Short Digital Signatures and ID-KEMs via Truncation Collision Resistance
Tibor Jager (Paderborn University), Rafael Kurek (Paderborn University)

Contributions
• New security notion for standard Hash Functions
• Truncation-Collision Resistance
• New Digital Signature scheme and ID-KEM
• From selective to full security in Standard Model
• Solving open problem: single element in prime order group

Random Oracle Model [BR93]
“Cryptographic Hash Function modelled as truly random function”
• (Simple) proofs ✅
• Strong security properties ✅
• Short, fully secure signatures [BLS01, BB04]
• Short, fully secure ID-KEMs [BF01, BB04]
• Unclear security guarantees for implementations [CGH02] ❌
• Unclear which security property required ❌
Looking for a reasonable complexity assumption on standard Cryptographic Hash Functions to avoid the ROM

Problem of turning selective into adaptive security
[Diagram: Selective Adversary | Adaptive Adversary. Labels, in build order:]
• $M^* \leftarrow \{0,1\}^n$; $M^*$ and pk on the selective side
• pk on the adaptive side
• $m_i$, $\sigma_i$
• $(m^*, \sigma^*)$ and $\sigma^*$
• $M^* = m^*$, $M^* \neq m_i \ \forall i$
ROM: $\varepsilon_{selective} \approx poly(k)^{-1} \cdot \varepsilon_{adaptive}$
Standard: $\varepsilon_{selective} \approx 2^{-n} \cdot \varepsilon_{adaptive}$

Collision Resistance
A Hash function H is Collision Resistant if
Pr[ A finds collision ] < negl(k)
for all ppt adversaries A.

Truncation Collision Resistance
A Hash function H is Truncation-Collision Resistant if
$\Pr[\,A \text{ finds collision for prefix of length } i\,] < \frac{t(t-1)}{2^{i+1}}$
for all probabilistic t-time adversaries A.
(Related to birthday bound)

Main property
H(x) = 1010011000111000111101110011001101100010
[Diagram labels on prefixes of H(x): "Easier to guess", "More collision resistant"]
For every adversary A there exists a prefix length j such that the prefix of length j is both collision resistant and easy to guess.

Generic construction from selective to adaptive secure signatures without ROM
[Diagram: m is hashed with H(·), where H is Tru-CR; $H_i$ denotes the prefix of length i. Each prefix is signed under its own key:]
• $H_1(m)$: Sig($sk_0$, ·)
• $H_2(m)$: Sig($sk_1$, ·)
• $H_{2^2}(m)$: Sig($sk_2$, ·)
• ...
• $H_{2^{\log n}}(m)$: Sig($sk_{\log n}$, ·)
$\sigma = (\sigma_1, .., \sigma_{\log n})$
Sig selective secure

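The prefix structure and the bound from the preceding slides, as an added example that is not part of the original talk. SHA-256 stands in for H, all function names are hypothetical, and the eps/2 threshold in pick_prefix is an illustrative assumption rather than the authors' parameter choice.

```python
import hashlib
from fractions import Fraction

N_BITS = 256  # output length n of SHA-256, used here as a stand-in for H


def prefix(msg, i):
    """H_i(msg): the first i bits of H(msg), returned as a bit string."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return format(digest, f"0{N_BITS}b")[:i]


def signed_prefixes(msg):
    """The prefixes H_1, H_2, H_4, ..., H_n, one per signing key."""
    return [prefix(msg, 2 ** j) for j in range(N_BITS.bit_length())]


def birthday_bound(t, i):
    """The bound t(t-1)/2^(i+1) for a t-time adversary on an i-bit prefix."""
    return Fraction(t * (t - 1), 2 ** (i + 1))


def pick_prefix(t, eps):
    """Smallest j whose prefix length 2^j keeps the collision bound <= eps/2
    (illustrative threshold), plus the chance 2^-(2^j) of guessing H_{2^j}."""
    for j in range(N_BITS.bit_length()):
        i = 2 ** j
        if birthday_bound(t, i) <= eps / 2:
            return j, Fraction(1, 2 ** i)
    raise ValueError("no prefix of H is long enough for this adversary")


def find_collision(i, max_tries=1 << 20):
    """Birthday search over constructed counter messages for an H_i collision."""
    seen = {}
    for counter in range(max_tries):
        msg = str(counter).encode()
        p = prefix(msg, i)
        if p in seen:
            return seen[p], msg
        seen[p] = msg
    return None


if __name__ == "__main__":
    print(pick_prefix(2 ** 20, Fraction(1, 2 ** 10)))
    print(find_collision(16))
```
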
Proof sketch
[Diagram: Adaptive Adversary | Selective Adversary, breaking the weak scheme with message length j. Labels, in build order:]
• $M^* \leftarrow \{0,1\}^j$; $M^*$ sent, $pk^*$ received
• $(pk_i, sk_i) \leftarrow KeyGen$; $pk = (pk_0, ..., pk^*, …)$
• Query m: $H_j(m)$ is forwarded and answered with $\sigma_j$; $\sigma = (\sigma_0, …, \sigma_j, ...)$ with $\sigma_i = Sig(sk_i, H_{2^i}(m))$
• Forgery $m^*$, $\sigma^* = (\sigma^*_0, …, \sigma^*_j, …)$; $\sigma^*_j$ is forwarded
• Guess of $H_j(m^*)$? ✅
• Truncation-CR: No collision? ✅