mtat.07.003 cryptology ii digital signatures
TRANSCRIPT
MTAT.07.003 Cryptology II
Digital Signatures
Sven LaurUniversity of Tartu
Formal Syntax
Digital signature scheme
(sk, pk)ā Genpk
māM0
sā Signsk(m)(m, s) (m, s)
Verpk(m, s)?= 1
ā² To establish electronic identity, Charlie must generate (pk, sk) ā Genand convinces others that the public information pk represents him.
ā² A keyed hash function Signsk :Mā S takes in a plaintext and outputsa corresponding digital signature.
ā² A public verification algorithm Verpk :MĆS ā {0, 1} tries to distinguishbetween altered and original message pairs.
ā² The signature scheme is functional if for all (pk, sk)ā Gen and m āM:Verpk(m, Signsk(m)) = 1 .
MTAT.07.003 Cryptology II, Digital Signatures, 8 April, 2009 1
Example. RSA-1024 signature scheme
Key generation Gen:
1. Choose uniformly 512-bit prime numbers p and q.
2. Compute N = p Ā· q and Ļ(N) = (pā 1)(q ā 1).
3. Choose uniformly eā ZāĻ(N) and set d = eā1 mod Ļ(N).
4. Output sk = (p, q, e, d) and pk = (N, e).
Signing and verification:
M = ZN , S = ZN , R = ā
Signsk(m) = md mod N
Verpk(m, s) = 1 ā m = se mod N .
MTAT.07.003 Cryptology II, Digital Signatures, 8 April, 2009 2
Security definitions
Attack scenarios
ā² Key only attack. The adversary has access only to the public key pk.
ā² Chosen message attack. Besides the public key pk, the adversary canadaptively query a list of valid signatures (m1, s1), . . . , (mn, sn).
Attack types
ā² Universal forgery. The adversary must create a valid signature for aprescribed message m that is chosen from a distribution M0.
ā² Existential forgery. The adversary must create a valid signature for somemessage m, i.e., there are no limitations on the choice of message.
One more signature attack = Chosen message attack + Existential forgery
MTAT.07.003 Cryptology II, Digital Signatures, 8 April, 2009 3
Security against one more signature attack
A signature scheme is (t, q, Īµ)-secure against one more signature attack if
Advforge(A) = Pr [GA = 1] ā¤ Īµ
for any t-time adversary A whereG
A
2
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
4
(pk, sk)ā Gen
For i ā {1, . . . , q} do"
mi ā A(siā1)
si ā Signsk(mi)
(m, s)ā A
if (m, s) ā {(m1, s1), . . . , (mq, sq)} return 0
return Verpk(m, s)
MTAT.07.003 Cryptology II, Digital Signatures, 8 April, 2009 4
A conceptual description of digital signatures
A digital signature is a non-interactive and transferable counterpart of thefollowing extended identification protocol:
1. Verifier sends a message m to a prover.
2. The prover accepts the message m.
3. The prover authenticates him or herself by using sk.
Transferability means that signature must be verifiable by other parties thatdid not participate in the creation of the signature.
As a result, digital signature is either
ā² a non-interactive proof of possession that is linked to the message m.
ā² a non-interactive proof of knowledge that is linked to the message m.
MTAT.07.003 Cryptology II, Digital Signatures, 8 April, 2009 5
Digital Signatures Based on
Proofs of Possession
Lamport one-time signatures
Public parameters:
Let {0, 1}n be the message space and f : X ā Y a one-way function.
Key Generation:
Generate 2Ćn random elements xij āu X and compute yij ā f(xij).The secret key is sk = (xij) and the public key is pk = (yij).
Signing:
To sign a message m = mn . . .m1 release Ļ = (x1m1, . . . , xnmn).
Verification:
A signature (m,Ļ) is valid if f(Ļi) = yimifor i = 1, . . . , n.
MTAT.07.003 Cryptology II, Digital Signatures, 8 April, 2009 6
Security of one-time signatures
Theorem. If f is (t, Īµ)-one-way function, then Lamport signature schemeis (t, 1, 2nĪµ)-secure against one more signature attack.
Proof. A successful forgery must reveal an inverse of yiĀ¬mifor some i.
B(y)
Choose 2nā 1 elements of (xij)āu X .
Compute 2nā 1 entries yij ā f(xij).
Put y to the missing place and send pk to A.
Reveal n elements of (xij) to A if possible.
Return x if A reveals x such that f(x) = y.
MTAT.07.003 Cryptology II, Digital Signatures, 8 April, 2009 7
Merkle signature scheme
x00 x01 x10 x11
y00 y01 y10 y11
c0 c1
cā General description
ā² Public key pk is a root hash cā
ā² Secret key sk consists of all leafs xij.
ā² A signature Ļ is a minimal amount ofinformation needed to recompute cā.
ā² A secret key can be compressed by apseudoramndom function family.
Detailed description
ā² All intermediate values cu are computed by hashing cu ā h(cu0, cu1).
ā² The second level values yu are computed as before yu ā f(xu).
ā² The secret key can be further compacted by computing xu ā g(u, k)where g : IĆK ā X induces a pseudorandom function family G = {gk}.
MTAT.07.003 Cryptology II, Digital Signatures, 8 April, 2009 8
Trapdoor one-way permutations
A collection of trapdoor permutations Ftp is determined by three algorithms(Gen, Map, Inv) such that
ā(pk, sk)ā Gen, ām āMpk : Invsk(Mappk(m)) = m
and both algorithms Mappk(Ā·) and Invsk(Ā·) are deterministic.
MTAT.07.003 Cryptology II, Digital Signatures, 8 April, 2009 9
OW-CPA security
A collection of trapdoor permutations Ftp is (t, Īµ)-secure if for any t-timeadversary A
Advinv-cpa(A) = Pr[
GA = 1]
ā¤ Īµ
where
GA
(pk, sk)ā Gen
māu Mpk
y ā Mappk(m)
return [A(pk, y)?= m]
MTAT.07.003 Cryptology II, Digital Signatures, 8 April, 2009 10
Full Domain Hash
Setup
Run (pk, sk) ā Gen to create an instance of trapdoor permutation.Choose h :MāMpk from a collision resistant function family H.
Signing
To sign m āM, compute xā h(m) and output sā Invsk(x).
Verification
A pair (m, s) is a valid signature if h(m) = Mappk(s).
MTAT.07.003 Cryptology II, Digital Signatures, 8 April, 2009 11
Random oracle model
Let us model the hash function by an oracle Opk(Ā·) that evaluates hāu Hall
where Hall = {h :MāMpk} is a set of all functions.
Thus, the advantage is now computed as average
AdvforgeHall
(A) =1
|Hall|Ā·
ā
hāHall
Advforgeh (A) .
In reality, we substitute Hall with a suitable hash family H and hope
AdvforgeH (A) =
1
|H|Ā·ā
hāH
Advforgeh (A) ā Advforge
Hall(A)
for all relevant adversaries A ā A humans devise.
MTAT.07.003 Cryptology II, Digital Signatures, 8 April, 2009 12
Security in the random oracle model
Theorem. Let Ftp is (t, Īµ)-secure collection of trapdoor permutationssuch that Mappk(Ā·) is always Ļ -time computable. Then the FDH signaturescheme is (tā (qh + qs + 1) Ā· Ļ, qs, (qh + qs + 1) Ā· Īµ)-secure against one moresignature attack provided that the adversary can do up to qh hash queries.
Drawbacks
ā² The result holds only in random oracle model.
ā² The security bound increases linearly with qh and ds.
ā² PSS signature scheme achieves a āsublinearā bound.
ā² The proof cannot be generalised to the standard model [Pallier2007].
MTAT.07.003 Cryptology II, Digital Signatures, 8 April, 2009 13
The corresponding proof
ā² We can always assume that A queries hash for the forgery.
ā² The following evaluation strategies lead to identical results
Opk(m)
if H[m] = ā„ then[
H[m]āu Mpk
return H[m]
Opk(m)
if H[m] = ā„ then[
S[m]āu Mpk
H[m]ā Mappk(S[m])
return H[m]
ā² Let Īµi be the probability that forgery was successful and the ith hashquery corresponded to the message.
ā² Then Īµi ā¤ Īµ, since otherwise we would have a too efficient inverter.
MTAT.07.003 Cryptology II, Digital Signatures, 8 April, 2009 14
Digital Signatures Based on
Proofs of Knowledge
Sigma protocols
sk Vpk(Ī±, Ī², Ī³)
Ī² ā BĪ±ā R Ī±
Ī²
Ī³ = Ī³sk(Ī±, Ī²)
A sigma protocol for an efficiently computable relation R ā {0, 1}āĆ{0, 1}ā
is a three move protocol that satisfies the following properties.
ā² Ī£-structure. A prover first sends a commitment, next a verifier sendsvarying challenge, and then the prover must give a consistent response.
ā² Functionality. The protocol run between an honest prover P(sk) andverifier V(pk) is always accepting if (sk, pk) ā R.
MTAT.07.003 Cryptology II, Digital Signatures, 8 April, 2009 15
Security properties of sigma protocols
sk Vpk(Ī±, Ī², Ī³)
Ī² ā BĪ±ā R Ī±
Ī²
Ī³ = Ī³sk(Ī±, Ī²)
ā² Perfect simulatability. There exists an efficient non-rewinding simulatorS such that the output distribution of a semi-honest verifier Vā in thereal world and the output distribution of SVā in the ideal world coincide.
ā² Special soundness. There exists an efficient extraction algorithm Extrthat, given two accepting protocol runs (Ī±, Ī²0, Ī³0) and (Ī±, Ī²1, Ī³1) withĪ²0 6= Ī²1 that correspond to pk, outputs skā such that (skā, pk) ā R
MTAT.07.003 Cryptology II, Digital Signatures, 8 April, 2009 16
Fiat-Shamir heuristics
Fiat-Shamir heuristics converts any sigma-protocol to a signature scheme.
sk Vpk(Ī±, Ī², Ī³)
Ī² ā BĪ±ā RĪ±
Ī²
Ī³
Sigma protocols are
ā interactive
ā non-transferrable
and cannot be linked to
ā particular messages
sk,m Vpk(Ī±, Ī², Ī³) ā§ h(m, Ī±)?= Ī²
Ī±ā RĪ±
Ī² ā h(m, Ī±)
s = (Ī±, Ī², Ī³)
m
If Ī² ā h(m, Ī±) thenā the signer cannot cheat
ā the protocol is non-interactive
ā the protocol is transferable
MTAT.07.003 Cryptology II, Digital Signatures, 8 April, 2009 17
Generic signature schemes
Let Ļ be a sigma protocol specified by the prover and verifier algorithmsPsk and Vpk. Then the corresponding generic signature scheme is following.
Setup
Use output (pk, sk)ā Gen of the sigma protocol setup.
Signing
To sign a message m, output (Ī±, Ī², Ī³) as a signature where
Ī±ā Psk, Ī² ā h(m, Ī±), Ī³ ā Psk(Ī²) .
Verification
A tuple (m, Ī±, Ī², Ī³) is a valid signature if
Ī² = h(m, Ī±) ā§ Verpk(Ī±, Ī², Ī³) = 1 .
MTAT.07.003 Cryptology II, Digital Signatures, 8 April, 2009 18
Famous examples
Schnorr authentication protocol
ā Schnorr signature scheme
ā DSA algorithm
ā ElGamal signature scheme
ā Nyberg-Rueppel signature scheme
Fiat-Shamir identification protocol
ā Feige-Fiat-Shamir signature scheme
Guillou-Quisquater identification protocol
ā Guillou-Quisquater signature scheme
MTAT.07.003 Cryptology II, Digital Signatures, 8 April, 2009 19
Security in the random oracle model
Basic Forking Lemma. Let Īŗ be the knowledge error of the sigmaprotocol. If for a particular public key pk, a t-time adversary A manages tooutput valid signature by making at most ā queries to the random oracleand no queries to the signing oracle with probability Īµ, then there exist anextraction algorithm K for that runs in expected time
E[Ļ ] = Ī
(
(ā + 2) Ā· t
Īµā Īŗ
)
and returns the corresponding secret key sk.
Simulatability Lemma. Oracle calls to the signing oracle can be replacedwith the runs of the sigma protocol simulator. The probability of simulationfailures due to the contradicting assignments for O(Ā·) are negligible.
MTAT.07.003 Cryptology II, Digital Signatures, 8 April, 2009 20
An encoding of the extraction task
Assume that A never queries the same value h(mi, Ī±i) twice and that A
itself verifies the validity of the candidate signature (mn+1, sn+1).
