signature from one-way functions
DESCRIPTION
Seminar on Digital Signature, which shows the construction of digital signatures solely based on the existence of one-way functions.TRANSCRIPT
![Page 1: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/1.jpg)
Signature from One-way Functions
Cassius Puodzius
Technische Universitat Darmstadt
Mar. 12, 2012
![Page 2: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/2.jpg)
Outline
Outline of the seminar
Motivation
Quick introduction to One-way functions
Attack model
One-time signatures
Lamport’s One-Time Signature Scheme
`-time signatures
Full-fledged one-time signature from length-restrictedone-time signature
Hash-and-sign paradigm
General signature scheme from one-time signature
Refreshing paradigmAuthentication-trees
Conclusions
![Page 3: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/3.jpg)
Motivation
Security of Digital Signatures
Security assumptions:
Integer factorization: Rabin signature [2]
DLP: Modified ElGamal scheme [7]
RSA: RSA-PSS [3]
SVP: GPV [4]
or even:
k-wCDHP (k-weak Computational Diffie-Hellman Problem) [9]
k+1-IEP (k+1 inverse exponent problem) [1]
k+1-SRP (k + 1 Square Roots Problem) [8]
BISDHP (bilinear inverse-square Diffie-Hellman problem) [1]
![Page 4: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/4.jpg)
Motivation
Goal
Obtain secure digital signatures solely based on the existence ofone-way functions
![Page 5: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/5.jpg)
Quick introduction to One-way functions
Idea
![Page 6: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/6.jpg)
Quick introduction to One-way functions
Definition
No probabilistic algorithm is able to find x given f (x) inpolynomial-time
Existence of OWF
No known OWF
Candidates: Factorization, Discrete Logarithm, MultivariatePolynomials, Learning with errors, ...
![Page 7: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/7.jpg)
Attack model
Adaptive chosen-message attack
m /∈ m0,m1, . . . ,mN
![Page 8: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/8.jpg)
Attack model
Existential Unforgeability
A signature scheme is secure (or unforgeable) if every feasiblechosen message attack succeeds with at most negligible probability[6]
Strong Existential Unforgeability
The forger is allowed to output mi ∈ m0,m1, . . . ,mN, howeverσ 6= σi .
![Page 9: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/9.jpg)
Lamport’s One-Time Signature Scheme
G: Key Generation
signing-key:verification-key:
![Page 10: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/10.jpg)
Lamport’s One-Time Signature Scheme
G: Key Generation
Given f : D → I a OWF
sk =( s0
1 ... s0`(n)
s11 ... s1
`(n)
) vk =
( v01 ... v0
`(n)
v11 ... v1
`(n)
)such that ∀i ∈ 1, ..., `(n) and ∀b ∈ 0, 1: sbi
$←− D and vbi = f (sbi )
sk : signing-key (secret)vk : verification-key (public)
![Page 11: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/11.jpg)
Lamport’s One-Time Signature Scheme
S and V: Signature and Verification
![Page 12: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/12.jpg)
Lamport’s One-Time Signature Scheme
S and V: Signature and Verification
![Page 13: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/13.jpg)
Lamport’s One-Time Signature Scheme
S and V: Signature and Verification
![Page 14: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/14.jpg)
Lamport’s One-Time Signature Scheme
S and V: Signature and Verification
![Page 15: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/15.jpg)
Lamport’s One-Time Signature Scheme
S and V: Signature and Verification
![Page 16: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/16.jpg)
Lamport’s One-Time Signature Scheme
S and V: Signature and Verification
![Page 17: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/17.jpg)
Lamport’s One-Time Signature Scheme
S(sk ,m): Signature
For each bit mi of m ∈ 0, 1`(n):
σi =
s0i if mi = 0
s1i if mi = 1
V(pk ,m, σ): Verification
If for all i ∈ 1, ..., `(n):
vmii = f (σi )
then the signature is accepted. Otherwise it is rejected.
Drawback
Lamport is a length-restricted signature
![Page 18: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/18.jpg)
Lamport’s One-Time Signature Scheme
Chosen one-message attack
The adversary can make at most one query to its Signing Oracle
Why one-time signature?
Choosing the messages 0`(n) and 1`(n) an attacker is able to signany further message m ∈ 0, 1`(n)
![Page 19: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/19.jpg)
Lamport’s One-Time Signature Scheme
Proposition
Lamports OTS is unforgeable under a chosen one-message attackassuming that f is a OWF.
Depiction of proof
![Page 20: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/20.jpg)
Lamport’s One-Time Signature Scheme
Proof - Setup
p$←− 0, . . . , `(n) , b
$←− 0, 1sk =
( s01 ... a0
p ... s0`(n)
s11 ... a1
p ... s1`(n)
) pk =
( v01 ... b0
p ... v0`(n)
v11 ... b1
p ... v1`(n)
)where s0
p , s1p = ⊥, s1−b
p and v 0p , v
1p = y , f (s1−b
p ).
Proof - Emulation of Signing Oracle
When F demands a signature on m′:
σ′ ←
⊥ if mp = b ⇒ Attack failed
Ss(m) if mp = 1− b
![Page 21: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/21.jpg)
Lamport’s One-Time Signature Scheme
Proof - Inversion of OWF
If F outputs a forgery on mp and mp = b, then:
x ← σp|f (x) ≡ f (σp) = y
Proof - Probability of success
Pr [Inv(y)] ≥ Pr [Em. Signing Oracle]︸ ︷︷ ︸=1/2
∧Pr [F ← SUCESS]︸ ︷︷ ︸=ε
∧Pr [forgery on mp]︸ ︷︷ ︸≥1/`(n)
∧Pr [mp = b]︸ ︷︷ ︸=1/2
Pr [Inv(y)] ≥ ε
4 · `(n)⇒ non-negligible
![Page 22: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/22.jpg)
Corollary (One-time signature)
Corollary
If there exists any one-way function then there existslength-restricted one-time signatures as well
![Page 23: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/23.jpg)
`-time signatures
`-time signature from one-time signature
For any polynomial `:` one-time signature keys are generated and appended together togenerate
sk := (sk1, . . . , sk`) pk := (pk1, . . . , pk`)
![Page 24: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/24.jpg)
`-time signatures
`-time signature from one-time signature
signing-key:verification-key:
![Page 25: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/25.jpg)
`-time signatures
`-time signature from one-time signature
For i ≤ `
σi ← Signski (m)
The signature of m is (i , σi ).
Drawback
Stateful signature
![Page 26: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/26.jpg)
Corollary (`-time signature)
Corollary
If there exists any one-way function then there existslength-restricted `-time signature as well
![Page 27: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/27.jpg)
Full-fledged one-time signature from length-restrictedone-time signature
Hash-and-sign paradigm
hr : 0, 1∗ → 0, 1`r∈0,1∗ : collision-free hashing collection
Pro
Signature size depends only on the size of the signing-key
![Page 28: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/28.jpg)
Full-fledged one-time signature from length-restrictedone-time signature
Key generation with G’
On input 1k
(s, v)← G (1k) r ← I (1k)G’ outputs ((r, s), (r, v))
Signature with S’
On input a signing-key (r, s) and m ∈ 0, 1∗
σ ← Ss(hr (m))
S’ outputs σ
Verification with V’
On input a verification-key (r, v), m ∈ 0, 1∗ and a signature σV’ outputs Vv (hr (m), σ)
![Page 29: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/29.jpg)
Full-fledged one-time signature from length-restrictedone-time signature
Isn’t collision-free hashing collection a new assumption?
Yes, but it may be replaced by a collection of Universal One-WayHash Functions (UOWHF), which can be constructed using OWF[6].
