cos433/math+473:+ cryptographymzhandry/2017-spring-cos433/ln/l… · cos433/math+473:+ cryptography...
TRANSCRIPT
![Page 1: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/1.jpg)
COS433/Math 473: Cryptography
Mark ZhandryPrinceton University
Spring 2017
![Page 2: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/2.jpg)
Last Time
Digital Signatures
![Page 3: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/3.jpg)
Digital Signatures
Algorithms:• Gen() à (sk,pk)• Sign(sk,m) à σ• Ver(pk,m,σ) à 0/1
Correctness:Pr[Ver(pk,m,Sign(sk,m))=1: (sk,pk)ßGen()] = 1
![Page 4: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/4.jpg)
1-‐time Security For Signatures
(sk,pk)ßGen()
mσ σ ß Sign(sk,m)
(m*,σ*)
Output 1 iff:• m*≠m• Ver(pk,m*,σ*) = 1
1CMA-Adv( ) = Pr[ outputs 1]
pk
![Page 5: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/5.jpg)
Unbounded Use Signatures
mi
σi
(m*,σ*)
Output 1 iff:• m*∉{m1,…}• Ver(pk,m*,σ*) = 1
CMA-Adv( ) = Pr[ outputs 1]
(sk,pk)ßGen()
σ ß Sign(sk,m)
pk
![Page 6: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/6.jpg)
Strong Security
mi
σi
(m*,σ*)
Output 1 iff:• (m*, σ*)∉{(m1,σ1)…}• Ver(pk,m*,σ*) = 1
CMA-Adv( ) = Pr[ outputs 1]
(sk,pk)ßGen()
σ ß Sign(sk,m)
pk
![Page 7: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/7.jpg)
Certificates
Facilitate public key infrastructure
Basically a signature by a CA on your public key• Certifies that you own the public key, not some adversary
![Page 8: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/8.jpg)
Certificate Chaining
Once Bob’s public key is certified, Bob can sign Charlie’s public key
Charlie can then sign Donald’s public key
Donald is therefor the certified owner of his public key
![Page 9: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/9.jpg)
So Far
Signature constructions from RSA, Factoring• We will later also see constructions from DDH
Unfortunately, all in the random oracle model
Ideally: construction without random oracles• Also from general assumptions
![Page 10: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/10.jpg)
Today
One-‐way functions are sufficient to build signature schemes
Therefore, can build signatures from:• RSA, DDH, Block Ciphers, CRHF, etc.
Limitation:• Poor performance in practice
![Page 11: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/11.jpg)
Lamport Signatures
Let F:XàY be a one-‐way function
Let M={0,1}n be message space
Gen():
x1,0
x1,1
x2,0
x2,1
x3,0
x3,1
x4,0
x4,1
x5,0
x5,1
y1,0
y1,1
y2,0
y2,1
y3,0
y3,1
y4,0
y4,1
y5,0
y5,1
ß
X
ßFyi,b=F(xi,b)
sk pk
![Page 12: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/12.jpg)
Lamport Signatures
Sign(sk, m): (xi,mi)i=1,…,n
Ver(pk,m,σ): F(xi,mi) = yi,mi
x1,0
x1,1
x2,0
x2,1
x3,0
x3,1
x4,0
x4,1
x5,0
x5,1
y1,0
y1,1
y2,0
y2,1
y3,0
y3,1
y4,0
y4,1
y5,0
y5,1
![Page 13: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/13.jpg)
Lamport Signatures
Theorem: If F is a secure OWF, then (Gen,Sign,Ver) is a (weakly) secure one-‐time signature scheme
![Page 14: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/14.jpg)
Proofy1,0
y1,1
y2,0
y2,1
y3,0
y3,1
y4,0
y4,1
y5,0
y5,1
x1,0
x1,1
x2,0
x2,1
x3,0
x3,1
x4,0
x4,1
x5,0
x5,1x1,0
x1,1
x2,0
x2,1
x3,0
x3,1
x4,0
x4,1
x5,0
x5,1
x1,0
x1,1
x2,0
x2,1
x3,0
x3,1
x4,0
x4,1
x5,0
x5,1
y1,1
y2,0 y3,0
y4,1
y5,0
![Page 15: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/15.jpg)
Proof
Since m*≠m, ∃i s.t. m*i≠mi
Suppose we know i, mi = 1-b, m*i = b
Construct adversary that inverts OWF
![Page 16: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/16.jpg)
Proofy*
x1,0
x1,1
x2,0
x2,1 x3,1
x4,0
x4,1
x5,0
x5,1
y1,0
y1,1
y2,0
y2,1
y*
y3,1
y4,0
y4,1
y5,0
y5,1
Fx1,0
x1,1
x2,0
x2,1
x3,0
x3,1
x4,0
x4,1
x5,0
x5,1
x1,0
x1,1
x2,0
x2,1
x*
x3,1
x4,0
x4,1
x5,0
x5,1
y1,1
y2,0 y3,0
y4,1
y5,0
x*
i,b
![Page 17: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/17.jpg)
Proof
View of exactly as in 1-‐time CMA experiment, assuming• ith bit of m = b• ith bit of m* = 1-b
If always chooses m,m* with these properties, and forges with probability ε, then inverts with probability ε
![Page 18: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/18.jpg)
Proof
In general, may choose m,m* to differ at arbitrary places • May be randomly chosen, may depend on pk, may even depend on σ• May never be at certain places
How do we make still succeed?
![Page 19: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/19.jpg)
Proofy*
x1,0
x1,1
x2,0
x2,1 x3,1
x4,0
x4,1
x5,0
x5,1
y1,0
y1,1
y2,0
y2,1
y*
y3,1
y4,0
y4,1
y5,0
y5,1
Fx1,0
x1,1
x2,0
x2,1
x3,0
x3,1
x4,0
x4,1
x5,0
x5,1
x1,0
x1,1
x2,0
x2,1
x*
x3,1
x4,0
x4,1
x5,0
x5,1
y1,1
y2,0 y3,0
y4,1
y5,0
x*
i,b
i,bß[n]×{0,1}
If need xi,b, abort
If no xi,b, abort
![Page 20: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/20.jpg)
Proof
pk independent of (i,b)• m independent of (i,b)• Therefore, Pr[mi=1-b]=½
Conditioned on mi=1-b,• Signing succeeds• σ independent of i• forges with probability ε, independent of i
![Page 21: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/21.jpg)
Proof
We know if forges, then m*≠m
Since m* independent of i, have prob at least 1/nthat m*i=1-mi = b
In this case, succeeds in inverting y* • Prob = ½ × ε × 1/n = ε/2n
![Page 22: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/22.jpg)
Limitations of Lamport Signatures
Only weakly secure• Why?• How to fix?
|pk|,|σ| >> |m|• How to fix?
![Page 23: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/23.jpg)
Theorem: Given a secure OWF, it is possible to construct a strongly secure 1-‐time signature scheme where |m| >> |pk|,|σ|
![Page 24: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/24.jpg)
Signing Multiple Messages
Once adversary sees two signed messages, security is lost (why?)
How do we sign multiple messages?
![Page 25: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/25.jpg)
Signature Chaining
m1,σ1ßSign(sk1,m1)
sk1pk1
m1
Ver(pk1,m1,σ1)
![Page 26: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/26.jpg)
Signature Chaining
m1, σ1 = (pk2,σ1’)
sk1pk1
m1
Ver(pk1,(m1,pk2) ,σ1’)(sk2,pk2)ßGen()
σ1’ßSign(sk1, (m1,pk2) )
![Page 27: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/27.jpg)
Signature Chaining
m2, σ2
sk1pk1pk2
m2
Ver(pk2,m2 ,σ2)(sk2,pk2)ßGen()
σ1’ßSign(sk2, m2)
![Page 28: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/28.jpg)
Signature Chaining
Idea: Bob can be assured that pk2 was in fact generated by Alice• If Eve tampered with pk2, then signature on first message would have been invalid
Therefore, Alice can sign m2 using sk2, and Eve cannot produce a forgery m2’ with valid signature
Can repeat process to sign arbitrarily many messages
![Page 29: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/29.jpg)
Signature Chaining
m2, σ2 = (pk3,σ2’)
sk1pk1pk2
m2
Ver(pk2,(m2,pk3) ,σ2’)(sk2,pk2)ßGen()(sk3,pk3)ßGen()
σ1’ßSign(sk2, (m2,pk3) )
![Page 30: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/30.jpg)
Limitations
Alice and Bob must stay synchronized• Else, Bob won’t be using correct public key to verify
If many users, every pair needs to be syncronized• What if Alice is sending messages to Bob and Charlie?
![Page 31: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/31.jpg)
(Almost) Stateless Signature Chaining
m2, σ2 = (m1,pk2,σ1’,pk3,σ2’)
sk1pk1
m2
Ver(pk2,(m2,pk3) ,σ2’)(sk2,pk2)ßGen()(sk3,pk3)ßGen()
σ1’ßSign(sk2, (m2,pk3) )
Ver(pk1,(m1,pk2) ,σ1’)
![Page 32: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/32.jpg)
Still Limitations
Now Bob (and Charlie, etc) are stateless
However, Alice is still stateful• Needs to remember all messages sent • Signature length grows with number of messages signed
![Page 33: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/33.jpg)
Signature Trees
pk∅
pk0 pk1
σ∅ßSign(sk∅, (pk0,pk1))
pk00 pk01 pk10 pk11
σ0ßSign(sk0, (pk00,pk01))σ1ßSign(sk1, (pk10,pk11))
pk000 pk001 pk010 pk011 pk100 pk101 pk110 pk111
σ00, σ01, σ10, σ11
![Page 34: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/34.jpg)
Signature Trees
To sign mi,• Compute σißSign(ski,mi), where ski is the ith leaf• Must include pki in signature so Bob can verify σi
• Must authenticate pki, so include σP(i) (and pkS(i))
• Must include pkP(i) so Bob can verify σP(i)
• Must auth pkP(i), so include σP(P(i)) (and pkS(P(i)))
• …
![Page 35: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/35.jpg)
Comparison to Chaining
Limitations:• Bounded number of messages (2d)• Still requires Alice to keep state (all the sk’s, pk’s).
