Theorem 8.4. Let $\mathcal{A}$ be an INV-CMA-adversary operating in time $t$, after $n$ group queries and $m$ signing queries, with advantage $\epsilon = \mathrm{Succ}^{\mathrm{inv\text{-}cma}}_{\mathrm{US},\mathcal{A}}$, such that $n \gg 2$. There exists an adversary $\mathcal{B}$, operating in time $t'$ and attempting to break the pseudo-randomness property of $H^1$, after $m$ queries (to $H^1$), with success probability $\mathrm{Succ}^{\mathrm{prf}}_{H^1,\mathcal{B}}$ such that:
$$t' \le t + n + m(\tau_{H^2} + \tau_h + 2\tau_F)$$
and
$$\mathrm{Succ}^{\mathrm{prf}}_{H^1,\mathcal{B}} \ge \frac{\mathrm{Succ}^{\mathrm{inv\text{-}cma}}_{\mathrm{US},\mathcal{A}}}{2} - \frac{n^2}{2q} - \frac{mn}{q}$$
where $\tau_F$, $\tau_{H^2}$ and $\tau_h$ are the running times of $F$, $H^2$ and $h$ respectively.
Proof. Let $\mathcal{B}$ be the adversary attempting to break the pseudo-randomness of $H^1$ using an INV-CMA-adversary $\mathcal{A}$ against the above undeniable signatures. $\mathcal{A}$ operates as previously in the generic group model, and the polynomials $F_\ell$ manipulated by $\mathcal{B}$ are again affine and univariate, i.e. of the form $aX + b$; however, the indeterminate $X$ now refers to the public key $V$. In fact, $\mathcal{B}$ does not know $v$ (otherwise his task would be easy), but is allowed to choose the private key $u$.
Let $m^\star_0$, $m^\star_1$ and $p^\star$ be the challenge messages and the challenge time period respectively. $\mathcal{B}$ will forward $p^\star$ to his own challenger as a challenge seed and will receive a string $e^\star$ which is either the result of applying $H^1_v$ to $p^\star$ or a uniformly chosen random string from the corresponding space. $\mathcal{B}$ will then form the challenge signature $\mu^\star = (R^\star, T^\star, s^\star)$, using $e^\star$, on the message $m^\star_b$ for $b \xleftarrow{R} \{0,1\}$. If $e^\star = H^1_v(p^\star)$, then $\mu^\star$ is a valid signature on $m^\star_b$; otherwise it is an invalid signature on both $m^\star_0$ and $m^\star_1$. Thus, the answer of $\mathcal{A}$ suffices for $\mathcal{B}$ to conclude.
More precisely, $\mathcal{B}$ proceeds as follows:
Game 0. Let $m^\star_0$, $m^\star_1$ and $p^\star$ be the challenge messages and the challenge time period respectively. $\mathcal{B}$ forms an undeniable signature $\mu^\star$, following the standard signing algorithm, on $m^\star_b$ for some $b \xleftarrow{R} \{0,1\}$. We denote by $S_0$ the event "$\mathcal{A}$ returns the bit $b$" and we use the similar notation $S_i$ in any Game $i$. By definition, we have $\Pr[S_0] = \epsilon + \frac{1}{2}$.
Game 1. $\mathcal{B}$ uses the interpretation described above, which considers a safe sequence in order to simulate the group oracle. We get:
$$|\Pr[S_1] - \Pr[S_0]| \le \frac{(n+4)^2}{q}$$
Game 2. In this game, $\mathcal{B}$ simulates the signing oracle. Let $(m, p)$ be a signing query, where $m$ denotes the message to be signed and $p \ne p^\star$ denotes the time period. A signature $(R, T, s)$ on $m$ for the time period $p$ should satisfy the verification equation of the scheme, where $T = dP$, $d = H^2_{e_p}(m, R)$ and $e_p = H^1_v(p)$.
Thus, if we write $R = aV + bP$ and identify the coefficients of $V$ and of $P$, we get:
$$d \cdot F(T) \cdot h(m) = s \cdot a, \qquad 0 = uF(R) + s \cdot b + 1.$$
Thus, $(R, T, s)$ should satisfy:
$$ab^{-1}(uF(R) + 1) = -d \cdot F(T) \cdot h(m).$$
As a consequence, $\mathcal{B}$ does the following:
• request from his challenger $e_p = H^1_v(p)$,
• pick $R, T \xleftarrow{R} S$ and compute $d = H^2_{e_p}(m, R)$,
• pick $b \xleftarrow{R} \mathbb{Z}_q^\times$ and compute $a = -b \cdot d \cdot F(T) \cdot h(m) \cdot (uF(R)+1)^{-1}$, and $s = -b^{-1}(uF(R) + 1)$ so that the second relation above holds,
• execute $\mathrm{Record}(T \,\|\, d \,\|\, \mathrm{sign}_T)$ and $\mathrm{Record}(R \,\|\, aX + b \,\|\, \mathrm{sign}_R)$.
The difference from the previous game arises when the introduction of $R$ and $T$ along with their polynomials leads to inconsistencies in simulating the group oracle, i.e. collisions with the polynomials $F_\ell$ already recorded. The probability that such a collision occurs in one signing query is upper-bounded by $2n/q$; over the $m$ signing queries we thus have:
$$|\Pr[S_2] - \Pr[S_1]| \le \frac{2mn}{q}$$
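The following is an added example, not code from the thesis, that carries the Game 2 arithmetic through in the generic group model: a group element is tracked as the affine polynomial $aX + b$ over $\mathbb{Z}_q$ (standing for $aV + bP$, with $X$ the unknown $v$), the simulator fixes $a$ and $s$ from the two coefficient relations, and the Record bookkeeping detects the inconsistencies charged to the $2n/q$ term. Everything concrete here is my assumption rather than the page's: the prime group order $q = 2^{127}-1$, 32-byte random strings as generic-group handles, SHA-256 reduced modulo $q$ as stand-ins for $F$, $h$ and $H^2$, and an opaque byte string for the challenger's value $e_p$. The resampling of $R$ when $uF(R) + 1 \equiv 0$ is a practical caveat the proof glosses over, since the inverse must exist.

```python
"""Added example (not from the thesis): the Game 2 signing-oracle simulation.

Assumptions (mine, not the page's): prime group order Q = 2^127 - 1;
generic-group handles are random 32-byte strings; F, h and H^2 are
SHA-256 reduced modulo Q; the PRF value e_p is an opaque byte string
handed to B by its challenger. A group element is tracked as the affine
polynomial a*X + b over Z_q, X standing for the unknown secret v.
"""
import hashlib
import secrets

Q = (1 << 127) - 1  # prime group order (assumption)


def _hash_mod_q(tag: bytes, *parts: bytes) -> int:
    """SHA-256 stand-in for F, h and H^2, domain-separated by a tag."""
    dig = hashlib.sha256(tag)
    for part in parts:
        dig.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(dig.digest(), "big") % Q


def F(handle: bytes) -> int:
    """F: group element (its handle) -> Z_q."""
    return _hash_mod_q(b"F", handle)


def h(message: bytes) -> int:
    """h: message -> Z_q."""
    return _hash_mod_q(b"h", message)


def H2(e_p: bytes, message: bytes, R: bytes) -> int:
    """H^2_{e_p}(m, R), keyed by the time-period value e_p."""
    return _hash_mod_q(b"H2", e_p, message, R)


def is_inconsistent(table: dict, handle: bytes, poly: tuple) -> bool:
    """True when binding handle -> poly would contradict the table: the
    handle is already bound to another polynomial, or the polynomial is
    already bound to another handle (the collision events of the proof)."""
    if table.get(handle, poly) != poly:
        return True
    return any(p == poly and hnd != handle for hnd, p in table.items())


def record(table: dict, handle: bytes, poly: tuple) -> None:
    """Record(handle || poly || ...): generic-group bookkeeping."""
    if is_inconsistent(table, handle, poly):
        raise ValueError("group-oracle inconsistency")
    table[handle] = poly


def simulate_signature(table: dict, u: int, message: bytes, e_p: bytes):
    """B's answer to the signing query (m, p), given e_p = H^1_v(p).

    B knows u but never v: only the polynomial a*X + b of R is fixed,
    never a concrete discrete logarithm. Returns ((R, T, s), polynomials).
    """
    while True:
        R = secrets.token_bytes(32)
        denom = (u * F(R) + 1) % Q
        if denom:  # (uF(R)+1)^{-1} must exist; resample R otherwise
            break
    T = secrets.token_bytes(32)
    d = H2(e_p, message, R)
    b = secrets.randbelow(Q - 1) + 1                     # b in Z_q^x
    a = (-b * d * F(T) * h(message) * pow(denom, -1, Q)) % Q
    s = (-pow(b, -1, Q) * denom) % Q                     # from uF(R) + s*b + 1 = 0
    record(table, T, (0, d))                             # T = dP      <-> polynomial d
    record(table, R, (a, b))                             # R = aV + bP <-> aX + b
    return (R, T, s), {"R": (a, b), "T": (0, d)}


def satisfies_coefficient_equations(sig, polys, u: int, message: bytes, e_p: bytes) -> bool:
    """The two relations the proof derives from the verification equation
    (coefficient of V, then of P) for R = aV + bP."""
    R, T, s = sig
    a, b = polys["R"]
    d = H2(e_p, message, R)
    on_v = (d * F(T) * h(message) - s * a) % Q == 0
    on_p = (u * F(R) + s * b + 1) % Q == 0
    return on_v and on_p
```

The simulated triple satisfies both relations for the queried $(m, e_p)$ and fails them for any other message or period value, which is exactly what a verifier holding $e_p$ would observe; the table never contains $v$, so nothing the simulator writes depends on the PRF secret.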
Game 3. In this game, $\mathcal{B}$ simulates the challenge signature generation; he proceeds exactly as in Game 2. The difference arises when the created $R^\star$ and $T^\star$ (elements of the challenge signature) lead to inconsistencies with the group oracle:
$$|\Pr[S_3] - \Pr[S_2]| \le \frac{2n}{q}$$
Game 4. In this game, $\mathcal{B}$ simulates the verification and conversion oracles. Since verification and conversion queries can occur only with respect to time periods $p \ne p^\star$, $\mathcal{B}$ can request from his challenger the conversion receipt $e_p = H^1_v(p)$ for the time period $p$, and simulate perfectly the verification/conversion oracles. We clearly have $\Pr[S_4] = \Pr[S_3]$.
Game 5. In this game, we modify the challenge signature generation. After $\mathcal{A}$ outputs $m^\star_0$, $m^\star_1$ and $p^\star$, $\mathcal{B}$ outputs $p^\star$ to his own challenger as a challenge seed and gets a challenge bit-string $e^\star$, which is either $H^1_v(p^\star)$, if some $b' \xleftarrow{R} \{0,1\}$ equals 1, or a random string from the given space otherwise. $\mathcal{B}$ then produces the challenge signature $\mu^\star = (R^\star, T^\star, s^\star)$ on $m^\star_b$ using $e^\star$, i.e. proceeds exactly as the standard algorithm except that $d^\star$ is computed as $H^2_{e^\star}(m^\star_b, R^\star)$. Note that when $e^\star$ is a random string, $\mu^\star$ is a valid signature on neither $m^\star_0$ nor $m^\star_1$. Clearly:
$$\Pr[S_5] = \Pr[\hat{b} = b \mid b' = 1] \qquad \text{and} \qquad \Pr[\hat{b} \ne b \mid b' = 0] = \frac{1}{2}.$$
At the end of the simulation, if $\mathcal{A}$ outputs $\hat{b} = b$, then $\mathcal{B}$ responds $b'' = 1$, i.e. $e^\star$ is indeed $H^1_v(p^\star)$; otherwise he responds $b'' = 0$. We have:
$$\begin{aligned}
\mathrm{Succ}^{\mathrm{prf}}_{H^1,\mathcal{B}} &= \Pr[b'' = b'] - \frac{1}{2} \\
&= \Pr[b'' = 1, b' = 1] + \Pr[b'' = 0, b' = 0] - \frac{1}{2} \\
&= \Pr[b'' = 1 \mid b' = 1]\Pr[b' = 1] + \Pr[b'' = 0 \mid b' = 0]\Pr[b' = 0] - \frac{1}{2} \\
&= \frac{1}{2}\left|\Pr[b'' = 1 \mid b' = 1] + \Pr[b'' = 0 \mid b' = 0] - 1\right| \\
&= \frac{1}{2}\left|\Pr[\hat{b} = b \mid b' = 1] + \Pr[\hat{b} \ne b \mid b' = 0] - 1\right| \\
&= \frac{1}{2}\left|\Pr[S_5] - \frac{1}{2}\right| \\
&\ge \frac{\epsilon}{2} - \frac{n^2}{2q} - \frac{mn}{q}
\end{aligned}$$
where the last inequality uses $\Pr[S_5] \ge \Pr[S_0] - (n+4)^2/q - 2mn/q - 2n/q$, obtained by summing the gaps of Games 1 to 4, together with the hypothesis $n \gg 2$ to absorb the lower-order terms in $n$ into $n^2/(2q)$. Moreover, $t' \le t + n + m(\tau_{H^2} + \tau_h + 2\tau_F)$.
8.5 Conclusion
We properly defined security notions for convertible undeniable signatures that support the additional property of achronous gradual conversion. Adapting the scheme proposed by Michels, Petersen, and Horster in 1996, we realized the first scheme featuring this useful notion of conversion.
In addition, we gave the first security analysis of the Michels-Petersen-Horster protocol, thereby addressing a problem left open since 1996. We modified this scheme so that it becomes a generic one, which allows it to be used, for instance, in the setting of elliptic curves (and therefore offers attractive practical advantages in terms of signature length and performance). In this context, and in comparison with the time-selective convertible undeniable signatures from [Laguillaumie & Vergnaud, 2005], the computational costs of the confirmation/disavowal protocols and of the conversion algorithms are much smaller.
Conclusion
In this thesis, we were interested in signatures with controlled verification, more specifically undeniable and confirmer signatures. We focused on how to produce these signatures from basic cryptographic primitives such as digital signatures, encryption, and commitment schemes. In fact, we noticed that even the monolithic realizations of these signatures are built upon popular primitives, which results in security and efficiency analyses similar to those of the underlying components, but still indispensable to carry out. Our main purpose was to understand, and then bridge, the gap between these realizations and the known generic constructions of such opaque signatures. To analyze the generic constructions of confirmer signatures, we used the meta-reduction tool; such a tool was mainly applied to achieve impossibility results, e.g. disproving equivalence between complexity assumptions or separating idealized and standard models. In our study, we used meta-reductions to show that the popular generic constructions cannot achieve secure confirmer signatures without using strong encryption as a building block, which results in expensive confirmer signatures with few efficient instantiations. This is due to an inherent weakness in these constructions: confirmer signatures can be created without the help of the signer. After identifying the weaknesses in the popular generic constructions comes the task of removing them at low cost and without compromising security. Fortunately, this was doable by simply binding the digital signature (these generic constructions always require the computation of a digital signature) to the resulting confirmer signature. The outcome of this tweak was significant, as it allowed the constructions to rest on very cheap encryption, and consequently led to short confirmer signatures with small generation, verification, and conversion costs.
Another important consequence of this slight change is that it allows homomorphic encryption in the design, which translates into efficient confirmation and denial protocols.
The immediate prospect of such an analysis is its extension to other opaque or privacy-preserving mechanisms/signatures, e.g. group signatures, designated verifier signatures, or anonymous credentials. In fact, most such mechanisms involve a digital signature on some message and an encryption layer that ensures the privacy. Hence the possibility of applying the same techniques in order to allow cheap and useful encryption in the design, and thus achieve constructions with many efficient instantiations. The long-run prospect consists in systematically applying the meta-reduction tool to other cryptographic realizations in order to spot potential flaws in the design, and later repair these flaws and improve the resulting constructions.