COS433/Math  473:  Cryptography

Mark  ZhandryPrinceton  University

Spring  2017

Last  Time

Digital  Signatures

Digital  Signatures

Algorithms:• Gen() à (sk,pk)• Sign(sk,m) à σ• Ver(pk,m,σ) à 0/1

Correctness:Pr[Ver(pk,m,Sign(sk,m))=1: (sk,pk)ßGen()] = 1

1-­‐time  Security  For  Signatures

(sk,pk)ßGen()

mσ σ ß Sign(sk,m)

(m*,σ*)

Output  1  iff:• m*≠m• Ver(pk,m*,σ*) = 1

1CMA-Adv( ) = Pr[ outputs 1]

pk

Unbounded  Use  Signatures

mi

σi

(m*,σ*)

Output  1  iff:• m*∉{m1,…}• Ver(pk,m*,σ*) = 1

CMA-Adv( ) = Pr[ outputs 1]

(sk,pk)ßGen()

σ ß Sign(sk,m)

pk

Strong  Security

mi

σi

(m*,σ*)

Output  1  iff:• (m*, σ*)∉{(m1,σ1)…}• Ver(pk,m*,σ*) = 1

CMA-Adv( ) = Pr[ outputs 1]

(sk,pk)ßGen()

σ ß Sign(sk,m)

pk

Certificates

Facilitate  public  key  infrastructure

Basically  a  signature  by  a  CA  on  your  public  key• Certifies  that  you  own  the  public  key,  not  some  adversary

Certificate  Chaining

Once  Bob’s  public  key  is  certified,  Bob  can  sign  Charlie’s  public  key

Charlie  can  then  sign  Donald’s  public  key

Donald  is  therefor  the  certified  owner  of  his  public  key

So  Far

Signature  constructions  from  RSA,  Factoring• We  will  later  also  see  constructions  from  DDH

Unfortunately,  all  in  the  random  oracle  model

Ideally:  construction  without  random  oracles• Also  from  general  assumptions

Today

One-­‐way  functions  are  sufficient  to  build  signature  schemes

Therefore,  can  build  signatures  from:• RSA,  DDH,  Block  Ciphers,  CRHF,  etc.

Limitation:• Poor  performance  in  practice

Lamport Signatures

Let  F:XàY be  a  one-­‐way  function

Let  M={0,1}n be  message  space

Gen():

x1,0

x1,1

x2,0

x2,1

x3,0

x3,1

x4,0

x4,1

x5,0

x5,1

y1,0

y1,1

y2,0

y2,1

y3,0

y3,1

y4,0

y4,1

y5,0

y5,1

ß

X

ßFyi,b=F(xi,b)

sk pk

Lamport Signatures

Sign(sk, m): (xi,mi)i=1,…,n

Ver(pk,m,σ): F(xi,mi) = yi,mi

x1,0

x1,1

x2,0

x2,1

x3,0

x3,1

x4,0

x4,1

x5,0

x5,1

y1,0

y1,1

y2,0

y2,1

y3,0

y3,1

y4,0

y4,1

y5,0

y5,1

Lamport Signatures

Theorem:  If F is  a  secure  OWF,  then  (Gen,Sign,Ver) is  a  (weakly)  secure  one-­‐time  signature  scheme

Proofy1,0

y1,1

y2,0

y2,1

y3,0

y3,1

y4,0

y4,1

y5,0

y5,1

x1,0

x1,1

x2,0

x2,1

x3,0

x3,1

x4,0

x4,1

x5,0

x5,1x1,0

x1,1

x2,0

x2,1

x3,0

x3,1

x4,0

x4,1

x5,0

x5,1

x1,0

x1,1

x2,0

x2,1

x3,0

x3,1

x4,0

x4,1

x5,0

x5,1

y1,1

y2,0 y3,0

y4,1

y5,0

Proof

Since  m*≠m, ∃i s.t. m*i≠mi

Suppose  we  know  i, mi = 1-b, m*i = b

Construct  adversary  that  inverts  OWF

Proofy*

x1,0

x1,1

x2,0

x2,1 x3,1

x4,0

x4,1

x5,0

x5,1

y1,0

y1,1

y2,0

y2,1

y*

y3,1

y4,0

y4,1

y5,0

y5,1

Fx1,0

x1,1

x2,0

x2,1

x3,0

x3,1

x4,0

x4,1

x5,0

x5,1

x1,0

x1,1

x2,0

x2,1

x*

x3,1

x4,0

x4,1

x5,0

x5,1

y1,1

y2,0 y3,0

y4,1

y5,0

x*

i,b

Proof

View  of            exactly  as  in  1-­‐time  CMA  experiment,  assuming• ith bit  of  m = b• ith bit  of  m* = 1-b

If            always  chooses  m,m* with  these  properties,  and  forges  with  probability  ε,  then            inverts  with  probability  ε

Proof

In  general,            may  choose  m,m* to  differ  at  arbitrary  places  • May  be  randomly  chosen,  may  depend  on  pk,  may  even  depend  on  σ• May  never  be  at  certain  places

How  do  we  make                still  succeed?  

