digital signatures
play

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn - PowerPoint PPT Presentation

Apr 26, 2023 •304 likes •1.02k views

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung) Digital Signatures 2020-05-12 1 Outline Recap: programmable hash functions Waters PHF Waters signatures Digital Signatures 2020-05-12 2

  1. Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-05-12 1

  2. Outline Recap: programmable hash functions Waters’ PHF Waters signatures Digital Signatures 2020-05-12 2

  3. Programmable hash functions Motivation: • RO proofs use programmability of RO (RSA-FDH, BLS, . . . ) • Problem: ROs do not exist, leads to heuristic arguments • Goal: imitate necessary programming operations with standard-model hash function Closer look: • PHF maps bitstrings m to group elements H ( m ) • PHF trapdoor gives decomposition H ( m ) = h a m g b m • Later: a m � = 0 ⇔ reduction can sign m • Want a m � = 0 often (sig. queries), a m = 0 sometimes (forgery) Digital Signatures 2020-05-12 3

  4. Programmable hash functions Def.: A group hash function ( Gen , Eval ) is ( v , w , γ ) -programmable (for v , w ∈ N , γ ∈ [0, 1]), if there are two PPT algorithms as follows: • TrapGen ( g , h ) → ( κ , τ ): trapdoor key generation • TrapEval ( τ , m ) → ( a m , b m ) with h a m g b m = H κ ( m ) (deterministic) that fulfill the following two requirements: • κ from Gen statistically close to κ from TrapGen • TrapEval has ( v , w , γ )-well-distributed outputs (next slide) A ( v , w , γ ) -PHF is a ( v , w , γ )-programmable group hash function. Digital Signatures 2020-05-12 4

  5. Programmable hash functions Well-distributedness condition of TrapEval ’s outputs: • ( v , w , γ ) -well-distributed (for v , w ∈ N , γ ∈ [0, 1]): For all – generators g , h of G , v ∈ { 0, 1 } ℓ , – m ∗ 1 , ... m ∗ – m 1 , ... , m w ∈ { 0, 1 } ℓ (s.t. ∀ i , j : m ∗ i � = m j ) – κ in the range of TrapGen ’s first output we have: � � a m ∗ i = 0 for i = 1, ... , v ∧ ≥ γ , Pr a m j � = 0 for j = 1, ... , w where Pr is over τ from ( κ , τ ) ← TrapGen ( g , h ) (cond. on κ ) Digital Signatures 2020-05-12 5

  6. Outline Recap: programmable hash functions Waters’ PHF Waters signatures Digital Signatures 2020-05-12 6

  7. Waters’ programmable hash function Waters’ group hash function (used earlier for different purpose): • Gen (1 k ): choose u 0 , ... , u k ← G . κ = ( u 0 , ... , u k ) Digital Signatures 2020-05-12 7

  8. Waters’ programmable hash function Waters’ group hash function (used earlier for different purpose): • Gen (1 k ): choose u 0 , ... , u k ← G . κ = ( u 0 , ... , u k ) • Eval ( κ , m = m (1) · · · m ( k ) ): compute k � ( m ( i ) ∈ { 0, 1 } ) u m ( i ) H κ ( m ) = u 0 i i =1 Digital Signatures 2020-05-12 7

  9. Waters’ programmable hash function Waters’ group hash function (used earlier for different purpose): • Gen (1 k ): choose u 0 , ... , u k ← G . κ = ( u 0 , ... , u k ) • Eval ( κ , m = m (1) · · · m ( k ) ): compute k � ( m ( i ) ∈ { 0, 1 } ) u m ( i ) H κ ( m ) = u 0 i i =1 Theorem: Let q = q ( k ) be a polynomial. Then, Waters’ group hash √ function is (1, q , γ )-programmable for γ = 1 / O ( q k ). Digital Signatures 2020-05-12 7

  10. Waters’ programmable hash function Proof sketch: a i ∈ Z p suitably, � • TrapGen ( g , h ): choose � b i ← Z p . Let a i g � u i := h � b i for i ∈ { 0, ... , k } , a k , � b 0 , ... , � κ = ( u 0 , ... , u k ), τ = ( � a 0 , ... , � b k ). Digital Signatures 2020-05-12 8

  11. Waters’ programmable hash function Proof sketch: a i ∈ Z p suitably, � • TrapGen ( g , h ): choose � b i ← Z p . Let a i g � u i := h � b i for i ∈ { 0, ... , k } , a k , � b 0 , ... , � κ = ( u 0 , ... , u k ), τ = ( � a 0 , ... , � b k ). • TrapEval ( τ , m = m (1) · · · m ( k ) ): compute a 0 + � k i =1 m ( i ) � � a m = a i and b 0 + � k i =1 m ( i ) � � b m = b i . Digital Signatures 2020-05-12 8

