Apr 04 Draft of Vol2

Fragments of a chapter on Signature Schemes
(revised, second posted version)

Extracts from a working draft for Volume 2 of Foundations of Cryptography

Oded Goldreich
Department of Computer Science and Applied Mathematics
Weizmann Institute of Science, Rehovot, Israel.

February 10, 2002

to Dana

Copyright © 2002 by Oded Goldreich. Permission to make copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that new copies bear this notice and the full citation on the first page. Abstracting with credit is permitted.

Preface

The current manuscript is a preliminary draft of the chapter on signature schemes (Chapter 6) of the second volume of the work Foundations of Cryptography. This manuscript subsumes a previous version posted in May 2000.

The bigger picture. The current manuscript is part of a working draft of Part 2 of the three-part work Foundations of Cryptography (see Figure 0.1). The three parts of this work are Basic Tools, Basic Applications, and Beyond the Basics. The first part (containing Chapters 1-4) has been published by Cambridge University Press (in June 2001). The second part consists of Chapters 5-7 (regarding Encryption Schemes, Signature Schemes, and General Cryptographic Protocols, respectively). We hope to publish the second part with Cambridge University Press within a couple of years.

Part 1: Introduction and Basic Tools
  Chapter 1: Introduction
  Chapter 2: Computational Difficulty (One-Way Functions)
  Chapter 3: Pseudorandom Generators
  Chapter 4: Zero-Knowledge Proofs
Part 2: Basic Applications
  Chapter 5: Encryption Schemes
  Chapter 6: Signature Schemes
  Chapter 7: General Cryptographic Protocols
Part 3: Beyond the Basics

Figure 0.1: Organization of this work

The partition of the work into three parts is a logical one.
Furthermore, it offers the advantage of publishing the first part without waiting for the completion of the other parts. Similarly, we hope to complete the second part within a couple of years, and publish it without waiting for the third part.

Prerequisites. The most relevant background for this text is provided by basic knowledge of algorithms (including randomized ones), computability and elementary probability theory. Background on (computational) number theory, which is required for specific implementations of certain constructs, is not really required here.

Using this text. The text is intended as part of a work that is aimed to serve both as a textbook and a reference text. That is, it is aimed at serving both the beginner and the expert. In order to achieve this aim, the presentation of the basic material is very detailed so as to allow a typical CS undergraduate to follow it. An advanced student (and certainly an expert) will find the pace (in these parts) way too slow. However, an attempt was made to allow the latter reader to easily skip details obvious to him/her. In particular, proofs are typically presented in a modular way. We start with a high-level sketch of the main ideas, and only later pass to the technical details. Passage from high-level descriptions to lower-level details is typically marked by phrases such as "details follow". In a few places, we provide straightforward but tedious details in indented paragraphs such as this one. In some other (even fewer) places such paragraphs provide technical proofs of claims that are of marginal relevance to the topic of the book. More advanced material is typically presented at a faster pace and with fewer details. Thus, we hope that the attempt to satisfy a wide range of readers will not harm any of them.

Teaching. The material presented in the full (three-volume) work is, on one hand, way beyond what one may want to cover in a course, and on the other hand falls very short of what one may want to know about Cryptography in general. To assist these conflicting needs we make a distinction between basic and advanced material, and provide suggestions for further reading (in the last section of each chapter). In particular, sections, subsections, and subsubsections marked by an asterisk (*) are intended for advanced reading.

Table of Contents

Preface

6 Signatures and Message Authentication
  6.1 Definitional Issues                                                  479
    6.1.1 Message authentication versus signature schemes                  480
    6.1.2 Basic mechanism                                                  481
    6.1.3 Attacks and security                                             482
    6.1.4 Comments                                                         484
      6.1.4.1 Augmenting the attack with a verification oracle             485
      6.1.4.2 Inessential generalities                                     485
      6.1.4.3 Weaker notions of security and some popular schemes          486
  6.2 Length-restricted signature scheme                                   486
    6.2.1 Definition                                                       486
    6.2.2 The power of length-restricted signature schemes                 487
      6.2.2.1 Signing (augmented) blocks                                   488
      6.2.2.2 Signing a hash value                                         492
    6.2.3 * Constructing collision-free hashing functions                  495
      6.2.3.1 A construction based on claw-free permutations               496
      6.2.3.2 Collision-free hashing via block-chaining                    497
      6.2.3.3 Collision-free hashing via tree-hashing                      500
  6.3 Constructions of Message Authentication Schemes                      502
    6.3.1 Applying a pseudorandom function to the document                 502
      6.3.1.1 A simple construction and a plausibility result              502
      6.3.1.2 * Using the hash-and-sign paradigm                           504
      6.3.1.3 * A variation on the hash-and-sign paradigm                  505
    6.3.2 * More on Hash-and-Hide and state-based MACs                     509
      6.3.2.1 The definition of state-based MACs                           510
      6.3.2.2 State-based hash-and-hide MACs                               512
  6.4 Constructions of Signature Schemes                                   515
    6.4.1 One-time signature schemes                                       515
      6.4.1.1 Definitions                                                  516
      6.4.1.2 Constructing length-restricted one-time signature schemes    517
      6.4.1.3 From length-restricted schemes to general ones               520
    6.4.2 From one-time signature schemes to general ones                  521
      6.4.2.1 The refreshing paradigm                                      521
      6.4.2.2 Authentication-trees                                         523
      6.4.2.3 The actual construction                                      533
      6.4.2.4 Conclusions and comments                                     536
    6.4.3 * Universal One-Way Hash Functions and using them                537
      6.4.3.1 Definition                                                   538
      6.4.3.2 Constructions                                                539
      6.4.3.3 One-time signature schemes based on UOWHF                    547
      6.4.3.4 Conclusions and comments                                     550
  6.5 * Additional Properties                                              551
    6.5.1 Unique signatures                                                551
    6.5.2 Super-secure signature schemes                                   552
    6.5.3 Off-line/on-line signing                                         556
    6.5.4 Incremental signatures                                           557
    6.5.5 Fail-stop signatures                                             559
  6.6 Miscellaneous                                                        560
    6.6.1 On Using Signature Schemes                                       560
    6.6.2 On Information Theoretic Security                                561
    6.6.3 On Popular Schemes                                               562
    6.6.4 Historical Notes                                                 563
      6.6.4.1 Signature Schemes                                            563
      6.6.4.2 Message Authentication Schemes                               564
    6.6.5 Suggestion for Further Reading                                   565
    6.6.6 Open Problems                                                    566
    6.6.7 Exercises                                                        566

Chapter 6

Digital Signatures and Message Authentication

Message authentication and (digital) signatures were the first tasks that joined encryption to form modern cryptography. Both message authentication and digital signatures are concerned with the "authenticity" of data, and the difference between them is analogous to the difference between private-key and public-key encryption schemes. In this chapter, we define message authentication and digital signatures, and the security notions associated to them. We show how to construct message authentication schemes using pseudorandom functions, and how to construct signature schemes using one-way permutations. We stress that the latter construction employs one-way permutations that do not necessarily have a trapdoor. Towards presenting the latter constructions, we discuss restricted types of message authentication and signature schemes, which are of independent interest, such as length-restricted schemes (see Section 6.2) and one-time signature schemes (see Section 6.4.1).

Teaching Tip: Indeed, do not skip Section 6.2, since it does play an important role in the following sections. As in Chapter 5, we assume that the reader is familiar with the material in Chapters 2 and 3 (and specifically with Sections 2.2, 2.4, and 3.6). This familiarity is important not only because we use some of the notions and results presented in these sections, but rather because we use similar proof techniques (and do it while assuming that this is not the reader's first encounter with these techniques).

6.1 Definitional Issues

Loosely speaking, message authentication and signature schemes are supposed to enable reliable transmission of data between parties.
That is, the basic setting consists of a sender and a receiver, where the receiver may be either predetermined or determined only after the data was sent. Loosely speaking, the receiver wishes to be guaranteed that the data received was actually sent by the sender, rather than modified (or even concocted) by a third party. The receiver may be a party sharing an unreliable point-to-point communication line with the sender (which is indeed the typical setting in which message authentication is employed). However, in other cases (i.e., when signature schemes are employed), the receiver may be any party that obtains the data in the future and wishes to verify that it was indeed sent by the declared sender. In both cases, the reliability (or authenticity) of the data is established by an authentication process that consists of two main processes:

1. A signing process that is employed by the alleged sender in order to produce signatures to data of its choice.

2. A verification process that is employed by the receiver in order to determine the authenticity of the data using the provided signature.

As in the case of encryption schemes, the authentication process also presupposes a third (implicit) process called key-generation that allows the sender to generate a signing-key (to be used in the signing process), along with a verification-key (to be used in the verification process). The possession of the signing-key constitutes the sender's advantage over the adversary (see analogous discussion in Chapter 5).

6.1.1 Message authentication versus signature schemes

The difference between message authentication and signature schemes arises from the difference in the settings for which they are intended, which amounts to a difference in the identity of the receiver and in the level of trust that the sender has in the receiver. Typically, message authentication schemes are employed in cases where the receiver is predetermined (at the time of message transmission) and is fully trusted by the sender, whereas signature schemes allow verification of the authenticity of the data by anybody (which is certainly not trusted by the sender). In other words, signature schemes allow for universal verification, whereas message authentication schemes may only allow predetermined parties to verify the authenticity of the data. Thus, in signature schemes the verification-key must be known to anybody, and in particular is known to the adversary. In contrast, in message-authentication schemes, the verification-key is only given to a set of predetermined receivers that are all trusted not to abuse this knowledge; that is, in such schemes it is postulated that the verification-key is not (a-priori) known to the adversary.

Summary and terminology: Message authentication and signature schemes differ in the question of whether the verification-key is secret (i.e., unknown to the adversary) or public (and also known to the adversary). Thus, in a sense, these are private-key and public-key versions of a task that lacks a good name (since both authentication and signatures are already taken by one of the versions). Still, seeking a uniform terminology, we shall sometimes refer to message authentication schemes (also known as message authentication codes (MAC)) as private-key signature schemes. Analogously, we shall sometimes refer to signature schemes as public-key signature schemes.

type                        Message auth. schemes                       Signature schemes
verification-key known      to designated (trusted) receiver(s) only    to everybody (including adversary)
verification possible       for designated (trusted) receiver(s) only   for anybody (including adversary)

Figure 6.1: Message authentication versus signature schemes.
6.1.2 Basic mechanism

We start by defining the basic mechanism of message-authentication and signature schemes. Recall that there will be private-key and public-key versions, but the difference between the two versions is only reflected in the definition of security. In contrast, the definition of the basic mechanism says nothing about the security of the scheme (which is the subject of the next section), and thus is the same for both the private-key and public-key versions. In both cases, the scheme consists of three efficient algorithms: key generation, signing (or authenticating) and verification. The basic requirement is that signatures that are produced by the signing algorithm be accepted as valid by the verification algorithm, when fed a verification-key corresponding to the signing-key used by the signing algorithm.

Definition 6.1.1 (signature scheme): A signature scheme is a triple, $(G, S, V)$, of probabilistic polynomial-time algorithms satisfying the following two conditions:

1. On input $1^n$, algorithm $G$ (called the key generator) outputs a pair of bit strings.

2. For every pair $(s, v)$ in the range of $G(1^n)$, and for every $\alpha \in \{0,1\}^*$, algorithms $S$ (signing) and $V$ (verification) satisfy
$$\Pr[V(v, \alpha, S(s, \alpha)) = 1] = 1,$$
where the probability is taken over the internal coin tosses of algorithms $S$ and $V$.

The integer $n$ serves as the security parameter of the scheme. Each $(s, v)$ in the range of $G(1^n)$ constitutes a pair of corresponding signing/verification keys. The string $S(s, \alpha)$ is a signature to the document $\alpha \in \{0,1\}^*$ using the signing key $s$.

We stress that Definition 6.1.1 says nothing about security, and so trivial (i.e., insecure) algorithms may satisfy it (e.g., $S(s, \alpha) \stackrel{\rm def}{=} 0$ and $V(v, \alpha, \beta) \stackrel{\rm def}{=} 1$, for all $s, v, \alpha$ and $\beta$). Furthermore, Definition 6.1.1 does not distinguish private-key signature schemes from public-key ones. The difference between the two types is introduced in the security definitions: In a public-key scheme the "forging algorithm" gets the verification key (i.e., $v$) as an additional input (and thus $v \neq s$ follows), whereas in private-key schemes $v$ is not given to the "forging algorithm" (and thus one may assume, without loss of generality, that $v = s$).

Notation: In the rest of this book, we write $S_s(\alpha)$ instead of $S(s, \alpha)$ and $V_v(\alpha, \beta)$ instead of $V(v, \alpha, \beta)$. Also, we let $G_1(1^n)$ (resp., $G_2(1^n)$) denote the first (resp., second) element in the pair $G(1^n)$. That is, $G(1^n) = (G_1(1^n), G_2(1^n))$. Without loss of generality, we may assume that $|G_1(1^n)|$ and $|G_2(1^n)|$ are polynomially related to $n$, and that each of these integers can be efficiently computed from the other.

Comments: The above definition may be relaxed in several ways without significantly harming its usefulness. For example, we may relax Condition (2) and allow a negligible verification error (e.g., $\Pr[V_v(\alpha, S_s(\alpha)) \neq 1] < 2^{-n}$). Alternatively, one may postulate that Condition (2) holds for all but a negligible measure of the key-pairs generated by $G(1^n)$. At least one of these relaxations is essential for many suggestions of (public-key) signature schemes. Another relaxation consists of restricting the domain of possible documents. However, unlike the situation with respect to encryption schemes, such a restriction is non-trivial in the current context, and is discussed at length in Section 6.2.

6.1.3 Attacks and security

We consider very powerful attacks on the signature scheme as well as a very liberal notion of breaking it. Specifically, the attacker is allowed to obtain signatures to any document of its choice. One may argue that in many applications such a general attack is not possible (as documents to be signed must have a specific format).
Yet, our view is that it is impossible to define a general (i.e., application-independent) notion of admissible documents, and thus a general/robust definition of an attack seems to have to be formulated as suggested here. (Note that at worst, our approach is overly cautious.) Likewise, the adversary is said to be successful if it can produce a valid signature to any document for which it has not asked for a signature during its attack. Again, this defines the ability to form signatures to possibly "nonsensical" documents as a breaking of the scheme. Yet, again, we see no way to have a general (i.e., application-independent) notion of "meaningful" documents (so that only forging signatures to them will be considered a breaking of the scheme). The above discussion leads to the following (slightly informal) formulation.

A chosen message attack is a process that can obtain signatures to strings of its choice, relative to some fixed signing-key that is generated by $G$. We distinguish two cases.

The private-key case: Here the attacker is given $1^n$ as input, and the signatures are produced relative to $s$, where $(s, v) \leftarrow G(1^n)$.

The public-key case: Here the attacker is given $v$ as input, and the signatures are produced relative to $s$, where $(s, v) \leftarrow G(1^n)$.

Such an attack is said to succeed (in existential forgery) if it outputs a valid signature to a string for which it has not requested a signature during the attack. That is, the attack is successful if it outputs a pair $(\alpha, \beta)$ so that $\alpha$ is different from all strings for which a signature has been required during the attack, and $\Pr[V_v(\alpha, \beta) = 1] \geq \frac{1}{2}$, where $v$ is as above.^1 A signature scheme is secure (or unforgeable) if every probabilistic polynomial-time chosen message attack succeeds with at most negligible probability.

Footnote 1: The threshold of $1/2$ used above is quite arbitrary. The definition is essentially robust under the replacement of $1/2$ by either $1/{\rm poly}(n)$ or $1 - 2^{-{\rm poly}(n)}$, by amplification of the verification algorithm. For example, given $V$ as above, one may consider $V'$ that applies $V$ to the tested pair for a linear number of times and accepts if and only if $V$ has accepted in all tries.

Formally, a chosen message attack is modeled by a probabilistic oracle machine that is given oracle access to a "keyed signing process" (i.e., the signing algorithm combined with the signing-key). Depending on the version (i.e., public-key or not), the attacker may get the corresponding verification-key as input. We stress that this is the only difference between the two cases (i.e., private-key and public-key) that are spelled out in Definition 6.1.2. We refer the reader to the clarifying discussion that follows Definition 6.1.2; in fact, some readers may prefer that discussion over the technical formulations.

Definition 6.1.2 (unforgeable signatures):

Common notation: Let $M$ be a probabilistic oracle machine. We denote by $Q_M^O(x)$ the set of queries made by $M$ on input $x$ and access to oracle $O$, and let $M_1^O(x)$ denote the first string in the pair of strings output by $M$ on input $x$ and access to oracle $O$.

The private-key case: A private-key signature scheme is secure if for every probabilistic polynomial-time oracle machine $M$, every polynomial $p$ and all sufficiently large $n$, it holds that
$$\Pr\left[ V_{G_2(1^n)}\big(M^{S_{G_1(1^n)}}(1^n)\big) = 1 \ \&\ M_1^{S_{G_1(1^n)}}(1^n) \notin Q_M^{S_{G_1(1^n)}}(1^n) \right] < \frac{1}{p(n)}$$
where the probability is taken over the coin tosses of algorithms $G$, $S$ and $V$ as well as over the coin tosses of machine $M$.

The public-key case: A public-key signature scheme is secure if for every probabilistic polynomial-time oracle machine $M$, every polynomial $p$ and all sufficiently large $n$, it holds that
$$\Pr\left[ V_{G_2(1^n)}\big(M^{S_{G_1(1^n)}}(G_2(1^n))\big) = 1 \ \&\ M_1^{S_{G_1(1^n)}}(G_2(1^n)) \notin Q_M^{S_{G_1(1^n)}}(G_2(1^n)) \right] < \frac{1}{p(n)}$$
where the probability is taken over the coin tosses of algorithms $G$, $S$ and $V$ as well as over the coin tosses of machine $M$.

The definition refers to the following experiment. First a pair of keys, $(s, v)$, is generated by invoking $G(1^n)$, and is fixed for the rest of the discussion.^2 Next, an attacker is invoked on input $1^n$ or $v$, depending on whether we are in the private-key or public-key case. In both cases, the attacker is given oracle access to $S_s$, where the latter may be a probabilistic oracle rather than a standard deterministic one (e.g., if queried twice for the same value then the signing oracle may answer in different ways). Finally, the attacker outputs a pair of strings $(\alpha, \beta)$. The attacker is deemed successful if and only if the following two conditions hold:

1. The string $\alpha$ is different from all queries (i.e., requests for signatures) made by the attacker; that is, $M_1^{S_s}(x) \notin Q_M^{S_s}(x)$, where $x = 1^n$ or $x = v$ depending on whether we are in the private-key or public-key case. We stress that both $M_1^{S_s}(x)$ and $Q_M^{S_s}(x)$ are random variables that are defined based on the same random execution of $M$ (on input $x$ and oracle access to $S_s$).

2. The pair $(\alpha, \beta)$ corresponds to a valid document-signature pair relative to the verification key $v$. In case $V$ is deterministic (which is typically the case) this means that $V_v(\alpha, \beta) = 1$. The same applies also in case $V$ is probabilistic, when viewing $V_v(\alpha, \beta) = 1$ as a random variable. (Alternatively, in the latter case, a condition such as $\Pr[V_v(\alpha, \beta) = 1] \geq 1/2$ may replace the condition $V_v(\alpha, \beta) = 1$.)

Footnote 2: We stress that $G_1(1^n)$ and $G_2(1^n)$ represent related random variables. Thus, given oracle access to $S_{G_1(1^n)}$ means given oracle access to $S_s$, where $s$ is selected and fixed according to $G_1(1^n)$.

6.1.4 Comments

Clearly, any signature scheme that is secure in the public-key model is also secure in the private-key model. The converse is not true: consider, for example, the private-key scheme presented in Construction 6.3.1 (as well as any other "natural" message authentication scheme). Following are a few other comments regarding the definitions.
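The following Python is an added illustration of Definitions 6.1.1 and 6.1.2 (private-key case) and is not code from the chapter. It encodes a scheme as a triple of functions $(G, S, V)$, runs the chosen-message experiment with a signing oracle that records the query set $Q_M$, and declares success only when the output document is outside $Q_M$ and verifies. Two schemes are plugged in: the trivial one from the text ($S(s,\alpha)=0$, $V(v,\alpha,\beta)=1$), which meets Definition 6.1.1 yet loses to a forger that merely guesses, and a constructed toy private-key scheme (our assumption, not from the text) whose key is a table of random secrets, one per possible 3-bit document, against which the same guessing forger fails. Documents are written as Python strings of '0'/'1' characters; the forgers and the parameter choices are constructed for the example.

```python
import secrets

# Trivial scheme from the text: S(s, alpha) = 0 and V(v, alpha, beta) = 1.
# It satisfies Definition 6.1.1 (every signature verifies) but is obviously insecure.
def trivial_G(n):
    return (b"", b"")

def trivial_S(s, alpha):
    return b"0"

def trivial_V(v, alpha, beta):
    return 1

TRIVIAL = (trivial_G, trivial_S, trivial_V)

# Constructed toy private-key scheme (our assumption, not from the text): documents are
# exactly ELL bits, and the key is a table holding an independent n-byte secret for each
# of the 2**ELL possible documents.  Signing is a table look-up; in the private-key case
# we take v = s, and verification recomputes the signature and compares.
ELL = 3

def table_G(n):
    table = {format(i, "0%db" % ELL): secrets.token_bytes(n) for i in range(2 ** ELL)}
    return (table, table)

def table_S(s, alpha):
    return s[alpha]

def table_V(v, alpha, beta):
    if alpha not in v:            # document of improper length: we simply reject
        return 0
    return 1 if secrets.compare_digest(v[alpha], beta) else 0

TABLE = (table_G, table_S, table_V)

def satisfies_def_6_1_1(scheme, n, documents):
    """Condition (2) of Definition 6.1.1 on the given documents: V(v, alpha, S(s, alpha)) = 1."""
    G, S, V = scheme
    s, v = G(n)
    return all(V(v, alpha, S(s, alpha)) == 1 for alpha in documents)

def chosen_message_experiment(scheme, n, forger):
    """One run of the private-key experiment behind Definition 6.1.2.

    Keys (s, v) <- G(1^n) are fixed; the forger gets 1^n and oracle access to S_s.
    The set `queries` plays the role of Q_M.  The forger wins (existential forgery)
    iff its output (alpha, beta) has alpha not in Q_M and V_v(alpha, beta) = 1."""
    G, S, V = scheme
    s, v = G(n)
    queries = set()

    def signing_oracle(alpha):
        queries.add(alpha)
        return S(s, alpha)

    alpha, beta = forger(n, signing_oracle)
    return alpha not in queries and V(v, alpha, beta) == 1

def replay_forger(n, oracle):
    # Re-emitting a queried document with its genuine signature is not a forgery:
    # the freshness condition (alpha not in Q_M) rules it out.
    alpha = "101"
    return (alpha, oracle(alpha))

def guessing_forger(n, oracle):
    # Queries two documents, then outputs a fresh document with a guessed signature.
    oracle("000")
    oracle("001")
    return ("111", b"0")

def success_rate(scheme, n, forger, trials):
    """Fraction of independent experiment runs in which the forger wins."""
    wins = sum(chosen_message_experiment(scheme, n, forger) for _ in range(trials))
    return wins / trials
```

The replay forger loses against both schemes, which is exactly what condition 1 of the definition is for; the guessing forger wins every run against the trivial scheme and (with overwhelming probability) never against the table scheme, since the secret for an unqueried document is independent of everything the forger saw.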
6.1.4.1 Augmenting the attack with a verification oracle

Indeed, it is natural to augment Definition 6.1.2 by providing the adversary with unlimited access to the corresponding verification oracle $V_v$. We stress that (in this augmented definition) the documents that (only) appear in the verification queries are not added to the set $Q_M^{S_s}$; that is, the output $(\alpha, \beta)$ is considered a successful forgery even if the adversary made the verification-query $(\alpha, \beta)$, but provided (as before) that the adversary did not make the signing-query $\alpha$ (and that $V_v(\alpha, \beta) = 1$). Indeed, in the public-key case, the verification-oracle adds no power to the adversary, since the adversary (which is given the verification-key) can emulate the verification-oracle by itself. Furthermore, typically, also in the private-key model, the verification-oracle does not add much power. Specifically, as discussed in Section 6.5.1 (see also Exercises 1 and 2), any secure private-key signature scheme can be transformed into one having a deterministic verification algorithm and unique valid signatures (i.e., for every verification-key $v$ and document $\alpha$, there exists a unique $\beta$ such that $V_v(\alpha, \beta) = 1$). In fact, all private-key signature schemes presented in Section 6.3 have unique valid signatures. Considering an arbitrary combined attack on such a private-key signature scheme, we emulate the verification-queries (in the original model) as follows. For a verification-query $(\alpha, \beta)$, if $\alpha$ equals a previous signing-query, then we can emulate the answer by ourselves. Specifically, if the signing-query $\alpha$ was answered with $\beta$ then we answer the verification-query positively, else we answer it negatively. Otherwise (i.e., for a verification-query $(\alpha, \beta)$ such that $\alpha$ does not equal any previous signing-query), we may choose either to output $(\alpha, \beta)$ as a candidate forgery (gambling on $V_v(\alpha, \beta) = 1$) or emulate a negative answer by ourselves (gambling on $V_v(\alpha, \beta) = 0$). Specifically, for every such verification-query, we may choose the first possibility with probability $1/t(n)$ and the second possibility otherwise, where $t(n)$ is a bound on the number of verification-queries performed by the original augmented attack (which we emulate). For further discussion see Exercise 3.

6.1.4.2 Inessential generalities

The definitions presented above (specifically, Definition 6.1.1) were aimed at generality and flexibility. We comment that several levels of freedom can be eliminated without loss of generality (but with some loss of convenience). Firstly, as in the case of encryption schemes, one may modify the key-generation algorithm so that on input $1^n$ it outputs a pair of $n$-bit long keys. Two more fundamental restrictions, which actually do not affect the existence of secure schemes, follow.

Randomization in the signing process: In contrast to the situation with respect to encryption schemes (see Sections 5.2 and 5.3), randomization is not essential to the actual signing and verifying processes (but is, as usual, essential to key generation). That is, without loss of generality (but with possible loss in efficiency), the signing algorithm may be deterministic, and in all schemes we present (in the current chapter) the verification algorithm is indeed deterministic. For details, see Exercise 1.

Canonical verification in the private-key version: As hinted above, in the private-key case, we may just identify the signing and verification keys (i.e., $k \stackrel{\rm def}{=} s = v$). Furthermore (following the comment about deterministic signing), without loss of generality, verification may amount to comparing the alleged signature against the one produced by the verification algorithm (as done by the signing algorithm). That is, we may let $V_k(\alpha, \beta) \stackrel{\rm def}{=} 1$ if and only if $\beta = S_k(\alpha)$. For details, see Exercise 2.

6.1.4.3 Weaker notions of security and some popular schemes

Weaker notions of security have been considered in the literature. The various notions refer to two parameters: (1) the type of attack, and (2) when the adversary is considered to be a success. Indeed, Definition 6.1.2 refers to the most severe type of attacks (i.e., unrestricted chosen message attacks) and to the most liberal notion of success (i.e., ability to produce a valid signature to any new message). The interested reader is referred to Section 6.6.5. We note that plain RSA as well as plain versions of Rabin's scheme and the DSS are not secure under Definition 6.1.2. However, these schemes satisfy weaker notions of security, provided that some (standard) intractability assumptions hold. Furthermore, variants of these signature schemes (in which the function is not applied directly to the document itself) may be secure (under Definition 6.1.2).

6.2 Length-restricted signature scheme

Restricted types of (public-key and private-key) signature schemes play an important role in our exposition. The first restriction we consider is the one of schemes yielding secure signatures only to documents of a certain predetermined length. The effect of the length-restriction is more dramatic here (in the context of signature schemes) than it was in the context of encryption schemes; compare the following to Section 5.3.2. Nevertheless, as we shall show (see Theorem 6.2.2 below), if the length restriction is not too low then the full power of signature schemes can be regained.

6.2.1 Definition

The essence of the length-restriction is that security is guaranteed only with respect to documents of the predetermined length. Note that the question of what is the result of invoking the signature algorithm on a document of improper length is immaterial.
What is important is that an attacker (of a length-restricted scheme) is deemed successful only if it produces a signature to a (different) document of proper length. Still, for the sake of concreteness (and simplicity of subsequent treatment), we define the basic mechanism only for documents of proper length.

Definition 6.2.1 (signature scheme for fixed length documents): Let $\ell : \mathbb{N} \to \mathbb{N}$. An $\ell$-restricted signature scheme is a triple, $(G, S, V)$, of probabilistic polynomial-time algorithms satisfying the following two conditions:

1. As in Definition 6.1.1, on input $1^n$, algorithm $G$ outputs a pair of bit strings.

2. Analogously to Definition 6.1.1, for every $n$ and every pair $(s, v)$ in the range of $G(1^n)$, and for every $\alpha \in \{0,1\}^{\ell(n)}$, algorithms $S$ and $V$ satisfy $\Pr[V(v, \alpha, S(s, \alpha)) = 1] = 1$.

Such a scheme is called secure (in the private-key or public-key model) if the (corresponding) requirements of Definition 6.1.2 hold when restricted to attackers that only make queries of length $\ell(n)$ and output a pair $(\alpha, \beta)$ with $|\alpha| = \ell(n)$.

We stress that the essential modification is in the security condition, which considers an adversary to be successful only in case it forges a signature to a (different) document of the proper length (i.e., $|\alpha| = \ell(n)$).

6.2.2 The power of length-restricted signature schemes

We comment that $\ell$-restricted private-key signature schemes for $\ell(n) = O(\log n)$ are trivial (since the signing and verification keys may contain a table look-up associating a secret with each of the $2^{\ell(n)} = {\rm poly}(n)$ possible documents).^3 In contrast, this triviality does not hold for public-key signature schemes. (For both claims, see Exercise 5.) On the other hand, in both (private-key and public-key) cases, $\ell$-restricted signature schemes for super-logarithmic $\ell$ (e.g., $\ell(n) = n$ or even $\ell(n) = \log_2^2 n$ will do) are as powerful as ordinary signature schemes:

Theorem 6.2.2 Suppose that $\ell$ is a super-logarithmically growing function. Then, given an $\ell$-restricted signature scheme that is secure in the private-key (resp., public-key) model, one can construct a full-fledged signature scheme that is secure in the same model.

Footnote 3: Recall that such triviality does not hold in the context of encryption schemes, not even in the private-key case. See Section 5.3.2.

Results of the above flavor can be established in two different ways, corresponding to two methods of converting an $\ell$-restricted signature scheme into a full-fledged one. Both methods are applicable both to private-key and public-key signature schemes. The first method (presented in Section 6.2.2.1) consists of parsing the original document into blocks (with proper "linkage" between blocks!), and applying the $\ell$-restricted scheme to each block. The second method (presented in Section 6.2.2.2) consists of hashing the document into an $\ell(n)$-bit long value (via an adequate hashing scheme!), and applying the restricted scheme to the resulting value. Thus, the second method requires an additional assumption (i.e., the existence of "collision-free" hashing), and so Theorem 6.2.2 (as stated) is actually proved using the first method. The second method is presented because it offers other benefits; in particular, it will play an important role in subsequent sections (e.g., in Sections 6.3.1.2 and 6.4.1.3).

6.2.2.1 Signing (augmented) blocks

In this subsection we present a simple method for constructing general signature schemes out of length-restricted ones, and in doing so we establish Theorem 6.2.2. Loosely speaking, the method consists of parsing the original document into blocks (with proper "linkage" between blocks!), and applying the length-restricted scheme to each (augmented) block.

Let $\ell$ and $(G, S, V)$ be as in Theorem 6.2.2. We construct a general signature scheme, $(G', S', V')$, with $G' = G$, by viewing documents as sequences of strings, each of length $\ell'(n) = \ell(n)/O(1)$.
That is, we associate $\alpha = \alpha_1 \cdots \alpha_t$ with the sequence $(\alpha_1, \ldots, \alpha_t)$, where each $\alpha_i$ has length $\ell'(n)$. (At this point, the reader may think of $\ell'(n) = \ell(n)$, but actually we will use $\ell'(n) = \ell(n)/4$ in order to make room for further information.)

To motivate the following construction, consider the following simpler schemes aimed at producing secure signatures for sequences of $\ell'(n)$-bit long strings. The simplest idea is to just sign each of the strings in the sequence. That is, the signature to the sequence $(\alpha_1, \ldots, \alpha_t)$ is a sequence of $\beta_i$'s, each being a signature (w.r.t. the length-restricted scheme) to the corresponding $\alpha_i$. This will not do, since an adversary, given a single signature $(\beta_1, \beta_2)$ to the sequence $(\alpha_1, \alpha_2)$ with $\alpha_1 \neq \alpha_2$, can present $(\beta_2, \beta_1)$ as a signature to $(\alpha_2, \alpha_1)$. So how about signing the sequence $(\alpha_1, \ldots, \alpha_t)$ by applying the restricted scheme to each pair $(i, \alpha_i)$, so as to foil the above attack? This will not do either, since an adversary, given a signature to the sequence $(\alpha_1, \alpha_2, \alpha_3)$, can easily present a signature to the sequence $(\alpha_1, \alpha_2)$. So we need to include in each $\ell(n)$-bit string also the total number of $\alpha_i$'s in the sequence. But even this is not enough, since an adversary given signatures to the sequences $(\alpha_1, \alpha_2)$ and $(\alpha'_1, \alpha'_2)$, with $\alpha_1 \neq \alpha'_1$ and $\alpha_2 \neq \alpha'_2$, can easily generate a signature to $(\alpha_1, \alpha'_2)$. Thus, we have to prevent the forming of new sequences of basic signatures by combination of elements from different signature sequences. This can be done by associating (say, at random) an identifier with each sequence and incorporating this identifier in each $\ell(n)$-bit string to which the restricted scheme is applied. This yields the following signature scheme:

Construction 6.2.3 (signing augmented blocks): Let $\ell$ and $(G, S, V)$ be as in Theorem 6.2.2. We construct a general signature scheme, $(G', S', V')$, with $G' = G$, by considering documents as sequences of strings. We construct $S'$ and $V'$ as follows, using $G' = G$ and $\ell'(n) = \ell(n)/4$.
6.2. LENGTH-RESTRICTED SIGNATURE SCHEME 489

signing with $S'$: On input a signing-key $s \in G'_1(1^n)$ and a document $\alpha \in \{0,1\}^*$, algorithm $S'$ first parses $\alpha$ into $\alpha_1, \ldots, \alpha_t$ so that $\alpha$ is uniquely reconstructed from the $\alpha_i$'s and each $\alpha_i$ is an $\ell'(n)$-bit long string.[4] Next, $S'$ uniformly selects $r \in \{0,1\}^{\ell'(n)}$. For $i = 1, \ldots, t$, algorithm $S'$ computes $\sigma_i \leftarrow S_s(r, t, i, \alpha_i)$, where $i$ and $t$ are represented as $\ell'(n)$-bit long strings. That is, $\sigma_i$ is a signature to the statement "$\alpha_i$ is the $i$th block, out of $t$ blocks, in a sequence associated with identifier $r$". Finally, $S'$ outputs as signature the sequence $(r, t, \sigma_1, \ldots, \sigma_t)$.

verification with $V'$: On input a verifying-key $v \in G'_2(1^n)$, a document $\alpha \in \{0,1\}^*$, and a sequence $(r, t, \sigma_1, \ldots, \sigma_t)$, algorithm $V'$ first parses $\alpha$ into $\alpha_1, \ldots, \alpha_{t'}$, using the same parsing rule as $S'$. Algorithm $V'$ accepts if and only if the following two conditions hold:

1. $t' = t$, where $t'$ is obtained in the parsing of $\alpha$ and $t$ is part of the alleged signature.

2. For $i = 1, \ldots, t$, it holds that $V_v((r, t, i, \alpha_i), \sigma_i) = 1$, where $\alpha_i$ is obtained in the parsing of $\alpha$ and the rest are as in the corresponding parts of the alleged signature.

Clearly, the triplet $(G', S', V')$ satisfies Definition 6.1.1. We need to show that it also inherits the security of $(G, S, V)$. That is,

Proposition 6.2.4 Suppose that $(G, S, V)$ is an $\ell$-restricted signature scheme that is secure in the private-key (resp., public-key) model. Then $(G', S', V')$, as defined in Construction 6.2.3, is a full-fledged signature scheme that is secure in the private-key (resp., public-key) model.

Theorem 6.2.2 follows immediately from Proposition 6.2.4.

Proof: The proof is by a reducibility argument, and holds for both the private-key and the public-key models. Given an adversary $A'$ attacking the complex scheme $(G', S', V')$, we construct an adversary $A$ that attacks the $\ell$-restricted scheme, $(G, S, V)$.
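As an added worked example (this is not code from Goldreich's text), the Python below instantiates Construction 6.2.3 in the private-key model. The $\ell$-restricted scheme $(G, S, V)$ is stood in for by HMAC-SHA256 accepted only on inputs of exactly $\ell = 64$ bytes, so $\ell' = \ell/4$ is 16 bytes; the parsing rule is footnote 4's $\alpha 1 0^j$ padding applied bytewise (a 0x80 byte followed by zero bytes); the identifier $r$ is 16 random bytes; and $t$ and $i$ are 16-byte big-endian counters. All of these choices, the function names and the constructed sample blocks A, B, C, D are the example's own. The code also keeps the "simplest idea" from the motivation (sign each block on its own) so that the reordering attack can actually be run against it, and then checks that the augmented scheme rejects the reordering, truncation and splicing attacks described above.

```python
# Added example: Construction 6.2.3 (signing augmented blocks) in the private-key model.
# Stand-in for the ell-restricted scheme (G, S, V): HMAC-SHA256 on exactly ELL-byte inputs.
import hashlib
import hmac
import secrets

ELL = 64                 # bytes; S_s is defined only on ELL-byte strings
ELL_PRIME = ELL // 4     # 16-byte fields: identifier r, count t, index i, block alpha_i


def restricted_sign(s: bytes, m: bytes) -> bytes:
    """S_s of the ell-restricted scheme; any other input length is outside the scheme."""
    if len(m) != ELL:
        raise ValueError("ell-restricted scheme: document must be exactly ELL bytes")
    return hmac.new(s, m, hashlib.sha256).digest()


def restricted_verify(s: bytes, m: bytes, sigma: bytes) -> bool:
    """V_v; in the private-key model the verification key is the signing key."""
    return len(m) == ELL and hmac.compare_digest(restricted_sign(s, m), sigma)


def parse(alpha: bytes) -> list:
    """Footnote 4's rule, bytewise: alpha_1...alpha_t = alpha || 0x80 || 0x00^j, j < ELL_PRIME."""
    padded = alpha + b"\x80" + b"\x00" * ((-len(alpha) - 1) % ELL_PRIME)
    return [padded[k:k + ELL_PRIME] for k in range(0, len(padded), ELL_PRIME)]


def augmented(r: bytes, t: int, i: int, block: bytes) -> bytes:
    """The ELL-byte string (r, t, i, alpha_i) that the restricted scheme actually signs."""
    return r + t.to_bytes(ELL_PRIME, "big") + i.to_bytes(ELL_PRIME, "big") + block


def sign(s: bytes, alpha: bytes):
    """S'_s: fresh identifier r, then sigma_i = S_s(r, t, i, alpha_i) for each block."""
    blocks = parse(alpha)
    r, t = secrets.token_bytes(ELL_PRIME), len(blocks)
    sigmas = [restricted_sign(s, augmented(r, t, i, b)) for i, b in enumerate(blocks, 1)]
    return (r, t, sigmas)


def verify(s: bytes, alpha: bytes, signature) -> bool:
    """V'_v: condition 1 (t matches the parsing) and condition 2 (every block verifies)."""
    r, t, sigmas = signature
    blocks = parse(alpha)
    if t != len(blocks) or len(sigmas) != t:
        return False
    return all(restricted_verify(s, augmented(r, t, i, b), sg)
               for i, (b, sg) in enumerate(zip(blocks, sigmas), 1))


def naive_sign(s: bytes, alpha: bytes) -> list:
    """The 'simplest idea' from the text: sign each block on its own (zero-padded to ELL)."""
    return [restricted_sign(s, b + bytes(ELL - ELL_PRIME)) for b in parse(alpha)]


def naive_verify(s: bytes, alpha: bytes, sigmas: list) -> bool:
    blocks = parse(alpha)
    return len(sigmas) == len(blocks) and all(
        restricted_verify(s, b + bytes(ELL - ELL_PRIME), sg) for b, sg in zip(blocks, sigmas))


def attacks() -> dict:
    """Run the attacks from the motivation on constructed sample blocks A, B, C, D."""
    s = secrets.token_bytes(32)
    A, B, C, D = (bytes([c]) * ELL_PRIME for c in b"ABCD")
    # Naive scheme: the signature on (A, B, pad), reordered, is a valid signature on (B, A, pad).
    n = naive_sign(s, A + B)
    naive_forgery = naive_verify(s, B + A, [n[1], n[0], n[2]])
    # Augmented scheme: obtain signatures on A||B and C||D, then try the three attacks.
    r1, t1, s1 = sign(s, A + B)
    r2, t2, s2 = sign(s, C + D)
    return {
        "naive_forgery": naive_forgery,
        "honest": verify(s, A + B, (r1, t1, s1)),
        "reorder": verify(s, B + A, (r1, t1, [s1[1], s1[0], s1[2]])),   # index i differs
        "truncate": verify(s, A, (r1, 2, s1[:2])),                      # count t differs
        "splice": verify(s, A + D, (r1, t1, [s1[0], s2[1], s1[2]])),    # identifier r differs
    }
```

Each rejected attack fails at a different field of the augmented block, which is exactly why the construction signs $(r, t, i, \alpha_i)$ rather than $\alpha_i$ alone: the index $i$ defeats reordering, the count $t$ defeats truncation, and the per-signature identifier $r$ defeats splicing blocks taken from two different signatures.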
In particular, $A$ invokes $A'$ with input identical to its own input (which is the security parameter or the verification-key, depending on the model), and uses its own oracle in order to emulate the oracle $S'_s$ for $A'$. This can be done in a straightforward manner; that is, algorithm $A$ will act as $S'_s$ does by using the oracle $S_s$. Specifically, $A$ parses each query $\alpha'$ of $A'$ into a corresponding sequence $(\alpha'_1, \ldots, \alpha'_{t'})$, uniformly selects an identifier $r'$, and obtains $S_s$-signatures to $(r', t', j, \alpha'_j)$, for $j = 1, \ldots, t'$. When $A'$ outputs a document-signature pair relative to the complex scheme $(G', S', V')$, algorithm $A$ tries to use this pair in order to form a document-signature pair relative to the $\ell$-restricted scheme, $(G, S, V)$.

Footnote 4: For example, we may require that $\alpha_1 \cdots \alpha_t = \alpha 1 0^j$ and $j < \ell'(n)$.

We stress that from the point of view of adversary $A'$, the distribution of keys and oracle answers that $A$ provides it with is exactly as in a real attack on $(G', S', V')$. This is a crucial point, since we use the fact that events that occur in a real attack of $A'$ on $(G', S', V')$ occur with the same probability in the emulation of $(G', S', V')$ by $A$.

Assume that with (non-negligible) probability $\varepsilon'(n)$, the (probabilistic polynomial-time) algorithm $A'$ succeeds in existentially forging relative to the complex scheme $(G', S', V')$. We consider the following cases regarding the forging event:

1. The identifier supplied in the forged signature is different from the random identifiers supplied (by $A$) as part of the signatures given to $A'$. In this case, each $\ell$-restricted signature supplied as part of the forged (complex) signature yields an existential forgery relative to the $\ell$-restricted scheme.

Formally, let $\alpha^{(1)}, \ldots, \alpha^{(m)}$ be the sequence of queries made by $A'$, and let $(r^{(1)}, t^{(1)}, \bar\sigma^{(1)}), \ldots, (r^{(m)}, t^{(m)}, \bar\sigma^{(m)})$ be the corresponding (complex) signatures supplied to $A'$ by $A$ (using $S_s$ to form the $\bar\sigma^{(i)}$'s). Let $(\alpha, (r, t, \sigma_1, \ldots, \sigma_t))$ be the output of $A'$, and suppose that applying $V'_v$ to it yields 1 (i.e., it is a valid document-signature pair for the complex scheme). It follows that each $\bar\sigma^{(i)}$ consists of a sequence of $S_s$-signatures to $\ell(n)$-bit strings starting with $r^{(i)} \in \{0,1\}^{\ell(n)/4}$, and that the oracle $S_s$ was invoked (by $A$) only on strings of this form. The case hypothesis states that $r \neq r^{(i)}$ for all $i$'s. It follows that each of the $\sigma_j$'s is an $S_s$-signature to a string starting with $r \in \{0,1\}^{\ell(n)/4}$, and thus different from all queries made to the oracle $S_s$. Thus, each pair $((r, t, i, \alpha_i), \sigma_i)$ is a valid document-signature pair (since $V'_v(\alpha, (r, t, \sigma_1, \ldots, \sigma_t)) = 1$ implies $V_v((r, t, i, \alpha_i), \sigma_i) = 1$), with a document different from all queries made to $S_s$. This yields a successful forgery with respect to the $\ell$-restricted scheme.

2. The identifier supplied in the forged signature equals the random identifier supplied (by $A$) as part of exactly one of the signatures given to $A'$. Formally, let $\alpha^{(1)}, \ldots, \alpha^{(m)}$ be the sequence of queries made by $A'$, and let $(r^{(1)}, t^{(1)}, \bar\sigma^{(1)}), \ldots, (r^{(m)}, t^{(m)}, \bar\sigma^{(m)})$ be the corresponding (complex) signatures supplied to $A'$ by $A$ (using $S_s$ to form the $\bar\sigma^{(i)}$'s). Let $(\alpha, (r, t, \sigma_1, \ldots, \sigma_t))$ be the output of $A'$, and suppose that applying $V'_v$ to it yields 1 (i.e., it is a valid document-signature pair for the complex scheme). The hypothesis of the current case is that there exists a unique $i$ so that $r = r^{(i)}$. We consider two subcases regarding the relation between $t$ and $t^{(i)}$:

$t \neq t^{(i)}$. In this subcase, each $\ell$-restricted signature supplied as part of the forged (complex) signature yields an existential forgery relative to the $\ell$-restricted scheme. The argument is analogous to the one employed in the previous case. Specifically, here each of the $\sigma_j$'s is an $S_s$-signature to a string starting with $(r, t)$, and thus different from all queries made to the oracle $S_s$ (since these queries either start with $r^{(i')} \neq r$ or start with $(r^{(i)}, t^{(i)}) \neq (r, t)$). Thus, each pair $((r, t, j, \alpha_j), \sigma_j)$ is a valid document-signature pair with a document different from all queries made to $S_s$.

$t = t^{(i)}$. In this case we use the hypothesis $\alpha \neq \alpha^{(i)}$, which implies that there exists a $j$ so that $\alpha_j \neq \alpha^{(i)}_j$, where $\alpha^{(i)}_j$ is the $j$th block in the parsing of $\alpha^{(i)}$. In this subcase, $\sigma_j$ (supplied as part of the forged complex signature) yields an existential forgery relative to the $\ell$-restricted scheme. Specifically, we have $V_v((r, t, j, \alpha_j), \sigma_j) = 1$, and $(r, t, j, \alpha_j)$ is different from each query $(r^{(i')}, t^{(i')}, j', \alpha^{(i')}_{j'})$ made by $A$ to $S_s$.

Justification for $(r, t, j, \alpha_j) \neq (r^{(i')}, t^{(i')}, j', \alpha^{(i')}_{j'})$: If $i' \neq i$ then (by the case hypothesis regarding the uniqueness of $i$ s.t. $r^{(i)} = r$) it holds that $r^{(i')} \neq r$. Otherwise (i.e., $i' = i$) either $j' \neq j$ or $\alpha^{(i')}_{j'} = \alpha^{(i)}_j \neq \alpha_j$.

Thus, $((r, t, j, \alpha_j), \sigma_j)$ is a valid document-signature pair with a document different from all queries made to $S_s$.

3. The identifier supplied in the forged signature equals the random identifiers supplied (by $A$) as part of at least two signatures given to $A'$. In particular, it follows that two signatures given to $A'$ use the same random identifier. The probability that this event occurs is at most
$$\binom{m}{2} \cdot 2^{-\ell'(n)} < m^2 \cdot 2^{-\ell(n)/4}$$
However, $m = \mathrm{poly}(n)$ (since $A'$ runs in polynomial-time), and $2^{-\ell(n)/4}$ is negligible (since $\ell$ is super-logarithmic). So this case occurs with negligible probability, and may be ignored.

Note that $A$ can easily determine which of the cases occurs and act accordingly.[5] Thus, assuming that $A'$ forges relative to the complex scheme with non-negligible probability $\varepsilon'(n)$, it follows that $A$ forges relative to the length-restricted scheme with non-negligible probability $\varepsilon(n) \geq \varepsilon'(n) - \mathrm{poly}(n) \cdot 2^{-\ell(n)/4}$, in contradiction to the proposition's hypothesis.

Comment: We call the reader's attention to the essential role of the hypothesis that $\ell$ is super-logarithmic in the proof of Proposition 6.2.4.
Indeed, Construction 6.2.3 is insecure in case $\ell(n) = O(\log n)$. The reason is that, by asking for polynomially many signatures, the adversary may obtain two $S'_s$-signatures that use the same (random) identifier. Furthermore, with some care, these signatures yield an existential forgery (see Exercise 6).

Footnote 5: This observation only saves us a polynomial factor in the forging probability. That is, if $A$ did not know which part of the forged complex signature to use in its own forgery, it could have selected one at random (and be correct with probability $1/\mathrm{poly}(n)$, because there are only $\mathrm{poly}(n)$-many possibilities).

6.2.2.2 Signing a hash value

In this subsection we present an alternative method for constructing general signature schemes out of length-restricted ones. Loosely speaking, the method consists of hashing the document into a short (fixed-length) string (via an adequate hashing scheme), and applying the length-restricted signature scheme to the resulting hash-value. This two-stage process is referred to as the hash and sign paradigm.

Let $\ell$ and $(G, S, V)$ be as in Theorem 6.2.2. The second method of constructing a general signature scheme out of $(G, S, V)$ is based on the hash then sign paradigm. That is, first the document is hashed to an $\ell(n)$-bit long value, and then the $\ell$-restricted scheme is applied to the hashed value. Thus, in addition to an $\ell$-restricted scheme, this method employs an adequate hashing scheme. In particular, one way of implementing this method is based on "collision-free hashing" (defined next). An alternative implementation, based on "universal one-way hashing", is deferred to Section 6.4.3.

Collision-free hashing functions. Loosely speaking, a collision-free hashing scheme consists of a collection of functions $\{h_s : \{0,1\}^* \to \{0,1\}^{|s|}\}_{s \in \{0,1\}^*}$ so that given $s$ and $x$ it is easy to compute $h_s(x)$, but given a random $s$ it is hard to find $x \neq x'$ such that $h_s(x) = h_s(x')$.
Definition 6.2.5 (collision-free hashing functions): Let $\ell : \mathbb{N} \to \mathbb{N}$. A collection of functions $\{h_s : \{0,1\}^* \to \{0,1\}^{\ell(|s|)}\}_{s \in \{0,1\}^*}$ is called collision-free hashing if there exists a probabilistic polynomial-time algorithm $I$ so that the following holds:

1. (admissible indexing, technical):[6] For some polynomial $p$, all sufficiently large $n$'s and every $s$ in the range of $I(1^n)$ it holds that $n \leq p(|s|)$. Furthermore, $n$ can be computed in polynomial-time from $s$.

2. (efficient evaluation): There exists a polynomial-time algorithm that, given $s$ and $x$, returns $h_s(x)$.

3. (hard to form collisions): We say that the pair $(x, x')$ forms a collision under the function $h$ if $h(x) = h(x')$ but $x \neq x'$. We require that every probabilistic polynomial-time algorithm, given $I(1^n)$ as input, outputs a collision under $h_{I(1^n)}$ with negligible probability. That is, for every probabilistic polynomial-time algorithm $A$, every polynomial $p$ and all sufficiently large $n$'s,
$$\Pr\left[A(I(1^n)) \text{ is a collision under } h_{I(1^n)}\right] < \frac{1}{p(n)}$$
where the probability is taken over the internal coin tosses of algorithms $I$ and $A$.

The function $\ell$ is called the range specifier of the collection.

Footnote 6: This condition is made merely to avoid annoying technicalities. In particular, it allows the collision-forming adversary to run for $\mathrm{poly}(n)$-time (since by this condition $\mathrm{poly}(n) = \mathrm{poly}(|s|)$), as well as allowing $n$ to be determined from $s$. Note that $|s| = \mathrm{poly}(n)$ holds by definition of $I$.

Note that the range specifier must be super-logarithmic (or else one may easily find a collision by selecting $2^{\ell(n)} + 1$ different preimages and computing their image under the function). In Section 6.2.3, we show how to construct collision-free hashing functions using claw-free collections. But first, we show how to use the former in order to convert a length-restricted signature scheme into a full-fledged one.

Construction 6.2.6 (hash and sign): Let $\ell$ and $(G, S, V)$ be as in Theorem 6.2.2, and let $\{h_r : \{0,1\}^* \to \{0,1\}^{\ell(|r|)}\}_{r \in \{0,1\}^*}$ be as in Definition 6.2.5. We construct a general signature scheme, $(G', S', V')$, as follows:

key-generation with $G'$: On input $1^n$, algorithm $G'$ first invokes $G$ to obtain $(s, v) \leftarrow G(1^n)$. Next it invokes $I$, the indexing algorithm of the collision-free hashing collection, to obtain $r \leftarrow I(1^n)$. Finally, $G'$ outputs the pair $((r, s), (r, v))$, where $(r, s)$ serves as a signing-key and $(r, v)$ serves as a verification-key.

signing with $S'$: On input a signing-key $(r, s) \in G'_1(1^n)$ and a document $\alpha \in \{0,1\}^*$, algorithm $S'$ invokes $S$ once to produce and output $S_s(h_r(\alpha))$.

verification with $V'$: On input a verifying-key $(r, v) \in G'_2(1^n)$, a document $\alpha \in \{0,1\}^*$, and an alleged signature $\beta$, algorithm $V'$ invokes $V$, and outputs $V_v(h_r(\alpha), \beta)$.

Proposition 6.2.7 Suppose that $(G, S, V)$ is an $\ell$-restricted signature scheme that is secure in the private-key (resp., public-key) model. Suppose that $\{h_r : \{0,1\}^* \to \{0,1\}^{\ell(|r|)}\}_{r \in \{0,1\}^*}$ is indeed a collision-free hashing collection. Then $(G', S', V')$, as defined in Construction 6.2.6, is a full-fledged signature scheme that is secure in the private-key (resp., public-key) model.

Proof: Intuitively, the security of $(G', S', V')$ follows from the security of $(G, S, V)$ and the collision-freeness property of the collection $\{h_r\}$. Specifically, forgery relative to $(G', S', V')$ can be obtained either by a forged $S$-signature to a hash-value different from all hash-values that appeared in the attack, or by forming a collision under the hash function. That is, the actual proof is by a reducibility argument. Given an adversary $A'$ attacking the complex scheme $(G', S', V')$, we construct an adversary $A$ that attacks the $\ell$-restricted scheme, $(G, S, V)$, as well as an algorithm $B$ forming collisions under the hashing collection $\{h_r\}$. Both $A$ and $B$ will have running-time related to that of $A'$. We show that if $A'$ is successful with non-negligible probability then the same holds for either $A$ or $B$.
Thus, in either case, we reach a contradiction.

We start with the description of algorithm $A$, which is designed to attack the $\ell$-restricted scheme $(G, S, V)$. We stress that almost the same description applies both in the private-key and the public-key case. On input $x$, which equals the security parameter $1^n$ in the private-key case and a verification-key $v$ otherwise (i.e., in the public-key case), the adversary $A$ operates as follows. First $A$ uses $I$ (the indexing algorithm of the collision-free hashing collection) to obtain $r \leftarrow I(1^n)$, exactly as done in the second step of $G'$. Next, $A$ invokes $A'$ (on input $1^n$ or $(r, v)$, depending on the case), and uses $r$ as well as its own oracle $S_s$ in order to emulate the oracle $S'_{r,s}$ for $A'$. The emulation is done in a straightforward manner; that is, algorithm $A$ will act as $S'_{r,s}$ does by using the oracle $S_s$ (i.e., to answer query $q$, algorithm $A$ makes the query $h_r(q)$). When $A'$ outputs a document-signature pair relative to the complex scheme $(G', S', V')$, algorithm $A$ tries to use this pair in order to form a document-signature pair relative to the $\ell$-restricted scheme, $(G, S, V)$. That is, if $A'$ outputs the document-signature pair $(\alpha, \beta)$, then $A$ will output the document-signature pair $(h_r(\alpha), \beta)$.

We stress (again) that from the point of view of adversary $A'$, the distribution of keys and oracle answers that $A$ provides it with is exactly as in a real attack of $A'$ on $(G', S', V')$. This is a crucial point, since we use the fact that events that occur in a real attack of $A'$ on $(G', S', V')$ occur with the same probability in the emulation of $(G', S', V')$ by $A$.

Assume that with (non-negligible) probability $\varepsilon'(n)$, the (probabilistic polynomial-time) algorithm $A'$ succeeds in existentially forging relative to the complex scheme $(G', S', V')$. We consider the following two cases regarding the forging event, letting $(\alpha^{(i)}, \beta^{(i)})$ denote the $i$th query and answer pair made by $A'$, and $(\alpha, \beta)$ denote the forged document-signature pair that $A'$ outputs (in case of success):

Case 1: $h_r(\alpha) \neq h_r(\alpha^{(i)})$ for all $i$'s. (That is, the hash value used in the forged signature is different from all hash values used in the queries to $S_s$.) In this case, the pair $(h_r(\alpha), \beta)$ constitutes a success in existential forgery relative to the $\ell$-restricted scheme.

Case 2: $h_r(\alpha) = h_r(\alpha^{(i)})$ for some $i$. (That is, the hash value used in the forged signature equals the hash value used in the $i$th query to $S_s$, although $\alpha \neq \alpha^{(i)}$.) In this case, the pair $(\alpha, \alpha^{(i)})$ forms a collision under $h_r$ (and we do not obtain success in existential forgery relative to the $\ell$-restricted scheme).

Thus, if Case 1 occurs with probability at least $\varepsilon'(n)/2$, then $A$ succeeds in its attack on $(G, S, V)$ with probability at least $\varepsilon'(n)/2$, which contradicts the security of the $\ell$-restricted scheme $(G, S, V)$. On the other hand, if Case 2 occurs with probability at least $\varepsilon'(n)/2$, then we derive a contradiction to the collision-freeness of the hashing collection $\{h_r : \{0,1\}^* \to \{0,1\}^{\ell(|r|)}\}_{r \in \{0,1\}^*}$. Details (regarding the second case) follow.

We construct an algorithm, denoted $B$, that given $r \leftarrow I(1^n)$ attempts to form collisions under $h_r$ as follows. On input $r$, algorithm $B$ generates $(s, v) \leftarrow G(1^n)$, and emulates the attack of $A$ on this instance of the $\ell$-restricted scheme, with the exception that $B$ does not invoke algorithm $I$ to obtain an index of a hash function but rather uses the index $r$ (given to it as input). Recall that $A$, in turn, emulates an attack of $A'$ on the signing oracle $S'_{r,s}$, and that $A$ answers the query $q'$ made by $A'$ by forwarding the query $q = h_r(q')$ to $S_s$. Thus, $B$ actually emulates the attack of $A'$ (on the signing oracle $S'_{r,s}$), and does so in a straightforward manner; that is, to answer query $q'$ made by $A'$, algorithm $B$ first obtains $q = h_r(q')$ (using its knowledge of $r$) and then answers with $S_s(q)$ (using its knowledge of $s$). Finally, when $A'$ outputs a forged document-signature pair, algorithm $B$ checks whether Case 2 occurs (i.e., whether $h_r(\alpha) = h_r(\alpha^{(i)})$ holds for some $i$), in which case it obtains (and outputs) a collision under $h_r$. (Note that in the public-key case $B$ invokes $A'$ on input $(r, v)$, whereas in the private-key case $B$ invokes $A'$ on input $1^n$. Thus, in the private-key case, $B$ actually does not use $r$ itself but rather oracle access to $h_r$.)

We stress that from the point of view of the emulated adversary $A$, the execution is distributed exactly as in its attack on $(G, S, V)$. Thus, since the second case above occurs with probability at least $\varepsilon'(n)/2$ in a real attack, it follows that $B$ succeeds in forming a collision under $h_{I(1^n)}$ with probability at least $\varepsilon'(n)/2$. This contradicts the collision-freeness of the hashing functions, and the proposition follows.

Comment: For the private-key case, the proof of Proposition 6.2.7 actually establishes a stronger claim than stated. The proof holds even for a weaker definition of collision-free hashing in which the adversary is not given a description of the hashing function, but can rather obtain its values at any preimage of its choice. This observation is further pursued in Section 6.3.1.3.

On using the hash and sign paradigm in practice. The hash-and-sign paradigm, underlying Construction 6.2.6, is often used in practice. Specifically, a document is signed using a two-stage process: first the document is hashed into a (relatively) short bit string, and next a basic signature scheme is applied to the resulting string.
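As an added illustration of what goes wrong when the hashing scheme is not collision-free (example code, not from the text), the Python below instantiates Construction 6.2.6 with HMAC-SHA256 on $\ell$-byte inputs as the $\ell$-restricted scheme and $h_r(x) = \mathrm{SHA\text{-}256}(r \| x)$ truncated to $\ell$ bytes as the hash family, and then runs the adversary of Case 2 in the proof of Proposition 6.2.7: it searches for a collision under $h_r$, asks the signing oracle for one signature, and reuses that signature on the colliding document. With $\ell = 2$ bytes (a range specifier that is nowhere near super-logarithmic) the birthday search finds a collision immediately and the forgery verifies; with $\ell = 32$ bytes the same search, under the same budget, finds nothing. The adversary is handed $r$, as it would be in the public-key model where $(r, v)$ is public; the function names, the constructed candidate documents and the search budget are the example's own.

```python
# Added example: Construction 6.2.6 (hash and sign) and the Case-2 adversary of Proposition 6.2.7.
import hashlib
import hmac
import secrets


def restricted_sign(s: bytes, m: bytes, ell: int) -> bytes:
    """S_s of an ell-restricted scheme (HMAC-SHA256 stand-in); only ell-byte inputs are allowed."""
    if len(m) != ell:
        raise ValueError("ell-restricted scheme: document must be exactly ell bytes")
    return hmac.new(s, m, hashlib.sha256).digest()


def restricted_verify(s: bytes, m: bytes, beta: bytes, ell: int) -> bool:
    return len(m) == ell and hmac.compare_digest(restricted_sign(s, m, ell), beta)


def h(r: bytes, x: bytes, ell: int) -> bytes:
    """Hash family h_r: {0,1}* -> {0,1}^ell (in bytes); ell is the range specifier."""
    return hashlib.sha256(r + x).digest()[:ell]


def keygen():
    """G': r <- I(1^n) (here 16 random bytes) and (s, v) <- G(1^n) (here a single MAC key)."""
    return secrets.token_bytes(16), secrets.token_bytes(32)


def sign(key, alpha: bytes, ell: int) -> bytes:
    """S'_{(r,s)}(alpha) = S_s(h_r(alpha))."""
    r, s = key
    return restricted_sign(s, h(r, alpha, ell), ell)


def verify(key, alpha: bytes, beta: bytes, ell: int) -> bool:
    """V'_{(r,v)}(alpha, beta) = V_v(h_r(alpha), beta)."""
    r, s = key
    return restricted_verify(s, h(r, alpha, ell), beta, ell)


def find_collision(r: bytes, ell: int, budget: int):
    """Birthday search over constructed candidate documents; None once the budget is spent."""
    seen = {}
    for i in range(budget):
        x = b"pay 10 to account %d" % i
        y = h(r, x, ell)
        if y in seen:
            return seen[y], x
        seen[y] = x
    return None


def case2_adversary(r: bytes, ell: int, oracle, budget: int):
    """A': find alpha != alpha' with h_r(alpha) = h_r(alpha'), query alpha, output (alpha', beta)."""
    pair = find_collision(r, ell, budget)
    if pair is None:
        return None
    alpha, alpha_prime = pair
    return alpha_prime, oracle(alpha)


def experiment(ell: int, budget: int):
    """True if the adversary outputs an existential forgery, None if it gave up."""
    key = keygen()
    queried = []

    def oracle(alpha):                  # the signing oracle S'_{(r,s)}, recording its queries
        queried.append(alpha)
        return sign(key, alpha, ell)

    out = case2_adversary(key[0], ell, oracle, budget)
    if out is None:
        return None
    alpha_prime, beta = out
    return alpha_prime not in queried and verify(key, alpha_prime, beta, ell)
```

The restricted scheme is never broken in this experiment: the forged pair $(\alpha', \beta)$ is accepted because $h_r(\alpha') = h_r(\alpha)$, which is exactly the event that the proof charges to algorithm $B$ rather than to $A$. Budgets of 70000 and 20000 evaluations are used for the two runs; the first exceeds the $2^{16} + 1$ preimages that guarantee a collision for a 2-byte range, while for a 32-byte range a collision inside the second budget would itself be a break of truncated SHA-256.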
We stress that this process yields a secure signature scheme only if the hashing scheme is collision-free (as defined above). In Section 6.2.3, we present one way of constructing collision-free hashing functions. Alternatively, one may indeed postulate that certain off-the-shelf products (such as MD5 or SHA) are collision-free, but such assumptions need to be seriously examined (and indeed may turn out false; since this draft was written, practical collisions have been published for both MD5 and SHA-1, so neither can be used in this role). We stress that using a hashing scheme in the above two-stage process without seriously evaluating whether or not it is collision-free is a very dangerous practice.

6.2.3 * Constructing collision-free hashing functions

In view of the relevance of collision-free hashing to signature schemes, we now take a small detour from the main topic and consider the construction of collision-free hashing. We show how to construct collision-free hashing functions using a claw-free collection of permutations, and how restricted notions of collision-free hashing may be used to obtain full-fledged collision-free hashing.

6.2.3.1 A construction based on claw-free permutations

In this subsection we show how to construct collision-free hashing functions using a claw-free collection of permutations as defined in Section 2.4.5. Recall that such a collection consists of pairs of permutations, $(f^0_s, f^1_s)$, so that both $f^0_s$ and $f^1_s$ are permutations over a set $D_s$, and of a probabilistic polynomial-time index selection algorithm $I$, so that

1. The domain is easy to sample: there exists a probabilistic polynomial-time algorithm that, given $s$, outputs a string uniformly distributed over $D_s$.

2. The permutations are easy to evaluate: there exists a polynomial-time algorithm that, given $s$, $\sigma \in \{0,1\}$ and $x \in D_s$, outputs $f^\sigma_s(x)$.

3. Hard to form claws: every probabilistic polynomial-time algorithm, given $s \leftarrow I(1^n)$, outputs a pair $(x, y)$ so that $f^0_s(x) = f^1_s(y)$ with at most negligible probability. That is, a pair $(x, y)$ satisfying $f^0_s(x) = f^1_s(y)$ is called a claw for index $s$, and $C_s$ denotes the set of claws for index $s$. Then, it is required that for every probabilistic polynomial-time algorithm $A'$, every positive polynomial $p(\cdot)$, and all sufficiently large $n$'s
$$\Pr\left[A'(I(1^n)) \in C_{I(1^n)}\right] < \frac{1}{p(n)}$$

Note that since $f^0_s$ and $f^1_s$ are permutations over the same set, many claws do exist (i.e., $|C_s| = |D_s|$). However, the third item above postulates that for $s$ generated by $I(1^n)$ such claws are hard to find. We may assume, without loss of generality, that for some $\ell : \mathbb{N} \to \mathbb{N}$ and all $s$'s it holds that $D_s \subseteq \{0,1\}^{\ell(|s|)}$. Indeed, $\ell$ must be polynomially bounded. For simplicity we assume that $I(1^n) \in \{0,1\}^n$. Recall that such collections of permutation pairs can be constructed based on the standard DLP or factoring intractability assumptions (see Section 2.4.5).

Construction 6.2.8 (collision-free hashing based on claw-free permutation pairs): Given an index selecting algorithm $I$ for a collection of permutation pairs $\{(f^0_s, f^1_s)\}_s$ as above, we construct a collection of hashing functions $\{h_{(s,r)} : \{0,1\}^* \to \{0,1\}^{|r|}\}_{(s,r) \in \{0,1\}^* \times \{0,1\}^*}$ as follows:

index selection algorithm: On input $1^n$, we first invoke $I$ to obtain $s \leftarrow I(1^n)$, and next use the domain sampler to obtain a string $r$ that is uniformly distributed in $D_s$. We output the index $(s, r)$, defining a hashing function
$$h_{(s,r)}(x) \stackrel{\mathrm{def}}{=} f^{y_1}_s f^{y_2}_s \cdots f^{y_t}_s(r)$$
where $y_1 \cdots y_t$ is a prefix-free encoding of $x$; that is, for any $x \neq x'$ the coding of $x$ is not a prefix of the coding of $x'$. For example, code $x_1 x_2 \cdots x_m$ by $x_1 x_1 x_2 x_2 \cdots x_m x_m 01$.

evaluation algorithm: Given an index $(s, r)$ and a string $x$, we compute $h_{(s,r)}(x)$ in a straightforward manner. That is, first we compute the prefix-free encoding of $x$, denoted $y_1 \cdots y_t$. Next, we use the evaluation algorithm of the claw-free collection to compute $f^{y_1}_s f^{y_2}_s \cdots f^{y_t}_s(r)$, which is the desired output.
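The following Python example is added here (it is not part of the text) to make Construction 6.2.8 concrete on a toy claw-free pair and to carry the argument of Proposition 6.2.9 below one step further than the text does: from a collision it extracts a claw, and from the claw it recovers the factorization that the claw-freeness assumption rests on. The pair is the factoring-based one in the style of Goldwasser, Micali and Rivest: $f^0_s(x) = x^2 \bmod N$ and $f^1_s(x) = 4x^2 \bmod N$ over the quadratic residues $D_s = QR_N$, with $N = pq$, $p \equiv 3 \pmod 8$ and $q \equiv 7 \pmod 8$, so that both maps permute $QR_N$ and 2 has Jacobi symbol $-1$ modulo $N$. The modulus $N = 11 \cdot 23$ is deliberately tiny so that a collision can be found by brute force ($QR_N$ has 55 elements, so 62 inputs of length at most 5 must collide); the fixed $r = 4 = 2^2$ is the example's own choice, which the remark following the construction permits since any efficient sampler of $D_s$ will do. Nothing here is meant to be a usable hash function.

```python
# Added example: Construction 6.2.8 on a toy factoring-based claw-free pair, plus the
# collision -> claw -> factorization chain behind Proposition 6.2.9. Toy parameters only.
from math import gcd

P, Q = 11, 23           # p = 3 (mod 8), q = 7 (mod 8): N is a Blum integer and (2|N) = -1
N = P * Q               # the index s of the claw-free pair is N itself
R = 4                   # fixed r in D_s = QR_N (2^2); the construction samples r at random


def f(bit: int, x: int, n: int = N) -> int:
    """Claw-free pair over QR_N: f0(x) = x^2 mod N, f1(x) = 4 x^2 mod N (both permute QR_N)."""
    return (x * x) % n if bit == 0 else (4 * x * x) % n


def prefix_free_encode(x: str) -> str:
    """x1 x2 ... xm  ->  x1x1 x2x2 ... xmxm 01, the prefix-free code suggested in the text."""
    assert set(x) <= {"0", "1"}
    return "".join(c + c for c in x) + "01"


def apply_code(code: str, v: int) -> int:
    """f^{y1}(f^{y2}(... f^{yt}(v))) for code = y1...yt: the last code bit is applied first."""
    for c in reversed(code):
        v = f(int(c), v)
    return v


def hash_sr(x: str) -> int:
    """h_{(s,r)}(x) of Construction 6.2.8 with s = N and r = R."""
    return apply_code(prefix_free_encode(x), R)


def find_collision(max_len: int = 8):
    """Brute force over short inputs; QR_N has 55 elements, so a collision appears by length 5."""
    seen = {}
    for length in range(1, max_len + 1):
        for k in range(2 ** length):
            x = format(k, "0%db" % length)
            y = hash_sr(x)
            if y in seen:
                return seen[y], x
            seen[y] = x
    return None


def collision_to_claw(x: str, x_prime: str):
    """Algorithm A of the proof: split the two codes at their first differing bit (footnote 7)
    and return (w, w') with f0(w) = f1(w')."""
    c, c_prime = prefix_free_encode(x), prefix_free_encode(x_prime)
    i = next(k for k in range(min(len(c), len(c_prime))) if c[k] != c_prime[k])
    if c[i] == "1":                      # w.l.o.g. the code of x carries the 0 at position i
        c, c_prime = c_prime, c
    w = apply_code(c[i + 1:], R)          # f^{z_{i+1}} ... f^{z_t}(r)
    w_prime = apply_code(c_prime[i + 1:], R)
    assert f(0, w) == f(1, w_prime)       # Eq. (6.2): the shared prefix is injective on QR_N
    return w, w_prime


def claw_to_factor(w: int, w_prime: int, n: int = N) -> int:
    """w^2 = (2w')^2 mod N, but w != +-2w' because w is a square (Jacobi +1) while +-2w' has
    Jacobi symbol -1; hence gcd(w - 2w', N) is a nontrivial factor of N."""
    d = gcd((w - 2 * w_prime) % n, n)
    assert 1 < d < n
    return d
```

Running `find_collision`, then `collision_to_claw`, then `claw_to_factor` reproduces the whole reduction: whoever collides $h_{(s,r)}$ has factored $N$. The same three steps apply unchanged to a full-size Blum modulus; only `find_collision` stops being feasible, which is the content of the claw-freeness assumption.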
Actually, as will become evident from the proof of Proposition 6.2.9, we do not need an algorithm that, given an index $s$, generates a uniformly distributed element in $D_s$; any efficient algorithm that generates elements in $D_s$ (under any distribution) will do.

Proposition 6.2.9 Suppose that the collection of permutation pairs $\{(f^0_s, f^1_s)\}_s$ together with the index selecting algorithm $I$ constitute a claw-free collection. Then the function ensemble $\{h_{(s,r)} : \{0,1\}^* \to \{0,1\}^{|r|}\}_{(s,r) \in \{0,1\}^* \times \{0,1\}^*}$ as defined in Construction 6.2.8 constitutes a collision-free hashing with a range specifying function $\ell'$ satisfying $\ell'(n + \ell(n)) = \ell(n)$.

Proof: The proof is by a reducibility argument. Given an algorithm $A'$ that, on input $(s, r)$, forms a collision under $h_{(s,r)}$, we construct an algorithm $A$ that on input $s$ forms a claw for index $s$.

On input $s$ (supposedly generated by $I(1^n)$), algorithm $A$ selects $r$ uniformly in $D_s$, and invokes algorithm $A'$ on input $(s, r)$. Suppose that $A'$ outputs a pair $(x, x')$ so that $h_{(s,r)}(x) = h_{(s,r)}(x')$ but $x \neq x'$. Without loss of generality,[7] assume that the coding of $x$ equals $y_1 \cdots y_{i-1} 0 z_{i+1} \cdots z_t$, and that the coding of $x'$ equals $y_1 \cdots y_{i-1} 1 z'_{i+1} \cdots z'_{t'}$. By the definition of $h_{(s,r)}$, it follows that
$$f^{y_1}_s \cdots f^{y_{i-1}}_s f^0_s f^{z_{i+1}}_s \cdots f^{z_t}_s(r) = f^{y_1}_s \cdots f^{y_{i-1}}_s f^1_s f^{z'_{i+1}}_s \cdots f^{z'_{t'}}_s(r) \qquad (6.1)$$
Since each of the $f^\sigma_s$'s is 1-1, Eq. (6.1) implies that
$$f^0_s f^{z_{i+1}}_s \cdots f^{z_t}_s(r) = f^1_s f^{z'_{i+1}}_s \cdots f^{z'_{t'}}_s(r) \qquad (6.2)$$
Computing $w \stackrel{\mathrm{def}}{=} f^{z_{i+1}}_s \cdots f^{z_t}_s(r)$ and $w' \stackrel{\mathrm{def}}{=} f^{z'_{i+1}}_s \cdots f^{z'_{t'}}_s(r)$, algorithm $A$ obtains a pair $(w, w')$ so that $f^0_s(w) = f^1_s(w')$. Thus, algorithm $A$ forms claws for index $I(1^n)$ with probability that is bounded below by the probability that $A'$ forms a collision under $h_{I'(1^n)}$, where $I'$ is the index selection algorithm as defined in Construction 6.2.8. Using the hypothesis that the collection of pairs (together with $I$) is claw-free, the proposition follows.

Footnote 7: Let $C(x)$ (resp., $C(x')$) denote the prefix-free coding of $x$ (resp., $x'$). Then $C(x)$ is not a prefix of $C(x')$, and $C(x')$ is not a prefix of $C(x)$. It follows that $C(x) = uv$ and $C(x') = uv'$, where $v$ and $v'$ differ in their leftmost bit. Without loss of generality, we may assume that the leftmost bit of $v$ is 0, and the leftmost bit of $v'$ is 1.

6.2.3.2 Collision-free hashing via block-chaining

In this subsection we show how a restricted type of collision-free hashing (CFH) can be used to obtain full-fledged collision-free hashing (CFH). Specifically, we refer to the following restriction of Definition 6.2.5.

Definition 6.2.10 (length-restricted collision-free hashing functions): Let $\ell', \ell : \mathbb{N} \to \mathbb{N}$. A collection of functions $\{h_s : \{0,1\}^{\ell'(|s|)} \to \{0,1\}^{\ell(|s|)}\}_{s \in \{0,1\}^*}$ is called $\ell'$-restricted collision-free hashing if there exists a probabilistic polynomial-time algorithm $I$ such that the following holds:

1. (admissible indexing, technical): As in Definition 6.2.5.

2. (efficient evaluation): There exists a polynomial-time algorithm that, given $s$ and $x \in \{0,1\}^{\ell'(|s|)}$, returns $h_s(x)$.

3. (hard to form collisions): As in Definition 6.2.5, we say that the pair $(x, x')$ forms a collision under the function $h$ if $h(x) = h(x')$ but $x \neq x'$. We require that every probabilistic polynomial-time algorithm, given $I(1^n)$ as input, outputs a pair in $\{0,1\}^{\ell'(|s|)} \times \{0,1\}^{\ell'(|s|)}$ that forms a collision under $h_{I(1^n)}$ with negligible probability. That is, for every probabilistic polynomial-time algorithm $A$, every polynomial $p$ and all sufficiently large $n$'s,
$$\Pr\left[A(I(1^n)) \in \{0,1\}^{2\ell'(|I(1^n)|)} \text{ is a collision under } h_{I(1^n)}\right] < \frac{1}{p(n)}$$
where the probability is taken over the internal coin tosses of algorithms $I$ and $A$.

Indeed, we focus on the case $\ell'(n) = \mathrm{poly}(n)$, or else the hardness condition holds vacuously (since no polynomial-time algorithm can print a pair of strings of super-polynomial length). On the other hand, we only care about the case $\ell'(n) > \ell(n)$ (or else the functions may be 1-1). Finally, recall that $\ell$ must be super-logarithmic.

Construction 6.2.11 (from $2\ell$-restricted CFH to full-fledged CFH): Let $\{h'_s : \{0,1\}^{2\ell(|s|)} \to \{0,1\}^{\ell(|s|)}\}_{s \in \{0,1\}^*}$ be a collection of functions. Consider the collection $\{h_s : \{0,1\}^* \to \{0,1\}^{2\ell(|s|)}\}_{s \in \{0,1\}^*}$, where $h_s(x)$ is defined by the following process, which we call block chaining:

1. Break $x$ into $t \stackrel{\mathrm{def}}{=} \lceil |x|/\ell(|s|) \rceil$ consecutive blocks, while possibly padding the last block with 0's, such that each block has length $\ell(|s|)$. Denote these $\ell(|s|)$-bit long blocks by $x_1, \ldots, x_t$. That is, $x_1 \cdots x_t = x\, 0^{t\ell(|s|) - |x|}$. For the sake of uniformity, in case $|x| \leq \ell(|s|)$, we let $t = 2$ and $x_1 x_2 = x\, 0^{2\ell(|s|) - |x|}$. On the other hand, we may assume that $|x| < 2^{\ell(|s|)}$, and so $|x|$ can be represented by an $\ell(|s|)$-bit long string.[8]

2. Let $y_1 \stackrel{\mathrm{def}}{=} x_1$. For $i = 2, \ldots, t$, compute $y_i = h'_s(y_{i-1} x_i)$.

3. Set $h_s(x)$ to equal $(y_t, |x|)$.

Footnote 8: The adversary trying to form collisions with respect to $h_s$ runs in $\mathrm{poly}(|s|)$-time. Using $\ell(|s|) = \omega(\log |s|)$, it follows that such an adversary cannot output a string of length $2^{\ell(|s|)}$. (The same holds, of course, also for legitimate usage of the hashing function.)

An interesting property of Construction 6.2.11 is that it allows one to compute the hash-value of an input string while processing the input in an on-line fashion; that is, the implementation of the hashing process may process the input $x$ in a block-by-block manner, while storing only the current block and a small amount of state information (i.e., the current $y_i$ and the number of blocks encountered so far).
This property is important in applications in which one wishes to hash a long stream of input bits.

Proposition 6.2.12 Let $\{h'_s : \{0,1\}^{2\ell(|s|)} \to \{0,1\}^{\ell(|s|)}\}_{s \in \{0,1\}^*}$ and $\{h_s : \{0,1\}^* \to \{0,1\}^{2\ell(|s|)}\}_{s \in \{0,1\}^*}$ be as in Construction 6.2.11, and suppose that the former is a collection of $2\ell$-restricted collision-free hashing functions. Then the latter constitute a (full-fledged) collection of collision-free hashing functions.

Proof: Forming a collision under $h_s$ means finding $x \ne x'$ such that $h_s(x) = h_s(x')$. By the definition of $h_s$, this means that $(y_t, |x|) = h_s(x) = h_s(x') = (y'_{t'}, |x'|)$, where $t, t'$ and $y_t, y'_{t'}$ are determined by $h_s(x)$ and $h_s(x')$. In particular, it follows that $|x| = |x'|$ and so $t = t'$ (where, except when $|x| \le \ell(|s|)$, it holds that $t = \lceil |x|/\ell(|s|) \rceil = \lceil |x'|/\ell(|s|) \rceil = t'$). Recall that $y_t = y'_t$ and consider two cases:

Case 1: If $(y_{t-1}, x_t) \ne (y'_{t-1}, x'_t)$ then we obtain a collision under $h'_s$ (since $h'_s(y_{t-1} x_t) = y_t = y'_t = h'_s(y'_{t-1} x'_t)$), and derive a contradiction to its collision-free hypothesis.

Case 2: Otherwise $(y_{t-1}, x_t) = (y'_{t-1}, x'_t)$, and we consider the two corresponding cases with respect to the relation of $(y_{t-2}, x_{t-1})$ to $(y'_{t-2}, x'_{t-1})$. Eventually, since $x \ne x'$, we get to a situation in which $y_i = y'_i$ and $(y_{i-1}, x_i) \ne (y'_{i-1}, x'_i)$, which is handled as in the first case.

We now provide a formal implementation of the above intuitive argument. Suppose towards the contradiction that there exists a probabilistic polynomial-time algorithm $A$ that on input $s$ attempts to form a collision under $h_s$. Then, we construct an algorithm that will, with similar probability, succeed in forming a suitable (i.e., length-restricted) collision under $h'_s$. Algorithm $A'(s)$ operates as follows:

1. Invokes $A(s)$ and obtains $(x, x') \leftarrow A(s)$. If $h_s(x) \ne h_s(x')$ then $A$ failed, and $A'$ halts without output. In the sequel, we assume that $h_s(x) = h_s(x')$.

2. $A'(s)$ computes $t, x_1, \ldots, x_t$ and $y_1, \ldots, y_t$ (resp., $t', x'_1, \ldots, x'_{t'}$ and $y'_1, \ldots, y'_{t'}$) as in Construction 6.2.11. Note that (since $h_s(x) = h_s(x')$) it holds that $t = t'$ and $y_t = y'_t$. Next, $A'(s)$ determines $i \in \{2, \ldots, t\}$ such that $y_i = y'_i$ and $(y_{i-1}, x_i) \ne (y'_{i-1}, x'_i)$, and outputs the pair $(y_{i-1} x_i, \; y'_{i-1} x'_i)$.

As argued above and elaborated below, such an $i$ must exist, and the output forms a collision under $h'_s$ (because $h'_s(y_{i-1} x_i) = y_i = y'_i = h'_s(y'_{i-1} x'_i)$ and $y_{i-1} x_i \ne y'_{i-1} x'_i$).

Pending the existence of a suitable $i$, whenever $A(s)$ forms a collision under $h_s$, it holds that $A'(s)$ outputs a pair of $2\ell(|s|)$-bit long strings that form a collision under $h'_s$, and so the proposition follows. Thus, it is left to prove the existence of a suitable $i$ (i.e., an $i$ such that $y_i = y'_i$ and $(y_{i-1}, x_i) \ne (y'_{i-1}, x'_i)$).

On the existence of a suitable $i$: Starting with $j = t$ and decrementing $j$ at each step, we prove that either the current $j$ is suitable (i.e., $y_j = y'_j$ and $(y_{j-1}, x_j) \ne (y'_{j-1}, x'_j)$) or both $y_{j-1} = y'_{j-1}$ and $x_1 \cdots x_{j-1} \ne x'_1 \cdots x'_{j-1}$. This claim certainly holds for $j = t$, because $y_t = y'_t$ and $x_1 \cdots x_t = x\,0^{t\ell(|s|) - |x|} \ne x'\,0^{t\ell(|s|) - |x|} = x'_1 \cdots x'_t$ (which implies that either $(y_{t-1}, x_t) \ne (y'_{t-1}, x'_t)$ or both $y_{t-1} = y'_{t-1}$ and $x_1 \cdots x_{t-1} \ne x'_1 \cdots x'_{t-1}$). More generally, suppose that $y_j = y'_j$ and $x_1 \cdots x_j \ne x'_1 \cdots x'_j$; then either $j$ is suitable (i.e., $(y_{j-1}, x_j) \ne (y'_{j-1}, x'_j)$) or $(y_{j-1}, x_j) = (y'_{j-1}, x'_j)$, which implies that both $y_{j-1} = y'_{j-1}$ and $x_1 \cdots x_{j-1} \ne x'_1 \cdots x'_{j-1}$. It follows that some $i$ must be suitable (or else for $j = 1$ we have $x_1 \cdots x_{j-1} \ne x'_1 \cdots x'_{j-1}$, which is impossible).

The proposition follows.

6.2.3.3 Collision-free hashing via tree-hashing

Using $2\ell$-restricted collision-free hashing functions, we now present an alternative construction of (full-fledged) collision-free hashing functions.
The alternative construction will have the extra property of supporting verification of a bit in the input (with respect to the hash value) within complexity that is independent of the length of the input (see below).

Construction 6.2.13 (from $2\ell$-restricted CFH to full-fledged CFH; an alternative construction): Let $\{h'_s : \{0,1\}^{2\ell(|s|)} \to \{0,1\}^{\ell(|s|)}\}_{s \in \{0,1\}^*}$ be a collection of functions. Consider the collection $\{h_s : \{0,1\}^* \to \{0,1\}^{2\ell(|s|)}\}_{s \in \{0,1\}^*}$, where $h_s(x)$ is defined by the following process, called tree hashing:

1. Break $x$ into $t \stackrel{\mathrm{def}}{=} 2^{\lceil \log_2(|x|/\ell(|s|)) \rceil}$ consecutive blocks, while possibly adding dummy 0-blocks and padding the last block with 0's, such that each block has length $\ell(|s|)$. Denote these $\ell(|s|)$-bit long blocks by $x_1, \ldots, x_t$. That is, $x_1 \cdots x_t = x\,0^{t \cdot \ell(|s|) - |x|}$. Let $d = \log_2 t$, and note that $d$ is a positive integer. Again, for sake of uniformity, in case $|x| \le \ell(|s|)$, we let $t = 2$ and $x_1 x_2 = x\,0^{2\ell(|s|) - |x|}$. On the other hand, again, we assume that $|x| < 2^{\ell(|s|)}$, and so $|x|$ can be represented by an $\ell(|s|)$-bit long string.

2. For $i = 1, \ldots, t$, let $y_{d,i} \stackrel{\mathrm{def}}{=} x_i$.

3. For $j = d-1, \ldots, 1, 0$ and $i = 1, \ldots, 2^j$, compute $y_{j,i} = h'_s(y_{j+1,2i-1}\, y_{j+1,2i})$.

4. Set $h_s(x)$ to equal $(y_{0,1}, |x|)$.

That is, hashing is performed by placing the $\ell(|s|)$-bit long blocks of $x$ at the leaves of a binary tree of depth $d$, and computing the values of internal nodes by applying $h'_s$ to the values associated with the two children (of the node). The final hash-value consists of the value associated with the root (i.e., the only level-0 node) and the length of $x$.

Proposition 6.2.14 Let $\{h'_s : \{0,1\}^{2\ell(|s|)} \to \{0,1\}^{\ell(|s|)}\}_{s \in \{0,1\}^*}$ and $\{h_s : \{0,1\}^* \to \{0,1\}^{2\ell(|s|)}\}_{s \in \{0,1\}^*}$ be as in Construction 6.2.13, and suppose that the former is a collection of $2\ell$-restricted collision-free hashing functions. Then the latter constitute a (full-fledged) collection of collision-free hashing functions.

Proof Sketch: Forming a collision under $h_s$ means finding $x \ne x'$ such that $h_s(x) = h_s(x')$. By the definition of $h_s$, this means that $(y_{0,1}, |x|) = h_s(x) = h_s(x') = (y'_{0,1}, |x'|)$, where $(t, d, t', d')$, $y_{0,1}$ and $y'_{0,1}$ are determined by $h_s(x)$ and $h_s(x')$. In particular, it follows that $|x| = |x'|$ and so $d = d'$ (since $2^d = t = t' = 2^{d'}$). Recall that $y_{0,1} = y'_{0,1}$, and let us state this fact by saying that for $j = 0$ and for every $i \in \{1, \ldots, 2^j\}$ it holds that $y_{j,i} = y'_{j,i}$. Starting with $j = 0$, we consider two cases (for level $j+1$ in the tree):

Case 1: If for some $i \in \{1, \ldots, 2^{j+1}\}$ it holds that $y_{j+1,i} \ne y'_{j+1,i}$ then we obtain a collision under $h'_s$, and derive a contradiction to its collision-free hypothesis. Specifically, the collision is obtained because $z \stackrel{\mathrm{def}}{=} y_{j+1, 2\lceil i/2 \rceil - 1}\, y_{j+1, 2\lceil i/2 \rceil}$ is different from $z' \stackrel{\mathrm{def}}{=} y'_{j+1, 2\lceil i/2 \rceil - 1}\, y'_{j+1, 2\lceil i/2 \rceil}$, whereas $h'_s(z) = y_{j, \lceil i/2 \rceil} = y'_{j, \lceil i/2 \rceil} = h'_s(z')$.

Case 2: Otherwise for every $i \in \{1, \ldots, 2^{j+1}\}$ it holds that $y_{j+1,i} = y'_{j+1,i}$. In this case, we consider the next level. Eventually, since $x \ne x'$, we get to a situation in which for some $j \in \{1, \ldots, d-1\}$ and some $i \in \{1, \ldots, 2^{j+1}\}$ it holds that $z \stackrel{\mathrm{def}}{=} y_{j+1, 2\lceil i/2 \rceil - 1}\, y_{j+1, 2\lceil i/2 \rceil}$ is different from $z' \stackrel{\mathrm{def}}{=} y'_{j+1, 2\lceil i/2 \rceil - 1}\, y'_{j+1, 2\lceil i/2 \rceil}$, whereas $h'_s(z) = y_{j, \lceil i/2 \rceil} = y'_{j, \lceil i/2 \rceil} = h'_s(z')$. This situation is handled as in the first case.

The actual argument proceeds as in the proof of Proposition 6.2.12.

A local verification property. Construction 6.2.13 has the extra property of supporting efficient verification of bits in $x$ with respect to the hash value. That is, suppose that for a randomly selected $h_s$, one party holds $x$ and the other party holds $h_s(x)$. Then, for every $i$, the first party may provide a short (efficiently verifiable) certificate that $x_i$ is indeed the $i$-th block of $x$. The certificate consists of the sequence of pairs $(y_{d, 2\lceil i/2 \rceil - 1}, y_{d, 2\lceil i/2 \rceil}), \ldots, (y_{1, 2\lceil i/2^d \rceil - 1}, y_{1, 2\lceil i/2^d \rceil})$, where $d$ and the $y_{j,k}$'s are computed as in Construction 6.2.13 (and $(y_{0,1}, |x|) = h_s(x)$).
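Tree hashing (Construction 6.2.13) together with the block certificates just described, as an added Python example that is not part of the manuscript. As before, $h'_s$ is a constructed stand-in (truncated SHA-256 keyed by $s$) with $\ell(|s|)$ fixed at 128 bits; indices $i$ are 1-based as in the text, and the verifier's work is proportional to $d = \log_2 t$, not to $|x|$.

```python
import hashlib

L_BYTES = 16  # ell(|s|) = 128 bits, the block length of the 2 ell-restricted function


def h_prime(s: bytes, z: bytes) -> bytes:
    """Stand-in for h'_s: {0,1}^{2 ell} -> {0,1}^{ell} (constructed, not the book's primitive)."""
    assert len(z) == 2 * L_BYTES
    return hashlib.sha256(s + z).digest()[:L_BYTES]


def split_blocks(x: bytes) -> list:
    """Step 1: t = 2^{ceil(log2(|x|/ell))} zero-padded blocks, with t = 2 when |x| <= ell."""
    needed = max(2, -(-len(x) // L_BYTES))
    t = 1
    while t < needed:
        t *= 2
    padded = x.ljust(t * L_BYTES, b"\x00")
    return [padded[k:k + L_BYTES] for k in range(0, len(padded), L_BYTES)]


def tree_levels(s: bytes, x: bytes) -> list:
    """levels[j] holds y_{j,1..2^j}; levels[0] is the root level, levels[d] the blocks."""
    level = split_blocks(x)                        # step 2: y_{d,i} = x_i
    levels = [level]
    while len(level) > 1:                          # step 3: y_{j,i} = h'_s(y_{j+1,2i-1} y_{j+1,2i})
        level = [h_prime(s, level[k] + level[k + 1]) for k in range(0, len(level), 2)]
        levels.append(level)
    return levels[::-1]


def tree_hash(s: bytes, x: bytes) -> bytes:
    """Step 4: h_s(x) = (y_{0,1}, |x|), |x| written as an ell-bit string (|x| < 2^ell assumed)."""
    return tree_levels(s, x)[0][0] + len(x).to_bytes(L_BYTES, "big")


def certificate(s: bytes, x: bytes, i: int) -> list:
    """Certificate for block i: the sibling pair on the path from leaf i up to level 1."""
    levels = tree_levels(s, x)
    cert, idx = [], i                              # idx: 1-based position at the current level
    for j in range(len(levels) - 1, 0, -1):        # from level d down to level 1
        first = 2 * ((idx + 1) // 2) - 1           # pair (y_{j,2ceil(idx/2)-1}, y_{j,2ceil(idx/2)})
        cert.append((levels[j][first - 1], levels[j][first]))
        idx = (idx + 1) // 2                       # parent position ceil(idx/2)
    return cert


def verify_block(s: bytes, hash_value: bytes, i: int, block: bytes, cert: list) -> bool:
    """Checks that `block` is the i-th block of the x whose h_s(x) is `hash_value`.

    Each pair must hash (under h'_s) to the appropriate member of the next pair, and the
    last pair must hash to the root carried in hash_value; d = len(cert) steps in total.
    """
    if not cert:
        return False
    root, idx = hash_value[:L_BYTES], i
    left, right = cert[0]
    if (left if idx % 2 == 1 else right) != block:   # the claimed block must sit at leaf i
        return False
    for j, (left, right) in enumerate(cert):
        parent = h_prime(s, left + right)
        idx = (idx + 1) // 2                         # position of the parent one level up
        if j + 1 < len(cert):
            expected = cert[j + 1][0] if idx % 2 == 1 else cert[j + 1][1]
        else:
            expected = root
        if parent != expected:
            return False
    return True
```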
The certificate is verified by checking whether or not $y_{j-1, \lceil i/2^{d-j+1} \rceil} = h'_s(y_{j, 2\lceil i/2^{d-j+1} \rceil - 1}\, y_{j, 2\lceil i/2^{d-j+1} \rceil})$, for every $j \in \{1, \ldots, d\}$. Note that if the first party can present two different values for the $i$-th block of $x$ along with corresponding certificates then it can also form collisions under $h'_s$. Construction 6.2.13 and its local-verification property were already used in this work (i.e., in the construction of highly-efficient argument systems, presented in Section 4.8.4). Finally, we note the similarity between the local-verification property of Construction 6.2.13 and the authentication-tree of Section 6.4.2.2.

6.3 Constructions of Message Authentication Schemes

In this section we present several constructions of secure message authentication schemes (referred to above as secure private-key signature schemes). Below, we sometimes refer to such a scheme by the popular abbreviation MAC (which actually abbreviates the more traditional term of a Message Authentication Code).

6.3.1 Applying a pseudorandom function to the document

A scheme for message authentication can be obtained by applying a pseudorandom function (specified by the key) to the message (which one wishes to authenticate). The simplest implementation of this idea is presented in Section 6.3.1.1, whereas more sophisticated implementations are presented in Sections 6.3.1.2 and 6.3.1.3.

6.3.1.1 A simple construction and a plausibility result

Message authentication schemes can be easily constructed using pseudorandom functions (as defined in Section 3.6). Specifically, by Theorem 6.2.2, it suffices to construct an $\ell$-restricted message authentication scheme, for any super-logarithmically growing $\ell$. Indeed, this is our starting point.

Let $\ell$ be a super-logarithmically growing function, and $\{f_s : \{0,1\}^{\ell(|s|)} \to \{0,1\}^{\ell(|s|)}\}_{s \in \{0,1\}^*}$ be as in Definition 3.6.4.
Construction 6.3.1 (an $\ell$-restricted MAC based on pseudorandom functions): We construct an $\ell$-restricted message authentication scheme, $(G, S, V)$, as follows:

key-generation with $G$: On input $1^n$, we uniformly select $s \in \{0,1\}^n$, and output the key-pair $(s, s)$. (Indeed, the verification-key equals the signing-key.)

signing with $S$: On input a signing-key $s \in \{0,1\}^n$ and an $\ell(n)$-bit string, we compute and output the value of $f_s$ at that string as its signature.

verification with $V$: On input a verification-key $s \in \{0,1\}^n$, an $\ell(n)$-bit string, and an alleged signature, we accept if and only if the alleged signature equals the value of $f_s$ at the string.

Indeed, signing amounts to applying $f_s$ to the given document string, and verification amounts to comparing a given value to the result of applying $f_s$ to the document. Analogous constructions can be presented by using the generalized notions of pseudorandom functions defined in Definitions 3.6.9 and 3.6.12 (see further comments in the following subsections). In particular, using a pseudorandom function ensemble of the form $\{f_s : \{0,1\}^* \to \{0,1\}^{|s|}\}_{s \in \{0,1\}^*}$, we obtain a general message authentication scheme (rather than a length-restricted one). Below, we only prove the security of the $\ell$-restricted message authentication scheme of Construction 6.3.1. (The security of the general message authentication scheme can be established analogously; see Exercise 7.)

Proposition 6.3.2 Suppose that $\{f_s : \{0,1\}^{\ell(|s|)} \to \{0,1\}^{\ell(|s|)}\}_{s \in \{0,1\}^*}$ is a pseudorandom function, and that $\ell$ is a super-logarithmically growing function. Then Construction 6.3.1 constitutes a secure $\ell$-restricted message authentication scheme.

Proof: The proof follows the general methodology suggested in Section 3.6.3. Specifically, we consider the security of an ideal scheme in which the pseudorandom function is replaced by a truly random function (mapping $\ell(n)$-bit long strings to $\ell(n)$-bit long strings). Clearly, an adversary that obtains the values of this random function at arguments of its choice cannot predict its value at a new point with probability greater than $2^{-\ell(n)}$. Thus, an adversary attacking the ideal scheme may succeed in existential forgery with at most negligible probability. The same must hold for any efficient adversary that attacks the actual scheme, since otherwise such an adversary yields a violation of the pseudorandomness of $\{f_s : \{0,1\}^{\ell(|s|)} \to \{0,1\}^{\ell(|s|)}\}_{s \in \{0,1\}^*}$. Details follow.

The actual proof is by a reducibility argument. Given a probabilistic polynomial-time $A$ attacking the scheme $(G, S, V)$, we consider what happens when $A$ is attacking an ideal scheme in which a random function is used instead of a pseudorandom one. That is, we refer to two experiments:

1. Machine $A$ attacks the actual scheme: On input $1^n$, machine $A$ is given oracle access to (the signing process) $f_s : \{0,1\}^{\ell(n)} \to \{0,1\}^{\ell(n)}$, where $s$ is uniformly selected in $\{0,1\}^n$. After making some queries of its choice, $A$ outputs a pair consisting of a document and an alleged signature, where the document is different from all its queries. $A$ is deemed successful if and only if the alleged signature equals the value of $f_s$ at the document.

2. Machine $A$ attacks the ideal scheme: On input $1^n$, machine $A$ is given oracle access to a function $F : \{0,1\}^{\ell(n)} \to \{0,1\}^{\ell(n)}$, uniformly selected among all such possible functions. After making some queries of its choice, $A$ outputs a pair consisting of a document and an alleged signature, where the document is different from all its queries. Again, $A$ is deemed successful if and only if the alleged signature equals the value of $F$ at the document. Clearly, $A$'s success probability in this experiment is at most $2^{-\ell(n)}$, which is a negligible function (since $\ell$ is super-logarithmic).

Assuming that $A$'s success probability in the actual attack is non-negligible, we derive a contradiction to the pseudorandomness of the function ensemble $\{f_s\}$. Specifically, we consider a distinguisher $D$ that on input $1^n$ and oracle access to a function $f : \{0,1\}^{\ell(n)} \to \{0,1\}^{\ell(n)}$ behaves as follows: First $D$ emulates the actions of $A$, while answering $A$'s queries using its oracle $f$. When $A$ outputs its pair, the distinguisher makes one additional oracle query to $f$, at the document in the pair, and outputs 1 if and only if the answer equals the alleged signature. Note that when $f$ is selected uniformly among all possible $\{0,1\}^{\ell(n)} \to \{0,1\}^{\ell(n)}$ functions, $D$ emulates an attack of $A$ on the ideal scheme, and thus outputs 1 with negligible probability (as explained above). On the other hand, if $f$ is uniformly selected in $\{f_s\}_{s \in \{0,1\}^n}$ then $D$ emulates an attack of $A$ on the actual scheme, and thus (due to the contradiction hypothesis) outputs 1 with non-negligible probability. We reach a contradiction to the pseudorandomness of $\{f_s\}_{s \in \{0,1\}^n}$. The proposition follows.

A plausibility result: Combining Theorem 6.2.2, Proposition 6.3.2, and Corollary 3.6.7, it follows that the existence of one-way functions implies the existence of message authentication schemes. The converse also holds; see Exercise 8. Thus, we have:

Theorem 6.3.3 Secure message authentication schemes exist if and only if one-way functions exist.

In contrast to the feasibility result stated in Theorem 6.3.3, we now present alternative ways of using pseudorandom functions to obtain secure message authentication schemes (MACs). These alternatives yield more efficient schemes, where efficiency is measured in terms of the length of the signatures and the time it takes to produce and verify them.

6.3.1.2 * Using the hash-and-sign paradigm

Theorem 6.3.3 was proved by combining the length-restricted MAC of Construction 6.3.1 with the simple but wasteful idea of providing signatures (authentication tags) for each block of the document (i.e., Construction 6.2.3). In particular, the signature produced this way is longer than the document. Instead, here we suggest to use the second method of converting length-restricted MACs into full-fledged ones; that is, the hash-and-sign method of Construction 6.2.6. This will yield signatures of a fixed length (i.e., independent of the length of the document). Combining the hash-and-sign method with a length-restricted MAC of Construction 6.3.1 (which is based on pseudorandom functions), we obtain the following construction.

Construction 6.3.4 (hash and sign using pseudorandom functions): Let $\{f_s : \{0,1\}^{|s|} \to \{0,1\}^{|s|}\}_{s \in \{0,1\}^*}$ be a pseudorandom function ensemble and $\{h_r : \{0,1\}^* \to \{0,1\}^{|r|}\}_{r \in \{0,1\}^*}$ be a collection of collision-free hashing functions. Furthermore, for simplicity we assume that, when invoked on input $1^n$, the indexing algorithm $I$ of the collision-free hashing collection outputs an $n$-bit long index. The general message authentication scheme, $(G, S, V)$, is as follows:

key-generation with $G$: On input $1^n$, algorithm $G$ selects uniformly $s \in \{0,1\}^n$, and invokes the indexing algorithm $I$ to obtain $r \leftarrow I(1^n)$. The key-pair output by $G$ is $((r, s), (r, s))$.

signing with $S$: On input a signing-key $(r, s)$ in the range of $G_1(1^n)$ and a document in $\{0,1\}^*$, algorithm $S$ outputs the signature/tag $f_s(h_r(\cdot))$ evaluated at the document.

verification with $V$: On input a verification-key $(r, s)$ in the range of $G_2(1^n)$, a document in $\{0,1\}^*$, and an alleged signature, algorithm $V$ outputs 1 if and only if $f_s(h_r(\cdot))$ evaluated at the document equals the alleged signature.

Combining Propositions 6.2.7 and 6.3.2, it follows that Construction 6.3.4 constitutes a secure message authentication scheme (MAC), provided that the ingredients are as postulated. In particular, this means that Construction 6.3.4 yields a secure MAC, provided that collision-free hashing functions exist (and are used in Construction 6.3.4). While this result uses a seemingly stronger assumption than the existence of one-way functions (used to establish Theorem 6.3.3), it yields more efficient MACs both in terms of signature length (as discussed above) and authentication time (to be discussed next).
Construction 6.3.4 yields faster signing and verification algorithms than the construction resulting from combining Constructions 6.2.3 and 6.3.1, provided that hashing a long string is less time-consuming than applying a pseudorandom function to it (or to all its blocks). The latter assumption is consistent with the current state of the art regarding the implementation of both primitives. Further speed improvements are discussed in Section 6.3.1.3.

An alternative presentation: Construction 6.3.4 was analyzed by invoking the hash-and-sign paradigm (i.e., Proposition 6.2.7), while referring to the fixed-length MAC arising from the pseudorandom function ensemble $\{f_s : \{0,1\}^{|s|} \to \{0,1\}^{|s|}\}_{s \in \{0,1\}^*}$. An alternative analysis may proceed by first establishing that $\{g_{s,r} = f_s \circ h_r\}_{s \in \{0,1\}^*,\, r \leftarrow I(1^{|s|})}$ is a generalized pseudorandom function (as in Definition 3.6.12), and next observing that any such ensemble yields a full-fledged MAC (see Exercise 7).

6.3.1.3 * A variation on the hash-and-sign paradigm or using non-cryptographic hashing plus hiding

Construction 6.3.4 combines the use of a collision-free hashing function with the application of a pseudorandom function. Here we take another step towards speeding-up message authentication by showing that the collision-free hashing can be replaced with ordinary (i.e., non-cryptographic) hashing, provided that a pseudorandom function is applied to the result. Before getting into details, let us explain why we can use non-cryptographic hashing and why this may lead to efficiency improvements. Since we are in the private-key setting, the adversary does not get the description of the hash function used in the hash-and-sign process. Furthermore, applying the pseudorandom function to the hash-value hides it from the adversary. Thus, when trying to form collisions under the hash function, the adversary is in "total darkness" and may only rely on the collision probability of the hashing function (as defined below). (Recall
that in case the adversary fails to form a collision, it must succeed in forging with respect to the length-restricted scheme if it wishes to forge with respect to the full-fledged scheme.) The reason that applying an ordinary hashing, rather than a collision-free hash function, may yield an efficiency improvement is that the former may be more efficient than the latter. This is to be expected given that ordinary hashing needs only satisfy a weak (probabilistic) condition, whereas collision-free hashing refers to a more complicated (intractability) condition.⁹

⁹ This intuition may not hold when comparing a construction of ordinary hashing that is rigorously analyzed with an ad-hoc suggestion of a collision-free hashing. But it certainly holds when comparing the former to the constructions of collision-free hashing that are based on a well-established intractability assumption.

By ordinary hashing we mean function ensembles as defined in Section 3.5.1.1. For starters, recall that these are collections of functions mapping $\ell(n)$-bit str ings to $m(n)$-bit strings. These collections are associated with a set of strings, denoted $S^{m(n)}_{\ell(n)}$, and we may assume that $S^{m(n)}_{\ell(n)} \subseteq \{0,1\}^n$. Specifically, we call $\{S^{m(n)}_{\ell(n)}\}_{n \in \mathbb{N}}$ a hashing ensemble if it satisfies the following three conditions:

1. Succinctness: $n = \mathrm{poly}(\ell(n) + m(n))$.

2. Efficient evaluation: there exists a polynomial-time algorithm that, on input a representation of a function, $h$ (in $S^{m(n)}_{\ell(n)}$), and a string $x \in \{0,1\}^{\ell(n)}$, returns $h(x)$.

3. Pairwise independence: for every $x \ne y \in \{0,1\}^{\ell(n)}$, if $h$ is uniformly selected in $S^{m(n)}_{\ell(n)}$ then $h(x)$ and $h(y)$ are independent and uniformly distributed in $\{0,1\}^{m(n)}$. That is, every pair of values in $\{0,1\}^{m(n)} \times \{0,1\}^{m(n)}$ is taken by $(h(x), h(y))$ with probability exactly $2^{-2m(n)}$.

In fact, for the current application, we can replace the third condition by the following weaker condition, parameterized by a function $cp : \mathbb{N} \to [0,1]$ (s.t. $cp(n) \ge 2^{-m(n)}$): for every $x \ne y \in \{0,1\}^{\ell(n)}$,

$$\Pr_h[h(x) = h(y)] \le cp(n) \qquad (6.3)$$

Indeed, the pairwise independence condition implies that Eq. (6.3) is satisfied with $cp(n) = 2^{-m(n)}$. Note that Eq. (6.3) asserts that the collision probability of $S^{m(n)}_{\ell(n)}$ is at most $cp(n)$, where the collision probability refers to the probability that $h(x) = h(y)$ when $h$ is uniformly selected in $S^{m(n)}_{\ell(n)}$ and $x \ne y \in \{0,1\}^{\ell(n)}$ are arbitrary fixed strings. Hashing ensembles with $n \le \ell(n) + m(n)$ and $cp(n) = 2^{-m(n)}$ can be constructed (for a variety of functions $\ell, m : \mathbb{N} \to \mathbb{N}$, e.g., $\ell(n) = 2n/3$ and $m(n) = n/3$); see Exercise 18. Using such ensembles, we first present a construction of length-restricted message authentication schemes.

Construction 6.3.5 (Construction 6.3.4, revisited; length-restricted version): Let $\{h_r : \{0,1\}^{\ell(|r|)} \to \{0,1\}^{m(|r|)}\}_{r \in \{0,1\}^*}$ and $\{f_s : \{0,1\}^{m(|s|)} \to \{0,1\}^{m(|s|)}\}_{s \in \{0,1\}^*}$ be efficiently computable function ensembles. We construct the following $\ell$-restricted scheme, $(G, S, V)$:

key-generation with $G$: On input $1^n$, algorithm $G$ selects independently and uniformly $r, s \in \{0,1\}^n$. The key-pair output by $G$ is $((r, s), (r, s))$.

signing with $S$: On input a signing-key $(r, s)$ in the range of $G_1(1^n)$ and a document in $\{0,1\}^{\ell(n)}$, algorithm $S$ outputs the signature/tag $f_s(h_r(\cdot))$ evaluated at the document.

verification with $V$: On input a verifying-key $(r, s)$ in the range of $G_2(1^n)$, a document in $\{0,1\}^{\ell(n)}$, and an alleged signature, algorithm $V$ outputs 1 if and only if $f_s(h_r(\cdot))$ evaluated at the document equals the alleged signature.

Proposition 6.3.6 Suppose that $\{f_s : \{0,1\}^{m(|s|)} \to \{0,1\}^{m(|s|)}\}_{s \in \{0,1\}^*}$ is a pseudorandom function, and that the collision probability of the collection $\{h_r : \{0,1\}^{\ell(|r|)} \to \{0,1\}^{m(|r|)}\}_{r \in \{0,1\}^*}$ is a negligible function of $|r|$. Then Construction 6.3.5 constitutes a secure $\ell$-restricted message authentication scheme.
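The two hash-then-PRF MACs of this section, Construction 6.3.4 (collision-free hashing, public index) and Construction 6.3.5 (secret ordinary hashing with collision probability $cp$), as an added Python example that is not from the manuscript. HMAC-SHA256 stands in for the pseudorandom function $f_s$, SHA-256 for the collision-free $h_r$ (so its index $r$ is implicit), and $h_{(a,b)}(x_1 x_2) = a x_1 + x_2 + b \bmod p$ over the prime $p = 2^{61}-1$ is a constructed instance of an ordinary hashing function from $2m$ to $m$ bits of the kind Exercise 18 asks for; `collision_count` checks Eq. (6.3) exhaustively for a small prime.

```python
import hashlib
import hmac
import secrets

M_BITS = 61
P = (1 << M_BITS) - 1   # the prime 2^61 - 1; hash-values are elements of Z_p, i.e. m = 61 bits


def prf(s: bytes, v: bytes) -> bytes:
    """Stand-in for f_s: {0,1}^m -> {0,1}^m (assumption: HMAC-SHA256 truncated to 8 bytes)."""
    return hmac.new(s, v, hashlib.sha256).digest()[:8]


def ordinary_hash(r, x1: int, x2: int, p: int = P) -> int:
    """h_r(x1 x2) = a*x1 + x2 + b mod p for r = (a, b) in Z_p^2 (constructed ordinary hashing).

    For (x1, x2) != (x1', x2'): if x1 != x1', exactly one a in Z_p makes the values collide
    (whatever b is); if x1 == x1', none does. Hence Pr_r[h_r(x) = h_r(x')] <= 1/p, which is
    Eq. (6.3) with cp = 1/p = 2^{-m}, up to rounding.
    """
    a, b = r
    return (a * x1 + x2 + b) % p


def collision_count(p: int, x, x_prime):
    """Exhaustive check of Eq. (6.3) for a small prime p: (#keys r that collide, #all keys)."""
    colliding = sum(
        1
        for a in range(p)
        for b in range(p)
        if ordinary_hash((a, b), *x, p) == ordinary_hash((a, b), *x_prime, p)
    )
    return colliding, p * p


# Construction 6.3.5: the secret ordinary hash is never exposed, f_s hides its value.

def keygen_6_3_5():
    """G: r = (a, b) uniform in Z_p^2 plus a PRF seed s; signing key equals verification key."""
    r = (secrets.randbelow(P), secrets.randbelow(P))
    return (r, secrets.token_bytes(32))


def sign_6_3_5(key, x1: int, x2: int) -> bytes:
    """S: the tag is f_s(h_r(document)), the document being the pair (x1, x2) of Z_p elements."""
    r, s = key
    return prf(s, ordinary_hash(r, x1, x2).to_bytes(8, "big"))


def verify_6_3_5(key, x1: int, x2: int, tag: bytes) -> bool:
    """V: recompute f_s(h_r(document)) and compare (in constant time) with the alleged tag."""
    return hmac.compare_digest(sign_6_3_5(key, x1, x2), tag)


# Construction 6.3.4: a public collision-free hash of an arbitrary-length document, then f_s.

def sign_6_3_4(s: bytes, doc: bytes) -> bytes:
    """S: f_s(h_r(document)) with SHA-256 standing in for the collision-free h_r."""
    return prf(s, hashlib.sha256(doc).digest())


def verify_6_3_4(s: bytes, doc: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(sign_6_3_4(s, doc), tag)
```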
In particular, the second hypothesis implies that $2^{-m(n)}$ is a negligible function in $n$. By the above discussion, adequate collections of hashing functions exist for $\ell(n) = 2n/3$ (and $m(n) = n/3$). We comment that, under the above hypothesis, the collection $\{g_{s,r} : f_s \circ h_r\}_{|s| = |r|}$ constitutes a pseudorandom function ensemble: this is implicitly shown in the following proof, and is related to Exercise 31 in Chapter 3.

Proof Sketch: As in the proof of Proposition 6.3.2, we first consider the security of an ideal scheme in which the pseudorandom function is replaced by a truly random function (mapping $m(n)$-bit long strings to $m(n)$-bit long strings). Consider any (probabilistic polynomial-time) adversary attacking the ideal scheme. Such an adversary may obtain the signatures to polynomially-many $\ell(n)$-bit long strings of its choice. However, except with negligible probability, these strings are hashed to different $m(n)$-bit long strings, which in turn are mapped by the random function to totally independent and uniformly distributed $m(n)$-bit long strings. Furthermore, except with negligible probability, the $\ell(n)$-bit long string contained in the adversary's (alleged message-signature) output pair is hashed to an $m(n)$-bit long string that is different from all the previous hash-values, and so the single valid signature corresponding to it is a uniformly distributed $m(n)$-bit long string that is independent of all previously seen signatures.

On the distribution of signatures in the ideal scheme: Suppose that the hashing collection $\{h_r : \{0,1\}^{\ell(|r|)} \to \{0,1\}^{m(|r|)}\}_{r \in \{0,1\}^n}$ has collision probability $cp(n)$, and $F : \{0,1\}^{m(n)} \to \{0,1\}^{m(n)}$ is a random function. Then, we claim that an adversary that obtains signatures to $t(n) - 1$ strings of its choice succeeds in forging a signature to a new string with probability at most $t(n)^2 \cdot cp(n) + 2^{-m(n)}$, regardless of its computational powers. The claim is proved by showing that, except with probability at most $t(n)^2 \cdot cp(n)$, the $t(n)$ strings selected by the adversary are mapped by $h_r$ to distinct strings. The latter claim is proved by induction on the number of selected strings, denoted $i$, where the base case (i.e., $i = 1$) holds vacuously. Let $s_1, \ldots, s_i$ denote the strings selected so far, and recall that with probability at least $1 - i^2 \cdot cp(n)$ the $i$ hash-values $h_r(s_j)$'s are distinct. The adversary only sees the corresponding $F(h_r(s_j))$'s, which are uniformly and independently distributed (in a way independent of the values of the $h_r(s_j)$'s). Thus, loosely speaking, the adversary's selection of the next string, denoted $s_{i+1}$, is independent of the values of the $h_r(s_j)$'s, and so a collision of $h_r(s_{i+1})$ with one of the previous $h_r(s_j)$'s occurs with probability at most $i \cdot cp(n)$. The induction step follows (since $1 - i^2 \cdot cp(n) - i \cdot cp(n) > 1 - (i+1)^2 \cdot cp(n)$).

It follows that any adversary attacking the ideal scheme may succeed in existential forgery with at most negligible probability (provided it makes at most polynomially-many queries). The same must hold for any efficient adversary that attacks the actual scheme, since otherwise such an adversary yields a violation of the pseudorandomness of $\{f_s : \{0,1\}^{m(|s|)} \to \{0,1\}^{m(|s|)}\}_{s \in \{0,1\}^*}$. The exact implementation of the above argument follows the details given in the proof of Proposition 6.3.2.

Obtaining full-fledged MACs. Construction 6.3.5 can be generalized to obtain full-fledged MACs by using generalized hashing families that map arbitrary strings (rather than fixed-length ones) to fixed-length strings. Specifically, for $\ell : \mathbb{N} \to \mathbb{N}$ and $cp : \mathbb{N} \to [0,1]$, we call $\{h_r : \{0,1\}^* \to \{0,1\}^{m(|r|)}\}_{r \in \{0,1\}^n,\, n \in \mathbb{N}}$ a generalized hashing ensemble with a $(\ell, cp)$-collision property if it satisfies the following two conditions:

1. Efficient evaluation: there exists a polynomial-time algorithm that, on input $r$ (representing the function $h_r$) and a string $x \in \{0,1\}^*$, returns $h_r(x)$.

2. Collision probability:¹⁰ For every $n \in \mathbb{N}$ and $x \ne y$ such that $|x|, |y| \le \ell(n)$, the probability that $h_r(x) = h_r(y)$ when $r$ is uniformly selected in $\{0,1\}^n$ is at most $cp(n)$.

¹⁰ Note that it is essential to restrict the collision condition to strings of bounded length. In contrast, for every finite family of functions $H$, there exist two different strings that are mapped to the same image by each function in $H$. For details, see Exercise 17.

For our construction of a full-fledged MAC, we need a generalized hashing ensemble with a $(\ell, cp)$-collision property for some super-polynomial $\ell(n)$ and negligible $cp(n)$ (e.g., $\ell(n) = 1/cp(n) = 2^{\varepsilon n}$ for some constant $\varepsilon > 0$). The existence of such ensembles will be discussed below.

Proposition 6.3.7 (Construction 6.3.4, revisited; full-fledged version): Suppose that $\{f_s : \{0,1\}^{m(|s|)} \to \{0,1\}^{m(|s|)}\}_{s \in \{0,1\}^*}$ is a pseudorandom function ensemble. For some super-polynomial $\ell : \mathbb{N} \to \mathbb{N}$ and negligible $cp : \mathbb{N} \to [0,1]$, suppose that $\{h_r : \{0,1\}^* \to \{0,1\}^{m(|r|)}\}_{r \in \{0,1\}^*}$ is a generalized hashing ensemble with a $(\ell, cp)$-collision property. Then the following $(G, S, V)$ constitute a secure MAC:

key-generation with $G$: On input $1^n$, algorithm $G$ selects independently and uniformly $r, s \in \{0,1\}^n$, and outputs $((r, s), (r, s))$.

signing with $S$: On input a signing-key $(r, s)$ and a document in $\{0,1\}^*$, algorithm $S$ outputs the signature/tag $f_s(h_r(\cdot))$ evaluated at the document.

verification with $V$: On input a verifying-key $(r, s)$, a document in $\{0,1\}^{\ell(n)}$, and an alleged signature, algorithm $V$ outputs 1 if and only if $f_s(h_r(\cdot))$ evaluated at the document equals the alleged signature.
Proof Sketch: The proof is identical to the proof of Proposition 6.3.6, except that here the (polynomial-time) adversary attacking the scheme may query for the signatures of strings of various lengths. Still, all these queries (as well as the final output) are of polynomial length and thus shorter than $\ell(n)$. Thus, the $(\ell, cp)$-collision property implies that, except with negligible probability, all these queries (as well as the relevant part of the output) are hashed to different values.

On constructing adequate hashing ensembles. For some $\varepsilon > 0$ and $f(n) = 2^{\varepsilon n}$, generalized hashing ensembles with a $(f, 1/f)$-collision property can be constructed in several ways. One way is by applying a tree-hashing scheme as in Construction 6.2.13; see Exercise 19. For further details about constructions of generalized hashing ensembles, see Section 6.6.5.

An alternative presentation: The proofs of Propositions 6.3.6 and 6.3.7 actually establish that $\{g_{s,r} = f_s \circ h_r\}_{s \in \{0,1\}^*,\, r \leftarrow I(1^{|s|})}$ is a generalized pseudorandom function (as in Definition 3.6.12). Hence, the actual claim of these propositions (i.e., the security of the constructed MAC) can be derived from the fact that any generalized pseudorandom function yields a full-fledged MAC (see Exercise 7).

6.3.2 * More on Hash-and-Hide and state-based MACs

The basic idea underlying Construction 6.3.5 (as well as Proposition 6.3.7) is to combine a "weak tagging scheme" with an adequate "hiding scheme". Specifically, the "weak tagging scheme" should be secure against forgery provided that the adversary does not have access to the scheme's outcome, and the "hiding scheme" implements the latter provision in a setting in which the actual adversary does obtain the value of the MAC. In Construction 6.3.5 (and in Proposition 6.3.7), hiding was obtained by applying a pseudorandom function to the string that one wishes to hide. (Although this process is not 1-1, its result looks random and thus is hard to predict.) One more natural "hiding scheme" (which can also be implemented using pseudorandom functions) is obtained by using certain private-key encryption schemes. For example, we may use Construction 5.3.9 (in which the plaintext $x$ is encrypted/hidden by the pair $(y, x \oplus f_s(y))$, where $y$ is uniformly selected), instead of hiding $x$ by the value $f_s(x)$ (as above). Alternative implementations of this underlying idea are more popular, especially in the context of state-based MACs. We start by defining state-based MACs, and then show how to construct them based on the hash-and-hide (or rather tag-and-hide) paradigm.

6.3.2.1 The definition of state-based MACs

As in the case of stream-ciphers discussed in Section 5.3.1, we extend the mechanism of message-authentication schemes (MACs) by allowing the signing and verification processes to maintain and update a state. Formally, both the signing and the verification algorithms take an additional input and emit an additional output, corresponding to their state before and after the operation. The length of the state is not allowed to grow by too much during each application of the algorithm (see Item 3 below), or else efficiency of the entire "repeated signing" process cannot be guaranteed. For sake of simplicity, we incorporate the key in the state of the corresponding algorithm. Thus, the initial state of each of the algorithms is set to equal its corresponding key. Furthermore, one may think of the intermediate states as of updated values of the corresponding key.

In the following definition, we follow similar conventions to those used in defining state-based ciphers (i.e., Definition 5.3.1). Specifically, for simplicity, we assume that the verification algorithm (i.e., $V$) is deterministic (otherwise the formulation would be more complex).
Intuitively, the main part of the verification condition (i.e., Item 2) is that the (proper) iterative signing-verifying process always accepts. The additional requirement in Item 2 is that the state of the verification algorithm is updated correctly as long as it is fed with strings of length equal to the length of the valid document-signature pairs. The importance of this condition was discussed in Section 5.3.1 and is further discussed below.

Definition 6.3.8 (state-based MAC; the mechanism): A state-based message-authentication scheme is a triple, $(G, S, V)$, of probabilistic polynomial-time algorithms satisfying the following three conditions:

1. On input $1^n$, algorithm $G$ outputs a pair of bit strings.

2. For every pair $(s^{(0)}, v^{(0)})$ in the range of $G(1^n)$, and every sequence of documents, the following holds: if, for $i = 1, 2, \ldots$, applying $S$ to $s^{(i-1)}$ and the $i$-th document yields the updated state $s^{(i)}$ and the $i$-th signature, and applying $V$ to $v^{(i-1)}$, the $i$-th document and the $i$-th signature yields the updated state $v^{(i)}$ and a verdict bit, then the verdict bit equals 1 for every $i$. Furthermore, for every $i$ and every pair of strings whose lengths equal those of the $i$-th document and the $i$-th signature, respectively, applying $V$ to $v^{(i-1)}$ and this pair yields $v^{(i)}$ as the updated state.

3. There exists a polynomial $p$ such that for every pair $(s^{(0)}, v^{(0)})$ in the range of $G(1^n)$, and every sequence of documents and $s^{(i)}$'s as above, it holds that $|s^{(i)}| \le |s^{(i-1)}| + |\text{the } i\text{-th document}| \cdot p(n)$. Similarly for the $v^{(i)}$'s.

That is, as in Definition 6.1.1, the signing-verification process operates properly provided that the corresponding algorithms get the corresponding keys (states). Note that in Definition 6.3.8 the keys are modified by the signing-verification process, and so correct verification requires holding the correctly-updated verification-key. We stress that the furthermore clause in Item 2 guarantees that the verification-key is correctly updated as long as the verification process is fed with strings of the correct lengths (but not necessarily with the correct document-signature pairs).
This extra requirement implies that given the initial verification-key and the current document-signature pair, as well as the lengths of all previous pairs (which may actually be incorporated in the current signature), one may correctly decide whether or not the current document-signature pair is valid. As in the case of state-based ciphers (cf. Section 5.3.1), this fact is interesting for two reasons:

A theoretical reason: It implies that, without loss of generality (alas with possible loss in efficiency), the verification algorithm may be stateless. Furthermore, without loss of generality (alas with possible loss in efficiency), the state of the signing algorithm may consist of the initial signing-key and the lengths of the messages signed so far. (We assume here and below that the length of the signature is determined by the length of the message and the length of the signing-key.)

A practical reason: It allows recovery from the loss of some of the message-signature pairs. That is, assuming that all messages have the same length (which is typically the case in MAC applications), if the receiver knows (or is given) the total number of messages sent so far then it can verify the authenticity of the current message-signature pair, even if some of the previous message-signature pairs were lost.

We stress that Definition 6.3.8 refers to the signing of multiple messages (and is meaningless when considering the signing of a single message). However, Definition 6.3.8 (by itself) does not explain why one should sign the $i$th message using the updated signing-key $s^{(i-1)}$, rather than by reusing the initial signing-key $s^{(0)}$ (where all corresponding verifications are done by reusing the initial verification-key $v^{(0)}$). Indeed, the reason for updating these keys is provided by the following security definition, which refers to the signing of multiple messages, and holds only in case the signing-keys in use are properly updated (in the multiple-message authentication process).
Definition 6.3.9 (security of state-based MACs): A chosen message attack on a state-based MAC, $(G, S, V)$, is an interactive process that is initiated with $(s^{(0)}, v^{(0)}) \leftarrow G(1^n)$, and proceeds as follows: In the $i$th iteration, based on the information gathered so far, the attacker selects a string (the $i$th query) and obtains the $i$th signature, where algorithm $S$ on input $s^{(i-1)}$ and the $i$th query outputs the new state $s^{(i)}$ together with that signature. Such an attack is said to succeed if it outputs a valid signature to a string for which it has not requested a signature during the attack. That is, the attack is successful if it outputs a document-signature pair such that the document is different from all signature-queries made during the attack, and algorithm $V$ on input $v^{(i-1)}$ and this pair outputs the verdict 1 (together with some new state), for some intermediate state (verification-key) $v^{(i-1)}$ (as above).[11] A state-based MAC is secure if every probabilistic polynomial-time chosen message attack as above succeeds with at most negligible probability.

[11] In fact, one may strengthen the definition by using a weaker notion of success in which it is only required that the forged document differs from the $i$th query (rather than from all queries). That is, the attack is successful if, for some $i$, it outputs a document-signature pair such that the document differs from the $i$th query and algorithm $V$ on input $v^{(i-1)}$ and this pair outputs the verdict 1, where the queries and the $v^{(j)}$'s are as above. The stronger definition provides "replay protection" (i.e., even if the adversary obtains a valid signature that authenticates some document as the $j$th message, it cannot produce a valid signature that authenticates that document as the $i$th message, unless it was actually authenticated as the $i$th message).

Note that Definition 6.3.9 differs from Definition 6.1.2 (only) in the way that the signatures are produced (i.e., using the updated signing-key $s^{(i-1)}$ rather than the initial signing-key $s^{(0)}$). Furthermore, Definition 6.3.9 guarantees nothing regarding a signing process in which the signature to the $i$th message is obtained by invoking $S$ with the initial signing-key $s^{(0)}$ (as in Definition 6.1.2).

6.3.2.2 State-based hash-and-hide MACs

We are now ready to present alternative implementations of the hash-and-hide paradigm. Recall that in Section 6.3.1.3, the document was hashed (by using an adequate hashing function) and the resulting hash-value was (authenticated and) hidden by applying a pseudorandom function to it. In the current subsection, hiding will be obtained in a more natural (and typically more efficient) way; that is, by XORing the hash-value with a new portion of a (pseudorandom) one-time pad. Indeed, the state is used in order to keep track of which part of the (one-time) pad was already used (and should not be used again).

Furthermore, to obtain improved efficiency, we let the state encode information that allows fast generation of the next portion of the (pseudorandom) one-time pad. This is obtained using an (on-line) pseudorandom generator (see Sections 3.3.3 and 5.3.1). Recall that on-line pseudorandom generators are a special case of variable-output pseudorandom generators (see Section 3.3.3), in which a hidden state is maintained and updated so as to allow generation of the next output bit in time polynomial in the length of the initial seed, regardless of the number of bits generated so far. Specifically, the next (hidden) state and output bit are produced by applying a (polynomial-time computable) function $g : \{0,1\}^n \to \{0,1\}^{n+1}$ to the current state (i.e., $g(s)$ consists of the next state $s'$ followed by the next output bit, where $s$ is the current state). Analogously to Construction 5.3.3, the suggested state-based MAC will use an on-line pseudorandom generator in order to generate the required pseudorandom one-time pad, and the latter will be used to hide (and authenticate) the hash-value (obtained by hashing the original document).

Construction 6.3.10 (a state-based MAC): Let $g : \{0,1\}^* \to \{0,1\}^*$ be such that $|g(s)| = |s| + 1$ for every $s \in \{0,1\}^*$. Let $\{h_r : \{0,1\}^* \to \{0,1\}^{m(|r|)}\}_{r \in \{0,1\}^*}$ be a family of functions having an efficient evaluation algorithm.

key-generation and initial state: Uniformly select $s, r \in \{0,1\}^n$, and output the key-pair $((s, r), (s, r))$. The initial state of each algorithm is set to $(s, r, 0, s)$. (We maintain the initial key $(s, r)$ and a step-counter in order to allow recovery from loss of message-signature pairs.)

signing message $x$ with state $(s, r, t, s')$: Let $s_0 \stackrel{\rm def}{=} s'$. For $i = 1, \ldots, m(n)$, compute $g(s_{i-1})$ and parse it as an $n$-bit string $s_i$ followed by one output bit. Output as the signature $h_r(x)$ XORed with the $m(n)$-bit string formed by the $m(n)$ output bits, and set the new state to $(s, r, t + m(n), s_{m(n)})$.

verification of the pair $(x, y)$ with respect to the state $(s, r, t, s')$: Compute the $m(n)$ output bits and $s_{m(n)}$ as in the signing process; that is, for $i = 1, \ldots, m(n)$, compute $g(s_{i-1})$, where $s_0 \stackrel{\rm def}{=} s'$. Set the new state to $(s, r, t + m(n), s_{m(n)})$, and accept if and only if $y$ equals $h_r(x)$ XORed with the $m(n)$ output bits.

When notified that some message-signature pairs may have been lost and that the current message-signature pair has index $t'$, one first recovers the correct current state, which as above will be denoted $s'$. This is done by setting $s_{-t'} \stackrel{\rm def}{=} s$ and computing $g(s_{i-t'-1})$, which yields $s_{i-t'}$ and an output bit, for $i = 1, \ldots, t'$.

Note that both the signing and verification algorithms are deterministic, and that the state after authentication of $t$ messages has length $3n + \log_2(t \cdot m(n)) < 4n$ (for $t < 2^n / m(n)$).

We now turn to analyze the security of Construction 6.3.10. The hashing property of the collection of $h_r$'s should be slightly stronger than the one used in Section 6.3.1.3. Specifically, rather than a bound on the collision probability (i.e., the probability that $h_r(x) = h_r(y)$ for any relevant fixed $x \ne y$ and a random $r$), we need a bound on the probability that $h_r(x) \oplus h_r(y)$ equals any fixed string (again, for any relevant fixed $x \ne y$ and a random $r$). This property is commonly referred to by the name Almost-Xor-Universal (AXU).
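Construction 6.3.10 in executable form, as an added example that is not part of the text. The instantiations are assumptions made here: the next-step function $g$ is realised with SHA-512, the AXU family $h_r$ is a polynomial hash over GF($2^{64}$) keyed by a 64-bit field element $r$ (the text draws $r$ from $\{0,1\}^n$), $n = 256$ and $m(n) = 64$; the recovery procedure for lost message-signature pairs is included, so a verifier can be resynchronised from the initial key and the index of the current pair alone.

```python
# Added example (not from the text): Construction 6.3.10, a state-based MAC.
# Assumptions made here, not in the text: the next-step function g is
# instantiated with SHA-512; the (l, eps)-AXU family h_r is a polynomial hash
# over GF(2^64) with a trailing length block; r is a 64-bit field element
# (the text draws r from {0,1}^n); n = 256 and m(n) = 64.
import hashlib
import secrets

N = 32            # n = 256 bits: seed / hidden-state length of the on-line PRG
M = 64            # m(n) = 64: length of the hash value, the pad block and the tag
GF_POLY = 0x1B    # x^64 + x^4 + x^3 + x + 1, irreducible over GF(2)


def gf_mul(a: int, b: int) -> int:
    """Multiplication in GF(2^64) (carry-less, reduced modulo GF_POLY)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> 64:
            a ^= (1 << 64) | GF_POLY
    return r


def h(r: int, x: bytes) -> int:
    """h_r(x): Horner evaluation of sum_i c_i * r^(L+1-i) over GF(2^64), where the
    c_i are the 8-byte blocks of x (zero-padded) followed by a block holding |x|.
    For x != y, h_r(x) ^ h_r(y) is a nonzero polynomial in r of degree <= L with
    zero constant term, so Pr_r[h_r(x) ^ h_r(y) = z] <= L / 2^64 for every z."""
    coeffs = [int.from_bytes(x[i:i + 8].ljust(8, b"\0"), "big")
              for i in range(0, len(x), 8)] + [len(x)]
    acc = 0
    for c in coeffs:
        acc = gf_mul(acc ^ c, r)
    return acc


def g(state: bytes):
    """Next-step function g : {0,1}^n -> {0,1}^{n+1}: returns (next state, output bit)."""
    d = hashlib.sha512(state).digest()
    return d[:N], d[N] & 1


def next_pad(state: bytes):
    """Iterate g m(n) times; returns s_{m(n)} and the m(n) output bits as an integer."""
    pad = 0
    for _ in range(M):
        state, bit = g(state)
        pad = (pad << 1) | bit
    return state, pad


def keygen():
    """G(1^n): s, r uniform; the signing key and the verification key are both (s, r)."""
    key = (secrets.token_bytes(N), secrets.randbits(M))
    return key, key


def initial_state(key):
    """Initial state (s, r, t, s') = (s, r, 0, s); the counter t counts pad bits used."""
    s, r = key
    return (s, r, 0, s)


def sign(state, x: bytes):
    """S: tag = h_r(x) XOR the next m(n) pad bits; new state (s, r, t + m(n), s_{m(n)})."""
    s, r, t, cur = state
    cur, pad = next_pad(cur)
    return (s, r, t + M, cur), h(r, x) ^ pad


def verify(state, x: bytes, tag: int):
    """V: recompute the pad from the current state and compare. The state advances
    whether or not the tag is accepted (the furthermore clause of Definition 6.3.8),
    so the verifier stays in step with the signer."""
    new_state, expected = sign(state, x)
    return new_state, expected == tag


def recover_state(key, t_prime: int):
    """Recovery after lost pairs: rewind to the initial seed s and step g t' times,
    where t' = (number of preceding pairs) * m(n) is the pad-bit index of the
    current pair. Only the initial key and t' are needed."""
    s, r = key
    cur = s
    for _ in range(t_prime):
        cur, _ = g(cur)
    return (s, r, t_prime, cur)
```

A verifier that has missed the second of three pairs rejects the third with its stale state, and recover_state(key, 2 * M) brings it back in step; a tag replayed under another index is rejected as well.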
That is, $\{h_r : \{0,1\}^* \to \{0,1\}^{m(|r|)}\}_{r \in \{0,1\}^*}$ is called an $(\ell, \varepsilon)$-AXU family if for every $n \in \mathbb{N}$, every $x \ne y$ such that $|x|, |y| \le \ell(n)$, and every $z$, it holds that

$$\Pr\left[h_{U_n}(x) \oplus h_{U_n}(y) = z\right] \le \varepsilon(n) \qquad (6.4)$$

References to constructions of such families are provided in Section 6.6.5.

Proposition 6.3.11: Suppose that $g$ is a pseudorandom generator, and that $\{h_r\}$ is an $(\ell, \varepsilon)$-AXU family, for some super-polynomial $\ell$ and negligible $\varepsilon$. Then Construction 6.3.10 constitutes a secure state-based MAC. Furthermore, security holds even with respect to the stronger notion discussed in Footnote 11.

Proof Sketch: By Exercise 21 of Chapter 3, if $g$ is a pseudorandom generator then for every polynomial $p$ the ensemble $\{G^p_n\}_{n \in \mathbb{N}}$ is pseudorandom, where $G^p_n$ is defined by the following random process:

Uniformly select $s_0 \in \{0,1\}^n$;
For $i = 1$ to $p(n)$, compute $g(s_{i-1})$ and parse it as $s_i \in \{0,1\}^n$ followed by one output bit;
Output the concatenation of the $p(n)$ output bits.

Recall that, in such a case, we said that $g$ is a next-step function of an on-line pseudorandom generator. As in previous cases, it suffices to establish the security of an ideal scheme in which the sequence (of $m(n)$-bit long blocks) produced by iterating the next-step function $g$ is replaced by a truly random sequence (of $m(n)$-bit long blocks). In the ideal scheme, all that the adversary may obtain via a chosen message attack is a sequence of $m(n)$-bit long blocks, which is uniformly distributed among all such possible sequences. Note that each of the signatures obtained during the attack as well as the forged signature refers to a single block in this sequence (e.g., the $i$th obtained signature refers to the $i$th block). We consider two types of forgery attempts:

1. In case the adversary tries to forge a signature referring to an unused (during the attack) block, it may succeed with probability at most $2^{-m(n)}$, because we may think of this block as being chosen after the adversary makes its forgery attempt. Note that $2^{-m(n)}$ is negligible, because $\varepsilon(n) \ge 2^{-m(n)}$ must hold (since $2^{-m(n)}$ lower-bounds the collision probability).

2. The more interesting case is when the adversary tries to forge a signature referring to a block, say the $i$th one, that was used (to answer the $i$th query) during the attack. Denote the (random) $j$th block by $b^{(j)}$. Then, at the time of outputting the forgery attempt (a document-signature pair), the adversary only knows the sequence of values obtained by XORing each $b^{(j)}$ with the hash-value $h_r$ of the $j$th query, which yields no information on $r$. Note that the adversary succeeds if and only if the forged signature equals $b^{(i)}$ XORed with the hash-value $h_r$ of the forged document, where the $i$th signature (i.e., $b^{(i)}$ XORed with the hash-value $h_r$ of the $i$th query) is known to it. Thus, the adversary succeeds if and only if the XOR of the hash-values $h_r$ of the $i$th query and of the forged document equals the XOR of the $i$th signature and the forged signature, where the two documents and the two signatures are fixed and $r$ is uniformly distributed. Hence, by the AXU property, the probability that the adversary succeeds is at most $\varepsilon(n)$.

The security of the real scheme follows (or else one could have distinguished the sequence produced by iterating the next-step function $g$ from a truly random sequence). □

Construction 6.3.10 versus the constructions of Section 6.3.1.3. Recall that all these schemes are based on the hash-and-hide paradigm. The difference between the schemes is that in Section 6.3.1.3 a pseudorandom function is applied to the hash-value (i.e., the signature to $x$ is $f_s(h_r(x))$), whereas in Construction 6.3.10 the hash-value is XORed with a pseudorandom value (i.e., we may view the signature as consisting of $(c, h_r(x) \oplus f_s(c))$, where $c$ is a counter value and $f_s(c)$ is the $c$th block produced by iterating the next-step function $g$ starting with the initial seed $s$). We note two advantages of the state-based MAC over the MACs presented in Section 6.3.1.3: First, applying an on-line pseudorandom generator is likely to be more efficient than applying a pseudorandom function.
Second, a counter allows one to securely authenticate more messages than can be securely authenticated by applying a pseudorandom function to the hashed value. Specifically, the use of an $m$-bit long counter allows one to securely authenticate $2^m$ messages, whereas using an $m$-bit long hash-value suffers from the "birthday effect" (i.e., collisions are likely to occur when $\sqrt{2^m}$ messages are authenticated). Indeed, these advantages are relevant only in applications in which using state-based MACs is possible, and are most advantageous in applications where verification is performed in the same order as signing (e.g., in FIFO communication).

6.4 Constructions of Signature Schemes

In this section we present several constructions of secure public-key signature schemes. Here we refer to such schemes as signature schemes, which is indeed the traditional term. Two central paradigms in the construction of signature schemes are the "refreshing" of the "effective" signing-key, and the usage of an "authentication tree". In addition, the "hashing paradigm" (employed also in the construction of message authentication schemes) plays an even more crucial role in the following presentation. In addition to the above, we use the notion of a one-time signature scheme, defined in Section 6.4.1.

The current section is organized as follows. In Section 6.4.1 we define and construct various types of one-time signature schemes. The "hashing paradigm" plays a crucial role in one of these constructions, which in turn is essential for Section 6.4.2. In Section 6.4.2 we show how to use one-time signature schemes to construct general signature schemes. This construction utilizes the "refreshing paradigm" (as applied to one-time signature schemes) and an "authentication tree". In Section 6.4.3, we define Universal One-Way Hashing and show how to use it (in the previous constructions) instead of collision-free hashing.
The gain in using Universal One-Way Hashing (rather than collision-free hashing) is that the former can be constructed based on any one-way function (whereas this is not known for collision-free hashing). Thus, we obtain:

Theorem 6.4.1: Secure signature schemes exist if and only if one-way functions exist.

The difficult direction is to show that the existence of one-way functions implies the existence of signature schemes. For the other direction, see Exercise 8.

6.4.1 One-time signature schemes

In this section we define and construct various types of one-time signature schemes. Specifically, we first define one-time signature schemes, next define a length-restricted version of this notion (analogous to Definition 6.2.1), then present a simple construction of the latter, and finally we show how such a construction combined with collision-free hashing yields a general one-time signature scheme.

6.4.1.1 Definitions

Loosely speaking, one-time signature schemes are signature schemes for which the security requirement is restricted to attacks in which the adversary asks for at most one string to be signed. That is, the mechanics of one-time signature schemes are as for ordinary signature schemes (see Definition 6.1.1), but the security requirement is relaxed as follows. A chosen one-message attack is a process that can obtain a signature to at most one string of its choice. That is, the attacker is given $v$ as input, and obtains a signature relative to $s$, where $(s, v) \leftarrow G(1^n)$ for an adequate $n$. (Note that in this section we focus on public-key signature schemes and thus we present only the definition for this case.) Such an attack is said to succeed (in existential forgery) if it outputs a valid signature to a string for which it has not requested a signature during the attack. (Indeed, the notion of success is exactly as in Definition 6.1.2.)
A one-time signature scheme is secure (or unforgeable) if every probabilistic polynomial-time chosen one-message attack succeeds with at most negligible probability.

Moving to the formal definition, we again model a chosen message attack as a probabilistic oracle machine; however, since here we only care about one-message attacks, we consider only oracle machines that make at most one query. Let $M$ be such a machine. As before, we denote by $Q^O_M(x)$ the set of queries made by $M$ on input $x$ and access to oracle $O$, and let $M^O_1(x)$ denote the first string in the output of $M$ on input $x$ and access to oracle $O$. Note that here $|Q^O_M(x)| \le 1$ (i.e., $M$ may either make no queries or a single query).

Definition 6.4.2 (security for one-time signature schemes): A one-time signature scheme is secure if for every probabilistic polynomial-time oracle machine $M$ that makes at most one query, every polynomial $p$ and all sufficiently large $n$, it holds that

$$\Pr\left[\begin{array}{c} V_{G_2(1^n)}\big(M^{S_{G_1(1^n)}}(G_2(1^n))\big) = 1 \ \text{ and } \\ M_1^{S_{G_1(1^n)}}(G_2(1^n)) \notin Q_M^{S_{G_1(1^n)}}(G_2(1^n)) \end{array}\right] < \frac{1}{p(n)}$$

where the probability is taken over the coin tosses of algorithms $G$, $S$ and $V$ as well as over the coin tosses of machine $M$.

We now define a length-restricted version of one-time signature schemes. The definition is indeed analogous to Definition 6.2.1:

Definition 6.4.3 (length-restricted one-time signature schemes): Let $\ell : \mathbb{N} \to \mathbb{N}$. An $\ell$-restricted one-time signature scheme is a triple, $(G, S, V)$, of probabilistic polynomial-time algorithms satisfying the mechanics of Definition 6.2.1. That is, it satisfies the following two conditions:

1. As in Definition 6.1.1, on input $1^n$, algorithm $G$ outputs a pair of bit strings.

2. Analogously to Definition 6.1.1, for every $n$ and every pair $(s, v)$ in the range of $G(1^n)$, and for every string of length $\ell(n)$, algorithms $S$ and $V$ satisfy that $V$, on input $v$, the string and the signature produced by $S$ on input $s$ and the string, outputs 1 with probability 1.

Such a scheme is called secure (in the one-time model) if the requirement of Definition 6.4.2 holds when restricted to attackers that only make queries of length $\ell(n)$ and output a document-signature pair whose document has length $\ell(n)$. That is, we consider only attackers that make at most one query, this query has to be of length $\ell(n)$, and the document in the output pair must have length $\ell(n)$.

Note that even the existence of secure 1-restricted one-time signature schemes implies the existence of one-way functions; see Exercise 11.

6.4.1.2 Constructing length-restricted one-time signature schemes

We now present a simple construction of length-restricted one-time signature schemes. The construction works for any length restriction function $\ell$, but the keys will have length greater than $\ell$. The latter fact limits the applicability of such schemes, and will be removed in the next subsection. But first, we construct $\ell$-restricted one-time signature schemes based on any one-way function $f$. We may assume for simplicity that $f$ is length preserving.

Construction 6.4.4 (an $\ell$-restricted one-time signature scheme): Let $\ell : \mathbb{N} \to \mathbb{N}$ be polynomially-bounded and polynomial-time computable, and $f : \{0,1\}^* \to \{0,1\}^*$ be polynomial-time computable and length-preserving. We construct an $\ell$-restricted one-time signature scheme, $(G, S, V)$, as follows:

key-generation with $G$: On input $1^n$, we uniformly select $s^0_1, s^1_1, \ldots, s^0_{\ell(n)}, s^1_{\ell(n)} \in \{0,1\}^n$, and compute $v^j_i = f(s^j_i)$, for $i = 1, \ldots, \ell(n)$ and $j = 0, 1$. We let $s = ((s^0_1, s^1_1), \ldots, (s^0_{\ell(n)}, s^1_{\ell(n)}))$, and $v = ((v^0_1, v^1_1), \ldots, (v^0_{\ell(n)}, v^1_{\ell(n)}))$, and output the key-pair $(s, v)$. (Note that $|s| = |v| = 2 \cdot \ell(n) \cdot n$.)

signing with $S$: On input a signing-key $s = ((s^0_1, s^1_1), \ldots, (s^0_{\ell(n)}, s^1_{\ell(n)}))$ and an $\ell(n)$-bit string, we output as a signature of the string the sequence of $\ell(n)$ strings whose $i$th element is $s^0_i$ if the $i$th bit of the string is 0 and $s^1_i$ if it is 1.
verification with $V$: On input a verification-key $v = ((v^0_1, v^1_1), \ldots, (v^0_{\ell(n)}, v^1_{\ell(n)}))$, an $\ell(n)$-bit string, and an alleged signature consisting of $\ell(n)$ strings, we accept if and only if, for $i = 1, \ldots, \ell(n)$, applying $f$ to the $i$th string of the alleged signature yields $v^0_i$ if the $i$th bit of the message is 0 and $v^1_i$ if it is 1.

Proposition 6.4.5: If $f$ is a one-way function then Construction 6.4.4 constitutes a secure $\ell$-restricted one-time signature scheme.

Note that Construction 6.4.4 does not constitute a (general) $\ell$-restricted signature scheme: An attacker that obtains signatures to two strings (e.g., to the strings $0^{\ell(n)}$ and $1^{\ell(n)}$) can present a valid signature to any $\ell(n)$-bit long string (and thus totally break the system). However, here we consider only attackers that may ask for at most one string (of their choice) to be signed. As a corollary to Proposition 6.4.5, we obtain:

Corollary 6.4.6: If there exist one-way functions then, for every polynomially-bounded and polynomial-time computable $\ell : \mathbb{N} \to \mathbb{N}$, there exist secure $\ell$-restricted one-time signature schemes.

Proof of Proposition 6.4.5: Intuitively, forging a signature (after seeing at most one signature to a different message) requires inverting $f$ on some random image (corresponding to a bit location on which the two $\ell(n)$-bit long messages differ). The actual proof is by a reducibility argument. Given an adversary $A$ attacking the scheme $(G, S, V)$, while making at most one query, we construct an algorithm $A'$ for inverting $f$.

As a warm-up, let us first deal with the case in which $A$ makes no queries at all. In this case, on input $y$ (supposedly in the range of $f$), algorithm $A'$ proceeds as follows. First $A'$ selects uniformly and independently a position $p \in \{1, \ldots, \ell(n)\}$, a bit $b$, and a sequence of ($2\ell(n)$ many) $n$-bit long strings $s^0_1, s^1_1, \ldots, s^0_{\ell(n)}, s^1_{\ell(n)}$. (Actually, $s^b_p$ is not used and need not be selected.) For every $i \in \{1, \ldots, \ell(n)\} \setminus \{p\}$, and every $j \in \{0,1\}$, algorithm $A'$ computes $v^j_i = f(s^j_i)$. Algorithm $A'$ also computes $v^{1-b}_p = f(s^{1-b}_p)$, and sets $v^b_p = y$ and $v = ((v^0_1, v^1_1), \ldots, (v^0_{\ell(n)}, v^1_{\ell(n)}))$. Note that if $y = f(x)$, for a uniformly distributed $x \in \{0,1\}^n$, then for each possible choice of $p$ and $b$, the sequence $v$ is distributed identically to the public-key generated by $G(1^n)$. Next, $A'$ invokes $A$ on input $v$, hoping that $A$ will forge a signature to a message whose $p$th bit equals $b$. If this event occurs, $A'$ obtains a preimage of $y$ under $f$, since the validity of the signature implies that $f$ applied to the $p$th string of the signature equals $v^b_p = y$. Observe that conditioned on the value of $v$ and the internal coin tosses of $A$, the value $b$ is uniformly distributed in $\{0,1\}$. Thus, $A'$ inverts $f$ with probability $\varepsilon(n)/2$, where $\varepsilon(n)$ denotes the probability that $A$ succeeds in forgery.

We turn back to the actual case in which $A$ may make a single query. (Without loss of generality, we may assume that $A$ always makes a single query; see Exercise 9.) In this case, on input $y$ (supposedly in the range of $f$), algorithm $A'$ selects $p$, $b$ and the $s^j_i$'s, and forms the $v^j_i$'s and $v$ exactly as in the warm-up above.[12] Recall that if $y = f(x)$, for a uniformly distributed $x \in \{0,1\}^n$, then for each possible choice of $p$ and $b$, the sequence $v$ is distributed identically to the public-key generated by $G(1^n)$. Also note that for each $v^j_i$ other than $v^b_p = y$, algorithm $A'$ holds a random preimage (of $v^j_i$) under $f$. Next, $A'$ invokes $A$ on input $v$, and tries to answer its query, an $\ell(n)$-bit string. We consider two cases regarding this query:

1. If the $p$th bit of the query equals $b$ then $A'$ cannot supply the desired signature, since it lacks a preimage of $v^b_p = y$ under $f$. Thus, in this case $A'$ aborts. However, this case occurs with probability $\frac{1}{2}$, independently of the actions of $A$ (since $v$ yields no information on either $p$ or $b$). (That is, conditioned on the value of $v$ and the internal coin tosses of $A$, this case occurs with probability $\frac{1}{2}$.)[13]

2. If the $p$th bit of the query equals $1 - b$ then $A'$ can supply the desired signature, since it holds all the relevant $s^j_i$'s (i.e., random preimages of the relevant $v^j_i$'s under $f$). In particular, $A'$ holds both $s^j_i$'s, for every $i \ne p$, as well as $s^{1-b}_p$. Thus, $A'$ answers with the sequence whose $i$th element is $s^0_i$ or $s^1_i$ according to whether the $i$th bit of the query is 0 or 1.

Note that conditioned on the value of $v$, the internal coin tosses of $A$ and on the second case occurring, $p$ is uniformly distributed in $\{1, \ldots, \ell(n)\}$. When the second case occurs, $A$ obtains a signature to its query, and this signature is distributed exactly as in a real attack. We stress that since $A$ asks at most one query, no additional query will be asked by $A$. Also note that, in this case (i.e., the $p$th bit of the query equals $1 - b$), algorithm $A$ outputs a forged message-signature pair with probability exactly as in a real attack. For simplicity we assume below that $A$ has indeed made a single query (otherwise one may consider the query and its bits to be some non-boolean dummy values and apply the following reasoning nevertheless).[14] Let $(s'_1, \ldots, s'_{\ell(n)})$ denote the forged signature output by $A$, together with the forged message. By our hypothesis (that this is a forgery-success event) it follows that the forged message differs from the query and that $f(s'_i)$ equals $v^0_i$ or $v^1_i$ according to the $i$th bit of the forged message, for all $i$'s. Since (conditioned on all the above) $p$ is uniformly distributed in $\{1, \ldots, \ell(n)\}$, it follows that with probability $|\{i : \text{the $i$th bits of the query and of the forged message differ}\}| / \ell(n)$ the $p$th bit of the forged message differs from the $p$th bit of the query, and then $A'$ obtains a preimage of $y$ under $f$ (since $f(s'_p)$ equals the entry of $(v^0_p, v^1_p)$ selected by the $p$th bit of the forged message, which in turn is the entry not selected by the $p$th bit of the query, namely $v^b_p = y$).

[12] That is, first $A'$ selects $p$ uniformly in $\{1, \ldots, \ell(n)\}$, $b$ uniformly in $\{0,1\}$, and $s^0_1, s^1_1, \ldots, s^0_{\ell(n)}, s^1_{\ell(n)}$ each independently and uniformly in $\{0,1\}^n$. For every $i \in \{1, \ldots, \ell(n)\} \setminus \{p\}$, and every $j \in \{0,1\}$, algorithm $A'$ computes $v^j_i = f(s^j_i)$. Algorithm $A'$ also computes $v^{1-b}_p = f(s^{1-b}_p)$, and sets $v^b_p = y$ and $v = ((v^0_1, v^1_1), \ldots, (v^0_{\ell(n)}, v^1_{\ell(n)}))$.

[13] This follows from an even stronger statement by which, conditioned on the value of $v$, the internal coin tosses of $A$ and on the value of $p$, the current case happens with probability $\frac{1}{2}$. The stronger statement holds since conditioned on all the above, $b$ is uniformly distributed in $\{0,1\}$ (and so the $p$th bit of the query equals $b$ with probability exactly $\frac{1}{2}$).

[14] Alternatively, recall that, without loss of generality, we may assume that $A$ always makes a single query; see Exercise 9.

To summarize, assuming that $A$ succeeds in a single-message attack on $(G, S, V)$ with probability $\varepsilon(n)$, algorithm $A'$ inverts $f$ on a random image (i.e., on $f(U_n)$) with probability

$$\frac{1}{2} \cdot \varepsilon(n) \cdot \frac{|\{i : \text{the $i$th bits of the query and of the forged message differ}\}|}{\ell(n)} \;\ge\; \frac{\varepsilon(n)}{2\ell(n)}$$

Thus, if $A$ is a probabilistic polynomial-time chosen one-message attack that forges signatures with non-negligible probability then $A'$ is a probabilistic polynomial-time algorithm that inverts $f$ with non-negligible probability (in violation of the hypothesis that $f$ is a one-way function). The proposition follows. □

6.4.1.3 From length-restricted schemes to general ones

We now combine a length-restricted one-time signature scheme with collision-free hashing to obtain a general one-time signature scheme. The construction is identical to Construction 6.2.6, except that here $(G, S, V)$ is an $\ell$-restricted one-time signature scheme rather than an $\ell$-restricted (general) signature scheme. Analogously to Proposition 6.2.7, we obtain:

Proposition 6.4.7: Suppose that $(G, S, V)$ is a secure $\ell$-restricted one-time signature scheme, and that $\{h_r : \{0,1\}^* \to \{0,1\}^{\ell(|r|)}\}_{r \in \{0,1\}^*}$ is a collision-free hashing collection. Then $(G', S', V')$, as defined in Construction 6.2.6, is a secure one-time signature scheme.

Proof: The proof is identical to the proof of Proposition 6.2.7; we merely notice that if the adversary $A'$, attacking $(G', S', V')$, makes at most one query then the same holds for the adversary $A$ that we construct (in that proof) to attack $(G, S, V)$.
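Construction 6.4.4 together with its hash-then-sign extension of Section 6.4.1.3, as an added example that is not part of the text. The instantiations are assumptions made here: the one-way function $f$ and the collision-free hash $h_r$ are both realised with SHA-256 (with $h_r(x) = \mathrm{SHA\text{-}256}(r \| x)$ for a public 32-byte index $r$), $n = 256$, and messages of the restricted scheme are byte strings, so $\ell$ is a multiple of 8; the OneTimeSigner guard, which discards the signing key after its single use, is the operational counterpart of the one-message restriction discussed after Proposition 6.4.5.

```python
# Added example (not from the text): Construction 6.4.4 (an l-restricted
# one-time signature scheme) and its hash-then-sign extension from
# Section 6.4.1.3 (Construction 6.2.6 with an l-restricted one-time scheme).
# Assumptions made here, not in the text: the one-way function f and the
# collision-free hash h_r are both instantiated with SHA-256 (h_r(x) =
# SHA-256(r || x), r a public 32-byte index); n = 256 bits; messages of the
# restricted scheme are byte strings, so l must be a multiple of 8.
import hashlib
import secrets

N_BYTES = 32   # n = 256: length of each secret string s_i^j


def f(x: bytes) -> bytes:
    """Stand-in for the length-preserving one-way function f."""
    return hashlib.sha256(x).digest()


def message_bits(msg: bytes, ell: int):
    """The l message bits, most significant bit of the first byte first."""
    value = int.from_bytes(msg, "big")
    return [(value >> (ell - 1 - i)) & 1 for i in range(ell)]


def keygen_restricted(ell: int):
    """G(1^n): s = ((s_1^0, s_1^1), ..., (s_l^0, s_l^1)) and v_i^j = f(s_i^j)."""
    s = [(secrets.token_bytes(N_BYTES), secrets.token_bytes(N_BYTES)) for _ in range(ell)]
    v = [(f(s0), f(s1)) for s0, s1 in s]
    return s, v


def sign_restricted(s, msg: bytes):
    """S: for each bit position i, reveal the preimage selected by the i-th message bit."""
    ell = len(s)
    if len(msg) * 8 != ell:
        raise ValueError("message must be exactly l bits long")
    return [s[i][bit] for i, bit in enumerate(message_bits(msg, ell))]


def verify_restricted(v, msg: bytes, sig) -> bool:
    """V: accept iff f(sig_i) equals the v_i entry selected by the i-th bit, for all i."""
    ell = len(v)
    if len(msg) * 8 != ell or len(sig) != ell:
        return False
    return all(f(sig[i]) == v[i][bit] for i, bit in enumerate(message_bits(msg, ell)))


def h(r: bytes, msg: bytes) -> bytes:
    """Collision-free hash h_r mapping arbitrary documents to l = 256 bits."""
    return hashlib.sha256(r + msg).digest()


def keygen_general():
    """G': choose the hash index r together with the restricted key pair; r goes in both keys."""
    r = secrets.token_bytes(32)
    s, v = keygen_restricted(256)
    return (s, r), (v, r)


def sign_general(sk, msg: bytes):
    """S': sign h_r(msg) under the l-restricted scheme (one restricted signature per document)."""
    s, r = sk
    return sign_restricted(s, h(r, msg))


def verify_general(vk, msg: bytes, sig) -> bool:
    """V': verify sig as a restricted signature on h_r(msg)."""
    v, r = vk
    return verify_restricted(v, h(r, msg), sig)


class OneTimeSigner:
    """Operational guard: the scheme is only secure against one-message attacks,
    so the signing key is discarded after its single use and a second call fails."""

    def __init__(self):
        self.sk, self.vk = keygen_general()

    def sign(self, msg: bytes):
        if self.sk is None:
            raise RuntimeError("one-time signing key already used")
        sig = sign_general(self.sk, msg)
        self.sk = None
        return sig
```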
In general, the adversary $A$ constructed in the proof of Proposition 6.2.7 makes a single query per each query of the adversary $A'$.

Combining Proposition 6.4.7, Corollary 6.4.6, and the fact that collision-free hashing collections imply one-way functions (see Exercise 12), we obtain:

Corollary 6.4.8: If there exist collision-free hashing collections then there exist secure one-time signature schemes.

Comments: We stress that when using Construction 6.2.6, signing each document under the (general) scheme $(G', S', V')$ only requires signing a single string under the $\ell$-restricted scheme $(G, S, V)$. This is in contrast to Construction 6.2.3, in which signing a document under the (general) scheme $(G', S', V')$ requires signing many strings under the $\ell$-restricted scheme $(G, S, V)$, where the number of such strings depends (linearly) on the length of the original document.

Construction 6.2.6 calls for the use of collision-free hashing. The latter can be constructed using any claw-free permutation collection (see Proposition 6.2.9); however, it is not known whether collision-free hashing can be constructed based on any one-way function. Wishing to construct signature schemes based on any one-way function, we later avoid (in Section 6.4.3) the use of collision-free hashing. Instead, we use "universal one-way hashing functions" (to be defined), and present a variant of Construction 6.2.6 that uses these functions rather than collision-free ones.

6.4.2 From one-time signature schemes to general ones

In this section we show how to construct general signature schemes using one-time signature schemes. That is, we shall prove:

Theorem 6.4.9: If there exist secure one-time signature schemes then secure (general) signature schemes exist as well.

Actually, we can use length-restricted one-time signature schemes, provided that the length of the strings being signed is at least twice the length of the verification-key. Unfortunately, Construction 6.4.4 does not satisfy this condition. Nevertheless, Corollary 6.4.8 does provide one-time signature schemes. Thus, combining Theorem 6.4.9 and Corollary 6.4.8, we obtain:

Corollary 6.4.10: If there exist collision-free hashing collections then there exist secure signature schemes.

Note that Corollary 6.4.10 asserts the existence of secure (public-key) signature schemes, based on an assumption that does not mention trapdoors. We stress this point because of the contrast to the situation with respect to public-key encryption schemes, where a trapdoor property seems necessary for the construction of secure schemes.

The so-called "refreshing paradigm" plays a central role in the proof of Theorem 6.4.9. Loosely speaking, the "refreshing paradigm" suggests reducing the dangers of a chosen message attack on the signature scheme by using "fresh" instances of the scheme for signing each new document. Of course, these fresh instances should be authenticated by the original instance (corresponding to the verification-key that is publicly known), but such an authentication refers to a string selected by the legitimate signer rather than by the adversary.

6.4.2.1 The refreshing paradigm

Example: To demonstrate the refreshing paradigm, consider a basic signature scheme $(G, S, V)$ used as follows. Suppose that the user $U$ has generated a key-pair, $(s, v) \leftarrow G(1^n)$, and has placed the verification-key $v$ on a public file. When a party asks $U$ to sign some document, the user $U$ generates a new (fresh) key-pair, $(s', v') \leftarrow G(1^n)$, signs $v'$ using the original signing-key $s$, signs the document using the new (fresh) signing-key $s'$, and presents the triple consisting of $S_s(v')$, $v'$ and $S_{s'}$ applied to the document as a signature to the document. An alleged signature, a triple whose middle component is some $v'$, is verified by checking that $V_v$ accepts its first component as a signature to $v'$ and that $V_{v'}$ accepts its last component as a signature to the document. Intuitively, the gain in terms of security is that a full-fledged chosen message attack cannot be launched on $(G, S, V)$. All that an attacker may obtain (via a chosen message attack on the new scheme) is signatures, relative to the original signing-key $s$, to randomly chosen strings (taken from the distribution $G_2(1^n)$), as well as additional signatures each relative to a random and independently chosen signing-key.

We refrain from analyzing the features of the signature scheme presented in the above example. Instead, as a warm-up to the actual construction used in the next section (in order to establish Theorem 6.4.9), we present and analyze a similar construction (which is, in some sense, a hybrid of the two constructions). The reader may skip this warm-up, and proceed directly to Section 6.4.2.2.

Construction 6.4.11 (a warm-up): Let $(G, S, V)$ be a signature scheme and $(G', S', V')$ be a one-time signature scheme. Consider a signature scheme, $(G'', S'', V'')$, with $G'' = G$, as follows:

signing with $S''$: On input a signing-key $s$ and a document in $\{0,1\}^*$, first invoke $G'$ to obtain $(s', v') \leftarrow G'(1^n)$. Next, invoke $S$ to obtain a signature to $v'$ relative to $s$, and $S'$ to obtain a signature to the document relative to $s'$. The final output is the triple consisting of the first signature, $v'$ and the second signature.

verification with $V''$: On input a verifying-key $v$, a document in $\{0,1\}^*$, and an alleged signature in the form of a triple whose middle component is some $v'$, we output 1 if and only if both $V_v$ accepts the first component as a signature to $v'$ and $V'_{v'}$ accepts the last component as a signature to the document.

Construction 6.4.11 differs from the above example only in that a one-time signature scheme is used to generate the "second signature" (rather than using the same ordinary signature scheme). The use of a one-time signature scheme is natural here, since it is unlikely that the same signing-key $s'$ will be selected in two invocations of $S''$.

Proposition 6.4.12: Suppose that $(G, S, V)$ is a secure signature scheme, and that $(G', S', V')$ is a secure one-time signature scheme. Then $(G'', S'', V'')$, as defined in Construction 6.4.11, is a secure signature scheme.
We comment that the proposition holds even if $(G,S,V)$ is only secure against attackers that select queries according to the distribution $G'_2(1^n)$. Furthermore, $(G,S,V)$ need only be $\ell$-restricted, for some suitable function $\ell : \mathbb{N} \to \mathbb{N}$.

Proof Sketch: Consider an adversary $A''$ attacking the scheme $(G'',S'',V'')$. We may ignore the case in which two queries of $A''$ are answered by triplets containing the same one-time verification-key $v'$ (since if this event occurs with non-negligible probability then the one-time scheme $(G',S',V')$ cannot be secure). We consider two cases regarding the relation between the one-time verification-keys included in the signatures provided by $S''_s$ and the one-time verification-key included in the signature forged by $A''$.

1. In case, for some $i$, the one-time verification-key $v'$ contained in the forged signature equals the one-time verification-key $v^{(i)}$ contained in the answer to the $i$th query, we derive a violation of the security of the one-time scheme $(G',S',V')$. Specifically, consider an adversary $A'$ that on input a verification-key $v'$ for the one-time scheme $(G',S',V')$, generates $(s,v) \leftarrow G(1^n)$ at random, selects $i$ at random (among polynomially many possibilities), invokes $A''$ on input $v$, and answers its queries as follows. The $i$th query of $A''$, denoted $\alpha^{(i)}$, is answered by making the only query to $S'_{s'}$, obtaining $\beta' = S'_{s'}(\alpha^{(i)})$, and returning $(S_s(v'), v', \beta')$ to $A''$. (Note that $A'$ holds $s$.) Each other query of $A''$, denoted $\alpha^{(j)}$, is answered by invoking $G'$ to obtain $(s^{(j)}, v^{(j)}) \leftarrow G'(1^n)$, and returning $(S_s(v^{(j)}),\, v^{(j)},\, S'_{s^{(j)}}(\alpha^{(j)}))$ to $A''$. If $A''$ answers with a forged signature and $v'$ is the verification-key contained in it, then $A'$ obtains a forged signature relative to the one-time scheme $(G',S',V')$ (i.e., a signature to a message different from $\alpha^{(i)}$, which is valid w.r.t. the verification-key $v'$).
Furthermore, conditioned on the case hypothesis and a forgery event, the second event (i.e., $v'$ is the verification-key contained in the forged signature) occurs with probability $1/\mathrm{poly}(n)$. Note that indeed $A'$ makes at most one query to $S'_{s'}$, and that the distribution seen by $A''$ is exactly as in an actual attack on $(G'',S'',V'')$.

2. In case, for all $i$, the one-time verification-key $v'$ contained in the forged signature is different from the one-time verification-key $v^{(i)}$ contained in the answer to the $i$th query, we derive a violation of the security of the scheme $(G,S,V)$. Specifically, consider an adversary $A$ that on input a verification-key $v$ for the scheme $(G,S,V)$, invokes $A''$ on input $v$, and answers its queries as follows. To answer the $j$th query of $A''$, denoted $\alpha^{(j)}$, algorithm $A$ invokes $G'$ to obtain $(s^{(j)}, v^{(j)}) \leftarrow G'(1^n)$, queries $S_s$ for a signature to $v^{(j)}$, and returns $(S_s(v^{(j)}),\, v^{(j)},\, S'_{s^{(j)}}(\alpha^{(j)}))$ to $A''$. When $A''$ answers with a forged signature and $v' \notin \{v^{(j)} : j = 1,\ldots,\mathrm{poly}(n)\}$ is the one-time verification-key contained in it, $A$ obtains a forged signature relative to the scheme $(G,S,V)$ (i.e., a signature to a string $v'$ different from all $v^{(j)}$'s, which is valid w.r.t. the verification-key $v$). (Note again that the distribution seen by $A''$ is exactly as in an actual attack on $(G'',S'',V'')$.)$^{15}$

Thus in both cases we derive a contradiction to some hypothesis, and the proposition follows. □

6.4.2.2 Authentication-trees

The refreshing paradigm by itself (i.e., as employed in Construction 6.4.11) does not seem to be enough for establishing Theorem 6.4.9. Recall that our aim is to construct a general signature scheme based on a one-time signature scheme. The refreshing paradigm suggests using a fresh instance of a one-time signature scheme in order to sign the actual document; however, whenever we do so (as in Construction 6.4.11), we must authenticate this fresh instance relative to the single verification-key that is public.
A straightforward implementation of this scheme (as presented in Construction 6.4.11) calls for many signatures to be signed relative to the single verification-key that is public, and so a one-time signature scheme cannot be used (for this purpose). Instead, a more sophisticated method of authentication is required.

Footnote 15: Furthermore, all queries to $S_s$ are distributed according to $G'_2(1^n)$, justifying the comment made just before the proof sketch.

Let us try to sketch the basic idea underlying the new authentication method. The idea is to use the public verification-key (of a one-time signature scheme) in order to authenticate several (e.g., two) fresh instances (of the one-time signature scheme), use each of these instances to authenticate several fresh instances, and so on. We obtain a tree of fresh instances of the one-time signature scheme, where each internal node authenticates its children. See Figure 6.2 (below). We can now use the leaves of this tree in order to sign actual documents, where each leaf is used at most once. We stress that each instance of the one-time signature scheme is used to sign at most one string (i.e., a sequence of verification-keys if the instance resides in an internal node, and an actual document if the instance resides in a leaf).

Figure 6.2: A node labeled $x$ (holding $s_x$, $v_x$ and $\mathrm{auth}_x$) authenticates its children, labeled $x0$ and $x1$ (holding $s_{x0}, v_{x0}, \mathrm{auth}_{x0}$ and $s_{x1}, v_{x1}, \mathrm{auth}_{x1}$, respectively). The authentication is via a one-time signature of the text $v_{x0}v_{x1}$ using signing-key $s_x$.

The above description may leave the reader wondering as to how one actually signs (and verifies signatures) using the suggested signature scheme. We start with a description that does not fit our definition of a signature scheme, because it requires the signer to keep a record of its actions during all previous invocations of the signing process.$^{16}$ We refer to such a scheme as memory dependent.
Definition 6.4.13 (memory-dependent signature schemes):

Footnote 16: This (memory) requirement will be removed in the next section.

mechanics: Item 1 of Definition 6.1.1 stays as it is, and the initial state (of the signing algorithm) is defined to equal the output of the key-generator. Item 2 is modified so that the signing algorithm is given a state, denoted $\gamma$, as auxiliary input and returns a modified state, denoted $\delta$, as auxiliary output. It is required that for every pair $(s,v)$ in the range of $G(1^n)$, and for every $\alpha, \gamma \in \{0,1\}^*$, if $S_s(\alpha,\gamma) = (\beta,\delta)$ then $V_v(\alpha,\beta) = 1$ and $|\delta| \le |\gamma| + |\alpha| + \mathrm{poly}(n)$. (That is, the verification algorithm accepts the signature and the state does not grow by too much.)

security: The notion of a chosen message attack is modified so that the oracle $S_s$ now maintains a state that it updates in the natural manner; that is, when in state $\gamma$ and faced with query $\alpha$, the oracle sets $(\beta,\delta) \leftarrow S_s(\alpha,\gamma)$, returns $\beta$ and updates its state to $\delta$. The notions of success and security are defined as in Definition 6.1.2, except that they now refer to the modified notion of an attack.

The definition of memory-dependent signature schemes (i.e., Definition 6.4.13) is related to the definition of state-based MACs (i.e., Definition 6.3.9). However, there are two differences between the two definitions: First, Definition 6.4.13 refers to (public-key) signature schemes, whereas Definition 6.3.9 refers to MACs. Second, in Definition 6.4.13 only the signing algorithm is state-based (or memory-dependent), whereas in Definition 6.3.9 also the verification algorithm is state-based. The latter difference reflects the difference in the applications envisioned for the two types of schemes. (Typically, MACs are intended for communication between a predetermined set of "mutually synchronized" parties, whereas signature schemes are intended for the production of signatures that may be universally verified at any time.)
We note that memory-dependent signature schemes may suffice in many applications of signature schemes. Still, it is preferable to have memoryless (i.e., ordinary) signature schemes. Below we use any one-time signature scheme to construct a memory-dependent signature scheme. The memory requirement will be removed in the next section, so as to obtain a (memoryless) signature scheme (as in Definition 6.1.1).

Construction 6.4.14 (a memory-dependent signature scheme): Let $(G,S,V)$ be a one-time signature scheme. Consider the following memory-dependent signature scheme, $(G',S',V')$, with $G' = G$. On security parameter $n$, the scheme uses a full binary tree of depth $n$. Each of the nodes in this tree is labeled by a binary string so that the root is labeled by the empty string, denoted $\lambda$, and the left (resp., right) child of a node labeled by $x$ is labeled by $x0$ (resp., $x1$). Below we refer to the current state of the signing process as a record.

initiating the scheme: To initiate the scheme, on security parameter $n$, we invoke $G(1^n)$ and let $(s,v) \leftarrow G(1^n)$. We record $(s,v)$ as the key-pair associated with the root, and output $v$ as the (public) verification-key. In the rest of the description, we denote by $(s_x, v_x)$ the key-pair associated with the node labeled $x$; thus, $(s_\lambda, v_\lambda) = (s,v)$.

signing with $S'$ using the current record: Recall that the current record contains the signing-key $s = s_\lambda$, which is used to produce $\mathrm{auth}_\lambda$ (defined below). To sign a new document, denoted $\alpha$, we first allocate an unused leaf. Let $\sigma_1 \cdots \sigma_n$ be the label of this leaf. For example, we may keep a counter of the number of documents signed, and determine $\sigma_1 \cdots \sigma_n$ according to the counter value (e.g., if the counter value is $c$ then we use the $c$th string in lexicographic order). Next, for every $i = 1,\ldots,n$ and every $\tau \in \{0,1\}$, we try to retrieve from our record the key-pair associated with the node labeled $\sigma_1 \cdots \sigma_{i-1}\tau$.
In case such a pair is not found, we generate it by invoking $G(1^n)$ and store it (i.e., add it to our record) for future use; that is, we let $(s_{\sigma_1\cdots\sigma_{i-1}\tau}, v_{\sigma_1\cdots\sigma_{i-1}\tau}) \leftarrow G(1^n)$. For every $i = 1,\ldots,n$, we try to retrieve from our record a signature to the string $v_{\sigma_1\cdots\sigma_{i-1}0}\,v_{\sigma_1\cdots\sigma_{i-1}1}$ relative to the signing-key $s_{\sigma_1\cdots\sigma_{i-1}}$. In case such a signature is not found, we generate it by invoking $S_{s_{\sigma_1\cdots\sigma_{i-1}}}$, and store it for future use; that is, we obtain $S_{s_{\sigma_1\cdots\sigma_{i-1}}}(v_{\sigma_1\cdots\sigma_{i-1}0}\,v_{\sigma_1\cdots\sigma_{i-1}1})$. (The ability to retrieve this signature from memory for repeated use is the most important place in which we rely on the memory-dependence of our signature scheme.)$^{17}$ We let

$$\mathrm{auth}_{\sigma_1\cdots\sigma_{i-1}} \stackrel{\mathrm{def}}{=} \big(v_{\sigma_1\cdots\sigma_{i-1}0},\ v_{\sigma_1\cdots\sigma_{i-1}1},\ S_{s_{\sigma_1\cdots\sigma_{i-1}}}(v_{\sigma_1\cdots\sigma_{i-1}0}\,v_{\sigma_1\cdots\sigma_{i-1}1})\big)$$

(Intuitively, via $\mathrm{auth}_{\sigma_1\cdots\sigma_{i-1}}$ the node labeled $\sigma_1\cdots\sigma_{i-1}$ authenticates the verification-keys associated with its children.) Finally, we sign $\alpha$ by invoking $S_{s_{\sigma_1\cdots\sigma_n}}$, and output

$$(\sigma_1\cdots\sigma_n,\ \mathrm{auth}_\lambda,\ \mathrm{auth}_{\sigma_1},\ \ldots,\ \mathrm{auth}_{\sigma_1\cdots\sigma_{n-1}},\ S_{s_{\sigma_1\cdots\sigma_n}}(\alpha))$$

Footnote 17: This allows the signing process $S'$ to use each (one-time) signing-key $s_x$ for producing a single $S_{s_x}$-signature. In contrast, the use of a counter for determining a new leaf can be easily avoided, by selecting a leaf at random.

verification with $V'$: On input a verification-key $v$, a document $\alpha$, and an alleged signature $\beta$, we accept if and only if the following conditions hold:

1. $\beta$ has the form

$$(\sigma_1\cdots\sigma_n,\ (v_{0,0}, v_{0,1}, \beta_0),\ (v_{1,0}, v_{1,1}, \beta_1),\ \ldots,\ (v_{n-1,0}, v_{n-1,1}, \beta_{n-1}),\ \beta_n)$$

where the $\sigma_i$'s are bits and all other symbols represent strings. (Jumping ahead, we mention that $v_{i,\tau}$ is supposed to equal $v_{\sigma_1\cdots\sigma_i\tau}$, the verification-key associated by the signing process with the node labeled $\sigma_1\cdots\sigma_i\tau$. In particular, $v_{i,\sigma_{i+1}}$ is supposed to equal $v_{\sigma_1\cdots\sigma_{i+1}}$.)

2. $V_v(v_{0,0}v_{0,1}, \beta_0) = 1$. (That is, the public-key (i.e., $v$) authenticates the two strings $v_{0,0}$ and $v_{0,1}$ claimed to correspond to the instances of the one-time signature scheme associated with the nodes labeled 0 and 1, respectively.)

3. For $i = 1,\ldots,n-1$, it holds that $V_{v_{i-1,\sigma_i}}(v_{i,0}v_{i,1}, \beta_i) = 1$. (That is, the verification-key $v_{i-1,\sigma_i}$, which is already believed to be authentic and supposedly corresponds to the instance of the one-time signature scheme associated with the node labeled $\sigma_1\cdots\sigma_i$, authenticates the two strings $v_{i,0}$ and $v_{i,1}$ that are supposed to correspond to the instances of the one-time signature scheme associated with the nodes labeled $\sigma_1\cdots\sigma_i0$ and $\sigma_1\cdots\sigma_i1$, respectively.)

4. $V_{v_{n-1,\sigma_n}}(\alpha, \beta_n) = 1$. (That is, the verification-key $v_{n-1,\sigma_n}$, which is already believed to be authentic, authenticates the actual document $\alpha$.)

Regarding the verification algorithm, note that Conditions 2 and 3 establish that $v_{i,\sigma_{i+1}}$ is authentic (i.e., equals $v_{\sigma_1\cdots\sigma_i\sigma_{i+1}}$). That is, $v = v_\lambda$ authenticates $v_{\sigma_1}$, which authenticates $v_{\sigma_1\sigma_2}$, and so on up to $v_{\sigma_1\cdots\sigma_n}$. The fact that the $v_{i,1-\sigma_{i+1}}$'s are proven to be authentic (i.e., equal the $v_{\sigma_1\cdots\sigma_i(1-\sigma_{i+1})}$'s) is not really useful (when signing a message using the leaf associated with $\sigma_1\cdots\sigma_n$). This excess is merely an artifact of the need to use $s_{\sigma_1\cdots\sigma_i}$ only once during the entire operation of the memory-dependent signature scheme: In the currently (constructed) $S'_s$-signature we may not care about the authenticity of some $v_{\sigma_1\cdots\sigma_i(1-\sigma_{i+1})}$, but we may care about it in some other $S'_s$-signature. For example, if we use the leaf labeled $0^n$ to sign the first document and the leaf labeled $0^{n-1}1$ to sign the second, then in the first $S'_s$-signature we only care about the authenticity of $v_{0^n}$, whereas in the second $S'_s$-signature we care about the authenticity of $v_{0^{n-1}1}$.

Proposition 6.4.15: If $(G,S,V)$ is a secure one-time signature scheme then Construction 6.4.14 constitutes a secure memory-dependent signature scheme.

Proof: Recall that an $S'_s$-signature to a document $\alpha$ has the form

$$(\sigma_1\cdots\sigma_n,\ \mathrm{auth}_\lambda,\ \mathrm{auth}_{\sigma_1},\ \ldots,\ \mathrm{auth}_{\sigma_1\cdots\sigma_{n-1}},\ S_{s_{\sigma_1\cdots\sigma_n}}(\alpha)) \qquad (6.5)$$

where the $\mathrm{auth}_x$'s, $v_x$'s and $s_x$'s satisfy

$$\mathrm{auth}_x = \big(v_{x0},\ v_{x1},\ S_{s_x}(v_{x0}v_{x1})\big) \qquad (6.6)$$

(See Figure 6.2.)
In this case we say that this $S'_s$-signature uses the leaf labeled $\sigma_1\cdots\sigma_n$. For every $i = 1,\ldots,n$, we call the sequence $(\mathrm{auth}_\lambda, \mathrm{auth}_{\sigma_1}, \ldots, \mathrm{auth}_{\sigma_1\cdots\sigma_{i-1}})$ an authentication path for $v_{\sigma_1\cdots\sigma_i}$. (Note that the above sequence is also an authentication path for $v_{\sigma_1\cdots\sigma_{i-1}\bar{\sigma}_i}$, where $\bar{\sigma} = 1 - \sigma$.) Thus, a valid $S'_s$-signature to a document $\alpha$ consists of an $n$-bit string $\sigma_1\cdots\sigma_n$, authentication paths for each $v_{\sigma_1\cdots\sigma_i}$ ($i = 1,\ldots,n$), and a signature to $\alpha$ with respect to the one-time scheme $(G,S,V)$ using the signing-key $s_{\sigma_1\cdots\sigma_n}$.

Intuitively, forging an $S'_s$-signature requires either using an authentication path supplied by the signer (i.e., supplied by $S'_s$ as part of an answer to a query) or producing an authentication path different from all paths supplied by the signer. In both cases, we reach a contradiction to the security of the one-time signature scheme $(G,S,V)$. Specifically, in the first case, the forged $S'_s$-signature contains a signature relative to $(G,S,V)$ using the signing-key $s_{\sigma_1\cdots\sigma_n}$. The latter $S_{s_{\sigma_1\cdots\sigma_n}}$-signature is verifiable using the verification-key $v_{\sigma_1\cdots\sigma_n}$, which is authentic by the case hypothesis. This yields forgery with respect to the instance of the one-time signature scheme associated with the leaf labeled $\sigma_1\cdots\sigma_n$ (since the document $S'_s$-signed by the forger must be different from all $S'_s$-signed documents, and thus the forged document is different from all strings to which a one-time signature was applied).$^{18}$ We now turn to the second case (i.e., forgery with respect to $(G',S',V')$ is obtained by producing an authentication path different from all paths supplied by the signer). In this case there must exist an $i \in \{1,\ldots,n\}$ and an $i$-bit long string $\sigma_1\cdots\sigma_i$ so that $\mathrm{auth}_\lambda, \ldots, \mathrm{auth}_{\sigma_1\cdots\sigma_{i-1}}$ is the shortest prefix of the authentication path produced by the forger that is not a prefix of any authentication path supplied by the signer. (Note that $i > 0$ must hold, since empty sequences are equal, whereas $i \le n$ by the case hypothesis.)
In this case $\mathrm{auth}_{\sigma_1\cdots\sigma_{i-1}}$ (produced by the forger) contains a signature relative to $(G,S,V)$ using the signing-key $s_{\sigma_1\cdots\sigma_{i-1}}$. The latter signature is verifiable using the verification-key $v_{\sigma_1\cdots\sigma_{i-1}}$, which is authentic by the minimality of $i$. Furthermore, by definition of $i$, the latter signature is to a string different from the string to which the $S'_s$-signer has applied $S_{s_{\sigma_1\cdots\sigma_{i-1}}}$. This yields forgery with respect to the instance of the one-time signature scheme associated with the node labeled $\sigma_1\cdots\sigma_{i-1}$.

Footnote 18: Note that what matters is merely that the document $S'_s$-signed by the forger is different from the (single) document to which $S_{s_{\sigma_1\cdots\sigma_n}}$ was applied by the $S'_s$-signer, in case $S_{s_{\sigma_1\cdots\sigma_n}}$ was ever applied by the $S'_s$-signer.

The actual proof is by a reducibility argument. Given an adversary $A'$ attacking the complex scheme $(G',S',V')$, we construct an adversary $A$ that attacks the one-time signature scheme $(G,S,V)$. In particular, the adversary $A$ will use its oracle access to $S_s$ in order to emulate the memory-dependent signing oracle for $A'$. Recall that the adversary $A$ can make at most one query to its $S_s$-oracle. Below is a detailed description of the adversary $A$. Since we care only about probabilistic polynomial-time adversaries, we may assume that $A'$ makes at most $t = \mathrm{poly}(n)$ many queries, where $n$ is the security parameter.

The construction of adversary $A$: Suppose that $(s,v)$ is in the range of $G(1^n)$. On input $v$ and one-query oracle access to $S_s$, adversary $A$ proceeds as follows:

1. Initial choice: $A$ uniformly selects $j \in \{1,\ldots,(2n+1)\cdot t\}$. (The integer $j$ specifies an instance of $(G,S,V)$ generated during the attack of $A'$. This instance will be attacked by $A$. Note that since $2n+1$ instances of $(G,S,V)$ are referred to in each signature relative to $(G',S',V')$, the quantity $(2n+1)\cdot t$ upper bounds the total number of instances of $(G,S,V)$ that appear during the entire attack of $A'$.
This upper bound is not tight.)

2. Invoking $A'$: If $j = 1$ then $A$ sets $v_\lambda = v$ and invokes $A'$ on input $v_\lambda$. In this case $A$ does not know $s_\lambda$, which is defined to equal $s$, but can obtain a single signature relative to it by making a (single) query to the oracle $S_s$. Otherwise (i.e., $j > 1$), machine $A$ invokes $G$, obtains $(s', v') \leftarrow G(1^n)$, sets $(s_\lambda, v_\lambda) = (s', v')$ and invokes $A'$ on input $v'$. We stress that in this case $A$ knows $s_\lambda$. In fact, in both cases, $A'$ is invoked on input $v_\lambda$. Also, in both cases, the one-time instance associated with the root (i.e., the node labeled $\lambda$) is called the first instance.

3. Emulating the memory-dependent signing oracle for $A'$: The emulation is analogous to the operation of the signing procedure as specified in Construction 6.4.14. The only exception refers to the $j$th instance of $(G,S,V)$ that occurs in the memory-dependent signing process. Here, $A$ uses the verification-key $v$, and if an $S_s$-signature needs to be produced then $A$ queries $S_s$ for it. We stress that at most one signature ever needs to be produced with respect to each instance of $(G,S,V)$ that occurs in the memory-dependent signing process, and therefore $S_s$ is queried at most once. Details follow.

$A$ maintains a record of all key-pairs and one-time signatures it has generated and/or obtained from $S_s$. When $A$ is asked to supply a signature to a new document, denoted $\alpha$, it proceeds as follows:

(a) $A$ allocates a new leaf-label, denoted $\sigma_1\cdots\sigma_n$, exactly as done by the signing process.

(b) For every $i = 1,\ldots,n$ and every $\tau \in \{0,1\}$, machine $A$ tries to retrieve from its record the one-time instance associated with the node labeled $\sigma_1\cdots\sigma_{i-1}\tau$. If such an instance does not exist in the record (i.e., the one-time instance associated with the node labeled $\sigma_1\cdots\sigma_{i-1}\tau$ did not appear so far) then $A$ distinguishes two cases:

i. If the record so far contains exactly $j-1$ one-time instances (i.e., the current instance is the $j$th one to be encountered) then $A$ sets $v_{\sigma_1\cdots\sigma_{i-1}\tau} \leftarrow v$, and adds it to its record.
In this case, $A$ does not know $s_{\sigma_1\cdots\sigma_{i-1}\tau}$, which is defined to equal $s$, but can obtain a single signature relative to it by making a (single) query to the oracle $S_s$. From this point on, the one-time instance associated with the node labeled $\sigma_1\cdots\sigma_{i-1}\tau$ will be called the $j$th instance.

ii. Otherwise (i.e., the current instance is not the $j$th one to be encountered), $A$ acts as the signing process: It invokes $G(1^n)$, obtains $(s_{\sigma_1\cdots\sigma_{i-1}\tau}, v_{\sigma_1\cdots\sigma_{i-1}\tau}) \leftarrow G(1^n)$, and adds it to the record. (Note that in this case $A$ knows $s_{\sigma_1\cdots\sigma_{i-1}\tau}$, and can generate by itself signatures relative to it.) The one-time instance just generated is given the next serial number. That is, the one-time instance associated with the node labeled $\sigma_1\cdots\sigma_{i-1}\tau$ will be called the $k$th instance if the current record (i.e., after the generation of the one-time key-pair associated with the node labeled $\sigma_1\cdots\sigma_{i-1}\tau$) contains exactly $k$ instances.

(c) For every $i = 1,\ldots,n$, machine $A$ tries to retrieve from its record a (one-time) signature to the string $v_{\sigma_1\cdots\sigma_{i-1}0}\,v_{\sigma_1\cdots\sigma_{i-1}1}$, relative to the signing-key $s_{\sigma_1\cdots\sigma_{i-1}}$. If such a signature does not exist in the record then $A$ distinguishes two cases:

i. If the one-time signature instance associated with the node labeled $\sigma_1\cdots\sigma_{i-1}$ is the $j$th such instance then $A$ obtains the one-time signature $S_{s_{\sigma_1\cdots\sigma_{i-1}}}(v_{\sigma_1\cdots\sigma_{i-1}0}\,v_{\sigma_1\cdots\sigma_{i-1}1})$ by querying $S_s$, and adds this signature to the record. Note that by the previous steps (i.e., Step 3(b)i as well as Step 2), $s$ is identified with $s_{\sigma_1\cdots\sigma_{i-1}}$, and that the instance associated with a node labeled $\sigma_1\cdots\sigma_{i-1}$ is only used to produce a single signature; that is, to the string $v_{\sigma_1\cdots\sigma_{i-1}0}\,v_{\sigma_1\cdots\sigma_{i-1}1}$. Thus, in this case, $A$ queries $S_s$ at most once. We stress that the above makes crucial use of the fact that, for every $\tau$, the verification-key associated with the node labeled $\sigma_1\cdots\sigma_{i-1}\tau$ is identical in all executions of the current step, regardless of whether it is generated in Step 3(b)ii or fixed to equal $v$ (in Step 3(b)i).
This fact guarantees that $A$ only needs a single signature relative to the instance associated with a node labeled $\sigma_1\cdots\sigma_{i-1}$, and thus queries $S_s$ at most once (and retrieves this signature from memory if it ever needs it again).

ii. Otherwise (i.e., the one-time signature instance associated with the node labeled $\sigma_1\cdots\sigma_{i-1}$ is not the $j$th such instance), $A$ acts as the signing process: It invokes $S_{s_{\sigma_1\cdots\sigma_{i-1}}}$, obtains the one-time signature $S_{s_{\sigma_1\cdots\sigma_{i-1}}}(v_{\sigma_1\cdots\sigma_{i-1}0}\,v_{\sigma_1\cdots\sigma_{i-1}1})$, and adds it to the record. (Note that in this case $A$ knows $s_{\sigma_1\cdots\sigma_{i-1}}$, and can generate by itself signatures relative to it.)

Thus, $A$ obtains $\mathrm{auth}_{\sigma_1\cdots\sigma_{i-1}}$.

(d) Machine $A$ now obtains a one-time signature of $\alpha$ relative to $S_{s_{\sigma_1\cdots\sigma_n}}$. (Recall that since $A'$ never makes the same query twice,$^{19}$ we need to generate at most one signature relative to the one-time instance $S_{s_{\sigma_1\cdots\sigma_n}}$.) This is done analogously to the previous step (i.e., Step 3c). Specifically:

i. If the one-time signature instance associated with the leaf labeled $\sigma_1\cdots\sigma_n$ is the $j$th instance (associated with any node) then $A$ obtains the one-time signature $S_{s_{\sigma_1\cdots\sigma_n}}(\alpha)$ by querying $S_s$. Note that, in this case, $s$ is identified with $s_{\sigma_1\cdots\sigma_n}$, and that an instance associated with a leaf is only used to produce a single signature. Thus, also in this case (which is disjoint from Case 3(c)i), $A$ queries $S_s$ at most once.

ii. Otherwise (i.e., the one-time signature instance associated with the node labeled $\sigma_1\cdots\sigma_n$ is not the $j$th instance), $A$ acts as the signing process: It invokes $S_{s_{\sigma_1\cdots\sigma_n}}$, obtains the one-time signature $S_{s_{\sigma_1\cdots\sigma_n}}(\alpha)$, and adds it to the record. (Again, in this case $A$ knows $s_{\sigma_1\cdots\sigma_n}$, and can generate by itself signatures relative to it.)

Thus, $A$ obtains $\beta_n = S_{s_{\sigma_1\cdots\sigma_n}}(\alpha)$.

Footnote 19: This assertion can be justified without loss of generality. Otherwise, we may modify $A'$ so that it retrieves from its own memory the answer to a query that it wishes to ask for the second time.
(e) Finally, $A$ answers the query with $(\sigma_1\cdots\sigma_n,\ \mathrm{auth}_\lambda,\ \mathrm{auth}_{\sigma_1},\ \ldots,\ \mathrm{auth}_{\sigma_1\cdots\sigma_{n-1}},\ \beta_n)$.

4. Using the output of $A'$: When $A'$ halts with output $(\alpha', \beta')$, machine $A$ checks whether this is a valid document-signature pair with respect to $V'_{v_\lambda}$ and whether the document $\alpha'$ did not appear as a query of $A'$. If both conditions hold then $A$ tries to obtain forgery with respect to $S_s$. To explain how this is done, we need to take a closer look at the valid document-signature pair, $(\alpha', \beta')$, output by $A'$. Specifically, suppose that $\beta'$ has the form

$$(\sigma'_1\cdots\sigma'_n,\ (v'_{0,0}, v'_{0,1}, \beta'_0),\ (v'_{1,0}, v'_{1,1}, \beta'_1),\ \ldots,\ (v'_{n-1,0}, v'_{n-1,1}, \beta'_{n-1}),\ \beta'_n)$$

and that the various components satisfy all conditions stated in the verification procedure. (In particular, the sequence $(v'_{0,0}, v'_{0,1}, \beta'_0), \ldots, (v'_{n-1,0}, v'_{n-1,1}, \beta'_{n-1})$ is the authentication path (for $v'_{n-1,\sigma'_n}$) output by $A'$.) Let $i$ be maximal so that for some $\sigma_1, \ldots, \sigma_{i-1}$ (which may but need not equal $\sigma'_1, \ldots, \sigma'_{i-1}$) the sequence $(v'_{0,0}, v'_{0,1}, \beta'_0), \ldots, (v'_{i-1,0}, v'_{i-1,1}, \beta'_{i-1})$ is a prefix of some authentication path (for some $v_{\sigma_1\cdots\sigma_{i-1}\sigma_i\cdots\sigma_n}$) supplied to $A'$ by $A$. Note that $i \in \{0,\ldots,n\}$, where $i = 0$ means that $(v'_{0,0}, v'_{0,1})$ differs from $(v_0, v_1)$, and $i = n$ means that the sequence $((v'_{0,0}, v'_{0,1}), \ldots, (v'_{n-1,0}, v'_{n-1,1}))$ equals the sequence $((v_0, v_1), \ldots, (v_{\sigma_1\cdots\sigma_{n-1}0}, v_{\sigma_1\cdots\sigma_{n-1}1}))$.

Recall that the $v'_{k,\tau}$'s are strings included in the output of $A'$, and that the $v_x$'s are verification-keys as recorded by $A$. In general, the sequence $((v'_{0,0}, v'_{0,1}), \ldots, (v'_{i-1,0}, v'_{i-1,1}))$ equals the sequence $((v_0, v_1), \ldots, (v_{\sigma_1\cdots\sigma_{i-1}0}, v_{\sigma_1\cdots\sigma_{i-1}1}))$. In particular, for $i \ge 1$, it holds that $v'_{i-1,\sigma'_i} = v_{\sigma_1\cdots\sigma_{i-1}\sigma'_i}$, whereas for $i = 0$ we shall only refer to $v_\lambda$ (which is the verification-key attacked by $A'$); below, for $i = 0$, the label $\sigma_1\cdots\sigma_{i-1}\sigma'_i$ is to be read as the empty string $\lambda$. In both cases, the output of $A'$ contains a one-time signature relative to $v_{\sigma_1\cdots\sigma_{i-1}\sigma'_i}$, and this signature is to a string different from the (possibly) only one to which a signature was supplied to $A'$ by $A$.
Analogously to the motivating discussion above, we distinguish the cases $i = n$ and $i < n$:

(a) In case $i = n$, the output of $A'$ contains the (one-time) signature $\beta'_n$ that satisfies $V_{v_{\sigma_1\cdots\sigma_{n-1}\sigma'_n}}(\alpha', \beta'_n) = 1$. Furthermore, $\alpha'$ is different from the (possibly) only document to which $S_{s_{\sigma_1\cdots\sigma_{n-1}\sigma'_n}}$ was applied during the emulation of the $S'$-signer by $A$, since by our hypothesis the document $\alpha'$ did not appear as a query of $A'$. (Recall that, by the construction of $A$, instances of the one-time signature scheme associated with leaves are only applied to the queries of $A'$.)

(b) In case $i < n$, the output of $A'$ contains the (one-time) signature $\beta'_i$ that satisfies $V_{v_{\sigma_1\cdots\sigma_{i-1}\sigma'_i}}(v'_{i,0}v'_{i,1}, \beta'_i) = 1$. Furthermore, $v'_{i,0}v'_{i,1}$ is different from $v_{\sigma_1\cdots\sigma_{i-1}\sigma'_i0}\,v_{\sigma_1\cdots\sigma_{i-1}\sigma'_i1}$, which is the (possibly) only string to which $S_{s_{\sigma_1\cdots\sigma_{i-1}\sigma'_i}}$ was applied during the emulation of the $S'$-signer by $A$, where the last assertion is due to the maximality of $i$ (and the construction of $A$).

Thus, in both cases, $A$ obtains from $A'$ a valid (one-time) signature relative to the (one-time) instance associated with the node labeled $\sigma_1\cdots\sigma_{i-1}\sigma'_i$. Furthermore, in both cases, this (one-time) signature is to a string that did not appear in the record of $A$. The question is whether the instance associated with the node labeled $\sigma_1\cdots\sigma_{i-1}\sigma'_i$ is the $j$th instance, for which $A$ set $v = v_{\sigma_1\cdots\sigma_{i-1}\sigma'_i}$. In case the answer is yes, $A$ obtains forgery with respect to the (one-time) verification-key $v$ (which it attacks).

In view of the above discussion, $A$ acts as follows. It determines $i$ as in the discussion, and checks whether $v = v_{\sigma_1\cdots\sigma_{i-1}\sigma'_i}$ (almost equivalently, whether the $j$th instance is the one associated with the node labeled $\sigma_1\cdots\sigma_{i-1}\sigma'_i$). In case $i = n$, machine $A$ outputs the string-signature pair $(\alpha', \beta'_n)$; otherwise (i.e., $i < n$) it outputs the string-signature pair $(v'_{i,0}v'_{i,1}, \beta'_i)$.

This completes the (admittedly long) description of adversary $A$.
We repeat some obvious observations regarding this construction. Firstly, $A$ makes at most one query to its (one-time) signature oracle $S_s$. Secondly, assuming that $A'$ is probabilistic polynomial-time, so is $A$. Thus, all that remains is to relate the success probability of $A$ (when attacking a random instance of $(G,S,V)$) to the success probability of $A'$ (when attacking a random instance of $(G',S',V')$). As usual, the main observation is that the view of $A'$, during the emulation (of the memory-dependent signing process) by $A$, is identically distributed to its view in an actual attack on $(G',S',V')$. Furthermore, this holds conditioned on any possible fixed value of $j$ (selected in the first step of $A$). It follows that if $A'$ succeeds in forging signatures in an actual attack on $(G',S',V')$ with probability $\varepsilon'(n)$ then $A$ succeeds in forging signatures with respect to $(G,S,V)$ with probability at least $\frac{\varepsilon'(n)}{(2n+1)\cdot t}$, where the $(2n+1)\cdot t$ factor is due to the probability that the choice of $j$ is a good one (i.e., so that the $j$th instance is the one associated with the node labeled $\sigma_1\cdots\sigma_{i-1}\sigma'_i$, where $\sigma_1\cdots\sigma_{i-1}\sigma'_i$ and $i$ are as defined in Step 4). We conclude that if $(G',S',V')$ can be broken by a probabilistic polynomial-time chosen message attack with non-negligible probability then $(G,S,V)$ can be broken by a probabilistic polynomial-time single-message attack with non-negligible probability, in contradiction to the proposition's hypothesis. The proposition follows. □

6.4.2.3 The actual construction

In this section, we remove the memory-dependency of Construction 6.4.14, and obtain an ordinary (rather than memory-dependent) signature scheme. Towards this end, we use pseudorandom functions (as defined in Definition 3.6.4). The basic idea is that the record maintained in Construction 6.4.14 can be determined (on-the-fly) by an application of a pseudorandom function to certain strings.
For example, instead of generating and storing an instance of a (one-time) signature scheme for each node that we encounter, we can determine the randomness for the key-generation algorithm as a function of the label of that node. Thus, there is no need to store the key-pair generated, since if we ever need it again then re-generating it (in the very same way) will yield exactly the same result. The same idea applies also to the generation of (one-time) signatures. In fact, the construction is simplified, since we need not check whether or not we are generating an object for the first time.

For simplicity, let us assume that, on security parameter $n$, both the key-generation and signing algorithms (of the one-time signature scheme $(G,S,V)$) use exactly $n$ internal coin tosses. (This assumption can be justified by using pseudorandom generators, which exist anyhow under the assumptions used here.) For $r \in \{0,1\}^n$, we denote by $G(1^n, r)$ the output of $G$ on input $1^n$ and internal coin-tosses $r$. Likewise, for $r \in \{0,1\}^n$, we denote by $S_s(\alpha, r)$ the output of $S$, on input a signing-key $s$ and a document $\alpha$, when using internal coin-tosses $r$. For simplicity, we shall actually be using generalized pseudorandom functions as in Definition 3.6.12 (rather than pseudorandom functions as defined in Definition 3.6.4).$^{20}$ Furthermore, for simplicity, we shall consider applications of such pseudorandom functions to sequences of characters containing $\{0,1\}$ as well as a few additional special characters.

Construction 6.4.16 (removing the memory requirement from Construction 6.4.14): Let $(G,S,V)$ be a one-time signature scheme, and $\{f_r : \{0,1\}^* \to \{0,1\}^{|r|}\}_{r \in \{0,1\}^*}$ be a generalized pseudorandom function ensemble as in Definition 3.6.12. Consider the following signature scheme, $(G',S',V')$, which refers to a full binary tree of depth $n$ as in Construction 6.4.14.

key-generation algorithm $G'$: On input $1^n$, algorithm $G'$ obtains $(s,v) \leftarrow G(1^n)$ and selects uniformly $r \in \{0,1\}^n$.
Algorithm $G'$ outputs the pair $((r,s), v)$, where $(r,s)$ is the signing-key and $v$ is the verification-key.$^{21}$

signing algorithm $S'$: On input a signing-key $(r,s)$ and a document $\alpha$, the algorithm proceeds as follows.

1. It selects uniformly $\sigma_1\cdots\sigma_n \in \{0,1\}^n$. (Algorithm $S'$ will use the leaf labeled $\sigma_1\cdots\sigma_n \in \{0,1\}^n$ to sign the current document. Indeed, with exponentially-vanishing probability the same leaf may be used to sign two different documents, and this will lead to forgery (but only with negligible probability).) (Alternatively, to obtain a deterministic signing algorithm, one may set $\sigma_1\cdots\sigma_n \leftarrow f_r(\mathtt{select\text{-}leaf}\,\alpha)$, where $\mathtt{select\text{-}leaf}$ is a special character.)$^{22}$

2. Next, for every $i = 1,\ldots,n$ and every $\tau \in \{0,1\}$, the algorithm invokes $G$ and sets

$$(s_{\sigma_1\cdots\sigma_{i-1}\tau},\ v_{\sigma_1\cdots\sigma_{i-1}\tau}) \leftarrow G(1^n,\ f_r(\mathtt{key\text{-}gen}\,\sigma_1\cdots\sigma_{i-1}\tau))$$

where $\mathtt{key\text{-}gen}$ is a special character.$^{23}$

3. For every $i = 1,\ldots,n$, the algorithm invokes $S_{s_{\sigma_1\cdots\sigma_{i-1}}}$ and sets

$$\mathrm{auth}_{\sigma_1\cdots\sigma_{i-1}} \stackrel{\mathrm{def}}{=} \big(v_{\sigma_1\cdots\sigma_{i-1}0},\ v_{\sigma_1\cdots\sigma_{i-1}1},\ S_{s_{\sigma_1\cdots\sigma_{i-1}}}(v_{\sigma_1\cdots\sigma_{i-1}0}\,v_{\sigma_1\cdots\sigma_{i-1}1},\ f_r(\mathtt{sign}\,\sigma_1\cdots\sigma_{i-1}))\big)$$

where $\mathtt{sign}$ is a special character.$^{24}$

4. Finally, the algorithm invokes $S_{s_{\sigma_1\cdots\sigma_n}}$ and outputs$^{25}$

$$(\sigma_1\cdots\sigma_n,\ \mathrm{auth}_\lambda,\ \mathrm{auth}_{\sigma_1},\ \ldots,\ \mathrm{auth}_{\sigma_1\cdots\sigma_{n-1}},\ S_{s_{\sigma_1\cdots\sigma_n}}(\alpha,\ f_r(\mathtt{sign}\,\sigma_1\cdots\sigma_n)))$$

verification algorithm $V'$: On input a verification-key $v$, a document $\alpha$, and an alleged signature $\beta$, algorithm $V'$ behaves exactly as in Construction 6.4.14. Specifically, assuming that $\beta$ has the form

$$(\sigma_1\cdots\sigma_n,\ (v_{0,0}, v_{0,1}, \beta_0),\ (v_{1,0}, v_{1,1}, \beta_1),\ \ldots,\ (v_{n-1,0}, v_{n-1,1}, \beta_{n-1}),\ \beta_n)$$

algorithm $V'$ accepts if and only if the following three conditions hold:

1. $V_v(v_{0,0}v_{0,1}, \beta_0) = 1$.

2. For $i = 1,\ldots,n-1$, it holds that $V_{v_{i-1,\sigma_i}}(v_{i,0}v_{i,1}, \beta_i) = 1$.

3. $V_{v_{n-1,\sigma_n}}(\alpha, \beta_n) = 1$.

Footnote 20: We shall make comments regarding the minor changes required in order to use ordinary pseudorandom functions. The first comment is that we shall consider an encoding of strings of length up to $n+2$ by strings of length $n+3$ (e.g., for $i \le n+2$, the string $x \in \{0,1\}^i$ is encoded by $x10^{n+2-i}$).

Footnote 21: In case we use ordinary pseudorandom functions, rather than generalized ones, we select $r$ uniformly in $\{0,1\}^{n+3}$ so that $f_r : \{0,1\}^{n+3} \to \{0,1\}^{n+3}$. Actually, we shall be using the function $f_r : \{0,1\}^{n+3} \to \{0,1\}^n$ derived from the above by dropping the last 3 bits of the function value.

Footnote 22: In case we use ordinary pseudorandom functions, rather than generalized ones, this alternative can be (directly) implemented only if it is guaranteed that $|\alpha| \le n$. In such a case, we apply $f_r$ to the $(n+3)$-bit encoding of $00\alpha$.

Footnote 23: In case we use ordinary pseudorandom functions, rather than generalized ones, the argument to $f_r$ is the $(n+3)$-bit encoding of $10\sigma_1\cdots\sigma_{i-1}\tau$.

Footnote 24: In case we use ordinary pseudorandom functions, rather than generalized ones, the argument to $f_r$ is the $(n+3)$-bit encoding of $11\sigma_1\cdots\sigma_{i-1}$.

Footnote 25: In case we use ordinary pseudorandom functions, rather than generalized ones, the argument to $f_r$ is the $(n+3)$-bit encoding of $11\sigma_1\cdots\sigma_n$.

Proposition 6.4.17: If $(G,S,V)$ is a secure one-time signature scheme and $\{f_r : \{0,1\}^* \to \{0,1\}^{|r|}\}_{r \in \{0,1\}^*}$ is a generalized pseudorandom function ensemble then Construction 6.4.16 constitutes a secure (general) signature scheme.

Proof: Following the general methodology suggested in Section 3.6.3, we consider an ideal version of Construction 6.4.16 in which a truly random function is used (rather than a pseudorandom one). The ideal version is almost identical to Construction 6.4.14, with the only difference being the way in which $\sigma_1\cdots\sigma_n$ is selected. Specifically, applying a random function to determine (one-time) key-pairs and (one-time) signatures is equivalent to generating these keys and signatures at random (on-the-fly) and re-using the stored values whenever necessary. Regarding the way in which $\sigma_1\cdots\sigma_n$ is selected, observe that the proof of Proposition 6.4.15 is oblivious of this way, except for the assumption that the same leaf is never used to sign two different documents.
However, the probability that the same leaf is used twice by the (memoryless) signing algorithm, when serving polynomially-many signing requests, is exponentially-vanishing and thus can be ignored in our analysis. We conclude that the ideal scheme (in which a truly random function is used instead of fr ) is secure. It follows that also the actual signature scheme (as in Construction 6.4.16) is secure, or else one can e ciently distinguish a pseudorandom function from a truly random one (which is impossible). Details follow. Assume towards the contradiction that there exists a probabilistic polynomialtime adversary A0 that succeeds to forge signatures with respect to (G0 S 0 V 0 ) with non-negligible probability, but succeeds only with negligible probability when attacking the ideal scheme. We construct a distinguisher D that on input 1n and oracle access to f : 0 1 0 1 n behaves as follows. Machine D 0 s) v ) 0 (1n ), and invokes A0 on input v . Machine D answers generates ((r G the queries of A0 by running the signing process, using the signing-key (r0 s), with the exception that it replaces the values fr (x) by f (x). That is, whenever the signing process calls for the computation of the value of the function fr on some string x, machine D queries its oracle (i.e., f ) on the string x, and uses the respond f (x) instead of fr (x). When A0 outputs an alleged signature to a new document, machine M evaluates whether or not the signature is valid (with respect to Vv ) and output 1 if and only if A0 has indeed succeeded (i.e., the signature is valid). Observe that if D is given oracle access to a truly random function then the emulated A0 attacks the ideal scheme, whereas if D is given oracle access to a pseudorandom function fr then the emulated A0 attacks the real scheme. It follows that D distinguishes the two cases, in contradiction to the pseudorandomness of the ensemble fr . f g ! f g 0 0 0 f g 536 CHAPTER 6. 
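The memoryless signing and verification processes of Construction 6.4.16, as an added worked example that is not part of the book's text. The choices below are this example's own assumptions, not the construction's: the one-time scheme $(G,S,V)$ is a Lamport scheme over SHA-256 digests whose key pair is derived deterministically from a 32-byte seed (standing in for the n internal coin tosses); the PRF $f_r$ is HMAC-SHA256 keyed with r, applied to a (special character, data) pair; the deterministic leaf selection of footnote 22 is used; Lamport signing needs no coins, so the values $f_r(\mathrm{sign},\cdot)$ of Steps 3 and 4 are not consumed; and the tree depth n is 8 only to keep the toy fast, whereas a real instance needs a depth at which leaf reuse among polynomially many signatures is negligible. The function `leaf_reuse_probability` evaluates the birthday-style estimate of footnote 26. Nothing is stored between signatures: every node key on the path is regenerated from $f_r(\mathrm{key\hbox{-}gen},\mathrm{label})$.

```python
import hashlib
import hmac
import os

H = hashlib.sha256
K = 256     # the one-time scheme signs 256-bit SHA-256 digests (Lamport: 2*K secrets per key)
DEPTH = 8   # n, the tree depth: a toy value chosen for speed (see lead-in)


def prf(r, tag, data):
    """f_r(tag, data), instantiated here with HMAC-SHA256 keyed with r (an assumption of this example)."""
    return hmac.new(r, tag + b"|" + data, H).digest()


def digest_bits(msg):
    d = H(msg).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(K)]


def ots_keygen(seed):
    """G(1^n, seed): a Lamport key pair derived deterministically from the 'coin tosses' seed."""
    s = [[H(seed + bytes([i, b])).digest() for b in (0, 1)] for i in range(K)]
    v = [[H(s[i][b]).digest() for b in (0, 1)] for i in range(K)]
    return s, v


def ots_sign(s, msg):
    """S_s(msg): reveal, for each digest bit, the secret of that bit position."""
    return [s[i][bit] for i, bit in enumerate(digest_bits(msg))]


def ots_verify(v, msg, sig):
    bits = digest_bits(msg)
    return len(sig) == K and all(H(sig[i]).digest() == v[i][bits[i]] for i in range(K))


def vk_bytes(v):
    return b"".join(v[i][0] + v[i][1] for i in range(K))


def vk_parse(blob):
    return [[blob[64 * i:64 * i + 32], blob[64 * i + 32:64 * i + 64]] for i in range(K)]


def node_keys(r, label):
    """Step 2 of S': the key pair of tree node `label` is re-derived from f_r(key-gen, label), never stored."""
    return ots_keygen(prf(r, b"key-gen", label.encode()))


def keygen(root_seed=None, r=None):
    """G': (s, v) <- G(1^n) for the root plus a PRF key r; signing key (r, s), verification key v."""
    root_seed = root_seed or os.urandom(32)
    r = r or os.urandom(32)
    s, v = ots_keygen(root_seed)
    return (r, s), v


def sign(sk, alpha):
    r, s_cur = sk
    # Step 1 (deterministic variant of footnote 22): leaf = first n bits of f_r(select-leaf, alpha)
    sigma = "".join(f"{byte:08b}" for byte in prf(r, b"select-leaf", alpha))[:DEPTH]
    auth = []
    for i in range(DEPTH):
        # Steps 2-3: regenerate both children of the path node sigma_1..sigma_i, then authenticate them
        (s0, v0), (s1, v1) = node_keys(r, sigma[:i] + "0"), node_keys(r, sigma[:i] + "1")
        pair = vk_bytes(v0) + vk_bytes(v1)
        auth.append((vk_bytes(v0), vk_bytes(v1), ots_sign(s_cur, pair)))
        s_cur = s0 if sigma[i] == "0" else s1
    # Step 4: the leaf key signs the document itself
    return sigma, auth, ots_sign(s_cur, alpha)


def verify(v, alpha, sig):
    """V': the three conditions of Construction 6.4.16, walking the authentication path from the root."""
    sigma, auth, leaf_sig = sig
    if len(sigma) != DEPTH or len(auth) != DEPTH:
        return False
    v_cur = v
    for i in range(DEPTH):
        v0, v1, beta = auth[i]
        if not ots_verify(v_cur, v0 + v1, beta):     # V_{v_{i-1,sigma_i}}(v_{i,0} v_{i,1}, beta_i) = 1
            return False
        v_cur = vk_parse(v0 if sigma[i] == "0" else v1)
    return ots_verify(v_cur, alpha, leaf_sig)         # V_{v_{n-1,sigma_n}}(alpha, beta_n) = 1


def leaf_reuse_probability(leaves, docs):
    """Footnote 26: probability that `docs` independently chosen leaves out of `leaves` are not all distinct."""
    p_distinct = 1.0
    for i in range(docs):
        p_distinct *= 1 - i / leaves
    return 1 - p_distinct
```

Signing the same document twice yields the identical signature and consults no state, which is the point of the memoryless variant; the cost is that two different documents share a leaf with probability governed by `leaf_reuse_probability(2 ** DEPTH, q)`, so the depth must be chosen against the expected number of signatures, not the tree size one can afford to store.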
6.4.2.4 Conclusions and comments

Theorem 6.4.9 follows by combining Proposition 6.4.17 with the fact that the existence of secure one-time signature schemes implies the existence of one-way functions (see Exercise 11), which in turn imply the existence of (generalized) pseudorandom functions. Recall that combining Theorem 6.4.9 and Corollary 6.4.8, we obtain Corollary 6.4.10 that states that the existence of collision-free hashing collections implies the existence of secure signature schemes.

We comment that Constructions 6.4.14 and 6.4.16 can be generalized as follows. Rather than using a depth n full binary tree, one can use any tree that has a super-polynomial (in n) number of leaves, provided that one can enumerate the leaves (resp., uniformly select a leaf), and generate the path from the root to a given leaf. We consider a few possibilities:

- For any $d:\mathbb{N}\to\mathbb{N}$ bounded by a polynomial in n (e.g., $d\equiv 2$ or $d(n)=n$ are indeed "extreme" cases), we may consider a full $d(n)$-ary tree of depth $e(n)$ so that $d(n)^{e(n)}$ is greater than any polynomial in n. The choice of parameters in Constructions 6.4.14 and 6.4.16 (i.e., $d\equiv 2$ and $e(n)=n$) is probably the simplest one as well as the most efficient one (from a generic perspective). Natural complexity measures for a signature scheme include the length of signatures and the signing and verification times. In a generalized construction, the length of the signatures is linear in $d(n)\cdot e(n)$, and the number of applications of the underlying one-time signature scheme (per each general signature) is linear in $e(n)$, where in internal nodes the one-time signature scheme is applied to strings of length linear in $d(n)$. Assuming that the complexity of one-time signatures is linear in the document length, all complexity measures are linear in $d(n)\cdot e(n)$, and so $d\equiv 2$ is the best generic choice. However, the above assumption may be wrong when some specific one-time signatures are used. For example, the complexity of producing a signature to an $\ell$-bit long string in a one-time signature scheme may be of the form $p(n)+p'(n)\cdot\ell$, where $p'(n)\ll p(n)$. In such (special) cases, one may prefer to use larger $d:\mathbb{N}\to\mathbb{N}$ (see Section 6.6.5).

- For the memory-dependent construction, it may be preferable to use unbalanced trees (i.e., having leaves at various levels). The advantage is that if one utilizes first the leaves closer to the root then one can obtain a saving on the cost of signing the first documents. For example, consider using a ternary tree of super-logarithmic depth (i.e., $d\equiv 3$ and $e(n)=\omega(\log n)$) in which each internal node of level $i\in\{0,1,\ldots,e(n)-2\}$ has two children that are internal nodes and a single child that is a leaf (and the internal nodes of level $e(n)-1$ have only leaves as children). Thus, for $i\ge 1$, there are $3^{i-1}$ leaves at level i. If we use all leaves of level i before using any leaf of level i+1 then the length of the j-th signature in this scheme is linear in $\log_3 j$ (and so is the number of applications of the underlying one-time signature scheme).

- In actual applications, one should observe that in variants of Construction 6.4.14 the size of the tree determines the total number of documents that can be signed, whereas in variants of Construction 6.4.16 the tree size has an even more drastic effect on the number of documents that can be signed.[26] In some cases a hybrid of Constructions 6.4.14 and 6.4.16 may be preferable: We refer to a memory-dependent scheme in which leaves are assigned as in Construction 6.4.14 (i.e., according to a counter), but the rest of the operation is done as in Construction 6.4.16 (i.e., the one-time instances are re-generated on-the-fly, rather than being generated and recorded).
In some applications, the introduction of a document-counter may be tolerated, and the gain is the ability to use a smaller tree (i.e., of size merely greater than the total number of documents that should ever be signed).

More generally, we wish to stress that each of the following ingredients of the above constructions is useful in a variety of related and unrelated settings. We refer specifically to the refreshing paradigm, the authentication tree construction, and the notion (and constructions) of one-time signatures. For example:

- It is common practice to authenticate messages sent during a "communication session" via a session-key that is typically authenticated by a master-key. One of the reasons for this practice is the prevention of a chosen message attack on the (more valuable) master-key. (Other reasons include allowing the use of a faster alas less secure authentication scheme for the actual communication, introducing independence between sessions, etc.)

- Observe the analogy between the tree-hashing (of Construction 6.2.13) and the authentication tree (of Construction 6.4.14). Despite the many differences, in both cases, the value of internal nodes essentially determines the values that may be claimed for their children.

- Recall the application of one-time signatures in the construction of CCA-secure public-key encryption schemes (cf. proof of Theorem 5.4.30).

[26] In particular, the number of documents that can be signed should definitely be smaller than the square root of the size of the tree (or else two documents are likely to be assigned the same leaf). Furthermore, we cannot use a small tree (e.g., of size 1000) even if we know that the total number of documents that will ever be signed is small (e.g., 10), since otherwise the probability that two documents are assigned the same leaf is too big (e.g., 1/20).

6.4.3 * Universal One-Way Hash Functions and using them

So far, we have established that the existence of collision-free hashing collections implies the existence of secure signature schemes (cf. Corollary 6.4.10). We seek to weaken the assumption under which secure signature schemes can be constructed, and bear in mind that the existence of one-way functions is certainly a necessary condition (cf., for example, Exercise 11). In view of Theorem 6.4.9, we may focus on constructing secure one-time signature schemes. Furthermore, recall that secure length-restricted one-time signature schemes can be constructed based on any one-way function (cf. Corollary 6.4.6). Thus, the only bottleneck we face (with respect to the assumption used) is Proposition 6.4.7, which refers to Construction 6.2.6 and utilizes collision-free hashing. Our aim in this section is to replace this component in the construction. We use a variant of Construction 6.2.6 in which, instead of using collision-free hashing, we use a seemingly weaker notion called Universal One-Way Hash Functions.

6.4.3.1 Definition

A collection of universal one-way hash functions is defined analogously to a collection of collision-free hash functions. The only difference is that the hardness (to form collisions) requirement is relaxed. Recall that for a collection of collision-free hash functions it was required that given the function's description it is hard to form an arbitrary collision under the function. For a collection of universal one-way hash functions we only require that given the function's description h and a preimage x it is hard to find an $x'\neq x$ so that $h(x')=h(x)$. We refer to this requirement as hardness to form designated collisions.

Our formulation of the hardness to form designated collisions is actually seemingly stronger.
Rather than being supplied with a (random) preimage x, the collision-forming algorithm is allowed to select x by itself, but must do so before being presented with the function's description. That is, the attack of the collision-forming algorithm proceeds in three stages: first the algorithm selects a preimage x, next it is given a description of a randomly selected function h, and finally it is required to output $x'\neq x$ such that $h(x')=h(x)$. We stress that the third stage in the attack is also given the random choices made while producing the preimage in the first stage. This yields the following definition, where the first stage is captured by a deterministic polynomial-time algorithm $A_0$ (which maps a sequence of coin tosses, denoted $U_{q(n)}$, to a preimage of the function) and the third stage is captured by algorithm A (which is given the very same $U_{q(n)}$ as well as the function's description).

Definition 6.4.18 (universal one-way hash functions, UOWHF): Let $\ell:\mathbb{N}\to\mathbb{N}$. A collection of functions $\{h_s:\{0,1\}^*\to\{0,1\}^{\ell(|s|)}\}_{s\in\{0,1\}^*}$ is called universal one-way hashing (UOWHF) if there exists a probabilistic polynomial-time algorithm I so that the following holds

1. (admissible indexing, technical):[27] For some polynomial p, all sufficiently large n's and every s in the range of $I(1^n)$ it holds that $n\le p(|s|)$. Furthermore, n can be computed in polynomial-time from s.

2. (efficient evaluation): There exists a polynomial-time algorithm that given s and x, returns $h_s(x)$.

3. (hard to form designated collisions): For every polynomial q, every deterministic polynomial-time algorithm $A_0$, every probabilistic polynomial-time algorithm A, every polynomial p and all sufficiently large n's
$$\Pr\Big[h_{I(1^n)}\big(A(I(1^n),U_{q(n)})\big)=h_{I(1^n)}\big(A_0(U_{q(n)})\big)\ \mbox{ and }\ A(I(1^n),U_{q(n)})\neq A_0(U_{q(n)})\Big]<\frac{1}{p(n)}\qquad(6.7)$$
where the probability is taken over $U_{q(n)}$ and the internal coin tosses of algorith
ms I and A.

[27] This condition is made merely to avoid annoying technicalities. Note that $|s|=\mathrm{poly}(n)$ holds by definition of I.

The function $\ell$ is called the range specifier of the collection.

We stress that the hardness to form designated collisions condition refers to the following three-stage process: first, using a uniformly distributed $r\in\{0,1\}^{q(n)}$, the (initial) adversary generates a preimage $x=A_0(r)$; next, a function h is selected; and, finally, the (residual) adversary A is given h (as well as r used in the first stage), and tries to find a preimage $x'\neq x$ such that $h(x')=h(x)$. Indeed, Eq. (6.7) refers to the probability that $x'\stackrel{\rm def}{=}A(h,r)\neq x$ and yet $h(x')=h(x)$.

Note that the range specifier must be super-logarithmic (or else, given s and $x\leftarrow U_n$, one is too likely to find an $x'\neq x$ so that $h_s(x)=h_s(x')$, by uniformly selecting $x'$ in $\{0,1\}^n$). Also note that any UOWHF collection yields a collection of one-way functions (see Exercise 15). Finally, note that any collision-free hashing is universally one-way hashing, but the converse is false (see Exercise 16). Furthermore, it is not known whether collision-free hashing can be constructed based on any one-way functions (in contrast to Theorem 6.4.29 below).

6.4.3.2 Constructions

We construct UOWHF collections in several steps, starting with a related but restricted notion, and relaxing the restriction gradually (until we reach the unrestricted notion of UOWHF collections). The abovementioned restriction refers to the length of the arguments to the function. Most importantly, the hardness (to form designated collisions) requirement will refer only to arguments of this length. That is, we refer to the following technical definition.

Definition 6.4.19 ((d,r)-UOWHFs): Let $d,r:\mathbb{N}\to\mathbb{N}$. A collection of functions $\{h_s:\{0,1\}^{d(|s|)}\to\{0,1\}^{r(|s|)}\}_{s\in\{0,1\}^*}$ is called (d,r)-UOWHF if there exists a probabilistic polynomial-time algorithm I so that the following holds

1. For all sufficiently large n's and every s in the range of $I(1^n)$ it holds that $|s|=n$.[28]

2. There exists a polynomial-time algorithm that given s and $x\in\{0,1\}^{d(|s|)}$, returns $h_s(x)$.

3. For every polynomial q, every deterministic polynomial-time algorithm $A_0$ mapping q(n)-bit long strings to d(|s|)-bit long strings, every probabilistic polynomial-time algorithm A, every polynomial p and all sufficiently large n's Eq. (6.7) holds.

[28] Here we chose to make a more stringent condition, requiring that $|s|=n$ rather than $n\le\mathrm{poly}(|s|)$. In fact, one can easily enforce this more stringent condition by modifying I into I' so that $I'(1^{l(n)})=I(1^n)$ for a suitable function $l:\mathbb{N}\to\mathbb{N}$ satisfying $l(n)\le\mathrm{poly}(n)$ and $n\le\mathrm{poly}(l(n))$.

Of course, we care only about (d,r)-UOWHF for functions $d,r:\mathbb{N}\to\mathbb{N}$ satisfying $d(n)>r(n)$. (The case $d(n)\le r(n)$ is trivial since collisions can be avoided altogether, say by the identity map.) The "minimal" non-trivial case is when $d(n)=r(n)+1$. Indeed, this is our starting point. Furthermore, the construction of such a minimal (d,d-1)-UOWHF (undertaken in the first step) is the most interesting step to be taken on our entire way towards the construction of full-fledged UOWHF.

Step I: constructing (d,d-1)-UOWHFs. We show how to construct length-restricted UOWHFs that shrink their input by a single bit. Our construction can be carried out using any one-way permutation. In addition, we use a family of hashing functions, $S^n_{n-1}$, as defined in Section 3.5.1.1. Recall that a function selected uniformly in $S^n_{n-1}$ maps $\{0,1\}^n$ to $\{0,1\}^{n-1}$ in a pairwise independent manner, that the functions in $S^n_{n-1}$ are easy to evaluate, and that for some polynomial p it holds that $\log_2|S^n_{n-1}|=p(n)$.

Construction 6.4.20 (a (d,d-1)-UOWHF): Let $f:\{0,1\}^*\to\{0,1\}^*$ be a 1-1 and length preserving function, and let $S^n_{n-1}$ be a family of hashing functions such that $\log_2|S^n_{n-1}|=p(n)$, for some polynomial p. (Specifically, suppose that $\log_2|S^n_{n-1}|\in\{3n-2,\,2n\}$, as in Exercises 22.2 and 23 of Chapter 3.) Then, for every $s\in S^n_{n-1}\equiv\{0,1\}^{p(n)}$ and every $x\in\{0,1\}^n$, we define $h'_s(x)\stackrel{\rm def}{=}h_s(f(x))$. In case $|s|\notin\{p(n):n\in\mathbb{N}\}$, we define $h'_s\stackrel{\rm def}{=}h'_{s'}$ where $s'$ is the longest prefix of s satisfying $|s'|\in\{p(n):n\in\mathbb{N}\}$. We refer to an index selection algorithm that, on input $1^m$, uniformly selects $s\in\{0,1\}^m$.

That is, $h'_s:\{0,1\}^{d(|s|)}\to\{0,1\}^{d(|s|)-1}$, where $d(m)$ is the largest integer n satisfying $p(n)\le m$. Note that d is monotonically non-decreasing, and that for 1-1 p's the corresponding d is onto (i.e., $d(p(n))=n$ for every n).

The analysis presented below uses, in an essential way, an additional property of the above-mentioned families of hashing functions; specifically, we assume that given two preimage-image pairs it is easy to uniformly generate a hashing function (in the family) that is consistent with these two mapping conditions. Furthermore, to facilitate the analysis we use a specific family of hashing functions, presented in Exercise 23 of Chapter 3: functions in $S^n_{n-1}$ are described by a pair of elements of the finite field $GF(2^n)$ so that the pair $(a,b)$ describes the function $h_{a,b}$ that maps $x\in GF(2^n)$ to the $(n-1)$-bit prefix of the n-bit representation of $ax+b$, where the arithmetic is of the field $GF(2^n)$. This specific family satisfies all the additional properties required in the next proposition (see Exercise 20).

Proposition 6.4.21: Suppose that f is a one-way permutation, and that $\log_2|S^n_{n-1}|=2n$. Furthermore, suppose that $S^n_{n-1}$ satisfies the following two conditions

C1 All but a negligible fraction of the functions in $S^n_{n-1}$ are 2-to-1.

C2 There exists a probabilistic polynomial-time algorithm that given $y_1,y_2\in\{0,1\}^n$ and $z_1,z_2\in\{0,1\}^{n-1}$, outputs a uniformly distributed element of $\{s\in S^n_{n-1}:\ h_s(y_i)=z_i\ \forall i\in\{1,2\}\}$.

Then $\{h'_s\}_{s\in\{0,1\}^*}$ as in Construction 6.4.20 is a (d,d-1)-UOWHF, for $d(m)=\lfloor m/2\rfloor$.

Proof Sketch: Intuitively, forming designated collisions under $h'_s\equiv h_s\circ f$ yields the ability to invert f, because the collision is due to $h_s$, which may be selected such that $h_s(y)=h_s(f(x_0))$ for any given y and $x_0$. We stress that typically there are only two preimages of $h'_s(x_0)$ under $h'_s$, one being $x_0$ itself (which is given to the collision-finder) and the other being $f^{-1}(y)$ such that $h_s(y)=h'_s(x_0)$. Thus, if we wish to invert f on a random image y, then we may invoke a collision-finder, which first outputs some $x_0$, supply it with a random s satisfying $h_s(y)=h'_s(x_0)$, and hope that it forms a collision (i.e., finds a different preimage x satisfying $h'_s(x)=h'_s(x_0)$). Indeed, the different preimage must be $f^{-1}(y)$, which means that whenever the collision-finder succeeds we also succeed (i.e., invert f on y).

The actual proof is by a reducibility argument. Suppose that we are given a probabilistic polynomial-time algorithm A' that forms designated collisions under $h'_s$, with respect to preimages produced by a deterministic polynomial-time algorithm $A'_0$, which maps p(n)-bit strings to n-bit strings. Then, we construct an algorithm A that inverts f. On input $y=f(x)$, where $n=|y|=|x|$, algorithm A proceeds as follows:

(1) Select $r_0$ uniformly in $\{0,1\}^{p(n)}$, and compute $x_0=A'_0(r_0)$ and $y_0=f(x_0)$.

(2) Select s uniformly in $\{s\in S^n_{n-1}:\ h_s(y_0)=h_s(y)\}$. (Recall that y is the input to A, and $y_0$ is generated by A in Step (1).)

(3) Invoke A' on input $(s,r_0)$, and output whatever A' does.

By Condition C2, Step (2) can be implemented in probabilistic polynomial-time.
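Construction 6.4.20 and algorithm A of the proof above, instantiated over a toy field, as an added worked example that is not part of the book's text. The hashing family is the one named in the text, $h_{a,b}(y)=$ the $(n-1)$-bit prefix of $ay+b$ in $GF(2^n)$, here with $n=8$ and the reduction polynomial $x^8+x^4+x^3+x+1$ (this example's choice). Two further stand-ins are the example's own: $f(x)=x^7$ in $GF(2^8)$, a permutation because $\gcd(7,255)=1$, serves as the "one-way permutation" purely so that the mechanics can run (it is trivially invertible), and `find_designated_collision` plays the hypothesised collision-finder A' by exhaustive search over the 256-element domain. `sample_consistent` implements Condition C2 by solving the two linear constraints, `count_two_to_one` checks Condition C1 for the toy field, and `invert` follows Steps (1)-(3) of A; the claim of the proof (when $h_s$ is 2-to-1 and $f(x_0)\neq y$, any designated collision is $f^{-1}(y)$) can then be checked exhaustively.

```python
import random
from collections import Counter

IRRED = 0x11B   # x^8 + x^4 + x^3 + x + 1: the toy field is GF(2^8), so n = 8
N = 8


def gf_mul(a, b):
    """Multiplication in GF(2^8) modulo IRRED."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= IRRED
    return r


def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def gf_inv(a):
    return gf_pow(a, 254)   # a^(2^8 - 2) = a^(-1) for a != 0


def f(x):
    """Stand-in for the one-way permutation: x -> x^7 in GF(2^8) (a bijection, not one-way)."""
    return gf_pow(x, 7)


def h(s, y):
    """h_{a,b}(y): the (n-1)-bit prefix of the n-bit representation of a*y + b."""
    a, b = s
    return (gf_mul(a, y) ^ b) >> 1


def h_prime(s, x):
    """h'_s(x) = h_s(f(x)), Construction 6.4.20."""
    return h(s, f(x))


def is_two_to_one(s):
    return all(c == 2 for c in Counter(h(s, y) for y in range(1 << N)).values())


def count_two_to_one(b):
    """Condition C1 for the toy field: number of the 256 functions h_{a,b} (b fixed) that are 2-to-1."""
    return sum(is_two_to_one((a, b)) for a in range(1 << N))


def sample_consistent(y1, y2, z1, z2, rng):
    """Condition C2: a uniformly distributed (a, b) with h_{a,b}(y1) = z1 and h_{a,b}(y2) = z2.
    Each constraint fixes the full image a*y_i + b up to its last bit, so enumerate the
    choices w_i in {2 z_i, 2 z_i + 1} and solve the two linear equations for (a, b)."""
    sols = []
    for w1 in (2 * z1, 2 * z1 + 1):
        for w2 in (2 * z2, 2 * z2 + 1):
            if y1 != y2:                       # one (a, b) per choice of (w1, w2)
                a = gf_mul(w1 ^ w2, gf_inv(y1 ^ y2))
                sols.append((a, w1 ^ gf_mul(a, y1)))
            elif w1 == w2:                     # y1 == y2: any a works and b is then determined
                sols.extend((a, w1 ^ gf_mul(a, y1)) for a in range(1 << N))
    if not sols:
        raise ValueError("no function in the family satisfies both constraints")
    return rng.choice(sols)


def find_designated_collision(s, x0):
    """Stand-in for A': exhaustive search, affordable only because the domain has 256 elements."""
    for x in range(1 << N):
        if x != x0 and h_prime(s, x) == h_prime(s, x0):
            return x
    return None


def invert(y, rng, finder=find_designated_collision):
    """Algorithm A of the proof of Proposition 6.4.21: invert f on y via a designated-collision finder."""
    x0 = rng.randrange(1 << N)                 # Step (1): committed preimage x0 = A'_0(r0), here uniform
    y0 = f(x0)
    z = rng.randrange(1 << (N - 1))            # Step (2): every image value z contributes equally many s
    s = sample_consistent(y0, y, z, z, rng)    #   with h_s(y0) = h_s(y) = z, so s is uniform in that set
    return finder(s, x0), s, x0                # Step (3): output whatever the collision-finder returns
```

Running `invert` over every `y` shows the two cases the proof separates: whenever the sampled `s` has `a != 0` (so `h_s` is 2-to-1) and `f(x0) != y`, the only other preimage of `h'_s(x0)` is `f^{-1}(y)`, and the finder's answer inverts f; the remaining cases are exactly the ones the proof discards.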
Turning to the analysis of algorithm A, we consider the behavior of A on input $y=f(x)$ for a uniformly distributed $x\in\{0,1\}^n$ (which implies that y is uniformly distributed over $\{0,1\}^n$). We first observe that for every fixed $r_0$ selected in Step (1), if y is uniformly distributed in $\{0,1\}^n$ then s as determined in Step (2) is uniformly distributed in $S^n_{n-1}$. Using Condition C1, it follows that the probability that $h_s$ is not 2-to-1 is negligible. By the construction of A, the probability that $f(x_0)=y$ is also negligible (but we could have taken advantage of this case too, by augmenting Step (1) so that if $y_0=y$ then A halts with output $x_0$). We now claim that, in case $f(x_0)\neq y$ and $h_s$ is 2-to-1, if A' returns $x''$ such that $x''\neq x_0$ and $h'_s(x'')=h'_s(x_0)$ then $f(x'')=y$.

Proving the Claim: By the definitions of $h'_s$ and A (i.e., its Step (2)), we have $h'_s(x)=h_s(f(x))=h_s(y)=h_s(y_0)=h_s(f(x_0))=h'_s(x_0)$, which equals $h'_s(x'')$ by one of the claim's hypotheses. Thus, $x_0$, $x''$ and x are all preimages of $h'_s(x)=h_s(y)$ under $h'_s$, but they are not necessarily distinct. By the other two hypotheses $x_0\neq x''$ and $h'_s=h_s\circ f$ is 2-to-1 (since $h_s$ is 2-to-1 and f is 1-to-1). Thus, $x\in\{x_0,x''\}$. Using the last of the claim's hypotheses (i.e., $y=f(x)\neq f(x_0)$) and the hypothesis that f is 1-1, it follows that $x\neq x_0$, which in turn implies that $x=x''$ and $y=f(x'')$.

We conclude that if A' forms designated collisions with probability $\varepsilon'(n)$ then A inverts f with probability $\varepsilon'(n)-\mu(n)$, where $\mu$ is a negligible function (accounting for the negligible probability that $h_s$ is not 2-to-1). The proposition follows. □

Step II: constructing (d',d'/2)-UOWHFs. We now take the second step on our way, and use any (d,d-1)-UOWHF in order to construct a (d',d'/2)-UOWHF.
That is, we construct length-restricted UOWHFs that shrink their input by a factor of 2. The construction is obtained by composing a sequence of (di erent) (d d 1)-UOWHFs. For simplicity, we assume that the function d : N N is onto and monotonically non-decreasing. In such a case we denote by d;1 (m) the smallest natural number n satisfying d(n) = m. ! d(jsj) ! f0 1gd(jsj);1gs2f0 1g , where d : N ! N is onto and non-decreasing. Then, for every s1 ::: sbd(n)=2c , where each si 2 f0 1gd 1(d(n)+1;i) , and every x 2 f0 1gd(n), we de ne f f g ; Construction 6.4.22 (a (d0 d0 =2)-UOWHF): Let hs : 0 1 = h0s1 ::: s d(n)=2 (x) def hs d(n)=2 ( hs2 (hs1 (x)) ) b c b c That is, we let x0 def x, and xi hsi (xi;1 ), for i = 1 ::: bd(n)=2c. (Note that = d(jsi j) = d(n) + 1 ; i and jxi j = d(n) + 1 ; i indeed hold.) We refer to an index selection algorithm that, on input 1m , determines the P largest integer n such that m m0 def b=1n)=2c d;1 (d(n) + 1 ; i), uniformly = i d( selects s1 ::: sbd(n)=2c so that si 2 f0 1gd 1(d(n)+1;i) , and s0 2 f0 1gm;m , and lets h0s0 s1 ::: s d(n)=2 def h0s1 ::: s d(n)=2 . = ; 0 b c b c That P m = s and h0s : 0 1 d(n) is, 0 1 bd(n)=2c , where n is largest so that bd(n)=2c ;1 m d (d(n) + 1 i). Thus, d0 (m) = d(n), where n is as above that i=1 is, we have h0s : 0 1 d (jsj) 0 1 bd (jsj)=2c , with d0 ( s ) = d(n). Note that, for d(n) = (n) (as in Construction 6.4.20), it holds that d0 (O(n2 )) d(n) and d0 (m) = ( m) follows. More generally, if for some polynomial p it holds that p(d(n)) n (for all n's) then for some polynomial p0 it holds that p0 (d0 (m)) m (for all m's), since d0 (p(n) d(n)) d(n). We call such a function su cientlygrowing that is, d : N N is su ciently-growing if there exists a polynomial p so that for every n it holds that p(d(n)) n. (E.g., for every xed " "0 > 0, the function d(n) = "0 n" is su ciently-growing.) j j f g ! f g ; f g 0 ! f g 0 j j p ! Proposition 6.4.23 Suppose that hs f ! 
s2f0 1g is a (d d 1)-UOWHF, where d : N N is onto, non-decreasing and su ciently-growing. Then, for some su ciently-growing function d0 : N N , Construction 6.4.22 is a (d0 d0 =2 )g ; UOWHF. ! b c 6.4. CONSTRUCTIONS OF SIGNATURE SCHEMES 543 nated collision under one of the hsi 's. That is, let x0 def x, and xi hsi (xi;1 ), = for i = 1 ::: d(n)=2 . Then if given x and s = (s1 ::: sd=2 ), one can nd an x0 = x so that h0s (x) = h0s (x0 ), then there exists an i so that xi;1 = x0i;1 and hsi (xi;1 ) = hsi (x0i;1 ), where the x0i 's are de ned analogously to the xi 's. Thus, we obtain a designated collision under hsi . The actual proof uses the hypothesis that it is hard to form designated collisions when one is also given the coins used in the generation of the preimage (and not merely the preimage itself). Speci cally, we construct an algorithm that forms designated collision under one of the hsi 's, when given not only xi;1 but rather also x0 (which yields xi;1 as above). The following details are quite tedious, and merely provide an implementation of the above idea. As stated, the proof is by a reducibility argument. We are given a probabilistic polynomial-time algorithm A0 that forms designated collisions under 0 hs , with respect to preimages produced by a deterministic polynomial-time algorithm A00 that maps p0 (n)-bit strings to n-bit strings. We construct algorithms A0 and A such that A forms designated collisions under hs with respect to preimages produced by algorithm A0 , which maps p(n)-bit strings to n-bit strings, for a suitable polynomial p. Speci cally, p : N N is 1-1 and p(n) p0 (d;1 (2d(n))) + n + n d;1 (2d(n)). We start with the description of A0 that is, the algorithm that generates preimages of hs . Intuitively, A0 selects a random j , uses A00 to obtain a 0 preimage x0 of hs , generates random s0 ::: sj;1 , and outputs a preimage xj;1 of hsj , computed by xi = hsi (xi;1 ) for i = 1 ::: j 1. 
(Algorithm A will be given xj;1 and a random hsj 1 and will try to form a collision with xj;1 under hsj 1 .) Speci cally, on input r 0 1 p(n), algorithm A0 proceeds as follows, where q(n) def d;1 (2d(n)). = b c 6 6 f g f g ! f g f g f g ; ; ; Proof Sketch: Intuitively, a designated collision under h0s1 ::: sd=2 yields a desig- 2 f g Write r = r1 r2 r3 so that r1 = n and r3 = p0 (q(n)). (1) Using r1 , determine m in n + 1 ::: n q(n) and j 1 ::: q(n) so that both m and j are almost uniformly distributed in the corresponding sets. Pbd(n )=2c ;1 0 (2) Compute the largest integer n0 so that m d (d(n ) + 1 i). i=1 (3) If d;1 (d(n0 ) + 1 j ) = n then output the d(n)-bit long su x of r3 . (Comment: the output in this case is immaterial to our proof.) (4) Otherwise (i.e., n = d;1 (d(n0 ) + 1 j ), which is the case we care about), do: (4.1) Let s0 s1 sj;1 be a pre x of r2 so that Pbd(n )=2c ;1 0 s0 = m d (d(n ) + 1 i), i=1 and si = d;1 (d(n0 ) + 1 i), for i = 1 ::: j 1. (4.2) Let x0 A00 (r0 ), where r0 is the p0 (d;1 (d(n0 )))-bit long su x of r3 . (4.3) For i = 1 ::: j 1, compute xi hsi (xi;1 ). Output xj;1 . j j j j f g 2 f g 0 ; ; 6 ; 0 j j ; ; j j ; ; ; As stated above, we only care about the case in which Step (4) is applied. This case occurs with noticeable probability, and the description of the following algorithm A refers to it. Algorithm A will be given xj;1 as produced above 544 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION (along with (or actually only) the coins used in its generation) as well as a random hsj 1 and will try to form a collision with xj;1 under hsj 1 . On input s 0 1 n and r 0 1 p(n), algorithm A proceeds as follows. (1{2) Using r, determine m, j and n0 exactly as done by A0 . (3) If d;1 (d(n0 ) + 1 j ) = n then abort. (4) Otherwise (i.e., n = d;1 (d(n0 ) + 1 j )), do: (4.1) Determine s0 s1 ::: sj;1 and r0 exactly as A0 does in Step (4). 
(4.2) Uniformly select sj+1 ::: sbd(n )=2c so that si 0 1 d 1(d(n )+1;i) , and set s0 = s0 s1 ::: sj;1 s sj+1 ::: sbd(n )=2c . (4.3) Invoke A0 on input (s0 r0 ), and output whatever A0 does. Clearly, if algorithms A0 and A00 run in polynomial-time then so do A and A0 . We now lower bound the probability that A succeeds to form designated collisions under hs , with respect to preimages produced by A0 . We start from the contradiction hypothesis by which the corresponding probability for A0 (w.r.t A00 ) is non-negligible. Let use denote by "0 (m) the success probability of A0 on uniformly distributed input (s0 r0 ) 0 1 m 0 1 p (m) . Let n0 be the largest integer so that m Pbd(n )=2c ;1 0 d (d(n ) + 1 i). Then, there exists a j 1 ::: d(n0) so that with i=1 probability at least "0 (m)=d0 (n0 ) on input (s0 r0 ), where s0 = s0 s1 ::: sbd(n )=2c as above, A0 outputs an x0 = x def A00 (r0 ) so that hsj 1 ( (hs1 (x0 ) ) = = hsj 1 ( (hs1 (x0 ) ) and hsj ( (hs1 (x0 ) ) = hsj ( (hs1 (x0 ) ). Fixing this m, j and n0 , let n = d;1 (d(n0 ) + 1 j ), consider what happens when A is invoked on uniformly distributed (s r) 0 1 n 0 1 p(n). With probability at least 1=m2 over the possible r's, the values of m and j are determined to equal the above. Conditioned on this case, A0 is invoked on uniformly distributed input (s0 r0 ) 0 1 m 0 1 p (m) , and so a collision at the j th hashing function occurs with probability at least "0 (m)=d0 (n0 ). Note that m = poly(n) and d0 (n0 ) = poly(n). This implies that A succeeds with probability at least "(n) def m" dmn ) = " (poly(n)) , with respect to preimages produced by A0 . Thus, = 2 ( () poly(n) 0 is non-negligible then so is ", and the proposition follows. 
if " 2 ; ; 2 f g 2 f g ; 6 ; 0 2 f g ; 0 0 f g 2 f g f g 0 0 ; 2 f g 0 6 ; 6 ; ; 2 f g f g 2 f g f g 0 0 0 0 0 any (d d=2)-UOWHF in order to construct \quasi UOWHFs" that are applicable to any input length but shrink each input to half its length (rather than to a xed length that only depends on the function description). The resulting construct does not t De nition 6.4.19, since the function's output length depends on the function's input length, but the function can be applied to any input length (rather than only to a single length determined by the function's description). Yet, the resulting construct yields a (d0 d0 =2)-UOWHF for any polynomiallybounded function d0 (e.g., d0 (n) = n2 ), whereas in Construction 6.4.22 the function d0 is xed and satis es d0 (n) n. The construction itself amounts to parsing the input into blocks and applying the same (d d=2)-UOWHF to each block. Step III: Constructing (length-unrestricted) quasi-UOWHFs that shrink their input by a factor of two. The third step on our way consists of using 6.4. CONSTRUCTIONS OF SIGNATURE SCHEMES 545 d(jsj) ! Construction 6.4.24 (a (d0 d0 =2)-UOWHF for any d0): Let hs : 0 1 f 01 s2f0 1g , where d : N ! N is onto and non-decreasing. Then, for every s 2 f0 1gn and every x 2 f0 1g , we de ne j j j j ; bd(jsj)=2c g g f f g h0s (x) def hs (x1 ) hs (xt 10d(n);jxtj;1 ) = where x = x1 xt , 0 xt < d(n) and xi = d(n) for i = 1 ::: t 1. The index selection algorithm of h0s is identical to the one of hs . f g f g Clearly, Construction 6.4.24 satis es Conditions 1 and 2 of De nition 6.4.18, provided that hs satis es the corresponding conditions of De nition 6.4.19. We thus focus of the hardness to form designated collisions property. Proposition 6.4.25 Suppose that hs s2f0 1g is a (d d=2)-UOWHF, where d : N N is onto, non-decreasing and su ciently-growing. Then Construction 6.4.22 satis es Condition 3 of De nition 6.4.18. 
Proof Sketch: Intuitively, a designated collision under $h'_s$ yields a designated collision under $h_s$. That is, consider the parsing of each string into blocks of length $d(n)$, as in the above construction. Then if given $x = x_1 \cdots x_t$ and $s$, one can find an $x' = x'_1 \cdots x'_{t'} \neq x$ so that $h'_s(x) = h'_s(x')$, then $t' = t$ and there exists an $i$ such that $x_i \neq x'_i$ and $h_s(x_i) = h_s(x'_i)$.

The actual proof is by a reducibility argument. Given a probabilistic polynomial-time algorithm $A'$ that forms designated collisions under $h'_s$, with respect to preimages produced by a deterministic polynomial-time algorithm $A''$, we construct algorithms $A_0$ and $A$ such that $A$ forms designated collisions under $h_s$ with respect to preimages produced by algorithm $A_0$. Specifically, algorithm $A_0$ invokes $A''$, and uses extra randomness (supplied in its input) to uniformly select one of the $d(n)$-bit long blocks in the standard parsing of the output of $A''$. That is, the random-tape used by algorithm $A_0$ has the form $(r', i)$, and $A_0$ outputs the $i$th block in the parsing of the string $A''(r')$. Algorithm $A$ is obtained analogously. That is, given $s \in \{0,1\}^n$ and coins $r = (r', i)$ used by $A_0$, algorithm $A$ invokes $A'$ on input $s$ and $r'$, obtains the output $x'$, and outputs the $i$th block in the standard parsing of $x'$. Note that whenever we have a collision under $h'_s$ (i.e., a pair $x \neq x'$ such that $h'_s(x) = h'_s(x')$), we obtain at least one collision under the corresponding $h_s$ (i.e., for some $i$, the $i$th blocks of $x \neq x'$ differ, and yet both are mapped by $h_s$ to the same image). Thus, if algorithm $A'$ succeeds (in forming designated collisions w.r.t. $h'_s$) with probability $\varepsilon'(n)$ then algorithm $A$ succeeds (in forming designated collisions w.r.t. $h_s$) with probability at least $\varepsilon'(n)/t(n)$, where $t(n)$ is a bound on the running-time of $A'$ (which also upper-bounds the length of the output of $A'$, and so $1/t(n)$ is a lower bound on the probability that the colliding strings differ in a certain uniformly selected block).
The proposition follows. □

Step IV: Full-fledged UOWHFs. The last step on our way consists of using any quasi-UOWHFs as constructed (in Step III) above to obtain full-fledged UOWHFs. That is, we use quasi-UOWHFs that are applicable to any input length but shrink each input to half its length (rather than to a fixed length that only depends on the function description). The resulting construct is a UOWHF (as defined in Definition 6.4.18). The construction is obtained by composing a sequence of (different) quasi-UOWHFs; that is, the following construction is analogous to Construction 6.4.22.

Construction 6.4.26 (a UOWHF): Let $\{h_s : \{0,1\}^* \to \{0,1\}^*\}_{s \in \{0,1\}^*}$, so that $|h_s(x)| \leq |x|/2$, for all $x$'s. Then, for every $s_1, \ldots, s_n \in \{0,1\}^n$, every $t \in \mathbb{N}$ and $x \in \{0,1\}^{2^t \cdot n}$, we define
$$h'_{s_1, \ldots, s_n}(x) \stackrel{\rm def}{=} h_{s_t}(\cdots h_{s_2}(h_{s_1}(x)) \cdots)$$
That is, we let $x_0 \stackrel{\rm def}{=} x$, and $x_i = h_{s_i}(x_{i-1})$, for $i = 1, \ldots, t$. Strings $x$ of length that is not of the form $2^t \cdot n$ are padded into such strings in a standard manner. We refer to an index selection algorithm that, on input $1^m$, determines $n = \lfloor \sqrt{m} \rfloor$, uniformly selects $s_1, \ldots, s_n \in \{0,1\}^n$ and $s_0 \in \{0,1\}^{m - n^2}$, and lets $h'_{s_0, s_1, \ldots, s_n} \stackrel{\rm def}{=} h'_{s_1, \ldots, s_n}$.

Proposition 6.4.27: Suppose that $\{h_s\}_{s \in \{0,1\}^*}$ satisfies the conditions of Definition 6.4.18, except that it maps arbitrary input strings to outputs having half the length (rather than a length determined by $|s|$). Then Construction 6.4.26 constitutes a collection of UOWHFs.

The proof of Proposition 6.4.27 is omitted because it is almost identical to the proof of Proposition 6.4.23. Note that $h'_{s_0, s_1, \ldots, s_n} : \{0,1\}^* \to \{0,1\}^n$, and that $|s_0, s_1, \ldots, s_n| = m < (n+1)^2$.

Conclusion: Combining the above four steps, we obtain a construction of (full-fledged) UOWHFs (based on any one-way permutation).

Theorem 6.4.28: If one-way permutations exist then universal one-way hash functions exist.
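As an added illustration, not part of the book's text, the following Python code implements the block parsing of Construction 6.4.24 (Step III) and the level-wise composition of Construction 6.4.26 (Step IV). The compressing functions `toy_block_hash` and `toy_halve` are constructed stand-ins built from SHA-256 and SHAKE-256 so that the code runs; they satisfy the length requirements the constructions place on $h_s$ but are not proven UOWHFs. `pad_to_power` is one concrete choice for the "standard manner" of padding that the construction leaves open, and `select_index` follows the index selection algorithm stated with Construction 6.4.26.

```python
import hashlib
import math
import secrets

# --- Construction 6.4.24: one (d, d/2)-UOWHF applied block-wise -------------
# toy_block_hash stands in for h_s : {0,1}^d -> {0,1}^{floor(d/2)}. It is a
# constructed placeholder (truncated SHA-256 of s || block), not a proven UOWHF.
def toy_block_hash(s: bytes, block: str) -> str:
    digest = hashlib.sha256(s + block.encode()).digest()
    bits = ''.join(format(b, '08b') for b in digest)
    return bits[: len(block) // 2]

def parse_blocks(x: str, d: int) -> list:
    """Standard parsing: x = x_1 ... x_t with |x_i| = d for i < t and
    0 <= |x_t| < d; the final (possibly empty) block becomes x_t 1 0^(d-|x_t|-1).
    Always appending the 1 makes the parsing injective."""
    t = len(x) // d + 1                       # there is always one final partial block
    blocks = [x[(i - 1) * d:i * d] for i in range(1, t)]
    last = x[(t - 1) * d:]                    # 0 <= |x_t| < d
    blocks.append(last + '1' + '0' * (d - len(last) - 1))
    return blocks

def quasi_uowhf(s: bytes, x: str, d: int) -> str:
    """h'_s(x) = h_s(x_1) ... h_s(x_t 1 0^...): the same function on every block."""
    return ''.join(toy_block_hash(s, b) for b in parse_blocks(x, d))

# --- Construction 6.4.26: compose different halving functions --------------
# toy_halve stands in for a quasi-UOWHF with |h_s(x)| = |x|/2 exactly
# (SHAKE-256 output of half the input length; again a constructed stand-in).
def toy_halve(s: bytes, x: str) -> str:
    nbytes = math.ceil(len(x) / 16)           # half the bits, rounded up to whole bytes
    digest = hashlib.shake_256(s + x.encode()).digest(nbytes)
    bits = ''.join(format(b, '08b') for b in digest)
    return bits[: len(x) // 2]

def select_index(m: int) -> tuple:
    """Index selection on input 1^m: n = floor(sqrt(m)), s_1..s_n of n bits each
    (stored as ceil(n/8) bytes) and s_0 of m - n^2 bits, which is unused padding."""
    n = math.isqrt(m)
    keys = [secrets.token_bytes(math.ceil(n / 8)) for _ in range(n)]
    s0 = secrets.token_bytes(math.ceil((m - n * n) / 8))
    return n, keys, s0

def pad_to_power(x: str, n: int) -> str:
    """Injective padding (append 1 then 0s) up to the next length 2^t * n > |x|."""
    target = n
    while target <= len(x):
        target *= 2
    return x + '1' + '0' * (target - len(x) - 1)

def uowhf(n: int, keys: list, x: str) -> str:
    """h'_{s_1..s_n}(x): x_i = h_{s_i}(x_{i-1}) until the length reaches n."""
    x = pad_to_power(x, n)
    level = 0
    while len(x) > n:
        x = toy_halve(keys[level], x)         # a different key at every level
        level += 1
    return x
```

Note that `uowhf` consumes one key per halving level, so the $n$ keys selected on input $1^m$ suffice for inputs shorter than $2^n \cdot n$ bits.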
That is, Theorem 6.4.28 follows by combining Propositions 6.4.21, 6.4.23, 6.4.25 and 6.4.27.

Note that the only barrier towards constructing UOWHF based on arbitrary one-way functions is Proposition 6.4.21, which refers to one-way permutations. Thus, if we wish to construct UOWHF based on any one-way function then we need to present an alternative construction of $(d, d-1)$-UOWHF (i.e., an alternative to Construction 6.4.20, which fails in case $f$ is 2-to-1).$^{29}$ Such a construction is actually known, and so the following result is known to hold (but is not proven here):

Theorem 6.4.29: Universal one-way hash functions exist if and only if one-way functions exist.

We stress that the difficult direction is the one referred to above (i.e., from one-way functions to UOWHF collections). For the much easier converse, see Exercise 15.

$^{29}$ For example, if $f(\sigma, x') = (0, f'(x'))$, for $\sigma \in \{0,1\}$, then forming designated collisions under Construction 6.4.20 is easy: Given $(0, x')$, one outputs $(1, x')$, and indeed a collision is formed already under $f$.

6.4.3.3 One-time signature schemes based on UOWHF

Using universal one-way hash functions, we present an alternative construction of one-time signature schemes based on length-restricted one-time signature schemes. Specifically, we replace Construction 6.2.6, in which collision-free hashings were used, by the following construction, in which universal one-way hash functions are used instead. The difference between the two constructions is that here the (description of the) hashing function is not a part of the signing and verification keys, but is rather selected on the fly by the signing algorithm (and appears as part of the signature). Furthermore, the description of the hash function is being authenticated (by the signer) together with the hash value. It follows that the forging adversary, which is unable to break the length-restricted one-time signature scheme, must form a designated collision (rather than an arbitrary one).
However, the latter is infeasible too (by virtue of the UOWHF collection in use). We comment that the same (new) construction is applicable to length-restricted signature schemes (rather than to one-time ones); we stress that, in this case, a new hashing function is selected at random each time the signing algorithm is applied. In fact, we present the more general construction.

Construction 6.4.30 (the hash and sign paradigm, revisited): Let $\ell, \ell' : \mathbb{N} \to \mathbb{N}$ such that $\ell(n) = \ell'(n) + n$. Let $(G, S, V)$ be an $\ell$-restricted signature scheme as in Definition 6.2.1, and $\{h_r : \{0,1\}^* \to \{0,1\}^{\ell'(|r|)}\}_{r \in \{0,1\}^*}$ be a collection of functions with an indexing algorithm $I$ (as in Definition 6.4.18). We construct a general signature scheme, $(G', S', V')$, with $G'$ identical to $G$, as follows:

signing with $S'$: On input a signing-key $s \in G'_1(1^n)$ and a document $\alpha \in \{0,1\}^*$, algorithm $S'$ proceeds in two steps:
1. Algorithm $S'$ invokes $I$ to obtain $\beta_1 \leftarrow I(1^n)$.
2. Algorithm $S'$ invokes $S$ to produce $\beta_2 \leftarrow S_s(\beta_1, h_{\beta_1}(\alpha))$.
Algorithm $S'$ outputs the signature $(\beta_1, \beta_2)$.

verification with $V'$: On input a verifying-key $v \in G'_2(1^n)$, a document $\alpha \in \{0,1\}^*$, and an alleged signature $(\beta_1, \beta_2)$, algorithm $V'$ invokes $V$, and outputs $V_v((\beta_1, h_{\beta_1}(\alpha)), \beta_2)$.

Recall that secure $\ell$-restricted one-time signature schemes exist for any polynomial $\ell$, provided that one-way functions exist. Thus, the fact that Construction 6.4.30 requires $\ell(n) > n$ is not a problem. In applying Construction 6.4.30, one should first choose a family of UOWHFs $\{h_r : \{0,1\}^* \to \{0,1\}^{\ell'(|r|)}\}_{r \in \{0,1\}^*}$, then determine $\ell(n) = \ell'(n) + n$, and use a corresponding secure $\ell$-restricted one-time signature scheme.

Let us pause to compare Construction 6.2.6 with Construction 6.4.30. Recall that in Construction 6.2.6 the function description $\beta_1 \leftarrow I(1^n)$ is produced (and fixed as part of both keys) by the key-generation algorithm.
Thus, the function description $\beta_1$ is trivially authenticated (i.e., by merely being part of the verification-key). Consequently, in Construction 6.2.6, the $S'$-signature (of $\alpha$) equals $S_s(h_{\beta_1}(\alpha))$. In contrast, in Construction 6.4.30 a fresh new (function description) $\beta_1$ is selected per each signature, and thus $\beta_1$ needs to be authenticated. Hence, the $S'$-signature equals the pair $(\beta_1, S_s(\beta_1, h_{\beta_1}(\alpha)))$. Since we want to be able to use (length-restricted) one-time signatures, we let the signing algorithm authenticate both $\beta_1$ and $h_{\beta_1}(\alpha)$ via a single signature. (Alternatively, we could have used two instances of the signature scheme $(G, S, V)$, one for signing the function description $\beta_1$, and the other for signing the hash value $h_{\beta_1}(\alpha)$.)

Proposition 6.4.31: Suppose that $(G, S, V)$ is a secure $\ell$-restricted signature scheme and that $\{h_r : \{0,1\}^* \to \{0,1\}^{\ell(|r|) - |r|}\}_{r \in \{0,1\}^*}$ is a collection of UOWHFs. Then $(G', S', V')$, as defined in Construction 6.4.30, is a secure (full-fledged) signature scheme. Furthermore, if $(G, S, V)$ is only a secure $\ell$-restricted one-time signature scheme then $(G', S', V')$ is a secure one-time signature scheme.

Proof Sketch: The proof follows the underlying principles of the proof of Proposition 6.2.7. That is, forgery with respect to $(G', S', V')$ yields either forgery with respect to $(G, S, V)$ or a collision under the hash function, where in the latter case a designated collision is formed (in contradiction to the hypothesis regarding the UOWHF). For the furthermore-part, the observation underlying the proof of Proposition 6.4.7 still holds (i.e., the number of queries made by the forger constructed for $(G, S, V)$ equals the number of queries made by the forger assumed (towards the contradiction) for $(G', S', V')$). Details follow.

Given an adversary $A'$ attacking the complex scheme $(G', S', V')$, we construct an adversary $A$ that attacks the $\ell$-restricted scheme, $(G, S, V)$. The adversary $A$ uses $I$ (the indexing algorithm of the UOWHF collection) and its oracle $S_s$ in order to emulate the oracle $S'_s$ for $A'$.
This is done in a straightforward manner; that is, algorithm $A$ emulates $S'_s$ by using the oracle $S_s$ (exactly as $S'_s$ actually does). Specifically, to answer query $q$, algorithm $A$ generates $a_1 \leftarrow I(1^n)$, forwards $(a_1, h_{a_1}(q))$ to its own oracle (i.e., $S_s$), and answers with $(a_1, a_2)$, where $a_2 = S_s(a_1, h_{a_1}(q))$. (We stress that $A$ issues a single $S_s$-query per each $S'_s$-query made by $A'$.) When $A'$ outputs a document-signature pair relative to the complex scheme $(G', S', V')$, algorithm $A$ tries to use it in order to form a document-signature pair relative to the $\ell$-restricted scheme, $(G, S, V)$. That is, if $A'$ outputs the document-signature pair $(\alpha, \beta)$, where $\beta = (\beta_1, \beta_2)$, then $A$ will output the document-signature pair $(\alpha_2, \beta_2)$, where $\alpha_2 \stackrel{\rm def}{=} (\beta_1, h_{\beta_1}(\alpha))$.

Assume that with (non-negligible) probability $\varepsilon'(n)$, the (probabilistic polynomial-time) algorithm $A'$ succeeds in existentially forging relative to the complex scheme $(G', S', V')$. Let $(\alpha^{(i)}, \beta^{(i)})$ denote the $i$th query and answer pair made by $A'$, and $(\alpha, \beta)$ be the forged document-signature pair that $A'$ outputs (in case of success), where $\beta^{(i)} = (\beta_1^{(i)}, \beta_2^{(i)})$ and $\beta = (\beta_1, \beta_2)$. We consider the following two cases regarding the forging event:

Case 1: $(\beta_1, h_{\beta_1}(\alpha)) \neq (\beta_1^{(i)}, h_{\beta_1^{(i)}}(\alpha^{(i)}))$ for all $i$'s. (That is, the $S_s$-signed value in the forged signature (i.e., $(\beta_1, h_{\beta_1}(\alpha))$) is different from all queries made to $S_s$.) In this case, the document-signature pair $((\beta_1, h_{\beta_1}(\alpha)), \beta_2)$ constitutes a success in existential forgery relative to the $\ell$-restricted scheme $(G, S, V)$.

Case 2: $(\beta_1, h_{\beta_1}(\alpha)) = (\beta_1^{(i)}, h_{\beta_1^{(i)}}(\alpha^{(i)}))$ for some $i$. (That is, the $S_s$-signed value used in the forged signature equals the $i$th query made to $S_s$, although $\alpha \neq \alpha^{(i)}$.) Thus, $\beta_1 = \beta_1^{(i)}$ and $h_{\beta_1}(\alpha) = h_{\beta_1^{(i)}}(\alpha^{(i)})$, although $\alpha \neq \alpha^{(i)}$.
In this case, the pair $(\alpha^{(i)}, \alpha)$ forms a designated collision under $h_{\beta_1^{(i)}}$ (and we do not obtain success in existential forgery relative to the $\ell$-restricted scheme). We stress that $A'$ selects $\alpha^{(i)}$ before it is given the description of the function $h_{\beta_1^{(i)}}$, and thus its ability to later produce $\alpha \neq \alpha^{(i)}$ such that $h_{\beta_1}(\alpha) = h_{\beta_1^{(i)}}(\alpha^{(i)})$ yields a violation of the UOWHF property.

Thus, if Case 1 occurs with probability at least $\varepsilon'(n)/2$ then $A$ succeeds in its attack on $(G, S, V)$ with probability at least $\varepsilon'(n)/2$, which contradicts the security of the $\ell$-restricted scheme $(G, S, V)$. On the other hand, if Case 2 occurs with probability at least $\varepsilon'(n)/2$ then we derive a contradiction to the difficulty of forming designated collisions with respect to $h_r$. Details regarding Case 2 follow.

We start with a sketch of the construction of an algorithm that attempts to form designated collisions under a randomly selected hash function. Loosely speaking, we construct an algorithm $B'$ that tries to form designated collisions by emulating the attack of $A'$ on a random instance of $(G', S', V')$ that $B'$ selects by itself. Thus, $B'$ can easily answer any signing-query referred to it by $A'$, but in one of these queries (the index of which $B'$ selects at random) algorithm $B'$ will use a hash function given to it by the outside (rather than generating such a function at random by itself). In case $A'$ forges a signature while using this specific function-value pair (as in Case 2), algorithm $B'$ obtains and outputs a designated collision.

We now turn to the actual construction of algorithm $B'$ (which attempts to form designated collisions under a randomly selected hash function). Recall that such an algorithm operates in three stages (see discussion preceding Definition 6.7): first the algorithm selects a preimage $x$, next it is given a description of a function $h$, and finally it is required to output $x' \neq x$ such that $h(x') = h(x)$.
We stress that the third stage in the attack is also given the random choices made while producing the preimage $x$ in the first stage. Indeed, on input $1^n$, algorithm $B'$ proceeds in three stages:

Stage 1: Algorithm $B'$ selects uniformly $i \in \{1, \ldots, t(n)\}$, where $t(n)$ bounds the running-time of $A'(G'_1(1^n))$ (and thus the number of queries it makes). Next $B'$ selects $(s, v) \leftarrow G'(1^n)$, and emulates the attack of $A'(v)$ on $S'_s$, answering the queries to $S'_s$ as follows. All queries except the $i$th one are emulated in the straightforward manner (i.e., by executing the program of $S'_s$ as stated). That is, for $j \neq i$, the $j$th query, denoted $\alpha^{(j)}$, is answered by producing $\beta_1^{(j)} \leftarrow I(1^n)$, computing $\beta_2^{(j)} \leftarrow S_s(\beta_1^{(j)}, h_{\beta_1^{(j)}}(\alpha^{(j)}))$ (using the knowledge of $s$), and answering with the pair $(\beta_1^{(j)}, \beta_2^{(j)})$. The $i$th query of $A'$, denoted $\alpha^{(i)}$, will be used as the designated preimage. Once $\alpha^{(i)}$ is issued (by $A'$), algorithm $B'$ completes its first stage (without answering this query), and the rest of the emulation of $A'$ will be conducted by the third stage of $B'$.

Stage 2: At this point (i.e., after $B'$ has selected the designated preimage $\alpha^{(i)}$), $B'$ obtains a description of a random hashing function $h_r$ (thus completing its second operation stage). That is, this stage consists of $B'$ being given $r \leftarrow I(1^n)$.

Stage 3: Next, algorithm $B'$ answers the $i$th query (i.e., $\alpha^{(i)}$) by applying $S_s$ to the pair $(r, h_r(\alpha^{(i)}))$. Subsequent queries are emulated in the straightforward manner (as explained above). When $A'$ halts, $B'$ checks whether $A'$ has output a valid document-signature pair $(\alpha, \beta)$ as in Case 2 (i.e., $h_r(\alpha) = h_r(\alpha^{(j)})$ for some $j$), and whether the collision formed is indeed on the $i$th query (i.e., $h_r(\alpha) = h_r(\alpha^{(i)})$). When this happens, $B'$ outputs $\alpha$, and in doing so it has succeeded in forming a designated collision (with $\alpha^{(i)}$ under $h_r$).
Now, if Case 2 occurs with probability at least $\varepsilon'(n)/2$ (and $A'$ makes at most $t(n)$ queries) then $B'$ succeeds in forming a designated collision with probability at least $\frac{1}{t(n)} \cdot \frac{\varepsilon'(n)}{2}$, which contradicts the hypothesis that $h_r$ is a UOWHF.

The furthermore part of the proposition follows by observing that if the forging algorithm $A'$ makes at most one query then the same holds for the algorithm $A$ constructed above. Thus, if $(G', S', V')$ can be broken via a single-message attack then either $(G, S, V)$ can be broken via a single-message attack or one can form designated collisions (w.r.t. $h_r$). In both cases, we reach a contradiction.

Conclusion: Combining the furthermore-part of Proposition 6.4.31, Corollary 6.4.6, and the fact that UOWHF collections imply one-way functions (see Exercise 15), we obtain:

Theorem 6.4.32: If there exist universal one-way hash functions then secure one-time signature schemes exist too.

6.4.3.4 Conclusions and comments

Combining Theorems 6.4.28, 6.4.32 and 6.4.9, we obtain:

Corollary 6.4.33: If one-way permutations exist then there exist secure signature schemes.

Like Corollary 6.4.10, Corollary 6.4.33 asserts the existence of secure (public-key) signature schemes, based on an assumption that does not mention trapdoors. Furthermore, the assumption made in Corollary 6.4.33 seems weaker than the one made in Corollary 6.4.10. We can further weaken the assumption by using Theorem 6.4.29 (which was stated without a proof) rather than Theorem 6.4.28. Specifically, combining Theorems 6.4.29, 6.4.32 and 6.4.9, we establish Theorem 6.4.1. That is, secure signature schemes exist if and only if one-way functions exist.

Comment: the hash-and-sign paradigm, revisited. We wish to highlight the revised version of the hash-and-sign paradigm as underlying Construction 6.4.30. Similar to the original instantiation of the hash-and-sign paradigm (i.e., Construction 6.2.6), Construction 6.4.30 is useful in practice.
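To make Construction 6.4.30 concrete, the following Python code is an added example and not the book's own: an HMAC-based MAC stands in for the $\ell$-restricted scheme $(G, S, V)$ (a private-key signature scheme), a truncated SHA-256 of $r \| \alpha$ stands in for the collection $\{h_r\}$ (a placeholder, not a proven UOWHF), and the byte lengths `N_BYTES`, `L_PRIME` and `L` are chosen so that $\ell(n) = \ell'(n) + n$ holds. The base scheme refuses inputs of any other length, which is exactly why the fresh index $\beta_1$ must be signed together with the hash value rather than sent unauthenticated.

```python
import hashlib
import hmac
import os

N_BYTES = 16                  # n = 128 bits: length of a hash-function index r
L_PRIME = 16                  # l'(n) = 128 bits: output length of h_r
L = L_PRIME + N_BYTES         # l(n) = l'(n) + n: the only length the base scheme accepts

# Stand-in for the l-restricted scheme (G, S, V): an HMAC that signs messages
# of exactly L bytes. Constructed for this example; private-key, so v = s.
def gen(n_bytes: int = 32) -> tuple:
    s = os.urandom(n_bytes)
    return s, s

def sign_restricted(s: bytes, m: bytes) -> bytes:
    if len(m) != L:
        raise ValueError("l-restricted scheme: message must be %d bytes" % L)
    return hmac.new(s, m, hashlib.sha256).digest()

def verify_restricted(v: bytes, m: bytes, tag: bytes) -> bool:
    if len(m) != L:
        return False
    return hmac.compare_digest(hmac.new(v, m, hashlib.sha256).digest(), tag)

# Stand-in for the collection {h_r} and its indexing algorithm I:
# h_r(a) = first L_PRIME bytes of SHA-256(r || a); I(1^n) picks a uniform r.
def index_select() -> bytes:
    return os.urandom(N_BYTES)

def h(r: bytes, a: bytes) -> bytes:
    return hashlib.sha256(r + a).digest()[:L_PRIME]

# Construction 6.4.30: S' picks a fresh index per signature and signs (b1, h_{b1}(a)).
def sign_prime(s: bytes, a: bytes) -> tuple:
    b1 = index_select()                      # step 1: fresh hash description
    b2 = sign_restricted(s, b1 + h(b1, a))   # step 2: authenticate b1 with the hash value
    return b1, b2

# V' recomputes h_{b1}(a) from the signature's own index and checks the base scheme.
def verify_prime(v: bytes, a: bytes, sig: tuple) -> bool:
    b1, b2 = sig
    if len(b1) != N_BYTES:
        return False                         # a malformed index can never have been signed
    return verify_restricted(v, b1 + h(b1, a), b2)
```

Because $\beta_1$ is regenerated on every call, two signatures of the same document differ in their first component; a verifier that accepted an index not covered by $\beta_2$ would reopen exactly the attack the proof of Proposition 6.4.31 rules out.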
We warn that using the latter construction requires verifying that $(G, S, V)$ is a secure $\ell$-restricted signature scheme and that $h_r$ is a UOWHF (rather than collision-free). The advantage of Construction 6.4.30 over Construction 6.2.6 is that the former relies on a seemingly weaker construct; that is, hardness of forming designated collisions (as in UOWHF) is a seemingly weaker condition than hardness of forming any collision (as in collision-free hashing). On the other hand, Construction 6.2.6 is simpler and more efficient (e.g., one need not generate a new hashing function per each signature).

6.5 * Additional Properties

We briefly discuss several properties of interest that some signature schemes enjoy. We first discuss properties that seem unrelated to the original purpose of signature schemes, but are useful towards utilizing signature schemes as a building block towards constructing other primitives (e.g., see Section 5.4.4.4). These (related) properties are having unique valid signatures and being super-secure, where the latter term indicates the infeasibility of finding a different signature even to a document for which a signature was obtained by the attack. We next turn to properties that offer some advantages in the originally-intended applications of signature schemes. Specifically, we consider properties that allow saving real time in some settings (see Sections 6.5.3 and 6.5.4), and a property supporting legitimate revoking of forged signatures (see Section 6.5.5).

6.5.1 Unique signatures

Loosely speaking, we say that a signature scheme $(G, S, V)$ (either a private-key or a public-key one) has unique signatures if for every possible verification-key $v$ and every document $\alpha$ there is a unique $\beta$ such that $V_v(\alpha, \beta) = 1$. Note that this property is related, but not equivalent, to the question of whether or not the signing algorithm is deterministic (which is considered in Exercise 1).
Indeed, if the signing algorithm is deterministic then, for every key pair $(s, v)$ and document $\alpha$, the result of applying $S_s$ to $\alpha$ is unique (and indeed $V_v(\alpha, S_s(\alpha)) = 1$). Still, this does not mean that there is no other $\beta$ (which is never produced by applying $S_s$ to $\alpha$) such that $V_v(\alpha, \beta) = 1$. On the other hand, the unique signature property may hold even in case the signing algorithm is randomized, but indeed in this case the randomization can be eliminated from the latter (e.g., by replacing it with a fixed sequence in case the signing algorithm always succeeds, or incorporating the coins in the signing-key (and possibly using a pseudorandom function) otherwise).

Can secure signature schemes have unique signatures? The answer is definitely affirmative, and in fact we have seen several such schemes in the previous sections. Specifically, all private-key signature schemes presented in Section 6.3 have unique signatures. Furthermore, every secure private-key signature scheme can be transformed into one having unique signatures (e.g., by combining deterministic signing as in Exercise 1 with canonical verification as in Exercise 2). Turning to public-key signature schemes, we observe that if the one-way function $f$ used in Construction 6.4.4 is 1-1, then the resulting secure length-restricted one-time (public-key) signature scheme has unique signatures (because each $f$-image has a unique preimage). In addition, Construction 6.2.6 (i.e., the basic hash-and-sign) preserves the unique signature property. Let us summarize all these observations.

Theorem 6.5.1 (secure schemes with unique signatures):
1. Assuming the existence of one-way functions, there exist secure message authentication schemes having the unique signature property.
2. Assuming the existence of 1-1 one-way functions, there exist secure length-restricted one-time (public-key) signature schemes having the unique signature property.
3.
Assuming the existence of 1-1 one-way functions and collision-free hashing collections, there exist secure one-time (public-key) signature schemes having the unique signature property.

Still, this leaves open the question of whether or not there exist secure (full-fledged) signature schemes having the unique signature property.

6.5.2 Super-secure signature schemes

In case the signature scheme does not possess the unique signature property, it makes sense to ask whether given a message-signature pair it is feasible to produce a different signature to the same message. More generally, we may ask whether it is feasible for a chosen message attack to produce a different signature to any of the messages to which it has obtained signatures. Such ability may be of concern in some applications (but, indeed, not in the most natural applications). Combining the new concern with the standard notion of security, we derive the following notion, which we call super-security. A signature scheme is called super-secure if it is infeasible for a chosen message attack to produce a valid message-signature pair that is different from all query-answer pairs obtained during the attack, regardless of whether or not the message used in the new pair equals one of the previous queries. (Recall that ordinary security only requires the infeasibility of producing a valid message-signature pair such that the message part is different from all queries made in the attack.)

Do super-secure signature schemes exist? Indeed, every secure signature scheme that has unique signatures is super-secure, but the question is whether super-security may hold for a signature scheme that does not possess the unique signature property. We answer this question affirmatively.

Theorem 6.5.2 (super-secure signature schemes): Assuming the existence of one-way functions, there exist super-secure (public-key) signature schemes.
In other words, super-secure signature schemes exist if and only if secure signature schemes exist. We comment that the signature scheme constructed in the following proof does not have the unique signature property.

Proof: Starting from (Part 2 of) Theorem 6.5.1, we can use any 1-1 one-way function to obtain super-secure length-restricted one-time signature schemes. However, wishing to use arbitrary one-way functions, we will first show that universal one-way hashing functions can be used (instead of 1-1 one-way functions) to obtain super-secure length-restricted one-time signature schemes. Next, we will show that super-security is preserved by two transformations presented in Section 6.4: specifically, the transformation of length-restricted one-time signature schemes into one-time signature schemes (specifically, Construction 6.4.30), and the transformation of the latter to (full-fledged) signature schemes (i.e., Construction 6.4.16). Applying these transformations (to the first scheme), we obtain the desired super-secure signature scheme. Recall that Construction 6.4.30 also uses universal one-way hashing functions, but the latter can be constructed using any one-way function (cf. Theorem 6.4.29).$^{30}$

Claim 6.5.2.1: If there exist universal one-way hashing functions then, for every polynomially-bounded $\ell : \mathbb{N} \to \mathbb{N}$, there exist super-secure $\ell$-restricted one-time signature schemes.

Proof sketch: We modify Construction 6.4.4 by using universal one-way hashing functions (UOWHFs) instead of one-way functions. Specifically, for each preimage placed in the signing-key, we select at random and independently a UOWHF, and place its description both in the signing and verification keys. That is,

$^{30}$ We comment that a simpler proof suffices in case we are willing to use a one-way permutation (rather than an arbitrary one-way function).
In this case, we can start from (Part 2 of) Theorem 6.5.1 (rather than prove Claim 6.5.2.1), and use Theorem 6.4.28 (rather than Theorem 6.4.29, which has a more complicated proof).

on input $1^n$, we uniformly select $s_1^0, s_1^1, \ldots, s_{\ell(n)}^0, s_{\ell(n)}^1 \in \{0,1\}^n$ and UOWHFs $h_1^0, h_1^1, \ldots, h_{\ell(n)}^0, h_{\ell(n)}^1$, and compute $v_i^j = h_i^j(s_i^j)$, for $i = 1, \ldots, \ell(n)$ and $j = 0, 1$. We let $s = ((s_1^0, s_1^1), \ldots, (s_{\ell(n)}^0, s_{\ell(n)}^1))$, $h = ((h_1^0, h_1^1), \ldots, (h_{\ell(n)}^0, h_{\ell(n)}^1))$, and $v = ((v_1^0, v_1^1), \ldots, (v_{\ell(n)}^0, v_{\ell(n)}^1))$, and output the key-pair $(s, v) = ((h, s), (h, v))$ (or, actually, we may set $(s, v) = (s, (h, v))$). Signing and verification are modified accordingly; that is, signing $\sigma_1 \cdots \sigma_\ell$ amounts to handing $(s_1^{\sigma_1}, \ldots, s_\ell^{\sigma_\ell})$, whereas $(\beta_1, \ldots, \beta_\ell)$ is accepted as a valid signature of $\sigma_1 \cdots \sigma_\ell$ (w.r.t. the verification-key $v$) if and only if $h_i^{\sigma_i}(\beta_i) = v_i^{\sigma_i}$ for every $i$.

In order to show that the resulting scheme is super-secure under a chosen one-message attack, we adapt the proof of Proposition 6.4.5. Specifically, fixing such an attacker $A$, we consider the event in which $A$ violated the super-security of the scheme. There are two cases to consider:

1. The valid signature formed by $A$ is to the same document for which $A$ has obtained a different signature (via its single query). In this case, for at least one of the UOWHFs contained in the verification-key, we obtain a preimage that is different from the one contained in the signing-key. Adapting the construction presented in the proof of Proposition 6.4.5, we obtain (in this case) ability to form designated collisions (in contradiction to the UOWHF property). We stress that the preimages contained in the signing-key are selected independently of the description of the UOWHFs (because both are selected independently by the key-generation process). In fact, we obtain a designated collision for a uniformly selected preimage.

2.
The valid signature formed by $A$ is to a document that is different from the one for which $A$ has obtained a signature (via its single query). In this case, the proof of Proposition 6.4.5 yields ability to invert a randomly selected UOWHF (on a randomly selected image), which contradicts the UOWHF property (as shown in Exercise 15).

Thus, in both cases we derive a contradiction, and the claim follows. □

Claim 6.5.2.2: Construction 6.4.30, when applied to a super-secure length-restricted signature scheme, yields a super-secure signature scheme. In case the length-restricted scheme is only super-secure under a chosen one-message attack, the same holds for the resulting (length-unrestricted) scheme.

Proof sketch: We follow the proof of Proposition 6.4.31, and use the same construction of a forger for the length-restricted scheme (based on the forger for the complex scheme). Furthermore, we consider the two forgery cases analyzed in the proof of Proposition 6.4.31:$^{31}$

Case 1: $(\beta_1, h_{\beta_1}(\alpha)) \neq (\beta_1^{(i)}, h_{\beta_1^{(i)}}(\alpha^{(i)}))$ for all $i$'s. In this case, the analysis is exactly as in the original proof. Note that it does not matter whether or not $\alpha \neq \alpha^{(i)}$, since in both subcases we obtain a valid signature for a new string with respect to the length-restricted signature scheme. Thus, in this case, we derive a violation of the (ordinary) security of the length-restricted scheme.

Case 2: $(\beta_1, h_{\beta_1}(\alpha)) = (\beta_1^{(i)}, h_{\beta_1^{(i)}}(\alpha^{(i)}))$ for some $i$.

$^{31}$ Recall that $(\alpha, \beta)$ denotes the document-signature pair output by the original forger (i.e., for the complex scheme), whereas $(\alpha^{(i)}, \beta^{(i)})$ denotes the $i$th query-answer pair (to that scheme). The document-signature pair that we output (as a candidate forgery w.r.t. the length-restricted scheme) is $(\alpha_2, \beta_2)$, where $\alpha_2 \stackrel{\rm def}{=} (\beta_1, h_{\beta_1}(\alpha))$ and $\beta = (\beta_1, \beta_2)$. Recall that a generic valid document-signature pair for the complex scheme has the form $(\alpha', \beta')$, where $\beta' = (\beta'_1, \beta'_2)$ satisfies $V_v((\beta'_1, h_{\beta'_1}(\alpha')), \beta'_2) = 1$.
The case $\alpha \neq \alpha^{(i)}$ was handled in the original proof (by showing that it yields a designated collision (under $h_{\beta_1^{(i)}}$, which is supposedly a UOWHF)), so here we only handle the case $\alpha = \alpha^{(i)}$. Now, suppose that super-security of the complex scheme was violated; that is, $(\beta_1, \beta_2) \neq (\beta_1^{(i)}, \beta_2^{(i)})$. Then, by the case hypothesis (which implies $\beta_1 = \beta_1^{(i)}$), it must be that $\beta_2 \neq \beta_2^{(i)}$. This means that we derive a violation of the super-security of the length-restricted scheme, because $\beta_2$ is a different valid $S_s$-signature of $(\beta_1, h_{\beta_1}(\alpha)) = (\beta_1^{(i)}, h_{\beta_1^{(i)}}(\alpha^{(i)}))$. Actually, we have to consider all $i$'s for which $(\beta_1, h_{\beta_1}(\alpha)) = (\beta_1^{(i)}, h_{\beta_1^{(i)}}(\alpha^{(i)}))$ holds, and observe that violation of super-security for the complex scheme means that $\beta_2$ must be different from each of the corresponding $\beta_2^{(i)}$'s. Alternatively, we may first prove that, with overwhelmingly high probability, all $\beta_1^{(i)}$'s must be distinct.

Thus, in both cases we reach a contradiction to the super-security of the length-restricted signature scheme, which establishes our claim that the general signature scheme must be super-secure. We stress that, like in Proposition 6.4.31, the above proof establishes that super-security for one-time attacks is preserved too (because the constructed forger makes a single query per each query made by the original forger). □

Claim 6.5.2.3: Construction 6.4.16, when applied to super-secure one-time signature schemes, yields super-secure signature schemes.

Proof sketch: We follow the proof of Proposition 6.4.17, which actually means following the proof of Proposition 6.4.15. Specifically, we use the same construction of a forger for the one-time scheme (based on the forger for the complex scheme). Furthermore, we consider the two forgery cases analyzed in the proof of Proposition 6.4.15:$^{32}$

1.
The first case is when the forged signature for the complex (general signature) scheme $(G', S', V')$ contains a signature relative to an instance of the one-time scheme $(G, S, V)$ associated with a leaf that has been authenticated in an answer given to some signing-query. If no oracle answer has used the instance associated with this leaf then (as in the proof of Proposition 6.4.15) we obtain (ordinary) forgery with respect to the instance of $(G, S, V)$ associated with the leaf (without making any query to that instance of the one-time scheme). Otherwise, by the case hypothesis, the forged document-signature pair differs from the query-answer pair that used the same leaf. The difference is either in the document part or in the part of the complex-signature that corresponds to the one-time signature produced at the leaf. In both subcases this yields violation of the super-security of the instance of $(G, S, V)$ associated with that leaf. Specifically, in the first subcase we obtain a one-time signature to a different document (i.e., violation of ordinary security), whereas in the second subcase we obtain a different one-time signature to the same document (i.e., only a violation of super-security). We stress that, in both subcases, the violating signature is obtained after making a single query to the instance of $(G, S, V)$ associated with that leaf.

2. We now turn to the second case (i.e., forgery with respect to $(G', S', V')$ is obtained by producing an authentication path different from all paths supplied by the signer). In this case, we obtain violation of the ordinary (one-time) security of the scheme $(G, S, V)$, exactly as in the original proof of Proposition 6.4.15.

$^{32}$ Recall that forging a signature for the general scheme requires either using an authentication path supplied by the (general) signing-oracle or producing an authentication path different from all paths supplied by the (general) signing-oracle.
We stress that in this case (regardless of which document is authenticated by the leaf), an internal node authenticates data that is di erent from the data authenticated by the signing-oracle, and thus we obtain forgery via a one-message attack on the instance of (G S V ) associated with this internal node. Thus, in both cases we reach a contradiction to the super-security of the onetime signature scheme, which establishes our claim that the general signature scheme must be super-secure. 2 Combining the three claims (and recalling that universal one-way hashing functions can be constructed using any one-way function (cf. Theorem 6.4.29)), the theorem follows. Loosely speaking, we say that a signature scheme (G S V ) (either a privatekey or a public-key one) has an o -line/on-line signing process if signatures are produced in two steps, where the rst step is independent of the actual message to be signed. That is, the computation of Ss ( ) can be decoupled into two steps, performed by randomized algorithms that are denoted S o and S on on respectively such that Ss ( ) Ss ( S o (s)). Thus, one may prepare (or precompute) S o (s) before the document is known (i.e., o -line), and produce the actual signature (on-line) once the document is presented is produced (by invoking algorithm S on on input S o (s)). This yields improvement in on-line response-time to signature requests, provided that S on is signi cantly 6.5.3 O -line/on-line signing 6.5. * ADDITIONAL PROPERTIES 557 faster that S itself. This improvement is worthwhile in many natural settings in which on-line response-time is more important than o -line processing time. We stress that S o must be randomized (as otherwise S o (s) can be incorporated in the signing-key). Indeed, one may view algorithm S o as an extension of the key-generation algorithm that produces random extensions of the signingkey on the y (i.e., after the veri cation-key was already determined). 
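The decoupling just described, as an added example that is not code from the book: the long-term scheme is taken to be a private-key one (an HMAC-SHA-256 tag under key k stands in for S_s) and the one-time scheme is a Lamport signature over SHA-256 digests; both concrete choices are assumptions of this example. S^off generates a fresh one-time key pair and authenticates its verification key under k, and S^on only releases one-time key halves, so the on-line step does no hashing beyond digesting the document.

```python
import hashlib
import hmac
import os

N = 256  # digest bits; the one-time key has one pair of preimages per bit


def H(data):
    return hashlib.sha256(data).digest()


def lamport_keygen():
    """Randomized one-time key generation: secret preimages and their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(N)]
    vk = [(H(x0), H(x1)) for x0, x1 in sk]
    return sk, vk


def digest_bits(digest):
    v = int.from_bytes(digest, "big")
    return [(v >> (N - 1 - i)) & 1 for i in range(N)]


def lamport_sign(sk, digest):
    """Reveal, for every digest bit, the matching preimage (no hashing needed)."""
    return [sk[i][b] for i, b in enumerate(digest_bits(digest))]


def lamport_verify(vk, digest, ots):
    return len(ots) == N and all(
        H(ots[i]) == vk[i][b] for i, b in enumerate(digest_bits(digest)))


def encode_vk(vk):
    return b"".join(h0 + h1 for h0, h1 in vk)


def s_off(k):
    """S^off(s): randomized and document-independent.  Generates a one-time key
    pair and authenticates its verification key under the long-term key k."""
    sk, vk = lamport_keygen()
    cert = hmac.new(k, encode_vk(vk), hashlib.sha256).digest()
    return {"sk": sk, "vk": vk, "cert": cert, "used": False}


def s_on(token, alpha):
    """S^on(alpha, S^off(s)): the cheap, document-dependent step.  A token is
    consumed once, because reusing a one-time key for two documents is insecure."""
    if token["used"]:
        raise ValueError("output of S^off already used for a signature")
    token["used"] = True
    return (token["vk"], token["cert"], lamport_sign(token["sk"], H(alpha)))


def verify(k, alpha, sig):
    """Check the long-term tag on the one-time key, then the one-time signature."""
    vk, cert, ots = sig
    expect = hmac.new(k, encode_vk(vk), hashlib.sha256).digest()
    return hmac.compare_digest(cert, expect) and lamport_verify(vk, H(alpha), ots)
```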
We stress that algorithm S^off is invoked once per each document to be signed, but this invocation can take place at any time and even before the document to be signed is determined. (In contrast, it may be insecure to re-use the result obtained from S^off for two different signatures.)

Can secure signature schemes employ meaningful off-line/on-line signing algorithms? Of course, any algorithm can be vacuously decoupled into two steps, but we are only interested in meaningful decouplings in which the off-line step takes most of the computational load. Interestingly, schemes based on the refreshing paradigm (cf. Section 6.4.2.1) lend themselves to such a decoupling. Specifically, in Construction 6.4.16, only the last step in the signing process depends on the actual document (and needs to be performed on-line). Furthermore, this last step amounts to applying the signing algorithm of a one-time signature scheme, which is typically much faster than all the other steps (which can be performed off-line).³³

Footnote 33: When plugging-in the one-time signature scheme suggested in Proposition 6.4.7, producing one-time signatures amounts to applying a collision-free hashing function and outputting corresponding parts of the signing-key. This is all that needs to be performed in the on-line step. In contrast, the off-line step calls for n applications of a pseudorandom function, n applications of the key-generation algorithm of the one-time signature scheme, and n applications of the signing algorithm of the one-time signature scheme.

6.5.4 Incremental signatures

Loosely speaking, we say that a signature scheme (G, S, V) (either a private-key or a public-key one) has an incremental signing process if the signing process can be sped-up when given a valid signature to a (textually) related document. The actual definition refers to a set of text editing operations such as delete word and insert word (where more powerful operations like cutting a document into two parts and pasting two documents may be supported too). Specifically, one may require that given a document-signature pair ( , ), a sequence of edit operations (i.e., specifying the operation type and its location), and the signing-key, one may modify the signature into a valid signature for the modified document in time proportional to the number of edit operations (and not to the length of the document). Indeed, here time is measured in a direct-access model of computation. Of course, the time saving on the signing side should not come at the expense of a significant increase in verification time. In particular, verification time should only depend on the length of the final document (and not on the number of edit operations).

An incremental signing process is beneficial in settings where one needs to sign many textually related documents (e.g., in simple contracts much of the text is almost identical and edit changes refer to the party's specific details as well as to specific clauses that are modified from their standard form in order to meet the party's specific needs). In some cases the privacy of the edit sequence may be of concern; that is, one may require that the final signature be distributed in a way that only depends on the final document (rather than depend also on documents that "contributed" signatures to the process of generating the final signature).

Can secure signature schemes employ a meaningful incremental signing process? Here meaningful refers to the set of supported text-modification operations. The answer is affirmative, and furthermore these schemes may even protect the privacy of the edit sequence. Below, we refer to edit operations that delete/insert fixed-length bit-strings called blocks from/to a document (as well as to the cut and paste operations mentioned above).

Theorem 6.5.3 (secure schemes with incremental signing process):

1.
Assuming the existence of one-way functions, there exist secure message authentication schemes having an incremental signing process that supports block deletion and insertion. Furthermore, the scheme uses a fixed-length authentication tag.

2. Assuming the existence of one-way functions, there exist secure (private-key and public-key) signature schemes having an incremental signing process that supports block deletion and insertion as well as cut and paste.

Furthermore, in both parts, the resulting schemes protect the privacy of the edit sequence.

Part 1 is proved by using a variant on an efficient message authentication scheme that is related to the schemes presented in Section 6.3.1. Part 2 is proved by using an arbitrary secure (private-key or public-key) signature scheme that produces n-bit long signatures to O(n)-bit long strings, where n is the security parameter. (Indeed, the scheme need only be secure in the O(n)-restricted sense.) The document is stored in the leaves of a 2-3 tree,³⁴ and the signature essentially consists of the tags of all internal nodes, where each internal node is tagged by applying the basic signature scheme to the tags of its children. One important observation is that a 2-3 tree supports the said operations while incurring only a logarithmic (in its size) cost; that is, modifying only the links of logarithmically many nodes in the tree. Thus, only the tags of these nodes and their ancestors in the tree need to be modified in order to form the correspondingly modified signature. (Privacy of the edit sequence is obtained by randomizing the standard modification procedure for 2-3 trees.) By analogy to Construction 6.2.13 (and Proposition 6.2.14), the incremental signature scheme is secure.

Footnote 34: A 2-3 tree is a balanced tree in which each internal node has either 2 or 3 children. Such trees support insert and delete (of a single symbol/leaf) in logarithmically many operations. To insert a leaf (in a depth d tree), add it as a child to the suitable level d − 1 vertex, denoted v. In case the resulting children-degree of v is 4, split v (evenly) into two vertices such that both the resulting vertices are children of v's parent. The parent may be split too, and so on until one gets to the root. If the root needs to be split then the height of the tree is incremented. To delete a leaf, we apply an analogous procedure. Namely, if the resulting parent and its siblings have total children-degree at least 4 then we rearrange these children so that each of the resulting parent nodes has children-degree either 2 or 3. In case the total children-degree is at most 3, we merge the parent and its sibling into one vertex and turn to its parent. Cutting and pasting of (sub)trees can be performed analogously.

6.5.5 Fail-stop signatures

Loosely speaking, a fail-stop signature scheme is a signature scheme augmented by a (non-interactive) proof system that allows the legitimate signer to prove to anybody that a particular (document, signature)-pair was not generated by him/her. Actually, key-generation involves interaction with an administrating entity (which publicizes the resulting verification-keys), rather than just having the user publicize his/her verification-key. In addition, we allow memory-dependent signing procedures (as in Definition 6.4.13).³⁵ The system guarantees the following four properties, where the first two properties are the standard ones:

1. Proper operation: In case the user is honest, the signatures produced by it will pass the verification procedure (with respect to the corresponding verification-key).

2. Infeasibility of forgery: In case the user is honest, forgery is infeasible in the standard sense. That is, every feasible chosen message attack may succeed (to generate a valid signature to a new message) only with negligible probability.

3. Revocation of forged signatures: In case the user is honest, it can prove that forgery has been committed (in case it was indeed committed). That is, for every chosen message attack (even a computationally-unbounded one)³⁶ that produces a valid signature to a new message, except for with negligible probability, the user can convince anyone (who knows the verification-key) that this valid signature was forged (i.e., produced by somebody else). The probability is taken over the actions of the (computationally-unbounded) adversary committing forgery.

4. Infeasibility of revoking unforged signatures: It is infeasible for a user to create a valid signature and later convince anybody that this signature was forged (i.e., produced by somebody else). Indeed, it is possible (but not feasible) for a user to cheat here.

Furthermore, Property 3 (i.e., revocation of forged signatures) holds also in case the administrating entity participates in the forgery and even if it behaves improperly at the key-generation stage. (In contrast, the other items hold only if the administrating entity behaves properly during the key-generation stage.)

Footnote 35: Allowing memory-dependent signing is essential to the existence of secure fail-stop signature schemes; see Exercise 21.

Footnote 36: It seems reasonable to restrict such adversaries to polynomially-many signing requests.

To summarize, fail-stop signature schemes allow one to prove that forgery has occurred, and so offer an information-theoretic security guarantee to the potential signers (yet the guarantee to potential signature-recipients is only a computational one).³⁷ In contrast, when following the standard semantics of signature schemes, the potential signers have only a computational security guarantee and the signature recipients have an absolute guarantee: whenever the verification algorithm accepts a signature, it is by definition an unrevocable one.
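Returning for a moment to the tree construction behind Theorem 6.5.3 (Section 6.5.4), as an added example that is not the book's construction: the document's blocks sit at the leaves of a 2-3 tree, every internal node is tagged by the basic scheme applied to its children's tags (here HMAC-SHA-256 stands in for the basic length-restricted scheme, an assumption of this example), and the signature is the tree of internal tags. Block insertion with the splitting procedure of footnote 34 re-tags only the nodes on one root-to-leaf path plus the nodes split along it, so the counter `retagged` stays logarithmic; the randomization that hides the edit sequence is not implemented.

```python
import hashlib
import hmac

BLOCK = 4  # fixed block length in bytes; edit operations act on whole blocks


class Node:
    """A leaf holds one block; an internal node holds 2 or 3 children."""
    def __init__(self, block=None, children=None):
        self.block = block
        self.children = children or []
        self.size = 1 if block is not None else sum(c.size for c in self.children)
        self.tag = block  # a leaf's tag is the block itself


class IncrementalMAC:
    def __init__(self, key, blocks):
        self.key = key
        self.retagged = 0  # internal tags recomputed so far (for measurement)
        self.root = Node(children=[Node(block=self._check(blocks[0]))])
        self._retag(self.root)
        for i, b in enumerate(blocks[1:], start=1):
            self.insert(i, b)

    @staticmethod
    def _check(block):
        if len(block) != BLOCK:
            raise ValueError("blocks must have length BLOCK")
        return block

    def _retag(self, node):
        """Apply the basic scheme to the concatenated tags of the children."""
        node.size = sum(c.size for c in node.children)
        data = b"".join(c.tag for c in node.children)
        node.tag = hmac.new(self.key, data, hashlib.sha256).digest()
        self.retagged += 1

    def _insert(self, node, pos, leaf):
        """Insert `leaf` before leaf position `pos` under `node`.
        Returns the sibling split off from `node`, or None."""
        if node.children[0].block is not None:  # children are leaves: insert here
            node.children.insert(pos, leaf)
        else:  # descend into the child whose leaves cover position pos
            i = 0
            while i < len(node.children) - 1 and pos > node.children[i].size:
                pos -= node.children[i].size
                i += 1
            extra = self._insert(node.children[i], pos, leaf)
            if extra is not None:
                node.children.insert(i + 1, extra)
        split = None
        if len(node.children) == 4:  # degree 4: split evenly under the same parent
            split = Node(children=node.children[2:])
            node.children = node.children[:2]
            self._retag(split)
        self._retag(node)  # only path nodes and their splits are re-tagged
        return split

    def insert(self, pos, block):
        extra = self._insert(self.root, pos, Node(block=self._check(block)))
        if extra is not None:  # the root was split: height grows by one
            self.root = Node(children=[self.root, extra])
            self._retag(self.root)

    def document(self):
        out, stack = [], [self.root]
        while stack:
            n = stack.pop()
            if n.block is not None:
                out.append(n.block)
            else:
                stack.extend(reversed(n.children))
        return out

    def height(self):
        h, n = 0, self.root
        while n.block is None:
            h, n = h + 1, n.children[0]
        return h


def verify(key, root):
    """Recheck every internal tag; the cost depends only on the final document."""
    def check(n, is_root):
        if n.block is not None:
            return len(n.block) == BLOCK
        if len(n.children) > 3 or (len(n.children) < 2 and not is_root):
            return False
        data = b"".join(c.tag for c in n.children)
        expect = hmac.new(key, data, hashlib.sha256).digest()
        return hmac.compare_digest(n.tag, expect) and all(check(c, False) for c in n.children)
    return check(root, True)
```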
Do secure fail-stop signature schemes exist? Assuming the intractability of either the Discrete Logarithm Problem or of integer factorization, the answer is affirmative. Indeed, in fail-stop signature schemes, each document must have super-polynomially many possible valid signatures (with respect to the publicly known verification-key), but only a negligible fraction of these will be (properly) produced by the legitimate signer (who knows a corresponding signing-key, which is not uniquely determined by the verification-key). Furthermore, any strategy (even an infeasible one) is unlikely to generate signatures corresponding to the signing-key. On the other hand, it is infeasible given one signing-key to produce valid signatures (i.e., w.r.t. the verification-key) that do not correspond to the proper signing with this signing-key.

Footnote 37: The above refers to the natural convention by which a proof of forgery frees the signer of any obligations implied by the document. In this case, when accepting a valid signature the recipient is only guaranteed that it is infeasible for the signer to revoke the signature.

6.6 Miscellaneous

6.6.1 On Using Signature Schemes

Once defined and constructed, signature schemes may be (and are actually) used as building blocks towards various goals that are different from the original motivation. Still, the original motivation (i.e., reliable communication of information) is of great importance, and in this subsection we discuss several issues regarding the use of signature schemes towards achieving it. The discussion is analogous to a similar discussion conducted in Section 5.5.1, but the analogous issues discussed here are even more severe.

6.6. MISCELLANEOUS 561

Using private-key schemes: the key exchange problem. As discussed in Section 6.1, using a private-key signature scheme (i.e., a message authentication scheme) requires the communicating parties to share a secret key. This key can be generated by one party and secretly communicated to the other party by an alternative (expensive) secure and reliable channel. Often, a preferable solution consists of employing a key-exchange (or rather key-generation) protocol, which is executed over the standard (unreliable) communication channel. We stress that here (unlike in Section 5.5.1) we must consider active adversaries. Consequently, the focus should be on key-exchange protocols that are secure against active adversaries and are called unauthenticated key-exchange protocols (because the messages received over the channel are not necessarily authentic). Such protocols are too complex to be treated in this section, and the interested reader is referred to [30, 31, 18].

Using state-dependent message authentication schemes. In many communication settings it is reasonable to assume that the authentication device may maintain (and modify) a state (e.g., a counter or a clock). Furthermore, in many applications, a changing state (e.g., a clock) must be employed anyhow in order to prevent replay of old messages (i.e., each message will be authenticated along with its transmission time). In such cases, state-dependent schemes as discussed in Section 6.3.2 may be preferable. (See further discussion in Section 6.3.2 and analogous discussion in Section 5.5.1.)

Using signature schemes: public-key infrastructure. The standard use of (public-key) signature schemes in real-life applications requires a mechanism for providing the verifiers with the signer's authentic verification-key. In small systems, one may assume that each user holds a local record of the verification-keys of all other users. However, this is not realistic in large-scale systems, and so the verifier must obtain the relevant verification-key on-the-fly in a "reliable" way (i.e., typically, certified by some trusted authority).
In most theoretical work, one assumes that the verification-keys are posted and can be retrieved from a public-file that is maintained by a trusted party (which makes sure that each user can post only verification-keys bearing its own identity). In abstract terms, such a trusted party may provide each user with a (signed) certificate stating the authenticity of the user's verification-key. In practice, maintaining such a public-file (and handling such certificates) is a major problem, and mechanisms that implement this abstraction are typically referred to by the generic term "public-key infrastructure (PKI)". For a discussion of the practical problems regarding PKI deployment see, e.g., [180, Chap. 13].

6.6.2 On Information Theoretic Security

In contrast to the bulk of our treatment, which focuses on computationally-bounded adversaries, in this section we consider computationally-unbounded adversaries. Specifically, we consider computationally-unbounded chosen message attacks, but do bound (as usual, by an unknown polynomial) the total number of bits in the signing-queries made by such attackers. We call a (private-key or public-key) signature scheme perfectly-secure (or information-theoretically secure) if even such computationally-unbounded attackers may succeed (in forgery) only with negligible probability.

It is easy to see that no (public-key) signature scheme may be perfectly-secure, not even in a length-restricted one-time sense. The reason is that a computationally-unbounded adversary that is given a verification-key can find (without making any queries) a corresponding signing-key, which allows it to forge signatures to any message of its choice. In contrast, restricted types of message authentication schemes (i.e., private-key signature schemes) may be perfectly-secure.
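Such a perfectly-secure, state-based message authentication scheme, as an added example that is not from the book (the text goes on to describe it as a variant of Construction 6.3.10 with a truly random one-time pad): each message is hashed by an almost-universal polynomial hash over GF(p), and the hash value is masked by a fresh pad element selected by a counter state. The polynomial hash, the Mersenne prime p and the 7-byte chunking are assumptions of this example; the key holds one pad element per message, so it is longer than the number of messages that will ever be authenticated, and an unbounded forger who never sees a pad element twice succeeds with probability at most (k+1)/p per attempt for a k-chunk message.

```python
import secrets

P = (1 << 61) - 1  # Mersenne prime; chunks, pad elements and tags live in GF(P)
CHUNK = 7          # 56-bit message chunks, so every chunk is below P


def keygen(max_messages):
    """Constructed key: a hash key a plus one truly random pad element per message."""
    return {"a": secrets.randbelow(P),
            "pad": [secrets.randbelow(P) for _ in range(max_messages)]}


def poly_hash(a, msg):
    """h_a(msg) = sum_i c_i * a^i over GF(P), where c_1..c_k are the message chunks
    and c_{k+1} is the message length (so messages of different lengths give
    different polynomials).  Two distinct messages collide for at most (k+1)/P of
    the keys a, because their difference is a nonzero polynomial of degree <= k+1."""
    chunks = [int.from_bytes(msg[i:i + CHUNK], "big") for i in range(0, len(msg), CHUNK)]
    chunks.append(len(msg))
    h = 0
    for c in reversed(chunks):  # Horner evaluation of c_1 a + c_2 a^2 + ...
        h = (h + c) * a % P
    return h


class Signer:
    def __init__(self, key):
        self.key = key
        self.state = 0  # index of the next unused pad element

    def sign(self, msg):
        """Tag = (counter, h_a(msg) + pad[counter] mod P).  Refuses once the pad is
        exhausted: reusing a pad element would let an unbounded forger recover a."""
        if self.state >= len(self.key["pad"]):
            raise RuntimeError("pad exhausted; no further message can be authenticated")
        i = self.state
        self.state += 1
        return (i, (poly_hash(self.key["a"], msg) + self.key["pad"][i]) % P)


class Verifier:
    def __init__(self, key):
        self.key = key
        self.seen = set()  # receiver state: counters already accepted (rejects replays)

    def verify(self, msg, tag):
        i, t = tag
        if i in self.seen or not 0 <= i < len(self.key["pad"]):
            return False
        ok = (poly_hash(self.key["a"], msg) + self.key["pad"][i]) % P == t
        if ok:
            self.seen.add(i)
        return ok
```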
Specifically, given any polynomial bound on the total number of messages to be authenticated, one may construct a corresponding state-based perfectly-secure message authentication scheme. In fact, a variant of Construction 6.3.10 will do, where a truly random one-time pad is used instead of the pseudorandom sequence generated using the next-step function g. Indeed, this one-time pad will be part of the key, which in turn must be longer than the total number of messages to be authenticated. We comment that the use of a state is essential for allowing several messages to be authenticated (in a perfectly-secure manner). (Proofs of both statements can be derived following the ideas underlying Exercise 8.2.)

6.6.3 On Popular Schemes

The reader may note that we have avoided the presentation of several popular signature schemes (i.e., public-key ones). As noted in Section 6.1.4.3, some of these schemes (e.g., RSA [216] and DSS [192]) seem to satisfy some weak (i.e., weaker than Definition 6.1.2) notions of security. Variants of these schemes are proven to be secure in the random oracle model, provided some standard intractability assumptions hold (cf., e.g., [32]). However, we are not satisfied with either of these types of results, and articulate our opinion next.

On using weaker definitions. We distinguish between weak definitions that make clear reference to the abilities of the adversary (e.g., one-message attacks, length-restricted message attacks) and weak notions that make hidden and unspecified assumptions regarding what may be beneficial to the adversary (e.g., "forgery of signatures for meaningful documents"). In our opinion, the fact that the hidden assumptions often "feel right" makes them even more dangerous, because it means that they are never seriously considered (and not even formulated). For example, it is often said that existential forgery (see Section 6.1.3) is "merely of theoretical concern", but these claims are never supported by any evidence or by a specification of the types of forgery that are of "real practical concern". Furthermore, a few years later, one learns that this "merely theoretical" issue yields a real security breach in some important applications. Still, weak definitions of security may make sense, provided that they are clearly stated and that one realizes their limitations (i.e., "non-generality"). Since this book focuses on generally-applicable definitions, we chose not to discuss such weaker notions of security and not to present schemes that can be evaluated only with respect to these weak notions.

On the Random Oracle Methodology. The Random Oracle Methodology [95, 29] consists of two steps: First, one designs an ideal system in which all parties (including the adversary) have oracle access to a truly random function, and proves this ideal system to be secure (i.e., one typically says that the system is secure in the random oracle model). Next, one replaces the random oracle by a "good cryptographic hashing function", providing all parties (including the adversary) with the succinct description of this function, and hopes that the resulting (actual) scheme is secure.³⁸ We warn that this hope has no justification. Furthermore, there exist encryption and signature schemes that are secure in the Random Oracle Model, but replacing the random function (used in them) by any function ensemble yields a totally insecure scheme (cf., [59]).

6.6.4 Historical Notes

As in the case of encryption schemes, the rigorous study of the security of private-key signature schemes (i.e., message authentication schemes) has lagged behind the corresponding study of public-key signature schemes. The current section is organized accordingly.
6.6.4.1 Signature Schemes

The notion of a (public-key) signature scheme was introduced by Diffie and Hellman [78], who also suggested implementing it using trapdoor permutations. Concrete implementations were suggested by Rivest, Shamir and Adleman [216] and by Rabin [211]. However, definitions of security for signature schemes were presented only a few years afterwards.

A first rigorous treatment of security notions for signature schemes was suggested by Goldwasser, Micali and Yao [145], but their definition is weaker than the one followed in our text. (Specifically, the adversary's queries in the definition of [145] are determined non-adaptively and obliviously of the public-key.) Assuming the intractability of factoring, they also presented a signature scheme that is secure under their definition. We stress that the security definition of [145] is significantly stronger than all security notions considered before [145].

A comprehensive treatment of security notions for signature schemes, which culminates in the notion used in our text, was presented by Goldwasser, Micali and Rivest [143]. Assuming the intractability of factoring, they also presented a signature scheme that is secure (in the sense of Definition 6.1.2). This was the first time that a signature scheme was proven secure under a simple intractability assumption such as the intractability of factoring. Their proof refuted a folklore (attributed to Ron Rivest) by which no such "constructive proof" may exist (as its mere existence was believed to yield a forging procedure). Whereas the (two) schemes of [145] were inherently memory-dependent, the scheme of [143] has a "memoryless" variant (cf. [105] and [143]).

Footnote 38: Recall that, in contrast, the methodology of Section 3.6.3 (which is applied often in the current chapter) refers to a situation in which the adversary does not have direct oracle access to the random function, and does not obtain the description of the pseudorandom function used in the latter implementation.

Following Goldwasser, Micali and Rivest [143], research has focused on constructing secure signature schemes under weaker assumptions. In fact, as noted in [143], their construction of secure signature schemes can be carried out using any collection of claw-free, trapdoor permutation pairs. The claw-free requirement was omitted in [28], whereas the seemingly more fundamental trapdoor requirement was omitted by Naor and Yung [198]. Finally, Rompel showed that one may use arbitrary one-way functions rather than one-way permutations [217], and thus established Theorem 6.4.1. The progress briefly summarized above was enabled by the use of many important ideas and paradigms, some of which were introduced in that body of work and some were "only" revisited and properly formalized. Specifically, we refer to the introduction of the refreshing paradigm in [143], the use of authentication trees (cf., [182, 183] and [143]), the use of the hash-and-sign paradigm (rigorously analyzed in [72]), the introduction of Universal One-Way Hash Functions (and the adaptation of the hash-and-sign paradigm to them) in [198], and the use of one-time signature schemes (cf., [210]). We comment that our presentation of the construction of signature schemes is different from the one given in any of the above cited papers. Specifically, the main part of Section 6.4 (i.e., Sections 6.4.1 and 6.4.2) is based on a variant of the signature scheme of [198], in which collision-free hashing (cf. [72]) is used instead of universal one-way hashing (cf. [198]).

6.6.4.2 Message Authentication Schemes

Message authentication schemes were first discussed in the information theoretic setting, where a one-time pad was used. Such schemes were first suggested in [104], and further developed in [236]. The one-time pad can be implemented by a pseudorandom function (or an on-line pseudorandom generator), yielding only computational security, as we have done in Section 6.3.2.
Specifically, Construction 6.3.10 is based on [163, 164]. In Section 6.3.1 we have followed a different paradigm that amounts to applying a pseudorandom function to the message (or its hashed-value), rather than using a pseudorandom function (or an on-line pseudorandom generator) to implement a one-time pad. This alternative paradigm is due to [119], and is followed in works such as [27, 24, 16]. Indeed, following this paradigm (and similarly to [27, 24, 16]), we have actually focused (in Section 6.3.1) on constructing generalized pseudorandom function ensembles (as in Definition 3.6.12), based on ordinary pseudorandom functions (as in Definition 3.6.4).

Collision-free hashing. Collision-free hashing was first defined in [72]. Construction 6.2.8 is also due to [72], with underlying principles that can be traced to [143]. Construction 6.2.11 is due to [73]. Construction 6.2.13 is due to [184].

On the additional properties. Unique signatures and super-security have been used in several works, but never extensively treated before. The notion of off-line/on-line signature schemes was introduced (and first instantiated) in [86]. The notion of incremental cryptographic schemes (and in particular incremental signature schemes) was introduced and instantiated in [21, 22]. In particular, the incremental MAC of [22] (i.e., Part 1 of Theorem 6.5.3) builds on the message authentication scheme of [24], and the incremental signature scheme that protects the privacy of the edit sequence is due to [188] (building upon [22]). Fail-stop signatures were defined and constructed in [206].

6.6.5 Suggestion for Further Reading

As mentioned above, the work of Goldwasser, Micali and Rivest contains a comprehensive treatment of security notions for signature schemes [143]. Their treatment refers to two parameters: (1) the type of attack, and (2) the type of forgery that follows from it. The most severe type of attack allows the adversary to adaptively select the documents to be signed (as in Definition 6.1.2). The most liberal notion of forgery refers to producing a signature to any document for which a signature was not obtained during the attack (again, as in Definition 6.1.2). Thus, the notion of security presented in Definition 6.1.2 is the strongest among the notions discussed in [143]. (Still, in some applications, weaker notions of security may suffice.) We stress that one may still benefit from the definitional part of [143], but the constructive part of [143] should be ignored since it is superseded by later work (on which our presentation is based).

Pfitzmann's book [207] contains a comprehensive discussion of many aspects involved in the integration of signature schemes in real-life systems. In addition, her book surveys variants and augmentations of the notion of signature schemes, viewing the one treated in the current book as "ordinary". The focus is on fail-stop signature schemes [207, Chap. 7-11], but much attention is given to the presentation of a general framework [207, Chap. 5] and to a review of other "non-ordinary" schemes [207, Sec. 2.7 & 6.1].

As hinted in Section 6.6.4.2, our treatment of the construction of message authentication schemes is merely the tip of an iceberg. The interested reader is referred to [230, 163, 164, 40] for details on the "one-time pad" approach, and to [27, 24, 16, 17, 23, 7] for alternative approaches. Constructions and discussion of AXU hashing functions can be found in [163, 164].

The constructions of universal one-way hash functions presented in Section 6.4.3 use any one-way permutation, and do so in a generic way. The number of applications of the one-way permutation in these constructions is linearly related to the difference between the number of input and output bits in the hash function. In [103], it is shown that as far as generic (black-box) constructions go, this is essentially the best performance that one can hope for.

In continuation to the discussion in Section 6.4.2.4, we refer the reader to [82, 69], in which specific implementations (of a generalization) of Constructions 6.4.14 and 6.4.16 are presented. Specifically, these works utilize an authentication tree of large degree (rather than binary trees as in Section 6.4.2.2).

6.6.6 Open Problems

The known construction of signature schemes from arbitrary one-way functions [217] is merely a feasibility result. It is indeed an important open problem to provide an alternative construction that may be practical and still utilize an arbitrary one-way function. We believe that providing such a construction may require the discovery of important new paradigms.

6.6.7 Exercises

Exercise 1: Deterministic Signing and Verification algorithms:

1. Using a pseudorandom function ensemble, show how to transform any (private-key or public-key) signature scheme into one employing a deterministic signing algorithm.

2. Using a pseudorandom function ensemble, show how to transform any message authentication scheme into one employing deterministic signing and verifying algorithms.

3. Verify that all signature schemes presented in the current chapter employ a deterministic verification algorithm.

Guideline (for Part 1): Augment the signing-key with a description of a pseudorandom function, and apply this function to the string to be signed in order to extract the randomness used by the original signing algorithm.

Guideline (for Part 2): Analogous to Part 1. (Highlight your use of the private-key hypothesis.) Alternatively, see Exercise 2.

Exercise 2: Canonical verification in the private-key version: Show that, without loss of generality, the verification algorithm of a private-key signature scheme may consist of comparing the alleged signature to one produced by the verification algorithm itself (which does so exactly as the signing algorithm).
Why does this claim fail with respect to public-key schemes? Use Part 1 of Exercise 1, and conclude that the on a xed input the signing algorithm always produces the same output. Use the fact that (by Exercise 8.2) the existence of message authentication schemes implies the existence of pseudorandom functions. Guideline: Exercise 3: Augmented attacks in the private-key case: In continuation to the discussion in Section 6.1.4.1, consider the de nition of an augmented attack (on a private-key signature scheme) in which the adversary is allowed veri cation-queries. 6.6. MISCELLANEOUS 567 1. Show that in case the signature scheme has (a deterministic veri cation algorithm and) unique valid signatures, it is secure against augmented attacks if and only if it is secure against ordinary attacks (as in De nition 6.1.2). 2. Assuming the existence of secure private-key signature schemes (as in De nition 6.1.2), present such a secure scheme that is insecure under augmented attacks. Analyze the emulation outlined in Section 6.1.4.1. Speci cally, ignoring the redundant veri cation-queries (for which the answer is determined by previous answers), consider the probability that the emulation has gambled correctly on all the veri cation-queries up-to (and including) the rst such query that should be answered a rmatively. Guideline (Part 1): Guideline (Part 2): Given any secure MAC (G S V ), assume without loss of generality that in the key-pairs output by G the veri cation-key equals the signing-key. Consider the scheme (G0 S 0 V ) (with G0 = G), 0 where Ss ( ) = (Ss ( ) 0), Vv0 ( ( 0)) = Vv ( ) and Vv0 ( ( i )) = 1 if both Vv ( ) = 1 and the ith bit of s = v is . Prove that (G0 S 0 V ) is secure under ordinary attacks, and present an augmented attack that totally breaks it (i.e., obtains the signing-key). 
Exercise 4: The signature may reveal the document: Both for private-key and public-key signature schemes, show that if such secure schemes exist then there exist secure signature schemes in which any valid signature to a message allows to efficiently recover the entire message.

Exercise 5: On the triviality of some length-restricted signature schemes:
1. Show that for logarithmically bounded $\ell$, secure $\ell$-restricted private-key signature schemes (i.e., message authentication schemes) can be trivially constructed (without relying on any assumption).
2. In contrast, show that the existence of a secure $\ell$-restricted public-key signature scheme, even for $\ell \equiv 1$, implies the existence of one-way functions.
Guideline (Part 1): On input $1^n$, the key generator uniformly selects $s \in \{0,1\}^{2^{\ell(n)} \cdot n}$, and outputs the key pair $(s,s)$. View $s = s_1 \cdots s_{2^{\ell(n)}}$, where each $s_i$ is an $n$-bit long string, and consider any fixed ordering of the $2^{\ell(n)}$ strings of length $\ell(n)$. The signature to $\alpha \in \{0,1\}^{\ell(n)}$ is defined as $s_i$, where $i$ is the index of $\alpha$ in the latter ordering.
Guideline (Part 2): Let $(G,S,V)$ be a 1-restricted public-key signature scheme. Define $f(1^n,r)=v$ if on input $1^n$ and coins $r$, algorithm $G$ generates the key-pair of the form $(\cdot,v)$. Assuming that algorithm $A$ inverts $f$ with probability $\varepsilon(n)$, we construct a forger that attacks $(G,S,V)$ as follows. On input a verification key $v$, the forger invokes $A$ on input $v$. With probability $\varepsilon(n)$, the forger obtains $r$ so that $f(1^n,r)=v$. In such a case, the forger obtains a matching signing-key $s$ (i.e., $(s,v)$ is output by $G(1^n)$ on coins $r$), and so can produce valid signatures to any string of its choice.

Exercise 6: Failure of Construction 6.2.3 in case $\ell(n)=O(\log n)$: Show that if Construction 6.2.3 is used with logarithmically bounded $\ell$ then the resulting scheme is insecure.
Guideline: Note that by asking for polynomially-many signatures, the adversary may obtain two $S'_s$-signatures that use the same (random) identifier. Specifically, consider making the queries $\alpha\beta$, for all possible $\beta \in \{0,1\}^{\ell(n)}$, and note that if $\alpha\beta$ and $\alpha'\beta'$ are $S'_s$-signed using the same identifier then we can derive a valid $S'_s$-signature to $\alpha\beta'$.

Exercise 7: Using a pseudorandom function ensemble of the form $\{f_s : \{0,1\}^* \to \{0,1\}^{|s|}\}_{s \in \{0,1\}^*}$, construct a general secure message authentication scheme (rather than a length-restricted one).
Guideline: The construction is identical to Construction 6.3.1, except that here we use a general pseudorandom function ensemble rather than the one used there. The proof of security is analogous to the proof of Proposition 6.3.2.

Exercise 8: Prove that the existence of secure message authentication schemes implies the existence of one-way functions. Specifically, let $(G,S,V)$ be as in the hypothesis.
1. To simplify the following two items, show that, without loss of generality, $G(1^n)$ uses $n$ coins and outputs a signing-key of length $n$, and that $|S_s(\alpha)|$ is determined by $|s|+|\alpha|$.
2. Assume first that $S$ is a deterministic signing algorithm. Prove that $f(r,\alpha_1,\ldots,\alpha_m) \stackrel{\mathrm{def}}{=} (S_s(\alpha_1),\ldots,S_s(\alpha_m),\alpha_1,\ldots,\alpha_m)$ is a one-way function, where $s=G_1(r)$ is the signing-key generated with coins $r$, all $\alpha_i$'s are of length $n=|r|$ and $m=\Theta(n)$. Extend the proof to handle randomized signing algorithms.
3. Using the relation between pseudorandom functions (as in Definition 3.6.12) and one-way functions, the following provides an alternative proof for the special case of deterministic signing.[39] (Based on [197]): Consider the Boolean function ensemble $\{f_{s,r}\}_{s,r}$, where $s$ is selected according to $G_1(1^n)$ and $r$ is uniformly distributed over strings of length $|S_s(1^n)|$, defined such that $f_{s,r}(\alpha)$ equals the inner-product mod 2 of $r$ and $S_s(\alpha)$. Prove that this ensemble is pseudorandom (as defined in Definition 3.6.12 for the case $r(n)=1$).

[39] Note that the functions in the ensemble have a sufficiently large domain. Thus, this pseudorandom function ensemble gives rise to a pseudorandom generator (analogously to Exercise 28 of Chapter 3), which in turn implies the existence of one-way functions.

Guideline (Part 2): Note that the $m$ signatures determine an $r'$, which in turn determines a signing-key $s'=G_1(r')$ such that $S_{s'}(\alpha)=S_s(\alpha)$ for most $\alpha \in \{0,1\}^n$. (Note that $s'$ does not necessarily equal $s$.) Show that this implies that ability to invert $f$ yields ability to forge (under a chosen message attack). (Hint: use $m$ random signing-queries to produce a random image of $f$.) The extension to randomized signing is obtained by augmenting the argument of the one-way function with the coins used by the $m$ invocations of the signing algorithm.
Guideline (Part 3): Consider hybrid experiments such that in the $i$-th hybrid the first $i$ queries are answered by a truly random Boolean function and the rest are answered by a uniformly distributed $f_{s,r}$. (Note that it seems important to use this non-standard order of random versus pseudorandom answers.) Show that distinguishability of the $i$-th and $(i+1)$-st hybrids implies that a probabilistic polynomial-time machine can have a non-negligible advantage in the following game: the machine is asked to select $\alpha$, next $f_{s,r}$ is uniformly selected and the machine is given $r$ as well as oracle access to $S_s$ (but is not allowed the query $\alpha$), and it is asked to guess $f_{s,r}(\alpha)$. (Note that the particular order used allows to produce the rest of the hybrid when given this oracle access. On the other hand, it is important to hand $r$ only after the machine has selected $\alpha$; see [197].) At this point, one may apply the proof of Theorem 2.5.2, and deduce that the said machine can construct $S_s(\alpha)$ with non-negligible probability, in contradiction to the security of the MAC.
Exercise 9: Prove that, without loss of generality, one can always assume that a chosen message attack makes at least one query. (This holds for general signature schemes as well as for length-restricted and/or one-time ones.)
Guideline: Given an adversary $A'$ that outputs a message-signature pair $(\alpha,\beta)$ without making any query, modify it so that it makes an arbitrary query $\alpha' \in \{0,1\}^{|\alpha|} \setminus \{\alpha\}$ just before producing that output.

Exercise 10: On perfectly-secure one-time message authentication (MAC) schemes: By perfect (or information-theoretic) security we mean that even computationally-unbounded chosen message attacks may succeed (in forgery) only with negligible probability. Define perfect (or information-theoretic) security for one-time MACs and length-restricted one-time MACs. (Be sure to bound the length of documents (e.g., by some super-polynomial function) also in the unrestricted case.) Prove the following, without relying on any (intractability) assumptions (which are anyhow useless in the information-theoretic context):
1. For any polynomially-bounded and polynomial-time computable function $\ell : \mathbb{N} \to \mathbb{N}$, perfectly-secure $\ell$-restricted one-time MACs can be trivially constructed.
2. Using a suitable AXU family of hashing functions, present a construction of a perfectly-secure one-time MAC. Furthermore, present such a MAC in which the authentication-tags have fixed length (i.e., depending on the length of the key but not on the length of the message being authenticated).
3. Show that any perfectly-secure one-time MAC that utilizes fixed length authentication-tags and a deterministic signing algorithm yields a generalized hashing ensemble with negligible collision probability. Specifically, for any polynomial $p$, this ensemble has a $(p,1/p)$-collision property.
Guideline: For Part 1, combine the ideas underlying Exercise 5 and Construction 6.4.4. For Part 2, use the ideas underlying Construction 6.3.10 and the proof of Proposition 6.3.11. For Part 3, given a MAC $(G,S,V)$ as in the claim, consider the functions $h_s(x) \stackrel{\mathrm{def}}{=} S_s(x)$, where $s \leftarrow G_1(1^n)$.

Exercise 11: In contrast to Exercise 10, prove that the existence of secure one-time signature schemes implies the existence of one-way functions. Furthermore, prove that this holds even for 1-restricted signature schemes that are secure (only) under attacks that make no signing-queries.
Guideline: See the guideline for Item 2 in Exercise 5.

Exercise 12: Prove that the existence of collision-free hashing collections implies the existence of one-way functions.
Guideline: Given a collision-free hashing collection, $\{h_r : \{0,1\}^* \to \{0,1\}^{\ell(|r|)}\}_{r \in \{0,1\}^*}$, consider the function $f(r,x)=(r,h_r(x))$, where (say) $|x|=\ell(|r|)+|r|$. Prove that $f$ is a one-way function, by assuming towards the contradiction that $f$ can be efficiently inverted with non-negligible probability, and deriving an efficient algorithm that forms collisions on random $h_r$'s. Given $r$, form a collision under the function $h_r$ by uniformly selecting $x \in \{0,1\}^{\ell(|r|)+|r|}$, and feeding the inverting algorithm with input $(r,h_r(x))$. Observe that with non-negligible probability a preimage is obtained, and that with exponentially vanishing probability this preimage is $(r,x)$ itself. Thus, with non-negligible probability, we obtain a preimage $(r,x') \neq (r,x)$ and it holds that $h_r(x')=h_r(x)$.

Exercise 13: In contrast to Exercise 4, show that if secure message authentication schemes exist then there exist such schemes in which it is infeasible (for a party not knowing the key) to extract from the signature any partial information about the message (except for the message length). (Indeed, privacy of the message is formulated as the definition of semantic security of encryption schemes; see Chapter 5.)
Guideline: Combine a message authentication scheme with an adequate private-key encryption scheme. Refer to issues such as the type of security required of the encryption scheme, and why the hypothesis yields the existence of the ingredients used in the construction.

Exercise 14: In continuation to Exercise 13, show that if there exist collision-free hashing functions then there exist message authentication schemes in which it is infeasible (for a party not knowing the key) to extract from the signature any partial information about the message (including the message length). How come we can hide the message length in this context, whereas we cannot do this in the context of encryption schemes?
Guideline: Combine a message authentication scheme having fixed length signatures with an adequate private-key encryption scheme. Again, refer to issues as in Exercise 13.

Exercise 15: Prove that the existence of collections of UOWHF implies the existence of one-way functions. Furthermore, show that uniformly chosen functions in any collection of UOWHFs are hard to invert (in the sense of Definition 2.4.3).
Guideline: Note that the guidelines provided in Exercise 12 can be modified to fit the current context. Specifically, the collision-forming algorithm is given uniformly distributed $r$ and $x$, and invokes the inverter on input $(r,h_r(x))$. Note that the furthermore clause is implicit in the proof.

Exercise 16: Assuming the existence of one-way functions, show that there exists a collection of universal one-way hashing functions that is not collision-free.
Guideline: Given a collection of universal one-way hashing functions, $\{f_s : \{0,1\}^* \to \{0,1\}^{|s|}\}$, consider the collection $F'=\{f'_s : \{0,1\}^* \to \{0,1\}^{|s|}\}$ defined so that $f'_s(x)=(0,f_s(x))$ if the $|s|$-bit long prefix of $x$ is different from $s$, and $f'_s(sx')=(1,s)$ otherwise. Clearly, $F'$ is not collision-free. Show that $F'$ remains universal one-way hashing.

Exercise 17: Show that for every finite family of functions $H$, there exist $x \neq y$ such that $h(x)=h(y)$ for every $h \in H$. Furthermore, for $H$ consisting of functions $h : \{0,1\}^* \to \{0,1\}^m$, show that this holds for $|x|,|y| \leq m \cdot |H|$.
Guideline: Consider the mapping $x \mapsto (h_1(x),\ldots,h_t(x))$, where $H=\{h_i\}_{i=1}^t$. Since the number of possible images is at most $(2^m)^t$, we get a collision as soon as we consider more than $2^{mt}$ preimages.

Exercise 18: Constructions of Hashing Families with Bounded Collision Probability: In continuation to Exercise 22.2 in Chapter 3, consider the set of functions $S_\ell^m$ associated with $\ell$-by-$m$ Toeplitz matrices; that is, $h_T(x)=Tx$, where $T=(T_{i,j})$ is a Toeplitz matrix (i.e., $T_{i,j}=T_{i+1,j+1}$ for all $i,j$). Show that this family has collision probability $2^{-m}$. (Note that each $\ell$-by-$m$ Toeplitz matrix is specified using $\ell+m-1$ bits.)
Guideline: Note that we have eliminated the shifting vector $b$ used in Exercise 22.2 of Chapter 3, but this does not affect the relevant analysis.

Exercise 19: Constructions of Generalized Hashing Families with Bounded Collision Property: (See definition in Section 6.3.1.3.)
1. Using a tree-hashing scheme as in Construction 6.2.13, construct a generalized hashing ensemble with an $(f,1/f)$-collision property, where $f(n)=2^{\varepsilon n^\varepsilon}$ for some $\varepsilon>0$.
2. (By Hugo Krawczyk): Show that the block-chaining method (as in Construction 6.2.11) fails in the current context. That is, there exists a hashing ensemble $\{h_r : \{0,1\}^{2m(|r|)} \to \{0,1\}^{m(|r|)}\}$ with negligible collision probability such that applying Construction 6.2.11 to it (even with three blocks) yields an ensemble with high collision probability.
Guideline (Part 1): Let $\{h_r : \{0,1\}^{2m(|r|)} \to \{0,1\}^{m(|r|)}\}$ be a hashing ensemble with collision probability $cp$. Recall that such ensembles with $m(n)=n/3$ and $cp(n)=2^{-m(n)}$ can be constructed (see Exercise 18). Then, consider the function ensemble $\{h_{r_1,\ldots,r_{m(n)}} : \{0,1\}^* \to \{0,1\}^{2m(n)}\}_{n \in \mathbb{N}}$, where all $r_i$'s are of length $n$, such that $h_{r_1,\ldots,r_{m(n)}}(x)$ is defined as follows:
1. As in Construction 6.2.13, break $x$ into $t \stackrel{\mathrm{def}}{=} 2^{\lceil \log_2(|x|/m(n)) \rceil}$ consecutive blocks, denoted $x_1,\ldots,x_t$, and let $d=\log_2 t$.
2. For $i=1,\ldots,t$, let $y_{d,i} \stackrel{\mathrm{def}}{=} x_i$. For $j=d-1,\ldots,1,0$ and $i=1,\ldots,2^j$, let $y_{j,i}=h_{r_j}(y_{j+1,2i-1}\,y_{j+1,2i})$. The hash value equals $(y_{0,1},|x|)$.
The above functions have description length $N \stackrel{\mathrm{def}}{=} m(n) \cdot n$ and map strings of length smaller than $2^{m(n)}$ to strings of length $2m(n)$. It is easy to bound the collision probability (for strings of equal length) by the probability of a collision occurring in each of the levels of the tree. In fact, for $x_1 \cdots x_t \neq x'_1 \cdots x'_t$ such that $x_i \neq x'_i$, it suffices to bound the sum of the probabilities that $y_{j,\lceil i/2^{d-j} \rceil} = y'_{j,\lceil i/2^{d-j} \rceil}$ holds (given that $y_{j+1,\lceil i/2^{d-(j+1)} \rceil} \neq y'_{j+1,\lceil i/2^{d-(j+1)} \rceil}$) for $j=d-1,\ldots,1,0$. Thus, this generalized hashing ensemble has an $(\ell,\delta)$-collision property, where $\ell(N)=2^{m(n)}-1$ and $\delta(N)=m(n) \cdot cp(n)$. Recalling that we may use $m(n)=n/3$ and $cp(n)=2^{-m(n)}$, we obtain (using $N=n^2/3$) $\ell(N)=2^{(N/3)^{1/2}}-1 > 2^{(N/4)^{1/2}}$ and $\delta(N) < N/\ell(N) < 2^{-(N/4)^{1/2}}$ (as desired).
Guideline (Part 2): Given a hashing family as in the hypothesis, modify it into $\{h'_{r,s} : \{0,1\}^{2m} \to \{0,1\}^m\}$, such that $h'_{r,s}(0^{2m})=s$, $h'_{r,s}(s\,\sigma^m)=0^m$ for both $\sigma \in \{0,1\}$, and $h'_{r,s}(x)=h_r(x)$ for all other $x$'s. Note that the new family maintains the collision probability of the original one up-to an additive term of $O(2^{-m})$. On the other hand, for both $\sigma \in \{0,1\}$, it holds that $h'_{r,s}(h'_{r,s}(0^{2m})\,\sigma^m)=h'_{r,s}(s\,\sigma^m)=0^m$.

Exercise 20: Additional properties required in Proposition 6.4.21: In continuation to Exercise 23 of Chapter 3, show that the said function ensemble satisfies the following two properties:
1. All but a negligible fraction of the functions in $S_n^{n-1}$ are 2-to-1.
2. There exists a probabilistic polynomial-time algorithm that, given $y_1,y_2 \in \{0,1\}^n$ and $z_1,z_2 \in \{0,1\}^{n-1}$, outputs a uniformly distributed element of $\{s \in S_n^{n-1} : h_s(y_i)=z_i\ \forall i \in \{1,2\}\}$.
Guideline: Recall that functions in $S_n^{n-1}$ are described by a pair of elements of the finite field $\mathrm{GF}(2^n)$, so that the pair $(a,b)$ describes the function $h_{a,b}$ that maps $x \in \mathrm{GF}(2^n)$ to the $(n-1)$-bit prefix of the $n$-bit representation of $ax+b$, where the arithmetic is that of the field $\mathrm{GF}(2^n)$. The first condition follows by observing that the function $h_{a,b}$ is 2-to-1 if and only if $a \neq 0$. The second condition follows by observing that $h_{a,b}(y_i)=z_i$ if and only if $ay_i+b=v_i$ for some $v_i$ that is a single-bit extension of $z_i$. Thus, generating a pair $(a,b)$ such that $h_{a,b}(y_i)=z_i$ for both $i$'s amounts to selecting random single-bit extensions $v_i$'s, and (assuming $y_1 \neq y_2$) solving the system $\{ay_i+b=v_i\}_{i=1,2}$ (for the variables $a$ and $b$).

Exercise 21: Fail-stop signatures require a memory-dependent signing process: In continuation to Section 6.5.5, prove that a secure fail-stop signature scheme must employ a memory-dependent signing process (as in Definition 6.4.13).
Guideline: Suppose towards the contradiction that there exists a secure memoryless fail-stop signature scheme. For every signing-key $s \in \{0,1\}^n$, consider the randomized process $P_s$ in which one first selects uniformly $x \in \{0,1\}^n$, produces a (random) signature $y \leftarrow S_s(x)$, and outputs the pair $(x,y)$. Show that, given polynomially-many samples of $P_s$, one can find (in exponential time) a string $s' \in \{0,1\}^n$ such that with probability at least $0.99$ the statistical distance between $P_s$ and $P_{s'}$ is at most $0.01$. Thus, a computationally unbounded adversary making polynomially-many signing queries can find a signing-key that typically produces the same signatures as the true signer. It follows that either these signatures cannot be revoked or that the user may also revoke its own signatures.

Author's Note: First draft written mainly in May 2000. Major revision completed in Feb. 2002.
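The Toeplitz family of Exercise 18 above, as an added worked example (not code from the book): the key is the $\ell+m-1$ diagonal bits, $h_T(x)=Tx$ over GF(2), and for small parameters the collision probability of any fixed pair $x \neq y$ can be computed exactly by enumerating every key. Index conventions (T has $m$ rows and $\ell$ columns, entry $T_{i,j}$ is diagonal $i-j+\ell-1$) are this example's own choice.

```python
"""Toeplitz-matrix hashing over GF(2): h_T(x) = T x (added example).

A Toeplitz matrix with m rows and l columns is fixed by its l+m-1
diagonals, so the family is described by l+m-1 key bits.  Bits are
Python ints (0/1), strings are tuples of bits, arithmetic is mod 2.
"""
from itertools import product
from random import randrange


def toeplitz_hash(key, x, m):
    """Hash the l-bit tuple x to m bits with the Toeplitz matrix whose
    diagonals are given by key (length l+m-1).  Entry T[i][j] is
    key[i - j + l - 1], hence T[i][j] == T[i+1][j+1] as required."""
    l = len(x)
    if len(key) != l + m - 1:
        raise ValueError("key must have l+m-1 bits")
    out = []
    for i in range(m):
        acc = 0
        for j in range(l):
            acc ^= key[i - j + l - 1] & x[j]
        out.append(acc)
    return tuple(out)


def random_key(l, m):
    """Sample a uniform member of the family: l+m-1 coin flips."""
    return tuple(randrange(2) for _ in range(l + m - 1))


def collision_probability(x, y, m):
    """Exact Pr_T[h_T(x) = h_T(y)] over all keys, by enumeration (only
    feasible for small l+m-1).  For x != y this comes out as 2^-m."""
    l = len(x)
    keys = list(product((0, 1), repeat=l + m - 1))
    hits = sum(1 for k in keys
               if toeplitz_hash(k, x, m) == toeplitz_hash(k, y, m))
    return hits / len(keys)


def is_linear(key, x, y, m):
    """The fact the analysis rests on: h_T(x xor y) = h_T(x) xor h_T(y),
    so a collision on (x, y) is exactly the event T(x xor y) = 0."""
    xy = tuple(a ^ b for a, b in zip(x, y))
    lhs = toeplitz_hash(key, xy, m)
    rhs = tuple(a ^ b for a, b in zip(toeplitz_hash(key, x, m),
                                      toeplitz_hash(key, y, m)))
    return lhs == rhs


if __name__ == "__main__":
    x, y = (1, 0, 1, 1), (0, 1, 1, 0)      # constructed 4-bit inputs
    print(collision_probability(x, y, 3))  # 0.125, i.e. 2^-3
    print(toeplitz_hash(random_key(4, 3), x, 3))
```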
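The family $S_n^{n-1}$ of Exercise 20 above, as an added example (not the book's code) with $n=8$: it checks that $h_{a,b}$ is 2-to-1 exactly when $a \neq 0$ and implements the guideline's sampler, which picks random single-bit extensions $v_i$ of the $z_i$ and solves $ay_i+b=v_i$ in $\mathrm{GF}(2^8)$. The reduction polynomial and the reading of "prefix" as the high $n-1$ bits are this example's assumptions.

```python
"""S_n^{n-1} of Exercise 20 over GF(2^8), n = 8 (added example).

h_{a,b}(x) is the (n-1)-bit prefix of the n-bit representation of
a*x + b in GF(2^n); the prefix is taken as the high n-1 bits, so
h_{a,b}(x) = (a*x + b) >> 1.  The field is GF(2)[t]/(t^8+t^4+t^3+t+1),
a standard but here assumed choice.
"""
from random import randrange

N = 8
MOD = 0x11B  # t^8 + t^4 + t^3 + t + 1


def gf_mul(a, b):
    """Carry-less multiplication of two field elements, reduced mod MOD."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a >> N:
            a ^= MOD
        b >>= 1
    return r


def gf_inv(a):
    """Inverse via a^(2^n - 2) (Fermat); a must be non-zero."""
    assert a != 0
    r, e = 1, (1 << N) - 2
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def h(a, b, x):
    """h_{a,b}(x): the (n-1)-bit prefix of a*x + b, i.e. drop the low bit."""
    return (gf_mul(a, x) ^ b) >> 1


def preimage_sizes(a, b):
    """Set of preimage sizes of h_{a,b}: {2} iff the map is 2-to-1, which
    holds iff a != 0 (for a == 0 the map is constant)."""
    counts = {}
    for x in range(1 << N):
        z = h(a, b, x)
        counts[z] = counts.get(z, 0) + 1
    return set(counts.values())


def sample_consistent(y1, y2, z1, z2, coins=None):
    """Uniform (a, b) with h_{a,b}(y1) = z1 and h_{a,b}(y2) = z2, y1 != y2.

    Choose single-bit extensions v_i = z_i||c_i with random bits c_i and
    solve a*y1 + b = v1, a*y2 + b = v2.  Since (a, b) -> (v1, v2) is a
    bijection when y1 != y2, uniform c_i give a uniform consistent pair."""
    assert y1 != y2
    c1, c2 = coins if coins is not None else (randrange(2), randrange(2))
    v1, v2 = (z1 << 1) | c1, (z2 << 1) | c2
    a = gf_mul(v1 ^ v2, gf_inv(y1 ^ y2))  # subtraction is xor in GF(2^n)
    b = v1 ^ gf_mul(a, y1)
    return a, b
```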