realizing hash and sign signatures under standard assumptions
DESCRIPTION
Realizing Hash and Sign Signatures under Standard Assumptions. Susan Hohenberger Johns Hopkins. Brent Waters UT Austin. When, in the course of…. Digital Signatures. 1976 Diffie-Hellman: dream of digital signatures. Digital Signatures. When, in the course of…. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Realizing Hash and Sign Signatures under Standard Assumptions](https://reader036.vdocuments.us/reader036/viewer/2022062520/56815b9f550346895dc9a61a/html5/thumbnails/1.jpg)
Realizing Hash and Sign Signaturesunder Standard Assumptions
Susan Hohenberger Johns Hopkins
Brent Waters UT Austin
![Page 2: Realizing Hash and Sign Signatures under Standard Assumptions](https://reader036.vdocuments.us/reader036/viewer/2022062520/56815b9f550346895dc9a61a/html5/thumbnails/2.jpg)
Digital SignaturesWhen, in thecourse of…
1976 Diffie-Hellman: dream of digital signatures
![Page 3: Realizing Hash and Sign Signatures under Standard Assumptions](https://reader036.vdocuments.us/reader036/viewer/2022062520/56815b9f550346895dc9a61a/html5/thumbnails/3.jpg)
Digital SignaturesWhen, in the course of…
1976 Diffie-Hellman: dream of digital signatures1978 Rivest-Shamir-Adleman: first implementation
1adh84naf89hq32nvsd8puwqhevhphvdfp9ufew7u2rasdfohaqsedhfdasjf;
![Page 4: Realizing Hash and Sign Signatures under Standard Assumptions](https://reader036.vdocuments.us/reader036/viewer/2022062520/56815b9f550346895dc9a61a/html5/thumbnails/4.jpg)
Signatures Today
“Hash-and-Sign” Signatures-- [RSA78, E84, S91, O92, BR93, PS96, GHR99, CS00, CL01, BLS04, BB04, CL04, W05, GJKW07, GPV08, ...]-- what practioners expect-- short signatures and short public keys
Tree-Based Signatures-- [GMR85, G86, M89, DN89, BM90, NY94, R90, CD95, CD96, ...]
Two classes:
![Page 5: Realizing Hash and Sign Signatures under Standard Assumptions](https://reader036.vdocuments.us/reader036/viewer/2022062520/56815b9f550346895dc9a61a/html5/thumbnails/5.jpg)
Focus on ‘’Hash-and-Sign’’
Strong Assumptions-- Strong RSA [GHR99, CS00]-- q-Strong Diffie-Hellman [BB04]-- LRSW [CL04]
Random Oracle Model-- RSA [RSA78]-- Discrete logarithm [E84,S91]-- Lattices [GPV08]
Again, most things fall into two classes:
Our goal: Hash-and-sign from standardassumptions in the standard model.
![Page 6: Realizing Hash and Sign Signatures under Standard Assumptions](https://reader036.vdocuments.us/reader036/viewer/2022062520/56815b9f550346895dc9a61a/html5/thumbnails/6.jpg)
Strong AssumptionsRSA Given (N,y,e), find the x s.t. y = xe mod N. Strong RSA Given (N,y), find any (x,e) s.t. e >1 and y = xe mod N.
![Page 7: Realizing Hash and Sign Signatures under Standard Assumptions](https://reader036.vdocuments.us/reader036/viewer/2022062520/56815b9f550346895dc9a61a/html5/thumbnails/7.jpg)
Strong Assumptions
Computational Diffie-Hellman Given (g, ga, gb), find gab.q-Strong Diffie-Hellman Given (g, ga, ga^2, ..., ga^q), find any (c, g1/(a+c)) s.t. c >0.
RSA Given (N,y,e), find the x s.t. y = xe mod N. Strong RSA Given (N,y), find any (x,e) s.t. e >1 and y = xe mod N.
![Page 8: Realizing Hash and Sign Signatures under Standard Assumptions](https://reader036.vdocuments.us/reader036/viewer/2022062520/56815b9f550346895dc9a61a/html5/thumbnails/8.jpg)
One AnomalyWaters Signatures [W05]
+ Short (signature = 2 group elements)+ Stateless+ Standard Model+ Secure under CDH assumption
- Public Key requires O(k) group elements, where k is a sec. parameter
![Page 9: Realizing Hash and Sign Signatures under Standard Assumptions](https://reader036.vdocuments.us/reader036/viewer/2022062520/56815b9f550346895dc9a61a/html5/thumbnails/9.jpg)
Prior and New Contributions
W’05HW’09
PK Size Sig SizeO(k) 2
Short signatures from standard assumptions.Stateless?
