A secure signature scheme based on claw free permutations

LetDf be the common domain of the claw-free permutations pair Consider the following scheme, for signing messagesmi ∈ {0,1}^k wherei∈ {1,· · ·, B(k)} andB(k) is a polynomial ink:

Choose two pairs of claw-free permutations, (f₀, f₁) and (g₀, g₁) for which we know f₀⁻¹, f₁⁻¹, g⁻₀¹, g₁⁻¹. ChooseX ∈D_f. Let the public key containD_f, X, f₀, f₁, g₀, g₁and let the secret key containf₀⁻¹, f₁⁻¹, g₀⁻¹, g⁻₁¹.

PK SK

Df, X, f0, f1 f₀⁻¹, f₁⁻¹ g0, g1 g₀⁻¹, g⁻₁¹

Let◦be the concatenation function and set the historyH1=∅. To signmi, fori∈ {1,· · ·, B(k)}: 1. ChooseRi∈Dg uniformly.

2. Setz₁ⁱ =f_H⁻¹

i◦R_i(X).

3. Setz₂ⁱ =g⁻_m¹_i(Ri).

4. Set signatureσ(mi) = (z₁ⁱ, zⁱ₂, Hi).

5. SetHi+1=Hi◦Ri.

To verify a message-signature pair (m, s) wheres= (z1, z2, H), 1. LetR=g_m(z₂).

2. Check that fH◦R(z1) =X.

If so, then the signature is valid and the verification functionV(m, s) = 1. Otherwise, V(m, s) = 0. This scheme takes advantage of the fact that a new random elementz₁ⁱ can be used in place ofX for each message so that the forger is unable to gain information by requesting signatures for a polynomial number of messages.

It is clear that the signing and verification procedures can be performed in polynomial time as required. The following theorem also shows that it is secure:

Theorem 9.9 The claw-free permutation signature scheme is existentially secure against CMA if claw-free permutations exist.

Proof:(by contradiction) Suppose not. Then there is a forgerF^{CM A}(f₀, f₁, g₀, g₁, X) which consists of the following two stages:

Stage 1: F obtains signaturesσ(mi) for up toB(k) messagesmi of its choice.

Stage 2: F outputs ( ˆm,s) where ˆˆ s= (ˆz₁,zˆ₂,Hˆ) such that ˆmis different than allm_i’s requested in stage 1 andV( ˆm,s) = 1.ˆ

We show that if such anF did exist, then there would be a PTMAwhich would:

Input: Uniformly chosen (h0, h1, Dh) claw-free such thath⁻₀¹ andh⁻₁¹ are not known.

Output: Either a h-claw with probability greater than _Q(k)¹ whereQ(k) is a polynomial ink.

This is a contradiction by the definition ofh0 andh1.

PTMAis based on the fact that whenF is successful it does one of the following in stage 2:

Type 1 forgery: Find ag-claw Type 2 forgery: Find af-claw

Type 3 forgery: Find f₀⁻¹(ω) orf₁⁻¹(ω) forω=z₁^B(k)the last point in the history provided by the signer PTMAconsists of two PTM’s A1andA2 which are run one after the other. A1 attempts to find anh-claw based on the assumption thatF produces ag-claw. A2 attempts to find ah-claw based on the assumption thatF produces af-claw. BothA1andA2will useh0andh1in their public keys. In order to sign a message usingh0 andh1, these PTM’s will computev=hi(R) for someR∈Dhand useR ash⁻_b¹(v). Thus, neither A1 norA2 will need to inverthb when answering F’s requests. Note that since hb is a permutation, v will be random ifRis.

Description ofA1:

Cryptography: Lecture Notes 175

1. Choose (f0, f1, Df) claw-free such that we knowf₀⁻¹andf₁⁻¹. Let the public key containDf, X, f0, f1, g0= h0,andg1=h1. Let the secret key containf₀⁻¹andf₁⁻¹.

PK SK

D_f, X, f₀, f₁ f₀⁻¹, f₁⁻¹ g₀=h₀, g₁=h₁

2. Set historyH1=∅and runF(f0, f1, g0, g1, X). WhenF asks for the signature of a messagemi, (a) Choosez₂ⁱ ∈Dg at random.

(b) SetRi=gm_i(z₂ⁱ).

(c) Set z₁ⁱ =f_H⁻¹

i◦R_i(X).

(d) Output (z₁ⁱ, z₂ⁱ, Hi).

(e) Set Hi+1=Hi◦Ri.

F then outputs ( ˆm,ˆs) where ˆs= (ˆz1,ˆz2,H).ˆ 3. Test to see thatV( ˆm,ˆs) = 1. If not thenA₁ fails.

4. Let ˆR=gmˆ(ˆz2). If ˆR6=Ri for anyi, thenA1 fails sinceF did not produce a type 1 forgery

5. Otherwise, let j be such that ˆR =Rj. We now havehmˆ(ˆz2) = hm_j(z₂^j) = Rj. From this we easily obtain ah-claw.

Description ofA₂:

1. Choose (g0, g1, Dg) claw-free such that we know g₀⁻¹ and g₁⁻¹. Let f0 = h0 and f1 = h1. Choose R1, R2,· · ·, R_B(k)∈Dg,c∈ {0,1}andz∈Dfuniformly and independently. SetX =fR₁◦R₂◦···◦R_B(k)◦c(z).

Let the public key containDf, X, f0, f1, g0 andg1. Let the secret key containg₀⁻¹ andg⁻₁¹.

PK SK

Df, X, g0, g1 g₀⁻¹, g⁻₁¹ f0=h0, f1=h1

2. Set historyH₁=∅and runF(f₀, f₁, g₀, g₁, X). WhenF asks for signature of messagem_i, (a) Setz₁ⁱ =f_{Ri+1◦···◦RB(k)}(X).

(b) Setz₂ⁱ =g⁻_m¹_i(Ri).

(c) Output (z₁ⁱ, z₂ⁱ, Hi).

(d) SetHi+1=Hi◦Ri.

F then outputs ( ˆm,ˆs) where ˆs= (ˆz₁,ˆz₂,H).ˆ 3. Let ˆR=gmˆ(ˆz²).

4. There are three possibilities to consider:

F made type 1 forgery: This means ˆH◦Rˆ=Hi for some i. In this caseA2 fails.

F made type 2 forgery: There is some first bit in ˆH◦Rˆ which differs fromA2’s final historyHN. As a result, ˆH◦Rˆ=H◦b◦Sˆ andHN =H◦¯b◦S for someb∈ {0,1}and stringsH,S, S. From thisˆ we obtainf_b(f_Sˆ(ˆz₁)) =f¯b(f_S(z^N₁ )) which providesA₂ with ah-claw.

F made type 3 forgery: ˆH◦Rˆ =H_N◦b◦S for some bitband stringS. Since the bitdchosen byA₂ to follow H_N if another request were made is random,b will be different fromdwith probability 1/2. In this case,A₂ will haveh⁻₀¹(h⁻_H¹ and A₂ will succeed with probability p₂ + ^p₂³. Thus, A₁ or A₂ will succeed with probability at least max(p₁, p₂+^p₂³)≥_3Q(k)¹ .

Notes:

1. Unlike the previous scheme, the signature here need not contain all the previous messages signed by the scheme; only the elementsRⁱ ∈Dg are attached to the signature.

2. The length of the signature need not be linear with the number of messages signed. It is possible instead of linking theRⁱ together in a linear fashion, to build a tree structure, whereR¹authenticates R² andR³, andR² authenticatesR⁴andR⁵and so forth till we construct a full binary tree of depth logarithmic inB(k) whereB(k) is a bound on the total number of signatures ever to be signed. Then, relabel the R^j’s in the leafs of this tree as r¹, ..., r^B(k).

In the computation of the signature of the i-th message, we let z₂ⁱ =g⁻_m¹i(rⁱ), and let z₁ⁱ = f_r⁻i¹(R) whereR is the father ofrⁱ in the tree of authenticatedR’s. The signature of theith message needs to contain then allR⁰s on the path from the leafrⁱ to the root, which is only logarithmic in the number of messages ever to be signed.

3. The cost of computing af_m⁻¹(x) is|m|(cost of computingf⁻¹). Next we show that for the implemen-tation of claw-free functions based on factoring, themfactor can be saved.

Example: Efficient way to compute f_m⁻¹(z)

As we saw in Example 9.4.2, if factoring is hard, a particular family of trap-door permutations is claw free.

Letn=pq, where pandqare primes and p≡3 mod 8,q≡7 mod 8. forx∈QR_n: f_0,n(x) =x²modn f_1,n(x) = 4x²modn

is this family of claw-free trap-door permutations.

Notation: We write√

x=y when that y²=xandy∈QRn.

To computef_m⁻¹(z) we first compute (all computations below are modn):

f₀₀⁻¹(z) =p√

Leti(m) be the integer corresponding to the stringmreversed. It is easy to see that in the general case we get: f_m⁻¹(z) = (_4i(m)^z )^2|m|1

Now, all we need is to compute the 2^|m|th root modnonce, and this can be done efficiently, by raising to a power modΦ(n).

Cryptography: Lecture Notes 177