Digital Signatures
Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung)
Digital Signatures 2020-03-31 1
Outline
Gennaro-Halevi-Rabin signatures
Chameleon hash functions
RSA signatures so far: issues
• Schemes so far: either inefficient, or only heuristic security (ROM)
• Goal (hard!): EUF-CMA-secure signature scheme based on RSA . . .
  – that is efficient (i.e., usable in practice)
  – whose security requires no random oracles.
• “Workaround”: Strong RSA assumption
Strong RSA assumption
RSA problem:
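• given $N$, $e$ and $y \leftarrow \mathbb{Z}_N$, find $x \in \mathbb{Z}_N$ with $x^e \equiv y \bmod N$.
RSA assumption:
• $\forall$ PPT $A$:
$$\Pr\left[\, N = P \cdot Q,\ e \leftarrow \mathbb{Z}^*_{\varphi(N)},\ y \leftarrow \mathbb{Z}_N,\ x \leftarrow A(1^k, N, e, y) \;:\; x^e \equiv y \bmod N \,\right]$$
is negligible in $k$.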
Strong RSA problem:
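• given $N$ and $y \leftarrow \mathbb{Z}_N$, find $x \in \mathbb{Z}_N$, $e > 1$ with $x^e \equiv y \bmod N$.
Strong RSA assumption:
• $\forall$ PPT $A$:
$$\Pr\left[\, N = P \cdot Q,\ y \leftarrow \mathbb{Z}_N,\ (x, e) \leftarrow A(1^k, N, y) \;:\; x^e \equiv y \bmod N \,\wedge\, e > 1 \,\right]$$
is negligible in $k$.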
Strong RSA: naming
• Strong RSA assumption stronger assumption than RSA assumption
  – We give adversary more control, easier to win game
  – We assume that it’s still hard for adversary to win
• But: strong RSA problem easier than RSA problem
Strong RSA assumption ⇒ RSA assumption, converse implication not obvious at all
Gennaro-Halevi-Rabin signatures
Let $h : \{0,1\}^* \to \mathbb{P}$ be a hash function ($\mathbb{P}$ = primes)
Gen($1^k$):
• Choose $N = P \cdot Q$, $P, Q$ prime as with RSA
• $s \leftarrow \mathbb{Z}_N$
• We will assume $\forall m \in \{0,1\}^* : \gcd(h(m), \varphi(N)) = 1$
  – Can be enforced, e.g., by letting $h$ only output large primes
• $pk := (N, s, h)$
• $sk := (pk, \varphi(N)) = (pk, (P-1)(Q-1))$
Sign($sk$, $m$):
• $\sigma := s^{1/h(m)} \bmod N$
Vfy($pk$, $m$, $\sigma$): $\sigma^{h(m)} \stackrel{?}{\equiv} s \bmod N$
GHR signatures: security
Theorem 70: For every PPT $A$ that breaks the EUF-naCMA security of $\Sigma$ in time $t_A$ with success $\varepsilon_A$, there is a PPT $B$ that runs in time $t_B \approx t_A$ and which
• either breaks the collision-resistance of $h$ with success $\varepsilon_{\mathrm{coll}} \geq \varepsilon_A/2$,
• or solves the strong RSA problem with success $\varepsilon_{\mathrm{sRSA}} \geq \varepsilon_A/2$.
GHR signatures: proof
EUF-naCMA: Denote with $m_1, \dots, m_q$ the signature queries, and with $(m^*, \sigma^*)$ the forgery of $A$
Two possibilities:
• $E_0$: $A$ successful and there is an $m_i$ with $h(m_i) = h(m^*)$.
• $E_1$: $A$ successful and for all $i \in \{1, \dots, q\}$, we have $h(m_i) \neq h(m^*)$
Successful $A$ causes $E_0$ or $E_1$, hence
$$\varepsilon_A \leq \Pr[E_0] + \Pr[E_1] \;\Rightarrow\; \Pr[E_0] \geq \varepsilon_A/2 \ \text{ or } \ \Pr[E_1] \geq \varepsilon_A/2$$
GHR signatures: proof – event E0
$E_0$: There is an $m_i$ with $h(m_i) = h(m^*)$.
• $m_i$ and $m^*$ form an $h$-collision.
• Reduce to the collision-resistance of $h$.
• Reduction $B$ gets as input $h$, chooses $(pk, sk) \leftarrow$ Gen($1^k$), runs $A$, . . .
GHR signatures: proof – event E1
$E_1$: For all $i \in \{1, \dots, q\}$, we have $h(m_i) \neq h(m^*)$.
• Reduce to strong RSA assumption.
• Assume for contradiction: there is a PPT $A$ that breaks EUF-naCMA, . . .
• . . . construct $B$ that breaks strong RSA . . .
• $B$ gets as input $(N, y)$ and needs to find $(x, e)$ with
  – $e > 1$
  – $x^e \equiv y \bmod N$.
GHR signatures: sRSA reduction
Recall:
Gen($1^k$): $s \leftarrow \mathbb{Z}_N$, $pk := (N, s, h)$, $sk := (pk, \varphi(N))$
$\sigma = s^{1/h(m)} \bmod N$
• $B$ uses $(N, y)$ and sets up
$$s := y^{\prod_{i \in \{1,\dots,q\}} h(m_i)} \bmod N$$
($\gcd(h(m), \varphi(N)) = 1$ ensures that $s$ is “well-distributed”, i.e., uniform over $\mathbb{Z}_N$!)
• Signature for $m_j$:
$$\sigma_j := y^{\prod_{i \in \{1,\dots,q\} \setminus \{j\}} h(m_i)} \bmod N$$
GHR signatures: sRSA reduction – forgery
$E_1$ occurs: $A$ outputs valid forgery $(m^*, \sigma^*)$ with
• $h(m^*) \neq h(m_i)$ for all $i \in \{1, \dots, q\}$, and
• $(\sigma^*)^{h(m^*)} \equiv s \equiv y^{\prod_{i \in \{1,\dots,q\}} h(m_i)} \bmod N$
Additionally, we have
$$\gcd\Big(h(m^*),\ \prod_{i \in \{1,\dots,q\}} h(m_i)\Big) = 1,$$
since $h$ maps to prime numbers, and since $E_1$ occurred.
GHR signatures: use Shamir’s trick
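$$(\sigma^*)^{h(m^*)} \equiv s \equiv y^{\prod_{i \in \{1,\dots,q\}} h(m_i)} \bmod N$$
Lemma 31: Let $J, S \in \mathbb{Z}_N$ and $e, f \in \mathbb{Z}$ with
• $\gcd(e, f) = 1$
• $J^f \equiv S^e \bmod N$.
Then, given $N \in \mathbb{Z}$ and $(J, S, e, f) \in \mathbb{Z}_N^2 \times \mathbb{Z}^2$ it is possible to efficiently compute $x \in \mathbb{Z}_N$ with $x^e \equiv J \bmod N$.
$$x^{h(m^*)} \equiv y \bmod N$$
Hence: $(x, h(m^*))$ is the desired sRSA solution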
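The reduction $B$ from the last slides, run end to end on toy numbers. This is an added example, not part of the original slides: the hash-to-prime `h`, the primes `P`, `Q`, the value `y`, the messages and the stand-in forger (which uses $\varphi(N)$ only to play the role of $A$) are constructed assumptions.

```python
import hashlib
from math import prod

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def h(m: bytes) -> int:
    # Toy hash-to-prime (assumption): next prime from 2^32 + 32 hash bits.
    c = (2**32 + int.from_bytes(hashlib.sha256(m).digest()[:4], "big")) | 1
    while not is_prime(c):
        c += 2
    return c

def egcd(a, b):
    # Returns (g, u, v) with u*a + v*b == g == gcd(a, b).
    if b == 0:
        return a, 1, 0
    g, u, v = egcd(b, a % b)
    return g, v, u - (a // b) * v

def shamir_trick(N, J, S, e, f):
    # Lemma 31: J^f = S^e mod N and gcd(e, f) = 1 give x with x^e = J mod N.
    g, a, b = egcd(e, f)
    if g != 1:
        raise ValueError("gcd(e, f) != 1: this is event E0, not E1")
    return pow(J, a, N) * pow(S, b, N) % N   # x^e = J^(ae) * J^(bf) = J

def simulate(N, y, msgs):
    # B's setup without phi(N): s = y^(prod h(m_i)); sigma_j omits factor j.
    es = [h(m) for m in msgs]
    s = pow(y, prod(es), N)
    return s, [pow(y, prod(es[:j] + es[j + 1:]), N) for j in range(len(es))]

def extract(N, y, msgs, m_star, sig_star):
    # Forgery -> strong RSA solution (x, e) with x^e = y mod N.
    e = h(m_star)
    return shamir_trick(N, y, sig_star, e, prod(h(m) for m in msgs)), e

def demo():
    P, Q = 2**31 - 1, 2**61 - 1      # constructed toy primes, far too small
    N, y = P * Q, 123456789
    msgs = [b"offer-1", b"offer-2", b"offer-3"]
    s, sigs = simulate(N, y, msgs)
    sigs_ok = all(pow(sg, h(m), N) == s for m, sg in zip(msgs, sigs))
    # Stand-in for A: forges with phi(N), which B itself never uses.
    d = pow(h(b"fresh"), -1, (P - 1) * (Q - 1))
    x, e = extract(N, y, msgs, b"fresh", pow(s, d, N))
    return sigs_ok, e > 1 and pow(x, e, N) == y
```

If the forgery reuses a queried message, `shamir_trick` raises instead of returning a root, which is exactly the $E_0$ case handled by the collision-resistance reduction.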
Goal: EUF-CMA from (non-strong) RSA
• In Chapter 4.4 of lecture notes (not here)
• There: construction of EUF-CMA signatures from RSA (no ROM!)
• Very high-level overview:
  – Show: GHR selectively secure under RSA assumption ($A$ needs to commit to all $m_i$ and $m^*$ before seeing $pk$)
  – Transformation: selective security → EUF-naCMA
  – Leads to EUF-naCMA-secure Hohenberger-Waters signatures
  – Transformation: EUF-naCMA → EUF-CMA
  – Result: compact signatures, not very efficient (like GHR)
Open problems
• Construction of efficient EUF-CMA secure signatures from RSA
  – Hohenberger-Waters not very efficient
  – Many exponentiations, need to find many primes
• Construction of compact EUF-CMA secure signatures from factoring assumption
Socrative
Self-checking with quizzes
• Use following URL: https://b.socrative.com/login/student
• . . . and enter room “HOFHEINZ8872”
• Will also be in chat (so you can click on link)
• No registration necessary
• First quiz (about the GHR signature scheme) starts now!
Chameleon signatures: motivation
[Figure: Customer, Dealer 1 and Dealer 2, with the messages “Offer?”, “100$, $\sigma_1$”, “100$, $\sigma_1$” and “99$, $\sigma_2$”]
Chameleon signatures: goal
Question: can we construct a signature scheme, such that. . .
• . . . C can verify the authenticity of the offer from D1, but
• . . . C cannot convince D2 that the offer came from D1?
Chameleon hash functions (Definition)
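Def. (Chameleon hash function): A chameleon hash function CH consists of two PPT algorithms ($\mathsf{Gen}_{\mathsf{CH}}$, $\mathsf{TrapColl}_{\mathsf{CH}}$):
$\mathsf{Gen}_{\mathsf{CH}}(1^k)$: outputs $(ch, \tau)$:
• $ch$ is a function $ch : \mathcal{M} \times \mathcal{R} \to \mathcal{N}$
  – $\mathcal{M}$ message space
  – $\mathcal{R}$ randomness space
  – $\mathcal{N}$ target space
  – $\mathcal{M}, \mathcal{R}, \mathcal{N}$ may depend on concrete CH!
• $\tau$ is a trapdoor (or secret key).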
$\mathsf{TrapColl}_{\mathsf{CH}}(\tau, m, r, m')$, for $(m, r, m') \in \mathcal{M} \times \mathcal{R} \times \mathcal{M}$, computes $r' \in \mathcal{R}$ with
$$ch(m, r) = ch(m', r')$$
• Owner of τ can compute collisions
• Hence the name “chameleon” hash function
• Output “changes preimage” (like a chameleon changes color)
Collision-resistance
Def. 39 (Collision-resistance for chameleon hash functions): A chameleon hash function CH = ($\mathsf{Gen}_{\mathsf{CH}}$, $\mathsf{TrapColl}_{\mathsf{CH}}$) is collision-resistant iff for all PPT $A$,
$$\Pr\left[\, (ch, \tau) \leftarrow \mathsf{Gen}_{\mathsf{CH}}(1^k),\ A(1^k, ch) = (m, r, m', r') \;:\; ch(m, r) = ch(m', r') \,\wedge\, (m, r) \neq (m', r') \,\right]$$
is negligible in $k$.
Chameleon hashing based on DLog
As usual:
• $G$ group, $|G| = p$ prime, $g$ generator of $G$
Gen($1^k$):
• $x \leftarrow \mathbb{Z}_p^*$
• $h := g^x$
• $ch := (g, h)$
• $\tau := x$
$ch$ defines function:
$$ch : \mathbb{Z}_p \times \mathbb{Z}_p \to G, \qquad ch(m, r) := g^m \cdot h^r$$
Chameleon hashing based on DLog
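$$ch(m, r) = g^m \cdot h^r$$
TrapColl($\tau$, $m$, $r$, $m^*$): Compute $r^*$ with
$$m + x \cdot r = m^* + x \cdot r^* \bmod p \;\Leftrightarrow\; r^* = \frac{m - m^*}{x} + r \bmod p$$
This implies:
$$ch(m, r) = g^m \cdot h^r = g^{m + xr} = g^{m^* + x r^*} = g^{m^*} \cdot h^{r^*} = ch(m^*, r^*)$$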
Chameleon hashing based on DLog – security
Theorem 40: For every PPT $A$ that, upon input $ch = (g, h) \leftarrow$ Gen($1^k$), outputs a tuple $(m, r, m^*, r^*)$ with $(m, r) \neq (m^*, r^*)$ and $ch(m, r) = ch(m^*, r^*)$ in time $t_A$ and with success $\varepsilon_A$, there exists a PPT $B$ that breaks the DLog problem in $G$ in time $t_B \approx t_A$ with success $\varepsilon_B \geq \varepsilon_A$.
Proof: Like proof of DLog-based one-time signatures (Theorem 28).
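The DLog-based chameleon hash with its trapdoor collision, plus the step that turns any collision back into the trapdoor $x$, which is the computation a reduction to DLog can use. This is an added example, not part of the original slides: the toy group (order-1019 subgroup of $\mathbb{Z}_{2039}^*$ with generator 4), the function names and the sample values are constructed assumptions.

```python
Q_MOD, P_ORD, G = 2039, 1019, 4   # constructed toy group, far too small for real use

def gen(x):
    # Gen with the randomness made explicit: h = g^x, trapdoor tau = x in Z_p^*.
    if not 0 < x < P_ORD:
        raise ValueError("x must be in Z_p^*")
    return pow(G, x, Q_MOD)

def ch(h, m, r):
    # ch(m, r) = g^m * h^r
    return pow(G, m % P_ORD, Q_MOD) * pow(h, r % P_ORD, Q_MOD) % Q_MOD

def trap_coll(x, m, r, m_star):
    # r* = (m - m*)/x + r mod p
    return ((m - m_star) * pow(x, -1, P_ORD) + r) % P_ORD

def trapdoor_from_collision(m, r, m_star, r_star):
    # m + x*r = m* + x*r* mod p  =>  x = (m - m*)/(r* - r) mod p
    if (r_star - r) % P_ORD == 0:
        raise ValueError("r = r*: forces m = m*, so not a collision")
    return (m - m_star) * pow(r_star - r, -1, P_ORD) % P_ORD

def demo(x=321, m=123, r=456, m_star=900):
    h = gen(x)
    r_star = trap_coll(x, m, r, m_star)
    collides = ch(h, m, r) == ch(h, m_star, r_star)
    return collides, r_star != r, trapdoor_from_collision(m, r, m_star, r_star)
```

A single collision with $m \neq m^*$ is enough to recover $x$, so for this construction a published collision pair discloses the trapdoor.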
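Chameleon hashing based on RSA
Gen($1^k$):
• $N = P \cdot Q$, $P, Q$ prime
• Prime e > 2N with $\gcd(e, \varphi(N)) = 1$
• $d = e^{-1} \bmod \varphi(N)$
• $J \leftarrow \mathbb{Z}_N$
• $ch := (N, e, J)$
• $\tau := d$
$$ch : \mathbb{Z}_N \times \mathbb{Z}_N \to \mathbb{Z}_N, \qquad ch(m, r) := J^m \cdot r^e \bmod N$$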
Chameleon hashing based on RSA
$$ch(m, r) := J^m \cdot r^e \bmod N$$
TrapColl($\tau$, $m$, $r$, $m^*$): Compute $r^*$ as
$$r^* = (J^{m - m^*} \cdot r^e)^d \bmod N$$
$$ch(m, r) = J^m \cdot r^e \bmod N = J^{m^*} \cdot (r^*)^e \bmod N = ch(m^*, r^*)$$
Chameleon hashing based on RSA – security
Theorem 42: For every PPT $A$ that, upon input $(N, e, J)$, outputs a tuple $(m, r, m^*, r^*)$ with $(m, r) \neq (m^*, r^*)$ and $ch(m, r) = ch(m^*, r^*)$ in time $t_A$ and with success $\varepsilon_A$, there is a PPT $B$ that breaks the prime-e-RSA problem in time $t_B \approx t_A$ and with success $\varepsilon_B \geq \varepsilon_A$.
Proof: Like proof of RSA-based one-time signatures (Theorem 30).
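The RSA-based chameleon hash with its trapdoor collision, together with a domain check showing why messages have to stay below the prime $e$. This is an added example, not part of the original slides: the toy primes, the fixed `J`, the literal reading "e is a prime larger than 2N", and the helper names `raw`, `ch_eval` and `shifted_pair` are constructed assumptions.

```python
def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def gen(P, Q):
    # Gen: N = P*Q, prime e > 2N (hence gcd(e, phi(N)) = 1), d = e^-1 mod phi(N).
    N, phi = P * Q, (P - 1) * (Q - 1)
    e = 2 * N + 1
    while not is_prime(e):
        e += 2
    J = 1234567 % N        # constructed; the scheme samples J from Z_N
    return (N, e, J), pow(e, -1, phi)

def raw(ch, m, r):
    # J^m * r^e mod N with no domain check
    N, e, J = ch
    return pow(J, m, N) * pow(r, e, N) % N

def ch_eval(ch, m, r):
    # ch : Z_N x Z_N -> Z_N, with the domain enforced
    N = ch[0]
    if not (0 <= m < N and 0 <= r < N):
        raise ValueError("input outside Z_N x Z_N")
    return raw(ch, m, r)

def trap_coll(ch, d, m, r, m_star):
    # r* = (J^(m - m*) * r^e)^d mod N
    N, e, J = ch
    return pow(pow(J, m - m_star, N) * pow(r, e, N) % N, d, N)

def shifted_pair(ch, m, r):
    # Without d: J^(m+e) * (r * J^-1)^e = J^m * r^e, so the raw formula cannot
    # tell m from m + e. Keeping messages below e rules this pair out.
    N, e, J = ch
    return m + e, r * pow(J, -1, N) % N
```

With messages restricted to $\mathbb{Z}_N$ and $e$ larger than $N$, two distinct messages never differ by a multiple of $e$, which is the condition the security argument relies on.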
Socrative
Self-checking with quizzes
• Use following URL: https://b.socrative.com/login/student
• . . . and enter room “HOFHEINZ8872”
• Will also be in chat (so you can click on link)
• No registration necessary
• Second quiz (about chameleon hash functions) starts now!