Abstract
We study how to construct secure digital signature schemes in the presence of kleptographic attacks. Our work utilizes an offline watchdog to clip the power of subversions via only one-time black-box testing of the implementation. Previous results essentially rely on an online watchdog which requires the collection of all communicating transcripts (or active re-randomization of messages).
We first give a simple but generic construction, without random oracles, in the partial-subversion model in which key generation and signing algorithms can be subverted. Then, we give the first digital signature scheme in the complete-subversion model in which all cryptographic algorithms can be subverted. This construction is based on the full-domain hash. Along the way, we enhance the recent result of Russell et al. (CRYPTO 2018) about correcting a subverted random oracle.
S. S. M. Chow—Supported by GRF (CUHK 14210217) of the Research Grants Council, Hong Kong.
A. Russell—Supported in part by NSF award 1801487.
Q. Tang—Supported in part by NSF award 1801492.
H.S. Zhou—Supported in part by NSF award 1801470.
Notes
1. This can be viewed as applying the input-triggered attack [13] to signature schemes.
2. As elaborated above, the trusted computing base, including operations like “\(\oplus \)” and “\(=\)”, is still in place. These trusted operations are actually necessary because of the known (simple) trigger attacks [13] when only an offline watchdog is assumed. Our goal is to reduce the number of trusted functional components and to keep the remaining ones as simple as possible, e.g., without any trusted large group operations.
3.
4. \(\mathsf {RG}_\textsc {spec}\) and \(\mathsf {MG}_\textsc {spec}\) will be split into three pieces exactly as in Fig. 14.
5. We remark here that the \(\mathsf {KG}_\textsc {spec}^{\mathcal {SS}}\) algorithm will be split into four pieces exactly as in [25].
References
Abe, M., Chase, M., David, B., Kohlweiss, M., Nishimaki, R., Ohkubo, M.: Constant-size structure-preserving signatures: generic constructions and simple assumptions. J. Cryptology 29(4), 833–878 (2016)
Ateniese, G., Magri, B., Venturi, D.: Subversion-resilient signature schemes. In: Ray, I., Li, N., Kruegel, C. (eds.) ACM CCS 2015, pp. 364–375. ACM Press, New York (2015)
Bellare, M., Hoang, V.T.: Resisting randomness subversion: fast deterministic and hedged public-key encryption in the standard model. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015, Part II. LNCS, vol. 9057, pp. 627–656. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_21
Bellare, M., Jaeger, J., Kane, D.: Mass-surveillance without the state: strongly undetectable algorithm-substitution attacks. In: Ray, I., Li, N., Kruegel, C. (eds.) ACM CCS 2015, pp. 1431–1440. ACM Press, New York (2015)
Bellare, M., Paterson, K.G., Rogaway, P.: Security of symmetric encryption against mass surveillance. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 1–19. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_1
Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Ashby, V. (ed.) ACM CCS 1993, pp. 62–73. ACM Press, New York (1993)
Bellare, M., Rogaway, P.: The exact security of digital signatures: how to sign with RSA and Rabin. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_34
Boneh, D., Boyen, X.: Short signatures without random oracles and the SDH assumption in bilinear groups. J. Cryptology 21(2), 149–177 (2008)
Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: 42nd FOCS, pp. 136–145. IEEE Computer Society Press, October 2001
Chen, R., Mu, Y., Yang, G., Susilo, W., Guo, F., Zhang, M.: Cryptographic reverse firewall via malleable smooth projective hash functions. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, Part I. LNCS, vol. 10031, pp. 844–876. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_31
Coron, J.S.: On the exact security of full domain hash. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 229–235. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44598-6_14
Coron, J.S., Dodis, Y., Malinaud, C., Puniya, P.: Merkle-Damgård revisited: how to construct a hash function. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 430–448. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_26
Degabriele, J.P., Farshim, P., Poettering, B.: A more cautious approach to security against mass surveillance. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 579–598. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48116-5_28
Desmedt, Y.: Abuses in cryptography and how to fight them. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 375–389. Springer, New York (1990). https://doi.org/10.1007/0-387-34799-2_29
Dodis, Y., Ganesh, C., Golovnev, A., Juels, A., Ristenpart, T.: A formal treatment of backdoored pseudorandom generators. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015, Part I. LNCS, vol. 9056, pp. 101–126. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_5
Dodis, Y., Mironov, I., Stephens-Davidowitz, N.: Message transmission with reverse firewalls—secure communication on corrupted machines. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part I. LNCS, vol. 9814, pp. 341–372. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_13
