diff --git a/pages/CSE442T/CSE442T_L20.md b/pages/CSE442T/CSE442T_L20.md index 75171b5..06780cc 100644 --- a/pages/CSE442T/CSE442T_L20.md +++ b/pages/CSE442T/CSE442T_L20.md @@ -1,6 +1,6 @@ # Lecture 20 -## Construction of CRHF (Compression Resistant Hash Function) +## Construction of CRHF (Collision Resistant Hash Function) Let $h: \{0, 1\}^{n+1} \to \{0, 1\}^n$ be a CRHF. @@ -24,7 +24,9 @@ Under the discrete log assumption, $H$ is a CRHF. - It is easy to compute - Compressing by 1 bit -Proof it is a CRHF: +Proof: + +The hash function $h$ is a CRHF Suppose there exists an adversary $\mathcal{A}$ that can break $h$ with non-negligible probability $\mu$. @@ -67,3 +69,106 @@ $$ So $\mathcal{B}$ can break the discrete log assumption with non-negligible probability $\mu(n)$, which contradicts the discrete log assumption. So $h$ is a CRHF. + +EOP + +To compress by more, say $h_k:{0,1}^n\to \{0,1\}^{n-k},k\geq 1$, then we can use $h: \{0,1\}^{n+1}\to \{0,1\}^n$ multiple times. + +$$ +h_k(x)=h(h(\cdots(h(x)))\cdots)=h^{k}(x) +$$ + +To find a collision of $h_k$, the adversary must find a collision of $h$. + +### Application of CRHF to Digital Signature + +Digital signature scheme on $\{0,1\}^*$ for a fixed security parameter $n$. (one-time secure) + +- Use Digital Signature Scheme on $\{0,1\}^{n}$: $Gen, Sign, Ver$. +- Use CRHF family $\{h_i:\{0,1\}^*\to \{0,1\}^n\}_{i\in I}$ + +$Gen'(1^n):(pk,sk)\gets Gen(1^n)$, choose $i\in I$ uniformly at random. + +$sk'=(sk,i)$ + +$Sign'_{sk'}(m):\sigma\gets Sign_{sk}(h_i(m))$, return $(i,\sigma)$ + +$pk'=(pk,i)$ + +$Ver'_{pk'}(m,(i,\sigma)):Ver_{pk}(m,\sigma)$ and $i\in I$ + +One-time secure: + +- Given that ($Gen,Sign,Ver$) is one-time secure +- $h$ is a CRHF + +Then ($Gen',Sign',Ver'$) is one-time secure. + +Idea of Proof: + +If the digital signature scheme ($Gen',Sign',Ver'$) is not one-time secure, then there exists an adversary $\mathcal{A}$ which can ask oracle for one signature on $m_1$ and receive $\sigma_1=Sign'_{sk'}(m_1)=Sign_{sk}(h_i(m_1))$. + +- It outputs $m_2\neq m_1$ and receives $\sigma_2=Sign'_{sk'}(m_2)=Sign_{sk}(h_i(m_2))$. +- If $Ver'_{pk'}(m_2,\sigma_2)$ is accepted, then $Ver_{pk}(h_i(m_2),\sigma_2)$ is accepted and $i\in I$. + +There are two cases to consider: + +Case 1: $h_i(m_1)=h_i(m_2)$, Then $\mathcal{A}$ finds a collision of $h$. + +Case 2: $h_i(m_1)\neq h_i(m_2)$, Then $\mathcal{A}$ produced valid signature on $h_i(m_2)$ after only seeing $Sign'_{sk'}(m_1)\neq Sign'_{sk'}(m_2)$. This contradicts the one-time secure of ($Gen,Sign,Ver$). + +EOP + +## Many-time Secure Digital Signature + +Using one-time secure digital signature scheme on $\{0,1\}^*$ to construct many-time secure digital signature scheme on $\{0,1\}^*$. + +Let $Gen,Sign,Ver$ defined as follows: + +$Gen(1^n):(pk,sk)\gets (pk_0,sk_0) + +For the first message: + +$(pk_1,sk_1)\gets Gen'(1^n)$ + +$Sign_{sk}(m_1):\sigma_1\gets Sign_{sk_0}(m_1||pk_1)$, return $\sigma_1'=(1,m_1,pk_1,\sigma_1)$ + +We need to remember state $\sigma_1'$ and $sk_1$ for the second message. + +For the second message: + +$(pk_2,sk_2)\gets Gen'(1^n)$ + +$Sign_{sk}(m_2):\sigma_2\gets Sign_{sk_1}(m_2||pk_0)$, return $\sigma_2'=(0,m_2,pk_0,\sigma_1')$ + +We need to remember state $\sigma_2'$ and $sk_2$ for the third message. + +... + +For the $i$-th message: + +$(pk_i,sk_i)\gets Gen'(1^n)$ + +$Sign_{sk}(m_i):\sigma_i\gets Sign_{sk_{i-1}}(m_i||pk_{i-1})$, return $\sigma_i'=(i-1,m_i,pk_{i-1},\sigma_{i-1}')$ + +We need to remember state $\sigma_i'$ and $sk_i$ for the $(i+1)$-th message. + +$Ver_{pk}:(m_i,(i,m_i,p_k,\sigma_i,\sigma_{i-1}))$ Will need to verify all the states public keys so far. + +$$ +Ver_{pk_0}(m_1||pk_1, \sigma_1) = \text{ Accept}\\ +Ver_{pk_1}(m_2||pk_2, \sigma_2) = \text{ Accept}\\ +\vdots\\ +Ver_{pk_i}(m_i||pk_i, \sigma_i) = \text{ Accept} +$$ + +Proof on homework. + +Drawbacks: + +- Signature size and verification time grows linearly with the number of messages. +- Memory for signing grows linearly with the number of messages. + +These can be fixed. + +Question: Note that the signature signing message longer than the public key, which is impossible in Lamport Scheme.