MTAT.07.003 Cryptology II Spring 2012 / Exercise session?? / Example Solution Exercise (FRH in RO model). Show that the full domain hash signature is secure against existential forgeries in the random oracle model. Establish security bounds under the assumption that the scheme uses (t, ε)-secure collection of trapdoor permutations and Map pk ( ) is always τ-time computable. Solution. To show how such proofs are constructed, we construct the proof in three steps. First, we consider a very specific key only attack. Then we generalise the proof for all key only attacks. Finally we show how to convert an attack with uses signing oracle to an attack without the oracle while preserving success. For the proof, recall that a collection of trapdoor permutations is determined by three algorithms (Gen, Map, Inv) such that, m M pk : Inv sk (Map pk (m)) = m and both algorithms Map pk ( ) and Inv sk ( ) are deterministic. The security of the permutation collection is defined through the success Adv inv-cpa (B) against the following game: x u M pk y Map pk (x) return [B(pk, y)? = x]. A collection of trapdoor permutations is (t, ε)-secure if for any t-time adversary B the success probability Adv inv-cpa (B) is upper bounded by ε. A very specific key only attack. Let us first consider an attack, where the adversary makes q h queries to the random oracle O h to forge a signature (m, s) such that h(m) is computed as the 1 st query to O h and all q h hash queries are made on distinct inputs. We start by defining the security game, where the adversary is able to forge one more signature while having access to a random oracle O h : h u H all (m, s) A O h (pk) y h(m) return [Map pk (s)? = y]. As we consider a restricted class of adversaries that forge the signature for the first query m 1 to the hash oracle O h, we can rewrite the security game in more explicit manner: G 2 h u H all m 1 A(pk) y h(m 1 ) s A O h (y) return [Map pk (s)? = y]. The game makes the first query m 1 to the oracle explicit. Formally, the adversary A for the game is not compatible with the game G 2. However, there is a straightforward wrapper construction with constant overhead that makes the conversion without changing the success probability. 1
For constructing the inverter for any input y, we need to trick the adversary into believing that y is the output of h(m 1 ). For this, we replace the initial oracle with a slightly modified one which outputs y if he is queried for m 1 and O h (m) otherwise: O h(m) [ if m? = m 1 then return y else return O h (m) To be punctual, m 1 and y are hidden parameters of O h which must be initialised by the inverter B A,O h (pk, y) m 1 A(pk) s A O h (y) return s before calling O h. Note that if we use this inverter B in game QB, then we get x u M pk y Map pk (x) h u H all m 1 A(pk) s A O h (y) return [s? = x]. Now note that the condition s = x is equivalent to the condition that Map pk (s) = y and we can inverse the choices of m and y in Q by firstly taking y M pk and then x Inv sk (y) without changing the output of the game. As a result, we obtain that the game is equivalent to the following game: G 3 h u H all y u M pk x Inv pk (m) m 1 A(pk) s A O h (y) return [Map pk (s) =? y]. Now the only difference between G 2 and G 3 is in the way y is computed. If h is chosen uniformly from H all, then y h(m 1 ) is also uniform in M pk and thus the games are identical. Thus, we have formally proved Adv win (A) = Adv inv-cpa (B O h ). However, the latter is not sufficient for the proof, since B must have an oracle access to O h to run, whereas the security of is defined in terms of algorithms that make no oracle calls. Fortunately, we can remove the oracle O h from the construction of B. As A makes distinct calls to O h so does the O h. Consequently, we can replace all replies by randomly sampled elements, which leads to the 2
following simplification: O h(m) if m =? m 1 then y y else y u M pk return y. Since O h makes no calls to oracles, the algorithm BA,O h is in the valid form. As the running time of B A,O h is O(q h ) steps slower than A, we get the desired upper bound: Adv win (A) = Adv inv-cpa (B O h ) = Adv inv-cpa (B O h ) ε whenever the running time of A is t O(q). Similar construction could be given for another restricted case when h(m) is the i th query. We modify the oracle such that it returns random value for all j th query for j i and outputs y when j = i: O h(m) count count + 1 if count =? i then y y else y u M pk return y where the global variable count is initially set to zero. Further details are left as an exercise. A constructive reduction for a key only attack. Next, let us consider a general attack where the adversary makes q h queries to the random oracle O h to forge a signature (m, s). W.l.o.g. we can assume that A queries the hash value for the forged signature. If not then we can write a wrapper that queries h(m) as the last step. It can increase the number of queries to q h + 1. Secondly, we can assume that A makes exactly q h + 1 distinct oracle queries. Overhead of the corresponding wrapper is O(q h log q h ). As a result, we can model the attack through the following game: G A y i h(m i ) (m, s) A(h qh +1) return [h(m) =? Map pk (s)], 3
which itself can be simplified due to the properties of the random function family H all : G A 1 y i M pk (m, s) A(h qh +1) Choose k such that m = m k return [h k = Map pk (s)] without changing the success probability nor the semantics of the game. Now it is straightforward to construct the inverter B by planting the value y to be inverted as the k th reply. Clearly for some k, the probability that the adversary A is successful and m is submitted as the k th is not smaller than the average success: k : Pr [ G A 1 = 1 m = m k ] 1 q h + 1 Advwin (A). However, there is no evident way to determine k efficiently by looking at the code of A. Hence, the only sensible alternative is to choose k randomly. The latter leads to the following inverter construction: B A (pk, y) if i =? k then y i y else y i M pk (m, s) A if m =? m k then return s else return There are many way how to estimate the success of the inverter. Here, we choose the most explicit way. We just inline the construction of B into the game Q and manipulate the game further without changing its semantics: x u M pk y Map pk (x) if i =? k then y i y else y i M pk (m, s) A if m? = m k then return [s? = x] else return 0 4
