Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel) Digital Signatures 2020-03-03 1
Outline
• Why assumptions?
• Efficient one-time signatures

Recap: Lamport
• EUF-1-CMA secure
• Requires only one-way function (weak assumption)
• Not very efficient
  – Many evaluations of one-way function
  – Large keys

Uselessness of UUF-NMA (not in lecture notes)
Use one-way function $f$ to construct UUF-NMA secure signature scheme:
• $\mathsf{Gen}(1^k)$: $sk \leftarrow \{0,1\}^k$, $pk = f(sk)$
• $\mathsf{Sign}(sk, m) = sk$
• $\mathsf{Vfy}(pk, m, \sigma)$: $f(\sigma) \stackrel{?}{=} pk$
• Actually EUF-NMA secure...
• ...but useless (message-independent signatures)

Why assumptions? (not in lecture notes)
We made assumptions so far to construct signature schemes:
• Existence of collision-resistant hash functions
• Existence of one-way functions
• More to come...
Why make assumptions in the first place?

Why assumptions? (2) (not in lecture notes)
Theorem: Let $\Sigma = (\mathsf{Gen}, \mathsf{Sign}, \mathsf{Vfy})$ be a UUF-NMA secure signature scheme. Then $P \neq NP$.

Proof: $\exists$ UUF-NMA $\Rightarrow P \neq NP$ (not in lecture notes)
• Consider the language $L_\Sigma = \{ (pk, m, \sigma') : \exists \sigma \text{ s.t. } \sigma' \text{ is prefix of } \sigma \text{ and } \mathsf{Vfy}(pk, m, \sigma) = 1 \}$
• We have $L_\Sigma \in NP$ (witness: $\sigma$)
• Assume for contradiction that $P = NP$. Then $\exists B$ that decides $L_\Sigma$ in polynomial time.

Proof: $\exists$ UUF-NMA $\Rightarrow P \neq NP$ (2) (not in lecture notes)
$L_\Sigma = \{ (pk, m, \sigma') : \exists \sigma \text{ s.t. } \sigma' \text{ is prefix of } \sigma \text{ and } \mathsf{Vfy}(pk, m, \sigma) = 1 \}$.
UUF-NMA adversary from $B$:
• Use $B$ to find $\sigma$ given $m$, $pk$ (bit-by-bit search)
• Signatures are short, hence runtime is polynomial
• Always finds valid $\sigma$
Hence: $P = NP$ implies that $\Sigma$ is not UUF-NMA secure. (Contradiction.)

Discrete-log-based one-time signatures
Setting:
• Cyclic group $G = \langle g \rangle$ of prime order $|G| = p$
• $G$ may (should) depend on security parameter (we usually do not make this explicit)

DLog problem/assumption
DLog problem:
• Given generator $g$ and $y \leftarrow G$, find $x \in \mathbb{Z}_p$ with $g^x = y$.
DLog assumption:
• $\forall$ PPT $A$: $\Pr\left[ x' = x : x \leftarrow \mathbb{Z}_p,\ x' \leftarrow A(1^k, g, g^x) \right]$ is negligible.
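
DLog one-time signature
$\Sigma = (\mathsf{Gen}, \mathsf{Sign}, \mathsf{Vfy})$ with message space $\mathbb{Z}_p$:
• $\mathsf{Gen}(1^k)$: $x \leftarrow \mathbb{Z}_p^*$, $\omega \leftarrow \mathbb{Z}_p$, $h := g^x$, $c := g^\omega$; $pk = (g, h, c)$, $sk = (x, \omega)$
• $\mathsf{Sign}(sk, m)$: $\sigma = \dfrac{\omega - m}{x}$
• $\mathsf{Vfy}(pk, m, \sigma)$: $c \stackrel{?}{=} g^m h^\sigma$
Correctness: $g^m h^\sigma = g^{m + x\sigma} = g^{m + x \cdot \frac{\omega - m}{x}} = g^\omega = c$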
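
Added example (not from the lecture slides): the scheme above over a constructed toy group, together with the reason a key pair may sign only one message, namely that two signatures already determine $sk$. The group parameters and the helper name `recover_sk` are assumptions of this example.

```python
import secrets

# Constructed toy group (assumption, far too small for real use):
# the order-p subgroup of Z_q^* with q = 2p + 1.
Q_MOD = 2039   # modulus q (prime)
P = 1019       # prime group order |G| = p
G = 4          # generator g of the order-p subgroup

def gen():
    x = 1 + secrets.randbelow(P - 1)              # x <- Z_p^*
    w = secrets.randbelow(P)                      # omega <- Z_p
    pk = (G, pow(G, x, Q_MOD), pow(G, w, Q_MOD))  # pk = (g, h, c)
    return pk, (x, w)                             # sk = (x, omega)

def sign(sk, m):
    x, w = sk
    return (w - m) * pow(x, -1, P) % P            # sigma = (omega - m) / x in Z_p

def vfy(pk, m, sigma):
    g, h, c = pk
    return c == pow(g, m, Q_MOD) * pow(h, sigma, Q_MOD) % Q_MOD

def recover_sk(m1, s1, m2, s2):
    """Two signatures under one key are two linear equations in (x, omega):
    s1 - s2 = (m2 - m1) / x, so x and then omega follow directly."""
    x = (m2 - m1) * pow((s1 - s2) % P, -1, P) % P
    w = (m1 + x * s1) % P
    return x, w

if __name__ == "__main__":
    pk, sk = gen()
    s1, s2 = sign(sk, 123), sign(sk, 456)
    print(vfy(pk, 123, s1), vfy(pk, 456, s1))
    print(recover_sk(123, s1, 456, s2) == sk)
```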

DLog one-time signature: security
Theorem 28: For every EUF-1-naCMA adversary $A$ on $\Sigma$ with runtime $t_A$ and success probability $\epsilon_A$, there is an adversary $B$ on the DLog problem in $G$ that runs in time $t_B \approx t_A$ and has success probability $\epsilon_B \geq \epsilon_A$.
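
DLog one-time signature: security
• Details: blackboard.
• Overview: $B$ plays the DLog problem against the challenger $C_{\mathrm{Dlog}}$ and the EUF-1-naCMA game against $A$.
  – $C_{\mathrm{Dlog}}$: $x \leftarrow \mathbb{Z}_p$, $h := g^x$; sends $g, h$ to $B$
  – $A$ sends $m \in \mathbb{Z}_p$ to $B$
  – (1) $B$: compute $c, \sigma$ suitably; sends $pk = (g, h, c)$, $\sigma$ to $A$
  – $A$ outputs $m^*, \sigma^*$
  – (2) $B$ outputs $x$ to $C_{\mathrm{Dlog}}$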

One-time signatures based on RSA
Setting:
• $N = P \cdot Q$, for large primes $P$, $Q$
• $\varphi(N) = (P - 1)(Q - 1) = |\mathbb{Z}_N^*|$
• Choose $e \in \mathbb{N}$ uniformly between 1 and $\varphi(N)$ with $\gcd(e, \varphi(N)) = 1$.
• Then $d \in \mathbb{N}$ with $e \cdot d \equiv 1 \bmod \varphi(N)$ can be found efficiently from $\varphi(N)$ and $e$.
• For $x \in \mathbb{Z}_N$, we have $x^{e \cdot d} \equiv x \bmod N$.

RSA problem/assumption
RSA problem:
• Given $N$, $e$ as above and $y \leftarrow \mathbb{Z}_N$, find $x \in \mathbb{Z}_N$ with $x^e \equiv y \bmod N$.
RSA assumption:
• $\forall$ PPT $A$: $\Pr\left[ x^e = y \bmod N : N, e \text{ as above},\ y \leftarrow \mathbb{Z}_N,\ x \leftarrow A(1^k, N, e, y) \right]$ is negligible.

RSA one-time signature
$\Sigma = (\mathsf{Gen}, \mathsf{Sign}, \mathsf{Vfy})$ with message space $\{0, \ldots, 2^n - 1\}$:
$\mathsf{Gen}(1^k)$:
• choose primes $P$, $Q$, set $N := P \cdot Q$
• uniformly choose prime $e$ with $2^n < e < \varphi(N)$ (and $\gcd(e, \varphi(N)) = 1$)
• $d := e^{-1} \bmod \varphi(N)$
• $J, c \leftarrow \mathbb{Z}_N$
• $pk = (N, e, J, c)$
• $sk = d$

RSA one-time signature: Sign & Vfy
$sk = d = e^{-1} \bmod \varphi(N)$, $pk = (N, e, J, c)$
• $\mathsf{Sign}(sk, m)$: $\sigma \equiv \left( \dfrac{c}{J^m} \right)^d \bmod N$
• $\mathsf{Vfy}(pk, m, \sigma)$: $c \stackrel{?}{\equiv} J^m \sigma^e \bmod N$
Correctness: $J^m \sigma^e \equiv J^m \left( \dfrac{c}{J^m} \right)^{e \cdot d} \equiv J^m \cdot \dfrac{c}{J^m} \equiv c \bmod N$

RSA one-time signature: security
Prime-$e$-RSA problem/assumption: like RSA problem and assumption, but with $e$ chosen as prime between $2^n$ and $\varphi(N)$. (Asymptotically: RSA assumption $\Rightarrow$ prime-$e$-RSA assumption!)
Theorem 30: For every EUF-1-naCMA adversary $A$ on $\Sigma$ with runtime $t_A$ and success probability $\epsilon_A$, there is an adversary $B$ on the prime-$e$-RSA assumption that computes $x \in \mathbb{Z}_N$ with $x^e \equiv y \bmod N$ in time $t_B \approx t_A$ with success probability $\epsilon_B \geq \epsilon_A$.

Shamir's trick
Lemma 31: Let $J, S \in \mathbb{Z}_N$ and $e, f \in \mathbb{Z}$ with
• $\gcd(e, f) = 1$
• $J^f \equiv S^e \bmod N$.
Then, given $N \in \mathbb{Z}$ and $(J, S, e, f) \in \mathbb{Z}_N^2 \times \mathbb{Z}^2$, it is possible to efficiently compute $x \in \mathbb{Z}_N$ with $x^e \equiv J \bmod N$.
Proof: blackboard.
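
Added example (not from the lecture slides, whose proof is left to the blackboard): Lemma 31 computed with the extended Euclidean algorithm and applied to the RSA one-time signature defined earlier. It goes one step beyond the lemma by showing that two signatures under one key yield an $e$-th root of $J$, which is why $e$ is a prime above $2^n$ and each key signs once; the toy parameters and all function names are assumptions.

```python
# Constructed toy parameters (assumptions, far too small for real use).
N, PHI = 61 * 53, 60 * 52   # N = P*Q, phi(N) = (P-1)(Q-1)
E = 17                      # prime e with 2^n < e < phi(N), here n = 3
D = pow(E, -1, PHI)         # d = e^-1 mod phi(N)
J, C = 1234, 2021           # J, c in Z_N, fixed here instead of random

def egcd(a, b):
    """Return (g, u, v) with u*a + v*b == g and g == +-gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, u, v = egcd(b, a % b)
    return g, v, u - (a // b) * v

def shamir_trick(n, j, s, e, f):
    """Given j^f = s^e mod n and gcd(e, f) = 1, return x with x^e = j mod n.
    Assumes j and s are invertible mod n (negative exponents are used)."""
    g, a, b = egcd(e, f)
    if g < 0:
        g, a, b = -g, -a, -b
    if g != 1:
        raise ValueError("e and f must be coprime")
    # a*e + b*f = 1, so (j^a * s^b)^e = j^(a*e) * (s^e)^b = j^(a*e + b*f) = j
    return pow(j, a, n) * pow(s, b, n) % n

def sign(m):
    return pow(C * pow(J, -m, N) % N, D, N)       # sigma = (c / J^m)^d mod N

def vfy(m, sigma):
    return C == pow(J, m, N) * pow(sigma, E, N) % N

def root_from_two_signatures(m1, s1, m2, s2):
    # J^m1 * s1^e = c = J^m2 * s2^e  =>  J^(m1 - m2) = (s2 / s1)^e
    # |m1 - m2| < 2^n < e and e is prime, hence gcd(e, m1 - m2) = 1.
    s = s2 * pow(s1, -1, N) % N
    return shamir_trick(N, J, s, E, m1 - m2)

if __name__ == "__main__":
    s1, s2 = sign(2), sign(5)
    x = root_from_two_signatures(2, s1, 5, s2)
    print(vfy(2, s1), vfy(5, s2), pow(x, E, N) == J)
```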
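
RSA one-time signatures: security
• Details: see blackboard.
• Overview: $B$ plays the prime-$e$-RSA problem against the challenger $C_{\mathrm{RSA}}$ and the EUF-1-naCMA game against $A$.
  – $C_{\mathrm{RSA}}$: $N = P \cdot Q$, $e > 2^n$, $y \leftarrow \mathbb{Z}_N$; sends $N, e, y$ to $B$
  – $A$ sends $m \in [0, 2^n - 1]$ to $B$
  – (1) $B$: compute $J, c, \sigma$ suitably; sends $pk = (N, e, J, c)$, $\sigma$ to $A$
  – $A$ outputs $m^*, \sigma^*$
  – (2) $B$ outputs $x$ to $C_{\mathrm{RSA}}$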