notes-10 - Leo Reyzin. Notes for BU CAS CS 538. 1 10 More...

Info iconThis preview shows pages 1–2. Sign up to view the full content.

View Full Document Right Arrow Icon

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: Leo Reyzin. Notes for BU CAS CS 538. 1 10 More on Signatures and the Public-Key Infrastructure 10.1 Random Oracle Model and Full-Domain-Hash Very efficient stateless signatures seem to come from the so-called random oracle model , formally introduced by Bellare and Rogaway [BR93]. The idea is that often people use hash function such as SHA-1 [NIS95] as something that produces random-looking outputs. What if we really had a truly random function available to everyone (signer, verifier and adversary alike)? In the random oracle model, the definition of signature scheme changes as follows: all three algorithms (Gen , Sig , Ver) are now oracle algorithms (Gen ? , Sig ? , Ver ? ); the adversary E ? now has access to two oracles E ? , ? . The new oracle will be random. Namely, the experiment changes as follows: exp-forge (k) 0. Let R : { , 1 } * { , 1 } be a function chosen uniformly at random from all possible functions. 1. (PK , SK) Gen R (1 k ) 2. ( m, ) E Sig R SK ( ) ,R (1 k , PK) 3. If m was not queried by E to its signing oracle and Ver R PK ( m, ) = 1, output 1. Else output 0. The rest of the definition stays the same. Note that the adversary has to be built obliviously to the oracle R , and work for a random choice of R . In this model, we could build signature schemes more easily. Specifically, let ( n, e ) be an RSA public key, and ( n, d ) be the corresponding RSA secret key. Let H : { , 1 } * Z * n be a random function (it can be easily built out of R : { , 1 } * { , 1 } ). To sign m , compute h = H ( m ), and = h d mod n . To verify, compute h = H ( m ) and check if it equals e mod n . More generally, let { f i : D i D i } be a trapdoor permutation family (such a family comes with the following probabilistic polynomial-time algorithms: the algorithm GenT to generate i and trapdoor t , an algorithm to compute f i ( x ) given i and x D i , and an algorithm to compute f- 1 i ( y ) given t and y ). Let H : { , 1 } * D i denote the random oracle. Let Full Domain Hash (FDH) be the following signature scheme: Gen picks a trapdoor permutation: runs GenT to generate PK = i and SK = t Sig(SK , m ) computes and outputs s = f- 1 i ( H ( m )) Ver(PK , m, s ) checks if f ( s ) = H ( m ) Theorem 1 ([BR93]). Full Domain Hash is secure in the random oracle model. Proof. We will show security by reduction to the one-wayness of f . Indeed, suppose F is a forger for FDH. Then we will build an inverter Inv for f . Given an index i and a random value y D i , Inv has to find f- 1 i ( y ). Suppose F asks q hash hash queries a 1 , . . . , a q hash and q sig signature queries m 1 , . . . , m q sig , and then outputs a forgery ( m, s ). Without loss of generality, assume that before m j is queried to a signing oracle, it is queried to the hash oracle (if not, Inv can perform the query to the hash oracle itself before it answers the signing query). Same for the final forgery m : assume that before being output, it is queried to the hash...
View Full Document

Page1 / 5

notes-10 - Leo Reyzin. Notes for BU CAS CS 538. 1 10 More...

This preview shows document pages 1 - 2. Sign up to view the full document.

View Full Document Right Arrow Icon
Ask a homework question - tutors are online