Foundation of Cryptography, Lecture 5 MACs and Signatures Iftach - PowerPoint PPT Presentation

Length-restricted MAC = ⇒ MAC Construction 13 (Length restricted MAC = ⇒ MAC) Let ( Gen , Mac , Vrfy ) be a length-restricted MAC, and let H = {H n : { 0 , 1 } ∗ �→ { 0 , 1 } n } be an efficient function family. Gen ′ ( 1 n ) : Sample k ← Gen ( 1 n ) and h ← H n . Output k ′ = ( k , h ) Mac ′ k , h ( m ) = Mac k ( h ( m )) Vrfy ′ k , h ( t , m ) = Vrfy k ( t , h ( m )) Claim 14 Assume H is an efficient collision-resistant family and ( Gen , Mac , Vrfy ) is existential unforgeable, then ( Gen ′ , Mac ′ , Vrfy ′ ) is existential unforgeable MAC. Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 14 / 39

Length-restricted MAC = ⇒ MAC Construction 13 (Length restricted MAC = ⇒ MAC) Let ( Gen , Mac , Vrfy ) be a length-restricted MAC, and let H = {H n : { 0 , 1 } ∗ �→ { 0 , 1 } n } be an efficient function family. Gen ′ ( 1 n ) : Sample k ← Gen ( 1 n ) and h ← H n . Output k ′ = ( k , h ) Mac ′ k , h ( m ) = Mac k ( h ( m )) Vrfy ′ k , h ( t , m ) = Vrfy k ( t , h ( m )) Claim 14 Assume H is an efficient collision-resistant family and ( Gen , Mac , Vrfy ) is existential unforgeable, then ( Gen ′ , Mac ′ , Vrfy ′ ) is existential unforgeable MAC. Proof : ? Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 14 / 39

Part II Signature Schemes Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 15 / 39

Signature schemes Definition 15 (Signature schemes) A trippet of PPT ’s ( Gen , Sign , Vrfy ) such that Gen ( 1 n ) : output a pair of keys ( s , v ) ∈ { 0 , 1 } ∗ × { 0 , 1 } ∗ 1 Sign ( s , m ) : output a “signature" σ ∈ { 0 , 1 } ∗ 2 Vrfy ( v , m , σ ) : output 1 (YES) or 0 (NO) 3 Consistency: Vrfy v ( m , σ ) = 1 for any ( s , v ) ∈ Supp ( Gen ( 1 n )) , m ∈ { 0 , 1 } ∗ and σ ∈ Supp ( Sign s ( m )) Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 16 / 39

Signature schemes Definition 15 (Signature schemes) A trippet of PPT ’s ( Gen , Sign , Vrfy ) such that Gen ( 1 n ) : output a pair of keys ( s , v ) ∈ { 0 , 1 } ∗ × { 0 , 1 } ∗ 1 Sign ( s , m ) : output a “signature" σ ∈ { 0 , 1 } ∗ 2 Vrfy ( v , m , σ ) : output 1 (YES) or 0 (NO) 3 Consistency: Vrfy v ( m , σ ) = 1 for any ( s , v ) ∈ Supp ( Gen ( 1 n )) , m ∈ { 0 , 1 } ∗ and σ ∈ Supp ( Sign s ( m )) Definition 16 (Existential unforgability) A signature scheme is existential unforgeable (EU), if ∀ PPT A Pr [ Vrfy v ( m , σ ) = 1 ∧ Sign s was not asked on m ] = neg ( n ) ( s , v ) ← Gen ( 1 n ) ( m ,σ ) ← ASign s ( 1 n , v ) Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 16 / 39

Signature schemes cont. Signature = ⇒ MAC Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 17 / 39

Signature schemes cont. Signature = ⇒ MAC “Harder" to construct than MACs: (even restricted forms) require OWF Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 17 / 39

Signature schemes cont. Signature = ⇒ MAC “Harder" to construct than MACs: (even restricted forms) require OWF Oracle access to Vrfy is not given Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 17 / 39

Signature schemes cont. Signature = ⇒ MAC “Harder" to construct than MACs: (even restricted forms) require OWF Oracle access to Vrfy is not given Strong existential unforgeable signatures (for short, strong signatures): infeasible to generate new valid signatures (even for message for which a signature was asked) Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 17 / 39

Signature schemes cont. Signature = ⇒ MAC “Harder" to construct than MACs: (even restricted forms) require OWF Oracle access to Vrfy is not given Strong existential unforgeable signatures (for short, strong signatures): infeasible to generate new valid signatures (even for message for which a signature was asked) Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 17 / 39

Signature schemes cont. Signature = ⇒ MAC “Harder" to construct than MACs: (even restricted forms) require OWF Oracle access to Vrfy is not given Strong existential unforgeable signatures (for short, strong signatures): infeasible to generate new valid signatures (even for message for which a signature was asked) Theorem 17 OWFs imply strong existential unforgeable signatures. Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 17 / 39

Section 2 OWFs = ⇒ Signatures Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 18 / 39

Subsection 1 One-time signatures Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 19 / 39

