# Realizing Hash and Sign Signatures under Standard Assumptions

```
Realizing Hash and Sign Signatures under Standard Assumptions
Susan Hohenberger, Johns Hopkins
Brent Waters, UT Austin
Digital Signatures
When, in the
course of…
1976 Diffie-Hellman: dream of digital signatures
Signatures Today
Two classes:
Tree-Based Signatures
-- [GMR85, G86, M89, DN89, BM90, NY94, R90, CD95, CD96, ...]
“Hash-and-Sign” Signatures
-- [RSA78, E84, S91, O92, BR93, PS96, GHR99, CS00, CL01,
BLS04, BB04, CL04, W05, GJKW07, GPV08, ...]
-- what practitioners expect
-- short signatures and short public keys
Focus on “Hash-and-Sign”
Again, most things fall into two classes:
Random Oracle Model
-- RSA [RSA78]
-- Discrete logarithm [E84,S91]
-- Lattices [GPV08]
Strong Assumptions
-- Strong RSA [GHR99, CS00]
-- q-Strong Diffie-Hellman [BB04]
-- LRSW [CL04]
Our goal: Hash-and-sign from standard
assumptions in the standard model.
Strong Assumptions
RSA
Given (N,y,e), find the x s.t. y = x^e mod N.
Strong RSA
Given (N,y), find any (x,e) s.t. e > 1 and y = x^e mod N.
Computational Diffie-Hellman
Given (g, g^a, g^b), find g^(ab).
q-Strong Diffie-Hellman
Given (g, g^a, g^(a^2), ..., g^(a^q)), find any (c, g^(1/(a+c))) s.t. c > 0.
One Anomaly
Waters Signatures [W05]
+ Short (signature = 2 group elements)
+ Stateless
+ Standard Model
+ Secure under CDH assumption
- Public Key requires O(k) group
elements, where k is a sec. parameter
Prior and New Contributions
Short signatures from standard assumptions.
Scheme   Assump.   PK Size   Sig Size   Stateless?
W’05     CDH       O(k)      2          yes
HW’09    RSA       O(1)      3          no
HW’09    CDH       8         4          no
Let k be the security parameter. Size in group elements (roughly).
Design from RSA
RSA: Given (N,y,e), find the x s.t. x^e = y mod N.
Different exponent per signature [GHR,CS]
For ith signature:
• e_i = random
• e_i = F(m_i)
Problem: In proof, how can we force adversary to
forge with exponent e?
Space of e_i's is exponential => Strong RSA
If it was polynomial, we’d be all set.
Sign(SK,
What
forges on state
i=2163?
New Strategy
Problem: must bound i in adversary’s forgery.
New Idea: sign (m, i) and ⌈lg(i)⌉
Let x = #signatures issued
Type I: using state i* > 2^lg(x).
Adversary must forge sig on ⌈lg(i*)⌉
For security parameter 2K, only K distinct ⌈lg(i)⌉
Type II: using state i* <= 2^lg(x).
i* must come from polynomial range 1 to 2^lg(x) !
…But signer might need to sign with i* (solve with ChamHash).
Chameleon Hash
Formalized by Krawczyk and Rabin in 2000.
H(m, r)
1. Collision-resistant
i.e., hard to find (m,r) != (m’,r’) s.t.
H(m,r) = H(m’,r’).
2. With trapdoor, given any y and m,
can find r s.t. H(m,r) = y
Exist DL, RSA realizations
Construction
PK = (N, u, h, v, F, ChamHash), where F maps to primes.
Sign(SK, i, m)
• e = F(i).
• Choose r, x = ChamHash(m,r).
• s1 = (u^x h)^(1/e) mod N
• s2 = lg(i)th square root of v mod N
Can “squish” s1, s2
Sig = (s1, s2, r, i).
Proof idea:
Type I: forgery i is “big” => square roots => factor N.
Type II: forgery i is “small” => simulator can guess i
=> F(i) = e from RSA challenge .....
Computational DH -- Overview
VK = g, g^a, h, u, v, w ∈ G (bilinear) + ChamHash
Sign(SK, M, i) = (u^x h)^a (u^i v^lg(i) w)^t, g^t
x = ChamHash(M,r), t ∈ Z_p
• Sigs ~ Boneh-Boyen IBE keys
•Sign State; C.H. on master key
• No need to find primes!
Handling State
•Timer: State = Machine Time --- Careful!
•Do not roll back
•Always one tick
•Multiple Machines
•Coordinate??
•Machine k signs: i · n + k
Better not to have state
Our Contributions
Short signatures with short keys with state
in the standard model from:
-- RSA
-- Computational DH
State = a counter of # of sigs issued.
Thank you
Background
A signature scheme is secure
if for all ppt A, the following is negligible:
Full Definition [GMR88]
Pr[ (PK,SK) <- KeyGen(1^k), (m,s) <- A^(O_sk)(PK) :
Verify(PK,m,s)=1 and
m not queried to signing oracle O_sk].
Chameleon hashes exist under RSA, factoring and discrete log.
Weak Definition [...,BB04]
Pr[ (m_1, ..., m_q) <- A(1^k), (PK,SK) <- KeyGen(1^k),
s_i = Sign(SK, m_i), (m,s) <- A(PK, s_1, ..., s_q) :
Verify(PK,m,s)=1 and m not equal to m_1, ..., m_q].
Theorem [...,ST01]: Weak Sig Scheme + Chameleon Hash = Full Sig Scheme.
Dear UT,
Happy
April!
--John
Construction #1
PK = (N, u, h, v, F, ChamHash), where F maps to primes.
Sign(SK, i, m):
1. Increment i := i+1.
2. Compute e = F(i).
3. Choose random r, compute x = ChamHash(m,r).
4. Compute s1 = (u^x h)^(1/e) mod N,
s2 = lg(i)th square root of v mod N.
5. Output signature (s1, s2, r, i).
Verify(PK, m, s): straightforward.
New Strategy
Problem: must bound i in adversary’s forgery.
New Idea: sign (m, i) and ⌈lg(i)⌉.
Let x = # signatures
Type I: using state i* > 2^lg(x).
Type II: using state i* <= 2^lg(x).
```
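
The signing steps of Construction #1 together with the trapdoor property from the Chameleon Hash slide, as a toy Python example added here (not the authors' code). Assumptions: the tiny fixed primes and the values of u, h, v; the stand-in `F` (the i-th odd prime); the discrete-log chameleon hash with a hard-coded trapdoor; and the verification equations, which the slides only call "straightforward".

```python
import hashlib, secrets

# Toy key material (constructed; far too small to be secure).
P, Q = 1019, 1187               # safe primes p = 2p'+1, q = 2q'+1
N, PHI = P * Q, (P - 1) * (Q - 1)
QR_ORDER = PHI // 4             # p'q', order of the squares mod N (secret)
U, H, V = 4, 9, 25              # public squares mod N; random in a real key
CP, CQ, CG = 2039, 1019, 4      # ChamHash group: CP = 2*CQ+1, CG has order CQ
TRAPDOOR = 777                  # ChamHash trapdoor; Sign and Verify never use it
CY = pow(CG, TRAPDOOR, CP)

def F(i):
    """Stand-in for F (assumption): the i-th odd prime 3, 5, 7, ..."""
    n, found = 1, 0
    while found < i:
        n += 2
        found += all(n % d for d in range(3, int(n ** 0.5) + 1, 2))
    return n

def digest(m):
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % CQ

def cham_hash(m, r):
    """Discrete-log chameleon hash: g^digest(m) * y^r mod CP."""
    return pow(CG, digest(m), CP) * pow(CY, r, CP) % CP

def collide(m, r, m2):
    """With the trapdoor, find r2 with cham_hash(m2, r2) == cham_hash(m, r)."""
    return (r + (digest(m) - digest(m2)) * pow(TRAPDOOR, -1, CQ)) % CQ

def sign(i, m, r=None):
    """Sign m under counter value i >= 1; the caller increments i per signature."""
    r = secrets.randbelow(CQ) if r is None else r
    e, x, s = F(i), cham_hash(m, r), (i - 1).bit_length()    # s = ceil(lg i)
    s1 = pow(pow(U, x, N) * H % N, pow(e, -1, PHI), N)       # e-th root mod N
    s2 = pow(V, pow(pow(2, s, QR_ORDER), -1, QR_ORDER), N)   # 2^s-th root of v
    return s1, s2, r, i

def verify(m, sig):
    """Assumed check: s1^F(i) == u^x * h and s2^(2^ceil(lg i)) == v (mod N)."""
    s1, s2, r, i = sig
    if i < 1:
        return False
    x, s = cham_hash(m, r), (i - 1).bit_length()
    return pow(s1, F(i), N) == pow(U, x, N) * H % N and pow(s2, 2 ** s, N) == V
```

`collide` shows why the proof's simulator can answer a signing query at a state it fixed in advance: whoever holds the trapdoor can reopen an already-fixed hash value x to any message, which is also why the trapdoor is never part of the signer's key.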