Digital SignaturesDennis Hofheinz (slides based on slides by Björn Kaidel and GunnarHartung)

Digital Signatures 2020-05-19 1

Outline

Waters signatures

Overview over course topics

General remarks

Digital Signatures 2020-05-19 2

Recap: Waters signatures• Gen(1k ):

– gα ← G, κ← GenPHF(1k ).– sk = gα, pk = (g, κ, e(g, gα)).

• Sign(sk , m): choose r ← Zp. Compute

σ1 := gr σ2 := gα · Hκ(m)r .

Set σ = (σ1, σ2).

• Vfy(pk , m, σ):

e(g, σ2) ?= e(g, g)α · e(σ1, Hκ(m))

Digital Signatures 2020-05-19 3

Recap: security of Waters signatures

Theorem (99)Let H be a (1, q, γ)-PHF for any polynomial q. Then

• for every adversary A that breaks the EUF-CMA security ofWaters’ scheme with success εA in time tA with at most qsignature queries,

• there is an adversary B that breaks CDH in G in time tB ≈ tAwith success

εB ≥ γ · εA.

Digital Signatures 2020-05-19 4

Waters: summary

• Less efficient than BLS signatures (+1 group element)• But: proof in standard model, PHFs central tool

– Historical context: Waters IBE (2005) = Boneh-Boyen IBE(2004) + PHFs

• PHFs influential, many “partitioning proofs” with similartechniques

Digital Signatures 2020-05-19 5

Current research

• Better PHFs (but inherent combinatorial limitations)

• Different partitioning techniques (→ tight security)

• Tradeoff: more efficiency↔ weaker assumptions

• (With pairings:) identity-based encryption→ attribute-basedencryption→ functional encryption

Digital Signatures 2020-05-19 6

Socrative

Self-checking with quizzes

• Last time /

• Use following URL: https://b.socrative.com/login/student

• . . . and enter room “HOFHEINZ8872”

• Will also be in chat (so you can click on link)

• No registration necessary

• Quiz about Waters signatures starts now!

Digital Signatures 2020-05-19 7

Outline

Waters signatures

Overview over course topics

General remarks

Digital Signatures 2020-05-19 8

Introduction

Goal: “Digital version of physical signature.” We want:

• Authenticity– Document signed by specific person/entity

• Integrity– Signed document not changed after signing

Digital Signatures 2020-05-19 9

Definition: digital signature scheme

Def. 1: (Digital signature scheme)A digital signature scheme is a tuple Σ = (Gen, Sign, Vfy) ofprobabilistic polynomial-time algorithms:

• Gen(1k )→ (pk , sk ) (k ∈ N security parameter → asymptotic definition)

• Sign(sk , m)→ σ, (with m ∈ {0, 1}∗)

• Vfy(pk , m, σ) ∈ {0, 1} (intuitively: 1 iff σ valid)

Correctness: “the scheme works.”

Digital Signatures 2020-05-19 10

Security

• Concrete security definition combines two things:– Adversarial capabilities (e.g., naCMA, CMA)– Adversarial goal (e.g., EUF, sEUF, UUF)

• Definition by security experiment (e.g., EUF-CMA)

• We need assumptions (no unconditionally secure schemes)!

Digital Signatures 2020-05-19 11

Hash-then-Sign

• Goal: extend message space of signature scheme• Idea: sign H(m) instead of m

– H collision-resistant hash function

• This modification preserves security

• Sometimes even improves security (RSA-FDH)

Digital Signatures 2020-05-19 12

One-time signatures

• Stepping stone towards construction of signature schemes

• Remain secure if one signature is known(EUF-1-CMA/EUF-1-naCMA)• Constructions based on. . .

– . . . one-way functions (Lamport)– . . . hardness of discrete logarithm problem– . . . hardness of RSA problem– (first encounter with Shamir’s trick)

Digital Signatures 2020-05-19 13

Transformations

• . . . from EUF-(1-)naCMA to EUF-(1-)CMA security– Trick: σ = (σ′

pk1, pk1, σ(1)

m )– Reduction(s) to two assumptions

• . . . from EUF-1-CMA to EUF-CMA security– Use binary tree of hash functions (one-time signatures)– Each node authenticates/signs the two child nodes– Every leaf used only once (to sign message)

Digital Signatures 2020-05-19 14

RSA-based schemes

• Textbook RSA (σ = md mod N): don’t use this!

• PKCS #1 v1.5 (“naive” padding of m): security unclear

• RSA-FDH (σ = H(m)d mod N): secure in ROM• RSA-PSS (clever padding of m): secure in ROM

– Better concrete security guarantees than RSA-FDH– → Better parameter choices, more efficiency– Many σ for each m, reduction knows only one

• GHR: standard-model proof under stronger assumption

Digital Signatures 2020-05-19 15

Chameleon hash functions

• Hash function with trapdoor (to find collisions)

• Can be viewed as one-time signature schemes• Constructions based on DLog and RSA

– Essentially same as DLog-/RSA-based one-time sigs

• Immediate application: chameleon signatures• Technical application: EUF-CMA→sEUF-CMA

– CHFs resolve circular dependency in construction

Digital Signatures 2020-05-19 16

Pairing-based signatures

• Pairing: bilinear map e : G1 ×G2 → GT

• Allows one multiplication in exponent– Price: moving to a different group (GT )

• Allows tripartite key exchange• BLS signatures: pk = gx , σ = H(m)x

– Pairing helps to verify signatures– Proof under CDH in ROM, similar to RSA-FDH

Digital Signatures 2020-05-19 17

Programmable hashing and Waters signatures

• Programmable hash functions: mimic ROM (but withoutoracles)

• Tool to obtain ROM-like proofs in standard model

• PHF is hash function H : {0, 1}` → G with trapdoor

• Trapdoor allows to explain H(m) as H(m) = hamgbm

• Hope that am 6= 0 most of the time, am = 0 sometimes• Leads to Waters signatures:

– Here, reduction can sign iff am 6= 0

Digital Signatures 2020-05-19 18

Outline

Waters signatures

Overview over course topics

General remarks

Digital Signatures 2020-05-19 19

General remarks

• Exam: concepts important, also proof strategies/tricks– Exam is discussion, goal: find out if you understood things

• Lecture: interaction very much appreciated, thank you!

• Similar courses/parts of courses/labs on the way• <blink>OPPORTUNITY</blink>

– Your feedback influences future course design!

Digital Signatures 2020-05-19 20