  12. Waters’ programmable hash function Proof sketch: a i ∈ Z p suitably, � • TrapGen ( g , h ): choose � b i ← Z p . Let a i g � u i := h � b i for i ∈ { 0, ... , k } , a k , � b 0 , ... , � κ = ( u 0 , ... , u k ), τ = ( � a 0 , ... , � b k ). • TrapEval ( τ , m = m (1) · · · m ( k ) ): compute a 0 + � k i =1 m ( i ) � � a m = a i and b 0 + � k i =1 m ( i ) � � b m = b i . Then: h a m g b m = Digital Signatures 2020-05-12 8

  13. Waters’ programmable hash function Proof sketch: a i ∈ Z p suitably, � • TrapGen ( g , h ): choose � b i ← Z p . Let a i g � u i := h � b i for i ∈ { 0, ... , k } , a k , � b 0 , ... , � κ = ( u 0 , ... , u k ), τ = ( � a 0 , ... , � b k ). • TrapEval ( τ , m = m (1) · · · m ( k ) ): compute a 0 + � k i =1 m ( i ) � � a m = a i and b 0 + � k i =1 m ( i ) � � b m = b i . Then: � k � k a i m ( i ) · g � g � h a m g b m = h � h � b i m ( i ) a 0 b 0 i =1 i =1 Digital Signatures 2020-05-12 8

  14. Waters’ programmable hash function Proof sketch: a i ∈ Z p suitably, � • TrapGen ( g , h ): choose � b i ← Z p . Let a i g � u i := h � b i for i ∈ { 0, ... , k } , a k , � b 0 , ... , � κ = ( u 0 , ... , u k ), τ = ( � a 0 , ... , � b k ). • TrapEval ( τ , m = m (1) · · · m ( k ) ): compute a 0 + � k i =1 m ( i ) � � a m = a i and b 0 + � k i =1 m ( i ) � � b m = b i . Then: � k � k � k m ( i ) a i m ( i ) · g � b i m ( i ) = ( h � g � a 0 g � a i g � h a m g b m = h � h � ( h � a 0 b 0 b 0 ) · b i ) i =1 i =1 i =1 Digital Signatures 2020-05-12 8

  15. Waters’ programmable hash function Proof sketch: a i ∈ Z p suitably, � • TrapGen ( g , h ): choose � b i ← Z p . Let a i g � u i := h � b i for i ∈ { 0, ... , k } , a k , � b 0 , ... , � κ = ( u 0 , ... , u k ), τ = ( � a 0 , ... , � b k ). • TrapEval ( τ , m = m (1) · · · m ( k ) ): compute a 0 + � k i =1 m ( i ) � � a m = a i and b 0 + � k i =1 m ( i ) � � b m = b i . Then: � k � k � k m ( i ) a i m ( i ) · g � b i m ( i ) = ( h � g � a 0 g � a i g � h a m g b m = h � h � ( h � a 0 b 0 b 0 ) b i ) · � �� � i =1 i =1 i =1 u 0 Digital Signatures 2020-05-12 8

  16. Waters’ programmable hash function Proof sketch: a i ∈ Z p suitably, � • TrapGen ( g , h ): choose � b i ← Z p . Let a i g � u i := h � b i for i ∈ { 0, ... , k } , a k , � b 0 , ... , � κ = ( u 0 , ... , u k ), τ = ( � a 0 , ... , � b k ). • TrapEval ( τ , m = m (1) · · · m ( k ) ): compute a 0 + � k i =1 m ( i ) � � a m = a i and b 0 + � k i =1 m ( i ) � � b m = b i . Then: � k � k � k m ( i ) a i m ( i ) · g � b i m ( i ) = ( h � g � a 0 g � a i g � h a m g b m = h � h � ( h � a 0 b 0 b 0 ) b i ) · � �� � � �� � i =1 i =1 i =1 u 0 u i Digital Signatures 2020-05-12 8

  17. Waters’ programmable hash function Proof sketch: a i ∈ Z p suitably, � • TrapGen ( g , h ): choose � b i ← Z p . Let a i g � u i := h � b i for i ∈ { 0, ... , k } , a k , � b 0 , ... , � κ = ( u 0 , ... , u k ), τ = ( � a 0 , ... , � b k ). • TrapEval ( τ , m = m (1) · · · m ( k ) ): compute a 0 + � k i =1 m ( i ) � � a m = a i and b 0 + � k i =1 m ( i ) � � b m = b i . Then: � k � k � k m ( i ) a i m ( i ) · g � b i m ( i ) = ( h � g � a 0 g � a i g � h a m g b m = h � h � ( h � a 0 b 0 b 0 ) b i ) · = H κ ( m ) � �� � � �� � i =1 i =1 i =1 u 0 u i Digital Signatures 2020-05-12 8

