CSE442T Introduction to Cryptography (Lecture 19)

Chapter 5: Authentication

One-Time Secure Digital Signature

Definition 136.2 (Security of Digital Signature)

A digital signature scheme is $(Gen, Sign, Ver)$ is secure if for all n.u.p.p.t. $\mathcal{A}$ , there exists a negligible function $\epsilon(n)$ such that $\forall n\in\mathbb{N}$ ,

P[(pk,sk)\gets Gen(1^n); (m,\sigma)\gets\mathcal{A}^{Sign_{sk}(\cdot)}(1^n); \mathcal{A}\textup{ did not query }m\textup{ and } Ver_{pk}(m,\sigma)=\textup{``Accept''}]\leq \frac{1}{p(n)}+\epsilon(n)

A digital signature scheme is one-time secure if it is secure and the adversary makes only one query to the signing oracle.

Lamport’s One-Time Signature

Given a one-way function $f$ , we can create a signature scheme as follows:

We construct a key pair $(sk, pk)$ as follows:

$sk$ is two list of random bits,

where $sk_0=\{\bar{x_1}^0, \bar{x_2}^0, \ldots, \bar{x_n}^0\}$

and $sk_1=\{\bar{x_1}^1, \bar{x_2}^1, \ldots, \bar{x_n}^1\}$ .

$pk$ is the image of $sk$ under $f$ , i.e. $pk = f(sk)$ .

where $pk_0 = \{f(\bar{x_1}^0), f(\bar{x_2}^0), \ldots, f(\bar{x_n}^0)\}$

and $pk_1 = \{f(\bar{x_1}^1), f(\bar{x_2}^1), \ldots, f(\bar{x_n}^1)\}$ .

To sign a message $m\in\{0,1\}^n$ , we output the signature $Sign_{sk}(m=m_1m_2\ldots m_n) = \{\bar{x_1}^{m_1}, \bar{x_2}^{m_2}, \ldots, \bar{x_n}^{m_n}\}$ .

To verify a signature $\sigma$ on $m$ , we check if $f(\sigma) = pk_m$ .

This is not more than one-time secure since the adversary can ask oracle for $Sign_{sk}(0^n)$ and $Sign_{sk}(1^n)$ to reveal list $pk_0$ and $pk_1$ to sign any message.

We will show it is one-time secure

Ideas of proof:

Say their query is $Sign_{sk}(0^n)$ and reveals $pk_0$ .

Now must sign $m\neq 0^n$ . There must be a 1, somewhere in the message. Say the $i$ th bit is the first 1. then they need to produce $x'$ such that $f(x_i)=f(x_i')$ , which inverts the one-way function.

Proof of one-time security:

Suppose there exists an adversary $\mathcal{A}$ that can produce a valid signature on a different message after one query to oracle with non-negligible probability $\mu>\frac{1}{p(n)}$ .

We will design a function $B$ which use $\mathcal{A}$ to invert the one-way function with non-negligible probability.

Let $x\gets \{0,1\}^n$ be a random variable, $y=f(x)$ .

B: input is $y$ and $1^n$ . Our goal is to find $x'$ such that $f(x')=y$ .

Create 2 lists:

$sk_0=\{x_0^0, x_1^0, \ldots, x_{n-1}^0\}$

$sk_1=\{x_0^1, x_1^1, \ldots, x_{n-1}^1\}$

Then we pick a random $(c,i)\gets \{0,1\}^n\times [n]$ . ( $2n$ possibilities)

Replace $f(x_i^c)$ with $y$ .

Return $sk_c$ with None.

Run $\mathcal{A}$ on input $y$ and $1^n$ . It will query $Sign_{sk}$ on some message $m$ .

Case 1: $m_i=1-c$

We can answer with all of $x_1^{m_1}, x_2^{m_2}, \ldots, x_{1-c}^{m_{1-c}}, \ldots, x_n^{m_n}$

Case 2: $m_i=c$

We must abort we don’t know what to do.

Since $\mathcal{A}$ outputs $(m',\sigma)$ with non-negligible probability, we are hoping that $m_i'=c$ . Then it’s attempting to provide $x\to y$

Since $m'$ differs at most 1 bit from $m$ , we have $x\to y$ with probability $P[m_i'=c]\geq \frac{1}{n}$ .

$\sigma=(x_1^1,x_2^1,\ldots,x_n^1)$

Check if $f(\sigma)=y$ . If so, output $x'$ . (all correct with prob $\geq \frac{1}{p(n)}$ )

If not, try again.

$B$ inverts $f$ with prob $\geq \frac{1}{p(n)}$

Collision Resistant Hash Functions (CRHF)

We now have one-time secure signature scheme.

We want one-time secure signature scheme that increase the size of messages relative to the keys.

Let $H:\{h_i:D_i\to R_i\}_{i\in I}$ be a family of CRHF if

Easy to pick:

$Gen(1^n)$ : outputs $i\in I$ (p,p,t)

Compression

$|R_i|<|D_i|$ for each $i\in I$

Easy to compute:

Can computer $h_i(x),\forall i,x\in D_i$ with a p.p.t

Collision resistant:

$\forall n.u.p.p.t \mathcal{A}$ , $\forall n$ ,

P[i\gets Gen(1^n); (x_1,x_2)\gets \mathcal{A}(1^n,i): h_i(x_1)=h_i(x_2)\land x_1\neq x_2]\leq \epsilon(n)

CRHF implies one-way function.

But not the other way around. (CRHF is a stronger notion than one-way function.)