Topics in Cryptology — CT-RSA 2002: The Cryptographers’ Track at the RSA Conference 2002 San Jose, CA, USA, February 18–22, 2002 Proceedings [1 ed.] 3540432248, 9783540432241

This volume continues the tradition established in 2001 of publishing the c- tributions presented at the Cryptographers’

259 41 3MB

English Pages 318 [319] Year 2002

Report DMCA / Copyright

DOWNLOAD PDF FILE

Table of contents :
On Hash Function Firewalls in Signature Schemes....Pages 1-16
Observability Analysis - Detecting When Improved Cryptosystems Fail -....Pages 17-29
Precise Bounds for Montgomery Modular Multiplication and Some Potentially Insecure RSA Moduli....Pages 30-39
Montgomery in Practice: How to Do It More Efficiently in Hardware....Pages 40-52
MIST : An Efficient, Randomized Exponentiation Algorithm for Resisting Power Analysis....Pages 53-66
An ASIC Implementation of the AES SBoxes....Pages 67-78
On the Impossibility of Constructing Non-interactive Statistically-Secret Protocols from Any Trapdoor One-Way Function....Pages 79-95
The Representation Problem Based on Factoring....Pages 96-113
Ciphers with Arbitrary Finite Domains....Pages 114-130
Known Plaintext Correlation Attack against RC5....Pages 131-148
Micropayments Revisited....Pages 149-163
Proprietary Certificates....Pages 164-181
Stateless-Recipient Certified E-Mail System Based on Verifiable Encryption....Pages 182-199
RSA-Based Undeniable Signatures for General Moduli....Pages 200-217
Co-operatively Formed Group Signatures....Pages 218-235
Transitive Signature Schemes....Pages 236-243
Homomorphic Signature Schemes....Pages 244-262
GEM: A G eneric Chosen-Ciphertext Secure E ncryption M ethod....Pages 263-276
Securing “Encryption + Proof of Knowledge” in the Random Oracle Model....Pages 277-289
Nonuniform Polynomial Time Algorithm to Solve Decisional Diffie-Hellman Problem in Finite Fields under Conjecture....Pages 290-299
Secure Key-Evolving Protocols for Discrete Logarithm Schemes....Pages 300-309
Recommend Papers

Topics in Cryptology — CT-RSA 2002: The Cryptographers’ Track at the RSA Conference 2002 San Jose, CA, USA, February 18–22, 2002 Proceedings [1 ed.]
 3540432248, 9783540432241

  • 0 0 0
  • Like this paper and download? You can publish your own PDF file online for free in a few minutes! Sign Up
File loading please wait...
Citation preview

3

P re fa c e

T his volume cont inues t he t radit ion est ablished in 2001 of publishing t he cont ribut ions present ed at t he Crypt ographers’ Track (CT -RSA) of t he yearly RSA Security Conference in Springer-Verlag’ s Lect ure Not es in Comput er Science series. Wit h 14 parallel t racks and many t housands of part icipant s, t he RSA Security Conference is t he largest e-security and crypt ography conference. In t his set t ing, t he Crypt ographers’ Track present s t he lat est scient ific development s. T he program commit t ee considered 49 papers and select ed 20 for present at ion. One paper was wit hdrawn by t he aut hors. T he program also included two invit ed t alks by Ron Rivest (“Micropayment s Revisit ed” – joint work wit h Silvio Micali) and by Vict or Shoup (“T he Bumpy Road from Crypt ographic T heory t o P ract ice”). Each paper was reviewed by at least t hree program commit t ee members; papers writ t en by program commit t ee members received six reviews. T he aut hors of accept ed papers made a subst ant ial eff ort t o t ake int o account t he comment s in t he version submit t ed t o t hese proceedings. In a limit ed number of cases, t hese revisions were checked by members of t he program commit t ee. I would like t o t hank t he 20 members of t he program commit t ee who helped t o maint ain t he rigorous scient ific st andards t o which t he Crypt ographers’ Track aims t o adhere. T hey wrot e t hought ful reviews and cont ribut ed t o long discussions; more t han 400 Kbyt e of comment s were accumulat ed. Many of t hem at t ended t he program commit t ee meet ing, while t hey could have been enjoying t he sunny beaches of Sant a Barbara. I grat efully acknowledge t he help of a large number of colleagues who reviewed submissions in t heir area of expert ise: Masayuki Abe, N. Asokan, Tonnes Brekne, Emmanuel Bresson, Eric Brier, J an Camenisch, Christ ian Collberg, Don Coppersmit h, J ean-S´ebast ien Coron, Serge Fehr, Marc Fischlin, Mat t hias Fit zi, P ierre-Alain Fouque, Anwar Hasan, Clemens Holenst ein, Kamal J ain, Marc J oye, Darko Kirovski, Lars Knudsen, Neal Koblit z, Anna Lysyanskaya, Lennart Meier, David M’ Raihi, P hong Nguyen, Pascal Paillier, Adrian Perrig, David Point cheval, Tal Rabin, Tomas Sander, Berk Sunar, Michael Szydlo, Christ ophe Tymen, Frederik Vercaut eren, Colin Walt er, Andre Weimerskirch, and Susanne Wet zel. I apologize for any inadvert ent omissions. Elect ronic submissions were made possible by a collect ion of P HP script s originally writ t en by Chanat hip Namprempre and some perl script s writ t en by Sam Rebelsky and SIGACT ’ s Elect ronic P ublishing Board. For t he review procedure, web-based software was used which I designed for Eurocrypt 2000; t he code was writ t en by Wim Moreau and J oris Claessens. I would like t o t hank Wim Moreau for helping wit h t he elect ronic processing of t he submissions and final versions, Ari J uels and Burt Kaliski for int erfacing

VI

P r e fa c e

wit h t he RSA Security Conference, and Alfred Hofmann and his colleagues at Springer-Verlag for t he t imely product ion of t his volume. Finally, I wish t o t hank all t he aut hors who submit t ed papers and t he aut hors of accept ed papers for t he smoot h cooperat ion which enabled us t o process t hese proceedings as a single L a T e X document . We hope t hat in t he coming years t he Crypt ographers’ Track will cont inue t o be a forum for dialogue between researchers and pract it ioners in informat ion security. November 2001

Bart P reneel

R S A C ry p t o g ra p h e rs ’ Tra ck 2 0 0 2 F e b r u a r y 1 8 – 2 2 , 2 0 0 2 , S a n J o s e , C a lifo r n ia

The RSA Conference 2002 was organized by RSA Security Inc. and it s part ner organizat ions around t he world. The Crypt ographers’ Track was organized by RSA Laborat ories (ht t p:/ / www.rsasecurity. com). P ro g ra m C h a ir

Bart P reneel, Kat holieke Universit eit Leuven, Belgium

P ro g ra m C o m m it t e e

Dan Boneh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . St anford University, USA Yvo Desmedt . . . . . . . . . . . . . . . . . . . . . . . Florida St at e University, USA Diet er Gollmann . . . . . . . . . . . . . . . . . . . . . . . . Microsoft Research, USA St uart Haber . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Int ert rust , USA Shai Halevi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IBM Research, USA Helena Handschuh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Gemplus, France Mart in Hirt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ETH, Swit zerland Markus J akobssen . . . . . . . . . . . . . . . . . . . . . . . . RSA Laborat ories, USA Ari J uels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . RSA Laborat ories, USA P il J ong Lee . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Post ech, Korea Alfred Menezes . . . . . . . . . . . . . . . . . . . University of Wat erloo, Canada Kaisa Nyberg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Nokia, Finland Tat suaki Okamot o . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . NTT Labs, J apan Christ of Paar . . . . . . . . . . . . . Worcest er Polyt echnique Inst it ut e, USA J ean-J acques Quisquat er . . . . . . . . Univ. Cat h. de Louvain, Belgium J acques St ern . . . . . . . . . . . . . . . . . . Ecole Normale Sup´erieure, France Michael Wiener . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Canada Yacov Yacobi . . . . . . . . . . . . . . . . . . . . . . . . . . . . Microsoft Research, USA Mot i Yung . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Cert co, USA Yuliang Zheng . . . . . . . . . . . . . . . . . . . . . . Monash University, Aust ralia

Ta b le o f C o nt e nt s

P u b lic K e y C ry p t o g ra p hy On Hash Funct ion Firewalls in Signat ure Schemes . . . . . . . . . . . . . . . . . . . . . . Burton S. K aliski Jr.

1

Observability Analysis – Det ect ing When Improved Crypt osyst ems Fail . . . 17 Marc Joye, Jean-Jacques Quisquater, Sung-Ming Y en, and Moti Y ung

Effi

c ie nt H a rd w a re Im p le m e nt a t io n s

P recise Bounds for Mont gomery Modular Mult iplicat ion and Some Pot ent ially Insecure RSA Moduli . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 Colin D. W alter Mont gomery in P ract ice: How t o Do It More Effi cient ly in Hardware . . . . . 40 Lejla Batina and Geeke Muurling Mist: An Effi cient , Randomized Exponent iat ion Algorit hm for Resist ing Power Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 Colin D. W alter An ASIC Implement at ion of t he AES SBoxes . . . . . . . . . . . . . . . . . . . . . . . . . 67 Johannes W olkerstorfer, Elisabeth Oswald, and Mario Lamberger

P u b lic K e y C ry p t o g ra p hy : T h e o ry On t he Impossibility of Const ruct ing Non-int eract ive St at ist ically-Secret P rot ocols from Any Trapdoor One-Way Funct ion . . . . . . . . . . . . . . . . . . . . . . 79 Marc Fischlin T he Represent at ion P roblem Based on Fact oring . . . . . . . . . . . . . . . . . . . . . . . 96 Marc Fischlin and Roger Fischlin

S y m m e t ric C ip h e rs Ciphers wit h Arbit rary Finit e Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114 John Black and Phillip Rogaway Known P laint ext Correlat ion At t ack against RC5 . . . . . . . . . . . . . . . . . . . . . . 131 A tsuko Miyaji, Masao Nonaka, and Y oshinori Takii

E -C o m m e rc e a n d A p p lic a t io n s Micropayment s Revisit ed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149 Silvio Micali and Ronald L. Rivest

X

T a b le o f C o n t e n t s

P ropriet ary Cert ificat es . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164 Markus Jakobsson, A ri Juels, and Phong Q. Nguyen St at eless-Recipient Cert ified E-Mail Syst em Based on Verifiable Encrypt ion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182 Giuseppe A teniese and Cristina Nita-Rotaru

D ig it a l S ig n a t u re s RSA-Based Undeniable Signat ures for General Moduli . . . . . . . . . . . . . . . . . . 200 Steven D. Galbraith, W enbo Mao, and K enneth G. Paterson Co-operat ively Formed Group Signat ures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218 Greg Maitland and Colin Boyd Transit ive Signat ure Schemes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236 Silvio Micali and Ronald L. Rivest Homomorphic Signat ure Schemes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244 Robert Johnson, David Molnar, Dawn Song, and David W agner

P u b lic K e y E n c ry p t io n GEM: A Generic Chosen-Ciphert ext Secure Encrypt ion Met hod . . . . . . . . . 263 Jean-S´ebastien Coron, Helena Handschuh, Marc Joye, Pascal Paillier, David Pointcheval, and Christophe Tymen Securing “Encrypt ion + P roof of Knowledge” in t he Random Oracle Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277 Masayuki A be

D is c re t e Lo g a rit h m Nonuniform Polynomial T ime Algorit hm t o Solve Decisional Diffi e-Hellman P roblem in Finit e Fields under Conject ure . . . . . . . . . . . . . . 290 Qi Cheng and Shigenori Uchiyama Secure Key-Evolving P rot ocols for Discret e Logarit hm Schemes . . . . . . . . . . 300 Cheng-Fen Lu and ShiuhPyng W inston Shieh

A u t h o r In d e x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311

O n H a s h Fu n c t io n F ire w a lls in S ig n a t u re S ch e m e s Burt on S. Kaliski J r. RSA Laborat ories 20 Crosby Drive, Bedford, MA 01730, USA [email protected]

T he security of many signat ure schemes depends on t he verifier’ s assurance t hat t he same hash funct ion is applied durin g signat ure verificat ion as during signat ure generat ion. Several schemes provide t his assurance by appending a hash funct ion ident ifier t o t he hash value. We show t hat such “hash funct ion firewalls” do not necessarily prevent an opponent from forging signat ures wit h a weak hash funct ion and we give “weak hash funct ion” at t acks on several signat ure schemes t hat employ such firewalls. We also describe a new signat ure forgery at t ack on P KCS # 1 v1.5 signat ures, possible even wit h a st rong hash funct ion, based on choosing a new (and suspicious-looking) hash funct ion ident ifier as part of t he at t ack. A b st r a c t .

1

In t ro d u c t io n

Nearly all digit al signat ure schemes in pract ice combine a hash funct ion wit h ot her crypt ographic operat ions. In a typical scheme, a signer applies t he hash funct ion t o t he message, t hen applies a signat ure primit ive t o t he signer’ s private key and t he hash funct ion out put t o obt ain a signat ure. T he verifier likewise comput es a hash value, t hen applies a verificat ion primit ive t o t he signer’ s public key, t he hash value, and t he signat ure t o det ermine whet her t he signat ure is valid. In many schemes, some format t ing is applied t o t he hash value prior t o t he signat ure primit ive, and in some schemes part or all of t he message is included in t he input t o t he signat ure primit ive and can be recovered from t he signat ure. T he security of a signat ure scheme clearly depends on t he security of t he hash funct ion. J ust as import ant ly, t he security depends on t he verifier’ s assurance t hat t he correct hash funct ion is applied during signat ure verificat ion. Ot herwise, an opponent may be able t o t ake advant age of hash funct ion weaknesses t o obt ain a forged signat ure. Suppose t hat t he signer has select ed a st rong hash funct ion H ash and has signed messages M 1 , . . . , M k , producing signat ures σ 1 , . . . , σ k . Suppose furt her t hat t he opponent knows a weak hash funct ion W eak H ash and can cause t he verifier t o apply t he weak hash funct ion rat her t han t he st rong one. If t he opponent can find anot her message M such t hat W eak H ash ( M ) = H ash ( M i ) for some message M i t hen t he opponent can present M and σ i t o t he verifier, specifying t hat t he weak hash funct ion is t o be applied, and t hey will be accept ed. T he verifier’ s willingness t o accept hash funct ions ot her t han t he one t he signer has select ed is oft en in t he int erest of int eroperability. A typical verifier may int eract wit h many signers and t hus may need t o support a large set of hash ′





B . P r e n e e l ( E d . ) : C T -R S A 2 0 0 2 , L N C S 2 2 7 1 , p p . 1 – 1 6 , 2 0 0 2 .  c S p r in g e r -Ve r la g B e r lin H e id e lb e r g 2 0 0 2

2

Burt on S. Kaliski J r.

funct ions, even if each individual signer only support s a few hash funct ions. T he verifier may not know which hash funct ions are accept able for a given signer, nor whet her a weakness has been found in a hash funct ion. (By “weakness,” here and elsewhere, we mean t he ability for an opponent t o invert t he hash funct ion effi cient ly for a significant fract ion of hash values.) Clearly, it is desirable t o limit t he set of hash funct ions t hat a verifier accept s for a given signer. One approach is t o permit only a small set of well t rust ed hash funct ions in a given domain. T he Digit al Signat ure St andard [17], for inst ance, allows only t he SHA-1 hash funct ion [16]; ANSI X9.31 [1] and ANSI X9.62 [2] likewise allow only “ANSI-approved” hash funct ions. Anot her approach is t o convey t he set of permit t ed hash funct ions as an at t ribut e of t he signer’s public key, for inst ance in a public-key cert ificat e or as part of policy for a cert ificat e domain. In t his way, signers can select diff erent hash funct ions but are not aff ect ed by one anot her’s choices. Each of t he met hods just ment ioned has some drawbacks. Limit ing t he set of hash funct ions precludes new hash funct ions t hat may be fast er or ot herwise more at t ract ive; conveying t he set as an at t ribut e of a public key may rely on more complex cert ificat e management infrast ruct ure t han is convenient ly available. Not e t hat ident ifying t he hash funct ion in t he message it self is not enough; it is likely as easy for an opponent t o cont rol t he ident ifier as any ot her part of a message when forging a signat ure. As a result of t hese concerns, t he hash funct ion is oft en ident ified wit hin t he format t ing t hat is applied t o t he hash value. T his ident ifier might be an index t o a regist ry of hash funct ions, such as IS 10118-3:1998 [10], or it might be based on an OSI ob ject ident ifier (see [23]), which can be assigned by any organizat ion. T he signat ure primit ive is t hen relied upon t o bind t he hash funct ion ident ifier securely t o t he hash value. In t his way t he hash funct ion ident ifier serves as a fi r e w a l l between diff erent hash funct ions. A hash funct ion firewall prevent s an opponent from causing a verifier t o verify a signat ure wit h a diff erent hash funct ion t han t he signer int ended. But t his prot ect ion is only for exist ing signat ures; a separat e quest ion is whet her an opponent can obt ain new signat ures t hat exploit a weak hash funct ion. In t his paper, we answer t hat quest ion, off ering t he following new cont ribut ions: 1. We present new w ea k h a s h f u n c t i o n a t t a c k s against t he signat ure schemes in IS 9796-2:1997 [9], IS 14888-2:1999 [11], and IS 9796-3:2000 [12]. Each scheme includes an opt ional hash funct ion firewall and claims t hat t he firewall off ers some level of prot ect ion against at t ack. We show t hat such claims are incorrect , and t hat if any regist ered hash funct ion were found t o be weak and a verifier support s it , it may be possible t o forge a signat ure. Significant ly, our at t acks are possible w i t h o u t t h e s i g n e r ’ s p a r t i c i p a t i o n. 2. We show t hat t he signat ure schemes in ANSI X9.31 [1] and P KCS # 1 v1.5 [23], which also include hash funct ion firewalls, appear t o prot ect against weak hash funct ion at t acks. However, in t he case of P KCS # 1 v1.5 signat ures, we show t hat if t he opponent is allowed t o regist er a n e w hash funct ion ident ifier for a given hash funct ion, it is possible t o forge signat ures even if t he hash funct ion is st rong. Moreover, t he forged signat ures are valid for a wide range of public keys, not just for one signer.

On Hash Funct ion F irewalls in Signat ure Schemes

3

3. We observe t hat t he RSA-P SS const ruct ion in IEEE P 1363a [8] off ers an i m p li c i t hash funct ion firewall – wit hout an explicit hash funct ion ident ifier – under reasonable assumpt ions on t he hash funct ion involved (i.e., it is not ‘concoct ed’ purely for t he purpose of forging a signat ure), and provided a cert ain amount of padding is present . We emphasize t hat as long as t he verifier accept s only st rong hash funct ions for t hese signat ure schemes (and, in t he case of P KCS # 1 v1.5, t he verifier is careful about accept ing new, suspicious-looking hash funct ion ident ifiers), t he schemes ment ioned here remain secure. Moreover, we are not aware of any weaknesses in t he normal hash funct ions employed wit h t hese schemes t hat would be suffi cient t o enable an at t ack. 1.1

R e lat e d W ork

T he concept of a hash funct ion firewall appears t o have been int roduced by Linn in t he design of P rivacy-Enhanced Mail in 1990 [14]. Referring t o t he t hencont emplat ed support for t he MD2 and MD4 hash funct ions, Linn wrot e, “I observe t hat any accomodat ion [s i c ] of MD4 in addit ion t o MD2 should incorporat e some form of a signed algorit hm ident ifier, perhaps in t he high-order [. . . ] bit s of t he input block t o t he public-key signat ure operat ion, t o provide fi r e w a l li n g for t he benefit of users of one algorit hm in t he event t hat flaws are found in t he ot her algorit hm aft er placing t hat ot her algorit hm int o use on P EM messages.” (emphasis added) Mot ivat ed by Linn’s recommendat ion, t he P KCS # 1 specificat ion for RSA signat ures [23], first published in 1991, adopt ed a hash funct ion firewall, and a firewall has become st andard in most implement at ions of RSA signat ures since t hat t ime. IBM’s Transact ion Security Syst em [15], also developed in t he early 1990s, employed a hash funct ion firewall as well. In T SS, t he ident ifier is called a “hash rule” (see t he definit ion of t he Crypt o Facility Syst em Signat ure Record in [15]). T he concept of a hash funct ion firewall was subsequent ly adopt ed in several ISO/ IEC st andards, addressing fact oring-based schemes (e.g., RSA) as well as discret e logarit hm / ellipt ic curve-based schemes. T he st andards also give general guidance on hash funct ion ident ificat ion. IS 9796-3:2000 [12], for inst ance, present s four “opt ions for binding signat ure mechanism and hash-funct ion . . . in order of increasing risk”: – “a) Require a part icular hash-funct ion . . . ” – “b) Allow a set of hash-funct ions and explicit ly indicat e in every signat ure t he hash-funct ion in use by a hash-funct ion ident ifier included as part of t he signat ure calculat ion . . . ” (i.e., a firewall) – “c) Allow a set of hash-funct ions and explicit ly indicat e t he hash-funct ion in use in t he cert ificat e domain paramet ers.” – “d) Allow a set of hash-funct ions and indicat e t he hash-funct ion in use by some ot her met hod, e.g., an indicat ion in t he message or a bilat eral agreement .”

4

Burt on S. Kaliski J r.

T he st andard st at es t hat “[w]it hout such a binding, an adversary may claim t he use of a weak hash-funct ion (and not t he act ual one) and t hereby forge t he signat ure.” Most of t he lit erat ure on signat ure schemes focuses on t he security propert ies under t he assumpt ion t hat t he underlying hash funct ion is st rong, and generally assumes t here is only one underlying hash funct ion. We are not aware of any formal analysis of t he propert ies of signat ure schemes t hat allow mult iple hash funct ions, nor of hash funct ion firewalls in part icular. Addit ional analysis on several of t he signat ure schemes present ed here can be found in a paper by Coron et al. [4]. T heir work focuses on t he security of t he schemes wit h st rong hash funct ions and does not address weak hash funct ion at t acks. Brown and J ohnson [3] consider a type of weak-hash funct ion at t ack in t heir security analysis of t he P int sov-Vanst one signat ure scheme [20], but t hey do not consider hash funct ion firewalls. 1.2

O rgan izat ion of T h is P ap e r

Sect ion 2 defines t erminology and not at ion. In Sect ion 3 we give weak hash funct ion at t acks on t hree signat ure schemes in ISO st andards. Sect ion 4 discusses t he firewalls in ot her signat ure schemes. Finally, Sect ion 5 draws several conclusions. An appendix shows why an ext ension t o DSA t hat includes a hash funct ion firewall, as suggest ed by at least one aut hor, must be done carefully.

2

P re lim in a rie s

T hroughout t his paper, we denot e a generic inst ance of a hash funct ion, whet her st rong or weak, by H ash , and a specific inst ance of a weak hash funct ion by W eak H ash . H ash ID and W eak H ash ID denot e one-byt e ident ifiers for t he corresponding hash funct ions. In t he various ISO/ IEC st andards, t he one-byt e ident ifiers are t aken from one of t he IS 10118 regist ries such as IS 10118-3 [10]. However, t he specific one-byt e ident ifier values do not aff ect our result s. H ash ID L o n g denot es a variable-lengt h ident ifier value. Ot her not at ion is as follows: ℓ H a sh lengt h in bit s of t he out put of H ash cc hexadecimal value 0u (resp. 1u ) bit st ring consist ing of u ‘0’ (resp. ‘1’) bit s X .Y concat enat ion of st rings X and Y X ⊕ Y bit -wise exclusive-or  X  lengt h in bit s of X

In a st ring expression,  X  refers t o t he 64-bit represent at ion of t he lengt h of X , most significant bit first . We denot e conversion between an int eger and a bit st ring as m ⇐

M    , ⇒ ℓ

b it s

On Hash Funct ion F irewalls in Signat ure Schemes

5

where m is an int eger, M is t he corresponding bit st ring, and “ ℓ bit s” indicat es t he lengt h of t he bit st ring. Conversion is most significant bit first . A signat ure scheme consist s of a signat ure operat ion and a verificat ion operat ion. In a signat ure scheme wit h appendix, t he signat ure operat ion generat es a signat ure σ given a message and a privat e key, and t he verificat ion operat ion verifies σ given M and t he corresponding public key. In a signat ure scheme giving message recovery, a message is considered in two part s: a recoverable part M 1 and a non-recoverable part M 2 . T he signat ure operat ion generat es a signat ure σ given M 1 , M 2 and t he privat e key; t he verificat ion operat ion verifies t he signat ure σ and recovers M 1 given t he M 2 and t he public key. As not ed in Sect ion 1, a signat ure scheme may allow a choice of hash funct ions. For such a scheme, let Σ K [H ash ] denot e t he set of all signat ures t hat can be generat ed by t he scheme wit h hash funct ion H ash under privat e key K . We say t hat t he scheme has a h a s h f u n c t i o n fi r e w a l l wit h respect t o a set of hash funct ions H if for all H ash 1 , H ash 2 ∈ H , for all privat e keys K , Σ K [H ash 1 ] and Σ K [H ash 2 ] are dist inct . A common way t o build a hash funct ion firewall is t o append a hash funct ion ident ifier t o t he out put of t he hash funct ion. T he result ing value is called a h a s h t o k e n in t he ISO/ IEC st andards. We say t hat a hash funct ion firewall is e x p li c i t if it is based on a hash funct ion ident ifier, and i m p li c i t ot herwise. A hash funct ion firewall prot ect s signat ures generat ed wit h a st rong hash funct ion from weaknesses in ot her hash funct ions. However, it does not necessarily prevent an opponent from exploit ing weaknesses in a hash funct ion (i.e., t he ability t o invert t he hash funct ion) t o obt ain a diff erent signat ure. We say t hat a signat ure scheme has a w ea k hash funct ion firewall if it is vulnerable t o such forgery, and we t erm t he at t ack t hat obt ains such a forgery a w ea k h a s h fu n ctio n a tta ck.

3

S ig n a t u re S ch e m e s w it h W e a k F ire w a lls

We now consider t hree signat ure schemes t hat have hash funct ion firewalls and show t hat for each one t he firewall does not prot ect against weak hash funct ion at t acks. T he at t acks all follow a common approach, exploit ing a type of exist ent ial forgery in t erms of t he hash-t oken. Alt hough it is (presumably) diffi cult t o obt ain a valid signat ure on a p r ed e t e r m i n ed hash-t oken for any of t he schemes, for all t hree it is easy t o produce a valid (hash-t oken, signat ure) pair. If t he hash-t oken ident ifies a weak hash funct ion, t he opponent needs only t o invert t he weak hash funct ion t o forge a signat ure. T he cost of t he at t ack t hus consist s of t he amount of t ime t o produce t he (hash-t oken, signat ure pair), plus t he amount of t ime t o invert t he hash funct ion. In t he at t acks, part of t he input t o t he hash funct ion is predet ermined but t he opponent has full cont rol over t he rest , which gives considerable flexibility in t he choice of message for t he forged signat ure. In t he at t acks on t he schemes giving message recovery, t he opponent has no direct cont rol over t he recoverable message part , which is eff ect ively random. T his may make t he forged signat ures produced by t he at t ack less plausible, depending on how t he recoverable part is int erpret ed.

6

Burt on S. Kaliski J r.

3.1

R S A / RW S ign at u re s in IS 9796-2:1997

We first consider t he signat ure scheme giving message recovery in IS 9796-2:1997 [9], which can be based on eit her t he RSA [22] or Rabin-Williams [21] [24] crypt osyst em. T he scheme has been shown previously t o be vulnerable t o signat ure forgery wit h a st rong hash funct ion in cert ain cases [4]. Our focus here is on vulnerabilit ies wit h a weak hash funct ion. We present t he RSA version of t he scheme, but similar result s apply t o t he Rabin-Williams version. Let n be a composit e modulus and let e be an odd int eger relat ively prime t o λ ( n ) where e > 1. We only need t o consider t he public key, which consist s of t he pair ( n , e). Let ℓ n = ⌊ log2 n ⌋ + 1 be t he lengt h in bit s of t he modulus n . We focus on t he specificat ion of t he scheme in t he sit uat ion t hat a hash funct ion ident ifier is included and t hat t he non-recoverable message part is not empty, as needed by t he at t ack. In t his case, t he recoverable message part is between ℓ n − ℓ H a sh − 27 and ℓ n − ℓ H a sh − 20 bit s long. T he scheme employs two predet ermined set s of st rings for padding and masking (see t he st andards document for t he specific values): P ad 4 , . . . , P ad 1 1 } , a prefix-free set where for each u ,  P ad u  = u , and where t he left most bit of each st ring is 0; – { M ask 4 , . . . , M ask 1 1 } , a set where for each u ,  M ask u  = ℓ n − ℓ H a sh − u − 16.



{

An IS 9796-2:1997 signat ure on a recoverable message part M 1 and a nonrecoverable message part M 2 , for t he condit ions just ment ioned, is a value s where 0 ≤ s < n / 2 such t hat ( ± s e mod n ) ⇐



P ad u . ( M 1





M ask u ) .H . H ash ID . cc

 



b it s

ℓ n

for some u such t hat 4 ≤ u ≤ 11 where H = H ash ( M 1 .M 2 ). (T he “ ± ” indicat es t hat t he correspondence must hold for eit her s e mod n or ( n − s e ) mod n .) T he at t ack is as follows: 1. Generat e s uniformly at random in { 0, . . . , ( n − 1) / 2} . 2. Let t = s e mod n . 3. If t ≡ 12 (mod 16), t hen let m = t ; if t ≡ n − 12 (mod 16), t hen let m = n − t . Ot herwise, go t o st ep 1. 4. Let T be t he ℓ n -bit st ring corresponding t o m . 5. If T is format t ed correct ly as T = P ad u .M 1 .H . H ash ID . cc for some u such t hat 4 ≤ u < 11, t hen parse T t o obt ain M 1 , H and H ash ID . If not , go t o st ep 1. 6. If H ash ID = W eak H ash ID , go t o st ep 1. 7. Let M 1 = M 1 ⊕ M ask u . 8. Find M 2 such t hat W eak H ash ( M 1 .M 2 ) = H . 9. Out put M 1 , M 2 and s . ′





T he probability t hat st ep 3 succeeds is about 1/ 8. Since each possible value of m in st ep 3 corresponds t o a diff erent and unique value of s and t he value of s in st ep 1 is uniformly dist ribut ed in { 1, . . . , ( n − 1) / 2} , t he value of m in

On Hash Funct ion F irewalls in Signat ure Schemes

7

st ep 3 is uniformly dist ribut ed in t he subset of { 1, . . . , n − 1} congruent t o 12 modulo 16. For st eps 5 and 6 t o succeed, t he st ring T in st ep 5 must begin wit h one of t he eight padding st rings and end wit h W eak H ash ID . cc. Since for each u ,  P ad u  = u and t he left most bit of P ad u is 0, t he probability t hat T begins wit h P ad u is at least 2 u . T he probability t hat T begins wit h one of t he eight padding st rings is t hus at least  11 1 2 u ≈ . 8 u= 4 −



T he probability t hat T ends wit h W eak H ash ID . cc, given t hat m ≡ 12 (mod 16), is about 2 1 2 . T hus, t he probability t hat an it erat ion of st eps 1–7 succeeds is at least about (1/ 8)(1/ 8)2 1 2 = 2 1 8 , so t he expect ed number of it erat ions is at most about 21 8 . T he cost of t he at t ack is t hus about 21 8 exponent iat ions, plus t he t ime t o invert t he weak hash funct ion. −



3.2



G Q S ign at u re s in IS 14888-2:1999

We next consider t he signat ure scheme wit h appendix in IS 14888-2:1999 [11], which is based on t he Guillou-Quisquat er (GQ) ident ificat ion scheme [6]. Let n be a composit e modulus and let v be an int eger relat ively prime t o Φ ( n ) where v > 1. T he public key is an int eger y ∈ { 1, . . . , n − 1} . In IS 14888-2, as in t he original GQ scheme, t he public key y is based on t he ident ity of t he user, but t his property is not relevant t o our at t ack. An IS 14888-2:1999 signat ure on a message M is a pair ( r , s ) where 0 ≤ r < n and 1 ≤ s < n such t hat r = H . H ash ID where H = H ash ( Π .M ) and Π T he at t ack is as follows: 1. 2. 3. 4.

= y r s v mod n .

Select any s ∈ { 1, . . . , n − 1} , and any hash value H . Format r as r = H . W eak H ash ID . Find M such t hat W eak H ash ( Π | | M ) = H . Out put M and ( r , s ).

In cont rast t o t he ot her at t acks in t his sect ion t hat involve mult iple it erat ions, one it erat ion is suffi cient . In t his at t ack, t he opponent has t ot al cont rol over t he hash value H . T hus it may be possible t o forge signat ures if t he hash funct ion is weak only for cert ain hash values H , even if it is st ill st rong for random hash values. 3.3

N y b e rg-R u e p p e l S ign at u re s in IS 9796-3:2000

We finally consider t he signat ure scheme giving message recovery in IS 97963:2000 [12], which is based on t he Nyberg-Rueppel signat ure scheme [19]. We present t he discret e logarit hm version of t he scheme, but similar result s apply t o t he ellipt ic curve version.

8

Burt on S. Kaliski J r. ∗

Let p and q be odd primes where q | ( p − 1) and let g be an element of Z p wit h mult iplicat ive order q . T he public key is an element y ∈ Z p where y = g x mod p for some x ∈ { 2, . . . , q − 1} . Let ℓ q = ⌊ log2 q ⌋ + 1 be t he lengt h in bit s of t he prime q . In t his scheme, t he bit lengt h of t he hash value, ℓ H a sh , must be a mult iple of 8. As in Sect ion 3.1, we focus on t he sit uat ion t hat a hash funct ion ident ifier is included and t hat t he non-recoverable message part is not empty, in which case t he recoverable message part is ⌊ ( ℓ q − 1) / 8⌋ − ℓ H a sh / 8 − 1 byt es long. Let u = (( ℓ q − 1) mod 8) + 1. An IS 9796-3:2000 signat ure on a recoverable message part M 1 and a nonrecoverable message part M 2 , for t he condit ions just ment ioned, is a pair ( r , s ) where 1 ≤ r < q and 0 ≤ s < q such t hat ∗

(( r



Π

) mod q ) ⇐





0u .H . H ash ID .M 1    ℓ q

where H = H ash (  M 1  .  M 2  .M 1 .M 2 .Π ) and Π T he at t ack is as follows:

b it s

= g s y r mod p .

1. 2. 3. 4. 5.

Generat e r ∈ { 1, . . . , q − 1} and s ∈ { 0, . . . , q − 1} uniformly at random. Let Π = g s y r mod p . Let m = ( r − Π ) mod q . Let T be t he ℓ q -bit st ring corresponding t o m . If T is format t ed correct ly as T = 0u .H . H ash ID .M 1 , t hen parse T t o obt ain H , H ash ID and M 1 . If not , go t o st ep 1. 6. If H ash ID = W eak H ash ID , go t o st ep 1. 7. Find M 2 such t hat W eak H ash ( M 1 .M 2 ) = H . 8. Out put M 1 , M 2 and ( r , s ).

For st eps 5 and 6 t o succeed, t he st ring T in st ep 5 must begin wit h 0u and end wit h W eak H ash ID . Assuming t hat m in st ep 3 is uniformly dist ribut ed in (u + 8) { 0, . . . , q − 1} , t he probability t hat T has t he correct format is at least 2 . T hus t he expect ed number of it erat ions of st eps 1–6 at most 2u + 8 , which is at most 21 6 . −

4

O t h e r S ig n a t u re S ch e m e s w it h F ire w a lls

We now consider addit ional signat ure schemes wit h hash funct ion firewalls and discuss t he applicability of weak hash funct ion at t acks t o each one. 4.1

R S A / RW S ign at u re s in A N S I X 9.31

We first consider t he signat ure scheme wit h appendix in ANSI X9.31 [1], which, like t he scheme in IS 9796-2, can be based on eit her t he RSA or t he RabinWilliams crypt osyst em. As before, we will focus on t he RSA version. Let t he not at ion be as in Sect ion 3.1, except t hat only one padding st ring is defined, P ad u where u = ℓ n − ℓ H a sh − 16, a st ring of bit lengt h u wit h left most

On Hash Funct ion F irewalls in Signat ure Schemes

9

bit 0. Let v = ℓ n − u . (Act ually, ANSI X9.31 employs a diff erent padding st ring if M is t he empty st ring, but t his diff erence does not aff ect t he result .) T he ANSI X9.31 signat ure is a value s where 0 ≤ s < n / 2 such t hat ( ± s e mod n ) ⇐

P ad u .H . H ash ID . cc ⇒



 

ℓ n



b it s

where H = H ash ( M ). One approach t o a weak hash funct ion at t ack is t o generat e s at random unt il t he equat ion is sat isfied. T his will t ake at most about 2u + 1 5 it erat ions. However, wit h t he paramet ers in ANSI X9.31 – a 160-bit hash value and at least a 1024-bit modulus – u is at least 848, so t he at t ack is infeasible. Anot her approach, relevant when e is small (say, e = 3 for RSA or e = 2 for RW) is t o t ake int eger et h root s. Let α be t he int eger corresponding t o t he st ring P ad u . Considering only t he “+ ” case, t he verificat ion equat ion requires, among ot her condit ions, t hat α

2v

e

s
j τ where j τ represent s t he current value of count er j (Line b.2, Fig. 1) when t he faulty bit s are int roduced. Since t he words cont aining t he errors are no longer required for t he next it erat ions (i.e., for j = j τ , j τ − 1, . . . , 0, Line b.2, Fig. 1), t he comput at ion of R = A B mod n will be correct . Moreover, since R is rest ored int o regist er A , A ← A B mod n (Line a.3, Fig. 1), t he error locat ed in regist er A will be cleared and t he final result c d mod n will be correct , t oo. Conversely, if t he value of bit d i was 0, t hen t he int erleaved mult iplicat ion (Line a.3, Fig. 1) is bypassed at it erat ion i and t he errors induced int o regist er A will not be cleared, result ing in an incorrect value for t he final result c d mod n . Remember t hat we made t he explicit assumpt ion t hat t he adversary knows whet her a ciphert ext decrypt s correct ly or not . So, by inducing faulty bit s as previously described, she knows t he value of bit d i according t o whet her t he decrypt ion algorit hm ret urns an error message or not . Let us emphasize again t hat if Shamir’ s count ermeasure (or any ot her means t o det ect errors) was not implement ed, t hen t he adversary would not be able t o guess t he correct value of d i because, due t o t he limit ed feedback she is allowed t o have, she does not know whet her a ciphert ext decrypt s correct ly or not . In t his case, t he only way for her t o recover t he value of d i is t o raise t he value of c d mod n ret urned by t he decrypt ion algorit hm o t he e and compare it wit h t he original value of c ; if t hey mat ch t hen d i = 1, ot herwise d i = 0. However, t his supposes a much st ronger assumpt ion. Namely t hat (besides inducing fault s) t he adversary has access t o t he (raw) decrypt ed values of many ciphert ext s, which, in most cases, is quit e unrealist ic.

2

Here d has t o be underst ood as t he secret exponent involved in t he exponent iat ion. It st ands for t he decrypt ion key d in st andard mode and for d = d mod ( p − 1) (or d = d mod ( q − 1)) in CRT mode. p

q

22

Marc J oye et al.

3

T h e C ase o f A d d e d R o b u st n e ss t o S t ro n g e r A t t acks: O p t im al A sy m m e t ric E n cry p t io n P ad d in g

In t his sect ion we will again consider t he induced-fault at t ack model and t he same passive at t acker who is an observer of t he syst em’ s react ion. 3 .1

H ow t o E n c ry p t w it h R S A ?

Recall t hat t here is a big diff erence between t he R S A prim itive also called plain RSA encrypt ion (t hat is, t he modular exponent iat ion funct ion f : x → f ( x ) = x e mod n ) and an R S A en cryption schem e (t hat is, a part icular way t o use t he RSA primit ive t o encrypt a message). P lain RSA encrypt ion is definit ively not a reasonable way t o encrypt wit h RSA: as observed by Goldwasser and Micali [14], an encrypt ion scheme had bet t er be probabilist ic. T his st ems from t he fact t hat a det erminist ic scheme does not off er, in essence, t he desired property of in distin guishability . Informally, indist inguishability is defined as t he adversary’s inability t o make t he diff erence between t he encrypt ions of bit s ‘0’ and ‘1’, or more generally, given a challenge ciphert ext , t o learn any informat ion about t he corresponding plaint ext . T his does not imply t hat t he converse is necessarily t rue: Bleichenbacher [5] has shown t hat t he ( probabilistic) encrypt ion st andard RSA P KCS # 1 v1.5 does not achieve indist inguishability and exploit ed t his failure t o mount a chosen ciphert ext at t ack on some int eract ive key est ablishment prot ocols (e.g., SSL) const ruct ed from it . Ot her problems of plain schemes are present ed in [9]. T he commonly recommended way t o encrypt wit h RSA is t he Opt imal Asymmet ric Encrypt ion Padding (OAEP ) by Bellare and Rogaway [4] (which was claimed t o achieve chosen-ciphert ext security [26]) 3 . T his met hod was support ed by t he RSA st andardizat ion process [6] following t he Bleichenbacher at t ack. It was t hen published as RSA P KCS # 1 v2.0, which will be followed by t he IEEE and ANSI X9 st andards. A simplified version of OAEP (called basic embedding scheme in [4]) goes as follows. Let k = ⌊ log2 ( n ) ⌋ . A message m < 2k k 0 is encrypt ed as      e  c = m ⊕ G (r )  r ⊕ H m ⊕ G (r ) mod n (3) −

for a (public) “generat or” funct ion G : { 0, 1} k 0 → { 0, 1} k k 0 , a (public) hash funct ion H : { 0, 1} k k 0 → { 0, 1} k 0 and where r is a random int eger uniformly chosen in { 0, 1} k 0 . To decrypt t he ciphert ext c , t he decrypt ion algorit hm comput es x := c d mod n . T hen set t ing x 0 t o t he k 0 least significant bit s of x and x 1 t o t he remaining bit s of x (i.e., x = x 1 x 0 ), it comput es r = x 0 ⊕ H ( x 1 ) and ret urns x 1 ⊕ G ( r ) as t he plaint ext message corresponding t o c . OAEP diff ers from t he above in t hat some ext ra bit s are padded: t hey are used t o check t he int egrity of t he message. In part icular, OAEP achieves −







3

Recent ly, Shoup [31] has shown t hat t he original proof was enough t o claim only security against a non-adapt ive adversary [23], and a new proof of security was const ruct ed [12].

Observability Analysis

23

plain text-awaren ess , t hat is, informally, t he impossibility of producing a ciphert ext wit hout t he knowledge of t he corresponding plaint ext , a random oracle property which implies chosen-ciphert ext security. Let again k = ⌊ log2 ( n ) ⌋ . To encrypt a message m < 2k k 0 k 1 , choose a random int eger r in { 0, 1} k 0 and comput e      e  k k mod n (4) c = m { 0} 1 ⊕ G ( r )  r ⊕ H m { 0} 1 ⊕ G ( r ) −



for G : { 0, 1} k 0 → { 0, 1} k k 0 and H : { 0, 1} k k 0 → { 0, 1} k 0 . T hen, given c , t he decrypt ion algorit hm comput es x = c d mod n and set s x 0 t o t he k 0 least significant bit s of x and x 1 t o t he t he remaining bit s of x (i.e., x = x 1 x 0 ). Next , it comput es r = x 0 ⊕ H ( x 1 ) and y = x 1 ⊕ G ( r ), and set s y 0 t o t he k 1 least significant bit s of y and y 1 t o t he remaining bit s of y (i.e., y = y 1 y 0 ). If y 0 = { 0} k 1 t hen it ret urns y 1 as plaint ext ; ot herwise it ret urns an error message. −



3 .2





S e c o n d P a ra d ox

Here t oo, we see t hat t he decrypt ion algorit hm act s as an oracle . Hence as in Sect ion 2, we suppose t hat t he RSA exponent iat ion is carried out wit h an algorit hm such as t he one depict ed in Fig. 1, t hen by int roducing some errors, an adversary is able t o recover t he value of t he bit s d i of t he secret decrypt ion key d according t o t he decrypt ion is possible or not . It is wort h remarking t hat t he “basic embedding scheme” (see Eq. (3)) or even t he plain RSA encrypt ion are not suscept ible t o t his at t ack because t hey do not check t he int egrity4 . In t hose two cases, t he adversary must have access t o t he decrypt ed value, encrypt it and finally compare it t o t he init ial ciphert ext t o guess t he value of d i ; wit h OAEP, t he value of d i is deduced from the on ly kn ow ledge that an er r or m essage is return ed or n ot , t he knowledge of t he decrypt ed value is not necessary. We t hus have a second paradox: “ A m o r e r o b u s t im p le m e n t a t io n ( i. e . , s e c u r e a g a in s t a c t iv e a t t a c k s ) m a y , in f a c t , b e w e a k e r . ”

3 .3

S e t t in g -D e p e n d e n t R o b u s t n e s s in A n o t h e r C a s e

T he at t acks described in t his sect ion (and in Sect ion 2 and t he subsequent paradoxes) assume some variant s of t he induced-fault model of [8]. However, t he idea t hat improving a syst em t o increase it s robust ness in one sense may not suffi ce for ot her considerat ions can be widely applicable (regardless of t he specific model). In fact , we can draw exact ly t his conclusion by considering a model where t he decrypt ion is carried out by a device which is really t amper-proof (and no fault s are possible). Our at t ack follows t he recent at t ack by Manger [22] against (some implement at ions of) RSA P KCS # 1 v2.0 combined wit h t he power analysis of [21]. RSA P KCS # 1 v2.0 [1] is a slight variat ion of OAEP where t he most 4

Not e, however, t hat we do not suggest t o use a weaker form of encrypt ion for many ot her reasons.

24

Marc J oye et al.

significant byt e (MSB) of t he encoded message, m , being encrypt ed is forced t o 00h t o ensure t hat t he result ing padding is always smaller t han modulus n . Current implement at ions of t he decrypt ion operat ion decrypt c t o get m = c d mod n , check whether the fi rst byte of m is zero and if so, check t he OAEP int egrity of m . If bot h verificat ions are successful, t he plaint ext message m corresponding t o m is out put ; ot herwise, t here is an error message. If we can dist inguish between an error result ing from a t oo large message (i.e., MSB( m ) = 00h) and an error result ing from an incorrect decoding, t hen a chosen ciphert ext at t ack similar in spirit t o t hat of Bleichenbacher [5] can be mount ed (see [22] for det ails). T he t rivial solut ion consist s of course in making t he two error messages ident ical, as already recommended in t he P KCS # 1 v2.0 st andard ( c f . [1, § 7.1.2]). T he last P KCS # 1 v2.1 draft [2] explicit ly request s t o made t he two kinds of error indist inguishable; in part icular, it insist s t hat t he execut ion t ime of t he decrypt ion operat ion (t iming channel) must not reveal whet her t he first byt e is 00h or not . So, it is suggest ed t hat , in t he case of MSB( m ) = 00h, t o proceed t o t he OAEP int egrity check by set t ing m t o a st ring of zero oct ant s. However, such an “improved” solut ion is not sat isfact ory in all respect s, since it is very likely t hat power analysis (power consumpt ion channel) will reveal informat ion as t he power consumpt ion is relat ed t o t he manipulat ed dat a, making it easy t o dist inguish between t he zero st ring (when MSB( m ) = 00h) and a random-looking st ring m (when MSB( m ) = 00h).

4

T h e C ase o f In cre ase d S e cu rit y P aram e t e r: U nb alan ce d R S A

We now ret urn t o invest igat e a seemingly paradoxical sit uat ion. Act ually, t his sect ion shows t hat a seemingly improved variant of RSA is sub ject t o somewhat st ronger at t acks in t he physical sense, since t hey can be mount ed remot ely. Namely, we increase t he at t acker’ s power t o choose ciphert ext s, which she can “t ransmit only remot ely” (wit h or wit hout errors) t o t he device; at t he same t ime we limit t he adversary’ s device t ampering power as before t o be an observer of t he error messages (and not allowing it access t o decrypt ed values). 4 .1

R S A fo r P a ra n o id s

T he security of t he RSA syst em is based on t he diffi culty of fact oring large int egers. T herefore, a larger modulus off ers furt her security, at t he expense, however, of a larger comput at ional eff ort . A good compromise is t o use an un balan ced RSA modulus [28], t hat is, a modulus n = p q where p , q are primes and q ≫ p (e.g., | p | = 500 bit s and | q | = 4500 bit s). T he best fact orizat ion algorit hms [24] cannot t ake advant age of t hese special moduli and t hey t hus seem as secure as moduli const ruct ed from t he product of two 2500-bit primes. Shamir [28] observed t hat if t he plaint ext m being encrypt ed is smaller t han p , t hen, from t he corresponding ciphert ext c = m e mod n , it can be recovered as m = c d mod p p

Observability Analysis

25

(where d p = d mod ( p − 1)). T his follows immediat ely from Eq. (2) by not ing t hat m = m mod p = m p . T he result ing syst em is called R S A for paran oids . 4 .2

T h ird P a ra d ox

Is t he name ‘ RSA for paranoids’ really just ified? If a plaint extm larger t han p is encrypt ed (let c = m e mod n denot e t he corresponding ciphert ext ), t hen t he d mod p = m mod p = m . Consequent ly, gcd( m − m , n ) decrypt ion gives m = c gives t he secret prime p and t he syst em is broken [13]. Not e t hat t his can only be t urned int o an act ive at t ack if the adversary can get access to the value of m , which, as in t he previous sect ions, may be considered an unrealist ic assumpt ion in many cases. T he usual way t o prevent such an at t ack is t o enhance t he purely algebraic “plain” scheme and add redundancy and randomness t o t he plaint ext prior t o encrypt ion. T he redundancy enables one t o check t he int egrity of t he plaint ext and t he randomness serves t o avoid many drawbacks inherent t o any det erminist ic encrypt ion algorit hm ( c f . Sect ion 3). We t hus assume t hat t he syst em is implement ed using an appropriat e embedding of t he kind of OAEP 5 (or any ot her applicable variant t hereof); t he main point being t hat t he decrypt ion syst em “int ernally” checks t he in tegrity of t he plaint ext s (and assures message awareness even against act ive at t acks). T hus, as before, we now make t he weaker assumpt ion t hat the adversary on ly kn ows whether a ciphertext can be decrypted or n ot , but in no way, can she get access t o a decrypt ed value. However, we allow her t o choose ciphert ext s. T he at t ack demonst rat es our principle of observing behavior under an oracle. Technically, it follows t he basic propert ies shown in [13] (see also [18]). Since t he plaint ext s being encrypt ed must be smaller t han p , we set k = ⌊ log2 ( p ) ⌋ in t he OAEP descript ion given by Eq. (4):     OAEP ( m ) = m { 0} k 1 ⊕ G ( r )  r ⊕ H m { 0} k 1 ⊕ G ( r )





k − k 0 bit s k 0 bit s ′







p



for a message m ∈ { 0, 1} k k 0 k 1 and a random r ∈ { 0, 1} k 0 , where G : { 0, 1} k 0 → k k0 { 0, 1} and H : { 0, 1} k k 0 → { 0, 1} k 0 . T he adversary can fix t he value of t he ( k + 1 − k 0 − k 1 ) most significant bit s of OAEP ( m ) by an appropriat e choice for message m : if she want s t hat t hese bit s represent a chosen value T , she simply set s m = T ⊕ [G ( r )]k k 0 k 1 where [G ( r )]k k 0 k 1 denot es t he ( k − k 0 − k 1 ) most significant bit s of G ( r ). Fut hermore, t he adversary is not rest rict ed t o probe wit h valid messages; she can choose an m out of t he prescribed range (i.e., m ≥ 2k k 0 k 1 ) so t hat OAEP ( m ) will be a ( k + 1)-bit number or more. Consequent ly, t he adversary has a t ot al cont rol on all t he bit s of OAEP ( m ) except t he ( k 0 + k 1 ) least significant ones. From t his observat ion, we will now −





5















Remark t hat OAEP, as is, does not apply t o ‘ RSA for paranoids’since it s usage is limit ed t o permut at ions. One has t o use, for example, t he more general const ruct ion of [11].

26

Marc J oye et al.

explain how she can recover t he ( k + 1 − k 0 − k 1 ) most significant bit s of t he secret prime p . T he remaining bit s of p may be found by appropriat e choices for r , exhaust ion or more elaborat ed t echniques (e.g., [10]).  k Ask +t he  value of k is public, t he adversary knows t hat p lies in t he int erval I 0 = 2 , 2 1 . T hen she chooses an m so t hat it s OAEP embedding x 0 := OAEP ( m ) belongs t o I 0 and comput es t he corresponding ciphert ext c 0 = x 0 e mod n . If c 0 can be decrypt ed 6 t hen she knows t hat x 0 < p ; ot herwise (i.e., if an error message is ret urned) t hat x 0 ≥ p .  She t hen reit erat es t he process wit h   she knows t he int erval I 1 = x 0 , 2k + 1 or I 1 = 2k , x 0 , respect ively, wit h a new message each t ime. And so on. . . unt il t he ( k + 1 − k 0 − k 1 ) most significant bit s of p are disclosed. Not e t hat t his at t ack does not make sense in t he st andard RSA; t hat is, when t he decrypt ion is comput ed modulo n = p q . So, in t his view, t he RSA for paranoids wit h a 5000-bit RSA modulus ( | p | = 500 bit s and | q | = 4500 bit s) is weaker t han t he st andard RSA using a 1000-bit modulus where | p | = | q | = 500 bit s. Hence, t he paradox: “ A s t r o n g e r s y s t e m w it h in c r e a s e d le n g t h p a r a m e t e r s ( w h ic h p o s s ib ly m a k e t h e u n d e r ly in g p r o b le m h a r d e r ) m a y , in f a c t , b e w e a k e r . ”

5

C o n clu sio n s

What we saw are t hree improvement s t hat act ually in some operat ional set t ing induce exposures (vulnerabilit ies). In each of t he t hree cases, we show t hat t here are implement at ion environment s where: 1. Increasing Reliability may weaken t he syst em; 2. Improving Security and Robust ness t o at t acks (OAEP ) may weaken t he syst em; 3. Improving cert ain security paramet ers (especially if t he growt h is not uniform in all paramet ers) may weaken t he syst em. T he t hesis put fort h and demonst rat ed in t his paper is t hat a syst em exist s wit hin cert ain operat ional environment which may enable adversaries t o t amper and perform ot her (somewhat limit ed) observat ions regarding t he syst em’ s operat ions. Paradoxically, what looks like a “universal improvement ” or “st raight forward improvement ” which enables bet t er security and bet t er reliability, may in fact , wit hin t hese specific operat ional cont ext s, int roduce new exposures and at t acks. Where do t he paradoxes come from? Given t he at t ack, one not ices t hat t he improved “more secure and reliable syst em” t akes addit ional comput at ional measures t o improve it self. However, t hese measures may increase t he o b s e rva b ilit y of t he syst em w.r.t . cert ain (possibly newly) int roduced “event s”. Under cert ain allowed at t ack scenarios (int eract ion wit h t he implement ed environment ) t his increased observability in fact makes t he syst ems less smoot h in t he sense t hat 6

T he at t ack supposes t hat t he decrypt ion algorit hm does not check, implicit ly or explicit ly, t hat t he decrypt ed m is < 2 − 0 − 1 (see [18, Sect ion 3]). k

k

k

Observability Analysis

27

t he event s (report ed by t he oracle) reveal t he inner workings. T he adversary in t he less smoot h operat ion mode can play wit h or observe t he increased set of possible event s. T his, in t urn, may enable her t o break t he syst em. On t he ot her hand, t he syst em wit hout t he improvement may operat e more smoot hly and produce less not iceable diff erences in report ed event s, t hus not enabling at t acks as above. It is expect ed t hat as crypt ography becomes very st rong, fut ure adversaries will concent rat e on exploit ing observable event s and informat ion emit t ed by t he working environment . T he basic rule which may resolve t he paradoxes can (informally) be st at ed as follows: “A

st ron ger sy st em

w h o s e o p e r a t io n , h o w e v e r , is le s s s m o o t h t h a n a

w e a k e r c o u n t e r p a r t ( n a m e ly w h e r e it s in t e r a c t io n w it h t h e a d v e r s a r ia l e n v ir o n m e n t e n a b le s e n h a n c e d “ o b s e r v a b ilit y ” o f e v e n t s w h ic h r e fl e c t o n it s in n e r w o r k in g s ) , m a y , in f a c t , b e w e a k e r . ”

In conclusion, t he nat ural belief t hat obvious st raight -forward security improvement s are always good (namely, are universal) is a fallacy. In fact , security measures are con text sen sitive , especially when we consider t he full cycle of a crypt ographic syst em (design, implement at ion, and operat ion). T he int erplay of t he basic design wit h t he im plem en tation and operation al en viron m en t and t he pot ent ial adversaries in each st age should be considered very carefully in t he deployment of act ual working syst ems. While t he above issue may have been implicit ly not iced earlier, our examples demonst rat e it on quit e modern st at eof-t he-art const ruct ions. We feel t hat t he not ion of “event observability” and it s implied exposures and weaknesses have t o be t aken int o considerat ion when analyzing t he security of a working crypt osyst em. Our invest igat ion point s out t hat one should conduct what may be called “observability analysis” of t he working environment , analyzing event s under an expect ed or reasonable (well modeled) set of exposures. It should t hen be made sure t hat t he pot ent ially observable event s are not made available t o t he possible adversary (by eit her t echnical, physical or operat ional measures).

R e fe re n ce s 1. RSA Laborat ories. P KCS # 1 v2.0: RSA crypt ography st andard, Oct ober 1, 1998. Available at http://www.rsasecurity.com/rsalabs/pkcs/. 2. RSA Laborat ories. P KCS # 1 v2.1: RSA crypt ography st andard, Draft 2, J anuary 5, 2001. Available at http://www.rsasecurity.com/rsalabs/pkcs/. 3. F . Bao, R. Deng, Y. Han, A. J eng, A. D. Narasimhalu, and T .-H. Ngair. Breaking public key crypt osyst ems on t amper resist ant devices in t he presence of t ransient fault s. In B. Christ ianson, B. Crispo, M. Lomas, and M. Roe, eds, Secur i ty Protocols, vol. 1361 of Lecture N otes i n Computer Sci ence, pp. 115–124, Springer-Verlag, 1998. 4. Mihir Bellare and P hillip Rogaway. Opt imal asymmet ric encrypt ion — How t o encrypt wit h RSA. In A. De Sant is, ed., Advances i n Cr yptology – EU ROCRY PT ’ 94, vol. 950 of Lecture N otes i n Computer Sci ence, pp. 92–111, Springer-Verlag, 1995.

28

Marc J oye et al.

5. Daniel Bleichenbacher. A chosen ciphert ext at t ack against prot ocols based on t he RSA encrypt ion st andard RSA P KCS # 1. In H. Krawczyk, ed., Advances i n Cr yptology – CRY PT O ’ 98, vol. 1462 of Lecture N otes i n Computer Sci ence, pp. 1–12, Springer-Verlag, 1998. 6. Daniel Bleichenbacher, Burt Kaliski, and J essica St addon. Recent result s on P KCS # 1: RSA encrypt ion st andard. RSA Laborator i es’ B ul leti n, no. 7, J une 1998. 7. Dan Boneh. T wenty years of at t acks on t he RSA crypt osyst em. N oti ces of the A M S, 46(2):203–213, 1999. 8. Dan Boneh, Richard A. DeMillo and Richard J . Lipt on. On t he import ance of checking crypt ographic prot ocols for fault s. In W . Fumy, ed., Advances i n Cr yptology – EU ROCRY PT ’ 97, vol. 1233 of Lecture N otes i n Computer Sci ence, pp. 37– 51, Springer-Verlag, 1997. 9. Dan Boneh, Ant oine J oux, and P hong Q. Nguyen. W hy Text book El Gamal and RSA encrypt ion are insecure. In T . Okamot o, ed., Advances i n Cr yptology – A SI A CRY PT 2000, vol. 1976 of Lecture N otes i n Computer Sci ence, pp. 30–43, Springer-Verlag, 2000. 10. Don Coppersmit h. Small solut ions t o polynomial equat ions, and low exponent RSA vulnerabilit ies. Jour nal of Cr yptology , 10(4):233–260, 1997. 11. Eiichiro Fujisaki and Tat suaki Okamot o. How t o enhance t he security of public-key encrypt ion at minimum cost . In H. Imai and Y. Zheng, eds., Publi c K ey Cr yptography , vol. 1560 of Lecture N otes i n Computer Sci ence, pp. 53–68, Springer-Verlag, 1999. 12. Eiichiro Fujisaki, Tat suaki Okamot o, David P oint cheval, and J acques St ern. RSA– OAEP is secure under t he RSA assumpt ion. In J . Kilian, ed., Advances i n Cr yptology – CRY PT O 2001, vol. 2139 of Lecture N otes i n Computer Sci ence, SpringerVerlag, 2001. 13. Henri Gilbert , Dipankar Gupt a, Andrew Odlyzko, and J ean-J acques Quisquat er. At t acks on Shamir’ s ‘ RSA for paranoids’I .nfor mati on Processi ng Letter s, 68:197– 199, 1998. 14. Shafi Goldwasser and Silvio Micali. P robabilist ic encrypt ion. Jour nal of Computer and System Sci ences, 28:270–299, 1984. 15. Marc J oye, Arjen K. Lenst ra, and J ean-J acques Quisquat er. Chinese remaindering crypt osyst ems in t he presence of fault s. Jour nal of Cr yptology , 12(4):241-245, 1999. 16. Marc J oye, P ascal P aillier, and Sung-Ming Yen. Secure evaluat ion of modular funct ions. In R.J . Hwang and C.K. Wu, eds., Proc. of the 2001 I nter nati onal W or kshop on Cr yptology and N etwor k Secur i ty ( CN S 2001) , pp. 227–229, Taipei, Taiwan, Sept ember 26–28, 2001. 17. Marc J oye, J ean-J acques Quisquat er, Feng Bao, and Robert H. Deng. RSA-type signat ures in t he presence of t ransient fault s. In M. Darnell, ed., Cr yptography and Codi ng, vol. 1355 of Lecture N otes i n Computer Sci ence, pp. 155–160, SpringerVerlag, 1997. 18. Marc J oye, J ean-J acques Quisquat er, and Mot i Yung. On t he power of misbehaving adversaries and security analysis of t he original EP OC. In D. Naccache, ed., Topi cs i n Cr yptology – CT -RSA 2001, vol. 2020 of Lecture N otes i n Computer Sci ence, pp. 208–222, Springer-Verlag, 2001. 19. Burt on S. Kaliski J r. Comment s on a new at t ack on crypt ographic devices. RSA Laborat ories Technical Not e, Oct ober 23, 1996. 20. C ¸ et in K. Ko¸c. RSA hardware implement at ion. Technical Report T R 801, RSA Laborat ories, April 1996.

Observability Analysis

29

21. P aul Kocher, J oshua J aff e, and Benjamin J un. Diff erent ial power analysis. In M. W iener, edit or, Advances i n Cr yptology – CRY PT O ’ 99, vol. 1666 of Lecture N otes i n Computer Sci ence, pp. 388–397, Springer-Verlag, 1999. 22. J ames Manger. A chosen ciphert ext at t ack on RSA opt imal asymmet ric encrypt ion padding (OAEP ) as st andardized in P KCS # 1. In J . Kilian, ed., Advances i n Cr yptology – CRY PT O 2001, vol. 2139 of Lecture N otes i n Computer Sci ence, pp. 230–238, Springer-Verlag, 2001. 23. Moni Naor and Mot i Yung. P ublic-key crypt osyst ems provably secure against chosen ciphert ext at t acks. In Proc. of the 22nd A CM A nnual Symposi um on the T heor y of Computi ng ( ST OC ’ 90), pp. 427–437, ACM P ress, 1990. 24. Andrew Odlyzko. T he fut ure of int eger fact orizat ion. Cr yptobytes, 1(2):5–12, 1995. 25. J ean-J acques Quisquat er and Chant al Couvreur. Fast decipherment algorit hm for RSA public-key crypt osyst em. Electroni cs Letter s, 18:905–907, 1982. 26. Charles Rackoff and Daniel R. Simon. Non-int eract ive zero-knowledge proof of knowledge and chosen ciphert ext at t ack. In J . Feigenbaum, ed., Advances i n Cr yptology – CRY PT O ’ 91, vol. 576 of Lecture N otes i n Computer Sci ence, pp. 433–444, Springer-Verlag, 1992. 27. Ronald L. Rivest , Adi Shamir, and Leonard M. Adleman. A met hod for obt aining digit al signat ures and public key crypt osyst ems. Communi cati ons of the A CM , 21(2):120–126, 1978. 28. Adi Shamir. RSA for paranoids. Cr yptobytes, 1(2):1–4, 1995. 29. Adi Shamir. P at ent US 5.991.415: Met hod and apparat us for prot ect ing public key schemes from t iming and fault at t acks, 12 May 1997. 30. Adi Shamir. How t o check modular exponent iat ion. P resent ed at t he rump session of EU ROCRY PT ’ 97, Konst anz, Germany, 11–15t h May 1997. 31. Vict or Shoup. OAEP reconsidered. In J . Kilian, ed., Advances i n Cr yptology – CRY PT O 2001, vol. 2139 of Lecture N otes i n Computer Sci ence, Springer-Verlag, 2001. 32. Sung-Ming Yen and Marc J oye. Checking before out put may not be enough against fault -based crypt analysis. I EEE Transacti ons on Computer s, 49(9):967–970, 2000.

P re c is e B o u n d s fo r M o n t g o m e ry M o d u la r M u lt ip lic a t io n a n d S o m e P o t e n t ia lly In s e c u re R S A M o d u li Colin D. Walt er Comodo Research Laborat ory 10 Hey St reet , Bradford, BD7 1DQ, UK www.comodo.net Comput at ion Depart ment , UMIST P O Box 88, Sackville St reet , Manchest er, M60 1QD, UK www.co.umist.ac.uk An opt imal upper bound for t he number of it erat ions and precise bounds for t he out put are est ablished for t he version of Mont gomery Modular Mult iplicat ion from which condit ional st at ement s have been eliminat ed. T he removal of such st at ement s is done t o avoid t iming at t acks on embedded crypt osyst ems but it can mean great er execut ion t ime. Unfort unat ely, t his ineffi ciency is close t o it s maximal for st andard RSA key lengt hs such as 512 or 1024 bit s. Cert ain such keys are t hen pot ent ially sub ject t o at t ack using diff erent ial power analysis. T hese keys are ident ified, but t hey are rare and t he danger is minimal. T he improved bounds, however, lead t o consequent savings in hardware. K e y w o r d s: Crypt ography, RSA crypt osyst em, Mont gomery modular mult iplicat ion, diff erent ial power analysis, DPA. A b st r a c t .

1

In t ro d u c t io n

Modular mult iplicat ion forms t he basis of RSA encrypt ion [11], El-Gamal encrypt ion [5], and Diffi e-Hellman key exchange [2] as well as many ot her crypt ographic funct ions. One algorit hm which is part icularly effi cient for such mult iplicat ion is t hat of Pet er Mont gomery [9]. Since t he algorit hm makes modular adjust ment s unrelat ed t o t he magnit ude of t he accumulat ing part ial product , precise bounds on it s out put are of int erest in order t o det ermine how much space is required for operands and also how many it erat ions of it s main loop need t o be performed. If M is t he modulus in quest ion, it is easy t o show t hat t he main loop of Mont gomery’s algorit hm will generat e an out put less t han 2M if t he input s sat isfy t hat same condit ion and enough it erat ions are done [3]. T hus exponent iat ion can be performed more simply by omit t ing t he final condit ional subt ract ion of M from each mult iplicat ion unt il t he last one. However, wit h st andard choices of RSA key lengt h, such as 512 or 1024 bit s, 2M usually exceeds t he word lengt h by just 1 bit . Hence, for effi ciency reasons, t he condit ional subt ract ions are usually included. But , recent st udies of embedded crypt ographic syst ems have revealed t he import ance of eliminat ing condit ional st at ement s from code because t hey may B . P r e n e e l ( E d . ) : C T -R S A 2 0 0 2 , L N C S 2 2 7 1 , p p . 3 0 – 3 9 , 2 0 0 2 .  c S p r in g e r -V e r la g B e r lin H e id e lb e r g 2 0 0 2

P recise Bounds for Mont gomery Modular Mult iplicat ion

31

enable t iming at t acks t o be mount ed [7]. For example, t he condit ional subt ract ion of M occurs wit h diff erent probability during an exponent iat ion depending on whet her t he operat ion being performed is a square or a mult iplicat ion [13]. T his can lead t o t he recovery of t he secret key. So, in [12] it was shown t hat a l l condit ional st at ement s, even t he very last one, can be removed from exponent iat ion code using Mont gomery modular mult iplicat ion if suffi cient ly many it erat ions are performed. Hachez and Quisquat er [6] subsequent ly showed t hat t he suffi cient condit ions given in [12] can lead t o an excessive number of it erat ions. In fact , t he problem only arises close t o word boundaries. T he main purpose of t his paper is t o improve furt her on t he effi ciency issues which arise from [6] and [12]. Specifically, we est ablish t he precise condit ions for avoiding unnecessary it erat ions, and for select ing opt imal hardware for cert ain common modulus lengt hs. Unfort unat ely, ineffi ciency t urns out t o be close t o it s maximum for st andard RSA key lengt hs such as 512 or 1024 bit s. For such key lengt hs t he normal 2M bound yields a t opmost “overflow” digit of eit her 0 or 1. Because of t he diff erent power used during mult iplicat ion by zero and non-zero words, t his could lead t o an at t ack on t he crypt osyst em using d i ff e re n t i a l po w e r a n a ly s i s (DPA) [8], [14]. A secondary aim of t his paper is t herefore t o ident ify t he moduli for which t his is a risk and assess t he danger. T he very fort unat e conclusion is t hat almost all st andard keys are safe from t his form of DPA at t ack, and for t hose which are vulnerable t he risk is ext remely small. As a by-product , we show t hat hardware savings are possible for all st andard RSA moduli by ensuring t hat t he out put has t he same number of digit s as t he modulus.

2

M o n t g o m e ry M o d u la r M u lt ip lic a t io n ( M M M )

For t he not at ion, suppose t he crypt o-syst em is support ed by a mult iplier t hat performs k -bit × k -bit mult iplicat ions. Let r = 2k . T he i + 1st digit of A in base n − 1 i r will be writ t en A [i ] and so t he value of A is A = A [i ]r if it has n digit s. i = 0 T hen t he appropriat e form of t he MMM algorit hm is as below. It excludes t he usual final condit ional st at ement :

If P >= M then P N , N must be subt ract ed so t hat t he out put can be used as input of t he next mult iplicat ion. To avoid t his subt ract ion a bound for R is known ([23]) such t hat for input s X , Y < 2N also t he out put is bounded by T < 2N . In [23] t he need of avoiding reduct ion aft er each mult iplicat ion is addressed. In pract ice t his means t hat t he out put of t he mult iplicat ion can be direct ly used as an input of t he next Mont gomery mult iplicat ion. We want t o find a bound on R such t hat wit h X , Y < 2N t he out put of t he Mont gomery mult iplicat ion T < 2N . Writ e R ≥ k N , t hen: T

=

X Y

+ mN R

=

X Y R

+

m R

N
4N .

1

mod N
0 do Begin If (RemE mod 2) = 1 then ResultM := StartM× ResultM ; StartM := StartM2 ; RemE := RemE div 2 ; E { Loop invariant : M = S t ar t M R em E End ; E { P ost -condit ion: R es u l t M = M }

×

R es u l t M

}

T hus S t a r t M cont ains t he init ial value M raised t o a p ower of 2, and it is t he st art ing p oint for each loop it erat ion. R es u l t M is t he part ial product which cont ains M raised t o t he p ower of t he processed suffi x of E and ends up cont aining t he required out put . W it hout t he e s s e n t i a l random feat ure made p ossible by a larger divisor set , t his is an insecure sp ecial case of Mist. In fact , we are assuming t hat t he at t acker can dist inguish b etween squares and mult iplies. Hence he can read off t he bit s of t he exp onent in t he ab ove from t he sequence of long int eger inst ruct ions which he deduces. However, unlike t he left -t o-right version of square-and-mult iply, b ot h argument s in t he condit ional product are now changed for every mult iplicat ion. T his, at least , makes an at t ack of t he typ e [11] impract ical. Next is t he generalisat ion of t his, which is named “ Mist” b ecause of it s use in obscuring t he exp onent from side channel at t acks. For convenience and comparison, t he processing of t he exp onent E is present ed as b eing p erformed wit hin t he main loop. In pract ice, it m u s t b e scheduled diff erent ly. As will b e p oint ed out b elow, t he illust rat ed processing order is insecure from t he p oint of diff erent ial p ower analysis b ecause it can reveal t he random choice of t he divisor D , which m u s t remain secret . In fact , t he choices of divisors and comput at ions wit h t he exp onent must b e done init ially in a secure way, or at least int erleaved wit h t he long int eger op erat ions in a more considered way. To b e even more precise, t he complet e schedule of long int eger op erat ions, i.e. t he addit ion chain which det ermines t he exp onent iat ion scheme, should b e comput ed wit h great care in order t o hide t he choice of divisors.

56

Colin D. Walt er

The Mist Exponentiation Algorithm { b efore prop er re-scheduling of addit ion chain choices { P re-condit ion: E ≥ 0 } RemE := E ; StartM := M ; ResultM := 1 ; While RemE > 0 do Begin Choose a random “divisor” D ; R := RemE mod D ; If R = 0 then ResultM := StartMR × ResultM ; StartM := StartMD ; RemE := RemE div D ; E { Loop invariant : M = S t ar t M R em E End ; E { P ost -condit ion: R es u l t M = M }

×

}

R es u l t M

}

Observe t hat t here are no p owers of M which are rep eat edly re-used during t he exp onent iat ion, so t hat t he at t ack describ ed in [11] on a single exp onent iat ion is inapplicable in it s current form. Also, t he random choice of divisors achieves diff erent exp onent iat ion schemes on successive runs and so makes imp ossible t he usual averaging process required for diff erent ial p ower analysis [5]. For t he proof of correct ness, it is immediat e t hat t he st at ed invariant M

E

=

S t ar t M

R em E

×

R es u l t M

holds at t he st art of t he first it erat ion of t he loop. Because init ial and final values of R em E for one loop it erat ion sat isfy R em E I

n itial

=

D

×

R em E F

in al

+ R

it is easy t o check t hat if t he invariant holds at t he st art of an it erat ion t hen it holds again at t he end of t he it erat ion. Consequent ly, t he invariant holds at t he end of every it erat ion. In part icular, at t he end of t he last it erat ion, we have R em E = 0 and hence, by simplifying t he invariant , R es u l t M = M E . So R es u l t M yields t he required result on t erminat ion. Needless t o say, t erminat ion is guarant eed b ecause only divisors great er t han 1 are allowed, and so RemE decreases on every it erat ion. T he choices of divisor set and associat ed addit ion chains for each residue R are made wit h security and effi ciency in mind. In part icular, for effi ciency t he choice of addit ion chain for raising t o t he p ower D always includes R so t hat t he comput at ion of S t a r t M D provides S t a r t M R e n ro u t e at lit t le or no ext ra cost . T hus, t hese two p ower comput at ions are not p erformed indep endent ly, as might b e implied by t he code. T hey are t o b e implement ed so t hat S t a r t M D uses all t he work done already t o comput e S t a r t M R . So, in t he case of RSA, t he

Mist: An Effi cient , Randomized Exponent iat ion Algorit hm

57

main cost of a loop it erat ion is only t he cost of comput ing S t a r t M D plus t he condit ional ext ra mult iplicat ion involving R es u l t M . In t erms of space, an ext ra long int eger variable T em pM is required t o enable t he addit ion chain op erat ions t o b e carried out . It s value is always a p ower of t he value of S t a r t M at t he b eginning of t he main loop ab ove, but it s value does not need t o p ersist b etween successive it erat ions of t he loop. Of course, on t he final it erat ion, once S t a r t M R has b een comput ed t here is no need t o cont inue t o comput e t he rest of S t a r t M D . Likewise, t he init ial mult iplicat ion of R es u l t M by 1 can b e easily omit t ed. For security reasons, some care is necessary in t he init ial choice of divisor set and addit ion chains, and in how and when t he divisors are chosen for each exp onent iat ion. T he select ion of t he divisor and associat ed addit ion chain inst ruct ions can b e p erformed by t he CP U on-t he-fly while t he exp onent iat ion is p erformed in parallel by t he co-processor, or it can b e done in advance when t here is no co-processor. At any rat e, t hese comput at ions must b e scheduled so as not t o reveal t he end p oint s of each it erat ion of t he main loop. Ot herwise, t he numb er and typ e of long int eger op erat ions during t he loop it erat ion may leak t he values of D and R , enabling E t o b e reconst ruct ed. A typical safe set of divisors is { 2,3,5} . If t he exp onent is represent ed using a radix which is a mult iple of every divisor (say 240 in t his case if an 8-bit processor is b eing used) t hen t he divisions of t he exp onent by D b ecome t rivial. So, over and ab ove t he op erat ions for execut ing t he addit ion chain, t he cost of t he algorit hm is lit t le more t han t hat for calling t he random numb er generat or t o select each D .

3

T h e A d d it ion S u b -ch ain s an d S p ace R e qu ire m e nt s

W hen divisor choices are made during pre-processing, t he sequence of op erat ions t o p erform t he exp onent iat ion is st ored as an a d d i t i o n c h a i n [3]. For a safe implement at ion, t he pat t ern of squares and mult iplies in t his chain must not reveal t oo much ab out t he divisors and residues. However, for t he complexity considerat ions of t his and t he following sect ion, we only need t o look at t he sub chain associat ed wit h a single divisor. Such sub chains can b e concat enat ed t o yield an addit ion chain for t he whole exp onent iat ion, if desired. Let us choose t he divisor set t o b e { 2,3,5} . T he full list of minimal addit ion sub chains can b e represent ed as follows: 1+ 1= 2 1+ 1= 2, 1+ 2= 3 1+ 1= 2, 1+ 2= 3, 2+ 3= 5 1+ 1= 2, 2+ 2= 4, 1+ 4= 5

for for for for

divisor divisor divisor divisor

2 3 5 5

wit h wit h wit h wit h

any any any any

residue residue residue residue

R R

except 4 except 3

T he t hird case corresp onds t o using an init ial M 1 t o comput e M 2 wit h one mult iplicat ion, t hen M 3 wit h anot her mult iplicat ion, and finally M 5 wit h a t hird mult iplicat ion. T he first t hree addit ion chains provide M R when R is 0, 1, 2 or 3: for 0 < R < D t he chain already cont ains t he value of R , while t he case R = 0 requires no mult iplicat ion and so 0 does not need t o app ear. T he

58

Colin D. Walt er

last addit ion chain can b e used when R = 4. M i n i m a l here means t hat any ot her addit ion chains which give a p ower equal t o t he divisor are longer. T he sub chains ab ove are minimal. To achieve t he fast est exp onent iat ion, we will not include longer chains. However, t here may b e ext ra crypt ographic st rengt h in ext ending t he choice in such a way. T here is no inst ruct ion which up dat es t he value of R es u l t M in t he ab ove addit ion sub chains, but it can b e represent ed explicit ly using t he following not at ion. Supp ose we numb er t he regist ers 1 for S t a r t M , 2 for T em pM and 3 for R es u l t M . T hen t he sub chains can b e st ored as sequences of t riples i j k ∈ { 1, 2, 3} 3 , where i j k means read t he cont ent s from regist ers i and j , mult iply t hem t oget her, and writ e t he product int o regist er k . In part icular, R es u l t M will always b e up dat ed using a t riple of t he form i 33 and 3 will not app ear in t riples ot herwise. Now, adding in t he inst ruct ion for up dat ing R es u l t M yields t he following as a p ossible list of sub chains, wit h one represent at ive for each divisor/ residue pair [D , R ]. Such a t able requires only a few byt es of st orage.

T a b le 3 .1 .

A Choice for t he Divisor Sub-Chains. [2, 0] [2, 1] [3, 0] [3, 1] [3, 2] [5, 0] [5, 1] [5, 2] [5, 3] [5, 4]

(111) (112, 133) (112, 121) (112, 133, 121) (112, 233, 121) (112, 121, 121) (112, 133, 121, 121) (112, 233, 121, 121) (112, 121, 133, 121) (112, 222, 233, 121)

Many ot her choices are p ossible. In part icular, we might prefer t o preserve t he locat ion of S t a r t M t o b e in regist er 1 from one divisor t o t he next . T his could b e achieved by choosing (133, 111) inst ead of (112, 133) for [2,1]. T hen sub chains of t riples i j k could b e concat enat ed wit hout modificat ion t o provide t he complet e exp onent iat ion scheme. However, for t he given sub chain, t he new value for S t a r t M is in regist er 2 inst ead of regist er 1. Rat her t han wast e t ime copying, t he comput at ion should cont inue wit h 2 as t he address for S t a r t M , and t he next sub chain t hen has t o b e up dat ed wit h t he regist er addresses 1 and 2 int erchanged. However, as not ed in t he p enult imat e sect ion, t his apparent ly less obvious choice for [2,1] makes t he implement at ion more secure against diff erent ial p ower analysis. Following t his last remark, it is clear t hat we could provide an addit ional source of randomness by writ ing t he product int o any regist er whose current cont ent s are no longer required [6]. T hus t he purp ose of each regist er can b e changed. If we include every p ossible minimal addit ion sub chain wit h such variat ions, t hen we obt ain 2, 6, 2, 6, 4, 4, 16, 8, 4 and 4 p ossibilit ies resp ect ively for

Mist: An Effi cient , Randomized Exponent iat ion Algorit hm

59

t he 10 divisor/ residue cases. T he st orage is st ill only a few byt es, but it provides an ext ra source of randomness which may provide added security. T hus t he space order required for Mist is low. In t he next sect ion we t urn t o t he t ime complexity, which we measure in t erms of t he numb er of mult iplicat ions in t he exp onent iat ion scheme.

4

T h e T im e C om p le x ity

T he usual square-and-mult iply algorit hm uses 1. 5× ⌊ log 2 E ⌋ mult iplicat ive op erat ions (including squarings) on average and a maximum of at most 2× ⌊ log 2 E ⌋ . In t his sect ion almost t he same upp er b ound will b e est ablished for Mist, and an improved average. In pract ice t he variance is very small. Consequent ly, if a pre-comput ed scheme involved more t han 1. 5× ⌊ log 2 E ⌋ mult iplicat ions, say, it could b e abandoned and an alt ernat ive scheme comput ed. 4 . 1 Assume minimal sub chains are provided as ab ove for t he divisor set { 2,3,5} and E > 0, and unnecessary init ial and final mult iplicat ions have b een omit t ed. T hen t he maximum numb er of op erat ions in an addit ion chain for E is at most 2 log 2 E wit h equality p ossible only for E = 1. T h eor em

P r o o f . We use a proof by descent : assuming E is a smallest count er-example, we will const ruct a smaller count er-example E ′ for which t he t heorem fails. Such a cont radict ion will prove t he t heorem. F irst assume t hat at least two divisors are required t o reduce t he minimal count er-example E t o 0. We will consider t he t hree choices for t he first divisor of E in t urn. Supp ose t he first divisor is 3. T hen E ′ = E div 3 is t he next value of R em E aft er E and 3E ′ ≤ E . Let m b e t he numb er of mult iplicat ions for E , and k t he numb er for t his first divisor 3. T hen k = 2 or 3, so t hat k < 2(log 2 3) ≈ 2× 1. 585. By assumpt ion, m ≥ 2 log 2 E . So m ≥ 2 log 2 (3E ′ ) = 2 log 2 ( E ′ ) + 2(log 2 3) gives m − k > m − 2(log 2 3) ≥ 2 log 2 ( E ′ ). But m − k is t he numb er of mult iplicat ions for E ′ . Hence we obt ain a smaller E for which t he t heorem does not hold. T his is a cont radict ion unless E ′ = 0. However, t hat is imp ossible as t here is anot her divisor in t he exp onent iat ion scheme. Similarly, supp ose t he first divisor is 5 and E ′ is t he next value for R em E . T hen t he associat ed sub chain requires k = 3 or 4 mult iplicat ions, so t hat k < 2(log 2 5) ≈ 2× 2. 322. T hus, a similar argument yields a cont radict ion again. Last ly, supp ose t he first divisor is 2 and E ′ is defined again as t he next value for R em E . If E is odd, t hen 2E ′ < E and t he corresp onding division requires k = 2 = 2(log 2 2) mult iplicat ions. By assumpt ion, m ≥ 2 log 2 E > 2+ 2 log 2 E ′ . So t he numb er of mult iplicat ions used by E ′ is m − 2 > 2 log 2 ( E ′ ) and E ′ is also a failing inst ance unless E ′ = 0, which is a cont radict ion as t here is st ill anot her divisor t o come. On t he ot her hand, if E is even, t hen t he corresp onding division requires k = 1 mult iplicat ion. By assumpt ion, m ≥ 2 log 2 E = 2+ 2 log 2 E ′ . So t he numb er of mult iplicat ions used by E ′ is m − 1 > 2 log 2 ( E ′ ) and E ′ is also a failing inst ance unless E ′ ≤ 0, which, as b efore, is a cont radict ion.

60

Colin D. Walt er

It remains t o consider t he cases of a single divisor reducing E t o 0. For all of t hese, t he chosen divisor sat isfies D > E since E div D = 0 and so R = E . T he only mult iplicat ions are t hose which const ruct M E . For E = 1, 2, 3, 4 t he numb er of mult iplicat ions are 0, 1, 2 and 2 resp ect ively, all of which sat isfy t he t heorem. Hence, by t he met hod of descent , t here are no failing inst ances, and t he t heorem holds. It may b e wort h not ing t hat removal of a divisor 3 or 5 at any p oint from t he addit ion chain for E (ot her t han t he last ) yields a chain for which t he b ound in t he t heorem is t ight er. T he same is t rue when t he divisor is 2 and t he residue 0. T hus, t he t ight est b ounds (i.e. t he most mult iplicat ions for given E ) will occur when only divisor 2 is chosen and t he residue is always 1. T hen E = 2n − 1 for some n and E requires n − 1 sub chains of 2 op erat ions t o reduce R em E t o 21 − 1, leading t o 2n − 2 op erat ions in all. So 2× ⌊ log 2 E ⌋ would normally hold as an upp er b ound. However, it requires more care t o est ablish t he except ions for t his slight ly b et t er b ound.

5

A W e ight in g for t h e C h oice of D iv isor

Supp ose k is t he numb er of mult iplicat ions required for t he divisor/ residue pair ( D , R ). T he result of picking divisor D is t hat R em E is reduced by a fact or which is very close t o D , esp ecially when R em E is large. So, we would exp ect t he t ot al numb er of mult iplicat ions t o b e close t o k log D E if ( D , R ) occurred for every divisor. Consequent ly, t he cost of using ( D , R ) is prop ort ional t o k / log D . We might use t his t o bias t he choice of divisor in an at t empt t o decrease t he numb er of mult iplicat ions. However, t his is not t he b est measure b ecause t he eff ect of larger divisors is longer last ing t han t hat of smaller divisors. A small divisor wit h many mult iplicat ions, which is exp ect ed t o b e followed by divisors wit h an average numb er of mult iplicat ions, may b e a b et t er choice t han picking a larger divisor wit h a b et t er, but p oorer t han average, rat io k / log D ( s ee [9]). Supp ose α is t he average numb er of mult iplicat ions required t o reduce E by a fact or of 2. T hen reducing E by a fact or F will require α log 2 F mult iplicat ions, on average. For t he usual square-and-mult iply algorit hm α = 1. 5, for 4-ary exp onent iat ion α = 1. 375, and for t he sliding window version of 4-ary exp onent iat ion α = 1. 333... Here we can manage just a lit t le b et t er t han α = 1. 4 wit h appropriat e choices for t he divisors1 . Comparing (3,0) wit h (5,0) we find 3 mult iplicat ions will reduce E by a fact or of 5 when (5,0) is chosen, whereas t he same fact or of 5 t akes 2+ α log 2 (5/ 3) mult iplicat ions on average if (3,0) is chosen inst ead. Equat ing t hese cost s, 3 = 2+ α log 2 (5/ 3), provides t he cross-over p oint α ′ = 1/ log 2 (5/ 3) = 1. 357 at which one b ecomes a b et t er choice t han t he ot her. Since α ′ < α , for sp eed we should choose (5,0) in preference t o (3,0) alt hough t he rat ios k / log D suggest ed t he opp osit e preference. In a similar way, for t he exp ect ed range of α , (3,0) is preferred t o (5, R ) for R = 0; (5, R ) t o (3, S ) for R , 1

Choose D = 2 if t he residue is 0, else D = 3 if t he residue is 0, else D = 5 if t he residue is 0, else D = 2. However, t he probabilit ies of t hese choices need reducing t o less t han 1 in order t o yield randomly diff erent exponent iat ion schemes.

Mist: An Effi cient , Randomized Exponent iat ion Algorit hm

61

= 0; (3, R ) t o (2,1) for R = 0; and (5, R ) t o (2,1) for R = 0. T his yields t he following order of desirability for t he pairs ( D , R ): (2, 0) < (5, 0) < (3, 0) < (5, 1) = (5, 2) = (5, 3) = (5, 4) < (3, 1) = (3, 2) < (2, 1) So (2,0) will lead t o t he short est chains, and (2,1) t o t he longest . Once more we caut ion t hat t his is only a b et t er approximat ion t han t he previous one. Successive divisors are not indep endent , so t hat t he ab ove argument is not quit e accurat e. T his is clear from an example. We consider t he ext reme case where divisibility by a divisor always leads t o t he choice of t hat divisor. If 5 is chosen as t he divisor and it s residue is 0 t hen it s residue mod 30 was 5 or 25. Residue 5 mod 30 leads t o t he next residue mod 30 b eing 1, 7, 13, 19 or 25, and residue 25 mod 30 leads t o it b eing 5, 11, 17, 23 or 29. Hence 5 b ecomes t he most likely choice for t he next divisor as divisibility by 2 or 3 cannot t o occur. Indeed, t he dep endence is inherit ed by t he next residue b eyond t his as well, since t hese residues favour 5 as t he next divisor and so 5 or 25 as t he following residue. Choosing one of t he t hree divisors wit h equal probability leads t o an ineffi cient process. So we make a choice which is biased t owards t he b et t er pairs ( D , R ). For non-t rivial reasons out lined in t he p enult imat e sect ion, it is less safe crypt ographically t o make a det erminist ic choice of divisor even if t he exp onent is modified randomly on every occasion. So 2 is not chosen whenever it s residue is 0. Inst ead, we might use code such as t he following for choosing t he divisor non-det erminist ically. ( R a n d om ret urns a fresh random real in t he range [0,1].)

S

D := 0 ; If Random(x) < 7/8 then If 0 = RemE mod 2 then If 0 = RemE mod 5 then If 0 = RemE mod 3 then If D = 0 then Begin p := Random(x) ; If p < 6/8 then D := 2 If p < 7/8 then D := 3 D := 5 End ;

D := 2 else D := 5 else D := 3 ;

else else ;

T he paramet ers, such as 6/ 8 and 7/ 8, are free for t he implement or t o choose, and might even b e adjust ed dynamically. T his is t he code which will b e used for calculat ing t he various paramet ers of int erest in t he rest of t his art icle, such as α , which t urns out t o b e 1. 4205 here. So a good implement at ion of M ist can b e exp ect ed t o have a t ime effi ciency midway b etween t he square-and-mult iply and 4-ary exp onent iat ion met hods.

6

A M arkov P ro ce ss

As t he successive residues of R em E mod 30 are not indep endent , we must st udy t hem as forming a Markov process. By forming t he probability mat rix of out put

62

Colin D. Walt er T a b le 6 .1 .

0 3 6 9 12 15 18 21 24 27 T a b le 6 .2 .

(D

, R

2 3 5

)

T he limit probabilit ies of residues mod 30.

0.02914032 0.05345146 0.02920902 0.04985984 0.02014301 0.03681055 0.03160194 0.04915191 0.03197409 0.04020936

1 4 7 10 13 16 19 22 25 28

T he limit probabilit ies

0 0.35012341 0.18867464 0.09792592

1 0.27101192 0.02086851 0.01202820

0.03448691 0.01884630 0.04100675 0.02011853 0.04214864 0.01526795 0.03600811 0.02166433 0.02706484 0.02102305 p

D ,R

2 5 8 11 14 17 20 23 26 29

0.01660770 0.03655590 0.02436897 0.04919923 0.03407472 0.03368564 0.03187408 0.04323007 0.03224476 0.04897205

of t he divisor/ residue pairs ( D

2 0.02419582 0.01060216

3 0.01227849

, R

)

4 0.01229092

residues against input residues and it erat ing a numb er of t imes, it is p ossible t o obt ain t he limit ing relat ive frequencies of t he residues. T hese are given in Table 6.1, from which it is apparent t hat t he residues do not occur wit h equal frequency, and so, as one would exp ect , t he probabilit ies of divisors and divisor/ residue pairs are also not what we might init ially exp ect from t he code ab ove. From t his t able t he probability p D , R of each divisor/ residue pair ( D , R ) can b e obt ained as well as t he probability p ∼ 0 of select ing a divisor wit h a non-zero residue and t he probability p D of each divisor D :

7

A ve rage P rop e rt ie s of t h e A d d it ion C h ain

T he probabilit ies in t he ab ove t ables are fairly accurat e aft er only a small numb er of divisors have b een applied. So t he following result s hold very closely for any exp onent s relat ed t o int eger RSA decrypt ion. T he average sub chain lengt h is just under 1.89 op erat ions p er divisor as E → ∞ . T h eor em 7 .1

P r o of.

W it h probability p 2 , 0 = 0. 35012341 t he sub chain has lengt h 1, wit h probability p 3 , 0 + p 2 , 1 = 0. 45968656 t he sub chain has lengt h 2, wit h probability p 5 , 0 + p 3 , 1 + p 3 , 2 = 0. 14299025 t he sub chain has lengt h 3, and wit h probability p 5 , 1 + p 5 , 2 + p 5 , 3 + p 5 , 4 = 0. 04719977 t he sub chain has lengt h 4. T he average lengt h of a sub chain is t herefore 1( p 2 , 0 ) + 2( p 3 , 0 + p 2 , 1 ) + 3( p 5 , 0 + p 3 , 1 + p 3 , 2 ) + 4( p 5 , 1 + p 5 , 2 + p 5 , 3 + p 5 , 4 ) = 1. 88726638. 7 . 2 T he average numb er of sub chains in t he addit ion chain for E is approximat ely 0. 75× log 2 E as E → ∞ . T h eor em

Mist: An Effi cient , Randomized Exponent iat ion Algorit hm T a b le 6 .3 .

T he limit probability p2 p3 p5

p

D

for each divisor

D

63

.

= 0.62113534 = 0.23373897 = 0.14512570

P r o of.

Using t he divisor probabilit ies list ed in Table 6.3, t he average decrease in size of R em E due t o a single sub chain is by t he fact or 2p 2 3p 3 5p 5 = 2↑ { 0. 6211353× log 2 2 + 0. 233739× log 2 3 + 0. 1451257× log 2 5} ≈ 21 . 3 2 8 5 7 4 . Hence t he average numb er of sub chains is ab out log2 ↑ ( 1 . 3 2 8 5 7 4 ) E = 0. 75268656 × log 2 E . 7 . 3 T he average numb er of op erat ions in t he addit ion chain for E is approximat ely 1. 42× log 2 E as E → ∞ . T his is ab out 3% ab ove t he 1. 375 × log 2 E of t he 4-ary met hod, and not iceably less t han t he 1. 5× log 2 E of t he square-and-mult iply met hod. T h eor em

P r o o f . Using t he result s of t he last two t heorems, t he average numb er of op erat ions for t he whole addit ion chain is approximat ely

1. 88726638 × 0. 75268656 × log 2 E ≈

1. 42052005× log 2 E

For small exp onent s E t he approximat ions are slight ly more inaccurat e b ecause modular division by t he divisor produces a result which diff ers more from rat ional division. However, each sub chain reduces t he exp onent by a t lea s t t he divisor. Hence exact calculat ions here should yield an u p pe r b ound on t he average. Last ly, we not e t hat t he numb er of mult iplicat ions in t he exp onent iat ion schemes for a given exp onent E does vary b etween diff erent execut ions. T he variance is usually small but dep ends on t he met hod of picking divisors. T ypically, t he choice of divisors is rest rict ed, as here, in order t o improve effi ciency, and t his reduces t he variance. Indeed, in t he limit , det erminist ic choices lead t o zero variance for fixed E .

