A Signature Scheme as Secure as the Diffie Hellman Problem

A Signature Scheme as Secure as the Diffie Hellman Problem. Goh and Jarecki.

    Presentation Transcript

    • Theory Seminar - Cryptography: A Signature Scheme as Secure as the Diffie Hellman Problem. Eu-Jin Goh and Stanislaw Jarecki, Eurocrypt 2003. Subhashini V, IIT Madras.
    • Outline
      1. Introduction: Hard Assumptions
      2. Signature Scheme: Definition, EDL Scheme
      3. Security: CMA model, Unforgeability, Forgery, Probability
      4. References
    • Objective of this talk
      Introduction to Hardness assumption - CDH
      Reduction techniques
      ZKP in cryptosystems
      Random oracle model
      Signature scheme
    • Hard Assumption
      Discrete log problem - Given: $g, g^a$. Find: $a$.
      CDH (Computational Diffie-Hellman) - Given: $g, g^a, g^b$. Compute: $g^{ab}$.
      Reduction to hard assumption.
      What is tightness?
    • Digital Signature Scheme
      Key Generation - private key ($sk$) and public key ($pk$)
      Sign - $Sign(M, sk) \rightarrow \sigma$
      Verify - $Ver(pk, M, \sigma)$. Output: Accept or Reject
    • EDL Signature scheme
      Proposed originally by [CEVDG88] and [CP93].
      Key-generation: $sk = x \in_R \mathbb{Z}_q$, $pk = y \leftarrow g^x$
      Sign(x, M):
        1. $r \in_R \{0,1\}^{n_r}$, $h \leftarrow H(M, r)$, $z \leftarrow h^x$
        2. NI-ZKP $DL_h(z) = DL_g(y)$
        3. $k \in_R \mathbb{Z}_q$, $u \leftarrow g^k$, $v \leftarrow h^k$
        4. $c \leftarrow H'(g, h, y, z, u, v) \in \mathbb{Z}_q$
        5. $s \leftarrow k + cx$
        6. $\sigma \leftarrow (z, r, s, c)$
      Verify:
        $h' \leftarrow H(M, r)$, $u' \leftarrow g^s y^{-c}$, $v' \leftarrow h'^s z^{-c}$
        $c' = H'(g, h', y, z, u', v')$. Check $c' \stackrel{?}{=} c$
    • Proof of equality of DL
      Replacing ZK-proof of knowledge with just a ZKP.
      $k \in \mathbb{Z}_q$; $u = g^k$; $v = h^k$
      $s = k + cx$; $g^s = u y^c$; $h^s = v z^c$
      Also, proof of knowledge of $x$: $g^x = y$; $h^x = z$
      $x = DL_g(y)$; $x' = DL_h(z)$
      Possible only if $c = (k - k')/(x' - x)$ where $k = DL_g(u)$ and $k' = DL_h(v)$
    • Security Model
      Chosen Message Attack (CMA)
      Adaptive chosen messages.
      Training with oracles (hash, sign)
      Adversary A outputs forgery.
    • Unforgeability
      Random oracle model - solve CDH. (Proof is from [?])
      Setup: $y = g^a$ ($a$ is unknown)
      $H$ queries: embed - $H(M, r) = h = (g^b)^d$, $d$ - random
      $H'$ queries: all random.
      Sign queries: $r \in_R \{0,1\}^{n_r}$. If $H(M, r)$ is queried - abort.
      $\kappa \in_R \mathbb{Z}_q$. Set $z = y^\kappa$, $h = g^\kappa$ and $H(M, r) = h$
      $DL_h(z) = DL_g(y)$
      $c \in_R \mathbb{Z}_q$, $s \in_R \mathbb{Z}_q$. Set $u = g^s y^{-c}$ and $v = h^s z^{-c}$
      Store $H'(g, h, y, z, u, v) = c$
      $\sigma = (z, r, s, c)$
    • Solving CDH
      Forgery passes verification.
      $h = H(M, r) = g^{bd}$
      $DL_h(z) = DL_g(y) \Rightarrow z = h^a = g^{abd}$
      Output: $z^{1/d} = g^{ab}$
      Solved CDH.
    • Analysis - Probability of solving CDH
      Abort cases
        1. $H(M, r)$ was queried! $\Rightarrow \Pr = q_H 2^{-n_r}$
           Aborting in Step 1 of signature: $\Pr = q_{sig} \cdot q_H \cdot 2^{-n_r}$
        2. Abort at Step 4 of signature: $H'(g, g^k, y, y^k, u, u^k)$ queried!
           Probability of collision: $(q_H + q_{sig}) \cdot 2^{-2n_q}$
           Final: $\Pr = q_{sig} \cdot (q_H + q_{sig}) \cdot 2^{-2n_q}$
      Cannot solve CDH on successful forgery (because of DL)
        1. $\Pr[NH \wedge \neg NQ] = 2^{-n_q}$
        2. $\Pr[NQ] = q_H \cdot 2^{-n_q}$
      NH - event that the attacker does not query H-oracle.
      NQ - event that $DL_g(y) = DL_h(z)$
    • We assume that the attacker can break the signature scheme with a non-negligible probability of . Then, if is the probability of challenger (C) solving CDH problem using attacker. = − ( abort + DL ) = − $q_{sig} \cdot q_H \cdot 2^{-n_r}$ − $q_{sig} \cdot (q_H + q_{sig}) \cdot 2^{-2n_q}$ − $2^{-n_q}$ − $q_H \cdot 2^{-n_q}$ is non-negligible and hence C can solve CDH.
    • References I
      [CEVDG88] David Chaum, Jan-Hendrik Evertse, and Jeroen Van De Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In Proceedings of the 6th annual international conference on Theory and application of cryptographic techniques, EUROCRYPT '87, pages 127–141, Berlin, Heidelberg, 1988. Springer-Verlag.
      [CP93] David Chaum and Torben P. Pedersen. Wallet databases with observers. In Proceedings of the 12th Annual International Cryptology Conference on Advances in Cryptology, CRYPTO '92, pages 89–105, London, UK, 1993. Springer-Verlag.
    • References II
      Eu-Jin Goh and Stanisław Jarecki. A signature scheme as secure as the Diffie-Hellman problem. In Proceedings of the 22nd international conference on Theory and applications of cryptographic techniques, EUROCRYPT '03, pages 401–415, Berlin, Heidelberg, 2003. Springer-Verlag.
    • Questions? Thank You!
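
Added example, not from the slides or from the paper's authors: EDL Sign and Verify as listed on the scheme slide, together with the reduction's signing oracle from the Unforgeability slide, which answers sign queries from $y$ alone by programming $H$ and $H'$. Assumptions made here: a constructed toy group (p = 2039, q = 1019, g = 4), SHA-256 as the stand-in oracle, a 16-byte r, the table and function names, and a subgroup check on z during verification that the slides do not list.

```python
import hashlib, secrets

# Constructed toy group, far too small for real use: p = 2q + 1, g = 4 has prime order q.
P, Q, G = 2039, 1019, 4
NR = 16                  # salt length in bytes (n_r = 128 bits, an assumed value)
H_TAB, HP_TAB = {}, {}   # every oracle answer so far, queried or programmed

def _ro(tag, *args):     # SHA-256 standing in for a random oracle
    return int.from_bytes(hashlib.sha256(repr((tag, *args)).encode()).digest(), "big")

def H(msg, r):           # H: (M, r) -> subgroup element (a square mod p, never 1)
    return H_TAB.setdefault((msg, r), pow(_ro("H", msg, r) % (P - 3) + 2, 2, P))

def Hp(*args):           # H': (g, h, y, z, u, v) -> Z_q
    return HP_TAB.setdefault(args, _ro("H'", *args) % Q)

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def sign(x, msg):
    r = secrets.token_bytes(NR)
    h = H(msg, r)
    z, k = pow(h, x, P), secrets.randbelow(Q)
    c = Hp(G, h, pow(G, x, P), z, pow(G, k, P), pow(h, k, P))
    return z, r, (k + c * x) % Q, c

def verify(y, msg, sig):
    z, r, s, c = sig
    if not (0 < z < P and pow(z, Q, P) == 1):   # added check: z must lie in the subgroup
        return False
    h = H(msg, r)
    u = pow(G, s, P) * pow(y, -c, P) % P        # u' = g^s y^-c
    v = pow(h, s, P) * pow(z, -c, P) % P        # v' = h'^s z^-c
    return c == Hp(G, h, y, z, u, v)

def simulate(y, msg):
    """Signing oracle from the reduction: uses only y, programs H and H'."""
    r, kappa = secrets.token_bytes(NR), secrets.randbelow(Q - 1) + 1
    h, z = pow(G, kappa, P), pow(y, kappa, P)   # so DL_h(z) = DL_g(y)
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    u = pow(G, s, P) * pow(y, -c, P) % P
    v = pow(h, s, P) * pow(z, -c, P) % P
    if (msg, r) in H_TAB or (G, h, y, z, u, v) in HP_TAB:
        raise RuntimeError("abort: oracle point already defined")
    H_TAB[(msg, r)], HP_TAB[(G, h, y, z, u, v)] = h, c
    return z, r, s, c
```

`simulate` yields signatures that verify only because the verifier in the same process reads the programmed oracle tables; with a fixed public hash function there is nothing to program, which is why the argument is stated in the random oracle model.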