Leo Reyzin. Notes for BU CAS CS 538.

10 More on Signatures and the Public-Key Infrastructure

10.1 Random Oracle Model and Full-Domain-Hash

Very efficient stateless signatures seem to come from the so-called random oracle model, formally introduced by Bellare and Rogaway [BR93]. The idea is that people often use hash functions such as SHA-1 [NIS95] as something that produces random-looking outputs. What if we really had a truly random function available to everyone (signer, verifier and adversary alike)?

In the random oracle model, the definition of a signature scheme changes as follows: all three algorithms $(\mathrm{Gen}, \mathrm{Sig}, \mathrm{Ver})$ are now oracle algorithms $(\mathrm{Gen}^{?}, \mathrm{Sig}^{?}, \mathrm{Ver}^{?})$; the adversary $E^{?}$ now has access to two oracles: $E^{?,?}$. The new oracle will be random. Namely, the experiment changes as follows:

$\mathrm{expforge}(k)$
0. Let $R : \{0,1\}^* \to \{0,1\}$ be a function chosen uniformly at random from all possible functions.
1. $(\mathrm{PK}, \mathrm{SK}) \leftarrow \mathrm{Gen}^{R}(1^k)$
2. $(m, \sigma) \leftarrow E^{\mathrm{Sig}^{R}_{\mathrm{SK}}(\cdot),\, R}(1^k, \mathrm{PK})$
3. If $m$ was not queried by $E$ to its signing oracle and $\mathrm{Ver}^{R}_{\mathrm{PK}}(m, \sigma) = 1$, output 1. Else output 0.

The rest of the definition stays the same. Note that the adversary has to be built obliviously to the oracle $R$, and work for a random choice of $R$.

In this model, we could build signature schemes more easily. Specifically, let $(n, e)$ be an RSA public key, and $(n, d)$ be the corresponding RSA secret key. Let $H : \{0,1\}^* \to \mathbb{Z}_n^*$ be a random function (it can be easily built out of $R : \{0,1\}^* \to \{0,1\}$). To sign $m$, compute $h = H(m)$ and $\sigma = h^d \bmod n$. To verify, compute $h = H(m)$ and check if it equals $\sigma^e \bmod n$.

More generally, let $\{f_i : D_i \to D_i\}$ be a trapdoor permutation family (such a family comes with the following probabilistic polynomial-time algorithms: the algorithm GenT to generate $i$ and trapdoor $t$, an algorithm to compute $f_i(x)$ given $i$ and $x \in D_i$, and an algorithm to compute $f_i^{-1}(y)$ given $t$ and $y$). Let $H : \{0,1\}^* \to D_i$ denote the random oracle. Let Full Domain Hash (FDH) be the following signature scheme:

Gen picks a trapdoor permutation: runs GenT to generate $\mathrm{PK} = i$ and $\mathrm{SK} = t$
$\mathrm{Sig}(\mathrm{SK}, m)$ computes and outputs $s = f_i^{-1}(H(m))$
$\mathrm{Ver}(\mathrm{PK}, m, s)$ checks if $f(s) = H(m)$

Theorem 1 ([BR93]). Full Domain Hash is secure in the random oracle model.

Proof. We will show security by reduction to the one-wayness of $f$. Indeed, suppose $F$ is a forger for FDH. Then we will build an inverter Inv for $f$. Given an index $i$ and a random value $y \in D_i$, Inv has to find $f_i^{-1}(y)$.

Suppose $F$ asks $q_{\mathrm{hash}}$ hash queries $a_1, \ldots, a_{q_{\mathrm{hash}}}$ and $q_{\mathrm{sig}}$ signature queries $m_1, \ldots, m_{q_{\mathrm{sig}}}$, and then outputs a forgery $(m, s)$. Without loss of generality, assume that before $m_j$ is queried to a signing oracle, it is queried to the hash oracle (if not, Inv can perform the query to the hash oracle itself before it answers the signing query). Same for the final forgery $m$: assume that before being output, it is queried to the hash...
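The RSA instance of Full Domain Hash described above, as an added Python example that is not part of the original notes. It assumes SHA-256 in counter mode as a stand-in for the random oracle $R$ and a constructed toy key built from two Mersenne primes; the function names are hypothetical.

```python
import hashlib
from math import gcd

# Constructed toy key from two Mersenne primes: illustration only, insecure.
P, Q = 2**127 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # RSA secret exponent d (Python 3.8+)


def full_domain_hash(m: bytes, n: int = N) -> int:
    """H: {0,1}* -> Z_n^*, with SHA-256 in counter mode standing in for R."""
    # 128 bits beyond the size of n keep the bias of the mod-n reduction negligible.
    nbytes = (n.bit_length() + 7) // 8 + 16
    attempt = 0
    while True:
        stream, ctr = b"", 0
        while len(stream) < nbytes:
            # Fixed-length prefix (attempt, counter), then the message: unambiguous.
            block = attempt.to_bytes(4, "big") + ctr.to_bytes(4, "big") + m
            stream += hashlib.sha256(block).digest()
            ctr += 1
        h = int.from_bytes(stream[:nbytes], "big") % n
        if gcd(h, n) == 1:  # h is in Z_n^*; a retry is astronomically rare
            return h
        attempt += 1


def sign(m: bytes) -> int:
    """sigma = H(m)^d mod n."""
    return pow(full_domain_hash(m), D, N)


def verify(m: bytes, sigma: int) -> bool:
    """Accept iff H(m) equals sigma^e mod n."""
    return 0 < sigma < N and pow(sigma, E, N) == full_domain_hash(m)


if __name__ == "__main__":
    msg = b"constructed sample message"
    sig = sign(msg)
    print(verify(msg, sig), verify(b"another message", sig))
```

The hash output is stretched to cover all of $\mathbb{Z}_n^*$ rather than a fixed 256-bit range, which is the "full domain" property the scheme is named for.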
 Spring '09