Size of state ≈ 2d
Advantages:• Signature size ≈ d, logarithmic in number of messages signed
![Page 36: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/36.jpg)
Avoid Large State?
Alice keeps PRF key k as part of secret key
• For all internal nodes or leaves i,
(ski,pki)ßGen(; PRF(k, i) )
• Alice never stores signatures or public keys
• Instead, she computes needed signatures/public
keys on the fly
![Page 37: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/37.jpg)
Unbounded Messages
Set d=λ• Can now sign up to 2λ messages (exponential)• Signature size ≈d = λ, so short signatures• Size of state independent of d, so short• Time to compute signature?
• Only need pk’s,σ’s on path from root to leaf, plus neighbors
• Only O(d)=O(λ) terms• Can efficiently compute from PRF key k
![Page 38: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/38.jpg)
Fully Stateless?
So far, still need to keep state to remember which leaf we should use next
However, now we can do something different:• Instead of choosing leafs sequentially, just choose leaf at random• Except with probability O(|messages|2/2d), never use the same leaf twice
![Page 39: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/39.jpg)
Putting it Together
pk∅
iß{0,…,2d-1}
sk=(sk∅, k)
![Page 40: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/40.jpg)
Putting it Together
pk∅
pk0 pk1
pk00 pk01
pk010 pk011
iß{0,…,2d-1}
sk=(sk∅, k)
(sk0,pk0)ßGen(; PRF(k, 0))(sk1,pk1)ßGen(; PRF(k, 1))(sk00,pk00)ßGen(; PRF(k, 00))(sk01,pk01)ßGen(; PRF(k, 01))…σ∅ßSign(sk∅, (pk0,pk1))σ0ßSign(sk0, (pk00,pk01))…σßSign(ski, m)
Output all pkj’s and all σ’s as signature
![Page 41: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/41.jpg)
Putting it Together
OWF to get 1-‐time signatures (with large pk’s, σ’s)
Hash first with target collision resistances• 1-‐time signatures with small pk’s, σ’s
Create tree of signatures (stateful scheme)
Make stateless by using a PRF
![Page 42: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/42.jpg)
What’s Known
OWF
OWP
PRG
Com
CRH TCR
PRF PRP
SKEMACAuthEncCPA
-‐PKE
CCA-‐PKE Sig
![Page 43: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/43.jpg)
What’s Known
OWF
OWP
PRG
Com
CRH TCR
PRF PRP
SKEMACAuthEncCPA
-‐PKE
CCA-‐PKE
Sig
![Page 44: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/44.jpg)
Theorem: Given a secure OWF, it is possible to construct a strongly CMA-‐secure signature scheme
![Page 45: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/45.jpg)
Practical Use?
Lamport signatures are fast:• Signing is just revealing part of your secret key• Verifying is just a few OWF evaluations
Tree-‐based signatures are a bit slower• Need to generate many signatures• Need to generate many public keys• Need many PRF evals
![Page 46: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/46.jpg)
Practical Use?
Main limitation: Signature size• Basic Lamport: 128 bits per message bit• With hashing, need to sign 256 bit messages• For signature trees, signature consists of d Lamportsignatures (plus public keys)• dmust be big enough to prevent collisions• E.g. d = 100
Overall signature size: around a megabit
![Page 47: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/47.jpg)
What’s the Smallest Signature?
Signature Trees: 1megabits
RSA Hash-‐and-‐Sign: 2 kilobits
ECDSA: around 512 bits
BLS: 256 bits
Are 128-‐bit signatures possible?
![Page 48: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/48.jpg)
Obfuscation-‐Based Signatures
Let (MAC,Ver) be a message authentication code
Gen(): kßK• sk = k• pk = Obf( Ver(k, . , . ) )
Sign(sk,m) = MAC(k,m)Ver(pk,m,σ) = pk(m,σ)
Signature size: 128 bits!• But running time, public key size is horrible
![Page 49: COS433/Math+473:+ Cryptographymzhandry/2017-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2017](https://reader035.vdocuments.mx/reader035/viewer/2022062604/5fc41cfbe4f64146d35c155f/html5/thumbnails/49.jpg)
Next Time
Identification protocols