NoteNextra-origin/pages/CSE442T/CSE442T_L20.md
2024-11-18 16:49:46 -06:00


Lecture 20

Construction of CRHF (Collision Resistant Hash Function)

Goal: a CRHF h: \{0, 1\}^{n+1} \to \{0, 1\}^n, i.e. a function family that compresses by one bit and for which collisions are hard to find.

Based on the discrete log assumption, we can construct such a family H=\{h_{g,p,y}\}, h_{g,p,y}: \{0, 1\}^{n+1} \to \{0, 1\}^n, as follows:

Gen(1^n):(g,p,y)

p\in \tilde{\Pi}_n, i.e. p is an n-bit safe prime p=2q+1 with q prime

g is a generator of G_q, the subgroup of squares (quadratic residues) mod p, which has prime order q

y is a uniformly random element of G_q

h_{g,p,y}(x,b)=y^b g^x\mod p for x\in \mathbb{Z}_q (an n-bit string) and b\in\{0,1\}; the output is an element of G_q, written as an n-bit string

That is, h_{g,p,y}(x,b)=g^x\mod p if b=0, and y\cdot g^x\mod p if b=1.

Under the discrete log assumption, H is a CRHF.

  • It is easy to sample (g,p,y)
  • It is easy to compute
  • It compresses by 1 bit

Proof:

The hash function h is a CRHF

Suppose there exists an adversary \mathcal{A} that can break h with non-negligible probability \mu.


P[(p,g,y)\gets Gen(1^n);(x_1,b_1),(x_2,b_2)\gets \mathcal{A}(p,g,y):y^{b_1}g^{x_1}\equiv y^{b_2}g^{x_2}\mod p\land (x_1,b_1)\neq (x_2,b_2)]=\mu(n)>\frac{1}{p(n)}

where y^{b_1}g^{x_1}\equiv y^{b_2}g^{x_2}\mod p with (x_1,b_1)\neq (x_2,b_2) is a collision of h.

Suppose b_1=b_2.

Then y^{b_1}g^{x_1}\equiv y^{b_2}g^{x_2}\mod p implies g^{x_1}\equiv g^{x_2}\mod p.

So x_1=x_2 (g has order q and x_1,x_2\in\mathbb{Z}_q), hence (x_1,b_1)=(x_2,b_2), which is not a collision.

So b_1\neq b_2. Without loss of generality, say b_1=1 and b_2=0.

y\cdot g^{x_1}\equiv g^{x_2}\mod p implies y\equiv g^{x_2-x_1}\mod p.

We can create an adversary \mathcal{B} that breaks the discrete log assumption with non-negligible probability \mu(n) using \mathcal{A}.

\mathcal{B} receives a discrete log challenge (p,g,y), where p,g are chosen as in Gen and y=g^x\mod p for a uniformly random x\in\mathbb{Z}_q; its goal is to output x.

Let the algorithm \mathcal{B} be defined as follows:

function B(p,g,y):
    (x_1,b_1),(x_2,b_2)\gets \mathcal{A}(p,g,y)
    If (x_1,b_1)\neq (x_2,b_2), y^{b_1}g^{x_1}\equiv y^{b_2}g^{x_2}\mod p and b_1\neq b_2:
        If b_1=0: swap (x_1,b_1) and (x_2,b_2)      (so that b_1=1, b_2=0)
        Now y\cdot g^{x_1}\equiv g^{x_2}\mod p, i.e. y\equiv g^{x_2-x_1}\mod p
        return (x_2-x_1)\mod q
    Else:
        return "Failed"

P[B\text{ succeeds}]\geq P[A\text{ succeeds}]-\frac{1}{p(n)}>\frac{1}{p(n)}

So \mathcal{B} can break the discrete log assumption with non-negligible probability \mu(n), which contradicts the discrete log assumption.

So h is a CRHF.

EOP
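The construction and the reduction \mathcal{B} above, as an added example that is not part of the lecture notes: h_{g,p,y} is computed directly, a collision is produced from a known discrete log, and extract_dlog recovers that log from the collision. The checks assume the toy safe prime p=23 (q=11); the group arithmetic is plain modular exponentiation.

```python
# Added example, not from the lecture: the discrete-log CRHF h_{g,p,y}(x,b) = y^b g^x mod p
# and the reduction B that turns any collision with b_1 != b_2 into log_g(y).
# ASSUMPTION: the tests use the toy safe prime p = 23 = 2*11 + 1 (q = 11); the code itself
# is parameter-independent.
import math
import random

def is_safe_prime(p: int) -> bool:
    isprime = lambda n: n > 1 and all(n % d for d in range(2, math.isqrt(n) + 1))
    return p % 2 == 1 and isprime(p) and isprime((p - 1) // 2)

def gen(p: int, rng=random):
    """Gen(1^n): g generates G_q (the squares mod p), y = g^x for a uniform secret x in Z_q.
    x is returned only so the demo can check B's answer; Gen itself outputs (g, p, y)."""
    assert is_safe_prime(p)
    q = (p - 1) // 2
    s = rng.randrange(2, p - 1)            # s not in {+1, -1}, so s^2 != 1
    g = pow(s, 2, p)                       # G_q has prime order q: any g != 1 generates it
    x = rng.randrange(q)
    return (g, p, pow(g, x, p)), x

def h(g: int, p: int, y: int, x: int, b: int) -> int:
    """h_{g,p,y}(x, b) = y^b * g^x mod p for x in Z_q (n bits), b in {0,1}: n+1 bits -> n bits."""
    assert 0 <= x < (p - 1) // 2 and b in (0, 1)
    return (pow(y, b, p) * pow(g, x, p)) % p

def extract_dlog(g: int, p: int, y: int, pair1, pair2):
    """Algorithm B from the proof: given (x1,b1) != (x2,b2) with equal hashes, return log_g(y).
    Returns None if the pairs are not a genuine collision (b1 == b2 would force x1 == x2)."""
    q = (p - 1) // 2
    (x1, b1), (x2, b2) = pair1, pair2
    if pair1 == pair2 or b1 == b2 or h(g, p, y, x1, b1) != h(g, p, y, x2, b2):
        return None
    if b1 == 0:                            # WLOG b1 = 1, b2 = 0: swap otherwise
        x1, x2 = x2, x1
    return (x2 - x1) % q                   # y * g^x1 == g^x2  =>  y == g^(x2 - x1)

def collision_from_dlog(g: int, p: int, y: int, x: int, x1: int):
    """Knowing x = log_g(y) makes collisions trivial: (x1, 1) and (x1 + x mod q, 0) collide,
    because y * g^x1 = g^(x + x1). This only supplies a test input for extract_dlog."""
    q = (p - 1) // 2
    return (x1, 1), ((x1 + x) % q, 0)
```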

To compress by more, say h_k:\{0,1\}^n\to \{0,1\}^{n-k}, k\geq 1, then we can use h: \{0,1\}^{n+1}\to \{0,1\}^n multiple times.


h_k(x)=h(h(\cdots(h(x)))\cdots)=h^{k}(x)

To find a collision of h_k, the adversary must find a collision of h.

Application of CRHF to Digital Signature

Digital signature scheme on \{0,1\}^* for a fixed security parameter n (one-time secure), built from a scheme on fixed-length messages.

  • Use Digital Signature Scheme on \{0,1\}^{n}: Gen, Sign, Ver.
  • Use CRHF family \{h_i:\{0,1\}^*\to \{0,1\}^n\}_{i\in I}

Gen'(1^n):(pk,sk)\gets Gen(1^n), choose i\in I uniformly at random.

sk'=(sk,i)

Sign'_{sk'}(m):\sigma\gets Sign_{sk}(h_i(m)), return (i,\sigma)

pk'=(pk,i)

Ver'_{pk'}(m,(i,\sigma)): accept iff i matches the index in pk' (i\in I) and Ver_{pk}(h_i(m),\sigma) accepts

One-time secure:

  • Given that (Gen,Sign,Ver) is one-time secure
  • h is a CRHF

Then (Gen',Sign',Ver') is one-time secure.

Idea of Proof:

If the digital signature scheme (Gen',Sign',Ver') is not one-time secure, then there exists an adversary \mathcal{A} which asks the signing oracle for one signature on a message m_1 of its choice and receives \sigma_1=Sign'_{sk'}(m_1)=(i,Sign_{sk}(h_i(m_1))).

  • It then outputs m_2\neq m_1 together with \sigma_2=(i,\sigma) that is accepted as a signature on m_2 with non-negligible probability.
  • If Ver'_{pk'}(m_2,\sigma_2) accepts, then i\in I matches pk' and Ver_{pk}(h_i(m_2),\sigma) accepts, so \sigma is a valid Sign_{sk} signature on h_i(m_2).

There are two cases to consider:

Case 1: h_i(m_1)=h_i(m_2). Then m_1\neq m_2 hash to the same value, so \mathcal{A} has found a collision of h_i, contradicting that h is a CRHF.

Case 2: h_i(m_1)\neq h_i(m_2). Then \mathcal{A} produced a valid signature on the new message h_i(m_2) after seeing only one signature, on h_i(m_1)\neq h_i(m_2). This contradicts the one-time security of (Gen,Sign,Ver).

EOP

Many-time Secure Digital Signature

Using a one-time secure digital signature scheme (Gen',Sign',Ver') on \{0,1\}^* to construct a many-time secure digital signature scheme (Gen,Sign,Ver) on \{0,1\}^*.

Let Gen, Sign, Ver be defined as follows:

Gen(1^n): (pk_0,sk_0)\gets Gen'(1^n), set pk=pk_0 and sk=sk_0.

For the first message:

(pk_1,sk_1)\gets Gen'(1^n)

Sign_{sk}(m_1):\sigma_1\gets Sign_{sk_0}(m_1||pk_1), return \sigma_1'=(1,m_1,pk_1,\sigma_1)

We need to remember state \sigma_1' and sk_1 for the second message.

For the second message:

(pk_2,sk_2)\gets Gen'(1^n)

Sign_{sk}(m_2):\sigma_2\gets Sign_{sk_1}(m_2||pk_2), return \sigma_2'=(2,m_2,pk_2,\sigma_2,\sigma_1')

We need to remember state \sigma_2' and sk_2 for the third message.

...

For the i-th message:

(pk_i,sk_i)\gets Gen'(1^n)

Sign_{sk}(m_i):\sigma_i\gets Sign_{sk_{i-1}}(m_i||pk_i), return \sigma_i'=(i,m_i,pk_i,\sigma_i,\sigma_{i-1}')

We need to remember state \sigma_i' and sk_i for the (i+1)-th message; each one-time key sk_{i-1} is used to sign exactly one message.

Ver_{pk}(m_i,\sigma_i'): parse \sigma_i'=(i,m_i,pk_i,\sigma_i,\sigma_{i-1}'), which contains all the public keys so far, and verify every link of the chain starting from pk=pk_0:

Ver_{pk_0}(m_1||pk_1, \sigma_1) = \text{Accept}
Ver_{pk_1}(m_2||pk_2, \sigma_2) = \text{Accept}
\vdots
Ver_{pk_{i-1}}(m_i||pk_i, \sigma_i) = \text{Accept}

Proof on homework.

Drawbacks:

  • Signature size and verification time grows linearly with the number of messages.
  • Memory for signing grows linearly with the number of messages.

These can be fixed.
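As an added example that is not from the lecture, the hash-then-sign one-time scheme of the previous section and the chained many-time scheme of this one, in Python: a Lamport one-time signature stands in for (Gen,Sign,Ver) on \{0,1\}^{256}, and SHA-256(i||m) with a random index i is assumed in place of the CRHF family h_i. The returned chain signature shows the linear growth listed under the drawbacks.

```python
# Added example, not from the lecture: hash-then-sign (Gen', Sign', Ver') over a Lamport
# one-time signature, plus the chained many-time scheme built from it. ASSUMPTIONS: SHA-256
# stands in for the CRHF family via h_i(m) = SHA-256(i || m), i a random 16-byte index kept
# inside pk' and sk' rather than repeated in every signature.
import hashlib
import os

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()
def bit(d: bytes, j: int) -> int:
    return (d[j // 8] >> (7 - j % 8)) & 1

# (Gen', Sign', Ver') on {0,1}^*: Lamport on n = 256 bits, applied to h_i(m)
def ots_gen():
    i = os.urandom(16)                                          # index i of h_i
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(s0), H(s1)) for s0, s1 in sk]
    return (pk, i), (sk, i)                                     # pk' = (pk, i), sk' = (sk, i)
def ots_sign(sk_, m: bytes):
    sk, i = sk_
    d = H(i + m)                                                # h_i(m)
    return [sk[j][bit(d, j)] for j in range(256)]
def ots_ver(pk_, m: bytes, sig) -> bool:
    pk, i = pk_
    d = H(i + m)
    return len(sig) == 256 and all(H(sig[j]) == pk[j][bit(d, j)] for j in range(256))
def encode_pk(pk_) -> bytes:                                    # fixed length, so m || pk parses
    pk, i = pk_
    return i + b"".join(a + b for a, b in pk)

# Many-time scheme: m_j || pk_j is signed under sk_{j-1}; sigma'_j carries the whole chain
class ChainSigner:
    def __init__(self):
        self.pk0, self._sk_prev = ots_gen()                     # (pk_0, sk_0); pk = pk_0
        self._chain = []                                        # state kept between messages
    def sign(self, m: bytes):
        pk_j, sk_j = ots_gen()                                  # (pk_j, sk_j) <- Gen'(1^n)
        sigma_j = ots_sign(self._sk_prev, m + encode_pk(pk_j))  # Sign_{sk_{j-1}}(m_j || pk_j)
        self._chain.append((m, pk_j, sigma_j))
        self._sk_prev = sk_j                                    # each one-time key signs once
        return list(self._chain)                                # sigma'_j grows linearly in j

def chain_verify(pk0, m: bytes, sig) -> bool:
    pk_prev = pk0                                               # Ver_{pk_0}: check every link
    for m_j, pk_j, sigma_j in sig:
        if not ots_ver(pk_prev, m_j + encode_pk(pk_j), sigma_j):
            return False
        pk_prev = pk_j                                          # next link is under pk_j
    return bool(sig) and sig[-1][0] == m
```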

Question: note that the one-time scheme here signs m_i||pk_i, a message longer than the public key pk_{i-1} it is verified under, which is impossible in the Lamport scheme on its own; this is why the hash-then-sign construction above is needed.