COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017


Previously

Digital Signatures
Algorithms:
- Gen() → (sk, pk)
- Sign(sk, m) → σ
- Ver(pk, m, σ) → 0/1
Correctness: Pr[Ver(pk, m, Sign(sk, m)) = 1 : (sk, pk) ← Gen()] = 1

Many-time Signatures (CMA security experiment)
- Challenger runs (sk, pk) ← Gen() and gives pk to the adversary
- Adversary adaptively queries messages m_i and receives σ_i ← Sign(sk, m_i)
- Adversary outputs a forgery attempt (m*, σ*)
- CMA-Adv(adversary) = Pr[experiment outputs 1]
- Output 1 iff m* ∉ {m_1, m_2, ...} and Ver(pk, m*, σ*) = 1

Strong Security
- Same experiment: (sk, pk) ← Gen(), the adversary gets pk, queries m_i, receives σ_i ← Sign(sk, m_i), and outputs (m*, σ*)
- CMA-Adv(adversary) = Pr[experiment outputs 1]
- Output 1 iff (m*, σ*) ∉ {(m_1, σ_1), (m_2, σ_2), ...} and Ver(pk, m*, σ*) = 1 (so a new signature on an already-signed message also counts as a forgery)

Signatures from TDPs
- Gen_Sig() = Gen()
- Sign(sk, m) = F^{-1}(sk, H(m))
- Ver(pk, m, σ): accept iff F(pk, σ) == H(m)
Theorem: If (Gen, F, F^{-1}) is a secure TDP and H is modeled as a random oracle, then (Gen_Sig, Sign, Ver) is (strongly) CMA-secure

Basic Rabin Signatures
- Gen_Sig(): let p, q be random large primes; sk = (p, q), pk = N = pq
- Sign(sk, m): solve the equation σ^2 = H(m) mod N using the factors p, q; output σ
- Ver(pk, m, σ): accept iff σ^2 mod N == H(m)

Signatures from One-way Functions
- One-way functions are sufficient to build signature schemes
- Therefore, can build signatures from: RSA, DDH, block ciphers, CRHFs, etc.
- Limitation: poor performance in practice

Lamport Signatures
- Let F: X → Y be a one-way function
- Let M = {0,1}^n be the message space
- Gen(): for each i = 1, ..., n and b ∈ {0,1}, sample x_{i,b} ← X and compute y_{i,b} = F(x_{i,b})
- sk = (x_{i,b}), pk = (y_{i,b})
(figure: a 2×n grid of secret values x_{i,0}, x_{i,1} mapped by F to the 2×n grid of public values y_{i,0}, y_{i,1}; drawn for n = 5)

Lamport Signatures
- Sign(sk, m): output (x_{i,m_i})_{i=1,...,n}, i.e. for each bit position i reveal the x in row m_i
- Ver(pk, m, σ): accept iff F(x_{i,m_i}) = y_{i,m_i} for every i
(figure: the revealed x's in the 2×n secret grid and the matching y's in the public grid)

Lamport Signatures
Theorem: If F is a secure OWF, then (Gen, Sign, Ver) is a (weakly) secure one-time signature scheme

Proof
(figure: the forger receives pk = (y_{i,b}), queries a single message m and gets back the x_{i,m_i}, then outputs a forgery (m*, σ*) where σ* should contain the x_{i,m*_i}; drawn for n = 5)

Proof
- Since m* ≠ m, there is some i such that m*_i ≠ m_i
- Suppose we know i, with m_i = 1−b and m*_i = b
- Construct an adversary (the inverter) that uses the forger to invert the OWF

Proof
(figure: the inverter is given a challenge y*; it samples all x_{j,c} itself except at position (i,b), where it places y_{i,b} = y*; it hands the forger this pk, answers the one signing query for m (which at position i only needs x_{i,1−b}), and when the forger outputs (m*, σ*) with m*_i = b it reads x* = a preimage of y* out of σ*)

Proof
- The forger's view is exactly as in the 1-time CMA experiment, assuming the ith bit of m is 1−b and the ith bit of m* is b (as set up above)
- If the forger always chooses m, m* with these properties and forges with probability ε, then the inverter inverts with probability ε

Proof
- In general, the forger may choose m, m* that differ at arbitrary positions
- The positions may be randomly chosen, may depend on pk, may even depend on σ
- They may never be at certain positions
- How do we make the inverter still succeed?

Proof
(figure: the inverter picks (i, b) ← [n] × {0,1} uniformly at random and embeds y* as y_{i,b}; if answering the signing query would need x_{i,b}, abort; if the forgery contains no x_{i,b}, i.e. m*_i ≠ b, abort)

Proof
- pk is independent of (i, b)
- m is independent of (i, b)
- Therefore Pr[m_i = 1−b] = ½
- Conditioned on m_i = 1−b, signing succeeds
- σ is independent of i, so the forger forges with probability ε, independent of i

Proof
- We know that if the forger forges, then m* ≠ m
- Since m* is independent of i, with probability at least 1/n we have m*_i = 1−m_i = b
- In this case the inverter succeeds in inverting y*
- Overall success probability = ½ · ε · 1/n = ε/2n

Limitations of Lamport Signatures
- Only weakly secure. Why? How to fix?
- |pk|, |σ| >> |m|. How to fix?

Theorem: Given a secure OWF, it is possible to construct a strongly secure 1-time signature scheme where |m| >> |pk|, |σ|

Signing Multiple Messages
- Once the adversary sees two signed messages, security is lost (why?)
- How do we sign multiple messages?

Signature Chaining (first message, naive)
- Alice holds sk_1; Bob holds pk_1
- Alice sends (m_1, σ_1) where σ_1 ← Sign(sk_1, m_1)
- Bob checks Ver(pk_1, m_1, σ_1)

Signature Chaining (first message, with chaining)
- Alice generates a fresh key pair (sk_2, pk_2) ← Gen()
- Alice sends (m_1, σ'_1) where σ'_1 = (pk_2, σ_1) and σ_1 ← Sign(sk_1, (m_1, pk_2))
- Bob checks Ver(pk_1, (m_1, pk_2), σ_1) and keeps pk_2

Signature Chaining (second message)
- Alice sends (m_2, σ_2) where σ_2 ← Sign(sk_2, m_2)
- Bob checks Ver(pk_2, m_2, σ_2) using the pk_2 he received with the first message

Signature Chaining
- Idea: Bob can be assured that pk_2 was in fact generated by Alice
- If Eve tampered with pk_2, then the signature on the first message would have been invalid
- Therefore, Alice can sign m_2 using sk_2, and Eve cannot produce a forgery m_2 with a valid signature
- Can repeat the process to sign arbitrarily many messages

Signature Chaining (second message, with chaining)
- Alice generates (sk_3, pk_3) ← Gen()
- Alice sends (m_2, σ'_2) where σ'_2 = (pk_3, σ_2) and σ_2 ← Sign(sk_2, (m_2, pk_3))
- Bob checks Ver(pk_2, (m_2, pk_3), σ_2) and keeps pk_3

Limitations
- Alice and Bob must stay synchronized
- Else, Bob won't be using the correct public key to verify
- If many users, every pair needs to be synchronized
- What if Alice is sending messages to Bob and Charlie?

(Almost) Stateless Signature Chaining
- Alice holds sk_1 and has generated (sk_2, pk_2) ← Gen() and (sk_3, pk_3) ← Gen()
- To send m_2 she computes σ_2 ← Sign(sk_2, (m_2, pk_3)) and sends (m_2, σ'_2) with σ'_2 = (m_1, pk_2, σ_1, pk_3, σ_2)
- Bob, holding only pk_1, checks Ver(pk_1, (m_1, pk_2), σ_1) and Ver(pk_2, (m_2, pk_3), σ_2)

Still Limitations
- Now Bob (and Charlie, etc.) are stateless
- However, Alice is still stateful: she needs to remember all messages sent
- Signature length grows with the number of messages signed

Signature Trees
(figure: a binary tree of key pairs; the root holds (sk, pk), its children pk_0, pk_1, then pk_00, ..., pk_11, then pk_000, ..., pk_111; each node signs its two children's public keys)
- σ ← Sign(sk, (pk_0, pk_1))
- σ_0 ← Sign(sk_0, (pk_00, pk_01)), σ_1 ← Sign(sk_1, (pk_10, pk_11))
- σ_00, σ_01, σ_10, σ_11 likewise authenticate pk_000, ..., pk_111

Signature Trees
- To sign m_i, compute σ_i ← Sign(sk_i, m_i), where sk_i is the ith leaf
- Must include pk_i in the signature so Bob can verify σ_i
- Must authenticate pk_i, so include σ_{P(i)} (and pk_{S(i)}), where P(i) is the parent of node i and S(i) its sibling
- Must include pk_{P(i)} so Bob can verify σ_{P(i)}
- Must authenticate pk_{P(i)}, so include σ_{P(P(i))} (and pk_{S(P(i))}), and so on up to the root

Comparison to Chaining
- Limitations: bounded number of messages (2^d); still requires Alice to keep state (all the sk's and pk's); size of state is 2^d
- Advantages: signature size d, logarithmic in the number of messages signed

Avoid Large State?
- Alice keeps a PRF key k as part of her secret key
- For every internal node or leaf i, (sk_i, pk_i) ← Gen(; PRF(k, i)), i.e. Gen is run with randomness PRF(k, i)
- Alice never stores signatures or public keys; instead, she recomputes the needed signatures/public keys on the fly

Unbounded Messages
- Set d = 128 or 256
- Can now sign up to 2^128 messages
- Signature size d = 128, so shortish signatures
- Size of state is independent of d, so short
- Time to compute a signature? Only need the pk's and σ's on the path from root to leaf, plus their neighbors: only O(d) terms, efficiently computable from the PRF key k

Fully Stateless?
- So far, we still need to keep state to remember which leaf we should use next
- However, now we can do something different: instead of choosing leaves sequentially, just choose a leaf at random
- Except with probability O(#messages^2 / 2^d), the same leaf is never used twice

Putting it Together
- Public key: pk (the root); secret key: sk = (sk, k) with k the PRF key
- To sign m: pick a random leaf i ← {0, ..., 2^d − 1}
- Derive the keys on the path to i, e.g. (sk_0, pk_0) ← Gen(; PRF(k, 0)), (sk_1, pk_1) ← Gen(; PRF(k, 1)), (sk_00, pk_00) ← Gen(; PRF(k, 00)), (sk_01, pk_01) ← Gen(; PRF(k, 01)), ...
- Sign each node's children with that node's key: σ ← Sign(sk, (pk_0, pk_1)), σ_0 ← Sign(sk_0, (pk_00, pk_01)), ...
- Sign the message with the leaf key: σ_i ← Sign(sk_i, m)
- Output i, all the pk_j's along the path (with their siblings), and all the σ's as the signature
(figure: the tree with the path to leaf i highlighted, drawn for the path through pk_0 and pk_01 down to pk_010, pk_011)

Putting it Together
- OWF → 1-time signatures (with large pk's, σ's)
- Hash the message → 1-time signatures with small pk's, σ's; can accomplish using just OWFs
- Create a tree of signatures (stateful scheme)
- Make it stateless by using a PRF
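The Lamport scheme and the PRF-derived signature tree with a random leaf, as an added Python example (not from the lecture slides): SHA-256 stands in for the OWF F, HMAC-SHA256 for the PRF, each node signs the concatenation of its children's public keys, and the depth is 16 rather than 128 so it runs in seconds; all function names and the serialisation are this example's own choices.

```python
import hashlib, hmac, secrets

N, D = 256, 16   # N: bits of H(msg) a Lamport key signs; D: tree depth (lecture: d = 128, reduced to run fast)

def H(*parts):                 # SHA-256 stands in for the one-way function F
    return hashlib.sha256(b"".join(parts)).digest()

def lamport_gen(seed):
    # sk: 2*N preimages x_{i,b} derived from seed; pk: their images y_{i,b} = F(x_{i,b})
    sk = [[H(seed, i.to_bytes(2, "big"), bytes([b])) for b in (0, 1)] for i in range(N)]
    return sk, [[H(x) for x in pair] for pair in sk]

def bits(digest):              # the 256 message bits, most significant bit first
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]

def lamport_sign(sk, msg):     # reveal x_{i, m_i} for each bit m_i of H(msg)
    return [sk[i][b] for i, b in enumerate(bits(H(msg)))]

def lamport_ver(pk, msg, sig): # check F(x_{i, m_i}) == y_{i, m_i} for all i (length check: zip would otherwise truncate)
    return len(sig) == N and all(H(x) == pk[i][b] for i, (b, x) in enumerate(zip(bits(H(msg)), sig)))

def pk_bytes(pk):              # serialise a Lamport public key so its parent can sign it
    return b"".join(y for pair in pk for y in pair)

def node_keys(k, node):        # (sk_node, pk_node) <- Gen(; PRF(k, node)); recomputed on demand, never stored
    return lamport_gen(hmac.new(k, node.encode(), "sha256").digest())

def tree_gen():                # the long-term secret is just the PRF key k; pk is the root Lamport pk
    k = secrets.token_bytes(32)
    return k, node_keys(k, "")[1]

def tree_sign(k, msg):
    leaf = f"{secrets.randbelow(2 ** D):0{D}b}"   # random leaf instead of a counter: no signer state
    path = []
    for lvl in range(D):       # each node on the root-to-leaf path signs the pair of its children's pks
        node = leaf[:lvl]
        pk0, pk1 = node_keys(k, node + "0")[1], node_keys(k, node + "1")[1]
        path.append((pk0, pk1, lamport_sign(node_keys(k, node)[0], pk_bytes(pk0) + pk_bytes(pk1))))
    return leaf, path, lamport_sign(node_keys(k, leaf)[0], msg)

def tree_ver(pk_root, msg, sig):
    leaf, path, leaf_sig = sig
    if len(leaf) != D or len(path) != D:          # a truncated path would stop at an internal node
        return False
    pk = pk_root
    for lvl, (pk0, pk1, s) in enumerate(path):    # walk down, authenticating each child pk in turn
        if not lamport_ver(pk, pk_bytes(pk0) + pk_bytes(pk1), s):
            return False
        pk = pk1 if leaf[lvl] == "1" else pk0
    return lamport_ver(pk, msg, leaf_sig)
```

The two length checks matter: without them a short list of revealed values would pass lamport_ver, and a path cut off at an internal node would let the verifier accept that node's already-public signature on (pk0, pk1) as a signature on that string.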

What's Known
(figure: diagram of implications among primitives: OWP, OWF, PRG, PRF, PRP, Com, MAC, Auth Enc, SKE, CRH, CPA-PKE, CCA-PKE, Sig; the updated diagram adds TCR and moves Sig next to the primitives built from OWFs)

Theorem: Given a secure OWF, it is possible to construct a strongly CMA-secure signature scheme

Practical Use?
- Lamport signatures are fast: signing is just revealing part of your secret key; verifying is just a few OWF evaluations
- Tree-based signatures are a bit slower: need to generate many signatures, many public keys, many PRF evaluations

Practical Use?
- Main limitation: signature size
- Basic Lamport: 128 bits per message bit
- With hashing, need to sign 256-bit messages
- For signature trees, the signature consists of d Lamport signatures (plus public keys)
- d must be big enough to prevent collisions, e.g. d = 128
- Overall signature size: around a megabit

What's the Smallest Signature?
- Signature trees: ~1 megabit
- RSA hash-and-sign: 2 kilobits
- ECDSA: around 512 bits
- BLS: 256 bits
- Are 128-bit signatures possible?

Obfuscation-Based Signatures
- Let (MAC, Ver) be a message authentication code
- Gen(): k ← K; sk = k; pk = Obf(Ver(k, ·, ·)), an obfuscation of the MAC verification algorithm with k hard-wired
- Sign(sk, m) = MAC(k, m)
- Ver(pk, m, σ) = pk(m, σ)
- Signature size: 128 bits! But running time and public key size are horrible

Next Time
Identification protocols: how to prove you are who you say you are

Reminders
- HW6 due Wednesday
- HW7 out tonight