CSE442T Introduction to Cryptography (Lecture 20)

Chapter 5: Authentication

Construction of CRHF (Collision Resistant Hash Function)

Let $h: \{0, 1\}^{n+1} \to \{0, 1\}^n$ be a CRHF.

Base on the discrete log assumption, we can construct a CRHF $H: \{0, 1\}^{n+1} \to \{0, 1\}^n$ as follows:

$Gen(1^n):(g,p,y)$

$p\in \tilde{\Pi}_n(p=2q+1)$

$g$ generator for group of sequence $\mod p$ (G_q)

$y$ is a random element in $G_q$

$h_{g,p,y}(x,b)=y^bg^x\mod p$ , $y^bg^x\mod p \in \{0,1\}^n$

$g^x\mod p$ if $b=0$ , $y\cdot g^x\mod p$ if $b=1$ .

Under the discrete log assumption, $H$ is a CRHF.

It is easy to sample $(g,p,y)$
It is easy to compute
Compressing by 1 bit

Proof

The hash function $h$ is a CRHF

Suppose there exists an adversary $\mathcal{A}$ that can break $h$ with non-negligible probability $\mu$ .

P[(p,g,y)\gets Gen(1^n);(x_1,b_1),(x_2,b_2)\gets \mathcal{A}(p,g,y):y^{b_1}g^{x_1}\equiv y^{b_2}g^{x_2}\mod p\land (x_1,b_1)\neq (x_2,b_2)]=\mu(n)>\frac{1}{p(n)}

Where $y^{b_1}g^{x_1}=y^{b_2}g^{x_2}\mod p$ is the collision of $H$ .

Suppose $b_1=b_2$ .

Then $y^{b_1}g^{x_1}\equiv y^{b_2}g^{x_2}\mod p$ implies $g^{x_1}\equiv g^{x_2}\mod p$ .

So $x_1=x_2$ and $(x_1,b_1)=(x_2,b_2)$ .

So $b_1\neq b_2$ , Without loss of generality, say $b_1=1$ and $b_2=0$ .

$y\cdot g^{x_1}\equiv g^{x_2}\mod p$ implies $y\equiv g^{x_2-x_1}\mod p$ .

We can create a adversary $\mathcal{B}$ that can break the discrete log assumption with non-negligible probability $\mu(n)$ using $\mathcal{A}$ .

Let $g,p$ be chosen and set random $x$ such that $y=g^x\mod p$ .

Let the algorithm $\mathcal{B}$ defined as follows:


function B(p,g,y):
    (x_1,b_1),(x_2,b_2)\gets \mathcal{A}(p,g,y)
    If (x_1,1) and (x_2,0) and there is a collision:
        y=g^{x_2-x_1}\mod p
        return x_2-x_1 for b=1
    Else:
        return "Failed"

P[B\text{ succeeds}]\geq P[A\text{ succeeds}]-\frac{1}{p(n)}>\frac{1}{p(n)}

So $\mathcal{B}$ can break the discrete log assumption with non-negligible probability $\mu(n)$ , which contradicts the discrete log assumption.

So $h$ is a CRHF.

To compress by more, say $h_k:{0,1}^n\to \{0,1\}^{n-k},k\geq 1$ , then we can use $h: \{0,1\}^{n+1}\to \{0,1\}^n$ multiple times.

h_k(x)=h(h(\cdots(h(x)))\cdots)=h^{k}(x)

To find a collision of $h_k$ , the adversary must find a collision of $h$ .

Application of CRHF to Digital Signature

Digital signature scheme on $\{0,1\}^*$ for a fixed security parameter $n$ . (one-time secure)

Use Digital Signature Scheme on $\{0,1\}^{n}$ : $Gen, Sign, Ver$ .
Use CRHF family $\{h_i:\{0,1\}^*\to \{0,1\}^n\}_{i\in I}$

$Gen'(1^n):(pk,sk)\gets Gen(1^n)$ , choose $i\in I$ uniformly at random.

