This preview shows page 1. Sign up to view the full content.
Unformatted text preview: Fragments of a chapter on Signature Schemes
(revised, second posted version) Extracts from a working draft for Volume 2 of Foundations of Cryptography Oded Goldreich
Department of Computer Science and Applied Mathematics Weizmann Institute of Science, Rehovot, Israel. February 10, 2002 I to Dana c Copyright 2002 by Oded Goldreich. Permission to make copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for pro t or commercial advantage and that new copies bear this notice and the full citation on the rst page. Abstracting with credit is permitted. II Preface
The current manuscript is a preliminary draft of the chapter on signature schemes (Chapter 6) of the second volume of the work Foundations of Cryptography. This manuscript subsumes a previous version posted in May 2000.
The bigger picture. The current manuscript is part of a working draft of
Part 2 of the threepart work Foundations of Cryptography (see Figure 0.1). The three parts of this work are Basic Tools, Basic Applications, and Beyond the Basics. The rst part (containing Chapters 1{4) has been published by Cambridge University Press (in June 2001). The second part, consists of Chapters 5{7 (regarding Encryptioni Schemes, Signatures Schemes, and General Cryptographic Protocols, respectively). We hope to publish the second part with Cambridge University Press within a couple of years. Part 1: Introduction and Basic Tools Chapter 1: Introduction Chapter 2: Computational Di culty (OneWay Functions) Chapter 3: Pseudorandom Generators Chapter 4: ZeroKnowledge Proofs Part 2: Basic Applications Chapter 5: Encryption Schemes Chapter 6: Signature Schemes Chapter 7: General Cryptographic Protocols Part 3: Beyond the Basics Figure 0.1: Organization of this work III IV The partition of the work into three parts is a logical one. Furthermore, it o ers the advantage of publishing the rst part without waiting for the completion of the other parts. Similarly, we hope to complete the second part within a couple of years, and publish it without waiting for the third part. basic knowledge of algorithms (including randomized ones), computability and elementary probability theory. Background on (computational) number theory, which is required for speci c implementations of certain constructs, is not really required here. Prerequisites. The most relevant background for this text is provided by Using this text. The text is intended as part of a work that is aimed to serve both as a textbook and a reference text. That is, it is aimed at serving both the beginner and the expert. In order to achieve this aim, the presentation of the basic material is very detailed so to allow a typical CSundergraduate to follow it. An advanced student (and certainly an expert) will nd the pace (in these parts) way too slow. However, an attempt was made to allow the latter reader to easily skip details obvious to him/her. In particular, proofs are typically presented in a modular way. We start with a highlevel sketch of the main ideas, and only later pass to the technical details. Passage from highlevel descriptions to lower level details is typically marked by phrases such as details follow.
In a few places, we provide straightforward but tedious details in indented paragraphs as this one. In some other (even fewer) places such paragraphs provide technical proofs of claims that are of marginal relevance to the topic of the book. More advanced material is typically presented at a faster pace and with less details. Thus, we hope that the attempt to satisfy a wide range of readers will not harm any of them. hand, way beyond what one may want to cover in a course, and on the other hand falls very short of what one may want to know about Cryptography in general. To assist these con icting needs we make a distinction between basic and advanced material, and provide suggestions for further reading (in the last section of each chapter). In particular, sections, subsections, and subsubsections marked by an asterisk (*) are intended for advanced reading. Teaching. The material presented in the full (threevolume) work is, on one Table of Contents
Preface 6 Signatures and Message Authentication
6.1 De nitional Issues : : : : : : : : : : : : : : : : : : : : : : : : : : 479 6.1.1 Message authentication versus signature schemes : : : : : 480 6.1.2 Basic mechanism : : : : : : : : : : : : : : : : : : : : : : : 481 6.1.3 Attacks and security : : : : : : : : : : : : : : : : : : : : : 482 6.1.4 Comments : : : : : : : : : : : : : : : : : : : : : : : : : : : 484 6.1.4.1 Augmenting the attack with a veri cation oracle 485 6.1.4.2 Inessential generalities : : : : : : : : : : : : : : : 485 6.1.4.3 Weaker notions of security and some popular schemes486 6.2 Lengthrestricted signature scheme : : : : : : : : : : : : : : : : : 486 6.2.1 De nition : : : : : : : : : : : : : : : : : : : : : : : : : : : 486 6.2.2 The power of lengthrestricted signature schemes : : : : : 487 6.2.2.1 Signing (augmented) blocks : : : : : : : : : : : : 488 6.2.2.2 Signing a hash value : : : : : : : : : : : : : : : : 492 6.2.3 * Constructing collisionfree hashing functions : : : : : : 495 6.2.3.1 A construction based on clawfree permutations 496 6.2.3.2 Collisionfree hashing via blockchaining : : : : : 497 6.2.3.3 Collisionfree hashing via treehashing : : : : : : 500 6.3 Constructions of Message Authentication Schemes : : : : : : : : 502 6.3.1 Applying a pseudorandom function to the document : : : 502 6.3.1.1 A simple construction and a plausibility result : 502 6.3.1.2 * Using the hashandsign paradigm : : : : : : : 504 6.3.1.3 * A variation on the hashandsign paradigm : : 505 6.3.2 * More on HashandHide and statebased MACs : : : : : 509 6.3.2.1 The de nition of statebased MACs : : : : : : : 510 6.3.2.2 Statebased hashandhide MACs : : : : : : : : 512 6.4 Constructions of Signature Schemes : : : : : : : : : : : : : : : : 515 6.4.1 Onetime signature schemes : : : : : : : : : : : : : : : : : 515 6.4.1.1 De nitions : : : : : : : : : : : : : : : : : : : : : 516 6.4.1.2 Constructing lengthrestricted onetime signature schemes : : : : : : : : : : : : : : : : : : : : : : : 517 6.4.1.3 From lengthrestricted schemes to general ones : 520 V III 479 1 6.4.2 From onetime signature schemes to general ones : : : : : 6.4.2.1 The refreshing paradigm : : : : : : : : : : : : : 6.4.2.2 Authentication{trees : : : : : : : : : : : : : : : : 6.4.2.3 The actual construction : : : : : : : : : : : : : : 6.4.2.4 Conclusions and comments : : : : : : : : : : : : 6.4.3 * Universal OneWay Hash Functions and using them : : 6.4.3.1 De nition : : : : : : : : : : : : : : : : : : : : : : 6.4.3.2 Constructions : : : : : : : : : : : : : : : : : : : 6.4.3.3 Onetime signature schemes based on UOWHF : 6.4.3.4 Conclusions and comments : : : : : : : : : : : : 6.5 * Additional Properties : : : : : : : : : : : : : : : : : : : : : : : 6.5.1 Unique signatures : : : : : : : : : : : : : : : : : : : : : : 6.5.2 Supersecure signature schemes : : : : : : : : : : : : : : : 6.5.3 O line/online signing : : : : : : : : : : : : : : : : : : : : 6.5.4 Incremental signatures : : : : : : : : : : : : : : : : : : : : 6.5.5 Failstop signatures : : : : : : : : : : : : : : : : : : : : : : 6.6 Miscellaneous : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 6.6.1 On Using Signature Schemes : : : : : : : : : : : : : : : : 6.6.2 On Information Theoretic Security : : : : : : : : : : : : : 6.6.3 On Popular Schemes : : : : : : : : : : : : : : : : : : : : : 6.6.4 Historical Notes : : : : : : : : : : : : : : : : : : : : : : : 6.6.4.1 Signature Schemes : : : : : : : : : : : : : : : : : 6.6.4.2 Message Authentication Schemes : : : : : : : : : 6.6.5 Suggestion for Further Reading : : : : : : : : : : : : : : : 6.6.6 Open Problems : : : : : : : : : : : : : : : : : : : : : : : : 6.6.7 Exercises : : : : : : : : : : : : : : : : : : : : : : : : : : : 521 521 523 533 536 537 538 539 547 550 551 551 552 556 557 559 560 560 561 562 563 563 564 565 566 566 478 Chapter 6 Digital Signatures and Message Authentication
Message authentication and (digital) signatures were the rst tasks that joined encryption to form modern cryptography. Both message authentication and digital signatures are concerned with the \authenticity" of data, and the di erence between them is analogous to the di erence between privatekey and publickey encryption schemes. In this chapter, we de ne message authentication and digital signatures, and the security notions associated to them. We show how to construct message authentication schemes using pseudorandom functions, and how to construct signature schemes using oneway permutations. We stress that the latter construction employ oneway permutations that do not necessarily have a trapdoor. Towards presenting the latter constructions, we discuss restricted types of message authentication and signature schemes, which are of independent interest, such as lengthrestricted schemes (see Section 6.2) and onetime signature schemes (see Section 6.4.1). role in the following sections. As in Chapter 5, we assume that the reader is familiar with the material in Chapters 2 and 3 (and speci cally with Sections 2.2, 2.4, and 3.6). This familiarity is important not only because we use some of the notions and results presented in these sections, but rather because we use similar proof techniques (and do it while assuming that this is not the reader's rst encounter with these techniques). Teaching Tip: Indeed, do not skip Section 6.2, since it does play an important 6.1 De nitional Issues
Loosely speaking, message authentication and signature schemes are supposed to enable reliable transmission of data between parties. That is, the basic setting 479 480 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION consists of a sender and a receiver, where the receiver may be either predetermined or determined only after the data was sent. Loosely speaking, the receiver wishes to be guaranteed that the data received was actually sent by the sender, rather than modi ed (or even concocted) by a third party. The receiver may be a party sharing an unreliable pointtopoint communication line with the sender (which is indeed the typical setting in which message authentication is employed). However, in other cases (i.e., when signature schemes are employed), the receiver may be any party that obtains the data in the future and wishes to verify that it was indeed sent by the declared sender. In both cases, the reliability (or authenticity) of the data is established by an authentication process that consists of two main processes: 1. A signing process that is employed by the alleged sender in order to produce signatures to data of its choice. 2. A veri cation process that is employed by the receiver in order to determine the authenticity of the data using the provided signature. As in case of encryption schemes, the authentication process presupposes also a third (implicit) process called keygeneration that allows the sender to generate a signingkey (to be used in the signing process), along with a veri cationkey (to be used in the veri cation process). The possession of the signingkey constitutes the sender's advantage over the adversary (see analogous discussion in Chapter 5). The di erence between message authentication and signature schemes arises from the di erence in the settings to which they are intended, which amounts to a di erence in the identity of the receiver and in the level of trust that the sender has in the receiver. Typically, message authentication schemes are employed in cases where the receiver is predetermined (at the time of message transmission) and is fully trusted by the sender, whereas signature schemes allow veri cation of the authenticity of the data by anybody (which is certainly not trusted by the sender). In other words, signature schemes allow for universal veri cation, whereas message authentication schemes may only allow predetermine parties to verify the authenticity of the data. Thus, in signature schemes the veri cationkey must be known to anybody, and in particular is known to the adversary. In contrast, in messageauthentication schemes, the veri cationkey is only given to a set of predetermined receivers that are all trusted not to abuse this knowledge that is, in such schemes it is postulated that the veri cationkey is not (apriori) known to the adversary. di er in the question of whether the veri cationkey is secret (i.e., unknown to the adversary) or public (and also known to the adversary). Thus, in a sense, these are privatekey and publickey versions of a task that lacks a good name (since both authentication and signatures are already taken by one of 6.1.1 Message authentication versus signature schemes Summary and terminology: Message authentication and signature schemes 6.1. DEFINITIONAL ISSUES type Message auth. schemes Signature schemes veri cationkey known to designated (trusted) receiver(s) only to everybody (including adversary) veri cation possible for designated (trusted) receiver(s) only for anybody (including adversary) 481 Figure 6.1: Message authentication versus signature schemes. the versions). Still, seeking a uniform terminology, we shall sometimes refer to message authentication schemes (also known as message authentication codes (mac)) as to privatekey signature schemes. Analogously, we shall sometimes refer to signature schemes as to publickey signature schemes. We start by de ning the basic mechanism of messageauthentication and signature schemes. Recall that there will be privatekey and publickey versions, but the di erence between the two version is only re ected in the de nition of security. In contrast, the de nition of the basic mechanism says nothing about the security of the scheme (which is the subject of the next section), and thus is the same for both the privatekey and publickey versions. In both cases, the scheme consists of three e cient algorithms: key generation, signing (or authenticating) and veri cation. The basic requirement is that signatures that are produced by the signing algorithm be accepted as valid by the veri cation algorithm, when fed a veri cationkey corresponding to the signingkey used by the signing algorithm. 6.1.2 Basic mechanism De nition 6.1.1 (signature scheme): A signature scheme is a triple, (G S V ),
of probabilistic polynomialtime algorithms satisfying the following two conditions 1. On input 1n , algorithm G (called the key generator) outputs a pair of bit strings. 2. For every pair (s v) in the range of G(1n ), and for every algorithms S (signing) and V (veri cation) satisfy
Pr V (v
2 f 01 ,
g S (s ))=1] = 1 where the probability is taken over the internal coin tosses of algorithms S and V . The integer n serves as the security parameter of the scheme. Each (s v) in the range of G(1n ) constitutes a pair of corresponding signing/veri cation keys. The string S (s ) is a signature to the document 2 f0 1g using the signing key s. 482 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION We stress that De nition 6.1.1 says nothing about security, and so trivial (i.e., insecure) algorithms may satisfy it (e.g., S (s ) def 0 and V (v = ) def 1, for = all s v and ). Furthermore, De nition 6.1.1 does not distinguish privatekey signature schemes from publickey ones. The di erence between the two types is introduced in the security de nitions: In a publickey scheme the \forging algorithm" gets the veri cation key (i.e., v) as an additional input (and thus v = s follows), whereas in privatekey schemes v is not given to the \forging algorithm" (and thus one may assume, without loss of generality, that v = s).
6 Notation: In the rest of this book, we write Ss( ) instead of S (s ) and
Vv (
j j j j ) instead of V (v ). Also, we let G1 (1n ) (resp., G2 (1n )) denote the rst (resp., second) element in the pair G(1n ). That is, G(1n ) = (G1 (1n ) G2 (1n )). Without loss of generality, we may assume that G1 (1n ) and G2 (1n ) are polynomially related to n, and that each of these integers can be e ciently computed from the other. Comments: The above de nition may be relaxed in several ways without sig6 ni cantly harming its usefulness. For example, we may relax Condition (2) and allow a negligible veri cation error (e.g., Pr Vv ( Ss ( )) = 1] < 2;n). Alternatively, one may postulate that Condition (2) holds for all but a negligible measure of the keypairs generated by G(1n ). At least one of these relaxations is essential for many suggestions of (publickey) signature schemes. Another relaxation consists of restricting the domain of possible documents. However, unlike the situation with respect to encryption schemes, such a restriction is nontrivial in the current context, and is discussed at length in Section 6.2. 6.1.3 Attacks and security
We consider very powerful attacks on the signature scheme as well as a very liberal notion of breaking it. Speci cally, the attacker is allowed to obtain signatures to any document of its choice. One may argue that in many applications such a general attack is not possible (as documents to be signed must have a speci c format). Yet, our view is that it is impossible to de ne a general (i.e., applicationindependent) notion of admissible documents, and thus a general/robust de nition of an attack seems to have to be formulated as suggested here. (Note that at worst, our approach is overly cautious.) Likewise, the adversary is said to be successful if it can produce a valid signature to any document for which it has not asked for a signature during its attack. Again, this de nes the ability to form signatures to possibly \nonsensical" documents as a breaking of the scheme. Yet, again, we see no way to have a general (i.e., applicationindependent) notion of \meaningful" documents (so that only forging signatures to them will be consider a breaking of the scheme). The above discussion leads to the following (slightly informal) formulation. 6.1. DEFINITIONAL ISSUES 483 A chosen message attack is a process that can obtain signatures to strings of its choice, relative to some xed signingkey that is generated by G. We distinguish two cases. The privatekey case: Here the attacker is given 1n as input, and the signatures are produced relative to s, where (s v) G(1n ). The publickey case: Here the attacker is given v as input, and the signatures are produced relative to s, where (s v) G(1n ). Such an attack is said to succeeds (in existential forgery) if it outputs a valid signature to a string for which it has not requested a signature during the attack. That is, the attack is successful if it outputs a pair ( ) so that is di erent from all strings for which a signature has been required during 1 the attack, and Pr Vv ( ) = 1] 2 , where v is as above.1 A signature scheme is secure (or unforgeable) if every probabilistic polynomialtime chosen message attack succeeds with at most negligible probability. Formally, a chosen message attack is modeled by a probabilistic oracle machine that is given oracle access to a \keyed signing process" (i.e., the signing algorithm combined with the signingkey). Depending on the version (i.e., publickey or not), the attacker may get the corresponding veri cationkey as input. We stress that this is the only di erence between the two cases (i.e., privatekey and publickey) that are spelled out in De nition 6.1.2. We refer the reader to the clarifying discussion that follows De nition 6.1.2 in fact, some readers may prefer that discussion over the technical formulations. De nition 6.1.2 (unforgeable signatures):
Common notation: Let M be a probabilistic oracle machine. We denote by QO (x) the set of queries made by M on input x and access to oracle M O, and let M1O (x) denote the rst string in the pair of strings output by M on input x and access to oracle O. The privatekey case: A privatekey signature scheme is secure if for every probabilistic polynomialtime oracle machine M , every polynomial p and all su ciently large n, it holds that i h 1 S Pr VG2 (1n ) (M SG1 (1n ) (1n ))=1 & M1 G1 (1n ) (1n ) QSG1 (1n ) (1n ) < M p(n) where the probability is taken over the coin tosses of algorithms G, S and V as well as over the coin tosses of machine M .
62 1 The threshold of 1=2 used above is quite arbitrary. The de nition is essentially robust under the replacement of 1=2 by either 1=poly(n) or 1 ; 2;poly(n) , by ampli cation of the veri cation algorithm. For example, given V as above, one may consider V 0 that applies V to the tested pair for a linear number of times and accepting if and only if V has accepted in all tries. 484 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION The publickey case: A publickey signature scheme is secure if for every probabilistic polynomialtime oracle machine M , every polynomial p and all su ciently large n, it holds that 2 VG2 (1n ) (M SG1 (1n ) (G2 (1n )))=1 3 5 < 1 and Pr 4 p(n) SG1 (1n ) SG1 (1n ) M1 (G2 (1n)) QM (G2 (1n ))
62 where the probability is taken over the coin tosses of algorithms G, S and V as well as over the coin tosses of machine M . The de nition refers to the following experiment. First a pair of keys, (s v), is generated by invoking G(1n ), and is xed for the rest of the discussion.2 Next, an attacker is invoked on input 1n or v, depending if we are in the privatekey or publickey case. In both cases, the attacker is given oracle access to Ss , where the latter may be a probabilistic oracle rather than a standard deterministic one (e.g., if queried twice for the same value then the signing oracle may answer in di erent ways). Finally, the attacker outputs a pair of strings ( ). The attacker is deemed successful if and only if the following two conditions hold: 1. The string is di erent than all queries (i.e., requests for signatures) S made by the attacker that is, M1 s (x) QSs (x), where x = 1n or x = v M depending on whether we are in the privatekey or publickey case. S We stress that both M1 s (x) and QSs (x) are random variables that are M de ned based on the same random execution of M (on input x and oracle access to Ss ).
62 2. The pair ( ) corresponds to a valid documentsignature pair relative to the veri cation key v. In case V is deterministic (which is typically the case) this means that Vv ( ) = 1. The same applies also in case V is probabilistic, and when viewing Vv ( ) = 1 as a random variable. (Alternatively, in the latter case, a condition such as Pr Vv ( ) = 1] 1=2 may replace the condition Vv ( ) = 1.) 6.1.4 Comments
Clearly, any signature scheme that is secure in the publickey model is also secure in the privatekey model. The converse is not true: consider, for example, the privatekey scheme presented in Construction 6.3.1 (as well as any other \natural" message authentication scheme). Following are a few other comments regarding the de nitions.
2 We stress that G (1n ) and G (1n ) represent related random variables. Thus, given oracle 1 2 access to SG1 (1n ) means given oracle access to Gs , where s is selected and xed according to G1 (1n ). 6.1. DEFINITIONAL ISSUES 485 Indeed, it is natural to augment De nition 6.1.2 by providing the adversary with unlimited access to the corresponding veri cation oracle Vv . We stress that (in this augmented de nition) the documents that (only) appear in the veri cation queries are not added to the set QSs that is, the output ( ) is considered a M successful forgery even if the adversary made the veri cationquery ( ), but provided (as before) that the adversary did not make the signingquery (and that Vv ( ) = 1). Indeed, in the publickey case, the veri cationoracle adds no power to the adversary, since the adversary (which is given the veri cationkey) can emulate the veri cationoracle by itself. Furthermore, typically, also in the privatekey model, the veri cationoracle does not add much power. Speci cally, as discussed in Section 6.5.1 (see also Exercises 1 and 2), any secure privatekey signature scheme can be transformed into one having a deterministic veri cation algorithm and unique valid signatures (i.e., for every veri cationkey v and document , there exists a unique such that Vs ( ) = 1). In fact, all privatekey signature schemes presented in Section 6.3 have unique valid signatures. Considering an arbitrary combined attack on such a privatekey signature scheme, we emulate the veri cationqueries (in the original model) as follows. For a veri cationquery ( ) if equals a previous signingquery, then we can emulate the answer by ourselves. Speci cally, if the signingquery was answered with then we we answer the veri cationquery positively else we answer it negatively. Otherwise (i.e., for a veri cationquery ( ) such that does not equal any previous signingquery), we may choose either to output ( ) as a candidate forgery (gambling on Vv ( ) = 1) or emulate a negative answer by ourselves (gambling on Vv ( ) = 0). Speci cally, for every such veri cationquery, we may choose the rst possibility with probability 1=t(n) and the second possibility otherwise, where t(n) is a bound on the number of veri cationqueries performed by the original augmented attack (which we emulate). For further discussion see Exercise 3. 6.1.4.1 Augmenting the attack with a veri cation oracle 6.1.4.2 Inessential generalities The de nitions presented above (speci cally, De nition 6.1.1) were aimed at generality and exibility. We comment that several levels of freedom can be eliminated without loss of generality (but with some loss of convenience). Firstly, as in the case of encryption schemes, one may modify the keygeneration algorithm so that on input 1n it outputs a pair of nbit long keys. Two more fundamental restrictions, which actually do not a ect the existence of secure schemes, follow. Randomization in the signing process: In contrast to the situation with respect to encryption schemes (see Sections 5.2 and 5.3), randomization is not 486 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION essential to the actual signing and verifying processes (but is, as usual, essential to key generation). That is, without loss of generality (but with possible loss in e ciency), the signing algorithm may be deterministic, and in all schemes we present (in the current chapter) the veri cation algorithm is indeed deterministic. For details, see Exercise 1. the privatekey case, we may just identify the signing and veri cation keys (i.e., k def s = v). Furthermore (following the comment about deterministic signing), = without loss of generality, veri cation may amount to comparing the alleged signature against the one produced by the veri cation algorithm (as done by the signing algorithm). That is, we may let Vk ( ) def 1 if and only if = Sk ( ). = For details, see Exercise 2. Canonical veri cation in the privatekey version: As hinted above, in 6.1.4.3 Weaker notions of security and some popular schemes
Weaker notion of security have been considered in the literature. The various notions refer to two parameters: (1) the type of attack, and (2) when is the adversary considered to be a success. Indeed, De nition 6.1.2 refers to the most severe type of attacks (i.e., unrestricted chosen message attacks) and to the most liberal notion of success (i.e., ability to produce a valid signature to any new message). The interested reader is referred to Section 6.6.5. We note that plain RSA as well as plain versions of Rabin's scheme and the DSS are not secure under De nition 6.1.2. However, these schemes satisfy weaker notions of security, provided that some (standard) intractability assumptions hold. Furthermore, variants of these signature schemes (in which the function is not applied directly to the document itself) may be secure (under De nition 6.1.2). 6.2 Lengthrestricted signature scheme
Restricted types of (publickey and privatekey) signature schemes play an important role in our exposition. The rst restriction we consider is the one of schemes yielding secure signatures only to documents of a certain predetermined length. The e ect of the lengthrestriction is more dramatic here (in the context of signature schemes) than it was in the context of encryption schemes compare the following to Section 5.3.2. Nevertheless, as we shall show (see Theorem 6.2.2 below), if the length restriction is not too low then the full power of signature schemes can be regained. 6.2.1 De nition The essence of the lengthrestriction is in that security is guaranteed only with respect to documents of the predetermined length. Note that the question of 6.2. LENGTHRESTRICTED SIGNATURE SCHEME 487 what is the result of invoking the signature algorithm on a document of improper length is immaterial. What is important is that an attacker (of a lengthrestricted scheme) is deemed successful only if it produces a signature to a (different) document of proper length. Still, for sake of concreteness (and simplicity of subsequent treatment), we de ne the basic mechanism only for documents of proper length.
N . An `restricted signature scheme is a triple, (G S V ), of probabilistic polynomialtime algorithms satisfying the following two conditions 1. As in De nition 6.1.1, on input 1n , algorithm G outputs a pair of bit strings. 2. Analogously to De nition 6.1.1, for every n and every pair (s v) in the range of G(1n ), and for every 2 f0 1g`(n), algorithms S and D satisfy Pr V (v S (s ))=1] = 1. Such a scheme is called secure (in the privatekey or publickey model) if the (corresponding) requirements of De nition 6.1.2 hold when restricted to attackers that only make queries of length `(n) and output a pair ( ) with j j = `(n). De nition 6.2.1 (signature scheme for xed length documents): Let ` : N ! We stress that the essential modi cation is presented in the security condition is that considers an adversary to be successful only it case it forges a signature to a (di erent) document of the proper length (i.e., = `(n)).
j j 6.2.2 The power of lengthrestricted signature schemes We comment that `restricted privatekey signature schemes for `(n) = O(log n) are trivial (since the signing and veri cation keys may contain a table lookup associating a secret with each of the 2`(n) = poly(n) possible documents).3 In contrast, this triviality does not hold for publickey signature schemes. (For both claims, see Exercise 5.) On the other hand, in both (privatekey and publickey) cases, `restricted signature schemes for superlogarithmic ` (e.g., `(n) = n or even `(n) = log2 n will do) are as powerful as ordinary signature schemes: 2 Theorem 6.2.2 Suppose that ` is a superlogarithmically growing function. Then, given an `restricted signature scheme that is secure in the privatekey (resp., publickey) model, one can construct a full edged signature scheme that is secure in the same model.
Results of the above avor can be established in two di erent ways, corresponding to two methods of converting an `restricted signature scheme into a fulledged one. Both methods are applicable both to privatekey and publickey signature schemes. The rst method (presented in Section 6.2.2.1) consists of parsing the original document into blocks (with proper \linkage" between blocks!),
3 Recall, that such triviality does not hold in the context of encryption schemes not even in the privatekey case. See Section 5.3.2. 488 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION and applying the `restricted scheme to each block. The second method (presented in Section 6.2.2.2) consists of hashing the document into an `(n)bit long value (via an adequate hashing scheme!), and applying the restricted scheme to the resulting value. Thus, the second method requires an additional assumption (i.e., the existence of \collisionfree" hashing), and so Theorem 6.2.2 (as stated) is actually proved using the rst method. The second method is presented because it o ers other bene ts in particular, it will play an important role in subsequent sections (e.g., in Sections 6.3.1.2 and 6.4.1.3). 6.2.2.1 Signing (augmented) blocks
In this subsection we present a simple method for constructing general signature schemes out of lengthrestricted ones, and doing so we establish Theorem 6.2.2. Loosely speaking, the method consists of parsing the original document into blocks (with proper \linkage" between blocks!), and applying the lengthrestricted scheme to each (augmented) block. Let ` and (G S V ) be as in Theorem 6.2.2. We construct a general signature scheme, (G0 S 0 V 0 ), with G0 = G, by viewing documents as sequences of strings, each of length `0 (n) = `(n)=O(1). That is, we associate = 1 t with the sequence ( 1 ::: t ), where each i has length `0 (n). (At this point, the reader may think of `0(n) = `(n), but actually we will use `0 (n) = `(n)=4 in order to make room for further information.) To motivate the following construction, consider the following simpler schemes aimed at producing secure signatures for sequences of `0 (n)bit long strings. The simplest idea is to just sign each of the strings in the sequence. That is, the signature to the sequence ( 1 ::: t ), is a sequence of i 's each being a signature (w.r.t the lengthrestricted scheme) to the corresponding i . This will not do since an adversary, given a single signature ( 1 2 ) to the sequence ( 1 2 ) with 1 = 2 , can present ( 2 1 ) as a signature to ( 2 1 ). So how about signing the sequence ( 1 ::: t ) by applying the restricted scheme to each pair (i i ), so to foil the above attack? This will not do either, since an adversary, given a signature to the sequence ( 1 2 3 ) can easily present a signature to the sequence ( 1 2 ). So we need to include in each `(n)bit string also the total number of i 's in the sequence. But even this is not enough, since an adversary given signatures to the sequences ( 1 2 ) and ( 01 02 ), with 1 = 01 and 2 = 02 , can easily generate a signature to ( 1 02 ). Thus, we have to prevent the forming of new sequences of basic signatures by combination of elements from di erent signature sequences. This can be done by associating (say at random) an identi er with each sequence and incorporating this identi er in each `(n)bit string to which the restricted scheme is applied. This yields the following signature scheme:
6 6 6 Construction 6.2.3 (signing augmented blocks): Let ` and (G S V ) be as
in Theorem 6.2.2. We construct a general signature scheme, (G0 S 0 V 0 ), with G0 = G, by considering documents as sequences of strings. We construct S 0 and V 0 as follows, using G0 = G and `0 (n) = `(n)=4. 6.2. LENGTHRESTRICTED SIGNATURE SCHEME 489 signing with S 0 : On input a signingkey s G1 (1n ) and a document 01 , algorithm S 0 rst parses into 1 ::: t so that is uniquely reconstructed from the i 's and each i is an `0 (n)bit long string.4 Next, S 0 uniformly selects r 0 1 ` (n) . For i = 1 ::: t, algorithm S 0 computes i Ss (r t i i ) where i and t are represented as `0 (n)bit long strings. That is, i is a signature to the statement \ i is the ith block, out of t blocks, in a sequence associate with identi er r". Finally, S 0 outputs as signature the sequence (r t 1 :::: t )
2 2 f g 2 f g
0 veri cation with V 0 : On input a verifyingkey v G2 (1n ), a document 0 1 , and a sequence (r t 1 :::: t ), algorithm V 0 rst parses into 0 0 1 ::: t , using the same parsing rule as S . Algorithm V accepts if and only if the following two conditions hold: 1. t0 = t, where t0 is obtained in the parsing of and t is part of the alleged signature. 2. For i = 1 ::: t, it holds that Vv ((r t i i ) i ), where i is obtained in the parsing of and the rest are as in the corresponding parts of the alleged signature. Clearly, the triplet (G0 S 0 V 0 ) satis es De nition 6.1.1. We need to show that is also inherits the security of (G S V ). That is, Proposition 6.2.4 Suppose that (G S V ) is an `restricted signature scheme that is secure in the privatekey (resp., publickey) model. Then (G0 S 0 V 0 ), as de ned in Construction 6.2.3 is a full edged signature scheme that is secure in the privatekey (resp., publickey) model. Theorem 6.2.2 follows immediately from Proposition 6.2.4. Proof: The proof is by a reducibility argument, and holds for both the privatekey and the publickey models. Given an adversary A0 attacking the complex scheme (G0 S 0 V 0 ), we construct an adversary A that attacks the `restricted scheme, (G S V ). In particular, A invokes A0 with input identical to its own input (which is the security parameter or the veri cationkey depending on the model), and uses its own ora0 cle in order to emulate the oracle Ss for A0 . This can be done in a straightforward 0 manner that is, algorithm A will act as Ss does by using the oracle Ss . Specif0 of A0 into a corresponding sequence ( 0 ::: 0 ), ically, A parses each query 1 t uniformly selects an identi er r0 , and obtains Ss signatures to (r0 t0 j 0j ), for j = 1 ::: t0. When A0 outputs a documentsignature pair relative to the complex scheme (G0 S 0 V 0 ), algorithm A tries to use this pair in order to form a documentsignature pair relative to the `restricted scheme, (G S V ).
