signature from one-way functions
DESCRIPTION
Seminar on Digital Signature, which shows the construction of digital signatures solely based on the existence of one-way functions.TRANSCRIPT
Signature from One-way Functions
Cassius Puodzius
Technische Universitat Darmstadt
Mar. 12, 2012
Outline
Outline of the seminar
Motivation
Quick introduction to One-way functions
Attack model
One-time signatures
Lamport’s One-Time Signature Scheme
`-time signatures
Full-fledged one-time signature from length-restrictedone-time signature
Hash-and-sign paradigm
General signature scheme from one-time signature
Refreshing paradigmAuthentication-trees
Conclusions
Motivation
Security of Digital Signatures
Security assumptions:
Integer factorization: Rabin signature [2]
DLP: Modified ElGamal scheme [7]
RSA: RSA-PSS [3]
SVP: GPV [4]
or even:
k-wCDHP (k-weak Computational Diffie-Hellman Problem) [9]
k+1-IEP (k+1 inverse exponent problem) [1]
k+1-SRP (k + 1 Square Roots Problem) [8]
BISDHP (bilinear inverse-square Diffie-Hellman problem) [1]
Motivation
Goal
Obtain secure digital signatures solely based on the existence ofone-way functions
Quick introduction to One-way functions
Idea
Quick introduction to One-way functions
Definition
No probabilistic algorithm is able to find x given f (x) inpolynomial-time
Existence of OWF
No known OWF
Candidates: Factorization, Discrete Logarithm, MultivariatePolynomials, Learning with errors, ...
Attack model
Adaptive chosen-message attack
m /∈ m0,m1, . . . ,mN
Attack model
Existential Unforgeability
A signature scheme is secure (or unforgeable) if every feasiblechosen message attack succeeds with at most negligible probability[6]
Strong Existential Unforgeability
The forger is allowed to output mi ∈ m0,m1, . . . ,mN, howeverσ 6= σi .
Lamport’s One-Time Signature Scheme
G: Key Generation
signing-key:verification-key:
Lamport’s One-Time Signature Scheme
G: Key Generation
Given f : D → I a OWF
sk =( s0
1 ... s0`(n)
s11 ... s1
`(n)
) vk =
( v01 ... v0
`(n)
v11 ... v1
`(n)
)such that ∀i ∈ 1, ..., `(n) and ∀b ∈ 0, 1: sbi
$←− D and vbi = f (sbi )
sk : signing-key (secret)vk : verification-key (public)
Lamport’s One-Time Signature Scheme
S and V: Signature and Verification
Lamport’s One-Time Signature Scheme
S and V: Signature and Verification
Lamport’s One-Time Signature Scheme
S and V: Signature and Verification
Lamport’s One-Time Signature Scheme
S and V: Signature and Verification
Lamport’s One-Time Signature Scheme
S and V: Signature and Verification
Lamport’s One-Time Signature Scheme
S and V: Signature and Verification
Lamport’s One-Time Signature Scheme
S(sk ,m): Signature
For each bit mi of m ∈ 0, 1`(n):
σi =
s0i if mi = 0
s1i if mi = 1
V(pk ,m, σ): Verification
If for all i ∈ 1, ..., `(n):
vmii = f (σi )
then the signature is accepted. Otherwise it is rejected.
Drawback
Lamport is a length-restricted signature
Lamport’s One-Time Signature Scheme
Chosen one-message attack
The adversary can make at most one query to its Signing Oracle
Why one-time signature?
Choosing the messages 0`(n) and 1`(n) an attacker is able to signany further message m ∈ 0, 1`(n)
Lamport’s One-Time Signature Scheme
Proposition
Lamports OTS is unforgeable under a chosen one-message attackassuming that f is a OWF.
Depiction of proof
Lamport’s One-Time Signature Scheme
Proof - Setup
p$←− 0, . . . , `(n) , b
$←− 0, 1sk =
( s01 ... a0
p ... s0`(n)
s11 ... a1
p ... s1`(n)
) pk =
( v01 ... b0
p ... v0`(n)
v11 ... b1
p ... v1`(n)
)where s0
p , s1p = ⊥, s1−b
p and v 0p , v
1p = y , f (s1−b
p ).
Proof - Emulation of Signing Oracle
When F demands a signature on m′:
σ′ ←
⊥ if mp = b ⇒ Attack failed
Ss(m) if mp = 1− b
Lamport’s One-Time Signature Scheme
Proof - Inversion of OWF
If F outputs a forgery on mp and mp = b, then:
x ← σp|f (x) ≡ f (σp) = y
Proof - Probability of success
Pr [Inv(y)] ≥ Pr [Em. Signing Oracle]︸ ︷︷ ︸=1/2
∧Pr [F ← SUCESS]︸ ︷︷ ︸=ε
∧Pr [forgery on mp]︸ ︷︷ ︸≥1/`(n)
∧Pr [mp = b]︸ ︷︷ ︸=1/2
Pr [Inv(y)] ≥ ε
4 · `(n)⇒ non-negligible
Corollary (One-time signature)
Corollary
If there exists any one-way function then there existslength-restricted one-time signatures as well
`-time signatures
`-time signature from one-time signature
For any polynomial `:` one-time signature keys are generated and appended together togenerate
sk := (sk1, . . . , sk`) pk := (pk1, . . . , pk`)
`-time signatures
`-time signature from one-time signature
signing-key:verification-key:
`-time signatures
`-time signature from one-time signature
For i ≤ `
σi ← Signski (m)
The signature of m is (i , σi ).
Drawback
Stateful signature
Corollary (`-time signature)
Corollary
If there exists any one-way function then there existslength-restricted `-time signature as well
Full-fledged one-time signature from length-restrictedone-time signature
Hash-and-sign paradigm
hr : 0, 1∗ → 0, 1`r∈0,1∗ : collision-free hashing collection
Pro
Signature size depends only on the size of the signing-key
Full-fledged one-time signature from length-restrictedone-time signature
Key generation with G’
On input 1k
(s, v)← G (1k) r ← I (1k)G’ outputs ((r, s), (r, v))
Signature with S’
On input a signing-key (r, s) and m ∈ 0, 1∗
σ ← Ss(hr (m))
S’ outputs σ
Verification with V’
On input a verification-key (r, v), m ∈ 0, 1∗ and a signature σV’ outputs Vv (hr (m), σ)
Full-fledged one-time signature from length-restrictedone-time signature
Isn’t collision-free hashing collection a new assumption?
Yes, but it may be replaced by a collection of Universal One-WayHash Functions (UOWHF), which can be constructed using OWF[6].
General signature scheme from one-time signature
Refreshing paradigm
(G, S, V): signature scheme - (G’, S’, V’): one-time signatureschemeRefreshing paradim → general signature scheme (G”, S”, V”),which has G”= G
Drawback
(G, S, V) is not a one-time signature scheme
General signature scheme from one-time signature
Signing with S”
On input of a signing-key s and m ∈ 0, 1∗
(s ′, v ′) ← G ′(1k)
σ1 ← Ss(v ′)
σ2 ← S ′s′(m)
S”outputs (σ1, v′, σ2)
Verifying with V”
On input of a verifying-key v, m ∈ 0, 1∗ and (σ1, v′, σ2)
If Vv (v ′, σ1) = 1 and V ′v ′(m, σ2) the signature is accepted,otherwise rejected
General signature scheme from one-time signature
Chain-Based signature
General signature scheme from one-time signature
Chain-Based signature
General signature scheme from one-time signature
Chain-Based signature
On input of mi ∈ 0, 1∗:
(si+1, vi+1) ← G (1k)
σi ← Ssi (mi ||vi+1)
Add (mi , si+1, vi+1, σi ) to the current stateSignature: mj , vj+1, σjj=0
Chain-Based verification
On input of a verifying-key v0, mi ∈ 0, 1∗ and the signaturemj , vj+1, σjj=i
j=0:
Vrfyvj ((mj ||vi+1), σj)?= ACCEPTED ∀j ∈ 0, · · · , i
General signature scheme from one-time signature
Tree-Based signature
General signature scheme from one-time signature
Tree-Based signature
On input of m ∈ 0, 1N , let µi be the first i bits of m (prefix):If µi was never signed (while i <= N)
(sµi |0, vµi |0) ← G (1k)
(sµi |1, vµi |1) ← G (1k)
σi ← Ssi (vµi |0||vµi |1)
µi |0 ← sµi |0, vµi |0
µi |1 ← sµi |1, vµi |1µi ← Ssµi
(vµi |0||vµi |1)
σm ← Ssm(m)
Signature: (authµj︷ ︸︸ ︷
σj , vµj |0, vµj |1j=0, σm)
General signature scheme from one-time signature
Chain-Based verification
On input of a verifying-key v0, m ∈ 0, 1N and the signature(authjj=0, σm):
Vrfyvµj(authµj+1)
?= ACCEPTED ∀j ∈ 0,N
Vrfyvm(σm)?= ACCEPTED
General signature scheme from one-time signature
