Digital Signatures
Dennis Hofheinz (slides based on slides by Björn Kaidel)
Digital Signatures 2020-03-03 1
Outline
Why assumptions?
Efficient one-time signatures
Recap: Lamport
• EUF-1-CMA secure
• Requires only one-way function (weak assumption)
• Not very efficient
  – Many evaluations of one-way function
  – Large keys
Uselessness of UUF-NMA (not in lecture notes)
Use one-way function $f$ to construct UUF-NMA secure signature scheme:
• $\mathsf{Gen}(1^k)$: $sk \leftarrow \{0,1\}^k$, $pk = f(sk)$
• $\mathsf{Sign}(sk, m) = sk$
• $\mathsf{Vfy}(pk, m, \sigma)$: $f(\sigma) \stackrel{?}{=} pk$
• Actually EUF-NMA secure...
• ...but useless (message-independent signatures)
Why assumptions? (not in lecture notes)
We made assumptions so far to construct signature schemes:
• Existence of collision-resistant hash functions
• Existence of one-way functions
• More to come...
Why make assumptions in the first place?
Why assumptions? (2) (not in lecture notes)
Theorem: Let $\Sigma = (\mathsf{Gen}, \mathsf{Sign}, \mathsf{Vfy})$ be a UUF-NMA secure signature scheme. Then $\mathrm{P} \neq \mathrm{NP}$.
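Proof: $\exists$ UUF-NMA $\Rightarrow \mathrm{P} \neq \mathrm{NP}$ (not in lecture notes)
• Consider the language
$$L_\Sigma = \{(pk, m, \sigma') : \exists \sigma \text{ s.t. } \sigma' \text{ is a prefix of } \sigma \text{ and } \mathsf{Vfy}(pk, m, \sigma) = 1\}$$
• We have $L_\Sigma \in \mathrm{NP}$ (witness: $\sigma$)
• Assume for contradiction that $\mathrm{P} = \mathrm{NP}$. Then $\exists B$ that decides $L_\Sigma$ in polynomial time.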
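Proof: $\exists$ UUF-NMA $\Rightarrow \mathrm{P} \neq \mathrm{NP}$ (2) (not in lecture notes)
$$L_\Sigma = \{(pk, m, \sigma') : \exists \sigma \text{ s.t. } \sigma' \text{ is a prefix of } \sigma \text{ and } \mathsf{Vfy}(pk, m, \sigma) = 1\}.$$
UUF-NMA adversary from $B$:
• Use $B$ to find $\sigma$ given $m$, $pk$ (bit-by-bit search)
• Signatures are short, hence runtime is polynomial
• Always finds valid $\sigma$
Hence: $\mathrm{P} = \mathrm{NP}$ implies that $\Sigma$ is not UUF-NMA secure. (Contradiction.)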
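
The bit-by-bit search from the proof, as an added example that is not part of the original slides. The message-independent scheme with Vfy: f(σ) = pk stands in for Σ, with 12-bit signatures and truncated SHA-256 as f (both assumptions), and the brute-force `decider_B` stands in for the polynomial-time decider that would exist only if P = NP.

```python
import hashlib
from itertools import product

SIG_BITS = 12  # constructed toy length so the stand-in decider can brute-force

def f(bits: str) -> bytes:
    """Stand-in one-way function: truncated SHA-256 of the bit string."""
    return hashlib.sha256(bits.encode()).digest()[:4]

def vfy(pk: bytes, m: bytes, sigma: str) -> bool:
    """Vfy of the message-independent scheme: f(sigma) == pk (m is ignored)."""
    return len(sigma) == SIG_BITS and f(sigma) == pk

def decider_B(pk, m, prefix):
    """Decides L_Sigma: does some valid signature start with `prefix`?
    Brute force here; a polynomial-time B exists only if P = NP."""
    rest = SIG_BITS - len(prefix)
    return any(vfy(pk, m, prefix + "".join(t))
               for t in product("01", repeat=rest))

def find_signature(pk, m, decide=decider_B):
    """Bit-by-bit search: exactly SIG_BITS + 1 decider calls when a signature exists."""
    calls = 1
    if not decide(pk, m, ""):
        return None, calls          # no valid signature exists for (pk, m)
    prefix = ""
    while len(prefix) < SIG_BITS:
        calls += 1
        # Invariant: prefix is in L_Sigma. If no valid signature extends
        # prefix + "0", then one must extend prefix + "1".
        prefix += "0" if decide(pk, m, prefix + "0") else "1"
    return prefix, calls
```

The number of decider calls grows linearly in the signature length, which is the "signatures are short, hence runtime is polynomial" step of the proof.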
Discrete-log-based one-time signatures
Setting:
• Cyclic group $G = \langle g \rangle$ of prime order $|G| = p$
• $G$ may (should) depend on security parameter (we usually do not make this explicit)
DLog problem/assumption
DLog problem:
• Given generator $g$ and $y \leftarrow G$, find $x \in \mathbb{Z}_p$ with $g^x = y$.
DLog assumption:
• $\forall$ PPT $A$:
$$\Pr\left[x \leftarrow \mathbb{Z}_p;\ x' \leftarrow A(1^k, g, g^x) : x' = x\right] \text{ negligible.}$$
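DLog one-time signature
$\Sigma = (\mathsf{Gen}, \mathsf{Sign}, \mathsf{Vfy})$ with message space $\mathbb{Z}_p$:
• $\mathsf{Gen}(1^k)$: $x \leftarrow \mathbb{Z}_p^*$, $\omega \leftarrow \mathbb{Z}_p$, $h := g^x$, $c := g^\omega$, $pk = (g, h, c)$, $sk = (x, \omega)$
• $\mathsf{Sign}(sk, m)$: $\sigma = \frac{\omega - m}{x}$
• $\mathsf{Vfy}(pk, m, \sigma)$: $c \stackrel{?}{=} g^m h^\sigma$
Correctness:
$$g^m h^\sigma = g^{m + x\sigma} = g^{m + x \cdot \frac{\omega - m}{x}} = g^\omega = c$$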
DLog one-time signature: security
Theorem 28: For every EUF-1-naCMA adversary $A$ on $\Sigma$ with runtime $t_A$ and success probability $\varepsilon_A$, there is an adversary $B$ on the DLog problem in $G$ that runs in time $t_B \approx t_A$ and has success probability $\varepsilon_B \geq \varepsilon_A$.
DLog one-time signature: security
• Details: blackboard.
• Overview:
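  Parties: $C_{\mathrm{DLog}}$ (DLog problem), $B$, $A$ (EUF-1-naCMA)
  – $C_{\mathrm{DLog}}$: $x \leftarrow \mathbb{Z}_p$, $h := g^x$
  – $C_{\mathrm{DLog}} \to B$: $g, h$
  – $A \to B$: $m \in \mathbb{Z}_p$
  – $B$: compute $c, \sigma$ suitably (1)
  – $B \to A$: $pk = (g, h, c)$, $\sigma$
  – $A \to B$: $m^*, \sigma^*$
  – $B \to C_{\mathrm{DLog}}$: $x$ (2)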
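
An added example, not part of the original slides, covering both the DLog one-time signature and the reduction sketched in the overview: B builds pk and σ for A's message without knowing x, then recovers x from a second valid pair under the same pk. The toy group, the function names and the stand-in forger (which uses x only to play the role of A) are constructed for illustration.

```python
import secrets

# Constructed toy group (far too small for real use): MOD = 2*P + 1, both
# prime; G = 4 generates the subgroup of prime order P in Z_MOD^*.
MOD, P, G = 2039, 1019, 4

def gen():
    x = secrets.randbelow(P - 1) + 1               # x <- Z_p^*
    w = secrets.randbelow(P)                       # omega <- Z_p
    return (G, pow(G, x, MOD), pow(G, w, MOD)), (x, w)   # pk = (g, h, c), sk

def sign(sk, m):
    x, w = sk
    return (w - m) * pow(x, -1, P) % P             # sigma = (omega - m) / x

def vfy(pk, m, sigma):
    g, h, c = pk
    if not (0 <= m < P and 0 <= sigma < P):
        return False
    return c == pow(g, m, MOD) * pow(h, sigma, MOD) % MOD

def simulate(g, h, m):
    """B's 'compute c, sigma suitably': pick sigma first, then solve for c.
    No knowledge of x is needed."""
    sigma = secrets.randbelow(P)
    c = pow(g, m, MOD) * pow(h, sigma, MOD) % MOD
    return (g, h, c), sigma

def extract(m, sigma, m_star, sigma_star):
    """B's final step: two valid pairs for the same c reveal x = dlog_g(h)."""
    # m + x*sigma = m* + x*sigma*  (mod p)  =>  x = (m* - m) / (sigma - sigma*)
    return (m_star - m) * pow((sigma - sigma_star) % P, -1, P) % P

def run_reduction(x, m, m_star):
    """Drive B on the instance h = g^x with x in Z_p^*. The forger below is a
    constructed stand-in for A that uses x; B itself only sees g and h."""
    h = pow(G, x, MOD)
    pk, sigma = simulate(G, h, m)
    w = (m + x * sigma) % P                        # stand-in: c = g^w
    sigma_star = sign((x, w), m_star)
    assert vfy(pk, m, sigma) and vfy(pk, m_star, sigma_star)
    return extract(m, sigma, m_star, sigma_star)
```

The same algebra in `extract` is why the key pair must sign only one message: any two valid pairs for different messages under one pk determine x.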
One-time signatures based on RSA
Setting:
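• $N = P \cdot Q$, for large primes $P, Q$
• $\varphi(N) = (P - 1)(Q - 1) = |\mathbb{Z}_N^*|$
• Choose $e \in \mathbb{N}$ uniformly between 1 and $\varphi(N)$ with $\gcd(e, \varphi(N)) = 1$.
• Then $d \in \mathbb{N}$ with $e \cdot d \equiv 1 \bmod \varphi(N)$ can be found efficiently from $\varphi(N)$ and $e$.
• For $x \in \mathbb{Z}_N$, we have $x^{e \cdot d} \equiv x \bmod N$.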
RSA problem/assumption
RSA problem:
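• Given $N, e$ as above and $y \leftarrow \mathbb{Z}_N$, find $x \in \mathbb{Z}_N$ with $x^e \equiv y \bmod N$.
RSA assumption:
• $\forall$ PPT $A$:
$$\Pr\left[N, e \text{ as above};\ y \leftarrow \mathbb{Z}_N;\ x \leftarrow A(1^k, N, e, y) : x^e = y \bmod N\right] \text{ negligible.}$$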
RSA one-time signature
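$\Sigma = (\mathsf{Gen}, \mathsf{Sign}, \mathsf{Vfy})$ with message space $\{0, \dots, 2^n - 1\}$:
$\mathsf{Gen}(1^k)$:
• choose primes $P, Q$, set $N := P \cdot Q$
• uniformly choose prime $e$ with $2^n < e < \varphi(N)$ (and $\gcd(e, \varphi(N)) = 1$)
• $d := e^{-1} \bmod \varphi(N)$
• $J, c \leftarrow \mathbb{Z}_N$
• $pk = (N, e, J, c)$
• $sk = d$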
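RSA one-time signature: Sign & Vfy
$pk = (N, e, J, c)$, $sk = d = e^{-1} \bmod \varphi(N)$
$\mathsf{Sign}(sk, m)$:
$$\sigma \equiv \left(\frac{c}{J^m}\right)^d \bmod N$$
$\mathsf{Vfy}(pk, m, \sigma)$:
$$c \stackrel{?}{\equiv} J^m \sigma^e \bmod N$$
Correctness:
$$J^m \sigma^e \equiv J^m \left(\frac{c}{J^m}\right)^{e \cdot d} \equiv J^m \cdot \frac{c}{J^m} \equiv c \bmod N$$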
RSA one-time signature: security
Prime-e-RSA problem/assumption: like RSA problem and assumption, but with $e$ chosen as prime between $2^n$ and $\varphi(N)$. (Asymptotically: RSA assumption $\Rightarrow$ prime-e-RSA assumption!)
Theorem 30: For every EUF-1-naCMA adversary $A$ on $\Sigma$ with runtime $t_A$ and success probability $\varepsilon_A$, there is an adversary $B$ on the prime-e-RSA assumption that computes $x \in \mathbb{Z}_N$ with $x^e \equiv y \bmod N$ in time $t_B \approx t_A$ with success probability $\varepsilon_B \geq \varepsilon_A$.
Shamir’s trick
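Lemma 31: Let $J, S \in \mathbb{Z}_N$ and $e, f \in \mathbb{Z}$ with
• $\gcd(e, f) = 1$
• $J^f \equiv S^e \bmod N$.
Then, given $N \in \mathbb{Z}$ and $(J, S, e, f) \in \mathbb{Z}_N^2 \times \mathbb{Z}^2$, it is possible to efficiently compute $x \in \mathbb{Z}_N$ with $x^e \equiv J \bmod N$.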
Proof: blackboard.
RSA one-time signatures: security
• Details: see blackboard.
• Overview:
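  Parties: $C_{\mathrm{RSA}}$ (prime-e-RSA), $B$, $A$ (EUF-1-naCMA)
  – $C_{\mathrm{RSA}}$: $N = P \cdot Q$, $e > 2^n$, $y \leftarrow \mathbb{Z}_N$
  – $C_{\mathrm{RSA}} \to B$: $N, e, y$
  – $A \to B$: $m \in [0, 2^n - 1]$
  – $B$: compute $J, c, \sigma$ suitably (1)
  – $B \to A$: $pk = (N, e, J, c)$, $\sigma$
  – $A \to B$: $m^*, \sigma^*$
  – $B \to C_{\mathrm{RSA}}$: $x$ (2)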
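
An added example, not part of the original slides, covering Sign and Vfy of the RSA one-time signature, Shamir's trick (Lemma 31) and the reduction sketched in the overview: B embeds y as J, and turns a second valid pair under the same pk into an e-th root of y. Fixed toy key parameters replace Gen; they, the function names and the stand-in forger (which uses d only to play the role of A) are constructed for illustration.

```python
import math, secrets

# Constructed toy key, far too small for real use: 8-bit messages, prime e > 2^8.
P, Q, NBITS, E = 1019, 2039, 8, 257
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def rand_unit():
    """Uniform element of Z_N^*, so that divisions mod N are defined."""
    r = 0
    while math.gcd(r, N) != 1:
        r = secrets.randbelow(N)
    return r

def sign(pk, d, m):
    n, e, J, c = pk
    return pow(c * pow(J, -m, n) % n, d, n)        # sigma = (c / J^m)^d

def vfy(pk, m, sigma):
    n, e, J, c = pk
    in_range = 0 <= m < 2 ** NBITS and 0 <= sigma < n
    return in_range and c == pow(J, m, n) * pow(sigma, e, n) % n

def egcd(a, b):
    """Return (g, s, t) with s*a + t*b == g, where g is +gcd or -gcd."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t

def shamir_trick(n, J, S, e, f):
    """Lemma 31: from J^f = S^e (mod n), gcd(e, f) = 1, get x with x^e = J."""
    g, a, b = egcd(e, f)
    if abs(g) != 1:
        raise ValueError("e and f must be coprime")
    a, b = a * g, b * g                            # now a*e + b*f == 1
    return pow(J, a, n) * pow(S, b, n) % n         # x^e = J^(a*e + b*f) = J

def simulate(n, e, y, m):
    """B's 'compute J, c, sigma suitably': J = y, pick sigma, solve for c."""
    sigma = rand_unit()
    return (n, e, y, pow(y, m, n) * pow(sigma, e, n) % n), sigma

def extract(pk, m, sigma, m_star, sigma_star):
    """B's final step: J^(m - m*) = (sigma*/sigma)^e, then Shamir's trick."""
    n, e, J, _ = pk
    S = sigma_star * pow(sigma, -1, n) % n
    return shamir_trick(n, J, S, e, m - m_star)    # 0 < |m - m*| < 2^n < e

def run_reduction(y, m, m_star):
    """Drive B on (N, e, y); the forger is a constructed stand-in for A using D."""
    pk, sigma = simulate(N, E, y, m)
    sigma_star = sign(pk, D, m_star)
    assert vfy(pk, m, sigma) and vfy(pk, m_star, sigma_star)
    return extract(pk, m, sigma, m_star, sigma_star)
```

The comment in `extract` is where the condition e > 2^n from Gen is used: since e is prime and larger than any difference of two messages, gcd(e, m − m*) = 1 and Lemma 31 applies.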
One-time signatures: current research
Example: Tightly Secure Signatures and Public-Key Encryption [HofJag12]
• One-time signatures $\Rightarrow$ many-time signatures $\Rightarrow$ public-key encryption
• Special feature: security reduction scales to many users/instances without loss of reduction success