Digital Signatures
Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung)
Digital Signatures 2020-05-19 1

Outline
Waters signatures
Overview over course topics
General remarks

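Recap: Waters signatures
• $\mathsf{Gen}(1^k)$:
  – $g^\alpha \leftarrow G$, $\kappa \leftarrow \mathsf{GenPHF}(1^k)$.
  – $sk = g^\alpha$, $pk = (g, \kappa, e(g, g^\alpha))$.
• $\mathsf{Sign}(sk, m)$: choose $r \leftarrow \mathbb{Z}_p$. Compute
  $\sigma_1 := g^r$, $\sigma_2 := g^\alpha \cdot H_\kappa(m)^r$.
  Set $\sigma = (\sigma_1, \sigma_2)$.
• $\mathsf{Vfy}(pk, m, \sigma)$:
  $e(g, \sigma_2) \stackrel{?}{=} e(g, g)^\alpha \cdot e(\sigma_1, H_\kappa(m))$
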
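Correctness of the verification equation, as an added derivation (not on the original slides), using only bilinearity of $e$ and the definitions of $\sigma_1$, $\sigma_2$ from the recap:

$$
\begin{aligned}
e(g, \sigma_2) &= e\bigl(g,\; g^\alpha \cdot H_\kappa(m)^r\bigr) \\
&= e(g, g^\alpha) \cdot e\bigl(g, H_\kappa(m)^r\bigr) \\
&= e(g, g)^\alpha \cdot e\bigl(g, H_\kappa(m)\bigr)^r \\
&= e(g, g)^\alpha \cdot e\bigl(g^r, H_\kappa(m)\bigr) \\
&= e(g, g)^\alpha \cdot e\bigl(\sigma_1, H_\kappa(m)\bigr).
\end{aligned}
$$
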
Recap: security of Waters signatures
Theorem (99)
Let $H$ be a $(1, q, \gamma)$-PHF for any polynomial $q$. Then
• for every adversary $A$ that breaks the EUF-CMA security of Waters’ scheme with success $\varepsilon_A$ in time $t_A$ with at most $q$ signature queries,
• there is an adversary $B$ that breaks CDH in $G$ in time $t_B \approx t_A$ with success
  $\varepsilon_B \geq \gamma \cdot \varepsilon_A$.

Waters: summary
• Less efficient than BLS signatures (+1 group element)
• But: proof in standard model, PHFs central tool
  – Historical context: Waters IBE (2005) = Boneh-Boyen IBE (2004) + PHFs
• PHFs influential, many “partitioning proofs” with similar techniques

Current research
• Better PHFs (but inherent combinatorial limitations)
• Different partitioning techniques (→ tight security)
• Tradeoff: more efficiency ↔ weaker assumptions
• (With pairings:) identity-based encryption → attribute-based encryption → functional encryption

Socrative
Self-checking with quizzes
• Last time /
• Use following URL: https://b.socrative.com/login/student
• ... and enter room “HOFHEINZ8872”
• Will also be in chat (so you can click on link)
• No registration necessary
• Quiz about Waters signatures starts now!

Outline
Waters signatures
Overview over course topics
General remarks

Introduction
Goal: “Digital version of physical signature.” We want:
• Authenticity
  – Document signed by specific person/entity
• Integrity
  – Signed document not changed after signing

Definition: digital signature scheme
Def. 1: (Digital signature scheme)
A digital signature scheme is a tuple $\Sigma = (\mathsf{Gen}, \mathsf{Sign}, \mathsf{Vfy})$ of probabilistic polynomial-time algorithms:
• $\mathsf{Gen}(1^k) \to (pk, sk)$ ($k \in \mathbb{N}$ security parameter → asymptotic definition)
• $\mathsf{Sign}(sk, m) \to \sigma$ (with $m \in \{0, 1\}^*$)
• $\mathsf{Vfy}(pk, m, \sigma) \in \{0, 1\}$ (intuitively: 1 iff $\sigma$ valid)
Correctness: “the scheme works.”

Security
• Concrete security definition combines two things:
  – Adversarial capabilities (e.g., naCMA, CMA)
  – Adversarial goal (e.g., EUF, sEUF, UUF)
• Definition by security experiment (e.g., EUF-CMA)
• We need assumptions (no unconditionally secure schemes)!

Hash-then-Sign
• Goal: extend message space of signature scheme
• Idea: sign $H(m)$ instead of $m$
  – $H$ collision-resistant hash function
• This modification preserves security
• Sometimes even improves security (RSA-FDH)

One-time signatures
• Stepping stone towards construction of signature schemes
• Remain secure if one signature is known (EUF-1-CMA/EUF-1-naCMA)
• Constructions based on ...
  – ... one-way functions (Lamport)
  – ... hardness of discrete logarithm problem
  – ... hardness of RSA problem
  – (first encounter with Shamir’s trick)

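A Lamport one-time signature built from a one-way function, as an added example (not from the original slides). SHA-256 stands in for the one-way function and also hashes the message (hash-then-sign); the function names and the helper `exposed_positions` are chosen here for illustration.

```python
import hashlib
import secrets

N = 256  # digest length in bits; the key holds one pair of preimages per bit

def f(x: bytes) -> bytes:
    """One-way function candidate (SHA-256); also used to hash the message."""
    return hashlib.sha256(x).digest()

def msg_bits(m: bytes) -> list[int]:
    """Hash-then-sign: the N bits of H(m), most significant bit first."""
    d = int.from_bytes(f(m), "big")
    return [(d >> (N - 1 - i)) & 1 for i in range(N)]

def gen():
    """sk = 2N random preimages x[i][b]; pk = their images f(x[i][b])."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pk = [(f(x0), f(x1)) for x0, x1 in sk]
    return pk, sk

def sign(sk, m: bytes) -> list[bytes]:
    """For each position i, reveal the preimage selected by bit i of H(m)."""
    return [sk[i][b] for i, b in enumerate(msg_bits(m))]

def vfy(pk, m: bytes, sig) -> bool:
    """Accept iff every revealed value maps under f to the matching pk entry."""
    bits = msg_bits(m)
    return len(sig) == N and all(
        f(s) == pk[i][b] for i, (b, s) in enumerate(zip(bits, sig))
    )

def exposed_positions(m1: bytes, m2: bytes) -> int:
    """Positions where signing both m1 and m2 reveals both preimages.

    Every such position is a bit an outsider can now choose freely, which
    is why a key pair must sign at most one message.
    """
    return sum(a != b for a, b in zip(msg_bits(m1), msg_bits(m2)))
```
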
Transformations
• ... from EUF-(1-)naCMA to EUF-(1-)CMA security
  – Trick: $\sigma = (\sigma'_{pk_1}, pk_1, \sigma^{(1)}_m)$
  – Reduction(s) to two assumptions
• ... from EUF-1-CMA to EUF-CMA security
  – Use binary tree of hash functions (one-time signatures)
  – Each node authenticates/signs the two child nodes
  – Every leaf used only once (to sign message)

RSA-based schemes
• Textbook RSA ($\sigma = m^d \bmod N$): don’t use this!
• PKCS #1 v1.5 (“naive” padding of $m$): security unclear
• RSA-FDH ($\sigma = H(m)^d \bmod N$): secure in ROM
• RSA-PSS (clever padding of $m$): secure in ROM
  – Better concrete security guarantees than RSA-FDH
  – → Better parameter choices, more efficiency
  – Many $\sigma$ for each $m$, reduction knows only one
• GHR: standard-model proof under stronger assumption

Chameleon hash functions
• Hash function with trapdoor (to find collisions)
• Can be viewed as one-time signature schemes
• Constructions based on DLog and RSA
  – Essentially same as DLog-/RSA-based one-time sigs
• Immediate application: chameleon signatures
• Technical application: EUF-CMA → sEUF-CMA
  – CHFs resolve circular dependency in construction

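A DLog-based chameleon hash and the one-time signature scheme it induces, as an added example (not from the original slides). The slides do not spell out the construction, so this uses the standard one, $CH(m; r) = g^m h^r$ with trapdoor $x$ where $h = g^x$; the group parameters are toy values constructed for illustration and all function names are chosen here.

```python
import secrets

# Toy parameters, constructed for illustration and far too small for real use:
# p = 2q + 1 with p, q prime; g = 4 generates the subgroup of order q.
P, Q, G = 1019, 509, 4

def gen():
    """Trapdoor x in Z_q^*, public hash key h = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P), x

def ch(h: int, m: int, r: int) -> int:
    """CH_h(m; r) = g^m * h^r mod p, for a message m already mapped to Z_q."""
    return pow(G, m % Q, P) * pow(h, r % Q, P) % P

def collide(x: int, m: int, r: int, m2: int) -> int:
    """With trapdoor x, return r2 such that CH(m2; r2) = CH(m; r).

    g^m h^r = g^(m + x*r), so solve m + x*r = m2 + x*r2 (mod q) for r2.
    """
    return (r + (m - m2) * pow(x, -1, Q)) % Q

# The same object viewed as a one-time signature scheme:
# pk fixes a hash value c, and a signature on m is randomness opening c to m.
def ots_gen():
    h, x = gen()
    m0, r0 = secrets.randbelow(Q), secrets.randbelow(Q)
    return (h, ch(h, m0, r0)), (x, m0, r0)

def ots_sign(sk, m: int) -> int:
    x, m0, r0 = sk
    return collide(x, m0, r0, m)

def ots_vfy(pk, m: int, sig: int) -> bool:
    h, c = pk
    return ch(h, m, sig) == c
```
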
Pairing-based signatures
• Pairing: bilinear map $e : G_1 \times G_2 \to G_T$
• Allows one multiplication in exponent
  – Price: moving to a different group ($G_T$)
• Allows tripartite key exchange
• BLS signatures: $pk = g^x$, $\sigma = H(m)^x$
  – Pairing helps to verify signatures
  – Proof under CDH in ROM, similar to RSA-FDH

Programmable hashing and Waters signatures
• Programmable hash functions: mimic ROM (but without oracles)
• Tool to obtain ROM-like proofs in standard model
• PHF is hash function $H : \{0, 1\}^\ell \to G$ with trapdoor
• Trapdoor allows explaining $H(m)$ as $H(m) = h^{a_m} g^{b_m}$
• Hope that $a_m \neq 0$ most of the time, $a_m = 0$ sometimes
• Leads to Waters signatures:
  – Here, reduction can sign iff $a_m \neq 0$

Outline
Waters signatures
Overview over course topics
General remarks

General remarks
• Exam: concepts important, also proof strategies/tricks
  – Exam is discussion, goal: find out if you understood things
• Lecture: interaction very much appreciated, thank you!
• Similar courses/parts of courses/labs on the way
• <blink>OPPORTUNITY</blink>
  – Your feedback influences future course design!