Short Signatures Without Random Oracles
Dan Boneh, Stanford University
Xavier Boyen, Voltage Security
Secure Signatures (sUF-CMA)
• Model: Challenger (C) vs. adversary (A)
• Setup: C: $(PK, SK) \leftarrow \text{KeyGen}$, gives PK to A
• Queries, for $i = 1, \dots, q$: A chooses message $M_i$; C returns signature $S_i \leftarrow \text{Sign}(SK: M_i)$
• Forgery: A outputs a new pair $(M^*, S^*) \notin \{(M_i, S_i)\}$; wins if $\text{Verify}(PK: M^*, S^*) = \text{valid}$
• “Strong” Existential Unforgeability, for A cannot even forge new sigs on the $M_i$ [GMR88, ADR02]
Constructing Secure Sigs w/o RO
• (Random Oracles: very convenient, not quite realistic)
• Most practical RO-free sigs to date [GHR99, CS00] based on Strong-RSA…
• Strong-RSA problem:
  • Given: $(N, g)$ where $N = pq$ and $g \in (\mathbb{Z}/N\mathbb{Z})^*$
  • Find: $(c, s)$ where $s = g^{1/c}$
• Useful because given $(N, g)$ we can construct $(N', g')$ with q known solutions $(c_i, s_i)$ s.t. any new solution $(c^*, s^*)$ gives a solution to the original instance.
Strong Diffie-Hellman Assumption
• Strong-RSA: given $g$, find $(c, s)$ s.t. $s^c = g \pmod N$
• Relies on the “unknown” order $\varphi(N)$ of the group…
• Can we do this in a group G of known order p?
• Ideally, use blinding: given $g, g^x$, find $(c, s)$ s.t. $s^{x+c} = g$
• Technicality: must reveal q powers to be useful:
• q-SDH: given $g, g^x, \dots, g^{(x^q)}$, find $(c, s)$ s.t. $s^{x+c} = g$
• Also, weaker assumption when c is fixed [MSK02]:
• q-DHI: given $g, g^x, \dots, g^{(x^q)}, c$, find $s$ s.t. $s^{x+c} = g$; equivalently, given $g, g^x, \dots, g^{(x^q)}$, find $s$ s.t. $s^x = g$
Verifying the SDH Condition
• q-SDH: given $g, g^x, \dots, g^{(x^q)}$, find $(c, s)$ s.t. $s^{x+c} = g$
• Given $(g, g^x, \dots, g^{(x^q)}, c, s)$, can we check $s^{x+c} = g$ without revealing x?
• Use a “Bilinear Pairing” in the group G
• Given $g, X, c, s$ where $X = g^x$
• Test whether $e(s, X g^c) = e(g, g)$
• Indeed $e(s, X g^c) = e(g^{1/(x+c)}, g^x g^c) = e(g, g)^{(x+c)/(x+c)} = e(g, g)$
Bilinear Pairings
• $G, G_1$: finite cyclic groups of prime order p
• Def: an admissible bilinear map $e : G \times G \to G_1$ is:
  • Bilinear: $e(g^a, g^b) = e(g, g)^{ab}$ for all $a, b \in \mathbb{Z}$, $g \in G$
  • Non-degenerate: g generates G $\Rightarrow$ $e(g, g)$ generates $G_1$
  • Efficiently computable
  (Or, more generally, $e : G \times G' \to G_1$ with a map $G' \to G$)
• Currently: known examples from algebraic geometry where discrete log is believed to be hard.
Properties of SDH Groups
• Already have computational one-wayness:
  • SDH hardness: given $g, g^x, \dots, g^{(x^q)}$, can’t find $c, g^{1/(x+c)}$
  • SDH verifiability: G has a bilinear map
• Now, the key property [MSK02]: given any q-SDH instance $g, g^x, \dots, g^{(x^q)}$ (for unknown x), can construct a new instance $h, h^x, \dots, h^{(x^q)}$
  • With q−1 known SDH solutions $(c_i, s_i)$ s.t. $s_i^{x+c_i} = h$, for chosen $c_i$
  • Where any new solution $(c^*, s^*)$ reveals a solution to the original instance
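The instance re-randomization this slide relies on, together with the pairing check of the “Verifying the SDH Condition” slide, as an added example that is not part of the deck. It runs in a toy model in which every group element is stored as its discrete log modulo a constructed prime P, so the pairing becomes multiplication of exponents and the model has no security at all; its only purpose is to check the algebra. The point it shows, one step beyond the slide, is how the polynomial $f(X) = \prod_i (X + c_i)$ does the work: h, $h^x$ and the q−1 solutions are all computed from the given powers $g^{x^j}$ alone (through `combine`), and a new solution $(c^*, s^*)$ for h is turned back into $g^{1/(x+c^*)}$ by dividing f by $(X + c^*)$ with remainder. The function names, the constants P and Q, and the seed are my own choices.

```python
# Added example (not from the slides): the "key property" of SDH groups and
# the pairing check, in a toy exponent model.  A group element g^a is stored
# as the integer a mod P, so e(g^a, g^b) = e(g, g)^{ab} becomes exponent
# multiplication.  Discrete logs are visible, so there is no security here;
# the "simulator" only touches the instance through combine(), never x.
import random

P = 2**61 - 1   # prime group order (constructed for the example)
Q = 6           # the q of q-SDH (constructed)


def pairing(a, b):
    """Exponent of e(g^a, g^b) = e(g, g)^{ab}."""
    return a * b % P


def inv(a):
    return pow(a, P - 2, P)


def combine(coeffs, instance):
    """g^{f(x)} = prod_j (g^{x^j})^{f_j}: uses only the given powers
    instance[j] = g^{x^j} and the public coefficients f_j."""
    return sum(fj * gj for fj, gj in zip(coeffs, instance)) % P


def poly_mul(f, g):
    """Product of polynomials over Z/PZ (coefficient lists, lowest degree first)."""
    out = [0] * (len(f) + len(g) - 1)
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            out[i + j] = (out[i + j] + fi * gj) % P
    return out


def poly_div_linear(f, c):
    """Synthetic division: f(X) = (X + c) * q(X) + rem; returns (q, rem)."""
    r = (-c) % P
    n = len(f) - 1
    q = [0] * n
    q[n - 1] = f[n]
    for i in range(n - 1, 0, -1):
        q[i - 1] = (f[i] + r * q[i]) % P
    return q, (f[0] + r * q[0]) % P


def make_instance(x, q=Q):
    """The q-SDH instance g, g^x, ..., g^{x^q} (exponents 1, x, ..., x^q)."""
    return [pow(x, j, P) for j in range(q + 1)]


def rerandomize(instance, cs):
    """With f(X) = prod_i (X + c_i): h = g^{f(x)}, h^x = g^{x f(x)} and
    s_i = h^{1/(x+c_i)} = g^{f(x)/(x+c_i)} are polynomial expressions in x
    of degree <= q, so they follow from the instance without knowing x."""
    f = [1]
    for c in cs:
        f = poly_mul(f, [c, 1])
    h = combine(f, instance)
    hx = combine([0] + f, instance)       # coefficients of X * f(X)
    sols = []
    for c in cs:
        qc, rem = poly_div_linear(f, c)
        assert rem == 0                   # (X + c_i) divides f(X)
        sols.append((c, combine(qc, instance)))
    return h, hx, f, sols


def sdh_check(h, hx, c, s):
    """e(s, h^x h^c) == e(h, h)  <=>  s^{x+c} = h."""
    return pairing(s, (hx + c * h) % P) == pairing(h, h)


def extract(instance, f, c_star, s_star):
    """A new solution (c*, s*) for h gives one for g: f(X) = (X + c*) q(X) + rem
    with rem = f(-c*) != 0, so s* = g^{q(x)} g^{rem/(x+c*)} and
    g^{1/(x+c*)} = (s* / g^{q(x)})^{1/rem}."""
    qc, rem = poly_div_linear(f, c_star)
    assert rem != 0, "c* collides with one of the c_i"
    return (s_star - combine(qc, instance)) * inv(rem) % P


def demo(seed=1):
    """Returns (all known solutions verify, extracted solution verifies)."""
    rng = random.Random(seed)
    x = rng.randrange(1, P)                          # unknown to the simulator
    inst = make_instance(x)
    cs = [rng.randrange(1, P) for _ in range(Q - 1)]
    h, hx, f, sols = rerandomize(inst, cs)
    ok_known = all(sdh_check(h, hx, c, s) for c, s in sols)
    # A fresh solution for h with a new c*, computed with x here only as a
    # stand-in for whatever adversary produced it.
    c_star = rng.randrange(1, P)
    s_star = h * inv((x + c_star) % P) % P
    g_sol = extract(inst, f, c_star, s_star)
    ok_extracted = sdh_check(inst[0], inst[1], c_star, g_sol)
    return ok_known, ok_extracted


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(True, True)`: every prepared $(c_i, s_i)$ passes the pairing test against $(h, h^x)$, and the extracted element passes it against the original $(g, g^x)$. Note that `rerandomize` only needs $g^{x^j}$ up to degree q, which is exactly why the assumption has to reveal q powers.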
Adaptive Attacks?
• q-SDH already gives a UF signature scheme secure against non-adaptive CMA… (Why? If the simulator knows the query messages in advance, it can choose the $c_i$ to match them.)
• Need a way to adaptively map the query messages $M_i$ to the $c_i$ after we have committed to them… Solution: randomized signatures…
Secure SDH Signature Scheme
• Keygen: pick $g \in G^*$ and $x, y \in (\mathbb{Z}/p\mathbb{Z})^*$; the public key is $PK = (g, X, Y) = (g, g^x, g^y)$, the private key is $SK = (x, y)$
• Sign: on message $m \in \mathbb{Z}/p\mathbb{Z}$ pick $r \in \mathbb{Z}/p\mathbb{Z}$; the signature is $(r, s) = (r, g^{1/(x + yr + m)})$
• Verify: on message m and signature $(r, s)$ verify that $e(s, X Y^r g^m) = e(g, g)$
• 0 pairings to sign, 1 pairing to verify, only 320 bits…
Security Theorem
…And, provably secure w/o assuming Random Oracles!
• IF there is an algorithm that breaks the signature scheme, i.e., forges a message/signature $(m, r, s)$, making q−1 queries, in time t, with probability $\varepsilon$,
• THEN there is an efficient algorithm that solves the q-SDH problem in time t with probability $\varepsilon/2$.
Proof (I)
• Construct a reduction algorithm that simulates the challenger in a sUF-CMA attack, and uses the adversary’s forgery to solve the given q-SDH instance…
[Diagram: q-SDH algorithm: q-SDH instance → Reduction algorithm, which plays the sUF-CMA game as the (simulated) Challenger against the Adversary → q-SDH solution]
Proof (II)
• Given q-SDH instance $g, g^x, \dots, g^{(x^q)}$ (for unknown x)
• Setup
  • Construct new instance $h, h^x, \dots, h^{(x^q)}$ with q−1 known solutions $(c_i, s_i)$ for random $c_i$
  • Pick random y and publish $PK = (h, X, Y) = (h, h^x, h^y)$
• Simulation
  • Given signing query message $m_i \in \mathbb{Z}/p\mathbb{Z}$
  • Set $r_i = (c_i - m_i)/y$ and return the signature $(r_i, s_i)$
• Reduction
  • Given forgery $(m^*, r^*, s^*)$
  • Get new SDH solution $(c^*, s^*)$ where $c^* = m^* + y r^*$, provided that $c^* \notin \{c_1, \dots, c_q\}$
Proof (III)
• Q: What if $c^* = m^* + y r^*$ is one of the $c_1, \dots, c_q$?
• A: Pretend we know x instead of y!
• Thus, assume we are given SDH instance $g, g^y, \dots, g^{(y^q)}$
• Setup
  • Make $h, h^y, \dots, h^{(y^q)}$ with sols. $(c_i, s_i)$ s.t. $s_i^{y+c_i} = h$
  • Pick random x and publish $PK = (h, X, Y) = (h, h^x, h^y)$
• Simulation
  • On query $m_i$ set $r_i = (x + m_i)/c_i$; return sig $(r_i, s_i^{1/r_i})$
  • Valid since $(s_i^{1/r_i})^{x + y r_i + m_i} = s_i^{y + (x + m_i)/r_i} = s_i^{y + c_i} = h$
• Reduction
  • From $(m^*, r^*, s^*)$ get SDH sol. $(c^* = (x + m^*)/r^*,\ s^*)$
Proof (IV)
• Any valid forgery $(m^*, r^*, s^*)$ will give a new q-SDH solution under at least one of the 2 above reductions.
• Since the simulations are perfect, the adversary cannot guess which reduction the simulator is using.
• The simulator chooses one at random before starting.
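The signature scheme of the “Secure SDH Signature Scheme” slide and the two simulators of Proof (II) and Proof (III), as an added example that is not the authors’ code. It uses the same toy exponent model as before (a group element $g^a$ is stored as $a \bmod P$, the pairing is exponent multiplication, discrete logs are visible, so there is no security), and its purpose is to check three things the proof asserts: that the scheme verifies, that each simulator’s answers are valid signatures under the published key even though it lacks one of x, y, and that a forgery yields an SDH solution for the secret that simulator does not know. In the Proof (III) reduction the code raises $s^*$ to $r^*$ before the check, which is what the “Valid since” line on that slide implies. Two things are stand-ins: the known solutions $(c_i, s_i)$ are computed directly from the secret rather than by the re-randomization of the “Properties” slide, and the “forger” is simply `sign` with the real key, since a toy model cannot contain a real forger. The names `run`, `simulate_known_y`, `reduce_known_x` and so on, the constant P and the seed are my own choices.

```python
# Added example (not the authors' code): the SDH signature scheme plus the
# Proof (II) and Proof (III) simulators in a toy exponent model.  A group
# element g^a is stored as a mod P and e(g^a, g^b) = e(g, g)^{ab} becomes
# multiplication of exponents.  No security; it only checks the algebra.
import random

P = 2**61 - 1   # prime group order (constructed for the example)


def pairing(a, b):
    """Exponent of e(g^a, g^b) = e(g, g)^{ab}."""
    return a * b % P


def inv(a):
    return pow(a, P - 2, P)


def verify(pk, m, sig):
    """e(s, X Y^r g^m) == e(g, g), with g, X, Y and s as exponents."""
    g, X, Y = pk
    r, s = sig
    return pairing(s, (X + Y * r + g * m) % P) == pairing(g, g)


def sign(pk, sk, m, rng):
    """(r, g^{1/(x + y r + m)}); resample r if x + y r + m = 0 (no inverse)."""
    g, (x, y) = pk[0], sk
    while True:
        r = rng.randrange(P)
        d = (x + y * r + m) % P
        if d:
            return r, g * inv(d) % P


def known_solutions(h, secret, cs):
    """(c_i, h^{1/(secret + c_i)}).  Stand-in for the instance re-randomization
    of the "Properties of SDH Groups" slide, which yields these without the secret."""
    return [(c, h * inv((secret + c) % P) % P) for c in cs]


def simulate_known_y(h, x, y, cs, msgs):
    """Proof (II): the simulator knows y and answers query m_i with
    r_i = (c_i - m_i)/y, so that x + y r_i + m_i = x + c_i."""
    pk = (h, h * x % P, h * y % P)
    sigs = [((c - m) * inv(y) % P, s)
            for (c, s), m in zip(known_solutions(h, x, cs), msgs)]
    return pk, sigs


def reduce_known_y(y, cs, forgery):
    """c* = m* + y r*; then s*^{x + c*} = h, new unless c* is one of the c_i."""
    m, r, s = forgery
    c_star = (m + y * r) % P
    return None if c_star in cs else (c_star, s)


def simulate_known_x(h, x, y, cs, msgs):
    """Proof (III): the simulator knows x; r_i = (x + m_i)/c_i and the
    signature is (r_i, s_i^{1/r_i}), valid since x + y r_i + m_i = r_i (y + c_i)."""
    pk = (h, h * x % P, h * y % P)
    sigs = []
    for (c, s), m in zip(known_solutions(h, y, cs), msgs):
        r = (x + m) * inv(c) % P
        sigs.append((r, s * inv(r) % P))
    return pk, sigs


def reduce_known_x(x, forgery):
    """c* = (x + m*)/r*; raising s* to r* gives (s*^{r*})^{y + c*} = h."""
    m, r, s = forgery
    return (x + m) * inv(r) % P, s * r % P


def sdh_check(h, h_sec, c, s):
    """e(s, h^sec h^c) == e(h, h)  <=>  s^{sec + c} = h."""
    return pairing(s, (h_sec + c * h) % P) == pairing(h, h)


def run(seed=1, q=5):
    """Returns a dict of the five checks described above, all expected True."""
    rng = random.Random(seed)
    h, x, y = (rng.randrange(1, P) for _ in range(3))
    cs = [rng.randrange(1, P) for _ in range(q - 1)]    # q-1 signing queries
    msgs = [rng.randrange(P) for _ in range(q - 1)]
    m_star = rng.randrange(P)                            # message of the forgery
    out = {}
    # The scheme itself.
    pk, sk = (h, h * x % P, h * y % P), (x, y)
    sig = sign(pk, sk, msgs[0], rng)
    out["scheme"] = verify(pk, msgs[0], sig) and not verify(pk, m_star, sig)
    # Proof (II).  The "forger" is sign() with the real key: a stand-in.
    pk2, sigs2 = simulate_known_y(h, x, y, cs, msgs)
    out["sim_y"] = all(verify(pk2, m, s) for m, s in zip(msgs, sigs2))
    sol = reduce_known_y(y, cs, (m_star, *sign(pk2, sk, m_star, rng)))
    out["red_y"] = sol is not None and sdh_check(h, pk2[1], *sol)
    # Proof (III).
    pk3, sigs3 = simulate_known_x(h, x, y, cs, msgs)
    out["sim_x"] = all(verify(pk3, m, s) for m, s in zip(msgs, sigs3))
    c3, s3 = reduce_known_x(x, (m_star, *sign(pk3, sk, m_star, rng)))
    out["red_x"] = sdh_check(h, pk3[2], c3, s3)
    return out


if __name__ == "__main__":
    print(run())
```

`run()` returns all five flags as `True`. The two simulators publish keys of identical distribution, which is what Proof (IV) relies on: nothing in the transcript tells the adversary whether the reduction will succeed when $c^*$ is fresh (Proof II) or when it collides with some $c_i$ (Proof III).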
Relation to Chameleon Hash Sigs
• “Strong-RSA” Chameleon Hash Sigs [GHR99, CS00]: $(r, s)$ where $s = g^{1/c} \pmod N$ and $c = H(m, r)$; the Chameleon Hash H is “programmed” by r to hit the target c
• Difficulty: some Strong-RSA solutions imply others, e.g. from $(6, g^{1/6})$ we find $(3, g^{1/3}) = (6/2, (g^{1/6})^2)$
• “Strong-DH” Signatures are much more efficient:
  • Programmability is built in (no need for a special H)
  • SDH solutions are all “primitive” (no need for prime c)
  • Much shorter signatures, since SDH applies to groups with much smaller representations than RSA
Extensions
• Signing Arbitrary Messages: easy! Use a collision resistant hash $H : \{0,1\}^* \to (\mathbb{Z}/p\mathbb{Z})^*$
• Limited Message Recovery: the signature can encode a few bits of the message, further reducing bandwidth
• Random Oracle Signatures:
  • As short as “BLS” [BLS01], only ~170 bits
  • Twice as fast to verify, only 1 pairing instead of 2
  • And with a tight security reduction! (Related to [ZSNZ04] sigs, with tighter reduction)