Short Signatures Without Random Oracles

Transcription

1 Short Signatures Without Random Oracles Dan Boneh and Xavier Boyen (presented by Aleksandr Yampolskiy)

2 Outline Motivation Preliminaries Secure short signature Extensions Conclusion

3 Why signatures without random oracles? random oracle model H( ) ¼ perfectly random function [FS87] useful yet often unrealistic [CGH98] most signatures without random oracles [GHR99, CS00] based on strong RSA assumption

4 Why this paper? strong RSA problem Given N=pq, g2 Z n*, find (c, g 1/c ), c2 Z. Difficult because group order φ(n) is hidden. Useful property: From (N, g), we can construct (N, h) with q known solutions (c i, h 1/c i). Any new solution (c *, h 1/c* ) gives solution to original scheme. Can we have a similar property in a group with known order p?

5 Outline Motivation Preliminaries Secure short signature Extensions Conclusion

6 Secure Signatures signature scheme = (KeyGen, Sign, Verify) strong existential unforgeability (suf-cma) [ADR02] setup (PK, SK) Ã KeyGen PK challenger adversary

7 Secure Signatures (cont.) signature scheme = (KeyGen, Sign, Verify) strong existential unforgeability (suf-cma) [ADR02] setup queries (M 1, σ 1 ),, (M qs, σ qs ) (PK, SK) M i PK σ i = Sign(SK i, M i ) challenger adversary

8 Secure Signatures (cont.) signature scheme = (KeyGen, Sign, Verify) strong existential unforgeability (suf-cma) [ADR02] setup queries (M 1, σ 1 ),, (M qs, σ qs ) outputs new (M *, σ * )? (M i, σ i ); wins if valid (PK, SK) (Μ, σ ) PK challenger adversary

9 Secure Signatures (cont.) signature weak scheme = (KeyGen, Sign, Verify) strong existential unforgeability (wuf-cma) setup non-adaptive queries (M 1, σ 1 ),, (M qs, σ qs ) 8i M *? M i outputs new (M *, σ * )? (M i, σ i ); wins if valid (PK, SK) (Μ, σ ) PK challenger adversary

10 Bilinear Groups G 1, G 2 : cyclic groups of prime order p; G T : group of order p bilinear map e: G 1 G 2 a G T bilinear: 8u2 G 1, v2 G 2 ; 8a,b 2 Z e(u a, v b ) = e(u, v) ab non-degenerate: e(g 1, g 2 )? 1 efficiently computable: 9Ψ: G 2 a G 1 can construct bilinear maps from Weil pairing [JN01]

11 Strong Diffie-Hellman Assumption q-sdh problem: given (g 1, g 2, g 2x,, g 2 (x q ) ), output (c, g 1 1/(x+c) ), where c 2 Z p * ( hard Checking that (c, s) is a valid pair ( easy Simply test if e(s, g 2c g 2x ) = e(g 1, g 2 )? Prior works [BB04, MSK02] used weaker q-dhi problem: given (g 1, g 2, g 2x,, g 2 (x q ) ; c ), output g 1 1/(x+c).

12 Outline Motivation Preliminaries Secure short signature Extensions Conclusion

13 Short Signature Scheme S Key generation: Pick x,y 2 r Z p*. Let u=g 1x, v=g 2y. Public key is PK = (g 1, g 2, u, v). Secret key is SK = (x, y). Signing: To sign m2 Z p*, pick r2 r Z p*. Compute σ = g 1 1/(x+m+yr). Signature is (σ, r). Verification: Given m and σ, output valid if e(σ, u g 2m v r ) = e(g 1, g 2 ). 2log 2 (p) bits ¼ 40 bytes

14 Main Theorem Thm: Suppose (q, t', ε')-sdh assumption holds. Then signature scheme S is (q s, t, ε)-secure against existential forgeries under (strong) CMA, where t' ¼ t, q s < q, and ε' ¼ ε/2.

15 Proof Idea : big picture 1. Simplified signature scheme S' 2. q-sdh is hard ) S' is wuf-cma 3. S' is wuf-cma ) S is suf-cma Hence, q-sdh is hard ) S is suf-cma

16 Proof Idea : 1/3 Simplified signature S Key Generation: PK = (g 1, g 2, g 2x ), SK = x Signing: To sign m, compute σ = g 1 1/(x+m) Verification: On input (m, σ), return valid if e(σ, g 2x g 2m ) = e(g 1, g 2 )

17 Proof Idea : 2/3 Lemma: q-sdh is hard ) S' is wuf-cma Idea: property of q-sdh ¼ property of strong RSA Given g 2, g 2x,, g 2 x q Can construct new instance h, h x,, h xq with q -1 known solutions (c i, h 1/(x+c i ) ) for specially chosen c i so that any new solution (c *, h 1/(x+c*) ) produced by forger yields a solution (c, g 2 1/(x+c) ).

18 Proof Idea : 3/3 Lemma: S' is wuf-cma ) S is suf-cma Idea: σ 1,,σ q B weak A strong challenger w 1,, w q PK=(g 1, g 2, u) A sends m 1,, m q to B. Gets back (s i, r i ), i=1..q s. Then A outputs forgery (m *, s *, r * ). Let w i = m i + yr i for i=1.. q s and w * = m * + yr *. Type-1 forger: w *? w 1,, w qs Type-2 forger: w * is one of w 1,, w qs

19 Proof Idea : 3/3 (cont.) Upon startup, B guesses what type of forger A is If B chose Type-1: it picks y2 Z p*, PK = (g 1, g 2, u, g 2y ) on l-th Sign(m) request from A, set r l = (w l m) / y and return (σ l, r l ) given forgery (m *, s *, r * ) by A, return (w *, s * ) If B chose Type-2: it picks x2 Z p*, PK = (g 1, g 2, g 2x, u) on l-th Sign(m) request from A, set r l = (x + m) / w l and return (σ l 1/r l, r l ) given forgery (m *, s *, r * ) by A, return ((x+m * )/r *, s * ).

20 Outline Motivation Preliminaries Secure short signature Extensions Conclusion

21 Extensions To sign arbitrary messages, simply hash them in advance: h: {0,1} * a Z p * We can use Pollard s Λ method for limited message recovery. If we use random oracles, we can achieve even shorter signatures: σ Ã g 1 1/(x+H(m))

22 Conclusion Short signature based on a novel q-sdh assumption. Proved secure without random oracles! Final thoughts: Is there anything left to extend? Can q-sdh be utilized for something else? (BBS04)