Confined Guessing: New Signatures From Standard Assumptions

Transcription

1 Confned Guessng: New Sgnatures From Standard Assumptons Floran Böhl 1, Denns Hofhenz 1, Tbor Jager 2, Jessca Koch 1, and Chrstoph Strecks 1 1 Karlsruhe Insttute of Technology, Germany, {floran.boehl,denns.hofhenz,jessca.koch,chrstoph.strecks}@kt.edu 2 Ruhr-Unverstät Bochum, Germany, tbor.jager@rub.de Abstract We put forward a new technque to construct very effcent and compact sgnature schemes. Our technque combnes several nstances of an only mldly secure sgnature scheme to obtan a fully secure scheme. Snce the mld securty noton we requre s much easer to acheve than full securty, we can combne our strategy wth exstng technques to obtan a number of nterestng new (stateless and fully secure) sgnature schemes. Concretely, we get: A scheme based on the computatonal Dffe-Hellman (CDH) assumpton n parngfrendly groups. Sgnatures contan O(1) and verfcaton keys O(log k) group elements, where k s the securty parameter. Our scheme s the frst fully secure CDH-based scheme wth such compact verfcaton keys. A scheme based on the (non-strong) RSA assumpton n whch both sgnatures and verfcaton keys contan O(1) group elements. Our scheme s sgnfcantly more effcent than exstng RSA-based schemes. A scheme based on the Short Integer Solutons (SIS) assumpton. Sgnatures contan O(log(k) m) and verfcaton keys O(n m) Z p -elements, where p may be polynomal n k, and n, m denote the usual SIS matrx dmensons. Compared to state-of-the-art SIS-based schemes, ths gves very small verfcaton keys, at the prce of slghtly larger sgnatures. In all cases, the nvolved constants are small, and the arsng schemes provde sgnfcant mprovements upon state-of-the-art schemes. The only prce we pay s a rather large (polynomal) loss n the securty reducton. However, ths loss can be sgnfcantly reduced at the cost of an addtve term n sgnature and verfcaton key sze. Keywords: dgtal sgnatures, CDH assumpton, parng-frendly groups, RSA assumpton, SIS assumpton. 1 Introducton Generc and non-generc sgnature schemes. Dgtal sgnature schemes can be bult from any one-way functon [24, 27, 28]. However, ths generc constructon s not partcularly effcent. (For nstance, each sgnature contans O(k 2 ) premages.) One could hope that for concrete assumptons (such as the RSA or Dffe-Hellman-related assumptons), t s possble to derve much more effcent schemes. Tree-based sgnatures. But whle ndeed there exsts a varety of effcent sgnature schemes from concrete assumptons, there are surprsngly few dfferent techncal paradgms. For nstance, early RSA-based sgnature schemes (such as [16, 11, 12]) follow a tree-based approach, Supported by MWK grant MoSeS. Part of work performed whle at KIT and supported by DFG grant GZ HO 4534/2-1. Supported by BMBF project KASTEL.

2 much lke the generc constructon from [27, 28]. Also later schemes (e.g., [13] and ts varants [14, 22, 17], or [20]) can at least be seen as heavly nspred by earler tree-based schemes. For nstance, [13] can be seen as a more effcent varant of the scheme from [12] wth an extremely flat tree, at the prce of a stronger computatonal assumpton. On the other hand, the scheme from [20] can be vewed as a tree-based scheme n whch sgnatures are aggregated and thus become very compact. Parttonng strateges. A second class of sgnature schemes tres to enable a parttonng strategy durng the securty proof (e.g., [9, 34, 17, 6]). (Ths means that durng the securty proof, the set of messages s parttoned nto those that can be sgned by the smulator, and those that cannot.) At least outsde of the random oracle model, currently known nstantatons of parttonng strateges rely on certan algebrac structures, and lead to comparatvely large publc keys. More specfc schemes. Fnally, there are a number of very effcent sgnature schemes (e.g., [5, 33]) wth specfc requrements. For nstance, the scheme of [5] reles on a specfc (and somewhat nonstandard) computatonal assumpton, and the scheme of [33] nherently requres a decsonal (as opposed to a search) assumpton. Whle we focus on the standard model, we note that there are also very effcent schemes wth a heurstc proof,.e., a proof n the random oracle model (e.g., [2]). 1.1 Our Contrbuton In ths work, we present a new paradgm for the constructon of effcent sgnature schemes from standard computatonal assumptons. The techncal dffculty. We beleve that one of the man dffcultes n constructng sgnature schemes s the followng. Namely, n the standard securty experment for dgtal sgnatures, an adversary A wns f t generates a sgnature for a (fresh) message of hs own choce. If we use A n a straghtforward way as a problem-solver n a securty reducton to a computatonal assumpton, A tself may select whch nstance of the partcular problem t s gong to solve (by choosng the forgery message). Note that we cannot smply guess whch nstance A s gong to solve, snce there usually wll be superpolynomally many possble messages (and thus problem nstances). 1 Our man dea. We now explan the man dea behnd our approach. As a steppng stone, we ntroduce a very mld form of securty for sgnature schemes that s much easer to acheve than full (.e., standard) securty. Intutvely, the mld securty experment forces an adversary to essentally commt to a crucal part of the forgery before even seeng the verfcaton key. Durng a securty reducton, ths allows to embed a computatonal problem nto the verfcaton key that s talored specfcally to the adversary s forgery. In partcular, we do not have to rely on strong assumptons to acheve mld securty. Indeed, we present very effcent mldly secure schemes based on the computatonal Dffe-Hellman (CDH) assumpton (n parng-frendly groups), the RSA assumpton, and the Short Integer Solutons (SIS) assumpton. These constructons are bascally strpped-down versons of known (fully secure) stateful [21] and stateless [6] schemes. The heart of our work s a very smple and effcent constructon of a fully secure sgnature scheme from log(k) nstances of a mldly secure one. Note that we only use logarthmcally many mldly secure nstances. In contrast, the related but techncally very dfferent prefxguessng technque of Hohenberger and Waters [20, 27, 7], uses k nstances of a less secure scheme. Furthermore, the sgnature schemes that result from our transformaton can often be optmzed (e.g., usng aggregaton of sgnatures or verfcaton keys). Concretely, f we use our 1 There are more clever ways of embeddng a computatonal problem nto a sgnature scheme (e.g., parttonng [9, 34]). These technques however usually requre specal algebrac features such as homomorphc propertes or parng-frendly groups. For nstance, parttonng s not known to apply n the (standard-model) RSA settng. 2

3 transformaton on the mldly secure schemes mentoned above, and optmze the result, we end up wth extremely effcent new sgnature schemes from standard assumptons. More on our technques. We now explan our transformaton n a lttle more detal. We start out wth a tag-based sgnature scheme that satsfes only a very mld form of securty. In a tag-based sgnature scheme, sgnatures carry a tag t that can be chosen freely durng sgnature tme. In our mld securty experment, the adversary A must ntally (.e., non-adaptvely) specfy all messages M t wants sgned, along wth correspondng parwse dfferent tags t. After recevng the verfcaton key and the requested sgnatures, A s then expected to forge a sgnature for a fresh message M, but wth respect to a recycled tag t = t (that was already used for one of the ntally sgned messages). Mld securty thus forces A to choose the tag t of hs forgery from a small set {t } of possble tags. In a securty proof, we can smply guess t = t wth sgnfcant probablty, and embed a computatonal problem that s specfcally talored towards t nto the verfcaton key. 2 How ths embeddng s done depends on the specfc settng; for nstance, n the CDH settng, t can be used to program a Boneh-Boyen hash functon [4]. In fact, Hohenberger and Waters [21] use such a programmng to construct a very effcent stateful sgnature scheme. A sgnature n our fully secure scheme conssts of log(k) sgnatures (σ ) log(k) =1 of a mldly secure scheme. (In some cases, these sgnatures can be aggregated.) The -th sgnature component σ s created wth tag chosen as unform 2 -bt strng. Hence, tag-collsons (.e., multply used tags) are lkely to occur after a few sgnatures n nstances wth small, whle nstances wth larger wll almost never have tag-collsons. We wll reduce the (full) securty of the new scheme genercally to the mld securty of the underlyng scheme. When reducng a concrete (full) adversary B to a mld adversary A, we wll frst sngle out an nstance such that (a) the set of all tags s polynomally small (so we can guess the -th challenge tag t n advance), and (b) tag-collsons occur only wth suffcently small (but possbly non-neglgble) probablty n an attack wth A (so only a constant number of t -sgnatures wll have to be generated for A). Ths nstance s the challenge nstance, and all other nstances are smulated by A for B. 3 Any vald forgery of B must contan a vald sgnature under nstance wth 2 -bt tag. Hence any B-forgery mples an A-forgery. The bottleneck of our transformaton s the securty reducton. Concretely, f B makes q sgnature queres and forges wth success probablty ε, A wll make up to Q = O(q 4 /ε) sgnature queres and have success ε/2. (One squarng s caused by a brthday bound when hopng for few tag-collsons; another squarng may occur when we have to round up to the next nteger.) Ths securty loss s annoyng, but can be sgnfcantly reduced by usng technques from [17]. Namely, by frst applyng a sutable weakly programmable hash functon to tags, we can allow m-fold tag-collsons n the sgnatures prepared for B, at the cost of an extra m group elements n verfcaton key and sgnatures. Orthogonally, we can use c -bt tags wth 1 < c < 2 (nstead of 2 -bt tags) n the -th mldly secure nstance to get a fner-graned growth of possble tag sets. Ths costs a multplcatve factor of 1/ log 2 (c) n verfcaton key and sgnature sze, of course unless aggregaton s possble. Wth these measures, the securty reducton mproves consderably: A wll make Q = O(q c+c/m /ε c/m ) sgnature queres and have success ε/2. Varyng c and m gves thus an nterestng tradeoff between effcency and qualty of the securty reducton. Effcency comparson. The most effcent prevous CDH-based sgnature scheme [34] has sgnatures and publc keys of sze O(1), resp. O(k) group elements. Our CDH-based scheme also has constant-szed sgnatures, and more compact publc keys. Concretely, we can get publc keys of O(log(k)) group elements at the prce of a worse securty reducton. Our RSA-based 2 Snce we guess t from a small set of possble tags, we call our technque confned guessng. 3 Ths neglects a subtlety: A must specfy the messages to be sgned for the -th nstance n advance, whle B expects to make adaptve sgnng queres. Ths dfference can be handled usng standard technques (.e., chameleon hashng [23]). 3

4 scheme has smlar key and sgnature szes as exstng RSA-based schemes [20, 18], but requres sgnfcantly fewer (.e., only O(log(k)) nstead of O(k), resp. O(k/ log(k)) many) generatons of large prmes. Agan, ths mprovement s bought wth a worse securty reducton. Our SISbased scheme offers an alternatve to the exstng scheme of [6]. Concretely, our scheme has larger (by a factor of log(k)) sgnatures and a worse securty reducton, but sgnfcantly smaller (by a factor of k/ log(k)) publc keys. On a related result by Seo. In an ndependent work, Seo [30] constructs essentally the same CDH-based scheme, however wth a very dfferent securty analyss. Hs analyss s much tghter than ours, and for concrete securty parameters, hs scheme s more effcent. At the same tme, Seo only proves a bounded form of securty n whch the number of adversaral sgnature queres has to be known at the tme of key generaton. The merged paper [3] presents both hs and our own analyss. 2 Prelmnares Notaton. For n R, let [n] := {1,..., n }. Throughout the paper, k N denotes the securty parameter. For a fnte set S, we denote by s S the process of samplng s unformly from S. For a probablstc algorthm A, we wrte y A(x) for the process of runnng A on nput x wth unformly chosen random cons, and assgnng y the result. If A s runnng tme s polynomal n k, then A s called probablstc polynomal-tme (PPT). A functon f : N R 0 s neglgble f t vanshes faster than the nverse of any polynomal (.e., f c k 0 k k 0 : f(k) 1/k c ). On the other hand, f s sgnfcant f t domnates the nverse of some polynomal (.e., f c, k 0 k k 0 : f(k) 1/k c ). Defnton 2.1 (Sgnature scheme). A sgnature scheme SIG wth message space M k conssts of three PPT algorthms: Setup. The setup algorthm Gen(1 k ), gven the securty parameter 1 k n unary, outputs a publc key pk and a secret key sk. Sgn. The sgnng algorthm Sg(sk, M), gven the secret key sk and a message M M k, outputs a sgnature σ. Verfy. Gven the publc key pk, a message M, and a sgnature σ, Ver(pk, M, σ) outputs a bt b {0, 1}. (The case b = 1 corresponds to a vald sgnature on the message, and the case b = 0 means nvald.) For correctness, we requre for any k N, all (pk, sk) Gen(1 k ), all M M k, and all σ Sg(sk, M) that Ver(pk, M, σ) = 1. Defnton 2.2 ((Dstnct-message) exstental unforgeablty under (non-adaptve) chosen-message attacks). We say a sgnature scheme s exstental unforgeable under chosen-message attacks (EUF-CMA) or exstental unforgeable under dstnct-message non-adaptve chosenmessage attacks (EUF-dnaCMA) ff Adv euf-cma SIG,F (k) := Pr [ Exp euf-cma SIG,F (k) = 1 ] [ ] and Adv euf-dnacma SIG,F (k) := Pr Exp euf-dnacma SIG,F (k) = 1, respectvely, are neglgble for any PPT adversary F, where Exp euf-cma SIG,F (k) and Expeuf-dnacma SIG t,f (k), respectvely, are defned n Fgure 1. Pseudorandom functons. For any set S a pseudorandom functon (PRF) wth range S s an effcently computable functon PRF S : {0, 1} k {0, 1} S. We may also wrte PRF S κ(x) for PRF S (κ, x) wth key κ {0, 1} k. Addtonally we requre that [ Adv prf Pr (k) := A PRFS PRF S κ ( ) = 1 for κ {0, 1} k] [ Pr A US( ) = 1],A 4

