125 lines
3.9 KiB
Markdown
125 lines
3.9 KiB
Markdown
# Lecture 19
|
|
|
|
## Chapter 5: Authentication
|
|
|
|
### One-Time Secure Digital Signature
|
|
|
|
#### Definition 136.2 (Security of Digital Signature)
|
|
|
|
A digital signature scheme is $(Gen, Sign, Ver)$ is secure if for all n.u.p.p.t. $\mathcal{A}$, there exists a negligible function $\epsilon(n)$ such that $\forall n\in\mathbb{N}$,
|
|
|
|
$$
|
|
P[(pk,sk)\gets Gen(1^n); (m,\sigma)\gets\mathcal{A}^{Sign_{sk}(\cdot)}(1^n); \mathcal{A}\textup{ did not query }m\textup{ and } Ver_{pk}(m,\sigma)=\textup{``Accept''}]\leq \frac{1}{p(n)}+\epsilon(n)
|
|
$$
|
|
|
|
A digital signature scheme is one-time secure if it is secure and the adversary makes only one query to the signing oracle.
|
|
|
|
### Lamport's One-Time Signature
|
|
|
|
Given a one-way function $f$, we can create a signature scheme as follows:
|
|
|
|
We construct a key pair $(sk, pk)$ as follows:
|
|
|
|
$sk$ is two list of random bits,
|
|
|
|
where $sk_0=\{\bar{x_1}^0, \bar{x_2}^0, \ldots, \bar{x_n}^0\}$
|
|
|
|
and $sk_1=\{\bar{x_1}^1, \bar{x_2}^1, \ldots, \bar{x_n}^1\}$.
|
|
|
|
$pk$ is the image of $sk$ under $f$, i.e. $pk = f(sk)$.
|
|
|
|
where $pk_0 = \{f(\bar{x_1}^0), f(\bar{x_2}^0), \ldots, f(\bar{x_n}^0)\}$
|
|
|
|
and $pk_1 = \{f(\bar{x_1}^1), f(\bar{x_2}^1), \ldots, f(\bar{x_n}^1)\}$.
|
|
|
|
To sign a message $m\in\{0,1\}^n$, we output the signature $Sign_{sk}(m=m_1m_2\ldots m_n) = \{\bar{x_1}^{m_1}, \bar{x_2}^{m_2}, \ldots, \bar{x_n}^{m_n}\}$.
|
|
|
|
To verify a signature $\sigma$ on $m$, we check if $f(\sigma) = pk_m$.
|
|
|
|
This is not more than one-time secure since the adversary can ask oracle for $Sign_{sk}(0^n)$ and $Sign_{sk}(1^n)$ to reveal list $pk_0$ and $pk_1$ to sign any message.
|
|
|
|
We will show it is one-time secure
|
|
|
|
Ideas of proof:
|
|
|
|
Say their query is $Sign_{sk}(0^n)$ and reveals $pk_0$.
|
|
|
|
Now must sign $m\neq 0^n$. There must be a 1, somewhere in the message. Say the $i$th bit is the first 1. then they need to produce $x'$ such that $f(x_i)=f(x_i')$, which inverts the one-way function.
|
|
|
|
Proof of one-time security:
|
|
|
|
Suppose there exists an adversary $\mathcal{A}$ that can produce a valid signature on a different message after one query to oracle with non-negligible probability $\mu>\frac{1}{p(n)}$.
|
|
|
|
We will design a function $B$ which use $\mathcal{A}$ to invert the one-way function with non-negligible probability.
|
|
|
|
Let $x\gets \{0,1\}^n$ be a random variable, $y=f(x)$.
|
|
|
|
B: input is $y$ and $1^n$. Our goal is to find $x'$ such that $f(x')=y$.
|
|
|
|
Create 2 lists:
|
|
|
|
$sk_0=\{x_0^0, x_1^0, \ldots, x_{n-1}^0\}$
|
|
|
|
$sk_1=\{x_0^1, x_1^1, \ldots, x_{n-1}^1\}$
|
|
|
|
Then we pick a random $(c,i)\gets \{0,1\}^n\times [n]$. ($2n$ possibilities)
|
|
|
|
Replace $f(x_i^c)$ with $y$.
|
|
|
|
Return $sk_c$ with None.
|
|
|
|
Run $\mathcal{A}$ on input $y$ and $1^n$. It will query $Sign_{sk}$ on some message $m$.
|
|
|
|
Case 1: $m_i=1-c$
|
|
|
|
We can answer with all of $x_1^{m_1}, x_2^{m_2}, \ldots, x_{1-c}^{m_{1-c}}, \ldots, x_n^{m_n}$
|
|
|
|
Case 2: $m_i=c$
|
|
|
|
We must abort we don't know what to do.
|
|
|
|
Since $\mathcal{A}$ outputs $(m',\sigma)$ with non-negligible probability, we are hoping that $m_i'=c$. Then it's attempting to provide $x\to y$
|
|
|
|
Since $m'$ differs at most 1 bit from $m$, we have $x\to y$ with probability $P[m_i'=c]\geq \frac{1}{n}$.
|
|
|
|
$\sigma=(x_1^1,x_2^1,\ldots,x_n^1)$
|
|
|
|
Check if $f(\sigma)=y$. If so, output $x'$. (all correct with prob $\geq \frac{1}{p(n)}$)
|
|
|
|
If not, try again.
|
|
|
|
$B$ inverts $f$ with prob $\geq \frac{1}{p(n)}$
|
|
|
|
### Collision Resistant Hash Functions (CRHF)
|
|
|
|
We now have one-time secure signature scheme.
|
|
|
|
We want one-time secure signature scheme that increase the size of messages relative to the keys.
|
|
|
|
Let $H:\{h_i:D_i\to R_i\}_{i\in I}$ be a family of CRHF if
|
|
|
|
Easy to pick:
|
|
|
|
$Gen(1^n)$: outputs $i\in I$ (p,p,t)
|
|
|
|
Compression
|
|
|
|
$|R_i|<|D_i|$ for each $i\in I$
|
|
|
|
Easy to compute:
|
|
|
|
Can computer $h_i(x),\forall i,x\in D_i$ with a p.p.t
|
|
|
|
Collision resistant:
|
|
|
|
$\forall n.u.p.p.t \mathcal{A}$, $\forall n$,
|
|
|
|
$$
|
|
P[i\gets Gen(1^n); (x_1,x_2)\gets \mathcal{A}(1^n,i): h_i(x_1)=h_i(x_2)\land x_1\neq x_2]\leq \epsilon(n)
|
|
$$
|
|
|
|
CRHF implies one-way function.
|
|
|
|
But not the other way around. (CRHF is a stronger notion than one-way function.)
|
|
|