
Short Signatures Without Random Oracles




  1. Short Signatures Without Random Oracles
  Dan Boneh, Stanford University; Xavier Boyen, Voltage Security

  2. Secure Signatures (sUF-CMA)
  • Model: Challenger (C) vs. adversary (A)
  • Setup: C computes (PK, SK) ← KeyGen and gives PK to A
  • Queries, for i = 1, …, q: A chooses a message M_i; C returns the signature S_i ← Sign(SK; M_i)
  • Forgery: A outputs a new pair (M*, S*) ≠ (M_i, S_i) and wins if Verify(PK; M*, S*) = valid
  • "Strong" existential unforgeability: A cannot even forge new signatures on the queried M_i [GMR88, ADR02]

  3. Constructing Secure Sigs w/o RO
  • (Random Oracles: very convenient, not quite realistic)
  • Most practical RO-free sigs to date [GHR99, CS00] are based on Strong-RSA…
  • Strong-RSA problem:
    • Given: (N, g) where N = pq and g ∈ (Z/NZ)*
    • Find: (c, s) where s = g^{1/c}
  • Useful because given (N, g) we can construct (N', g') with q known solutions (c_i, s_i) s.t. any new solution (c*, s*) gives a solution to the original instance.

  4. Strong Diffie-Hellman Assumption
  • Strong-RSA: g → (c, s) s.t. s^c = g (mod N)
  • Relies on the "unknown" order φ(N) of the group…
  • Can we do this in a group G of known order p?
  • Ideally, use blinding: g, g^x → (c, s) s.t. s^{x+c} = g
  • Technicality: must reveal q powers to be useful:
  • q-SDH: g, g^x, …, g^{(x^q)} → (c, s) s.t. s^{x+c} = g
  • Also, a weaker assumption when c is fixed [MSK02]:
  • q-DHI: g, g^x, …, g^{(x^q)}, c → s s.t. s^{x+c} = g (equivalently: g, g^x, …, g^{(x^q)} → s s.t. s^x = g)

  5. Verifying the SDH Condition
  • q-SDH: g, g^x, …, g^{(x^q)} → (c, s) s.t. s^{x+c} = g
  • Given (g, g^x, …, g^{(x^q)}, c, s), can we check s^{x+c} = g without revealing x?
  • Use a "bilinear pairing" in the group G
  • Given g, X, c, s where X = g^x
  • Test whether e(s, X g^c) = e(g, g). Indeed, e(s, X g^c) = e(g^{1/(x+c)}, g^x g^c) = e(g, g)^{(x+c)/(x+c)} = e(g, g)

  6. Bilinear Pairings
  • G, G1: finite cyclic groups of prime order p
  • Def: an admissible bilinear map e : G × G → G1 is:
    • Bilinear: e(g^a, g^b) = e(g, g)^{ab} for all a, b ∈ Z, g ∈ G
    • Non-degenerate: g generates G ⇒ e(g, g) generates G1
    • Efficiently computable
  • (Or, more generally, e : G × G' → G1 with an isomorphism ψ : G' → G)
  • Currently: known examples from algebraic geometry where discrete log is believed to be hard.

  7. Properties of SDH Groups
  • Already have computational one-wayness:
    • SDH hardness: given g, g^x, …, g^{(x^q)}, can't find (c, g^{1/(x+c)})
    • SDH verifiability: G has a bilinear map
  • Now, the key property [MSK02]: given any q-SDH instance g, g^x, …, g^{(x^q)} (for unknown x), we can construct a new instance h, h^x, …, h^{(x^q)}
    • with q-1 known SDH solutions (c_i, s_i) s.t. s_i^{x+c_i} = h for chosen c_i,
    • where any new solution (c*, s*) reveals a solution to the original instance.

  8. Adaptive Attacks?
  • q-SDH already gives a UF signature scheme secure against non-adaptive CMA… (Why? If the simulator knows the query messages in advance, it can choose the c_i to match them.)
  • Need a way to adaptively map the query messages M_i to the c_i after we have committed to them… Solution: randomized signatures…

  9. Secure SDH Signature Scheme
  • KeyGen: pick g ∈ G* and x, y ∈ (Z/pZ)*; the public key is PK = (g, X, Y) = (g, g^x, g^y), the private key is SK = (x, y)
  • Sign: on message m ∈ Z/pZ, pick r ∈ Z/pZ; the signature is (r, s) = (r, g^{1/(x + yr + m)})
  • Verify: on message m and signature (r, s), check that e(s, X Y^r g^m) = e(g, g)
  • 0 pairings to sign, 1 pairing to verify, only 320 bits…

  10. Security Theorem
  …And, provably secure w/o assuming Random Oracles!
  • IF there is an algorithm that breaks the signature scheme, i.e., forges a message/signature (m, r, s), making q-1 queries, in time t, with probability ε,
  • THEN there is an efficient algorithm that solves the q-SDH problem in time t with probability ε/2.

  11. Proof (I)
  • Construct a reduction algorithm that simulates the challenger in a sUF-CMA attack, and uses the adversary's forgery to solve the given q-SDH instance…
  [Diagram: the q-SDH instance is handed to the reduction algorithm, which plays the (simulated) challenger in the sUF-CMA game against the adversary and outputs the q-SDH solution]

  12. Proof (II)
  • Given q-SDH instance g, g^x, …, g^{(x^q)} (for unknown x)
  • Setup
    • Construct a new instance h, h^x, …, h^{(x^q)} with q-1 known solutions (c_i, s_i) for random c_i
    • Pick random y and publish PK = (h, X, Y) = (h, h^x, h^y)
  • Simulation
    • Given signing query message m_i ∈ Z/pZ
    • Set r_i = (c_i - m_i)/y and return the signature (r_i, s_i)
  • Reduction
    • Given forgery (m*, r*, s*)
    • Get new SDH solution (c*, s*) where c* = m* + y r*, provided that c* ∉ {c_1, …, c_q}

  13. Proof (III)
  • Q: What if c* = m* + y r* is one of the c_1, …, c_q?
  • A: Pretend we know x instead of y!
  • Thus, assume we are given the SDH instance g, g^y, …, g^{(y^q)}
  • Setup
    • Make h, h^y, …, h^{(y^q)} with solutions (c_i, s_i) s.t. s_i^{y+c_i} = h
    • Pick random x and publish PK = (h, X, Y) = (h, h^x, h^y)
  • Simulation
    • On query m_i, set r_i = (x + m_i)/c_i and return the signature (r_i, s_i^{1/r_i})
    • Valid since (s_i^{1/r_i})^{x + y r_i + m_i} = s_i^{y + (x + m_i)/r_i} = s_i^{y + c_i} = h
  • Reduction
    • From (m*, r*, s*), get the SDH solution (c* = (x + m*)/r*, s*)

  14. Proof (IV) • Any valid forgery (m*, r*, s*) will give a new q-SDH solution under at least one of the 2 above reductions. • Since the simulations are perfect, the adversary cannot guess which reduction the simulator is using. • The simulator chooses one at random before starting.
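The following is an added worked example, not code from the slides or from the authors. It checks the algebra of slides 5, 9, 12 and 14 in an "exponent model": every group element g^a is stored as the integer a mod p, so multiplication in G is addition of exponents and the pairing e(g^a, g^b) is the product ab. The prime p, the message values, the function names (`keygen`, `sign`, `verify`, `reduction`, `toy_forger`) and the polynomial helpers are all assumptions of this example. Because nothing hides x or y in this model, the `toy_forger` that stands in for the adversary simply reads the secret key off the public key; that is what makes the demonstration runnable, and also why this is a model of the proof rather than a signature scheme. The reduction implements only the Proof (II) branch (c* not among the c_i); the Proof (III) branch is symmetric with the roles of x and y swapped and is left out here.

```python
"""Added example (not part of the slides): exponent-model check of the SDH
signature scheme (slide 9), the pairing check of slide 5 and the Proof (II)
reduction of slides 12 and 14.  Every group element g^a is stored as a mod p,
so g^a * g^b is a+b, (g^a)^k is a*k and e(g^a, g^b) = e(g,g)^{ab} is a*b.
Nothing here hides x or y: this checks the proof's algebra, it is not a scheme.
"""
import secrets

p = 1_000_000_007                        # constructed prime: the group order
G = 1                                    # the generator g (i.e. g^1)

def inv(a):     return pow(a % p, -1, p)
def gmul(a, b): return (a + b) % p       # g^a * g^b
def gpow(a, k): return (a * k) % p       # (g^a)^k
def pair(a, b): return (a * b) % p       # e(g^a, g^b) = e(g, g)^{ab}

# ---- the scheme of slide 9 ----
def keygen():
    x, y = secrets.randbelow(p - 1) + 1, secrets.randbelow(p - 1) + 1
    return (G, gpow(G, x), gpow(G, y)), (x, y)        # PK = (g, g^x, g^y), SK = (x, y)

def sign(sk, m):
    x, y = sk
    while True:
        r = secrets.randbelow(p)
        d = (x + y * r + m) % p
        if d:                                          # x + y r + m must be invertible
            return r, gpow(G, inv(d))                  # s = g^{1/(x + y r + m)}

def verify(pk, m, sig):
    g, X, Y = pk
    r, s = sig                                         # e(s, X Y^r g^m) == e(g, g) ?
    return pair(s, gmul(gmul(X, gpow(Y, r)), gpow(g, m))) == pair(g, g)

# ---- polynomial helpers for the [MSK02] instance re-randomisation (slide 7) ----
def poly_mul(a, b):                      # coefficient lists, lowest degree first
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % p
    return out

def poly_div_linear(f, c):
    """Synthetic division: f(X) = (X + c) Q(X) + f(-c); returns (Q, f(-c))."""
    n = len(f) - 1
    Q, acc = [0] * n, f[n]
    for i in range(n - 1, -1, -1):
        Q[i], acc = acc, (f[i] - c * acc) % p
    return Q, acc

def exp_poly(pw, f):
    """g^{f(x)} from pw = [g, g^x, ..., g^{x^q}] using group operations only."""
    acc = 0                                            # the identity element g^0
    for coef, power in zip(f, pw):
        acc = gmul(acc, gpow(power, coef))
    return acc

def sdh_instance(x, q):                  # constructed challenge g, g^x, ..., g^{x^q}
    return [gpow(G, pow(x, i, p)) for i in range(q + 1)]

def is_sdh_solution(pw, c, w):           # slide 5: e(w, g^x g^c) == e(g, g) ?
    return pair(w, gmul(pw[1], gpow(pw[0], c))) == pair(pw[0], pw[0])

# ---- Proof (II): simulate the challenger, turn the forgery into an SDH solution ----
def reduction(pw, q, forger):
    cs = [secrets.randbelow(p - 1) + 1 for _ in range(q - 1)]
    f = [1]
    for c in cs:
        f = poly_mul(f, [c, 1])                        # f(X) = prod (X + c_i), degree q-1
    h = exp_poly(pw, f)                                # h = g^{f(x)}
    y = secrets.randbelow(p - 1) + 1
    pk = (h, exp_poly(pw, [0] + f), gpow(h, y))       # (h, h^x, h^y); h^x needs g^{x^q}
    answered = []
    def sign_oracle(m):                                # query i is answered with c_i
        c = cs[len(answered)]
        s = exp_poly(pw, poly_div_linear(f, c)[0])     # s_i = g^{f(x)/(x+c_i)} = h^{1/(x+c_i)}
        r = (c - m) * inv(y) % p                       # r_i = (c_i - m_i)/y
        answered.append((m, r, s))
        return r, s
    m_s, r_s, s_s = forger(pk, sign_oracle)
    if (m_s, r_s, s_s) in answered or not verify(pk, m_s, (r_s, s_s)):
        raise ValueError("not a valid forgery")
    c_s = (m_s + y * r_s) % p                          # s* = h^{1/(x+c*)} = g^{f(x)/(x+c*)}
    Q, rem = poly_div_linear(f, c_s)                   # f(x)/(x+c*) = Q(x) + rem/(x+c*)
    if rem == 0:                                       # c* is one of the c_i: slide 13's case
        raise ValueError("use the Proof (III) reduction")
    w = gpow(gmul(s_s, (p - exp_poly(pw, Q)) % p), inv(rem))   # (s* / g^{Q(x)})^{1/rem}
    return c_s, w                                      # w = g^{1/(x+c*)}, a fresh solution

def toy_forger(pk, sign_oracle):
    """Stands in for the adversary; it works only in this exponent model, where
    x and y can be read straight off the public key."""
    h, X, Y = pk
    x, y = X * inv(h) % p, Y * inv(h) % p
    assert verify(pk, 42, sign_oracle(42))             # one chosen-message query
    m_star = 4242                                      # a message that was never queried
    while True:
        r = secrets.randbelow(p)
        d = (x + y * r + m_star) % p
        if d:
            return m_star, r, gpow(h, inv(d))

if __name__ == "__main__":
    pw = sdh_instance(123456789, 5)                    # 5-SDH instance with known x
    c, w = reduction(pw, 5, toy_forger)
    print("fresh SDH solution extracted:", is_sdh_solution(pw, c, w))
```

The point to take from running it is the one slide 14 makes: the simulated signatures returned by `sign_oracle` pass `verify` exactly like real ones (the forger cannot tell it is talking to a reduction), and the forgery is converted into g^{1/(x+c*)} using only the powers g, g^x, …, g^{x^q} and never x itself, which is why the degree-q polynomial f·X forces the instance to contain q powers.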

  15. Relation to Chameleon Hash Sigs
  • "Strong-RSA" Chameleon Hash Sigs [GHR99, CS00]: (r, s) where s = g^{1/c} (mod N) and c = H(m, r); the chameleon hash H is "programmed" by r to hit the target c
  • Difficulty: some Strong-RSA solutions imply others, e.g. from (6, g^{1/6}) we find (3, g^{1/3}) = (6/2, (g^{1/6})^2)
  • "Strong-DH" signatures are much more efficient:
    • Programmability is built in (no need for a special H)
    • SDH solutions are all "primitive" (no need for prime c)
    • Much shorter signatures, since SDH applies to groups with much smaller representations than RSA

  16. Extensions
  • Signing arbitrary messages: easy! Use a collision-resistant hash H : {0,1}* → (Z/pZ)*
  • Limited message recovery: the signature can encode a few bits of the message, further reducing bandwidth
  • Random oracle signatures:
    • As short as "BLS" [BLS01]: only ~170 bits
    • Twice as fast to verify: only 1 pairing instead of 2
    • And with a tight security reduction! (Related to [ZSNZ04] sigs, with a tighter reduction)