digital signatures...digital signatures 2020-02-18 15 adversarial goals general goal:forge/generate...

Digital SignaturesDennis Hofheinz (slides based on slides by Björn Kaidel)

Digital Signatures 2020-02-18 1

Outline

Logistics

Overview

Introduction

Definition

Security

Security experiments

Formal security definition

Relations among security definitions

Information-theoretic security

Organization

• Lecture: Tuesdays, 10:00-12:00, ML E12

• Exam: oral, 20 minutes

• Contact: [email protected]

• Speaking hours: whenever my door (CAB H33.3) is open

• Website: todo

Supporting materials

• Lecture notes (German) by Tibor Jager:https://www.tiborjager.de/DigitaleSignaturen.pdf

• Book “Digital Signatures” by Jonathan Katz

• Slides (on website) and occasional blackboard writeup

Overview

• What are (digital) signatures?

• Which security properties do we want from signatures?

• How do we construct and prove signatures?

• Outlook towards current research

Content

• Motivation/definitions

• One-time signatures→ tree-based signatures

• RSA-based signatures

• Interlude: chameleon hashing

• Pairing-based signatures

• . . . (?)

Not here: “symmetric signatures” (MACs)

Motivation

• Goal: “Digital analogue of (physical) signatures.”

• What do we want to sign? Bitstrings from {0, 1}∗

• Examples: code/programs, websites, emails, . . .• Technical goals:

– Authenticity: document is actually signed by that person– Integrity: document has not been changed since signing

(desirable, but not actually guaranteed by physical signatures)

What are signature schemes?

Informally:

• Asymmetric cryptographic mechanisms

• Every participant has a keypair (pk , sk )

• Secret key sk used to sign (a message m), result: signature σ

• Public/verification key pk allows to verify that σ is valid for m

Signatures are no. . .

Signatures are no encryption schemes

• Signatures do not hide m (use encryption for that)

Signatures are no “inverse” public-key encryption schemes

• As in: signing=decrypting, verifying=encrypting

• Works (to some extent) for RSA, but not for other schemes

Signatures are no. . .

Signatures are no encryption schemes

• Signatures do not hide m (use encryption for that)

Signatures are no “inverse” public-key encryption schemes

• As in: signing=decrypting, verifying=encrypting

• Works (to some extent) for RSA, but not for other schemes

Applications of signatures

Ideas?

Applications of signatures

• Program updates/apps

• E-commerce (signed websites)

• Certificates (digitally signed signature/encryption keys)

• Identity cards

• Building block in more complex cryptographic systems

• . . .

Definition: digitale signature scheme

Def. 1: (Digital signature scheme)A digital signature scheme is a tuple Tupel Σ = (Gen, Sign, Vfy) ofprobabilistic polynomial-time algorithms:

• Gen(1k )→ (pk , sk ) (k ∈ N security parameter → asymptotic definition)

• Sign(sk , m)→ σ, (with m ∈ {0, 1}∗)

• Vfy(pk , m,σ) ∈ {0, 1} (intuitively: 1 iff σ valid)

• Sign(sk , m)→ σ, (with m ∈ {0, 1}∗)

Correctness

Correctness: “The scheme works.”

Formally:

∀k ∀(pk , sk )← Gen(1k ) ∀m : Vfy(pk , m, Sign(sk , m)) = 1.

Digitale Signaturen: Soundness

Soundness: “The scheme is secure.”

Formally:

• What is security?

• We need a definition!

Digitale Signaturen: Soundness

Soundness: “The scheme is secure.”

Formally:

• What is security?

• We need a definition!

Security

• Concrete security definition combines two things:– Adversarial capabilities– Adversarial goal

• Now: overview

• Later: formal definitions

Security

• Concrete security definition combines two things:– Adversarial capabilities– Adversarial goal

• Now: overview

• Later: formal definitions

Adversarial capabilities

1 a) no-message attack (NMA)• Adversary gets only pk .

1 b) non-adaptive chosen-message attack (naCMA)• Adversary chooses m1, ... , mq . . .• . . . then obtains pk and signatures σ1, ...,σq

1 c) (adaptive) chosen-message attack (CMA)• Adversary gets pk , then chooses m1, ..., mq and

obtains σ1, ...,σq adaptively (i.e., one mi at atime, so mi+1 may depend on pk and σ1, ... ,σi )

Adversarial goals

General goal: forge/generate signatures

2 a) “ Universal Unforgeability” (UUF)• Adversary has to generate valid signature for

externally given m• m chosen at random (not by adversary!)

2 b) “ Existential Unforgeablility” (EUF)• Adversary has to generate valid signature for any

message m not signed before

Adversarial goals

Security definition

Security definition =̂ adversarial goal + adversarial capabilities

Interesting combinations:

• EUF-CMA

• EUF-naCMA

Security experiments

Tool to formalize security definitions: security experiments

Interactive process between two parties:

• Adversary A• Challenger C

• A plays against C• A wins iff he reaches his goal.

EUF-CMA-Sicherheitsexperiment

CEUF-CMA A

(pk , sk )← Gen(1k ) pk

• queries

• q = q(k ) queries

• q polynomial (dep. on A)

m∗,σ∗

Ver (pk , m∗,σ∗) = 1?∧

m∗ /∈ {m1, ... , mq}?

A wins iff Vfy(pk , m∗,σ∗) = 1 and m∗ /∈ {m1, ..., mq}

CEUF-CMA A

• queries

m∗,σ∗

Ver (pk , m∗,σ∗) = 1?∧

m∗ /∈ {m1, ... , mq}?

CEUF-CMA A

• queries

m∗,σ∗

Ver (pk , m∗,σ∗) = 1?∧

m∗ /∈ {m1, ... , mq}?

CEUF-CMA A

• queries

m∗,σ∗

Ver (pk , m∗,σ∗) = 1?∧

m∗ /∈ {m1, ... , mq}?

CEUF-CMA A

• queries

m∗,σ∗

Ver (pk , m∗,σ∗) = 1?∧

m∗ /∈ {m1, ... , mq}?

A wins iff Vfy(pk , m∗,σ∗) = 1 and m∗ /∈ {m1, ..., mq}Digital Signatures 2020-02-18 19

Why is A allowed arbitrary signing queries?

• Question: why is A allowed arbitrary signing queries?

• Answer: yields strong and universal (application-independent)definition (Attack may yield signatures for unforeseeable messages)

Why is A allowed arbitrary signing queries?

• Question: why is A allowed arbitrary signing queries?

• Answer: yields strong and universal (application-independent)definition (Attack may yield signatures for unforeseeable messages)

Definition: EUF-CMA

Def. 2: (EUF-CMA)A digital signature scheme Σ = (Gen, Sign, Vfy) is EUF-CMAsecure iff for all PPT A, the function

Pr [A wins EUF-CMA experiment]

[ACEUF-CMA(pk ) = (m∗,σ∗) :

Vfy(pk , m∗,σ∗) = 1∧ m∗ /∈ {m1, ..., mq}

is negligible.

Definition: EUF-CMA

Def. 2: (EUF-CMA)A digital signature scheme Σ = (Gen, Sign, Vfy) is EUF-CMAsecure iff for all PPT A, the function

Pr [A wins EUF-CMA experiment]

[ACEUF-CMA(pk ) = (m∗,σ∗) :

Vfy(pk , m∗,σ∗) = 1∧ m∗ /∈ {m1, ..., mq}

is negligible.

Definition: negligible

Def.: (Negligible)A function negl : N→ [0, 1] is negligible iff

∀c ∈ N ∃k0 ∈ N ∀k ≥ k0 : negl(k ) < 1/kc .

Examples: 1/2k and 1/k log k negligible, 1/k2 not.

Definition: negligible

Def.: (Negligible)A function negl : N→ [0, 1] is negligible iff

∀c ∈ N ∃k0 ∈ N ∀k ≥ k0 : negl(k ) < 1/kc .

Examples: 1/2k and 1/k log k negligible, 1/k2 not.

UUF-NMA security experiment

Ideas?

CUUF-NMA A

(pk , sk )← Gen(1k )

m∗ ← {0, 1}p(k )

pk , m∗

Ver (pk , m∗,σ∗) = 1?

A wins iff Vfy(pk , m∗,σ∗) = 1

CUUF-NMA A

m∗ ← {0, 1}p(k )

pk , m∗

Ver (pk , m∗,σ∗) = 1?

A wins iff Vfy(pk , m∗,σ∗) = 1

EUF-CMA⇒ UUF-NMA

Def. 4 (UUF-NMA):A digital signature scheme Σ = (Gen, Sign, Vfy) is UUF-NMAsecure iff for all PPT A,

Pr[ACUUF-NMA(pk , m∗) = σ∗ : Vfy(pk , m∗,σ∗) = 1]

is negligible.

Theorem:Let Σ = (Gen, Sign, Vfy) be a digital signature scheme. If Σ isEUF-CMA secure, then Σ is also UUF-NMA secure.

EUF-CMA⇒ UUF-NMA

Def. 4 (UUF-NMA):A digital signature scheme Σ = (Gen, Sign, Vfy) is UUF-NMAsecure iff for all PPT A,

Pr[ACUUF-NMA(pk , m∗) = σ∗ : Vfy(pk , m∗,σ∗) = 1]

is negligible.

