A Signature Scheme as Secure as the Diffie Hellman Problem

Theory Seminar - Cryptography

A Signature Scheme as Secure as the Diﬃe
Hellman Problem
Theory Seminar

Eu-Jin Goh and Stanislaw Jarecki
Eurocrypt 2003

Subhashini V
IIT Madras


Outline

1 Introduction
Hard Assumptions

2 Signature Scheme
Deﬁnition
EDL Scheme

3 Security
CMA model
Unforgeability
Forgery
Probability

4 References

Introduction

Objective of this talk

Introduction to
Hardness assumption - CDH
Reduction techniques
ZKP in cryptosystems
Random oracle model
Signature scheme

Introduction
Hard Assumptions

Hard Assumption
Discrete log problem
- Given: g, g a Find: a
CDH - Computational Diﬃe-Hellman
- Given: g, g a , g b Compute: g ab
Reduction to hard assumption
What is tightness?

Signature Scheme
Deﬁnition

Digital Signature Scheme

Key Generation - private key (sk) and public key (pk)
Sign - Sign(M, sk) → σ
Verify - V er(pk, M, σ) Output: Accept or Reject

Signature Scheme
EDL Scheme

EDL Signature scheme
Proposed originally by [CEVDG88] and [CP93].
Key-generation
sk = x ∈R Zq , pk = y ← g x

Signature Scheme
EDL Scheme

Key-generation
Sign(x, M )

Signature Scheme
EDL Scheme

Key-generation
Sign(x, M )
1 r ∈R {0, 1}nr , h ← H(M, r) , z ← hx

Signature Scheme
EDL Scheme

Key-generation
Sign(x, M )
1 r ∈R {0, 1}nr , h ← H(M, r) , z ← hx
2 NI-ZKP DLh (z) = DLg (y)

Signature Scheme
EDL Scheme

Key-generation
Sign(x, M )
1 r ∈R {0, 1}nr , h ← H(M, r) , z ← hx
3 k ∈R Zq , u ← g k , v ← hk

Signature Scheme
EDL Scheme

Key-generation
Sign(x, M )
1 r ∈R {0, 1}nr , h ← H(M, r) , z ← hx
3 k ∈R Zq , u ← g k , v ← hk
4 c ← H (g, h, y, z, u, v) ∈ Zq

Signature Scheme
EDL Scheme

Key-generation
Sign(x, M )
1 r ∈R {0, 1}nr , h ← H(M, r) , z ← hx
3 k ∈R Zq , u ← g k , v ← hk
4 c ← H (g, h, y, z, u, v) ∈ Zq
5 s ← k + cx

Signature Scheme
EDL Scheme

Key-generation
Sign(x, M )
1 r ∈R {0, 1}nr , h ← H(M, r) , z ← hx
3 k ∈R Zq , u ← g k , v ← hk
4 c ← H (g, h, y, z, u, v) ∈ Zq
5 s ← k + cx
6 σ ← (z, r, s, c)

Signature Scheme
EDL Scheme

Key-generation
Sign(x, M )
1 r ∈R {0, 1}nr , h ← H(M, r) , z ← hx
3 k ∈R Zq , u ← g k , v ← hk
4 c ← H (g, h, y, z, u, v) ∈ Zq
5 s ← k + cx
6 σ ← (z, r, s, c)
Verify

Signature Scheme
EDL Scheme

Key-generation
Sign(x, M )
1 r ∈R {0, 1}nr , h ← H(M, r) , z ← hx
3 k ∈R Zq , u ← g k , v ← hk
4 c ← H (g, h, y, z, u, v) ∈ Zq
5 s ← k + cx
6 σ ← (z, r, s, c)
Verify
h ← H(M, r) , u ← g s y −c , v ← h s z −c

Signature Scheme
EDL Scheme

Key-generation
Sign(x, M )
1 r ∈R {0, 1}nr , h ← H(M, r) , z ← hx
3 k ∈R Zq , u ← g k , v ← hk
4 c ← H (g, h, y, z, u, v) ∈ Zq
5 s ← k + cx
6 σ ← (z, r, s, c)
Verify
h ← H(M, r) , u ← g s y −c , v ← h s z −c
?
c = H (g, h , y, z, u , v ). Check c = c

Signature Scheme
EDL Scheme

Proof of equality of DL

Replacing ZK-proof of knowledge with just a ZKP
k ∈ Zq ; u = g k ; v = hk
s = k + cx; g s = uy c ; hs = vz c
Also, proof of knowledge of x: g x = y; hx = z
x = DLg (y); x = DLh (z)
Possible only if c = (k − k )/(x − x)
where k = DLg (u) and k = DLh (v)

Security
CMA model

Security Model

Chosen Message Attack (CMA)
Adaptive chosen messages.
Training with oracles (hash, sign)
Adversary A outputs forgery.

Security
Unforgeability

Unforgeability

Random oracle model - solve CDH. (Proof is from [?])
Setup: y = g a (a is unknown)
H queries: embed - H(M, r) = h = (g b )d , d - random
H queries: all random.
Sign queries:
r ∈R {0, 1}nr . If H(M, r) is queried - abort.
κ ∈R Z . Set, z = y κ , h = g κ and H(M, r) = h
DLh (z) = DLg (y)
c ∈R Zq , s ∈R Zq ,. Set u = g s y −c and v = hs z −c
Store H (g, h, y, z, u, v) = c
σ = (z, r, s, c)

Security
Forgery

Solving CDH

Forgery passes veriﬁcation.
h = H(M, r) = g bd
DLh (z) = DLg (y) ⇒ z = ha = g abd
Output : z 1/d = g ab
Solved CDH.

Security
Probability

Analysis - Probability of solving CDH

Abort cases
1 H(M, r) was queried! ⇒ P r = qH 2−nr
- Aborting in Step1 of signature P r = qsig · qH · 2−nr
2 Abort at Step4 of signature H (g, g k , y, y k , u, uk ) queried!
- Probability of collision (qH + qsig ) · 2−2nq
- Final : P r = qsig · (qH + qsig ) · 2−2nq
Cannot solve CDH on successful forgery (because of DL)
1 Pr[N H ∧ ¬N Q] = 2−nq
2 Pr[N Q] = qH · 2−nq

NH - event that the attacker does not query H-oracle.
NQ - event that DLg (y) = DLh (z)

Security
Probability

We assume that the attacker can break the signature scheme with
a non-negligible probability of .
Then, if is the probability of challenger(C) solving CDH problem
using attacker.

= −( abort + DL )
−nr
= − qsig · qH · 2 − qsig · (qH + qsig ) · 2−2nq
− 2−nq − qH · 2−nq

is non-negligible and hence C can solve CDH.

References

References I

David Chaum, Jan-Hendrik Evertse, and Jeroen Van De Graaf.
An improved protocol for demonstrating possession of discrete
logarithms and some generalizations. In Proceedings of the 6th
annual international conference on Theory and application of
cryptographic techniques, EUROCRYPT’87, pages 127–141,
Berlin, Heidelberg, 1988. Springer-Verlag.
David Chaum and Torben P. Pedersen. Wallet databases with
observers. In Proceedings of the 12th Annual International
Cryptology Conference on Advances in Cryptology, CRYPTO
’92, pages 89–105, London, UK, 1993. Springer-Verlag.

References

References II

Eu-Jin Goh and StanisJarecki. A signature scheme as secure as
the diﬃe-hellman problem. In Proceedings of the 22nd
international conference on Theory and applications of
cryptographic techniques, EUROCRYPT’03, pages 401–415,
Berlin, Heidelberg, 2003. Springer-Verlag.

References

Questions?

Thank You!

A Signature Scheme as Secure as the Diffie Hellman Problem

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (14)

Similar to A Signature Scheme as Secure as the Diffie Hellman Problem

Similar to A Signature Scheme as Secure as the Diffie Hellman Problem (20)

Recently uploaded

Recently uploaded (20)

A Signature Scheme as Secure as the Diffie Hellman Problem