$sk'=(sk,i)$

$Sign'_{sk'}(m):\sigma\gets Sign_{sk}(h_i(m))$ , return $(i,\sigma)$

$pk'=(pk,i)$

$Ver'_{pk'}(m,(i,\sigma)):Ver_{pk}(m,\sigma)$ and $i\in I$

One-time secure:

Given that ( $Gen,Sign,Ver$ ) is one-time secure
$h$ is a CRHF

Then ( $Gen',Sign',Ver'$ ) is one-time secure.

Ideas of Proof

If the digital signature scheme ( $Gen',Sign',Ver'$ ) is not one-time secure, then there exists an adversary $\mathcal{A}$ which can ask oracle for one signature on $m_1$ and receive $\sigma_1=Sign'_{sk'}(m_1)=Sign_{sk}(h_i(m_1))$ .

It outputs $m_2\neq m_1$ and receives $\sigma_2=Sign'_{sk'}(m_2)=Sign_{sk}(h_i(m_2))$ .
If $Ver'_{pk'}(m_2,\sigma_2)$ is accepted, then $Ver_{pk}(h_i(m_2),\sigma_2)$ is accepted and $i\in I$ .

There are two cases to consider:

Case 1: $h_i(m_1)=h_i(m_2)$ , Then $\mathcal{A}$ finds a collision of $h$ .

Case 2: $h_i(m_1)\neq h_i(m_2)$ , Then $\mathcal{A}$ produced valid signature on $h_i(m_2)$ after only seeing $Sign'_{sk'}(m_1)\neq Sign'_{sk'}(m_2)$ . This contradicts the one-time secure of ( $Gen,Sign,Ver$ ).

Many-time Secure Digital Signature

Using one-time secure digital signature scheme on $\{0,1\}^*$ to construct many-time secure digital signature scheme on $\{0,1\}^*$ .

Let $Gen,Sign,Ver$ defined as follows:

$Gen(1^n):(pk,sk)\gets (pk_0,sk_0)

For the first message:

$(pk_1,sk_1)\gets Gen'(1^n)$

$Sign_{sk}(m_1):\sigma_1\gets Sign_{sk_0}(m_1||pk_1)$ , return $\sigma_1'=(1,m_1,pk_1,\sigma_1)$

We need to remember state $\sigma_1'$ and $sk_1$ for the second message.

For the second message:

$(pk_2,sk_2)\gets Gen'(1^n)$

$Sign_{sk}(m_2):\sigma_2\gets Sign_{sk_1}(m_2||pk_0)$ , return $\sigma_2'=(0,m_2,pk_0,\sigma_1')$

We need to remember state $\sigma_2'$ and $sk_2$ for the third message.

…

For the $i$ -th message:

$(pk_i,sk_i)\gets Gen'(1^n)$

$Sign_{sk}(m_i):\sigma_i\gets Sign_{sk_{i-1}}(m_i||pk_{i-1})$ , return $\sigma_i'=(i-1,m_i,pk_{i-1},\sigma_{i-1}')$

We need to remember state $\sigma_i'$ and $sk_i$ for the $(i+1)$ -th message.

$Ver_{pk}:(m_i,(i,m_i,p_k,\sigma_i,\sigma_{i-1}))$ Will need to verify all the states public keys so far.

Ver_{pk_0}(m_1||pk_1, \sigma_1) = \text{ Accept}\\ Ver_{pk_1}(m_2||pk_2, \sigma_2) = \text{ Accept}\\ \vdots\\ Ver_{pk_i}(m_i||pk_i, \sigma_i) = \text{ Accept}

Proof on homework.

Drawbacks:

Signature size and verification time grows linearly with the number of messages.
Memory for signing grows linearly with the number of messages.

These can be fixed.

Question: Note that the signature signing message longer than the public key, which is impossible in Lamport Scheme.