Theorem:Let Σ = (Gen, Sign, Vfy) be a digital signature scheme. If Σ isEUF-CMA secure, then Σ is also UUF-NMA secure.

Proof: EUF-CMA⇒ UUF-NMA (1)

Proof outline

• Proofs (almost) always by reduction

• Way to view reductions: proof by contradiction

• Assume Σ is EUF-CMA secure, but not UUF-NMA secure.

• Then: ∃ PPT adversary AUUF-NMA with non-negligible

Pr[ACUUF-NMAUUF-NMA(pk , m∗) = σ∗ : Vfy(pk , m∗,σ∗) = 1]

Proof outline

• Idea: use AUUF-NMA to build a successful adversary AEUF-CMA

on the EUF-CMA security of Σ

• AEUF-CMA usually uses AUUF-NMA as subroutine

• Existence of (successful) AEUF-CMA contradicts assumedEUF-CMA security. . .

• . . . hence such a AUUF-NMA cannot exist

• Idea: use AUUF-NMA to build a successful adversary AEUF-CMA

on the EUF-CMA security of Σ

• AEUF-CMA usually uses AUUF-NMA as subroutine

• Existence of (successful) AEUF-CMA contradicts assumedEUF-CMA security. . .

• . . . hence such a AUUF-NMA cannot exist

Proof: blackboard

Remark:

• AEUF-CMA makes no signature queries. . .

• . . . hence we have actually shown

EUF-NMA⇒ UUF-NMA

UUF-NMA: useful?

Question: how useful is UUF-NMA security?

Answer: later

EUF-naCMA-Sicherheitsexperiment

CEUF-naCMA A

m1, ..., mq • q = q(k ) messages

• q polynomial(pk , sk )← Gen(1k )

∀i : σi ← Sign(sk , mi ) pk ,σ1, ...,σq

m∗ ,σ∗

Ver (pk , m∗,σ∗) = 1?∧

m∗ /∈ {m1, ... , mq}?

Def.: Like Def. 2 (with EUF-naCMA experiment)

CEUF-naCMA Am1, ..., mq • q = q(k ) messages

• q polynomial

m∗ ,σ∗

Ver (pk , m∗,σ∗) = 1?∧

m∗ /∈ {m1, ... , mq}?

m∗ ,σ∗

Ver (pk , m∗,σ∗) = 1?∧

m∗ /∈ {m1, ... , mq}?

m∗ ,σ∗

Ver (pk , m∗,σ∗) = 1?∧

m∗ /∈ {m1, ... , mq}?

Def.: Like Def. 2 (with EUF-naCMA experiment)Digital Signatures 2020-02-18 30

Relations among security definitions

UUF-NMA < UUF-naCMA < UUF-CMA

EUF-NMA < EUF-naCMA < EUF-CMA

Generally:

• UUF < EUF

• NMA < naCMA < CMA

Proof by counterexample schemes (e.g., assume EUF-naCMA secure

scheme, modify it such that it is still EUF-naCMA but not EUF-CMA secure)

Information-theoretic security

Information-theoretic security: unbounded (i.e., not necessarilyPPT) adversaries

Encryption:

• There is no information-theoretically secure public-keyencryption scheme

• But: there are information-theoretically secure symmetric (i.e.,secret-key) encryption schemes (→one-time pad)

Question: is information-theoretic security possible for signatures?

Information-theoretic security: impossible! (1)

Theorem 10:Let Σ = (Gen, Sign, Vfy) be a digital signature scheme. Thereexists a (not necessarily polynomially bounded) UUF-NMAadversary A on Σ with success probability 1.

Proof: Ideas?

Theorem 10:Let Σ = (Gen, Sign, Vfy) be a digital signature scheme. Thereexists a (not necessarily polynomially bounded) UUF-NMAadversary A on Σ with success probability 1.

Proof: Brute force.

Theorem 12:Let Σ = (Gen, Sign, Vfy) be a digital signature scheme. There existsa (PPT) UUF-NMA adversary A on Σ with success probability atleast 2−L, where L is an upper bound on the length of signatures.

Proof: Ideas?

Theorem 12:Let Σ = (Gen, Sign, Vfy) be a digital signature scheme. There existsa (PPT) UUF-NMA adversary A on Σ with success probability atleast 2−L, where L is an upper bound on the length of signatures.

Proof: Guess a valid signature.

Information-theoretic security: remarks

• But: there are information-theoretically secure bounded-use“symmetric signatures” (MACs), much like the one-time pad forencryption

digital signatures...digital signatures 2020-02-18 15 adversarial goals general goal:forge/generate...

Documents