Digital Signatures
Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung)
Digital Signatures 2020-04-07 1
Outline
Chameleon Signatures
CH functions are one-time signatures
sEUF-CMA from chameleon hashing
Chameleon signatures: motivation (recap)
Diagram (message flow between Customer, Dealer 1 and Dealer 2):
• Customer → Dealer 1: Offer?
• Dealer 1 → Customer: 100$, σ1
• Customer → Dealer 2: 100$, σ1
• Dealer 2 → Customer: 99$, σ2
Chameleon signatures: goal (recap)
Question: can we construct a signature scheme, such that. . .
• . . . C can verify the authenticity of the offer from D1, but
• . . . C cannot convince D2 that the offer came from D1?
Chameleon hash functions (Definition, recap)
A chameleon hash function CH consists of two PPT algorithms (GenCH, TrapCollCH):
• GenCH(1^k) outputs ch : M × R → N and a trapdoor τ
• TrapCollCH(τ, m, r, m′), for (m, r, m′) ∈ M × R × M, computes r′ ∈ R with ch(m, r) = ch(m′, r′)
CH is collision-resistant iff for all PPT A,
Pr[ (ch, τ) ← GenCH(1^k), A(1^k, ch) = (m, r, m′, r′) : ch(m, r) = ch(m′, r′) ∧ (m, r) ≠ (m′, r′) ]
is negligible in k.
Chameleon signatures
• Given: CH = (GenCH, TrapCollCH), ch : M × R → N
• Given: signature scheme Σ′ = (Gen′, Sign′, Vfy′)
Construct chameleon signature Σ = (Gen, Sign, Vfy)
Gen(1k ) :
• (pk ′, sk ′)← Gen′(1k )
• pk := pk ′, sk := sk ′
Chameleon signatures
Sign(sk, m, ch): (ch is the CH function of the receiver)
• r ← R, ch(m, r) =: y
• σ′ := Sign′(sk, y)
• σ := (σ′, r)
Vfy(pk, m, σ, ch):
• Vfy′(pk, ch(m, r), σ′) ?= 1
EUF-CMA for chameleon signatures
Experiment between challenger C_EUF-CMA and adversary A:
• C: (pk, sk) ← Gen(1^k), (ch, τ) ← GenCH(1^k); sends (pk, ch) to A
• A → C: mi; C → A: σi ← Sign(sk, mi, ch)   (q adaptive queries)
• A → C: (m∗, σ∗)
A wins iff Vfy(pk, m∗, σ∗, ch) = 1 and m∗ ∉ {m1, ..., mq}
Question: is this notion “strong enough”?
Chameleon signatures: security (not in notes)
Question: is this notion “strong enough”?
Answer: no!
• Not realistic: adversary has “no control” over CH function in signing queries (recall: CH function of receiver should be used)
• Such control could help forging signatures
• Realistic adversary might choose/use own CH function
Attack in case of DLog-based CH (not in notes)
Suppose A can choose CH function for signature queries:
• DLog-based CH used (ch(m, r) = g^m · h^r)
• A receives ch = (g, h) from challenger
• A chooses chA := (g^a, h), (a ≠ 1 chosen by A)
  – Valid CH function (A needs not prove knowledge of trapdoor)!
• A queries signature of m under chA and obtains σ = (σ′, r).
Attack in case of DLog-based CH (not in notes)
• Then:
  1 = Vfy(pk, m, σ = (σ′, r), chA)
    = Vfy′(pk, chA(m, r), σ′)
    = Vfy′(pk, ch(a·m, r), σ′)
    = Vfy(pk, a·m, σ, ch)
• Since a ≠ 1, we have m ≠ a·m
• Hence, (a·m, σ) is a valid forgery under ch
Note: similar attack possible with RSA-based CH function
EUF-CMA for chameleon sigs (not in notes)
EUF-CMA variant 1: experiment between challenger C_EUF-CMA and adversary A
• C: (pk, sk) ← Gen(1^k), (ch, τ) ← GenCH(1^k); sends (pk, ch) to A
• A → C: (mi, chi) (previously: mi); C → A: σi ← Sign(sk, mi, chi) (previously: Sign(sk, mi, ch))   (q adaptive queries)
• A → C: (m∗, σ∗)
A wins iff Vfy(pk, m∗, σ∗, ch) = 1 and m∗ ∉ {m1, ..., mq}
EUF-CMA for chameleon sigs (not in notes)
EUF-CMA variant 2: experiment between challenger C_EUF-CMA and adversary A
• C: (pk, sk) ← Gen(1^k), (ch, τ) ← GenCH(1^k); sends (pk, ch) to A
• A → C: (mi, chi) (previously: mi); C → A: σi ← Sign(sk, mi, chi) (previously: Sign(sk, mi, ch))   (q adaptive queries)
• A → C: (m∗, σ∗)
A wins iff Vfy(pk, m∗, σ∗, ch) = 1 and m∗ ∉ {m1, ..., mq}
EUF-CMA
• In the following: only variant 1
• Variant 2 also achievable, but a little more difficult (need to make signatures depend on used CH)
Chameleon signatures: security
Theorem 45: For every PPT adversary A(pk, ch) that breaks the EUF-CMA security of Σ in time tA with success εA, there is a PPT adversary B that runs in time tB ≈ tA and. . .
• breaks the collision resistance of ch with success εch ≥ εA/2,
• or breaks the EUF-naCMA security of Σ′ with probability ε′ ≥ εA/2.
Chameleon signatures: proof
EUF-CMA: Let m1, ..., mq be A’s queries, σi = (σ′i, ri) the replies, and (m∗, σ∗ = (σ′∗, r∗)) A’s forgery
Two events:
• E0: There is an i with ch(mi, ri) = ch(m∗, r∗).
• E1: For all i ∈ {1, ..., q}, we have ch(mi, ri) ≠ ch(m∗, r∗).
Successful A causes E0 or E1, hence
εA ≤ Pr[E0] + Pr[E1] ⇒ Pr[E0] ≥ εA/2 or Pr[E1] ≥ εA/2
Chameleon signatures: proof
• E0: reduction to collision-resistance of CH
  – As usual, no surprises
• E1: reduction to EUF-naCMA security of Σ′
– Also straightforward, details on next slide
Proof strategy to bound Pr[E1]
• Overview (reduction B sits between the Σ′-challenger C_Σ′ and the adversary A):
  – B → C_Σ′: m′1, ..., m′q
  – C_Σ′ → B: pk′
  – B generates (ch, τ) and sends (pk := pk′, ch) to A
  – A → B: mi
  – B generates signature σi for mi (choose ri, generate Σ′-signature for ch(mi, ri)) and returns σi
  – A → B: (m∗, σ∗)
  – B extracts Σ′-forgery (m′∗, σ′∗) and outputs (m′∗, σ′∗) to C_Σ′
• Need to fill in details
Proof strategy to bound Pr[E1]
• How to sign mi for A
  – Need to choose ri, then Σ′-sign ch(mi, ri)
  – Problem: no Σ′-signing oracle (m′i chosen in advance)
  – Solution: use τ to generate ri with ch(mi, ri) = m′i
  – This requires setting up m′i := ch(Mi, Ri) for arbitrary Mi and random Ri in advance
• How to extract a Σ′-forgery from (m∗, σ∗)
  – σ∗ = (r∗, σ′∗) with σ′∗ a valid signature for m′∗ = ch(m∗, r∗)
  – E1 implies that m′∗ ≠ m′i for all i
  – Hence, (m′∗, σ′∗) is a valid Σ′-forgery
CH functions are one-time signatures
• Previously: constructions of CH functions similar to OTSs
• Now: transformation CH function → OTS scheme
Transformation CH→ OTS
• Given: CH = (GenCH, TrapCollCH)
• Construct Σ = (Gen, Sign, Vfy) as follows:
Gen(1k ) :
• (ch, τ) ← GenCH(1^k)
• (m̃, r̃) ← M × R
• c := ch(m̃, r̃)
• pk := (ch, c), sk := (τ , m̃, r̃ )
Transformation CH→ OTS
pk := (ch, c), sk := (τ , m̃, r̃ )
Sign(sk , m) :
• r := TrapCollCH(τ , m̃, r̃ , m)
• σ := r
Vfy(pk , m,σ) :
• c ?= ch(m,σ)
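The DLog-based chameleon hash from the attack slide and the CH → OTS transformation above, as an added Python example (not code from the lecture). It assumes constructed toy parameters p = 1019, q = 509, g = 4; rescaled_ch is the chA := (g^a, h) of the attack slide, and trapdoor_from_two_signatures is an added helper showing why the transformed scheme is only one-time.

```python
import secrets

# Constructed toy parameters (far too small for real use): p = 2q + 1 with
# p = 1019 and q = 509 both prime; G = 4 generates the order-q subgroup of Z_p^*.
P, Q, G = 1019, 509, 4

def gen_ch():
    """GenCH(1^k): ch = (g, h) with h = g^tau; the trapdoor is tau = log_g h."""
    tau = secrets.randbelow(Q - 1) + 1
    return (G, pow(G, tau, P)), tau

def ch(key, m, r):
    """DLog-based chameleon hash ch(m, r) = g^m * h^r (exponents live mod q)."""
    g, h = key
    return pow(g, m % Q, P) * pow(h, r % Q, P) % P

def trap_coll(tau, m, r, m2):
    """TrapCollCH: r2 with m + tau*r = m2 + tau*r2 (mod q), so ch(m, r) = ch(m2, r2)."""
    return (r + (m - m2) * pow(tau, -1, Q)) % Q

def rescaled_ch(key, a):
    """The chA := (g^a, h) of the attack slide: chA(m, r) = g^(a*m) * h^r = ch(a*m, r)."""
    g, h = key
    return (pow(g, a, P), h)

# CH -> OTS transformation from the slides.
def gen():
    """Gen(1^k): pk = (ch, c), sk = (tau, m~, r~) with c = ch(m~, r~)."""
    key, tau = gen_ch()
    m_t, r_t = secrets.randbelow(Q), secrets.randbelow(Q)
    return (key, ch(key, m_t, r_t)), (tau, m_t, r_t)

def sign(sk, m):
    """Sign(sk, m): sigma = r with ch(m, r) = c, found via the trapdoor."""
    tau, m_t, r_t = sk
    return trap_coll(tau, m_t, r_t, m)

def vfy(pk, m, sigma):
    """Vfy(pk, m, sigma): accept iff c == ch(m, sigma)."""
    key, c = pk
    return c == ch(key, m, sigma)

def trapdoor_from_two_signatures(m1, s1, m2, s2):
    """Why the scheme is one-time only: two signatures under the same pk collide
    in ch, so m1 + tau*s1 = m2 + tau*s2 (mod q) and tau can be solved for."""
    if m1 % Q == m2 % Q:
        raise ValueError("need two signatures on distinct messages")
    return (m1 - m2) * pow((s2 - s1) % Q, -1, Q) % Q
```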
Transformation: security
Theorem 47: Σ is EUF-1-naCMA secure if CH is collision-resistant.
(without proof)
Note: applying this transformation to our DLog-/RSA-based CHs, we obtain the DLog-/RSA-based one-time signatures from earlier
Socrative
Self-checking with quizzes
• Use following URL: https://b.socrative.com/login/student
• . . . and enter room “HOFHEINZ8872”
• Will also be in chat (so you can click on link)
• No registration necessary
• Quiz about chameleon hashing/signatures starts now!
Stronger forms of EUF-CMA
Experiment between challenger C_EUF-CMA and adversary A:
• C: (pk, sk) ← Gen(1^k); sends pk to A
• A → C: mi; C → A: σi   (q queries)
• A → C: (m∗, σ∗)
A wins iff Vfy(pk, m∗, σ∗) = 1 and m∗ ∉ {m1, ..., mq}
Question: what stronger form of security is conceivable?
Strong EUF-CMA (sEUF-CMA) experiment
Experiment between challenger C_sEUF-CMA and adversary A:
• C: (pk, sk) ← Gen(1^k); sends pk to A
• A → C: mi; C → A: σi   (q queries)
• A → C: (m∗, σ∗)
A wins iff Vfy(pk, m∗, σ∗) = 1 and (m∗, σ∗) ∉ {(m1, σ1), ..., (mq, σq)}
Definition: sEUF-CMA
Def. 51: (sEUF-CMA) A signature scheme Σ = (Gen, Sign, Vfy) is sEUF-CMA secure iff for all PPT A,
Pr[ A^{C_sEUF-CMA}(pk) = (m∗, σ∗) : Vfy(pk, m∗, σ∗) = 1 ∧ (m∗, σ∗) ∉ {(m1, σ1), ..., (mq, σq)} ]
is negligible.
sEUF-CMA: applications
• A can win even if m∗ has been signed before. . .
• . . . as long as σ∗ is fresh
• Mainly useful as component of more complex building blocks. . .
• . . . such as adaptively secure public-key encryption