Length-restricted signatures Definition 18 (length-restricted signatures) Same as in Definition 15, but for ( s , v ) ∈ Supp ( G ( 1 n )) , Sign s and Vrfy v only accept messages of length n . Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 20 / 39

Bounded-query signatures Definition 19 ( ℓ -time signatures) A signature scheme is existential unforgeable against ℓ -query (for short, ℓ -time signature), if it is existential unforgeable as in Definition 16, but A can only ask for ℓ queries. Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 21 / 39

Bounded-query signatures Definition 19 ( ℓ -time signatures) A signature scheme is existential unforgeable against ℓ -query (for short, ℓ -time signature), if it is existential unforgeable as in Definition 16, but A can only ask for ℓ queries. Claim 20 Assuming CRH exists, then length restricted k -time signatures can be used to construct k -time signatures. Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 21 / 39

Bounded-query signatures Definition 19 ( ℓ -time signatures) A signature scheme is existential unforgeable against ℓ -query (for short, ℓ -time signature), if it is existential unforgeable as in Definition 16, but A can only ask for ℓ queries. Claim 20 Assuming CRH exists, then length restricted k -time signatures can be used to construct k -time signatures. Proof : ? Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 21 / 39

Bounded-query signatures Definition 19 ( ℓ -time signatures) A signature scheme is existential unforgeable against ℓ -query (for short, ℓ -time signature), if it is existential unforgeable as in Definition 16, but A can only ask for ℓ queries. Claim 20 Assuming CRH exists, then length restricted k -time signatures can be used to construct k -time signatures. Proof : ? Proposition 21 Wlg, the signer of a k -time signature scheme, for fixed k , is deterministic Proof : ? Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 21 / 39

OWF = ⇒ length-restricted one-time signatures Construction 22 (length-restricted, one-time signature) Let f : { 0 , 1 } n �→ { 0 , 1 } n . Gen ( 1 n ) : 1 s 0 1 , s 1 1 , . . . , s 0 n , s 1 n ← { 0 , 1 } n , 1 � � s 0 1 , s 1 1 , . . . , s 0 n , s 1 s = 2 n � � v 0 1 = f ( s 0 1 ) , v 1 1 = f ( s 1 1 ) , . . . , v 0 n = f ( s 0 n ) , v 1 n = f ( s 1 Output v = n ) 3 Sign ( s , m ) : σ = ( s m 1 1 , . . . , s m n n ) 2 Vrfy ( v , m , σ = ( σ 1 , . . . , σ n )) : check that f ( σ i ) = v m i for all i ∈ [ n ] 3 i Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 22 / 39

OWF = ⇒ length-restricted one-time signatures Construction 22 (length-restricted, one-time signature) Let f : { 0 , 1 } n �→ { 0 , 1 } n . Gen ( 1 n ) : 1 s 0 1 , s 1 1 , . . . , s 0 n , s 1 n ← { 0 , 1 } n , 1 � � s 0 1 , s 1 1 , . . . , s 0 n , s 1 s = 2 n � � v 0 1 = f ( s 0 1 ) , v 1 1 = f ( s 1 1 ) , . . . , v 0 n = f ( s 0 n ) , v 1 n = f ( s 1 Output v = n ) 3 Sign ( s , m ) : σ = ( s m 1 1 , . . . , s m n n ) 2 Vrfy ( v , m , σ = ( σ 1 , . . . , σ n )) : check that f ( σ i ) = v m i for all i ∈ [ n ] 3 i Lemma 23 If f is a OWF , then Construction 22 is a length restricted one-time signature scheme. Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 22 / 39

OWF = ⇒ length-restricted one-time signatures Construction 22 (length-restricted, one-time signature) Let f : { 0 , 1 } n �→ { 0 , 1 } n . Gen ( 1 n ) : 1 s 0 1 , s 1 1 , . . . , s 0 n , s 1 n ← { 0 , 1 } n , 1 � � s 0 1 , s 1 1 , . . . , s 0 n , s 1 s = 2 n � � v 0 1 = f ( s 0 1 ) , v 1 1 = f ( s 1 1 ) , . . . , v 0 n = f ( s 0 n ) , v 1 n = f ( s 1 Output v = n ) 3 Sign ( s , m ) : σ = ( s m 1 1 , . . . , s m n n ) 2 Vrfy ( v , m , σ = ( σ 1 , . . . , σ n )) : check that f ( σ i ) = v m i for all i ∈ [ n ] 3 i Lemma 23 If f is a OWF , then Construction 22 is a length restricted one-time signature scheme. Is this a strong signature scheme? Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 22 / 39

OWF = ⇒ length-restricted one-time signatures Construction 22 (length-restricted, one-time signature) Let f : { 0 , 1 } n �→ { 0 , 1 } n . Gen ( 1 n ) : 1 s 0 1 , s 1 1 , . . . , s 0 n , s 1 n ← { 0 , 1 } n , 1 � � s 0 1 , s 1 1 , . . . , s 0 n , s 1 s = 2 n � � v 0 1 = f ( s 0 1 ) , v 1 1 = f ( s 1 1 ) , . . . , v 0 n = f ( s 0 n ) , v 1 n = f ( s 1 Output v = n ) 3 Sign ( s , m ) : σ = ( s m 1 1 , . . . , s m n n ) 2 Vrfy ( v , m , σ = ( σ 1 , . . . , σ n )) : check that f ( σ i ) = v m i for all i ∈ [ n ] 3 i Lemma 23 If f is a OWF , then Construction 22 is a length restricted one-time signature scheme. Is this a strong signature scheme? With some additional work, it can be turned into a strong one. Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 22 / 39