Note that the last line captures the condition that B does not halt with only if m = m k. Since Map pk is the permutation we can rewrite the input generation and output verification phase: y u M pk if i =? k then y i y else y i M pk (m, s) A if m m k then return 0 return [Map pk (s)? = y]. Since the challenge y is chosen uniformly from M pk, the difference between if and else branches in the cycle body vanishes and we can further simplify the game: y i M pk (m, s) A if m m k then return 0 return [Map pk (s)? = y k ], which can be further describe in terms of random function sampling: y i h(m i ) (m, s) A if m m k then return 0 return [Map pk (s) =? h(m)]. As A is guaranteed to produce m {m 1,..., m qh +1} by our assumptions, we can formally derive Pr [ = 1 ] = q h +1 i=1 Pr [ q ] h +1 = 1 m = m i = i=1 Pr [ Map pk (s) = h(m) m = m k m = m i ]. 5
As the term under the sum can be expressed as Pr [ Map pk (s) = h(m) m = m k m = m i ] = Pr [ Mappk (s) = h(m) m = m i ] Pr [mi = m k ] and the condition m i = m k holds with uniform probability we get the desired lower bound i : Pr [m i = m k ] = 1 q h + 1, Adv inv-cpa (B) = Pr [ = 1 ] = 1 q h +1 q h + 1 Pr [ ] Adv win Map pk (s) = h(m) m = m i = (A) q h + 1 Another way to prove this bound is to reorder the checks in the game: i=1. y i h(m i ) (m, s) A if Map pk (s) h(m) then return 0 return [m = m k ]. and then note that the first part of the game is identical to G A 1 m : Pr [m = m k ] = 1 q h + 1. To summarise, we have obtained a direct reduction with Adv inv-cpa (B) = Advwin (A) q h + 1 and the final test succeeds with the probability where the running time of B is O(q h log q h ) time steps longer than the running time of A that is not guaranteed to query distinct inputs. Therefore, if is a (t, ε)-secure collection of trapdoor permutations, the full domain hash signature is ((q h +1)ε, t O(q h log q h ))-secure against key-only attacks where adversary make q h queries. A general constructive reduction. Finally, let us consider a general attack where the adversary makes q h queries to the random oracle O h and q s queries to the signing oracle O Sign to forge a new signature (m, s) that is not in the list of replies. Let S[ ] denote the array of queried signatures, i.e., S[m] means that the signature has been queried form the oracle. Then we can formalise the security game as follows: (m, s) A O h,o Sign (pk) if S[m] return 0 return [h(m) =? Map pk (s)]. 6
As before, let q h denote the maximal number of hash queries and q s the maximal number of signing queries the adversary can make. Also, let H[ ] denote array of queried hashes. First, note that by the construction H[m] = Map pk (S[m]) for all messages m that are submitted to the signing oracle. Moreover, by the properties of H all all values H[m] are uniformly distributed over M pk. As Map pk is a permtation, we can sample uniform values from M pk by first sampling s and then computing Map pk (s). This way we can escape the hard inversion problem. Formally, we define two new oracles O h(m) if H[m] = [ S[m] u M H[m] Map pk (S[m]) return H[m] O Sign(m) if S[m] = [ S[m] u M H[m] Map pk (S[m]) return S[m]. For the correctness, note that the construction guarantees that elements S[m] and H[m] are either simultaneously undefined or defined and there can be no redefinitions of undefined variables. For the reasons explained above, the behaviour of the oracle pair O h and O Sign is indistinguishable form the oracle pair O h and O Sign. Consequently, the game is equivalent to the game G 2 (m, s) A O h,o Sign (pk) if S[m] return 0 return [h(m)? = Map pk (s)]. Note that the new game G 2 is not equivalent to the key-only attack in the random oracle model. Although the oracle O h is indistinguishable form the random oracle O h, the construction is different. Nevertheless, we can use the idea as before to build the inverter algorithm. Let us start from nonconstructive analysis. Clearly, q h +q s+1 Adv win (A) = Pr [ G2 A = 1 i th query corresponds to the signature ] i=1 where A is such that it is quarantined to query the hash of the message m. Now there must exist k such that Pr [ G A 2 = 1 k th query corresponds to the signature ] Advwin (A) q h + q s + 1. Now for this k, we can construct an inverter B by modifying the pair of oracles so that they H[m k ] = y. The simulation can fail only if the adversary A queries O Sign (m k) but then (m k, s) is not a valid forgery. We leave the formal construction of the inverter and its analysis to the reader. For the constructive reduction, we just give the construction of B together with modified oracles: B O h,o Sign (pk, y) count 0 k u {1,..., q h + q s + 1} (m, s) A O h,o Sign (pk) if S[m] return 0 if m m k then return 0 else return s O h(m) count count + 1 if H[m] = if count =? k then [ H[m] y else [ S[m] u M H[m] Map pk (S[m]) return H[m] O Sign(m) count count + 1 if S[m] = if count =? k then [ H[m] y else [ S[m] u M H[m] Map pk (S[m]) return S[m]. 7
For the analysis note that B O h,o Sign provides a perfect simulation of G2 for A unless the k th query is a signing query. However, the B O h,o Sign would halt even if the signature would be correct. Hence, it is straightforward to show by direct inlining that Adv inv-cpa Adv win (B O h,o Sign ) = (A) q h + q s + 1. The reduction overhead is q s + q h + 1 calls to one of O h and O Sign, but both of these have time dominated by the Map pk ( ) operation, hence there is a (q s + q h + 1)τ overhead. So if the scheme uses (t, ε)-secure collection of trapdoor permutations, then the full domain hash is (t (q s + q h + 1)τ, (q s + q h + 1)ε)-secure in the random oracle model. 8