Fischlin, M., Mazaheri, S.: Self-guarding cryptographic protocols against algorithm substitution attacks. In: 31st IEEE Computer Security Foundations Symposium, CSF 2018, Oxford, United Kingdom, 9–12 July 2018, pp. 76–90 (2018)
Giacon, F., Heuer, F., Poettering, B.: KEM combiners. In: Abdalla, M., Dahab, R. (eds.) PKC 2018, Part I. LNCS, vol. 10769, pp. 190–218. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76578-5_7
Liu, C., Chen, R., Wang, Y., Wang, Y.: Asymmetric subversion attacks on signature schemes. In: Susilo, W., Yang, G. (eds.) ACISP 2018. LNCS, vol. 10946, pp. 376–395. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-93638-3_22
Maurer, U., Renner, R., Holenstein, C.: Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 21–39. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24638-1_2
Mironov, I., Stephens-Davidowitz, N.: Cryptographic reverse firewalls. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015, Part II. LNCS, vol. 9057, pp. 657–686. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_22
Perlroth, N., Larson, J., Shane, S.: NSA able to foil basic safeguards of privacy on web. The New York Times, September 2013
Russell, A., Tang, Q., Yung, M., Zhou, H.S.: Cliptography: clipping the power of kleptographic attacks. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, Part II. LNCS, vol. 10032, pp. 34–64. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_2
Russell, A., Tang, Q., Yung, M., Zhou, H.S.: Destroying steganography via amalgamation: kleptographically CPA secure public key encryption. Cryptology ePrint Archive, Report 2016/530 (2016). http://eprint.iacr.org/2016/530
Russell, A., Tang, Q., Yung, M., Zhou, H.S.: Generic semantic security against a kleptographic adversary. In: Thuraisingham, B.M., Evans, D., Malkin, T., Xu, D. (eds.) ACM CCS 2017, pp. 907–922. ACM Press, New York (2017)
Russell, A., Tang, Q., Yung, M., Zhou, H.S.: Correcting subverted random oracles. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part II. LNCS, vol. 10992, pp. 241–271. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_9
Young, A., Yung, M.: The dark side of “black-box” cryptography or: should we trust capstone? In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 89–103. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_8
Young, A., Yung, M.: Kleptography: using cryptography against cryptography. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 62–74. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_6
Zhang, C., Cash, D., Wang, X., Yu, X., Chow, S.S.M.: Combiners for chosen-ciphertext security. In: Dinh, T.N., Thai, M.T. (eds.) COCOON 2016. LNCS, vol. 9797, pp. 257–268. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-42634-1_21
Appendices
A The Model: Crooked Indifferentiability
A.1 Preliminary: Indifferentiability
The notion of indifferentiability, proposed in the elegant work of Maurer et al. [20], has proven very useful for studying the security of hash functions and many other primitives. This notion extends the classical notion of indistinguishability to the setting where one or more oracles are publicly available. The indifferentiability notion was originally given in the framework of random systems [20] providing interfaces to other systems. Coron et al. [12] demonstrate an equivalent indifferentiability notion in the framework of Interactive Turing Machines (as in [9]). The indifferentiability formulation in this subsection is essentially taken from Coron et al. [12]. In the next subsection, we introduce our new notion, crooked indifferentiability.
Defining Indifferentiability. An ideal primitive is an algorithmic entity which receives inputs from one of the parties and returns its output immediately to the querying party. We now proceed to the definition of indifferentiability [12, 20]:
Definition 3
(Indifferentiability [12, 20]). A Turing machine \( C \) with oracle access to an ideal primitive \(\mathcal {G} \) is said to be \((t_\mathcal {D},t_\mathcal {S},q,\epsilon )\)-indifferentiable from an ideal primitive \(\mathcal {F} \) if there is a simulator \(\mathcal {S} \) such that for any distinguisher \(\mathcal {D} \) it holds that:
The simulator \(\mathcal {S} \) has oracle access to \(\mathcal {F} \) and runs in time at most \(t_\mathcal {S} \). The distinguisher \(\mathcal {D} \) runs in time at most \(t_\mathcal {D} \) and makes at most q queries. Similarly, \( C ^\mathcal {G} \) is said to be (computationally) indifferentiable from \(\mathcal {F} \) if \(\epsilon \) is a negligible function of the security parameter \(\lambda \) (for polynomially bounded \(t_\mathcal {D} \) and \(t_\mathcal {S} \)). See Fig. 10.
As illustrated in Fig. 10, the role of the simulator is to simulate the ideal primitive \(\mathcal {G} \) so that no distinguisher can tell whether it is interacting with \( C \) and \(\mathcal {G} \), or with \(\mathcal {F} \) and \(\mathcal {S} \); in other words, the output of \(\mathcal {S} \) should look “consistent” with what the distinguisher can obtain from \(\mathcal {F} \). Note that the simulator does not see the distinguisher’s queries to \(\mathcal {F} \); however, it can call \(\mathcal {F} \) directly when needed for the simulation.
