Security Arguments for Digital Signatures and Blind Signatures

Security Arguments for Digital Signatures and Blind Signatures
Journal of Cryptology, (2000) 13: 361-396
Authors: D. Pointcheval and J. Stern
Presented by J. Liu
Outline
• Introduction
• Definitions
  1. The random oracle model
  2. Digital signature schemes
• Preliminaries
  1. Complexity theory and “Oracle replay attack”
  2. Distinguishability of distributions of probability
• Security arguments for digital signatures
Introduction
• Provable security tries to provide proofs in the asymptotic framework of complexity theory.
• That is, polynomial-time reductions from the problem to well-established problems, such as factorization, the discrete logarithm problem (DLP), NP-complete problems, …
• One-way functions and the NP vs. P question
The random oracle model
• Hash function (e.g. MD5, SHA-1, SHA-2, …): long message → short digest.
• Nonrepudiation: it is impossible to find two different messages providing the same hash value (collision freeness).
• The hash function can be seen as an oracle which produces a truly random value for each “new” query.
Digital signature schemes
1. Key generation algorithm G (probabilistic): input: k and w; output: (Kp, Ks)
2. Signing algorithm Σ (may be probabilistic): input: message m, (Kp, Ks); output: signature σ
3. Verification algorithm V (not probabilistic): input: m, Kp, σ; output: accept or reject
Fig. 1. Signature schemes
Example: RSA signature
• N = pq, ed = 1 mod φ(N), where e is public and d is secret.
• The signature of a message m with respect to d is σ = m^d mod N.
• It is not secure against existential forgery: σ’ = σ² = (m^d)² = (m²)^d mod N is a valid signature of m².
• The forged message m² is not intelligible; the forgery works because plain RSA is used without the proper redundancy.
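The multiplicative property the slide uses is easy to see on toy numbers. The following Python is an added example, not code from the slides or the paper: it signs with textbook RSA on constructed parameters (p = 61, q = 53, e = 17, message m = 65), derives the pair (m², σ²) without the secret d, and then shows two of the usual countermeasures: a message-format (redundancy) rule, here the constructed rule that the last decimal digit must be 5, and hash-then-sign, where the signer works on SHA-256(msg) mod N instead of msg.

```python
import hashlib
from math import gcd

# Constructed textbook-RSA parameters (toy size, for illustration only)
P_TOY, Q_TOY, E_TOY = 61, 53, 17

def rsa_keygen(p=P_TOY, q=Q_TOY, e=E_TOY):
    """Return the public key (N, e) and the secret d with e*d = 1 mod phi(N)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)            # modular inverse (Python >= 3.8)
    return (n, e), d

def sign(m, n, d):
    """Plain RSA signature: sigma = m^d mod N (no hashing, no padding)."""
    return pow(m, d, n)

def verify_plain(m, sigma, n, e):
    """Plain RSA verification: accept iff sigma^e = m mod N."""
    return pow(sigma, e, n) == m % n

def forge_square(m, sigma, n):
    """Existential forgery from the slide: (m^2, sigma^2) verifies because
    sigma^2 = (m^d)^2 = (m^2)^d mod N. The forger never learns d."""
    return (m * m) % n, (sigma * sigma) % n

def verify_with_redundancy(m, sigma, n, e):
    """Same check plus a message-format rule (constructed: the last decimal digit
    must be 5). A multiplicatively derived message is rejected when it lacks the format."""
    return m % 10 == 5 and verify_plain(m, sigma, n, e)

def hash_to_int(msg, n):
    """Hash-then-sign: the signer works on H(msg) reduced mod N instead of msg."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign_hashed(msg, n, d):
    return sign(hash_to_int(msg, n), n, d)

def verify_hashed(msg, sigma, n, e):
    # sigma^2 would now only verify for a message whose hash is H(msg)^2 mod N,
    # which the forger cannot find for a collision-free H
    return verify_plain(hash_to_int(msg, n), sigma, n, e)

if __name__ == "__main__":
    (n, e), d = rsa_keygen()
    m = 65
    sigma = sign(m, n, d)
    print("honest pair verifies:", verify_plain(m, sigma, n, e))
    m2, sigma2 = forge_square(m, sigma, n)
    print("forged pair", (m2, sigma2), "verifies under plain RSA:",
          verify_plain(m2, sigma2, n, e))
    print("forged pair passes the redundancy check:",
          verify_with_redundancy(m2, sigma2, n, e))
```

The redundancy rule is deliberately simple; real deployments use a padding scheme (PKCS#1 v1.5 or PSS) over a hash, which is the same idea applied with a format the attacker cannot satisfy by multiplying signatures.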
Example: Schnorr signature
• p, q two large primes with q | p-1 and q ≥ 2^k.
• g ∈ (Z/pZ)* of order q, y = g^-x mod p (x is the secret key).
• σ = (r, e, s), where r = g^K mod p with random K, e = H(m, r) mod q and s = K + ex mod q.
• Verify by e = H(m, g^s y^e mod p)
  [g^s y^e = g^{K+ex} (g^{-x})^e = g^{K+ex-ex} = g^K = r mod p]
No-message attack vs. known-message attack
• NMA: Attacker only knows the public key of the signer.
• KMA: Attacker can access a list of (m, σ) pairs. Four variants, ordered from weak to strong:
  1) Plain known-message attack
  2) Generic chosen-message attack
  3) Oriented chosen-message attack
  4) Adaptively chosen-message attack
Plain known-message attack
• Attacker has access to a list of signed messages, but he has not chosen them.
Generic chosen-message attack
• Attacker can choose the list of messages to be signed. This choice must be made before accessing the public key of the signer; that is, the choice is independent of the signer.
Oriented chosen-message attack
• Attacker chooses the messages for a specific signer.
Adaptively chosen-message attack
• Having knowledge of the public key of the signer, the attacker can ask the signer to sign any message that he wants. He can then adapt his queries according to previous message-signature pairs.
Forgeries
• Total break: disclose the secret key of the signer.
• Universal forgery: construct an efficient algorithm which can sign any message.
• Existential forgery: provide a new message-signature pair (not dangerous, since the message is meaningless).
Secure signature scheme
• A signature scheme is secure if an existential forgery is computationally impossible, even under an adaptively chosen-message attack.
Preliminaries
• Complexity theory and “Oracle replay attack”
• Distinguishability of distributions of probability
Complexity theory and “Oracle replay attack”
• All participants are modeled by probabilistic polynomial-time Turing machines.
• Generic reduction technique.
• Oracle replay attack: replay the attacker a polynomial number of times with different random oracles.
Oracle replay attack
• : random tape
• A queries the random oracle Q times; i is the answer of the i-th query.
• +1: the index of Q(m, 1)
Lemmas
• Splitting lemma
• Lemma 2
• Forking lemma
• Theorem 2
Splitting lemma
Lemma 2
Let (G, Σ, V) be a generic digital signature scheme with security parameter k. Let A be a probabilistic polynomial-time Turing machine, which can ask Q queries to the random oracle, with Q > 0. We assume that, within the time bound T, A produces, with probability ε ≥ 7Q/2^k, a valid signature (m, σ₁, h, σ₂). Then, within time T’ ≤ 16QT/ε, and with probability ε’ ≥ 1/9, a replay of this machine outputs two valid signatures (m, σ₁, h, σ₂) and (m, σ₁, h’, σ₂’) such that h ≠ h’.
Forking lemma
Let (G, Σ, V) be a generic digital signature scheme with security parameter k. Let A be a probabilistic polynomial-time Turing machine, which can ask Q queries to the random oracle, with Q > 0. We assume that, within the time bound T, A produces, with probability ε ≥ 7Q/2^k, a valid signature (m, σ₁, h, σ₂). Then there is another machine which has control over A and produces two valid signatures (m, σ₁, h, σ₂) and (m, σ₁, h’, σ₂’) such that h ≠ h’, in expected time T’ ≤ 84480QT/ε.
Theorem 2
Let A be an attacker which performs an existential forgery under a no-message attack against the Schnorr signature scheme, within time bound T and with probability ε ≥ 7Q/q, where Q denotes the number of queries that A can ask to the random oracle. Then the discrete logarithm in subgroups of prime order can be solved in expected time less than 84480QT/ε.
Proof
• By the forking lemma, we obtain two valid signatures (m, r, e, s) and (m, r, e’, s’) with e ≠ e’.
• We have r = g^s y^e = g^{s’} y^{e’} mod p, hence log_g y = (s - s’)/(e’ - e) mod q.
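The three ingredients of this proof (the random oracle of the earlier slide, the Schnorr scheme of the example slide, and the extraction step above) fit in one runnable simulation. The Python below is an added example, not code from the slides or the paper. Its assumptions: toy parameters with q = 1009 and p = kq + 1 found by trial division (far too small for real use); a lazily sampled random oracle implemented as a dictionary; and, standing in for the forger A, the honest signer itself, which succeeds with probability 1 and whose behaviour is a deterministic function of its random tape ω and of the oracle answers. The replay keeps the answers given before the critical query Q(m, σ₁) and draws fresh ones from that point on; two forgeries (m, r, e, s), (m, r, e’, s’) with e ≠ e’ then give x and log_g y = -x exactly as on the proof slide. The message strings and seeds are constructed.

```python
import random

# --- constructed toy parameters: q prime, p = kq + 1 prime, g of order q in (Z/pZ)* ---
def is_prime(n):
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True

def make_params(q=1009):
    """Return (p, q, g): search p = k*q + 1 prime and g = h^((p-1)/q) != 1, so ord(g) = q."""
    assert is_prime(q)
    k = 2
    while not is_prime(k * q + 1):
        k += 1
    p = k * q + 1
    for h in range(2, p):
        g = pow(h, (p - 1) // q, p)
        if g != 1:
            return p, q, g

class RandomOracle:
    """Lazily sampled random oracle H: a fresh uniform value in Z_q for every new
    query, the stored value for a repeated one. 'fixed' pre-loads answers, which is
    how the replay keeps the answers given before the forking point."""
    def __init__(self, q, seed, fixed=None):
        self.q, self.rng = q, random.Random(seed)
        self.answers = dict(fixed or {})
        self.log = []                      # queries in the order they were asked
    def query(self, m, r):
        key = (m, r)
        self.log.append(key)
        if key not in self.answers:
            self.answers[key] = self.rng.randrange(self.q)
        return self.answers[key]

def keygen(params, seed):
    p, q, g = params
    x = random.Random(seed).randrange(1, q)
    return x, pow(g, q - x, p)             # y = g^-x mod p (g has order q)

def machine_A(params, x, m, omega, H):
    """The machine that gets replayed. Here it is simply the honest Schnorr signer
    (a 'forger' that succeeds with probability 1); what the replay relies on is that
    its output is a deterministic function of the tape omega and of the oracle answers."""
    p, q, g = params
    tape = random.Random(omega)
    H("unrelated query", tape.randrange(p))  # an earlier query, answered identically on replay
    K = tape.randrange(1, q)
    r = pow(g, K, p)
    e = H(m, r)                              # the critical query Q(m, sigma_1), sigma_1 = r
    s = (K + e * x) % q
    return (m, r, e, s)

def verify(params, y, sig, H):
    """Schnorr check from the example slide: e == H(m, g^s y^e mod p)."""
    p, q, g = params
    m, r, e, s = sig
    return e == H(m, (pow(g, s, p) * pow(y, e, p)) % p)

def oracle_replay(params, x, m, omega, seed, max_tries=50):
    """Run A once, find the index beta of its critical query, then rerun A with the
    same tape, the same oracle answers before beta and fresh answers from beta on."""
    p, q, g = params
    H1 = RandomOracle(q, seed)
    sig1 = machine_A(params, x, m, omega, H1.query)
    _, r, e, _ = sig1
    beta = H1.log.index((m, r))
    kept = {key: H1.answers[key] for key in H1.log[:beta]}
    for attempt in range(1, max_tries + 1):
        H2 = RandomOracle(q, seed + attempt, fixed=kept)
        sig2 = machine_A(params, x, m, omega, H2.query)
        if sig2[1] == r and sig2[2] != e:   # same sigma_1, different h: a successful fork
            return sig1, sig2, H1, H2
    raise RuntimeError("no fork with h != h' within max_tries")

def extract_secret(params, sig1, sig2):
    """From (m, r, e, s) and (m, r, e', s') with e != e':
    s - s' = (e - e') x mod q, so x = (s - s')/(e - e') mod q,
    i.e. log_g y = -x = (s - s')/(e' - e) mod q as on the proof slide."""
    p, q, g = params
    _, r1, e1, s1 = sig1
    _, r2, e2, s2 = sig2
    assert r1 == r2 and e1 != e2
    return (s1 - s2) * pow((e1 - e2) % q, -1, q) % q

if __name__ == "__main__":
    params = make_params()
    x, y = keygen(params, seed=1)
    sig1, sig2, _, _ = oracle_replay(params, x, "pay 10 to bob", omega=42, seed=7)
    print("forked signatures:", sig1, sig2)
    print("recovered secret matches x:", extract_secret(params, sig1, sig2) == x)
```

Because A here is the honest signer, the replay succeeds on the first fresh oracle whenever the new answer differs from the old one, i.e. with probability 1 - 1/q; the retry loop is the place where the lemma's probability bookkeeping (the 7Q/2^k and 1/9 terms) would enter for a real forger that only succeeds on some fraction of tapes and oracle answers.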