tightly-secure signatures from chameleon hash functionstightly-securesignaturesfromchameleon...
Post on 07-Feb-2021
8 Views
Preview:
TRANSCRIPT
-
Tightly-Secure Signatures from ChameleonHash FunctionsNIST, Maryland, PKC 2015
Olivier Blazy1, Saqib A. Kakvi2, Eike Kiltz2,Jiaxin Pan21University of Limoges, France2Ruhr University Bochum, Germany
-
Keywords
1. Signatures
2. Tight Security
3. Chameleon Hash
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 2/30
-
Signature
. (pk, sk)←$ Gen
. σ ←$ Sign(sk,M)
. 0/1← Ver(pk,M, σ)
Correctness:
∀(pk, sk)←$ Gen, Ver(pk,M, Sign(sk,M)) = 1
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 3/30
-
UF-CMA Security
Challenger
(pk, sk)←$ Gen pk
Miσi ←$ Sign(sk,Mi) σi
(M, σ)Adversary wins:Ver(pk,M, σ) = 1∧M /∈ {M1, . . . ,MQ}
Adversary
Q is the number of signing queries.
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 4/30
-
Provable Security
DLOG
g,A←$ G
a ∈ ZpA = ga
Reduction Adversary
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 5/30
-
Provable Security
DLOG
g,A←$ G
a ∈ ZpA = ga
Reduction Adversary“DLOG problem is hard ⇒ scheme is secure”
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 5/30
-
I Let k be the security parameter,
Adv[Sig] < f(k) · Adv[DLOG]
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 6/30
-
Tight Security
Adv[Sig] < f(k) · Adv[DLOG]
I “Tight” iff(k) = O(1)
I “Loose” iff(k) = O(Q)
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 7/30
-
Why “tight”?
I In practice:◦ We want efficient schemes!◦ Smaller security parameters!
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 8/30
-
For example
I We want 80-bit security and Q = 240
Tight scheme. Adv[Sig] < Adv[DLOG] < 2−80
=⇒ We need DLOG problem with 80-bit security=⇒ |p| = 160 (by the best DLOG attack)
Loose Scheme. Adv[Sig] < 240 · Adv[DLOG] < 2−80
=⇒ Adv[DLOG] < 2−120
=⇒ We need DLOG problem with 120-bit security=⇒ |p| = 240 (by the best DLOG attack)
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 9/30
-
Signatures in the Standard Model
I Loose Reduction◦ e.g. Waters ’05
I Non-standard/“Q-Type” Assumptions◦ e.g. Boneh-Boyen ’04
I Exceptions: . . .
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 10/30
-
Tight Signatures from Standard Assumptions
I CRYPTO ’96 Cramer-Damgård: RSA
I PKC ’05 Catalano-Gennaro: Factoring
I CRYPTO ’12 Hofheinz-Jager: DLIN
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 11/30
-
Tight Signatures from Standard Assumptions
I CRYPTO ’96 Cramer-Damgård: RSA
I PKC ’05 Catalano-Gennaro: Factoring
I CRYPTO ’12 Hofheinz-Jager: DLIN
QuestionGeneric constructions for tight signatures?
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 11/30
-
Our Contribution
Transformation
DLOG
SIS
CDH
DLIN
RSA
. . .
TSIG[DLOG]
TSIG[SIS]
TSIG[CDH]
TSIG[DLIN]
TSIG[RSA]
TSIG[. . .]
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 12/30
-
Our Contribution
DLOG SIS FAC . . .
Chameleon Hash Two-Tier Signature Tight Signature
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 13/30
-
Our Contribution
DLOG SIS FAC . . .
Chameleon Hash Two-Tier Signature Tight Signature[BS07]
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 13/30
-
Two-Tier Signature
I Proposed by Bellare and Shoup at PKC ’07
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 14/30
-
Two-Tier Signature
Signature
I (pk, sk)←$ Gen
I σ ←$ Sign(sk,M)
I 0/1← Ver(pk,M, σ)
Two-Tier Signature
I (ppk, psk)←$ PrimaryGenI (spk, ssk)←$ SecondaryGenI σ ←$ TTSign(sk, ssk,M)
I 0/1← TTVer(pk, spk,M, σ)
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 15/30
-
Security of two-tier signature
Challenger
(ppk, psk)←$ PrimaryGen pk
Mi(spki, sski)←$ SecondaryGenσi ←$ TTSign(sk, sski,Mi) (σi, spki)
(M, σ, spk)Adversary wins:TTVer(ppk, spk,M, σ) = 1∧ M /∈ {M1, . . . ,MQ}∧ spk = spki for some i
Adversary
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 16/30
-
Two-Tier Signature → Standard Signature
......
......
......
......
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 17/30
-
Two-Tier Signature → Standard Signature
spki ←$ SecondaryGen
......
......
......
......
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 17/30
-
Two-Tier Signature → Standard Signature
spki ←$ SecondaryGen
......
......
M
......
......
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 17/30
-
Gen of Tree Signature
I (ppk, psk)←$ PrimaryGen
I (spkroot, sskroot)←$ SecondaryGenI PK = (ppk, spkroot), sk = (psk, sskroot)
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 18/30
-
Gen of Tree Signature
I (ppk, psk)←$ PrimaryGenI (spkroot, sskroot)←$ SecondaryGen
I PK = (ppk, spkroot), sk = (psk, sskroot)
......
......
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 18/30
-
Gen of Tree Signature
I (ppk, psk)←$ PrimaryGenI (spkroot, sskroot)←$ SecondaryGenI PK = (ppk, spkroot), sk = (psk, sskroot)
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 18/30
-
Sign(sk,M)
I Step 1: Nodes Generation
I Step 2: Path Authentication
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 19/30
-
Step 1: Node Generation
......
......
M
......
......
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 20/30
-
Step 1: Node Generation
......
......
M
......
......
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 20/30
-
Step 1: Node Generation
......
......
M
......
......
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 20/30
-
Step 1: Node Generation
......
......
M
......
......
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 20/30
-
Step 1: Node Generation
......
......
M
......
......
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 20/30
-
Step 2: Path Authentication
......
......
M
......
......
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 21/30
-
Step 2: Path Authentication
I σ = TTSign(psk, sskparent, (LChild||RChild))
Parent
LChild RChild
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 22/30
-
Step 2: Path Authentication
Use Two-Tier Sig to authenticate the path
......
......
M
......
......
σ0
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 23/30
-
Step 2: Path Authentication
Use Two-Tier Sig to authenticate the path
......
......
M
......
......
σ0
σ1
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 23/30
-
Step 2: Path Authentication
Use Two-Tier Sig to authenticate the path
......
......
M
......
......
σ0
σ1
σL
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 23/30
-
Signatures
I Define signature := (path,σ1, . . . , σL)I Verify:
◦ Check if (σ1, . . . , σL) are valid two-tier signatures on path
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 24/30
-
Security
Theorem 1Our construction is tightly secure, if the underlying two-tier signature istightly-secure. Particularly,I Adv[TreeSig] = Adv[Two-TierSig]
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 25/30
-
Proof Idea
I Simulate the signature without sk:◦ Use two-tier signing oracle
I Tightly extract the two-tier forgery:◦ Observation:
I Forgery path differs from signing paths
◦ “Splitting” node: the valid two-tier forgery
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 26/30
-
“Splitting” Node
......
......
......
...
......
M∗
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 27/30
-
“Splitting” Node
......
......
......
...
......
M∗
σ∗1
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 27/30
-
Differences to Merkle trees
I Our tree node only contains “half” of the PK◦ Merkle: the whole PK
I We have a tight reduction◦ Merkle: loose reduction, guessing
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 28/30
-
Summary
Our ContributionsI Generic framework, new constructionsI Extensions: flat-tree signatures, ssNIZK, multi-challenge PKE
I Shortcoming: linear signature size
Open ProblemsI Reducing signature size
◦ For DLIN, it is already solved by [CW13], [BKP14];◦ Tight and constant size signatures based on DLOG, RSA, SIS?
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 29/30
-
Many thanks for your attention!
QUESTIONS?
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 30/30
top related