5 Experment Exp euf-cma SIG,F (k) (pk, sk) Gen(1 k ) (M, σ ) F Sg(sk, ) (pk) f Ver(pk, M, σ ) = 1 and F has not quered Sg(sk, M ) then return 1, else return 0 Experment Exp euf-dnacma SIG,F (k) (M ) F (k) (pk, sk) Gen(1 k ) σ Sg(sk, M ), for all [q] (M, σ ) F (pk, σ 1,..., σ q ) f Ver(pk, M, σ ) = 1 and j : M M j and M {M } then return 1, else return 0 Fgure 1: EUF-CMA and EUF-dnaCMA experment for sgnature schemes. s neglgble n k where U S s a truly unform functon to S. Note that for any effcently samplable set S wth unform samplng algorthm Samp we can genercally construct a PRF wth range S from a PRF PRF {0,1}k by usng the output of PRF κ {0,1}k as random cons for Samp. Followng ths prncple we can construct (PRF S ) [n] for a famly of sets (S ) [n] from a sngle PRF PRF {0,1}k wth suffcently long output (hence we need only one key κ). Chameleon hashng. A chameleon hash scheme conssts of two PPT algorthms (CHGen, CHTrapColl). CHGen(1 k ) outputs a tuple (CH, τ) where CH s the descrpton of a effcently computable chameleon hash functon CH : M R N whch maps a message M and randomness r to a hash value CH(M, r). We requre collson-resstance n the sense that t s nfeasble to fnd (M, r) (M, r ) wth CH(M, r) = CH(M, r ). However, the trapdoor τ allows to produce collsons n the followng sense: gven arbtrary M, r, M, CHTrapColl(τ, M, r, M ) fnds r wth CH(M, r) = CH(M, r ). We requre that the dstrbuton of r s unform gven only CH and M. 3 Tag-based Sgnatures: From Mld to Full Securty We now descrbe our man result: a generc transformaton from mldly secure tag-based sgnature schemes to fully secure schemes. Let us frst defne the noton of tag-based sgnature schemes. Defnton 3.1. A tag-based sgnature scheme SIG t = (Gen t, Sg t, Ver t ) wth message space M k and tag space T k conssts of three PPT algorthms. The key generaton algorthm (pk, sk) Gen t (1 k ) takes as nput a securty parameter and outputs a key par (pk, sk). The sgnng algorthm σ Sg t (sk, M, t) computes a sgnature σ on nput a secret key sk, message M, and tag t. The verfcaton algorthm Ver t (pk, M, σ, t) {0, 1} takes as nput a publc key pk, message M, sgnature σ, and a tag t, and outputs a bt. For correctness, we requre for any k N, all (pk, sk) Gen t (1 k ), all M M k, all t T k, and all σ Sg t (sk, M, t) that Ver t (pk, M, σ, t) = 1. We defne a mld securty noton for tag-based schemes, dubbed EUF-dnaCMA m securty, whch requres an adversary F to ntally specfy all (dstnct) messages M t wants sgned, along wth correspondng tags t. Only then, F gets to see a publc key, and s subsequently expected to produce a forgery for an arbtrary fresh message M, but wth respect to an already used tag t {t }. As a slghtly techncal (but crucal) requrement, we only allow F to ntally specfy at most m messages M wth tag t = t. We call m the tag-collson parameter; t nfluences key and sgnature szes, and the securty reducton. 5

6 Gen(1 k ) (pk, sk) Gen t (1 k ) κ {0, 1} k pk := (pk, κ) return (pk, sk) Sg(sk, M) t := PRF T κ (M) for [l] σ Sg t (sk, M, t ) return σ := (σ ) l =1 Ver((pk, κ), σ = (σ ) l =1, M) t := PRF T κ (M) for [l] return l =1 Ver t (pk, M, σ, t ) Fgure 3: Our EUF-dnaCMA secure sgnature scheme. Defnton 3.2 (EUF-dnaCMA m). Let m N. A tag-based sgnature scheme SIG t s exstentally unforgeable under dstnct-message non-adaptve chosen-message [ attacks wth m-fold tagcollsons (short: EUF-dnaCMA m secure) ff Adv euf-dnacma m ] SIG t,f (k) := Pr Exp euf-dnacma m SIG t,f (k) = 1 s neglgble for any PPT adversary F. Here, experment Exp euf-dnacma m SIG t,f (k) s defned n Fgure 2. In ths secton, we wll show how to use an EUF-dnaCMA m secure scheme SIG t to buld an EUFdnaCMA secure scheme SIG. (Full EUF-CMA securty can then be acheved usng a chameleon hash functon [23].) To ths end, we separate the tag space T k nto l := log c (k) parwse dsjont sets T, such that T = 2 c. Here c > 1 s a granularty parameter that wll affect key and sgnature szes, and the securty reducton. For nstance, f c = 2 and T k = {0, 1} k, then we may set T := {0, 1} 2. The constructed sgnature scheme SIG assgns to each message M a vector of tags (t 1,..., t l ), where each tag s derved from the message M by applyng a pseudorandom functon as t := PRF T κ (M). The PRF seed κ s part of SIG s publc key. 4 A SIG-sgnature s of the form σ = (σ ) l =1, where each σ Sg t (sk, M, t ) s a sgnature accordng to Experment Exp euf-dnacma m SIG t,f (k) (M j, t j ) j F (1 k ) (pk, sk) Gen t (1 k ) σ j Sg t (sk, M j, t j ) for all j (M, σ, t ) F (pk, (σ j ) j ) f Ver t (pk, M, σ, t ) = 1 and j : M M j and M / {M j } j and {j : t j = t } m and t {t j } j then return 1, else return 0 Fgure 2: EUF-dnaCMA m experment for tag-based sgnature schemes. SIG t wth message M and tag t. Ths sgnature s consdered vald f all σ are vald w.r.t. SIG t. The crucal dea s to defne the sets T of allowed tags as sets quckly growng n. Ths means that (m + 1)-tag-collsons (.e., the same tag t beng chosen for m + 1 dfferent sgned messages) are very lkely for small, but become quckly less lkely for larger. Concretely, let SIG t = (Gen t, Sg t, Ver t ) be a tag-based sgnature scheme wth tag space T k = l =1 T, let m N and c > 1, and let PRF be a PRF. SIG s descrbed n Fgure 3. It s straghtforward to verfy SIG s correctness. Before turnng to the formal proof, we frst gve an ntuton why SIG s EUF-dnaCMA secure. We wll map an adversary F on SIG s EUF-dnaCMA securty to an adversary F on SIG t s EUF-dnaCMA m securty. Intutvely, F wll nternally smulate the EUF-dnaCMA securty experment for F and embed ts own SIG t - nstance (wth publc key pk ) n the SIG-nstance of F by settng pk := (pk, κ). Addtonally, the seed κ for PRF s chosen nternally by F. Say that F makes q = q(k) (non-adaptve) sgnng requests for messages M 1,..., M q. To answer these q requests, F can obtan sgnatures under pk from ts own EUF-dnaCMA m experment. The correspondng tags are chosen as n SIG, as t (j) = PRF T κ (M j ). Once F 4 It wll become clear n the securty proof that actually a functon wth weaker securty propertes than a fully-secure PRF s suffcent for our applcaton. However, we stck to standard PRF securty for smplcty. Thanks to an anonymous revewer for pontng ths out. 6

7 produces a forgery σ = (σ )l =1, F wll try to use σ (wth tag t = PRFT κ (M ) for some appropate [l]) as ts own forgery. Indeed, σ wll be a vald SIG t-forgery (n the EUF-dnaCMA m experment) f (a) F dd not ntally request sgnatures for more than m messages for the forgery tag t, and (b) t already appears n one of F s ntal sgnature requests. Our techncal handle to make ths event lkely wll be a sutable choce of. Frst, recall that the -th sgnature σ uses c -bt tags. We wll hence choose such that () the probablty of an (m + 1)-tag-collson among the t (j) s sgnfcantly lower than F s success probablty (so F wll sometmes have to forge sgnatures when no (m + 1)-tag collson occurs), and () T = 2 c s polynomally small (so all tags n T can be ntally quered by F ). We turn to a formal proof: Theorem 3.3. If PRF s a PRF and SIG t s an EUF-dnaCMA m secure tag-based sgnature scheme, then SIG s EUF-dnaCMA secure. Concretely, let F be an EUF-dnaCMA forger on SIG that makes q = q(k) sgnature queres and has advantage ε := AdvSIG,F euf-dnacma (k) wth ε > 1/p(k) for nfntely many k N. Then there exsts an EUF-dnaCMA m forger F on SIG t that makes ( ) q (k) 2 2 q m+1 c/m ε(k) + l q sgnature queres and has advantage ε := Adv euf-dnacma m SIG t,f (k), and a PRF dstngusher wth advantage ε PRF such that ε ε/2 ε PRF p (k) M k for nfntely many k, where p (k) s a sutable polynomal, and M k denotes SIG t s (and thus SIG s) the message space. Proof. Setup and sgn. Frst, F receves messages M 1,..., M q from F. F chooses the challenge nstance such that the probablty of an (m + 1)-tag collson s at most ε(k)/2,.e., such that [ ] Pr dstnct j 0,..., j m [q] wth t (j 0) = = t(jm) ε(k) 2, (1) (where the probablty s over ndependently chosen t (j) T ), and such that T s polynomal n k. 5 We wll prove n Lemma 3.5 that ( ( ) 2 q m+1 1/m ) := log c log 2 ε(k) s an ndex that fulflls these condtons. F then chooses a PRF key κ {0, 1} k. Recall that a sgnature σ = (σ 1,..., σ l ) of SIG conssts of l sgnatures of SIG t. In the sequel we wrte σ (j) = (σ (j) 1,..., σ(j) l ) to denote the SIG-sgnature for message M j, for all j {1,..., q}. Adversary F uses ts sgnng oracle provded from the SIG t -securty experment to smulate these SIG-sgnatures. To ths end, t proceeds as follows. In order to smulate all sgnatures σ (j) wth, F computes t (j) := PRF T κ (M j ) and defnes message-tag par (M j, t (j) ). F wll later request sgnatures for these (l 1) q messagetag pars from ts EUF-dnaCMA m-challenger. Note that t (j) T for all, snce the sets T 1,..., T l are parwse dsjont. To compute the -th SIG t -sgnature σ (j) contaned n σ(j), F proceeds as follows. Frst t computes t (j) := PRFT κ (M j ) for all j {1,..., q}. If an (m + 1)-fold tag-collson occurs, then 5 There s a subtlety here, snce we assume to know ε(k). To obtan a black-box reducton, we can guess log 2 (ε(k)) whch would result n an addtonal securty loss of a factor k n the reducton. 7

8 F aborts. Ths defnes q more message-tag-pars (M j, t j ) for j {1,..., q}. Note that the lst (t (1),..., t(q) ) need not contan all elements of T, that s, t mght hold that T \ {t(j) } j. If ths happens, then F chooses for each so far unused tag t T \ {t(j) } j a dfferent unformly selected dummy message M t M k \ {M j } j. (Here we mplctly assume that M k > m( T 1), whch guarantees that suffcently many dstnct dummy messages can be chosen.) Ths defnes no more than T further message-tag-pars (M, t) for each t T \{t(1),..., t(q) }. We do ths snce F has to re-use an already quered tag for a vald forgery later and F does not know at ths pont whch tag F s gong to use n hs forgery later. Fnally F requests sgnatures for all message-tag-pars from ts challenger, and receves n return sgnatures σ (j) for all j, as well as a publc key pk. (The number of requested sgnatures s at most T + q l, whch can be bounded as clamed usng Lemma 3.5.) F defnes pk := (pk, κ) and hands (pk, σ (1),..., σ (q) ) to F. Note that each σ (j) s a vald SIG-sgnature for message M j. Extracton. Suppose that F eventually forges a sgnature σ = (σ )l =1 for a fresh message M {M 1,..., M q }. If M s a prevously selected dummy message, then F aborts. Otherwse t forwards (M, σ, PRFT κ (M )) to the challenger of the EUF-dnaCMA m securty experment. Ths concludes the descrpton of F. Analyss. We now turn to F s analyss. Let bad abort be the event that F aborts. It s clear that F successfully forges a sgnature whenever F does so and bad abort does not occur. Note that the dummy messages M are ndependent of the vew of F, thus M s a dummy message wth probablty at most T /( M k m T ). Furthermore, by Lemma 3.5, there s a polynomal p (k) wth m T p (k). Hence, there s another polynomal p (k), such that the probablty that M s a dummy message s at most p (k)/ M k. Hence, to prove our theorem, t suffces to show that Pr [bad abort ] ε/2+ε PRF +p (k)/ M k, snce ths leaves a non-neglgble advantage for F. Frst note that the probablty of an (m + 1)-tag collson would be at most ε/2 by (1) f the tags t (j) were chosen truly unformly and ndependently from T. Now recall that the actual choce of the t (j) = PRFT κ (M j ) was performed n a way that uses PRF only n a black-box way. Hence, f (m + 1)-tag collsons (and thus bad abort ) occurred sgnfcantly more often than wth truly unform tags, we had a contradcton to PRF s pseudorandomness. (Note that ths mplctly uses that all messages M j quered by F are dstnct and thus lead to dfferent PRF queres.) Concretely, a PRF dstngusher that smulates F untl the decson to abort s made shows Pr [bad abort ] ε/2 + ε PRF + p (k)/ M k, and thus the theorem. In order to obtan a fully EUF-CMA secure sgnature scheme, one may combne our EUFdnaCMA secure scheme wth a sutable chameleon hash functon or a one-tme sgnature scheme. Ths s a very effcent standard constructon, see for nstance [20, Lemma 2.3] for detals. 6 However, we wll gve more concrete optmzed and fully secure schemes later on. We now turn to the analyss of selectng the challenge ndex. For ths, the followng Lemma 3.4 wll be helpful. Lemma 3.4 ([18], Lemma 2.3). Let A be a set wth A = a. Let X 1,..., X q be q ndependent random varables, takng unformly random values from A. Then the probablty that there exst m + 1 parwse dstnct ndces 1,..., m+1 such that X 1 = = X m+1 s upper bounded by q m+1 a m. 6 Techncally, [20, Lemma 2.3] assumes an EUF-naCMA secure scheme (that s, one whch s secure aganst nonadaptve attacks wth not necessarly dstnct sgned messages). However, t s easy to see that the correspondng reducton to EUF-naCMA securty actually leads to a dstnct-message attack wth overwhelmng probablty. (In a nutshell, the EUF-naCMA secure scheme s used to sgn honestly and ndependently generated chameleon hash mages, resp. sgnature verfcaton keys. The probablty for a collson of two such keys must be neglgble by the securty of these buldng blocks.) 8

9 Lemma 3.5. In the stuaton n Theorem 3.3, ( ( ) 2 q m+1 1/m ) := log c log 2 ε(k) (2) s an ndex that guarantees (1) and T p (k) for a sutable polynomal p (k) and all k N wth ε(k) 1/p(k). Proof. From Lemma 3.4, we obtan [ ] Pr dstnct j 0,..., j m wth t (j 0) = = t(jm) Furthermore, T (2) = 2 c 2 2 c log 2 ((2qm+1 /ε(k)) 1/m) = 2 whch s bounded by a sutable polynomal p (k). 4 Our CDH-based Scheme qm+1 T m = ( 2q m+1 ε(k) qm+1 2 m c (2) ( qm+1 2q m+1 ε(k) ) = ε(k) 2. ) c/m ε(k) 1/p(k) 2 (2p(k)q m+1) c/m, In ths secton we construct a fully EUF-CMA-secure sgnature scheme based on the CDH assumpton. We start wth constructng a tag-based scheme, whch s derved from the stateful CDH-based scheme of Hohenberger and Waters [21], and prove t EUF-dnaCMA m-secure. Then we can apply our generc transformaton from Secton 3 to acheve full EUF-CMA securty. Fnally, we llustrate some optmzatons that allow us to reduce the sze of publc keys and sgnatures, for nstance by aggregaton. Our scheme s the frst fully secure CDH-based sgnature scheme wth such compact publc keys. Defnton 4.1 (CDH assumpton). We say that the Computatonal Dffe-Hellman (CDH) assumpton holds n a group G of order p ff Adv cdh G,F (k) := Pr [ F (1 k, g, g a, g b ) = g ab] s neglgble for any PPT adversary F, where g G and a, b Z p are unformly chosen. CDH Constructon. The sgnature scheme SIG CDH descrbed n Fgure 4 s derved from the CDH-based scheme of [21], but wth two modfcatons. Frst, we substtute the mplct chameleon hash functon u m v r used n [21] wth a product u M = m =0 um. Second, we omt the w log(t) -factor n the Boneh-Boyen hash functon whch smplfes ths part to (z t h) s. From now on, we assume that G and G T are groups of prme order and e : G G G T s an effcently computable non-degenerate blnear map,.e., e(g, g) 1 for g 1 and e(g a, g b ) = e(g, g) ab for a, b Z. Our message space n ths constructon s M = Z p. (Techncally, f G s not fxed for a gven securty parameter, then a fxed message message space can be, e.g., Z 2 l, where 2 l lower bounds all possble p = G for ths securty parameter.) Theorem 4.2. If the CDH assumpton holds n G, then the scheme SIG CDH from Fgure 4 s EUF-dnaCMA m-secure. Let F be a PPT adversary wth advantage ε := Adv euf-dnacma m(k) SIG CDH,F askng for q := q(k) sgnatures, then t can be used to solve a CDH challenge wth probablty at least ε/q, where q denotes the number of dstnct tags quered by F. Proof. Publc key setup. The smulaton receves a CDH-Challenge (g, g a, g b ) and pars (M, t ) [q] for whch the adversary F asks for sgnatures. We frst guess an ndex [q] for whch we suppose F wll forge a sgnature on a fresh message M / {M } but wth t = t. The adversary F queres q = q =1 m > 0 sgnatures for messages wth tags where q s the 9

