Q B (pk, sk) Gen x u M pk y Map pk (x) return [B(pk, y)? = x]. (m, s) A O h

Similar documents
Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography

Outline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.

Schnorr Signature. Schnorr Signature. October 31, 2012

Digital Signatures. Adam O Neill based on

Digital Signature Schemes and the Random Oracle Model. A. Hülsing

John Hancock enters the 21th century Digital signature schemes. Table of contents

Lecture 18: Message Authentication Codes & Digital Signa

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

CPA-Security. Definition: A private-key encryption scheme

Authentication. Chapter Message Authentication

Provable Security Proofs and their Interpretation in the Real World

10 Concrete candidates for public key crypto

Katz, Lindell Introduction to Modern Cryptrography

Entity Authentication

SIS-based Signatures

Block Ciphers/Pseudorandom Permutations

From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes

1 Number Theory Basics

A Security Proof of KCDSA using an extended Random Oracle Model

Optimal Security Reductions for Unique Signatures: Bypassing Impossibilities with A Counterexample

Transitive Signatures Based on Non-adaptive Standard Signatures

Lecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]

Introduction to Cryptography

INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator

Semantic Security of RSA. Semantic Security

Uninstantiability of Full-Domain Hash

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

Foundations of Cryptography

2 Message authentication codes (MACs)

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

MTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu

Short Signatures Without Random Oracles

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM RANDOM ORACLE MODEL. Mark Zhandry Stanford University

CTR mode of operation

Lecture 14 More on Digital Signatures and Variants. COSC-260 Codes and Ciphers Adam O Neill Adapted from

Chosen Ciphertext Security with Optimal Ciphertext Overhead

Notes for Lecture Decision Diffie Hellman and Quadratic Residues

Constructing Provably-Secure Identity-Based Signature Schemes

Efficient Constructions of Deterministic Encryption from Hybrid Encryption and Code-Based PKE

ASYMMETRIC ENCRYPTION

Lecture 1. 1 Introduction to These Notes. 2 Trapdoor Permutations. CMSC 858K Advanced Topics in Cryptography January 27, 2004

Random Oracles in a Quantum World

Memory Lower Bounds of Reductions Revisited

Lectures 2+3: Provable Security

III. Pseudorandom functions & encryption

Lecture Summary. 2 Simplified Cramer-Shoup. CMSC 858K Advanced Topics in Cryptography February 26, Chiu Yuen Koo Nikolai Yakovenko

Constructing secure MACs Message authentication in action. Table of contents

II. Digital signatures

Digital signature schemes

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Notes on Property-Preserving Encryption

Short Unique Signatures from RSA with a Tight Security Reduction (in the Random Oracle Model)

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

Lecture 4: Perfect Secrecy: Several Equivalent Formulations

ECS 189A Final Cryptography Spring 2011

CS 6260 Applied Cryptography

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

VI. The Fiat-Shamir Heuristic

Lecture 2: Perfect Secrecy and its Limitations

Building Quantum-One-Way Functions from Block Ciphers: Davies-Meyer and Merkle-Damgård Constructions

1 Cryptographic hash functions

New Proofs for NMAC and HMAC: Security without Collision-Resistance

Lecture 14: Cryptographic Hash Functions

Lecture 7: CPA Security, MACs, OWFs

Digital Signatures. p1.

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

Improved Security for Linearly Homomorphic Signatures: A Generic Framework

Standard Security Does Not Imply Indistinguishability Under Selective Opening

Limitations of the Meta-Reduction Technique: The Case of Schnorr Signatures

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018

CPSC 467: Cryptography and Computer Security

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Modern symmetric-key Encryption

A survey on quantum-secure cryptographic systems

Lecture 24: Goldreich-Levin Hardcore Predicate. Goldreich-Levin Hardcore Predicate

