1 / 25

Realizing Hash and Sign Signatures under Standard Assumptions

Realizing Hash and Sign Signatures under Standard Assumptions. Susan Hohenberger Johns Hopkins. Brent Waters UT Austin. When, in the course of…. Digital Signatures. 1976 Diffie-Hellman: dream of digital signatures. Digital Signatures. When, in the course of….

abba
Download Presentation

Realizing Hash and Sign Signatures under Standard Assumptions

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Realizing Hash and Sign Signatures under Standard Assumptions Susan Hohenberger Johns Hopkins Brent Waters UT Austin

  2. When, in the course of… Digital Signatures 1976 Diffie-Hellman: dream of digital signatures

  3. Digital Signatures When, in the course of… 1adh84naf89hq32nvsd8puwqhevhphvdfp9ufew7u2rasdfohaqsedhfdasjf; 1976 Diffie-Hellman: dream of digital signatures 1978 Rivest-Shamir-Adleman: first implementation

  4. Signatures Today Two classes: Tree-Based Signatures -- [GMR85, G86, M89, DN89, BM90, NY94, R90, CD95, CD96, ...] “Hash-and-Sign” Signatures -- [RSA78, E84, S91, O92, BR93, PS96, GHR99, CS00, CL01, BLS04, BB04, CL04, W05, GJKW07, GPV08, ...] -- what practioners expect -- short signatures and short public keys

  5. Focus on ‘’Hash-and-Sign’’ Again, most things fall into two classes: Random Oracle Model -- RSA [RSA78] -- Discrete logarithm [E84,S91] -- Lattices [GPV08] Strong Assumptions -- Strong RSA [GHR99, CS00] -- q-Strong Diffie-Hellman [BB04] -- LRSW [CL04] Our goal: Hash-and-sign from standard assumptions in the standard model.

  6. Strong Assumptions RSA Given (N,y,e), find the x s.t. y = xe mod N. Strong RSA Given (N,y), find any (x,e) s.t. e >1 and y = xe mod N.

  7. Strong Assumptions RSA Given (N,y,e), find the x s.t. y = xe mod N. Strong RSA Given (N,y), find any (x,e) s.t. e >1 and y = xe mod N. Computational Diffie-Hellman Given (g, ga, gb), find gab. q-Strong Diffie-Hellman Given (g, ga, ga^2, ..., ga^q), find any (c, g1/(a+c)) s.t. c >0.

  8. One Anomaly Waters Signatures [W05] + Short (signature = 2 group elements) + Stateless + Standard Model + Secure under CDH assumption - Public Key requires O(k) group elements, where k is a sec. parameter

  9. Prior and New Contributions Short signatures from standard assumptions. Assump. PK Size Sig Size Stateless? CDH O(k) W’05 2 yes HW’09 RSA O(1) 3 no no 8 4 HW’09 CDH Let k be the security parameter. Size in group elements (roughly).

  10. Design from RSA RSA: Given (N,y,e), find the x s.t. xe = y mod N. Different exponent per signature [GHR,CS] • For ith signature: • ei = random • ei = F(mi) Problem: In proof, how can we force adversary to forge with exponent e? • Space of ei‘s is exponential ) Strong RSA • If it was polynomial, we’d be all set.

  11. Design from RSA RSA: Given (N,y,e), find the x s.t. xe = y mod N. Different exponent per signature [GHR,CS] • For ith signature: • ei = random • ei = F(mi) What if adversary forges on state i=2163? Sign(SK, i, m) • ei = F(i) Problem: In proof, how can we force adversary to forge with exponent e?

  12. New Strategy Problem: must bound i in adversary’s forgery. New Idea:sign (m, i) and d lg(i) e • Let x = #signatures issued • Type I: using state i* > 2lg(x). • Type II: using state i* <= 2lg(x). • Adversary must forge sig on d lg(i*) e • For security parameter 2K, only K distinct d lg(i) e • i* must come from polynomial range 1 to 2lg(x) ! • …But signer might need to sign with i* (solve with ChamHash).

