3.9 KiB
Lecture 19
Chapter 5: Authentication
One-Time Secure Digital Signature
Definition 136.2 (Security of Digital Signature)
A digital signature scheme is (Gen, Sign, Ver) is secure if for all n.u.p.p.t. \mathcal{A}, there exists a negligible function \epsilon(n) such that \forall n\in\mathbb{N},
P[(pk,sk)\gets Gen(1^n); (m,\sigma)\gets\mathcal{A}^{Sign_{sk}(\cdot)}(1^n); \mathcal{A}\textup{ did not query }m\textup{ and } Ver_{pk}(m,\sigma)=\textup{``Accept''}]\leq \frac{1}{p(n)}+\epsilon(n)
A digital signature scheme is one-time secure if it is secure and the adversary makes only one query to the signing oracle.
Lamport's One-Time Signature
Given a one-way function f, we can create a signature scheme as follows:
We construct a key pair (sk, pk) as follows:
sk is two list of random bits,
where sk_0=\{\bar{x_1}^0, \bar{x_2}^0, \ldots, \bar{x_n}^0\}
and sk_1=\{\bar{x_1}^1, \bar{x_2}^1, \ldots, \bar{x_n}^1\}.
pk is the image of sk under f, i.e. pk = f(sk).
where pk_0 = \{f(\bar{x_1}^0), f(\bar{x_2}^0), \ldots, f(\bar{x_n}^0)\}
and pk_1 = \{f(\bar{x_1}^1), f(\bar{x_2}^1), \ldots, f(\bar{x_n}^1)\}.
To sign a message m\in\{0,1\}^n, we output the signature Sign_{sk}(m=m_1m_2\ldots m_n) = \{\bar{x_1}^{m_1}, \bar{x_2}^{m_2}, \ldots, \bar{x_n}^{m_n}\}.
To verify a signature \sigma on m, we check if f(\sigma) = pk_m.
This is not more than one-time secure since the adversary can ask oracle for Sign_{sk}(0^n) and Sign_{sk}(1^n) to reveal list pk_0 and pk_1 to sign any message.
We will show it is one-time secure
Ideas of proof:
Say their query is Sign_{sk}(0^n) and reveals pk_0.
Now must sign m\neq 0^n. There must be a 1, somewhere in the message. Say the $i$th bit is the first 1. then they need to produce x' such that f(x_i)=f(x_i'), which inverts the one-way function.
Proof of one-time security:
Suppose there exists an adversary \mathcal{A} that can produce a valid signature on a different message after one query to oracle with non-negligible probability \mu>\frac{1}{p(n)}.
We will design a function B which use \mathcal{A} to invert the one-way function with non-negligible probability.
Let x\gets \{0,1\}^n be a random variable, y=f(x).
B: input is y and 1^n. Our goal is to find x' such that f(x')=y.
Create 2 lists:
sk_0=\{x_0^0, x_1^0, \ldots, x_{n-1}^0\}
sk_1=\{x_0^1, x_1^1, \ldots, x_{n-1}^1\}
Then we pick a random (c,i)\gets \{0,1\}^n\times [n]. (2n possibilities)
Replace f(x_i^c) with y.
Return sk_c with None.
Run \mathcal{A} on input y and 1^n. It will query Sign_{sk} on some message m.
Case 1: m_i=1-c
We can answer with all of x_1^{m_1}, x_2^{m_2}, \ldots, x_{1-c}^{m_{1-c}}, \ldots, x_n^{m_n}
Case 2: m_i=c
We must abort we don't know what to do.
Since \mathcal{A} outputs (m',\sigma) with non-negligible probability, we are hoping that m_i'=c. Then it's attempting to provide x\to y
Since m' differs at most 1 bit from m, we have x\to y with probability P[m_i'=c]\geq \frac{1}{n}.
\sigma=(x_1^1,x_2^1,\ldots,x_n^1)
Check if f(\sigma)=y. If so, output x'. (all correct with prob \geq \frac{1}{p(n)})
If not, try again.
B inverts f with prob \geq \frac{1}{p(n)}
Collision Resistant Hash Functions (CRHF)
We now have one-time secure signature scheme.
We want one-time secure signature scheme that increase the size of messages relative to the keys.
Let H:\{h_i:D_i\to R_i\}_{i\in I} be a family of CRHF if
Easy to pick:
Gen(1^n): outputs i\in I (p,p,t)
Compression
|R_i|<|D_i| for each i\in I
Easy to compute:
Can computer h_i(x),\forall i,x\in D_i with a p.p.t
Collision resistant:
\forall n.u.p.p.t \mathcal{A}, \forall n,
P[i\gets Gen(1^n); (x_1,x_2)\gets \mathcal{A}(1^n,i): h_i(x_1)=h_i(x_2)\land x_1\neq x_2]\leq \epsilon(n)
CRHF implies one-way function.
But not the other way around. (CRHF is a stronger notion than one-way function.)