digital signatures
play

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn - PowerPoint PPT Presentation

May 01, 2023 •130 likes •585 views

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-07 1 Outline Chameleon Signatures CH functions are one-time signatures sEUF-CMA from chameleon hashing Digital

  1. Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-07 1

  2. Outline Chameleon Signatures CH functions are one-time signatures sEUF-CMA from chameleon hashing Digital Signatures 2020-04-07 2

  3. Chameleon signatures: motivation (recap) Dealer 1 Customer Dealer 2

  4. Chameleon signatures: motivation (recap) Dealer 1 ? r e f f O 100$, σ 1 Customer Dealer 2

  5. Chameleon signatures: motivation (recap) Dealer 1 ? r e f f O 100$, σ 1 Customer 100$, σ 1 9 9 $ , σ 2 Dealer 2 Digital Signatures 2020-04-07 3

  6. Chameleon signatures: goal (recap) Question: can we construct a signature scheme, such that. . . • . . . C can verify the authenticity of the offer from D 1 , but • . . . C cannot convince D 2 that the offer came from D 1 ? Digital Signatures 2020-04-07 4

  7. Chameleon hash functions (Definition, recap) A chameleon hash function CH consists of two PPT algorithms ( Gen CH , TrapColl CH ): • Gen CH (1 k ) outputs ch : M × R → N and a trapdoor τ • TrapColl CH ( τ , m , r , m ′ ), for ( m , r , m ′ ) ∈ M × R × M , computes r ′ ∈ R with ch ( m , r ) = ch ( m ′ , r ′ ) CH is collision-resistant iff for all PPT A , � � A (1 k , ch ) = ( m , r , m ′ , r ′ ) : ch ( m , r ) = ch ( m ′ , r ′ ) ( ch , τ ) ← Gen CH (1 k ) Pr ∧ ( m , r ) � = ( m ′ , r ′ ) is negligible in k . Digital Signatures 2020-04-07 5

  8. Chameleon signatures • Given: CH = ( Gen CH , TrapColl CH ), ch : M × R → N • Given: signature scheme Σ ′ = ( Gen ′ , Sign ′ , Vfy ′ ) Construct chameleon signature Σ = ( Gen , Sign , Vfy ) Digital Signatures 2020-04-07 6

  9. Chameleon signatures • Given: CH = ( Gen CH , TrapColl CH ), ch : M × R → N • Given: signature scheme Σ ′ = ( Gen ′ , Sign ′ , Vfy ′ ) Construct chameleon signature Σ = ( Gen , Sign , Vfy ) Gen (1 k ) : • ( pk ′ , sk ′ ) ← Gen ′ (1 k ) • pk := pk ′ , sk := sk ′ Digital Signatures 2020-04-07 6

  10. Chameleon signatures Sign ( sk , m , ch ) : ( ch is CH function of receiver ) • r ← R , ch ( m , r ) =: y • σ ′ := Sign ′ ( sk , y ) • σ := ( σ ′ , r ) Digital Signatures 2020-04-07 7

  11. Chameleon signatures Sign ( sk , m , ch ) : ( ch is CH function of receiver ) • r ← R , ch ( m , r ) =: y • σ ′ := Sign ′ ( sk , y ) • σ := ( σ ′ , r ) Vfy ( pk , m , σ , ch ) : • Vfy ′ ( pk , ch ( m , r ), σ ′ ) ? = 1 Digital Signatures 2020-04-07 7

  12. EUF-CMA for chameleon signatures C EUF-CMA A Digital Signatures 2020-04-07 8

  13. EUF-CMA for chameleon signatures C EUF-CMA A ( pk , sk ) ← Gen (1 k ) p k , ch ( ch , τ ) ← Gen CH (1 k ) Digital Signatures 2020-04-07 8

  14. EUF-CMA for chameleon signatures C EUF-CMA A ( pk , sk ) ← Gen (1 k ) p k , ch ( ch , τ ) ← Gen CH (1 k ) m i q adaptive queries σ i σ i ← Sign ( sk , m i , ch ) Digital Signatures 2020-04-07 8