Chapter 11. Asymmetric Encryption Asymmetric encryption schemes

Non-Adaptive Programmability of Random Oracle

A note on the equivalence of IND-CCA & INT-PTXT and IND-CCA & INT-CTXT

5.4 ElGamal - definition

Provable Security in Symmetric Key Cryptography

Security Analysis of an Identity-Based Strongly Unforgeable Signature Scheme

PSS Is Secure against Random Fault Attacks

5199/IOC5063 Theory of Cryptology, 2014 Fall

Searchable encryption & Anonymous encryption

An Uninstantiable Random-Oracle-Model Scheme for a Hybrid-Encryption Problem

Pr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

Evaluation Report on the ECDSA signature scheme

Provable security. Michel Abdalla

CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols

Introduction to Pairing-Based Cryptography

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

Lecture 5, CPA Secure Encryption from PRFs

Digital Signatures from Strong RSA without Prime Genera7on. David Cash Rafael Dowsley Eike Kiltz

Post-quantum security models for authenticated encryption

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Symmetric Encryption

Transcription:

MTAT.07.003 Cryptology II Spring 2012 / Exercise session?? / Example Solution Exercise (FRH in RO model). Show that the full domain hash signature is secure against existential forgeries in the random oracle model. Establish security bounds under the assumption that the scheme uses (t, ε)-secure collection of trapdoor permutations and Map pk ( ) is always τ-time computable. Solution. To show how such proofs are constructed, we construct the proof in three steps. First, we consider a very specific key only attack. Then we generalise the proof for all key only attacks. Finally we show how to convert an attack with uses signing oracle to an attack without the oracle while preserving success. For the proof, recall that a collection of trapdoor permutations is determined by three algorithms (Gen, Map, Inv) such that, m M pk : Inv sk (Map pk (m)) = m and both algorithms Map pk ( ) and Inv sk ( ) are deterministic. The security of the permutation collection is defined through the success Adv inv-cpa (B) against the following game: x u M pk y Map pk (x) return [B(pk, y)? = x]. A collection of trapdoor permutations is (t, ε)-secure if for any t-time adversary B the success probability Adv inv-cpa (B) is upper bounded by ε. A very specific key only attack. Let us first consider an attack, where the adversary makes q h queries to the random oracle O h to forge a signature (m, s) such that h(m) is computed as the 1 st query to O h and all q h hash queries are made on distinct inputs. We start by defining the security game, where the adversary is able to forge one more signature while having access to a random oracle O h : h u H all (m, s) A O h (pk) y h(m) return [Map pk (s)? = y]. As we consider a restricted class of adversaries that forge the signature for the first query m 1 to the hash oracle O h, we can rewrite the security game in more explicit manner: G 2 h u H all m 1 A(pk) y h(m 1 ) s A O h (y) return [Map pk (s)? = y]. The game makes the first query m 1 to the oracle explicit. Formally, the adversary A for the game is not compatible with the game G 2. However, there is a straightforward wrapper construction with constant overhead that makes the conversion without changing the success probability. 1

For constructing the inverter for any input y, we need to trick the adversary into believing that y is the output of h(m 1 ). For this, we replace the initial oracle with a slightly modified one which outputs y if he is queried for m 1 and O h (m) otherwise: O h(m) [ if m? = m 1 then return y else return O h (m) To be punctual, m 1 and y are hidden parameters of O h which must be initialised by the inverter B A,O h (pk, y) m 1 A(pk) s A O h (y) return s before calling O h. Note that if we use this inverter B in game QB, then we get x u M pk y Map pk (x) h u H all m 1 A(pk) s A O h (y) return [s? = x]. Now note that the condition s = x is equivalent to the condition that Map pk (s) = y and we can inverse the choices of m and y in Q by firstly taking y M pk and then x Inv sk (y) without changing the output of the game. As a result, we obtain that the game is equivalent to the following game: G 3 h u H all y u M pk x Inv pk (m) m 1 A(pk) s A O h (y) return [Map pk (s) =? y]. Now the only difference between G 2 and G 3 is in the way y is computed. If h is chosen uniformly from H all, then y h(m 1 ) is also uniform in M pk and thus the games are identical. Thus, we have formally proved Adv win (A) = Adv inv-cpa (B O h ). However, the latter is not sufficient for the proof, since B must have an oracle access to O h to run, whereas the security of is defined in terms of algorithms that make no oracle calls. Fortunately, we can remove the oracle O h from the construction of B. As A makes distinct calls to O h so does the O h. Consequently, we can replace all replies by randomly sampled elements, which leads to the 2

