![Page 1: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/1.jpg)
Digital SignaturesDennis Hofheinz (slides based on slides by Björn Kaidel)
Digital Signatures 2020-02-18 1
![Page 2: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/2.jpg)
Outline
Logistics
Overview
Introduction
Definition
Security
Security experiments
Formal security definition
Relations among security definitions
Information-theoretic security
Digital Signatures 2020-02-18 2
![Page 3: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/3.jpg)
Organization
• Lecture: Tuesdays, 10:00-12:00, ML E12
• Exam: oral, 20 minutes
• Contact: [email protected]
• Speaking hours: whenever my door (CAB H33.3) is open
• Website: todo
Digital Signatures 2020-02-18 3
![Page 4: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/4.jpg)
Supporting materials
• Lecture notes (German) by Tibor Jager:https://www.tiborjager.de/DigitaleSignaturen.pdf
• Book “Digital Signatures” by Jonathan Katz
• Slides (on website) and occasional blackboard writeup
Digital Signatures 2020-02-18 4
![Page 5: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/5.jpg)
Overview
• What are (digital) signatures?
• Which security properties do we want from signatures?
• How do we construct and prove signatures?
• Outlook towards current research
Digital Signatures 2020-02-18 5
![Page 6: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/6.jpg)
Content
• Motivation/definitions
• One-time signatures→ tree-based signatures
• RSA-based signatures
• Interlude: chameleon hashing
• Pairing-based signatures
• . . . (?)
Not here: “symmetric signatures” (MACs)
Digital Signatures 2020-02-18 6
![Page 7: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/7.jpg)
Motivation
• Goal: “Digital analogue of (physical) signatures.”
• What do we want to sign? Bitstrings from {0, 1}∗
• Examples: code/programs, websites, emails, . . .• Technical goals:
– Authenticity: document is actually signed by that person– Integrity: document has not been changed since signing
(desirable, but not actually guaranteed by physical signatures)
Digital Signatures 2020-02-18 7
![Page 8: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/8.jpg)
What are signature schemes?
Informally:
• Asymmetric cryptographic mechanisms
• Every participant has a keypair (pk , sk )
• Secret key sk used to sign (a message m), result: signature σ
• Public/verification key pk allows to verify that σ is valid for m
Digital Signatures 2020-02-18 8
![Page 9: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/9.jpg)
Signatures are no. . .
Signatures are no encryption schemes
• Signatures do not hide m (use encryption for that)
Signatures are no “inverse” public-key encryption schemes
• As in: signing=decrypting, verifying=encrypting
• Works (to some extent) for RSA, but not for other schemes
Digital Signatures 2020-02-18 9
![Page 10: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/10.jpg)
Signatures are no. . .
Signatures are no encryption schemes
• Signatures do not hide m (use encryption for that)
Signatures are no “inverse” public-key encryption schemes
• As in: signing=decrypting, verifying=encrypting
• Works (to some extent) for RSA, but not for other schemes
Digital Signatures 2020-02-18 9
![Page 11: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/11.jpg)
Applications of signatures
Ideas?
Digital Signatures 2020-02-18 10
![Page 12: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/12.jpg)
Applications of signatures
• Program updates/apps
• E-commerce (signed websites)
• Certificates (digitally signed signature/encryption keys)
• Identity cards
• Building block in more complex cryptographic systems
• . . .