  15. EUF-CMA for chameleon signatures C EUF-CMA A ( pk , sk ) ← Gen (1 k ) p k , ch ( ch , τ ) ← Gen CH (1 k ) m i q adaptive queries σ i σ i ← Sign ( sk , m i , ch ) , σ ∗ m ∗ Vfy ( pk , m ∗ , σ ∗ , ch ) = 1? ∧ m ∗ / ∈ { m 1 , ... , m q } ? Digital Signatures 2020-04-07 8

  16. EUF-CMA for chameleon signatures C EUF-CMA A ( pk , sk ) ← Gen (1 k ) p k , ch ( ch , τ ) ← Gen CH (1 k ) m i q adaptive queries σ i σ i ← Sign ( sk , m i , ch ) , σ ∗ m ∗ Vfy ( pk , m ∗ , σ ∗ , ch ) = 1? ∧ m ∗ / ∈ { m 1 , ... , m q } ? A wins iff Vfy ( pk , m ∗ , σ ∗ , ch ) = 1 and m ∗ / ∈ { m 1 , ... , m q } Digital Signatures 2020-04-07 8

  17. EUF-CMA for chameleon signatures C EUF-CMA A ( pk , sk ) ← Gen (1 k ) p k , ch ( ch , τ ) ← Gen CH (1 k ) m i q adaptive queries σ i σ i ← Sign ( sk , m i , ch ) , σ ∗ m ∗ Vfy ( pk , m ∗ , σ ∗ , ch ) = 1? ∧ m ∗ / ∈ { m 1 , ... , m q } ? A wins iff Vfy ( pk , m ∗ , σ ∗ , ch ) = 1 and m ∗ / ∈ { m 1 , ... , m q } Question: is this notion “strong enough”? Digital Signatures 2020-04-07 8

  18. Chameleon signatures: security (not in notes) Question: is this notion “strong enough”? Digital Signatures 2020-04-07 9

  19. Chameleon signatures: security (not in notes) Question: is this notion “strong enough”? Answer: no! • Not realistic: adversary has “no control” over CH function in signing queries (recall: CH function of receiver should be used) • Such control could help forging signatures • Realistic adversary might choose/use own CH function Digital Signatures 2020-04-07 9

  20. Attack in case of DLog-based CH (not in notes) Suppose A can choose CH function for signature queries: • DLog-based CH used ( ch ( m , r ) = g m · h r ) • A receives ch = ( g , h ) from challenger Digital Signatures 2020-04-07 10

  21. Attack in case of DLog-based CH (not in notes) Suppose A can choose CH function for signature queries: • DLog-based CH used ( ch ( m , r ) = g m · h r ) • A receives ch = ( g , h ) from challenger • A chooses ch A := ( g a , h ), ( a � = 1 chosen by A ) – Valid CH function ( A needs not prove knowledge of trapdoor)! • A queries signature of m under ch A and obtains σ = ( σ ′ , r ). Digital Signatures 2020-04-07 10

  22. Attack in case of DLog-based CH (not in notes) • Then: 1 = Vfy ( pk , m , σ = ( σ ′ , r ), ch A ) = Vfy ′ ( pk , ch A ( m , r ), σ ′ ) = Vfy ′ ( pk , ch ( a · m , r ), σ ′ ) = Vfy ( pk , a · m , σ , ch ) • Since a � = 1, we have m � = a · m • Hence, ( a · m , σ ) is a valid forgery under ch Note: similar attack possible with RSA-based CH function Digital Signatures 2020-04-07 11

  23. EUF-CMA for chameleon sigs (not in notes) EUF-CMA variant 1 C EUF-CMA A ( pk , sk ) ← Gen (1 k ) p k , ch ( ch , τ ) ← Gen CH (1 k ) m i q adaptive queries σ i σ i ← Sign ( sk , m i , ch ) , σ ∗ m ∗ Vfy ( pk , m ∗ , σ ∗ , ch ) = 1? ∧ m ∗ / ∈ { m 1 , ... , m q } ? A wins iff Vfy ( pk , m ∗ , σ ∗ , ch ) = 1 and m ∗ / ∈ { m 1 , ... , m q } Digital Signatures 2020-04-07 12