following simplification: O h(m) if m =? m 1 then y y else y u M pk return y. Since O h makes no calls to oracles, the algorithm BA,O h is in the valid form. As the running time of B A,O h is O(q h ) steps slower than A, we get the desired upper bound: Adv win (A) = Adv inv-cpa (B O h ) = Adv inv-cpa (B O h ) ε whenever the running time of A is t O(q). Similar construction could be given for another restricted case when h(m) is the i th query. We modify the oracle such that it returns random value for all j th query for j i and outputs y when j = i: O h(m) count count + 1 if count =? i then y y else y u M pk return y where the global variable count is initially set to zero. Further details are left as an exercise. A constructive reduction for a key only attack. Next, let us consider a general attack where the adversary makes q h queries to the random oracle O h to forge a signature (m, s). W.l.o.g. we can assume that A queries the hash value for the forged signature. If not then we can write a wrapper that queries h(m) as the last step. It can increase the number of queries to q h + 1. Secondly, we can assume that A makes exactly q h + 1 distinct oracle queries. Overhead of the corresponding wrapper is O(q h log q h ). As a result, we can model the attack through the following game: G A y i h(m i ) (m, s) A(h qh +1) return [h(m) =? Map pk (s)], 3

which itself can be simplified due to the properties of the random function family H all : G A 1 y i M pk (m, s) A(h qh +1) Choose k such that m = m k return [h k = Map pk (s)] without changing the success probability nor the semantics of the game. Now it is straightforward to construct the inverter B by planting the value y to be inverted as the k th reply. Clearly for some k, the probability that the adversary A is successful and m is submitted as the k th is not smaller than the average success: k : Pr [ G A 1 = 1 m = m k ] 1 q h + 1 Advwin (A). However, there is no evident way to determine k efficiently by looking at the code of A. Hence, the only sensible alternative is to choose k randomly. The latter leads to the following inverter construction: B A (pk, y) if i =? k then y i y else y i M pk (m, s) A if m =? m k then return s else return There are many way how to estimate the success of the inverter. Here, we choose the most explicit way. We just inline the construction of B into the game Q and manipulate the game further without changing its semantics: x u M pk y Map pk (x) if i =? k then y i y else y i M pk (m, s) A if m? = m k then return [s? = x] else return 0 4

Note that the last line captures the condition that B does not halt with only if m = m k. Since Map pk is the permutation we can rewrite the input generation and output verification phase: y u M pk if i =? k then y i y else y i M pk (m, s) A if m m k then return 0 return [Map pk (s)? = y]. Since the challenge y is chosen uniformly from M pk, the difference between if and else branches in the cycle body vanishes and we can further simplify the game: y i M pk (m, s) A if m m k then return 0 return [Map pk (s)? = y k ], which can be further describe in terms of random function sampling: y i h(m i ) (m, s) A if m m k then return 0 return [Map pk (s) =? h(m)]. As A is guaranteed to produce m {m 1,..., m qh +1} by our assumptions, we can formally derive Pr [ = 1 ] = q h +1 i=1 Pr [ q ] h +1 = 1 m = m i = i=1 Pr [ Map pk (s) = h(m) m = m k m = m i ]. 5