CDHAssump.
CDHRSA
HW’09O(1)
834
nono
yes
Let k be the security parameter. Size in group elements (roughly).
![Page 10: Realizing Hash and Sign Signatures under Standard Assumptions](https://reader036.vdocuments.us/reader036/viewer/2022062520/56815b9f550346895dc9a61a/html5/thumbnails/10.jpg)
Design from RSARSA: Given (N,y,e), find the x s.t. xe = y mod N.
Different exponent per signature [GHR,CS]
Problem: In proof, how can we force adversary to forge with exponent e?Space of ei‘s is exponential ) Strong RSAIf it was polynomial, we’d be all set.
For ith signature:•ei = random•ei = F(mi)
![Page 11: Realizing Hash and Sign Signatures under Standard Assumptions](https://reader036.vdocuments.us/reader036/viewer/2022062520/56815b9f550346895dc9a61a/html5/thumbnails/11.jpg)
Design from RSARSA: Given (N,y,e), find the x s.t. xe = y mod N.
Problem: In proof, how can we force adversary to forge with exponent e?
Sign(SK, i, m)
Different exponent per signature [GHR,CS]For ith signature:•ei = random•ei = F(mi)•ei = F(i)
What if adversary forges on state
i=2163?
![Page 12: Realizing Hash and Sign Signatures under Standard Assumptions](https://reader036.vdocuments.us/reader036/viewer/2022062520/56815b9f550346895dc9a61a/html5/thumbnails/12.jpg)
New StrategyProblem: must bound i in adversary’s forgery.
Let x = #signatures issuedType I: using state i* > 2lg(x).
Type II: using state i* <= 2lg(x).
New Idea: sign (m, i) and d lg(i) e
Adversary must forge sig on d lg(i*) e
i* must come from polynomial range 1 to 2lg(x) !
For security parameter 2K, only K distinct d lg(i) e
…But signer might need to sign with i* (solve with ChamHash).
![Page 13: Realizing Hash and Sign Signatures under Standard Assumptions](https://reader036.vdocuments.us/reader036/viewer/2022062520/56815b9f550346895dc9a61a/html5/thumbnails/13.jpg)
Chameleon HashFormalized by Krawcyzk and Rabin in 2000.
H(m, r) 1. Collision-resistant i.e., hard to find (m,r) != (m’,r’) s.t. H(m,r) = H(m’,r’).
2. With trapdoor, given any y and m, can find r s.t. H(m,r) = y
Exist DL, RSA realizations
![Page 14: Realizing Hash and Sign Signatures under Standard Assumptions](https://reader036.vdocuments.us/reader036/viewer/2022062520/56815b9f550346895dc9a61a/html5/thumbnails/14.jpg)
ConstructionSign(SK, i, m)• e = F(i). • Choose r, x = ChamHash(m,r).• s1 = (uxh)1/e mod N• s2 = lg(i)th square root of v mod N Sig= (s1, s2, r, i).
Proof idea: Type I: forgery i is “big” ) square roots ) factor N.
Type II: forgery i is “small” ) simulator can guess i) F(i) = e from RSA challenge .....
PK = (N, u, h, v, F, ChamHash), where F maps to primes.
Can “squish” s1, s2
![Page 15: Realizing Hash and Sign Signatures under Standard Assumptions](https://reader036.vdocuments.us/reader036/viewer/2022062520/56815b9f550346895dc9a61a/html5/thumbnails/15.jpg)
Computational DH -- Overview
• Sigs ~ Boneh-Boyen IBE keys•Sign State; C.H. on master key
• No need to find primes!
VK = g ,ga, h, u, v,w 2 G (bilinear) + ChamHash Sign(SK, M, i) = (ux h)a ( ui vlg(i) w)t, gt
x = ChamHash(M,r) , t 2 Zp
![Page 16: Realizing Hash and Sign Signatures under Standard Assumptions](https://reader036.vdocuments.us/reader036/viewer/2022062520/56815b9f550346895dc9a61a/html5/thumbnails/16.jpg)
Handling State•Timer: State = Machine Time --- Careful!
•Do not roll back•Always one tick
•Multiple Machines•Coordinate??•Machine k signs: i ¢ n +k
Better not to have state
![Page 17: Realizing Hash and Sign Signatures under Standard Assumptions](https://reader036.vdocuments.us/reader036/viewer/2022062520/56815b9f550346895dc9a61a/html5/thumbnails/17.jpg)
Our ContributionsShort signatures with short keys with statein the standard model from:-- RSA-- Computational DH
State = a counter of # of sigs issued.
