Upload
others
View
6
Download
0
Embed Size (px)
Citation preview
COS433/Math 473: Cryptography
Mark ZhandryPrinceton University
Spring 2017
Last Time
Digital Signatures
Digital Signatures
Algorithms:• Gen() à (sk,pk)• Sign(sk,m) à σ• Ver(pk,m,σ) à 0/1
Correctness:Pr[Ver(pk,m,Sign(sk,m))=1: (sk,pk)ßGen()] = 1
1-‐time Security For Signatures
(sk,pk)ßGen()
mσ σ ß Sign(sk,m)
(m*,σ*)
Output 1 iff:• m*≠m• Ver(pk,m*,σ*) = 1
1CMA-Adv( ) = Pr[ outputs 1]
pk
Unbounded Use Signatures
mi
σi
(m*,σ*)
Output 1 iff:• m*∉{m1,…}• Ver(pk,m*,σ*) = 1
CMA-Adv( ) = Pr[ outputs 1]
(sk,pk)ßGen()
σ ß Sign(sk,m)
pk
Strong Security
mi
σi
(m*,σ*)
Output 1 iff:• (m*, σ*)∉{(m1,σ1)…}• Ver(pk,m*,σ*) = 1
CMA-Adv( ) = Pr[ outputs 1]
(sk,pk)ßGen()
σ ß Sign(sk,m)
pk
Certificates
Facilitate public key infrastructure
Basically a signature by a CA on your public key• Certifies that you own the public key, not some adversary
Certificate Chaining
Once Bob’s public key is certified, Bob can sign Charlie’s public key
Charlie can then sign Donald’s public key
Donald is therefor the certified owner of his public key
So Far
Signature constructions from RSA, Factoring• We will later also see constructions from DDH
Unfortunately, all in the random oracle model
Ideally: construction without random oracles• Also from general assumptions
Today
One-‐way functions are sufficient to build signature schemes
Therefore, can build signatures from:• RSA, DDH, Block Ciphers, CRHF, etc.
Limitation:• Poor performance in practice
Lamport Signatures
Let F:XàY be a one-‐way function
Let M={0,1}n be message space
Gen():
x1,0
x1,1
x2,0
x2,1
x3,0
x3,1
x4,0
x4,1
x5,0
x5,1
y1,0
y1,1
y2,0
y2,1
y3,0
y3,1
y4,0
y4,1
y5,0
y5,1
ß
X
ßFyi,b=F(xi,b)
sk pk
Lamport Signatures
Sign(sk, m): (xi,mi)i=1,…,n
Ver(pk,m,σ): F(xi,mi) = yi,mi
x1,0
x1,1
x2,0
x2,1
x3,0
x3,1
x4,0
x4,1
x5,0
x5,1
y1,0
y1,1
y2,0
y2,1
y3,0
y3,1
y4,0
y4,1
y5,0
y5,1
Lamport Signatures
Theorem: If F is a secure OWF, then (Gen,Sign,Ver) is a (weakly) secure one-‐time signature scheme
Proofy1,0
y1,1
y2,0
y2,1
y3,0
y3,1
y4,0
y4,1
y5,0
y5,1
x1,0
x1,1
x2,0
x2,1
x3,0
x3,1
x4,0
x4,1
x5,0
x5,1x1,0
x1,1
x2,0
x2,1
x3,0
x3,1
x4,0
x4,1
x5,0
x5,1
x1,0
x1,1
x2,0
x2,1
x3,0
x3,1
x4,0
x4,1
x5,0
x5,1
y1,1
y2,0 y3,0
y4,1
y5,0
Proof
Since m*≠m, ∃i s.t. m*i≠mi
Suppose we know i, mi = 1-b, m*i = b
Construct adversary that inverts OWF
Proofy*
x1,0
x1,1
x2,0
x2,1 x3,1
x4,0
x4,1
x5,0
x5,1
y1,0
y1,1
y2,0
y2,1
y*
y3,1
y4,0
y4,1
y5,0
y5,1
Fx1,0
x1,1
x2,0
x2,1
x3,0
x3,1
x4,0
x4,1
x5,0
x5,1
x1,0
x1,1
x2,0
x2,1
x*
x3,1
x4,0
x4,1
x5,0
x5,1
y1,1
y2,0 y3,0
y4,1
y5,0
x*
i,b
Proof
View of exactly as in 1-‐time CMA experiment, assuming• ith bit of m = b• ith bit of m* = 1-b
If always chooses m,m* with these properties, and forges with probability ε, then inverts with probability ε
Proof
In general, may choose m,m* to differ at arbitrary places • May be randomly chosen, may depend on pk, may even depend on σ• May never be at certain places
How do we make still succeed?