  13. Chameleon Hash Formalized by Krawcyzk and Rabin in 2000. H(m, r) 1. Collision-resistant i.e., hard to find (m,r) != (m’,r’) s.t. H(m,r) = H(m’,r’). 2. With trapdoor, given any y and m, can find r s.t. H(m,r) = y Exist DL, RSA realizations

  14. Construction PK = (N, u, h, v, F, ChamHash), where F maps to primes. • Sign(SK, i, m) • e = F(i). • Choose r, x = ChamHash(m,r). • s1 = (uxh)1/e mod N • s2 = lg(i)th square root of v mod N • Sig= (s1, s2, r, i). Can “squish” s1, s2 Proof idea: Type I: forgery i is “big” ) square roots ) factor N. • Type II: forgery i is “small” ) simulator can guess i • ) F(i) = e from RSA challenge .....

  15. Computational DH -- Overview VK = g ,ga, h, u, v,w 2 G (bilinear) + ChamHash Sign(SK, M, i) = (ux h)a ( ui vlg(i) w)t, gt x = ChamHash(M,r) , t 2 Zp • Sigs ~ Boneh-Boyen IBE keys • Sign State; C.H. on master key • No need to find primes!

  16. Handling State • Timer: State = Machine Time --- Careful! • Do not roll back • Always one tick • Multiple Machines • Coordinate?? • Machine k signs: i ¢ n +k Better not to have state

  17. Our Contributions Short signatures with short keys with state in the standard model from: -- RSA -- Computational DH State = a counter of # of sigs issued.

  18. Thank you

  19. Theorem [...,ST01]: Weak Sig Scheme + Chameleon Hash = Full Sig Scheme. Background • A signature scheme is secure • if for all ppt A, the following is negligible: • Full Definition [GMR88] • Pr[ (PK,SK) <- KeyGen(1k), (m,s) <- AOsk(PK) : • Verify(PK,m,s)=1 and • m not queried to signing oracle Osk]. • Weak Definition [...,BB04] • Pr[ (m1, ..., mq) <- A(1k), (PK,SK) <- KeyGen(1k), • si=Sign(SK, mi), (m,s) <- A(PK, s1, ..., sq) : • Verify(PK,m,s)=1 and m not equal to m1, ..., mq]. Chameleon hashes exist under RSA, factoring and discrete log.

  20. Dear UT, Happy April! --John Digital Signatures Algorithms KeyGen(1k) --> (PK, SK). Sign(SK, m) --> s. Verify(PK, m, s) --> 1/0. • Definition [GMR88] • A signature scheme is secure • if for all ppt A, the following is negligible: • Pr[ (PK,SK) <- KeyGen(1k), (m,s) <- AOsk(PK) : • Verify(PK,m,s)=1 and • m not queried to signing oracle Osk].

  21. When, in the course of… Digital Signatures Algorithms KeyGen(1k) --> (PK, SK). Sign(SK, m) --> s. Verify(PK, m, s) --> 1/0. 1976 Diffie-Hellman: dream of digital signatures

  22. Digital Signatures When, in the course of… Algorithms KeyGen(1k) --> (PK, SK). Sign(SK, m) --> s. Verify(PK, m, s) --> 1/0. 1adh84naf89hq32nvsd8puwqhevhphvdfp9ufew7u2rasdfohaqsedhfdasjf; 1976 Diffie-Hellman: dream of digital signatures 1978 Rivest-Shamir-Adleman: first implementation

  23. Design from RSA RSA: Given (N,y,e), find the x s.t. xe = y mod N. • Signer will use different exponent for each sig. • For ith signature, perhaps • ei is chosen at random, or • ei is derived from the message mi, • ei is derived from the signer’s state i. Sign(SK, i, m) Problem: In proof, how can we force adversary to forge with exponent e?

  24. Construction #1 • PK = (N, u, h, v, F, ChamHash), where F maps to primes. • Sign(SK, i, m): • 1. Increment i := i+1. • 2. Compute e = F(i). • 3. Choose random r, compute x = ChamHash(m,r). • 4. Compute s1 = (uxh)1/e mod N, • s2 = lg(i)th square root of v mod N. • 5. Output signature (s1, s2, r, i). • Verify(PK, m, s): straightforward.

  25. New Strategy Problem: must bound i in adversary’s forgery. New Idea:sign ( m, i ) and dlg(i)e. • Let x = # signatures • Type I: using state i* > 2lg(x). • Type II: using state i* <= 2lg(x).

More Related