Replacement. It is shown in [20] that if \( C ^\mathcal {G} \) is indifferentiable from \(\mathcal {F} \), then \( C ^\mathcal {G} \) can replace \(\mathcal {F} \) in any cryptosystem, and the resulting cryptosystem is at least as secure in the \(\mathcal {G} \) model as in the \(\mathcal {F} \) model.
We use the definition of [20] to specify what it means for a cryptosystem to be at least as secure in the \(\mathcal {G} \) model as in the \(\mathcal {F} \) model. A cryptosystem is modeled as an Interactive Turing Machine with an interface to an adversary \(\mathcal {A} \) and to a public oracle. The cryptosystem is run by an environment \(\mathcal {E} \) which provides a binary output and also runs the adversary. In the \(\mathcal {G} \) model, cryptosystem \(\mathcal {P} \) has oracle access to \( C \) whereas attacker \(\mathcal {A} \) has oracle access to \(\mathcal {G} \). In the \(\mathcal {F} \) model, both \(\mathcal {P} \) and \(\mathcal {A} \) have oracle access to \(\mathcal {F} \). The definition is illustrated in Fig. 11.
Definition 4
A cryptosystem is said to be at least as secure in the \(\mathcal {G} \) model with algorithm \( C \) as in the \(\mathcal {F} \) model, if for any environment \(\mathcal {E} \) and any attacker \(\mathcal {A} \) in the \(\mathcal {G} \) model, there exists an attacker \(\mathcal {S}_\mathcal {A} \) in the \(\mathcal {F} \) model, such that:
where \(\epsilon \) is a negligible function of the security parameter \(\lambda \). Similarly, a cryptosystem is said to be computationally at least as secure, etc., if \(\mathcal {E} \), \(\mathcal {A} \), and \(\mathcal {S}_\mathcal {A} \) are polynomial-time in \(\lambda \).
We have the following security-preserving (replacement) theorem, which says that when an ideal primitive is replaced by an indifferentiable one, the security of the “bigger” cryptosystem is retained.
Theorem 3
([12, 20]). Let \(\mathcal {P} \) be a cryptosystem with oracle access to an ideal primitive \(\mathcal {F} \). Let \( C \) be an algorithm such that \( C ^{\mathcal {G}}\) is indifferentiable from \(\mathcal {F} \). Then cryptosystem \(\mathcal {P} \) is at least as secure in the \(\mathcal {G} \) model with algorithm \( C \) as in the \(\mathcal {F} \) model.
A.2 Crooked Indifferentiability
The ideal primitives that we focus on in this paper are random oracles. A random oracle [6] is an ideal primitive which provides a random output for each new query and returns the same answer whenever the same input is queried again. Next, we formalize a new notion called crooked indifferentiability. Our formalization is for random oracles; we remark that it can be trivially extended to all ideal primitives.
Crooked Indifferentiability for Random Oracles. As mentioned in the Introduction, we consider repairing a subverted random oracle so that the corrected construction can be used just as an unsubverted one would be. It is thus natural to consider the indifferentiability notion. However, we need to adjust the notion to reflect the subversion and to avoid trivial impossibility. There are two main modifications to the original indifferentiability notion.
1. The deterministic construction has oracle access to the random oracle only via the subverted implementation \(\tilde{H}\), not via the ideal primitive H. This creates considerable difficulty (and even impossibility) in developing a suitable construction. For that reason, the construction is allowed access to trusted but public randomness r.
2. The simulator also has oracle access to the subverted implementation \(\tilde{H}\) and to the public randomness r.
The second modification is necessary. It is clearly impossible to have an indifferentiability definition with a simulator that has no access to \(\tilde{H}\): the distinguisher can simply query an input on which \( C \) uses a value that has been modified by \(\tilde{H}\), and \(\mathcal {S} \) has no way to reproduce it. More importantly, we show below that security is still preserved when an ideal random oracle is replaced by a construction satisfying our definition (with an augmented simulator). We prove the security-preserving (i.e., replacement) theorem of [20] and [12] analogously with our adapted notions.
Definition 5
(H-crooked indifferentiability). Consider a distinguisher \(\widehat{\mathcal {D}} \) and the following multi-phase real execution.
Initially, the distinguisher \(\widehat{\mathcal {D}} \), who has oracle access to the ideal primitive H, publishes a subverted implementation of H, denoted \(\tilde{H}\).
Secondly, a uniformly random string r is sampled and published.
