Digital Signatures and Message Authentication
2. Any secure private-key signature scheme that has unique valid signatures (as defined next) is secure also under attacks that utilize a verification-oracle (in addition to the
· 2−(n) < m2· 2−(n)/4
However, m = poly(n) (since A′ runs in polynomial time), and 2−(n)/4 is negligible (since is super-logarithmic). So this case occurs with negligible probability and may be ignored.
Note that A can easily determine which of the cases occurs and act accordingly.⁵ Thus, assuming that A′ forges relative to the complex scheme with non-negligible probability ε′(n), it follows that A forges relative to the length-restricted scheme with non-negligible probability ε(n) ≥ ε′(n) − poly(n) · 2−(n)/4, in contradiction to the proposition's hypothesis.
Comment. We call the reader's attention to the essential role of the hypothesis that is super-logarithmic in the proof of Proposition 6.2.4. Indeed, Construction 6.2.3 is insecure in case (n) = O(log n). The reason is that by asking for polynomially many signatures, the adversary may obtain two Ss-signatures that use the same (random) identifier. Furthermore, with some care, these signatures yield existential forgery (see Exercise 6).
6.2.2.2. Signing a Hash Value
In this subsection, we present an alternative method for constructing general signature schemes out of length-restricted ones. Loosely speaking, the method consists of hashing the document into a short (fixed-length) string (via an adequate hashing scheme) and applying the length-restricted signature scheme to the resulting hash-value. This two-stage process is referred to as the hash-and-sign paradigm.
5 This observation only saves us a polynomial factor in the forging probability. That is, if A did not know which part of the forged complex-signature to use for its own forgery, it could have just selected one at random (and be correct with probability 1/poly(n) because there are only poly(n)-many possibilities).
6.2 LENGTH-RESTRICTED SIGNATURE SCHEME
Let and (G, S, V) be as in Theorem 6.2.2. The second method of constructing a general signature scheme out of (G, S, V) consists of first hashing the document into an (n)-bit long value and then applying the -restricted scheme to the hashed value.
Thus, in addition to an -restricted scheme, this method employs an adequate hashing scheme. In particular, one way of implementing this method is based on "collision-free hashing" (defined next). An alternative implementation, based on "universal one-way hashing," is deferred to Section 6.4.3.
Collision-Free Hashing Functions. Loosely speaking, a collision-free hashing scheme (aka a collision-resistant hashing scheme) consists of a collection of functions {hs : {0, 1}∗ → {0, 1}|s|}s∈{0,1}∗ such that given s and x it is easy to compute hs(x), but given a random s it is hard to find x ≠ x′ such that hs(x) = hs(x′).
Definition 6.2.5 (collision-free hashing functions): Let : N → N. A collection of functions {hs : {0, 1}∗ → {0, 1}(|s|)}s∈{0,1}∗ is called collision-free hashing if there exists a probabilistic polynomial-time algorithm I such that the following holds:
1. (admissible indexing – technical):⁶ For some polynomial p, all sufficiently large n's, and every s in the range of I(1n), it holds that n ≤ p(|s|). Furthermore, n can be computed in polynomial-time from s.
2. (efficient evaluation): There exists a polynomial-time algorithm that, given s and x , returns hs(x).
3. (hard-to-form collisions): We say that the pair (x, x′) forms a collision under the function h if h(x) = h(x′) but x ≠ x′. We require that every probabilistic polynomial-time algorithm, given I(1n) as input, outputs a collision under hI(1n) with negligible probability. That is, for every probabilistic polynomial-time algorithm A, every positive polynomial p, and all sufficiently large n's,
Pr[A(I(1n)) is a collision under hI(1n)] < 1/p(n)
where the probability is taken over the internal coin tosses of algorithms I and A.
The function is called the range specifier of the collection.
Note that the range specifier must be super-logarithmic (or else one may easily find a collision by selecting 2(n) + 1 different pre-images and computing their image under the function). In Section 6.2.3, we show how to construct collision-free hashing functions using claw-free collections. But first, we show how to use the former in order to convert a length-restricted signature scheme into a full-fledged one.
6 This condition is made merely in order to avoid annoying technicalities. In particular, this condition allows the collision-forming adversary to run for poly(n)-time (because by this condition n = poly(|s|)), as well as allows for determining n from s. Note that |s| = poly(n) holds by definition of I.
Construction 6.2.6 (hash and sign): Let and (G, S, V) be as in Theorem 6.2.2, and let {hr : {0, 1}∗ → {0, 1}(|r|)}r∈{0,1}∗ be as in Definition 6.2.5. We construct a general signature scheme, (G′, S′, V′), as follows:
Key-generation with G′: On input 1n, algorithm G′ first invokes G to obtain (s, v) ← G(1n). Next, it invokes I, the indexing algorithm of the collision-free hashing collection, to obtain r ← I(1n). Finally, G′ outputs the pair ((r, s), (r, v)), where (r, s) serves as a signing-key and (r, v) serves as a verification-key.
Signing with S′: On input a signing-key (r, s) (in the range of G′1(1n)) and a document α ∈ {0, 1}∗, algorithm S′ invokes S once to produce and output Ss(hr(α)).
Verification with V′: On input a verifying-key (r, v) (in the range of G′2(1n)), a document α ∈ {0, 1}∗, and an alleged signature β, algorithm V′ invokes V and outputs Vv(hr(α), β).
Note that the resulting signature scheme applies the original one once (per invocation of the resulting scheme). We stress that the length of the resulting signatures depends only on the length of the signing-key and is independent of the document being signed; that is, |S′r,s(α)| = |Ss(hr(α))|, which in turn is bounded by poly(|s|, (|r|)).
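Construction 6.2.6 written out as an added Python example (not code from the book): the length-restricted scheme (G, S, V) is stood in for by an HMAC-SHA256 MAC that accepts only 32-byte inputs (a private-key scheme, so the verification key equals the signing key), and the hashing collection {hr} is SHA-256 with the public index r prepended; treating that collection as collision-free is an assumption of the example. The names G_prime, S_prime, V_prime and demo are the example's own. The point it makes visible is the one stressed above: S′ calls S exactly once, and the signature length is the same for a 2-byte and a 10,000-byte document.

```python
import hashlib
import hmac
import os

# Assumed length-restricted private-key scheme (G, S, V): HMAC-SHA256 that
# accepts only messages of exactly ELL_BYTES bytes.  Constructed stand-in for
# the abstract length-restricted scheme of Theorem 6.2.2.
ELL_BYTES = 32


def G(n: int):
    """Key generation; in the private-key model the verification key is the signing key."""
    s = os.urandom(n // 8)
    return s, s


def S(s: bytes, m: bytes) -> bytes:
    """Sign a message of exactly ELL_BYTES bytes; refuse anything else."""
    if len(m) != ELL_BYTES:
        raise ValueError("length-restricted scheme: message must be exactly ELL_BYTES long")
    return hmac.new(s, m, hashlib.sha256).digest()


def V(v: bytes, m: bytes, tag: bytes) -> bool:
    """Verify; a message of the wrong length is never valid."""
    if len(m) != ELL_BYTES:
        return False
    return hmac.compare_digest(hmac.new(v, m, hashlib.sha256).digest(), tag)


# Assumed hashing collection {h_r}: SHA-256 with the public index r prepended.
# Its collision-freeness is an assumption made for this example, not a theorem.
def I(n: int) -> bytes:
    """Indexing algorithm I(1^n): pick a random index r."""
    return os.urandom(n // 8)


def h(r: bytes, x: bytes) -> bytes:
    return hashlib.sha256(r + x).digest()  # exactly ELL_BYTES of output


# Construction 6.2.6: G', S', V'.
def G_prime(n: int):
    s, v = G(n)
    r = I(n)
    return (r, s), (r, v)


def S_prime(signing_key, alpha: bytes) -> bytes:
    r, s = signing_key
    return S(s, h(r, alpha))  # exactly one invocation of S per document


def V_prime(verification_key, alpha: bytes, beta: bytes) -> bool:
    r, v = verification_key
    return V(v, h(r, alpha), beta)


def demo():
    """Sign a tiny and a large document and report the properties stressed in the text."""
    sk, vk = G_prime(256)
    short, long_doc = b"ok", b"x" * 10_000
    b1, b2 = S_prime(sk, short), S_prime(sk, long_doc)
    return {
        "valid": V_prime(vk, long_doc, b2),
        "tampered_rejected": not V_prime(vk, long_doc + b"!", b2),
        "same_length": len(b1) == len(b2) == ELL_BYTES,
    }


if __name__ == "__main__":
    print(demo())
```

Calling S directly on a document of the wrong length raises, which is the whole reason the hash step is needed: only S′, which hashes first, handles documents of arbitrary length.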
Proposition 6.2.7: Suppose that (G, S, V) is an -restricted signature scheme that is secure in the private-key (resp., public-key) model. Suppose that {hr : {0, 1}∗ → {0, 1}(|r|)}r∈{0,1}∗ is indeed a collision-free hashing collection. Then (G′, S′, V′), as defined in Construction 6.2.6, is a full-fledged signature scheme that is secure in the private-key (resp., public-key) model.
Proof: Intuitively, the security of (G′, S′, V′) follows from the security of (G, S, V) and the collision-freeness property of the collection {hr}. Specifically, forgery relative to (G′, S′, V′) can be obtained either by a forged S-signature to a hash-value different from all hash-values that appeared in the attack or by forming a collision under the hash function. The actual proof is by a reducibility argument. Given an adversary A′ attacking the complex scheme (G′, S′, V′), we construct an adversary A that attacks the -restricted scheme, (G, S, V), as well as an algorithm B forming collisions under the hashing collection {hr}. Both A and B will have running time related to that of A′. We show that if A′ is successful with non-negligible probability, then the same holds for either A or B. Thus, in either case, we reach a contradiction. We start with the description of algorithm A, which is designed to attack the -restricted scheme (G, S, V). We stress that almost the same description applies in both the private-key and public-key cases.
On input x, which equals the security parameter 1n in the private-key case and a verification-key v otherwise (i.e., in the public-key case), the adversary A operates as follows. First, A uses I (the indexing algorithm of the collision-free hashing collection) to obtain r ← I(1n), exactly as done in the second step of G′. Next, A invokes A′ (on input 1n or (r, v), depending on the case) and uses r as well as its own oracle Ss in order to emulate the oracle S′r,s for A′. The emulation is done in a straightforward manner; that is, algorithm A will act as S′r,s does by using the oracle Ss (i.e., to answer query q, algorithm A makes the query hr(q)). When A′ outputs a document-signature pair
relative to the complex scheme (G′, S′, V′), algorithm A tries to use this pair in order to form a document-signature pair relative to the -restricted scheme, (G, S, V). That is, if A′ outputs the document-signature pair (α, β), then A will output the document-signature pair (hr(α), β).
As in the proof of Proposition 6.2.4, we stress that the distribution of keys and oracle answers that A provides A′ is exactly as in a real attack of A′ on (G′, S′, V′). This is a crucial point, because we use the fact that events that occur in a real attack of A′ on (G′, S′, V′) occur with the same probability in the emulation of (G′, S′, V′) by A.
Assume that with (non-negligible) probability ε(n), the (probabilistic polynomial-time) algorithm A′ succeeds in existentially forging relative to the complex scheme (G′, S′, V′). We consider the following two cases regarding the forging event, letting (α(i), β(i)) denote the i-th query and answer pair made by A′, and (α, β) denote the forged document-signature pair that A′ outputs (in case of success):
Case 1: hr(α) ≠ hr(α(i)) for all i's. (That is, the hash-value used in the forged signature is different from all hash-values used in the queries to Ss.) In this case, the pair (hr(α), β) constitutes a success in existential forgery relative to the -restricted scheme.
Case 2: hr(α) = hr(α(i)) for some i. (That is, the hash-value used in the forged signature equals the hash-value used in the i-th query to Ss, although α ≠ α(i).) In this case, the pair (α, α(i)) forms a collision under hr (and we do not obtain success in existential forgery relative to the -restricted scheme).
Thus, if Case 1 occurs with probability at least ε(n)/2, then A succeeds in its attack on (G, S, V) with probability at least ε(n)/2, which contradicts the security of the -restricted scheme (G, S, V). On the other hand, if Case 2 occurs with probability at least ε(n)/2, then we derive a contradiction to the collision-freeness of the hashing collection {hr : {0, 1}∗ → {0, 1}(|r|)}r∈{0,1}∗. Details (regarding the second case) follow.
We construct an algorithm, denoted B, that given r ← I(1n), attempts to form collisions under hr as follows. On input r, algorithm B generates (s, v) ← G(1n) and emulates the attack of A on this instance of the -restricted scheme, with the exception that B does not invoke algorithm I to obtain an index of a hash function but rather uses the index r (given to it as input). Recall that A, in turn, emulates an attack of A′ on the signing-oracle S′r,s, and that A answers the query q′ made by A′ by forwarding the query q = hr(q′) to Ss. Thus, B actually emulates the attack of A′ (on the signing-oracle S′r,s) and does so in a straightforward manner; that is, to answer query q′ made by A′, algorithm B first obtains q = hr(q′) (using its knowledge of r) and then answers with Ss(q) (using its knowledge of s). Finally, when A′ outputs a forged document-signature pair, algorithm B checks whether Case 2 occurs (i.e., whether hr(α) = hr(α(i)) holds for some i), in which case it obtains (and outputs) a collision under hr. (Note that in the public-key case, B invokes A′ on input (r, v), whereas in the private-key case, B invokes A′ on input 1n. Thus, in the private-key case, B actually does not use r but rather only uses oracle access to hr.)
We stress that from the point of view of the emulated adversary A′, the execution is distributed exactly as in its attack on (G′, S′, V′). Thus, since we assumed that the second case occurs with probability at least ε(n)/2 in a real attack, it follows that B succeeds in forming a collision under hI(1n) with probability at least ε(n)/2. This contradicts the collision-freeness of the hashing functions, and the proposition follows.
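Two steps of the argument above, as an added Python example that is not from the book: the remark after Definition 6.2.5 (evaluating the function on 2(n) + 1 distinct pre-images forces a collision whenever the range specifier is small) and the Case 1 / Case 2 split that algorithms A and B apply to a forgery. The hashing collection is constructed with a deliberately tiny 16-bit range (SHA-256 with a public index prepended, then truncated), so the pigeonhole search actually terminates; the index value, the query transcript and the function names pigeonhole_collision and reduce_forgery are all the example's own.

```python
import hashlib

# Constructed hashing collection with a range specifier of only 16 bits,
# i.e. the opposite of the super-logarithmic requirement in the text.
ELL_BITS = 16
ELL_BYTES = ELL_BITS // 8


def h(r: bytes, x: bytes) -> bytes:
    """h_r(x): SHA-256 keyed by a public index r, truncated to ELL_BITS (constructed)."""
    return hashlib.sha256(r + x).digest()[:ELL_BYTES]


def pigeonhole_collision(r: bytes):
    """Evaluate h_r on 2^ELL_BITS + 1 distinct pre-images.

    With more pre-images than possible images, two of them must share an
    image; return the first such pair (x, x') with x != x'.
    """
    seen = {}
    for k in range(2 ** ELL_BITS + 1):
        x = k.to_bytes(4, "big")          # 2^16 + 1 distinct 4-byte inputs
        y = h(r, x)
        if y in seen:
            return seen[y], x
        seen[y] = x
    raise AssertionError("unreachable: more pre-images than images")


def reduce_forgery(r: bytes, queries, forgery):
    """Case split from the proof of Proposition 6.2.7.

    queries: the documents alpha^(i) that A' asked the emulated S'_{r,s} to sign.
    forgery: the pair (alpha, beta) output by A'.
    Returns one of
      ('not-a-forgery', None)          alpha was itself a query, so nothing is forged;
      ('case2', (alpha, alpha_i))      h_r(alpha) == h_r(alpha_i): a collision, B's output;
      ('case1', (h_r(alpha), beta))    a fresh hash-value: A's forgery against the
                                       length-restricted scheme.
    """
    alpha, beta = forgery
    if alpha in queries:
        return "not-a-forgery", None
    y = h(r, alpha)
    for alpha_i in queries:
        if h(r, alpha_i) == y:
            return "case2", (alpha, alpha_i)
    return "case1", (y, beta)


if __name__ == "__main__":
    R = b"constructed-index"             # stands in for r <- I(1^n)
    x1, x2 = pigeonhole_collision(R)
    print("collision:", x1.hex(), x2.hex(), h(R, x1).hex())
    print(reduce_forgery(R, [b"doc-a", x1], (x2, b"beta")))
    print(reduce_forgery(R, [], (b"doc-b", b"beta")))
```

With a super-logarithmic range the dictionary in pigeonhole_collision would never fit in memory, which is exactly the content of the requirement on the range specifier; with 16 bits it holds at most 65,536 entries and the loop always returns.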
Comment. For the private-key case, the proof of Proposition 6.2.7 actually established a stronger claim than stated. Specifically, the proof holds even for a weaker definition of collision-free hashing in which the adversary is not given a description of the hashing function, but can rather obtain its value at any pre-image of its choice. This observation is further pursued in Section 6.3.1.3.
On Using the Hash-and-Sign Paradigm in Practice. The hash-and-sign paradigm, underlying Construction 6.2.6, is often used in practice. Specifically, a document is signed using a two-stage process: First, the document is hashed into a (relatively) short bit string, and next, a basic signature scheme is applied to the resulting string. One appealing feature of this process is that the length of the resulting signatures depends only on the length of the signing-key (and is independent of the document being signed). We stress that this process yields a secure signature scheme only if the hashing scheme is collision-free (as defined previously). In Section 6.2.3, we present several constructions of collision-free hashing functions (based on general assumptions). Alternatively, one may indeed postulate that certain off-the-shelf products (such as MD5 or SHA) are collision-free, but such assumptions need to be seriously examined (and indeed may turn out false).⁷ We stress that using a hashing scheme, in the two-stage (hash-and-sign) process, without seriously evaluating whether or not it is collision-free is a very dangerous practice.
We comment that a variant on the hash-and-sign paradigm will be presented in Construction 6.4.30. The two variants are compared in Section 6.4.3.4.
6.2.3.* Constructing Collision-Free Hashing Functions
In view of the relevance of collision-free hashing to signature schemes, we now take a small detour from the main topic and consider the construction of collision-free hashing. Most importantly, we show how to construct collision-free hashing functions using a claw-free collection of permutations. In addition, we show two different constructions that use a restricted type of collision-free hashing in order to obtain full-fledged collision-free hashing.