Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-05-19 1
Outline
• Waters signatures
• Overview over course topics
• General remarks

Recap: Waters signatures
• $\mathsf{Gen}(1^k)$:
  – $g^\alpha \leftarrow G$, $\kappa \leftarrow \mathsf{Gen}_{\mathsf{PHF}}(1^k)$.
  – $sk = g^\alpha$, $pk = (g, \kappa, e(g, g^\alpha))$.
• $\mathsf{Sign}(sk, m)$: choose $r \leftarrow \mathbb{Z}_p$. Compute $\sigma_1 := g^r$ and $\sigma_2 := g^\alpha \cdot H_\kappa(m)^r$. Set $\sigma = (\sigma_1, \sigma_2)$.
• $\mathsf{Vfy}(pk, m, \sigma)$: check $e(g, \sigma_2) \stackrel{?}{=} e(g, g)^\alpha \cdot e(\sigma_1, H_\kappa(m))$.

Recap: security of Waters signatures
Theorem (99). Let $H$ be a $(1, q, \gamma)$-PHF for any polynomial $q$. Then
• for every adversary $A$ that breaks the EUF-CMA security of Waters’ scheme with success $\epsilon_A$ in time $t_A$ with at most $q$ signature queries,
• there is an adversary $B$ that breaks CDH in $G$ in time $t_B \approx t_A$ with success $\epsilon_B \geq \gamma \cdot \epsilon_A$.

Waters: summary
• Less efficient than BLS signatures (+1 group element)
• But: proof in standard model, PHFs central tool
  – Historical context: Waters IBE (2005) = Boneh-Boyen IBE (2004) + PHFs
• PHFs influential, many “partitioning proofs” with similar techniques

Current research
• Better PHFs (but inherent combinatorial limitations)
• Different partitioning techniques (→ tight security)
• Tradeoff: more efficiency ↔ weaker assumptions
• (With pairings:) identity-based encryption → attribute-based encryption → functional encryption

Socrative
Self-checking with quizzes
• Last time
• Use following URL: https://b.socrative.com/login/student
• ... and enter room “HOFHEINZ8872”
• Will also be in chat (so you can click on link)
• No registration necessary
• Quiz about Waters signatures starts now!

Introduction
Goal: “Digital version of physical signature.”
We want:
• Authenticity
  – Document signed by specific person/entity
• Integrity
  – Signed document not changed after signing

Definition: digital signature scheme
Def. 1 (Digital signature scheme): A digital signature scheme is a tuple $\Sigma = (\mathsf{Gen}, \mathsf{Sign}, \mathsf{Vfy})$ of probabilistic polynomial-time algorithms:
• $\mathsf{Gen}(1^k) \to (pk, sk)$ ($k \in \mathbb{N}$ security parameter → asymptotic definition)
• $\mathsf{Sign}(sk, m) \to \sigma$ (with $m \in \{0, 1\}^*$)
• $\mathsf{Vfy}(pk, m, \sigma) \in \{0, 1\}$ (intuitively: 1 iff $\sigma$ valid)
Correctness: “the scheme works.”

Security
• Concrete security definition combines two things:
  – Adversarial capabilities (e.g., naCMA, CMA)
  – Adversarial goal (e.g., EUF, sEUF, UUF)
• Definition by security experiment (e.g., EUF-CMA)
• We need assumptions (no unconditionally secure schemes)!

Hash-then-Sign
• Goal: extend message space of signature scheme
• Idea: sign $H(m)$ instead of $m$
  – $H$ collision-resistant hash function
• This modification preserves security
• Sometimes even improves security (RSA-FDH)

One-time signatures
• Stepping stone towards construction of signature schemes
• Remain secure if one signature is known (EUF-1-CMA/EUF-1-naCMA)
• Constructions based on ...
  – ... one-way functions (Lamport)
  – ... hardness of discrete logarithm problem
  – ... hardness of RSA problem
  – (first encounter with Shamir’s trick)

Transformations
• ... from EUF-(1-)naCMA to EUF-(1-)CMA security
  pk 1 , pk 1 , σ (1)
  – Trick: σ = ( σ ′ m )
  – Reduction(s) to two assumptions
• ... from EUF-1-CMA to EUF-CMA security
  – Use binary tree of hash functions (one-time signatures)
  – Each node authenticates/signs the two child nodes
  – Every leaf used only once (to sign message)

RSA-based schemes
• Textbook RSA ($\sigma = m^d \bmod N$): don’t use this!
• PKCS #1 v1.5 (“naive” padding of $m$): security unclear
• RSA-FDH ($\sigma = H(m)^d \bmod N$): secure in ROM
• RSA-PSS (clever padding of $m$): secure in ROM
  – Better concrete security guarantees than RSA-FDH
  – → Better parameter choices, more efficiency
  – Many $\sigma$ for each $m$, reduction knows only one
• GHR: standard-model proof under stronger assumption

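
Why textbook RSA fails EUF-CMA while the hashed variant blocks the same algebra, as an added example that is not part of the original slides. The toy key, the sample messages, the SHAKE-256 stand-in for the random oracle and all function names are assumptions.

```python
import hashlib

# Constructed toy key from two Mersenne primes; far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # secret exponent d


def textbook_sign(m: int) -> int:
    return pow(m, D, N)  # sigma = m^d mod N


def textbook_verify(m: int, sig: int) -> bool:
    return pow(sig, E, N) == m % N


def fdh(msg: bytes) -> int:
    # Stand-in for the random oracle H: {0,1}* -> Z_N (SHAKE-256 output reduced mod N).
    return int.from_bytes(hashlib.shake_256(msg).digest(32), "big") % N


def fdh_sign(msg: bytes) -> int:
    return pow(fdh(msg), D, N)  # sigma = H(m)^d mod N


def fdh_verify(msg: bytes, sig: int) -> bool:
    return pow(sig, E, N) == fdh(msg)


def malleability_check() -> dict:
    m1, m2 = 1234567, 7654321  # constructed sample messages
    s1, s2 = textbook_sign(m1), textbook_sign(m2)
    # Textbook RSA is multiplicative: s1*s2 verifies for m1*m2,
    # a message the signer never signed.
    textbook_product = textbook_verify(m1 * m2 % N, s1 * s2 % N)
    # No signing query needed: any sigma is a valid signature on sigma^e mod N.
    sigma = 42
    textbook_key_only = textbook_verify(pow(sigma, E, N), sigma)
    # RSA-FDH: the product matches H(a)*H(b), which is not the hash of a known message.
    a, b = b"pay alice 10", b"pay bob 20"
    t = fdh_sign(a) * fdh_sign(b) % N
    fdh_product = any(fdh_verify(x, t) for x in (a, b, a + b, b + a))
    return {"textbook_product": textbook_product,
            "textbook_key_only": textbook_key_only,
            "fdh_honest": fdh_verify(a, fdh_sign(a)),
            "fdh_product": fdh_product}


if __name__ == "__main__":
    print(malleability_check())
```
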
Chameleon hash functions
• Hash function with trapdoor (to find collisions)
• Can be viewed as one-time signature schemes
• Constructions based on DLog and RSA
  – Essentially same as DLog-/RSA-based one-time sigs
• Immediate application: chameleon signatures
• Technical application: EUF-CMA → sEUF-CMA
  – CHFs resolve circular dependency in construction

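
A DLog-based chameleon hash with its trapdoor collision finder, as an added example that is not part of the original slides. It assumes the standard construction $CH(m, r) = g^m h^r$ with $h = g^x$; the toy group, sample values and function names are assumptions.

```python
# Constructed toy group: the order-ORD subgroup of Z_MOD^* (MOD = 2*ORD + 1),
# generated by G. Far too small for real use.
MOD, ORD, G = 2039, 1019, 4


def keygen(x: int):
    """Trapdoor x in Z_ORD^*, public key h = g^x."""
    return pow(G, x, MOD), x


def ch(h: int, m: int, r: int) -> int:
    """CH(m, r) = g^m * h^r; m, r in Z_ORD (hash longer messages into Z_ORD first)."""
    return pow(G, m % ORD, MOD) * pow(h, r % ORD, MOD) % MOD


def collide(x: int, m: int, r: int, m_new: int) -> int:
    """With the trapdoor: find r_new such that CH(m_new, r_new) = CH(m, r).
    Solves m + x*r = m_new + x*r_new (mod ORD) for r_new."""
    return (r + (m - m_new) * pow(x, -1, ORD)) % ORD


def extract_trapdoor(m: int, r: int, m2: int, r2: int) -> int:
    """Any collision with m != m2 reveals x = (m - m2) / (r2 - r) mod ORD,
    so finding collisions without the trapdoor is as hard as computing log_g h."""
    return (m - m2) * pow((r2 - r) % ORD, -1, ORD) % ORD


def demo():
    h, x = keygen(777)            # constructed sample trapdoor
    m, r, m_new = 100, 123, 200   # constructed sample messages and randomness
    r_new = collide(x, m, r, m_new)
    return ch(h, m, r), ch(h, m_new, r_new), extract_trapdoor(m, r, m_new, r_new)


if __name__ == "__main__":
    print(demo())
```
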
Pairing-based signatures
• Pairing: bilinear map $e: G_1 \times G_2 \to G_T$
• Allows one multiplication in exponent
  – Price: moving to a different group ($G_T$)
• Allows tripartite key exchange
• BLS signatures: $pk = g^x$, $\sigma = H(m)^x$
  – Pairing helps to verify signatures
  – Proof under CDH in ROM, similar to RSA-FDH

Programmable hashing and Waters signatures
• Programmable hash functions: mimic ROM (but without oracles)
• Tool to obtain ROM-like proofs in standard model
• PHF is hash function $H: \{0, 1\}^\ell \to G$ with trapdoor
• Trapdoor allows to explain $H(m)$ as $H(m) = h^{a_m} g^{b_m}$
• Hope that $a_m \neq 0$ most of the time, $a_m = 0$ sometimes
• Leads to Waters signatures:
  – Here, reduction can sign iff $a_m \neq 0$

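
How the trapdoor explains $H(m) = h^{a_m} g^{b_m}$ and lets the reduction sign exactly when $a_m \neq 0$, as an added example that is not part of the original slides. It assumes Waters' hash $H_\kappa(m) = u_0 \prod_{i: m_i = 1} u_i$ and the usual simulation step from the CDH reduction; the toy group, the distribution of the $a_i$ and all function names are assumptions.

```python
import random

# Constructed toy group: order-ORD subgroup of Z_MOD^* generated by G (far too small for real use).
MOD, ORD, G = 2039, 1019, 4
ELL = 8  # message length in bits


def bits(m: int):
    return [(m >> i) & 1 for i in range(ELL)]


def trapdoor_gen(h: int, rng: random.Random):
    """kappa = (u_0..u_ELL) with u_i = h^{a_i} g^{b_i}; trapdoor = (a, b).
    Assumed distribution: a_i in {-1, 0, 1}, b_i uniform in Z_ORD."""
    a = [rng.choice((-1, 0, 1)) for _ in range(ELL + 1)]
    b = [rng.randrange(ORD) for _ in range(ELL + 1)]
    kappa = [pow(h, ai % ORD, MOD) * pow(G, bi, MOD) % MOD for ai, bi in zip(a, b)]
    return kappa, (a, b)


def H(kappa, m: int) -> int:
    """H_kappa(m) = u_0 * prod_{i : m_i = 1} u_i."""
    out = kappa[0]
    for u, bit in zip(kappa[1:], bits(m)):
        if bit:
            out = out * u % MOD
    return out


def explain(td, m: int):
    """Trapdoor evaluation: (a_m, b_m) with H(m) = h^{a_m} g^{b_m}."""
    a, b = td
    a_m = a[0] + sum(ai for ai, bit in zip(a[1:], bits(m)) if bit)
    b_m = b[0] + sum(bi for bi, bit in zip(b[1:], bits(m)) if bit)
    return a_m, b_m % ORD


def simulate_sign(gx: int, h: int, td, m: int, rng: random.Random):
    """Reduction's signer for the implicit key sk = g^{xy}, given only gx = g^x and h = g^y.
    Implicit randomness r = s - x/a_m; returns None when a_m = 0."""
    a_m, b_m = explain(td, m)
    if a_m == 0:
        return None
    s = rng.randrange(ORD)
    sigma1 = pow(G, s, MOD) * pow(gx, -pow(a_m % ORD, -1, ORD) % ORD, MOD) % MOD
    sigma2 = pow(h, a_m * s % ORD, MOD) * pow(sigma1, b_m, MOD) % MOD
    return sigma1, sigma2
```

The pair returned by `simulate_sign` satisfies $\sigma_1 = g^r$, $\sigma_2 = g^{xy} \cdot H_\kappa(m)^r$, the same shape as an honest Waters signature, although $g^{xy}$ is never computed.
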
General remarks
• Exam: concepts important, also proof strategies/tricks
  – Exam is discussion, goal: find out if you understood things
• Lecture: interaction very much appreciated, thank you!
• Similar courses/parts of courses/labs on the way
• <blink> OPPORTUNITY </blink>
  – Your feedback influences future course design!