Provable Security in the Computational Model III Signatures David Pointcheval Ecole normale supérieure, CNRS & INRI Public-Key Encryption Signatures 2 dvanced Security for Signature dvanced Security Notions Hash-then-Invert Paradigm Zero-Knowledge Proofs The Forking Lemma MPRI Paris NS/CNRS/INRI Cascade David Pointcheval 1/51ENS/CNRS/INRI Cascade David Pointcheval 2/51 Public-Key Encryption Public-Key Encryption Signatures 2 dvanced Security for Signature Goal: Privacy/Secrecy of the plaintext NS/CNRS/INRI Cascade David Pointcheval 3/51ENS/CNRS/INRI Cascade David Pointcheval 4/51
OW CP Security Game IND CP Security Game m * random r * random m * c * r * m * =? m E m Succ ow S () = Pr[(sk, pk) K(); m R M; c = E pk (m) : (pk, c) m] k e G k d b {0,1} r random? b = b m 0 m 1 m r b E c * b k e G (sk, pk) K();(m 0, m 1, state) (pk); b R {0, 1};c = E pk (m b ); b (state, c) k d dv ind cpa S ()=Pr[b = 1 b = 1] Pr[b = 1 b = 0] = 2 Pr[b = b] 1 NS/CNRS/INRI Cascade David Pointcheval 5/51ENS/CNRS/INRI Cascade David Pointcheval 6/51 Signature Public-Key Encryption Signatures 2 dvanced Security for Signature Goal: uthentication of the sender NS/CNRS/INRI Cascade David Pointcheval 7/51ENS/CNRS/INRI Cascade David Pointcheval 8/51
EUF NM k v G k s V(k v,m,σ)? (m,σ) 2 dvanced Security for Signature dvanced Security Notions Hash-then-Invert Paradigm Succ euf SG () = Pr[(sk, pk) K(); (m, σ) (pk) : V pk(m, σ) = 1] NS/CNRS/INRI Cascade David Pointcheval 9/51ENS/CNRS/INRI Cascade David Pointcheval 10/51 Signature EUF NM k v G k s (m,σ) V(k v,m,σ)? Goal: uthentication of the sender The adversary knows the public key only, whereas signatures are not private! NS/CNRS/INRI Cascade David Pointcheval 11/51ENS/CNRS/INRI Cascade David Pointcheval 12/51
EUF CM SUF CM [Stern-Pointcheval-Malone-Lee-Smart Crypto 01] k v G k s k v G k s i, m m i V(k v,m,σ)? (m,σ) The adversary has access to any signature of its choice: Chosen-Message ttacks (oracle access): [ (sk, pk) K(); (m, σ) SG () = Pr S (pk) : i, m m i V pk (m, σ) = 1 m i σ i S ] (m,σ) i, (m,σ) (m i,σ i ) V(k v,m,σ)? The notion is even stronger (in case of probabilistic signature): also known as non-malleability: [ Succ suf cma (sk, pk) K(); (m, σ) SG () = Pr S (pk) : i, (m, σ) (m i, σ i ) V pk (m, σ) = 1 m i σ i S ] NS/CNRS/INRI Cascade David Pointcheval 13/51ENS/CNRS/INRI Cascade David Pointcheval 14/51 Full-Domain Hash Signature [Bellare-Rogaway Eurocrypt 94] Signature Scheme 2 dvanced Security for Signature dvanced Security Notions Hash-then-Invert Paradigm R Key generation: the public key f P is a trapdoor one-way bijection from X onto Y ; the private key is the inverse g : Y X; Signature of M Y : σ = g(m); Verification of (M, σ): check f (σ) = M Full-Domain Hash (Hash-and-Invert) H : {0, 1} Y in order to sign m, one computes M = H(m) Y, and σ = g(m) and the verification consists in checking whether f (σ) = H(m) NS/CNRS/INRI Cascade David Pointcheval 15/51ENS/CNRS/INRI Cascade David Pointcheval 16/51
Random Oracle Model Security of the Signature Random Oracle H is modelled as a truly random function, from {0, 1} into Y. Formally, H is chosen at random at the beginning of the game. More concretely, for any new query, a random element in Y is uniformly and independently drawn ny security game becomes: [ SG ()=Pr H R Y ; (sk, pk) K(); (m, σ) S,H (pk) : i, m m i V pk (m, σ) = 1 ] Theorem The signature achieves EUF CM security, under the One-Wayness of P, in the Random Oracle Model: ssumptions: (t) q H Succ ow P (t + q Hτ f ) any signing query has been first asked to H the forgery has been asked to H τ f is the maximal time to evaluate f P NS/CNRS/INRI Cascade David Pointcheval 17/51ENS/CNRS/INRI Cascade David Pointcheval 18/51 Real ttack Game Simulations Game 0 K Oracles S H Game 0 : use of the oracles K, S and H Game 1 : use of the simulation of the Random Oracle Random Oracle dversary H(m): M R Y, output M pk m,σ Challenger (pk, sk) K() Checks (m,σ) if new and valid: 1 else 0 0 / 1 Key Generation Oracle K(): (f, g) R P, sk g, pk f Simulation of H H(m): µ R X, output M = f (µ) = Hop-D-Perfect: Pr Game1 [1] = Pr Game0 [1] Game 2 : use of the simulation of the Signing Oracle Simulation of S S(m): find µ such that M = H(m) = f (µ), output σ = µ Signing Oracle S(m): M = H(m), output σ = g(m) = Hop-S-Perfect: Pr Game2 [1] = Pr Game1 [1] NS/CNRS/INRI Cascade David Pointcheval 19/51ENS/CNRS/INRI Cascade David Pointcheval 20/51
H-Query Selection OW Instance Game 3 : random index t Event Ev R {1,..., q H } If the t-th query to H is not the output forgery We terminate the game and output 0 if Ev happens = Hop-S-Non-Negl Then, clearly = Pr[ Ev] Game 3 Game 2 = 1 Game 3 Game 2 q H Pr[Ev] = 1 1/q H R Game 4 : P OW instance (f, y) (where f P, x R X, y = f (x)) Use of the simulation of the Key Generation Oracle Simulation of K K(): set pk f Modification of the simulation of the Random Oracle Simulation of H If this is the t-th query, H(m): M y, output M The unique difference is for the t-th simulation of the random oracle, for which we cannot compute a signature. But since it corresponds to the forgery output, it cannot be queried to the signing oracle: = Hop-S-Perfect: Pr Game4 [1] = Pr Game3 [1] NS/CNRS/INRI Cascade David Pointcheval 21/51ENS/CNRS/INRI Cascade David Pointcheval 22/51 Summary Key Size In Game 4, when the output is 1, σ = g(y) = g(f (x)) = x and the simulator computes one exponentiation per hashing: Game 4 Succ ow P (t + q Hτ f ) Game 4 = Game 3 Game 3 = 1 Game 2 q H Game 2 = Game 1 Game 1 = Game 0 = () Game 0 () q H Succ ow P (t + q Hτ f ) () q H Succ ow P (t + q Hτ f ) If one wants (t) ε with t/ε 280 If one allows q H up to 2 60 Then one needs Succ ow P (t) ε with t/ε 2140. If one uses -RS: at least 3072 bit keys are needed. NS/CNRS/INRI Cascade David Pointcheval 23/51ENS/CNRS/INRI Cascade David Pointcheval 24/51
Improvement [Coron Crypto 00] Signature Oracle In the case that f is homomorphic (as RS): f (ab) = f (a)f (b) Game 0 : use of the oracles K, S and H Game 1 : use of the simulation of the Random Oracle Simulation of H H(m): µ R X, output M = f (µ) = Hop-D-Perfect: Pr Game1 [1] = Pr Game0 [1] Game 2 : use of the homomorphic property R P OW instance (f, y) (where f P, x R X, y = f (x)) Game 3 : use of the simulation of the Signing Oracle Simulation of S S(m): find µ such that M = H(m) = f (µ), output σ = µ Fails (with output 0) if H(m) = M = y f (µ): but with probability p q S = Hop-S-Non-Negl: Pr Game3 [1] = Pr Game2 [1] p q S Simulation of H H(m): flip a biased coin b (with Pr[b = 0] = p), µ R X. If b = 0, output M = f (µ), otherwise output M = y f (µ) = Hop-D-Perfect: Pr Game2 [1] = Pr Game1 [1] NS/CNRS/INRI Cascade David Pointcheval 25/51ENS/CNRS/INRI Cascade David Pointcheval 26/51 Summary Key Size In Game 3, when the output is 1, with probability 1 p: σ = g(m) = g(y f (µ)) = g(y) g(f (µ)) = g(f (x)) µ = x µ Succ ow Game 3 P (t + q Hτ f )/(1 p) Game 3 = p q S Game 2 Game 2 = Game 1 Game 1 = Game 0 = () Game 0 () 1 (1 p)p q S Succ ow P (t + q Hτ f ) () 1 (1 p)p q S The maximal for p (1 p)p q S is reached for p = 1 1 q S + 1 Succ ow P (t + q Hτ f ) ( 1 q S + 1 1 1 ) qs e 1 q S + 1 q S If one wants (t) ε with t/ε 280 If one allows q S up to 2 30 Then one needs Succ ow P (t) ε with t/ε 2110. If one uses -RS: 2048 bit keys are enough. NS/CNRS/INRI Cascade David Pointcheval 27/51ENS/CNRS/INRI Cascade David Pointcheval 28/51
Proof of Knowledge How do I prove that I know a solution s to a problem P? Public Data P 2 dvanced Security for Signature Prover Verifier Zero-Knowledge Proofs The Forking Lemma ω Secret s communication Polynomial Size B ω B Polynomial Time NS/CNRS/INRI Cascade David Pointcheval 29/51ENS/CNRS/INRI Cascade David Pointcheval 30/51 Proof of Knowledge: Soundness Proof of Knowledge: Zero-Knowledge If I can be accepted, I really know a solution: extractor Public Data P How do I prove that I know a solution s to a problem P? I reveal the solution... How can do it without revealing any information? Zero-knowledge: simulator Prover Extractor Public Data P s ω communication ω E s ω E s Prover Simulator ω communication Indistinguishable Verifier B S ωs communication ω B NS/CNRS/INRI Cascade David Pointcheval 31/51ENS/CNRS/INRI Cascade David Pointcheval 32/51
Proof of Knowledge How do I prove that I know a 3-color covering, without revealing any information? Secure Multiple Proofs of Knowledge: uthentication If there exists an efficient adversary, then one can solve the underlying problem: Cheater C 1 ω1 communication Simulator S ω S (a) Hist Public Data P I choose a random permutation on the colors and I apply it to the vertices I mask the vertices and send it to the verifier The verifier chooses an edge I open it The verifier checks the validity: 2 different colors Cheater C 2 ω2 communication ω 2 Extractor E ωe s NS/CNRS/INRI Cascade David Pointcheval 33/51ENS/CNRS/INRI Cascade David Pointcheval 34/51 Schnorr Proofs [Schnorr Eurocrypt 89 - Crypto 89] Generic Zero-Knowledge Proofs Zero-Knowledge Proof Setting: (G = g ) of order q P knows x, such thaty = g x and wants to prove it to V P chooses K R Z q sets and sends r = g K V chooses h R {0, 1} k and sends it to P P computes and sends s = K + xh mod q V checks whether r? = g s y h Signature (G = g ) of order q H: {0, 1} Z q Key Generation (y, x) private key x Z q public key y = g x Signature of m (r, h, s) K R Z q r = g K h = H(m, r) and s = K + xh mod q Verification of (m, r, s) compute h = H(m, r) and check r? = g s y h Zero-Knowledge Proof Proof of knowledge of x, such that R(x, y) P builds a commitment r and sends it to V V chooses a challenge h R {0, 1} k for P P computes and sends the answer s V checks (r, h, s) Signature H viewed as a random oracle Key Generation (y, x) private: x public: y Signature of m (r, h, s) Commitment r Challenge h = H(m, r) nswer s Verification of (m, r, s) compute h = H(m, r) and check (r, h, s) NS/CNRS/INRI Cascade David Pointcheval 35/51ENS/CNRS/INRI Cascade David Pointcheval 36/51
Σ Protocols Zero-Knowledge Proof Proof of knowledge of x P sends a commitment r V sends a challenge h P sends the answer s V checks (r, h, s) Signature Key Generation (y, x) Signature of m (r, h, s) Commitment r Challenge h = H(m, r) nswer s Verification of (m, r, s) compute h = H(m, r) and check (r, h, s) 2 dvanced Security for Signature Zero-Knowledge Proofs The Forking Lemma Special soundness If one can answer to two different challenges h h : s and s for a unique commitment r, one can extract x NS/CNRS/INRI Cascade David Pointcheval 37/51ENS/CNRS/INRI Cascade David Pointcheval 38/51 Splitting Lemma Splitting Lemma Proof Idea When a subset is large in a product space X Y, it has many large sections. The Splitting Lemma Let X Y such that Pr[(x, y) ] ε. For any α < ε, define { } B α = (x, y) X Y Pr [(x, y ) ] ε α, then y Y (i) Pr[B α ] α (ii) (x, y) B α, Pr y Y [(x, y ) ] ε α. (iii) Pr[B α ] α/ε. (i) we argue by contradiction, using the notation B for the complement of B in X Y. ssume that Pr[B α ] < α. Then, ε Pr[B] Pr[ B] + Pr[ B] Pr[ B] < α 1 + 1 (ε α) = ε. (ii) straightforward. (iii) using Bayes law: Pr[B ] = 1 Pr[ B ] = 1 Pr[ B] Pr[ B]/ Pr[] 1 (ε α)/ε = α/ε. NS/CNRS/INRI Cascade David Pointcheval 39/51ENS/CNRS/INRI Cascade David Pointcheval 40/51
Forking Lemma [Pointcheval-Stern Eurocrypt 96] Forking Lemma Proof Theorem (The Forking Lemma) Let (K, S, V) be a digital signature scheme with security parameter k, with a signature as above, of the form (m, r, h, s), where h = H(m, r) and s depends on r and h only. Let be a probabilistic polynomial time Turing machine whose input only consists of public data and which can ask q H queries to the random oracle, with q H > 0. We assume that, within the time bound T, produces, with probability ε 7q H /2 k, a valid signature (m, r, h, s). Then, within time T 16q H T /ε, and with probability ε 1/9, a replay of this machine outputs two valid signatures (m, r, h, s) and (m, r, h, s ) such that h h. is a PPTM with random tape ω. During the attack, asks a polynomial number of queries to H. We may assume that these questions are distinct: Q 1,..., Q qh are the q H distinct questions and let H = (h 1,..., h qh ) be the list of the q H answers of H. Note: a random choice of H = a random choice of H. For a random choice of (ω, H), with probability ε, outputs a valid signature (m, r, h, s). Since H is a random oracle, the probability for h to be equal to H(m, r) is less than 1/2 k, unless it has been asked during the attack. ccordingly, we define Ind H (ω) to be the index of this question: (m, r) = Q IndH (ω) (Ind H (ω) = if the question is never asked). NS/CNRS/INRI Cascade David Pointcheval 41/51ENS/CNRS/INRI Cascade David Pointcheval 42/51 Forking Lemma Proof Forking Lemma Proof We then define the sets S = { (ω, H) H (ω) succeeds & Ind H (ω) }, S i = { (ω, H) H (ω) succeeds & Ind H (ω) = i } i {1,..., q H }. Note: the set {S i } is a partition of S. ν = Pr[S] ε 1/2 k. Since ε 7q H /2 k 7/2 k, then ν 6ε/7. Let I be the set consisting of the most likely indices i, I = {i Pr[S i S] 1/2q H }. Lemma Pr[Ind H (ω) I S] 1 2. By definition of S i, Pr[Ind H (ω) I S] = Pr[S i S] = 1 Pr[S i S]. i I i I Since the complement of I contains fewer than q H elements, Pr[S i S] q H 1/2q H 1/2. i I NS/CNRS/INRI Cascade David Pointcheval 43/51ENS/CNRS/INRI Cascade David Pointcheval 44/51
Forking Lemma Proof Forking Lemma Proof We run 2/ε times, with independent random ω and random H. Since ν = Pr[S] 6ε/7, with probability greater than 1 (1 ν) 2/ε 4/5, we get at least one pair (ω, H) in S. We apply the Splitting Lemma, with ε = ν/2q h and α = ε/2, for i I. We denote by H i the restriction of H to queries of index < i. Since Pr[S i ] ν/2q H, there exists a subset Ω i such that, (ω, H) Ω i, Pr H [(ω, H ) S i H i = H i ] ν 4q H Pr[Ω i S i ] 1 2. Since all the subsets S i are disjoint, Pr [( i I) (ω, H) Ω i S i S] ω,h [ ] = Pr (Ω i S i ) S = Pr[Ω i S i S] i I i I = ( ) Pr[Ω i S i ] Pr[S i S] Pr[S i S] /2 1 4. i I i I We let β denote the index Ind H (ω) of to the successful pair. With prob. at least 1/4, β I and (ω, H) S β Ω β. With prob. greater than 4/5 1/4 = 1/5, the 2/ε attacks provided a successful pair (ω, H), with β = Ind H (ω) I and (ω, H) S β. NS/CNRS/INRI Cascade David Pointcheval 45/51ENS/CNRS/INRI Cascade David Pointcheval 46/51 Forking Lemma Proof Forking Lemma Proof We know that Pr H [(ω, H ) S β H β = H β] ν/4q H. Then Pr H [(ω, H ) S β and h β h β H β = H β] Pr H [(ω, H ) S β H β = H β] Pr H [h β = h β] ν/4q H 1/2 k, where h β = H(Q β ) and h β = H (Q β ). Using the assumption that ε 7q H /2 k, the above prob. is ε/14q H. We replay the attack 14q H /ε times with a new random oracle H such that H β = H β, and get another success with probability greater than 1 (1 ε/14q H ) 14q H/ε 3/5. H H Q 1 h 1 (m, r) Q i 1 Q i hi 1 h i h i Q j... (m, r, h h j i, s) h j (m, r, h i, s ) Finally, after less than 2/ε + 14q H /ε repetitions of the attack, with probability greater than 1/5 3/5 1/9, we have obtained two signatures (m, r, h, s) and (m, r, h, s ), both valid w.r.t. their specific random oracle H or H : Q β = (m, r) and h = H(Q β ) H (Q β ) = h. NS/CNRS/INRI Cascade David Pointcheval 47/51ENS/CNRS/INRI Cascade David Pointcheval 48/51
Chosen-Message ttacks In order to answer signing queries, one simply uses the simulator of the zero-knowledge proof: (r, h, s), and we set H(m, r) h. The random oracle programming may fail, but with negligible probability. Public-Key Encryption Signatures 2 dvanced Security for Signature dvanced Security Notions Hash-then-Invert Paradigm Zero-Knowledge Proofs The Forking Lemma NS/CNRS/INRI Cascade David Pointcheval 49/51ENS/CNRS/INRI Cascade David Pointcheval 50/51 Conclusion Two generic methodologies for signatures hash and invert the Forking Lemma Both in the random-oracle model Cramer-Shoup: based on the flexible RS problem Based on Pairings etc NS/CNRS/INRI Cascade David Pointcheval 51/51