8

D at a Le akage

Because of t he diffi culty of successfully hiding all t he diff erences b etween squaring and non-squaring mult iplicat ions, t he M ist algorit hm has b een creat ed in order t o make it imp ossible t o deduce t he secret exp onent E from leaked knowledge of t he sequence of square or mult iply inst ruct ions which p erform an exp onent iat ion. A det ailed exp osit ion of how easy it is t o reconst ruct t he exp onent from t his and ot her relat ed dat a is b eyond t he scop e of t his art icle. However, we will out line some of t he issues. Fuller det ails will b e published elsewhere. St andard p ower analysis at t acks [5] average t races over a numb er of exp onent iat ions in order t o det ermine informat ion such as which op erat ions are mult iplicat ions and which are squares. T his requires t he same exp onent iat ion

64

Colin D. Walt er

scheme t o b e used every t ime. However, assuming t he choice of divisors does vary from one exp onent iat ion t o t he next (or at least changes wit h suffi cient frequency), such an averaging process cannot b e carried out here. Diff erences b etween squaring and mult iplying are so great t hat one should assume t hat t hey can b e correct ly dist inguished for a single exp onent iat ion. In t he case of t he st andard square-and-mult iply met hods, such knowledge can b e t ranslat ed immediat ely int o t he bit sequence for E . But here t he equivalent process requires first parsing t he sequence of squares and mult iplies int o divisor sub chains in order t o deduce each choice of divisor/ residue pair. T hen E is reconst ruct ed by working backwards from t he final value of 0. However, t he subsequences are ident ical for various pairs, such as for [2, 1] and [3, 0], and for [3, 1], [3, 2] and [5, 0]. It is easy enough t o verify t hat t hese ambiguit ies put t he numb er of p ossibilit ies for E far out side t he limit s of feasible comput at ion, making M ist secure against such an at t ack. T his was one reason for choosing t he less obvious sub chain for [2, 1] given in Table 3.1. T he m -ary and sliding windows met hods of exp onent iat ion can b e defeat ed for a single exp onent iat ion if t he p ower at t ack describ ed in [11] can b e applied. T hat at t ack dep ends on ident ifying t he re-use of mult iplicands. In part icular, whenever a digit i is encount ered in t he exp onent , a mult iplicat ion is p erformed using t he pre-comput ed value M i . T hen careful averaging of t he p ower t race subsect ions enables mult iplicat ions which involve t he same p ower M i t o b e ident ified, and t his leads t o recovery of t he exp onent E . T he same at t ack has an analogue here. Every mult iplicat ion here involves a new p ower of M . More precisely, S t a r t M and R es u l t M represent higher p owers of M every t ime t hey are up dat ed. So t he p ossibilit ies of two mult iplicat ions sharing t he same mult iplicand are most ly limit ed t o local considerat ions. If operat ions which share a common argument can b e ident ified, it usually b ecomes p ossible t o det ermine uniquely t he sub chains which corresp ond t o each divisor. Of course, a careless implement at ion of M ist might do t his anyway: for example, if t he exp onent iat ion is halt ed in every it erat ion of t he main loop while det erminat ion of t he next divisor is made. However, alt hough knowledge of argument sharing now dist inguishes [3, 1], [3, 2] and [5, 0], it does not dist inguish [2, 1] from [3, 0]. T hus it does not necessarily det ermine t he divisor which was chosen. A more careful est imat e of t he numb er of exp onent s E which sat isfy all t he op erand sharing requirement s shows t hat such an at t ack is st ill infeasible. F inally, it would b e nice t o make det erminist ic choices of t he divisor. In part icular, one would like t o pick [2, 0] when p ossible b ecause of it s higher effi ciency. However, t his is generally a bad idea, and was delib erat ely avoided in t he code suggest ed in Sect ion 5. T his is b ecause when such choices are used t o prune t he p ossible values of E which are deduced from knowledge of op erand sharing, it may b ecome feasible t o recover E . T he choices of t he divisor set { 2, 3, 5} and t he addit ion sub chains in Table 3.1 have b een made wit h some care t o ensure such at t acks as t he ab ove leave an infeasible numb er of values which E might b e. Small divisors lead t o short addit ion sub chains and hence more ambiguity over which divisor occurred, but

Mist: An Effi cient , Randomized Exponent iat ion Algorit hm

65

large divisors may lead t o charact erist ic pat t erns which ident ify condit ions under which t he search t ree for E can b e pruned t o a comput at ionally feasible size.

9

C on clu sion

An exp onent iat ion algorit hm “ Mist” has b een present ed which has a variety of feat ures which make it much more resilient t o at t ack by diff erent ial p ower analysis t han t he normal m -ary or sliding window met hods. Mist uses randomly diff erent mult iplicat ion schemes on every run in order t o avoid t he averaging which is normally required for p ower analysis at t acks t o succeed. It also avoids re-using mult iplicands wit hin a single exp onent iat ion, t hereby defeat ing some of t he more recent p ower analysis at t acks. T here are many diff erent ways in which t o program t he random select ion of t he so-called divisors of t he algorit hm. For t he code present ed here, ab out 1. 42 log 2 E mult iplicat ions are required for t he exp onent E , t hereby making it more effi cient t han square-and-mult iply. T hree read/ writ e regist ers are required for st oring int ermediat e p owers, t oget her wit h somewhat less memory for st oring a pre-comput ed addit ion chain which det ermines t he exp onent iat ion scheme. Ot herwise t here is lit t le ext ra overhead in t erms of eit her space or t ime. In a processor/ co-processor set -up, t he addit ional minor comput ing associat ed wit h t he exp onent can b e carried out on t he processor in parallel wit h, and wit hout holding up, t he exp onent iat ion on t he co-processor. As wit h all algorit hms, p oor implement at ion can lead t o dat a leakage. T he main sources of such weakness have b een ident ified. In part icular, divisor set s and addit ion sub chains must b e chosen carefully and a predict able choice of any divisor must b e avoided. Mist is compat ible wit h most ot her blinding t echniques, and indep endent of t he met hods used for ot her arit hmet ic op erat ors. So, in conjunct ion wit h exist ing met hods, it off ers a sound basis for high sp ecificat ion, t amp er resist ant crypt o-syst ems.

R e fe re n ce s 1. C. Clavier & M. J oye, U ni ver sal Exponenti ati on A lgor i thm , Crypt ographic Hardware and Embedded Syst ems – CHES 2001, C ¸ . Ko¸c, D. Naccache & C. P aar (edit ors), Lect ure Not es in Comput er Science, 2 1 6 2 , Springer-Verlag, 2001, 300–308. 2. K. Gandolfi, C. Mourt el & F . Olivier, Electromagneti c A nalysi s: Concrete Results, Crypt ographic Hardware and Embedded Syst ems – CHES 2001, C ¸ . Ko¸c, D. Naccache & C. P aar (edit ors), Lect ure Not es in Comput er Science, 2 1 6 2 , SpringerVerlag, 2001, 251–261. 3. D. E. Knut h, T he A r t of Computer Programmi ng, vol. 2 , “Seminumerical Algorit hms”, 2nd Edit ion, Addison-Wesley, 1981, 441–466. 4. P. Kocher, T i mi ng A ttack on I mplementati ons of D i ffi e-H el lman, RSA , D SS, and other systems, Advances in Crypt ology – Crypto ’ 96, N. Koblit z (edit or), Lect ure Not es in Comput er Science, 1 1 0 9 , Springer-Verlag, 1996, 104–113.

66

Colin D. Walt er

5. P. Kocher, J . J aff e & B. J un, D i ff erenti al Power A nalysi s, Advances in Crypt ology – Crypto ’ 99, M. W iener (edit or), Lect ure Not es in Comput er Science, 1 6 6 6 , Springer-Verlag, 1999, 388–397. 6. D. May, H.L. Muller & N.P. Smart , Random Regi ster Renami ng to Foi l D PA , Crypt ographic Hardware and Embedded Syst ems – CHES 2001, C ¸ . Ko¸c, D. Naccache & C. P aar (edit ors), Lect ure Not es in Comput er Science, 2 1 6 2 , Springer-Verlag, 2001, 28–38. 7. T . S. Messerges, E. A. Dabbish & R. H. Sloan, Power A nalysi s A ttacks of M odular Exponenti ati on i n Smar tcards, Crypt ographic Hardware and Embedded Syst ems (P roc CHES 99), C. P aar & C ¸ . Ko¸c (edit ors), Lect ure Not es in Comput er Science, 1 7 1 7 , Springer-Verlag, 1999, 144–157. 8. E. Oswald & M. Aigner, Randomi zed A ddi ti on-Subtracti on Chai ns as a Counter measure agai nst Power A ttacks, Crypt ographic Hardware and Embedded Syst ems – CHES 2001, C ¸ . Ko¸c, D. Naccache & C. P aar (edit ors), Lect ure Not es in Comput er Science, 2 1 6 2 , Springer-Verlag, 2001, 39–50. 9. C. D. Walt er, Exponenti ati on usi ng D i vi si on Chai ns, IEEE Transact ions on Comput ers, 4 7 , No. 7, J uly 1998, 757–765. 10. C. D. Walt er & S. T hompson, D i sti ngui shi ng Exponent D i gi ts by Obser vi ng M odular Subtracti ons, Topics in Crypt ology − CT -RSA 2001, D. Naccache (edit or), Lect ure Not es in Comput er Science, 2 0 2 0 , Springer-Verlag, 2001, 192–207. 11. C. D. Walt er, Sli di ng W i ndows succumbs to B i g M ac A ttack, Crypt ographic Hardware and Embedded Syst ems – CHES 2001, C ¸ . Ko¸c, D. Naccache & C. P aar (edit ors), Lect ure Not es in Comput er Science, 2 1 6 2 , Springer-Verlag, 2001, 286–299. 12. C. D. Walt er, Preci se B ounds for M ontgomer y M odular M ulti pli cati on and Some Potenti al ly I nsecure RSA M oduli , Topics in Crypt ology − CT -RSA 2002, B. P reneel (edit or), Lect ure Not es in Comput er Science, 2 2 7 1 , Springer-Verlag, 2002, 30–39, T his Volume.

A n A S IC Im p le m e n t a t io n o f t h e A E S S B o x e s ⋆ J ohannes Wolkerst orfer 1 , Elisabet h Oswald 1 , and Mario Lamberger 2 1

Inst it ut e for Applied Informat ion P rocessing and Communicat ions, Graz University of Technology, Inff eldgasse 16a, A-8010 Graz, Aust ria [email protected], http://www.iaik.at 2 Depart ment of Mat hemat ics Graz University of Technology, St eyrergasse 30, A-8010 Graz, Aust ria

T his art icle present s a hardware implement at ion of t he SBoxes from t he Advanced Encrypt ion St andard (AES). T he SBoxes subst it ut e an 8-bit input for an 8-bit out put and are based on arit hmet ic op erat ions in t he finit e field G F (28 ). We show t hat a calculat ion of t his funct ion and it s inverse can be done effi cient ly wit h combinat ional logic. T his approach has advant ages over a st raight -forward implement at ion using read-only memories for t able lookups. Most of t he funct ionality is used for bot h encrypt ion and decrypt ion. T he result ing circuit offers low t ransist or count , has low die-size, is convenient for pipelining, and can be realized easily wit hin a semi-cust om design met hodology like a st andard-cell design. Our st andard cell implement at ion on a 0.6 µ m CMOS process requires an area of only 0.108 mm 2 and has delay below 15 ns which equals a maximum clock frequency of 70 MHz. T hese result s were achieved wit hout applying any sp eed opt imizat ion t echniques like pipelining. A b st ra ct .

Advanced Encrypt ion St andard (AES), finit e field arit hmet ic, inversion, Applicat ion Specific Int egrat ed Circuit (ASIC), st andard-cell design, Very Large Scale Int egrat ion (VLSI), scalability, pipelining. K e y w o rd s:

1

In t ro d u c t io n

T he Advanced Encrypt ion St andard (AES) is a symmet ric encrypt ion algorit hm. It will become a FIP S st andard in Fall 2001 [1]. AES will replace t he DESalgorit hm in t he coming years since it off ers higher levels of security. AES support s key lengt hs of 128, 192, and 256 bit s. It operat es on 128-bit dat a blocks. T he ma jor building blocks of t he AES algorit hm are t he non-linear SBoxes (SubByt e-operat ion) and t he MixColumn-operat ion. Bot h are based on finit e field arit hmet ic and have an inverse funct ion which is used for decrypt ion. ⋆

T he work describ ed originat es from t he Europ ean Commission funded P roject Secure Ter mi nal I C ( SET I C) est ablished under cont ract IST -2000-25167 resp. Cr ypto M odule wi th USB I nter face ( USB CRY PT ) est ablished under cont ract IST -2000-25169 in t he Informat ion Society Technologies (IST ) P rogram.

B . P r e n e e l ( E d . ) : C T -R S A 2 0 0 2 , L N C S 2 2 7 1 , p p . 6 7 – 7 8 , 2 0 0 2 .  c S p r in g e r -V e r la g B e r lin H e id e lb e r g 2 0 0 2

68

J ohannes Wolkerst orfer, Elisabet h Oswald, and Mario Lamberger AESROUND () { SubByt e(St at e); Shift Row(St at e); MixColumn(St at e); AddRoundKey(St at e, RoundKey); }

F ig . 1 .

Round funct ion of t he AES-algorit hm

T he AES-algorit hm’ s operat ions are performed on a two-dimensional array of byt es called t he S t a t e . T he St at e consist s of four columns and four rows of byt es. For bot h encrypt ion and decrypt ion, t he AES-algorit hm uses a round funct ion t hat is composed of four diff erent t ransformat ions which modify t he St at e (see Fig. 1). First , t he SubByt e-funct ion subst it ut es all byt es of t he St at e using a lookup-t able called SBox. SBox-t able ent ries are calculat ed by inversion in t he finit e field GF(28 ) followed by a short final t ransformat ion. Second, t he rows of t he St at e are shift ed by diff erent off set s (Shift Row-funct ion). T he MixColumnfunct ion scrambles t he columns of t he St at e by mult iplying a finit e field const ant . An addit ion of t he St at e wit h t he Roundkey – which is derived from t he input key – concludes t he round funct ion which is execut ed t en t imes when 128-bit keys are used. T he RoundKey is calculat ed by operat ions which are similar t o t hose of t he round funct ion and require t he SBox funct ionality t oo. T he effi ciency of an AES hardware implement at ion in t erms of die-size, t hroughput , and power consumpt ion is mainly det ermined by t he implement at ion of t he MixColumn-operat ion and t he SBoxes. T he remaining operat ions are t rivial: Shift Row is a simple cyclic shift , and AddRoundKey is a XOR-operat ion of t he St at e and t he RoundKey. Up t o 20 inst ances of AES-SBoxes are used t o realize hardware for t he AES round funct ion. T he exact number of SBoxes depends on t he archit ect ure’ s degree of parallelism and is det ermined by t hroughput requirement s and t he desired clock frequency. In case t hat t he AES-module should also decrypt dat a, it has t o be t aken int o account t hat t he SBoxes used for decrypt ion have a diff erent funct ionality. T he number of SBoxes and t heir style of implement at ion has import ant influence on t he size and t he speed of an AES hardware. For t his reason, V. Rijmen (one of t he AES invent ors) suggest s in [4] an alt ernat ive met hod for t he comput at ion of t he AES-SBox. It consist s essent ially of a replacement of t he SBox lookup-t able by an effi cient combinat ional logic for t he comput at ion of t he inverse element s in GF(28 ). T herefore, anot her represent at ion of t he finit e field GF(28 ) is used. T his represent at ion leads t o an effi cient implement at ion of t he finit e field arit hmet ic and was invest igat ed in connect ion wit h t he implement at ion of error correct ing codes in C. Paar [7], Soljanin et al. [5], and Mast rovit o [6]. In cont rast t o V. Rijmen’ s original proposal which addit ionally suggest s t he opt imal normal basis represent at ion of finit e field element s (for a definit ion see [3]) we use t he polynomial represent at ion of finit e field element s. T he benefit of our met hod is t hat we have a far more flexible hardware archit ect ure (in comparison t o t he possible archit ect ures wit h a st raight forward SBox implement at ion) wit hout t he necessity t o do complex conversions from one

An ASIC Implement at ion of t he AES SBoxes

69

represent at ion (of finit e field element s) t o anot her. T he main advant ages of our archit ect ure are: – lower t ransist or count and die-size t han a ROM-based approach, – a short crit ical pat h t o achieve a high operat ional frequency, – easier implement at ion wit hin a semi-cust om design met hodology since all

comput at ions can be done wit h st andard-cells, – flexibility for speed opt imizat ion: pipelining t echniques can t rade t hroughput

for lat ency. – suit ability for a full-cust om implement at ion: a few leaf-cells using an appro-

priat e logic-style could increase speed or decrease power consumpt ion. T he remainder of t his art icle provides t he mat hemat ical background of t he finit e field arit hmet ic and t he comput at ion of t he AES SBoxes in Sect . 2. T he building blocks of an SBox and t he according formulas are given in Sect . 3. Sect ion 4 present s t he implement at ion.

2

M a t h e m a t ic a l B a c k g ro u n d

T his art icle uses t he same not at ion and convent ions as t he AES specificat ion [1]. All not at ions and mat hemat ical operat ions required for t he SBox-operat ion are present ed in a condensed form. B y t e s . T he basic dat a unit of AES are Byt es

a = { a7, a6, a5, a4, a3, a2, a1, a0} each holding eight bit s. A Byt e can be int erpret ed as an element of t he GaloisField GF(28 ) in polynomial represent at ion: 7

 a (x

)=

ai x i

i

=

a7x

7

+

a6x

6

+

a5x

5

+

4

a4x

+

a3x

3

+

a2x

2

+

a1x

+

a0.

= 0

T he coeffi cient s a i of a polynomial a ( x ) are bit s. Byt es can be writ t en in diff erent not at ions. For example, t he binary value { 01100011} is { 63} in hexadecimal not at ion and represent s t he polynomial x 6 + x 5 + x + 1. A d d it io n . T he addit ion of two Byt es represent ing polynomials

a (x ), b(x ) ∈ (28 ) is achieved by adding t heir corresponding coeffi cient s modulo 2 which is a XOR-operat ion usually denot ed wit h ⊕ . GF

7

 a (x

)⊕

b(x

)=

ai x i

= 0

i

7



bi x ⊕ i

= 0

i

7



(a i

= i



bi )x

i

(1)

= 0

T he addit ive inverse of a Byt e is t he Byt e it self: − b ( x ) = b ( x ) and t herefore subt ract ion is ident ical wit h addit ion: a ( x ) − b ( x ) = a ( x ) + b ( x ).

70

J ohannes Wolkerst orfer, Elisabet h Oswald, and Mario Lamberger

) ∈ G F (28 ) – denot ed wit h a (x ) ⊗ b ( x ) – requires an irreducible polynomial of degree 8. For t he AESalgorit hm it is defined as

M u lt ip lic a t io n . T he mult iplicat ion of

m

(x ) =

x

8

+

x

4

+

x

3

+

x

a (x ), b(x

+ 1 = 1{ 00011011} (bin) = 1{ 1b } (hex) .

T he mult iplicat ion q ( x ) = a ( x ) · b ( x ) in GF(28 ) is done by mult iplying t he polynomials a ( x ) b ( x ) which yields a polynomial p ( x ) wit h degree less t han 15. T his st ep is followed by a modular reduct ion st ep q ( x ) = p ( x ) m o d m ( x ) t o ensure t hat t he result is an element of GF(28 ). A convenient met hod t o mult iply in t he finit e field GF(28 ) is t o generat e eight part ial product s: P i ( x ) = a ( x ) · x i and t o add t hose part ial product s where  7 t he according bit b i of t he mult iplier b ( x ) is 1: q ( x ) = P i b i . T he part ial i= 0 product s can be calculat ed effi cient ly by it erat ing a mult iplicat ion by x : P i ( x ) = P i 1 ( x ) · x m o d m ( x ) , P 0 ( x ) = a ( x ). A mult iplicat ion by x is t ermed x t i m e s and is given by −

q (x

)= =

a7,

q1

=

a3 ⊕

a7,

q0

q4

x t i m e s (a )

=

=

a (x )x m o d m

a0 ⊕ q5

=

(x )

(2)

a7,

q2

=

a1,

q3

=

a2 ⊕

a4,

q6

=

a5,

q7

=

a6.

a7

Xt imes can be implement ed by a shift left operat ion of t he input Byt e a and a condit ional addit ion of t he irreducible polynomial m ( x ) if t he most significant bit ( a 7 ) of a is set . T his ensures a Byt e as result . −

1



1

of an element a ∈ G F (28 ) has t he property t hat ∀ a ∈ G F (2 ) \ { 0} : a ⊗ a = { 1} . Calculat ing t he inverse of a Byt e is even more cost ly t han mult iplying Byt es. A widely used algorit hm for inversion is t he e x t e n d ed E u c li d ea n a lgo r i t h m described in [2]. Unfort unat ely, t his algorit hm is not suit able for a hardware implement at ion.

In v e rs io n . T he mult iplicat ive inverse 8

2 .1

a

G F ( 2 8 ) a s a n E x t e n s io n o f G F ( 2 4 )

Usually, t he field GF(28 ) is seen as a field ext ension of GF(2) and t herefore it s element s can be represent ed as Byt es. An isomorphic – but for hardware implement at ions far bet t er suit ed – represent at ion is t o see t he field GF(28 ) as a quadrat ic ext ension of t he field GF(24 ). In t his case, an element a ∈ GF(28 ) is represent ed as a linear polynomial wit h coeffi cient s in GF(24 ), a ∼= a h x

+

al,

a ∈

GF(28 ) ,

ah , al ∈

GF(24 )

(3)

and will be denot ed by t he pair [a h , a l ]. Bot h coeffi cient s of such a polynomial have four bit s. All mat hemat ical operat ions applied t o element s of GF(28 ) can also be comput ed in t his represent at ion which we call t w o - t e r m po ly n o m i a ls . T wo-t erm polynomials are added by addit ion of t heir corresponding coeffi cient s (a h x +

al) ⊕

(bh x +

bl )

= (a h ⊕

bh )x

+ (a l ⊕

bl ).

(4)

An ASIC Implement at ion of t he AES SBoxes

71

Mult iplicat ion and inversion of two-t erm polynomials require a modular reduct ion st ep t o ensure t hat t he result is a two-t erm polynomial t oo. T he irreducible polynomial needed for t he modular reduct ion is given by n (x

)=

2

x

+ { 1}

x

+

(5)

{ e} .

T he coeffi cient s of n ( x ) are element s in GF(24 ) and are writ t en in hexadecimal not at ion. T heir part icular values are chosen t o opt imize t he finit e field arit hmet ic. T he mult iplicat ion of two-t erm polynomials involves mult iplicat ion of element s in GF(24 ) which requires an irreducible polynomial of degree 4 which is given by 4 (6) m 4 ( x ) = x + x + 1. Deriving formulas for mult iplicat ion in GF(24 ) is similar t o Byt e-mult iplicat ion. Mult iplicat ion in GF(24 ) is given by q (x

)=

a (x aA

q0 q2

= =

)⊗ =

b(x a0 ⊕

)=

a (x

a3,

) · b(x ) m aB = a2 ⊕

a 0 b0 ⊕

a 3 b1 ⊕

a 2 b2 ⊕

a 1 b3

a 2 b0 ⊕

a 1 b1 ⊕

a A b2 ⊕

a B b3

o d m 4 (x ),

a (x ), b(x ), q (x

)

GF(24 ) ∈

(7)

a3

=

q1 q3

=

a 1 b0 ⊕

a A b1 ⊕

a 3 b0 ⊕

a 2 b1 ⊕

(a 1

a B b2 ⊕ a 1 b2 ⊕



a 2 )b3

a A b3 .

Squaring in GF(24 ) is a special case of mult iplicat ion and is given by q (x

)= q0 =

a (x

)2

a0 ⊕

m o d m 4 (x ), a2,

q1

=

q (x ), a (x

a2,

q2

=

)

GF(24 ) ∈

a1 ⊕

a3,

q3

(8) =

a3.

T he inverse a 1 of an element a ∈ G F (24 ) can be derived by solving t he equat ion 1 a (x ) · a m o d m 4 ( x ) = 1 as follows −



q (x

)=

a (x aA

q0 q1 q2 q3

= = = =



) =

aA ⊕

1

m o d m 4 (x ),

a1 ⊕

a2 ⊕

a3 ⊕

a0 ⊕

a0a2 ⊕

q (x ), a (x

GF(24 )

(9)

a0a1a2

a0a1 ⊕

a0a2 ⊕

a0a1 ⊕

a2 ⊕

a0a2 ⊕

a3 ⊕

a0a3 ⊕

a1a3 ⊕

a2a3.

aA ⊕



a1a2a3

a1a2 ⊕

a1a2 ⊕

)

a3 ⊕

a1a3 ⊕ a0a3 ⊕

a0a1a3 a0a2a3

T he concat enat ion of two bit s a i a j in Equat ions 7 and 9 represent s a binary mult iplicat ion which is an AND-operat ion. In cont rast t o inversion in GF(28 ), inversion in GF(24 ) is suit able for a hardware implement at ion using combinat ional logic since all Boolean equat ions depend only on four input bit s. In v e rs io n o f T w o -T e rm P o ly n o m ia ls . Inversion of two-t erm polynomials is

t he equivalent operat ion t o inversion in GF(28 ). A mult iplicat ion of a two-t erm polynomial wit h it s inverse yields t he 1-element of t he field: ( a h x + a l ) ⊗ ( a h x + ′

72

J ohannes Wolkerst orfer, Elisabet h Oswald, and Mario Lamberger

al)

= { 0} x + { 1} , a h , a l , a h , a l inversion can be derived: ′

(a h x +

al)



1





ah x

+



=

GF ∈



al d

(24 ). From t his definit ion t he formula for

= (a h

d )x ⊗

2

= (( a h



+ (a h

) ⊕ (a h

{ e}

al) ⊗ ⊕

al) ⊕ ⊗

(10)

d 2

al

)



1

.

Inversion of two-t erm polynomials involves only operat ions in GF(24 ) which are suit able for a hardware implement at ion using combinat ional logic. Most of t he funct ionality is used t o calculat e t he t erm d which is used t o calculat e bot h coeffi cient s of t he invert ed two-t erm polynomial. T ra n s it io n b e t w e e n R e p re s e n t a t io n s o f G F ( 2 8 ) . T he finit e field GF(28 )

is isomorphic t o t he finit e field GF((24 ) 2 ) which means t hat for each element in GF(28 ) t here exist s exact ly one element in GF((24 ) 2 ). T he biject ion from an element a ∈ G F (28 ) t o a two-t erm polynomial a h x + a l where a h , a l ∈ G F (24 ) is given by t he funct ion m a p : ah x

+

al

=

m a p (a ),

=

aA

a1 ⊕

a7, a5,

al0

=

aC ⊕

a0 ⊕

ah0

=

aC ⊕

a5,

GF(24 ) , a aB = a5 ⊕ a7, al1 = a1 ⊕ a2,

ah , al ∈

ah1

=

aA ⊕

aC ,

GF(28 ) aC = a4 ⊕ al2 = aA , ∈

ah2

=

aB ⊕

(11) a6 al3

a2 ⊕

a3,

=

a2 ⊕

a4

ah3

T he inverse t ransformat ion ( m a p 1 ) convert s two-t erm polynomials 4 8 G F (2 ) back int o element s a ∈ G F (2 ). It is given by −

=

ah x

aB .

+

al,

ah , al ∈

a

=

m ap aA



=

1

(a h x +

a l ),

al1 ⊕

ah 3, a1

=

aB

al0 ⊕

ah 0,

a2

= =

aA ⊕

aB ,

a3

a4

=

aA ⊕

aB ⊕

al3,

a5

a6

=

aA ⊕

al2 ⊕

al3 ⊕

ah 0,

a0

GF(28 ) ,

a ∈

= aB ⊕ = aB ⊕ =

ah0 ⊕

ah , al ∈

GF(24 )

(12)

ah 1,

ah3 al1 ⊕

ah2

aB ⊕

al2

a7

=

aB ⊕

al2 ⊕

ah3

Bot h t ransformat ions can be derived by following t he procedure given in C. Paar’ s P hD t hesis [7]. T hey diff er from t he t ransformat ions given in [5] because t he irreducible polynomial m ( x ) for GF(28 ) is diff erent .

3

S B o x B u ild in g B lo c k s

T he SubByt e t ransformat ion operat es independent ly on each Byt e of t he St at e using a subst it ut ion t able (SBox). An AES-SBox is composed of two t ransformat ions: 1. Calculat e t he mult iplicat ive inverse in t he finit e field GF(28 ). T he element { 00} is mapped t o it self. Table 1 present s t he inversion.

An ASIC Implement at ion of t he AES SBoxes Inversion of a Byt e

T a b le 1 .

x

\

y

0 1 2 3 4 5 6 7 8 9 a b c d e f

0 00 74 3a 2c 1d ed 16 79 83 de fb 0c 0b 7a b1 5b

1 01 b4 6e 45 fe 5c 5e b7 7e 6a 7c e0 28 07 0d 23

2 8d aa 5a 92 37 05 af 97 7f 32 2e 1f 2f ae d6 38

3 f6 4b f1 6c 67 ca d3 85 80 6d c3 ef a3 63 eb 34

4 cb 99 55 f3 2d 4c 49 10 96 d8 8f 11 da c5 c6 68

{ x y}

5 52 2b 4d 39 31 24 a6 b5 73 8a b8 75 d4 db 0e 46

6 7b 60 a8 66 f5 87 36 ba be 84 65 78 e4 e2 cf 03



7 d1 5f c9 42 69 bf 43 3c 56 72 48 71 0f ea ad 8c

G F

8 e8 58 c1 f2 a7 18 f4 b6 9b 2a 26 a5 a9 94 08 dd

73

(28 ) in hexadecimal not at ion. 9 4f 3f 0a 35 64 3e 47 70 9e 14 c8 8e 27 8b 4e 9c

a 29 fd 98 20 ab 22 91 d0 95 9f 12 76 53 c4 d7 7d

b c0 cc 15 6f 13 f0 df 06 d9 88 4a 3d 04 d5 e3 a0

c b0 ff 30 77 54 51 33 a1 f7 f9 ce bd 1b 9d 5d cd

d e1 40 44 bb 25 ec 93 fa 02 dc e7 bc fc f8 50 1a

e e5 ee a2 59 e9 61 21 81 b9 89 d2 86 ac 90 1e 41

f c7 b2 c2 19 09 17 3b 82 a4 9a 62 57 e6 6b b3 1c

2. Apply t he affi ne t ransformat ion which is given by Equat ion 13. = aff

aC

t rans = a0 ⊕ = a2 ⊕

q0

=

a0 ⊕

aC ⊕

aD

q0

=

a5 ⊕

aC

q1

a5 ⊕

aA ⊕

aD

q1

aD

a2 ⊕

aA ⊕

aD

q2

a7 ⊕

aB

a7 ⊕

aA ⊕

aB

q3

= = =

a0 ⊕

q3

= = =

a2 ⊕

aA

q4

=

a4 ⊕

aA ⊕

aB

q4

=

a1 ⊕

aD

q5

=

a1 ⊕

aB ⊕

aC

q5

a4 ⊕

aC

q6

=

a6 ⊕

aB ⊕

aC

q6

= =

a3 ⊕

aA

q7

=

a3 ⊕

aC ⊕

aD .

q7

=

a6 ⊕

aB .

q

aA aC

q2

t rans( a ) = a0 ⊕ a1, aB = = a4 ⊕ a5, aD =

(13) a2 ⊕

a3,

a6 ⊕

a7

q

= aff aA



1

(a ) a5, aB a7, aD

(14) = =

a1 ⊕

a4,

a3 ⊕

a6

Overlined bit s in Equat ion 13 and 14 denot e invert ed bit s. Decrypt ion requires t he inverse funct ion of SubByt e ( I n v S u bB y t e ) which reverses t he SBoxoperat ion by applying t he inverse affi ne t ransformat ion first (Equat ion 14). T hen, t he mult iplicat ive inverse in t he finit e field GF(28 ) is calculat ed. Inversion in t he finit e field GF(28 ) is needed t o calculat e t he SubByt efunct ion as well as InvSubByt e. It makes sense, t o merge t he encrypt ion SBox wit h t he decrypt ion SBox in order t o reuse t he finit e field inversion circuit for decrypt ion. Figure 2 depict s t his approach. T he cont rol signal e n c swit ches between encrypt ion and decrypt ion. If encrypt ion is chosen ( e n c = 1), t he inverse affi ne t ransformat ion ( a ff t ra n s 1 ) is bypassed and t he input a is direct ly fed −

74

J ohannes Wolkerst orfer, Elisabet h Oswald, and Mario Lamberger

enc

8

sr,c

a

aff_trans-1 1

8

map ah

0

al 4

4

^2

^2

{e} a ^-1 a-1 ^-1 d aff_trans 1

0

4

4 a’h a’l -1 map

SBox 8

GF(28) Inversion

a-1

s’r,c F ig . 2 .

Archit ect ure of t he AES-SBox

int o t he inversion circuit . T he out put of t he inversion circuit is modified by t he affi ne t ransformat ion block which calculat es t he result of t he SubByt e-funct ion. During decrypt ion ( e n c = 0), t he inverse affi ne t ransformat ion is act ive and t he affi ne t ransformat ion is bypassed t o calculat e InvSubByt e. T he delay for encrypt ion and decrypt ion is essent ially t he same because t he circuit ’ s complexity for t he affi ne t ransformat ion and it s inverse are equal. T he circuit for inversion of element s in GF(28 ) covers most of t he SBox funct ionality. In our approach t he inversion is calculat ed wit h combinat ional logic and is based on Equat ion 10 which operat es in GF(24 ). T he operat ions occurring in t his equat ion correspond t o t he funct ion blocks shown in Fig. 2. Furt hermore, t his funct ion block has t o convert dat a from GF(28 ) t o two-t erm polynomials and vice versa. T he blocks m a p resp. m a p 1 provide t his funct ionality based on Equat ion 11 and 12. Addit ion of element s in GF(24 ) is accomplished by a bitwise XOR-operat ion. Squaring relies on Equat ion 9. Mult iplicat ion of an element in GF(24 ) wit h t he const ant { e } is given by −

An ASIC Implement at ion of t he AES SBoxes q

=

a ⊗ aA

a0 ⊕

q0

=

a1 ⊕

q1

=

aA

q2

= =

aA ⊕

a2

aA ⊕

aB .

q3

(15)

{ e}

=

75

a1, aB

=

a2 ⊕

a3

aB

Mult iplicat ion and inversion in GF(24 ) are t he most complex funct ion blocks and rely on Equat ions 7 and 9.

4

Im p le m e n t a t io n

Our implement at ion is based on t he archit ect ure described in Sect . 3. It has a maskable affi ne t ransformat ion block, a maskable inverse affi ne t ransformat ion block and a block which calculat es t he inverse in t he finit e field GF(28 ). Most of t he funct ionality can be implement ed wit h XOR-gat es. Addit ionally, invert ers, AND-gat es, and 2-t o-1 mult iplexers are required, but t hey can be neglect ed for performance analysis purposes. T a b le 2 .

block aff t rans aff t rans− 1 map map − 1 ⊕

2 ∧

{ e} ⊗ ⊗ ∧

−1

dX

Complexity of t he SBox O R

3 2 2 3 1 1 2 2 3 Max 15

XORs inst ances sum XORs 16 1 16 12 1 12 11 1 11 15 1 15 4 3 12 2 2 4 5 1 5 12 3 36 12 1 12 Sum 123

T a b le 3 .

P ipelining of t he SBox

st ages flipflops frequency area 0 0 100% 100% 1 12 178% 111% 3 28 205% 151%

Table 2 list s t he resources of all blocks – measured in number of XORs. T he overall amount of gat es are 123 XOR-gat es wit h two input s, 16 2-t o-1 mult iplexers and a dozen of invert ers and AND-gat es. If XOR-gat es wit h t hree input s are available, t he number of gat es can be reduced. T he delay of t he blocks is measured in numbers of XOR-gat es in series ( d X O R ). T he crit ical pat h for encrypt ion is composed of 15 XOR-gat es in series. For decrypt ion it is 14 because t he inverse of t he affi ne t ransformat ion has lower complexity. XOR-gat es wit h t hree input s will short en t he crit ical pat h and improve performance. A feat ure t hat can be exploit ed t o gain higher t hroughput is pipelining. P ipelining is a t echnique which subdivides t he crit ical pat h by insert ion of st oring element s (flipflops). Subdividing t he SBox funct ionality int o a number of st ages

76

J ohannes Wolkerst orfer, Elisabet h Oswald, and Mario Lamberger

F ig . 3 .

Layout of t he AES-SBox

is easy t o accomplish since flipflops can be insert ed nearly anywhere when SBoxes are implement ed wit h combinat ional logic. P ipelining int roduces lat ency but t he addit ional clock cycles are made up by an increased clock frequency as shown in Table 3. T his t echnique will off er best result s if t he number of SBox inst ances used for an AES implement at ion is kept low (e.g. 4), ot herwise lat ency will consume more t ime t han it is saved by short ening t he crit ical pat h. Our implement at ion of t he AES-SBox which combines t he SubByt e-funct ion and InvSubByt e-funct ion from t he AES algorit hm is a st andard-cell circuit on a 0.6 µ m CMOS process from AMS using two met al layers. It has an area of 0.108 mm 2 and cont ains 1624 t ransist ors (406 NAND equivalent s) when no pipelining is used. A layout is shown in Fig. 3. Layout simulat ion wit h typical mean paramet ers considering parasit ics yields a delay below 14.2 ns which equals a maximum clock frequency of 70 MHz for bot h encrypt ion and decrypt ion. A pipelined version wit h one st age is slight ly bigger (0.120 mm 2 ), cont ains nearly 2000 t ransist ors (500 NAND equivalent s) and yields a delay below 8 ns (125 MHz). Furt her increasing t he number of pipeline st ages will not improve t hroughput t hat st rong and has a worse rat io of performance benefit t o area penalty. It should be considered when t he maximum clock frequency is of ut most int erest . For comparison, a lookup-t able based approach requires a 4k-bit ROM t o st ore t he 256 8-bit ent ries of SubByt e and InvSubByt e. An implement at ion on t he same process t echnology uses about 0.200 mm 2 and has an est imat ed maximum frequency of 100 MHz [9]. For an SBox implement at ion using a full-cust om design met hodology we suggest t o use a diff erent ial logic style [8]. T he logic funct ions of an SBox based on combinat ional logic are dominat ed by XOR-gat es and diff erent ial XOR-gat es off er good performance and have a moderat e t ransist or count . We assume t hat a full-cust om design could halve t he required chip area because an SBbox is a small module and does not require t he excessive driving capability off ered by

An ASIC Implement at ion of t he AES SBoxes

77

st andard cells. Out put t ransist ors of gat es can be dimensioned smaller and t his will in t urn make it possible t o scale all t ransist ors down wit hout det eriorat ing performance. At least t hree leaf cells are needed: a XOR-gat e, an AND-gat e and an invert er. To develop t hese cells will be an rewarding t ask if t he result ing performance gain and area saving is pict ured.

5

R e la t e d W o rk

Several AES-implement at ions have been present ed recent ly. For comparison wit h our work, only ASIC circuit s [11] or circuit s exploit ing a more effi cient finit e field arit hmet ic are of int erest [10]. T he approach followed in IBM implement at ion [10] is also based on a conversion of element s in GF(28 ) int o two-t erm polynomials. In cont rast t o our approach, t hey calculat e t he whole round funct ion in t his represent at ion. T herefore, t hey choose t he conversion funct ion m a p () in a way t hat minimizes t he overall gat e count . Our primary focus on choosing m a p () was t o minimize t he crit ical pat h of t he complet e SBox and secondarily t o keep t he gat e count low. Our m a p ()-funct ion has a short er crit ical pat h compared t o t he IBM implement at ion, t he crit ical pat h of m a p 1 () is ident ical. −

6

C o n c lu s io n

T his art icle present ed an ASIC implement at ion of t he SBoxes from t he Advanced Encrypt ion St andard (AES). It is based on finit e field arit hmet ic rat her t han using lookup-t ables. T his approach off ers higher flexibility. Area requirement s can be t raded for t he maximum clock frequency. T he archit ect ure can be easily implement ed wit hin a st andard-cell design met hodology because it complet ely relies on combinat ional logic. It is also well suit ed for a full-cust om implement at ion since it uses only a few leaf cells. We implement ed t he AES-SBox on 0.6 µ m CMOS process wit h st andard-cells. T he most promising configurat ion of design paramet ers we found is a single st age pipeline archit ect ure. It has a silicon area of 0.12 mm 2 and a maximum clock frequency of 125 MHz. T his configurat ion has a lat ency of one clock cycle like a ROM based approach. In comparison t o ROMs, it off ers bet t er performance on smaller area and can even be improved by exploit ing bet t er suit ed logic styles like diff erent ial logic.

R e fe re n c e s 1. NIST , Advanced Encr ypti on Standard ( A ES) , F IP S P UBS 197, Nat ional Inst it ut e of St andards and Technology, November 2001. 2. A. Menezes, P. van Oorschot , and S. Vanst one, Handbook of A ppli ed Cr yptography, CRC P ress, New York, 1997. 3. R. Lidl and H. Niederreit er, I ntroducti on to fi ni te fi elds and thei r appli cati ons, Cambridge University P ress, Cambridge, 1986. 4. V. Rijmen, Effi ci ent I mplementati on of the Ri j ndael SB ox, http://www.esat.kuleuven.ac.be/∼ rijmen/rijndael/ .

78

J ohannes Wolkerst orfer, Elisabet h Oswald, and Mario Lamberger

5. E. Soljanin, R. Urbanke, A n Effi ci ent A rchi tecture for I mplementati on of a M ulti pli er and I nver ter i n GF ( 28 ) , Lucent Technologies. 6. E. D. Mast rovit o, V L SI A rchi tectures for Computati ons i n Galoi s F i elds, P hD t hesis, Link¨oping University, Link¨oping, Sweden, 1991. 7. C. P aar, Effi ci ent V L SI A rchi tectures for B i t Paral lel Computati on i n Galoi s F i elds, P hD t hesis, Universit ¨a t Essen, 1994. 8. J . B. Kuo, J . H. Lou, Low-Voltage V L SI Ci rcui ts, J ohn W iley, New York, J an. 1999. 9. AMS, M emor y Compi ler for D i ff usi on Programmable ROM i n 0.6 µ m CM OS, http://www.amsint.com/databooks/. 10. A. Rudra, P. Dubey, C. J ut la, V. Kumar, J . Rao, P. Rohat gi, Effi ci ent Ri j ndael Encr ypti on I mplementati on wi th Composi te F i eld A r i thmeti c, P roceedings of Workshop on Crypt ographic Hardware and Embedded Syst ems, France, 2001, t o be published in Springer LNCS. 11. I. Verbauwhede, H. Kuo, A rchi tectural Opti mi zati on for a 1.82 Gbi ts/ sec V L SI I mplementati on of the A ES Ri j ndael A lgor i thm , P roceedings of Workshop on Crypt ographic Hardware and Embedded Syst ems, France, 2001, t o be published in Springer LNCS.

On t he Im p ossibility of Const ruct ing N on-int eract ive St at ist ically-Secret P rot ocols from A ny Trap door One-Way Funct ion Marc Fischlin J ohann Wolfgang Goet he-University, Frankfurt am Main, Germany [email protected] http://www.mi.informatik.uni-frankfurt.de/

A b s t r a c t . We show t hat non-int eract ive st at ist ically-secret bit commit ment cannot be const ruct ed from arbit rary black-box one-t o-one t rapdoor funct ions and t hus from general public-key crypt osyst ems. Reducing t he problems of non-int eract ive crypt o-comput ing, rerandomizable encrypt ion, and non-int eract ive st at ist ically-sender-privat e oblivious t ransfer and low-communicat ion privat e informat ion ret rieval t o such commit ment schemes, it follows t hat t hese primit ives are neit her const ruct ible from one-t o-one t rapdoor funct ions and public-key encrypt ion in general. Furt hermore, our separat ion sheds some light on st at ist ical zeroknowledge proofs. T here is an oracle relat ive t o which one-t o-one t rapdoor funct ions and one-way permut at ions exist , while t he class of promise problems wit h st at ist ical zero-knowledge proofs collapses in P . T his indicat es t hat nont rivial problems wit h st at ist ical zero-knowledge proofs require more t han (t rapdoor) one-wayness.

1

Int roduct ion

One of t he fundament al quest ions in crypt ography deals wit h t he relat ionship of crypt ographic primit ives: does t he exist ence of primit ive A imply t he exist ence of primit ive B ? As for posit ive result s, such proofs usually give rise t o an explicit const ruct ion of primit ive B given an arbit rary inst ance of primit ive A . For inst ance, given any one-way funct ion we can eff ect ively specify a secure signat ure scheme [33,38]. We also know t hat one-way funct ions, pseudorandom generat ors, pseudorandom funct ions, privat e-key encrypt ion, signat ure schemes and comput at ionally-secret bit commit ment are all equivalent in t his sense [21,25,33,38,30,24]. Similarly, t rapdoor permut at ions are suffi cient for oblivious t ransfer and public-key encrypt ion, and for key agreement [13,22,15]. Concerning separat ions of primit ives, Impagliazzo and Rudich [26] have shown t hat basing key agreement (and t hus t rapdoor permut at ions and oblivious t ransfer) on any “black-box” one-way permut at ion is at least as hard as proving P = N P . T he t erminology “black-box” refers t o t he fact t hat not hing beyond t he st ruct ure of a primit ive is assumed except for fundament al propert ies guarant eed by t he definit ion. For inst ance, in [26] t he abst ract of a one-way B . P r e n e e l ( E d . ) : C T -R S A 2 0 0 2 , L N C S 2 2 7 1 , p p . 7 9 – 9 5 , 2 0 0 2 .  c S p r in g e r -V e r la g B e r lin H e id e lb e r g 2 0 0 2

80

Marc F ischlin

permut at ion is a one-way permut at ion oracle, and t he effi cient evaluat ion algorit hm of t he one-way permut at ion corresponds t o single oracle st ep t hat ret urns t he funct ion value. Since reduct ions where t he st art ing primit ive is t reat ed as a black box are common t hroughout complexity-based crypt ography, t he result of Impagliazzo and Rudich suggest s t hat showing t he equivalence of key agreement and one-way funct ions is infeasible. T herefore, in a sense, secure key agreement needs more t han one-wayness. Alt hough most known reduct ions obey t he black-box approach, t here is at least one example of a reduct ion which is not black-box, i.e., requires t hat t he descript ion of t he evaluat ion algorit hm is explicit . See [26] for a discussion. T hus, oracle-based separat ions do not complet ely rule out t he possibility t hat reduct ions exist . T here might st ill be eff ect ive const ruct ions which are not black-box. Yet , as ment ioned before, t he black-box design is widely used in complexitybased crypt ography. For more impossibility result s we refer t he reader t o [39,45,29,28,17,18]. In part icular, t he work by Simon [45] separat es collision-int ract ability and onewayness by defining an oracle relat ive t o which one-way permut at ions exist , but collision-int ract able hash funct ions do not . Here, relying on t he t echniques developed in [45], we ext end Simon’ s result . In t he first st ep we present an oracle relat ive t o which non-int eract ive st at ist ically-secret bit commit ment is impossible, yet one-way permut at ions exist s (t hroughout t he paper we refer t o non-int eract ive prot ocols as schemes where bot h part ies consecut ively send a single message only). Relat ive t o our oracle a very weak form of non-int eract ive st at ist ically-secret bit commit ment does not exist . T hat is, secrecy is only guarant eed wit h respect t o honest ly behaving receivers, and a commit ment merely binds wit h very small, yet not iceable probability. We st ress t hat it is not known whet her any kind of bit commit ment yields collision-int ract able hash funct ions in general or not . T hus, our ext ension from collision-int ract able hash funct ions t o commit ment s is not known t o be implied by Simon’ s result direct ly. We remark t hat , conversely, collision-int ract able hash funct ions are suffi cient for non-int eract ive st at ist ically-secret commit ment [33,10,23]. Furt hermore, one can const ruct perfect ly-secret bit commit ment from any one-way permut at ion wit h linear many rounds in t he security paramet er [31]. To best of our knowledge, not hing has been report ed about improvement s concerning eit her t he assumpt ion or t he round complexity1 . Our result provides some evidence t hat accomplishing non-int eract ive st at ist ically-secret commit ment based on one-wayness alone is impossible. In cont rast , non-int eract ive comput at ionally-secret commit ment can be based on one-way funct ions [24,30]. In addit ion t o showing t hat non-int eract ive st at ist ically-secret commit ment s are impossible in t he presence of general one-way funct ions, in t he second ext ension st ep we prove t hat t his impossibility result t ransfers t o t he case t hat one adds t he “power” of t rapdoors t o t he one-way funct ion. Such (one-t o-one) t rap1

We always refer t o t he classical Turing machine model in t his work. In t he Quant um comput ing model t here are indeed result s t hat one-wayness is suffi cient for const ant round st at ist ically-secret commit ment s [14,9].

Impossibility of Const ruct ing Non-int eract ive St at ist ically-Secret P rot ocols

81

door funct ions are a relaxed version of t rapdoor permut at ions. We only demand t hat t he former are one-t o-one in order t o support unique inversion. Bellare et al. [5] prove t hat many-t o-one t rapdoor funct ions wit h superpolynomial preimage size can be derived from any one-way funct ion. Trapdoor funct ions wit h polynomially bounded preimage size, among which are one-t o-one t rapdoor funct ions, yield public-key crypt osyst ems, t hough. In light of [26] t hey cannot be derived from one-way funct ions in general, and t herefore, in a sense, our result is a st rict ext ension of Simon’ s separat ion. In summery, we broaden Simon’ s separat ion in bot h direct ions. On one side, we show t hat relat ive t o an oracle non-int eract ive weakly-binding honest receiver st at ist ically-secret commit ment s schemes do not exist . Such commit ment schemes include collision-int ract able hash funct ions, but are not known t o imply t he exist ence of such hash funct ions. On t he ot her side, t he negat ive result holds in t he presence of one-way permut at ion and of one-t o-one t rapdoor funct ions. T he lat t er funct ions are presumably not derivable from general one-way permut at ions. T he relat ionship of st at ist ical secrecy and one-wayness enables us t o obt ain a new result about t he class S Z K of promise problems wit h st at ist ical zeroknowledge proofs. We prove t hat relat ive t o a one-way permut at ion oracle and t o a one-t o-one t rapdoor funct ion oracle, respect ively, t he class S Z K breaks down t o P . In cont rast t o our impossibility result , one-way funct ions suffi ce t o lift t he class CZ K of promise problems wit h comput at ional zero-knowledge proofs t o I P = P S PA CE [43,27,7]. T his gives us anot her, oracle-based separat ion of CZ K and S Z K in addit ion t o t he one implied by t he presumably st rict ness of t he polynomial hierarchy: S Z K belongs t o A M ∩ co-A M [16,1], and likewise lies much lower in t he polynomial hierarchy t han CZ K (which equals P S PA CE under t he assumpt ion t hat one-way funct ions exist ). From a crypt ographer’ s point of view, our result says t hat while one-wayness is suffi cient and necessary [36] for nont rivial problems in CZ K , hard problems in S Z K seem t o require more t han general one-way permut at ions and one-t o-one t rapdoor funct ions. Finally, we consider implicat ions t o ot her crypt ographic prot ocols. By const ruct ing non-int eract ive weakly-binding honest -receiver st at ist ically-secret commit ment schemes from ot her non-int eract ive st at ist ically-secret crypt ographic prot ocols, we conclude t hat such prot ocols cannot be derived from general blackbox one-t o-one t rapdoor funct ions. Specifically, we prove t hat t his holds for nonint eract ive crypt o-comput ing, rerandomizable encrypt ion, and non-int eract ive st at ist ically-sender-privat e prot ocols for oblivious t ransfer and, using a result of Beimel et al. [4], for privat e informat ion ret rieval wit h low communicat ion complexity. T he paper is organized as follows. We st art wit h basic definit ions in Sect ion 2. T hen, in Sect ion 3 we int roduce t he class S Z K of st at ist ical zero-knowledge proofs for mot ivat ing our oracle separat ion const ruct ions in Sect ion 4. In Sect ion 5 we t hen apply t he separat ion t o S Z K , and we discuss implicat ions t o ot her crypt ographic prot ocols in t he final part .

82

2

Marc F ischlin

D efinit ions

We occasionally view probabilist ic algorit hms as det erminist ic ones by providing t he random coins explicit ly. T hat is, let A be a det erminist ic algorit hm t aking two input s x and r . T hen we denot e by A ( x , r ) t he out put of A for input x , r and by A ( x ) t he random variable t hat describes t he out put for fixed x and uniformly chosen r . It will be clear from t he cont ext which part of t he input is considered as t he random coins. Addit ionally, we denot e by [A ( x )] t he support of A ( x ), i.e., a ∈ [A ( x )] if and only if t here exist s r wit h a = A ( x , r ). When passing a funct ion as argument t o, say, an oracle, it is underst ood t hat we pass a circuit descript ion of t he funct ion. A funct ion δ ( n ) is negligible if it is event ually less t han any polynomial fract ion, i.e., δ ( n ) < 1/ p ( n ) for any posit ive polynomial p ( n ) and all suffi cient ly large n ’ s. A funct ionδ ( n ) is noticeable if it is not negligible; it is overwhelm ing if 1 − δ ( n ) is negligible. T wo sequences X = ( X n ) n ∈ IN and Y = ( Y n ) n ∈ IN of random s variables are called statistically close , X = Y , if t he st at ist ical diff erence  | P rob [X n = s ] − P rob [Y n = s ]| St at Diff( X n , Y n ) = 12 · s∈

[X

n ]∪

[Y n ]

is negligible. 2 .1

C o m m it m e n t S ch e m e s

A commit ment scheme consist s of two phases. In t he commit ment phase t he sender put s a secret bit b int o a box and sends t he locked box t o t he receiver. In t he decommit ment phase t he sender assist s in opening t he box, say, by t ransmit t ing t he key. T hen, on one hand, even a malicious sender S ∗ cannot change his mind once t he box has been given t o t he receiver (binding property). T he receiver, on t he ot her hand, does not learn anyt hing about t he bit b t ill t he decommit ment st ep is carried out (secrecy). We exclusively present t he definit ion of non-int eract ive honest -receiver st at ist ically-secret bit commit ment schemes. Our definit ion capt ures only a very weak binding property, namely, t hat t here is no collision-finder t hat nearly always succeeds in finding ambiguous decommit ment s. Usually, t he binding property demands t hat any collision-finder fails wit h very high probability. D e fi n it io n 1 . T he tuple (Gen , Com , Decom , Vf) of probabilistic polynom ialtim e algorithm s is a non-interactive weakly-binding honest-receiver statistically-secret bit com m itm ent schem e if – generation: on input 1n algorithm Gen outputs a description k n ( wlog. k n contains 1n ) . – m eaningfulness: for every k n ∈ [Gen(1n )] and every c = Com k n ( b, r ) and d = Decom k n ( b, r ) we have Vf k n ( b, c, d ) = 1. – honest-receiver statistical secrecy: for every sequence ( k n ) n ∈ IN with k n ∈ s [Gen(1n )] we have Com k n (0) = Com k n (1) .

Impossibility of Const ruct ing Non-int eract ive St at ist ically-Secret P rot ocols

83

– weakly binding: for any probabilistic polynom ial-tim e algorithm S ∗ the probability that S ∗ on input k n outputs c and d , d ′ such that Vf k n (0, c, d ) = Vf k n (1, c, d ′ ) = 1 is not overwhelm ing ( where the probability is taken over the choice of k n and the coin tosses of S ∗ ) .

Inst ead of using t he not at ion above, we somet imes adopt t he viewpoint of a prot ocol between a sender S and a receiver R , in which t he honest R t ransmit s k n obt ained by running Gen(1n ) and S (wit h input b) answers wit h a sample Com k n ( b, r ) by choosing r at random. Lat er, in t he decommit ment phase, t he receiver t hen applies t he verificat ion algorit hm Vf k n t o check t he validity of t he decommit ment d = Decom k n ( b, r ). Not e t hat , in order t o generat e t he decommit ment d , algorit hm Decom get s t he same random st ring r as Com. Wlog. assume t hat t he input lengt h of t he commit ment funct ion Com k n is at least as large as t he security paramet er n . Also, let t he out put size of Com k n ( b) be at most t he size of t he randomness port ion of t he input . T his can always be achieved by padding t he input wit h redundant random bit s. T hen t he domain of Com k n is at least twice as large as it s range. 2 .2

B la ck -B o x ( T ra p d o o r) O n e -W ay Fu n c t io n s

We rigidly formalize t he concept of black-box (t rapdoor) one-way funct ions as discussed in t he int roduct ion. D e fi n it io n 2 . A black-box one-way function is an oracle F : { 0, 1} ∗ → { 0, 1} ∗ such that for any uniform polynom ial-size circuit fam ily C = ( C n ) n ∈ IN the inversion probability  

P rob

F

Cn

( F ( x ))



F



1

( F ( x ))

is negligible, where the probability is taken over the random choice of x ∈ R { 0, 1} n and the internal coin tosses of C n . If additionally F ( { 0, 1} n ) = { 0, 1} n for all n ∈ IN then we say that F is a black-box one-way perm utation.

We remark t hat C n is grant ed oracle access t o F . T his enables C n t o evaluat e at values of it s choice. Also, we demand t hat t he family C of circuit s is uniform. T his is necessary t o derandomize t he probabilist ic oracle const ruct ion as described in [44,45]. Our definit ion imit at es t he one of a one-way funct ion wit h infinit e domain. Inst ead, one somet imes uses collect ions of one-way funct ion, where each funct ion of t his collect ion is indexed. Yet , we omit furt her discussions since t he not ion of a collect ion of black-box one-way funct ions is implicit in t he definit ion of t rapdoor one-way funct ions below, and can be easily inferred. From an exist ent ial point of view bot h not ions of one-way funct ions are equivalent , even in t he black-box case.

F

D e fi n it io n 3 . A black-box one-to-one trapdoor function is an oracle T with three query states g en er a t e , ev a l u a t e , i n v er t : – generation: T ( g en er a t e , ω ) for ω ∈ { 0, 1} n outputs a pair ( t , i ) . W log. let 1n be recoverable from index i and trapdoor t . Furtherm ore, assum e that i uniquely determ ines t and vice versa.

84

Marc F ischlin

– evaluation: given x ∈ { 0, 1} n and an index i with ( t , i ) = T ( g en er a t e , ω ) for som e ω ∈ { 0, 1} n , the oracle T ( ev a l u a t e , i , x ) returns y ∈ { 0, 1} po l y( n ) . A lso, let T ( ev a l u a t e , i , · ) be one-to-one for any index i . – inversion: given y ∈ { 0, 1} po l y( n ) and t , the answer T ( i n v er t , t , y ) is som e x such that T ( ev a l u a t e , i , x ) = y if such an x exists ( where i is the uniquely determ ined index to t ) , and an undefined sym bol otherwise.

A dditionally, T satisfies the following one-wayness property: for any uniform polynom ial-size circuit fam ily C = ( C n ) n ∈ IN the inversion probability

P rob



T

Cn

( i , T ( ev a l u a t e , i , x )) =

 x

is negligible, where the probability is taken over the choice of i according to ) for a random ω ∈ R { 0, 1} n , over x ∈ R { 0, 1} n , and over the random ness of C n .

T ( g en er a t e , ω

T he generat ion st ep of our definit ion says t hat one must ext ernally supply t he det erminist ic oracle T wit h randomness ω t o get a random funct ion descript ion ( t , i ). For simplicity and since our const ruct ion achieves t his, we presume t hat T only t akes n random bit s t o produce a random descript ion of complexity n . Addit ionally, we demand a biject ive relat ionship of t rapdoors and indices. More generally, we could allow several mat ching indices i , i ′ t o a single t rapdoor t . Again, as our const ruct ion support s t his uniqueness property, we do not include t his in our definit ion.

3

St at ist ical Zero-K nowledge

When t alking about complexity classes, we always refer t o classes of prom ise problem s . A promise problem Π = ( Π yes , Π no ) is a pair of disjoint set s of yesinst ances Π yes ⊆ { 0, 1} ∗ and no-inst ances Π no ⊆ { 0, 1} ∗ . T he not ion of promise problems generalizes t he language-based approach: an algorit hm put at ively deciding membership for some input x ∈ { 0, 1} ∗ get s a promise t hat x ∈ Π yes ∪ Π no . We briefly int roduce t he zero-knowledge-based classes we deal wit h. As we do not use any definit ional propert ies beyond some basic fact s about t heir relat ionships, we omit formal definit ions of t hese classes and refer t he reader t o [46] for det ails. T he class N I S Z K consist s of t he promise problems having a non-int eract ive st at ist ical zero-knowledge proof. T he class S Z K is t he class of problems having general, possibly int eract ive st at ist ical zero-knowledge proofs; t his is clearly a subset of t he class of problems where st at ist ical zero-knowledge holds wit h respect t o honest verifiers, denot ed by H V S Z K . By [12,20,19] we have P ⊆ B P P ⊆ N I S Z K ⊆ S Z K = H V S Z K . Sahai and Vadhan [40] int roduced t he S Z K -complet e problem st at ist ical difference. Using t he complet eness of t his problem we show t he collapse of S Z K . To a circuit X : { 0, 1} m → { 0, 1} n (more precisely, t o it s descript ion) we associat e a random variable over { 0, 1} n by choosing t he input uniformly from { 0, 1} m .

Impossibility of Const ruct ing Non-int eract ive St at ist ically-Secret P rot ocols

85

D e fi n it io n 4 . T he prom ise problem statistical diff erence, SD = (SDyes , SDno ) , is defined by

SDyes = { ( X SDno = { ( X

0, X 1) 0, X

St at Diff( X 1 ) | St at Diff( X |

0, X 1)



0, X 1)



2/ 3 } 1/ 3 }

To prove t hat SD is complet e for S Z K , Sahai and Vadhan [40,41] est ablished t he polarizat ion lemma. Basically, t his lemma says t hat one can t urn an inst ance ( X 0 , X 1 ) of SD int o a pair ( Y 0 , Y 1 ) of circuit s such t hat t he dist ribut ions of Y 0 , Y 1 are almost disjoint if ( X 0 , X 1 ) ∈ SDyes and nearly equal if ( X 0 , X 1 ) ∈ SDno . Addit ionally, t he t ransformat ion involves an error paramet er ℓ t hat det ermines how far and close, respect ively, t he derived dist ribut ions are. T his paramet er ℓ may be independent of X 0 , X 1 . Fa c t 1 ( P o la riz a t io n Le m m a [4 0 , 4 1 ]) T here is a polynom ial-tim e algorithm Polarize that on input ( X 0 , X 1 , 1ℓ ) outputs ( Y 0 , Y 1 ) such that

(X (X Set Polarize( X

0, X 1) 0, X 1)

0, X 1)

SDyes ∈ ∈

SDno



= Polarize



St at Diff( Y 0 , Y 1 )



1 − 2−

St at Diff( Y 0 , Y 1 )



2−

 X 0, X 1,

1| ( X

0,X 1)|







.

Int uit ively, one can t hink of a polarized pair ( Y 0 , Y 1 ) as a descript ion of a non-int eract ive commit ment funct ion. T he sender split s t he bit b int o n random pieces b1 , . . . , bn such t hat b = b1 ⊕ · · · ⊕ bn . Given n random inst ances ( Y i , 0 , Y i , 1 ) —among which t here will be a no-inst ance wit h high probability— t he sender commit s t o each piece bi individually by sampling according t o Y i , b i and handing t his sample t o t he receiver. If ( Y i , 0 , Y i , 1 ) is a (polarized) no-inst ance t hen t he dist ribut ion hides bi and t herefore b st at ist ically; if it corresponds t o a yesinst ance t hen t he sample det ermines bi wit h very high probability (as long as t he sender does not bias t he sample t oo much). For an ambiguous decommit ment t o b′ = b ⊕ 1 t he sender has t o flip at least one piece bi . P ut diff erent ly, t he sender has t o find a random st ring r ′ such t hat Y i , b i ⊕ 1 maps t his st ring t o t he previously given sample Y 1 , b i ( r ). But if ( Y i , 0 , Y i , 1 ) is a yes-inst ance t hen t he dist ribut ions are almost disjoint and t his is quasi impossible. On t he ot her hand, for a no-inst ance t his is indeed possible. Hence, an ambiguous decommit ment t ells us t he st at us of (at least ) one of t he inst ances. T his is basically t he reason why deciding membership for SD becomes t ract able relat ive t o our oracle: ambiguous decommit ment s can be found easily given access t o t he oracle. However, we remark t hat for a correct membership decision on each inst ance of SD, t he oracle must never err. T his mot ivat es t he invest igat ion of weakly-binding commit ment schemes, where t he oracle must (nearly) always ret urn ambiguous decommiment s t o disprove t heir exist ence. St ill, a very small error for t he binding property is accept able t o ensure a perfect oracle.

86

4

Marc F ischlin

Ext ensions of Sim on’ s R esult

In t his sect ion we apply Simon’ s result [45] t o obt ain an oracle separat ion of black-box one-way permut at ions and t rapdoor one-way funct ions from nonint eract ive weakly-binding honest -receiver st at ist ically-secret bit commit ment . 4 .1

E x t e n s io n t o C o m m it m e n t S ch e m e s

We briefly describe t he oracle const ruct ion in [45]. One st art s wit h a random oracle Π which cont ains a random permut at ion f and a special query st at e c o l l i si o n . Basically, t he random permut at ion f const it ut es a one-way funct ion, and t he query st at e c o l l i si o n enables t o find collisions in hash funct ions. Once proven t hat t his random oracle is one-way, one can t hen derandomize t he const ruct ion. C o n s t ru c t io n 1 Let f : { 0, 1} ∗ → { 0, 1} ∗ be a random perm utation, i.e., a random function with the constraint f ( { 0, 1} n ) = { 0, 1} n for all n ∈ IN. Define oracle Π to contain a random perm utation f , and a special query state c o l l i si o n that takes a circuit description of a m any-to-one hash function h and outputs a random elem ent x together with a uniform ly chosen value x ′ from { y | h ( x ) = h ( y ) } ( and, besides, repeats the description of the hash function and any oracle queries and answers obtained within the com putation of the hash values for x and x ′ ) .

In t he rest of t he paper, we call t his way of generat ing collisions x , x ′ t he basic sam pling procedure . In [45] it was shown t hat t he collision-finding port ion of Π does not help t o invert f significant ly. Not e t hat t he descript ion of t he hash funct ion might also include f - and recursive c o l l i si o n -queries and t hat we let Π append t hese queries and answers t o t he out put for c o l l i si o n -quest ions, t oo. Using an appropriat e encoding for c o l l i si o n -queries, e.g., subst it ut ing values in f by mapping input s of t he form (1 · · ·1, h , . . . , h ) t o (1 · · ·1, h , x , x ′ , queries & answers) and vice versa for a suffi cient number of 1’ s and h -repet it ions, t he special query st at e c o l l i si o n can be eliminat ed and it can be achieved t hat Π is also a permut at ion over { 0, 1} ∗ . See [45] for det ails. In t he sequel, we somet imes swit ch between bot h approaches for sake of convenience. We would like t o ext end t he negat ive result t o non-int eract ive weakly-binding honest -receiver st at ist ically-secret bit commit ment schemes. To t his end, we change oracle Π t o an oracle Σ which allows t o open such commit ment schemes ambiguously and t o cont radict t he weak binding property. T hat is, Σ should ret urn valid decommit ment s for diff erent bit s for st at ist ically-secret commit ment schemes for any suffi cient ly large security paramet er. For inst ance, t his can be accomplished by let t ing t he oracle always out put a non-t rivial collision (i.e., wit h b = b′ ) if t he st at ist ical diff erence is, say, less t han some bound B , and by reducing one-wayness of t his oracle t o t he one-wayness of Π by querying Π a suffi cient number of t imes in order t o simulat e t he new oracle. However, for t his we have t o ensure t hat t he oracle’ s answers t o queries wit h st at ist ical diff erence more t han B are answered consist ent ly compared t o t he simulat ion. We will

Impossibility of Const ruct ing Non-int eract ive St at ist ically-Secret P rot ocols

87

overcome t his problem by let t ing our new oracle Σ generat e random ambiguous decommit ment s in a way t hat already mimics t he simulat or’ s behavior asking several quest ions t o Π : C o n s t ru c t io n 2 Let Π be defined as in Construction 1. M odify Π by replacing the c o l l i si o n -query state as follows: if the probability that the basic sam pling procedure outputs a random collision ( b, r ) , ( b′ , r ′ ) with b = b′ for the m any-to-one function Com k m is at least 1/ 6, then uniform ly select som e ( b, r ) from the set of pairs ( c, s ) for which C c,s

= { ( c ⊕ 1, s ′ ) | Com k m ( c, s ) = Com k m ( c ⊕ 1, s ′ ) }

is not em pty, together with a uniform ly chosen value ( b′ , r ′ ) from C b , r . E lse, for input length ℓ of Com k m , generate ℓ random collisions ( b, r ) , ( b′ , r ′ ) with the basic sam pling procedure; if there is som e collision with b = b′ then output the first one that appears am ong these sam ples, otherwise return the first of the ℓ sam ples ( which is then of the form ( b, r ) , ( b, r ′ ) , of course) . Furtherm ore, the oracle appends the description of Com k m and all oracle queries to com pute Com k m ( b, r ) and Com k m ( b′ , r ′ ) . Denote this oracle by Σ .

We claim t hat set t ing t he bound t o 1/ 6 guarant ees t hat oracle Σ always ret urns ambiguous decommit ment s for st at ist ically-secret bit commit ment s (for suffi cient ly large security paramet er). To see t his, let Com k m be a st at ist icallysecret bit commit ment funct ion. Call an input ( b, r ) good if t he number of random st rings s t hat map t o t he same commit ment Com k m ( b, r ) = Com k m ( b, s ) is at most twice t he number of random st rings s ′ which map t o t he same commit ment Com k m ( b, r ) = Com k m ( b ⊕ 1, s ′ ) for t he inverse bit b ⊕ 1. Wit h probability at least 1/ 2 a random value ( b, r ) is good (ot herwise t he st at ist ical diff erence of Com k m (0) and Com k m (1) would be at least 1/ 4 which would cont radict t he negligible deviat ion for large security paramet ers) 2 . In t his case, for a uniformly chosen colliding input ( b′ , r ′ ) t o some good ( b, r ) it holds t hat b′ = b wit h probability at least 1/ 3. Hence, for st at ist ically-secret commit ment , wit h probability at least 1/ 6 a random collision represent s valid decommit ment s for dist inct bit s. See [41] for a t ight er bound depending on t he act ual st at ist ical diff erence. Not e t hat if we eliminat e t he c o l l i si o n -st at e from Π by encoding such queries in { 0, 1} ∗ , t hen Σ inherit s t his property. Le m m a 1 . Oracle Σ

in Construction 2 is a black-box one-way perm utation.

Formally, Σ is a random oracle. Hence, we would bet t er say “P icking Σ as in Const ruct ion 2 one obt ains a black-box one-way permut at ion.” We neglect t his as we will lat er derandomize t he const ruct ion anyway. P roof ( Sketch) . Clearly, t he permut at ion property is not aff ect ed by t he modifi-

cat ion, even if we encode 2

c o l l i si o n -queries

by bit st rings. It t hus suffi ces t o prove

By assumpt ion t he input lengt h of commit ment funct ions is at least as large as t he security paramet er. T his allows us t o use t he same bound 1/ 6 when considering t he input lengt h as replacement for t he security paramet er, as done in Const ruct ion 2.

88

Marc F ischlin

one-wayness. Assume t hat t here exist s a (uniform) polynomial-size circuit family D = ( D n ) n ∈ IN t hat t akes advant age of t he modificat ion in Const ruct ion 2. T hat is, D is able t o invert Σ wit h not iceable probability. Let t he polynomial q ( n ) bound t he size of D , and let D n invert a random image under Σ wit h probability at least 1/ p ( n ) for a polynomial p ( n ) and infinit ely many n ∈ IN. Not e t hat t he t ot al number of oracle queries, including t he recursive ones in c o l l i si o n -queries, is bounded above by t he size q ( n ) of D n . From D we const ruct a polynomial-size circuit family C = ( C n ) n ∈ IN int eract ing wit h a random oracle Π according t o Const ruct ion 1. Basically, C n get s an image y as input and simulat es D n on y . Each f -query of D n is answered by asking t he f -oracle of Σ . Every t ime D n submit s a c o l l i si o n query for some Com k m wit h input lengt h ℓ , t hen circuit C n essent ially (det ails below) asks Π alt oget her ℓ c o l l i si o n -queries by padding t he descript ion of Com k m wit h redundant bit s in each query (aft er all, Π is a random function and always ret urns t he same answer t o t he same quest ion again; padding t he commit ment funct ion descript ion t hus yields independent random collisions). T hen C n select s an adequat e collision and hands it t o D n . We explain in det ail how C n finds an appropriat e collision. Assume for t he moment t hat C n picks a collision by querying Π as described above ℓ t imes. If t he commit ment funct ion Com k m is above t he limit 1/ 6, t hen circuit C n would find a proper collision wit h probability at least 1 − (5/ 6) ℓ ; if ℓ is large t his is very close t o 1 and almost ident ical t o t he answer of Σ . For Com k m -funct ions below t he bound 1/ 6, circuit C n would give ident ically dist ribut ed answers t o c o l l i si o n -queries in comparison t o Σ . A problem occurs if ℓ is t oo small. T hen C n ’ s out put would diff er not iceably from Σ ’ s answer for commit ment funct ion above t he bound 1/ 6. To overcome t his, we let C n search for t he right answers for commit ment funct ions Com k m wit h small input lengt h. T hen t he simulat ion error will st ill leave enough mass for C n ’ s success probability. We use t he limit L ( n ) = 4 log2 (2p ( n ) q ( n )) ≥ log6 / 5 (2p ( n ) q ( n )) t o ident ify a small input lengt h. Recall t hat t he descript ion of many-t o-one funct ions in c o l l i si o n -queries may also include recursive c o l l i si o n -request . We assert t hat t he same solut ion as before applies. Eit her t he input lengt h is “very short ”, or using enough samples yields a suffi cient ly good approximat ion. More formally, we can first modify t he commit ment funct ion descript ion by adding an “if-t hen-else”-check for recursive c o l l i si o n -queries. T his check simply imit at es C n ’ s st rat egy, i.e., compares t he input lengt h t o L ( n ) and proceeds accordingly. It is not hard t o show t hat by t he choice of t he paramet ers t he simulat ion error for a single c o l l i si o n -query, eit her one on t op level or a recursive one, is at most 1/ (2p ( n ) q ( n )). Since D n put s at most q ( n ) oracle queries, by t he union bound t he simulat ion t herefore fails wit h probability at most 1/ (2p ( n )) for any suffi cient ly large n . T hus, at most half of t he cases of D n ’ s success are covered by t he simulat ion error, and C n successfully invert s Π wit h probability at least 1/ (2p ( n )) infinit ely oft en. But t his cont radict s t he result in [45]. ⊓⊔ Derandomizing t he oracle const ruct ion by t aking an appropriat e oracle which works for all of t he count able many uniform circuit s [44,45], we obt ain a one-way

Impossibility of Const ruct ing Non-int eract ive St at ist ically-Secret P rot ocols

89

permut at ion oracle relat ive t o which t here cannot exist non-int eract ive weaklybinding honest -receiver st at ist ically-secret bit commit ment schemes, even such ones t hat use oracle queries. T h e o re m 1 . R elative to an oracle there exist black-box one-way functions and perm utations, but no non-interactive weakly-binding honest-receiver statisticallysecret bit com m itm ent schem es. 4 .2

E x t e n s io n t o B la ck -B o x T ra p d o o r Fu n c t io n s

T he essence of our const ruct ion of a black-box t rapdoor funct ion ut ilizes t he idea of t he const ruct ion of signat ure schemes from one-way funct ions [33,38]: t he public and t he privat e key of t he signat ure scheme are t he value of a oneway funct ion and it s preimage. Here, t he index i of t he t rapdoor funct ion is t he value of Σ at t he t rapdoor t . Incorporat ing i int o t he evaluat ion process by set t ing t he funct ion t o Σ ( i , · ) gives t he desired t rapdoor one-way funct ion. To invert some y in t he range of Σ ( i , · ) one has t o provide t he mat ching t rapdoor t t o i t o t he inversion oracle. C o n s t ru c t io n 3 Let Σ follows:

( over { 0, 1} ∗ ) be as in Construction 2. Define T as

– generation: on input ω ∈ { 0, 1} n oracle T outputs t = ω and i = Σ ( ω ) . – evaluation: on input i , x ∈ { 0, 1} n the evaluation algorithm of T returns Σ

(i , x ) ∈

{ 0, 1} 2 n

– inversion: given y ∈ { 0, 1} 2 n and t ∈ { 0, 1} n the oracle T first checks that Σ ( t ) equals the left half of ( i , x ) = Σ − 1 ( y ) . If so, it outputs x , else som e undefined sym bol.

Some remarks are in place. Apparent ly, our funct ion is one-t o-one but not a permut at ion. Hence, it erat ion t echniques for t rapdoor permut at ions, like feeding t he out put int o t he funct ion again, are impossible. Nevert heless, we can apply a t ree const ruct ion of logarit hmic dept h by it erat ing t he funct ion on each out put half. T his may replace t he permut at ion in some set t ings. Similarly, it may suffi ce t o it erat e t he funct ion on, say, t he left half of t he result and out put t he right half “in clear”. Also, observe how our const ruct ion circumvent s t he problem of claws. A pair of claw-free funct ions is pair of funct ions wit h ident ical range, but such t hat finding input s for each funct ion t hat bot h map t o t he same out put is infeasible. Any impossibility result about t he const ruct ion of non-int eract ive st at ist icallysecret commit ment schemes based on any t rapdoor funct ion implies t hat t he t rapdoor funct ions do not yield claw-free funct ions. In our case, any dist inct t rapdoor funct ions ( t , i ) = ( t ′ , i ′ ) have disjoint ranges (because Σ ( i , x ) = Σ ( i ′ , x ′ ) for all x , x ′ for t he permut at ion Σ ). T he proof t hat T is a t rapdoor one-way funct ion follows by reduct ion t o t he one-wayness of Σ . While generat ion and evaluat ion queries for T can be easily emulat ed given access t o Σ , we have t o ensure t hat inversion queries do

90

Marc F ischlin

not lend significant power t o an adversary. Indeed, for a given index i ∈ { 0, 1} n t he range of Σ ( i , · ) forms a sparse subset of { 0, 1} 2 n of size 2n . T herefore, any algorit hm t hat t ries t o invert an image y by guessing a t rapdoor t ′ and asking T t o invert a large y wit h respect t o t ′ almost cert ainly get s t he undefined symbol as reply. In ot her words, inversion queries for large images essent ially lead t o reasonable answers only if t he corresponding image has been comput ed previously by querying t he evaluat ion oracle of T . But t hen t he preimage is already known and gives no addit ional informat ion. For short images, a preimage can be comput ed effi cient ly by searching t he domain, and t hus inversion queries do not give any advant age in t his case eit her. Le m m a 2 . Oracle T in Construction 3 is a black-box one-to-one trapdoor oneway function.

Basically, t he proof follows t he one of Lemma 1 of t he one-wayness of oracle Σ , regarding t hat inversion queries do not help significant ly according t o t he previous discussion. It is omit t ed for space reasons. Derandomizing Const ruct ion 3 we conclude: T h e o re m 2 . R elative to an oracle there are black-box one-to-one trapdoor functions and black-box one-way functions and perm utations, but no non-interactive weakly-binding honest-receiver statistically-secret bit com m itm ent schem es.

In analogy t o [45] we can t urn T int o a single oracle t hat operat es on bit st rings. A descript ion of t his will be given in t he full version.

5

N ont rivial St at ist ical Zero-K nowledge R equires M ore T han B lack-B ox One-Wayness

In t his sect ion we prove t he collapse of S Z K relat ive t o an appropriat e one-way permut at ion oracle and t o a one-t o-one black-box t rapdoor funct ion. It is known t hat hard-t o-predict problems in S Z K imply one-way funct ions [34]. T he premise of t his implicat ion was lat er relaxed t o CZ K = average-case-B P P [36]. Our result present s some evidence t hat nont rivial problems in S Z K act ually need more t han one-wayness. Furt hermore, we supplement t he result t hat S Z K = B P P relat ive t o an oracle [2] by showing t hat S Z K = B P P = P relat ive t o a one-way permut at ion oracle. Not e t hat t he exist ence of (black-box) one-way funct ions implies t hat N P ⊆ B P P . T he const ruct ion of our oracle Γ , relat ive t o which SD is easy, is a slight modificat ion of Σ in Const ruct ion 3. In order t o preserve t he int erpret at ion t hat one-wayness does not suffi ce for nont rivial problems in S Z K , we allow inst ances of SD t o include query gat es for t he oracle Γ . We remark t hat t his ext ended version of SD is complet e for t his relat ivized class of S Z K ; t his shows for example in t he complet eness proof given in [46]. Hence, if we show t he t ract ability of SD relat ive t o Γ it follows t hat t he whole relat ivized class of S Z K collapses. In t he const ruct ion of Γ we presume wlog. t hat t he input size of circuit s Y 0 and Y 1 of a polarized inst ance (for any complexity paramet er) is at least t he

Impossibility of Const ruct ing Non-int eract ive St at ist ically-Secret P rot ocols

91

out put lengt h, and t hat bot h circuit have t he same input size. Ot herwise algorit hm Polarize pads t he input lengt h wit h a minimal number of bit s. T hen we can view an input ( X 0 , X 1 ) as a descript ion of a commit ment funct ion Com ( X 0 , X 1 ) ( b, r ) = Y b ( r ), where Y 0 , Y 1 are derived by applying t he polarizat ion lemma (t oget her wit h t he lengt h convent ion). C o n s t ru c t io n 4 Let Σ be as in Construction 3. A lter Σ to Γ by m odifying the c o l l i si o n -state as follows: Γ only accepts pairs ( X 0 , X 1 ) of circuits as argum ents to c o l l i si o n -queries. T hen Γ polarizes ( X 0 , X 1 ) with param eter ℓ = | ( X 0 , X 1 ) | to obtain ( Y 0 , Y 1 ) . If ( X 0 , X 1 ) is a yes-instance for SD then return a pair ( b, r ) , ( b, r ′ ) such that Y b ( r ) = Y b ( r ′ ) ( generated by the basic sam pling procedure with the restriction that the second value is chosen uniform ly am ong the collisions with the sam e leftm ost bit b) ; if ( X 0 , X 1 ) ∈ SDno then sam ple a random collision ( b, r ) , ( b ⊕ 1, r ′ ) accordingly. Otherwise, if ( X 0 , X 1 ) ∈ / SDyes ∪ SDno , com pute ℓ random collisions with the basic procedure, output the first one with b = b′ , if such a collision exists, otherwise return the first sam ple. E ach tim e, also append ( X 0 , X 1 ) and all oracle queries m ade to com pute the circuits’ outputs.

Clearly, for any polarized no-inst ance ( Y 0 , Y 1 ) wit h probability at least 1/ 6 t he basic sampling procedure ret urns a collision ( b, r ) , ( b′ , r ′ ) wit h b = b′ . See t he discussion in Sect ion 4.1. Next we show t hat for yes-inst ances (wit h st at ist ical diff erence close t o 1) t his rarely happens; t he proof is deferred from t his version: Le m m a 3 . Let ( X 0 , X 1 ) ∈ SDyes . T hen the probability that the basic sam pling procedure for ( Y 0 , Y 1 ) = Polarize( X 0 , X 1 ) yields a collision ( b, r ) , ( b, r ′ ) is at m ost 2− ℓ / 2 + 1 for ℓ = | ( X 0 , X 1 ) | .

We omit a formal proof t hat we can reduce a circuit D invert ing Γ t o a circuit C finding preimages for Π . T he argument is almost ident ical t o t he one of Lemma 1, t aking int o account t hat t he basic sampling procedure almost never yields collisions for t he same bit b for yes-inst ances according t o t he previous lemma. Addit ionally, replacing Σ by Γ in Const ruct ion 3 of T , we obt ain a one-t o-one t rapdoor funct ion grant ing access t o Γ . T h e o re m 3 . T here exists an oracle relative to which P = B P P = N I S Z K = = H V S Z K but relative to which one-to-one trapdoor functions and oneway perm utations exist. SZ K

P roof. Obviously, relat ive t o our (derandomized) oracles

Γ and T we have , because if we simply query t he oracle about t he input inst ance ( X 0 , X 1 ) and out put 1 (respect ively, 0) if and only if we are given a collision ( b, r ) , ( b, r ′ ) (respect ively, ( b, r ) , ( b ⊕ 1, r ′ )), t hen we correct ly decide membership for SD in polynomial t ime. Furt hermore, t he proofs [20,19] t hat N I S Z K ⊆ H V S Z K ⊆ S Z K relat ivize, and t oget her wit h B P P ⊆ N I S Z K t he assert ion follows. ⊓⊔

SZ K



P



BP P

92

6

Marc F ischlin

Im plicat ions t o Ot her Crypt ographic P rot ocols

We show t hat various problems imply non-int eract ive weakly-binding honest receiver st at ist ically-secret commit ment schemes. It follows t hat our oracle separat ion t ransfers t o t hese cases as well. Because of lack of space, a formal t reat ment is deferred from t his abst ract , and we give a rat her informal descript ion here. T he problem of non-int eract ive crypt o-comput ing [42] deals wit h comput ing on encrypt ed dat a. T he server, possessing a secret circuit C , receives an encrypt ion of some input x from t he client . T hen t he server inat t ent ively evaluat es C ( x ) and ret urns some value t o t he client upon which t he client can ext ract t he value C ( x ) but learns not hing more about C in a st at ist ically sense. It is st raight forward t o devise non-int eract ive weakly-binding honest -receiver st at ist ically-secret bit commit ment schemes from such crypt o-comput ing prot ocols. Namely, t he commit t ing party split s bit b = b1 ⊕ · · · ⊕ bn int o n random pieces, t hen t he honest receiver in t his commit ment prot ocol sends n encrypt ions of random bit s a 1 , . . . , a n , and t he sender replies wit h t he inat t ent ive circuit evaluat ions of O R b i ( a i ) = bi ∨ a i for i = 1, . . . , n . If t he honest receiver sends some a i wit h a i = 1 (which happens wit h probability at least 1 − 2− n ) t hen he does not learn anyt hing about bi and t hus about b. On t he ot her hand, t o open a commit ment ambiguously, a malicious sender needs t o dist inguish wit h not iceable advant age between 0-encrypt ions —for which bj is pinned down because t he receiver learns bj — and 1-encrypt ions when t he receiver does not gain any informat ion about bj . But t his would cont radict t he security of t he encrypt ion scheme. Sander et al. [42] const ruct non-int eract ive crypt o-comput ing prot ocols from any semant ically-secure rerandom izable bit encrypt ion scheme; a rerandomizable bit encrypt ion syst em allows t o renew t he dist ribut ion of an encrypt ed bit wit hout knowing t he secret key, i.e., from t he ciphert ext and t he public key alone. Hence, we can also const ruct a st at ist ically-secret bit commit ment prot ocol from a rerandomizable encrypt ion scheme. Wit h a one-out -of-two oblivious t ransfer (OT ) prot ocol [37,15] a party t ransfers one of two bit s (t he choice is made at random) t o a receiver such t hat t he receiver does not learn anyt hing about t he ot her bit , and such t hat t he sender does not know which bit has been sent . In order t o derive a commit ment prot ocol we apply t he same split t ing t echnique as in t he case of crypt o-comput ers. Specifically, t he sender split s b int o two random pieces and obliviously t ransfers one t o t he honest receiver. T herefore, if t he oblivious t ransfer prot ocol is non-int eract ive and provides st at ist ically-sender-privacy wit h respect t o honest receivers we obt ain an appropriat e commit ment scheme. Addit ionally, t his approach works wit h ot her kinds of oblivous t ransfers, like chosen-one-out -of-two prot ocols. Det ails are omit t ed. Unt il recent ly, non-int eract ive oblivious t ransfer prot ocols were only known in a public-key infrast ruct ure set t ing [6,11]. But lat ely, under t he decisional Diffi e-Hellman assumpt ion, Naor and P inkas [32] and Aiello et al. [3] devised st at ist ically-sender-privat e chosen-one-out -of-two OT prot ocols which require

Impossibility of Const ruct ing Non-int eract ive St at ist ically-Secret P rot ocols

93

bot h part ies t o send a single message only and wit hout any set up assumpt ions. Hence, such oblivious t ransfers may be impossible using general public-key crypt osyst ems but t hey are const ruct ible from specific int ract ability assumpt ions. A privat e informat ion ret rieval (P IR) scheme [8] is a special oblivous t ransfer prot ocol in which one out of n bit s is t ransferred. Not hing is guarant eed about t he sender’ s privacy, t hough, i.e., even t he honest receiver might learn more t han a single bit . In cont rast t o oblivious t ransfer t he communicat ion complexity must not exceed n bit s in P IR schemes. In [4] it has been shown t hat non-int eract ive low-com unication P IR schemes, i.e., where less t han n / 2 bit s are communicat ed, imply non-int eract ive st at ist ically-secret bit commit ment . In summery, C o ro lla ry 1 . T here is an oracle relative to which black-box one-to-one trapdoor functions and black-box one-way perm utations exist, but relative to which non-interactive honest-client statistically-server-private crypto-com puting for orgates, rerandom izable bit encryption, non-interactive honest-receiver statisticallysender-private oblivous transfer and non-interactive low-com m unication private inform ation retrieval are im possible.

A cknowledgem ent s We are grat eful t o Dan Simon for helpful discussions about his paper. We would also like t o t hank all anonymous reviewers for t heir comment s.

R eferences 1. W.Aiello, J.H˚ astad: St at ist ical Zero-Knowledge Languages can be Recognized in T wo Rounds, Jour nal of Computer and System Sci ence, Vol. 42, pp. 327–345, 1991. 2. W.Aiello, J.H˚ astad: Relat ivized P erfect Zero-Knowledge is not BP P, I nfor mati on and Computati on, Vol. 93, pp. 223–240, 1991. 3. W.Aiello, Y.Ishai, O.Reingold: P riced Oblivious Transfer: How t o Sell Digit al Goods, E urocr ypt 2001, Lecture N otes i n Computer Sci ence, Vol. 2045, Spr i nger Ver lag, 2001. 4. A.Beimel, Y.Ishai, E.Kushilevitz, T.Malkin: One-Way Funct ions are Essent ial for Single-Server P rivat e Informat ion Ret rieval, P roceedi ngs of the 31st A nnual A CM Symposi um on the T heor y of Computi ng ( ST OC) , pp. 89–98, 1999. 5. M.Bellare, S.Halevi, A.Sahai, S.Vadhan: Many-To-One Trapdoor Funct ions and T heir Relat ion t o P ublic-Key Crypt osyst ems, Cr ypto ’ 98, Lecture N otes i n Computer Sci ence, Vol. 1462, Spr i nger -Ver lag, pp. 283–298, 1998. 6. M.Bellare, S.Micali: Non-Int eract ive Oblivious Transfer and Applicat ions, Cr ypto ’ 89, Lecture N otes i n Computer Sci ence, Vol. 435, Spri nger -Ver lag, pp. 547–559, 1990.

7. M.Ben-Or, O.Goldreich, S.Goldwasser, J.H˚ astad, J.Killian, S.Micali, P.Rogaway: Everyt hing P rovable is P rovable in Zero-Knowledge, Cr ypto ’ 88, Lecture N otes i n Computer Sci ence, Vol. 403, Spr i nger -Ver lag, pp. 37–56, 1990. 8. B.Chor, O.Goldreich, E.Kushilevitz, M.Sudan: P rivat e Informat ion Ret rieval, Jour nal of A CM , vol. 45, pp. 965–981, 1998.

94

Marc F ischlin

´peau, F.Le ´gare ´, L.Savail: How t o Convert a F lavor of Quant um Bit 9. C.Cre Commit ment , E urocr ypt 2001, Lecture N otes i n Computer Sci ence, Vol. 2045, Spr i nger -Ver lag, 2001. ˙ 10. I.Damgard, T.Pedersen, B.Pfitzmann: On t he Exist ence of St at ist ically Hiding Bit Commit ment Schemes and Fail-St op Signat ures, Cr ypto ’ 93, Lecture N otes i n Computer Sci ence, Vol. 773, Spr i nger -Ver lag, pp. 250–255, 1993. 11. A.De Santis, G.Di Crescenzo, G.Persiano: P ublic-Key Crypt ography and Zero-Knowledge Argument s, I nfor mati on and Computati on, Vol. 121, N o. 1, pp. 23–40, 1995. 12. G.Di Crescenzo, T.Okamoto, M.Yung: Keeping t he SZK-Verifier Honest Uncondit ionally, Cr ypto ’ 97, Lecture N otes i n Computer Sci ence, Vol. 1294, Spr i nger -Ver lag, pp. 31–45, 1997. 13. W.Diffie, M.Hellman: New Direct ions in Crypt ography, I E E E T ransacti on on I nfor mati on T heor y, Vol. 22, pp. 644–654, 1976. 14. P.Dumais, D.Mayers, L.Salvail: P erfect ly Concealing Quant um Bit Commit ment from Any One-Way P ermut at ion, E urocr ypt 2000, Lecture N otes i n Computer Sci ence, Vol. 1807, Spr i nger -Ver lag, pp. 300–315, 2000. 15. S.Even, O.Goldreich, A.Lempel: A Randomized P rot ocol for Signing Cont ract s, Communi cati on of the A CM , vol. 28, pp. 637–647, 1985. 16. L.Fortnow: T he Complexity of P erfect Zero-Knowledge, P roceedi ngs of the 19th A nnual A CM Symposi um on the T heor y of Computi ng ( ST OC) , pp. 204–209, 1987. 17. R.Gennaro, L.Trevisan: Lower Bounds on t he Effi ciency of Generic Crypt ographic Const ruct ions, P roceedi ngs of the 41st I E E E Symposi um on Foundati ons of Computer Sci ence ( F OCS) , 2000. 18. Y.Gertner, S.Kannan, T.Malkin, O.Reingold, M.Viswanathan: T he Relat ionship Between P ublic Key Encrypt ion and Oblivious Transfer, P roceedi ngs of the 41st I E E E Symposi um on Foundati ons of Computer Sci ence ( F OCS) , 2000. 19. O.Goldreich, A.Sahai, S.Vadhan: Can St at ist ical Zero-Knowledge be made Non-Int eract ive? or On t he Relat ionship of SZK and NISZK, Cr ypto ’ 99, Lecture N otes i n Computer Sci ence, Spr i nger -Ver lag, 1999. 20. O.Goldreich, A.Sahai, S.Vadhan: Honest -Verifier St at ist ical Zero-Knowledge Equals General St at ist ical Zero-Knowledge, P roceedi ngs of the 30th A nnual A CM Symposi um on T heor y of Computi ng ( ST OC) , A CM P ress, pp. 399–408, 1998. 21. S.Goldwasser, O.Goldreich, S.Micali: How t o Const ruct Random Funct ions, Jour nal of A CM , vol. 33, pp. 792–807, 1986. 22. S.Goldwasser, S.Micali: P robabilist ic Encrypt ion, Jour nal of Computer and System Sci ence, Vol. 28, pp. 270–299, 1984. 23. S.Halevi, S.Micali: P ract ical and P rovably-Secure Commit ment Schemes from Collision-Free Hashing, Cr ypto ’ 96, Lecture N otes i n Computer Sci ence, Vol. 1109, Spr i nger -Ver lag, pp. 201–215, 1996. 24. J.H˚ astad, R.Impagliazzo, L.Levin, M.Luby: A P seudorandom Generat or from any One-way Funct ion, SI A M Jour nal on Computi ng, vol. 28( 4) , pp. 1364–1396, 1999. 25. R.Impagliazzo, M.Luby: One-Way Funct ions are Essent ial for Complexity Based Crypt ography, P roceedi ngs of the 30th I E E E Symposi um on Foundati ons of Computer Sci ence ( F OCS) , pp. 230–235, 1989. 26. R.Impagliazzo, S.Rudich: Limit s on t he P rovable Consequences of One-Way P ermut at ions, P roceedi ngs of the 21st A nnual A CM Symposi um on the T heor y of Computi ng ( ST OC) , pp. 44–61, 1989.