Digital Signatures 2020-02-18 10
![Page 13: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/13.jpg)
Definition: digitale signature scheme
Def. 1: (Digital signature scheme)A digital signature scheme is a tuple Tupel Σ = (Gen, Sign, Vfy) ofprobabilistic polynomial-time algorithms:
• Gen(1k )→ (pk , sk ) (k ∈ N security parameter → asymptotic definition)
• Sign(sk , m)→ σ, (with m ∈ {0, 1}∗)
• Vfy(pk , m,σ) ∈ {0, 1} (intuitively: 1 iff σ valid)
Digital Signatures 2020-02-18 11
![Page 14: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/14.jpg)
Definition: digitale signature scheme
Def. 1: (Digital signature scheme)A digital signature scheme is a tuple Tupel Σ = (Gen, Sign, Vfy) ofprobabilistic polynomial-time algorithms:
• Gen(1k )→ (pk , sk ) (k ∈ N security parameter → asymptotic definition)
• Sign(sk , m)→ σ, (with m ∈ {0, 1}∗)
• Vfy(pk , m,σ) ∈ {0, 1} (intuitively: 1 iff σ valid)
Digital Signatures 2020-02-18 11
![Page 15: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/15.jpg)
Definition: digitale signature scheme
Def. 1: (Digital signature scheme)A digital signature scheme is a tuple Tupel Σ = (Gen, Sign, Vfy) ofprobabilistic polynomial-time algorithms:
• Gen(1k )→ (pk , sk ) (k ∈ N security parameter → asymptotic definition)
• Sign(sk , m)→ σ, (with m ∈ {0, 1}∗)
• Vfy(pk , m,σ) ∈ {0, 1} (intuitively: 1 iff σ valid)
Digital Signatures 2020-02-18 11
![Page 16: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/16.jpg)
Definition: digitale signature scheme
Def. 1: (Digital signature scheme)A digital signature scheme is a tuple Tupel Σ = (Gen, Sign, Vfy) ofprobabilistic polynomial-time algorithms:
• Gen(1k )→ (pk , sk ) (k ∈ N security parameter → asymptotic definition)
• Sign(sk , m)→ σ, (with m ∈ {0, 1}∗)
• Vfy(pk , m,σ) ∈ {0, 1} (intuitively: 1 iff σ valid)
Digital Signatures 2020-02-18 11
![Page 17: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/17.jpg)
Correctness
Correctness: “The scheme works.”
Formally:
∀k ∀(pk , sk )← Gen(1k ) ∀m : Vfy(pk , m, Sign(sk , m)) = 1.
Digital Signatures 2020-02-18 12
![Page 18: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/18.jpg)
Digitale Signaturen: Soundness
Soundness: “The scheme is secure.”
Formally:
• What is security?
• We need a definition!
Digital Signatures 2020-02-18 13
![Page 19: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/19.jpg)
Digitale Signaturen: Soundness
Soundness: “The scheme is secure.”
Formally:
• What is security?
• We need a definition!
Digital Signatures 2020-02-18 13
![Page 20: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/20.jpg)
Security
• Concrete security definition combines two things:– Adversarial capabilities– Adversarial goal
• Now: overview
• Later: formal definitions
Digital Signatures 2020-02-18 14
![Page 21: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/21.jpg)
Security
• Concrete security definition combines two things:– Adversarial capabilities– Adversarial goal
• Now: overview
• Later: formal definitions
Digital Signatures 2020-02-18 14
![Page 22: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/22.jpg)
Adversarial capabilities
1 a) no-message attack (NMA)• Adversary gets only pk .
1 b) non-adaptive chosen-message attack (naCMA)• Adversary chooses m1, ... , mq . . .• . . . then obtains pk and signatures σ1, ...,σq
1 c) (adaptive) chosen-message attack (CMA)• Adversary gets pk , then chooses m1, ..., mq and
obtains σ1, ...,σq adaptively (i.e., one mi at atime, so mi+1 may depend on pk and σ1, ... ,σi )
Digital Signatures 2020-02-18 15
![Page 23: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/23.jpg)
Adversarial capabilities
1 a) no-message attack (NMA)• Adversary gets only pk .
1 b) non-adaptive chosen-message attack (naCMA)• Adversary chooses m1, ... , mq . . .• . . . then obtains pk and signatures σ1, ...,σq
1 c) (adaptive) chosen-message attack (CMA)• Adversary gets pk , then chooses m1, ..., mq and
obtains σ1, ...,σq adaptively (i.e., one mi at atime, so mi+1 may depend on pk and σ1, ... ,σi )
Digital Signatures 2020-02-18 15
![Page 24: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/24.jpg)
Adversarial capabilities
1 a) no-message attack (NMA)• Adversary gets only pk .
1 b) non-adaptive chosen-message attack (naCMA)• Adversary chooses m1, ... , mq . . .• . . . then obtains pk and signatures σ1, ...,σq
1 c) (adaptive) chosen-message attack (CMA)• Adversary gets pk , then chooses m1, ..., mq and
obtains σ1, ...,σq adaptively (i.e., one mi at atime, so mi+1 may depend on pk and σ1, ... ,σi )
Digital Signatures 2020-02-18 15
![Page 25: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/25.jpg)
Adversarial goals
General goal: forge/generate signatures
2 a) “ Universal Unforgeability” (UUF)• Adversary has to generate valid signature for
externally given m• m chosen at random (not by adversary!)