![Page 30: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/30.jpg)
General signature scheme from one-time signature
Refreshing paradigm
(G, S, V): signature scheme - (G’, S’, V’): one-time signatureschemeRefreshing paradim → general signature scheme (G”, S”, V”),which has G”= G
Drawback
(G, S, V) is not a one-time signature scheme
![Page 31: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/31.jpg)
General signature scheme from one-time signature
Signing with S”
On input of a signing-key s and m ∈ 0, 1∗
(s ′, v ′) ← G ′(1k)
σ1 ← Ss(v ′)
σ2 ← S ′s′(m)
S”outputs (σ1, v′, σ2)
Verifying with V”
On input of a verifying-key v, m ∈ 0, 1∗ and (σ1, v′, σ2)
If Vv (v ′, σ1) = 1 and V ′v ′(m, σ2) the signature is accepted,otherwise rejected
![Page 32: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/32.jpg)
General signature scheme from one-time signature
Chain-Based signature
![Page 33: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/33.jpg)
General signature scheme from one-time signature
Chain-Based signature
![Page 34: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/34.jpg)
General signature scheme from one-time signature
Chain-Based signature
On input of mi ∈ 0, 1∗:
(si+1, vi+1) ← G (1k)
σi ← Ssi (mi ||vi+1)
Add (mi , si+1, vi+1, σi ) to the current stateSignature: mj , vj+1, σjj=0
Chain-Based verification
On input of a verifying-key v0, mi ∈ 0, 1∗ and the signaturemj , vj+1, σjj=i
j=0:
Vrfyvj ((mj ||vi+1), σj)?= ACCEPTED ∀j ∈ 0, · · · , i
![Page 35: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/35.jpg)
General signature scheme from one-time signature
Tree-Based signature
![Page 36: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/36.jpg)
General signature scheme from one-time signature
Tree-Based signature
On input of m ∈ 0, 1N , let µi be the first i bits of m (prefix):If µi was never signed (while i <= N)
(sµi |0, vµi |0) ← G (1k)
(sµi |1, vµi |1) ← G (1k)
σi ← Ssi (vµi |0||vµi |1)
µi |0 ← sµi |0, vµi |0
µi |1 ← sµi |1, vµi |1µi ← Ssµi
(vµi |0||vµi |1)
σm ← Ssm(m)
Signature: (authµj︷ ︸︸ ︷
σj , vµj |0, vµj |1j=0, σm)
![Page 37: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/37.jpg)
General signature scheme from one-time signature
Chain-Based verification
On input of a verifying-key v0, m ∈ 0, 1N and the signature(authjj=0, σm):
Vrfyvµj(authµj+1)
?= ACCEPTED ∀j ∈ 0,N
Vrfyvm(σm)?= ACCEPTED
![Page 38: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/38.jpg)
General signature scheme from one-time signature
Proposition
If G is a strongly unforgeable signature under a one-timechosen-message attack, then a tree-based scheme G’ is stronglyunforgeable signature under an adaptive chosen-message attack
Depiction of proof
![Page 39: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/39.jpg)
General signature scheme from one-time signature
Emulation of Oracle: Case 1
Emulation of Oracle: Case 2
![Page 40: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/40.jpg)
General signature scheme from one-time signature
Proof - Setup
A′ is a probabilistic polynomial time adversary ⇒ t ← #[query]Ω(n) = (2 · poly(n) + 1)t ≥ #[(G ,S ,V )]
j$←− 1, · · · ,Ω(n)
![Page 41: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/41.jpg)
General signature scheme from one-time signature
Proof - Emulation of Signing Oracle (Case 1)
Node j is on the authentication path:
(sµj |0, vµj |0) ← G (1k)
(sµj |1, vµj |1) ← G (1k)
σj ← Ssj (vµj |0||vµj |1)[One-time Signing Oracle]
µi |0 ← sµi |0, vµi |0
µi |1 ← sµi |1, vµi |1µi ← Ssµi
(vµi |0||vµi |1)
Proof - Emulation of Signing Oracle (Case 2)
Node j is a leaf: σm ← Ss(m) [One-time Signing Oracle]
![Page 42: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/42.jpg)
General signature scheme from one-time signature
Proof - Forgery in (G, S, V)
If A′ outputs a forgery (m, σ, authm) and this forgery happens innode j , then:
(σf ,mf )←
(σµj , vµj+1) if j ∈ Authm
(σ,m) if j /∈ Authm
Proof - Probability of success
Pr [(σf ,mf )] ≥ Pr [A′ ← SUCESS]︸ ︷︷ ︸=ε
∧Pr [forgery on j ]︸ ︷︷ ︸≥1/Ω(n)
Pr [(σf ,mf )] ≥ ε
Ω(n)⇒ non-negligible
![Page 43: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/43.jpg)
Corollary (General signature scheme from one-timesignature)
Corollary
If there exists any one-way function then there exists (stateful)general signature as well
![Page 44: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/44.jpg)
General (stateless) signature scheme from one-timesignature
Stateless Signature
Use of PRF (which can be obtained from OWF [6]):
![Page 45: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/45.jpg)
General (stateless) signature scheme from one-timesignature
Proposition
If (G, S, V) is a secure one-time signature scheme andfr : 0, 1∗ → 0, 1|r |r∈0,1∗ is a generalized pseudorandomfunction ensemble then (G’, S’, V’) constitutes a secure (general)signature scheme. [6]
Idea of the proof
Exponential growth of leaves → exponentially-vanishing probabilityof two signatures in the same leafDisregard two-times signatures → security proof similar to statefulscheme
![Page 46: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/46.jpg)
Corollary (General signature scheme from one-timesignature)
Corollary
If there exists any one-way function then there exists a generalsignature as well
![Page 47: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/47.jpg)
Conclusions
Theoretical Implication
If there exist any one-way function then there exist a generalsignature as well
![Page 48: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/48.jpg)
Conclusions
So why RSA, DLP, SVP, ...?
Digital SignatureScheme Assumption S-key size (KB) Signature Size (KB)RSA-1024 RSA 0.62 0.13ECDSA DLP 0.08 0.32GPV SVP 6.12 13.18Merkle-tree OWF 41.3a 2.27
aFor 222 signatures[5]
![Page 49: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/49.jpg)
The End
That’s it! Questions? Remarks?
![Page 50: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/50.jpg)
References I
Sedat Akleylek, Baris Bulent Kirlar, Omer Sever, and ZalihaYuce.A new short signature scheme with random oracle frombilinear pairings.
Daniel J. Bernstein.Proving tight security for rabin/williams signatures.In In EUROCRYPT, 2008.
Johannes Bock.Rsa-pss - provably secure rsa signatures and theirimplementation v1.0.1, 2011.
Johannes Buchmann, Richard Lindner, Markus Ruckert, andMichael Schneider.Post-quantum cryptography: lattice signatures.Computing, 85(1-2):105–125, 2009.
![Page 51: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/51.jpg)
References II
Luis Carlos and Luis Carlos Coronado Garcia.On the security and the efficiency of the merkle signaturescheme, 2005.
Oded Goldreich.Draft of chapter on signature schemes, 2003.
David Pointcheval and Jacques Stern.Security Proofs for Signature Schemes.In Ueli Maurer, editor, Advances in Cryptology - Proceedingsof EUROCRYPT ’96, volume 1070 of Lecture Notes inComputer Science, pages 387–398, Saragossa, Spain, 1996.Springer.
Fangguo Zhang, Xiaofeng Chen, Willy Susilo, and Yi Mu.A new short signature scheme without random oracles frombilinear pairings.In IN: VIETCRYPT 2006, LNCS 4341, pages 67–80, 2005.
![Page 52: Signature from One-way Functions](https://reader033.vdocuments.mx/reader033/viewer/2022052900/5562239fd8b42ac6588b4cee/html5/thumbnails/52.jpg)
References III
Fangguo Zhang, Reihaneh Safavi-naini, and Willy Susilo.Efficient verifiably encrypted signature and partially blindsignature from bilinear pairings, 2004.