Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)
description
Transcript of Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)
![Page 1: Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)](https://reader035.fdocuments.net/reader035/viewer/2022062410/56816134550346895dd08dd2/html5/thumbnails/1.jpg)
Short Signatures Without Random Oracles and the SDH Assumption in
Bilinear Groups (Part 1.)Dan Boneh and Xavier BoyenJ. Cryptol. (2008) 21: 149–177
Presenter: Yu-Chi Chen
![Page 2: Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)](https://reader035.fdocuments.net/reader035/viewer/2022062410/56816134550346895dd08dd2/html5/thumbnails/2.jpg)
About this paper
• One of the authors, Dan Boneh, is a well-known researcher in the areas of applied cryptography.
• The previous version (Eurocrypt 2004), cite: 600+. This paper is a full one (J. Cryptol.).
• His website: http://crypto.stanford.edu/~dabo/
![Page 3: Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)](https://reader035.fdocuments.net/reader035/viewer/2022062410/56816134550346895dd08dd2/html5/thumbnails/3.jpg)
Summary
• Part 1: Background of the security proof• Part 2: Background of the security proof• Part 3: BB-weakly secure short signature
scheme with its security proof• Part 4: BB-full short signature scheme with its
security proof• Part 5: (undecided)
![Page 4: Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)](https://reader035.fdocuments.net/reader035/viewer/2022062410/56816134550346895dd08dd2/html5/thumbnails/4.jpg)
Outline
• Introduction• A simple signature scheme• Security analysis• Discussions• Conclusions
![Page 5: Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)](https://reader035.fdocuments.net/reader035/viewer/2022062410/56816134550346895dd08dd2/html5/thumbnails/5.jpg)
Introduction
• Cryptographic scheme
• Security argument vs. Security proof
• Before 2000 vs. After 2000.
![Page 6: Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)](https://reader035.fdocuments.net/reader035/viewer/2022062410/56816134550346895dd08dd2/html5/thumbnails/6.jpg)
• M. Bellare and P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols– in Proceedings of the 1st ACM conference on
Computer and communications security, 1993.– Cite: 2800+
![Page 7: Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)](https://reader035.fdocuments.net/reader035/viewer/2022062410/56816134550346895dd08dd2/html5/thumbnails/7.jpg)
ROM: Random oracle model
• An adversary can ask to “Oracle” for it’s queries.
• Oracle is like a function: H:{0,1}*→{0,1}k.– Ex: H(x) = y
• If the input, x, has been queried, Oracle will return the same value, y, as before.
![Page 8: Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)](https://reader035.fdocuments.net/reader035/viewer/2022062410/56816134550346895dd08dd2/html5/thumbnails/8.jpg)
ROM
• If the input, x, has never been queried, Oracle will randomly output y.
• The outputted values are uniform distribution.
![Page 9: Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)](https://reader035.fdocuments.net/reader035/viewer/2022062410/56816134550346895dd08dd2/html5/thumbnails/9.jpg)
Comments
• ROM vs. Standard model– Hardness assumptions– Attacks– Security goals– Efficiency
![Page 10: Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)](https://reader035.fdocuments.net/reader035/viewer/2022062410/56816134550346895dd08dd2/html5/thumbnails/10.jpg)
Comments
• Hardness assumptions:– The RSA problem (formal)– The variant RSA problem (informal)– The CDH problem (formal)–…
![Page 11: Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)](https://reader035.fdocuments.net/reader035/viewer/2022062410/56816134550346895dd08dd2/html5/thumbnails/11.jpg)
• Attacks– Chosen message attack– Adaptive chosen message attack–Weak chosen message attack– CPA, CCA, CCA-2,…
![Page 12: Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)](https://reader035.fdocuments.net/reader035/viewer/2022062410/56816134550346895dd08dd2/html5/thumbnails/12.jpg)
• Security goals– Existential unforgeability– Strong unforgeability–…
![Page 13: Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)](https://reader035.fdocuments.net/reader035/viewer/2022062410/56816134550346895dd08dd2/html5/thumbnails/13.jpg)
• Efficiency– Computation– Communication–…
![Page 14: Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)](https://reader035.fdocuments.net/reader035/viewer/2022062410/56816134550346895dd08dd2/html5/thumbnails/14.jpg)
Outline
• Introduction• A simple signature scheme• Security analysis• Discussions• Conclusions
![Page 15: Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)](https://reader035.fdocuments.net/reader035/viewer/2022062410/56816134550346895dd08dd2/html5/thumbnails/15.jpg)
Secure signature
• (BB-SS, page 3)• KeyGen: Outputs a random key pair (pk, sk).• Sign: Takes sk and a message M, then returns a
signature σ.• Verify: Takes pk and a signed message (σ ,
M), then returns valid or invalid.
![Page 16: Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)](https://reader035.fdocuments.net/reader035/viewer/2022062410/56816134550346895dd08dd2/html5/thumbnails/16.jpg)
Secure signature (cont.)
• (BB-SS, page 4)• The signature scheme is said to be correct if
the following property is satisfied.
.1]valid),,(VerifyPr[:),(Sign
(),KeyGen),(,~
MpkMsk
skpkMM
![Page 17: Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)](https://reader035.fdocuments.net/reader035/viewer/2022062410/56816134550346895dd08dd2/html5/thumbnails/17.jpg)
Signature scheme
• KeyGen:
• Sign:• Verify:
xskHeXgpk
gXGg
GHGGGex
:},,,{:
,
}1,0{:,:
1
1*
211
),(:
)(
MSignQ
MHQx
))(,(?),( MHXege
![Page 18: Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)](https://reader035.fdocuments.net/reader035/viewer/2022062410/56816134550346895dd08dd2/html5/thumbnails/18.jpg)
Outline
• Introduction• A simple signature scheme• Security analysis• Discussions• Conclusions
![Page 19: Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)](https://reader035.fdocuments.net/reader035/viewer/2022062410/56816134550346895dd08dd2/html5/thumbnails/19.jpg)
Existential unforgeability
• Existential unforgeability– Given n valid signatures of (M1,…,Mn), to output a
forged signature of M* where M* not in {M1,…,Mn}.
• We construct a security game to model an attack to forge a signature existentially.
![Page 20: Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)](https://reader035.fdocuments.net/reader035/viewer/2022062410/56816134550346895dd08dd2/html5/thumbnails/20.jpg)
Roles
• A: the adversary– Break the scheme–Win this game
• C: the challenger– Solve a hard problem– Be an oracle to respond A’s request.
![Page 21: Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)](https://reader035.fdocuments.net/reader035/viewer/2022062410/56816134550346895dd08dd2/html5/thumbnails/21.jpg)
Security game
• Setup• Attack• Forgery
![Page 22: Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)](https://reader035.fdocuments.net/reader035/viewer/2022062410/56816134550346895dd08dd2/html5/thumbnails/22.jpg)
Setup
Attack
Queries
ResponseAdversary Challenger
![Page 23: Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)](https://reader035.fdocuments.net/reader035/viewer/2022062410/56816134550346895dd08dd2/html5/thumbnails/23.jpg)
Adversary Challenger
Forgery
Forgery
Solve a hard problem
![Page 24: Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)](https://reader035.fdocuments.net/reader035/viewer/2022062410/56816134550346895dd08dd2/html5/thumbnails/24.jpg)
Computational Diffie-Hellman
• Given
• Compute
ba ggGg ,,1
abg
![Page 25: Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)](https://reader035.fdocuments.net/reader035/viewer/2022062410/56816134550346895dd08dd2/html5/thumbnails/25.jpg)
Security proof
• Setup:
• C returns pk to A.
},,,{:,
}1,0{:,:
1
1*
211
HeXgpkgXGg
GHGGGea
![Page 26: Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)](https://reader035.fdocuments.net/reader035/viewer/2022062410/56816134550346895dd08dd2/html5/thumbnails/26.jpg)
Security proof
• Setup• Attack:– H queries.– Sign queries.
• Forgery
![Page 27: Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)](https://reader035.fdocuments.net/reader035/viewer/2022062410/56816134550346895dd08dd2/html5/thumbnails/27.jpg)
H queries.
• A can query H(Mi).• C maintains H-table, <M, Q, α, c>.• If H(Mi) has been queried before, C will return
H(Mi) as before.
![Page 28: Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)](https://reader035.fdocuments.net/reader035/viewer/2022062410/56816134550346895dd08dd2/html5/thumbnails/28.jpg)
H queries.
• If not, C will randomly pick a coinwith Pr[ci=0]=1/qS.– If ci=0, C randomly chooses
and returns . – If ci=1, C randomly chooses
and returns .• Finally, C inserts (Mi, Qi, αi, ci) into H-table.
}1,0{ic
*Zqi ib
i gQ )(*Zqi
igQi
![Page 29: Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)](https://reader035.fdocuments.net/reader035/viewer/2022062410/56816134550346895dd08dd2/html5/thumbnails/29.jpg)
Sign queries.
• A can query a signature of a message Mi.• If the message Mi maps to ci=0 in H-table, C
will abort and terminate.• If not, C will compute the signature
where αi is from H-table.– σi is a valid signature without doubt.
iXi
![Page 30: Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)](https://reader035.fdocuments.net/reader035/viewer/2022062410/56816134550346895dd08dd2/html5/thumbnails/30.jpg)
Security proof
• Setup• Attack:• Forgery
![Page 31: Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)](https://reader035.fdocuments.net/reader035/viewer/2022062410/56816134550346895dd08dd2/html5/thumbnails/31.jpg)
Forgery
• A forges a signature σ* on M*.• If M* does not map to c*=0, C will abort and
terminate.• The forged signature is valid, whereas the
following equation holds.
• C can use A’s forgery to solve the CDH problem.
*
)(* abg
*1
*)( abg
![Page 32: Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)](https://reader035.fdocuments.net/reader035/viewer/2022062410/56816134550346895dd08dd2/html5/thumbnails/32.jpg)
Security proof
• We conclude that A wins this game if and only if C does not abort in Attack and Forgery.
• Two events are as follows.– E1: C does not abort in Attack such as Sign
queries.– E2: C does not abort in Forgery.
• Thus, we have– The probability of A winning this game is .– The probability of C winning this game is .
]Pr[]Pr[' 21 EE'
![Page 33: Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)](https://reader035.fdocuments.net/reader035/viewer/2022062410/56816134550346895dd08dd2/html5/thumbnails/33.jpg)
Outline
• Introduction• A simple signature scheme• Security analysis• Discussions• Conclusions
![Page 34: Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)](https://reader035.fdocuments.net/reader035/viewer/2022062410/56816134550346895dd08dd2/html5/thumbnails/34.jpg)
A new assumption
• According to the above proof, we can obtain a new assumption.
• Given
• Find a pair where
},{},...,,{,, 111
kk abbabba gggggGg
},{** abb gg },...,{ 1
*kbbb
![Page 35: Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)](https://reader035.fdocuments.net/reader035/viewer/2022062410/56816134550346895dd08dd2/html5/thumbnails/35.jpg)
Conclusions
• We give a simple signature scheme to introduce the security proof.