Update CSE442T_L20.md

pages/CSE442T/CSE442T_L20.md

@@ -1,6 +1,6 @@
 # Lecture 20
 
-## Construction of CRHF (Compression Resistant Hash Function)
+## Construction of CRHF (Collision Resistant Hash Function)
 
 Let $h: \{0, 1\}^{n+1} \to \{0, 1\}^n$ be a CRHF.
 
@@ -24,7 +24,9 @@ Under the discrete log assumption, $H$ is a CRHF.
 - It is easy to compute
 - Compressing by 1 bit
 
-Proof it is a CRHF:
+Proof:
+
+The hash function $h$ is a CRHF
 
 Suppose there exists an adversary $\mathcal{A}$ that can break $h$ with non-negligible probability $\mu$.
 
@@ -67,3 +69,106 @@ $$
 So $\mathcal{B}$ can break the discrete log assumption with non-negligible probability $\mu(n)$, which contradicts the discrete log assumption.
 
 So $h$ is a CRHF.
+
+EOP
+
+To compress by more, say $h_k:{0,1}^n\to \{0,1\}^{n-k},k\geq 1$, then we can use $h: \{0,1\}^{n+1}\to \{0,1\}^n$ multiple times.
+
+$$
+h_k(x)=h(h(\cdots(h(x)))\cdots)=h^{k}(x)
+$$
+
+To find a collision of $h_k$, the adversary must find a collision of $h$.
+
+### Application of CRHF to Digital Signature
+
+Digital signature scheme on $\{0,1\}^*$ for a fixed security parameter $n$. (one-time secure)
+
+- Use Digital Signature Scheme on $\{0,1\}^{n}$: $Gen, Sign, Ver$.
+- Use CRHF family $\{h_i:\{0,1\}^*\to \{0,1\}^n\}_{i\in I}$
+
+$Gen'(1^n):(pk,sk)\gets Gen(1^n)$, choose $i\in I$ uniformly at random.
+
+$sk'=(sk,i)$
+
+$Sign'_{sk'}(m):\sigma\gets Sign_{sk}(h_i(m))$, return $(i,\sigma)$
+
+$pk'=(pk,i)$
+
+$Ver'_{pk'}(m,(i,\sigma)):Ver_{pk}(m,\sigma)$ and $i\in I$
+
+One-time secure:
+
+- Given that ($Gen,Sign,Ver$) is one-time secure
+- $h$ is a CRHF
+
+Then ($Gen',Sign',Ver'$) is one-time secure.
+
+Idea of Proof:
+
+If the digital signature scheme ($Gen',Sign',Ver'$) is not one-time secure, then there exists an adversary $\mathcal{A}$ which can ask oracle for one signature on $m_1$ and receive $\sigma_1=Sign'_{sk'}(m_1)=Sign_{sk}(h_i(m_1))$.
+
+- It outputs $m_2\neq m_1$ and receives $\sigma_2=Sign'_{sk'}(m_2)=Sign_{sk}(h_i(m_2))$.
+- If $Ver'_{pk'}(m_2,\sigma_2)$ is accepted, then $Ver_{pk}(h_i(m_2),\sigma_2)$ is accepted and $i\in I$.
+
+There are two cases to consider:
+
+Case 1: $h_i(m_1)=h_i(m_2)$, Then $\mathcal{A}$ finds a collision of $h$.
+
+Case 2: $h_i(m_1)\neq h_i(m_2)$, Then $\mathcal{A}$ produced valid signature on $h_i(m_2)$ after only seeing $Sign'_{sk'}(m_1)\neq Sign'_{sk'}(m_2)$. This contradicts the one-time secure of ($Gen,Sign,Ver$).
+
+EOP
+
+## Many-time Secure Digital Signature
+
+Using one-time secure digital signature scheme on $\{0,1\}^*$ to construct many-time secure digital signature scheme on $\{0,1\}^*$.
+
+Let $Gen,Sign,Ver$ defined as follows:
+
+$Gen(1^n):(pk,sk)\gets (pk_0,sk_0)
+
+For the first message:
+
+$(pk_1,sk_1)\gets Gen'(1^n)$
+
+$Sign_{sk}(m_1):\sigma_1\gets Sign_{sk_0}(m_1||pk_1)$, return $\sigma_1'=(1,m_1,pk_1,\sigma_1)$
+
+We need to remember state $\sigma_1'$ and $sk_1$ for the second message.
+
+For the second message:
+
+$(pk_2,sk_2)\gets Gen'(1^n)$
+
+$Sign_{sk}(m_2):\sigma_2\gets Sign_{sk_1}(m_2||pk_0)$, return $\sigma_2'=(0,m_2,pk_0,\sigma_1')$
+
+We need to remember state $\sigma_2'$ and $sk_2$ for the third message.
+
+...
+
+For the $i$-th message:
+
+$(pk_i,sk_i)\gets Gen'(1^n)$
+
+$Sign_{sk}(m_i):\sigma_i\gets Sign_{sk_{i-1}}(m_i||pk_{i-1})$, return $\sigma_i'=(i-1,m_i,pk_{i-1},\sigma_{i-1}')$
+
+We need to remember state $\sigma_i'$ and $sk_i$ for the $(i+1)$-th message.
+
+$Ver_{pk}:(m_i,(i,m_i,p_k,\sigma_i,\sigma_{i-1}))$ Will need to verify all the states public keys so far.
+
+$$
+Ver_{pk_0}(m_1||pk_1, \sigma_1) = \text{ Accept}\\
+Ver_{pk_1}(m_2||pk_2, \sigma_2) = \text{ Accept}\\
+\vdots\\
+Ver_{pk_i}(m_i||pk_i, \sigma_i) = \text{ Accept}
+$$
+
+Proof on homework.
+
+Drawbacks:
+
+- Signature size and verification time grows linearly with the number of messages.
+- Memory for signing grows linearly with the number of messages.
+
+These can be fixed.
+
+Question: Note that the signature signing message longer than the public key, which is impossible in Lamport Scheme.