Outline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.

Similar documents
Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

Schnorr Signature. Schnorr Signature. October 31, 2012

Some Security Comparisons of GOST R and ECDSA Signature Schemes

Security Arguments for Digital Signatures and Blind Signatures

Advanced Cryptography 1st Semester Public Encryption

Constructing Provably-Secure Identity-Based Signature Schemes

Q B (pk, sk) Gen x u M pk y Map pk (x) return [B(pk, y)? = x]. (m, s) A O h

Provable security. Michel Abdalla

Digital Signatures from Challenge-Divided Σ-Protocols

Provable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design

Lecture 18: Message Authentication Codes & Digital Signa

1 Number Theory Basics

Design Validations for Discrete Logarithm Based Signature Schemes

Security Proofs for Signature Schemes. Ecole Normale Superieure. 45, rue d'ulm Paris Cedex 05

Chosen-Ciphertext Security without Redundancy

The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography

CPA-Security. Definition: A private-key encryption scheme

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

Uninstantiability of Full-Domain Hash

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Basics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018

Secure and Practical Identity-Based Encryption

Chosen Ciphertext Security with Optimal Ciphertext Overhead

New Approach for Selectively Convertible Undeniable Signature Schemes

Block Ciphers/Pseudorandom Permutations

ON CIPHERTEXT UNDETECTABILITY. 1. Introduction

RSA OAEP is Secure under the RSA Assumption

Katz, Lindell Introduction to Modern Cryptrography

From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes

The Gap-Problems: a New Class of Problems for the Security of Cryptographic Schemes

Cryptographical Security in the Quantum Random Oracle Model

Computational security & Private key encryption

Digital Signature Schemes and the Random Oracle Model. A. Hülsing

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

OAEP Reconsidered. Victor Shoup. IBM Zurich Research Lab, Säumerstr. 4, 8803 Rüschlikon, Switzerland

Modern symmetric-key Encryption

Non-malleability under Selective Opening Attacks: Implication and Separation

On The Security of The ElGamal Encryption Scheme and Damgård s Variant

Strongly Unforgeable Signatures Based on Computational Diffie-Hellman

A DL Based Short Strong Designated Verifier Signature Scheme with Low Computation

Advanced Topics in Cryptography

2 Message authentication codes (MACs)

Equivalence between Semantic Security and Indistinguishability against Chosen Ciphertext Attacks

PAPER An Identification Scheme with Tight Reduction

Random Oracles in a Quantum World

Provable Security Proofs and their Interpretation in the Real World

Extractable Perfectly One-way Functions

MTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu

Digital Signatures. Adam O Neill based on

An Identification Scheme Based on KEA1 Assumption

The Random Oracle Model and the Ideal Cipher Model are Equivalent

How to Enhance the Security of Public-Key. Encryption at Minimum Cost 3. NTT Laboratories, 1-1 Hikarinooka Yokosuka-shi Kanagawa Japan

A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model

10 Concrete candidates for public key crypto

Foundations of Cryptography

ECS 189A Final Cryptography Spring 2011

RSA and Rabin Signatures Signcryption

Efficient Smooth Projective Hash Functions and Applications

Digital signature schemes

Transitive Signatures Based on Non-adaptive Standard Signatures

Certificateless Signcryption without Pairing

On the (In)security of the Fiat-Shamir Paradigm

Smooth Projective Hash Function and Its Applications

Lecture 14 - CCA Security

Boneh-Franklin Identity Based Encryption Revisited

III. Pseudorandom functions & encryption

Lecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]

Evaluation Report on the ECDSA signature scheme

Models and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5

Introduction to Elliptic Curve Cryptography

On The (In)security Of Fischlin s Paradigm

John Hancock enters the 21th century Digital signature schemes. Table of contents

Encoding-Free ElGamal Encryption Without Random Oracles

1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds

ASYMMETRIC ENCRYPTION

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

ID-based tripartite key agreement with signatures

VI. The Fiat-Shamir Heuristic

Augmented Black-Box Simulation and Zero Knowledge Argument for NP

Simple SK-ID-KEM 1. 1 Introduction

Parallel Decryption Queries in Bounded Chosen Ciphertext Attacks

Short Unique Signatures from RSA with a Tight Security Reduction (in the Random Oracle Model)

Short Exponent Diffie-Hellman Problems

SIS-based Signatures

Provably Secure Partially Blind Signatures

f (x) f (x) easy easy

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Lecture 1. 1 Introduction to These Notes. 2 Trapdoor Permutations. CMSC 858K Advanced Topics in Cryptography January 27, 2004

CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols

Type-based Proxy Re-encryption and its Construction

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

PSS Is Secure against Random Fault Attacks

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

A Practical Elliptic Curve Public Key Encryption Scheme Provably Secure Against Adaptive Chosen-message Attack

Analysis of Random Oracle Instantiation Scenarios for OAEP and other Practical Schemes

Communication-Efficient Non-Interactive Proofs of Knowledge with Online Extractors

Transcription:

Provable Security in the Computational Model III Signatures David Pointcheval Ecole normale supérieure, CNRS & INRI Public-Key Encryption Signatures 2 dvanced Security for Signature dvanced Security Notions Hash-then-Invert Paradigm Zero-Knowledge Proofs The Forking Lemma MPRI Paris NS/CNRS/INRI Cascade David Pointcheval 1/51ENS/CNRS/INRI Cascade David Pointcheval 2/51 Public-Key Encryption Public-Key Encryption Signatures 2 dvanced Security for Signature Goal: Privacy/Secrecy of the plaintext NS/CNRS/INRI Cascade David Pointcheval 3/51ENS/CNRS/INRI Cascade David Pointcheval 4/51

OW CP Security Game IND CP Security Game m * random r * random m * c * r * m * =? m E m Succ ow S () = Pr[(sk, pk) K(); m R M; c = E pk (m) : (pk, c) m] k e G k d b {0,1} r random? b = b m 0 m 1 m r b E c * b k e G (sk, pk) K();(m 0, m 1, state) (pk); b R {0, 1};c = E pk (m b ); b (state, c) k d dv ind cpa S ()=Pr[b = 1 b = 1] Pr[b = 1 b = 0] = 2 Pr[b = b] 1 NS/CNRS/INRI Cascade David Pointcheval 5/51ENS/CNRS/INRI Cascade David Pointcheval 6/51 Signature Public-Key Encryption Signatures 2 dvanced Security for Signature Goal: uthentication of the sender NS/CNRS/INRI Cascade David Pointcheval 7/51ENS/CNRS/INRI Cascade David Pointcheval 8/51

EUF NM k v G k s V(k v,m,σ)? (m,σ) 2 dvanced Security for Signature dvanced Security Notions Hash-then-Invert Paradigm Succ euf SG () = Pr[(sk, pk) K(); (m, σ) (pk) : V pk(m, σ) = 1] NS/CNRS/INRI Cascade David Pointcheval 9/51ENS/CNRS/INRI Cascade David Pointcheval 10/51 Signature EUF NM k v G k s (m,σ) V(k v,m,σ)? Goal: uthentication of the sender The adversary knows the public key only, whereas signatures are not private! NS/CNRS/INRI Cascade David Pointcheval 11/51ENS/CNRS/INRI Cascade David Pointcheval 12/51

EUF CM SUF CM [Stern-Pointcheval-Malone-Lee-Smart Crypto 01] k v G k s k v G k s i, m m i V(k v,m,σ)? (m,σ) The adversary has access to any signature of its choice: Chosen-Message ttacks (oracle access): [ (sk, pk) K(); (m, σ) SG () = Pr S (pk) : i, m m i V pk (m, σ) = 1 m i σ i S ] (m,σ) i, (m,σ) (m i,σ i ) V(k v,m,σ)? The notion is even stronger (in case of probabilistic signature): also known as non-malleability: [ Succ suf cma (sk, pk) K(); (m, σ) SG () = Pr S (pk) : i, (m, σ) (m i, σ i ) V pk (m, σ) = 1 m i σ i S ] NS/CNRS/INRI Cascade David Pointcheval 13/51ENS/CNRS/INRI Cascade David Pointcheval 14/51 Full-Domain Hash Signature [Bellare-Rogaway Eurocrypt 94] Signature Scheme 2 dvanced Security for Signature dvanced Security Notions Hash-then-Invert Paradigm R Key generation: the public key f P is a trapdoor one-way bijection from X onto Y ; the private key is the inverse g : Y X; Signature of M Y : σ = g(m); Verification of (M, σ): check f (σ) = M Full-Domain Hash (Hash-and-Invert) H : {0, 1} Y in order to sign m, one computes M = H(m) Y, and σ = g(m) and the verification consists in checking whether f (σ) = H(m) NS/CNRS/INRI Cascade David Pointcheval 15/51ENS/CNRS/INRI Cascade David Pointcheval 16/51

Random Oracle Model Security of the Signature Random Oracle H is modelled as a truly random function, from {0, 1} into Y. Formally, H is chosen at random at the beginning of the game. More concretely, for any new query, a random element in Y is uniformly and independently drawn ny security game becomes: [ SG ()=Pr H R Y ; (sk, pk) K(); (m, σ) S,H (pk) : i, m m i V pk (m, σ) = 1 ] Theorem The signature achieves EUF CM security, under the One-Wayness of P, in the Random Oracle Model: ssumptions: (t) q H Succ ow P (t + q Hτ f ) any signing query has been first asked to H the forgery has been asked to H τ f is the maximal time to evaluate f P NS/CNRS/INRI Cascade David Pointcheval 17/51ENS/CNRS/INRI Cascade David Pointcheval 18/51 Real ttack Game Simulations Game 0 K Oracles S H Game 0 : use of the oracles K, S and H Game 1 : use of the simulation of the Random Oracle Random Oracle dversary H(m): M R Y, output M pk m,σ Challenger (pk, sk) K() Checks (m,σ) if new and valid: 1 else 0 0 / 1 Key Generation Oracle K(): (f, g) R P, sk g, pk f Simulation of H H(m): µ R X, output M = f (µ) = Hop-D-Perfect: Pr Game1 [1] = Pr Game0 [1] Game 2 : use of the simulation of the Signing Oracle Simulation of S S(m): find µ such that M = H(m) = f (µ), output σ = µ Signing Oracle S(m): M = H(m), output σ = g(m) = Hop-S-Perfect: Pr Game2 [1] = Pr Game1 [1] NS/CNRS/INRI Cascade David Pointcheval 19/51ENS/CNRS/INRI Cascade David Pointcheval 20/51

H-Query Selection OW Instance Game 3 : random index t Event Ev R {1,..., q H } If the t-th query to H is not the output forgery We terminate the game and output 0 if Ev happens = Hop-S-Non-Negl Then, clearly = Pr[ Ev] Game 3 Game 2 = 1 Game 3 Game 2 q H Pr[Ev] = 1 1/q H R Game 4 : P OW instance (f, y) (where f P, x R X, y = f (x)) Use of the simulation of the Key Generation Oracle Simulation of K K(): set pk f Modification of the simulation of the Random Oracle Simulation of H If this is the t-th query, H(m): M y, output M The unique difference is for the t-th simulation of the random oracle, for which we cannot compute a signature. But since it corresponds to the forgery output, it cannot be queried to the signing oracle: = Hop-S-Perfect: Pr Game4 [1] = Pr Game3 [1] NS/CNRS/INRI Cascade David Pointcheval 21/51ENS/CNRS/INRI Cascade David Pointcheval 22/51 Summary Key Size In Game 4, when the output is 1, σ = g(y) = g(f (x)) = x and the simulator computes one exponentiation per hashing: Game 4 Succ ow P (t + q Hτ f ) Game 4 = Game 3 Game 3 = 1 Game 2 q H Game 2 = Game 1 Game 1 = Game 0 = () Game 0 () q H Succ ow P (t + q Hτ f ) () q H Succ ow P (t + q Hτ f ) If one wants (t) ε with t/ε 280 If one allows q H up to 2 60 Then one needs Succ ow P (t) ε with t/ε 2140. If one uses -RS: at least 3072 bit keys are needed. NS/CNRS/INRI Cascade David Pointcheval 23/51ENS/CNRS/INRI Cascade David Pointcheval 24/51

Improvement [Coron Crypto 00] Signature Oracle In the case that f is homomorphic (as RS): f (ab) = f (a)f (b) Game 0 : use of the oracles K, S and H Game 1 : use of the simulation of the Random Oracle Simulation of H H(m): µ R X, output M = f (µ) = Hop-D-Perfect: Pr Game1 [1] = Pr Game0 [1] Game 2 : use of the homomorphic property R P OW instance (f, y) (where f P, x R X, y = f (x)) Game 3 : use of the simulation of the Signing Oracle Simulation of S S(m): find µ such that M = H(m) = f (µ), output σ = µ Fails (with output 0) if H(m) = M = y f (µ): but with probability p q S = Hop-S-Non-Negl: Pr Game3 [1] = Pr Game2 [1] p q S Simulation of H H(m): flip a biased coin b (with Pr[b = 0] = p), µ R X. If b = 0, output M = f (µ), otherwise output M = y f (µ) = Hop-D-Perfect: Pr Game2 [1] = Pr Game1 [1] NS/CNRS/INRI Cascade David Pointcheval 25/51ENS/CNRS/INRI Cascade David Pointcheval 26/51 Summary Key Size In Game 3, when the output is 1, with probability 1 p: σ = g(m) = g(y f (µ)) = g(y) g(f (µ)) = g(f (x)) µ = x µ Succ ow Game 3 P (t + q Hτ f )/(1 p) Game 3 = p q S Game 2 Game 2 = Game 1 Game 1 = Game 0 = () Game 0 () 1 (1 p)p q S Succ ow P (t + q Hτ f ) () 1 (1 p)p q S The maximal for p (1 p)p q S is reached for p = 1 1 q S + 1 Succ ow P (t + q Hτ f ) ( 1 q S + 1 1 1 ) qs e 1 q S + 1 q S If one wants (t) ε with t/ε 280 If one allows q S up to 2 30 Then one needs Succ ow P (t) ε with t/ε 2110. If one uses -RS: 2048 bit keys are enough. NS/CNRS/INRI Cascade David Pointcheval 27/51ENS/CNRS/INRI Cascade David Pointcheval 28/51

Proof of Knowledge How do I prove that I know a solution s to a problem P? Public Data P 2 dvanced Security for Signature Prover Verifier Zero-Knowledge Proofs The Forking Lemma ω Secret s communication Polynomial Size B ω B Polynomial Time NS/CNRS/INRI Cascade David Pointcheval 29/51ENS/CNRS/INRI Cascade David Pointcheval 30/51 Proof of Knowledge: Soundness Proof of Knowledge: Zero-Knowledge If I can be accepted, I really know a solution: extractor Public Data P How do I prove that I know a solution s to a problem P? I reveal the solution... How can do it without revealing any information? Zero-knowledge: simulator Prover Extractor Public Data P s ω communication ω E s ω E s Prover Simulator ω communication Indistinguishable Verifier B S ωs communication ω B NS/CNRS/INRI Cascade David Pointcheval 31/51ENS/CNRS/INRI Cascade David Pointcheval 32/51

Proof of Knowledge How do I prove that I know a 3-color covering, without revealing any information? Secure Multiple Proofs of Knowledge: uthentication If there exists an efficient adversary, then one can solve the underlying problem: Cheater C 1 ω1 communication Simulator S ω S (a) Hist Public Data P I choose a random permutation on the colors and I apply it to the vertices I mask the vertices and send it to the verifier The verifier chooses an edge I open it The verifier checks the validity: 2 different colors Cheater C 2 ω2 communication ω 2 Extractor E ωe s NS/CNRS/INRI Cascade David Pointcheval 33/51ENS/CNRS/INRI Cascade David Pointcheval 34/51 Schnorr Proofs [Schnorr Eurocrypt 89 - Crypto 89] Generic Zero-Knowledge Proofs Zero-Knowledge Proof Setting: (G = g ) of order q P knows x, such thaty = g x and wants to prove it to V P chooses K R Z q sets and sends r = g K V chooses h R {0, 1} k and sends it to P P computes and sends s = K + xh mod q V checks whether r? = g s y h Signature (G = g ) of order q H: {0, 1} Z q Key Generation (y, x) private key x Z q public key y = g x Signature of m (r, h, s) K R Z q r = g K h = H(m, r) and s = K + xh mod q Verification of (m, r, s) compute h = H(m, r) and check r? = g s y h Zero-Knowledge Proof Proof of knowledge of x, such that R(x, y) P builds a commitment r and sends it to V V chooses a challenge h R {0, 1} k for P P computes and sends the answer s V checks (r, h, s) Signature H viewed as a random oracle Key Generation (y, x) private: x public: y Signature of m (r, h, s) Commitment r Challenge h = H(m, r) nswer s Verification of (m, r, s) compute h = H(m, r) and check (r, h, s) NS/CNRS/INRI Cascade David Pointcheval 35/51ENS/CNRS/INRI Cascade David Pointcheval 36/51

Σ Protocols Zero-Knowledge Proof Proof of knowledge of x P sends a commitment r V sends a challenge h P sends the answer s V checks (r, h, s) Signature Key Generation (y, x) Signature of m (r, h, s) Commitment r Challenge h = H(m, r) nswer s Verification of (m, r, s) compute h = H(m, r) and check (r, h, s) 2 dvanced Security for Signature Zero-Knowledge Proofs The Forking Lemma Special soundness If one can answer to two different challenges h h : s and s for a unique commitment r, one can extract x NS/CNRS/INRI Cascade David Pointcheval 37/51ENS/CNRS/INRI Cascade David Pointcheval 38/51 Splitting Lemma Splitting Lemma Proof Idea When a subset is large in a product space X Y, it has many large sections. The Splitting Lemma Let X Y such that Pr[(x, y) ] ε. For any α < ε, define { } B α = (x, y) X Y Pr [(x, y ) ] ε α, then y Y (i) Pr[B α ] α (ii) (x, y) B α, Pr y Y [(x, y ) ] ε α. (iii) Pr[B α ] α/ε. (i) we argue by contradiction, using the notation B for the complement of B in X Y. ssume that Pr[B α ] < α. Then, ε Pr[B] Pr[ B] + Pr[ B] Pr[ B] < α 1 + 1 (ε α) = ε. (ii) straightforward. (iii) using Bayes law: Pr[B ] = 1 Pr[ B ] = 1 Pr[ B] Pr[ B]/ Pr[] 1 (ε α)/ε = α/ε. NS/CNRS/INRI Cascade David Pointcheval 39/51ENS/CNRS/INRI Cascade David Pointcheval 40/51

Forking Lemma [Pointcheval-Stern Eurocrypt 96] Forking Lemma Proof Theorem (The Forking Lemma) Let (K, S, V) be a digital signature scheme with security parameter k, with a signature as above, of the form (m, r, h, s), where h = H(m, r) and s depends on r and h only. Let be a probabilistic polynomial time Turing machine whose input only consists of public data and which can ask q H queries to the random oracle, with q H > 0. We assume that, within the time bound T, produces, with probability ε 7q H /2 k, a valid signature (m, r, h, s). Then, within time T 16q H T /ε, and with probability ε 1/9, a replay of this machine outputs two valid signatures (m, r, h, s) and (m, r, h, s ) such that h h. is a PPTM with random tape ω. During the attack, asks a polynomial number of queries to H. We may assume that these questions are distinct: Q 1,..., Q qh are the q H distinct questions and let H = (h 1,..., h qh ) be the list of the q H answers of H. Note: a random choice of H = a random choice of H. For a random choice of (ω, H), with probability ε, outputs a valid signature (m, r, h, s). Since H is a random oracle, the probability for h to be equal to H(m, r) is less than 1/2 k, unless it has been asked during the attack. ccordingly, we define Ind H (ω) to be the index of this question: (m, r) = Q IndH (ω) (Ind H (ω) = if the question is never asked). NS/CNRS/INRI Cascade David Pointcheval 41/51ENS/CNRS/INRI Cascade David Pointcheval 42/51 Forking Lemma Proof Forking Lemma Proof We then define the sets S = { (ω, H) H (ω) succeeds & Ind H (ω) }, S i = { (ω, H) H (ω) succeeds & Ind H (ω) = i } i {1,..., q H }. Note: the set {S i } is a partition of S. ν = Pr[S] ε 1/2 k. Since ε 7q H /2 k 7/2 k, then ν 6ε/7. Let I be the set consisting of the most likely indices i, I = {i Pr[S i S] 1/2q H }. Lemma Pr[Ind H (ω) I S] 1 2. By definition of S i, Pr[Ind H (ω) I S] = Pr[S i S] = 1 Pr[S i S]. i I i I Since the complement of I contains fewer than q H elements, Pr[S i S] q H 1/2q H 1/2. i I NS/CNRS/INRI Cascade David Pointcheval 43/51ENS/CNRS/INRI Cascade David Pointcheval 44/51

Forking Lemma Proof Forking Lemma Proof We run 2/ε times, with independent random ω and random H. Since ν = Pr[S] 6ε/7, with probability greater than 1 (1 ν) 2/ε 4/5, we get at least one pair (ω, H) in S. We apply the Splitting Lemma, with ε = ν/2q h and α = ε/2, for i I. We denote by H i the restriction of H to queries of index < i. Since Pr[S i ] ν/2q H, there exists a subset Ω i such that, (ω, H) Ω i, Pr H [(ω, H ) S i H i = H i ] ν 4q H Pr[Ω i S i ] 1 2. Since all the subsets S i are disjoint, Pr [( i I) (ω, H) Ω i S i S] ω,h [ ] = Pr (Ω i S i ) S = Pr[Ω i S i S] i I i I = ( ) Pr[Ω i S i ] Pr[S i S] Pr[S i S] /2 1 4. i I i I We let β denote the index Ind H (ω) of to the successful pair. With prob. at least 1/4, β I and (ω, H) S β Ω β. With prob. greater than 4/5 1/4 = 1/5, the 2/ε attacks provided a successful pair (ω, H), with β = Ind H (ω) I and (ω, H) S β. NS/CNRS/INRI Cascade David Pointcheval 45/51ENS/CNRS/INRI Cascade David Pointcheval 46/51 Forking Lemma Proof Forking Lemma Proof We know that Pr H [(ω, H ) S β H β = H β] ν/4q H. Then Pr H [(ω, H ) S β and h β h β H β = H β] Pr H [(ω, H ) S β H β = H β] Pr H [h β = h β] ν/4q H 1/2 k, where h β = H(Q β ) and h β = H (Q β ). Using the assumption that ε 7q H /2 k, the above prob. is ε/14q H. We replay the attack 14q H /ε times with a new random oracle H such that H β = H β, and get another success with probability greater than 1 (1 ε/14q H ) 14q H/ε 3/5. H H Q 1 h 1 (m, r) Q i 1 Q i hi 1 h i h i Q j... (m, r, h h j i, s) h j (m, r, h i, s ) Finally, after less than 2/ε + 14q H /ε repetitions of the attack, with probability greater than 1/5 3/5 1/9, we have obtained two signatures (m, r, h, s) and (m, r, h, s ), both valid w.r.t. their specific random oracle H or H : Q β = (m, r) and h = H(Q β ) H (Q β ) = h. NS/CNRS/INRI Cascade David Pointcheval 47/51ENS/CNRS/INRI Cascade David Pointcheval 48/51

Chosen-Message ttacks In order to answer signing queries, one simply uses the simulator of the zero-knowledge proof: (r, h, s), and we set H(m, r) h. The random oracle programming may fail, but with negligible probability. Public-Key Encryption Signatures 2 dvanced Security for Signature dvanced Security Notions Hash-then-Invert Paradigm Zero-Knowledge Proofs The Forking Lemma NS/CNRS/INRI Cascade David Pointcheval 49/51ENS/CNRS/INRI Cascade David Pointcheval 50/51 Conclusion Two generic methodologies for signatures hash and invert the Forking Lemma Both in the random-oracle model Cramer-Shoup: based on the flexible RS problem Based on Pairings etc NS/CNRS/INRI Cascade David Pointcheval 51/51

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback