Signature Schemes in Single and Multi-User Settings

Home , GMR (cryptography), Lamport signature

SIGNATURE SCHEMES IN SINGLE AND MULTI-USER SETTINGS

Vikt´oria I. Vill´anyi

A Dissertation Submitted to the Faculty of

The Charles E. Schmidt College of Science in Partial Fulﬁllment of the Requirements for the Degree of

Doctor of Philosophy

Florida Atlantic University

Boca Raton, Florida

August 2009 This dissertation was prepared under the direction of the candidate's dissertation advisor, Dr. Rainer Steinwandt, Department of Mathematical Sciences, and has been approved by the members of her supervisory committee. It was submitted to the faculty of the Charles E. Schmidt College of Science and was accepted in partial fulfillment of the requirements for the degree of Doctor of Philosophy.

SUPERVISORY COMMITTEE:

Rainer Steinwandt, Ph.D. Dissertation Advisor

stepheh C. Locke, Ph.D.

Ronald C. Mullin, Ph.D.

Lee Klingler, Ph.D. Fred Richman, Ph.D. matical Sciences

Dean, The Charles E. Schmidt College of Science

FLL*?P/9,;349 Barry T. Rosson, Ph.D. Date Dean, Graduate College Acknowledgements

I would like to say thank you to all those who were on my side and made it possible for me to ﬁnish my studies and write my dissertation.

First of all I would like to say thank you to my supervisor, Rainer Steinwandt, who is the most important person in the existence of this thesis. I will spend the rest of my life in deep debt to him. He happily accepted me as his student in 2005 when he joined the department. Since I met him, and he has been supervising me, my research developed very quickly. Thank you for guiding me, helping me and keeping my interest. I hope we will keep in touch and continue to work together in the future; otherwise I would miss you terribly.

I would like to say a special big thank you to Stephen Locke and his wife, Joanne Thomson Locke, who were with me when I had the hardest time in my life. I would like to say a big thank you to Robert Full´er,Ron Mullin and Bart Preneel for sup- porting my scientiﬁc career. I would like to say thank you to our former Chair, Spyros Magliveras, and our Chair, Lee Klingler, for their help.

I have to say thank you also to the Student Government for my son Matthew’s tuition waiver. I could never have ﬁnancially managed being a single mom and a full time student. It is hard to express how challenging it would have been to manage our lives from my scholarship, alone.

iii Thank you to all of my friends with whom I shared time and a bit of life. Thank you to Vladimir Boˇzovi´c,Basak Ay, Nicola Pace, Kenneth Mattheis, Nidhi Singhi, Marcella Chiorescu, Mary Hopkins (without Mary’s and Rainer’s help with LaTex, this dissertation would have never existed,) for being my friends and for listening and answering my never ending complaints.

Thank you to my parents, who raised me and emphasized the importance of thinking and solving problems. Thank you to my Dad, József, for teaching me how to play (basic) chess when I was 3 years old, giving me the world famous magic (Rubik) cube, and buying my first computer (ZX81) when I was 8 years old. Thank you to my Mom, Hajnalka, for having the patience to raise me and teach me to read and write. Thank you to my brother, Zoltán, for the hours we spent together when we were children, and thank you for being my best friend now.

Thank you to my son, M´at´e, for giving me the chance to be his mom, which made me strong and able to pursue my goals. Sorry for the hours that I couldn’t spend with you because I had to work on my Ph.D.

Thank you for all the love and support that you give me every single day.

iv Abstract

Author: Vikt´oria I. Vill´anyi Title: Signature Schemes in Single and Multi-User Settings Institution: Florida Atlantic University Dissertation advisor: Dr. Rainer Steinwandt Degree: Doctor of Philosophy Year: 2009

In the ﬁrst chapters we will give a short introduction to signature schemes in single and multi-user settings. We give the deﬁnition of a signature scheme and explain a group of possible attacks on them.

In Chapter 6 we give a construction which derives a subliminal-free RSA public key. In the construction we use a computationally binding and unconditionally hiding commitment scheme. To establish a subliminal-free RSA modulus n, we have to construct the secret primes p and q. To prove p and q are primes we use Lehmann’s primality test on the commitments. The chapter is based on the paper, “RSA signature schemes with subliminal-free public key” (Tatra Mountains Mathematical Publica- tions 41 (2008)).

v In chapter 7 a one-time signature scheme using run-length encoding is presented, which in the random oracle model offers security against chosen-message attacks. For parameters of interest, the proposed scheme enables about 33% faster verification with a comparable signature size than a construction of Merkle and Winternitz. The public key size remains unchanged (1 hash value). The main cost for the faster verification is an increase in the time required for signing messages and for key generation. The chapter is based on the paper “A one-time signature using run-length encoding” (Information Processing Letters Vol. 108, Issue 4, (2008)).

vi This manuscript is dedicated to my son, Matthew B. Szemes who has spent all his life with a full-time student mom. Contents

1 Introduction to digital signature schemes ...... 1

1.1 Preliminaries ...... 1

1.2 Deﬁning security of a family of hash functions ...... 5

2 The necessary assumptions ...... 8

2.1 The assumptions ...... 8

3 Signature schemes in a single-user setting ...... 11

3.1 Preliminaries ...... 11

3.2.1 Attacks on signature schemes in a single-user setting ...... 12

3.2.2 Subliminal channels in the signature ...... 14

4 Signature schemes in a multi-user settings ...... 18

4.1 Preliminaries ...... 18

4.3 Attacks on signature schemes in a multi-user setting ...... 19

4.3.1 Key substitution attacks ...... 20

vii 5 RSA cryptosytem and signature schemes ...... 22

5.2 RSA cryptosystem ...... 22

5.4 RSA signature scheme ...... 23

6 Subliminal channels in the RSA public veriﬁcation key ...... 25

6.1 Preliminaries ...... 25

6.2 Set up deﬁnitions ...... 26

6.5 Commitment scheme ...... 30

6.6 The basic setup of a subliminal-free public key construction ...... 33

6.7 The details of the construction ...... 35

6.8 Proof of subliminal-freeness ...... 38

6.8.1 Subliminal-freeness of our RSA-PSS ...... 38

6.9 The size of the proof ...... 40

6.10 Detailed protocols ...... 40

6.11 The estimation with chosen parameters ...... 41

7 One-time signature schemes ...... 43

7.1 Introduction to one-time signature schemes ...... 43

7.2 The Lamport signature scheme ...... 43

7.2.1 Number of hash function evaluations ...... 44

viii 7.2.2 Length of the public key and the signature ...... 45

7.3 The Merkle one-time signature scheme ...... 45

7.3.1 Number of hash function evaluations ...... 46

7.3.2 Length of the public key and the signature ...... 46

7.4 One-time signature scheme called HORS ...... 47

7.4.1 Number of hash function evaluations ...... 48

7.4.2 Length of the public key and the signature ...... 48

7.5 The Merkle-Winternitz one-time signature scheme ...... 48

7.6 Our scheme with faster veriﬁcation ...... 50

7.6.1 Key generation ...... 51

7.6.2 Signature generation ...... 51

7.7.1 Signature veriﬁcation ...... 55

7.7.2 Correctness and security ...... 56

7.8 Performance for parameters of interest ...... 61

7.9 Summary of our one-time signature scheme ...... 64

7.10 Combining one-time signatures ...... 65

7.10.1 Hash chain ...... 65

7.10.2 Merkle hash tree ...... 66

ix 7.10.3 Improved Merkle signature scheme ...... 68

8 Summary ...... 69

x Chapter 1

Introduction to digital signature schemes

1.1 Preliminaries

In [DH76] Diﬃe and Hellman introduced the concept of a “digital signature”. They formulated the properties that a digital signature scheme has to satisfy in order to be able to substitute for handwritten signatures. No longer is there a need for the parties to meet and sign the contract or establish a secure communication channel to share their keys and delay the communication. The digital signature scheme must satisfy the following requirements: every user should be able to verify a given signature but it must not be possible for anybody to forge the signature. The proposed cryptosystems, based on trapdoors, are good candidates for digital signature schemes.

We present the suggestion of Diﬃe and Hellman from [DH76].

Example 1. A public key cryptosystem is a pair of families {EK }K∈K and {DK }K∈K

1 of algorithms representing invertible transformations, where K is the key space.

EK : M → M

DK : M → M

on a ﬁnite message space M, such that

1) for every K ∈ K, EK is the inverse of DK ,

2) for every K ∈ K and M ∈ M, the algorithms EK and DK are easy to compute,

3) for almost every K ∈ K, each easily computed algorithm equivalent to DK is

computationally infeasible to derive from EK ,

4) for every K ∈ K, it is feasible to compute inverse pairs EK and DK from K.

The public key cryptosystem can be used to obtain a digital signature scheme. A’s

signature on the message M is DA(M), where DA is the secret deciphering key of A.

When the signature is received on the messages M the recipient uses A’s enciphering

key, EA, to authenticate the signature.

After [DH76] many proposals were announced and claimed to be secure but without security proofs. Many of them were broken eventually. Presently it is not enough to consider a protocol secure because it has not being broken. We need to prove it is secure and give the concrete probability of forgery. We will discuss later what

2 are the achievable security goals and what are the possible tools which the adversary may use. This security notion was established by Goldwasser, Micali and Rivest in

[GMR88] and in the same paper they gave the ﬁrst digital signature that was proven to be secure against adaptive chosen-message attacks (deﬁnition is in section 3.2.1).

We also distinguish diﬀerent kinds of security requirements, such as computational and unconditional security. Computational security does not suppose the system cannot be broken in principle but rather it supposes that to break the system would require more computing power than a realistic adversary would have. Unconditional security ensures that a system cannot be broken even if the adversary has unbounded computing power. Shamir’s secret sharing scheme is an example of an unconditionally secure scheme. In some cases unconditional security cannot be guaranteed and we have to rely on computational assumptions. RSA and discrete logarithm based schemes are examples of computationally secure schemes. We use the existence of one-way functions and one-way permutations (bijective one-way functions) as an assumption. Informally, f is a one-way function if it is easily computable but from knowledge of f and the value of the function at x, it is infeasible to compute x, a preimage of f(x).

3 When we talk about the security of schemes, we have to be very precise about what kind of tools (diﬀerent kinds of attack possibilities) we give to the adversary to attack the scheme, and what our security goals (diﬀerent kinds of forgeries) are. When we try to prove the security of a scheme, we usually use polynomial reduction from the attack to the underlying problem. We can conclude that to break the scheme is as hard as breaking the underlying problem or that the security model is violated.

Many schemes were proposed and proved to be secure in the “standard model”, but they rarely correspond to practical schemes. Most of the eﬃcient schemes are not proven to be secure in the standard model but are proven to be secure in the “random oracle model”, which was introduced by Fiat et al. in [FS86] and popularized by

Bellare et al. [BR93]. The random oracle produces a random looking string for each query, but if we query the same value again it should return the same random looking string. The reason for this extra expectation was to get eﬃcient schemes which are provably secure in the random oracle model. The random oracle model was realized by hash functions. If we replace the random oracle by a real hash function, which does not behave like a random oracle, then attackers could use the special properties

(weakness) of the hash function when they are performing an attack on the scheme.

Hash functions were originally established to make signing of long messages easier.

4 We usually expect the hash function to be ﬁrst and second-preimage resistant and

collision resistant. First we give an informal textbook deﬁnition [Sti06] of them. In

the next section we will give the precise deﬁnitions which are based on the concept

of a hash function family.

Suppose that h : X → Y is a hash function.

Informal Deﬁnition 1.1.1 (Preimage resistance). If y ∈ Y at random, then it is hard to ﬁnd x ∈ X such that h(x) = y.

Informal Deﬁnition 1.1.2 (Second-preimage resistance). If x ∈ X , then it is hard to ﬁnd x 6= x0 ∈ X such that h(x0) = h(x).

Informal Deﬁnition 1.1.3 (Collision resistance). It is hard to ﬁnd x 6= x0 ∈ X such that h(x0) = h(x).

The collision resistance property implies the second-preimage resistance property but does not imply the preimage resistance [RS04].

1.2 Deﬁning security of a family of hash functions

We gave an intuitive deﬁnition of preimage resistance, second-preimage resistance and collision resistance. Now we will give a precise deﬁnition of them based on [RS04].

5 We will need for this purpose the deﬁnition of a hash-function family.

Deﬁnition 1.3 (Family of hash functions). A hash-function family is a function

H : Kn × M → Yn where Kn and Yn are ﬁnite nonempty sets and M and Yn are

n sets of strings. We require that Yn = {0, 1} for some n > 0, the number n is called

the hash length of H. We also require that if M ∈ M then {0, 1}|M| ⊆ M. Often we

will write the ﬁrst argument of H as a subscript, so that HKn (M) = H(Kn,M) for

all M ∈ M.

We need the deﬁnition of a negligible function in order to state formal deﬁnitions of

preimage resistance, second-preimage resistance and collision resistance.