Proving Lemma 23 Let a PPT A, I ⊆ N and p ∈ poly that break the security of Construction 22, we use A to invert f . Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 23 / 39

Proving Lemma 23 Let a PPT A, I ⊆ N and p ∈ poly that break the security of Construction 22, we use A to invert f . Algorithm 24 ( Inv ) Input: y ∈ { 0 , 1 } n j ∗ for a random i ∗ ∈ [ n ] and Choose ( s , v ) ← Gen ( 1 n ) and replace v i ∗ 1 j ∗ ∈ { 0 , 1 } , with y . Abort, if A ( 1 n , v ) asks to sign message m ∈ { 0 , 1 } n with m i ∗ = j ∗ . 2 Otherwise, use s to answer the query. Let ( m ′ , σ ′ ) be A’s output. 3 Abort, if σ ′ is not a valid signature for m ′ , or m ′ i ∗ � = j ∗ . Otherwise, return σ i ∗ . Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 23 / 39

Proving Lemma 23 Let a PPT A, I ⊆ N and p ∈ poly that break the security of Construction 22, we use A to invert f . Algorithm 24 ( Inv ) Input: y ∈ { 0 , 1 } n j ∗ for a random i ∗ ∈ [ n ] and Choose ( s , v ) ← Gen ( 1 n ) and replace v i ∗ 1 j ∗ ∈ { 0 , 1 } , with y . Abort, if A ( 1 n , v ) asks to sign message m ∈ { 0 , 1 } n with m i ∗ = j ∗ . 2 Otherwise, use s to answer the query. Let ( m ′ , σ ′ ) be A’s output. 3 Abort, if σ ′ is not a valid signature for m ′ , or m ′ i ∗ � = j ∗ . Otherwise, return σ i ∗ . v is distributed as is in the real “signature game" Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 23 / 39

Proving Lemma 23 Let a PPT A, I ⊆ N and p ∈ poly that break the security of Construction 22, we use A to invert f . Algorithm 24 ( Inv ) Input: y ∈ { 0 , 1 } n j ∗ for a random i ∗ ∈ [ n ] and Choose ( s , v ) ← Gen ( 1 n ) and replace v i ∗ 1 j ∗ ∈ { 0 , 1 } , with y . Abort, if A ( 1 n , v ) asks to sign message m ∈ { 0 , 1 } n with m i ∗ = j ∗ . 2 Otherwise, use s to answer the query. Let ( m ′ , σ ′ ) be A’s output. 3 Abort, if σ ′ is not a valid signature for m ′ , or m ′ i ∗ � = j ∗ . Otherwise, return σ i ∗ . v is distributed as is in the real “signature game" v is independent of i ∗ and j ∗ . Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 23 / 39

Proving Lemma 23 Let a PPT A, I ⊆ N and p ∈ poly that break the security of Construction 22, we use A to invert f . Algorithm 24 ( Inv ) Input: y ∈ { 0 , 1 } n j ∗ for a random i ∗ ∈ [ n ] and Choose ( s , v ) ← Gen ( 1 n ) and replace v i ∗ 1 j ∗ ∈ { 0 , 1 } , with y . Abort, if A ( 1 n , v ) asks to sign message m ∈ { 0 , 1 } n with m i ∗ = j ∗ . 2 Otherwise, use s to answer the query. Let ( m ′ , σ ′ ) be A’s output. 3 Abort, if σ ′ is not a valid signature for m ′ , or m ′ i ∗ � = j ∗ . Otherwise, return σ i ∗ . v is distributed as is in the real “signature game" v is independent of i ∗ and j ∗ . 1 Therefore Inv inverts f w.p. 2 np ( n ) for every n ∈ I . Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 23 / 39

Subsection 2 Stateful Schemes Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 24 / 39

Stateful signature schemes 1 Definition 25 (Stateful scheme) Same as in Definition 15, but Sign might keep state. 1 Also known as memory-dependant schemes Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 25 / 39

Stateful signature schemes 1 Definition 25 (Stateful scheme) Same as in Definition 15, but Sign might keep state. Make sense in many applications (e.g., smartcards) 1 Also known as memory-dependant schemes Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 25 / 39

Stateful signature schemes 1 Definition 25 (Stateful scheme) Same as in Definition 15, but Sign might keep state. Make sense in many applications (e.g., smartcards) We’ll later use it a building block for building stateless scheme 1 Also known as memory-dependant schemes Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 25 / 39

Stateful schemes — straight-line construction Let ( Gen , Sign , Vrfy ) be a strong one-time signature scheme. Construction 26 (straight-line construction) Gen ′ ( 1 n ) : Output ( s ′ , v ′ ) = ( s 1 , v 1 ) ← Gen ( 1 n ) . Sign ′ s 1 ( m i ) , where m i is i ’th message to sign: Let ( s i + 1 , v i + 1 ) ← Gen ( 1 n ) 1 Let σ i = Sign s i ( m i , v i + 1 ) 2 Output σ ′ i = ( σ ′ i − 1 , m i , v i + 1 , σ i ) . a 3 v 1 ( m , σ ′ = ( m 1 , v 2 , σ 1 ) , . . . , ( m i , v i + 1 , σ i )) : Vrfy ′ Check that Vrfy v j (( m j , v j + 1 ) , σ j ) = 1 for every j ∈ [ i ] 1 m i = m 2 a σ ′ 0 is the empty string. Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 26 / 39

Stateful schemes — straight-line construction Let ( Gen , Sign , Vrfy ) be a strong one-time signature scheme. Construction 26 (straight-line construction) Gen ′ ( 1 n ) : Output ( s ′ , v ′ ) = ( s 1 , v 1 ) ← Gen ( 1 n ) . Sign ′ s 1 ( m i ) , where m i is i ’th message to sign: Let ( s i + 1 , v i + 1 ) ← Gen ( 1 n ) 1 Let σ i = Sign s i ( m i , v i + 1 ) 2 Output σ ′ i = ( σ ′ i − 1 , m i , v i + 1 , σ i ) . a 3 v 1 ( m , σ ′ = ( m 1 , v 2 , σ 1 ) , . . . , ( m i , v i + 1 , σ i )) : Vrfy ′ Check that Vrfy v j (( m j , v j + 1 ) , σ j ) = 1 for every j ∈ [ i ] 1 m i = m 2 a σ ′ 0 is the empty string. Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 26 / 39

Straight-line construction cont. The state of Sign ′ is used for maintaining the most recent signing key (e.g., s i ), and the last published signature that connects s i to v 1 . Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 27 / 39

Straight-line construction cont. The state of Sign ′ is used for maintaining the most recent signing key (e.g., s i ), and the last published signature that connects s i to v 1 . While polynomial time, it is rather inefficient scheme: both running time and signature size are linear in number of published signatures. Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 27 / 39

Straight-line construction cont. The state of Sign ′ is used for maintaining the most recent signing key (e.g., s i ), and the last published signature that connects s i to v 1 . While polynomial time, it is rather inefficient scheme: both running time and signature size are linear in number of published signatures. That ( Gen , Sign , Vrfy ) works for any length (specifically, it is possible to sign message that is longer than the verification key), is critically used. Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 27 / 39

Straight-line construction cont. The state of Sign ′ is used for maintaining the most recent signing key (e.g., s i ), and the last published signature that connects s i to v 1 . While polynomial time, it is rather inefficient scheme: both running time and signature size are linear in number of published signatures. That ( Gen , Sign , Vrfy ) works for any length (specifically, it is possible to sign message that is longer than the verification key), is critically used. Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 27 / 39

Straight-line construction cont. The state of Sign ′ is used for maintaining the most recent signing key (e.g., s i ), and the last published signature that connects s i to v 1 . While polynomial time, it is rather inefficient scheme: both running time and signature size are linear in number of published signatures. That ( Gen , Sign , Vrfy ) works for any length (specifically, it is possible to sign message that is longer than the verification key), is critically used. Lemma 27 ( Gen ′ , Sign ′ , Vrfy ′ ) is a stateful, strong signature scheme. Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 27 / 39

Straight-line construction cont. The state of Sign ′ is used for maintaining the most recent signing key (e.g., s i ), and the last published signature that connects s i to v 1 . While polynomial time, it is rather inefficient scheme: both running time and signature size are linear in number of published signatures. That ( Gen , Sign , Vrfy ) works for any length (specifically, it is possible to sign message that is longer than the verification key), is critically used. Lemma 27 ( Gen ′ , Sign ′ , Vrfy ′ ) is a stateful, strong signature scheme. Proof : Assume ∃ PPT A ′ , p ∈ poly and infinite set I ⊆ N , such that A ′ breaks the strong security of ( Gen ′ , Sign ′ , Vrfy ′ ) with probability 1 p ( n ) for all n ∈ I . Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 27 / 39

Straight-line construction cont. The state of Sign ′ is used for maintaining the most recent signing key (e.g., s i ), and the last published signature that connects s i to v 1 . While polynomial time, it is rather inefficient scheme: both running time and signature size are linear in number of published signatures. That ( Gen , Sign , Vrfy ) works for any length (specifically, it is possible to sign message that is longer than the verification key), is critically used. Lemma 27 ( Gen ′ , Sign ′ , Vrfy ′ ) is a stateful, strong signature scheme. Proof : Assume ∃ PPT A ′ , p ∈ poly and infinite set I ⊆ N , such that A ′ breaks the strong security of ( Gen ′ , Sign ′ , Vrfy ′ ) with probability 1 p ( n ) for all n ∈ I . We present PPT A that breaks the security of ( Gen , Sign , Vrfy ) . Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 27 / 39

Straight-line construction cont. The state of Sign ′ is used for maintaining the most recent signing key (e.g., s i ), and the last published signature that connects s i to v 1 . While polynomial time, it is rather inefficient scheme: both running time and signature size are linear in number of published signatures. That ( Gen , Sign , Vrfy ) works for any length (specifically, it is possible to sign message that is longer than the verification key), is critically used. Lemma 27 ( Gen ′ , Sign ′ , Vrfy ′ ) is a stateful, strong signature scheme. Proof : Assume ∃ PPT A ′ , p ∈ poly and infinite set I ⊆ N , such that A ′ breaks the strong security of ( Gen ′ , Sign ′ , Vrfy ′ ) with probability 1 p ( n ) for all n ∈ I . We present PPT A that breaks the security of ( Gen , Sign , Vrfy ) . We assume for simplicity that p also bounds the query complexity of A ′ Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 27 / 39

Proving Lemma 27 cont. Let ( m t , σ ′ = ( m 1 , v 2 , σ 1 ) , . . . , ( m t , v t + 1 , σ t )) be the pair output by A ′ Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 28 / 39

Proving Lemma 27 cont. Let ( m t , σ ′ = ( m 1 , v 2 , σ 1 ) , . . . , ( m t , v t + 1 , σ t )) be the pair output by A ′ Claim 28 Whenever A ′ succeeds, ∃ � i ∈ [ p ] such that: Sign ′ has output σ ′ i − 1 = ( m 1 , v 2 , σ 1 ) , . . . , ( m i − 1 , v i , σ i − 1 ) 1 � � � � Sign ′ has not output σ ′ i = ( m 1 , v 2 , σ 1 ) , . . . , ( m i , v i ) 2 i + 1 , σ � � � � Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 28 / 39

Proving Lemma 27 cont. Let ( m t , σ ′ = ( m 1 , v 2 , σ 1 ) , . . . , ( m t , v t + 1 , σ t )) be the pair output by A ′ Claim 28 Whenever A ′ succeeds, ∃ � i ∈ [ p ] such that: Sign ′ has output σ ′ i − 1 = ( m 1 , v 2 , σ 1 ) , . . . , ( m i − 1 , v i , σ i − 1 ) 1 � � � � Sign ′ has not output σ ′ i = ( m 1 , v 2 , σ 1 ) , . . . , ( m i , v i ) 2 i + 1 , σ � � � � Proof : ? Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 28 / 39

Proving Lemma 27 cont. Let ( m t , σ ′ = ( m 1 , v 2 , σ 1 ) , . . . , ( m t , v t + 1 , σ t )) be the pair output by A ′ Claim 28 Whenever A ′ succeeds, ∃ � i ∈ [ p ] such that: Sign ′ has output σ ′ i − 1 = ( m 1 , v 2 , σ 1 ) , . . . , ( m i − 1 , v i , σ i − 1 ) 1 � � � � Sign ′ has not output σ ′ i = ( m 1 , v 2 , σ 1 ) , . . . , ( m i , v i ) 2 i + 1 , σ � � � � Proof : ? It follows that i was sampled by Sign ′ v � Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 28 / 39

Proving Lemma 27 cont. Let ( m t , σ ′ = ( m 1 , v 2 , σ 1 ) , . . . , ( m t , v t + 1 , σ t )) be the pair output by A ′ Claim 28 Whenever A ′ succeeds, ∃ � i ∈ [ p ] such that: Sign ′ has output σ ′ i − 1 = ( m 1 , v 2 , σ 1 ) , . . . , ( m i − 1 , v i , σ i − 1 ) 1 � � � � Sign ′ has not output σ ′ i = ( m 1 , v 2 , σ 1 ) , . . . , ( m i , v i ) 2 i + 1 , σ � � � � Proof : ? It follows that i was sampled by Sign ′ v � i be the signing key generated by Sign ′ along with v Let s i , and let � � � m = ( m i , v i + 1 ) � � Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 28 / 39

Proving Lemma 27 cont. Let ( m t , σ ′ = ( m 1 , v 2 , σ 1 ) , . . . , ( m t , v t + 1 , σ t )) be the pair output by A ′ Claim 28 Whenever A ′ succeeds, ∃ � i ∈ [ p ] such that: Sign ′ has output σ ′ i − 1 = ( m 1 , v 2 , σ 1 ) , . . . , ( m i − 1 , v i , σ i − 1 ) 1 � � � � Sign ′ has not output σ ′ i = ( m 1 , v 2 , σ 1 ) , . . . , ( m i , v i ) 2 i + 1 , σ � � � � Proof : ? It follows that i was sampled by Sign ′ v � i be the signing key generated by Sign ′ along with v Let s i , and let � � � m = ( m i , v i + 1 ) � � i ( � Vrfy v m , σ i ) = 1 � � Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 28 / 39

Proving Lemma 27 cont. Let ( m t , σ ′ = ( m 1 , v 2 , σ 1 ) , . . . , ( m t , v t + 1 , σ t )) be the pair output by A ′ Claim 28 Whenever A ′ succeeds, ∃ � i ∈ [ p ] such that: Sign ′ has output σ ′ i − 1 = ( m 1 , v 2 , σ 1 ) , . . . , ( m i − 1 , v i , σ i − 1 ) 1 � � � � Sign ′ has not output σ ′ i = ( m 1 , v 2 , σ 1 ) , . . . , ( m i , v i ) 2 i + 1 , σ � � � � Proof : ? It follows that i was sampled by Sign ′ v � i be the signing key generated by Sign ′ along with v Let s i , and let � � � m = ( m i , v i + 1 ) � � i ( � Vrfy v m , σ i ) = 1 � � i was not queried by Sign ′ on � Sign s m and output σ i . � � Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 28 / 39

Proving Lemma 27 cont. Let ( m t , σ ′ = ( m 1 , v 2 , σ 1 ) , . . . , ( m t , v t + 1 , σ t )) be the pair output by A ′ Claim 28 Whenever A ′ succeeds, ∃ � i ∈ [ p ] such that: Sign ′ has output σ ′ i − 1 = ( m 1 , v 2 , σ 1 ) , . . . , ( m i − 1 , v i , σ i − 1 ) 1 � � � � Sign ′ has not output σ ′ i = ( m 1 , v 2 , σ 1 ) , . . . , ( m i , v i ) 2 i + 1 , σ � � � � Proof : ? It follows that i was sampled by Sign ′ v � i be the signing key generated by Sign ′ along with v Let s i , and let � � � m = ( m i , v i + 1 ) � � i ( � Vrfy v m , σ i ) = 1 � � i was not queried by Sign ′ on � Sign s m and output σ i . � � i was queried at most once by Sign ′ Sign s � Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 28 / 39

Definition of A Algorithm 29 ( A ) Input: 1 n , v Oracle: Sign s Choose i ∗ ← [ p = p ( n )] and ( s ′ , v ′ ) ← Gen ′ ( 1 n ) . 1 Emulate a random execution of A ′ Sign ′ s ′ with a single twist: 2 ◮ On the i ∗ ’th call to Sign ′ s ′ , set v i ∗ = v (rather than choosing it via Gen) ◮ When need to sign using s i ∗ , use Sign s . Let ( m , σ = ( m 1 , v 1 , σ 1 ) , . . . , ( m q , v q , σ q )) ← A ′ 3 Output (( m i ∗ , v i ∗ ) , σ i ∗ ) (abort if i ∗ > q ) ) 4 Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 29 / 39

Definition of A Algorithm 29 ( A ) Input: 1 n , v Oracle: Sign s Choose i ∗ ← [ p = p ( n )] and ( s ′ , v ′ ) ← Gen ′ ( 1 n ) . 1 Emulate a random execution of A ′ Sign ′ s ′ with a single twist: 2 ◮ On the i ∗ ’th call to Sign ′ s ′ , set v i ∗ = v (rather than choosing it via Gen) ◮ When need to sign using s i ∗ , use Sign s . Let ( m , σ = ( m 1 , v 1 , σ 1 ) , . . . , ( m q , v q , σ q )) ← A ′ 3 Output (( m i ∗ , v i ∗ ) , σ i ∗ ) (abort if i ∗ > q ) ) 4 The emulated game A ′ Sign ′ s ′ has the same distribution as the real game. Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 29 / 39

Definition of A Algorithm 29 ( A ) Input: 1 n , v Oracle: Sign s Choose i ∗ ← [ p = p ( n )] and ( s ′ , v ′ ) ← Gen ′ ( 1 n ) . 1 Emulate a random execution of A ′ Sign ′ s ′ with a single twist: 2 ◮ On the i ∗ ’th call to Sign ′ s ′ , set v i ∗ = v (rather than choosing it via Gen) ◮ When need to sign using s i ∗ , use Sign s . Let ( m , σ = ( m 1 , v 1 , σ 1 ) , . . . , ( m q , v q , σ q )) ← A ′ 3 Output (( m i ∗ , v i ∗ ) , σ i ∗ ) (abort if i ∗ > q ) ) 4 The emulated game A ′ Sign ′ s ′ has the same distribution as the real game. Sign s is called at most once Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 29 / 39

Definition of A Algorithm 29 ( A ) Input: 1 n , v Oracle: Sign s Choose i ∗ ← [ p = p ( n )] and ( s ′ , v ′ ) ← Gen ′ ( 1 n ) . 1 Emulate a random execution of A ′ Sign ′ s ′ with a single twist: 2 ◮ On the i ∗ ’th call to Sign ′ s ′ , set v i ∗ = v (rather than choosing it via Gen) ◮ When need to sign using s i ∗ , use Sign s . Let ( m , σ = ( m 1 , v 1 , σ 1 ) , . . . , ( m q , v q , σ q )) ← A ′ 3 Output (( m i ∗ , v i ∗ ) , σ i ∗ ) (abort if i ∗ > q ) ) 4 The emulated game A ′ Sign ′ s ′ has the same distribution as the real game. Sign s is called at most once A breaks ( Gen , Sign , Vrfy ) whenever i ∗ = � i . Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 29 / 39

