nach oben

Journal of Cryptology

Erschienen in:

01.01.2015

Confined Guessing: New Signatures From Standard Assumptions

verfasst von: Florian Böhl, Dennis Hofheinz, Tibor Jager, Jessica Koch, Christoph Striecks

Erschienen in: Journal of Cryptology | Ausgabe 1/2015

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

We put forward a new technique to construct very efficient and compact signature schemes. Our technique combines several instances of only a mildly secure signature scheme to obtain a fully secure scheme. Since the mild security notion we require is much easier to achieve than full security, we can combine our strategy with existing techniques to obtain a number of interesting new (stateless and fully secure) signature schemes. Concretely, we get (1) A scheme based on the computational Diffie–Hellman (CDH) assumption in pairing-friendly groups. Signatures contain \(\mathbf {O}(1)\) and verification keys \(\mathbf {O}(\log k)\) group elements, where \(k\) is the security parameter. Our scheme is the first fully secure CDH-based scheme with such compact verification keys. (2) A scheme based on the (nonstrong) RSA assumption in which both signatures and verification keys contain \(\mathbf {O}(1)\) group elements. Our scheme is significantly more efficient than existing RSA-based schemes. (3) A scheme based on the Short Integer Solutions (SIS) assumption. Signatures contain \(\mathbf {O}(\log (k)\cdot m)\) and verification keys \(\mathbf {O}(n\cdot m) {\mathbb {Z}}_p\)-elements, where \(p\) may be polynomial in \(k\), and \(n,m\) denote the usual SIS matrix dimensions. Compared to state-of-the-art SIS-based schemes, this gives very small verification keys, at the price of slightly larger signatures. In all cases, the involved constants are small, and the arising schemes provide significant improvements upon state-of-the-art schemes. The only price we pay is a rather large (polynomial) loss in the security reduction. However, this loss can be significantly reduced at the cost of an additive term in signature and verification key size.

Vorheriger Artikel Quantum Private Information Retrieval has Linear Communication Complexity

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

There are cleverer ways of embedding a computational problem into a signature scheme (e.g., partitioning [9, 34]). These techniques, however, usually require special algebraic features such as homomorphic properties or pairing-friendly groups. For instance, partitioning is not known to apply in the (standard-model) RSA setting.

Since we guess \(t^*\) from a small set of possible tags, we call our technique “confined guessing.”

This neglects a subtlety: \(A\)must specify the messages to be signed for the \(i^*\)-th instance in advance, while \(B\)expects to make adaptive signing queries. This difference can be handled using standard techniques (i.e., chameleon hashing [23]).

It will become clear in the security proof that actually a function with weaker security properties than a fully secure PRF is sufficient for our application. However, we stick to standard PRF security for simplicity. Thanks to an anonymous reviewer for pointing this out.

There is a subtlety here, since we assume to know \(\varepsilon (k)\). To obtain a black-box reduction, we can guess \(\lfloor \log _2(\varepsilon (k))\rfloor \) which would result in an additional security loss of a factor \(k\) in the reduction.

Technically, [20, Lemma 2.3] assumes an EUF-naCMA secure scheme (i.e., one which is secure against non-adaptive attacks with not necessarily distinct signed messages). However, it is easy to see that the corresponding reduction to EUF-naCMA security actually leads to a distinct-message attack with overwhelming probability. (In a nutshell, the EUF-naCMA secure scheme is used to sign honestly and independently generated chameleon hash images, resp. signature verification keys. The probability for a collision of two such keys must be negligible by the security of these building blocks).

Similar to footnote 5, here, we assume to know the number of signature queries \(q\ge 0\).

\(\mathsf {P}_{(\kappa ,b)}(t)\) can be computed in expected polynomial time but not in strict polynomial time. However, one can simply pick an upper bound \(\overline{\mu }\) and set \(\mathsf {P}_{(\kappa ,b)}(t) = p\) for some arbitrary but fix prime \(p\) if \(\mu _t> \overline{\mu }\) for the resolving index of \(t\) \(\mu _t\). For a proper \(\overline{\mu }\) the event \(\mu _t> \overline{\mu }\) will only occur with negligible probability (see Theorem 5.6, Game 3).

