COS433/Math 473: Cryptography. Mark Zhandry, Princeton University, Spring 2017
Previously
Digital Signatures
Algorithms: Gen() → (sk, pk); Sign(sk, m) → σ; Ver(pk, m, σ) → 0/1
Correctness: Pr[Ver(pk, m, Sign(sk, m)) = 1 : (sk, pk) ← Gen()] = 1
Many-time Signatures (CMA experiment)
Challenger: (sk, pk) ← Gen(); sends pk to the adversary.
Adversary: submits queries m_i and receives σ_i ← Sign(sk, m_i); finally outputs (m*, σ*).
Output 1 iff m* ∉ {m_1, ...} and Ver(pk, m*, σ*) = 1.
CMA-Adv(adversary) = Pr[experiment outputs 1]
Strong Security
Same experiment: (sk, pk) ← Gen(); the adversary gets pk, queries m_i and receives σ_i ← Sign(sk, m_i), and outputs (m*, σ*).
Output 1 iff (m*, σ*) ∉ {(m_1, σ_1), ...} and Ver(pk, m*, σ*) = 1.
CMA-Adv(adversary) = Pr[experiment outputs 1]
Signatures from TDPs
Gen_Sig() = Gen(); Sign(sk, m) = F^{-1}(sk, H(m)); Ver(pk, m, σ): check F(pk, σ) == H(m)
Theorem: If (Gen, F, F^{-1}) is a secure TDP and H is modeled as a random oracle, then (Gen_Sig, Sign, Ver) is (strongly) CMA-secure.
Basic Rabin Signatures
Gen_Sig(): let p, q be random large primes; sk = (p, q), pk = N = pq
Sign(sk, m): solve the equation σ^2 = H(m) mod N using the factors p, q; output σ
Ver(pk, m, σ): check σ^2 mod N == H(m)
Signatures from One-way Functions
One-way functions are sufficient to build signature schemes.
Therefore, signatures can be built from RSA, DDH, block ciphers, CRHFs, etc.
Limitation: poor performance in practice.
Lamport Signatures
Let F: X → Y be a one-way function, and let M = {0,1}^n be the message space.
Gen(): for each i = 1, ..., n and b ∈ {0,1}, pick x_{i,b} ← X and set y_{i,b} = F(x_{i,b}).
sk = (x_{i,b}), pk = (y_{i,b})
(Diagram: the n×2 grid of x_{i,b} (sk) mapped by F to the grid of y_{i,b} (pk), drawn for n = 5.)
Lamport Signatures
Sign(sk, m): output (x_{i,m_i})_{i=1,...,n}, i.e., reveal one preimage per message bit.
Ver(pk, m, σ): check F(x_{i,m_i}) = y_{i,m_i} for all i.
(Diagram: for n = 5, the revealed x_{i,m_i} highlighted in the sk grid and checked against y_{i,m_i} in the pk grid.)
Lamport Signatures
Theorem: If F is a secure OWF, then (Gen, Sign, Ver) is a (weakly) secure one-time signature scheme.
Proof
(Diagram: the 1-time experiment for n = 5. The forger receives pk = (y_{i,b}), asks for the signature on m, which reveals x_{i,m_i} for each i, and outputs a forgery (m*, σ*).)
Proof
Since m* ≠ m, there is some i such that m*_i ≠ m_i.
Suppose we know i, and that m_i = 1-b and m*_i = b.
Construct an adversary (the inverter) that inverts the OWF.
Proof
(Diagram: the inverter receives a challenge y* and builds pk by placing y* at position (i,b) and generating every other x_{j,c} and y_{j,c} = F(x_{j,c}) itself. It answers the signing query on m, which needs only x_{i,1-b}, and reads x* out of the forgery σ* at position (i,b), so that F(x*) = y*.)
Proof
The forger's view is exactly as in the 1-time CMA experiment, assuming the ith bit of m is 1-b and the ith bit of m* is b.
If the forger always chooses m, m* with these properties and forges with probability ε, then the inverter inverts with probability ε.
Proof
In general, the forger may choose m, m* to differ at arbitrary places: the differing positions may be randomly chosen, may depend on pk, may even depend on σ, and may never be at certain positions.
How do we make the inverter still succeed?
Proof
(Diagram: the inverter picks (i,b) ← [n] × {0,1} at random and embeds y* at position (i,b) of pk. If answering the signing query on m needs x_{i,b}, abort. If the forgery σ* contains no x_{i,b}, abort. Otherwise output x* = the preimage at position (i,b).)
Proof
pk is independent of (i,b), and m is independent of (i,b); therefore Pr[m_i = 1-b] = ½.
Conditioned on m_i = 1-b, signing succeeds.
σ is independent of i, so the forger forges with probability ε, independently of i.
Proof
We know that if the forger forges, then m* ≠ m.
Since m* is independent of i, with probability at least 1/n we have m*_i = 1 - m_i = b.
In this case the inverter succeeds in inverting y*.
Overall success probability = ½ · ε · 1/n = ε/2n.
Limitations of Lamport Signatures
Only weakly secure. Why? How to fix?
|pk|, |σ| >> |m|. How to fix?
Theorem: Given a secure OWF, it is possible to construct a strongly secure 1-time signature scheme where |m| >> |pk|, |σ|.
Signing Multiple Messages
Once the adversary sees two signed messages, security is lost (why?).
How do we sign multiple messages?
Signature Chaining
(Diagram: Alice holds sk_1, Bob holds pk_1. Alice sends (m_1, σ_1) with σ_1 ← Sign(sk_1, m_1); Bob checks Ver(pk_1, m_1, σ_1).)
Signature Chaining
(Diagram: Alice runs (sk_2, pk_2) ← Gen(), computes σ_1 ← Sign(sk_1, (m_1, pk_2)) and sends (m_1, (pk_2, σ_1)); Bob checks Ver(pk_1, (m_1, pk_2), σ_1).)
Signature Chaining
(Diagram: Alice now holds sk_2 and Bob holds pk_2. Alice sends (m_2, σ_2) with σ_2 ← Sign(sk_2, m_2); Bob checks Ver(pk_2, m_2, σ_2).)
Signature Chaining
Idea: Bob can be assured that pk_2 was in fact generated by Alice.
If Eve tampered with pk_2, then the signature on the first message would have been invalid.
Therefore, Alice can sign m_2 using sk_2, and Eve cannot produce a forged m_2 with a valid signature.
Can repeat the process to sign arbitrarily many messages.
Signature Chaining
(Diagram: Alice runs (sk_3, pk_3) ← Gen(), computes σ_2 ← Sign(sk_2, (m_2, pk_3)) and sends (m_2, (pk_3, σ_2)); Bob checks Ver(pk_2, (m_2, pk_3), σ_2).)
Limitations
Alice and Bob must stay synchronized; else, Bob won't be using the correct public key to verify.
If there are many users, every pair needs to be synchronized.
What if Alice is sending messages to both Bob and Charlie?
(Almost) Stateless Signature Chaining
(Diagram: Alice holds sk_1 and has run (sk_2, pk_2) ← Gen() and (sk_3, pk_3) ← Gen(); Bob holds only pk_1. Alice computes σ_2 ← Sign(sk_2, (m_2, pk_3)) and sends (m_2, (m_1, pk_2, σ_1, pk_3, σ_2)); Bob checks Ver(pk_1, (m_1, pk_2), σ_1) and Ver(pk_2, (m_2, pk_3), σ_2).)
Still Limitations
Now Bob (and Charlie, etc.) are stateless.
However, Alice is still stateful: she needs to remember all messages sent.
Signature length grows with the number of messages signed.
Signature Trees
(Diagram: a binary tree of key pairs. Root: pk, with σ ← Sign(sk, (pk_0, pk_1)). Level 1: σ_0 ← Sign(sk_0, (pk_00, pk_01)) and σ_1 ← Sign(sk_1, (pk_10, pk_11)). Level 2: σ_00, σ_01, σ_10, σ_11 authenticate the leaves pk_000, ..., pk_111.)
Signature Trees
To sign m_i: compute σ_i ← Sign(sk_i, m_i), where sk_i is the ith leaf.
Must include pk_i in the signature so Bob can verify σ_i.
Must authenticate pk_i, so include σ_{P(i)} (and pk_{S(i)}), where P(i) is the parent of i and S(i) its sibling.
Must include pk_{P(i)} so Bob can verify σ_{P(i)}.
Must authenticate pk_{P(i)}, so include σ_{P(P(i))} (and pk_{S(P(i))}), and so on up to the root.
Comparison to Chaining
Limitations: bounded number of messages (2^d). Still requires Alice to keep state (all the sk's and pk's); size of state is 2^d.
Advantages: signature size d, logarithmic in the number of messages signed.
Avoid Large State?
Alice keeps a PRF key k as part of her secret key.
For every internal node or leaf i, (sk_i, pk_i) ← Gen(; PRF(k, i)), i.e., Gen is run with randomness PRF(k, i).
Alice never stores signatures or public keys; instead, she computes the needed signatures and public keys on the fly.
Unbounded Messages
Set d = 128 or 256. Can now sign up to 2^128 messages.
Signature size d = 128, so shortish signatures.
Size of state is independent of d, so short.
Time to compute a signature? Only need the pk's and σ's on the path from the root to the leaf, plus their neighbors: only O(d) terms, which can be computed efficiently from the PRF key k.
Fully Stateless?
So far, we still need to keep state to remember which leaf to use next.
However, now we can do something different: instead of choosing leaves sequentially, just choose a leaf at random.
Except with probability O(#messages^2 / 2^d), the same leaf is never used twice.
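The collision bound on the slide, carried through as an added note (not part of the lecture slides), writing q for the number of messages signed and i_1, ..., i_q for the independently and uniformly chosen leaves:

$$\Pr[\exists\, j<k:\ i_j = i_k] \;\le\; \sum_{1\le j<k\le q} \Pr[i_j = i_k] \;=\; \binom{q}{2}\, 2^{-d} \;\le\; \frac{q^2}{2^{d+1}} \;=\; O\!\left(\frac{q^2}{2^d}\right).$$

For d = 128 and q = 2^40 signatures this is at most 2^{-49}, so the event that a one-time key is reused (which is what breaks the scheme) has negligible probability.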
Putting it Together
(Diagram: public key pk; secret key sk = (sk, k); to sign, choose a leaf i ← {0, ..., 2^d - 1}.)
Putting it Together
(Diagram, with the path root → pk_0 → pk_01 → leaves pk_010, pk_011 drawn: sk = (sk, k); (sk_0, pk_0) ← Gen(; PRF(k, 0)), (sk_1, pk_1) ← Gen(; PRF(k, 1)), (sk_00, pk_00) ← Gen(; PRF(k, 00)), (sk_01, pk_01) ← Gen(; PRF(k, 01)), and so on down to the leaf; σ ← Sign(sk, (pk_0, pk_1)), σ_0 ← Sign(sk_0, (pk_00, pk_01)), ..., σ_i ← Sign(sk_i, m).)
Choose i ← {0, ..., 2^d - 1}; output i, all the pk_j's and all the σ's along the path as the signature.
Putting it Together
OWF to get 1-time signatures (with large pk's and σ's).
Hash the message to get 1-time signatures with small pk's and σ's; can be accomplished using just OWFs.
Create a tree of signatures (stateful scheme).
Make it stateless by using a PRF.
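The construction just summarized, as an added example that is not part of the lecture slides: it covers the Lamport one-time scheme from the earlier slides (SHA-256 standing in for the one-way function F, and hash-and-sign so that each one-time key signs a 256-bit digest) and the signature tree with node key pairs derived as Gen(; PRF(k, node)) (HMAC-SHA256 as the PRF) and a randomly chosen leaf, so the signer keeps only k. The depth D = 16, the node labels and the function names are choices made here; the slides use d = 128.

```python
import hashlib, hmac, secrets

N = 256   # bits per signed digest: each OTS signs H(message) (hash-and-sign)
D = 16    # tree depth, 2^D leaves; the slides use d = 128, kept small here for speed

def H(x):                     # SHA-256 plays both the one-way function F and the hash
    return hashlib.sha256(x).digest()

def bits(msg):                # bits m_1..m_N of H(msg), which pick the x_{i,b} to reveal
    d = int.from_bytes(H(msg), "big")
    return [(d >> (N - 1 - i)) & 1 for i in range(N)]

def lamport_gen(seed):        # Gen(; r): x_{i,b} expanded from the seed by a PRF, y_{i,b} = F(x_{i,b})
    sk = [hmac.new(seed, j.to_bytes(2, "big"), "sha256").digest() for j in range(2 * N)]
    return sk, b"".join(H(x) for x in sk)       # sk[2i+b] = x_{i,b}; pk = all y_{i,b} in order

def lamport_sign(sk, msg):    # reveal x_{i, m_i} for every bit position i
    return b"".join(sk[2 * i + b] for i, b in enumerate(bits(msg)))

def lamport_ver(pk, msg, sig):  # accept iff F(x_{i,m_i}) == y_{i,m_i} for every i
    return all(H(sig[32 * i:32 * i + 32]) == pk[32 * (2 * i + b):32 * (2 * i + b + 1)]
               for i, b in enumerate(bits(msg)))

def node_keys(k, node):       # (sk_node, pk_node) <- Gen(; PRF(k, node)), recomputed on demand
    return lamport_gen(hmac.new(k, node.encode(), "sha256").digest())

def tree_gen():               # secret key is just the PRF key k; public key is the root OTS pk
    k = secrets.token_bytes(32)
    return k, node_keys(k, "")[1]

def tree_sign(k, msg):        # random leaf instead of a counter, so the signer keeps no state
    leaf = format(secrets.randbelow(2 ** D), f"0{D}b")
    sig = [lamport_sign(node_keys(k, leaf)[0], msg)]
    for lvl in range(D, 0, -1):            # from the leaf's parent up to the root
        parent = leaf[:lvl - 1]
        children = node_keys(k, parent + "0")[1] + node_keys(k, parent + "1")[1]
        sig.append((children, lamport_sign(node_keys(k, parent)[0], children)))
    return leaf, sig            # sig = [sigma_leaf, (pk_{i0}||pk_{i1}, sigma_i) for each ancestor i]

def tree_ver(root_pk, msg, leaf, sig):
    if len(leaf) != D or len(sig) != D + 1:
        return False
    pk, L = root_pk, len(root_pk)
    for lvl in range(D):                   # descend from the root along the leaf's path
        children, s = sig[D - lvl]
        if not lamport_ver(pk, children, s):
            return False
        pk = children[int(leaf[lvl]) * L:(int(leaf[lvl]) + 1) * L]  # child pk now authenticated
    return lamport_ver(pk, msg, sig[0])
```

Each internal node's one-time key only ever signs the fixed pair (pk_{i0}, pk_{i1}), so reusing it across many leaves is harmless; only leaf keys must not repeat, which the random choice of leaf handles for large D.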
What's Known
(Diagram: implication graph among the primitives seen so far: OWP, OWF, PRG, Com, PRF, MAC, Auth Enc, PRP, SKE, CRH, CPA-PKE, CCA-PKE, Sig.)
What's Known
(Diagram: the same implication graph, now also including TCR.)
Theorem: Given a secure OWF, it is possible to construct a strongly CMA-secure signature scheme.
Practical Use?
Lamport signatures are fast: signing is just revealing part of your secret key, and verifying is just a few OWF evaluations.
Tree-based signatures are a bit slower: need to generate many signatures, many public keys, and many PRF evaluations.
Practical Use?
Main limitation: signature size.
Basic Lamport: 128 bits per message bit; with hashing, need to sign 256-bit messages.
For signature trees, the signature consists of d Lamport signatures (plus public keys), and d must be big enough to prevent collisions, e.g., d = 128.
Overall signature size: around a megabit.
What's the Smallest Signature?
Signature trees: ~1 megabit. RSA hash-and-sign: ~2 kilobits. ECDSA: around 512 bits. BLS: 256 bits.
Are 128-bit signatures possible?
Obfuscation-Based Signatures
Let (MAC, Ver) be a message authentication code.
Gen(): k ← K; sk = k; pk = Obf(Ver(k, ·, ·))
Sign(sk, m) = MAC(k, m)
Ver(pk, m, σ) = pk(m, σ)
Signature size: 128 bits! But the running time and public key size are horrible.
Next Time
Identification protocols: how to prove you are who you say you are.
Reminders
HW6 due Wednesday. HW7 out tonight.