A Signature Scheme as Secure as the Diffie-Hellman Problem

Post on 25-May-2015


DESCRIPTION

A Signature Scheme as Secure as the Diffie Hellman Problem. Goh and Jarecki.

TRANSCRIPT

Theory Seminar - Cryptography

A Signature Scheme as Secure as the Diffie-Hellman Problem

Theory Seminar

Eu-Jin Goh and Stanislaw Jarecki, Eurocrypt 2003

Subhashini V, IIT Madras


Outline

1 Introduction: Hard Assumptions

2 Signature Scheme: Definition, EDL Scheme

3 Security: CMA model, Unforgeability, Forgery, Probability

4 References


Introduction

Objective of this talk

Introduction to

Hardness assumption - CDH

Reduction techniques

ZKP in cryptosystems

Random oracle model

Signature scheme


Hard Assumption

Discrete log problem - Given: g, g^a. Find: a

CDH - Computational Diffie-Hellman - Given: g, g^a, g^b. Compute: g^{ab}

Reduction to hard assumption

What is tightness?


Signature Scheme


Digital Signature Scheme

Key Generation - private key (sk) and public key (pk)

Sign - Sign(M, sk) → σ

Verify - Ver(pk, M, σ). Output: Accept or Reject


EDL Signature scheme

Proposed originally by [CEVDG88] and [CP93].

Key-generation: sk = x ∈_R Z_q, pk = y ← g^x

Sign(x, M)

1 r ∈_R {0,1}^{n_r}, h ← H(M, r), z ← h^x

2 NI-ZKP that DL_h(z) = DL_g(y):

3 k ∈_R Z_q, u ← g^k, v ← h^k

4 c ← H′(g, h, y, z, u, v) ∈ Z_q

5 s ← k + cx

6 σ ← (z, r, s, c)

Verify

h′ ← H(M, r), u′ ← g^s y^{−c}, v′ ← h′^s z^{−c}

c′ = H′(g, h′, y, z, u′, v′). Check c′ ?= c


Proof of equality of DL

Replacing the ZK proof of knowledge with just a ZKP

k ∈ Z_q; u = g^k; v = h^k

s = k + cx; g^s = u y^c; h^s = v z^c

Also, proof of knowledge of x: g^x = y; h^x = z

x = DL_g(y); x′ = DL_h(z)

Possible only if c = (k − k′)/(x′ − x), where k = DL_g(u) and k′ = DL_h(v)
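The EDL scheme of the previous slide, together with the equality-of-discrete-logs proof it embeds, as an added worked example (my own toy code, not from the slides or the Goh-Jarecki paper). It uses a constructed 1019-element subgroup of Z_2039^* and derives H and H′ from SHA-256; the group parameters, the hash-to-group construction and all function names are my assumptions.

```python
import hashlib, secrets

P, Q, G = 2039, 1019, 4   # constructed toy group: P = 2Q+1 prime, G generates the order-Q subgroup
N_R = 16                  # bit length n_r of the randomiser r

def _hash_int(*parts):
    data = b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def H(M, r):
    """Hash (M, r) into the order-Q subgroup: a squared residue mod P, whose DL is unknown."""
    for ctr in range(256):
        h = pow(_hash_int("H", M, r, ctr) % P, 2, P)
        if h not in (0, 1):
            return h
    raise RuntimeError("hash-to-group failed")   # negligible for any real P

def H2(*vals):
    """Fiat-Shamir challenge hash H' into Z_Q."""
    return _hash_int("H'", *vals) % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1            # sk = x in Z_Q
    return x, pow(G, x, P)                      # pk = y = g^x

def sign(x, M):
    r = secrets.randbits(N_R)
    h = H(M, r)
    z = pow(h, x, P)                            # z = h^x
    k = secrets.randbelow(Q)                    # NI-ZKP that DL_h(z) = DL_g(y):
    u, v = pow(G, k, P), pow(h, k, P)           #   commitments u = g^k, v = h^k
    c = H2(G, h, pow(G, x, P), z, u, v)         #   challenge
    s = (k + c * x) % Q                         #   response
    return (z, r, s, c)

def verify(y, M, sig):
    z, r, s, c = sig
    h = H(M, r)
    u = pow(G, s, P) * pow(y, -c, P) % P        # u' = g^s y^{-c}  (= u iff s = k + cx)
    v = pow(h, s, P) * pow(z, -c, P) % P        # v' = h^s z^{-c}  (= v iff DL_h(z) = x as well)
    return H2(G, h, y, z, u, v) == c
```

With Q = 1019 a tampered signature still passes with probability about 1/Q (the 2^{−n_q} terms of the probability analysis), which is why real parameters use a q of at least 256 bits.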


Security


Security Model

Chosen Message Attack (CMA)

Adaptive chosen messages.

Training with oracles (hash, sign)

Adversary A outputs forgery.


Unforgeability

Random oracle model - solve CDH. (Proof is from [?])

Setup: y = g^a (a is unknown)

H queries: embed - H(M, r) = h = (g^b)^d, d random

H′ queries: all random.

Sign queries:

r ∈_R {0,1}^{n_r}. If H(M, r) was already queried, abort.

κ ∈_R Z_q. Set z = y^κ, h = g^κ and H(M, r) = h, so that DL_h(z) = DL_g(y).

c ∈_R Z_q, s ∈_R Z_q. Set u = g^s y^{−c} and v = h^s z^{−c}.

Store H′(g, h, y, z, u, v) = c. σ = (z, r, s, c)


Solving CDH

Forgery passes verification.

h = H(M, r) = g^{bd}

DL_h(z) = DL_g(y) ⇒ z = h^a = g^{abd}

Output: z^{1/d} = g^{ab}

Solved CDH.
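The challenger of the unforgeability and forgery slides, as an added worked example (my own toy code, not the slides' or the paper's): it holds only y = g^a and g^b, embeds g^b in its answers to H queries, answers Sign queries by programming H and H′ without ever knowing x, returns None in the proof's two abort cases, and extracts g^{ab} from a forgery on an H-embedded (M, r). The constructed group and all names are my assumptions.

```python
import secrets

P, Q, G = 2039, 1019, 4   # constructed toy group: P = 2Q+1 prime, G generates the order-Q subgroup
N_R = 16                  # bit length n_r of the randomiser r

class Challenger:
    """Plays the signer towards the forger while knowing only y = g^a and g^b."""
    def __init__(self, y, gb):
        self.y, self.gb = y, gb
        self.H, self.H2, self.d = {}, {}, {}     # programmable oracles and the embedded d values

    def hash_query(self, M, r):
        """Forger's H query: answer with H(M, r) = (g^b)^d for a fresh random d."""
        if (M, r) not in self.H:
            d = secrets.randbelow(Q - 1) + 1
            self.H[(M, r)], self.d[(M, r)] = pow(self.gb, d, P), d
        return self.H[(M, r)]

    def challenge_query(self, *vals):
        """H' oracle: fresh random answers, except where sign_query programmed one."""
        if vals not in self.H2:
            self.H2[vals] = secrets.randbelow(Q)
        return self.H2[vals]

    def sign_query(self, M, r=None):
        """Answer Sign(M) without x; returns None in the proof's two abort cases."""
        r = secrets.randbits(N_R) if r is None else r
        if (M, r) in self.H:
            return None                                   # abort, step 1: H(M, r) already fixed
        kappa = secrets.randbelow(Q - 1) + 1
        h, z = pow(G, kappa, P), pow(self.y, kappa, P)    # DL_h(z) = DL_g(y) = a by construction
        c, s = secrets.randbelow(Q), secrets.randbelow(Q)
        u = pow(G, s, P) * pow(self.y, -c, P) % P         # choose (c, s) first, derive u = g^s y^{-c}
        v = pow(h, s, P) * pow(z, -c, P) % P              # and v = h^s z^{-c}
        if (G, h, self.y, z, u, v) in self.H2:
            return None                                   # abort, step 4: H' already queried here
        self.H[(M, r)], self.H2[(G, h, self.y, z, u, v)] = h, c
        return (z, r, s, c)

    def verify(self, M, sig):
        z, r, s, c = sig
        h = self.hash_query(M, r)
        u = pow(G, s, P) * pow(self.y, -c, P) % P
        v = pow(h, s, P) * pow(z, -c, P) % P
        return self.challenge_query(G, h, self.y, z, u, v) == c

    def extract_cdh(self, M, sig):
        """From a forgery on an H-embedded (M, r): z = h^a = g^{abd}, so z^{1/d} = g^{ab}."""
        z, r, _, _ = sig
        return pow(z, pow(self.d[(M, r)], -1, Q), P)
```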


Analysis - Probability of solving CDH

Abort cases

1 H(M, r) was already queried! ⇒ Pr = q_H · 2^{−n_r}

- Aborting in Step 1 of signature: Pr = q_sig · q_H · 2^{−n_r}

2 Abort at Step 4 of signature: H′(g, g^k, y, y^k, u, u^k) was already queried! Probability of collision: (q_H + q_sig) · 2^{−2n_q}

- Final: Pr = q_sig · (q_H + q_sig) · 2^{−2n_q}

Cannot solve CDH on a successful forgery (because of DL)

1 Pr[NH ∧ ¬NQ] = 2^{−n_q}

2 Pr[NQ] = q_H · 2^{−n_q}

NH - event that the attacker does not query the H-oracle.

NQ - event that DL_g(y) = DL_h(z)


We assume that the attacker can break the signature scheme with a non-negligible probability ε. Then, if ε′ is the probability of the challenger (C) solving the CDH problem using the attacker:

ε′ = ε − (ε_abort + ε_DL)

   = ε − q_sig · q_H · 2^{−n_r} − q_sig · (q_H + q_sig) · 2^{−2n_q} − 2^{−n_q} − q_H · 2^{−n_q}

ε′ is non-negligible and hence C can solve CDH.


References

References I

[CEVDG88] David Chaum, Jan-Hendrik Evertse, and Jeroen van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In Proceedings of the 6th Annual International Conference on Theory and Application of Cryptographic Techniques, EUROCRYPT'87, pages 127–141, Berlin, Heidelberg, 1988. Springer-Verlag.

[CP93] David Chaum and Torben P. Pedersen. Wallet databases with observers. In Proceedings of the 12th Annual International Cryptology Conference on Advances in Cryptology, CRYPTO'92, pages 89–105, London, UK, 1993. Springer-Verlag.


References II

Eu-Jin Goh and Stanislaw Jarecki. A signature scheme as secure as the Diffie-Hellman problem. In Proceedings of the 22nd International Conference on Theory and Applications of Cryptographic Techniques, EUROCRYPT'03, pages 401–415, Berlin, Heidelberg, 2003. Springer-Verlag.


Questions?

Thank You!
