Realizing Hash and Sign Signatures under Standard Assumptions. Susan Hohenberger, Johns Hopkins.

Presentation transcript:

Realizing Hash and Sign Signatures under Standard Assumptions
Susan Hohenberger (Johns Hopkins), Brent Waters (UT Austin)

Digital Signatures
1976 Diffie-Hellman: dream of digital signatures
1978 Rivest-Shamir-Adleman: first implementation
[Figure: the document "When, in the course of…" with its signature shown as a random-looking string]

Signatures Today
Two classes:
“Hash-and-Sign” Signatures
-- [RSA78, E84, S91, O92, BR93, PS96, GHR99, CS00, CL01, BLS04, BB04, CL04, W05, GJKW07, GPV08,...]
-- what practitioners expect
-- short signatures and short public keys
Tree-Based Signatures
-- [GMR85, G86, M89, DN89, BM90, NY94, R90, CD95, CD96,...]

Focus on “Hash-and-Sign”
Again, most things fall into two classes:
Strong Assumptions
-- Strong RSA [GHR99, CS00]
-- q-Strong Diffie-Hellman [BB04]
-- LRSW [CL04]
Random Oracle Model
-- RSA [RSA78]
-- Discrete logarithm [E84,S91]
-- Lattices [GPV08]
Our goal: Hash-and-sign from standard assumptions in the standard model.

Strong Assumptions
RSA: Given $(N, y, e)$, find the $x$ s.t. $y = x^e \bmod N$.
Strong RSA: Given $(N, y)$, find any $(x, e)$ s.t. $e > 1$ and $y = x^e \bmod N$.
Computational Diffie-Hellman: Given $(g, g^a, g^b)$, find $g^{ab}$.
q-Strong Diffie-Hellman: Given $(g, g^a, g^{a^2}, \ldots, g^{a^q})$, find any $(c, g^{1/(a+c)})$ s.t. $c > 0$.

One Anomaly
Waters Signatures [W05]
+ Short (signature = 2 group elements)
+ Stateless
+ Standard Model
+ Secure under CDH assumption
- Public key requires O(k) group elements, where k is a security parameter

Prior and New Contributions
Short signatures from standard assumptions. Let k be the security parameter. Size in group elements (roughly).
W’05: Assump. CDH; PK Size O(k); Sig Size 2; Stateless? yes
HW’09: Assump. CDH, RSA; Size O(1); Stateless? no

Design from RSA
RSA: Given $(N, y, e)$, find the $x$ s.t. $x^e = y \bmod N$.
Different exponent per signature [GHR,CS]. For $i$th signature: $e_i$ = random, or $e_i = F(m_i)$.
Problem: In proof, how can we force adversary to forge with exponent $e$?
Space of $e_i$’s is exponential $\Rightarrow$ Strong RSA. If it was polynomial, we’d be all set.

Design from RSA
RSA: Given $(N, y, e)$, find the $x$ s.t. $x^e = y \bmod N$.
Problem: In proof, how can we force adversary to forge with exponent $e$?
Sign(SK, i, m)
Different exponent per signature [GHR,CS]. For $i$th signature: $e_i$ = random, $e_i = F(m_i)$, or $e_i = F(i)$.
What if adversary forges on state $i = 2^{163}$?

New Strategy
Problem: must bound i in adversary’s forgery.
Let x = # signatures issued.
Type I: using state i* > 2lg(x).
Type II: using state i* <= 2lg(x).
New Idea: sign $(m, i)$ and $\lceil \lg(i) \rceil$.
Adversary must forge sig on $\lceil \lg(i^*) \rceil$.
i* must come from polynomial range 1 to 2lg(x)!
For security parameter $2^K$, only $K$ distinct $\lceil \lg(i) \rceil$.
…But signer might need to sign with i* (solve with ChamHash).

Chameleon Hash
Formalized by Krawczyk and Rabin in
H(m, r)
1. Collision-resistant, i.e., hard to find (m,r) != (m’,r’) s.t. H(m,r) = H(m’,r’).
2. With trapdoor, given any y and m, can find r s.t. H(m,r) = y.
Exist DL, RSA realizations.
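The two properties on this slide, shown on a discrete-log chameleon hash as an added example (not code from the talk). The group parameters and the names `digest`, `open_to` and `demo` are assumptions made here; in this realization the trapdoor holder re-opens a value y for which one pair (m, r) is already known.

```python
import hashlib
import secrets

# Constructed toy group, far too small for real use: P = 2*Q + 1, G has prime order Q.
P, Q, G = 2039, 1019, 4

def keygen():
    """Return (trapdoor a, public key y = G^a mod P)."""
    a = secrets.randbelow(Q - 1) + 1          # nonzero mod Q, so it is invertible
    return a, pow(G, a, P)

def digest(m: bytes) -> int:
    """Map a message to an exponent in Z_Q (assumed encoding for this example)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % Q

def cham_hash(y: int, m: bytes, r: int) -> int:
    """H(m, r) = G^digest(m) * y^r mod P. Anyone can evaluate it."""
    return pow(G, digest(m), P) * pow(y, r, P) % P

def open_to(a: int, m: bytes, r: int, m_new: bytes) -> int:
    """Trapdoor holder: return r_new with H(m_new, r_new) = H(m, r).

    Solves digest(m) + a*r = digest(m_new) + a*r_new (mod Q) for r_new.
    """
    return (r + (digest(m) - digest(m_new)) * pow(a, -1, Q)) % Q

def demo():
    """Fix a hash value first, then open it to the message that must be signed."""
    a, y = keygen()
    r0 = secrets.randbelow(Q)
    target = cham_hash(y, b"placeholder", r0)        # value fixed in advance
    msg = b"message chosen later"                     # constructed sample input
    r1 = open_to(a, b"placeholder", r0, msg)
    return target, cham_hash(y, msg, r1)
```

Without `a`, producing such a pair of openings means finding a collision, which for a properly sized group is as hard as computing the discrete log of `y`.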

Construction
PK = (N, u, h, v, F, ChamHash), where F maps to primes.
Sign(SK, i, m): e = F(i). Choose r, x = ChamHash(m,r).
$s_1 = (u^x h)^{1/e} \bmod N$
$s_2$ = lg(i)th square root of $v \bmod N$
Sig = $(s_1, s_2, r, i)$. Can “squish” $s_1, s_2$.
Proof idea:
Type I: forgery i is “big” $\Rightarrow$ square roots $\Rightarrow$ factor N.
Type II: forgery i is “small” $\Rightarrow$ simulator can guess i $\Rightarrow$ F(i) = e from RSA challenge.

Computational DH -- Overview
Sigs ~ Boneh-Boyen IBE keys. Sign State; C.H. on master key. No need to find primes!
VK = $g, g^a, h, u, v, w \in G$ (bilinear) + ChamHash
Sign(SK, M, i) = $(u^x h)^a \, (u^i v^{\lg(i)} w)^t,\; g^t$
x = ChamHash(M,r), $t \in Z_p$

Handling State
Timer: State = Machine Time --- Careful! Do not roll back. Always one tick.
Multiple Machines: Coordinate?? Machine k signs: i · n + k.
Better not to have state.

Our Contributions
Short signatures with short keys with state in the standard model from:
-- RSA
-- Computational DH
State = a counter of # of sigs issued.

Thank you

Background
Chameleon hashes exist under RSA, factoring and discrete log.
A signature scheme is secure if for all ppt A, the following is negligible:
Full Definition [GMR88]: Pr[ (PK,SK) <- KeyGen($1^k$), (m,s) <- $A^{O_{sk}}$(PK) : Verify(PK,m,s)=1 and m not queried to signing oracle $O_{sk}$ ].
Weak Definition [...,BB04]: Pr[ ($m_1, \ldots, m_q$) <- A($1^k$), (PK,SK) <- KeyGen($1^k$), $s_i$ = Sign(SK, $m_i$), (m,s) <- A(PK, $s_1, \ldots, s_q$) : Verify(PK,m,s)=1 and m not equal to $m_1, \ldots, m_q$ ].
Theorem [...,ST01]: Weak Sig Scheme + Chameleon Hash = Full Sig Scheme.

Digital Signatures
Algorithms: KeyGen($1^k$) --> (PK, SK). Sign(SK, m) --> s. Verify(PK, m, s) --> 1/0.
[Figure: signed message "Dear UT, Happy April! --John"]
Definition [GMR88]: A signature scheme is secure if for all ppt A, the following is negligible:
Pr[ (PK,SK) <- KeyGen($1^k$), (m,s) <- $A^{O_{sk}}$(PK) : Verify(PK,m,s)=1 and m not queried to signing oracle $O_{sk}$ ].

Digital Signatures
Algorithms: KeyGen($1^k$) --> (PK, SK). Sign(SK, m) --> s. Verify(PK, m, s) --> 1/0.
1976 Diffie-Hellman: dream of digital signatures
1978 Rivest-Shamir-Adleman: first implementation
[Figure: the document "When, in the course of…" with its signature shown as a random-looking string]

Design from RSA
RSA: Given $(N, y, e)$, find the $x$ s.t. $x^e = y \bmod N$.
Problem: In proof, how can we force adversary to forge with exponent $e$?
Signer will use different exponent for each sig. For $i$th signature, perhaps
-- $e_i$ is chosen at random, or
-- $e_i$ is derived from the message $m_i$, or
-- $e_i$ is derived from the signer’s state $i$: Sign(SK, i, m)

Construction #1
PK = (N, u, h, v, F, ChamHash), where F maps to primes.
Sign(SK, i, m):
1. Increment i := i + 1.
2. Compute e = F(i).
3. Choose random r, compute x = ChamHash(m,r).
4. Compute $s_1 = (u^x h)^{1/e} \bmod N$, $s_2$ = lg(i)th square root of $v \bmod N$.
5. Output signature $(s_1, s_2, r, i)$.
More Type II details (where forgery i* is small):
On input, RSA challenge (N, y, e). Guess i*. Design F such that F(i*) = e. Use ChamHash to issue one signature on i*.
The adversary’s forgery on (m,i*) will either:
-- give a collision for ChamHash, or
-- give the RSA solution $y^{1/e} \bmod N$.

Two Types of Forgeries
RSA: Given $(N, y, e)$, find the $x$ s.t. $x^e = y \bmod N$.
Problem: must bound i in adversary’s forgery.
Signer will use different exponent for each sig. For $i$th signature, $e_i$ is derived from the signer’s state $i$.
Let x be the number of signatures issued by the signer. There are two types of forgeries:
Type I: using state i greater than 2lg(x).
Type II: using state i <= 2lg(x).
Idea: sign [ m, i ] and [ ceiling(lg(i)) ].

Construction #1
PK = (N, u, h, v, F, ChamHash), where F maps to primes.
Sign(SK, i, m):
1. Increment i := i + 1.
2. Compute e = F(i).
3. Choose random r, compute x = ChamHash(m,r).
4. Compute $s_1 = (u^x h)^{1/e} \bmod N$, $s_2$ = lg(i)th square root of $v \bmod N$.
5. Output signature $(s_1, s_2, r, i)$.
Verify(PK, m, s): straightforward.
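Sign and Verify for Construction #1, following the steps on the slide, as an added example that is not the authors' code. The toy modulus, the hash-to-prime stand-in for F, the discrete-log ChamHash instance and the check i >= 1 are assumptions made here, and "lg(i)th square root" is read as ceiling(lg(i)) repeated square roots.

```python
import hashlib
import secrets

# Constructed toy parameters, far too small for real use.
p, q = 1019, 1187                      # safe primes, so N is a Blum integer
N, PHI = p * q, (p - 1) * (q - 1)      # PHI = 4 * 509 * 593 is the secret key
P, Q, G = 2039, 1019, 4                # group for the chameleon hash (assumed)
Y = pow(G, 77, P)                      # ChamHash public key; trapdoor 77 unused here
u, h = (secrets.randbelow(N - 2) + 2 for _ in range(2))
v = pow(secrets.randbelow(N - 2) + 2, 2, N)        # a square mod N

def cham_hash(m: bytes, r: int) -> int:
    d = int.from_bytes(hashlib.sha256(m).digest(), "big") % Q
    return pow(G, d, P) * pow(Y, r, P) % P

def is_prime(n: int) -> bool:
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def F(i: int) -> int:
    """Public map from state i to a prime (assumed stand-in for the slide's F).
    Every prime above 1024 is coprime to PHI for this toy modulus."""
    e = 1025 + int.from_bytes(hashlib.sha256(str(i).encode()).digest(), "big") % 4096
    while not is_prime(e):
        e += 1
    return e

def ceil_lg(i: int) -> int:
    return (i - 1).bit_length()        # ceiling(lg(i)) for i >= 1

def sign(i: int, m: bytes):
    """Steps 2-5 of Sign; the caller has already incremented the counter i."""
    e, r = F(i), secrets.randbelow(Q)
    x = cham_hash(m, r)
    s1 = pow(pow(u, x, N) * h % N, pow(e, -1, PHI), N)    # (u^x h)^(1/e) mod N
    s2 = pow(v, pow(2 ** ceil_lg(i), -1, PHI // 4), N)    # repeated square root of v
    return s1, s2, r, i

def verify(m: bytes, sig) -> bool:
    s1, s2, r, i = sig
    if i < 1:
        return False
    x = cham_hash(m, r)
    return (pow(s1, F(i), N) == pow(u, x, N) * h % N      # s1^e == u^x h
            and pow(s2, 2 ** ceil_lg(i), N) == v)         # undo the square roots
```

The second check is what ties a signature to the size of its state: producing `s2` for a larger ceiling(lg(i)) than the signer has ever used requires further square roots of `v` modulo N.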

New Strategy
Problem: must bound i in adversary’s forgery.
Let x = # signatures.
Type I: using state i* > 2lg(x).
Type II: using state i* <= 2lg(x).
New Idea: sign $(m, i)$ and $\lceil \lg(i) \rceil$.

New Strategy
Problem: must bound i in adversary’s forgery.
Let x be the number of signatures issued by the signer. There are two types of forgeries:
Type I: using state i greater than 2lg(x).
Type II: using state i <= 2lg(x).
New Idea: sign [ m, i ] and [ ceiling(lg(i)) ].