Tightly-Secure Signatures from Chameleon Hash Functions NIST, Maryland , PKC 2015 Olivier Blazy 1 , Saqib A. Kakvi 2 , Eike Kiltz 2 , Jiaxin Pan 2 1 University of Limoges, France 2 Ruhr University Bochum, Germany
Keywords 1. Signatures 2. Tight Security 3. Chameleon Hash Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 2/30
Signature ⊲ ( pk , sk ) ← $ Gen ⊲ σ ← $ Sign ( sk , M ) ⊲ 0 / 1 ← Ver ( pk , M , σ ) Correctness: ∀ ( pk , sk ) ← $ Gen , Ver ( pk , M , Sign ( sk , M )) = 1 Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 3/30
UF-CMA Security Challenger Adversary ( pk , sk ) ← $ Gen pk M i σ i ← $ Sign ( sk , M i ) σ i ( M , σ ) Adversary wins: Ver ( pk , M , σ ) = 1 ∧ M / ∈ { M 1 , . . . , M Q } Q is the number of signing queries. Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 4/30
Provable Security g, A ← $ G Adversary DLOG Reduction a ∈ Z p A = g a Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 5/30
Provable Security g, A ← $ G “ DLOG problem is hard ⇒ scheme is secure” Adversary DLOG Reduction a ∈ Z p A = g a Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 5/30
◮ Let k be the security parameter, Adv [ Sig ] < f ( k ) · Adv [ DLOG ] Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 6/30
Tight Security Adv [ Sig ] < f ( k ) · Adv [ DLOG ] ◮ “Tight” if f ( k ) = O (1) ◮ “Loose” if f ( k ) = O ( Q ) Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 7/30
Why “tight”? ◮ In practice: ◦ We want efficient schemes! ◦ Smaller security parameters! Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 8/30
For example ◮ We want 80-bit security and Q = 2 40 Tight scheme ⊲ Adv [ Sig ] < Adv [ DLOG ] < 2 − 80 = ⇒ We need DLOG problem with 80-bit security = ⇒ | p | = 160 (by the best DLOG attack) Loose Scheme ⊲ Adv [ Sig ] < 2 40 · Adv [ DLOG ] < 2 − 80 ⇒ Adv [ DLOG ] < 2 − 120 = = ⇒ We need DLOG problem with 120-bit security = ⇒ | p | = 240 (by the best DLOG attack) Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 9/30
Signatures in the Standard Model ◮ Loose Reduction ◦ e.g. Waters ’05 ◮ Non-standard/“ Q -Type” Assumptions ◦ e.g. Boneh-Boyen ’04 ◮ Exceptions: . . . Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 10/30
Tight Signatures from Standard Assumptions ◮ CRYPTO ’96 Cramer-Damgård: RSA ◮ PKC ’05 Catalano-Gennaro: Factoring ◮ CRYPTO ’12 Hofheinz-Jager: DLIN Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 11/30
Tight Signatures from Standard Assumptions ◮ CRYPTO ’96 Cramer-Damgård: RSA ◮ PKC ’05 Catalano-Gennaro: Factoring ◮ CRYPTO ’12 Hofheinz-Jager: DLIN Question Generic constructions for tight signatures? Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 11/30
Our Contribution TSIG[DLOG] DLOG TSIG[SIS] SIS TSIG[CDH] CDH Transformation TSIG[DLIN] DLIN TSIG[RSA] RSA . . . TSIG[. . .] Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 12/30
Our Contribution Two-Tier Signature Tight Signature Chameleon Hash . . . DLOG SIS FAC Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 13/30
Our Contribution [BS07] Two-Tier Signature Tight Signature Chameleon Hash . . . DLOG SIS FAC Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 13/30
Two-Tier Signature ◮ Proposed by Bellare and Shoup at PKC ’07 Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 14/30
Two-Tier Signature Two-Tier Signature Signature ◮ ( ppk , psk ) ← $ PrimaryGen ◮ ( pk , sk ) ← $ Gen ◮ ( spk , ssk ) ← $ SecondaryGen ◮ σ ← $ Sign ( sk , M ) ◮ σ ← $ TTSign ( sk , ssk , M ) ◮ 0 / 1 ← Ver ( pk , M , σ ) ◮ 0 / 1 ← TTVer ( pk , spk , M , σ ) Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 15/30
Security of two-tier signature Challenger Adversary pk ( ppk , psk ) ← $ PrimaryGen M i ( spk i , ssk i ) ← $ SecondaryGen σ i ← $ TTSign ( sk , ssk i , M i ) ( σ i , spk i ) ( M , σ, spk ) Adversary wins: TTVer ( ppk , spk , M , σ ) = 1 ∧ M / ∈ { M 1 , . . . , M Q } ∧ spk = spk i for some i Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 16/30
