A Signature Scheme as Secure as the Diffie-Hellman Problem
Description: A Signature Scheme as Secure as the Diffie-Hellman Problem. Goh and Jarecki.

Theory Seminar - Cryptography
A Signature Scheme as Secure as the Diffie-Hellman Problem
Theory Seminar
Eu-Jin Goh and Stanislaw Jarecki, Eurocrypt 2003
Subhashini V, IIT Madras

Outline
1. Introduction: Hard Assumptions
2. Signature Scheme: Definition, EDL Scheme
3. Security: CMA model, Unforgeability, Forgery, Probability
4. References

Introduction
Objective of this talk
Introduction to:
- Hardness assumption - CDH
- Reduction techniques
- ZKP in cryptosystems
- Random oracle model
- Signature scheme

Hard Assumptions
- Discrete log problem. Given: $g, g^a$. Find: $a$.
- CDH (Computational Diffie-Hellman). Given: $g, g^a, g^b$. Compute: $g^{ab}$.
- Reduction to hard assumption
- What is tightness?

Signature Scheme
Definition
Digital Signature Scheme
- Key Generation: private key ($sk$) and public key ($pk$)
- Sign: $\mathrm{Sign}(M, sk) \to \sigma$
- Verify: $\mathrm{Ver}(pk, M, \sigma)$. Output: Accept or Reject

EDL Scheme
EDL Signature scheme
Proposed originally by [CEVDG88] and [CP93].
Key generation: $sk = x \in_R \mathbb{Z}_q$, $pk = y \leftarrow g^x$
Sign(x, M):
1. $r \in_R \{0,1\}^{n_r}$, $h \leftarrow H(M, r)$, $z \leftarrow h^x$
2. NI-ZKP: $DL_h(z) = DL_g(y)$
3. $k \in_R \mathbb{Z}_q$, $u \leftarrow g^k$, $v \leftarrow h^k$
4. $c \leftarrow H'(g, h, y, z, u, v) \in \mathbb{Z}_q$
5. $s \leftarrow k + cx$
6. $\sigma \leftarrow (z, r, s, c)$
Verify:
$h' \leftarrow H(M, r)$, $u' \leftarrow g^{s} y^{-c}$, $v' \leftarrow h'^{s} z^{-c}$
$c' = H'(g, h', y, z, u', v')$. Check $c' \stackrel{?}{=} c$
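
The Sign and Verify steps above as runnable Python, added here as an illustration (not code from the slides or from Goh and Jarecki). The toy group, the SHA-512 instantiation of $H$ and $H'$, the 16-byte salt and the range checks in `verify` are assumptions of this example.

```python
import hashlib
import secrets

# Toy group (assumption, illustration only): Q = 2^127 - 1 is prime and
# P = 2kQ + 1 is the first such value passing a Fermat test. Too small for real use.
Q = 2**127 - 1
P = next(p for p in (2 * k * Q + 1 for k in range(1, 10**6))
         if all(pow(a, p - 1, p) == 1 for a in (2, 3, 5, 7)))
G = pow(2, (P - 1) // Q, P)          # generator of the order-Q subgroup
NR = 16                              # salt length n_r in bytes (assumed value)

def _digest(tag, *parts):
    data = tag + b"".join(len(x).to_bytes(4, "big") + x for x in parts)
    return int.from_bytes(hashlib.sha512(data).digest(), "big")

def _b(n):
    return n.to_bytes((P.bit_length() + 7) // 8, "big")

def H(msg, r):
    """H(M, r): hash into the order-Q subgroup by cofactor exponentiation."""
    return pow(_digest(b"H", msg, r) % P, (P - 1) // Q, P)

def H2(*elems):
    """H'(g, h, y, z, u, v): hash of six group elements into Z_q."""
    return _digest(b"H'", *map(_b, elems)) % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def sign(x, msg):
    y = pow(G, x, P)
    r = secrets.token_bytes(NR)                  # step 1: fresh salt per signature
    h = H(msg, r)
    z = pow(h, x, P)
    k = secrets.randbelow(Q - 1) + 1             # step 3: fresh nonce per signature
    u, v = pow(G, k, P), pow(h, k, P)
    c = H2(G, h, y, z, u, v)                     # step 4
    s = (k + c * x) % Q                          # step 5
    return z, r, s, c                            # step 6

def verify(y, msg, sig):
    z, r, s, c = sig
    if not (0 < z < P and pow(z, Q, P) == 1 and 0 <= s < Q and 0 <= c < Q):
        return False                             # z outside the group or s, c out of range
    h = H(msg, r)
    u = pow(G, s, P) * pow(y, Q - c, P) % P      # g^s y^-c
    v = pow(h, s, P) * pow(z, Q - c, P) % P      # h^s z^-c
    return H2(G, h, y, z, u, v) == c
```
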

Proof of equality of DL
Replacing ZK-proof of knowledge with just a ZKP
$k \in \mathbb{Z}_q$; $u = g^k$; $v = h^k$
$s = k + cx$; $g^s = u y^c$; $h^s = v z^c$
Also, proof of knowledge of $x$: $g^x = y$; $h^x = z$
$x = DL_g(y)$; $x' = DL_h(z)$
If $x' \neq x$, a valid proof is possible only if $c = (k - k')/(x' - x)$, where $k = DL_g(u)$ and $k' = DL_h(v)$

Security
CMA model
Security Model
- Chosen Message Attack (CMA)
- Adaptive chosen messages.
- Training with oracles (hash, sign)
- Adversary A outputs forgery.

Unforgeability
Random oracle model - solve CDH. (Proof is from [?])
Setup: $y = g^a$ ($a$ is unknown)
$H$ queries: embed - $H(M, r) = h = (g^b)^d$, $d$ - random
$H'$ queries: all random.
Sign queries:
- $r \in_R \{0,1\}^{n_r}$. If $H(M, r)$ is queried - abort.
- $\kappa \in_R \mathbb{Z}_q$. Set $z = y^{\kappa}$, $h = g^{\kappa}$ and $H(M, r) = h$
- $DL_h(z) = DL_g(y)$
- $c \in_R \mathbb{Z}_q$, $s \in_R \mathbb{Z}_q$. Set $u = g^{s} y^{-c}$ and $v = h^{s} z^{-c}$
- Store $H'(g, h, y, z, u, v) = c$
- $\sigma = (z, r, s, c)$

Forgery
Solving CDH
Forgery passes verification.
$h = H(M, r) = g^{bd}$
$DL_h(z) = DL_g(y) \Rightarrow z = h^a = g^{abd}$
Output: $z^{1/d} = g^{ab}$
Solved CDH.
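
The challenger from the proof above as runnable Python, added here as an illustration and not part of the slides: it answers $H$, $H'$ and Sign queries from $y = g^a$ and $g^b$ alone by programming the oracle tables, and turns a forgery on an embedded point into $g^{ab}$. The toy group and the names `Challenger`, `hash_query`, `hash2_query`, `sign_query` and `solve_cdh` are assumptions of this example.

```python
import secrets

# Toy group (assumption, illustration only): Q = 2^127 - 1 is prime and
# P = 2kQ + 1 is the first such value passing a Fermat test.
Q = 2**127 - 1
P = next(p for p in (2 * k * Q + 1 for k in range(1, 10**6))
         if all(pow(a, p - 1, p) == 1 for a in (2, 3, 5, 7)))
G = pow(2, (P - 1) // Q, P)

def rand_exp():
    return secrets.randbelow(Q - 1) + 1

class Challenger:
    """C in the proof: holds y = g^a and B = g^b, never a or b."""
    def __init__(self, y, B):
        self.y, self.B = y, B
        self.H, self.H2, self.d = {}, {}, {}       # programmed oracle tables

    def commit(self, h, z, s, c):                  # u = g^s y^-c, v = h^s z^-c
        return (pow(G, s, P) * pow(self.y, Q - c, P) % P,
                pow(h, s, P) * pow(z, Q - c, P) % P)

    def hash_query(self, msg, r):                  # H: embed h = (g^b)^d
        if (msg, r) not in self.H:
            self.d[msg, r] = rand_exp()
            self.H[msg, r] = pow(self.B, self.d[msg, r], P)
        return self.H[msg, r]

    def hash2_query(self, *point):                 # H': all random
        return self.H2.setdefault(point, secrets.randbelow(Q))

    def sign_query(self, msg):
        r = secrets.token_bytes(16)
        if (msg, r) in self.H:
            raise RuntimeError("abort: H(M, r) was queried")
        kappa = rand_exp()
        h, z = pow(G, kappa, P), pow(self.y, kappa, P)   # DL_h(z) = DL_g(y)
        self.H[msg, r] = h
        c, s = secrets.randbelow(Q), secrets.randbelow(Q)
        point = (G, h, self.y, z, *self.commit(h, z, s, c))
        if point in self.H2:
            raise RuntimeError("abort: H' point already queried")
        self.H2[point] = c
        return z, r, s, c

    def verify(self, msg, sig):
        z, r, s, c = sig
        h = self.hash_query(msg, r)
        return self.hash2_query(G, h, self.y, z, *self.commit(h, z, s, c)) == c

    def solve_cdh(self, msg, forgery):             # z^(1/d) = g^(ab)
        z, r = forgery[:2]
        return pow(z, pow(self.d[msg, r], Q - 2, Q), P)
```

`solve_cdh` applies only to a forgery whose $(M, r)$ was answered by `hash_query`; points programmed inside `sign_query` carry no $d$, which matches the proof's requirement that the forgery is on a message not obtained from the signing oracle.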

Probability
Analysis - Probability of solving CDH
Abort cases
1. $H(M, r)$ was queried! $\Rightarrow \Pr = q_H \cdot 2^{-n_r}$
   - Aborting in Step 1 of signature: $\Pr = q_{sig} \cdot q_H \cdot 2^{-n_r}$
2. Abort at Step 4 of signature: $H'(g, g^k, y, y^k, u, u^k)$ queried!
   - Probability of collision: $(q_H + q_{sig}) \cdot 2^{-2n_q}$
   - Final: $\Pr = q_{sig} \cdot (q_H + q_{sig}) \cdot 2^{-2n_q}$
Cannot solve CDH on successful forgery (because of DL)
1. $\Pr[NH \wedge \neg NQ] = 2^{-n_q}$
2. $\Pr[NQ] = q_H \cdot 2^{-n_q}$
NH - event that the attacker does not query H-oracle.
NQ - event that $DL_g(y) = DL_h(z)$

We assume that the attacker can break the signature scheme with a non-negligible probability of $\varepsilon$. Let $\varepsilon'$ be the probability of the challenger (C) solving the CDH problem using the attacker. Then
$$\varepsilon' = \varepsilon - (\varepsilon_{abort} + \varepsilon_{DL})$$
$$= \varepsilon - q_{sig} \cdot q_H \cdot 2^{-n_r} - q_{sig} \cdot (q_H + q_{sig}) \cdot 2^{-2n_q} - 2^{-n_q} - q_H \cdot 2^{-n_q}$$
$\varepsilon'$ is non-negligible and hence C can solve CDH.

References
[CEVDG88] David Chaum, Jan-Hendrik Evertse, and Jeroen Van De Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In Proceedings of the 6th annual international conference on Theory and application of cryptographic techniques, EUROCRYPT '87, pages 127–141, Berlin, Heidelberg, 1988. Springer-Verlag.
[CP93] David Chaum and Torben P. Pedersen. Wallet databases with observers. In Proceedings of the 12th Annual International Cryptology Conference on Advances in Cryptology, CRYPTO '92, pages 89–105, London, UK, 1993. Springer-Verlag.
Eu-Jin Goh and Stanislaw Jarecki. A signature scheme as secure as the Diffie-Hellman problem. In Proceedings of the 22nd international conference on Theory and applications of cryptographic techniques, EUROCRYPT '03, pages 401–415, Berlin, Heidelberg, 2003. Springer-Verlag.

Questions?
Thank You!