2 2 f g
0 0 4 For example, we may require that 10j = 1 t and j < `0 (n). 490 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION We stress that from the point of view of adversary A0 , the distribution of keys and oracle answers that A provides it with is exactly as in a real attack on (G0 S 0 V 0 ). This is a crucial point since we use the fact that events that occur in a real attack of A0 on (G0 S 0 V 0 ), occur with the same probability in the emulation of (G0 S 0 V 0 ) by A. Assume that with (nonnegligible) probability "0 (n), the (probabilistic polynomialtime) algorithm A0 succeeds in existentially forging relative to the complex scheme (G0 S 0 V 0 ). We consider the following cases regarding the forging event: 1. The identi er supplied in the forged signature is di erent from the random identi ers supplied (by A) as part of the signatures given to A0 . In this case, each `restricted signature supplied as part of the forged (complex) signature, yields existential forgery relative to the `restricted scheme. Formally, let (1) ::: (m) be the sequence of queries made by A0 , and let (r(1) t(1) (1) ) ::: (r(m) t(m) (m) ) be the corresponding (complex) signatures supplied to A0 by A (using Ss to form the (i) 's). Let ( (r t 1 :::: t )) be the output of A0 , and suppose that applying Vv0 to it yields 1 (i.e., it is a valid documentsignature pair for the complex scheme). It follows that each (i) consists of a sequence of Ss signatures to `(n)bit strings starting with r(i) 0 1 `(n)=4, and that the oracle Ss was invoked (by A) only on strings of this form. The case hypothesis states that r = r(i) , for all i's. It follows that each of the j 's is an Ss signature to a string starting with r 0 1 `(n)=4, and thus di erent from all queries made to the oracle Ss . Thus, each pair ((r t i i ) i ) is a valid documentsignature pair (since Vv0 ( (r t 1 :::: t )) = 1 implies Vv ((r t i i ) i ) = 1), with a document di erent than all queries made to Ss . This yields a successful forgery with respect to the `restricted scheme. 2. The identi er supplied in the forged signature equals the random identi er supplied (by A) as part of exactly one of the signatures given to A0 . Formally, let (1) ::: (m) be the sequence of queries made by A0 , and let (r(1) t(1) (1) ) ::: (r(m) t(m) (m) ) be the corresponding (complex) signatures supplied to A0 by A (using Ss to form the (i) 's). Let ( (r t 1 :::: t )) be the output of A0 , and suppose that applying Vv0 to it yields 1 (i.e., it is a valid documentsignature pair for the complex scheme). The hypothesis of the current case is that there exists a unique i so that r = r(i) . We consider two subcases regarding the relation between t and t(i) : t = t(i) . In this subcase, each `restricted signature supplied as part of the forged (complex) signature, yields existential forgery relative to the `restricted scheme. The argument is analogous to the one employed in the previous case. Speci cally, here each of the j 's is an Ss signature to a string starting with (r t), and thus di erent from all queries made to the oracle Ss (since these queries either start with r(i ) = r or start with (r(i) t(i) ) = (r t)). Thus, each pair
2 f g 6 2 f g 6
0 6 6 6.2. LENGTHRESTRICTED SIGNATURE SCHEME 491 ((r t j j ) j ) is a valid documentsignature pair with a document di erent than all queries made to Ss . t = t(i) . In this case we use the hypothesis = (i) , which implies that there exists a j so that j = (i) , where (i) is the j th block j j in the parsing of (i) . In this subcase, j (supplied as part of the forged complexsignature), yields existential forgery relative to the `restricted scheme. Speci cally, we have Vv ((r t j j ) j ) = 1, and (r t j j ) is di erent from each query (r(i ) t(i ) j 0 (i ) ) made by A j to Ss . Justi cation for (r t j j ) 6= (r(i ) t(i ) j 0 (i ) ). If i0 6= i then j (by the case hypothesis regarding uniqueness of i s.t. r(i) 6= r) it holds that r(i ) 6= r. Otherwise (i.e., i0 = i) either j 0 6= j or
6 6
0 0 0 0 0 0 0 0 0 Thus, ((r t j j ) j ) is a valid documentsignature pair with a document di erent than all queries made to Ss . 3. The identi er supplied in the forged signature equals the random identi ers supplied (by A) as part of at least two signatures given to A0 . In particular, it follows that two signatures given to A use the same random identi er. The probability that this event occurs is at most j 6= j = j .
(i0 )
0 (i) m 2;` (n) < m2 2;`(n)=4 2
0 However, m = poly(n) (since A0 runs in polynomialtime), and 2;`(n)=4 is negligible (since ` is superlogarithmic). So this case occurs with negligible probability, and may be ignored. Note that A can easily determine which of the cases occurs and act accordingly.5 Thus, assuming that A0 forges relative to the complex scheme with nonnegligible probability "0 (n), it follows that A forges relative to the lengthrestricted scheme with nonnegligible probability "(n) "0 (n) poly(n) 2;`(n)=4 , in contradiction to the proposition's hypothesis.
; Comment: We call the reader's attention to the essential role of the hypothesis that ` is superlogarithmic in the proof of Proposition 6.2.4. Indeed, Construction 6.2.3 is insecure in case `(n) = O(log n). The reason being that, by asking 0 for polynomiallymany signatures, the adversary may obtain two Ss signatures that use the same (random) identi er. Furthermore, with some care, these signatures yield existential forgery (see Exercise 6).
5 This observation only saves us a polynomial factor in the forging probability. That is, if A did not know which part of the forged complexsignature to use in its own forgery, it could have selected one at random (and be correct with probability 1=poly(n) because there are only poly(n)many possibilities). 492 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION In this subsection we present an alternative method for constructing general signature schemes out of lengthrestricted ones. Loosely speaking, the method consists of hashing the document into a short ( xedlength) string (via an adequate hashing scheme), and applying the lengthrestricted signature scheme to the resulting hashvalue. This twostage process is referred to as the hash and sign paradigm. Let ` and (G S V ) be as in Theorem 6.2.2. The second method of constructing a general signature scheme out of (G S V ) is based on the hash then sign paradigm. That is, rst the document is hashed to an `(n)bit long value, and then the `restricted scheme is applied to the hashed value. Thus, in addition to an `restricted scheme, this method employs an adequate hashing scheme. In particular, one way of implementing this method is based on \collisionfree hashing" (de ned next). An alternative implementation, based on \universal oneway hashing" is deferred to Section 6.4.3. 6.2.2.2 Signing a hash value Collisionfree hashing functions. Loosely speaking, a collisionfree hashing scheme consists of a collection of functions fhs : f0 1g ! f0 1gjsjgs2f0 1g so that given s and x it is easy to compute hs (x), but given a random s it is hard to nd x 6= x0 such that hs (x) = hs (x0 ). De nition 6.2.5 (collisionfree hashing functions): Let ` : N ! N . A collection of functions fhs : f0 1g ! f0 1g`(jsj)gs2f0 1g is called collisionfree hashing if there exists a probabilistic polynomialtime algorithm I so that the following holds 1. (admissible indexing { technical):6 For some polynomial p, all su ciently large n's and every s in the range of I (1n ) it holds that n p(jsj). Furthermore, n can be computed in polynomialtime from s. 2. (e cient evaluation): There exists a polynomialtime algorithm that given s and x, returns hs (x). 3. (hard to form collisions): We say that the pair (x x0 ) forms a collision under the function h if h(x) = h(x0 ) but x 6= x0 . We require that every probabilistic polynomialtime algorithm, given I (1n ) as input, outputs a collision under hI (1n ) with negligible probability. That is, for every probabilistic polynomialtime algorithm A, every polynomial p and all su ciently large n's, 1 Pr A(I (1n )) is a collision under hI (1n) < p(n) where the probability is taken over the internal coin tosses of algorithms I and A.
6 This condition is made merely to avoid annoying technicalities. In particular, it allows the collisionforming adversary to run for poly(n)time (since by this condition poly(n) = poly(jsj)) as well as allows to determine n from s. Note that jsj = poly(n) holds by de nition of I . 6.2. LENGTHRESTRICTED SIGNATURE SCHEME
The function ` is called the range speci er of the collection. 493 Note that the range speci er must be superlogarithmic (or else one may easily nd a collisions by selecting 2`(n) + 1 di erent preimages and computing their image under the function). In Section 6.2.3, we show how to construct collisionfree hashing functions using clawfree collections. But rst, we show how to use the former in order to convert a lengthrestricted signature scheme into a full edged one.
and let fhr : f0 1g ! f0 1g`(jrj)gr2f0 1g be as in De nition 6.2.5. We construct a general signature scheme, (G0 S 0 V 0 ), as follows: keygeneration with G0 : On input 1n , algorithm G0 rst invokes G to obtain (s v) G(1n ). Next it invokes I , the indexing algorithm of the collisionfree hashing collection, to obtain r I (1n ). Finally, G0 outputs the pair ((r s) (r v)), where (r s) serves as a signingkey and (r v) serves as a veri cationkey. signing with S 0 : On input a signingkey (r s) 2 G01 (1n ) and a document 2 0 f0 1g , algorithm S invokes S once to produce and output Ss (hr ( )). veri cation with V 0 : On input a verifyingkey (r v) 2 G02 (1n ), a document 2 f0 1g , and a alleged signature , algorithm V 0 invokes V , and outputs Vv (hr ( ) ). Construction 6.2.6 (hash and sign): Let ` and (G S V ) be as in Theorem 6.2.2, Proposition 6.2.7 Suppose that (G S V ) is an `restricted signature scheme that is secure in the privatekey (resp., publickey) model. Suppose that fhr : `(jrj)gr2f0 1g is indeed a collisionfree hashing collection. Then f0 1g ! f0 1g 0 S 0 V 0 ), as de ned in Construction 6.2.6 is a full edged signature scheme (G that is secure in the privatekey (resp., publickey) model. Proof: Intuitively, the security of (G0 S 0 V 0) follows from the security of
f g (G S V ) and the collisionfreeness property of the collection hr . Speci cally, forgery relative to (G0 S 0 V 0 ) can be obtained by either a forged S signature to a hashvalue di erent from all hashvalues that appeared in the attack or by forming a collision under the hash function. That is, the actual proof is by a reducibility argument. Given an adversary A0 attacking the complex scheme (G0 S 0 V 0 ), we construct an adversary A that attacks the `restricted scheme, (G S V ), as well as an algorithm B forming collisions under the hashing collection hr . Both A and B will have runningtime related to that of A0 . We show if A0 is successful with nonnegligible probability than the same holds for either A or B . Thus, in either case, we reach a contradiction. We start with the description of algorithm A, which is designed to attack the `restricted scheme (G S V ). We stress that almost the same description applies both in the privatekey and publickey case. On input x, which equals the security parameter 1n in the privatekey case and a veri cationkey v otherwise (i.e., in the publickey case), the adversary
f g 494 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION A operates as follows. First A uses I (the indexing algorithm of the collisionfree hashing collection) to obtain r I (1n ), exactly as done in the second step of G0 . Next, A invokes A0 (on input 1n or (r v) depending on the case), and 0 uses r as well as its own oracle Ss in order to emulate the oracle Sr s for A0 . The emulation is done in a straightforward manner that is, algorithm A will 0 act as Sr s does by using the oracle Ss (i.e., to answer query q, algorithm A makes the query hr (q)). When A0 outputs a documentsignature pair relative to the complex scheme (G0 S 0 V 0 ), algorithm A tries to use this pair in order to form a documentsignature pair relative to the `restricted scheme, (G S V ). That is, if A0 outputs the documentsignature pair ( ), then A will output the documentsignature pair (hr ( ) ). We stress (again) that from the point of view of adversary A0 , the distribution of keys and oracle answers that A provides it with is exactly as in a real attack of A0 on (G0 S 0 V 0 ). This is a crucial point since we use the fact that events that occur in a real attack of A0 on (G0 S 0 V 0 ), occur with the same probability in the emulation of (G0 S 0 V 0 ) by A. Assume that with (nonnegligible) probability "0 (n), the (probabilistic polynomialtime) algorithm A0 succeeds in existentially forging relative to the complex scheme (G0 S 0 V 0 ). We consider the following two cases regarding the forging event, letting ( (i) (i) ) denote the ith query and answer pair made by A0 , and ( ) denote the forged documentsignature pair that A0 outputs (in case
of success): Case 1: hr ( ) = hr ( (i) ) for all i's. (That is, the hash value used in the forged signature is di erent from all hash values used in the queries to Ss .) In this case, the pair (hr ( ) ) constitutes a success in existential forgery relative to the `restricted scheme. Case 2: hr ( ) = hr ( (i) ) for some i. (That is, the hash value used in the forged signature equals the hash value used in the ith query to Ss , although = (i) .) In this case, the pair ( (i) ) forms a collision under hr (and we do not obtain success in existential forgery relative to the `restricted scheme). Thus, if Case 1 occurs with probability at least "0 (n)=2 then A succeeds in its attack on (G S V ) with probability at least "0 (n)=2, which contradicts the security of the `restricted scheme (G S V ). On the other hand, if Case 2 occurs with probability at least "0 (n)=2 then we derive a contradiction to the collisionfreeness of the hashing collection hr : 0 1 0 1 `(jrj) r2f0 1g . Details (regarding the second case) follow. We construct an algorithm, denoted B , that given r I (1n ), attempts to form collisions under hr as follows. On input r, algorithm B generates (s v) G(1n ), and emulates the attack of A on this instance of the `restricted scheme, with the exception that B does not invoke algorithm I to obtain an index of a hash function but rather uses the index r (given to it as input). Recall that A, 0 in turn, emulates an attack of A0 on the signing oracle Sr s , and that A answers 0 made by A0 by forwarding the query q = h (q 0 ) to S . Thus, B the query q r s
6 6 f f g ! f g g 6.2. LENGTHRESTRICTED SIGNATURE SCHEME 495 0 actually emulates the attack of A0 (on the signing oracle Sr s ), and does so in 0 made by A0 , algorithm B a straightforward manner that is, to answer query q rst obtains q = hr (q0 ) (using its knowledge of r) and then answers with Ss (q) (using its knowledge of s). Finally, when A0 outputs a forged documentsignature pair, algorithm B checks whether Case 2 occurs (i.e., whether hr ( ) = hr ( (i) ) holds for some i), in which case it obtains (and outputs) a collision under hr . (Note that in the publickey case B invokes A0 on input (r v), whereas in the privatekey case B invokes A0 on input 1n. Thus, in the privatekey case, B actually does not use r but rather an oracle access to hr .) We stress that from the point of view of the emulated adversary A, the execution is distributed exactly as in its attack on (G S V ). Thus, since the second case above occurs with probability at least "0 (n)=2 in a real attack, it follows that B succeeds to form a collision under hI (1n ) with probability at least "0 (n)=2. This contradicts the collisionfreeness of the hashing functions, and the proposition follows. Comment: For the privatekey case, the proof of Proposition 6.2.7 actually established a stronger claim than stated. The proof holds even for a weaker definition of collisionfree hashing in which the adversary is not given a description of the hashing function, but can rather obtain its values at any preimage of its choice. This observation is further pursued in Section 6.3.1.3. On using the hash and sign paradigm in practice. The hashandsign paradigm, underlying Construction 6.2.6, is often used in practice. Speci cally, a document is signed using a twostage process: rst the document is hashed into a (relatively) short bit string, and next a basic signature scheme is applied to the resulting string. We stress that this process yields a secure signature scheme only if the hashing scheme is collisionfree (as de ned above). In Section 6.2.3, we present one way of constructing collisionfree hashing functions. Alternatively, one may indeed postulate that certain o theshelf products (such as MD5 or SHA) are collisionfree, but such assumptions need to be seriously examined (and indeed may turn out false). We stress that using a hashing scheme, in the above twostage process, without seriously evaluating whether or not it is collisionfree is a very dangerous practice. 6.2.3 * Constructing collisionfree hashing functions
In view of the relevance of collisionfree hashing to signature schemes, we now take a small detour from the main topic and consider the construction of collisionfree hashing. We show how to construct collisionfree hashing functions using a clawfree collection of permutations, and how restricted notions of collisionfree hashing may be used to obtain full edged collisionfree hashing. 496 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION 6.2.3.1 A construction based on clawfree permutations
In this subsection we show how to construct collisionfree hashing functions using a clawfree collection of permutations as de ned in Section 2.4.5. Recall that such a collection consists of pairs of permutations, (fs0 fs1 ), so that both fs 's are permutations over a set Ds and of a probabilistic polynomialtime index selection algorithm I so that 1. The domain is easy to sample: there exists a probabilistic polynomialtime algorithm that given s outputs a string uniformly distributed over Ds . 2. The permutations are easy to evaluate: there exists a polynomialtime algorithm that given s and x Ds , outputs fs (x).
2 3. Hard to form claws: every probabilistic polynomialtime algorithm, given s I (1n ) outputs a pair (x y) so that fs0 (x) = fs1 (y) with at most negligible probability. That is, a pair (x y) satisfying fs0 (x) = fs1 (y) is called a claw for index s, and Cs denote the set of claws for index s. Then, it is required that for every probabilistic polynomialtime algorithm, A0 , every positive polynomial p( ), and all su ciently large n's 1 Pr A0 (I (1n )) CI (1n ) < p(n)
2 Note that since fs0 and fs1 are permutations over the same set, many claws do exists (i.e., Cs = Ds ). However, the third item above postulates that for s generated by I (1n ) such claws are hard to nd. We may assume, without loss of generality, that for some ` : N N and all s's it holds that Ds 0 1 `(jsj). Indeed, ` must be polynomially bounded. For simplicity we assume that I (1n ) 0 1 n. Recall that such collections of permutation pairs can be constructed based on the standard DLP or factoring intractability assumptions (see Section 2.4.5).
j j j j ! f g 2 f g Construction 6.2.8 (collisionfree hashing based on clawfree permutations
pairs): Given an index selecting algorithm I for a collection of permutation pairs (fs0 fs1) s as above, we construct a collection of hashing functions h(s r) : 01 0 1 jrj (s r)2f0 1g f0 1g as follows:
f g f f g ! f g g index selection algorithm: On input 1n, we rst invoke I to obtain s I (1n ), and next use the domain sampler to obtain a string r that is uniformly distributed in Ds . We output the index (s r), de ning a hashing function h(s r)(x) def fsy1 fsy2 = fsyt (r) where y1 yt is a pre xfree encoding of x that is, for any x 6= x0 the coding of x is not a pre x of the coding of x0 . For example, code x1 x2 xm by x1 x1 x2 x2 xm xm 01. 6.2. LENGTHRESTRICTED SIGNATURE SCHEME 497 evaluation algorithm: Given an index (s r) and a string x, we compute h(s r) (x) in a straightforward manner. That is, rst we compute the pre xfree encoding of x, denoted y1 yt . Next, we use the evaluation algorithm of the clawfree collection to compute fsy1 fsy2 fsyt (r), which is the desired output. Actually, as will become evident from the proof of Proposition 6.2.9, we do not need an algorithm that given an index s generates a uniformly distributed element in Ds any e cient algorithm that generates elements in Ds (under any distribution) will do. Proposition 6.2.9 Suppose that the collection of permutation pairs (fs0 fs1) s together with the index selecting algorithm I constitute a clawfree collection. Then, the function ensemble h(s r) : 0 1 0 1 jrj (s r)2f0 1g f0 1g as de ned in Construction 6.2.8 constitute a collisionfree hashing with a range specifying function `0 satisfying `0 (n + `(n)) = `(n). Proof: The proof is by a reducibility argument. Given an algorithm A0 that, on input (s r), forms a collision under h(s r) , we construct an algorithm A that on input s forms a claw for index s. On input s (supposedly generated by I (1n )), algorithm A selects r uniformly in Ds , and invokes algorithm A0 on input (s r). Suppose that A0 outputs a pair (x x0 ) so that h(s r) (x) = h(s r) (x0 ) but x = x0 . Without loss of generality,7 assume that the coding of x equals y1 yi;1 0zi+1 zt, and that the coding of x0 equals y1 yi;1 1zi0+1 zt0 . By the de nition of h(s r) , it follows that
f g f f g ! f g g 6
0 fsyi 1 fs0 fszi+1 fszt (r) = fsy1 fsyi 1 fs1 fszi+1 Since each of the fs 's is 11, Eq. (6.1) implies that fsy1
0 ; ; 0 0 0 0 0 0 fszt (r)
0 0 (6.1) Construction 6.2.8. Using the hypothesis that the collection of pairs (together with I ) is clawfree, the proposition follows. fs0 fszi+1 fszt (r) = fs1 fszi+1 fszt (r) (6.2) Computing w def fszi+1 fszt (r) and w0 def fszi+1 fszt (r), algorithm A obtains = = a pair (w w0 ) so that fs0(w) = fs1 (w0 ). Thus, algorithm A forms claws for index I (1n ) with probability that is bounded below by the probability that A0 forms a collision under hI (1n ) , where I 0 is the index selection algorithm as de ned in
0 6.2.3.2 Collisionfree hashing via blockchaining In this subsection we show how a restricted type of collisionfree hashing (CFH) can be used to obtain full edge collisionfree hashing (CFH). Speci cally, we refer to the following restriction of De nition 6.2.5. 7 Let C (x) (resp., C (x0 )) denote the pre xfree coding of x (resp., x0 ). Then C (x) is not a pre x of C (x0 ), and C (x0 ) is not a pre x of C (x). It follows that C (x) = uv and C (x0 ) = uv0 , where v and v0 di er in their leftmost bit. Without loss of generality, we may assume that the leftmost bit of v is is 0, and the leftmost bit of v0 is 1. 498 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION N ! N . A collection of functions fhs : f0 1g` (jsj) ! f0 1g`(jsj)gs2f0 1g is called `0 restricted collisionfree hashing if there exists a probabilistic polynomialtime algorithm I such that the following holds 1. (admissible indexing { technical): As in De nition 6.2.5. 2. (e cient evaluation): There exists a polynomialtime algorithm that given s and x 2 f0 1g` (jsj), returns hs (x). 3. (hard to form collisions): As in De nition 6.2.5, we say that the pair (x x0 ) forms a collision under the function h if h(x) = h(x0 ) but x 6= x0 . We require that every probabilistic polynomialtime algorithm, given I (1n ) as input, outputs a pair in f0 1g` (jsj) f0 1g` (jsj) that forms a collision under hI (1n) with negligible probability. That is, for every probabilistic polynomialtime algorithm A, every polynomial p and all su ciently large n's, h i 1 Pr A(I (1n )) 2 f0 1g2 ` (jI (1n )j) is a collision under hI (1n) < p(n) where the probability is taken over the internal coin tosses of algorithms I and A.
0 0 0 0 0 De nition 6.2.10 (lengthrestricted collisionfree hashing functions): Let `0 ` : Indeed, we focus on the case `0 (n) = poly(n), or else the hardness condition holds vacuously (since no polynomialtime algorithm can print a pair of strings of superpolynomial length). On the other hand, we only care about the case `0 (n) > `(n) (or else the functions may be 11). Finally, recall that ` must be superlogarithmic. Construction 6.2.11 (from 2`restricted CFH to full edged CFH): Let h0s :
f f g ! f f g g f g ! f g g 0 1 2`(jsj) 0 1 `(jsj) s2f0 1g be a collection of functions. Consider the collection hs : 0 1 0 1 2`(jsj) s2f0 1g , where hs (x) is de ned by the following process, which we call block chaining:
1. Break x into t def djxj=`(jsj)e consecutive blocks, while possibly padding the = last block with 0's, such that each block has length `(jsj). Denote these `(jsj)bit long blocks by x1 ::: xt . That is, x1 xt = x0t `(jsj);jxj. For sake of uniformity, in case jxj `(jsj), we let t = 2 and x1 x2 = x02`(jsj);jxj. On the other hand, we may assume that jxj < 2`(jsj), and so 8 jxj can be represented by an `(jsj)bit long string. 2. Let y1 def x1 . For i = 2 ::: t, compute yi = h0s (yi;1 xi ). = 3. Set hs (x) to equal (yt jxj). 8 The adversary trying to form collisions with respect to h runs in poly(jsj)time. Using s `(jsj) = !(log jsj), it follows that such an adversary cannot output a string of length 2`(jsj) . (The same holds, of course, also for legitimate usage of the hashing function.) 6.2. LENGTHRESTRICTED SIGNATURE SCHEME 499 An interesting property of Construction 6.2.11 is that it allows to compute the hashvalue of an input string while processing the input in an online fashion that is, the implementation of the hashing process may process the input x in a blockbyblock manner, while storing only the current block and a small amount of state information (i.e., the current yi and the number of blocks encountered so far). This property is important in applications in which one wishes to hash a long stream of input bits. 0 1 `(jsj) s2f0 1g and hs : 01 0 1 2`(jsj) s2f0 1g be as in Construction 6.2.11, and suppose that the former is a collection of 2`restricted collisionfree hashing functions. Then the latter constitute a (full edged) collection of collisionfree hashing functions.
f f g ! f g g f f g ! f g g Proposition 6.2.12 Let h0s : 0 1 2`(jsj) cases: Case 1: If (yt;1 xt ) = (yt0;1 x0t ) then we obtain a collision under h0s (since h0s (yt;1 xt ) = yt = yt0 = h0s (yt0;1 x0t )), and derive a contradiction to its collisionfree hypothesis. Case 2: Otherwise (yt;1 xt ) = (yt0;1 x0t ), and we consider the two corresponding cases with respect to the relation of (yt;2 xt;1 ) to (yt0;2 x0t;1 ). Eventually, since x = x0 , we get to a situation in which yi = yi0 and (yi;1 xi ) = (yi0;1 x0i ), which is handled as in the rst case. We now provide a formal implementation of the above intuitive argument. Suppose towards the contradiction that there exist a probabilistic polynomialtime algorithm A that on input s attempts to forms a collision under hs . Then, we construct an algorithm that will, with similar probability, succeeds to form a suitable (i.e., length restricted) collision under h0s . Algorithm A0 (s) operates as follows: 1. Invokes A(s) and obtains (x x0 ) A(s). If hs (x) = hs (x0 ) then A failed, and A0 halts without output. In the sequel, we assume that hs (x) = hs (x0 ). 0 2. A0 (s) computes t x1 ::: xt and y1 ::: yt (resp., t0 x01 ::: x0t and y1 ::: yt0 ) as in Construction 6.2.11. Note that (since hs (x) = hs (x0 )) it holds that t = t0 and yt = yt0 . Next, A0 (s) determines i 2 ::: t such that yi = yi0 and (yi;1 xi ) = (yi0;1 x0i ), and outputs the pair (yi;1 xi yi0;1 x0i ) As argued above and elaborated below, such an i must exist, and the output forms a collision under h0s (because h0s (yi;1 xi ) = yi = yi0 = h0s (yi0;1 x0i ) and yi;1 xi = yi0;1 x0i ).
6 6 6 6 2 f g 6 6 hs (x0 ). By the de nition of hs , this means that (yt x ) = hs (x) = hs (x0 ) = (yt0 x0 ), where t t0 and yt yt0 are determined by hs (x) and hs (x0 ). In particular, it follows that x = x0 and so t = t0 (where, except when x `( s ), it holds that t = x =`( s ) = x0 =`( s ) = t0 ). Recall that yt = yt0 and consider two
j j
0 Proof: Forming a collision under hs means nding x = x0 such that hs(x) =
6 j j
0 j j j j j j j j dj j j j e dj j j j e 500 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION Pending on the existence of a suitable i, whenever A(s) forms a collision under hs , it holds that A0 (s) outputs a pair of 2`(s)bit long strings that form a collision under h0s , and so the proposition follows. Thus, it is left to prove the existence of a suitable i (i.e., an i such that yi = yi0 and (yi;1 xi ) = (yi0;1 x0i )).
6 j at each step, we prove that either the current j is suitable (i.e., yj = yj0 and (yj;1 xj ) 6= (yj0 ;1 x0j )) or both yj;1 = yj0 ;1 and x1 xj;1 6= x01 x0j;1 . This claim certainly holds for j = t, because yt = yt0 and x1 xt = x0t`(jsj);jxj 6= x0 0t`(jsj);jxj = x01 x0t (which implies that either (yt;1 xt) 6= (yt0;1 x0t) or both yt;1 = yt0;1 and x1 xt;1 6= x01 x0t;1 ). 0 More generally, suppose that yj = yj and x1 xj 6= x01 x0j , then either 0 0 ;1 x0j )) or (yj ;1 xj ) = (yj ;1 x0j ), which j is suitable (i.e., (yj;1 xj ) 6= (yj 0 ;1 and x1 xj ;1 6= x01 x0j ;1 . It follows that implies that both yj;1 = yj some i must be suitable (or else for j = 1 we have x1 xj;1 6= x01 x0j;1 ,
which is impossible). On the existence of a suitable i: Starting with j = t and decrementing The proposition follows. 6.2.3.3 Collisionfree hashing via treehashing Using 2`restricted collisionfree hashing functions, we now present an alternative construction of (full edged) collisionfree hashing functions. The alternative construction will have the extra property of supporting veri cation of a bit in the input (with respect to the hash value) within complexity that is independent of the length of the input (see below). Construction 6.2.13 (from 2`restricted CFH to full edged CFH { an alternative construction): Let h0s : 0 1 2`(jsj) 0 1 `(jsj) s2f0 1g be a collection of functions. Consider the collection hs : 0 1 0 1 2`(jsj) s2f0 1g , where hs (x) is de ned by the following process, called tree hashing:
f f g ! f g g f f g ! f g g 1. Break x into t def 2dlog2 (jxj=`(jsj))e consecutive blocks, while possibly adding = dummy 0blocks and padding the last block with 0's, such that each block has length `(jsj). Denote these `(jsj)bit long blocks by x1 ::: xt . That is, x1 xt = x0t `(jsj);jxj. Let d = log2 t, and note that d is a positive integer. Again, for sake of uniformity, in case jxj `(jsj), we let t = 2 and x1 x2 = x02`(jsj);jxj. On the other hand, again, we assume that jxj < 2`(jsj), and so jxj can be represented by an `(jsj)bit long string. 2. Let i = 1 ::: t, let yd i def xi . = 3. For j = d ; 1 ::: 1 0 and i = 1 ::: 2j , compute yj i = h0s (yj+1 2i;1 yj+1 2i ). 4. Set hs (x) to equal (y0 1 jxj). 6.2. LENGTHRESTRICTED SIGNATURE SCHEME 501 That is, hashing is performed by placing the `( s )bit long blocks of x at the leaves of a binary tree of depth d, and computing the values of internal nodes by applying h0s to the values associated with the two children (of the node). The nal hashvalue consists of the value associated with the root (i.e., the only level0 node) and the length of x.
j j 0 1 `(jsj) s2f0 1g and hs : 01 0 1 2`(jsj) s2f0 1g be as in Construction 6.2.13, and suppose that the former is a collection of 2`restricted collisionfree hashing functions. Then the latter constitute a (full edged) collection of collisionfree hashing functions.
f f g ! f g g f f g ! f g g Proposition 6.2.14 Let h0s : 0 1 2`(jsj) Proof Sketch: Forming a collision under hs means nding x = x0 such that
6 j j j j
0 hs (x) = hs (x0 ). By the de nition of hs , this means that (y0 1 x ) = hs (x) = 0 0 hs (x0 ) = (y0 1 x0 ), where (t d t0 d0 ), y0 1 and y0 1 are determined by hs (x) and 0 ). In particular, it follows that x = x0 and so d = d0 (since 2d = t = t0 = hs (x 0 2d ). Recall that y0 1 = y0 1 , and let us state this fact by saying that for j = 0 0 and for every i 1 ::: 2j it holds that yj i = yj i . Starting with j = 0, we consider two cases (for level j + 1 in the tree): 0 Case 1: If for some i 1 ::: 2j+1 it holds that yj+1 i = yj+1 i then we obtain 0 , and derive a contradiction to its collisionfree hypothea collision under hs sis. Speci cally, the collision is obtained because z def yj+1 2di=2e;1 yj+1 2di=2e = 0 def y 0 0 is di erent from z = j+1 2di=2e;1 yj+1 2di=2e , whereas h0s (z ) = yj di=2e = yj0 di=2e = h(z 0).
j j j j 2 f g 2 f g 6 0 Case 2: Otherwise for every i 1 ::: 2j+1 it holds that yj+1 i = yj+1 i . In this case, we consider the next level. Eventually, since x = x0 , we get to a situation in which for some j 1 ::: d 1 and some i 1 ::: 2j+1 it holds that z def yj+1 2di=2e;1 yj+1 2di=2e = 0 def y 0 0 is di erent from z = j+1 2di=2e;1 yj+1 2di=2e , whereas h0s (z ) = yj di=2e = yj0 di=2e = h(z 0). This situation is handled as in the rst case.
