DEScomputationandasinglemodularmultiplication.Westressthatthecostlymodular

Transcription

1 ShimonEveny On-Line/O-LineDigitalSignatures (non-nalversionfrom1994) OdedGoldreichz Abstract SilvioMicalix signatureschemeisusedfortheo-linestage. (basedonfactoring)anddes.intheon-linephase,allweuseisamoderateamountof usesone-timesignatureschemes,whichareveryfast,fortheon-linesigning.anordinary methodforconstructingsuchon-line/o-linesignatureschemesispresented.themethod performedo-line,beforethemessagetobesignedisevenknown.thesecondon-linephase isperformedoncethemessagetobesignedisknown,andissupposedtobeveryfast.a Inapracticalimplementationofourscheme,weuseavariantofRabin'ssignaturescheme Anewtypeofsignatureschemeisproposed.Itconsistsoftwophases.Therstphaseis DEScomputationandasinglemodularmultiplication.Westressthatthecostlymodular exponentiationoperationisperformedo-line.thisimplementationisideallysuitedfor electronicwalletsorsmartcards. patentprotectionunderu.s.patentno.5,016,274.analversionofthisworkwillappearinjournalofcryptology. ccopyright1996byinternationalassociationforcryptographicresearch. ApreliminaryversionappearedintheproceedingsofCrypto89.On-Line/O-LineDigitalSigninghasobtained ycomputersciencedepartment,technion-israelinstituteoftechnology,haifa32000,israel.e-address: zcomputersciencedepartment,technion-israelinstituteoftechnology,haifa32000,israel.e-address: xlaboratoryforcomputerscience,mit-massachusettsinstituteoftechnology,545technologysquare,cam- 0

2 asecretkey.u'ssignatureofamessagemisavalue,dependingonmandhissecretkey, 1Introduction Informally,inadigitalsignaturescheme,eachuserUpublishesapublickeywhilekeepingsecret suchthatucan(quickly)generateandanyonecan(quickly)verifythevalidityof,usingu's arbitrarilymanymessages,withonepairofkeys. stressthatsigningisanon-interactiveprocessinvolvingonlythesigner,andthatonecansign publickey.however,itishardtoforgeu'ssignatureswithoutknowledgeofhissecretkey.we signingprocess,andtheseinturnrequiremanymodularmultiplications.furthermore,these signatureschemesrequiretoperformmodularexponentiationwithlargemoduliaspartofthe eredtooslowformanypracticalapplications(e.g.,electronicwallets[5,4]).inparticular,these severalschemeshavebeenprovedsecureevenagainstchosenmessageattack[8,1,12,19].unfortunately,intheseschemes,thesigningprocessisnotsucientlyfastforsomepracticalpurposes. Furthermore,evenmoreecientschemeslikeRSA[16]andRabin'sschemeof[15],areconsid- Manysignatureschemesareknownbynow.Basedonvariousintractabilityassumptions, thesesignatureschemeswillbecomemuchmoreattractiveifonlyafew(say,twoorthree)modularmultiplicationsneedtobeperformedafterthemessagebecomesknown,whilethemorecostly operationscanbepreprocessed.thisleadstothenotionofanon-line/o-linesignaturescheme. ANewNotion costlyoperationscanstartonlyoncethemessagetobesignedbecomesknown.consequently, Tosummarize,inmanyapplicationssignatureshavetobeproducedveryfastoncethemessage ispresented.however,onecantolerateslowerprecomputations,providedthattheydonot havetobeperformedon-line(i.e.,oncethemessagetobesignedishandedtothesignerand isperformedon-line,oncethemessageispresented.wewillbeinterestedinon-line/o-line performedo-line,isindependentoftheparticularmessagetobesigned;whilethesecondphase whiletheverieriswaitingforthesignature).thissuggeststhenotionofanon-line/o-line signaturescheme,inwhichthesigningprocesscanbebrokenintotwophases.therstphase, Wepresentageneralconstructiontransforminganordinary,digitalsignatureschemetoanonline/o-lineone.Thisisdonebyproperlycombiningthreemainingredients: 1.An(ordinary)signaturescheme; 2.Afastone-timesignaturescheme(i.e.,asignatureschemeknowntobeunforgeable,pro- signatureschemesinwhichtheo-linestageisfeasible(thoughrelativelyslow)andbothon-line signingandvericationarefast. AGeneralConstruction videditisusedtosignasinglemessage);1

3 Theessenceoftheconstructionistousetheordinarysignatureschemetosign(o-line)arandomlyconstructedinstanceoftheinformationwhichenablesone-timesignature,andlaterto sign(on-line)themessageusingtheone-timesignatureschemewhichistypicallyveryfast.the 3.Afastcollision-freehashingscheme(i.e.,ahashingschemeforwhichitisinfeasibletond tags,butitisnotessentialforthebasicconstruction. hashingschemeismostlikelytobeusedinpracticeforcompressinglongmessagesintoshorter twostringswhichhashtothesamevalue). weuseamodicationofrabin'ssignaturescheme[15]intheroleoftheordinarysignaturescheme, anddesasabasisforaone-timesignaturescheme.thesecurityoftheseimplementationsis basedontheintractabilityoffactoringlargeintegersandtheassumptionthatdesbehaveslike arandomcipher.theonlycomputations(possibly)required,intheon-linephaseofthesigning process,areapplicationsofdes.vericationrequiressomedescomputations(yetnottoomany) andasinglemodularmultiplication.thecostlymodularcomputation,ofextractingsquareroots Wepresentseveralpracticalimplementationofthegeneralscheme.Intheseimplementations, One-timesignatureschemesplayacentralroleinourconstructionofon-line/o-linesignature computations(whichcanbeperformedmuchfasterthanexponentiation). One-timeSignatureSchemes moduloalarge(e.g.512-bit)compositeintegerwithknownfactorization,isperformedoline.areasonablechoiceofparametersallowstosign100-bittagsusingonly200on-linedes schemes.thisisduetothefactthattheyseemtooeramuchfastersigningprocessthan ordinarysignatureschemes.thedisadvantageofone-timesignaturescheme,namelythefact thatthesigning-keycanonlybeusedonce,turnsouttobeirrelevantforourpurposes. particular,weobservethatsigningerror-correctedencodingofmessagesrequirestheforgerto come-upwithsignaturesofstringswhichareverydierentfromthestringsforwhichithas Rabin[14]andseveralvariantsofithaveappearedsince(cf.[11]).Yet,arigorousanalysisof theirsecurityhasneverappeared.furthermore,theknownconstructionscanbeimprovedin oftheschemescanbeenhanced.wedescribeseveraltechniquesforachievingthesegoals.in severalrespects.inparticular,thelengthofthesignaturescanbedecreasedandthesecurity Ageneralmethodforconstructingone-timesignatureswasproposedinthelate70'sby obtainedsignaturesviaachosenmessageattack.thistranslatestoenhancedsecurityespecially whenthesignatureschemeinusedistheonedescribedin[14,11]. Security Todiscuss,eveninformally,theissueofsecurity,weneedsometerminology.Achosenmessage attackisanattemptofanadversarytoforgeasignatureofauseraftergettingfromhimsignatures tomessagesoftheadversary'schoice;inthisscenario,theuserbehaveslikeanoraclewhich answerstheadversary'squeries.theadversary'schoiceof(message)queriesmaydependonthe user'spublickeyandtheprevioussignaturestheadversaryhasreceived.aknownmessageattack 2

