250 likes | 414 Views
Realizing Hash and Sign Signatures under Standard Assumptions. Susan Hohenberger Johns Hopkins. Brent Waters UT Austin. When, in the course of…. Digital Signatures. 1976 Diffie-Hellman: dream of digital signatures. Digital Signatures. When, in the course of….
E N D
Realizing Hash and Sign Signatures under Standard Assumptions Susan Hohenberger Johns Hopkins Brent Waters UT Austin
When, in the course of… Digital Signatures 1976 Diffie-Hellman: dream of digital signatures
Digital Signatures When, in the course of… 1adh84naf89hq32nvsd8puwqhevhphvdfp9ufew7u2rasdfohaqsedhfdasjf; 1976 Diffie-Hellman: dream of digital signatures 1978 Rivest-Shamir-Adleman: first implementation
Signatures Today Two classes: Tree-Based Signatures -- [GMR85, G86, M89, DN89, BM90, NY94, R90, CD95, CD96, ...] “Hash-and-Sign” Signatures -- [RSA78, E84, S91, O92, BR93, PS96, GHR99, CS00, CL01, BLS04, BB04, CL04, W05, GJKW07, GPV08, ...] -- what practioners expect -- short signatures and short public keys
Focus on ‘’Hash-and-Sign’’ Again, most things fall into two classes: Random Oracle Model -- RSA [RSA78] -- Discrete logarithm [E84,S91] -- Lattices [GPV08] Strong Assumptions -- Strong RSA [GHR99, CS00] -- q-Strong Diffie-Hellman [BB04] -- LRSW [CL04] Our goal: Hash-and-sign from standard assumptions in the standard model.
Strong Assumptions RSA Given (N,y,e), find the x s.t. y = xe mod N. Strong RSA Given (N,y), find any (x,e) s.t. e >1 and y = xe mod N.
Strong Assumptions RSA Given (N,y,e), find the x s.t. y = xe mod N. Strong RSA Given (N,y), find any (x,e) s.t. e >1 and y = xe mod N. Computational Diffie-Hellman Given (g, ga, gb), find gab. q-Strong Diffie-Hellman Given (g, ga, ga^2, ..., ga^q), find any (c, g1/(a+c)) s.t. c >0.
One Anomaly Waters Signatures [W05] + Short (signature = 2 group elements) + Stateless + Standard Model + Secure under CDH assumption - Public Key requires O(k) group elements, where k is a sec. parameter
Prior and New Contributions Short signatures from standard assumptions. Assump. PK Size Sig Size Stateless? CDH O(k) W’05 2 yes HW’09 RSA O(1) 3 no no 8 4 HW’09 CDH Let k be the security parameter. Size in group elements (roughly).
Design from RSA RSA: Given (N,y,e), find the x s.t. xe = y mod N. Different exponent per signature [GHR,CS] • For ith signature: • ei = random • ei = F(mi) Problem: In proof, how can we force adversary to forge with exponent e? • Space of ei‘s is exponential ) Strong RSA • If it was polynomial, we’d be all set.
Design from RSA RSA: Given (N,y,e), find the x s.t. xe = y mod N. Different exponent per signature [GHR,CS] • For ith signature: • ei = random • ei = F(mi) What if adversary forges on state i=2163? Sign(SK, i, m) • ei = F(i) Problem: In proof, how can we force adversary to forge with exponent e?
New Strategy Problem: must bound i in adversary’s forgery. New Idea:sign (m, i) and d lg(i) e • Let x = #signatures issued • Type I: using state i* > 2lg(x). • Type II: using state i* <= 2lg(x). • Adversary must forge sig on d lg(i*) e • For security parameter 2K, only K distinct d lg(i) e • i* must come from polynomial range 1 to 2lg(x) ! • …But signer might need to sign with i* (solve with ChamHash).
Chameleon Hash Formalized by Krawcyzk and Rabin in 2000. H(m, r) 1. Collision-resistant i.e., hard to find (m,r) != (m’,r’) s.t. H(m,r) = H(m’,r’). 2. With trapdoor, given any y and m, can find r s.t. H(m,r) = y Exist DL, RSA realizations
Construction PK = (N, u, h, v, F, ChamHash), where F maps to primes. • Sign(SK, i, m) • e = F(i). • Choose r, x = ChamHash(m,r). • s1 = (uxh)1/e mod N • s2 = lg(i)th square root of v mod N • Sig= (s1, s2, r, i). Can “squish” s1, s2 Proof idea: Type I: forgery i is “big” ) square roots ) factor N. • Type II: forgery i is “small” ) simulator can guess i • ) F(i) = e from RSA challenge .....
Computational DH -- Overview VK = g ,ga, h, u, v,w 2 G (bilinear) + ChamHash Sign(SK, M, i) = (ux h)a ( ui vlg(i) w)t, gt x = ChamHash(M,r) , t 2 Zp • Sigs ~ Boneh-Boyen IBE keys • Sign State; C.H. on master key • No need to find primes!
Handling State • Timer: State = Machine Time --- Careful! • Do not roll back • Always one tick • Multiple Machines • Coordinate?? • Machine k signs: i ¢ n +k Better not to have state
Our Contributions Short signatures with short keys with state in the standard model from: -- RSA -- Computational DH State = a counter of # of sigs issued.
Theorem [...,ST01]: Weak Sig Scheme + Chameleon Hash = Full Sig Scheme. Background • A signature scheme is secure • if for all ppt A, the following is negligible: • Full Definition [GMR88] • Pr[ (PK,SK) <- KeyGen(1k), (m,s) <- AOsk(PK) : • Verify(PK,m,s)=1 and • m not queried to signing oracle Osk]. • Weak Definition [...,BB04] • Pr[ (m1, ..., mq) <- A(1k), (PK,SK) <- KeyGen(1k), • si=Sign(SK, mi), (m,s) <- A(PK, s1, ..., sq) : • Verify(PK,m,s)=1 and m not equal to m1, ..., mq]. Chameleon hashes exist under RSA, factoring and discrete log.
Dear UT, Happy April! --John Digital Signatures Algorithms KeyGen(1k) --> (PK, SK). Sign(SK, m) --> s. Verify(PK, m, s) --> 1/0. • Definition [GMR88] • A signature scheme is secure • if for all ppt A, the following is negligible: • Pr[ (PK,SK) <- KeyGen(1k), (m,s) <- AOsk(PK) : • Verify(PK,m,s)=1 and • m not queried to signing oracle Osk].
When, in the course of… Digital Signatures Algorithms KeyGen(1k) --> (PK, SK). Sign(SK, m) --> s. Verify(PK, m, s) --> 1/0. 1976 Diffie-Hellman: dream of digital signatures
Digital Signatures When, in the course of… Algorithms KeyGen(1k) --> (PK, SK). Sign(SK, m) --> s. Verify(PK, m, s) --> 1/0. 1adh84naf89hq32nvsd8puwqhevhphvdfp9ufew7u2rasdfohaqsedhfdasjf; 1976 Diffie-Hellman: dream of digital signatures 1978 Rivest-Shamir-Adleman: first implementation
Design from RSA RSA: Given (N,y,e), find the x s.t. xe = y mod N. • Signer will use different exponent for each sig. • For ith signature, perhaps • ei is chosen at random, or • ei is derived from the message mi, • ei is derived from the signer’s state i. Sign(SK, i, m) Problem: In proof, how can we force adversary to forge with exponent e?
Construction #1 • PK = (N, u, h, v, F, ChamHash), where F maps to primes. • Sign(SK, i, m): • 1. Increment i := i+1. • 2. Compute e = F(i). • 3. Choose random r, compute x = ChamHash(m,r). • 4. Compute s1 = (uxh)1/e mod N, • s2 = lg(i)th square root of v mod N. • 5. Output signature (s1, s2, r, i). • Verify(PK, m, s): straightforward.
New Strategy Problem: must bound i in adversary’s forgery. New Idea:sign ( m, i ) and dlg(i)e. • Let x = # signatures • Type I: using state i* > 2lg(x). • Type II: using state i* <= 2lg(x).