Generic Double-Authentication Preventing Signatures and a Post-quantum Instantiation

Abstract

Double-authentication preventing signatures (DAPS) are a variant of digital signatures which have received considerable attention recently (Derler et al. EuroS&P 2018, Poettering Africacrypt 2018). They are unforgeable signatures in the usual sense and sign messages that are composed of an address and a payload. Their distinguishing feature is the property that signatures on two different payloads with respect to the same address allow to publicly extract the secret signing key. Thus, they are a means to disincentivize double-signing and are a useful tool in various applications.

DAPS are known in the factoring, the discrete logarithm and the lattice setting. The majority of the constructions are ad-hoc. Only recently, Derler et al. (EuroS&P 2018) presented the first generic construction that allows to extend any discrete logarithm based secure signature scheme to DAPS. However, their scheme has the drawback that the number of potential addresses (the address space) used for signing is polynomially bounded (and in fact small) as the size of secret and public keys of the resulting DAPS are linear in the address space. In this paper we overcome this limitation and present a generic construction of DAPS with constant size keys and signatures. Our techniques are not tailored to a specific algebraic setting and in particular allow us to construct the first DAPS without structured hardness assumptions, i.e., from symmetric key primitives, yielding a candidate for post-quantum secure DAPS.

The full version of this paper is available as IACR Cryptology ePrint Archive Report. All authors have been supported by EU H2020 project Prismacloud, grant agreement n\(^{\circ }\)644962.

A One-Way Functions and Pseudorandom Function Families

We recall the definitions of one-way functions and pseudorandom function (families).

Definition 10

(OWF). Let \(f: S \rightarrow P\) be a function. For a PPT adversary \(\mathcal {A}\) we define the advantage function as

The function f is one-way function (OWF) if it is efficiently computable and for all PPT adversaries \(\mathcal {A}\) there exists a negligible function \(\varepsilon (\cdot )\) such that

$$\begin{aligned} \mathsf {Adv}^{\mathsf {OWF}}_{{\mathcal {A}},{f}}(\kappa ) \le \varepsilon (\kappa ) \text {.} \end{aligned}$$

Definition 11

(PRF). Let \(\mathcal {F}: \mathcal {S} \times D \rightarrow \mathsf {R}\) be a family of functions and let \(\varGamma \) be the set of all functions \(D \rightarrow \mathsf{R}\). For a PPT distinguisher \(\mathcal {D}\) we define the advantage function as

\(\mathcal {F}\) is a pseudorandom function (family) if it is efficiently computable and for all PPT distinguishers \(\mathcal {D}\) there exists a negligible function \(\varepsilon (\cdot )\) such that

$$\begin{aligned} \mathsf {Adv}^\mathsf{PRF}_{\mathcal {D},\mathcal {F}}(\kappa ) \le \varepsilon (\kappa ) \text {.} \end{aligned}$$

Below, we provide a slightly stronger variant of a definition of a notion introduced in [11, 18].

Definition 12

(Fixed-Value-Key-Binding PRF). A PRF family \(\mathcal {F}: \mathcal {S} \times D \rightarrow \mathsf {R}\) and a \(\beta \in D\), is fixed-value-key-binding if for all adversaries \(\mathcal {A}\)

Moreover, we present a relaxed (computational) version of the above definition.

Definition 13

(Computational Fixed-Value-Key-Binding PRF). For a PRF family \(\mathcal {F}: \mathcal {S} \times D \rightarrow \mathsf {R}\) and a \(\beta \in D\), we define the advantage function of a PPT adversary \(\mathcal {A}\) as

\(\mathcal {F}\) is computationally fixed-value-key-binding if for all PPT adversaries there exists as negligible function \(\varepsilon (\cdot )\) such that

$$ \mathsf {Adv}^{\mathsf {cFKVB}}_{{\mathcal {A}},{\mathcal {F}}}(\kappa ) = \varepsilon (\kappa ) \text {.} $$