Lattice-based DAPS and Generalizations

Size: px

Start display at page:

Download "Lattice-based DAPS and Generalizations"

Oliver Anderson
5 years ago
Views:

1 Lattice-based DAPS and Generalizations Dan Boneh, Sam Kim, Valeria Nikolaenko Stanford University July 11, 2017

2 Certificate Authorities

3 Certificate Authorities

4 Certificate Authorities

5 Certificate Authorities

6 Signatures For many scenarios, signers are trusted to make unique bindings Certificate Authorities Time Stamping Authorities

7 Signatures For many scenarios, signers are trusted to make unique bindings Certificate Authorities Time Stamping Authorities But traditional digital signatures impose no uniqueness condition

8 Signatures For many scenarios, signers are trusted to make unique bindings Certificate Authorities Time Stamping Authorities But traditional digital signatures impose no uniqueness condition Often times, signers are coerced into making fake certificates (double-signing)

9 Signatures For many scenarios, signers are trusted to make unique bindings Certificate Authorities Time Stamping Authorities But traditional digital signatures impose no uniqueness condition Often times, signers are coerced into making fake certificates (double-signing) What can we do in these type of situations?

10 Signatures For many scenarios, signers are trusted to make unique bindings Certificate Authorities Time Stamping Authorities But traditional digital signatures impose no uniqueness condition Often times, signers are coerced into making fake certificates (double-signing) What can we do in these type of situations? Are there mechanisms to really force the CA to act honestly even in the face of coercion?

11 Double Signing There are mechanisms to detect when a CA issues a fake certificate Certificate Transparency (CT) [LLK15] CONIKS [MBB+15]

12 Double Signing There are mechanisms to detect when a CA issues a fake certificate Certificate Transparency (CT) [LLK15] CONIKS [MBB+15] However, often times punishment not so severe A period of bad publicity

13 Double Signing There are mechanisms to detect when a CA issues a fake certificate Certificate Transparency (CT) [LLK15] CONIKS [MBB+15] However, often times punishment not so severe A period of bad publicity Consequences not severe enough to prevent legal coercion

14 Double Signing There are mechanisms to detect when a CA issues a fake certificate Certificate Transparency (CT) [LLK15] CONIKS [MBB+15] However, often times punishment not so severe A period of bad publicity Consequences not severe enough to prevent legal coercion Can we make the consequences more severe such that the CA can use it as an argument against coercion?

15 DAPS Double Authentication Preventing Signatures (DAPS) [PS14]

16 DAPS Double Authentication Preventing Signatures (DAPS) [PS14] Message of them form (subj, payload)

17 DAPS Double Authentication Preventing Signatures (DAPS) [PS14] Message of them form (subj, payload) Signatures of (subj, payload 1 ), (subj, payload 2 ) leaks signing key

18 DAPS Double Authentication Preventing Signatures (DAPS) [PS14] Message of them form (subj, payload) Signatures of (subj, payload 1 ), (subj, payload 2 ) leaks signing key CA uses as self-enforcement

19 DAPS Double Authentication Preventing Signatures (DAPS) [PS14] Message of them form (subj, payload) Signatures of (subj, payload 1 ), (subj, payload 2 ) leaks signing key CA uses as self-enforcement CA will use DAPS as a justification to resist coercion

20 Legal Coercion

21 Legal Coercion

22 Legal Coercion

23 Right Notion? Q : What if Facebook happens to accidentally lose its certificate?

24 Right Notion? Q : What if Facebook happens to accidentally lose its certificate? A : Use short-lived certificates

25 Right Notion? Q : What if Facebook happens to accidentally lose its certificate? A : Use short-lived certificates Q : What if agency simply coerces another CA to issue a certificate for facebook.com?

26 Right Notion? Q : What if Facebook happens to accidentally lose its certificate? A : Use short-lived certificates Q : What if agency simply coerces another CA to issue a certificate for facebook.com? A : Use certificate pinning

27 Right Notion? Q : What if Facebook happens to accidentally lose its certificate? A : Use short-lived certificates Q : What if agency simply coerces another CA to issue a certificate for facebook.com? A : Use certificate pinning Q : What if Facebook wishes to use a different certificate for each server?

28 Right Notion? Q : What if Facebook happens to accidentally lose its certificate? A : Use short-lived certificates Q : What if agency simply coerces another CA to issue a certificate for facebook.com? A : Use certificate pinning Q : What if Facebook wishes to use a different certificate for each server? A : Use intermediate CA s

29 Right Notion? Q : What if Facebook happens to accidentally lose its certificate? A : Use short-lived certificates Q : What if agency simply coerces another CA to issue a certificate for facebook.com? A : Use certificate pinning Q : What if Facebook wishes to use a different certificate for each server? A : Use intermediate CA s There are other holes in the argument (but that is not the point!)

30 DAPS Formulation Setup (sk, vk) Sign(sk, msg) σ Verify(vk, msg, σ) 0/1

31 DAPS Formulation Setup (sk, vk) Sign(sk, (subj, payload)) σ Verify(vk, msg, σ) 0/1 Extract((subj, payload 1 ), σ 1, (subj, payload 2 ), σ 2 ) sk

32 Results Previously, [PS14] construct DAPS from the hardness of factoring

33 Results Previously, [PS14] construct DAPS from the hardness of factoring This Work: Construct DAPS from lattices (SIS) Provide generalization of DAPS Extend to multi-authority setting

34 SIS Let n, m, q, β be appropriately chosen positive integers. Short Integer Solutions (SIS) Problem Given a uniformly random matrix A Z n m q, find short a nonzero u Z m such that A u = 0.

35 SIS Let n, m, q, β be appropriately chosen positive integers. Inhomogeneous SIS Problem Given a uniformly random matrix A Zq n m, and a vector v Z n q, find a short nonzero u Z m such that A u = v.

36 SIS Let n, m, q, β be appropriately chosen positive integers. Inhomogeneous SIS Problem Given a uniformly random matrix A Zq n m, and a vector v Z n q, find a short nonzero u Z m such that A u = v. Nice properties: Solving SIS results in solving worst-case lattice problems! Possible to generate A with a trapdoor td such that SIS easy to solve

37 GPV Signatures Signature scheme using hash-and-sign [GPV08] vk = A sk = td Sign(sk, msg): Hash v = H(msg) Z n q and compute σ = u such that A u = v Verify(vk, msg, σ): Verify that A u = v and u short.

38 Gadget trapdoors Let G be a special gadget matrix where SIS easy ( Find short u such that G u = v )

39 Gadget trapdoors Let G be a special gadget matrix where SIS easy ( Find short u such that G u = v ) Trapdoor td for A defined as a short, full-rank matrix R such that A R = H G for any invertible matrix H Z n n q.

40 Gadget trapdoors Let G be a special gadget matrix where SIS easy ( Find short u such that G u = v ) Trapdoor td for A defined as a short, full-rank matrix R such that A R = H G for any invertible matrix H Z n n q. To sample pre-image u: 1. Sample short ũ such that G ũ = v 2. Let u = R ũ. Then Au = A R ũ = v In the real scheme, must take care of distributional issues

41 FRD Encodings Full-Rank Difference (FRD) encoding: Encoding function H FRD : Z n q GL(Z n n q ) For any two distinct vectors u, v, the matrix H FRD (u) H FRD (v) is full rank

42 DAPS Construction Fix a hash function H and FRD encoding H FRD. vk = A, sk = td Sign(sk, (subj, payload)): 1. V = H(subj) Z n m q 2. H = H FRD (payload) Zq n n 3. Let σ = U be a short matrix U such that A U + H G = V Verify(vk, (subj, payload), σ): Verify the relation A U + H G = V and check U short

43 DAPS Construction Extract((subj, payload 1 ), σ 1, (subj, payload 2 ), σ 2 ): We have two signatures σ 1 = U 1, σ 2 = U 2 such that A U 1 + H FRD (payload 1 ) G = H(subj) A U 2 + H FRD (payload 2 ) G = H(subj)

44 DAPS Construction Extract((subj, payload 1 ), σ 1, (subj, payload 2 ), σ 2 ): We have two signatures σ 1 = U 1, σ 2 = U 2 such that A U 1 + H 1 G = V A U 2 + H 2 G = V

45 DAPS Construction Extract((subj, payload 1 ), σ 1, (subj, payload 2 ), σ 2 ): We have two signatures σ 1 = U 1, σ 2 = U 2 such that A (U 1 U 2 ) = (H 2 H 1 )G

46 DAPS Construction Extract((subj, payload 1 ), σ 1, (subj, payload 2 ), σ 2 ): We have two signatures σ 1 = U 1, σ 2 = U 2 such that A (U 1 U }{{} 2 ) = (H 2 H 1 )G short

47 DAPS Construction Extract((subj, payload 1 ), σ 1, (subj, payload 2 ), σ 2 ): We have two signatures σ 1 = U 1, σ 2 = U 2 such that A (U 1 U 2 ) = (H 2 H }{{} 1 )G full-rank

48 DAPS Construction Extract((subj, payload 1 ), σ 1, (subj, payload 2 ), σ 2 ): We have two signatures σ 1 = U 1, σ 2 = U 2 such that A (U 1 U 2 ) = (H 2 H }{{} 1 )G full-rank The matrix (U 1 U 2 ) trapdoor for A

49 Predicate Authentication Preventing Signatures Setup (sk, vk) Sign(sk, msg) σ Verify(vk, msg, σ) 0/1 Extract((msg 1, σ 1 ),..., (msg t, σ t )) sk Extraction succeeds if φ(msg 1,..., msg t ) = 1

50 Predicate Authentication Preventing Signatures Setup (sk, vk) Sign(sk, msg) σ Verify(vk, msg, σ) 0/1 Extract((msg 1, σ 1 ),..., (msg t, σ t )) sk Extraction succeeds if φ(msg 1,..., msg t ) = 1 DAPS is a special case for predicate φ((subj 1,payload 1 ), (subj 2, payload 2 )) = { 1 subj1 = subj 2 payload 1 payload 2 0 Otherwise

51 Open Problems Theoretical: Can we construct PAPS for more general circuit classes? Practical: What are some practical holes for implementing DAPS in the real world?

52 Open Problems Theoretical: Can we construct PAPS for more general circuit classes? Practical: What are some practical holes for implementing DAPS in the real world? Thanks!

Enforcing honesty of certification authorities: Tagged one-time signature schemes

Enforcing honesty of certification authorities: Tagged one-time signature schemes Information Security Group Royal Holloway, University of London bertram.poettering@rhul.ac.uk Stanford, January 11, 2013