Proofy*

x1,0

x1,1

x2,0

x2,1 x3,1

x4,0

x4,1

x5,0

x5,1

y1,0

y1,1

y2,0

y2,1

y*

y3,1

y4,0

y4,1

y5,0

y5,1

Fx1,0

x1,1

x2,0

x2,1

x3,0

x3,1

x4,0

x4,1

x5,0

x5,1

x1,0

x1,1

x2,0

x2,1

x*

x3,1

x4,0

x4,1

x5,0

x5,1

y1,1

y2,0 y3,0

y4,1

y5,0

x*

i,b

i,bß[n]×{0,1}

If  need  xi,b,  abort

If  no  xi,b,  abort

Proof

pk independent  of  (i,b)• m independent  of  (i,b)• Therefore,  Pr[mi=1-b]=½

Conditioned  on  mi=1-b,• Signing  succeeds• σ independent  of  i• forges  with  probability  ε,  independent  of  i

Proof

We  know  if          forges,  then  m*≠m

Since  m* independent  of  i,  have  prob at  least  1/nthat  m*i=1-mi = b

In  this  case,            succeeds  in  inverting  y* • Prob =  ½ × ε × 1/n = ε/2n

Limitations  of  Lamport Signatures

Only  weakly  secure• Why?• How  to  fix?

|pk|,|σ| >> |m|• How  to  fix?

Theorem:  Given  a  secure  OWF,  it  is  possible  to  construct  a  strongly  secure  1-­‐time  signature  scheme  where  |m| >> |pk|,|σ|

Signing  Multiple  Messages

Once  adversary  sees  two  signed  messages,  security  is  lost  (why?)

How  do  we  sign  multiple  messages?

Signature  Chaining

m1,σ1ßSign(sk1,m1)

sk1pk1

m1

Ver(pk1,m1,σ1)

Signature  Chaining

m1, σ1 = (pk2,σ1’)

sk1pk1

m1

Ver(pk1,(m1,pk2) ,σ1’)(sk2,pk2)ßGen()

σ1’ßSign(sk1, (m1,pk2) )

Signature  Chaining

m2, σ2

sk1pk1pk2

m2

Ver(pk2,m2 ,σ2)(sk2,pk2)ßGen()

σ1’ßSign(sk2, m2)

Signature  Chaining

Idea:  Bob  can  be  assured  that  pk2 was  in  fact  generated  by  Alice• If  Eve  tampered  with  pk2,  then  signature  on  first  message  would  have  been  invalid

Therefore,  Alice  can  sign  m2 using  sk2,  and  Eve  cannot  produce  a  forgery  m2’ with  valid  signature

Can  repeat  process  to  sign  arbitrarily  many  messages

Signature  Chaining

m2, σ2 = (pk3,σ2’)

sk1pk1pk2

m2

Ver(pk2,(m2,pk3) ,σ2’)(sk2,pk2)ßGen()(sk3,pk3)ßGen()

σ1’ßSign(sk2, (m2,pk3) )

Limitations

Alice  and  Bob  must  stay  synchronized• Else,  Bob  won’t  be  using  correct  public  key  to  verify

If  many  users,  every  pair  needs  to  be  syncronized• What  if  Alice  is  sending  messages  to  Bob  and  Charlie?

(Almost)  Stateless  Signature  Chaining

m2, σ2 = (m1,pk2,σ1’,pk3,σ2’)

sk1pk1

m2

Ver(pk2,(m2,pk3) ,σ2’)(sk2,pk2)ßGen()(sk3,pk3)ßGen()

σ1’ßSign(sk2, (m2,pk3) )

Ver(pk1,(m1,pk2) ,σ1’)

Still  Limitations

Now  Bob  (and  Charlie,  etc)  are  stateless

However,  Alice  is  still  stateful• Needs  to  remember  all  messages  sent  • Signature  length  grows  with  number  of  messages  signed

Signature  Trees

pk∅

pk0 pk1

σ∅ßSign(sk∅, (pk0,pk1))

pk00 pk01 pk10 pk11

σ0ßSign(sk0, (pk00,pk01))σ1ßSign(sk1, (pk10,pk11))

pk000 pk001 pk010 pk011 pk100 pk101 pk110 pk111

σ00, σ01, σ10, σ11

Signature  Trees

To  sign  mi,• Compute  σißSign(ski,mi), where  ski is  the  ith leaf• Must  include  pki in  signature  so  Bob  can  verify  σi

• Must  authenticate  pki,  so  include  σP(i) (and  pkS(i))

• Must  include  pkP(i) so  Bob  can  verify  σP(i)

• Must  auth pkP(i),  so  include  σP(P(i)) (and  pkS(P(i)))

• …

Comparison  to  Chaining

Limitations:• Bounded  number  of  messages  (2d)• Still  requires  Alice  to  keep  state  (all  the  sk’s,  pk’s).