Impossibility of Const ruct ing Non-int eract ive St at ist ically-Secret P rot ocols

95

27. R.Impagliazzo, M.Yung: Direct Minimum-Knowledge Comput at ions, Cr ypto ’ 87, Lecture N otes i n Computer Sci ence, Vol. 293, Spr i nger -Ver lag, pp. 40–51, 1987. 28. J.Kahn, M.Saks, C.Smyth: A Dual Version of Reimer’ s Inequality and a P roof of Rudich’ s Conject ure, P roceedi ngs of 15th I E E E Conference on Computati onal Complexi ty , 2000. 29. J.Kim, D.Simon, P.Tetali: Limit s on t he Effi ciency of One-Way P ermut at ionBased Hash Funct ions, P roceedi ngs of the 40th I E E E Symposi um on Foundati ons of Computer Sci ence ( F OCS) , 1999. 30. M.Naor: Bit Commit ment Using P seudo-Randomness, Jour nal of Cr yptology, vol. 4, pp. 151–158, 1991. 31. M.Naor, R.Ostrovsky, R.Venkatesan, M.Yung: P erfect Zero-Knowledge Argument s for NP Using Any One-Way P ermut at ion, Jour nal of Cr yptology, vol. 11, pp. 87–108, 1998. 32. M.Naor, B.Pinkas: Effi cient Oblivious Transfer P rot ocols, T welfth A nnual A CM -SI A M Symposi um on D i screte A lgor i thms, 2001. 33. M.Naor, M.Yung: Universal One-Way Hash Funct ions and T heir Crypt ographic Applicat ions, P roceedi ngs of the 21st A nnual A CM Symposi um on the T heor y of Computi ng ( ST OC) , pp. 33–43, 1989. 34. R.Ostrovsky: One-Way Funct ions, Hard on Average P roblems, and St at ist ical Zero-Knowledge P roofs, I E E E Conference on Str ucture i n Complexi ty T heor y, pp. 133–138, 1991. 35. R.Ostrovsky, R.Venkatesan, M.Yung: Fair Games Against an All-P owerful Adversary, A M S D I M A CS Ser i es i n D i screte M athemati cs and T heoreti cal Computer Sci ence, Vol. 13, pp. 155–169, 1993. 36. R.Ostrovsky, A.Wigderson: One-Way Funct ions are Essent ial for Non-Trivial Zero-Knowledge, P roceedi ngs of the Second I srael Symposi um on T heor y of Computi ng and Systems, 1993. 37. M.Rabin: How t o Exchange Secret s by Oblivious Transfer, T echni cal Repor t T R 81, H ar vard, 1981. 38. J.Rompel: One-Way Funct ions are Necessary and Suffi cient for Secure Signat ures, P roceedi ngs of the 22nd A nnual A CM Symposi um on the T heor y of Computi ng ( ST OC) , pp. 387–394, 1990. 39. S.Rudich: T he Use of Int eract ion in P ublic Crypt osyst ems, Cr ypto ’ 91, Lecture N otes i n Computer Sci ence, Vol. 576, Spr i nger -Ver lag, pp. 242–251, 1992. 40. A.Sahai, S.Vadhan: A Complet e P romise P roblem for St at ist ical ZeroKnowledge, P roceedi ngs of the 38th I E E E Symposi um on Foundati ons of Computer Sci ence ( F OCS) , pp. 448–457, 1997. 41. A.Sahai, S.Vadhan: Manipulat ing St at ist ical Diff erence, A M S D I M A CS Ser i es i n D i screte M athemati cs and T heoreti cal Computer Sci ence, Vol. 43, pp. 251–270, 1999. 42. T.Sander, A.Young, M.Yung: Non-Int eract ive Crypt o-Comput ing for NC 1 , P roceedi ngs of the 40th I E E E Symposi um on Foundati ons of Computer Sci ence ( F OCS) , 1999. 43. A.Shamir: IP = P SPACE, P roceedi ngs of the 31st I E E E Symposi um on Foundati ons of Computer Sci ence ( F OCS) , 1990. 44. D.Simon: On t he P ower of Quant um Comput at ion, P roceedi ngs of the 35th I E E E Symposi um on Foundati ons of Computer Sci ence ( F OCS) , pp. 124–134, 1994.

45. D.Simon: F inding Collisions on a One-Way St reet : Can Secure Hash Funct ions be Based on General Assumpt ions?, E urocr ypt ’ 98, Lecture N otes i n Computer Sci ence, Vol. 1403, Spr i nger -Ver lag, pp. 334–345, 1998. 46. S.Vadhan: A St udy of St at ist ical Zero-Knowledge P roofs, P h.D . thesi s, M I T , avai lable at http://theory.lcs.mit.edu/∼ salil/, Sept ember 1999.

T h e R e p re s e n t a t io n P ro b le m B a s e d o n Fa c t o rin g Marc Fischlin and Roger Fischlin

{

J ohann Wolfgang Goet he-University Frankfurt am Main, Germany marc,fischlin} @mi.informatik.uni-frankfurt.de http://www.mi.informatik.uni-frankfurt.de/

We review t he represent at ion problem based on fact oring and show t hat t his problem gives rise t o alt ernat ive solut ions t o a lot of crypt ographic prot ocols in t he lit erat ure. And, while t he solut ions so far usually eit her rely on t he RSA problem or t he int ract ability of fact oring int egers of a special form (e.g., Blum int egers), t he solut ions here work wit h t he most general fact oring assumpt ion. P rot ocols we discuss include ident ificat ion schemes secure against parallel at t acks, secure signat ures, blind signat ures and (non-malleable) commit ment s. A b st r a ct .

1

In t ro d u c t io n

T he RSA represent at ion problem deals wit h t he problem of finding a decomposit ion of a value int o an RSA-like represent at ion. Specifically, given a modulus N = pq of two secret primes p, q , an exponent e relat ively prime t o Euler’ s t ot ient funct ion ϕ ( N ) and a value g ∈ ZZ N , find t o X ∈ ZZ N a represent at ion x ∈ ZZ e and r ∈ ZZ N wit h X = g x r e mod N . It is well-known t hat given N , e, g coming up wit h some X and dist inct represent at ions ( x 1 , r 1 ) , ( x 2 , r 2 ) is as hard as t he RSA problem [Ok92]. T he RSA represent at ion problem has a vast number of applicat ions: for inst ance, Okamot o [Ok92] const ruct s an ident ificat ion prot ocol secure against (parallel) act ive at t acks which Point cheval and St ern [P S00] subsequent ly t urn int o a secure signat ure scheme and a blind signat ure scheme. Fischlin and Fischlin [FF00] as well as Di Crescenzo et al. [CKOS01] use t he RSA represent at ion problem t o derive effi cient non-malleable commit ment schemes based on RSA. Brands [B97] shows how t o prove linear relat ions on commit t ed values wit h an ext ended version of t he RSA represent at ion problem. Int erest ingly, t here is a seemingly less popular analogue t o t he RSA represent at ion problem relying on t he assumed hardness of fact oring int egers. In t his case, a represent at ion of X wit h respect t o N , g and a number t is a pair x ∈ ZZ 2 and r ∈ ZZ N wit h X = g x r 2 mod N . Brassard et al. [BCC88] int roduce t his represent at ion type for t he special case t = 1. Damg˚ard [D95] generalizes t his t o arbit rary t ≥ 1 for Blum int egers N where p, q = 3 mod 4. In order t o advance t o general moduli we int roduce an “adjust ment ” paramet er τ which depends on t he prime fact orizat ion of N (and which equals 0 for Blum int egers, for example), and we define a represent at ion of X wit h respect t o N , τ , g and t t o ∗





t



t

B . P r e n e e l ( E d . ) : C T -R S A 2 0 0 2 , L N C S 2 2 7 1 , p p . 9 6 – 1 1 3 , 2 0 0 2 .  c S p r in g e r -V e r la g B e r lin H e id e lb e r g 2 0 0 2

T he Represent at ion P roblem Based on Fact oring τ

+

97

t

mod N . As we will be a pair x ∈ ZZ 2 and r ∈ ZZ N such t hat X = g x r 2 elaborat e, for appropriat e choices of τ , g t he t ask of finding a value X and different represent at ions becomes equivalent t o t he fact oring problem for arbitrary m oduli . One reason for t he unpopularity of t he fact oring represent at ion problem may st em from t he fact t hat Okamot o’ s previously proposed ident ificat ion scheme based on t his problem is flawed. It is suffi cient t o solve t he RSA problem t o pass t he ident ificat ion scheme wit h const ant probability, wit hout necessarily being able t o fact or t he modulus. We review t his short coming in Appendix A. Fort unat ely, t he bug in Okamot o’s scheme is fixable, and we can indeed devise a secure ident ificat ion scheme using t he fact oring represent at ion problem. We show t hat for suit able paramet ers t he prot ocol becomes provably secure under t he fact oring assumpt ion. Among ot her ident ificat ion schemes provably secure as fact oring, t he presumably most popular are t he Feige-Fiat -Shamir prot ocol [FFS88] and it s variat ion due t o Ong-Schnorr [OS90,S96] as well as Shoup’s syst em [Sh99]. For t hese schemes t here is a t rade-off between t he key size and security against parallel at t acks. While t he Feige-Fiat -Shamir prot ocol provides security against such parallel at t acks, and t herefore forms a fundament for secure reset t able ident ificat ion [BFGM01] and blind signat ures wit h parallel signat ure generat ion [P S97,P S00], it also requires large secret and public keys. T he Shoup and t he Ong-Schnorr syst em, on t he ot her hand, admit short keys but are conceivably not secure against parallel at t acks1 . Our prot ocol fills t he gap and achieves security against parallel at t acks and requires only short keys. Wit h t he t echniques int roduced in [P S00] we t herefore obt ain a secure signat ure scheme and a secure blind signat ure scheme wit hst anding up t o poly-logarit hmically many concurrent signat ure request , bot h in t he random oracle model. Furt hermore, we derive a secure reset t able ident ificat ion prot ocol by t he general t ransformat ion present ed in [BFGM01]. As for furt her applicat ions, our result generalizes t he result by Halevi [H99] t hat two-round commit ment schemes does not only work wit h William int egers but rat her wit h any moduli. Also, plugging our result int o t he const ruct ions of [FF00,CKOS01], we conclude t hat effi cient non-malleable commit ment schemes can be const ruct ed under t he assumpt ion t hat fact oring is hard. In fact , our variat ion of t he prot ocols in [CKOS01] does not only base t he security on a milder assumpt ion, but also simplifies and improves t he scheme concerning comput at ional eff ort and communicat ion complexity. T he paper is st ruct ured as follows. In Sect ion 2 we formally st at e t he represent at ion problem based on fact oring and prove equivalence t o t he int ract ability ∗

t

1

Schnorr [S96,S97] claims t hat t he Ong-Schnorr prot ocol wit h short keys is secure against parallel at t acks for very special syst em paramet ers where a large power 2m divides p − 1 or q − 1 (e.g., m ≥ 25 for reasonable choices). Such primes form only a small subspace of all primes and may be much harder t o find. Moreover, alt hough we are not aware of any fact oring met hod t oday t aking advant age of t his property, such moduli are in principle more vulnerable t o improved fact oring procedures.

98

Marc F ischlin and Roger F ischlin

of fact oring large numbers. Sect ion 3 discusses applicat ions of t he represent at ion problem t o ident ificat ion and (blind) signat ures. In Sect ion 4 we deal wit h commit ment s and show how t o const ruct effi cient non-malleable commit ment schemes based on t he fact oring represent at ion problem.

2

R e p re s e n t a t io n P ro b le m

We st at e t he RSA and fact oring represent at ion problems formally in Sect ions 2.1 and 2.2, respect ively. In Sect ion 2.3 we prove t he equivalence of t he fact oring represent at ion problem t o t he fact oring problem. 2 .1

R S A R e p re s e n t a t io n P ro b le m

An RSA modulus N = pq is t he product of two dist inct primes p, q. A corresponding RSA exponent e = ± 1 mod ϕ ( N ) is relat ively prime t o Euler’s t ot ient funct ion ϕ ( N ) = ( p − 1)( q − 1) [RSA78]. We say t hat N is an n -bit modulus if n bit s are suffi cient and necessary for t he binary represent at ion of N , t hat is, if 2n 1 ≤ N < 2n . We presume t hat t here is an effi cient index generat or R S A I n d e x for t he represent at ion problem which, on input 1n , ret urns an n -bit RSA modulus N , a corresponding RSA exponent e and a random element g ∈ R ZZ N . Let ( N , e, g ) ← R S A I n d e x (1n ) denot e t he sampling process. An R S A represen tation for a value X ∈ ZZ N wit h respect t o a t uple ( N , e, g ) is a pair ( x , r ) wit h x ∈ ZZ e and r ∈ ZZ N such t hat −







X

= g x r e mod N .



Every X ∈ ZZ N has exact ly e represent at ions wit h respect t o ( N , e, g ), because for each x ∈ ZZ e t here is a unique r ∈ ZZ N such t hat r e = X g x mod N . We usually omit ment ioning t he reference t o ( N , e, g ) if it is clear from t he cont ext , and simply say t hat ( x , r ) is a represent at ion of X . ∗



D e fi n it io n 1 ( R S A R e p re s e n t a t io n P ro b le m ) . G iven ( N , e, g ) ← n ) return som e X ∈ ZZ ∗N as well as two diff eren t represen tation s ( x 1 , r 1 ) , ( x 2 , r 2 ) ∈ ZZ e × ZZ ∗N of X .

R S A I n d e x (1

In cont rast , t he ordinary RSA problem asks t o comput e t he e-t h root g 1 / e mod N given ( N , e, g ) ← R S A I n d e x (1n ). T his t ask is widely assumed t o be int ract able, i.e., no polynomial-t ime algorit hm solves t he RSA problem wit h more t han negligible success probability. T his implies t hat fact oring N , t oo, is believed t o be int ract able. Yet , it is an open problem if RSA is indeed equally hard as fact oring (see also [BV98] for a discussion). P rovided one can solve t he RSA problem, t hen t he RSA represent at ion problem becomes t ract able, e.g., for any r ∈ ZZ N bot h (0, r ) and (1, r g 1 / e mod N ) are represent at ions of X = r e mod N . T he converse holds as well [Ok92], and t he equivalence reveals t hat bot h problems can be solved wit h t he same success/ running t ime charact erist ics, neglect ing minor ext ra comput at ions (in t he ∗



T he Represent at ion P roblem Based on Fact oring

99

sequel we keep on disregarding t he eff ort for such addit ional minor comput at ions). 2 .2

F a c t o rin g R e p re s e n t a t io n P ro b le m

We next address t he fact oring represent at ion problem. We replace t he RSA exponent e by some power of 2. Namely, we subst it ut e e by 2τ + t where t describes t he bit lengt h of x ∈ ZZ 2 and t he int eger τ depends on t he prime fact orizat ion of t he modulus N ; we will explain t he choice and role of t his adjust ment paramet er τ lat er. T hen a represent at ion for X ∈ ZZ N wit h respect t o N = pq , g ∈ ZZ N and τ ≥ 0, t ≥ 1 is a pair ( x , r ) ∈ ZZ 2 × ZZ N such t hat t







t

X

= gx r 2

τ

+

t

mod N .

Apparent ly, given t he fact orizat ion of N one can easily come up wit h two diff erent represent at ions. T he converse does not hold in general: for example ( x , r ) and ( x , − r ) represent t he same X . Since we are mainly int erest ed in finding dist inct x -component s we t herefore call represent at ions ( x 1 , r 1 ) and ( x 2 , r 2 ) diff eren t or distin ct if and only if x 1 = x 2 . Observe t hat t his subsumes t he RSA case where dist inct x -component s imply diff erent r ’s and vice versa. Basically, t he RSA and t he fact oring represent at ion problem diverge concerning t he equivalence t o t he underlying number-t heoret ic assumpt ion because + of t he number of preimages of r e and r 2 , respect ively. For RSA paramet ers t he mapping r → r e mod N const it ut es a permut at ion on ZZ N . Squaring on ZZ N , however, is a 4:1 mapping for N = pq. Rest rict ing t he modulus t o a Blum int eger where p, q = 3 mod 4 squaring becomes a permut at ion on t he subgroup of quadrat ic residues N . More generally, for any odd modulus N wit h  QR r e prime fact orizat ion N = p i where p 1 , p 2 , . . . , p r are dist inct odd primes i= 1 and e1 , e2 , . . . , er ≥ 1, let η denot e t he smallest int eger such t hat 2η + 1 does not divide any ϕ ( p ei ). T hen squaring is a permut at ion on t he subgroup τ

t





i

i

HQR N := { x 2

η

|

x ∈

ZZ



N

}

= {x ∈

ZZ



N

|

ord N ( x ) is odd }

of t he “highest quadrat ic” residues, namely t he 2η -t h powers (see, for example, [S96,H99]): P ro p o s it io n 1 . For an y odd m odulus N squarin g is a perm utation on HQR N .

Squaring permut es t he 2k -t h powers for any k ≥ η for any odd n -bit modulus N . In ot her words, as long as k ≥ η , t he set of t he 2k -t h powers of t he element s in ZZ N is t he subgroup of element s wit h odd order. Since η ≤ n , even wit hout knowledge of η t he set HQR N is effi cient ly samplable by t aking a random element from ZZ N and raising it t o it s 2n -t h power. Wit h t he similarity of Blum int egers and QR N t o general moduli and HQR N we are ready t o st at e t he fact oring represent at ion problem t urning out t o be equivalent t o t he fact oring problem. But before, some words of clarificat ion about t he paramet er τ follow. Recall t hat a represent at ion for X is a pair ( x , r ) wit h ∗



100

Marc F ischlin and Roger F ischlin τ

+

t

= gx r 2 mod N . In t he following we demand t hat τ ≥ η − 1 and t hus τ may reveal some informat ion about t he fact ors of N . But because 1 ≤ η ≤ n we can easily guess t his informat ion wit h probability n1 , or, in case of Blum moduli for inst ance, t he fact η = 1 is publicly known anyway. In part icular, for Blum int egers we may set τ = 0 and t he represent at ion problem in t his case equals t he one st at ed by Damg˚ard [D95]. Let F a c t I n d e x denot e an effi cient index generat or t hat out put s an n -bit RSA modulus N , τ ≥ η − 1, t ≥ 1 and an independent ly chosen element g ∈ R HQR N for input 1n , and writ e ( N , τ , t , g ) ← F a c t I n d e x (1n ) for t he sampling process.

X

D e fi n it io n 2 ( F a c t o rin g R e p re s e n t a t io n P ro b le m ) . G iven ( N , τ , t , g ) ← n ) return som e X ∈ ZZ ∗N as well as two diff eren t represen tation s ( x 1 , r 1 ) , ( x 2 , r 2 ) ∈ ZZ 2 × ZZ ∗N of X , i.e., with x 1 = x 2 . F a c t I n d e x (1

t

An import ant observat ion for our ident ificat ion and commit ment prot ocols is t hat each X ∈ HQR N has exact ly 2t diff erent represent at ions. It follows t hat for + a random represent at ion ( x , r ) t he value X := g x r 2 mod N does not reveal anyt hing about t he specific x . τ

2 .3

t

F a c t o rin g R e p re s e n t a t io n P ro b le m a n d F a c t o rin g

Given t he fact orizat ion of N it is easy t o comput e a 2τ + t -t h root of g ∈ HQR N and t he corresponding represent at ion problem becomes t ract able. On t he ot her hand, by solving t he represent at ion problem one effi cient ly det ermines t he prime fact ors of N . Before we prove t his we present a t echnical lemma: L e m m a 1 . If a probabilistic algorithm solves the factorin g represen tation problem ( N , τ , t , g ) ← F a c t I n d e x (1n ) , then a 2τ + 1 -th root b ∈ ZZ ∗N of g can be com puted within the sam e tim e boun d an d sam e success probability.

P roof. Given two diff erent represent at ions ( x 1 , r 1 ) and ( x 2 , r 2 ) of some X

let ∆ x := x 1



x2



and r := r 2 r 1 g

∆ x

= gx 1



x2

1





ZZ

,

N

mod N where 0 < | ∆ x | < 2t . T hen

= r 22

τ

+

t



r1



+

t

= r2

τ

+

t

mod N .

(1)

Not ice t hat t he exponent s ∆ x and 2τ + t may not be relat ively prime. So suppose 2k = gcd( ∆ x , 2τ + t ) where 0 ≤ k < t . Comput ing u , v ∈ ZZ sub ject t o u ∆ x + v 2τ + t = 2k by applying t he ext ended Euclidean algorit hm we derive g

2k

= gu ∆

x

+

v



+

t

= (g∆ x )u · (gv )2

τ

+

t

= (r u gv )2

τ

+

t

mod N .

Since g ∈ HQR N and squaring permut es HQR N , t he value b := ( r u g v ) 2 a 2τ + 1 -t h root of g modulo N .

t −

k −

1

is ⊓⊔

We next prove t hat fact oring is reducible t o t he fact oring represent at ion problem: T h e o re m 1 . If a probabilistic algorithm solves the factorin g represen tation n problem ( N , τ , t , g ) ← F a c t I n d e x (1 ) with probability ǫ , then N can be factored within the sam e tim e boun d an d success probability at least 21 ǫ .

T he Represent at ion P roblem Based on Fact oring τ

101

+ 1

and set g := a 2 mod N which is uniformly dist ribut ed in HQR N . Based on Lemma 1 comput e some 2τ + 1 -t h root b of g . Let c := ab 1 mod N . T hen:

P roof. P ick a random a



R

ZZ



N



c



+ 1

η

= 1 = c2 mod N .

T he second equat ion follows from τ + 1 ≥ η and since squaring is a permut at ion on HQR N . We next consider t he equat ion modulo t he prime fact ors p, q of N . Suppose p − 1 = 2η p and q − 1 = 2η q for odd p , q , and t herefore η = max{ η p , η q } . Wlog. let η = η p . Because of η q ≤ η p = η we have p

c c

2η 2

η



= 1 mod p

q





= 1 mod q

c c





1

η



1

2



= σ

p

mod p

= σ

q

mod q

for some σ p , σ q ∈ { ± 1} 2 . To complet e t he proof we show t hat σ p σ q = − 1 holds wit h probability 12 , because in t hat case one of t he GCD comput at ions   1 gcd c2 ± 1, N yields t he fact orizat ion of N . Not e t hat c is uniformly dist ribut ed among t he 2η -t h root s of 1, because g does not reveal any informat ion about t he random root a we have act ually chosen, t hus t he element b det ermined by t he represent at ion finder’ s out put is independent of a . Hence, c mod p and c mod q are independent ly and uniformly dist ribut ed among t he 2η -t h root s of 1 modulo p and modulo q. Consequent ly, σ p and σ q are independent . 1 For half of t he 2η -t h root s w of 1 modulo p we have w 2 = 1 mod p and 1 ot herwise w 2 = − 1 mod p . Since c mod p is a random 2η -t h root of 1 modulo p , t he value σ p is uniformly dist ribut ed in { ± 1} . As σ p does not depend on σ q ⊓⊔ we have σ p σ q = − 1 wit h probability 21 . η



η

η





Figure 1 illust rat es t he proof idea of T heorem 1. T he root of each t ree is labeled wit h + 1. Descending from one node t o t he successors corresponds t o t aking a square root modulo t he prime p or q, e.g., in t he left t ree t he t ree’ s root + 1 has t he successors + 1 and − 1 as squaring is st ill a 2:1-mapping modulo p , whereas in t he right t ree η q < η p and squaring permut es HQR q , implying t hat t he t ree’ s root + 1 only has t he square root + 1. Hence, t he leaves in each t ree represent all 2η and 2η many 2η -t h root s of 1 modulo p and q, respect ively. T he pat h t o t he left most leaf in each t ree represent s t he 2η -t h root 1 of 1 modulo p and modulo q (1-path ). In t he proof we use t he represent at ion finder t o derive a random 2η -t h root c of 1 in ZZ N . T hus, t he values c mod p and c mod q each describe a random pat h t o some leaf in t he corresponding t ree ( c-path ), and each pat h is independent of t he ot her one. We are able t o find t he prime fact ors of N if and only if at some level k one of t he c-pat hs branches from t he 1-pat h whilst t he ot her one st ill follows t he 1-pat h. For example, in Figure 1 1 t his happens in t he marked nodes for k = η p − 1: t here we have c2 = 1 mod p p

q



k −

2

W hile bot h values for σ p may occur, if η q < η t hen we always have squaring is one-t o-one on HQR q and + 1 is t he unique square root . σ

q

= + 1 as

102

Marc F ischlin and Roger F ischlin + 1

✟❡  ✟ ✚ ❩ ❩ + 1 ✚ ✚ ❩  ✡ ❏ ✡ ❏ + 1 ✡ ❏  ✡ ❏  ✂❇ ✂❇ ✂❇ ✂❇ ✂ ❇  ✂ ❇  ✂ ❇  ✂ ❇  + 1

+ 1

+ 1

✟ ❍ ❍ ✟ ✟

✛ ❍ ❍

❍  1 ✛ ✚✚ ❩ ❩❩  ✚ ✡ ❏ ✡ ❏ ✡ ❏  ✡ ❏  ✂❇ ✂❇ ✂❇ ✂❇ ✂ ❇  ✂ ❇  ✂ ❇  ✂ ❇ 

η q





+ 1

+ 1

+ 1

✡ ✂❇

✡ ❏

✂ ❇ 

❡ ✚ ❩ ❩ ✚ ✚ ❏  ✂❇ ✂ ❇ 

F ig. 1 .

p

❩  ✡ ❏

✡



1

❏  ✂❇ ✂ ❇ 

✂❇

✂ ❇ 

+ 1

c

2η -t h root s of 1 modulo

k −





η p

c

2η -t h root s of 1 modulo

q

Fact oring via 2η -t h root of 1

1

but c2 = − 1 mod q and a GCD comput at ion yields t he prime fact ors of N . In fact , in t he proof of T heorem 1 we only check t he divergence of t he pat hs for k = η p = η . T herefore, except for Blum int egers, t he probability is act ually higher t hen 12 . T heorem 1 even holds for fixed g ∈ HQR N , given t hat τ ≥ η and some 2τ + 1 -t h root a ∈ / QR N of g wit h − a ∈ / QR N is publicly known. Besides t hat variant t he fact oring represent at ion problem gives rise t o ot her modificat ions and generalizat ions: 1. One may subst it ut e t he RSA modulus by an arbit rary odd int eger N . T hen t he algorit hm of T heorem 1 ret rieves a non-t rivial fact or of N . 2. T he problem can be relaxed such t is not given as part of t he out put of F a c t I n d e x , but t he represent at ion finder rat her get s t he freedom t o select an arbit rary t ≥ 1 on it s own aft er seeing ( N , τ , g ). Given two represent at ions 1 2 ( x 1 , r 1 , t 1 ) and ( x 2 , r 2 , t 2 ) where wlog. t 1 ≥ t 2 use r := r 2 r 1 2 for t he proof of Lemma 1. 3. One may replace 2τ + t by eτ + t for some e = O (log n ). In t his case, η denot es t he smallest int eger such t hat eη + 1 neit her divides p − 1 nor q − 1 and use e { x | x ∈ ZZ N } inst ead of HQR N . T he hardness is also based on fact oring as Oht o and Okamot o [OO88] have shown t hat t aking e-t h root s in t his case is equivalent t o fact oring N . −

η

3

t



t



Id e n t ifi c a t io n a n d S ig n a t u re S ch e m e s

In t his sect ion we show how t o repair Okamot o’ s ident ificat ion prot ocol [Ok92] obt aining a provably secure ident ificat ion scheme wit hst anding parallel act ive at t acks. Exploit ing t he relat ionship t o signat ure schemes via t he Fiat -Shamir heurist ic [FS86], we t hen show t hat t his ident ificat ion prot ocol can be used for ordinary as well as blind signat ures.

T he Represent at ion P roblem Based on Fact oring 3 .1

103

I d e n t ifi c a t io n S ch e m e

Our ident ificat ion prot ocol in Figure 2 follows t he framework of Okamot o [Ok92] for t he RSA set t ing, which in t urn is an ext ension of t he Guillou-Quisquat er set up [GQ88]. T he values ( N , τ , t , g ) ← F a c t I n d e x (1n ) are public paramet ers. T he public key of a user is X ∈ R HQR N and t he corresponding secret key is a random represent at ion ( x , r ) ∈ ZZ 2 × ZZ N of X . T he user is not required t o be aware of t he fact orizat ion of N and several users may share t he same public paramet ers N , τ , g (even wit h diff erent t ’s). T he prover P t ries t o convince t he verifier V t hat ∗

t

P r ov e r

represent at ion pick y ∈ R y 2 Y := g s

ZZ + τ

t

(N

P

of

x,r

X

,s∈ mod N

2τ +

R

t

X

W

:=

+

y

:=

c

sr g

F ig. 2 .

mod 2

cx ⌊

2

+ τ

t

mod

V

N

N

Y

−− − − − − − − − − − − − −→

c

− − − − − − − − − − − − −−

pick

c ∈

R

[0, 2t )

+ t τ

(y + cx )/ 2

x

g r

V er if ier



ZZ



z

=

, τ , t , g)

τ

+

t



mod

W,z

N

−− − − − − − − − − − − − −→

Y X

c

!

=

W

2

τ

+

t

g

z

Ident ificat ion Scheme using Fact oring Represent at ion P roblem

knows a represent at ion of X wit h respect t o ( N , τ , t , g ). In t he first st ep P sends an init ial commit ment Y t o V who answers wit h a challenge c ∈ R [0, 2t ), and P finally hands t he response W , z t o V which det ermines accept ance or reject ion. Obviously, t his prot ocol is complet e in t he sense t hat t he honest prover P always passes t he examinat ion of honest verifiers V . We show t hat t his ident ificat ion scheme is secure against act ive at t acks, i.e., where t he adversary A may run execut ions wit h t he honest prover before t rying t o impersonat e. But first we st art wit h passive at t acks in which t he adversary t ries t o int rude given t he public key only: P

L e m m a 2 . If a passive adversary A passes the iden tifi cation schem e in F igure 2 with tim e boun d T an d success probability ǫ , then the m odulus N can be factored in expected tim e O ( T ) with probability at least 14 ( ǫ − 2− t ) .

P roof. T he proofs follows t he one in [Ok92] for RSA. Let N = pq , τ , t and a random g ∈ R HQR N be given, i.e., ( N , τ , t , g ) ← F a c t I n d e x (1n ). We show how t o comput e wit h probability 21 ( ǫ − 2 t ) some 2τ + 1 -t h root of g wit h t he help of A . As a result , t he claim is a consequence of T heorem 1. P ick x ∈ R ZZ 2 and r ∈ R ZZ N . Next , simulat e an at t ack of A for N , t , g, X := + gx r 2 mod N . Aft er A has sent W , z rewind t o t he sit uat ion where A faces t he challenge. By t his, we obt ain in expect ed t ime O ( T ) wit h probability ǫ − 2 t two −



t

τ

t



104

Marc F ischlin and Roger F ischlin

successful int rusion at t empt s in which A has sent t he same Y but has answered wit h W , z and W , z t o diff erent challenges c, c . T hen ′

X







c

W



z

+



t

g

z

c



= Y = X



(W )2 ′

τ

+

t

g

z



mod N

or, rewrit t en, g

z



+

x

(c′

c)



= (r c





c

W



1

W



)2

τ

+

t

mod N

(2)

Let ∆ z := z − z and ∆ c := c − c. Now we have an equat ion similar t o Equat ion (1) in t he proof of Lemma 1. If gcd( ∆ z + x ∆ c, 2τ + t ) = 2k for some k < t , t hen we are able t o ret rieve some 2τ + 1 -t h root of g . To complet e t he proof it t hus suffi ces t o give an upper bound of 21 for t he probability t hat t he GCD exceeds 2t 1 . Obviously, ′





gcd( ∆ z + x ∆ c, 2τ

+

t

)



2t ⇐

x ·∆c ⇒

=



mod 2t .

∆z

Whenever t his modular equat ion is solvable, t hen for fixed ∆ c, ∆ z t he number of solut ions for x equals 2j := gcd( ∆ c, 2t ) where 0 ≤ j < t because 0 < | ∆ c | < 2t . Observe t hat in t he act ual prot ocol execut ion t he select ion of t he paramet ers ∆ c, ∆ z for t he equat ion is done after t he variable x has been chosen. But ∆ c is dist ribut ed independent ly of x because t he challenges are simply picked at random, and t he dist ribut ion of t he adversary’s choice z , z for ∆ z does not depend on x eit her since t he public key X does not reveal anyt hing about t he specific choice of x . T herefore, we can view t he process as first fixing ∆ c, ∆ z and t hen picking x ∈ ZZ 2 at random. But t hen t he probability t hat t he random x mat ches t he equat ion is bounded above by 2j t . From j < t it follows t hat t his ⊓⊔ probability is at most 21 . ′

t



Not e t hat t his approach fact ors N but unlike t he corresponding RSA based scheme it does not ext ract a represent at ion of t he prover. Hence, once more we have a secure ident ificat ion prot ocol which does not const it ut e a proof of knowledge in t he sense of Bellare and Goldreich [BG92]. See [OS90,S96,Sh99] for ot her examples. In order t o prove security against act ive adversaries, we follow t he approach in [Ok92] and show t hat even execut ions wit h t he prover before t he int rusion at t empt do not disclose any informat ion about x (called wit ness-indist inguishability [FS90]): L e m m a 3 . T he protocol in F igure 2 is perfectly witn ess-in distin guishable.

P roof. We have t o just ify t hat even in t he case of a dishonest verifier V t he view (i.e., t he dist ribut ion of t he communicat ion Y , c, W , z ) is independent of t he represent at ion act ually known by t he prover P . We show t hat for any communicat ion ( Y , c, W , z ) of an execut ion of V wit h P , anot her prover P knowing anot her represent at ion ( x , r ) of X generat es t his communicat ion wit h t he same probability in an execut ion wit h V . ′





T he Represent at ion P roblem Based on Fact oring τ

+

t

105

Let ∆ x := x − x and ∆ r = r / r mod N . Since r 2 = X g x we have 2 + ∆ x ∆r = g . Assume t hat ( Y , c, W , z ) is a t ranscript of a communicat ion wit h P having chosen y , s at t he out set . T he probability t hat P picks y := y − c · ∆ x mod 2τ + t and s := s · ∆ r c mod N in t he first st ep is exact ly t he same as for P choosing y , s ; bot h t imes t he values are uniformly dist ribut ed. For t his choice of y , z we have Y = Y , and t herefore V ret urns t he challenge c = c wit h equal probability in bot h execut ions. Now, W , z and W , z are det erminist ically det ermined by t he secret key, t he challenge and t he random values from t he first st ep, and it is easily shown t hat ( W , z ) = ( W , z ) here. Hence, t he probability t hat a run wit h P generat es ( Y , c, W , z ) equals t he one for P . T his complet es t he proof. ⊓⊔ ′

τ





t

























It follows t hat t he ident ificat ion scheme is also secure against act ive at t acks: T h e o re m 2 . If an active adversary A passes the iden tifi cation schem e in F igure 2 with tim e boun d T an d success probability ǫ , then the m odulus N can be factored in expected tim e O ( T ) with probability at least 41 ( ǫ − 2− t ) .

P roof. Given N , t , g pick a random secret key ( x , r ) and simulat e an at t ack τ

+

t

on N , t , g and t he public key X := g x r 2 mod N . T his includes several int eract ions of A wit h t he prover before t rying t o fool t he verifier. But we can easily run t hese prover-adversary execut ions as we know t he secret key. Due t o t he wit ness-indist inguishability, t hese execut ions st ill hide x perfect ly, and t he argument of Lemma 2 applies. ⊓⊔ A

T he proposit ion even holds if t he adversary is allowed t o run concurrent execut ions wit h t he prover. Hence, t he scheme can be t urned int o one secure against reset at t acks under t he fact oring assumpt ion; for det ails see [BFGM01]. 3 .2

S ig n a t u re S ch e m e s

T he ident ificat ion scheme in Figure 2 gives rise t o a signat ure scheme secure against chosen-message at t acks [GMR88] using t he Fiat -Shamir heurist ic. T he challenge is generat ed by applying a hash funct ion H t o t he message and t he init ial commit ment of t he prover. More specifically, publish ( N , τ , t , g ) as public paramet er, X as public key and use t he represent at ion ( x , r ) as t he secret key of t he signer S . In order t o sign a message m pick y ∈ R ZZ 2 + and s ∈ R ZZ N + at random, calculat e Y := g y s 2 mod N , c := H ( Y , m ) and comput e z , W as in t he case of t he ident ificat ion scheme. T he signat ure t o m becomes σ ( m ) := ( Y , W , z ). Verificat ion is st raight forward. P rovided t he hash funct ion H behaves like a random funct ion, t hen even wit h t he help of an signat ure oracle any adversary fails t o come up wit h a valid signat ure for a new message of his own choice [P S00, Sec. 3.2]: ∗

τ

τ

t

t

P ro p o s it io n 2 . In the R an dom O racle M odel the sign ature schem e based on the factorin g represen tation problem is secure again st existen tially forgery un der adaptive chosen -m essage attacks relative to the hardn ess of factorin g.

106

Marc F ischlin and Roger F ischlin

Sign er

represent at ion pick y ∈ R y 2 Y := g s

ZZ + τ

x,r

(N

S

of

,s∈ mod N

X

2τ +

t

ZZ

R

t

x

=

X

, τ , t , g)

g r

2

+ τ

t

U se r

mod

U

N



N

Y

pick α , γ ∈ R ZZ 2 + pick β ∈ R ZZ N + α 2 γ Y := Y g β X c := H ( Y , m ) ∈ ZZ 2 τ + t c := c + γ mod 2 set c such t hat τ + t c+ γ = c + 2 c

−− − − − − − − − − − − − −→

τ

t



τ



t



t



′ ′



z



W

:= ′

y

:=



+ sr

mod 2

c x c



g



τ



c



− − − − − − − − − − − − −−

′ ′

+ t



(y + c x )/ 2

+ τ

t







W ,z

(N )

!



τ

+

t



z = (W )2 g τ + t z := z − α mod 2 set z such t hat τ + t z + α = z + 2 z z c W := W β g X (N ) c

Y X

−− − − − − − − − − − − − −→





′ ′



′ ′



c



T hen

Y X

=

W

2

+ τ

t

g

′ ′

′ ′

z

Blind Signat ure Scheme using Fact oring Represent at ion P roblem

F ig. 3 .

An import ant variant of signat ures schemes are blind signat ures. In t his case, t he user U blinds t he act ual message m and request s a signat ure from t he signer S , which U lat er t urns int o a valid signat ure for t he message m while t he signer S cannot infer somet hing about m . In a “one-more” forgery t he adversary A t ries t o generat e one more signed message t han A originally request ed from t he signer S [P S00]. For example, in t he ecash set t ing where messages signed by t he bank represent anonymous digit al coins, U cannot spent more money t han U has act ually wit hdrawn from t he bank. T he blind signat ure scheme based on t he fact oring problem is given in Figure 3; it is heavily influenced by t he discret e-log and RSA prot ocols of Point cheval and St ern [P S00]. In t he first st ep, t he signer S commit s t o Y . T hen t he user U + blinds Y by mult iplying wit h g α β 2 X γ for random values α , β , γ . T he act ual challenge c ∈ ZZ 2 is hidden by c := c + γ ∈ ZZ 2 + . S replies t he challenge by + sending W , z sub ject t o Y X c = ( W ) 2 g z . Now, U undoes t he blinding and finally ret rieves t he signat ure σ ( m ) := ( Y , W , z ): τ

t



t



τ





τ



t

t





W



+

t

g

z

′ ′

= (W β gz X ′

= YX

c



′ ′

c

′ ′

(β gz X

)2 c

′ ′

τ

+

t

z



g g τ

)2

+

t

z

z

g

z





z





= YX

c+ γ

β



+

t

g

α

= Y X c. ′

T he scheme is perfect ly blind as ( Y , c , W , z ) and ( Y , c, W , z ) are independent ly dist ribut ed. Security follows as in [P S00]: ′







T he Represent at ion P roblem Based on Fact oring

107

T h e o re m 3 . In the R an dom O racle M odel the blin d sign ature schem e based on the factorin g represen tation problem is secure again st a “on e-m ore” forgery un der a parallel attack ( where up to poly-logarithm ic sign ature gen eration s are executed con curren tly) relative to the hardn ess of factorin g.

Not e t hat t his scheme is provable secure against int erleaving at t acks meanwhile t he one based on t he Ong-Schnorr ident ificat ion is only known t o be secure against sequent ial at t acks [P S97].

4

C o m m it m e n t S ch e m e s

A commit ment scheme is a prot ocol of t hree st ages (init ializat ion, commit ment and decommit ment ) between t o part ies called t he sender S and t he receiver R . In t he commit ment st age S binds himself t o a message m by sending a commit ment meanwhile t he receiver R cannot deduce any informat ion about m . Lat er, t he sender S reveals m and R checks whet her t his message indeed mat ches t he commit ment . 4 .1

N o n - in t e ra c t iv e C o m m it m e n t S ch e m e

In t his sect ion we set up a commit ment scheme based on t he fact oring represent at ion problem following t he well-known scheme derived from t he RSA represent at ion problem and generalizing Halevi’ s scheme [H99]. Assume for t he moment t hat a t rust ed t hird party select s a valid inst ance ( N , τ , t , g ) ← F a c t I n d e x (1n ) for t he fact oring represent at ion problem and publishes it ; we aft erwards discuss how t o delegat e t his t ask t o t he receiver. In any case, S must not know t he fact orizat ion of N . To commit t o a message m ∈ ZZ 2 , t he sender S picks a random r ∈ R ZZ N and sends t



com( m , r ) := g m r 2

τ

+

t

mod N

(3)

t o t he receiver R . For t he decommit ment , S reveals t he commit ed message m and t he random value r . T he receiver R verifies t hat ( m , r ) is indeed a represent at ion of com( m , r ). If we let t he receiver inst ead choose ( N , τ , t , g ) ← F a c t I n d e x (1n ) and send it t o S in t he first st ep, t hen t here is no guarant ee t hat a malicious receiver does not select inproper values like g ∈ / HQR N or τ < η − 1. To prevent t his we t ake τ := n and use a met hod suggest ed in [H99] t o make sure t hat g really is an element from HQR N , even if N is not t he product of two primes. Namely, let t he sender verify t hat N is odd and raise g t o t he 2n -t h power first . S t hen t ransmit s   com( m , r ) := g 2 n

m

 r

2n



2t +

n

n

= gm 2 r 2

2n +

t

mod N

(4)

Given fact oring N is int ract able, t hen T heorem 1 implies t hat S cannot come up t he a diff erent represent at ion of com( m , r ), in eit her case (3) or (4). Hence, a commit ment is comput at ionally binding and S cannot ambiguously open t he

108

Marc F ischlin and Roger F ischlin

commit ment . On t he ot her hand, t he dist ribut ion of com( m , r ) ∈ HQR N is independent of t he message m , t hat is, even a comput at ionally unbounded malicious receiver R is unable t o deduce any informat ion about m given only t he commit ment . To summarize: P ro p o s it io n 3 . T he factorin g represen tation com m itm en t schem e (3) respectively (4) has the followin g properties:

1. C om putation al un am biguity relative to the hardn ess of factorin g. 2. P erfect privacy.

We compare t his commit ment scheme wit h t he one int roduced by Halevi [H99]. To commit t o a message m ∈ ZZ 2 wit h a t rust ed set up mechanism providing a correct N pick at random r ∈ R ZZ N and publish t



com( m , r ) := 4m r 2

t

+ 1

mod N

(5)

for a William int eger N , i.e., an RSA modulus N = pq wit h p = 3 mod 4 and q = 7 mod 8. T he binding property relat ive t o t he hardness of fact oring N can be proven in a direct way [H99]. Alt ernat ively one may apply T heorem 1. We have η = 1, τ := η and 4 ∈ HQR N because it s square root (+ 2, − 2) ∈ QR p × QR q is a square, t oo. As ± 2 ∈ QR N , t he adversary has t o comput e some ot her square root of 4 yielding t he fact orizat ion of N . 4 .2

N o n - m a lle a b le C o m m it m e n t S ch e m e

Roughly speaking a commit ment scheme is non-malleable if for any adversary A seeing t he commit ment of an honest sender S t o an unknown message m it is infeasible t o commit t o a relat ed (but diff erent ) message m . Depending on t he level of security, t he adversary may also be obliged t o provide a valid decommit ment aft er having learned t he decommit ment of S (called non-malleability wit h respect t o opening). See [DDN00,FF00] for det ails. Fischlin and Fischlin [FF00] and Di Crescenzo et al. [CKOS01] present efficient non-malleable commit ment schemes based eit her on t he discret e-log or t he RSA assumpt ion. All prot ocols work in t he public paramet er model, where public dat a like an RSA modulus N and a value g ∈ ZZ N are published by a t rust ed party. Also, bot h solut ions apply so-called t rapdoor or equivocable commit ment s: knowledge of a secret informat ion, t he t rapdoor, enables t o open a given commit ment wit h any message lat er on. For inst ance, for RSA an e-t h root of g allows t o fake commit ment s. Here, in case of t he fact oring represent at ion commit ment scheme (3), a 2τ + t -t h root h of g ∈ HQR N provides a t rapdoor, + because a commit ment g m r 2 can be opened for m by t ransmit t ing m and m m r := h r mod N . We discuss how t o modify t he non-malleable commit ment s schemes based on t he RSA represent at ion problem [FF00,CKOS01] t o derive non-malleable commit ment s schemes as secure as fact oring. Fischlin and Fischlin [FF00] present int eract ive schemes t hat work wit h t he RSA represent at ion problem, one t ime ∗



τ







t





T he Represent at ion P roblem Based on Fact oring

Sen d er

g, h 0 , h 1 ∈

message

m ∈

ZZ

(· ) HQR N

R e ce i v e r

N , τ , t, H

S

109

R

2t

commitment: ∗

pick r , s ∈ R ZZ N + m 2 X := g r mod N x := H ( X ) + 2 x m 2 M := ( h 0 h 1 ) s mod τ

t

τ

t

N

x,M

−− − − − − − − − − − − − −→

decommitment: m , r, s

−− − − − − − − − − − − − −→

X

:=

check M

F ig. 4 .

!

g

m

x

r !

=

2

τ

+

H

t

mod

N

,

( X ),

= ( h x0 h 1 ) m

s

2

τ

+ 2t

mod

N

Non-Int eract ive Non-Malleable Commit ment Scheme

using st andard proofs of knowledge, t he ot her t ime wit h a more sophist icat ed variant based on t he Chinese Remainder T heorem. We cannot plug in t he fact oring represent at ion problem int o t he proof-of-knowledge-based approach as t he prot ocol given in Figure 2 does not const it ut e a proof of knowledge. However, we can use t he Chinese Remainder T heorem prot ocol wit h t he fact oring represent at ion problem inst ead of t he RSA problem. By t his, we obt ain a non-malleable commit ment scheme wit h st at ist ical privacy. Det ails are omit t ed. T he non-int eract ive scheme in [CKOS01] achieves a weaker not ion of nonmalleability t han t he one in [FF00], where t he adversary does not have any side informat ion about t he message m of S . In Figure 4 we present a modificat ion of t heir RSA prot ocol which is based on t he fact oring represent at ion problem. Surprisingly, alt hough t his modificat ion works under a pot ent ially weaker assumpt ion t han RSA, it is even more effi cient t han t he RSA prot ocol in [CKOS01]. In fact , t ransferring our prot ocol t o t he RSA or discret e-log represent at ion problem set t ing also improves t hese prot ocols in [CKOS01] wit h respect t o comput at ional and communicat ion complexity. Basically, we let t he sender commit twofold t o t he message m : one t ime by X wit h t he st andard fact oring represent at ion problem, t he ot her t ime by M wit h a base where t he hash value of t he former commit ment ent ers (and for which we use τ + 2t rat her t han τ + t , see below). For t his, let H : HQR N → ZZ 2 be some universal one-way hash funct ion [NY90] wit h which we hash down X ∈ ZZ N t o x ∈ ZZ 2 . In case of t ≥ n one may eliminat e t he hash funct ion by using X as exponent x . t



t

T h e o re m 4 . T here exists ( effi cien t) com m itm en ts schem es with the followin g properties relative to the hardn ess of factorin g:

110

Marc F ischlin and Roger F ischlin

1. N on -m alleable with respect to open in g. 2. C om putation ally bin din g. 3. S tatistical privacy ( an d perfect privacy for the schem e in F igure 4) .

We out line t he non-malleability proof for t he non-int eract ive commit ment scheme given in Figure 4. T he definit ion of non-malleability essent ially requires t hat for any adversary t hat is given a commit ment of t he sender and generat es anot her commit ment for which it is also able t o adapt t he sender’ s opening t o one of a relat ed message, t here is a simulat or t hat is almost as successful but wit hout int eract ing wit h t he sender at all. We briefly recall t he proof met hod in [CKOS01]. T here, t he simulat or prepares a commit ment on behalf t he original sender which includes a t rapdoor. T he simulat or submit s it t o t he adversary who answers wit h it s commit ment . T hen t he simulat or samples a suffi cient number of random messages and sequent ially opens t he t rapdoor commit ment (by adapt ing t he decommit ment wit h t he t rapdoor accordingly). By t his, t he adversary reveals wit h suffi cient ly high probability a valid opening for it s commit ment t o som e message. T he probability t hat t he adversary finds diff erent valid openings is negligible under t he discret e-log or RSA assumpt ion, hence, t he simulat or ext ract s the message of t he adversary t hat is relat ed t o t he original message of t he sender. In our case, given a commit ment ( x , M ) for some unknown message m , t he adversary A t ries t o commit t o a relat ed but diff erent message m by sending ( x , M ). We first condit ion on t he event t hat t he adversary select s x = x . Assume t owards cont radict ion t hat t he adversary succeeds in an act ual at t ack by sending x = x wit h not iceable probability. For simplicity, we presume t hat + t he sender’s value X := g m r 2 mod N equals t he adversary’s choice X := + mod N ; ot herwise we find a collision for t he universal one-way hash gm (r )2 funct ion H . But t hen t he decommit ment st ep yields dist inct represent at ions of X and t his allows t o effi cient ly solve t he fact oring represent at ion problem wit h not iceable success. We may t hus consider only t he adversary’s success on values x = x wit hout sacrificing more t han a negligible probability. It remains t o describe t he t rapdoor in our scheme t o apply t he t echnique of [CKOS01]. Given ( N , τ , t , h 0 ) ← F a c t I n d e x (1n ) select a universal one-way hash + + + + 2 funct ion H and define M := s 2 , X := r 2 , g := u 2 , h 1 := h 0 x v 2 for random r , s, u , v ∈ R ZZ N and x := H ( X ). Take ( N , τ , t , H , g, h 0 , h 1 ) as public paramet ers and send ( x , M ) on behalf of t he honest sender. + 2 For t he dat a in t he simulat ion we know a 2τ + 2 t -root v of h x0 h 1 = v 2 . T his, τ + t t oget her wit h t he 2 -t h root of X , enables us t o correct ly open t he commit ment ( x , M ) wit h any message lat er. In cont rast , even if we know t he t rapdoor, t he adversary will not be able t o find dist inct openings for it s commit ment since, by assumpt ion, x = x . T he reason for t his is t hat any valid decommit ment s of t he adversary including ( m 1 , r 1 ), ( m 2 , r 2 ) for M imply t hat ∗









τ





τ

t



t



τ

t

τ

t

τ

t

τ



t



τ











( h x0 h 1 ) m 1 ( r 1 ) 2 ∗

and, subst it ut ing h 1 = h 0 x v 2 −





τ

τ

+ 2t

+ 2t

,

= M









= ( h x0 h 1 ) m 2 ( r 2 ) 2 ∗

τ

+ 2t

t

T he Represent at ion P roblem Based on Fact oring (x

h0





x

)m



1



(v m 1 r j )2

τ

+ 2t

= M





(x

= h0



x

)m



2



(v m 2 r 2 )2 ∗

τ

111

+ 2t

.

Since x − x = 0 and bot h product s wit h m 1 = m 2 are less t han 22 t t his result s in diff erent represent at ions wit h x -component s ( x − x ) m 1 , ( x − x ) m 2 ∈ ZZ 2 2 for M . T he probability t hat t his happens is t herefore negligible under t he fact oring assumpt ion. Wit h t hese preliminaries t he rest of t he proof is t he same as in [CKOS01]. ∗













t



A ck n o w le d g m e n t s T his work has been st imulat ed by discussions wit h St efan Brands at Crypt o 2000 about t he fact oring based represent at ion problem ment ioned in his Eurocrypt ’97 paper. We also t hank t he anonymous reviewers for t heir comment s.

R e fe re n c e s BFGM01. M. Bellare, M. Fischlin, S. Goldwasser and S. Micali: I dentification Protocols Secure Against Reset Attacks, Eurocrypt 2001, Lect ure Not es in Comput er Science, vol. 2045, pp. 495–511, Springer Verlag, 2001. BG92. M. Bellare and O. Goldreich: On Defining Proofs of K nowledge, Crypt o ’ 92, Lect ure Not es in Comput er Science, vol. 740, pp. 390–420, Springer Verlag, 1993. BR93. M. Bellare and P. Rogaway: Random Oracles are Practical: a Paradigm for Designing Effi cient Protocols, F irst ACM Conference on Comput er and Communicat ion Security, ACM P ress, pp. 62–73, 1993. B97. S. Brands: Rapid Demonstration of Linear Relations Connected by Boolean Operator s, Eurocrypt ’ 97, Lect ure Not es in Comput er Science, vol. 1233, pp. 318–333, Springer-Verlag, 1997. ´peau: Minimum Disclosure Proofs BCC88. G. Brassard, D. Chaum and C. Cre of K nowledge, J ournal Comput ing Syst em Science, vol. 37(2), pp. 156–189, 1988. BV98. D. Boneh and R. Venkatesan: Breaking RSA may Not be Equivalent to Factor ing, Eurocrypt ’ 98, Lect ure Not es in Comput er Science, vol. 1403, pp. 59–71, Springer Verlag, 1998. CKOS01. G. Di Crescenzo, J. Katz, R. Ostrovsky and A. Smith: Effi cient And Non-I nteractive Non-Malleable Commitment , Eurocrypt 2001, Lect ure Not es in Comput er Science, vol. 2045, pp. 40–59, Springer Verlag, 2001. D95. I. Damg˚ ard: Practical and Provable Secure Release of a Secret and Exchange of Signature, J ournal of Crypt ology, vol. 8, pp. 201–222, 1995. DDN00. D. Dolev, C. Dwork and M. Naor: Nonmalleable Cr yptography, SIAM J ournal on Comput ing, vol. 30(2), pp. 391-437, 2000. F F S88. U. Feige,A. Fiat and A. Shamir: Zero-K nowledge Proofs of I dentity, J ournal of Crypt ology, vol. 1(2), pp. 77–94, 1988. F S86. A. Fiat and A. Shamir: How to Prove Your self: Practical Solutions to I dentification and Signature Schemes, Crypt o ’ 86, Lect ure Not es in Comput er Science, vol. 263, Springer-Verlag, pp. 186–194, 1986.

112

Marc F ischlin and Roger F ischlin

F S90.

F F 00.

GQ88.

GMR88.

H99. NY90.

OS90.

OO88.

Ok92.

P S97.

P S00. RSA78.

S96.

S97.

Sh99.

A. Fiat and A. Shamir: Witness I ndistinguishable and Witness Hiding Protocols, P roceedings of t he 22n d Annual ACM Symposium on t he T heory of Comput ing (ST OC), pp. 416–426, ACM P ress, 1990. M. Fischlin and R. Fischlin: Effi cient Non-Malleable Commitment Schemes, Crypt o 2000, Lect ure Not es in Comput er Science, vol. 1880, pp. 414–432, Springer Verlag, 2000. L.C. Guillou and J.-J. Quisquater: A Practical Zero-K nowledge Protocol Fitted to Secur ity Microprocessor s Minimizing Both Transmission and Memor y, Eurocrypt ’ 88, Lect ure Not es in Comput er Science, vol. 330, pp. 123–129, Springer Verlag, 1988. S. Goldwasser, S. Micali and R.L. Rivest: A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks, SIAM J ournal of Comput ing, vol. 17(2), pp. 281–308, 1988. S. Halevi: Effi cient Commitment Schemes with Bounded Sender and Unbounded Receiver , J ournal of Crypt ology, vol. 12(2), pp. 77–90, 1999. M. Naor and M. Yung: Univer sal Oneway Hash Functions and T heir Cr yptographic A pplications, P roceedings of t he 21s t Annual ACM Symposium on t he T heory of Comput ing (ST OC), pp. 33–43, ACM P ress, 1989. H. Ong and C.P. Schnorr: Fast Signature Generation with as FiatShamir -Like Scheme, Eurocrypt ’ 90, Lect ure Not es in Comput er Science, vol. 473, pp. 432–440, Springer Verlag, 1991. K. Ohta and T. Okamoto: A Modification of the Fiat-Shamir Scheme, Crypt o ’ 88, Lect ure Not es in Comput er Science, vol. 403, pp. 232–243, Springer Verlag, 1989. T. Okamoto: Provable Secure and Practical I dentification Schemes and Cor responding Signature Schemes, Crypt o ’ 92, Lect ure Not es in Comput er Science, vol. 740, pp. 31–53, Springer Verlag, 1993. D. Pointcheval and J. Stern: New Blind Signatures Equivalent to Factor ization, P roceedings of t he 4t h ACM Conference on Comput er and Communicat ions Security (CCS) ’ 97, pp. 92-99, ACM P ress, 1997. D. Pointcheval and J. Stern: Secur ity Arguments for Digital Signatures and Blind Signatures, J ournal of Crypt ology, vol. 13(3), pp. 361–396, 2000. R.L. Rivest, A. Shamir and L. Adleman: A Method for Obtaining Digital Signatures and Public-K ey Cr yptosystems, Communicat ions of t he ACM, vol. 21, pp. 120–126, 1978. C.P. Schnorr: Secur ity of 2t -Root I dentification and Signatures, Crypt o ’ 96, Lect ure Not es in Comput er Science, vol. 1109, pp. 143–156, Springer Verlag, 1996. C.P. Schnorr: Er ratum: Secur ity of 2t -Root I dentification and Signatures, in Crypt o ’ 97, Lect ure Not es in Comput er Science, vol 1294, page 540, Springer Verlag, 1997. V. Shoup: On the Secur ity of a Practical I dentification Scheme, J ournal of Crypt ology, vol. 12, pp. 247–260, 1999.

T he Represent at ion P roblem Based on Fact oring

A

113

O n O ka m o t o ’ s Id e n t ifi c a t io n S ch e m e

Okamot o [Ok92] present s wit ness-indist inguishable ident ificat ion schemes based on t he hardness of discret e log and RSA. In t he same paper he also suggest s t he modified RSA scheme given in Figure 5. Compared t o t he RSA based scheme t he prime RSA exponent is replaced by 2e for some prime e.

P r ov e r

represent at ion

x,r

pick y ∈ ZZ 2 e , s y 2e Y := g s mod

of

X

X

N

W

:=

y

:=

+

cx c

sr g



x

g r

2e

mod

N

Y

N

−− − − − − − − − − − − − −→ ←

z

=

V



ZZ ∈

V er if ier

N , e, g

P

c

− − − − − − − − − − − − −−

pick

c ∈

R

[0, 2e )

mod (2e ) (y + cx )/ 2e⌋

F ig. 5 .

mod

N

W,z

Y X

−− − − − − − − − − − − − −→

c

!

=

W

2e

g

z

Okamot o’ s Ident ificat ion Scheme

Okamot o claims t hat t he security is based on t he hardness of fact oring t he modulus N . However, we show t hat t he security de fact o relies on t he RSA problem rat her t han on t he fact oring problem. Namely, we show t hat comput ing e-t h root s enables an adversary t o pass t he prot ocol wit h probability 12 . Suppose we are given g ∈ QR N and t he public key X . Hence, X ∈ QR N . 1 Now, pick x ∈ R ZZ 2 e and comput e r 2 = ( X g x ) by solving t he RSA problem. Apparent ly, ( x , r ) is a represent at ion for X = g x r 2 e but we are just aware of x and t he square r 2 . Nevert heless, we are able t o comput e z := y + cx mod 2e and whenever t he challenge c is even t hen knowledge of r 2 suffi ces t o det ermine W : −

W

= sr c g ⌊

(y +

cx

)/ 2e⌋

e

c

= s(r 2 ) 2 g ⌊

(y +

cx

)/ 2e⌋

.

T hus, solving t he RSA problem allows t o pass t he prot ocol wit h probability 1 since t he challenge is even wit h t his probability. Whenever g ∈ / QR N , one 2 2 comput es r 4 = ( X g x ) and succeeds if t he challenge sat isfies c = 0 mod 4. It is t empt ing t o rest rict t he challenge c t o odd values. St ill, we are not aware of any proof in t his case (e.g., we were unable t o modify t he proof of Lemma 2 about security against passive adversaries t o work in t his case). −

e

C ip h e rs w it h A rb it rary F in it e D o m ain s J ohn Black1 and P hillip Rogaway2 1

Dept . of Comput er Science, University of Nevada, Reno NV 89557, USA [email protected], http://www.cs.unr.edu/˜jrb 2 Dept . of Comput er Science, University of California at Davis, Davis, CA 95616, USA [email protected], http://www.cs.ucdavis.edu/˜rogaway

We explore t he problem of enciphering members of a finit e set M where k = | M | is arbit rary (in part icular, it need not be a power of two). We want t o achieve t his goal st art ing from a block cipher (which requires a message space of size N = 2n , for some n ). We look at a few solut ions t o t his problem, focusing on t he case when M = [0, k − 1]. We see ciphers wit h arbit rary domains as a wort hwhile primit ive in it s own right , and as a pot ent ially useful one for making higher-level prot ocols. A b st ra c t .

K e y w o rd s:

Ciphers, Modes of Operat ion, P rovable security, Symmet ric

Encrypt ion.

1

Int ro d u ct io n

A Motivating Example. Consider t he following problem: a company wishes t o generat e dist inct and unpredict able t en-digit credit -card numbers. One way t o accomplish t his involves keeping a hist ory of all previously-issued numbers. But t he company wishes t o avoid st oring a large amount of sensit ive informat ion. Anot her approach is t o use some block cipher E under a randomly-select ed key K and t hen issue credit -card numbers E K (0) , E K (1) , · · · . But t he domains of cont emporary block ciphers are inconvenient for t his problem: t his company needs dist inct numbers in [0, 101 0 − 1] but block cipher have a domain [0, 2n − 1] for some n such as 64 or 128. Is t here an elegant solut ion t o t his problem? Enciphering with Arbitrary Domains. More generally now, we have good t ools—block ciphers—t o encipher point s when t he message space M is st rings n of some part icular lengt h, M = { 0, 1} . But what if you want t o encipher a number between one and a million? Or a point in Z N or Z N , where N is a 1024-bit number? Or a point from some ellipt ic-curve group? T his paper looks n at t he quest ion of how t o const ruct ciphers whose domain is n o t { 0, 1} . T hat is, we are int erest ed in how t o make a cipher which has some desired but “weird” domain: F : K × M → M where K is t he key space and M is t he finit e message space t hat we have in mind. A t ool from which we may st art our n n const ruct ion is a block cipher: a map E : K × { 0, 1} → { 0, 1} where K is t he key space and n is t he block lengt h. A solut ion t o t his problem immediat ely solves t he credit -card problem: for a block cipher F : K × [0, 101 0 − 1] → [0, 101 0 − 1], t he ∗



B . P r e n e e l ( E d . ) : C T -R S A 2 0 0 2 , L N C S 2 2 7 1 , p p . 1 1 4 – 1 3 0 , 2 0 0 2 .  c S p r in g e r -Ve r la g B e r lin H e id e lb e r g 2 0 0 2



Ciphers wit h Arbit rary F init e Domains

115

company chooses a random K ∈ K and issues t he (dist inct ) credit -card numbers F K (0) , F K (1) , F K (2) , . . . , F K ( i ), and has only t o remember t he last i value used. Measuring Success. We would like t o make clear right away what is t he security goal t hat we are aft er. Let ’ s do t his by way of an example. Suppose t hat you want t o encipher numbers between one and a million: M = [1, 106 ]. Following [7,2], we imagine two games. In t he first game one chooses a random key K from K and hands t o an adversary an oracle E K ( · ). In t he second game one chooses a random permut at ion π on [1, 106 ] and hands t he adversary an oracle for π ( · ). T he adversary should be unable t o dist inguish t hese two types of oracles wit hout spending a huge amount of t ime. Not e t hat t he domain is so small t hat t he adversary might well ask for t he value of t he oracle f ( · ) ∈ { E K ( · ) , π ( · ) } at e v e r y point in t he domain. T his shouldn’ t help t he adversary win. So, for example, if t he adversary asks t he value of E K ( · ) at all point s except 1 and 2 (a t ot al of 106 − 2 point s), t hen t he adversary will know what are t he two “missing” numbers, c1 and c2 , but t he adversary won’ t be able t o ascert ain ifE K (1) = c1 and E K (2) = c2 , or if E K (1) = c2 and E K (2) = c1 , inst ead. Our Contributions. T hough t he problem of enciphering on an arbit rary domain has been considered before [13], here we draw at t ent ion t o t his problem and give t he first rigorous t reat ment , providing a few solut ions t oget her wit h t heir analyses. Our solut ions focus on t he case in which t he message space is M = [0, k − 1], t hough we sket ch ext ensions t o some ot her message spaces, like Z p q and common ellipt ic-curve groups. Our first met hod assumes t hat we have a block cipher E t hat act s on N = 2n point s, where N ≥ k . To encipher M = [0, k − 1] one just enciphers t hese point s wit h block cipher E and uses t he ordering of E K (0), E K (1), up t o E K ( k − 1) t o name t he desired permut at ion on [0, k − 1]. T his met hod is comput at ionally reasonable only for small k , such as k < 23 0 . A second met hod, similar t o known t echniques used in ot her set t ings, enciphers a message m ∈ M by repeat edly applying t he block cipher, st art ing at m , unt il one get s back t o a point in M . (Assume once again t hat N ≥ k .) n T his met hod is good if M is “dense” in t he domain of t he block cipher, { 0, 1} . So, for example, one can use t his met hod t o encipher a st ring in Z N , where N is a 1024-bit number, using a block cipher wit h block lengt h of 1024 bit s. (A block cipher wit h a long block lengt h, like t his, can be const ruct ed from a “st andard” block cipher by following works like [9,11,3].) T his const ruct ion has been suggest ed before [13]; our main cont ribut ion here is t he analysis of t he const ruct ion. A final met hod which we look at chooses an a, b where ab ≥ k and performs a Feist el const ruct ion on t he message m , but uses a left -hand side in Z a and a right hand side in Z b . Our analysis of t his is an adapt at ion of Luby and Rackoff ’ s [9]. T his met hod can be quit e effi cient , t hough t he proven bounds are weak when t he message space is small (eg, k < 21 2 8 ). Wit h each of our ciphers we provide a deciphering algorit hm, t hough t his may not be required in all domains (eg, in our credit -card example above). ∗

116

J ohn Black and P hillip Rogaway

Not e t hat t he t hree met hods above solve our problem for small and large domains, but t here is a gap which remains: int ermediat e-sized values where our first met hod requires t oo much space and t ime, and our second met hod requires t oo many block-cipher invocat ions, and our t hird met hod may work but t he bound is t oo weak. T his gap occurs roughly from k = 23 0 up t o about k = 26 0 , depending on your point of view. Our credit -card example ( k = 101 0 ≈ 23 3 . 2 ) falls int o t his gap. T his problem remains open. Why Ciphers on Non-Standard Sets? Popular books on crypt ography speak of enciphering t he point s in t he message space M , what ever t hat message space may be, but few seem t o have t hought much about how t o act ually do t his when t he message space is somet hing ot her t han a set of bit st rings, oft en of one part icular lengt h. T his omission is no doubt due t o t he fact t hat it is usually fine t o embed t he desired message space int o a larger one, using some padding met hod, and t hen apply a st andard const ruct ion t o encipher in t he larger space. For example, suppose you want t o encipher a random number m between one and a million. Your t ool is a 128-bit block cipher E . You could encode m as a 128-bit st ring M by writ ing m using 20 bit s, prepending 108 zero-bit s, and comput ing C = E K ( M ). Ignoring t he fact t hat t he ciphert ext C “wast es” 108 bit s, t his met hod is usually fine. But not always. One problem wit h t he met hod above is t hat it allows one t o t ell if a candidat e key K might have been used t o produce C . To illust rat e t he issue, suppose t hat t he key space is small, say | K | = 23 0 . Suppose t he adversary sees a point C = E K ( M ). T hen t he adversary has everyt hing she needs t o decrypt ciphert ext C = E K ( M ): she just t ries all keys K ∈ K unt il she finds one for which E K 1′ ( C ) begins wit h 108 zeros. T his is almost cert ainly t he right key. T he ob ject ion t hat “we shouldn’ t have used a small key space” is not a product ive one if t he point of our eff ort s was t o make due wit h a small key space. If we had used a cipher wit h message space M = [1, 106 ] we would not have had t his problem. Every ciphert ext C , under every possible key K , would correspond t o a valid message M . T he ciphert ext would reveal not hing about which key had been used. Of course t here are several ot her solut ions t o t he problem we have described, but many of t hem have diffi cult ies of t heir own. Suppose, for example, t hat one pads wit h random bit s inst ead of zero bit s. T his is bet t er, but st ill not perfect : in part icular, an adversary can t ell t hat a candidat e key K could not have been used t o encipher M if decrypt ing C under K yields a final 20 bit s whose decimal value exceeds 1,000,000. If one had 1,000 ciphert ext s of random plaint ext s enciphered in t he manner we have described, t he adversary could, once again, usually det ermine t he correct key. As a more realist ic example relat ed t o t hat above, consider t he BellovinMerrit t “EKE” prot ocol [4]. T his ent ity-aut hent icat ion prot ocol is designed t o defeat password-guessing at t acks. T he prot ocol involves encrypt ing, under a possibly weak password K , a st ring gx mod p, where p is a large prime number and g is a generat or of Z p . In t his cont ext it is crucial t hat from t he result ing ciphert ext C one can not ascert ain if a candidat e password K could possibly have ′













Ciphers wit h Arbit rary F init e Domains

117

produced t he ciphert ext C . T his can be easily and effi cient ly done by enciphering wit h message space M = Z p . Ordinary encrypt ion met hods won’ t work. Anot her problem wit h ciphert ext -expansion occurs when we are const rained by an exist ing record format : suppose we wish t o encrypt a set of fields in a dat abase, but t he cost of changing t he record size is prohibit ive. Using a cipher whose domain is t he set of values for t he exist ing fields allows some measure of added security wit hout requiring a complet e rest ruct uring of t he dat abase. And if t he dat a have addit ional rest rict ions beyond size (eg, t he fields must cont ain print able charact ers), we can furt her rest rict t he domain as needed. In addit ion t o t hese (modest ) applicat ions, t he quest ion is int erest ing from a t heoret ical st andpoint : how can we const ruct new ciphers from exist ing ones? In part icular, can we const ruct ciphers wit h arbit rary domains wit hout resort ing t o creat ing new ciphers from scrat ch? It cert ainly “feels” like t here should be a good way t o const ruct a block cipher on 32 bit s given a block cipher on 64 bit s, but , even for t his case, no one knows how t o do t his in a pract ical manner wit h good security bounds. ∗

Related Work. We assume t hat one has in hand a good block cipher for any desired block lengt h. Since “st andard” block ciphers come only in “convenient ” block lengt hs, such as n = 128, here are some ways t hat one might creat e a block cipher for some non-st andard block lengt h. First , one could const ruct t he block cipher from scrat ch. But it is probably bet t er t o st art wit h a wellst udied primit ive like SHA-1 or AES. T hese could t hen be used wit hin a balanced Feist el network [14], which creat es a block cipher for any (even) block lengt h 2n , st art ing wit h somet hing t hat behaves as a pseudorandom funct ion (P RF) from n bit s t o n bit s. Luby and Rackoff [9] give quant it at ive bounds on t he effi cacy of t his const ruct ion (when using t hree and four rounds), and t heir work has spawned much relat ed analysis, t oo. Naor and Reingold [11] provide a diff erent const ruct ion which ext ends a block cipher on n bit s t o a block cipher on 2ni bit s, for any i ≥ 1. A variat ion on t heir const ruct ion due t o Pat el, Ramzan and Sundaram [12] yields a cipher on ni bit s for any i ≥ 1. Lucks [10] generalizes Luby-Rackoff t o consider a t hree-round unbalanced Feist el network, using hash funct ions for round funct ions. T his yields a block cipher for any given lengt h N st art ing wit h a P RF from r bit s t o ℓ bit s and anot her from ℓ bit s t o r bit s, where ℓ + r = N . St art ing from an n -bit block cipher, Bellare and Rogaway [3] n const ruct and analyze a lengt h-preserving cipher wit h domain { 0, 1} . T his is somet hing more t han making a block cipher on arbit rary N ≥ n bit s. Anderson and Biham [1] provide two const ruct ions for a block cipher (BEAR and LION) which use a hash funct ion and a st ream cipher. T his again uses an unbalanced Feist el network. It is unclear how t o make any of t he const ruct ions above apply t o message spaces which are not set s of st rings. P robably several of t he const ruct ions can modified, and in mult iple ways, t o deal wit h a message space M = [0, k − 1], or wit h ot her message spaces. ≥

118

J ohn Black and P hillip Rogaway

T he Hasty P udding Cipher of Schroeppel and Orman [13] is a block cipher which works on any domain [0, k − 1]. T hey use what is essent ially “Met hod 2,” int ernally it erat ing t he cipher unt il a proper domain point is reached. Schroeppel believes t hat t he idea underlying t his met hod dat es back t o t he rot or machines used in t he early 1900’ s. Our not ion of a pseudorandom funct ion is due t o Goldreich, Goldwasser and Micali [6]. P seudorandom permut at ions are defined and const ruct ed by Luby and Rackoff [9]. We use t he adapt at ion of t hese not ions t o deal wit h finit e ob ject s, which first appears in Bellare, Kilian and Rogaway [2].

2

P re lim in arie s

Notation. If A and B are set s t hen Rand( A , B ) is t he set of all funct ions from A t o B . If A or B is a posit ive number, n , t hen t he corresponding set is [0, n − 1]. We writ e Perm( A ) t o denot e t he set of all permut at ions on t he set A and if n is a posit ive number t hen t he set is assumed t o be [0, n − 1]. By x ← A we denot e t he experiment of choosing a random element from A . A funct ion family is a mult iset F = { f : A → B } , where A , B ⊆ { 0, 1} . Each element f ∈ F has a name K , where K ∈ K e y . So, equivalent ly, a funct ion family F is a funct ion F : K e y × A → B . We call A t he domain of F and B t he range of F . T he first argument t o F will be writ t en as a subscript . A cipher is a funct ion family F : K e y × A → A where F K ( · ) is always a permut at ion; a block n n cipher is a funct ion family F : K e y × { 0, 1} → { 0, 1} where F K ( · ) is always a permut at ion. An ideal block cipher is a block cipher in which each permut at ion n on { 0, 1} is realized by exact ly one K ∈ K e y . An adversary is an algorit hm wit h an oracle. T he oracle comput es some funct ion. We writ e A f ( ) t o indicat e an adversary A wit h oracle f ( · ). Adversaries are assumed t o never ask a query out side t he domain of t he oracle, and t o never repeat a query. Let F : K e y × A → B be a funct ion family and let A be an adversary. In t his paper, we measure security as t he maximum advant age obt ainable by some adversary; we use t he following st at ist ical measures: R



·

prf

d ef

A d v F (A ) =

P r[f

R



F :

A

F :

A

f (·)

= 1] − P r[R

f (·)

= 1] − P r[π

R



Rand( A , B ) :

A

R (·)

= 1] ,

and when A = B prp

d ef

A d v F (A ) =

P r[f

R



R



Perm( A ) :

A

π (·)

= 1] .

Useful Facts. It is oft en convenient t o replace random permut at ions wit h random funct ions, or vice versa. T he following proposit ion let s us easily do t his. For a proof see P roposit ion 2.5 in [2]. Le m m a 1 . [P R F / P R P S w it ch in g ] F ix n



1. L e t

A

be a n a d v e r s a r y t h a t

a s k s a t m o s t p qu e r ie s . T h e n



  P r[π

R



Perm( n ) :

A

π (·)

= 1]



P r[ρ

R



Rand( n, n ) :

A

ρ (·)

  = 1]



p2 / 2n + 1 .

Ciphers wit h Arbit rary F init e Domains

A l g o r i t h m Init P x K fo r j ← 0 to k − 1 do Ij ← fo r j ← 0 to k − 1 do Jj ← fo r j ← 0 to k − 1 do L Jj

A l g o r i t h m P xK re t u rn J m K (j ) Ord( I j

119

(m )



E

,{ Ij }

j ∈

[0 ,k −

1 ]

) A lg o rit h m re t u rn L

j

P xK 1 ( m ) −

m

F i g . 1 . Algorit hms for t he P refix Cipher. F irst t he init ializat ion algorit hm Init P x K is run. T hen encipher wit h P x K ( m ) and decipher wit h P x K 1 ( m ). −

3

M e t h o d 1 : P re fi x C ip h e r

Fix some int eger k and let M be t he set [0, k − 1]. Our goal is t o build a cipher wit h domain M . Our first approach is a simple, pract ical met hod for small values of k . We name t his cipher P x. Our cipher will use some exist ing block cipher E wit h keyspace K and whose domain is a superset of M . T he key space for P x will also be K . To comput e P xK ( m ) for some m ∈ M and K ∈ K we first comput e t he t uple I = ( E K (0) E K (1) · · · E K ( k − 1)) . Since each element of I is a dist inct st ring, we may replace each element in I wit h it s ordinal posit ion (st art ing from zero) t o produce t uple J . And now t o encipher any m ∈ M we comput e P xK ( m ) as simply t he m -t h component of J (again count ing from zero). T he enciphering and deciphering algorit hms are given in Figure 1. Example. Suppose we wish t o encipher M = { 0, 1, 2, 3, 4} . We choose some random key K for some block cipher E . Let ’ s assumeE is an 8-bit ideal block cipher; t herefore E K is a uniformly chosen random permut at ion on [0, 255]. Next we encipher each element of M . Let ’ s say E K (0) = 166, E K (1) = 6, E K (2) = 130, E K (3) = 201, and E K (4) = 78. So our t uple I is (166 6 130 201 78) and J is (3 0 2 4 1). We are now ready t o encipher any m ∈ M : we ret urn t he m -t h element from J , count ing from zero. For example we encipher 0 as 3, and 1 as 0, et c.. Analysis. Under t he assumpt ion t hat our underlying block cipher E is ideal, I is equally likely t o be any of t he permut at ions on M . T he proof of t his fact is t rivial and is omit t ed. T he met hod remains good when E is secure in t he sense of a P RP. T he argument is st andard and is omit t ed. Practical Considerations. Enciphering and deciphering are const ant -t ime operat ions. T he cost here is O ( k ) t ime and space used in t he init ializat ion st ep. T his clearly means t hat t his met hod is pract ical only for small values of k . A furt her pract ical considerat ion is t hat , alt hough t his init ializat ion is a one-t ime cost , it result s in a t able of sensit ive dat a which must be st ored somewhere.

120

J ohn Black and P hillip Rogaway Cy K ( m ) E K (m )

A lg o rit h m c ←

Cy K 1 ( m ) 1 E K (m ) −

A lg o rit h m c ←



if c ∈ M re t u rn c e l s e r e t u r n Cy K ( c )

if c ∈

M

re t u rn c

e ls e re t u rn

Cy K 1 ( c ) −

Algorit hms for t he Cycle-Walking Cipher. We encipher wit h Cy K ( · ) and decipher wit h Cy K 1 ( · ).

F ig . 2 .



4

M e t h o d 2 : C y cle -W alkin g C ip h e r

T his next met hod uses a block cipher whose domain is larger t han M , and t hen handles t hose cases where a point is out of range. Again we fix an int eger k , let M be t he set [0, k − 1], and devise a met hod t o encipher M . Let N be t he smallest power of 2 larger or equal t o k , let n be lg N , and let E K ( · ) be an n -bit block cipher. We const ruct t he block cipher Cy K on t he set M by comput ing t = E K ( m ) and it erat ing if c ∈ M . T he enciphering and deciphering algorit hms are shown in Figure 2. Example. Let M = [0, 106 ]. T hen N = 22 0 and so n = 20. We use some known met hod t o build a 20-bit block cipher E K ( · ) on t he set T = [0, 22 0 − 1]. Now suppose we wish t o encipher t he point m = 314159; we comput e c1 = E K (314159) which yields some number in T , say 1040401. Since c1 ∈ M , we it erat e by comput ing c2 = E K (1040401) which is, say, 1729. Since c2 ∈ M , we out put 1729 as Cy K (314159). Decipherment is simply t he reverse of t his procedure. Analysis. Let ’ s view t he permut at ion E K ( · ) as a family of cycles: any point m ∈ M lies on some cycle and repeat ed applicat ions of E K ( · ) can be viewed as a part icle walking along t he cycle, st art ing at m . In fact , we can now t hink of our const ruct ion as follows: t o encipher any point m ∈ M walk along t he cycle cont aining m unt il you encount er some point c ∈ M . T hen c = Cy K ( m ). Of course t his met hod assumes t hat one can effi cient ly t est for membership in M . T his is t rivial for our case when M = [0, k − 1], but might not be for ot her set s. Now we may easily see t hat Cy K ( · ) is well-defined: given any point m ∈ M if we apply E K ( · ) enough t imes, we will arrive at a point in M . T his is because walking on m ’ s cycle must event ually arrive back at s o m e point in M , even if t hat point is m it self. We can also see t hat Cy K ( · ) is invert ible since invert ing Cy K ( m ) is equivalent t o walking ba c k w a rd s on m ’ s cycle unt il finding some element in M . T herefore, we know Cy K ( · ) is a permut at ion on M . However t he quest ion arises, “how much security do we lose in deriving t his permut at ion?” T he fort unat e answer is, “not hing.” T h e o re m 1 . [S e c u rit y o f C y c le -W a lk in g C ip h e r] F ix k ≥ 1 a n d le t M = [0, k − 1]. L e t E K ( · ) be a n id ea l bloc k c ip h e r o n t h e s e t T w h e re M ⊆ T . C h oo s e a k e y K u n ifo r m ly a t ra n d o m a n d t h e n co n s t r u c t Cy K ( · ) u s in g E K ( · ) . T h e n

Cy K ( · ) is a u n ifo r m ra n d o m pe r m u t a t io n o n

M

.

Ciphers wit h Arbit rary F init e Domains

121

P roo f. Fix some permut at ion π on t he set M . We will show t hat an equal number of keys K will give rise t o π ; t his will imply t he t heorem. We proceed by induct ion, showing t hat t he number of permut at ions on { 0, . . . , k − 1, x } which give rise under our const ruct ion t o π is const ant . Since M ⊆ T we can repeat edly add all element s x ∈ T − M while maint aining t hat t he number of permut at ions which give rise t o π is const ant . Decompose π int o r cycles of lengt hs l 1 , l 2 , · · · , l r . We count t he number of ways t o insert t he new element x . T here are l i ways t o insert x int o t he i t h orbit corresponding t o t he i t h cycle, and one way t o insert x int o a  new orbit of it s r own (ie, t he permut at ion which fixes x ). T herefore t here are i = 1 l i + 1 = k ways t o add element x t o π yielding a permut at ion which will give rise t o π by repeat ed it erat ions. T his holds no mat t er what π we choose.  t Let | T | = t . T hen by induct ion we see t hat t here are exact ly i = k i keys K under which our const ruct ion reduces E K ( · ) t o π .

Similar t o t he P refix Cipher, our const ruct ion has ret ained all of t he security of t he underlying block cipher. T heorem 1 is an informat ion-t heoret ic result . Passing t o t he corresponding complexity-t heoret ic result is st andard. Because no security is lost in t he informat ion-t heoret ic set t ing, and because we apply E an expect ed two t imes (or fewer), an adversary’ s maximal advant age t o dist inguish E K ( · ) from a random permut at ion of Z 2 in expect ed t ime 2t approximat ely upper bounds an adversary’ s maximal advant age t o dist inguish CyK ( · ) from a random permut at ion on M in t ime t . n

5

M e t h o d 3 : G e n e ralize d -Fe ist e l C ip h e r

Our final met hod works as follows: we decompose all t he numbers in M int o pairs of “similarly sized” numbers and t hen apply t he well-known Feist el const ruct ion [14] t o produce a cipher. Again we fix an int eger k , let M be t he set [0, k − 1], and devise a met hod t o encipher M . We call our cipher Fe[r , a, b] where r is t he number of rounds we use in our Feist el network and a and b are posit ive numbers such t hat ab ≥ k . We use a and b t o decompose any m ∈ M int o two numbers for use as t he input s int o t he network. Wit hin t he network we use r random funct ions F 1 , . . . , F r whose ranges cont ain M . T he algorit hms t o encipher and decipher are given in Figure 3. Not ice t hat if using t he Feist el const ruct ion result s in a number not in M , we it erat e just as we did for t he Cycle-Walking Cipher. Example. In order t o specify some part icular Fe[r , a, b]K ( · ) we must specify t he numbers a and b, t he number of Feist el rounds r , and t he choice of underlying funct ions F 1 , · · · , F r we will use. As a concret e example, let ’ s t ake k = 23 5 , r = 3, and a = 185360 and b = 185368 (met hods for finding a and b will be discussed lat er). Not e t hat ab ≥ k as required. Since ab is 74112 larger t han k , our Feist el const ruct ion will be on t he set M = [0, (23 5 − 1) + 74112], meaning t here are 74112 values ′

122

J ohn Black and P hillip Rogaway Fe[r , a , b]K ( m ) fe[r , a , b]K ( m )

A lg o rit h m c ←

if c ∈ M re t u rn c e l s e r e t u r n Fe[r , a , b ]K

(c)

fe[r , a , b]K ( m ) mod a ; R ← ⌊ m / a ⌋ fo r j ← 1 to r do i f ( j is odd) t h e n t m p ← ( L + F j ( R )) mod e ls e t m p ← ( L + F j ( R )) mod b L ← R; R ← tmp i f ( r is odd) t h e n r e t u r n a L + R e ls e re t u rn aR + L

A lg o rit h m L ←

m

Fe[r , a , b]K 1 ( m ) fe[r , a , b]K 1 ( m ) −

A lg o rit h m



c ←

if c

a



M

re t u rn c

e ls e re t u rn

Fe[r , a , b]K 1 ( c ) −



1

A l g o r i t h m fe[r , a , b ]K ( m ) i f ( r is odd) t h e n R ← m mod a ; L ← ⌊ m / a⌋ e ls e L ← m mod a ; R ← ⌊ m / a⌋ fo r j ← r to 1 do i f ( j is odd) t h e n t m p ← ( R − F j ( L )) mod a e ls e t m p ← ( R − F j ( L )) mod b R ← L; L ← tmp re t u rn aR + L F i g . 3 . Algorit hms for t he Generalized-Feist el Cipher. We encipher wit h Fe[r , a , b ]K ( · ) and decipher wit h Fe[r , a , b]K 1 ( · ). Here a and b are t he numbers used t o biject ively map all m ∈ M int o L , and R , and r is t he number of rounds of Feist el we will apply. T he key K is implicit ly used t o select t he r funct ions F 1 , . . . , F r . −

which are in M − M for which we will have t o it erat e (just as we did for t he Cycle-Walking Cipher). Let ’ s use DES wit h independent keys as our underlying P RFs. DES is a 64-bit cipher which uses a 56-bit key; we will regard t he 64-bit st rings on which DES operat es as int egers in t he range [0, 26 4 − 1] in t he nat ural way. We need t hree P RFs so our key K = K 1 K 2 K 3 will be 3 × 56 = 168 bit s. Now t o comput e Fe[3, 185360, 185368]( m ) we comput e L = m mod 185360, and R = ⌊ m / 185360⌋ , and t hen perform t hree rounds of Feist el using DESK 1 ( · ), DESK 2 ( · ), and DESK 3 ( · ) as our underlying P RFs. T he first round result s in L ← ⌊ m / 185360⌋ and R ← ( m mod 185360+ D E SK 1 ( ⌊ m / 185360⌋ )) mod 185360, and so on. ′

Analysis. First we not e t hat Fe[r , a, b]( · ) is a permut at ion: it is well-known t hat t he Feist el const ruct ion produces a permut at ion, and we showed previously t hat

Ciphers wit h Arbit rary F init e Domains

123

it erat ing any permut at ion is a permut at ion. We now analyze t he how good is t his Generalized-Feist el Cipher for t he t hree-round case. Assuming t he underlying funct ions F 1 , F 2 , and F 3 used in our const ruct ion are t r u ly ra n d o m funct ions, we will compare how close Fe[3, a, b]( · ) is t o a t ruly random permut at ion. Passing t o t he complexity-t heoret ic set t ing is t hen st andard, and t herefore omit t ed. T h e o re m 2 . [S e c u rit y o f G e n e ra liz e d -Fe is t e l C ip h e r] F ix k ≥ 1 a n d le t = [0, k − 1]. F ix t w o n u m be r s a, b > 0 s u c h t h a t ab ≥ k . L e t ∆ = ab − k . F ix a n n s u c h t h a t 2n > a a n d 2n > b. L e t D be a n a d v e r s a r y w h ic h a s k s q qu e r ie s M

o f h e r o ra c le . T h e n prf

A d v F e ( D ) = P r[F 1 , F 2 , F 3

Rand(2n , 2n ) : D F e [3 , a , b ]( ) = 1]

R

·





P r[ρ

R



Rand( k , k ) : D ρ

(·)

= 1]

2



(q + ∆ ) ( ⌈ 2n / a⌉ + ⌈ 2n / b⌉ ) . 2n + 1

T he proof is an adapt at ion of Luby’ s analysis from Lect ure 13 of [8], which is in-t urn based on [9]. It can be found in Appendix A. Finally, we must adjust t his bound t o account for t he fact t hat we have compared Fe[3, a, b]K ( · ) wit h a random funct ion inst ead of a random permut at ion. We can invoke Lemma 1 which gives us a final bound quant ifying t he quality of our const ruct ion: prp

A d v F e ( D ) = P r[F 1 , F 2 , F 3

R



Rand(2n , 2n ) : D F e [3 , a , b ]( ) = 1] ·



2



6

P r[π

R



Perm( k ) : D π

(·)

= 1]

2

(q + ∆ ) + q ( ⌈ 2n / a⌉ + ⌈ 2n / b⌉ ) . 2n + 1

D iscu ssio n

Prefix Cipher. Our first met hod, t he P refix Cipher, is useful only for suit ably small k . Since enciphering one point requires enciphering all k point s in [0, k − 1], many applicat ions would find t his prohibit ively expensive for all but fairly small values of k . Cycle-Walking Cipher. Our second met hod, t he Cycle-Walking Cipher, can be quit e pract ical. If k is just smaller t han some power of 2, t he number of point s we have t o “walk t hrough” during any given encipherment is correspondingly small. In t he worst case, however, k is one larger t han a power of 2, and (wit h ext remely bad luck) might require k calls t o t he underlying block cipher t o encipher just one point . But if t he underlying block cipher is good we require, in t he worst case, an expect ed two calls t o it in order t o encipher and decipher any point . Generalized-Feistel Cipher. To get t he best bound we should select a and b such t hat t hese numbers are somewhat close t oget her and such t hat ∆ = ab− k

124

J ohn Black and P hillip Rogaway √

is small. One obvious t echnique is t o t ry numbers near k ; for example, t aking √ √ a = b = ⌈ k ⌉ means t hat ab − k will never be more t han 2 k + 1. But oft en one can do bet t er. Anot her way t o improve t he bound is t o ensure n is suit ably large. T he “t ail eff ect s” spoken of in t he proof are diminished as n grows (because as 2n get s larger ⌈ 2n / a⌉ / 2n get s closer t o 1/ a). The One-Off Construction. Anot her met hod, not ment ioned above, works well for domains which are one element larger t han a domain we can accommodat e effi cient ly. Say we have a cipher E wit h domain [0, k − 1] and we wish t o const ruct a cipher E wit h domain [0, k ]. We choose a key K = { K , r } for E by choosing a key K for E and a random number r ∈ [0, k ]. We t hen comput e E K ′ ( X ) as follows:  r if X = k  E K ′ (X ) = k if X = E K 1 ( r )  E K ( X ) ot herwise ′











T he security of t his const ruct ion is t ight ly relat ed t o t he security of E and t he met hod for select ing r . T he analysis is omit t ed. Of course we can use t his met hod t o repeat edly ext end t he domain of any cipher t o t he size of choice, but for most set t ings it is impract ical t o do t his more t han a few t imes. A typical met hod for generat ing r would be t o t ake r = E K ∗ (0) mod ( k + 1) where K is a new randomly-select ed key. T he “t ail eff ect ” here is not t oo bad, but will cause a rapid det eriorat ion of t he security bound when used t oo oft en. Also, t he scheme begins t o become quit e ineffi cient when we ext end t he domain in t his way t oo many t imes. ∗

Other Domains. T hough we have spoken in t erms of t he domain [0, k − 1] t he same met hods work for ot her domains, t oo. For example, t o encipher in Z N , where N = pq is a 1024-bit product of two primes, one can use eit her cyclewalking or t he generalized-Feist el const ruct ion, it erat ing in t he highly unlikely event t hat a point is in Z N but not in Z N . We may also use our met hods t o encipher point s from an ellipt ic curve group (EC group). T here are well-known “compact ” represent at ions of t he point s in EC groups, and t hese represent at ions form our st art ing point . For example, one finds in [5] simple algorit hms t o compress t he represent at ion of a point in an EC group. Consider t he EC group G over t he field F q where q is eit her a power of two or a prime. T hen any point ( x , y ) ∈ G may be represent ed as a member of F q t oget her wit h a single bit . Let ’ s consider first t he case whereq = 2m wit√ h m > 0. T he Hasse t heorem (see [5], page 8) guarant ees at least d( r ) = r + 1 − 2 r point s in G . Since it is possible t o represent any point in G wit h m + 1 bit s and it is also possible t o effi cient ly t est for membership in G , we could use t he cycle-walking const ruct ion over a 2m + 1 -bit cipher. T he expect ed number of invocat ions of t his cipher t o encipher a point in G is t hen 2m + 1 / d(2m ) ≈ 2. If q is inst ead a prime p, we can represent any point in G as a number x ∈ [0, p − 1] and a single bit y . We may again use any of our met hods t o ∗



Ciphers wit h Arbit rary F init e Domains

125

encipher t hese 2p point s. Here t he Hasse t heorem ([5], page 7) guarant ees at least d( p) point s in G and once again an effi cient t est for membership in G exist s. T herefore we may use t he cycle-walking const ruct ion over some ⌈ lg 2p⌉ bit cipher. However if 2p is not close t o a power of 2, we may wish t o inst ead use t he generalized-Feist el const ruct ion. Open Problems. As ment ioned already, we have not provided any const ruct ion which works well (and provably so) for int ermediat e-sized values of k . For example, suppose you are given an ideal block cipher Π on 128-bit st rings, and you want t o approximat e a random permut at ion π on, say, 40-bit st rings. P robably enough rounds of Feist el work, but remember t hat our security goal is t hat even if an adversary inquires about all 24 0 point s, st ill she should be unable t o dist inguish π from a random permut at ion on 40 bit s. Known bounds are not nearly so st rong. Of course t he prefix met hod works, but spending 24 0 t ime and space t o encipher t he first point is not pract ical.

A ckn ow le d g m e nt s Special t hanks t o Richard Schroeppel who made many useful comment s on an earlier draft . T hanks also t o Mihir Bellare, David McGrew, and Silvio Micali for t heir helpful comment s. T his paper was writ t en while Rogaway was on leave of absence from UC Davis, visit ing t he Depart ment of Comput er Science, Faculty of Science, Chiang Mai University. T his work was support ed under NSF CAREER award CCR-9624560, and by a generous gift from Cisco Syst ems.

R e fe re n ce s 1. Anderson, R., and Biham, E. T wo pract ical and provably secure block ciphers: BEAR and LION. In Fast Soft war e E n cr ypt i on (1996), vol. 1039 of L ect u r e N ot es i n C om pu t er Sci en ce, Springer-Verlag, pp. 114–120. 2. Bellare, M., Kilian, J., and Rogaway, P. T he security of t he cipher block chaining message aut hent icat ion code. J ou r n al of C om pu t er an d Syst em Sci en ces 61 , 3 (2000), 362–399. Earlier version in CRYP T O ’ 94. See www.cs.ucdavis.edu/ ˜ rogaway. 3. Bellare, M., and Rogaway, P. On t he const ruct ion of variable-input -lengt h ciphers. In Fast Soft war e E n cr ypt i on (1999), vol. 1636 of L ect u r e N ot es i n C om pu t er Sci en ce, Springer-Verlag. See www.cs.ucdavis.edu/ ˜ rogaway. 4. Bellovin, S., and Merritt, M. Encrypt ed key exchange: password-based prot ocols secure against dict ionary at t acks. In 1992 I E E E C om pu t er Soci et y Sym posi u m on R esear ch i n Secu r i t y an d P r i vacy (1992), IEEE Comput er Society P ress, pp. 72–84. 5. Certicom Research. St an dar ds for effi ci en t cr ypt ogr aphy, SE C 1: E l li pt i c cu r ve cr ypt ogr aphy , version 1, Sept . 2000. Available on-line at www.secg.org. 6. Goldreich, O., Goldwasser, S., and Micali, S. How t o const ruct random funct ions. J ou r n al of t he A C M 33 , 4 (1986), 210–217.

126

J ohn Black and P hillip Rogaway

7. Goldwasser, S., Micali, S., and Rivest, R. A digit al signat ure scheme secure against adapt ive chosen-message at t acks. SI A M J ou r n al of C om pu t i n g 17 , 2 (Apr. 1988), 281–308. 8. Luby, M. P seu dor an dom n ess an d cr ypt ogr aphi c appli cat i on s. P rincet on University P ress, P rincet on, New J ersey, 1996. 9. Luby, M., and Rackoff, C. How t o const ruct pseudorandom permut at ions from pseudorandom funct ions. SI A M J ou r n al of C om pu t i n g 17 , 2 (Apr. 1988). 10. Lucks, S. Fast er Luby-Rackoff ciphers. In Fast Soft war e E n cr ypt i on (1996), vol. 1039 of L ect u r e N ot es i n C om pu t er Sci en ce, Springer-Verlag. 11. Naor, M., and Reingold, O. On t he const ruct ion of pseudorandom permut at ions: Luby-Rackoff revisit ed. J ou r n al of C r ypt ology 12 , 1 (1999), 29–66. 12. Patel, S., Ramzan, Z., and Sundaram, G. Towards making Luby-Rackoff ciphers opt imal and pract ical. In Fast Soft war e E n cr ypt i on (1999), vol. 1636 of L ect u r e N ot es i n C om pu t er Sci en ce, Springer-Verlag. 13. Schroeppel, R., and Orman, H. Int roduct ion t o t he hasty pudding cipher. In P roceedings from t he F irst Advanced Encrypt ion St andard Candidat e Conference, Nat ional Inst it ut e of St andards and Technology, Aug. 1998. See http://www.cs.arizona.edu/˜rcs/hpc/. 14. Smith, J. L. T he design of Lucifer: A crypt ographic device for dat a communicat ions. Tech. Rep. IBM Research Report RC 3326, IBM T .J . Wat son Research Cent er, Yorkt own Height s, N.Y., 10598, U.S.A., Apr. 1971.

A

P ro o f o f T h e o re m 2

P roo f. To simplify t he exposit ion, we will init ially assume t hat k = ab. In ot her

words, t hat no it erat ing is required t o comput e Fe[3, a, b]K ( · ). Once we est ablish t he result in t his set t ing, we can make some minor changes t o get t he general result . We begin by defining a couple of games. Let us call “Game Fe” t he game in which we choose t hree random funct ions F 1 , F 2 , F 3 ← Rand(2n , 2n ) and t hen answer D ’ s queries according t o Fe[3, a, b]( · ) using F 1 , F 2 , and F 3 as our underlying funct ions. Let us call “Game Rn” t he game in which we choose a random funct ion ρ ∈ Rand( k , k ) and t hen answer D ’ s queries according t o ρ ( · ). Let ’ s denot e by PF e t he probability t hat D out put s 1 in Game Fe, and denot e by P R n t he probability t hat D out put s 1 in Game Rn. We are t rying t o show t hat PF e



PR n



( q + ab − k ) 2 ( ⌈ 2n / a⌉ + ⌈ 2n / b⌉ ) . 2n + 1

Wit hout loss of generality, assume D never repeat s a query. We begin by describing a new game called “Game B ”. Game B will look t he same t o adversary D as Game Fe, but Game B will be played complet ely diff erent ly. Inst ead of choosing t hree random funct ions F 1 , F 2 , F 3 , we’ ll choose only some random numbers x 1 , . . . , x q , y 1 , . . . , y q , and z1 , . . . , zq . Each of t hese numbers is in [0, 2n − 1]. T he o n ly random choices we will make in playing game B is in t he choice of t he x i , y i , and zi . We describe Game B in Figure 4. It is played as follows: first choose random numbers x 1 , . . . , x q , y 1 , . . . , y q , and z1 , . . . , zq . Now answer t he i -t h query wit h aβ i + γ i , where β i and γ i are described in t he figure. ′









Ciphers wit h Arbit rary F init e Domains

127

128

J ohn Black and P hillip Rogaway

Ciphers wit h Arbit rary F init e Domains

129

we are t aking t he sum of L i wit h a random member of [0, 2n − 1] and t hen t aking t his ( mod a). But of course 2n may not be divisible by a and t his modulus will creat e an “t ail eff ect ” slight ly biasing t he probability. We can easily measure t his, however, as follows: t he amount of probability mass on some point s will be n n n n ⌊ 2 / a⌋ / 2 and on t he ot hers it will be ⌈ 2 / a⌉ / 2 . We will simply t ake t he lat t er as a bound. If R i is a new, unrepeat ed value, t hen x u will be a random number in [0, 2n − 1] and so t he chance t hat α i will collide wit h any part icular prior α j is again bounded by ⌈ 2n / a⌉ / 2n . T hus t he chance t hat α i will collide wit h an earlier query is at most ( i − 1) ⌈ 2n / a⌉ / 2n , and t he chance t hat t here will event ually be  q 2 a collision in α i -values is at most ( i − 1) ⌈ 2n / a⌉ / 2n ≤ q2 ⌈ 2n / a⌉ / 2n . ♦ i= 1 i

C la im . P r[R E P E A T

β |R E P E A T α

q2 ⌈ 2n / b⌉

]≤

2n + 1

.

By assumpt ion, t he vi values are all dist inct , so y is being evaluat ed on dist inct point s. T he chance t hat two β i values coincide is det ermined similar t o t he case in t he previous claim where t he R i values were dist inct . So analogously we have  q 2 ♦ ( i − 1) ⌈ 2n / b⌉ / 2n ≤ q2 ⌈ 2n / b⌉ / 2n . i= 1 P ut t ing t his t oget her we have t hat C la im . P r[R E P E A T ] ≤

q2

2n + 1

( ⌈ 2n / a⌉ + ⌈ 2n / b⌉ ).

T he reason is t hat P r[R E P E A T ] = P r[R E P E A T α ] + P r[R E P E A T β ∧

REP EAT α

]

= P r[R E P E A T α ] + P r[R E P E A T β

| REP EAT α

] · P r[R E P E A T α ]

P r[R E P E A T α ] + P r[R E P E A T β

| REP EAT α

],



and we have just bounded each of t he above addends. ♦

Now for t he key observat ion: C la im . P r[D B = 1

| REP EAT

] = P r[D C = 1

| REP EAT

].

Bot h probabilit ies are over random choices of x , y, z . On t he right -hand we out put y i , zi in response t o t he i t h query. On t he left -hand side, assuming t hat R E P E A T does not hold in G a m e C, once again we out put y i , zi . T his would be clear if we had said “assuming t hat R E P E A T does not hold in G a m e B,” and we defined t his even in Game B in t he obvious manner. But not ice t hat as long as R E P E A T does not hold in Game C, Game C and Game B behave ident ically, always ret urning y i , zi in response t o query i . T his is easily est ablished by induct ion. ♦ We claim t hat , because of t he last claim, PF e



P R n = P r[D B = 1] − P r[D C ] = 1 ≤

P r[R E P E A T ]

130

J ohn Black and P hillip Rogaway

Let A , B , C be arbit rary event s and assume P r[A P r[A ] − P r[B ] = P r[A −

|

P r[B

|

C ] = P r[B

C ] P r[C ] + P r[A |

|

C ] P r[C ] − P r[B

|

C ]. Now

C ] P r[C ] |

C ] P r[C ]

and so P r[A | C ] = P r[B | C ] t ells us t hat first and t hird addends cancel. Now upperbound t he second addend by dropping t he P r[A | C ] (t hat is, upperbound t his by 1) and drop t he final addend (which is negat ive) ent irely, t hereby get t ing an upperbound of P r[C ], as desired. We now address t he case where we it erat e t he cipher. In ot her words, what happens when ab − k > 0? In t his case we may invoke fe[3, a, b]K ( · ) mult iple t imes per encipherment , and we must account for t his in t he bound. T he crucial point in t he proof aff ect ed by it erat ing is when we are calculat ing R E P E A T α . In t he worst case, t he first encipherment could cause us t o comput e fe[3, a, b]( m ) for a ll m ∈ [k , ab − 1]. In t his case up t o ab − k values of α i may already have been comput ed. We t herefore include t hese point s in t he comput at ion of P r[R E P E A T α ]. 2  q+ ( a b k ) T he new bound is t herefore i = 1 ( i − 1) ⌈ 2n / a⌉ / 2n ≤ ( q + a 2b k ) ⌈ 2n / a⌉ / 2n for P r[R E P E A T α ] and similarly for P r[R E P E A T β | R E P E A T α ]. So t he overall bound is now −

P r[R E P E A T ] ≤

( q + ab − k ) 2 ( ⌈ 2n / a⌉ + ⌈ 2n / b⌉ ) . 2n + 1

And set t ing ∆ = ab − k we obt ain t he bound of T heorem 2.



K n o w n P la in t e x t C o rre la t io n A t t a ck a g a in s t R C 5 At suko Miya ji1 , Masao Nonaka 1 , and Yoshinori Takii2 1

School of Informat ion Science, J apan Advanced Inst it ut e of Science and Technology 1-1, Asahidai, Tat sunokuchi, Nomi, 923-1292, J apan { miyaji,m-nonaka} @jaist.ac.jp http://grampus.jaist.ac.jp:8080/miyaji-lab/index.html 2 J apan Air Self Defense Force 5-1, Ichigaya Honmura-cho, Shinjyuku-ku, Tokyo, 162-0845, J apan

We invest igat e a known plaint ext at t ack on RC5 based on correlat ions. Compared wit h t he best previous known-plaint ext at t ack on RC5-32, a linear crypt analysis by Borst , P reneel, and Vandewalle, our at t ack applies t o a larger number of rounds. RC5-32 wit h r rounds can be broken wit h a success probability of 90% by using 26 1 4 + 2 2 7 plaint ext s. T herefore, our at t ack can break RC5-32 wit h 10 rounds (20 half-rounds) wit h 26 3 6 7 plaint ext s wit h a probability of 90%. W it h a success probability of 30%, our at t ack can break RC5-32 wit h 21 halfrounds by using 26 3 0 7 plaint ext s. A b st ract .

.

r

.

.

.

1

In t ro d u c t io n

RC5, designed by Rivest ([11]), is a block cipher which is const ruct ed by only simple arit hmet ic such as an addit ion, a bit -wise exclusive-or(XOR), and a dat a dependent rot at ion. T herefore, RC5 can be implement ed effi cient ly by software wit h small amount of memory. RC5-32/ r means t hat two 32-bit -block plaint ext s are encrypt ed by r rounds, where one round consist s of two half-rounds. Various at t acks against RC5 have been analyzed int ensively ([1,2,4,5,6,7]). T he best chosen-plaint ext at t ack ([1]), up t o t he present , breaks RC5-32/ 12 by using (24 4 , 25 4 . 5 ) pairs of chosen plaint ext s and known plaint ext s. However, it requires many st ored plaint ext s such as 25 4 . 5 . Even in t he case of RC5-32/ 10, it requires (23 6 , 25 0 . 5 ) pairs of chosen plaint ext s and known plaint ext s wit h st ored 25 0 . 5 plaint ext s. In a realist ic sense, it would be infeasible t o employ such an algorit hm on a modern comput er. On t he ot her hand, a known plaint ext at t ack can work more effi cient ly and pract ically, even t hough it has not been report ed far higher round like 12. T he best known-plaint ext at t ack against RC5 is a linear crypt analysis ([2]). T hey have report ed t hat RC5-32 wit h 10 rounds is broken by 26 4 plaint ext s under t he heurist ic assumpt ion, t hat is, RC5-32 wit h r rounds is broken wit h a success probability of 90% by using 26 r + 4 plaint ext s. However, t heir assumpt ion seems t o be highly opt imist ic. Table 1 shows bot h t heir result s and our result s. In fact , t heir experiment al result s report t hat RC5-32 wit h 3 or 4 rounds is broken wit h a B . P r e n e e l ( E d . ) : C T -R S A 2 0 0 2 , L N C S 2 2 7 1 , p p . 1 3 1 – 1 4 8 , 2 0 0 2 .  c S p r in g e r -V e r la g B e r lin H e id e lb e r g 2 0 0 2

132

At suko Miya ji, Masao Nonaka, and Yoshinori Takii

T a b l e 1 . Required plaint ext s for at t ack on RC5. T he second column provides a t heoret ical est imat e based on heurist ics

r − r ou n d

2 rou n d s

est i m a t e [2 ] ou r a t t a ck

2

6 .8 r + 2 .4

2

(2

6 r + 4

6 .1 4 r + 2 .2 7

)

# t ex t s

# k ey s

2

1 6

92/ 100

2

1 5

2

1 4

100/ 100 95/ 100

3 rou n d s # t ex t s

# k ey s

2

2 2

81/ 100

2

2 2

2

2 1

100/ 100 95/ 100

4 rou n d s # t ex t s

# k ey s

2

2 8

82/ 100

2

2 8

2

2 7

99/ 100 96/ 100

5 rou n d s # t ex t s

# k ey s

2

3 4

9/ 10

2

3 3

2

3 2

90/ 100 60/ 100

success probability of 81% or 82% if we use 22 2 or 22 8 plaint ext s respect ively. T his means t hat t heir est imat ion does not hold even in such lower rounds as 3 or 4. On t he ot her hand, t hey also discussed t he t heoret ical complexity of breaking RC532 wit h r rounds: RC5-32 wit h r rounds can be broken wit h a success probability of 90% by using 26 . 8 r + 2 . 4 plaint ext s. According t o t heir t heoret ical assumpt ion, it requires 22 2 . 8 or 22 9 . 6 plaint ext s in order t o break RC5-32/ 3 or RC5-32/ 4 wit h a success probability of 90%. Act ually, it seems t hat t he t heoret ical est imat e reflect s t heir experiment al result s. Not e t hat , under t he t heoret ical assumpt ion, t heir known plaint ext at t ack can break RC5-32/ 9 but not RC5-32/ 10 wit h a success probability of 90%. In t his paper, we invest igat e a known plaint ext at t ack by improving a correlat ion at t ack against RC6 ([7]). RC6 is t he next version of RC5, which has almost t he same const ruct ion as RC5: RC6 consist s of a mult iplicat ion, an addit ion, XOR, and a dat a dependent rot at ion. While t he input of RC5 consist s of 2 words such as ( L 0 , R 0 ), t hat of RC6 consist s of 4 words. T his is why approach of at t acks on RC5 is similar t o t hat on RC6, but a slight diff erence is needed. Correlat ion at t ack makes use of correlat ions between an input and an out put , which is measured by t he χ 2 t est : t he specific rot at ion in bot h RC5 and RC6 is considered t o cause t he correlat ions between t he corresponding two 5-bit int eger values. In [7], correlat ion at t acks against RC6-32 recover subkeys from t he 1st round t o t he r -t h round by handling a plaint ext in such a way t hat t he χ 2 -t est aft er one round becomes significant ly higher value. T heir main idea is t o choose such a plaint ext t hat t he least significant five bit s in t he first and t hird words are const ant aft er one-round encrypt ion as follows: 1. t he least significant five bit s in t he first and t hird words are zero; 2. t he fourt h word is set t o t he values t hat int roduce a zero rot at ion in t he 1st round. T heir at t ack cont rols a plaint ext in two part s wit h 5 bit s: 5 bit s corresponding t o t he χ 2 -t est , and 5 bit s in relat ion t o dat a dependent rot at ions. We apply t heir at t ack t o RC5, where a plaint ext is represent ed by 2 words ( L 0 , R 0 ). According t o t heir approach, it is necessary t o cont rol a plaint ext in each block wit h each 5 bit s: 1. t he least significant five bit s of L 0 , l s b5 ( L 0 ), is 0; 2. l s b5 ( R 0 ) int roduces a zero rot at ion in t he 1st round. As a result , available plaint ext s are reduced by 21 0 . Compared wit h RC6, available plaint ext s t o at t ack RC5 are ext remely fewer because t he block size of RC5 is just half of RC6. T herefore, it is crit ical t o reduce available plaint ext s of RC5 by 21 0 in order t o break RC5 wit h a higher round. T his is why t heir at t ack does not work well on RC5 direct ly. In fact , t hey also report t hat t heir at t acks do not

Known P laint ext Correlat ion At t ack against RC5

133

work well on RC5 compared wit h t he exist ing at t ack ([1]). In [3], a correlat ion at t ack is also applied t o RC5. T heir algorit hm searches subkeys from t he final round t o t he 1st round by fixing bot h l s b5 ( R 0 ) and l s b5 ( L 0 ) t o be 0. T herefore, t heir at t ack also suff ers from t he same problem of fewer available plaint ext s. T he import ant fact or t o t arget at RC5 is how t o increase t he available plaint ext s. We invest igat e how an out put aft er h half-rounds, L h + 1 , depends on a chosen plaint ext , and find experiment ally t he following feat ures of RC5: 1. T he χ 2 -values for t he least significant five bit s on L h + 1 become significant ly high by simply set t ing such R 0 t hat fixes a rot at ion amount in t he 1st half-round. Not e t hat any rot at ion amount , even large one, out put s t he higher χ 2 -values. 2. Any consecut ive five bit s on L h + 1 out put s similarly high χ 2 -values by simply set t ing such R 0 t hat fixes a rot at ion amount in t he 1st half-round. Usually, we know t hat out put of RC5 is highly unlikely t o be uniformly dist ribut ed if a plaint ext int roduces small rot at ion amount s such as a zero in t he 1st half-round ([7]). However, from Feat ure 1, out put of RC5 is also highly unlikely t o be uniformly dist ribut ed if only a rot at ion in t he 1st half-round is fixed. Apparent ly, a rot at ion in t he 1st half-round is fixed if and only if t he least significant five bit s of R 0 is fixed. T his means t hat any given plaint ext can be used for correlat ion at t ack by classifying it in t he same least significant five bit s. In t his way, we can ext end a chosen plaint ext correlat ion at t ack t o a known plaint ext at t ack wit hout any cost . From Feat ure 2, any consecut ive five bit s on L h + 1 can be used t o comput e t he χ 2 -values in t he similar success probability. We improve a correlat ion at t ack as a known plaint ext at t ack by t aking full advant age of t he above feat ures. T he main point s of our at t ack on RC5 are as follows: 1. Use any plaint ext by classifying it int o t he same least significant five bit s; 2. Det ermine t he part s, on which t he χ 2 -st at ist ic is measured, according t o t he ciphert ext s. We also present two algorit hms t o recover 31 bit s of t he final half-round key: one recovers each 4 bit s in serial, and t he ot her recovers each 4 bit s in parallel. By employing our correlat ion at t ack, RC5-32 wit h r rounds( h half-rounds) can be broken wit h a success probability of 90% by using 26 . 1 4 r + 2 . 2 7 (23 . 0 7 h + 2 . 2 7 ) plaint ext s. As a result , our at t ack can break RC5-32/ 10 wit h 26 3 . 6 7 plaint ext s in a probability of 90%. In t he case of success probability 30%, our at t ack can break RC5-32 wit h r rounds( h half-rounds) by using 25 . 9 0 r + 1 . 1 2 (22 . 9 5 h + 1 . 1 2 ) plaint ext s. T herefore, our at t ack can break RC5-32 wit h 21 half-rounds by using 26 3 . 0 7 plaint ext s in a probability of 30%. T his paper is organized as follows. Sect ion 2 summarizes some not at ions and definit ions in t his paper. Sect ion 3 applies Knudsen-Meier’s correlat ion at t ack t o RC5, and discusses t he diff erences between RC5 and RC6. Sect ion 4 describes some experiment al result s including t he above feat ures of RC5. Sect ion 5 present s t he chosen plaint ext algorit hm, Main algorit hm. Sect ion 6 discusses how t o ext end Main algorit hm t o t he known plaint ext algorit hm, Ext ended algorit hm. Sect ion 7 applies Ext ended algorit hm t o 31-bit key recovery in t he final round.

134

2

At suko Miya ji, Masao Nonaka, and Yoshinori Takii

P re lim in a ry

T his sect ion denot es some not at ions, definit ions, and experiment al remarks. First we describe RC5 algorit hm aft er defining t he following not at ions. + ( − ): an addit ion (subt ract ion) mod 23 2 ; ⊕ : a bit -wise exclusive OR; r : t he number of rounds; h : t he number of half-rounds ( h = 2r ); a ≪ b( a ≫ b): a cyclic rot at ion of a t o t he left (right ) by b bit s; ( L i , R i ): an input of t he i -t h half-round, and ( L 0 , R 0 ) is a plaint ext ; We S i : t he i -t h subkey( S h + 1 is a subkey of t he h -t h half-round); l s bn ( X ) : t he least significant n bit s of X ; X i : denot es t he i -t h bit of X; [i , j ] X : denot es from t he i -t h bit t o t he j -t h bit of X ( i > j ); X : a bit -wise inversion of X . denot e t he least significant bit (LSB) t o t he 1st bit , and t he most significant bit (MSB) as t he 32-t h bit for any 32-bit element . RC5 encrypt ion is defined as follows: a plaint ext ( L 0 , R 0 ) is encrypt ed t o ( L h + 1 , R h + 1 ) by h half-rounds it erat ions of a main loop, which is called one half-round. T wo consecut ive half-rounds correspond t o one round of RC5. A lg o rit h m 1 ( E n c ry p t io n w it h R C 5 )

1. L 1 = L 0 + S 0 ; R 1 = 2. for i = 1 to h do:

R0

+

L i+ 1

S1;

=

Ri

;

Ri+ 1

= (( L i ⊕

Ri

) ≪Ri)+

S i + 1 ).

We make use of t he χ 2 -t est s for dist inguishing a random sequence from nonrandom sequence ([5,7,8]). Let X = X 0 , ..., X n 1 be a sequence wit h ∀ X i ∈ 2 { a0, · · ·, am 1 } . Let N a j ( X ) be t he number of X i which equals a j . T he χ 2 st at ist ic of X , χ ( X ), est imat es t he diff erence between X and t he uniform dis 2  m 1 n . We use t he t hreshold N a i (X ) − m t ribut ion as follows: χ 2 ( X ) = mn i= 0 for 31 degrees of freedom in Table 2. For example, (level, χ 2 )= (0.95, 44.99) in Table 2 means t hat t he value of χ 2 -st at ist ic exceeds 44.99 in t he probability of 5% if t he observat ion X is uniform. Here, we set t he level t o 0.95 in order t o dist inguish a sequence X from a random sequence. −





T a b le 2 . χ

2

-dist ribut ion wit h 31 degree of freedom

Level 0.50 0.60 0.70 0.80 0.90 0.95 0.99 0.999 0.9999 2 χ 30.34 32.35 34.60 37.36 41.42 44.99 52.19 61.10 69.11

In our experiment s, all plaint ext s are generat ed by using m -sequence ([9]). For example, Main or Ext ended algorit hm uses 59-bit or 64-bit random number generat ed by m -sequence, respect ively. T he plat forms are IBM RS/ 6000 SP (P P C 604e/ 332MHz × 256) wit h memory of 32 GB.

Known P laint ext Correlat ion At t ack against RC5

3

135

A p p ly in g K n u d s e n -M e ie r’ s C o rre la t io n A t t a ck t o R C 5

Knudsen and Meier ([7]) proposed a key-recovery at t ack t o RC6, which est imat es a subkey from t he 1st round t o t he r -t h round by handling a plaint ext . T heir main idea is t o choose such a plaint ext t hat t he least significant five bit s in t he first and t hird words are const ant aft er one-round encrypt ion. T herefore plaint ext s in RC6 are chosen as follows: 1. t he least significant five bit s in t he first and t hird words are zero; 2. t he fourt h word is set t o t he values t hat int roduce a zero rot at ion in t he 1st round. To sum up, t heir at t ack cont rols a plaint ext in two part s wit h 5 bit s: 5 bit s corresponding t o t he χ 2 -t est and 5 bit s in relat ion t o dat a dependent rot at ions. Let us apply t heir idea t o RC5 direct ly. A lg o rit h m 2 ( K nu d se n -M e ie r’ s at t ack t o R C 5 )

This algorithm recovers l s b5 ( S 1 ). Set s = l s b5 ( S 1 ), and l s b5 ( R 0 ) = x . 1. For each s ( s = 0, 1, · · · , 31), set such an x that leads to a zero rotation in the 1-st half-round, that is, set x + s = 0 (mod 32). 2. Choose plaintexts ( L 0 , R 0 ) with ( l s b5 ( L 0 ) , l s b5 ( R 0 )) = (0, x ), and set y = l s b5 ( L h + 1 ) 3. For each ( L 0 , R 0 ), update each array by incrementing cou n t [s ][y ]. 4. For each s , compute the χ 2 -value χ 2 [s ], and output s with the highest value χ 2 [s ] as l s b5 ( S 1 ).

T a b le 3 .

Success probability of Algorit hm 2 (in 100 t rials)

4 half-rounds 6 half-rounds 8 half-rounds # t ext s # keys χ 2 -value∗ # t ext s # keys χ 2 -value∗ # t ext s # keys χ 2 -value∗ 21 0 25 530.12 21 3 20 139.59 21 7 13 69.56 1 9 1 9 2 28 256034.12 2 31 6639.60 22 1 26 443.06 22 3 28 4097164.86 22 3 32 105660.92 22 6 29 13303.08 ∗

T he average of t he maximum χ

2

-value in each t rial.

Table 3 shows t he experiment al result s of Algorit hm 2. From Table 3, we see t hat a correct key can not be effi cient ly recovered, even t hough t he maximum χ 2 -value is enough high. Apparent ly, plaint ext s wit h a zero rot at ion in t he 1st round out put s t he high χ 2 -value, but a small-absolut e-value one such as ± 1, ± 2, et c., also out put s t he high χ 2 -value. Since Algorit hm 2 uses only plaint ext s wit h a zero rot at ion in t he 1st round, it suff ers from ot her high-χ 2 -value plaint ext s, and t hus cannot recover keys effi cient ly. Algorit hm 2 is dist inguishable, but unrecoverable. Furt hermore, Algorit hm 2 can use only 25 4 plaint ext s. In general, t he number of plaint ext s on RC5 is not so large as RC6. Anot her problem may occur in recovering ot her bit s of S 1 because t he rot at ion in t he 1st half-round is det ermined only by l s b5 ( S 1 ). In RC6, t he rot at ion in t he 1st half-round is det ermined by all bit s of S 1 , and t hus t heir algorit hm can work well t o recover all bit s of S 1 . T his is why it is not effi cient t o apply t heir at t ack t o RC5.

136

At suko Miya ji, Masao Nonaka, and Yoshinori Takii

χ

4

2

-S t a t is t ic o f R C 5

In t his sect ion, we invest igat e how t o reduce t he const raint of plaint ext s in order t o increase available plaint ext s. In RC5, l s b5 ( R 0 ) det ermines t he 1st half-round dat a dependent rot at ion, so it would be desirable t o handle l s b5 ( R 0 ) in some way. On t he ot her hand, t he eff ect of l s b5 ( L 0 ) = 0 deeply depends on l s b5 ( R 0 ) as follows: 1. if l s b5 ( R 0 ) is fixed t o a value t hat leads a zero rot at ion in t he 1st half-round like Algorit hm 2, t hen l s b5 ( L 0 ) = 0 can fix l s b5 ( R 2 ), t hat is, fix t he rot at ion amount of t he 2nd half-round, and can also fix l s b5 ( L 3 ) for any available plaint ext ; 2. if l s b5 ( R 0 ) is fixed t o just 0 ([3]), t hen l s b5 ( L 0 ) = 0 can not fix l s b5 ( R 2 ) (i.e. l s b5 ( L 3 )) for any available plaint ext . We experiment ally compare t he eff ect of l s b5 ( L 0 ) = 0, l s b5 ( R 0 ) = 0, or bot h. We also invest igat e which part s out put t he higher χ 2 -st at ist ics. To observe t hese, we conduct t he following five experiment s in each h half-round. χ 2 -t est

on l s b5 ( L h + 1 ) wit h l s b5 ( R 0 ) = l s b5 ( L 0 ) = 0. on l s b5 ( L h + 1 ) wit h l s b5 ( R 0 ) = 0. 2 -t est on l s b5 ( L h + 1 ) wit h l s b5 ( L 0 ) = 0. 2 -t est on l s b5 ( L h + 1 ) wit h l s b5 ( R 0 ) = x ( x = 0, 1, ..., 31). 2 -t est on any consecut ive 5bit s of L h + 1 wit h l s b5 ( R 0 ) = 0.

Te st Te st Te st Te st Te st

1: 2: 3: 4: 5:

4 .1

Te st 1 , 2 , an d 3

χ 2 -t est χ χ χ

Here we show t he experiment al result s of Test 1, 2, and 3 aft er discussing t he diff erences among t hese Test s. T he condit ion of l s b5 ( R 0 ) = 0 means t hat t he rot at ion amount of t he 1st half-round is fixed. T he purpose of Test s 1 and 2 is t o observe t he eff ect of handling a plaint ext in t he part corresponding t o t he χ 2 -t est : Test 1 handles it ; and Test 2 does not handle it . On t he ot her hand, Test 3 set s only l s b5 ( L 0 ) = 0, so it cannot cont rol t he rot at ion amount of t he 1st half-round at all. Table 4 shows t he experiment al result s of Test 1, 2, and 3 which represent t he number of plaint ext s required for χ 2 -value exceeding 44.99. T hese t est s are comput ed t o t he second decimal place, and t he χ 2 -value is comput ed on t he average of 100 diff erent keys. From Table 4, we see t hat t he χ 2 -value in Test 3 is much lower t han t hat in Test 1, and also lower t han t hat in Test 2. Test 3 requires about 25 (23 ) t imes as many plaint ext s as Test 1(Test 2) in order t o get t he same eff ect as Test 1(Test 2). As a result , we see t hat fixing t he rot at ion amount of t he 1st half-round, t hat is, l s b5 ( R 0 ) = 0, causes highly nonuniform dist ribut ion, and t hat Test 3 has no advant age t o bot h Test s 1 and 2. Next we focus on t he eff ect of l s b5 ( L 0 ) = 0 under l s b5 ( R 0 ) = 0. From Table 4, we see t hat in each half-round, t he χ 2 -value in Test 1 is higher t han t hat in Test 2, but t hat almost t he same eff ect of Test 1 is expect ed in Test 2 if we use about 22 t imes plaint ext s as many as Test 1. T he number of plaint ext s required for χ 2 -value exceeding 44.99 on h half-rounds, l og 2 (# t ex t ), is est imat ed l og 2 (# t ex t )

= 3. 03h



3. 21 (Test 1) ,

l og 2 (# t ex t )

= 2. 93h



0. 73 (Test 2)

Known P laint ext Correlat ion At t ack against RC5 T a b le 4 .

# t ext s required for χ

2

-value

>

137

44. 99 in Test 1, 2 and 3 (on t he average of

100 keys)

30

30

25

25

20

20 texts [log]

texts(log)

# half-rounds 4 5 6 7 8 9 Test 1(log2 (# t e x t s )) 9.08 11.77 14.92 18.05 20.93 24.36 Test 2(log2 (# t e x t s )) 10.94 14.05 16.83 19.84 22.79 25.74 Test 3(log2 (# t e x t s )) 14.26 17.26 19.62 23.14 25.75 —

15 10

half-rounds

4 6 8

5

5 7 9

0

10 26.98 28.57 —

15 10

half-rounds

4 6 8

5

5 7 9

0

0

4

8

12

16 LSB5(R0)

20

24

28

# t ext s required for χ 2 -value > 44. 99 in each l s b 5 ( R 0 ) (on t he average of 100 keys) F ig . 1 .

1

5

9

13 17 21 the first bit( i )

25

29

# t ext s required for χ 2 -value > 44. 99 in each consecut ive 5 bit s of L + 1 (on t he average of 100 keys) F ig . 2 .

h

by using t he least square met hod. On t he ot her hand, t he number of available plaint ext s in Test 1(Test 2) is 25 4 (25 9 ). By subst it ut ing t he number of available plaint ext s, we conclude t hat t he case of Test 1, or Test 2 is est imat ed t o be dist inguishable from a random sequence by 18 half-rounds, or 20 half-rounds, respect ively. As a result , Test 2 is more advant ageous t han Test 1. 4 .2

Te st 4 an d 5

We observe t he experiment al result s of Test 4 in Fig. 1. As we have discussed t he above, set t ing l s b5 ( R 0 ) = 0 means t o fix t he rot at ion amount in t he first round. Not e t hat t he rot at ion amount is not necessarily equal t o 0. T herefore, t he same eff ect as l s b5 ( R 0 ) = 0 would be expect ed if only fixing l s b5 ( R 0 ). Test 4 examines t he hypot hesis. In Fig. 1, t he horizont al line corresponds t o t he fixed value of l s b5 ( R 0 ) and t he vert ical line corresponds t o t he number of plaint ext s required for χ 2 -value exceeding 44.99. From Fig. 1, we see t hat any l s b5 ( R 0 ) can be dist inguished from a random sequence in almost t he same way as l s b5 ( R 0 ) = 0. To sum up, we do not have t o set l s b5 ( R 0 ) = 0 in order t o increase t he χ 2 -value. We can use any plaint ext ( L 0 , R 0 ) wit h any R 0 by just classifying it int o t he same l s b5 ( R 0 ). We observe t he experiment al result s of Test 4 in Fig. 1. In Test 5, we comput e t he χ 2 -value in each consecut ive 5 bit s of L h + 1 , and how many plaint ext s are required in order t o exceed t he t hreshold χ 2 -value of 44.99. Fig. 2 shows t he experiment al result s. T he horizont al line corresponds t o t he first bit of consecut ive 5 bit s of L h + 1 , and each plot present s t he number of plaint ext s required for χ 2 -value exceeding 44.99 for each consecut ive 5 bit s. For example, t he case

138

At suko Miya ji, Masao Nonaka, and Yoshinori Takii

L0

R0 00000

S0

S1

z

Lh+1 y-s x

x y-s s

Sh+1 4bits

Lh+1 F ig . 3 .

x 5bits

Rh+1

y 5bits

Out line of Main algorit hm [5 , 1 ]

[4 , 1 ]

of i = 1, or i = 32 corresponds t o L h + 1 , or { L 3h 2+ 1 , L h + 1 } . From Fig. 2, we see t hat any consecut ive five bit s can be dist inguished from a random sequence in [5 , 1 ] almost t he same way as L h + 1 . Correlat ions are observed on any consecut ive five bit s of L h + 1 .

5

A C h o s e n P la in t e x t C o rre la t io n A lg o rit h m

In t his sect ion, we present a key recovery algorit hm, called Main algorit hm. Main algorit hm is designed by making use of t he result s of t est s in Sect . 4 as follows: 1. Only l s b5 ( R 0 ) is fixed t o 0 ( Te st 1 , 2 ); 2. T he part s measured by χ 2 -st at ist ic are not fixed t o l s b5 ( L h + 1 ) ( Te st 5 ); 3. T he χ 2 -value is comput ed on z t o which consecut ive 5 bit s, y , is exact ly decrypt ed by 1 half-round (see Fig. 3); 4. T he decrypt ed, z , is classified int o 32 cases according t o l s b5 ( L h + 1 ) = x , and t he χ 2 -value is comput ed on each dist ribut ion of z for each l s b5 ( L h + 1 ) = x . A lg o rit h m 3 ( M ain alg o rit h m )

This algorithm recovers l s b4 ( S h + 1 ). Set ( l s b5 ( L h + 1 ) , l s b5 ( R h + 1 )) = ( x , y ), and l s b4 ( S h + 1 ) = s , where x is the rotation amount in the h -th half-round. 1. Choose a plaintext ( L 0 , R 0 ) with l s b5 ( R 0 )=0, and encrypt it. 2. For each s ( s = 0, 1, · · · , 15), set S h5 + 1 = 0, and decrypt R h + 1 by 1 half-round. Note that, from the rotation amount x in the h -th half-round, we exactly know where y is decrypted by 1 halfround, which is set to z .

Known P laint ext Correlat ion At t ack against RC5

139

100 90 Success Probability

80 70 60 50 half-rounds

40

4 5 6 7 8 9 10

30 20 10 0 8

F ig . 4 .

10

12

14

16

18

20 22 texts(log)

24

26

28

30

32

Success probability of Main algorit hm (in 100 t rials)

3. For each value s , x , and z , we update each array by incrementing cou n t [s ][x ][z ]. 4. For each s and x , compute χ 2 [s ][x ]. 5. Compute the average a v e [s ] of { χ 2 [s ][x ]} for each s , and output with the highest a v e [s ] as l s b4 ( S h + 1 ).

s

Main algorit hm comput es t he χ 2 -value on z , t o which y is decrypt ed by t he final round subkey. T herefore, t he χ 2 -value in l s b5 ( S h + 1 ) = 1s is coincident wit h t hat in l s b5 ( S h + 1 ) = 0s in t he following reason. For s = l s b4 ( S h + 1 ), we set two candidat es of l s b5 ( S h + 1 ), t = 1s and t = 0s . So t = t + 16 (mod 32). We also set each decrypt ed value of y = l s b5 ( R h + 1 ) by using each key, t or t , t o z or z , [4 , 1 ] , and z 5 = z 5 , and t hus z = z + 16 (mod 32). respect ively. T hen z [4 , 1 ] = z T wo dist ribut ion of cou n t [t ][x ][z ] and cou n t [t ][x ][z ] in Algorit hm 3 sat isfy ′













cou n t [t ][x ][z ] = cou n t [t







][x ][z + 16



(mod 32)].

So, we get χ 2 [t ][x ] = χ 2 [t ][x ] from t he definit ion of χ 2 -value. T his is why t he [5 , 1 ] [5 , 1 ] [4 , 1 ] χ 2 -value in S h + 1 = 1s is coincident wit h t hat in S h + 1 = 0s for s = S h + 1 . Figure 4 and Table 5 show t he success probability among 100 t rials for RC5 wit h 4 − 10 half-rounds. More precise experiment al result s are shown in Table 6. All experiment s are calculat ed t o t he second decimal place. In our policy, we design all experiment s as precisely as possible in order t o est imat e t he effi ciency of algorit hm st rict ly. From Table 6, t he number of plaint ext s required for recovering a key in r rounds( h half-rounds) wit h t he success probability of 90%, l og 2 (# t ex t ), is est imat ed 1 , ′

1

Our est imat ion is comput ed by using t he result s of 5-10 half-rounds except for 4 half-rounds because key recovery wit h 4 half-rounds depends deeply on t he choice of S 0 , and plaint ext s R 0 . T he key recovery wit h 4 half-rounds examines a bias for dist ribut ion of consecut ive 5 bit s in L 4 , which is coincident wit h t hat in L 2 . A bias for dist ribut ion of L 2 depends only on t he 2nd half-round operat ion, S 0 , and plaint ext s R 0 . In fact , t he coeffi cient of det erminat ion ([12]) for approximat ion polynomial including t he result of 4 half-rounds is worse t han t hat for approximat ion polynomial wit hout t he result of 4 half-rounds.

140

At suko Miya ji, Masao Nonaka, and Yoshinori Takii T a b le 5 .

Success probability of Main algorit hm (in 100 t rials) 4 half-rounds 5 half-rounds 6 half-rounds # t ext s # keys # t ext s # keys # t ext s # keys 21 0 31 21 4 42 21 7 48 1 1 1 5 2 69 2 75 21 8 72 21 2 93 21 6 99 21 9 94

7 half-rounds 8 half-rounds 9 half-rounds 10 half-rounds # t ext s # keys # t ext s # keys # t ext s # keys # t ext s # keys 22 0 46 22 3 41 22 6 35 22 9 44 22 2 88 22 5 89 22 8 84 23 1 88 22 3 100 22 6 98 22 9 98 23 2 99 # t ext s required for recovering a key wit h t he success probability 90% and 45% in Main algorit hm

T a b le 6 .

# half-rounds 4 5 6 7 8 9 10 log2 (# t e x t ) (90%) 11.89 15.43 18.78 22.07 25.15 28.28 30.92 log2 (# t e x t ) (45%) 10.76 13.94 17.23 19.96 23.22 26.59 29.30

l og 2 (# t ex t )

= 6. 23r + 0. 07, ( l og 2 (#

t ex t )

= 3. 12h + 0. 07) ,

by using t he least square met hod. In t he case of success probability of 45%, t he number of required plaint ext s is est imat ed as follows, l og 2 (# t ex t )

= 6. 18r



1. 47 ( l og 2 (#

t ex t )

= 3. 09h



1. 47) .

By subst it ut ing l og 2 (# t ex t ) = 59, Main algorit hm can break RC5-32 wit h 18 rounds wit h 25 6 . 2 3 plaint ext s wit h a probability of 90%. Wit h a success probability of 30%, Main algorit hm can break RC5-32 wit h 19 half-rounds by using 25 7 . 2 4 plaint ext s. From t hese result s, we see t hat it is indispensable t o increase available plaint ext s in order t o break RC5 wit h higher round.

6

A K n o w n P la in t e x t C o rre la t io n A lg o rit h m

In t his sect ion, we present a key recovery algorit hm, called Ext ended algorit hm, which applies Main algorit hm t o a known plaint ext at t ack. 6 .1

E x t e n d e d A lg o rit h m

Ext ended algorit hm classifies any plaint ext ( L 0 , R 0 ) int o t he same l s b5 ( R 0 ), and applies Main algorit hm as follows. A lg o rit h m 4 ( E x t e n d e d alg o rit h m )

This algorithm recovers l s b4 ( S h + 1 ). Set s = l s b4 ( S h + 1 ), and x = l s b5 ( L h + 1 ) in the same way as Algorithm 3.

Known P laint ext Correlat ion At t ack against RC5

141

100 half-rounds 4 5 6 7 8 9 10

90 Success Probability

80 70 60 50 40 30 20 10 0 8

F ig . 5 .

10

12

14

16

18

20 22 texts(log)

24

26

28

30

32

Success probability of Ext ended algorit hm (in 100 t rials)

T a b le 7 .

Success probability of Ext ended algorit hm (in 100 t rials) 4 half-rounds 5 half-rounds 6 half-rounds # t ext s # keys # t ext s # keys # t ext s # keys 21 3 43 21 6 30 21 9 30 1 4 1 7 2 95 2 65 22 0 71 21 5 100 21 8 94 22 1 95

7 half-rounds 8 half-rounds 9 half-rounds 10 half-rounds # t ext s # keys # t ext s # keys # t ext s # keys # t ext s # keys 22 2 41 22 5 27 22 8 35 23 1 37 2 3 2 6 3 0 2 72 2 57 2 88 23 2 60 22 4 96 22 7 96 23 1 99 23 3 90

1. Given n known plaintexts ( L 0 , R 0 ), set l = l s b5 ( R 0 ), and encrypt it. 2. For each l , compute χ 2 [l ][s ][x ] according to Step 2-4 in Algorithm 3. 3. Compute the average a v e [l ][s ] of { χ 2 [l ][s ][x ]} x for each  31 4. Compute s u m [s ] = a v e [l ][s ] for each s , and output l= 0 highest s u m [s ] as l s b4 ( S h + 1 ).

s s

and each l . with the

Figure 5 and Table 7 show t hat t he success probability among 100 t rials for RC5 wit h 4 − 10 half-rounds. More precise experiment al result s are shown in Table 8. From Table 8, t he number of plaint ext s required for recovering a key on r rounds( h half-rounds) wit h t he success probability of 90%, l og 2 (# t ex t ), is est imat ed, l og 2 (# t ex t )

= 6. 14r + 2. 27 ( l og 2 (#

t ex t )

= 3. 07h + 2. 27) ,

by using t he least square met hod. By subst it ut ing l og 2 (# t ex t ) = 64, we conclude t hat our algorit hm is est imat ed t o recover a key on RC5 wit h 20 half-rounds

142

At suko Miya ji, Masao Nonaka, and Yoshinori Takii

# t ext s required for recovering a key wit h t he success probability 90%, 45%, and 30% in Ext ended algorit hm

T a b le 8 .

# half-rounds 4 5 6 7 8 9 log2 (# t e x t ) (90%) 13.96 17.73 20.63 23.71 26.64 30.01 log2 (# t e x t ) (45%) 13.09 16.39 19.41 22.14 25.62 28.43 log2 (# t e x t ) (30%) 12.53 15.94 18.81 21.63 25.07 27.53 T a b le 9 .

T he χ

2

10 33.00 31.52 30.70

-value of correct keys and wrong keys in 4 half-rounds (in 100 t rials)

Key recovering Correct keys Wrong keys∗ # t ext s probability Average Variance Average Variance Main algorit hm 21 2 93% 40.50 3.69 38.42 2.41 Ext ended algorit hm 21 4 95% 32.31 0.10 32.08 0.09 ∗

T he highest χ

2

-value among wrong keys is used for each t rial.

wit h 26 3 . 6 7 plaint ext s in t he success probability of 90%. In t he case of success probability of 30%, t he number of required plaint ext s is est imat ed as follows, l og 2 (# t ex t )

= 5. 90r + 1. 12 ( l og 2 (#

t ex t )

= 2. 95h + 1. 12) .

T herefore, our algorit hm can recover a key on RC5 unt il 21 half-rounds wit h 26 3 . 0 7 plaint ext s in t he success probability of 30%.

6 .2

Fu rt h e r D isc u ssio n

Here we discuss t he diff erence between Ext ended algorit hm and Main algorit hm. Ext ended algorit hm requires about 22 t imes as many plaint ext s as Main algorit hm in order t o recover correct keys as we have seen in Table 7 and 5. Since all plaint ext s in our experiment s are randomly generat ed by m -sequences, l s b5 ( R 0 ) of plaint ext s in Ext ended algorit hm are roughly est imat ed t o be uniformly dist ribut ed in { 0, 1, · · · , 31} . As a result , t he χ 2 -value in Ext ended algorit hm is comput ed by using about 2 3 t imes as many plaint ext s as Main algorit hm because t he χ 2 -value in Ext ended algorit hm is comput ed for each l s b5 ( R 0 ). We invest igat e experiment ally t he relat ion between χ 2 -value of correct keys and t hat of wrong keys in bot h algorit hms. Table 9 shows each average and variance in 100 keys. As for wrong keys, t he highest χ 2 -value among wrong keys is shown, which oft en causes t o recover a wrong key. From Table 9, we see t hat t he average among χ 2 -value of correct keys in Ext ended algorit hm is lower and t he variance is much lower t han t hat in Main algorit hm. We expect t hat Ext ended algorit hm reduces t he variant of χ 2 -value by using not specific l s b5 ( R 0 ) but all l s b5 ( R 0 ), and recovers a key wit h t he lower χ 2 -value. T hus, Ext ended algorit hm can recover a key effi cient ly wit h t he lower χ 2 -value. −

Known P laint ext Correlat ion At t ack against RC5

143

100 90 Success Probability

80 70 60

4 half-rounds

50

6 half-rounds

40

8 half-rounds

30 20 1-4bit 17-20bit

10

5-8bit 21-24bit

9-12bit 25-28bit

13-16bit 28-31bit

0 12

F ig . 6 .

7

14

16

18

20 22 texts(log)

24

26

28

Success probability of serial key recovery (in 100 t rials)

3 1 -B it K e y R e c o v e ry in t h e F in a l R o u n d

Here discusses two algorit hms t hat recover 31-bit -final-round subkey: t he serial key recovery algorit hm, and t he parallel key recovery algorit hm. 7 .1

T h e S e rial K e y R e c ov e ry A lg o rit h m

T he serial key recovery algorit hm recovers each 4 bit s sequent ially from

[4 , 1 ]

Sh + 1

to

[2 8 , 2 5 ] [3 1 , 2 8 ] Sh + 1 and S h + 1 by using Algorit hm 4. For example, in t he case of recovering [4 , 1 ] [8 , 5 ] S h + 1 , we set S h + 1 t o t he value recovered before and apply Algorit hm 4 by set t ing [8 , 5 ] [9 , 5 ] [3 1 , 2 9 ] s = S h + 1 and y = R h + 1 . As for t he final 3 bit s, S h + 1 , we apply Algorit hm 4 [3 1 , 2 8 ] [3 1 , 2 8 ] by using s = S h + 1 and recover S h + 1 . Aft er repeat ing t he above procedures [3 1 , 1 ] by eight t imes, S h + 1 , t hat is, all bit s of S h + 1 except for MSB are recovered.

T he experiment al result s of serial key recovery are shown in Fig. 6. Compared [3 1 , 2 8 ] [8 , 5 ] wit h Fig. 6 and Table 7, we see t hat any key of any int erval from S h + 1 t o S h + 1 can be recovered wit h almost t he same high probability as

[4 , 1 ]

Sh + 1 .

In t he case of

[3 1 , 1 ]

[3 1 , 1 ]

4 half-rounds, 6 half-rounds, or 8 half-rounds, we can recover S 5 , S7 , or [3 1 , 1 ] S9 wit h a success probability of about 99%, 97%, and 92% by using about 21 5 , 22 1 , or 22 7 plaint ext s on t he average, respect ively. 7 .2

T h e P aralle l K e y R e c ov e ry A lg o rit h m

We have seen t hat t he serial key recovery algorit hm can recover t he final half[3 1 , 1 ] round key S h + 1 wit h t he significant ly high success probability. However, unfort unat ely, t he serial key recovery algorit hm can not work in parallel. T his sect ion [4 , 1 ] [3 1 , 2 8 ] invest igat es how t o recover each subkey of S h + 1 ,..., S h + 1 in parallel. Before showing our parallel key recovery algorit hm, we conduct t he next experiment .

144

At suko Miya ji, Masao Nonaka, and Yoshinori Takii 100 90 4 half-rounds

Success Probability

80

6 half-rounds

70 8 half-rounds

60 50 40 30 20 1-4bit 17-20bit

10

5-8bit 21-24bit

9-12bit 25-28bit

13-16bit 28-31bit

0 14

16

18

20

22 texts(log)

F ig . 7 .

Success probability of Test 6 (in 100 t rials)

[4 + 4 i , 1 + 4 i ]

Te st 6 : Apply Algorit hm 4 t o S h + 1 [4 + 4 i , 1 + 4 i ] Sh + 1

26

( i = 0, 1, · · · , 6) or

[3 1 , 2 8 ] Sh + 1

lower bit s of S h + 1 t han or which a correct key can be recovered.

24

28

[3 1 , 2 8 ]

Sh + 1

by set t ing

t o 0. Comput e t he probability wit h [4 , 1 ]

Figure 7 shows t he experiment al result s in Test 6. T he result of S h + 1 in Test 6 is t he same as t hat in Ext ended algorit hm (Table 7). Figure 7 shows t hat Test 6 suff ers complet ely from error bridging of lower bit s. More import ant ly, t he probability of Test 6 converges t o about 50%: however many plaint ext s are used, t he probability has never become higher t han an upper bound. From t his, we put forward a hypot hesis t hat some specific keys are not recovered. In fact , we [8 , 5 ] [8 , 5 ] see experiment ally t hat , in t he case of recovering keys of S h + 1 , S h + 1 wit h t he lower bit s wit h

[4 , 1 ]

Sh + 1

[4 , 1 ]

Sh + 1

= 8, · · · , 15 can not be almost recovered. Especially, any

= 13, · · · , 15 can not be recovered at all however many plaint ext s are

used. T he success probability of recovering keys in lower bit s

[8 , 5 ]

Sh + 1

[8 , 5 ]

Sh + 1

deeply depends on t he

[4 , 1 ] Sh + 1 .

For simplicity, let us invest igat e t he case of recovering discussion also holds in ot her cases of

[3 1 , 2 8 ] [1 2 , 9 ] Sh + 1 , · · · , Sh + 1 .

[8 , 5 ]

Sh + 1 .

T he same

In Test 6, we set

[8 , 5 ] lower 4 bit s t han S h + 1 t o be 0. To make t he discussion clear, we denot e t he [4 , 1 ] real value by S h + 1 , and t he assumed value by β . In Test s 6, β = 0. For any [9 , 5 ] [9 , 5 ] R h + 1 , ( R h + 1 − S h + 1 ) [9 , 5 ] is det ermined by S h + 1 , R h + 1 , and t he bridging on [4 , 1 ] [4 , 1 ] [4 , 1 ] ( R h + 1 − S h + 1 ), which is est imat ed by ( R h + 1 − β ). T his is why key recovering [4 , 1 ] is failed if and only if t he bridging on ( R h + 1 − β ) is not coincident wit h t hat [4 , 1 ] [4 , 1 ] [4 , 1 ] on ( R h + 1 − S h + 1 ). T he probability t hat bridging on ( R h + 1 − β ) is not coinci[4 , 1 ] [4 , 1 ] [4 , 1 ] dent wit h t hat on ( R h + 1 − S h + 1 ) is diff erent for each S h + 1 . For example, in [4 , 1 ] [4 , 1 ] t he case of S h + 1 = 0, a bridging on ( R h + 1 − 0) is apparent ly coincident wit h

Known P laint ext Correlat ion At t ack against RC5 T a b le 1 0 .

S

Error-bridging

[4 ,1 ] h + 1

error-bridging R P robability

[4 ,1 ] h + 1

R

[4 ,1 ] h + 1

and t he probability for

S

[4 ,1 ] h + 1

145

( β = 0)

0 1 2 3 4 5 6 7 - 0 0,1 0,1,2 0, · · · , 3 0, · · · , 4 0, · · · , 5 0, · · · , 6 0 1/ 16 2/ 16 3/ 16 4/ 16 5/ 16 6/ 16 7/ 16

8 9 10 11 12 13 14 15 0, · · · , 7 0, · · · , 8 0, · · · , 9 0, · · · , 10 0, · · · , 11 0, · · · , 12 0, · · · , 13 0, · · · , 14 1/ 2 9/ 16 10/ 16 11/ 16 12/ 16 13/ 16 14/ 16 15/ 16 Success probability of each key recovering in probability ( β = 0, in 100 keys)

T a b le 1 1 .

S

[8 ,5 ] h + 1

wit h each error-bridging

Error-bridging 4 half-rounds 6 half-rounds 8 half-rounds [4 1 ] probability S + 1 21 4 21 7 22 0 22 0 22 3 22 6 22 6 22 9 23 2 < 1/ 2 0, · · · , 7 33/ 55 55/ 55 55/ 55 30/ 51 51/ 51 51/ 51 31/ 51 50/ 51 51/ 51 ≥ 1/ 2 8, · · · , 15 7/ 45 4/ 45 5/ 45 4/ 49 3/ 49 2/ 49 10/ 49 3/ 49 2/ 49 ≥ 13/ 16 13, · · · , 15 0/ 13 0/ 13 0/ 13 0/ 23 0/ 23 0/ 23 0/ 22 0/ 22 0/ 22 ,

h

[4 , 1 ]

t hat on ( R h + 1 [4 , 1 ] Sh + 1

if t he [4 , 1 ] Sh + 1 ,

each probability,



[4 , 1 ]

Sh + 1 )

for any

[4 , 1 ]

R h + 1.

[4 , 1 ] bridging on ( R h + 1 − β ) [4 , 1 ] we comput e R h + 1 t hat

#

{

[4 , 1 ]

Rh+1



t

|

Here,

[4 , 1 ]

Rh+1

is called an error-bridging for [4 , 1 ]

is diff erent wit h t hat on ( R h + 1

[4 , 1 ]

S h + 1 ).

For

is an error-bridging, and t he error-bridging

t

is an error-bridging.}

#

{

[4 , 1 ]

.

R h + 1}

Table 10 shows t he result s. From Table 10, in t he case of [4 , 1 ]



[4 , 1 ]

Sh + 1

[4 , 1 ]

= 8, · [4 , 1 ]

· ·,

15, a

bridging on ( R h + 1 − 0) is not coincident wit h t hat on ( R h + 1 − S h + 1 ) wit h t he probability of 1/ 2 and over. In t hese keys, t he χ 2 -value is comput ed by using invalid value wit h t he probability of 1/ 2 and over. T herefore, it is expect ed t hat recovering such keys is diffi cult even if many plaint ext s are used. To observe t his, we conduct an experiment on t he relat ion between t he success probability of a key recovering and t he error-bridging probability. Table 11 shows t he success probability of keys wit h t he error-bridging probability of less t han 1/ 2, t hat of 1/ 2 or above, and t hat of 13/ 16 or above. In Table 11, we see t hat : 1. keys wit h t he error-bridging probability of less t han 1/ 2 can be recovered correct ly by using enough many plaint ext s; 2. keys wit h t he error-bridging probability of 1/ 2 and over cannot almost be recovered correct ly even if many plaint ext s are used; 3. any key wit h t he error-bridging probability of 13/ 16 and over cannot be recovered correct ly. From t hese observat ion, we est imat e t he lower bound of probability t o recover a correct key, P r( β ), as t he probability of keys wit h t he error-bridging-probability of less t han 1/ 2,

146

At suko Miya ji, Masao Nonaka, and Yoshinori Takii Error-bridging

T a b le 1 2 .

S

[4 ,1 ]

[4 ,1 ] h + 1

and t he probability for

S

[4 ,1 ] h + 1

( β = 8)

0 1 2 3 4 5 6 7 0, · · · , 7 1, · · · , 7 2, · · · , 7 3, · · · , 7 4, · · · , 7 5, 6, 7 6, 7 7 1/ 2 7/ 16 6/ 16 5/ 16 4/ 16 3/ 16 2/ 16 1/ 16

h + 1

error-bridging R P robability

R

[4 ,1 ] h + 1

8 9 10 11 12 13 14 15 – 8 8, 9 8, 9, 10 8, · · · , 11 8, · · · , 12 8, · · · , 13 8, · · · , 14 0 1/ 16 2/ 16 3/ 16 4/ 16 5/ 16 6/ 16 7/ 16 Success probability of each key recovering in probability ( β = 8, in 100 keys)

T a b le 1 3 .

S

[8 ,5 ] h + 1

wit h each error-bridging

Error-bridging 4 half-rounds 6 half-rounds 8 half-rounds [4 1 ] probability S + 1 21 4 21 7 22 0 22 0 22 3 22 6 22 6 22 9 23 2 < 1/ 2 1, · · · , 15 55/ 92 92/ 92 92/ 92 37/ 92 90/ 92 91/ 92 40/ 95 93/ 95 95/ 95 1/ 2 0 4/ 8 3/ 8 4/ 8 3/ 8 4/ 8 3/ 8 1/ 5 4/ 5 5/ 5 ,

h

P r( β ) =

#

{

[4 , 1 ]

Sh + 1



t

|

t he error-bridging probability of t #

[4 , 1 ] { S } h + 1

1 is recommendable in order t o having a chance t o cat ch two checks from t he same user wit h t he same serial number (rat her t han t hrowing out such a user lat er on “st at ist ical evidence”). Not ice t hat t he merchant may deposit at prescribed t imes, t 1 , t 2 , . . ., or at t imes of his choice. For inst ance, at a t ime t in which he has new checks t ot aling a given value (so t hat he does not want t o delay payment any furt her), or when he has suffi cient ly many new checks (and does not want t o st ore t hem any more). As in MR1 and MR2, users and merchant may collude, but again wit h lit t le or no benefit , since t he bank may adopt t he same defense mechanisms. Honest users who look suspicious may be t reat ed similarly t oo. Variants. Variant s of t he MR1/ MR2 schemes may also be applied here. In addit ion, t he merchant may make use of Merkle t rees t o commit t o L 1 , . . . , L n . Check value informat ion may be aut hent icat ed wit hin t he t ree or alongside wit h it . In part icular, t he Merkle t ree may aut hent icat e at each node t he t ot al value of t he checks “st ored below it ,” as well as t he t ot al value of t he check st ored below each child. T he same holds for check t ime informat ion. T he root of t he Merkle t ree may be digit ally signed by t he merchant – possibly t oget her wit h ot her dat a, such as (part ial or t ot al) check value and t ime informat ion. T he value of n may be variable or fixed. T he bank may choose k out t he n list s t o have t he merchant decommit , and pay t he merchant an amount t hat depends on k , n and t he value in t he checks cont ained in t he k de-commit t ed list s. For inst ance, if t he t ot al value of t hese checks is T V , t he bank may pay nT V/ k. Banks and merchant may agree not t o process deposit s whose checks t ot al more t han a given value, or deposit s cont aining a list t ot aling more t han a given value. (T his discourages a single cheat ing at t empt wit h t he goal of get t ing eit her a high payoff or going bust .) 5

C o n c lu s io n s

We believe t hat t he schemes present ed here provide eff ect ive solut ions t o t he micropayment s problem. Malicious behavior of a single player is generally prevent ed by design, while malicious behavior of a coalit ion of players is dealt wit h by a penalty syst em backed up by hard evidence. From a user’s point of view, t he int erface is beaut ifully simple: it is just like writ ing (small) checks. From t he bank’s point of view, it is just like processing (large) checks. And t he merchant is happy, because he can effi cient ly aggregat e small payment s from many users. R e fe r e n c e s 1. W . Alexi, B. Chor, O. Goldreich, and C. P. Schnorr. Rsa/ rabin funct ions: Cert ain part s are as hard as t he whole. SI A M J our n al on C om put i n g, 17(2):194–209, J une 13 1988.

Micropayment s Revisit ed

163

2. Ross Anderson, Harry Manifavas, and Chris Sut herland. Net Card – A pract ical elect ronic cash syst em. In P r oceedi n gs Four t h C am br i dge W or kshop on Secur i t y P r ot ocols, volume 1189 of L ect ur e N ot es i n C om put er Sci en ce. Springer, 1996. 3. Shimon Even, Oded Goldreich, and Silvio Micali. On-line/ off -line digit al signat ures. In Gilles Brassard, edit or, A dvan ces i n C r ypt ology - C r ypt o ’ 89, pages 263– 277, Berlin, 1989. Springer-Verlag. Lect ure Not es in Comput er Science Volume 435. 4. P hillip Hallam-Baker. W 3C payment s resources, 1995. http://www.w3.org/hypertext/WWW/Payments/overview.html. 5. Ralf Hauser, Michael St einer, and Michael Waidner. Micro-payment s based on iKP . Technical Report 2791 (# 89269), J une 1996. 6. St anislaw J arecki and Andrew Odlyzko. An effi cient micropayment scheme based on probabilist ic polling. In P r oceedi n gs 1997 F i n an ci al C r ypt ogr aphy C on fer en ce, volume 1318 of L ect ur e N ot es i n C om put er Sci en ce, pages 173–191, Springer, 1997. 7. Charanjit J ut la and Mot i Yung. P ayTree: “amort ized-signat ure” for flexible MicroP ayment s. In P r oceedi n gs of t he Secon d U SE N I X W or kshop on E lect r on i c C om m er ce, pages 213–221. USENIX, 1996. 8. Laurie Law, Susan Sabet t , and J erry Solinas. How t o make a mint : t he crypt ography of anonymous elect ronic cash. Nat ional Security Agency, Offi ce of Informat ion Security Research and Technology, Crypt ology Division, J une 1996. 9. Richard J . Lipt on and Rafail Ost rovsky. Micro-payment s via effi cient coin-flipping. In P r oceedi n gs of Secon d F i n an ci al C r ypt ogr aphy C on fer en ce, ’ 98, volume 1465 of L ect ur e N ot es i n C om put er Sci en ce L N C S, pages 1–15, February 1998. 10. Mark S. Manasse. Millicent (elect ronic microcommerce), 1995. http:// www.research.digital.com/SRC/personal/Mark Manasse/uncommon/ ucom.html. 11. S. Micali, M. Rabin, and S. Vadhan. Verifiable random funct ions. In P r oc. 40t h Sym p. on Foun dat i on s of C om put er Sci en ce, pages 120–130, Oct ober 1999. 12. Silvio Micali. Cert ified e-mail wit h invisible post offi ces. In P roceedings RSA97, San Francisco, CA, J anuary 1997. Also, U.S. P at ent No. 5,666,420. 13. Silvio Micali. Effi cient cert ificat e revocat ion. In P roceedings RSA97, San Francisco, CA, J anuary 1997. Also U.S. P at ent No. 5,666,416. 14. Torben P. P edersen. Elect ronic payment s of small amount s. Technical Report DAIMI P B-495, Aarhus University, Comput er Science Depart ment , ˚A rhus, Denmark, August 1995. 15. Ronald L. Rivest . Elect ronic lot t ery t icket s as micropayment s. In P r oceedi n gs of F i n an ci al C r ypt ogr aphy ’ 97, volume 1318 of L ect ur e N ot es i n C om put er Sci en ce, pages 307–314. Springer, 1997. (Available as http://theory.lcs.mit.edu/˜rivest/lottery.pdf). 16. Ronald L. Rivest and Adi Shamir. P ayWord and MicroMint –two simple micropayment schemes. In Mark Lomas, edit or, P r oceedi n gs of 1996 I n t er n at i on al W or kshop on Secur i t y P r ot ocols, volume 1189 of L ect ur e N ot es i n C om put er Sci en ce, pages 69–87. Springer, 1997. (Also available in Crypt oByt es, volume 2, number 1 (RSA Laborat ories, Spring 1996), 7–11, and at http://theory.lcs.mit.edu/˜rivest/RivestShamir-mpay.pdf). 17. Adi Shamir, 2001. P ersonal communicat ion. 18. W 3C. Micropayment s overview. http://www.w3.org/ECommerce/Micropayments/. 19. David W heeler. Transact ions using bet s. In Mark Lomas, edit or, Secur i t y P r ot ocols, volume 1189 of L ect ur e N ot es i n C om put er Sci en ce, pages 89–92. Springer, 1996. (Also available by ft p from t he server ftp.cl.cam.ac.uk as /users/djw3/tub.ps.).

P ro p rie t a ry C e rt ifi c a t e s ( E x t e n d e d A b s t ra c t ) Markus J akobsson 1 , Ari J uels1 , and P hong Q. Nguyen 2 1

RSA Laborat ories { mjakobsson,ajuels} @rsasecurity.com 2 ´ CNRS/ Ecole normale sup´erieure [email protected] A b st r a c t . Cert ificat es play an essent ial role in public-key crypt ography, and are likely t o become a cornerst one of commerce-relat ed applicat ions. Tradit ional cert ificat es, however, are not secure against cer ti fi cate lendi ng, i.e., a sit uat ion in which a cert ificat e holder volunt arily shares wit h ot hers t he right s best owed upon him t hrough a cert ificat e. T his type of abuse is a concern in several types of applicat ions, such as t hose relat ed t o digit al right s management . In t his paper, we int roduce t he not ion of propr i etar y and col lateral cert ificat es. We present a scheme whereby one cert ificat e, known as a propr i etar y cert ificat e, may be linked t o anot her, known as a col lateral cert ificat e. If t he owner of t he propriet ary cert ificat e shares t he associat ed privat e key, t hen t he privat e key of t he collat eral cert ificat e is simult aneously divulged. Cert ificat es in our scheme can be int egrat ed easily int o st andard P KI models and work wit h bot h RSA and discret e-log-based keys (such as t hose for DSS). Our scheme leaks no significant informat ion about privat e keys, and leaks only a small amount of informat ion about cert ificat e ownership. T hus, use of propriet ary cert ificat es st ill allows users t o maint ain mult iple, unlinkable pseudonyms, and adds funct ionality wit hout posing any t hreat s t o user privacy. K e y w o r d s: cert ificat es, collat eral key, digit al right s, fair encrypt ion, propriet ary key

1

In t ro d u c t io n

A digit al cert ificat e assigns an ident ity or a right t o it s holder, t hat is, t o t he possessor of t he associat ed privat e key. T his assignment is made by way of a digit al signat ure t hat a cert ificat e aut hority (CA) applies t o t he corresponding public key and t o a descript ion of t he cert ificat e’ s scope of use. Cert ificat es may be employed for such broad purposes as binding a user ident ity t o a public key for purposes of encrypt ion, or t o assign an ent ity t he aut hority t o sign legal document s on it s own behalf. More specific sit uat ions in which cert ificat es may be useful include t he grant ing of access right s t o a building or t o a subscript ionbased service. It is implicit ly assumed t hat cert ificat es, and t he right s t hat come wit h t hem, belong solely t o t he person or ent ity t o which t hey were issued. T he issue of n on tran sferability of cert ificat es and t heir associat ed right s, however, has been only B . P r e n e e l ( E d . ) : C T -R S A 2 0 0 2 , L N C S 2 2 7 1 , p p . 1 6 4 – 1 8 1 , 2 0 0 2 .  c S p r in g e r -V e r la g B e r lin H e id e lb e r g 2 0 0 2

P ropriet ary Cert ificat es

165

superficially addressed in t he lit erat ure. In t his paper we propose t he not ion of proprietary certifi cates , which are cert ificat es wit h t he property t hat t heir right s cannot be t ransferred (corresponding t o giving somebody t he privat e keys associat ed wit h t he cert ified public keys) wit hout punit ive leakage of collat eral informat ion. We believe t hat propriet ary cert ificat es may be import ant for t hree reasons. One is t he likely fut ure dependence on cert ificat es for applicat ions relat ing t o commerce, and t he benefit of incorporat ing new funct ionality int o cert ificat es. A second is t he need for user privacy, which our solut ion preserves t o a high degree. T he t hird and perhaps most crit ical reason is t he likely possibility of a proliferat ion of fair charging and access cont rol mechanisms for informat ionbased Web services in t he near fut ure. Wit h many forms of Web advert ising in decline (see, e.g., [19]), cont ent providers have expressed a growing need t o t urn t o subscript ion fees for revenue at some point . We t herefore see t he main cont ribut ion of our paper as t he concept of propriet ary cert ificat es, wit h it s possible impact on t he development of new services. Our primary focus is t o exhibit secure and reasonably effi cient st ruct ures for propriet ary cert ificat es. In doing so, we rely t o a large ext ent on a combinat ion of crypt ographic component s int roduced for ot her purposes. Our current proposal causes an increase of t he cert ificat e size of between 384 and 768 Byt es, depending on t he crypt osyst ems used. Alt ernat ively, t his cert ificat e augment at ion may be kept ext ernally, indexed by t he propriet ary cert ificat e it relat es t o. Such an approach would allow t he cert ificat es t o ret ain t heir exact format while ext ending t heir funct ionality by means of t his ext ernal record. We not e t hat a furt her st udy of appropriat e mechanisms – wit h a focus on t heir use in propriet ary cert ificat es – may result in more compact cert ificat es. We develop a mechanism t o ensure t hat users can produce mult iple unlinkable cert ified pseudonyms, wit h t he cert ificat es issued by one or many cert ificat e aut horit ies, such t hat it is impossible for a user t o give away t he right (t o anot her user) t o issue one or more types of signat ures or ot her secret funct ions relat ed t o t he cert ificat es. T his holds unless t he user gives away t he right t o issue all kinds of signat ures for all kinds of cert ificat es and pseudonyms he holds, which means a t ot al impersonat ion of t he “lender”. Also, it is possible t o produce a syst em in which some keys (but not all) are released, were some keys t o be given out . T hus, if a user is not willing t o give away t he right t o sell his home t o a second user, or t o sign ot her legal document s for t he first user, he can also not give away or share t he right t o access a subscript ion, or t o ent er a building, et c. (T his assumes off -line collaborat ion, which is a good model for many scenarii.) In ot her words, we show how we can const ruct cert ificat es on unlinkable pseudonyms such t hat t he disclosure of one privat e key (which we will call t he proprietary key) aut omat ically implies t he disclosure of a second privat e key (what we call t he collateral key). If two keys are each ot hers’ collat eral (direct ly or indirect ly), we call t he relat ionship sym m etric ; ot herwise asym m etric . A t rivial approach would be t o have t he user employ t he same privat e and public keys for every cert ificat e (or for many). T his approach has several draw-

166

Markus J akobsson, Ari J uels, and P hong Q. Nguyen

backs. First , it immediat ely and publicly links t he ident ity of t he holder t o all of t he associat ed cert ificat es, t hereby undermining t he privacy guarant ees aff orded by unlinkability. Second, t his approach is crude in t hat it does not permit t he est ablishment of asymmet ric relat ionships. In t he t rivial approach, disclosure of privat e keys is all or not hing, whereas our approach allows for a great deal more refinement , as we show below. Finally, in t he t rivial approach, t here is no clear way t o link cert ificat es employing diff erent crypt osyst ems. In cont rast , we demonst rat e in t his paper how t o off er t his kind of flexibility. Technically, t his can be achieved by incorporat ing a ciphert ext corresponding t o t he collat eral privat e key (or a represent at ion t hereof), eit her in t he propriet ary cert ificat e, or in an ext ernal dat abase. (Onwards, we assume t he ciphert ext t o be part of t he cert ificat e, for simplicity, but not e t hat t he opt ions are t echnically equivalent .) Given t hat t he encrypt ion of t he collat eral key would be performed using t he propriet ary public key, we have t hat a party wit h knowledge of t he propriet ary privat e key will be able t o derive t he collat eral privat e key by decrypt ion of t his ciphert ext . Assuming t he use of semant ically secure encrypt ion, t he ciphert ext will not reveal any informat ion about t he link between t he two public keys or t heir cert ificat es. It is import ant t o not e t hat it is not suffi cient simply t o encrypt one privat e key using anot her public key and incorporat e t he result in t he cert ificat e. Namely, it is import ant t o guarant ee robust ness (i.e., t o allow t he CA t o be cert ain about t he cont ent s of t he ciphert ext ) wit hout having t o give t he encrypt ed privat e key t o any party or set of part ies. Anot her t echnical diffi culty is t o provide t he above funct ionality for schemes support ed by st andards, as opposed t o schemes and st ruct ures designed solely for t he purpose of t he paper. While t he ”int erior” of our solut ion cont ains schemes t hat are not current ly support ed by st andards (such as Paillier’s encrypt ion scheme), it is import ant t o not e t hat t he ”ext erior” of our solut ion relat es t o st andard schemes, namely RSA and DSS. T his means t hat any RSA or DSS key can be used as a propriet ary or collat eral key. Out line. We begin in sect ion 2 by describing t he relat ed work, followed in sect ion 3.1 by an informal descript ion of our goals and a st at ement of t he cont ribut ions of t he paper. We t hen describe our t echnical approach in sect ion 3.2, but keep t he discussion on a det ail-free and int uit ive level. In sect ion 4, we t hen int roduce denot at ion and out line t he st ruct ure of our modified cert ificat es, and review t he building blocks we will use. In sect ion 5 we t hen describe our solut ion in t echnical det ail, using t he previously int roduced building blocks t o describe our prot ocols. We st at e t he propert ies of our solut ion in sect ion 6; Appendix A cont ains proofs of t hese claims.

2

R e la t e d W o rk

T he not ion of non-linkability and independence among signat ures arises frequent ly in t he lit erat ure on digit al payment s, while t he issue of non-t ransferability of access right s has been invest igat ed from one perspect ive by Dwork, Lot spiech,

P ropriet ary Cert ificat es

167

and Naor [9], and from anot her by Goldreich et al. [14]. T he combinat ion of t he two propert ies, however, has t o our knowledge not been considered yet , and poses int erest ing t echnical quest ions as well as t he possibility of new applicat ions. Our work is concept ually relat ed t o t he work on sign ets by Dwork, Lot spiech and Naor [9], in which a secret , such as a credit card number, is incorporat ed in a privat e key t o prevent t he lat t er from being given away. Similarly, our aim is t o some ext ent relat ed t o t hat of digit al wat ermarking, as surveyed in [17]. In a digit al wat ermarking syst em, ident ifying informat ion of some kind is embedded in an indelible way in an image so as t o discourage illicit copying. In neit her of t hese proposals, t hough, is t he embedded privat e (t he collat eral key in our t erminology) hidden from t he party who wishes t o verify t hat it is t here. In cont rast , t his is precisely what occurs in our solut ion. T he problem we st udy is also spirit ually relat ed t o a problem previously st udied by Goldreich et al. [14]. In t heir paper, a user owns a cert ificat e associat ed wit h some right s, and wishes t o delegat e a cert ain port ion of t hese t o himself. T his allows him t o delegat e right s for use on a lapt op, wit h t he benefit t hat if t his get s st olen, t hen t he damage is limit ed t o t he delegat ed port ion of t he right s (and t he lost machine.) T hus, t heir scenario is t he following: A user has a primary (long-t erm) key associat ed wit h some personalized access right s, some of which he wishes t o delegat e t o some secondary (and short -t erm) keys. If suffi cient ly many secondary keys are disclosed, t hen t he primary key can be recovered from t hese, t hereby prevent ing t he user from giving away his secondary keys. On t he ot her hand, if few secondary keys are disclosed (fewer t han a cert ain t hreshold), t hen t he primary key remains secure. If t he t hreshold is set t o one (as it is in our scheme), however, t hen t heir primary and secondary keys are ident ical. (In ot her words, t he issue of user privacy, or unlinkability of cert ificat es, is not addressed in [14].) On t he ot her hand, if t he t hreshold is set higher, a corrupt user can give out some keys wit hout any risk. T herefore, t heir solut ion – which was not int ended for securing int ellect ual property – is also not very well suit ed for t his t ask. T he problem we address in t his paper is relat ed t o t hat st udied by Camenisch and Lysyanskaya [4], who produce a credent ial scheme in which signat ures (and ot her aut hent icat ion element s) are generat ed from one and t he same privat e key wit hout being linkable t o each ot her. Addit ionally, and similar t o what is achieved in our scheme, t hey allow diff erent privat e keys associat ed wit h a user t o be t ied t o each ot her in a way t hat prevent s users from sharing some privat e keys wit hout sharing ot hers as a result of t his. However, while concept ually relat ed from a birds-eye view, t he two result s are diff erent on several count s. First , we do not provide unlinkability on a signat ure-by-signat ure basis. In our scheme, all signat ures associat ed wit h one public key can be linked t o t his public key, as is normal for st andard signat ures and a st andard P KI infrast ruct ure. While t his linkability is highly undesirable for, e.g., group signat ures (whose very goal is for t he opposit e t o hold), it is desirable in an infrast ruct ure wit h st andard signat ures where each public key and all it s signat ures get associat ed wit h it s owner. (However, it remains desirable t hat signat ures from diff eren t public keys

168

Markus J akobsson, Ari J uels, and P hong Q. Nguyen

remain unlinkable, which we provide.) Anot her diff erence between t he schemes is t hat t he leakage of one key in t heir scheme immediat ely result s in t he leakage of all ot her keys, while our approach allows a t ight er cont rol of t he inferrable relat ions between keys – namely, we can employ any graph of symmet ric or asymmet ric relat ionships between nodes / keys. T his result s in many pract ical advant ages. Furt hermore, and more import ant ly, we allow t he linking of privat e keys for stan dard signat ure schemes (such as DSS and RSA), while t he met hods in [4] relat e only t o a new signat ure scheme int roduced in t heir paper. It is wort hwhile t o not ice t hat t he employment of our met hods t o exist ing signat ure schemes is not only of pot ent ial t echnical value, but also of pract ical value in any legacy syst em (of which digit al signat ures may be one of t he best examples). Technically speaking, our solut ion depends most import ant ly on met hods for key escrow, for which similar crypt ographic building blocks are employed. Young and Yung [23] recent ly showed how t o obt ain a software key escrow syst em if users provide ciphert ext s t o cert ificat ion aut horit ies t hat permit t he recovery of users’ privat e keys. T hese ciphert ext s are encrypt ed under t he public key of an escrow aut hority. T he st ruct ure t hat is used t o assure t he CA t hat t he ciphert ext is of t he correct format has been called fair en cryption . T hus, t he encrypt ion key in an escrow applicat ion is t he public key of t he escrow aut hority, while in our syst em, it is t he public propriet ary key. Similarly, t he en crypted key in a escrow scheme is t he user’s privat e key, while it corresponds t o t he collat eral key in our scheme for propriet ary cert ificat es. T he fair encrypt ion scheme of [23] could be used for purposes of propriet ary cert ificat es. In fact , propriet ary cert ificat es const it ut e a new applicat ion for fair encrypt ion. In order t o allow for compat ibility wit h more common crypt o syst ems – namely RSA and st andard discret e-log based schemes – we do not employ t heir met hods, which are based on a “double decker” st ruct ure. We do, however, make direct use of t he rat her effi cient fair encrypt ion scheme of Poupard and St ern [21] for some of t he prot ocols of our scheme, namely t hose where t he propriet ary key is an RSA key. We develop and propose new schemes for t he case where t he propriet ary key is a discret e-log key. T hese new schemes const it ut e an ext ension of previous result s for fair encrypt ion and are t hus of independent int erest . Finally, we employ met hods from [12] for proving equality of discret e logs over composit e int egers. T hese, in t urn, are relat ed t o proof met hods of Chaum [7] for proving equality of discret e logs over prime-order fields.

3 3.1

G o a ls Overv iew

J ust as a person may carry several ident ifying t okens for access t o various resources and right s (such as a driver’s license, a passport , and various credit and debit cards), he or she may need several public keys, each one of which may be associat ed wit h a diff erent set s of right s. Diff erent public keys (and t heir cert ificat es) may also be associat ed wit h diff erent policy requirement s, such as

P ropriet ary Cert ificat es

169

requirement s on t he met hods used t o verify t he ident ity of t he cert ificat e owner at t he t ime t he cert ificat e is issued; t he possible escrowing of keys; and t he accept able uses of t he cert ified public key. Our aim is t o const ruct a propriet ary cert ificat e syst em t hat respect s t hese requirement s for het erogeneity and flexibility in a public key infrast ruct ure. We assume t hat cert ificat e aut horit ies publish direct ories cont aining public informat ion on t he cert ificat es t hey have issued. To make our goals precise, let us consider a case in which a cert ificat e aut hority CA1 wishes t o issue a propriet ary cert ificat e C 1 t o a cert ain user. T he user is t o provide a second cert ificat e C 2 , issued by a (possibly) dist inct ent ity CA2 , as collat eral. Informally st at ed, our goals in creat ing t he propriet ary/ collat eral relat ionship between C 1 and C 2 are as follows: 1. N on-t ransferability : Wit h high probability, any player who learns t he privat e key for C 1 will learn t he privat e key for C 2 , and be able t o locat e public informat ion for C 2 in t he direct ory maint ained by CA2 . T hus, given t hat t he user does not wish t o relinquish cont rol over C 2 , t he privat e keys associat ed wit h C 1 are non-t ransferable. 2. U nlinkability : CA1 learns t hat t he user knows t he privat e key associat ed wit h C 2 , and t hat CA2 issued C 2 . CA1 learns no addit ional informat ion about cert ificat es held by t he user, and no ot her player learns any informat ion about t he cert ificat es of t he user. 3. C ry pt osy st em agility : C 1 and C 2 can be based on diff erent crypt osyst ems: eit her can make use of an RSA key or a discret e-log key. 4. Lo cality : CA1 needs t o int eract only wit h t he user, and not CA2 . 5. Security : CA1 learns only a negligible amount of informat ion about t he privat e keys associat ed wit h C 1 and C 2 . No ot her party learns any informat ion relat ing t o t he cert ificat es. 6. Effi ciency : T he cert ificat e C 1 is not subst ant ially larger t han a convent ional cert ificat e of it s type. Moreover, t he comput at ional and communicat ion requirement s on CA1 and t he user in est ablishing t he propriet ary/ collat eral relat ionship are reasonable. 7. P K I com pat ibility : We require t hat t he modified cert ificat es allow for easy int egrat ion int o st andard P KI models. (While we require use of so-called “safe” RSA keys, t hese are fully compat ible wit h most exist ing mechanisms.) We may view t he collect ion of cert ificat es belonging t o a part icular user as a collect ion of nodes C = { C 1 , C 2 , . . . , C t } in a direct ed graph G = ( C , E ). An arc ( C i , C j ) ∈ E in t his graph represent s a binding of a propriet ary cert ificat e C i t o a collat eral one C j . If t here is an addit ional reverse arc ( C j , C i ), t hen t he relat ionship between C i and C j is called sym m etric ; ot herwise, it is called asym m etric . Nodes may have degrees of arbit rary size. In our syst em, t he size of a cert ificat e C i is linear in it s out -degree, as are t he comput at ional and communicat ion requirement s t o est ablish out going arcs. As an illust rat ion of exact ly what purpose an arc serves, we present t he following brief example.

170

Markus J akobsson, Ari J uels, and P hong Q. Nguyen

Mastercard Cj

Newsletter Ci

Encr. key Ck

F ig. 1 .

Example cert ificat e relat ionships.

E xam ple. Say t hat a user want s t o obt ain a cert ificat e for an on-line newslet t er. T his newslet t er requires t hat t he cert ificat e C i associat ed wit h one part icular

user of t heir service serve as a propriet ary one, wit h t he user’ s Mast ercard cert ificat e C j as collat eral. Moreover, t o guard against a sit uat ion in which t he user closes her Mast ercard account , t he newslet t er may require t hat t he user’ s public encrypt ion key and corresponding cert ificat e C k also serve as collat eral. (Alt ernat ively, t he newslet t er may blacklist t he cert ificat e C i once it det ect s t hat Mast ercard blacklist s C j .) Addit ionally, Mast ercard may employ t he user’ s decrypt ion key as collat eral for it s own cert ificat e. T hus, t he newslet t er creat es arcs ( C i , C j ) and ( C i , C k ) in t he graph G . See figure 1 for a graphical depict ion of t his scenario. P rivacy n ote. It is import ant t o not e t hat t he CA, while not learning eit her

t he collat eral or propriet ary secret key, learns t he associat ion between t he two public keys. Namely, he learns t hat t he public key of t he propriet ary cert ificat e is associat ed wit h t he same person as t he public key of t he collat eral cert ificat e. For many purposes, t his may not be so out landish, as long as t he public cannot infer t he same relat ion. To hide t he associat ion of keys from t he CA, it is possible t o use more heavy-weight prot ocols, in which t he user proves correct encrypt ion wit h respect t o an un specifi ed public key belonging t o some set of pot ent ial collat eral public keys. T he likely drawback of such solut ions, t hough, would be t he result ing reduct ion of t he effi ciency. Alt ernat ively, if we do allow t he CA t o learn t he associat ion, st andard t echniques [16] can be employed t o prevent him from convincing ot hers. 3.2

W hat D o es an A rc Lo ok Like?

Our approach is t o include in a propriet ary cert ificat e a ciphert ext on t he collat eral keys. T his ciphert ext (while not necessarily of a st andard format ) may be decrypt ed using t he public keys of t he propriet ary privat e keys, t hereby yielding t he collat eral keys. In order t o reach t his goal, we need secure prot ocols for a cert ificat e holder t o prove t o t he CA t hat t he generat ed ciphert ext s are of t he right format (namely t hat t hey cont ain valid represent at ions of t he collat eral

P ropriet ary Cert ificat es

171

privat e keys). T his must be done in a manner t hat is bot h effi cient and which limit s leaks of informat ion t o t he CA. T his will be achieved by basic fair encrypt ion t echniques, including use of zero-knowledge proofs and semant ically secure encrypt ion. Apart from including an encrypt ion of t he privat e collat eral key in t he cert ificat e, t he cert ificat e aut hority may addit ionally include a point er t o t he direct ory ent ry for t he collat eral key. For reasons of privacy, t his would also be encrypt ed, using a semant ically secure encrypt ion scheme and t he public key of t he propriet ary cert ificat e (making it possible t o decrypt given t he privat e key associat ed wit h t he propriet ary cert ificat e). Technically, t he encrypt ion of t he point er is st raight forward, as t he plaint ext informat ion does not need t o be hidden from t he CA issuing t he propriet ary cert ificat e. T hus, we will focus on t he encrypt ion of t he privat e key inst ead of t hat of t he public key. P ract ically, it is wort h ment ioning, t hough, as it allows t he ret rieval of privat e keys as well as an un derstan din g of what was retrieved , should t he propriet ary key be given away. In a fair encrypt ion syst em, a user holds a privat e/ public key pair ( P K , SK ), and a public key P K T is published for some t rust ed t hird party. T he user const ruct s a ciphert ext Γ 1 2 and a non-int eract ive proof t hat Γ 1 2 is an encrypt ion under P K T of a represent at ion of SK or dat a t hat enable effi cient reconst ruct ion of SK . In our syst em, Γ 1 2 is a ciphert ext on t he privat e key for C 2 (or somet hing equivalent ) under t he public key associat ed wit h C 1 . A crit ical diff erence in our syst em from convent ional use of fair encrypt ion is our assumpt ion t hat CA1 is responsible for ensuring t hat Γ is correct ly const ruct ed. (T his is t he case in all of t he applicat ions we envisage, as it is CA1 t hat wishes t o prevent abuse of C 1 .) Hence, t he owner of C 2 must prove correct const ruct ion of Γ only once t o CA1 . In consequence, t he proof may be int eract ive, and t he size of t he proof is of less import ance t han in a typical fair encrypt ion syst em, as it has no impact on t he size of C 1 , which only carries Γ 1 2 . In sect ion 5, we det ail t he various prot ocols for creat ing an arc ( C 1 , C 2 ) between two cert ificat es C 1 and C 2 . As explained above, we use t he PoupardSt ern fair encrypt ion syst em as t he basis for prot ocols in which C 1 is an RSA-keybased cert ificat e and C 2 is eit her RSA or DL-based. An import ant cont ribut ion of our paper is a pair of novel fair encrypt ion prot ocols for t he case where C 1 is inst ead a discret e-log-based cert ificat e and C 2 is eit her RSA or discret e-log based. →







4 4.1

N o t a t io n a n d B u ild in g B lo ck s N ot at ion

We define a crypt osyst em C R in t he broadest sense t o include a suit e of five algorit hms k ey g en C R , si g n C R , v er i f y C R , en c r y p t C R and d ec r y p t C R for t he respect ive operat ions of key generat ion, signing, verificat ion, encrypt ion, and decrypt ion. (T hus, where we consider a signing algorit hm such as, e.g., DSS, we assume a corresponding encrypt ion/ decrypt ion algorit hm over t he same algebraic st ruct ures, e.g., ElGamal.) We assume implicit ly t hat a secure suit e of algorit hms of

172

Markus J akobsson, Ari J uels, and P hong Q. Nguyen

t his kind are available for all crypt osyst ems under considerat ion. To produce a cert ificat e C 1 on a public/ privat e key pair ( P K 1 , SK 1 ), a given cert ificat e aut hority applies an algorit hm si g n C R t o P K 1 and possibly t o some addit ional policy informat ion aux 1 . Our cont ribut ion in t his paper is a set of prot ocols for arc creat ion, and a corresponding set of prot ocols for key ext ract ion, i.e., for comput at ion of a collat eral key given t he corresponding propriet ary one. A rc creation : Let ( P K 1 , SK 1 ) and ( P K 2 , SK 2 ) be t he public/ privat e key pairs respect ively for propriet ary cert ificat e C 1 and collat eral cert ificat e C 2 . Addit ionally, let C 1 be a cert ificat e on a public key for crypt osyst em type C R 1 and C 2 a cert ificat e for crypt osyst em type C R 2 . We let A r c C R 1 → C R 2 denot e an arc creat ion prot ocol on t he propriet ary/ collat eral cert ificat e pair ( C 1 , C 2 ).

T he prot ocol A r c C R 1 C R 2 t akes as input from t he prover t he two public/ privat e key pairs ( P K 1 , SK 1 ) and ( P K 2 , SK 2 ), and relevant security crypt osyst em security paramet ers. Input from t he verifier is a security paramet er specifying prot ocol soundness. T he out put of t he prot ocol is t he pair of public keys ( P K 1 , P K 2 ), t he collect ion of security paramet ers, and a ciphert ext Γ 1 2 . We require two security propert ies on a given algorit hm A r c C R 1 C R 2 : →





– Soundness: Wit h overwhelming probability over t he coin flips of t he prover and verifier, t he ciphert ext Γ 1 → 2 is well formed. In ot her words, given input SK 1 and Γ 1 → 2 , t he prot ocol E x t r a c t C R 1 → C R 2 described below yields out put SK 2 . – P rivacy : T he full t ranscript of t he prot ocol is simulat able in a comput at ionally indist inguishable manner by a player wit h knowledge of P K 1 and P K 2 only. (T hus, e.g., t he verifier learns no non-negligible informat ion about SK 1 or SK 2 .)

We consider two crypt osyst em types in t his paper, namely RSA and discret e log (DL). In ot her words, eit her C R 1 or C R 2 can be a crypt osyst em in which t he public key is an RSA modulus, e.g., RSA encrypt ion and signing or Paillier encrypt ion wit h RSA signing, or, alt ernat ively, a crypt osyst em based on discret e log, such as (ElGamal / DSS), (ElGamal / Schnorr,) et c. T hus, in our paper, we specify four generic arc creat ion prot ocols: A r c R S A D L , A r c R S A R S A , A r c D L R S A , and A r c D L D L . →







K ey extraction : Corresponding t o each arc creat ion algorit hm

A r c C R 1 C R 2 is a key ext ract ion algorit hm E x t r a c t C R 1 C R 2 . T his algorit hm t akes as input a ciphert ext Γ 1 2 and t he keys P K 2 and SK 1 . If successful, it out put s SK 2 . Involved here are some st andard decrypt ion operat ions in combinat ion wit h addit ional crypt ographic operat ions such as lat t ice reduct ion and gcd algorit hms. →





4.2

B uilding B lo cks

D iscrete-log-based sign ature schem es. If t he signat ure scheme associat ed wit h key pair ( P K , SK ) is discret e-log based (such as DSS [18] or Schnorr [22]), t hen

P ropriet ary Cert ificat es

173

P K = ( p, q, g, y ), for primes p, q, such t hat p = k q + 1, an element g of order q, and a value y = gx mod p. Here, t he privat e key SK = x is chosen uniformly at random from Zq . Example sizes of t he paramet ers are ( | p| , | q| ) = (1024, 160).

We refer t o [18,22] for more det ails on t he schemes. E lG am al en cryption . Let g be a generat or of a large subgroup G of Zn . Oft en, t he int eger n is chosen t o be prime, but we will also consider t he use of st rong RSA moduli, and we assume t hat all comput at ion is performed modulo n , where applicable. Let s denot e t he size of t he subgroup generat ed by g, and let y = gx be t he public key used for encrypt ion, where x ∈ Zs . To encrypt a message m , one picks a random element α ∈ u Zs and comput es t he pair ( a, b) = ( y α m , gα ). (We not e t hat s can be det ermined by a party who knows t he fact orizat ion of n , which will not be a rest rict ion in our set t ing.) To decrypt a ciphert ext ( a, b), one comput es m = a/ bx .

It is well-known t hat t he ElGamal scheme is semant ically secure under t he Decision Diffi e-Hellman (DDH) assumpt ion on t he subgroup G , and given t hat messages are chosen from G (see [1]). If messages are chosen from anot her set , t he ciphert ext may leak some informat ion, such as t he J acobi symbol of t he message. P roof of equality of discrete logs. Let y i = gi x i , for i ∈ { 1, 2} , where y 1 , y 2 , g1 , g2 ∈ G for some group G . We let E Q D L 1 ( y 1 , y 2 , g1 , g2 ) denot e a zero-knowledge proof prot ocol demonst rat ing t hat logg 1 y 1 = logg 2 y 2 . T here are many met hods pro-

posed in t he lit erat ure for implement ing E Q D L 1 , [7,22]. In t he appendix, we exhibit a version of [22] modified for use wit h RSA moduli, and discuss it s security. A useful variant employed in our prot ocols involves element s spanning two groups G 1 and G 2 . In part icular, we let E Q D L 2 ( y 1 , y 2 , g1 , g2 , n 1 , n 2 ) denot e a proof t hat y 1 = g1x 1 mod n 1 and y 2 = g2x 2 mod n 2 for x 1 = x 2 . (In general, G 1 and G 2 need not be modular mult iplicat ive groups, but t hese are t he only type used here.) We use t he very effi cient proof t echnique for E Q D L 2 int roduced in [5]. Bot h E Q D L 1 and E Q D L 2 are zero-knowledge. While t he soundness of bot h prot ocols relies on t he discret e log assumpt ion, we not e t hat t he soundness of t he effi cient , one-round version of t he prot ocol for E Q D L 2 depends addit ionally on t he stron g R S A assumpt ion. See [5] for more det ailed discussion. Let ( a, b) = ( m y k , gk ) represent an ElGamal ciphert ext under public key y . Observe t hat a prover wit h knowledge of t he privat e key x = logg y can prove in zero-knowledge t hat ( a, b) represent s a valid ciphert ext on plaint ext m simply by proving E Q D L 1 ( y, a/ m , g, b). P aillier en cryption . T he Paillier crypt osyst em was int roduced in [20]. It uses t he Carmichael lambda funct ion λ ( N ) defined as t he largest order of t he element s of Z∗N . Let N = P Q be an RSA modulus such t hat ϕ ( N ) is coprime t o N . Recall t hat λ ( N ) = l c m ( p − 1, q − 1). T he general Paillier’s crypt osyst em, as defined in [20], uses an int eger G of order mult iple of N modulo N 2 . It was not iced

174

Markus J akobsson, Ari J uels, and P hong Q. Nguyen

in [8,6] t hat t he simplest choice is probably G = 1 + N , because (1 + N ) M ≡ 1 + M N mod N 2 . T hus, in t his paper, we only use G = 1 + N , which slight ly simplifies t he descript ion of t he scheme and has no impact on t he semant ic security: we refer t o [20] for a general descript ion. T he public key is N and t he secret key is λ ( N ). To encrypt a message M ∈ ZN , randomly choose u ∈ ZN and comput e t he ciphert ext c = (1 + M N ) u N mod N 2 . To decrypt c, comput e: ∗

M =

L ( cλ

(N )

mod N 2 ) mod N , λ (N )

where t he L -funct ion t akes as input an element congruent t o 1 modulo N , and out put s L ( u ) = u N 1 . T he Paillier public-key crypt osyst em is semant ically secure under t he hardness of dist inguishing N -t h residues modulo N 2 (see [20]). −

Fair en cryption m ethods. Assume t hat users have pairs of public and privat e keys and give an encrypt ion E of t heir privat e key (or somet hing allowing t he recovery of t he privat e key) using t he public key P K T of a t rust ed t hird party. A fair en cryption is a publicly verifiable proof t hat t he t hird party is able t o

recover t he privat e key using his own privat e key and t he ciphert ext . Poupard and St ern proposed pract ical fair encrypt ion [21] using t he Paillier crypt osyst em (meaning t hat t he t hird party’ s public key is a Paillier public key). PoupardSt ern proposed two prot ocols: One t o encrypt ElGamal-type keys, and one for RSA keys. To t he best of our knowledge, no fair encrypt ion prot ocol in which t he t hird party uses a discret e log syst em exist s in t he lit erat ure. T here exist ot her fair encrypt ion prot ocols (see [10,2] for inst ance), but t hey do not seem t o be as effi cient as t he Poupard-St ern prot ocols for our applicat ion, so we do not use t hem. We will use fair encrypt ion as a proof t hat any person knowing t he privat e key corresponding t o P K T can recover t he privat e key encrypt ed in E . In ot her words, in t he set t ing of propriet ary cert ificat es, t he “t hird party” is any possessor of t he propriet ary privat e key, and t he fair encrypt ion is t he proof of collat eral privat e key recovery.

5

A rc C re a t io n P ro t o c o ls

We will now consider how one can perform t he various proofs of ciphert ext correct ness, wit h t he various types of encrypt ion needed. We will denot e t he various prot ocols by t he types of propriet ary and collat eral keys t hey relat e t o. T hus, a D L → R SA prot ocol is a prot ocol for proving t hat given a ciphert ext and t he correct discret e log privat e key (t he propriet ary key), one can decrypt and obt ain t he correct RSA privat e key (t he collat eral key). We not e t hat we will use Paillier’s encrypt ion scheme in lieu of RSA – however, since one can perform Paillier encrypt ion and decrypt ion using an RSA public versus privat e key, t his is not a rest rict ion.

P ropriet ary Cert ificat es

175

In t he following, we let ( y, x ) be a public key / privat e key pair for a discret elog-based scheme, as described previously, and ( e, d ) be t he public versus privat e keys of an RSA scheme wit h public modulus N . We use t he same moduli and generat ors as previously shown. For A r c D L R S A and A r c D L D L , it is necessary t o include in t he cert ificat es a generat or G as described below. We not e t hat t his does not impact t he unlinkability propert ies, since G relat es t o t he public key in whose cert ificat e it is included. →

5.1

R SA →



DL

Let ( e1 , d 1 ) denot e t he propriet ary public and privat e keys corresponding t o a public modulus N 1 , and ( y 2 , x 2 ) t he collat eral public and privat e keys, wit h associat ed modulus p. His Paillier public key is N 1 , and his privat e key is λ ( N 1 ). In t he prot ocol A r c R S A D L , t he user randomly chooses u ∈ ZN 1 and comput es t he ciphert ext Γ 1 2 = (1 + x 2 N 1 ) u N 1 mod N 1 2 , and a non-int eract ive proof (t o t he CA) of t he “t hird party”’ s ability t o comput e x 2 from y 2 and Γ 1 2 , using t he Poupard-St ern fair encrypt ion of ElGamal keys [21, Sect . 3.1]. ∗







E xtraction of keys. T he algorit hm

E x t r a c t R S A R S A involves applicat ion of t he key recovery process of t he Poupard-St ern fair encrypt ion [21, P roof of T heorem 1], based on Gauss lat t ice reduct ion algorit hm (not e: a simple Paillier decrypt ion presumably does not always enable t o recover t he privat e key, due t o some cheat ing st rat egy, as explained in [21]; t he proof refers t o t his key recovery process and not Paillier decrypt ion). T his yields x 2 .

5.2

R SA →



R SA

Let ( e1 , d 1 ) denot e t he propriet ary public and privat e keys associat ed wit h a public modulus N 1 , and ( e2 , d 2 ) t he collat eral public and privat e keys associat ed wit h a public modulus N 2 . His Paillier public key is N 1 , and his privat e key is λ ( N 1 ). In t he prot ocol A r c R S A R S A , t he user comput es x = N 2 − ϕ ( N 2 ), randomly chooses u ∈ ZN 1 and t he ciphert ext Γ = (1+ x N 1 ) u N 1 mod N 12 . He proves t o t he CA t hat a party wit h knowledge of t he decrypt ion key (i.e., our propriet ary key) is able t o fact or N 2 using Γ 1 2 and his Paillier privat e key, using t he PoupardSt ern fair encrypt ion of RSA keys [21, Sect 3.2]. →





E xtraction of keys. To recover t he collat eral privat e key using

E xt ract R SA R SA , one must apply t he key recovery process of t he Poupard-St ern fair encrypt ion [21, P roof of T heorem 2] t o obt ain t he fact orizat ion of N 2 from Γ and t he Paillier privat e key.

5.3

DL →



R SA

Let ( y 1 , x 1 ) be t he public/ privat e key pair for t he DL (i.e., propriet ary) cert ificat e, and let N 2 be t he modulus for t he RSA (i.e., collat eral) cert ificat e. For t he

176

Markus J akobsson, Ari J uels, and P hong Q. Nguyen

user t o ensure privacy of her privat e keys, we require t hat N be t he product of two safe primes. Namely, we should have N 2 = P Q where P , Q , ( P − 1) / 2 and ( Q − 1) / 2 are all large primes. (t hus, in part icular, P and Q are congruent t o 3 modulo 4). T he use of safe primes can be proved using [5]. To ensure soundness of t he prot ocol, however, t he user need only prove about N 2 t hat it is t he product of (at most ) two primes. T his can be accomplished wit h pract ical comput at ional and communicat ion requirement s by combining prot ocols from [11] or [15] wit h t hose in [3], as shown in, e.g., [13]. Apart from a proof t hat N 2 is a well-formed RSA modulus, t here are two key component s t o t he prot ocol A r c D L R S A . T he first is t hat of key tran slation . T his is a procedure whereby t he user const ruct s a generat or G wit h large order in ZN 2 and a public ElGamal key Y = G x 1 mod N 2 . Since x 1 is t he privat e key for t he DL cert ificat e of t he user, a player wit h access t o t his privat e key will be able t o decrypt any ElGamal ciphert ext under public key1 Y . T he user proves correct t ranslat ion t hrough st raight forward use of E Q D L 2 . T he second key component in t he prot ocol is encrypt ion of a non-t rivial root r of unity in ZN 2 . In part icular, t he user const ruct s an ElGamal ciphert ext ( a, b) on such a root r under t he public key Y . Given r , it is easy t o comput e a fact or of N 2 , and t hus comput e any privat e key for t he RSA cert ificat e (provided t hat N 2 is a well-formed RSA modulus). To prove t hat t he plaint ext r corresponding t o ( a, b) is indeed a root of unity, t he user must prove t hat ( a 2 , b2 ) has plaint ext 1. To see t hat r is a non-t rivial root , i.e., not equal t o 1 or − 1, t he CA must verify t he following t hree J acobi quant it ies: →



– T he int eger − 1 has J acobi symbol 1. (T his is always t he case if N is a product of two large safe primes.) – T he value b has J acobi symbol 1. – T he value a has J acobi symbol -1.

Toget her, t hese t hree checks ensure t hat ( a, b) has a plaint ext r wit h J acobi symbol -1, and t hus t hat r ∈ { − 1, 1} and is t hus non-t rivial. Wit h all of t he ot her proofs given above, t his ensures t hat a player wit h knowledge of x can use t he ciphert ext ( a, b) t o fact or N 2 and obt ain any privat e keys associat ed wit h t he RSA cert ificat e. Here is our prot ocol in det ail. If any of t he verificat ion performed by t he CA fails, or any of t he sub-prot ocols fails, t hen t he prot ocol is abort ed. P rotocol

A rcD L →

R SA

1. T he user select s an element G ∈ ZN 2 of J acobi symbol 1 such t hat G 2 ≡ 1 and G 2 − 1 is coprime t o N 2 . T hus, G has mult iplicat ive order of eit her ( P − 1)( Q − 1) / 4 or ( P − 1)( Q − 1) / 2 (see for inst ance [12]). Not e t hat t he DDH problem in t he subgroup spanned by G is believed t o be hard (see [1]). T he user sends G t o t he CA. ∗

1

Not e t hat t his public key will have order at least (P -1)(Q-1)/ 4 wit h overwhelming probability. T hus, wit h overwhelming probability, t he choice of public key will it self leak no informat ion about t he plaint ext root .

P ropriet ary Cert ificat es

177

2. T he user performs t he key t ranslat ion. She comput es Y = G x 1 mod N 2 and proves E Q D L 2 [g, y, G , Y, n , N ]. 3. T he user comput es a non-t rivial root r of unity wit h J acobi symbol -1. T his is easy t o accomplish given knowledge of P and Q and use of t he Chinese Remainder T heorem. 4. T he user select s an encrypt ion fact or α ∈ Z( P 1 ) ( Q 1 ) / 2 uniformly at random. She const ruct s an ElGamal ciphert ext on r of t he form ( a, b) = ( Y α r , G α ). She sends t his t o t he CA. 5. T he user proves t hat ( a, b) is a ciphert ext under Y of a root of unity. In part icular, she proves E Q D L 1 [G , Y, b2 , a 2 ]. 6. CA verifies t hat − 1 and b have J acobi symbol 1, and t hat a has J acobi symbol − 1. −



K ey extraction . T he algorit hm E x t r a c t D L → R S A int erpret s t he propriet ary key x 1 as a key X = x 1 for t he composit e ElGamal ciphert ext E = ( a, b), one can comput e r = a/ bX mod N 2 . One derives t he fact orizat ion of N 2 by simple gcd: Indeed, r 2 = 1 mod N 2 implies ( r − 1)( r + 1) = 0 mod N 2 where r = ± 1 mod N 2 , so t hat gcd( r − 1, N 2 ) is a non-t rivial fact or of N . T his yields t he privat e collat eral

key. 5.4

DL →

DL

In order t o use a discret e-log propriet ary key and a discret e-log collat eral key – alt hough possibly over diff erent group st ruct ures, we int roduce t he use of in term ediary keys. T his is a key whose only use is t o act as a connect or between exist ing prot ocols for put t ing up collat eral and performing ext ract ion. Namely, when performing ext ract ion, t he propriet ary key is used t o obt ain t he int ermediary key (serving as a collat eral), and t hen t he int ermediary key is used as propriet ary key t o obt ain t he real collat eral key. T hus, in t he prot ocol A r c D L D L , t he user select s a st rong RSA modulus N as an int ermediary public key (whose corresponding privat e key is ϕ ( N )). He t hen uses t he D L → R SA prot ocol above t o est ablish N as t he collat eral key of his propriet ary key. T hen, he uses N as t he propriet ary key in a R SA → D L prot ocol (Poupard/ St ern). T he result is two set s of ciphert ext s, one cont aining t he int ermediary key, and using t he propriet ary key for encrypt ion/ decrypt ion; t he second cont aining t he collat eral key, and using t he int ermediary key for encrypt ion/ decrypt ion. ′









K ey extraction . T he prot ocol E x t r a c t D L D L is an obvious composit ion of t he previous key ext ract ion prot ocols E x t r a c t D L R S A and E x t r a c t R S A D L . T his is a two-st ep process in which one first obt ains t he int ermediary key and t hen t he collat eral key. →



6



C la im s

We prove in appendix A t hat our solut ion sat isfies n on -tran sferability , un lin kability and security . It is clear from our prot ocol descript ion t hat it sat isfies

178

Markus J akobsson, Ari J uels, and P hong Q. Nguyen

cryptosystem agility ; locality ; and P K I com patibility . We address t he effi ciency

of our scheme in appendix A as well.

R e fe re n c e s 1. D. Boneh. T he decision Diffi e-Hellman problem. In P roc. of A N T S-I I I , volume 1423 of L N CS, pages 48–63. Springer-Verlag, 1998. 2. F . Boudot and J . Traor´e. Effi cient publicly verifiable secret sharing schemes wit h fast or delayed recovery. In I CI CS ’ 99, volume 1726 of L N CS, pages 87–102. Springer-Verlag, 1999. 3. J . Boyar, K. Friedl, and C. Lund. P ract ical zero-knowledge proofs: Giving hint s and using deficiencies. Jour nal of Cr yptology , 4(3):185–206, 1991. 4. J . Camenisch and A. Lysyanskaya. An effi cient syst em for non-t ransferable anonymous credent ials wit h opt ional anonymity revocat ion. In B. P fit zmann, edit or, E urocr ypt ’ 01, volume 2045 of L N CS, pages 93–117. Springer-Verlag, 2001. 5. J . Camenisch and M. Michels. Separability and effi ciency for generic group signat ure schemes. In M. W iener, edit or, Cr ypto ’ 99, volume 1666 of L N CS, pages 413–430. Springer-Verlag, 1999. 6. D. Cat alano, R. Gennaro, N. Howgrave-Graham, and P. Q. Nguyen. P aillier’s crypt osyst em revisit ed. In P. Samarat i, edit or, 8th A CM Conference on Computer and Communi cati ons Secur i ty . ACM P ress, 2001. To appear. 7. D. Chaum and H. Van Antwerpen. Undeniable signat ures. In G. Brassard, edit or, Cr ypto ’ 89, volume 435 of L N CS, pages 212–216. Springer-Verlag, 1989. 8. I. Damg˚ard and M. J urik. A generalisat ion, a simplificat ion and some applicat ions of P aillier’s probabilist ic public-key syst em. In P K C ’ 01, volume 1992 of L N CS, pages 119–136. Springer-Verlag, 2001. 9. C. Dwork, J . Lot spiech, and M. Naor. Digit al signet s: Self-enforcing prot ect ion of digit al informat ion. In P roc. of 28th ST OC , pages 489–498. ACM, 1996. 10. E. Fujisaki and T . Okamot o. A pract ical and provably secure scheme for publicly verifiable secret sharing and it s applicat ions. In K. Nyberg, edit or, E urocr ypt ’ 98, volume 1403 of L N CS, pages 32–46. Springer-Verlag, 1998. 11. Z. Galil, S. Haber, and M. Yung. Minimum-knowledge int eract ive proofs for decision problems. Si am J. of Computi ng, 18(4):711–739, 1989. 12. R. Gennaro, H. Krawczyk, and T . Rabin. RSA-based undeniable signat ures. In B. Kaliski, edit or, Cr ypto ’ 97, volume 1294 of L N CS, pages 132–149. SpringerVerlag, 1997. 13. R. Gennaro, D. Micciancio, and T . Rabin. An effi cient non-int eract ive st at ist ical zero-knowledge proof syst em for quasi-safe prime product s. In 5th A CM Conference on Computer and Communi cati ons Secur i ty , pages 67–72. ACM P ress, 1998. 14. O. Goldreich, B. P fit zmann, and R. L. Rivest . Self-delegat ion wit h cont rolled propagat ion - or what if you lose your lapt op. In H. Krawczyk, edit or, Cr ypto ’ 98, volume 1462 of L N CS, pages 153–168. Springer-Verlag, 1998. 15. J . van de Graaf and R. P eralt a. A simple and secure way t o show t he validity of your public key. In B. Kaliski, edit or, Cr ypto ’ 87, volume 293 of L N CS, pages 128–134. Springer-Verlag, 1987. 16. M. J akobsson, K. Sako, and R. Impagliazzo. Designat ed verifier proofs and t heir applicat ions. In U. Maurer, edit or, E urocr ypt ’ 96, LNCS, pages 143–154. SpringerVerlag, 1996.

P ropriet ary Cert ificat es

179

17. S. Kat ezenbeisser and F .A.P. P et it colas, edit ors. I nfor mati on H i di ng T echni ques for Steganography and D i gi tal W ater mar ki ng. Art ech House, 1999. 18. Nat ional Inst it ut e of St andards and Technology (NIST ). F I P S P ubli cati on 186: D i gi tal Si gnature Standard, May 1994. 19. Bloomberg News. Ad-revenue worries weigh down Yahoo. 1 Sept ember 2000. URL: ht t p:/ / yahoo.cnet .com/ news/ 0-1005-200-2670551.ht ml. 20. P. P aillier. P ublic-key crypt osyst ems based on composit e degree residuosity classes. In J . St ern, edit or, E urocr ypt ’ 99, volume 1592 of L N CS, pages 223–238. SpringerVerlag, 1999. 21. G. P oupard and J . St ern. Fair encrypt ion of RSA keys. In B. P reneel, edit or, E urocr ypt ’ 00, volume 1807 of L N CS, pages 173–190. Springer-Verlag, 2000. 22. C. P. Schnorr. Effi cient signat ure generat ion by smart cards. Jour nal of Cr yptology , 4:161–174, 1991. 23. A. Young and M. Yung. Aut o-recoverable aut o-cert ifiable crypt osyst ems. In K. Nyberg, edit or, E urocr ypt ’ 98, volume 1403 of L N CS, pages 17–31. Springer-Verlag, 1998.

A

A n a ly s is

N on -tran sferability. T he scheme sat isfies non-t ransferability if t he CA can be

guarant eed t hat for any cert ificat e he has issued, knowledge of it s propriet ary privat e key allows t he corresponding collat eral privat e key t o be comput ed wit h an overwhelming probability, and in polynomial t ime. T hus, t his direct ly corresponds t o t he soundness of t he prot ocol for proving t hat t he ciphert ext in an encrypt ion of t he appropriat e plaint ext (t he collat eral privat e key, or a represent at ion t hereof), and under t he appropriat e public key (t he propriet ary public key.) T he soundness of t he fair encrypt ion schemes used for arc A r c R S A D L and A r c R S A R S A has already been proven (see [21]). Since A r c D L D L is composed of A r c D L R S A and A r c R S A D L (t he lat t er which we know is sound), we see t hat only t he soundness of A r c D L R S A remains t o be proven. T he soundness of E Q D L 2 was proven in [5]. T hus, st ep two is sound, and est ablishes t hat X = x for Y = G X mod N , y = gx mod p. Furt hermore, st ep five is sound, given t he soundness of Schnorr signat ures (see [22]) and t heir ext ension t o composit e moduli (see appendix B.) T hus, t his st ep est ablishes t hat ( a 2 , b2 ) is a valid encrypt ion of 1, using public key Y and modulus N . T hus, ( a 2 , b2 ) = ( Y β , G β ). T his implies t hat t he plaint ext must be a root r of unity, and t hat ( a, b) = ( Y α r , G α ), where β ≡ ϕ ( N ) 2α . T he CA verifies (in st ep six) t hat b have J acobi symbol 1. T herefore, since Y is a power of G (as est ablished in st ep 2), a/ r is a power of b. Since a has J acobi symbol − 1, so must r . In st ep 6, it is est ablished t hat − 1 has J acobi symbol 1, and (obviously), t he same holds for t he value 1. T herefore, t he plaint ext r must be a non-t rivial root of 1. As was out lined in t he key ext ract ion prot ocol for A r c D L R S A , knowledge of such a value allows st raight forward fact oring of N . Since knowledge of t he propriet ary discret e log privat e key x implies knowledge of t he decrypt ion key X (as est ablished in st ep 2), we see t hat anybody wit h knowledge of t he propriet ary key can comput e t he privat e collat eral key, which concludes t he proof. →













180

Markus J akobsson, Ari J uels, and P hong Q. Nguyen

S ecurity. T he security of t he RSA

→ DL and t he RSA → RSA arc creat ion prot ocols is t he same as in t he Poupard-St ern fair encrypt ion prot ocols [21]. Namely t he proofs are zero-knowledge, and t he ciphert ext is wit h respect t o t he Paillier crypt osyst em which is semant ically secure under t he hardness of dist inguishing N -t h residues modulo N 2 (see [20]). For t he DL → RSA prot ocol, t he proofs are zero-knowledge. One needs t o assume, however, t hat t he key-t ranslat ion prot ocol does not weaken t he hardness of t he discret e log problem. For t his, we rely on a variant of t he DDH assumpt ion. Normally, t his assumpt ion is applied over a single group G of order q. It st at es t hat for generat ors µ 1 and µ 2 drawn uniformly at random, and exponent s a, b drawn uniformly at random from Zq , it is comput at ionally infeasible for a polynomial-t ime ent ity t o dist inguish between t he two dist ribut ions D 1 = { µ 1 , µ 2 , µ a1 , µ a2 } and D 2 = { µ 1 , µ 2 , µ a1 , µ b2 } . We int roduce a variant assumpt ion t hat we call t he cross-group D D H assum ption . We consider two groups G 1 and G 2 , where t he order of G 1 is q, and t hat of G 2 is at least q. T he dist ribut ions D 1 and D 2 are const ruct ed exact ly as above, except t hat µ 1 is a generat or of G 1 and µ 2 is a generat or of G 2 . In ot her words, t he cross-group DDH assumpt ion as applied t o G 1 and G 2 st at es t hat it is infeasible t o t est equality of discret e logs across groups. We apply t his assumpt ion in our paper t o two groups for which t he convent ional DDH assumpt ion is believed t o be hard. T he cross-group DDH assumpt ion may be seen t o arise in implicit form in earlier lit erat ure such as, e.g., [5], and seems a pot ent ially import ant assumpt ion for a wide range of prot ocols. T he ciphert ext E is an ElGamal encrypt ion of a non-t rivial root r of unity, and such an r does not belong t o t he subgroup G spanned by G because it has J acobi symbol -1. But t he semant ic security of ElGamal under t he DDH assumpt ion over G relat es t o plaint ext in G . However, one can easily not ice t hat if ElGamal wit h plaint ext s chosen in t he kernel of t he J acobi symbol is semant ically secure (which is equivalent t o t he DDH assumpt ion in t hat kernel, which it self is believed t o be t rue), t hen ElGamal wit h plaint ext s having J acobi symbol -1 is also semant ically secure. Indeed, if an at t acker is able t o build two part icular plaint ext s m 0 and m 1 having J acobi symbol -1, and t o det ermine wit h non-negligible advant age if a challenge ciphert ext (of eit her m 0 and m 1 ) is an encrypt ion of m 0 or m 1 , t hen he could also det ermine wit h non-negligible advant age if a challenge ciphert ext c (of eit her m 20 and m 0 m 1 ) is an encrypt ion of m 20 or m 0 m 1 (by division). T hus, since bot h m 20 and m 0 m 1 have J acobi symbol + 1, t his would break t he semant ic security of ElGamal for plaint ext s in t he kernel of t he J acobi symbol. Not e t hat t he DDH problem for t he kernel of t he J acobi symbol is believed t o be hard when t he modulus is a product of two safe primes (see [1]).

Un lin kability. We see t hat unlinkability follows from t he fact t hat we use seman-

t ically secure encrypt ion of t he collat eral privat e keys and t he point ers t o t he collat eral public keys and t heir associat ed CA; and t hat no informat ion about other keys associat ed wit h a user is used or included in a signat ure using one part icular public key.

P ropriet ary Cert ificat es

181

E ffi cien cy. All of t he prot ocols require t he inclusion of a ciphert ext describing or

point ing t o t he collat eral public key. Addit ionally, A r c D L R S A and A r c D L D L require t he inclusion of a generat or G as described above. Assuming (probabilist ically padded) RSA encrypt ion is used when t he propriet ary key is an RSA key, and ElGamal encrypt ion used when it is a discret e log key, t he encrypt ion of t he ”point er” has size | N | resp. 2| p| . T he two arc est ablishment prot ocols t hat are direct ly based on Paillier encrypt ion result in ciphert ext s of size 2| N | . T he prot ocol using composit e ElGamal alone result s in ciphert ext s of t hat same size, while t he prot ocol using bot h ElGamal encrypt ion and Paillier encrypt ion nat urally result s in ciphert ext s of size 4| N | . T hus, for | N | = | p| = 1024 bit s, t he t ot al cert ificat e expansion is between 3| N | = 384 and 4| N | + 2| p| = 768 Byt es. →



Stateless-Recipient Certified E-Mail System Based on Verifiable Encryption Giuseppe Ateniese and Cristina Nita-Rotaru Department of Computer Science The Johns Hopkins University {ateniese,crisn}@cs.jhu.edu

Abstract. In this paper we present a certified e-mail system which provides fairness while making use of a T T P only in exceptional circumstances. Our system guarantees that the recipient gets the content of the e-mail if and only if the sender receives an incontestable proof-of-receipt. Our protocol involves two communicating parties, a sender and a recipient, but only the recipient is allowed to misbehave. Therefore, in case of dispute, the sender solicits T T P ’s arbitration without involving the recipient. This feature makes our protocols very attractive in real-world environments in which recipients would prefer to assume a passive role rather than being actively involved in dispute resolutions caused by malicious senders. In addition, in our protocol, the recipient can be stateless, i.e., it does not need to keep state to ensure fairness.

1

Introduction

The Internet has revolutionized the computer and communications world like nothing before and it is today an important global resource for millions of people. With its continue growing, it generated tremendous benefits for the economy and our society. However, the Internet does not provide all the services required by the business communication model such as secure and fair electronic exchange or certified electronic delivery. A fair electronic exchange protocol ensures that, at the end of the exchange, either each player receives the item it expects or neither part receives any information about the other•s item. The classical solution to the fair exchange problem is based on the idea of gradually exchanging small parts of the items. However, practical solutions to the problem require a trusted third party (T T P ) as arbitrator. More specifically, in on-line protocols the trusted party is employed as a delivery channel whereas in off -line protocols the trusted party is involved only in case of dispute. On-line protocols require the presence of the T T P in every transaction and, usually, do not provide confidentiality of the items exchanged. In addition, in some cases, the sender receives a receipt signed by the T T P rather than by the original recipient of the message. In off-line protocols, the T T P is invoked only under exceptional circumstances, for example in case of disputes or emergencies. B. Preneel (Ed.): CT-RSA 2002, LNCS 2271, pp. 182–199, 2002. c Springer-Verlag Berlin Heidelberg 2002

Stateless-Recipient Certified E-Mail System

183

In a certified e-mail scheme the intended recipient gets the mail content if and only if the mail originator receives an irrefutable proof-of-delivery from the recipient. In this paper we present a certified e-mail system which implements an offline protocol that makes use of verifiable encryption of digital signatures as building block. A verifiable encryption of a digital signature represents a way to encrypt a signature under a designated public key and subsequently prove that the resulting ciphertext indeed contains such a signature. The rest of the paper is organized as follows. The next section discusses related work done in the areas of fair exchange and certified e-mail protocols. Section 3 outlines the certified e-mail protocol used by our system. We analyze the protocol in Section 4. Finally, we discuss the implementation of the system in Section 5.

2

Related Work

One approach in solving the fair exchange problem consists of gradually exchanging information about the items between the two parties. Works in this direction generally rely on the unrealistic assumption that the two parties have equal computational power ([12]) or require many rounds to execute properly ([5]). Another approach focuses on increasing the overall effi ciency by using T T P s. Notable works in this direction are the three-message off-line protocol for certified e-mail presented in [18] and the effi cient off-line fair exchange protocols in [1,2,7]. The protocol in [1] makes use of verifiable escrow schemes implemented via a cut and choose interactive proof. Although expensive, the protocol provides timely termination assuming only resilient channels. A on-line certified e-mail protocol is presented in[24]. The protocol uses as T T P a number of replicated servers. This has the drawback that each server must be trusted in order to have the protocol working properly. Having only one single compromised server would invalidate the entire scheme. Bahreman and Tygar [6] present an on-line scheme using six messages. The scheme does not address confidentiality from the T T P . An optimal on-line certified e-mail protocol using only four messages is described in [11]. Schneier and Riordan [21] present a protocol where the T T P acts as a public publishing location (which might be implemented as a secure database server). The authors describe both an on-line and an off-line version of the protocol. We note that the off-line solution requires a visible T T P , since the form of the receipt changes depending on whether the trusted entity was invoked or not. Moreover, the T T P must be directly involved in any secondary adjudication as it must provide, in the case involving dispute resolution, an additional signed proof-of-mailing with each query or deposit. Recently, Ateniese et al. [4] have shown how to realize hybrid schemes that combine the strengths of both the on-line and off-line approaches to achieve effi ciency while involving parties that are semi-trusted rather than fully trusted.

184

3

Giuseppe Ateniese and Cristina Nita-Rotaru

An Efficient Off-Line Protocol

In this section, we describe the setting in which we operate and the certified e-mail protocol built via verifiable encryption of RSA-based digital signatures. In the rest of the paper, we will assume that the communication is carried over private and authenticated channels. A certified e-mail protocol should minimally provide: – Fairness: No party should be able to interrupt or corrupt the protocol to force an outcome to his/her advantage. The protocol should terminate with either party having obtained the desired information, or with neither one acquiring anything useful. – Monotonicity: Each exchange of information during the protocol should add validity to the final outcome. That is, the protocol should not require any messages, certificates, or signatures to be revoked to guarantee a proper termination of the protocol. This is important, because if revocation in needed to ensure fairness, then the verification of the validity of the protocol outcome becomes a bottleneck as it requires T T P •s active participation. – T T P invisibility: A T T P is visible if the end result of an exchange makes it obvious that the TTP participated during the protocol. – Timeliness: It guarantees that both parties will achieve their desired items in the exchange within finite time. Occasionally, it is desirable to keep the content of confidential e-mails secret from trusted parties acting as intermediaries. Thus, an optional feature is: – Confi dentiality: In case the exchange is deemed confidential, the protocol should not need to disclose the message contents to any other party excepting the sender and the recipient. 3.1

Our Setting and Verifi able Encryption of RSA Signatures

Let n be the product of two large primes p and q, such that factoring n is computationally infeasible without knowing p or q. It is generally convenient to work inside some cyclic subgroup of large order. For that reason, we generate p and q as safe primes, i.e., p = 2p′ + 1 and q = 2q ′ + 1 where p′ and q ′ are primes. We then consider the subgroup QR(n) of quadratic residues, i.e., QR(n) contains all the elements y such that there exists x with y = x2 . It is easy to see that QR(n) is a cyclic group of order p′q ′. Finding a generator is also straightforward: randomly select g¯ and compute the generator g = g¯2 . Since elements in QR(n) have orders p′, q ′, or p′q ′, the order of g will be p′q ′ with overwhelming probability. We can also describe a proof of knowledge that allows a prover to convince a verifier of the equality of discrete logarithms. Let g, h ∈ QR(n) be publicly known generators. The prover selects a secret x and computes y1 = g x and y2 = hx . The prover must convince the verifier that: Dlogg y1 = Dlogh y2 .

Stateless-Recipient Certified E-Mail System

185

The protocol, drawn from [9], is run as follows: 1. The prover randomly chooses t and sends (a, b) = (g t , ht ) to the verifier. 2. The verifier chooses a random challenge c ∈ {0, 1}160 and sends it to the prover. 3. The prover sends s = t − cx mod p′q ′ to the verifier. 4. The verifier accepts the proof if: a = g s y1c and b = hs y2c . To turn the protocol above into a signature on an arbitrary message m, the signer can compute the pair (c, s) as: c = H(m y1 y2 g h g t ht ), s = t − cx mod p′q ′. where H(·) is a suitable hash function. To verify the signature (c, s) on m, it is suffi cient to check whether c′ = c, where c′ = H(m y1 y2 g h g s y1c hs y2c ). Following the notation in [3], we will denote an instance of this signature technique by EQ DLOG(m;g1x , g2x ; g1 ,g2 ). Substantially, EQ DLOG(·) is a Schnorrlike signature [23] based on a proof of knowledge performed non-interactively making use of an ideal hash function H(·) (`a la Fiat-Shamir [14]). In [3] it is shown that it is possible to define very effi cient protocols for verifiable encryption of several digital signature schemes. Given an instance S of a digital signature on an arbitrary message, we say that V E(S) is a T T P verifiable encryption of S, if such an encryption can be verified to contain S in a way that no useful information is revealed about S itself. Only T T P is able to recover the signature from the encryption V E(S). We focus our attention on RSA signatures [22], that is, if (e, n) is a public key with e prime then the secret key is d such that ed ≡ 1 mod 2p′q ′. To sign a message m, it is suffi cient to compute C = R(m)d , where R(·) is a publicly known redundancy function as defined in PKCS#1, ISO/IEC 9796, etc. (see [17] p. 442). For the sake of simplicity, we employ the hash-and-sign paradigm and assume that R(·) is a suitable hash function such as SHA-1. The signature is accepted only if C e = R(m). The encryption algorithm used to encrypt the RSA signature is the ElGamal algorithm: given a secret key x and a corresponding public key g x , a message s is encrypted by generating a random r and computing K1 = sg xr , K2 = g r . The value s can be recovered by computing s = K1 /(K2 )x . Each user first runs a one-time initialization phase by which the user and the trusted third party T agree on common parameters. More specifically (see [3] for details): 1. The user, U say, sends (e, n) to T ; 2. T authenticates the user then selects a random base g¯ and a random exponent x. It computes g = g¯2 and sends CERTT :U = SignT (g, y = g x , U, (e, n)) to the user, where SignT (·) denotes a signature computed by T .

186

Giuseppe Ateniese and Cristina Nita-Rotaru

It is assumed that the user provides a proof of n being a product of safe primes (see [8]). The signature CERTT :U is a publicly known certificate and, in a real-world implementation, will contain relevant information including protocol headers, timestamp, transaction ID, and certificate lifetime. Notice that, the trusted party T does not need to store the secret exponent x for each user. In fact, such a secret can be inserted into CERTT :U encrypted via a symmetric encryption algorithm. Thus, T needs to store only one value, the symmetric key, for all the users. The computation of a verifiable encryption of a RSA signature on a message m is performed as shown in [3]. In particular, the user U encrypts via ElGamal the signature R(m)d by computing a random r and: K1 = R(m)2d y r and K2 = g r . Notice that, the signature R(m)d is squared to make sure that the value encrypted belongs to the set of quadratic residues QR(n). Then, the user provides evidences that the encryption has been correctly computed by showing that: Dlogye (K1e /R(m)2 ) = Dlogg (K2 ), and this is done via EQ DLOG(·) w.r.t. the message m. (Observe that the verifier should recover the bases y = g x and g from CERTT :A .) We will denote the verifiable encryption of a RSA signature, R(m)d , with V ET (R(m)2d ). Let U denote a generic user, the value V ET (R(m)2d ) contains: CERTT :U , the ElGamal encryption of R(m)2d , and the signature of knowledge of the equality of discrete logarithms (EQ DLOG(·)). 3.2

The Protocol

A certified e-mail protocol using verifiable encryption is shown in Figure 1. Consider a scenario in which the sender A sends a message to B and wants a receipt signed by B in exchange. The recipient B has to generate and sign the receipt before being able to read the content of the message. The protocol has to provide fairness, specifically, it must ensure that the sender receives the receipt if and only if the recipient can read the message. The protocol is designed so that the T T P is invoked only in case of dispute. As long as both A and B are honest, there is no need to involve the trusted entity in the protocol. This is a big advantage compared to on-line protocols in which a trusted entity is needed for each transaction. Moreover, the protocol is designed to make sure that A cannot misbehave. Only B is allowed to cheat by not sending the message in the last step. This feature is highly desirable in the setting of certified e-mail, as the recipient would prefer to assume a passive role rather than being actively involved in dispute resolutions. Notice that, in a certified e-mail protocol, the sender initiates the exchange process, thus it is natural to desire that the recipient of the message be relieved by any burden caused by malicious senders.

Stateless-Recipient Certified E-Mail System

187

User B receives the certificate CERTT :B by engaging in an initialization phase with the trusted party T as explained in the previous section. Similarly, B•s public key is (e, n) with e prime and n product of safe primes and QR(n) is the subgroup of squares in which we operate. The protocol consists of the following steps (operations are taken modulo n): – Step 1 The sender A selects a random r, computes y = re R(m), and signs it including a protocol header P H. Such a signature, denoted by SA , is sent to B. – Step 2 The recipient B squares y and computes (y 2 )d = r2 R(m)2d . It then computes the verifiable encryption of y 2d , V ET (y 2d ), and sends the result to A. However, B has to sign the result in order to include a protocol header P H and the sender•s signature SA . More importantly, B•s signature (SB ) makes it possible to neutralize malleability attacks against the ElGamal encryption and also preserves B•s protocol view at that specific point in time. – Step 3 After receiving the message from B, A verifies the signature and that the encryption contains the correct receipt. If that is the case, A sends m to B. – Step 4 The recipient B reads the message m and sends the receipt Rec = R(m)d to A.

S A = Sign A (PH, y = r e R(m)) S B = Sign B (PH, S A , VE T (y 2d ) )

A

m

B

Rec = R(m) d

Fig. 1. Off-line certified e-mail protocol via verifiable encryption of RSA signatures

Notice that, a certified e-mail protocol is not a simultaneous exchange of items but rather a asymmetric exchange since the message has to be sent first to allow the recipient to compute a corresponding receipt based on the message received. This fact has some positive side effects on our scheme. For instance, the recipient does not need to include any time limit into the signature SB since the decisions of sending a particular message and when this has to happen are taken exclusively by the sender. If B does not send the receipt in Step 4, then A contacts the trusted entity and both run the following protocol:

188

Giuseppe Ateniese and Cristina Nita-Rotaru

– Step 1 A sends B•s signature, SB , to the T T P along with r and m. – Step 2 The T T P verifies first the signatures SA and SB (SA is contained in SB ). Then, it recovers y 2d from the verifiable encryption and computes y d (see Remark 2 below). Finally, the T T P checks whether the value s = y d /r is indeed a valid signature of the message m under B•s public key (i.e, it checks whether se = R(m)). If so, it sends s to A and forwards m to B. The T T P has to forward the message m to B to nullify any attempts of the sender A to successfully retrieve a receipt without revealing the message m to B. Specifically, A may not have sent the message m in Step 3 above. The protocol fairness is built around the assumption that the sender A can verify that the verifiable encryption indeed contains a valid receipt. Only the T T P can recover the receipt from the verifiable encryption. Remark 1. The protocol headers, P H and P H, contain relevant information such as the identities of the parties involved (A,B, and T T P ), the cryptographic algorithms employed, timestamps and transaction IDs to prevent replay attacks, and other pertinent information about the protocol. Remark 2. Notice that, the recipient B squares the value y = re R(m) sent by A to make sure that it is signing an element of the set QR(n) (d is odd since e is prime). Only the recipient B knows the factorization of n and it is usually infeasible to compute square roots modulo n without knowing the factors of n. However, given z = y 2d , the T T P can effi ciently compute y d by employing the following well-known method, based on the Euclidean algorithm, which we report here for convenience: 1. observe that z e = y 2 and that gcd(e, 2) = 1; 2. we can use the extended Euclidean algorithm to compute two integers u, v such that u2 = 1 + ve in ZZ; 3. raising both terms of the equation z e = y 2 by u, we obtain: z ue = y u2 = y 1+ve = yy ve 4. thus we have: z ue y −ve = y, or (z u y −v )e = y; 5. it is now clear that the term z u y −v is congruent to y d (modulo n). Remark 3. In our protocol, the sender A has to reveal the message m to the T T P in case of dispute. If message privacy has to be preserved, it is suffi cient to substitute m with P H||PB (m) in the protocol above, where PB (·) represents the public-key encryption under B•s public key and P H is a protocol header. Notice that the receipt assumes a new format: Rec = R(P H||PB (m))d , which has to be interpreted in a special way: it is considered a valid receipt of the message m only when accompanied by m and P H such that: (Rec)e = R(P H||PB (m)).

Stateless-Recipient Certified E-Mail System

189

The public-key encryption PB (·) should be deterministic or, if randomized, the sender A must reveal the random parameters used to encrypt the message. The approach we have taken for the implementation of the protocol is to encrypt the message m as Ek (M ACl (m)||m), PB (k||l), where: k, l are random secret values; M ACl (·) is a MAC function, such as HMAC-SHA-1; PB (·) is a deterministic public-key encryption algorithm, such as plain RSA; Ek (·) is a symmetric-key encryption algorithm, such as AES in CBC mode. The new protocol header P H has to be checked, either by B or the T T P , to contain the correct information relevant to the protocol. Moreover, it has to clearly state that the receipt Rec has to be interpreted in the special way described above. Remark 4. The certified e-mail protocol presented above works for RSA signatures but can easily be extended to work for other schemes based on a similar setting such as Rabin and Guillou-Quisquater [16] signature schemes, or provably unforgeable signature schemes such as Cramer-Shoup [10] and Gennaro-HaleviRabin [15]. In [3], it is shown how to extend the verifiable encryption protocol to work with such popular signature schemes.

4

Analysis and Comparisons

In this section we present an analysis of our protocol and we compare it with the state-of-the-art in the field. Our claim is the following: Claim: The protocol above is a certified e-mail protocol which provides fairness, monotonicity, timeliness, and T T P invisibility. Moreover, the protocol optionally provides confidentiality of the message, i.e., the arbitration can be performed without revealing the e-mail content to the trusted intermediary. Sketch: Clearly our protocol provides T T P invisibility since the structure of the receipt does not indicate whether the T T P was involved or not in dispute resolutions. The protocol provides also monotonicity since any signature (including the receipt) will not be revoked in order to guarantee a proper termination of the protocol. Confidentiality is achieved by encrypting the actual message content in such a way that only the recipient can open it and this is achieved through standard encryption technology. We assume only resilient channels. A resilient channel will eventually deliver a message sent through it within a time lapse which may be arbitrarily long, yet finite. Moreover, the recipient does not need to include any time limit into the signature SB and the sender A has the ability to decide to abort the protocol and adopt a scheme for protocol resolution that can be executed in a finite period of time. Therefore, our protocol provides timeliness. Regarding fairness, it is suffi cient to prove that: a message is read by the recipient B if and only if the sender A gets the corresponding receipt. Observe that the first two messages of our protocol are used just to collect evidences by which the sender A can solve disputes by interacting with the T T P . If the

190

Giuseppe Ateniese and Cristina Nita-Rotaru

T T P is not invoked then the relevant protocol messages are only those in Step 3 and Step 4 where a message m is sent in exchange of the corresponding receipt. Therefore, fairness is preserved in this case. If the T T P is invoked (by A) then B•s signature (SB ) will be sent to the T T P along with the message m and the blinding factor r. The T T P will compute y d from the verifiable encryption and will check whether: (y d /r)e = R(m). If that is the case, then A and B receive y d /r and m, respectively. Hence, even in this case fairness is preserved since the sender will receive a signature on a message which is forwarded to the recipient. ⊓⊔ It is interesting to notice that the recipient does not need to contact the T T P in case of dispute. This feature makes our protocols very attractive in realworld environments in which recipients would prefer to assume a passive role rather than being actively involved in dispute resolutions caused by malicious senders. More importantly, the recipient is stateless in the sense that it does not need to store state information regarding the transactions in which he is involved1 . Indeed, the recipient may not store anything about the first two steps of the protocol and, in principle, the message embedded by the sender in the value y in Step 1 of the protocol could be different from the message sent in Step 3. Obviously, this does not violate the fairness property since the sender A cannot use the message in Step 2, since it is encrypted, unless he contacts the T T P . However, the T T P will always forward the corresponding message to B, thus neutralizing de facto any attempt of the sender to force an outcome of the protocol to his advantage. We compare now our protocol with previously proposed protocols. Some of the off-line protocols are not monotonic, for instance, the protocol in [2] requires signatures to be revoked in order to guarantee fairness. Among monotonic and off-line protocols, we believe those in [18,1] represent the state-of-the-art in the field. The work of Micali [18] shows that it is possible to achieve a simple certified e-mail protocol with only three messages (one less than our protocol). However, it should be noticed that: 1. the recipient of the message has to be actively involved in the dispute resolution and is forced to keep state; 2. a time limit has to be incorporated into the message by the sender to force the recipient to send the receipt within a specified period of time. This has to be done in order to guarantee fairness; 3. a reliable channel (as opposed to a resilient channel) is required between the recipient and the trusted third party. A channel is reliable when it is always operational and operates without delays. It is very diffi cult to build a reliable channel in some network environments, such as wireless networks. This fact may limit the applicability of the protocol in 1

Notice however that implementations of the certified email scheme may require the recipient to store certain state information.

Stateless-Recipient Certified E-Mail System

191

[18]. Furthermore, for each message received, the recipient is forced to communicate with the trusted intermediary in case of dispute and such a communication has to happen before the time limit expires. The work in [1] presents a fair-exchange protocol which is provably secure in the random oracle model. The authors specialize their protocol to work as an off-line certified e-mail scheme that, similarly to our protocol, requires only resilient channels. Their protocol is based on verifiable escrow schemes, which essentially are verifiable encryptions where each encryption comes with an attached condition that specifies a decryption policy. As our scheme, their protocol works for a broad range of signature schemes. However, the scheme in [1] has some drawbacks, in particular: 1. it is expensive in terms of communication complexity, performance, and amount of data transmitted. This is mainly due to the cut-and-choose interactive proof technique employed to achieve a verifiable escrow. 2. the recipient has to keep state and both the sender and the recipient have to be actively involved in dispute resolutions; 3. the trusted third party needs to keep state. Notice that both protocols [18,1] and the version of our protocol that provides confidentiality are invasive, that is, the receipt generated by the receiver is not a regular signature but has to be interpreted in a special way. Our original protocol, however, is non-invasive as the receipt is precisely the signature of the recipient on the message received. We believe it is important to have a stateless recipient who is not involved in dispute resolution protocols. Imagine a scenario in which a user receives hundreds of messages and is forced to keep track of all of them, store state information, and engage in protocol resolutions with the T T P in case of dispute. This may be very unappealing for users, in particular for those operating in environments where servers may frequently crash, losing state information. In some case (such as in [18]), operations have to be made before a time limit expires which may make even impossible to guarantee fairness in some environments. Stateless-recipient protocols may be very useful when users are equipped with mobile devices such as cellular phones or wireless PDAs. Indeed, mobile devices are often switched off, which may cause some time limits to expire without giving the possibility to run any dispute resolution protocol2 .

5

System Architecture

In this section we present a description of the system we implemented. First, we give a brief overview of the technology behind electronic mail systems, then we show how to establish forms of interaction between our system and other 2

For instance, it is required to leave mobile devices off in proximity of hospitals or inside airplanes. Devices could also turn themselves off when, for instance, batteries are flat.

192

Giuseppe Ateniese and Cristina Nita-Rotaru

standard modules involved in the process of delivering electronic mail contents and, finally, we describe in detail our system. We called our prototype implementation TURMS, an Etruscan god, messenger of the gods and guide of the deceased to the underworld. 5.1

Overview of Electronic Mail

Electronic mail is today probably one of the most used services on the Internet. It provides support to send a message to a destination. The message is passed from one computer to another, often through computer networks and/or via modems over telephone lines. The process of sending, delivering and receiving e-mail is specified in some standards and makes use of three types of programs, each of them with a specific task. A Mail User Agent (MUA) is a program that allows the user to compose and read electronic mail messages. It provides the interface between the user and the Mail Transfer Agent (MTA). Outgoing mail is passed to an MTA for delivery while the incoming messages are picked up from a MTA. A MUA can also pick up mail remotely from, for instance, a POP3 server, via POP3 protocol. A Mail Transfer Agent (MTA) is a system program which accepts messages from the MUA and routes them to their destinations. It sometimes delivers mail into each user•s system mailbox. A MTA can also communicate with other MTA programs via the SMTP protocol, in order to deliver mail remotely. MTAs are responsible for properly routing messages to their destination, using so-called Mail eXchanger (MX) records. Mail eXchanger records are maintained by domain name servers (DNS) and tell MTAs where to send mail messages. More precisely, they tell an MTA which intermediate hosts should be used to deliver a message to the target host. The MX records vary depending on the domain. A Mail Delivery Agent (MDA) is used to place a message into a user•s mailbox. When the message arrives at its destination, the MTA will give the message to the appropriate MDA, who will add the message to the user•s mail-box. Our system works at the transport level, in connection with Exim [13], a mail transport agent. This approach has the advantage that allows a TURMS user to handle mail using theoretically any MUA. 5.2

TURMS and Exim

Exim [13] is a mail transfer agent developed at the University of Cambridge designed to work effi ciently on systems that are permanently connected to the Internet and are handling a general mix of mail. In addition, with special configuration, Exim can act as a mail delivery agent. Exim was built having a decentralized architecture, so there is no central process performing overall management of mail delivery, but some DBM files are maintained to make the delivery more effi cient in some cases. The system implements flexible retry algorithms, used for directing and routing addresses and for delivery.

Stateless-Recipient Certified E-Mail System

193

The system can handle a number of independent local domains on the same machine and provides support for multiple user mailboxes controlled by prefixes or suffi xes on the user name.

Mail User Agent

Mail User Agent

Mail Delivery Agent

Mail Delivery Agent Turms Agent

Mail Transfer Agent

Turms Agent Mail Transfer Agent Exim

Exim

Fig. 2. TURMS and Exim communication

The main delivery processing elements (drivers) of Exim are called directors, routers, and transports. A director is a driver that operates on a local address, either determining how to deliver the message, or converting the address into one or more new addresses (for example, via an alias file). A local address is one whose domain matches an entry in the list given in the •local domains• option, or has been determined to be local by a router. The fact that an address is local does not imply that the message has to be delivered locally; it can be directed either to a local or to a remote transport. A transport is a driver that transmits a copy of the message from Exim to some destination. There are two kinds of transport: for a local transport, the destination is a file or a pipe on the local host, while for a remote transport the destination is some other host. A message is passed to a specific transport as a result of successful directing or routing. If a message has several recipients, it may be passed to a number of different transports. A router is a driver that operates on an apparently remote address, that is an address whose domain does not match anything in the list given in •local domains•. When a router succeeds it can route an address either to a local or to a remote transport, or it can change the domain, and pass the address on to subsequent routers. Our system takes advantage of the following features of Exim: the ability to allow a message to be piped to another program, the possibility to have multiple user mailboxes controlled by prefixes or suffi xes on the user name and the ability to send messages (to remote or local e-mail addresses) using Exim. These features allow a process, the Turms agent, to intercept messages before they are delivered to a user and process them. Also, when needed, auxiliary messages can be generated by the TURMS agent and sent using Exim. The message exchange mechanism between a local TURMS agent and Exim is presented in Figure 2. Special entries in Exim•s configuration file indicate to

194

Giuseppe Ateniese and Cristina Nita-Rotaru

# directors configuration section turms_handler: driver = pipe 1 command =‘‘/bin/turms_agent$ {local_part}’’ user = crisn group = users # transport configuration section turms: driver = smartuser 2 transport = turms_handler 3 prefix = turms−

Fig. 3. Exim configuration file - TURMS entries

Exim that mail delivered to an user containing a certain prefix, turms- in our case (see Figure 3, Mark3), to be delivered using a specific transport, turms handler in our case (see Figure 3, Mark 2). The transport specified for that prefix is a pipe to a program, Turms agent (see Figure 3, Mark 1). This way, the message send to a local or remote user is delivered to a local Turms agent program. When Turms agent receives a message, it processes it according to the protocol specifications, it generates a new message and it sends it to the real user using Exim. If the message is sent to a domain for which Exim does not do local delivery, the message will be sent via SMTP to another Exim server on another machine. There, because of the prefix mechanism, the message will be delivered to a local Turms agent process which in turn will send a message to the local user, by using Exim. If the message is sent to a domain for which Exim does local delivery, the message will be delivered either to the end user or the Turms agent, depending on the protocol. The delivery address specifies to Exim if the destination is a Turms agent process or a local user inbox. Note that all the Exim servers running the certified e-mail protocol need to be configured to deliver special messages to a local TURMS agent, responsible of implementing the certified e-mail protocol. 5.3

System Implementation

We have actually implemented a slightly modified version of the protocol in Section 3.2. In particular, the value y in Step 1 is now M ACk (m), for a suitable MAC function such as HMAC-SHA-1. In Step 3, the sender reveals m and also k and the recipient checks whether the message m is the same received in Step 1. The receipt is a signature on the MAC function. The protocol itself requires an initialization phase which has to be done only once, and in case of dispute, a recovery phase. We provide support for all of these operations. The system consists of a web-based interface, Turms CA, providing support for the initialization and recovery off-line phases, and of an MTA, Turms agent, implementing the certified e-mail protocol.

Stateless-Recipient Certified E-Mail System

195

One of the design features we considered was encapsulating all the cryptographic operations in a library, used by both Turms CA and Turms agent. The library makes use of the openssl [19] library and provides facilities such as: strong RSA keys generation and managing, TURMS certificate definition and management (generating, signing, verifying), operations on Schnorr-like objects used in our protocol, RSA verifiable encryption definition and management (generation, verifying, ability to extract the RSA signature out of the verifiable encryption). In addition, the library also provides conversion from the computation data format (openssl specific data structure) to communication format for both verifiable encryption and TURMS certificate entities. For each of these data structures, the library provides a simple and easy to use API. Turms CA provides an interface allowing users to register and to obtain a certificate. The user submits his public RSA key along with some additional information and will receive the corresponding TURMS certificate In addition, for each user, we have decided to save the corresponding secret of the CA rather than incorporating it into the certificate This secret is used to extract RSA signatures out of a verifiable encryptions. Turms CA can also solve disputes. A user can submit a claim including the verifiable encryption file and the message. The CA computes the signature out of the verifiable encryption information, then sends the signature to the user that submitted the claim and the message to the user whose verifiable encryption was submitted. The core of the system is the Turms agent program which implements the certified e-mail protocol. Turms agent is a stateless program, a different instance of the program is invoked with every new message. The state of the protocol for different messages is saved on the disk. Every state of the protocol for a message has a correspondent file saved on disk. A message is uniquely identified by a concatenation of the process id, host id and current time. Every state also has a unique identifier associated with it. The security of the channel between two Turms agents is achieved via Blowfish encryption with a size key of 16 bytes. We used an HMAC with a key size of 10 bytes to obtain a randomized one-way function of the message. Turms agent also logs for each transaction information about the main important steps. The protocol consists of a sequence of actions taken by a Turms agent program upon receiving a message. Every message is associated with a specific transaction. The type of the message along with the transaction identifier are specified in the destination address. A transaction is opened when a user attempts to send a certified e-mail message and it ends in one of the following cases: the exchange was performed correctly, the exchange was canceled, or the exchange started but the recipient did not send the receipt. The protocol uses the following types of messages: – Original Mess is the message that has to be sent. It is generated by a MUA, no transaction identifier or type is associated with it. – Hmac Mess contains the value of an HMAC function applied on the body of an Original Mess. It is generated by a T urms agent.

196

Giuseppe Ateniese and Cristina Nita-Rotaru

– Invitation Mess is the message that notifies a user about a certified e-mail message. It is generated by a T urms agent. – Cancel Mess is an Invitation Mess which has the Subject field consisting only of the word •Cancel• indicating that the transaction was refused. The body of the message is ignored. It is generated by a MUA, in reply to an Invitation Mess coming from a T urms agent. – Accept Mess message is similar as structure with the Cancel Mess, but the Subject field consists of the word •Accept• indicating that the transaction was accepted. The body of the message is ignored. It is generated by a MUA, in reply to an Invitation Mess coming from a T urms agent. – Transaction Canceled Mess indicates that a transaction was canceled. It is generated by a T urms agent. – Verifiable Encryption Mess contains a verifiable encryption message. It is generated by a T urms agent. – Original Mess and Key contains the body of an Original Mess and the key used to compute the HMAC value applied on the Original Mess that was sent in the corresponding (has the same transaction identifier) Hmac Mess. It is generated by a T urms agent. – Signature Mess contains a RSA signature of an HMAC value of an Original Mess message. It is generated by a T urms agent. In response to an event, a T urms agent can take actions that will result in sending messages and/or saving additional data on the disk. Consider a scenario in which the sender A wants to send a certified e-mail to B. We make use of the following notation: A•s domain is denoted by domainA and B•s domain is denoted by domainB , the T urms agent programs corresponding to A•s mail server and B•s mail server are denoted by turms agentA and turms agentB , respectively . Finally, userA and userB represent the MUAs at A•s site and B•s site, respectively. The protocol consists of the following steps: Step 1. userA sends the Original Mess message. userA sends the Original Mess message to an alias defined for B, certif ied B say, which includes the address to which the mail is sent. The address should be prefixed with the prefix specified in the Exim configuration file (see Figure 3), should be sent to the local mail server and should contain enough information to allow to recover the actual remote address. Exim will deliver the message via the pipe transport to the turms agentA program. The result of this step is that turms agentA will receive the Original Mess. Step 2. turms agentA receives the Original Mess message. When the message is received by turms agentA , the agent creates a unique identifier for this new transaction: timestamp − process id − host id. Then it processes the message, saves the body of the message along with some header information. It generates a key that will be used to compute a HMAC of the body of the message, saves the key on the disk, computes HMAC of the message, saves the content of the message, recovers the real address, generates a Hmac Mess with the HMAC value just computed and sends it to turms agentB . The type of the message along with

Stateless-Recipient Certified E-Mail System

197

the identifier is specified in the address. Also the reply address is updated such that the mail appears as coming from a turms agent (by adding the prefix). The result of this step is that turms agentB will receive a Hmac Mess. Step 3. turms agentB receives the Hmac Mess message. When turms agentB receives the Hmac Mess, it saves this information on the disk and generates an Invitation Mess, and sends it to userB , notifying about a certified e-mail message for him, and asking him to reply to this message with •Accept• written in the subject, if he accepts the message, or •Cancel• if he refuses it. The result of this step is that userB will receive an Invitation Mess. Step 4. userB receives the Invitation Mess message. When userB receives the Invitation Mess, he will reply either with •Accept• or •Cancel• in the subject. The result of this step is that turms agentB will receive either an Accept Mess or a Cancel Mess. Step 5. turms agentB receives the Cancel Mess message. When turms agentB receives the Cancel Mess, it generates and sends two Transaction CanceledMess messages, one to userB and the other to turms agentA . The transaction is closed. The result of this step is that both userB and turms userA will receive a Transaction Canceled Mess. Step 6. turms agentB receives the Accept Mess message. When turms agentB receives the Accept Mess, it recovers the HMAC value of the message from the disk, then computes the verifiable encryption of B•s signature, and generates a Verifiable Encryption Mess message and sends it to turms agentA . The result of this step is that turms agentA will receive a Verifiable Encryption Mess. Step 7. turms agentB receives the Transaction Canceled Mess message. When turms agentB receives the Transaction Canceled Mess, he sends it to userA and deletes the HMAC and the OriginalL Mess information saved on the disk in step 2. The result of this step is that userA will receive a Transaction Canceled Mess. Step 8. turms agentA receives the Verifiable Encryption Mess message. When turms agentA receives the Verifiable Encryption Mess, it verifies that the message indeed contains a RSA signature. If yes, it recovers from the disk both the body of the Original Mess and the key used to compute HMAC value, generates the Original Mess and Key message by concatenating the key to the message and then sends it to turms agentB . Also the Verifiable Encryption Mess is sent to userA . The result of this step is that turms agentB will receive an Original Mess and Key message and userA will receive a Verifiable Encryption Mess. Step 9. turms agentB receives an Original Mess and Key message. Upon receiving an Original Mess and Key message, turms− agentB computes a HMAC on the body the received message with the key he just received and it compares it with the HMAC data saved on the disk in Step 2. If they are the same, it computes B•s RSA signature on the HMAC, generates a Signature Mess message and sends it to turms agentA . If the two HMAC values are not the same, then turms agentB generates and sends two Transaction Canceled Mess messages, one to userB and the other to turms agentA . The result of this step consists of two messages: userB receives the Original Mess and turms agentA

198

Giuseppe Ateniese and Cristina Nita-Rotaru

receives a Signature Mess, or both userB and turms agentA receive a Transaction Canceled Mess. Step 10. turms agentA receives a Signature Mess message. When turms agentA receives Signature Mess, it sends it to userA and cleans all the auxiliary files used during the transaction. In order to have the protocol described above working correctly in the case when the message contains one or more attached files, some additional processing needs to be done: the corresponding MIME information from the message header needs to be saved when the original message is processed. This information is used when the message is finally sent to the user (step 7), to make sure that MUA understands that the message carries some attached files. We used the following set up for developing and testing our system. The web interface running on a Linux machine dual 450MHz Pentium II, 128MB RAM, running Apache Web Server. We tested our system in a configuration of two virtual domain names (securemail1.cs.jhu.edu and securemail2.cs.jhu.edu), each served by an Exim server version 3.14. The machines were 300MHz Pentium II, 256 Mb RAM, Linux boxes (2.16 kernel). The program PINE [20] was used as Mail User Agent.

6

Conclusions

We presented a very effi cient off-line certified e-mail system. Both the recipient and the T T P can be set to be stateless and the recipient can assume a passive role without being involved in dispute resolutions so that the burden of solving a dispute is given only to the sender, the initiator of the protocol. We implemented a prototype (TURMS) of the protocol and we reviewed some of the technology available today that could be employed to effectively build any certified e-mail system.

Acknowledgements We would like to thank Theo Schlossnagle for his helpful suggestions on setting up the testing environment. Many thanks to the anonymous referees for their insightful comments.

References 1. N. Asokan, V. Shoup, and M. Waidner, “Optimistic fair exchange of digital signatures,” IEEE Journal on Selected Area in Communications, 2000. 2. N. Asokan, V. Shoup, and M. Waidner, “Asynchronous protocols for optimistic fair exchange,” in Proceedings of the IEEE Symposium on Research in Security and Privacy (I. C. S. Press, ed.), pp. 86–99, May 1998. 3. G. Ateniese, “Efficient verifiable encryption (and fair exchange) of digital signatures,” in Proceedings of the 6th ACM Conference on Computer and Communications Security, ACM Press, 1999.

Stateless-Recipient Certified E-Mail System

199

4. G. Ateniese, B. de Medeiros, M.T.Goodrich. TRICERT: Distributed Certified Email Schemes. In ISOC 2001 Network and Distributed System Security Symposium (NDSS’01), San Diego, CA, USA, 2001. 5. M. Ben-Or, O. Goldreich, S. Micali, and R. Rivest, “A fair protocol for signing contracts,” IEEE Transactions on Information Theory IT-36(1), pp. 40–46, 1990. 6. A. Bahreman and J. D. Tygar, “Certified electronic mail,” in Proceedings of Symposium on Network and Distributed Systems Security (I. Society, ed.), pp. 3–19, February 1994. 7. F. Bao, R. H. Deng, and W. Mao. Efficient and Practical Fair Exchange Protocols with Off-line TTP. In IEEE Symposium on Security and Privacy, Oakland, California, 1998. 8. J. Camenisch and M. Michels. Proving in zero-knowledge that a number is the product of two safe primes. In Advances in Cryptology – EUROCRYPT ’99, Lecture Notes in Computer Science, Springer-Verlag, 1999. 9. D. Chaum and T. Pedersen. Wallet databases with observers. In Advances in Cryptology – Crypto ’92, pages 89-105, 1992. 10. R. Cramer and V. Shoup. Signature Schemes Based on the Strong RSA Assumption. In 6th ACM Conference on Computer and Communication Security, ACM Press, 1999. 11. R. H. Deng, L. Gong, A. Lazar, and W. Wang, “Practical protocols for certified electronic e-mail,” Journal of Networks and Systems Management, vol. 4, no. 3, pp. 279–297, 1996. 12. S. Even, O. Goldreich, and A. Lempel, “A randomized protocol for signing contracts,” Comm. ACM 28, no. 6, pp. 637–647, 1985. 13. “http://www.exim.org.” 14. A. Fiat and A. Shamir. How to prove yourself: practical solutions to identification and signature problems. In Advances in Cryptology – CRYPTO ’86, volume 263 of Lecture Notes in Computer Science, pages 186–194, Springer-Verlag, 1987. 15. R. Gennaro, S. Halevi, and T. Rabin. Secure signatures, without trees or random oracles. In Advances in Cryptology – EUROCRYPT ’99, volume 1592 of Lecture Notes in Computer Science, pages 123–139, Springer-Verlag, 1999. 16. L. C. Guillou and J. J. Quisquater. A paradoxical identity-based signature scheme resulting from zero-knowledge. In Advances in Cryptology – CRYPTO ’88, volume 403 of Lecture Notes in Computer Science, pages 216–231, Springer-Verlag, 1988. 17. A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone. Handbook of applied cryptography. CRC Press, 1996. ISBN 0-8493-8523-7. 18. S. Micali. Simultaneous electronic transactions. Technical Report 566420, http://www.delphion.com/cgi-bin/viewpat.cmd/US566420 , 1997. 19. OpenSSL Project team, “Openssl,” May 1999. http://www.openssl.org/. 20. Pine Information Center, http://www.washington.edu/pine/. 21. J. Riordan and B. Schneier, “A certified e-mail protocol,” in 13th Annual Computer Security Applications Conference, pp. 100–106, December 1998. 22. R. L. Rivest, A. Shamir, and L. M. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978. 23. C.P. Schnorr. Efficient signature generation by smart-cards. Journal of Cryptology, 4(3):161–174, 1991. 24. J. Zhou and D. Gollmann, “Certified electronic mail,” in Proceedings of Computer Security - ESORICS’96 (S. Verlag, ed.), pp. 55–61, 1996.

R SA -B ased U ndeniable Signat ures for G eneral M o duli St even D. Galbrait h 1 , Wenbo Mao2 , and Kennet h G. Pat erson 3 1

P ure Mat hemat ics Depart ment , Royal Holloway University of London, Egham, Surrey T W 20 0EX, UK [email protected] 2 Mat hemat ics, Crypt ography and Security Group Hewlet t -P ackard Laborat ories, Brist ol F ilt on Road, St oke Giff ord, Brist ol BS34 8QZ, UK [email protected] 3 Informat ion Security Group, Mat hemat ics Depart ment , Royal Holloway University of London, Egham, Surrey T W 20 0EX, UK [email protected]

Gennaro, Krawczyk and Rabin gave t he first undeniable signat ure scheme based on RSA signat ures. However, t heir solut ion required t he use of RSA moduli which are a product of safe primes. T his paper gives t echniques which allow RSA-based undeniable signat ures for general moduli. A b st r a c t .

K e y w o r d s:

1

Undeniable Signat ures, RSA-based Undeniable Signat ures.

Int ro duct ion

Undeniable signat ures were int roduced by Chaum and van Antwerpen [7,8]. T hey off er good privacy for t he signer since signat ures cannot be verified wit hout int eract ion wit h t he signer. Undeniable signat ures (and generalisat ions of t hem, such as confirmer and convert ible signat ures) have various applicat ions in crypt ography [2,3,10]. T he zero-knowledge undeniable signat ure scheme of Chaum [8] works in t he mult iplicat ive group of int egers modulo a prime. Alt hough Chaum, van Heijst and P fit zmann [9] provided an undeniable signat ure scheme wit h security relat ed t o fact oring, before 1997 t here was not a scheme based on t radit ional RSA signat ures. Gennaro, Krawczyk and Rabin [18] were t he first t o obt ain an RSAbased undeniable signat ure scheme. T heir scheme is closely relat ed t o t he scheme of Chaum [8] and bot h schemes have similar security and effi ciency. One significant drawback wit h t he scheme of [18] is t hat it requires t he use of RSA moduli which are product s of safe primes. It was explicit ly st at ed as an open problem in [18] t o provide an undeniable signat ure scheme based on RSA which does not require special moduli. T he goal of t he present paper is t o solve t his problem. B . P r e n e e l ( E d . ) : C T -R S A 2 0 0 2 , L N C S 2 2 7 1 , p p . 2 0 0 – 2 1 7 , 2 0 0 2 .  c S p r in g e r -V e r la g B e r lin H e id e lb e r g 2 0 0 2

RSA-Based Undeniable Signat ures for General Moduli

201

Of course, it is t rivial t o const ruct an undeniable signat ure scheme for general moduli where t he confirmat ion prot ocol has soundness probability 1/ 2, but we seek solut ions where t he confirmat ion prot ocol is more effi cient (possibly at t he expense of more demanding key cert ificat ion). We must ment ion t hat general const ruct ions due t o Michels and St adler [23] and Camenisch and Michels [5] also give solut ions t o t his problem, however t heir syst ems require auxiliary t ools ([23] ut ilises confirmer commit ment schemes, while [5] requires a secure encrypt ion scheme). In t he course of solving t his problem we improve t he effi ciency and zeroknowledge property of t he denial prot ocols for RSA-based undeniable signat ures. T he met hods of t his paper are t herefore a useful addit ion t o t he prot ocol of [18], even when safe primes are being used. 1.1

P ros and C ons of Sp ecial M o duli

T he undeniable signat ure scheme of Gennaro, Krawczyk and Rabin [18] is modelled on RSA [27]. T hus a signat ure on a message m is a number s = m d (mod N ) where N is a product of two primes and where d is an int eger coprime t o ϕ ( N ). T he diff erence between usual RSA signat ures is t hat t he number e such t hat de ≡ 1 (mod ϕ ( N )) is not public, and so an int eract ive proof (preferably zeroknowledge) is required t o confirm t hat s is a valid signat ure for m (i.e. t hat s e ≡ m (mod N )). T his prot ocol relies on a public key having previously been cert ified by an aut hority. T here are various reasons why Gennaro, Krawczyk and Rabin [18] rest rict ed t o t he case where t he RSA modulus N is a product of safe primes (i.e. primes p such t hat ( p − 1) / 2 is also prime) but t he most import ant one is t hat , for product s of safe primes, t he group ZN does not have many element s of small order. If one runs t he scheme of Gennaro, Krawczyk and Rabin [18] wit h a general modulus t hen t here is a high probability t hat a dishonest signer can cheat (see Sect ion 3 for det ails). In general, rest rict ing t o moduli which are a product of safe primes makes many crypt ographic issues easier t o handle. However, t here are several drawbacks of schemes which require special moduli. One ma jor problem is t hat it is necessary for a cert ificat ion aut hority t o guarant ee t he propert ies of t he public key. As we discuss next , none of t he current ly known prot ocols for allowing a user t o prove t o a cert ificat ion aut hority t hat t heir modulus is a product of safe primes are fully sat isfact ory. Gennaro, Micciancio and Rabin [17] have given a very nice prot ocol t o prove t he a number is a product of two quasi-safe primes (i.e. primes p such t hat ( p − 1) / 2 is a power of a prime), but t his is significant ly less t han t he assurance we require. For inst ance, a prime of t he form 2 · 3k + 1 is a quasi-safe prime but a modulus const ruct ed as a product of primes of t his form would be vulnerable t o at t acks such as t hose out lined in Sect ion 3. Camenisch and Michels [4] have given a prot ocol t o prove t hat a number is a product of safe primes. T heir prot ocol requires performing t he Miller-Rabin primality t est in zero-knowledge on a hidden number. It t herefore requires an ∗

202

St even D. Galbrait h, Wenbo Mao, and Kennet h G. P at erson

enormous amount of communicat ion between t he prover and t he cert ificat ion aut hority. T his prot ocol is unsuit able for pract ical applicat ions. Anot her problem is t hat choosing special moduli goes against t he convent ional wisdom in crypt ography of avoiding special cases. Indeed, in Sect ion 8.2.3 of [22] and in [29] it is explicit ly st at ed t hat product s of random primes are advisable for crypt ography. T here are many ot her prot ocols which current ly require moduli which are a product of safe primes [6,14,16,26,28] and it is of great int erest in crypt ography t o provide solut ions which do not require t his assumpt ion. Some recent papers in t his direct ion include [13] and [15]. We hope t hat t he new t echniques int roduced in t his paper might be of wider applicability t o solve ot her problems in t he area. 1.2

Our Work

We provide an undeniable signat ure scheme for general RSA moduli. Our scheme is, in fact , a paramet erised family of crypt osyst ems depending on t hree paramet ers B , K 1 and K 2 . T he number 2 K 1 will be t he probability t hat a dishonest signer Alice will be able t o cheat t he cert ificat ion aut hority (CA) when cert ifying her public key. A value of K 1 should be agreed in advance between Alice and t he CA and could form part of Alice’ s cert ified public key. Similarly 2 K 2 will be t he probability t hat Alice can cheat a verifier Bob in eit her t he confirmat ion or denial prot ocols. We allow diff erent values of K 1 and K 2 for generality. Typical values t hat might be used in pract ice are K 1 = K 2 = 100. T he number 1/ B will be t he soundness probability for each it erat ion of t he signat ure confirmat ion and denial prot ocols. T he number of it erat ions required t o obt ain a cheat ing probability of 2 K 2 will be loKg 2 B . A typical choice of B 2 might be 21 0 in which case 10 it erat ions of our prot ocols are needed for K 2 = 100. T he value of B also det ermines how ‘ special’ t he moduli must be, and accordingly, how expensive public key cert ificat ion is. Essent ially, wit h B chosen, t he modulus N must have t he property t hat ϕ ( N ) is not divisible by any odd primes p < B . Alice will prove t his t o t he CA during key cert ificat ion. Large values of B will give effi cient signat ure and denial prot ocols, but t he moduli N will be rat her special (and t here is necessarily a lot of work required in our process for public key cert ificat ion). In some sense, moduli which are a product of safe primes as in [18] are a limit ing case of our crypt osyst em in which B = N 1 / 4 . Our public key cert ificat ion process has been designed wit h rat her general RSA moduli in mind (i.e. for small values of B ). If special RSA moduli (i.e. larger values of B ) are t o be used t hen cert ificat ion prot ocols should be developed using t echniques like t hose in [5]. Small values of B result in a scheme which does not require special moduli (and for which public key cert ificat ion is relat ively effi cient ), but t he result ing confirmat ion and denial prot ocols require many rounds t o achieve t he desired soundness probability of 2 K 2 . We t herefore have a t unable family of undeniable signat ure schemes. In part icular, we do obt ain an undeniable signat ure scheme which works for complet ely general RSA moduli (see Sect ion 8.4). For a fuller discussion of t he performance of our −







RSA-Based Undeniable Signat ures for General Moduli

203

schemes, see Sect ion 8.3. As we shall see, for t he typical values K 1 = K 2 = 100 and B = 21 0 , t he prot ocols are all perfect ly pract ical. T he next sect ion set s up some not at ion for t he rest of t he paper. In Sect ion 3 we review t he scheme of [18] and indicat e some of t he pit falls in adapt ing t his scheme t o general RSA moduli. Our process for public key cert ificat ion is specified in det ail in Sect ion 4. We emphasise t hat t he cost of cert ificat ion is a one-t ime cost . Our signat ure confirmat ion and denial prot ocols are described in Sect ion 5, wit h proofs of zero-knowledge and security against exist ent ial forgery appearing in t he following two sect ions. One import ant innovat ion here is a new signat ure denial prot ocol which is more effi cient and has a cleaner proof of zeroknowledge t han t he prot ocol used in [18]. In Sect ion 8 we give variat ions of t he scheme which provide confirmer signat ures and convert ible signat ures. We also discuss t he performance of our scheme t here.

2

P relim inary D efinit ions and N ot at ion

Let N be a posit ive int eger. We writ e ZN for t he mult iplicat ive group of int egers modulo N . We writ e Q N for t he subgroup of quadrat ic residues (squares) in ZN . We writ e ϕ ( N ) for t he Euler phi funct ion. A safe prime is an odd prime p such t hat ( p − 1) / 2 is prime. Given any g ∈ ZN we define t he order of g t o be ord( g ) = min { n ∈ Z : n ≥ 1 and g n ≡ 1 (mod N ) } . When N = p 1 p 2 is a product of two dist inct primes t hen every g ∈ ZN has order dividing t he least common mult iple lcm( p 1 − 1, p 2 − 1). ∗







3

T he Schem e of G ennaro, K rawczy k and R abin

In t his sect ion we briefly sket ch t he RSA-based undeniable signat ure scheme of Gennaro, Krawczyk and Rabin [18] for product s of safe primes. We also indicat e why it is nont rivial t o adapt t his t o t he case of a general RSA modulus. Alice possesses a public RSA modulus N , which is assumed t o be a product of two safe primes, and a pair of secret int egers ( e, d ) such t hat ed ≡ 1 (mod ϕ ( N )). Alice’ s undeniable signat ure on a message m ∈ ZN is s = m d (mod N ), i.e. a st andard RSA signat ure. Since e is not public knowledge, it is not possible for Bob t o verify t he validity of t he signat ure s wit hout int eract ing wit h Alice. Inst ead, Alice t he prover and Bob t he verifier engage in a zero-knowledge prot ocol t o show t hat se ≡ m (mod N ). For t his signat ure confirmat ion prot ocol it is necessary t o have some fixed commit ment t o t he value e. T his is achieved in [18] by t aking a random element g ∈ ZN (which can be shown t o have large order in t he case of special moduli) and publishing h = g d (mod N ) T he signat ure confirmat ion prot ocol of [18] (present ed for simplicity in t he case of honest verifiers) is t he following: ∗

1. Given t he public key ( N , g, h ) and an alleged message-signat ure pair ( m , s ) t he verifier chooses random int egers 1 ≤ i , j < N , const ruct s a challenge C = s 2 i h j (mod N ), and sends C t o t he prover.

204

St even D. Galbrait h, Wenbo Mao, and Kennet h G. P at erson

2. T he prover sends t he response R = C e (mod N ) t o t he verifier. 3. T he verifier checks whet her R ≡ m 2 i g j (mod N ). T he signat ure denial prot ocol suggest ed in [18] is an adapt at ion of a prot ocol due t o Chaum (originally developed for t he case of finit e fields Fq ). T he denial prot ocol requires t he prover t o perform an exhaust ive search over k values where k is a security paramet er. T he probability of successful cheat ing by a dishonest prover in t his case is 1/ k . T here is also a minor complicat ion about how abort ing t he prot ocol aff ect s t he zero-knowledge propert ies, t his is handled in [18] by using a commit ment t o zero. ∗

3.1

G eneralising t o G eneral M o duli, P roblem I

In t his and t he next subsect ion we mot ivat e t he need for our more complex prot ocols by considering what happens if t he prot ocol due t o [18] is naively used wit h a general RSA modulus N . T he problems we sket ch should be seen as part of a general phenomenon, t hat prot ocols developed in t he case of finit e fields do not necessarily give rise t o secure prot ocols when working wit h ZN . Let Alice be a dishonest prover. Since Alice cont rols t he fact orisat ion of t he modulus N she can choose N so t hat t here is a small prime ℓ wit h ℓ | ϕ ( N ). She can also find an element α ∈ ZN such t hat α has order ℓ . Suppose Alice publishes a signat ure s = α m d for a message m . What is t he probability t hat Alice can fool a verifier Bob t hat t his is a valid signat ure? In t he confirmat ion prot ocol Alice receives a challenge C = s 2 i h j (mod N ). In general Alice does not know t he value of i , but she can comput e a response R = α r C e (mod N ) where r is chosen at random. If r + 2i e ≡ 0 (mod ℓ ) t hen t he check performed by t he verifier will be sat isfied. Hence t he probability of successful cheat ing is at least 1/ ℓ . Since ℓ can be chosen t o be 3 t his probability is quit e high. T here is an analogous at t ack using element s of order 4 which has probability 1/ 2 of success. Hence t he confirmat ion prot ocol must be execut ed many t imes t o give an assurance t hat t he signat ure is valid. T his is unsat isfact ory. Not ice t hat when N is a quasi-safe prime product (see [17]), using a small ℓ as above will render N vulnerable t o well-known fact oring algorit hms, such as Pollard’ s P − 1 met hod or t he ellipt ic-curve met hod. So if Alice’ s ob ject ive is t o fool Bob wit h reasonable probability and she is not concerned about using a modulus t hat succumbs t o t hese fact oring algorit hms, t hen she can choose t o use a modulus t hat is a product of quasi-safe primes. We will solve t hese issues by giving a met hod for Alice t o cert ify t hat her public key N is such t hat t here are no small (up t o a bound B ) odd primes dividing ϕ ( N ). ∗



3.2

G eneralising t o G eneral M o duli, P roblem II

T here is a more subt le and devast at ing at t ack. Once again suppose Alice is a dishonest signer and suppose t hat (eit her by const ruct ion, or by accident ) her public key element g does not have maximal order in ZN . ∗

RSA-Based Undeniable Signat ures for General Moduli

205

For simplicity of present at ion we suppose t hat t here is a prime q such t hat ( N ) (i.e. q | ϕ ( N ) but q 2  | ϕ ( N )) and q  | ord( g ). We assume t hat q is not t oo large (less t han 80 bit s, say) so t hat t he discret e logarit hm problem in t he subgroup of order q can be solved using st andard met hods. Let α ∈ ZN be an element of order q . Alice const ruct s her public key h = g d (mod N ) as usual. Let m ∈ ZN be any message (it doesn’ t mat t er whet her q | ord( m ) or not ). Suppose Alice publishes s = α m d (mod N ) as her signat ure on m . Consider t he signat ure confirmat ion prot ocol. Alice receives t he challenge C = s 2 i h j . By raising C t o t he power ϕ ( N ) / q and solving a discret e logarit hm problem t o t he base α Alice can det ermine t he value of i (mod q ). Alice can t herefore respond wit h R = α r C e (mod N ) where r = − 2i e (mod q ) is const ruct ed so t hat t he check by t he verifier will always be sat isfied. In ot her words, Alice can fool t he verifier wit h probability one! Similarly, whenever Alice desires, she can successfully run a signat ure denial prot ocol on t hat signat ure. T his is an ext remely severe at t ack on an undeniable signat ure scheme. We address t his problem in our scheme by using a set of generat ors g1 , . . . , gk where we t ake k t o be large enough so t hat t he group generat ed by all t he gi is overwhelmingly likely t o cont ain Q N . q ϕ





4

P ublic K ey C ert ificat ion

Suppose Alice want s t o be able t o generat e undeniable signat ures. Let t he paramet ers B and K 1 be fixed as in Sect ion 2. T he public key for Alice is a t uple ( N , g1 , . . . , gk , h 1 , . . . , h k ) where k is such t hat g1 , . . . , gk generat e a subgroup of ZN which cont ains Q N wit h probability at least 1 − 2 K 1 . For example, for t he typical values B = 21 0 and K 1 = 100 we can t ake k = 11. More generally, we should t ake k so t hat k 2 1 ( B − 1) 1 k < 2 K 1 (see below). T he privat e key is a pair ( e, d ) (t hese values are also defined below). We emphasise t hat t his is diff erent from a st andard RSA public key, which would include t he signat ure verificat ion exponent e. Alice must regist er her public key wit h a CA, who will issue a cert ificat e which confirms t hat Alice’ s public key is suit able for t he undeniable signat ure scheme we propose. T he propert ies of t he public key which must be guarant eed by t his cert ificat e are: ∗









1. N is a product of two prime powers p s1 1 p s2 2 such t hat each p i ≡ 3 (mod 4). (See Sect ion 8.4 for discussion of how t o relax t he assumpt ion t hat p i ≡ 3 (mod 4).) 2. gcd( ∆ , ϕ ( N )) = 1 where ∆ is t he product of all primes 2 < l < B . 3. T he gi are chosen at random in a way which is not cont rolled by Alice. 4. T he gi and h i are correct ly relat ed by h i = gid (mod N ) for some secret int eger d which is coprime t o lcm(ord( g1 ) , . . . , ord( gk )). 4.1

C onst ruct ion of t he M o dulus

T he first st ep of key generat ion for Alice is t o const ruct an int eger N = p 1 p 2 which is a product of two primes such t hat p i ≡ 3 (mod 4). Let B be t he int eger

206

St even D. Galbrait h, Wenbo Mao, and Kennet h G. P at erson

specified in Sect ion 1.2 and which det ermines t he soundness probability of our confirmat ion and denial prot ocol. We demand t hat for all primes 2 < l < B one has l  | ( p i − 1) for i ∈ { 1, 2} . T his means t hat ϕ ( N ) is coprime t o ∆ = primes 2 < l < B l . Alice must prove t o t he CA t hat N is a product of primes p i such t hat p i ≡ 3 (mod 4). T his can be achieved using a prot ocol due t o van de Graaf and Peralt a [19]. T he prot ocol of [19] proves t hat N = p s1 1 p s2 2 where p i ≡ 3 (mod 4) and t he s i are odd int egers. T his is enough for our applicat ion (we do not need t o assume t hat s 1 = s 2 = 1 for our prot ocols) and if a st ronger assurance about t he diffi culty of fact oring N is required t hen more advanced t echniques may be used. 4.2

P ro of T hat ϕ

( N ) D o es N ot H ave Sm all P rim e Fact ors

Alice must prove t o t he CA t hat ϕ ( N ) is not divisible by any odd primes 2 < l < . In Figure 1 we give a prot ocol t o achieve t his in t he honest verifier case. Recall t hat ∆ is t he product of all primes 2 < l < B . So ∆ is approximat ely B bit s in lengt h (for B = 21 0 , ∆ has 1420 bit s). T he prot ocol involves exponent iat ions t o t he power ∆ . For small B , say up t o 21 0 , t his is a perfect ly feasible comput at ion. However, for large B (necessary when a modulus is being cert ified t o be ‘ special’ ), t his becomes infeasible. T he largest B one might wish t o use in pract ice would be, perhaps, B = 22 0 . B

P rot ocol Cert ificat ion–1( N

,∆

).

1. T he CA chooses a random int eger x ∈ Z∗N , comput es t he challenge C = ∆ x (mod N ) and sends C t o Alice. − 1 (mod N ) which is unique when 2. Alice sends t o t he CA t he response R = C ∆ gcd( ϕ ( N ) , ∆ ) = 1. 3. T he CA accept s if R = x . F ig. 1 .

P roof t hat gcd( ∆



( N )) = 1 in t he honest verifier case.

T his prot ocol can be made int o a perfect zero-knowledge prot ocol (i.e. robust against dishonest verifiers) in a st andard way: Replace t he second move (i.e. where Alice sends her response t o t he CA) wit h t he t ransmission of a perfect lyhiding commit ment t o R . T he CA t hen must send x t o Alice, so t hat she can check t hat t he init ial challenge was correct ly formed. Alice can t hen open t he commit ment t o R , allowing t he CA t o see t hat t he response is correct . T heorem 1. L et ( N , ∆ ) be as above. T he prot ocol C er t ifi cat ion –1 has t he follow in g proper t ies: C om plet eness: I f gcd( ∆ , ϕ ( N )) = 1 t hen t he C A w ill alw ay s accept A lice’ s proof.

RSA-Based Undeniable Signat ures for General Moduli

207

Soundness: I f gcd( ∆ , ϕ ( N )) =  1 t hen A lice, even com pu t at ion ally u n bou n ded, can n ot con vin ce t he C A t o accept her proof w it h probabilit y bet t er t han 1/ 3. Zero-know ledge: W hen A lice behaves cor rect ly , t he C A gain s n o in for m at ion abou t A lice’ s pr ivat e in pu t apar t from t he validit y of her pro of. P roof. T he proof of complet eness is immediat e from inspect ion of t he prot ocol.

We focus on t he furt her two propert ies. Soundness: Suppose t hat l is a prime such t hat l | gcd( ∆ , ϕ ( N )). T hen t here are at least l element s of ZN of order l (t here could be l 2 of t hem). Let α ∈ ZN be such an element . Let x ∈ ZN be chosen at random and define C = x ∆ (mod N ). T hen for each 0 ≤ i < l we have C ≡ ( x α i ) ∆ (mod N ). Alice t herefore has no informat ion about which of t he possibilit ies x is t he one chosen by t he CA. Hence Alice cannot respond wit h t he correct value wit h probability bet t er t han 1/ l . T his discussion applies t o all primes 2 < l < B , but in t he worst case (as far as t he CA knows) we have gcd( ∆ , ϕ ( N )) = 3. Zero-know ledge: Alice publishes a perfect ly hiding commit ment t o t he value R and only opens it if t he CA already knows t he value. Hence t he CA learns not hing. ⊓⊔ ∗





T he prot ocol must be repeat ed loKg 1 3 t imes t o achieve a probability of suc2 cessful cheat ing as low as 2 K 1 . T he flows of inst ances of t he prot ocol may all be sent in parallel. It would be very int erest ing t o have an effi cient prot ocol t o prove t hat ϕ ( N ) is coprime t o t he int eger ∆ which has a soundness probability smaller t han 1/ 3. It seems t o be highly non-t rivial t o const ruct such a prot ocol. −

4.3

C onst ruct ion of G enerat ors

T he next st ep of key generat ion is t o const ruct element s g1 , . . . , gk ∈ ZN . We cannot allow Alice t o generat e t hese element s as she might choose t hem t o have small order, in which case at t acks like t hose in Sect ion 3 apply. Hence t he values for t he gi should be generat ed using a prot ocol in which bot h Alice and t he CA joint ly cont ribut e randomness (t his is easy t o achieve using commit ment schemes). Anot her solut ion would be t o let t he CA choose t he values gi (indeed, t hey could even be fixed values for all users). T he reason for choosing many element s gi is t o ensure t hat t he whole of t he subgroup Q N ⊂ ZN is generat ed (see t he at t ack in Sect ion 3.2). A similar t echnique has been used in [25], [15]. T his will be import ant in t he soundness proof of our signat ure confirmat ion prot ocol. Wit h N = p 1 p 2 t he t echniques in [25] and [15] can be used t o show t hat t he number of k -t uples g1 , . . . , gk generat ing all of Q N ⊂ ZN is equal t o ∗





ϕ

where ϕ



(( p 1

k



i= 1

1) / 2) ϕ (( p 2



t

k



e qi i



t

=

ei



t

qi i= 1

1) / 2)



i= 1





1 − qi

k



208

St even D. Galbrait h, Wenbo Mao, and Kennet h G. P at erson

is a generalisat ion of t he Euler phi funct ion. From t his, using est imat es like t hose in [25], we can prove t hat t he probability t hat g1 , . . . , gk generat e all of Q N is at least 2 1− ( B − 1) 1 k k − 1 −

where B is t he bound on t he size of t he prime fact ors of ( p 1 − 1) / 2 and ( p 2 − 1) / 2. We can make t his probability arbit rarily close t o one by t aking k t o be suffi cient ly large. For example, wit h B = 21 0 we can t ake k = 11 t o guarant ee t hat t he gi generat e Q N ⊂ ZN wit h probability at least 1 − 2 1 0 0 In any case, we assume from now on t hat k has been chosen large enough t hat t he gi generat e a subgroup of ZN which cont ains Q N . T he next st ep is for Alice t o choose a secret key pair ( e, d ) such t hat ed ≡ 1 (mod ϕ ( N )). Alice should t hen const ruct h i = gid (mod N ) for i = 1, . . . , k . It is crucial t hat t he h i are correct ly calculat ed and so Alice must provide a proof t hat t his is t he case. We give such a proof in Figure 2. ∗





P rot ocol Cert ificat ion–2( N

, g1, . . . , gk , h 1, . . . , h k

).

1. Alice chooses random int egers 1 ≤ k 1 , k 2 ≤ ϕ ( N ), const ruct s u i = e+ k 1 hi (mod N ) , v i = g id + k 2 (mod N ) for i = 1, 2, . . . , k , and sends t he element s u i and v i t o t he CA. 2. T he CA sends t o Alice a random bit b ∈ { 0, 1} . 3. If t he bit is zero t hen Alice sends t he two int egers n 1 = ( e + k 1 ) (mod ϕ ( N )) and n n 2 = ( d + k 2 ) (mod ϕ ( N )). T he CA can t hen check whet her u i ≡ g i 1 (mod N ) n 2 and v i ≡ g i (mod N ) for all i = 1, 2, . . . , k . T he CA accept s if all t he checks pass and reject s ot herwise. If t he bit is one t hen Alice sends t he two int egers k 1 and k 2 . T he CA t hen checks whet her u i ≡ g i h ki 1 (mod N ) and v i ≡ h i g ik 2 (mod N ) for i = 1, 2, . . . , k . T he CA accept s if all t he checks pass and reject s ot herwise. F ig. 2 .

Key cert ificat ion prot ocol for

gi , h i

.

T heorem 2. L et ( N , gi , h i ) be as above. For N = p s1 1 p s2 2 defi n e M t o be t he expon en t of t he grou p ZN ( i. e. , M = λ ( N ) ) . A ssu m e t hat t he grou p gen erat ed by t he g i con t ain s Q N ( an d so, in par t icu lar , ( M / 2) | lcm(ord( g 1 ) , . . . , ord( g k )) ) . ∗

T he prot ocol C er t ifi cat ion –2 has t he follow in g proper t ies: g id

(mod N ) w here ed ≡ 1 (mod M / 2) t hen t he C A w ill accept A lice’ s proof. Soundness: I f som e h i ≡ gid (mod N ) or if ed ≡ 1 (mod M / 2) t hen A lice, even com pu t at ion ally u n bou n ded, can n ot con vin ce t he C A t o accept her proof w it h probabilit y bet t er t han 1/ 2. Zero-know ledge: W hen A lice behaves cor rect ly , t he C A gain s n o in for m at ion abou t A lice’ s pr ivat e in pu t apar t from t he validit y of her pro of. C om plet eness: I f h i



RSA-Based Undeniable Signat ures for General Moduli

209

P roof. T he proof of complet eness is immediat e from inspect ion of t he prot ocol.

We focus on t he furt her two propert ies. Soundness: If Alice can respond correct ly t o bot h choices of t he bit b t hen she knows numbers e and d such t hat h i ≡ gid (mod N ) and gi ≡ h ei (mod N ) for all i = 1, 2, . . . , k . T his proves t hat all t he gi and h i are relat ed by t he same numbers. We now show t hat t he prot ocol implies ed ≡ 1 (mod M ). Suppose t hat t here is some odd prime power q a | M such t hat ed ≡ x ≡ 1 (mod q a ). By assumpt ion, (ord (gi )/ qa ) (ord (gi )/ qa ) q a | ord( g i ) for some index i . Let g = g i and h = h i . We have g x ≡ g e d ≡ h e ≡ g (mod N ) which is a cont radict ion. Zero-know ledge: T his is immediat e, a st andard argument showing t hat t ranscript s of t he prot ocol can be simulat ed. ⊓⊔ T he prot ocol must be repeat ed K 1 t imes t o achieve a probability of successful cheat ing t o be 2 K 1 . T he flows of inst ances of t he prot ocol may all be sent in parallel. It would be very useful t o have a more effi cient prot ocol t o prove t he correct ness of t he gi and h i . It seems t o be non-t rivial t o find such a prot ocol. T he st andard met hods used when working in finit e fields Fq do not immediat ely t ranslat e int o secure prot ocols t o solve our problem – t hey are vulnerable t o at t acks of t he type described in Sect ion 3. −



5

U ndeniable R SA Signat ures

As usual wit h RSA it is not possible t o allow any number m ∈ ZN t o be a valid message. Inst ead we need t o use a crypt ographically st rong randomised padding scheme t o provide an int egrity check on messages. We ret urn t o t his issue in Sect ion 7, but for now we simply assume t hat t his has been performed and t hat we want t o provide a signat ure for some element m ∈ ZN . Alice’ s signat ure on m is t he usual RSA signat ure s = m d (mod N ). T here is one t echnicality as t he signat ure confirmat ion prot ocol does not dist inguish between signat ures which diff er by an element of order dividing 2. T his is also t he sit uat ion in [18]. T he problem is easily solved allowing all four values s such t hat s 2 e ≡ m 2 (mod N ) t o be valid signat ures. ∗



5.1

C onfirm at ion of an U ndeniable Signat ure

Let ( m , s ) be an alleged signat ure pair. In Figure 3 we give a prot ocol (in t he honest verifier case) for Alice t o prove t o a verifier Bob t hat t he alleged pair is a genuine one. We assume t hat Alice has sent ( m , s ) and her cert ified public key informat ion t o Bob. T here are two solut ions t o make t he prot ocol robust against dishonest verifiers (i.e. perfect zero-knowledge) and we discuss t hem short ly. T he security of t his prot ocol is discussed in Sect ion 6. T he prot ocol must be repeat ed K 2 / log2 B t imes (t he flows of each inst ance may be execut ed in parallel) t o achieve t he desired probability of 1 − 2 K 2 t hat t he signat ure is valid. −

210

St even D. Galbrait h, Wenbo Mao, and Kennet h G. P at erson

P rot ocol Confirm( N

, g 1 , . . . , g k , h 1 , . . . , h k , m , s ).

1. Bob chooses random int egers r 0 , r 1 , . . . , r k such t hat all 1 < r i < r comput es t he challenge C = s r 0 h r11 · · · h k k (mod N ). 2. Bob sends t o Alice t he challenge C . 3. Alice sends t o Bob t he response R = C e (mod N ). r 4. Bob accept s if R 2 ≡ ( m r 0 g 1r 1 · · · g k k ) 2 (mod N ) and reject s ot herwise. F ig. 3 .

N

. Bob

Undeniable signat ure confirmat ion prot ocol in t he honest verifier case

We now discuss how t o t ransform t his prot ocol int o a perfect zero-knowledge prot ocol (i.e. robust against dishonest verifiers). T he first solut ion uses t he st andard t echnique: Inst ead of sending t he response R , Alice publishes a commit ment t o it , and opens t he commit ment only once Bob has shown t hat t he challenge C is of t he correct form. We emphasise t hat t he zero-knowledge property of t he prot ocol only holds when t he input is a valid message-signat ure pair (ot herwise t he prot ocol gives a message corresponding t o a given signat ure). A signat ure confirmer must be careful t o only execut e t he confirmat ion prot ocol on valid input s (t he denial prot ocol given in t he next sect ion should be used in ot her cases). We not e t hat , for undeniable signat ures, it is usually preferable t o use designat ed verifier proofs in prot ocols such as t he one above. T his can be easily achieved using t he met hods of J akobsson, Sako and Impagliazzo [20]. T here is anot her solut ion which provides security only against forgery of signat ures. Inst ead of sending t he response R , Alice sends t = H ( R 2 (mod N )) where H is some crypt ographically st rong hash funct ion. Bob can t hen check whet her or not t is equal t o H (( m r 0 g1r 1 . . . gkr k ) 2 (mod N )). T his proof met hod does not allow Bob t o use Alice as a signing oracle, which prevent s Bob from being able t o forge signat ures. T he main problem wit h t his met hod is t hat Alice no longer knows which message signat ure pair ( m , s ) she is being request ed t o verify. T his is an at t ack on an undeniable signat ure scheme since one int ended feat ure of t hese schemes is t hat Alice should be aware which of her signat ures are being verified. Nevert heless, in some cont ext s t his proof t echnique might be of use. 5.2

D enial of an U ndeniable Signat ure

Given a pair ( m , s ) which is not a valid signat ure for Alice on t he message m (i.e. s ≡ ξ m d (mod N ) where ord( ξ ) | 2), it is import ant t o provide a prot ocol allowing Alice t o prove t hat t his is t he case. One way t o achieve t his would be t o comput e t he t rue signat ure m d (mod N ) for m , send it t o t he verifier, and t hen prove it s correct ness using t he signat ure confirmat ion prot ocol above. But t his leaves t he user open t o a chosen-message at t ack, since she can be forced t o publish valid signat ures on any message m . Inst ead, we proceed by allowing Alice t o modify t he alleged pair ( m , s ) t o obt ain a random relat ed pair ( m , s ) and t hen perform t he above process. To t he ′



RSA-Based Undeniable Signat ures for General Moduli

211

eye of a seasoned crypt ographer t his st ill looks like a security flaw, but it is wellknown t hat most undeniable signat ure schemes (e.g. [7], [18]) allow exist ent ial forgery using just t he public key. T hese issues are handled using padding schemes on messages (furt her discussion is given in Sect ion 7). Our denial prot ocol runs as follows: Bob (or Alice and Bob running a joint prot ocol) chooses a random int eger 1 < r < N . Bot h part ies can t hen comput e t he relat ed element s m = m r (mod N ) and s = s r (mod N ). Alice publishes her correct signat ure s for t he message m and proves it is correct using t he confirmat ion prot ocol above. T he verifier can t hen det ermine whet her ( s ) 2 ≡ ( s ) 2 (mod N ). T he denial process requires only two more exponent iat ions t han t he confirmat ion prot ocol per part icipant , and t he security is t he same as t hat of t he confirmat ion prot ocol. T his is in cont rast wit h Gennaro, Krawczyk and Rabin [18] where t he denial prot ocol is much less effi cient t han t he confirmat ion prot ocol. T here is no loss of security from performing signat ure denial using our met hods and so t he prot ocol of [18] can be improved by using our approach. We not e t hat Miyazaki [24] also gave an effi cient denial prot ocol for t his applicat ion based on t he denial prot ocol of Chaum and van Antwerpen [7], alt hough t hat prot ocol requires double t he comput at ion of ours. Not e t hat t his denial met hod cannot be used in t he classical case of undeniable signat ures in a finit e field Fq since t he verifier can undo t he t ransformat ion of exponent iat ion by r t o recover a signat ure on a chosen message. We not e t hat J akobsson [21] has given an effi cient denial prot ocol for Chaum’ s undeniable signat ures. It is st raight forward t o adapt J akobsson’ s ideas t o t he case of RSA-based undeniable signat ures, but we obt ain a denial prot ocol which t akes at least twice t he comput at ion t ime as our met hod. ′



′ ′





′ ′



6

Security of t he C onfirm at ion P rot o col

In t his sect ion we discuss t he security of t he confirmat ion and denial prot ocols. A discussion of security against exist ent ial forgery is given in t he next sect ion. T heorem 3. T he con fi r m at ion prot ocol has t he follow in g proper t ies: C om plet eness: I f ( m , s ) has been for m ed cor rect ly t hen B ob w ill accept A lice’ s proof.