  24. EUF-CMA for chameleon sigs (not in notes) EUF-CMA variant 2 C EUF-CMA A ( pk , sk ) ← Gen (1 k ) p k , ch ( ch , τ ) ← Gen CH (1 k ) , ch m i i q adaptive queries σ i σ i ← Sign ( sk , m i , ch i ) , σ ∗ m ∗ Vfy ( pk , m ∗ , σ ∗ , ch ) = 1? ∧ m ∗ / ∈ { m 1 , ... , m q } ? A wins iff Vfy ( pk , m ∗ , σ ∗ , ch ) = 1 and m ∗ / ∈ { m 1 , ... , m q } Digital Signatures 2020-04-07 12

  25. EUF-CMA • In the following: only variant 1 • Variant 2 also achievable, but a little more difficult (need to make signatures depend on used CH) Digital Signatures 2020-04-07 13

  26. Chameleon signatures: security Theorem 45: For every PPT adversary A ( pk , ch ) that breaks the EUF-CMA security of Σ in time t A with success ǫ A , there is a PPT adversary B that runs in time t B ≈ t A and. . . • breaks the collision resistance of ch with success ǫ ch ≥ ǫ A 2 , • or breaks the EUF-naCMA security of Σ ′ with probability ǫ ′ ≥ ǫ A 2 . Digital Signatures 2020-04-07 14

  27. Chameleon signatures: proof EUF-CMA: Let m 1 , ... , m q be A ’s queries, σ i = ( σ ′ i , r i ) the replies, and ( m ∗ , σ ∗ = ( σ ′∗ , r ∗ )) A ’s forgery Digital Signatures 2020-04-07 15

  28. Chameleon signatures: proof EUF-CMA: Let m 1 , ... , m q be A ’s queries, σ i = ( σ ′ i , r i ) the replies, and ( m ∗ , σ ∗ = ( σ ′∗ , r ∗ )) A ’s forgery Two events: • E 0 : There is an i with ch ( m i , r i ) = ch ( m ∗ , r ∗ ). • E 1 : For all i ∈ { 1, ... , q } , we have ch ( m i , r i ) � = ch ( m ∗ , r ∗ ). Digital Signatures 2020-04-07 15

  29. Chameleon signatures: proof EUF-CMA: Let m 1 , ... , m q be A ’s queries, σ i = ( σ ′ i , r i ) the replies, and ( m ∗ , σ ∗ = ( σ ′∗ , r ∗ )) A ’s forgery Two events: • E 0 : There is an i with ch ( m i , r i ) = ch ( m ∗ , r ∗ ). • E 1 : For all i ∈ { 1, ... , q } , we have ch ( m i , r i ) � = ch ( m ∗ , r ∗ ). Successful A causes E 0 or E 1 , hence ǫ A ≤ Pr[ E 0 ] + Pr[ E 1 ] ⇒ Pr[ E 0 ] ≥ ǫ A / 2 or Pr[ E 1 ] ≥ ǫ A / 2 Digital Signatures 2020-04-07 15

  30. Chameleon signatures: proof • E 0 : reduction to collision-resistance of CH – As usual, no surprises • E 1 : reduction to EUF-naCMA security of Σ ′ – Also straightforward, details on next slide Digital Signatures 2020-04-07 16

  31. Proof strategy to bound Pr[ E 1 ] • Overview: C Σ ′ B A m ′ 1 , . . . , m ′ q pk ′ generate (ch , τ ) ( pk := pk ′ , ch) m i generate signature σ i for m i (choose r i , generate Σ ′ -signature for ch( m i , r i )) σ i ( m ∗ , σ ∗ ) extract Σ ′ -forgery ( m ′∗ , σ ′∗ ) ( m ′∗ , σ ′∗ ) • Need to fill in details Digital Signatures 2020-04-07 17

