modern cryptography theory and practice wenbo mao phần 9 docx

DOCUMENT INFORMATION

Basic information

Format: docx
Pages: 75
Size: 9.12 MB

Contents

Modern Cryptography: Theory and Practice
By Wenbo Mao, Hewlett-Packard Company
Publisher: Prentice Hall PTR
Pub Date: July 25, 2003
ISBN: 0-13-066943-1
Pages: 648

Many cryptographic schemes and protocols, especially those based on public-key cryptography, have basic or so-called "textbook crypto" versions, as these versions are usually the subjects for many textbooks on cryptography. This book takes a different approach to introducing cryptography: it pays much more attention to fit-for-application aspects of cryptography. It explains why "textbook crypto" is only good in an ideal world where data are random and bad guys behave nicely. It reveals the general unfitness of "textbook crypto" for the real world by demonstrating numerous attacks on such schemes, protocols and systems under various real-world application scenarios. This book chooses to introduce a set of practical cryptographic schemes, protocols and systems, many of them standards or de facto ones, studies them closely, explains their working principles, discusses their practical usages, and examines their strong (i.e., fit-for-application) security properties, often with security evidence formally established. The book also includes self-contained theoretical background material that is the foundation for modern cryptography.

signatures of messages of the forger's choice. This is done via simulation of a signing oracle. In order for the forger to release its full capacity for signature forgery, the simulated signing oracle must behave indistinguishably from a true signer. Since the forger is polynomially bounded, it suffices for us to use the polynomial-time indistinguishability notion which follows Definition 4.15 (in § 4.7). In the rest of this chapter we name a forger Malice, who is an active attacker.
16.3 Strong and Provable Security for ElGamal-family Signatures

For a long period of time (1985–1996) after the birth of the ElGamal signature scheme (§ 10.4.6) and the family of such signatures (e.g., Schnorr § 10.4.8.1 and DSS § 10.4.8.2), it was widely believed that the difficulty of forging such a signature should somehow be related to solving the discrete logarithm in a large subgroup of a finite field. However, no formal evidence (formal proof) was ever established until 1996.
Pointcheval and Stern succeeded in demonstrating affirmative evidence relating the difficulty of signature forgery under a signature scheme in the ElGamal family to that of computing discrete logarithms [235]. They do so by making use of a powerful tool: the random oracle model (ROM) for proof of security [22]. The reader may review § 15.2.1 to refresh the general idea of using the ROM for security proofs (there, ROM-based proofs are for public-key encryption schemes). The ROM-based technique of Pointcheval and Stern is an insightful instantiation of the general ROM-based security proof technique to proving security for the ElGamal-family signatures.

16.3.1 Triplet ElGamal-family Signatures

Let us now introduce a typical version of the ElGamal-family signature schemes which can be provably unforgeable under the ROM. A scheme in this version takes as input a signing key sk, a public key pk and a message M which is a bit string, and outputs a signature of M as a triplet (r, e, s). Here r is called a commitment; it commits an ephemeral integer called a committal which is independent of such values used in all previous signatures; the usual form for constructing a commitment is r = g (mod p) where g and p are part of the public parameters of the signature scheme; e = H(M, r) where H() is a cryptographic hash function; and s is called a signature; it is a linear function of the commitment r, the committal, the message M, the hash function H() and the private signing key sk. Let us name such a signature scheme a triplet signature scheme.

The original ElGamal signature scheme given in Alg 10.3 is not a triplet signature scheme because it does not use a hash function and does not resist an existential forgery (not to further consider adaptive chosen-message attack). However, the version which uses a hash function and thereby becomes existential-forgery resistant, i.e., the variation which we have described in § 10.4.7.2, is a triplet version.
The Schnorr signature scheme (Alg 10.4) is also a triplet one. A signature of a message M produced by the signing algorithm of the Schnorr signature scheme is (r, e, s) where e = H(M, r) for some hash function H(), although in the Schnorr scheme there is no need to send the value r to the verifier since the value can be computed as g^s y^e.

Let us now introduce the reduction technique of Pointcheval and Stern for proving unforgeability for a triplet signature scheme. It is called a forking reduction technique.
16.3.2 Forking Reduction Technique

We have shown in § 10.4.7.1 that a violation of the one-time use of an ephemeral key (committal or, equivalently, commitment r) in a signature scheme in the triplet ElGamal family will lead to uncovering of the signing private key. The uncovering of a signing private key is an efficient solution to a hard problem: extraction of the discrete logarithm of an element (a public key) in a group modulo a large prime.

A reductionist security proof for triplet ElGamal-family signature schemes makes use of this commitment replay technique to uncover the signing private key. A successful forger for such a signature scheme can be reduced, with a similar cost, to an extractor for the signing private key. Since the latter problem, extraction of the discrete logarithm of an element (a public key) in a group modulo a large prime, is reputedly hard (Assumption 8.2 in § 8.4), the alleged successful signature forgery should also be similarly hard, where the similarity between the two efforts depends on the efficiency of the reduction.

In the ROM-based reductionist security proof for a triplet ElGamal signature scheme, the hash function is idealised by a random function called a "random oracle" (RO) which has the behavior specified in § 10.3.1.2. Under the ROM, all ROs are simulated by Simon Simulator. In addition, Simon will also simulate the signing procedure and so answer Malice's signature queries. Thus, Simon can provide Malice with the necessary training course which Malice is entitled to in order to prepare him well in his signature forgery task. If Malice is indeed a successful forger, then he should be educatable, and will output a forged message-signature pair with a non-negligible probability. Simon will use the forged signature to solve a hard problem, which in the case of a triplet ElGamal signature scheme is the discrete logarithm problem in a finite field.
Fig 16.1 illustrates a reduction technique in which Simon makes use of Malice to solve a hard problem.

Figure 16.1. Reduction from a Signature Forgery to Solving a Hard Problem

In our description of the reduction technique of Pointcheval and Stern, which we will be giving in the next two sections, we will try to provide as much intuition as possible. As a result, our probability estimation result does not take the exact formula given by Pointcheval and Stern, although our measurement follows the same logic of reasoning as theirs. In terms of the reduction tightness, our result is an upper bound in comparison to that obtained by Pointcheval and Stern.
Nevertheless, our upper bound suffices to produce a reasonably meaningful contradiction for a large security parameter. The reader with a more investigative appetite is referred to [236] to study their more involved probability measurement.

16.3.2.1 Unforgeability under Non-adaptive Attack

Let us first consider the case of the unforgeability property of triplet ElGamal signature schemes under non-adaptive attack. Let (Gen(1^k), Sign, Verify) be an instance of the triplet version of the ElGamal signature scheme (i.e., the triplet version of Alg 10.3) where the prime p satisfies that there exists a k-bit prime q dividing p – 1 and (p – 1)/q has no large prime factors. Suppose that Malice is a successful forger against (Gen(1^k), Sign, Verify). Let Simon Simulator wrap all communication channels from and to Malice as illustrated in Fig 16.1. However, under the non-adaptive attack scenario, there is no "simulated signing training" in the interaction between Malice and Simon since Malice never requests a signature.
Simon will pick a random element. His goal is to uncover the discrete logarithm of y to the generator base g modulo p, i.e., to uncover the integer x satisfying y ≡ g^x (mod p). Simon will use Malice as a blackbox in such a way that Malice's successful forgery of a new signature on a chosen message will provide Simon enough information to uncover the discrete logarithm. We hope that by now the reader has become instinctively aware of the need for the input problem (i.e., y) to be arbitrary: otherwise, the reduction will not be a useful algorithm.

Let Malice's success probability for signature forgery be Adv(k), which is a significant quantity in k, and let his time spent on signature forgery be t(k), which is a polynomial in k. We shall find out Simon's success probability Adv'(k) for discrete logarithm extraction and his time t'(k) for doing the job. Of course we will relate (t'(k), Adv'(k)) to (t(k), Adv(k)).

First Lot of Runs of Malice

Now Simon runs Malice 1/Adv(k) times. Since Malice is a successful forger, after having been satisfied of a condition (to be given in a moment), he will output, with probability 1 (since he has been run 1/Adv(k) times), a valid signature (r, e, s) of message M under the scheme (Gen, Sign, Verify). That is, where |e| = k. The condition of which Simon must satisfy Malice is that the latter should be entitled to some number of evaluations of the RO function H. Under the ROM, as illustrated in Fig 16.1, Malice has to make RO-queries to Simon.
Simon's response is via the simulation of the RO: he simulates H by maintaining an H-list of sorted elements ((M_i, r_i), e_i) (e.g., sorted by M_i) where (M_i, r_i) are queries and e_i are random answers. Since Malice is polynomially bounded, he can only make n = q_H RO queries where q_H is polynomially (in k) bounded. Let Equation 16.3.1 be n distinct RO queries from Malice. Let be the n answers from Simon. Since |H| = k, Simon's answers are uniformly random in the set {1, 2, 3, …, 2^k}.
Due to the uniform randomness of Simon's answers, when Malice outputs a valid forgery (r, e, s) on M, he must have queried (M, r) and obtained the answer e = H(M, r). That is, it must be the case that (M, r) = (M_i, r_i) for some i ∈ [1, n]. The probability of (M, r) not having been queried is 2^–k (i.e., Malice has guessed Simon's uniformly random answer R_i = e_i correctly without making a query to Simon). Considering the quantity 2^–k to be negligible, we know that ((M, r), e) is in Simon's H-list.

Let us recap an important point which we must bear in mind: without making an RO-query to Simon and without using Simon's answer, Malice cannot be successful except for a minute probability value 2^–k which is negligible. With this observation, we can imagine as if Malice has been "forced" to forge a signature on one of the n messages in (16.3.1).

Second Lot of Runs of Malice to Achieve a Successful Forking

Now Malice is re-run another 1/Adv(k) times under exactly the same condition. That is, he will make exactly the same n queries in (16.3.1). However, this time Simon will reset his n answers uniformly at random. We must notice that since the reset answers still follow the uniform distribution in the set {1, 2, 3, …, 2^k}, these answers remain correct ones since they have the correct distribution. (This point will be further explained in Remark 16.1 in a moment.) After having been fed the second lot of n correct answers, Malice must again fully release his forgery capacity and output, with probability 1, a new forgery (r', e', s') on M'. Again, as we have discussed in the first lot of runs of Malice, (M', r') must be a Q_j in (16.3.1) for some j ∈ [1, n] except for a minute probability value 2^–k.
An event of "successful forking of Malice's RO queries," which is illustrated in Fig 16.2, occurs when in the two lots of runs of Malice the two forged message-signature pairs (M, (r, e, s)) and (M', (r', e', s')) satisfy (M, r) = (M', r'). Notice that in each lot of runs of Malice, he can forge a signature for (M_i, r_i) where i ∈_U [1, n] is uniformly random and needn't be fixed. Applying the birthday paradox (see § 3.6), we know that the probability for this event to occur (i.e., i = j = b) is roughly . Notice: this is different from the case of fixing i in the second lot of runs, which will result in the probability for successful forking (at the fixed point i) being 1/n.

Figure 16.2. Successful Forking Answers to Random Oracle Queries
Recall that n is polynomially bounded, so is a non-negligible quantity. That is, with the non-negligible probability value , Simon obtains two valid forgeries (r, e, s) and (r, e', s'). Further notice that because in the second run Simon has reset his answers uniformly at random, we must have e' ≢ e (mod q) with the overwhelming probability value 1 – 2^–k.

With a successful forking, Simon will be able to extract the targeted discrete logarithm value. Let us see how this is done.

Extraction of Discrete Logarithm

From the two valid forgeries Simon can compute

Since g is a generator element modulo p, we can write r = g (mod p) for some integer > p – 1. Also noticing y = g^x (mod p), we have

Since e' ≢ e (mod q) necessarily implies s' ≢ s (mod q), we have
Finally, if q | r, then the reduction fails. This is the condition for mounting Bleichenbacher's attacks [41] on the ElGamal signature scheme, which we have given as the first warning in § 10.4.7.1. However, while Bleichenbacher's attacks are enabled by a malicious choice of public key parameters, for a randomly chosen public key instance the event q | r obviously has the negligible probability value of 1/q, and so we do not need to care whether Malice may be successful in forging signatures (M, xq, H(M, xq), s) for some integer x, since these successful forgeries form a negligible fraction of valid signatures. Thus, with an overwhelming probability, r is relatively prime to q and hence Simon can extract x (mod q) as

Recall that (p – 1)/q has no large prime factors, so x (mod p – 1) can easily be further extracted. Since the numbers r, e, e' are in Simon's two RO lists, and s, s' are Malice's output, Simon can indeed use the described method to extract the discrete logarithm of y to the base g modulo p. In this method Simon uses Malice as a blackbox: he does not care about nor investigate how Malice's technology works; but as long as Malice's technology works, so does Simon's.

Reduction Result

So far we have obtained the following reduction results:

i. Simon's advantage for extracting the discrete logarithm is ; since q_H is polynomially (in k) bounded, the value Adv'(k) is non-negligible in k.

ii. Simon's time cost is roughly , where t is Malice's time for forging a signature.
We will discuss in § 16.3.2.3 the efficiency of this reduction algorithm.

The theoretic basis for this ROM-based reduction proof is called the forking lemma [235].

Remark 16.1

The forking reduction technique works because Simon Simulator resets the RO answers so that one set of questions from Malice is answered with two completely independent sets of answers. It seems that Malice is very stupid for not having detected the changed answers to the same set of questions. No, Malice is still very clever as a successful forger.
We should consider that Malice is a probabilistic algorithm whose sole functionality is to output a valid forgery whenever the algorithm is working in a correct environment and has been responded to with RO answers of the correct distribution. We must not think that the probabilistic algorithm may have any additional functionality, such as that the algorithm may be conscious like a human being and may thereby be able to detect whether or not somebody in the communication environment is fooling around. In fact, by responding to Malice with correctly distributed answers, Simon is not fooling him at all.

16.3.2.2 Unforgeability under Adaptive Chosen-message Attack

Now let us consider the case of unforgeability under adaptive chosen-message attack. The reduction technique will be essentially the same as that in the case of non-adaptive attack. However, now Malice is also allowed to make signing queries (q_s of them), in addition to making RO queries. Hence Simon Simulator must, in addition to responding to RO queries, also respond to the signing queries with answers which can pass Malice's verification steps using Verify_pk. Simon must do so even though he does not have possession of the signing key. The signing key is the very piece of information he is trying to obtain with the help of Malice!

Simon's procedure for signing is done via simulation. Therefore here it suffices for us to show that under the ROM, Simon can indeed satisfy Malice's signing queries with perfect quality. Since the signing algorithm uses a hash function which is modeled by an RO, under the ROM, for each signing query M, Simon will choose a new element r < p and make the RO query (M, r) on behalf of Malice and then return both the RO answer and the signing answer to Malice. The generation of a new r by Simon for each signing query follows exactly the signing procedure; Simon should never reuse any r which has been used previously. Here is precisely what Simon should do.
For signing query M, Simon picks random integers u, v less than p – 1, and sets

Simon returns e as the RO answer to the RO query (M, r) and returns (r, e, s) as the signature of M (i.e., as the signing answer to the signing query M). The reader may verify that the returned signature is indeed valid. In fact, this simulated signing algorithm is exactly the one with which we generated an existential forgery in § 10.4.7.2; there we have verified the validity of such an existential forgery. Under the ROM, this simulated signature has the identical distribution as one issued by the signing algorithm which uses an RO in place of the hash function H.
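The following Python is an added illustration, not code from Mao's book, of the machinery described in § 16.3.2.1 and § 16.3.2.2, worked on the Schnorr triplet scheme (the text only states that Schnorr is a triplet scheme with e = H(M, r) and r = g^s y^e; the signing equation s = ℓ – x·e (mod q) used here is the standard Schnorr one and is an assumption on the page's part, not a quotation). It contains Simon's H-list random oracle, the key extraction from two valid signatures that share a commitment r but received different RO answers e and e' (the "successful forking" event, here produced by replaying a signer whose random tape, and hence committal, is fixed while the oracle answers are reset), the failure case e = e', and Simon's signing simulator that answers signing queries without the private key by choosing the answer first and programming H(M, r) afterwards. The group (p, q, g) = (23, 11, 4) is a constructed toy group.

```python
# Added example (not from Mao's book): Schnorr triplet signature (r, e, s),
# a programmable random oracle standing in for H, forking key extraction,
# and the signing simulator that works without the private key x.
# Assumed Schnorr equations: r = g^l mod p, e = H(M, r) in Z_q,
# s = l - x*e mod q, verification r == g^s * y^e mod p and e == H(M, r).
import secrets

P, Q, G = 23, 11, 4          # constructed toy group: q | p-1, g has order q


class RandomOracle:
    """Simon's simulation of H: an H-list mapping (M, r) to a random e."""

    def __init__(self):
        self.hlist = {}

    def query(self, m, r):
        if (m, r) not in self.hlist:
            self.hlist[(m, r)] = secrets.randbelow(Q)   # fresh uniform answer
        return self.hlist[(m, r)]

    def program(self, m, r, e):
        """Fix H(M, r) := e.  Simon must abort if (M, r) was already answered
        differently, which is why each simulated signature needs a fresh r."""
        if self.hlist.get((m, r), e) != e:
            raise RuntimeError("H-list collision on (M, r)")
        self.hlist[(m, r)] = e


def keygen():
    x = 1 + secrets.randbelow(Q - 1)        # private key x in [1, q-1]
    return x, pow(G, x, P)                  # public key y = g^x mod p


def sign(x, m, ro, committal=None):
    """Real signer.  `committal` lets a caller fix l to model a forger whose
    random tape is replayed; a real signer always draws a fresh l."""
    l = committal if committal is not None else 1 + secrets.randbelow(Q - 1)
    r = pow(G, l, P)                        # commitment of the committal l
    e = ro.query(m, r)                      # e = H(M, r)
    s = (l - x * e) % Q
    return r, e, s


def verify(y, m, sig, ro):
    r, e, s = sig
    return r == pow(G, s, P) * pow(y, e, P) % P and e == ro.query(m, r)


def extract_private_key(sig1, sig2):
    """Forking step: two valid signatures with the same r but e != e' satisfy
    s' - s = x(e - e') mod q, so x = (s' - s) / (e - e') mod q.
    Returns None in the failure case e == e' (probability 1/q)."""
    (r1, e1, s1), (r2, e2, s2) = sig1, sig2
    if r1 != r2 or (e1 - e2) % Q == 0:
        return None
    return (s2 - s1) * pow((e1 - e2) % Q, -1, Q) % Q


def simulate_sign(y, m, ro):
    """Simon's signing oracle: no x needed.  Pick e, s at random, set
    r = g^s y^e so the verification equation holds by construction, then
    program H(M, r) := e.  Under the ROM the triple is distributed exactly
    like a real signature."""
    e, s = secrets.randbelow(Q), secrets.randbelow(Q)
    r = pow(G, s, P) * pow(y, e, P) % P
    ro.program(m, r, e)
    return r, e, s


def forking_demo(x, m, committal, ro_run1, ro_run2):
    """Two runs on the same random tape (same committal, hence same r) with
    Simon's RO answers reset between runs; returns the extracted x or None."""
    sig1 = sign(x, m, ro_run1, committal)
    sig2 = sign(x, m, ro_run2, committal)
    return extract_private_key(sig1, sig2)


if __name__ == "__main__":
    x, y = keygen()
    recovered = forking_demo(x, b"constructed message", 5,
                             RandomOracle(), RandomOracle())
    print("private key:", x, "recovered by forking:", recovered)
    ro = RandomOracle()
    sim = simulate_sign(y, b"signing query", ro)
    print("simulated signature verifies:", verify(y, b"signing query", sim, ro))
```

`forking_demo` models the book's two lots of runs on the Schnorr equations: the first oracle answers e once, the second answers the same query (M, r) independently, and the two resulting s values give x by one modular division. With the toy q = 11 the failure case e = e' occurs in roughly one run in eleven, which is the 2^–k-type term the text treats as negligible for a k-bit q.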
That is why Malice cannot discern any abnormality. Thus, the "simulated signing training" provided by Simon (see Fig 16.1) is a high quality one, and thereby Malice can be satisfied with the signature responses, in addition to being satisfied with the RO responses. His forgery capacity should be fully released and the same reduction used in § 16.3.2.1 should also lead to a contradiction as desired. Now we are done. Theorem 16.1 summarizes the security result we have obtained.

Theorem 16.1

Let (Gen(1^k), Sign, Verify) be an instance in the triplet ElGamal-family signature schemes where the prime p satisfies that there exists a k-bit prime q dividing p – 1 and (p – 1)/q has no large prime factors. If an adaptive chosen-message forger can break the scheme in time t(k) with advantage Adv(k), then the discrete logarithm problem modulo p can be solved in time t'(k) with advantage Adv'(k), where q_s and q_H are the numbers of signing and H oracle queries, respectively, and T is the time for answering an H query.

In this result, k^3 is the number of bit operations for computing exponentiation modulo a k-bit integer (we have derived the cubic time-complexity expression for modulo exponentiation in § 4.3.2.6).

16.3.2.3 Discussions

We have again witnessed the power of the ROM for security proof. Here is a fact revealed by the ROM-based security proof for triplet ElGamal-family signature schemes: if the signing algorithm is a truly random function, then the easiest way to forge a signature is to solve the discrete logarithm first and then do as a true signer does. This is compatible with the bit-security investigation result which we have conducted in Chapter 9.
Thus, an ROM-based proof suggests that for a real-world signature scheme which uses real-world hash functions rather than ROs, the most vulnerable point at which to mount an attack is probably the hash functions used in the scheme, unless an attacker considers that attacking the hash functions is harder than solving the discrete logarithm problem. We therefore consider that the ROM-based technique for security proof manifests its importance in that it [...]

[...] The signing and verifying algorithms make use of two hash functions. The first, H, called the compressor, maps as H: {0, 1}* → {0, 1}^k1, and the [...]

[...] Fig 16.4 illustrates two pictures of the PSS-R padding: one for the original version of Bellare and Rogaway [26], and the other for the variation of Coron et al. [83]. The universal padding scheme for signature and encryption is specified in Alg 16.2.

Figure 16.4 The PSS-R Padding

[...] a letter, it has been a common practice that the author of the letter should sign and then seal the letter in an envelope before handing it over to a deliverer. This common practice in secure communications applies to digital signature and data encryption, often separately and straightforwardly: signing a message and then encrypting the result [...]

[...] for example, AES is a good candidate for e *) The parameters (p, q, g, H, e) are publicized for use by system-wide users.

• Setup of a Principal's Public/Private Key

User Alice picks a random number x_A ∈_U [...] and computes [...] Alice's [...]

[...] return (False || Null)

In this universal RSA-padding scheme, the signing and encryption procedure will be called PSSR-Padding. It takes as input a message M ∈ {0, 1}^(k – k1 – k0), an RSA exponent and an RSA modulus; the RSA exponent is d for signature generation, and e for encryption [...]

[...] to fix the "chopped bit" back.

16.5.2.1 RSA-TBOS

The RSA-TBOS scheme of Malone-Lee and Mao [182] applies the PSS-R padding scheme (§16.4.4). The signcryption scheme is specified in Alg 16.4. The point of step 6 in signcryption is to ensure [...]

[...] Fit-for-application Ways for Signing in RSA and Rabin

The RSA and Rabin functions are one-way trapdoor permutations (OWTP; review §14.3.6.1 for why and how a recommended way of using the Rabin function forms an OWTP). As a result, the textbook-version signature schemes based on these functions (the textbook RSA signature scheme [...] Rabin [...]

[...] 16.3 is both a cryptosystem and a signature scheme, i.e., (i) Bob's decryption procedure will actually return the same plaintext message that Alice has signcrypted; and (ii) Alice has signed the message. To show (i), it suffices to show that Bob can recover [...] recovery procedure is as Alice has encoded Bob's [...]

[...] the proof of unforgeability for triplet ElGamal-family signature schemes. The technique is called heavy row and was invented by Feige, Fiat and Shamir [106] for proving a soundness property for a zero-knowledge identification scheme of Fiat and Shamir [109] (we will study the soundness property of a zero-knowledge protocol in §18.2.2) [...]

[...] the RSA-PSS-R padding scheme for encryption has a rather low bandwidth for message recovery: the size of the recovered message must be below half the size of the modulus. In the typical key setting of k = |N| = 2048 and k0 = 160, we can obtain |M| only up to 42% of |N|, the maximum being |M| = k/2 – k0 = 1024 – 160 = 864.

[...] and Stern for proving unforgeability for a triplet signature scheme. It is called a forking reduction technique.
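The universal PSS-R padding excerpted above, its use with exponent d (signature with message recovery) or e (encryption), the bandwidth bound |M| ≤ k/2 – k0 for the encryption use, and the RSA-TBOS sign-then-encrypt with the "chopped bit", as one added worked example that is not the book's Alg 16.2 or Alg 16.4. Assumptions made here: the compressor H and generator G are built from SHA-256; the message length is taken as k – k0 – k1 – 1 bits, one bit shorter than the range quoted above, to reserve the leading 0 bit so that the encoded value is below N; keys are 256-bit toy RSA moduli generated in place; and the function names and the exact handling of the top bit in tbos_signcrypt and tbos_unsigncrypt are a reconstruction of the technique the text describes, not the published algorithm steps.

```python
import hashlib
import secrets
from math import gcd

# Toy sizes (assumption: 256-bit moduli so the example runs instantly; real use needs k >= 2048).
K, K0, K1 = 256, 32, 64   # k = |N|, k0 = |r| (salt bits), k1 = |w| (compressor output bits)
MLEN = K - K0 - K1 - 1    # message bits; one bit is reserved for the leading 0 of the encoding

def is_probable_prime(n, rounds=32):        # Miller-Rabin, adequate for demo keys
    if n < 4 or any(n % p == 0 and n != p for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def rand_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c

def rsa_keygen(k=K, e=65537):
    """Returns (N, e, d) with N exactly k bits long."""
    while True:
        p, q = rand_prime(k // 2), rand_prime(k // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == k and gcd(e, phi) == 1:
            return n, e, pow(e, -1, phi)

def H(m, r):
    """Compressor H: {0,1}* -> {0,1}^k1 (truncated SHA-256, domain-separated from G)."""
    data = b"H" + m.to_bytes((MLEN + 7) // 8, "big") + r.to_bytes(K0 // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - K1)

def G(w, nbits):
    """Generator G: {0,1}^k1 -> {0,1}^nbits, a counter-mode mask built from SHA-256."""
    blocks = (nbits + 255) // 256
    out = b"".join(hashlib.sha256(b"G" + w.to_bytes(K1 // 8, "big") + i.to_bytes(4, "big")).digest()
                   for i in range(blocks))
    return int.from_bytes(out, "big") >> (blocks * 256 - nbits)

def pssr_pad(m):
    """PSS-R encoding y = 0 || w || r* || M* of an MLEN-bit message; y < 2^(k-1) <= N."""
    assert 0 <= m < (1 << MLEN)
    r = secrets.randbits(K0)
    w = H(m, r)
    mask = G(w, K0 + MLEN)
    r_star, m_star = (mask >> MLEN) ^ r, (mask & ((1 << MLEN) - 1)) ^ m
    return (w << (K0 + MLEN)) | (r_star << MLEN) | m_star

def pssr_unpad(y):
    """Returns (True, M) when y is a valid encoding, (False, None) otherwise."""
    if y >> (K - 1):                                   # leading bit must be 0
        return False, None
    w = (y >> (K0 + MLEN)) & ((1 << K1) - 1)
    mask = G(w, K0 + MLEN)
    r = (mask >> MLEN) ^ ((y >> MLEN) & ((1 << K0) - 1))
    m = (mask ^ y) & ((1 << MLEN) - 1)
    return (True, m) if H(m, r) == w else (False, None)

# Universal padding: exponent d gives a signature with message recovery, exponent e a
# ciphertext; the matching exponent recovers M and checks the encoding in both cases.
def rsa_pssr(m, n, exp):
    return pow(pssr_pad(m), exp, n)

def rsa_pssr_recover(c, n, exp):
    return pssr_unpad(pow(c, exp, n))

def max_encrypt_message_bits(k, k0):
    return k // 2 - k0          # bound for PSS-R used as encryption: |M| <= k/2 - k0

# Sign-then-encrypt with the "chopped bit": Alice's k-bit signature may exceed Bob's modulus N_B.
def tbos_signcrypt(m, sk_a, pk_b):
    (n_a, d_a), (n_b, e_b) = sk_a, pk_b
    c1 = pow(pssr_pad(m), d_a, n_a)                    # Alice signs with message recovery ...
    if c1 >= n_b:                                      # c1 >= N_B >= 2^(k-1): chop the top bit
        c1 -= 1 << (K - 1)
    return pow(c1, e_b, n_b)                           # ... then encrypts for Bob

def tbos_unsigncrypt(c, sk_b, pk_a):
    (n_b, d_b), (n_a, e_a) = sk_b, pk_a
    c1 = pow(c, d_b, n_b)
    for cand in (c1, c1 + (1 << (K - 1))):             # second try puts the chopped bit back
        if cand < n_a:
            ok, m = pssr_unpad(pow(cand, e_a, n_a))
            if ok:
                return True, m                         # (i) M recovered, (ii) Alice's signature verified
    return False, None
```

The chopped bit exists because Alice's c1 = μ^(d_A) mod N_A is a k-bit value that can be larger than N_B, so it cannot be fed to Bob's RSA encryption as it is; subtracting 2^(k-1) makes it fit, and Bob, whose first verification attempt then fails, adds 2^(k-1) back and verifies again. Both branches end with the same (True, M), which is property (i) above, and a forged or altered c never yields a valid PSS-R encoding under e_A, which is property (ii). max_encrypt_message_bits(2048, 160) returns the 864 bits quoted above for the encryption bandwidth.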

Posted: 14/08/2014, 18:22