Soundness: I f ( m , s ) is n ot valid, t hen A lice, even com pu t at ion ally u n bou n ded, can n ot con vin ce B ob t o accept her proof w it h probabilit y bet t er t han 1/ B . Zero-know ledge: W hen A lice behaves cor rect ly , B ob gain s n o in for m at ion abou t A lice’ s pr ivat e in pu t apar t from t he validit y of her pro of. P roof. T he proof of complet eness is immediat e from inspect ion of t he prot ocol.

We focus on t he furt her two propert ies. Soundness: We assume t hat N = p 1 p 2 has t he property t hat p i ≡ 3 (mod 4) and t hat all odd primes l < B are coprime t o ϕ ( N ). We also assume t hat t he gi generat e Q N . T his is cert ified wit h probability 1 − 2 K 1 by t he key cert ificat ion process. −

212

St even D. Galbrait h, Wenbo Mao, and Kennet h G. P at erson

Let ( m , s ) be an invalid signat ure prepared by a cheat ing Alice. T hen we can writ e s = α ξ m d (mod N ) where ξ 2 ≡ 1 (mod N ) and where α has odd order which is divisible only by powers of primes q where q ≥ B . Let q be such a prime. Since t he gi generat e Q N , t here exist s at least one index I such t hat q | ord( g I ). r Given a challenge C of t he correct form s 0 h r1 1 · · ·h rk k a cheat ing Alice must const ruct a response R which will sat isfy Bob’ s check. We now project all element s int o t he subgroup α of q element s which is generat ed by α (if q  ϕ ( N ) t hen t his is done by raising all element s t o t he power ϕ ( N ) / q ). We cont inue t o use t he same not at ion for t hese element s, but t he reader should be aware t hat t hey now only have order dividing q . Expressing all element s in t erms of powers of α we have m = α l 0 and gi = α l i . It follows t hat  k l i r i d (mod q ) (1) logα ( C ) ≡ r 0 (1 + l 0 d ) + ′





i= 1

where d ≡ 0 (mod q ) and l I ≡ 0 (mod q ) (where I is as above). T he response R (again, only considering t he image in t he subgroup of element s of order q ) must sat isfy  k logα ( R ) ≡ r 0 l 0 + l i r i (mod q ) . i= 1

Since Alice knows d , t he ability t o const ruct t he right response R is t herefore equivalent t o knowledge of r 0 (mod q ). But t his is informat ion-t heoret ically hidden: Given any solut ion ( r 0 , . . . , r k ) t o equat ion (1) and any int eger 0 < x < q , t here is anot her solut ion ( r 0 + x , r 1 , . . . , r I , . . . , r k ) where ′



rI

= ( r I l I d − x (1 + l 0 d )) / ( l I d ) (mod q ) .

Furt hermore, since all values r i may be reduced modulo ϕ ( N ) t he condit ion 1 < r i < N is preserved. Hence, Alice has no bet t er st rat egy t han guessing t he right power of α in her response R . T his argument applies t o all primes q | ord( α ) but since Alice might choose α so t hat it s order is t he first prime power larger t han B we can only conclude t hat Alice’ s cheat ing probability is 1/ B . Zero-K now ledge: We analyse t he prot ocol in t he case where t he commit ment scheme is used. In t his case Alice verifies t he const ruct ion of C before giving Bob any informat ion. St andard t echniques show t hat t he prot ocol can be simulat ed. T here is an int erest ing subt lety here t hough: If Alice’ s responseR is act ually of t he form ξ C d t hen t aking rat ios gives an element ξ of order two, which is not simulat able. So only an “honest ” run of t he prot ocol is simulat able. In ot her words, if Alice at any t ime publishes signat ures which are of t he form ξ m d wit h ξ = 1 t hen she is pot ent ially giving Bob useful informat ion. ⊓⊔

RSA-Based Undeniable Signat ures for General Moduli

7

213

Security against Ex ist ent ial Forgery

We now t urn t o t he problem of whet her an adversary can const ruct a pair ( m , s ) which Alice is unable t o deny. As is well known, wit h st andard RSA [27] it is easy t o forge signat ures: Given ( N , e) one can choose any int eger s ∈ ZN , define m = s e (mod N ), and t hen s is a valid signat ure for t he message m . Similarly, for our syst em it is very easy t o const ruct random pairs ( m , s ) such t hat s ≡ m d (mod N ) using t he pairs gi , h i . Hence resist ance t o forgery must rely heavily on t he padding scheme. Met hods t o form secure RSA encrypt ion/ signat ure schemes are one of t he most import ant and well-known part s of crypt ography. T he precise t echniques used t o achieve t his are not relevant t o t he present paper. We simply assume t hat some padding scheme such as t hat developed by Bellare and Rogaway [1] is used. T he proof of security against exist ent ial forgery given by Gennaro, Krawczyk and Rabin in [18] applies direct ly t o our sit uat ion. T he proof shows t hat an adversary who is able t o forge a signat ure for t he undeniable signat ure scheme can be used t o const ruct an adversary which forges signat ures for t he same RSA modulus and t he same message padding scheme. T he security result applies t o any at t ack model, in part icular, it applies t o an adversary mount ing an adapt ive chosen ciphert ext at t ack (CCA2). T he det ails of t he message padding scheme do not aff ect t he proof. We refer t o [18] for t he det ails of t his, and also a discussion of indist inguishability of signat ures. ∗

8

D iscussion

As wit h t he scheme of Gennaro, Krawczyk and Rabin [18] it is possible t o add ext ra funct ionality such as confirmability and convert ibility. We discuss some of t hese ext ensions in t his sect ion. We also discuss t he effi ciency of t he scheme. 8.1

C onfirm ability

Confirmer signat ures are an ext ension of undeniable signat ures which were int roduced by Chaum [11]. T hese syst ems allow a signer t o delegat e t he t asks of signat ure confirmat ion and denial t o anot her party. T he secret key of Alice includes t he number e which is used for verifying signat ures. Alice may give t his number t o a designat ed confirmer. T his means t hat t he t ask of confirming signat ures can be performed eit her by Alice or by t he confirmer. Assuming t he hardness of t he RSA problem, since t he confirmer only knows e, t hey are unable t o forge Alice’ s signat ure. We not e t hat Alice cannot fool t he confirmer about t he validity of a given signat ure. To t he confirmer, Alice’ s signat ures are st andard RSA signat ures (up t o mult iplicat ion by an element of small order). 8.2

C onvert ibility

More generally, Alice could have a privat e key of t he form ( e, d, c) where edc ≡ 1 (mod ϕ ( N )) In t his case, e could be public, d and c known t o Alice, and c

214

St even D. Galbrait h, Wenbo Mao, and Kennet h G. P at erson

known t o a designat ed convert er. T he verificat ion prot ocol in t his case involves raising t o t he power ec rat her t han e and it is in all ot her respect s ident ical t o t he one in Figure 3. An undeniable signat ure ( m , s ) can t herefore be confirmed by t he convert er or t he signer. Any individual signat ure may be convert ed t o a st andard RSA signat ure by t he t ransformat ion ( m , s ) → ( m , s c (mod N )). T his process may be performed by t he convert er or t he signer. A proof analogous t o t hat in Figure 3 must be used t o show t hat t his has been performed correct ly. Once again, Alice cannot cheat against t he confirmer. Not e t hat Alice may choose several diff erent pairs ( ci , d i ) if she want s t o use several convert ers wit h disjoint jurisdict ion wit h t he same public key ( N , e). Finally, by publishing c, all Alice’ s signat ures become st andard RSA signat ures wit h respect t o t he exponent ec. 8.3

Effi ciency

Here we discuss t he performance of our scheme for general values of B , K 1 and K 2. T he one-off cost s of public key cert ificat ion are dominat ed by two fact ors. T here are loKg 1 3 it erat ions of t he prot ocol of Figure 1, each it erat ion requiring 2 one exponent iat ion by Alice and one by t he CA. As we have discussed, when B becomes large (and t he moduli special), t hese comput at ions become cost ly. T here are also K 1 it erat ions of t he prot ocol of Figure 2, each it erat ion requiring 2k exponent iat ions (where k was defined as a funct ion of K 1 and B earlier) for t he two part icipant s. T hese comput at ions become less cost ly as B increases. T he final public key is 2k + 1 t imes as long as t he modulus N . Each of t he loKg 2 B rounds of t he signat ure confirmat ion prot ocol (in t he zero2 knowledge version) requires k + 2 exponent iat ions for Alice and 2( k + 1) for Bob. As we have discussed above, t he denial prot ocol requires an addit ional pair of exponent iat ions in t ot al. For t he typical choices of K 1 = K 2 = 100 and B = 21 0 , we can t ake k = 11. T hen key cert ificat ion requires a few t housand exponent iat ions. For signat ure confirmat ion (and denial), Bob needs t o do around 240 exponent iat ions and Alice around 10 (disregarding t he cost of calculat ing and checking commit ment s). T his is eminent ly pract ical. When B is small t hen our signat ure confirmat ion is not as effi cient as t he scheme of [18]. On t he ot her hand, t he CA and t he users can agree on how large B should be t aken. Increasing t he size of B reduces t he size of k and improves t he cost of signat ure confirmat ion at t he expense of public key cert ificat ion. For large B , say B ≥ 22 0 , one would use diff erent cert ificat ion t echniques, e.g. t he met hods of [4]. T he ‘ limit ing case’ is t he case of [18], where signat ure confirmat ion is very effi cient and public key cert ificat ion is ext remely ineffi cient . We re-it erat e t hat t he scheme of [18] has improved effi ciency when our signat ure denial prot ocol is used.

RSA-Based Undeniable Signat ures for General Moduli

8.4

215

C om plet ely G eneral M o duli

We assumed t hat N = p 1 p 2 (or, more generally, N = p s1 1 p s2 2 ) where p i ≡ 3 (mod 4). One can const ruct a scheme which does not require any condit ion on p i (mod 4) but t his involves some ext ra t echniques. T he main diffi culty in t his case is t hat we no longer know which power of two divides t he exponent of ZN . First , we assume t hat ϕ ( N ) has at least one prime fact or of suffi cient ly large size. If t his is not t he case t hen t he modulus is easily fact ored using t he Pollard P − 1 met hod. No RSA-based crypt osyst em would be secure wit h such a modulus. T he public key cert ificat ion proceeds as before wit h some choice of B . For complet ely general moduli choose B = 3 (in which case it is not necessary t o execut e t he prot ocol of Figure 1). Let M = 2 lo g 2 ( N ) . A signat ure on a message m is now defined t o be any element of t he set d ∈ ZN : ξ M ≡ 1 (mod N ) } . { ξ m ∗







T he signat ure confirmat ion prot ocol proceeds as in Figure 3 except t he check is t hat M ≡ ( m r 0 g1r 1 · · · gkr k ) M (mod N ) . R T he probability of successful cheat ing by a dishonest signer in one inst ance of t he prot ocol is st ill 1/ B . T he proof of security against forgery of signat ures is a slight modificat ion of t he one given in [18]. 8.5

A not her A pproach

T he t rick used in t he above subsect  ion can be adapt ed t o give a diff erent solut ion t o our original problem. Let M = 2 l < B l lo g l ( N ) . T hen a signat ure on message m could be any element such t hat s e M ≡ m M (mod N ). T he advant age of t his approach is t hat it can be used wit h a complet ely general modulus and no cert ificat ion of t he st ruct ure of t he modulus is required. T here are two disadvant ages of t his approach. First , t he size of t he number M grows very quickly, and so only quit e small values of B may realist ically be used (not more t han B = 21 0 ). Second, t he size of candidat e signat ures could become ext remely large. T his has repercussions when analysing signat ure forgery, since for cert ain ‘ weak’ moduli t he probability of successful forgery might be relat ively large compared t o t he desired security. Nevert heless, we feel it is wort h ment ioning t his ot her approach. ⌊





9

C onclusion

We have present ed an undeniable signat ure scheme for complet ely general RSA moduli. Our work provides a t unable family of schemes described by t he paramet ers B , K 1 and K 2 . T hese det ermine a set of t rade-off s between effi ciency of key cert ificat ion (and generality of moduli) and t he effi ciency of signat ure confirmat ion/ denial. For typical values, B = 21 0 , K 1 = K 2 = 100, our scheme is

216

St even D. Galbrait h, Wenbo Mao, and Kennet h G. P at erson

complet ely pract ical. We also give a nat ural denial prot ocol for t he RSA set t ing which is more effi cient t han t he previous denial prot ocol of [18].

A cknow ledgm ent s T he aut hors would like t o t hank Ivan Damg˚ard, J an Camenisch and Markus J akobsson for helpful comment s. T he first aut hor would like t o t hank Hewlet t Packard Laborat ories Brist ol for support during t he t ime t his research was done.

R eferences 1. Bellare, M. and Rogaway, P. T he exact security of digit al signat ures–How t o sign RSA and Rabin, in U. Maurer (ed.), EUROCRYP T ’ 96, Springer LNCS 1070 (1996) 399–416. 2. Boyar, J ., Chaum, C., Damg˚ard, I. and P edersen, T . Convert ible undeniable signat ures, in A.J . Menezes and S.A. Vanst one (eds.), CRYP T O ’ 90, Springer LNCS 537, Springer (1991) 189–205. 3. Boyd, C. and Foo, E. Off -line fair payment prot ocols using convert ible signat ures, in K. Oht a et al (eds.), ASIACRYP T ’ 98, Springer LNCS 1514 (1998) 271-285. 4. Camenisch J . and Michels, M. P roving in zero-knowledge t hat a number is t he product of two safe primes, in J . St ern (ed.), EUROCRYP T ’ 99,Springer LNCS 1592 (1999) 106–121. 5. Camenisch, J . and Michels, M. Confirmer signat ure schemes secure against adapt ive adversaries, in B. P reneel (ed.), EUROCRYP T 2000, Springer LNCS 1870 (2000) 243-258. 6. Cat alano, D., Gennaro, R. and Halevi, S. Comput ing inverses over a shared secret modulus, in B. P reneel (ed.), EUROCRYP T 2000, Springer LNCS 1807 (2000) 190–206. 7. Chaum, D. and van Antwerpen, H. Undeniable signat ures, in G. Brassard (ed.), CRYP T O ’ 89, Springer LNCS 435 (1990) 212-216. 8. Chaum, D. Zero-knowledge undeniable signat ures, in I.B. Damg˚ard (ed.), CRYP T O ’ 90, Springer LNCS 473 (1991) 458-464. 9. Chaum, D., van Heijst , E., and P fit zmann, B, Crypt ographically st rong undeniable signat ures, uncondit ionally secure for t he signer, in J . Feigenbaum (ed.), CRYP T O ’ 91, Springer LNCS 576, (1992) 470–484. 10. Chaum, D. and P edersen, T . P. Wallet dat abases wit h observers, in E. Brickell (ed.), CRYP T O ’ 92, Springer LNCS 740 (1993) 89–105. 11. Chaum, D. Designat ed confirmer signat ures, in A. de Sant is (ed.), EUROCRYP T ’ 94, Springer LNCS 950 (1995) 86–91. 12. Damg˚ard, I. and P edersen, T . New convert ible undeniable signat ure schemes, in U. Maurer (ed.) EUROCRYP T ’ 96, Springer LNCS 1070 (1996) 372–386. 13. Damg˚ard, I. and Koprowski, M. P ract ical t hreshold RSA signat ures wit hout a t rust ed dealer, in B. P fit zmann (ed.), EUROCRYP T 2001, Springer LNCS 2045 (2001) 152–165. 14. Desmedt , Y., Frankel Y. and Yung, M. Mult i-receiver/ mult i-sender network security: effi cient aut hent icat ed mult icast / feedback, INFOCOM ’ 92 (1992) 2045–2054. 15. Fouque, P.-A., St ern, J . Fully dist ribut ed t hreshold RSA under st andard assumpt ions, in C. Boyd (ed.), ASIACRYP T 2001, Springer (2001).

RSA-Based Undeniable Signat ures for General Moduli

217

16. Gennaro, R., J erecki, S., Krawczyk, H. and Rabin, T . Robust and effi cient sharing of RSA funct ions, in N. Koblit z (ed.), CRYP T O ’ 96, Springer LNCS 1109 (1996) 157–172. 17. Gennaro, R., Miccianicio, D. and Rabin, T . An effi cient non-int eract ive st at ist ical zero-knowledge proof syst em for quasi-safe prime product s, 5t h ACM Conference on Comput er and Communicat ions Security, Oct ober 1998. 18. Gennaro, R., Krawczyk, H. and Rabin, T . RSA-based undeniable signat ures, in W . Fumy (ed.), CRYP T O ’ 97, Springer LNCS 1294 (1997) 132-149. Full version J o u r n a l o f C r y p t o l ogy (2000) 13:397–416. 19. van de Graaf, J . and P eralt a, R. A simple and secure way t o show t hat validity of your public key, in C. P omerance (ed.), CRYP T O ’ 87, SpringerLNCS 293 (1988) 128–134. 20. J akobsson, M., Sako, K. and Impagliazzo, R. Designat ed verifier proofs and t heir applicat ions, in U. Maurer (ed.) EUROCRYP T ’ 96, Springer LNCS 1070 (1996) 143–154. 21. J akobsson, M. Effi cient oblivious proofs of correct exponent iat ion, in B. P reneel (ed.), Communicat ions and mult imedia security, Kluwer (1999) 71–84. 22. Menezes, A.J ., van Oorschot , P.C. and Vanst one, S.A. H a n d boo k o f A p p l i ed C r y p t ogr a p h y , CRC P ress, 1997. 23. Michels, M. and St adler, M. Generic const ruct ions for secure and effi cient confirmer signat ure schemes, in K. Nyberg (ed.) EUROCRYP T ’ 98, Springer LNCS 1403 (1998) 406–421. 24. Miyazaki, T . An improved scheme of t he Gennaro-Krawczyk-Rabin undeniable signat ure syst em based on RSA, in D. Won (ed.), ICISC 2000, Springer LNCS 2015 (2001) 135–149. 25. P oupard, G. and St ern, J . Short proofs of knowledge for fact oring, in P KC 2000, Springer LNCS 1751 (2000) 147–166. 26. Rabin., T . A simplified approach t o t hreshold and proact ive RSA, in H. Krawczyk (ed.), CRYP T O ’ 98, Springer LNCS 1462 (1998) 89–104. 27. Rivest , R.L., Shamir, A. and Adleman, L.M. A met hod for obt aining digit al signat ures and public-key crypt osyst ems, C o m m u n i ca t i o n s o f t h e A C M v.21, n.2, 1978, pages 120–126. 28. Shoup, V. P ract ical t hreshold signat ures, in B. P reneel (ed.), EUROCRYP T 2000, Springer LNCS 1807 (2000) 207–220. 29. Silverman, R. D. Fast generat ion of random, st rong RSA primes, C r y p t o B y t es , 3, No. 1, 1997, pp. 9–13.

C o -o p e ra t iv e ly Fo rm e d G ro u p S ig n a t u re s Greg Mait land and Colin Boyd Informat ion Security Research Cent re Queensland University of Technology Brisbane, Aust ralia { g.maitland,c.boyd} @qut.edu.au

Group signat ures and t heir applicat ions have received considerable at t ent ion in t he lit erat ure in recent t imes. Subst ant ial gains have been made wit h respect t o designing provably secure and effi cient schemes. In pract ice, as wit h all signat ure schemes, deploying group signat ure schemes requires t he group member’s signing keys t o be bot h physically and elect ronically secure from t heft . Smart cards or similar devices are oft en off ered as a solut ion t o t his problem. We consider t he possibility of co-operat ively forming group signat ures so as t o balance t he processing load between a modest ly performed secure device and a much more powerful workst at ion. T he const ruct ions are based on t he observat ion t hat several recent group signat ure schemes have adopt ed a st ruct ure which ut ilises two values in signat ure creat ion - a privat e signing key and a group membership cert ificat e. We describe a co-operat ive group signat ure scheme based on a recent ly proposed scheme as well as a ‘wallet wit h observer’ variant . A b st r a c t .

1

Int ro d u c t io n

Unlike ordinary signat ures, group signat ures allow a group member t o creat e anonymous (and unlinkable) signat ures on behalf of a group. A single public key is required in order t o verify signat ures produced by any group member. Upon verifying a signat ure, t he verifier does not learn t he ident ity of t he group member who creat ed t he signat ure. However, should t he need arise, a group signat ure can be ‘ opened’ by a t rust ed party and t he ident ity of t he member who creat ed t he signat ure will be revealed. Specialized applicat ions, such as vot ing and auct ions, have been suggest ed as areas of applicat ion for group signat ures [16]. Group signat ures have also been int egrat ed int o elect ronic cash syst ems [14,19,17]. T he anonymity and unlinkability aff orded by group signat ures suggest t hat t hey may have a role t o play in t hese more specialized applicat ions. T he pract ical deployment of group signat ures schemes, like ot her signat ure schemes, must consider measures which secure a user’ s secret s from t heft . T he crypt ographic security of a scheme is rendered irrelevant if a user’ s secret s are not bot h physically and elect ronically secure. Since workst at ions do not represent secure environment s, it is necessary t o consider t he ut ilisat ion of some form of secure device in which a user’ s secret s can be st ored and processed. Because of B . P r e n e e l ( E d . ) : C T -R S A 2 0 0 2 , L N C S 2 2 7 1 , p p . 2 1 8 – 2 3 5 , 2 0 0 2 .  c S p r in g e r -V e r la g B e r lin H e id e lb e r g 2 0 0 2

Co-operat ively Formed Group Signat ures

219

t heir cost and port ability, smart cards are typically considered suit able for t his t ask. While smart cards are cost eff ect ive, readily available and relat ively t amperresist ant , t hey are const rained in t erms of processing power and memory. In t he fut ure, t he gulf between smart cards and workst at ions wit h respect t o relat ive performance and st orage capacity will increase, not decrease. It is t herefore necessary t o consider carefully t he processing and st orage demands t hat a signat ure scheme may make upon it s host device. Smart cards may also be used as act ive agent s which are capable of enforcing various rules and regulat ions. Various elect ronic cash schemes [10,13,5] have suggest ed a ‘ wallet wit h observer’ model where t he smart card observer act ively prevent s double-spending of coins. T his is achieved by split t ing t he user’ s effect ive privat e key between t he observer and a user-supplied comput ing device. T he user can only produce valid signat ure wit h t he co-operat ion of t he t amperresist ant observer. M a in C o n t rib u t io n : We consider ways of co-operat ively forming group sig-

nat ures wit h a view t o balancing t he processing and st orage demands between workst at ion and smart card. We off er some general observat ions about t he st ruct ure of recent group signat ure schemes and t heir suit ability for t he t ask at hand. In part icular, we seek t o exploit t he nat ural occurrence of two secret values (privat e key and membership cert ificat e) in t hese schemes. An example of co-operat ive group signat ure generat ion is provided using a group signat ure scheme by At eniese et al. [2]. A furt her variat ion using t he ‘ wallet wit h observer’ paradigm is given which illust rat es t he flexibility of t his approach. O rg a n is a t io n o f t h e P a p e r: In t he next sect ion we provide background infor-

mat ion on group signat ures schemes, specifically t hose t arget ed at ‘ large’ groups. In sect ion 3, we discuss t he exist ing ways in which signat ures are co-operat ively formed and point out t he possibility of co-operat ive signat ure format ion wit h respect t o a class of group signat ure schemes. Sect ion 4 present s an example of such a scheme based around a recent ly proposed group signat ure scheme. A ‘ wallet wit h observer’ variat ion of t his same scheme is described in sect ion 5.

2

G ro u p S ig n a t u re B a ck g ro u n d

In t his sect ion we present t he concept s relevant t o group signat ure schemes and explain t he basic idea of Camenisch and St adler [6] which underpins several recent group signat ure schemes [2,4,19,8]. Group signat ure schemes were first int roduced by Chaum and van Heyst [9] in 1991. Unlike ordinary signat ures, group signat ures provide anonymity (and unlinkability) t o t he signer, i.e., a verifier can only t ell t hat a member of a group signed. However, in except ional cases, such as a legal disput e, any group signat ure can be ‘ opened’ by a designat ed revocat ion manager t o reveal unambiguously t he

220

Greg Mait land and Colin Boyd

ident ity of t he signat ure’ s originat or. At t he same t ime, no coalit ion of ent it ies (including t he group manager) can creat e a group signat ure which a verifier will accept as valid but cannot be opened. T he following definit ions are borrowed from At eniese et al. [1]. A group signat ure scheme is a digit al signat ure scheme comprised of t he following procedures: – SE T U P : an algorit hm for generat ing t he init ial group public key – – – –

Y and a group privat e key S . J O IN : a prot ocol between t he group manager ( G M ) and a user t hat result s in t he user becoming a new group member. SIGN : a prot ocol between a group member and a user whereby a group signat ure on a user-supplied message is comput ed by t he group member. V E R IF Y : an algorit hm for est ablishing t he validity of a group signat ure given a group public key and a signed message. O P E N : an algorit hm t hat , given a signed message and a group privat e key, allows t he revocat ion manager ( R M ) t o det ermine t he ident ity of t he signer.

A group signat ure scheme must sat isfy t he following security propert ies: – C orrectn ess: Signat ures formed by a group member using SIGN must be

accept ed by VERIFY. – Un forgeability: Only group members are able t o sign messages on behalf of

t he group. – A n on ym ity: Given a valid signat ure of some message, ident ifying t he act ual

signer is comput at ionally hard for everyone but t he revocat ion manager. – Un lin kability: Deciding whet her two diff erent valid signat ures were comput ed

by t he same group member is comput at ionally hard (except for

R M

).

– E xculpability: Neit her a group member nor t he group manager can sign on

behalf of ot her group members. A closely relat ed property is t hat of nonframing [12]. It capt ures t he not ion of a group member not being made responsible for a signat ure t hat t he group member did not produce. – T raceability: T he group manager is always able t o open a valid signat ure and ident ify t he signer. – C oalition -resistan ce: A colluding subset of group members (even if comprised of t he ent ire group) cannot generat e a valid signat ure t hat t he group manager cannot link t o one of t he colluding group members. T he effi ciency of a group signat ure scheme is typically based on t he following paramet ers: – – – –

T he T he T he T he

size of t he group public key Y . size of a group signat ure. effi ciency of SIGN and VERIFY. effi ciency of SET UP, OP EN and J OIN.

Wit h early group signat ure schemes, t he lengt h of t he public key was proport ional t o t he size of t he group and t herefore t he running t ime of t he verificat ion algorit hm depends on t he number of group members. T he scheme proposed by Camenisch and St adler [6] was t he first t o off er:

Co-operat ively Formed Group Signat ures

221

– a fixed sized group public key and a group signat ure independent of t he size

of t he group. – t he addit ion of new members at any t ime wit hout requiring changes t o t he

group public key. – t he comput at ional complexity of SIGN and V E R IF Y is also independent of

group size. Camenisch and St adler [6] proposed a general framework for const ruct ing group signat ure schemes suit able for large groups and t his approach has been followed by various recent ly proposed schemes [2,4,19,8]. An out line of t his framework is as follows: – SE T U P : A group’ s public key consist s of:

t he public key of an ordinary digit al signat ure scheme used by t he group manager ( G M ) t o sign membership cert ificat es. Let S i gG M ( m ) denot e t he signat ure of t his scheme on a message m . • t he public key of a probabilist ic encrypt ion scheme used by t he revocat ion manager ( R M ). Let E n cr R M ( r , m ) denot e t he probabilist ic encrypt ion of a message m using a randomizer r and let D ecr R M ( c) denot e t he decrypt ion of ciphert ext c. J O IN : A new group member M chooses a random privat e key x M and comput es a membership key z ← f ( x M ), where f is a suit able one-way funct ion. T he new member commit s t o z (for inst ance by signing it ) and sends z and t he commit ment t o t he group manager G M who ret urns a membership cert ificat e V ← S i gG M ( z ). T he group manager st ores t he associat ion between t he new member’ s ident ity and t he new alias (t he public keyz ) in t he membership t able. SIGN : To sign a message m on behalf of t he group, a member probabilist ically encrypt s z using t he public key of t he revocat ion manager (let c = E n cr R M ( r , z ) denot e t his ciphert ext for some randomiser r ) and issues a signat ure of knowledge proving knowledge of values x˜ and V˜ such t hat V˜ = S i gG M ( f ( x ˜ )) holds and t hat f ( x˜ ) is encrypt ed in c. V E R IF Y : T he verificat ion of such a group-signat ure is done by checking t he signat ure of knowledge. O P E N : T he revocat ion manager can easily revoke t he anonymity of a group signat ure by decrypt ing c t o recover z and forwarding t his value t o t he group manager. T he group manager can find t he member’ s real ident ity from t he st ored values in t he membership t able. •





– –

T he challenge is t o make suit able choices for t he primit ives used in t his framework. In part icular, one seeks t o find suit able choices for t he one-way funct ion, t he signat ure scheme and probabilist ic encrypt ion scheme t hat yield an effi cient signat ure of knowledge for t he values x˜ and V˜ . Recent ly, part icular at t ent ion has been paid t o t he t ask of designing membership cert ificat es which are coalit ion resist ant [1,3].

222

3

Greg Mait land and Colin Boyd

C o -o p e ra t iv e S ig n a t u re G e n e ra t io n

Ordinary signat ure schemes focus on t he roles of two principle part ies – t he signer and t he verifier. T he signer creat es a signat ure on a given message and t he verifier det ermines if t he signat ure is valid or not . P rior t o signing, t he signer chooses a privat e key and public key pair and t he verifier is supplied wit h t he public key for t he purposes of signat ure verificat ion. Because a signat ure is usually used as proof t hat t he signer commit s t o t he cont ent s of t he signed message, t he verifier is int erest ed in more t han t he fact t hat t he signat ure is correct ly const ruct ed wit h respect t o a given public key. T he verifier is also int erest ed in t he associat ion between t he public key and t he owner’ s ident ity. To t his end, public key infrast ruct ure (P KI) exist s for t he purpose of cert ifying t he ownership of public keys. T herefore, in pract ice, a signat ure must be accompanied eit her explicit ly or implicit ly by a cert ified public key. While two party signat ure schemes are common, examples of t hree party schemes also exist . Blind signat ure schemes [11] involve a signer and a recipient engaging in an int eract ive prot ocol so t hat t he recipient may gain a signat ure on a message of choice and t hat t his signat ure remains unknown t o t he signer. While t he recipient may verify t he result ing signat ure t o ensure t hat t he signer has act ed honest ly, t he recipient of t he blind signat ure is not t he int ended final dest inat ion for t he signat ure. T he recipient subsequent ly shows t he blinded signat ure t o a verifier for t he purpose of proving t o t he verifier t hat t hey possess a signat ure formed by t he signer. T he exact meaning of t his act depends on t he applicat ion and is not of direct int erest . Anot her t hree party example can be found in some elect ronic cash schemes [10,13,5]. T he ‘ wallet wit h observer’ paradigm ut ilises a combinat ion of a usersupplied comput ing device and an observer device charged wit h prot ect ing t he bank’ s int erest s. T he cust omer’ s eff ect ive privat e key is split int o two part s.T he cust omer’ s comput ing device st ores one part and t he observer t he ot her. Bot h devices must co-operat e in order t o form a valid cust omer signat ure. T he model for group signat ures int roduced by Camenisch and St adler [6] is quit e similar t o t he funct ional operat ion of ordinary signat ure schemes. T he user generat es a key pair, ( x M , z ), and acquires a cert ificat e, V , on t he public key of t he pair from a t rust ed party (in t his case t he group manager). T he diff erence is t hat t he subsequent use of t he key pair and cert ificat e must be carried out in such a way so as not t o reveal t he ident ity of t he signer (anonymity) or link t oget her signat ures creat ed by t he same user (unlinkability). Showing t he public key or t he cert ificat e wit h each signat ure would compromise t he anonymity and unlinkability required by t he group signat ure scheme. T he use of proofs of knowledge provides t he means by which t he public key and t he cert ificat e can be used in signat ure creat ion wit hout being disclosed. T his leads t o t he observat ion t hat t here are eff ect ively two secret values, x M and V , inherent ly present in t his model. As not ed in sect ion 2, t he user must form a signat ure of knowledge of values x M and V such t hat V = S i gG M ( f ( x M )) holds and t hat f ( x M ) has been encrypt ed under t he revocat ion manager’ s public key. T he not at ion suggest s t hat

Co-operat ively Formed Group Signat ures

223

t he proof will be provided in some at omic and indivisible fashion. In fact , t he two proposals in [6,7] demonst rat e such a proof by providing two proofs of knowledge – one proof of knowledge of x M such t hat z = f ( x M ) and anot her proof of knowledge of V such t hat V = S i gG M ( z ). T he two proofs are not independent of one anot her. Values used in t he const ruct ion of t he two proofs are shared which links t he two proofs t oget her and allows t he assert ion of knowledge of bot h x M and V . When t he group signat ure scheme allows for t he separat ion of t he roles of x M and V in forming t he proof of knowledge, it is possible for two co-operat ing ent it ies (one knowing x M and t he ot her knowing V ) t o form a group signat ure if t hey share t he required values during t he signing process. In t his sit uat ion, neit her of t he ent it ies can independent ly creat e a group signat ure and each needs t he co-operat ion of t he ot her ent ity. T he above observat ion leads t o an invest igat ion of t he usefulness of such co-operat ively formed group signat ures.

4

A C o -o p e ra t iv e G ro u p S ig n a t u re S ch e m e

T his sect ion describes a co-operat ive group signat ure scheme based on a group signat ure scheme proposed by At eniese, Camensich, J oye and T sudik [2]. In order t hat a group member M i creat e a signat ure on a message m of t he type described by At eniese et al. [2], knowledge of two undisclosed values is required – t he group member’ s secret keyx i and t he group membership cert ificat e V i . It is possible for a group member M i and a recipient R t o creat e a group signat ure co-operat ively if M i knows only t he group member’ s secret keyx i and R knows only t he group membership cert ificat e V i . Bot h part ies engage in an int eract ive variat ion of t he st eps described by At eniese et al. [2]. T he int eract ion is based on a proof of knowledge of discret e logs in a group of unknown order. Alt hough R knows t he group membership cert ificat e V i and can easily calculat e t he group member’ s public key, R cannot learn t he group member’ s secret key x i . If t his were possible, t he group manager who issues V i could also learn x i and t herefore sign on behalf of a group member. T his would cont radict t he security propert ies already claimed for t he original scheme. 4 .1

T h e G ro u p S ig n a t u re P ro c e d u re s

T he SE T U P , J O IN , V E R IF Y and O P E N procedures are as per t he original scheme [2] where a more det ailed discussion of t hese procedures can be found. For simplicity, we assume t hat t he group manager is also t he revocat ion manager. SE T U P :

public

Y

T he init ial phase involves t he group manager ( G M ) set t ing t he group and his secret key S .

p be security paramet ers where t he paramet er ℓ p set s t he size of t he modulus t o use and t he paramet er ǫ cont rols t he t ight ness of t he st at ist ical zero-knowledgeness.

– Let ǫ > 1, k , and ℓ

224

Greg Mait land and Colin Boyd

– Let λ

1,

λ

1

2,

λ

γ

> ǫ (λ

1,

2

and γ

2

+ k ) + 2, λ

T he int egral ranges Λ Λ

= [2λ

– Select

1





denot e lengt hs sat isfying

2

+ 1, 2λ

2

> 4ℓ

and Γ 1

p,

γ

> ǫ (γ

1

2

+ k ) + 2 and γ

2

> λ

1

+ 2.

are defined as

+ 2λ

2



= [2γ

1] and Γ

1





2

+ 1, 2γ

1

+ 2γ

2



1].

t o be a collision-resist ant hash funct ion such t hat

H

H

: { 0, 1} ∗ →

{

0, 1} k .

– Select random secret ℓ p -bit primes p ′ , q′ such t hat p = 2p ′ + 1 and q = 2q′ + 1





are prime. Set t he RSA modulus used t o sign group membership cert ificat es t o n = pq. Choose random generat ors a , a 0 , g , h for t he set of quadrat ic residues Q n . Not e t hat , by const ruct ion, t he order of Z∗n is ϕ ( n ) = 4p ′ q′ and t herefore t he order of Q n is p ′ q′ . Revealing t he order of Q n reveals ϕ ( n ) and so compromises t he security of RSA signat ures formed using modulus n . Hence, t he order of Q n must remain unknown t o all but t he group manager. Choose a random element x R ∈ R Z∗p q as t he revocat ion privat e key and set mod n as t he revocat ion public key. y R = gx T he group public key is: Y = ( n , a, a 0 , y , g, h , ǫ , k , ℓ p , λ 1 , λ 2 , γ 1 , γ 2 , H ). T he corresponding secret key (known only t o G M ) is: S = ( p ′ , q′ , x R ). ′



R

– –

JO I N : Each group member M i joins t he group by int eract ing wit h t he group manager G M in order t o acquire:

– A privat e key x i known only t o t he group member

M i such t hat x i ∈ Λ . T he associat ed public key is C 2 = a x mod n wit h C 2 ∈ Q n . – A membership cert ificat e [A i , ei ] where ei is a random prime chosen by G M such t hat ei ∈ R Γ and A i has been comput ed by t he G M as A i := ( C 2 a 0 ) 1 / e mod n . i

i

As part of J OIN, G M creat es a new ent ry in t he membership t able and st ores t he new member’ s real ident ity along wit h A [ i , ei ] in t he new ent ry. SI G N : A group member M i ( c, s 1 , s 2 , s 3 , s 4 , T 1 , T 2 , T 3 ) on

can co-operat ively creat e a group signat ure t uple a message m ∈ { 0, 1} ∗ by using knowledge of x i and int eract ing wit h a recipient R who knows [A i , ei ] as shown in fig.1. V ERIFY : sage m as

A verifier can verify a signat ure ( c, s 1 , s 2 , s 3 , s 4 , T 1 , T 2 , T 3 ) of t he mesfollows:

Co-operat ively Formed Group Signat ures Member M i (knows x i s.t . C 2 =

a

x i

)

(knows Select w ∈

Recipient R 1/ i = (C 2 a 0 ) 2ℓ R { 0, 1}

ei

A

,

ei

225

)

p

Comput e: w T 1 = A i y R mod n w T2 = g mod n e w T3 = g h mod n i

Choose: r2 ∈ W

(λ 2+ ± { 0, 1} ǫ

R

=

a

r

k

r1 ∈

± {

0, 1}

ǫ

(γ 2+

k

R

)

r3 ∈

± {

0, 1} 0, 1}

ǫ

(γ 1+

ℓ p

R

ǫ

( 2ℓ

)

r4 ∈

2

± {

R

p

+

k

+

k

+ 1)

)

W −− − − − − − − − −→

Comput e: r r d 1 = T 1 1 / ( W y R 3 ) mod r 1 r 3 d2 = T2 / g mod n r d 3 = g 4 mod n r r d 4 = g 1 h 4 mod n

n

T 1, T 2, T 3, d 1, d 2, d 3, d 4, m ← − − − − − − − − −−

Comput e: c = H (g 

s2

=

h 

yR 

a0 

T1 

T2 

T3 

d1 

d2 

d3 

r 2 − c(x i −

λ

Comput e: c = H (g 

a 

d4 

m

) s1

1

2 ) (in Z)

s2 −− − − − − − − − −→

=

h 

a0 

yR 

T1 

T2 

T3 

d1 

d2 

d3 

r 1 − c(ei −

Check

s2 ∈

± {

d4 

a  m

)

2γ 1 ) ,

0, 1}

Check a s 2 ( C 2 / a 2 s 3 = r 3 − cei w , s 4 = r 4 − cw (all in Z)

λ

1

(λ 2+ ǫ

c

?

) =

k

)+ 1

W

Out put ( c , s 1 , s 2 , s 3 , s 4 , T 1 , T 2 , T 3 ). F ig. 1 .

Co-operat ive Group Signat ure

S IG N

1. Comput e: c′ = H ( g  h  y R  a 0  a  T 1  T 2  T 3  γ s − c2 1

a0 c T1 1

γ

s1 − c2 1

T2

/g

s3

c

s4

c

γ s1 − c2 1

T2 g T3 g

/ (as 2 −

mod n

mod n h

λ c2 1

s4

p

mod n





mod n

2. Accept t he signat ure if and only if c = c′ and – s 1 ∈ ± { 0, 1} ǫ ( γ 2 + k ) + 1 – s 2 ∈ ± { 0, 1} ǫ ( λ 2 + k ) + 1 – s 3 ∈ ± { 0, 1} ǫ ( γ 1 + 2 ℓ + k + 1 ) + 1 – s 4 ∈ ± { 0, 1} ǫ ( 2 ℓ + k ) + 1 p

s

y R3 )



m)



226

Greg Mait land and Colin Boyd

In t he event t hat t he act ual signer must be subsequent ly ident ified (e.g., in case of a disput e) G M execut es t he following procedure:

O P EN :

1. Check t he signat ure’ s validity via t he VERIFY procedure. 2. Recover A i (and t hus t he ident ity of P i ) as A i = T 1 / T 2 x mod n . 3. P rove t hat l ogg y R = l ogT 2 ( T 1 / A i mod n ) R

4 .2

S e c u rit y

As t he int eract ive prot ocol derived from t he original group signat ure scheme is an honest -verifier zero-knowledge proof of knowledge [2], a verifier cannot learn any useful informat ion from t he co-operat ively formed signat ures produced by our scheme if t he hash funct ion H act s as a random oracle. T he ma jor concern is whet her or not t he recipient can learn informat ion about t he group member’ s privat e key by part icipat ing in t he int eract ive co-operat ive group signat ure prot ocol. D e fi n it io n 1 ( S t ro n g -R S A P ro b le m ) . Let n = pq be an R S A -like m odulus an d let G be a cyclic subgroup of Z∗n of order | G | . Let ⌈ log2 | G | ⌉ = ℓ G . G iven n an d z ∈ G , the S tron g-R S A P roblem con sists of fi n din g u ∈ G an d e ∈ Z>  satisfyin g z ≡ u e mod n . A s s u m p t io n 1 ( S t ro n g -R S A A s s u m p t io n ) . A probabilistic polyn om ial-tim e algorithm K exists which on in put of a security param eter ℓ G outputs a pair ( n , z ) such that, for all probabilistic polyn om ial-tim e algorithm s P , the probability that P can solve the S tron g-R S A P roblem is n egligible. T h e o re m 1 . Un der the S tron g-R S A assum ption , the in teractive protocol between the group m em ber an d the recipien t is an hon est-verifi er statistical zerokn ow ledge proof of kn ow ledge of the m em ber’ s private key for an y ǫ > 1.

If t he recipient is allowed t o choose t he challenge c, we cannot make a definit ive st at ement about t he security of t he scheme as t he recipient may not act honest ly. If we assume t hat t he hash funct ion H act s as a random oracle, t hen, by requiring t hat t he member M i calculat es t he challenge as t he out put from t he hash funct ion H , we force t he challenge t o be randomly chosen and hence we can claim t hat t he int eract ive prot ocol is a st at ist ical zero-knowledge proof of knowledge. T he proof is out lined in appendix A. 4 .3

P ra c t ic a l D e p lo y m e n t

T here is a real risk t hat a group member’ s signing secret s could be st olen by an at t acker if t hey were st ored on an insecure deskt op workst at ion. T he signing secret s need t o be st ored in a secure port able device such as a smart card. While t he group signat ure scheme of At eniese et al. [2] is significant ly more effi cient t han previous proposals, implement ing t he ent ire scheme wit hin current ly available

Co-operat ively Formed Group Signat ures

227

smart cards is likely t o result in performance which is unaccept able t o t hose well used t o t he high performance of current deskt op workst at ions. In part icular, t he smart card environment suff ers from t he inability t o perform pre-comput at ions when not in cont act wit h a reader. T he co-operat ive scheme described above is well suit ed t o t he scenario of a high performance workst at ion wit h at t ached smart card reader. T he group member’ s privat e key can be st ored securely on a smart card and t he corresponding membership cert ificat e can be st ored on t he workst at ion. T he two devices can cooperat ively form group signat ures. T heft of t he membership cert ificat e provides no more informat ion about t he member’ s privat e key t han was already available t o t he group manager. Since t he group manager cannot forge a group member’ s signat ure, t heft of t he membership cert ificat e alone does not compromise security. T he division of labour is part icularly well suit ed t o an implement at ion of t he group member’ s role by a modest ly performed smart card. Only one exponent iat ion is required by t he smart card compared t o around 10 exponent iat ions if t he original group signat ure scheme were implement ed ent irely by t he smart card.

5

A ‘ W a lle t w it h O b s e rv e r’ S ch e m e

T he ‘ wallet wit h observer’ model was first proposed by Chaum and Pedersen [10] and has been used by various elect ronic cash schemes [13,5] in order t o proact ively prot ect t he bank’ s int erest s. In t his model, t he bank-issued smartcard observer act ively prevent s t he double-spending of coins. Mait land and Boyd [15] have proposed a fair cash scheme based on t he group signat ure described by At eniese et al [2]. A nat ural ext ension of t his fair cash scheme would be t he int roduct ion of prior rest raint of double-spending. Since a new member int eract s wit h t he group manager t o obt ain a group membership cert ificat e, it is nat ural for t he group manager t o consider issuing a t amperresist ant observer which cont ains t his membership cert ificat e. In t his scenario, t he group member could only produce a valid signat ure wit h t he co-operat ion of t he t amper-resist ant observer. T he scheme described in sect ion 4 can be rearranged int o t he ‘ wallet wit h observer’ model t hrough a minor adjust ment t o t he J O IN procedure and a rest ruct uring of t he SIGN procedure. 5 .1

T h e R e s t ru c t u re d P ro c e d u re s

Except for Sect . 4.1.

J O IN

and

SIGN ,

t he ot her procedures are as per t hose described in

JO I N : T he J O IN procedure follows t he st eps used by t he J O IN present ed in Sect . 4.1. At t he conclusion of t he J O IN procedure, t he group manager G M issues t he new group member M i wit h a t amper-resist ant observer O i in which t he group manager has embedded t he new group member’ s cert ificat e A [ i , ei ].

228

Greg Mait land and Colin Boyd

SI G N : A group member M i can co-operat ively sages m ∈ { 0, 1} ∗ by using knowledge of x i and who knows [A i , ei ] as follows:

1.

O

i

creat e group signat ures on mesint eract ing wit h an observer O i

:

– Generat e a random value w T 1 = A i y Rw



R

{

0, 1} 2 ℓ

mod n ; T 2 = g w

p

and comput e:

mod n ; T 3 = g e h w i

mod n .

where t he pair ( T 1 , T 2 ) represent an ElGamal encrypt ion of A i using t he revocat ion manager’ s public keyy R . – Randomly choose: r 1 ∈ R ± { 0, 1} ǫ ( γ 2 + k ) , r 3 ∈ R ± { 0, 1} ǫ ( γ 1 + ℓ + k + 1 ) , r 4 ∈ R ± { 0, 1} ǫ ( 2 ℓ + k ) r1 ¯ – Comput e: d 1 = T 1 / y Rr 3 mod n ; d 2 = T 2r 1 / g r 3 mod n ; d3 = gr 4 mod n ; d 4 = g r 1 h r 4 mod n . ¯ – Send ( T 1 , T 2 , T 3 , d 1 , d 2 , d 3 , d 4 , ) t o M i . 2. M i : – Randomly choose r 2 ∈ R ± { 0, 1} ǫ ( λ 2 + k ) and – Comput e d 1 = d¯1 / a r 2 mod n and – c = H ( g  h  y R  a 0  a  T 1  T 2  T 3  d 1  d 2  d 3  d 4  m ). – Send d 1 t o O i . 3. O i : Comput e – c = H ( g  h  y R  a 0  a  T 1  T 2  T 3  d 1  d 2  d 3  d 4  m ). – s 1 = r 1 − c( ei − 2γ 1 ), s 3 = r 3 − cei w , s 4 = r 4 − cw (all in Z) – Send ( s 1 , s 3 , s 4 ) t o M i . 4. M i : Comput e – s 2 = r 2 − c( x i − 2λ 1 ), (in Z) – Use V E R IF Y t o confirm t hat ( c, s 1 , s 2 , s 3 , s 4 , T 1 , T 2 , T 3 ) is a valid signat ure on m . – Out put ( c, s 1 , s 2 , s 3 , s 4 , T 1 , T 2 , T 3 ). p

p

5 .2

S e c u rit y

We are int erest ed in whet her t he group member M t he membership cert ificat e st ored in t he observer t ions wit h t he observer.

i

O

can learn informat ion about i from t he prot ocol int erac-

T h e o re m 2 . Un der the S tron g-R S A assum ption , the in teractive protocol between the observer an d the group m em ber is an hon est-verifi er statistical zerokn ow ledge proof of kn ow ledge of a m em bership certifi cate correspon din g to the m em bership secret key.

If we assume t hat t he hash funct ion H act s as a random oracle, t hen, by requiring t he observer O i t o calculat e t he challenge as t he out put from t he hash funct ion H , we force t he challenge t o be randomly chosen and hence we can claim t hat t he int eract ive prot ocol is a st at ist ical zero-knowledge proof of knowledge. A proof of t heorem 2 is given in appendix A.

Co-operat ively Formed Group Signat ures 5 .3

229

P ra c t ic a l D e p lo y m e n t

T he use of an observer cont aining t he member’ s cert ificat e fit s in well wit h t he nat ural flow of t he J O IN procedure. T he last st ep in a successful J O IN procedure sees t he group manager providing t he new group member wit h t he membership cert ificat e necessary t o form group signat ures. As has already been raised, t here is a real risk t hat a group member’ s signing secret s could be st olen by an at t acker when st ored on an insecure workst at ion. If a secure comput ing device capable of accept ing a smart card (e.g. palmt op or mobile phone) is available, t he smart card observer can be placed in t his device and maint ained in an act ive st at e. In t his sit uat ion, t he pre-comput at ion of values is possible and t he division of labour aff orded by t he above scheme becomes viable. T he original work on ‘ wallet s wit h observers’ [10] raised t he possibility of an inflow/ out flow of informat ion between t he observer and it s issuer t hrough t he use of subliminal channels. T he prot ocol, as present ed, needs t o be prot ect ed against such informat ion leakage; ot herwise, t he anonymity of t he group member may be compromised. To t his end, t he observer’ s choice of random values used t o generat e t he commit ment s needs t o be salt ed by t he group member.

6

C o n c lu s io n s a n d Fu rt h e r W o rk

We have present ed a met hod for co-operat ively forming group signat ures t hat applies t o a number of t he recent ly proposed schemes. We have demonst rat ed t hat t he met hods have pract ical applicat ion in t he real deployment of group signat ure schemes. It is int ended t o invest igat e t he pract ical deployment of t hese met hods in t he cont ext of an elect ronic cash scheme. T he ’ wallet wit h observer’ model is suscept ible t o informat ion out flow t hrough a subliminal channel and will be t he sub ject of furt her work in order t o prot ect against t his possibility. T he not ions int roduced in t his paper can also be applied t o group blind signat ures. T he scheme proposed by Ramzan and Lysyanskaya [14] is based on t he group signat ure scheme of Camenisch and St adler [6] and uses two connect ed proofs of knowledge. It t herefore lends it self t o our const ruct ion. If t he blind signat ure recipient is provided wit h t he group member’ s cert ificat e, t he proof of knowledge of t he cert ificat e can be formed more effi cient ly by t he recipient . Only t he proof of knowledge of t he privat e key need be blinded. In t his way, t he recipient can be assured t hat t he group signat ure was formed by t he member concerned and not divert ed t o anot her member. T he group blind signat ures proposed by Ramzan and Lysyanskaya [14,18] are t he only ones published in t he lit erat ure. A group blind signat ure scheme wit h provable security and more effi cient const ruct ion is desirable. T he not ions present ed in t his paper are wort hy of furt her invest igat ion wit h a view t o designing an alt ernat ive group blind signat ure scheme.

230

Greg Mait land and Colin Boyd

A ck n ow le d g m e nt s We would like t o t hank t he anonymous referees for t heir insight ful observat ions and suggest ions. T his research is part of an ARC SP IRT project undert aken joint ly by Queensland University of Technology and Telst ra (Aust ralia).

R e fe re n c e s 1. G. At eniese and G. T sudik. Some open issues and new direct ions in group signat ures. In Mat t hew Franklin, edit or, Fi nanci al cr yptography: T hi rd I nter nati onal Conference, FC ’ 99, A ngui l la, Br i ti sh W est I ndi es, Febr uary 22–25, 1999: proceedi ngs, volume 1648 of Lecture Notes i n Computer Sci ence, pages 196–211, Berlin, Germany / Heidelberg, Germany / London, UK / et c., 1999. Springer-Verlag. 2. Giuseppe At eniese, J an Camenisch, Marc J oye, and Gene T sudik. A pract ical and provably secure coalit ion-resist ant group signat ure scheme. In Mihir Bellare, edit or, Advances i n Cr yptology— CRY PT O 2000, volume 1880 of Lecture Notes i n Computer Sci ence, pages 255–270. Springer-Verlag, 20–24 August 2000. 3. Giuseppe At eniese, Marc J oye, and Gene T sudik. On t he diffi culty of coalit ionresist ance in group signat ure schemes. In Second Conference Secur i ty i n Communi cati on Networ ks ( SCN ’ 99), 16–17 Sept ember 1999. 4. Giuseppe At eniese and Gene T sudik. Group signat ures ´a la cart e. In Proceedi ngs of the Tenth A nnual A CM -SI A M Symposi um on Di screte A lgor i thms ( SODA ) , pages 848–849, N.Y., J anuary 17–19 1999. ACM-SIAM. 5. St efan Brands. Unt raceable off -line cash in wallet s wit h observers. In Douglas R. St inson, edit or, Advances i n Cr yptology— CRY PT O ’ 93, volume 773 of Lecture Notes i n Computer Sci ence, pages 302–318. Springer-Verlag, 22–26 August 1993. 6. J . L. Camenisch and M. A. St adler. Effi cient group signat ure schemes for large groups. In J r. Burt on S. Kaliski, edit or, Advances i n Cr yptology— CRY PT O ’ 97, volume 1294 of Lecture Notes i n Computer Sci ence, pages 410–424. SpringerVerlag, 17–21 August 1997. 7. J an Camenisch. Group Si gnature Schemes and Payment Systems Based on the Di screte Logar i thm Problem . P hD t hesis, ET H, 1998. Reprint ed as Vol. 2 of ET HSeries in Informat ion Security an Crypt ography, edit ied by Ueli Maurer, Hart ungGorre Verlag, Konst anz, ISBN 3-89649-286-1. 8. J an Camenisch and Markus Michels. A group signat ure scheme based on an RSAvariant . BRICS Report Series RS-98-27, University of Aarhus, November 1998. 9. D. Chaum and E. van Heyst . Group signat ures. In D. W . Davies, edit or, Advances i n Cr yptology— EUROCRY PT 91, volume 547 of Lecture Notes i n Computer Sci ence, pages 257–265. Springer-Verlag, 8–11 April 1991. 10. D. Chaum and T . P ryds P edersen. Wallet dat abases wit h observers. In Ernest F . Brickell, edit or, Advances i n Cr yptology— CRY PT O ’ 92, volume 740 of Lecture Notes i n Computer Sci ence, pages 89–105. Springer-Verlag, 1993, 16–20 August 1992. 11. David Chaum. Blind signat ures for unt raceable payment s. In David Chaum, Ronald L. Rivest , and Alan T . Sherman, edit ors, Advances i n Cr yptology: Proceedi ngs of Cr ypto 82, pages 199–203. P lenum P ress, New York and London, 1983, 23–25 August 1982. 12. L. Chen and T . P. P edersen. New group signat ure schemes. In Alfredo De Sant is, edit or, Advances i n Cr yptology— EUROCRY PT 94, volume 950 of Lecture Notes i n Computer Sci ence, pages 171–181. Springer-Verlag, 1995, 9–12 May 1994.

Co-operat ively Formed Group Signat ures

231

13. Ronald Cramer and Torben P edersen. Improved privacy in wallet s wit h observers. In Tor Helleset h, edit or, Advances i n Cr yptology— EUROCRY PT 93, volume 765 of Lecture Notes i n Computer Sci ence, pages 329–343. Springer-Verlag, 1994, 23– 27 May 1993. 14. A. Lysyanskaya and Z. Ramzan. Group blind digit al signat ures: A scalable solut ion t o elect ronic cash. In R. Hirschfeld, edit or, Fi nanci al Cr yptography: Second I nter nati onal Conference, FC ’ 98, volume 1465 of Lecture Notes i n Computer Sci ence, pages 184–197. Springer-Verlag, February 1998. 15. Greg Mait land and Colin Boyd. Fair elect ronic cash based on a group signat ure scheme. In T hi rd I nter nati onal Conference on I nfor mati on and Communi cati ons Secur i ty ( I CI CS 2001) . Springer-Verlag, November 2001. To appear. 16. Toru Nakanishi, Toru Fujiwara, and Ha jime Wat anabe. A linkable group signat ure and it s applicat ion t o secret vot ing. PSJ Transacti ons, 40(7):3085–3096, 1999. 17. Toru Nakanishi and Yuji Sugiyama. Unlinkable divisible elect ronic cash. In E. Okamot o and J . P ieprzyk, edit ors, T he T hi rd I nter nati onal W or kshop on I nfor mati on Secur i ty ( I SW 2000) , volume 1975 of Lecture Notes i n Computer Sci ence, pages 121–134, 2000. 18. Zulfikar Ramzan. Group blind digit al signat ures: T heory and applicat ions. Mast er’ s t hesis, Depart ment of Elect rical Engineering and Comput er Science, MIT , 1999. 19. J acques Traor´e. Group signat ures and t heir relevance t o privacy-prot ect ing off -line elect ronic cash syst ems. In J . P ieprzyk, R. Safavi-Naini, and J . Seberry, edit ors, A ustralasi an Conference on I nfor mati on Secur i ty and Pr i vacy ( A CI SP’ 99), volume 1587 of Lecture Notes i n Computer Sci ence, pages 228–243. Springer-Verlag, 1999.

A

S e c u rit y P ro o fs

P ro o f o f T h e o re m 1 .

Hon est-verifi er Z ero K n ow ledge: To prove t hat t he prot ocol is st at ist ical honest -

verifier zero-knowledge for any ǫ > 1, we have t o show t hat an honest recipient , i.e., one who chooses t he challenge c uniformly random from { 0, 1} k , can simulat e a prot ocol-conversat ion t hat is st at ist ically indist inguishable from a prot ocolconversat ion wit h t he group member. T he recipient can const ruct a simulat or S as follows: – randomly choose c′ from { 0, 1} k according t o t he uniform dist ribut ion, – randomly choose s ′2 from ± { 0, 1} ǫ ( λ 2 + k ) according t o t he uniform dist ribut ion, ′

– comput e W ′ = a s 2 ( C 2 / a 2

λ

1

c



) . ( W ′ , c′ , s ′2 ) provides a simulat ed view of t he prot ocol as seen by t he recipient . Not e t hat each value in t he range occurs wit h probability 1/ (2ǫ ( λ 2 + k + 1 ) − 1). T hat is, t he probability dist ribut ion P S ( s ′2 ) according t o which t he simulat or S chooses s ′2 is as follows:   0 for s ′2 < − (2ǫ ( λ 2 + k ) − 1) 1 P S ( s ′2 ) = for − (2ǫ ( λ 2 + k ) − 1) ≤ s ′2 ≤ (2ǫ ( λ 2 + k ) − 1)  2 ( 2 + + 1 ) − 1 0 for s ′2 > (2ǫ ( λ 2 + k ) − 1) ǫ

λ

k

232

Greg Mait land and Colin Boyd

To prove t hat t hese values are st at ist ical indist inguishable from a view of a prot ocol run wit h t he group member, it suffi ces t o consider t he probability dist ribut ion P M ( s 2 ) of t he response s 2 of t he group member M and t he probability dist ribut ion P S ( s ′2 ) according t o which t he simulat or S chooses s ′2 . T he probability dist ribut ion of s 2 can be evaluat ed as follows. – T he group member chooses t he privat e key x i randomly from Λ according t o any dist ribut ion u i = x i − 2λ

1



{−



2

+ 1, . . . , 0, . . . , 2λ

2



– T he group member chooses r uniformly at random from r2 ∈

{−



(2ǫ

2+ k

)



1) , . . . , 0, . . . , (2ǫ



2+ k

)



1} . ± {

0, 1} ǫ



2+ k

)

1) } .

– T he recipient chooses c from { 0, 1} k according t o any dist ribut ion. c∈

0, 1, . . . , 2k

{



1} .

T herefore, in general, (c · u i ) ∈

and, since s 2 = r 2 s2 ∈

{−

(2ǫ



2+ k

)



(2λ

{−

2



1)(2k

1) , . . . , 0, . . . , (2λ



2

1)(2k





1) }

− cu i ,

1) − (2λ

2

1)(2k − 1) , . . . , 0, . . . , (2ǫ





2+ k

)



1)+ (2λ

2



1)(2k − 1) }

For a given group member, t he privat e key x i is fixed and hence u i = x i − 2λ 1 is fixed. T herefore, ( c · u i ) t akes on (2k − 1) possible values wit h ( c · u i ) ∈ { 0, u i , 2u i , . . . , (2k − 1) u i } if u i > 0 and, if u i < 0, ( c · u i ) ∈ { (2k − 1) u i , . . . , 2u i , u i , 0} . Wit hout loss of generality, assume u i > 0. T he case u i < 0 produces a dist ribut ion which is a mirror image of it s posit ive count erpart . T he probability t hat t he group member M select s r 2 is  1 for − (2ǫ ( λ 2 + k ) − 1) ≤ r 2 ≤ (2ǫ ( λ 2 + k ) − 1) 2 ( 2 + + 1) − 1 pM ( r 2 ) = 0 ot herwise ǫ

λ

k

Let p R ( c) be t he probability t hat t he recipient R select s t he challenge c. (T here 2 −1 fore, c = 0 p R ( c) = 1.) Because t he select ion processes for r 2 and c are independent , t he probability of a valid pair ( r 2 , c · u i ) being select ed is k

p M ( r 2 ) × p R ( c) =

Let N s 2 = { ( r 2 , c) | s 2 = r 2 int eract ive prot ocol is

− cu i }

 (r 2 ,c)∈ N



1)

.

. T he probability t hat s 2 is out put by t he

(2ǫ s



2+ k



+ 1) −

1)

2



1 (2ǫ

(2

p R ( c)

P M (s2 ) =

=

p R ( c) ǫ (λ 2 + k + 1)

2+ k

+ 1) −

1)

p R ( c) ≤ (r 2 ,c)∈ N

s

2

1 (2ǫ



2+ k

+ 1) −

1)

Co-operat ively Formed Group Signat ures

233

For − (2ǫ ( λ 2 + k ) − 1) ≤ s 2 ≤ 2ǫ ( λ 2 + k ) − (2k − 1)(2λ 2 − 1), each s 2 can be calculat ed in 2k ways using all possible values of c. T hat is, t he out put is s 2 when ( r 2 , cu i ) ∈ { ( s 2 , 0) , ( s 2 + u i , u i ) , ( s 2 + 2u i , 2u i ) , . . . , ( s 2 + (2k − 1) u i , (2k − 1) u i ) } . T he probability of s 2 being out put is exact ly P M (s2 ) =

2 k

1 (2ǫ



2+ k

+ 1) −

1)



1

p R ( c) = c= 0

1 (2ǫ



2+ k

+ 1) −

1)

For t he left t ail − (2ǫ ( λ 2 + k ) − 1) − (2λ 2 − 1)(2k − 1) ≤ s 2 < − (2ǫ ( λ 2 + k ) − 1), s 2 can be calculat ed in st rict ly less t han 2k ways and hence occurs wit h probability less t han ( 2 ( 2 + 1 + 1 ) − 1 ) . ǫ

λ

k

For t he right t ail (2ǫ ( λ 2 + k ) − 1) < s 2 ≤ (2ǫ ( λ 2 + k ) − 1) + (2λ 2 − 1)(2k − 1), s 2 can be calculat ed in at most 2k ways and hence occurs wit h probability less t han or equal t o ( 2 ( 2 + 1 + 1 ) − 1 ) . T hus we have   | P M (α ) − P S (α )| = | P M (α ) − P S (α )| + ǫ

α ∈

λ

k

Z

α ∈ L e ft T a il



(α ) − P S (α )|

|PM α ∈ R ig h t T a il



=

|PM

( α ) − 0| +

α ∈ L e ft T a il

 (α ) −

|PM α ∈ R ig h t T a il

1 (2ǫ



2+ k

+ 1) −

1)

|

(2λ 2 − 1)(2k − 1) (2λ 2 − 1)(2k − 1) + (2ǫ ( λ 2 + k + 1 ) − 1) (2ǫ ( λ 2 + k + 1 ) − 1) λ 2 k 2× 2 × 2 2λ 2 + k + 1 ≤ = (2ǫ ( λ 2 + k + 1 ) − 1) (2ǫ ( λ 2 + k + 1 ) − 1) 1 = (2( ǫ − 1 ) ( λ 2 + k + 1 ) − 2− ( λ 2 + k + 1 ) )



T hus, as t he number of act ive bit s in t he privat e key x i (namely λ 2 bit s) increases, t he diff erence between t he two dist ribut ions is driven t o zero for ǫ > 1 fast er t han any inverse polynomial funct ion of λ 2 . P roof of K n ow ledge: If t he group member follows t he prot ocol, t hen W = ar 2 = as 2 +

λ c(x i − 2 1 )

λ

1

c

λ

1

= as 2 (ax / a2 ) = as 2 (C 2 / a2 ) i

c

mod n

wit h s 2 ∈ ± { 0, 1} ǫ ( λ 2 + k ) + 1 . Hence, t he recipient will accept and t he prot ocol is complet e. Using t he usual const ruct ion for a knowledge ext ract or, it is suffi cient two show t hat t he knowledge ext ract or can comput e x i once two accept ing t riples wit h t he same commit ment have been found. Let ( W , c, s 2 ) and ( W , c′ , s ′2 ) be two

234

Greg Mait land and Colin Boyd c



such accept ing t riples. Since W = a r 2 = a s 2 ( C 2 / a λ 1 ) = a s 2 ( C 2 / a λ 1 ) c− c

aλ 1

′ ′

s − s



c



holds,



we have ( C 2 / ) = a . Let d = gcd( c − c , s − s ). Using t he ext ended Euclidean algorit hm, we obt ain values u and v such t hat u c −d c + v s d− s = 1 and hence we have  v +v = au (C 2 / aλ 1 ) a = au ′

c −

c −

c



s



d



c

s





d

d

v



By const ruct ion, d ≤ c − c′ . If d < c − c′ t hen a u ( C 2 / a λ 1 ) is a c −d c -root of a . Since t his cont radict s t he St rong-RSA assumpt ion, we must have d = c − c′ . Hence c − c′ divides s ′ − s , and we can comput e t he int eger s ′2 − s 2

xi =

c − c′

+ 2λ

1

such t hat a x = C 2 . ⊓⊔

i

P ro o f o f T h e o re m 2 .

T hat t he int eract ive prot ocol is honest -verifier st at ist ical zero-knowledge follows from t he proof given for t he original scheme [2]. We rest rict our at t ent ion t he proof of knowledge part . We have t o show t hat t he knowledge ext ract or is able t o recover t he group cert ificat e [A i , ei ] once it has found two accept ing t uples. Let ( c, s 1 , s 3 , s 4 ) and ( c′ , s ′1 , s ′3 , s ′4 ) be t uples t hat are derived from t he same commit ment s ( T 1 , T 2 , T 3 , d 3 , d 4 ). Wit hout loss of generality, assume t hat c′ > c. E xtractin g A i usin g T 1 , T 2 an d d 3 : Recall T 1 = A i y w mod n and T 2 = g w

mod n for a randomly chosen w ∈ R { 0, 1} 2 ℓ , d 3 = g r 4 mod n for a randomly chosen r 4 ∈ R ± { 0, 1} ǫ ( 2 ℓ + k ) and t he response is s 4 = r 4 − cw . p

p

d3 = gr 4 = gs 4 + g

s4

c

T2 = g ′

g

s4− s4

g

( s 4 − s ′4 ) / ( c ′



c)



s4

c



= T2



= g s 4 T 2c = g s 4 + c



w





= g s 4 T 2c

mod n

mod n

T2



c − c

= T2

cw

mod n

(1)

mod n

(2)

Let δ 4 = gcd( s 4 − s ′4 , c′ − c). T herefore, by t he ext ended Euclidean algorit hm, t here exist s α 4 , β 4 such t hat α 4 ( s 4 − s ′4 ) + β 4 ( c′ − c) = δ 4 and so, using equat ion (1), g = g [α



 ′

4 ( s 4 − s 4 ) + β 4 ( c − c ) ]/ δ 4



= T 2α 4 g β 4

(c





δ

4

c

)

=



= T 2α 4 g β 4

gα k



4(s4− s4)





4 (c − c)



1/ δ



4

=

mod n wit h int eger k =



α 4 (c − c)

T2

( c′





4 (c − c)

δ

1 4

− c)

δ

4

Since δ 4 = gcd( s 4 − s ′4 , c′ − c) and c′ > c, δ 4 divides ( c′ − c) and δ 4 ≤ ( c − c) = ⇒ 1 ≤ c δ −4 c = k . If k > 1, t hen T 2α 4 g β 4 is a k t h root of g which cont radict s t he St rong-RSA assumpt ion. T herefore k = 1 and δ 4 = ( c′ − c). ′



Co-operat ively Formed Group Signat ures ′

However, δ 4 also divides s 4 − s ′4 and so s 4 Because s 4 = r 4 − cw and s ′4 = r 4 − c′ w ,



= φ

− s4

4 (c −

235

c) for some int eger φ

4.

s 4 − s ′4 = ( c′ − c) w s 4 − s ′4

= w c′ − c φ 4 = w

and so A i = T 1 / y w = T 1 / y φ

mod n .

4



E xtractin g ei usin g φ

T 3 an d d 4 : Not e t hat φ

4,

d4 = gr 1 h r 4 = gs 1 + 2

= gs 1 h s 4 (g− g

h

(g





1

c

T3 ) = g ′

gs 1 − s 1

Let δ 1 = gcd( s 1 t here exist s α 1 , β (1), g = g [α

= h

h



s4− s4



(g



1





1

(g







1

T3 )

(h φ 4 g−



1

T3 )α

(h

g

′ γ c ( ei − 2 1 )

T3 )

c

T3 )





hs4+

=



α 1 (c − c)







c w



= gs 1 h s 4 (g−



1

T3 )c



mod n

mod n ′

c − c

= (h φ 4 g−



1

1



1

T3 )c





c

mod n

T herefore, by t he ext ended Euclidean algorit hm, s ′1 ) + β 1 ( c′ − c) = δ 1 and so, using equat ion





γ

i

1 (s1 −

1 ( s 1 − s 1 ) + β 1 ( c − c ) ]/ δ 1

φ 4

cw

i



such t hat α

1

 =



s4

− s 1 , c − c).

 =



s1

from above.

γ



s4

hs4+

s4− s4 c′ − c

=

= gs 1 h r 4 gc ( e − 2 ) h c w 1 e 1 g h w ) c = g s 1 h s 4 ( g − 2 T 3 ) c mod n

γ

d4 = gr 1 h r 4 = gs 1 + s1

γ c( ei − 2 1 )

4

gα ′

g



1(s1− s1)

β 1 (c − c)



1/ δ



1

=

j

1



1 (c − c)



wit h int eger j =

(h

φ 4

( c′

g



1/ δ

1



1

− c)

δ

T3 )

α 1

g

β 1

(c





δ

c

)

1

.

1

Since δ 1 = gcd( s 1 − s ′1 , c′ − c) and c′ > c, δ 1 divides ( c′ − c) and δ 1 ≤ 1 ( c − c) = ⇒ 1 ≤ c δ −1 c = j . If j > 1, t hen ( h φ 4 g − 2 T 3 ) α 1 g β 1 is a j t h root of g which cont radict s t he St rong-RSA assumpt ion. T herefore j = 1 and δ 1 = ( c′ − c). s − s However, δ 1 = ( c′ − c) also divides ( s 1 − s ′1 ) and so t here is an int eger φ 1 = c1 − c1 . Because s 1 = r 1 − c( ei − 2γ 1 ) and s ′1 = r 1 − c′ ( ei − 2γ 1 ), γ









s 1 − s ′1 = ( c′ − c)( ei − 2γ s 1 − s ′1 c′ − c ′

So ei =

s1− s1 c′ − c

+ 2γ

1

= φ

1

= ( ei



1

)

2γ 1 )

+ 2γ 1 . ⊓⊔

T ra n s it iv e S ig n a t u re S ch e m e s Silvio Micali and R onald L. R ivest Laborat ory for Comput er Science, Massachuset t s Inst it ut e of Technology, Cambridge, MA 02139 [email protected]

We int roduce and provide t he first example of a t ransit ive digit al signat ure scheme. Informally, t his is a way t o digit ally sign vert ices and edges of a dynamically growing, t ransit ively closed, graph G so as t o guarant ee t he following propert ies: – Given t he signat ures of edges ( u , v ) and ( v , w ), anyone can easily derive t he digit al signat ure of t he edge ( u , w ). – It is comput at ionaly hard for any adversary t o forge t he digit al signat ure of any new vert ex or ot her edge of G , even if he can request t he legit imat e signer t o digit ally sign any number of G ’ s vert ices and edges of his choice in an adapt ive fashion (i.e., even if he can choose which vert ices and edges t he legit imat e signer should sign next aft er he sees t he legit imat e signat ures of t he ones request ed so far). A b st r a c t .

K e y w o r d s:

public-key crypt ography, digit al signat ures, graphs, t ransi-

t ive closure.

1

In t ro d u c t io n

Somet imes crypt osyst ems have (or can b e designed t o have) algebraic prop ert ies t hat make t hem except ionally useful for cert ain applicat ions. For example, crypt osyst ems wit h appropriat e homomorphisms can b e used for “comput ing wit h encrypt ed dat a” [14,8,9,15]. Similarly, blind signat ures [4,5] ut ilize similar homomorphic prop ert ies. Of course, algebraic prop ert ies of crypt osyst ems are oft en undesirable; t hey may yield avenues for at t acking t he crypt osyst em such as undesirable “malleability” prop ert ies [7]. We prop ose here a new prop erty for signat ure schemes t hat may have int erest ing applicat ions. We call signat ure schemes wit h t his prop erty “t ransit ive” signat ure schemes, b ecause t he signat ure scheme is compat ible wit h comput ing t he t ransit ive closure of t he graph b eing signed. Subsequent t o our work, J ohnson et al. [11] have invest igat ed relat ed generalizat ions under t he rubric of “homomorphic signat ure schemes.” Graphs are commonly used t o represent a binary relat ion on a finit e set . A graph G = ( V , E ) has a finit e set V of vert ices and a finit e set E ⊆ V × V of edges. We writ e an edge from u t o v as t he ordered pair ( u , v ) in any case, whet her t he graph is direct ed or undirect ed. Cormen et al. [6] describ e graph represent at ions and algorit hms. B . P r e n e e l ( E d . ) : C T -R S A 2 0 0 2 , L N C S 2 2 7 1 , p p . 2 3 6 – 2 4 3 , 2 0 0 2 .  c S p r in g e r -V e r la g B e r lin H e id e lb e r g 2 0 0 2

Transit ive Signat ure Schemes

237

Many graphs are nat urally t ra n s i t i v e : t hat is, t here is an edge from u t o v whenever t here is a pat h from u t o v . For a direct ed example, consider a graph represent ing a milit ary chain-ofcommand. Here vert ices represent p ersonnel and a direct ed edge ( u , v ) from u t o v means t hat u commands (or cont rols) v . Clearly, if u commands v and v commands w , t hen u commands w . For an undirect ed example, consider a graph represent ing a set of administ rat ive domains. T he vert ices represent comput ers and an undirect ed edge means t hat u and v are in t he same administ rat ive domain. Again, it is clear t hat if u and v are in t he same administ rat ive domain, and if v and w are in t he same administ rat ive domain, t hen u and w are in t he same administ rat ive domain. Transit ive (and reflexive) undirect ed graphs represent equivalence relat ions. We are int erest ed in sit uat ions where someone (let ’ s call her Alice) wishes t o publish a t ransit ive graph in an aut hent icat ed (i.e., signed) manner. Signing t he graph allows ot hers t o know t hat t hey are working wit h t he aut hent ic graph (or wit h aut hent ic comp onent s of t he graph). Of course, Alice could just sign a represent at ion of t he ent ire graph as a single signed message. T his approach may, however, b e awkward in pract ice, part icularly if t he graph changes frequent ly or t he comp onent s are large. R egarding t he effi ciency of represent at ion, we observe t hat a graph wit h n vert ices may have O ( n 2 ) edges. It may b e more effi cient for Alice t o sign a smaller graph, wit h t he explicit underst anding t hat t he int ended graph is t he t ra n s i t i v e c lo s u re of t he signed graph. In t his way she never needs t o sign more t han O ( n ) edges (in t he undirect ed case). T he t ra n s i t i v e c lo s u re G ∗ = ( V ∗ , E ∗ ) of a graph G = ( V , E ) is defined t o have V ∗ = V and t o have an edge ( u , v ) in E ∗ if and only if t here is a pat h (of lengt h zero or great er) from u t o v in G . (T his is more prop erly called t he reflexive t ransit ive closure, but we st ick wit h st andard usage.) For furt her effi ciency, we now rest rict our at t ent ion t o schemes wherein Alice signs t he vert ices and edges of t he graph G individually. T his allows G t o grow dynamically: vert ices and edges may b e added lat er on wit hout Alice having t o re-sign everyt hing done b efore. (We assume t hat vert ices and edges are never delet ed.) Alice t hus has two signat ure schemes for signing t he comp onent s of t he graph G : one signat ure scheme for signing vert ices, and one for signing edges. We denot e her signat ure of t he vert ice v as σ ( v ) and her signat ure of t he edge ( u , v ) as σ ( u , v ), wit h t he underst anding t hat t he underlying signat ure schemes may b e diff erent . Because we are focussing on t he sit uat ion where t he graph Alice int ends t o sign is t ransit ive, she need only sign a subset of t he edges, as long as t he t ransit ive closure of t hat subset is equal t o t he int ended graph. For example, in t he chain-of-command example, she need only sign edges represent ing t he relat ionship b etween an individual and his immediat e sup erior; ot her edges can b e inferred from t hese. Or, for anot her example, in t he administ rat ive domain

238

Silvio Micali and Ronald L. Rivest

example, she need only sign enough edges t o form a spanning t ree wit hin each administ rat ive domain. An observer who t hen sees a signed edge σ ( u , v ) and anot her signed edge σ ( v , w ) can t hen infer t hat ( u , w ) is also in t he graph b eing signed by Alice. It is as if Alice had act ually signed t he edge ( u , w ) direct ly. And t hen if t he observer sees anot her edge ( w , x ), he can infer t hat ( u , x ) is in t he graph as well. In some applicat ions, however, it may b e necessary for a party t o act ually p ro v e t hat Alice signed (eit her explicit ly or implicit ly by t ransit ivity) an edge. For example, a party x may need t o prove t hat he is in t he chain of command underneat h party u . Or, party x may need t o prove t hat he is in t he same administ rat ive domain as party u . How can t his b e done, if t he edge ( u , x ) was not explicit ly signed, but is only inferrable by t ransit ivity? A st raight forward approach t o proving t hat ( u , x ) is in t he graph is t o produce a “proof” consist ing of a sequence of signed edges forming a pat h from u t o x (wit h t heir signat ures). In t his example, a proof t hat ( u , x ) is in t he graph might consist of t he sequence: (u , v ), (v , w ), (w , x ) (1) and t heir corresp onding signat ures: (u , v ), σ (v , w ), σ (w , x ) σ

.

(2)

(Act ually, t he proof includes Alice’ s signat ures on each oft he vert ices as well: σ

(u ), σ (v ), σ (w ), σ (x ) .)

(3)

T his sequence of signed edges forms a pat h from u t o x , t hus proving t hat t he edge ( u , x ) is in t he graph b eing signed by Alice. T he problem wit h using such “pat h-proofs” is t hat t hey may b ecome cumb ersome if t he pat h is long, and may int roduce unnecessary det ail and informat ion in t he proof. (W hy should a soldier need t o ment ion each of his sup erior offi cers if all he is t rying t o prove is t hat he is in t he U.S. Army?) We are t hus led t o wonder whet her some signat ure schemes might b e compat ible wit h a “pat h compression” op erat or t hat produces an inferred signat ure t hat is indist inguishable from one t hat might have b een produced by Alice. More sp ecifically, let us informally define a “ t ra n s i t i v e s i gn a t u re s c h e m e ” t o be a s c h e m e f o r s i gn i n g t h e v e r t i ce s a n d ed ge s o f a gra p h s u c h t h a t i f s o m eo n e s ee s A li ce ’ s s i gn a t u re s o n v e r t i ce s u , v , a n d w a n d a ls o s ee s A li ce ’ s s i gn a t u re s o n

( u , v ) a n d ( v , w ) , t h e n t h a t s o m eo n e ca n ea s i ly co m p u t e a v a li d s i gn a t u re ( u , w ) t h a t i s i n d i s t i n gu i s h a ble f ro m a s i gn a t u re o n t h a t ed ge t h a t A li ce w o u ld h a v e p rod u ced h e r s e lf . See F igure 1. W it h a t ransit ive signat ure scheme Alice only needs t o sign a minimum numb er of edges t hat has t he same t ransit ive closure as her int ended graph; an observer can infer her signat ures on t he remaining (inferred) edges. We not e for t he record t hat t his minimum subset of edges having t he same t ransit ive closure is called t he t ra n s i t i v e red u c t i o n of a graph and can b e comput ed effi cient ly in b ot h t he undirect ed and direct ed cases [1]. ed ge s

o n t h e ed ge

Transit ive Signat ure Schemes

239

v

 ✒



  

❅ ❅ ❅ ❅







❅ ❅❘

 u



w

W it h a t ransit ive signat ure scheme anyone can comput e a signat ure on edge ( u , w ) given signat ures on edges ( u , v ) and ( v , w ).

F ig. 1 .

W it h a t ransit ive signat ure scheme, anyone can produce a short “proof” t hat a given edge is in t he graph. Even if Alice didn’ t sign t hat edge explicit ly, t he proof is a signat ure t hat might as well b een produced by Alice. Most convenient ly, one does not need t o have t he verifier underst and chains or sequences of signed edges (as one typically has t o do for cert ificat e chains in an analagous sit uat ion, for example [12, Sect ion 13.6.2]). Having providing some mot ivat ion, we can t hen ask: do t ransit ive signat ure schemes exist ? We provide a part ial answer b elow.

2

A n U n d ire c t e d T ra n s it iv e S ig n a t u re S ch e m e

In t his sect ion we describ e a t ransit ive signat ure scheme for working on undirect ed graphs (which we dub a u n d i rec t ed t ra n s i t i v e s i gn a t u re s c h e m e ) and prove it secure. It is based on t he diffi culty of t he discret e logarit hm problem. U s e r s e t u p : Each user select s a public-key signat ure scheme for signing vert ices.

T he vert ex signat ure scheme should have t he usual security prop ert ies, but need not have any sp ecial algebraic prop ert ies. For example, t he scheme prop osed by Goldwasser, Micali, and R ivest [10] is sat isfact ory here as a vert ex signat ure scheme. T he user select s a public-key/ privat e-key pair, and publishes t he publickey. For use in signing edges, each user select s and publishes t he following paramet ers: – large primes p and q such t hat q divides p − 1, and – generat ors g and h of t he subgroup G q of order q of Z ∗p , such t hat t he base-g

logarit hm of

h

modulo

p

is infeasible for ot hers t o comput e.

C re a t in g a n e w v e rt e x : W hen a user Alice wishes t o creat e a new vert ex and

add it t o t he graph, she does t he following: – Let n denot e t he numb er of vert ices previously creat ed. Increment n by 1. – Select two values x n and y n indep endent ly at random from Z q . – Comput e v n as g x n h y n (mod p ).

240

Silvio Micali and Ronald L. Rivest

– Comp ose, sign, and publish a st at ement of t he form, “T he n -t h vert ex of

t he graph is represent ed by t he value v n .” (T he message is signed using t he vert ex-signing public-key signat ure scheme. T he value v n is given explicit ly in t he message. T he values x n and y n are kept secret by Alice.) j ) : To sign t he edge b etween t he i -t h vert ex and t he j -t h vert ex, Alice comput es and publishes t he quadruple:

S ig n in g t h e e d g e ( i ,

(i , j , α

i j



)

i j

where α β

i j

=

xi



xj

(mod q )

i j

=

yi



yj

(mod q )

.

We not e t hat t he vert ex-signing procedure is very similar t o t he informat iont heoret ically secure commit ment scheme of P edersen [13] (or equivalent ly, of Chaum, van Heijst , and P fit zmann [3]). V e rify in g a n e d g e s ig n a t u re : Anyone can verify t he signat ure on an edge by

checking t hat =

vi

α

vj g

ij

h

β ij

(mod q )

.

(4)

C o m p o s in g e d g e s ig n a t u re s : Given a signat ure ( i , j , α

and a signat ure ( j , k , α

j k



j k

i j , β i j ) of edge ( i , j ) ) of edge ( j , k ), anyone can comput e t he signat ure

(i , k , α

i k



i k

)

on edge ( i , k ) as: α

i k

=

i k

= β

=

yi

α

= β

α



i j

xi





β yk

(mod q ) (mod q )

xk



i k

j k

i k

(mod q )

.

T his signat ure is ident ical t o what Alice would produce when signing t he edge ( i , k ).

3

S e c u rit y

As wit h any signat ure scheme, proving security means proving t hat an adversary will not b e able t o forge new signat ures having seen some previous legit imat e signat ures. Of course, when t he signat ure scheme has t he kind of algebraic property considered in t his pap er, t he adversary is int ent ionally given for free t he ability t o “forge” signat ures on new edges, as long as t hey are in t he t ransit ive closure of previously signed edges. Since t he adversary is b eing explicit ly given t his capability for free, it is considered a feat ure (and not a defect ) t hat t he adversary can comput e t hese signat ures. It is t hus t he ability of t he adversary t o comput e signat ures on edges o u t s i d e t he t ransit ive closure of previously signed edges t hat should b e considered as “forgery” and a break of t he signat ure

Transit ive Signat ure Schemes

241

scheme; our proof shows t hat forging signat ures out side of t he t ransit ive closure of previously signed edges is provably hard. T here is anot her subt le issue regarding t he definit ion of security, regarding how t he previously signed edges are det ermined. T he simplest sort of “st at ic” adversary would b e asked t o forge a signat ure on a “new” edge, given as input a graph wit h a given set of edge signat ures. A more p owerful adversary, which our scheme is capable of defeat ing, would b e given t he following capabilit ies, which he could exercise at will, unt il he is ready t o at t empt a forgery. T he adversary can make t he following request s of t he signer. – I n it ia liz e . Ask t he signer t o discard any previously signed vert ices and

edges, and b egin wit h a “clean slat e”; ask t he signer t o make up a new name N for a new graph t o b e const ruct ed. – A d d a n e w v e rt e x i . Ask t he signer t o sign a st at ement saying t hat “vert ex i is now part of t he graph N .” – A d d a n e w e d g e ( i , j ) . Ask t he signer t o sign a st at ement saying t hat “edge ( i , j ) is now part of t he graph N .” Once t he adversary is done wit h his request s, he is challenged t o forge an edge signat ure on any edge of his choice, as long as t he edge is not in t he t ransit ive closure of t he edges previously signed. It is imp ort ant t o emphasize t hat t he adversary is a d a p t i v e in t he sense t hat each such request need b e formulat ed by t he adversary only aft er he has seen t he resp onse t o all previous request s. T he adversary does not need t o commit t o all of his request s in advance; he makes t hem up as he goes along. (We not e t hat if t he adversary is st at ic rat her t han adapt ive, in t he sense t hat he must commit t o a l l of request s b efore seeing t he resp onses t o any of t hem, t hen ot her simpler schemes will work. For example, it suffi ces for t he signer t o publicly assign a random numb er x i t o each vert ex i , and t o sign edge ( i , j ) by giving an R SA signat ure on t he value x i / x j , t hat is, ( x i / x j ) d (mod n ). T he mult iplicat ive prop erty of R SA ensure t he desired t ransit ive prop erty. However, we don’t know how t o prove t his scheme is secure against an adapt ive adversary, as t he usual reduct ion t echniques seem t o require knowing ahead of t ime (when t he x i values are commit t ed t o) what t he final connect ed comp onent s will b e, so t hat t he x i values can b e appropriat ely set up for t he reduct ion, and t here are t oo many p ossible arrangement s of t he connect ed comp onent s t o guess it correct ly wit h a inverse p olynomial chance of success.) In our scheme, st art ing a new graph means making up a new set of syst em paramet ers for t hat graph, and publishing t he det ails of t he corresp onding vert ex and edge signat ure schemes. Each vert ex and edge signat ure is accomplished as describ ed in t he previous sect ion. T h e o re m 1 . T h e p ro po s ed u n d i rec t ed t ra n s i t i v e s i gn a t u re s c h e m e i s s ec u re i n t h e s e n s e t h a t a n a d v e r s a r y ca n n o t f o rge a s i gn a t u re f o r a n ed ge n o t i n t h e t ra n s i t i v e c lo s u re o f ed ge s a lrea d y s ee n , e v e n i f h e ca n a d a p t i v e ly requ e s t n e w v e r t i ce s t o be c rea t ed a n d s i gn ed a n d requ e s t ed ge s t o be s i gn ed , a s s u m i n g t h a t co m p u t i n g d i s c re t e loga r i t h m s i s h a rd .

242

Silvio Micali and Ronald L. Rivest

P ro o f s ke t ch : A st raight forward reduct ion from t he discret e logarit hm in G q ,

t he subgroup of prime order q modulo p . Given an inst ance ( g , y , p , q ) of t he discret e logarit hm problem (where g and y are in G q and t he goal is t o comput e log g ( y ) mod p ) we creat e a t ransit ive signat ure scheme wit h g = g and h = y . It is easy t o see how a simulat or can resp ond successfully t o request s for signat ures of edges. However, t he usual linear algebra (see P edersen [13]) can b e used t o show t hat it is hard for an adversary t o forge signat ures since it would imply b eing able t o comput e log g ( h ). One needs t o argue t hat t he adversary learns not hing ab out t he t rue x i and y i values from t he signat ures he observes. T he adversary’ s forgery on an edge is t hus ext remely unlikely t o b e equal t o t he simulat or’ s signat ure for t hat edge. Given two signat ures on t he same edge, log g ( h ) can b e comput ed. (A more complet e proof will b e given in t he complet e version of t his pap er.) ⊓⊔

4

R e m a rk s a n d D is c u s s io n

T he problem of finding a d i rec t ed t ransit ive signat ure scheme remains a very int erest ing op en problem. We have not b een able t o make much progress on t his problem. We not e t hat t here is some similarity b etween our problem and t he problem of “at omic proxy crypt ography” due t o Blaze et al. [2]. However, we have not b een able t o come up wit h a provably secure undirect ed t ransit ive signat ure scheme for a scheme modelled on t heir ideas wit hout losing t oo much effi ciency in t he proof. Anot her int erest ing op en problem is t he following: Given Alice’s signat ure on message M and on (in some sp ecial way) Bob’s public key, Bob can t hen “cut himself out of t he middle” and produce Alice’s signat ure on M and on (in t he same sp ecial way) Carol’s public key. T his would b e very useful for collapsing chains of delegat ion or cert ificat ion.

A ck n o w le d g m e n t s We would like t o t hank Shafi Goldwasser for Mihir Bellare for many int erest ing discussions, encouragement , and suggest ions. (In part icular, Mihir Bellare sent us a proof t hat t he R SA-based scheme give works against a st at ic adversary.)

R e fe r e n c e s 1. A. V. Aho, M. R. Garey, and J . D. Ullman. T he t ransit ive reduct ion of a direct ed graph. SI A M J . C om put . , 1:131–137, 1972. 2. Mat t Blaze, Gerrit Bleumer, and Mart in St rauss. Divert ible prot ocols and at omic proxy crypt ography. In Kaisa Nyberg, edit or, P roceedi ngs E U RO C RY P T ’ 98, pages 127–144. Springer, 1998. 3. D. Chaum, E. van Heijst , and B. P fit zmann. Crypt ographically st rong undeniable signat ures, uncondit ionally secure for t he signer. In J . Feigenbaum, edit or, P roceedi ngs C RY P T O ’ 91, pages 470–484. Springer, 1992. Lect ure Not es in Comput er Science No. 576.

Transit ive Signat ure Schemes

243

4. David Chaum. Blind signat ures for unt raceable payment s. In R. L. Rivest , A. Sherman, and D. Chaum, edit ors, P roceedi ngs C RY P T O 82 , pages 199–203, New York, 1983. P lenum P ress. 5. David Chaum. Security wit hout ident ificat ion: Transact ion syst ems t o make big brot her obsolet e. C om m uni cat i ons of t he A C M , 28(10):1030–1044, Oct 1985. 6. T homas H. Cormen, Charles E. Leiserson, and Ronald L. Rivest . I nt roduct i on t o A lgor i t hm s. MIT P ress/ McGraw-Hill, 1990. 7. D. Dolev, C. Dwork, and M. Naor. Non-malleable crypt ography. In P roc. ST O C ’ 91, pages 542–552. ACM, 1991. 8. J oan Feigenbaum. Encrypt ing problem inst ances: Or...can you t ake advant age of someone wit hout having t o t rust him? In H. C. W illiams, edit or, P roceedi ngs C RY P T O 85 , pages 477–488. Springer, 1986. Lect ure Not es in Comput er Science No. 218. 9. J oan Feigenbaum and Michael Merrit t . Open quest ions, t alk abst ract s, and summary of discussions. In D I M A C S Ser i es i n D i scret e M at hem at i cs and T heoret i cal C om put er Sci ence, volume 2, pages 1–45, 1991. 10. Shafi Goldwasser, Silvio Micali, and Ronald L. Rivest . A digit al signat ure scheme secure against adapt ive chosen-message at t acks. SI A M , 17(2):281–308, April 1988. 11. Robert J ohnson, David Molnar, Dawn Song, and David Wagner. Homomorphic signat ure schemes. In T opi cs i n C r ypt ology— C T -R SA 2002 , pages 244–262. Springer, 2002. Lect ure Not es in Comput er Science No. 2271 (T his Volume). 12. Alfred J . Menezes, P aul C. van Oorschot , and Scot t A. Vanst one. H andbook of A ppli ed C r ypt ography . CRC P ress, 1997. 13. T .P. P edersen. Non-int eract ive and informat ion-t heoret ic secure verifiable secret sharing. In J . Feigenbaum, edit or, P roceedi ngs C RY P T O ’ 91, pages 129–140. Springer, 1992. Lect ure Not es in Comput er Science No. 576. 14. Ronald L. Rivest , Leonard Adleman, and Michael L. Dert ouzos. On dat a banks and privacy homomorphisms. In R. DeMillo, D. Dobkin, A. J ones, and R. Lipt on, edit ors, Foundat i ons of Secure C om put at i on , pages 169–180. Academic P ress, 1978. 15. Tomas Sander, Adam Young, and Mot i Yung. Non-int eract ive crypt ocomput ing for 1 N C . In P roceedi ngs 40t h I E E E Sym posi um on Foundat i ons of C om put er Sci ence, pages 554–566, New York, 1999. IEEE.