Proofy*
x1,0
x1,1
x2,0
x2,1 x3,1
x4,0
x4,1
x5,0
x5,1
y1,0
y1,1
y2,0
y2,1
y*
y3,1
y4,0
y4,1
y5,0
y5,1
Fx1,0
x1,1
x2,0
x2,1
x3,0
x3,1
x4,0
x4,1
x5,0
x5,1
x1,0
x1,1
x2,0
x2,1
x*
x3,1
x4,0
x4,1
x5,0
x5,1
y1,1
y2,0 y3,0
y4,1
y5,0
x*
i,b
i,bß[n]×{0,1}
If need xi,b, abort
If no xi,b, abort
Proof
pk independent of (i,b)• m independent of (i,b)• Therefore, Pr[mi=1-b]=½
Conditioned on mi=1-b,• Signing succeeds• σ independent of i• forges with probability ε, independent of i
Proof
We know if forges, then m*≠m
Since m* independent of i, have prob at least 1/nthat m*i=1-mi = b
In this case, succeeds in inverting y* • Prob = ½ × ε × 1/n = ε/2n
Limitations of Lamport Signatures
Only weakly secure• Why?• How to fix?
|pk|,|σ| >> |m|• How to fix?
Theorem: Given a secure OWF, it is possible to construct a strongly secure 1-‐time signature scheme where |m| >> |pk|,|σ|
Signing Multiple Messages
Once adversary sees two signed messages, security is lost (why?)
How do we sign multiple messages?
Signature Chaining
m1,σ1ßSign(sk1,m1)
sk1pk1
m1
Ver(pk1,m1,σ1)
Signature Chaining
m1, σ1 = (pk2,σ1’)
sk1pk1
m1
Ver(pk1,(m1,pk2) ,σ1’)(sk2,pk2)ßGen()
σ1’ßSign(sk1, (m1,pk2) )
Signature Chaining
m2, σ2
sk1pk1pk2
m2
Ver(pk2,m2 ,σ2)(sk2,pk2)ßGen()
σ1’ßSign(sk2, m2)
Signature Chaining
Idea: Bob can be assured that pk2 was in fact generated by Alice• If Eve tampered with pk2, then signature on first message would have been invalid
Therefore, Alice can sign m2 using sk2, and Eve cannot produce a forgery m2’ with valid signature
Can repeat process to sign arbitrarily many messages
Signature Chaining
m2, σ2 = (pk3,σ2’)
sk1pk1pk2
m2
Ver(pk2,(m2,pk3) ,σ2’)(sk2,pk2)ßGen()(sk3,pk3)ßGen()
σ1’ßSign(sk2, (m2,pk3) )
Limitations
Alice and Bob must stay synchronized• Else, Bob won’t be using correct public key to verify
If many users, every pair needs to be syncronized• What if Alice is sending messages to Bob and Charlie?
(Almost) Stateless Signature Chaining
m2, σ2 = (m1,pk2,σ1’,pk3,σ2’)
sk1pk1
m2
Ver(pk2,(m2,pk3) ,σ2’)(sk2,pk2)ßGen()(sk3,pk3)ßGen()
σ1’ßSign(sk2, (m2,pk3) )
Ver(pk1,(m1,pk2) ,σ1’)
Still Limitations
Now Bob (and Charlie, etc) are stateless
However, Alice is still stateful• Needs to remember all messages sent • Signature length grows with number of messages signed
Signature Trees
pk∅
pk0 pk1
σ∅ßSign(sk∅, (pk0,pk1))
pk00 pk01 pk10 pk11
σ0ßSign(sk0, (pk00,pk01))σ1ßSign(sk1, (pk10,pk11))
pk000 pk001 pk010 pk011 pk100 pk101 pk110 pk111
σ00, σ01, σ10, σ11
Signature Trees
To sign mi,• Compute σißSign(ski,mi), where ski is the ith leaf• Must include pki in signature so Bob can verify σi
• Must authenticate pki, so include σP(i) (and pkS(i))
• Must include pkP(i) so Bob can verify σP(i)
• Must auth pkP(i), so include σP(P(i)) (and pkS(P(i)))
• …
Comparison to Chaining
Limitations:• Bounded number of messages (2d)• Still requires Alice to keep state (all the sk’s, pk’s).
Size of state ≈ 2d
Advantages:• Signature size ≈ d, logarithmic in number of messages signed
Avoid Large State?
Alice keeps PRF key k as part of secret key
• For all internal nodes or leaves i,
(ski,pki)ßGen(; PRF(k, i) )
• Alice never stores signatures or public keys
• Instead, she computes needed signatures/public
keys on the fly
Unbounded Messages
Set d=λ• Can now sign up to 2λ messages (exponential)• Signature size ≈d = λ, so short signatures• Size of state independent of d, so short• Time to compute signature?
• Only need pk’s,σ’s on path from root to leaf, plus neighbors
• Only O(d)=O(λ) terms• Can efficiently compute from PRF key k
Fully Stateless?
So far, still need to keep state to remember which leaf we should use next
However, now we can do something different:• Instead of choosing leafs sequentially, just choose leaf at random• Except with probability O(|messages|2/2d), never use the same leaf twice
Putting it Together
pk∅
iß{0,…,2d-1}
sk=(sk∅, k)
Putting it Together
pk∅
pk0 pk1
pk00 pk01
pk010 pk011
iß{0,…,2d-1}
sk=(sk∅, k)
(sk0,pk0)ßGen(; PRF(k, 0))(sk1,pk1)ßGen(; PRF(k, 1))(sk00,pk00)ßGen(; PRF(k, 00))(sk01,pk01)ßGen(; PRF(k, 01))…σ∅ßSign(sk∅, (pk0,pk1))σ0ßSign(sk0, (pk00,pk01))…σßSign(ski, m)
Output all pkj’s and all σ’s as signature
Putting it Together
OWF to get 1-‐time signatures (with large pk’s, σ’s)
Hash first with target collision resistances• 1-‐time signatures with small pk’s, σ’s
Create tree of signatures (stateful scheme)
Make stateless by using a PRF
What’s Known
OWF
OWP
PRG
Com
CRH TCR
PRF PRP
SKEMACAuthEncCPA
-‐PKE
CCA-‐PKE Sig
What’s Known
OWF
OWP
PRG
Com
CRH TCR
PRF PRP
SKEMACAuthEncCPA
-‐PKE
CCA-‐PKE
Sig
Theorem: Given a secure OWF, it is possible to construct a strongly CMA-‐secure signature scheme
Practical Use?
Lamport signatures are fast:• Signing is just revealing part of your secret key• Verifying is just a few OWF evaluations
Tree-‐based signatures are a bit slower• Need to generate many signatures• Need to generate many public keys• Need many PRF evals
Practical Use?
Main limitation: Signature size• Basic Lamport: 128 bits per message bit• With hashing, need to sign 256 bit messages• For signature trees, signature consists of d Lamportsignatures (plus public keys)• dmust be big enough to prevent collisions• E.g. d = 100
Overall signature size: around a megabit
What’s the Smallest Signature?
Signature Trees: 1megabits
RSA Hash-‐and-‐Sign: 2 kilobits
ECDSA: around 512 bits
BLS: 256 bits
Are 128-‐bit signatures possible?
Obfuscation-‐Based Signatures
Let (MAC,Ver) be a message authentication code
Gen(): kßK• sk = k• pk = Obf( Ver(k, . , . ) )
Sign(sk,m) = MAC(k,m)Ver(pk,m,σ) = pk(m,σ)
Signature size: 128 bits!• But running time, public key size is horrible
Next Time
Identification protocols