Notes for Lecture 21. From One-Time Signatures to Fully Secure Signatures

Similar documents
CS 495 Cryptography Lecture 6

Notes for Lecture 24

Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage

Analysis of a Redactable Signature Scheme on Data with Dependencies

Lecture 10, Zero Knowledge Proofs, Secure Computation

Cryptography: More Primitives

COMS W4995 Introduction to Cryptography November 13, Lecture 21: Multiple Use Signature Schemes

Digital Signatures. Luke Anderson. 7 th April University Of Sydney.

Summer School on Post-Quantum Cryptography 2017, TU Eindhoven Exercises on Hash-based Signature Schemes

6 Pseudorandom Functions

Further Analysis of a Proposed Hash-Based Signature Standard

Digital Signatures. Sven Laur University of Tartu

Data Structures and Algorithms

Digital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2

1 Defining Message authentication

Secure digital certificates with a blockchain protocol

COMP3121/3821/9101/ s1 Assignment 1

Cryptography V: Digital Signatures

CSC 5930/9010 Modern Cryptography: Digital Signatures

Cryptography V: Digital Signatures

Short Schnorr signatures require a hash function with more than just random-prefix resistance

Lecture 4: Authentication and Hashing

Lecture 8: Cryptography in the presence of local/public randomness

Homework 3: Solution

Cryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III

MITOCW watch?v=zlohv4xq_ti

Proofs for Key Establishment Protocols

Applied cryptography

On the Composition of Authenticated Byzantine Agreement

The most important development from the work on public-key cryptography is the digital signature. Message authentication protects two parties who

Reminder: Homework 4. Due: Friday at the beginning of class

Financial Cryptography February 2001 Grand Cayman Islands - BWI

CS408 Cryptography & Internet Security

Anonymous Signature Schemes

Algorithms for Memory Hierarchies Lecture 2

CS F-11 B-Trees 1

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Trees. 3. (Minimally Connected) G is connected and deleting any of its edges gives rise to a disconnected graph.

How to Sign Digital Streams 1

Computer Security CS 426 Lecture 35. CS426 Fall 2010/Lecture 35 1

Lecture 19 - Oblivious Transfer (OT) and Private Information Retrieval (PIR)

Lecture 8 - Message Authentication Codes

Notes for Lecture 24

Binary Trees

Introduction to Cryptography Lecture 10

CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure

Notes for Lecture 14

Lower Bound on Comparison-based Sorting

Lecture 22 - Oblivious Transfer (OT) and Private Information Retrieval (PIR)

Timed-Release Certificateless Encryption

Feedback Week 4 - Problem Set

Lecture 14 Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze. 1 A Note on Adaptively-Secure NIZK. 2 The Random Oracle Model

Digital Signature. Raj Jain

6. Asymptotics: The Big-O and Other Notations

APPLICATIONS AND PROTOCOLS. Mihir Bellare UCSD 1

Treaps. 1 Binary Search Trees (BSTs) CSE341T/CSE549T 11/05/2014. Lecture 19

13.4 Deletion in red-black trees

Plaintext Awareness via Key Registration

Outline for Today. How can we speed up operations that work on integer data? A simple data structure for ordered dictionaries.

6 Distributed data management I Hashing

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

CS 161 Problem Set 4

Notes for Lecture 20

Outline for Today. How can we speed up operations that work on integer data? A simple data structure for ordered dictionaries.

Introduction to Algorithms / Algorithms I Lecturer: Michael Dinitz Topic: Approximation algorithms Date: 11/18/14

13.4 Deletion in red-black trees

Applied Cryptography and Computer Security CSE 664 Spring 2018

Homework 2 CS161 Computer Security, Spring 2008 Assigned 2/13/08 Due 2/25/08

QuasiModo: Efficient Certificate Validation and Revocation

Efficient Compilers for Authenticated Group Key Exchange

P2_L8 - Hashes Page 1

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

RSA. Public Key CryptoSystem

CS 270 Algorithms. Oliver Kullmann. Generalising arrays. Direct addressing. Hashing in general. Hashing through chaining. Reading from CLRS for week 7

Lecture 32. No computer use today. Reminders: Homework 11 is due today. Project 6 is due next Friday. Questions?

Scribe: Virginia Williams, Sam Kim (2016), Mary Wootters (2017) Date: May 22, 2017

Securing Distributed Computation via Trusted Quorums. Yan Michalevsky, Valeria Nikolaenko, Dan Boneh

On Optimal Hash Tree Traversal for Interval Time-Stamping (Lipmaa)

(2,4) Trees. 2/22/2006 (2,4) Trees 1

CS 441 Discrete Mathematics for CS Lecture 26. Graphs. CS 441 Discrete mathematics for CS. Final exam

Study Guide for the Final Exam

1 Better Approximation of the Traveling Salesman

Data Structures and Algorithms Dr. Naveen Garg Department of Computer Science and Engineering Indian Institute of Technology, Delhi

Chosen-Ciphertext Security (II)

Cryptographic Primitives and Protocols for MANETs. Jonathan Katz University of Maryland

Principles of Algorithm Design

1 The range query problem

Lecture 9 March 4, 2010

Efficient Content Authentication in Peer-to-peer Networks

How many leaves on the decision tree? There are n! leaves, because every permutation appears at least once.

Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24

Lecture 5. Treaps Find, insert, delete, split, and join in treaps Randomized search trees Randomized search tree time costs

CMSC Introduction to Algorithms Spring 2012 Lecture 16

Enabling Cloud Storage Auditing with Key-Exposure Resistance

On the Security of a Certificateless Public-Key Encryption

Week 9. Hash tables. 1 Generalising arrays. 2 Direct addressing. 3 Hashing in general. 4 Hashing through chaining. 5 Hash functions.

A Forward-Secure Signature with Backward-Secure Detection

2.2 Syntax Definition

Non-context-Free Languages. CS215, Lecture 5 c

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Transcription:

U.C. Berkeley CS276: Cryptography Handout N21 Luca Trevisan April 7, 2009 Notes for Lecture 21 Scribed by Anand Bhaskar, posted May 1, 2009 Summary Today we show how to construct an inefficient (but efficiently verifiable) signature scheme starting from a one-time signature scheme. Next time we shall see how to make it efficient using a pseudorandom function. From One-Time Signatures to Fully Secure Signatures Assume we have a (t, ɛ)-secure one-time signature scheme (G, S, V ) such that if m is the length of messages that can be signed by S, then the length of public keys generated by G() is at most m/2. (Lamport s signatures do not satisfy the second property, but in Lecture 20 we described how to use a collision-resistant hash function to turn Lamport s scheme into a scheme that can sign longer messages. We can arrange the parameters of the construction so that the hash-and-sign scheme can sign messages at least twice as long as the public key.) We describe a scheme in which the key generation and signing have exponential complexity; later we will see how to reduce their complexity. Key Generation: run G() 2 m+1 1 times, once for every string a {0, 1} of length at most m, and produce a public key / secret key pair (pk a, sk a ). It is convenient to think of the strings a of length at most m as being arranged in a binary tree, with a being the parent of a0 and a1, and the empty string ɛ being the root. Public Key: pk ɛ (where ɛ is the empty string) Secret Key: the set of all pairs (pk a, sk a ) for all a of length m. Sign: given a message M of length m, denote by M i the string M 1,..., M i made of the first i bits of M. Then the signature of M is composed of m + 1 parts: 1

pk M, S(sk M, M): the signature of M using secret key sk M, along with the value of the matching public key pk M pk M m 1, pk M m 1 0 pk M m 1 1, S(sk M m 1, pk M m 1 0 pk M m 1 1) the signature of the public keys corresponding to M and its sibling, signed using the secret key corresponding to the parent of M, along with the public keys pk M i, pk M i 0 pk M i 1, S(sk M i, pk M i 0 pk M i 1) pk 0, pk 1, S(sk ɛ, pk 0 pk 1 ) Verify. The verification algorithm receives a public key pk ɛ, a message M, and a signature made of m + 1 pieces: the first piece is of the form (pk m, σ m ), the following m 1 pieces are of the form (pk j, pk j, pk j, σ j ), for j = 1,..., m 1, and the last piece is of the form (pk 0, pk 0, σ 0 ). The verification algorithm: 1. checks V (pk m, M, σ m ) is valid; 2. For j = 1,..., m, if M j = 0 it checks that pk j 1 = pk j, and if M j = 1 it checks that pk j 1 = pk j ; 3. For j = 0,..., m 1, it checks that V (pk j, pk j pk j, σ j ) is valid. (For the case j = 0, we take pk 0 := pk ɛ.) We visualize the m-bit messages as labels for the leaf nodes of an m level complete binary tree. Each node a of the tree represents a public-secret key pair pk a, sk a. The above scheme signs a message M by first using the one-time signature function to sign M using the secret key sk M at its corresponding leaf node, and releasing the public key pk M for that node as part of the signature. Now the sender needs to convince the receiver that public key pk M was really generated by the sender and not a forger. So the sender signs the message consisting of pk M and its sibling, namely pk M m 1 0 pk M m 1 1, using the secret key of their parent node sk M m 1, and releases these two public keys and the public key pk M m 1 as part of the message. The sender now has to convince the receiver that pk M m 1 was generated by the sender, and it can apply the previous procedure again to do this. This signing procedure moves up the tree from signing the message at the leaf node to signing messages of two public keys at each level of the tree until it gets to the root node. The root public key pk ɛ doesn t have to be signed since this is the public key that is released by the sender at the very beginning for all future communication. 2

