Draft of a Chapter on Signature Schemes

Home , Pseudorandom generator

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

Draft of a chapter

on Signature Schemes

revised p osted version Nr

Extracts from a working draft for

Volume of Foundations of Cryptography

Oded Goldreich

Department of Computer Science and Applied Mathematics

Weizmann Institute of Science Rehovot Israel

June

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

to Dana

Permission to make copies of part or all of this work for p ersonal or classro om use

is granted without fee provided that copies are not made or distributed for prot or

commercial advantage and that new copies b ear this notice and the full citation on the

rst page Abstracting with credit is p ermitted

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice. II

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

Preface

The current manuscript is a preliminary draft of the chapter on

signature schemes Chapter of the second volume of the work

Foundations of Cryptography This manuscript subsumes a previous

versions p osted in May and Feb

The bigger picture The current manuscript is part of a working draft of

Part of the threepart work Foundations of Cryptography see Figure The

three parts of this work are Basic Tools Basic Applications and Beyond the Ba

sics The rst part containing Chapters has b een published by Cambridge

University Press in June The second part consists of Chapters re

garding Encryptioni Schemes Signatures Schemes and General Cryptographic

Proto cols resp ectively We hop e to publish the second part with Cambridge

University Press within a couple of years

Part Introduction and Basic Tools

Chapter Introduction

Chapter Computational Diculty OneWay Functions

Chapter Pseudorandom Generators

Chapter ZeroKnowledge Pro ofs

Part Basic Applications

Chapter Encryption Schemes

Chapter Signature Schemes

Chapter General Cryptographic Proto cols

Part Beyond the Basics

Figure Organization of this work III

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

The partition of the work into three parts is a logical one Furthermore it

oers the advantage of publishing the rst part without waiting for the comple

tion of the other parts Similarly we hop e to complete the second part within a

couple of years and publish it without waiting for the third part

Prerequisites The most relevant background for this text is provided by

basic knowledge of algorithms including randomized ones computability and

elementary probability theory Background on computational number theory

which is required for sp ecic implementations of certain constructs is not really

required here

Using this text The text is intended as part of a work that is aimed to serve

b oth as a textb o ok and a reference text That is it is aimed at serving b oth the

b eginner and the exp ert In order to achieve this aim the presentation of the

basic material is very detailed so to allow a typical CSundergraduate to follow

it An advanced student and certainly an exp ert will nd the pace in these

parts way to o slow However an attempt was made to allow the latter reader

to easily skip details obvious to himher In particular pro ofs are typically

presented in a mo dular way We start with a highlevel sketch of the main ideas

and only later pass to the technical details Passage from highlevel descriptions

to lower level details is typically marked by phrases such as details fol low

In a few places we provide straightforward but tedious details in in

dented paragraphs as this one In some other even fewer places such

paragraphs provide technical pro ofs of claims that are of marginal rele

vance to the topic of the b o ok

More advanced material is typically presented at a faster pace and with less

details Thus we hop e that the attempt to satisfy a wide range of readers will

not harm any of them

Teaching The material presented in the full threevolume work is on one

hand way b eyond what one may want to cover in a course and on the other

hand falls very short of what one may want to know ab out Cryptography in

general To assist these conicting needs we make a distinction b etween basic

and advanced material and provide suggestions for further reading in the last

section of each chapter In particular sections subsections and subsubsections

marked by an asterisk are intended for advanced reading

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

Table of Contents

Preface III

Signatures and Message Authentication

The Setting and Denitional Issues

The two types of schemes a brief overview

Introduction to the unied treatment

Basic mechanism

Attacks and security

Variants

Augmenting the attack with a verication oracle

Inessential generalities

Weaker notions of security and some p opular schemes

Lengthrestricted signature scheme

Denition

The p ower of lengthrestricted signature schemes

Signing augmented blo cks

Signing a hash value

Constructing collisionfree hashing functions

A construction based on clawfree p ermutations

Collisionfree hashing via blo ckchaining

Collisionfree hashing via treehashing

Constructions of Message Authentication Schemes

Applying a pseudorandom function to the do cument

A simple construction and a plausibility result

Using the hashandsign paradigm

A variation on the hashandsign paradigm or

using noncryptographic hashing plus hiding

More on HashandHide and statebased MACs

The basic idea underlying Construction as well as Prop osition is to

combine a weak tagging scheme with an adequate hiding scheme Sp eci

cally the weak tagging scheme should b e secure against forgery provided that

the adversary does not have access to the schemes outcome and the hiding

scheme implements the latter provision in a setting in which the actual adver

sary do es obtain the value of the MAC In Construction and in Prop o

sition the tagging scheme was implemented by ordinary hashing and

hiding was obtained by applying a pseudorandom function to the string that

one wishes to hide

One more natural hiding scheme which can also b e implemented using

pseudorandom functions is obtained by using certain privatekey encryption

schemes For example we may use Construction in which the plaintext x

We comment that this sp ecic hiding metho d is not and furthermore it is not clear

whether it can b e eciently inverted also when given the secret key ie the seed of the

pseudorandom function In contrast the alternative hiding metho d describ ed b elow is

and can b e eciently inverted when given the secret key

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER SIGNATURES AND MESSAGE AUTHENTICATION

is encryptedhidden by the pair u x f u where u is uniformly selected

instead of hiding x by the value f x as ab ove The resulting MAC is as

follows

Keygeneration On input we select indep endently and uniformly r s

n mjr j

f g where r sp ecies a hashing function h f g f g

mjsj mjsj

and s sp ecies a pseudorandom function f f g f g

We output the keypair r s r s

Signing On input a signingkey r s and a do cument f g we uniformly

mjsj

select u f g and output the signaturetag u h f u

r s

Verication On input a verifyingkey r s a do cument f g and an

alleged signature u v we outputs if and only if v h f u

r s

Alternative implementations of the same underlying idea are more p opular es

p ecially in the context of statebased MACs We start by dening statebased

MACs and then show how to construct them based on the hashandhide or

rather tagandhide paradigm

The denition of statebased MACs

As in the case of steamciphers discussed in Section we extend the mech

anism of messageauthentication schemes MACs by allowing the signing and

verication pro cesses to maintain and up date a state Formally b oth the signing

and the verication algorithms take an additional input and emit an additional

output corresp onding to their state b efore and after the op eration The length

of the state is not allowed to grow by to o much during each application of the

algorithm see Item b elow or else eciency of the entire rep eated signing

pro cess can not b e guaranteed For sake of simplicity we incorp orate the key in

the state of the corresp onding algorithm Thus the initial state of each of the

algorithms is set to equal its corresp onding key Furthermore one may think of

the intermediate states as of up dated values of the corresp onding key

In the following denition we follow similar conventions to those used in

dening statebased ciphers ie Denition Sp ecically for simplicity

we assume that the verication algorithm ie V is deterministic otherwise

the formulation would b e more complex Intuitively the main part of the

verication condition ie Item is that the prop er iterative signingverifying

pro cess always accepts The additional requirement in Item is that the state of

the verication algorithm is up dated correctly as long as it is fed with strings of

length equal to the length of the valid do cumentsignature pairs The imp ortance

of this condition was discussed in Section and is further discussed b elow

Denition statebased MAC the mechanism A statebased message

authentication scheme is a triple G S V of probabilistic polynomialtime al

gorithms satisfying the fol lowing three conditions

The hashing function should b elong to an AXU family as dened in Section

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CONSTRUCTIONS OF MESSAGE AUTHENTICATION SCHEMES

On input algorithm G outputs a pair of bit strings

For every pair s v in the range of G and every sequence of

i i i i i i i

s the fol lowing holds if s S s and v

i i i i

V v for i then for every i

(i) (i)

j j j j

Furthermore for every i and every f g f g it holds

i i i i

that V v v That is v is actual ly determined by v

i i

and j j j j

There exists a polynomial p such that for every pair s v in the range

n i i

of G and every sequence of s and s s as above it holds that

i i i i

js j js j j j pn Similarly for the v s

That is as in Denition the signingverication pro cess op erates prop

erly provided that the corresp onding algorithms get the corresp onding keys

states Note that in Denition the keys are mo died by the signing

verication pro cess and so correct verication requires holding the correctly

up dated vericationkey We stress that the furthermore clause in Item guar

antees that the vericationkey is correctly up dated as long as the verication

pro cess is fed with strings of the correct lengths but not necessarily with the

correct do cumentsignature pairs This extra requirement implies that given

the initial vericationkey and the current do cumentsignature pair as well as

the lengths of all previous pairs which may b e actually incorp orated in the cur

rent signature one may correctly decide whether or not the current do cument

signature pair is valid As in case of statebased ciphers cf Section this

fact is interesting for two reasons

A theoretical reason It implies that without loss of generality alas with p ossi

ble loss in eciency the verication algorithm may b e stateless Further

more without loss of generality alas with p ossible loss in eciency the

state of the signing algorithm may consist of the initial signingkey and

the lengths of the messages signed so far We assume here and b elow that

the length of the signature is determined by the length of the message and

the length of the signingkey

A practical reason It allows to recover from the loss of some of the message

signature pairs That is assuming that all messages have the same length

which is typically the case in MAC applications if the receiver knows

or is given the total number of messages sent so far then it can verify

the authenticity of the current messagesignature pair even if some of the

previous messagesignature pairs were lost

We stress that Denition refers to the signing of multiple messages

and is meaningless when considering the signing of a single message However

Alternatively we may decomp ose the verication resp signing algorithm into two

algorithms where the rst takes care of the actual verication resp signing and the second

takes care of up dating the state For details see Exercise

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER SIGNATURES AND MESSAGE AUTHENTICATION

Denition by itself do es not explain why one should sign the ith message

using the up dated signingkey s rather than by reusing the initial signing

key s where all corresp onding verications are done by reusing the initial

vericationkey v Indeed the reason for up dating these keys is provided by

the following security denition that refers to the signing of multiple messages

and holds only in case the signingkeys in use are prop erly up dated in the

multiplemessage authentication pro cess

Denition security of statebased MACs

A chosen message attack on a statebased MAC G S V is an interactive

process that is initiated with s v G and proceed as fol lows

In the i iteration based on the information gathered so far the attacker

i i i i i i

selects a string and obtains where s S s

Such an attack is said to succeed if it outputs a valid signature to a string

for which it has not requested a signature during the attack That is the

attack is successful if it outputs a pair such that is dierent from

al l signaturequeries made during the attack and V v

holds for some intermediate state vericationkey v as ab ove

A statebased MAC is secure if every probabilistic polynomialtime chosen

message attack as above succeeds with at most negligible probability

Note that Denition only diers from Denition in the way that the

i i

signatures s are pro duced ie using the up dated signingkey s rather

than the initial signingkey s Furthermore Denition guarantees

nothing regarding a signing pro cess in which the signature to the ith message is

obtained by invoking S s as in Denition

Statebased hashandhide MACs

We are now ready to present alternative implementations of the hashandhide

paradigm Recall that in Section the do cument was hashed by using an

adequate hashing function and the resulting hashvalue was authenticated and

hidden by applying a pseudorandom function to it In the current subsection

hiding will b e obtained in a more natural and typically more ecient way

that is by XORing the hashvalue with a new p ortion of a pseudorandom one

time pad Indeed the state is used in order to keep track of what part of the

onetime pad was already used and should not b e used again Furthermore

to obtain improved eciency we let the state enco de information that allows

In fact one may strengthen the denition by using a weaker notion of success in which it

i j

is only required that rather than requiring that f g That is the attack is

i i

successful if for some i it outputs a pair such that and V v

j j

where the s and v s are as ab ove The stronger denition provides replay protection

ie even if the adversary obtains a valid signature that authenticates as the j th message

it cannot pro duce a valid signature that authenticates as the ith message unless was

actually authenticated as the ith message

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CONSTRUCTIONS OF MESSAGE AUTHENTICATION SCHEMES

fast generation of the next p ortion of the pseudorandom onetime pad This is

obtained using online pseudorandom generator see Sections and

Recall that online pseudorandom generators are a sp ecial case of variable

output pseudorandom generators see Section in which a hidden state

is maintained and up dated so to allow generation of the next output bit in

time p olynomial in the length of the initial seed regardless of the number of

bits generated so far Sp ecically the next hidden state and output bit are

pro duced by applying a p olynomialtime computable function g f g

f g to the current state ie s g s where s is the current state s

is the next state and is the next output bit Analogously to Construction

the suggested statebased MAC will use an online pseudorandom generator in

order to generate the required pseudorandom onetime pad and the latter will b e

used to hide and authenticate the hashvalue obtained by hashing the original

do cument

Construction a statebased MAC Let g f g f g such that

mjr j

jg sj jsj for every s f g Let fh f g f g g be

r fg

a family of functions having an ecient evaluation algorithm

Keygeneration and initial state Uniformly select s r f g and output the

keypair s r s r The initial state of each algorithm is set to s r s

We maintain the initial key s r and a stepcounter in order to al low

recovery from loss of messagesignature pairs

def

s For i mn com Signing message with state s r t s Let s

pute s g s where js j n and f g Output the signature

i i i i i

h and set the new state to s r t mn s

mn mn

Verication of the pair with resp ect to the state s r t s Compute

and s as in the signing process that is for i mn compute

def

s Set the new state to s r t mn s s g s where s

i i i

and accept if and only if h

Sp ecial recovery pro cedure When notied that some messagesignature

pairs may have been lost and that the current messagesignature pair has

index t one rst recovers the correct current state which as above wil l be

def

s and computing s denoted s This is done by setting s

it it t

g s for i t Indeed recovery of s is required only if t t

Note that b oth the signing and verication algorithms are deterministic and that

the state after authentication of t messages has length n log t mn n

provided that t mn

We now turn to analyze the security of Construction The hashing

prop erty of the collection of h s should b e slightly stronger than the one used

More generally if the verication pro cedure holds the state at time t t then it needs

only compute s s

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER SIGNATURES AND MESSAGE AUTHENTICATION

in Section Sp ecically rather than a b ound on the collision probability

ie the probability that h x h y for any relevant xed x y and a random

r r

r we need a b ound on the probability that h x h y equals any xed string

r r

again for any relevant xed x y and a random r This prop erty is commonly

referred to by the name AlmostXorUniversal AXU That is fh f g

mjr j

f g g is called a AXU family if for every n N every x y

r fg

such that jxj jy j n and every z it holds that

y z n x h Pr h

U U

n n

References to constructions of such families are provided in Section

Prop osition Suppose that g is a pseudorandom generator and that

fh g is a AXU family for some superpolynomial and negligible Then

Construction constitutes a secure statebased MAC Furthermore security

holds even with respect to the stronger notion discussed in Footnote

Pro of Sketch By Exercise of Chapter if g is a pseudorandom generator

p p

then for every p olynomial p the ensemble fG g is pseudorandom where G

n n

is dened by the following random pro cess

Uniformly select s f g

For i to pn let s g s where f g and s f g

i i i i i

Output

Recall that in such a case we said that g is a nextstep function of an online

pseudorandom generator

As in previous cases it suces to establish the security of an ideal scheme in

which the sequence of mnbit long blo cks pro duced by iterating the nextstep

function g is replaced by a truly random sequence of mnbit long blo cks In

the ideal scheme all that the adversary may obtain via a chosen message attack

is a sequence of mnbit long blo cks which is uniformly distributed among all

such p ossible sequences Note that each of the signatures obtained during the

attack as well as the forged signature refers to a single blo ck in this sequence

eg the ith obtained signature refers to the ith blo ck We consider two types

of forgery attempts

In case the adversary tries to forge a signature referring to an unused

during the attack blo ck it may succeed with probability at most

b ecause we may think of this blo ck as b eing chosen after the adversary

makes its forgery attempt Note that is negligible b ecause n

mn mn

must hold ie lowerbounds the collision probability

The more interesting case is when the adversary tries to forge a signature

referring to a blo ck say the ith one that was used to answer the ith

query during the attack Denote the j th query by the random

In fact as shown in the pro of it suces to assume that g is a nextstep function of an

online pseudorandom generator

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CONSTRUCTIONS OF MESSAGE AUTHENTICATION SCHEMES

j th blo ck by b and the forged do cument by Then at the time

of outputting the forgery attempt the adversary only knows the

j j j

sequence of b h s as well as the s which were chosen by

it but this yields no information on r b ecause the b s are random and

unknown to the adversary Note that the adversary succeeds if and only

def

i i i i

if b h where b h is known to it Thus

r r

i i

the adversary succeeds if and only if h h where

r r

i i

are known to the adversary and r is uniformly distributed

Further clarication Considering the distribution of r conditioned on

partial transcripts of the attack ie the sequence of queries and

answers we claim that at any time r is uniformly distributed in

f g The claim holds b ecause for each p ossible value of r the

answers to the dierent queries are all uniformly distributed b e

cause they are XORed with random b s Thus r is uniformly

distributed also conditioned on the transcript at the time that the

adversary outputs its forgery attack which in turn is successful if

i i i i

and only if b h holds where b h and

r r

i i

are xed by this transcript Thus a successful forgery

i i i i

implies h h for xed and uni

r r

formly distributed r

Hence by the AXU prop erty the probability that the adversary succeeds

is at most n

The security of the real scheme follows or else one could have distinguished the

sequence pro duced by iterating the nextstep function g from a truly random

sequence

Construction versus the constructions of Section Recall

that all these schemes are based on the hashandhide paradigm The dierence

b etween the schemes is that in Section a pseudorandom function is applied

to the hashvalue ie the signature to is f h whereas in Construc

s r

tion the hashvalue is XORed with a pseudorandom value ie we may

view the signature as consisting of c h f c where c is a counter value

r s

and f c is the cth blo ck pro duced by iterating the nextstep function g starting

with the initial seed s We note two advantages of the statebased MAC over

the MACs presented in Section First applying an online pseudorandom

generator is likely to b e more ecient than applying a pseudorandom function

Second a counter allows to securely authenticate more messages than can b e se

curely authenticated by applying a pseudorandom function to the hashed value

Sp ecically the use of an a mbit long counter allows to securely authenticate

messages whereas using an mbit long hashvalue suers from the birth

messages are authenti day eect ie collisions are likely to o ccur when

cated Indeed these advantages are relevant only in applications in which using

statebased MACs is p ossible and are most advantageous in applications where

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER SIGNATURES AND MESSAGE AUTHENTICATION

verication is p erformed in the same order as signing eg in fifo communica

tion In the latter case Construction oers another advantage replay

protection as discussed in Footnote

Constructions of Signature Schemes

In this section we present several constructions of secure publickey signature

schemes In the sequel we refer to such schemes as signature schemes which is

indeed the traditional term

Two central paradigms in the construction of signature schemes are the re

freshing of the eective signingkey see Section and the usage of

an authentication tree see Section In addition the hashand

sign paradigm employed also in the construction of message authentication

schemes plays a even more crucial role in the following presentation In ad

dition to the ab ove we use the notion of a onetime signature scheme see

Section

The current section is organized as follows In Section we dene and

construct various types of onetime signature schemes The hashandsign

paradigm plays a crucial role in one of these constructions which in turn is

essential for Section In Section we show how to use onetime signa

ture schemes to construct general signature schemes This construction utilizes

the refreshing paradigm as employed to onetime signature schemes and an

authentication tree Thus assuming the existence of collisionfree hashing we

obtain general signature schemes

In Section wishing to relax the conditions under which signature schemes

can b e constructed we dene universal oneway hashing functions and show how

to use them instead of collisionfree hashing in the ab ove constructions and in

particular within a mo died hashandsign paradigm Indeed the gain in

using universal oneway hashing rather than collisionfree hashing is that the

former can b e constructed based on any oneway function whereas this is not

known for collisionfree hashing Thus we obtain

Theorem Secure signature schemes exist if and only if oneway functions

exist

The dicult direction is to show that the existence of oneway functions implies

the existence of signature schemes For the opp osite direction see Exercise

Onetime signature schemes

In this section we dene and construct various types of onetime signature

schemes Sp ecically we rst dene onetime signature schemes next dene

a lengthrestricted version of this notion analogous to Denition then

present a simple construction of the latter and nally we show how such a con

struction combined with collisionfree hashing yields a general onetime signature scheme

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CONSTRUCTIONS OF SIGNATURE SCHEMES

Denitions

Lo osely sp eaking onetime signature schemes are signature schemes for which

the security requirement is restricted to attacks in which the adversary asks

for at most one string to b e signed That is the mechanics of onetime signa

ture schemes is as of ordinary signature schemes see Denition but the

security requirement is relaxed as follows

A chosen onemessage attack is a pro cess that can obtain a signature to at

most one string of its choice That is the attacker is given v as input and

obtains a signature relative to s where s v G for an adequate n

Note that in this section we fo cus on publickey signature schemes and

thus we present only the denition for this case

Such an attack is said to succeed in existential forgery if it outputs a valid

signature to a string for which it has not requested a signature during the

attack

Indeed the notion of success is exactly as in Denition

A onetime signature scheme is secure or unforgeable if every feasible

chosen onemessage attack succeeds with at most negligible probability

Moving to the formal denition we again mo del a chosen message attack as a

probabilistic oracle machine however since here we only care ab out onemessage

attacks we consider only oracle machines that make at most one query Let M

b e such a machine As b efore we denote by Q x the set of queries made by

M on input x and access to oracle O and let M x denote the output of the

corresp onding computation Note that here jQ xj ie M may either

make no queries or a single query

Denition security for onetime signature schemes A onetime signa

ture scheme is secure if for every probabilistic polynomialtime oracle machine

M that makes at most one query every polynomial p and al l suciently large

n it holds that

V Q

n S

v where s v G and M

where the probability is taken over the coin tosses of algorithms G S and V as

wel l as over the coin tosses of machine M

We now dene a lengthrestricted version of onetime signature schemes The

denition is indeed analogous to Denition

Denition lengthrestricted onetime signature schemes Let N

N An restricted onetime signature scheme is a triple G S V of probabilis

tic polynomialtime algorithms satisfying the the mechanics of Denition

That is it satises the fol lowing two conditions

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER SIGNATURES AND MESSAGE AUTHENTICATION

As in Denition on input algorithm G outputs a pair of bit

strings

Analogously to Denition for every n and every pair s v in the

n n

range of G and for every f g algorithms S and D satisfy

Pr V S

v s

Such a scheme is called secure in the onetime mo del if the requirement of

Denition holds when restricted to attackers that only make queries of

length n and output a pair with jj n That is we consider only

attackers that make at most one query this query has to be of length n and

the output must satisfy jj n

Note that even the existence of secure restricted onetime signature schemes

implies the existence of oneway functions see Exercise

Constructing lengthrestricted onetime signature schemes

We now present a simple construction of lengthrestricted onetime signature

schemes The construction works for any length restriction function but the

keys will have length greater than The latter fact limits the applicability

of such schemes and will b e removed in the next subsection But rst we

construct restricted onetime signature schemes based on any oneway function

f Lo osely sp eaking the vericationkey will consist of pairs of images of f

and a signature will consist of preimages under f corresp onding to out of

these images where the selection of images is determined by the corresp onding

bits of the message We may assume for simplicity that f is length preserving

Construction an restricted onetime signature scheme Let N

N be polynomiallybounded and polynomialtime computable and f f g

f g be polynomialtime computable and lengthpreserving We construct an

restricted onetime signature scheme G S V as fol lows

we uniformly select s s s s Keygeneration with G On input

n n

j j

f g and compute v f s for i n and j We let

i i

s s s s s and v v v v v and

n n n n

output the keypair s v

Note that jsj jv j n n

Signing with S On input a signingkey s s s s s and an

n n

(n)

as a signature of nbit string we output s s

Verication with V On input a vericationkey v v v v v

n n

an nbit string and an al leged signature

n n

f for i n we accept if and only if v

i i

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CONSTRUCTIONS OF SIGNATURE SCHEMES

