Short Signatures Without Random Oracles Dan Boneh and Xavier Boyen
(presented by Aleksandr Yampolskiy)
Outline
- Motivation (current section)
- Preliminaries
- Secure short signature
- Extensions
- Conclusion
Why signatures without random oracles?
- "random oracle" model
  - H(·) ≈ a perfectly random function [FS87]
  - useful, yet often unrealistic [CGH98]
- most signatures without random oracles [GHR99, CS00] are based on the strong RSA assumption
Why this paper?
- strong RSA problem
  - Given N = pq and g ∈ Z_N*, find (c, g^{1/c}) with c ∈ Z.
  - Difficult because the group order φ(N) is hidden.
- Useful property: from (N, g) we can construct (N, h) together with q known solutions (c_i, h^{1/c_i}). Any new solution (c*, h^{1/c*}) yields a solution to the original instance.
- Can we have a similar property in a group of known order p?
Outline
- Motivation
- Preliminaries (current section)
- Secure short signature
- Extensions
- Conclusion
Secure Signatures
- signature scheme = (KeyGen, Sign, Verify)
- strong existential unforgeability (sUF-CMA) [ADR02]
  - setup: the challenger runs (PK, SK) ← KeyGen and sends PK to the adversary
Secure Signatures (cont.)
- signature scheme = (KeyGen, Sign, Verify)
- strong existential unforgeability (sUF-CMA) [ADR02]
  - setup: the challenger runs (PK, SK) ← KeyGen and sends PK to the adversary
  - queries: the adversary sends M_i and the challenger answers with σ_i = Sign(SK, M_i), producing the pairs (M_1, σ_1), …, (M_qs, σ_qs)
Secure Signatures (cont.)
- signature scheme = (KeyGen, Sign, Verify)
- strong existential unforgeability (sUF-CMA) [ADR02]
  - setup: (PK, SK) ← KeyGen, PK sent to the adversary
  - queries: (M_1, σ_1), …, (M_qs, σ_qs)
  - output: the adversary outputs a new pair (M*, σ*) ∉ {(M_i, σ_i)}; it wins if (M*, σ*) is valid
Secure Signatures (cont.)
- signature scheme = (KeyGen, Sign, Verify)
- weak existential unforgeability (wUF-CMA)
  - setup: non-adaptive, i.e. the adversary commits to its query messages M_1, …, M_qs before receiving PK
  - queries: (M_1, σ_1), …, (M_qs, σ_qs)
  - output: a new pair (M*, σ*) ∉ {(M_i, σ_i)}; the adversary wins if it is valid and M* ≠ M_i for all i
Bilinear Groups
- G1, G2: cyclic groups of prime order p; GT: group of order p
- bilinear map e: G1 × G2 → GT
  - bilinear: ∀u ∈ G1, v ∈ G2 and ∀a, b ∈ Z: e(u^a, v^b) = e(u, v)^{ab}
  - non-degenerate: e(g1, g2) ≠ 1
  - efficiently computable; there is an efficiently computable isomorphism ψ: G2 → G1
- bilinear maps can be constructed from the Weil pairing [JN01]
Strong Diffie-Hellman Assumption
- q-SDH problem: given (g1, g2, g2^x, g2^{x^2}, …, g2^{x^q}), output (c, g1^{1/(x+c)}) where c ∈ Zp* (hard)
- Checking that (c, s) is a valid pair is easy:
  - simply test whether e(s, g2^c · g2^x) = e(g1, g2)
- Prior works [BB04, MSK02] used the weaker q-DHI problem: given (g1, g2, g2^x, …, g2^{x^q}; c), output g1^{1/(x+c)}.
Outline
- Motivation
- Preliminaries
- Secure short signature (current section)
- Extensions
- Conclusion
Short Signature Scheme S
- Key generation: pick x, y ∈_R Zp*. Let u = g2^x and v = g2^y. The public key is PK = (g1, g2, u, v); the secret key is SK = (x, y).
- Signing: to sign m ∈ Zp*, pick r ∈_R Zp* and compute σ = g1^{1/(x+m+yr)}. The signature is (σ, r).
- Verification: given m and (σ, r), output valid if e(σ, u · g2^m · v^r) = e(g1, g2).
- Signature length: 2 log2(p) bits ≈ 40 bytes
Main Theorem
Theorem: Suppose the (q, t', ε')-SDH assumption holds. Then the signature scheme S is (qs, t, ε)-secure against existential forgeries under (strong) chosen-message attack, where t' ≈ t, qs < q, and ε' ≈ ε/2.
Proof Idea: big picture
1. Simplified signature scheme S'
2. q-SDH is hard ⇒ S' is wUF-CMA
3. S' is wUF-CMA ⇒ S is sUF-CMA
Hence, q-SDH is hard ⇒ S is sUF-CMA.
Proof Idea: 1/3
- Simplified signature scheme S'
  - Key generation: PK = (g1, g2, g2^x), SK = x
  - Signing: to sign m, compute σ = g1^{1/(x+m)}
  - Verification: on input (m, σ), return valid if e(σ, g2^x · g2^m) = e(g1, g2)
Proof Idea: 2/3
- Lemma: q-SDH is hard ⇒ S' is wUF-CMA
- Idea: property of q-SDH ≈ property of strong RSA
  - Given g2, g2^x, …, g2^{x^q}
  - we can construct a new instance h, h^x, …, h^{x^q} with q−1 known solutions (c_i, h^{1/(x+c_i)}) for specially chosen c_i
  - …so that any new solution (c*, h^{1/(x+c*)}) produced by the forger yields a solution (c, g2^{1/(x+c)}).
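How the "specially chosen c_i" give an instance with known solutions, as an added derivation that is not on the slides: it is the polynomial construction from the Boneh and Boyen paper, written in the slides' notation, where f, γ, γ_{-1} and the coefficients α_j are my own names. It assumes x ≠ −c_i for all i (otherwise comparing g2^x with g2^{−c_i} reveals x directly).

```latex
\begin{align*}
&\text{Pick distinct } c_1,\dots,c_{q-1}\in\mathbb{Z}_p^* \text{ and set }
 f(X)=\prod_{i=1}^{q-1}(X+c_i)=\sum_{j=0}^{q-1}\alpha_j X^{j}.\\
&\text{New instance: } h = g_2^{f(x)}=\prod_{j=0}^{q-1}\big(g_2^{x^{j}}\big)^{\alpha_j},\qquad
 h^{x} = g_2^{x f(x)} \text{ likewise (degree } q\text{), both computed without } x.\\
&\text{Known solutions: } f_i(X)=f(X)/(X+c_i) \text{ is a polynomial of degree } q-2,
 \text{ so } h^{1/(x+c_i)} = g_2^{f_i(x)} \text{ is computable the same way.}\\
&\text{New solution } (c^*,\ s^*=h^{1/(x+c^*)}) \text{ with } c^*\notin\{c_1,\dots,c_{q-1}\}:
 \text{ polynomial division gives}\\
&\qquad f(X)=\gamma(X)\,(X+c^*)+\gamma_{-1},\qquad \gamma_{-1}=f(-c^*)\neq 0,\qquad \deg\gamma = q-2,\\
&\qquad s^* = g_2^{f(x)/(x+c^*)} = g_2^{\gamma(x)}\cdot g_2^{\gamma_{-1}/(x+c^*)}
 \;\Rightarrow\;
 g_2^{1/(x+c^*)} = \Big(s^*\,/\,g_2^{\gamma(x)}\Big)^{1/\gamma_{-1}},\\
&\text{so } (c^*,\ g_2^{1/(x+c^*)}) \text{ solves the original instance.}
\end{align*}
```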
Proof Idea: 3/3
- Lemma: S' is wUF-CMA ⇒ S is sUF-CMA
- Idea: a reduction B sits between the weak challenger and the strong forger A_strong
  - B receives PK = (g1, g2, u) from the weak challenger, sends it the weak-signing queries w_1, …, w_q and gets back σ_1, …, σ_q
  - A sends m_1, …, m_qs to B and gets back (s_i, r_i), i = 1..qs. Then A outputs a forgery (m*, s*, r*).
  - Let w_i = m_i + y r_i for i = 1..qs and w* = m* + y r*.
  - Type-1 forger: w* ∉ {w_1, …, w_qs}
  - Type-2 forger: w* is one of w_1, …, w_qs
Proof Idea: 3/3 (cont.)
- On startup, B guesses which type of forger A is.
- If B chose Type-1:
  - it picks y ∈ Zp* and sets PK = (g1, g2, u, g2^y), where u is the weak challenger's public key
  - on the l-th Sign(m) request from A, it sets r_l = (w_l − m)/y and returns (σ_l, r_l)
  - given the forgery (m*, s*, r*) from A, it returns (w*, s*)
- If B chose Type-2:
  - it picks x ∈ Zp* and sets PK = (g1, g2, g2^x, u)
  - on the l-th Sign(m) request from A, it sets r_l = (x + m)/w_l and returns (σ_l^{1/r_l}, r_l)
  - given the forgery (m*, s*, r*) from A, it returns ((x+m*)/r*, s*).
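The two simulations checked against the verification equation of S, as an added derivation that is not part of the original slides. It uses the slides' symbols: in the Type-1 case the weak challenger's secret is x (u = g2^x) and B knows y; in the Type-2 case the weak secret is y (v = g2^y) and B knows x; c* is my name for the value B outputs.

```latex
\begin{align*}
&\text{Honest signature of } S:\ \sigma = g_1^{1/(x+m+yr)} \text{ verifies because}\\
&\qquad e\big(\sigma,\; u\, g_2^{m} v^{r}\big)
 = e\big(g_1^{1/(x+m+yr)},\; g_2^{\,x+m+yr}\big)
 = e(g_1,g_2)^{\frac{x+m+yr}{x+m+yr}} = e(g_1,g_2).\\[6pt]
&\text{Type 1 } (u=g_2^{x},\ v=g_2^{y},\ \sigma_l = g_1^{1/(x+w_l)}):\\
&\qquad r_l = \frac{w_l - m}{y} \;\Rightarrow\; m + y r_l = w_l
 \;\Rightarrow\; \sigma_l = g_1^{1/(x+m+yr_l)},\ \text{so } (\sigma_l, r_l) \text{ verifies under } (g_1,g_2,u,v).\\
&\qquad \text{Forgery: } s^* = g_1^{1/(x+m^*+yr^*)} = g_1^{1/(x+w^*)} \text{ is a weak signature on } w^* = m^*+yr^*,\\
&\qquad \text{which B can compute, and it is new exactly when } w^* \notin \{w_1,\dots,w_{q_s}\}.\\[6pt]
&\text{Type 2 } (u=g_2^{x},\ v=g_2^{y},\ \sigma_l = g_1^{1/(y+w_l)}):\\
&\qquad r_l = \frac{x+m}{w_l} \;\Rightarrow\; w_l r_l = x + m
 \;\Rightarrow\; \sigma_l^{1/r_l} = g_1^{1/(r_l(y+w_l))} = g_1^{1/(x+m+yr_l)},\ \text{again a valid } S\text{-signature.}\\
&\qquad \text{Forgery: with } c^* = \frac{x+m^*}{r^*},\quad
 x + m^* + y r^* = r^*\,(y + c^*)
 \;\Rightarrow\; (s^*)^{r^*} = g_1^{1/(y+c^*)}, \text{ a weak signature on } c^*.
\end{align*}
```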
Outline
- Motivation
- Preliminaries
- Secure short signature
- Extensions (current section)
- Conclusion
Extensions
- To sign arbitrary messages, simply hash them first: h: {0,1}* → Zp*
- Pollard's λ method can be used for limited message recovery.
- If we use random oracles, we can achieve even shorter signatures: σ ← g1^{1/(x+H(m))}
Conclusion
- Short signature based on a novel q-SDH assumption.
- Proved secure without random oracles!
- Final thoughts:
  - Is there anything left to extend?
  - Can q-SDH be used for something else? (BBS04)