Let Ļ0 denote the randomness used by A and let Ļ1, . . . Ļā+1 be the repliesfor the hash queries h(mi, Ī±i). Now define
A(Ļ0, Ļ1, . . . , Ļā+1) =
{
i, if the ith reply Ļi is used in forgery ,
0, if A fails .
ā² For any Ļ = (Ļ0, . . . , Ļiā1, Ļi, . . . , Ļā+1), A behaves identically up tothe ith query as with the randomness Ļ.
ā² To extract the secret key sk, we must find Ļ and Ļ such that A(Ļ) = i
and A(Ļ) = i and Ļi 6= Ļi.
MTAT.07.003 Cryptology II, Digital Signatures, 8 April, 2009 21
Classical algorithm
Rewind:
1. Probe random entries A(Ļ) until A(r, c) 6= 0.
2. Store the matrix location Ļ and the rewinding point iā A(Ļ).
3. Probe random entries A(Ļ) until A(Ļ) = i.
4. Output the location tuple (Ļ,Ļ).
Rewind-Exp:
1. Repeat the procedure Rewind until Ļi 6= Ļi.
2. Use the knowledge extraction lemma to extract sk.
MTAT.07.003 Cryptology II, Digital Signatures, 8 April, 2009 22
Average-case running time
Theorem. If a array A(Ļ) with entries in {0, . . . , ā} contains Īµ-fraction ofnonzero entries, then Rewind and Rewind-Exp make on average
E[probes|Rewind] =2
Īµ
E[probes|Rewind-Exp] =ā + 1
Īµā Īŗ
probes where the knowledge error
Īŗ =ā
ā
i=1
Pr [Ļi = Ļi] .
Proof. We prove this theorem in another lecture.
MTAT.07.003 Cryptology II, Digital Signatures, 8 April, 2009 23
Interpretation of the Results
Objective and subjective security
All forms of the Forking Lemma are stated with respect to a fixed key andthus give only soundness guarantees.
If we believe that no human can devise an algorithm that for a particular
public key pk computes the corresponding secret key, then we also get thecorresponding subjective security guarantee.
For objective security guarantees, we have to consider average successprobability over all public keys. In this situation, the knowledge extractionwith high probability is overkill. Fixed number of probes together withJensenās inequality give more tight bounds.
All these security guarantees hold in the random oracle model!
MTAT.07.003 Cryptology II, Digital Signatures, 8 April, 2009 24
Average case nature of advantages
General purposeWeakly specialised
Trivial
h
Advforge(A|h)
1
Īµ
The limit on the average advantage over all functions means:
ā² An attack algorithm A can be successful on few functions
ā² For randomly chosen function family H the corresponding averageadvantage is comparable with high probability over the choice of H.
Such argumentation does not rule out possibility that one can chooseadaptively a specialised attack algorithm A based on the description of h.
MTAT.07.003 Cryptology II, Digital Signatures, 8 April, 2009 25
Security against generic attacks
An adaptive choice of a specialised attack algorithm implies that the attackdepends on the description of the hash function and not the family H.
Often, it is advantageous to consider only generic attacks that depend onthe description of function family H and use only black-box access to thefunction h. Therefore, we can consider two oracles OHall
and OH.
If H is pseudorandom function family then for any generic attack, we cansubstitute H with the Hall and the success decreases marginally.
Theorem. Security in the random oracle model implies security againstgeneric attacks if H is a pseudorandom function family.
ā² The assumption that attackers use only generic attacks is subjective.
ā² Such an assumption are not universal, i.e., there are settings where thisassumption is clearly irrational (various non-instantiability results).
MTAT.07.003 Cryptology II, Digital Signatures, 8 April, 2009 26
Why the random oracle argument truly fails?
All currently used hash functions are iterative
h(m1, . . . , mk) = f(Ā· Ā· Ā· f(f(iv, m1),m2), . . . , mk) .
Consequently, the class of generic attack Abb that treats h(Ā·) as a blackbox without internal structure is sub-optimal.
Instead, we should consider a wider class of attacks that treat f as a blackbox, but still try to exploit iterative structure of the hash function.
However, the corresponding black box adversaries Af(Ā·),h(Ā·) can distinguishH form Hall with high probability.
As a result, there might be a successful attack strategy Af(Ā·),h(Ā·) that worksfor all possible iterative hash functions, although the signature scheme issecure in the random oracle model.
MTAT.07.003 Cryptology II, Digital Signatures, 8 April, 2009 27