H o m o m o rp h ic S ig n a t u re S ch e m e s Robert J ohnson 1 , David Molnar 2 , Dawn Song1 , ⋆ , and David Wagner 1 1

University of California at Berkeley 2 ShieldIP

P rivacy homomorphisms, encrypt ion schemes t hat are also homomorphisms relat ive t o some binary operat ion, have been st udied for some t ime, but one may also consider t he analogous problem of homomorphic signat ure schemes. In t his paper we int roduce basic definit ions of security for homomorphic signat ure syst ems, mot ivat e t he inquiry wit h example applicat ions, and describe several schemes t hat are homomorphic wit h respect t o useful binary operat ions. In part icular, we describe a scheme t hat allows a signat ure holder t o const ruct t he signat ure on an arbit rarily redact ed submessage of t he originally signed message. We present anot her scheme for signing set s t hat is homomorphic wit h respect t o bot h union and t aking subset s. F inally, we show t hat any signat ure scheme t hat is homomorphic wit h respect t o int eger addit ion must be insecure. A b st r a c t .

1

Int ro d u c t io n

A crypt osyst em f : G → R defined on a group ( G, · ) is said t o be homomorphic if f forms a (group) homomorphism. T hat is, given f ( x ) and f ( y ) for some unknown x , y ∈ G , anyone can comput e f ( x · y ) wit hout any need for t he privat e key. Somewhat surprisingly, t his property has a wide range of applicat ions, including secure vot ing prot ocols [8] and mult iparty comput at ion [26]. In a series of t alks, Rivest suggest ed t he invest igat ion of homomorphic sign atu re schemes. For inst ance, t he RSA signat ure scheme is a group homomorphism, as m d1 · m d2 = ( m 1 · m 2 ) d . T his property was previously considered t o be undesirable and much energy has been spent on eliminat ing it [5]. T he quest ion is whet her t his property can be put t o posit ive use inst ead. More generally, Rivest asked whet her homomorphic signat ure schemes wit h posit ive applicat ions can be found. Our goal is t o shed light on t his quest ion. In t he process, we give a formal definit ion of what it means t o be a secure homomorphic signat ure scheme (see Sect ion 3). T hen, we const ruct a redact able signat ure scheme where, given a signat ure S i g ( x ), anyone can comput e a signat ure S i g ( w ) on any redact ion w of x obt ained by rubbing out some posit ions of x (Sect ion 4). We give proofs of ⋆

T his research was support ed in part by t he Defense Advanced Research P roject s Agency under DARPA cont ract N6601-99-28913 (under supervision of t he Space and Naval Warfare Syst ems Cent er San Diego) and by t he Nat ional Science foundat ion under grant s F D99-79852 and CCR-0093337.

B . P r e n e e l ( E d . ) : C T -R S A 2 0 0 2 , L N C S 2 2 7 1 , p p . 2 4 4 – 2 6 2 , 2 0 0 2 .  c S p r in g e r -V e r la g B e r lin H e id e lb e r g 2 0 0 2

Homomorphic Signat ure Schemes

245

security for t his scheme (Appendix A). We present a scheme for signing set s t hat allows anyone t o comput e t he signat ure on t he union of two signed set s, and t he signat ure on any subset of a signed set , and corresponding proofs of security (Sect ion 5). We also consider addit ively homomorphic signat ure schemes S i g : Z/ m Z → R . We argue t hat all such schemes are insecure: t hey unavoidably possess propert ies t hat are likely t o render t hem useless in pract ice (Sect ion 6). T he problemat ic propert ies of addit ive signat ure schemes are general and complet ely independent of t he way t he scheme is implement ed. In response, we define and consider sem igrou p-hom om orphic signat ure schemes, which would permit us t o avoid t hese bad propert ies. We pose as an open problem t o find a signat ure scheme t hat is semigroup-homomorphic but not group-homomorphic.

2

R e la t e d W o rk

T he not ion of homomorphic signat ure schemes was first given by Rivest in a series of t alks on “two new signat ure schemes” [24]. T he first of t hese signat ure schemes, due t o Micali and Rivest , is a “t ransit ive signat ure scheme” for undirect ed graphs [19]. In t his scheme, given a signat ure on two graph edges S i g (( x , y )), S i g (( y, z )), a valid signat ure S i g (( x , z )) on any edge in t heir t ransit ive closure can be comput ed wit hout access t o t he secret key. T his scheme works only for undirect ed graphs; given signat ures on t he t ransit ive closure edge S i g (( x , z )) and t he edge S i g (( x , y )), a signat ure on t he “int ermediat e” edge S i g (( y, z )) can be comput ed It was left as an open problem t o find a similar scheme for directed graphs. T he second signat ure scheme, due t o Rivest , Rabin, and Chari, allows “prefix aggregat ion” [24]. Given two signat ures S i g ( p 0) and S i g ( p 1) on t he two messages obt ained from p by appending a zero and one bit , t heir scheme allows comput at ion of a signat ure S i g ( p) on p wit hout access t o t he secret key. T he scheme as present ed has a property similar t o t he t ransit ive graph signat ure scheme: t he signat ure S i g ( p 1) can be easily comput ed. from S i g ( p) and S i g ( p 0). It was left as an open problem t o find a similar scheme t hat does not have t his property. Rivest also posed t he open problem of finding a “concat enat ion signat ure scheme,” in which given two signat ures S i g ( x ) and S i g ( y ) a signat ure S i g ( x  y ) on t heir concat enat ion can be comput ed. Rivest also suggest ed invest igat ing what ot her “signat ure algebras” can be const ruct ed. In Sect ion 4 we give a const ruct ion for “redact able signat ures.” T hen in Sect ion 5 we show t hat RSA accumulat ors can be used t o const ruct signat ures homomorphic wit h respect t o t he union and subset operat ions. Homomorphic signat ure schemes are int riguing in part because homomorphic crypt osyst ems have proved t o be so useful. Rivest , Adleman, and Dert ouzos not ed applicat ions of “privacy homomorphisms” t o comput ing on encrypt ed dat a soon aft er t he int roduct ion of RSA [25]. Peralt a and Boyar showed t hat an xor-homomorphic bit commit ment could be exploit ed t o yield more effi cient zero-knowledge proofs of circuit sat isfiability [23]. Feigenbaum and Merrit t not ed t hat a “crypt osyst em which is a ring homomorphism on Z/ 2Z could be used t o

246

Robert J ohnson et al.

implement complet ely non-int eract ive secure circuit evaluat ion” and called such crypt osyst ems “algebraic” [14]. Benaloh gave a secure elect ion scheme based on a homomorphic encrypt ion scheme [12]. Cramer and Damgard use homomorphic bit commit ment s t o drast ically simplify zero-knowledge proofs [13]. Many ot her examples exist in which homomorphic propert ies are used t o const ruct crypt ographic prot ocols. T he init ial promise of privacy homomorphisms was t empered by a st ring of negat ive result s. Ahit uv, Lapid, and Neumann showed t hat any crypt osyst em t hat is xor-homomorphic on GF (26 4 ) is insecure under chosen ciphert ext at t ack [1]. Boneh and Lipt on showed t hat any det erminist ic crypt osyst em t hat is a field homomorphism must fall vict im t o a subexponent ial at t ack [10]. T hey furt her conject ured t hat any field-homomorphic crypt osyst em, which t hey called “complet ely malleable,” would prove t o be insecure. Brickell and Yacobi broke a number of candidat e const ruct ions of privacy homomorphisms [11]. T hese negat ive result s have t heir analogue in our result s of Sect ion 6 showing t he t riviality of signat ure schemes t hat are group homomorphisms on (Z, + ). Besides RSA, several ot her homomorphic crypt osyst ems are current ly known. Goldwasser-Micali encrypt ion t akes t he form of a group homomorphism Z/ 2Z → (Z/ n Z) [17], and ot hers have proposed a number of ot her public-key encrypt ion schemes t hat have various useful homomorphic propert ies [15,8,22,20]. Of part icular int erest is Sander, Young, and Yung’ s slick const ruct ion of an encrypt ion algorit hm t hat is bot h and- and xor-homomorphic [26]; t hey not e t hat t his is t he first crypt osyst em homomorphic over a semigroup. Redact able signat ure schemes are relat ed in bot h spirit and const ruct ion t o t he “increment al crypt ography” of Goldwasser, Goldreich, and Bellare [3]. Our not ion of privacy for redact able signat ures has a parallel in t heir not ion of privacy for increment al signat ures [4]. ∗

3

D e fi n it io n s

We define t he not ion of a homomorphic signat ure scheme as follows. A specificat ion of a signat ure scheme includes a message space M , a set of privat e keys K , a set of public keys K , a (possibly randomized) signat ure algorit hm Sig : K × M → Y , and a verificat ion algorit hm V r f y : K × M × Y → { o k , b a d } so t hat V r f y ( k , x , S i g ( k , x )) = o k for all x ∈ M when ( k , k ) is a mat ching privat e key and public key. As a not at ional mat t er, for conciseness we oft en omit t he privat e and public keys, writ ing S i g ( x ) inst ead of S i g ( k , x ) and V r f y ( x , s) inst ead of V r f y ( k , x , s) when t his abbreviat ion will not cause confusion. Also, for a binary operat ion ⊙ : M × M → M and a set S ⊆ M , we let span ( S ) denot e t he least set T wit h S ⊆ T and x ⊙ y ∈ T for all x , y ∈ T . ′











D e fi n i t i o n 1 . F ix a sign atu re schem e S i g

:

K

×

M



Y

,

V rfy

:

K



×

M

×

an d a bin ary operation ⊙ : M × M → M . W e say that S i g is hom om orphic with respect to ⊙ if it com es with an effi cien t fam ily of bin ary ′ x ′ ) for all x , x ′ , y, y ′ Y so that y ⊗ k ′ y = S i g ( x ⊙ operation s ⊗ k ′ : Y × Y → ′ ′ satisfy in g V r f y ( x , y ) = V r f y ( x , y ) = o k . Y



{ b ad , ok }

Homomorphic Signat ure Schemes

247

As an example, if ( G, × G ) and ( R , × R ) are two groups and we have a signat ure scheme S i g : K × G → R t hat is also a group homomorphism from G t o R for each k ∈ K , t hen t his will qualify as a signat ure scheme t hat is homomorphic wit h respect t o × G , since we may t ake y ⊗ k ′ y = y × R y . T his definit ion requires t hat signat ures derived via ⊗ k ′ be indist inguishable from signat ures generat ed by t he privat e key holder, which we refer t o as hist oryindependence. T his precludes t rivial schemes t hat , for example, allow t he ordered pair ( y, y ) t o serve as a signat ure on x ⊙ x . Alt hough t he definit ion above is for det erminist ic signat ure schemes, ext ending it t o probabilist ic schemes is st raight forward; one can simply require t hat t he dist ribut ion of y ⊗ k ′ y be indist inguishable from t hat of S i g ( x ⊙ x ). For homomorphic signat ure schemes, we need a new definit ion of security. T he st andard not ion of security against exist ent ial forgeries is t oo st rong: no homomorphic signat ure scheme could ever sat isfy it , because given two signat ures on messages x and x , one can generat e a signat ure on t he new message x = x ⊙ x wit hout asking t he signer for a signat ure on x explicit ly. Fort unat ely, t here is a nat ural ext ension. Suppose t he adversary has obt ained signat ures on queries x 1 , . . . , x q . Such an adversary can deduce signat ures on x i ⊙ x j , ( x i ⊙ x j ) ⊙ x k , and so on; in ot her words, no message in span ( x 1 , . . . , x q ) seems t o be safe. T herefore, we will require t hat no adversary be able t o deduce a valid signat ure on anyt hing out side span ( x 1 , . . . , x q ). ′













′ ′



′ ′





( t , q, ǫ ) secu re again st existen tial forgeries with respect to ⊙ if every adversary A m akin g at m ost q chosen -m essage qu eries an d ru n n in g in tim e at m ost t has advan tage A dv A ≤ ǫ . T he advan tage of an adversary A is defi n ed as the probability that, after qu eries on the m essages x 1 , . . . , x q , A ou tpu ts a valid sign atu re  x ′ , y ′ on som e m essage x ′ ∈ / span ⊙ ( x 1 , . . . , x q ) . In other words, A dv A = P r[A S i g ( k , · ) = ′ ′ ′ ′ ′  x , y ∧ V r f y ( x , y ) = o k ∧ x ∈ / span ⊙ ( x 1 , . . . , x q )].

D e fi n i t i o n 2 . W e say that a hom om orphic sign atu re schem e S i g is

In some cases, we might want an addit ional guarant ee t hat t he operat ion ⊙ does not allow t he adversary t o creat e t oo many new signat ures. Consider t he addit ive signat ure schemes broken lat er in Sect ion 6: T hey are good candidat es t o sat isfy Definit ion 2, yet knowledge of a single signat ure could allow an at t acker t o sign every ot her possible message. T herefore, we int roduce t he concept of security against random forgeries: : K × M → Y is said to be ( t , q, ǫ ) secu re again st ran dom forgeries if every adversary A m akin g at m ost q chosen m essage qu eries an d ru n n in g in tim e at m ost t has advan tage A dv A ≤ ǫ . T he advan tage of an adversary is the probability that it can ou tpu t a valid sign atu re on a n ew m essage x ′ chosen by the referee u n iform ly at ran dom from M an d in depen den tly of all the adversary ’s chosen -m essage qu eries. In other words, A dv A = P r[V r f y ( x ′ , A S i g ( k , · ) , c ′ ) = o k ] where c x ′ is the con stan t fu n ction that alway s retu rn s x ′ an d where the adversary is n ot allowed to m ake an y fu rther qu eries to its sign in g oracle after lookin g at the valu e x ′ . D e fi n i t i o n 3 . T he sign atu re schem e S i g

x

248

Robert J ohnson et al.

For example, one might reasonably conject ure t hat t ext book RSA signat ures are secure against random forgeries. T he security of a homomorphic signat ure scheme seems t o depend on two relat ed not ions: t he size of span ( x 1 , . . . , x q ) for small set s of messages, and t he diffi culty of t he decomposit ion problem, i.e. given x ∈ span ( x 1 , . . . , x q ), find an explicit decomposit ion of x in t erms of t he x i ’s and t he ⊙ operat ion. If decomposit ion is hard, t hen t he scheme may be secure even if t he spans of small set s of messages are quit e large, as is t he case wit h RSA. T he scheme may also be secure if t he decomposit ion problem is easy, but most set s of messages only span a small port ion of t he message space. Redact able signat ures are just such a scheme. T he t rouble occurs when a scheme admit s bot h easy decomposit ion and large spans. Indeed, t his is exact ly what renders addit ive schemes so vulnerable t o random forgeries. One can easily generalize t he above not ions t o operat ions t hat t ake an arbit rary number of operands, and t o schemes t hat are simult aneously homomorphic wit h respect t o more t han one operat ion. We can also consider signat ure schemes t hat are homomorphic wit h respect t o a number of int erest ing mat hemat ical st ruct ures. If ( G, × G ) is a group, t hen we say t hat S i g : G → Y is a group-homomorphic signat ure scheme if it is homomorphic wit h respect t o t he binary operat or × G as well as t he unary inversion operat ion x → x 1 . If ( M , × M ) is a semigroup 1 , t hen we say t hat S i g : M → Y is a semigroup-homomorphic signat ure scheme if it is homomorphic wit h respect t o t he binary operat or × M . If ( R , × R , + R ) is a ring, we say t hat S i g : R → Y is a ring-homomorphic signat ure scheme if it is homomorphic wit h respect t o bot h 2 × R and + R . Boneh et al. have shown t hat every field-homomorphic signat ure scheme S i g : F → Y can be broken in subexponent ial t ime [10]. ⊙





4

R e d a c t a b le S ig n a t u re s

T he problem . Redact able signat ures are int ended t o model a sit uat ion where a

censor can delet e cert ain subst rings of a signed document wit hout dest roying t he ability of t he recipient t o verify t he int egrity of t he result ing (redact ed) document . In part icular, we allow t he censor t o replace arbit rary bit posit ions in t he document wit h a special symbol ♯ represent ing t he locat ion of t he delet ions. (Our const ruct ion can be readily generalized t o any alphabet , so t hat t he signer can limit redact ions t o whole words, sent ences, et c., but for simplicity we describe only t he case of bit st rings here.) Redact able signat ures might have several applicat ions. T hey permit delet ion of arbit rary subst rings of a document , and t hus might be useful in proxy cryp1

2

Recall t hat a sem i group is a set M t oget her wit h an associat ive binary operat or × M wit h t he property t hat M is closed under × M . Boneh et al. not ed t hat t heir at t ack applies t o all det er m i ni st i c field-homomorphic encrypt ion schemes, but not t o randomized encrypt ion schemes. We observe t hat t heir result also applies t o all field-homomorphic signat ure schemes, whet her t he signat ure scheme is det erminist ic or randomized.

Homomorphic Signat ure Schemes Alice spends 60 hours a week t rying t o find ways t o add value t o our bot t om line, and never have I known her t o shirk her dut ies. Alice is a t rue asset t o our company, and I cannot t hink of one person bet t er suit ed t o your requirement s.

Alice spends 60 hours a week t rying t o find ways t o shirk her dut ies, and I can t hink of one person bet t er suit ed t o your requirement s.

249

Alice spends 60 hours a week t rying t o find ways to ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯

shirk her dut ies

♯ ♯ ♯ ♯ ♯ ♯

♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ ♯ , and I can ♯ ♯ ♯ t hink of one person bet t er suit ed t o your requirement s.

An illust rat ion of t he need t o disclose t he locat ion of redact ions. T he left shows a sample document t hat one might sign wit h a redact able signat ure scheme. T he middle shows one subst ring t hat might be obt ained if t he locat ion of redact ions is not made explicit in t he result ; not e how t he meaning of t he original document has been violat ed. T he right shows t he corresponding redact ion obt ained if delet ions are disclosed explicit ly; not e how t he at t empt ed t rickery is revealed by t his count ermeasure. Because of t his pot ent ial for t his sort of semant ic at t ack when t he locat ion of delet ions are not made explicit , as illust rat ed here, all our const ruct ions follow t he model shown on t he right of making delet ions explicit .

F ig. 1 .

t ography or increment al crypt ography. As t heir name suggest s, t hey also permit redact ion and censorship of signed records wit h an unt rust ed censor: t he censor cannot forge document s, except t hose obt ained by redact ion of a legit imat ely signed document . S em an tic attacks an d ou r form u lation of redaction . Making t he problem st at e-

ment more precise exposes a subt le t rap here. A nat ural first at t empt at a definit ion might require t hat , given a signat ure S i g ( x ) on x , one can obt ain a signat ure S i g ( w ) on any subst ring w of x t hat is obt ained by delet ing some of t he symbols in x . However, t his formulat ion of t he problem has a serious limit at ion: such a scheme will conceal t he presence of delet ions, which int roduces t he risk of semant ic at t acks. Wit hout indicat ion of where t he redact ion has occurred, an at t acker might legally be able t o t runcat e t he end of one sent ence, delet e t he beginning of t he next , and slice t hem t oget her t o get a message t he sender would not have aut horized. For an example, see Figure 1. To defeat semant ic at t acks, we inst ead use a formulat ion where t he presence of redact ed segment s are made explicit . We define t he concept more formally as follows. Let us t ake Σ = { 0, 1, ♯ } . We define a part ial order on Σ so t hat ♯ 0, ♯ 1, and a a for each a ∈ Σ (and no ot her non-t rivial relat ions hold). T his induces a part ial order on Σ by pointwise comparison, namely, w 1 · · ·w n x 1 · · ·x n holds if w i x i for each i . We say t hat t he document w is a redaction of x if w x , or in ot her words, if w can be obt ained from x by replacing some posit ions of x wit h t he ♯ symbol. T he signat ure scheme S i g : Σ → R is called redactable if we can derive from a signat ure S i g ( x ) on x a signat ure S i g ( w ) on any redact ion w x we like, wit hout t he help of t he signer. ∗



250

Robert J ohnson et al.

Not e t hat , in t his model, we do not at t empt t o hide t he locat ion of t he censored port ions of t he document s. T hus, a signat ure S i g ( w ) on a redact ion w of x may legit imat ely reveal which port ions of x were delet ed, and specifically, t he presence and locat ion of redact ed segment s is prot ect ed from t ampering by t he signat ure. However, it does not reveal t he previous cont ent s of t he redact ed port ions of t he document . We expect t hat t his privacy property may be import ant t o many applicat ions. Redact able signat ures may be viewed as an inst ance of a homomorphic signat ure scheme endowed wit h operat ions D i : Σ → Σ t hat replace t he i -t h bit posit ion wit h a ♯ symbol. T he requirement t hat signed document s be redact able is equivalent t o requiring t hat our signat ure scheme be homomorphic wit h respect t o t hese unary operat ors. ∗



A trivial con stru ction . T here is one obvious way t o build redact able signat ures.

We fix a t radit ional signat ure scheme S i g 0 ; no special homomorphic propert ies are required from S i g 0 . We assume for simplicity t hat our base signat ure scheme permit s message recovery, but t his assumpt ion is not essent ial. In t he t rivial const ruct ion, t o sign a message x of lengt h n , we generat e a fresh key pair ( s, v ) for some secure convent ional signat ure scheme, and t hen t he signat ure on x is S i g (x )

=

 S i g 0 ( n, v ) , s(1, x 1 ) , . . . , s( n, x n )

.

Verificat ion is st raight forward. T he key pair essent ially serves as a document ID. Wit hout it , an at t acker could replace t he i t h component of any signed message wit h t he i t h component of any ot her signed message, which we do not wish t o allow. To redact a signed message, we simply erase t he appropriat e segment s of t he message and t he corresponding posit ions in t he signat ure. For inst ance, redact ing t he first symbol in S i g ( x ) yields a signat ure  S i g 0 ( n, v ) , s(2, x 2 ) , . . . , s( n, x n ) . T his scheme support s a privacy property: redact ed signat ures do not reveal t he redact ed part s of t he original message. We can see t hat t hey reveal t he locat ions t hat have been redact ed, much like typical redact ion of paper document s does, but t his is all t hat is leaked. However, t his t rivial scheme has a serious limit at ion: t he signat ure S i g ( x ) is very long. If s produces m -bit signat ures, t hen t he const ruct ion above yields signat ures of lengt h m n + O (1), which is likely t o be large compared t o t he lengt h of t he message, n . T herefore, t he challenge is t o find a scheme wit h much short er signat ures. O u r con stru ction . We describe how t o build a secure redact able signat ure scheme

out of any t radit ional signat ure scheme. T he main idea is t o combine Merkle hash t rees [18] wit h t he GGM t ree const ruct ion for increasing t he expansion fact or of a pseudorandom generat or [21]. We first generat e a pseudorandom value at each leaf by working down t he t ree (using GGM), t hen we comput e a hash at t he root by working up t he t ree (using Merkle’ s t ree hashing). We describe in det ail how t o sign a message x of lengt h n . First , we arrange t he symbols of t he message at t he left most leaves of a binary t ree, wit h each leaf

Homomorphic Signat ure Schemes

 k

=

0, k η 1 η

G

✘ ✘ ✘ ✘

(k η )

✘✾ ✘ ✘ ❩ ✚ ✚

❂✚

✁☛ x

=

( )=

S ig x

❳ ❳ ❳

G



G

G

✁ ✁ ❆ ❆❯

✁☛

G

, S i g 0 (v ǫ ǫ

v1

✚❃ ✚

✚ ❆

✁✕ ❆ ✁ ❆❯

H

3❥

)

2❥

❩} ❩

H



v 10

k 01



 k

❳ ❳

H

❩⑦

k 00



✲ ❳② ❳

k0

1❥



kǫ , vǫ

251

v 11

✁✕

❆❑

❆ ❆

✁ ❆



❆❑

H

✁ ❆

k 000

k 001

k 010

k 011

v 100

v 101

v 110

v 111

x 000

x 001

x 010

x 011

x 100

x 101

x 110

x 111



=

H

(0, k η

, x η

)

F i g . 2 . A redact able signat ure on t he message x =  x 000 , x 001 , . . . , x 111  . T he message is signed in t hree phases: first , we generat e k -values by recursing down t he t ree wit h t he P RG G ; t hen, we generat e v -values by recursing up t he t ree wit h t he hash H ; finally, we sign v ǫ using our convent ional signat ure scheme. To avoid clut t ering t he diagram, we show t he downward phase only on t he left branch of t he t ree, and t he upwards phase only on t he right branch of t he t ree, but t he full scheme requires we t raverse bot h branches in bot h direct ions.

at dept h ⌈ lg n ⌉ . We ident ify nodes of t he t ree wit h element s of { 0, 1} , so t hat a node η has children η 0 and η 1, and t he empty st ring ǫ denot es t he root node. Let G : K → K × K be a lengt h-doubling pseudorandom generat or, let H be a crypt ographic hash funct ion, and pick k ǫ ∈ K uniformly at random. We use a t hree-phase algorit hm (see Figure 2, which shows phase one on t he left and phase two on t he right ): ∗

We use t he GGM t ree const ruct ion t o associat e a key k η t o each node η . In ot her words, we define a key for each node of t he t ree by t he recursive relat ion  k η 0 , k η 1 = G ( k η ). H a sh i n g : We t hen comput e a hash value v ℓ for each leaf a as v ℓ = H (0, k ℓ , x ℓ ) and apply t he Merkle hash const ruct ion, i.e., we recursively comput e vη = H (1, vη 0 , vη 1 ) (or, if only a left child exist s, H (1, vη 0 )). S i g n i n g : Finally, we sign t he root of t he hash t ree using our base signat ure scheme S i g 0 , and comput e t he signat ure on x as S i g ( x ) =  k ǫ , S i g 0 ( vǫ ) .

E x p a n si o n :

Verificat ion is st raight forward, since given k ǫ and x we can comput e vǫ and check t he signat ure. Next , we describe how t o redact a signed message. To erase posit ion ℓ from a signed message x , we need t o reveal vℓ . At first sight , revealing vℓ = H (0, k ℓ , x ℓ ) would appear t o be very dangerous, since given k ǫ we can comput e k ℓ and t hen it erat e over all possible values of x ℓ t o learn t he value of t he erased symbol. T his would violat e t he secrecy property. To rest ore secrecy, we t ake advant age of t he GGM t ree. When we erase x ℓ , we will also erase k ǫ , and reveal only what is needed t o verify t he signat ure wit hout

252

Robert J ohnson et al.

F i g . 3 . A redact ion of t he signat ure on x , wit h t he two bit s x 100 and x 101 delet ed. Like in F ig. 2, we show only part of t he signat ure process, t o avoid clut t ering t he diagram.

leaking k ℓ . T he not ion we need is as follows: define t he co-n odes associat ed t o a leaf ℓ t o be t he siblings of t he nodes along t he pat h from ℓ t o t he root . We reveal k η at each co-node η associat ed t o ℓ , as t his is exact ly what is needed t o check t he result ing signat ure. T hus, redact ing x ℓ from S i g ( x ) would yield  v ℓ , { k η : η a co-node of ℓ } , S i g 0 ( v ǫ ) . Not e t hat t here are at most lg n co-nodes associat ed t o any single leaf. We can repeat t he above procedure t o furt her redact an already-redact ed signat ure, if we like. In t he case of redact ions in consecut ive part s of t he document , we compact t he signat ure by using t he t ree st ruct ure: if t he signat ure cont ains simult aneously vη 0 and vη 1 for some η , t hen we replace t hese two quant it ies wit h t he single value vη , and we similarly replace k η 0 , k η 1 wit h k η . T his bot h short ens t he signat ure and hides t he order in which redact ions were performed, ensuring a sort of pat h-independence property. T hus, t hough signat ures will grow in lengt h, t he lengt h may grow only slowly if t here is some locality t o t he sequence of redact ions. At worst , each consecut ive segment of erasures of lengt h n from a message of lengt h n adds O (lg n ) hash values and O (lg n ) key values t o t he signat ure. T his signat ure scheme produces signat ures t hat are relat ively short . If S i g 0 yields m -bit signat ures and if we use m -bit hash values and keys, t hen an unredact ed signat ure is only m + m bit s long. T his is a const ant in n , t he lengt h of t he message. Aft er erasing s segment s, each of lengt h at most n , t he signat ure will be m + O ( sm lg( nn )) bit s long. In general, signat ures could be as long as m + O ( nm ) bit s aft er many redact ions, but we can expect t hat in pract ice t he number of erased segment s will typically not be t oo large and hence signat ures should oft en be quit e short . T herefore, t his is a considerable improvement over t he t rivial const ruct ion out lined earlier. T his signat ure scheme also has an addit ional homomorphic property. For a fixed message x , we can form t he lat t ice of subst rings L x = { w ∈ Σ : w x} , where t he join v ⊔ v is t he unique least w ∈ L x sat isfying v w and v w , and ′























Homomorphic Signat ure Schemes

253

t he meet is defined dually. We not e t hat given two redact ions S i g ( v ) and S i g ( v ) of a common signat ure on a message x , we can comput e signat ures S i g ( v ⊔ v ) and S i g ( v ⊓ v ) on t heir join and meet . In ot her words, our scheme is also homomorphic wit h respect t o t he binary operat ions ⊔ and ⊓ . We imagine t hat t his might be useful in some applicat ions. ′





S ecu rity an aly sis. We show in Appendix A t hat t his const ruct ion is secure

against exist ent ial forgeries under reasonable crypt ographic assumpt ions3 . See t he appendix for det ails.

5

S e t -H o m o m o rp h ic S ig n a t u re s

We now t urn t o operat ions on set s and derive a scheme which simult aneously support s t he union and subset operat ions. More precisely, t he scheme allows anyone possessing set s U1 , U2 and S i g ( U1 ) , S i g ( U2 ) t o comput e S i g ( U1 ∪ U2 ) and S i g ( U ) for any U ⊆ U1 . Not e t hat t hese two operat ions, union and subset , can be combined t o creat e many ot hers, such as set diff erence, symmet ric diff erence, and int ersect ion, so t his scheme seems part icularly powerful. As an example applicat ion, at t he end of t his sect ion we will const ruct an alt ernat e redact able signat ure scheme which has many advant ages over t he one present ed in Sect ion 4. T he const ruct ion is based on t he accumulat or t echnique [9]. To begin, let h be a public hash funct ion so t hat , for all x , h ( x ) is uniformly dist ribut ed over  t he odd primes less t han n [16]. If we ext end h t o set s via h ( U ) = u U h ( u ), t hen h ( U1 ∪ U2 ) = lcm( h ( U1 ) , h ( U2 )), assuming t here are no h -collisions between element s of U1 and U2 . Each user creat es a rigid RSA modulus n and v ∈ ( Z / n Z) select ed uniformly at random. Recall t hat an RSA modulus n = pq is rigid if p 1 and q 2 1 are prime and | p| = | q| [9]. By choosing n t his way, we ensure t hat 2 gcd( h ( x ) , ϕ ( n )) = 1 for almost all x . To sign a set U , one comput es S i g ( U ) = 1 v ( ) mod n . Not e t hat since h ( U ) is relat ively prime t o ϕ ( n ), t here is exact ly one solut ion y t o t he equat ion y h ( U ) = v . To verify a signat ure y on a set U , one need only check t hat y h ( U ) = v mod n . 1 1 Given U1 , U2 and signat ures v ( 1 ) , v ( 2 ) , comput ing t he signat ure on U1 ∪ U2 is easy. First use t he Euclidean algorit hm t o find a and b such t hat a · h ( U1 ) + 1 1 1 b · h ( U2 ) = gcd( h ( U1 ) , h ( U2 )). T hen ( v ( 1 ) ) b ( v ( 2 ) ) a = v l c m ( ( 1 ) ( 2 ) ) , which is t he desired signat ure. If U ⊆ U1 t hen S i g ( U1 \ U ) = S i g ( U1 ) h ( U ) , so comput ing subset signat ures is also st raight forward. As wit h t he redact able signat ure problem, we’d like t o show t his scheme is resist ant t o forgeries and t hat it sat isfies t he hist ory-independence requirement for homomorphic signat ure schemes. T he lat t er is clearly sat isfied since t he signat ure on a set U is independent of how we obt ain t hat signat ure: st art ing wit h a signat ure S i g ( U1 ) on U1 and t hen removing t he element s in U2 t o get h (U2 ) S i g ( U1 ) yields exact ly t he same result as asking for t he signat ure on U1 \ U2 ∈





h



U

h

U

h

h

U

U

h

U

h

U

, h

U



3

We do not address security against random forgeries, as it is not clear what is t he right dist ribut ion on t he message space.

254

Robert J ohnson et al.

direct ly, i.e., S i g ( U1 ) h ( U 2 ) = S i g ( U1 \ U2 ). A similar property holds for t he union operat ion, and so t his scheme is hist ory-independent . T he resist ance of t his scheme t o forgeries requires a more det ailed security analysis, but basically it rest s on t he diffi culty of comput ing k t h root s modulo an RSA modulus and on t he randomness of t he hash funct ion. Before we give t he proof, we should st at e clearly t he paramet erizat ion of t he diffi culty of t he RSA problem. We assume t hat RSA behaves as a good t rapdoor permut at ion, as ot hers have suggest ed before [6,7]. T his assumpt ion appears t o be weaker t han t he so-called St rong RSA assumpt ion [2]. D e fi n i t i o n 4 . Let H k = { pq : p an d q are safe prim es, p = q, an d | p| = | q| = k } . W e say R S A is a ( t , ǫ r ) -secu re trapdoor perm u tation if for an y adversary A with ru n n in g tim e less than t , we have P r[A ( n, e, x e ) = x ] < ǫ r , where the probability is taken over the choice of n ∈ H k , e ∈ ( Z / ϕ ( n ) Z ) ∗ , x ∈ ( Z / nZ ) ∗ , an d the coin tosses of A .

T he following t heorem relat es t he security of t he set -homomorphic signat ure scheme t o t he security of RSA, and shows essent ially t hat if t he signat ure scheme is insecure, t hen an at t acker could exploit t hat weakness t o break RSA wit hout t oo much more work. Not e t hat t he t heorem guarant ees security even when t he adversary can make a number of adapt ively chosen signat ure queries, which seems t o be an ext ension of previous result s. (t , ǫ r )secu re on e-way fu n ction . T hen the set-hom orphic sign atu re schem e S i g defi n ed above is ( t ′ , qh , ǫ ) -secu re again st existen tial forgery with respect to su bset an d u n ion operation s given that the total n u m ber of hash oracle qu eries perform ed is less than qh , where ǫ ≈ qh ǫ r log n + qh2 log n/ n an d t ′ ≈ t 4 . T h e o r e m 1 . Let h be a ran dom oracle as above. A ssu m e that R S A is a

P roof. (sket ch) We give a proof by cont radict ion. Assume t he above t heorem is false, meaning t here exist s an adversary A which can ( t ′ , ǫ )-break t he set homomorphic signat ure scheme S i g . Assume aft er A performs a number of random oracle queries and obt ains signat ures on set s x 1 , . . . , x q , A out put s a forgery on x ∗ where x ∗ is not in t he span of x 1 , . . . , x q under subset and union operat ions. T his means t here exist s an element y ∈ x ∗ such t hat y ∈ x i , for all 1 ≤ i ≤ qs , and A knows u such t hat u h ( y ) = v . T here are two cases: s

s

– –

We have h ( y ) = h ( y ) for all y ∈ ∪ 1 i q x i . We have h ( y ) = h ( y ) for some y ∈ ∪ 1 i q x i . T his happens wit h probability at most qh2 log n/ n (by t he prime number t heorem and t he birt hday paradox). ′









s







s

If t he first case happens wit h probability higher t han qh ǫ r log n , we show as following t hat we can const ruct an adversary B ( n, e, z ) using A which can ( t , ǫ r )break RSA. In part icular, if e is prime, B runs t he following game using A . (Ot herwise, t he simulat ion fails; t his happens wit h probability at most about 1/ log n , by t he prime number t heorem.) 4

T he t ot al number of hash oracle queries include t he ones made by made by t he signing procedure.

A

and t he ones

Homomorphic Signat ure Schemes

255

first select s uniformly randomly qh primes p1 , . . . , pq not equal t o e. T hen f mod n . Due t o t he choice of n , we have 1 i q pi and v = z gcd( f , ϕ ( n )) = 1 wit h overwhelming probability, and t hus t he map z → z f mod n is biject ive on ( Z / n Z) . T his means t hat v is uniformly dist ribut ed on ( Z / n Z) , since z is, so we can feed v as an input t o A and it will have t he right dist ribut ion. B also select s a random int eger k ∈ { 1, . . . , qh } . B const ruct s t he hash oracle as follows. Given a hash oracle query on element w , if w has been queried before, t hen ret urns t he previous corresponding answer. For t he j -t h unique hash oracle query w j , if j = k , t hen ret urn t he prime pj ; ot herwise, ret urn e. B const ruct s t he signing oracle t hat A queries as follows. Given a signing query on a set of m element s U = { a1 , . . . , am } , B queries t he hash oracle t o obt ain h ( a1 ) , . . . , h ( am ).If for some 1 ≤ i ≤ m , h ( ai ) = e, t hen abort ; ot herwise, ret urn b = z f / ( 1 ≤ ≤ h ( a ) ) . It is easy t o see t hat b is a valid signat ure on t he set U . If at t he end of t he game, A out put s an exist ent ial forgery on a set of element s t hat includes an element y such t hat h ( y ) = e, t hen B can learn from A ’ s forgery a value u sat isfying u h ( y ) = v = z f . Because e is prime, gcd( e, f ) = 1, and we can comput e α and β such t hat α e + β f = 1 using t he Eulidean algorit hm. T hus z = ( u β z α ) e , and B out put s u β z α as t he e-t h root of z . Ot herwise, abort t he game.

– B

h

B set s f =





h









i



m

i

If A out put s an exist ent ial forgery and e is prime, t he probability t hat B succeeds is at least 1/ qh . So if t here exist s an adversary A t hat ( t , ǫ )-breaks t he set homomorphic signat ure scheme, we can const ruct an adversary B t hat ( t , ǫ r )breaks RSA. ′

T he set -union scheme suggest s anot her solut ion t o t he redact able document signat ure problem. To sign t he document x = ( x 1 , . . . , x k ), first select a random unique document ident ifier, k x , and t hen sign t he set of t riples D = { ( k x , i , x i ) } , say y = S i g ( D ). T he complet e redact able signat ure is ( k x , y ), and verificat ion is st raight forward. To comput e t he signat ure on t he message wit h word i redact ed, simply comput e y = S i g ( D \ { ( k x , i , x i ) } ) = y h ( k , i , x ) , and t he new signat ure is ( k x , y ). Not e t hat t his scheme also reveals t he locat ions of t he redact ions, prevent ing t he semant ic at t acks described in Sect ion 4. Not only is t his scheme much simpler t o implement and easier t o underst and t han our prior redact able scheme, t he signat ures produced in t his scheme are of const ant lengt h. ′

x

i



6

A d d it iv e S ig n a t u re S ch e m e s

We describe next a number of schemes t hat we have st udied in our search for an addit ive signat ure scheme. All of t hem t urn out t o be insecure, and in int erest ing ways. More precisely, t he schemes we examine all have an undesirable property t hat is likely t o make t hem useless in pract ice: given signat ures on a small set of known messages, we can forge signat ures on all ot her possible messages. T hus, such schemes are insecure against random forgeries as described in Definit ion 3.

256

Robert J ohnson et al.

C on stru ction s bu ilt from m u ltiplicative sign atu re schem es. If we have a mult iplicat ive signat ure scheme S i g : G → R as well as a group homomorphism ϕ : Z/ m Z → G from t he addit ive group Z/ m Z t o t he mult iplicat ive group G , t hen a nat ural candidat e for an addit ive signat ure scheme S i g + : Z/ m Z → R is S i g + = S i g ◦ ϕ . For inst ance, we can inst ant iat e S i g wit h RSA. In t his case, G = (Z/ n Z) , and every homomorphism from Z/ m Z t o (Z/ n Z) t akes t he form ϕ ( x ) = gx (mod n ) for some g ∈ G , so our const ruct ion t akes t he form xd S i g + (x ) = g (mod n ). To see why any such scheme must be insecure against random forgeries, suppose S i g + : Z → G is a group-homomorphic signat ure scheme. T hen S i g + is ent irely det ermined by S i g + (1). T hus, if we can recover a few messages m 1 , . . . , m k such t hat gcd( m 1 , . . . , m k ) = 1, t hen since  t here exist a1 , . . . , ak ∈ Z such t hat  ai S i g + ( m i ). Given t his informat ion, a m = 1, we can comput e S i g (1) = i i + i i we can comput e S i g + ( m ) = m S i g + (1) for any m . T his at t ack easily ext ends t o group homomorphic signat ures S i g + : Z/ n Z → G by lift ing t o Z, applying t he Euclidean algorit hm, and project ing back down t o Z/ n Z. Since any small set of messages will likely have gcd 1, t his scheme is vulnerable t o random forgeries aft er only a few messages have been signed. T hese weaknesses are very general. In part icular, t hey apply t o almost any inst ance of t he const ruct ion S i g + = S i g ◦ ϕ . As anot her import ant example, every addit ive signat ure scheme t hat forms a group homomorphism is insecure against random forgeries. It is perhaps count erint uit ive t hat mult iplicat ive signat ure schemes are plent iful while fully-addit ive schemes do not exist . T he explanat ion seems t o be t he fact t hat Z/ m Z has a Euclidean algorit hm, but (Z/ n Z) does not . In ot her words, it is not t hat t he span is larger in Z/ m Z, but t hat t he decomposit ion problem is easy in Z/ m Z but hard in (Z/ n Z) . One might imagine t hat t he problem is t he need t o be homomorphic wit h respect t o bot h addit ion as well as negat ion, and t hus one idea might be t o look for a scheme t hat respect s only t he addit ion operat or but not t he negat ion. In ot her words, given S i g + ( x ) , S i g + ( y ), we st ill want t o be able t o comput e S i g + ( x + y ), but it should be hard t o comput e S i g + ( − x ) from S i g + ( x ). Not e t hat t he problems wit h addit ive signat ures arise because one can find a, a ∈ Z so t hat ax + a x = 1 and t hen comput e S i g + (1) = S i g + ( ax ) × S i g + ( a x ); yet one of a, a will necessarily be negat ive. If we can somehow ensure t hat comput ing S i g + ( − x ) from S i g + ( x ) is hard, t hen t he Euclidean algorit hm will no longer apply, and t he above at t acks will fail. T his suggest s t hat we may want t o look for an addit ive signat ure scheme wit hout inverses (a semigroup-homomorphism), as such a scheme would resist t he at t acks described so far. ×

×

×





×

















Fu rther challen ges. Yet even an addit ive signat ure scheme wit hout inverses st ill

has some propert ies t hat might not be expect ed. In part icular, t here is t he problem t hat signat ures can always be forged on all large enough messages, given signat ures on two messages m , m . T his is because t he equat ion ′

am + a′ m ′ = x

(in Z)

Homomorphic Signat ure Schemes

257

typically has solut ions wit h a, a ≥ 0 when x ≥ lcm( m , m ), and in t his case a signat ure on x can be obt ained from signat ures on m , m . More generally, if we have signat ures S i g ( m 1 ) , . . . , S i g ( m k ), t hen we can forge a signat ure S i g ( x ) whenever we can writ e x in t he form x = a1 m 1 + · · ·+ ak m k for some known a1 , . . . , ak ∈ Z 0 . T his is a subset sum problem, and t he issue is t hat if t he m i are small enough, t he subset sum problem is easy t o solve. So our only hope is t o choose addit ive signat ures wit hout inverses, only sign messages large enough t hat subset sum is hard (require m i ≥ ℓ for some lower bound ℓ ), and refuse t o accept unusually large messages (enforce m i ≪ ℓ 2 ) in t he verificat ion algorit hm. ′







A dditive schem es in higher dim en sion s. More generally, we could look for an addit ive scheme S i g + : (Z/ m Z) d → R in dimension d > 1. Unfort unat ely, t his

does not seem t o off er much opport unity t o design a secure signat ure scheme, eit her. Alt hough increasing t he dimension does make more work for t he at t acker, a slight ext ension of t he previous remarks st ill applies. O b se r v a t i o n 1 In an y additive sign atu re schem e on the lattice L

= (Z/ m Z) d ,

if on e can obtain sign atu res S i g ( x 1 ) , . . . , S i g ( x d ) , where x 1 , . . . , x d are a basis for L , then on e can su cceed at an y ran dom forgery .

Knowing t he signat ures on a basis is useless if comput ing t he represent at ion of a given message in t hat basis is hard. If we could comput e t he signat ures of t he st andard basis element s given t he signat ures on t he element s of anot her basis, t hen commit t ing random forgeries would be easy. Not e t hat t he element s of t he st andard basis are t he short est vect ors in t he lat t ice Zd , so lat t ice reduct ion t echniques may be used t o discover represent at ions of t he st andard basis element s in t erms of messages wit h known signat ures. T he t heoret ical bounds on t he lengt h of t he short est vect or ret urned by LLL are not very t ight , but in pract ice it can find a represent at ion of t he st andard basis of (Z/ m Z) d wit h only (1 + ǫ ) d input vect ors. T hus, we only need t o collect (1 + ǫ ) d signed messages before we can commit random forgeries wit h ease. T herefore, it seems t o be a challenging open problem t o find a secure addit ive signat ure scheme.

7

O p e n P ro b le m s

S et-hom om orphic sign atu res. We may look for a set -homomorphic signat ure

scheme t hat is homomorphic wit h respect t o operat ions ot her t han union and subset . For example, consider t he following const ruct ion: Let S i g : G → R be an arbit rary mult iplicat ive signat ure scheme on some group G . For a set U = { x 1 , . . . , x k } , define t he hash funct ion f h ( U ) = h ( x 1 ) · · · h ( x k ), where h : X → G is a crypt ographic hash funct ion on element s in X . T hen S i g = S i g ◦ f h is a signat ure scheme wit h t he property t hat wit h signat ures, S i g ( U ) and S i g ( V ), on two disjoint set s U and V , one can comput e t he signat ure on t heir union, ×

×

258

Robert J ohnson et al.

S i g (U ∪

V ) = S i g ( U ) × S i g ( V ). If U ⊆ V , one can also comput e t he signat ure on t heir diff erence, S i g ( V \ U ) = S i g ( V ) × S i g ( U ) 1 . We gave anot her example of a set -homomorphic scheme, based on RSA accumulat ors, in Sect ion 5. One int erest ing quest ion is whet her we can design a signat ure scheme t hat is homomorphic only wit h respect t o t he union operat ion. −

C on caten able sign atu res. Let

: { 0, 1} → R be a signat ure scheme. We say t hat it is a concat enable signat ure scheme if, given S i g ( x ) , S i g ( y ), one can comput e (wit hout help from t he signer) a signat ure S i g ( x  y ) on t he concat enat ion of x and y . In ot her words, a concat enable signat ure scheme should be homomorphic wit h respect t o t he semigroup ( { 0, 1} ,  ) of bit -st rings wit h t he concat enat ion operat or  . Rivest has asked [24]: can we design a concat enable signat ure scheme? Sig





S em igrou p sign atu res withou t in verses. Giving an example of a secure semigroup-

homomorphic signat ure scheme seems t o be an int riguing open problem t hat is suggest ed by t his work. We have point ed out inst ances of t his problem several t imes t hroughout t his paper. Micali and Rivest asked whet her t here exist s a t ransit ive signat ure scheme on direct ed graphs [19], and t his domain has a semigroup st ruct ure. One might seek a redact able signat ure scheme support ing only redact ion but not t he join operat ion. An addit ive scheme t hat doesn’t respect subt ract ion might have a chance of being secure. A set -homomorphic scheme t hat allows only t he union operat ion (but not subset t ing) would have a semigroup-homomorphic property, as would a concat enable signat ure scheme. More generally, we suspect t hat any scheme t hat is semigroup-homomorphic but not group-homomorphic might yield insight s int o t hese open problems.

8

C o n c lu sio n s

Homomorphic signat ure schemes present a promising new direct ion for research. Since such schemes necessarily do not sat isfy t radit ional definit ions of security, we have proposed new definit ions of security for t hese new schemes. We have shown t hat a variety of homomorphic signat ure schemes can be designed. We also examined limit s on t heir exist ence, showing t hat , for example, no addit ively group-homomorphic scheme can ever be secure against random forgeries. Perhaps most import ant ly, we have suggest ed several open problems t hat , if solved, might provide useful new schemes support ing a variety of applicat ions.

A ckn ow le d g e m e nt s We t hank Eric Bach and Mika R.S. Kojo for early observat ions on weaknesses in addit ive signat ure schemes. Adrian Perrig originally suggest ed t he idea of using Merkle hash t rees t o support redact ion, which was a key st ep in t he development of t he scheme present ed in Sect ion 4. We also grat efully acknowledge many helpful comment s from Ron Rivest and t he anonymous referees.

Homomorphic Signat ure Schemes

259

R e fe re n c e s 1. Niv Ahit uv, Yeheskel Lapid, and Seev Neumann. P rocessing encrypt ed dat a. C om m uni cat i ons of t he A C M , 30(9):777–780, 1987. 2. Niko Baric and Birgit P fit zmann. Collision-free accumulat ors and fail-st op signat ure schemes wit hout t rees. In A dvances i n C r ypt ology–E U RO C RY P T ’ 97, volume 1233 of L ect ure N ot es i n C om put er Sci ence, pages 480–494. Springer-Verlag, 1997. 3. M. Bellare, O. Goldreich, and S. Goldwasser. Increment al crypt ography: t he case of hashing and signing. In Yvo Desmedt , edit or, A dvances i n C r ypt ology–C RY P T O ’ 94, pages 216–233, Berlin, 1994. Springer-Verlag. Lect ure Not es in Comput er Science Volume 839. 4. M. Bellare, O. Goldreich, and S. Goldwasser. Increment al crypt ography wit h applicat ion t o virus prot ect ion. In F O C S 1995, Berlin, 1995. Springer-Verlag. 5. M. Bellare and P. Rogaway. T he exact security of digit al signat ures–how t o sign wit h RSA and Rabin. In Ueli Maurer, edit or, A dvances i n C r ypt ology– E U RO C RY P T ’ 96, pages 399–416, Berlin, 1996. Springer-Verlag. Lect ure Not es in Comput er Science Volume 1070. 6. Mihir Bellare and P hillip Rogaway. Random oracles are pract ical: A paradigm for designing effi cient prot ocols. In F i r st A C M C onference on C om put er and C om m uni cat i ons Secur i t y , pages 62–73, Fairfax, 1993. 7. Mihir Bellare and P hillip Rogaway. T he exact security of digit al signat ures–how t o sign wit h RSA and Rabin. In Ueli Maurer, edit or, A dvances i n C r ypt ology– E U RO C RY P T 96 , volume 1070 of L ect ure N ot es i n C om put er Sci ence. SpringerVerlag, 1996. 8. J Benaloh. Dense probabilist ic encrypt ion. In Select ed A reas i n C r ypt ography , 1994. 9. J .C. Benaloh and M. de Mare. One-way accumulat ors: A decent ralized alt ernat ive t o digit al signat ures. In E U RO C RY P T ’ 93, 1993. 10. D. Boneh and R. J . Lipt on. Algorit hms for black-box fields and t heir applicat ion t o crypt ography. In Neal Koblit z, edit or, A dvances i n C r ypt ology–C RY P T O ’ 96, pages 283–297, Berlin, 1996. Springer-Verlag. Lect ure Not es in Comput er Science Volume 1109. 11. E. F . Brickell and Y. Yacobi. On privacy homomorphisms. In David Chaum and W yn L. P rice, edit ors, A dvances i n C r ypt ology–E U RO C RY P T ’ 87, pages 117–126, Berlin, 1987. Springer-Verlag. Lect ure Not es in Comput er Science Volume 304. 12. J . Cohen and M. F ischer. A robust and verifiable crypt ographically secure elect ion scheme. In 26t h Sym posi um on t he Foundat i ons of C om put er Sci ence, 1985. 13. Cramer and Damgard. Zero knowledge proofs for finit e field arit hmet ic – or, can zero knowledge be for free? In A dvances i n C r ypt ology–C RY P T O ’ 98, Berlin, 1998. Springer-Verlag. 14. J . Feigenbaum and Merrit t . Open quest ions, t alk abst ract s, and summary of discussions. In D I M A C S Ser i es i n D i scret e M at hem at i cs and T heoret i cal C om put er Sci ence, pages 1–45, 1991. 15. E. Fujisaki, T . Okamot o, and Uchiyama. EP OC : Effi cient probabilist ic encrypt ion. In Subm i ssi on t o I E E E P 1363, 1998. 16. Rosario Gennaro, Shai Halevi, and Tal Rabin. Secure hash-and-sign signat ures wit hout t he random oracle. In A dvances i n C r ypt ology–E U RO C RY P T ’ 99, pages 123–139. Springer-Verlag, 1999. Lect ure Not es in Comput er Science Volume 1592.

260

Robert J ohnson et al.

17. S. Goldwasser and S. Micali. P robabilist ic encrypt ion. J our nal of C om put er and Syst em Sci ences, 28(2):270–299, April 1984. 18. Ralph Merkle. P rot ocols for public key crypt osyst ems. In P roceedi ngs of t he I E E E Sym posi um on Research i n Secur i t y and P r i vacy , Oakland, CA, April 1980. IEEE Comput er Society P ress. 19. S. Micali and R. Rivest . Transit ive signat ure schemes. In T opi cs i n C r ypt ology– C T -R SA 2002 , pages 236–243. Springer-Verlag, 2002. Lect ure Not es in Comput er Science Volume 2271 (T his Volume). 20. D. Naccache and J . St ern. A new public key crypt osyst em based on higher residues. In 5t h A C M Sym posi um on C om put er and C om m uni cat i ons Secur i t y , 1998. 21. Goldreich Oded, Shafi Goldwasser, and Silvio Micali. How t o const ruct random funct ions. J our nal of t he A C M , 33(4):792–807, Oct ober 1986. 22. P P aillier. P ublic-key crypt osyst ems based on composit e degree residuosity classes. In A dvances i n C r ypt ology–E U RO C RY P T ’ 99, volume 1592 of L N C S, 1999. 23. R P eralt a and J . Boyar. Short discreet proofs. In J our nal of C r ypt ology , 2000. 24. R. Rivest . T wo new signat ure schemes. P resent ed at Cambridge seminar; see http://www.cl.cam.ac.uk/Research/Security/seminars/2000/ rivest-tss.pdf, 2001. 25. R. Rivest , L. Adleman, and M.L. Dert ouzos. On dat a banks and privacy homomorphisms. In Foundat i ons of Secure C om put at i on , pages 169–178. Academic P ress, 1978. 26. T . Sander, A Young, and M Yung. Non-int eract ive crypt ocomput ing in NC 1 . In F O C S ’ 99, 1999.

A

S e c u rit y A n a ly sis fo r t h e Tre e R e d a c t io n S ch e m e

T he combinat ion of redact ion and randomizat ion in t he t ree redact ion scheme int roduces one t ricky aspect int o t he definit ion of security. T he adversary might choose a message x ∈ { 0, 1} , and t hough t he censor might be unwilling t o reveal S i g ( x ), t he adversary might be able t o gain access t o a redact ed signat ure S i g ( w ) on some message w x of t he at t acker’ s choice. In t his case our security analysis should ensure t hat t he at t acker cannot use t his part ial knowledge t o obt ain, e.g., a signat ure S i g ( x ) on t he full message x . T herefore, in our model we give t he adversary access t o two diff erent oracles, denot ed R and S . Invoking R ( x ) denot es regist rat ion of a chosen message x ∈ { 0, 1} , and t he regist ered messages are st ored in a list x 1 , x 2 , . . . , x q . Calling S ( i , w ) ret urns t he signat ure S i g ( w ) on t he redact ed message w ∈ Σ , if w x i ; ot herwise, if w is not a valid redact ion of t he message x i specified in t he i -t h call t o R , t he comput at ion abort s. Let W i denot e t he join of all values w t hat appear in some oracle query of t he form S ( i , w ). If an adversary can out put a signat ure on a message t hat is not a redact ion of W i for some i , we say t hat t he adversary has found an exist ent ial forgery. ∗





( t , ǫ G ) -secu re pseu doran dom gen erator, H a ( t , pH ) collision -resistan t hash fu n ction , an d S i g 0 a con ven tion al sign atu re schem e that is ( t , q, pS ) -secu re again st existen tial forgery . S u ppose that F k ( x ) = H (0, k , x ) is

T h e o r e m 2 . Let G be a

Homomorphic Signat ure Schemes

261

a ( t , q, ǫ H ) -secu re pseu doran dom fu n ction . T hen the redactable sign atu re schem e defi n ed above for m essages of len gth at m ost n is ( t ′ , q, p′ ) -secu re again st existen tial forgery with respect to redaction , where p′ = q⌈ lg n ⌉ ǫ G + nqǫ H + pS + ′ pH + 2nq/ 2m an d t ′ ≈ t .

Sig

P roof. (sket ch) Consider any adversary t hat at t empt s t o break t he result ing

modified scheme by exhibit ing exist ent ial forgeries, i.e., by finding a valid signat ure on a message w t hat is not a redact ion of t he join of it s previous queries. We let x i denot e t he i -t h message regist ered wit h R , k η i , vη i denot e t he key and hash value at node η , and we int roduce t he not at ion u iη for t he input t o t he hash funct ion at η so t hat vη i = H ( u iη ). For example, k ǫ i denot es t he key randomly chosen for use wit h x i and it s redact ions, and vǫ i denot es t he root of t he hash t ree on t he signat ure for message x i .   Suppose t he adversary forges a signat ure { vℓ } , { k η } , S i g ( vǫ ) on w . If vǫ = vǫ i for all i , t hen we have found an exist ent ial forgery of S i g 0 , which by assumpt ion happens wit h probability at most pS . T herefore, we assume t hat for some i we have vǫ = vǫ i . Let T denot e t he t ree corresponding t o w , i.e., t he leaf nodes corresponding t o unredact ed symbols in w along wit h all t heir ancest ors. T hanks t o t he propert ies of Merkle t ree hashing, we see t hat T must be a sub-t ree of t he t ree corresponding t o x i . (Ot herwise, t here is some node ℓ t hat is a leaf node in t he t ree for x i but is an int ernal node in T , but t hen we have a hash collision H ( u ℓ ) = H ( u iℓ ) since u ℓ st art s wit h a 1 and u iℓ st art s wit h a 0, which cont radict s t he collision-resist ance of H .) Similarly, t he leaves of T must form leaves in t he t ree for x i , and t he int ernal nodes in T form int ernal nodes in t he t ree for x i . Moreover, t he hash pre-images u η must sat isfy u η = u iη for each η ∈ T . T his t ells us t hat vη = vη i for all η ∈ T . It also t ells us t hat k ℓ = k ℓ i and w ℓ = x iℓ for each leaf node ℓ . T his shows t hat w is a redact ion of x i . T he only case left t o worry about is t hat possibly w includes some symbol not present in W i (recall t hat W i denot es t he join of t he redact ions of x i t hat were queried under oracle S ). In t his case, t here is some leaf node ℓ ∈ T so t hat w ℓ = x iℓ but ℓ is not found in t he t ree corresponding t o W i . In t his case, t he forged signat ure must reveal k η where η is some ancest or of ℓ . But now we can not e t hat k η was never disclosed by any of t he oracle queries (nor was any of t he key values at η ’ s ancest ors). We argue t hat t his would const it ut e a break of G . We can imagine replacing t he key k η and t he keys at each of it s descendant nodes wit h t ruly random values, chosen independent ly of everyt hing else. If any adversary can recognize t his subst it ut ion wit h advant age bet t er t han q⌈ lg n ⌉ ǫ G , t hen according t o t he proof of security for t he GGM t ree const ruct ion [21], t hey can dist inguish G from random wit h advant age bet t er t han ǫ G ; t hus we can assume t hat t his subst it ut ion makes no not iceable diff erence. Now t he only values relat ed t o k η t hat are disclosed is vℓ i = H (0, k ℓ , x iℓ ) for leaves ℓ t hat are descendant s of k η . But , since H (0, k , · ) is a good P RF, we can in t urn imagine replacing each such vℓ i by t ruly random values, chosen ∗



















































262

Robert J ohnson et al.

independent ly of everyt hing else, and no at t acker can recognize t his subst it ut ion wit h advant age bet t er t han nqǫ H wit hout breaking t he P RF assumpt ion. Since t he adversary must present t he value k η in t he forged signat ure, t his means t hat t he adversary has guessed t he value of k η , even t hough k η has never been disclosed and was chosen independent ly of everyt hing else. We can bound ′ t he probability t hat t his happens by 1/ 2m per node, and summing over all t he ′ nodes gives at most 2nq/ 2m . Adding up each of t hese dist inguishing probabilit ies yields t he claimed bound. ∗



G E M : A G e n e ric C h o s e n - C ip h e rt e x t S e c u re E n c ry p t io n M e t h o d J ean-S´ebast ien Coron 1 , Helena Handschuh 1 , Marc J oye2 , P ascal P aillier 1 , David P oint cheval3 , and Christ ophe Tymen 1 , 3 1

Gemplus Card Int ernat ional 34 rue Guynemer, 92447 Issy-les-Moulineaux, France { jean-sebastien.coron, helena.handschuh, pascal.paillier, christophe.tymen} @gemplus.com 2 Gemplus Card Int ernat ional P arc d’ Act ivit´es de G´emenos, B.P. 100, 13881 G´emenos Cedex, France [email protected], http://www.geocities.com/MarcJoye/ 3 ´ Ecole Normale Sup´erieure, Comput er Science Depart ment 45 rue d’ Ulm, 75230 P aris Cedex 05, France [email protected], http://www.di.ens.fr/˜pointche/

T his paper proposes an effi cient and provably secure t ransform t o encrypt a message wit h any asymmet ric one-way crypt osyst em. T he result ing scheme achieves adapt ive chosen-ciphert ext security in t he random oracle model. Compared t o previous known generic const ruct ions (Bellare, Rogaway, Fujisaki, Okamot o, and P oint cheval), our embedding reduces t he encrypt ion size and/ or speeds up t he decrypt ion process. It applies t o numerous crypt osyst ems, including (t o name a few) ElGamal, RSA, Okamot oUchiyama and P aillier syst ems. A b st r a c t .

K e y w o r d s. P ublic-key encrypt ion, hybrid encrypt ion, chosen-ciphert ext security, random oracle model, generic conversion, block ciphers, st ream ciphers.

1

I n t ro d u c t io n

A ma jor cont ribut ion of crypt ography is in form ation privacy : t hrough encrypt ion, part ies can securely exchange dat a over an insecure channel. Loosely speaking t his means t hat unaut horized recipient s can learn not hing useful about t he exchanged dat a. Designing a “good” encrypt ion scheme is a very challenging t ask. T here are basically two crit eria t o compare t he performances of encrypt ion schemes: effi cien cy and security . Security is measured as t he ability t o resist at t acks in a given adversarial model [1,8]. T he st andard security not ion is I N D - C C A 2 security , i . e . , indist inguishability under adapt ive chosen-ciphert ext at t acks (cf. Sect ion 2). Usually, an (asymmet ric) encrypt ion scheme is proven secure by exhibit ing a reduction : if an adversary can break t he I N D - C C A 2 security t hen t he same adversary can solve a relat ed problem assumed t o be infeasible. B . P r e n e e l ( E d .) : C T -R S A 2 0 0 2 , L N C S 2 2 7 1 , p p . 2 6 3 – 2 7 6 , 2 0 0 2 .  c S p r in g e r -Ve r la g B e r lin H e id e lb e r g 2 0 0 2

264

J ean-S´ebast ien Coron et al.

T his paper is aimed at simplifying t he security proof by providing a G en eric E n cryption M ethod ( gem) t o convert an y asymmet ric one-way crypt osyst em int o a provably secure encrypt ion scheme. Hence, when a new asymmet ric one-way funct ion is ident ified, one can easily design a secure encrypt ion scheme. Moreover, t he conversion we propose is very effi cient (comput at ionally and memorywise): t he convert ed scheme has roughly t he same cost as t hat of t he one-way crypt osyst em it is built from.

1.1

P rev ious Work

In [3], Bellare and Rogaway described oaep, a generic conversion t o t ransform a I N D - C C A 2 secure encrypt ion scheme in t he random oracle model [2,7]. Lat er, Fujisaki and Okamot o [5] present ed a way t o t ransform, in t he random oracle model, any chosen -plain text ( I N D - C P A ) secure encrypt ion scheme int o an I N D - C C A 2 one. T hey improved t heir result s in [6] where t hey gave a generic met hod t o convert a on e-way ( O W - C P A ) crypt osyst em int o an I N D - C C A 2 secure encrypt ion scheme in t he random oracle model. A similar result was independent ly discovered by P oint cheval [13]. More recent ly, Okamot o and P oint cheval [12] proposed a more effi cient generic conversion, called react, t o convert any one-way crypt osyst em secure under plain text-checkin g attacks ( O W - P C A ) int o an I N D - C C A 2 encrypt ion scheme. Cont rary t o [5,6,13], re-encrypt ion is unnecessary in t he decrypt ion process t o ensure I N D - C C A 2 security. “partial-dom ain” on e-way trapdoor perm utation int o an

1.2

Our R esult s

T his paper present s gem, a generic I N D - C C A 2 conversion. T he convert ed scheme, Epk , built from any O W - P C A asymmet ric encrypt ion E pk and any lengt h-preserving I N D -secure symmet ric encrypt ion scheme EK , is secure in t he sense of I N D - C C A 2 , in t he random oracle model. As discussed in Sect ion 2, t he security levels we require for E pk and EK are very weak and t he security level we obt ain for Epk is very high.

1.3

Organizat ion of t he P ap er

T he rest of t his paper is organized as follows. In Sect ion 2, we review t he security not ions for encrypt ion, in bot h t he symmet ric and t he asymmet ric set t ings. Sect ion 3 is t he core of t he paper. We present our new padding t o convert , in t he random oracle model, any asymmet ric one-way crypt osyst em int o an encrypt ion scheme t hat is secure in t he stron gest sense. We prove t he security of our const ruct ion in Sect ion 4 by providing and proving a con crete reduct ion algorit hm. F inally, we illust rat e t he merit s of our conversion in Sect ion 5.

2

S e c u rit y N o t io n s

In t his sect ion, we recall t he definit ion of an encrypt ion scheme and discuss some relat ed security not ions. A good reference t o t he sub ject is [1].

GEM: A Generic Chosen-Ciphert ext Secure Encrypt ion Met hod

2.1

265

Encry pt ion Schem es

D efinit ion 1. A n encrypt ion scheme con sists of three algorithm s ( K

, E pk , D sk ) .

1. O n in put a security param eter k , the key gen eration algorithm K (1k ) outputs a ran dom m atchin g pair ( pk , sk ) of en cryption / decryption keys. For the sym m etric case, we assum e w log that the en cryption an d decryption keys are iden tical, K := pk = sk . T he key pk is public an d the keys sk an d K are secret. 2. T he en cryption algorithm E pk ( m , r ) outputs a ciphertext c correspon din g to a plain text m ∈ MSPC ⊆ { 0, 1} ∗ , usin g the ran dom coin s r ∈ Ω . W hen the process is determ in istic, we sim ply write E pk ( m ) . In the sym m etric case, we n ote EK in stead of E pk . 3. T he decryption algorithm D sk ( c ) outputs the plain text m associated to the ciphertext c or a n otifi cation ⊥ that c is n ot a valid ciphertext. In the sym m etric case, we use the n otation s DK . Furtherm ore, we require that for all

m ∈

MSPC an d

r ∈



,

D sk ( E pk ( m , r

)) =

m

.

T he convert ed scheme we propose in t his paper is a combinat ion of an asymmet ric encrypt ion scheme and a lengt h-preserving symmet ric encrypt ion scheme. We assume very weak security propert ies from t hose two schemes. Namely, we require t hat t he asymmet ric scheme is O W - P C A and t hat t he symmet ric scheme is I N D , as defined below.

2.2

Security R equirem ent s

An at t acker is said passive if, in addit ion t o t he ciphert ext , s/ he only obt ains some auxiliary informat ion s , which may depend on t he pot ent ial plaint ext s (but not on t he key) [9, § 1.5] and ot her public informat ion ( e . g . , t he security paramet er k and t he public key pk ). Not e t hat in t he asymmet ric case an at t acker can always const ruct valid pairs of plaint ext / ciphert ext from t he public encrypt ion key pk . A minimal security requirement for an encrypt ion scheme is on e-wayn ess ( O W ). T his capt ures t he property t hat an adversary cannot recover t he whole plaint ext from a given ciphert ext . In some cases, part ial informat ion about a plaint ext may have disast rous consequences. T his is capt ured by t he not ion of sem an tic security or t he equivalent not ion of in distin guishability [10]. Basically, indist inguishability means t hat t he only st rat egy for an adversary t o dist inguish t he encrypt ions of any two plaint ext s is by guessing at random. In t he asymmet ric case, suppose t hat t he at t acker has access t o an oracle t elling whet her a pair ( m , c ) of plaint ext / ciphert ext is valid; i . e . , whet her m = D sk ( c ) holds. Following [12], such an at t ack scenario is referred t o as t he plain text-checkin g attack ( P C A ). From t he pair of adversarial goal ( O W ) and adversarial model ( P C A ), we derive t he security not ion of O W - P C A .

266

J ean-S´ebast ien Coron et al.

D efinit ion 2. A n asym m etric en cryption schem e is

O W - P C A if n o attacker with access to a plain text-checkin g oracle O pca can recover the whole plain text correspon din g to a ciphertext with n on -n egligible probability. M ore form ally, an asym m etric en cryption schem e is ( τ , q , ε ) -secure in the sen se of O W - P C A if for an y adversary A which run s in tim e at m ost τ , m akes at m ost q queries to O pca , its success ε satisfi es

 Pr

( sk , pk ) ←

(1k ) , c ← ( c, s ) =

K

E pk ( m , r

):

 ≤

ε

where the probability is also taken over the ran dom choices of

A

m ←

{

0, 1}

r ←

A ∗

O

pca

m



.

For t he symmet ric case, we consider a passive at t acker who t ries t o break t he indist inguishability property of t he encrypt ion scheme. T he at t acker A = ( A 1 , A 2 ) runs in two st ages. In t he first st age (or fi n d stage ), on input k , A 1 out put s a pair of messages ( m 0 , m 1 ) and some auxiliary informat ion s . Next , in t he second st age (or guess stage ), given t he encrypt ion c b of eit her m 0 or m 1 and t he auxiliary informat ion s , A 2 t ells if t he challenge ciphert ext c b encrypt s m 0 or m 1 .

D efinit ion 3. A sym m etric en cryption schem e is

I N D if n o attacker can distin guish the en cryption s of two equal-len gth plain texts with probability n on -n egligibly greater than 1/ 2. M ore form ally, a sym m etric en cryption schem e is ( τ , ν ) -secure in the sen se of I N D if for an y adversary A = ( A 1 , A 2 ) which run s in tim e at m ost τ , its advan tage ν satisfi es

 K ←

Pr b←

{

cb ←

0, 1}

(1k ) , ( m 0 , m 1 , s ) ← A 1 ( k ) , EK ( m b ) : A 2 ( m 0 , m 1 , c b , s ) = b



K



where the probability is also taken over the ran dom choices of

1+ 2 A

ν

.

In cont rast , for our convert ed encrypt ion scheme we require t he highest security level, namely I N D - C C A 2 security. T he not ion of I N D - C C A 2 for an asymmet ric encrypt ion scheme considers an active at t acker who t ries t o break t he syst em by probing wit h chosen-ciphert ext messages. Such an at t ack can be non-adapt ive ( C C A 1 ) [11] or adapt ive ( C C A 2 ) [14]. In a C C A 2 scenario, t he adversary may run a second chosen ciphert ext at t ack upon receiving t he challenge ciphert ext c b (t he only rest rict ion being not t o probe on c b ).

D efinit ion 4. A n asym m etric en cryption schem e is I N D - C C A 2 if n o attacker with access to a decryption oracle O D sk can distin guish the en cryption s of two equal-len gth plain texts with probability n on -n egligibly greater than 1/ 2. M ore form ally, an asym m etric en cryption schem e is ( τ , q , ε ) -secure in the sen se of I N D C C A 2 if for an y adversary A = ( A 1 , A 2 ) which run s in tim e at m ost τ , m akes at m ost q queries to O D sk , its advan tage ε satisfi es  Pr b ←

{

r ←

0, 1}





D

A



(1k ) , sk O A 1 ( k , pk ) ,   cb ← E pk ( m b , r ) : sk O (m 0 , m 1 , cb , s ) = b 2

( sk , pk )  (m 0 , m 1 , s ) ← 



K

D



1+ 2 ε

GEM: A Generic Chosen-Ciphert ext Secure Encrypt ion Met hod

where the probability is also taken over the ran dom choices of allowed to query on c b .

3

A

, an d

A 2

267

is n ot

G E M : G e n e ric E n c ry p t io n M e t h o d

A very appealing way t o encrypt a message consist s in using a hybrid en cryption mode. A random session key R is first encrypt ed wit h an asymmet ric crypt osyst em. T hen t he message is encrypt ed under t hat session key wit h a symmet ric crypt osyst em. Alt hough seemingly sound, t his scheme does not achieve I N D - C C A 2 security under weak security assumpt ions for t he two underlying crypt osyst ems. T his sect ion shows how t o modify t he above paradigm for at t aining t he I N D - C C A 2 security level.

3.1

R EA C T Transform

T he aut hors of react imagined t o append a checksum t o t he previous const ruct ion and prove t he I N D - C C A 2 security of t he result ing scheme in t he random oracle model [12]. Briefly, react works as follows. A plaint ext m is t ransformed int o t he ciphert ext ( c 1 , c 2 , c 3 ) given by

react( m ) = E pk ( R , u ) EK ( m ) H( R , m , c 1 , c 2 )



=

where

u

is a random,

K

=

c1

=

c2

c3

= G( R ), and G , H are hash funct ions.

Building on t his, we propose a new generic encrypt ion met hod. Our met hod is aimed at short ening t he whole ciphert ext by incorporat ing t he checksum ( i . e . , c 3 ) int o c 1 while maint aining t he I N D - C C A 2 security level, in t he random oracle model.

3.2

N ew M et ho d

Let E pk and EK denot e an asymmet ric and a lengt h-preserving symmet ric encrypt ion algorit hms, respect ively, and let F , G , H denot e hash funct ions. Let also D sk and DK denot e t he decrypt ion algorit hms corresponding t o E pk and EK , respect ively. For convenience, for any element x defined over a domain A , we writ e ♯ x for | { x ∈ A } | . So, for example, ♯ m represent s t he cardinality of t he message space, i . e . , t he number of diff erent plaint ext s.

Encry pt ion In put : P laint ext m , random ρ = r  O utput : Ciphert ext ( c 1 , c 2 ) given by

Epk ( m , ρ ) =

E pk ( w , u )



=

where s = F ( m , r ), and K = G( w , c 1 ).

u.

w

=



EK ( m ) =

c1

s 

r ⊕

c2

H( s ),

268

J ean-S´ebast ien Coron et al.

D ecry pt ion In put : Ciphert ext ( c 1 , c 2 ). O utput : P laint ext m˙ or symbol 

Dsk ( c 1 

c2 )

according t o if s˙ = F ( m˙ , r˙) ot herwise ⊥



=



where w˙ := s˙ t˙ = D sk ( c 1 ), K˙ = G( w˙ , c 1 ), m˙ = DK˙ ( c 2 ), and r˙ = t˙ ⊕ H( s˙).

4

S e c u rit y A n a ly s is

We now prove t he security of our conversion. We show t hat if t he hybrid encrypt ion scheme Epk can be broken under an adapt ive chosen-ciphert ext at t ack t hen eit her t he lengt h-preserving symmet ric encrypt ion scheme EK or t he asymmet ric encrypt ion scheme E pk underlying our const ruct ion is highly insecure, namely t he I N D -security of EK or t he O W - P C A security of E pk get s broken.

T heorem 1. S uppose that there exists an adversary that breaks, in the ran dom oracle m odel, the I N D - C C A 2 security of our con verted schem e Epk within a tim e boun d τ , after at m ost q F , q G , q H , q Dsk queries to hash fun ction s F , G , H an d decryption oracle O Dsk , respectively, an d with an advan tage ε . T hen , for all 0 < ν < ε , there exists I N D security of EK within a tim e boun d τ an d an advan tage ν ; or – an adversary with access to a plain text-checkin g oracle O pca ( respon din g in tim e boun ded by τ pca ) that breaks the O W - P C A security of E pk within a tim e boun d

– an adversary that breaks the



τ

= τ

+ ( qF

qH

+

q Dsk ( q F

+

qG

+

q G )) ( τ pca

+

O

(1)) ,

ν

+

1

after at m ost q pca ≤ q F q H

queries to ε

O ′

pca

qG

+

q Dsk ( q F

+

qG )

, an d with success probability

ε − ν ≥

+

2



qF ♯ r

 − q Dsk

 1 ♯ s

+

qF

 1 ♯ r

+

1 ♯ s

 +

♯ m

.

From t his, we immediat ely obt ain:

C orollary 1. For an y O W - P C A asym m etric en cryption E pk an d an y len gthpreservin g I N D -secure sym m etric en cryption schem e EK , our con verted schem e Epk is I N D - C C A 2 secure in the ran dom oracle m odel. ⊓⊔ To prove T heorem 1, we suppose t hat t here exist s an adversary A = ( A 1 , A 2 ) able t o break t he I N C - C C A 2 security of Epk . We furt her suppose t hat EK is ( τ , ν )-secure in t he sense of I N D . From A , we t hen exhibit an adversary B ( i . e . , a reduct ion algorit hm) t hat invert s E pk using a plaint ext -checking oracle, and t hus breaks t he O W - P C A security of E pk .

GEM: A Generic Chosen-Ciphert ext Secure Encrypt ion Met hod

4.1

269

A U seful Lem m a

T he assumpt ion t hat EK is lengt h-preserving and ( τ following lemma.



)-I N D secure implies t he

Lem m a 1. A ssum e that EK is a len gth-preservin g ( τ

, ν ) - I N D sym m etric en cryption schem e, where τ den otes the tim e n eeded for evaluatin g EK ( · ) . T hen given a pair ( m , c ) of plain text/ ciphertext, we have

P r [EK ( m ) = c ] ≤

+ ν

K

1

.

♯ m

P roof. Given t he pair ( m , c ), we consider t he following dist inguisher A . A randomly chooses a bit d ∈ { 0, 1} , set s m d = m and m ¬ d t o a random value m ′ . T he pair ( m d , m ¬ d ) is t hen sent t o t he encrypt ion oracle which ret urns c b = EK ( m b ) for a random key K and a random b ∈ { 0, 1} . A t hen checks if c b = c , ret urns d if t he equality holds and ¬ d ot herwise. Let t ing ε t he advant age of A , we have ε

= 2

Pr ′

m

[A

= 2

Pr m



1

[( c b = c ) ∧ ( d = b)] +

,K ,d ,b

2

Pr m

= 2





[( c b = c ) ∧ ( ¬ d = b )] − 1

,K ,d ,b

[( EK ( m ) = c ) ∧ ( d = b)] +

Pr m

r e t u r n s b] −

,K ,d ,b

,K ,d ,b

2

Pr m



[( EK ( m ′ ) = c ) ∧ ( ¬ d = b )] − 1

,K ,d ,b

= P r [EK ( m ) = c ] + P r [EK ( m ′ ) = c] − 1 K

m

,K

P r [EK ( m ′ ) = c ] ≤

= P r [EK ( m ) = c ] − K



m



ν

.

,K

T he proof follows by not ing t hat as EK is lengt h-preserving, it permut es t he set of messages for any key K and so P r m , K [EK ( m ′ ) = c ] = 1/ ♯ m . ⊓⊔ ′

4.2

D escript ion of t he R educt ion A lgorit hm

is given a challenge encrypt ion y = E pk ( w , ∗ ), an oracle O pca which answers plaint ext -checking request s on E pk , and an adversary A = ( A 1 , A 2 ) t hat breaks t he I N D - C C A 2 security of Epk . B ’ s goal is t o ret rieve all t he bit s ofw . Wlog, we assume t hat O pca responds t o any of B ’ s request s wit h no error and wit hin a t ime bounded by τ pca . B

T hroughout , t he following not at ions are used. For any predicat e R( x ), R( ∗ ) st ands for ∃ x s.t . R( x ). If O is an oracle t o which A has access, we denot e by query → respon se t he correspondence O est ablishes between A ’ s request query and t he value respon se ret urned t o A . Hist [O ] st ands for t he set of correspondences est ablished by O as t ime goes on: Hist [O ] can be seen as an hist ory t ape which get s updat ed each t ime A makes a query t o O . We denot e by q O t he number of calls A made t o O during t he simulat ion.

270

J ean-S´ebast ien Coron et al.

Overv iew of B . At t he beginning, B chooses a random value K . B t hen runs A and provides a simulat ion for F , G, H and Dsk . A = ( A 1 , A 2 ) runs in two st ages. At t he end of t he first st age (find st age), A 1 out put s a pair ( m 0 , m 1 ). B t hen randomly chooses b ∈ { 0, 1} , comput es c 2 = EK ( m b ) and builds ( y , c 2 ). T his challenge is provided t o A 2 , which out put s some bit at t he end of t he second st age (guess st age). Once finished, B checks whet her some w has been defined during t he game. If so, w is ret urned as t he inverse of E pk on y ; ot herwise a failure answer is ret urned. T he det ailed descript ion of t he simulat ion follows. Wlog, we assume t hat A keeps t rack of all t he queries t hroughout t he game so t hat A never has t o make t he same query twice t o t he same oracle. Simulat ion of F . For each new query ( m , r ), if processing guess st age and m = m b and t here exist s s → h ∈ Hist [H] such t hat y = E pk ( s  r ⊕ h , ∗ ) t hen F set s w := s  r ⊕ h , ret urns s and updat es it s hist ory, ( n o e v e n t ) else F out put s a random value and updat es it s hist ory.

( E v en t E 1 )

Simulat ion of G . For each new query ( w , c 1 ), if c 1 = y and y = E pk ( w , ∗ ) t hen G set s w := w , ret urns K and updat es it s hist ory, ( E v e n t E 3 ) else if c 1 = y and y = E pk ( w , ∗ ) t hen G set s w  := w , ret urns a random value and updat es it s hist ory, ( n o e v e n t ) else G out put s a random value and updat es it s hist ory. ( E v en t E 2 )

Simulat ion of H . For each new query s , H out put s a random value and updat es it s hist ory. Simulat ion of Dsk ( P laint ex t Ex t ract or) . For each new query ( c 1 , c 2 ), Dsk first checks (t his verificat ion st ep only st ands while t he guess st age A 2 is running) t hat ( c 1 , c 2 ) = ( y , c 2 ) since if t his equality holds, t he query must be reject ed as A at t empt s t o decrypt it s own challenge ciphert ext . T hen, Dsk t ries t o find t he only (if any) message m mat ching t he query. To achieve t his, Dsk invokes t he simulat ion of G, H and F provided by B as follows. – F ind t he unique pair ( r , s ) such t hat ( ∗ , r ) → s ∈ Hist [F ], s → h ∈ Hist [H] and c 1 = E pk ( s  r ⊕ h , ∗ ). If such a pair exist s, • query G t o get K = G( s  r ⊕ h , c 1 ), • let t ing m = DK ( c 2 ), query F t o check if F ( m , r ) = s . If t he equality holds, ret urn m ; ot herwise reject t he query ( E v e n t R J 1 ) . – If t he search for ( r , s ) is unsuccessful, check if t here exist s w wit h ( w , c 1 ) → K ∈ Hist [G] and c 1 = E pk ( w , ∗ ). If such an w exist s, • define s and t by w = s  t , and query H t o get h = H( s ), • let t ing m = DK ( c 2 ), query F t o check if F ( m , t ⊕ h ) = s . If t he equality holds, ret urn m ; ot herwise reject t he query ( E v e n t R J 2 ) . – If t he search for w is unsuccessful, reject t he query ( E v e n t R J 3 ) .

GEM: A Generic Chosen-Ciphert ext Secure Encrypt ion Met hod

4.3

Soundness of

271

B

Unless ot herwise ment ioned, all probabilit ies are t aken over t he random choices of A and B .

Simulat ion of R andom Oracles. T he plaint ext w uniquely defines s and t such t hat w = s  t . We not e r t he random variable t ⊕ H( s ). b , r ) is queried and answered wit h some value s = s before s appears in Hist [H]. Let q F1 denot e t he number of oracle queries A 1 made t o F during t he find st age. Since r˜ is a uniformly-dist ribut ed random variable t hroughout t he find st age, we cert ainly have P r[F i n c o r r e c t i n t h e fi n d st a g e ] ≤ q F1 / ♯ r . Moreover, t hroughout t he guess st age, A 2 cannot gain any informat ion about 2 r wit hout knowing H( s ) because H is a random funct ion. Hence, let t ing q F t he number of oracle queries A 2 made t o F during t he guess st age, we have P r[F i n c o r r e c t i n t h e g u e ss st a g e ] ≤ q F2 / ♯ r . Consequent ly, t he probability t hat an error occurs while B simulat es t he oracle F is upper-bounded by

S oun dn ess of F . T he simulat ion of F fails when ( m

1

P r[F

in c o r r ec t ] ≤

qF

2

+

qF

♯ r

=

qF

.

♯ r

S oun dn ess of G . T he simulat ion is perfect . S oun dn ess of H . T he simulat ion is perfect .

P laint ex t Ex t ract ion. T he simulat ion of Dsk fails when Dsk ret urns ⊥ alt hough t he query c = ( c 1 , c 2 ) is a valid ciphert ext . Let t hen m , r , s , t , h , w , K be t he unique random variables associat ed t o c in t his case. Obviously, c was reject ed t hrough event R J 3 , because a reject ion t hrough R J 1 or R J 2 refut es t he validity of c . T herefore, if Dsk is incorrect for c , we must have 

(m , r ) ∈

:=

Hist [F ] ∨ s

¬

EF



 Hist [H]

:=

¬

EH

 ∧



(w , c1 ) →

K ∈



:=

¬

 Hist [G]

.

EG

Hence, P r[Dsk

i n c o r r e c t f o r c ] = P r[( ¬ E F ∨ ¬ E H ) ∧ ¬ E G ] = P r[(( m , r ) = ( m b , r )) ∧ ( ¬ E F ∨ ¬ E H ) ∧ ¬ E G ] + P r[(( m , r ) = ( m b , r )) ∧ ( ¬ E F ∨ ¬ E H ) ∧ ¬ E G ] ≤ P r[(( m , r ) = ( m b , r )) ∧ ( ¬ E F ∨ ¬ E H )] + P r[(( m , r ) = ( m b , r )) ∧ ¬ E G ] = P r[(( m , r ) = ( m b , r )) ∧ ¬ E F ] + P r[(( m , r ) = ( m b , r )) ∧ ( E F ∧ ¬ E H )] + P r[(( m , r ) = ( m b , r )) ∧ ¬ E G ] .

272

J ean-S´ebast ien Coron et al.

1. Assume ( m , r ) = ( m b , r ) and ( m , r ) ∈ Hist [F ]. Since F is a random funct ion, F ( m , r ) is a uniformly dist ribut ed random value unknown t o A . T he fact t hat c is a valid ciphert ext implies t hat F ( m , r ) = s , which happens wit h probability P r[c

(m , r )

is v alid ∧

1

Hist [F ]] = ∈

.

♯ s

2. Assume ( m , r ) = ( m b , r ) and ( m , r ) ∈ Hist [F ]∧ s → h ∈ Hist [H]. Suppose t hat s = s . Since H is a random funct ion, H( s ) is a uniformly dist ribut ed random value unknown t o A . T he validity of c implies t hat ( m , t ⊕ H( s )) → s ∈ Hist [F ], which happens wit h probability P r[( m , t

H( s )) ⊕

qF

Hist [F ]] ≤

s ∈ →

.

♯ r

Now assume s = s . In t his case, we must have ( m , r ) wit h probability qF P r[( m , r ) → s ∈ Hist [F ]] ≤

s ∈ →

F which occurs

.

♯ s

3. Assume ( m , r ) = ( m b , r ) and ( w , c 1 ) → K ∈ Hist [G]. T his implies s = s , t = t , w = w and c 1 = y . Hence, if c is valid, we must have EK ( m b ) = c 2 for a uniformly dist ribut ed K . By virt ue of Lemma 1, t his is bounded by P r [EK ( m b ) =

c2 ] ≤ ν

1

+

.

♯ m

K

Gat hering all preceding bounds, we get P r[c

D sk

is v alid ∧

1



♯ s

+

which, t aken over all queries of

qF

in c o r r ec t ] ≤



1

+

♯ r

+

♯ s

ν

1

+

,

♯ m

, leads t o

A

 P r[Dsk

i n c o r r ec t f o r c]

1

q Dsk



1 ♯ s

+

1

qF

1

♯ r

+



♯ s

+ ν

+

1

 .

♯ m

C onclusion. We have P r[B

in c o r r ec t ]



qF ♯ r

4.4

+

=  P r[F 1

q Dsk

♯ s

P r[ Dsk 1 + +

in c o r r ec t ] +



+

qF

1 ♯ r

♯ s

ν

in c o r r ec t ]

+

1



.

♯ m

R educt ion C ost

Success P robability. Let us suppose t hat A dist inguishes Epk wit hin a t ime bound τ wit h advant age ε in less t han q F , q H , q G , q Dsk oracle calls. Defining P r 2 [· ] = P r[· | ¬ ( B i n c o r r e c t )], t his means t hat P r 2 [A →

b] ≥

1+ 2 ε

.

GEM: A Generic Chosen-Ciphert ext Secure Encrypt ion Met hod

273

Suppose also t hat EK is ( τ , ν )-indist inguishable. Assuming t hat t he oracles are correct ly simulat ed, if none of t he event s E 1 , E 2 or E 3 occurs, t hen A never asked r t o t he random oracle F , neit her did it learn t he key K under which m b was encrypt ed in c 2 (t his is due t o t he randomness of F and G). T his upper-limit s t he informat ion leakage on b by ν , since A ’ s running t ime is bounded by τ . Not ing E wi n = E 1 ∨ E 2 ∨ E 3 , t his implies P r 2 [A

b | ¬ E wi n ] ≤ →

1+ 2 ν

.

We t hen get 1+ 2 ε

P r 2 [A



b] ≤ →

P r 2 [A →

1+ 2

+ P r 2 [E wi n ] ,



whence P r 2 [E wi n ] ≥ ( ε P r[B

w →

) / 2. But P r 2 [B

− ν

] ≥ P r 2 [B

w ] − →

ε − ν ≥

B

qF



2

1 ♯ s

w →

P r[B

P r 2 [E wi n ]

] = P r 2 [E wi n ] and finally,

in c o r r ec t ]



♯ r



q Dsk

Hence

ν

b | ¬ E wi n ] +

 +

qF

1 ♯ r

+

1 ♯ s

 +

+ ν

1

 .

♯ m

succeeds wit h non-negligible probability.

Tot al N umb er of C alls t o O pca . Checking t hat a pair of t he form ( w , y ) sat isfies y = E pk ( w , ∗ ) is done t hanks t o t he plaint ext -checking oracle O pca . T herefore, oracle F makes at most q F · q H queries t o O pca , and oracle G makes at most q G · 1 queries t o O pca . Moreover, it is easy t o see t hat oracle O Dsk makes at most q Dsk ( q F + q G ) calls since in t he worst case Dsk has t o call O pca for all element s (( ∗ , r ) → s ) ∈ Hist [F ] and for all element s (( w , c 1 ) → K ) ∈ Hist [G]. In conclusion, t he t ot al number of calls act ually needed by B is upper-bounded by q pca ≤ q F q H + q G + q Dsk ( q F + q G ) . Tot al R unning T im e. T he reduct ion algorit hm runs in t ime bounded by τ

B

= τ

+ ( qF

qH

+

qG

+

q Dsk ( q F

+

q G )) ( τ pca

+

O

(1))

.

T his complet es t he proof of T heorem 1.

5

C o n c lu d in g R e m a rk s

A very popular way t o (symmet rically) encrypt a plaint ext is t o use a stream cipher . T he simplest example is t he Vernam cipher where a plaint ext m is processed bit -by-bit t o form t he ciphert ext c under t he secret key K . Wit h t his

274

J ean-S´ebast ien Coron et al.

cipher, each plaint ext bit m i is xor-ed wit h t he key bit K i t o produce t he ciphert ext bit c i = m i ⊕ K i . If K is t ruly random and changes for each plaint ext m being encrypt ed, t hen t he syst em is uncondit ionally secure. T his ideal sit uat ion is, however, impract ical for a real-world implement at ion. To resolve t he key management problem, a st ream cipher is usually combined wit h a publickey crypt osyst em. Cont rary t o t he obvious solut ion consist ing in encrypt ing a random session key wit h an asymmet ric crypt osyst em and t hen using t hat key wit h a st ream cipher, our hybrid scheme achieves provable security. Compared t o a purely asymmet ric solut ion, our scheme present s t he advant age t o encrypt lon g messages orders of m agn itude faster t hanks t o t he use of a symmet ric crypt osyst em. Anot her merit of our scheme resides in it s generic nat ure. T he set of possible applicat ions of t he new conversion scheme is similar t o t hat of react: it concerns an y asymmet ric funct ion t hat is O W - P C A under a conject ured int ract ability assumpt ion. A specificity of react is t hat it can operat e “on t he fly”. T he session key does not depend on t he plaint ext t o be encrypt ed and can t hus be comput ed in advance. T his property is part icularly advant ageous when t he asymmet ric encrypt ion is expensive, as is t he case for discret e-log based crypt osyst ems. Remark t hat our scheme does not allow “on-t he-fly” encrypt ion, t hat was t he price t o pay for short ening t he ciphert ext . In ot her cases such as for rsa (wit h a low encrypt ion exponent , e . g . , 3 or 21 6 + 1) or Rabin crypt osyst em, on-t he-fly encrypt ion is not an issue and our scheme may be preferred because t he result ing ciphert ext is short er. Furt hermore, it is wort h not ing t hat for a det erminist ic asymmet ric encrypt ion scheme E pk , t he not ions of O W - P C A and O W - C P A are ident ical: t he validity of a pair ( m , c ) of plaint ext / ciphert ext can be publicly checked as c = E pk ( m ). So, our met hod allows one t o const ruct , for example, an effi cient I N D - C C A 2 hybrid encrypt ion scheme whose security relies on t he hardness of invert ing t he rsa funct ion or fact oring large numbers. In conclusion, our generic conversion may be seen as t he best alt ernat ive t o react when t he underlying asymmet ric encrypt ion is relat ively fast or when memory/ bandwidt h savings are a priority.

R e fe re n c e s 1. Mihir Bellare, Anand Desai, David P oint cheval, and P hillip Rogaway. Relat ions among not ions of security for public-key encrypt ion schemes. Full paper (30 pages), February 1999. An ext ended abst ract appears in H. Krawczyk, ed., Advances in Crypt ology – CRYP T O ’ 98, volume 1462 of Lect ure Not es in Comput er Science, pages 26–45, Springer-Verlag, 1998. 2. Mihir Bellare and P hillip Rogaway. Random oracles are pract ical: A paradigm for designing effi cient prot ocols. In F i r st A CM Conference on Comput er and Communi cat i ons Secur i t y , pages 62–73. ACM P ress, 1993. 3. Mihir Bellare and P hillip Rogaway. Opt imal asymmet ric encrypt ion. In A. De Sant is, edit or, A dvances i n Cr ypt ology – E U ROCRY P T ’ 94, volume 950 of L ect ure N ot es i n Comput er Sci ence, pages 92–111. Springer-Verlag, 1995.