10 Gen t (1 k ) Choose G s.t. p := G > 2 k a Z p g, u 0,..., u m, z, h G sk := a pk := (g, g a, u 0,..., u m, z, h) return (pk, sk) Sg t (sk, M, t) s Z p u M := m =0 u M σ 1 := (u M ) a (z t h) s σ 2 := g s return ( σ 1, σ 2 ) Ver t (pk, M, σ = ( σ 1, σ 2 ), t) f t T k return 0 f e( σ 1, g) e(u M, g a )e(z t h, σ 2 ) return 0 else return 1 Fgure 4: The modfed Hohenberger-Waters CDH-based sgnature scheme SIG CDH [21]. number of dstnct tags (t ) [q ] and m the number of messages quered for tag t. Durng the smulaton, we defne by Mj, j = 1,..., m, the correspondng messages for tag t. Usng these, we construct a polynomal f(x) := m =1 (X M ) = m =0 d X Z p [X] for some approprate coeffcents d 0,..., d m Z p. In partcular, for m = 0 we have 0 =1 (X M ) = 1. Next, we set up the publc key for F by frst choosng random r 0,..., r m, x z, x h Z p and then set u := (g b ) d g r, = 0,..., m, where d = 0 for > m, z := g b g xz, and h := g bt g x h. The smulaton outputs pk := (g, g a, u 0,..., u m, z, h) and mplctly sets the secret key as sk := a. We set r(x) := m =0 r X so we can wrte u M = g bf(m)+r(m). Sgnng. Now, there are two cases we have to consder when F asks for a sgnature on (M, t ). If t = t and thus M = Mj for some j = 1,..., m, we can compute a vald sgnature as follows: We choose a random s Z p and set σ := ( σ 1,, σ 2, ), where We verfy ths by usng that f(mj ) = 0,.e., σ 1, = (g a ) r(m j ) (z t h) s, σ 2, = g s. σ 1, = (g a ) r(m j ) (z t h) s = (g bf(m j ) g r(m j ) ) a (z t h) s = (u M j ) a (z t h) s. If t t then, followng the orgnal Boneh-Boyen smulaton, choose a random s Z p and set S := g s /(g a ) f(m )/(t t ) = g s af(m )/(t t ). We compute our vald sgnature σ := ( σ 1,, σ 2, ) as follows: σ 1, = (g a ) r(m ) S xzt +x h (g b ) s (t t ), σ 2, = S. Thus, mplctly, we set the randomness s = s af(m )/(t t ) and obtan S = g s. We verfy by showng that σ 1, = (g a ) r(m ) S xzt +x h (g b ) s (t t ) = (g r(m ) ) a (g xzt g x h ) s (g b ) s (t t ) = (g ab ) f(m ) (g r(m ) ) a (g xzt g x h ) s (g b ) s (t t ) (g ab ) f(m ) = ((g bf(m )+r(m ) ) a (g xzt g x h ) s (g b(t t ) ) s = (u M ) a ((g b+xz ) t (g bt +x h )) s = (u M ) a (z t h) s. Extract from forgery. The adversary F responds wth (M, σ, t ) for some tag t {t 1,..., t q } and σ = ( σ 1, σ 2 ). We abort f σ s not a vald forgery. Otherwse, snce the verfcaton equaton holds, we have σ 1 = (u M ) a (z t h) s, σ 2 = g s. 10

11 Gen(1 k ) Choose G s.t. p := G > 2 k a Z p g, w, h, u 0,..., u m, z 1,..., z l G κ {0, 1} k sk := (g, w, a) pk := (g, w, g a, (u j ) m j=0, (z ) l =1, h, κ) return (pk, sk) Sg(sk, M) s, r Z p x := CH (g,w) (M, r) u x := m =0 ux for := 1 to l do t := PRF T κ (x) z := l =1 zt σ 1 := (u x ) a (z h) s σ 2 := g s return ( σ 1, σ 2, r) Ver(pk, M, σ = ( σ 1, σ 2, r)) x := CH (g,w) (M, r) for := 1 to l do t := PRF T κ (x) f e( σ 1, g) e(u x, g a )e(h l return 0 else return 1 =1 z t, σ 2) Fgure 5: The optmzed CDH-based sgnature scheme SIG CDH opt. If t t, we abort, otherwse, our guess was correct and t holds that σ 1 = ((g b ) f(m ) (g r(m ) )) a ((g b+xz ) t (g bt +x h )) s = g abf(m ) g ar(m ) (g xzt g x h ) s = g abf(m ) g ar(m ) g s (x zt +x h ). Snce M M j, we have f(m ) 0 and the smulator can compute ( σ 1/(g ar(m ) σ (xzt +x h ) 2 )) 1/f(M ) = g ab. Analyss. We show that the adversary F cannot dstngush effectvely between the experment and the smulaton. We denote by ε the advantage of the adversary F n the experment and by success the event, that the smulaton outputs a soluton g ab. The smulator does not pck (u ) m =0, z, and h at random, but sets them as descrbed above. Snce the r, x z and x h are randomly chosen, ths yelds the correct dstrbuton, so the vew of the adversary s stll the same as n the experment. The smulator s successful f t does not abort, that means, f F s successful and t guesses t correctly. So we have Pr [success] = ε q. 4.1 Optmzatons Now, wth ths result and our generc transformaton from Secton 3, we can construct a stateless sgnature scheme, whch s proven EUF-dnaCMA secure by Theorem 3.3. Then, we add an explct chameleon hash functon CH (g,w) (M, r) := g M w r n each nstance = 1,..., log c (k) to acheve a fully EUF-CMA-secure sgnature scheme. Ths sgnature scheme does have a constant sze publc key, but sgnatures consst of O(log k) group elements,.e., σ = (σ 1,..., σ log k ) where σ = ( σ 1,, σ 2,, r ). Now, we concentrate on how we can mprove ths and acheve constant sze sgnatures. Ths wll be done by aggregaton, essentally by multplyng the sgnatures of each nstance smlar to [25]. We re-use u 0,..., u m, one sk := a and one randomness s for all nstances (see Fgure 5). Unfortunately, we need addtonal elements n the publc key for the aggregaton to work. In ths sense our optmzaton s rather a tradeoff: We prefer constant-sze sgnatures wth publc keys of logarthmc length over logarthmc-length sgnatures wth constant-sze publc keys. Theorem 4.3. If the CDH assumpton holds n G, then the optmzed CDH-based sgnature scheme n Fgure 5 s an EUF-CMA secure sgnature scheme. Let F be a PPT adversary wth 11

