signature from one-way functions

Signature from One-way Functions

Cassius Puodzius

Technische Universitat Darmstadt

Mar. 12, 2012

Outline

Outline of the seminar

Motivation

Quick introduction to One-way functions

Attack model

One-time signatures

Lamport’s One-Time Signature Scheme

`-time signatures

Full-fledged one-time signature from length-restrictedone-time signature

Hash-and-sign paradigm

General signature scheme from one-time signature

Refreshing paradigmAuthentication-trees

Conclusions

Motivation

Security of Digital Signatures

Security assumptions:

Integer factorization: Rabin signature [2]

DLP: Modified ElGamal scheme [7]

RSA: RSA-PSS [3]

SVP: GPV [4]

or even:

k-wCDHP (k-weak Computational Diffie-Hellman Problem) [9]

k+1-IEP (k+1 inverse exponent problem) [1]

k+1-SRP (k + 1 Square Roots Problem) [8]

BISDHP (bilinear inverse-square Diffie-Hellman problem) [1]

Motivation

Goal

Obtain secure digital signatures solely based on the existence ofone-way functions


Idea


Definition

No probabilistic algorithm is able to find x given f (x) inpolynomial-time

Existence of OWF

No known OWF

Candidates: Factorization, Discrete Logarithm, MultivariatePolynomials, Learning with errors, ...

Attack model

Adaptive chosen-message attack

m /∈ m0,m1, . . . ,mN

Attack model

Existential Unforgeability

A signature scheme is secure (or unforgeable) if every feasiblechosen message attack succeeds with at most negligible probability[6]

Strong Existential Unforgeability

The forger is allowed to output mi ∈ m0,m1, . . . ,mN, howeverσ 6= σi .


G: Key Generation

signing-key:verification-key:


G: Key Generation

Given f : D → I a OWF

sk =( s0

1 ... s0`(n)

s11 ... s1

`(n)

) vk =

( v01 ... v0

`(n)

v11 ... v1

`(n)

)such that ∀i ∈ 1, ..., `(n) and ∀b ∈ 0, 1: sbi

$←− D and vbi = f (sbi )

sk : signing-key (secret)vk : verification-key (public)


S and V: Signature and Verification


S(sk ,m): Signature

For each bit mi of m ∈ 0, 1`(n):

σi =

s0i if mi = 0

s1i if mi = 1

V(pk ,m, σ): Verification

If for all i ∈ 1, ..., `(n):

vmii = f (σi )

then the signature is accepted. Otherwise it is rejected.

Drawback

Lamport is a length-restricted signature


Chosen one-message attack

The adversary can make at most one query to its Signing Oracle

Why one-time signature?

Choosing the messages 0`(n) and 1`(n) an attacker is able to signany further message m ∈ 0, 1`(n)


Proposition

Lamports OTS is unforgeable under a chosen one-message attackassuming that f is a OWF.

Depiction of proof


Proof - Setup

p$←− 0, . . . , `(n) , b

$←− 0, 1sk =

( s01 ... a0

p ... s0`(n)

s11 ... a1

p ... s1`(n)

) pk =

( v01 ... b0

p ... v0`(n)

v11 ... b1

p ... v1`(n)

)where s0

p , s1p = ⊥, s1−b

p and v 0p , v

1p = y , f (s1−b

p ).

Proof - Emulation of Signing Oracle

When F demands a signature on m′:

σ′ ←

⊥ if mp = b ⇒ Attack failed

Ss(m) if mp = 1− b


Proof - Inversion of OWF

If F outputs a forgery on mp and mp = b, then:

x ← σp|f (x) ≡ f (σp) = y

Proof - Probability of success

Pr [Inv(y)] ≥ Pr [Em. Signing Oracle]︸︷︷︸=1/2

∧Pr [F ← SUCESS]︸︷︷︸=ε

∧Pr [forgery on mp]︸︷︷︸≥1/`(n)

∧Pr [mp = b]︸︷︷︸=1/2

Pr [Inv(y)] ≥ ε

4 · `(n)⇒ non-negligible

Corollary (One-time signature)

Corollary

If there exists any one-way function then there existslength-restricted one-time signatures as well

`-time signatures

`-time signature from one-time signature

For any polynomial `:` one-time signature keys are generated and appended together togenerate

sk := (sk1, . . . , sk`) pk := (pk1, . . . , pk`)

`-time signatures


signing-key:verification-key:

`-time signatures


For i ≤ `

σi ← Signski (m)

The signature of m is (i , σi ).

