Digital Signatures
Dennis Hofheinz (slides based on slides by Björn Kaidel)
Digital Signatures 2020-02-18 1
Outline
Logistics
Overview
Introduction
Definition
Security
Security experiments
Formal security definition
Relations among security definitions
Information-theoretic security
Organization
• Lecture: Tuesdays, 10:00-12:00, ML E12
• Exam: oral, 20 minutes
• Contact: [email protected]
• Speaking hours: whenever my door (CAB H33.3) is open
• Website: todo
Supporting materials
• Lecture notes (German) by Tibor Jager: https://www.tiborjager.de/DigitaleSignaturen.pdf
• Book “Digital Signatures” by Jonathan Katz
• Slides (on website) and occasional blackboard writeup
Overview
• What are (digital) signatures?
• Which security properties do we want from signatures?
• How do we construct and prove signatures?
• Outlook towards current research
Content
• Motivation/definitions
• One-time signatures→ tree-based signatures
• RSA-based signatures
• Interlude: chameleon hashing
• Pairing-based signatures
• . . . (?)
Not here: “symmetric signatures” (MACs)
Motivation
• Goal: “Digital analogue of (physical) signatures.”
• What do we want to sign? Bitstrings from {0, 1}∗
• Examples: code/programs, websites, emails, . . .
• Technical goals:
  – Authenticity: document is actually signed by that person
  – Integrity: document has not been changed since signing (desirable, but not actually guaranteed by physical signatures)
What are signature schemes?
Informally:
• Asymmetric cryptographic mechanisms
• Every participant has a keypair (pk , sk )
• Secret key sk used to sign (a message m), result: signature σ
• Public/verification key pk allows to verify that σ is valid for m
Signatures are not. . .
Signatures are not encryption schemes
• Signatures do not hide m (use encryption for that)
Signatures are not “inverse” public-key encryption schemes
• As in: signing = decrypting, verifying = encrypting
• Works (to some extent) for textbook RSA, but not for other schemes (and even deployed RSA uses different paddings for signing and for encryption)
Applications of signatures
• Program updates/apps
• E-commerce (signed websites)
• Certificates (digitally signed signature/encryption keys)
• Identity cards
• Building block in more complex cryptographic systems
• . . .
Definition: digital signature scheme
Def. 1: (Digital signature scheme)
A digital signature scheme is a tuple Σ = (Gen, Sign, Vfy) of probabilistic polynomial-time algorithms:
• Gen(1^k) → (pk, sk) (k ∈ N security parameter → asymptotic definition)
• Sign(sk, m) → σ (with m ∈ {0, 1}∗)
• Vfy(pk, m, σ) ∈ {0, 1} (intuitively: 1 iff σ valid)
Correctness
Correctness: “The scheme works.”
Formally:
∀k ∀(pk, sk) ← Gen(1^k) ∀m ∈ {0, 1}∗ : Vfy(pk, m, Sign(sk, m)) = 1
(for all random choices of Gen and Sign; a relaxed variant only demands this with overwhelming probability).
Digital signatures: Soundness
Soundness: “The scheme is secure.”
Formally:
• What is security?
• We need a definition!
Security
• Concrete security definition combines two things:
  – Adversarial capabilities
  – Adversarial goal
• Now: overview
• Later: formal definitions
Adversarial capabilities
1 a) no-message attack (NMA)
  • Adversary gets only pk.
1 b) non-adaptive chosen-message attack (naCMA)
  • Adversary chooses m1, ..., mq . . .
  • . . . then obtains pk and signatures σ1, ..., σq
1 c) (adaptive) chosen-message attack (CMA)
  • Adversary gets pk, then chooses m1, ..., mq and obtains σ1, ..., σq adaptively (i.e., one mi at a time, so m(i+1) may depend on pk and σ1, ..., σi)
Adversarial goals
General goal: forge/generate signatures
2 a) “Universal Unforgeability” (UUF)
  • Adversary has to generate a valid signature for an externally given m
  • m chosen at random (not by the adversary!)
2 b) “Existential Unforgeability” (EUF)
  • Adversary has to generate a valid signature for some message m of its own choice, as long as m was not signed before
Security definition
Security definition =̂ adversarial goal + adversarial capabilities
Interesting combinations:
• EUF-CMA
• EUF-naCMA
Security experiments
Tool to formalize security definitions: security experiments
Interactive process between two parties:
• Adversary A
• Challenger C
• A plays against C
• A wins iff it reaches its goal.
EUF-CMA security experiment
C_EUF-CMA                                            A
(pk, sk) ← Gen(1^k)      ------- pk ------->
                         <------ mi --------     • signing queries
                         ------- σi ------->     • q = q(k) queries, q polynomial (dep. on A)
                         <---- m*, σ* ------
Vfy(pk, m*, σ*) = 1 ∧ m* ∉ {m1, ..., mq}?
A wins iff Vfy(pk, m*, σ*) = 1 and m* ∉ {m1, ..., mq}
Why is A allowed arbitrary signing queries?
• Question: why is A allowed arbitrary signing queries?
• Answer: yields a strong and universal (application-independent) definition (an attack may yield signatures for unforeseeable messages; any service that signs attacker-supplied inputs is exactly such a signing oracle)
Definition: EUF-CMA
Def. 2: (EUF-CMA)
A digital signature scheme Σ = (Gen, Sign, Vfy) is EUF-CMA secure iff for all PPT A, the function
Pr[A wins EUF-CMA experiment]
  = Pr[ A^{C_EUF-CMA}(pk) = (m*, σ*) : Vfy(pk, m*, σ*) = 1 ∧ m* ∉ {m1, ..., mq} ]
is negligible (as a function of k).
Definition: negligible
Def.: (Negligible)
A function negl : N → [0, 1] is negligible iff
∀c ∈ N ∃k0 ∈ N ∀k ≥ k0 : negl(k) < 1/k^c.
Examples: 1/2^k and 1/k^(log k) are negligible (for 1/k^(log k): as soon as log k > c we have k^(log k) > k^c, so k0 = 2^(c+1) works); 1/k^2 is not (it already fails for c = 2).
UUF-NMA security experiment
C_UUF-NMA                                            A
(pk, sk) ← Gen(1^k)
m* ← {0, 1}^{p(k)}
                         ----- pk, m* ------>
                         <------ σ* --------
Vfy(pk, m*, σ*) = 1?
A wins iff Vfy(pk, m*, σ*) = 1
EUF-CMA ⇒ UUF-NMA
Def. 4 (UUF-NMA):
A digital signature scheme Σ = (Gen, Sign, Vfy) is UUF-NMA secure iff for all PPT A,
Pr[ A^{C_UUF-NMA}(pk, m*) = σ* : Vfy(pk, m*, σ*) = 1 ]
is negligible.
Theorem:
Let Σ = (Gen, Sign, Vfy) be a digital signature scheme. If Σ is EUF-CMA secure, then Σ is also UUF-NMA secure.
Proof: EUF-CMA ⇒ UUF-NMA (1)
Proof outline
• Proofs (almost) always by reduction
• Way to view reductions: proof by contradiction
• Assume Σ is EUF-CMA secure, but not UUF-NMA secure.
• Then: ∃ PPT adversary A_UUF-NMA with non-negligible
  Pr[ A_UUF-NMA^{C_UUF-NMA}(pk, m*) = σ* : Vfy(pk, m*, σ*) = 1 ]
Proof: EUF-CMA ⇒ UUF-NMA (2)
• Idea: use A_UUF-NMA to build a successful adversary A_EUF-CMA on the EUF-CMA security of Σ
• A_EUF-CMA usually uses A_UUF-NMA as a subroutine
• Existence of a (successful) A_EUF-CMA contradicts the assumed EUF-CMA security. . .
• . . . hence such an A_UUF-NMA cannot exist
Proof: EUF-CMA⇒ UUF-NMA (3)
Proof: blackboard
Proof: EUF-CMA ⇒ UUF-NMA (4)
Remark:
• A_EUF-CMA makes no signature queries. . .
• . . . hence we have actually shown EUF-NMA ⇒ UUF-NMA
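The reduction behind this remark, written out as an added example (it is not the lecture's blackboard proof): euf_cma_adversary_from_uuf_nma wraps any UUF-NMA adversary into an EUF-CMA adversary that samples the random challenge message itself and never touches the signing oracle, so its forgery is trivially on a fresh message and it succeeds exactly when the wrapped adversary does. The toy scheme and the always-successful UUF-NMA adversary below are constructed only so the wrapper has something to run against; they are not a scheme from the lecture.

```python
import hashlib
import secrets


def euf_cma_adversary_from_uuf_nma(uuf_nma_adversary, p_k):
    """Reduction: A_EUF-CMA built from A_UUF-NMA.

    A_EUF-CMA samples m* <- {0,1}^{p(k)} itself (exactly what C_UUF-NMA would do),
    runs A_UUF-NMA on (pk, m*) and outputs (m*, sigma*).  It never calls the
    signing oracle, so m* is not among the queried messages and A_EUF-CMA wins
    the EUF-CMA experiment whenever A_UUF-NMA wins the UUF-NMA experiment.
    """
    def a_euf_cma(pk, sign_oracle):
        m_star = secrets.token_bytes(p_k // 8)   # p(k) assumed to be a multiple of 8 here
        return m_star, uuf_nma_adversary(pk, m_star)
    return a_euf_cma


def no_queries_allowed(m):
    """Stand-in signing oracle: the adversary produced by the reduction never calls it."""
    raise AssertionError("A_EUF-CMA built by the reduction must not make signing queries")


# Constructed, deliberately broken toy scheme: the "signature" is just SHA-256(m),
# so the UUF-NMA adversary below succeeds with probability 1.
def toy_gen():
    sk = secrets.token_bytes(32)
    return hashlib.sha256(b"pk" + sk).digest(), sk


def toy_sign(sk, m):
    return hashlib.sha256(m).digest()


def toy_vfy(pk, m, sigma):
    return int(sigma == hashlib.sha256(m).digest())


def toy_uuf_nma_adversary(pk, m_star):
    return hashlib.sha256(m_star).digest()   # anyone can "sign" in this toy scheme


def run_reduction(p_k=128):
    """Plays the EUF-CMA experiment against the adversary produced by the reduction.

    Returns True iff the forgery verifies; the oracle passed in raises on any
    signing query, so a True result also certifies that no query was made
    (which is why the argument even shows EUF-NMA => UUF-NMA).
    """
    pk, sk = toy_gen()
    a_euf_cma = euf_cma_adversary_from_uuf_nma(toy_uuf_nma_adversary, p_k)
    m_star, sigma_star = a_euf_cma(pk, no_queries_allowed)
    return toy_vfy(pk, m_star, sigma_star) == 1 and len(m_star) * 8 == p_k


if __name__ == "__main__":
    print("reduction produced a valid forgery without signing queries:", run_reduction())
```

The wrapper is generic: swap in any scheme and any UUF-NMA adversary with the same calling convention and the argument is unchanged, which is the point of the reduction.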
UUF-NMA: useful?
Question: how useful is UUF-NMA security?
Answer: later
EUF-naCMA security experiment
C_EUF-naCMA                                          A
                         <--- m1, ..., mq ---    • q = q(k) messages, q polynomial
(pk, sk) ← Gen(1^k)
∀i : σi ← Sign(sk, mi)
                         -- pk, σ1, ..., σq -->
                         <---- m*, σ* ------
Vfy(pk, m*, σ*) = 1 ∧ m* ∉ {m1, ..., mq}?
A wins iff Vfy(pk, m*, σ*) = 1 and m* ∉ {m1, ..., mq}
Def.: Like Def. 2 (with EUF-naCMA experiment)
Relations among security definitions
UUF-NMA  <  UUF-naCMA  <  UUF-CMA
   <            <            <
EUF-NMA  <  EUF-naCMA  <  EUF-CMA
(read X < Y as: Y-security implies X-security, i.e., Y is the stronger notion)
Generally:
• UUF < EUF
• NMA < naCMA < CMA
Proof by counterexample schemes (e.g., assume an EUF-naCMA secure scheme whose public keys are hard to guess, and modify it so that it is still EUF-naCMA but not EUF-CMA secure: let Sign additionally output sk when asked to sign the message m = pk. A naCMA adversary has to fix its queries before pk is sampled and hits m = pk only with negligible probability, whereas a CMA adversary simply queries m = pk and then signs any message it likes.)
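An executable model of the notions introduced so far, added here as an example and not part of the lecture slides: it implements Σ = (Gen, Sign, Vfy) from Def. 1, checks the correctness condition, plays the challenger side of the EUF-CMA and EUF-naCMA experiments exactly as drawn above, and carries out the naCMA-vs-CMA separation. Assumptions: the concrete scheme is a Lamport one-time signature over SHA-256 (the slides only list one-time signatures as a later topic), the construction leaky_variant, both adversaries and all sample messages are constructed for this example, and a Lamport key is one-time, so the base scheme itself is only secure for q ≤ 1; the attack side, which is what the code exercises, does not depend on that.

```python
import hashlib
import secrets

N = 256  # Lamport signs the N bits of SHA-256(m)
H = lambda data: hashlib.sha256(data).digest()

def bits(m):
    """The N bits of H(m), most significant first (messages are hashed before signing)."""
    d = int.from_bytes(H(m), "big")
    return [(d >> (N - 1 - i)) & 1 for i in range(N)]

# Sigma = (Gen, Sign, Vfy): Lamport one-time signatures, used here as a stand-in scheme
def lamport_gen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]  # two preimages per bit
    return [(H(x0), H(x1)) for x0, x1 in sk], sk                                  # pk = their hashes

def lamport_sign(sk, m):
    return [sk[i][b] for i, b in enumerate(bits(m))]  # reveal one preimage per bit of H(m)

def lamport_vfy(pk, m, sigma):
    ok = len(sigma) == N and all(H(sigma[i]) == pk[i][b] for i, b in enumerate(bits(m)))
    return int(ok)

LAMPORT = (lamport_gen, lamport_sign, lamport_vfy)

def correctness_holds(scheme, messages):
    """Vfy(pk, m, Sign(sk, m)) = 1 for a fresh key pair and every given m."""
    gen, sign, vfy = scheme
    pk, sk = gen()
    return all(vfy(pk, m, sign(sk, m)) == 1 for m in messages)

# Challenger side of the EUF-CMA experiment: adversary(pk, sign_oracle) -> (m*, sigma*)
def euf_cma_experiment(scheme, adversary):
    gen, sign, vfy = scheme
    pk, sk = gen()
    queried = []
    def sign_oracle(m):  # adaptive: each m_i may depend on pk and the earlier sigma_i
        queried.append(m)
        return sign(sk, m)
    m_star, sigma_star = adversary(pk, sign_oracle)
    return vfy(pk, m_star, sigma_star) == 1 and m_star not in queried

# EUF-naCMA: m_1..m_q are fixed by choose_messages() before pk exists
def euf_nacma_experiment(scheme, choose_messages, forge):
    gen, sign, vfy = scheme
    msgs = choose_messages()
    pk, sk = gen()
    sigmas = [sign(sk, m) for m in msgs]
    m_star, sigma_star = forge(pk, msgs, sigmas)
    return vfy(pk, m_star, sigma_star) == 1 and m_star not in msgs

# Adversary 1 (CMA against plain Lamport): chosen messages leak the whole key.  Each query
# reveals a still-missing preimage at a position with prob. 1/2, so 64 queries suffice.
def key_recovery_forger(pk, sign_oracle):
    known = [dict() for _ in range(N)]
    for ctr in range(64):
        m = b"probe-%d" % ctr
        for i, (b, x) in enumerate(zip(bits(m), sign_oracle(m))):
            known[i][b] = x
        if all(len(k) == 2 for k in known):
            break
    sk = [(k.get(0, b""), k.get(1, b"")) for k in known]
    return b"forged: pay Mallory", lamport_sign(sk, b"forged: pay Mallory")  # never queried

# Adversary 2: the naCMA-vs-CMA separation.  Sigma' = (Gen', Sign', Vfy') behaves like Sigma,
# but Sign' also leaks sk when asked to sign the message <pk>.  A naCMA adversary fixes its
# queries before pk is sampled and therefore hits <pk> only with negligible probability.
encode_pk = lambda pk: repr(pk).encode()

def leaky_variant(scheme):
    gen, sign, vfy = scheme
    def gen_prime():
        pk, sk = gen()
        return pk, (pk, sk)  # Sign' keeps pk to recognise the trapdoor message
    def sign_prime(sk_prime, m):
        pk, sk = sk_prime
        return sign(sk, m), (sk if m == encode_pk(pk) else None)
    def vfy_prime(pk, m, sigma_prime):
        return vfy(pk, m, sigma_prime[0])
    return gen_prime, sign_prime, vfy_prime

LEAKY = leaky_variant(LAMPORT)

def cma_attack_on_leaky(pk, sign_oracle):
    _, leaked_sk = sign_oracle(encode_pk(pk))  # q = 1, and the one query is pk itself
    return b"forged: pay Mallory", (lamport_sign(leaked_sk, b"forged: pay Mallory"), None)

def nacma_attempt_on_leaky():
    choose = lambda: [b"my guess of pk"]  # must be fixed before pk exists
    def forge(pk, msgs, sigmas):
        sig, leaked_sk = sigmas[0]
        if leaked_sk is None:  # trapdoor missed: replaying sigma_1 on a new message is all A has
            return b"forged: pay Mallory", (sig, None)
        return b"forged: pay Mallory", (lamport_sign(leaked_sk, b"forged: pay Mallory"), None)
    return choose, forge
```

key_recovery_forger wins EUF-CMA against plain Lamport only because it may ask for many signatures, which is the one-time limitation the later tree-based constructions remove. cma_attack_on_leaky wins EUF-CMA against Σ' with a single query m = pk, while the same strategy under EUF-naCMA (nacma_attempt_on_leaky) has to commit to its messages before pk exists and loses; this is the counterexample that separates EUF-naCMA from EUF-CMA.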
Information-theoretic security
Information-theoretic security: unbounded (i.e., not necessarily PPT) adversaries
Encryption:
• There is no information-theoretically secure public-key encryption scheme
• But: there are information-theoretically secure symmetric (i.e., secret-key) encryption schemes (→ one-time pad)
Question: is information-theoretic security possible for signatures?
Information-theoretic security: impossible! (1)
Theorem 10:
Let Σ = (Gen, Sign, Vfy) be a digital signature scheme. There exists a (not necessarily polynomially bounded) UUF-NMA adversary A on Σ with success probability 1.
Proof: Brute force. Given (pk, m*), A enumerates all bitstrings σ (Vfy is public, so A can run it) and outputs the first one with Vfy(pk, m*, σ) = 1; by correctness Sign(sk, m*) is such a string, so the search terminates.
Information-theoretic security: impossible! (2)
Theorem 12:
Let Σ = (Gen, Sign, Vfy) be a digital signature scheme. There exists a (PPT) UUF-NMA adversary A on Σ with success probability at least 2^-L, where L is an upper bound on the length of signatures.
Proof: Guess a valid signature. A outputs a uniformly random σ ← {0, 1}^L; by correctness at least one valid signature for m* exists, so the guess is valid with probability at least 2^-L (for signatures of length exactly L; guessing uniformly among all strings of length at most L costs at most a factor of 2).
Information-theoretic security: remarks
• But: there are information-theoretically secure bounded-use “symmetric signatures” (MACs), much like the one-time pad for encryption