
assessed over random choices of the key generation algorithm, the forger F , and the signing oracle.

4.1.2 Selective Forger

The only difference between an $S$-selective $(\epsilon_F, \tau_F, q_F)$-forger $F$ and the existential forger mentioned above is that $F$ has an additional input: the message $M$ to be forged by $F$ is drawn at random from $S$.

4.2 Property of Hash Function

We now describe some properties of the hash function that the schemes below require. As shown in Brown's work [1], the hash function used in ECDSA, usually SHA-1 in practice, satisfies the following required properties.

4.2.1 One-Wayness (Preimage-Resistance)

An $(\epsilon_I, \tau_I)$-inverter $I_h$ of hash function $h$ is a probabilistic algorithm which takes as input $e \in_R H$ and outputs a message $M \in \{0, 1\}^*$ within running time at most $\tau_I$. Under the random choices of both $e$ and $I_h$, the probability that $h(M) = e$ is at least $\epsilon_I$. If no such $I_h$ exists, then $h$ is one-way, or preimage-resistant, of strength $(\epsilon_I, \tau_I)$.

4.2.2 Second-Preimage-Resistance

Let $S \subseteq \{0, 1\}^*$. An $(\epsilon_S, \tau_S, S)$-second-preimage-finder $S_h$ for hash function $h$ is a probabilistic algorithm which takes as input $M \in_R S$ and outputs a message $M' \in \{0, 1\}^*$ within running time at most $\tau_S$. Under the random choices of both $M$ and $S_h$, the probability that $M' \neq M$ but $h(M') = h(M)$ is at least $\epsilon_S$. If no such $S_h$ exists, then $h$ is second-preimage-resistant of strength $(\epsilon_S, \tau_S, S)$.

4.2.3 Zero-Finder-Resistance

An $(\epsilon_Z, \tau_Z)$-zero-finder $Z_h$ for hash function $h$ is a probabilistic algorithm which has the output

probability of $h(M) = 0$ is at least $\epsilon_Z$. If no such $Z_h$ is known, then $h$ is zero-finder-resistant of strength $(\epsilon_Z, \tau_Z)$.
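To make the strength parameters $(\epsilon, \tau)$ of Sections 4.2.1 to 4.2.3 concrete, here is an added example in Python (not code from the thesis) that plays each of the three games against a toy hash: SHA-256 truncated to $k$ bits, with the running time $\tau$ counted as the number of hash evaluations the adversary is allowed. The truncation parameter, the 8-byte random candidate messages and the sample message are constructed for the example; the exact bound $1 - (1 - 2^{-k})^{\tau}$ is the success probability of the generic random-search adversary, which is what any strength claim for $h$ has to beat.

```python
"""The (epsilon, tau)-adversaries of Section 4.2 played against a toy hash.
Added example, not code from the thesis. Assumptions: h is SHA-256 truncated to
k bits (small k makes brute force feasible so the strength parameters can be
observed), messages are byte strings, and running time tau is counted in h calls."""
import hashlib
import secrets
from fractions import Fraction

def make_hash(k):
    """h: {0,1}* -> H = {0, ..., 2^k - 1}; the top k bits of SHA-256 (toy parameter)."""
    def h(M):
        return int.from_bytes(hashlib.sha256(M).digest(), "big") >> (256 - k)
    return h

class BudgetExceeded(Exception):
    """Raised when an adversary tries to exceed its running-time bound tau."""

def budgeted(h, tau):
    """Wrap h so that at most tau evaluations are allowed; this is how tau is enforced."""
    calls = [0]
    def h_tau(M):
        if calls[0] >= tau:
            raise BudgetExceeded
        calls[0] += 1
        return h(M)
    h_tau.calls = calls
    return h_tau

def inverter(h, tau, e):
    """(epsilon_I, tau_I)-inverter I_h: given e in H, search random M until h(M) = e.
    Returns M on success, None when the budget runs out (the game is lost)."""
    h_tau = budgeted(h, tau)
    try:
        while True:
            M = secrets.token_bytes(8)
            if h_tau(M) == e:
                return M
    except BudgetExceeded:
        return None

def second_preimage_finder(h, tau, M):
    """(epsilon_S, tau_S, S)-second-preimage finder S_h: find M2 != M with h(M2) = h(M)."""
    h_tau = budgeted(h, tau)
    try:
        target = h_tau(M)          # the one evaluation on M also counts against tau
        while True:
            M2 = secrets.token_bytes(8)
            if M2 != M and h_tau(M2) == target:
                return M2
    except BudgetExceeded:
        return None

def zero_finder(h, tau):
    """(epsilon_Z, tau_Z)-zero-finder Z_h: an inverter for the fixed target 0."""
    return inverter(h, tau, 0)

def generic_success_bound(k, tau):
    """Exact success probability of tau independent random trials against a fixed k-bit
    target: 1 - (1 - 2^-k)^tau, about tau / 2^k when tau is far below 2^k. A generic
    adversary with budget tau reaches this epsilon, so h can only be of strength
    (epsilon, tau) for epsilon above this value."""
    p = Fraction(1, 2 ** k)
    return 1 - (1 - p) ** tau

def estimate_epsilon(adversary, games):
    """Empirical epsilon: fraction of independent games the adversary wins."""
    return sum(adversary() is not None for _ in range(games)) / games

if __name__ == "__main__":
    k, tau = 12, 2 ** 12
    h = make_hash(k)
    print("generic bound:", float(generic_success_bound(k, tau)))
    print("observed:", estimate_epsilon(lambda: inverter(h, tau, secrets.randbelow(2 ** k)), 100))
```

Running the script compares the exact bound (about 0.63 for $\tau = 2^k$) with the fraction of games a budget-limited inverter actually wins; the second-preimage and zero-finder games use the same budget wrapper, which is what makes $\tau$ comparable across the three definitions.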


Chapter 5

Generic Group Model

So far ECDSA has been formally proved secure only by Brown [1], in the generic group model first introduced by Nechaev [46] and improved by Shoup [47]. In the generic group model for a secure group $\mathbb{A}_n$, where a secure group $\mathbb{A}_n$ is defined as a group in which the discrete logarithm problem is intractable, the group operation is assumed to be available only through an oracle. Moreover, the oracle for the group operation is assumed to be "random", subject to the constraint that it gives valid group operations.

In order to prove the security of ECDSA and DSA, Brown describes a variant of the generic group model. The generic group oracle is shown in Table 1.

We now describe the oracle in detail. The oracle accepts three commands: push, subtract and hint. The push and subtract commands are the same as Brown's, but we modify the hint command slightly. A forger can issue push and subtract commands, but cannot access the hint command directly. Notice that in the first oracle the hint command is never used: the forger can only issue push and subtract commands and verification queries. In the second oracle the hint command is invoked to respond to signing queries. Each command appends an element pair $(A_{m+1}, z_{m+1})$ to the internal state, and the oracle maintains the list of element pairs. An element pair consists of a public element $A_{m+1} \in \mathbb{A}_n$ and a private element $z_{m+1} \in \mathbb{Z}_n$. Both $A_{m+1}$ and $z_{m+1}$ depend on the commands the forger makes and on the random values the oracle picks. We now discuss some further details.

The argument of the push command is an arbitrary element $A \in \mathbb{A}_n$ and its output is $A_{m+1} = A$. If $A_{m+1}$ does not equal any $A_i$ in $\{A_1, \cdots, A_m\}$, then the oracle randomly selects a private value


Table 1: Generic Group Oracle Proposed by Brown

$A_{m+1} \leftarrow$ Push($A \in \mathbb{A}_n$)
1. Let $A_{m+1} = A$.
2. If $A_{m+1} = A_i$ for some $i \in \{1, \cdots, m\}$, let $z_{m+1} = z_i$.
3. If $A_{m+1} \notin \{A_1, \cdots, A_m\}$, choose $z_{m+1} \in_R \mathbb{Z}_n \setminus \{z_1, \cdots, z_m\}$.

$A_{m+1} \leftarrow$ Subtract (no argument)
1. Let $z_{m+1} = (z_{m-1} - z_m) \bmod n$.
2. If $z_{m+1} = z_i$ for some $i \in \{1, \cdots, m\}$, let $A_{m+1} = A_i$.
3. If $z_{m+1} \notin \{z_1, \cdots, z_m\}$, choose $A_{m+1} \in_R \mathbb{A}_n \setminus \{A_1, \cdots, A_m\}$.

$(A_{m+1}, s_{m+1}) \leftarrow$ Hint($h_{m+1} \in \mathbb{Z}_n \setminus \{0\}$)
1. Randomly choose $z_{m+1} \in \mathbb{Z}_n$ except elements in $\{z_1, \cdots, z_m\}$.
2. Randomly choose $A_{m+1} \in \mathbb{A}_n$ except elements in $\{A_1, \cdots, A_m\}$.
3. $s_{m+1} = z_{m+1}^{-1}\,(h_{m+1} z_1 + f(A_{m+1}) z_2) \bmod n$, where $f: \mathbb{A}_n \rightarrow \mathbb{Z}_n$ is a certain fixed function.

Table 2: Notations in Brown's [1]

$B$: the set of indices of the basic pairs
$C_{ij} \in \mathbb{Z}_n$, $i \in \{1, \cdots, m\}$, $j \in B$: coefficients of the derived private elements
$A = (A_1, \cdots, A_m)$: the vector of public elements
$C$: the coefficient matrix $(C_{ij})$ over $\mathbb{Z}_n$, where $i \in \{1, \cdots, m\}$ and $j \in B$
$S$: the response to the hint commands
$z_B = (z_j)_{j \in B}$: the basic vector
$z = (z_i)_{1 \le i \le m}$: the private vector
$\Delta_i = (C_{ij})_{j \in B}$: the derivation of $(A_i, z_i)$ (row vector)

We assume that two push commands are made first, with arguments $A_1$ and $A_2$ randomly selected by the forger; the base generator is $G = A_1$ and the public key is $Q = A_2$. The only condition is that $A_1 \neq A_2$. The forger can subsequently submit arbitrary elements of $\mathbb{A}_n$ through push commands.

The subtract command subtracts the two previous element pairs, and its output is the public value $A_{m+1}$. Internally, the oracle first subtracts the previous private values $z_{m-1}$ and $z_m$ to obtain $z_{m+1} = z_{m-1} - z_m$, and then determines whether some previous $z_i$ equals $z_{m+1}$. If not, the public value $A_{m+1}$ is a random element chosen from $\mathbb{A}_n \setminus \{A_1, \cdots, A_m\}$.

The input of the hint command is $h_{m+1}$ and its output is $(A_{m+1}, s_{m+1})$, where the extra information is carried in $s_{m+1}$. Later, $s_{m+1}$ becomes part of the signature on the message $M_i \| R_{m+1}$ (for scheme 3), where $M_i$ is the input of the signing query and $R_{m+1}$ is a random element.

The hint command can be regarded as part of a signing query: when the forger makes a signing query, the oracle invokes the hint command to obtain the objects it returns to the forger as the response, namely a signature $(f(A_{m+1}), s_{m+1}, R_{m+1})$ on the message $M_i \| R_{m+1}$ (for scheme 3). Notice that the hint command is not used in the oracle for our variant-ECDSA-1.

Additionally, we call a pair $(A_i, z_i)$ that is generated by a push command and differs from every previous pair a basic pair, and we call all remaining pairs derived pairs. Every derived private element $z_i$ can be presented as a $\mathbb{Z}_n$-linear combination of the previous basic private elements.


Table 3: Derivations

Push
1. If $A_{m+1} = A_i$ for some $i \in \{1, \cdots, m\}$ then:
   (a) Let $i$ be the least such index.
   (b) Let $C_{(m+1)j} = C_{ij}$ for all $j \in B$.
2. If $A_{m+1} \notin \{A_1, \cdots, A_m\}$ then:
   (a) Add index $m + 1$ to the set $B$.
   (b) Let $C_{i(m+1)} = 0$ for all $i \in \{1, \cdots, m\}$.
   (c) Let $C_{(m+1)(m+1)} = 1$.

Subtract
1. Let $C_{(m+1)j} = C_{mj} - C_{(m-1)j}$ for all $j \in B$.

Hint
1. Let $C_{(m+1)1} = s_{m+1}^{-1} h_{m+1}$.
2. Let $C_{(m+1)2} = s_{m+1}^{-1} f(A_{m+1})$.
3. Let $C_{(m+1)j} = 0$ for all $j \in B \setminus \{1, 2\}$.

From the above notation we have $z = C z_B$. Besides, the derivation of a basic pair $(A_j, z_j)$ has only one non-zero coefficient, in position $j$. Furthermore, if there exist two pairs with the same public element ($A_i = A_j$) but different derivations ($\Delta_i \neq \Delta_j$) for some $1 \le j < i \le m$, we say that a coincidence has occurred. Coincidence-free means that no coincidence occurs at any $j$. The generation of coefficients and derivations for the push, subtract and hint commands is shown in Table 3.
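The oracle of Table 1, the derivation bookkeeping of Table 3 and the hint/signing relation described above, simulated in Python as an added example (this is not code from the thesis or from Brown [1]). The group $\mathbb{A}_n$ is modelled as opaque integer labels, $n$ is taken to be prime, $f(A) = A \bmod n$ stands in for the unspecified fixed function, and `verify_hint` is an assumed ECDSA-style check that a hint response derives as $s^{-1} h \cdot G + s^{-1} f(A) \cdot Q$; none of these choices come from the page. One caveat the code has to resolve: Table 1 defines the subtract as $z_{m+1} = z_{m-1} - z_m$, while Table 3 as printed gives $C_{(m+1)j} = C_{mj} - C_{(m-1)j}$, the opposite sign; the code records $\Delta_{m-1} - \Delta_m$ so that $z = C z_B$ stays true.

```python
"""Simulation of the generic group oracle of Table 1 with the derivation bookkeeping
of Table 3. Added example, not code from the thesis or from Brown [1]. Assumptions:
the secure group A_n is a set of opaque integer labels (the generic model hides all
structure), n is prime so every non-zero z in Z_n is invertible, f(A) = A mod n."""
import secrets

class GenericGroupOracle:
    def __init__(self, n=1_000_000_007, label_bits=32, rng=secrets.randbelow):
        self.n = n                          # group order; private elements live in Z_n
        self.label_space = 1 << label_bits  # public elements are opaque labels (assumption)
        self.rng = rng                      # rng(bound) -> int in [0, bound); injectable
        self.A = []   # public elements A_1..A_m (pair i is stored at position i-1)
        self.z = []   # private elements z_1..z_m
        self.B = []   # indices of the basic pairs, in creation order
        self.C = []   # derivation rows: C[i-1] maps j in B to C_ij (missing key = 0)

    @property
    def m(self):
        return len(self.A)

    def f(self, A):
        return A % self.n   # "a certain fixed function" f: A_n -> Z_n (assumption)

    def _fresh(self, bound, used, exclude_zero=False):
        while True:
            x = self.rng(bound)
            if x not in used and not (exclude_zero and x == 0):
                return x

    def _append(self, A, z, row):
        self.A.append(A); self.z.append(z); self.C.append(row)
        return A

    def push(self, A):
        """Table 1 Push: A_{m+1} = A; reuse z_i when A_i = A, else draw a fresh z."""
        if A in self.A:
            i = self.A.index(A)            # least index with A_i = A (Table 3, Push 1a)
            return self._append(A, self.z[i], dict(self.C[i]))  # copy Delta_i (1b)
        z = self._fresh(self.n, set(self.z))
        self.B.append(self.m + 1)          # new basic pair (Table 3, Push 2a)
        return self._append(A, z, {self.m + 1: 1})  # C_{(m+1)(m+1)} = 1, rest 0 (2b, 2c)

    def subtract(self):
        """Table 1 Subtract: z_{m+1} = z_{m-1} - z_m mod n; A_{m+1} reused or fresh."""
        if self.m < 2:
            raise ValueError("subtract needs two previous pairs")
        z = (self.z[-2] - self.z[-1]) % self.n
        A = self.A[self.z.index(z)] if z in self.z else self._fresh(self.label_space, set(self.A))
        # Delta_{m+1} = Delta_{m-1} - Delta_m keeps z = C z_B for this subtract. Table 3 as
        # printed has C_{mj} - C_{(m-1)j}, the opposite sign, which would break the invariant.
        row = {j: (self.C[-2].get(j, 0) - self.C[-1].get(j, 0)) % self.n for j in self.B}
        return self._append(A, z, row)

    def hint(self, h):
        """Table 1 Hint: fresh (A_{m+1}, z_{m+1}); s_{m+1} = z^{-1}(h z_1 + f(A) z_2) mod n.
        Returns (A_{m+1}, s_{m+1}); z_{m+1} never leaves the oracle."""
        if not 0 < h < self.n:
            raise ValueError("h must lie in Z_n without 0")
        if self.B[:2] != [1, 2]:
            raise ValueError("G = A_1 and Q = A_2 must be distinct pushed elements")
        z = self._fresh(self.n, set(self.z), exclude_zero=True)   # z must be invertible
        while True:
            A = self._fresh(self.label_space, set(self.A))
            s = pow(z, -1, self.n) * (h * self.z[0] + self.f(A) * self.z[1]) % self.n
            if s:            # redraw A if s = 0 so that s^{-1} exists (not covered by Table 1)
                break
        s_inv = pow(s, -1, self.n)
        # Table 3 Hint: C_{(m+1)1} = s^{-1} h, C_{(m+1)2} = s^{-1} f(A), all other entries 0.
        self._append(A, z, {1: s_inv * h % self.n, 2: s_inv * self.f(A) % self.n})
        return A, s

    def derivation(self, i):
        """Row vector Delta_i = (C_ij)_{j in B} of the i-th pair (1-based)."""
        return tuple(self.C[i - 1].get(j, 0) for j in self.B)

    def invariant_holds(self):
        """z = C z_B: every private element is the recorded Z_n-combination of basic ones."""
        return all(sum(c * self.z[j - 1] for j, c in row.items()) % self.n == z
                   for row, z in zip(self.C, self.z))

    def coincidences(self):
        """(j, i), j < i, with A_i = A_j but Delta_i != Delta_j: the events the proof bounds."""
        return [(j, i) for i in range(2, self.m + 1) for j in range(1, i)
                if self.A[i - 1] == self.A[j - 1] and self.derivation(i) != self.derivation(j)]

    def verify_hint(self, A, s, h):
        """ECDSA-style verification inside the model (assumption): the pair with public
        element A must derive as (s^{-1} h) G + (s^{-1} f(A)) Q, i.e. u_1 G + u_2 Q."""
        if self.B[:2] != [1, 2] or A not in self.A or not 0 < s < self.n:
            return False
        s_inv = pow(s, -1, self.n)
        u = (s_inv * h % self.n, s_inv * self.f(A) % self.n) + (0,) * (len(self.B) - 2)
        return self.derivation(self.A.index(A) + 1) == u

if __name__ == "__main__":
    oracle = GenericGroupOracle()
    oracle.push(123456); oracle.push(654321)   # G = A_1, Q = A_2 (constructed labels)
    A, s = oracle.hint(42)                      # signing query for h = 42
    print("hint verifies:", oracle.verify_hint(A, s, 42), "invariant:", oracle.invariant_holds())
```

Injecting a deterministic `rng` that hands out 1, 2, 3, ... makes a coincidence reproducible: after push($G$), push($Q$), subtract, subtract, push($Q$), subtract the oracle lands on $z_1$ again through a different combination of the basic elements ($-z_1 + z_2$, which equals $z_1$ only because $z_2 = 2 z_1$ under that rng), so `coincidences()` reports the pair $(1, 6)$. With the default random source and a large $n$ such linear relations among the hidden $z_j$ are rare, which is exactly what the coincidence-free condition relies on.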


Chapter 6

Variant-ECDSA

We recall that the blind ECDSA of Yi et al. [14] only transfers one bitcoin per signature, which makes it computationally expensive in practice. Hence a partially blind ECDSA scheme that can transfer an arbitrary amount of bitcoins by releasing the amount may significantly improve computational efficiency. The common information is necessary in a partially blind signature; however, it is impractical to turn Yi's blind ECDSA into a partially blind ECDSA by directly adding the common information. Therefore, we introduce two variants of ECDSA, variant-ECDSA-1 and variant-ECDSA-2, which will be used to construct partially blind signatures that are compatible with ECDSA.

We define variant-ECDSA in this chapter. The concrete schemes are described in Chapter 7 and Chapter 8.

6.1 Definition of Variant-ECDSA

• Setup algorithm takes a security parameter λ as input and outputs public parameter pp = (E, G, q, H).

• KeyGen algorithm takes the public parameter pp as input and outputs public key Q and secret key d.

• Sign algorithm takes the message to be signed m and the secret key d as inputs and outputs a signature σ = (t, s, R) on message m, based on the public key Q.

Q as inputs and outputs 1 if the signature passes verification.
