Short Digital Signatures and ID-KEMs via Truncation Collision Resistance




  1. Short Digital Signatures and ID-KEMs via Truncation Collision Resistance. Tibor Jager (Paderborn University), Rafael Kurek (Paderborn University)

  2. Contributions
     • New security notion for standard hash functions
     • Truncation-Collision Resistance
     • New digital signature scheme and ID-KEM
     • From selective to full security in the standard model
     • Solving an open problem: single element in a prime-order group

  3. Random Oracle Model [BR93]: "Cryptographic hash function modelled as a truly random function"
     • (Simple) proofs ✅
     • Strong security properties ✅
     • Short, fully secure signatures [BLS01, BB04]
     • Short, fully secure ID-KEMs [BF01, BB04]

  4. Random Oracle Model [BR93]: "Cryptographic hash function modelled as a truly random function"
     • (Simple) proofs ✅
     • Strong security properties ✅
     • Short, fully secure signatures [BLS01, BB04]
     • Short, fully secure ID-KEMs [BF01, BB04]
     • Unclear security guarantees for implementations [CGH02] ❌
     • Unclear which security property is required ❌

  5. Random Oracle Model [BR93]: "Cryptographic hash function modelled as a truly random function"
     • (Simple) proofs ✅
     • Strong security properties ✅
     • Short, fully secure signatures [BLS01, BB04]
     • Short, fully secure ID-KEMs [BF01, BB04]
     • Unclear security guarantees for implementations [CGH02] ❌
     • Unclear which security property is required ❌
     Looking for a reasonable complexity assumption on standard cryptographic hash functions to avoid the ROM

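  6. Problem of turning selective into adaptive security

  7. Problem of turning selective into adaptive security. [Diagram: Selective Adversary and Adaptive Adversary; labels: $M^*$, $pk$, $M^* \leftarrow \{0,1\}^k$]

  8. Problem of turning selective into adaptive security. [Diagram: Selective Adversary and Adaptive Adversary; labels: $M^*$, $pk$, $pk$, $M^* \leftarrow \{0,1\}^k$]

  9. Problem of turning selective into adaptive security. [Diagram: Selective Adversary and Adaptive Adversary; labels: $M^*$, $pk$, $pk$, $M^* \leftarrow \{0,1\}^k$, $m_i$, $\sigma_i$]

  10. Problem of turning selective into adaptive security. [Diagram: Selective Adversary and Adaptive Adversary; labels: $M^*$, $pk$, $pk$, $M^* \leftarrow \{0,1\}^k$, $m_i$, $\sigma_i$, $(m^*, \sigma^*)$, $\sigma^*$]

  11. Problem of turning selective into adaptive security. [Diagram: Selective Adversary and Adaptive Adversary; labels: $M^*$, $pk$, $pk$, $M^* \leftarrow \{0,1\}^k$, $m_i$, $\sigma_i$, $(m^*, \sigma^*)$, $\sigma^*$] Conditions: $M^* = m^*$ and $M^* \neq m_i \;\forall i$

  12. Problem of turning selective into adaptive security. [Diagram: Selective Adversary and Adaptive Adversary; labels: $M^*$, $pk$, $pk$, $M^* \leftarrow \{0,1\}^k$, $m_i$, $\sigma_i$, $(m^*, \sigma^*)$, $\sigma^*$]
     ROM: $\epsilon_{selective} \approx poly(k)^{-1} \cdot \epsilon_{adaptive}$
     Standard: $\epsilon_{selective} \approx 2^{-k} \cdot \epsilon_{adaptive}$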

  13. Collision Resistance

  14. Collision Resistance. A hash function H is Collision Resistant if Pr[A finds collision] < negl(k) for all ppt adversaries A.

  15. Truncation Collision Resistance

  16. Truncation Collision Resistance. A hash function H is Truncation-Collision Resistant if Pr[A finds collision for prefix of length i] < $\frac{t(t-1)}{2^{i+1}}$ for all probabilistic t-time adversaries A.

  17. Truncation Collision Resistance. A hash function H is Truncation-Collision Resistant if Pr[A finds collision for prefix of length i] < $\frac{t(t-1)}{2^{i+1}}$ for all probabilistic t-time adversaries A. (Related to the birthday bound)

  18. Main property. H(x) = 1010011000111000111101110011001101100010

  19. Main property. H(x) = 1010011000111000111101110011001101100010. [Annotation: Easier to guess]

  20. Main property. H(x) = 1010011000111000111101110011001101100010. [Annotations: Easier to guess; More collision resistant]

  21. Main property. H(x) = 1010011000111000111101110011001101100010. [Annotations: Easier to guess; More collision resistant] For every adversary A there exists a prefix length j such that the prefix of length j is collision resistant and easy to guess.

  22. Generic construction from selective to adaptive secure signatures without ROM

  23. Generic construction from selective to adaptive secure signatures without ROM. [Diagram: m is input to H(·), where H is Tru-CR; outputs $H_1(m)$, $H_2(m)$, $H_{2^2}(m)$, $H_{2^{\log k}}(m)$; $H_i$: prefix of length i]

  24. Generic construction from selective to adaptive secure signatures without ROM. [Diagram: m is input to H(·), where H is Tru-CR; $H_1(m)$ → Sig($sk_0$, ·); $H_2(m)$ → Sig($sk_1$, ·); $H_{2^2}(m)$ → Sig($sk_2$, ·); $H_{2^{\log k}}(m)$ → Sig($sk_{\log k}$, ·); $\sigma = (\sigma_1, .., \sigma_{\log k})$; $H_i$: prefix of length i; Sig is selectively secure]

  25. Proof sketch

  26. Proof sketch. [Diagram: Adaptive Adversary and Selective Adversary] Breaking the weak scheme with message length j

  27. Proof sketch. [Diagram: Adaptive Adversary and Selective Adversary; labels: $pk = (pk_0, ..., pk^*, …)$, $M^*$, $M^* \leftarrow \{0,1\}^j$, $pk^*$, $(pk_i, sk_i) \leftarrow KeyGen$]

  28. Proof sketch. [Diagram: Adaptive Adversary and Selective Adversary; labels: $pk = (pk_0, ..., pk^*, …)$, $M^*$, $M^* \leftarrow \{0,1\}^j$, $pk^*$, $(pk_i, sk_i) \leftarrow KeyGen$, $m$, $H_j(m)$, $\sigma_j$, $\sigma = (\sigma_0, …, \sigma_j, ...)$, $\sigma_i = Sig(sk_i, H_{2^i}(m))$]

  29. Proof sketch. [Diagram: Adaptive Adversary and Selective Adversary; labels: $pk = (pk_0, ..., pk^*, …)$, $M^*$, $M^* \leftarrow \{0,1\}^j$, $pk^*$, $(pk_i, sk_i) \leftarrow KeyGen$, $m$, $H_j(m)$, $\sigma_j$, $\sigma = (\sigma_0, …, \sigma_j, ...)$, $\sigma_i = Sig(sk_i, H_{2^i}(m))$, $m^*, \sigma^* = (\sigma_0^*, …, \sigma_j^*, …)$, $\sigma_j^*$]

  30. Proof sketch. [Diagram: Adaptive Adversary and Selective Adversary; labels: $pk = (pk_0, ..., pk^*, …)$, $M^*$, $M^* \leftarrow \{0,1\}^j$, $pk^*$, $(pk_i, sk_i) \leftarrow KeyGen$, $m$, $H_j(m)$, $\sigma_j$, $\sigma = (\sigma_0, …, \sigma_j, ...)$, $\sigma_i = Sig(sk_i, H_{2^i}(m))$, $m^*, \sigma^* = (\sigma_0^*, …, \sigma_j^*, …)$, $\sigma_j^*$] Guess of $H_j(m^*)$? ✅ No collision? ✅ (Truncation-CR)
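
Added example (not from the slides or the authors): a Python sketch of the bound on slides 16-17 and the guess/collision trade-off on slides 18-21, with SHA-256 standing in for H. It computes the bound t(t-1)/2^(i+1), runs a birthday search on i-bit prefixes to compare against it, and picks a power-of-two prefix length for a given t. The function names, the counter-based inputs and the 1/2 threshold are assumptions of this example.

```python
import hashlib
from fractions import Fraction

def prefix(data: bytes, i: int) -> int:
    """H_i(data): the first i bits of SHA-256(data), as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - i)

def tcr_bound(t: int, i: int) -> Fraction:
    """Slide 16 bound t(t-1)/2^(i+1) for an i-bit prefix collision, capped at 1."""
    return min(Fraction(1), Fraction(t * (t - 1), 2 ** (i + 1)))

def find_prefix_collision(i: int, t: int, tag: bytes = b""):
    """Birthday search using at most t hash evaluations; returns (x, y) or None."""
    seen = {}
    for ctr in range(t):
        x = tag + ctr.to_bytes(8, "big")   # constructed inputs: tag || counter
        h = prefix(x, i)
        if h in seen:
            return seen[h], x
        seen[h] = x
    return None

def success_rate(i: int, t: int, trials: int) -> float:
    """Fraction of independent t-evaluation searches that hit an i-bit collision."""
    hits = sum(find_prefix_collision(i, t, n.to_bytes(4, "big")) is not None
               for n in range(trials))
    return hits / trials

def pick_prefix_length(t: int, k: int = 256, threshold=Fraction(1, 2)) -> int:
    """Smallest power-of-two prefix length <= k whose collision bound is <= threshold.
    The threshold is an assumption of this example, not a parameter from the slides."""
    length = 1
    while length <= k:
        if tcr_bound(t, length) <= threshold:
            return length
        length *= 2
    raise ValueError("no prefix length up to k meets the threshold")

if __name__ == "__main__":
    t = 64
    for i in (8, 16, 32):
        # columns: prefix length, bound, measured collision rate, guess probability
        print(i, float(tcr_bound(t, i)), success_rate(i, t, 200), 2.0 ** -i)
    j = pick_prefix_length(2 ** 20)
    print("t = 2^20: prefix length", j, "guess probability 2^-%d" % j)
```

For t = 2^20 the selected prefix length is 64 bits: collisions on it are bounded below 2^-25, while a blind guess of the prefix still succeeds with probability 2^-64 rather than 2^-256 for the full output.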