GEM: A Generic Chosen-Ciphert ext Secure Encrypt ion Met hod

275

4. Vict or Boyko. On t he security propert ies of OAEP as an all-or-not hing t ransform. Full paper (28 pages), August 1999. An ext ended abst ract appears in M. W iener, ed., Advances in Crypt ology – CRYP T O ’ 99, volume 1666 of Lectu re Not es in Comput er Science, pages 503–518, Springer-Verlag, 1999. 5. Eiichiro Fujisaki and Tat suaki Okamot o. How t o enhance t he security of public-key encrypt ion at minimum cost . I E I CE T ransact i on on of Fundament als of E lect roni c Communi cat i ons and Comput er Sci ence E 8 3 - A (1): 24–32, J anuary 2000. 6. Eiichiro Fujisaki and Tat suaki Okamot o. Secure int egrat ion of asymmet ric and symmet ric encrypt ion schemes. In M. W iener, edit or, A dvances i n Cr ypt ology – CRY P T O ’ 99, volume 1666 of L ect ure N ot es i n Comput er Sci ence, pages 537–554. Springer-Verlag, 1999. 7. Eiichiro Fujisaki, Tat suaki Okamot o, David P oint cheval, and J acques St ern. RSAOAEP is secure under t he RSA assumpt ion. In J . Kilian, edit or, A dvances i n Cr ypt ology – CRY P T O 2001, volume 2139 of L ect ure N ot es i n Comput er Sci ence, pages 260–274. Springer-Verlag, 2001. 8. Oded Goldreich. On t he foundat ions of modern crypt ography. In B. Kaliski, edit or, A dvances i n Cr ypt ology – CRY P T O ’ 97, volume 1294 of L ect ure N ot es i n Comput er Sci ence, pages 46–74. Springer-Verlag, 1997. 9. Oded Goldreich. M oder n cr ypt ography, probabi li st i c proofs and pseudo-randomness, volume 17 of A lgor i t hms and Combi nat or i cs. Springer-Verlag, 1999. 10. Shafi Goldwasser and Silvio Micali. P robabilist ic encrypt ion. Jour nal of Comput er and Syst em Sci ences, 28:270–299, 1984. 11. Moni Naor and Mot i Yung. P ublic-key crypt osyst ems provably secure against chosen ciphert ext at t acks. In 22nd A CM A nnual Symposi um on t he T heor y of Comput i ng ( ST OC ’ 90), pages 427–437. ACM P ress, 1990. 12. Tat suaki Okamot o and David P oint cheval. REACT : Rapid Enhanced-security Asymmet ric Crypt osyst em Transform. In D. Naccache, edit or, T opi cs i n Cr ypt ology – CT -R SA 2001, volume 2020 of L ect ure N ot es i n Comput er Sci ence, pages 159–175. Springer-Verlag, 2001. 13. David P oint cheval. Chosen-ciphert ext security for any one-way crypt osyst em. In H. Imai and Y. Zheng, edit ors, P ubli c K ey Cr ypt ography , volume 1751 of L ect ure N ot es i n Comput er Sci ence, pages 129–146. Springer-Verlag, 2000. 14. Charles Rackoff and Daniel R. Simon. Non-int eract ive zero-knowledge proof of knowledge and chosen ciphert ext at t ack. In J . Feigenbaum, edit or, A dvances i n Cr ypt ology – CRY P T O ’ 91, volume 576 of L ect ure N ot es i n Comput er Sci ence, pages 433–444. Springer-Verlag, 1992. 15. Ronald L. Rivest . All-or-not hing encrypt ion and t he package t ransform. In E. Biham, edit or, Fast Soft ware E ncr ypt i on , volume 1267 of L ect ure N ot es i n Comput er Sci ence, pages 210–218. Springer-Verlag, 1997.

276

J ean-S´ebast ien Coron et al.

F ig. 1 .

Descript ion of gem in encrypt ion mode.

F ig. 2 .

Descript ion of gem in decrypt ion mode.

S e c u rin g “ E n c ry p t io n + P ro o f o f K n ow le d g e ” in t h e R a n d o m O ra c le M o d e l Masayuki Abe NT T Informat ion Sharing P lat form Laborat ories Nippon Telegraph and Telephone Corporat ion 1-1 Hikari-no-oka, Yokosuka-shi, Kanagawa-ken, 239-0847 J apan [email protected]

To creat e encrypt ion schemes t hat off er security against adapt ive chosen ciphert ext at t acks, t his paper shows how t o securely combine a simple encrypt ion scheme wit h a proof of knowledge made nonint eract ive wit h a hash funct ion. A typical example would be combining t he ElGamal encrypt ion scheme wit h t he Schnorr signat ure scheme. W hile t he st raight forward combinat ion will fail t o provide security in t he random oracle model, we present a class of encrypt ion schemes t hat uses a proof of knowledge where t he security can be proven based on t he random oracle assumpt ion and t he number t heoret ic assumpt ions. T he result ing schemes are useful as any casual party can be assured of t he (in)validity of t he ciphert ext s. A b st r a c t .

1

In t ro d u c t io n

Submit t ing ciphert ext s t o validity t est ing is crucial t o achieve security against adapt ive chosen message at t acks. So far, many validity t est ing met hods have been suggest ed in a variety of set t ings t o st rengt hen weak encrypt ion schemes against such st rong at t acks, e.g., [22,3,5,9,4,13]. T heir validity t est s, however, can be done only if t he verifier knows t he decrypt ion key; hence t hey are privately checkable . T his type of validity t est ing is, in general, quit e effi cient . For inst ance, just comput e a hash funct ion and compare t he result wit h a known st ring. A pract ical drawback, however, is t hat when a ciphert ext is reject ed, no one but t he owner of t he decrypt ion key can be convinced. Suppose t hat Alice sent a ciphert ext t o Bob and it was reject ed by privat e validity t est ing. Alice may claim t hat t he ciphert ext is valid, while Bob claims t he opposit e. Alice does not want t o reveal t he message t o support herself and Bob does not want t o reveal t he privat e key. T here are some encrypt ion schemes where anyone can check t he validity of ciphert ext s; hence publicly checkable schemes, e.g., [12,21,20,19]. In t hese schemes, t he validity t est verifies a non-int eract ive zero-knowledge proof of knowledge/ membership. So t he overhead for encrypt ion/ checking is relat ively large. T he schemes in [20], which are secure in t he random oracle model [2], cost t hree or four exponent iat ions for creat ing a zero-knowledge proof and two or t hree exponent iat ions for checking it , t hough t hey have ext ra security for t hreshold B . P r e n e e l ( E d . ) : C T -R S A 2 0 0 2 , L N C S 2 2 7 1 , p p . 2 7 7 – 2 8 9 , 2 0 0 2 .  c S p r in g e r -V e r la g B e r lin H e id e lb e r g 2 0 0 2

278

Masayuki Abe

decrypt ion. T he scheme in [5] is not publicly checkable but it can provide a proof of legit imat e reject ion according t o t he t echnique of [4], t hough it is st ill cost ly. T he most effi cient publicly checkable scheme is t he combinat ion of ElGamal encrypt ion [6] and Schnorr signat ure [18] formally discussed in [21,19]. T his scheme is at least twice as fast as ot her publicly checkable ones but it s security is proven only in t he st ronger model. In [21], an on-line knowledge ext ract or t hat does not rewind t he prover is assumed, and in [19], t he at t acker is rest rict ed t o yield group element s via t he group operat ion only and not t o use t he group element s t o comput e any non-group value except for hashing t hem. T he diffi culty posed by such schemes in proving t he security, in which a proof of knowledge is used rat her t han membership, is t hat t he simulat or has t o rewind t he prover t o ext ract t he knowledge t o answer t o decrypt ion queries, and t his rewinding simulat ion will not t erminat e in polynomial t ime as t his rewinding causes anot her rewinding which result s in an avalanche. T his paper provides a way of securely combining a simple encrypt ion scheme and a proof of knowledge so t hat t he result ing scheme feat ures a publicly checkable validity t est and security against adapt ive chosen message at t acks can be proven based on t he underlying number t heoret ic assumpt ions and t he random oracle assumpt ion. Among t he many combinat ions possible, we show two concret e schemes: ElGamal(Diffi e-Hellman) + Schnorr and RSA [17] + GuillouQuisquat er [11]. T he lat t er is based on t he higher order residuosity problem and t he former is based on t he Gap-Diffi e-Hellman problem [14]. Alt hough all examples in t his paper use proof of knowledge made non-int eract ive by t he Fiat Shamir t echnique [7], our generic scheme shows t hat t he proof-part is not necessarily a proof of knowledge but a signat ure scheme. T his is a nat ural consequence as our security proof does not at t empt t o ext ract t he knowledge from t he proof part . In some cases, we may even be able t o use somewhat weaker signat ure schemes t han t he st rongest ones. T he rest of t his paper is organized as follows. Sect ion 2 present s some concret e examples t hat belong t o t he class for which we prove security. A generic descript ion of t he class and t he security proof is given in Sect ion 3. Sect ion 4 concludes t his paper wit h some discussion on t he advant ages and drawbacks of t he encrypt ion schemes addressed here. It also st at es some open problems.

2

C o n c re t e E x a m p le s

T his sect ion present s two concret e examples t hat belongs t o t he class of provably secure publicly checkable secure encrypt ion schemes we describe in Sect ion 3. Alt hough we only present simple schemes, it is possible t o derive variat ions or adapt at ions of symmet ric encrypt ion as shown in t he generic descript ion. 2.1

E lG am al E n cry p t ion + S ch n orr S ign at u re

T his scheme is secure assuming t he int ract ability of t he Gap-Diffi e-Hellman problem (Gap-DH) [14]. Informally, Gap-DH is t o comput e g a b from g a and g b having

Securing “Encrypt ion + P roof of Knowledge” in t he Random Oracle Model

279

access t o t he decision Diffi e-Hellman oracle t hat decides if given ( g a , g b , g c ) sat isfies a b = c . Let G be a probabilist ic polynomial-t ime algorit hm t hat generat es a descript ion of a group, say ( p, q, g ), where Gap-DH is int ract able. Here, g is an element of t he group defined by p and t he order of g is q . K e y G e n e rat ion : ( p, q, g ) ← G (1κ ). Select privat e key x ∈ 2 y (= g x mod p ), p, q, g and hash funct ions, H :  g  → { 0, 1} ℓ where ℓ m is t he message lengt h. E n cry p t ion : Ciphert ext C of message m h

=

g

where

r

mod r, w ∈

p, U

ZZ

c

=

q

and

m ⊕ ⊕

H (h , y

r

mod p ) ,



{

0, 1} ℓ

u

=

m

is

G ( c, g

C w

U

ZZ

m

,G



. P ublic key is : { 0, 1} → ZZ q

q



= ( h , c, u , s ) such t hat

),

s

=

w − ur

mod

q,

denot es bitwise XOR. ?

Valid ity Te st : Given a ciphert ext , check if u = G ( c, g s h u mod p ). D e cry p t ion : For a valid ciphert ext t hat passes t he above t est , out put c mod p ) as a plaint ext . ⊕

H (h , h x

2.2

R S A + G Q S ign at u re

Since RSA is t he most common encrypt ion scheme in t he current public-key infrast ruct ure it useful t o provide an inst ant iat ion t hat suit s RSA public-key syst ems, t hough t he result ing cost is higher t han may be expect ed from t he previous sect ion. T he security of t he following scheme is proven under t he RSA assumpt ion. K e y G e n e rat ion : Choose RSA public key ( n , e ) and privat e key d according t o security paramet er k . Lengt h of e must also be a polynomial in κ . Select a hash funct ion H : ZZ ∗n × ZZ ∗n → { 0, 1} ℓ m , G : { 0, 1} ∗ → { 0, 1} ℓ where ℓ is also a security paramet er. E n cry p t ion : Ciphert ext C of message m h

=

where

r

e

mod

r, w ∈

U

n, ZZ

c ∗

n

=

m ⊕

H (h , r ),

u

=



{

0, 1} ℓ

G ( c, w

e

m

is

C

= ( h , c, u , s ) such t hat

mod n ) ,

s

=

wr

u

mod

n,

. ?

Valid ity Te st : Given a ciphert ext , check if u = G ( c, s e h −

u

mod n ).

D e cry p t ion : For a valid ciphert ext t hat passes t he above t est , out put c mod n ) as a plaint ext . ⊕

H (h , h d

2.3

O t h e r C om b in at ion s

We can also creat e combinat ions of Paillier encrypt ion [16] and a proof of knowledge from t he Schnorr and Guillou-Quisquat er schemes, and t he Oakmot oUchiyama encrypt ion [15] and t he st at ist ical zero-knowledge proof by Fujisaki [8].

280

3

Masayuki Abe

G e n e ric D e s c rip t io n a n d P ro o f o f S e c u rit y

3.1

N ot at ion s

Here we describe, in general, public-key encrypt ion, symmet ric-key encrypt ion, and signat ure schemes. T hese follow st andard definit ions. We t hen define “bridge funct ions” which is necessary t o join t he encrypt ion and signat ure schemes. All algorit hms below are polynomial-t ime wit h regard t o t he security paramet ers. P ublic-key encrypt ion scheme E pub = ( G pub , E pub , D pub ): G pub (1κ

)

pub

E ek

( ek , dk ) →

(m ; r )

pub

D dk

h

(h )



m →

A probabilist ic key-generat ion algorit hm t hat t akes security paramet er κ and out put s privat e decrypt ion key dk and public encrypt ion key ek . P ublic-key ek det ermines message space M pub , randomness space R pub and ciphert ext space C pub . A (probabilist ic) encrypt ion algorit hm t hat encrypt s message m ∈ M pub int o ciphert ext h wit h regard t o public-key ek and randomness r ∈ R pub . pub A decrypt ion algorit hm t hat sat isfies D dpub ( E ek ( m ; r )) = k m for any ( dk , ek ) ∈ G pub (1κ ), r ∈ R pub , and m ∈ M pub .

To t reat asymmet ric session-key delivery schemes as encrypt ion schemes, we pub may allow D dpub ( E ek ( m ; r )) = m when a funct ion, K ( m ) → m , is available. For k inst ance, in t he Diffi e-Hellman scheme, m = g i and m = i . T he security not ions for encrypt ion schemes also apply t o such cases. ′





Symmet ric-key encrypt ion scheme E sym = ( K sym , M K sym M sym sym

(m )

sym

( c)

Ek D

k

c →

m →

sym

, E sym , D

sym

):

Key space Message space An encrypt ion algorit hm for message m ∈ M sym and common key k ∈ K sym . A decrypt ion algorit hm such t hat D ksym ( E ksym ( m )) = m for any k ∈ K sym and m ∈ M sym .

Signat ure scheme S = ( G sig , S sig , V sig ): G sig (1κ

)

( sk , vk ) →

sig

S sk ( m sig

V v k (m , σ

) →

) →

σ

1/ 0

A probabilist ic key-generat ion algorit hm t hat out put s privat e signing key sk and public verificat ion key vk . A (probabilist ic) signat ure-generat ion algorit hm t hat out put s signat ure σ for message m wit h signing key sk . A signat ure verificat ion algorit hm t hat out put s 1 if σ is sig in t he domain of S sk ( m ), or out put s 0 ot herwise.

To seamlessly joins t he schemes, t he following polynomial-t ime comput able funct ions must exist .

Securing “Encrypt ion + P roof of Knowledge” in t he Random Oracle Model J s ( m , r , ek ) →

sk

J p ( h , ek ) →

vk

J d ( vk , dk ) →

h

281

A funct ion t hat generat es a privat e signing key of sigpub nat ure scheme S from m , r , ek used in E ek ( m ; r ). It is also necessary t hat out put sk have t he same dist ribut ion as t he signing keys generat ed by G sig when m , r and ek dist ribut e uniformly in t heir respect ive spaces. A funct ion t hat , from t he ciphert ext h and t he public pub key ek where h = E ek ( m ; r ), generat es t he public key of t he signat ure scheme t hat corresponds t o sk generat ed by J s ( m , r , ek ). A probabilist ic funct ion t hat generat es h from signat ure verificat ion key vk and decrypt ion key sk such t hat vk = J p ( h , ek ). (Decrypt ion key dk is used only for generality. It can be encrypt ion key ek .)

Int uit ively, J s and J d t oget her work as Gs t o generat e a t emporary key-pair for t he signat ure scheme. J d can be underst ood as t he inversion funct ion of J p . It is needed only for t he security proof. T hese funct ions would be as simple as out put t ing one of t he input variables. 3.2

G e n e ric D e scrip t ion

A publicly checkable encrypt ion scheme; E p c = ( G , E , V , D ); G (1κ

) →

(x , y )

Ey ( m ; r ) →

D

3.3

V y (C

)

(C ) →

x



C

b

m

Execut e Gp (1κ ) → ( dk , ek ) and select a hash funct ion, H : C pub × M pub → K sym . Out put privat e decrypt ion key x = ( dk , H ) and public encrypt ion key y = ( ek , H ). Divide r int o two part s ( z , w ) ∈ M pub × R pub , and compub put e h = E ek ( z ; w ). Comput e session key k = H ( h , z ) and encrypt m as c = E ksym ( m ). Generat e signing key sig s = J s ( z , w , ek ) and sign c wit h s as σ = S sk ( c ). Out put ciphert ext C = ( h , c, σ ). Parse C int o ( h , c, σ ). Generat e signat ure verificat ion key v = J p ( h , e ) and out put t he result of signat ure verificat ion, b := V vsigk ( c, σ ). Parse C int o ( h , c, σ ). Decrypt h as D dpub ( h ) → z wit h k decrypt ion key dk embedded in x . Comput e session key sym k = H ( h , z ) and ret rieve message m = D k ( c ) if V y ( C ) = 1, ot herwise m = ⊥ .

S e cu rity D e fi n it ion s

T his sect ion briefly reviews t he security definit ions and int ract ability assumpt ions. We use well-known not ions and popular not at ions for encrypt ion schemes such as OW(one-way), IND(indist inguishable), CPA(chosen plaint ext at t ack), CCA2(adapt ive chosen ciphert ext at t ack) wit hout definit ion by referring t o [1]. T he following set of problems is defined wit h regard t o t he encrypt ion scheme.

282

Masayuki Abe

pub D e fi n it ion 1. Let ( dk , ek ) ← G pub (1κ ) and h = E ek ( m ; r ) for m ∈ pub r ∈ U R . Let T be a set of all possible ( m , h , ek ) that satisfies m = Let F be a set of all random ( m , h , ek ) taken from each dom ain.

U

D

M pub , pub dk

(h ).

– T he com putational problem (CP) is, given ( h , ek ) , to output m such that ( m , h , ek ) ∈ T . – T he decisional problem (DP) is, given ( m , h , ek ) taken random ly from T or F with equal probability, to decide which set, T or F , the given instance belongs to. – T he gap-problem (GP) is to solve CP having access to the decision oracle for DP, which returns yes if the query is in T , otherwise n o .

T he gap-problem is a rat her new class of problems and was int roduced in [13]. From t he definit ion, t he following relat ions among t hose problems are derived easily. DP easy GP easy ⇔



GP = CP DP = CP

It follows t hat a gap-problem is hard if t he corresponding comput at ional problem is hard and st rict ly harder t han t he decisional problem. For inst ance, t he comput at ional Diffi e-Hellman problem seems t o be hard and harder t han t he decision Diffi e-Hellman problem. It is clear t hat if E pub is det erminist ic, t he decision problem is easy (anyone can encrypt t he message and see if it equals t he ciphert ext ) and t he gap-problem is equivalent t o t he comput at ional problem. T he gap-problems are relat ed t o t he following at t ack model. D e fi n it ion 2. (PCA : plaintext checking attack) T he adversary is given access to a plaintext checking oracle that takes plaintext m , ciphertext h and publickey ek and outputs 1 if m is produced by decrypting h with decryption key dk corresponding to ek.

OW-P CA security is relat ed t o t he gap-problems. For inst ance, t he ElGamal encrypt ion scheme is OW-P CA under t he Gap Diffi e-Hellman assumpt ion [14]. T he RSA crypt osyst em is also OW-P CA under t he Gap-RSA assumpt ion, which is act ually equivalent t o t he RSA assumpt ion as RSA encrypt ion is det erminist ic. For signat ure schemes, we require EUF(exist ent ially unforgeable) against CMA(chosen message at t acks). More precisely, we require t he signat ure scheme be EUF-CMA1 as defined below. T his is a slight ly weaker requirement t han t he original EUF-CMA defined in [10], which allows polynomially many queries t o t he signing oracle. D e fi n it ion 3. (EUF-CMA 1) Consider that adversary ( A 1 , A 2 ) plays the following gam e;

1. 2. 3. 4.

( sk , vk ) ← (m , ω ) ← σ ←

sig

G sig (1κ

S sk ( m

( m˜ , σ ˜ ) ←

)

A 1 ( vk )

)

A 2 (σ , ω

)

Securing “Encrypt ion + P roof of Knowledge” in t he Random Oracle Model

283

A signature schem e is EUF-CMA 1 if, for any poly-tim e algorithm ( A 1 , A 2 ) , ( m , σ ) = ( m˜ , σ ˜ ) and V vsigk ( m˜ , σ ˜ ) = 1 hold only with negligible probability.

Not e t hat m = m˜ is allowed in t he above definit ion as is t rue in t he original definit ion of EUF-CMA in [10]. A similar not ion EUF-RMA1 (exist ent ially unforgeable against randomly chosen message at t acks wit h 1 query) can be defined by choosing m uniformly from t he message space. Furt hermore, we need S t o be simulat able in t he random oracle model. T hat is, S involves a hash funct ion, say G , and t here exist s a polynomial-t ime algorit hm such t hat , given public verificat ion key v and a polynomially bounded list of input -out put pairs for G , say L G , out put message-signat ure pair ( m , σ ) and a pair of input -out put values, say i o , which is consist ent wit h L G and makes t he result ing signat ure valid. By ( σ , i o ) = S vs i m ( m , L G ) we denot e such a simulat ion. We say t hat S provides t he property of SIMR if such a simulat ion is successful wit h overwhelming probability. SIMR is feat ured in many pract ical EUF-CMA signat ure schemes, especially in t he ones made from t he honest verifier zeroknowledge proofs focused on in t his paper. 3.4

S e cu rity P ro of

T h e ore m 1. If E pub is OW -PCA , E sym is IN D-CPA , and S is EUF-CMA 1 and SIM R , then E p c is IN D-CCA 2 in the random oracle m odel.

Proof. We assume t hat E pub is not IND-CCA2. T hat is, t here exist s polynomialt ime adversary A d v t hat succeeds in breaking t he indist inguishability of E pub wit h adapt ive chosen ciphert ext at t acks. We show t hat if such A d v exist s we can const ruct a polynomial-t ime simulat or t hat breaks eit her E pub or E sym or S using A d v as a black-box. In t he adapt ive chosen ciphert ext at t acks, A d v accesses t he encrypt ion oracle ( E O ), t he random oracle ( H ) and t he decrypt ion oracle ( D O ). E O is given two equal lengt h messages m 0 and m 1 chosen from M sym , and ret urns challenge ciphert ext C = E y ( m b ; r ) for b ∈ U { 0, 1} and random r . H is given query z i ∈ M pub and ret urns k i ∈ U K sym . D O is given ciphert ext C i and ret urns D x ( C i ). A d v also accesses random oracle G embedded in t he signat ure scheme, which does not explicit ly appear in t he following high level descript ion. We first const ruct S 1 t hat breaks t he OW-P CA property of E pub assuming t hat E sym and S is secure in t he above sense. Let ( h , e k , CO ) be a randomly chosen OW-P CA inst ance where CO is a plaint ext checking oracle for E pub . C on st ru ct ion of S 1 : Simulat or S 1 maint ains a list , say L H , whose ent ry consist s of four-t uples, ( m sg , e n c , k e y , a n s ), where m sg st ores messages in M pub , e n c st ores encrypt ion of m sg wit h E pub , k e y st ores H ( m sg ), and a n s st ores y e s / n o ret urned from checking oracle CO in response t o query ( m sg , e n c , e k ). L H is empty at t he beginning. S 1 also maint ains list L G for defining hash funct ion G in S . L G is empty at t he beginning, t oo. By convent ion, “ ∗ ” mat ches any st ring and “ − ” denot es an empty st ring in t he list s. At init ializat ion S 1 runs G (1κ ) → ( x , y ) and replace ek in y wit h e k (accordingly, x is rendered useless). S 1 t hen runs A d v by giving

284

Masayuki Abe

y and answers t he queries from out put s b ∈ { 0, 1} .

A dv

in t he following way. When

A dv

st ops, it



[S 1 : S im u lat ion of O racle s] E O ( m 0 , m 1 ):

Ret urn challenge ciphert ext C = ( h , c, σ ) where h = h , = E ksym ( m b ) where k ∈ U K sym and b ∈ U { 0, 1} , and ( σ , i o ) = S vski m ( c, L G ) where vk = J p ( h , ek ). S s i m fails if i o is inconsist ent wit h L G , or ( ∗ , h , ∗ , ∗ ) is already in L H . Ot herwise, append i o t o L G and ( − , h , k , y e s ) t o L H . a1. If h i = h and CO ( z i , h , ek ) = y e s , t hen out put z i and st op. ( S 1 wins.) a2. If h i = h , CO ( z i , h i , ek ) = y e s , and ( − , h i , ( k i ) , y e s ) exist s in L H , t hen ret urn t he k i in t he ent ry and replace ’− ’ wit h z i . a3. Ret urn k i ∈ U K sym and append ( z i , h i , k i , a n s ) t o L H where a n s is t he answer of CO ( z i , h i , ek ). c

H ( h i , z i ):

D O ( C i ):

Parse

Ci

int o ( h i , c i , σ i ).

b1. If C i = C or V y ( C i ) = 0, ret urn ⊥ . (If G is not yet defined wit h regard t o t he query needed for verificat ion, define it wit h a random value.) b2. If V y ( C i ) = 1 and h i = h , simulat ion fails. b3. Ot herwise, search L H for ( ∗ , h i , ( k i ) , y e s ). c1. If it exist s, ret urn m i = D ksym ( c i ) by using k i in i t he ent ry. c2. Ot herwise, choose k i ∈ U K sym , append ( − , h i , k i , sym y e s ) t o L H , and ret urn m i = D k ( c i ). i Queries for hash funct ion G are simulat ed wit h random values chosen from t he appropriat e domain defined by J p ( h , ek ). List L G maint ains t he input -out put correspondence of G . E valu at ion of S 1 : We first claim t hat t he simulat ion of E O works unless S s i m fails or t here is ( ∗ , h , ∗ , ∗ ) in L H before t he query is made t o E O . T he first case occurs wit h negligible probability as we assume t hat S is SIMR . Since h = h and h is in t he randomly chosen inst ance, such a failure happens wit h negligible probability if t he size of h is polynomial against t he security paramet er. As E pub is assumed t o be one-way, t he size of it s ciphert ext space must be at least | M pub | + | R pub | , which is polynomial in κ . T hus, E O is simulat ed correct ly wit h overwhelming probability. We next claim t hat event b2 happens only wit h negligible probability. Assume t hat A d v sends valid ciphert ext C i = ( h i , c i , σ i ) where h i = h . Since any query t o D O must not be ident ical t o challenge ciphert ext C , t he remaining part of t he query must sat isfy ( c i , σ i ) = ( c, σ ). So b2 means t hat A d v out put s a forged Schnorr signat ure wit h regard t o public key vk = J p ( h , ek ) by a chosen message

Securing “Encrypt ion + P roof of Knowledge” in t he Random Oracle Model

285

at t ack1 . Since S is assumed t o be EUF-CMA1 and only one signat ure is issued wit h regard t o public-key vk , b2 happens only wit h negligible probability. From t he above observat ion we see t hat h i = h for all valid ciphert ext asked t o D O wit h overwhelming probability. Now we claim t hat D O is simulat ed successfully. Observe t hat when ciphert ext C i is asked t o D O , t here are two cases; A d v has already asked H ( h i , z i ) wit h correct z i , i.e., t he one such t hat CO ( z i , h i , ek ) = y e s , or such query has not asked yet . If such a query has been already made, L H has an ent ry t hat cont ains correct k i t hat corresponds t o z i . T hus, m i ret urned from case c1 is t he same as t he one ret urned from t he real D O . (Alt hough A d v may have creat ed c i independent ly from such correct k i , it does not mat t er since even t he real D O decrypt s c i wit h correct k i .) If such query has not been asked, we can t emporary choose k i as done in case c2 and lat er det ect t he corresponding query t o H and backpat ch as in case a2 so t hat t he answer looks consist ent . T hus m i from case c2 is also t he same as t he one from t he real D O . Unless a1 happens, t he simulat ion of H is perfect since all ret urn values, k i , are select ed randomly from K sym in a3 and c2. What remains t o prove is t hat b = b happens wit h negligible advant age unless a1 happens. As we have already seen, h i = h for all valid ciphert ext s asked t o D O wit h overwhelming probability. Hence all k i are independent of k due t o t he randomness of H , and so are all m i and b. (T his is t he reason why h i must be input t o H . Ot herwise, m i could be relat ed t o b.) T hus, int eract ing wit h D O does not help A d v in guessing b. Next , assume t hat a1 does not happen. One can t hen see t hat h is independent of c due t o t he ideal randomness of H . Furt hermore, σ is relat ed t o c only in a t rivial way. T herefore, only c is relat ive t o b. However, since E sym is indist inguishable, b can be guessed solely from c only wit h negligible advant age. T hus, if b = b happens wit h probability 1/ 2 + ǫ , a4 happens and S 1 wins wit h probability close t o ǫ . ′



C on st ru ct ion of S 2 : We next const ruct S 2 t hat breaks t he IND-CPA property of E sym assuming t hat E pub and S are secure. S 2 sends ( m 0 , m 1 ) t o t he ext ernal symmet ric encrypt ion oracle E sym t hat has a randomly chosen secret key k . S 2 finally decides which message corresponds t o t he ciphert ext c ret urned from E sym . At init ializat ion, S 2 runs G (1κ ) → ( x , y ). T his t ime, x is used as it is. Queries from A d v are answered as follows. [S 2 : S im u lat ion of O racle s] E O ( m 0 , m 1 ):

1

Pass ( m 0 , m 1 ) t o t he ext ernal symmet ric encrypt ion oracle E sym . T he oracle select s b ∈ U { 0, 1} and creat es challenge ciphert ext c = E ksym ( m b ) wit h k ∈ U K sym . It

W hen E sym is a random permut at ion wit h regard t o fixed lengt h messages we allow S t o be EUF -RMA1 where t he message is chosen uniformly from a fixed domain. In general, however, EUF -CMA1 is needed as we do not see how c dist ribut es over t he message space of S when t he corresponding plaint ext is chosen by t he adversary.

286

Masayuki Abe pub t hen ret urns C = ( h , c, σ ) where c = c , h = E ek (z ; w ) sig pub pub for z ∈ U M , w ∈ U R , and σ = S sk ( c ) where sk = J s ( z , w , ek ). If ( h , z ) has been already asked t o H , simulat ion fails.

H ( h i , z i ):

D O ( C i ):

a0. If H is already defined for t his input , ret urn t he assigned value. a1. If h i = h and z i = z , simulat ion fails. a2. If h i = h or z i = z , ret urn k i ∈ U K sym . Parse

Ci

int o ( h i , c i , σ i ).

b1. If C = C i or V y ( C i ) = 0, ret urn ⊥ . b2. If V y ( C i ) = 1 and h i = h , simulat ion fails. b3. Ot herwise, ret urn m i = D ksym ( c i ) where k i = i pub H ( h i , z i ), z i = D d k ( h i ). (T his is possible as S 2 has dk in x . Define H for input ( h i , z i ) if it has not been asked yet .) Simulat ion of G in S is done wit h using only random values from t he appropriat e domain. When A d v out put s b , S 2 out put s it . ′

E valu at ion of S 2 : T he simulat ion of E O fails if ( h , z ) has been asked t o H before E O is invoked. As h is generat ed wit h random z and w , such a failure happens wit h negligible probability. We claim t hat case a1 happens wit h negligible probability if E pub is OWP CA. It suffi ces t o show t hat t he simulat ion of H and D O works just as t he plaint ext checking oracle in P CA at t acks and not more t han t hat . Suppose t hat A d v is given m i for c i in b3. Since k i in b3 is independent of z i due t o t he randomness of H , A d v can get no informat ion about z i from m i except for t he fact t hat H is defined as k i for input ( h i , z i ). A d v can now exploit t his fact t o check whet her some z i is t he correct decrypt ion of h i or not by examining if decrypt ing c i wit h k i obt ained by asking ( h i , z i ) t o H result s in m i or not . T his argument is irrelevant t o whet her valid σ i can be made wit hout knowing z i or not . Next , we claim t hat case b2 does not happen since C i = C and h i = h implies ( c i , σ i ) = ( c, σ ) which cont radict s t he assumpt ion t hat S is EUF-CMA1. Not e t hat each h i is used only once wit h overwhelming probability. Independence of all ret urned m i in b3 from b det ermined by c can be argued in t he same way as done in t he evaluat ion of S 1 based on t he fact t hat h i = h for all valid queries t o D O . T hus, t he simulat ion works wit h overwhelming probability and all values viewed by A d v are independent of b except for c . T herefore S 2 wins if A d v wins. ′





C on st ru ct ion of S 3 : Finally, we const ruct S 3 t hat breaks S assuming t hat E pub and E sym are secure. Let v k be a given randomly select ed signat ure verificat ion key for which S 3 forges a signat ure by accessing t he ext ernal signing oracle t hat has sk corresponding

Securing “Encrypt ion + P roof of Knowledge” in t he Random Oracle Model

t o v k . At init ializat ion, as follows.

S3

runs G (1κ ) →

( x , y ). Queries from

A dv

287

are answered

[S 3 : S im u lat ion of O racle s] E O ( m 0 , m 1 ):

Select b ∈ U { 0, 1} , and comput e h = J d ( v k , dk ) by using dk in x . T hen comput e z = D dpub ( h ), k = H ( h , z ), c = k sym E k ( m b ). ( H is defined wit h k for input ( h , z ). If H has been already defined at t his point , simulat ion fails.) T hen ask t he ext ernal signing oracle t o sign c wit h key sk and get signat ure σ . Ret urn C = ( h , c, σ ).

H ( h i , z i ):

a0. If H is already defined for t his input , ret urn t he assigned value. a1. If h i = h and z i = z , simulat ion fails. a2. If h i = h or z i = z , ret urn k i ∈ U K sym .

D O ( C i ):

Parse

Ci

int o ( h i , c i , σ i ).

b1. If C = C i or V y ( C i ) = 0, ret urn ⊥ . b2. Else if h i = h , out put ( c i , σ i ) and st op. b3. Ot herwise, ret urn m i = D ksym ( c i ) where i pub H ( h i , z i ), z i = D d k ( h i ), and dk in y .

ki

Queries t o G in S are passed t o t he corresponding ext ernal oracle. When out put s b , S 3 out put s it .

=

A dv



E valu at ion of S 3 : T he simulat ion of E O works if H has not been defined at ( h , z ) before. Clearly, such a failure happens only wit h negligible probability. We can claim t hat case a1 happens wit h negligible probability if E pub is OW-P CA in t he same way as was done for S 2 . We next claim t hat if case b2 and a1 do not happen and E sym is IND-CPA, A d v can win only wit h negligible advant age over 1/ 2. T he case for a1 has already been made. It suffi ces t o show t hat case b2 should happen if A d v is t o win wit h meaningful advant age. Observe t hat k i in case b3 is independent of k due t o t he randomness of H . Hence, m i does not have more informat ion about b t han c has regardless of t he relat ion between c and c i . T herefore, if b2 does not happen, issuing queries t o D O does not help in guessing b. T hus, A d v can win only wit h t he same probability as breaking t he IND-CPA property of E sym . Since t his is assumed t o be infeasible, t here is a cont radict ion. T hus, b2 must happen and S 3 get s a forged signat ure-message pair ( c i , σ i ) wit h regard t o J p ( h , ek ) = v k .

4

C o n c lu s io n

T his paper st udied encrypt ion schemes t hat use proof of knowledge but whose security can be proven in t he random oracle model under t he st andard int ract ability assumpt ions of number t heoret ic problems.

288

Masayuki Abe

A weakness of such schemes is t he lack of homomorphism in t he encrypt ion part . T his is inevit able as it is essent ial for t he security proofs t hat t he message be encrypt ed wit h a session key generat ed by a hash funct ion. On t he ot her hand, such a hybrid st ruct ure allows long messages t o be encrypt ed effi cient ly. It should also be not ed t hat public verifiability of ciphert ext s does not imply security in t erms of t hreshold set t ing. T he main reason is t hat , in t hreshold set t ing, comput at ion of H must be done in public (shown t o all decrypt ors) so t he simulat or has t o ext ract correct z i given t o H but t he schemes addressed here do not provide such a back door, unlike t he schemes t hat combine signat ure schemes derived from proofs of language [20].

R e fe re n c e s 1. M. Bellare, A. Desai, D. P oint cheval, and P. Rogaway. Relat ions among not ions of security for public-key encrypt ion schemes. In H. Krawczyk, edit or, A dvances i n Cr yptology – CRY PT O ’ 98, volume 1462 of Lecture N otes i n Computer Sci ence, pages 26–45. Springer-Verlag, 1998. 2. M. Bellare and P. Rogaway. Random oracles are pract ical: a paradigm for designing effi cient prot ocols. In F i r st A CM Conference on Computer and Communi cati on Secur i ty , pages 62–73. Associat ion for Comput ing Machinery, 1993. 3. M. Bellare and P. Rogaway. Opt imal asymmet ric encrypt ion. In Alfredo De Sant is, edit or, A dvances i n Cr yptology – EU ROCRY PT ’ 94, volume 950 of Lecture N otes i n Computer Sci ence, pages 92–111. Springer-Verlag, 1995. 4. R. Canet t i and S. Goldwasser. An effi cient t hreshold public key crypt osyst em secure against adapt ive chosen ciphert ext at t ack. In J acques St ern, edit or, A dvances i n Cr yptology – EU ROCRY PT ’ 99, volume 1592 of Lecture N otes i n Computer Sci ence, pages 90–106. Springer-Verlag, 1999. 5. R. Cramer and V. Shoup. A pract ical public key crypt osyst em provably secure against adapt ive chosen ciphert ext at t ack. In H. Krawczyk, edit or, A dvances i n Cr yptology – CRY PT O ’ 98, volume 1462 of Lecture N otes i n Computer Sci ence, pages 13–25. Springer-Verlag, 1998. 6. T . ElGamal. A public key crypt osyst em and a signat ure scheme based on discret e logarit hms. In G. R. Blakley and D. Chaum, edit ors, A dvances i n Cr yptology – CRY PT O ’ 84, volume 196 of Lecture N otes i n Computer Sci ence, pages 10–18. Springer-Verlag, 1985. 7. U. Feige, A. F iat , and A. Shamir. Zero-knowledge proofs of ident ity. Jour nal of Cr yptology , 1:77–94, 1988. 8. E. Fujisaki. A simple approach t o secret ly sharing a fact oring wit ness in publiclyverifiable manner. (unpublished manuscript ), 2001. 9. E. Fujisaki and T . Okamot o. Secure int egrat ion of asymmet ric and symmet ric encrypt ion schemes. In M. W iener, edit or, A dvances i n Cr yptology – CRY PT O ’ 99, volume 1666 of Lecture N otes i n Computer Sci ence, pages 537–554. SpringerVerlag, 1999. 10. S. Goldwasser, S. Micali, and R. Rivest . A digit al signat ure scheme secure against adapt ive chosen-message at t acks. SI A M Jour nal of Computi ng, 17(2):281–308, April 1988.

Securing “Encrypt ion + P roof of Knowledge” in t he Random Oracle Model

289

11. L. C. Guillou and J .-J . Quisquat er. A pract ical zero-knowledge prot ocol fit t ed t o security microprocessor minimizing bot h t ransmission and memory. In C. G. G u¨ nt her, edit or, A dvances i n Cr yptology – EU ROCRY PT ’ 88, volume 330 of Lecture N otes i n Computer Sci ence, pages 123–128. Springer-Verlag, 1988. 12. M. Naor and M. Yung. P ublic-key crypt osyst ems provably secure against chosen ciphert ext at t acks. In Proceedi ngs of the 22st annual A CM Symposi um on the T heor y of Computi ng, pages 427–437, 1990. 13. T . Okamot o and D. P oint scheval. T he gap-problems: a new class of problems for t he security of crypt ographic schemes. In PK C 2001, Lect ure Not es in Comput er Science. Springer-Verlag, 2001. 14. T . Okamot o and D. P oint scheval. REACT : Rapid enhanced-security asymmet ric crypt osyst em t ransform. In RSA ’ 2001, Lect ure Not es in Comput er Science. Springer-Verlag, 2001. 15. T . Okamot o and S. Uchiyama. A new public-key crypt osyst em as secure as fact oring. In K. Nyberg, edit or, A dvances i n Cr yptology – EU ROCRY PT ’ 98, volume 1403 of Lecture N otes i n Computer Sci ence, pages 308–318. Springer-Verlag, 1998. 16. P. P aillier. P ublic-key crypt osyst ems based on composit e degree residuosity classes. In J acques St ern, edit or, A dvances i n Cr yptology – EU ROCRY PT ’ 99, volume 1592 of Lecture N otes i n Computer Sci ence, pages 223–238. Springer-Verlag, 1999. 17. R. L. Rivest , A. Shamir, and L. M. Adleman. A met hod for obt aining digit al signat ures and public-key crypt osyst ems. Communi cati ons of the A CM , 21(2):120– 126, 1978. 18. C. P. Schnorr. Effi cient signat ure generat ion for smart cards. Jour nal of Cr yptology , 4(3):239–252, 1991. 19. C.P. Schnorr and M. J akobsson. Security of signed elgamal encrypt ion. In T . Okamot o, edit or, A dvances i n Cr yptology – A SI A CRY PT 2000, volume 1976 of Lecture N otes i n Computer Sci ence, pages 73–89. Springer-Verlag, 2000. 20. V. Shoup and R. Gennaro. Securing t hreshold crypt osyst ems against chosen ciphert ext at t ack. In K. Nyberg, edit or, A dvances i n Cr yptology – EU ROCRY PT ’ 98, volume 1403 of Lecture N otes i n Computer Sci ence, pages 1–16. Springer-Verlag, 1998. 21. Y. T siounis and M. Yung. On t he security of El Gamal based encrypt ion. In H. Imai and Y. Zheng, edit ors, F i r st I nter nati onal W or kshop on Practi ce and T heor y i n Publi c K ey Cr yptography – PK C ’ 98, volume 1431 of Lecture N otes i n Computer Sci ence, pages 117–134. Springer-Verlag, 1998. 22. Y. Zheng and J . Seberry. P ract ical approaches t o at t aining security against adapt ively chosen ciphert ext at t acks. In E. F . Brickell, edit or, A dvances i n Cr yptology – CRY PT O ’ 92, volume 740 of Lecture N otes i n Computer Sci ence, pages 292–304. Springer-Verlag, 1993.

N o nu n ifo rm P o ly n o m ial T im e A lg o rit h m t o S o lv e D e c isio n al D iffi e -H e llm an P ro b le m in F in it e F ie ld s u n d e r C o n je c t u re Qi Cheng1 and Shigenori Uchiyama 2 , ⋆ 1

School of Comput er Science University of Oklahoma, Norman, OK 73019, USA 2 NT T Laborat ories 1-1 Hikarinooka, Yokosuka-shi, 239-0847 J apan

In t his paper, we show t hat curves which are defined over a number field of small degree but have a large t orsion group over t he number field have considerable crypt ographic significance. If t hose curves exist and t he height s of t orsions are small, t hey can serve as a bridge for prime shift ing, which result s a nonuniform polynomial t ime algorit hm t o solve DDH on finit e fields and a nonuniform subexpont ial t ime algorit hm t o solve ellipt ic curve discret e logarit hm problem. At t his t ime we are unable t o prove t he exist ence of t hose curves. To t he best of our knowledge, t his is t he first at t empt t o apply t he ideas relat ed t o t he Uniform Boundedness T heorem(UBT ), formerly known as Uniform Boundedness Conject ure, in crypt ography. A b st r a c t .

1

Int ro d u c t io n

Since t he proposal of t he concept of public-key crypt ography, cert ain kinds of comput at ional problems such as t he int eger fact oring, t he discret e logarit hm problem, t he Diffi e-Hellman problem [3] and t he RSA problem [15] have been much researched for t he last two decades. So far, t hese comput at ional problems are widely believed t o be int ract able. One of t he most import ant t opics in crypt ography is t o propose a pract ical and provably-secure crypt ographic scheme under such a reasonable comput at ional assumpt ion. Here, we usually say a crypt ographic scheme is provably secure if it is proven t o be as secure as such an int ract able comput at ional problem. Besides, in order t o prove t he security of a crypt ographic scheme, we somet imes use some ot her kinds of comput at ional problems what we call decisional problems such as t he Decisional Diffi e-Hellman problem, t he DDH problem for short . T his kind of decision problem was first ly int roduced in [6] t o prove t he semant ical security of a public-key encrypt ion scheme from a crypt ographic point of view. Since t hen, such a decisional problem has been typically employed t o prove t he semant ical security of public-key ⋆

P art of t he research was done while t he first aut hor was a st udent in t he University of Sout hern California and t he second aut hor was visit ing t here. T he first aut hor was part ially support by NSF grant CCR-9820778.

B . P r e n e e l ( E d . ) : C T -R S A 2 0 0 2 , L N C S 2 2 7 1 , p p . 2 9 0 – 2 9 9 , 2 0 0 2 .  c S p r in g e r -V e r la g B e r lin H e id e lb e r g 2 0 0 2

Nonuniform P olynomial T ime Algorit hm t o Solve DDH P roblem

291

encrypt ion schemes such as t he ElGamal and Cramer-Shoup encrypt ion schemes [4,17,2]. More precisely, t he Cramer-Shoup encrypt ion scheme is secure against adapt ive chosen ciphert ext at t ack under t he DDH and t he universal one-way hash assumpt ions. T he DDH problem is especially useful and has a lot of applicat ions, so it has been very at t ract ive t o crypt ography. Wit h respect t o applicat ions and a survey of t he DDH problem, see t he following excellent papers [13,1]. Here, we briefly review t he definit ions, basic propert ies of t he DDH and relat ed problems. In t he following, G denot es a mult iplicat ive finit e cyclic group generat ed by an element g from G , and let l be t he order of G . From a crypt ographic point of view, we may assume t hat l is prime. ·

· ·

T h e D is c re t e L o g a rit h m p ro b le m : Given two element s x and y , t o find an int eger m so t hat y = x m . T h e D iffi e -H e llm a n p ro b le m : Given two element s g x and g y , t o find g x y . T h e D e c is io n a l D iffi e -H e llm a n p ro b le m : Given two dist ribut ions ( g x , g y , g x y ) and ( g x , g y , g z ), where x , y , z are randomly chosen from Z / l Z , t o

dist inguish between t hese two dist ribut ions. In ot her words, given t hree element s g x , g y and g z , where x , y , z are chosen at random from Z / l Z , t o decide whet her x y ≡ z (mod l ) or not . Here, it is well-known t hat t he Diffi e-Hellman problem can be effi cient ly reduced t o t he Discret e Logarit hm problem and t he DDH problem can be effi cient ly reduced t o t he Diffi e-Hellman problem. When it comes t o relat ionships between t hese problems, Maurer and Wolf [10] showed t hat t he Discret e Logarit hm problem can be reduced t o t he Diffi e-Hellman problem, if t here exist s some auxiliary group defined over F l and it has some nice propert ies. More precisely, t he Maurer and Wolf’s idea is given by t he following. An auxiliary group can be t aken as t he rat ional point s on an ellipt ic curve defined over F l whose order is suffi cient ly smoot h, t hen we can easily solve t he Discret e Logarit hm problem over t his ellipt ic curve by using t he Pohlig-Hellman algorit hm. Furt hermore, since we can reduce t he Discret e Logarit hm problem over G t o t hat over t his ellipt ic curve by employing t he Diffi e-Hellman oracle, t he Discret e Logarit hm problem over G can be reduced t o t he Diffi e-Hellman problem. Namely, in t his case, we can say t hat t he Diffi e-Hellman problem is as hard as t he Discret e Logarit hm problem. So far, t he best known algorit hm for t hese problems over a general group, is a generic algorit hm such as t he Baby-St ep Giant -St ep (BSGS) and P holig-Hellman. T heir √ run t ime are given by O ( l ), where l is t he order of t he base group G . Besides, Shoup [16] showed t hat t he lower bound on comput at ion of t he DDH problem is t he same as t hat of t he Discret√ e Logarit hm problem under t he generic model, i.e., t he lower bound is given by c l , where c is some const ant , for t he DDH problem as well as t he Discret e Logarit hm problem. More precisely, Shoup showed t hat an algorit hm such as t he BSGS is t he best possible generic algorit hm for t he DDH, Diffi e-Hellman and Discret e Logarit hm problems. On t he ot her hand, very recent ly, J oux and Nguyen [8] present ed very int erest ing examples such t hat t he DDH problem is easy while t he Diffi e-Hellman

292

Qi Cheng and Shigenori Uchiyama

problem is as int ract able as t he Discret e Logarit hm problem over cert ain groups of t he rat ional point s on ellipt ic curves defined over finit e fields. It is obvious t hat t he DDH problem over an ellipt ic curve defined over a finit e field is very easy if we can comput e a pairing such as t he Weil and Tat e pairing. Act ually, we assume t hat  ,  l is t he l -t h Tat e pairing, where l is prime and also t he DDH problem over t he group generat ed by a point P whose order is prime l , t hen we have  x P , y P  l =  P , P  xl y and  z P , P  l =  P , P  zl . So, in t his case, deciding whet her x y ≡ z (mod l ) or not is very easy unless  P , P  l = 1. Anyhow, in such a case, t he DDH problem can be solved in polynomial t ime on t he size of t he input . Here we not e t hat we are not able t o evaluat e t he Tat e pairing for all ellipt ic curves but special classes of curves such as supersingular and t race 2 ellipt ic curves. Besides, as ment ioned above, according t o t he result by Maurer and Wolf, if we can generat e some auxiliary group for t hese ellipt ic curves which sat isfy cert ain good propert ies, t he Diffi e-Hellman problem is as hard as t he Discret e Logarit hm problem. T hat is, J oux and Nguyen present ed supersingular and t race 2 ellipt ic curves wit h such good auxiliary groups (see for det ails in [8]). Here, t his observat ion raises t he following quest ion: Is t here an effi cient reduct ion from t he DDH problem in a finit e field t o t he DDH problem over some special ellipt ic curve? T his paper will explore t he possibility. More precisely, t his paper proposes an at t ack against t he DDH problem in finit e fields under some reasonable assumpt ion. Suppose t hat our t arget field is F p . l is t he largest prime fact or of p − 1. T he correct ness of our algorit hm relies on a conject ure, which concerns about t he number of K -rat ional t orsion point s on an ellipt ic curve over number field K . Let [K : Q ] = d and E an ellipt ic curve defined over K . T he celebrat ed Uniform Boundedness T heorem assert s t hat t he number of t orsion point s of E rat ional over K is bounded by a const ant B d depending only on d . Eff ect ive version of UBT shows t hat t he bound B d depends exponent ially on d . We conject ure t hat for prime l , t here exist a number field K and an ellipt ic curve E / K such t hat [K : Q ] ≤ logO ( 1 ) l and E has non-t rivial K -rat ional l -t orsion point s. In addit ion, we assume (1) E has mult iplicat ive reduct ion E at a place above p ; (2) All t he K -rat ional l -t orsions reduce t o non-singular point s on E ; (3) all t he t orsion point s has reasonable size. We can effi cent ly map t he element s in t he l -part of t he Fp t o t he point s on E . Suppose t hat p -adic represent at ion of E of cert ain precision is given, we t hen find t he p -adic represent at ions of t he coresponding point s on E upt o t o t he precision. Since t he degree of K is low, we employ L L L -algorit hm t o get t he minimum polynomials of t he coordinat es of t he point s. T here cert ainly exist s anot her prime r , such t hat l | r − 1 and E has good reduct ion E at a place above r . T he coordinat es of t he coresponding point s on E will be comput ed. T he Tat e-pairing on t he l -part of E ( F r ) is non-t rivial and is effi cent ly comput able. Hence we have t he reduct ion of DDH problem in finit e fields t o DDH problem over special ellipt ic curves. T his paper is organized as follows. First , we int roduce t he reduct ion from t he mult iplicat ive group of a finit e field t o t he addit ive group on a singular cubic ′







′ ′



′ ′

Nonuniform P olynomial T ime Algorit hm t o Solve DDH P roblem

293

curve. In t he sect ion 4, we formulat e t he conject ure. In t he sect ion 5, we describe an algorit hm t o lift t he point s over finit e field t o t orsions over number field. In t he sect ion 6, we discuss t he idea of shift ing prime and prove t he main t heorem. In t he sect ion 7, we apply t he idea t o ellipt ic curve discret e logarit hm problem.

2

N o n -u n ifo rm alg o rit h m

In t his paper, when we t alk about non-uniform polynomial t ime algorit hm t o solve DDH problem, we mean t hat given a cyclic group G wit h generat or g , t here exist s a circuit C G , depending on G , such t hat if t he input of t he circuit is g x , g y , g z , out put 1 iff z ≡ x y (mod | G | ), and t he size of t he circuit C G grows polynomially wit h log | G | . If we know how t o const ruct C G effi cient ly, t hen we have a uniform polynomial t ime algorit hm t o solve DDH problem. Perhaps t he best known non-uniform algorit hm in crypt ography is t he reduct ion from DH problem t o DL problem, proposed by Maurer and Wolf[10]. Given an arbit rary finit e field F p , it is not known how t o const ruct an ellipt ic curve over F p wit h suffi cient ly smoot h order. Somet imes, even t he exist ence of such a curve is in quest ion.

3

R e d u c t io n fro m F in it e F ie ld t o S in g u lar C u b ic C u rv e ∗

We first fix some not at ions. Suppose we are given a prime power q, g ∈ F q generat e a subgroup S . Assume t hat l = | S | is a prime. a, b, c ∈ S . Cert ainly t here exist t hree int egers x , y and z such t hat a = g x , b = g y , c = g z . We want t o det ermine whet her x y ≡ z mod l . T his is called t he Decision Diffi eHellman(DDH) problem in a finit e field. T here is an analogy problem in ellipt ic curve crypt ography. Given a curve E defined over F q . W.l.o.g., assume t hat t he order of E ( F q ) is a prime l . Let G be a generat or of E ( F q ). A , B , C ∈ E ( F q ). T here exist t hree int egers x , y and z such t hat A = x G , B = y G and C = z G . T he DDH problem is t o det ermine whet her x y ≡ z mod l . It is believed t hat in general t he DDH problem over an ellipt ic curve is harder t han t he DDH problem in a finit e field if t he groups have t he same size. However, in some special case, most not ably when t he Tat e-pairing is non-t rivial and is easy t o comput e, DDH problem over t he ellipt ic curve admit s polynomial t ime algorit hm. In t his paper, we st udy how t o reduce t he DDH problem in a finit e field t o t he DDH problem over some special ellipt ic curve. It t urns out t hat t he isomorphism from t he mult iplicat ive group of a finit e field t o t he addit ive group of a cubic curve is well-known, and is effi cient ly comput able, as shown in t he following proposit ion. It is not however scient ifically int erest ing because t he cubic curve is singular, hence t he Tat e-pairing is t rivial. P ro p o s it io n 1 . Let K be a fi n ite fi eld an d E / K be a curve given by y 2 + a1 x y + a3 y = x 3 + a2 x 2 + a4 + a6

294

Qi Cheng and Shigenori Uchiyama

with discrim in an t ∆ = 0. S uppose E has a n ode S , an d let y = α

1x

+ β

1

and

y = α

2x

+ β

2

be the two distin ct tan gen t lin es to E at S . T he the m ap φ Ens →

(x , y ) →

K¯ y



y





α α

1x − 2x −

β β

1 2

is an isom orphism of abelian groups, which can be com puted effi cien tly. T he reverse m ap can also be com puted effi cien tly.

4

C o n je c t u re

We can imagine t hat t here is a global ellipt ic curve, which has a mult iplicat ive reduct ion at p or a place above p . T he Tat e pairing on t his global curve is nont rivial. By lift ing point s from t he singular cubic curve t o t he global curve, we will reduce t he DDH problem in finit e field t o t he DDH problem over t he global ellipt ic curve. T he approach sounds appealing. But we are required t o lift point s over finit e field t o t orsion point s over number field. T he group order is usually very large in crypt ography applicat ion. One of t he obst acles is t o describe t he global curve, since t he curve, as well as t he t orsions, may be defined over a number field of very high degree. Fort unat ely, t he current research seems t o indicat e t hat t he maximum possible number of t orsions over a number field grows exponent ially wit h t he degree of t he number field. Even if t he curve and it s t orsions are defined over a number field wit h low degree, t he size of t he curve is t oo large t o even be writ t en down. We can, however, writ e down t he p -adic version of t his curve up t o t he cert ain precision. T he biggest obst acle is t hat some of it s l -t orsions may have huge size t oo. Not ice t hat if E is represent ed by Weiest rass equat ion y 2 = x 3 + ax + b, a, b ∈ Z K , t hen t he l -t orsions have very large coordinat es. But at least all t he y -coordinat es share a lot of common fact ors. We could hope t hat t he Weiest rass equat ion will be birat ionally equivalent t o an equat ion wit h all t orsions in reasonable size. Our expect at ion of t he curve are summarized in t he conject ure 1. D e fi n it io n 1 . T he height of an in teger n is defi n ed to be log | n | . T he height of a ration al n um ber mn , n , m ∈ Z , ( n , m ) = 1, is defi n ed to be log | n | + log | m | .

C on jecture 1. T here is a const ant c, such t hat for any given prime p , t here exist s an ellipt ic curves E / K , [K : Q ] ≤ (log p ) c , K = Q [x ]/ ( k ( x )) = Q ( α ), and

1. T he height s of all t he coeffi cient s of k ( x ) are bounded by (log p ) c . k ( x ) is separable over F p and it split s complet ely over F p . ∈

Z [x ]

Nonuniform P olynomial T ime Algorit hm t o Solve DDH P roblem

295

2. T here are l -t orsion point s P 1 , P 2 , ..., P l = 0 ∈ E ( K ), where l is t he largest prime divisor of p − 1 (we assume t hat l 2  | p − 1). T hey form a group. E has a mult iplicat ive reduct ion at place v above p . all t he P i ’ s reduce t o non-singular point s. 3. E can be represent ed by an equat ion f (x , y ) = 0

such t hat for any 1 ≤ i ≤ l , if P i = ( x i , y i ), t he minimum polynomials in Q [x ] for x i and y i are gi ( x ) and h i ( x ), t hen t he height of all t he coeffi cient s of gi and h i are bounded by (log p ) c . We would like t o ment ion several very deep result s proved by Mazur[11], Kamienny[9], Merel[12], Parent [14], Hindry and Silverman[7] respect ively about t he t orsions on t he ellipt ic curves. It is t hese result s t hat mot ivat e us t o formulat e t he conject ure. P ro p o s it io n 2 . Let E be an elliptic curve over a n um ber fi eld K . W e den ote the order of the torsion subgroup of E ( K ) by N . Let d = [K : Q ]. S uppose that p is a prim e divisor of N , an d p n the largest power of p dividin g N

1. If d = 1, the torsion subgroup of E ( Q ) , is isom orphic to on e of the followin g groups: Z / m Z for m ≤ 10, or Z / 2Z × Z / 2m Z for m ≤ 4. 2. If d = 2, there is a positive in teger B such that N ≤ B . M oreover, p ∈ { 2, 3, 5, 7, 11, 13} . 3. W e have p pn



(1 + 3d / 2 ) 2



65(3d



1)(2d ) 6 .

4. If the curve E has good reduction everywhere, then the n um ber of K -ration al torsion poin ts of E is boun ded by 1 977 408d log d

5

To rsio n -t o -To rsio n Lift

In t his sect ion, we describe an algorit hm t o lift t he point s over finit e field (which are cert ainly t orsions) t o t orsion point s over number field. We use t he same not at ion as in t he conject ure sect ion. First we fix one embedding: K →

Qp,

by mapping α t o one of p -adic root s of k ( x ). If a p -adic number a is an image of x ∈ K by t his embedding, t hen t he minimum polynomial over Q of x can be comput ed in polynomial t ime on log p and t he size of t he minimum polynomial. In t he comput ing, we only need know t he first m digit s of a , where m is also bounded by polynomial on log p and t he size of t he minimum polynomial.

296

Qi Cheng and Shigenori Uchiyama

Let f˜ ( x , y ) = 0

be p -adic represent at ion of f ( x , y ) = 0 upt o m digit s, where m will be set lat er. Let F ( x , y ) be t he curve on f˜ mod p . F ( x , y ) = 0 is a singular cubic curve wit h a node. Suppose we want t o solve t he DDH problem in subgroup S of F p wit h order l , where l | p − 1 is a prime. For any point Q = ( a, b) = φ 1 ( x ) on F , ∗



l Q = 0 mod p.

T here is a l -t orsion point P = ( x , y ) on f which will reduce t o Q . We first find out t he p -adic represent at ion of P . Let P = ( a + a 1 p + a 2 p 2 + · · · , b + b1 p + b2 p 2 + · · · ). From l ( a + a 1 p, b + b1 p ) = 0 mod p 2 ,

by using squaring t echnique, combined wit h t he curve equat ion, f˜ ( a + a 1 p, b + b1 p ) = 0

(mod p 2 ) ,

we can solve a 1 and b1 effi cient ly. Not e t hat a 1 or b1 only occur in linear t erms. Similarly, from  l ( a + a 1 p + a 2 p 2 , b + b1 p + b2 p 2 ) = 0 (mod p 3 ) f˜ ( a + a 1 p + a 2 p 2 , b + b1 p + b2 p 2 ) = 0 (mod p 3 ) we can get a 2 and b2 . Generalize t his idea, we will obt ain t he p -adic represent at ion up t o m digit al in t ime ( m log p ) O ( 1 ) . On t he ot her hand, we know t hat t he minimum polynomials of x and y have coeffi cient s whose sizes are bounded by (log p ) c . T hose polynomial, denot ed by g and h respect ively, can be comput ed using L L L -algorit hm when m is big enough. By fact oring g and h over K , we get t he represent at ion of x and y as element s in K .

6

S h ift in g P rim e

T here cert ainly exist s a prime r , sat isfying 1. l | r − 1 and l 2  | r − 1. 2. T here is a place u over r wit h degree 1 in K . 3. T he reduct ion of f at place u is non-singular, hence it is an ellipt ic curve. Fix an embedding: K →

Qr .

Let t ( x , y ) = 0 be t he reduct ion of f at place u . All t he l -t orsion point s will reduce t o a F r -rat ional point s on g . T hey form a subgroup in t ( F r ). T he key observat ion here is t hat t he calculat e of Tat e-pairing on t his subgroup is nont rivial and effi cient . T his concludes t he whole reduct ion, which can be illust rat ed by following pict ure.

Nonuniform P olynomial T ime Algorit hm t o Solve DDH P roblem E

(K )

ր

F

(n

s

)

297

ց

(F q )

t (F

r

)



F

∗ q

T h e o re m 1 . A dopt the n otation in the con jecture 1. A ssum e that the con jecture is true. G iven the p -adic represen tation of f upto to m digits an d the reduction of f m odulo the place u , there is a polyn om ial tim e algorithm to solve D D H problem in the l -subgroup of F ∗p .

T he algorit hm is summarized in t he following: N o n -u n ifo rm in fo rm a t io n : p ; T he p -adic represent at ion of digit s; P rime r ; T he reduct ion of f at place u . I n p u t : a, b, c ∈ F p .

E

upt o t o m

1. From p -adic represent at ion of E , comput e E = E mod p . We get a singular cubic curve wit h a node. 2. Comput e A = φ 1 ( a ), B = φ 1 ( b), C = φ 1 ( c) on E . 3. Fix K → Q p . 4. Lift A , B and C t o A , B and C on E . We comput e t he p -adic represent at ions of A , B and C first . T hen we use L L L -algorit hm t o comput e A , B , C ∈ K 2. 5. Fix K → Q r . Comput e t he reduct ion of A , B and C on E . Denot e t hem by A , B and C . 6. Solve DDH problem of A , B and C . Out put t he answer. ′





















′ ′

′ ′

′ ′

′ ′

′ ′

′ ′

′ ′

Here we not e t hat , since t he prime l sat isfies t hat l 2  | r − 1, so we can evaluat e t he l -t h Tat e-pairing  A , A  l = 1 (See [8,5]). T hat is, we can solve t he DDH problem A , B and C . T he algorit hm is non-uniform, because for every p , we need t he p -adic represent at ion of f , t he special prime r and t he reduct ion of f modulo t he place u . We don’ t know how t o comput e t hese paramet ers at t his t ime. ′ ′

′ ′

7

′ ′

′ ′

′ ′

A p p lic at io n t o t h e E llip t ic C u rv e D isc re t e Lo g arit h m

Let E be a curve defined over a number field K . E t o r ( K ) has order l . For simplicity, we assume t hat l is a prime. Assume t hat E has good reduct ion E / F q at place v . W.l.o.g, we assume t hat | E ( F q ) | = l . ′



C o ro lla ry 1 . T he discrete logarithm on E ′ ( F q ) has n on un iform subexpon tial algorithm if there is a con stan t c such that,

1. K = Q [x ]/ k ( x ) = Q [α ], [K : Q ] ≤ (log p ) c . T he heights of all the coeffi cien ts of k ( x ) are boun ded by (log p ) c . k ( x ) ∈ Z [x ] is separable an d it splits com pletely over F p .

298

Qi Cheng and Shigenori Uchiyama

2. T here are l -torsion poin ts P 1 , P 2 , ..., P l = 0 3. E can be represen ted by an equation ∈

E

( K ) . T hey form a group.

f (x , y ) = 0

such that for an y 1 ≤ i ≤ l , if P i = ( x i , y i ) , the m in im um polyn om ials in Q [x ] for x i an d y 1 are gi ( x ) = an d h i ( x ) = 0, then the height of all the coeffi cien ts of gi an d h 1 are boun ded by (log p ) c . S ke t ch o f t h e p ro o f: If t he condit ions in t he corollary hold, t hen t here must exist a prime p such t hat r | p − 1 and t he reduct ion of E , denot ed by E / F p , at place u over p is non-singular. Because E has a t orsion group over K , E ( F p ) has l -part subgroup and t he Tat e-pairing of element s in t he subgroup can be effi cient ly comput ed. We can apply FR-algorit hm here [5]. Hence t he discret e logarit hm over t he r -part of E ( F q ) has non-uniform subexpont ial t ime solut ion. ′ ′

′ ′



8

D isc u ssio n

In conject ure 1, we don’t require t hat t he size of curve E is small. In fact , it is impossible. Since curve E has a large t orsion group of prime order, it must have bad reduct ions at a lot of small primes. T he j -invariant of E will have very large height , hence t he plain represent at ion of E will t ake huge amount of space. T he p -adic represent at ion of E is not complet e, in t he sense t hat we only have t he represent at ion up t o t he precision of polynomial bound (log p ) O ( 1 ) . However, since t he size of t orsions are assumed t o be small, we will get complet e informat ion of t orsions.

A ckn ow le d g e m e nt s We t hank Dr. Ming-Deh Huang, Dr. Sheldon Kamienny and Dr. Len Adleman for helpful discussions.

R e fe re n c e s 1. D. Boneh, “T he Decisional Diffi e-Hellman P roblem,” P roc. of A N T S-I V , LNCS 1423, Springer-Verlag, pp.48–63, 1998. 2. R. Cramer and V. Shoup, “A P ract ical P ublic Key Crypt osyst em P rovably Secure against Adapt ive Chosen Ciphert ext At t ack,” P roc. of C r ypt o’ 98, LNCS 1462, Springer-Verlag, pp.13–25, 1998. 3. W . Diffi e and M.E. Hellman, “New Direct ions in Crypt ography,” I E E E T ransact i ons on I nfor m at i on T heor y , IT -22(6), pp.644–654, 1976. 4. T . ElGamal, “A public key crypt osyst em and a signat ure scheme based on discret e logarit hms,” I E E E T ransact i ons on I nfor m at i on T heor y , 33, pp.469–472, 1985. 5. G. Frey, H.G. Ruck, A remark concerning m -divisibility and t he discret e logarit hm in t he divisor class group of curves. M at hem at i cs of C om put at i on , Volume 62, Issue 206, 1994, 865-874.

Nonuniform P olynomial T ime Algorit hm t o Solve DDH P roblem

299

6. S. Goldwasser and S. Micali, “P robabilist ic Encrypt ion,” J our nal of C om put er and Syst em Sci ences, 28, pp.270–299, 1984. 7. M. Hindry, J . Silverman, Sur le nombre de point s de t orsion rat ionnels sur une courbe ellipt ique. (French. English, French summary) [On t he number of rat ional t orsion point s on an ellipt ic curve] C. R. Acad. Sci. P aris Ser. I Mat h. 329 (1999), no. 2, 97–100. 8. A. J oux and K. Nguyen, “Separat ing Decisional Diffi e-Hellman from Diffi eHellman in crypt ographic groups,” C r ypt ology eP r i nt A rchi ve: Repor t 2001/ 003 , http://eprint.org/2001/003 9. S. Kamienny, Torsion point s on ellipt ic curves, B ul l. A m er . M at h. Soc. ( N .S.) 23 (1990), no. 2, 371–373. 10. U. Maurer and S. Wolf, “T he relat ionship between breaking t he Diffi e-Hellman prot ocol and comput ing discret e logarit hms,” SI A M J . C om put . , 28(5), pp.1689– 1731, 1999. 11. B. Mazur, Rat ional point s on modular curves, In: Modular Funct ions of One Variable, V, L ect ure N ot es i n M at hem at i cs, Vol. 601. New York: Spring-Verlag, 1976. 12. L. Merel, Bornes pour la t orsion des courbes ellipt iques sur les corps de nombres. (French) [Bounds for t he t orsion of ellipt ic curves over number fields] I nvent . M at h. 124 (1996), no. 1-3, 437–449. 13. M. Naor and O. Reingold, “Number t heoret ic const ruct ions of effi cient pseudo random funct ions,” P roc. F O C S’ 97, pp.458–467, 1997. 14. P. P arent , Bornes eff ect ives pour la t orsion des courbes ellipt iques sur les corps de nombres. (French. French summary) [Eff ect ive bounds for t he t orsion of ellipt ic curves over number fields] J . Reine Angew. Mat h. 506 (1999), 85–116. 15. R. Rivest , A. Shamir and L.M. Adleman, “A Met hod for Obt aining Digit al Signat ures and P ublic Key Crypt osyst ems,” C om m uni cat i ons of t he A C M , 21(2), pp.120–126, 1978. 16. V. Shoup, “Lower bounds for discret e logarit hms and relat ed problems,” P roc. of E urocr ypt o’ 97, LNCS 1233, Springer-Verlag, pp.256–266, 1997. 17. Y. T siounis and M. Yung, “On t he security of ElGamal based encrypt ion,” P roc. of P K C ’ 98, LNCS 1431, Springer-Verlag, pp.117–134, 1998.

S e c u re K e y - E v o lv in g P ro t o c o ls fo r D is c re t e L o g a rit h m S ch e m e s Cheng-Fen Lu and ShiuhP yng Winst on Shieh ⋆ Comput er Science and Informat ion Engineering Depart ment Nat ional Chiao Tung University, Taiwan 30050 { cflu,ssp} @csie.nctu.edu.tw

T his paper addresses t he security and effi ciency of key-evolving prot ocols. We ident ify forward-secrecy and backward-secrecy as t he security goals for key-evolving and present two prot ocols t o achieve t hese goals. T he first prot ocol is operat ed in Z p and is effi cient for t he secret key holder; t he second one is operat ed in Z n , and is effi cient for t he public-key holder. For bot h prot ocols, we provide proofs and analysis for correct ness, security and effi ciency.

A b st r a c t .





Key Management , Key-Evolving, Forward-Secrecy, Backward-Secrecy. K e y w o r d s:

1

In t ro d u c t io n

Over t he past 20 years, public key crypt ography has provided many signat ure schemes and public key crypt osyst ems. However, if a signing key or decrypt ion key is compromised, it is regarded a t ot al break of t he syst em. To avoid t his undesirable sit uat ion, one common pract ice is assigning each key a cert ain usage period and updat ing t he key when ent ering a new period. T herefore, t he security and effi ciency of key updat ing or key-evolving becomes an import ant t opic for key management [11]. Key-evolving is commonly employed for symmet ric crypt osyst ems, where t he sender and t he receiver of a message share a common mast er key. Inst ead of using t his shared key direct ly, t hey use it t o derive a set of sub-keys and each sub-key is valid for a cert ain period or for a specific applicat ion [1]. In t his paper, we focus on t he key-evolving of asymmet ric key syst ems, where t he communicat ion part ies no longer possess t he same mast er key. Inst ead, t he secret key holder (t he decrypt or or t he signer) generat es t he public and secret key base and t he public key holder (t he encrypt or or t he verifier) ret rieves t his public key base. In t he beginning, t he public key base is first signed by a Cert ificat e Aut hority (CA). And t hen it is ret rieved and verified by t he public key holder. Wit hout a key-evolving prot ocol, t he cert ificat e ret rieval and verificat ion operat ions must be performed periodically. Wit h a key-evolving prot ocol, t he cert ificat e ret rieval and verificat ion operat ion is performed only once for t he public ⋆

T his work is support ed in part by Minist ry of Educat ion, Nat ional Science Council of Taiwan, and Lee & MT I Cent er, Nat ional Chiao Tung University.

B . P r e n e e l ( E d .) : C T -R S A 2 0 0 2 , L N C S 2 2 7 1 , p p . 3 0 0 – 3 0 9 , 2 0 0 2 .  c S p r in g e r -Ve r la g B e r lin H e id e lb e r g 2 0 0 2

Secure Key-Evolving P rot ocols for Discret e Logarit hm Schemes

301

key base. T hereaft er, bot h part ies updat e t heir corresponding public or secret keys for t he fut ure periods. T he goal of secure key-evolving is t o reduce t he damage in case of a secret key compromise. T he corresponding security not ions have been invest igat ed in papers of key management and key agreement [12,8,14]. T here t he propert ies such as forward-secrecy, backward-secrecy, key-independence were defined. Informally, forward-secrecy refers t o t hat t he compromise of one or several secret keys does not compromise previous secret keys. Likewise, backward-secrecy refers t o t hat t he compromise of one or several secret keys does not compromise fut ure secret keys. Key-independence means t he secret keys used in diff erent periods are basically independent . T hus, even if t he at t acker finds out t he secret key of a cert ain period, it gives him lit t le advant age in finding t he secret keys of ot her periods. One relat ed concept of t he forward-secrecy is t he perfect forward-secrecy , which assures t hat t he “compromise of long-t erm keys does not compromise past session keys” [7,11]. Also in recent papers of forward-secure signat ure, signat ures schemes wit h forward-secrecy propert ies were proposed [4,9]. T he relat ed concept of t he backward-secrecy is t he resist ance t o t he kn own -key attack , which assures t he compromise of past sessions keys will allow neit her a passive adversary t o compromise fut ure session keys nor an act ive adversary t o impersonat e in t he fut ure [5,17,16,11]. Recent ly, T zeng proposed two public key encrypt ion schemes which also enjoy t he property of key-independence but t hey require t he help of t he ext ra t rust ed agent (TA) in init ial key dist ribut ion and at each key-evolving [15]. T he security not ions for t he key-evolving prot ocol have been lit t le invest igat ed. T hus, we redefined t he above security not ions in t he key-evolving set t ing. Besides, we present ed and analyzed two key-evolving prot ocols for discret e logarit hm schemes. T he advant age of t hese key-evolving prot ocols is t hat no t rust ed agent is needed and t hey are applicable for bot h public key encrypt ion schemes and signat ure schemes. T his paper is organized as follows. Sect ion 2 describes t he model and definit ions. Sect ion 3 present s t he prot ocol based on t he diffi culty of comput ing discret e logarit hm in Z p . Sect ion 4 present s t he prot ocol based on t he diffi culty of fact oring a large composit e n . Sect ion 5 discusses t he possible ext ensions of t he prot ocols. Sect ion 6 concludes t his paper. ∗

2

M o d e l a n d D e fi n it io n s

Let ( P K B , S K B ) denot e t he pair of t he public/ secret key base, which is used t o derive t he key-pair in i − t h period, ( P K i , S K i ). D efi n it ion 1

A key-evolvin g protocol con sists of three algorithm s ( K G , g , f ) :

1. P ublic/ S ecret K ey B ase G en eration A lgorithm K G ( k ) G iven a security param eter k , the secret key holder gen erates the public/ secret key base ( P K B , S K B ) . S K B is kept secret at the secret key holder an d P K B is then distributed to the users in the form of public certifi cate.

302

Cheng-Fen Lu and ShiuhP yng W inst on Shieh

2. P ublic K ey-E volvin g A lgorithm g () G iven the period i an d P K B , the public key holder com putes P K i = g ( P K B , i ) . 3. S ecret K ey-E volvin g A lgorithm f () G iven the period i an d S K B , the secret key holder com putes S K i = f ( S K i − 1 ) or f ( S K B , i ) .

Next , some desirable propert ies of t he key-evolving prot ocols are present ed as follows: D e fi n i t i o n 2 A key-evolvin g protocol is forward-secret if the com prom ise of S K will n ot com prom ise S K j for all j < i .

i

A key-evolvin g protocol is backward-secret if the com prom ise of will n ot com prom ise S K j for all j > i .

D efi n it ion 3

SK

i

D e fi n i t i o n 4 A key-evolvin g protocol is key-in depen den t if it is forward-secret an d backward-secret.

D efi n it ion 5

A key-evolvin g protocol is t-boun ded key-in depen den t if

1. T he com prom ise of a set of secret keys C an d | C | > the secret keys. 2. T he com prom ise of a set of secret keys C an d | C | com prom ise addition al secret keys.

3

t



will com prom ise all t

does n ot help to

P ro t o c o l 1

T he first prot ocol is based on t he diffi culty of comput ing discret e logarit hm in Z p . It applies a t echnique of Feldman for t he const ruct ion of a non-int eract ive verifiable secret sharing scheme [6]. T his t echnique uses t he secret sharing scheme of Shamir [13], where a polynomial f ( x ) of degree t is employed. Polynomials have t he following propert ies: ∗

I. Given t + 1 dist inct point s on t he polynomial f ( x ) degree t , namely ( x 0 , y 0 ), ( x 1 , y 1 ), · · · , ( x t , y t ) and y i = f ( x i ), all t he t + 1 coeffi cient s can be det ermined. In ot her words, t he polynomial can be uniquely det ermined. II. Given t dist inct point s on t he polynomial f ( x ) degree t , namely ( x 1 , y 1 ) , ( x 2 , y 2 ) , · · · , ( x t , y t ) and y i = f ( x i ), t he t + 1 coeffi cient s cannot be uniquely det ermined. T he P rot ocol is present ed in Figure 1, consist ing of t hree algorit hms: First , t he secret key holder execut es t he key base generat ion algorit hm and publishes t he public key base P K B = ( P 0 , P 1 , · · ·P t ) = ( g a 0 , g a 1 , · · · , g a t ), where a 0 , a 1 , · · · , a t are random. In cont rast , S K B = ( a 0 , a 1 , · · ·a t ), t he set of coeffi cient s of f ( x ), is kept secret . Also he publishes a hash funct ion h t hat works as a simple randomizer and t akes t he index of t he period t o a number in Z q , i.e. h ( i ) ∈ Z q . Depending on t he applicat ion, t his h ( · ) can be required t o be collision-free or be a permut at ion in Z q .

Secure Key-Evolving P rot ocols for Discret e Logarit hm Schemes

303

1. P ublic/ Secret Key Base Generat ion Algorit hm K G (1n , t ) (1) T he secret key holder chooses a n − bit prime p = 2q + 1 wit h t hat q is a prime of at least 160-bit s long, i.e. q > 2160 . Let G q denot e t he subgroup of t he quadrat ic residues modulo p and g t he generat or of G q . (2) T he secret key holder chooses a t -degree polynomial f ( x ) wit h it s coeft ficient s randomly chosen from Z q and f ( x ) = ( a j x j ) (mod q ). SK B = j = 0 ( a 0 , a 1 , · · · , a t ), t he coeffi cient s of f ( x ), will be kept secret and used t o derive t he secret keys for lat er periods. (3) T he secret key holder publishes t he public key base informat ion and a hash funct ion, including: PK B = ( P 0 , P 1 , ·

· ·

and

h

Pt

) = (g a 0 , g a 0 , · · ·

:N

Z →

q

,g

a t

),

.

2. P ublic Key-Evolving Algorit hm Given t he index i , t he public key holder will updat e it s public key of period as follows: t  j (P j )h ( i ) (mod p ) . PK i = j

i

=0

3. Secret Key-Evolving Algorit hm Given t he index i , t he secret key holder will updat e t he key of period SK i =

f

( h ( i ))

i

as:

(mod q ) .

Key-evolving prot ocol using Feldman’s t echnique

F ig. 1 .

T he public key holder ret rieves and verifies P K B and h ( · ). Suppose t hat he  t j needs t he public key of t he period i . He would t hen comput e P K i = j = 0 ( P j ) h ( i ) (mod p ). S K B is t he long-t erm syst em secret , prot ect ed separat ely from S K i at t he secret -key holder. It s prot ect ion follows t he paper of Shamir secret -sharing scheme [13]. At t he beginning of t he period i , t he secret key holder evaluat es t he secret key as S K i = f ( h ( i )) (mod q ). T he analysis of t his prot ocol is as follows: C orrectn ess. T he relat ion of P K

 PK

i

=

=

g

SK i

is est ablished because 

t

(P j )h ( i )

= j

i

j

=0

g

t

j = 0

t

(g a j )h ( i )

(mod p ) =

(i )j

(m od

q)

=

g

(mod p )

=0

j a j ·h

j

f

(h (i ))

(m od

q)

=

g

SK i

.

S ecurity. T he following lemmas summarize t he security property. T he ability of the attacker, who is able to com pute the correspon din g S K of a given P K , is equivalen t to the solvin g of the D iscrete Logarithm problem in Z p∗ .

L em m a 1 .

304

Cheng-Fen Lu and ShiuhP yng W inst on Shieh

P roof: ( ⇐ ) T his is t rivial because S K = logg P K . ( ⇒ ) We can build a DL-oracle using t his at t acker. Suppose we want t o find a x = logg y . We choose P K = y g and give it t he at t acker. If t he at t acker out put s t he secret key S K corresponding t o P K , we can comput e x = logg y = logg ( P K / g a ) = logg P K − a = S K − a . Q.E.D. C on j ect u r e 1

T he protocol in F igure 1 is t-boun ded key-in depen den t.

Remark: Given t + 1 set s of keys of ( S K i 0 , i 0 ) , ( S K i 1 , i 1 ) , · · · , ( S K i t , i t ), t he at t acker can det ermine t he coeffi cient s of f ( x ) and t hus t he secret keys of all periods. If less t han t + 1 secret s keys are compromised, t hen t he polynomial for t he secret key-evolving can not be unique det ermined, i.e. it has at least q ≥ 21 6 0 free choices for t he coeffi cient s. T herefore, t he only way t o comput e one ext ra secret key corresponding t o a public key seems t o comput e t he discret e logarit hm in Z p , which is int ract able. T he int erest ing problems include (1) building a DL oracle using t he successful at t acker of breaking t -bounded key-independence property and (2) using t he successful at t acker t o const ruct t he oracle for Diffi e-Hellman (DH) or Decisional Diffi e-Hellman (DDH) problem. ∗

E ffi cien cy. For t he secret key holder, t his prot ocol is very effi cient , requiring

only t he evaluat ion of a t -degree polynomial over Z q . For t he public key holder, t his prot ocol requires t modular exponent iat ions and t modular mult iplicat ions. However, t o reduce t he on-line comput at ion, t he t modular exponent iat ions can be pre-comput ed.

4

P ro t o c o l 2

T his prot ocol is based on t he diffi culty of comput ing discret e logarit hms in Z n , where n is t he product of several large primes. It uses t he same t echnique of Maurer-Yacobi in t he design of non-int eract ive public-key dist ribut ion syst em [10]. Recent ly, t his t echnique was also suggest ed by Anderson t o build a forwardsecret signat ure scheme [2]. All operat ions are performed in Z n , where fact oring n is hard and g is t he element of t he maximal order in Z n . A lemma from Maurer and Yacobi showed t hat every square modulo n has a discret e logarit hm t o t he base of g . And t he knowledge of t he fact orizat ion of n is t he t rapdoor for solving t he discret e logarit hm problem; namely, ∗





1. For t he secret key holder, wit h t he t rapdoor knowledge of t he fact ors of n , he can comput e S K i = l o g g ( P K i ). 2. For someone wit hout t his t rapdoor knowledge, given P K i , t he comput at ion of S K i is int ract able. T his prot ocol is present ed in Figure 2, consist ing of t hree algorit hms. In t he beginning, t he secret key holder first execut es t he key base generat ion

Secure Key-Evolving P rot ocols for Discret e Logarit hm Schemes

305

1. P ublic/ Secret Key Base Generat ion Algorit hm T he secret key holder chooses a k -bit composit e n = p 1 p 2 · · · p r where t he fact orizat ion of n is int ract able and ( p 1 − 1) / 2, ( p 2 − 1) / 2, · · · , ( p r − 1) / 2 are pairwise relat ively prime. Next , he chooses an element g of t he maximal order in Z n . T hen he broadcast s t he public key base PK B = ( n , g , H , PK 0 ), where t he following requirement s are met . (a) SK B = ( p 1 , p 2 , · · · , p r ), t he set of fact ors of n , is kept secret t o t he secret key holder, (b) H ( · ) : { 0, 1} → Z n is a crypt ographic hash funct ion, (c) PK 0 is a random number. 2. P ublic Key-Evolving Algorit hm Given t he period i , t he public key holder evaluat es for j = 1 t o i , ∗





PK

j

= ( H ( PK

j −

1 ))

2

(mod

n

) ∈

QR n

.

3. Secret Key-Evolving Algorit hm In t he beginning of period i , t he secret key holder first comput e t he public key by one hash-and-square PK i = ( H ( PK

i −

1 ))

2

(mod

n

) ∈

QR n

.

W it h t he knowledge of t he fact ors of n , t he secret key holder comput es SK i = F ig. 2 .

l ogg

( PK i ) .

Key-Evolving based on Maurer-Yacobi Scheme

algorit hm and publishes t he public key base P K B = ( n , g , H , P K 0 ), where n and g are defined as above, H is a crypt ographic hash funct ion, and P K 0 is a random number. T he secret key base S K B , consist ing of t he fact ors of n , is kept secret . T he public key holder ret rieves and verifies t he public key base P K B . Suppose t hat he needs t he public key of t he period i . He would t hen perform a series of hash-and-square operat ions t o get P K 1 = ( H ( P K 0 )) 2 (mod n ), P K 2 = ( H ( P K 1 )) 2 (mod n ), · · · , P K i = ( H ( P K i 1 )) 2 (mod n ). If he could st ore some of t hese int ermediat e values, he can reduce t he hash-and-square comput at ions. S K B is t he long-t erm syst em secret , prot ect ed separat ely from S K i at t he secret holder. It s prot ect ion follows t he paper of Maurer and Yacobi [10]. At t he beginning of t he period i , t he secret key holder performs t he hash-and-square P K i = ( H ( P K i 1 )) 2 (mod n ) and t hen calculat es t he corresponding secret key S K i = l o g g ( P K i ) wit h his t rapdoor knowledge. T he analysis of t his prot ocol is as follows: −



= g S K i is est ablished because S K i is comput ed by t he secret key holder using t he fact ors of n (t rapdoor informat ion).

C orrectn ess. P K

i

306

Cheng-Fen Lu and ShiuhP yng W inst on Shieh

S ecurity. We will show t hat t he security of t his prot ocol depends on t he follow-

ing relat ions between t he comput ing discret e logarit hm in [3,10,11].

Z



n

and fact oring

n

I. If t he discret e logarit hm problem in Z n can be solved effi cient ly, t hen n can be fact ored effi cient ly. II. If n can be fact ored effi cient ly and if t he discret e logarit hm in every Z p , p | n can be solved effi cient ly, t hen t he discret e logarit hm problem in Z n can be solved effi cient ly. ∗





T he following lemmas summarize t he security property. First , we show t hat successful at t acker can be used t o const ruct a DL oracle in Z n . Next , we st at e a lemma from Maurer and Yacobi about t he fact orizat ion of n using a DL-oracle [10]. For det ailed algorit hm, please refer t o t he original paper. Finally, we prove t he security in t he random oracle model. ∗

T he ability of the attacker, who is able to com pute the correspon din g S K of a given P K , is equivalen t to the solvin g of the D iscrete Logarithm problem over Z n∗ .

L em m a 2 .

P roof: ( ⇐ ) T his is t rivial because S K = logg P K . ( ⇒ ) We can build a DL-oracle using t his at t acker. Suppose we want t o find a x = logg y . We choose P K = y g and give it t he at t acker. If t he at t acker out put s t he secret key S K corresponding t o P K , we can comput e x = logg y = logg ( P K / g a ) = logg P K − a = S K − a . Q.E.D. [10] Let n be the product of distin ct odd prim es p 1 , · · · , p r an d let g be prim itive in each of the prim e fi elds GF( p i ) for 1 ≤ i ≤ r . T hen com putin g discrete logarithm s m odulo n to the base of g is at least as diffi cult as factorin g n com pletely. L em m a 3 .

In the ran dom oracle m odel, the key-evolvin g protocol in F igure 2 is key-in depen den t if factorin g n is hard.

T h eor em 1 .

P roof: We will show how t o fact or n if t he successful at t acker breaks t he key-independent property. First , we will build a DL oracle using t he successful at t acker. Next , we follow t he algorit hm of Maurer-Yacobi t o fact or n using t his DL oracle. Given y in t he maximal cyclic group of Z n , we will use t he successful at t acker t o comput e x = logg y . First , we will generat e a set of random numbers { r i | i = 1, 2, · · · , T + 1} . And we cont rol t he random oracle t o out put { r 1 , r 2 , · · · , r k 1 } at t he first k − 1 queries. T hus, t he following relat ions hold. ∗



r1 r2

rk− 1

= = =

(P K 0 ), H (P K 1 ), .. .

PK PK

H

H

(P K

k −

2 ),

PK

k −

1 2

= =

.. . 1 =

2

r1

2

r2

2

r k − 1.

Secure Key-Evolving P rot ocols for Discret e Logarit hm Schemes

At t he beginning of t he k periods, we force t he random oracle t o out put

307 yg

a

,

i.e. yg

a

=

H

(P K

k −

1 ),

PK

k

=

2 2a

y g

.

For periods from k + 1 t o T + 1, t he random oracle proceeds as usual. Second, we give ( P K i , S K i ) and t he above public key set t o t he at t acker A . If he successes t o break forward-secrecy and forward-secrecy, A would ret urn ( P K j , S K j ) for some j = i . T he probability t hat j = k is T1 . If t his happens, we have S K j = S K k = logg P K k = logg y 2 g 2 a = 2 logg y + 2a = 2x + 2a . Because P K j = P K k is a square in Z n , S K j will be even. T hough t he order λ ( n ) is unknown, t he discret e logarit hm of y can be comput ed as follows: ∗

1 SK j − a. 2 Given t his DL oracle, we follow Maurer-Yacobi’ s met hod t o fact or n . T herefore, if fact oring n is hard, t his key-evolving prot ocol is key-independent in t he random oracle model. Q.E.D. x

=

E ffi cien cy. T his prot ocol is especially effi cient for t he public key holder because only i hash-and-square operat ions are needed and t his can be pre-comput ed. Also if t he public key holder st ores some int ermediat e values, t he load of t he public key-evolving is furt her reduced. T hus it is suit able for public key holders wit h low comput at ion power such as mobile devices or smart cards. T he load of secret key holder is mainly t he comput at ion of discret e logarit hm of Z p , p | n . T he comput at ion of discret e logarit hm relies on t he choices of p [10]; for example, one can employ Pohlig-Hellman algorit hm when p | n , ( p − 1) / 2 is chosen t o be t he product of primes of moderat e size. ∗

5

P o s s ib le E x t e n s io n s

T he possible ext ensions of t he prot ocols include: First , t he immediat e problem is t o prove t he conject ure 1 using st ronger assumpt ion such as DH or DDH assumpt ion or using DL assumpt ion in a rest rict ed model. Second, can we provide a public-key holder effi cient prot ocol in Z p inst ead of in Z n ? And is it possible t o use t his key-evolving model for specific algebraic st ruct ure or RSA relat ed schemes? T hird, since each DL key pair is associat ed wit h a period, it will be desirable t o provide period-st amping or t ime-st amping service of t he public key. Furt hermore, applying t hese two party prot ocols t o mult i-party comput at ion would be an int erest ing t ask. ∗



6

C o n c lu s io n

We first discussed about t he import ance of key-evolving and t hen ident ified several security not ions, namely forward-secrecy, backward-secrecy, and key independence. Next , two concret e const ruct ions were proposed. One prot ocol is

308

Cheng-Fen Lu and ShiuhP yng W inst on Shieh

based on a t echnique of Feldman, and it is effi cient for t he secret -key holder; t he ot her one is a variant of t he Maurer-Yacobi prot ocol, and it is effi cient for t he public-key holder. Besides, we provide proofs and analysis for correct ness, security and effi ciency. Finally, we point ed out t he possible ext ensions for fut ure work.

R e fe re n c e s 1. M. Abdalla and M. Bellare. Increasing t he lifet ime of a key: a comparat ive analysis of t he security of re-keying t echniques. In T . Okamot o, edit or, Advances i n Cr yptology – A SI A CRY PT ’ 2000, Kyot o, J apan, 2000. 2. R.J . Anderson. T wo remarks on public key crypt ology. In Rump Sessi on Eurocr ypt’ 97. 3. E. Bach. Discret e logarit hm and fact oring. Repor t no. UCB/ CSD 84/ 186, Comp. Sc. Di vi si on ( EECS) , Uni ver si ty of Cali for ni a, Ber keley, J une 1984. 4. M. Bellare and S. K. Miner. A forward-secure digit al signat ure scheme. In Proc. 19th I nter nati onal Advances i n Cr yptology Conference – CRY PT O ’ 99, pages 431– 448, 1999. 5. D. E. Denning and M. S. Sacco. T imest amps in key dist ribut ion prot ocols. Communi cati ons of the A CM , 24(7):533–536, 1981. 6. P. Feldman. A pract ical scheme for non-int eract ive verifiable secret sharing. In 28th Symposi um on Foundati ons of Computer Sci ence ( FOCS) , pages 427–437. IEEE Comput er Society P ress, 1987. 7. C. G. Guent her. An ident ity-based key-exchange prot ocol. In J ean-J acques Quisquat er and J oos Vandewalle, edit ors, Advances i n Cr yptology - EuroCr ypt ’ 89, pages 29–37, Berlin, 1989. Springer-Verlag. Lect ure Not es in Comput er Science Volume 434. 8. Y. Kim, A. P errig, and G. T sudik. Simple and fault -t olerant key agreement for dynamic collaborat ive groups. In Proceedi ngs of the 7th A CM conference on Computer and communi cati ons secur i ty ( CCS-00) , pages 235–244. ACM P ress, 2000. 9. H. Krawczyk. Simple forward-secure signat ures from any signat ure scheme. In Sushil J a jodia and P ierangela Samarat i, edit ors, Proceedi ngs of the 7th A CM Conference on Computer and Communi cati ons Secur i ty ( CCS-00) , pages 108–115. ACM P ress, 2000. 10. U. M. Maurer and Y. Yacobi. A non-int eract ive public-key dist ribut ion syst em. Desi gns, Codes and Cr yptography, vol. 9, no. 3:305–316, 1996. 11. A. J . Menezes, P. C. van Oorschot , and S. A. Vanst one. Handbook of A ppli ed Cr yptography. Boca Rat on, 1997. 12. A. P errig. Effi cient collaborat ive key management prot ocols for secure aut onomous group communicat ion. In I nter nati onal W or kshop on Cr yptographi c Techni ques and E-Commerce ( Cr ypT EC ’ 99), J uly 1999. 13. A. Shamir. How t o share a secret . Communi cati on of A CM , pages 612–613, (Nov. 1979). 14. M. St einer, G. T sudik, and M. Waidner. Key agreement in dynamic peer groups. I EEE Transacti ons on Paral lel and Di str i buted Systems, 11(8):769–780, August 2000. 15. W . T zeng and Z. T zeng. Robust key-evolving public key encrypt ion schemes. Record 2001/ 009, Crypt ology eP rint Archive, 2001.

Secure Key-Evolving P rot ocols for Discret e Logarit hm Schemes

309

16. Y. Yacobi. A key dist ribut ion s “paradox”. In Alfred J . Menezes and Scot t A. Vanst one, edit ors, Advances i n Cr yptology - Cr ypto ’ 90, pages 268–273, Berlin, 1990. Springer-Verlag. Lect ure Not es in Comput er Science Volume 537. 17. Y. Yacobi and Z. Shmuely. On key dist ribut ion syst ems. In Gilles Brassard, edit or, Advances i n Cr yptology - Cr ypto ’ 89, pages 344–355, Berlin, 1989. Springer-Verlag. Lect ure Not es in Comput er Science Volume 435.

A u t h or I n d ex

Ab e, Masayuki 277 At eniese, Giuseppe 182

Muurling, Geeke

40

Nguyen, P hong Q. 164 Nit a-Rot aru, Crist ina 182 Nonaka, Masao 131

Bat ina, Lejla 40 Black, J ohn 114 Boyd, Colin 218

Oswald, Elisab et h Cheng, Qi 290 Coron, J ean-S´ebast ien F ischlin, Marc F ischlin, Roger

263

79, 96 96

Galbrait h, St even D. Handschuh, Helena

200 263

J akobsson, Markus 164 J ohnson, Rob ert 244 J oye, Marc 17, 263 J uels, Ari 164 Kaliski J r., Burt on S. Lamberger, Mario 67 Lu, Cheng-Fen 300 Mait land, Greg 218 Mao, Wenbo 200 Micali, Silvio 149, 236 Miya ji, At suko 131 Molnar, David 244

1

67

P aillier, P ascal 263 P at erson, Kennet h G. 200 P oint cheval, David 263 Quisquat er, J ean-J acques Rivest , Ronald L. Rogaway, P hillip

17

149, 236 114

Shieh, ShiuhP yng W inst on Song, Dawn 244 Takii, Yoshinori 131 T ymen, Christ ophe 263 Uchiyama, Shigenori

290

Wagner, David 244 Walt er, Colin D. 30, 53 Wolkerst orfer, J ohannes 67 Yen, Sung-Ming Yung, Mot i 17

17

300