12 advantage ε := Adv euf-cma SIG CDH opt,f CDH challenge wth probablty at least (k) askng for q := q(k) sgnatures, then t can be used to solve a ε c/m+1 2ε c/m (ε PRF + ε CH ) 2 2+c/m q c+c/m, where ε PRF and ε CH correspond to the advantages for breakng PRF and CH respectvely. Proof. We only sketch the proof here, because t s essentally a combnaton of the proofs from Theorem 4.2 and Theorem 3.3. We emphasze the dfferences and mportant parts. We have to deal wth l = log c (k) nstances and obtan our sgnature by generc aggregaton. Publc key setup. Frst, we select an ndex and guess a tag t from the correspondng set T. Next, we pck a random κ {0, 1} k and random dstnct M 1,..., M q, r 1,..., r q Z p and compute x j = CH(M j, r j ), j [q]. 7 Due to the collson resstance of our chameleon hash functon and the fact that Z p > q, we can assume that all x j are dstnct, otherwse, we abort. From that, we derve a tag t (j) := PRF T κ (x j ) for each nstance [l]. Then, we consder the set J = { j [q] t (j) = t }. If J > m, we abort, otherwse, J = m m. Wth that, we can, smlar to Theorem 4.2, compute a polynomal f s.t. f(x j ) = 0 for j J. We set up u 0,..., u m, h, z as before n Theorem 4.2 to embed our challenge here and choose random z for [q] \ { } by choosng random exponents x z for them. Sgnng. The adversary wll send us messages M 1,..., M q and we have to compute a vald sgnature σ (j) = ( σ 1,j, σ 2,j, r j ) for each of them. We compute r j s.t. x j = CH(M j, r j ). Thus, t (j) belongs to M j, for = 1,..., l. Now, we consder the nstance = : Agan, we have two cases, ether t (j) = t or t(j) t. In both cases we can apply the same technques as n Theorem 4.2 to obtan a vald (u x j ) a (z t(j) h)s j. For the other nstances, we can compute (z t(j) ) s j = (g xz t(j) ) s j = (g s j ) xz t(j) the fact that we know the exponents x z and then can aggregate them to get σ j := ((u x j ) a (h l =1 z t(j) ) s j, g s j, r j). due to Extract from forgery. The adversary F responds wth (M, σ ) where σ = ( σ 1, σ 2, r ) and M M j for j [q]. Abort f σ s not vald. We can assume that F has not produced a collson x = CH(M, r ) = x j for some j [q] due to the collson resstance of our chameleon hash functon. Thus, we have f(x ) 0. Now, we compute t = PRFT κ (x ) for each nstance [l]. If t t, abort, otherwse t holds σ 1 = (u x ) a (h l =1 z t )s, σ 2 = g s. We can compute (g s ) xz t = (z t )s for and obtan l σ1/ (z t )s = (u x ) a (z t h)s. =1, Therefore, we apply the same method as n Theorem 4.2 snce f(x ) 0 and t = t to extract a soluton g ab. 7 Smlarly to footnote 5, here, we assume to know the number of sgnature queres q 0. 12

13 Analyss. The analyss s smlar to Theorem 3.3 and Theorem 4.2. Hence, Pr[success] 1 ( ε ( ) T 2 (ε PRF + ε CH )) ε1+c/m 2ε c/m (ε PRF + ε CH ) 2 2+c/m q c+c/m, ( 2q m+1 ) c/m. where (*) holds by Lemma 3.5, snce we have T 2 ε(k) Here, εprf s the advantage for a sutable adversary on PRF and ε CH s the advantage to produce a collson for CH, both neglgble n the securty parameter. 5 Our RSA-based Scheme In ths secton we construct a stateless sgnature scheme SIG RSA opt secure under the RSA assumpton. The result s the most effcent RSA-based scheme currently known. The prototype for our constructon s the stateful RSA-based scheme of Hohenberger and Waters [21] whch we reference as SIG RSA HW09 from now on. We frst show that a strpped-to-thebascs varaton of ther scheme (whch s tag-based but stateless), denoted SIG RSA, s mldly secure,.e., EUF-dnaCMA m-secure. Subsequently, we apply our generc transformaton from Secton 3 and add a chameleon hash to construct a fully secure stateless scheme. Fnally, we apply common aggregaton technques whch yeld the optmzed scheme SIG RSA opt. 5.1 Prelmnares RSA(k) s a polynomally bounded functon that maps a gven securty parameter k to the btlength of the RSA modulus. Defnton 5.1 (RSA assumpton). Let N N be the product of two dstnct safe prmes P and Q wth 2 RSA(k) 2 P, Q 2 RSA(k) Let e be a randomly chosen postve nteger less than and relatvely prme to ϕ(n) = (P 1)(Q 1). For y Z N we call the trple (N, e, y) RSA challenge. The RSA assumpton holds f for every PPT algorthm A the probablty Pr [A(N, e, y) = x x e y (mod N)] s neglgble n k for a unformly chosen RSA challenge (N, e, y). Lemma 5.2 (Shamr s trck [31, 10]). Gven w, y Z N together wth a, b Z such that w a = y b and gcd(a, b) = 1, there s an effcent algorthm for computng x Z N such that x a = y. Lemma 5.3. Let π(n) denote the number of prmes p n. For n N, n 2 21 we have n log 2 (n) π(n) 2n log 2 (n) Proof. Ths lemma s just a varaton of the well-known prme bound for n 55 [29]. We fnd n log 2 (n) n ln(n)+2 snce log 2(n) ln(n) + 2 for n 92 e 2/(log 2 (e) 1) and n ln(n) 4 2n log 2 (n) snce ln(n) log 2(n) for n 2 21 e 8/(2 log 2 (e)) whch proves the clam. n ln(n)+2 π(n) n ln(n) 4 Lemma 5.4. For k N we defne P k := {p prme 2 k 2 p 2 k }. It holds P k > 2k 5k. 13