Deﬁnition 1.4 (Negligible). A function µ : N → R is called negligible in n if for

1 every polynomial p(·) and all suﬃciently large n, it holds that |µ(n)| ≤ |p(n)| . We will use the notation negl(n) for a representative negligible function.

Definition 1.5 (Preimage resistance). Let H : Kn × M → Yn be a hash-function family and let m be a number such that {0, 1}m ⊆ M. Let A be a ppt (defined in section 3.1) adversary. We write M ← S for the experiment of choosing a random element from the set S and calling it M. Then we define:

AdvP re[m](A) = Pr[K ← K ; M ← {0, 1}m; Y ← H (M); M 0 ← A(K ,Y ): Hn n n n Kn n n

0 HKn (M ) = Yn]

6 If AdvP re[m](A) < negl(log|Y |) we say the hash function H is preimage resistant. Hn n Kn

Deﬁnition 1.6 (Second-preimage resistance). Let H : Kn × M → Yn be a hash- function family and let m be a number such that {0, 1}m ⊆ M. Let A be a ppt adversary. Then deﬁne:

AdvSec[m](A) = Pr[K ← K ; M ← {0, 1}m; M 0 ← A(K ,Y ):(M 6= M 0) ∧ Hn n n n n

0 (HKn (M) = HKn (M ))]

If AdvSec[m](A) < negl(log|Y |) we say the hash function H is second-preimage Hn n Kn resistant.

Deﬁnition 1.7 (Collision resistance). Let H : Kn × M → Yn be a hash-function family. Let A be a ppt adversary. Then deﬁne:

Coll 0 0 AdvHn (A) = Pr[Kn ← Kn;(M,M ) ← A(Kn):(M 6= M ) ∧ (HKn (M) =

0 HKn (M ))]

If AdvColl(A)(A) < negl(log|Y |) we say the hash function H is collision resistant. Hn n Kn

7 Chapter 2

The necessary assumptions

We will introduce a few assumptions which will be necessary in the rest of the thesis

when we discuss security of the schemes. These assumptions are used commonly in

many computationally secure cryptographic protocols. We have already deﬁned and

used the ﬁrst two assumptions.

2.1 The assumptions

Assumption 2.1.1. One-way functions exist. This implies the assumption P 6= NP .

Assumption 2.1.2. A random oracle exists.

We give the deﬁnition of discrete logarithm and the discrete logarithm assumption.

We need this assumption in subsection 6.5.

Deﬁnition 2.2. Let G be ﬁnite cyclic group. The discrete logarithm of y ∈ G to base

g ∈ G is any integer x such that y = gx.

8 Assumption 2.2.1 (discrete logarithm assumption (dlog)). The dlog assumption is

the following: given a generator g of an arbitrary cyclic group G of order n and an

element s ∈R G (uniformly randomly chosen) it is hard to ﬁnd a ∈ Zn such that

ga = s.

The security of the RSA based systems rely on the RSA assumption. We need it

when we use RSA-PSS in section 6.

Assumption 2.2.2 (RSA Assumption [RK05]). The RSA Assumption is that the

RSA Problem is hard to solve when the modulus n is suﬃciently large and randomly

generated, and the plaintext M (and hence the ciphertext C) is a random integer between 0 and n − 1. The assumption is the same as saying that the RSA function is a trapdoor one-way function. (The private key is the trapdoor.)

The RSA Problem: Given an RSA public key (n, e) (deﬁned in chapter 5.4) and a ciphertext C = M e (mod n), compute M. To solve the RSA problem, an adversary who does not know the private key must nonetheless invert the RSA function.

In chapter 6 “Subliminal channels in the RSA public veriﬁcation key”, we will need the following conjecture that was stated by Juels and Guajardo in [JG02]

Conjecture 2.2.1. For large r, the probability that the interval [r, r + l] contains

−λ 2e no prime p ≡ 3 (mod 4) such that e - (p − 1) is at most e for l = λ( e−1 ) ln r or,

9 l e−1 equivalently, for λ = ln r ( 2e ).

The above conjecture is based on the following conjecture.

Conjecture 2.2.2 (Gallagher Conjecture).

For any ﬁxed λ > 0 and integer k ≥ 0, we have

λk ]{integers x ≤ X : ϕ(x + λ ln x) − ϕ(x) = k} ≈ e−λ X k! where ϕ(·) is Euler’s ϕ function. This implies the probability of [x, x + λ ln x] not containing any prime to be approximately e−λ.

10 Chapter 3

Signature schemes in a single-user setting

3.1 Preliminaries

In this chapter we give a deﬁnition for a signature scheme and begin to discuss its

security. We show diﬀerent kinds of attacks on signature schemes and we discuss how

eﬀective an attack could be. Our discussion is based on Goldwasser et al. [GMR88].

In our deﬁnitions and theorems we use probabilistic polynomial time (ppt) and deter-

ministic polynomial time (dpt) algorithms. Let us ﬁrst introduce them.

Informal Deﬁnition 3.1.1. probabilistic polynomial time algorithm.

A randomized algorithm (i.e., a probabilistic Turing machine) is an algorithm whose

running time is bounded by a polynomial in the length of the input. The randomized

algorithm is allowed to make random moves (”internal coin tosses”).

Informal Deﬁnition 3.1.2. deterministic polynomial time algorithm.

The running time of the (deterministic) Turing machine is bounded by a polynomial

11 p(|x|), where x is the input string. No random moves are allowed in this algorithm.

Let us ﬁrst recall the standard deﬁnition of a signature scheme in a single user setting.

Deﬁnition 3.2 (signature schemes). A signature scheme S=(Gen, Sig, Ver) is a triple of algorithms, where

• Gen is a probabilistic polynomial time algorithm that takes the security parameter 1k (stands for the string of k ones) as input and returns a pair of public and private key (pk, sk).

• Sig is a probabilistic polynomial time algorithm that takes a message M and the private key sk as input and produces a valid signature σ for M under sk.

• Ver is a deterministic polynomial time algorithm that takes a message M, a signature σ and the public veriﬁcation key pk as input, and returns “valid” if σ is a valid signature for M w.r.t. pk, and “invalid” otherwise.

With overwhelming (i.e., 1 − negl(k) ) probability for a key pair (pk, sk), output by Gen is Ver(Sig)=valid for all messages.

3.2.1 Attacks on signature schemes in a single-user setting

We distinguish the following types of attacks.

• Key-only attack: Only the signer’s public key is known.

• Message attack: The attacker has message and signature pairs. We distinguish 4 diﬀerent kinds of message attacks:

12 – Known-message attack: The attacker has obtained a number of message signature pairs for the protocol participant, and his challenge is to come up with a diﬀerent but valid message and signature pair acceptable as from the same participant.

– Generic chosen-message attack: In this non-adaptive attack, the attacker can obtain the signatures of a list of messages chosen by himself. But it must be done before the attacker has seen the public key or any signatures.

– Directed chosen-message attack: This is very similar to the previous case. The only diﬀerence is the attacker may have seen the public key before he asked for the signatures of a list of messages but before any signature has been seen.

– Adaptive chosen-message attack: Here the attacker could have seen the public key and may ask the signer to give a signature on an adaptively chosen message which could depend on the public key and the previously obtained signatures.

We continue to analyze the signature schemes in the sense of how eﬀective an attack on them could be. We begin with the strongest possible breaking of the scheme and we will go down to the weakest one:

– Total break: The attacker can obtain the secret key.

– Universal forgery: The attacker can ﬁnd another signing algorithm that is equivalent to the one that he tries to break.

– Selective forgery: The attacker can forge the signature on one previously chosen message.

13 – Existential forgery: The attacker can forge the signature on one message. We can mix and match the above components. We can speak about schemes which are totally breakable under key-only attack or existentially unforgeable (EUF) under adaptive chosen-message attack (CMA) which is considered the highest security requirement in the model created by Goldwasser, Micali, Rivest.

Example 2.

– The trap-door signature schemes [DH76] (we presented them in 1) are existentially forgeable under key-only attack. The signature-message pair can be created as follows: at ﬁrst choose a random signature and by an application of the public veriﬁcation algorithm we can derive the corresponding message. Attempts have been made to eliminate this kind of security weakness of the trap-door signature schemes by the use of sparse message spaces (for example we increase the size of the messages by adding a reasonably long check sum to it).

– The Rivest-Shamir-Adleman [RSA78] scheme is selectively forgeable using the known-message attack. The attack is based on the homomorphic (mul- tiplicative) property of the scheme, the product of signatures on messages is the signature of the product of the messages.

3.2.2 Subliminal channels in the signature

Another kind of attack on signature schemes can be established by the use of subliminal channels. The history of subliminal channels in cryptography goes back to 1983 when Simmons published a paper with the title: The prisoners’ problem and the sub-

14 liminal channel [Sim84]. In this paper he introduces subliminal channels through an example: A warden enables two prisoners to communicate through signed messages, but the messages will be opened and read by the warden. Here the question arises if it is possible for the prisoners to communicate secretly through the non-secret channel, i.e. is it possible to establish a subliminal channel? The answer was yes. The solution: they sacriﬁced some of their ability of authentication to open a subliminal channel for secret communication through the signature. The next question pops up: is it possible to obtain a subliminal-free authentication and signature. Desmedt in [Des88] showed the existence of subliminal-free authentication systems. He made the Goldwasser-Micali-Rivest signature system subliminal-free by using commitments on the random values. In [BS05] Bohli and Steinwandt laid out a deﬁnition of subliminal channels in digital signatures.

Deﬁnition 3.3. A signature scheme with subliminal channel

S = (Gen, Sig, Ver, SubGen, SubSig, SubVer) is a 6-tuple of algorithms, where Gen, Sig, Ver are as in Deﬁnition 3.2 and

• SubGen is a ppt algorithm that takes the security parameter k as input and outputs a public and secret key pair (pk, sk) along with a subliminal secret key ssk that is to be used for subliminal communication. The resulting distribution of (pk, sk)-pairs is required to be indistinguishable from the ones that were produced by Gen.

• SubSig is a ppt algorithm that takes a message M, a subliminal message m, the secret key sk and the state information s that was output in the last activation

15 phase (initially we set s:=ssk) as input, and outputs a new state information a along with the signature σ for the message M such that this signature σ hides the subliminal message m.

• SubVer is a deterministic polynomial time algorithm that takes a message M with a signature σ on it, the public veriﬁcation key pk, and the subliminal secret key ssk as input, and returns a “valid” or “invalid” message. The Ver algorithm is applied to the triple (M, σ, pk) and returns “invalid” if and only if SubVer returns “invalid”. For a valid signature, the subliminal message embedded by SubSig is recovered by means of ssk. At this time, we require that in a single application of the signature scheme, an embedded message m can be recovered with overwhelming probability, i.e.,

P (m can be recovered) ≥ 1 − negl(k),

with the probability being over the random choices of SubGen and SubSig and the message M and m being chosen independently from the corresponding ﬁnite

message space M = M(k) resp. finite subliminal message space Ms = Ms(k) according to some (application) specific probability distributions. For all values of k, the subliminal message space must contain at least 2 different messages, and for all ppt algorithms W (wardens) we require

| Pr[Expward−ind−1(k) = 1] − Pr[|Expward−ind−0(k) = 1]| ≤ negl(k)

where for b ∈ {0, 1} the experiment Expward−ind−b(·) is deﬁned as follows: Experiment Expward−ind−0(k):

16 (pk, sk) ← Gen(1k);

d ← W Ssk(.,.) (pk); return d; Experiment Expward−ind−1(k): (pk, sk, ssk) ← Gen(1k);

d ← W Ssk,s(.,.) (pk); return d;

with Ssk(·, ·) an oracle which on input (M,m) returns σ ← Sig(M, sk) and

Ssk,s(·, ·) an oracle which returns σ with (σ, s) ← SubSig(M, m, sk, s) and up- dates its internal state s (initially equal to ssk) accordingly.

We deﬁned a signature scheme which contains a subliminal channel. Now we will deﬁne the opposite of it, a signature scheme which does not contain any subliminal channel − a signature scheme where we can’t embed a single bit of information.

Deﬁnition 3.4. Let S=(Gen, Sig, Ver) be a signature scheme. We call S subliminal- free if for all ppt algorithms SubGen, GetCoverMessage, BadSign, BadVerify we have

| Pr[Expsigner−1(k) = 1] − Pr[Expsigner−0(k) = 1]| ≤ negl(k)

At this, SubGen obeys the restrictions in Deﬁnition 1, and for b = 0, 1 the experiment Expsigner−bis deﬁned as follows: Experiment Expsigner−b (pk, sk, ssk) ← SubGen(1k); (M, s) ← GetCoverMessage(ssk, pk); (with M ∈ M) σ ← BadSign(M, b, sk, s); (signature σ with Ver(M, σ, pk) = valid); d ← BadV erify(M, σ, pk, s); (guess d for the hidden bit b); return d

17 Chapter 4

Signature schemes in a multi-user settings

4.1 Preliminaries

The main difference between the definition of a signature scheme in a single-user setting and in a multi-user setting is that, in the multi-user setting we need to validate the public key to be sure pk was generated honestly and it belongs to the signer’s secret key. We can prevent the possibility of different kinds of attacks, for example a key-substitution attack. In comparison with the signature scheme in a single-user setting we will introduce three new algorithms: D, Dv, Gv the first two are for domain

parameter generation and validation and Gv is for public key validation. The other

three algorithms G, S, Sv correspond to the algorithms from the single user settings;

G is the Gen, S is the Sig and Sv is the Ver algorithms. Next we will address the deﬁnition of the signature scheme in the multi-user settings [MS04].