Two-Tier Signature → Standard Signature . . . . . . . . . . . . . . . . . . . . . . . . Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 17/30
Two-Tier Signature → Standard Signature spk i ← $ SecondaryGen . . . . . . . . . . . . . . . . . . . . . . . . Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 17/30
Two-Tier Signature → Standard Signature spk i ← $ SecondaryGen . . . . . . . . . . . . . . . . . . . . . . . . M Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 17/30
Gen of Tree Signature ◮ ( ppk , psk ) ← $ PrimaryGen Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 18/30
Gen of Tree Signature ◮ ( ppk , psk ) ← $ PrimaryGen ◮ ( spk root , ssk root ) ← $ SecondaryGen . . . . . . . . . . . . Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 18/30
Gen of Tree Signature ◮ ( ppk , psk ) ← $ PrimaryGen ◮ ( spk root , ssk root ) ← $ SecondaryGen ◮ PK = ( ppk , spk root ) , sk = ( psk , ssk root ) Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 18/30
Sign( sk ,M) ◮ Step 1: Nodes Generation ◮ Step 2: Path Authentication Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 19/30
Step 1: Node Generation . . . . . . . . . . . . . . . . . . . . . . . . M Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 20/30
Step 1: Node Generation . . . . . . . . . . . . . . . . . . . . . . . . M Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 20/30
Step 1: Node Generation . . . . . . . . . . . . . . . . . . . . . . . . M Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 20/30
Step 1: Node Generation . . . . . . . . . . . . . . . . . . . . . . . . M Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 20/30
Step 1: Node Generation . . . . . . . . . . . . . . . . . . . . . . . . M Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 20/30
Step 2: Path Authentication . . . . . . . . . . . . . . . . . . . . . . . . M Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 21/30
Step 2: Path Authentication ◮ σ = TTSign ( psk , ssk parent , ( LChild || RChild )) Parent LChild RChild Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 22/30
Step 2: Path Authentication Use Two-Tier Sig to authenticate the path σ 0 . . . . . . . . . . . . . . . . . . . . . . . . M Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 23/30
Step 2: Path Authentication Use Two-Tier Sig to authenticate the path σ 0 σ 1 . . . . . . . . . . . . . . . . . . . . . . . . M Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 23/30
Step 2: Path Authentication Use Two-Tier Sig to authenticate the path σ 0 σ 1 . . . . . . . . . . . . . . . . . . . . . . . . σ L M Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 23/30
Signatures ◮ Define signature := (path, σ 1 , . . . , σ L ) ◮ Verify: ◦ Check if ( σ 1 , . . . , σ L ) are valid two-tier signatures on path Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 24/30
Security Theorem 1 Our construction is tightly secure, if the underlying two-tier signature is tightly-secure. Particularly, ◮ Adv[TreeSig] = Adv[Two-TierSig] Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 25/30
Proof Idea ◮ Simulate the signature without sk : ◦ Use two-tier signing oracle ◮ Tightly extract the two-tier forgery: ◦ Observation: ◮ Forgery path differs from signing paths ◦ “Splitting” node: the valid two-tier forgery Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 26/30
“Splitting” Node . . . . . . . . . . . . . . . . . . . . . . . . . . . M ∗ Tight Sign from CHF |Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 27/30
Recommend
More recommend
![Long-term secure signatures for the IoT Andreas Hlsing Hash-based Signature Schemes [Mer89]](https://c.sambuz.com/970279/long-term-secure-signatures-s.jpg)