Prop osition If f is a oneway function then Construction consti

tutes a secure restricted onetime signature scheme

Note that Construction do es not constitute a general restricted sig

nature scheme An attacker that obtains signatures to two strings eg to the

n n

strings and can present a valid signature to any nbit long string

and thus totally break the system However here we consider only attackers

that may ask for at most one string of their choice to b e signed As a corollary

to Prop osition we obtain

Corollary If there exist oneway functions then for every polynomially

bounded and polynomialtime computable N N there exist secure restricted

onetime signature schemes

Pro of of Prop osition Intuitively forging a signature after seeing at

most one signature to a dierent message requires inverting f on some random

image corresp onding to a bit lo cation on which the two nbit long messages

dier The actual pro of is by a reducibility argument Given an adversary A

attacking the scheme G S V while making at most one query we construct

an algorithm A for inverting f

As a warmup let us rst deal with the case in which A makes no queries

at all In this case on input y supp osedly in the range of f algorithm A

pro ceeds as follows First A selects uniformly and indep endently a p osition

p in f ng a bit b and a sequence of n many nbit long strings

s s s s Actually s is not used and needs not b e selected For

n n

every i f ng n fpg and every j f g algorithm A computes v

b b b

f s Algorithm A also computes v f s and sets v y and v

p p p

v v v v Note that if y f x for a uniformly distributed

n n

x f g then for each p ossible choice of p and b the sequence v is distributed

identically to the publickey generated by G Next A invokes A on input

v hoping that A will forge a signature denoted to a message

so that b If this event o ccurs A obtains a preimage of y

v y under f b ecause the validity of the signature implies that f v

Observe that conditioned on the value of v and the internal coin tosses of A the

value b is uniformly distributed in f g Thus A inverts f with probability

n where n denotes the probability that A succeeds in forgery

We turn back to the actual case in which A may make a single query Without

loss of generality we assume that A always makes a single query see Exercise

In this case on input y supp osedly in the range of f algorithm A selects p b

j j

and the s s and forms the v s and v exactly as in the warmup discussion

i i

ab ove Recall that if y f x for a uniformly distributed x f g then

for each p ossible choice of p and b the sequence v is distributed identically to

b n

other than v y the publickey generated by G Also note that for each v

invokes A on under f Next A algorithm A holds a random preimage of v

input v and tries to answer its query denoted We consider two

cases regarding this query

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER SIGNATURES AND MESSAGE AUTHENTICATION

If b then A can not supply the desired signature b ecause it lacks a

preimage of s y under f Thus in this case A ab orts However this

case o ccurs with probability indep endently of the actions of A b ecause

v yields no information on either p or b

That is conditioned on the value of v and the internal coin tosses of A

this case o ccurs with probability

If b then A can supply the desired signature b ecause it holds all

j j

the relevant s s ie random preimages of the relevant v s under f In

i i

particular A holds b oth s s for i p as well as s Thus A answers

(n)

s with s

Note that conditioned on the value of v the internal coin tosses of A and on the

second case o ccuring p is uniformly distributed in f ng When the second

case o ccurs A obtains a signature to and this signature is distributed exactly

as in a real attack We stress that since A asks at most one query no additional

query will b e asked by A Also note that in this case ie b algorithm

A outputs a forged messagesignature pair denoted with probability

exactly as in a real attack

We now turn to the analysis of A and consider rst the emulated attack

of A Recall that denotes the single query made by A and

where is the forged message s and s let

n n

signature pair output by A By our hypothesis that this is a forgerysuccess

for all is Now considering event it follows that and that f s v

the emulation of A by A recall that conditioned on all the ab ove p is uniformly

jfi gj

distributed in f ng Hence with probability it holds

n n

that and in that case A obtains a preimage of y under f since s

p p

y v which in turn equals v v satises f s

p p

To summarize assuming that A succeeds in a singlemessage attack on

G S V with probability n algorithm A inverts f on a random image ie

on f U with probability

jfi gj n

n n

Thus if A is a probabilistic p olynomialtime chosen onemessage attack that

forges signatures with nonnegligible probability then A is a probabilistic p olynomial

time algorithm that inverts f with nonnegligible probability in violation of the

hypothesis that f is a oneway function The prop osition follows

This follows from an even stronger statement by which conditioned on the value of v the

internal coin tosses of A and on the value of p the current case happ ens with probability

The stronger statement holds b ecause conditioned on all the ab ove b is uniformly distributed

in f g and so b happ ens with probability exactly

Recall that without loss of generality we may assume that A always makes a single

query see Exercise

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CONSTRUCTIONS OF SIGNATURE SCHEMES

From lengthrestricted schemes to general ones

Using the hashandsign paradigm ie Construction we transform length

restricted onetime signature schemes into onetime signature schemes That

is we use collisionfree hashing and apply Construction except that here

G S V is an restricted onetime signature scheme rather than an restricted

general signature scheme Analogously to Prop osition we obtain

Prop osition Suppose that G S V is a secure restricted onetime sig

jr j

nature scheme and that fh f g f g g is a collisionfree

r fg

hashing collection Then G S V as dened in Construction is a se

cure onetime signature scheme

Pro of The pro of is identical to the pro of of Prop osition we merely no

tice that if the adversary A attacking G S V makes at most one query

then the same holds for the adversary A that we construct in that pro of to

attack G S V In general the adversary A constructed in the pro of of Prop o

sition makes a single query p er each query of the adversary A

Combining Prop osition Corollary and the fact that collisionfree

hashing collections imply oneway functions see Exercise we obtain

Corollary If there exist collisionfree hashing collections then there exist

secure onetime signature schemes Furthermore the length of the resulting

signatures only depends on the length of the signingkey

Comments We stress that when using Construction signing each do cu

ment under the general scheme G S V only requires signing a single string

under the restricted scheme G S V This is in contrast to Construction

in which signing a do cument under the general scheme G S V requires

signing many strings under the restricted scheme G S V where the number

of such strings dep ends linearly on the length of the original do cument

Construction calls for the use of collisionfree hashing The latter can b e

constructed using any clawfree p ermutation collection see Prop osition

however it is not know whether collisionfree hashing can b e constructed based

on any oneway function Wishing to construct signature schemes based on

any oneway function we later avoid in Section the use of collisionfree

hashing Instead we use universal oneway hashing functions to b e dened

and present a variant of Construction that uses these functions rather than

collisionfree ones

From onetime signature schemes to general ones

In this section we show how to construct general signature schemes using one

time signature schemes That is we shall prove

Theorem If there exist secure onetime signature schemes then secure

general signature schemes exist as wel l

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER SIGNATURES AND MESSAGE AUTHENTICATION

Actually we can use lengthrestricted onetime signature schemes provided that

the length of the strings being signed is at least twice the length of the verication

key Unfortunately Construction do es not satisfy this condition Neverthe

less Corollary do es provide onetime signature schemes Thus combining

Theorem and Corollary we obtain

Corollary If there exist collisionfree hashing collections then there exist

secure signature schemes

Note that Corollary asserts the existence of secure publickey signature

schemes based on an assumption that do es not mention trap do ors We stress

this p oint b ecause of the contrast to the situation with resp ect to publickey

encryption schemes where a trap do or prop erty seems necessary for the con

struction of secure schemes

The refreshing paradigm

The socalled refreshing paradigm plays a central role in the pro of of Theo

rem Lo osely sp eaking the refreshing paradigm suggests to reduce the

dangers of a chosen message attack on the signature scheme by using fresh

instances of the scheme for signing each new do cument Of course these fresh

instances should b e authenticated by the original instance corresp onding to the

vericationkey that is publicly known but such an authentication refers to a

string selected by the legitimate signer rather than by the adversary

Example To demonstrate the refreshing paradigm consider a basic signature

scheme G S V used as follows Supp ose that the user U has generated a key

pair s v G and has placed the vericationkey v on a publicle When

a party asks U to sign some do cument the user U generates a new fresh

keypair s v G signs v using the original signingkey s signs using

as a signature the new fresh signingkey s and presents S v v S

s s

to An alleged signature v is veried by checking whether b oth

hold Intuitively the gain in terms of security V v and V

v v

is that a fulledged chosen message attack cannot b e launched on G S V All

that an attacker may obtain via a chosen message attack on the new scheme

is signatures relative to the original signingkey s to randomly chosen strings

taken from the distribution G as well as additional signatures each relative

to a random and indep endently chosen signingkey

We refrain from analyzing the features of the signature scheme presented in

the ab ove example Instead as a warmup to the actual construction used in

the next section in order to establish Theorem we present and analyze a

similar construction which is in some sense a hybrid of the two constructions

The reader may skip this warmup and pro ceed directly to Section

Construction a warmup Let G S V be a signature scheme and

G S V be a onetime signature scheme Consider a signature scheme G S V

with G G as fol lows

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CONSTRUCTIONS OF SIGNATURE SCHEMES

Signing with S On input a signingkey s in the range of G and a docu

ment f g rst invoke G to obtain s v G Next invoke

S to obtain S v and S to obtain S The nal output

is v

Verication with V On input a verifyingkey v a document f g and

an al leged signature v we output if and only if both

V v and V

Construction diers from the ab ove example only in that a onetime

signature scheme is used to generate the second signature rather than using

the same ordinary signature scheme The use of a onetime signature scheme is

natural here b ecause it is unlikely that the same signingkey s will b e selected

in two invocations of S

Prop osition Suppose that G S V is a secure signature scheme and

that G S V is a secure onetime signature scheme Then G S V as

dened in Construction is a secure signature scheme

We comment that the prop osition holds even if G S V is only secure against

attackers that select queries according to the distribution G Furthermore

G S V need only b e restricted for some suitable function N N

Pro of Sketch Consider an adversary A attacking the scheme G S V

We may ignore the case in which two queries of A are answered by triplets

containing the same onetime vericationkey v b ecause if this event o ccurs

with nonnegligible probability then the onetime scheme G S V cannot b e

secure We consider two cases regarding the relation of the onetime verication

and the onetime vericationkey keys included in the signatures provided by S

included in the signature forged by A

In case for some i the onetime vericationkey v contained in the forged

message equals the onetime vericationkey v contained in the answer

to the i query we derive violation to the security of the onetime scheme

G S V

Sp ecically consider an adversary A that on input a vericationkey v

for the onetime scheme G S V generates s v G at ran

dom selects i at random among p olynomially many p ossibilities in

vokes A on input v and answers its queries as follows The i query of

A denoted is answered by making the only query to S obtaining

S and returning S v v to A Note that A holds

s Each other query of A denoted is answered by invoking G

j j n j j j

to obtain s v G and returning S v v S to

(j )

A If A answers with a forged signature and v is the vericationkey

contained in it then A obtains a forged signature relative to the onetime

scheme G S V ie a signature to a message dierent from which

is valid wrt the vericationkey v Furthermore conditioned on the case

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER SIGNATURES AND MESSAGE AUTHENTICATION

hypothesis and a forgery event the second event ie v is the verication

key contained in the forged signature o ccurs with probability p olyn

Note that indeed A makes at most one query to S and that the distri

bution seen by A is exactly as in an actual attack on G S V

In case for al l i the onetime vericationkey v contained in the forged

message is dierent from the onetime vericationkey v contained in the

answer to the i query we derive violation to the security of the scheme

G S V

Sp ecically consider an adversary A that on input a vericationkey v for

the scheme G S V invokes A on input v and answers its queries as

th j

follows To answer the j query of A denoted algorithm A invokes

j j n j

G to obtain s v G queries S for a signature to v and

j j j

returns S v v S to A When A answers with a forged

(j )

signature and v fv j p olyng is the onetime verication

key contained in it A obtains a forged signature relative to the scheme

G S V ie a signature to a string v dierent from all v s which is

valid wrt the vericationkey v Note again that the distribution seen

by A is exactly as in an actual attack on G S V

Thus in b oth cases we derive a contradiction to some hypothesis and the prop o

sition follows

Authenticationtrees

The refreshing paradigm by itself ie as employed in Construction do es

not seem to suce for establishing Theorem Recall that our aim is to

construct a general signature scheme based on a onetime signature scheme

The refreshing paradigm suggests to use a fresh instance of a onetime signature

scheme in order to sign the actual do cument however whenever we do so as

in Construction we must authenticate this fresh instance relative to the

single vericationkey that is public A straightforward implementation of this

scheme as presented in Construction calls for many signatures to b e

signed relative to the single vericationkey that is public and so a onetime sig

nature scheme cannot b e used for this purp ose Instead a more sophisticated

metho d of authentication is called for

Let us try to sketch the basic idea underlying the new authentication metho d

The idea is to use the public vericationkey of a onetime signature scheme in

order to authenticate several eg two fresh instances of the onetime signature

scheme use each of these instances to authenticate several fresh instances and

so on We obtain a tree of fresh instances of the onetime signature where

each internal no de authenticates its children We can now use the leaves of this

tree in order to sign actual do cuments where each leaf is used at most once

Thus a signature to an actual do cument consists of a onetime signature to

Furthermore all queries to S are distributed according to G justifying the comment

made just b efore the pro of sketch

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CONSTRUCTIONS OF SIGNATURE SCHEMES

this do cument authenticated with resp ect to the vericationkey asso ciated with

some leaf and a sequence of onetime vericationkeys asso ciated with the

no des along the path from the ro ot to this leaf where each such vericationkey

is authenticated with resp ect to the vericationkey of its parent see Figures

and We stress that each instance of the onetime signature scheme is used

to sign at most one string ie several vericationkeys if the instance resides in

an internal no de and an actual do cument if the instance resides in a leaf

sxv x

+ authx

x0 x1

sx0v x0 sx1v x1

+ authx0 + authx1

The vericationkey of a no de lab eled x authenticates the verication

keys of its children lab eled x and x resp ectively The authentication

is via a onetime signature of the text v v using the signingkey s and

x x x

it is veriable with resp ect to the vericationkey v

Figure Authentication trees the basic authentication step

The ab ove description may leave the reader wondering as to how one actually

signs and veries signatures using the pro cess outlined ab ove We start with

a description that do es not t our denition of a signature scheme b ecause it

requires the signer to keep a record of its actions during all previous invocations

of the signing pro cess We refer to such a scheme as memory dependent and

dene this notion rst

Denition memorydep endent signature schemes

Mechanics Item of Denition stays as it is and the initial state of

the signing algorithm is dened to equal the output of the keygenerator

This memory requirement will b e removed in the next section

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER SIGNATURES AND MESSAGE AUTHENTICATION

Item is modied such that the signing algorithm is given a state denoted

as auxiliary input and returns a modied state denoted as auxiliary

output It is required that for every pair s v in the range of G

and for every f g if S then V and

s v

j j j j jj p oly n

That is the verication algorithm accepts the signature and the state

do es not grow by to o much

Security The notion of a chosen message attack is modied so that the oracle

S now maintains a state that it updates in the natural manner that is

when in state and faced with query the oracle sets S

returns and updates its state to The notions of success and security

are dened as in Denition except that they now refer to the modied

notion of an attack

The denition of memorydep endent signature schemes ie Denition is

related to the denition of statebased MACs ie Denition However

there are two dierences b etween the two denitions First Denition

refers to publickey signature schemes whereas Denition refers to

MACs Second in Denition only the signing algorithm is statebased or

memorydep endent whereas in Denition also the verication algorithm

is statebased The latter dierence reects the dierence in the applications

envisioned for b oth types of schemes Typically MACs are indented for com

munication b etween a predetermined set of mutually synchronized parties

whereas signature schemes are intended for pro duction of signatures that may

b e universally veriable at any time

We note that memorydep endent signature schemes may suce in many

applications of signature schemes Still it is preferable to have memoryless ie

ordinary signature schemes Below we use any onetime signature schemes to

construct a memorydep endent signature scheme The memory requirement will

b e removed in the next section so to obtain a memoryless signature scheme

as in Denition

The memorydep endent signature scheme presented in Construction

b elow maintains a binary tree of depth n asso ciating to each no de an instance

of a onetime signature scheme Each no de in the tree is lab eled by a binary

string denoted for some i f ng and is asso ciated with a sign

The ro ot of the tree is v ing and verication keypair denoted s

1 i 1 i

lab eled by the empty string and the the vericationkey v asso ciated with

it is used as the vericationkey of the entire memorydep endent signature

scheme The children of an internal no de lab eled are lab eled

i i

and and their vericationkeys ie v and v are authen

1 i 1 i

With the exception of the ticated with resp ect to the vericationkey v

1 i

onetime instance asso ciated with the ro ot of the tree all the other instances

are generated when needed onthey and are stored in memory along with

their authentication with resp ect to their parents A new do cument is signed

by allo cating a new leaf authenticating the actual do cument with resp ect to

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CONSTRUCTIONS OF SIGNATURE SCHEMES

sλv λ

+ authλ

0 1

s0v 0 s1v 1

+ auth0 + auth1

00 01

s00v 00 s01v 01

+ auth00 + auth01

010 011

s010v 010 s011v 011

+ auth010 + auth011

Figure An authentication path for no des and

the vericationkey asso ciated with this leaf and authenticating each relevant

vericationkey with resp ect to the vericationkey asso ciated with its parent

The relevant keypairs as well as their authentication with resp ect to their par

ents are generated onthey unless they are already stored in memory which

means that they were generated in the course of signing a previous do cument

Thus the vericationkey asso ciated with the relevant leaf is authenticated with

resp ect to the vericationkey asso ciated with its parent which in turn is au

thenticated with resp ect to the vericationkey asso ciated with its own parent

and so on up to the authentication of the vericationkeys of the ro ots chil

dren with resp ect to the vericationkey asso ciated with the ro ot The latter

sequence of authentications of each no des vericationkey with resp ect to the

vericationkey of its parent is called an authentication path see Figure

We stress that the onetime instance asso ciated with each no de is used to au

thenticate at most one string A formal description of this memorydep endent

signature scheme follows

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER SIGNATURES AND MESSAGE AUTHENTICATION

Construction a memorydep endent signature scheme Let G S V

be a onetime signature scheme Consider the fol lowing memorydependent sig

nature scheme G S V with G G On security parameter n the scheme

uses a ful l binary tree of depth n Each of the nodes in this tree is lab eled by a

binary string so that the root is labeled by the empty string denoted and the

left resp right child of a node labeled by x is labeled by x resp x Below

we refer to the current state of the signing process as to a record

Initiating the scheme To initiate the scheme on security parameter n we in

n n

voke G and let s v G We record s v as the keypair asso

ciated with the root and output v as the public vericationkey

In the rest of the description we denote by s v the keypair associated

x x

with the node labeled x thus s v s v

Signing with S using the current record Recall that the current record contains

the signingkey s s which is used to produce auth dened below

To sign a new document denoted we rst al locate an unused leaf Let

be the label of this leaf For example we may keep a counter of

the number of documents signed and determine according to the

counter value eg if the counter value is c then we use the c string in

lexicographic order

Next for every i n and every f g we try to retrieve from our

record the keypair associated with the node labeled In case

such a pair is not found we generate it by invoking G and store it ie

add it to our record for future use that is we let s v

1 i1 1 i1

Next for every i n we try to retrieve from our record a signature to

In case the string v v relative to the signingkey s

1 i1 1 i1 1 i1

and such a signature is not found we generate it by invoking S

v v store it for future use that is we obtain S

1 i1 1 i1

The ability to retrieve this signature from memory for repeated use is

the most important place in which we rely on the memorydependence of

our signature scheme We let

def

v v v v S auth

1 i1 1 i1 1 i1 1 i1 1 i1

the no de lab eled authenticates the Intuitively via auth

1 i1

vericationkeys asso ciated with its children

and output Final ly we sign by invoking S

S auth auth auth

s n

1 n1 1

Alternatively as done in Construction we may select the leaf at random while

ignoring the negligible probability that the selected leaf is not unused

This allows the signing pro cess S to use each onetime signingkey s for pro ducing a

single S signature In contrast the use of a counter for determining a new leaf can b e easily

avoided by selecting a leaf at random

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CONSTRUCTIONS OF SIGNATURE SCHEMES

Verication with V On input a vericationkey v a document and an al

leged signature we accept if and only if the fol lowing conditions hold

has the form

v v v v v v

n n n n n

where the s are bits and al l other symbols represent strings

Jumping ahead we mention that v is supp osed to equal v

1 i

that is the vericationkey asso ciated by the signing pro cess with

is supp osed to equal the no de lab eled In particular v

i i

1 i

V v v

That is the publickey ie v authenticates the two strings v and

v claimed to corresp ond to the instances of the onetime signature

scheme asso ciated with the no des lab eled and resp ectively

v v For i n it holds that V

i i i v

which is already b elieved to b e That is the vericationkey v

authentic and supp osedly corresp onds to the instance of the onetime

signature scheme asso ciated with the no de lab eled authen

ticates the two strings v and v that are supp osed to corresp ond

i i

to the instances of the onetime signature scheme asso ciated with the

no des lab eled and resp ectively

i i

n v

which is already b elieved to b e That is the vericationkey v

authentic authenticates the actual do cument

Regarding the verication algorithm note that Conditions and establish

That is v v authenticates is authentic ie equals v that v

1 i i+1 i+1

The fact that the and so on upto v which authenticates v v

1 n 1 2 1

v s are also proven to b e authentic ie equal the v s where

i+1 i+1 1 i

is not really useful when signing a message using the leaf asso ciated with

only once This excess is merely an artifact of the need to use s

1 i

during the entire op eration of the memorydep endent signature scheme In the

currently constructed S signature we may not care ab out the authenticity of

some v signatures For but we may care ab out it in some other S

1 i i+1

example if we use the leaf lab eled to sign the rst do cument and the leaf

lab eled to sign the second then in the rst S signature we only care

whereas in the second S signature we care ab out ab out the authenticity of v

the authenticity of v

Prop osition If G S V is a secure onetime signature scheme then

Construction constitutes a secure memorydependent signature scheme

Pro of Recall that a S signature to a do cument has the form

S auth auth auth

s n

1 n1 1

n 1

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER SIGNATURES AND MESSAGE AUTHENTICATION

where the auth s v s and s s satisfy

x x x

v v auth v v S

x x x x x s

See Figure In this case we say that this S signature uses the leaf lab eled

auth For every i n we call the sequence auth auth

1 i1 1

see Figure Note that the ab ove sequence an authentication path for v

1 i

Thus a valid is also an authentication path for v where

1 i1 i

S signature to a do cument consists of an nbit string authentica

i n and a signature to with resp ect to the tion paths for each v

1 i

onetime scheme G S V using the signingkey s

1 n

Intuitively forging an S signature requires either using an nelement long

as part of an authentication path supplied by the signer ie supplied by S

answer to a query or pro ducing an authentication path dierent from all paths

supplied by the signer In b oth cases we reach a contradiction to the security

of the onetime signature scheme G S V Sp ecically in the rst case the

forged S signature contains a onetime signature that is valid with resp ect to

the onetime vericationkey asso ciated by the signing pro cess with the leaf

lab eled b ecause by the cases hypothesis the forged signature utilizes

an authentication path provided by the signer for this leaf This yields forgery

with resp ect to the instance of the onetime signature scheme asso ciated with

signed by the forger the leaf lab eled b ecause the do cument that is S

must b e dierent from all S signed do cuments and thus the forged do cument

is dierent from all strings to which a onetime signature asso ciated with a leaf

was applied We now turn to the second case ie forgery with resp ect to

G S V is obtained by pro ducing an authentication path dierent from all

paths supplied by the signer In this case there must exists an i f n g

is the and an i bit long string such that auth auth

1 i1

longest prex of the authentication path pro duced by the forger that is a prex

of some authentication path supplied by the signer Note that i corresp onds

to an empty prex whereas i n by the case hypothesis For this i the

signature pro duced v v that is contained in the S triple auth

1 i

i i i

that is valid with resp ect by the forger contains a onetime signature ie

to the onetime vericationkey asso ciated by the signing pro cess with the no de

lab eled Furthermore by maximality of i the latter signature is to a

string ie v v that is dierent from the string to which the S signer has

i i

This yields forgery with resp ect to the instance of the onetime applied S

signature scheme asso ciated with the no de lab eled

The actual pro of is by a reducibility argument Given an adversary A attack

ing the complex scheme G S V we construct an adversary A that attacks

the onetime signature scheme G S V In particular the adversary A will

use its onetime oracle access to S in order to emulate the memorydep endent

signing oracle for A We stress that the adversary A may make at most one

signed by the forger is dierent Note that what matters is merely that the do cument S

was applied by the S signer in case S from the single do cument to which S

s s

n n

1 1

was ever applied by the S signer s

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CONSTRUCTIONS OF SIGNATURE SCHEMES

query to its S oracle Below is a detailed description of the adversary A Since

we care only ab out probabilistic p olynomialtime adversaries we may assume

that A makes at most t p oly n many queries where n is the security param

eter

The construction of adversary A Supp ose that s v is in the range of G

On input v and onequery oracle access to S adversary A pro ceeds as follows

Initial choice A uniformly selects j f n tg

The integer j sp ecies an instance of G S V generated during the em

ulated attack of A on G S V This instance will b e attacked by A

Note that since n instances of G S V are referred to in each sig

nature relative to G S V the quantity n t upp er b ounds the

total number of instances of G S V that app ear during the entire attack

of A This upp er b ound is not tight

Invoking A If j then A sets v v and invokes A on input v In

this case A do es not know s which is dened to equal s yet A can obtain

a single signature relative to the signingkey s by making a single query

to the its own oracle ie the oracle S

Otherwise ie j machine A invokes G obtains s v G

sets s v s v and invokes A on input v We stress that in this

case A knows s

Indeed in b oth cases A is invoked on input v Also in b oth cases

the onetime instance asso ciated with the ro ot ie the no de lab eled is

called the rst instance

Emulating the memorydependent signing oracle for A The emulation is

analogous to the op eration of the signing pro cedure as sp ecied in Con

struction The only exception refers to the j instance of G S V

that o ccurs in the memorydep endent signing pro cess Here A uses the

verication key v and if an S signature needs to b e pro duced then A

queries S for it We stress that at most one signature needs ever b e

pro duced with resp ect to each instance of G S V that o ccurs in the

memorydep endent signing pro cess and therefore S is queried at most

once Details follow

Machine A maintains a record of all keypairs and onetime signatures it

has generated andor obtained from S When A is asked to supply a

signature to a new do cument denoted it pro ceeds as follows

a A allo cates a new leaflab el denoted exactly as done by the

signing pro cess

b For every i n and every f g machine A tries to retrieve

from its record the onetime instance asso ciated with the no de lab eled

If such an instance do es not exist in the record ie the

onetime instance asso ciated with the no de lab eled did

not app ear so far then A distinguishes two cases

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER SIGNATURES AND MESSAGE AUTHENTICATION

i If the record so far contains exactly j onetime instances ie

the current instance is the j one to b e encountered then A sets

v v and adds it to its record In this case A do es not

1 i1

know s which is dened to equal s yet A can obtain a

1 i1

single signature relative to s by making a single query to its

own oracle ie the oracle S

From this p oint on the onetime instance asso ciated with the

no de lab eled will b e called the j instance

ii Otherwise ie the current instance is not the j one to b e en

countered A acts as the signing pro cess It invokes G ob

tains s v G and adds it to the record

1 i1 1 i1

Note that in this case A knows s and can generate by

1 i1

itself signatures relative to it

The onetime instance just generated is given the next serial num

b er That is the onetime instance asso ciated with the no de la

b eled will b e called the k instance if the current

record ie after the generation of the onetime keypair asso

ciated with the no de lab eled contains exactly k in

stances

c For every i n machine A tries to retrieve from its record a

onetime signature to the string v v relative to the

1 i1 1 i1

If such a signature do es not exist in the record signingkey s

1 i1

then A distinguishes two cases

i If the onetime signature instance asso ciated with the no de la

b eled is the j such instance then A obtains the one

v v by querying S time signature S

s s

1 i1 1 i1

and adds this signature to the record

Note that by the previous steps ie Step bi as well as Step

and that the instance asso ciated s is identied with s

1 i1

with a no de lab eled is only used to pro duce a single

signature that is to the string v v Thus in this

1 i1 1 i1

case A queries S at most once

We stress that the ab ove makes crucial use of the fact that for

every the vericationkey asso ciated with the no de lab eled

is identical in all executions of the current step This

fact guarantees that A only needs a single signature relative to

the instance asso ciated with a no de lab eled and thus

queries S at most once and retrieves this signature from memory

if it ever needs this signature again

ii Otherwise ie the onetime signature instance asso ciated with

the no de lab eled is not the j such instance A

obtains the acts as the signing pro cess It invokes S

v v and adds it onetime signature S

1 i1 1 i1

and can to the record Note that in this case A knows s

1 i1

generate by itself signatures relative to it

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CONSTRUCTIONS OF SIGNATURE SCHEMES

v v Thus in b oth cases A obtains auth

1 i1 1 i1 1 i1

v v where S

i s

1 i1 1 i1

d Machine A now obtains a onetime signature of relative to S

Since a new leaf is allo cated for each query made by A we need

to generate at most one signature relative to the onetime instance

asso ciated with the leaf This is done analogously S

n s

to the previous step ie Step c Sp ecically

i If the onetime signature instance asso ciated with the leaf no de

lab eled is the j instance then A obtains the onetime

by querying S signature S

s s

and that an Note that in this case s is identied with s

1 n

instance asso ciated with a leaf is only used to pro duce a single

signature Thus also in this case which is disjoint of Case ci

A queries S at most once

ii Otherwise ie the onetime signature instance asso ciated with

the no de lab eled is not the j instance A acts as the

and obtains the onetime signing pro cess It invokes S

and Again in this case A knows s signature S

1 n

can generate by itself signatures relative to it

Thus in b oth cases A obtains S

n s

e Finally A answers the query with

auth auth auth

n n

1 n1 1

Using the output of A When A halts with output machine A

checks whether this is a valid do cumentsignature pair with resp ect to

V and whether the do cument did not app ear as a query of A If

b oth conditions hold then A tries to obtain forgery with resp ect to S

To explain how this is done we need to take a closer lo ok at the valid

do cumentsignature pair output by A Sp ecically supp ose that

has the form

v v v v v v

n n n n n

and that the various comp onents satisfy all conditions stated in the verica

tion pro cedure In particular the sequence v v v v

n n n

is the authentication path for v output by A Recall that strings

of the form v denote the vericationkeys included in the output of A

whereas strings of the form v denote the vericationkeys as used in the

answers given to A by A and as recorded by A

Let i b e maximal such that the sequence of keypairs v v v v

i i

app ears in some authentication path supplied to A by A Note that

i f ng where i means that v v diers from v v

the That is i is such that for some which may but need not equal

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER SIGNATURES AND MESSAGE AUTHENTICATION

and i n means that the sequence v v v v equals

n n

the sequence v v v v In general the sequence

1 1

n1 n1

v v v v equals the sequence v v v v

i i

1 1

i1 i1

In particular for i it holds that v v whereas for i

we shall only refer to v which is the vericationkey attacked by A

In b oth cases the output of A contains a onetime signature relative to

v and this signature is to a string dierent from the p ossibly only

one to which a signature was supplied to A by A Sp ecically as in the

motivating discussion ab ove we distinguish the cases i n and i n

a In case i n the output of A contains the onetime signature

that satises V Furthermore is dierent from

the p ossibly only do cument to which S was applied during the

emulation of the S signer by A since by our hypothesis the do cument

did not app ear as a query of A Recall that by the construction of

A instances of the onetime signature scheme asso ciated with leaves

are only applied to the queries of A

b In case i n the output of A contains the onetime signature

v v Furthermore v v is dier that satises V

i i i i i

ent from v v which is the p ossibly only string to which

1 1

i i

S was applied during the emulation of the S signer by A where

the last assertion is due to the maximality of i and the construction

of A

Thus in b oth cases A obtains from A a valid onetime signature rela

tive to the onetime instance asso ciated with the no de lab eled

Furthermore in b oth cases this onetime signature is to a string that

did not app ear in the record of A The question is whether the instance

is the j instance for which A asso ciated with the no de lab eled

In case the answer is yes A obtains forgery with resp ect set v v

to the onetime vericationkey v which it attacks

In view of the ab ove discussion A acts as follows It determines i as

in the discussion and checks whether v v or almost equiva

lently whether the j instance is the one asso ciated with the no de la

b eled In case i n machine A outputs the stringsignature

pair otherwise ie i n it outputs the stringsignature pair

v v

i i i

sequence v v v v is a prex of some authentication path for

i i

some v supplied to A by A We stress that here we only care ab out whether

i+1

s equal the corresp onding vericationkeys supplied by A and ignore the or not some v

question of whether in case of equality the vericationkeys were authenticated using the

very same onetime signature We mention that things will b e dierent in the analogous

part of the pro of of Theorem which refers to sup ersecurity

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CONSTRUCTIONS OF SIGNATURE SCHEMES

This completes the admittingly long description of adversary A We rep eat

again some obvious observations regarding this construction Firstly A makes

at most one query to its onetime signing oracle S Secondly assuming that

A is probabilistic p olynomialtime so is A Thus all that remains is to relate

the success probability of A when attacking a random instance of G S V to

the success probability of A when attacking a random instance of G S V

As usual the main observation is that the view of A during the emulation of

the memorydep endent signing pro cess by A is identically distributed to its

view in an actual attack on G S V Furthermore this holds conditioned

on any p ossible xed value of j selected in the rst step of A It follows

that if A succeeds to forge signatures in an actual attack on G S V with

probability n then A succeeds to forge signatures with resp ect to G S V

where the n t factor is due to the with probability at least

probability that the choice of j is a go o d one ie so that the j instance is

the one asso ciated with the no de lab eled where and i are as

dened in Step of As construction

We conclude that if G S V can b e broken by a probabilistic p olynomial

time chosen message attack with nonnegligible probability then G S V can

b e broken by a probabilistic p olynomialtime singlemessage attack with non

negligible probability in contradiction to the prop ositions hypothesis The

prop osition follows

The actual construction

In this section we remove the memorydep endency of Construction and

obtain an ordinary rather than memorydep endent signature scheme Towards

this end we use pseudorandom functions as dened in Denition The

basic idea is that the record maintained in Construction can b e determined

onthey by an application of a pseudorandom function to certain strings For

example instead of generating and storing an instance of a onetime signature

scheme for each no de that we encounter we can determine the randomness for

the corresp onding invocation of the keygeneration algorithm as a function of

the lab el of that no de Thus there is no need to store the keypair generated

b ecause if we ever need it again then regenerating it in the very same way

will yield exactly the same result The same idea applies also to the generation

of onetime signatures In fact the construction is simplied b ecause we need

not check whether or not we are generating an ob ject for the rst time

For simplicity let us assume that on security parameter n b oth the key

generation and signing algorithms of the onetime signature scheme G S V

use exactly n internal coin tosses This assumption can b e justied by us

ing pseudorandom generators which exist anyhow under the assumptions used

n n n

here For r f g we denote by G r the output of G on input and

internal cointosses r Likewise for r f g we denote by S r the output

of S on input a signingkey s and a do cument when using internal cointosses

r For simplicity we shall b e actually using generalized pseudorandom functions

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER SIGNATURES AND MESSAGE AUTHENTICATION

as in Denition rather than pseudorandom functions as dened in Deni

tion Furthermore for simplicity we shall consider applications of such

pseudorandom functions to sequences of characters containing f g as well as

a few additional sp ecial characters

Construction Removing the memory requirement from Construction

jr j

Let G S V be a onetime signature scheme and ff f g f g g

r fg

be a generalized pseudorandom function ensemble as in Denition Con

sider the fol lowing signature scheme G S V which refers to a ful l binary

tree of depth n as in Construction

n n

Keygeneration algorithm G On input algorithm G obtains s v G

and selects uniformly r f g Algorithm G outputs the pair r s v

where r s is the signingkey and v is the vericationkey

Signing algorithm S On input a signingkey r s in the range of G and

a document the algorithm proceeds as fol lows

It selects uniformly f g

Algorithm S will use the leaf lab eled f g to sign the

current do cument Indeed with exp onentiallyvanishing probability

the same leaf may b e used to sign two dierent do cuments and this

will lead to forgery but only with negligible probability

Alternatively to obtain a deterministic signing algorithm one may

set f selectleaf where selectleaf is a sp ecial

n r

character

Next for every i n and every f g the algorithm invokes

G and sets

s v G f keygen

r i

1 i1 1 i1

where keygen is a special character

and sets For every i n the algorithm invokes S

def

v v auth

1 i1 1 i1 1 i1

v v f sign S

r i s

1 i1 1 i1

We shall make comments regarding the minor changes required in order to use ordinary

pseudorandom functions The rst comment is that we shall consider an enco ding of strings

of length upto n by strings of length n eg for i n the string x f g is

enco ded by x

In case we use ordinary pseudorandom functions rather than generalized ones we select

n n n

r uniformly in f g such that f f g f g Actually we shall b e using the

n n

function f f g f g derived from the ab ove by dropping the last bits of the

function value

In case we use ordinary pseudorandom functions rather than generalized ones this alter

native can b e directly implemented only if it is guaranteed that jj n In such a case we

apply the f to the n bit enco ding of

In case we use ordinary pseudorandom functions rather than generalized ones the argu

ment to f is the n bit enco ding of

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CONSTRUCTIONS OF SIGNATURE SCHEMES

where sign is a special character

and outputs Final ly the algorithm invokes S

f sign S auth auth auth

r n s n

1 n1 1

Verication algorithm V On input a vericationkey v a document and an

al leged signature algorithm V behaves exactly as in Construction

Specically assuming that has the form

v v v v v v

n n n n n

algorithm V accepts if and only if the fol lowing three conditions hold

V v v

v v For i n it holds that V

i i i v

n v

Prop osition If G S V is a secure onetime signature scheme and

jr j

ff f g f g g is a generalized pseudorandom function ensem

r fg

ble then Construction constitutes a secure general signature scheme

Pro of Following the general metho dology suggested in Section we con

sider an ideal version of Construction in which a truly random function is

used rather than a pseudorandom one The ideal version is almost identical to

Construction with the only dierence b eing the way in which is

selected Sp ecically applying a truly random function to determine onetime

keypairs and onetime signatures is equivalent to generating these keys and

signatures at random onthey and reusing the stored values whenever nec

essary Regarding the way in which is selected observe that the pro of

of Prop osition is oblivious of this way except for the assumption that the

same leaf is never used to sign two dierent do cuments However the probabil

ity that the same leaf is used twice by the memoryless signing algorithm when

serving p olynomiallymany signing requests is exp onentiallyvanishing and thus

can b e ignored in our analysis We conclude that the ideal scheme in which a

truly random function is used instead of f is secure It follows that also the

actual signature scheme as in Construction is secure or else one can

eciently distinguish a pseudorandom function from a truly random one which

is imp ossible Details follow

Assume towards the contradiction that there exists a probabilistic p olynomial

time adversary A that succeeds to forge signatures with resp ect to G S V

with nonnegligible probability but succeeds only with negligible probability

when attacking the ideal scheme We construct a distinguisher D that on input

In case we use ordinary pseudorandom functions rather than generalized ones the argu

ment to f is the n bit enco ding of

In case we use ordinary pseudorandom functions rather than generalized ones the argu

ment to f is the n bit enco ding of

r n

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER SIGNATURES AND MESSAGE AUTHENTICATION

n n

and oracle access to f f g f g b ehaves as follows Machine D

generates r s v G and invokes A on input v Machine D answers

the queries of A by running the signing pro cess using the signingkey r s

x by f x That is whenever with the exception that it replaces the values f

the signing pro cess calls for the computation of the value of the function f on

some string x machine D queries its oracle ie f on the string x and uses

x When A outputs an alleged signature to a the resp ond f x instead of f

new do cument machine M evaluates whether or not the signature is valid with

resp ect to V and output if and only if A has indeed succeeded ie the

signature is valid Observe that if D is given oracle access to a truly random

function then the emulated A attacks the ideal scheme whereas if D is given

oracle access to a pseudorandom function f then the emulated A attacks the

real scheme It follows that D distinguishes the two cases in contradiction to

the pseudorandomness of the ensemble ff g

Conclusions and comments

Theorem follows by combining Prop osition with the fact that the

existence of secure onetime signature schemes implies the existence of one

way functions see Exercise which in turn imply the existence of general

ized pseudorandom functions Recall that combining Theorem and Corol

lary we obtain Corollary that states that the existence of collision

free hashing collections implies the existence of secure signature schemes Fur

thermore the length of the resulting signatures only dep ends on the length of

the signingkey

We comment that Constructions and can b e generalized as

follows Rather than using a depth n full binary tree one can use any tree

that has a sup erp olynomial in n number of leaves provided that one can

enumerate the leaves resp uniformly select a leaf and generate the path from

the ro ot to a given leaf We consider a few p ossibilities

For any d N N b ounded by a p olynomial in n eg d or dn n

are indeed extreme cases we may consider a full dnary tree of depth

en so that dn is greater than any p olynomial in n The choice of

parameters in Constructions and ie d and en n

is probably the simplest one

Natural complexity measures for a signature scheme include the length of

signatures and the signing and verication times In a generalized con

struction the length of the signatures is linear in dn en and the num

b er of applications of the underlying onetime signature scheme p er each

general signature is linear in en where in internal no des the onetime

signature scheme is applied to string of length linear in dn Assuming

that the complexity of onetime signatures is linear in the do cument length

all complexity measures are linear in dn en and so d is the b est

generic choice However the ab ove assumption may not hold when some

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CONSTRUCTIONS OF SIGNATURE SCHEMES

sp ecic onetime signatures are used For example the complexity of pro

ducing a signature to an bit long string in a onetime signature scheme

may b e of the form pn p n where p n pn In such sp ecial

cases one may prefer to use a larger d N N see Section

For the memorydep endent construction it may b e preferable to use un

balanced trees ie having leaves at various levels The advantage is that

if one utilizes rst the leaves closer to the ro ot then one can obtain a saving

on the cost of signing the rst do cuments

For example consider using a ternary tree of sup erlogarithmic depth

ie d and en log n in which each internal no de of level

i f en g has a two children that are internal no des and a

single child that is a leaf and the internal no des of level en have only

leaves as children Thus for i there are leaves at level i If we

use all leaves of level i b efore using any leaf of level i then the length

of the j signature in this scheme is linear in log j and so is the number

of applications of the underlying onetime signature scheme

When actually applying these constructions one should observe that in variants

of Construction the size of the tree determines the number of do cuments

that can b e signed whereas in variants of Construction the tree size has

even a more drastic eect on the number of do cuments that can b e signed

In some cases a hybrid of Constructions and may b e preferable

We refer to a memorydep endent scheme in which leaves are assigned as in

Construction ie according to a counter but the rest of the op eration

is done as in Construction ie the onetime instances are regenerated

onthey rather than b eing recorded and retrieved from memory In some

applications the introduction of a do cumentcounter may b e tolerated and the

gain is the ability to use a smaller tree ie of size merely greater than the

number of do cuments that should b e ever signed

More generally we wish to stress that each of the following ingredients of the

ab ove constructions is useful in a variety of related and unrelated settings We

refer sp ecically to the refreshing paradigm the authentication tree construction

and the notion and constructions of onetime signatures For example

It is common practice to authenticate messages sent during a commu

nication session via a fresh sessionkey that is typically authenticated

by a masterkey One of the reasons for this practice is the prevention

of a chosen message attack on the more valuable masterkey Other

reasons include allowing the use of a faster alas less secure authentica

tion scheme for the actual communication and introducing indep endence

b etween sessions

In particular the number of do cuments that can b e signed should denitely b e smaller

than the square ro ot of the size of the tree or else two do cuments are likely to b e assigned

the same leaf Furthermore we cannot use a small tree eg of size even if we know

that the total number of do cuments that will ever b e signed is small eg b ecause in this

case the probability that two do cuments are assigned the same leaf is to o big eg

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER SIGNATURES AND MESSAGE AUTHENTICATION

Observe the analogy b etween the treehashing of Construction

and the authentication tree of Construction Despite the many

dierences in b oth cases the value of each internal no de authenticates

the values of its children Thus the value of the ro ot may b e used to

authenticate a very large number of values asso ciated with the leaves

Furthermore the value asso ciated with each leaf can b e veried within

complexity that is linear in the depth of the tree

Recall the application of onetime signatures to the construction of CCA

secure publickey encryption schemes see the pro of of Theorem

Universal OneWay Hash Functions and using them

So far we have established that the existence of collisionfree hashing collections

implies the existence of secure signature schemes cf Corollary We seek

to weaken the assumption under which secure signature schemes can b e con

structed and b ear in mind that the existence of oneway functions is certainly a

necessary condition cf for example Exercise In view of Theorem we

may fo cus on constructing secure onetime signature schemes Furthermore re

call that secure lengthrestricted onetime signature schemes can b e constructed

based on any oneway function cf Corollary Thus the only b ottleneck

we face with resp ect to the assumption used is the transformation of length

restricted onetime signature schemes into general onetime signature schemes

For the latter transformation we have used a sp ecic incarnation of the hash

andsign paradigm ie Prop osition which refers to Construction

This incarnation utilizes collisionfree hashing and our goal is to replace it by

a variant of Construction that uses a seemingly weaker notion called

Universal OneWay Hash Functions

Denition

A collection of universal oneway hash functions is dened analogously to a

collection of collisionfree hash functions The only dierence is that the hardness

to form collisions requirement is relaxed Recall that in case of a collection of

collisionfree hash functions it was required that given the functions description

it is hard to form an arbitrary collision under the function In case of a collection

of universal oneway hash functions we only require that given the functions

description h and a preimage x it is hard to nd an x x so that hx hx

We refer to this requirement as to hardness to form designated collisions

Our formulation of the hardness to form designated collisions is actually

seemingly stronger Rather than b eing supplied with a random preimage x

the collisionforming algorithm is allowed to select x by itself but must do so

before being presented with the functions description That it the attack of the

collisionforming algorithm pro ceeds in three stages rst the algorithm selects a

preimage x next it is given a description of a randomly selected function h and

nally it is required to output x x such that hx hx We stress that

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CONSTRUCTIONS OF SIGNATURE SCHEMES

the third stage in the attack is also given the random coins used for pro ducing

the initial preimage at the rst stage This yields the following denition

where the rst stage is captured by a deterministic p olynomialtime algorithm

A which maps a sequence of coin tosses denoted U to a preimage of the

q n

function and the third stage is captured by algorithm A which is given the

very same coins U as well as the functions description

q n

Denition universal oneway hash functions UOWHF Let N

jsj

N A collection of functions fh f g f g g is called uni

sfg

versal oneway hashing UOWHF if there exists a probabilistic polynomialtime

algorithm I so that the fol lowing holds

admissible indexing technical For some polynomial p al l suciently

large ns and every s in the range of I it holds that n pjsj Fur

thermore n can be computed in polynomialtime from s

ecient evaluation There exists a polynomialtime algorithm that given

s and x returns h x

hard to form designated collisions For every polynomial q every deter

ministic polynomialtime algorithm A every probabilistic polynomialtime

algorithm A every polynomial p and al l suciently large ns

n n

h AI U h A U

I q n I q n

and AI U A U

q n q n

where the probability is taken over U and the internal coin tosses of

q n

algorithms I and A

The function is called the range sp ecier of the collection

We stress that the hardness to form designated collisions condition refers to the

q n

following threestage pro cess rst using a uniformly distributed r f g

the initial adversary generates a preimage x A r next a function h is

selected by invoking I and nally the residual adversary A is given h

as well as r used at the rst stage and tries to nd a preimage x x such that

def

hx hx Indeed Eq refers to the probability that x Ah r x

and yet hx hx

Note that the range sp ecier ie must b e sup erlogarithmic or else given

s and x U one is to o likely to nd an x x such that h x h x

n s s

by uniformly selecting x in f g Also note that any UOWHF collection

yields a collection of oneway functions see Exercise Finally note that any

collisionfree hashing is universally oneway hashing but the converse is false see

Exercise Furthermore it is not known whether collisionfree hashing can

b e constructed based on any oneway functions in contrast to Theorem

b elow

This condition is made merely to avoid annoying technicalities Note that jsj p oly n

holds by denition of I

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER SIGNATURES AND MESSAGE AUTHENTICATION

Constructions

We construct UOWHF collections in several steps starting with a related but

restricted notion and relaxing the restriction gradually until we reach the un

restricted notion of UOWHF collections The ab ovementioned restriction refers

to the length of the arguments to the function Most imp ortantly the hardness

to form designated collisions requirement will refer only to argument of this

length That is we refer to the following technical denition

Denition d r UOWHFs Let d r N N A collection of func

djsj r jsj

tions fh f g f g g is called d r UOWHF if there

sfg

exists a probabilistic polynomialtime algorithm I so that the fol lowing holds

For al l suciently large ns and every s in the range of I it holds that

jsj n

djsj

There exists a polynomialtime algorithm that given s and x f g

returns h x

For every polynomial q every deterministic polynomialtime algorithm A

mapping q nbit long strings to djsjbit long strings every probabilistic

polynomialtime algorithm A every polynomial p and al l suciently large

ns Eq holds

Of course we care only ab out d r UOWHF for functions d r N N satisfy

ing dn r n The case dn r n is trivial since collisions can b e avoided

altogether say by the identity map The minimal nontrivial case is when

dn r n Indeed this is our starting p oint Furthermore the construc

tion of such a minimal d d UOWHF undertaken in the rst step b elow is

the most interesting step to b e taken on our entire way towards the construction

of fulledged UOWHF We start with an overview of the steps taken along the

way

Step I Constructing d d UOWHFs This construction utilizes a oneway p er

mutation f and a family of hashing functions mapping nbit long strings

to n bit long strings A generic function in the constructed collection

is obtained by comp osing a hashing function with f that is the resulting

n n n n

function is h f f g f g where h f g f g is a

hashing function Hence the constructed functions shrink their input by

a single bit

Intuitively a random hashing function h maps the f images in a random

manner whereas the preimages under h f are the f inverses of the preim

ages under h Thus seeking to invert f on y we may select x f g

and h at random such that hf x hy and seek a collision with the

Here we chose to make a more stringent condition requiring that jsj n rather than

n p oly jsj In fact one can easily enforce this more stringent condition by mo difying I into

ln n

I so that I I for a suitable function l N N satisfying l n p oly n and

n p oly l n

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CONSTRUCTIONS OF SIGNATURE SCHEMES

designated preimage x under h f It follows that the ability to form

designated collisions can b e translated to inverting f on a random image

Transforming this intuition into an actual pro of is the most interesting

part of the current section

Step I I Constructing d d UOWHFs Here we merely comp ose random func

tions taken from collections as constructed in Step I Successively applying

d such functions we map the d bit long preimage to a d bit long im

age

Intuitively ability to form designated collisions with resp ect to the con

structed collection yields such an ability with resp ect to one of the orig

inal collections In the actual argument we rely on the fact that the

denition of d d UOWHF refers also to adversaries that get the ran

dom coins used for pro ducing the designated preimage and not merely the

designated preimage itself

Step I I I In this step we construct lengthunrestricted quasiUOWHFs that

shrink their input by a factor of two These functions are constructed by

applying a single random function taken from a collection as constructed

in Step II to each blo ck of d consequetive bits of the preimage Clearly

a collision of the entire sequence of blo cks yields collisions at some blo ck

Step IV Obtaining fulledged UOWHFs This construction is analogous to the

one used in Step I I We merely comp ose random functions taken from a

collection as constructed in Step I I I Successively applying t such functions

we essentially map nbit long preimages to nbit long images

Detailed descriptions of these four steps follow

Step I Constructing d d UOWHFs We show how to construct

lengthrestricted UOWHFs that shrink their input by a single bit Our con

struction can b e carried out using any oneway p ermutation In addition we

use a family of hashing functions S as dened in Section Recall that

n n n

a function selected uniformly in S maps f g to f g in a pairwise

indep endent manner that the functions in S are easy to evaluate and that

for some p olynomial p it holds that log jS j pn

Construction a d d UOWHF Let f f g f g be a

and length preserving function and let S be a family of hashing functions

such that log jS j pn for some polynomial p Specically suppose that

log jS j fn ng as in Exercises and of Chapter Then for

def

n pn n

every s S f g and every x f g we dene h x h f x

n s

def

Tedious details In case jsj fpn n N g we dene h h where s

is the longest prex of s satisfying js j fpn n N g We refer to an

m m

index selection algorithm that on input uniformly selects s f g

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER SIGNATURES AND MESSAGE AUTHENTICATION

djsj djsj

That is h f g f g where dm is the largest integer n

satisfying pn m Note that d is monotonically nondecreasing and that for

ps the corresp onding d is onto ie dpn n for every n

The analysis presented b elow uses in an essential way an additional prop

erty of the ab ovementioned families of hashing functions sp ecically we assume

that give two preimageimage pairs it is easy to uniformly generate a hashing

function in the family that is consistent with these two mapping conditions

Furthermore to facilitate the analysis we use a sp ecic family of hashing func

tions presented in Exercise of Chapter functions in S are describ ed by

a pair of elements of the nite eld GF so that the pair a b describ es the

function h that maps x GF to the n bit prex of the nbit repre

sentation of ax b where the arithmetics is of the eld GF This sp ecic

family satises all the additional prop erties required in the next prop osition see

Exercise

Prop osition Suppose that f is a oneway permutation and that S is

j a family of hashing functions as dened in Section such that log jS

satises the fol lowing two conditions n Furthermore suppose that S

C Al l but a negligible fraction of the functions in S are to

C There exists a probabilistic polynomialtime algorithm that given y y

n n

f g and z z f g outputs a uniformly distributed element of

fs S h y z i f gg

s i i

Then fh g as in Construction is a d d UOWHF for dm

sfg

bmc

h f yields Pro of Sketch Intuitively forming designated collisions under h

the ability to invert f on a random y b ecause the collisions are due to h which

may b e selected such that h y h f x for any given y and x We stress

s s

one b eing x itself x under h that typically there are only two preimages of h

s s

which is given to the collisionnder and the other b eing f y Thus ability

to form a designated collision with x yields ability to invert f on a random

y by selecting a random s such that h y h x and forming a designated

collision under h More precisely supp ose we wish to invert f on a random

image y Then we may invoke a collisionnder which rst outputs some x

supply it with a random s satisfying h y h x and hop e that it forms a

collision ie nds a dierent preimage x satisfying h x h x Indeed

s s

typically the dierent preimage must b e f y which means that whenever

the collisionnder succeeds we also succeed ie invert f on y Details follow

Evidently the pro of is by a reducibility argument Supp ose that we are given

a probabilistic p olynomialtime algorithm A that forms designated collisions

under fh g with resp ect to preimages pro duced by a deterministic p olynomial

time algorithm A which maps pnbit strings to nbit strings Then we

construct an algorithm A that inverts f On input y f x where n jy j jxj

algorithm A pro ceeds as follows

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CONSTRUCTIONS OF SIGNATURE SCHEMES

Select r uniformly in f g and compute x A r and y f x

Select s uniformly in fs S h y h y g

s s

Recall that y is the input to A and y is generated by A at Step

Invoke A on input s r and output whatever A do es

By Condition C Step can b e implemented in probabilistic p olynomialtime

Turning to the analysis of algorithm A we consider the b ehavior of A on

input y f x for a uniformly distributed x f g which implies that y

is uniformly distributed over f g We rst observe that for every xed r

selected in Step if y is uniformly distributed in f g then s as determined

in Step is almost uniformly distributed in S

q n

On the distribution of s as selected in Step Fixing r f g means

that y f A r f g is xed Using the pairwise indep endence

n n

it follows that for each y f g n fy g the cardinality prop erty of S

def

n n n

j Furthermore h y h y g equals jS fs S of S

s s y

n n

in case h is to the string s resides in exactly two sets S s one b eing

s y

Recalling that all but a negligible fraction of the h s are to S

s y

ie Condition C it follows that each such function is selected with

n n n n

j Other functions ie j jS probability jS

n n

nonto functions are selected with negligible probability

By the construction of A which ignores y in Step the probability that

f x y is negligible but we could have taken advantage of this case to o by

augmenting Step such that if y y then A halts with output x Note

that in case f x y and h is to if A returns x such that x x and

h x h x then it holds that f x y

s s

def

Justifying the last claim Let v h y and supp ose that h is to

s s

Then by Step and f x y it holds that x f y and x are the

two preimages of v h x h x under h where h h f is to

s s s s

b ecause f is to and h is to Since x x is also a preimage of v

under h it follows that x x

We conclude that if A forms designated collisions with probability n then

A inverts f with probability n n where is a negligible function ac

counting for the negligible probability that h is not to Indeed we rely on

the fact that s as selected in Step is distributed almost uniformly and fur

thermore that each to function app ears with exectly the right probability

The prop osition follows

Step I I Constructing d d UOWHFs We now take the second step

on our way and use any d d UOWHF in order to construct a d d

UOWHF That is we construct lengthrestricted UOWHFs that shrink their

input by a factor of The construction is obtained by comp osing a sequence

of dierent functions taken from dierent d d UOWHFs That is each

function in the sequence shrinks the input by one bit and the comp osition of

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER SIGNATURES AND MESSAGE AUTHENTICATION

d functions shrinks the initial d bit long input by a factor of For simplicity

we assume that the function d N N is onto and monotonically nondecreasing

In such a case we denote by d m the smallest natural number n satisfying

dn m and so d dn n

djsj djsj

Construction a d d UOWHF Let fh f g f g g

sfg

s s s where d N N is onto and nondecreasing Then for every

ddne

d dni dn

where each s f g and every x f g we dene

def

x h h x h h

s s s

1 2 s s

dd(n)2e

def

x for i ddne we set x and x h That is letting x

i i s

h x x Note that djs j dn i and jx j dn i

i i

ddn e

indeed hold

Tedious details We refer to an index selection algorithm that on input

def

ddne

determines the largest integer n such that m m d dn

d dni

i uniformly selects s s such that s f g

ddne

def

and s f g and lets h h

s s s s s

0 1 1

dd(n)2e dd(n)2e

dn bdnc

sj we have h f g f g where n is the That is for m j

ddne

d dn i Thus d m dn largest integer such that m

d j sj dd jsje

where n is as ab ove that is we have h f g f g with

sj dn Note that for dn n as in Construction it d j

m follows More generally if holds that d O n dn and d m

for some p olynomial p it holds that pdn n dn for all ns then for

some p olynomial p it holds that p d m m d m for all ms b ecause

d dn n dn We call such a function sucientlygrowing that is d N N

is sucientlygrowing if there exists a p olynomial p so that for every n it holds

that pdn n Eg for every xed the function dn n is

sucientlygrowing

Prop osition Suppose that fh g is a d d UOWHF where

sfg

d N N is onto nondecreasing and sucientlygrowing Then for some

sucientlygrowing function d N N Construction is a d dd e

UOWHF

Pro of Sketch Intuitively a designated collision under h yields a des

s s

def

x x and x h s That is let x ignated collision under one of the h

i i s s

i i

s s s one can nd an for i ddne Then if given x and

x x such that h x h x then there exists an i so that x x and

s s

x x where the x s are dened analogously to the x h x h

i s i s

i i

i i j

We stress that b ecause x s Thus we obtain a designated collision under h

j s

do es not shrink its input to o much the length of s is p olynomially related h

by using the s and thus forming collisions with resp ect to h to the length of

collisionnder for h yields a contradiction s

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CONSTRUCTIONS OF SIGNATURE SCHEMES

The actual pro of uses the hypothesis that it is hard to form designated col

lisions when one is also given the coins used in the generation of the preimage

and not merely the preimage itself In particular we construct an algorithm

s when given not only x that forms designated collision under one of the h

i s

but rather also x which yields x as ab ove The following details are quite

tedious and merely provide an implementation of the ab ove idea

As stated the pro of is by a reducibility argument We are given a prob

abilistic p olynomialtime algorithm A that forms designated collisions under

g with resp ect to preimages pro duced by a deterministic p olynomialtime fh

algorithm A that maps p nbit strings to nbit strings We construct al

gorithms A and A such that A forms designated collisions under fh g with

resp ect to preimages pro duced by algorithm A which maps pnbit strings to

nbit strings for a suitable p olynomial p Sp ecically p N N is and

pn p d dn n n d dn where the factor of app earing in

the expression is due to the shrinking factor of h

We start with the description of A that is the algorithm that generates

preimages of fh g Intuitively A selects a random j uses A to obtain a

preimage x of fh g generates random s s and outputs a preimage

x for i j Algorithm A will g computed by x h x of fh

i i s j s

i j

and b e given x or rather the coins used to generate x and a random h

j j s

will try to form a collision with x under h

j s

Detailed description of A Recall that p is a p olynomial dn n and

def def

d n p oly n Let pn n n q n p q n where q n

d dn On input r f g algorithm A pro ceeds as follows

Write r r r r such that jr j n jr j n q n and jr j p q n

Using r determine m in fn n q ng and j f q ng such that

b oth m and j are almost uniformly distributed in the corresp onding sets

ddn e

Compute the largest integer n such that m d dn i

If d dn j n then output the dnbit long sux of r

Comment the output in this case is immaterial to our pro of

Otherwise ie n d dn j which is the case we care ab out do

Let s s s b e a prex of r such that

ddn e

js j m d dn i

and js j d dn i for i j

Let x A r where r is the p d dn bit long sux of r

Comment x f g

x For i j compute x h

i i s

Output x f g Note that dn dn j

As stated ab ove we only care ab out the case in which Step is applied

This case o ccurs with noticeable probability and the description of the

following algorithm A refers to it

Algorithm A will b e given x as pro duced ab ove along with or actually

and will try only the coins used in its generation as well as a random h

On input s f g viewed as s to form a collision with x under h

j j s j

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER SIGNATURES AND MESSAGE AUTHENTICATION

and the coins given to A algorithm A op erates as follows First A selects

j and s s s exactly as A do es which is the reason that A needs the

coins used by A Next A tries to obtain a collision under h by invoking

A r s where r is the sequence of coins that A handed to A and s

s s s s s s where s s are uniformly selected

j j j

dn dn

A r s h by A Finally A outputs h

s s

1 j 1

n pn

Detailed description of A On input s f g and r f g algo

rithm A pro ceeds as follows

Using r determine m j and n exactly as done by A

If d dn j n then ab ort

Otherwise ie n d dn j do

Determine s s s and r exactly as A do es at its Step

d dn i

Uniformly select s s such that s f g

j i

ddn e

and set s s s s s s s

j j

ddn e

A s r Invoke A on input s r and obtain x

Comment x f g

x h For i j compute x

i i

Output x f g

Clearly if algorithms A and A run in p olynomialtime then so do A and A

and if p is a p olynomial then so is p We now lower b ound the probability that

A succeeds to form designated collisions under fh g with resp ect to preimages

pro duced by A We start from the contradiction hypothesis by which the

is nonnegligible corresp onding probability for A wrt A

Let use denote by m the success probability of A on uniformly distributed

m p m

input s r f g f g Let n b e the largest integer so that m

ddn e

d dn i Then there exists a j f dn g such that with

probability at least md n on input s r where s s s s

ddn e

def

x h is as ab ove A outputs an x x A r such that h

s s

1 j 1

x Fixing this h x h h x and h h h

s s s s s s

1 j 1 j 1 j 1

m j and n let n d dn j and consider what happ ens when A is

n pn

invoked on uniformly distributed s r f g f g With probability

def

at least n nq n over the p ossible r s the values of m and j are

determined to equal the ab ove Conditioned on this case A is invoked on

m p m

uniformly distributed input s r f g f g and so a collision

at the j hashing function o ccurs with probability at least md n Note

that m p oly n n p olyn and d n p oly n This implies that A

def

m p olyn

succeeds with probability at least n n with resp ect

d n p olyn

to preimages pro duced by A Thus if is nonnegligible then so is and the

prop osition follows

Step I I I Constructing lengthunrestricted quasiUOWHFs that shrink

their input by a factor of two The third step on our way consists of us

ing any d dUOWHF in order to construct quasi UOWHFs that are ap

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CONSTRUCTIONS OF SIGNATURE SCHEMES

plicable to any input length but shrink each input to half its length rather

than to a xed length that only dep ends on the function description The re

sulting construct do es not t Denition b ecause the functions output

length dep ends on the functions input length yet the function can b e applied

to any input length rather than only to a single length determined by the func

tions description Thus the resulting construct yields a d d UOWHF for

any p olynomiallyb ounded function d eg d n n whereas in Construc

tion the function d is xed and satises d n n The construction

itself amounts to parsing the input into blo cks and applying the same function

taken from a d dUOWHF to each blo ck

djsj

Construction a d d UOWHF for any d Let fh f g

bdjsjc

f g g where d N N is onto and nondecreasing Then for

sfg

every s f g and every x f g we dene

def

dnjx j

h x h x h x

s s t

where x x x jx j dn and jx j dn for i t The

t t i

index selection algorithm of fh g is identical to the one of fh g

Clearly jh xj djxj dne bdnc which is approximately jxj pro

vided jxj dn Furthermore Construction satises Conditions and

of Denition provided that fh g satises the corresp onding conditions of

Denition We thus fo cus of the hardness to form designated collisions

ie Condition

Prop osition Suppose that fh g is a d dUOWHF where

sfg

d N N is onto nondecreasing and sucientlygrowing Then Construc

tion satises Condition of Denition

yields a designated Pro of Sketch Intuitively a designated collision under h

collision under h That is consider the parsing of each string into blo cks of

length dn as in the ab ove construction Now if given x x x and s one

can nd an x x x x such that h x h x then t t and there

s s

exists an i such that x x and h x h x Details follow

i s i s

i i

The actual pro of is by a reducibility argument Given a probabilistic p olynomial

time algorithm A that forms designated collisions under fh g with resp ect to

preimages pro duced by a p olynomialtime algorithm A we construct algorithms

A and A such that A forms designated collisions under fh g with resp ect to

preimages pro duced by algorithm A Sp ecically algorithm A invokes A

and uses extra randomness supplied in its input to uniformly select one of the

dnbit long blo cks in the standard parsing of the output of A That is the

randomtap e used by algorithm A has the form r i and A outputs the i

blo ck in the parsing of the string A r Algorithm A is derived analogously

That is given s f g and the coins r r i used by A algorithm A

invokes A on input s and r obtains the output x and outputs the i blo ck

in the standard parsing of x

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER SIGNATURES AND MESSAGE AUTHENTICATION

Note that whenever we have a collision under h ie a pair x x such

that h x h x we obtain at least one collision under the corresp onding

s s

h ie for some i the ith blo cks of x and x dier and yet b oth blo cks are

mapp ed by h to the same image Thus if algorithm A succeeds in forming

designated collisions wrt fh g with probability n then algorithm A succeeds

in forming designated collisions wrt fh g with probability at least ntn

where tn is a b ound on the runningtime of A which also upp erb ounds the

length of the output of A and so tn is a lower b ound on the probability that

the colliding strings dier at a certain uniformly selected blo ck The prop osition

follows

Step IV Obtaining fulledged UOWHFs The last step on our way

consists of using any quasiUOWHFs as constructed in Step I I I ab ove to obtain

fulledged UOWHFs That is we use quasiUOWHFs that are applicable to

any input length but shrink each input to half its length rather than to a xed

length that only dep ends on the function description The resulted construct

is a UOWHF as dened in Denition The construction is obtained by

comp osing a sequence of dierent functions each taken from the same quasi

UOWHF that is the following construction is analogous to Construction

Construction a UOWHF Let fh f g f g g such

sfg

ijsj

that jh xj jxj for every x f g where i N Then for every

n n

s s f g every t N and x f g we dene

def

x h h x t h h

s s s

1 2 t s s

1 n

def

x for i t x and x h That is we let x

i i s

Tedious details Strings of length that is not of the form n are padded

into strings of such form in a standard manner We refer to an index

selection algorithm that on input determines n b mc uniformly

def

n mn

selects s s f g and s f g and lets h

s s s

0 1

s s

x implies that b oth equal the pair x h Observe that h

s s s s s s

0 1 n 0 1 n

x where t dlog jxjn e dlog jx jne Note that h h t h

s s s

1 2 t

nlog n

f g f g and that m js s s j n h

s s s

0 1 n

Prop osition Suppose that fh g satises the conditions of De

sfg

nition except that it maps arbitrary input strings to outputs having half

the length rather than a length determined by jsj Then Construction

constitutes a collection of UOWHFs

The pro of of Prop osition is omitted b ecause it is almost identical to the

pro of of Prop osition

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CONSTRUCTIONS OF SIGNATURE SCHEMES

Conclusion Combining the ab ove four steps we obtain a construction of full

edged UOWHFs based on any oneway p ermutation That is combining

Prop osition and we obtain

Theorem If oneway permutations exist then universal oneway hash

functions exist

Note that the only barrier towards constructing UOWHF based on arbitrary

oneway functions is Prop osition which refers to oneway permutations

Thus if we wish to construct UOWHF based on any oneway function then

we need to present an alternative construction of a d d UOWHF ie an

alternative to Construction which fails in case f is to Such a

construction is actually known and so the following result is known to hold but

its pro of it to o complex to t in this work

Theorem Universal oneway hash functions exist if and only if oneway

functions exist

We stress that the dicult direction is the one referred to ab ove ie from one

way functions to UOWHF collections For the much easier converse direction

see Exercise

Onetime signature schemes based on UOWHF

Using universal oneway hash functions we present an alternative construc

tion of onetime signature schemes based on lengthrestricted onetime signature

schemes Sp ecically we replace the hashandsign paradigm ie Construc

tion in which collisionfree hashing functions were used by the following

variant ie Construction in which universal oneway hash functions are

used instead The dierence b etween the two constructions is that here the de

scription of the hashing function is not a part of the signing and verication

keys but is rather selected onthey by the signing algorithm and app ears as

part of the signature Furthermore the description of the hash function is b eing

authenticated by the signer together with the hash value It follows that the

forging adversary which is unable to break the lengthrestricted onetime sig

nature scheme must form a designated collision rather than an arbitrary one

However the latter is infeasible to o by virtue of the UOWHF collection in use

We comment that the same new construction is applicable to lengthrestricted

signature schemes rather than to onetime ones we stress that in the lat

ter case a new hashing function is selected at random each time the signing

algorithm is applied In fact we present the more general construction

Actually there is a minor gap b etween Constructions and In the former

we constructed functions that hash every x into a value of length djxj dn e bdn c

whereas in the latter we used functions that hash every x f g into a value of length

i n

For example if f x f x for f g then forming designated collisions

under Construction is easy Given x one outputs x and indeed a collision is

formed already under f

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER SIGNATURES AND MESSAGE AUTHENTICATION

Construction the hash and sign paradigm revisited Let N N

such that n n n Let G S V be an restricted signature scheme as

jr j

in Denition and fh f g f g g be a collection of

r fg

functions with an indexing algorithm I as in Denition We construct

a general signature scheme G S V with G identical to G as fol lows

Signing with S On input a signingkey s in the range of G and a docu

ment f g algorithm S proceeds in two steps

Algorithm S invokes I to obtain I

Algorithm S invokes S to produce S h

Algorithm S outputs the signature

Verication with V On input a verifyingkey v a document f g and an

al leged signature algorithm V invokes V and outputs V h

Recall that secure restricted onetime signature schemes exist for any p oly

nomial provided that oneway function exist Thus the fact that Construc

tion requires n n is not a problem In applying Construction

jr j

one should rst choose a family of UOWHFs fh f g f g g

r fg

then determine n n n and use a corresp onding secure restricted one

time signature scheme

Let us pause to compare Construction with Construction Re

call that in Construction the function description I is pro duced

and xed as part of b oth keys by the keygeneration algorithm Thus the

function description is trivially authenticated ie by merely b eing part of

the vericationkey Consequently in Construction the S signature of

In contrast in Construction a fresh new function equals S h

description is selected p er each signature and thus needs to b e authen

Since we ticated Hence the S signature equals the pair S h

want to b e able to use lengthrestricted onetime signatures we let the signing

via a single signature Alternatively algorithm authenticate b oth and h

we could have used two instances of the onetime signature scheme G S V

one for signing the function description and the other for signing the hash

value h

Prop osition Suppose that G S V is a secure restricted signature

jr jjr j

scheme and that fh f g f g g is a collection of UOWHFs

r fg

Then G S V as dened in Construction is a secure fulledged sig

nature scheme Furthermore if G S V is only a secure restricted onetime

signature scheme then G S V is a secure onetime signature scheme

Pro of Sketch The pro of follows the underlying principles of the pro of of

Prop osition That is forgery with resp ect to G S V yields either

forgery with resp ect to G S V or a collision under the hash function where in

the latter case a designated collision is formed in contradiction to the hypothesis

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CONSTRUCTIONS OF SIGNATURE SCHEMES

regarding the UOWHF For the furthermorepart the observation underlying

the pro of of Prop osition still holds ie the number of queries made by

the forger constructed for G S V equals the number of queries made by the

forger assumed towards the contradiction for G S V Details follow

Given an adversary A attacking the complex scheme G S V we con

struct an adversary A that attacks the restricted scheme G S V The ad

versary A uses I the indexing algorithm of the UOWHF collection and its

oracle S in order to emulate the oracle S for A This is done in a straightfor

ward manner that is algorithm A emulates S by using the oracle S exactly

as S actually do es Sp ecically to answer a query q algorithm A generates

q to its own oracle ie S and answers with a I forwards a h

s a

q We stress that A issues a single S query a a where a S a h

s s a

query made by A When A outputs a do cumentsignature pair p er each S

relative to the complex scheme G S V algorithm A tries to use this pair

in order to form a do cumentsignature pair relative to the restricted scheme

G S V That is if A outputs the do cumentsignature pair where

then A will output the do cumentsignature pair where

def

Assume that with nonnegligible probability n the probabilistic p olynomial

time algorithm A succeeds in existentially forging relative to the complex

i i th

scheme G S V Let denote the i query and answer pair made

by A and b e the forged do cumentsignature pair that A outputs in case

i i

and We consider the following of success where

two cases regarding the forging event

for all is That is the S signed value h Case h

(i)

is dierent from all in the forged signature ie the value h

queries made to S In this case the do cumentsignature pair h

constitutes a success in existential forgery relative to the restricted scheme

G S V

h for some i That is the S signed value Case h

(i)

used in the forged signature equals the i query made to S although

i i i

h although In Thus and h

(i)

this case the pair forms a designated collision under h and

(i)

we do not obtain success in existential forgery relative to the restricted

scheme We stress that A selects b efore it is given the description of

the function h and thus its ability to later pro duce such that

(i)

h yields a violation of the UOWHF prop erty h

(i)

Thus if Case o ccurs with probability at least n then A succeeds in

its attack on G S V with probability at least n which contradicts the

security of the restricted scheme G S V On the other hand if Case o ccurs

with probability at least n then we derive a contradiction to the diculty

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER SIGNATURES AND MESSAGE AUTHENTICATION

of forming designated collision with resp ect to fh g Details regarding Case

We start with a sketch of the construction of an algorithm that attempts

to form designated collisions under a randomly selected hash function Lo osely

sp eaking we construct an algorithm B that tries to form designated collisions

by emulating the attack of A on an random instance of G S V that B

selects by itself Thus B can easily answer any signingquery referred to it by

A but in one of these queries the index of which is selected at random by B

algorithm B will use a hash function given to it from the outside rather than

generating such a function at random by itself In case A forges a signature

while using this sp ecic functionvalue pair as in Case algorithm B obtains

and outputs a designated collision

We now turn to the actual construction of algorithm B which attempts to

form designated collisions under a randomly selected hash function Recall that

such an algorithm op erates in three stages see discussion in Section rst

the algorithm selects a preimage x next it is given a description of a function

h and nally it is required to output x x such that hx hx We

stress that the third stage in the attack is also given the random coins used for

pro ducing the preimage x at the rst stage Now on input algorithm B

pro ceeds in three stages

Stage Algorithm B selects uniformly i f tng where tn b ounds the

and thus the number of queries it makes runningtime of A G

Next B selects s v G and emulate the attack of A v on S

as follows All queries except the i one while answering the queries of S

are emulated in the straightforward manner ie by executing the program

th j

of S as stated That is for j i the j query denoted is answered

j j j

n j

by pro ducing I computing S h using

(j )

j j

The i query the knowledge of s and answering with the pair

i i

of A denoted will b e used as the designated preimage Once is

issued by A algorithm B completes its rst stage without answering

this query and the rest of the emulation of A will b e conducted by the

third stage of B

Stage At this p oint ie after B has selected the designated preimage

B obtains a description of a random hashing function h thus completing

its second op eration stage That is this stage consists of B b eing given

r I

th i

Stage Next algorithm B answers the i query ie by applying S to

the pair r h Subsequent queries are emulated in the straightfor

ward manner as in Stage When A halts B checks whether A has

output a valid do cumentsignature pair as in Case ie

h for some j and whether the collision formed is and h

(j )

th i

indeed on the i query ie j i which means that h h

r r

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CONSTRUCTIONS OF SIGNATURE SCHEMES

When this happ ens B outputs which is dierent than and doing

so it succeeded in forming a designated collision with under h

and A makes at most tn Now if Case o ccurs with probability at least

queries then B succeeded in forming a designated collision with probability at

least b ecause the actions of A are oblivious of the random value of

i This contradicts the hypothesis that fh g is UOWHF

As mentioned ab ove the furthermore part of the prop osition follows by ob

serving that if the forging algorithm A makes at most one query then the same

holds for the algorithm A constructed ab ove Thus if G S V can b e broken

via a singlemessage attack then either G S V can b e broken via a single

message attack or one can form designated collisions wrt fh g In b oth cases

we reach a contradiction

Conclusion Combining the furthermorepart of Prop osition Corol

lary and the fact that UOWHF collections imply oneway functions see

Exercise we obtain

Theorem If there exist universal oneway hash functions then secure

onetime signature schemes exist too

Conclusions and comments

Combining Theorems and we obtain

Corollary If oneway permutations exists then there exist secure signa

ture schemes

Like Corollary Corollary asserts the existence of secure public

key signature schemes based on an assumption that do es not mention trap

do ors Furthermore the assumption made in Corollary seems weaker

than the one made in Corollary We can further weaker the assump

tion by using Theorem which was stated without a pro of rather than

Theorem Sp ecically combining Theorems and we

establish Theorem That is secure signature schemes exist if and only

if oneway functions exist Furthermore as in the case of MACs see Theo

rem the resulting signature schemes have signatures of xed length

Comment the hashandsign paradigm revisited We wish to high

light the revised version of the hashandsign paradigm that underlies Construc

tion Similar to the original instantiation of the hashandsign paradigm

ie Construction Construction is useful in practice We warn

that using the latter construction requires verifying that fh g is a UOWHF

rather than collisionfree The advantage of Construction over Con

struction is that the former relies on a seemingly weaker construct that is

hardness of forming designated collisions as in UOWHF is a seemingly weaker

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER SIGNATURES AND MESSAGE AUTHENTICATION

condition than hardness of forming any collision as in collisionfree hashing

On the other hand Construction is simpler and more ecient eg one

need not generate a new hashing function p er each signature

Additional Prop erties

We briey discuss several prop erties of interest that some signature schemes

enjoy We rst discuss prop erties that seem unrelated to the original purp ose of

signature schemes but are useful towards utilizing signature scheme as a building

blo ck towards constructing other primitives eg see Section These

related prop erties are having unique valid signatures and b eing supersecure

where the latter term indicates the infeasibility of nding a dierent signature

even to a do cument for which a signature was obtained during the attack We

next turn to prop erties that oer some advantages in the originallyintended

applications of signature schemes Sp ecically we consider prop erties that allow

to sp eedup resp onsetime in some settings see Sections and and a

prop erty supp orting legitimate revoking of forged signatures see Section

Unique signatures

Lo osely sp eaking we say that a signature scheme G S V either a privatekey

or a publickey one has unique signatures if for every p ossible vericationkey v

and every do cument there is a unique such that V

Note that this prop erty is related but not equivalent to the question of

whether or not the signing algorithm is deterministic which is considered in

Exercise Indeed if the signing algorithm is deterministic then for every key

pair s v and do cument the result of applying S to is unique and indeed

V S Still this do es not mean that there is no other which

v s

is never pro duced by applying S to such that V On the other

s v

hand the unique signature prop erty may hold even in case the signing algorithm

is randomized but as mentioned ab ove this randomization can b e eliminated

anyhow

Can secure signature schemes have unique signatures The answer

is denitely armative and in fact we have seen several such schemes in the

previous sections Sp ecically all privatekey signature schemes presented in

Section have unique signatures Furthermore every secure privatekey sig

nature scheme can b e transformed into one having unique signatures eg by

combining deterministic signing as in Exercise with canonical verication as

in Exercise Turning to publickey signature schemes we observe that if the

oneway function f used in Construction is then the resulting secure

lengthrestricted onetime publickey signature scheme has unique signatures

b ecause each f image has a unique preimage In addition Construction

ie the basic hashandsign paradigm preserves the unique signature prop erty

Let use summarize all these observations

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

ADDITIONAL PROPERTIES

Theorem secure schemes with unique signatures

Assuming the existence of oneway functions there exist secure message

authentication schemes having the unique signature property

Assuming the existence of oneway functions there exist secure length

restricted onetime publickey signature schemes having the unique sig

nature property

Assuming the existence of oneway functions and collisionfree hash

ing collections there exist secure onetime publickey signature schemes

having the unique signature property

In addition it is known that secure fulledged signature schemes having the

unique signature prop erty can b e constructed based on a mild variant on the

standard RSA assumption see reference in Section Still this leaves

op en the question of whether or not secure signature schemes having the unique

signature prop erty exist if and only if secure signature schemes exist

Sup ersecure signature schemes

In case the signature scheme do es not p osses the unique signature prop erty

it makes sense to ask whether given a messagesignature pair it is feasible to

pro duce a dierent signature to the same message More generally we may

ask whether it is feasible for a chosen message attack to pro duce a dierent

signature to any of the messages to which it has obtained signatures Such

ability may b e of concern in some applications but indeed not in the most

natural applications Combining the new concern with the standard notion of

security we derive the following notion which we call sup ersecurity A signature

scheme is called sup ersecure if it is infeasible for a chosen message attack to

pro duce a valid messagesignature pair that is dierent from all queryanswer

pairs obtained during the attack regardless of whether or not the message used

in the new pair equals one of the previous queries Recall that ordinary security

only requires the infeasibility of pro ducing a valid messagesignature pair such

that the message part is dierent from all queries made during the attack

Do sup ersecure signature schemes exist Indeed every secure signature

scheme that has unique signatures is sup ersecure but the question is whether

sup ersecurity may hold for a signature scheme that do es not p osses the unique

signature prop erty We answer this question armatively

Theorem sup ersecure signature schemes Assuming the existence of

oneway functions there exist supersecure publickey signature schemes

In other words sup ersecure signature schemes exist if and only if secure signa

ture schemes exist We comment that the signature scheme constructed in the

following pro of do es not have the unique signature prop erty

Pro of Starting from Part of Theorem we can use any oneway

function to obtain sup ersecure lengthrestricted onetime signature schemes

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER SIGNATURES AND MESSAGE AUTHENTICATION

However wishing to use arbitrary oneway functions we will rst show that uni

versal oneway hashing functions can b e used instead of oneway functions

in order to obtain sup ersecure lengthrestricted onetime signature schemes

Next we will show that sup ersecurity is preserved by two transformations

presented in Section sp ecically the transformation of lengthrestricted

onetime signature schemes into onetime signature schemes ie Construc

tion and the transformation of the latter to fulledged signature

schemes ie Construction Applying these transformations to the

rst scheme we obtained the desired sup ersecure signature scheme Recall

that Construction also uses universal oneway hashing functions but the

latter can b e constructed using any oneway function cf Theorem

Claim If there exist universal oneway hashing functions then for every

p olynomiallyb ounded N N there exist supersecure restricted onetime

signature schemes

Pro of sketch We mo dify Construction by using universal oneway hashing

functions UOWHFs instead of oneway functions Sp ecically for each preim

age placed in the signingkey we select at random and indep endently a UOWHF

and place its description b oth in the signing and verication keys That is

n n

f g and UOWHFs s on input we uniformly select s s s

n n

j j j

and compute v h s for i n and j h h h h

i i i

n n

We let s s s s s h h h h h and v

n n n n

h s h v or and output the keypair s v v v v v

n n

s h v Signing and verication are mo died actually we may set s v

accordingly that is the sequence is accepted as a valid signature

i i

v of the string wrt the vericationkey v if and only if h

i i

for every i In order to show that the resulting scheme is sup ersecure under

a chosen onemessage attack we adapt the pro of of Prop osition Sp eci

cally xing such an attacker A we consider the event in which A violated the

sup ersecurity of the scheme There are two cases to consider

The valid signature formed by A is to the same do cument for which A has

obtained a dierent signature via its single query In this case for at least

one of the UOWHFs contained in the vericationkey we obtain a preim

age of the image also contained in the vericationkey that is dierent

from the one contained in the signingkey Adapting the construction pre

sented in the pro of of Prop osition we derive in this case an ability

to form designated collisions in contradiction to the UOWHF prop erty

We stress that the preimages contained in the signingkey are selected

indep endently of the description of the UOWHFs b ecause b oth are se

lected indep endently by the keygeneration pro cess In fact we obtain a

designated collision for a uniformly selected preimage

We comment that a simpler pro of suces in case we are willing to use a oneway p ermu

tation rather than an arbitrary oneway function In this case we can start from Part

of Theorem rather than prove Claim and use Theorem rather than

Theorem which has a more complicated pro of

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

ADDITIONAL PROPERTIES

The valid signature formed by A is to a do cument that is dierent from

the one for which A has obtained a signature via its single query In

this case the pro of of Prop osition yields ability to invert a randomly

selected UOWHF on a randomly selected image which contradicts the

UOWHF prop erty as shown in Exercise

Thus in b oth cases we derive a contradiction and the claim follows 2

Claim When applying the revisedhashandsign construction ie Con

struction to a supersecure lengthrestricted signature scheme the result

is a supersecure signature scheme In case the lengthrestricted scheme is only

sup ersecure under a chosen onemessage attack the same holds for the the

resulting lengthunrestricted scheme

Pro of sketch We follow the pro of of Prop osition and use the same con

struction of a forger for the lengthrestricted scheme based on the forger for the

complex scheme Furthermore we consider the two forgery cases analyzed in

the pro of of Prop osition

for all is In this case the analysis is h Case h

(i)

exactly as in the original pro of Note that it do es not matter whether or

not since in b oth sub cases we obtain a valid signature for a new

string with resp ect to the lengthrestricted signature scheme Thus in this

case we derive a violation of the ordinary security of the lengthrestricted

scheme

i i

for some i The case was han h Case h

(i)

dled in the original pro of by showing that it yields a designated collision

under h which is supp osedly a UOWHF so here we only handle the

(i)

case Now supp ose that sup ersecurity of the complex scheme

i i

Then by the case hypothesis was violated that is

i i

which implies it must b e that This means that we

derive a violation of the supersecurity of lengthrestricted scheme b ecause

h is a dierent valid S signature of h

(i)

h Actually we have to consider all is for which h

(i)

holds and observe that violation of sup ersecurity for the complex

scheme means that must b e dierent from each of the corresp ond

ing s Alternatively we may rst prove that with overwhelmingly

high probability all s must b e distinct

Recall that denotes the do cumentsignature pair output by the original forger

i i th

ie for the complex scheme whereas denotes the i queryanswer pair to that

scheme The do cumentsignature pair that we output as a candidate forgery wrt length

def

restricted scheme is where h and Recall that a generic

valid do cumentsignature for the complex scheme has the form where

satises V h

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER SIGNATURES AND MESSAGE AUTHENTICATION

Thus in b oth cases we reach a contradiction to the sup ersecurity of the length

restricted signature scheme which establishes our claim that the resulting com

plex signature scheme must b e sup ersecure We stress that like in Prop osi

tion the ab ove pro of establishes that sup ersecurity for onetime attacks

is preserved to o b ecause the constructed forger makes a single query p er each

query made by the original forger 2

Claim Construction when applied to sup ersecure onetime sig

nature schemes yields sup ersecure signature schemes

Pro of sketch We follow the pro of of Prop osition which actually means

following the pro of of Prop osition Sp ecically we use almost the same

construction of a forger for the onetime scheme G S V based on the forger

for the complex scheme G S V The only dierence is in the last step ie

the use of the output where we consider two forgery cases that are related but

not equal to the forgery cases analyzed in the pro of of Prop osition

The rst case is when the forged signature for the complex scheme G S V

contains an authentication path for a leaf that equals some authentica

tion path provided by the signingoracle as part of the answer to some

oraclequery of the attacker In this case the onetime vericationkey

asso ciated with this leaf must b e authentic ie equal the one used by

the signingoracle and we derive violation of the sup ersecurity of the in

stance of G S V asso ciated with it We consider two sub cases regarding

the actual do cument authenticated via this leaf

a The rst sub case is when no oracleanswer has used the instance

asso ciated with this leaf for signing an actual do cument This may

happ en if the instance asso ciated with the sibling of this leaf was used

for signing an actual do cument In this sub case as in the pro of of

Prop osition we obtain ordinary forgery with resp ect to the

instance of G S V asso ciated with the leaf without making any

query to that instance of the onetime scheme

b Otherwise ie the instance asso ciated with this leaf was used for

signing an actual do cument the forged do cumentsignature pair dif

fers from the queryanswer pair that used the same leaf The dier

ence is either in the actual do cument or in the part of the complex

signature that corresp onds to the onetime signature pro duced at the

leaf b ecause by the case hypothesis the authentication paths are

identical In b oth sub cases this yields violation of the sup ersecurity

of the instance of G S V asso ciated with that leaf Sp ecically

in the rst subsubcase we obtain a onetime signature to a dierent

Recall that forging a signature for the general scheme requires either using an authen

tication path supplied by the general signingoracle or pro ducing an authentication path

dierent from all paths supplied by the general signingoracle These are the cases consid

ered b elow In contrast in the pro of of Prop osition we only considered the text part of

these paths ignoring the question of whether or not the authenticating onetime signatures

provided as part of these paths are equal

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

ADDITIONAL PROPERTIES

do cument ie violation of ordinary security whereas in the sec

ond subsubcase we obtain a dierent onetime signature to the same

do cument ie only a violation of sup ersecurity We stress that

in b oth sub cases the violating signature is obtained after making a

single query to the instance of G S V asso ciated with that leaf

We now turn to the second case ie forgery with resp ect to G S V

is obtained by pro ducing an authentication path dierent from all paths

supplied by the signingoracle In this case we obtain violation of the

onetime sup ersecurity of the scheme G S V asso ciated with one of

the internal no des sp ecically the rst no de on which the relevant paths

dier The argument is similar but not identical to the one given in the

pro of of Prop osition Sp ecically we consider the maximal prex of

the authentication path provided by the forger that equals a corresp onding

prex of an authentication path provided by the signingoracle as part of

its answer The extension of this path in the complexsignature provided

by the forger either uses a dierent pair of onetime vericationkeys or

uses a dierent onetime signature to the same pair In the rst subcase

we obtain a onetime signature to a dierent do cument ie violation of

ordinary security whereas in the second subcase we obtain a dierent

onetime signature to the same do cument ie only a violation of sup er

security We stress that in b oth sub cases the violating signature is

obtained after making a single query to the instance of G S V asso ciated

with that internal no de

Thus in b oth cases we reach a contradiction to the sup ersecurity of the one

time signature scheme which establishes our claim that the general signature

scheme must b e sup ersecure 2

Combining the three claims and recalling that universal oneway hashing func

tions can b e constructed using any oneway function cf Theorem the

theorem follows

Olineonline signing

Lo osely sp eaking we say that a signature scheme G S V either a private

key or a publickey one has an olineonline signing process if signatures are

pro duced in two steps where the rst step is indep endent of the actual message

to b e signed That is the computation of S can b e decoupled into two steps

o on

p erformed by randomized algorithms that are denoted S and S resp ectively

on o

such that S S S s Thus one may prepare or precompute

S s b efore the do cument is known ie oline and pro duce the actual

signature online once the do cument is presented by invoking algorithm

on o

S on input S s This yields improvement in online resp onsetime

to signing requests provided that S is signicantly faster than S itself This

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER SIGNATURES AND MESSAGE AUTHENTICATION

improvement is worthwhile in many natural settings in which online resp onse

time is more imp ortant than oline pro cessing time

o o

We stress that S must b e randomized b ecause otherwise S s can b e

incorp orated in the signingkey Indeed one may view algorithm S as an

augmentation of the keygeneration algorithm that pro duces random extensions

of the signingkey onthey ie after the vericationkey was already deter

mined We stress that algorithm S is invoked once p er each do cument to

b e signed but this invocation can take place at any time and even b efore the

do cument to b e signed is even determined In contrast it may b e insecure to

reuse the result obtained from S for two dierent signatures

Can secure signature schemes employ meaningful olineonline sign

ing algorithms Of course any algorithm can b e vacuously decoupled into

two steps but we are only interested in meaningful decouplings in which the

oline step takes most of the computational load Interestingly schemes based

on the refreshing paradigm cf Section lend themselves to such a de

coupling Sp ecically in Construction only the last step in the signing

pro cess dep ends on the actual do cument and needs to b e p erformed online

Furthermore this last step amounts to applying the signing algorithm of a one

time signature scheme which is typically much faster than all the other steps

which can b e p erformed oline

Incremental signatures

Lo osely sp eaking we say that a signature scheme G S V either a privatekey

or a publickey one has an incremental signing process if the signing pro cess

can b e sp edup when given a valid signature to a textually related do cument

The actual denition refers to a set of text editing op erations such as delete

word and insert word where more p owerful op erations like cutting a do cument

into two parts and pasting two do cuments may b e supp orted to o Sp ecically

we require that given a signingkey a do cumentsignature pair and a

sequence of edit op erations ie sp ecifying the op eration type and its lo cation

one may mo dify into a valid signature for the mo died do cument in

time prop ortional to the number of edit op erations rather than prop ortional to

j j Indeed here time is measured in a directaccess mo del of computation Of

course the time saving on the signing side should not come at the exp ense of

a signicant increase in verication time In particular verication time should

only dep end on the length of the nal do cument and not on the number of edit

For example when using the onetime signature scheme suggested in Prop osition

pro ducing onetime signatures amounts to applying a collisionfree hashing function and out

putting corresp onding parts of the signingkey This is all that needs to b e p erformed in the

online step of Construction In contrast the oline step of Construction calls

for n applications of a pseudorandom function n applications of the keygeneration algorithm

of the onetime signature scheme and n applications of the signing algorithm of the onetime

signature scheme

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

ADDITIONAL PROPERTIES

op erations

An incremental signing pro cess is b enecial in settings where one needs to

sign many textually related do cuments eg in simple contracts much of the

text is almost identical and the few edit changes refer to the partys sp ecic

details as well as to sp ecic clauses that may b e mo died from their standard

form in order to meet the partys sp ecic needs In some cases the privacy

of the edit sequence may b e of concern that is one may require that the nal

signature b e distributed in a way that only dep ends on the nal do cument rather

than dep end also on do cuments that contributed signatures to the pro cess of

generating the nal signature

Can secure signature schemes employ a meaningful incremental sign

ing pro cess Here meaningful refers to the set of supp orted textmo dication

op erations The answer is armative and furthermore these schemes may even

protect the privacy of the edit sequence Below we refer to edit op erations that

deleteinsert xlength bitstrings called blo cks fromto a do cument as well as

to the cut and paste op erations mentioned ab ove

Theorem secure schemes with incremental signing pro cess

Assuming the existence of oneway functions there exist secure message

authentication schemes having an incremental signing process that supports

block deletion and insertion Furthermore the scheme uses a xedlength

authentication tag

Assuming the existence of oneway functions there exist secure private

key and publickey signature schemes having an incremental signing pro

cess that supports block deletion and insertion as wel l as cut and paste

Furthermore in both parts the resulting schemes protect the privacy of the edit

sequence

Part is proved by using a variant of an ecient message authentication scheme

that is related to the schemes presented in Section Part is proved by using

an arbitrary secure privatekey or publickey signature scheme that pro duces n

bit long signatures to O nbit long strings where n is the security parameter

Indeed the scheme need only b e secure in the O nrestricted sense The

do cument is stored in the leaves of a tree and the signature essentially

consists of the tags of all internal no des where each internal no de is tagged by

applying the basic signature scheme to the tags of its children One imp ortant

observation is that a tree supp orts the said op erations while incurring only a

logarithmic in its size cost that is by mo difying only the links of logarithmic

many no des in the tree Thus only the tags of these no des and their ancestors

This rules out the naive unsatisfactory solution of providing a signature of the original

do cument along with a signature of the sequence of edit op erations More sophisticated variants

of this naive solution eg refreshing the signature whenever enough edits have o ccurred are

not ruled out here but typically they will not satisfy the privacy requirement discussed in the sequel

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER SIGNATURES AND MESSAGE AUTHENTICATION

in the tree needs to b e mo died in order to form the corresp ondingly mo died

signature Privacy of the edit sequence is obtained by randomizing the standard

mo dication pro cedure for trees By analogy to Construction and

Prop osition the incremental signature scheme is secure

Failstop signatures

Lo osely sp eaking a failstop signature scheme is a signature scheme augmented

by a noninteractive pro of system that allows the legitimate signer to prove

to anybo dy that a particular do cumentsignaturepair was not generated by

himher Actually keygeneration involves interaction with an administrating

entity which publicizes the resulting vericationkeys rather than just hav

ing the user publicize hisher vericationkey In addition we allow memory

dep endent signing pro cedures as in Denition The system guarantees

the following four prop erties where the rst two prop erties are the standard

ones

Proper operation In case the user is honest the signatures pro duced by

it will pass the verication pro cedure with resp ect to the corresp onding

vericationkey

Infeasibility of forgery In case the user is honest forgery is infeasible in

the standard sense That is every feasible chosen message attack may suc

ceed to generate a valid signature to a new message only with negligible

probability

Revocation of forged signatures In case the user is honest and forgery

is committed the user can prove that indeed forgery has b een commit

ted That is for every chosen message attack even a computationally

unbounded one that pro duces a valid signature to a new message ex

cept for with negligible probability the user can eciently convince anyone

which knows the vericationkey that this valid signature was forged ie

pro duced by someb o dy else

Infeasibility of revoking unforged signatures It is infeasible for a user to

create a valid signature and later convince someone that this signature was

forged ie pro duced by someb o dy else Indeed it is p ossible but not

feasible for a user to cheat here

Furthermore Prop erty ie revocation of forged signatures holds also in

case the administrating entity participates in the forgery and even if it b ehaves

improp erly at the keygeneration stage In contrast the other items hold only

if the administrating entity b ehaves prop erly during the keygeneration stage

Allowing memorydep endent signing is essential to the existence of secure failstop signa

ture schemes see Exercise

It seems reasonable to restrict even computationallyunbounded adversaries to

p olynomiallymany signing requests

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

MISCELLANEOUS

To summarize failstop signature schemes allow to prove that forgery has o c

curred and so oer an informationtheoretic security guarantee to the p otential

signers yet the guarantee to p otential signaturerecipients is only a computa

tional one In contrast when following the standard semantics of signature

schemes the p otential signers have only a computational security guarantee and

the signature recipients have an absolute guarantee whenever the verication

algorithm accepts a signature it is by denition an unrevocable one

Do secure failstop signature schemes exist Assuming the intractability

of either the Discrete Logarithm Problem or of integer factorization the answer

is armative Indeed in failstop signature schemes each do cument must have

sup erp olynomially many p ossible valid signatures with resp ect to the publicly

known vericationkey but only a negligible fraction of these will b e prop erly

pro duced by the legitimate signer who knows a corresp onding signingkey which

is not uniquely determined by the vericationkey Furthermore any strategy

even an infeasible one is unlikely to generate signatures corresp onding to the

actual signingkey On the other hand it is infeasible given one signingkey to

pro duce valid signatures ie wrt the vericationkey that do not corresp ond

to the prop er signing with this signingkey

Miscellaneous

On Using Signature Schemes

Once dened and constructed signature schemes may b e and are actually

used as building blo cks towards various goals that are dierent from the original

motivation Still the original motivation ie reliable communication of infor

mation is of great imp ortance and in this subsection we discuss several issues

regarding the use of signature schemes towards achieving it The discussion is

analogous to a similar discussion conducted in Section but the analogous

issues discussed here are even more severe

Using privatekey schemes the key exchange problem As discussed

in Section using a privatekey signature scheme ie a message authentica

tion scheme requires the communicating parties to share a secret key This key

can b e generated by one party and secretly communicated to the other party

by an alternative exp ensive secure and reliable channel Often a preferable

solution consists of employing a keyexchange or rather keygeneration proto

col which is executed over the standard unreliable communication channel

We stress that here unlike in Section we must consider active adver

saries Consequently the fo cus should b e on keyexchange proto cols that are

secure against active adversaries and are called unauthenticated keyexchange

The ab ove refers to the natural convention by which a pro of of forgery frees the signer of

any obligations implied by the do cument In this case when accepting a valid signature the

recipient is only guaranteed that it is infeasible for the signer to revoke the signature

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER SIGNATURES AND MESSAGE AUTHENTICATION

proto cols b ecause the messages received over the channel are not necessarily

authentic Such proto cols are to o complex to b e treated in this section and

the interested reader is referred to

Using statedep endent message authentication schemes In many com

munication settings it is reasonable to assume that the authentication device may

maintain and mo dify a state eg a counter or a clo ck Furthermore in many

applications a changing state eg a clo ck must b e employed anyhow in order

to prevent reply of old messages ie each message is authenticated along with

its transmission time In such cases statedep endent schemes as discussed in

Section may b e preferable See further discussion in Section and

analogous discussion in Section

Using signature schemes publickey infrastructure The standard use

of publickey signature schemes in reallife applications requires a mechanism

for providing the veriers with the signers authentic vericationkey In small

systems one may assume that each user holds a lo cal record of the verication

keys of all other users However this is not realistic in largescale systems and

so the verier must obtain the relevant vericationkey onthey in a reliable

way ie typically certied by some trusted authority In most theoretical

work one assumes that the vericationkeys are p osted and can b e retrieved

from a publicle that is maintained by a trusted party which makes sure that

each user can p ost only vericationkeys b earing its own identity Alternatively

such trusted party may provide each user with a signed certicate stating the

authenticity of the users vericationkey In practice maintaining such a public

le andor handling such certicates is a ma jor problem and mechanisms

that implement these abstractions are typically referred to by the generic term

publickey infrastructure PKI For a discussion of the practical problems

regarding PKI deployment see eg Chap

On Information Theoretic Security

In contrast to the bulk of our treatment which fo cuses on computationally

b ounded adversaries in this section we consider computationallyunbounded ad

versaries Sp ecically we consider computationallyunbounded chosen message

attacks but do b ound as usual by an unknown p olynomial the total number

of bits in the signingqueries made by such attackers We call a privatekey or

publickey signature scheme p erfectlysecure or informationtheoretically secure

if even such computationallyunbounded attackers may succeed in forgery only

with negligible probability

It is easy to see that no publickey signature scheme may b e p erfectly

secure not even in a lengthrestricted onetime sense The reason is that a

computationallyunbounded adversary that is given a vericationkey can nd

without making any queries a corresp onding signingkey which allows it to

forge signatures to any message of its choice

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

MISCELLANEOUS

In contrast restricted types of message authentication schemes ie private

key signature schemes may b e p erfectlysecure Sp ecically given any p oly

nomial b ound on the total number of messages to b e authenticated one may

construct a corresp onding statebased p erfectlysecure message authentication

scheme In fact a variant of Construction will do where a truly random

onetime pad is used instead of the pseudorandom sequence generated using the

nextstep function g Indeed this onetime pad will b e part of the key which

in turn must b e longer than the total number of messages to b e authenticated

We comment that the use of a state is essential for allowing several messages to

b e authenticated in a p erfectlysecure manner Pro ofs of b oth statements can

b e derived following the ideas underlying Exercise

On Some Popular Schemes

The reader may note that we have avoided the presentation of several p opular

signature schemes ie publickey ones As noted in Section some of

these schemes eg RSA and DSS seem to satisfy some weak ie

weaker than Denition notions of security Variants of these schemes can

b e proven to b e secure in the random oracle model provided some standard

intractability assumptions hold cf eg However we are not satised

with either of these types of results and articulate our opinion next

On using weaker denitions We distinguish b etween weak denitions that

make clear reference to the abilities of the adversary eg onemessage attacks

lengthrestricted message attacks and weak notions that make hidden and un

sp ecied assumptions regarding what may b e b enecial to the adversary eg

forgery of signatures for meaningful do cuments In our opinion the fact that

the hidden assumptions often feel right makes them even more dangerous

b ecause it means that they are never seriously considered and not even formu

lated For example it is often claimed that existential forgery see Section

is merely of theoretical concern but these claims are never supp orted by any

evidence or by a sp ecication of the types of forgery that are of real practical

concern Furthermore it has b een demonstrated that this merely theoretical

issue yields a real security breach in some imp ortant practical applications Still

weak denition of security may make sense provided that they are clearly stated

and that one realizes their limitations and in particular their nongenerality

The interested reader is referred to for a comprehensive treatment of var

ious security notions Since the current work fo cuses on generallyapplicable

denitions we chose not to discuss such weaker notions of security and not to

present schemes that can b e evaluated only with resp ect to these weaker notions

On the Random Oracle Metho dology The Random Oracle Methodol

ogy consists of two steps First one designs an ideal system in which all

parties including the adversary have oracle access to a truly random function

and proves this ideal system to b e secure in which case one says that the system

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER SIGNATURES AND MESSAGE AUTHENTICATION

is secure in the random oracle model Next one replaces the random oracle by

a go o d cryptographic hashing function providing all parties including the

adversary with the succinct description of this function and hop es that the re

sulting actual scheme is secure We warn that this hop e has no justication

Furthermore there exist encryption and signature schemes that are secure in

the Random Oracle Mo del but replacing the random function used in them

by any function ensemble yields a totally insecure scheme cf

Historical Notes

As in case of encryption schemes the rigorous study of the security of private

key signature schemes ie message authentication schemes has lagged b ehind

the corresp onding study of publickey signature schemes The current section is

organized accordingly

Signature Schemes

The notion of a publickey signature scheme was introduced by Die and

Hellman who also suggested to implement it using trap do or p ermutations

Concrete implementations were suggested by Rivest Shamir and Adleman

and by Rabin However denitions of security for signature schemes were

presented only a few years afterwards

A rst rigorous treatment of security notions for signature schemes was sug

gested by Goldwasser Micali and Yao but their denition is weaker than

the one followed in our text Sp ecically the adversarys queries in the deni

tion of are determined nonadaptively and obliviously of the publickey

Assuming the intractability of factoring they also presented a signature scheme

that is secure under their denition We mention that the security denition

of considers existential forgery and is thus stronger than security notions

considered b efore

A comprehensive treatment of security notions for signature schemes which

culminates in the notion used in our text was presented by Goldwasser Micali

and Rivest Assuming the intractability of factoring they also presented a

signature scheme that is secure in the sense of Denition This was the

rst time that a signature scheme was proven secure under a simple intractability

assumption such as the intractability of factoring Their pro of has refuted a

folklore attributed to Ron Rivest by which no such constructive pro of may

exist b ecause the mere existence of such a pro of was b elieved to yield a forging

pro cedure Whereas the two schemes of were inherently memory

Recall that in contrast the metho dology of Section which is applied often in the

current chapter refers to a situation in which the adversary do es not have direct oracle access

to the random function and do es not obtain the description of the pseudorandom function

used in the latter implementation

The aw in this folklore is ro oted in implicit unjustied assumptions regarding the

notion of a constructive pro of of security based on factoring In particular it was implicitly

assumed that the signature scheme uses a vericationkey that equals a comp osite number

and that the pro of of security reduces the factoring of such a comp osite N to forging with

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

MISCELLANEOUS

dep endent the scheme of has a memoryless variant cf and

Following Goldwasser Micali and Rivest research has fo cused on con

structing secure signature schemes under weaker assumptions In fact as noted

in their construction of secure signature schemes can b e carried out using

any collection of clawfree trapdoor p ermutation pairs The clawfree require

ment was omitted in whereas the seemingly more fundamental trap do or

requirement was omitted by Naor and Yung Finally Romp el showed that

one may use arbitrary oneway functions rather oneway p ermutations and

thus established Theorem The progress briey summarized ab ove was en

abled by the use of many imp ortant ideas and paradigms some of them were

introduced in that b o dy of work and some were only revisited and prop erly

formalized Sp ecically we refer to the introduction of the refreshing paradigm

in the use of authentication trees cf and the use of the

hashandsign paradigm rigorously analyzed in the introduction of Univer

sal OneWay Hash Functions and the adaptation of the hashandsign paradigm

to them in and the use of onetime signature schemes cf

We comment that our presentation of the construction of signature schemes

is dierent from the one given in any of the ab ove cited pap ers Sp ecically the

main part of Section ie Sections and is based on a variant of

the signature scheme of in which collisionfree hashing cf are used

instead of universal oneway hashing cf

Message Authentication Schemes

Message authentication schemes were rst discussed in the information theoretic

setting where a onetime pad was used Such schemes were rst suggested

in and further developed in The onetime pad can b e implemented

by a pseudorandom function or a online pseudorandom generator yielding

only computational security as we have done in Section Sp ecically

Construction is based on In contrast in Section we

have followed a dierent paradigm that amounts to applying a pseudorandom

function to the message or its hashedvalue rather than using a pseudorandom

function or a online pseudorandom generator to implement a onetime pad

This alternative paradigm is due to and is followed in works such as

Indeed following this paradigm one may fo cus on constructing generalized

pseudorandom function ensembles as in Denition based on ordinary

pseudorandom functions as in Denition See comments on alternative

resp ect to the vericationkey N In such a case the folklore suggested that the reduction

yields an oracle machine for factoring the vericationkey where the oracle is the corresp onding

signingoracle asso ciated with N and that the factorization of the vericationkey allows to

eciently pro duce signatures to any message However none of these assumptions is justied

In contrast the vericationkey in the scheme of consists of a pair N x and its security

is proven by reducing the factoring of N to forging with resp ect to the vericationkey N r

where r is randomly selected by the reduction Furthermore on input N the factoring

reduction pro duces a vericationkey N r that typically do es not equal the vericationkey

N x b eing attacked and so given access to a corresp onding signingoracle do es not allow to

factor N

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER SIGNATURES AND MESSAGE AUTHENTICATION

presentations at the end of Sections and as well as in Section C

Additional topics

Collisionfree hashing was rst dened in Construction is also due

to with underlying principles that can b e traced to Construction

is due to Construction is due to

Unique signatures and sup ersecurity have b een used in several works but

were not treated explicitly b efore The notion of olineonline signature scheme

was introduced and rst instantiated in The notion of incremental cryp

tographic schemes and in particular incremental signature schemes was intro

duced and instantiated in In particular the incremental MAC of

ie Part of Theorem builds on the message authentication scheme

of and the incremental signature scheme that protects the privacy of the

edit sequence is due to building up on Failstop signatures were

dened and constructed in

Suggestion for Further Reading

As mentioned ab ove the work of Goldwasser Micali and Rivest contains a

comprehensive treatment of security notions for signature schemes Their

treatment refers to two parameters the type of attack and the type

of forgery that follows from it The most severe type of attack allows the ad

versary to adaptively select the do cuments to b e signed as in Denition

The most lib eral notion of forgery refers to pro ducing a signature to any do c

ument for which a signature was not obtained during the attack again as in

Denition Thus the notion of security presented in Denition is

the strongest among the notions discussed in Still in some applications

weaker notions of security may suce We stress that one may still b enet from

the denitional part of but the constructive part of should b e ignored

b ecause it is sup erseded by later work on which our presentation is based

Ptzmanns b o ok contains a comprehensive discussion of many asp ects

involved in the integration of signature schemes in reallife systems In addition

her b o ok surveys variants and augmentations of the notion of signature schemes

viewing the one treated in the current b o ok as ordinary The fo cus is on fail

stop signature schemes Chap but much attention is given to the

presentation of a general framework Chap and to review of other non

ordinary schemes Sec

As hinted in Section our treatment of the construction of message

authentication schemes is merely the tip of an iceb erg The interested reader

is referred to for details on the onetime pad approach

and to for alternative approaches Constructions and dis

cussion of AXU hashing functions which are stronger than generalized hashing

functions can b e found in

The constructions of universal oneway hash functions presented in Sec

tion use any oneway p ermutation and do so in a generic way The number

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

MISCELLANEOUS

of applications of the oneway p ermutation in these constructions is linearly re

lated to the dierence b etween the number of input and output bits in the hash

function In it is shown that as far as generic blackbox constructions

go this is essentially the b est p erformance that one can hop e for

In continuation to the discussion in Section regarding the construc

tion of signature schemes based on authentication trees we refer to reader

to in which sp ecic implementations of a generalization of Construc

tions and are presented Sp ecically these works utilize an authen

tication tree of large degree rather than binary trees as in Section

In continuation to the discussion in Section we mention that signature

schemes having unique signatures are related but not equivalent to veriable

pseudorandom functions as dened and constructed in In particular

the construction in do es yield signature schemes having unique signatures

and thus the latter exist under a quite standard assumption regarding RSA

We comment that signature schemes having unique signatures are stronger than

invariant signature schemes as dened in and studied in

Op en Problems

The known construction of signature schemes from arbitrary oneway func

tions is merely a feasibility result It is indeed an imp ortant op en problem

to provide an alternative construction that may b e practical and still utilize an

arbitrary oneway function We b elieve that providing such a construction may

require the discovery of imp ortant new paradigms

Exercises

Exercise Deterministic Signing and Verication algorithms

Using a pseudorandom function ensemble show how to transform

any privatekey or publickey signature scheme into one employing

a deterministic signing algorithm

Using a pseudorandom function ensemble show how to transform

any message authentication scheme into one employing deterministic

signing and verication algorithms

Verify that all signature schemes presented in the current chapter

employ a deterministic verication algorithm

By Boaz Barak Show that any lengthrestricted signature scheme

can b e easily transformed into one employing a deterministic veri

cation algorithm

Guideline for Part Augment the signingkey with a description of

a pseudorandom function and apply this function to the string to b e signed

in order to extract the randomness used by the original signing algorithm

Guideline for Part Analogous to Part Highlight your use of

the privatekey hypothesis Alternatively see Exercise

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER SIGNATURES AND MESSAGE AUTHENTICATION

Guideline for Part First transform the signature scheme into one

in which all valid signatures are of length that is b ounded by a p olynomial in

the security parameter and the length of the messages Let n denote the

length of the do cuments and mn denote the length of the corresp onding

signatures Next amplify the verication algorithm such that its error

nmnn

probability is smaller than Finally incorp orate the coin

tosses of the verication algorithm in the vericationkey making the former

deterministic

Exercise Canonical verication in the privatekey version Show that with

out loss of generality the verication algorithm of a privatekey signature

scheme may consist of comparing the alleged signature to one pro duced

by the verication algorithm itself that is the verication algorithm uses

a vericationkey that equals the signingkey and pro duces signatures ex

actly as the signing algorithm

Why do es this claim fail with resp ect to publickey schemes

Guideline Use Part of Exercise and conclude that the on a xed

input the signing algorithm always pro duces the same output Use the

fact that by Exercise the existence of message authentication schemes

implies the existence of pseudorandom functions which are used in Part

of Exercise

Exercise Augmented attacks in the privatekey case In continuation to the

discussion in Section consider the denition of an augmented at

tack on a privatekey signature scheme in which the adversary is allowed

vericationqueries

Show that in case the privatekey signature scheme has unique valid

signatures it is secure against augmented attacks if and only if it is

secure against ordinary attacks as in Denition

Assuming the existence of secure privatekey signature schemes as in

Denition present such a secure scheme that is insecure under

augmented attacks

Guideline Part Analyze the emulation outlined in the pro of of

Prop osition Sp ecically ignoring the redundant vericationqueries

for which the answer is determined by previous answers consider the

probability that the emulation has gambled correctly on all the verication

queries upto and including the rst such query that should b e answered

armatively

Guideline Part Given any secure MAC G S V assume without

loss of generality that in the keypairs output by G the vericationkey

equals the signingkey Consider the scheme G S V with G G

where S S V V and V i

s v

s v v

if b oth V and the i bit of v is Prove that G S V is secure

under ordinary attacks and present an augmented attack that totally breaks

it ie obtains the signingkey s v

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

MISCELLANEOUS

Exercise The signature may reveal the document Both for privatekey and

publickey signature schemes show that if such secure schemes exist then

there exist secure signature schemes in which any valid signature to a

message allows to eciently recover the entire message

Exercise On the triviality of some lengthrestricted signature schemes

Show that for logarithmically b ounded secure restricted private

key signature schemes ie message authentication schemes can b e

trivially constructed without relying on any assumption

In contrast show that the existence of a secure restricted public

key signature scheme even for implies the existence of oneway

functions

Guideline Part On input the key generator uniformly selects

(n)

s f g and outputs the key pair s s View s s s

(n)

where each s is an nbit long string and consider any xed ordering of the

n n

strings of length n The signature to f g is dened as s

where i is the index of in the latter ordering

Guideline Part Let G S V b e a restricted publickey signature

n n

scheme Dene f r v if on input and coins r algorithm G

generates a keypair of the form v Assuming that algorithm A inverts

f with probability n we construct a forger that attacks G S V as

follows On input a verication key v the forger invokes A on input v

With probability n the forger obtains r such that f r v In such

a case the forger obtains a matching signingkey s ie s v is output by

G on coins r and so can pro duce valid signatures to any string of its

choice

Exercise Failure of Construction in case n O log n Show that

if Construction is used with a logarithmically b ounded then the

resulting scheme is insecure

Guideline Note that by asking for p olynomiallymany signatures the ad

versary may obtain two S signatures that use the same random identier

Sp ecically consider making the queries for all p ossible f g

and note that if and are S signed using the same identier then

we can derive a valid S signature to

Exercise Secure MACs imply oneway functions Prove that the existence

of secure message authentication schemes implies the existence of oneway

functions Sp ecically let G S V b e as in the hypothesis

To simplify the following two items show that without loss of gen

erality G uses n coins and outputs a signingkey of length n

Assume rst that S is a deterministic signing algorithm Prove that

def

f r S S is a oneway func

m s s m m

tion where s G r is the signingkey generated with coins r all

s are of length n jr j and m n i

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER SIGNATURES AND MESSAGE AUTHENTICATION

Extend the pro of to handle randomized signing algorithms thus es

tablishing the main result

Guideline Parts and Note that with high probability over

the choice of the s the m signatures ie S s determine a set

i i

R such that for every r R it holds that S S for most

G r

f g Note that G r do es not necessarily equal s Show that this

implies that the ability to invert f yields the ability to forge under a chosen

message attack Hint use m random signingqueries to pro duce a random

image of f and use the obtained preimage under f which contains an

adequate signingkey to forge a signature to a new random message The

extension to randomized signing is obtained by augmenting the preimage

of the oneway function with the coins used by the m invocations of the

signing algorithm

Exercise General pseudorandom functions yield general secure MACs Us

jsj

ing a pseudorandom function ensemble of the form ff f g f g g

sfg

construct a general secure message authentication scheme rather than a

lengthrestricted one

Guideline The construction is identical to Construction except

that here we use a general pseudorandom function ensemble rather than

the one used there The pro of of security is analogous to the pro of of

Prop osition

Exercise Consider a generalization of Construction in which the pseu

dorandom function is replaced by an arbitrary secure MAC such that on

input a signingkey r s a do cument f g is signed by applying

the MAC with signingkey s to h Show that for some secure MAC

and some collections of hash functions with negligible collision probability

the ab ove scheme is insecure

Guideline Use the fact that the MAC may reveal the rst part of its

argument whereas the hashing function may yield an output value in which

the second part is xed Furthermore it may b e easy to infer the hashing

function from suciently many inputoutput pairs and it may b e easy to

nd a random preimage of a given hash function on a given image Present

constructions that satisfy all these conditions and show how combining

them yields the desired result

Exercise Easily obtaining pseudorandom functions from certain MACs ad

vanced exercise based on Let G S V b e a secure message au

thentication schemes and supp ose that S is deterministic Furthermore

n n

supp ose that jG j n and that for every s x f g it holds

def

that jS xj n jS j Consider the Bo olean function ensem

s s

js j

where s is selected according to f g f gg ble ff

s s s s

1 2 1 2

n n

is G and s f g is uniformly distributed such that f

s s

1 2

and s Prove that dened to equal the innerpro duct mo d of S

this function ensemble is pseudorandom as dened in Denition for

the case dn n n and r n

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

MISCELLANEOUS

Guideline Consider hybrid exp eriments such that in the ith hybrid the

rst i queries are answered by a truly random Bo olean function and the

Note rest of the queries are answered by a uniformly distributed f

s s

1 2

that it seems imp ortant to use this nonstandard order of random versus

pseudorandom answers Show that distinguishability of the ith and i st

hybrids implies that a probabilistic p olynomialtime oracle machine can

have a nonnegligible advantage in the following game In the game the

is uniformly selected and the machine is rst asked to select next f

s s

1 2

but is not allowed the machine is given s as well as oracle access to S

or equivalently to distinguish query and is asked to guess f

s s

1 2

from a truly random bit At this p oint one may apply the f

s s

1 2

pro of of Theorem and deduce that the said oracle machine can b e

with nonnegligible probability when given mo died to construct S

but not b eing allowed the query in contradiction to oracle access to S

the security of the MAC

Exercise Prove that without loss of generality one can always assume that

a chosen message attack makes at least one query This holds for general

signature schemes as well as for lengthrestricted andor onetime ones

Guideline Given an adversary A that outputs a messagesignature pair

without making any query mo dify it such that it makes an arbitrary

j j

query f g n f g just b efore pro ducing that output

Exercise On perfectlysecure onetime message authentication MAC schemes

By p erfect or informationtheoretic security we mean that even computationally

unbounded chosen message attacks may succeed in forgery only with

negligible probability

Dene p erfect or informationtheoretic security for onetime MACs and

lengthrestricted onetime MACs Be sure to b ound the length of do cu

ments eg by some sup erp olynomial function also in the unrestricted

case see Part of the current exercise as well as Exercise

Prove the following without relying on any intractability assumptions

which are useless anyhow in the informationtheoretic context

For any p olynomiallyb ounded and p olynomialtime computable func

tion N N p erfectlysecure restricted onetime MACs can b e

trivially constructed

Using a suitable AXU family of hashing functions present a construc

tion of a p erfectlysecure onetime MAC Furthermore present such

a MAC in which the authenticationtags have xed length ie de

p ending on the length of the key but not on the length of the message

b eing authenticated

Note that the particular order of random versus pseudorandom answers in the hybrids

allows this oracle machine to generate the corresp onding hybrid while playing this game

prop erly That is the player answers the rst i queries at random sets to equal the i st

query uses the tested bit value as the corresp onding answer and uses s and the oracle S

to answer the subsequent queries It is also imp ortant that the game b e dened such that s

is given only after the machine has selected see

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER SIGNATURES AND MESSAGE AUTHENTICATION

Show that any p erfectlysecure onetime MAC that utilizes xed length

authenticationtags and a deterministic signing algorithm yields a

generalized hashing ensemble with negligible collision probability Sp ecif

ically for any p olynomial p this ensemble has a p pcollision

prop erty

Guideline For Part combine the ideas underlying Exercise and

Construction For Part use the ideas underlying Construction

and the pro of of Prop osition For Part given a MAC as in the

def

claim consider the functions h x S x where s is selected as in the

s s

keygeneration algorithm

Exercise Secure onetime publickey signatures imply oneway functions

In contrast to Exercise prove that the existence of secure onetime sig

nature schemes implies the existence of oneway functions Furthermore

prove that this holds even for restricted signature schemes that are secure

only under attacks that make no signingqueries

Guideline See guideline for Item in Exercise

Exercise Prove that the existence of collisionfree hashing collections im

plies the existence of oneway functions

Guideline Given a collisionfree hashing collection fh f g

jr j

f g g consider the function f r x r h x where say

r fg

jxj jr j jr j Prove that f is a oneway function by assuming towards

the contradiction that f can b e eciently inverted with nonnegligible prob

ability and deriving an ecient algorithm that forms collisions on random

h s Given r form a collision under the function h by uniformly se

r r

jr jjr j

lecting x f g and feeding the inverting algorithm with input

r h x Observe that with nonnegligible probability a preimage is ob

tained and that only with exp onentially vanishing probability this preimage

is r x itself Thus with nonnegligible probability we obtain a preimage

r x r x such that h x h x

r r

Exercise Secure MACs that hide the message In contrast to Exercise

show that if secure message authentication schemes exist then there exist

such schemes in which it is infeasible for a party not knowing the key

to extract from the signature any partial information ab out the message

except for the message length Indeed privacy of the message is for

mulated as the denition of semantic security of encryption schemes see

Chapter

Guideline Combine a message authentication scheme with an adequate

privatekey encryption scheme Refer to issues such as the type of secu

rity required of the encryption scheme and why the hypothesis yields the

existence of the ingredients used in the construction

Exercise In continuation to Exercise show that if there exist collision

free hashing functions then there exist message authentication schemes in

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

MISCELLANEOUS

which it is infeasible for a party not knowing the key to extract from the

signature any partial information ab out the message including the message

length How come we can hide the message length in this context whereas

we cannot do this in the context of encryption schemes

Guideline Combine a message authentication scheme having xed length

signatures with an adequate privatekey encryption scheme Again refer to

issues as in Exercise

Exercise Alterntaive formulation of statebased MACs by Boaz Barak

For S S S and V V V consider the following reformula

tion of Item of Denition For every pair s v in the range

n i

of G every sequence of messages s and every i it holds that

(j )

i i i i j j j j

V v S s where s S s and

(j )

(j ) (j 1) j )j

j j j j jS e j

v V v for j i Prove the

equivalence of the two formulations

Exercise Prove that the existence of collections of UOWHF implies the

existence of oneway functions Furthermore show that uniformly chosen

functions in any collection of UOWHFs are hard to invert in the sense of

Denition

Guideline Note that the guidelines provided in Exercise can b e mo d

ied to t the current context Sp ecically the suggested collisionforming

algorithm is given uniformly distributed r and x and invokes the inverter

on input r h x hoping to obtain a designated collision with x under h

r r

Note that the furthermore clause is implicit in the pro of

Exercise Assuming the existence of oneway functions show that there ex

ists a collection of universal oneway hashing functions that is not collision

free

Guideline Given a collection of universal oneway hashing functions

jsj

ff f g f g g consider the collection F ff f g

jsj

f g g dened so that f x f x if the jsjbit long prex of x is

dierent from s and f sx s otherwise Clearly F is not collision

free Show that F is a collection of universal oneway hashing functions

Exercise Show that for every nite family of functions H there exists

x y such that hx hy for every h H Furthermore show that for

H fh f g f g g this holds even for jxj jy j m jH j

Guideline Consider the mapping x h x h x where H

m t t

Since the number of p ossible images is at most we get a fh g

collision as so on as we consider more than preimages

Exercise Constructions of Hashing Families with Bounded Col lision Prob

ability In continuation to Exercise in Chapter consider the set of

functions S asso ciated with bym Toeplitz matrix that is h x T x

where T T is a Toeplitz matrix ie T T for all i j

ij ij ij

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

CHAPTER SIGNATURES AND MESSAGE AUTHENTICATION

Show that this family has collision probability Note that each by

m Toeplitz matrix is sp ecied using m bits

Guideline Note that we have eliminated the shifting vector b used in

Exercise of Chapter but this do es not eect the relevant analysis

Exercise Constructions of Generalized Hashing Families with Bounded Col

lision Property See denition in Section

Using a variant of the treehashing scheme of Construction

construct a generalized hashing ensemble with a f f collision

prop erty where f n Hint use a dierent hashing function

at each level of the tree

By Hugo Krawczyk Show that the treehashing scheme of Con

struction where the same hashing function is used in al l levels

of the tree fails in the current context That is there exists a hashing

mjr j mjr j

ensemble fh f g f g g with negligible collision

r r

probability such that applying Construction to it even with

depth two yields an ensemble with high collision probability

As in Part show that the blo ckchaining metho d of Construc

tion fails in the current context even for three blo cks

mjr j mjr j

Guideline Part Let fh f g f g g b e a

r r

hashing ensemble with collision probability cp Recall that such ensem

bles with mn n and cp n can b e constructed see Exer

cise Then consider the function ensemble fh f g

r r

m(n)

f g g where all r s are of length n such that h x is

r r

m(n)

dened as follows

def

dlog jxjmne

As in Construction break x into t consec

utive blo cks denoted x x and let d log t

def

x For j d and i Let i t let y

y y The hash value equals y jxj let y h

j i j i ji

def

The ab ove functions have description length N mn n and map strings

of length at most to strings of length mn It is easy to b ound

the collision probability for strings of equal length by the probability of

collision o ccuring in each of the levels of the tree In fact for x x

it suces to b ound the sum of the probabil x x such that x x

holds given that y ities that y y

d(j +1)

jdi e

j di e

jdi e

for j d Thus this generalized hashing y

d(j +1)

j di e

ensemble has a collision prop erty where N and N

mn cpn We stress that the collision probability of the treehashing

scheme grows linearly with the depth of the tree rather than linearly with

its size Recalling that we may use mn n and cpn we

12 12

N N

obtain using N n mn N and

as desired N N N

Guideline Part Given a hashing family as in the hypothesis mo d

m m m

ify it into fh f g f g g where s f g such that

rs rs

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

MISCELLANEOUS

m m m

w h w for sv for all v f g and h s h h

rs rs rs

each other w f g Note that the new family maintains the collision

probability of the original one upto an additive term of O On the

m m

other hand for every w f g it holds that TreeHash w

m m

w s v where v h w h h h h

rs rs rs rs rs

Guideline Part For h as in Part and every v f g it

m m m

holds that ChainHash v h h v h sv

rs rs rs

Exercise On the additional properties required in Proposition In

continuation to Exercise of Chapter show that the function family

S presented there satises the following two prop erties

All but a negligible fraction of the functions in S are to

There exists a probabilistic p olynomialtime algorithm that given

n n

y y f g and z z f g outputs a uniformly dis

tributed element of fs S h y z i f gg

s i i

Guideline Recall that each function in S is describ ed by a pair

of elements of the nite eld GF where the pair a b describ es the

function h that maps x GF to the n bit prex of the nbit

representation of ax b where the arithmetics is of the eld GF The

rst condition follows by observing that the function h is to if and

only if a The second condition follows by observing that h y z

i i

if and only if ay b v for some v that is a singlebit extension of z

i i i i

Thus generating a pair a b such that h y z for b oth is amounts to

i i

selecting random singlebit extensions v s and assuming y y solving

the system fay b v g for the variables a and b

i i i

Exercise Failstop signatures require a memorydependent signing process

In continuation to Section prove that a secure failstop signature

scheme must employ a memorydep endent signing pro cess as in Deni

tion

Guideline Supp ose towards the contradiction that there exist a secure

memoryless failstop signature scheme For every signingkey s f g

consider the randomized pro cess P in which one rst selects uniformly

x f g pro duces a random signature y S x and outputs the

pair x y Show that given p olynomiallymany samples of P one can

nd in exp onential time a string s f g such that with probability

at least the statistical distance b etween P and P is at most

Thus a computationally unbounded adversary making p olynomiallymany

signing queries can nd a signingkey that typically pro duces the same

signatures as the true signer It follows that either these signatures cannot

b e revoked or that the user may also revoke its own signatures

Authors Note First draft written mainly in May Ma jor re

visions completed and p osted in Feb and Feb Minor

revision completed and p osted in June

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

Bibliography

LM Adleman and M Huang Primality Testing and Abelian Varieties

Over Finite Fields SpringerVerlag Lecture Notes in Computer Science

Vol Preliminary version in th ACM Symposium on the

Theory of Computing

W Aiello and J Hastad Perfect ZeroKnowledge Languages can b e Rec

ognized in Two Rounds In th IEEE Symposium on Foundations of

Computer Science pages

M Ajtai Generating Hard Instances of Lattice Problems In th ACM

Symposium on the Theory of Computing pages

M Ajtai J Komlos E Szemeredi Deterministic Simulation in LogSpace

In th ACM Symposium on the Theory of Computing pages

W Alexi B Chor O Goldreich and CP Schnorr RSARabin Functions

Certain Parts are As Hard As the Whole SIAM Journal on Computing

Vol April pages

N Alon and JH Sp encer The Probabilistic Method John Wiley Sons

Inc

JH An and M Bellare Constructing VILMACs from FILMACs Mes

sage Authentication under Weakened Assumptions In Crypto Springer

Lecture Notes in Computer Science Vol pages

TM Ap ostol Introduction ot Analytic Number Theory Springer

H Attiya and J Welch Distributed Computing Fundamentals Simula

tions and Advanced Topics McGrawHill

L Babai Trading Group Theory for Randomness In th ACM Sympo

sium on the Theory of Computing pages

E Bach Analytic Methods in the Analysis and Design of Number

Theoretic Algorithms ACM Distinguished Dissertation MIT Press

Cambridge MA

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

BIBLIOGRAPHY

E Bach and J Shallit Algorithmic Number Theory Volume I Ecient

Algorithms MIT Press

B Barak How to Go Beyond the BlackBox Simulation Barrier In nd

IEEE Symposium on Foundations of Computer Science pages

B Barak ConstantRound CoinTossing with a Man in the Middle or

Realizing the Shared Random String Mo del In th IEEE Symposium on

Foundations of Computer Science to app ear

B Barak and O Goldreich Universal arguments and their applications In

the th IEEE Conference on Computational Complexity pages

B Barak O Goldreich R Impagliazzo S Rudich A Sahai S Vadhan

and K Yang On the imp ossibility of software obfuscation In Crypto

SpringerVerlag Lecture Notes in Computer Science Vol pages

B Barak and Y Lindell Strict Polynomialtime in Simulation and Ex

traction In th ACM Symposium on the Theory of Computing pages

D Beaver Foundations of Secure Interactive Computing In Crypto

SpringerVerlag Lecture Notes in Computer Science Vol pages

D Beaver Secure MultiParty Proto cols and ZeroKnowledge Pro of Sys

tems Tolerating a Faulty Minority Journal of Cryptology Vol pages

M Bellare A Note on Negligible Functions Journal of Cryptology Vol

pages

M Bellare R Canetti and H Krawczyk Pseudorandom functions Revis

ited The Cascade Construction and its Concrete Security In th IEEE

Symposium on Foundations of Computer Science pages

M Bellare R Canetti and H Krawczyk Keying Hash Functions for

Message Authentication In Crypto Springer Lecture Notes in Computer

Science Vol pages

M Bellare R Canetti and H Krawczyk Mo dular Approach to the Design

and Analysis of Authentication and Key Exchange Proto cols In th ACM

Symposium on the Theory of Computing pages

M Bellare A Desai D Pointcheval and P Rogaway Relations among no

tions of security for publickey encryption schemes In Crypto Springer

Lecture Notes in Computer Science Vol pages

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

BIBLIOGRAPHY

M Bellare and O Goldreich On Dening Pro ofs of Knowledge In

Crypto SpringerVerlag Lecture Notes in Computer Science Vol

pages

M Bellare O Goldreich and S Goldwasser Incremental Cryptography

the Case of Hashing and Signing In Crypto SpringerVerlag Lecture

Notes in Computer Science Vol pages

M Bellare O Goldreich and S Goldwasser Incremental Cryptography

and Application to Virus Protection In th ACM Symposium on the

Theory of Computing pages

M Bellare O Goldreich and H Krawczyk Stateless Evaluation of Pseu

dorandom Functions Security b eyond the Birthday Barrier In Crypto

Springer Lecture Notes in Computer Science Vol pages

M Bellare and S Goldwasser New Paradigms for Digital Signatures

and Message Authentication Based on NonInterative Zero Knowledge

Pro ofs In Crypto SpringerVerlag Lecture Notes in Computer Science

Vol pages

M Bellare R Guerin and P Rogaway XOR MACs New Metho ds

for Message Authentication using Finite Pseudorandom Functions In

Crypto SpringerVerlag Lecture Notes in Computer Science Vol

pages

M Bellare S Halevi A Sahai and S Vadhan Trapdo or Functions and

PublicKey Cryptosystems In Crypto Springer Lecture Notes in Com

puter Science Vol pages

M Bellare R Impagliazzo and M Naor Do es Parallel Rep etition Lower

the Error in Computationally Sound Proto cols In th IEEE Symposium

on Foundations of Computer Science pages

M Bellare J Kilian and P Rogaway The Security of Cipher Blo ck Chain

ing In Crypto SpringerVerlag Lecture Notes in Computer Science

Vol pages

M Bellare and S Micali How to Sign Given Any Trapdo or Function

Journal of the ACM Vol pages

D Beaver S Micali and P Rogaway The Round Complexity of Secure

Proto cols In nd ACM Symposium on the Theory of Computing pages

M Bellare and P Rogaway Random Oracles are Practical a Paradigm

for Designing Ecient Proto cols In st Conf on Computer and Commu

nications Security ACM pages

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

BIBLIOGRAPHY

M Bellare and P Rogaway Entity Authentication and Key Distribu

tion In Crypto SpringerVerlag Lecture Notes in Computer Science

Vol pages

M Bellare and P Rogaway Provably Secure Session Key Distribution

The Three Party Case In th ACM Symposium on the Theory of Com

puting pages

M Bellare and P Rogaway The Exact Security of Digital Signatures How

to Sign with RSA and Rabin In EuroCrypt Springer Lecture Notes in

Computer Science Vol

M Bellare and M Yung Certifying Permutations Noninteractive Zero

Knowledge Based on Any Trapdo or Permutation Journal of Cryptology

Vol pages

S BenDavid B Chor O Goldreich and M Luby On the Theory of Av

erage Case Complexity Journal of Computer and System Science Vol

No April pages

M BenOr R Canetti and O Goldreich Asynchronous Secure Computa

tion In th ACM Symposium on the Theory of Computing pages

See details in

M BenOr O Goldreich S Goldwasser J Hastad J Kilian S Micali

and P Rogaway Everything Provable is Probable in ZeroKnowledge In

Crypto SpringerVerlag Lecture Notes in Computer Science Vol

pages

M BenOr S Goldwasser J Kilian and A Wigderson MultiProver In

teractive Pro ofs How to Remove Intractability In th ACM Symposium

on the Theory of Computing pages

M BenOr S Goldwasser and A Wigderson Completeness Theorems

for NonCryptographic FaultTolerant Distributed Computation In th

ACM Symposium on the Theory of Computing pages

ER Berlekamp Factoring Polynomials over Large Finite Fields Mathe

matics of Computation Vol pages

ER Berlekamp RJ McEliece and HCA van Tilb org On the Inher

ent Intractability of Certain Co ding Problems IEEE Trans on Inform

Theory

J Black S Halevi H Krawczyk T Krovetz and P Rogaway UMAC

Fast and Secure Message Authentication In Crypto Springer Lecture

Notes in Computer Science Vol pages

M Blum How to Exchange Secret Keys ACM Trans Comput Sys

Vol pages

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

BIBLIOGRAPHY

M Blum Coin Flipping by Phone In the th IEEE Computer Confer

ence CompCon pages February See also SIGACT News

Vol No

L Blum M Blum and M Shub A Simple Secure Unpredictable Pseudo

Random Number Generator SIAM Journal on Computing Vol

pages

M Blum A De Santis S Micali and G Persiano NonInteractive Zero

Knowledge Pro of Systems SIAM Journal on Computing Vol No

pages Considered the journal version of

M Blum P Feldman and S Micali NonInteractive ZeroKnowledge and

its Applications In th ACM Symposium on the Theory of Computing

pages See

M Blum and S Goldwasser An Ecient Probabilistic PublicKey En

cryption Scheme which hides all partial information In Crypto Lecture

Notes in Computer Science Vol SpringerVerlag pages

M Blum and S Micali How to Generate Cryptographically Strong Se

quences of PseudoRandom Bits SIAM Journal on Computing Vol

pages Preliminary version in rd IEEE Symposium on

Foundations of Computer Science

R Boppana J Hastad and S Zachos Do es CoNP Have Short Interactive

Pro ofs Information Processing Letters May pp

JB Boyar Inferring Sequences Pro duced by PseudoRandom Number

Generators Journal of the ACM Vol pages

G Brassard A Note on the Complexity of Cryptography IEEE Trans

on Inform Th Vol pages

G Brassard Quantum Information Pro cessing The Go o d the Bad

and the Ugly In Crypto Springer Lecture Notes in Computer Science

Vol pages

G Brassard D Chaum and C Crepeau Minimum Disclosure Pro ofs of

Knowledge Journal of Computer and System Science Vol No

pages Preliminary version by Brassard and Crepeau in

th IEEE Symposium on Foundations of Computer Science

G Brassard and C Crepeau ZeroKnowledge Simulation of Bo olean Cir

cuits In Crypto SpringerVerlag Lecture Notes in Computer Science

Vol pages

G Brassard C Crepeau and M Yung ConstantRound Perfect Zero

Knowledge Computationally Convincing Proto cols Theoretical Computer

Science Vol pages

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

BIBLIOGRAPHY

EF Brickell and AM Odlyzko Cryptanalysis A Survey of Recent Re

sults In Proceedings of the IEEE Vol pages

C Cachin and U Maurer Unconditional security against memory

b ounded adversaries In Crypto Springer Lecture Notes in Computer

Science Vol pages

R Canetti Studies in Secure MultiParty Computation and Applications

PhD Thesis Department of Computer Science and Applied Mathematics

Weizmann Institute of Science Rehovot Israel June Available from

from httptheorylcsmitedutcryptolBOOKSranphdhtml

R Canetti Security and Comp osition of Multiparty Cryptographic Pro

to cols Journal of Cryptology Vol No pages

R Canetti Universally Comp osable Security A New Paradigm for Cryp

tographic Proto cols In nd IEEE Symposium on Foundations of Com

puter Science pages Full version with dierent title is

available from Cryptology ePrint Archive Rep ort

R Canetti I Damgard S Dziembowski Y Ishai and T Malkin On

adaptive versus nonadaptive security of multiparty proto cols Journal of

Cryptology to app ear

R Canetti U Feige O Goldreich and M Naor Adaptively Secure Multi

party Computation In th ACM Symposium on the Theory of Comput

ing pages

R Canetti O Goldreich and S Halevi The Random Oracle Metho dology

Revisited In th ACM Symposium on the Theory of Computing pages

R Canetti O Goldreich S Goldwasser and S Micali Resettable Zero

Knowledge In nd ACM Symposium on the Theory of Computing pages

R Canetti S Halevi and A Herzb erg How to Maintain Authenticated

Communication in the Presence of BreakIns Journal of Cryptology

Vol No pages

R Canetti and A Herzb erg Maintaining Security in the Presence of

Transient Faults In Crypto SpringerVerlag Lecture Notes in Computer

Science Vol pages

R Canetti J Kilian E Petrank and A Rosen BlackBox Concurrent

ZeroKnowledge Requires log n Rounds In rd ACM Symposium on

the Theory of Computing pages

R Canetti Y Lindell R Ostrovsky and A Sahai Universally Com

p osable TwoParty and MultiParty Secure Computation In th ACM

Symposium on the Theory of Computing pages

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

BIBLIOGRAPHY

ER Caneld P Erdos and C Pomerance On a problem of Opp enheim

concerning factorisatio numerorum J Number Theory Vol pages

L Carter and M Wegman Universal Hash Functions Journal of Com

puter and System Science Vol pages

D Chaum Blind Signatures for Untraceable Payments In Crypto

Plenum Press pages

D Chaum C Crepeau and I Damgard Multiparty unconditionally Se

cure Proto cols In th ACM Symposium on the Theory of Computing

pages

B Chor S Goldwasser S Micali and B Awerbuch Veriable Secret

Sharing and Achieving Simultaneity in the Presence of Faults In th

IEEE Symposium on Foundations of Computer Science pages

B Chor and E Kushilevitz A ZeroOne Law for Bo olean Privacy SIAM

J on Disc Math Vol pages

R Cleve Limits on the Security of Coin Flips when Half the Pro cessors

are Faulty In th ACM Symposium on the Theory of Computing pages

JD Cohen and MJ Fischer A Robust and Veriable Cryptographically

Secure Election Scheme In th IEEE Symposium on Foundations of

Computer Science pages

A Cohen and A Wigderson Disp ensers Deterministic Amplication

and Weak Random Sources th IEEE Symposium on Foundations of

Computer Science pages

R Cramer and I Damgard New Generation of Secure and Practical

RSAbased Signatures In Crypto Springer Lecture Notes in Computer

Science Vol pages

R Cramer and V Shoup A Practical PublicKey Cryptosystem Prov

ably Secure Against Adaptive Chosen Ciphertext Attacks In Crypto

SpringerVerlag Lecture Notes in Computer Science Vol pages

C Crepeau Ecient Cryptographic Proto cols Based on Noisy Channels

In EuroCrypt Springer Lecture Notes in Computer Science Vol

pages

I Damgard Collision Free Hash Functions and Public Key Signature

Schemes In EuroCrypt SpringerVerlag Lecture Notes in Computer

Science Vol pages

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

BIBLIOGRAPHY

I Damgard A Design Principle for Hash Functions In Crypto Springer

Verlag Lecture Notes in Computer Science Vol pages

I Damgard Concurrent ZeroKnowledge in Easy in Practice Theory

of Cryptography Li

brary June httpphilbyucsdeducryptolib See also

Ecient Concurrent ZeroKnowledge in the Auxiliary String Mo del in

Eurocrypt

I Damgard O Goldreich T Okamoto and A Wigderson Honest Verier

vs Dishonest Verier in Public Coin ZeroKnowledge Pro ofs In Crypto

SpringerVerlag Lecture Notes in Computer Science Vol pages

A De Santis G Di Crescenzo R Ostrovsky G Persiano and A Sahai

Robust Noninteractive ZeroKnowledge In Crypto Springer Lecture

Notes in Computer Science Vol pages

Y Desmedt and Y Frankel Threshold Cryptosystems In Crypto

SpringerVerlag Lecture Notes in Computer Science Vol pages

W Die and ME Hellman New Directions in Cryptography IEEE

Trans on Info Theory IT Nov pages

H Dobb ertin The Status of MD after a Recent Attack In CryptoBytes

RSA Lab Vol No

D Dolev C Dwork and M Naor NonMalleable Cryptography In rd

ACM Symposium on the Theory of Computing pages Full

version available from authors

D Dolev C Dwork O Waarts and M Yung Perfectly secure message

transmission Journal of the ACM Vol pages

D Dolev and AC Yao On the Security of PublicKey Proto cols IEEE

Trans on Inform Theory Vol No pages

D Dolev and HR Strong Authenticated Algorithms for Byzantine Agree

ment SIAM Journal on Computing Vol pages

C Dwork U Feige J Kilian M Naor and S Safra Low Communication

Perfect Zero Knowledge Two Provers Pro of Systems In Crypto Springer

Verlag Lecture Notes in Computer Science Vol pages

C Dwork and M Naor An Ecient Existentially Unforgeable Signature

Scheme and its Application Journal of Cryptology Vol pages

C Dwork M Naor and A Sahai Concurrent ZeroKnowledge In th

STOC pages

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

BIBLIOGRAPHY

S Even and O Goldreich On the Security of Multiparty PingPong

Proto cols In th IEEE Symposium on Foundations of Computer Science

pages

S Even O Goldreich and A Lemp el A Randomized Proto col for Signing

Contracts CACM Vol No pages

S Even O Goldreich and S Micali OnlineOline Digital signatures

Journal of Cryptology Vol pages

S Even AL Selman and Y Yacobi The Complexity of Promise Prob

lems with Applications to PublicKey Cryptography Inform and Control

Vol pages

S Even and Y Yacobi Cryptography and NPCompleteness In pro ceed

ings of th ICALP SpringerVerlag Lecture Notes in Computer Science

Vol pages See

U Feige Error reduction by parallel rep etition the state of the art Tech

nical rep ort CS Computer Science Department Weizmann Institute

of Science Rehovot isreal

U Feige A Fiat and A Shamir ZeroKnowledge Pro ofs of Identity

Journal of Cryptology Vol pages

U Feige D Lapidot and A Shamir Multiple NonInteractive Zero

Knowledge Pro ofs Under General Assumptions SIAM Journal on Com

puting Vol pages

U Feige and A Shamir ZeroKnowledge Pro ofs of Knowledge in Two

Rounds In Crypto SpringerVerlag Lecture Notes in Computer Science

Vol pages

U Feige and A Shamir Witness Indistinguishability and Witness Hiding

Proto cols In nd ACM Symposium on the Theory of Computing pages

W Feller An Introduction to Probability Theory and Its Applications

John Wiley New York

A Fiat and A Shamir How to Prove Yourself Practical Solution to Iden

tication and Signature Problems In Crypto SpringerVerlag Lecture

Notes in Computer Science Vol pages

M Fischer S Micali C Racko and DK Wittenberg An Oblivi

ous Transfer Proto col Equivalent to Factoring Unpublished manuscript

Preliminary versions were presented in EuroCrypt and in the NSF

Workshop on Mathematical Theory of Security Endicott House

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

BIBLIOGRAPHY

R Fischlin and CP Schnorr Stronger Security Pro ofs for RSA and Ra

bin Bits In EuroCrypt Springer Lecture Notes in Computer Science

Vol pages

L Fortnow The Complexity of Perfect ZeroKnowledge In th ACM

Symposium on the Theory of Computing pages

AM Frieze J Hastad R Kannan JC Lagarias and A Shamir Re

constructing Truncated Integer Variables Satisfying Linear Congruences

SIAM Journal on Computing Vol pages

O Gab er and Z Galil Explicit Constructions of Linear Size Sup erconcen

trators Journal of Computer and System Science Vol pages

MR Garey and DS Johnson Computers and Intractability A Guide to

the Theory of NPCompleteness WH Freeman and Company New York

PS Gemmell An Introduction to Threshold Cryptography In Crypto

Bytes RSA Lab Vol No

R Gennaro M Rabin and T Rabin Simplied VSS and Fasttrack Mul

tiparty Computations with Applications to Threshold Cryptography In

th ACM Symposium on Principles of Distributed Computing pages

R Gennaro and L Trevisan Lower b ounds on the eciency of generic

cryptographic constructions ECCC TR May

EN Gilb ert FJ MacWilliams and NJA Sloane Co des which detect

deception Bel l Syst Tech J Vol pages

O Goldreich Two Remarks Concerning the GMR Signature Scheme In

Crypto SpringerVerlag Lecture Notes in Computer Science Vol

pages

O Goldreich Towards a Theory of Software Protection and Simulation by

Oblivious RAMs In th ACM Symposium on the Theory of Computing

pages

O Goldreich Foundation of Cryptography Class Notes Preprint Spring

Sup erseded by the current work

O Goldreich Lecture Notes on Encryption Signatures and

Cryptographic Protocol Extracts from Available from

httpwwwwisdomweizmannacilodedfochtml Sup erseded by

the current work

O Goldreich A Note on Computational Indistinguishability Information

Processing Letters Vol pages May

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

BIBLIOGRAPHY

O Goldreich A Uniform Complexity Treatment of Encryption and Zero

Knowledge Journal of Cryptology Vol No pages

O Goldreich Foundation of Cryptography Fragments of a Book Febru

ary Available from

httpwwwwisdomweizmannacilodedfochtml Sup erseded by

the current work

O Goldreich Notes on Levins Theory of AverageCase Complexity

ECCC TR Dec

O Goldreich Modern Cryptography Probabilistic Proofs and Pseudoran

domness Algorithms and Combinatorics series Vol Springer

O Goldreich Secure MultiParty Computation Unpublished manuscript

Available from

httpwwwwisdomweizmannacilodedfochtml Sup erseded by

the current work

O Goldreich

Encryption Schemes fragments of a chapter December Avail

able from httpwwwwisdomweizmannacilodedfocbookhtml

Sup erseded by the current work

O Goldreich Signature Schemes fragments of a chapter May

Avail

able from httpwwwwisdomweizmannacilodedfocbookhtml

Sup erseded by the current work

O Goldreich Foundation of Cryptography Basic Tools Cambridge

University Press

O Goldreich Concurrent ZeroKnowledge With Timing Revisited In

th ACM Symposium on the Theory of Computing pages

O Goldreich S Goldwasser and S Halevi CollisionFree Hashing from

Lattice Problems ECCC TR

O Goldreich S Goldwasser and S Micali How to Construct Random

Functions Journal of the ACM Vol No pages

O Goldreich S Goldwasser and S Micali On the Cryptographic Appli

cations of Random Functions In Crypto SpringerVerlag Lecture Notes

in Computer Science Vol pages

O Goldreich R Impagliazzo LA Levin R Venkatesan and D Zuck

erman Security Preserving Amplication of Hardness In st IEEE

Symposium on Foundations of Computer Science pages

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

BIBLIOGRAPHY

O Goldreich and A Kahan How to Construct ConstantRound Zero

Knowledge Pro of Systems for NP Journal of Cryptology Vol No

pages Preliminary versions date to

O Goldreich and H Krawczyk On the Comp osition of ZeroKnowledge

Pro of Systems SIAM Journal on Computing Vol No February

pages

O Goldreich and H Krawczyk On Sparse Pseudorandom Ensembles

Random Structures and Algorithms Vol No pages

O Goldreich H Krawcyzk and M Luby On the Existence of Pseudo

random Generators SIAM Journal on Computing Vol pages

O Goldreich and E Kushilevitz A Perfect ZeroKnowledge Pro of for a

Decision Problem Equivalent to Discrete Logarithm Journal of Cryptol

ogy Vol pages

O Goldreich and LA Levin Hardcore Predicates for any OneWay Func

tion In st ACM Symposium on the Theory of Computing pages

O Goldreich and Y Lindell SessionKey Generation using Human Pass

words In Crypto SpringerVerlag Lecture Notes in Computer Science

Vol pages

O Goldreich Y Lustig and M Naor On Chosen Ciphertext Security of

Multiple Encryptions Cryptology ePrint Archive Rep ort

O Goldreich and B Meyer Computational Indistinguishability Algo

rithms vs Circuits Theoretical Computer Science Vol pages

O Goldreich S Micali and A Wigderson Pro ofs that Yield Nothing

but their Validity or All Languages in NP Have ZeroKnowledge Pro of

Systems Journal of the ACM Vol No pages Pre

liminary version in th IEEE Symposium on Foundations of Computer

Science

O Goldreich S Micali and A Wigderson How to Play any Mental Game

A Completeness Theorem for Proto cols with Honest Ma jority In th

ACM Symposium on the Theory of Computing pages

O Goldreich N Nisan and A Wigderson On Yaos XORLemma ECCC

O Goldreich and Y Oren Denitions and Prop erties of ZeroKnowledge

Pro of Systems Journal of Cryptology Vol No pages

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

BIBLIOGRAPHY

O Goldreich and E Petrank Quantifying Knowledge Complexity Com

putational Complexity Vol pages

O Goldreich R Rubinfeld and M Sudan Learning p olynomials with

queries the highly noisy case To app ear in SIAM Journal on Discrete

Mathematics

O Goldreich A Sahai and S Vadhan HonestVerier Statistical Zero

Knowledge equals general Statistical ZeroKnowledge In th ACM Sym

posium on the Theory of Computing pages

O Goldreich and M Sudan Computational Indistinguishability A Sam

ple Hierarchy Journal of Computer and System Science Vol pages

O Goldreich and S Vadhan Comparing Entropies in Statistical Zero

Knowledge with Applications to the Structure of SZK In th IEEE

Conference on Computational Complexity pages

O Goldreich and R Vainish How to Solve any Proto col Problem An

Eciency Improvement In Crypto Springer Verlag Lecture Notes in

Computer Science Vol pages

S Goldwasser and J Kilian Primality Testing Using Elliptic Curves

Journal of the ACM Vol pages Preliminary version in

th ACM Symposium on the Theory of Computing

S Goldwasser and LA Levin Fair Computation of General Functions

in Presence of Immoral Ma jority In Crypto SpringerVerlag Lecture

Notes in Computer Science Vol pages

S Goldwasser and Y Lindell Secure Computation Without Agree

ment In th International Symposium on Distributed Computing DISC

SpringerVerlag LNCS pages

S Goldwasser and S Micali Probabilistic Encryption Journal of Com

puter and System Science Vol No pages Preliminary

version in th ACM Symposium on the Theory of Computing

S Goldwasser S Micali and C Racko The Knowledge Complexity of

Interactive Pro of Systems SIAM Journal on Computing Vol pages

Preliminary version in th ACM Symposium on the Theory

of Computing

S Goldwasser S Micali and RL Rivest A Digital Signature Scheme Se

cure Against Adaptive ChosenMessage Attacks SIAM Journal on Com

puting April pages

S Goldwasser S Micali and P Tong Why and How to Establish a Private

Co de in a Public Network In rd IEEE Symposium on Foundations of

Computer Science pages

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

BIBLIOGRAPHY

S Goldwasser S Micali and AC Yao Strong Signature Schemes In th

ACM Symposium on the Theory of Computing pages

S Goldwasser and R Ostrovsky Invariant Signatures and NonInteractive

ZeroKnowledge Pro ofs are Equivalent In Crypto SpringerVerlag Lec

ture Notes in Computer Science Vol pages

S Goldwasser and M Sipser Private Coins versus Public Coins in Interac

tive Pro of Systems Advances in Computing Research a research annual

Vol Randomness and Computation S Micali ed pages

S Hab er and S Micali Private communication

J Hastad R Impagliazzo LA Levin and M Luby A Pseudorandom

Generator from any Oneway Function SIAM Journal on Computing

Volume Number pages Preliminary versions by

Impagliazzo et al in st ACM Symposium on the Theory of Computing

and Hastad in nd ACM Symposium on the Theory of Computing

J Hastad A Schrift and A Shamir The Discrete Logarithm Mo dulo a

Comp osite Hides O n Bits Journal of Computer and System Science

Vol pages

M Hirt and U Maurer Complete characterization of adversaries tolerable

in secure multiparty computation Journal of Cryptology Vol No

pages

R Impagliazzo and M Luby OneWay Functions are Essential for Com

plexity Based Cryptography In th IEEE Symposium on Foundations of

Computer Science pages

R Impagliazzo and M Naor Ecient Cryptographic Schemes Provable as

Secure as Subset Sum Journal of Cryptology Vol pages

R Impagliazzo and S Rudich Limits on the Provable Consequences of

OneWay Permutations In st ACM Symposium on the Theory of Com

puting pages

R Impagliazzo and A Wigderson PBPP if E requires exp onential cir

cuits Derandomizing the XOR Lemma In th ACM Symposium on the

Theory of Computing pages

R Impagliazzo and D Zuckerman How to Recycle Random Bits In

th IEEE Symposium on Foundations of Computer Science pages

R Impagliazzo and M Yung Direct ZeroKnowledge Computations In

Crypto SpringerVerlag Lecture Notes in Computer Science Vol

pages

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

BIBLIOGRAPHY

A Juels M Luby and R Ostrovsky Security of Blind Digital Signatures

In Crypto Springer Lecture Notes in Computer Science Vol

J Justesen A class of constructive asymptotically go o d alegbraic co des

IEEE Trans Inform Theory Vol pages

N Kahale Eigenvalues and Expansion of Regular Graphs Journal of the

ACM Vol pages

J Kahn M Saks and C Smyth A Dual Version of Reimers Inequality

and a Pro of of Rudichs Conjecture In th IEEE Conference on Compu

tational Complexity

BS Kaliski Elliptic Curves and Cryptography A Pseudorandom Bit

Generator and Other Tools PhD Thesis LCS MIT

J Katz and M Yung Complete Characterization of Security Notions for

Probabilistic PrivateKey Encryption In nd ACM Symposium on the

Theory of Computing pages

J Kilian Basing Cryptography on Oblivious Transfer In th ACM

Symposium on the Theory of Computing pages

J Kilian A Note on Ecient ZeroKnowledge Pro ofs and Arguments In

th ACM Symposium on the Theory of Computing pages

J Kilian and E Petrank An Ecient NonInteractive ZeroKnowledge

Pro of System for NP with General Assumptions Journal of Cryptology

Vol pages

J Kilian and E Petrank Concurrent and Resettable ZeroKnowledge in

Polylogarithmic Rounds In rd ACM Symposium on the Theory of Com

puting pages

H Krawczyk LFSRbased Hashing and Authentication In Crypto

Lecture Notes in Computer Science Vol SpringerVerlag pages

H Krawczyk New Hash Functions For Message Authentication In Euro

Crypt SpringerVerlag Lecture Notes in Computer Science Vol

pages

JC Lagarias and AM Odlyzko Solving LowDensity Subset Sum Prob

lems Journal of the ACM Vol pages

D Lapidot and A Shamir Fully parallelized multiprover proto cols for

NEXPtime Journal of Computer and System Science Vol pages

April

A Lemp el Cryptography in Transition Computing Surveys Dec

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

BIBLIOGRAPHY

AK Lenstra HW Lenstra L Lovasz Factoring p olynomials with ratio

nal co ecients Mathematische Annalen pages

LA Levin Average Case Complete Problems SIAM Journal on Com

puting Vol pages

LA Levin OneWay Function and Pseudorandom Generators Combina

torica Vol pages

LA Levin Randomness and Nondeterminism J Symb Logic Vol

pages

M Li and P Vitanyi An Introduction to Kolmogorov Complexity and its

Applications Springer Verlag August

Y Lindell A Simpler Construction of CCASecure PublicKey Encryp

tion Under General Assumptions In EuroCrypt Springer Lecture Notes

in Computer Science Vol pages

Y Lindell Parallel CoinTossing and ConstantRound Secure TwoParty

Computation In Crypto Springer Lecture Notes in Computer Science

Vol pages

Y Lindell A Lysyanskaya and T Rabin On the Comp osition of Authen

ticated Byzantine Agreement In th ACM Symposium on the Theory of

Computing pages

JH van Lint Introduction to Coding Theory SpringerVerlag Graduate

Texts in Mathematics New York

A Lub otzky R Phillips P Sarnak Ramanujan Graphs Combinatorica

Vol pages

M Luby Pseudorandomness and Cryptographic Applications Princeton

University Press

M Luby and C Racko How to Construct Pseudorandom Permutations

from Pseudorandom Functions SIAM Journal on Computing Vol

pages

C Lund L Fortnow H Karlo and N Nisan Algebraic Metho ds for

Interactive Pro of Systems Journal of the ACM Vol No pages

N Lynch Distributed Algorithms Morgan Kaufmann Publishers San

Mateo CA

U Maurer Secret Key Agreement by Public Discussion from Common

Information IEEE Trans on Inform Th Vol No pages

May

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

BIBLIOGRAPHY

AJ Menezes PC van Oorschot and SA Vanstone Handbook of Applied

Cryptography CRC Press

RC Merkle Secure Communication over Insecure Channels CACM

Vol No pages

RC Merkle Proto cols for public key cryptosystems In Proc of the

Symposium on Security and Privacy

RC Merkle A Digital Signature Based on a Conventional Encryption

Function In Crypto SpringerVerlag Lecture Notes in Computer Science

Vol pages

RC Merkle A Certied Digital Signature Scheme In Crypto Springer

Verlag Lecture Notes in Computer Science Vol pages

RC Merkle and ME Hellman Hiding Information and Signatures in

Trapdo or Knapsacks IEEE Trans Inform Theory Vol pages

S Micali MO Rabin and S Vadhan Veriable Random Functions In

th IEEE Symposium on Foundations of Computer Science pages

S Micali C Racko and B Sloan The Notion of Security for Probabilistic

Cryptosystems SIAM Journal on Computing Vol pages

S Micali and P Rogaway Secure Computation In Crypto Springer

Verlag Lecture Notes in Computer Science Vol pages

D Micciancio Oblivious Data Structures Applications to Cryptography

In th ACM Symposium on the Theory of Computing pages

GL Miller Riemanns Hyp othesis and Tests for Primality Journal of

Computer and System Science Vol pages

R Motwani and P Raghavan Randomized Algorithms Cambridge Uni

versity Press

National Bureau of Standards Federal Information Processing Standards

Publ DES

National Institute for Standards and Technology Digital Signature Standard

dss Federal Register Vol No August

M Naor Bit Commitment using Pseudorandom Generators Journal of

Cryptology Vol pages

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

BIBLIOGRAPHY

M Naor R Ostrovsky R Venkatesan and M Yung ZeroKnowledge

Arguments for NP can b e Based on General Assumptions Journal of

Cryptology Vol pages

M Naor and O Reingold Synthesizers and their Application to the Paral

lel Construction of PseudoRandom Functions In th IEEE Symposium

on Foundations of Computer Science pages

M Naor and O Reingold On the Construction of PseudoRandom Per

mutations LubyRacko Revisited Journal of Cryptology Vol

pages

M Naor and O Reingold From Unpredictability to Indistinguishabil

ity A Simple Construction of Pseudorandom Functions from MACs In

Crypto Springer Lecture Notes in Computer Science Vol pages

M Naor and M Yung Universal OneWay Hash Functions and their Cryp

tographic Application st ACM Symposium on the Theory of Computing

pages

M Naor and M Yung PublicKey Cryptosystems Provably Secure

Against Chosen Ciphertext Attacks In nd ACM Symposium on the

Theory of Computing pages

N Nisan and D Zuckerman Randomness is Linear in Space Journal of

Computer and System Science Vol pages

AM Odlyzko The future of integer factorization CryptoBytes The

technical newsletter of RSA Lab oratories Vol No pages

Available from httpwwwresearchattcomamo

AM Odlyzko Discrete logarithms and smo oth p olynomials In Finite

Fields Theory Applications and Algorithms G L Mullen and P Shiue

eds Amer Math So c Contemporary Math Vol pages

Available from httpwwwresearchattcomamo

T Okamoto On relationships b etween statistical zeroknowledge pro ofs

In th ACM Symposium on the Theory of Computing pages

R Ostrovsky R Venkatesan and M Yung Secure Commitment Against

Powerful Adversary A Security Primitive based on Average Intractability

In Proceedings of the th Symposium on Theoretical Aspects of Computer

Science STACS pages

R Ostrovsky and A Wigderson OneWay Functions are essential for Non

Trivial ZeroKnowledge In nd Israel Symp on Theory of Computing and

Systems IEEE Comp So c Press pages

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

BIBLIOGRAPHY

R Ostrovsky and M Yung How to Withstand Mobile Virus Attacks

In th ACM Symposium on Principles of Distributed Computing pages

TP Pedersen and B Ptzmann FailStop Signatures SIAM Journal on

Computing Vol pages Based on several earlier work

see rst fo otnote in the pap er

B Ptzmann Digital Signature Schemes General Framework and Fail

Stop Signatures Springer Lecture Notes in Computer Science Vol

M Prabhakaran A Rosen and A Sahai Concurrent ZeroKnowledge

Pro ofs in Logarithmic Number of Rounds In rd IEEE Symposium on

Foundations of Computer Science

V Pratt Every Prime has a Succinct Certicate SIAM Journal on

Computing Vol pages

MO Rabin Probabilistic Algorithm for Testing Primality Journal of

Number Theory Vol pages

MO Rabin Digitalized Signatures In Foundations of Secure Computa

tion RA DeMillo et al eds Academic Press

MO Rabin Digitalized Signatures and Public Key Functions as In

tractable as Factoring MITLCSTR

MO Rabin How to Exchange Secrets by Oblivious Transfer Tech Memo

TR Aiken Computation Lab oratory Harvard U

C Racko and DR Simon NonInteractive ZeroKnowledge Pro of of

Knowledge and Chosen Ciphertext Attack In Crypto Springer Verlag

Lecture Notes in Computer Science Vol pages

R Raz A Parallel Rep etition Theorem SIAM Journal on Computing

Vol pages

R Richardson and J Kilian On the Concurrent Comp osition of Zero

Knowledge Pro ofs In EuroCrypt Springer LNCS pages

R Rivest A Shamir and L Adleman A Metho d for Obtaining Digital

Signatures and Public Key Cryptosystems CACM Vol Feb

pages

P Rogaway The

Round Complexity of Secure Proto cols MIT PhD Thesis June

Available from httpwwwcsucdavisedurogawaypapers

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

BIBLIOGRAPHY

J Romp el Oneway Functions are Necessary and Sucient for Secure

Signatures In nd ACM Symposium on the Theory of Computing

pages

A Sahai NonMalleable NonInteractive Zero Knowledge and Achieving

ChosenCiphertext Security In th IEEE Symposium on Foundations of

Computer Science pages

A Sahai Improved Constructions Achieving ChosenCiphertext Security

In preparation See

A Sahai and S Vadhan A Complete Promise Problem for Statistical

ZeroKnowledge In th IEEE Symposium on Foundations of Computer

Science pages

CP Schnorr and HH Horner Attacking the ChorRivest Cryptosystem

by Improved Lattice Reduction In EuroCrypt SpringerVerlag Lecture

Notes in Computer Science Vol pages

A Shamir On the Crypto complexity of Knapsack systems th ACM

Symposium on the Theory of Computing pages

A Shamir How to Share a Secret CACM Vol Nov pages

A Shamir A PolynomialTime Algorithm for Breaking the Merkle

Hellman Cryptosystem In rd IEEE Symposium on Foundations of Com

puter Science pages

A Shamir IP PSPACE Journal of the ACM Vol No pages

A Shamir RL Rivest and L Adleman Mental Poker MITLCS Rep ort

CE Shannon Communication Theory of Secrecy Systems Bel l Sys Tech

J Vol pages

M Sipser A Complexity Theoretic Approach to Randomness In th

ACM Symposium on the Theory of Computing pages

M Sipser Introduction to the Theory of Computation PWS Publishing

Company

R Solovay and V Strassen A Fast MonteCarlo Test for Primality SIAM

Journal on Computing Vol pages Addendum in SIAM

Journal on Computing Vol page

D Stinson Universal hashing and authentication co des Designs Codes

and Cryptography Vol pages

Extracted from a working draft of Goldreich's FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

BIBLIOGRAPHY

M Sudan Deco ding of ReedSolomon Co des b eyond the errorcorrection

Bound Jour of Complexity Vol pages

M Tompa and H Woll Random SelfReducibility and ZeroKnowledge

Interactive Pro ofs of Possession of Information In th IEEE Symposium

on Foundations of Computer Science pages

S Vadhan A Study of Statistical ZeroKnowledge Pro ofs PhD Thesis

Department of Mathematics MIT

S Vadhan On Constructing Lo cally Computable Extractors and Cryp

tosystems in the Bounded Storage Mo del Cryptology ePrint Archive Re

p ort

A Vardi Algorithmic Complexity in Co ding Theory and the Minimun

Distnace Problem In th ACM Symposium on the Theory of Computing

pages

UV Vazirani and VV Vazirani Ecient and Secure PseudoRandom

Number Generation th IEEE Symposium on Foundations of Computer

Science pages

M Wegman and L Carter New Hash Functions and their Use in Au

thentication and Set Equality Journal of Computer and System Science

Vol pages

A D Wyner The WireTap Channel Bel l System Technical Journal

Vol No pages Oct

AC Yao Theory and Application of Trapdo or Functions In rd IEEE

Symposium on Foundations of Computer Science pages

AC Yao How to Generate and Exchange Secrets In th IEEE Sympo

sium on Foundations of Computer Science pages