
Short Digital Signatures and ID-KEMs via Truncation Collision - PowerPoint PPT Presentation

  1. Short Digital Signatures and ID-KEMs via Truncation Collision Resistance
     Tibor Jager (Paderborn University), Rafael Kurek (Paderborn University)

  2. Contributions
     • New security notion for standard Hash Functions
     • Truncation-Collision Resistance
     • New Digital Signature scheme and ID-KEM
     • From selective to full security in Standard Model
     • Solving open problem: single element in prime order group

  5. Random Oracle Model [BR93]
     “Cryptographic Hash Function modelled as truly random function”
     • (Simple) proofs ✅
     • Strong security properties ✅
     • Short, fully secure signatures [BLS01, BB04]
     • Short, fully secure ID-KEMs [BF01, BB04]
     • Unclear security guarantees for implementations [CGH02] ❌
     • Unclear which security property is required ❌
     Looking for a reasonable complexity assumption on standard Cryptographic Hash Functions to avoid the ROM

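  11. Problem of turning selective into adaptive security
     • Diagram parties: Selective Adversary, Adaptive Adversary
     • Diagram labels: $M^*$, $pk$, $pk$, $M^* \leftarrow \{0,1\}^n$, $m_i$, $\sigma_i$, $(m^*, \sigma^*)$, $\sigma^*$
     • Conditions: $M^* = m^*$ and $M^* \neq m_i \ \forall i$

  12. Problem of turning selective into adaptive security
     • Diagram parties: Selective Adversary, Adaptive Adversary
     • Diagram labels: $M^*$, $pk$, $pk$, $M^* \leftarrow \{0,1\}^n$, $m_i$, $\sigma_i$, $(m^*, \sigma^*)$, $\sigma^*$
     • ROM: $\varepsilon_{selective} \approx poly(k)^{-1} \cdot \varepsilon_{adaptive}$
     • Standard: $\varepsilon_{selective} \approx 2^{-n} \cdot \varepsilon_{adaptive}$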

  14. Collision Resistance
     A Hash function H is Collision Resistant if $\Pr[\text{A finds collision}] < negl(k)$ for all ppt adversaries A.

  17. Truncation Collision Resistance
     A Hash function H is Truncation-Collision Resistant if $\Pr[\text{A finds collision for prefix of length } i] < \frac{t(t-1)}{2^{i+1}}$ for all probabilistic t-time adversaries A. (Related to birthday bound)

  21. Main property
     • H(x) = 1010011000111000111101110011001101100010
     • Diagram labels along the bit string: "Easier to guess", "More collision resistant"
     • For every adversary A there exists a prefix length j s.t. the prefix is "Collision Resistant" and "Easy to guess" (diagram marker: "Length j")

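  24. Generic construction from selective to adaptive secure signatures without ROM
     • H Tru-CR; $H_i$: prefix of length $i$ of $H(\cdot)$
     • $m \mapsto H_1(m),\ H_2(m),\ H_{2^2}(m),\ \dots,\ H_{2^{\log n}}(m)$
     • Signed with $\mathsf{Sig}(sk_0, \cdot),\ \mathsf{Sig}(sk_1, \cdot),\ \mathsf{Sig}(sk_2, \cdot),\ \dots,\ \mathsf{Sig}(sk_{\log n}, \cdot)$ respectively
     • $\sigma = (\sigma_1, \dots, \sigma_{\log n})$
     • Sig selective secure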

  26. Proof sketch
     • Diagram parties: Adaptive Adversary, Selective Adversary
     • Breaking weak scheme with message length j

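  30. Proof sketch
     • Diagram parties: Adaptive Adversary, Selective Adversary
     • $M^* \leftarrow \{0,1\}^j$; $M^*$; $pk^*$
     • $(pk_i, sk_i) \leftarrow \mathsf{KeyGen}$; $pk = (pk_0, \dots, pk^*, \dots)$
     • $m$; $H_j(m)$; $\sigma_j$; $\sigma = (\sigma_0, \dots, \sigma_j, \dots)$ with $\sigma_i = \mathsf{Sig}(sk_i, H_{2^i}(m))$
     • $m^*$, $\sigma^* = (\sigma_0^*, \dots, \sigma_j^*, \dots)$; $\sigma_j^*$
     • Truncation-CR: Guess of $H_j(m^*)$? ✅ No collision? ✅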
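
The following Python sketch is an added example, not part of the slides. It makes the Truncation Collision Resistance definition and the "Main property" slides concrete by measuring how quickly a birthday search collides on an i-bit prefix and comparing that with the bound t(t-1)/2^(i+1). It assumes H is SHA-256 (the slides name no concrete hash); all function names and the inputs `msg-0`, `msg-1`, ... are constructed for illustration.

```python
import hashlib
from fractions import Fraction

def prefix_bits(msg: bytes, i: int) -> str:
    """H_i(msg): first i bits of SHA-256(msg) (SHA-256 is this example's choice)."""
    digest = hashlib.sha256(msg).digest()
    return "".join(f"{b:08b}" for b in digest)[:i]

def tcr_bound(t: int, i: int) -> Fraction:
    """The slide's bound t(t-1)/2^(i+1) for a t-time adversary against H_i."""
    return Fraction(t * (t - 1), 2 ** (i + 1))

def guess_probability(i: int) -> Fraction:
    """Probability that one blind guess equals a given i-bit prefix."""
    return Fraction(1, 2 ** i)

def prefix_lengths(n: int) -> list:
    """Prefix lengths 2^0, 2^1, ..., 2^(log n) used by the generic construction."""
    if n < 1 or n & (n - 1):
        raise ValueError("n must be a power of two")
    return [1 << j for j in range(n.bit_length())]

def find_prefix_collision(i: int):
    """Birthday search over constructed inputs b"msg-0", b"msg-1", ...

    Returns (x, y, t) with x != y and H_i(x) == H_i(y) after t hash evaluations.
    2^i + 1 distinct inputs must collide on i bits (pigeonhole).
    """
    seen = {}
    for t in range(2 ** i + 1):
        x = b"msg-%d" % t
        p = prefix_bits(x, i)
        if p in seen:
            return seen[p], x, t + 1
        seen[p] = x
    raise RuntimeError("unreachable for i <= 256")

if __name__ == "__main__":
    print("prefix lengths for n=256:", prefix_lengths(256))
    for i in (8, 16, 24):
        x, y, t = find_prefix_collision(i)
        print(f"i={i:2d}  guess=2^-{i}  collision after t={t} evaluations "
              f"({x!r}, {y!r})  bound t(t-1)/2^(i+1)={float(tcr_bound(t, i)):.3f}")
```

Short prefixes collide after few evaluations but are easy to guess; long prefixes are the reverse, which is the trade-off the "Main property" slide describes.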