2 b) “ Existential Unforgeablility” (EUF)• Adversary has to generate valid signature for any
message m not signed before
Digital Signatures 2020-02-18 16
![Page 26: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/26.jpg)
Adversarial goals
General goal: forge/generate signatures
2 a) “ Universal Unforgeability” (UUF)• Adversary has to generate valid signature for
externally given m• m chosen at random (not by adversary!)
2 b) “ Existential Unforgeablility” (EUF)• Adversary has to generate valid signature for any
message m not signed before
Digital Signatures 2020-02-18 16
![Page 27: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/27.jpg)
Adversarial goals
General goal: forge/generate signatures
2 a) “ Universal Unforgeability” (UUF)• Adversary has to generate valid signature for
externally given m• m chosen at random (not by adversary!)
2 b) “ Existential Unforgeablility” (EUF)• Adversary has to generate valid signature for any
message m not signed before
Digital Signatures 2020-02-18 16
![Page 28: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/28.jpg)
Security definition
Security definition =̂ adversarial goal + adversarial capabilities
Interesting combinations:
• EUF-CMA
• EUF-naCMA
Digital Signatures 2020-02-18 17
![Page 29: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/29.jpg)
Security experiments
Tool to formalize security definitions: security experiments
Interactive process between two parties:
• Adversary A• Challenger C
• A plays against C• A wins iff he reaches his goal.
Digital Signatures 2020-02-18 18
![Page 30: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/30.jpg)
EUF-CMA-Sicherheitsexperiment
CEUF-CMA A
(pk , sk )← Gen(1k ) pk
mi
σi
• queries
• q = q(k ) queries
• q polynomial (dep. on A)
m∗,σ∗
Ver (pk , m∗,σ∗) = 1?∧
m∗ /∈ {m1, ... , mq}?
A wins iff Vfy(pk , m∗,σ∗) = 1 and m∗ /∈ {m1, ..., mq}
Digital Signatures 2020-02-18 19
![Page 31: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/31.jpg)
EUF-CMA-Sicherheitsexperiment
CEUF-CMA A
(pk , sk )← Gen(1k ) pk
mi
σi
• queries
• q = q(k ) queries
• q polynomial (dep. on A)
m∗,σ∗
Ver (pk , m∗,σ∗) = 1?∧
m∗ /∈ {m1, ... , mq}?
A wins iff Vfy(pk , m∗,σ∗) = 1 and m∗ /∈ {m1, ..., mq}
Digital Signatures 2020-02-18 19
![Page 32: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/32.jpg)
EUF-CMA-Sicherheitsexperiment
CEUF-CMA A
(pk , sk )← Gen(1k ) pk
mi
σi
• queries
• q = q(k ) queries
• q polynomial (dep. on A)
m∗,σ∗
Ver (pk , m∗,σ∗) = 1?∧
m∗ /∈ {m1, ... , mq}?
A wins iff Vfy(pk , m∗,σ∗) = 1 and m∗ /∈ {m1, ..., mq}
Digital Signatures 2020-02-18 19
![Page 33: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/33.jpg)
EUF-CMA-Sicherheitsexperiment
CEUF-CMA A
(pk , sk )← Gen(1k ) pk
mi
σi
• queries
• q = q(k ) queries
• q polynomial (dep. on A)
m∗,σ∗
Ver (pk , m∗,σ∗) = 1?∧
m∗ /∈ {m1, ... , mq}?
A wins iff Vfy(pk , m∗,σ∗) = 1 and m∗ /∈ {m1, ..., mq}
Digital Signatures 2020-02-18 19
![Page 34: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/34.jpg)
EUF-CMA-Sicherheitsexperiment
CEUF-CMA A
(pk , sk )← Gen(1k ) pk
mi
σi
• queries
• q = q(k ) queries
• q polynomial (dep. on A)
m∗,σ∗
Ver (pk , m∗,σ∗) = 1?∧
m∗ /∈ {m1, ... , mq}?
A wins iff Vfy(pk , m∗,σ∗) = 1 and m∗ /∈ {m1, ..., mq}Digital Signatures 2020-02-18 19
![Page 35: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/35.jpg)
Why is A allowed arbitrary signing queries?
• Question: why is A allowed arbitrary signing queries?