4 securitymeanstheinfeasibilityofforgingasignaturetoanymessageforwhichtheuserhasnot suppliedthesignature(i.e.,existentialforgeryintheterminologyof[8]). isanattemptofanadversarytoforgeasignatureofauseraftergettingfromhimsignatures tomessageswhicharerandomlyselectedinthemessagespace.(thesemessagesareselected withstandknownmessageattack.thisisdemonstratedinthefollowingtheoreticalresult,where thatbothsignatureschemesusedintheconstruction(i.e.,(1)and(2))dowithstandsuchattacks. However,inparticularimplementationsitsucestorequirethattheseunderlyingschemesonly independentlyoftheadversary'sactions.)inbothcases(chosenandknownmessageattacks), weuseasignaturescheme,secureagainstknownmessageattack,bothintheroleoftheordinary signatureschemeandinordertoimplementaone-timesignaturescheme.one-wayhashingis notusedatall.theresultingschemeissecureagainstchosenmessageattack.henceweget Asucientconditionfortheresultingsignatureschemetowithstandchosenmessageattackis againstachosenmessageattack[19].however,thisalternativeproofismuchmorecomplexand isobtainedviaanimpracticalconstruction.furthermore,thepreliminaryversionofourwork[6] one-wayfunctions,whilethelatterimplytheexistenceofsignatureschemeswhicharesecure onlyifsignatureschemessecureagainstknownmessageattackexist. WeremarkthattheaboveTheoremcanbederivedfromRompel'sworkbyobservingthatthe Theorem:Digitalsignatureschemesthataresecureagainstchosenmessageattackexistifand (whichincludesaproofoftheabovetheorem),predatesrompel'swork[19]. Organization existenceofasignatureschemesecureagainstknownmessageattackimpliestheexistenceof BasicdenitionsconcerningsignatureschemesarepresentedinSection2.InSection3,the timesignatureschemeisaddressedinsection4.concreteimplementationsofthegeneralscheme, whichutilizedierentconstructionsofone-timesignatureschemes,arepresentedinsection5. WeconcludewithaproofoftheTheoremstatedabove(Sec.6). 2SomeBasicDenitions generalconstructionofon-line/o-linesignatureschemeispresented.theconstructionofone- polynomial-timealgorithmssatisfyingthefollowingconventions: Followingtheinformalpresentationintheintroduction,werecallthefollowingdenitionsdueto Goldwasseret.al.[8]. Signatureschemes Denition1(signatureschemes):Asignatureschemeisatriplet,(G;S;V),ofprobabilistic AlgorithmGiscalledthekeygenerator.Thereexistsapolynomial,k(),calledthekey length,sothatoninput1n,algorithmgoutputsapair(sk;vk)sothatsk;vk2f0;1gk(n). 3

5 AlgorithmSiscalledthesigningalgorithm.Thereexistsapolynomial,m(),calledthe Therstelement,sk,iscalledthesigningkeyandthesecondelementisthe(corresponding) AlgorithmViscalledthevericationalgorithm.Foreveryn,every(sk;vk)intherangeof vericationkey. algorithmsoutputsastringcalledasignature(ofmessagemwithsigning-keysk).the messagelength,sothatoninputapair(sk;m),wheresk2f0;1gk(n)andm2f0;1gm(n), randomvariables(sk;m)issometimeswrittenasssk(m). G(1n),everyM2f0;1gm(n)andeveryintherangeofSsk(M),itholdsthat Notethatnisaparameterwhichdeterminesthelengthsofthekeysandthemessagesas signing-keyskcorrespondingtotheverication-keyvk.however,thisintuitivelyappealing (OnemayalsorequirethatV(M;vk;)=1impliesthatisintherangeofSsk(M)fora requirementisirrelevanttotherealissues{inviewofthesecuritydenitionswhichfollow.) wellasthesecurityoftheschemeasdenedbelow.weemphasizethattheabovedenitiondoes notsayanythingaboutthesecurityofthesignatureschemewhichisthefocusofthesubsequent denitions.weremarkthatsignatureschemesaredenedtodealwithmessagesofxedand conventions.forexample,shortermessagescanalwaysbepaddedtothedesiredlength,and predeterminelength(i.e.,m(n)).messagesofdierentlengthsaredealbyoneofthestandard canbehashedintothedesiredlengthbyuseofacollision-freehashingfunction.formoredetails seesection3.3. Typesofattacks originalmessage(e.g.,theithpiecewillcontainaheaderreadingthatitistheithpieceoutoft longermessagescanbebrokenintomanypieceseachbearinganidrelatingthepiecetothe Goldwasseret.al.discussseveraltypesofattacksranginginseverenessfromatotallynon-adaptive piecesofmessagewithaspecic(randomlychosen)idnumber).alternatively,longermessages one(inwhichtheattackeronlyhasaccesstothevericationkey)uptothemostsevereattack everconsidered(i.e.,chosenmessageattack,inwhichtheattackergetstheverication-keyand attackaswellasaspecial(andhenceweak)formofknownmessageattack(whichwecallrandom maygetsignaturestomanymessagesofitschoice).inthispaperwediscussthechosenmessage messageattack). Denition2(typesofattacks): Achosenmessageattackonasignaturescheme(G;S;V)isaprobabilisticoraclemachine where(sk;vk)isintherangeofg(1n).the(randomized)oraclesskanswersaquery thatoninput(aparameter)1nand(averication-key)vkalsogetsoracleaccesstossk(), 4

6 Arandommessageattackonasignaturescheme(G;S;V)isaprobabilisticoraclemachine q2f0;1gm(n)withtherandomvariablessk(q)=s(sk;q).(forsimplicityweassumethat thesamequeryisnotaskedtwice.) theymake(resp.,numberofsignaturesthattheyreceive). wewillexplicitlyspecifytherunning-timeoftheattackersaswellasthenumberofqueriesthat Theabovedenitiondoesnotrefertothecomplexityoftheattackingmachines.Inourresults independentlyselectedfromf0;1gm(n). (ri;ssk(ri)),where(sk;vk)isintherangeofg(1n)andeachoftheri'sisuniformlyand thatoninput1nandvkalsogetsaccesstoarandomoraclethatonqueryireturnsapair Goldwasseret.al.alsodiscussseverallevelsofsuccessfulnessofthe(various)attacks,ranging keyvk. Successofattacks fromtotalforgery/breaking(i.e.,abilitytoforgeasignatureforeverymessage)uptoexistential forgery/breaking(i.e.,abilitytoforgeasignatureforsomemessage). Denition3(successofattacks):Consideranattackoninputparameter1nandaverication- Wesaythatanattackhasresultedinexistentialforgeryifitoutputsapair(M;),sothat Wesaythatanattackhasresultedintotalforgeryifitoutputsaprogramforatimebounded1universalmachine,U,sothatV(M;vk;U(;M))=1holds,foreveryM2 Theabovedenitiondoesnotrefertothesuccessprobabilityoftheattackingmachines.In signaturehasbeenhandedover(bythesigningoracle)duringtheattack. M2f0;1gm(n)andV(M;vk;)=1,andMisdierentfromallmessagesforwhicha f0;1gm(n). betakenoverallpossible(sk;vk)pairsaccordingtothedistributiondenedbyg(1n),andover allinternalcoinipsoftheattackingmachinesandtheansweringoracles. Securitydenitionsforsignatureschemesarederivedfromtheabovebycombiningatypeofan ourresultswewillexplicitlyspecifythesuccessprobabilityoftheattackers.theprobabilitywill attackwithatypeofforgeryandrequiringthatsuchattacks,restrictedtospeciedtimebounds, failtoproducethespeciedforgery,exceptforwithaspeciedprobability.forexample,consider thefollowingstandarddenition. choiceofthepolynomial,aslongasitisgreaterthan-say-n2,isimmaterial(cf.,[9]). 1Thetimeboundcanbexedtobeaspecicpolynomial.Usingpaddingarguments,onecanshowthatthe 5