Proposition
If G is a strongly unforgeable signature under a one-timechosen-message attack, then a tree-based scheme G’ is stronglyunforgeable signature under an adaptive chosen-message attack
Depiction of proof
General signature scheme from one-time signature
Emulation of Oracle: Case 1
Emulation of Oracle: Case 2
General signature scheme from one-time signature
Proof - Setup
A′ is a probabilistic polynomial time adversary ⇒ t ← #[query]Ω(n) = (2 · poly(n) + 1)t ≥ #[(G ,S ,V )]
j$←− 1, · · · ,Ω(n)
General signature scheme from one-time signature
Proof - Emulation of Signing Oracle (Case 1)
Node j is on the authentication path:
(sµj |0, vµj |0) ← G (1k)
(sµj |1, vµj |1) ← G (1k)
σj ← Ssj (vµj |0||vµj |1)[One-time Signing Oracle]
µi |0 ← sµi |0, vµi |0
µi |1 ← sµi |1, vµi |1µi ← Ssµi
(vµi |0||vµi |1)
Proof - Emulation of Signing Oracle (Case 2)
Node j is a leaf: σm ← Ss(m) [One-time Signing Oracle]
General signature scheme from one-time signature
Proof - Forgery in (G, S, V)
If A′ outputs a forgery (m, σ, authm) and this forgery happens innode j , then:
(σf ,mf )←
(σµj , vµj+1) if j ∈ Authm
(σ,m) if j /∈ Authm
Proof - Probability of success
Pr [(σf ,mf )] ≥ Pr [A′ ← SUCESS]︸ ︷︷ ︸=ε
∧Pr [forgery on j ]︸ ︷︷ ︸≥1/Ω(n)
Pr [(σf ,mf )] ≥ ε
Ω(n)⇒ non-negligible
Corollary (General signature scheme from one-timesignature)
Corollary
If there exists any one-way function then there exists (stateful)general signature as well
General (stateless) signature scheme from one-timesignature
Stateless Signature
Use of PRF (which can be obtained from OWF [6]):
General (stateless) signature scheme from one-timesignature
Proposition
If (G, S, V) is a secure one-time signature scheme andfr : 0, 1∗ → 0, 1|r |r∈0,1∗ is a generalized pseudorandomfunction ensemble then (G’, S’, V’) constitutes a secure (general)signature scheme. [6]
Idea of the proof
Exponential growth of leaves → exponentially-vanishing probabilityof two signatures in the same leafDisregard two-times signatures → security proof similar to statefulscheme
Corollary (General signature scheme from one-timesignature)
Corollary
If there exists any one-way function then there exists a generalsignature as well
Conclusions
Theoretical Implication
If there exist any one-way function then there exist a generalsignature as well
Conclusions
So why RSA, DLP, SVP, ...?
Digital SignatureScheme Assumption S-key size (KB) Signature Size (KB)RSA-1024 RSA 0.62 0.13ECDSA DLP 0.08 0.32GPV SVP 6.12 13.18Merkle-tree OWF 41.3a 2.27
aFor 222 signatures[5]
The End
That’s it! Questions? Remarks?
References I
Sedat Akleylek, Baris Bulent Kirlar, Omer Sever, and ZalihaYuce.A new short signature scheme with random oracle frombilinear pairings.
Daniel J. Bernstein.Proving tight security for rabin/williams signatures.In In EUROCRYPT, 2008.
Johannes Bock.Rsa-pss - provably secure rsa signatures and theirimplementation v1.0.1, 2011.
Johannes Buchmann, Richard Lindner, Markus Ruckert, andMichael Schneider.Post-quantum cryptography: lattice signatures.Computing, 85(1-2):105–125, 2009.
References II
Luis Carlos and Luis Carlos Coronado Garcia.On the security and the efficiency of the merkle signaturescheme, 2005.
Oded Goldreich.Draft of chapter on signature schemes, 2003.
David Pointcheval and Jacques Stern.Security Proofs for Signature Schemes.In Ueli Maurer, editor, Advances in Cryptology - Proceedingsof EUROCRYPT ’96, volume 1070 of Lecture Notes inComputer Science, pages 387–398, Saragossa, Spain, 1996.Springer.
Fangguo Zhang, Xiaofeng Chen, Willy Susilo, and Yi Mu.A new short signature scheme without random oracles frombilinear pairings.In IN: VIETCRYPT 2006, LNCS 4341, pages 67–80, 2005.
References III
Fangguo Zhang, Reihaneh Safavi-naini, and Willy Susilo.Efficient verifiably encrypted signature and partially blindsignature from bilinear pairings, 2004.