

  1. Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1

  2. Outline
     • Pairings
     • Boneh-Lynn-Shacham (BLS) signatures

  5. Pairings
     Definition 78 (Pairings): Let $G_1, G_2, G_T$ be groups of prime order $p$. A pairing is a map $e : G_1 \times G_2 \to G_T$ with the following properties:
     1) Bilinearity: $\forall g_1, g_1' \in G_1,\ g_2, g_2' \in G_2$:
        $e(g_1 \cdot g_1', g_2) = e(g_1, g_2) \cdot e(g_1', g_2)$
        $e(g_1, g_2 \cdot g_2') = e(g_1, g_2) \cdot e(g_1, g_2')$
        $\Rightarrow e(g_1^a, g_2) = e(g_1, g_2)^a = e(g_1, g_2^a)$, which enables one multiplication in the exponent.

  8. Pairings
     2) Non-degeneracy: for all generators $g_1 \in G_1$, $g_2 \in G_2$:
        $e(g_1, g_2) \neq 1 \;\overset{|G_T| \text{ prime}}{\iff}\; e(g_1, g_2)$ generates $G_T$
     3) $e$ efficiently computable
     Note: there are also pairings over groups of non-prime order.

  10. Pairings: remarks
     • $G_1, G_2$ often elliptic curves (“source groups”)
     • $G_T \subseteq \mathbb{F}_Q^*$ (“target group”)
     • Pairing operation less efficient than exponentiation
     Original (cryptographic) application:
     • Cryptanalysis
     • Example: assuming DLog easier in $G_T$ than in $G_i$, then $e$ helps to “lift/push” DLog problem from $G_i$ to $G_T$
       – given $g_1^x \in G_1$, find $x$
       – compute $e(g_1^x, g_2) = e(g_1, g_2)^x$, and then DLog of $e(g_1, g_2)^x$ in $G_T$
     • Some assumptions (like DDH) do not hold in $G_1$ if $G_1 = G_2$

  14. Types of Pairings
     Type 1: $G_1 = G_2$, “symmetric pairing” $e : G \times G \to G_T$
     Type 2: $G_1 \neq G_2$, “asymmetric pairing”. There is an efficient nontrivial homomorphism $\psi : G_2 \to G_1$
     Type 3: $G_1 \neq G_2$, “asymmetric pairing”. There is no efficient nontrivial homomorphism $\psi : G_2 \to G_1$
     Note: here, we mainly consider type-1 pairings

  15. Pairings: research
     • Pairings already very powerful (we will see examples)
     • Multilinear maps (for more source groups) would be even more powerful
     • 2012: Garg, Gentry, Halevi “Candidate Multilinear Maps from Ideal Lattices and Applications”
     • Since then many MLM candidates, attacks, improvements, applications...

  16. Joux’s 3-party key exchange
     • Like Diffie-Hellman key exchange, but for 3 parties $A$, $B$, $C$
     • That means $A$, $B$, $C$ end up with common shared key
     • $e : G \times G \to G_T$, $g$ generates $G$, $|G| = |G_T| = p$ prime

  23. Joux’s 3-party key exchange
     [Diagram: parties $A$, $B$, $C$ exchanging messages]
     • $A$ samples $a \leftarrow \mathbb{Z}_p$ and sends $g^a$ to $B$ and $C$
     • $B$ samples $b \leftarrow \mathbb{Z}_p$ and sends $g^b$ to $A$ and $C$
     • $C$ samples $c \leftarrow \mathbb{Z}_p$ and sends $g^c$ to $A$ and $B$
     • $A$ computes $k = e(g^b, g^c)^a = e(g, g)^{abc}$
     • $B$ computes $k = e(g^a, g^c)^b = e(g, g)^{abc}$
     • $C$ computes $k = e(g^a, g^b)^c = e(g, g)^{abc}$
     • Shared key is $k = e(g, g)^{abc}$
     • Order of exchanged messages does not matter
     • (Multilinear map → more parties)

  24. Socrative: self-checking with quizzes
     • Use following URL: https://b.socrative.com/login/student
     • ...and enter room “HOFHEINZ8872”
     • Will also be in chat (so you can click on link)
     • No registration necessary
     • Quiz about pairings starts now!

  25. Boneh-Lynn-Shacham signatures
     • Simple pairing-based signature scheme
     • Short signatures
     • EUF-CMA secure in random oracle model
     In the following:
     • $G, G_T$ groups, $|G| = |G_T| = p$ prime, $\langle g \rangle = G$
     • $e : G \times G \to G_T$ pairing
     • Hash function $H : \{0,1\}^* \to G \setminus \{1\}$

  27. BLS signatures
     $\mathsf{Gen}(1^k)$:
     • $x \leftarrow \mathbb{Z}_p^*$
     • $pk = (g, g^x)$, $sk = x$
     $\mathsf{Sign}(sk, m)$:
     • $\sigma := H(m)^x \in G$
     $\mathsf{Vfy}(pk, m, \sigma)$:
     • $e(H(m), g^x) \stackrel{?}{=} e(\sigma, g)$
     Correctness: $e(H(m), g^x) = e(H(m), g)^x = e(H(m)^x, g) = e(\sigma, g)$
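The following added example (not part of the original slides) runs Joux's 3-party key exchange and BLS Gen/Sign/Vfy over a deliberately insecure toy type-1 pairing, so that the equations on the slides can be checked by execution. The parameters `P`, `Q`, `GT_GEN`, the class `G` and all function names are assumptions made for this illustration; the toy stores each element's discrete log and therefore offers no security.

```python
# Added example: INSECURE toy symmetric pairing, for checking the algebra only.
# Each element of G is stored as its discrete log to base g, so DLog and CDH
# are trivial here; real schemes use elliptic-curve pairing groups.
import hashlib
import secrets

P = 1019            # prime order p of G and G_T (constructed toy value)
Q = 2 * P + 1       # 2039 is prime, so Z_Q^* has a subgroup of order P
GT_GEN = 4          # a square != 1 mod Q, hence of order P; plays e(g, g)

class G:
    """Element g^k of G, written multiplicatively as on the slides."""
    def __init__(self, k):
        self.k = k % P
    def __mul__(self, other):          # g^a * g^b = g^(a+b)
        return G(self.k + other.k)
    def __pow__(self, x):              # (g^a)^x = g^(a*x)
        return G(self.k * x)
    def __eq__(self, other):
        return self.k == other.k

g = G(1)                               # generator of G

def e(u, v):
    """Pairing e: G x G -> G_T with e(g^a, g^b) = e(g, g)^(ab)."""
    return pow(GT_GEN, u.k * v.k % P, Q)

def H(m: bytes) -> G:
    """Hash into G \\ {1} (exponent in 1..P-1); stand-in for the random oracle."""
    return G(1 + int.from_bytes(hashlib.sha256(m).digest(), "big") % (P - 1))

def gen():
    x = 1 + secrets.randbelow(P - 1)   # x <- Z_p^*
    return (g, g ** x), x              # pk = (g, g^x), sk = x

def sign(sk, m):
    return H(m) ** sk                  # sigma := H(m)^x

def vfy(pk, m, sigma):
    return e(H(m), pk[1]) == e(sigma, pk[0])   # e(H(m), g^x) ?= e(sigma, g)

def joux_keys(a, b, c):
    """Keys derived by A, B, C, each from the two broadcasts it receives."""
    ga, gb, gc = g ** a, g ** b, g ** c
    return pow(e(gb, gc), a, Q), pow(e(ga, gc), b, Q), pow(e(ga, gb), c, Q)
```
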

  29. The computational Diffie-Hellman (CDH) problem
     • Given $(g, g^x, g^y)$, compute $g^{xy}$ (for random $g$ and $x, y \leftarrow \mathbb{Z}_p^*$).
     CDH assumption:
     • $\forall$ PPT $A$: $\Pr[g \text{ random},\ x, y \leftarrow \mathbb{Z}_p^* : A(1^k, g, g^x, g^y) = g^{xy}]$ is negligible.
     Note: group $G$ and order $p$ may depend on security parameter $k$.

  30. BLS signatures: security
     Theorem 85: Assuming $H$ is modeled as a random oracle, then
     • for every adversary $A$ that breaks the EUF-CMA security of the BLS signature scheme in time $t_A$ with success $\epsilon_A$,
     • there is an adversary $B$ that solves the CDH problem in $G$ in time $t_B \approx t_A$ with success $\epsilon_B \geq \frac{\epsilon_A}{q_H}$,
     where $q_H$ is the number of random oracle queries $A$ makes.
     Proof idea: conceptually very similar to RSA-FDH, details up next.

  32. BLS: security proof
     Simulation/reduction strategy:
     • $A$ has to explicitly query $H$ for hash values (also for $m^*$)
     • Intercept these queries and simulate RO for $A$
     • $B$ can implement RO for $A$ as follows:
       – guess index $i^*$ of message for which $A$ forges a signature (i.e., guess when $m^*$ is being queried)
       – choose hash values $h_i$ (for $i \neq i^*$) such that signature is known
       – embed (part of) CDH challenge into $h_{i^*}$ as $h_{i^*} = g^y$ (for the last part of the given CDH challenge $g, g^x, g^y$)

  33. BLS: security proof
     • Assume that $A$ outputs valid forgery $(m^*, \sigma^*)$.
     • We will assume (wlog) that $A$ has always queried $H(m^*)$.
       – Given an $A$ that sometimes does not query $H(m^*)$, can construct an $A'$ that always does before submitting forgery

  36. BLS: reduction to CDH problem
     [Diagram: CDH problem on the left, EUF-CMA on the right; parties $C_{\mathrm{CDH}}$, $B$, $A$]
     • $C_{\mathrm{CDH}}$ chooses $g, x, y$ and sends $g, g^x, g^y$ to $B$
     • $B$ sends $pk = (g, g^x)$ to $A$