Drawback

Stateful signature

Corollary (`-time signature)

Corollary

If there exists any one-way function then there existslength-restricted `-time signature as well


Hash-and-sign paradigm

hr : 0, 1∗ → 0, 1`r∈0,1∗ : collision-free hashing collection

Pro

Signature size depends only on the size of the signing-key


Key generation with G’

On input 1k

(s, v)← G (1k) r ← I (1k)G’ outputs ((r, s), (r, v))

Signature with S’

On input a signing-key (r, s) and m ∈ 0, 1∗

σ ← Ss(hr (m))

S’ outputs σ

Verification with V’

On input a verification-key (r, v), m ∈ 0, 1∗ and a signature σV’ outputs Vv (hr (m), σ)


Isn’t collision-free hashing collection a new assumption?

Yes, but it may be replaced by a collection of Universal One-WayHash Functions (UOWHF), which can be constructed using OWF[6].


Refreshing paradigm

(G, S, V): signature scheme - (G’, S’, V’): one-time signatureschemeRefreshing paradim → general signature scheme (G”, S”, V”),which has G”= G

Drawback

(G, S, V) is not a one-time signature scheme


Signing with S”

On input of a signing-key s and m ∈ 0, 1∗

(s ′, v ′) ← G ′(1k)

σ1 ← Ss(v ′)

σ2 ← S ′s′(m)

S”outputs (σ1, v′, σ2)

Verifying with V”

On input of a verifying-key v, m ∈ 0, 1∗ and (σ1, v′, σ2)

If Vv (v ′, σ1) = 1 and V ′v ′(m, σ2) the signature is accepted,otherwise rejected


Chain-Based signature


Chain-Based signature

On input of mi ∈ 0, 1∗:

(si+1, vi+1) ← G (1k)

σi ← Ssi (mi ||vi+1)

Add (mi , si+1, vi+1, σi ) to the current stateSignature: mj , vj+1, σjj=0

Chain-Based verification

On input of a verifying-key v0, mi ∈ 0, 1∗ and the signaturemj , vj+1, σjj=i

j=0:

Vrfyvj ((mj ||vi+1), σj)?= ACCEPTED ∀j ∈ 0, · · · , i


Tree-Based signature


Tree-Based signature

On input of m ∈ 0, 1N , let µi be the first i bits of m (prefix):If µi was never signed (while i <= N)

(sµi |0, vµi |0) ← G (1k)

(sµi |1, vµi |1) ← G (1k)

σi ← Ssi (vµi |0||vµi |1)

µi |0 ← sµi |0, vµi |0

µi |1 ← sµi |1, vµi |1µi ← Ssµi

(vµi |0||vµi |1)

σm ← Ssm(m)

Signature: (authµj︷︸︸︷

σj , vµj |0, vµj |1j=0, σm)


Chain-Based verification

On input of a verifying-key v0, m ∈ 0, 1N and the signature(authjj=0, σm):

Vrfyvµj(authµj+1)

?= ACCEPTED ∀j ∈ 0,N

Vrfyvm(σm)?= ACCEPTED


Proposition

If G is a strongly unforgeable signature under a one-timechosen-message attack, then a tree-based scheme G’ is stronglyunforgeable signature under an adaptive chosen-message attack

Depiction of proof


Emulation of Oracle: Case 1

Emulation of Oracle: Case 2


Proof - Setup

A′ is a probabilistic polynomial time adversary ⇒ t ← #[query]Ω(n) = (2 · poly(n) + 1)t ≥ #[(G ,S ,V )]

j$←− 1, · · · ,Ω(n)


Proof - Emulation of Signing Oracle (Case 1)

Node j is on the authentication path:

(sµj |0, vµj |0) ← G (1k)

(sµj |1, vµj |1) ← G (1k)

σj ← Ssj (vµj |0||vµj |1)[One-time Signing Oracle]

µi |0 ← sµi |0, vµi |0

µi |1 ← sµi |1, vµi |1µi ← Ssµi

(vµi |0||vµi |1)

Proof - Emulation of Signing Oracle (Case 2)

Node j is a leaf: σm ← Ss(m) [One-time Signing Oracle]


Proof - Forgery in (G, S, V)

If A′ outputs a forgery (m, σ, authm) and this forgery happens innode j , then:

(σf ,mf )←

(σµj , vµj+1) if j ∈ Authm

(σ,m) if j /∈ Authm

Proof - Probability of success

Pr [(σf ,mf )] ≥ Pr [A′ ← SUCESS]︸︷︷︸=ε

∧Pr [forgery on j ]︸︷︷︸≥1/Ω(n)

Pr [(σf ,mf )] ≥ ε

Ω(n)⇒ non-negligible

Corollary (General signature scheme from one-timesignature)

Corollary

If there exists any one-way function then there exists (stateful)general signature as well

General (stateless) signature scheme from one-timesignature

Stateless Signature

Use of PRF (which can be obtained from OWF [6]):

General (stateless) signature scheme from one-timesignature

Proposition

If (G, S, V) is a secure one-time signature scheme andfr : 0, 1∗ → 0, 1|r |r∈0,1∗ is a generalized pseudorandomfunction ensemble then (G’, S’, V’) constitutes a secure (general)signature scheme. [6]

Idea of the proof

Exponential growth of leaves → exponentially-vanishing probabilityof two signatures in the same leafDisregard two-times signatures → security proof similar to statefulscheme

Corollary (General signature scheme from one-timesignature)

Corollary

If there exists any one-way function then there exists a generalsignature as well

Conclusions

Theoretical Implication

If there exist any one-way function then there exist a generalsignature as well

Conclusions

So why RSA, DLP, SVP, ...?

Digital SignatureScheme Assumption S-key size (KB) Signature Size (KB)RSA-1024 RSA 0.62 0.13ECDSA DLP 0.08 0.32GPV SVP 6.12 13.18Merkle-tree OWF 41.3a 2.27

aFor 222 signatures[5]

The End

That’s it! Questions? Remarks?

References I

Sedat Akleylek, Baris Bulent Kirlar, Omer Sever, and ZalihaYuce.A new short signature scheme with random oracle frombilinear pairings.

Daniel J. Bernstein.Proving tight security for rabin/williams signatures.In In EUROCRYPT, 2008.

Johannes Bock.Rsa-pss - provably secure rsa signatures and theirimplementation v1.0.1, 2011.

Johannes Buchmann, Richard Lindner, Markus Ruckert, andMichael Schneider.Post-quantum cryptography: lattice signatures.Computing, 85(1-2):105–125, 2009.

References II

Luis Carlos and Luis Carlos Coronado Garcia.On the security and the efficiency of the merkle signaturescheme, 2005.

Oded Goldreich.Draft of chapter on signature schemes, 2003.

David Pointcheval and Jacques Stern.Security Proofs for Signature Schemes.In Ueli Maurer, editor, Advances in Cryptology - Proceedingsof EUROCRYPT ’96, volume 1070 of Lecture Notes inComputer Science, pages 387–398, Saragossa, Spain, 1996.Springer.

Fangguo Zhang, Xiaofeng Chen, Willy Susilo, and Yi Mu.A new short signature scheme without random oracles frombilinear pairings.In IN: VIETCRYPT 2006, LNCS 4341, pages 67–80, 2005.

References III

Fangguo Zhang, Reihaneh Safavi-naini, and Willy Susilo.Efficient verifiably encrypted signature and partially blindsignature from bilinear pairings, 2004.

signature from one-way functions

Technology

edged onetime signature

rabin signature

signature keys

signature signingkey

lengthrestricted signature

drawback stateful signature

signature v outputs

vericationkey r