S. Agrawal, D. Boneh, X. Boyen, Efficient lattice (H)IBE in the standard model, in H. Gilbert, editor, EUROCRYPT 2010, French Riviera. LNCS, vol. 6110 (Springer, Berlin, 2010), pp. 553–572

M. Bellare, P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, in V. Ashby, editor, ACM CCS 93, Fairfax, Virginia, USA, (ACM Press, New York, 1993), pp. 62–73

F. Böhl, D. Hofheinz, T. Jager, J. Koch, J. H. Seo, C. Striecks, Practical signatures from standard assumptions, in EUROCRYPT (2013)

D. Boneh, X. Boyen, Secure identity based encryption without random oracles, in M. Franklin, editor, CRYPTO 2004, Santa Barbara, CA, USA. LNCS, vol. 3152 (Springer, Berlin, 2004), pp. 443–459

D. Boneh, X. Boyen, Short signatures without random oracles and the SDH assumption in bilinear groups. J. Cryptol. 21(2), 149–177 (2008)

X. Boyen, Lattice mixing and vanishing trapdoors: a framework for fully secure short signatures and more, in P.Q. Nguyen, D. Pointcheval, editors, PKC 2010, Paris, France. LNCS, vol. 6056 (Springer, Berlin, 2010), pp. 499–517

Z. Brakerski, Y.T. Kalai, A framework for efficient signatures, ring signatures and identity based encryption in the standard model. Cryptology ePrint Archive, Report 2010/086 (2010). http://eprint.iacr.org/

D. Cash, D. Hofheinz, E. Kiltz, C. Peikert, Bonsai trees, or how to delegate a lattice basis, in H. Gilbert, editor, EUROCRYPT 2010, French Riviera. LNCS, vol. 6110 (Springer, Berlin, 2010), pp. 523–552

J.-S. Coron, On the exact security of full domain hash, in M. Bellare, editor, CRYPTO 2000, Santa Barbara, CA, USA. LNCS, vol. 1880 (Springer, Berlin, 2000), pp. 229–235

10.

R. Cramer, V. Shoup, Signature schemes based on the strong RSA assumption. ACM Trans. Inf. Syst. Secur. 3(3), 161–185 (2000)

11.

R. Cramer, I. Damgård, Secure signature schemes based on interactive protocols, in D. Coppersmith, editor, CRYPTO’95, Santa Barbara, CA, USA. LNCS, vol. 963 (Springer, Berlin, 1995), pp. 297–310

12.

R. Cramer, I. Damgård, New generation of secure and practical RSA-based signatures, in N. Koblitz, editor, CRYPTO’96, Santa Barbara, CA, USA. LNCS, vol. 1109 (Springer, Berlin, 1996), pp. 173–185

13.

R. Cramer, V. Shoup, Signature schemes based on the strong RSA assumption, in ACM CCS 99, Kent Ridge Digital Labs, Singapore (ACM Press, Signapore, 1999), pp. 46–51

14.

M. Fischlin, The Cramer-Shoup strong-RSA signature scheme revisited, in Y. Desmedt, editor, PKC 2003, Miami, USA. LNCS, vol. 2567 (Springer, Berlin, 2003), pp. 116–129

15.

C. Gentry, C. Peikert, V. Vaikuntanathan, Trapdoors for hard lattices and new cryptographic constructions, in R.E. Ladner, C. Dwork, editors, 40th ACM STOC, Victoria, British Columbia, Canada (ACM Press, New York, 2008), pp. 197–206

16.

S. Goldwasser, S. Micali, R.L. Rivest, A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2): 281–308 (1988)

17.

D. Hofheinz, E. Kiltz, Programmable hash functions and their applications, in D. Wagner, editor, CRYPTO 2008, Santa Barbara, CA, USA. LNCS, vol. 5157 (Springer, Berlin, 2008), pp. 21–38

18.

D. Hofheinz, T. Jager, E. Kiltz, Short signatures from weaker assumptions, in D. H. Lee, X. Wang, editors, ASIACRYPT 2011, Seoul, South Korea. LNCS, vol. 7073 (Springer, Berlin, 2011), pp. 647–666

19.

