Digital Signatures. Sven Laur University of Tartu

Similar documents
MTAT Cryptology II. Entity Authentication. Sven Laur University of Tartu

Security of Cryptosystems

MTAT Cryptology II. Commitment Schemes. Sven Laur University of Tartu

CSC 5930/9010 Modern Cryptography: Digital Signatures

Reminder: Homework 4. Due: Friday at the beginning of class

Lecture 10, Zero Knowledge Proofs, Secure Computation

Cryptographic protocols

INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator

Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Digital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2

CS408 Cryptography & Internet Security

Anonymous Signature Schemes

Lecture 14 Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze. 1 A Note on Adaptively-Secure NIZK. 2 The Random Oracle Model

Notes for Lecture 21. From One-Time Signatures to Fully Secure Signatures

COMS W4995 Introduction to Cryptography November 13, Lecture 21: Multiple Use Signature Schemes

A Mathematical Proof. Zero Knowledge Protocols. Interactive Proof System. Other Kinds of Proofs. When referring to a proof in logic we usually mean:

Zero Knowledge Protocols. c Eli Biham - May 3, Zero Knowledge Protocols (16)

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring and 6 February 2018

Solutions to exam in Cryptography December 17, 2013

Digital Signatures. Luke Anderson. 7 th April University Of Sydney.

Automated Security Proofs with Sequences of Games

CPSC 467: Cryptography and Computer Security

Definitions and Notations

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

SAS-Based Group Authentication and Key Agreement Protocols

Securely Combining Public-Key Cryptosystems

Digital Signatures 1

10 More on Signatures and the Public-Key Infrastructure

Introduction. Cambridge University Press Mathematics of Public Key Cryptography Steven D. Galbraith Excerpt More information

Applied cryptography

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

Short Schnorr signatures require a hash function with more than just random-prefix resistance

A Ring Signature Scheme with Strong Designated Verifiers to Provide Signer Anonymity

Lecture 15: Public Key Encryption: I

Relaxing IND-CCA: Indistinguishability Against Chosen. Chosen Ciphertext Verification Attack

Digital Signatures. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 54

Bounded-Concurrent Secure Two-Party Computation Without Setup Assumptions

MTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems

CS 495 Cryptography Lecture 6

Applied Cryptography and Computer Security CSE 664 Spring 2018

Cryptography. Lecture 12. Arpita Patra

Deniable Unique Group Authentication CS380S Project Report

Publicly-verifiable proof of storage: a modular construction. Federico Giacon

Distributed ID-based Signature Using Tamper-Resistant Module

Cryptography Today. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 44

Cryptography V: Digital Signatures

Anonymizable Ring Signature Without Pairing

Efficient identity-based GQ multisignatures

Introduction to Cryptography Lecture 7

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

Mike Reiter. University of North Carolina at Chapel Hill. Proliferation of mobile devices. Proliferation of security-relevant apps using these

Chaum s Designated Confirmer Signature Revisited

IND-CCA2 secure cryptosystems, Dan Bogdanov

Chapter 11 : Private-Key Encryption

From Digital Signature to ID-based Identification/Signature

Lecture 18 - Chosen Ciphertext Security

APPLICATIONS AND PROTOCOLS. Mihir Bellare UCSD 1

Cryptographic Primitives and Protocols for MANETs. Jonathan Katz University of Maryland

Public-key Cryptography: Theory and Practice

Notes for Lecture 24

Introduction to Cryptography Lecture 10

Cryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

Proactive Two-Party Signatures for User Authentication

Further Analysis of a Proposed Hash-Based Signature Standard

Lecture 8: Cryptography in the presence of local/public randomness

Cryptology complementary. Symmetric modes of operation

Optimistic Fair Exchange in a Multi-user Setting

6.842 Randomness and Computation September 25-27, Lecture 6 & 7. Definition 1 Interactive Proof Systems (IPS) [Goldwasser, Micali, Rackoff]

1 Defining Message authentication

Cryptography V: Digital Signatures

SMS Lottery. An Application for MOVA. Florin Oswald Master s Thesis in Computer Science March 20th, 2006 September 19th, 2006

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Lecture 4: Authentication and Hashing

Lecture 8 - Message Authentication Codes

Authentication Mechanisms for Open Distributed Systems

UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering. Introduction to Cryptography ECE 597XX/697XX

From Identification to Signatures via the Fiat-Shamir Transform: Minimizing Assumptions for Security and Forward-Security

Lecture 22 - Oblivious Transfer (OT) and Private Information Retrieval (PIR)

On Deniability in the Common Reference String and Random Oracle Model

Secure digital certificates with a blockchain protocol

Homework 3: Solution

Zero-Knowledge Proof and Authentication Protocols

CSC 5930/9010 Modern Cryptography: Cryptographic Hashing

Part VI. Public-key cryptography

Other Topics in Cryptography. Truong Tuan Anh

Cryptography: More Primitives

CSA E0 312: Secure Computation October 14, Guest Lecture 2-3

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Efficient and Non-Malleable Proofs of Plaintext Knowledge and Applications

One-Shot Verifiable Encryption from Lattices. Vadim Lyubashevsky and Gregory Neven IBM Research -- Zurich

A Characterization of Authenticated-Encryption as a Form of Chosen-Ciphertext Security. T. Shrimpton October 18, 2004

Introduction to Secure Multi-Party Computation

Lecture 19 - Oblivious Transfer (OT) and Private Information Retrieval (PIR)

Revisiting optimistic fair exchange based on ring signatures

Study Guide for the Final Exam

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Feedback Week 4 - Problem Set

Introduction to Cryptography Lecture 7

Transcription:

Digital Signatures Sven Laur swen@math.ut.ee University of Tartu

Formal Syntax

Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic identity, Charlie must generate (pk, sk) Gen and convinces others that the public information pk represents him. A keyed hash function Sign sk : M S takes in a plaintext and outputs a corresponding digital signature. A public verification algorithm Ver pk : M S {0,1} tries to distinguish between altered and original message pairs. The signature scheme is functional if for all (pk, sk) Gen and m M: Ver pk (m, Sign sk (m)) = 1. MTAT.07.003 Cryptology II, Digital Signatures, April 17, 2008 1

Key generation Gen: Example. RSA-1024 signature scheme 1. Choose uniformly 512-bit prime numbers p and q. 2. Compute N = p q and φ(n) = (p 1)(q 1). 3. Choose uniformly e Z φ(n) and set d = e 1 mod φ(n). 4. Output sk = (p,q, e, d) and pk = (N, e). Signing and verification: M = Z N, S = Z N, R = Sign sk (m) = m d mod N Ver pk (m,s) = 1 m = s e mod N. MTAT.07.003 Cryptology II, Digital Signatures, April 17, 2008 2

Attack scenarios Security definitions Key only attack. The adversary has access only to the public key pk. Chosen message attack. Besides the public key pk, the adversary can adaptively query a list of valid signatures (m 1,s 1 ),...,(m n,s n ). Attack types Universal forgery. The adversary must create a valid signature for a prescribed message m that is chosen from a distribution M 0. Existential forgery. The adversary must create a valid signature for some message m, i.e., there are no limitations on the choice of message. One more signature attack = Chosen message attack + Existential forgery MTAT.07.003 Cryptology II, Digital Signatures, April 17, 2008 3

Security against one more signature attack A signature scheme is (t, q, ε)-secure against one more signature attack if Adv forge (A) = Pr[G A = 1] ε for any t-time adversary A where G A (pk, sk) Gen For i {1,...,q} do [ mi A(s i 1 ) s i Sign sk (m i ) (m, s) A if (m, s) {(m 1, s 1 ),...,(m q, s q )} return 0 return Ver pk (m, s) MTAT.07.003 Cryptology II, Digital Signatures, April 17, 2008 4

A conceptual description of digital signatures A digital signature is a non-interactive and transferable counterpart of the following extended identification protocol: 1. Verifier sends a message m to a prover. 2. The prover accepts the message m. 3. The prover authenticates him or herself by using sk. Transferability means that signature must be verifiable by other parties that did not participate in the creation of the signature. As a result, digital signature is either a non-interactive proof of possession that is linked to the message m. a non-interactive proof of knowledge that is linked to the message m. MTAT.07.003 Cryptology II, Digital Signatures, April 17, 2008 5

Digital Signatures Based on Proofs of Possession

Trapdoor one-way permutations A collection of trapdoor permutations F tp is determined by three algorithms (Gen, Map, Inv) such that (pk, sk) Gen, m M pk : Inv sk (Map pk (m)) = m and both algorithms Map pk ( ) and Inv sk ( ) are deterministic. MTAT.07.003 Cryptology II, Digital Signatures, April 17, 2008 6

OW-CPA security A collection of trapdoor permutations F tp is (t, ε)-secure if for any t-time adversary A where Adv inv-cpa (A) = Pr [ G A = 1 ] ε G A (pk,sk) Gen m u M pk y Map pk (m) return [A(y) =? m] MTAT.07.003 Cryptology II, Digital Signatures, April 17, 2008 7

Full Domain Hash Setup Run (pk, sk) Gen to create an instance of trapdoor permutation. Choose h : M M pk from a collision resistant function family H. Signing To sign m M, compute x h(m) and output s Inv sk (x). Verification A pair (m, s) is a valid signature if h(m) = Map pk (s). MTAT.07.003 Cryptology II, Digital Signatures, April 17, 2008 8

