Schnorr Signature. Schnorr Signature. October 31, 2012

Transcription

1 . October 31, 2012

2 Table of contents Salient Features Preliminaries Security Proofs Random Oracle Heuristic PKS and its Security Models Hardness Assumption The Construction Oracle Replay Attack Security Proof Forking Lemma

3 Salient Features - Salient Features Derived from Schnorr identification scheme through Fiat-Shamir transformation Based on the DLP Security argued using oracle replay attacks Uses the random oracle heuristic

4 Preliminaries PRELIMINARIES

5 Preliminaries Security Proofs Proof through Contradiction Consider a protocol P based on a hard problem Π

6 Preliminaries Security Proofs Proof through Contradiction Consider a protocol P based on a hard problem Π Aim: Π is hard = P is not breakable

7 Preliminaries Security Proofs Proof through Contradiction Consider a protocol P based on a hard problem Π Aim: Π is hard = P is not breakable P is breakable = Π is not hard B Π Π P C P A

8 Preliminaries Security Proofs Proof through Contradiction Consider a protocol P based on a hard problem Π Aim: Π is hard = P is not breakable P is breakable = Π is not hard B Π Π P C P A Since Π is assumed to be hard, this leads to a contradiction.

9 Preliminaries Security Proofs Security Model Lays down the schema to be followed for giving security proofs Described using a game between a challenger C and an adversary A C P P A C simulates the protocol environment for A A wins the game if it solves the challenge given by C

10 Preliminaries Random Oracle Heuristic Random Oracles Heuristic aimed at simplifying security proofs of protocols involving hash functions. In proofs, the hash function modelled as a truly random function under the control of the challenger. A given oracle access to this function.

11 Preliminaries Random Oracle Heuristic Random Oracles Heuristic aimed at simplifying security proofs of protocols involving hash functions. In proofs, the hash function modelled as a truly random function under the control of the challenger. A given oracle access to this function. P H

12 Preliminaries Random Oracle Heuristic Random Oracles Heuristic aimed at simplifying security proofs of protocols involving hash functions. In proofs, the hash function modelled as a truly random function under the control of the challenger. A given oracle access to this function. P H P C H P A

13 Preliminaries Random Oracle Heuristic Random Oracles Heuristic aimed at simplifying security proofs of protocols involving hash functions. In proofs, the hash function modelled as a truly random function under the control of the challenger. A given oracle access to this function. P H P C H P A Proofs without random oracles preferred.

14 Preliminaries PKS and its Security Models PUBLIC-KEY SIGNATURES AND ITS SECURITY MODELS

15 Preliminaries PKS and its Security Models Definition Public-Key Signature An PKS scheme consists of three PPT algorithms {K, S, V } -

16 Preliminaries PKS and its Security Models Definition Public-Key Signature An PKS scheme consists of three PPT algorithms {K, S, V } - Key Generation: Used by the user to generate the public-private key pair (pk, sk) pk is published and the sk kept secret Run on a security parameter κ (pk, sk) $ K(κ)

17 Preliminaries PKS and its Security Models Definition Public-Key Signature An PKS scheme consists of three PPT algorithms {K, S, V } - Key Generation: Used by the user to generate the public-private key pair (pk, sk) pk is published and the sk kept secret Run on a security parameter κ (pk, sk) $ K(κ) Signing: Used by the user to generate signature on some message m The secret key sk used for signing σ $ S(sk, m)

18 Preliminaries PKS and its Security Models Definition Public-Key Signature An PKS scheme consists of three PPT algorithms {K, S, V } - Key Generation: Used by the user to generate the public-private key pair (pk, sk) pk is published and the sk kept secret Run on a security parameter κ (pk, sk) $ K(κ) Signing: Used by the user to generate signature on some message m The secret key sk used for signing Verification: σ $ S(sk, m) Outputs 1 if σ is a valid signature on m; else, outputs 0 result V (σ, m, pk)

19 Preliminaries PKS and its Security Models Definition EU-NMA Existential unforgeability under no-message attack

20 Preliminaries PKS and its Security Models Definition EU-NMA Existential unforgeability under no-message attack Challenger C generates key-pair (pk, sk).

21 Preliminaries PKS and its Security Models Definition EU-NMA Existential unforgeability under no-message attack Challenger C generates key-pair (pk, sk).

22 Preliminaries PKS and its Security Models Definition EU-NMA Existential unforgeability under no-message attack Challenger C generates key-pair (pk, sk). Forgery Adversary A wins if ˆσ is a valid signature on ˆm. pk C EU-NMA A (ˆσ, ˆm)

23 Preliminaries PKS and its Security Models Definition EU-NMA Existential unforgeability under no-message attack Challenger C generates key-pair (pk, sk). Forgery Adversary A wins if ˆσ is a valid signature on ˆm. pk C EU-NMA A (ˆσ, ˆm) Adversary s advantage in the game: [ ] Pr 1 V (ˆσ, ˆm, pk) (sk, pk) $ K(κ); (ˆσ, ˆm) $ A(pk)

24 Preliminaries PKS and its Security Models Definition EU-CMA Existential unforgeability under chosen-message attack Challenger C generates key-pair (pk, sk). Signature Queries Access to a signing oracle O Forgery Adversary A wins if ˆσ is a valid signature on ˆm. A has not made a signature query on ˆm. C O pk EU-CMA (ˆσ, ˆm) Adversary s advantage in the game: [ ] Pr 1 V (ˆσ, ˆm, pk) (sk, pk) $ K(κ); (ˆσ, ˆm) $ A O (pk) A

25 Preliminaries Hardness Assumption Hardness Assumption: Discrete-log Assumption Discrete-log problem for a group G = g and G = p DLP C (G, g, p, g α ) α DLP A

26 Preliminaries Hardness Assumption Hardness Assumption: Discrete-log Assumption Discrete-log problem for a group G = g and G = p DLP C (G, g, p, g α ) α DLP A Definition The DLP in G is to find α given g α, where α R Z p. An adversary A has advantage ɛ in solving the DLP if Pr [ α R Z p ; α A(G, p, g, g α ) α = α ] ɛ. The (ɛ, t)-discrete-log assumption holds in G if no adversary has advantage at least ɛ in solving the DLP in time at most t.

27 SCHNORR SIGNATURE

28 The Construction The Setting. 1. We work in group G = g of prime order p. 2. A hash function H is used. H : {0, 1} Z p

29 The Construction The Setting. 1. We work in group G = g of prime order p. 2. A hash function H is used. H : {0, 1} Z p Key Generation. K(κ): 1. Select z R Z p as the secret key sk 2. Set Z := g z as the public key pk

30 The Construction The Setting. 1. We work in group G = g of prime order p. 2. A hash function H is used. H : {0, 1} Z p Key Generation. K(κ): 1. Select z R Z p as the secret key sk 2. Set Z := g z as the public key pk Signing. S(m, sk): 1. Let sk = z. Select r R Z p, set R := g r and c := H(m, R). 2. The signature on m is σ := (y, R) where y := r + zc

31 The Construction Verification. V (σ, m): 1. Let σ = (y, R) and c = H(m, R). 2. σ is valid if g y = RZ c

32 The Construction Security of : An Intuition Consider an adversary A with ability to launch chosen-message attack on the Schnorr signature. Let {σ 1,..., σ n } with σ i = (r i + zc i, R i ) on m i be the signatures that A receives.

33 The Construction Security of : An Intuition Consider an adversary A with ability to launch chosen-message attack on the Schnorr signature. Let {σ 1,..., σ n } with σ i = (r i + zc i, R i ) on m i be the signatures that A receives. r c c 1 r = r c n n z y 1 y 2. r n

34 The Construction Security of : An Intuition However, A can solve for x if it gets two equations containing the same r but different c, i.e. y 1 = r + zc 1 and y 2 = r + zc 2 implies z = y 1 y 2 c 1 c 2

35 Oracle Replay Attack ORACLE REPLAY ATTACK

36 Oracle Replay Attack The Oracle Replay Attack Recall the random oracle methodology. P H P C Q i P A H s i

37 Oracle Replay Attack The Oracle Replay Attack Recall the random oracle methodology. P H P C Q i P A H s i s 1 Q 1 Q 2 Q I s I s γ Q I +1 Q γ Run 0

38 Oracle Replay Attack The Oracle Replay Attack Recall the random oracle methodology. P H P C Q i P A H s i s 1 Q 1 Q 2 Q I s I s γ Q I +1 Q γ Run 0 s I Q I +1 Q γ Run 1 s γ The simulation carried out during Run 1 (from query Q i ) using a different random function

39 Oracle Replay Attack Security of in EU-NMA Consider the simpler model of existential unforgeability under no-message attack (EU-NMA) C gives the challenge public key pk := (G, g, p, g α ) to A A not allowed signature queries; forges on a message ˆm A also allowed access to an H-oracle {Q 1,..., Q γ } DLP B = (G, g, p, g α ) α DLP C SS H pk := EU-NMA ˆσ = (ŷ, ˆR) SS A

40 Security Proof Security of in EU-NMA DLP B = (G, g, p, g α ) α DLP C SS H pk := EU-NMA ˆσ = (ŷ, ˆR) SS A Q 0 I : H( ˆm 0, ˆR 0 ) = c 0 s 0 I s 0 γ Q 0 I +1 Q 0 γ ˆσ 0 = (ŷ 0 = ˆr 0 + αc 0, ˆR 0 ) s Q Q 0 2 Q 0 I

41 Security Proof Security of in EU-NMA DLP B = (G, g, p, g α ) α DLP C SS H pk := EU-NMA ˆσ = (ŷ, ˆR) SS A Q 0 I : H( ˆm 0, ˆR 0 ) = c 0 and Q φ J : H( ˆm 1, ˆR 1 ) = c 1 s 0 I s 0 γ Q 0 I +1 Q 0 γ ˆσ 0 = (ŷ 0 = ˆr 0 + αc 0, ˆR 0 ) s 0 1 Q 0 1 Q 0 2 Q 0 I s 1 I Q 1 I +1 Q 1 γ ˆσ 1 = (ŷ 1 = ˆr 1 + αc 1, ˆR 1 ) s 1 γ

42 Security Proof Security of in EU-NMA DLP B = (G, g, p, g α ) α DLP C SS H pk := EU-NMA ˆσ = (ŷ, ˆR) SS A J = I = ˆm 1 = ˆm 0 ˆR 1 = ˆR 0 s 0 I s 0 γ Q 0 I +1 Q 0 γ ˆσ 0 = (y 0 = r 0 + αc 0, R 0 ) s 0 1 Q 0 1 Q 0 2 Q 0 I s 1 I Q 1 I +1 Q 1 γ ˆσ 1 = (y 1 = r 0 + αc 1, R 0 ) s 1 γ

43 Security Proof Security of in EU-NMA DLP B = (G, g, p, g α ) α DLP C SS H pk := EU-NMA ˆσ = (ŷ, ˆR) SS A J = I = ˆm 1 = ˆm 0 ˆR 1 = ˆR 0 and α = (ŷ 0 ŷ 1 )/(c 0 c 1 ) s 0 I s 0 γ Q 0 I +1 Q 0 γ ˆσ 0 = (y 0 = r 0 + αc 0, R 0 ) s 0 1 Q 0 1 Q 0 2 Q 0 I s 1 I Q 1 I +1 Q 1 γ ˆσ 1 = (y 1 = r 0 + αc 1, R 0 ) s 1 γ

44 Security Proof Security in the Full Model DLP B = (G, g, p, g α ) α DLP C SS O, H pk := EU-CMA ˆσ = (ŷ, ˆR) SS A Signature query. O(m)

45 Security Proof Security in the Full Model DLP B = (G, g, p, g α ) α DLP C SS O, H pk := EU-CMA ˆσ = (ŷ, ˆR) SS A Signature query. O(m) Signature for m is of form σ = (r + αc, g r ), where c = H(m, g r ).

46 Security Proof Security in the Full Model DLP B = (G, g, p, g α ) α DLP C SS O, H pk := EU-CMA ˆσ = (ŷ, ˆR) SS A Signature query. O(m) Signature for m is of form σ = (r + αc, g r ), where c = H(m, g r ). But, we don t know α!

47 Security Proof Security in the Full Model DLP B = (G, g, p, g α ) α DLP C SS O, H pk := EU-CMA ˆσ = (ŷ, ˆR) SS A Signature query. O(m) Signature for m is of form σ = (r + αc, g r ), where c = H(m, g r ). But, we don t know α! Problem solved using Boneh-Boyen algebraic technique: Select c, s R Z p and set r = αc + s. Program the random oracle to set c = H(m, g r ) and send (s, g r ) as the signature.

48 Security Proof FORKING LEMMA

49 Forking Lemma Forking Algorithm The oracle replay attack formalised through the forking algorithm Algorithm 1 F Y (x) Pick coins ρ for Y at random s 0 1,..., s0 γ R S; (I 0, σ 0 ) $ Y (x, s 0 1,..., s0 γ; ρ) [Run 0] s 1 I 0,..., s 1 γ R S; (I 1, σ 1 ) $ Y (x, s 0 1,..., s0 I 0 1, s1 I 0,..., s 1 γ; ρ) [Run 1] if (I 0 > 0 I 1 = I 0 s 1 I 0 s 0 I 0 ) then return (1, σ 0, σ 1 ) else return (0,, ) end if

50 Forking Lemma The Forking Lemma The forking lemma gives a lower bound on the success probability of the oracle replay attack (frk) in terms of the success probability of the adversary during a particular run (acc).

51 Forking Lemma The Forking Lemma The forking lemma gives a lower bound on the success probability of the oracle replay attack (frk) in terms of the success probability of the adversary during a particular run (acc). To be precise, ( acc frk acc γ 1 ) p

52 Forking Lemma The Forking Lemma The forking lemma gives a lower bound on the success probability of the oracle replay attack (frk) in terms of the success probability of the adversary during a particular run (acc). To be precise, ( acc frk acc γ 1 ) p s 1 Q 1 Q 2 Q I s I s γ Q I +1 Q γ Run 0 s I Q I +1 Q γ Run 1 s γ

53 Forking Lemma Theorem Theorem If A is an adversary with advantage ɛ against the Schnorr signature scheme, in the setting (G, g, p), then we can construct an algorithm B that solves the DLP with advantage ( ɛ ɛ ɛ γ 1 ) p provided H is modelled as a random oracle with an upper bound of q H queries.

54 Forking Lemma Related Literature 1. Mihir Bellare and Gregory Neven. Multi-signatures in the plain public-key model and a general forking lemma. 2. David Pointcheval and Jacques Stern. Security arguments for digital signatures and blind signatures. 3. Sanjam Garg, Raghav Bhaskar, and Satyanarayana V. Lokam. Improved bounds on security reductions for discrete log based signatures. 4. Yannick Seurin. On the exact security of Schnorr-type signatures in the random oracle model.

55 Forking Lemma QUESTIONS?

56 Forking Lemma THANK YOU!