7 n'sitholdsthatf(n)<1=p(n).) secureifeveryprobabilisticpolynomial-timechosenmessageattacksucceedsinexistentialforgery withnegligibleprobability. (Afunctionisf:IN7!INiscallednegligibleifforeverypolynomialp()andallsucientlylarge Denition4(standarddenitionofsecuresignatureschemes):Asignatureschemeissaidtobe ofthevariousnotions,butforderivingresultsconcerningpracticalschemesoneshouldpreboundorsuccess-probability.thischoiceisjustiedandconvenientforatheoreticaltreatmenprobabilities. 3TheGeneralConstruction ferthemorecumbersomealternativeofspecifyingfeasibletime-boundsandnoticeablesuccess- Noticethatthereisnothingsacredinthechoiceofpolynomialsasspecicationforthetime- chosen)messageattack(ofcertaintime-complexityandsuccess-probability)ifitissecureagainst Letusrstdenedigitalsignatureschemeswithlessstringentsecurityproperties.Namely, Denition5Aone-timesignatureschemeisadigitalsignatureschemewhichcanbeusedto suchattackswhicharerestrictedtoasinglequery. legitimatelysignasinglemessage.aone-timesignatureschemeissecureagainstknown(resp., ForfurtherdetailsseeSection4. avoidsuchanexchangeweresuggestedbylamport,die,winternitzandmerkle;see[11].in particular,aone-timesignatureschemecanbeeasilyconstructedusinganyone-wayfunction. longasonedoesnotusethesecretpadtwice.anearlyversionofone-timesignaturewassuggested byrabin[14].itrequiredanexchangeofmessagesbetweenthesignerandsignee.schemeswhich Webelievethattheimportanceofone-timesignatureschemesstemsfromtheirsimplicity Noticetheanalogywithaone-timepad,whichallowsonetosendprivatemessagessecurelyas andthefactthattheycanbeimplementedveryeciently.ourconstructiondemonstratesthat 3.1TheBasicScheme one-timesignaturescanplayanimportantroleinthedesignofverypowerfulandusefulsignature schemes. Let(G;S;V)denoteanordinarysignatureschemeand(g;s;v)denoteaone-timesignature wewillalwaysattachtheterm\one-time"totermssuchas\signing-key"and\verication-key" associatedwiththeone-timesignaturescheme.hopefully,thiswillhelptoavoidconfusion. Asourconstructionusesbothaone-timesignatureschemeandanordinarysignaturescheme, scheme.bellowwedescribeourgeneralon-line/o-linesignaturescheme.inourdescriptionwe assumethatthesecurityparameterisn. 6

8 signingkey,sk. KeyGeneration O-LineComputation keys(vk;sk).heannounceshisverication-key,vk,whilekeepinginsecretthecorresponding Thekeygenerationforouron-line/o-lineschemecoincideswiththeoneoftheordinaryscheme. Theo-linephaseconsistsofgeneratingapairofone-timesigning/verifyingkeys,andproducing Namely,thesignerrunsGoninput1ntogenerateapairofmatchingvericationandsigning determinedatthisstage.followingisadetaileddescriptionoftheo-linephase.thesigner computesthesignatureofvk,usingtheordinarysigningalgorithmswiththekeysk.namely, runsalgorithmgoninput1ntorandomlyselectaone-timeverication-keyvkanditsassociated one-timesigning-keysk.(thispairofone-timekeysisunlikelytobeusedagain.)hethen independentlyofthemessage(tobelatersigned).furthermore,themessagemayevennotbe anordinarysignatureoftheone-timevericationkey.bothone-timekeysandthesignature arestoredforfutureuseintheon-linephase.westressthattheo-linephaseisperformed def aprecomputedunusedpairofone-timekeys,andusingtheone-timesigning-keytosignthe On-LineSigning Theon-linephaseisperformedonceamessagetobesignedispresented.Itconsistsofretrieving Thesignerstoresthepairofone-timekeys,(vk;sk),aswellasthe\precomputedsignature",. =SSK(vk) thencomputesaone-timesignaturedef M,thesignerretrievesfrommemorytheprecomputedsignature,andthepair(vk;sk).He message.thecorrespondingone-timevericationkeyandtheprecomputedsignaturetothe one-timevericationkeyareattachedtoproducethenalsignature.namely,tosignmessage VK,theverieractsasfollows.First,heusesalgorithmVtocheckthatisindeedasignature Verication Toverifythatthetriple(vk;;)isindeedasignatureofMwithrespecttotheverication-key ThesignatureofMconsistsofthetriplet(vk;;). =ssk(m) runningv,thatisindeedasignatureofmwithrespecttotheone-timeverication-keyvk. Namely,vericationprocedureamountstoevaluatingthefollowingpredicate of(theone-timeverication-key)vkwithrespecttotheverication-keyvk.next,hechecks,by VVK(vk;)^vvk(M;) 7

9 Key,MessageandSignatureLengths Letusdenotebyk()andm()thekeyandmessagelengthfunctionsfortheordinarysignature scheme.letl:in7!inbeafunctionboundingthelengthofthesignatureintheordinarysignature m1()andl1(),andthefunctionsfortheresultingon-line/o-lineschemebyk(),m()and scheme,asafunctionoftheparametern(ratherthanasfunctionofthemessagelength,m(n)). l().then,thefollowingequalitiesholdk(n)=k(n) Similarly,wedenotebythecorrespondingfunctionsfortheone-timesignatureschemebyk1(), Namely,thekey-lengthoftheon-line/o-lineschemeequalstheoneoftheordinaryscheme, whereasthemessage-lengthfortheon-line/o-lineschemeequalstheoneoftheone-timescheme. Inaddition,theordinaryschememustallowsignaturestomessagesoflengthequaltothekeylengthoftheone-timescheme.Eciencyimprovementscanbeobtainedbyusingcollision-free hashing,aswellasallowm(n)k1(n)andsigningtheone-timeverication-keybyhashingit m(n)=k1(n) m(n)=m1(n) hashingfunctions.thismayallowsettingm(n)=nanddealingwithlongermessagesby rst.fordetailsseesubsection3.3. linearlywiththekey-lengthoftheone-timescheme,evenincasehashingisused!namely, 3.2Security Thebasicon-line/o-linesignatureschemecanbeprovensecureagainstadaptivechosenmessage Finally,weremarkthatthelengthofthesignaturesproducedbytheresultingschemegrow attacksprovidedthatboththeoriginalschemes(i.e.,theordinaryscheme(g;s;v)andtheonetimescheme(g;s;v))aresecureagainstchosenmessageattack.asusualincomplexity-based l(n)=k1(n)+l(n)+l1(n) cryptography,theabovestatementisnotonlyvalidinasymptotictermsbutalsohasaconcrete timet()andprobability().then,foreveryn2inatleastoneofthefollowingholds: interpretationwhichisapplicabletospecickeylengths.duetothepracticalnatureofthe line/o-linesignatureschemecanbeexistentiallybroken,viaachosenq()-messageattack,in currentwork,wetaketheuncommonapproachofmakingthisconcreteinterpretationexplicit2. Namely, Lemma1SupposethatQ;T:IN7!INand:IN7!IRarefunctionssothattheresultingon- thepriceisworthpaying. 2Thisclearlyresultsinamorecumbersomestatement,butwebelievethatinthecontextofthecurrentpaper Theunderlyingone-timesignatureschemecanbeexistentiallybroken,viaachosen(single) ts(n)+ts(n))q(n),whereta(n)isaboundonthetimecomplexityofalgorithma. messageattack,withprobabilityatleast(n)=(2q(n))andwithintimetg(n)+t(n)+(tg(n)+ 8

10 speciedinthehypothesis. Thelemmaistobeunderstoodinthecounter-positive.Namely,ifboththeunderlying(ordinary andone-time)signatureschemescannotbebrokenwithintheparametersspeciedintheconclusionofthelemmathentheon-line/o-lineschemecannotbebrokenwithintheparameters Theunderlyingordinarysignatureschemecanbeexistentiallybroken,viaachosenQ(n)- messageattack,withprobabilityatleast(n)=2andwithintimet(n)+(tg(n)+ts(n))q(n). bythesignerunderthechosenmessageattack),orusesaone-timeverication-keyvkwhichhas notappearedpreviously.thus,oneofthefollowingtwocasesoccurs. Proof:Letusdenotetheresultingon-line/o-linesignatureschemeby(G;S;V).Suppose Case1:Withprobabilityatleast(n)=2,algorithmFformsanewsignatureusingaone-time eitherusesaone-timeverication-key,vk,whichhasappearedinaprevioussignature(supplied successprobability(n),viaachosenq(n)-messageattack.intherestofthediscussionwexn andconsidertheforgedsignatureoutputbyf(attheendofitsattack).thisforgedsignature thatfisaprobabilisticalgorithmwhichintimet()forgessignaturesof(g;s;v),with verication-keyusedinaprevioussignature.inthiscaseweusealgorithmftoconstructan algorithm,f1,forgingsignaturesoftheone-timesignaturescheme(g;s;v).looselyspeaking, signatureschemeinoneofitsresponsestof.incasefhaltswithaforgesignatureinwhich algorithmf1operatesasfollows.itcreatesaninstanceoftheordinarysignatureschemeand willbeabletoproducesignatures.algorithmf1willusetheattackedinstanceoftheone-time manyadditionalinstancesoftheone-timesignaturescheme.foralltheseinstances,algorithmf1 thatfalwaysasksq(n)queries(i.e.,messagestobesigned).algorithmf1uniformlyselectsan respondingkeys(sk;vk)fortheordinarysignaturescheme.withoutlossofgenerality,assume attack.detailsfollow. integeri2f1;2;:::;q(n)g,andinvokesalgorithmfoninputvk.(motivatingremark:algorithm theattackedinstanceoftheone-timeschemeappears,thenalgorithmf1hassucceededinits operatorssk,algorithmf1proceedsasfollows.algorithmf1runsgtoobtainapairofcor- F1willusetheveryinstanceitattacksintheithmessagetobesignedforF.) Oninputvkandaccesstoachosen(single)messageattackonthecorrespondingsigning ordinarysigning-keysk,algorithmf1suppliestherequiredsignature(vk;ssk(vk);). signingkeys.incasej=i,algorithmf1usesitsthesinglemessageattack,whichitisallowed, toobtainasignaturetothemessagemi(relativetotheverication-keyvk).usingandthe NotethatF1hasnodicultydoingsosince,havingproducedSKandskj,itknowstherequired pairofone-timekeys3,denoted(skj;vkj),andanswerswiththetriplet(vkj;ssk(vkj);sskj(mj). thejthmessage,denotedmj,isproducedasfollows.ifj6=i,algorithmf1runsgtogeneratea Inthesequel,F1suppliesFwithsignaturestomessagesofF'schoice.Thesignatureto (whichitknows)inordertoforgesignatures,relativetovk(=vkj),toanymessage. 3Weremarkthatitisveryunlikelythatvkjequalsvk.Yet,ifthishappensthenalgorithmF1canuseskj 9

11 M6=Mi,algorithmF1obtains(andindeedoutputs)asignaturetoanewmessagerelativetothe one-timeverication-keyvk.hence,theattackontheone-timesignatureschemesucceedswith verication-keyswhichhasappearedbefore.withprobability1=q(n),conditionedontheevent one-timeverication-keyusedintheithsignature,namelytheone-timeverication-keyvk.since thatsuchaforgedsignatureisoutputbyf,theforgedsignatureoutputbyfusesthesame message,denotedm,inwhichtheone-timeverication-keyisidenticaltooneoftheone-time Eventually,withprobabilityatleast(n)=2,algorithmFhaltsyieldingasignaturetoanew Foreachoftheseinstances,algorithmF2willbeabletoproducesignatures.AlgorithmF2will algorithmf2operatesasfollows.itcreatesmanyinstancesoftheone-timesignaturescheme. algorithm,f2,forgingsignaturesoftheordinarysignaturescheme(g;s;v).looselyspeaking, verication-keynotusedinprevioussignatures.inthiscaseweusealgorithmftoconstructan Case2:Withprobabilityatleast(n)=2,algorithmFformsanewsignatureusingaone-time bytg(n)+t(n)+q(n)(tg(n)+ts(n)+ts(n)). 2Q(n).WeobservethatthetimecomplexityofalgorithmF1canbebounded supplyfwithsignaturestomessagesofitschoice.incasefhaltswithaforgesignaturein usethechosenmessageattackontheordinarysignatureschemetoobtainsignaturestothese attack.detailsfollow. whichanewinstanceoftheone-timeschemeappears,thenalgorithmf2hassucceededinits one-timeverication-keysandusingthecorrespondingone-timesigning-keysf2willbeableto thechosenmessageattacktoobtainanordinarysignature,denotedj,tovkj(relativetothe ordinaryverication-keyvk)andreplieswiththetriplet(vkj;j;sskj(mj).(notethatf2hasno dicultyproducingsskj(mj)sinceitknowstherequiredsigningkey.) SSK),algorithmF2invokesFoninputVKandsuppliesFwithsignaturestomessagesofF's choiceasfollows.tosupplyasignaturetothejthmessage,denotedmj,algorithmf2starts byrunninggtogenerateapairofone-timekeys,denoted(skj;vkj).algorithmf2thenuses OninputVK(andaccesstochosenmessageattackonthecorrespondingsigningoperator probabilityatleast(n) ordinaryverication-keyvk.hence,theattackontheordinarysignatureschemesucceedswith whichcontainsanssk-signatureofaone-timeverication-keywhichhasnotappearedsofar.in thiscase,algorithmf2obtains(andindeedoutputs)asignaturetoanewmessagerelativetothe Eventually,withprobabilityatleast(n)=2,algorithmFyieldsasignaturetoanewmessage natureschemeresistsgeneralchosenmessageattacks(whichmaydependonthecorresponding verication-key),eveniftheunderlyingordinaryandone-timesignatureschemesonlyresists 2,areobliviousofthecorrespondingverication-key.Hence,theresultingon-line/o-linesig- Remark:Thechosenmessageattacksdescribedintheaboveproof,bothinCase1andCase byt(n)+q(n)(tg(n)+ts(n))andthatitasksq(n)queries.thelemmafollows.2 2.WeobservethatthetimecomplexityofalgorithmF2canbebounded chosenmessageattackswhichareobliviousofthecorrespondingverication-key. Recallingthestandarddenitionofsecurity(i.e.,Def.4),weget 10

12 3.3EciencyConsiderations Theo-linecomputation,inourscheme,reducestogeneratinganinstanceoftheone-timesignatureschemeandcomputingthesignatureofasinglestring(specically,theone-timevericationkey)intheordinaryscheme.Theon-linephaseofthesigningprocessmerelyrequiresapplying providedthattheunderlyingordinaryandone-timesignatureschemesaresecure. Theorem1Theresultingon-line/o-linesignatureschemeissecure(inthestandardsense) fasterthansigningalgorithmsofordinaryschemes.indeedthisseemtobethecaseifoneusesthe DESisusedasaone-wayfunction. one-timesignatureschemesbasedonone-wayfunctions,describedinsection4,andespeciallyif vantageousforthesigneronlyifthesigningalgorithmsofone-timesignatureschemesaremuch signaturescheme)ismuchfasterthansigningintheordinaryscheme,theentireon-line(signing thesigningprocessoftheone-timesignaturescheme.hence,ouron-line/o-lineschemeisad- andverication)processissped-up.thecondition(i.e.,muchfasterverication)issatisedin Rabin'sschemeaswellasinRSAwhenusedwithsmallvericationexponent(e.g.,3).Hence, attractiveimplementationofthegeneralschemecanbepresented{seesection5. Incasethevericationprocedureintheordinarysignaturescheme(andintheone-time thesameimage.4assumingtheintractabilityoffactoring(alternativelyofextractingdiscrete thetimerequiredforsigning(aswellasverication)istouseveryfasthashingfunctionswhich maplongstringsintomuchshorterones.thishashingfunctionshavetobesecureinthesense Logarithms),suchfunctionscanbeconstructed[3,8].Yet,inpracticalimplementations,one thatitishardtoformcollisions;namely,ndtwostringswhicharemappedbythefunctionto theordinaryandone-timesigningalgorithmsareapplied.astandardpracticeusedtoreduce Amajorfactoreectingtheeciencyoftheaboveschemeisthelengthofthestringstowhich mayusemuchfasterhashingschemes.atypicalexampleisthemd5recentlysuggestedby doesnotappearintheforgedsignature.intherstcase,wederiveanalgorithmwhichcontradicts thecollision-freepropertyofthehashingfunction,whereasinthesecondcaseweproceedasin hashedvaluewhichhasappearedinprevioussignatures,andthecasethatsuchahashedvalue theproofoflemma1. Rivest[17,18]. oflemma1.namely,oneconsiderstwocases:thecasethataforgedsignatureisformedusinga 4Actually,alowerlevelofsecuritysucesforourpurposes.Specically,itsucesthatthefunctionisone-way Thesecurityofaschemewhichuseshashingcanbeproveninawayanalogoustotheproof underthehashingfunction,tothesameimage[12].itisknownthatone-wayhashingfunctionscanbeconstructed usinganyone-wayfunction[12,19],butthisconstructionisveryfarfrombeingpractical. hashing;namely,givenapreimagetothefunctionitisinfeasibletondadierentpreimagewhichismapped, 11

13 butnotintheon-lineone.thus,ourconstructionmaybecomeevenmoreusefulifordinary vericationandsecretkeyswillbenecessary.thiswillcauseaslowdownintheo-linestage, Mostordinarysigningalgorithmsarebasedonthecomputationaldicultyofintegerfactorization.Shouldsomemoderatelyfasterfactoringalgorithmcomeabout,thenlongerordinary 3.4ARemark signatureschemeswillbecomeslowerduetoincreasingsecurityrequirements. 4One-TimeSignatureSchemesBasedonOne-WayFunction One-timesignaturesschemesplayacentralroleinourconstructionofon-line/o-linesignature schemes.ageneralmethodforconstructingone-timesignatureshasbeenknownforarelatively Letfbeaone-wayfunction;namely,weassumethatfispolynomial-timecomputablebutit theknownconstructionscanbeimproved{asshownbelow. 4.1TheBasicConstruction Westartwiththebasicconstruction(ofone-timesignatureschemesbasedonone-wayfunctions). longtime;cf.,[14,11].yet,arigorousanalysisoftheirsecurityhasneverappeared.furthermore, whethertheymatchthecorrespondingstringsintheverication-key.looselyspeaking,this fromapplyingftoauniformlychosenpreimage).thesigning-keyconsistsofasequenceofm pairsofn-bitlongstrings,(x01;x1);:::;(x0m;x1m),andtheverication-keyconsistsoftheresultof applyingtheone-wayfunctionftoeachofthe2mstrings(i.e.,theverication-keyconsistsofthe 1:::m,thesignerrevealsx1 sequence(f(x01);f(x1));:::;(f(x0m);f(x1m)),wherefistheone-wayfunction).tosignthemessage isinfeasibletoinvertfwithnoticeablesuccessprobability(takenoverthedistributionresulting schemeissecuresinceotherwisewegetawaytoinverttheone-wayfunctionf.furtherdetails willbecomeobviouslater. 4.2Shorteningthelengthsofkeysandsignatures 1;:::;xm t,andthesigneeappliesftotherevealedstringsandchecks Asomewhatrepellingpropertyofthebasicconstructionisthatitusesverylongkeysandsignatures.Additionalideascanbeusedtoreducetheselengths.Westartwithanideawhictionisdoneintheobviousmanner(i.e.,applyingftothesuppliedxi'sandapplyingfm Pito message1:::m,thesignerrevealsthexi'sforwhichi=1aswellasydef insteadofthe2mstringsusedabove.thesigning-keyconsistsofasequenceofm+1(n-bitlong) strings,x0;x1;:::;xm,andtheverication-keyconsistsofthesequencefm(x0);f(x1);:::;f(xm), whereft(x)denotesthestringresultingfromxbyapplyingfsuccessivelymtimes.tosignthe y).intuitively,thezero-componentservesasan\accumulator"fortherest.toprovethatthe isattributedin[11]towinternitz.theideaistouseonlym+1strings,eachoflengthn, 12 =fpi(x0).verica-

14 byiteratingituptomtimes(cf.,[9]).detailsfollow. signatureschemeissecureweneedtoassumethatfisone-wayalsoonthedistributionobtained indicatordetermininghowmanytimesfhastobeappliedtoeachoftheindividualstringsin thesigning-keysotoformthesignature.notethatinthepreviousconstruction,dependingon thebitsofthemessagetobesigned,thefunctionfisappliedbetweenmand0timestox0,and eitheronceornotatalltoeachxi,fori6=0.aprecisedescription,whichcombinesbothideas, follows. Anotherideaistobreakthemessagetobesignedintoblocksandtouseeachblockasan functionm(). functionsothat1t(n)=poly(n)andf:f0;1g7!f0;1gbeafunction,bothcomputable Construction1(basedonaccumulatorandblockpartition):Lett:IN7!INbeaninteger inpolynomial-time.weconsiderthefollowingone-timesignatureschemeformessagelength signing:tosignamessagem2f0;1gm,itst-bitlongblocks,1;:::;m=t,areinterpreted keygeneration:oninput1n,thekey-generatoruniformlyselectsx0;x1;:::;xm=t2f0;1gn, wheremdef verication-keyisydef asintegers5andthesignature =m(n)andtdef =f(2t 1)(m=t)(x0);f2t 1(x1);:::;f2t 1(xm=t): =t(n).thesigning-keyconsistsofthesexi's,whereasthe verication:thecomponentsofthesignaturevectoraresubjectedtothecorresponding verication-keyy=(y0;y1;:::;ym=t),onecomputes toverifythat(z0;z1;:::;zm=t)constitutesasignaturetom=(1;:::;m=t)relativetothe numberofapplicationsoffandtheresultiscomparedtotheverication-key.namely, iscomputed. fpi(x0);f2t 1 1(x1);:::;f2t 1 m=t(xm=t) Lemma2SupposethatT:IN7!INand:IN7!IRarefunctionssothattheaboveone-time signatureschemecanbeexistentiallybroken,viaachosen(single)messageattack,intimet() andprobability().then,foreveryn2inandsomei(m=t)(2t 1)thefunctionfcanbe andcomparestheresultingvectortothevectory. f(2t 1)(m=t) Pi(z0);f1(z1);:::;fm=t(zm=t) arandomvariableuniformlydistributedoverf0;1gn. invertedondistributionfi(un)intimet(n)andsuccessprobability(n) 5i.e.,thestring0tisinterpretedas0,thestring0t 11as1,etc. 13 (m=t)2t+1,whereundenotes

15 InthestatementofLemma2,aswellasinallotherlemmatainthissection,weignorethetime requiredtocomputethefunctionf(intheforwarddirection!).namely,theinvertingalgorithm (oftheconclusion)actuallyrunsintimet(n)+2t(m=t)tf(n)(ratherthant(n)),where Tfdenotesthecomplexityofcomputingf.Thisomissionisjustiedsincetheadditivetermis negligibleinallreasonableapplicationsofsuchlemmata. iterateoff. chosen(single)messageattack,intimet()andprobability().hence,foreveryn2in,with casesoccurs. Case1:thereexistsanjsothatbj<cj.InthiscasewecanuseFtoinvertfonthe(2t 1 bj)th probability(n),algorithmfrstasksforasignatureofm2f0;1gmandthenproducesa signaturetom06=m.letm=b1bm=tandm0=c1cm=t.then,oneofthefollowingtwo proof:letfbeaprobabilisticalgorithmthatexistentiallybreakstheone-timescheme,viaa thealgorithmselectsbuniformlyinf1;:::;(m=t)2tg,andotherwisebisselecteduniformlyin formedasinthekey-generation,exceptthatthejthcomponentisfb(y).weinvokefwiththis f1;:::;2tg.setbdef selectsj=0withprobability12andjuniformlyinf1;:::;(m=t)gotherwise.incasej=0, Case2:Pmj=1bj>Pmj=1cj.InthiscasewecanuseFtoinvertfonthe(Pbj)thiterateoff. cansupply(i.e.,thejthcomponentisnotsmallerthanb)andreturnsasignatureofamessagein verication-key.withprobabilityatleast(n) Theactualinvertingalgorithmissimilarinthetwocases.Oninputy,theinvertingalgorithm whichthejthcomponentissmallerthanb.thisyieldsaninverseofyunderf,andthelemma follows.2 =(m=t)(2t 1) bifj=0andbdef (m=t)2t+1,algorithmfasksforthesignaturethatwe =2t 1 botherwise.theverication-keyis 4.3Enhancingsecuritybyuseoferror-correctingcodes (n))mm(n)(for(n)1=m).hence,incaset=1,thesecuritylossofafactormis ontheone-timesignatureschemewhichexistentiallyforgesasignaturewithprobability1 (1 inevitable.similarly,forgeneralt1,wegetaninevitablelossofsecuritybyamtfactor. invertingfwithprobability(n)(intimet(n))yieldsa(mt(n)-time)chosenmessageattack Remark:Fort=1,thestatementofLemma2istightinthefollowingsense.Anyalgorithm functiononmanypointsratherthanonasingleone.forsakeofsimplicity,letusapplytheidea Asjustremarked,thesecuritylossofafactorofm=tintheaboveconstructionisinevitable. rsttothebasicconstruction(ofsubsection4.1). Toavoidthisloss,weneedanewidea.Looselyspeaking,theideaistoencodemessagesviaa themoderateincreaseinthelengthofthemessagetobesignedwillprovideasubstantialbenet. Thereasonbeingthatinordertoforgeasignaturetheadversaryneedstoinverttheone-way gooderror-correctingcodeandsigntheencodedmessageratherthantheoriginalone.thisidea standsincontrasttothecommonpracticeoftryingtoshortenthemessagetobesigned.yet, 14

16 Backgroundonerror-correctingcodes Forourpurposes,wedon'trequirethecodetohaveanecientdecodingalgorithm.Hence,for Denition6(error-correctingcode[10]):A(m();m0();d())-codeisan(ecientlycomputable) ourpurposes,wecanuserandomlinearcodes(i.e.,amappingdenedbymultiplicationbya mapping,,ofm()-bitlongstringstom0()-bitlongstringssothat,foreverytwox6=y2 wheredist(;)denotesthehammingdistance(i.e.,numberofmismatches)betweenand. randomm-by-m0booleanmatrix).bythegilbert-varshamovbound[10,20]auniformlychosen f0;1gm(n), m-by-m0matrixdenesa(m;m0;d)-codewithprobability1 pprovidedthat dist((x);(y))d(n) d 1 Xi=1 andm0=160onegetsd=23(>0:143)[10,appendixa.1].form=128,weuseacodewith m=79andm0=128thereexistsacodewithdistanced=15(>0:117),whereasform=80 valuesofm0andmlargervaluesofareattainablebyspeciallydesignedcodes.forexample,for 6Alternatively,m0=3m,p=2 m=2andd=m0whereh2()12(=18willdo).forsmall Forexample,wecansetm0=2m,p=2 m=2andd=m0whereh2()14(=120willdo). i!<p2m0 m+1 checksthatcindeedequals(m).hence,achosenmessageattackneedstoproduceasignature Basicschemewitherror-correctingcodes distanced=13andcodewordsoflengthm0=185,yielding>0:07. toastringc0thatisnotonlydierentfromc,butisalsoatdistanceatleastdfromc. signsc.inadditiontoverifying,asusual,thatcisproperlysigned,thevericationprocedure Looselyspeaking,tosignamessageMonerstcomputesthecodewordCdef Construction2(usingerror-correctingcodes):Letf:f0;1g7!f0;1gbeaone-wayfunction and:f0;1g7!f0;1gbea(m();m0();d())-code.weconsiderthefollowingone-timesignature =(M)andthen schemeformessagelengthfunctionm(). signing:tosignamessagem2f0;1gm,onecomputes1m0def keygeneration:oninput1n,thekey-generatoruniformlyselectsx01;x1;:::;x0m0;x1m02f0;1gn, wherem0def f(x01);f(x1);:::;f(x0m0);f(x1m0). =m0(n).thesigning-keyconsistsofthesexji's,whereastheverication-keyis 6Asusual,H2(x)def asthesignaturetom. = (xlog2x+(1 x)log2(1 x))denotesthebinaryentropyfunction. x1 1;:::;xm0 =(M)andreveals 15

17 Lemma3SupposethatT:IN7!INand:IN7!IRarefunctionssothattheaboveone-time signatureschemecanbeexistentiallybroken,viaachosen(single)messageattack,intimet() andprobability().then,foreveryn2in,thefunctionfcanbeinvertedintimet(n)and verication:thecodewordc=(m)iscomputedandthefunctionfisappliedtothe successprobability(n) revealedstrings.theresultischeckedagainstthecorrespondingstringsinthevericationkey. andprobability().then,foreveryn2in,thefunctionfcanbeinvertedintimet(n)and (ofsubsection4.1)canbeexistentiallybroken,viaachosen(single)messageattack,intimet() Corollary4SupposethatT:IN7!INand:IN7!IRarefunctionssothatthebasicconstruction Asaspecialcase,wederiveaboundforthesecurityofthebasicconstruction.Namely, 2(n),where(n)def =d(n) successprobability1 m0(n). proofoflemma3:letfbeaprobabilisticalgorithmthatexistentiallybreakstheone-time scheme,viaachosen(single)messageattack,intimet()andprobability().hence,forevery thecode,bi6=ciforatleastafractionofthei2f1;:::;m0g. producesasignaturetom06=m.let(m)=b1bm0and(m0)=c1cm0.bydenitionof n2in,withprobability(n),algorithmfrstasksforasignatureofm2f0;1gmandthen 2m(n). thatthe(2(i 1)+j)stcomponentisy,andinvokesFwiththisverication-key.Withprobability withprobability(n),algorithmfreturnsasignatureofamessagem0andwithprobabilityat i2f1;:::;m0gandj2f0;1g.next,aformsaverication-keyasinthekey-generation,except leasttheithbitof(m0)isdierentfromtheithbitof(m).thisyieldsaninverseofyunder f,andthelemmafollows.2 12,algorithmFasksforthesignature,toamessagedenotedM,thatAcansupply.Inthiscase, Theinvertingalgorithm,A,operatesasfollows.Oninputy,algorithmAuniformlyselects key).thepartitionintoblockstsverynicelywitherror-correctingcodes,providedm0 t-bitlongblocks.eachblockisassignedapairofstringsinthesigning-key(resp.,verication- Infact,weonlyuseoftheshorteningideas;specically,thepartitionofthebinarystringinto Wenowcombinetheshorteningideasofsubsection4.2withthecodingideajustpresented. Schemewithblockcoding elementsingf(2t)specifyingapolynomialofdegree(m=t) 1overthiseld,andthecodeword isthesequenceofvaluesthispolynomialyieldson(m0=t)dierentelementsoftheeld(hence m=tblocksusingm0=tblocks(eachoflengtht).ourencodingschemeviewsthem=tblocksas Namely,wepartitionthem-bitlongmessageintom=tblocks(eachoflengtht)andencodethese therequirementm0 hasthepropertythatdierentmessages(viewedaspolynomials)aremappedtocodewordsthat t2t).thisencoding,knownasblock-codingandspecicallyasbchcode, t2t. 16