Random oracle model Let us model the hash function by an oracle O pk ( ) that evaluates h u H all where H all = {h : M M pk } is a set of all functions. Thus, the advantage is now computed as average Adv forge H all (A) = 1 H all Adv forge h (A). h H all In reality, we substitute H all with a suitable hash family H and hope Adv forge H (A) = 1 H Adv forge h (A) Adv forge H all (A) h H all for all relevant adversaries A A humans devise. MTAT.07.003 Cryptology II, Digital Signatures, April 17, 2008 9

Security in the random oracle model Theorem. Let F tp is (t, ε)-secure collection of trapdoor permutations such that Map pk ( ) is always τ-time computable. Then the FDH signature scheme is (t (q h + q s + 1) τ, q s,(q h + q s + 1) ε)-secure against one more signature attack provided that the adversary can do up to q h hash queries. Drawbacks The result holds only in random oracle model. The security bound increases linearly with q h and d s. PSS signature scheme achieves a sublinear bound. The proof cannot be generalised to the standard model [Pallier2007]. MTAT.07.003 Cryptology II, Digital Signatures, April 17, 2008 10

The corresponding proof We can always assume that A queries hash for the forgery. The following evaluation strategies lead to identical results O pk (m) if H[m] = then [ H[m] u M pk return H[m] O pk (m) if H[m] = then [ S[m] u M pk H[m] Map pk (S[m]) return H[m] Let ε i be the probability that forgery was successful and the ith hash query corresponded to the message. Then ε i ε, since otherwise we would have a too efficient inverter. MTAT.07.003 Cryptology II, Digital Signatures, April 17, 2008 11

Digital Signatures Based on Proofs of Knowledge

Fiat-Shamir heuristics Fiat-Shamir heuristics converts any sigma-protocol to a signature scheme. α R α β γ β B Sigma protocols are interactive non-transferrable sk V pk (α,β,γ) and cannot be linked to particular messages α R sk,m α If β h(m, α) then β h(m, α) the signer cannot cheat m the protocol is non-interactive the protocol is transferable s = (α,β,γ) V pk (α, β, γ) h(m, α) =? β MTAT.07.003 Cryptology II, Digital Signatures, April 17, 2008 12

Generic signature schemes Let π be a sigma protocol specified by the prover and verifier algorithms P sk and V pk. Then the corresponding generic signature scheme is following. Setup Signing Use output (pk,sk) Gen of the sigma protocol setup. To sign a message m, output (α,β, γ) as a signature where Verification α P sk, β h(m, α), γ P sk (β). A tuple (m, α,β, γ) is a valid signature if β = h(m, α) Ver pk (α, β, γ) = 1. MTAT.07.003 Cryptology II, Digital Signatures, April 17, 2008 13

Famous examples Schnorr authentication protocol Schnorr signature scheme DSA algorithm ElGamal signature scheme Nyberg-Rueppel signature scheme Fiat-Shamir identification protocol Feige-Fiat-Shamir signature scheme Guillou-Quisquater identification protocol Guillou-Quisquater signature scheme MTAT.07.003 Cryptology II, Digital Signatures, April 17, 2008 14

Security in the random oracle model Forking Lemma (Basic form). Let κ be the knowledge error of the sigma protocol. If for a particular public key pk, a t-time adversary A manages to output valid signature by making at most n queries to the random oracle and no queries to the signing oracle with probability ε, then there exist an extraction algorithm K for that runs in expected time ( ) (n + 2) t E[τ] = Θ ε κ and returns the corresponding secret key sk. Simulatability Lemma. Oracle calls to the signing oracle can be replaced with the runs of the sigma protocol simulator. The probability of simulation failures due to the contradicting assignments for O( ) are negligible. MTAT.07.003 Cryptology II, Digital Signatures, April 17, 2008 15

Yet Another Matrix Game

An encoding of the extraction task Assume that A never queries the same value h(m i, α i ) twice and that A itself verifies the validity of the candidate signature (m n+1, s n+1 ). Let ω 0 denote the randomness used by A and let ω 1,...ω n+1 be the replies for the hash queries h(m i,α i ). Now define A(ω 0, ω 1,...,ω n+1 ) = { i, if the i th reply ω i is used in forgery, 0, if A fails. For any ω = (ω 0,...,ω i 1,ω i,...,ω n+1 ), A behaves identically up to the i th query as with the randomness ω. To extract the secret key sk, we must find ω and ω such that A(ω) = i and A(ω) = i and ω i ω i. MTAT.07.003 Cryptology II, Digital Signatures, April 17, 2008 16

Extended classical algorithm Rewind: 1. Probe random entries A(ω) until A(r, c) 0. 2. Store the matrix location ω and the rewinding point i A(ω). 3. Probe random entries A(ω) until A(ω) = i. 4. Output the location tuple (ω,ω). Rewind-Exp: 1. Repeat the procedure Rewind until ω i ω i. 2. Use the Knowledge extraction lemma to extract sk. MTAT.07.003 Cryptology II, Digital Signatures, April 17, 2008 17

Average case complexity I Assume that A succeeds with probability ε. Then the results proved for the simplified case (discussed in the last lecture) imply E[probes 1 ] = 1 ε and E[probes 2 A(ω) = i] = 1 ε i where ε i is the fraction of entries labelled with i. Thus E[probes 2 ] = E[probes 2 ] = n+1 i=1 n+1 i=1 Pr[A(ω) = i] E[probes 2 A(ω) = i] ε i ε 1 = n + 1 ε i ε. MTAT.07.003 Cryptology II, Digital Signatures, April 17, 2008 18

Average case complexity II As a result we obtain that the Rewind algorithm does on average E[probes] = n+2 ε probes. Since the Rewind algorithm fails with probability Pr[failure] = Pr[halting ω i = ω i ] Pr[halting] κ ε we make on average E[probes ] = 1 Pr[success] E[probes] ε ε κ n + 2 ε = n + 2 ε κ. MTAT.07.003 Cryptology II, Digital Signatures, April 17, 2008 19

Interpretation of the Results

Objective and subjective security All forms of the Forking Lemma are stated with respect to a fixed key and thus give only soundness guarantees. If we believe that no human can devise an algorithm that for a particular public key pk computes the corresponding secret key, then we also get the corresponding subjective security guarantee. For objective security guarantees, we have to consider average success probability over all public keys. In this situation, the knowledge extraction with high probability is overkill. Fixed number of probes together with Jensen s inequality give more tight bounds. All these security guarantees hold in the random oracle model! MTAT.07.003 Cryptology II, Digital Signatures, April 17, 2008 20

Average case nature of advantages Adv forge (A h) 1 Trivial ε General purpose Weakly specialised h The limit on the average advantage over all functions means: An attack algorithm A can be successful on few functions For randomly chosen function family H the corresponding average advantage is comparable with high probability over the choice of H. Such argumentation does not rule out possibility that one can choose adaptively a specialised attack algorithm A based on the description of h. MTAT.07.003 Cryptology II, Digital Signatures, April 17, 2008 21

Security against generic attacks An adaptive choice of a specialised attack algorithm implies that the attack depends on the description of the hash function and not the family H. Often, it is advantageous to consider only generic attacks that depend on the description of function family H and use only black-box access to the function h. Therefore, we can consider two oracles O Hall and O H. If H is pseudorandom function family then for any generic attack, we can substitute H with the H all and the success decreases marginally. Theorem. Security in the random oracle model implies security against generic attacks if H is a pseudorandom function family. The assumption that attackers use only generic attacks is subjective. Such an assumption are not universal, i.e., there are settings where this assumption is clearly irrational (various non-instantiability results). MTAT.07.003 Cryptology II, Digital Signatures, April 17, 2008 22

Why the random oracle argument truly fails? All currently used hash functions are iterative h(m 1,...,m k ) = f( f(f(iv, m 1 ),m 2 ),...,m k ). Consequently, the class of generic attack A bb that treats h( ) as a black box without internal structure is sub-optimal. Instead, we should consider a wider class of attacks that treat f as a black box, but still try to exploit iterative structure of the hash function. However, the corresponding black box adversaries A f( ),h( ) can distinguish H form H all with high probability. As a result, there might be a successful attack strategy A f( ),h( ) that works for all possible iterative hash functions, although the signature scheme is secure in the random oracle model. MTAT.07.003 Cryptology II, Digital Signatures, April 17, 2008 23

Other Interesting Examples

Setup Signing Generic group signatures Participants set up a joint public parameters pk such that each of them knows one of the corresponding sub-secrets sk 1,...,sk n Signing procedure is based on sigma protocol that proves that a signer knows a sub-secret sk i. Again, the challenge is replaced with h(m,α). Verification A tuple (m, α,β, γ) is a valid signature if β = h(m, α) Ver pk (α, β, γ) = 1. Extra property: Verifier cannot learn who exactly signed the document. MTAT.07.003 Cryptology II, Digital Signatures, April 17, 2008 24

Setup Signing Forward secure signatures A participant chooses a master secret key s u Z n for an RSA modulus and outputs v = s 2n as a public key. The signer can uses s 2n 1,...,s 2, s as a secret keys and uses a generic signature scheme based on the Fiat-Shamir identification scheme. Verification A tuple (m, α,β, γ) is a valid signature if β = h(m, α) Ver pk (α, β, γ) = 1. Extra property: Single public key v corresponds to many secret keys s 2n 1,...,s 2, s that can be revoked one by one. MTAT.07.003 Cryptology II, Digital Signatures, April 17, 2008 25

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback