Introductionto Modern Cryptograph 第十三章部分课后题答案

Acknowledge
致敬Katz J, Lindell Y. Introduction to modern cryptography[M]. Chapman and Hall/CRC, 2014. 推荐该书正版。

该书第12章的内容是数字签名，具体推荐Katz J的另一本书：
Katz J. Digital signatures[M]. Springer Science & Business Media, 2010.
有兴趣的人可以自己进行扩展阅读，这里不再贴出第12章的课后题解。

---

13.2 In this exercise we show a scheme that can be proven secure in the random oracle model, but is insecure when the random oracle is instantiated with SHA-1. (This exercise is a bit informal since SHA-1 is only defined for a fixed output length. Nevertheless, it illustrates the main idea.) Let $\Pi$ be a signature scheme that is secure in the standard model. Construct a signature scheme ${\Pi }_y$ where signing is carried out as follows: if $H(0)=y$, then output the4 secret key; if $H(0)\ne y$, then return a signature computed using $\Pi$.

• Prove that for $any$ value $y$, the scheme ${\Pi }_y$ is secure in the random oracle model.
• Show that there exists a particular $y$ for which ${\Pi }_y$ is not secure when the random oracle is instantiated using SHA-1.

（a）概率分析如下：
$$\begin{array}{rl}\mathrm{P}\mathrm{r}[\mathcal{A}\text{wins}]& =\mathrm{P}\mathrm{r}[\mathcal{A}\text{wins}\wedge y=H(0)]+\mathrm{P}\mathrm{r}[\mathcal{A}\text{wins}\wedge y\ne H(0)]\\ & \le \mathrm{P}\mathrm{r}[y=H(0)]+\mathrm{P}\mathrm{r}[y\ne H(0)|\mathcal{A}\text{wins}]\cdot \mathrm{P}\mathrm{r}[\mathcal{A}\text{wins}]\\ & =\mathsf{n}\mathsf{e}\mathsf{g}\mathsf{l}(\lambda )+\mathrm{P}\mathrm{r}[y\ne H(0)|\mathcal{A}\text{wins}]\cdot \mathrm{P}\mathrm{r}[\mathcal{A}\text{wins}]\end{array}$$
假设$\mathcal{A}$可以破解方案${\Pi }_y$，那么可以构造${\mathcal{A}}_{\Pi }$来破解方案$\Pi$，其编码如下：

• 从${\mathcal{C}}_{\Pi }$处获取$pk$，随机挑选 y ← { 0 , 1 } λ y \gets \{0, 1\}^\lambda y←{0,1}λ，（表示猜测未来随机谕言机开始运作时$H(0)\ne y$），将$(pk,y)$交给$\mathcal{A}$，同时给$\mathcal{A}$模拟出谕言机${\mathcal{O}}_{\mathsf{S}\mathsf{i}\mathsf{g}\mathsf{n}}$和${\mathcal{O}}_H$：
  • 谕言机${\mathcal{O}}_{\mathsf{S}\mathsf{i}\mathsf{g}\mathsf{n}}(m)$工作如下：从$\mathcal{A}$处获取消息$m$，直接将其交给${\mathcal{C}}_{\Pi }$，得到对应的签名$\sigma$，将$\sigma$返回给$\mathcal{A}$。
  • 谕言机${\mathcal{O}}_H(x)$工作如下：若记录$(x,y_x)$存在则直接返回$y_x$，否则，随机挑选 y x ← { 0 , 1 } λ y_x \gets \{0, 1\}^\lambda yx​←{0,1}λ，若$x=0$且$y_x=y$，直接中断游戏，否则，生成记录$(x,y_x)$并返回$y_x$。
• 从$\mathcal{A}$处获取伪造$(m^{\ast },{\sigma }^{\ast })$，将其直接发送给${\mathcal{C}}_{\Pi }$。

易知$\mathrm{P}\mathrm{r}[y\ne H(0)|\mathcal{A}\text{wins}]=1-1/2^{\lambda }$，假设$\mathcal{A}$以不可忽略概率破解${\Pi }_y$，有
$$\mathsf{n}\mathsf{e}\mathsf{g}\mathsf{l}(\lambda )\ge \mathrm{P}\mathrm{r}[{\mathcal{A}}_{\Pi }\text{wins}]\ge (1-1/2^{\lambda })\cdot \mathrm{P}\mathrm{r}[\mathcal{A}\text{wins}]，$$
上述式子与假设互相矛盾，故假设不成立，方案在随机谕言机模型下是安全的。
（b）$H$换成SHA-1后，$H(0)$恒等于$SHA\text{-}1(0)$，对于$y=SHA\text{-}1(0)$的签名方案，消息$m$恒输出一个常数，故不再安全。

---

13.3 Consider a message authentication cod $\Pi =(\mathsf{G}\mathsf{e}\mathsf{n},\mathsf{M}\mathsf{a}\mathsf{c},\mathsf{V}\mathsf{r}\mathsf{f}\mathsf{y})$ where ${\mathsf{M}\mathsf{a}\mathsf{c}}_k(m):=H(k\Vert m)$ for a function H : { 0 , 1 } ∗ → { 0 , 1 } λ H : \{0, 1\}^* \to \{0, 1\}^\lambda H:{0,1}∗→{0,1}λ (note that k ← { 0 , 1 } λ k \gets \{0, 1\}^\lambda k←{0,1}λ and verification is carried out in the natural way). Show that if $H$ is modeled as a random oracle, then $\Pi$ is secure message authentication code. Show that if $H$ is any concrete hash function that is constructed via the Merkle-Damgard transform, then $\Pi$ is $not$ a secure message authentication code.

当$H$是随机谕言机时，$m^{\ast }$对应的标签$H(k\Vert m^{\ast })$是不确定的，敌手所给伪造有效的概率为可忽略函数，即$1/2^{\lambda }$。后面小题在第4章课后题出现过，这里不再详述。

---

13.5 Say a public-key encryption scheme $(\mathsf{G}\mathsf{e}\mathsf{n},\mathsf{E}\mathsf{n}\mathsf{c},\mathsf{D}\mathsf{e}\mathsf{c})$ is $one-way$ if any PPT adversary $\mathcal{A}$ has negligible probability of success in the following experiment:

• $\mathsf{G}\mathsf{e}\mathsf{n}(1^{\lambda })$ is run to obtain keys $(pk,sk)$.
• $\mathcal{A}$ message m ← { 0 , 1 } λ m \gets \{0, 1\}^\lambda m←{0,1}λ is chosen uniformly at random, and a ciphertext $c\leftarrow {\mathsf{E}\mathsf{n}\mathsf{c}}_{pk}(m)$ is computed.
• $\mathcal{A}$ is given $pk$ and $c$, and outputs a message $m^{\ast }$. We say $\mathcal{A}$ succeeds if $m^{\ast }=m$.

(a) Show that a construction of a CPA-secure public-key encryption scheme in the random oracle model based on any one-way public-key encryption scheme.
(b) Can a public-key encryption scheme where encryption is $deterministic$ be one-way? If not, give a proof; if so, show a construction based on any of the assumptions introduced in this book.