Deﬁnition 4.2 (signature schemes). A signature scheme S is a triple of algorithm

pairs (D, Dv), (G, Gv), (S, Sv) where, for security parameter k:

•D, the domain parameter generation algorithm, is a randomized algorithm which takes as input 1k and outputs a set D of domain parameters between one or more users.

18 •Dv, the domain parameter validation algorithm, is a deterministic algorithm.

•G is the key generation algorithm which is a randomized algorithm and on input of a set of domain parameters D, it outputs a private key- public key pair (sk, pk).

•Gv, the public key validation algorithm, is a two-party zero-knowledge protocol. The protocol allows demonstration to the veriﬁer that pk is a valid public key corresponding to the private key sk.

•S, the signature generation algorithm, which is randomized, and on inputs m, x and D outputs a digital signature s where s = S(m, x, D).

•Sv, the signature veriﬁcation algorithm, is a deterministic algorithm which on inputs m, s, D and y outputs “valid” or “invalid” message. For a valid signa-

ture we require that Sv(m, s, D, pk) = V alid.

4.3 Attacks on signature schemes in a multi-user

setting

We can have different kinds of attacks on signature schemes if we extend signature schemes to a multi-user setting instead of the single-user setting. We will discuss several attacks on multi-user settings based on Menezes and Smart [MS04] and Bohli , Röhrich and Steinwandt [BRS06]. We can do the same extension, define the security in a single user setting and later define the security in multi-user settings with encryption schemes. Bellare et al. in [BBM00] proved that a public key encryption which is secure in the single-user setting is also secure in the multi-user setting. Obviously we can’t state the same for signature schemes. Let us see some examples for different kinds of

19 attacks:

4.3.1 Key substitution attacks

In a key substitution attack, the adversary has all publicly available information and has access to the signing oracles. The adversary by querying the signing oracles

gathers the following triples (pki, mi, σi) where pki’s are the public keys, mi’s are the messages that were chosen by him, and σi are the corresponding signatures. The challenge for the adversary is to come up with a triple which has never been queried from the signing oracle. Possible attacks on the signature schemes in the multi-user setting:

• pk = pki for some i, but there isn’t any m 6= mi for all j ∈ {j : pk = pkj} then the adversary produced an existential forgery in the GMR (Goldwasser-Micali- Rivest) sense.

• (m, σ) = (mi, σi) but pk 6= pki for some i, the adversary produced a key substitution attack.

• (pk, m) = (pki, mi), the adversary produced a second signature on the same message under the same unknown public key. We will call it a “malleable signature algorithm”. ECDSA is a malleable signature scheme but so far no attack is known that would exploit this weakness of the scheme.

• σ = σi for some i, but pk 6= pki and m 6= mi for these σi’s. We call this a “message and key substitution attack” (MKS). We do not consider this a serious attack.

• pk 6= pki and σ 6= σi. We do not consider it an attack because everyone can generate a public key/secret key pair and sign messages with it.

20 As we did in the single-user setting we deﬁne EUF-CMA security of a signature scheme in the multi-user setting.

Deﬁnition 4.4. We say the signature scheme S = [(D, Dv), (G, Gv), (S, Sv)] is GMR- WKS (or EUF-CMA weak key substitution) secure if any polynomial-time (randomized) adversary algorithm has at most a negligible chance to produce one of the following two cases, where the adversary has all public information. The adversary has the domain parameters (D) the public key (pk), access to the signing oracle and was able to produce a new secret-public key pair (sk, pk).

1. If Sv(m, σ, D, pk) =Valid where pk = pk and m has never been asked from the signing oracle. 2. If m has been asked from the signing oracle and σ is the signature on it such that

σ = σ but pk 6= pk and Gv((D, pk), (D, pk, sk)) =Valid and Sv(m, σ, D, pk) =Valid also.

Part 1 corresponds to the EUF-CMA security in a single-user setting and part 2 corresponds to the security against a key-substitution attack.

It can be proven that if the signature scheme is secure in the single-user setting (GMR or EUF-CMA), it can be converted into a signature scheme which is secure in the multi-user setting (GMR-SKS or EUF-CMA-SKS).

21 Chapter 5

RSA cryptosytem and signature schemes

In this subsection we give a short introduction to RSA-based signature schemes [Lab02]. Later we discuss the subliminal-freeness of an instance of this type of scheme (RSA-PSS). To be able to characterize the capacity of the scheme to transmit subliminal messages we will now deﬁne the notation of broadband and narrowband channels.

Deﬁnition 5.1. We call a subliminal channel broadband if its bandwidth grows at least linearly in the security parameter, k. We call a subliminal channel narrowband if its bandwidth grows no more than logarithmically in k.

5.2 RSA cryptosystem

The following deﬁnition of the RSA cryptosystem is taken from Coron [Cor02].

Deﬁnition 5.3. (The RSA cryptosystem) The RSA cryptosystem is a family of trapdoor permutations, speciﬁed by: -The RSA generator RSA, which on input 1k, randomly selects two distinct k/2-bit integers p and q and computes the modulus N = p·q. It randomly picks an encryption

∗ exponent e ∈ Zφ(n) and computes the corresponding decryption exponent d such that e · d = 1 (mod φ(N)). The generator returns (N, e, d).

22 ∗ ∗ e -The encryption function f : ZN → ZN deﬁned by f(x) = x (mod N).

−1 ∗ ∗ −1 d -The decryption function f : ZN → ZN deﬁned by f (y) = y (mod N).

5.4 RSA signature scheme

We can derive a signature scheme from the above RSA cryptosystem as was presented in Example 1. The signing procedure imitates the deciphering procedure, the veri- ﬁcation procedure imitates enciphering procedure. We will call the derived system “text-book RSA signature scheme”. The scheme is obviously not EUF-CMA secure. We introduce an improved EUF-CMA secure version of it in Example 3.

Example 3. RSA based EUF-CMA secure signature scheme: RSA-PSS We sign as we did earlier but at ﬁrst we perform the following transformation of the message:

E(M) = [(0 ... 0||1||salt) ⊕ MGF (H0, emLen − hLen − 1)]||H0||bc

with H0 = H(0 ... 0||H(M)||salt) a hash value of length hLen, emLen the length of the string E(M) in octets, and bc an octet with the hexadecimal value bc. The salt is a random value, ⊕ is the XOR operation and MGF is the mask generation function. The mask generation function is taking a bit string of any length as input and outputs a bit string of a desired bit length. The MGF function in practise is based on secure hash functions. We will sign the derived value, E(M), the same way as described in the text-book RSA signature scheme, basically the RSA-PSS signature σ on message M is just the text-book RSA signature on E(M). The signature verification will have two steps. At first we do the textbook RSA verification to derive E(M), then we have to verify the

23 transformation of M to E(M).

We could open a broadband subliminal channel through the salt in the signature scheme. We can derive a deterministic variant of RSA-PSS by omitting the salt which does not have the above subliminal channel, however the security reduction of the scheme is less tight. If we exclude the above subliminal channel (salt), it is still possible to establish subliminal channels in RSA-PSS. We can use the fact that we can not check, without a given proof in the key generation procedure, that gcd(φ(n), e) = 1. Suppose gcd(φ(n), e) = k then we have k or 0 e-th roots of an element in Zn. In the second case no decryption exponents exist i.e. @d st. de ≡ 1 (mod φ(n)). In the ﬁrst case by choosing the “right” e-th root we can establish a subliminal channel. However we

1 sacriﬁce the ability of signing arbitrary messages because just k of the elements in Zn have e-th roots. If the participants of the protocol can prove that gcd(φ(n), e) = 1, then this kind of subliminal channel could be eliminated as well.

24 Chapter 6

Subliminal channels in the RSA public veriﬁcation key

6.1 Preliminaries

We already discussed subliminal channels in the signing procedure of digital signature schemes and how to eliminate them from the signing procedure of RSA-PSS. Here our goal is to avoid secret communication through the public verification key of the digital signature scheme. In our contribution we give the definition of a signature scheme where the public key contains a subliminal channel and give the definition of a subliminal-free public key in existentially unforgeable signature schemes. We show an example of constructing a subliminal-free RSA public key; if we combine it with the subliminal-free deterministic RSA-PSS from [BS05] we get a version of RSA-PSS which is subliminal-free in the sense of the public key and the signature. At first let us see and discuss some examples of subliminal channels in the public key. We can easily find narrowband channels in an RSA public key, for example: choose p, q such that the product of the last few (binary) digits (of course the very last one is always 1) encode the subliminal message. If we could factor the RSA modulus with some extra information (subliminal secret key) then we could easily

25 establish a broadband subliminal channel, simply taking one of the primes to be the encoded subliminal message. We could avoid broadband subliminal channels by veriﬁable randomness [JG02]. In our set up we need more, according to our deﬁnition we would like to have a public key which does not contain one single bit that serves as subliminal message with more than negligible probability.

6.2 Set up deﬁnitions

We modify the deﬁnition of the signature scheme (3.2) to set up the deﬁnition of a signature scheme which contains a subliminal channel in the public key. To this aim we introduce 3 new algorithms SGen, Embed and Extract. The SGen algorithm generates the subliminal secret key (ssk) before the public key, secret key pair generation is done. The Embed algorithm embeds the subliminal message in the public key by using ssk. The subliminal message receiver, by using the Extract algorithm, should be able to recover the subliminal message with overwhelming probability. To establish a subliminal channel we need a public key generation, where a public key containing a subliminal message is indistinguishable from one which doesn’t.

Deﬁnition 6.3. A signature scheme where a public key contains a subliminal channel S=(Gen, Sig, Ver, SGen, Embed, Extract) is a 6-tuple of algorithms, where Gen, Sig, Ver are as in deﬁnition 3.2 and

• SGen is a ppt algorithm whose input is security parameter k and its output is the subliminal secret key ssk.

• Embed is a ppt algorithm whose inputs are the subliminal message m and subliminal secret key ssk and its output is a public/secret key pair.

• Extract is a ppt algorithm whose inputs are the subliminal secret key ssk and

26 the public key pk’ which contains the subliminal message and its output is the embedded message with overwhelming probability.

For all values of k, the subliminal message space must contain at least 2 diﬀerent messages, and for all ppt algorithms W (wardens) we require

| Pr[Expward−ind−1(k) = 1] − Pr[Expward−ind−0(k) = 1]| ≤ negl(k). (6.1)

where for b ∈ {0, 1} the Experiment Expward−ind−b(k) is deﬁned as a follows: Experiment Expward−ind−1(k) (st, m) ← W (1k);(st is a state information) (pk, sk) ← Gen(1k);

d ← W Ssk(·)(pk, st); (d is the guess for b) return d Experiment Expward−ind−0(k) (ssk) ← SGen(1k); (st, m) ← W (1k); (st is state information) (pk∗, sk∗) ← Embed(m, ssk);

d ← W Ssk∗(·) (pk∗, st); return d

with Ssk(·) an oracle which on input the message (M) returns the signature σ ←

Sig(M, sk) and Ssk∗ (·) an oracle which on input the message (M) returns the signature σ ← Sig(M, sk∗).

We are now at the point of setting up the deﬁnition of the public key subliminal- free signature scheme. In our deﬁnition we have an active warden who participates in the secret/public key generation process. The so called warden’s task is to be sure the public key doesn’t contain any subliminal messages. Let us call Alice the participant

27 who is establishing her secret/public key pair. We will have an interactive key generation between Alice and the warden. At first Alice sends some auxiliary information to the warden about her public keys and the warden sends her an algorithm about what kind of modification she has to do on her keys. After that she sends the new public key with proof that the required modifications have been made, to the warden. The warden has to be able to verify the proof and accept or deny the new public key based on the given proof. The proof is usually a zero knowledge proof but in some cases it could be omitted. We give an example of a scheme where the proof that the warden algorithm was executed could be omitted.

Example 4. In EC-DSA the warden asks Alice to add the multiple of a base point to the public key to make the public key subliminal-free, then the warden can easily check the modiﬁcation was made without an extra proof.

In our model we prefer to have signature schemes which are existentially unforgeable. We will have the extra restriction on the signature schemes, that the original signature scheme and the subliminal-free variant both have to be existentially unforgeable.

Deﬁnition 6.4 (interactively generated subliminal-free public key in existentially unforgeable signature schemes). Let S=(Gen, Sig, Ver) be an existentially unforgeable signature scheme where we denote the public key with pk’. We call the signature scheme subliminal-free in the sense of public key if there exists a ppt algorithm “Warden” such that for all ppt algorithms SGen, BadEmbed, Warden, BadExtract we have

| Pr[Expsigner−1(k) = 1] − Pr[Expsigner−0(k) = 1]| ≤ negl(k). (6.2)

The experiment Expsigner−b for b = 0, 1 is deﬁned as follows:

28 Experiment Expsigner−b

(ssk) ← SGen(1k) (pk∗, sk∗, s) ← BadEmbed(b, ssk) a ← A(s) (W Algorithm) ← W arden(a) (pk0, sk0, proof) ← W Algorithm(s) d ← BadExtract(pk0, ssk) return d; where

• SGen is a ppt algorithm whose input is security parameter k and its output is the subliminal key ssk.

• BadEmbed is a ppt algorithm whose inputs are the subliminal bit b and subliminal secret key (ssk) and its outputs are the public/secret key pair and a state information.

• A is a ppt algorithm whose input is s (the state information) and its output is auxiliary information a.

• Warden is a ppt algorithm whose input is the auxiliary information and its output is a ppt WAlgorithm.

• WAlgorithm is a ppt algorithm which gives instruction on how to modify the secret/public key pairs. Its input is the state information and its output is a new secret key, a subliminal-free public key and a proof. By the using the proof it should be veriﬁable whether or not WAlgorithm was applied. We want S=(Gen*,

29 Sig, Ver), where Gen* is the algorithm which generates the subliminal-free public/secret key pair, to be existentially unforgeable (like the original signature scheme) even if we can use all the additional information from the generation process.

• BadExtract is a ppt algorithm whose inputs are the modiﬁed public key (pk’), and the subliminal secret key and its output is 0 or 1 (guess for the hidden bit).

6.5 Commitment scheme

In the construction of our protocol we will use the Pedersen commitment scheme [Ped91], [CD98], [CM99]. We assume we have a cyclic group G = hgi of known large order Q and we have a second generator of this group h whose discrete logarithm

(Deﬁnition 2.2) to the base g is unknown. The commitment ca on a ∈ ZQ is the

a r group element g h from G, where r is randomly chosen from ZQ. The security of the commitment scheme depends on the assumption that computing discrete logarithms is infeasible (Assumption 2.2.1). The infeasibility of the computation of the discrete logarithm assures the computationally binding property, the multiplication with the power of h takes care of the unconditionally hiding property. We will adopt the notations from paper [CM99]. We denote the protocol which proves the knowledge of:

• discrete logarithm x of the group element y to basis g by PK{(x): gx}

r The procedure: the prover chooses a random r ∈R ZQ, computes t := g and

0 k sends it to the verifier. The verifier picks a random challenge c ∈R {0, 1} , and sends it back to the prover. The prover sends s := r − cx (mod Q) to the verifier. In what follows we think of c as the integer the bit string c0 represents with respect to base 2. The verifier checks if gsyc = t holds, then he accepts

30 the proof.

• A representation of the element y to the bases g1 . . . gl by

Ql αi PK{(α1, . . . , αl): y = i=1 gi } The procedure: Note this protocol is an extension of the previous ones. The

Ql ri prover chooses r1, . . . , rl ∈R ZQ, computes t := i=1 gi and sends it to the

0 k veriﬁer. The veriﬁer picks a random challenge c ∈R {0, 1} and sends it back to

the prover. The prover sends si := ri − cxi (mod Q) for all i ∈ {1, . . . , l} to the veriﬁer. In what follows we think of c as the integer the bit string c0 represents

c Ql si with respect to base 2. The veriﬁer accepts if t = y i=1 gi holds.

• equality of the discrete logarithms of elements y1 and y2 to the bases g and h,

α α respectively by PK{(α): y1 = g ∧ y2 = h }.

The procedure: The prover wants to prove y1 and y2 have the same discrete

logarithm, call it x, to base g and h. The prover chooses a random r ∈ ZQ,

r r computes t1 := g and t2 := h and sends them to the verifier. The verifier picks a random challenge c0 ∈ {0, 1}k and sends it to the prover. The prover sends s := r − cx (mod Q) to the verifier. In what follows we think of c as the integer the bit string c0 represents with respect to base 2. The verifier checks if

s c s c g y1 = t1 and h y2 = t2 holds, then he accepts the proof.

• (at least) one of the discrete logarithms of the elements y1, y2 to base g by

α β PK{(α, β): y1 = g ∨ y2 = g }

The procedure: W.l.o.g, we assume the prover knows x := logg y1. The prover

0 k r1 s2 c2 chooses random r1, s2 ∈R ZQ and c2 ∈R {0, 1} and sends t1 = g , t2 := g y2

0 (c2 ∈ ZQ is the converted version of c2) to the veriﬁer. The veriﬁer picks a random challenge c0 ∈ {0, 1}k and sends it to the prover. The prover sends

0 0 0 c1 := c ⊕ c2 and s1 := r1 − c1x (mod Q) (where ⊕ denotes the bit-wise XOR

31 0 0 operation and c1 ∈ ZQ is the converted version of c1) and sends s1, s2, c1 and

0 0 0 0 si ci c2 to the veriﬁer. The veriﬁer accepts, if c1 ⊕ c2 = c and ti = g yi holds for i ∈ {1, 2}.

l1 l2 l1 l2 • a discrete logarithm that lies in a given range (2 − 2 < logg y < 2 + 2 , for

α l1 ¨l2 l1 ¨l2 some parameter, l1 and l2) by PK{(α): y = g ∧ 2 − 2 < α < 2 + 2 }

With the proving technique from [CM99] if α lies in the interval (2l1 −2l2 , 2l1 +2l2 )

we can only prove 2l1 − 2l2+2 < α < 2l1 + 2l2+2 where > 1 is a security ¨ parameter. We denote l2 + 2 by l2 in the protocol. We denote the zero knowledge computation protocols:

x x y y z z n n • addition S+:= PK{(x, y, z, n, x,e y,e z,e ne): g he ∧ g he ∧ g he ∧ g he ∧ z = x + y (mod n)}

The protocol: Let us suppose we have already obtained the commitments cx,

cy, cz and cn on x, y, z and n respectively. The prover can convince the veriﬁer that x + y ≡ z (mod n) by using the following protocol k times.

x x ¨l ¨l ∗ S+ := PK{(x, y, z, n, x,e y,e z,e n,e π, λ): cx = g he ∧ (−2 < x < 2 ) ∧ y y ¨l ¨l z z ¨l ¨l cy = g he ∧ (−2 < y < 2 ) ∧ cz = g he ∧ (−2 < z < 2 ) ∧ ¨ ¨ ¨ ¨ c = gnhne ∧ (−2l < n < 2l) ∧ cz = cπhλ ∧ (−2l < π < 2l)} n cxcy n

x x y y z z n n • multiplication S∗:= PK{(x, y, z, n, x,e y,e z,e ne): g he∧g he∧g he∧g he ∧z = x·y (mod n)}

The protocol: Let us suppose we have already obtained the commitments cx,

cy, cz and cn on x, y, z and n respectively. The prover can convince the veriﬁer that xy ≡ z (mod n) by using the following protocol k times.

x x ¨l ¨l ∗ S∗ := PK{(x, y, z, n, x,e y,e z,e n,e π, λ): cx = g he ∧ (−2 < x < 2 ) ∧ y y ¨l ¨l z z ¨l ¨l cy = g he ∧ (−2 < y < 2 ) ∧ cz = g he ∧ (−2 < z < 2 ) ∧

32 ¨ ¨ ¨ ¨ n ne l l x π ze l l cn = g h ∧ (−2 < n < 2 ) ∧ cz = cy cnh ∧ (−2 < π < 2 )}

x x y y z z n n • exponentiation Sexp:= PK{(x, y, z, n, x,e y,e z,e ne): g he ∧g he ∧g he ∧g he ∧z = xy (mod n)} The detailed protocol can be found in [CM99].

p p 1 • primality checking Sp:= PK{(p, pe): g he ∧ p ∈ pseudoprimes (t)}, where t is a security parameter The detailed protocol can be found in [CM99].

6.6 The basic setup of a subliminal-free public key

construction

We show that an RSA public key without subliminal channel can be constructed. The RSA public key is a pair of an exponent and a modulus (e, n) where n is big enough to be infeasible to factor and e and ϕ(n) are relatively prime. We suppose n is the product of 2 publicly unknown k bit prime numbers. The subliminal-free public/secret key generation is an interactive process between the person who needs this key pair, call her Alice, and the warden who is taking care of the public key’s subliminal-freeness. For this purpose the warden and Alice will generate the public/secret key pair in the following interactive way:

1We call a number a pseudoprime if it behaves like a prime number, for example if a composite number satisﬁes Fermat’s little theorem we call it a Fermat pseudoprime.

33 Step 1: The public exponent e is a prime number and it is chosen by the warden. Step 2: To generate the subliminal-free modulus Alice chooses a 2k−1 bit number y randomly and sends a commitment on it to the warden. Step 3: The warden chooses a 2k−1 bit random number z and sends it back to Alice. Step 4: Alice has to add these two number (mod 2k) let x := y + z (mod 2k) and she has to prove the sum of them is x. Step 5: Alice has to ﬁnd the smallest prime p after x + 2k (2k is an initial value, taking care of p and q having the right size). She has to prove with zero-knowledge proofs that this is the smallest prime just after x + 2k so there will not be any prime number s ∈ [x + 2k, p) and she also has to prove gcd(p − 1, e) = 1. Step 6: Alice and the warden have to repeat the above process to get the prime q, which is the ﬁrst prime after x∗ + 2k (x∗ = y∗ + z∗ (mod 2k) where y∗ and z∗ is chosen by Alice and the warden respectively). Step 7: The product of p, q, call it n, will be a subliminal-free RSA modulus. Where the computation (n = pq) will be performed on the commitment and later this commitment will be opened to reveal n.

34 6.7 The details of the construction

We will describe a more detailed version of the above protocol.

• The warden chooses the public exponent e and he sends it to Alice.

• Alice chooses a random number y ∈ {0, 1, 2 ... 2k −1} and sends a computation-

ally binding commitment cy on it to the warden, the warden chooses a random number z ∈ {0, 1, 2 ... 2k − 1} and sends it to Alice. The natural commitment

z cz = g on z is easily computable by both parties if z is known. We can omit the multiplication by the power of the other (h) group generator element because the hiding property is not needed here.

• Alice has to add z and y modulo 2k, let this sum be x := z + y (mod 2k) the

commitment on it cx. She uses the addition protocol to prove she did the addition:

x x k S+ := PK{(x, xe): cx = g he ∧ x = y + z (mod 2 )} We omitted from the

protocol the proof of commitment cy and cz being a commitment on y and z because it was shown previously.

• To prove Alice has found the two primes p and q just after x + 2k and x∗ + 2k respectively she uses zero knowledge proofs again. It is needed because Alice does not want to reveal any of x, x∗, p, q, as would this be a disclosure of her secret key. She has to prove that p, q are primes generated by the given method but the only thing that she publishes is, n the product of p and q.

• To prove p and q are primes, Alice uses the Sp protocol which by using Lehmann’s Primality Test, statistically proves the primality of a committed number. We present a protocol to prove that any s ∈ [x + 2k, p) ∪ [x∗ + 2k, q) is not prime. The protocol is based on Lehmann’s Primality Test. Let us recall:

35 Theorem 6.7.1 (Lehmann’s Primality Test [Leh82, CM99]). An odd integer s > 1 is prime if and only if

s−1 s−1 ∗ 2 × 2 ∀a ∈ Zs a ≡ ±1 (mod s) and ∃a ∈ Zs a ≡ −1 (mod s).

We use the contrapositive of a variation of this theorem. Let us see this variation: An odd integer s > 1 is prime if and only if

s−1 s−1 2 × 2 ∀a ∈ Zs\{0} a ≡ ±1 (mod s) and ∃a ∈ Zs a ≡ −1 (mod s).

The contrapositive of it:

Corollary 6.7.2. An odd integer s > 1 is not a prime if and only if

s−1 ∃a ∈ Zs\{0} a 2 6= ±1 (mod s).

To prove s is not a prime use the following protocols.

a a o o Sa6=0 := PK{(a, ea, o, oe): ca = g he ∧ co = g he ∧ oa ≡ 1 (mod r)} Here, r is a publicly known prime number of size k + 2 bits, that ensures all s ∈ ((x, p) or (x∗, q)) will be relatively prime to r.

b eb d de b Sexp := PK{(b,eb, d, de): cb = g h ∧ cd = g h ∧ a ≡ d (mod s)}

2 where s = 2b + 1 and cs = cb · g

z z Sd6=±1 := PK{(z, ze): cz = g he ∧ z(d − 1)(d + 1) ≡ 1 (mod r)}

where cd−1 := cd/g and cd+1 := cd · g

• Alice needs to prove for consecutive numbers they are not primes with the above protocols. We know every other number is even, so it is enough to verify only

36 that the odd numbers are not primes. The commitments on the odd numbers

k ∗ k 2k 2l s in the intervals [x + 2 , p) and [x + 2 , q) are in the form cs := cx · g · g

2k 2l+1 2k 2l ∗ if x is odd (or cs := cx · g · g if x is even) and cs := cx∗ · g · g if x is

2k 2l+1 ∗ odd (or cs := cx∗ · g · g if x is even) where l ∈ N ∪ {0}. Alice and the

warden have to run the protocols Sa6=0,Sexp,Sd6=±1 on the odd s ∈ (x, p) and

∗ s ∈ (x , q) to prove s is not prime where cs is already given. If Alice tries to fool the warden and prove for the even numbers instead of odd numbers that they are not primes she will never get a prime number [x + 2k, p) ∪ [x ∗ +2k, q) so she could never generate the RSA modulus. If somehow she would manage it, when she sends n to the warden he could immediately recognize n is even, so the fraud would be detectable.

• When Alice proves that all numbers in the given intervals [x+2k, p0) and [x∗+2k,

0 p p q ) are not primes, she derives a commitment on p and q. Let them be cp := g he

q q and cq := g he Alice needs to prove p and q are prime numbers, she uses protocol

Sp for p and q.

p p Sp:= PK{(p, pe): g he ∧ p ∈ pseudoprimes(t)}

• Alice has to prove ϕ(p · q) and e are relatively prime, what is equivalent to e is relatively prime to p−1 and to q −1 so there exists an inverse of e (mod p−1) and (mod q − 1). The commitment on p − 1 and on q − 1 is easily computable

from the commitment on p (cp) and on q (cq). To prove e and ϕ(n) are relatively prime Alice uses the following protocol:

k ek Sp−1 := PK{(k, ek): ck = g · h ∧ k · e ≡ 1 (mod p − 1)}

l el Sq−1 := PK{(l,el): cl = g · h ∧ l · e ≡ 1 (mod q − 1)}

• Alice sends n = p · q, the RSA modulus, to the warden but she needs to prove n is a product of the committed p and q.

37 Alice uses the S∗ protocol to prove the product of p and q is n.

p p q q n n S∗:= PK{(p, q, n, p,e q,e ne): g he ∧ g he ∧ g he ∧ n = p · q}

6.8 Proof of subliminal-freeness

6.8.1 Subliminal-freeness of our RSA-PSS

Proposition 6.8.1. The public key, where e is chosen by the warden and n generated by the above method is subliminal-free in respect to our Deﬁnition 2.2.1 under the RSA and the discrete logarithm assumption.

Proof: We will prove it in 3 steps. In the first step we will prove our public key subliminal-free signature scheme is indistinguishable from the original one. In the second step we will prove our scheme with the zero knowledge proofs is as secure as the original RSA-PSS. In the last step we will prove our signature scheme is subliminal-free. Step 1: We will prove our public key subliminal-free signature scheme is computationally “indistinguishable” from the original one. Because of the signing and verification algorithm not having changed we only have to focus on our public key being indistinguishable from the honest RSA-PSS public key. Claim: Experiment1 is indistinguishable from Experiment2, where Experiment1: Honest RSA prime generation: Generate a random k − 1 digit number and add 2k initial values to this number and find the next prime in the row [BD93]. Experiment2: Our RSA prime generation: Take the sum of 2 independently generated random k − 1 bit numbers (mod 2k), add 2k initial values to this random number, and find the next prime in the row. The random number from Experiment1 is indistinguishable from our random number

38 from Experiment2 if at least one of the numbers in the sum (y + z) is a random number that implies the product of two in the above manner generated primes is indistinguishable from the honestly generated RSA modulus. It also implies our public key subliminal-free signature scheme is EUF-CMA secure because it is indistinguishable from the original scheme which was supposed to be EUF-CMA secure. Handling the failure property of the above experiments: The probability of indistinguishable Experiments not terminating can be bounded by the probability given in (Conjecture 2.2.1) that was introduced by Juels and Gua- jardo in [JG02]. From this conjecture we know the probability of [x, x + λ ln x] not

−λ( e−1 ) containing any prime is at most e 2e .

Step 2: Our public key subliminal-free scheme with the proof is as secure as the original RSA-PSS. The proof is “unconditionally hiding zero-knowledge” so we can’t get any useful information from it. The only extra information we will get from the proof is the number of non-primes (call it l) between the random numbers and ﬁrst prime. Let us see how we could use this information to factor the RSA modulus. We know the gap between our prime and the previous prime is at least l. We also know from the Juels and Guajardo’s conjecture that the probability of the gap being greater than λ ln x is less

−λ( e−1 ) then e 2e . Let us fix the previous λ and if we can not find a prime until x + λ ln x then we begin the search again choosing another random value for x to find the next prime after x + 2k. Then, we could maximize the size of the gap which would be polynomial in the size of the security parameter. If the gap size is polynomial then a probabilistic polynomial time adversary algorithm could guess it. If it is possible to factor n with the knowledge of the gap size then it would be possible without it too, with simply guessing the size.

39 Step 3: Our signature scheme is subliminal-free. The public exponent is subliminal-free because it was chosen by the warden. We claim our RSA modulus n is subliminal-free. Let us see how Alice could hide a subliminal message in the public key. If she tries to hide it in the generation of y or y∗ the warden would add the random number to them so the probability of the subliminal message to be recoverable will no longer be overwhelming. If she tries to hide it by the addition or by proving she found the next prime she would have again just a negligible probability (computationally biding and the probabilistic primality proof).

Thus, we can claim Alice has a subliminal-free public key. We combine a signature subliminal-free deterministic RSA-PSS [BS05] with our public key subliminal-free RSA we will derive a signature scheme which is subliminal- free in sense of the public key and the signature as well.

6.9 The size of the proof

We will give an estimate of the zero-knowledge proofs space requirement. The group in which we will perform zero-knowledge proofs, will be a prime order group of order Q > 22(k+1)+5 where is a security parameter and the prime factors p and q are less than 2k+1.

6.10 Detailed protocols

We give a detailed variant of some of the protocols of the construction with the purpose of estimating the size of the proof:

k x x `¨ `¨ cx 2 q S+ := PK{(x, x, q): cx = g he ∧ −2 < x < 2 ∧ z = (g ) ∧ e cy·g

40 − 2`¨ < q < 2`¨ }

a a `¨ `¨ o o Sa6=0 := PK{(a, ea, o, o,e s, se): ca = g he ∧ −2 < a < 2 ∧ co = g he ∧ ¨ ¨ ¨ ¨ ` ` a s se ` ` − 2 < o < 2 ∧ g = co · cr h ∧ 2 < s < 2 }

b eb `¨ `¨ d de Sexp := PK{(b,eb, d, de): cb = g h ∧ −2 < b < 2 ∧ cd = g h ∧ − 2`¨ < d < 2`¨ ∧ ab ≡ d (mod s)}

Sd6=±1 := PK{(z, z,e f, f,e s, s,e t, et): z z `¨ `¨ f fe `¨ `¨ cz = g he ∧ −2 < z < 2 ∧ cf = g h ∧ −2 < f < 2 ∧ ¨ ¨ ¨ ¨ d+1 s se ` ` z t et ` ` cf = cd−1 · crh ∧ 2 < s < 2 ∧ g = cf · cr h ∧ 2 < t < 2 }

¨ ¨ c S := PK{(k, k, r, r): c = gk · hek ∧ −2` < k < 2` ∧ g = ce · ( p )rhre ∧ p−1 e e k k g − 2`¨ < r < 2`¨}

6.11 The estimation with chosen parameters

Proving p and q are primes results in a communication cost of about 14t log(2k+1) log Q + 4t log(2k+1)l = 14t(k + 1) log Q + 4t(k + 1)l bit for p and q separately. Proving the number s is not prime costs about 2 log(Q)(3 + 7(k + 1) + 4) + l · (3 + 4(k + 1) + 4) = 14(k + 2) log(Q) + (4k + 11)l bit.

k+1 We have to prove that about 2 numbers are not primes until we ﬁnd the ﬁrst prime k+1 number p (or q). The size of these proofs is about 2 · (14(k + 2) log Q + (4k + 11)l) for both intervals. The computation cost of the remaining operation is about 2 log Q(2+2·2+1)+(2+2·

41 2)l = 14 log Q+6l. Thus, the full cost of the protocol is about 2·(14t(k +1) log Q+

k+1 4t(k + 1)l + 3 · (14(k + 2) log Q + (4k + 11)l) + 7 log Q + 3l). Let us see a concrete estimation: if we choose k = 512, = 1 · √1 ≈ 1.11 and t = 80 and l = 80 then log Q 80 2·1.11·513+5 513 will be about log 2 ≈ 1145, 2·(79.86+1.76+ 2 (0.98+0.02)+0.001)Mbytes ≈ 676Mbytes Let us see the security of the full protocol with these chosen parameters.

1 The probability of forgery for the primality test is about 280 . To save space we can omit the numbers which are divisible by 3, 5, 7..., i.e. prime √ numbers up to k in which our case is 19 (k = 512). We apply a little sieve for the intervals. If we can omit one number we can gain 1Mbyte. We can reduce the size approximately 337Mbytes. Here the space cost for the primality test is 163Mbytes and the proofs for the numbers between the random number and the prime number not being primes is 176Mbyte.

42 Chapter 7

One-time signature schemes

7.1 Introduction to one-time signature schemes

The design of digital signature schemes has received a lot of attention in the cryptographic literature. In recent years, there is an increasing interest in signature schemes that can be implemented by means of symmetric primitives like a block cipher or a cryptographic hash function only, i. e., without relying on a number-theoretic assumption. One motivation is provided by Shor’s well-known quantum algorithms for factoring and discrete logarithms [Sho97], but also specific efficiency needs in low power devices stimulate research along this line [SP05]. The first signature scheme in which security is based only on the assumption of the existence of a one-way function was the Lamport signature scheme [Lam79]. We will introduce a few one-time signature schemes to derive and compare them with our new one-time signature scheme which uses run-length encoding.

7.2 The Lamport signature scheme

The one-time signature scheme that was designed by Lamport is the ﬁrst example of a signature scheme which is based on the existence of a one-way function only. Let

43 us take a look at Lamport’s signature scheme: We have to ﬁx the length (k) of the message that we want to sign. The secret key is a list of 2k random elements:

sk = (a1,0, a1,1, a2,0, a2,1, . . . , ak,0, ak,1)

Now we apply a one-way function (f) to the list of elements to derive the public key:

(f(a1,0), f(a2,0), . . . , f(ak,0),

f(a1,1), f(a2,1), . . . , f(ak,1))

We sign a k-bit message in the following manner:

We sign it bit by bit. If the i-th bit is 1 we reveal the value ai,0 otherwise the value ai,1. We verify the signature in the following manner: We apply the one-way function to the signature values and compare them with the published, corresponding public key. If the values are equal the signature is valid, otherwise invalid. Note that the security of the scheme relies solely on the one-way property of the used hash function, f. When we verify the signature we reveal a part of the secret key therefore we can use the given secret key public key pair only once. Later we will introduce two methods to re-use the same public key many times.

7.2.1 Number of hash function evaluations

The number of hash function evaluations in the key generation process is twice the expected length of a message. However we don’t need to hash in order to sign a

44 message. To verify a signature we need to hash as many times as there are bits in the message.

7.2.2 Length of the public key and the signature

The length of the public key is twice the expected length of the message times the output length of the hash function. The length of the signature length is half the public key length.

7.3 The Merkle one-time signature scheme

Merkle suggested an improved version of Lamport signature scheme in his dissertation [Mer79]. He reduced the size of the secret key, public key pair close to half the size of the original Lamport scheme’s key sizes. His idea was to store just one secret and one public value for every bit of a message. When we sign a message we would reveal the

secret value ai if and only if the value is 1. The problem with this approach is that the scheme would not be EUF-CMA secure anymore. If we have a signature message pair (where the message is diﬀerent from the all 0’s message) we could easily come up with another valid message signature pair, we just need to change a message bit 1 to a 0. To avoid this kind of attack Merkle suggested to sign the number of 0s contained in the message as well. He suggested another modiﬁcation, making it possible to sign any message without knowing its length during the secret/public key pair generation. He proposed to hash the message and sign the message digest hereafter. The secret key is a list of k + 1 + blog kc random elements

sk = (a1, a2, . . . , ak, ak+1 . . . , ak+1+blog kc)

45 We apply a one-way function to the list of elements to derive the public key:

pk = (f(a1), f(a2), . . . , f(ak), f(ak+1) . . . , f(ak+1+blog kc))

We sign a k-bit message in the following way:

We sign bitwise, as in the Lamport scheme. If the i-th bit is 1 we reveal the ai value, otherwise we use the public (hash) value for the bit. Additionally we will count the number of 0s in the message and represent this number in base 2. If we have 1 in the representation we reveal the corresponding secret value otherwise we use the public (hash) value again. The sequence of these values is the signature on the message. We verify the signature in the following manner: We imitate the signing procedure. At ﬁrst we have to hash the message, just as we did earlier. We apply the one-way function to the bits of the message digest if they are 1s and compare them with the published corresponding public key value. We perform the same signing procedure for the check sum as well. If the values are the same, the signature is valid otherwise it is invalid.

7.3.1 Number of hash function evaluations

The number of hash function evaluations in the key generation is k + 1 + blog kc. To sign the message we only need 1 hashing. The number of hashings in the veriﬁcation procedure depends on the Hamming weight of the message.

7.3.2 Length of the public key and the signature

The public key and the signature both have the length k+1+blog kc times the output length of the hash function.

46 7.4 One-time signature scheme called HORS

In this section we would like to introduce the HORS signature scheme, that was designed by Reyzin and Reyzin [RR02]. The HORS signature scheme has for an advantage, its fast veriﬁcation, but it also has a disadvantage also, the huge public key size. Let us sketch the scheme: The key generation: For security parameter 1k we generate t random k-bit long strings for the secret key

sk = (s1, s2, . . . , st).

The corresponding public key will be

pk = (v1, v2, . . . , vt) = (f(s1), f(s2), . . . , f(st)), where f is a one-way function operating on k-bit strings. In the signing procedure when we sign an h-bit long message, we ﬁrst split h into l substrings h1, h2, . . . , hl each of length log2 t (h = l · log2 t). We interpret each hi

1 ≤ i ≤ l as an integer ji. The signature of the message is the list of the corresponding secret values

σ = (si1 , si2 , . . . , sil ).

0 0 0 To verify a signature σ = (s1, s2, ··· , sl) on a message m we should imitate the steps which we had in the signing procedure. We hash the message m and split it into h1, h2, . . . , hl substrings of length log2 t. We interpret the hash of the message again

0 as an integer ij for 1 ≤ j ≤ l. We accept the signature if for each j, 1 ≤ j ≤ l,

0 f(ij) = vij , otherwise reject it.

47 7.4.1 Number of hash function evaluations

The number of hash function evaluations in the key generation is 2h/l where h the length of the message and l is the number of substrings. The signing and the veriﬁ- cation procedure both need l + 1 hashings.

7.4.2 Length of the public key and the signature

The length of the public key is 2h/l times the output length of the hash function. The signature’s length is l times the output length of the hash function.

7.5 The Merkle-Winternitz one-time signature scheme

The Merkle-Winternitz one-time signature scheme [Mer88, Mer90] is the most mentioned, discussed and “used” one-time signature scheme. We could consider this scheme as a generalization of the Merkle one-time signature [Mer88, Mer90] in the sense that here we have a flexible but constant block-length scheme (every block in the message has the same length) which allows a trade-off between space and time. The length of the blocks in the Merkle one-time signature scheme was always 1 which implied that the secret key and the signature size will be as long as a preprocessed (h = Hash(m)) message. By using flexible but constant length we can decrease both the secret key and the signature size. We can (linearly) decrease the size of the secret key and signature but the number of hashings in the key generation increases exponentially. There is another improvement provided by the scheme, the size of the public key is reduced to the length of one hash value. Subsequently we denote by H : {0, 1}∗ −→ {0, 1}s a cryptographic hash function, which will be modeled as a random oracle. We write Hi for i-fold functional compo-

48 sition of H: Hi(x) := H(H(...H (x) ... )), | {z } i applications of H where H0(x) := x. Figure 7.1 summarizes the key generation, signature generation and signature veriﬁcation of the Merkle-Winternitz construction, where

& ' l s m log s + 1 + w t := + 2 w w w and ←R denotes the selection of an element uniform at random.

Figure 7.1: Merkle-Winternitz one-time signature

Key generation: Signature verification: Input: block width w Input: message M, verification key pk, Output: verification key pk, signature σ = (σ1, . . . , σt) signing key sk Output: true, if σ is a valid signature for M, false else R s (x1, . . . , xt) ← {0, 1} w t 2 −1 t find (bi)i=1 as during signing (y1, . . . , yt) ← (H (xi))i=1 w (γ , . . . , γ ) ← (H2 −1−bi (σ ))t sk ← (x1, . . . , xt) 1 t i i=1 if H(γ k · · · k γ ) = pk pk ← H(y1 k · · · k yt) 1 t then return true return (pk, sk) else return false

Signature generation: Input: message M, signing key sk = (x1, . . . , xt) Output: a signature σ for M under sk

m ← H(M) pad m with zeros from the left, so that its length is a multiple of w split the (padded) bitstring m into w-bit blocks b1, . . . bds/we treat each bi as binary representation of a w-bit integer and compute Pds/we w c ← binary representation of i=1 (2 − bi) pad c with zeros from the left, so that its length is a multiple of w split the (padded) bitstring c into w-bit blocks bds/we+1, . . . , bt b bt σ ← (H 1 (x1),...,H (xt)) return σ

49 The public key size of only s bits (one hash value) is quite attractive, and it can be derived by means of t · (2w − 1) + 1

applications of H in the key generation. If in a (message-independent) oﬀ-line phase

i w we store the possible H (xj)-values (1 ≤ i ≤ 2 − 1, 1 ≤ j ≤ t) in a look-up table, the (on-line) computation of a signature requires only a single application of H. The exact number of applications of H when verifying a (message, signature)-pair (M, σ) depends on the Hamming weight of H(M). For an attack aiming at a denial of service this could be of interest, and in the scheme proposed in the next section the number of applications of H in the verification does not depend on the particular (message, signature)-pair. Taking H(M) to be uniformly at random distributed, the expected number of applications of H in the verification phase of the Merkle-Winternitz scheme computes to 2w − 1 t · + 2 . (7.1) 2 7.6 Our scheme with faster verification

The Merkle-Winternitz scheme makes no assumption about the hash value H(M). The construction discussed below assumes the hash value to have a particular structure, however. Similarly, as in the BiBa scheme [Per01], we will use a counter r to ensure this: Starting with r = 0, we increase r until H(M k r) (the hash of M con- catenated with r ) has the desired structure. While this repeated hashing increases the cost of signing a message, it has no significant influence on the verification part (as in BiBa), the correct value r will be part of the signature.

Remark 7.6.1. For a hash function like SHA-1 which uses the Merkle-Damg˚ard construction it is not necessary to process the complete (and potentially long) string

50 M k r for each new counter value r “from scratch”: Storing the internal state of the hash function after completing the “M-part”, it is enough to apply the compression function with the “r-part”.

Speciﬁcally, for system parameters Rmin, Rmax and `, in the signature generation we can only handle hash values m = H(M k r) satisfying the following: the hash value m consists of at least Rmin and at most Rmax non-overlapping runs of consecutive 0s and 1s, and each of these runs is of length ≤ `. We take H for a random oracle with an output length of s bits, and unless speciﬁed otherwise, subsequently we use

` := blog2(s) − 1c, which corresponds to the longest expected run.

7.6.1 Key generation

In terms of the mentioned parameters, the key generation of the proposed one-time signature scheme can be summarized as in Figure 7.2. It is similar to the construction of Merkle and Winternitz, the main diﬀerence being that in the new scheme there is only one “checksum block” and the number of applications of H is chosen diﬀer- ently. Figure 7.3 illustrates the basic steps of the signature computation. The main parameters of the proposed scheme can be summarized as follows:

Secret key size: (Rmax + 1) · s bits

Public key size: s bits

Applications of H: ` · Rmax − Rmin + 1

7.6.2 Signature generation

As mentioned already, we have to assume that the hash value m of the message we sign consists of at least Rmin and at most Rmax non-overlapping runs of consecutive 0s or

51 Key generation: Signature verification: Input: parameters Rmin, Rmax, ` Input: message M, verification Output: verification key pk, key pk, signature (σ, r) with

signing key sk σ = (σ1, . . . , σRmax+1) Output: true, if (σ, r) is a valid sig- R s nature for M, false else (x1, . . . , xRmax+1) ← {0, 1} Rmax `−1 Rmax (yi)i=1 ← (H (xi))i=1 Rmax−Rmin m ← H(M k r) yRmax+1 ← H (xRmax+1) Rmax ﬁnd (bi) as during signing sk ← (x1, . . . , xRmax+1) i=1 µ ← NumberOfRuns(m) − Rmin pk ← H(y1 k · · · k yRmax+1) if µ < 0 or return (pk, sk) b1 + ··· + bNumberOfRuns(m) 6= s then return false µ else γRmax+1 ← H (σRmax+1) bi−1 Rmax (γ1, . . . , γRmax ) ← (H (σi))i=1

if H(γ1 k · · · k γRmax+1) = pk then return true else return false

Signature generation:

Input: message M, signing key sk = (x1, . . . , xRmax+1) Output: a signature (σ, r) for M under sk

r ← 0 repeat r ← r + 1; m ← H(M k r) until Rmin ≤ NumberOfRuns(m) ≤ Rmax and MaxRunLength(m) ≤ `

th let bi be the length of the i run in m (1 ≤ i ≤ NumberOfRuns(m))

(bNumberOfRuns(m)+1, . . . , bRmax ) ← (1,..., 1) `−b1 `−bRmax (σ1, . . . , σRmax ) ← (H (x1),...,H (xRmax )) Rmax−NumberOfRuns(m) σRmax+1 ← H (xRmax+1)

σ ← (σ1, . . . , σRmax+1) return (σ, r)

Figure 7.2: our new one-time signature scheme consecutive 1s and that each run is of length ≤ `. Therefore the signature generation shown in Figure 7.2 ﬁrst determines a value r with m = H(M k r) having the desired properties. At this, the functions NumberOfRuns(·) and MaxRunLength(·) are deﬁned in the obvious way:

52 Deﬁnition 7.7. Let m ∈ {0, 1}∗, and write m as the concatenation of non-overlapping runs of consecutive 0s or 1s, i. e., m = B1 k · · · k Bv such that

∗ ∗ • Bi ∈ {0} ∪ {1} , and

• Bi and Bi+1 have no substring in common (1 ≤ i ≤ v − 1).

Denoting by |Bi| the length of the run Bi, we have NumberOfRuns(m) := v and

MaxRunLength(m) := max{|B1|,..., |Bv|}.

Example 5. Suppose Rmin = 2, Rmax = 4, ` = 3 and m =00011100. Then

m consists of the NumberOfRuns(m) = 3 runs ‘000’, ‘111’, ‘00’. We obtain

MaxRunLength(m) = 3, b1 = 3, b2 = 3, b3 = 2.

Once an acceptable m has been found, essentially a run-length encoding is com-

puted: We deﬁne values b1, . . . , bRmax such that bi ∈ {1, . . . , `} is the length of the

th i run of 0s or 1s in m. If m has less than Rmax runs, the “superﬂuous” bi-values

bNumberOfRuns(m)+1, . . . , bRmax are set to 1. The value NumberOfRuns(m) is encoded in a “checksum block”.

Remark 7.7.1. It is worth noting that the condition imposed on the runs occurring

in m can be checked by a single pass through the bit representation of m. In this pass,

all the bi-values can be determined.

In combination with NumberOfRuns(m), the values b1, . . . , bRmax describe m uniquely up to complementing all bits in m: As we store run lengths only, the bit-wise com-

plement of m results in the same bi-values and an identical number of runs. From a √ practical perspective, the (factor 2) loss in security resulting from this ambiguity seems to be outweighed by the gain in performance.

53 Message Signature

0 σ1 ` 3 σ 0 b1 =3,σ1 = H − (x1) .2 0 . 1 b =2,σ = H` 2(x ) . 1 2 2 − 2 . M H(M r)= . . . . k . . . . 0 σk

1 σk+1 b =3,σ = H` 3(x ) 1 k k − k σk+2 . 1 . . ` 1 . . bk+1 =1,σk+1 = H − (xk+1). . σRmax .

` 1 σRmax+1 bRmax =1,σRmax = H − (xRmax ) ∆ r σRmax+1 = H (xRmax+1)

Figure 7.3: computing a signature, where k := NumberOfRuns(H(M k r)) indicates the last run actually used by the message digest

In a message-independent oﬀ-line phase we can precompute a look-up table with

i all Rmax · ` − Rmin possible H (xj) values. In this case, no further applications of H are needed after a suitable value for m has been found. Without such a look-up table, we obtain the following number of

(Oﬄine) applications of H: Rmax · ` − Rmin

To derive the expected number of hashes in the precomputation, we model H as a random oracle. Then the probability P (NiceHash) of an s-bit hash value to consist

54 of at least Rmin and at most Rmax runs of length ` is

Rmax X nd P (NiceHash) = 2 · , 2s d=Rmin

where nd denotes the number of partitions of an s-bit string into exactly d runs, each

s of which has a length ≤ `. Each nd is given as the coeﬃcient of X in the polynomial d P` i i=1 X ∈ Z[X]. For parameters of interest, nd can thus be computed easily by expanding this product in a computer algebra system like Magma [BCP97], for instance. We obtain

1 Expected number of (online) applications of H: P (NiceHash)

7.7.1 Signature veriﬁcation

As the veriﬁer learns the correct value r from the signature to be checked, there is no precomputation needed, and we count the following number of

Applications of H: s + 2 − Rmin

This number is independent of the (message, signature)-pair considered. Typically

Rmin is close to s/2, so we expect ≈ s/2 applications of H for a signature veriﬁca- tion. Approximating in (7.1) the value t by s/w, for the veriﬁcation in the Merkle-

(2w−1)s Winternitz scheme we obtain ≈ 2w expected applications of H. So for w = 2, we expect to save about 33% of the applications of H. Before looking at the performance of the suggested scheme more closely, in the next section we discuss the correctness and the security under a chosen-message attack.

55 7.7.2 Correctness and security

Before proving security of the scheme we will prove some necessary lemmas to derive some upper bounds.

Lemma 7.7.1. The probability of ﬁnding an “ordinary” collision with qH number of

2 s+1 tries is bounded by qH /2 .

Proof We know (Birthday attack) the probability to have no collision is

q −1 YH 2s − i 2s i=1

If qH is odd than we can represent the product the following way:

qH −1 qH −1 qH −1 s 2 2 Y 2 − i Y i qH − i Y i qH − i = (1 − )(1 − ) ≥ 1 − − 2s 2s 2s 2s 2s i=1 i=1 i=1

i We used the fact 0 < 1 − 2s ≤ 1 for i ≥ 0.

qH −1 2 Y qH qH (qH − 1) = (1 − ) ≥ 1 − 2s 2s+1 i=1 We used the Bernoulli inequality. The probability to ﬁnd a collision is bounded by

qH −1 s 2 Y 2 − i (qH − 1)qH q 1 − ≤ < H 2s 2s+1 2s+1 i=1

If qH is even instead of qH −1 2 Y i qH − i (1 − )(1 − ) 2s 2s i=1

56 we can use

qH 2 Y i qH + 1 − i (1 − )(1 − ) because of 2s 2s i=1 .

qH qH −1 s qH −1 s s qH s 2 Y 2 − i Y 2 − i 2 − qH Y 2 − i Y i qH + 1 − i ≥ · = = (1 − )(1 − ) 2s 2s 2s 2s 2s 2s i=1 i=1 i=1 i=1

2 qH Now we can perform the previous proof to get the previous upper bound 2s+1 again.

Lemma 7.7.2. We will prove

−s qH −s 1 − (1 − 2 ) ≤ qH 2 (∗)

is true for all qH ∈ N.

−s qH −s The inequality is satisﬁed if and only if (1 − 2 ) ≥ 1 − qH 2 which we will prove by induction.

−s 1 −s For qH = 1 we have (1 − 2 ) ≥ 1 − 2

Suppose (∗) holds for qH = k. We will prove this implies that (∗) will hold for k + 1.

(1 − 2−s)k+1 = (1 − 2−s)(1 − 2−s)k ≥

(1 − 2−s)(1 − 2−sk) = 1 − (k + 1)2−s + 2−2sk ≥

1 − (k + 1)2−s

Theorem 7.7.1. The proposed one-time signature is existentially unforgeable under chosen-message attack.

Proof: It is straightforward to check that any signature computed by the signature generation passes the verification successfully: For i = 1,...,Rmax, signer and verifier together apply H exactly `−1 times to xi, which allows the verifier to recover

the values y1, . . . , yRmax from the key generation. Similarly, the correct value yRmax+1 is recovered, as together signer and veriﬁer perform Rmax − Rmin applications of H to

xRmax+1.

To verify existential unforgeability under chosen-message attack, we resort to a random oracle model with a random oracle H : {0, 1}∗ −→ {0, 1}s. By existential unforgeability under chosen-message attack we mean that there is no probabilistic polynomial time algorithm A satisfying the following: A obtains an honestly generated public key pk as input, can then query a signature for an arbitrary message M, and produces with non-negligible probability a valid (message, signature)-pair with a message M˜ 6= M. This security requirement can be taken for an adaptation of the usual security requirement for “multi-time” signatures [GMR88]. Assume we have found an adversary A that violates the above security requirement: Without loss of generality, we may assume that before the output of a forgery, A at some point queries the signing oracle with a message M to obtain a signature (σ, r). Let M˜ 6= M be the message for which A has managed to forge a signature

(˜σ, r˜). We write σi respectivelyσ ˜i (1 ≤ i ≤ Rmax + 1) for the components of σ respectivelyσ ˜. We also assume that A veriﬁes the signatures (σ, r) and (˜σ, r˜), and we write qH for the total number of random oracle queries submitted by A (including

58 queries used for verifying a signature). Let

ρ := (b1, . . . , bRmax , NumberOfRuns(m)) and ˜ ˜ ρ˜ := (b1,..., bRmax , NumberOfRuns(m ˜ )) be the values derived from m := H(M k r) andm ˜ := H(M˜ k r˜) in the signature veriﬁcation. The values ρ andρ ˜ determine these hash values up to a simultaneous negation of all bits, and we denote by CollisionOrComplement the event that A ﬁnds messages M 6= M˜ with ρ =ρ ˜. To bound the probability of CollisionOrComplement,

2 s+1 we double the upper bound qH /2 for ﬁnding an “ordinary” collision (lemma 7.7.1):

q2 P (CollisionOrComplement) ≤ H 2s

Suppose now ρ 6=ρ ˜, and let δ := NumberOfRuns(m ˜ ) − NumberOfRuns(m) be the diﬀerence in the number of runs betweenm ˜ and m. We consider two cases:

• Suppose that δ is positive. If

NumberOfRuns(m ˜ )−Rmin NumberOfRuns(m)−Rmin H (˜σRmax+1) 6= H (σRmax+1),

then A has come up with a 2nd preimage of the public veriﬁcation key pk

st under H—the 1 preimage being (γ1 k · · · k γRmax+1) as derived from σ in the veriﬁcation procedure. The probability of ﬁnding such a second preimage of the s-bit value pk is bounded by

−s qH −s 1 − (1 − 2 ) ≤ qH · 2 (lemma ??) (7.2)

59 So we may assume there is a value 0 ≤ i ≤ NumberOfRuns(m) − Rmin with

i δ i H (H (˜σRmax+1)) = H (σRmax+1), and one of the following two conditions must hold:

δ – H (˜σRmax+1) 6= σRmax+1 (and therefore i > 0): This means that A has

nd i+δ−1 i−1 found the 2 preimage H (˜σRmax+1) of H(H (σRmax+1)) under H. Again, as in Equation (7.2) we see that the probability of ﬁnding such a

−s qH −s second preimage can be bounded by 1 − (1 − 2 ) ≤ qH · 2 .

δ – H (˜σRmax+1) = σRmax+1: In this case, A has found a preimage of σRmax+1,

δ−1 namely H (˜σRmax+1), under H. As in Equation (7.2), this probability

−s qH −s can be bounded by 1 − (1 − 2 ) ≤ qH · 2 —for a random oracle H the probability of ﬁnding a preimage can be bounded in the same way as the probability of ﬁnding a second preimage.

• Suppose δ ≤ 0, i. e., we have NumberOfRuns(m ˜ ) ≤ NumberOfRuns(m). As ˜ ˜ ρ 6=ρ ˜ and at the same time b1 + ··· + bNumberOfRuns(m ˜ ) = s, there exists an index ˜ 0 0 i0 ∈ {1,...,Rmax} with bi0 = bi0 + δ and δ > 0. Now we can argue analogously as in the previous case:

˜ bi0 −1 bi0 −1 nd If H (˜σi0 ) 6= H (σi0 ), then A has constructed a 2 preimage of the public veriﬁcation key pk under H. As in Equation (7.2), we can bound the

−s probability of such an event by qH · 2 , and we may assume there is a minimal

number 0 ≤ i ≤ bi0 − 1 with

i δ0 i H (H (˜σi0 )) = H (σi0 ).

δ0 – In case of H (˜σi0 ) 6= σi0 (and therefore i > 0), this means that A has

nd i+δ0−1 i−1 found the 2 preimage H (˜σi0 ) of H(H (σi0 )) under H.

60 δ0 – In case of H (˜σi0 ) = σi0 , the adversary A has found a preimage of σi0 ,

δ0−1 namely H (˜σi0 ), under H.

With the same reasoning as above, we can bound the probability of each of

−s these events by qH · 2 .

Summarizing the above discussion, we see that for a successful forgery, one of the following events must occur: CollisionOrComplement, the adversary A ﬁnds a second preimage of pk, or the adversary A ﬁnds a preimage or second preimage of an output of H obtained during signing M. Consequently, the probability for a successful forgery is bounded by q2 q H + (R · ` − R + 1) · H , 2s max min 2s

which for a polynomial number of queries qH is negligible (in s). It is worth noting that the collision resistance of H is only used when arguing that the message digests, H(M k r) and H(M˜ k r˜), diﬀer and this accounts for the quadratic

2 term qH in the above bound. All the other arguments refer to the construction of preimages or 2nd preimages under H. Consequently, other than for the derivation of the message digest, one could consider the substitution of H by a hash function h with output length smaller than that of H. Accordingly, the secret xi-values would be chosen to be equal to the smaller output length of h.

7.8 Performance for parameters of interest

The construction of Merkle and Winternitz is one of the most popular one-time signatures. In [DSS05], Dods et al. compare this proposal with a construction of Bleichenbacher and Maurer [BM96], taking into account experimental results, and they recommend to use the Merkle-Winternitz construction with w = 2 “since it is very fast, easy to implement and provides short signatures”. The implementation

61 complexity of the scheme proposed in the previous section seems comparable to the Merkle-Winternitz construction, and Table 7.1 compares the new proposal with the Merkle-Winternitz construction for w = 2 and w = 3. We also included Lamport’s scheme [Lam79] and the HORS scheme from [RR02]. The latter offers very attractive signature size, signing and verification cost, but suffers from a large public key size and key generation cost.

signature veriﬁcation key gener- public key signing cost size cost ation cost size Lamport 160s1 1 161 320 320s Merkle- 129.5 85s 1 256 s Winternitz (expected) (w = 2) Merkle- 201.5 57s 1 400 s Winternitz (expected) (w = 3) HORS 16s1 1 17 1024 1024s new scheme 8.8 (R = 76, 84.4s 86 423 s min (expected) Rmax = 83) new scheme 16.4 (R = 70, 80.4s 92 405 s min (expected) Rmax = 79)

1 more precisely, here we had to multiply with the length of a secret key component xi, instead of s

Table 7.1: performance of diﬀerent one-time signature schemes with s = 160; “cost” speciﬁes the (expected) number of applications of H and “size” is given in bit; in the new scheme we reserve (conservatively) 0.4s = 64 bit in the signature for the counter r

The table builds on a hash output length of s = 160 bit and considers a scenario where arbitrary length messages are signed by hashing them ﬁrst to a 160 bit value. This hashing of the message is counted as 1 application of H. A possible optimization using a second hash function h 6= H with shorter output length as indicated in the

62 previous section is not taken into account. For the signing we assume a look-up table to be available. This look-up table can be obtained by simply storing intermediate results when computing the hash chains in the key generation. For HORS we use parameters put forward in [RR02]. The table illustrates the main characteristics of the new scheme:

• As in the Merkle-Winternitz scheme, the public key is a single hash value.

• For a comparable signature size as the Merkle-Winternitz construction with w = 2, signing and key generation cost increase. The key generation cost is still much lower than for HORS, however.

• Unlike for the Merkle-Winternitz construction and for HORS, signature sizes with 80s bit are not practical (the event NiceHash becomes too unlikely).

• The veriﬁcation cost in the new scheme is message-independent and about 2/3 of the expected cost in the Merkle-Winternitz construction with w = 2.

Remark 7.8.1. The overall picture does not change much when using a hash function with s = 256, and Table 7.2 gives a comparison of the Merkle-Winternitz construction with the proposed scheme for such a setting. The table also lists a parameter choice for the new scheme with ` = 6 (instead of blog2(256) − 1c = 7): For the price of an increased signing cost, this choice of ` enables a signiﬁcant reduction in the cost for key generation.

63 signature signing veriﬁcation key gener- public key size cost cost ation cost size Merkle- 201.5 133s 1 400 s Winternitz (expected) (w = 2) Merkle- 317 90s 1 631 s Winternitz (expected) (w = 3) new scheme 7.1 (R = 123, 132.4s 135 795 s min (expected) Rmax = 131) new scheme (` = 6, 24.1 132.4s 136 665 s Rmin = 122, (expected) Rmax = 131)

Table 7.2: comparison of the proposed scheme and the Merkle-Winternitz construction with s = 256; “cost” speciﬁes the (expected) number of applications of H and “size” is given in bit; in the new scheme we reserve (conservatively) 0.4s = 64 bit in the signature for the counter r

7.9 Summary of our one-time signature scheme

The one-time signature scheme presented has some similarity with the Merkle-Winternitz scheme, but builds on a run-length encoding instead of blocks of fixed size. For parameters of interest, this enables a faster and message-independent signature verification cost without giving up the short public key size of a single hash value. The main price is an increased key generation and signing cost. Summarizing, the new scheme appears to be a viable alternative to the Merkle-Winternitz construction, if short public key size and fast verification have priority. In absolute terms, the increased signing cost and more expensive key generation look still acceptable.

64 7.10 Combining one-time signatures

We already introduced several one-time signatures. We can sign with the secret/public key pairs only once, if we need to sign repeatedly we would need to publish a new public key every time when we sign a new message, which would be ‘a bit’ of an inconvenience. We would need one public key which would be able to verify several signatures where the signature were generated by diﬀerent secret keys. We will explain two ways how we could solve this problem, one of them is the hash chain the other is the Merkle hash tree.

7.10.1 Hash chain

Lamport [Lam81] suggested the use of the hash chain to use one-time signatures many times but do the veriﬁcation with the same public key. A hash chain of length N is constructed by using the initial secret (random) value and we hash it recursively. hN (s) = h(h(...h(s))) | {z } Ntimes

The hN (s) will be our public key, call it pk. The secret keys are all the other component in the hash chain. To verify h(s)i we need to hash N − i times and check the derived value (h(s)i)N−i which is equal to the public key, pk. Our ﬁrst secret key would be hN−1(s) the last secret key would be s, the last element of the hash chain. If we ﬁnished the chain we need to establish a new hash chain to sign more messages. There was some research done on how could we join the old and the new chains to relate the old and new public keys could to each other[Goy04].

65 7.10.2 Merkle hash tree

Another idea for reusing the same public key many times came from Merkle [Mer79]. He presented an eﬃcient method to sign 2h messages by using a one-time signature scheme 2h times and we need to publish only one public key.

Secret key, public key generation

h At ﬁrst we generate the 2 secret key/public key pairs (ski/pki) i ∈ {1 . . . h} using an arbitrary one-time signature scheme but instead of publishing the 2h public keys we will build a binary tree (with depth h) from these public keys and publish the value at the root of the tree like a common public key (PK). We call the hash of the 2h public keys leaves. These are the values at the bottom level of the tree. We call all the other values nodes, “root node” refers to the common public key. The way we are building the tree is to hash together 2 neighbor (sibling) leaves on the ﬁrst level to derive the parents of these leaves. We continue this procedure to derive the parents of the parents and continue it until we get only one hash value which will be the public key that belongs to every single secret key.

Signing procedure

We sign the i-th message, mi with the (ski, pki) key pair the same way as we did in the single one-time signature scheme case but additionally we have to reveal the authentication path in our binary tree. The elements of the authentication path are the sibling of the leaf which was used in the signing procedure, their parent’s sibling, the sibling of their parents’ parents and so on, until we will reach the children of the root node. The length of the authentication path is equal to the depth of the tree

h what is log2 2 = h. Let us summarize it, the signature has the following form:

sk Figure 7.4: the Merkle hash tree

(index(i), pki, σi(one-time signature computed by the (ski, pki))) (1)

(sibling(H(pki)), sibling(parent(H(pki))), . . . , children(PK)) (2)

Veriﬁcation procedure

The verification has two steps. At first we have to verify the values in line (1) like we usually do in the single one-time signatures case. If it does not pass the verification procedure we stop with an invalid signature message. Otherwise we need to verify, line (2), the given authentication path, by going from the leaf up to the root (in the hash tree) by hashing together (same level) values in the authentication path. If the derived value is equal with the public key we say the signature is valid. Otherwise we say the signature is invalid.

67 7.10.3 Improved Merkle signature scheme

Buchmann et al. improved the above mentioned scheme in [BGD+06] and [BDK+07]. The problem was that the original Merkle scheme limited the number of the messages which could be signed by using the same public key. If we would make a tree with depth 25 the original scheme would become impractical because of the large size of secret keys and the long key generation cost. The reason it deserves more attention is the fact that it is a very promising candidate to be post-quantum computer secure because the security of the scheme solely relies on the existence of cryptographic hash functions. Buchmann et al. reduced the private key size, key generation time, and signature generation time. Their implementation shows the modified Merkle signature scheme is practical and the verification time is faster than for commonly used signature schemes (RSA’s, ECDSA’s verification time). With these main ideas in the improved version, they allow to sign “cryptographically unlimited” (280) number of messages with only one key pair.

68 Chapter 8

Summary

In the beginning we gave a short (historical) introduction to signature schemes and a deﬁnition of the signature scheme in both single- and multi-user settings. We described the desired security properties of them. We collected and introduced the assumptions, which we used in our computationally secure security proofs in this thesis.

Later on, we discussed subliminal channels in the signing and in the key generation phases of a signature scheme. We gave a deﬁnition of a subliminal-free signature scheme and we gave a protocol to generate a subliminal-free RSA public key. Along the construction we had a brief introduction to zero-knowledge proofs and then we proved the generated EUF-CMA secure public key of RSA-PSS is subliminal-free.

Finally, we presented a one-time signature scheme whose public key and signature size are comparable with those of the Merkle-Winternitz signature scheme, but our scheme has a 33% faster veriﬁcation. In the construction of our EUF-CMA secure signature scheme, we used the run-length encoding. The security of our scheme is based on the security of the hash functions used. One question still remains open: Is

69 it possible to generalize the signature scheme with run-length encoding and decrease the size of the signature?

70 Bibliography

[BBM00] Mihir Bellare, Alexandra Boldyreva, and Silvio Micali. Public-key encryption in a multi-user setting: Security proofs and improvements. In EUROCRYPT, pages 259–274, 2000.

[BCP97] Wieb Bosma, John J. Cannon, and Catherine Playoust. The Magma Algebra System I: The User Language. Journal of Symbolic Computation, 24:235–265, 1997.

[BD93] Jørgen Brant and Ivan D˚amgard. On generation of provable primes by incremental search. In Advances in Cryptology – CRYPTO ’92, volume 740 of Lecture Notes in Computer Science, pages 358–370. Springer Berlin / Heidelberg, 1993.

[BDK+07] Johannes Buchmann, Erik Dahmen, Elena Klintsevich, Katsuyuki Okeya, and Camille Vuillaume. Merkle signatures with virtually unlimited signature capacity. In ACNS, pages 31–45, 2007.

[BGD+06] Johannes Buchmann, Luis Carlos Coronado Garc´ıa,Erik Dahmen, Martin D¨oring, and Elena Klintsevich. Cmss - an improved merkle signature scheme. In INDOCRYPT, pages 349–363, 2006.

[BM96] Daniel Bleichenbacher and Ueli M. Maurer. On the Eﬃciency of One-Time

71 Digital Signature Schemes. In Advances in Cryptology – ASIACRYPT ’96, volume 1163 of Lecture Notes in Computer Science, pages 145–158. Springer, 1996.

[BR93] Mihir Bellare and Phillip Rogaway. Random oracles are practical: A paradigm for designing eﬃcient protocols. In ACM Conference on Com- puter and Communications Security, pages 62–73, 1993.

[BRS06] Jens-Matthias Bohli, Stefan R¨ohrich, and Rainer Steinwandt. Key substitution attacks revisited: Taking into account malicious signers. Int. J. Inf. Sec., 5(1):30–36, 2006.

[BS05] Jens-Matthias Bohli and Rainer Steinwandt. On Subliminal Channels in Deterministic Signature Schemes. In Choonsik Park and Seongtaek Chee, editors, Information Security and Cryptology - ICISC 2004, volume 3506 of Lecture Notes in Computer Science, pages 182–194. Springer, 2005.

[CD98] Ronald Cramer and Ivan Damg˚ard. Zero-Knowledge Proofs for Finite Field Arithmetic; or: Can Zero-Knowledge be for Free? In Advances in Cryptology – CRYPTO ’98, volume 1642 of Lecture Notes in Computer Science, pages 424–441. Springer-Verlag, 1998.

[CM99] Jan Camenisch and Markus Michels. Proving in Zero-Knowledge that a Number Is the Product of Two Safe Primes. In Advances in Cryptology – EUROCRYPT ’99, volume 1592 of Lecture Notes in Computer Science, pages 107–122. Springer-Verlag, 1999.

[Cor02] Jean-S´ebastien Coron. Optimal security proofs for pss and other signature schemes. In EUROCRYPT, pages 272–287, 2002.

72 [Des88] Yvo Desmedt. Subliminal-Free Authentication and Signature (Extended Abstract). In Advances in Cryptology - EUROCRYPT ’88, volume 330/1988 of Lecture Notes in Computer Science, page 23. Springer, 1988.

[DH76] Whitﬁeld Diﬃe and Martin E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, IT-22(6):644–654, 1976.

[DSS05] Chris Dods, Nigel P. Smart, and Martijn Stam. Hash Based Digital Signa- ture Schemes. In Cryptography and Coding 2005, volume 3796 of Lecture Notes in Computer Science, pages 96–115. Springer, 2005.

[FS86] Amos Fiat and Adi Shamir. How to prove yourself: Practical solutions to identiﬁcation and signature problems. In CRYPTO, pages 186–194, 1986.

[GMR88] Shaﬁ Goldwasser, Silvio Micali, and Ronald L. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput., 17(2):281–308, 1988.

[Goy04] Vipul Goyal. How to re-initialize a hash chain. http://eprint.iacr. org/2004/097, 2004.

[JG02] Ari Juels and Jorge Guajardo. Key Generation with Veriﬁable Random- ness. In 5th International Workshop on Practice and Theory in Public Key Cryptosystems, PKC 2002, volume 2274 of Lecture Notes in Com- puter Science, pages 357–374. Springer Berlin / Heidelberg, 2002.

[Lab02] RSA Laboratories. PKCS #1 v.2.1: RSA Cryptography Standard. ftp:// ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1.pdf, June 2002.

[Lam79] Leslie Lamport. Constructing digital signatures from a one way function. Technical Report CSL-98, SRI International, October 1979.

73 [Lam81] Leslie Lamport. Passport authentication with secure communication. Commun. ACM, 24(11):770–772, 1981.

[Leh82] Daniel J. Lehmann. On primality tests. SIAM journal on computing, 11(2):374–375, May 82.

[Mer79] Ralph Charles Merkle. Secrecy, Authentication and Public Key Systems. Dissertation, Department of Electric Engineering, Stanford University,

1979. Available at http://www.merkle.com/papers/Thesis1979.pdf.

[Mer88] Ralph C. Merkle. A Digital Signature Based on a Conventional Encryp- tion Function. In Advances in Cryptology – CRYPTO ’87, volume 293 of Lecture Notes in Computer Science, pages 369–378. Springer, 1988.

[Mer90] Ralph C. Merkle. A certiﬁed digital signature. In Advances in Cryptology – CRYPTO ’89, volume 435 of Lecture Notes in Computer Science, pages 218–238. Springer, 1990.

[MS04] Alfred Menezes and Nigel P. Smart. Security of signature schemes in a multi-user setting. Des. Codes Cryptography, 33(3):261–274, 2004.

[Ped91] Torben Bach Pedersen. Non-interactive and information-theoretic secure veriﬁable secret sharing. In Advances in Cryptology – CRYPTO ’91, volume 576 of Lecture Notes in Computer Science, pages 129–140. Springer- Verlag, 1991.

[Per01] Adrian Perrig. The BiBa One-Time Signature and Broadcast Authenti- cation Protocol. In Proceedings of the 8th ACM Conference on Computer and Communications Security, pages 28–37. ACM, 2001.

[RK05] Ronald L. Rivest and Burton S. Kaliski. RSA problem, 2005.

74 [RR02] Leonid Reyzin and Natan Reyzin. Better than BiBa: Short One-Time Signatures with Fast Signing and Verifying. In Information Security and Privacy: 7th Australasian Conference, ACISP 2002, volume 2384 of Lec- ture Notes in Computer Science, pages 144–153. Springer, 2002.

[RS04] Phillip Rogaway and Thomas Shrimpton. Cryptographic hash-function basics: Deﬁnitions, implications, and separations for preimage resistance, second-preimage resistance, and collision resistance. In FSE, pages 371– 388, 2004.

[RSA78] Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM, 21(2):120–126, 1978.

[Sho97] Peter Shor. Polynomial time algorithms for prime factorization and discrete logarithms on quantum computer. SIAM Journal on Computing, 26(5):1484–1509, 1997.

[Sim84] Gustavus J. Simmons. The Prisoners’ Problem and the Subliminal Chan- nel. In Advances in Cryptology – CRYPTO ’83, pages 51–67. Plenum Press, New York and London, 1984.

[SP05] Stefaan Seys and Bart Preneel. Power Consumption Evaluation of Eﬃcient Digital Signature Schemes for Low Power Devices. In Proceedings of the 2005 IEEE International Conference on Wireless and Mobile Computing, Networking and Communications (IEEE WiMob 2005), volume 1, pages 79–86. IEEE, 2005.

[Sti06] Douglas R. Stinson. Cryptography. Theory and Practice. Discrete Mathe- matics and Its Applications. Chapman & Hall/CRC, third edition, 2006.