• Answer: yields strong and universal (application-independent)definition (Attack may yield signatures for unforeseeable messages)
Digital Signatures 2020-02-18 20
![Page 36: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/36.jpg)
Why is A allowed arbitrary signing queries?
• Question: why is A allowed arbitrary signing queries?
• Answer: yields strong and universal (application-independent)definition (Attack may yield signatures for unforeseeable messages)
Digital Signatures 2020-02-18 20
![Page 37: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/37.jpg)
Definition: EUF-CMA
Def. 2: (EUF-CMA)A digital signature scheme Σ = (Gen, Sign, Vfy) is EUF-CMAsecure iff for all PPT A, the function
Pr [A wins EUF-CMA experiment]
= Pr
[ACEUF-CMA(pk ) = (m∗,σ∗) :
Vfy(pk , m∗,σ∗) = 1∧ m∗ /∈ {m1, ..., mq}
]
is negligible.
Digital Signatures 2020-02-18 21
![Page 38: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/38.jpg)
Definition: EUF-CMA
Def. 2: (EUF-CMA)A digital signature scheme Σ = (Gen, Sign, Vfy) is EUF-CMAsecure iff for all PPT A, the function
Pr [A wins EUF-CMA experiment]
= Pr
[ACEUF-CMA(pk ) = (m∗,σ∗) :
Vfy(pk , m∗,σ∗) = 1∧ m∗ /∈ {m1, ..., mq}
]
is negligible.
Digital Signatures 2020-02-18 21
![Page 39: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/39.jpg)
Definition: negligible
Def.: (Negligible)A function negl : N→ [0, 1] is negligible iff
∀c ∈ N ∃k0 ∈ N ∀k ≥ k0 : negl(k ) < 1/kc .
Examples: 1/2k and 1/k log k negligible, 1/k2 not.
Digital Signatures 2020-02-18 22
![Page 40: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/40.jpg)
Definition: negligible
Def.: (Negligible)A function negl : N→ [0, 1] is negligible iff
∀c ∈ N ∃k0 ∈ N ∀k ≥ k0 : negl(k ) < 1/kc .
Examples: 1/2k and 1/k log k negligible, 1/k2 not.
Digital Signatures 2020-02-18 22
![Page 41: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/41.jpg)
UUF-NMA security experiment
Ideas?
Digital Signatures 2020-02-18 23
![Page 42: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/42.jpg)
UUF-NMA security experiment
CUUF-NMA A
(pk , sk )← Gen(1k )
m∗ ← {0, 1}p(k )
pk , m∗
σ∗
Ver (pk , m∗,σ∗) = 1?
A wins iff Vfy(pk , m∗,σ∗) = 1
Digital Signatures 2020-02-18 23
![Page 43: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/43.jpg)
UUF-NMA security experiment
CUUF-NMA A
(pk , sk )← Gen(1k )
m∗ ← {0, 1}p(k )
pk , m∗
σ∗
Ver (pk , m∗,σ∗) = 1?
A wins iff Vfy(pk , m∗,σ∗) = 1
Digital Signatures 2020-02-18 23
![Page 44: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/44.jpg)
EUF-CMA⇒ UUF-NMA
Def. 4 (UUF-NMA):A digital signature scheme Σ = (Gen, Sign, Vfy) is UUF-NMAsecure iff for all PPT A,
Pr[ACUUF-NMA(pk , m∗) = σ∗ : Vfy(pk , m∗,σ∗) = 1]
is negligible.
Theorem:Let Σ = (Gen, Sign, Vfy) be a digital signature scheme. If Σ isEUF-CMA secure, then Σ is also UUF-NMA secure.
Digital Signatures 2020-02-18 24
![Page 45: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/45.jpg)
EUF-CMA⇒ UUF-NMA
Def. 4 (UUF-NMA):A digital signature scheme Σ = (Gen, Sign, Vfy) is UUF-NMAsecure iff for all PPT A,
Pr[ACUUF-NMA(pk , m∗) = σ∗ : Vfy(pk , m∗,σ∗) = 1]
is negligible.
Theorem:Let Σ = (Gen, Sign, Vfy) be a digital signature scheme. If Σ isEUF-CMA secure, then Σ is also UUF-NMA secure.
