Date posted: 03-May-2020

### Transcript of Digital Signatures 2020-04-07

Digital Signatures

Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung)

Digital Signatures 2020-04-07 1

Outline

Chameleon Signatures

CH functions are one-time signatures

sEUF-CMA from chameleon hashing


Chameleon signatures: motivation (recap)

[Figure: Customer, Dealer 1 and Dealer 2. Message labels: "Offer?", "100\$, σ1" (shown twice), "99\$, σ2".]

Chameleon signatures: goal (recap)

Question: can we construct a signature scheme such that...

• ...C can verify the authenticity of the offer from D1, but
• ...C cannot convince D2 that the offer came from D1?

Chameleon hash functions (Definition, recap)

A chameleon hash function CH consists of two PPT algorithms $(\mathsf{Gen}_{CH}, \mathsf{TrapColl}_{CH})$:

• $\mathsf{Gen}_{CH}(1^k)$ outputs $ch : \mathcal{M} \times \mathcal{R} \to \mathcal{N}$ and a trapdoor $\tau$
• $\mathsf{TrapColl}_{CH}(\tau, m, r, m')$, for $(m, r, m') \in \mathcal{M} \times \mathcal{R} \times \mathcal{M}$, computes $r' \in \mathcal{R}$ with

$$ch(m, r) = ch(m', r')$$

CH is collision-resistant iff for all PPT $A$,

$$\Pr\left[ (ch, \tau) \leftarrow \mathsf{Gen}_{CH}(1^k),\ A(1^k, ch) = (m, r, m', r') \;:\; ch(m, r) = ch(m', r') \land (m, r) \ne (m', r') \right]$$

is negligible in $k$.

Chameleon signatures

• Given: CH = $(\mathsf{Gen}_{CH}, \mathsf{TrapColl}_{CH})$, $ch : \mathcal{M} \times \mathcal{R} \to \mathcal{N}$
• Given: signature scheme $\Sigma' = (\mathsf{Gen}', \mathsf{Sign}', \mathsf{Vfy}')$

Construct chameleon signature $\Sigma = (\mathsf{Gen}, \mathsf{Sign}, \mathsf{Vfy})$

$\mathsf{Gen}(1^k)$:
• $(pk', sk') \leftarrow \mathsf{Gen}'(1^k)$
• $pk := pk'$, $sk := sk'$

$\mathsf{Sign}(sk, m, ch)$: ($ch$ is CH function of receiver)
• $r \leftarrow \mathcal{R}$, $ch(m, r) =: y$
• $\sigma' := \mathsf{Sign}'(sk, y)$
• $\sigma := (\sigma', r)$

$\mathsf{Vfy}(pk, m, \sigma, ch)$:
• $\mathsf{Vfy}'(pk, ch(m, r), \sigma') \stackrel{?}{=} 1$

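EUF-CMA for chameleon signatures

Game between challenger $C_{\text{EUF-CMA}}$ and adversary $A$:

• $C$: $(pk, sk) \leftarrow \mathsf{Gen}(1^k)$, $(ch, \tau) \leftarrow \mathsf{Gen}_{CH}(1^k)$
• $C \to A$: $pk, ch$
• $A \to C$: $m_i$
• $C \to A$: $\sigma_i \leftarrow \mathsf{Sign}(sk, m_i, ch)$ ($q$ adaptive queries)
• $A \to C$: $m^*, \sigma^*$
• $C$ checks: $\mathsf{Vfy}(pk, m^*, \sigma^*, ch) = 1 \land m^* \notin \{m_1, \dots, m_q\}$?

$A$ wins iff $\mathsf{Vfy}(pk, m^*, \sigma^*, ch) = 1$ and $m^* \notin \{m_1, \dots, m_q\}$

Question: is this notion “strong enough”?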

Chameleon signatures: security (not in notes)

Question: is this notion “strong enough”?

• Not realistic: adversary has “no control” over CH function in signing queries (recall: CH function of receiver should be used)
• Such control could help forging signatures
• Realistic adversary might choose/use own CH function

Attack in case of DLog-based CH (not in notes)

Suppose $A$ can choose CH function for signature queries:

• DLog-based CH used ($ch(m, r) = g^m \cdot h^r$)
• $A$ receives $ch = (g, h)$ from challenger
• $A$ chooses $ch_A := (g^a, h)$ ($a \ne 1$ chosen by $A$)
  – Valid CH function ($A$ need not prove knowledge of trapdoor)!
• $A$ queries signature of $m$ under $ch_A$ and obtains $\sigma = (\sigma', r)$.
• Then:

$$1 = \mathsf{Vfy}(pk, m, \sigma = (\sigma', r), ch_A) = \mathsf{Vfy}'(pk, ch_A(m, r), \sigma') = \mathsf{Vfy}'(pk, ch(a \cdot m, r), \sigma') = \mathsf{Vfy}(pk, a \cdot m, \sigma, ch)$$

• Since $a \ne 1$, we have $m \ne a \cdot m$
• Hence, $(a \cdot m, \sigma)$ is a valid forgery under $ch$

Note: similar attack possible with RSA-based CH function

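EUF-CMA for chameleon sigs (not in notes)

EUF-CMA variant 1, game between challenger $C_{\text{EUF-CMA}}$ and adversary $A$:

• $C$: $(pk, sk) \leftarrow \mathsf{Gen}(1^k)$, $(ch, \tau) \leftarrow \mathsf{Gen}_{CH}(1^k)$
• $C \to A$: $pk, ch$
• $A \to C$: $m_i$ / $m_i, ch_i$
• $C$: $\sigma_i \leftarrow \mathsf{Sign}(sk, m_i, ch)$ / $\sigma_i \leftarrow \mathsf{Sign}(sk, m_i, ch_i)$
• $C \to A$: $\sigma_i$
• $A \to C$: $m^*, \sigma^*$
• $C$ checks: $\mathsf{Vfy}(pk, m^*, \sigma^*, ch) = 1 \land m^* \notin \{m_1, \dots, m_q\}$?

$A$ wins iff $\mathsf{Vfy}(pk, m^*, \sigma^*, ch) = 1$ and $m^* \notin \{m_1, \dots, m_q\}$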

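EUF-CMA for chameleon sigs (not in notes)

EUF-CMA variant 2, game between challenger $C_{\text{EUF-CMA}}$ and adversary $A$:

• $C$: $(pk, sk) \leftarrow \mathsf{Gen}(1^k)$, $(ch, \tau) \leftarrow \mathsf{Gen}_{CH}(1^k)$
• $C \to A$: $pk, ch$
• $A \to C$: $m_i$ / $m_i, ch_i$
• $C$: $\sigma_i \leftarrow \mathsf{Sign}(sk, m_i, ch)$ / $\sigma_i \leftarrow \mathsf{Sign}(sk, m_i, ch_i)$
• $C \to A$: $\sigma_i$ ($q$ adaptive queries)
• $A \to C$: $m^*, \sigma^*$
• $C$ checks: $\mathsf{Vfy}(pk, m^*, \sigma^*, ch) = 1 \land m^* \notin \{m_1, \dots, m_q\}$?

$A$ wins iff $\mathsf{Vfy}(pk, m^*, \sigma^*, ch) = 1$ and $m^* \notin \{m_1, \dots, m_q\}$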

EUF-CMA

• In the following: only variant 1
• Variant 2 also achievable, but a little more difficult (need to make signatures depend on used CH)
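The forgery against the DLog-based CH from the attack slides, together with the remark that signatures should depend on the CH function used, as an added example (not from the lecture). Assumptions: a constructed toy group (p = 2039, q = 1019, g = 4), an HMAC standing in for Σ′, and a hypothetical `bind` switch that signs (ch, y) instead of y as one possible way to tie the signature to the CH function.

```python
import hashlib, hmac, secrets

# Constructed toy group: p = 2q + 1, g generates the subgroup of prime order q.
P, Q, G = 2039, 1019, 4

def ch_eval(ch, m, r):
    """DLog-based chameleon hash ch(m, r) = g^m * h^r mod p, with ch = (g, h)."""
    g, h = ch
    return pow(g, m % Q, P) * pow(h, r % Q, P) % P

# Stand-in for the underlying scheme Sigma' (assumption: an HMAC replaces a real
# signature; the attack never touches Sigma', only the value y handed to it).
SK = secrets.token_bytes(32)

def sign_prime(y: bytes) -> bytes:
    return hmac.new(SK, y, hashlib.sha256).digest()

def vfy_prime(y: bytes, s: bytes) -> bool:
    return hmac.compare_digest(sign_prime(y), s)

def encode(ch, y, bind):
    """Value given to Sigma': y alone (slide construction) or y bound to ch."""
    return repr((ch, y) if bind else y).encode()

def sign(m, ch, bind=False):
    r = secrets.randbelow(Q)
    return sign_prime(encode(ch, ch_eval(ch, m, r), bind)), r

def vfy(m, sigma, ch, bind=False):
    s, r = sigma
    return vfy_prime(encode(ch, ch_eval(ch, m, r), bind), s)

def malleability_demo(bind):
    """Sign m under ch_A = (g^a, h); report whether it verifies for a*m under ch."""
    x = secrets.randbelow(Q - 1) + 1
    ch = (G, pow(G, x, P))               # honest receiver's CH function
    a, m = 7, 123                        # constructed values, a != 1
    ch_a = (pow(G, a, P), ch[1])         # related CH function chosen by A
    sigma = sign(m, ch_a, bind)
    assert vfy(m, sigma, ch_a, bind)     # honest verification under ch_A
    return vfy(a * m % Q, sigma, ch, bind)
```

`malleability_demo(False)` reproduces the chain of equalities from the attack slide; with `bind=True` the same signature no longer verifies under the receiver's `ch`.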

Chameleon signatures: security

Theorem 45: For every PPT adversary $A(pk, ch)$ that breaks the EUF-CMA security of $\Sigma$ in time $t_A$ with success $\epsilon_A$, there is a PPT adversary $B$ that runs in time $t_B \approx t_A$ and...

• breaks the collision resistance of $ch$ with success $\epsilon_{ch} \ge \epsilon_A / 2$,
• or breaks the EUF-naCMA security of $\Sigma'$ with probability $\epsilon' \ge \epsilon_A / 2$.

Chameleon signatures: proof

EUF-CMA: Let $m_1, \dots, m_q$ be $A$’s queries, $\sigma_i = (\sigma'_i, r_i)$ the replies, and $(m^*, \sigma^* = (\sigma'^{*}, r^*))$ $A$’s forgery

Two events:

• $E_0$: There is an $i$ with $ch(m_i, r_i) = ch(m^*, r^*)$.
• $E_1$: For all $i \in \{1, \dots, q\}$, we have $ch(m_i, r_i) \ne ch(m^*, r^*)$.

Successful $A$ causes $E_0$ or $E_1$, hence

$$\epsilon_A \le \Pr[E_0] + \Pr[E_1] \;\Rightarrow\; \Pr[E_0] \ge \epsilon_A / 2 \ \text{ or } \ \Pr[E_1] \ge \epsilon_A / 2$$

Chameleon signatures: proof

• $E_0$: reduction to collision-resistance of CH
  – As usual, no surprises
• $E_1$: reduction to EUF-naCMA security of $\Sigma'$
  – Also straightforward, details on next slide

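Proof strategy to bound $\Pr[E_1]$

• Overview (challenger $C_{\Sigma'}$, reduction $B$, adversary $A$):
  – $B \to C_{\Sigma'}$: $m'_1, \dots, m'_q$
  – $C_{\Sigma'} \to B$: $pk'$
  – $B$: generate $(ch, \tau)$
  – $B \to A$: $(pk := pk', ch)$
  – $A \to B$: $m_i$
  – $B$: generate signature $\sigma_i$ for $m_i$ (choose $r_i$, generate $\Sigma'$-signature for $ch(m_i, r_i)$)
  – $B \to A$: $\sigma_i$
  – $A \to B$: $(m^*, \sigma^*)$
  – $B$: extract $\Sigma'$-forgery $(m'^{*}, \sigma'^{*})$
  – $B \to C_{\Sigma'}$: $(m'^{*}, \sigma'^{*})$
• Need to fill in details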

Proof strategy to bound $\Pr[E_1]$

• How to sign $m_i$ for $A$
  – Need to choose $r_i$, then $\Sigma'$-sign $ch(m_i, r_i)$
  – Problem: no $\Sigma'$-signing oracle ($m'_i$ chosen in advance)
  – Solution: use $\tau$ to generate $r_i$ with $ch(m_i, r_i) = m'_i$
  – This requires to set up $m'_i := ch(M_i, R_i)$ for arbitrary $M_i$ and
• How to extract a $\Sigma'$-forgery from $(m^*, \sigma^*)$
  – $\sigma^* = (r^*, \sigma'^{*})$ with $\sigma'^{*}$ a valid signature for $m'^{*} = ch(m^*, r^*)$
  – $E_1$ implies that $m'^{*} \ne m'_i$ for all $i$
  – Hence, $(m'^{*}, \sigma'^{*})$ is a valid $\Sigma'$-forgery

CH functions are one-time signatures

• Previously: constructions of CH functions similar to OTSs
• Now: transformation CH function → OTS scheme

Transformation CH → OTS

• Given: CH = $(\mathsf{Gen}_{CH}, \mathsf{TrapColl}_{CH})$
• Construct $\Sigma = (\mathsf{Gen}, \mathsf{Sign}, \mathsf{Vfy})$ as follows:

$\mathsf{Gen}(1^k)$:
• $(ch, \tau) \leftarrow \mathsf{Gen}_{CH}(1^k)$
• $(\tilde{m}, \tilde{r}) \leftarrow \mathcal{M} \times \mathcal{R}$
• $c := ch(\tilde{m}, \tilde{r})$
• $pk := (ch, c)$, $sk := (\tau, \tilde{m}, \tilde{r})$

$\mathsf{Sign}(sk, m)$:
• $r := \mathsf{TrapColl}_{CH}(\tau, \tilde{m}, \tilde{r}, m)$
• $\sigma := r$

$\mathsf{Vfy}(pk, m, \sigma)$:
• $c \stackrel{?}{=} ch(m, \sigma)$

Transformation: security

Theorem 47: $\Sigma$ is EUF-1-naCMA secure if CH is collision-resistant.

(without proof)

Note: applying this transformation to our DLog-/RSA-based CHs, we obtain the DLog-/RSA-based one-time signatures from earlier
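The CH → OTS transformation instantiated with the DLog-based CH $ch(m, r) = g^m \cdot h^r$, as an added example (not from the lecture). Assumptions: a constructed toy group (p = 2039, q = 1019, g = 4), trapdoor $x$ with $h = g^x$, and messages in $\mathbb{Z}_q$; `trapdoor_from_two` goes beyond the slides to show why a key pair must sign only one message.

```python
import secrets

# Constructed toy group: p = 2q + 1, g generates the subgroup of prime order q.
P, Q, G = 2039, 1019, 4

def gen_ch():
    """Gen_CH: ch = (g, h) with h = g^x; the trapdoor tau is x."""
    x = secrets.randbelow(Q - 1) + 1
    return (G, pow(G, x, P)), x

def ch_eval(ch, m, r):
    """ch(m, r) = g^m * h^r mod p."""
    g, h = ch
    return pow(g, m % Q, P) * pow(h, r % Q, P) % P

def trap_coll(x, m, r, m_new):
    """TrapColl_CH: solve m + x*r = m_new + x*r_new (mod q) for r_new."""
    return (r + (m - m_new) * pow(x, -1, Q)) % Q

def gen():
    """Gen of the OTS: pk = (ch, c), sk = (tau, m~, r~)."""
    ch, x = gen_ch()
    m0, r0 = secrets.randbelow(Q), secrets.randbelow(Q)
    return (ch, ch_eval(ch, m0, r0)), (x, m0, r0)

def sign(sk, m):
    """Sign: sigma := r with ch(m, r) = c, found via the trapdoor."""
    x, m0, r0 = sk
    return trap_coll(x, m0, r0, m)

def vfy(pk, m, sigma):
    """Vfy: accept iff c = ch(m, sigma)."""
    ch, c = pk
    return c == ch_eval(ch, m, sigma)

def trapdoor_from_two(m1, s1, m2, s2):
    """Why 'one-time': two signatures under one key satisfy
    m1 + x*s1 = m2 + x*s2 (mod q), which determines the trapdoor x."""
    return (m1 - m2) * pow((s2 - s1) % Q, -1, Q) % Q
```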

Socrative

Self-checking with quizzes

• Use following URL: https://b.socrative.com/login/student
• ...and enter room “HOFHEINZ8872”
• Will also be in chat (so you can click on link)
• No registration necessary
• Quiz about chameleon hashing/signatures starts now!

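Stronger forms of EUF-CMA

Game between challenger $C_{\text{EUF-CMA}}$ and adversary $A$:

• $C$: $(pk, sk) \leftarrow \mathsf{Gen}(1^k)$
• $C \to A$: $pk$
• $A \to C$: $m_i$
• $C \to A$: $\sigma_i$ ($q$ queries)
• $A \to C$: $m^*, \sigma^*$
• $C$ checks: $\mathsf{Ver}(pk, m^*, \sigma^*) = 1 \land m^* \notin \{m_1, \dots, m_q\}$?

$A$ wins iff $\mathsf{Vfy}(pk, m^*, \sigma^*) = 1$ and $m^* \notin \{m_1, \dots, m_q\}$

Question: what stronger form of security is conceivable?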

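Strong EUF-CMA (sEUF-CMA) experiment

Game between challenger $C_{\text{sEUF-CMA}}$ and adversary $A$:

• $C$: $(pk, sk) \leftarrow \mathsf{Gen}(1^k)$
• $C \to A$: $pk$
• $A \to C$: $m_i$
• $C \to A$: $\sigma_i$ ($q$ queries)
• $A \to C$: $m^*, \sigma^*$
• $C$ checks: $\mathsf{Ver}(pk, m^*, \sigma^*) = 1 \land (m^*, \sigma^*) \notin \{(m_1, \sigma_1), \dots, (m_q, \sigma_q)\}$?

$A$ wins iff $\mathsf{Vfy}(pk, m^*, \sigma^*) = 1$ and $(m^*, \sigma^*) \notin \{(m_1, \sigma_1), \dots, (m_q, \sigma_q)\}$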

Definition: sEUF-CMA

Def. 51: (sEUF-CMA) A signature scheme $\Sigma = (\mathsf{Gen}, \mathsf{Sign}, \mathsf{Vfy})$ is sEUF-CMA secure iff for all PPT $A$,

$$\Pr\left[ A^{C_{\text{sEUF-CMA}}}(pk) = (m^*, \sigma^*) \;:\; \mathsf{Vfy}(pk, m^*, \sigma^*) = 1 \land (m^*, \sigma^*) \notin \{(m_1, \sigma_1), \dots, (m_q, \sigma_q)\} \right]$$

is negligible.