Realizing Hash and Sign Signatures under Standard Assumptions

Susan Hohenberger (Johns Hopkins)
Brent Waters (UT Austin)

Digital Signatures

When, in the course of…
1adh84naf89hq32nvsd8p uwqhevhphvdfp9ufew7u2 rasdfohaqsedhfdasjf;

1976 Diffie-Hellman: dream of digital signatures
1978 Rivest-Shamir-Adleman: first implementation

Signatures Today

Two classes:

Tree-Based Signatures
-- [GMR85, G86, M89, DN89, BM90, NY94, R90, CD95, CD96, ...]

“Hash-and-Sign” Signatures
-- [RSA78, E84, S91, O92, BR93, PS96, GHR99, CS00, CL01, BLS04, BB04, CL04, W05, GJKW07, GPV08, ...]
-- what practitioners expect
-- short signatures and short public keys

Focus on “Hash-and-Sign”

Again, most things fall into two classes:

Random Oracle Model
-- RSA [RSA78]
-- Discrete logarithm [E84, S91]
-- Lattices [GPV08]

Strong Assumptions
-- Strong RSA [GHR99, CS00]
-- q-Strong Diffie-Hellman [BB04]
-- LRSW [CL04]

Our goal: Hash-and-sign from standard assumptions in the standard model.

Strong Assumptions

RSA: Given (N, y, e), find the x s.t. y = x^e mod N.
Strong RSA: Given (N, y), find any (x, e) s.t. e > 1 and y = x^e mod N.
Computational Diffie-Hellman: Given (g, g^a, g^b), find g^{ab}.
q-Strong Diffie-Hellman: Given (g, g^a, g^{a^2}, ..., g^{a^q}), find any (c, g^{1/(a+c)}) s.t. c > 0.

One Anomaly

Waters Signatures [W05]
+ Short (signature = 2 group elements)
+ Stateless
+ Standard Model
+ Secure under CDH assumption
- Public Key requires O(k) group elements, where k is a sec. parameter

Prior and New Contributions

Short signatures from standard assumptions.

         Assump.   PK Size   Sig Size   Stateless?
W’05     CDH       O(k)      2          yes
HW’09    RSA       O(1)      3          no
HW’09    CDH       8         4          no

Let k be the security parameter. Size in group elements (roughly).

Design from RSA

RSA: Given (N, y, e), find the x s.t. x^e = y mod N.
Different exponent per signature [GHR, CS]
For ith signature:
• e_i = random
• e_i = F(m_i)

Problem: In proof, how can we force adversary to forge with exponent e?
Space of e_i's is exponential ⇒ Strong RSA
If it was polynomial, we’d be all set.

Design from RSA

RSA: Given (N, y, e), find the x s.t. x^e = y mod N.

Different exponent per signature [GHR, CS]
For ith signature:
• e_i = random
• e_i = F(m_i)
• e_i = F(i)      Sign(SK, i, m)

What if adversary forges on state i = 2^{163}?

Problem: In proof, how can we force adversary to forge with exponent e?

New Strategy

Problem: must bound i in adversary’s forgery.
New Idea: sign (m, i) and ⌈lg(i)⌉
Let x = # signatures issued

Type I: using state i* > 2^{lg(x)}.
Adversary must forge sig on ⌈lg(i*)⌉
For security parameter 2K, only K distinct ⌈lg(i)⌉

Type II: using state i* <= 2^{lg(x)}.
i* must come from polynomial range 1 to 2^{lg(x)}!
…But signer might need to sign with i* (solve with ChamHash).

Chameleon Hash

Formalized by Krawczyk and Rabin in 2000.

H(m, r)
1. Collision-resistant, i.e., hard to find (m, r) != (m’, r’) s.t. H(m, r) = H(m’, r’).
2. With trapdoor, given any y and m, can find r s.t. H(m, r) = y.

DL and RSA realizations exist.

Construction

PK = (N, u, h, v, F, ChamHash), where F maps to primes.

Sign(SK, i, m)
• e = F(i).
• Choose r, x = ChamHash(m, r).
• s1 = (u^x h)^{1/e} mod N
• s2 = lg(i)th square root of v mod N
(Can “squish” s1, s2.)
Sig = (s1, s2, r, i).

Proof idea:
Type I: forgery i is “big” ⇒ square roots ⇒ factor N.
Type II: forgery i is “small” ⇒ simulator can guess i ⇒ F(i) = e from RSA challenge .....

Computational DH -- Overview

VK = g, g^a, h, u, v, w ∈ G (bilinear) + ChamHash

Sign(SK, M, i) = (u^x h)^a (u^i v^{lg(i)} w)^t, g^t
x = ChamHash(M, r), t ∈ Z_p

• Sigs ~ Boneh-Boyen IBE keys
• Sign State; C.H. on master key
• No need to find primes!

Handling State

• Timer: State = Machine Time --- Careful!
• Do not roll back
• Always one tick
• Multiple Machines
• Coordinate??
• Machine k signs: i · n + k

Better not to have state

Our Contributions

Short signatures with short keys with state in the standard model from:
-- RSA
-- Computational DH

State = a counter of # of sigs issued.

Thank you

Background

A signature scheme is secure if for all ppt A, the following is negligible:

Full Definition [GMR88]
Pr[ (PK, SK) <- KeyGen(1^k), (m, s) <- A^{O_sk}(PK) : Verify(PK, m, s) = 1 and m not queried to signing oracle O_sk ].

Weak Definition [..., BB04]
Pr[ (m_1, ..., m_q) <- A(1^k), (PK, SK) <- KeyGen(1^k), s_i = Sign(SK, m_i), (m, s) <- A(PK, s_1, ..., s_q) : Verify(PK, m, s) = 1 and m not equal to m_1, ..., m_q ].

Theorem [..., ST01]: Weak Sig Scheme + Chameleon Hash = Full Sig Scheme.

Chameleon hashes exist under RSA, factoring and discrete log.

Digital Signatures

Algorithms
KeyGen(1^k) --> (PK, SK).
Sign(SK, m) --> s.
Verify(PK, m, s) --> 1/0.

Definition [GMR88]
A signature scheme is secure if for all ppt A, the following is negligible:
Pr[ (PK, SK) <- KeyGen(1^k), (m, s) <- A^{O_sk}(PK) : Verify(PK, m, s) = 1 and m not queried to signing oracle O_sk ].

Dear UT, Happy April! --John

Design from RSA

RSA: Given (N, y, e), find the x s.t. x^e = y mod N.

Signer will use different exponent for each sig.
For ith signature, perhaps e_i is chosen at random, or e_i is derived from the message m_i, or e_i is derived from the signer’s state i: Sign(SK, i, m).

Problem: In proof, how can we force adversary to forge with exponent e?

Construction #1

PK = (N, u, h, v, F, ChamHash), where F maps to primes.

Sign(SK, i, m):
1. Increment i := i+1.
2. Compute e = F(i).
3. Choose random r, compute x = ChamHash(m, r).
4. Compute s1 = (u^x h)^{1/e} mod N, s2 = lg(i)th square root of v mod N.
5. Output signature (s1, s2, r, i).

Verify(PK, m, s): straightforward.

New Strategy

Problem: must bound i in adversary’s forgery.
New Idea: sign (m, i) and ⌈lg(i)⌉.
Let x = # signatures
Type I: using state i* > 2^{lg(x)}.
Type II: using state i* <= 2^{lg(x)}.
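
Construction #1 and the Chameleon Hash slide, worked through on toy numbers. This is an added example, not the authors' code. Assumptions: the tiny safe primes and fixed u, h, v; the discrete-log chameleon hash; the hash-to-prime map `F`; taking the square-root count as ⌈lg(i)⌉; the state bound in `verify`; and the two verification equations (the slides only call Verify "straightforward").

```python
import hashlib, secrets

# Toy parameters constructed for this example; far too small to be secure.
P, Q = 1019, 1187                  # safe primes, both 3 mod 4 (N is a Blum integer)
N, PHI = P * Q, (P - 1) * (Q - 1)  # PHI is known only to the signer
U, H, V = 2, 3, 49                 # public u, h, and a quadratic residue v = 7^2
CP, CQ, CG = 2039, 1019, 4         # ChamHash group: order-CQ subgroup of Z_CP*
T = secrets.randbelow(CQ - 1) + 1  # ChamHash trapdoor (signing never uses it)
Y = pow(CG, T, CP)

def hm(m):                         # message bytes -> exponent in Z_CQ
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % CQ

def cham_hash(m, r):               # discrete-log chameleon hash g^hm(m) * y^r
    return pow(CG, hm(m), CP) * pow(Y, r, CP) % CP

def cham_collide(m, r, m2):
    """With trapdoor T, return r2 such that cham_hash(m2, r2) == cham_hash(m, r)."""
    return (r + (hm(m) - hm(m2)) * pow(T, -1, CQ)) % CQ

def F(i):
    """Hypothetical public map from state i to an odd prime above 1024."""
    d = hashlib.sha256(b"F" + i.to_bytes(8, "big")).digest()
    e = 1025 + 2 * int.from_bytes(d[:2], "big")
    while any(e % k == 0 for k in range(3, int(e ** 0.5) + 1, 2)):
        e += 2
    return e

def lg_ceil(i):
    return (i - 1).bit_length()    # ceil(lg(i)) for i >= 1

def sign(i, m):
    i += 1                                               # 1. increment the state
    e = F(i)                                             # 2. per-signature prime
    r = secrets.randbelow(CQ)                            # 3. ChamHash randomness
    x = cham_hash(m, r)
    s1 = pow(pow(U, x, N) * H % N, pow(e, -1, PHI), N)   # 4. (u^x h)^(1/e) mod N
    half = pow(2, -1, PHI // 4)                          # squaring inverts on QR_N
    s2 = pow(V, pow(half, lg_ceil(i), PHI // 4), N)      #    repeated sqrt of v
    return (s1, s2, r, i)                                # 5. signature carries i

def verify(m, sig):
    s1, s2, r, i = sig
    if not 1 <= i < 2 ** 32:                             # example's own state bound
        return False
    x = cham_hash(m, r)
    return (pow(s1, F(i), N) == pow(U, x, N) * H % N
            and pow(s2, 2 ** lg_ceil(i), N) == V)
```

`cham_collide` is property 2 of the chameleon hash: whoever holds `T` can re-open an issued signature to a different message, so the trapdoor has to be protected like the signing key.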