Revisiting the security model for aggregate signature schemes


Revisiting the security model for aggregate signature schemes

by Marie-Sarah Lacharité

A thesis presented to the University of Waterloo in fulfillment of the thesis requirement for the degree of Master of Mathematics in Combinatorics and Optimization

Waterloo, Ontario, Canada, 2014

© Marie-Sarah Lacharité 2014

Author's Declaration

I hereby declare that I am the sole author of this thesis. This is a true copy of the thesis, including any required final revisions, as accepted by my examiners. I understand that my thesis may be made electronically available to the public.

Abstract

Aggregate signature schemes combine the digital signatures of multiple users on different messages into one single signature. The Boneh-Gentry-Lynn-Shacham (BGLS) aggregate signature scheme is one such scheme, based on pairings, where anyone can aggregate the signatures in any order. We suggest improvements to its current chosen-key security model. In particular, we argue that the scheme should be resistant to attackers that can adaptively choose their target users, and either replace other users' public keys or expose other users' private keys. We compare these new types of forgers to the original targeted-user forger, building up to the stronger replacement-and-exposure forger. Finally, we present a security reduction for a variant of the BGLS aggregate signature scheme with respect to this new notion of forgery. Recent attacks by Joux and others on the discrete logarithm problem in small-characteristic finite fields dramatically reduced the security of many type I pairings. Therefore, we explore security reductions for BGLS with type III rather than type I pairings. Although our reductions are specific to BGLS, we believe that other aggregate signature schemes could benefit from similar changes to their security models.

Acknowledgements

Thank you to my supervisor, Alfred Menezes, for his excellent guidance as I wrote this thesis. I appreciate his encouragement and patience. I am also thankful to Edlyn Teske-Wilson and David Jao, the other members of my Reading Committee, for their insightful comments. I am also grateful for the financial support of the Department of Combinatorics and Optimization and the Ontario Ministry of Training, Colleges, and Universities, in the form of an Ontario Graduate Scholarship.

Table of Contents

List of Figures vi
1 Introduction
  1.1 Notation and useful mathematical results
2 Background
  2.1 Digital signatures
  2.2 Elliptic curves and pairings
  2.3 Diffie-Hellman problems
  2.4 The importance of tightness
3 BLS and BGLS signatures
  3.1 BLS short signature scheme
  BGLS aggregate signatures
  Why should messages be distinct?
  Original security definition
4 Improving aggregate signature security definitions
  Comparison to other signature schemes' security models
  Forgers that can expose other users' private keys
  Forgers that can replace other users' public keys
  Is exposure forgery or replacement forgery easier?
5 A new aggregate forgery problem
  New security reduction for BGLS
Conclusion 62
References 64

List of Figures

2.1 Reduction from problem A to problem B
Security of BLS with type III pairing
Capabilities and goals of a targeted-user forger
Security of BGLS with type III pairing
Tightness gaps in reductions among types of aggregate signature forgery
Capabilities and goals of an exposure forger
Reduction from exposure forgery to targeted-user forgery
Reduction from targeted-user forgery to exposure forgery
Capabilities and goals of a replacement forger
Reduction from replacement forgery to targeted-user forgery
Reduction from targeted-user forgery to replacement forgery
Reduction from exposure forgery to replacement forgery
Reduction from replacement forgery to exposure forgery
Capabilities and goals of a replacement-and-exposure forger
Reduction from exposure forgery to replacement-and-exposure forgery
Reduction from replacement forgery to replacement-and-exposure forgery
Security of BGLS-KW with type III pairing, new security model

Chapter 1
Introduction

Reductions give us confidence in the security of cryptographic schemes, but they are not simple to interpret. The tightness of a reduction from solving a primitive to breaking a protocol indicates how much of the primitive's hardness is inherited by the protocol. If the reduction is not tight, then its security guarantee is weak: breaking the protocol takes only some fraction of the work required to solve the primitive. This thesis examines two aspects of security reductions: tightness of the reduction and what it means for an adversary to break the scheme. We examine not only reductions from solving primitives to breaking protocols, but also reductions among different ways of breaking protocols.

Good security definitions are important: they specify what capabilities attackers have and what they must accomplish to break a protocol. The best security definitions typically assume that adversaries have strong capabilities and weak goals. For instance, a secure digital signature scheme must be existentially unforgeable under adaptive chosen-message attack, a secure message authentication code (MAC) scheme must be existentially unforgeable under adaptive chosen-message attack, and a secure public-key encryption scheme must be indistinguishable under adaptive chosen-ciphertext attack. These definitions are all in the single-user setting: we assume that only one user is signing messages, only one pair of users is tagging messages, and only one user is receiving encrypted messages. In the multi-user setting, security definitions become more complex. In this thesis, we explore types of attackers for a scheme that is naturally in the multi-user setting, the Boneh-Gentry-Lynn-Shacham (BGLS) aggregate signature scheme. Its security is based on solving the modified computational co-Diffie-Hellman (co-CDH*) problem in the domain groups of a pairing. In the original security model, an attacker receives one public key to target and can choose the public keys of any other users in its forged signature.
Most signature schemes have security models where attackers do not choose their target users. We believe these security models are not as strong as they could be.

The thesis is organized as follows. In Chapter 2, we review digital signature schemes, elliptic curves, and pairings, which act on groups of points on elliptic curves. We justify our decision to consider only type III pairings and define some Diffie-Hellman problems, including

the co-CDH* problem that is the primitive for the BGLS aggregate signature scheme. The chapter ends with observations about why the tightness of a reduction is important. Chapter 3 reviews the BLS signature scheme and BGLS aggregate signature scheme. We discuss the authors' requirement for distinct messages in an aggregate signature and then present the original BGLS security reduction. In Chapter 4, we examine existing security definitions for other aggregate signature schemes and related schemes, such as multi-signatures. Then, we begin exploring other types of BGLS forgers. First, we examine aggregate forgers that can choose their target users and expose other users' private keys. Next, we examine aggregate forgers that can choose their target users and replace the public keys of any other users. The chapter concludes with a section comparing these two types of attackers. In Chapter 5, we present our new security definition, based on resistance to a forger with the combined capabilities of the exposure and replacement forgers from the previous chapter. We present a security reduction for BGLS aggregate signatures with respect to this type of forgery.

1.1 Notation and useful mathematical results

In this section, we state two useful results and summarize our notation. First,

$$\arg\max_x \{ x(1-x)^{n-1} \} = \frac{1}{n}. \qquad (1.1)$$

We use this optimal value of x to maximize success probabilities in reductions. The derivative

$$\frac{d}{dx}\Big( x(1-x)^{n-1} \Big) = (1-x)^{n-2}\big(1 - x - (n-1)x\big)$$

equals 0 when x = 1 or 1 = nx. Second,

$$e^x = \lim_{n\to\infty}\Big(1 + \frac{x}{n}\Big)^n. \qquad (1.2)$$

In particular, $e^{-1} = \lim_{n\to\infty}\big(1 - \frac{1}{n}\big)^n$, and this limit converges rapidly. We use this approximation of powers of e when analyzing the success probability of reductions.

Finally, we briefly list some of our notation.

[n] is the set of positive integers $\{1, \ldots, n\}$.

$a \in_R B$ means that the element a is chosen uniformly and randomly from the set B.
$h(\cdot)$ is a hash function.
H is a hashing oracle.
$S_i$ is a signing oracle for user i.
$e(\cdot, \cdot)$ is a pairing.
e is Euler's number, the base of the natural logarithm.
P and Q are probabilities.
p and q are primes.
$1_G$ is the identity of the group G.
$\langle g \rangle$ is the group generated by g.
$T_m$ and $T_e$ are the times required to perform multiplication and exponentiation in a given group or groups.
$(x, y) = (g_1^z, g_2^z)$ is a public key in the BLS or BGLS signature schemes with type III pairings. The corresponding private key is z.
$(u, v) = (g_1^w, g_2^w)$ is a public key that was chosen by a forger in the BLS scheme with type III pairings, or replaced by a forger in the BGLS scheme with type III pairings. The corresponding private key is w.
$(x', y') = (g_1^{z'}, g_2^{z'})$ is a public key that may have been modified in some way. For instance, it could represent a public key after interacting with a forger that can replace keys. It could also represent a key created by one forger, possibly as a function of a key it received, to give to another forger. The corresponding private key is $z'$.
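The derivation behind (1.1), together with the bound that (1.2) gives for the resulting success probability, carried through as an added worked example (not part of the thesis text):

$$\frac{d}{dx}\Big( x(1-x)^{n-1} \Big) = (1-x)^{n-1} - (n-1)\,x\,(1-x)^{n-2} = (1-x)^{n-2}\,(1 - nx).$$

For $0 < x < 1$ the factor $(1-x)^{n-2}$ is positive, so the derivative is positive for $x < 1/n$ and negative for $x > 1/n$; the unique maximum on $(0,1)$ is at $x = 1/n$, which is (1.1). Substituting this value,

$$\max_{0<x<1} x(1-x)^{n-1} = \frac{1}{n}\Big(1 - \frac{1}{n}\Big)^{n-1} = \frac{1}{n}\cdot\frac{1}{\big(1 + \frac{1}{n-1}\big)^{n-1}} > \frac{1}{en} \quad (n \ge 2),$$

because $\big(1 + \frac{1}{m}\big)^m$ increases to $e$ by (1.2) and never reaches it. So a reduction that succeeds with probability $x(1-x)^{n-1}$ and chooses $x = 1/n$ succeeds with probability at least $1/(en)$, which is the factor $en$ that reappears in tightness gaps later in the thesis.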

Chapter 2
Background

Digital signatures are ubiquitous online. Every time an SSL connection is established between a client and a server, the client verifies the server's identity by verifying its certificate: it checks the validity of a signature by a certificate authority on the server's identity and public key.

2.1 Digital signatures

In this section, we introduce digital signature schemes and what it means for them to be secure, using RSA-FDH signatures as an example. The security reduction for RSA-FDH signatures is very similar to the security reduction for BLS signatures, which form the basis of the BGLS aggregate signature scheme.

A digital signature, like its written equivalent, verifies the origin of a message or indicates approval of a document. Anyone can verify the authenticity of a signature on paper, but only one person can create it. Diffie and Hellman proposed the first digital replacement, based on an abstract public-key cryptosystem constructed from a trapdoor function [15]. A trapdoor function is one that is easy to compute but hard to invert without knowledge of the trapdoor information. A trapdoor function can be the encryption function of a public-key encryption scheme, while the trapdoor information is the private key, which allows a user to decrypt messages. A signature scheme naturally arises from such an encryption scheme. To sign a message, a user decrypts it with its private key. To verify a signature, the receiver encrypts it with the sender's public key. This scheme was the first to provide a purely digital, unforgeable, message dependent signature [15]. Diffie and Hellman's description of digital signatures, or one-way authentication, was only a concept, but concrete schemes soon followed. Rivest, Shamir, and Adleman proposed RSA signatures at the same time as the RSA cryptosystem, in 1978 [29].
In the RSA cryptosystem and signature scheme, the modulus n is the product of two primes and the integers e and d are inverses of each other modulo $\varphi(n)$, where $\varphi(\cdot)$ denotes the Euler phi function. Messages are integers modulo n. The trapdoor function is the RSA function, exponentiation by e modulo n. The trapdoor information that allows inverting this function is d,

the private key. To encrypt a message, the sender raises it to the power of the receiver's public key e. To decrypt a message, the receiver raises it to the power of its own private key d. Since $m^{ed} \equiv m \pmod n$, the receiver obtains the message. To sign a message, the signer raises it to the power of its private key d. To verify the signature on a message, any user can raise it to the power of the purported signer's public key e. Again, since $m^{ed} \equiv m \pmod n$, the user will obtain the message if the signature is valid. The inventors of RSA stated that the security of the RSA cryptosystem and digital signature scheme rests in part on the difficulty of factoring the published divisor, n. They felt reasonably confident that [computing e-th roots modulo n without factoring n] is computationally intractable. Today, we call this problem the RSA problem or the eth-root problem, and solving it corresponds to forging a signature on a message or decrypting a message.

Ten years after the proposal of RSA signatures, Goldwasser, Micali, and Rivest formalized the notions of a digital signature scheme and what it means to break such a scheme [19]. We present a simplified version of their definition.

Definition 2.1. A digital signature scheme has the following components:
A message space, key space, and signature space.
A public, randomized key generation algorithm that receives a security parameter and returns a public-private key pair in the key space for that security parameter.
A signing algorithm that receives a message and a user's private key, and returns a signature by that user on that message.
A public verification algorithm that receives a signature, a message, and a user's public key, and outputs TRUE if the signature is valid for the message by that user, or FALSE otherwise.

A digital signature scheme is correct if the verification algorithm returns TRUE for any signature obtained from the signing algorithm. In a digital signature scheme, each user that wants to sign messages must have a public-private key pair.
Goldwasser, Micali, and Rivest also identified what it means to break a digital signature scheme [19].

Definition 2.2. A digital signature scheme is secure if it is resistant to existential forgery under adaptive chosen-message attack. A signature scheme is $(t, \varepsilon, q_h, q_s)$-secure against existential forgery under adaptive chosen-message attack if there is no adversary that breaks the scheme in time at most t with probability at least $\varepsilon$ and makes at most $q_h$ hashing queries and $q_s$ signing queries.

That is, no attacker that is given a public key can forge a single signature on any new message given access to an oracle that signs messages of its choice. The attacker may choose

which messages to give to the signing oracle based on its previous responses. This definition of security is strong because the adversary is powerful and it has a weak goal: it can mount a chosen-message attack and all it must do is forge a signature on any message of its choice. An attacker could have a stronger goal, such as selective forgery, universal forgery, or recovery of the private key. It could have fewer capabilities, such as receiving only some message-signature pairs, or having to choose which messages it will ask to be signed before seeing the user's public key. However, the strongest notion of security is against an attacker with the weakest goal and greatest capabilities.

The RSA signature scheme, as we described it earlier, is not resistant to existential forgery under chosen-message attack. An attacker can select an arbitrary signature $\sigma$ modulo n and compute its corresponding message $m = \sigma^e \bmod n$. Then, $\sigma$ is a valid forged signature on m. Efficiency is another problem: a bigger modulus is required to sign longer messages. One solution to these problems is to sign the hash of a message. In 1996, Bellare and Rogaway proved that any signature scheme based on a trapdoor permutation, such as the RSA function, is secure when message hashes are signed, provided the hash function is random and uniformly maps messages onto the domain of the signing function [7]. A trapdoor permutation is a bijective trapdoor function whose range is a permutation of its domain. In particular, the RSA signature scheme with a full-domain uniform hash function (RSA-FDH) is secure in the random oracle model.

The use of digital signatures in practice provokes many questions, such as how to combine multiple digital signatures to reduce their size or the verification time. How can we efficiently combine the signatures of many users on the same message or on many messages? Multisignature schemes solve the first problem. Aggregate signature schemes such as BGLS, which we focus on, solve the second problem.
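The existential forgery on raw RSA described above, beside the hash-then-sign fix, as an added Python example that is not part of the thesis. The key is a constructed toy built from two small well-known primes, and fdh_hash is a stand-in for a full-domain hash (SHA-256 reduced modulo n, which is not uniform over Z_n but does deny the attacker control of what gets exponentiated).

```python
"""Textbook RSA signatures beside a hash-then-sign variant (added example)."""
import hashlib
from math import gcd

# Constructed toy key. Real moduli are far larger; these sizes keep the arithmetic visible.
P_PRIME, Q_PRIME = 1000000007, 998244353
N = P_PRIME * Q_PRIME
PHI = (P_PRIME - 1) * (Q_PRIME - 1)
E = 65537
assert gcd(E, PHI) == 1
D = pow(E, -1, PHI)          # private exponent: e*d = 1 (mod phi(n)); Python 3.8+


def textbook_sign(m: int, d: int = D, n: int = N) -> int:
    """sigma = m^d mod n: the signer exponentiates the raw message."""
    return pow(m % n, d, n)


def textbook_verify(m: int, sigma: int, e: int = E, n: int = N) -> bool:
    """Accept iff sigma^e = m (mod n)."""
    return pow(sigma, e, n) == m % n


def existential_forgery(sigma: int, e: int = E, n: int = N):
    """The forgery the text describes: pick any sigma, then m = sigma^e mod n
    is a message on which sigma verifies. No private key is involved."""
    return pow(sigma, e, n), sigma


def fdh_hash(msg: bytes, n: int = N) -> int:
    """Stand-in full-domain hash (assumption: SHA-256 mod n, not a true
    uniform FDH). What matters here is that its output is not attacker-chosen."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def fdh_sign(msg: bytes, d: int = D, n: int = N) -> int:
    """Sign the hash of the message rather than the message itself."""
    return pow(fdh_hash(msg, n), d, n)


def fdh_verify(msg: bytes, sigma: int, e: int = E, n: int = N) -> bool:
    """Accept iff sigma^e = h(msg) (mod n). A forger's (sigma^e, sigma) pair is
    useless here: it would need a message whose hash equals sigma^e."""
    return pow(sigma, e, n) == fdh_hash(msg, n)


if __name__ == "__main__":
    m, sigma = existential_forgery(123456789)
    print("textbook RSA accepts the forged pair:", textbook_verify(m, sigma))
    s = fdh_sign(b"transfer 10")
    print("FDH accepts the honest signature:", fdh_verify(b"transfer 10", s))
    print("FDH accepts it on an altered message:", fdh_verify(b"transfer 100", s))
```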
Before introducing BLS signatures and BGLS aggregate signatures, we review the basics of elliptic curves and pairings.

2.2 Elliptic curves and pairings

An elliptic curve is a mathematical object often used in cryptography because its points form a group. In general, a curve is the set of points with coordinates in a certain field that satisfy an equation with coefficients in the same field. In this section, we first define elliptic curves as types of plane curves. Then, we transform projective coordinates to affine coordinates and present the reduced Weierstrass form for elliptic curves.

Definition 2.3. For any field K, the projective plane over K, $\mathbb{P}^2(K)$, is the set of equivalence classes of the relation $\sim$ on non-zero points in $K^3$, where $(a_1, a_2, a_3) \sim (b_1, b_2, b_3)$ if there exists an element x in K such that $a_i = x b_i$ for i = 1, 2, and 3. We denote the equivalence class containing (a, b, c) by (a : b : c) and call it a projective point.

Let $\bar{K}$ denote the algebraic closure of K and let L be any extension field of K, that is, any field such that $K \subseteq L \subseteq \bar{K}$. Next, we define a type of curve whose points are in the projective plane $\mathbb{P}^2(\bar{K})$.

Definition. A non-singular plane curve C of degree d over K is a curve defined by a homogeneous degree-d polynomial f in three variables, say x, y, and z, with coefficients in K, such that no point in $\mathbb{P}^2(\bar{K})$ on the curve is a solution to $\partial_x f = \partial_y f = \partial_z f = 0$. The set of points on C are all of the points $(x_0 : y_0 : z_0)$ in $\mathbb{P}^2(\bar{K})$ such that $f(x_0, y_0, z_0) = 0$.

Definition. The set of L-rational points C(L) on C comprises all points $(x_0 : y_0 : z_0)$ in $\mathbb{P}^2(L)$ such that $f(x_0, y_0, z_0) = 0$.

The points where the partial derivatives in the definition of a non-singular plane curve simultaneously vanish are singular points. We avoid them because they do not have well-defined tangent lines. Therefore, a non-singular curve is also called a smooth curve.

Definition 2.5. An elliptic curve over K is a cubic, non-singular plane curve over K, with a K-rational point on that curve.

Every elliptic curve over K is isomorphic to a curve in (projective) general Weierstrass form:

$$Y^2 Z + a_1 XYZ + a_3 YZ^2 = X^3 + a_2 X^2 Z + a_4 XZ^2 + a_6 Z^3$$

where $a_1, a_2, a_3, a_4$, and $a_6$ are elements of K and the point O, called the point at infinity, corresponds to (0 : 1 : 0). Although this thesis does not consider the problem of representing points on elliptic curves, we present the simplified general Weierstrass form by converting projective coordinates to affine coordinates. The projective point (a : b : c) is the set of all points $(a\lambda, b\lambda, c\lambda)$, where $\lambda$ is any non-zero element in the field K. If we set $\lambda = c^{-1}$, we can associate any projective point (a : b : c) with an affine point $(a', b') = (ac^{-1}, bc^{-1})$. We simply denote the point at infinity, (0 : 1 : 0), by O. Hence, we obtain the following alternate definition of an elliptic curve.

Definition. An elliptic curve E over K is the set of all non-zero points in $\bar{K}^2$ satisfying the non-singular equation

$$Y^2 + a_1 XY + a_3 Y = X^3 + a_2 X^2 + a_4 X + a_6,$$

where $a_1, a_2, a_3, a_4$, and $a_6$ are elements of K, together with the point at infinity.
Non-singularity requires that the partial derivatives do not simultaneously vanish at any point in $\bar{K}^2$ that is on the curve.

Definition. The set of L-rational points E(L) on E comprises the point at infinity and all points $(x_0, y_0)$ in $L^2$ that satisfy the curve's affine general Weierstrass equation.

For any extension field L of K, the set of L-rational points on an elliptic curve forms an abelian group with point addition as the group operation. The point at infinity is the group identity: adding any point to it results in that point. We present only a brief description of how to geometrically construct the sum of two affine points. First, construct a line through the two points, or a tangent line if doubling a point. This line intersects the curve at exactly one other point. Reflect this third point about the x-axis, i.e., negate its y-coordinate, to get the sum of the first two points. If the line through two points is vertical, then the third intersection point, their sum, is the point at infinity, whose inverse is itself.

The group of points on an elliptic curve is always isomorphic to the product of two cyclic groups. Suppose now that K and L are finite fields. The group of L-rational points on an elliptic curve over K is isomorphic to $\mathbb{Z}_{n_1} \times \mathbb{Z}_{n_2}$ where $n_2$ divides $n_1$ and $n_2$ divides $\#L - 1$. There is a special case of the discrete logarithm problem in groups of points on elliptic curves:

Definition 2.7. The elliptic curve discrete logarithm problem (ECDLP) in the subgroup $\langle P_1 \rangle$ generated by a point $P_1$ of order n is to find the integer l in [0, n − 1] such that $lP_1 = P_2$, given the base point $P_1$, its order n, and a point $P_2$ in $\langle P_1 \rangle$.

Elliptic curves are useful in cryptography because this problem is hard: the best-known generic attack on the ECDLP in a group of order n, Pollard's parallelized $\rho$ method, takes time $O(\sqrt{n})$ [30]. When the factorization of n is known, the time is proportional to the square root of n's largest prime factor.

Elliptic curves over finite fields are classified into two types, supersingular and ordinary, depending on whether the characteristic of the field divides a certain quantity relating the order of the field and the number of points on the curve.

Definition 2.8. The trace of Frobenius of the elliptic curve E(K) is $t = \#K + 1 - \#E(K)$ where $\#K$ is the order of the field and $\#E(K)$ is the number of K-rational points on the elliptic curve E.

If the field's characteristic does divide the trace of Frobenius, then the elliptic curve is supersingular. Otherwise, it is ordinary. We examine one final property of elliptic curves over finite fields.

Definition 2.9. Let E(K) be an elliptic curve and let p be a prime integer that divides $\#E(K)$ and is co-prime with $\#K$. The embedding degree k of E(K) with respect to p is the smallest positive integer k such that p divides $(\#K)^k - 1$.

Now that we have briefly examined how groups arise from elliptic curves, we look at pairings. We consider pairings based on the Weil or Tate pairings on elliptic curves over finite fields.
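To make the chord-and-tangent rule and Definitions 2.7 to 2.9 concrete, here is an added Python example that is not from the thesis. It assumes a curve in short Weierstrass form $y^2 = x^3 + ax + b$ over a prime field with characteristic larger than 3; the curve $y^2 = x^3 + 1$ over $\mathbb{F}_{11}$ is a constructed instance, and the brute-force routines assume q is small.

```python
"""Affine group law, point counting, trace of Frobenius, supersingularity and
embedding degree for y^2 = x^3 + a x + b over F_q (added example, toy sizes only)."""
from typing import List, Optional, Tuple

Point = Optional[Tuple[int, int]]   # None stands for the point at infinity O


class Curve:
    def __init__(self, a: int, b: int, q: int):
        # Assumption: q is a prime > 3, so the short Weierstrass form applies;
        # 4a^3 + 27b^2 != 0 is the non-singularity condition for this form.
        assert q > 3 and (4 * a ** 3 + 27 * b ** 2) % q != 0, "curve must be non-singular"
        self.a, self.b, self.q = a % q, b % q, q

    def on_curve(self, P: Point) -> bool:
        if P is None:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.q == 0

    def neg(self, P: Point) -> Point:
        return None if P is None else (P[0], (-P[1]) % self.q)

    def add(self, P: Point, Q: Point) -> Point:
        """Chord-and-tangent rule: the line through P and Q (tangent if P == Q)
        meets the curve in a third point, which is reflected in the x-axis.
        A vertical line means Q == -P, and the sum is O."""
        if P is None:
            return Q
        if Q is None:
            return P
        (x1, y1), (x2, y2), q = P, Q, self.q
        if x1 == x2 and (y1 + y2) % q == 0:
            return None
        if P == Q:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, q) % q   # tangent slope
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, q) % q               # chord slope
        x3 = (lam * lam - x1 - x2) % q
        y3 = (lam * (x1 - x3) - y1) % q
        return (x3, y3)

    def mul(self, k: int, P: Point) -> Point:
        """Scalar multiplication kP by double-and-add."""
        R, acc = None, P
        while k > 0:
            if k & 1:
                R = self.add(R, acc)
            acc = self.add(acc, acc)
            k >>= 1
        return R

    def points(self) -> List[Point]:
        """All F_q-rational points, including O (brute force over F_q x F_q)."""
        pts: List[Point] = [None]
        for x in range(self.q):
            rhs = (x ** 3 + self.a * x + self.b) % self.q
            pts.extend((x, y) for y in range(self.q) if (y * y) % self.q == rhs)
        return pts

    def order(self) -> int:                  # #E(F_q)
        return len(self.points())

    def trace_of_frobenius(self) -> int:     # Definition 2.8: t = #K + 1 - #E(K)
        return self.q + 1 - self.order()

    def is_supersingular(self) -> bool:      # the characteristic divides t
        return self.trace_of_frobenius() % self.q == 0

    def embedding_degree(self, p: int) -> int:
        """Definition 2.9: smallest k >= 1 with p | q^k - 1, for a prime p that
        divides #E(F_q) and is coprime to q."""
        assert self.order() % p == 0 and self.q % p != 0
        k, qk = 1, self.q % p
        while qk != 1:
            k, qk = k + 1, (qk * self.q) % p
        return k

    def dlog(self, P: Point, Q: Point, n: int) -> Optional[int]:
        """ECDLP of Definition 2.7 by exhaustive search over [0, n-1]; this is
        the trivial attack that only toy group orders permit."""
        R: Point = None
        for l in range(n):
            if R == Q:
                return l
            R = self.add(R, P)
        return None


if __name__ == "__main__":
    E = Curve(0, 1, 11)                      # constructed instance y^2 = x^3 + 1 over F_11
    print("#E =", E.order(), "trace =", E.trace_of_frobenius(),
          "supersingular =", E.is_supersingular(), "k(3) =", E.embedding_degree(3))
```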
We denote the finite field of order q by $\mathbb{F}_q$. Let $G_1$, $G_2$, and $G_T$ be groups of prime order p. The groups $G_1$ and $G_2$ can be written multiplicatively or additively since there is only one group of order p up to isomorphism. Although groups of points on elliptic curves have an additive operation, we choose to write all groups multiplicatively. We use the following cryptographic definition of pairings; we do not consider exactly how pairings are constructed over elliptic curves.

Definition. A pairing is a map $e(\cdot, \cdot)$ from $G_1 \times G_2$ to $G_T$ satisfying the following three properties:
(i) bilinearity. For all $x_1$ and $x_2$ in $G_1$, and y in $G_2$, $e(x_1 x_2, y) = e(x_1, y)\, e(x_2, y)$. Similarly, for all x in $G_1$, and $y_1$ and $y_2$ in $G_2$, $e(x, y_1 y_2) = e(x, y_1)\, e(x, y_2)$.

(ii) non-degeneracy. If $e(x_0, y) = 1_{G_T}$ for all y in $G_2$, then $x_0 = 1_{G_1}$. Similarly, if $e(x, y_0) = 1_{G_T}$ for all x in $G_1$, then $y_0 = 1_{G_2}$. Synonymously, if x and y are generators of $G_1$ and $G_2$, then $e(x, y) \neq 1_{G_T}$.
(iii) efficiency. The pairing $e(\cdot, \cdot)$ can be computed in polynomial time in $\log p$, where p is the order of the groups.

By repeatedly applying bilinearity, powers of the operands change into powers of the pairing values and vice versa. For any integers a and b and all group elements $x \in G_1$ and $y \in G_2$,

$$e(x^a, y^b) = e(x^a, y)^b = e(x, y^b)^a = e(x, y)^{ab} = e(x^{ab}, y) = e(x, y^{ab}) = e(x^b, y^a).$$

Galbraith, Paterson, and Smart classified pairings into three types [17]:
Type I: symmetric pairings, where the groups $G_1$ and $G_2$ are identical.
Type II: asymmetric pairings, where $G_1 \neq G_2$ and there is a known, efficiently computable isomorphism $\psi$ from $G_2$ to $G_1$.
Type III: asymmetric pairings that have no known efficiently computable isomorphism from $G_2$ to $G_1$, or from $G_1$ to $G_2$.

For most common pairings, $G_1$ is an order-p subgroup of $E(\mathbb{F}_q)$, $G_2$ is an order-p subgroup of $E(\mathbb{F}_{q^k})$ where k is the embedding degree with respect to a prime divisor p of $\#E(\mathbb{F}_q)$, and $G_T$ is the order-p subgroup of $\mathbb{F}_{q^k}^*$ [16]. For pairing-based schemes to be secure, the ECDLP in the groups $G_1$ and $G_2$ and the DLP in the target group $G_T$ must be hard. A pairing-friendly curve is one that has a large prime-order subgroup and an embedding degree that is big enough so that solving the DLP in $G_T$ is not easy, but small enough so that computing pairing values is not infeasible. Freeman, Scott, and Teske formalized the definition of pairing-friendly curves [16]:

Definition. An elliptic curve E over $\mathbb{F}_q$ is pairing-friendly if there exists a prime integer $p \geq \sqrt{q}$ dividing $\#E(\mathbb{F}_q)$ and the embedding degree k of E with respect to p is less than $(\log_2 p)/8$.

Type I pairings are implemented with supersingular curves over prime fields or fields of characteristic 2 or 3 [17].
Recent work by Joux and others on solving the discrete logarithm problem in fields of small characteristic renders these curves, and thus many type I pairings, insecure [3, 20, 21]. Since computations in small-characteristic fields are much more efficient than in prime fields, we choose to ignore type I pairings. In the paper introducing BLS short signatures, the authors use type II pairings, stating that the isomorphism $\psi$ seems to be necessary for the security reductions [9]. However, Chatterjee, Hankerson, Knapp, and Menezes describe variants of BLS and BGLS signature schemes that use type III pairings, eliminating the need for a known, efficiently computable map $\psi$ [10]. They further argue that type II pairings have no advantage in either performance or security over type III pairings when implementing BLS and BGLS with Barreto-Naehrig pairings. Therefore, in this thesis, we consider only type III pairings.

2.3 Diffie-Hellman problems

Diffie-Hellman problems are the primitives of many cryptographic protocols that involve groups. First, we examine Diffie-Hellman problems that involve elements of either a single group or two groups. Let g be a generator (any element except the identity) of a multiplicative group G of prime order p. The group G, its order p, and the chosen generator g are public. Let a, b, and c be any three non-zero integers modulo p.

Definition. The computational Diffie-Hellman problem (CDH) is to compute $g^{ab}$ when given $g^a$ and $g^b$.

Definition. The decisional Diffie-Hellman problem (DDH) is to determine whether $g^{ab} = g^c$ when given $g^a$, $g^b$, and $g^c$.

A group where solving the CDH problem is hard, but solving the DDH problem is easy is a gap group. We can solve the DDH problem given a type I pairing $e : G \times G \to G_T$ by checking whether $e(g^a, g^b)$ equals $e(g^c, g)$.

Next, we examine two co-Diffie-Hellman problems that involve two groups, such as the components of the domain of an asymmetric pairing. Again, one of these problems is decisional and one is computational. Let $g_1$ and $g_2$ be generators of the multiplicative groups $G_1$ and $G_2$, both of prime order p. The groups $G_1$ and $G_2$, their order p, and their generators $g_1$ and $g_2$ are public. Let a, b, and c be any non-zero integers modulo p.

Definition. The computational co-Diffie-Hellman problem (co-CDH) is to compute $h^a \in G_1$ when given $g_2^a \in G_2$ and $h \in G_1$.

Definition. The decisional co-Diffie-Hellman problem (co-DDH) is to determine whether $h^a = h^c$ when given $g_2^a \in G_2$, $h \in G_1$, and $h^c \in G_1$.

The groups used with type II or III pairings are groups where solving the co-CDH problem is hard, but solving the co-DDH problem is easy. Given a type II or III pairing $e : G_1 \times G_2 \to G_T$, we can solve the co-DDH problem by checking whether $e(h, g_2^a)$ equals $e(h^c, g_2)$.

At the end of Section 2.2, we noted that it is possible to modify the BLS and BGLS signature schemes to work with type III pairings [10].
The security reductions for the modified schemes described by Chatterjee et al. require a different computational co-Diffie-Hellman problem, which we denote by co-CDH*.

Definition. The modified computational co-Diffie-Hellman problem (co-CDH*) is to compute $h^a \in G_1$ when given $g_2^a \in G_2$, $g_1^a \in G_1$, and $h \in G_1$.

This co-CDH* problem is similar to the co-CDH problem, but with one extra piece of information: knowledge of $g_1^a$. The co-CDH* problem, therefore, cannot be harder than the co-CDH problem. If an adversary can solve the co-CDH problem, then it can clearly solve the co-CDH* problem.

[Figure 2.1: reduction diagram. Labels: instance of problem A; solver for problem A; work done by the solver for problem A; instance of problem B; given oracle query and response; simulated oracle query and response; solver for problem B; more work done by the solver for problem A; solution to problem B; solution to problem A.]

Figure 2.1: We represent reductions with diagrams where dotted lines indicate algorithms or oracles to construct and solid lines represent given algorithms or oracles.

2.4 The importance of tightness

The reduction from solving a primitive to breaking a protocol gives us confidence in a protocol's security. This reduction is an algorithm that can solve the primitive by using a hypothetical subroutine that breaks the protocol and by doing little additional work. "Algorithm" and "solver" refer to deterministic algorithms that have access to a source of random bits. In this thesis, we augment written descriptions of reductions with diagrams. See Figure 2.1 for a sample reduction from solving problem A to solving problem B. The problems may each access certain oracles. The oracles for problem A are included with the problem instance, whereas the oracles for problem B must be simulated by the solver for problem A. Such a reduction proves, by contraposition, that if solving problem A is hard, then solving problem B is hard. We quantify this hardness by considering the time an algorithm requires and its success probability.

Definition. An algorithm $(t, \varepsilon)$-solves problem A if, given a random instance of problem A, it solves it with probability at least $\varepsilon$ in time at most t. The probability of success is computed over all possible instances of problem A and all of the solver's coin tosses.

Definition. Suppose that a reduction uses an algorithm for $(t, \varepsilon)$-breaking a protocol to $(t', \varepsilon')$-solve a primitive. The tightness gap of the reduction is the ratio $(t'/\varepsilon')/(t/\varepsilon)$.

A reduction is tight if this ratio is close to 1: when $t/\varepsilon \approx t'/\varepsilon'$, the protocol inherits the strength of the primitive.

The RSA problem, the problem of computing eth roots modulo n, is the primitive in some security reductions for RSA-FDH. Suppose that the best attack on the RSA problem is factoring the modulus n with the number field sieve. For a 1024-bit modulus n, this attack takes time roughly $2^{80}$ and succeeds with probability nearly 1. Suppose that the RSA problem is $(2^{70}, 2^{-31})$-hard and that adversaries can compute up to $q_h = 2^{60}$ hashes. The standard reduction from solving the RSA problem to forging an RSA-FDH signature has a tightness gap of $q_h$. Therefore, this reduction tells us only that RSA-FDH is $(2^{40}, 1/2)$-secure, which is not very assuring. To counter this lack of tightness, we must increase the bitlength of n.

Chatterjee, Menezes, and Sarkar illustrate what a non-tight reduction could mean in the worst case with message authentication code (MAC) schemes, the symmetric-key equivalents of signatures [11]. The best possible attack on an ideal MAC scheme with key length r in the single-user setting is exhaustive key search, which takes time $2^r$. The authors present a reduction from breaking a MAC scheme in the single-user setting to breaking it in the multi-user setting. Its tightness gap is n, the number of users. Next, they describe an attack in the multi-user setting that succeeds in time $2^r/n$. The existence of this attack proves that no reduction from single-user MAC to multi-user MAC can be any tighter. Suppose a tighter reduction did exist: given a $(t, \varepsilon)$-multi-user MAC forger, it is possible to construct a $(t', \varepsilon')$-single-user MAC forger, where $(t'/\varepsilon')/(t/\varepsilon) = m < n$. Then, breaking single-user MAC takes m times more work than breaking multi-user MAC.
However, as noted above, there exists an attack on multi-user MAC that takes time $2^r/n$. Hence, there exists an attack on single-user MAC that takes time $m \cdot 2^r / n < 2^r$, contradicting the fact that the best attack on an ideal MAC scheme takes time $2^r$. Therefore, no tighter reduction can exist from breaking single-user MAC to breaking multi-user MAC.

This general approach could apply to other reductions. Consider two problems, A and B. Suppose that the best possible attack on problem A succeeds in time $t_A$; no attack on problem A can succeed in time faster than $t_A$. Next, suppose one finds an attack on problem B that succeeds in time $t_B$. Finally, suppose that there exists a reduction from solving problem A to solving problem B that has a tightness gap of $m$. Given this attack and the reduction, it is possible to construct an attack on problem A that succeeds in time $m \cdot t_B$. Hence, it must be the case that $m \cdot t_B \geq t_A$, i.e., $m \geq t_A / t_B$. No reduction from solving problem A to solving problem B can have a tightness gap smaller than $t_A / t_B$. As the Chatterjee-Menezes-Sarkar example illustrates, a non-tight reduction could indicate the existence of an attack.

How should we address non-tight reductions? We could try to find a better reduction with the same primitive. We could weaken the security definition or modify the primitive in a natural way so that the reduction is tighter. We could increase the security parameter size to make up for the tightness gap. In this thesis, we carefully analyze the tightness of all reductions, even those among different types of forgery.

Chapter 3 BLS and BGLS signatures

In this chapter, we review the BLS signature scheme and the BGLS aggregate signature scheme. We restate a proof of the optimality of the BLS security reduction, and explore some constraints on BGLS aggregate signatures. Our work uses the following assumptions:

- Hash functions are indistinguishable from random functions, so we model them as random oracles.
- When a forger requests a signature on a message from a signing oracle, it has already obtained the hash of this message from the hashing oracle.
- A forger never requests the hash of a message twice, nor a signature from a certain user on the same message twice. (This assumption is without loss of generality for deterministic signature schemes such as BLS and BGLS.)
- When a forger outputs a signature (or aggregate signature) on a message (or messages), every message was previously hashed.
- Signing oracles never output invalid signatures.
- The maximum number of users $n$ in an aggregate signature scheme, or an upper bound on it, is public.

3.1 BLS short signature scheme

The BLS signature scheme has the same security level as the ECDSA signature scheme, but BLS signatures have half the bitlength [9]. The scheme was introduced for type II pairings, those for which an efficiently computable isomorphism from $G_2$ to $G_1$ is known. However, we present the modified scheme, due to Chatterjee et al., that also works for type III pairings [10].

Signature Scheme 3.1 (BLS with type III pairing [9, 10]).
Set-up: The groups $G_1$, $G_2$, and $G_T$ have prime order $p$. The groups $G_1$ and $G_2$ have generators $g_1$ and $g_2$. The function $h(\cdot)$ is a full-domain hash function from $\{0,1\}^*$ to $G_1$. The map $e(\cdot,\cdot)$ is a type III pairing from $G_1 \times G_2$ to $G_T$.
Key generation: Let $z$ be a randomly chosen non-zero integer modulo $p$. The public key is the pair of elements $(x, y) = (g_1^z, g_2^z)$ in $G_1 \times G_2$. The private key is the integer $z$.
Signing: To sign a message $m \in \{0,1\}^*$ with the secret key $z \in \mathbb{Z}_p$, compute the signature $\sigma(m) = h(m)^z$ in $G_1$.
Verification: To verify the signature $\sigma$ on a message $m$ by a user with public key $(x, y)$, verify that $e(h(m), y) = e(\sigma, g_2)$.

Given the scheme's parameters and some user's public key, a forger's goal is to compute a valid signature by this user on some message. This problem resembles the co-CDH* problem: given $g_2^z \in G_2$, $g_1^z \in G_1$ and $h \in G_1$, compute $h^z \in G_1$. This informal reasoning suggests that the security of the BLS signature scheme depends on the hardness of solving the co-CDH* problem in $(G_1, G_2)$. It is not obvious from the definition of this scheme why the public key must contain both $g_1^z$ and $g_2^z$, since only the latter is used for verification. The first part of the public key is necessary in the reduction from BLS forgery to solving the modified computational co-Diffie-Hellman problem. The reduction in the opposite direction supports security of the BLS signature scheme with a type III pairing. This reduction, in the following theorem's proof, is depicted in Figure 3.1 on page 15.

Theorem 3.2 (Security of BLS signature scheme with type III pairing [9, 10]). If solving the co-CDH* problem in $(G_1, G_2)$ is $(t', \epsilon')$-hard, then the BLS signature scheme with a type III pairing is $(t, \epsilon, q_h, q_s)$-secure against existential forgery under adaptive chosen-message attack, for $t = t' - (q_h + q_s)\, T_e - q_h\, T_m$ and $\epsilon = \epsilon' \cdot e \cdot (q_s + 1)$, where $T_e$ and $T_m$ denote the time of an exponentiation and of a multiplication in $G_1$.

Proof.
We prove the contrapositive of this statement: we build a co-CDH* solver given a forger for BLS. The co-CDH* solver is given $h \in G_1$, $g_2^a \in G_2$, and $g_1^a \in G_1$. It must somehow use the BLS forger to compute $h^a \in G_1$. The solver must give the forger a public key and simulate hashing and signing oracles for its queries. First, the solver gives the forger the public key $(x, y) = (g_1^a, g_2^a)$ in $G_1 \times G_2$. When the forger requests the hash of a message $m$, the solver chooses a random integer $r \in \mathbb{Z}_p$ and returns one of the following elements of $G_1$:
$$h(m) = \begin{cases} h \cdot g_1^r & \text{with probability } P, \\ g_1^r & \text{otherwise.} \end{cases}$$

[Figure 3.1 (diagram): the co-CDH* solver receives $h$, $g_2^a$, and $g_1^a$; it gives the BLS forger the public key $(x, y) = (g_1^a, g_2^a)$ and simulates the hashing oracle H, replying $h(m) = h \cdot g_1^r$ with probability $1/(q_s+1)$ and $g_1^r$ otherwise, and the signing oracle S, replying FAIL or $\sigma(m) = (g_1^a)^r$; from the forger's output $(\sigma, m)$ it computes $h^a = \sigma / (g_1^a)^r$.] Figure 3.1: The reduction from solving the co-CDH* problem to BLS forgery has a tightness gap of $q_s$.

The solver records the message $m$ and the exponent $r$. We will determine the optimal value of $P$ when we compute the solver's success probability. When the forger requests a signature, the solver's reply depends on the message's hash type. If the message hash is $h$-dependent, then the solver must abort since it cannot provide a signature. However, if the hash is a random power of $g_1$, then the solver looks up the appropriate exponent $r$ and returns $\sigma(m) = (g_1^a)^r$:
$$\sigma(m) = \begin{cases} \text{FAIL} & \text{if } h(m) \text{ is } h\text{-dependent}, \\ (g_1^a)^r & \text{otherwise.} \end{cases}$$
The signature in the latter case is correct:
$$e(\sigma(m), g_2) = e(g_1^{ar}, g_2) = e(g_1^r, g_2^a) = e(h(m), y).$$
The co-CDH* solver succeeds if and only if the following events occur:
($E_1$) The forger does not request a signature on any message with an $h$-dependent hash. Since the forger makes at most $q_s$ signing queries, this event occurs with probability at least $(1 - P)^{q_s}$.

($E_2$) The forger successfully outputs a forgery in time at most $t$. If it does not request signatures on messages with $h$-dependent hashes, then the hashing and signing oracles simulated by the co-CDH* solver are indistinguishable from real hashing and signing oracles. Hence, given the first event, this event happens with probability at least $\epsilon$.
($E_3$) The forged signature is on a message with an $h$-dependent hash. The probability of this event given the first two events is at least $P$.
When these three events occur, the forger outputs a forged signature $\sigma$ on a message $m$ with hash $h(m) = h \cdot g_1^r$. It satisfies $e(\sigma, g_2) = e(h \cdot g_1^r, y)$, so the co-CDH* solver computes $h^a = \sigma / (g_1^a)^r$. Hence, the probability $\epsilon'$ that the co-CDH* solver succeeds is
$$\Pr(E_1 \wedge E_2 \wedge E_3) = \Pr(E_3 \mid E_2 \wedge E_1)\,\Pr(E_2 \mid E_1)\,\Pr(E_1) \geq P \cdot \epsilon \cdot (1 - P)^{q_s}.$$
By Equation (1.1), the value of $P$ that maximizes this lower bound is $P = 1/(q_s + 1)$. Then, applying the approximation for $e^{-1}$ in Equation (1.2) gives the lower bound $\epsilon / (e (q_s + 1))$. The time required by the co-CDH* solver is at most $t + (q_h + q_s + 1)\, T_e + (q_h + 1)\, T_m$. Hence, given a $(t, \epsilon, q_h, q_s)$-forger for BLS, it is possible to build a $(t', \epsilon')$-co-CDH* solver, for
$$t' = t + (q_h + q_s + 1)\, T_e + (q_h + 1)\, T_m \quad \text{and} \quad \epsilon' = \frac{\epsilon}{e (q_s + 1)}.$$

The reduction from solving the RSA problem to forging an RSA-FDH signature is very similar to the reduction from solving the co-CDH* problem to forging a BLS signature. Like the BLS security reduction, it also has a tightness gap of $q_s$, the number of signature queries the forger can make [13]. In 2002, Coron proved that the RSA-FDH reduction is optimal when the RSA solver uses the forger only once [14]. Kakvi and Kiltz later pointed out that the proof relies on the fact that signatures must be unique, which is not necessarily the case in RSA-FDH if public keys are not certifiable [22]. If the RSA solver gives the RSA-FDH forger a public key $(n, e)$ for which $e$ and $\phi(n)$ are not relatively prime, then signatures are not unique.
Determining whether $e$ and $\phi(n)$ are relatively prime is believed to be hard when $e$ is less than $n^{1/4}$. For the BLS scheme, however, signatures are unique for any public key and Coron's result holds, as Knapp noted in 2008 [24]. We state the result here, but omit the proof.

Theorem 3.3 (Optimality of BLS security reduction [24]). Suppose that a reduction $(t_R, \epsilon_R)$-solves the co-CDH* problem by invoking a $(t_F, \epsilon_F, q_h, q_s)$-forger for BLS only once. Then, it is possible to build a $\left(2 (t_R - t_F),\ \epsilon_R - \epsilon_F / q_s\right)$-co-CDH* solver by calling the reduction twice and simulating the forger each time, so no real forger is required at any point.

The proof describes how to build a co-CDH* solver given only a reduction from solving the co-CDH* problem to BLS forgery, but no real forger. Coron's theorem has the following implication. Suppose there exists a new reduction, which uses a forger only once, and proves

that if solving the co-CDH* problem is $(t', \epsilon')$-hard, then BLS forgery is $(t, \epsilon)$-hard for some $t \leq t'$ and $\epsilon' = \epsilon / q_s + \delta$. Then, with the construction given in the theorem, we can build an algorithm that solves the co-CDH* problem in time at most $2 (t' - t)$ with probability at least
$$\epsilon' - \frac{\epsilon}{q_s} = \left( \frac{\epsilon}{q_s} + \delta \right) - \frac{\epsilon}{q_s} = \delta.$$
If $\delta$ is non-negligible, then the existence of this better reduction means that we can solve the co-CDH* problem, which is believed to be hard. Therefore, the existence of better reductions that call the forger only once is unlikely. We emphasize that Coron's theorem does not prove that no tighter reduction exists; it proves only the non-existence of tighter reductions that invoke the BLS forger just once.

3.2 BGLS aggregate signatures

Some applications of digital signatures require many users' valid signatures. Batch verification schemes may verify signatures more efficiently, but they require each signature to be transmitted. For efficiency, we would like to combine these signatures. Multi-signature schemes combine signatures by many users on the same message. Aggregate signature schemes combine many users' signatures on different messages. An aggregate signature scheme is either sequential or general, depending on whether the order of aggregation matters. In this section, we present the first aggregate signature scheme, BGLS, which is based on BLS signatures [8]. In the following two subsections, we explain why messages in a BGLS aggregate signature must be pairwise distinct, and we present the original security definition. Again, we modify the scheme in the manner of Chatterjee et al. to use type III pairings.

Signature Scheme 3.4 (BGLS with type III pairing [8, 10]).
Set-up: The groups $G_1$, $G_2$, and $G_T$ have prime order $p$. The groups $G_1$ and $G_2$ have generators $g_1$ and $g_2$. The function $h(\cdot)$ is a full-domain hash function from $\{0,1\}^*$ to $G_1$. The map $e(\cdot,\cdot)$ is a type III pairing from $G_1 \times G_2$ to $G_T$.
Key generation: Let $z_i$ be a randomly chosen non-zero integer modulo $p$.
User $i$'s public key is the pair of elements $(x_i, y_i) = (g_1^{z_i}, g_2^{z_i})$ in $G_1 \times G_2$. The corresponding private key is the integer $z_i$.
Signing: To sign the $k$ distinct messages $m_1, \ldots, m_k \in \{0,1\}^*$ with secret keys $z_1, \ldots, z_k \in \mathbb{Z}_p$, compute the aggregate signature $\sigma_A = \prod_{i=1}^k h(m_i)^{z_i}$ in $G_1$.
Verification: To verify the aggregate signature $\sigma_A$ on messages $m_1, \ldots, m_k$ by users with public keys $(x_1, y_1), \ldots, (x_k, y_k)$, verify that the messages are pairwise distinct and $\prod_{i=1}^k e(h(m_i), y_i) = e(\sigma_A, g_2)$.

Aggregation can be performed by anyone and the resulting signature has the same size as a single BLS signature. Verification succeeds when each individual signature is valid:
$$\prod_{i=1}^k e(h(m_i), y_i) = \prod_{i=1}^k e(h(m_i), g_2^{z_i}) = e\left( \prod_{i=1}^k h(m_i)^{z_i},\ g_2 \right) = e(\sigma_A, g_2).$$

3.2.1 Why should messages be distinct?

The BGLS aggregate signature scheme requires that all messages be distinct; otherwise, BGLS is vulnerable to the following rogue-key attack. Suppose honest user 1 has public key $(x_1, y_1)$. A malicious user picks a random integer $z$ modulo $p$ and publishes $(x_2, y_2) = (x_1^{-1} g_1^z,\ y_1^{-1} g_2^z)$ as its public key. Then, the attacker can compute a signature on any message $m$ and claim that it was signed by both itself and the first user: it simply computes $\sigma_A = h(m)^z$. This signature is valid since
$$e(h(m), y_1) \cdot e(h(m), y_2) = e\left( h(m),\ y_1 (y_1^{-1} g_2^z) \right) = e(h(m), g_2^z) = e(\sigma_A, g_2).$$
The creators of BGLS were aware of this attack and suggested the following three countermeasures [8]:
1. Require users to prove knowledge of their private keys. Users could disclose their private keys to a trusted party, or prove knowledge of their private keys with zero-knowledge proofs.
2. Require users to prove possession of their private keys. Users could sign their certificate request message, or sign random messages that will never be used in practice.
3. Require all of the messages in one aggregate signature to be distinct.
The authors suggest that the third option might be the simplest: a user could prepend its public key to a message, creating an enhanced message, before hashing it. Bellare, Namprempre, and Neven argue that hashing enhanced messages reduces the problem but does not eliminate it [4]. They point out that in some settings, aggregate signatures could genuinely include multiple signatures by the same user on the same message. For example, this situation could occur when aggregation is used to store many digital signatures.
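Signature Schemes 3.1 and 3.4 and the rogue-key attack above, as an added illustration that is not code from the thesis. A real pairing needs a library; this Python stand-in instead represents every group element by its discrete logarithm modulo an assumed prime $p = 2^{127} - 1$ (the integer $a$ stands for $g_1^a$, $g_2^a$ or $g_T^a$, the group law is addition of exponents, and $e(g_1^a, g_2^b) = g_T^{ab}$ is multiplication). That preserves every equation of both schemes but is obviously not secure, since discrete logarithms are in plain view. The SHA-256-based hash, the serialisation of public keys used to build enhanced messages, and all function names are assumptions of mine. The demo shows the rogue key $(x_1^{-1} g_1^z, y_1^{-1} g_2^z)$ passing the validity check $e(g_1, y) = e(x, g_2)$, the forgery $h(m)^z$ verifying against both keys when the two messages coincide, the distinctness check rejecting it, and the attacker's best effort failing once each signer's public key is prepended to its message.

```python
"""BLS and BGLS (type III form) in a generic-group stand-in.

Added illustration, not code from the thesis.  A group element is represented
by its discrete logarithm modulo a prime p: the integer a stands for g1^a in
G1, for g2^a in G2 and for gT^a in GT; the group law is addition of exponents
and the pairing e(g1^a, g2^b) = gT^(a*b) is multiplication.  Every equation of
the scheme is preserved, but the model is NOT secure (discrete logs are in
plain view), so it only serves to exercise the algebra and the rogue-key attack.
"""
import hashlib
import secrets

P = (1 << 127) - 1  # assumed common prime order of G1, G2 and GT

def hash_to_g1(msg: bytes) -> int:
    """Full-domain hash h: {0,1}* -> G1, modelled as SHA-256 reduced mod p
    (assumption; in the real scheme the discrete log of h(m) is unknown)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % P

def pairing(a: int, b: int) -> int:
    """e(g1^a, g2^b) = gT^(ab)."""
    return (a * b) % P

def keygen(z=None):
    """Private key z, public key (x, y) = (g1^z, g2^z)."""
    z = z if z is not None else secrets.randbelow(P - 1) + 1
    return z, (z, z)

def pk_bytes(pk) -> bytes:
    """Serialisation of (x, y), used to build enhanced messages pk || m."""
    return pk[0].to_bytes(16, "big") + pk[1].to_bytes(16, "big")

def valid_pk(pk) -> bool:
    """Plain public-key model: accept (x, y) iff e(g1, y) == e(x, g2)."""
    x, y = pk
    return pairing(1, y) == pairing(x, 1)

def sign(z: int, msg: bytes) -> int:
    """BLS signing: sigma(m) = h(m)^z."""
    return (hash_to_g1(msg) * z) % P

def verify(pk, msg: bytes, sig: int) -> bool:
    """BLS verification: e(h(m), y) == e(sigma, g2)."""
    _x, y = pk
    return pairing(hash_to_g1(msg), y) == pairing(sig, 1)

def aggregate(sigs) -> int:
    """BGLS aggregation, doable by anyone: sigma_A = prod_i sigma_i."""
    return sum(sigs) % P

def verify_aggregate(pks, msgs, sig_a: int, require_distinct: bool = True) -> bool:
    """BGLS verification: messages pairwise distinct and
    prod_i e(h(m_i), y_i) == e(sigma_A, g2).  require_distinct=False is the
    unsafe variant that the rogue-key attack below exploits."""
    if require_distinct and len(set(msgs)) != len(msgs):
        return False
    lhs = sum(pairing(hash_to_g1(m), y) for (_x, y), m in zip(pks, msgs)) % P
    return lhs == pairing(sig_a, 1)

def rogue_key(pk_honest, z=None):
    """Attacker publishes (x2, y2) = (x1^-1 g1^z, y1^-1 g2^z) for random z."""
    x1, y1 = pk_honest
    z = z if z is not None else secrets.randbelow(P - 1) + 1
    return z, ((z - x1) % P, (z - y1) % P)

def honest_aggregate_demo() -> bool:
    """Two users sign distinct messages; anyone aggregates; verification passes."""
    z1, pk1 = keygen()
    z2, pk2 = keygen()
    sig_a = aggregate([sign(z1, b"transfer 10"), sign(z2, b"approve batch 7")])
    return verify_aggregate([pk1, pk2], [b"transfer 10", b"approve batch 7"], sig_a)

def rogue_key_demo(msg: bytes = b"pay 100 to mallory"):
    """Returns three booleans: does the forgery h(m)^z verify against
    (pk1, pk2) on (m, m) without the distinctness check, with the check, and
    with enhanced messages pk_i || m (where the attacker's best effort is
    h(pk2 || m)^z, since it does not know z1)."""
    _z1, pk1 = keygen()
    z, pk2 = rogue_key(pk1)
    assert valid_pk(pk2)                     # the rogue key is a valid key
    forged = (hash_to_g1(msg) * z) % P       # sigma_A = h(m)^z, no use of z1
    unchecked = verify_aggregate([pk1, pk2], [msg, msg], forged, require_distinct=False)
    checked = verify_aggregate([pk1, pk2], [msg, msg], forged)
    enhanced = [pk_bytes(pk1) + msg, pk_bytes(pk2) + msg]
    forged_enh = (hash_to_g1(enhanced[1]) * z) % P
    with_enhanced = verify_aggregate([pk1, pk2], enhanced, forged_enh)
    return unchanced if False else (unchecked, checked, with_enhanced)
```

rogue_key_demo() returns (True, False, False): the attacker never needs $z_1$, so the only thing standing between it and a valid two-user aggregate on $(m, m)$ is the distinctness check (or a proof of possession of the private key), which is the point of this subsection. With enhanced messages the two hashes differ, so the forgery would need $h(\mathrm{pk}_1 \| m)^{z_1}$, which the attacker cannot compute.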
They provide a security reduction for the case of enhanced messages. They also present a tight security reduction for a modification of BGLS where each signer prepends a random bit to the enhanced message before signing it. We use a similar technique in Section 5.1 to give a security reduction for BGLS with respect to stronger adversaries. In this thesis, we simply require that all messages in an aggregate signature be distinct. Our reductions are in the plain public-key model: any valid public key can be certified. In this model, suggested by Bellare and Neven, there is no requirement for proof of knowledge or possession of the private key [5]. In the BGLS scheme, a valid public key is one that

has the form $(x, y)$ where the discrete logarithm of $x$ with respect to $g_1$ equals the discrete logarithm of $y$ with respect to $g_2$. Validity of a public key can be verified by checking that $e(g_1, y) = e(x, g_2)$. When a user registers with a certificate authority, it does not have to provide evidence of knowing its own private key.

3.2.2 Original security definition

The first security definition for a general aggregate signature scheme was introduced with BGLS [8]. In this section, we restate this definition of what it means for an attacker to break an aggregate signature scheme. Instead of calling this attack existential forgery in the aggregate chosen-key model, we call it targeted-user forgery to emphasize that the goal is existential forgery under chosen-message attack for a particular user. Let $e(\cdot,\cdot)$ be a type III pairing from $G_1 \times G_2$ to $G_T$. Consider an instance of BGLS with at most $n$ users, where user $i$ has public key $(x_i, y_i)$ and private key $z_i$.

Definition. A targeted-user forger has the following capabilities and goals. It is given a randomly chosen public key $(x_1, y_1)$ in $G_1 \times G_2$. It adaptively queries a hashing oracle and a signing oracle with messages of its choice. For some positive integer $k$ that is at most $n$, the forger must output $k - 1$ public keys of its choice $(x_2, y_2), \ldots, (x_k, y_k)$, $k$ distinct messages $m_1, \ldots, m_k$, and a valid aggregate signature $\sigma_A$ comprising user $i$'s signature on message $m_i$, for each $i$ from 1 to $k$. The forger succeeds if it never requested the first user's signature on $m_1$.

[Figure 3.2 (diagram): the targeted-user forger receives $(x_1, y_1) \in G_1 \times G_2$, queries the hashing oracle H for $h(m) \in G_1$ and the signing oracle S for $\sigma(m) \in G_1$, and outputs $\sigma_A \in G_1$, messages $m_1, \ldots, m_k$, and public keys $(x_2, y_2), \ldots, (x_k, y_k) \in G_1 \times G_2$.] Figure 3.2: Capabilities and goals of a targeted-user forger.

Definition. A $(t, \epsilon, q_h, q_s)$-targeted-user forger makes at most $q_h$ hashing queries, at most $q_s$ signing queries, runs in time at most $t$, and succeeds with probability at least $\epsilon$. The success probability is computed over all possible inputs $(x_1, y_1)$ in $G_1 \times G_2$ and all of the forger's coin tosses.
Definition. An aggregate signature scheme is $(t, \epsilon, q_h, q_s)$-secure against targeted-user forgery if no $(t, \epsilon, q_h, q_s)$-targeted-user forger exists.
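Added illustration, not the thesis's own code: a simulation of the reduction from solving co-CDH* to targeted-user forgery that Theorem 3.5 and Figure 3.3 describe next, in the same generic-group stand-in as the earlier example (an integer stands for a group element via its discrete logarithm modulo the assumed prime $p = 2^{127} - 1$, addition is the group law, multiplication is the pairing). The solver re-randomises the target key to $(x g_1^r, y g_2^r)$, answers hash queries with $h \cdot g_1^s$ with probability $1/(n + q_s)$ and with $g_1^s$ otherwise, aborts on a signing query whose hash is $h$-dependent, checks the forger's keys with $e(g_1, v_i) = e(u_i, g_2)$, and recovers $h^z$ from a verifying forgery by dividing out $h^r (x g_1^r)^{s_1} \prod_{i \geq 2} u_i^{s_i}$. The forger is a stand-in that cheats by reading the discrete logarithm of its public key (possible only in this model) and always succeeds, so the measured success rate isolates the solver's own abort probability; with $n = 1$ the same code is the BLS reduction of Theorem 3.2 with $P = 1/(q_s + 1)$. Class and function names are mine.

```python
"""Reduction from co-CDH* to targeted-user forgery (Theorem 3.5 / Figure 3.3),
simulated in the same generic-group stand-in as the previous example: the
integer a stands for g1^a, g2^a or gT^a, the group law is addition mod p and
the pairing is multiplication.  Added illustration, not the thesis's own code.
The forger is a stand-in that (unrealistically) reads the discrete log of its
public key; what is exercised is the solver's side: the re-randomised public
key, the two kinds of hash replies, the abort on a signing query with an
h-dependent hash, and the extraction of h^z from a valid forgery."""
import random

P = (1 << 127) - 1  # assumed prime group order

def pairing(a, b):
    return (a * b) % P

class Abort(Exception):
    """The solver gives up (the FAIL branches of Figure 3.3)."""

class CoCDHSolver:
    def __init__(self, h, x, y, n, q_s, rng):
        self.h, self.rng = h, rng                       # instance: h, x = g1^z, y = g2^z
        self.prob = 1 / (n + q_s)                       # P = 1/(n + q_s)
        self.r = rng.randrange(1, P)
        self.pk = ((x + self.r) % P, (y + self.r) % P)  # (x', y') = (x g1^r, y g2^r)
        self.table = {}                                 # m -> (s, h_dependent)
        self.signed = set()

    def hash_query(self, m):
        if m not in self.table:
            self.table[m] = (self.rng.randrange(1, P), self.rng.random() < self.prob)
        s, dep = self.table[m]
        return (self.h + s) % P if dep else s           # h g1^s  or  g1^s

    def sign_query(self, m):
        s, dep = self.table[m]                          # m was hashed first (standing assumption)
        if dep:
            raise Abort("signing query on an h-dependent hash")
        self.signed.add(m)
        return (self.pk[0] * s) % P                     # (x g1^r)^s

    def extract(self, sig_a, msgs, other_pks):
        """Turn a valid targeted-user forgery into h^z, or abort."""
        if len(set(msgs)) != len(msgs) or msgs[0] in self.signed:
            raise Abort("not a targeted-user forgery")
        if any(pairing(1, v) != pairing(u, 1) for u, v in other_pks):
            raise Abort("forger supplied an invalid public key")
        pks = [self.pk] + list(other_pks)
        lhs = sum(pairing(self.hash_query(m), v) for (_u, v), m in zip(pks, msgs)) % P
        if lhs != pairing(sig_a, 1):
            raise Abort("forgery does not verify")
        s1, dep1 = self.table[msgs[0]]
        if not dep1 or any(self.table[m][1] for m in msgs[1:]):
            raise Abort("hash types do not allow extraction")
        # sigma_A = h^z * h^r * (x g1^r)^{s_1} * prod_{i>=2} u_i^{s_i}: divide out the known part
        known = (self.h * self.r + self.pk[0] * s1) % P
        for (u, _v), m in zip(other_pks, msgs[1:]):
            known = (known + u * self.table[m][0]) % P
        return (sig_a - known) % P

def stand_in_forger(solver, k, q_s, rng):
    """A forger with eps = 1: q_s signing queries, then a forgery on k fresh
    messages with k-1 keys of its choice, computed from the discrete log z+r
    of its public key (visible only in this model)."""
    sk1 = solver.pk[0]
    for i in range(q_s):
        m = "query-%d" % i
        solver.hash_query(m)
        solver.sign_query(m)
    msgs = ["forged-%d" % i for i in range(k)]
    sig_a = (solver.hash_query(msgs[0]) * sk1) % P
    others = []
    for m in msgs[1:]:
        zi = rng.randrange(1, P)
        others.append((zi, zi))                         # (u_i, v_i) = (g1^zi, g2^zi)
        sig_a = (sig_a + solver.hash_query(m) * zi) % P
    return sig_a, msgs, others

def success_rate(trials=2000, n=4, q_s=6, seed=1):
    """Fraction of co-CDH* instances solved with this forger (k = n).  The
    proof's bound for eps = 1 is P(1-P)^(q_s+n-1) with P = 1/(n+q_s), about
    1/(e(n+q_s)); n = 1 gives the BLS reduction of Theorem 3.2."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        z, h = rng.randrange(1, P), rng.randrange(1, P)
        solver = CoCDHSolver(h, z, z, n, q_s, rng)      # x = g1^z, y = g2^z
        try:
            sig_a, msgs, others = stand_in_forger(solver, n, q_s, rng)
            assert solver.extract(sig_a, msgs, others) == (h * z) % P
            hits += 1
        except Abort:
            pass
    return hits / trials
```

success_rate() with n = 4 and q_s = 6 lands near $P (1 - P)^{9} \approx 0.039$ for $P = 1/10$, within sampling error of the bound $1 / (e (n + q_s)) \approx 0.037$: an always-successful forger is turned into a solver that succeeds on only about one instance in $e (n + q_s)$, which is the tightness gap of $n + q_s$ made concrete. The extraction step uses the $G_1$ components $x g_1^r$ and $u_i$ of the public keys, which is why a BGLS public key carries $g_1^z$ as well as $g_2^z$.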

[Figure 3.3 (diagram): the co-CDH* solver receives $h$, $x = g_1^z$, and $y = g_2^z$; it gives the targeted-user forger the public key $(x', y') = (x g_1^r, y g_2^r)$ and simulates the hashing oracle H, replying $h(m) = h \cdot g_1^s$ with probability $1/(n + q_s)$ and $g_1^s$ otherwise, and the signing oracle S, replying FAIL or $\sigma(m) = (x g_1^r)^s$; from the forger's output $\sigma_A$, $m_1, \ldots, m_k$, and $(u_2, v_2), \ldots, (u_k, v_k)$ it computes $h^z = \sigma_A \cdot \left( h^r (x g_1^r)^{s_1} \prod_{i=2}^k u_i^{s_i} \right)^{-1}$.] Figure 3.3: The reduction from solving the co-CDH* problem to targeted-user forgery has a tightness gap of $n + q_s$.

The original security reduction for BGLS with respect to this type of forgery has a tightness gap of $q_s + n$. We represent the reduction in the proof of Theorem 3.5 in Figure 3.3 on page 20.

Theorem 3.5 (Security of BGLS aggregate signature scheme with type III pairing [8]). If solving the co-CDH* problem in $(G_1, G_2)$ is $(t', \epsilon')$-hard, then the BGLS aggregate signature scheme with a type III pairing $e : G_1 \times G_2 \to G_T$ is $(t, \epsilon, q_h, q_s)$-secure against targeted-user forgery, for $t = t' - (q_h + q_s + n + 3)\, T_e - (q_h + n + 2)\, T_m$ and $\epsilon = \epsilon' \cdot e \cdot (n + q_s)$.

Proof. We prove the contrapositive of this statement: we show how to build a co-CDH* solver given a targeted-user forger for BGLS. The solver receives an instance of the co-CDH* problem, say $h$ and $x = g_1^z$ in $G_1$, and $y = g_2^z$ in $G_2$. It must eventually output $h^z$ in $G_1$. First, it gives the targeted-user forger the public key $(x', y') = (x g_1^r, y g_2^r)$ where $r$ is a randomly chosen integer modulo $p$. When the targeted-user forger requests the hash of


More information

ASSUME a source over an alphabet size m, from which a sequence of n independent samples are drawn. The classical

ASSUME a source over an alphabet size m, from which a sequence of n independent samples are drawn. The classical IEEE TRANSACTIONS ON INFORMATION THEORY Large Alphabet Source Coding using Independent Coponent Analysis Aichai Painsky, Meber, IEEE, Saharon Rosset and Meir Feder, Fellow, IEEE arxiv:67.7v [cs.it] Jul

More information

Quantum public-key cryptosystems based on induced trapdoor one-way transformations

Quantum public-key cryptosystems based on induced trapdoor one-way transformations Quantu public-key cryptosystes based on induced trapdoor one-way transforations Li Yang a, Min Liang a, Bao Li a, Lei Hu a, Deng-Guo Feng b arxiv:1012.5249v2 [quant-ph] 12 Jul 2011 a State Key Laboratory

More information

ABHELSINKI UNIVERSITY OF TECHNOLOGY

ABHELSINKI UNIVERSITY OF TECHNOLOGY Identity-Based Cryptography T-79.5502 Advanced Course in Cryptology Billy Brumley billy.brumley at hut.fi Helsinki University of Technology Identity-Based Cryptography 1/24 Outline Classical ID-Based Crypto;

More information

Fairness via priority scheduling

Fairness via priority scheduling Fairness via priority scheduling Veeraruna Kavitha, N Heachandra and Debayan Das IEOR, IIT Bobay, Mubai, 400076, India vavitha,nh,debayan}@iitbacin Abstract In the context of ulti-agent resource allocation

More information

Probability Distributions

Probability Distributions Probability Distributions In Chapter, we ephasized the central role played by probability theory in the solution of pattern recognition probles. We turn now to an exploration of soe particular exaples

More information

1 Generalization bounds based on Rademacher complexity

1 Generalization bounds based on Rademacher complexity COS 5: Theoretical Machine Learning Lecturer: Rob Schapire Lecture #0 Scribe: Suqi Liu March 07, 08 Last tie we started proving this very general result about how quickly the epirical average converges

More information

Short Unique Signatures from RSA with a Tight Security Reduction (in the Random Oracle Model)

Short Unique Signatures from RSA with a Tight Security Reduction (in the Random Oracle Model) Short Unique Signatures from RSA with a Tight Security Reduction (in the Random Oracle Model) Hovav Shacham UC San Diego and UT Austin Abstract. A signature scheme is unique if for every public key and

More information

ESTIMATING AND FORMING CONFIDENCE INTERVALS FOR EXTREMA OF RANDOM POLYNOMIALS. A Thesis. Presented to. The Faculty of the Department of Mathematics

ESTIMATING AND FORMING CONFIDENCE INTERVALS FOR EXTREMA OF RANDOM POLYNOMIALS. A Thesis. Presented to. The Faculty of the Department of Mathematics ESTIMATING AND FORMING CONFIDENCE INTERVALS FOR EXTREMA OF RANDOM POLYNOMIALS A Thesis Presented to The Faculty of the Departent of Matheatics San Jose State University In Partial Fulfillent of the Requireents

More information

ORIGAMI CONSTRUCTIONS OF RINGS OF INTEGERS OF IMAGINARY QUADRATIC FIELDS

ORIGAMI CONSTRUCTIONS OF RINGS OF INTEGERS OF IMAGINARY QUADRATIC FIELDS #A34 INTEGERS 17 (017) ORIGAMI CONSTRUCTIONS OF RINGS OF INTEGERS OF IMAGINARY QUADRATIC FIELDS Jürgen Kritschgau Departent of Matheatics, Iowa State University, Aes, Iowa jkritsch@iastateedu Adriana Salerno

More information

Optimal Security Reductions for Unique Signatures: Bypassing Impossibilities with A Counterexample

Optimal Security Reductions for Unique Signatures: Bypassing Impossibilities with A Counterexample Optimal Security Reductions for Unique Signatures: Bypassing Impossibilities with A Counterexample Fuchun Guo 1, Rongmao Chen 2, Willy Susilo 1, Jianchang Lai 1, Guomin Yang 1, and Yi Mu 1 1 Institute

More information

Kernel Methods and Support Vector Machines

Kernel Methods and Support Vector Machines Intelligent Systes: Reasoning and Recognition Jaes L. Crowley ENSIAG 2 / osig 1 Second Seester 2012/2013 Lesson 20 2 ay 2013 Kernel ethods and Support Vector achines Contents Kernel Functions...2 Quadratic

More information

On the Communication Complexity of Lipschitzian Optimization for the Coordinated Model of Computation

On the Communication Complexity of Lipschitzian Optimization for the Coordinated Model of Computation journal of coplexity 6, 459473 (2000) doi:0.006jco.2000.0544, available online at http:www.idealibrary.co on On the Counication Coplexity of Lipschitzian Optiization for the Coordinated Model of Coputation

More information

16 Independence Definitions Potential Pitfall Alternative Formulation. mcs-ftl 2010/9/8 0:40 page 431 #437

16 Independence Definitions Potential Pitfall Alternative Formulation. mcs-ftl 2010/9/8 0:40 page 431 #437 cs-ftl 010/9/8 0:40 page 431 #437 16 Independence 16.1 efinitions Suppose that we flip two fair coins siultaneously on opposite sides of a roo. Intuitively, the way one coin lands does not affect the way

More information

Low complexity bit parallel multiplier for GF(2 m ) generated by equally-spaced trinomials

Low complexity bit parallel multiplier for GF(2 m ) generated by equally-spaced trinomials Inforation Processing Letters 107 008 11 15 www.elsevier.co/locate/ipl Low coplexity bit parallel ultiplier for GF generated by equally-spaced trinoials Haibin Shen a,, Yier Jin a,b a Institute of VLSI

More information

Combining Classifiers

Combining Classifiers Cobining Classifiers Generic ethods of generating and cobining ultiple classifiers Bagging Boosting References: Duda, Hart & Stork, pg 475-480. Hastie, Tibsharini, Friedan, pg 246-256 and Chapter 10. http://www.boosting.org/

More information

A survey on quantum-secure cryptographic systems

A survey on quantum-secure cryptographic systems A survey on quantum-secure cryptographic systems Tomoka Kan May 24, 2018 1 Abstract Post-quantum cryptography refers to the search for classical cryptosystems which remain secure in the presence of a quantum

More information

Physically Based Modeling CS Notes Spring 1997 Particle Collision and Contact

Physically Based Modeling CS Notes Spring 1997 Particle Collision and Contact Physically Based Modeling CS 15-863 Notes Spring 1997 Particle Collision and Contact 1 Collisions with Springs Suppose we wanted to ipleent a particle siulator with a floor : a solid horizontal plane which

More information

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key

More information

PAIRING-BASED IDENTIFICATION SCHEMES

PAIRING-BASED IDENTIFICATION SCHEMES PAIRING-BASED IDENTIFICATION SCHEMES DAVID FREEMAN Abstract. We propose four different identification schemes that make use of bilinear pairings, and prove their security under certain computational assumptions.

More information

Analyzing Simulation Results

Analyzing Simulation Results Analyzing Siulation Results Dr. John Mellor-Cruey Departent of Coputer Science Rice University johnc@cs.rice.edu COMP 528 Lecture 20 31 March 2005 Topics for Today Model verification Model validation Transient

More information

Chaotic Coupled Map Lattices

Chaotic Coupled Map Lattices Chaotic Coupled Map Lattices Author: Dustin Keys Advisors: Dr. Robert Indik, Dr. Kevin Lin 1 Introduction When a syste of chaotic aps is coupled in a way that allows the to share inforation about each

More information

Cryptography IV: Asymmetric Ciphers

Cryptography IV: Asymmetric Ciphers Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline

More information

PEA: Polymorphic Encryption Algorithm based on quantum computation. Nikos Komninos* and Georgios Mantas

PEA: Polymorphic Encryption Algorithm based on quantum computation. Nikos Komninos* and Georgios Mantas Int. J. Systes, Control and Counications, Vol. 3, No., PEA: Polyorphic Encryption Algorith based on quantu coputation Nikos Koninos* and Georgios Mantas Algoriths and Security Group, Athens Inforation

More information

arxiv: v3 [quant-ph] 18 Oct 2017

arxiv: v3 [quant-ph] 18 Oct 2017 Self-guaranteed easureent-based quantu coputation Masahito Hayashi 1,, and Michal Hajdušek, 1 Graduate School of Matheatics, Nagoya University, Furocho, Chikusa-ku, Nagoya 464-860, Japan Centre for Quantu

More information

Notes for Lecture 17

Notes for Lecture 17 U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,

More information

A Smoothed Boosting Algorithm Using Probabilistic Output Codes

A Smoothed Boosting Algorithm Using Probabilistic Output Codes A Soothed Boosting Algorith Using Probabilistic Output Codes Rong Jin rongjin@cse.su.edu Dept. of Coputer Science and Engineering, Michigan State University, MI 48824, USA Jian Zhang jian.zhang@cs.cu.edu

More information

Cryptography from Pairings

Cryptography from Pairings DIAMANT/EIDMA Symposium, May 31st/June 1st 2007 1 Cryptography from Pairings Kenny Paterson kenny.paterson@rhul.ac.uk May 31st 2007 DIAMANT/EIDMA Symposium, May 31st/June 1st 2007 2 The Pairings Explosion

More information

Katz, Lindell Introduction to Modern Cryptrography

Katz, Lindell Introduction to Modern Cryptrography Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key

More information

Randomized Accuracy-Aware Program Transformations For Efficient Approximate Computations

Randomized Accuracy-Aware Program Transformations For Efficient Approximate Computations Randoized Accuracy-Aware Progra Transforations For Efficient Approxiate Coputations Zeyuan Allen Zhu Sasa Misailovic Jonathan A. Kelner Martin Rinard MIT CSAIL zeyuan@csail.it.edu isailo@it.edu kelner@it.edu

More information

arxiv: v1 [math.nt] 14 Sep 2014

arxiv: v1 [math.nt] 14 Sep 2014 ROTATION REMAINDERS P. JAMESON GRABER, WASHINGTON AND LEE UNIVERSITY 08 arxiv:1409.411v1 [ath.nt] 14 Sep 014 Abstract. We study properties of an array of nubers, called the triangle, in which each row

More information

On the Inapproximability of Vertex Cover on k-partite k-uniform Hypergraphs

On the Inapproximability of Vertex Cover on k-partite k-uniform Hypergraphs On the Inapproxiability of Vertex Cover on k-partite k-unifor Hypergraphs Venkatesan Guruswai and Rishi Saket Coputer Science Departent Carnegie Mellon University Pittsburgh, PA 1513. Abstract. Coputing

More information

Digital Signatures. Adam O Neill based on

Digital Signatures. Adam O Neill based on Digital Signatures Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob Signing electronically SIGFILE

More information

3.8 Three Types of Convergence

3.8 Three Types of Convergence 3.8 Three Types of Convergence 3.8 Three Types of Convergence 93 Suppose that we are given a sequence functions {f k } k N on a set X and another function f on X. What does it ean for f k to converge to

More information

COS 424: Interacting with Data. Written Exercises

COS 424: Interacting with Data. Written Exercises COS 424: Interacting with Data Hoework #4 Spring 2007 Regression Due: Wednesday, April 18 Written Exercises See the course website for iportant inforation about collaboration and late policies, as well

More information

DTTF/NB479: Dszquphsbqiz Day 26

DTTF/NB479: Dszquphsbqiz Day 26 DTTF/NB479: Dszquphsbqiz Day 26 Announceents:. HW6 due now 2. HW7 posted 3. Will pick pres dates Friday Questions? This week: Discrete Logs, Diffie-Hellan, ElGaal Hash Functions, SHA, Birthday attacks

More information

a a a a a a a m a b a b

a a a a a a a m a b a b Algebra / Trig Final Exa Study Guide (Fall Seester) Moncada/Dunphy Inforation About the Final Exa The final exa is cuulative, covering Appendix A (A.1-A.5) and Chapter 1. All probles will be ultiple choice

More information

An Efficient ID-based Digital Signature with Message Recovery Based on Pairing

An Efficient ID-based Digital Signature with Message Recovery Based on Pairing An Efficient ID-based Digital Signature with Message Recovery Based on Pairing Raylin Tso, Chunxiang Gu, Takeshi Okamoto, and Eiji Okamoto Department of Risk Engineering Graduate School of Systems and

More information

In this chapter, we consider several graph-theoretic and probabilistic models

In this chapter, we consider several graph-theoretic and probabilistic models THREE ONE GRAPH-THEORETIC AND STATISTICAL MODELS 3.1 INTRODUCTION In this chapter, we consider several graph-theoretic and probabilistic odels for a social network, which we do under different assuptions

More information

Homework 3 Solutions CSE 101 Summer 2017

Homework 3 Solutions CSE 101 Summer 2017 Hoework 3 Solutions CSE 0 Suer 207. Scheduling algoriths The following n = 2 jobs with given processing ties have to be scheduled on = 3 parallel and identical processors with the objective of iniizing

More information

On Poset Merging. 1 Introduction. Peter Chen Guoli Ding Steve Seiden. Keywords: Merging, Partial Order, Lower Bounds. AMS Classification: 68W40

On Poset Merging. 1 Introduction. Peter Chen Guoli Ding Steve Seiden. Keywords: Merging, Partial Order, Lower Bounds. AMS Classification: 68W40 On Poset Merging Peter Chen Guoli Ding Steve Seiden Abstract We consider the follow poset erging proble: Let X and Y be two subsets of a partially ordered set S. Given coplete inforation about the ordering

More information

Efficient Filter Banks And Interpolators

Efficient Filter Banks And Interpolators Efficient Filter Banks And Interpolators A. G. DEMPSTER AND N. P. MURPHY Departent of Electronic Systes University of Westinster 115 New Cavendish St, London W1M 8JS United Kingdo Abstract: - Graphical

More information

Sharp Time Data Tradeoffs for Linear Inverse Problems

Sharp Time Data Tradeoffs for Linear Inverse Problems Sharp Tie Data Tradeoffs for Linear Inverse Probles Saet Oyak Benjain Recht Mahdi Soltanolkotabi January 016 Abstract In this paper we characterize sharp tie-data tradeoffs for optiization probles used

More information

A remark on a success rate model for DPA and CPA

A remark on a success rate model for DPA and CPA A reark on a success rate odel for DPA and CPA A. Wieers, BSI Version 0.5 andreas.wieers@bsi.bund.de Septeber 5, 2018 Abstract The success rate is the ost coon evaluation etric for easuring the perforance

More information

1 Bounding the Margin

1 Bounding the Margin COS 511: Theoretical Machine Learning Lecturer: Rob Schapire Lecture #12 Scribe: Jian Min Si March 14, 2013 1 Bounding the Margin We are continuing the proof of a bound on the generalization error of AdaBoost

More information

SM9 identity-based cryptographic algorithms Part 1: General

SM9 identity-based cryptographic algorithms Part 1: General SM9 identity-based cryptographic algorithms Part 1: General Contents 1 Scope... 1 2 Terms and definitions... 1 2.1 identity... 1 2.2 master key... 1 2.3 key generation center (KGC)... 1 3 Symbols and abbreviations...

More information

Linear recurrences and asymptotic behavior of exponential sums of symmetric boolean functions

Linear recurrences and asymptotic behavior of exponential sums of symmetric boolean functions Linear recurrences and asyptotic behavior of exponential sus of syetric boolean functions Francis N. Castro Departent of Matheatics University of Puerto Rico, San Juan, PR 00931 francis.castro@upr.edu

More information

Design of Spatially Coupled LDPC Codes over GF(q) for Windowed Decoding

Design of Spatially Coupled LDPC Codes over GF(q) for Windowed Decoding IEEE TRANSACTIONS ON INFORMATION THEORY (SUBMITTED PAPER) 1 Design of Spatially Coupled LDPC Codes over GF(q) for Windowed Decoding Lai Wei, Student Meber, IEEE, David G. M. Mitchell, Meber, IEEE, Thoas

More information

Vulnerability of MRD-Code-Based Universal Secure Error-Correcting Network Codes under Time-Varying Jamming Links

Vulnerability of MRD-Code-Based Universal Secure Error-Correcting Network Codes under Time-Varying Jamming Links Vulnerability of MRD-Code-Based Universal Secure Error-Correcting Network Codes under Tie-Varying Jaing Links Jun Kurihara KDDI R&D Laboratories, Inc 2 5 Ohara, Fujiino, Saitaa, 356 8502 Japan Eail: kurihara@kddilabsjp

More information

Interactive Markov Models of Evolutionary Algorithms

Interactive Markov Models of Evolutionary Algorithms Cleveland State University EngagedScholarship@CSU Electrical Engineering & Coputer Science Faculty Publications Electrical Engineering & Coputer Science Departent 2015 Interactive Markov Models of Evolutionary

More information

Uniform Approximation and Bernstein Polynomials with Coefficients in the Unit Interval

Uniform Approximation and Bernstein Polynomials with Coefficients in the Unit Interval Unifor Approxiation and Bernstein Polynoials with Coefficients in the Unit Interval Weiang Qian and Marc D. Riedel Electrical and Coputer Engineering, University of Minnesota 200 Union St. S.E. Minneapolis,

More information

A Low-Complexity Congestion Control and Scheduling Algorithm for Multihop Wireless Networks with Order-Optimal Per-Flow Delay

A Low-Complexity Congestion Control and Scheduling Algorithm for Multihop Wireless Networks with Order-Optimal Per-Flow Delay A Low-Coplexity Congestion Control and Scheduling Algorith for Multihop Wireless Networks with Order-Optial Per-Flow Delay Po-Kai Huang, Xiaojun Lin, and Chih-Chun Wang School of Electrical and Coputer

More information

THE CONSTRUCTION OF GOOD EXTENSIBLE RANK-1 LATTICES. 1. Introduction We are interested in approximating a high dimensional integral [0,1]

THE CONSTRUCTION OF GOOD EXTENSIBLE RANK-1 LATTICES. 1. Introduction We are interested in approximating a high dimensional integral [0,1] MATHEMATICS OF COMPUTATION Volue 00, Nuber 0, Pages 000 000 S 0025-578(XX)0000-0 THE CONSTRUCTION OF GOOD EXTENSIBLE RANK- LATTICES JOSEF DICK, FRIEDRICH PILLICHSHAMMER, AND BENJAMIN J. WATERHOUSE Abstract.

More information

An Introduction to Pairings in Cryptography

An Introduction to Pairings in Cryptography An Introduction to Pairings in Cryptography Craig Costello Information Security Institute Queensland University of Technology INN652 - Advanced Cryptology, October 2009 Outline 1 Introduction to Pairings

More information

DTTF/NB479: Dszquphsbqiz Day 27

DTTF/NB479: Dszquphsbqiz Day 27 DTTF/NB479: Dszquphsbqiz Day 27 Announceents: Questions? This week: Discrete Logs, Diffie-Hellan, ElGaal Hash Functions and SHA-1 Birthday attacks Hash Functions Message (long) Cryptographic hash Function,

More information

Pattern Recognition and Machine Learning. Learning and Evaluation for Pattern Recognition

Pattern Recognition and Machine Learning. Learning and Evaluation for Pattern Recognition Pattern Recognition and Machine Learning Jaes L. Crowley ENSIMAG 3 - MMIS Fall Seester 2017 Lesson 1 4 October 2017 Outline Learning and Evaluation for Pattern Recognition Notation...2 1. The Pattern Recognition

More information