Size  of  state  ≈  2d

Advantages:• Signature  size  ≈  d,  logarithmic  in  number  of  messages  signed

Avoid  Large  State?

Alice  keeps  PRF  key  k as  part  of  secret  key

• For  all  internal  nodes  or  leaves  i,

(ski,pki)ßGen(; PRF(k, i) )

• Alice  never  stores  signatures  or  public  keys

• Instead,  she  computes  needed  signatures/public  

keys  on  the  fly

Unbounded  Messages

Set  d=λ• Can  now  sign  up  to  2λ messages  (exponential)• Signature  size  ≈d = λ,  so  short  signatures• Size  of  state  independent  of  d,  so  short• Time  to  compute  signature?

• Only  need  pk’s,σ’s on  path  from  root  to  leaf,  plus  neighbors

• Only  O(d)=O(λ) terms• Can  efficiently  compute  from  PRF  key  k

Fully  Stateless?

So  far,  still  need  to  keep  state  to  remember  which  leaf  we  should  use  next

However,  now  we  can  do  something  different:• Instead  of  choosing  leafs  sequentially,  just  choose  leaf  at  random• Except  with  probability  O(|messages|2/2d), never  use  the  same  leaf  twice

Putting  it  Together

pk∅

iß{0,…,2d-1}

sk=(sk∅, k)

Putting  it  Together

pk∅

pk0 pk1

pk00 pk01

pk010 pk011

iß{0,…,2d-1}

sk=(sk∅, k)

(sk0,pk0)ßGen(; PRF(k, 0))(sk1,pk1)ßGen(; PRF(k, 1))(sk00,pk00)ßGen(; PRF(k, 00))(sk01,pk01)ßGen(; PRF(k, 01))…σ∅ßSign(sk∅, (pk0,pk1))σ0ßSign(sk0, (pk00,pk01))…σßSign(ski, m)

Output  all  pkj’s and  all  σ’s as  signature

Putting  it  Together

OWF  to  get  1-­‐time  signatures  (with  large  pk’s,  σ’s)

Hash  first  with  target  collision  resistances• 1-­‐time  signatures  with  small  pk’s,  σ’s

Create  tree  of  signatures  (stateful scheme)

Make  stateless  by  using  a  PRF

What’s  Known

OWF

OWP

PRG

Com

CRH TCR

PRF PRP

SKEMACAuthEncCPA

-­‐PKE

CCA-­‐PKE Sig

What’s  Known

OWF

OWP

PRG

Com

CRH TCR

PRF PRP

SKEMACAuthEncCPA

-­‐PKE

CCA-­‐PKE

Sig

Theorem:  Given  a  secure  OWF,  it  is  possible  to  construct  a  strongly  CMA-­‐secure  signature  scheme

Practical  Use?

Lamport signatures  are  fast:• Signing  is  just  revealing  part  of  your  secret  key• Verifying  is  just  a  few  OWF  evaluations

Tree-­‐based  signatures  are  a  bit  slower• Need  to  generate  many  signatures• Need  to  generate  many  public  keys• Need  many  PRF  evals

Practical  Use?

Main  limitation:  Signature  size• Basic  Lamport:  128  bits  per  message  bit• With  hashing,  need  to  sign  256  bit  messages• For  signature  trees,  signature  consists  of  d Lamportsignatures  (plus  public  keys)• dmust  be  big  enough  to  prevent  collisions• E.g.  d = 100

Overall  signature  size:  around  a  megabit

What’s  the  Smallest  Signature?

Signature  Trees:  1megabits

RSA  Hash-­‐and-­‐Sign:  2  kilobits

ECDSA:  around  512  bits

BLS:  256  bits

Are  128-­‐bit  signatures  possible?

Obfuscation-­‐Based  Signatures

Let  (MAC,Ver) be  a  message  authentication  code

Gen(): kßK• sk = k• pk = Obf( Ver(k, . , . ) )

Sign(sk,m) = MAC(k,m)Ver(pk,m,σ) = pk(m,σ)

Signature  size:  128  bits!• But  running  time,  public  key  size  is  horrible

Next  Time

Identification  protocols