Each public-secret key pair node in this tree is used to sign only one message - either the message corresponding to the leaf node if the key is at a leaf node, or the message that is the concatenation of the public keys at its two children. Note that the public key length is m/2 and so there are only 2 m/2 distinct public keys in this tree which has 2 m+1 1 nodes. There will certainly be many copies (on average 2 m/2+1 ) of each public key at different nodes of the tree. We might be concerned that an adversary might then see many signatures for the same public key and have a much higher chance of breaking the one-time signature scheme for some public key. But if this attack was feasible, then the adversary might as well have generated public-secret key pairs by calling G() and checking if one of these matched some public key seen in the signature of some earlier message - thus, in this scheme, the adversary doesn t get any extra power from seeing multiple signatures using the same key pair. The theorem below shows that if it is hard for an adversary to forge signatures for the one-time signature scheme (G, S, V ), then it will be also be hard to forge signatures under this tree-scheme. Theorem 1 Suppose that the scheme described in this section is not (t, ɛ) existentially unforgeable against a chosen message attack. Then (G, S, V ) is not a (t O(r m), ɛ/(2tm + 1))-secure one time signature scheme, where r is the maximum of the running time of S and G. Proof: If the tree-scheme is not (t, ɛ) existentially unforgeable against a chosen message attack, then there exists an algorithm A with complexity t such that P[A Sign() (pk) forges] ɛ A makes t queries to the signing oracle before outputting a fresh message and its forged signature. Hence, A can only see 2tm + 1 public keys (and signatures using them) generated by the key generation algorithm G. Using A as a subroutine, we will construct an algorithm A which given as input a public key pk of the signature scheme (G, S, V ) and one-time access to the signature function S(sk, ) will forge a signature for a fresh message with probability ɛ. A picks a random integer i in {1,..., 2tm+1} and using the key generation algorithm G(), generates 2tm key pairs (pk 1, sk 1 ),..., (pk i 1, sk i 1 ), (pk i +1, sk i +1 ),..., (pk 2tm+1, sk 2tm+1 ) For notational convenience, set pk i = pk. A now simulates A on input pk 1. Whenever A makes a call to Sign() with a given message, A performs the signing algorithm of the tree-scheme by using the publicsecret key pairs it randomly generated at the beginning. A will keep track of which 3

nodes of the tree were already assigned key pairs from it s cache of 2tm + 1 key pairs. Since at worst 2tm + 1 key pairs are needed for performing the t signatures requested by A, A can satisfy all these signature queries using its generated key pairs. If A needs to sign using S(sk, ), it will use its one-time access to S(sk, ) to perform this action. A won t have to call S(sk, ) twice with different messages since a public key is never used to sign more than one message in the tree-scheme, unless coincidentally pk is present as another pk j, j i in the list of 2tm key-pairs generated, in which case A would have the secret key sk corresponding to pk and can completely break (G, S, V ). The view of A being run in the simulation by A is exactly the same as if A had been run on a random public key as input. Hence, the probability A produces a forgery is ɛ. If A produces a fresh message M and its valid signature {pk M i, pk M i 0 pk M i 1, σ M i } m 1 i=0, pk M m, σ M m then let j be the largest integer such that pk M j was seen by A as part of the signature of some message at position M j in the virtual signature tree. Hence, pk M j must be one of the 2tm + 1 keys pk i generated by A. Such a value of j must exist because certainly 0 is a candidate for j (since the public key pk ɛ = pk M 0 = pk 1 was given as input to A). Based on the value of j, there are two cases: j {0,..., m 1}. Hence, pk M j = pk i for some i, and if i = i, then A will output the message-signature pair pk M j 0 pk M j 1, σ M j as a forgery. V (pk M j, pk M j 0 pk M j 1, σ M j ) = 1 because this was part of the valid tree-scheme signature of message M output by A. By the definition of j, A has never seen the signature of pk M j 0 pk M j 1 before. Since the position i was chosen randomly, the event i = i has probability 1/(2tm + 1). j = m. Here, all the intermediate public keys in the forged signature of M match those seen by A (and hence match the keys generated by A ), but the signature of M at the last level of the tree itself has not been seen. Hence, pk M m = pki for some i and V (pk M m, M, σ M m ) = 1 because M is a valid forge produced by A. If i = i, then A outputs the forged message-signature pair M, σ M m. Again, since the position i was chosen randomly, the event i = i has probability 1/(2tm + 1). Conditioned on algorithm A outputting a forge to the tree scheme, in both cases algorithm A produces a forge to the original scheme (G, S, V ) with probability 1/(2tm + 1). Hence, the probability that A produces a forge to (G, S, V ) is ɛ/(2tm + 1). The running time of the simulation A is dominated by having to 4

generate 2tm key pairs and performing m signatures using S for each of the t signing queries made by A, and is t O(r m). 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback