Acknowledgement
Tribute to Katz J, Lindell Y. Introduction to modern cryptography[M]. Chapman and Hall/CRC, 2014. Buying a legitimate copy of the book is recommended.
Chapter 12 of that book covers digital signatures; for that topic another book by Katz J is recommended instead:
Katz J. Digital signatures[M]. Springer Science & Business Media, 2010.
Interested readers can pursue it as further reading; the solutions to the Chapter 12 exercises are therefore not posted here.
13.2 In this exercise we show a scheme that can be proven secure in the random oracle model, but is insecure when the random oracle is instantiated with SHA-1. (This exercise is a bit informal since SHA-1 is only defined for a fixed output length. Nevertheless, it illustrates the main idea.) Let $\Pi$ be a signature scheme that is secure in the standard model. Construct a signature scheme $\Pi_y$ where signing is carried out as follows: if $H(0) = y$, then output the secret key; if $H(0) \neq y$, then return a signature computed using $\Pi$.
- Prove that for *any* value $y$, the scheme $\Pi_y$ is secure in the random oracle model.
- Show that there exists a particular $y$ for which $\Pi_y$ is not secure when the random oracle is instantiated using SHA-1.
(a) The probability analysis is as follows:

$$
\begin{aligned}
\mathrm{Pr}[\mathscr{A} ~ \text{wins}] &= \mathrm{Pr}[\mathscr{A} ~ \text{wins} \land y = H(0)] + \mathrm{Pr}[\mathscr{A} ~ \text{wins} \land y \neq H(0)] \\
&\leq \mathrm{Pr}[y = H(0)] + \mathrm{Pr}[y \neq H(0) \mid \mathscr{A} ~ \text{wins}] \cdot \mathrm{Pr}[\mathscr{A} ~ \text{wins}] \\
&= \mathsf{negl}(\lambda) + \mathrm{Pr}[y \neq H(0) \mid \mathscr{A} ~ \text{wins}] \cdot \mathrm{Pr}[\mathscr{A} ~ \text{wins}]
\end{aligned}
$$
Suppose $\mathscr{A}$ can break the scheme $\Pi_y$; then one can construct $\mathscr{A}_\Pi$ that breaks the scheme $\Pi$, coded as follows:
- Obtain $pk$ from $\mathscr{C}_\Pi$ and pick $y \gets \{0, 1\}^\lambda$ uniformly at random (this amounts to guessing that $H(0) \neq y$ once the random oracle starts operating). Hand $(pk, y)$ to $\mathscr{A}$, and simulate the oracles $\mathcal{O}_{\mathsf{Sign}}$ and $\mathcal{O}_H$ for $\mathscr{A}$:
  - The oracle $\mathcal{O}_{\mathsf{Sign}}(m)$ works as follows: receive the message $m$ from $\mathscr{A}$, forward it directly to $\mathscr{C}_\Pi$, obtain the corresponding signature $\sigma$, and return $\sigma$ to $\mathscr{A}$.
  - The oracle $\mathcal{O}_H(x)$ works as follows: if a record $(x, y_x)$ already exists, return $y_x$ directly; otherwise pick $y_x \gets \{0, 1\}^\lambda$ uniformly at random; if $x = 0$ and $y_x = y$, abort the game immediately; otherwise store the record $(x, y_x)$ and return $y_x$.
- Receive the forgery $(m^*, \sigma^*)$ from $\mathscr{A}$ and send it directly to $\mathscr{C}_\Pi$.
Clearly

$$\mathrm{Pr}[y \neq H(0) \mid \mathscr{A} ~ \text{wins}] = 1 - 1/2^\lambda,$$

so if $\mathscr{A}$ breaks $\Pi_y$ with non-negligible probability, then

$$\mathsf{negl}(\lambda) \geq \mathrm{Pr}[\mathscr{A}_\Pi ~ \text{wins}] \geq (1 - 1/2^\lambda) \cdot \mathrm{Pr}[\mathscr{A} ~ \text{wins}],$$

which contradicts the assumption. Hence the assumption does not hold, and the scheme is secure in the random oracle model.
(b) After $H$ is replaced by SHA-1, $H(0)$ is always equal to $\mathrm{SHA}\text{-}1(0)$. For the signature scheme with $y = \mathrm{SHA}\text{-}1(0)$, signing any message $m$ always outputs a constant (the secret key), so the scheme is no longer secure.
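To make (a) and (b) concrete, here is an added example (not from the book or this post). The exercise leaves $\Pi$, the encoding of the input $0$, and $\lambda$ abstract, so the code assumes all three: $\Pi$ is a Lamport one-time signature over SHA-256 digests, $0$ is the single byte `b"\x00"`, and $\lambda$ is 32 bytes. $H$ is either a lazily sampled random function (the random-oracle view) or `hashlib.sha1`. With the random oracle, every output of $\Pi_y$ is a genuine $\Pi$ signature unless $H(0) = y$, an event of probability $2^{-256}$ for any fixed $y$; with SHA-1 and $y = \mathrm{SHA}\text{-}1(0)$ the signing algorithm hands out the secret key, after which any message can be signed under $pk$.

```python
import hashlib
import secrets

# Added example for Exercise 13.2; not from the book or the post.
# Assumptions: Pi is a Lamport one-time signature over SHA-256 digests (standing in
# for "any standard-model-secure signature scheme"), the oracle input 0 is the
# single byte b"\x00", and lambda is 32 bytes (the random oracle's output length).

LAM = 32
ZERO = b"\x00"


def lamport_gen():
    """Pi.Gen: 256 pairs of random preimages as sk, their SHA-256 hashes as pk."""
    sk = [(secrets.token_bytes(LAM), secrets.token_bytes(LAM)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return pk, sk


def _bits(m):
    d = hashlib.sha256(m).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(sk, m):
    """Pi.Sign: reveal the preimage selected by each bit of SHA-256(m)."""
    return [sk[i][b] for i, b in enumerate(_bits(m))]


def lamport_vrfy(pk, m, sig):
    return len(sig) == 256 and all(
        hashlib.sha256(s).digest() == pk[i][b] for i, (b, s) in enumerate(zip(_bits(m), sig))
    )


class RandomOracle:
    """Lazily sampled random function: the random-oracle-model view of H."""

    def __init__(self):
        self.table = {}

    def __call__(self, x):
        if x not in self.table:
            self.table[x] = secrets.token_bytes(LAM)
        return self.table[x]


def sha1_oracle(x):
    """Concrete instantiation of H (fixed 20-byte output, as the exercise notes)."""
    return hashlib.sha1(x).digest()


def pi_y_sign(H, y, sk, m):
    """Pi_y.Sign: output the secret key if H(0) = y, otherwise a Pi signature."""
    if H(ZERO) == y:
        return "leak", sk
    return "sig", lamport_sign(sk, m)


def rom_signatures_are_genuine(trials=50):
    """(a): with a fresh random oracle, the leak requires H(0) = y, an event of
    probability 2^-256 for any fixed y; every output is a verifying Pi signature."""
    pk, sk = lamport_gen()
    y = secrets.token_bytes(LAM)  # any fixed y
    for _ in range(trials):
        kind, out = pi_y_sign(RandomOracle(), y, sk, b"hello")
        if kind != "sig" or not lamport_vrfy(pk, b"hello", out):
            return False
    return True


def sha1_instantiation_leaks_key():
    """(b): with H = SHA-1 and y = SHA-1(0), signing outputs sk on every message,
    so whoever receives one "signature" can sign any further message under pk."""
    pk, sk = lamport_gen()
    y = sha1_oracle(ZERO)
    kind, out = pi_y_sign(sha1_oracle, y, sk, b"any message")
    if kind != "leak":
        return False
    forged = lamport_sign(out, b"another message")  # out is the leaked secret key
    return lamport_vrfy(pk, b"another message", forged)


if __name__ == "__main__":
    print("ROM, arbitrary y: outputs are real Pi signatures:", rom_signatures_are_genuine())
    print("SHA-1, y = SHA-1(0): secret key is leaked:", sha1_instantiation_leaks_key())
```

The `RandomOracle` class is the lazy-sampling technique the reduction in (a) relies on: outputs are chosen only when first queried, which is what lets the reduction inspect the query $x = 0$ and abort if its fresh output collides with $y$.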
13.3 Consider a message authentication code $\Pi = (\mathsf{Gen}, \mathsf{Mac}, \mathsf{Vrfy})$ where $\mathsf{Mac}_k(m) := H(k \| m)$ for a function $H : \{0, 1\}^* \to \{0, 1\}^\lambda$ (note that $k \gets \{0, 1\}^\lambda$ and verification is carried out in the natural way). Show that if $H$ is modeled as a random oracle, then $\Pi$ is a secure message authentication code. Show that if $H$ is any concrete hash function that is constructed via the Merkle-Damgård transform, then $\Pi$ is *not* a secure message authentication code.
When $H$ is a random oracle, the tag $H(k \| m^*)$ of $m^*$ is undetermined, so the probability that the adversary's forgery is valid is a negligible function, namely $1/2^\lambda$. The second part already appeared in the Chapter 4 exercises and is not repeated here.
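The second part of the exercise, as an added example (not from the book or this post): `toy_md` is a Merkle-Damgård hash constructed here with a 16-byte state, 16-byte blocks, standard `0x80`/zero/length padding, and SHA-256 truncated to 16 bytes as the compression function (all assumptions, chosen only to make the chaining structure visible). The tag $H(k \| m)$ is exactly the final chaining value, so from $(m, t)$ and $|k|$ alone the chain can be resumed over the padding and a suffix; this is what makes the construction unusable as a MAC. The same attempt against an HMAC built from the same toy hash fails, because the outer hash hides the inner state. In the random-oracle model no relation between $H(k \| m)$ and $H(k \| m')$ exists at all, which is what the $1/2^\lambda$ bound above relies on.

```python
import hashlib
import hmac
import struct

# Added example for Exercise 13.3; not from the book or the post.
# Assumptions: toy_md is a Merkle-Damgard hash constructed here with a 16-byte
# state, 16-byte blocks, 0x80/zero/length padding, and SHA-256 truncated to
# 16 bytes as the compression function. Keys are lambda = 128 bits.

BLOCK = 16
IV = b"\x00" * BLOCK


def _compress(state, block):
    return hashlib.sha256(state + block).digest()[:BLOCK]


def _pad(total_len):
    """MD strengthening: 0x80, zeros, then the 8-byte big-endian bit length."""
    pad = b"\x80"
    while (total_len + len(pad)) % BLOCK != BLOCK - 8:
        pad += b"\x00"
    return pad + struct.pack(">Q", total_len * 8)


def toy_md(msg, state=IV, prefix_len=0):
    """Hash msg starting from a chaining value; prefix_len is the length of data
    already absorbed into state (a multiple of BLOCK). The plain hash is toy_md(msg)."""
    data = msg + _pad(prefix_len + len(msg))
    for i in range(0, len(data), BLOCK):
        state = _compress(state, data[i:i + BLOCK])
    return state


def mac(k, m):
    """The exercise's Mac_k(m) := H(k || m) with H = toy_md."""
    return toy_md(k + m)


def vrfy(k, m, t):
    return hmac.compare_digest(mac(k, m), t)


def extend_without_key(tag, key_len, m, suffix):
    """Why H(k || m) fails for a Merkle-Damgard H: the tag is the chaining value
    after absorbing k || m || pad, so the chain can be resumed over a suffix
    knowing only (m, tag) and |k|. Returns the extended message and its tag."""
    glue = _pad(key_len + len(m))
    extended = m + glue + suffix
    new_tag = toy_md(suffix, state=tag, prefix_len=key_len + len(m) + len(glue))
    return extended, new_tag


def hmac_toy_md(k, m):
    """HMAC over the same toy hash: the outer call hides the inner chaining
    value, so a tag is no longer a state the chain can be resumed from."""
    k = k.ljust(BLOCK, b"\x00")
    ipad = bytes(b ^ 0x36 for b in k)
    opad = bytes(b ^ 0x5C for b in k)
    return toy_md(opad + toy_md(ipad + m))


def demo():
    """Returns (naive_mac_accepts_extension, hmac_accepts_extension)."""
    k = b"\x11" * 16                   # constructed key
    m = b"amount=10&to=alice"          # constructed message
    extended, t2 = extend_without_key(mac(k, m), len(k), m, b"&extra=1")
    naive_accepts = vrfy(k, extended, t2)
    _, h2 = extend_without_key(hmac_toy_md(k, m), len(k), m, b"&extra=1")
    hmac_accepts = hmac.compare_digest(hmac_toy_md(k, extended), h2)
    return naive_accepts, hmac_accepts
```

`demo()` returns `(True, False)`: the verifier of the naive scheme accepts a message it never saw a key holder tag, while the HMAC variant rejects it. In practice the fix is the same as here: use HMAC (or a hash that is not plain Merkle-Damgård), never `H(k || m)`.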
13.5 Say a public-key encryption scheme $(\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$ is *one-way* if any PPT adversary $\mathscr{A}$ has negligible probability of success in the following experiment:
- $\mathsf{Gen}(1^\lambda)$ is run to obtain keys $(pk, sk)$.
- A message $m \gets \{0, 1\}^\lambda$ is chosen uniformly at random, and a ciphertext $c \gets \mathsf{Enc}_{pk}(m)$ is computed.
- $\mathscr{A}$ is given $pk$ and $c$, and outputs a message $m^*$. We say $\mathscr{A}$ succeeds if $m^* = m$.
(a) Show a construction of a CPA-secure public-key encryption scheme in the random oracle model based on any one-way public-key encryption scheme.
(b) Can a public-key encryption scheme where encryption is *deterministic* be one-way? If not, give a proof; if so, show a construction based on any of the assumptions introduced in this book.
(a) The scheme is constructed as follows:
- $\mathsf{SGen}(1^\lambda) \to (pk, sk)$: on input the security parameter $1^\lambda$, generate $(pk, sk) \gets \mathsf{Gen}(1^\lambda)$, set $\langle pk := pk, sk := sk \rangle$ and output it.
- $\mathsf{SEnc}(pk, m) \to c$: on input a message $m \in \{0, 1\}$, pick $x \gets \mathcal{M}$ uniformly at random, where $\mathcal{M}$ is the message space of the public-key encryption scheme $(\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$; compute $c_1 \gets \mathsf{Enc}_{pk}(x)$; if $m = 0$ set $c_2 \gets \{0, 1\}^\lambda \setminus \{H(x)\}$, and if $m = 1$ set $c_2 := H(x)$; output the ciphertext $c = \langle c_1, c_2 \rangle$.
- $\mathsf{SDec}(sk, c) \to m$: parse $c = \langle c_1, c_2 \rangle$ and compute $x := \mathsf{Dec}_{sk}(c_1)$; if $H(x) = c_2$ output $m := 1$, otherwise output $m := 0$.
(b) See Chapter 10, the "textbook RSA" encryption scheme.
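The construction from (a), built on the deterministic one-way scheme named in (b), as an added example (not from the book or this post). Assumptions: the one-way scheme is textbook RSA with small constructed primes (insecure toy parameters that only keep the arithmetic visible), $H$ is SHA-256 truncated to $\lambda = 16$ bytes standing in for the random oracle, and $x$ is drawn from $\mathbb{Z}_N \setminus \{0\}$. The outer scheme encrypts one bit per ciphertext, exactly as $\mathsf{SEnc}$ above; the fresh $x$ is what turns the deterministic inner scheme into a randomized one.

```python
import hashlib
import secrets

# Added example for Exercise 13.5; not from the book or the post.
# Assumptions: the one-way scheme is textbook RSA with tiny constructed primes
# (insecure toy parameters that keep the arithmetic visible), H is SHA-256
# truncated to LAM bytes standing in for the random oracle, and x is drawn from
# Z_N without 0. Plaintexts of the outer scheme are single bits.

LAM = 16
P, Q, E = 999983, 1000003, 65537  # constructed toy primes and public exponent


def rsa_gen():
    """Gen of the one-way scheme: textbook RSA, pk = (N, e), sk = (N, d)."""
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))
    return (n, E), (n, d)


def rsa_enc(pk, x):
    """Deterministic: the same x always gives the same ciphertext (part (b))."""
    n, e = pk
    return pow(x, e, n)


def rsa_dec(sk, c):
    n, d = sk
    return pow(c, d, n)


def H(x, n):
    """Random-oracle stand-in on message-space elements x in Z_N."""
    return hashlib.sha256(x.to_bytes((n.bit_length() + 7) // 8, "big")).digest()[:LAM]


def s_gen():
    """SGen: reuse the one-way scheme's key pair unchanged."""
    return rsa_gen()


def s_enc(pk, m):
    """SEnc: c1 = Enc_pk(x) for fresh x; c2 = H(x) if m = 1, else uniform != H(x)."""
    assert m in (0, 1)
    n, _ = pk
    x = secrets.randbelow(n - 1) + 1     # x <- Z_N \ {0}
    c1 = rsa_enc(pk, x)
    hx = H(x, n)
    if m == 1:
        return c1, hx
    c2 = secrets.token_bytes(LAM)
    while c2 == hx:                      # c2 <- {0,1}^lambda \ {H(x)}
        c2 = secrets.token_bytes(LAM)
    return c1, c2


def s_dec(sk, c):
    """SDec: recover x, output 1 iff H(x) matches c2."""
    c1, c2 = c
    n, _ = sk
    return 1 if H(rsa_dec(sk, c1), n) == c2 else 0


def roundtrip_ok(trials=50):
    pk, sk = s_gen()
    return all(s_dec(sk, s_enc(pk, m)) == m for _ in range(trials) for m in (0, 1))


def outer_scheme_is_randomized():
    """Two encryptions of the same bit differ, because each uses a fresh x."""
    pk, _ = s_gen()
    return s_enc(pk, 1) != s_enc(pk, 1)


def textbook_rsa_is_deterministic():
    """(b): the underlying one-way scheme itself has deterministic encryption."""
    pk, _ = rsa_gen()
    return rsa_enc(pk, 12345) == rsa_enc(pk, 12345)
```

Note the asymmetry in the decryption rule: a ciphertext for $0$ carries an arbitrary value different from $H(x)$, so $\mathsf{SDec}$ only needs one oracle query; the one-wayness of the inner scheme is what keeps $H(x)$ unpredictable to anyone without $sk$.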
13.7 Let $\Pi = (\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$ be a public-key encryption scheme having indistinguishable encryptions under a chosen-plaintext attack, and let $\Pi' = (\mathsf{Gen}', \mathsf{Enc}', \mathsf{Dec}')$ be a private-key encryption scheme having indistinguishable encryptions under a chosen-ciphertext attack. Consider the following construction of a public-key encryption scheme $\Pi^*$.
Construction 13.12
Let $H : \{0, 1\}^\lambda \to \{0, 1\}^\lambda$ be a function. Construct a public-key encryption scheme as follows:
- $\mathsf{Gen}^*$: on input $1^\lambda$, run $\mathsf{Gen}(1^\lambda)$ to obtain $(pk, sk)$. Output these as the public and private keys, respectively.
- $\mathsf{Enc}^*$: on input a public key $pk$ and a message $m \in \{0, 1\}^\lambda$, choose a random $r \gets \{0, 1\}^\lambda$ and output the ciphertext $\langle \mathsf{Enc}_{pk}(r), \mathsf{Enc}'_{H(r)}(m) \rangle$.
- $\mathsf{Dec}^*$: on input a private key $sk$ and ciphertext $\langle c_1, c_2 \rangle$, compute $r := \mathsf{Dec}_{sk}(c_1)$ and set $k := H(r)$. Then output $\mathsf{Dec}'_k(c_2)$.
Does the above construction have indistinguishable encryptions under a chosen-ciphertext attack, if $H$ is modeled as a random oracle? If yes, provide a proof. If not, where does the approach used to prove Theorem 13.6 break down?
Construction 13.5 can be viewed as using a one-way secure public-key encryption scheme, whereas the scheme in the exercise uses a CPA-secure public-key encryption scheme. Since a CPA-secure public-key encryption scheme is necessarily a one-way secure public-key encryption scheme, and Theorem 13.6 has already proved Construction 13.5 secure, the construction in the exercise is secure.
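Construction 13.12 as runnable code, an added example (not from the book or this post). The exercise leaves the components abstract, so each is an assumption here: $\Pi$ is ElGamal modulo the Mersenne prime $2^{521} - 1$ with generator $3$ (toy parameters, no prime-order-subgroup hygiene), $\Pi'$ is encrypt-then-MAC with a SHA-256 counter-mode stream and HMAC-SHA256 under separated subkeys (a CCA-secure private-key scheme when SHA-256 behaves as a PRF), $H$ is SHA-256, and $\lambda = 16$ bytes. The code shows the data flow of $\mathsf{Enc}^*$ and $\mathsf{Dec}^*$, their correctness, and the inner scheme rejecting a modified $c_2$; it does not by itself settle the security question the exercise asks.

```python
import hashlib
import hmac
import secrets

# Added example for Exercise 13.7 (Construction 13.12); not from the book or the post.
# Assumptions: Pi is ElGamal modulo the Mersenne prime 2^521 - 1 with generator 3
# (toy parameters, no prime-order-subgroup hygiene), Pi' is encrypt-then-MAC with a
# SHA-256 counter-mode stream and HMAC-SHA256, H is SHA-256, and lambda = 16 bytes.

LAM = 16
P_MOD = (1 << 521) - 1
G = 3


# --- Pi: CPA-secure public-key encryption (ElGamal, toy group) ---
def elgamal_gen():
    x = secrets.randbelow(P_MOD - 2) + 1
    return pow(G, x, P_MOD), x          # pk = h = g^x, sk = x


def elgamal_enc(h, r):
    """Encrypt an integer r < P_MOD; randomized via the ephemeral exponent k."""
    k = secrets.randbelow(P_MOD - 2) + 1
    return pow(G, k, P_MOD), (r * pow(h, k, P_MOD)) % P_MOD


def elgamal_dec(x, c):
    a, b = c
    return (b * pow(a, P_MOD - 1 - x, P_MOD)) % P_MOD   # b * a^-x by Fermat


# --- Pi': CCA-secure private-key encryption (encrypt-then-MAC) ---
def _subkeys(key):
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def _stream(key, nonce, n):
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return out[:n]


def dem_enc(key, m):
    ke, km = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(m, _stream(ke, nonce, len(m))))
    return nonce + ct + hmac.new(km, nonce + ct, hashlib.sha256).digest()


def dem_dec(key, c):
    """Returns None on a MAC failure, which is what rules out ciphertext tampering."""
    ke, km = _subkeys(key)
    nonce, ct, tag = c[:16], c[16:-32], c[-32:]
    if not hmac.compare_digest(hmac.new(km, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(ke, nonce, len(ct))))


# --- Pi*: Construction 13.12 ---
def H(r):
    return hashlib.sha256(r).digest()


def gen_star():
    return elgamal_gen()


def enc_star(pk, m):
    r = secrets.token_bytes(LAM)                       # r <- {0,1}^lambda (r < P_MOD)
    return elgamal_enc(pk, int.from_bytes(r, "big")), dem_enc(H(r), m)


def dec_star(sk, c):
    c1, c2 = c
    r = elgamal_dec(sk, c1).to_bytes(LAM, "big")       # r := Dec_sk(c1)
    return dem_dec(H(r), c2)                           # Dec'_{H(r)}(c2)


def roundtrip_ok():
    pk, sk = gen_star()
    m = b"constructed plaintext for the hybrid scheme"
    return dec_star(sk, enc_star(pk, m)) == m


def modified_c2_is_rejected():
    """Flipping one bit in the Pi' component makes Dec* output None."""
    pk, sk = gen_star()
    c1, c2 = enc_star(pk, b"constructed plaintext")
    c2 = c2[:16] + bytes([c2[16] ^ 0x01]) + c2[17:]
    return dec_star(sk, (c1, c2)) is None
```

The construction fixes $m \in \{0,1\}^\lambda$; the $\Pi'$ used here accepts any message length, which does not change the structure of $\mathsf{Enc}^*$ or $\mathsf{Dec}^*$.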