Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)
Dan Boneh and Xavier Boyen, J. Cryptol. (2008) 21: 149–177
Presenter: Yu-Chi Chen
About this paper
• One of the authors, Dan Boneh, is a well-known researcher in applied cryptography.
• The preliminary version (Eurocrypt 2004) has 600+ citations; this paper is the full journal version (J. Cryptol.).
• His website: http://crypto.stanford.edu/~dabo/
Summary
• Part 1: Background of the security proof
• Part 2: Background of the security proof
• Part 3: BB-weakly secure short signature scheme with its security proof
• Part 4: BB-full short signature scheme with its security proof
• Part 5: (undecided)
Outline
• Introduction
• A simple signature scheme
• Security analysis
• Discussions
• Conclusions
Introduction
• Cryptographic scheme
• Security argument vs. security proof
• Before 2000 vs. after 2000.
• M. Bellare and P. Rogaway, "Random oracles are practical: a paradigm for designing efficient protocols", in Proceedings of the 1st ACM Conference on Computer and Communications Security, 1993. Cite: 2800+
ROM: Random oracle model
• The adversary submits its queries to the oracle.
• The oracle behaves like a function $H: \{0,1\}^* \to \{0,1\}^k$. Ex: $H(x) = y$.
• If the input $x$ has been queried before, the oracle returns the same value $y$ as before.
ROM
• If the input $x$ has never been queried, the oracle outputs a fresh random $y$.
• The output values are uniformly distributed over $\{0,1\}^k$.
Comments
• ROM vs. Standard model
  – Hardness assumptions
  – Attacks
  – Security goals
  – Efficiency
Comments
• Hardness assumptions:
  – The RSA problem (formal)
  – The variant RSA problem (informal)
  – The CDH problem (formal)
  – …
• Attacks
  – Chosen message attack
  – Adaptive chosen message attack
  – Weak chosen message attack
  – CPA, CCA, CCA-2, …
• Security goals
  – Existential unforgeability
  – Strong unforgeability
  – …
• Efficiency
  – Computation
  – Communication
  – …
Secure signature
• (BB-SS, page 3)
• KeyGen: outputs a random key pair (pk, sk).
• Sign: takes sk and a message M, then returns a signature σ.
• Verify: takes pk and a signed message (σ, M), then returns valid or invalid.
Secure signature (cont.)
• (BB-SS, page 4)
• The signature scheme is said to be correct if the following property is satisfied:
$$\Pr\big[\mathrm{Verify}(pk, M, \mathrm{Sign}(sk, M)) = \mathrm{valid} \;:\; (pk, sk) \leftarrow \mathrm{KeyGen}(),\ M \in \{0,1\}^*\big] = 1.$$
Signature scheme
• KeyGen: pick a generator $g \in G_1$ and a random secret exponent $x \in \mathbb{Z}_q^*$, and set $X := g^x$. With the bilinear map $e: G_1 \times G_1 \to G_2$ and the hash function $H: \{0,1\}^* \to G_1$, output $pk := \{g, X, e, H\}$ and $sk := x$.
• Sign(M): $Q := H(M)$, $\sigma := Q^x$.
• Verify(M, σ): check $e(g, \sigma) \stackrel{?}{=} e(X, H(M))$. (Correctness follows from bilinearity: $e(g, H(M)^x) = e(g^x, H(M)) = e(X, H(M))$.)
Existential unforgeability
• Existential unforgeability
  – Given $n$ valid signatures on messages $(M_1, \ldots, M_n)$, output a forged signature on some $M^*$ with $M^* \notin \{M_1, \ldots, M_n\}$.
• We construct a security game to model an attack that forges a signature existentially.
Roles
• A: the adversary
  – Break the scheme
  – Win this game
• C: the challenger
  – Solve a hard problem
  – Act as an oracle that responds to A's requests
Security game
• Setup
• Attack
• Forgery
[Diagram: Adversary and Challenger. Setup; Attack phase (Queries from the Adversary, Responses from the Challenger); Forgery sent from the Adversary to the Challenger; the Challenger then solves a hard problem.]
Computational Diffie-Hellman
• Given $g \in G_1$, $g^a$, $g^b$
• Compute $g^{ab}$
Security proof
• Setup: C receives a CDH instance $(g, g^a, g^b)$ with $g \in G_1$ and sets $X := g^a$, so the secret key is the unknown $a$. With $e: G_1 \times G_1 \to G_2$ and $H: \{0,1\}^* \to G_1$ (the random oracle, controlled by C), $pk := \{g, X, e, H\}$.
• C returns pk to A.
Security proof
• Setup
• Attack:
  – H queries.
  – Sign queries.
• Forgery
H queries.
• A can query $H(M_i)$.
• C maintains an H-table with entries $\langle M, Q, \alpha, c \rangle$.
• If $H(M_i)$ has been queried before, C returns the same $H(M_i)$ as before.
H queries.
• If not, C flips a coin $c_i \in \{0,1\}$ with $\Pr[c_i = 0] = 1/q_S$.
  – If $c_i = 0$, C picks $b_i \in \mathbb{Z}_q^*$ at random and returns $Q_i := (g^b)^{b_i}$.
  – If $c_i = 1$, C picks $\alpha_i \in \mathbb{Z}_q^*$ at random and returns $Q_i := g^{\alpha_i}$.
• Finally, C inserts $(M_i, Q_i, \alpha_i, c_i)$ into the H-table. (In the $c_i = 0$ case the stored exponent $\alpha_i$ is $b_i$; C needs it later to extract $g^{ab}$ from a forgery.)
Sign queries.
• A can query a signature on a message $M_i$. (If $M_i$ is not yet in the H-table, C first answers the H query for $M_i$ itself.)
• If $M_i$ maps to $c_i = 0$ in the H-table, C aborts and terminates.
• Otherwise C computes the signature $\sigma_i := X^{\alpha_i}$, where $\alpha_i$ is taken from the H-table.
  – $\sigma_i$ is a valid signature: $\sigma_i = (g^a)^{\alpha_i} = (g^{\alpha_i})^a = H(M_i)^a$, so $e(g, \sigma_i) = e(X, H(M_i))$.
Security proof
• Setup
• Attack
• Forgery:
Forgery
• A outputs a forged signature $\sigma^*$ on $M^*$.
• If $M^*$ does not map to $c^* = 0$ in the H-table, C aborts and terminates.
• Since the forgery is valid, $e(g, \sigma^*) = e(X, H(M^*))$ holds, i.e.
$$\sigma^* = H(M^*)^a = \big((g^b)^{b^*}\big)^a = (g^{ab})^{b^*}.$$
• C can therefore use A's forgery to solve the CDH problem:
$$g^{ab} = (\sigma^*)^{1/b^*}.$$
Security proof
• We conclude that C solves the CDH instance whenever A wins the game and C does not abort in the Attack and Forgery phases.
• Two events are as follows.
  – $E_1$: C does not abort in the Attack phase, i.e. during the Sign queries.
  – $E_2$: C does not abort in the Forgery phase.
• Thus we have:
  – The probability of A winning this game is $\varepsilon$.
  – The probability of C winning this game is $\varepsilon' = \varepsilon \cdot \Pr[E_1] \cdot \Pr[E_2]$, where $\Pr[E_1] \ge (1 - 1/q_S)^{q_S} \approx 1/e$ (all of the at most $q_S$ signed messages must have $c_i = 1$) and $\Pr[E_2] = 1/q_S$ (the forged message must have $c^* = 0$), so $\varepsilon' \approx \varepsilon / (e \cdot q_S)$.
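The following is an added example, not code from the paper or from the presenter, that runs the whole argument of these slides end to end: the lazily sampled random oracle from the ROM slides, the KeyGen/Sign/Verify of the "Signature scheme" slide, and the challenger C of the security proof (H-table, coin flips with $\Pr[c_i = 0] = 1/q_S$, the abort rules for Sign queries and for the forgery, and the extraction $g^{ab} = (\sigma^*)^{1/b^*}$). It assumes a constructed toy bilinear group: $G_1$ is the additive group $\mathbb{Z}_q$ with $g = 1$, so $g^k$ is stored as $k \bmod q$ and $e(g^u, g^v)$ is $uv \bmod q$. Discrete logs are free in that group, so it has no security at all; it is there only to exercise C's bookkeeping, and the "adversary" exploits the free discrete log to forge. The group order `Q`, the names `CDHSimulator`, `ideal_forger` and `run_reduction`, and the sample messages are all invented for the example.

```python
"""Constructed toy model (not the paper's code) of the slides' BLS-like scheme, the
random oracle, and the challenger C of the CDH reduction.  Assumption: G_1 is the
additive group Z_q with g = 1, so g^k is k mod q and e(g^u, g^v) = g_T^{uv} is
u*v mod q.  Discrete logs are free here, so this has NO security; it only
exercises C's bookkeeping (H-table, coin flips, aborts, extraction of g^{ab})."""
import secrets

Q = 1_000_003   # constructed toy group order q (a small prime)
g = 1           # generator of the toy G_1: the element g^k is represented by k mod q

def rand_exp():                 # uniform element of Z_q^*
    return secrets.randbelow(Q - 1) + 1

def gpow(h, k):                 # h^k in G_1
    return (h * k) % Q

def pair(u, v):                 # e(u, v): bilinear map G_1 x G_1 -> G_T (g_T^k is k mod q)
    return (u * v) % Q

class RandomOracle:
    """Lazily sampled H: {0,1}^* -> G_1; a fresh uniform element per new input, replayed after."""
    def __init__(self):
        self.table = {}

    def __call__(self, m):
        if m not in self.table:
            self.table[m] = gpow(g, rand_exp())
        return self.table[m]

def keygen():
    x = rand_exp()                              # sk = x in Z_q^*
    return {"g": g, "X": gpow(g, x)}, x         # pk = {g, X = g^x}

def sign(sk, H, m):
    return gpow(H(m), sk)                       # sigma = H(M)^x

def verify(pk, H, m, sigma):
    return pair(pk["g"], sigma) == pair(pk["X"], H(m))   # e(g, sigma) == e(X, H(M))

class CDHSimulator:
    """Challenger C: given (g, g^a, g^b) it answers A's H and Sign queries, programming
    H so that a forgery on a message with coin c* = 0 yields g^{ab}."""
    def __init__(self, ga, gb, q_s):
        self.ga, self.gb, self.q_s = ga, gb, q_s
        self.pk = {"g": g, "X": ga}      # X := g^a, so C never learns sk = a
        self.htable = {}                 # M -> (Q_i, alpha_i, c_i); alpha_i is b_i when c_i = 0
        self.aborted = False

    def H(self, m):
        if m not in self.htable:
            c = 0 if secrets.randbelow(self.q_s) == 0 else 1   # Pr[c_i = 0] = 1/q_S
            alpha = rand_exp()
            base = self.gb if c == 0 else g                     # Q_i = (g^b)^{b_i} or g^{alpha_i}
            self.htable[m] = (gpow(base, alpha), alpha, c)
        return self.htable[m][0]

    def sign(self, m):
        self.H(m)                                   # make sure M_i is in the H-table
        _, alpha, c = self.htable[m]
        if c == 0:                                  # ((g^b)^{b_i})^a would need a: abort
            self.aborted = True
            return None
        return gpow(self.ga, alpha)                 # sigma_i = X^{alpha_i} = (g^{alpha_i})^a

    def extract(self, m_star, sigma_star):
        self.H(m_star)
        _, b_star, c = self.htable[m_star]
        if c != 0 or not verify(self.pk, self.H, m_star, sigma_star):
            self.aborted = True
            return None
        # sigma* = H(M*)^a = ((g^b)^{b*})^a = (g^{ab})^{b*}  =>  g^{ab} = (sigma*)^{1/b*}
        return gpow(sigma_star, pow(b_star, Q - 2, Q))   # 1/b* mod q via Fermat

def ideal_forger(sim, q_s):
    """Constructed adversary A: DL is free in the toy group, so it reads a off X and
    signs honestly, but it still makes q_S Sign queries through C before forging."""
    a = sim.pk["X"]                                 # discrete log of X = g^a (toy only)
    for i in range(q_s):
        if sim.sign(b"msg-%d" % i) is None:
            return None                             # C aborted in the Attack phase
    m_star = b"forged-target"
    return m_star, gpow(sim.H(m_star), a)

def run_reduction(q_s=8, trials=500):
    """Plays the game `trials` times on fresh simulators for one CDH instance; returns
    (successes, trials, ok), ok being False if a non-aborted run output a wrong g^{ab}."""
    a, b = rand_exp(), rand_exp()
    target = gpow(g, a * b)                         # the g^{ab} that C must output
    successes = 0
    for _ in range(trials):
        sim = CDHSimulator(gpow(g, a), gpow(g, b), q_s)
        out = ideal_forger(sim, q_s)
        res = sim.extract(*out) if out else None
        if res is None:
            continue                                # E1 or E2 failed: C aborted this run
        if res != target:
            return successes, trials, False
        successes += 1
    return successes, trials, True                  # roughly (1 - 1/q_S)^q_S / q_S of the trials
```

Running `run_reduction()` shows the two sides of the argument at once: every run in which C does not abort yields exactly $g^{ab}$, and the fraction of non-aborted runs sits near $(1 - 1/q_S)^{q_S} / q_S$, which is the $\Pr[E_1] \cdot \Pr[E_2]$ loss of the reduction. Swapping the toy group for a real pairing group would leave `CDHSimulator` unchanged, since C only ever exponentiates the instance elements $g$, $g^a$, $g^b$ and never uses a discrete log.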
A new assumption
• According to the above proof, we can obtain a new assumption.
• Given $g \in G_1$, $g^a$, $\{g^{b_1}, \ldots, g^{b_k}\}$ and $\{g^{ab_1}, \ldots, g^{ab_k}\}$
• Find a pair $\{g^{b^*}, g^{ab^*}\}$ where $b^* \notin \{b_1, \ldots, b_k\}$.
Conclusions
• We give a simple signature scheme to introduce the security proof.