Digital Signatures 2020-02-18 24
![Page 46: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/46.jpg)
Proof: EUF-CMA⇒ UUF-NMA (1)
Proof outline
• Proofs (almost) always by reduction
• Way to view reductions: proof by contradiction
• Assume Σ is EUF-CMA secure, but not UUF-NMA secure.
• Then: ∃ PPT adversary AUUF-NMA with non-negligible
Pr[ACUUF-NMAUUF-NMA(pk , m∗) = σ∗ : Vfy(pk , m∗,σ∗) = 1]
Digital Signatures 2020-02-18 25
![Page 47: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/47.jpg)
Proof: EUF-CMA⇒ UUF-NMA (1)
Proof outline
• Proofs (almost) always by reduction
• Way to view reductions: proof by contradiction
• Assume Σ is EUF-CMA secure, but not UUF-NMA secure.
• Then: ∃ PPT adversary AUUF-NMA with non-negligible
Pr[ACUUF-NMAUUF-NMA(pk , m∗) = σ∗ : Vfy(pk , m∗,σ∗) = 1]
Digital Signatures 2020-02-18 25
![Page 48: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/48.jpg)
Proof: EUF-CMA⇒ UUF-NMA (1)
Proof outline
• Proofs (almost) always by reduction
• Way to view reductions: proof by contradiction
• Assume Σ is EUF-CMA secure, but not UUF-NMA secure.
• Then: ∃ PPT adversary AUUF-NMA with non-negligible
Pr[ACUUF-NMAUUF-NMA(pk , m∗) = σ∗ : Vfy(pk , m∗,σ∗) = 1]
Digital Signatures 2020-02-18 25
![Page 49: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/49.jpg)
Proof: EUF-CMA⇒ UUF-NMA (2)
• Idea: use AUUF-NMA to build a successful adversary AEUF-CMA
on the EUF-CMA security of Σ
• AEUF-CMA usually uses AUUF-NMA as subroutine
• Existence of (successful) AEUF-CMA contradicts assumedEUF-CMA security. . .
• . . . hence such a AUUF-NMA cannot exist
Digital Signatures 2020-02-18 26
![Page 50: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/50.jpg)
Proof: EUF-CMA⇒ UUF-NMA (2)
• Idea: use AUUF-NMA to build a successful adversary AEUF-CMA
on the EUF-CMA security of Σ
• AEUF-CMA usually uses AUUF-NMA as subroutine
• Existence of (successful) AEUF-CMA contradicts assumedEUF-CMA security. . .
• . . . hence such a AUUF-NMA cannot exist
Digital Signatures 2020-02-18 26
![Page 51: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/51.jpg)
Proof: EUF-CMA⇒ UUF-NMA (3)
Proof: blackboard
Digital Signatures 2020-02-18 27
![Page 52: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/52.jpg)
Proof: EUF-CMA⇒ UUF-NMA (4)
Remark:
• AEUF-CMA makes no signature queries. . .
• . . . hence we have actually shown
EUF-NMA⇒ UUF-NMA
Digital Signatures 2020-02-18 28
![Page 53: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/53.jpg)
UUF-NMA: useful?
Question: how useful is UUF-NMA security?
Answer: later
Digital Signatures 2020-02-18 29
![Page 54: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/54.jpg)
EUF-naCMA-Sicherheitsexperiment
CEUF-naCMA A
m1, ..., mq • q = q(k ) messages
• q polynomial(pk , sk )← Gen(1k )
∀i : σi ← Sign(sk , mi ) pk ,σ1, ...,σq
m∗ ,σ∗
Ver (pk , m∗,σ∗) = 1?∧
m∗ /∈ {m1, ... , mq}?
A wins iff Vfy(pk , m∗,σ∗) = 1 and m∗ /∈ {m1, ..., mq}
Def.: Like Def. 2 (with EUF-naCMA experiment)
Digital Signatures 2020-02-18 30
![Page 55: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/55.jpg)
EUF-naCMA-Sicherheitsexperiment
CEUF-naCMA Am1, ..., mq • q = q(k ) messages
• q polynomial
(pk , sk )← Gen(1k )
∀i : σi ← Sign(sk , mi ) pk ,σ1, ...,σq
m∗ ,σ∗
Ver (pk , m∗,σ∗) = 1?∧
m∗ /∈ {m1, ... , mq}?
A wins iff Vfy(pk , m∗,σ∗) = 1 and m∗ /∈ {m1, ..., mq}
Def.: Like Def. 2 (with EUF-naCMA experiment)
Digital Signatures 2020-02-18 30
![Page 56: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/56.jpg)
EUF-naCMA-Sicherheitsexperiment
CEUF-naCMA Am1, ..., mq • q = q(k ) messages
• q polynomial(pk , sk )← Gen(1k )
∀i : σi ← Sign(sk , mi ) pk ,σ1, ...,σq
m∗ ,σ∗
Ver (pk , m∗,σ∗) = 1?∧
m∗ /∈ {m1, ... , mq}?
A wins iff Vfy(pk , m∗,σ∗) = 1 and m∗ /∈ {m1, ..., mq}
Def.: Like Def. 2 (with EUF-naCMA experiment)
Digital Signatures 2020-02-18 30
![Page 57: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/57.jpg)
EUF-naCMA-Sicherheitsexperiment
CEUF-naCMA Am1, ..., mq • q = q(k ) messages
• q polynomial(pk , sk )← Gen(1k )
∀i : σi ← Sign(sk , mi ) pk ,σ1, ...,σq
m∗ ,σ∗
Ver (pk , m∗,σ∗) = 1?∧
m∗ /∈ {m1, ... , mq}?
A wins iff Vfy(pk , m∗,σ∗) = 1 and m∗ /∈ {m1, ..., mq}
Def.: Like Def. 2 (with EUF-naCMA experiment)Digital Signatures 2020-02-18 30
![Page 58: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/58.jpg)
Relations among security definitions
UUF-NMA < UUF-naCMA < UUF-CMA
< < <
EUF-NMA < EUF-naCMA < EUF-CMA
Generally:
• UUF < EUF
• NMA < naCMA < CMA
Proof by counterexample schemes (e.g., assume EUF-naCMA secure
scheme, modify it such that it is still EUF-naCMA but not EUF-CMA secure)
Digital Signatures 2020-02-18 31
![Page 59: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/59.jpg)
Information-theoretic security
Information-theoretic security: unbounded (i.e., not necessarilyPPT) adversaries
Encryption:
• There is no information-theoretically secure public-keyencryption scheme
• But: there are information-theoretically secure symmetric (i.e.,secret-key) encryption schemes (→one-time pad)
Question: is information-theoretic security possible for signatures?
Digital Signatures 2020-02-18 32
![Page 60: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/60.jpg)
Information-theoretic security: impossible! (1)
Theorem 10:Let Σ = (Gen, Sign, Vfy) be a digital signature scheme. Thereexists a (not necessarily polynomially bounded) UUF-NMAadversary A on Σ with success probability 1.
Proof: Ideas?
Digital Signatures 2020-02-18 33
![Page 61: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/61.jpg)
Information-theoretic security: impossible! (1)
Theorem 10:Let Σ = (Gen, Sign, Vfy) be a digital signature scheme. Thereexists a (not necessarily polynomially bounded) UUF-NMAadversary A on Σ with success probability 1.
Proof: Brute force.
Digital Signatures 2020-02-18 33
![Page 62: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/62.jpg)
Information-theoretic security: impossible! (2)
Theorem 12:Let Σ = (Gen, Sign, Vfy) be a digital signature scheme. There existsa (PPT) UUF-NMA adversary A on Σ with success probability atleast 2−L, where L is an upper bound on the length of signatures.
Proof: Ideas?
Digital Signatures 2020-02-18 34
![Page 63: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/63.jpg)
Information-theoretic security: impossible! (2)
Theorem 12:Let Σ = (Gen, Sign, Vfy) be a digital signature scheme. There existsa (PPT) UUF-NMA adversary A on Σ with success probability atleast 2−L, where L is an upper bound on the length of signatures.
Proof: Guess a valid signature.
Digital Signatures 2020-02-18 34
![Page 64: Digital Signatures...Digital Signatures 2020-02-18 15 Adversarial goals General goal:forge/generate signatures 2 a)“ Universal Unforgeability” (UUF) •Adversary has to generate](https://reader034.vdocument.in/reader034/viewer/2022051906/5ff8f951d76c1b53574d4c15/html5/thumbnails/64.jpg)
Information-theoretic security: remarks
• But: there are information-theoretically secure bounded-use“symmetric signatures” (MACs), much like the one-time pad forencryption
Digital Signatures 2020-02-18 35