2 f g 6 2 f ; g 2 f g The actual argument proceeds as in the proof of Proposition 6.2.12. supporting e cient veri cation of bits in x with respect to the hash value. That is, suppose that for a randomly selected hs , one party holds x and the other party holds hs (x). Then, for every i, the rst party may provide a short (e ciently veri able) certi cate that xi is indeed the ith block of x. The certi cate consists of the sequence of pairs (yd 2di=2e;1 yd 2di=2e ) ::: (y1 2di=2d e;1 y1 2di=2d e ), where d and the yj k 's are computed as in Construction 6.2.13 (and (y0 1 x ) = hs (x)). The certi cate is veri ed by checking whether or not yj;1 di=2d j+1 e = h0s (yj 2di=2d j+1 e;1 yj 2di=2d j+1 e ), for every j 1 ::: d . Note that if the rst
j j
; ; ; A local veri cation property. Construction 6.2.13 has the extra property of 2 f g 502 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION party can present two di erent values for the ith block of x along with corresponding certi cates then it can also form collisions under h0s . Construction 6.2.13 and its localveri cation property were already used in this work (i.e., in the construction of highlye cient argument systems, presented in Section 4.8.4). Finally, we note the similarity between the localveri cation property of Construction 6.2.13 and the authenticationtree of Section 6.4.2.2. 6.3 Constructions of Message Authentication Schemes
In this section we present several constructions of secure message authentication schemes (referred to above as secure privatekey signature schemes). Below, we sometimes refer to such a scheme by the popular abbreviation MAC (which actually abbreviates the more traditional term of a Message Authentication Code). 6.3.1 Applying a pseudorandom function to the document A scheme for message authentication can be obtained by applying a pseudorandom function (speci ed by the key) to the message (which one wishes to authenticate). The simplest implementation of this idea is presented in Section 6.3.1.1, whereas more sophisticated implementations are presented in Sections 6.3.1.2 and 6.3.1.3. 6.3.1.1 A simple construction and a plausibility result Message authentication schemes can be easily constructed using pseudorandom functions (as de ned in Section 3.6). Speci cally, by Theorem 6.2.2, it sufces to construct an `restricted message authentication scheme, for any superlogarithmically growing `. Indeed, this is our starting point.
Let ` be a superlogarithmically growing function, and ffs : f0 1g`(jsj) ! f0 1g`(jsj)gs2f0 1g be as in De nition 3.6.4. We construct an `restricted message authentication scheme, (G S V ), as follows: keygeneration with G: On input 1n, we uniformly select s 2 f0 1gn, and output the keypair (s s). (Indeed, the veri cationkey equals the signingkey.) signing with S : On input a signingkey s 2 f0 1gn and an `(n)bit string , we compute and output fs ( ) as a signature of . veri cation with V : On input a veri cationkey s 2 f0 1gn, an `(n)bit string , and an alleged signature , we accept if and only if = fs ( ). Construction 6.3.1 (an `restricted MAC based on pseudorandom functions): Indeed, signing amounts to applying fs to the given document string, and verication amounts to comparing a given value to the result of applying fs to the document. Analogous constructions can be presented by using the generalized 6.3. CONSTRUCTIONS OF MESSAGE AUTHENTICATION SCHEMES503 notions of pseudorandom functions de ned in De nitions 3.6.9 and 3.6.12 (see further comments in the following subsections). In particular, using a pseudorandom function ensemble of the form fs : 0 1 0 1 jsj s2f0 1g , we obtain a general message authentication scheme (rather than a lengthrestricted one). Below, we only prove the security of the `restricted message authentication scheme of Construction 6.3.1. (The security of the general message authentication scheme can be established analogously see Exercise 7.)
f f g ! f g g 0 1 `(jsj) s2f0 1g is a pseudorandom function, and that ` is a superlogarithmically growing function, Then Construction 6.3.1 constitutes a secure `restricted message authentication scheme.
f f g ! f g g Proposition 6.3.2 Suppose that fs : 0 1 `(jsj) Speci cally, we consider the security of an ideal scheme in which the pseudorandom function is replaced by a truly random function (mapping `(n)bit long strings to `(n)bit long strings). Clearly, an adversary that obtains the values of this random function at arguments of its choice, cannot predict its value at a new point with probability greater than 2;`(n) . Thus, an adversary attacking the ideal scheme may succeed in existential forgery with at most negligible probability. The same must hold for any e cient adversary that attacks the actual scheme, since otherwise such an adversary yields a violation of the pseudorandomness of fs : 0 1 `(jsj) 0 1 `(jsj) s2f0 1g . Details follow. The actual proof is by a reducibility argument. Given a probabilistic polynomialtime A attacking the scheme (G S V ), we consider what happens when A is attacking an ideal scheme in which a random function is used instead of a pseudorandom one. That is, we refer to two experiments: 1. Machine A attacks the actual scheme: On input 1n , machine A is given oracle access to (the signing process) fs : 0 1 `(n) 0 1 `(n), where s n. After making some queries of its choice, A is uniformly selected in 0 1 outputs a pair ( ), where is di erent from all its queries. A is deem successful if and only if = fs ( ). 2. Machine A attacks the ideal scheme: On input 1n , machine A is given 0 1 `(n), uniformly selected oracle access to a function F : 0 1 `(n) among all such possible functions. After making some queries of its choice, A outputs a pair ( ), where is di erent from all its queries. Again, A is deem successful if and only if = F ( ). Clearly, A's success probability in this experiment is at most 2;`(n) , which is a negligible function (since ` is superlogarithmic). Assuming that A's success probability in the actual attack is nonnegligible, we derive a contradiction to the pseudorandomness of the function ensemble fs . Speci cally, we consider a distinguisher D that on input 1n and oracle access to a function f : 0 1 `(n) 0 1 `(n), behaves as follows: First D emulates the actions of A, while answering A's queries using its oracle f . When A outputs a
f f g ! f g g f g ! f g f g f g ! f g f g f g ! f g Proof: The proof follows the general methodology suggested in Section 3.6.3. 504 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION pair ( ), the distinguisher makes one additional oracle query to f and outputs 1 if and only if f ( ) = . Note that when f is selected uniformly among all possible 0 1 `(n) 0 1 `(n) functions, D emulates an attack of A on the ideal scheme, and thus outputs 1 with negligible probability (as explained above). On the other hand, if f is uniformly selected in fs s2f0 1gn then D emulates an attack of A on the actual scheme, and thus (due to the contradiction hypothesis) outputs 1 with nonnegligible probability. We reach a contradiction to the pseudorandomness of fs s2f0 1gn . The proposition follows.
f g ! f g f g f g A plausibility result: Combining Theorem 6.2.2, Proposition 6.3.2, and Corollary 3.6.7, it follows that the existence of oneway functions implies the existence of message authentication schemes. The converse also holds see Exercise 8. Thus, we have: Theorem 6.3.3 Secure message authentication schemes exist if and only if oneway functions exist. In contrast the the feasibility result stated in Theorem 6.3.3, we now present alternative ways of using pseudorandom functions to obtain secure message authentication schemes (MACs). These alternatives yield more e cient schemes, where e ciency is measures it terms of the length of the signatures and the time it takes to produce and verify them. f Theorem 6.3.3 was proved by combining the lengthrestricted MAC of Construction 6.3.1 with the simple but wasteful idea of providing signatures (authentication tags) for each block of the document (i.e., Construction 6.2.3). In particular, the signature produced this way is longer than the document. Instead, here we suggest to use the second method of converting lengthrestricted MACs into fulledged ones that is, the hashandsign method of Construction 6.2.6. This will yield signatures of a xed length (i.e., independent of the length of the document). Combining the hashandsign method with a lengthrestricted MAC of Construction 6.3.1 (which is based on pseudorandom functions), we obtain the following construction. Construction 6.3.4 (hash and sign using pseudorandom functions): Let fs : 0 1 jsj 0 1 jsj s2f0 1g be a pseudorandom function ensemble and hr : 01 0 1 jrj r2f0 1g be a collection of collisionfree hashing functions. Furthermore, for simplicity we assume that, when invoked on input 1n , the indexing algorithm I of the collisionfree hashing collection outputs an nbit long index. The general message authentication scheme, (G S V ), is as follows: keygeneration with G: On input 1n , algorithm G selects uniformly s 0 1 n, and invokes the indexing algorithm I to obtain r I (1n ). The keypair output by G is ((r s) (r s)).
f f g ! f g g f g ! f g g 2 f g 6.3.1.2 * Using the hashandsign paradigm 6.3. CONSTRUCTIONS OF MESSAGE AUTHENTICATION SCHEMES505 signing with S : On input a signingkey (r s) in the range of G1 (1n ) and a document 0 1 , algorithm S outputs the signature/tag fs (hr ( )). veri cation with V : On input a veri cationkey (r s) in the range of G2 (1n ), a document 0 1 , and a alleged signature , algorithm outputs 1 if and only if fs (hr ( )) = .
2 f g 2 f g Combining Propositions 6.2.7 and 6.3.2, it follows that Construction 6.3.4 constitutes a secure message authentication scheme (MAC), provided that the ingredients are as postulated. In particular, this means that Construction 6.3.4 yields a secure MAC, provided that collisionfree hashing functions exist (and are used in Construction 6.3.4). While this result uses a seemingly stronger assumption than the existence of oneway functions (used to establish the Theorem 6.3.3), it yields more e cient MACs both in terms of signature length (as discussed above) and authentication time (to be discussed next). Construction 6.3.4 yields faster signing and veri cation algorithms than the construction resulting from combining Constructions 6.2.3 and 6.3.1, provided that hashing a long string is less timeconsuming than applying a pseudorandom function to it (or to all its blocks). The latter assumption is consistent with the current stateofart regarding the implementation of both primitives. Further speed improvements are discussed in Section 6.3.1.3. the hashandsign paradigm (i.e., Proposition 6.2.7), while referring to the xedlength MAC arising from the pseudorandom function ensemble fs : 0 1 jsj 0 1 jsj s2f0 1g . An alternative analysis may proceed by rst establishing that gs r = fs hr s2f0 1g r I (1 s ) is a generalized pseudorandom function (as in De nition 3.6.12), and next observing that any such ensemble yields a fulledged MAC (see Exercise 7).
f f g ! f g g f g
j j An alternative presentation: Construction 6.3.4 was analyzed by invoking 6.3.1.3 * A variation on the hashandsign paradigm or using noncryptographic hashing plus hiding Construction 6.3.4 combines the use of a collisionfree hashing function with the application of a pseudorandom function. Here we take another step towards speedingup message authentication by showing that the collisionfree hashing can be replaced with ordinary (i.e., noncryptographic) hashing, provided that a pseudorandom function is applied to the result. Before getting into details, let us explain why we can use noncryptographic hashing and why this may lead to e ciency improvements. Since we are in the privatekey setting, the adversary does not get the description of the hash function used in the hashandsign process. Furthermore, applying the pseudorandom function to the hashvalue hides it from the adversary. Thus, when trying to form collisions under the hash function, the adversary is in \total darkness" and may only rely on the collision probability of the hashing function (as de ned below). (Recall 506 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION that in case the adversary fails to form collision, it must succeed in forging with respect to the lengthrestricted scheme if it wishes to forge with respect to the full edged scheme.) The reason that applying an ordinary hashing, rather than a collisionfree hash function, may yield an e ciency improvement is that the former may be more e cient than the latter. This is to be expected given that ordinary hashing needs only satisfy a weak (probabilistic) condition, whereas collisionfree hashing refers to a more complicated (intractability) condition.9 By ordinary hashing we mean function ensembles as de ned in Section 3.5.1.1. For starters, recall that these are collections of functions mapping `(n)bit strings to m(n)bit strings. These collections are associated with a set of strings, dem( m( noted S`(nn), and we may assume that S`(nn) 0 1 n. Speci cally, we call ) ) ( S`mnn) n2N a hashing ensemble if it satis es the following three conditions: ( ) 1. Succinctness: n = poly(`(n) + m(n)). 2. E cient evaluation: there exists a polynomialtime algorithm that, on inm( put a representation of a function, h (in S`(nn) ), and a string x 0 1 `(n), ) returns h(x). 3. Pairwise independence: for every x = y 0 1 `(n), if h is uniformly m(n) then h(x) and h(y ) are independent and uniformly disselected in S`(n) tributed in 0 1 m(n). That is, for every 0 1 m(n), Prh h(x) = h(y) = ] = 2;2m(n)
f g f g 2f g 6 2 f g f g 2 f g ^ In fact, for the current application, we can replace the third condition by the following weaker condition, parameterized by a function cp : N 0 1] (s.t. cp(n) 2;m(n) ): for every x = y 0 1 `(n), Prh h(x) = h(y)] cp(n) (6.3) Indeed, the pairwise independence condition implies that Eq. (6.3) is satis ed with cp(n) = 2;m(n) . Note that Eq. (6.3) asserts that the collision probability of ( S`mnn) is at most cp(n), where the collision probability refers to the probability ( ) ( that h(x) = h(y) when h is uniformly selected in S`mnn) and x = y 0 1 `(n) ( ) are arbitrary xed strings. Hashing ensembles with n `(n) + m(n) and cp(n) = 2;m(n) can be constructed (for a variety of functions ` m : N N , e.g., `(n) = 2n=3 and m(n) = n=3) see Exercise 18. Using such ensembles, we rst present a construction of lengthrestricted message authentication schemes.
! 6 2 f g 6 2 f g ! 9 This intuition may not hold when comparing a construction of ordinary hashing that is rigorously analyzed with an adhoc suggestion of a collisionfree hashing. But it certainly holds when comparing the former to the constructions of collisionfree hashing that are based on a wellestablished intractability assumption. 6.3. CONSTRUCTIONS OF MESSAGE AUTHENTICATION SCHEMES507 Let fhr : f0 1g`(jrj) ! f0 1gm(jrj)gr2f0 1g and ffs : f0 1gm(jsj) ! f0 1gm(jsj)gs2f0 1g be e ciently computable function ensembles. We construct the following `restricted scheme, (G S V ): keygeneration with G: On input 1n , algorithm G selects independently and uniformly r s 2 f0 1gn. The keypair output by G is ((r s) (r s)). signing with S : On input a signingkey (r s) in the range of G1 (1n ) and a document 2 f0 1g`(n), algorithm S outputs the signature/tag fs (hr ( )). veri cation with V : On input a verifyingkey (r s) in the range of G2 (1n ), a document 2 f0 1g`(n), and a alleged signature , algorithm outputs 1 if and only if fs (hr ( )) = . Construction 6.3.5 (Construction 6.3.4, revisited { lengthrestricted version): Proposition 6.3.6 Suppose that fs : 0 1
f f f f g ! f g g 0 1 m(jsj) s2f0 1g is a pseudorandom function, and that the collision probability of the collection hr : 0 1 `(jrj) 0 1 m(jrj) r2f0 1g is a negligible function of r . Then Construction 6.3.5 constitutes a secure `restricted message authentication scheme.
g ! f g g j j m(jsj) In particular, the second hypothesis implies that 2;m(n) is a negligible function in n. By the above discussion, adequate collections of hashing functions exists for `(n) = 2n=3 (and m(n) = n=3). We comment that, under the above hypothesis, the collection gs r : fs hr jsj=jrj constitutes a pseudorandom function ensemble: This is implicitly shown in the following proof, and is related to Exercise 31 in Chapter 3. Proof Sketch: As in the proof of Proposition 6.3.2, we rst consider the security of an ideal scheme in which the pseudorandom function is replaced by a truly random function (mapping m(n)bit long strings to m(n)bit long strings). Consider any (probabilistic polynomialtime) adversary attacking the ideal scheme. Such an adversary may obtain the signatures to polynomiallymany `(n)bit long strings of its choice. However, except with negligible probability, these strings are hashed to di erent m(n)bit long strings, which in turn are mapped by the random function to totally independent and uniformly distributed m(n)bit long strings. Furthermore, except with negligible probability, the `(n)bit long string contained in the adversary's (alleged messagesignature) output pair is hashed to an m(n)bit long string that is di erent from all the previous hashvalues, and so the single valid signature corresponding to is a uniformly distributed m(n)bit long string that is independent of all previously seen signatures.
f g hashing collection fhr : f0 1g`(jrj) ! f0 1gm(jrj) gr2f0 1gn has collision probability cp(n), and F : f0 1gm(n) ! f0 1gm(n) is a random function. Then, we claim that an adversary that obtains signatures to t(n) ; 1 strings of its choice, succeeds in forging a signature to a new string with probability at most t(n)2 cp(n) + 2;m(n) , regardless of its computational powers. The claim is proved by showing that, except with probability at most t(n)2 cp(n), the t(n) strings selected by the adversary are mapped On the distribution of signatures in the ideal scheme: Suppose that the 508 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION tential forgery with at most negligible probability (provided it makes at most polynomiallymany queries). The same must hold for any e cient adversary that attacks the actual scheme, since otherwise such an adversary yields a violation of the pseudorandomness of fs : 0 1 m(jsj) 0 1 m(jsj) s2f0 1g . The exact implementation of the above argument follows the details given in the proof of Proposition 6.3.2.
f f g ! f g g by hr to distinct strings. The latter claim is proved by induction on the number of selected strings, denoted i, where the base case (i.e., i = 1) holds vacuously. Let s1 ::: si denote the strings selected so far, and recall that with probability at least 1 ; i2 cp(n) the i hashvalues hr (sj )'s are distinct. The adversary only sees the corresponding F (hr (sj ))'s, which are uniformly and independently distributed (in a way independent of the values of the hr (sj )'s). Thus, loosely speaking, the adversary's selection of the next string, denoted si+1 , is independent of the values of the hr (sj )'s, and so a collision of hr (si+1 ) with one of the previous hr (sj )'s occurs with probability at most i cp(n). The induction step follows (since 1 ; i2 cp(n) ; i cp(n) < 1 ; (i + 1)2 cp(n)). It follows that any adversary attacking the ideal scheme may succeed in exis tain full edged MACs by using generalized hashing families that map arbitrary strings (rather than xedlength ones) to xed length strings. Speci cally, for ` : N N and cp : N 0 1], we call hr : 0 1 0 1 m(jrj) n2N a generalized hashing ensemble with a (` cp)collision property if it satis es the following two conditions: 1. E cient evaluation: there exists a polynomialtime algorithm that, on input r (representing the function hr ) and a string x 0 1 , returns hr (x). 2. Collision probability:10 For every n N and x = y such that x y `(n), the probability that hr (x) = hr (y) when r is uniformly selected in 0 1 n is at most cp(n). For our construction of a full edged MAC, we need a generalized hashing ensemble with a (` cp)collision property for some superpolynomial `(n) and negligible cp(n) (e.g., `(n) = 1=cp(n) = 2;"n" for some constant " > 0). The existence of such ensembles will be discussed below. Proposition 6.3.7 (Construction 6.3.4, revisited { full edged version): Suppose that fs : 0 1 m(jsj) 0 1 m(jsj) s2f0 1g is a pseudorandom function ensemble. For some superpolynomial ` : N N and negligible cp : N 0 1], suppose that hr : 0 1 0 1 m(jrj) r2f0 1g is a generalized hashing ensemble with a (` cp)collision property. Then the following (G S V ) constitute a secure MAC:
! ! f f g ! f g g 2 f g 2 6 j j j j f g f f g ! f g g ! ! f f g ! f g g Obtaining full edged MACs. Construction 6.3.5 can be generalized to ob 10 Note that it is essential to restrict the collision condition to strings of bounded length. In contrast, for every nite family of functions H , there exists two di erent strings that are mapped to the same image by each function in H . For details, see Exercise 17. 6.3. CONSTRUCTIONS OF MESSAGE AUTHENTICATION SCHEMES509 keygeneration with G: On input 1n , algorithm G selects independently and uniformly r s 0 1 n, and outputs ((r s) (r s)). signing with S : On input a signingkey (r s) and a document 0 1 , algorithm S outputs the signature/tag fs (hr ( )). veri cation with V : On input a verifyingkey (r s), a document 0 1 `(n), and a alleged signature , algorithm outputs 1 if and only if fs (hr ( )) = .
2 f g 2 f g 2 f g Proof Sketch: The proof is identical to the proof of Proposition 6.3.6, except that here the (polynomialtime) adversary attacking the scheme may query for the signatures of strings of various lengths. Still, all these queries (as well as the nal output) are of polynomial length and thus shorter than `(n). Thus, the (` cp)collision property implies that, except with negligible probability, all these queries (as well as the relevant part of the output) are hashed to di erent values. On constructing adequate hashing ensembles. For some " > 0 and "
f (n) = 2"n , generalized hashing ensembles with a (f 1=f )collision property
can be constructed is several ways. One way is by applying a treehashing scheme as in Construction 6.2.13 see Exercise 19. For further details about constructions of generalized hashing ensembles, see Section 6.6.5. actually establish that gs r = fs hr s2f0 1g r I (1 s ) is a generalized pseudorandom function (as in De nition 3.6.12). Hence, the actual claim of these propositions (i.e., the security of the constructed MAC) can be derived from the fact that any generalized pseudorandom function yields a full edged MAC (see Exercise 7).
f g
j j An alternative presentation: The proofs of Propositions 6.3.6 and 6.3.7 The basic idea underlying Construction 6.3.5 (as well as Proposition 6.3.7) is to combine a \weak tagging scheme" with an adequate \hiding scheme". Speci cally, the \weak tagging scheme" should be secure against forgery provided that the adversary does not have access to the scheme's outcome, and the \hiding scheme" implements the latter provision in a setting in which the actual adversary does obtain the value of the MAC. In Construction 6.3.5 (and in Proposition 6.3.7), hiding was obtained by applying a pseudorandom function to the string that one wishes to hide. (Although this process is not 11, its result looks random and thus is hard to predict.) One more natural \hiding scheme" (which can also be implemented using pseudorandom functions) is obtained by using certain privatekey encryption schemes. For example, we may use Construction 5.3.9 (in which the plaintext x is encrypted/hidden by the pair (y x fs (y)), where y is uniformly selected), instead of hiding x by the value fs (x) (as above). Alternative implementations 6.3.2 * More on HashandHide and statebased MACs 510 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION of this underlying idea are more popular, especially in the context of statebased MACs. We start by de ning statebased MACs, and then show how to construct them based on the hashandhide (or rather tagandhide) paradigm. 6.3.2.1 The de nition of statebased MACs As in the case of steamciphers discussed in Section 5.3.1, we extend the mechanism of messageauthentication schemes (MACs) by allowing the signing and veri cation processes to maintain and update a state. Formally, both the signing and the veri cation algorithms take an additional input and emit an additional output, corresponding to their state before and after the operation. The length of the state is not allowed to grow by too much during each application of the algorithm (see Item 3 below), or else e ciency of the entire \repeated signing" process can not be guaranteed. For sake of simplicity, we incorporate the key in the state of the corresponding algorithm. Thus, the initial state of each of the algorithms is set to equal its corresponding key. Furthermore, one may think of the intermediate states as of updated values of the corresponding key. In the following de nition, we follow similar conventions to those used in de ning statebased ciphers (i.e., De nition 5.3.1). Speci cally, for simplicity, we assume that the veri cation algorithm (i.e., V ) is deterministic (otherwise the formulation would be more complex). Intuitively, the main part of the veri cation condition (i.e., Item 2) is that the (proper) iterative signingverifying process always accepts. The additional requirement in Item 2 is that the state of the veri cation algorithm is updated correctly as long as it is fed with strings of length equal to the length of the valid documentsignature pairs. The importance of this condition was discussed in Section 5.3.1 and is further discussed below. De nition 6.3.8 (statebased MAC { the mechanism): A statebased messageauthentication scheme is a triple, (G S V ), of probabilistic polynomialtime algorithms satisfying the following three conditions 1. On input 1n , algorithm G outputs a pair of bit strings. 2. For every pair (s(0) v(0) ) in the range of G(1n ), and every sequence of (i) 's, the following holds: if (s(i) (i) ) S (s(i;1) (i) ) and (v(i) (i) ) (i;1) (i) (i) ) for i = 1 2 :::, then (i) = 1 for every i. FurtherV (v more, for every i and every ( ) 2 f0 1gj (i)j f0 1gj (i)j , it holds that V (v(i;1) ) = (v(i) ). 3. There exists a polynomial p such that for every pair (s(0) v(0) ) in the range of G(1n ), and every sequence of (i) 's and s(i) 's as above, it holds that (i) j (i;1) j + j (i) j p(n). Similarly for the v (i) 's. js js That is, as in De nition 6.1.1, the signingveri cation process operates properly provided that the corresponding algorithms get the corresponding keys (states). Note that in De nition 6.3.8 the keys are modi ed by the signingveri cation process, and so correct veri cation requires holding the correctly 6.3. CONSTRUCTIONS OF MESSAGE AUTHENTICATION SCHEMES511 updated veri cationkey. We stress that the furthermore clause in Item 2 guarantees that the veri cationkey is correctly updated as long as the veri cation process is fed with strings of the correct lengths (but not necessarily with the correct documentsignature pairs). This extra requirement implies that given the initial veri cationkey and the current documentsignature pair as well as the lengths of all previous pairs (which may be actually incorporated in the current signature), one may correctly decide whether or not the current documentsignature pair is valid. As in case of statebased ciphers (cf. Section 5.3.1), this fact is interesting for two reasons:
A theoretical reason: It implies that, without loss of generality (alas with possible loss in e ciency), the veri cation algorithm may be stateless. Furthermore, without loss of generality (alas with possible loss in e ciency), the state of the signing algorithm may consist of the initial signingkey and the lengths of the messages signed so far. (We assume here and below that the length of the signature is determined by the length of the message and the length of the signingkey.) A practical reason: It allows to recover from the loss of some of the messagesignature pairs. That is, assuming that all messages have the same length (which is typically the case in MAC applications), if the receiver knows (or is given) the total number of messages sent so far then it can verify the authenticity of the current messagesignature pair, even if some of the previous messagesignature pairs were lost. We stress that De nition 6.3.8 refers to the signing of multiple messages (and is meaningless when considering the signing of a single message). However, De nition 6.3.8 (by itself) does not explain why one should sign the ith message using the updated signingkey s(i;1) , rather than by reusing the initial signingkey s(0) (where all corresponding veri cations are done by reusing the initial veri cationkey v(0) ). Indeed, the reason for updating these keys is provided by the following security de nition that refers to the signing of multiple messages, and holds only in case the signingkeys in use are properly updated (in the multiplemessage authentication process). De nition 6.3.9 (security of statebased MACs):
A chosen message attack on a statebased MAC, (G S V ), is an interactive process that is initiated with (s(0) v(0) ) G(1n ), and proceed as follows: In the ith iteration, based on the information gathered so far, the attacker selects a string (i) , and obtains (i) , where (s(i) (i) ) S (s(i;1) (i) ). Such an attack is said to succeeds if it outputs a valid signature to a string for which it has not requested a signature during the attack. That is, the attack is successful if it outputs a pair ( ) such that is di erent from 512 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION
all signaturequeries made during the attack, and V (v(i;1) ) = ( 1) holds for some intermediate state (veri cationkey) v(i;1) (as above).11 A statebased MAC is secure if every probabilistic polynomialtime chosen message attack as above succeeds with at most negligible probability. Note that De nition 6.3.9 (only) di ers from De nition 6.1.2 in the way that the signatures (i) 's are produced (i.e., using the updated signingkey s(i;1) rather than the initial signingkey s(0) ). Furthermore, De nition 6.3.9 guarantees nothing regarding a signing process in which the signature to the ith message is obtained by invoking S (s(0) ) (as in De nition 6.1.2). 6.3.2.2 Statebased hashandhide MACs
We are now ready to present alternative implementations of the hashandhide paradigm. Recall that in Section 6.3.1.3, the document was hashed (by using an adequate hashing function) and the resulting hashvalue was (authenticated and) hidden by applying a pseudorandom function to it. In the current subsection, hiding will be obtained in a more natural (and typically more e cient) way that is, by XORing the hashvalue with a new portion of a (pseudorandom) onetime pad. Indeed, the state is used in order to keep track of what part of the (onetime) pad was already used (and should not be used again). Furthermore, to obtain improved e ciency, we let the state encode information that allows fast generation of the next portion of the (pseudorandom) onetime pad. This is obtained using (online) pseudorandom generator (see Sections 3.3.3 and 5.3.1). Recall that online pseudorandom generators are a special case of variableoutput pseudorandom generators (see Section 3.3.3), in which a hidden state is maintained and updated so to allow generation of the next output bit in time polynomial in the length of the initial seed, regardless of the number of bits generated so far. Speci cally, the next (hidden) state and output bit are produced by applying a (polynomialtime computable) function g : 0 1 n 0 1 n+1 to the current state (i.e., (s0 ) g(s), where s is the current state, s0 is the next state and is the next output bit). Analogously to Construction 5.3.3, the suggested statebased MAC will use an online pseudorandom generator in order to generate the required pseudorandom onetime pad, and the latter will be used to hide (and authenticate) the hashvalue (obtained by hashing the original document).
f g ! f g Construction 6.3.10 (a statebased MAC): Let g : 0 1
f g !f 0 1 such that
g 11 In fact, one may strengthen the de nition by using a weaker notion of success in which it is only required that 6= (i) (rather than requiring that 62 f (j ) gj ). That is, the attack is successful if, for some i, it outputs a pair ( ) such that 6= (i) and V (v(i;1) ) = ( 1), where the (j ) 's and v(j ) 's are as above. The stronger de nition provides \replay protection" (i.e., even if the adversary obtains a valid signature that authenticates as the j th message it cannot produce a valid signature that authenticates as the ith message, unless was actually authenticated as the ith message). 6.3. CONSTRUCTIONS OF MESSAGE AUTHENTICATION SCHEMES513 0 1 m(jrj) r2f0 1g be a family of functions having an e cient evaluation algorithm. keygeneration and initial state: Uniformly select s r 0 1 n, and output the keypair ((s r) (s r)). The initial state of each algorithm is set to (s r 0 s). (We maintain the initial key (s r) and a stepcounter in order to allow recovery from loss of messagesignature pairs.)
j g(s) = s + 1, for every s 0 1 . Let hr : 0 1
j j j 2f g f f g ! f g g 2 f g signing message x with state (s r t s0 ): Let s0 def s0 . For i = 1 ::: m(n), com= pute si i = g(si;1 ), where si = n and i 0 1 . Output the signature hr (x) 1 m(n) , and set the new state to (s r t + m(n) sm(n) ).
j j 2 f g veri cation of the pair (x y) with respect to the state (s r t s0 ): Compute 1 m(n) and sm(n) as in the signing process that is, for i = 1 ::: m(n), compute si i = g(si;1 ), where s0 def s0 . Set the new state to (s r t + m(n) sm(n) ), = and accept if and only if y = hr (x) 1 m(n) . When noti ed that some messagesignature pairs may have been lost and that the current messagesignature pair has index t0 , one rst recovers the correct current state, which as above will be denoted s0 . This is done by setting s;t def s and computing si;t i;t = g(si;t ;1 ), for i = 1 ::: t0 . =
0 0 0 0 Note that both the signing and veri cation algorithms are deterministic, and that the state after authentication of t messages has length 3n + log2 (t m(n)) < 4n (for t < 2n =m(n)). We now turn to analyze the security of Construction 6.3.10. The hashing property of the collection of hr 's should be slightly stronger than the one used in Section 6.3.1.3. Speci cally, rather than a bound on the collision probability (i.e., the probability that hr (x) = hr (y) for any relevant xed x y and a random r), we need a bound on the probability that hr (x) hr (y) equals any xed string (again, for any relevant xed x y and a random r). This property is commonly referred to by the name AlmostXorUniversal (AXU). That is, hr : 0 1 0 1 m(jrj) r2f0 1g is called a (` ")AXU family if for every n N , every x = y such that x y `(n), and every z , it holds that
f f g ! f g g 2 6 j j j j Pr hUn (x) hUn (y) = z ] "(n) (6.4) References to constructions of such families are provided in Section 6.6.5. Proposition 6.3.11 Suppose that g is a pseudorandom generator, and that
f hr g is a (` ")AXU family, for some superpolynomial ` and negligible ". Then Construction 6.3.10 constitutes a secure statebased MAC. Furthermore, security holds even with respect to the stronger notion discussed in Footnote 11.
f g Proof Sketch: By Exercise 21 of Chapter 3, if g is a pseudorandom generator then for every polynomial p the ensemble Gp n2N is pseudorandom, where Gp n n is de ned by the following random process: 514 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION Uniformly select s0 0 1 n For i = 1 to p(n), let si i g(si;1 ), where i 0 1 (and si 0 1 n) Output 1 2 p(n) . Recall that, in such a case, we said that g is a nextstep function of an online pseudorandom generator. As in previous cases, it su ces to establish the security of an ideal scheme in which the sequence (of m(n)bit long blocks) produced by iterating the nextstep function g is replaced by a truly random sequence (of m(n)bit long blocks). In the ideal scheme, all that the adversary may obtain via a chosen message attack is a sequence of m(n)bit long blocks, which is uniformly distributed among all such possible sequences. Note that each of the signatures obtained during the attack as well as the forged signature refers to a single block in this sequence (e.g., the ith obtained signature refers to the ith block). We consider two types of forgery attempts: 1. In case the adversary tries to forge a signature referring to an unused (during the attack) block, it may succeed with probability at most 2;m(n), because we may think of this block as being chosen after the adversary makes its forgery attempt. Note that 2;m(n) is negligible, because "(n) 2;m(n) must hold (since 2;m(n) lowerbounds the collision probability). 2. The more interesting case is when the adversary tries to forge a signature referring to a block, say the ith one, that was used (to answer the ith query) during the attack. Denote the j th query by (j) , the (random) j th block by b(j) , and the forged document by . Then, at the time of outputting the forgery attempt ( ), the adversary only knows the sequence of b(j) hr ( (j) )'s, which yields no information on r. Note that the adversary succeeds if and only if b(i) hr ( ) = , where (i) def = b(i) hr ( (i) ) is known to it. Thus, the adversary succeeds if and only if hr ( (i) ) hr ( ) = (i) , where (i) (i) are xed and r is uniformly distributed. Hence, by the AXU property, the probability that the adversary succeeds is at most "(n). The security of the real scheme follows (or else one could have distinguished the sequence produced by iterating the nextstep function g from a truly random sequence).
2 f g 2 f g 2 f g Construction 6.3.10 versus the constructions of Section 6.3.1.3. Re call that all these schemes are based on the hashandhide paradigm. The difference between the schemes is that in Section 6.3.1.3 a pseudorandom function is applied to the hashvalue (i.e., the signature to x is fs (hr (x))), whereas in Construction 6.3.10 the hashvalue is XORed with a pseudorandom value (i.e., we may view the signature as consisting of (c hr (x) fs (c)), where c is a counter value and fs (c) is the cth block produced by iterating the nextstep function g starting with the initial seed s). We note two advantages of the statebased MAC over the MACs presented in Section 6.3.1.3: First, applying an online 6.4. CONSTRUCTIONS OF SIGNATURE SCHEMES 515 pseudorandom generator is likely to be more e cient than applying a pseudorandom function. Second, a counter allows to securely authenticate more messages than can be securely authenticated by applying a pseudorandom function to the hashed value. Speci cally, the use of an a mbit long counter allows to securely authenticate 2m messages, whereas using an mbit long hashvalue su ers from the \birthday e ect" (i.e., collisions are likely to occur when 2m messages are authenticated). Indeed, these advantages are relevant only in applications in which using statebased MACs is possible, and are most advantageous in applications where veri cation is performed in the same order as signing (e.g., in fifo communication).
p 6.4 Constructions of Signature Schemes
In this section we present several constructions of secure publickey signature schemes. Here we refer to such schemes as signature schemes, which is indeed the traditional term. Two central paradigms in the construction of signature schemes are the \refreshing" of the \e ective" signingkey, and the usage of an \authentication tree". In addition, the \hashing paradigm" (employed also in the construction of message authentication schemes), plays a even more crucial role in the following presentation. In addition to the above, we use the notion of onetime signature scheme de ned in Section 6.4.1. The current section is organized as follows. In Section 6.4.1 we de ne and construct various types of onetime signature schemes. The \hashing paradigm" plays a crucial role in one of these constructions, which in turn is essential for Section 6.4.2. In Section 6.4.2 we show how to use onetime signature schemes to construct general signature schemes. This construction utilizes the \refreshing paradigm" (as employed to onetime signature schemes) and an \authentication tree". In Section 6.4.3, we de ne Universal OneWay Hashing and show how to use it (in the previous constructions) instead of collisionfree hashing. The gain in using Universal OneWay Hashing (rather than collisionfree hashing) is that the former can be constructed based on any oneway function (whereas this is not known for collisionfree hashing). Thus, we obtain: Theorem 6.4.1 Secure signature schemes exist if and only if oneway functions
exist. The di cult direction is to show that the existence of oneway functions implies the existence of signature schemes. For the other direction, see Exercise 8. 6.4.1 Onetime signature schemes In this section we de ne and construct various types of onetime signature schemes. Speci cally, we rst de ne onetime signature schemes, next de ne a lengthrestricted version of this notion (analogous to De nition 6.2.1), then 516 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION present a simple construction of the latter, and nally we show how such a construction combined with collisionfree hashing yields a general onetime signature scheme. 6.4.1.1 De nitions
Loosely speaking, onetime signature schemes are signature schemes for which the security requirement is restricted to attacks in which the adversary asks for at most one string to be signed. That is, the mechanics of onetime signature schemes are as of ordinary signature schemes (see De nition 6.1.1), but the security requirement is relaxed as follows. A chosen onemessage attack is a process that can obtain a signature to at most one string of its choice. That is, the attacker is given v as input, and obtains a signature relative to s, where (s v) G(1n ) for an adequate n. (Note that in this section we focus on publickey signature schemes and thus we present only the de nition for this case.) Such an attack is said to succeeds (in existential forgery) if it outputs a valid signature to a string for which it has not requested a signature during the attack. (Indeed, the notion of success is exactly as in De nition 6.1.2.) A onetime signature scheme is secure (or unforgeable) if every probabilistic polynomialtime chosen onemessage attack succeeds with at most negligible probability. Moving to the formal de nition, we again model a chosen message attack as a probabilistic oracle machine however, since here we only care about onemessage attacks, we consider only oracle machines that make at most one query. Let M be such a machine. As before, we denote by QO (x) the set of queries made by M M on input x and access to oracle O, and let M1O (x) denote the rst string in the output of M on input x and access to oracle O. Note that here QO (x) 1 M (i.e., M may either make no queries or a single query).
j j De nition 6.4.2 (security for onetime signature schemes): A onetime signature scheme is secure if for every probabilistic polynomialtime oracle machine M that makes at most one query, every polynomial p and all su ciently large n, it holds that 2 VG2 (1n ) (M SG1 (1n ) (G2 (1n )))=1 3 5 < 1 and Pr 4 p(n) SG1 (1n ) SG1 (1n ) M1 (G2 (1n )) QM (G2 (1n ))
62 where the probability is taken over the coin tosses of algorithms G, S and V as well as over the coin tosses of machine M . 6.4. CONSTRUCTIONS OF SIGNATURE SCHEMES 517 We now de ne a lengthrestricted version of onetime signature schemes. The de nition is indeed analogous to De nition 6.2.1:
N . An `restricted onetime signature scheme is a triple, (G S V ), of probabilistic polynomialtime algorithms satisfying the the mechanics of De nition 6.2.1. That is, it satis es the following two conditions 1. As in De nition 6.1.1, on input 1n , algorithm G outputs a pair of bit strings. 2. Analogously to De nition 6.1.1, for every n and every pair (s v) in the range of G(1n ), and for every 2 f0 1g`(n), algorithms S and D satisfy Pr V (v S (s ))=1] = 1. Such a scheme is called secure (in the onetime model) if the requirement of De nition 6.4.2 holds when restricted to attackers that only make queries of length `(n) and output a pair ( ) with j j = `(n). That is, we consider only attackers that make at most one query, this query has to be of length `(n), and the output ( ) must satisfy j j = `(n). De nition 6.4.3 (lengthrestricted onetime signature schemes): Let ` : N ! Note that even the existence of secure 1restricted onetime signature schemes implies the existence of oneway functions: see Exercise 11. 6.4.1.2 Constructing lengthrestricted onetime signature schemes We now present a simple construction of lengthrestricted onetime signature schemes. The construction works for any length restriction function `, but the keys will have length greater than `. The latter fact limits the applicability of such schemes, and will be removed in the next subsection. But rst, we construct `restricted onetime signature schemes based on any oneway function f . We may assume for simplicity that f is length preserving. Construction 6.4.4 (an `restricted onetime signature scheme): Let ` : N ! N be polynomiallybounded and polynomialtime computable, and f : f0 1g ! f0 1g be polynomialtime computable and lengthpreserving. We construct an `restricted onetime signature scheme, (G S V ), as follows: keygeneration with G: On input 1n , we uniformly select s0 s1 :::: s0(n) s1(n) 2 1 1 ` ` j j n f0 1g , and compute vi = f (si ), for i = 1 ::: `(n) and j = 0 1. We 0 1 0 1 let s = ((s0 s1 ) :::: (s0(n) s1(n) )), and v = ((v1 v1 ) :::: (v`(n) v`(n) )), and 1 1 ` ` output the keypair (s v). (Note that jsj = jvj = 2 `(n) n.) signing with S : On input a signingkey s = ((s0 s1 ) :::: (s0(n) s1(n))) and an 1 1 ` ` ( `(n)bit string = 1 `(n) , we output (s1 1 :::: s`(`nn) ) as a signature of ) . 518 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION 0 1 0 1 veri cation with V : On input a veri cationkey v = ((v1 v1 ) :::: (v`(n) v`(n) )), an `(n)bit string = 1 `(n) , and an alleged signature = ( 1 ::: `(n) ), we accept if and only if vi i = f ( i ), for i = 1 ::: `(n). Proposition 6.4.5 If f is a oneway function then Construction 6.4.4 constitutes a secure `restricted onetime signature scheme. Note that Construction 6.4.4 does not constitute a (general) `restricted signature scheme: An attacker that obtains signatures to two strings (e.g., to the strings 0`(n) and 1`(n)), can present a valid signature to any `(n)bit long string (and thus totally break the system). However, here we consider only attackers that may ask for at most one string (of their choice) to be signed. As a corollary to Proposition 6.4.5, we obtain: Corollary 6.4.6 If there exist oneway functions then, for every polynomially bounded and polynomialtime computable ` : N ! N , there exist secure `restricted onetime signature schemes. most one signature to a di erent message) requires inverting f on some random image (corresponding to a bit location on which the two `(n)bit long messages di er). The actual proof is by a reducibility argument. Given an adversary A attacking the scheme (G S V ), while making at most one query, we construct an algorithm A0 for inverting f . As a warmup, let us rst deal with the case in which A makes no queries at all. In this case, on input y (supposedly in the range of f ), algorithm A0 proceeds as follows. First A0 selects uniformly and independently a position p in 1 ::: `(n) , a bit b, and a sequence of (2`(n) many) nbit long strings s0 s1 :::: s0(n) s1(n) . (Actually, sb is not used and needs not be selected.) For 1 1 p ` ` every i 1 ::: `(n) p , and every j 0 1 , algorithm A0 computes vij = 1 b f (sj ). Algorithm A0 also computes vp;b = f (s1;b ), and sets vp = y and v = p i 1 )). Note that if y = f (x), for a uniformly distributed 0 v 1 ) :::: (v 0 ((v1 1 `(n) v`(n) x 0 1 n, then for each possible choice of p and b, the sequence v is distributed identically to the publickey generated by G(1n ). Next, A0 invokes A on input v, hoping that A will forge a signature, denoted = 1 `(n) , to a message = 1 `(n) so that p = b. If this event occurs, A0 obtains a preimage of y b under f , since the validity of the signature implies that f ( p ) = vp p = vp = y. Observe that conditioned on the value of v and the internal coin tosses of A, the value b is uniformly distributed in 0 1 . Thus, A0 inverts f with probability "(n)=2, where "(n) denotes the probability that A succeeds in forgery. We turn back to the actual case in which A may make a single query. (Without loss of generality, we may assume that A always makes a single query see Exercise 9.) In this case, on input y (supposedly in the range of f ), algorithm A0 selects p b and the sj 's, and forms the vij 's and v exactly as in the warmup i
f g 2 f g n f g 2 f g 2 f g f g Proof of Proposition 6.4.5: Intuitively, forging a signature (after seeing at 6.4. CONSTRUCTIONS OF SIGNATURE SCHEMES 519 Note that conditioned on the value of v, the internal coin tosses of A and on the second case occuring, p is uniformly distributed in 1 ::: `(n) . When the second case occurs, A obtains a signature to and this signature is distributed exactly as in a real attack. We stress that since A asks at most one query, no additional query will be asked by A. Also note that, in this case (i.e., p = 1 b), algorithm A outputs a forged message{signature pair, denoted ( 0 0 ), with probability exactly as in a real attack. For simplicity we assume below that A has indeed made a single query (otherwise one may consider and the i 's to be some nonboolean dummy val0 0 ues and apply the following reasoning nevertheless).14 Let 0 = 1 `(n) and 0 = s0 s0`(n) , where ( 0 0 ) is the forged message{signature pair output by A. 1 By our hypothesis (that this is a forgerysuccess event) it follows that 0 = and that f (s0i ) = vi i for all i's. Since (conditioned on all the above) p is uniformly 1 i 6= distributed in 1 ::: `(n) , it follows that with probability jfi: `(n) i gj `(n) 0 it holds that p = p , and then A0 obtains a preimage of y under f (since s0p 1 b satis es f (s0p ) = vp p , which in turn equals vp; p = vp = y). 12 That is, rst A0 selects p uniformly in f1 ::: `(n)g, b uniformly in f0 1g, and s0 s1 :::: s0(n) s1(n) each independently and uniformly in f0 1gn . For every i 2 f1 ::: `(n)gn 1 1 ` ` fpg, and every j 2 f0 1g, algorithm A0 computes vij = f (sj ). Algorithm A0 also computes i
f g ; 6
0 0 above.12 Recall that if y = f (x), for a uniformly distributed x 0 1 n, then for each possible choice of p and b, the sequence v is distributed identically to b the publickey generated by G(1n ). Also note that for each vij other than vp = y, j ) under f . Next, A0 invokes A on algorithm A0 holds a random preimage (of vi input v, and tries to answer its query, denoted = 1 `(n) . We consider two cases regarding this query: 1. If p = b then A0 can not supply the desired signature since it lacks a preimage of sb = y under f . Thus, in this case A0 aborts. However, this p case occurs with probability 1 , independently of the actions of A (since v 2 yields no information on either p or b). (That is, conditioned on the value of v and the internal coin tosses of A, this case occurs with probability 1 .)13 2 0 can supply the desired signature since it holds all 2. If p = 1 b then A the relevant sj 's (i.e., random preimages of the relevant vij 's under f ). In i particular, A0 holds both sj 's, for i = p, as well as s1;b . Thus, A0 answers p i ( with (s1 1 :::: s`(`nn) ). )
2 f g ; 6 f g 6 0 1 b 0 1 0 1 vp;b = f (s1;b ), and sets vp = y and v = ((v1 v1 ) :::: (v`(n) v`(n) )). p 13 This follows from an even stronger statement by which conditioned on the value of v , the internal coin tosses of A and on the value of p, the current case happens with probability 1 . 2 The stronger statement holds since conditioned on all the above, b is uniformly distributed in 1 ). f0 1g (and so p = b happens with probability exactly 2 14 Alternatively, recall that, without loss of generality, we may assume that A always makes a single query see Exercise 9. 520 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION To summarize, assuming that A succeeds in a singlemessage attack on (G S V ) with probability "(n), algorithm A0 inverts f on a random image (i.e., on f (Un )) with probability 0 "(n) i= "(n) 1 i : `(n) i 2 2`(n) Thus, if A is a probabilistic polynomialtime chosen onemessage attack that forges signatures with nonnegligible probability then A0 is a probabilistic polynomialtime algorithm that inverts f with nonnegligible probability (in violation of the hypothesis that f is a oneway function). The proposition follows.
jf 6 gj 6.4.1.3 From lengthrestricted schemes to general ones We now combine a lengthrestricted onetime signature scheme with collisionfree hashing to obtain a general onetime signature scheme. The construction is identical to Construction 6.2.6, except that here (G S V ) is an `restricted onetime signature scheme rather than an `restricted (general) signature scheme. Analogously to Proposition 6.2.7, we obtain. Proposition 6.4.7 Suppose that (G S V ) is a secure `restricted onetime sig nature scheme, and that fhr : f0 1g ! f0 1g`(jrj)gr2f0 1g is a collisionfree hashing collection. Then (G0 S 0 V 0 ), as de ned in Construction 6.2.6 is a secure onetime signature scheme. Proof: The proof is identical to the proof of Proposition 6.2.7 we merely no tice that if the adversary A0 , attacking (G0 S 0 V 0 ), makes at most one query then the same holds for the adversary A that we construct (in that proof) to attack (G S V ). In general, the adversary A constructed in the proof of Proposition 6.2.7 makes a single query per each query of the adversary A0 . Combining Proposition 6.4.7, Corollary 6.4.6, and the fact that collisionfree hashing collections imply oneway functions (see Exercise 12), we obtain: Corollary 6.4.8 If there exist collisionfree hashing collections then there exist
secure onetime signature schemes. Comments: We stress that when using Construction 6.2.6, signing each docu ment under the (general) scheme (G0 S 0 V 0 ) only requires signing a single string under the `restricted scheme (G S V ). This is in contrast to Construction 6.2.3 in which signing a document under the (general) scheme (G0 S 0 V 0 ) requires signing many strings under the `restricted scheme (G S V ), where the number of such strings depends (linearly) on the length of the original document. Construction 6.2.6 calls for the use of collisionfree hashing. The latter can be constructed using any clawfree permutation collection (see Proposition 6.2.9), however it is not know whether collisionfree hashing can be constructed based on any oneway function. Wishing to construct signature schemes based on 6.4. CONSTRUCTIONS OF SIGNATURE SCHEMES 521 any oneway function, we later avoid (in Section 6.4.3) the use of collisionfree hashing. Instead, we use \universal oneway hashing functions" (to be de ned), and present a variant of Construction 6.2.6 that uses these functions rather than collisionfree ones. 6.4.2 From onetime signature schemes to general ones
(general) signature schemes exist as well. In this section we show how to construct general signature schemes using onetime signature schemes. That is, we shall prove: Theorem 6.4.9 If there exist secure onetime signature schemes then secure
Actually, we can use lengthrestricted onetime signature schemes, provided that the length of the strings being signed is at least twice the length of the veri cationkey. Unfortunately, Construction 6.4.4 does not satisfy this condition. Nevertheless, Corollary 6.4.8 does provide onetime signature schemes. Thus, combining Theorem 6.4.9 and Corollary 6.4.8, we obtain: Corollary 6.4.10 If there exist collisionfree hashing collections then there exist
secure signature schemes. Note that Corollary 6.4.10 asserts the existence of secure (publickey) signature schemes, based on an assumption that does not mention trapdoors. We stress this point because of the contrast to the situation with respect to publickey encryption schemes, where a trapdoor property seem necessary for the construction of secure schemes. The socalled \refreshing paradigm" plays a central role in the proof of Theorem 6.4.9. Loosely speaking, the \refreshing paradigm" suggests to reduce the dangers of a chosen message attack on the signature scheme by using \fresh" instances of the scheme for signing each new document. Of course, these fresh instances should be authenticated by the original instance (corresponding to the veri cationkey that is publically known), but such an authentication refers to a string selected by the legitimate signer rather than by the adversary. 6.4.2.1 The refreshing paradigm Example: To demonstrate the refreshing paradigm, consider a basic signature scheme (G S V ) used as follows. Suppose that the user U has generated a keypair, (s v) G(1n ), and has placed the veri cationkey v on a public le. When a party asks U to sign some document , the user U generates a new (fresh) keypair, (s0 v0 ) G(1n ), signs v0 using the original signingkey s, signs using the new (fresh) signingkey s0 , and presents (Ss (v0 ) v0 Ss ( )) as a signature to . An alleged signature, ( 1 v0 2 ), is veri ed by checking whether both Vv (v0 1 ) = 1 and Vv ( 2 ) = 1. Intuitively, the gain in terms of security is that a full edged chosen message attack cannot be launched on (G S V ). All
0 0 522 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION that an attacker may obtain (via a chosen message attack on the new scheme) is signatures, relative to the original signingkey s, to randomly chosen strings (taken from the distribution G2 (1n )) as well as additional signatures each relative to a random and independently chosen signingkey. We refrain from analyzing the features of the signature scheme presented in the above example. Instead, as a warmup to the actual construction used in the next section (in order to establish Theorem 6.4.9), we present and analyze a similar construction (which is, in some sense, a hybrid of the two constructions). The reader may skip this warmup, and proceed directly to Section 6.4.2.2. (G0 S 0 V 0 ) be a onetime signature scheme. Consider a signature scheme, (G00 S 00 V 00 ), with G00 = G, as follows: signing with S 00 : On input a signingkey s and a document 2 f0 1g , rst invoke G0 to obtain (s0 v0 ) G0 (1n ). Next, invoke S to obtain 1 0 Ss (v0 ), and S 0 to obtain 2 Ss ( ). The nal output is ( 1 v0 2 ). veri cation with V 00 : On input a verifyingkey v, a document 2 f0 1g , and a alleged signature = ( 1 v0 2 ), we output 1 if and only if both Vv (v0 1 ) = 1 and Vv0 ( 2 ) = 1.
0 0 Construction 6.4.11 (a warmup): Let (G S V ) be a signature scheme and Construction 6.4.11 di ers from the above example only in that a onetime signature scheme is used to generate the \second signature" (rather than using the same ordinary signature scheme). The use of a onetime signature scheme is natural here, since it is unlikely that the same signingkey s0 will be selected in two invocations of S 00 . Proposition 6.4.12 Suppose that (G S V ) is a secure signature scheme, and that (G0 S 0 V 0 ) is a secure onetime signature scheme. Then (G00 S 00 V 00 ), as de ned in Construction 6.4.11 is a secure signature scheme. We comment that the proposition holds even if (G S V ) is only secure against attackers that select queries according to the distribution G02 (1n ). Furthermore, (G S V ) need only be `restricted, for some suitable function ` : N N . Proof Sketch: Consider an adversary A00 attacking the scheme (G00 S 00 V 00 ). We may ignore the case in which two queries of A00 are answered by triplets containing the same onetime veri cationkey v0 (since if this event occurs with nonnegligible probability then the onetime scheme (G0 S 0 V 0 ) cannot be secure). We consider two cases regarding the relation of the onetime veri cation00 keys included in the signatures provided by Ss and the onetime veri cationkey 00 . included in the signature forged by A 1. In case, for some i, the onetime veri cationkey v0 contained in the forged message equals the onetime veri cationkey v(i) contained in the answer to the ith query, we derive violation to the security of the onetime scheme (G0 S 0 V 0 ).
! 6.4. CONSTRUCTIONS OF SIGNATURE SCHEMES 523 Speci cally, consider an adversary A0 that on input a veri cationkey v0 for the onetime scheme (G0 S 0 V 0 ), generates (s v) G(1n ) at random, selects i at random (among polynomially many possibilities), invokes A00 on input v, and answers its queries as follows. The ith query of 0 A00 , denoted (i) , is answered by making the only query to Ss , obtaining 0 = S 0 ( (i) ), and returning (S (v 0 ) v 0 0 ) to A00 . (Note that A0 holds s s s.) Each other query of A00 , denoted (j) , is answered by invoking G0 0 to obtain (s(j) v(j) ) G0 (1n ), and returning (Ss (v(j) ) v(j) Ss(j) ( (j) ) to 00 . If A00 answers with a forged signature and v 0 is the veri cationkey A contained in it, then A0 obtains a forged signature relative to the onetime scheme (G0 S 0 V 0 ) (i.e., a signature to a message di erent from (i) , which is valid w.r.t the veri cationkey v0 ). Furthermore, conditioned on the case hypothesis and a forgery event, the second event (i.e., v0 is the veri cationkey contained in the forged signature) occurs with 1=poly(n) probability. 0 Note that indeed A0 makes at most one query to Ss , and that the distri00 is exactly as in an actual attack on (G00 S 00 V 00 ). bution seen by A 2. In case, for all i, the onetime veri cationkey v0 contained in the forged message is di erent from the onetime veri cationkey v(i) contained in the answer to the ith query, we derive violation to the security of the scheme (G S V ). Speci cally, consider an adversary A that on input a veri cationkey v for the scheme (G S V ), invokes A00 on input v, and answers its queries as follows. To answer the j th query of A00 , denoted (j) , algorithm A invokes G0 to obtain (s(j) v(j) ) G0 (1n ), queries Ss for a signature to v(j) , and 0 returns (Ss (v(j) ) v(j) Ss(j) ( (j) ) to A00 . When A00 answers with a forged 0 (j ) : j = 1 ::: poly(n) is the onetime veri cationsignature and v v key contained in it, A obtains a forged signature relative to the scheme (G S V ) (i.e., a signature to a string v0 di erent from all v(j) 's, which is valid w.r.t the veri cationkey v). (Note again that the distribution seen by A00 is exactly as in an actual attack on (G00 S 00 V 00 ).)15 Thus in both cases we derive a contradiction to some hypothesis, and the proposition follows. 2
0 0 0 62 f g 6.4.2.2 Authentication{trees The refreshing paradigm by itself (i.e., as employed in Construction 6.4.11) does not seem to be enough for establishing Theorem 6.4.9. Recall that our aim is to construct a general signature scheme based on a onetime signature scheme. The refreshing paradigm suggests to use a fresh instance of a onetime signature scheme in order to sign the actual document however, whenever we do so (as in Construction 6.4.11), we must authenticate this fresh instance relative to the single veri cationkey that is public. A straightforward implementation of this
15 Furthermore, all queries to S are distributed according to G (1n ), justifying the comment s 2 made just before the proof sketch. 524 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION scheme (as presented in Construction 6.4.11) calls for many signatures to be signed relative to the single veri cationkey that is public, and so a onetime signature scheme cannot be used (for this purpose). Instead, a more sophisticated method of authentication is required. Let us try to sketch the basic idea underlying the new authentication method. The idea is to use the public veri cationkey (of a onetime signature scheme) in order to authenticate several (e.g., two) fresh instances (of the onetime signature scheme), use each of these instances to authenticate several fresh instances, and so on. We obtain a tree of fresh instances of the onetime signature, where each internal node authenticates its children. See Figure 6.2 (below). We can now use the leaves of this tree in order to sign actual documents, where each leave is used at most once. We stress that each instance of the onetime signature scheme is used to sign at most one string (i.e., a sequence of veri cationkeys if the instance resides in an internal node, and an actual document if the instance resides in a leaf). x
sx vx + authx x0
sx0 vx0 + authx0 x1
sx1 vx1 + authx1 Figure 6.2: A node labeled x authenticates its children, labeled x0 and x1, respectively. The authentication is via a onetime signature of the text vx0 vx1 using signingkey sx . The above description may leave the reader wondering as to how one actually signs (and veri es signatures) using the suggested signature scheme. We start with a description that does not t our de nition of a signature scheme, because it requires the signer to keep a record of its actions during all previous invocations of the signing process.16 We refer to such a scheme as memory dependent. De nition 6.4.13 (memorydependent signature schemes):
16 This (memory) requirement will be removed in the next section. 6.4. CONSTRUCTIONS OF SIGNATURE SCHEMES 525 mechanics: Item 1 of De nition 6.1.1 stays as it is, and the initial state (of the signing algorithm) is de ned to equal the output of the keygenerator. Item 2 is modi ed so that the signing algorithm is given a state, denoted , as auxiliary input and returns a modi ed state, denoted , as auxiliary output. It is required that for every pair (s v) in the range of G(1n ), and for every 0 1 , if Ss ( ) = ( ) then Vv ( ) = 1 and + poly(n). (That is, the veri cation algorithm accepts the signature and the state does not grow by too much.)
2 f g j j j j j j security: The notion of a chosen message attack is modi ed so that the oracle Ss now maintains a state that it updates in the natural manner that is, when in state and faced with query , the oracle sets ( ) Ss ( ), returns and updates its state to . The notions of success and security are de ned as in De nition 6.1.2, except that they now refer to the modi ed notion of an attack. The de nition of memorydependent signature schemes (i.e., De nition 6.4.13) is related to the de nition of statebased MACs (i.e., De nition 6.3.9). However, there are two di erences between the two de nitions: First, De nition 6.4.13 refers to (publickey) signature schemes, whereas De nition 6.3.9 refers to MACs. Second, in De nition 6.4.13 only the signing algorithm is statebased (or memorydependent), whereas in De nition 6.3.9 also the veri cation algorithm is statebased. The latter di erence re ects the di erence in the applications envisioned for both types of schemes. (Typically, MACs are indented for communication between a predetermined set of \mutually synchronized" parties, whereas signature schemes are intended for production of signatures that may be universally veri er at any time.) We note that memorydependent signature schemes may su ce in many applications of signature schemes. Still, it is preferable to have memoryless (i.e., ordinary) signature schemes. Below we use any onetime signature schemes to construct a memorydependent signature scheme. The memory requirement will be removed in the next section, so to obtain a (memoryless) signature scheme (as in De nition 6.1.1). Construction 6.4.14 (a memorydependent signature scheme): Let (G S V ) be a onetime signature scheme. Consider the following memorydependent signature scheme, (G0 S 0 V 0 ), with G0 = G. On security parameter n, the scheme uses a full binary tree of depth n. Each of the nodes in this tree is labeled by a binary string so that the root is labeled by the empty string, denoted , and the left (resp., right) child of a node labeled by x is labeled by x0 (resp., x1). Below we refer to the current state of the signing process as to a record.
initiating the scheme: To initiate the scheme, on security parameter n, we invoke G(1n ) and let (s v) G(1n ). We record (s v) as the keypair associated with the root, and output v as the (public) veri cationkey. 526 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION In the rest of the description, we denote by (sx vx ) the keypair associated with the node labeled x thus, (s v ) = (s v). signing with S 0 using the current record: Recall that the current record contains the signingkey s = s , which is used to produce auth (de ned below). To sign a new document, denoted , we rst allocate an unused leaf. Let 1 n be the label of this leaf. For example, we may keep a counter of the number of documents signed, and determine 1 n according to the counter value (e.g., if the counter value is c then we use the cth string in lexicographic order). Next, for every i = 1 ::: n and every 2 f0 1g, we try to retrieve from our record the keypair associated with the node labeled 1 i;1 . In case such a pair is not found, we generate it by invoking G(1n ) and store it (i.e., add it to our record) for future use that is, we let (s 1 i 1 v 1 i 1 ) G(1n ). For every i = 1 ::: n, we try to retrieve from our record a signature to the string v 1 i 1 0 v 1 i 1 1 relative to the signingkey s 1 i 1 . In case such a signature is not found, we generate it by invoking Ss 1 i 1 , and store it for future use that is, we obtain Ss 1 i 1 (v 1 i 1 0 v 1 i 1 1 ). (The ability to retrieve this signature from memory for repeated use is the most important place in which we rely on the memorydependence of our signature scheme.)17 We let auth 1 i 1 def v 1 i 1 0 v 1 i 1 1 Ss 1 i 1 (v 1 i 1 0 v 1 i 1 1 ) =
; ; ; ; ; ; ; ; ; ; ; ; ; ; ; (Intuitively, via auth 1 i 1 the node labeled 1 i;1 authenticates the veri cationkeys associated with its children.) Finally, we sign by invoking Ss 1 n , and output ( 1 n auth auth 1 ::: auth 1 n 1 Ss 1 n ( ))
; ; 17 This allows the signing process S 0 to use each (onetime) signingkey s for producing a x s single Ssx signature. In contrast, the use of a counter for determining a new leaf can be easily avoided, by selecting a leaf at random. veri cation with V 0 : On input a veri cationkey v, a document , and an alleged signature we accept if and only if the following conditions hold: 1. has the form ( 1 n (v0 0 v0 1 0 ) (v1 0 v1 1 1 ) ::: (vn;1 0 vn;1 1 n;1 ) n ) where the i 's are bits and all other symbols represent strings. (Jumping ahead, we mention that vi is supposed to equal v 1 i 1 , the veri cationkey associated by the signing process with the node labeled 1 i;1 . In particular, vi i is supposed to equal v 1 i .)
; 6.4. CONSTRUCTIONS OF SIGNATURE SCHEMES 527 2. Vv (v0 0 v0 1 0 ) = 1. (That is, the publickey (i.e., v) authenticates the two strings v0 0 and v0 1 claimed to correspond to the instances of the onetime signature scheme associated with the nodes labeled 0 and 1, respectively.) 3. For i = 1 ::: n ; 1, it holds that Vvi 1 i (vi 0 vi 1 i ) = 1. (That is, the veri cationkey vi;1 i , which is already believed to be authentic and supposedly corresponds to the instance of the onetime signature scheme associated with the node labeled 1 i , authenticates the two strings vi 0 and vi 1 that are supposed to correspond to the instances of the onetime signature scheme associated with the nodes labeled 1 i 0 and 1 i 1, respectively.) 4. Vvn 1 n ( n ) = 1. (That is, the veri cationkey vn;1 n , which is already believed to be authentic, authenticates the actual document .)
; ; Regarding the veri cation algorithm, note that Conditions 2 and 3 establish that vi i+1 is authentic (i.e., equals v 1 i i+1 ). That is, v = v authenticates v 1 , which authenticates v 1 2 , and so on upto v 1 n . The fact that the vi 1; i+1 's are proven to be authentic (i.e., equal the v 1 i 1; i+1 's) is not really useful (when signing a message using the leaf associated with 1 n ). This excess is merely an artifact of the need to use s 1 i only once during the entire operation 0 of the memorydependent signature scheme: In the currently (constructed) Ss signature we may not care about the authenticity of some v 1 i 1; i+1 , but 0 we may care about it in some other Ss signature. For example, if we use the n to sign the rst document and the leaf labeled 0n;1 1 to sign the leaf labeled 0 0 second, then in the rst Ss signature we only care about the authenticity of v0n , 0 signature we care about the authenticity of v n 1 . whereas in the second Ss 0 1
; Proposition 6.4.15 If (G S V ) is a secure onetime signature scheme then
Construction 6.4.14 constitutes a secure memorydependent signature scheme. Proof: Recall that a Ss0 signature to a document has the form
(
1 n auth auth 1 ::: auth 1 n;1 Ss 1 n( )) (6.5) (6.6)
; where the authx 's, vx 's and sx 's satisfy authx = (vx0 vx1 Ssx (vx0 vx1 ))
0 (See Figure 6.2.) In this case we say that this Ss signature uses the leaf labeled 1 n . For every i = 1 ::: n, we call the sequence (auth auth 1 ::: auth 1 i 1 ) an authentication path for v 1 i . (Note that the above sequence is also an au0 thentication path for v 1 i 1 i , where = 1 .) Thus, a valid Ss signature to a document consists of an nbit string 1 n , authentication paths for each v 1 i (i = 1 ::: n), and a signature to with respect to the onetime scheme (G S V ) using the signingkey s 1 n .
; ; 528 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION 0 Intuitively, forging an Ss signature requires either using an authentication 0 path supplied by the signer (i.e., supplied by Ss as part of an answer to a query) or producing an authentication path di erent from all paths supplied by the signer. In both cases, we reach a contradiction to the security of the onetime 0 signature scheme (G S V ). Speci cally, in the rst case, the forged Ss signature contains a signature relative to (G S V ) using the signingkey s 1 n . The latter Ss 1 n signature is veri able using the veri cationkey v 1 n , which is authentic by the case hypothesis. This yields forgery with respect to the instance of the onetime signature scheme associated with the leaf labeled 1 n (since 0 0 the document Ss signed by the forger must be di erent from all Ss signed documents, and thus the forged document is di erent from all strings to which a onetime signature was applied).18 We now turn to the second case (i.e., forgery with respect to (G0 S 0 V 0 ) is obtained by producing an authentication path different from all paths supplied by the signer). In this case there must exists an i 1 ::: n and an ibit long string 1 i so that auth ::: auth 1 i 1 is the shortest pre x of the authentication path produced by the forger that is not a pre x of any authentication path supplied by the signer. (Note that i > 0 must hold, since empty sequences are equal, whereas i n by the case hypothesis.) In this case auth 1 i 1 (produced by the forge), contains a signature relative to (G S V ) using the signingkey s 1 i 1 . The latter signature is veri able using the veri cationkey v 1 i 1 , which is authentic by the minimality of i. Furthermore, by de nition of i, the latter signature is to a string di erent from 0 the string to which the Ss signer has applied Ss 1 i 1 . This yields forgery with respect to the instance of the onetime signature scheme associated with the node labeled 1 i;1 . The actual proof is by a reducibility argument. Given an adversary A0 attacking the complex scheme (G0 S 0 V 0 ), we construct an adversary A that attacks the onetime signature scheme, (G S V ). In particular, the adversary A will use its oracle access Ss in order to emulate the memorydependent signing oracle for A0 . Recall that the adversary A can make at most one query to its Ss oracle. Below is a detailed description of the adversary A. Since we care only about probabilistic polynomialtime adversaries, we may assume that A0 makes at most t = poly(n) many queries, where n is the security parameter.
2 f g
; ; ; ; ; The construction of adversary A: Suppose that (s v) is in the range of
follows:
2 f g G(1n ). On input v and onequery oracle access to Ss , adversary A proceeds as
1. Initial choice: A uniformly selects j 1 ::: (2n + 1) t . (The integer j speci es an instance of (G S V ) generated during the attack of A0 . This instance will be attacked by A. Note that since 2n +1 instances of (G S V ) are referred to in each signature relative to (G0 S 0 V 0 ), the 0 Note that what matter is merely that the document Ss signed by the forger is di erent 0 from the (single) document to which Ss 1 n was applied by the Ss signer, in case Ss 1 n 0 was ever applied by the Ss signer.
18 6.4. CONSTRUCTIONS OF SIGNATURE SCHEMES 529 quantity (2n +1) t upper bounds the total number of instances of (G S V ) that appear during the entire attack of A0 . This upper bound is not tight.) 2. Invoking A0 : If j = 1 then A sets v = v and invokes A0 on input v. In this case A does not know s , which is de ned to equal s, but can obtain a single signature relative to it by making a (single) query to oracle Ss . Otherwise (i.e., j > 1), machine A invokes G, obtains (s0 v0 ) G(1n ), sets (s v ) = (s0 v0 ) and invokes A0 on input v0 . We stress that in this case A knows s . In fact, in both case, A0 is invoked on input v . Also, in both cases, the onetime instance associated with the root (i.e., the node labeled ) is called the rst instance. 3. Emulating the memorydependent signing oracle for A0 : The emulation is analogous to the operation of the signing procedure as speci ed in Construction 6.4.14. The only exception refers to the j th instance of (G S V ) that occurs in the memorydependent signing process. Here, A uses the veri cation key v, and if an Ss signature needs to be produced then A queries Ss for it. We stress that at most one signature needs ever be produced with respect to each instance of (G S V ) that occurs in the memorydependent signing process, and therefore Ss is queried at most once. Details follow. A maintains a record of all keypairs and onetime signatures it has generated and/or obtained from Ss . When A is asked to supply a signature to a new document, denoted , it proceeds as follows: (a) A allocates a new leaflabel, denoted 1 n , exactly as done by the signing process. (b) For every i = 1 ::: n and every 0 1 , machine A tries to retrieve from its record the onetime instance associated with the node labeled 1 i;1 . If such an instance does not exist in the record (i.e., the onetime instance associated with the node labeled 1 i;1 did not appear so far) then A distinguishes two cases: i. If the record so far contains exactly j 1 onetime instances (i.e., the current instance is the j th one to be encountered) then A sets v1 i1 v, and adds it to its record. In this case, A does not know s 1 i 1 , which is de ned to equal s, but can obtain a single signature relative to it by making a (single) query to oracle Ss . From this point on, the onetime instance associated with the node labeled 1 i;1 will be called the j th instance. ii. Otherwise (i.e., the current instance is not the j th one to be encountered), A acts as the signing process: It invokes G(1n ), obtains (s 1 i 1 v 1 i 1 ) G(1n ), and adds it to the record.
2 f g ;
; ; ; ; 530 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION (Note that in this case A knows s 1 i 1 , and can generate by itself signatures relative to it.) The onetime instance just generated is given the next serial number. That is, the onetime instance associated with the node labeled 1 i;1 will be called the k th instance if the current record (i.e., after the generation of the onetime keypair associated with the node labeled 1 i;1 ) contains exactly k instances. (c) For every i = 1 ::: n, machine A tries to retrieve from its record a (onetime) signature to the string v 1 i 1 0 v 1 i 1 1 , relative to the signingkey s 1 i 1 . If such a signature does not exist in the record then A distinguishes two cases: i. If the onetime signature instance associated with the node labeled 1 i;1 is the j th such instance then A obtains the onetime signature Ss 1 i 1 (v 1 i 1 0 v 1 i 1 1 ) by querying Ss , and adds this signature to the record. Note that by the previous steps (i.e., Step 3(b)i as well as Step 2), s is identi ed with s 1 i 1 , and that the instance associated with a node labeled 1 i;1 is only used to produce a single signature that is, to the string v 1 i 1 0 v 1 i 1 1 . Thus, in this case, A queries Ss at most once. We stress that the above makes crucial use of the fact that, for every , the veri cationkey associated with the node labeled 1 i;1 is identical in all executions of the current step, regardless of whether it is generated in Step 3(b)ii or xed to equal v (in Step 3(b)i). This fact guarantees that A only needs a single signature relative to the instance associated with a node labeled 1 i;1 , and thus queries Ss at most once (and retrieves this signature from memory if it ever needs it again). ii. Otherwise (i.e., the onetime signature instance associated with the node labeled 1 i;1 is not the j th such instance), A acts as the signing process: It invokes Ss 1 i 1 , obtains the onetime signature Ss 1 i 1 (v 1 i 1 0 v 1 i 1 1 )v 1 i 1 ), and adds it to the record. (Note that in this case A knows s 1 i 1 , and can generate by itself signatures relative to it.) Thus, A obtains auth 1 i 1 . (d) Machine A now obtains a onetime signature of relative to Ss 1 n . (Recall that since A0 never makes the same query twice,19 we need to generate at most one signature relative to the onetime instance Ss 1 n .) This is done analogously to the previous step (i.e., Step 3c). Speci cally:
; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; 19 This assertion can be justi ed, without loss of generality. Otherwise, we may modify A0 so that retrieves from its own memory the answer to a query that it wishes to ask for the second time. 6.4. CONSTRUCTIONS OF SIGNATURE SCHEMES 531 i. If the onetime signature instance associated with the leaf labeled 1 n is the j th instance (associated with any node) then A obtains the onetime signature Ss 1 n ( ) by querying Ss . Note that, in this case, s is identi ed with s 1 n , and that an instance associated with a leaf is only used to produce a single signature. Thus, also in this case (which is disjoint of Case 3(c)i), A queries Ss at most once. ii. Otherwise (i.e., the onetime signature instance associated with the node labeled 1 n is not the j th instance), A acts as the signing process: It invokes Ss 1 n , obtains the onetime signature Ss 1 n ( ), and adds it to the record. (Again, in this case A knows s 1 n , and can generate by itself signatures relative to it.) Thus, A obtains n = Ss 1 n ( ). (e) Finally, A answers the query with ( 1 n auth auth 1 ::: auth 1 n 1 n ) 4. Using the output of A0 : When A0 halts with output ( 0 0 ), machine A checks whether this is a valid documentsignature pair with respect to Vv0 and whether the document 0 did not appear as a query of A0 . If both conditions hold then A tries to obtain forgery with respect to Ss . To explain how this is done, we need to take a closer look at the valid documentsignature pair, ( 0 0 ), output by A0 . Speci cally, suppose that 0 has the form 0 0 0 0 0 0 0 0 0 0 0 0 ( 1 n (v0 0 v0 1 0 ) (v1 0 v1 1 1 ) ::: (vn;1 0 vn;1 1 n;1 ) n ) and that the various components satisfy all conditions stated in the veri ca0 0 0 0 0 0 tion procedure. (In particular, the sequence (v0 0 v0 1 0 ) ::: (vn;1 0 vn;1 1 n;1 ) 0 0 .) Let i be maximal is the authentication path (for vn;1 n ) output by A 0 so that for some 0 ::: i;1 (which may but need not equal 0 ::: i0;1 ) 0 0 0 0 the sequence (v0 0 v0 1 0 ) ::: (vi;1 0 vi;1 1 i;1 ) is a pre x of some authentication path (for some v 1 i i+1 n ) supplied to A0 by A. Note that 0 0 i 0 ::: n , where i = 0 means that (v0 0 v0 1 ) di ers from (v0 v1 ), and 0 0 ) ::: (v 0 0 i = n means that the sequence ((v0 0 v0 1 n;1 0 vn;1 1 )) equals the sequence ((v0 v1 ) ::: (v 1 n 1 0 v 1 n 1 1 )). 0 Recall that the vk s are strings included in the output of A0 , and that the vx s are veri cationkeys as recorded by A. In general, the sequence 0 0 ((v0 0 v0 1 ) ::: (vi0;1 0 vi0;1 1 )) equals the sequence ((v0 v1 ) ::: (v 1 i 1 0 v 1 i 1 1 )). In particular, for i 1, it holds that vi0;1 i = v 1 i , whereas for i = 0 we shall only refer to v (which is the veri cationkey attacked by A0 ). In both cases, the output of A0 contains a onetime signature relative to v 1 i , and this signature is to a string di erent from the (possibly) only one to which a signature was supplied to A0 by A. Analogously to the motivating discussion above, we distinguish the cases i = n and i < n:
; 0 0 0 2 f g 0 0 ; 0 0 ; 0 0 ; 0 0 ; 0 0 0 0 0 532 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION 0 (a) In case i = n, the output of A0 contains the (onetime) signature n 0 0 ) = 1. Furthermore, 0 is di erent from that satis es Vv 1 n ( n the (possibly) only document to which Ss 1 n was applied during the emulation of the S 0 signer by A, since by our hypothesis the document 0 did not appear as a query of A0 . (Recall that, by the construction of A, instances of the onetime signature scheme associated with leaves are only applied to the queries of A0 .) (b) In case i < n, the output of A0 contains the (onetime) signature i0 that satis es Vv 1 i (vi0 0 vi0 1 i0 ) = 1. Furthermore, vi0 0 vi0 1 is di erent from v 1 i 0 v 1 i 0 , which is the (possibly) only string to which Ss 1 i was applied during the emulation of the S 0signer by A, where the last assertion is due to the maximality of i (and the construction of A). Thus, in both cases, A obtains from A0 a valid (onetime) signature rela0 0 tive to the (onetime) instance associated with the node labeled 1 i. Furthermore, in both cases, this (onetime) signature is to a string that did not appear in the record of A. The question is whether the instance 0 0 th associated with the node labeled 1 i is the j instance, for which A set v = v 1 i . In case the answer is yes, A obtains forgery with respect to the (onetime) veri cationkey v (which it attacks). In view of the above discussion, A acts as follows. It determines i as in the discussion, and checks whether v = v 1 i (almost equivalently, whether 0 0 the j th instance is the one associated with the node labeled 1 i ). In 0 0 ), otherwise case i = n, machine A outputs the stringsignature pair ( n (i.e., i < n) it outputs the stringsignature pair (vi0 0 vi0 1 i0 ). This completes the (admittingly long) description of adversary A. We repeat again some obvious observations regarding this construction. Firstly, A makes at most one query to its (onetime) signature oracle Ss . Secondly, assuming that A0 is probabilistic polynomialtime, so is A. Thus, all that remains is to relate the success probability of A (when attacking a random instance of (G S V )) to the success probability of A0 (when attacking a random instance of (G0 S 0 V 0 )). As usual the main observation is that the view of A0 , during the emulation (of the memorydependent signing process) by A, is identically distributed to its view in an actual attack on (G0 S 0 V 0 ). Furthermore, this holds conditioned on any possible xed value of j (selected in the rst step of A). It follows that if A0 succeeds to forge signatures in an actual attack on (G0 S 0 V 0 ) with probability "0 (n) then A succeeds to forge signatures with respect to (G S V ) (n) with probability at least (2" +1) t , where the (2n + 1) t factor is due to the n probability that the choice of j is a good one (i.e., so that the j th instance is 0 0 0 0 the one associated with the node labeled 1 n and i are as i , where 1 de ned in Step 4). We conclude that if (G0 S 0 V 0 ) can be broken by a probabilistic polynomialtime chosen message attack with nonnegligible probability then (G S V ) can
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 6.4. CONSTRUCTIONS OF SIGNATURE SCHEMES 533 be broken by a probabilistic polynomialtime singlemessage attack with nonnegligible probability, in contradiction to the proposition's hypothesis. The proposition follows. 6.4.2.3 The actual construction
In this section, we remove the memorydependency of Construction 6.4.14, and obtain an ordinary (rather than memorydependent) signature scheme. Towards this end, we use pseudorandom functions (as de ned in De nition 3.6.4). The basic idea is that the record maintained in Construction 6.4.14 can be determined (onthe y) by an application of a pseudorandom function to certain strings. For example, instead of generating and storing an instance of a (onetime) signature scheme for each node that we encounter, we can determine the randomness for the keygeneration algorithm as a function of the label of that node. Thus, there is no need to store the keypair generated, since if we ever need it again then regenerating it (in the very same way) will yield exactly the same result. The same idea applies also to the generation of (onetime) signatures. In fact, the construction is simpli ed, since we need not check whether or not we are generating an object for the rst time. For simplicity, let us assume that, on security parameter n, both the keygeneration and signing algorithms (of the onetime signature scheme (G S V )) use exactly n internal coin tosses. (This assumption can be justi ed by using pseudorandom generators, which exist anyhow under the assumptions used here.) For r 0 1 n, we denote by G(1n r) the output of G on input 1n and internal cointosses r. Likewise, for r 0 1 n, we denote by Ss ( r) the output of S , on input a signingkey s and a document , when using internal cointosses r. For simplicity, we shall be actually using generalized pseudorandom functions as in De nition 3.6.12 (rather than pseudorandom functions as de ned in De nition 3.6.4).20 Furthermore, for simplicity, we shall consider applications of such pseudorandom functions to sequences of characters containing 0 1 as well as a few additional special characters.
2 f g 2 f g f g Construction 6.4.16 (Removing the memory requirement from Construction 6.4.14): Let (G S V ) be a onetime signature scheme, and ffr : f0 1g ! f0 1gjrjgr2f0 1g be a generalized pseudorandom function ensemble as in De nition 3.6.12. Consider the following signature scheme, (G0 S 0 V 0 ), which refers to a full binary tree of depth n as in Construction 6.4.14.
keygeneration algorithm G0 : On input 1n , algorithm G0 obtains (s v) G(1n ) and selects uniformly r 0 1 n. Algorithm G0 outputs the pair ((r s) v), where (r s) is the signingkey and v is the veri cationkey.21
2 f g 20 We shall make comments regarding the minor changes required in order to use ordinary pseudorandom functions. The rst comment is that we shall consider an encoding of strings of length upto n + 2 by strings of length n + 3 (e.g., for i n + 2, the string x 2 f0 1gi is encoded by x10n+2;i ). 21 In case we use ordinary pseudorandom functions, rather than generalized ones, we select 534 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION signing algorithm S 0 : On input a signingkey (r s) and a document , the algorithm proceeds as follows.
1. It selects uniformly 1 n 2 f0 1gn. (Algorithm S 0 will use the leaf labeled 1 n 2 f0 1gn to sign the current document. Indeed, with exponentiallyvanishing probability the same leaf may be used to sign two di erent documents, and this will lead to forgery (but only with negligible probability).) (Alternatively, to obtain a deterministic signing algorithm, one may set 1 n fr (selectleaf ), where selectleaf is a special character.)22 2. Next, for every i = 1 ::: n and every 2 f0 1g, the algorithm invokes G and sets (s 1 i;1 v 1 i;1 ) G(1n fr (keygen 1 i;1 )) where keygen is a special character.23 3. For every i = 1 ::: n, the algorithm invokes Ss 1 i 1 and sets ; auth 1 i 1 def v 1 i 1 0 v 1 i 1 1 = Ss 1 i 1 (v 1 i 1 0 v 1 i 1 1 fr (sign 1
; ; ; ; ; ; ; i;1 )) where sign is a special character.24 4. Finally, the algorithm invokes Ss 1 n and outputs25 ( 1 n auth auth 1 ::: auth 1 n;1 Ss 1 n( fr (sign 1 n ))) veri cation algorithm V 0 : On input a veri cationkey v, a document , and an alleged signature algorithm V 0 behaves exactly as in Construction 6.4.14. Speci cally, assuming that has the form (
1 n (v0 0 v0 1 0 ) (v1 0 v1 1 1 ) ::: (vn;1 0 vn;1 1 n;1 ) n ) algorithm V 0 accepts if and only if the following three conditions hold: r uniformly in f0 1gn+3 so that fr : f0 1gn+3 ! f0 1gn+3 . Actually, we shall be using the function fr : f0 1gn+3 ! f0 1gn derived from the above by dropping the last 3 bits of the function value. 22 In case we use ordinary pseudorandom functions, rather than generalized ones, this alternative can be (directly) implemented only if it is guaranteed that j j n. In such a case, we apply the fr to the (n + 3)bit encoding of 00 . 23 In case we use ordinary pseudorandom functions, rather than generalized ones, the argument to fr is the (n + 3)bit encoding of 10 1 i;1 . 24 In case we use ordinary pseudorandom functions, rather than generalized ones, the argument to fr is the (n + 3)bit encoding of 11 1 i;1 . 25 In case we use ordinary pseudorandom functions, rather than generalized ones, the argument to fr is the (n + 3)bit encoding of 11 1 n. 6.4. CONSTRUCTIONS OF SIGNATURE SCHEMES 535 Vv (v0 0 v0 1 0 ) = 1. For i = 1 ::: n 1, it holds that Vvi Vvn 1 n ( n ) = 1.
;
; ;1 i (vi 0 vi 1 i ) = 1. Proposition 6.4.17 If (G S V ) is a secure onetime signature scheme and
f 0 1 jrj r2f0 1g is a generalized pseudorandom function ensemble then Construction 6.4.16 constitutes a secure (general) signature scheme. fr : 0 1
f g ! f g g Proof: Following the general methodology suggested in Section 3.6.3, we consider an ideal version of Construction 6.4.16 in which a truly random function is used (rather than a pseudorandom one). The ideal version is almost identical to Construction 6.4.14, with the only di erence being the way in which 1 n is selected. Speci cally, applying a random function to determine (onetime) keypairs and (onetime) signatures is equivalent to generating these keys and signatures at random (onthe y) and reusing the stored values whenever necessary. Regarding the way in which 1 n is selected, observe that the proof of Proposition 6.4.15 is oblivious of this way, except for the assumption that the same leaf is never used to sign two di erent documents. However, the probability that the same leaf is used twice by the (memoryless) signing algorithm, when serving polynomiallymany signing requests, is exponentiallyvanishing and thus can be ignored in our analysis. We conclude that the ideal scheme (in which a truly random function is used instead of fr ) is secure. It follows that also the actual signature scheme (as in Construction 6.4.16) is secure, or else one can e ciently distinguish a pseudorandom function from a truly random one (which is impossible). Details follow. Assume towards the contradiction that there exists a probabilistic polynomialtime adversary A0 that succeeds to forge signatures with respect to (G0 S 0 V 0 ) with nonnegligible probability, but succeeds only with negligible probability when attacking the ideal scheme. We construct a distinguisher D that on input 1n and oracle access to f : 0 1 0 1 n behaves as follows. Machine D 0 s) v ) 0 (1n ), and invokes A0 on input v . Machine D answers generates ((r G the queries of A0 by running the signing process, using the signingkey (r0 s), with the exception that it replaces the values fr (x) by f (x). That is, whenever the signing process calls for the computation of the value of the function fr on some string x, machine D queries its oracle (i.e., f ) on the string x, and uses the respond f (x) instead of fr (x). When A0 outputs an alleged signature to a new document, machine M evaluates whether or not the signature is valid (with respect to Vv ) and output 1 if and only if A0 has indeed succeeded (i.e., the signature is valid). Observe that if D is given oracle access to a truly random function then the emulated A0 attacks the ideal scheme, whereas if D is given oracle access to a pseudorandom function fr then the emulated A0 attacks the real scheme. It follows that D distinguishes the two cases, in contradiction to the pseudorandomness of the ensemble fr .
f g ! f g
0 0 0 f g 536 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION 6.4.2.4 Conclusions and comments
Theorem 6.4.9 follows by combining Proposition 6.4.17 with the fact that the existence of secure onetime signature schemes implies the existence of oneway functions (see Exercise 11), which in turn imply the existence of (generalized) pseudorandom functions. Recall that combining Theorem 6.4.9 and Corollary 6.4.8, we obtain Corollary 6.4.10 that states that the existence of collisionfree hashing collections implies the existence of secure signature schemes. We comment that Constructions 6.4.14 and 6.4.16 can be generalized as follows. Rather than using a depth n full binary tree, one can use any tree that has a superpolynomial (in n) number of leaves, provided that one can enumerate the leaves (resp., uniformly select a leaf), and generate the path from the root to a given leaf. We consider a few possibilities: For any d : N N bounded by a polynomial in n (e.g., d 2 or d(n) = n are indeed \extreme" cases), we may consider a full d(n)ary tree of depth e(n) so that d(n)e(n) is greater than any polynomial in n. The choice of parameters in Constructions 6.4.14 and 6.4.16 (i.e., d 2 and e(n) = n) is probably the simplest one as well as the most e cient one (from a generic perspective). Natural complexity measures for a signature scheme include the length of signatures and the signing and veri cation times. In a generalized construction, the length of the signatures is linear in d(n) e(n), and the number of applications of the underlying onetime signature scheme (per each general signature) is linear in e(n), where in internal nodes the onetime signature scheme is applied to string of length linear in d(n). Assuming that the complexity of onetime signatures is linear in the document length, all complexity measures are linear in d(n) e(n), and so d 2 is the best generic choice. However, the above assumption may be wrong when some speci c onetime signatures are used. For example, the complexity of producing a signature to an `bit long string in a onetime signature scheme may be of the form p(n) + p0 (n) `, where p0 (n) p(n). In such (special) cases, one may prefer to use larger d : N N (see Section 6.6.5).
! ! For the memorydependent construction, it may be preferable to use unbalanced trees (i.e., having leaves at various levels). The advantage is that if one utilizes rst the leaves closer to the root then one can obtain a saving on the cost of signing the rst documents. For example, consider using a ternary tree of superlogarithmic depth (i.e., d 3 and e(n) = !(log n)) in which each internal node of level i 0 1 ::: e(n) 2 has a two children that are internal nodes and a single child that is a leaf (and the internal nodes of level e(n) 1 have only leaves as children). Thus, for i 1, there are 3i;1 leaves at level i. If we use all leaves of level i before using any leave of level i + 1 then the length of the j th signature in this scheme is linear in log3 j (and so is the number of applications of the underlying onetime signature scheme).
2 f ; g ; 6.4. CONSTRUCTIONS OF SIGNATURE SCHEMES 537 In actual applications, one should observe that in variants of Construction 6.4.14 the size of the tree determines the total number of documents that can be signed, whereas in variants of Construction 6.4.16 the tree size has even a more drastic e ect on the number of documents that can be signed.26 In some cases a hybrid of Constructions 6.4.14 and 6.4.16 may be preferable: We refer to a memorydependent scheme in which leaves are assigned as in Construction 6.4.14 (i.e., according to a counter), but the rest of the operation is done as in Construction 6.4.16 (i.e., the onetime instances are regenerated onthe y, rather than being generated and recorded). In some applications, the introduction of a documentcounter may be tolerated, and the gain is the ability to use a smaller tree (i.e., of size merely greater than the total number of documents that should be ever signed). More generally, we wish to stress that each of the following ingredients of the above constructions, is useful in a variety of related and unrelated settings. We refer speci cally to the refreshing paradigm, the authentication tree construction, and the notion (and constructions) of onetime signatures. For example: It is common practice to authenticate messages sent during a \communication session" via a sessionkey that is typically authenticated by a masterkey. One of the reasons for this practice is the prevention of a chosen message attack on the (more valuable) masterkey. (Other reasons include allowing the use of a faster alas less secure authentication scheme for the actual communication, introducing independence between sessions, etc.) Observe the analogy between the treehashing (of Construction 6.2.13) and the authentication tree (of Construction 6.4.14). Despite the many di erences, in both cases, the value of internal nodes essentially determines the values that may be claimed for their children. Recall the application of onetime signatures in the construction of CCAsecure publickey encryption schemes (cf. proof of Theorem 5.4.30). So far, we have established that the existence of collisionfree hashing collections implies the existence of secure signature schemes (cf. Corollary 6.4.10). We seek to weaken the assumption under which secure signature schemes can be constructed, and bear in mind that the existence of oneway functions is certainly a necessary condition (cf., for example, Exercise 11). In view of Theorem 6.4.9, we may focus on constructing secure onetime signature schemes. Furthermore, recall that secure lengthrestricted onetime signature schemes can be constructed 6.4.3 * Universal OneWay Hash Functions and using them 26 In particular, the number of documents that can be signed should de nitely be smaller than the square root of the size of the tree (or else two documents are likely to be assigned the same leaf). Furthermore, we cannot use a small tree (e.g., of size 1000) even if we know that the total number of documents that will ever be signed is small (e.g., 10), since otherwise the probability that two documents are assigned the same leaf is too big (e.g., 1=20). 538 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION based on any oneway function (cf. Corollary 6.4.6). Thus, the only bottleneck we face (with respect to the assumption used) is Proposition 6.4.7, which refers to Construction 6.2.6 and utilizes collisionfree hashing. Our aim in this section, is to replace this component in the construction. We use a variant of Construction 6.2.6 in which, instead of using collisionfree hashing, we use a seemingly weaker notion called Universal OneWay Hash Functions. 6.4.3.1 De nition A collection of universal oneway hash functions is de ned analogously to a collection of collisionfree hash functions. The only di erence is that the hardness (to form collisions) requirement is relaxed. Recall that for a collection of collisionfree hash functions it was required that given the function's description it is hard to form an arbitrary collision under the function. For a collection of universal oneway hash functions we only require that given the function's description h and a preimage x it is hard to nd an x0 = x so that h(x0 ) = h(x). We refer to this requirement as to hardness to form designated collisions. Our formulation of the hardness to form designated collisions is actually seemingly stronger. Rather than being supplied with a (random) preimage x, the collisionforming algorithm is allowed to select x by itself, but must do so before being presented with the function's description. That it, the attack of the collisionforming algorithm proceeds in three stages: rst the algorithm selects a preimage x, next it is given a description of a randomly selected function h, and nally it is required to output x0 = x such that h(x0 ) = h(x). We stress that the third stage in the attack is also given the random choices made while producing the preimage in the rst stage. This yields the following de nition, where the rst stage is captured by a deterministic polynomialtime algorithm A0 (which maps a sequence of coin tosses, denoted Uq(n) , to a preimage of the function) and the third stage is captured by algorithm A (which is given the very same Uq(n) as well as the function's description).
6 6 De nition 6.4.18 (universal oneway hash functions { UOWHF): Let ` : N N . A collection of functions fhs : f0 1g ! f0 1g`(jsj)gs2f0 1g is called universal oneway hashing (UOWHF) if there exists a probabilistic polynomialtime algorithm I so that the following holds 1. (admissible indexing { technical):27 For some polynomial p, all su ciently large n's and every s in the range of I (1n ) it holds that n p(jsj). Furthermore, n can be computed in polynomialtime from s. 2. (e cient evaluation): There exists a polynomialtime algorithm that given s and x, returns hs (x). 3. (hard to form designated collisions): For every polynomial q, every deterministic polynomialtime algorithm A0 , every probabilistic polynomialtime 27 This condition is made merely to avoid annoying technicalities. Note that jsj = poly(n)
holds by de nition of I . ! 6.4. CONSTRUCTIONS OF SIGNATURE SCHEMES
algorithm A, every polynomial p and all su ciently large n's 539 (A n U ) q Pr hI (1n )and(I (1(I)(1nq)(nU)) =)hI (1n) (A0 (U)(n) )) A 6= A (U
q(n)
0 q ( n) < p(1 ) n (6.7) where the probability is taken over Uq(n) and the internal coin tosses of algorithms I and A. The function ` is called the range speci er of the collection. We stress that the hardness to form designated collisions condition refers to the following threestage process: rst, using a uniformly distributed r 0 1 q(n), the (initial) adversary generates a preimage x = A0 (r) next, a function h is selected and, nally, the (residual) adversary A is given h (as well as r used in the rst stage), and tries to nd a preimage x0 = x such that h(x0 ) = h(x). Indeed, Eq. (6.7) refers to the probability that x0 def A(h r) = x and yet h(x0 ) = h(x). = Note that the range speci er must be superlogarithmic (or else, given s and x Un, one is too likely to nd an x0 = x so that hs (x) = hs (x0 ), by uniformly selecting x0 in 0 1 n). Also note that any UOWHF collection yields a collection of oneway functions (see Exercise 15). Finally, note that any collisionfree hashing is universally oneway hashing, but the converse is false (see Exercise 16). Furthermore, it is not known whether collisionfree hashing can be constructed based on any oneway functions (in contrast to Theorem 6.4.29 below).
2 f g 6 6 6 f g 6.4.3.2 Constructions
We construct UOWHF collections in several steps, starting with a related but restricted notion, and relaxing the restriction gradually (until we reach the unrestricted notion of UOWHF collections). The abovementioned restriction refers to the length of the arguments to the function. Most importantly, the hardness (to form designated collisions) requirement will refer only to argument of this length. That is, we refer to the following technical de nition.
! N . A collection of functions fhs : f0 1gd(jsj) ! f0 1gr(jsj)gs2f0 1g is called (d r)UOWHF if there exists a probabilistic polynomialtime algorithm I so that the following holds De nition 6.4.19 ((d r)UOWHFs): Let d r : N 1. For all su ciently large n's and every s in the range of I (1n ) it holds that 28 jsj = n. 2. There exists a polynomialtime algorithm that given s and x 2 f0 1gd(jsj), returns hs (x).
28 Here we chose to make a more stringent condition, requiring that jsj = n rather than n poly(jsj). In fact, one can easily enforce this more stringent condition by modifying I into I 0 so that I 0 (1l(n) ) = I (1n ) for a suitable function l : N ! N satisfying l(n) poly(n) and n poly(l(n)). 540 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION 3. For every polynomial q, every deterministic polynomialtime algorithm A0 mapping q(n)bit long strings to d(jsj)bit long strings, every probabilistic polynomialtime algorithm A, every polynomial p and all su ciently large n's Eq. (6.7) holds. O course, we care only of (d r)UOWHF for functions d r : N ! N satisfying d(n) > r(n). (The case d(n) r(n) is trivial since collisions can be avoided altogether say by the identity map.) The \minimal" nontrivial case is when d(n) = r(n)+1. Indeed, this is our starting point. Furthermore, the construction of such a minimal (d d ; 1)UOWHF (undertaken in the rst step) is the most interesting step to be taken on our entire way towards the construction of fulledged UOWHF. restricted UOWHFs that shrink their input by a single bit. Our construction can be carried out using any oneway permutation. In addition, we use a family n of hashing functions, Sn ;1 , as de ned in Section 3.5.1.1. Recall that a function n selected uniformly in Sn ;1 maps 0 1 n to 0 1 n;1 in a pairwise independent n manner, that the functions in Sn ;1 are easy to evaluate, and that for some n polynomial p it holds that log2 Sn ;1 = p(n). Construction 6.4.20 (a (d d 1)UOWHF): Let f : 0 1 0 1 be a 11 n and length preserving function, and let Sn ;1 be a family of hashing functions n such that log2 Sn ;1 = p(n), for some polynomial p. (Speci cally, suppose that n;1 log2 Sn 3n 2 2n , as in Exercises 22.2 and 23 of Chapter 3.) Then, for n;1 every s Sn 0 1 p(n) and every x 0 1 n, we de ne h0s (x) def hs (f (x)). = In case s p(n) : n N , we de ne h0s def h0s where s0 is the longest pre x = of s satisfying s0 p(n) : n N . We refer to an index selection algorithm that, on input 1m , uniformly selects s 0 1 m. That is, h0s : 0 1 d(jsj) 0 1 d(jsj);1, where d(m) is the largest integer n satisfying p(n) m. Note that d is monotonically nondecreasing, and that for 11 p's the corresponding d is onto (i.e., d(p(n)) = n for every n). The analysis presented below uses, in an essential way, an additional property of the abovementioned families of hashing functions speci cally, we assume that give two preimage{image pairs it is easy to uniformly generate a hashing function (in the family) that is consistent with these two mapping conditions. Furthermore, to facilitate the analysis we use a speci c family of hashing funcn tions, presented in Exercise 23 of Chapter 3: functions in Sn ;1 are described by n ) so that the pair (a b) describes the a pair of elements of the nite eld GF(2 function ha b that maps x GF(2n ) to the (n 1)bit pre x of the nbit representation of ax + b, where the arithmetics is of the eld GF(2n ). This speci c family satis es all the additional properties required in the next proposition (see Exercise 20). n Proposition 6.4.21 Suppose that f is a oneway permutation, and that log2 Sn ;1 = n;1 satis es the following two conditions 2n. Furthermore, suppose that Sn
f g f g j j ; f g ! f g j j j j 2 f ; f g 2 g 2 f g j j 62 f 2 g
0 Step I: constructing (d d 1)UOWHFs. We show how to construct length; j j 2 f 2 g 2 f g f g ! f g 2 ; j j 6.4. CONSTRUCTIONS OF SIGNATURE SCHEMES 541 0 1 n and z1 z2 0 1 n;1, outputs a uniformly distributed element of n s Sn ;1 : hs (yi ) = zi i 1 2 . Then h0s s2f0 1g as in Construction 6.4.20 is a (d d 1)UOWHF, for d(m) = m=2 .
f g 2 f g f 2 8 2 f gg f g ; b c n C1 All but a negligible fraction of the functions in Sn ;1 are 2to1. C2 There exists a probabilistic polynomialtime algorithm that given y1 y2 2 ability to invert f , because the collision is due to hs , which may be selected such that hs (y) = hs (f (x0 )) for any given y and x0 . We stress that typically there are only two preimages of h0s (x0 ) under h0s , one being x0 itself (which is given to the collision nder) and the other being f ;1(y) such that hs (y) = h0s (x0 ). Thus, if we wish to invert f on a random image y, then we may invoke a collision nder, which rst outputs some x0 , supply it with a random s satisfying hs (y) = h0s (x0 ), and hope that it forms a collision (i.e., nds a di erent preimage x satisfying h0s (x) = h0s (x0 )). Indeed, the di erent preimage must be f ;1(y), which means that whenever the collision nder succeed we also succeed (i.e., invert f on y). The actual proof is by a reducibility argument. Suppose that we are given a probabilistic polynomialtime algorithm A0 that forms designated collisions under h0s , with respect to preimages produced by a deterministic polynomialtime algorithm A00 , which maps p(n)bit strings to nbit strings. Then, we construct an algorithm A that inverts f . On input y = f (x), where n = y = x , algorithm A proceeds as follows: (1) Select r0 uniformly in 0 1 p(n), and compute x0 = A00 (r0 ) and y0 = f (x0 ). n (2) Select s uniformly in s Sn ;1 : hs (y0 ) = hs (y) . (Recall that y is the input to A, and y0 is generated by A in Step (1).) (3) Invoke A0 on input (s r0 ), and output whatever A0 does. By Condition C2, Step (2) can be implemented in probabilistic polynomialtime. Turning to the analysis of algorithm A, we consider the behavior of A on input y = f (x) for a uniformly distributed x 0 1 n (which implies that y is uniformly distributed over 0 1 n). We rst observe that for every xed r0 selected in Step (1), if y is uniformly distributed in 0 1 n then s as determined n in Step (2) is uniformly distributed in Sn ;1. Using Condition C1, it follows that the probability that hs is not 2to1 is negligible. By the construction of A, the probability that f (x0 ) = y is also negligible (but we could have taken advantage of this case too, by augmenting Step (1) so that if y0 = y then A halts with output x0 ). We now claim that, in case f (x0 ) = y and hs is 2to1, if A0 returns x00 such that x00 = x0 and h0s (x00 ) = h0s (x0 ) then f (x00 ) = y. Proving the Claim: By the de nitions of h0s and A (i.e., its Step (2)), we have h0s (x) = hs (f (x)) = hs (y) = hs (y0) = hs (f (x0 )) = h0s (x0 ), which equals h0s (x00 ) by one of the claim's hypotheses. Thus, x0 x00 and x are all preimages of h0s (x) = hs (y) under h0s , but they are not necessarily distinct. By other two hypotheses x0 6= x00 and h0s = hs f is 2to1 (since hs is 2to1 and f is 1to1). Thus, x 2 fx0 x00 g. Using the last of the claim's
f g j j j j f g f 2 g 2 f g f g f g 6 6 Proof Sketch: Intuitively, forming designated collisions under h0s hs f yields 542 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION
hypotheses (i.e., y = f (x) 6= f (x0 )) and the hypothesis that f is 11, it follows that x 6= x0 , which in turn implies that x = x00 and y = f (x00 ). We conclude that if A0 forms designated collisions with probability "0 (n) then A inverts f with probability "0 (n) (n), where is a negligible function (accounting for the negligible probability that hs is not 2to1). The proposition follows. 2
; Step II: constructing (d0 d0=2)UOWHFs. We now take the second step
; ; on our way, and use any (d d 1)UOWHF in order to construct a (d0 d0 =2)UOWHF. That is, we construct lengthrestricted UOWHFs that shrink their input by a factor of 2. The construction is obtained by composing a sequence of (di erent) (d d 1)UOWHFs. For simplicity, we assume that the function d : N N is onto and monotonically nondecreasing. In such a case we denote by d;1 (m) the smallest natural number n satisfying d(n) = m.
! d(jsj) ! f0 1gd(jsj);1gs2f0 1g , where d : N ! N is onto and nondecreasing. Then, for every s1 ::: sbd(n)=2c , where each si 2 f0 1gd 1(d(n)+1;i) , and every x 2 f0 1gd(n), we de ne
f f g
; Construction 6.4.22 (a (d0 d0 =2)UOWHF): Let hs : 0 1 = h0s1 ::: s d(n)=2 (x) def hs d(n)=2 ( hs2 (hs1 (x)) )
b c b c That is, we let x0 def x, and xi hsi (xi;1 ), for i = 1 ::: bd(n)=2c. (Note that = d(jsi j) = d(n) + 1 ; i and jxi j = d(n) + 1 ; i indeed hold.) We refer to an index selection algorithm that, on input 1m , determines the P largest integer n such that m m0 def b=1n)=2c d;1 (d(n) + 1 ; i), uniformly = i d( selects s1 ::: sbd(n)=2c so that si 2 f0 1gd 1(d(n)+1;i) , and s0 2 f0 1gm;m , and lets h0s0 s1 ::: s d(n)=2 def h0s1 ::: s d(n)=2 . =
; 0 b c b c That P m = s and h0s : 0 1 d(n) is, 0 1 bd(n)=2c , where n is largest so that bd(n)=2c ;1 m d (d(n) + 1 i). Thus, d0 (m) = d(n), where n is as above that i=1 is, we have h0s : 0 1 d (jsj) 0 1 bd (jsj)=2c , with d0 ( s ) = d(n). Note that, for d(n) = (n) (as in Construction 6.4.20), it holds that d0 (O(n2 )) d(n) and d0 (m) = ( m) follows. More generally, if for some polynomial p it holds that p(d(n)) n (for all n's) then for some polynomial p0 it holds that p0 (d0 (m)) m (for all m's), since d0 (p(n) d(n)) d(n). We call such a function su cientlygrowing that is, d : N N is su cientlygrowing if there exists a polynomial p so that for every n it holds that p(d(n)) n. (E.g., for every xed " "0 > 0, the function d(n) = "0 n" is su cientlygrowing.)
j j f g ! f g ; f g
0 ! f g 0 j j p ! Proposition 6.4.23 Suppose that hs
f ! s2f0 1g is a (d d 1)UOWHF, where d : N N is onto, nondecreasing and su cientlygrowing. Then, for some su cientlygrowing function d0 : N N , Construction 6.4.22 is a (d0 d0 =2 )g ; UOWHF. ! b c 6.4. CONSTRUCTIONS OF SIGNATURE SCHEMES 543 nated collision under one of the hsi 's. That is, let x0 def x, and xi hsi (xi;1 ), = for i = 1 ::: d(n)=2 . Then if given x and s = (s1 ::: sd=2 ), one can nd an x0 = x so that h0s (x) = h0s (x0 ), then there exists an i so that xi;1 = x0i;1 and hsi (xi;1 ) = hsi (x0i;1 ), where the x0i 's are de ned analogously to the xi 's. Thus, we obtain a designated collision under hsi . The actual proof uses the hypothesis that it is hard to form designated collisions when one is also given the coins used in the generation of the preimage (and not merely the preimage itself). Speci cally, we construct an algorithm that forms designated collision under one of the hsi 's, when given not only xi;1 but rather also x0 (which yields xi;1 as above). The following details are quite tedious, and merely provide an implementation of the above idea. As stated, the proof is by a reducibility argument. We are given a probabilistic polynomialtime algorithm A0 that forms designated collisions under 0 hs , with respect to preimages produced by a deterministic polynomialtime algorithm A00 that maps p0 (n)bit strings to nbit strings. We construct algorithms A0 and A such that A forms designated collisions under hs with respect to preimages produced by algorithm A0 , which maps p(n)bit strings to nbit strings, for a suitable polynomial p. Speci cally, p : N N is 11 and p(n) p0 (d;1 (2d(n))) + n + n d;1 (2d(n)). We start with the description of A0 that is, the algorithm that generates preimages of hs . Intuitively, A0 selects a random j , uses A00 to obtain a 0 preimage x0 of hs , generates random s0 ::: sj;1 , and outputs a preimage xj;1 of hsj , computed by xi = hsi (xi;1 ) for i = 1 ::: j 1. (Algorithm A will be given xj;1 and a random hsj 1 and will try to form a collision with xj;1 under hsj 1 .) Speci cally, on input r 0 1 p(n), algorithm A0 proceeds as follows, where q(n) def d;1 (2d(n)). =
b c 6 6 f g f g ! f g f g f g ;
; ; Proof Sketch: Intuitively, a designated collision under h0s1 ::: sd=2 yields a desig 2 f g Write r = r1 r2 r3 so that r1 = n and r3 = p0 (q(n)). (1) Using r1 , determine m in n + 1 ::: n q(n) and j 1 ::: q(n) so that both m and j are almost uniformly distributed in the corresponding sets. Pbd(n )=2c ;1 0 (2) Compute the largest integer n0 so that m d (d(n ) + 1 i). i=1 (3) If d;1 (d(n0 ) + 1 j ) = n then output the d(n)bit long su x of r3 . (Comment: the output in this case is immaterial to our proof.) (4) Otherwise (i.e., n = d;1 (d(n0 ) + 1 j ), which is the case we care about), do: (4.1) Let s0 s1 sj;1 be a pre x of r2 so that Pbd(n )=2c ;1 0 s0 = m d (d(n ) + 1 i), i=1 and si = d;1 (d(n0 ) + 1 i), for i = 1 ::: j 1. (4.2) Let x0 A00 (r0 ), where r0 is the p0 (d;1 (d(n0 )))bit long su x of r3 . (4.3) For i = 1 ::: j 1, compute xi hsi (xi;1 ). Output xj;1 .
j j j j f g 2 f g
0 ; ; 6 ; 0 j j ; ; j j ; ; ; As stated above, we only care about the case in which Step (4) is applied. This case occurs with noticeable probability, and the description of the following algorithm A refers to it. Algorithm A will be given xj;1 as produced above 544 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION (along with (or actually only) the coins used in its generation) as well as a random hsj 1 and will try to form a collision with xj;1 under hsj 1 . On input s 0 1 n and r 0 1 p(n), algorithm A proceeds as follows. (1{2) Using r, determine m, j and n0 exactly as done by A0 . (3) If d;1 (d(n0 ) + 1 j ) = n then abort. (4) Otherwise (i.e., n = d;1 (d(n0 ) + 1 j )), do: (4.1) Determine s0 s1 ::: sj;1 and r0 exactly as A0 does in Step (4). (4.2) Uniformly select sj+1 ::: sbd(n )=2c so that si 0 1 d 1(d(n )+1;i) , and set s0 = s0 s1 ::: sj;1 s sj+1 ::: sbd(n )=2c . (4.3) Invoke A0 on input (s0 r0 ), and output whatever A0 does. Clearly, if algorithms A0 and A00 run in polynomialtime then so do A and A0 . We now lower bound the probability that A succeeds to form designated collisions under hs , with respect to preimages produced by A0 . We start from the contradiction hypothesis by which the corresponding probability for A0 (w.r.t A00 ) is nonnegligible. Let use denote by "0 (m) the success probability of A0 on uniformly distributed input (s0 r0 ) 0 1 m 0 1 p (m) . Let n0 be the largest integer so that m Pbd(n )=2c ;1 0 d (d(n ) + 1 i). Then, there exists a j 1 ::: d(n0) so that with i=1 probability at least "0 (m)=d0 (n0 ) on input (s0 r0 ), where s0 = s0 s1 ::: sbd(n )=2c as above, A0 outputs an x0 = x def A00 (r0 ) so that hsj 1 ( (hs1 (x0 ) ) = = hsj 1 ( (hs1 (x0 ) ) and hsj ( (hs1 (x0 ) ) = hsj ( (hs1 (x0 ) ). Fixing this m, j and n0 , let n = d;1 (d(n0 ) + 1 j ), consider what happens when A is invoked on uniformly distributed (s r) 0 1 n 0 1 p(n). With probability at least 1=m2 over the possible r's, the values of m and j are determined to equal the above. Conditioned on this case, A0 is invoked on uniformly distributed input (s0 r0 ) 0 1 m 0 1 p (m) , and so a collision at the j th hashing function occurs with probability at least "0 (m)=d0 (n0 ). Note that m = poly(n) and d0 (n0 ) = poly(n). This implies that A succeeds with probability at least "(n) def m" dmn ) = " (poly(n)) , with respect to preimages produced by A0 . Thus, = 2 ( () poly(n) 0 is nonnegligible then so is ", and the proposition follows. if " 2
; ; 2 f g 2 f g ; 6 ; 0 2 f g ; 0 0 f g 2 f g f g 0 0 ; 2 f g 0 6 ; 6 ; ; 2 f g f g 2 f g f g 0 0 0 0 0 any (d d=2)UOWHF in order to construct \quasi UOWHFs" that are applicable to any input length but shrink each input to half its length (rather than to a xed length that only depends on the function description). The resulting construct does not t De nition 6.4.19, since the function's output length depends on the function's input length, but the function can be applied to any input length (rather than only to a single length determined by the function's description). Yet, the resulting construct yields a (d0 d0 =2)UOWHF for any polynomiallybounded function d0 (e.g., d0 (n) = n2 ), whereas in Construction 6.4.22 the function d0 is xed and satis es d0 (n) n. The construction itself amounts to parsing the input into blocks and applying the same (d d=2)UOWHF to each block. Step III: Constructing (lengthunrestricted) quasiUOWHFs that shrink their input by a factor of two. The third step on our way consists of using 6.4. CONSTRUCTIONS OF SIGNATURE SCHEMES 545
d(jsj) ! Construction 6.4.24 (a (d0 d0 =2)UOWHF for any d0): Let hs : 0 1
f 01 s2f0 1g , where d : N ! N is onto and nondecreasing. Then, for every s 2 f0 1gn and every x 2 f0 1g , we de ne
j j j j ; bd(jsj)=2c g g f f g h0s (x) def hs (x1 ) hs (xt 10d(n);jxtj;1 ) = where x = x1 xt , 0 xt < d(n) and xi = d(n) for i = 1 ::: t 1. The index selection algorithm of h0s is identical to the one of hs .
f g f g Clearly, Construction 6.4.24 satis es Conditions 1 and 2 of De nition 6.4.18, provided that hs satis es the corresponding conditions of De nition 6.4.19. We thus focus of the hardness to form designated collisions property. Proposition 6.4.25 Suppose that hs s2f0 1g is a (d d=2)UOWHF, where d : N N is onto, nondecreasing and su cientlygrowing. Then Construction 6.4.22 satis es Condition 3 of De nition 6.4.18. Proof Sketch: Intuitively, a designated collision under h0s yields a designated collision under hs . That is, consider the parsing of each string into blocks of length d(n), as in the above construction. Then if given x = x1 xt and s, one can nd an x0 = x01 x0t = x so that h0s (x) = h0s (x0 ), then t0 = t and there exists an i such that xi = x0i and hs (xi ) = hs (x0i ). The actual proof is by a reducibility argument. Given a probabilistic polynomialtime algorithm A0 that forms designated collisions under h0s , with respect to preimages produced by a deterministic polynomialtime algorithm A00 , we construct algorithms A0 and A such that A forms designated collisions under hs with respect to preimages produced by algorithm A0 . Speci cally, algorithm A0 invokes A00 , and uses extra randomness (supplied in its input) to uniformly select one of the d(n)bit long blocks in the standard parsing of the output of A00 . That is, the randomtape used by algorithm A0 has the form (r0 i), and A0 outputs the ith block in the parsing of the string A00 (r0 ). Algorithm A is obtained analogously. That is, given s 0 1 n and coins r = (r0 i) used by A0 , algorithm A invokes A0 on input s and r0 , obtains the output x0 , and outputs the ith block in the standard parsing of x0 . Note that whenever we have a collision under h0s (i.e., a pair x = x0 such that h0s (x) = h0s (x0 )), we obtain at least one collision under the corresponding hs (i.e., for some i, the ith blocks of x = x0 di er, and yet both are mapped by hs to the same image). Thus, if algorithm A0 succeeds (in forming designated collisions w.r.t h0s ) with probability "0 (n) then algorithm A succeeds (in forming designated collisions w.r.t hs ) with probability at least "0 (n)=t(n), where t(n) is a bound on the runningtime of A0 (which also upperbounds the length of the output of A0 , and so 1=t(n) is a lower bound on the probability that the colliding strings di er in a certain uniformly selected block). The proposition follows. 2
f g f g !
0 6 6 f g f g 2 f g 6 6 6 f g f g Step IV: Full edged UOWHFs. The last step on our way consists of using
any quasiUOWHFs as constructed (in Step III) above to obtain full edged 546 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION UOWHFs. That is, we use quasiUOWHFs that are applicable to any input length but shrink each input to half its length (rather than to a xed length that only depends on the function description). The resulted construct is a UOWHF (as de ned in De nition 6.4.18). The construction is obtained by composing a sequence of (di erent) quasiUOWHFs that is, the following construction is analogous to Construction 6.4.22.
f f g ! f0 1g gs2f0 1g , so that jhs (x)j jxj=2, for all x's. Then, for every s1 ::: sn 2 f0 1gn, every t 2 N and x 2 f0 1g2t n , we de ne Construction 6.4.26 (a UOWHF): Let hs : 0 1 h0s1 ::: sn (x) def hst ( hs2 (hs1 (x)) ) =
That is, we let x0 def x, and xi = hsi (xi;1 ), for i = 1 ::: t. Strings x of length that is not of the form 2t n are padded into such strings in a standard manner. We refer to an index selection algorithm that, on input 1m, determines n = bpmc, uniformly selects s1 ::: sn 2 f0 1gn and s0 2 f0 1gm;n2 , and lets h0s0 s1 ::: sn def h0s1 ::: sn . = Proposition 6.4.27 Suppose that fhsgs2f0 1g satis es the conditions of De nition 6.4.18, except that it maps arbitrary input strings to outputs having half the length (rather than a length determined by jsj). Then Construction 6.4.26 constitutes a collection of UOWHFs.
The proof of Proposition 6.4.27 is omitted because it is almost identical to the proof of Proposition 6.4.23. Note that h0s0 s1 ::: sn : 0 1
f g ! f 0 1 n, and that s0 s1 ::: sn = m < (n + 1)2 .
g j j Conclusion: Combining the above four steps, we obtain a construction of (fullTheorem 6.4.28 If oneway permutations exist then universal oneway hash
functions exist. edged) UOWHFs (based on any oneway permutation). That is, combining Proposition 6.4.21, 6.4.23, 6.4.25 and 6.4.27, we obtain: Note that the only barrier towards constructing UOWHF based on arbitrary oneway functions is Proposition 6.4.21, which refers to oneway permutations. Thus, if we wish to construct UOWHF based on any oneway function then we need to present an alternative construction of (d d 1)UOWHF (i.e., an alternative to Construction 6.4.20, which fails in case f is 2to1).29 Such a construction is actually known, and so the following result is known to hold (but is not proven here): 29 For example, if f ( x0 ) = (0 f 0 (x0 )), for 2 f0 1g, then forming designated collisions 0 0
; under Construction 6.4.20 is easy: Given (0 x ), one outputs (1 x ), and indeed a collision is formed already under f . 6.4. CONSTRUCTIONS OF SIGNATURE SCHEMES 547 Theorem 6.4.29 Universal oneway hash functions exist if and only if oneway
functions exist. We stress that the di cult direction is the one referred to above (i.e., from oneway functions to UOWHF collections). For the much easier converse, see Exercise 15. Using universal oneway hash functions, we present an alternative construction of onetime signature schemes based on lengthrestricted onetime signature schemes. Speci cally, we replace Construction 6.2.6 in which collisionfree hashings were used by the following construction in which universal oneway hash functions are used instead. The di erence between the two constructions is that here the (description of the) hashing function is not a part of the signing and veri cation keys, but is rather selected on the y by the signing algorithm (and appears as part of the signature). Furthermore, the description of the hash function is being authenticated (by the signer) together with the hash value. It follows that the forging adversary, which is unable to break the lengthrestricted onetime signature scheme, must form a designated collision (rather than an arbitrary one). However, the latter is infeasible too (by virtue of the UOWHF collection in use). We comment that the same (new) construction is applicable to lengthrestricted signature schemes (rather than to onetime ones): we stress that, in this case, a new hashing function is selected at random each time the signing algorithm is applied. In fact, we present the more general construction.
such that `(n) = `0 (n) + n. Let (G S V ) be an `restricted signature scheme as in De nition 6.2.1, and fhr : f0 1g ! f0 1g` (jrj)gr2f0 1g be a collection of functions with an indexing algorithm I (as in De nition 6.4.18). We construct a general signature scheme, (G0 S 0 V 0 ), with G0 identical to G, as follows: signing with S 0 : On input a signingkey s 2 G01 (1n ) and a document 2 f0 1g , algorithm S 0 proceeds in two steps: 1. Algorithm S 0 invokes I to obtain 1 I (1n ). 2. Algorithm S 0 invokes S to produce 2 Ss ( 1 h 1 ( )). Algorithm S 0 outputs the signature ( 1 2 ). veri cation with V 0 : On input a verifyingkey v 2 G02 (1n ), a document 2 0 f0 1g , and a alleged signature ( 1 2 ), algorithm V invokes V , and outputs Vv (( 1 h 1 ( )) 2 ).
0 6.4.3.3 Onetime signature schemes based on UOWHF Construction 6.4.30 (the hash and sign paradigm, revisited): Let ` `0 : N N
! Recall that secure `restricted onetime signature schemes exist for any polynomial `, provided that oneway function exist. Thus, the fact that Construction 6.4.30 requires `(n) > n is not a problem. In applying Construction 6.4.30, one should rst choose a family of UOWHFs hr : 0 1 0 1 ` (jrj) r2f0 1g ,
f f g ! f g
0 g 548 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION then determine `(n) = `0 (n)+ n, and use a corresponding secure `restricted onetime signature scheme. Let us pause to compare Construction 6.2.6 with Construction 6.4.30. Recall that in Construction 6.2.6 the function description 1 I (1n ) is produced (and xed as part of both keys) by the keygeneration algorithm. Thus, the function description 1 is trivially authenticated (i.e., by merely being part of the veri cationkey). Consequently, in Construction 6.2.6, the S 0 signature (of ) equals Ss (h 1 ( )). In contrast, in Construction 6.4.30 a fresh new (function description) 1 is selected per each signature, and thus 1 needs to be authenticated. Hence, the S 0 signature equals the pair ( 1 Ss ( 1 h 1 ( ))). Since we want to be able to use (lengthrestricted) onetime signatures, we let the signing algorithm authenticate both 1 and h 1 ( ) via a single signature. (Alternatively, we could have used two instances of the signature scheme (G S V ), one for signing the function description 1 , and the other for signing the hash value h 1 ( ).)
scheme and that fhr : f0 1g ! f0 1g`(jrj);jrjgr2f0 1g is a collection of UOWHFs. Then (G0 S 0 V 0 ), as de ned in Construction 6.4.30, is a secure (full edged) signature scheme. Furthermore, if (G S V ) is only a secure `restricted onetime signature scheme then (G0 S 0 V 0 ) is a secure onetime signature scheme. Proposition 6.4.31 Suppose that (G S V ) is a secure `restricted signature Proposition 6.2.7. That is, forgery with respect to (G0 S 0 V 0 ) yields either forgery with respect to (G S V ) or a collision under the hash function, where in the latter case a designated collision is formed (in contradiction to the hypothesis regarding the UOWHF). For the furthermorepart, the observation underlying the proof of Proposition 6.4.7 still holds (i.e., the number of queries made by the forger constructed for (G S V ) equals the number of queries made by the forger assumed (towards the contradiction) for (G0 S 0 V 0 )). Details follow. Given an adversary A0 attacking the complex scheme (G0 S 0 V 0 ), we construct an adversary A that attacks the `restricted scheme, (G S V ). The adversary A uses I (the indexing algorithm of the UOWHF collection) and its 0 oracle Ss in order to emulate the oracle Ss for A0 . This is done in a straightfor0 ward manner that is, algorithm A emulates Ss by using the oracle Ss (exactly 0 actually does). Speci cally, to answer query q , algorithm A generates as Ss a1 I (1n ), forwards (a1 ha1 (q)) to its own oracle (i.e., Ss ), and answers with (a1 a2 ), where a2 = Ss (a1 ha1 (q)). (We stress that A issues a single Ss query per 0 each Ss query made by A0 .) When A0 outputs a documentsignature pair relative to the complex scheme (G0 S 0 V 0 ), algorithm A tries to use it in order to form a documentsignature pair relative to the `restricted scheme, (G S V ). That is, if A0 outputs the documentsignature pair ( ), where = ( 1 2 ), then A will output the documentsignature pair ( 2 2 ), where 2 def ( 1 h 1 ( )). = Assume that with (nonnegligible) probability "0 (n), the (probabilistic polynomialtime) algorithm A0 succeeds in existentially forging relative to the complex scheme (G0 S 0 V 0 ). Let ( (i) (i) ) denote the ith query and answer pair made Proof Sketch: The proof follows the underlying principles of the proof of 6.4. CONSTRUCTIONS OF SIGNATURE SCHEMES 549 by A0 , and ( ) be the forged documentsignature pair that A0 outputs (in case ( ( of success), where (i) = ( 1i) 2i) ) and = ( 1 2 ). We consider the following two cases regarding the forging event: ( Case 1: ( 1 h 1 ( )) = ( 1i) h 1i) ( (i) )) for all i's. (That is, the Ss signed value ( in the forged signature (i.e., ( 1 h 1 ( ))) is di erent from all queries made to Ss .) In this case, the documentsignature pair (( 1 h 1 ( )) 2 ) constitutes a success in existential forgery relative to the `restricted scheme (G S V ). ( Case 2: ( 1 h 1 ( )) = ( 1i) h 1i) ( (i) )) for some i. (That is, the Ss signed value ( used in the forged signature equals the ith query made to Ss , although ( = (i) .) Thus, 1 = 1i) and h 1 ( ) = h 1i) ( (i) ), although = (i) . In ( (i) ) forms a designated collision under h (i) (and this case, the pair ( 1 we do not obtain success in existential forgery relative to the `restricted scheme). We stress that A0 selects (i) before it is given the description of the function h 1i) , and thus its ability to later produce = (i) such that ( h 1 ( ) = h 1i) ( (i) ) yields a violation of the UOWHF property. ( Thus, if Case 1 occurs with probability at least "0 (n)=2 then A succeeds in its attack on (G S V ) with probability at least "0 (n)=2, which contradicts the security of the `restricted scheme (G S V ). On the other hand, if Case 2 occurs with probability at least "0 (n)=2 then we derive a contradiction to the di culty of forming designated collision with respect to hr . Details regarding Case 2 follow. We start with a sketch of the construction of an algorithm that attempts to form designated collisions under a randomly selected hash function. Loosely speaking, we construct an algorithm B 0 that tries to form designated collisions by emulating the attack of A0 on an random instance of (G0 S 0 V 0 ) that B 0 selects by itself. Thus, B 0 can easily answer any signingquery referred to it by A0 , but in one of these queries (the index of which B selects at random) algorithm B 0 will use a hash function given to it by the outside (rather than generating such a function at random by itself). In case A0 forges a signature while using this speci c functionvalue pair (as in Case 2), algorithm B 0 obtains and outputs a designated collision. We now turn to the actual construction of algorithm B 0 (which attempts to form designated collisions under a randomly selected hash function). Recall that such an algorithm operates in three stages (see discussion preceding De nition 6.7): rst the algorithm selects a preimage x, next it is given a description of a function h, and nally it is required to output x0 = x such that h(x0 ) = h(x). We stress that the third stage in the attack is also given the random choices made while producing the preimage x in the rst stage. Indeed, on input 1n , algorithm B 0 proceeds in three stages: Stage 1: Algorithm B 0 selects uniformly i 1 ::: t(n) , where t(n) bounds the runningtime of A0 (G01 (1n )) (and thus the number of queries it makes).
6 6 6 6 f g 6 2 f g 550 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION
0 Next B 0 selects (s v) G0 (1n ), and emulate the attack of A0 (v) on Ss , 0 as follows. All queries except the ith one while answering the queries of Ss are emulated in the straightforward manner (i.e., by executing the program 0 of Ss as stated). That is, for j = i, the j th query, denoted (j) , is answered ( ( ( by producing 1j) I (1n ), computing 2j) Ss ( 1j) h 1j) ( (j) )) (using ( (j ) (j ) the knowledge of s), and answering with the pair ( 1 2 ). The ith query of A0 , denoted (i) , will be used as the designated preimage. Once (i) is issued (by A0 ), algorithm B 0 completes its rst stage (without answering this query), and the rest of the emulation of A0 will be conducted by the third stage of B 0 .
6 Stage 2: At this point (i.e., after B 0 has selected the designated preimage (i) ), B 0 obtains a description of a random hashing function hr (thus completing its second operation stage). That is, this stage consists of B 0 being given r I (1n ). Stage 3: Next, algorithm B 0 answers the ith query (i.e., (i) ) by applying Ss to the pair (r hr ( (i) )). Subsequent queries are emulated in the straightforward manner (as explained above). When A0 halts, B 0 checks whether A0 has output a valid documentsignature pair ( ) as in Case 2 (i.e., hr ( ) = hr ( (j) ) for some j ), and whether the collision formed is indeed on the ith query (i.e., hr ( ) = hr ( (i) )). When this happens, B 0 outputs , and doing so it succeeded in forming a designated collision (with (i) under hr ). Now, if Case 2 occurs with probability at least " (n) (and A0 makes at most t(n) 2 queries) then B 0 succeeded in forming a designated collision with probability at least t(1 ) " (2n) , which contradicts the hypothesis that hr is UOWHF. n The furthermore part of the proposition follows by observing that if the forging algorithm A0 makes at most one query then the same holds for the algorithm A constructed above. Thus, if (G0 S 0 V 0 ) can be broken via a singlemessage attack that either (G S V ) can be broken via a singlemessage attack or one can form designated collisions (w.r.t hr ). In both cases, we reach a contradiction.
0 0 f g f g Conclusion: Combining the furthermorepart of Proposition 6.4.31, Corollary 6.4.6, and the fact that UOWHF collections imply oneway functions (see Exercise 15), we obtain:
onetime signature schemes exist too. Theorem 6.4.32 If there exist universal oneway hash functions then secure 6.4.3.4 Conclusions and comments
Combining Theorems 6.4.28, 6.4.32 and 6.4.9, we obtain: 6.5. * ADDITIONAL PROPERTIES 551 Corollary 6.4.33 If oneway permutations exists then there exist secure signature schemes. Like Corollary 6.4.10, Corollary 6.4.33 asserts the existence of secure (publickey) signature schemes, based on an assumption that does not mention trapdoors. Furthermore, the assumption made in Corollary 6.4.33 seems weaker than the one made in Corollary 6.4.10. We can further weaker the assumption by using Theorem 6.4.29 (which was stated without a proof) rather than Theorem 6.4.28. Speci cally, combining Theorems 6.4.29, 6.4.32 and 6.4.9, we establish Theorem 6.4.1. That is, secure signature schemes exist if and only if oneway functions exist. Comment: the hashandsign paradigm, revisited. We wish to highlight the revised version of the hashandsign paradigm as underlying Construction 6.4.30. Similar to the original instantiation of the hashandsign paradigm (i.e., Construction 6.2.6), Construction 6.4.30 is useful in practice. We warn that using the latter construction requires verifying that (G S V ) is a secure `restricted signature scheme and that hr is a UOWHF (rather than collisionfree). The advantage of Construction 6.4.30 over Construction 6.2.6 is that the former relies on a seemingly weaker construct that is, hardness of forming designated collisions (as in UOWHF) is a seemingly weaker condition than hardness of forming any collision (as in collisionfree hashing). On the other hand, Construction 6.2.6 is simpler and more e cient (e.g., one need not generate a new hashing function per each signature).
f g 6.5 * Additional Properties
We brie y discuss several properties of interest that some signature schemes enjoy. We rst discuss properties that seem unrelated to the original purpose of signature schemes, but are useful towards utilizing signature scheme as a building block towards constructing other primitives (e.g., see Section 5.4.4.4). These (related) properties are having unique valid signatures and being supersecure, where the latter term indicates the infeasibility of nding a di erent signature even to a document for which a signature was obtained by the attack. We next turn to properties that o er some advantages in the originallyintended applications of signature schemes. Speci cally, we consider properties that allow saving real time in some settings (see Sections 6.5.3 and 6.5.4), and a property supporting legitimate revoking of forged signatures (see Section 6.5.5). 6.5.1 Unique signatures Loosely speaking, we say that a signature scheme (G S V ) (either a privatekey or a publickey one) has unique signatures if for every possible veri cationkey v and every document there is a unique such that Vv ( ) = 1. 552 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION Note that this property is related, but not equivalent, to the question of whether or not the signing algorithm is deterministic (which is considered in Exercise 1). Indeed, if the signing algorithm is deterministic then, for every key pair (s v) and document , the result of applying Ss to is unique (and indeed Vv ( Ss ( )) = 1). Still, this does not mean that there is no other (which is never produced by applying Ss to ) such that Vv ( ) = 1. On the other hand, the unique signature property may hold even in case the signing algorithm is randomized, but indeed in this case the randomization can be eliminated from the latter (e.g., by replacing it with a xed sequence in case the signing algorithm always succeeds, or incorporating the coins in the signingkey (and possibly using a pseudorandom function) otherwise). Can secure signature schemes have unique signatures? The answer is de nitely a rmative, and in fact we have seen several such schemes in the previous sections. Speci cally, all privatekey signature schemes presented in Section 6.3 have unique signatures. Furthermore, every secure privatekey signature scheme can be transformed into one having unique signatures (e.g., by combining deterministic signing as in Exercise 1 with canonical veri cation as in Exercise 2). Turning to publickey signature schemes, we observe that if the oneway function f used in Construction 6.4.4 is 11, then the resulting secure lengthrestricted onetime (publickey) signature scheme has unique signatures (because each f image has a unique preimage). In addition, Construction 6.2.6 (i.e., the basic hashandsign) preserves the unique signature property. Let use summarize all these observations. Theorem 6.5.1 (secure schemes with unique signatures):
1. Assuming the existence of oneway functions, there exist secure message authentication schemes having the unique signature property. 2. Assuming the existence of 11 oneway functions, there exist secure lengthrestricted onetime (publickey) signature schemes having the unique signature property. 3. Assuming the existence of 11 oneway functions and collisionfree hashing collections, there exist secure onetime (publickey) signature schemes having the unique signature property. Still, this leaves open the question of whether or not there exist secure (fulledged) signature schemes having the unique signature property. In case the signature scheme does not posses the unique signature property, it makes sense to ask whether given a messagesignature pair it is feasible to produce a di erent signature to the same message. More generally, we may ask whether it is feasible for a chosen message attack to produce a di erent signature to any of the messages to which it has obtained signatures. Such 6.5.2 Supersecure signature schemes 6.5. * ADDITIONAL PROPERTIES 553 ability may be of concern in some applications (but, indeed, not in the most natural applications). Combining the new concern with the standard notion of security, we derive the following notion, which we call supersecurity. A signature scheme is called supersecure if it is infeasible for a chosen message attack to produce a valid messagesignature pair that is di erent from all queryanswer pairs obtained during the attack, regardless of whether or not the message used in the new pair equals one of the previous queries. (Recall that ordinary security only requires the infeasibility of producing a valid messagesignature pair such that the message part is di erent from all queries made in the attack.) Do supersecure signature schemes exist? Indeed, every secure signature
scheme that has unique signatures is supersecure, but the question is whether supersecurity may hold for a signature scheme that does not posses the unique signature property. We answer this question a rmatively. Theorem 6.5.2 (supersecure signature schemes): Assuming the existence of oneway functions, there exist supersecure (publickey) signature schemes.
In other words, supersecure signature schemes exist if and only if secure signature schemes exist. We comment that the signature scheme constructed in the following proof does not have the unique signature property. Proof: Starting from (Part 2 of) Theorem 6.5.1, we can use any 11 oneway function to obtain supersecure lengthrestricted onetime signature schemes. However, wishing to use arbitrary oneway functions, we will rst show that universal oneway hashing functions can be used (instead of 11 oneway functions) to obtain supersecure lengthrestricted onetime signature schemes. Next, we will show that supersecurity is preserved by two transformations presented in Section 6.4: speci cally, the transformation of lengthrestricted onetime signature schemes into onetime signature schemes (speci cally, Construction 6.4.30), and the transformation of the latter to (full edged) signature schemes (i.e., Construction 6.4.16). Applying these transformations (to the rst scheme), we obtained the desired supersecure signature scheme. Recall that Construction 6.4.30 also uses universal oneway hashing functions, but the latter can be constructed using any oneway function (cf. Theorem 6.4.29).30 Claim 6.5.2.1: If there exist universal oneway hashing functions then, for every polynomiallybounded ` : N N , there exist supersecure `restricted onetime signature schemes. Proof sketch: We modify Construction 6.4.4 by using universal oneway hashing functions (UOWHFs) instead of oneway functions. Speci cally, for each preimage placed in the signingkey, we select at random and independently a UOWHF, and place its description both in the signing and veri cation keys. That is,
! 30 We comment that a simpler proof su ces in case we are willing to use a oneway permutation (rather than an arbitrary oneway function). In this case, we can start from (Part 2 of) Theorem 6.5.1 (rather than prove Claim 6.5.2.1), and use Theorem 6.4.28 (rather than Theorem 6.4.29, which has a more complicated proof). 554 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION on input 1n , we uniformly select s0 s1 :::: s0(n) s1(n) 0 1 n and UOWHFs 1 1 ` ` h0 h1 :::: h0(n) h1(n), and compute vij = hj (sj ), for i = 1 ::: `(n) and j = 0 1. 1 1 i i ` ` We let s = ((s0 s1 ) :::: (s0(n) s1(n) )), h = ((h0 h1 ) :::: (h0(n) h1(n) )), and v = 1 1 1 1 ` ` ` ` 0 1 0 1 ((v1 v1 ) :::: (v`(n) v`(n) )), and output the keypair (s v) = ((h s) (h v)) (or, actually, we may set (s v) = (s (h v))). Signing and veri cation are modi ed accordingly that is, signing 1 ` amounts to handing (s1 1 ::: s` ` ), whereas ( 1 ::: ` ) is accepted as a valid signature of 1 ` (w.r.t the veri cationkey v) if and only of hi i ( i ) = vi i for every i. In order to show that the resulting scheme is supersecure under a chosen onemessage attack, we adapt the proof of Proposition 6.4.5. Speci cally, xing such an attacker A, we consider the event in which A violated the supersecurity of the scheme. There are two cases to consider: 1. The valid signature formed by A is to the same document for which A has obtained a di erent signature (via its single query). In this case, for at least one of the UOWHFs contained in the veri cationkey, we obtain a preimage that is di erent from the one contained in the signingkey. Adapting the construction presented in the proof of Proposition 6.4.5, we obtain (in this case) ability to form designated collisions (in contradiction to the UOWHF property). We stress that the preimages contained in the signingkey are selected independently of the description of the UOWHFs (because both are selected independently by the keygeneration process). In fact, we obtain a designated collision for a uniformly selected preimage.
2 f g 2. The valid signature formed by A is to a document that is di erent from the one for which A has obtained a signature (via its single query). In this case, the proof of Proposition 6.4.5 yields ability to invert a randomly selected UOWHF (on a randomly selected image), which contradicts the UOWHF property (as shown in Exercise 15). Thus, in both cases we derive a contradiction, and the claim follows. 2 Claim 6.5.2.2: Construction 6.4.30, when applied to a supersecure lengthrestricted signature scheme yields a supersecure signature scheme. In case the lengthrestricted scheme is only supersecure under a chosen onemessage attack, the same holds for the the resulting (lengthunrestricted) scheme. Proof sketch: We follow the proof of Proposition 6.4.31, and use the same construction of a forger for the lengthrestricted scheme (based on the forger for the complex scheme). Furthermore, we consider the two forgery cases analyzed in the proof of Proposition 6.4.31:31
31 Recall that ( ) denotes the documentsignature pair output by the original forger (i.e., for the complex scheme), whereas ( (i) (i) ) denotes the ith queryanswer pair (to that scheme). The documentsignature pair that we output (as a candidate forgery w.r.t lengthrestricted scheme) is ( 2 2 ), where 2 def ( 1 h 1 ( )) and = ( 1 2 ). Recall that a generic = 0 0 valid documentsignature for the complex scheme has the form ( 0 0 ), where 0 = ( 1 2 ) 0 0 satis es Vv (( 1 h ( 0 )) 2 ) = 1.
1
0 6.5. * ADDITIONAL PROPERTIES 555 ( Case 1: ( 1 h 1 ( )) 6= ( 1i) h 1i) ( (i) )) for all i's. In this case, the analysis is ( exactly as in the original proof. Note that it does not matter whether or not 6= (i) , since in both subcases we obtain a valid signature for a new string with respect to the lengthrestricted signature scheme. Thus, in this case, we derive a violation of the (ordinary) security of the lengthrestricted scheme. ( Case 2: ( 1 h 1 ( )) = ( 1i) h 1i) ( (i) )) for some i. The case 6= (i) was han( dled in the original proof (by showing that it yields a designated collision (under h 1i) which is supposedly a UOWHF)), so here we only handle the ( case = (i) . Now, suppose that supersecurity of the complex scheme ( ( was violated that is, ( 1 2 ) 6= ( 1i) 2i) ). Then, by the case hypothesis (i) ( (which implies 1 = 1 ), it must be that 2 6= 2i) . This means that we derive a violation of the supersecurity of lengthrestricted scheme, because (i) (i) )). 2 is a di erent valid Ss signature of ( 1 h 1 ( )) = ( 1 h (i) ( 1
( Actually, we have to consider all i's for which ( 1 h 1 ( )) = ( 1i) h (i) ( (i) )) 1 holds, and observe that violation of supersecurity for the complex scheme means that 2 must be di erent from each of the correspond( ing 2i) 's. Alternatively, we may rst prove that, with overwhelmingly ( high probability, all 1i) 's must be distinct. Thus, in both cases we reach a contradiction to the supersecurity of the lengthrestricted signature scheme, which establishes our claim that the general signature scheme must be supersecure. We stress that, like in Proposition 6.4.31, the above proof establishes that supersecurity for onetime attacks is preserved too (because the constructed forger makes a single query per each query made by the original forger). 2 Claim 6.5.2.3: Construction 6.4.16, when applied to supersecure onetime signature schemes yields supersecure signature schemes. Proof sketch: We follow the proof of Proposition 6.4.17, which actually means following the proof of Proposition 6.4.15. Speci cally, we use the same construction of a forger for the onetime scheme (based on the forger for the complex scheme). Furthermore, we consider the two forgery cases analyzed in the proof of Proposition 6.4.15:32 1. The rst case is when the forged signature for the complex (general signature) scheme (G0 S 0 V 0 ) contains a signature relative to an instance of the onetime scheme (G S V ) associated with a leaf that has been authenticated in an answer given to some signingquery. If no oracle answer has used the instance associated with this leaf then (as in the proof of
32 Recall that forging a signature for the general scheme requires either using an authentication path supplied by the (general) signingoracle or producing an authentication path di erent from all paths supplied by the (general) signingsigner. 556 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION Proposition 6.4.15) we obtain (ordinary) forgery with respect to the instance of (G S V ) associated with the leaf (without making any query to that instance of the onetime scheme). Otherwise, by the case hypothesis, the forged documentsignature pair di ers from the queryanswer pair that used the same leaf. The di erence is either in the document part or in the part of the complexsignature that corresponds to the onetime signature produced at the leaf. In both subcases this yields violation of the supersecurity of the instance of (G S V ) associated with that leaf. Speci cally, in the rst subcase we obtain a onetime signature to a di erent document (i.e., violation of ordinary security), whereas in the second subcase we obtain a di erent onetime signature to the same document (i.e., only a violation of supersecurity). We stress that, in both subcases, the violating signature is obtained after making a single query to the instance of (G S V ) associated with that leaf. 2. We now turn to the second case (i.e., forgery with respect to (G0 S 0 V 0 ) is obtained by producing an authentication path di erent from all paths supplied by the signer). In this case, we obtain violation of the ordinary (onetime) security of the scheme (G S V ), exactly as in the original proof of Proposition 6.4.15. We stress that in this case (regardless of which document is authenticated by the leaf), an internal node authenticates data that is di erent from the data authenticated by the signingoracle, and thus we obtain forgery via a onemessage attack on the instance of (G S V ) associated with this internal node. Thus, in both cases we reach a contradiction to the supersecurity of the onetime signature scheme, which establishes our claim that the general signature scheme must be supersecure. 2 Combining the three claims (and recalling that universal oneway hashing functions can be constructed using any oneway function (cf. Theorem 6.4.29)), the theorem follows. Loosely speaking, we say that a signature scheme (G S V ) (either a privatekey or a publickey one) has an o line/online signing process if signatures are produced in two steps, where the rst step is independent of the actual message to be signed. That is, the computation of Ss ( ) can be decoupled into two steps, performed by randomized algorithms that are denoted S o and S on on respectively such that Ss ( ) Ss ( S o (s)). Thus, one may prepare (or precompute) S o (s) before the document is known (i.e., o line), and produce the actual signature (online) once the document is presented is produced (by invoking algorithm S on on input S o (s)). This yields improvement in online responsetime to signature requests, provided that S on is signi cantly 6.5.3 O line/online signing 6.5. * ADDITIONAL PROPERTIES 557 faster that S itself. This improvement is worthwhile in many natural settings in which online responsetime is more important than o line processing time. We stress that S o must be randomized (as otherwise S o (s) can be incorporated in the signingkey). Indeed, one may view algorithm S o as an extension of the keygeneration algorithm that produces random extensions of the signingkey on the y (i.e., after the veri cationkey was already determined). We stress that algorithm S o is invoked once per each document to be signed, but this invocation can take place at any time and even before the document to be signed is even determined. (In contrast, it may be insecure to reuse the result obtained from S o for two di erent signatures.) two steps, but we are only interested in meaningful decouplings in which the o line step takes most of the computational load. Interestingly, schemes based on the refreshing paradigm (cf. Section 6.4.2.1) lend themselves to such a decoupling. Speci cally, in Construction 6.4.16, only the last step in the signing process depends on the actual document (and needs to be performed online). Furthermore, this last step amounts to applying the signing algorithm of a onetime signature scheme, which is typically much faster than all the other steps (which can be performed o line).33 Loosely speaking, we say that a signature scheme (G S V ) (either a privatekey or a publickey one) has an incremental signing process if the signing process can be spedup when given a valid signature to a (textually) related document. The actual de nition refers to a set of text editing operations such as delete word and insert word (where more powerful operations like cutting a document into two parts and pasting two documents may be supported two). Speci cally, one may require that given a documentsignature pair, ( ), a sequence of edit operations (i.e., specifying the operation type and its location), and the signingkey one may modify into a valid signature for the modi ed document in time proportional to the number of edit operations (and not to ). Indeed, here time is measured in a directaccess model of computation. Of course, the time saving on the signing side should not come at the expense of a signi cant increase in veri cation time. In particular, veri cation time should only depend on the length of the nal document (and not on the number of edit operations). An incremental signing process is bene cial in settings where one needs to sign many textually related documents (e.g., in simple contracts much of the text
j j Can secure signature schemes employ meaningful o line/online signing algorithms? Of course, any algorithm can be vacuously decoupled into 6.5.4 Incremental signatures 33 When pluggingin the onetime signature scheme suggested in Proposition 6.4.7, producing onetime signatures amounts to applying a collisionfree hashing function and outputting corresponding parts of the signingkey. This is all that needs to be performed in the online step. In contrast, the o line steps calls for n applications of a pseudorandom function, n applications of the keygeneration algorithm of the onetime signature scheme, and n applications of the signing algorithm of the onetime signature scheme. 558 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION is almost identical and edit changes refer to the party's speci c details as well as to speci c clauses that are modi ed from their standard form in order to meet the party's speci c needs). In some cases the privacy of the edit sequence may be of concern that is, one may require that the nal signature be distributed in a way that only depends on the nal document (rather than depend also on documents that \contributed" signatures to the process of generating the nal signature). Can secure signature schemes employ a meaningful incremental signing process? Here meaningful refers to the set of supported textmodi cation operations. The answer is a rmative, and furthermore these schemes may even protect the privacy of the edit sequence. Below, we refer to edit operations that delete/insert xlength bitstrings called blocks from/to a document (as well as to the cut and paste operations mentioned above). Theorem 6.5.3 (secure schemes with incremental signing process): 1. Assuming the existence of oneway functions, there exist secure message authentication schemes having an incremental signing process that supports block deletion and insertion. Furthermore, the scheme uses a xedlength authentication tag. 2. Assuming the existence of oneway functions, there exist secure (privatekey and publickey) signature schemes having an incremental signing process that supports block deletion and insertion as well as cut and paste. Furthermore, in both parts, the resulting schemes protect the privacy of the edit sequence. Part 1 is proved by using a variant on an e cient message authentication scheme that is related to the schemes presented in Section 6.3.1. Part 2 is proved by using an arbitrary secure (privatekey or publickey) signature scheme that produces nbit long signatures to O(n)bit long strings, where n is the security parameter. (Indeed, the scheme need only be secure in the O(n)restricted sense.) The document is stored in the leaves of a 2{3 tree,34 and the signature essentially consists of the tags of all internal nodes, where each internal node is tagged by applying the basic signature scheme to the tags of its children. One important observation is that a 2{3 tree supports the said operations while incurring only
34 A 2{3 tree is a balanced tree in which each internal node has either 2 or 3 children. Such trees support insert and delete (of a single symbol/leaf) in logarithmically many operations. To insert a leaf (in a depth d tree), add it as a child to the suitable level d ; 1 vertex, denoted v. In case the resulting childrendegree of v is 4, split v (evenly) into two vertices such that both the resulting vertices are children of v's parent. The parent may be split so too, and so on until one gets to the root. If the root needs to be split then the height of the tree is incremented. To delete a leaf, we apply an analogous procedure. Namely, if the resulting parent and its siblings have total childrendegree at least 4 then we rearrange these children so that each of the resulting parent nodes has childrendegree either 2 or 3. In case the total childrendegree is at most 3, we merge the parent and its sibling to one vertex and turn to its parent. Cutting and pasting of (sub)trees can be performed analogously. 6.5. * ADDITIONAL PROPERTIES 559 a logarithmic (in its size) cost that is, modifying only the links of logarithmic many nodes in the tree. Thus, only the tags of these nodes and their ancestors in the tree needs to be modi ed in order to form the correspondingly modi ed signature. (Privacy of the edit sequence is obtained by randomizing the standard modi cation procedure for 2{3 trees.) By analogy to Construction 6.2.13 (and Proposition 6.2.14), the incremental signature scheme is secure. Loosely speaking, a failstop signature scheme is a signature scheme augmented by a (noninteractive) proof system that allows the legitimate signer to prove to anybody that a particular (document,signature)pair was not generated by him/her. Actually, keygeneration involves interaction with an administrating entity (which publicizes the resulting veri cationkeys), rather than just having the user publicize his/her veri cationkey. In addition, we allow memorydependent signing procedures (as in De nition 6.4.13).35 The system guarantees the following four properties, where the rst two properties are the standard ones: 1. Proper operation: In case the user is honest, the signatures produced by it will pass the veri cation procedure (with respect to the corresponding veri cationkey). 2. Infeasibility of forgery: In case the user is honest, forgery is infeasible in the standard sense. That is, every feasible chosen message attack may succeed (to generate a valid signature to a new message) only with negligible probability. 3. Revocation of forged signatures: In case the user is honest, it can prove that forgery has been committed (in case it was indeed committed). That is, for every chosen message attack (even a computationallyunbounded one)36 that produces a valid signature to a new message, except for with negligible probability, the user can convince anyone (which knows the veri cationkey) that this valid signature was forged (i.e., produced by somebody else). The probability is taken over the actions of the (computationallyunbounded) adversary committing forgery. 4. Infeasibility of revoking unforged signatures: It is infeasible for a user to create a valid signature and later convince anybody that this signature was forged (i.e., produced by somebody else). Indeed, it is possible (but not feasible) for a user to cheat here. Furthermore, Property 3 (i.e., revocation of forged signatures) holds also in case the administrating entity participates in the forgery and even if it behaves
35 Allowing memorydependent signing is essential to the existence of secure failstop signature schemes see Exercise 21. 36 It seems reasonable to restrict such adversaries to polynomiallymany signing requests. 6.5.5 Failstop signatures 560 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION improperly at the keygeneration stage. (In contrast, the other items hold only if the administrating entity behaves properly during the keygeneration stage.) To summarize, failstop signature schemes allow to prove that forgery has occurred, and so o er an informationtheoretic security guarantee to the potential signers (yet the guarantee to potential signaturerecipients is only a computational one).37 In contrast, when following the standard semantics of signature schemes, the potential signers have only a computational security guarantee and the signature recipients have an absolute guarantee: whenever the veri cation algorithm accepts a signature, it is by de nition an unrevocable one. of either the Discrete Logarithm Problem or of integer factorization, the answer is a rmative. Indeed, in failstop signature schemes, each document must have superpolynomially many possible valid signatures (with respect to the publically known veri cationkey), but only a negligible fraction of these will be (properly) produced by the legitimate signer (who knows a corresponding signingkey, which is not uniquely determined by the veri cationkey). Furthermore, any strategy (even an infeasible one), is unlikely to generate signatures corresponding to the signingkey. On the other hand, it is infeasible given one signingkey to produce valid signatures (i.e., w.r.t the veri cationkey) that do not correspond to the proper signing with this signingkey. Do secure failstop signature schemes exist? Assuming the intractability 6.6 Miscellaneous 6.6.1 On Using Signature Schemes Once de ned and constructed, signature schemes may be (and are actually) used as building blocks towards various goals that are di erent from the original motivation. Still, the original motivation (i.e., reliable communication of information) is of great importance, and in this subsection we discuss several issues regarding the use of signature schemes towards achieving it. The discussion is analogous to a similar discussion conducted in Section 5.5.1, but the analogous issues discussed here are even more severe. in Section 6.1, using a privatekey signature scheme (i.e., a message authentication scheme) requires the communicating parties to share a secret key. This key can be generated by one party and secretly communicated to the other party by an alternative (expensive) secure and reliable channel. Often, a preferable solution consists of employing a keyexchange (or rather keygeneration) protocol, which is executed over the standard (unreliable) communication channel.