  32. Proof strategy to bound Pr[ E 1 ] • How to sign m i for A – Need to choose r i , then Σ ′ -sign ch ( m i , r i ) – Problem: no Σ ′ -signing oracle ( m ′ i chosen in advance) Digital Signatures 2020-04-07 18

  33. Proof strategy to bound Pr[ E 1 ] • How to sign m i for A – Need to choose r i , then Σ ′ -sign ch ( m i , r i ) – Problem: no Σ ′ -signing oracle ( m ′ i chosen in advance) – Solution: use τ to generate r i with ch ( m i , r i ) = m ′ i – This requires to set up m ′ i := ch ( M i , R i ) for arbitrary M i and random R i in advance Digital Signatures 2020-04-07 18

Recommend

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And Putting It All Together Lecture 12 Digital Signatures Digital Signatures Syntax: KeyGen, Sign SK and Verify VK . Security: Same experiment as MAC s,

1.72k views • 142 slides
1 Arbitrated Digital Signatures Digital Signature Standard (DSS) US Govt approved signature

1 Arbitrated Digital Signatures Digital Signature Standard (DSS) US Govt approved signature

CPE 542: CRYPTOGRAPHY & NETWORK SECURITY Digital Signatures have looked at message authentication but does not address issues of lack of trust Chapter 13 Digital Signatures digital signatures provide the ability to:

361 views • 3 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-02-25 1 Outline Recap: security experiments Message space extension One-time signatures One-time signatures from one-way functions Digital

1.07k views • 48 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-03-03 1 Outline Why assumptions? Efficient one-time signatures Digital Signatures 2020-03-03 2 Recap: Lamport EUF-1-CMA secure

1.14k views • 37 slides
Mediated Signatures - Towards Advanced Undeniability of Digital Data in Technical Digital

Mediated Signatures - Towards Advanced Undeniability of Digital Data in Technical Digital

M. Kutyowski Mediated Signatures - Towards Advanced Undeniability of Digital Data in Technical Digital Signatures Qualified Signatures and Legal Framework Validity of the Signature Standard Implementation Risk Issues Reasons of

436 views • 42 slides
Digital Signatures and Authentication 1 Outline What is a digital signature ? General

Digital Signatures and Authentication 1 Outline What is a digital signature ? General

Digital Signatures and Authentication 1 Outline What is a digital signature ? General model Foundations of security RSA, DSA, ECDSA signatures Zero knowledge (Guillo-Quisquater) One-time signature Special

675 views • 46 slides
Digital Signatures (ctd.) Lecture 17 RECALL Digital Signatures Syntax: KeyGen, Sign SK and

Digital Signatures (ctd.) Lecture 17 RECALL Digital Signatures Syntax: KeyGen, Sign SK and

Digital Signatures (ctd.) Lecture 17 RECALL Digital Signatures Syntax: KeyGen, Sign SK and Verify VK . Security: Same experiment as MAC s, but adversary given VK Sig SK Ver VK s i = Sign SK (M i ) Ver VK (M,s) (M,s) M i VK Advantage =

693 views • 10 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung) Digital Signatures 2020-05-19 1 Outline Waters signatures Overview over course topics General remarks Digital Signatures 2020-05-19 2 Recap:

250 views • 20 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung) Digital Signatures 2020-03-31 1 Outline Gennaro-Halevi-Rabin signatures Chameleon hash functions Digital Signatures 2020-03-31 2 RSA

627 views • 52 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung) Digital Signatures 2020-03-31 1 Outline Gennaro-Halevi-Rabin signatures Chameleon hash functions Digital Signatures 2020-03-31 2 RSA

785 views • 29 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung) Digital Signatures 2020-03-24 1 Outline Parameter choices RSA-PSS Genaro-Halevi-Rabin signatures Digital Signatures 2020-03-24 2 Recap Last