D. Hofheinz, T. Jager, E. Kiltz, Short signatures from weaker assumptions. Cryptology ePrint Archive, Report 2011/296 (2011). http://eprint.iacr.org/

20.

S. Hohenberger, B. Waters, Short and stateless signatures from the RSA assumption, in S. Halevi, editor, CRYPTO 2009, Santa Barbara, CA, USA. LNCS, vol. 5677 (Springer, Berlin, 2009), pp. 654–670

21.

S. Hohenberger, B. Waters, Realizing hash-and-sign signatures under standard assumptions, in A. Joux, editor, EUROCRYPT 2009, Cologne, Germany. LNCS, vol. 5479 (Springer, Berlin, 2009), pp. 333–350

22.

M. Joye, An efficient on-line/off-line signature scheme without random oracles, in M.K. Franklin, L.C.K. Hui, D.S. Wong, editors, CANS 08, Hong-Kong, China, vol. 5339 (Springer, Berlin, 2008), pp. 98–107

23.

H. Krawczyk, T. Rabin, Chameleon signatures, in NDSS 2000, San Diego, California, USA (The Internet Society, San Diego, 2000)

24.

L. Lamport, Constructing digital signatures from a one-way function. Technical Report SRI-CSL-98, SRI International Computer Science Laboratory (1979)

25.

S. Lu, R. Ostrovsky, A. Sahai, H. Shacham, B. Waters, Sequential aggregate signatures and multisignatures without random oracles, in S. Vaudenay, editor, EUROCRYPT 2006, St. Petersburg, Russia. LNCS, vol. 4004 (Springer, Berlin, 2006), pp. 465–485

26.

D. Micciancio, O. Regev, Worst-case to average-case reductions based on Gaussian measures, in 45th FOCS, Rome, Italy (IEEE Computer Society Press, Los Alamitos, 2004), pp. 372–381

27.

M. Naor, M. Yung, Universal one-way hash functions and their cryptographic applications, in 21st ACM STOC (ACM Press, Seattle, 1989), pp. 33-43

28.

J. Rompel, One-way functions are necessary and sufficient for secure signatures, in 22nd STOC (ACM Press, Baltimore, 1990), pp. 387–394

29.

B. Rosser, Explicit bounds for some functions of prime numbers. Am. J. Math. 63(1): 211–232 (1941)

30.

J.H. Seo, Short signatures from Diffie-Hellman: realizing short public key. Cryptology ePrint Archive, Report 2012/480 (2012). http://eprint.iacr.org/

31.

A. Shamir, On the generation of cryptographically strong pseudorandom sequences. ACM Trans. Comput. Syst. 1(1): 38–44 (1983)

32.

V. Shoup, A computational introduction to number theory and algebra. Cambridge University Press, Cambridge (2008)

33.

B. Waters, Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions, in S. Halevi, editor, CRYPTO 2009, Santa Barbara, CA, USA. LNCS, vol. 5677 (Springer, Berlin, 2009), pp. 619–636

34.

B.R. Waters, Efficient identity-based encryption without random oracles, in R. Cramer, editor, EUROCRYPT 2005, Aarhus, Denmark. LNCS, vol. 3494 (Springer, Berlin, 2005), pp. 114–127

Titel: Confined Guessing: New Signatures From Standard Assumptions
verfasst von: Florian Böhl
Dennis Hofheinz
Tibor Jager
Jessica Koch
Christoph Striecks
Publikationsdatum: 01.01.2015
Verlag: Springer US
Erschienen in: Journal of Cryptology / Ausgabe 1/2015
Print ISSN: 0933-2790
Elektronische ISSN: 1432-1378
DOI: https://doi.org/10.1007/s00145-014-9183-z

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Weitere Artikel der Ausgabe 1/2015

Efficient Asynchronous Verifiable Secret Sharing and Multiparty Computation

Slidex Attacks on the Even–Mansour Encryption Scheme

Cryptanalysis of SHA-0 and Reduced SHA-1

Quantum Private Information Retrieval has Linear Communication Complexity

Subtleties in the Definition of IND-CCA: When and How Should Challenge Decryption Be Disallowed?