14 Proof. P k = π(2k ) π(2 k 2 ) π(2 k ) π(2 k 2 ) = k/2 > =1 2 + k ln(2)( + k 2 ) = 1 k/2 6 ln(2) =1 k/2 (π(2 + k 2 ) π(2 + k 2 1 )) =1 2 + k 2 + k 2 > 1 2 k 6 ln(2) k > 2k 5k (*) by [32], Theorem 5.8 (Betrand s postulate): π(2 l ) π(2 l 1 ) 2l 1 3 ln(2)l Lemma 5.5. For l, k N we have that for all sets X [2 k ] wth X 2 l Pr [p P k where P k s the set of prmes p wth 2 k 2 p 2 k. : x X such that p x] 10k 2 k l Proof. For any x [2 k ] we have {p P k : p x} 2 snce the product of any three elements of P k s bgger than 2k. Hence Pr [p P k (1) : x X such that p x] 2 X (2) P k 2 2l (3) P k 2 2l 2 k 5k (1) by the unon bound, (2) by assumpton X 2 l, (3) by Lemma EUF-dnaCMA m-secure Sgnature Scheme = 10k 2 k l The basc scheme SIG RSA. Let N = P Q be an RSA modulus consstent wth the RSA assumpton (Defnton 5.1). Bascally, a SIG RSA sgnature for a message-tag-par (M, t) s a tuple ((u M ) 1 p mod N, t) where p s a prme derved from the tag t. Analogously to our CDH scheme (Secton 4), we defne u M := m =0 um usng quadratc resdues (u ) m =0 to allow for the sgnng of up to m messages wth the same tag. The message space s {0, 1} l where we pck 1 l = k/ max(2, m) for our realzaton we wll need later that s neglgble and that lm k. 2 k l To construct a mappng from tags to prmes, we use a technque from [20] and [18]: For a PRF PRF {0,1}RSA(k), a correspondng key κ {0, 1} k, and a random btstrng b {0, 1} RSA(k), we defne P (κ,b) (t) := PRF κ {0,1}RSA(k) (t µ t ) b, where µ t := mn{µ N : PRF {0,1}RSA(k) κ (t µ) b s prme} and denotes the concatenaton of btstrngs. 8 We call µ t the resolvng ndex of t. The complete scheme SIG RSA s depcted n Fgure 6. Dfferences to SIG RSA HW09. For readers acquanted wth the stateful Hohenberger-Waters constructon [21], also known as HW09a, we gve a quck overvew how SIG RSA relates to ts prototype SIG RSA HW09. To have the least amount of overhead, we frst removed all components from SIG RSA HW09 that are not requred to prove the scheme EUF-dnaCMA m secure. Ths ncludes the chameleon hash (we are n a non-adaptve settng) and logarthm-of-tag-constructon n the exponent (we guess from a small set of tags only). Our setup of P (κ,b) slghtly dffers from the one n SIG RSA HW09 snce we do need that every tag s mapped to a prme. 8 P (κ,b) (t) can be computed n expected polynomal tme but not n strct polynomal tme. However, one can smply pck an upper bound µ and set P (κ,b) (t) = p for some arbtrary but fx prme p f µ t > µ for the resolvng ndex of t µ t. For a proper µ the event µ t > µ wll only occur wth neglgble probablty (see Theorem 5.6, Game 3). 14

15 Gen t (1 k ) Pck modulus N = P Q u QR N ( {0,..., m}) κ {0, 1} k b {0, 1} RSA(k) pk := (N, (u ) m =0, κ, b) sk := (P, Q) return (pk, sk) Sg t (sk, M, t) p := P (κ,b) (t) ˆσ := ( m =0 um ) 1 p mod N return (ˆσ, t) Ver t (pk, M, σ = (ˆσ, t)) f t T return 0 p := P (κ,b) (t) f ˆσ p m =0 um mod N return 0 else return EUF-dnaCMA m Securty Fgure 6: The tag-based RSA scheme SIG RSA. Theorem 5.6. If F s a PPT EUF-dnaCMA m-adversary for SIG RSA wth advantage ε := Adv euf-dnacma m(k) askng for q := q(k) sgnatures, then t can be used to effcently solve an RSA SIG RSA,F challenge accordng to Defnton 5.1 wth probablty at least ( 1 ε RSA(k) 2 8q RSA(k) ε PRF 1 ) 2 RSA(k) ε PRF q RSA(k) 2 RSA(k) 10k 2 k/2 where q denotes the number of dstnct tags quered by F, and ε PRF and ε PRF are the advantage of sutable dstngushers for the PRF. Proof. We frst descrbe the smulaton and subsequently provde a detaled analyss. In the followng (N, e, y) denotes the RSA challenge gven to the smulator. Frst, we guess an ndex [q] for whch we suppose F wll forge a sgnature on a new message M M, but wth t = t. The adversary F queres q = q =1 m > 0 sgnatures for messages wth tags where q s the number of dstnct tags (t ) [q ] and m the number of messages quered for tag t. (M ) [m ] denotes the lst of messages quered for tag t. If e s not a prme wth log 2 (e ) RSA(k) 2, we abort. Otherwse, we proceed as follows: Publc key setup. We guess an ndex [q ] and wrte t for the correspondng tag. Intutvely, t s the tag we wll use to embed our challenge. We pck κ and µ t [RSA(k) 2 ] at random and compute b := PRF {0,1}RSA(k) κ (t µ t ) e. If P (κ,b) (t ) e or f P (κ,b) (t ) = e for any t t ( [q ]), we abort. We compute p := P (κ,b) (t ) for [q ] and set p := p (note that p = e ). Next, we defne two polynomals over Z[X]. The frst one, f(x) := m =1 (X M ), s determned by the messages quered for the challenge tag t. We have f(x) = m =0 α X for some approprate coeffcents α Z and set α := 0 for {m + 1,..., m}. For the second one we pck β Z N/4 for {0,..., m} and set g(x) := m =0 β X. For a more comprehensve notaton we defne φ I := ([q ]\I) p for any set of ndexes I [q ], φ := φ and u M := m =0 um. We set Note that for any message M u := (y φ { }α +φβ ) 2. u M = (y φ { }f(m)+φg(m) ) 2. We send the publc key (N, (u ) m =0, κ, b) to the adversary. Sgnng. For each query (M, t) we compute the correspondng sgnature σ as follows. If t = t, σ s (ˆσ, t) where ˆσ := (y φ { }g(m) ) 2. We use the fact that M = M for some [m] and hence f(m) = 0 to verfy ( u M ) 1 p ((y φ { }f(m)+φg(m) ) 2 ) 1 p (y φ { }g(m) ) 2 ˆσ. 15

16 If t = t t ( [q ]), the correspondng sgnature σ s (ˆσ, t) where ˆσ := (y φ {, }f(m)+φ {} g(m) ) 2. We verfy ( u M ) 1 p ((y φ { } f(m)+φg(m) ) 2 ) 1 p (y φ {, }f(m)+φ {} g(m) ) 2 ˆσ. Fnally, we send all sgnatures to the adversary. Extract from forgery. The adversary responds wth (M, σ ) where σ = (ˆσ, t ) for some tag t {t 1,..., t q }. Here, f t t and f σ s not a vald forgery, we abort. Otherwse, snce the verfcaton equaton holds, we have and hence (σ ) p u M (y φ { }f(m )+φg(m ) ) 2 y 2φ { }f(m ) y 2φg(M ) (σ /y 2φ { }g(m ) ) p y 2φ { }f(m ). Note that f(m ) 0 snce M M for [m]. Clearly, p does not dvde 2φ { }. If gcd(p, f(m )) 1, we abort. Otherwse, we use Shamr s trck (Lemma 5.2) to compute x such that x p y (mod N). Snce p = e by constructon, x s the output of the smulator and a soluton to the RSA challenge (N, e, y) was gven. Analyss. We show that the adversary F cannot dstngush effectvely between the experment and the smulaton. Let X denote the event that the adversary s successful n Game. Game 0. In Game 0 the smulator runs the orgnal EUF-dnaCMA m experment and, hence, we have Pr [X 0 ] = ε. Game 1. In Game 1 the smulator aborts f e s not a prme wth log 2 (e ) RSA(k) 2. Hence, we do not abort wth probablty π(ϕ(n)) π(2 RSA(k)/2 ) 2 ϕ(ϕ(n)) ( ) 1 8RSA(k) ( ) snce 2 RSA(k) ϕ(ϕ(n)), ϕ(n) N/4, and Lemma 5.3 (all for suffcently large N). Thus, Pr [X 1 ] 1 8RSA(k) Pr [X 0]. Game 2. In Game 2 the smulator aborts f t t, for challenge tag t and guessed tag t. In partcular, for gven (dstnct) tags (t ) [q ], the smulator frst chooses an ndex [q ] as above. Now, f F outputs a forgery (M, ˆσ, t ) wth tag t t, the smulator aborts. Thus, we have Pr [X 2 ] Pr [X 1] q. Game 3. In Game 3 we set up P (κ,b) as descrbed n the smulaton above. Concretely, we choose µ t [RSA(k) 2 ] and set b := PRF κ {0,1}RSA(k) (t µ t ) e. If µ t s not the resolvng ndex of P (κ,b) (t ), we abort. We denote ths event as abort µ. Assume PRF κ {0,1}RSA(k) s a truly random functon. Now, by evaluatng P (κ,b), we derve unformly random RSA(k)-bt strngs. By Lemma 5.3, the probablty that the output of P (κ,b) s a RSA(k)-bt prme s at least 1/RSA(k). Further, for RSA(k) 2 P (κ,b) -evaluatons, the probablty of not outputtng a RSA(k)-bt prme s at most (1 1/RSA(k)) RSA(k)2. Hence, we can construct a PRF dstngusher wth probablty ε PRF Pr [abort µ ] (1 1/RSA(k)) RSA(k)2. (For a detaled analyss of ths Game see [19], Proof of Theorem 4.1, Games In partcular, we have (1 1/RSA(k)) RSA(k)2 1/RSA(k) k.) We conclude ( 1 Pr [X 3 ] RSA(k) 2 Pr [X 2 ] ε PRF 1 ) 2 RSA(k). 16

17 Game 4. Now, n Game 4, we abort f P (κ,b) (t ) = e for some t t ( [q ]). Let abort coll denote the correspondng event. If PRF s a truly random functon, then the output of P (κ,b) (t ) s a unform RSA(k)-bt prme. By Lemma 5.3, there are at least 2RSA(k) such prmes. Hence, the probablty of a collson wth e s at most ( ) q RSA(k) 2 RSA(k) RSA(k). Usng ths, we can construct an adversary that dstngushes PRF from a truly random functon wth advantage ε ( ) PRF Pr [abort coll ] q RSA(k). Thus, t follows that 2 RSA(k) Pr [X 4 ] Pr [X 3 ] ε PRF q RSA(k) 2 RSA(k). Game 5. In Game 5 we do not pck (u ) m =0 at random but set them as descrbed above. Snce the β are randomly chosen and blnd the α known to the adversary ths yelds a correct dstrbuton. Hence, we have Pr [X 5 ] = Pr [X 4 ]. The vew of the adversary n ths Game s exactly the vew n the smulaton descrbed above. Game 6. In Game 6 let abort gcd denote the event that gcd(p, f(m )) 1. Remember that messages are btstrngs of length l. The range of f s a set X [2 k ] contanng 2 l elements at most. Therefore, by Lemma 5.5 wth l = k/ max(2, m), we have and, thus, Pr [abort gcd ] 10k 2 k l = 10k 2 max(2,m) 1 k max(2,m) 10k 2 k/2 Pr [X 6 ] Pr [X 5 ] 10k 2 k/2. Fnally, we summarze and see that the smulator s successful wth probablty at least Pr [X 5 ] 10k 2 k/2 = Pr [X 4 ] 10k 2 k/2 Pr [X 3 ] ε PRF q RSA(k) 2 RSA(k) 10k ( 2 k/2 1 RSA(k) 2 Pr [X 2 ] ε PRF 1 ) 2 RSA(k) ε PRF q RSA(k) 2 RSA(k) 10k 2 ( k/2 1 Pr [X1 ] RSA(k) 2 q ε PRF 1 ) 2 RSA(k) ε PRF q RSA(k) 2 RSA(k) 10k 2 ( k/2 1 ε RSA(k) 2 8q RSA(k) ε PRF 1 ) 2 RSA(k) ε PRF q RSA(k) 2 RSA(k) 10k 2 k/2. Now, by Theorem 5.6, our generc transformaton from Secton 3 appled to SIG RSA yelds an EUF-dnaCMA-secure sgnature scheme. Fnally, we use chameleon hashng [23] to genercally construct the fully secure scheme SIG RSA gen, lke for nstance the RSA-based chameleon hash from [20, Appendx C]. 5.4 Optmzatons The resultng sgnature scheme of the prevous secton SIG RSA gen may be EUF-CMA-secure but s not very compact yet. In addton to parameters for the chameleon hash, a sgnature of SIG RSA gen 17

18 Gen(1 k ) Pck modulus N = P Q u QR N ( {0,..., m}) κ {0, 1} k b {0, 1} RSA(k) (CH, τ) CHGen(1 k ) pk := (N, (u ) m =0, κ, b, CH) sk := (P, Q) return (pk, sk) Sg(sk, M) Pck unform r for CH x := CH(M, r) for := 1 to l do t := PRF T κ (x) p := P (κ,b) (t ) p := [l] p ˆσ := ( m return (ˆσ, r) =0 ux ) 1 p mod N Ver(pk, M, (ˆσ, r)) x := CH(M, r) for := 1 to l do t := PRF T κ (x)) p := P (κ,b) (t ) p := [l] p f ˆσ p m =0 ux mod N return 0 else return 1 Fgure 7: The optmzed RSA-based sgnature scheme SIG RSA opt. conssts of l = log c (k) SIG RSA sgnatures. Ths can be mproved consderably to constant sze sgnatures by generc aggregaton. Fgure 7 depcts the resultng scheme SIG RSA opt for the two parameters l (whch mplctly contans the granularty parameter c) and m. We stll use l tags (ntutvely representng the l nstances of the orgnal scheme) for sgnng and verfcaton. However, the publc key s sze depends only on m (whch s a fxed parameter) and the sgnature sze s constant: We need one group element and randomness for the chameleon hash (whch s typcally also about the sze of a group element). Addtonally to PRF {0,1}RSA(k), we now need functons (PRF T ) [l] to generate the tags for a sgnature. We can construct all of these functons from a sngle PRF PRF {0,1} wth suffcently long output and use κ {0, 1} k as ts key. Theorem 5.7. Let F be a PPT EUF-CMA adversary aganst SIG RSA opt wth advantage ε := Adv euf-cma (k) askng for q := q(k) sgnatures (at most). Then t can be used to effcently solve SIG RSA,F an RSA challenge accordng to Defnton 5.1 wth probablty at least ( ) 1 ε c/m+1 RSA(k) c/m q c+c/m RSA(k) ε PRF 1 2 RSA(k) ε PRF ε PRF ε CH q l RSA(k) 2 RSA(k) 10k 2 k/2 where ε PRF, ε PRF, ε PRF, and ε CH are the success probabltes for breakng PRF and CH respectvely. Proof. Snce the proof s very smlar to the combnaton of proofs Theorem 3.3 and Theorem 5.6, we only descrbe the nterestng parts. Addtonally, we omt the chameleon hash here and prove the EUF-dnaCMA securty of the correspondng modfed scheme (wth x := M nstead of x := CH(M, r) and no randomness for the chameleon hash n the sgnature). The chameleon hash s then added at the end usng generc arguments [23]. Agan, w.l.o.g. we assume that the adversary wll ask for exactly q > 0 sgnatures. Setup. Analogously to Theorem 3.3, we use the select algorthm to pck an. Intutvely, represents one of the l nstances and T s the set of tags used for ths nstance. We wll embed the challenge only n ths nstance and smulate all the others. We start off by pckng a random key κ for the PRF PRF. For each quered message (M j ) j [q] we compute the tags t (j) := Samp(T, PRF κ (M j )). Subsequently, we guess a tag t T and abort f the lst of tags for the th nstance (t ( ) j ) j [q] contans any tag more than m tmes. Next, we embed the challenge exponent. Lke n Theorem 5.6, we set up P (κ,b) such that P (κ,b) (t ) = e =: p and abort f P (κ,b) (t (j) ) = p for any t (j) t. Afterwards we compute prmes p (j) := P (κ,b) (t (j) ) correspondng to the nstance tags for l, j [q]. 18