Subsection 3 Somewhat-Stateful Schemes Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 30 / 39

A somewhat-stateful scheme Let ( Gen , Sign , Vrfy ) be a strong one-time signature scheme. Construction 30 (A somewhat-stateful scheme) Gen ′ ( 1 n ) : Output ( s ′ , v ′ ) = ( s λ , v λ ) ← Gen ( 1 n ) . Sign ′ s λ ( m ) : choose an unused r ∈ { 0 , 1 } n For i = 0 to n − 1: if a r 1 ,..., i was not set before: 1 For both j ∈ { 0 , 1 } , let ( s r 1 ,..., i , j , v r 1 ,..., i , j ) ← Gen ( 1 n ) 1 Let a r 1 ,..., i = ( v r 1 ,..., i , 0 , v r 1 ,..., i , 1 ) . 2 Let σ r 1 ,..., i = Sign s r 1 ,..., i ( a r 1 ,..., i ) 3 Output ( r , a λ , σ λ , . . . , a r 1 ,..., n − 1 , σ r 1 ,..., n − 1 , σ r = Sign s r ( m )) 2 v λ ( m , σ ′ = ( r , a λ , σ λ , . . . , a r − 1 , σ r 1 ,..., n − 1 , σ r ) Vrfy ′ Check that Vrfy v r 1 ,..., i ( a r 1 ,..., i , σ r 1 ,..., i ) = 1 for every i ∈ { 0 , . . . , n − 1 } 1 Vrfy v r ( m , σ r ) = 1, for v r = ( a r 1 ,..., n − 1 ) r n 2 Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 31 / 39

A somewhat-stateful Scheme, cont. Each one-time signature key is used at most once. Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 32 / 39

A somewhat-stateful Scheme, cont. Each one-time signature key is used at most once. Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 32 / 39

A somewhat-stateful Scheme, cont. Each one-time signature key is used at most once. Lemma 31 ( Gen ′ , Sign ′ , Vrfy ′ ) is a stateful strong signature scheme. Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 32 / 39

A somewhat-stateful Scheme, cont. Each one-time signature key is used at most once. Lemma 31 ( Gen ′ , Sign ′ , Vrfy ′ ) is a stateful strong signature scheme. Proof : ? Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 32 / 39

A somewhat-stateful Scheme, cont. Each one-time signature key is used at most once. Lemma 31 ( Gen ′ , Sign ′ , Vrfy ′ ) is a stateful strong signature scheme. Proof : ? Note that Sign ′ does not keep track of the message history. Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 32 / 39

A somewhat-stateful Scheme, cont. Each one-time signature key is used at most once. Lemma 31 ( Gen ′ , Sign ′ , Vrfy ′ ) is a stateful strong signature scheme. Proof : ? Note that Sign ′ does not keep track of the message history. More efficient scheme — Enough to construct tree of depth ω ( log n ) (i.e., to choose r ∈ { 0 , 1 } ℓ ∈ ω ( log n ) ) Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 32 / 39

Subsection 4 Stateless Schemes Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 33 / 39

Stateless Scheme Π k be the set of all functions from � i ∈ [ k ] { 0 , 1 } i to { 0 , 1 } k to { 0 , 1 } n , let Let � q ∈ poly be “large enough", and let H = {H n : { 0 , 1 } ∗ �→ { 0 , 1 } n } be a CRH. Construction 32 (Inefficient stateless Scheme) Gen ′ ( 1 n ) : Sample ( s λ , v λ ) ← Gen ( 1 n ) and π ← � Π q ( n ) and h ← H n . Output ( s ′ = ( s , π, h ) , v ′ = v ) . Sign ′ s ( m ) : Set r = π ( h ( m )) 1 ,..., n . For i = 0 to n − 1: if a r 1 ,..., i was not set before: 1 For both j ∈ { 0 , 1 } , let ( s r 1 ,..., i , j , v r 1 ,..., i , j ) ← Gen ( 1 n ; π ( r 1 ,..., i , j )) 1 Let σ r 1 ,..., i = Sign s r 1 ,..., i ( a r 1 ,..., i = ( v r 1 ,..., i , 0 , v r 1 ,..., i , 1 )) 2 Output ( r , a λ , σ λ , . . . , a r 1 ,..., n − 1 , σ r 1 ,..., n − 1 , σ r = Sign s r ( m )) 2 Vrfy ′ : unchanged Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 34 / 39

Stateless Scheme Π k be the set of all functions from � i ∈ [ k ] { 0 , 1 } i to { 0 , 1 } k to { 0 , 1 } n , let Let � q ∈ poly be “large enough", and let H = {H n : { 0 , 1 } ∗ �→ { 0 , 1 } n } be a CRH. Construction 32 (Inefficient stateless Scheme) Gen ′ ( 1 n ) : Sample ( s λ , v λ ) ← Gen ( 1 n ) and π ← � Π q ( n ) and h ← H n . Output ( s ′ = ( s , π, h ) , v ′ = v ) . Sign ′ s ( m ) : Set r = π ( h ( m )) 1 ,..., n . For i = 0 to n − 1: if a r 1 ,..., i was not set before: 1 For both j ∈ { 0 , 1 } , let ( s r 1 ,..., i , j , v r 1 ,..., i , j ) ← Gen ( 1 n ; π ( r 1 ,..., i , j )) 1 Let σ r 1 ,..., i = Sign s r 1 ,..., i ( a r 1 ,..., i = ( v r 1 ,..., i , 0 , v r 1 ,..., i , 1 )) 2 Output ( r , a λ , σ λ , . . . , a r 1 ,..., n − 1 , σ r 1 ,..., n − 1 , σ r = Sign s r ( m )) 2 Vrfy ′ : unchanged One one-time signature key might be used several times, but always on the same message. Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 34 / 39

Stateless Scheme Π k be the set of all functions from � i ∈ [ k ] { 0 , 1 } i to { 0 , 1 } k to { 0 , 1 } n , let Let � q ∈ poly be “large enough", and let H = {H n : { 0 , 1 } ∗ �→ { 0 , 1 } n } be a CRH. Construction 32 (Inefficient stateless Scheme) Gen ′ ( 1 n ) : Sample ( s λ , v λ ) ← Gen ( 1 n ) and π ← � Π q ( n ) and h ← H n . Output ( s ′ = ( s , π, h ) , v ′ = v ) . Sign ′ s ( m ) : Set r = π ( h ( m )) 1 ,..., n . For i = 0 to n − 1: if a r 1 ,..., i was not set before: 1 For both j ∈ { 0 , 1 } , let ( s r 1 ,..., i , j , v r 1 ,..., i , j ) ← Gen ( 1 n ; π ( r 1 ,..., i , j )) 1 Let σ r 1 ,..., i = Sign s r 1 ,..., i ( a r 1 ,..., i = ( v r 1 ,..., i , 0 , v r 1 ,..., i , 1 )) 2 Output ( r , a λ , σ λ , . . . , a r 1 ,..., n − 1 , σ r 1 ,..., n − 1 , σ r = Sign s r ( m )) 2 Vrfy ′ : unchanged One one-time signature key might be used several times, but always on the same message. Efficient scheme: Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 34 / 39

Stateless Scheme Π k be the set of all functions from � i ∈ [ k ] { 0 , 1 } i to { 0 , 1 } k to { 0 , 1 } n , let Let � q ∈ poly be “large enough", and let H = {H n : { 0 , 1 } ∗ �→ { 0 , 1 } n } be a CRH. Construction 32 (Inefficient stateless Scheme) Gen ′ ( 1 n ) : Sample ( s λ , v λ ) ← Gen ( 1 n ) and π ← � Π q ( n ) and h ← H n . Output ( s ′ = ( s , π, h ) , v ′ = v ) . Sign ′ s ( m ) : Set r = π ( h ( m )) 1 ,..., n . For i = 0 to n − 1: if a r 1 ,..., i was not set before: 1 For both j ∈ { 0 , 1 } , let ( s r 1 ,..., i , j , v r 1 ,..., i , j ) ← Gen ( 1 n ; π ( r 1 ,..., i , j )) 1 Let σ r 1 ,..., i = Sign s r 1 ,..., i ( a r 1 ,..., i = ( v r 1 ,..., i , 0 , v r 1 ,..., i , 1 )) 2 Output ( r , a λ , σ λ , . . . , a r 1 ,..., n − 1 , σ r 1 ,..., n − 1 , σ r = Sign s r ( m )) 2 Vrfy ′ : unchanged One one-time signature key might be used several times, but always on the same message. Efficient scheme: Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 34 / 39

Stateless Scheme Π k be the set of all functions from � i ∈ [ k ] { 0 , 1 } i to { 0 , 1 } k to { 0 , 1 } n , let Let � q ∈ poly be “large enough", and let H = {H n : { 0 , 1 } ∗ �→ { 0 , 1 } n } be a CRH. Construction 32 (Inefficient stateless Scheme) Gen ′ ( 1 n ) : Sample ( s λ , v λ ) ← Gen ( 1 n ) and π ← � Π q ( n ) and h ← H n . Output ( s ′ = ( s , π, h ) , v ′ = v ) . Sign ′ s ( m ) : Set r = π ( h ( m )) 1 ,..., n . For i = 0 to n − 1: if a r 1 ,..., i was not set before: 1 For both j ∈ { 0 , 1 } , let ( s r 1 ,..., i , j , v r 1 ,..., i , j ) ← Gen ( 1 n ; π ( r 1 ,..., i , j )) 1 Let σ r 1 ,..., i = Sign s r 1 ,..., i ( a r 1 ,..., i = ( v r 1 ,..., i , 0 , v r 1 ,..., i , 1 )) 2 Output ( r , a λ , σ λ , . . . , a r 1 ,..., n − 1 , σ r 1 ,..., n − 1 , σ r = Sign s r ( m )) 2 Vrfy ′ : unchanged One one-time signature key might be used several times, but always on the same message. Efficient scheme: use PRF (?) Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 34 / 39

Subsection 5 “CRH free" Schemes Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 35 / 39

Target collision-resistant functions Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 36 / 39