Digital Signatures

Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung)

2020-04-07


Outline

Chameleon Signatures

CH functions are one-time signatures

sEUF-CMA from chameleon hashing


Chameleon signatures: motivation (recap)

[Diagram: Customer, Dealer 1 and Dealer 2 exchange the messages “Offer?”, “100$, σ1”, “100$, σ1” and “99$, σ2”.]


Chameleon signatures: goal (recap)

Question: can we construct a signature scheme, such that...

• ... C can verify the authenticity of the offer from D1, but

• ... C cannot convince D2 that the offer came from D1?


Chameleon hash functions (Definition, recap)

A chameleon hash function CH consists of two PPT algorithms (GenCH, TrapCollCH):

• GenCH(1^k) outputs ch : M × R → N and a trapdoor τ

• TrapCollCH(τ, m, r, m′), for (m, r, m′) ∈ M × R × M, computes r′ ∈ R with

ch(m, r) = ch(m′, r′)

CH is collision-resistant iff for all PPT A,

Pr[ (ch, τ) ← GenCH(1^k), A(1^k, ch) = (m, r, m′, r′) : ch(m, r) = ch(m′, r′) ∧ (m, r) ≠ (m′, r′) ]

is negligible in k.


Chameleon signatures

• Given: CH = (GenCH, TrapCollCH), ch : M × R → N

• Given: signature scheme Σ′ = (Gen′, Sign′, Vfy′)

Construct chameleon signature Σ = (Gen, Sign, Vfy)

Gen(1^k):

• (pk′, sk′) ← Gen′(1^k)

• pk := pk′, sk := sk′


Chameleon signatures

Sign(sk, m, ch): (ch is CH function of receiver)

• r ← R, ch(m, r) =: y

• σ′ := Sign′(sk, y)

• σ := (σ′, r)

Vfy(pk, m, σ, ch):

• Vfy′(pk, ch(m, r), σ′) ?= 1


EUF-CMA for chameleon signatures

Game between challenger CEUF-CMA and adversary A:

• C: (pk, sk) ← Gen(1^k), (ch, τ) ← GenCH(1^k)

• C → A: pk, ch

• q adaptive queries: A → C: mi; C → A: σi ← Sign(sk, mi, ch)

• A → C: m∗, σ∗

• C checks: Vfy(pk, m∗, σ∗, ch) = 1 ∧ m∗ ∉ {m1, ..., mq}?

A wins iff Vfy(pk, m∗, σ∗, ch) = 1 and m∗ ∉ {m1, ..., mq}

Question: is this notion “strong enough”?


Chameleon signatures: security (not in notes)

Question: is this notion “strong enough”?

Answer: no!

• Not realistic: adversary has “no control” over CH function in signing queries (recall: CH function of receiver should be used)

• Such control could help forging signatures

• Realistic adversary might choose/use own CH function


Attack in case of DLog-based CH (not in notes)

Suppose A can choose CH function for signature queries:

• DLog-based CH used (ch(m, r) = g^m · h^r)

• A receives ch = (g, h) from challenger

• A chooses chA := (g^a, h) (a ≠ 1 chosen by A)

  – Valid CH function (A need not prove knowledge of trapdoor)!

• A queries signature of m under chA and obtains σ = (σ′, r).


Attack in case of DLog-based CH (not in notes)

• Then:

1 = Vfy(pk, m, σ = (σ′, r), chA)
  = Vfy′(pk, chA(m, r), σ′)
  = Vfy′(pk, ch(a · m, r), σ′)
  = Vfy(pk, a · m, σ, ch)

• Since a ≠ 1, we have m ≠ a · m

• Hence, (a · m, σ) is a valid forgery under ch

Note: similar attack possible with RSA-based CH function
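Added example (not from the lecture slides): the chameleon signature construction and the chain of equalities above, run over a constructed toy group, next to a variation in which Σ′ signs (ch, y) instead of y. The group parameters, the Schnorr-style stand-in for Σ′, all function names and the bind option are assumptions of this example.

```python
import hashlib
import secrets

# Constructed toy group: P = 2Q + 1, G has prime order Q. Far too small for real use.
P, Q, G = 2039, 1019, 4

def H(*parts):
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big")

def rand_exp():
    return secrets.randbelow(Q - 1) + 1

# Sigma': Schnorr-style signature, a stand-in chosen for this example.
def gen_prime():
    sk = rand_exp()
    return pow(G, sk, P), sk

def sign_prime(sk, y):
    k = rand_exp()
    e = H(pow(G, k, P), y)
    return e, (k + sk * e) % Q

def vfy_prime(pk, y, sig):
    e, s = sig
    commit = pow(G, s, P) * pow(pk, -e % Q, P) % P   # g^s * pk^(-e) = g^k
    return e == H(commit, y)

# DLog-based chameleon hash ch(m, r) = g^m * h^r with ch = (g, h), h = g^tau.
def gen_ch():
    tau = rand_exp()
    return (G, pow(G, tau, P)), tau

def ch_eval(ch, m, r):
    g, h = ch
    return pow(g, m % Q, P) * pow(h, r % Q, P) % P

# Chameleon signature as on the slides. bind=True is this example's variation:
# Sigma' signs (ch, y) instead of y, so sigma' depends on the CH function used.
def sign(sk, m, ch, bind=False):
    r = rand_exp()
    y = ch_eval(ch, m, r)
    return sign_prime(sk, (ch, y) if bind else y), r

def vfy(pk, m, sigma, ch, bind=False):
    sig_prime, r = sigma
    y = ch_eval(ch, m, r)
    return vfy_prime(pk, (ch, y) if bind else y, sig_prime)

def replay_under_other_ch(bind, m=100, a=2):
    """Sign m under ch_A = (g^a, h); check sigma for m under ch_A and for a*m under ch."""
    pk, sk = gen_prime()
    ch, _tau = gen_ch()
    g, h = ch
    ch_a = (pow(g, a, P), h)
    sigma = sign(sk, m, ch_a, bind)
    return vfy(pk, m, sigma, ch_a, bind), vfy(pk, a * m % Q, sigma, ch, bind)

if __name__ == "__main__":
    print("slides' scheme:    ", replay_under_other_ch(bind=False))
    print("sigma' bound to ch:", replay_under_other_ch(bind=True))
```

With bind=False the same σ verifies for a · m under ch, exactly as derived above; with bind=True that second verification fails because Σ′ signed a value that names chA.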


EUF-CMA for chameleon sigs (not in notes)

EUF-CMA variant 1 and EUF-CMA variant 2, as a game between challenger CEUF-CMA and adversary A:

• C: (pk, sk) ← Gen(1^k), (ch, τ) ← GenCH(1^k)

• C → A: pk, ch

• q adaptive queries, in one of two forms:

  – A → C: mi; C → A: σi ← Sign(sk, mi, ch)

  – A → C: mi, chi; C → A: σi ← Sign(sk, mi, chi)

• A → C: m∗, σ∗

• C checks: Vfy(pk, m∗, σ∗, ch) = 1 ∧ m∗ ∉ {m1, ..., mq}?

A wins iff Vfy(pk, m∗, σ∗, ch) = 1 and m∗ ∉ {m1, ..., mq}


EUF-CMA

• In the following: only variant 1

• Variant 2 also achievable, but a little more difficult (need to make signatures depend on used CH)


Chameleon signatures: security

Theorem 45: For every PPT adversary A(pk, ch) that breaks the EUF-CMA security of Σ in time tA with success εA, there is a PPT adversary B that runs in time tB ≈ tA and...

• breaks the collision resistance of ch with success εch ≥ εA/2,

• or breaks the EUF-naCMA security of Σ′ with probability ε′ ≥ εA/2.


Chameleon signatures: proof

EUF-CMA: Let m1, ..., mq be A’s queries, σi = (σ′i, ri) the replies, and (m∗, σ∗ = (σ′∗, r∗)) A’s forgery

Two events:

• E0: There is an i with ch(mi, ri) = ch(m∗, r∗).

• E1: For all i ∈ {1, ..., q}, we have ch(mi, ri) ≠ ch(m∗, r∗).

Successful A causes E0 or E1, hence

εA ≤ Pr[E0] + Pr[E1] ⇒ Pr[E0] ≥ εA/2 or Pr[E1] ≥ εA/2


Chameleon signatures: proof

• E0: reduction to collision-resistance of CH

  – As usual, no surprises

• E1: reduction to EUF-naCMA security of Σ′

  – Also straightforward, details on next slide


Proof strategy to bound Pr[E1]

• Overview (parties: CΣ′, B, A):

  – B → CΣ′: m′1, ..., m′q

  – CΣ′ → B: pk′

  – B: generate (ch, τ); B → A: (pk := pk′, ch)

  – A → B: mi

  – B: generate signature σi for mi (choose ri, generate Σ′-signature for ch(mi, ri)); B → A: σi

  – A → B: (m∗, σ∗)

  – B: extract Σ′-forgery (m′∗, σ′∗); B → CΣ′: (m′∗, σ′∗)

• Need to fill in details


Proof strategy to bound Pr[E1]

• How to sign mi for A

  – Need to choose ri, then Σ′-sign ch(mi, ri)

  – Problem: no Σ′-signing oracle (m′i chosen in advance)

  – Solution: use τ to generate ri with ch(mi, ri) = m′i

  – This requires setting up m′i := ch(Mi, Ri) for arbitrary Mi and random Ri in advance

• How to extract a Σ′-forgery from (m∗, σ∗)

  – σ∗ = (r∗, σ′∗) with σ′∗ a valid signature for m′∗ = ch(m∗, r∗)

  – E1 implies that m′∗ ≠ m′i for all i

  – Hence, (m′∗, σ′∗) is a valid Σ′-forgery


CH functions are one-time signatures

• Previously: constructions of CH functions similar to OTSs

• Now: transformation CH function → OTS scheme


Transformation CH → OTS

• Given: CH = (GenCH, TrapCollCH)

• Construct Σ = (Gen, Sign, Vfy) as follows:

Gen(1^k):

• (ch, τ) ← GenCH(1^k)

• (m̃, r̃) ← M × R

• c := ch(m̃, r̃)

• pk := (ch, c), sk := (τ, m̃, r̃)


Transformation CH → OTS

pk := (ch, c), sk := (τ, m̃, r̃)

Sign(sk, m):

• r := TrapCollCH(τ, m̃, r̃, m)

• σ := r

Vfy(pk, m, σ):

• c ?= ch(m, σ)
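Added example (not from the lecture slides): the CH → OTS transformation above, instantiated with the DLog-based CH ch(m, r) = g^m · h^r over a constructed toy group. The group parameters, the function names and the explicit TrapColl formula for this CH are assumptions of the example; the last function shows that signing a second message under the same key publishes a collision of ch.

```python
import secrets

# Constructed toy group: P = 2Q + 1, G has prime order Q. Far too small for real use.
P, Q, G = 2039, 1019, 4

def gen_ch():
    """GenCH: ch = (g, h) with h = g^tau, and the trapdoor tau."""
    tau = secrets.randbelow(Q - 1) + 1
    return (G, pow(G, tau, P)), tau

def ch_eval(ch, m, r):
    g, h = ch
    return pow(g, m % Q, P) * pow(h, r % Q, P) % P

def trap_coll(tau, m, r, m_new):
    """TrapColl for the DLog-based CH: solve m + tau*r = m_new + tau*r' (mod Q) for r'."""
    tau_inv = pow(tau, Q - 2, Q)          # inverse of tau modulo the prime Q
    return (r + (m - m_new) * tau_inv) % Q

def gen():
    """Gen: pk = (ch, c), sk = (tau, m~, r~) with c = ch(m~, r~)."""
    ch, tau = gen_ch()
    m_t, r_t = secrets.randbelow(Q), secrets.randbelow(Q)
    return (ch, ch_eval(ch, m_t, r_t)), (tau, m_t, r_t)

def sign(sk, m):
    """Sign: sigma := TrapColl(tau, m~, r~, m)."""
    tau, m_t, r_t = sk
    return trap_coll(tau, m_t, r_t, m)

def vfy(pk, m, sigma):
    """Vfy: accept iff c = ch(m, sigma)."""
    ch, c = pk
    return c == ch_eval(ch, m, sigma)

def signatures_collide(pk, m1, s1, m2, s2):
    """True if (m1, s1) and (m2, s2) are distinct inputs that both hash to c."""
    ch, c = pk
    return m1 % Q != m2 % Q and ch_eval(ch, m1, s1) == ch_eval(ch, m2, s2) == c

if __name__ == "__main__":
    pk, sk = gen()
    s1, s2 = sign(sk, 42), sign(sk, 7)
    print("valid:", vfy(pk, 42, s1), "wrong message:", vfy(pk, 43, s1))
    print("two signatures form a collision:", signatures_collide(pk, 42, s1, 7, s2))
```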


Transformation: security

Theorem 47: Σ is EUF-1-naCMA secure if CH is collision-resistant.

(without proof)

Note: applying this transformation to our DLog-/RSA-based CHs, we obtain the DLog-/RSA-based one-time signatures from earlier


Socrative

Self-checking with quizzes

• Use following URL: https://b.socrative.com/login/student

• ... and enter room “HOFHEINZ8872”

• Will also be in chat (so you can click on link)

• No registration necessary

• Quiz about chameleon hashing/signatures starts now!


Stronger forms of EUF-CMA

Game between challenger CEUF-CMA and adversary A:

• C: (pk, sk) ← Gen(1^k)

• C → A: pk

• q queries: A → C: mi; C → A: σi

• A → C: m∗, σ∗

• C checks: Ver(pk, m∗, σ∗) = 1 ∧ m∗ ∉ {m1, ..., mq}?

A wins iff Vfy(pk, m∗, σ∗) = 1 and m∗ ∉ {m1, ..., mq}

Question: what stronger form of security is conceivable?


Strong EUF-CMA (sEUF-CMA) experiment

Game between challenger CsEUF-CMA and adversary A:

• C: (pk, sk) ← Gen(1^k)

• C → A: pk

• q queries: A → C: mi; C → A: σi

• A → C: m∗, σ∗

• C checks: Ver(pk, m∗, σ∗) = 1 ∧ (m∗, σ∗) ∉ {(m1, σ1), ..., (mq, σq)}?

A wins iff Vfy(pk, m∗, σ∗) = 1 and (m∗, σ∗) ∉ {(m1, σ1), ..., (mq, σq)}


Definition: sEUF-CMA

Def. 51 (sEUF-CMA): A signature scheme Σ = (Gen, Sign, Vfy) is sEUF-CMA secure iff for all PPT A,

Pr[ A^CsEUF-CMA(pk) = (m∗, σ∗) : Vfy(pk, m∗, σ∗) = 1 ∧ (m∗, σ∗) ∉ {(m1, σ1), ..., (mq, σq)} ]

is negligible.


sEUF-CMA: applications

• A can win even if m∗ has been signed before...

• ... as long as σ∗ is fresh

• Mainly useful as component of more complex building blocks...

• ... such as adaptively secure public-key encryption
