Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
Tightly-Secure Signatures from ChameleonHash FunctionsNIST, Maryland, PKC 2015
Olivier Blazy1, Saqib A. Kakvi2, Eike Kiltz2,Jiaxin Pan21University of Limoges, France2Ruhr University Bochum, Germany
Keywords
1. Signatures
2. Tight Security
3. Chameleon Hash
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 2/30
Signature
. (pk, sk)←$ Gen
. σ ←$ Sign(sk,M)
. 0/1← Ver(pk,M, σ)
Correctness:
∀(pk, sk)←$ Gen, Ver(pk,M, Sign(sk,M)) = 1
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 3/30
UF-CMA Security
Challenger
(pk, sk)←$ Gen pk
Miσi ←$ Sign(sk,Mi) σi
(M, σ)Adversary wins:Ver(pk,M, σ) = 1∧M /∈ {M1, . . . ,MQ}
Adversary
Q is the number of signing queries.
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 4/30
Provable Security
DLOG
g,A←$ G
a ∈ ZpA = ga
Reduction Adversary
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 5/30
Provable Security
DLOG
g,A←$ G
a ∈ ZpA = ga
Reduction Adversary“DLOG problem is hard ⇒ scheme is secure”
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 5/30
I Let k be the security parameter,
Adv[Sig] < f(k) · Adv[DLOG]
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 6/30
Tight Security
Adv[Sig] < f(k) · Adv[DLOG]
I “Tight” iff(k) = O(1)
I “Loose” iff(k) = O(Q)
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 7/30
Why “tight”?
I In practice:◦ We want efficient schemes!◦ Smaller security parameters!
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 8/30
For example
I We want 80-bit security and Q = 240
Tight scheme. Adv[Sig] < Adv[DLOG] < 2−80
=⇒ We need DLOG problem with 80-bit security=⇒ |p| = 160 (by the best DLOG attack)
Loose Scheme. Adv[Sig] < 240 · Adv[DLOG] < 2−80
=⇒ Adv[DLOG] < 2−120
=⇒ We need DLOG problem with 120-bit security=⇒ |p| = 240 (by the best DLOG attack)
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 9/30
Signatures in the Standard Model
I Loose Reduction◦ e.g. Waters ’05
I Non-standard/“Q-Type” Assumptions◦ e.g. Boneh-Boyen ’04
I Exceptions: . . .
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 10/30
Tight Signatures from Standard Assumptions
I CRYPTO ’96 Cramer-Damgård: RSA
I PKC ’05 Catalano-Gennaro: Factoring
I CRYPTO ’12 Hofheinz-Jager: DLIN
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 11/30
Tight Signatures from Standard Assumptions
I CRYPTO ’96 Cramer-Damgård: RSA
I PKC ’05 Catalano-Gennaro: Factoring
I CRYPTO ’12 Hofheinz-Jager: DLIN
QuestionGeneric constructions for tight signatures?
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 11/30
Our Contribution
Transformation
DLOG
SIS
CDH
DLIN
RSA
. . .
TSIG[DLOG]
TSIG[SIS]
TSIG[CDH]
TSIG[DLIN]
TSIG[RSA]
TSIG[. . .]
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 12/30
Our Contribution
DLOG SIS FAC . . .
Chameleon Hash Two-Tier Signature Tight Signature
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 13/30
Our Contribution
DLOG SIS FAC . . .
Chameleon Hash Two-Tier Signature Tight Signature[BS07]
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 13/30
Two-Tier Signature
I Proposed by Bellare and Shoup at PKC ’07
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 14/30
Two-Tier Signature
Signature
I (pk, sk)←$ Gen
I σ ←$ Sign(sk,M)
I 0/1← Ver(pk,M, σ)
Two-Tier Signature
I (ppk, psk)←$ PrimaryGenI (spk, ssk)←$ SecondaryGenI σ ←$ TTSign(sk, ssk,M)
I 0/1← TTVer(pk, spk,M, σ)
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 15/30
Security of two-tier signature
Challenger
(ppk, psk)←$ PrimaryGen pk
Mi(spki, sski)←$ SecondaryGenσi ←$ TTSign(sk, sski,Mi) (σi, spki)
(M, σ, spk)Adversary wins:TTVer(ppk, spk,M, σ) = 1∧ M /∈ {M1, . . . ,MQ}∧ spk = spki for some i
Adversary
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 16/30
Two-Tier Signature → Standard Signature
......
......
......
......
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 17/30
Two-Tier Signature → Standard Signature
spki ←$ SecondaryGen
......
......
......
......
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 17/30
Two-Tier Signature → Standard Signature
spki ←$ SecondaryGen
......
......
M
......
......
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 17/30
Gen of Tree Signature
I (ppk, psk)←$ PrimaryGen
I (spkroot, sskroot)←$ SecondaryGenI PK = (ppk, spkroot), sk = (psk, sskroot)
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 18/30
Gen of Tree Signature
I (ppk, psk)←$ PrimaryGenI (spkroot, sskroot)←$ SecondaryGen
I PK = (ppk, spkroot), sk = (psk, sskroot)
......
......
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 18/30
Gen of Tree Signature
I (ppk, psk)←$ PrimaryGenI (spkroot, sskroot)←$ SecondaryGenI PK = (ppk, spkroot), sk = (psk, sskroot)
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 18/30
Sign(sk,M)
I Step 1: Nodes Generation
I Step 2: Path Authentication
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 19/30
Step 1: Node Generation
......
......
M
......
......
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 20/30
Step 1: Node Generation
......
......
M
......
......
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 20/30
Step 1: Node Generation
......
......
M
......
......
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 20/30
Step 1: Node Generation
......
......
M
......
......
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 20/30
Step 1: Node Generation
......
......
M
......
......
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 20/30
Step 2: Path Authentication
......
......
M
......
......
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 21/30
Step 2: Path Authentication
I σ = TTSign(psk, sskparent, (LChild||RChild))
Parent
LChild RChild
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 22/30
Step 2: Path Authentication
Use Two-Tier Sig to authenticate the path
......
......
M
......
......
σ0
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 23/30
Step 2: Path Authentication
Use Two-Tier Sig to authenticate the path
......
......
M
......
......
σ0
σ1
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 23/30
Step 2: Path Authentication
Use Two-Tier Sig to authenticate the path
......
......
M
......
......
σ0
σ1
σL
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 23/30
Signatures
I Define signature := (path,σ1, . . . , σL)I Verify:
◦ Check if (σ1, . . . , σL) are valid two-tier signatures on path
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 24/30
Security
Theorem 1Our construction is tightly secure, if the underlying two-tier signature istightly-secure. Particularly,I Adv[TreeSig] = Adv[Two-TierSig]
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 25/30
Proof Idea
I Simulate the signature without sk:◦ Use two-tier signing oracle
I Tightly extract the two-tier forgery:◦ Observation:
I Forgery path differs from signing paths
◦ “Splitting” node: the valid two-tier forgery
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 26/30
“Splitting” Node
......
......
......
...
......
M∗
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 27/30
“Splitting” Node
......
......
......
...
......
M∗
σ∗1
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 27/30
Differences to Merkle trees
I Our tree node only contains “half” of the PK◦ Merkle: the whole PK
I We have a tight reduction◦ Merkle: loose reduction, guessing
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 28/30
Summary
Our ContributionsI Generic framework, new constructionsI Extensions: flat-tree signatures, ssNIZK, multi-challenge PKE
I Shortcoming: linear signature size
Open ProblemsI Reducing signature size
◦ For DLIN, it is already solved by [CW13], [BKP14];◦ Tight and constant size signatures based on DLOG, RSA, SIS?
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 29/30
Many thanks for your attention!
QUESTIONS?
Tight Sign from CHF|Horst Görtz Institute for IT-Security|NIST, Maryland|PKC 2015 30/30