![Page 18: Realizing Hash and Sign Signatures under Standard Assumptions](https://reader036.vdocuments.us/reader036/viewer/2022062520/56815b9f550346895dc9a61a/html5/thumbnails/18.jpg)
Thank you
![Page 19: Realizing Hash and Sign Signatures under Standard Assumptions](https://reader036.vdocuments.us/reader036/viewer/2022062520/56815b9f550346895dc9a61a/html5/thumbnails/19.jpg)
BackgroundChameleon hashes exist under RSA, factoring and discrete log.
A signature scheme is secureif for all ppt A, the following is negligible:Full Definition [GMR88]Pr[ (PK,SK) <- KeyGen(1k), (m,s) <- AOsk(PK) :Verify(PK,m,s)=1 andm not queried to signing oracle Osk].Weak Definition [...,BB04]Pr[ (m1, ..., mq) <- A(1k), (PK,SK) <- KeyGen(1k), si=Sign(SK, mi), (m,s) <- A(PK, s1, ..., sq) :Verify(PK,m,s)=1 and m not equal to m1, ..., mq].
Theorem [...,ST01]: Weak Sig Scheme + Chameleon Hash = Full Sig Scheme.
![Page 20: Realizing Hash and Sign Signatures under Standard Assumptions](https://reader036.vdocuments.us/reader036/viewer/2022062520/56815b9f550346895dc9a61a/html5/thumbnails/20.jpg)
Digital SignaturesAlgorithmsKeyGen(1k) --> (PK, SK).Sign(SK, m) --> s.Verify(PK, m, s) --> 1/0.
Dear UT,Happy April!
--JohnDefinition [GMR88]A signature scheme is secureif for all ppt A, the following is negligible:Pr[ (PK,SK) <- KeyGen(1k), (m,s) <- AOsk(PK) :Verify(PK,m,s)=1 andm not queried to signing oracle Osk].
![Page 21: Realizing Hash and Sign Signatures under Standard Assumptions](https://reader036.vdocuments.us/reader036/viewer/2022062520/56815b9f550346895dc9a61a/html5/thumbnails/21.jpg)
Digital SignaturesAlgorithmsKeyGen(1k) --> (PK, SK).Sign(SK, m) --> s.Verify(PK, m, s) --> 1/0.
When, in thecourse of…
1976 Diffie-Hellman: dream of digital signatures
![Page 22: Realizing Hash and Sign Signatures under Standard Assumptions](https://reader036.vdocuments.us/reader036/viewer/2022062520/56815b9f550346895dc9a61a/html5/thumbnails/22.jpg)
Digital SignaturesAlgorithmsKeyGen(1k) --> (PK, SK).Sign(SK, m) --> s.Verify(PK, m, s) --> 1/0.
When, in the course of…
1976 Diffie-Hellman: dream of digital signatures1978 Rivest-Shamir-Adleman: first implementation
1adh84naf89hq32nvsd8puwqhevhphvdfp9ufew7u2rasdfohaqsedhfdasjf;
![Page 23: Realizing Hash and Sign Signatures under Standard Assumptions](https://reader036.vdocuments.us/reader036/viewer/2022062520/56815b9f550346895dc9a61a/html5/thumbnails/23.jpg)
Design from RSARSA: Given (N,y,e), find the x s.t. xe = y mod N.
Problem: In proof, how can we force adversary to forge with exponent e?
Signer will use different exponent for each sig.For ith signature, perhapsei is chosen at random, orei is derived from the message mi,ei is derived from the signer’s state i.
Sign(SK, i, m)
![Page 24: Realizing Hash and Sign Signatures under Standard Assumptions](https://reader036.vdocuments.us/reader036/viewer/2022062520/56815b9f550346895dc9a61a/html5/thumbnails/24.jpg)
Construction #1PK = (N, u, h, v, F, ChamHash), where F maps to primes. Sign(SK, i, m):1. Increment i := i+1.2. Compute e = F(i). 3. Choose random r, compute x = ChamHash(m,r).4. Compute s1 = (uxh)1/e mod N,
s2 = lg(i)th square root of v mod N.5. Output signature (s1, s2, r, i).
Verify(PK, m, s): straightforward.
![Page 25: Realizing Hash and Sign Signatures under Standard Assumptions](https://reader036.vdocuments.us/reader036/viewer/2022062520/56815b9f550346895dc9a61a/html5/thumbnails/25.jpg)
Type I: using state i* > 2lg(x).
Type II: using state i* <= 2lg(x).
Let x = # signatures
New StrategyProblem: must bound i in adversary’s forgery.New Idea: sign ( m, i ) and dlg(i)e.