661 views • 53 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-03-10 1 Outline Recap: one-time signatures From EUF-naCMA security to EUF-CMA security Interlude: proof strategies Security proof

336 views • 20 slides
DTTF/NB479: Dszquphsbqiz Day 29 Announcements: Questions? This week: Digital signatures, DSA

DTTF/NB479: Dszquphsbqiz Day 29 Announcements: Questions? This week: Digital signatures, DSA

DTTF/NB479: Dszquphsbqiz Day 29 Announcements: Questions? This week: Digital signatures, DSA Flipping coins over the phone Why are digital signatures important? Compare with paper signatures Danger: Eve would like to use your

423 views • 7 slides
Lecture 12 Digital Signatures from one-way functions Signatures vs. MACs Signatures MAC s

Lecture 12 Digital Signatures from one-way functions Signatures vs. MACs Signatures MAC s

Lecture 12 Digital Signatures from one-way functions Signatures vs. MACs Signatures MAC s users require only secretkeys users require n 2 secretkeys Privately verifiable and non-transferable Same signature

764 views • 53 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung) Digital Signatures 2020-05-05 1 Outline More on BLS signatures Programmable Hash Functions Waters PHF Digital Signatures 2020-05-05 2

441 views • 13 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung) Digital Signatures 2020-05-05 1 Outline More on BLS signatures Programmable Hash Functions Waters PHF Digital Signatures 2020-05-05 2

1.3k views • 97 slides
DIGITAL SIGNATURES JOHN NEWBERY @jfnewbery github.com/jnewbery ABOUT ME Live in New York Work

DIGITAL SIGNATURES JOHN NEWBERY @jfnewbery github.com/jnewbery ABOUT ME Live in New York Work

DIGITAL SIGNATURES JOHN NEWBERY @jfnewbery github.com/jnewbery ABOUT ME Live in New York Work for Chaincode Labs Contribute to Bitcoin Core github.com/jnewbery DIGITAL SIGNATURES Electronic coins & digital signatures Finite

830 views • 43 slides
DIGITAL INDIA VISION Use of Digital Signatures to create a completely paperless environment

DIGITAL INDIA VISION Use of Digital Signatures to create a completely paperless environment

DIGITAL INDIA VISION Use of Digital Signatures to create a completely paperless environment WWW.INDIAPKI.ORG TABLE OF CONTENTS o Digital India Vision o Adoption of Digital Signatures o Digital Revolution Going Green and Paperless o

305 views • 16 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1 Outline Pairings Boneh-Lynn-Shacham (BLS) signatures Digital Signatures 2020-04-28 2 Pairings Definition 78

958 views • 63 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung) Digital Signatures 2020-05-12 1 Outline Recap: programmable hash functions Waters PHF Waters signatures Digital Signatures 2020-05-12 2

1.02k views • 71 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-02-18 1 Outline Logistics Overview Introduction Definition Security Security experiments Formal security definition Relations among

743 views • 58 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-02-18 1 Outline Logistics Overview Introduction Definition Security Security experiments Formal security definition Relations among

686 views • 64 slides
Digital Signatures for Flows and Multicasts by Chung Kei Wong and Simon S. Lam in IEEE/ACM

Digital Signatures for Flows and Multicasts by Chung Kei Wong and Simon S. Lam in IEEE/ACM

Digital Signatures for Flows and Multicasts by Chung Kei Wong and Simon S. Lam in IEEE/ACM Transactions on Networking , August 1999 Digital Signatures (Simon S. Lam) 1 3/8/2017 1 Digital Signature Examples: RSA, DSA Provide

1.17k views • 43 slides
Lattice-based signatures Extra lecture for the Digital Signatures course 2020 Dennis

Lattice-based signatures Extra lecture for the Digital Signatures course 2020 Dennis

Lattice-based signatures Extra lecture for the Digital Signatures course 2020 Dennis Hofheinz ETH Zrich Quantum computers Grovers algorithm: speed up searches (N O(N)) Bigger problem for cryptography: Shors algorithm

468 views • 15 slides

More recommend