Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)
Dan Boneh and Xavier Boyen
J. Cryptol. (2008) 21: 149–177
Presenter: Yu-Chi Chen
About this paper
• One of the authors, Dan Boneh, is a well-known researcher in the area of applied cryptography.
• The previous version (Eurocrypt 2004) has 600+ citations. This paper is the full version (J. Cryptol.).
• His website: http://crypto.stanford.edu/~dabo/
Summary
• Part 1: Background of the security proof
• Part 2: Background of the security proof
• Part 3: BB-weakly secure short signature scheme with its security proof
• Part 4: BB-full short signature scheme with its security proof
• Part 5: (undecided)
Outline
• Introduction
• A simple signature scheme
• Security analysis
• Discussions
• Conclusions
Introduction
• Cryptographic scheme
• Security argument vs. Security proof
• Before 2000 vs. After 2000.
• M. Bellare and P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols
  – In Proceedings of the 1st ACM Conference on Computer and Communications Security, 1993.
  – Citations: 2800+
ROM: Random oracle model
• An adversary can send its queries to the “Oracle”.
• The Oracle behaves like a function $H: \{0,1\}^* \to \{0,1\}^k$.
  – Ex: $H(x) = y$
• If the input, x, has been queried before, the Oracle returns the same value, y, as before.
ROM
• If the input, x, has never been queried, Oracle will randomly output y.
• The output values are uniformly distributed.
Comments
• ROM vs. Standard model
  – Hardness assumptions
  – Attacks
  – Security goals
  – Efficiency
Comments
• Hardness assumptions:
  – The RSA problem (formal)
  – The variant RSA problem (informal)
  – The CDH problem (formal)
  – …
• Attacks
  – Chosen message attack
  – Adaptive chosen message attack
  – Weak chosen message attack
  – CPA, CCA, CCA-2, …
• Security goals
  – Existential unforgeability
  – Strong unforgeability
  – …
• Efficiency
  – Computation
  – Communication
  – …
Outline
• Introduction
• A simple signature scheme
• Security analysis
• Discussions
• Conclusions
Secure signature
• (BB-SS, page 3)
• KeyGen: Outputs a random key pair (pk, sk).
• Sign: Takes sk and a message M, then returns a signature σ.
• Verify: Takes pk and a signed message (σ, M), then returns valid or invalid.
Secure signature (cont.)
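• (BB-SS, page 4)
• The signature scheme is said to be correct if the following property is satisfied: for every message $M$,
$$(pk, sk) \leftarrow \mathsf{KeyGen}(),\ \sigma \leftarrow \mathsf{Sign}(sk, M):\quad \Pr[\mathsf{Verify}(pk, M, \sigma) = \text{valid}] = 1.$$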
Signature scheme
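• KeyGen: $g \in G_1$, $X = g^x$, $e: G_1 \times G_1 \to G_2$, $H: \{0,1\}^* \to G_1$; $pk := \{g, X, e, H\}$, $sk := x$
• Sign: $Q = H(M)$, $\sigma := \mathsf{Sign}(sk, M) = Q^x$
• Verify: $e(g, \sigma) \stackrel{?}{=} e(X, H(M))$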
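Why the Verify check accepts every honestly generated signature (an added derivation, not part of the original slides), using only the bilinearity of $e$ and the definitions $X = g^x$, $\sigma = H(M)^x$:
$$e(g, \sigma) = e\big(g, H(M)^x\big) = e\big(g, H(M)\big)^x = e\big(g^x, H(M)\big) = e\big(X, H(M)\big).$$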
Outline
• Introduction
• A simple signature scheme
• Security analysis
• Discussions
• Conclusions
Existential unforgeability
• Existential unforgeability
  – Given n valid signatures on (M1,…,Mn), output a forged signature on M* where M* is not in {M1,…,Mn}.
• We construct a security game to model an attack that existentially forges a signature.
Roles
• A: the adversary
  – Break the scheme
  – Win this game
• C: the challenger
  – Solve a hard problem
  – Be an oracle to respond to A’s requests.
Security game
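• Setup
• Attack
• Forgery
[Figure: the security game between Adversary and Challenger. Setup; Attack (Queries and Response exchanged between Adversary and Challenger); Forgery (a Forgery passed between Adversary and Challenger, followed by “Solve a hard problem”).]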
Computational Diffie-Hellman
• Given $g \in G_1$, $g^a$, $g^b$
• Compute $g^{ab}$
Security proof
• Setup: $g \in G_1$, $X = g^a$, $e: G_1 \times G_1 \to G_2$, $H: \{0,1\}^* \to G_1$; $pk := \{g, X, e, H\}$
• C returns pk to A.
Security proof
• Setup
• Attack:
  – H queries.
  – Sign queries.
• Forgery
H queries.
• A can query H(Mi).
• C maintains an H-table, <M, Q, α, c>.
• If H(Mi) has been queried before, C will return H(Mi) as before.
H queries.
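• If not, C will randomly pick a coin $c_i \in \{0,1\}$ with $\Pr[c_i = 0] = 1/q_S$.
  – If $c_i = 0$, C randomly chooses $\alpha_i \in \mathbb{Z}_q^*$ and returns $Q_i = (g^b)^{\alpha_i}$.
  – If $c_i = 1$, C randomly chooses $\alpha_i \in \mathbb{Z}_q^*$ and returns $Q_i = g^{\alpha_i}$.
• Finally, C inserts $(M_i, Q_i, \alpha_i, c_i)$ into the H-table.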
Sign queries.
• A can query a signature of a message Mi.
• If the message Mi maps to ci=0 in the H-table, C will abort and terminate.
• If not, C will compute the signature $\sigma_i = X^{\alpha_i}$, where αi is from the H-table.
  – σi is a valid signature without doubt.
Security proof
• Setup
• Attack:
• Forgery
Forgery
• A forges a signature σ* on M*.
• If M* does not map to c*=0, C will abort and terminate.
• The forged signature is valid, so the following equation holds: $\sigma^* = (g^{ab})^{\alpha^*}$
• C can use A’s forgery to solve the CDH problem: $(\sigma^*)^{1/\alpha^*} = g^{ab}$
Security proof
• We conclude that A wins this game if and only if C does not abort in Attack and Forgery.
• Two events are as follows.
  – E1: C does not abort in Attack such as Sign queries.
  – E2: C does not abort in Forgery.
• Thus, we have
  – The probability of A winning this game is .
  – The probability of C winning this game is .
]Pr[]Pr[' 21 EE'
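The challenger's simulation from the Setup, H queries, Sign queries and Forgery slides, written out as an added example (not code from the slides or the paper). Assumptions: a small constructed subgroup of Z_p^* stands in for G1 with no pairing, since C never evaluates e; the names `Challenger` and `run_game` are hypothetical; and the harness uses the exponent a to play a successful forger, because no real forger exists.

```python
import random

# Toy group (constructed): p = 2q + 1 with p, q prime; g = 4 generates the order-q subgroup.
P, Q_ORD, G = 2039, 1019, 4

class Challenger:
    """C from the slides: holds a CDH instance (g^a, g^b) and simulates H and Sign for A."""
    def __init__(self, g_a, g_b, q_s, rng):
        self.X, self.g_b, self.q_s, self.rng = g_a, g_b, q_s, rng  # pk carries X = g^a
        self.table = {}                                  # H-table: M -> (Q_i, alpha_i, c_i)

    def H(self, M):
        if M not in self.table:                          # fresh query: sample once, replay later
            c = 0 if self.rng.randrange(self.q_s) == 0 else 1   # Pr[c_i = 0] = 1/q_S
            alpha = self.rng.randrange(1, Q_ORD)         # alpha_i in Z_q^*
            base = self.g_b if c == 0 else G             # c_i = 0 embeds g^b into H(M_i)
            self.table[M] = (pow(base, alpha, P), alpha, c)
        return self.table[M][0]

    def sign(self, M):
        self.H(M)
        _, alpha, c = self.table[M]
        return None if c == 0 else pow(self.X, alpha, P)  # abort, or sigma_i = X^alpha_i

    def extract(self, M_star, sigma_star):
        self.H(M_star)
        _, alpha, c = self.table[M_star]
        if c != 0:
            return None                                  # abort: g^b is not embedded in H(M*)
        return pow(sigma_star, pow(alpha, -1, Q_ORD), P)  # (sigma*)^(1/alpha*) = g^ab

def run_game(seed, q_s=4, queries=("m1", "m2", "m3"), target="m*"):
    rng = random.Random(seed)                            # seeded only for a reproducible demo
    a, b = rng.randrange(1, Q_ORD), rng.randrange(1, Q_ORD)  # known to the harness, not to C
    C = Challenger(pow(G, a, P), pow(G, b, P), q_s, rng)
    for M in queries:
        if C.sign(M) is None:
            return "abort-attack", None, None            # event E1 failed
    # Stand-in forger (assumption): the harness uses a to output a valid sigma* = H(M*)^a.
    sigma_star = pow(C.H(target), a, P)
    result = C.extract(target, sigma_star)
    if result is None:
        return "abort-forgery", None, None               # event E2 failed
    return "solved", result, pow(G, a * b, P)
```

Running `run_game` over many seeds shows all three outcomes; every run that reaches "solved" returns exactly g^ab, and the two abort outcomes are the failures of E1 and E2.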
Outline
• Introduction
• A simple signature scheme
• Security analysis
• Discussions
• Conclusions
A new assumption
• According to the above proof, we can obtain a new assumption.
• Given $g \in G_1$, $g^a$, $\{g^{b_1}, g^{ab_1}\}, \ldots, \{g^{b_k}, g^{ab_k}\}$
• Find a pair $\{g^{b^*}, g^{ab^*}\}$ where $b^* \notin \{b_1, \ldots, b_k\}$
Conclusions
• We give a simple signature scheme to introduce the security proof.