Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn - PowerPoint PPT Presentation

Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel) Digital Signatures 2020-02-18 1

Outline Logistics Overview Introduction Definition Security Security experiments Formal security definition Relations among security definitions Digital Signatures 2020-02-18 2

Organization • Lecture: Tuesdays, 10:00-12:00, ML E12 • Exam: oral, 15 minutes • Contact: hofheinz@inf.ethz.ch • Speaking hours: whenever my door (CAB H33.3) is open • Website: todo Digital Signatures 2020-02-18 3

Supporting materials • Lecture notes (German) by Tibor Jager: https://www.tiborjager.de/DigitaleSignaturen.pdf • Book “Digital Signatures” by Jonathan Katz • Slides (on website) and occasional whiteboard writeup Digital Signatures 2020-02-18 4

Overview • What are (digital) signatures? • Which security properties do we want from signatures? • How do we construct and prove signatures? • Outlook towards current research Digital Signatures 2020-02-18 5

Content • Motivation/definitions • One-time signatures → tree-based signatures • RSA-based signatures • Interlude: chameleon hashing • Pairing-based signatures • . . . (?) Not here: “symmetric signatures” (MACs) Digital Signatures 2020-02-18 6

Motivation • Goal: “Digital analogue of (physical) signatures.” • What do we want to sign? Bitstrings from { 0, 1 } ∗ • Examples: code/programs, websites, emails, . . . • Technical goals: – Authenticity: document is actually signed by that person – Integrity: document has not been changed since signing (desirable, but not actually guaranteed by physical signatures) Digital Signatures 2020-02-18 7

What are signature schemes? Informally: • Asymmetric cryptographic mechanisms • Every participant has a keypair ( pk , sk ) • Secret key sk used to sign (a message m ), result: signature σ • Public/verification key pk allows to verify that σ is valid for m Digital Signatures 2020-02-18 8

Signatures are no. . . Signatures are no encryption schemes • Signatures do not hide m (use encryption for that) Digital Signatures 2020-02-18 9

Signatures are no. . . Signatures are no encryption schemes • Signatures do not hide m (use encryption for that) Signatures are no “inverse” public-key encryption schemes • As in: signing=decrypting, verifying=encrypting • Works (to some extent) for RSA, but not for other schemes Digital Signatures 2020-02-18 9

Applications of signatures Ideas? Digital Signatures 2020-02-18 10

Applications of signatures • Program updates/apps • E-commerce (signed websites) • Certificates (digitally signed signature/encryption keys) • Identity cards • Building block in more complex cryptographic systems • . . . Digital Signatures 2020-02-18 10

Definition: digital signature scheme Def. 1: (Digital signature scheme) A digital signature scheme is a tuple Σ = ( Gen , Sign , Vfy ) of probabilistic polynomial-time algorithms: Digital Signatures 2020-02-18 11

Definition: digital signature scheme Def. 1: (Digital signature scheme) A digital signature scheme is a tuple Σ = ( Gen , Sign , Vfy ) of probabilistic polynomial-time algorithms: • Gen (1 k ) → ( pk , sk ) ( k ∈ N security parameter → asymptotic definition) Digital Signatures 2020-02-18 11

Definition: digital signature scheme Def. 1: (Digital signature scheme) A digital signature scheme is a tuple Σ = ( Gen , Sign , Vfy ) of probabilistic polynomial-time algorithms: • Gen (1 k ) → ( pk , sk ) ( k ∈ N security parameter → asymptotic definition) • Sign ( sk , m ) → σ (with m ∈ { 0, 1 } ∗ ) Digital Signatures 2020-02-18 11

Definition: digital signature scheme Def. 1: (Digital signature scheme) A digital signature scheme is a tuple Σ = ( Gen , Sign , Vfy ) of probabilistic polynomial-time algorithms: • Gen (1 k ) → ( pk , sk ) ( k ∈ N security parameter → asymptotic definition) • Sign ( sk , m ) → σ (with m ∈ { 0, 1 } ∗ ) • Vfy ( pk , m , σ ) ∈ { 0, 1 } (intuitively: 1 iff σ valid) Digital Signatures 2020-02-18 11

Correctness Correctness: “The scheme works.” Formally: ∀ k ∀ ( pk , sk ) ← Gen (1 k ) ∀ m : Vfy ( pk , m , Sign ( sk , m )) = 1. Digital Signatures 2020-02-18 12

Digitale Signaturen: Soundness Soundness: “The scheme is secure.” Formally: Digital Signatures 2020-02-18 13

Digitale Signaturen: Soundness Soundness: “The scheme is secure.” Formally: • What is security? • We need a definition! Digital Signatures 2020-02-18 13

Security • Concrete security definition combines two things: – Adversarial capabilities – Adversarial goal Digital Signatures 2020-02-18 14

Security • Concrete security definition combines two things: – Adversarial capabilities – Adversarial goal • Now: overview • Later: formal definitions Digital Signatures 2020-02-18 14

Adversarial capabilities 1 a) no-message attack (NMA) • Adversary gets only pk Digital Signatures 2020-02-18 15

Adversarial capabilities 1 a) no-message attack (NMA) • Adversary gets only pk 1 b) non-adaptive chosen-message attack (naCMA) • Adversary chooses m 1 , ... , m q . . . • . . . then obtains pk and signatures σ 1 , ..., σ q Digital Signatures 2020-02-18 15

Adversarial capabilities 1 a) no-message attack (NMA) • Adversary gets only pk 1 b) non-adaptive chosen-message attack (naCMA) • Adversary chooses m 1 , ... , m q . . . • . . . then obtains pk and signatures σ 1 , ..., σ q 1 c) (adaptive) chosen-message attack (CMA) • Adversary gets pk , then chooses m 1 , ..., m q and obtains σ 1 , ..., σ q adaptively (i.e., one m i at a time, so m i +1 may depend on pk and σ 1 , ... , σ i ) Digital Signatures 2020-02-18 15

Angreiferziele General goal: forge/generate signatures Digital Signatures 2020-02-18 16

Angreiferziele General goal: forge/generate signatures 2 a) “ Universal Unforgeability” (UUF) • Adversary has to generate valid signature for externally given m • m chosen at random (not by adversary!) Digital Signatures 2020-02-18 16

Angreiferziele General goal: forge/generate signatures 2 a) “ Universal Unforgeability” (UUF) • Adversary has to generate valid signature for externally given m • m chosen at random (not by adversary!) 2 b) “ Existential Unforgeablility” (EUF) • Adversary has to generate valid signature for any message m not signed before Digital Signatures 2020-02-18 16

Security definition Security definition ˆ = adversarial goal + adversarial capabilities Interesting combinations: • EUF-CMA • EUF-naCMA Digital Signatures 2020-02-18 17

Security experiments Tool to formalize security definitions: security experiments Interactive process between two parties: • Adversary A • Challenger C • A plays against C • A wins iff he reaches his goal. Digital Signatures 2020-02-18 18

EUF-CMA security experiment C EUF-CMA A Digital Signatures 2020-02-18 19

EUF-CMA security experiment C EUF-CMA A p k ( pk , sk ) ← Gen (1 k ) Digital Signatures 2020-02-18 19

EUF-CMA security experiment C EUF-CMA A p k ( pk , sk ) ← Gen (1 k ) m i σ i Digital Signatures 2020-02-18 19

EUF-CMA security experiment C EUF-CMA A p k ( pk , sk ) ← Gen (1 k ) m i • queries • q = q ( k ) queries σ i • q polynomial (dep. on A ) Digital Signatures 2020-02-18 19

EUF-CMA security experiment C EUF-CMA A p k ( pk , sk ) ← Gen (1 k ) m i • queries • q = q ( k ) queries σ i • q polynomial (dep. on A ) , σ ∗ m ∗ Ver ( pk , m ∗ , σ ∗ ) = 1? ∧ m ∗ / ∈ { m 1 , ... , m q } ? A wins iff Vfy ( pk , m ∗ , σ ∗ ) = 1 and m ∗ / ∈ { m 1 , ..., m q } Digital Signatures 2020-02-18 19

Why is A allowed arbitrary signing queries? • Question: why is A allowed arbitrary signing queries? Digital Signatures 2020-02-18 20

Why is A allowed arbitrary signing queries? • Question: why is A allowed arbitrary signing queries? • Answer: yields strong and universal (application-independent) definition (Attack may yield signatures for unforeseeable messages) Digital Signatures 2020-02-18 20

Definition: EUF-CMA Def. 2: (EUF-CMA) A digital signature scheme Σ = ( Gen , Sign , Vfy ) is EUF-CMA secure iff for all PPT A , the function Digital Signatures 2020-02-18 21

Definition: EUF-CMA Def. 2: (EUF-CMA) A digital signature scheme Σ = ( Gen , Sign , Vfy ) is EUF-CMA secure iff for all PPT A , the function Pr [ A wins EUF-CMA experiment] � A C EUF-CMA ( pk ) = ( m ∗ , σ ∗ ) : Vfy ( pk , m ∗ , σ ∗ ) = 1 � = Pr ∧ m ∗ / ∈ { m 1 , ..., m q } is negligible. Digital Signatures 2020-02-18 21

Definition: negligible Def.: (Negligible) A function negl : N → [0, 1] is negligible iff ∀ c ∈ N ∃ k 0 ∈ N ∀ k ≥ k 0 : negl ( k ) < 1 / k c . Digital Signatures 2020-02-18 22

Definition: negligible Def.: (Negligible) A function negl : N → [0, 1] is negligible iff ∀ c ∈ N ∃ k 0 ∈ N ∀ k ≥ k 0 : negl ( k ) < 1 / k c . Examples: 1 / 2 k and 1 / k log k negligible, 1 / k 2 not. Digital Signatures 2020-02-18 22

UUF-NMA security experiment Ideas? Digital Signatures 2020-02-18 23

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn - PowerPoint PPT Presentation

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-02-18 1 Outline Logistics Overview Introduction Definition Security Security experiments Formal security definition Relations among

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

1 Arbitrated Digital Signatures Digital Signature Standard (DSS) US Govt approved signature

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Mediated Signatures - Towards Advanced Undeniability of Digital Data in Technical Digital

Digital Signatures and Authentication 1 Outline What is a digital signature ? General

Digital Signatures (ctd.) Lecture 17 RECALL Digital Signatures Syntax: KeyGen, Sign SK and

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

DTTF/NB479: Dszquphsbqiz Day 29 Announcements: Questions? This week: Digital signatures, DSA

Lecture 12 Digital Signatures from one-way functions Signatures vs. MACs Signatures MAC s

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

DIGITAL SIGNATURES JOHN NEWBERY @jfnewbery github.com/jnewbery ABOUT ME Live in New York Work

DIGITAL INDIA VISION Use of Digital Signatures to create a completely paperless environment

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures for Flows and Multicasts by Chung Kei Wong and Simon S. Lam in IEEE/ACM

Lattice-based signatures Extra lecture for the Digital Signatures course 2020 Dennis