（a）方案构造如下：

• $\mathsf{S}\mathsf{G}\mathsf{e}\mathsf{n}(1^{\lambda })\to (pk,sk):$ 输入安全参数$1^{\lambda }$，生成$(pk,sk)\leftarrow \mathsf{G}\mathsf{e}\mathsf{n}(1^{\lambda })$，设置$⟨pk:=pk,sk:=sk⟩$并输出。
• $\mathsf{S}\mathsf{E}\mathsf{n}\mathsf{c}(pk,m)\to c:$ 输入消息 m ∈ { 0 , 1 } m \in \{0, 1\} m∈{0,1}，随机挑选$x\leftarrow \mathcal{M}$，其中$\mathcal{M}$是公钥加密方案$(\mathsf{G}\mathsf{e}\mathsf{n},\mathsf{E}\mathsf{n}\mathsf{c},\mathsf{D}\mathsf{e}\mathsf{c})$的消息域，计算$c_1\leftarrow {\mathsf{E}\mathsf{n}\mathsf{c}}_{pk}(x)$，若$m=0$，设置 c 2 ← { 0 , 1 } λ \ H ( x ) c_2 \gets \{0, 1\}^\lambda \backslash H(x) c2​←{0,1}λ\H(x)，若$m=1$，设置$c_2:=H(x)$，输出密文$c=⟨c_1,c_2⟩$。
• $\mathsf{S}\mathsf{D}\mathsf{e}\mathsf{c}(sk,c)\to m$：拆分$c=⟨c_1,c_2⟩$，计算$x:={\mathsf{D}\mathsf{e}\mathsf{c}}_{sk}(c_1)$，若$H(x)=c_2$，则输出$m:=1$，否则输出$m:=0$。

（b）详见第10章，The “textbook RSA” encryption scheme。

---

13.7 Let $\Pi =\mathsf{G}\mathsf{e}\mathsf{n},\mathsf{E}\mathsf{n}\mathsf{c},\mathsf{D}\mathsf{e}\mathsf{c})$ be a public-key encryption scheme having indistinguishable encryptions under a chosen-plaintext attack, and let ${\Pi }^{\prime }=({\mathsf{G}\mathsf{e}\mathsf{n}}^{\prime },{\mathsf{E}\mathsf{n}\mathsf{c}}^{\prime },{\mathsf{D}\mathsf{e}\mathsf{c}}^{\prime })$ be a private-key encryption scheme having indistinguishable encryptions under a chosen-ciphertext attack. Consider the following construction of a public-key encryption scheme ${\Pi }^{\ast }$.
Construction 13.12
Let H : { 0 , 1 } λ → { 0 , 1 } λ H:\{0, 1\}^\lambda \to \{0, 1\}^\lambda H:{0,1}λ→{0,1}λ be a function. Construction a public-key encryption scheme as follows:

• ${\mathsf{G}\mathsf{e}\mathsf{n}}^{\ast }:$ on input $1^{\lambda }$, run $\mathsf{G}\mathsf{e}\mathsf{n}(1^{\lambda })$ to obtain $(pk,sk)$. Output these as the public and private keys,respectively.
• ${\mathsf{E}\mathsf{n}\mathsf{c}}^{\ast }:$ on input a public key $pk$ and a message m ∈ { 0 , 1 } λ m \in \{0, 1\}^\lambda m∈{0,1}λ, choose a random r ← { 0 , 1 } λ r \gets \{0, 1\}^\lambda r←{0,1}λ and output the ciphertext $⟨{\mathsf{E}\mathsf{n}\mathsf{c}}_{pk}(r),{\mathsf{E}\mathsf{n}\mathsf{c}}_{H(r)}^{\prime }(m)⟩$.
• ${\mathsf{D}\mathsf{e}\mathsf{c}}^{\ast }:$ on input a private key $sk$ and ciphertext $⟨c_1,c_2⟩$, compute $r:={\mathsf{D}\mathsf{e}\mathsf{c}}_{sk}(c_1)$ and set $k:=H(r)$. Then output ${\mathsf{D}\mathsf{e}\mathsf{c}}_k^{\prime }(c_2)$.

Does the above construction have indistinguishable encryptions under a chosen-ciphertext attack, if $H$ is modeled as a random oracle? If yes, provide a proof. If not, where does the approach used to prove Theorem 13.6 break down?

Construction 13.5可以看作是使用了单向安全的公钥加密方案，而题述方案使用了CPA-安全的公钥加密方案，已知一个CPA-安全的公钥加密方案一定是单向安全的公钥加密方案，既然Theorem 13.6已证Construction 13.5安全，那么题述构造是安全的。