As the term under the sum can be expressed as Pr [ Map pk (s) = h(m) m = m k m = m i ] = Pr [ Mappk (s) = h(m) m = m i ] Pr [mi = m k ] and the condition m i = m k holds with uniform probability we get the desired lower bound i : Pr [m i = m k ] = 1 q h + 1, Adv inv-cpa (B) = Pr [ = 1 ] = 1 q h +1 q h + 1 Pr [ ] Adv win Map pk (s) = h(m) m = m i = (A) q h + 1 Another way to prove this bound is to reorder the checks in the game: i=1. y i h(m i ) (m, s) A if Map pk (s) h(m) then return 0 return [m = m k ]. and then note that the first part of the game is identical to G A 1 m : Pr [m = m k ] = 1 q h + 1. To summarise, we have obtained a direct reduction with Adv inv-cpa (B) = Advwin (A) q h + 1 and the final test succeeds with the probability where the running time of B is O(q h log q h ) time steps longer than the running time of A that is not guaranteed to query distinct inputs. Therefore, if is a (t, ε)-secure collection of trapdoor permutations, the full domain hash signature is ((q h +1)ε, t O(q h log q h ))-secure against key-only attacks where adversary make q h queries. A general constructive reduction. Finally, let us consider a general attack where the adversary makes q h queries to the random oracle O h and q s queries to the signing oracle O Sign to forge a new signature (m, s) that is not in the list of replies. Let S[ ] denote the array of queried signatures, i.e., S[m] means that the signature has been queried form the oracle. Then we can formalise the security game as follows: (m, s) A O h,o Sign (pk) if S[m] return 0 return [h(m) =? Map pk (s)]. 6

As before, let q h denote the maximal number of hash queries and q s the maximal number of signing queries the adversary can make. Also, let H[ ] denote array of queried hashes. First, note that by the construction H[m] = Map pk (S[m]) for all messages m that are submitted to the signing oracle. Moreover, by the properties of H all all values H[m] are uniformly distributed over M pk. As Map pk is a permtation, we can sample uniform values from M pk by first sampling s and then computing Map pk (s). This way we can escape the hard inversion problem. Formally, we define two new oracles O h(m) if H[m] = [ S[m] u M H[m] Map pk (S[m]) return H[m] O Sign(m) if S[m] = [ S[m] u M H[m] Map pk (S[m]) return S[m]. For the correctness, note that the construction guarantees that elements S[m] and H[m] are either simultaneously undefined or defined and there can be no redefinitions of undefined variables. For the reasons explained above, the behaviour of the oracle pair O h and O Sign is indistinguishable form the oracle pair O h and O Sign. Consequently, the game is equivalent to the game G 2 (m, s) A O h,o Sign (pk) if S[m] return 0 return [h(m)? = Map pk (s)]. Note that the new game G 2 is not equivalent to the key-only attack in the random oracle model. Although the oracle O h is indistinguishable form the random oracle O h, the construction is different. Nevertheless, we can use the idea as before to build the inverter algorithm. Let us start from nonconstructive analysis. Clearly, q h +q s+1 Adv win (A) = Pr [ G2 A = 1 i th query corresponds to the signature ] i=1 where A is such that it is quarantined to query the hash of the message m. Now there must exist k such that Pr [ G A 2 = 1 k th query corresponds to the signature ] Advwin (A) q h + q s + 1. Now for this k, we can construct an inverter B by modifying the pair of oracles so that they H[m k ] = y. The simulation can fail only if the adversary A queries O Sign (m k) but then (m k, s) is not a valid forgery. We leave the formal construction of the inverter and its analysis to the reader. For the constructive reduction, we just give the construction of B together with modified oracles: B O h,o Sign (pk, y) count 0 k u {1,..., q h + q s + 1} (m, s) A O h,o Sign (pk) if S[m] return 0 if m m k then return 0 else return s O h(m) count count + 1 if H[m] = if count =? k then [ H[m] y else [ S[m] u M H[m] Map pk (S[m]) return H[m] O Sign(m) count count + 1 if S[m] = if count =? k then [ H[m] y else [ S[m] u M H[m] Map pk (S[m]) return S[m]. 7

For the analysis note that B O h,o Sign provides a perfect simulation of G2 for A unless the k th query is a signing query. However, the B O h,o Sign would halt even if the signature would be correct. Hence, it is straightforward to show by direct inlining that Adv inv-cpa Adv win (B O h,o Sign ) = (A) q h + q s + 1. The reduction overhead is q s + q h + 1 calls to one of O h and O Sign, but both of these have time dominated by the Map pk ( ) operation, hence there is a (q s + q h + 1)τ overhead. So if the scheme uses (t, ε)-secure collection of trapdoor permutations, then the full domain hash is (t (q s + q h + 1)τ, (q s + q h + 1)ε)-secure in the random oracle model. 8

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback