# CSE442T Lecture 19

## Chapter 5: Authentication

### One-Time Secure Digital Signature

#### Definition 136.2 (Security of Digital Signature)

A digital signature scheme is $(Gen, Sign, Ver)$ is secure if for all n.u.p.p.t. $\mathcal{A}$, there exists a negligible function $\epsilon(n)$ such that $\forall n\in\mathbb{N}$,

$$
P[(pk,sk)\gets Gen(1^n); (m,\sigma)\gets\mathcal{A}^{Sign_{sk}(\cdot)}(1^n); \mathcal{A}\textup{ did not query }m\textup{ and } Ver_{pk}(m,\sigma)=\textup{``Accept''}]\leq \frac{1}{p(n)}+\epsilon(n)
$$

A digital signature scheme is one-time secure if it is secure and the adversary makes only one query to the signing oracle.

### Lamport's One-Time Signature

Given a one-way function $f$, we can create a signature scheme as follows:

We construct a key pair $(sk, pk)$ as follows:

$sk$ is two list of random bits, 

where $sk_0=\{\bar{x_1}^0, \bar{x_2}^0, \ldots, \bar{x_n}^0\}$ 

and $sk_1=\{\bar{x_1}^1, \bar{x_2}^1, \ldots, \bar{x_n}^1\}$.

$pk$ is the image of $sk$ under $f$, i.e. $pk = f(sk)$.

where $pk_0 = \{f(\bar{x_1}^0), f(\bar{x_2}^0), \ldots, f(\bar{x_n}^0)\}$

and $pk_1 = \{f(\bar{x_1}^1), f(\bar{x_2}^1), \ldots, f(\bar{x_n}^1)\}$.

To sign a message $m\in\{0,1\}^n$, we output the signature $Sign_{sk}(m=m_1m_2\ldots m_n) = \{\bar{x_1}^{m_1}, \bar{x_2}^{m_2}, \ldots, \bar{x_n}^{m_n}\}$.

To verify a signature $\sigma$ on $m$, we check if $f(\sigma) = pk_m$.

This is not more than one-time secure since the adversary can ask oracle for $Sign_{sk}(0^n)$ and $Sign_{sk}(1^n)$ to reveal list $pk_0$ and $pk_1$ to sign any message.

We will show it is one-time secure

Ideas of proof:

Say their query is $Sign_{sk}(0^n)$ and reveals $pk_0$. 

Now must sign $m\neq 0^n$. There must be a 1, somewhere in the message. Say the $i$th bit is the first 1. then they need to produce $x'$ such that $f(x_i)=f(x_i')$, which inverts the one-way function.

Proof of one-time security:

Suppose there exists an adversary $\mathcal{A}$ that can produce a valid signature on a different message after one query to oracle with non-negligible probability $\mu>\frac{1}{p(n)}$.

We will design a function $B$ which use $\mathcal{A}$ to invert the one-way function with non-negligible probability.

Let $x\gets \{0,1\}^n$ be a random variable, $y=f(x)$.

B: input is $y$ and $1^n$. Our goal is to find $x'$ such that $f(x')=y$.

Create 2 lists:

$sk_0=\{x_0^0, x_1^0, \ldots, x_{n-1}^0\}$

$sk_1=\{x_0^1, x_1^1, \ldots, x_{n-1}^1\}$

Then we pick a random $(c,i)\gets \{0,1\}^n\times [n]$. ($2n$ possibilities)

Replace $f(x_i^c)$ with $y$.

Return $sk_c$ with None.

Run $\mathcal{A}$ on input $y$ and $1^n$. It will query $Sign_{sk}$ on some message $m$.

Case 1: $m_i=1-c$

We can answer with all of $x_1^{m_1}, x_2^{m_2}, \ldots, x_{1-c}^{m_{1-c}}, \ldots, x_n^{m_n}$

Case 2: $m_i=c$

We must abort we don't know what to do.

Since $\mathcal{A}$ outputs $(m',\sigma)$ with non-negligible probability, we are hoping that $m_i'=c$. Then it's attempting to provide $x\to y$

Since $m'$ differs at most 1 bit from $m$, we have $x\to y$ with probability $P[m_i'=c]\geq \frac{1}{n}$.

$\sigma=(x_1^1,x_2^1,\ldots,x_n^1)$

Check if $f(\sigma)=y$. If so, output $x'$. (all correct with prob $\geq \frac{1}{p(n)}$)

If not, try again.

$B$ inverts $f$ with prob $\geq \frac{1}{p(n)}$

### Collision Resistant Hash Functions (CRHF)

We now have one-time secure signature scheme.

We want one-time secure signature scheme that increase the size of messages relative to the keys.

Let $H:\{h_i:D_i\to R_i\}_{i\in I}$ be a family of CRHF if

Easy to pick: 

$Gen(1^n)$: outputs $i\in I$ (p,p,t)

Compression

$|R_i|<|D_i|$ for each $i\in I$

Easy to compute:

Can computer $h_i(x),\forall i,x\in D_i$ with a p.p.t

Collision resistant:

$\forall n.u.p.p.t \mathcal{A}$, $\forall n$, 

$$
P[i\gets Gen(1^n); (x_1,x_2)\gets \mathcal{A}(1^n,i): h_i(x_1)=h_i(x_2)\land x_1\neq x_2]\leq \epsilon(n)
$$

CRHF implies one-way function.

But not the other way around. (CRHF is a stronger notion than one-way function.)