∗ ) h ( m ∗ ) ≡ s ≡ y Π i ∈{ 1,..., q } h ( m i ) mod N Additionally, we have gcd( h ( m ∗ ), Π i ∈{ 1,..., q } h ( m i )) = 1, since h maps to prime numbers, and since E 1 occurred. Digital Signatures 2020-03-31 12

GHR signatures: use Shamir’s trick ( σ ∗ ) h ( m ∗ ) ≡ s ≡ y Π i ∈{ 1,..., q } h ( m i ) mod N Digital Signatures 2020-03-31 13

GHR signatures: use Shamir’s trick ( σ ∗ ) h ( m ∗ ) ≡ s ≡ y Π i ∈{ 1,..., q } h ( m i ) mod N Lemma 31: Let J , S ∈ Z N and e , f ∈ Z with • gcd( e , f ) = 1 • J f ≡ S e mod N . N × Z 2 it is possible to Then, given N ∈ Z und ( J , S , e , f ) ∈ Z 2 efficiently compute x ∈ Z N with x e ≡ J mod N . Digital Signatures 2020-03-31 13

GHR signatures: use Shamir’s trick ( σ ∗ ) h ( m ∗ ) ≡ s ≡ y Π i ∈{ 1,..., q } h ( m i ) mod N Lemma 31: Let J , S ∈ Z N and e , f ∈ Z with • gcd( e , f ) = 1 • J f ≡ S e mod N . N × Z 2 it is possible to Then, given N ∈ Z und ( J , S , e , f ) ∈ Z 2 efficiently compute x ∈ Z N with x e ≡ J mod N . x h ( m ∗ ) ≡ y mod N Hence: ( x , h ( m ∗ )) is the desired sRSA solution Digital Signatures 2020-03-31 13

Goal: EUF-CMA from (non-strong) RSA • In Chapter 4.4 of lecture notes (not here) • There: construction of EUF-CMA signatures from RSA (no ROM!) • Very high-level overview: – Show: GHR selectively secure under RSA assumption ( A needs to commit to all m i and m ∗ before seeing pk ) – Transformation: selective security → EUF-naCMA – Leads to EUF-naCMA-secure Hohenberger-Waters signatures – Transformation: EUF-naCMA → EUF-CMA – Result: compact signatures, not very efficient (like GHR) Digital Signatures 2020-03-31 14

Open problems • Construction of efficient EUF-CMA secure signatures from RSA – Hohenberger-Waters not very efficient – Many exponentiations, need to find many primes • Construction of compact EUF-CMA secure signatures from factoring assumption Digital Signatures 2020-03-31 15

Socrative Self-checking with quizzes • Use following URL: https://b.socrative.com/login/student • . . . and enter room “HOFHEINZ8872” • Will also be in chat (so you can click on link) • No registration necessary • First quiz (about the GHR signature scheme) starts now! Digital Signatures 2020-03-31 16

Chameleon signatures: motivation Dealer 1 Customer Dealer 2

Chameleon signatures: motivation Dealer 1 ? r e f f O 100$, σ 1 Customer Dealer 2