18 functionm()<m0(). to(m0 m)=t. Construction3(basedonblockpartitionandcoding):Lett:IN7!INbeanintegerfunctionso inpolynomial-time.weconsiderthefollowingone-timesignatureschemeformessagelength that1t(n)=poly(n)andm0(n) agreeonatmost(m=t) 1values.Hence,the`blockdistance'betweencodewordscorresponds keygeneration:oninput1n,thekey-generatoruniformlyselectsx01;x1;:::;x0m0=t;x1m0=t2 f0;1gn,wherem0def =m0(n)andtdef t(n)2t(n),andf:f0;1g7!f0;1gbeafunction,bothcomputable signing:tosignamessagem2f0;1gm,itst-bitlongblocks,1;:::;m=t,areinterpretedas elementsingf(2t)specifyingapolynomialofdegreet 1overtheeld(i.e.,iisinterpreted theverication-keyisf2t 1(x01);f2t 1(x1);:::;f2t 1(x0m0=t;f2t 1(x1m0=t) =t(n).thesigning-keyconsistsofthesexji's,whereas verication:thepolynomialanditsvaluesatthem0=tpointsisconstructedasabove,the iscomputed. thesignaturef1(x01);f2t 1 1(x1);:::;fm0=t(x0m0=t);f2t 1 m0=t(x1m=t) eldelementsarenowinterpretedasintegers,denoted1;:::;m0=t2f0;1;:::;2t 1g,and asthei 1stcoecientofthepolynomial).Thevaluesofthepolynomialatsomem0=t componentsofthesignaturevectoraresubjectedtothecorrespondingnumberofapplicationsoffandtheresultiscomparedtotheverication-key. successprobability Lemma5Letm0(n)=(1+)m(n),forsomeconstant>0.SupposethatT:IN7!INand :IN7!IRarefunctionssothattheaboveone-timesignatureschemecanbeexistentiallybroken, andsomei(2t 1)thefunctionfcanbeinvertedondistributionfi(Un)intimeT(n)and viaachosen(single)messageattack,intimet()andprobability().then,foreveryn2in proof:usingthesameideasasintheproofsofthelasttwolemmata.2 Remark:Wecanset2t=m0 f0;1gn. (1+)2t(n),whereUndenotesarandomvariableuniformlydistributedover than1. constructionwhileusingkeysandsignatureswhichareonly4timesaslargeasthoseusedin Construction1.Ingeneral,theboundonsuccessprobabilityofattacksinthenewconstruction isrelatedtotheboundinthebasicconstructionbyafactorof(1+)2 tand=1.then,fort4,wegetsecurityatleastasinthebasic 17 t,whichistypicallysmaller

19 4.4Furtherenhancingsecurity Thereadermaynotethatintheenhancedsecurityassertedintheprevioussubsectionstemsfrom thefactthatwhenusingaforgingalgorithmwehaveabetterchancethatitinvertsthefunctionon thedesiredcomponent(providedthatwechoosethedesiredcomponentatrandom).wedidnot takeadvantageofthefactthatthisforgingalgorithminvertsthefunctiononmanycomponents. Todosowehavetoconsidertheproblemofsimultaneouslyinvertingaone-wayfunctiononmany images,andtoshowhowthisproblemreducestoforgingsignaturesinconstructions2and3. Oncethisisdone,thesecurityofthesignatureschemeisbasedonthedicultyofinvertingthe functiononmanyimages,ataskthatmaybemoredicultthaninvertingthefunctiononasingle image.forexample,time-probabilitytrade-osinexhaustivesearchforinvertingafunctionare invertedonk(n)images,intimet(n)andsuccessprobability k:in7!insothatk(n)d(n).then,foreveryn2in,thefunctionfcanbesimultaneously existentiallybroken,viaachosen(single)messageattack,intimet()andprobability().let thesubsequentsection). Lemma6SupposethatT:IN7!INand:IN7!IRarefunctionssothatConstruction2canbe lessfavorablewhenoneneedstoinvertthefunctiononseveralinstances(seeassumption2in proof:similartotheproofoflemma3.fixinganyn2in,theinvertingalgorithm,a,operatesasfollows.oninputy1;:::;yk,algorithmauniformlyselectskdierentelements,denoted 1 i1;i2;:::;ik,inf1;:::;m0gandj1;:::;jk2f0;1g.next,aformsaverication-keyasinthekeygeneration,exceptthatforeverylkthe(2(il 1)+jl)stcomponentisyl,andinvokesthe Yl=0d(n) l 2(m0(n) l)1ak(n)(n) rithmfreturnsasignatureofamessagem0.withprobabilityatleastdm0d 1 signature,toamessagedenotedm,thatacansupply.inthiscase,withprobability(n),algo- bitlocationsi1throughikof(m0)and(m)areallindisagreement.thisyieldsinverseofy1 throughykunderf,andthelemmafollows.2 Usingsimilarideas,weget forgingalgorithm,f,withthisverication-key.withprobability1 2k,algorithmFasksforthe Lemma7Letm0(n)=(1+)m(n),forsomeconstant>0.SupposethatT:IN7!INand m0 1d k+1 m0 k+1,the :IN7!IRarefunctionssothatConstruction3canbeexistentiallybroken,viaachosen(single) denotearandomvariableuniformlydistributedoverf0;1gn.then,foreveryn2inandsome messageattack,intimet()andprobability().letk:in7!insothatk(n)m(n)andun i1;:::;ik(n)(2t(n) 1)thefunctionfcanbesimultaneouslyinvertedonk(n)images,takenfrom 18

20 thedistributionsfi1(un)throughfik(n)(un),intimet(n)andsuccessprobability 5ConcreteImplementations 1 Yl=0(1+ (l=m))2t(n)1ak(n)(n) AlltheconcreteimplementationuseRabin'sscheme[15]inroleoftheordinarysignaturescheme andthedesasaone-wayfunctionusedtoconstructaone-timesignaturescheme.theimplementationsdierbytheconstructiontheyuseforaone-timesignaturescheme.theconstructions ofone-timesignatureschemeusedarethosepresentedintheprevioussection. Wenowsuggestconcreteimplementationsofourgeneralon-line/o-linesignatureschemeoering faston-linecomputations(bothforsignerandverier). 5.1TheIngredients everyintegerv2zn(themultiplicativegroupmodulon)exactlyoneoftheelementsintheset Theordinarysignaturescheme Svdef modication,weuseintegerswhicharetheproductoftwolarge(say256bitslong)primes,one congruentto3modulo8andtheothercongruentto7modulo8.forsuchanintegernandfor IntheroleoftheordinarysignatureschemeweuseamodicationofRabin'sscheme[15].Inthis andisconsideredintractableotherwise. denotedextpvmodn,tobeadistinguishedsquarerootmodulon(say,thesmallestone)ofthe exactly4distinctsquarerootsmodn.letusdenetheextendedsquarerootofvmodulon, appropriatememberofsv.computingextpvmodnisfeasibleifthefactorizationofnisknown, =fv; v;2v; 2vgisasquaremoduloN(see[21,8]).Moreover,eachsquaremoduloNhas squarerootofm,modulona.anyonecanverifythatisalegitimatesignatureofmby 2ndeighthofZN(i.e.,fv2ZN:N8<v<N4g). ofna.signingmessagem,inthemodiedrabinscheme,amountstoextractinganextended messagesarersthashedintosuchanelement.itisassumedthatthemessagespacesatisesthe followingcondition:ifv6=uthensv\su=;.thiscanbeenforcedbyusingonlyvaluesofthe Themessagespaceisassociatedwiththeelementsoftheabovemultiplicativegroup.Larger thisproblemisreallyimportanttoourapplication,neverthelesspaddingbyarandomsux(cf., [15])overcomestheobviousattack. computing2modnaandcheckingthatitindeedbelongstothesetsm. ConsiderauserA,whosepublic-keyisamoduloNA.UserAaloneknowsthefactorization Theschemedescribedsofarisnotsecureagainstexistentialforgery.Itisnotclearwhether 19

21 Fortheone-timesignaturescheme,weuseanyoftheconstructionspresentedinSection4.These messageattack,whentheintegerswhichareusedaretheproductoftwolarge(say256bitslong) primes. Theone-timesignaturescheme WeassumethatitisinfeasibletobreakthemodiedRabinscheme,evenafterachosen message,m,usingdeswithkeyx. aone-wayfunctionf(x)def Thecollision-freehashingscheme constructionsexhibitatrade-obetweenkeyandsignaturesize,ononehand,andcomputationtimeandsecurityontheotherhand.inparticular,weproposetousethedesalgorithmas Inroleofthecollision-freehashingfunctionweuseanystandardwayofusingDESinahashing mode.(see,forexample,[14].)alternatively,onemayusetherecentlysuggestedmd4ormd5 =DESx(M);thatis,thevalueobtainedbyencryptingastandard (cf.,[17,18]).werecommendthathmapsarbitrarilylongstringsto128-bitlongstrings(i.e., ordinarysignatureschemeandthedesasaone-wayfunctionusedforaone-timesignature implementationofthegeneralschemewiththemodiedrabinschemeplayingtheroleofthe Wenowdescribefourversionsoftheconcreteimplementation.Westartwithastraightforward 5.2FourImplementations m=128).forsomeapplications,onemaybecontentwithm=64. therstoneonlyinthewayinwhichtheone-wayfunctionisusedtoconstructaone-time scheme(asinthebasicconstructionofsection4).theotherthreeimplementations,dierfrom Implementation1ThemodiedRabinscheme,withprimesoflength256,isusedastheordinarysignaturescheme.Asone-timesignaturescheme,formessagelengthm=128,weusethwayfunctionn=56.Thetotallengthofthesignatureintheresultingon-line/o-lineschemeis 3mn+512,whichforourchoiceofparameters(i.e.,m=128andn=56)yields22;016.The basicconstructionofsection4withdesinroleoftheone-wayfunction.finally,fastcollisionfreehashingfunctionsareusedtohasharbitrarilylongstringstom-bitstrings. mosttime-consumingoperationintheo-linesigningphaseisthecomputationofanordinary amountstomdescomputations,thatmaybeperformedinparallel,andasinglemultiplication signatureinthemodiedrabinscheme,whichamounttoextractingsquarerootsmodulo256-bit primes.on-linesigningonlyinvolvesretrievingrelevantinformationfrommemory.verication Thekey-lengthfortheone-timesignatureschemeis2mn,whereincaseofDES-basedone- byafactorof2t 1.Fort=4thistradeoseemsworthwhile.Namely, moduloa512-bitinteger(i.e.,vericationinthemodiedrabinscheme).thesignaturesandkeys canbeshortenedbyafactoroftifwearewillingtoincreasethenumberofdescomputations 20

22 Implementation2Theordinarysignatureschemeandthecollision-freehashingfunctionare weuseconstruction1(ofsection4),witht=4.again,desisusedinroleoftheone-way asinthepreviousimplementation.asone-timesignaturescheme,formessagelengthm=128, ofdesoperationsincreasesbyafactorof2t 1=15.However,thesecurityofthecurrent implementationisdecreasedbyafactorof2t 1 parameters(i.e.,m=128,t=4andn=56)wegetsignaturelengthof4;208.thenumber signatureintheresultingon-line/o-lineschemeisthus2(1+mt)n+512.forourchoiceof function. usingconstruction3asabasisfortheone-timesignaturescheme.namely, Now,thekey-lengthfortheone-timesignatureschemeis(1+mt)n,andtotallengthofthe Implementation3Theordinarysignatureschemeandthecollision-freehashingfunctionare asinthepreviousimplementations.asone-timesignaturescheme,formessagelengthm=120, weuseconstruction3(ofsection4),withm0=160andt=5.again,desisusedinroleof theone-wayfunction. t=3:75.improvedsecuritycanbeobtainedby signatureintheresultingon-line/o-lineschemeis4m0 (i.e.,m=120,m0=160,t=5andn=56)wegetsignaturelengthof7;680.thenumber ofdesoperationsisaboutthreetimesasmuchasinthepreviousimplementation.however, thesecurityofthecurrentimplementationisevenbetterthaninimplementation1.togeteven bettersecurityweusedconstruction2 Now,thekey-lengthfortheone-timesignatureschemeis2m0 tn+512.forourchoiceofparameters tn,andthetotallengthofthe Implementation4Theordinarysignatureschemeandthecollision-freehashingfunctionare asinthepreviousimplementations.asone-timesignaturescheme,formessagelengthm=120, weuseconstruction2(ofsection4),withm0=185andd=13.again,desisusedinroleof theone-wayfunction. parametersspeciedabove).forthereader'sconveniencewealsopresenttherelativesecurity (i.e.,m=128,m0=185andn=56)wegetsignaturelengthof31;592.thenumberofdes operationsis185(insteadof128inimplementation1). Thecomplexityboundsforthefourimplementationsaretabulatedbelow(forthechoiceof signatureintheresultingon-line/o-lineschemeisthus3m0n+512.forourchoiceofparameters Now,thekey-lengthfortheone-timesignatureschemeis2m0n,andtotallengthofthe oftheseimplementations.thesecurityguresareupperboundonthesuccessprobabilityof somereasonablyrestrictedattacksfullydescribedandanalyzedbelow.(hence,thelowerthe 21

23 security-guresare{thebetter.)implem:1implem:2implem:3implem:4 messagelen. keylen. signaturelen. DESoperations14;336 22; ; ; otherwords,weassumethattheprobabilitythatsuchapracticalattacksucceedsisnegligible tentiallyforgesignaturestothemodiedrabinscheme,evenafterachosenmessageattack.in Security Ouranalysisisbasedontwoassumptions.Therstisthatitinpracticallyinfeasibletoexis- security furthermore,thatitbehavesasarandomfunctionoveradomainwith256elements.amoreaccuratestatementfollows.westressthatthisassumptionisnotincontradictionwiththecurrent knowledgeconcerningthecryptanalysisofdes[2]. andhenceweignoreitalltogether.oursecondassumptionsisthatthedes-basedone-way breachofsecurityinthemodiedrabinschemeorabreachofsecurityintheone-timescheme. Westressthatthislemmaassertsthatiftheon-line/o-lineschemeisbrokenwithprobability functioncannotbeinvertedbetterthanbyexhaustivesearch(inthef0;1g56keyspace),and, broken.assumingthatabreachofsecurityinthemodiedrabinschemeisinfeasible,weignore therstpossibilityandareleftwiththesecond.beforecontinuing,wenowexplicitlystateour (n)theneitherrabin'sschemeisbrokenwithprobability(n)=2(withinthesametimeand querycomplexities)or,withprobability(n)=2,oneoftheinstancesoftheone-timeschemeis BytheproofofLemma1,abreachofsecurityintheon-line/o-lineschemeyieldseithera assumptionconcerningthesecurityofthedes-basedone-wayfunction. mentation1).combiningassumption1,lemma1andcorollary4,weconcludethatachosen Assumption1LetDdef one-wayfunction.then,arandomizedalgorithmrunningintimethatallowsmakingonlytdes evaluations,succeedsininvertingthedes-basedfunctiononagivenimage,withprobabilityat mosttd. Westartbyevaluatingthesecurityoftherstimplementationpresentedabove(i.e.,Imple- =256denotethenumberofelementsinthedomainoftheDES-based lengthm=128.letrdef realisticimplementationsatmostq=10;000messagesarelikelytobesignedandeachisof asksforqmessagestobesignedandrunsintimeallowingtdescomputationsisboundedby Q-messageattackoftimeTsucceedsinexistentialforgerywithprobabilityatmostT(2mQ) =Qm1:3106.Thus,thesuccessprobabilityofanattackwhich 2TR D22 D.In