  • date post

    03-May-2020
  • Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung)

    Digital Signatures 2020-04-07 1

    Outline

    Chameleon Signatures

    CH functions are one-time signatures

    sEUF-CMA from chameleon hashing


  • Chameleon signatures: motivation (recap)

    [Figure: message flow between Customer, Dealer 1 and Dealer 2, with the labels "Offer?", "100$, σ1", "100$, σ1" and "99$, σ2".]

    Chameleon signatures: goal (recap)

    Question: can we construct a signature scheme such that ...

    • ... C can verify the authenticity of the offer from D1, but
    • ... C cannot convince D2 that the offer came from D1?

  • Chameleon hash functions (Definition, recap)

    A chameleon hash function CH consists of two PPT algorithms (GenCH, TrapCollCH):

    • GenCH(1^k) outputs ch : M × R → N and a trapdoor τ
    • TrapCollCH(τ, m, r, m′), for (m, r, m′) ∈ M × R × M, computes r′ ∈ R with

      ch(m, r) = ch(m′, r′)

    CH is collision-resistant iff for all PPT A,

    $$\Pr\big[(ch, \tau) \leftarrow \mathrm{Gen}_{CH}(1^k),\ A(1^k, ch) = (m, r, m', r') \,:\, ch(m, r) = ch(m', r') \wedge (m, r) \neq (m', r')\big]$$

    is negligible in k.

    Chameleon signatures

    • Given: CH = (GenCH, TrapCollCH), ch : M × R → N
    • Given: signature scheme Σ′ = (Gen′, Sign′, Vfy′)

    Construct chameleon signature Σ = (Gen, Sign, Vfy)

    Gen(1^k):
    • (pk′, sk′) ← Gen′(1^k)
    • pk := pk′, sk := sk′

  • Chameleon signatures

    Sign(sk, m, ch): (ch is CH function of receiver)
    • r ← R, ch(m, r) =: y
    • σ′ := Sign′(sk, y)
    • σ := (σ′, r)

    Vfy(pk, m, σ, ch):
    • Vfy′(pk, ch(m, r), σ′) ?= 1

    EUF-CMA for chameleon signatures

    Experiment between challenger C_EUF-CMA and adversary A:

    • C: (pk, sk) ← Gen(1^k), (ch, τ) ← GenCH(1^k); C sends pk, ch to A
    • q adaptive queries: A sends mi; C replies with σi ← Sign(sk, mi, ch)
    • A outputs m∗, σ∗
    • C checks: Vfy(pk, m∗, σ∗, ch) = 1 ∧ m∗ ∉ {m1, ..., mq}?

    A wins iff Vfy(pk, m∗, σ∗, ch) = 1 and m∗ ∉ {m1, ..., mq}

    Question: is this notion “strong enough”?

  • Chameleon signatures: security (not in notes)

    Question: is this notion “strong enough”?

    Answer: no!

    • Not realistic: adversary has “no control” over CH function in signing queries (recall: CH function of receiver should be used)

    • Such control could help in forging signatures
    • Realistic adversary might choose/use own CH function

    Attack in case of DLog-based CH (not in notes)

    Suppose A can choose CH function for signature queries:

    • DLog-based CH used (ch(m, r) = g^m · h^r)
    • A receives ch = (g, h) from challenger
    • A chooses chA := (g^a, h) (a ≠ 1 chosen by A)
      – Valid CH function (A need not prove knowledge of trapdoor)!
    • A queries signature of m under chA and obtains σ = (σ′, r).

  • Attack in case of DLog-based CH (not in notes)

    • Then:

      $$\begin{aligned}
      1 &= \mathrm{Vfy}(pk, m, \sigma = (\sigma', r), ch_A) \\
        &= \mathrm{Vfy}'(pk, ch_A(m, r), \sigma') \\
        &= \mathrm{Vfy}'(pk, ch(a \cdot m, r), \sigma') \\
        &= \mathrm{Vfy}(pk, a \cdot m, \sigma, ch)
      \end{aligned}$$

    • Since a ≠ 1, we have m ≠ a · m
    • Hence, (a · m, σ) is a valid forgery under ch

    Note: similar attack possible with RSA-based CH function

    EUF-CMA for chameleon sigs (not in notes)

    EUF-CMA variant 1

    Experiment between challenger C_EUF-CMA and adversary A:

    • C: (pk, sk) ← Gen(1^k), (ch, τ) ← GenCH(1^k); C sends pk, ch to A
    • q adaptive queries: A sends mi, chi (in place of mi); C replies with σi ← Sign(sk, mi, chi) (in place of Sign(sk, mi, ch))
    • A outputs m∗, σ∗
    • C checks: Vfy(pk, m∗, σ∗, ch) = 1 ∧ m∗ ∉ {m1, ..., mq}?

    A wins iff Vfy(pk, m∗, σ∗, ch) = 1 and m∗ ∉ {m1, ..., mq}

  • EUF-CMA for chameleon sigs (not in notes)

    EUF-CMA variant 2

    Experiment between challenger C_EUF-CMA and adversary A:

    • C: (pk, sk) ← Gen(1^k), (ch, τ) ← GenCH(1^k); C sends pk, ch to A
    • q adaptive queries: A sends mi, chi (in place of mi); C replies with σi ← Sign(sk, mi, chi) (in place of Sign(sk, mi, ch))
    • A outputs m∗, σ∗
    • C checks: Vfy(pk, m∗, σ∗, ch) = 1 ∧ m∗ ∉ {m1, ..., mq}?

    A wins iff Vfy(pk, m∗, σ∗, ch) = 1 and m∗ ∉ {m1, ..., mq}

    EUF-CMA

    • In the following: only variant 1
    • Variant 2 also achievable, but a little more difficult (need to make signatures depend on used CH)
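
The DLog-based attack above, together with the remark that signatures need to depend on the CH function used, as an added Python example (not part of the original slides). The toy group, the Schnorr stand-in for Σ′ and the `bind` flag (Σ′ signs the pair of CH description and y) are assumptions made here, not the lecture's construction.

```python
import hashlib
import secrets

P, Q, G = 1019, 509, 4  # toy group (constructed): p = 2q + 1, g has prime order q

def ch(key, m, r):
    """DLog-based CH from the slides: key = (g, h), ch(m, r) = g^m * h^r mod p."""
    g, h = key
    return pow(g, m % Q, P) * pow(h, r % Q, P) % P

def _h(*parts):
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big")

# Sigma': toy Schnorr signature, a stand-in for the underlying scheme (assumption).
def gen_prime():
    sk = secrets.randbelow(Q - 1) + 1
    return pow(G, sk, P), sk

def sign_prime(sk, y):
    k = secrets.randbelow(Q - 1) + 1
    e = _h(pow(G, k, P), y)
    return e, (k + sk * e) % Q

def vfy_prime(pk, y, sig):
    e, s = sig
    return _h(pow(G, s, P) * pow(pk, -e, P) % P, y) == e

def sign(sk, m, key, bind=False):
    """Chameleon Sign; bind=True also signs the CH description (hypothetical fix)."""
    r = secrets.randbelow(Q)
    y = ch(key, m, r)
    return sign_prime(sk, (key, y) if bind else y), r

def vfy(pk, m, sigma, key, bind=False):
    sig_p, r = sigma
    y = ch(key, m, r)
    return vfy_prime(pk, (key, y) if bind else y, sig_p)

def transfers(bind, a=5, m=7):
    """Sign m under ch_A = (g^a, h); report whether sigma verifies for a*m under ch."""
    pk, sk = gen_prime()
    h = pow(G, secrets.randbelow(Q - 1) + 1, P)
    key, key_a = (G, h), (pow(G, a, P), h)
    sigma = sign(sk, m, key_a, bind)
    assert vfy(pk, m, sigma, key_a, bind)  # honest verification under ch_A
    return vfy(pk, a * m % Q, sigma, key, bind)

if __name__ == "__main__":
    print("unbound:", transfers(False), "bound:", transfers(True))
```

With `bind=False` the signature carries over to a · m under ch because Σ′ only ever sees y; with `bind=True` this particular transfer fails, which illustrates the dependence on the CH function but is not a proof of variant 2 security.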

  • Chameleon signatures: security

    Theorem 45: For every PPT adversary A(pk, ch) that breaks the EUF-CMA security of Σ in time t_A with success ε_A, there is a PPT adversary B that runs in time t_B ≈ t_A and ...

    • breaks the collision resistance of ch with success

      $$\varepsilon_{ch} \geq \frac{\varepsilon_A}{2},$$

    • or breaks the EUF-naCMA security of Σ′ with probability

      $$\varepsilon' \geq \frac{\varepsilon_A}{2}.$$

    Chameleon signatures: proof

    EUF-CMA: Let m1, ..., mq be A’s queries, σi = (σ′i, ri) the replies, and (m∗, σ∗ = (σ′∗, r∗)) A’s forgery

    Two events:

    • E0: There is an i with ch(mi, ri) = ch(m∗, r∗).
    • E1: For all i ∈ {1, ..., q}, we have ch(mi, ri) ≠ ch(m∗, r∗).

    Successful A causes E0 or E1, hence

    $$\varepsilon_A \leq \Pr[E_0] + \Pr[E_1] \;\Rightarrow\; \Pr[E_0] \geq \varepsilon_A/2 \ \text{ or } \ \Pr[E_1] \geq \varepsilon_A/2$$

  • Chameleon signatures: proof

    • E0: reduction to collision-resistance of CH
      – As usual, no surprises
    • E1: reduction to EUF-naCMA security of Σ′
      – Also straightforward, details on next slide

    Proof strategy to bound Pr[E1]

    • Overview (B sits between the Σ′-challenger C_Σ′ and A):
      – B sends m′1, ..., m′q to C_Σ′
      – C_Σ′ sends pk′ to B
      – B generates (ch, τ) and sends (pk := pk′, ch) to A
      – A sends mi; B generates signature σi for mi (choose ri, generate Σ′-signature for ch(mi, ri)) and sends σi to A
      – A outputs (m∗, σ∗)
      – B extracts Σ′-forgery (m′∗, σ′∗) and sends (m′∗, σ′∗) to C_Σ′
    • Need to fill in details

  • Proof strategy to bound Pr[E1]

    • How to sign mi for A
      – Need to choose ri, then Σ′-sign ch(mi, ri)
      – Problem: no Σ′-signing oracle (m′i chosen in advance)
      – Solution: use τ to generate ri with ch(mi, ri) = m′i
      – This requires setting up m′i := ch(Mi, Ri) for arbitrary Mi and random Ri in advance

    • How to extract a Σ′-forgery from (m∗, σ∗)
      – σ∗ = (σ′∗, r∗) with σ′∗ a valid signature for m′∗ = ch(m∗, r∗)
      – E1 implies that m′∗ ≠ m′i for all i
      – Hence, (m′∗, σ′∗) is a valid Σ′-forgery

    CH functions are one-time signatures

    • Previously: constructions of CH functions similar to OTSs
    • Now: transformation CH function → OTS scheme

  • Transformation CH → OTS

    • Given: CH = (GenCH, TrapCollCH)
    • Construct Σ = (Gen, Sign, Vfy) as follows:

    Gen(1^k):
    • (ch, τ) ← GenCH(1^k)
    • (m̃, r̃) ← M × R
    • c := ch(m̃, r̃)
    • pk := (ch, c), sk := (τ, m̃, r̃)

    Transformation CH → OTS

    pk := (ch, c), sk := (τ, m̃, r̃)

    Sign(sk, m):
    • r := TrapCollCH(τ, m̃, r̃, m)
    • σ := r

    Vfy(pk, m, σ):
    • c ?= ch(m, σ)

  • Transformation: security

    Theorem 47: Σ is EUF-1-naCMA secure if CH is collision-resistant.

    (without proof)

    Note: applying this transformation to our DLog-/RSA-based CHs, we obtain the DLog-/RSA-based one-time signatures from earlier

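
The CH → OTS transformation instantiated with the DLog-based chameleon hash ch(m, r) = g^m · h^r, as an added Python example (not from the original slides). It goes slightly beyond the slides by showing why the key is one-time only: two signatures under the same key reveal the trapdoor. The toy group parameters and all function names are assumptions.

```python
import secrets

P, Q, G = 1019, 509, 4  # toy group (constructed): p = 2q + 1, g has prime order q

def gen_ch():
    """GenCH: trapdoor x in Z_q^*, public h = g^x defining ch(m, r) = g^m * h^r."""
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P), x

def ch(h, m, r):
    return pow(G, m % Q, P) * pow(h, r % Q, P) % P

def trap_coll(x, m, r, m_new):
    """TrapCollCH: r' with ch(m, r) = ch(m_new, r'), from m + x*r = m_new + x*r'."""
    return (r + (m - m_new) * pow(x, -1, Q)) % Q

def ots_gen():
    h, x = gen_ch()
    m0, r0 = secrets.randbelow(Q), secrets.randbelow(Q)
    return (h, ch(h, m0, r0)), (x, m0, r0)  # pk = (ch, c), sk = (tau, m~, r~)

def ots_sign(sk, m):
    x, m0, r0 = sk
    return trap_coll(x, m0, r0, m)

def ots_vfy(pk, m, sigma):
    h, c = pk
    return ch(h, m, sigma) == c

def trapdoor_from_two(m1, s1, m2, s2):
    """Key reuse: m1 + x*s1 = m2 + x*s2 (mod q) reveals x when m1 != m2 (mod q)."""
    return (m1 - m2) * pow((s2 - s1) % Q, -1, Q) % Q

if __name__ == "__main__":
    pk, sk = ots_gen()
    s1, s2 = ots_sign(sk, 17), ots_sign(sk, 99)
    print(ots_vfy(pk, 17, s1), ots_vfy(pk, 18, s1))
    print(trapdoor_from_two(17, s1, 99, s2) == sk[0])
```

Messages are treated as elements of Z_q here; a deployment would hash longer messages into that range and use a group of cryptographic size.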

    Socrative

    Self-checking with quizzes

    • Use the following URL: https://b.socrative.com/login/student
    • ... and enter room “HOFHEINZ8872”
    • Will also be in chat (so you can click on link)
    • No registration necessary
    • Quiz about chameleon hashing/signatures starts now!

  • Stronger forms of EUF-CMA

    Experiment between challenger C_EUF-CMA and adversary A:

    • C: (pk, sk) ← Gen(1^k); C sends pk to A
    • q queries: A sends mi; C replies with σi
    • A outputs m∗, σ∗
    • C checks: Vfy(pk, m∗, σ∗) = 1 ∧ m∗ ∉ {m1, ..., mq}?

    A wins iff Vfy(pk, m∗, σ∗) = 1 and m∗ ∉ {m1, ..., mq}

    Question: what stronger form of security is conceivable?

    Strong EUF-CMA (sEUF-CMA) experiment

    Experiment between challenger C_sEUF-CMA and adversary A:

    • C: (pk, sk) ← Gen(1^k); C sends pk to A
    • q queries: A sends mi; C replies with σi
    • A outputs m∗, σ∗
    • C checks: Vfy(pk, m∗, σ∗) = 1 ∧ (m∗, σ∗) ∉ {(m1, σ1), ..., (mq, σq)}?

    A wins iff Vfy(pk, m∗, σ∗) = 1 and (m∗, σ∗) ∉ {(m1, σ1), ..., (mq, σq)}

  • Definition: sEUF-CMA

    Def. 51: (sEUF-CMA) A signature scheme Σ = (Gen, Sign, Vfy) is sEUF-CMA secure iff for all PPT A,

    $$\Pr\big[A^{C_{\text{sEUF-CMA}}}(pk) = (m^*, \sigma^*) \,:\, \mathrm{Vfy}(pk, m^*, \sigma^*) = 1 \wedge (m^*, \sigma^*) \notin \{(m_1, \sigma_1), \ldots, (m_q, \sigma_q)\}\big]$$

    is negligible.