37 The above refers to the natural convention by which a proof of forgery frees the signer of any obligations implied by the document. In this case, when accepting a valid signature the recipient is only guaranteed that it is infeasible for the signer to revoke the signature. Using privatekey schemes { the key exchange problem. As discussed 6.6. MISCELLANEOUS 561 We stress that here (unlike in Section 5.5.1) we must consider active adversaries. Consequently, the focus should be on keyexchange protocols that are secure against active adversaries and are called unauthenticated keyexchange protocols (because the messages received over the channel are not necessarily authentic). Such protocols are too complex to be treated in this section, and the interested reader is referred to 30, 31, 18]. munication settings it is reasonable to assume that the authentication device may maintain (and modify) a state (e.g., a counter or a clock). Furthermore, in many applications, a changing state (e.g., a clock) must be employed anyhow in order to prevent reply of old messages (i.e., each message will be authenticated along with its transmission time). In such cases, statedependent schemes as discussed in Section 6.3.2 may be preferable. (See further discussion in Section 6.3.2 and analogous discussion in Section 5.5.1.) Using statedependent message authentication schemes. In many com Using signature schemes { publickey infrastructure. The standard use of (publickey) signature schemes in reallife applications requires a mechanism for providing the veri ers with the signer's authentic veri cationkey. In small systems, one may assume that each user holds a local record of the veri cationkeys of all other users. However, this is not realistic in largescale systems, and so the veri er must obtain the relevant veri cationkey onthe y in a \reliable" way (i.e., typically, certi ed by some trusted authority). In most theoretical work, one assumes that the veri cationkeys are posted and can be retrieved from a public le that is maintained by a trusted party (which makes sure that each user can post only veri cationkeys bearing its own identity). In abstract terms, such trusted party may provide each user with a (signed) certi cate stating the authenticity of the user's veri cationkey. In practice, maintaining such a publicle (and handling such certi cates) is a major problem, and mechanisms that implement this abstraction are typically referred to by the generic term \publickey infrastructure (PKI)". For a discussion of the practical problems regarding PKI deployment see, e.g., 180, Chap. 13]. 6.6.2 On Information Theoretic Security In contrast to the bulk of our treatment, which focuses on computationallybounded adversaries, in this section we consider computationallyunbounded adversaries. Speci cally, we consider computationallyunbounded chosen message attacks, but do bound (as usual, by an unknown polynomial) the total number of bits in the signingqueries made by such attackers. We call a (privatekey or publickey) signature scheme perfectlysecure (or informationtheoretically secure) if even such computationallyunbounded attackers may succeed (in forgery) only with negligible probability. It is easy to see that no (publickey) signature scheme may be perfectlysecure, not even in a lengthrestricted onetime sense. The reason is that a 562 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION computationallyunbounded adversary that is given a veri cationkey can nd (without making any queries) a corresponding signingkey, which allows it to forge signatures to any message of its choice. In contrast, restricted types of message authentication schemes (i.e., privatekey signature schemes) may be perfectlysecure. Speci cally, given any polynomial bound on the total number of messages to be authenticated, one may construct a corresponding statebased perfectlysecure message authentication scheme. In fact, a variant of Construction 6.3.10 will do, where a truly random onetime pad is used instead of the pseudorandom sequence generated using the nextstep function g. Indeed, this onetime pad will be part of the key, which in turn must be longer than the total number of messages to be authenticated. We comment that the use of a state is essential for allowing several messages to be authenticated (in a perfectlysecure manner). (Proofs of both statements can be derived following the ideas underlying Exercise 8.2.) The reader may note that we have avoided the presentation of several popular signature schemes (i.e., publickey ones). As noted in Section 6.1.4.3, some of these schemes (e.g., RSA 216] and DSS 192]) seem to satisfy some weak (i.e., weaker than De nition 6.1.2) notions of security. Variants of these schemes are proven to be secure in the random oracle model, provided some standard intractability assumptions hold (cf, e.g., 32]). However, we are not satis ed with either of these types of results, and articulate our opinion next. 6.6.3 On Popular Schemes On using weaker de nitions. We distinguish between weak de nitions that make clear reference to the abilities of the adversary (e.g., onemessage attacks, lengthrestricted message attacks) and weak notions that make hidden and unspeci ed assumptions regarding what may be bene cial to the adversary (e.g., \forgery of signatures for meaningful documents"). In our opinion, the fact that the hidden assumptions often \feel right" makes them even more dangerous, because it means that they are never seriously considered (and not even formulated). For example, it is often said that existential forgery (see Section 6.1.3) is \merely of theoretical concern", but these claims are never supported by any evidence or by a speci cation of the types of forgery that are of \real practical concern". Furthermore, a few years later, one learns that this \merely theoretical" issue yields a real security breach in some important applications. Still, weak de nition of security may make sense, provided that they are clearly stated and that one realizes their limitations (i.e., \nongenerality"). Since this book focuses on generallyapplicable de nitions, we chose not to discuss such weaker notions of security and not to present schemes that can be evaluated only with respect to these weak notion. On the Random Oracle Methodology. The Random Oracle Methodology 95, 29] consists of two steps: First, one designs an ideal system in which all 6.6. MISCELLANEOUS 563 parties (including the adversary) have oracle access to a truly random function, and proves this ideal system to be secure (i.e., one typically says that the system is secure in the random oracle model). Next, one replaces the random oracle by a \good cryptographic hashing function", providing all parties (including the adversary) with the succinct description of this function, and hopes that the resulting (actual) scheme is secure.38 We warn that this hope has no justi cation. Furthermore, there exist encryption and signature schemes that are secure in the Random Oracle Model, but replacing the random function (used in them) by any function ensemble yields a totally insecure scheme (cf., 59]). 6.6.4 Historical Notes
As in case of encryption schemes, the rigorous study of the security of privatekey signature schemes (i.e., message authentication schemes) has legged behind the corresponding study of publickey signature schemes. The current section is organized accordingly. 6.6.4.1 Signature Schemes
The notion of a (publickey) signature scheme was introduced by Di e and Hellman 78], who also suggested to implement it using trapdoor permutations. Concrete implementations were suggested by Rivest, Shamir and Adleman 216] and by Rabin 211]. However, de nitions of security for signature schemes were presented only a few years afterwards. A rst rigorous treatment of security notions for signature schemes was suggested by Goldwasser, Micali and Yao 145], but their de nition is weaker than the one followed in our text. (Speci cally, the adversary's queries in the de nition of 145] are determined nonadaptively and obliviously of the publickey.) Assuming the intractability of factoring, they also presented a signature scheme that is secure under their de nition. We stress that the security de nition of 145] is signi cantly stronger than all security notions considered before 145]. A comprehensive treatment of security notions for signature schemes, which culminates in the notion used in our text, was presented by Goldwasser, Micali and Rivest 143]. Assuming the intractability of factoring, they also presented a signature scheme that is secure (in the sense of De nition 6.1.2). This was the rst time that a signature scheme was proven secure under a simple intractability assumption such as the intractability of factoring. Their proof has refuted a folklore (attributed to Ron Rivest) by which no such \constructive proof" may exist (as its mere existence was believed to yield a forging procedure). Whereas the (two) schemes of 145] were inherently memorydependent, the scheme of 143] has a \memoryless" variant (cf. 105] and 143]).
38 Recall that, in contrast, the methodology of Section 3.6.3 (which is applied often in the current chapter) refers to a situation in which the adversary does not have direct oracle access to the random function, and does not obtain the description of the pseudorandom function used in the latter implementation. 564 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION Following Goldwasser, Micali and Rivest 143], research has focused on constructing secure signature schemes under weaker assumptions. In fact, as noted in 143], their construction of secure signature schemes can be carried out using any collection of clawfree, trapdoor permutation pairs. The clawfree requirement was omitted in 28], whereas the seemingly more fundamental trapdoor requirement was omitted by Naor and Yung 198]. Finally, Rompel showed that one may use arbitrary oneway functions rather oneway permutations 217], and thus established Theorem 6.4.1. The progress brie y summarized above was enabled by the use of many important ideas and paradigms, some of them were introduced in that body of work and some were \only" revisited and properly formalized. Speci cally, we refer to the introduction of the refreshing paradigm in 143], the use of authentication trees (cf., 182, 183] and 143]), the use of the hashandsign paradigm (rigorously analyzed in 72]), the introduction of Universal OneWay Hash Functions (and the adaptation of the hashandsign paradigm to them) in 198], and the use of onetime signature schemes (cf., 210]). We comment that our presentation of the construction of signature schemes is di erent from the one given in any of the above cited papers. Speci cally, the main part of Section 6.4 (i.e., Sections 6.4.1 and 6.4.2) is based on a variant of the signature scheme of 198], in which collisionfree hashing (cf. 72]) are used instead of universal oneway hashing (cf. 198]). 6.6.4.2 Message Authentication Schemes
Message authentication schemes were rst discussed in the information theoretic setting, where a onetime pad was used. Such schemes were rst suggested in 104], and further developed in 236]. The onetime pad can be implemented by a pseudorandom function (or a online pseudorandom generator), yielding only computational security, as we have done in Section 6.3.2. Speci cally, Construction 6.3.10 is based on 163, 164]. In Section 6.3.1 we have followed a di erent paradigm that amounts to applying a pseudorandom function to the message (or its hashedvalue), rather than using a pseudorandom function (or a online pseudorandom generator) to implement a onetime pad. This alternative paradigm is due to 119], and is followed in works such as 27, 24, 16]. Indeed, following this paradigm (and similarly to 27, 24, 16]), we have actually focused (in Section 6.3.1) on constructing generalized pseudorandom function ensembles (as in De nition 3.6.12), based on ordinary pseudorandom functions (as in De nition 3.6.4). Collisionfree hashing
Collisionfree hashing was rst de ned in 72]. Construction 6.2.8 is also due to 72], with underlying principles that can be traced to 143]. Construction 6.2.11 is due to 73]. Construction 6.2.13 is due to 184]. 6.6. MISCELLANEOUS 565 On the additional properties
Unique signatures and supersecurity have been used in several works, but never extensively treated before. The notion of o ine/online signature scheme was introduced (and rst instantiated) in 86]. The notion of incremental cryptographic schemes (and in particular incremental signature schemes) was introduced and instantiated in 21, 22]. In particular, the incremental MAC of 22] (i.e., Part 1 of Theorem 6.5.3) builds on the message authentication scheme of 24], and the incremental signature scheme that protects the privacy of the edit sequence is due to 188] (building upon 22]). Failstop signatures were de ned and constructed in 206]. As mentioned above, the work of Goldwasser, Micali and Rivest contains a comprehensive treatment of security notions for signature schemes 143]. Their treatment refers to two parameters: (1) the type of attack, and (2) the type of forgery that follows from it. The most severe type of attack allows the adversary to adaptively select the documents to be signed (as in De nition 6.1.2). The most liberal notion of forgery refers to producing a signature to any document for which a signature was not obtained during the attack (again, as in De nition 6.1.2). Thus, the notion of security presented in De nition 6.1.2 is the strongest among the notions discussed in 143]. (Still, in some applications, weaker notions of security may su ce.) We stress that one may still bene t from the de nitional part of 143], but the constructive part of 143] should be ignored since it is superseded by later work (on which our presentation is based). P tzmann's book 207] contains a comprehensive discussion of many aspects involved in the integration of signature schemes in reallife systems. In addition, her book surveys variants and augmentations of the notion of signature schemes, viewing the one treated in the current book as \ordinary". The focus is on failstop signature schemes 207, Chap. 7{11], but much attention is given to the presentation of a general framework 207, Chap. 5] and to review of other \nonordinary" schemes 207, Sec. 2.7 & 6.1]. As hinted in Section 6.6.4.2, our treatment of the construction of message authentication schemes is merely the tip of an iceberg. The interested reader is referred to 230, 163, 164, 40] for details on the \onetime pad" approach, and to 27, 24, 16, 17, 23, 7] for alternative approaches. Constructions and discussion of AXU hashing functions can be found in 163, 164]. The constructions of universal oneway hash functions presented in Section 6.4.3 use any oneway permutation, and do so in a generic way. The number of applications of the oneway permutation in these constructions is linearly related to the di erence between the number of input and output bits in the hash function. In 103], it is shown that as far as generic (blackbox) constructions go, this is essentially the best performance that one can hope for. In continuation to the discussion in Section 6.4.2.4, we refer to reader to 82, 69], in which speci c implementations (of a generalization) of Constructions 6.4.14 6.6.5 Suggestion for Further Reading 566 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION and 6.4.16 are presented. Speci cally, these works utilize an authentication tree of large degree (rather than binary trees as in Section 6.4.2.2). 6.6.6 Open Problems The known construction of signature schemes from arbitrary oneway functions 217] is merely a feasibility result. It is indeed an important open problem to provide an alternative construction that may be practical and still utilize an arbitrary oneway function. We believe that providing such a construction may require the discovery of important new paradigms. 6.6.7 Exercises Exercise 1: Deterministic Signing and Veri cation algorithms:
1. Using a pseudorandom function ensembles, show how to transform any (privatekey or publickey) signature scheme into one employing a deterministic signing algorithm. 2. Using a pseudorandom function ensembles, show how to transform any message authentication scheme into one employing deterministic signing and verifying algorithms. 3. Verify that all signature schemes presented in the current chapter employ a deterministic veri cation algorithm.
Augment the signingkey with a description of a pseudorandom function, and apply this function to the string to be signed in order to extract the randomness used by the original signing algorithm.
Guideline (for Part 1): Analogous to Part 1. (Highlight your use of the privatekey hypothesis.) Alternatively, see Exercise 2.
Guideline (for Part 2): Exercise 2: Canonical veri cation in the privatekey version: Show that, with out loss of generality, the veri cation algorithm of a privatekey signature scheme may consist of comparing the alleged signature to one produced by the veri cation algorithm itself (which does so exactly as the signing algorithm). Why does this claim fail with respect to publickey schemes?
Use Part 1 of Exercise 1, and conclude that the on a xed input the signing algorithm always produces the same output. Use the fact that (by Exercise 8.2) the existence of message authentication schemes implies the existence of pseudorandom functions.
Guideline: Exercise 3: Augmented attacks in the privatekey case: In continuation to the discussion in Section 6.1.4.1, consider the de nition of an augmented attack (on a privatekey signature scheme) in which the adversary is allowed veri cationqueries. 6.6. MISCELLANEOUS 567 1. Show that in case the signature scheme has (a deterministic veri cation algorithm and) unique valid signatures, it is secure against augmented attacks if and only if it is secure against ordinary attacks (as in De nition 6.1.2). 2. Assuming the existence of secure privatekey signature schemes (as in De nition 6.1.2), present such a secure scheme that is insecure under augmented attacks.
Analyze the emulation outlined in Section 6.1.4.1. Speci cally, ignoring the redundant veri cationqueries (for which the answer is determined by previous answers), consider the probability that the emulation has gambled correctly on all the veri cationqueries upto (and including) the rst such query that should be answered a rmatively.
Guideline (Part 1): Guideline (Part 2): Given any secure MAC (G S V ), assume without loss of generality that in the keypairs output by G the veri cationkey equals the signingkey. Consider the scheme (G0 S 0 V ) (with G0 = G), 0 where Ss ( ) = (Ss ( ) 0), Vv0 ( ( 0)) = Vv ( ) and Vv0 ( ( i )) = 1 if both Vv ( ) = 1 and the ith bit of s = v is . Prove that (G0 S 0 V ) is secure under ordinary attacks, and present an augmented attack that totally breaks it (i.e., obtains the signingkey). Exercise 4: The signature may reveal the document: Both for privatekey and publickey signature schemes, show that if such secure schemes exist then there exist secure signature schemes in which any valid signature to a message allows to e ciently recover the entire message. Exercise 5: On the triviality of some lengthrestricted signature schemes: 1. Show that for logarithmically bounded `, secure `restricted privatekey signature schemes (i.e., message authentication schemes) can be trivially constructed (without relying on any assumption). 2. In contrast, show that the existence of a secure `restricted publickey signature scheme, even for ` 1, implies the existence of oneway functions.
Guideline (Part 1):
2`(n) s 2 f0 1g where each si is an nbit long string, and consider any xed ordering of the 2`(n) strings of length `(n). The signature to 2 f0 1g`(n) is de ned as si , where i is the index of in the latter ordering.
Let (G S V ) be a 1restricted publickey signature scheme. De ne f (1n r) = v if on input 1n and coins r, algorithm G generates the keypair of the form ( v). Assuming that algorithm A inverts f with probability "(n), we construct a forger that attacks (G S V ) as follows. On input a veri cation key v, the forger invokes A on input v. With probability "(n), the forger obtains r so that f (1n r) = v. In such a case, the forger obtains a matching signingkey s (i.e., (s v) is output by G(1n ) on coins r), and so can produce valid signatures to any string of its choice.
Guideline (Part 2): On input 1n , the key generator uniformly selects n , and outputs the key pair (s s). View s = s1 s `(n) , 2 568 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION Exercise 6: Failure of Construction 6.2.3 in case `(n) = O(log n): Show that
Note that by asking for polynomiallymany signatures, the ad0 versary may obtain two Ss signatures that use the same (random) identi er. Speci cally, consider making the queries , for all possible 2 f0 1g`(n) , 0 and note that if and 0 0 are Ss signed using the same identi er then 0 signature to 0 . we can derive a valid Ss
Guideline:
f f g if Construction 6.2.3 is used with logarithmically bounded ` then the resulting scheme is insecure. Exercise 7: Using a pseudorandom function ensemble of the form fs : 0 1
f g 0 1 jsj s2f0 1g , construct a general secure message authentication scheme (rather than a lengthrestricted one).
Guideline: The construction is identical to Construction 6.3.1, except that here we use a general pseudorandom function ensemble rather than the one used there. The proof of security is analogous to the proof of Proposition 6.3.2. g ! Exercise 8: Prove that the existence of secure message authentication schemes implies the existence of oneway functions. Speci cally, let (G S V ) be as in the hypothesis. 1. To simplify the following two items, show that, without loss of generality, G(1n ) uses n coins and outputs a signingkey of length n and that Ss ( ) is determined by s + . 2. Assume rst that S is a deterministic signing algorithm. Prove that f (r 1 ::: m ) def (Ss ( 1 ) ::: Ss ( m ) 1 ::: m ) is a oneway func= tion, where s = G1 (r) is the signingkey generated with coins r, all i 's are of length n = r and m = (n). Extend the proof to handle randomized signing algorithms. 3. Using the relation between pseudorandom functions (as in De nition 3.6.12) and oneway functions, the following provides an alternative proof for the special case of deterministic signing.39 (Based on 197]): Consider the Boolean function ensemble fs r s r , where s is selected according to G1 (1n ) and r is uniformly distributed over strings of length Ss (1n ) , de ned such that fs r ( ) equals the innerproduct mod 2 of r and Ss ( ). Prove that this ensemble is pseudorandom (as de ned in De nition 3.6.12 for the case r(n) = 1).
j j j j j j j j f g j j
0 Guideline (Part 2): Note that the m signatures determine an r0 , which in turn determines a signingkey s0 = G1 (r0 ) such that Ss ( ) = Ss ( ) for most 2 f0 1gn . (Note that s0 does not necessarily equal s.) Show that this implies that ability to invert f yields ability to forger (under a chosen message attack). (Hint: use m random signingqueries to produce a 39 Note that the functions in the ensemble have a su ciently large domain. Thus, this pseudorandom function ensemble gives rise to a pseudorandom generator (analogously to Exercise 28 of Chapter 3), which in turn implies the existence of oneway functions. 6.6. MISCELLANEOUS
random image of f .) The extension to randomized signing is obtained by augmenting the argument of the oneway function with the coins used by the m invocations of the signing algorithm.
Guideline (Part 3): Consider hybrid experiments such that in the ith hybrid the rst i queries are answered by a truly random Boolean function and the rest are answered by a uniformly distributed fs r . (Note that it seems important to use this nonstandard order of random versus pseudorandom answers.) Show that distinguishability of the ith and i + 1st hybrids implies that a probabilistic polynomialtime machine can have a nonnegligible advantage in the following game in which the machine is asked to select , next fs r is uniformly selected and the machine is given r as well as oracle access to Ss (but is not allowed the query ) and is asked to guess fs r ( ). (Note that the particular order used allows to produce the rest of the hybrid when given this oracle access. On the other hand, it is important to hand r only after the machine has selected see 197].) At this point, one may apply the proof of Theorem 2.5.2, and deduce that the said machine can construct Ss ( ) with nonnegligible probability, in contradiction to the security of the MAC. 569 Exercise 9: Prove that, without loss of generality, one can always assume that
Given an adversary A0 that outputs a messagesignature pair ( ) without making any query, modify it so that it makes an arbitrary query 0 2 f0 1gj j n f g just before producing that output.
Guideline: a chosen message attack makes at least one query. (This holds for general signature schemes as well as for lengthrestricted and/or onetime ones.) Exercise 10: On perfectlysecure onetime message authentication (MAC) schemes: By perfect (or informationtheoretic) security we mean that even computationallyunbounded chosen message attacks may succeed (in forgery) only with negligible probability. De ne perfect (or informationtheoretic) security for onetime MACs and lengthrestricted onetime MACs. (Be sure to bound the length of documents (e.g., by some superpolynomial function) also in the unrestricted case.) Prove the following, without relying on any (intractability) assumptions (which are anyhow useless in the informationtheoretic context): 1. For any polynomiallybounded and polynomialtime computable function ` : N N , perfectlysecure `restricted onetime MACs can be trivially constructed. 2. Using a suitable AXU family of hashing functions, present a construction of a perfectlysecure onetime MAC. Furthermore, present such a MAC in which the authenticationtags have xed length (i.e., depending on the length of the key but not on the length of the message being authenticated).
! 570 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION 3. Show that any perfectlysecure onetime MAC that utilizes xed length authenticationtags and a deterministic signing algorithm yields a generalized hashing ensembles with negligible collision probability. Speci cally, for any polynomial p, this ensembles has a (p 1=p)collision property.
For Part 1, combine the ideas underlying Exercise 5 and Construction 6.4.4. For Part 2, use the ideas underlying Construction 6.3.10 and the proof of Proposition 6.3.11. For Part 3, given a MAC (G S V ) as in the claim, consider the functions hs(x) def Ss (x), where s G1 (1n ). =
Guideline: Exercise 11: In contrast to Exercise 10, prove that the existence of secure
See guideline for Item 2 in Exercise 5. onetime signature schemes implies the existence of oneway functions. Furthermore, prove that this holds even for 1restricted signature schemes that are secure (only) under attacks that make no signingqueries.
Guideline: Exercise 12: Prove that the existence of collisionfree hashing collections implies the existence of oneway functions.
Guideline: Given a collisionfree hashing collection, fhr : f0 1g ! f0 1g`(jrj) gr2f0 1g , consider the function f (r x) = (r hr (x)), where (say) jxj = `(jrj) + jrj. Prove that f is a oneway function, by assuming towards the contradiction that f can be e ciently inverted with nonnegligible probability, and deriving an e cient algorithm that forms collisions on random hr 's. Given r, form a collision under the function hr , by uniformly selecting x 2 f0 1g`(jrj)+jrj , and feeding the inverting algorithm with input (r hr (x)). Observe that with nonnegligible probability a preimage is obtained, and that with exponentially vanishing probability this preimage is (r x) itself. Thus, with nonnegligible probability, we obtain a preimage (r x0 ) 6= (r x) and it holds that hr (x0 ) = hr (x). Exercise 13: In contrast to Exercise 4, show that if secure message authenti cation schemes exist then there exist such schemes in which it is infeasible (for a party not knowing the key) to extract from the signature any partial information about the message (except for the message length). (Indeed, privacy of the message is formulated as the de nition of semantic security of encryption schemes see Chapter 5.)
Combine a message authentication scheme with an adequate privatekey encryption scheme. Refer to issues such as the type of security required of the encryption scheme, and why the hypothesis yields the existence of the ingredients used in the construction.
Guideline: Exercise 14: In continuation to Exercise 13, show that if there exist collisionfree hashing functions then there exist message authentication schemes in which it is infeasible (for a party not knowing the key) to extract from the signature any partial information about the message (including the 6.6. MISCELLANEOUS 571 message length). How come we can hide the message length in this context, whereas we cannot do this in the context of encryption schemes?
Combine a message authentication scheme having xed length signatures with an adequate privatekey encryption scheme. Again, refer to issues as in Exercise 13.
Guideline: Exercise 15: Prove that the existence of collections of UOWHF implies the
Note that the guidelines provided in Exercise 12 can be modi ed to t the current context. Speci cally, the collisionforming algorithm is given uniformly distributed r and x, and invokes the inverter on input (r hr (x)). Note that the furthermore clause is implicit in the proof.
Guideline: existence of oneway functions. Furthermore, show that uniformly chosen functions in any collection of UOWHFs are hard to invert (in the sense of De nition 2.4.3). Exercise 16: Assuming the existence of oneway functions, show that there exists a collection of universal oneway hashing functions that is not collisionfree.
Guideline: ffs : f0 1g ! f0 1gjsj g, consider the collection F 0 = ffs0 : f0 1g ! 0 f0 1gjsj g de ned so that fs (x) = (0 fs (x)) if the jsjbit long pre x of x is
0 di erent from s, and fs (sx0 ) = (1 s) otherwise. Clearly, F 0 is not collision0 remains universal oneway hashing. free. Show that F
2 Given a collection of universal oneway hashing functions, Exercise 17: Show that for every nite family of functions H , there exists
f x = y such that h(x) = h(y) for every h H . Furthermore, for H = h : 01 0 1 m , show that this holds for x y m H .
6 f g ! f g g j j j j j j Guideline: collision as soon as we consider more than 2mt preimages. Consider the mapping x 7! (h1 (x) ::: ht (x)), where H = fhi gt=1 . Since the number of possible images is at most (2m )t , we get a i Exercise 18: Constructions of Hashing Families with Bounded Collision Prob ability: In continuation to Exercise 22.2 in Chapter 3, consider the set of m functions S` associated with `bym Toeplitz matrix that is hT (x) = Tx, where T = (Ti j ) is a Toeplitz matrix (i.e., Ti j = Ti+1 j+1 for all i j ). Show that this family has collision probability 2;m . (Note that each `bym Toeplitz matrix is speci ed using ` + m ; 1 bits.)
Guideline: Note that we have eliminated the shifting vector b used in Exercise 22.2 of Chapter 3, but this does not e ect the relevant analysis. Exercise 19: Constructions of Generalized Hashing Families with Bounded Collision Property: (See de nition in Section 6.3.1.3.) 1. Using a treehashing scheme as in Construction 6.2.13, construct a generalized hashing ensemble with a (f 1=f )collision property, where f (n) = 2"n" for some " > 0. 572 CHAPTER 6. SIGNATURES AND MESSAGE AUTHENTICATION 2. (By Hugo Krawczyk): Show that the blockchaining method (as in Construction 6.2.11) fails in the current context. That is, there exists a hashing ensemble hr : 0 1 2m(jrj) 0 1 m(jrj) with negligible collision probability such that applying Construction 6.2.11 to it (even with three blocks) yields an ensemble with high collision probability. Guideline (Part 1): Let fhr : f0 1g2m(jrj) ! f0 1gm(jrj) g, be a hashf f g ! f g g ing ensemble with collision probability cp. Recall that such ensembles with m(n) = n=3 and cp(n) = 2;m(n) can be constructed (see Exercise 18). Then, consider the function ensemble fhr1 ::: rm(n) : f0 1g ! f0 1g2m(n) gn2N , where all ri 's are of length n, such that hr1 ::: rm(n) (x) is de ned as follows 1. As in Construction 6.2.13, break x into t def 2dlog2 (jxj=m(n))e consec= utive blocks, denoted x1 ::: xt , and let d = log2 t. 2. Let i = 1 ::: t, let yd i def xi . For j = d ; 1 ::: 1 0 and i = 1 ::: 2j , = let yj i = hrj (yj +1 2i;1 yj +1 2i ). The hash value equals (y0 1 jxj). = The above functions have description length N def m(n) n and map strings of length smaller than 2m(n) to strings of length 2m(n). It is easy to bound the collision probability (for strings of equal length) by the probability of collision occuring in each of the levels of the tree. In fact, for x1 xt 6= x01 x0t such that xi 6= x0i , it su ces to bound the 0 sum of the probabilities that yj di=2d j e = yj di=2d j e holds (given that 0 yj+1 di=2d (j+1) e 6= yj+1 di=2d (j+1) e) for j = d ; 1 ::: 1 0. Thus, this generalized hashing ensemble has a (` )collision property, where `(N ) = 2m(n) ; 1 and (N ) = m(n) cp(n). Recalling that we may use m(n) = n=3 and cp(n) = 2;m(n) , we obtain (using N = n2 =3), `(N ) = 2(N=3)1=2 ; 1 > 2(N=4)1=2 and (N ) < (N=`(N )) < 2;(N=4)1=2 (as desired).
; ; ; ; Given a hashing family as in the hypothesis, modify it into fh0r s : f0 1g2m ! f0 1gm g, such that h0r s (02m ) = s, h0r s (s m ) = 0m for both 2 f0 1g, and h0r s (x) = hr (x) for all other x's. Note that the new family maintains the collision probability of the original one upto an additive term of O(2;m ). On the other hand, for both 2 f0 1g, it holds that h0r s (h0r s (02m ) m ) = h0r s (s m ) = 0m .
Guideline (Part 2): Exercise 20: Additional properties required in Proposition 6.4.21: In continuation to Exercise 23 of Chapter 3, show that the said function ensemble satis es the following two properties: n 1. All but a negligible fraction of the functions in Sn ;1 are 2to1. 2. There exists a probabilistic polynomialtime algorithm that given y1 y2 0 1 n and z1 z2 0 1 n;1, outputs a uniformly disn;1 : hs (yi ) = zi i 1 2 . tributed element of s Sn
2 f g 2 f g f 2 8 2 f gg n Recall that functions in Sn ;1 are described by a pair of elen ) so that the pair (a b) describes the function ments of the nite eld GF(2 ha b that maps x 2 GF(2n ) to the (n ; 1)bit pre x of the nbit representation of ax + b, where the arithmetics is of the eld GF(2n ). The rst condition follows by observing that the function ha b is 2to1 if and only if
Guideline: 6.6. MISCELLANEOUS
a 6= 0. The second condition follows by observing that ha b (yi ) = zi if and only if ayi + b = vi for some vi that is a singlebit extension of zi . Thus, generating a pair (a b) such that ha b (yi ) = zi for both i's, amounts to selecting random singlebit extensions vi 's, and (assuming y1 6= y2 ) solving the system fayi + b = vi gi=1 2 (for the variables a and b). 573 Exercise 21: Failstop signatures require a memorydependent signing process:
Suppose towards the contradiction that there exist a secure memoryless failstop signature scheme. For every signingkey s 2 f0 1gn , consider the randomized process Ps in which one rst selects uniformly x 2 f0 1gn , produces a (random) signature y Ss (x), and outputs the pair (x y). Show that, given polynomiallymany samples of Ps , one can nd (in exponential time) a string s0 2 f0 1gn such that with probability at least 0:99 the statistical distance between Ps and Ps is at most 0:01. Thus, a computationally unbounded adversary making polynomiallymany signing queries, can nd a signingkey that typically produces the same signatures as the true signer. It follows that either these signatures cannot be revoked or that the user may also revoke its own signatures.
Guideline:
0 In continuation to Section 6.5.5, prove that a secure failstop signature scheme must employ a memorydependent signing process (as in De nition 6.4.13). Author's Note: First draft written mainly in May 2000. Major revision completed in Feb. 2002. ...
View Full
Document
 Spring '02
 Trevisan
 Computer Science

Click to edit the document details