  18. Waters’ programmable hash function • Distribution of (real/trapdoor) κ ? – Gen (1 k ): all u i uniform over G Digital Signatures 2020-05-12 9

  19. Waters’ programmable hash function • Distribution of (real/trapdoor) κ ? – Gen (1 k ): all u i uniform over G – TrapGen ( g , h ): Digital Signatures 2020-05-12 9

  20. Waters’ programmable hash function • Distribution of (real/trapdoor) κ ? – Gen (1 k ): all u i uniform over G – TrapGen ( g , h ): ◮ � b i uniform over Z p Digital Signatures 2020-05-12 9

  21. Waters’ programmable hash function • Distribution of (real/trapdoor) κ ? – Gen (1 k ): all u i uniform over G – TrapGen ( g , h ): ◮ � b i uniform over Z p ⇒ g � b i uniform over G ( g generator!) ◮ = Digital Signatures 2020-05-12 9

  22. Waters’ programmable hash function • Distribution of (real/trapdoor) κ ? – Gen (1 k ): all u i uniform over G – TrapGen ( g , h ): ◮ � b i uniform over Z p ⇒ g � b i uniform over G ( g generator!) ◮ = ⇒ u i = h � a i g � b i uniform over G ◮ = Digital Signatures 2020-05-12 9

  23. Waters’ programmable hash function • Distribution of (real/trapdoor) κ ? – Gen (1 k ): all u i uniform over G – TrapGen ( g , h ): ◮ � b i uniform over Z p ⇒ g � b i uniform over G ( g generator!) ◮ = ⇒ u i = h � a i g � b i uniform over G � ◮ = • ( v , w , γ )-well-distribution: Digital Signatures 2020-05-12 9

  24. Waters’ programmable hash function • Distribution of (real/trapdoor) κ ? – Gen (1 k ): all u i uniform over G – TrapGen ( g , h ): ◮ � b i uniform over Z p ⇒ g � b i uniform over G ( g generator!) ◮ = ⇒ u i = h � a i g � b i uniform over G � ◮ = • ( v , w , γ )-well-distribution: – Need to define � a i suitably (next slide) Digital Signatures 2020-05-12 9

Recommend

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And Putting It All Together Lecture 12 Digital Signatures Digital Signatures Syntax: KeyGen, Sign SK and Verify VK . Security: Same experiment as MAC s,

1.72k views • 142 slides
1 Arbitrated Digital Signatures Digital Signature Standard (DSS) US Govt approved signature

1 Arbitrated Digital Signatures Digital Signature Standard (DSS) US Govt approved signature

CPE 542: CRYPTOGRAPHY & NETWORK SECURITY Digital Signatures have looked at message authentication but does not address issues of lack of trust Chapter 13 Digital Signatures digital signatures provide the ability to:

361 views • 3 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-02-25 1 Outline Recap: security experiments Message space extension One-time signatures One-time signatures from one-way functions Digital

1.07k views • 48 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-03-03 1 Outline Why assumptions? Efficient one-time signatures Digital Signatures 2020-03-03 2 Recap: Lamport EUF-1-CMA secure

1.14k views • 37 slides
Mediated Signatures - Towards Advanced Undeniability of Digital Data in Technical Digital

Mediated Signatures - Towards Advanced Undeniability of Digital Data in Technical Digital

M. Kutyowski Mediated Signatures - Towards Advanced Undeniability of Digital Data in Technical Digital Signatures Qualified Signatures and Legal Framework Validity of the Signature Standard Implementation Risk Issues Reasons of

436 views • 42 slides
Digital Signatures and Authentication 1 Outline What is a digital signature ? General

Digital Signatures and Authentication 1 Outline What is a digital signature ? General

Digital Signatures and Authentication 1 Outline What is a digital signature ? General model Foundations of security RSA, DSA, ECDSA signatures Zero knowledge (Guillo-Quisquater) One-time signature Special

675 views • 46 slides
Digital Signatures (ctd.) Lecture 17 RECALL Digital Signatures Syntax: KeyGen, Sign SK and

Digital Signatures (ctd.) Lecture 17 RECALL Digital Signatures Syntax: KeyGen, Sign SK and

Digital Signatures (ctd.) Lecture 17 RECALL Digital Signatures Syntax: KeyGen, Sign SK and Verify VK . Security: Same experiment as MAC s, but adversary given VK Sig SK Ver VK s i = Sign SK (M i ) Ver VK (M,s) (M,s) M i VK Advantage =

693 views • 10 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung) Digital Signatures 2020-05-19 1 Outline Waters signatures Overview over course topics General remarks Digital Signatures 2020-05-19 2 Recap:

250 views • 20 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung) Digital Signatures 2020-03-31 1 Outline Gennaro-Halevi-Rabin signatures Chameleon hash functions Digital Signatures 2020-03-31 2 RSA

627 views • 52 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung) Digital Signatures 2020-03-31 1 Outline Gennaro-Halevi-Rabin signatures Chameleon hash functions Digital Signatures 2020-03-31 2 RSA

785 views • 29 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung) Digital Signatures 2020-03-24 1 Outline Parameter choices RSA-PSS Genaro-Halevi-Rabin signatures Digital Signatures 2020-03-24 2 Recap Last

661 views • 53 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-03-10 1 Outline Recap: one-time signatures From EUF-naCMA security to EUF-CMA security Interlude: proof strategies Security proof

336 views • 20 slides
DTTF/NB479: Dszquphsbqiz Day 29 Announcements: Questions? This week: Digital signatures, DSA

DTTF/NB479: Dszquphsbqiz Day 29 Announcements: Questions? This week: Digital signatures, DSA

DTTF/NB479: Dszquphsbqiz Day 29 Announcements: Questions? This week: Digital signatures, DSA Flipping coins over the phone Why are digital signatures important? Compare with paper signatures Danger: Eve would like to use your

423 views • 7 slides
Lecture 12 Digital Signatures from one-way functions Signatures vs. MACs Signatures MAC s

Lecture 12 Digital Signatures from one-way functions Signatures vs. MACs Signatures MAC s

Lecture 12 Digital Signatures from one-way functions Signatures vs. MACs Signatures MAC s users require only secretkeys users require n 2 secretkeys Privately verifiable and non-transferable Same signature

764 views • 53 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-07 1 Outline Chameleon Signatures CH functions are one-time signatures sEUF-CMA from chameleon hashing Digital

585 views • 44 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung) Digital Signatures 2020-05-05 1 Outline More on BLS signatures Programmable Hash Functions Waters PHF Digital Signatures 2020-05-05 2

441 views • 13 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung) Digital Signatures 2020-05-05 1 Outline More on BLS signatures Programmable Hash Functions Waters PHF Digital Signatures 2020-05-05 2

1.3k views • 97 slides
DIGITAL SIGNATURES JOHN NEWBERY @jfnewbery github.com/jnewbery ABOUT ME Live in New York Work

DIGITAL SIGNATURES JOHN NEWBERY @jfnewbery github.com/jnewbery ABOUT ME Live in New York Work

DIGITAL SIGNATURES JOHN NEWBERY @jfnewbery github.com/jnewbery ABOUT ME Live in New York Work for Chaincode Labs Contribute to Bitcoin Core github.com/jnewbery DIGITAL SIGNATURES Electronic coins & digital signatures Finite

830 views • 43 slides
DIGITAL INDIA VISION Use of Digital Signatures to create a completely paperless environment

DIGITAL INDIA VISION Use of Digital Signatures to create a completely paperless environment

DIGITAL INDIA VISION Use of Digital Signatures to create a completely paperless environment WWW.INDIAPKI.ORG TABLE OF CONTENTS o Digital India Vision o Adoption of Digital Signatures o Digital Revolution Going Green and Paperless o

305 views • 16 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1 Outline Pairings Boneh-Lynn-Shacham (BLS) signatures Digital Signatures 2020-04-28 2 Pairings Definition 78

958 views • 63 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-02-18 1 Outline Logistics Overview Introduction Definition Security Security experiments Formal security definition Relations among

743 views • 58 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-02-18 1 Outline Logistics Overview Introduction Definition Security Security experiments Formal security definition Relations among

686 views • 64 slides
Digital Signatures for Flows and Multicasts by Chung Kei Wong and Simon S. Lam in IEEE/ACM

Digital Signatures for Flows and Multicasts by Chung Kei Wong and Simon S. Lam in IEEE/ACM

Digital Signatures for Flows and Multicasts by Chung Kei Wong and Simon S. Lam in IEEE/ACM Transactions on Networking , August 1999 Digital Signatures (Simon S. Lam) 1 3/8/2017 1 Digital Signature Examples: RSA, DSA Provide

1.17k views • 43 slides
Lattice-based signatures Extra lecture for the Digital Signatures course 2020 Dennis

Lattice-based signatures Extra lecture for the Digital Signatures course 2020 Dennis

Lattice-based signatures Extra lecture for the Digital Signatures course 2020 Dennis Hofheinz ETH Zrich Quantum computers Grovers algorithm: speed up searches (N O(N)) Bigger problem for cryptography: Shors algorithm

468 views • 15 slides

More recommend