Thirdly, a deterministic construction \( C \) is developed: the construction \( C \) takes the random string r as input and has oracle access to \(\tilde{H}\) (which can be considered a crooked version of H).
Finally, the distinguisher \(\widehat{\mathcal {D}} \), given the random string r as input and oracle access to the pair \(( C , H)\), returns a decision bit b. We often call \(\widehat{\mathcal {D}} \) the H-crooked-distinguisher.
In addition, consider the corresponding multi-phase ideal execution with the same H-crooked-distinguisher \(\widehat{\mathcal {D}} \), where the ideal primitive \(\mathcal {F} \) is provided.
The first two phases are the same as those in the real execution.
In the third phase, a simulator \(\mathcal {S} \) is developed: the simulator takes the random string r as input and has oracle access to \(\tilde{H}\), as well as to the ideal primitive \(\mathcal {F} \).
In the last phase, the H-crooked-distinguisher \(\widehat{\mathcal {D}} \), given the random string r as input and oracle access to the alternative pair \((\mathcal {F}, \mathcal {S})\), returns a decision bit b.
We say that construction \( C \) is \((t_{\widehat{\mathcal {D}}},t_\mathcal {S},q,\epsilon )\)-H-crooked-indifferentiable from the ideal primitive \(\mathcal {F} \) if there is a simulator \(\mathcal {S} \) such that, for any H-crooked-distinguisher \(\widehat{\mathcal {D}} \), the real execution and the ideal execution are indistinguishable. Specifically, the following difference should be upper bounded by \(\epsilon (\lambda )\):
Here u denotes the coins of \(\widehat{\mathcal {D}} \), and \(H: \{0,1\}^\lambda \rightarrow \{0,1\}^\lambda \) and \(\mathcal {F}: \{0,1\}^k \rightarrow \{0,1\}^k\) denote random functions. See Fig. 12 for a detailed illustration of the last phase in both the real and ideal executions.
B Stego-Free Specifications for Randomness Generation and Randomized Algorithms with Known Input Distribution
We recall the definition of stego-free randomness generation and stego-free randomized algorithms with public input distributions [25], and the general results that yield stego-free specifications for them in the trusted-amalgamation model.
Definition 6
(Stego-free randomness generation [25, Definition 3.1]). For a randomized algorithm \(\mathsf {G}\) with specification \(\mathsf {G}_\textsc {spec}\), we say that the specification \(\mathsf {G}_\textsc {spec}\) is stego-free in the offline-watchdog model if there exists a \(\textsc {ppt}\) watchdog \(\mathcal {W}\) such that, for any \(\textsc {ppt}\) adversary \(\mathcal {A} \) playing the game in Fig. 13 with challenger \(\mathcal {C}\), at least one of the following conditions holds:
where \(\mathbf {Adv} _{\mathcal {A}}(1^\lambda ) = \Pr [b_{\mathcal {C}} = 1] - \frac{1}{2}\) and \(\mathbf {Det} _{\mathcal {W},\mathcal {A}}(1^\lambda ) = \Pr [\mathcal {W}^{\mathsf {G}_{\textsc {impl}}}(1^\lambda ) = 1] - \Pr [\mathcal {W}^{\mathsf {G}_{\textsc {spec}}}(1^\lambda ) = 1]\).
Theorem 4
([25, Theorem 3.4]). Consider randomness generation \(\mathsf {RG}\) with specification \((\mathsf {RG}^0_{\textsc {spec}}\), \(\mathsf {RG}^1_{\textsc {spec}}\), \(\varPhi _{\textsc {spec}})\) as described below (see Fig. 14):
Given \(1^\lambda \), \(\mathsf {RG}^0_{\textsc {spec}}\) and \(\mathsf {RG}^1_{\textsc {spec}}\) output uniformly random strings of length \(\lambda \);
\(\varPhi _{\textsc {spec}}\) is a hash function such that \(\varPhi _{\textsc {spec}}(w)\) has length \(\lceil |w|/2 \rceil \);
the specification for \(\mathsf {RG}(1^\lambda )\) is the trusted composition \(\varPhi _{\textsc {spec}}(\mathsf {RG}^0_{\textsc {spec}}(1^\lambda ), \mathsf {RG}^1_{\textsc {spec}}(1^\lambda ))\).
Then \(\mathsf {RG}_{\textsc {spec}}\) is stego-free if \(\varPhi _{\textsc {spec}}\) is modeled as a random oracle.
Note that the above theorem only shows how to purify a randomness generation algorithm \(\mathsf {G}\) in the random oracle model by splitting \(\mathsf {G}\) into a constant number of components. It is possible to extend the result to the standard model if we are willing to use polynomially many segments. Such a result is demonstrated in the full version [24] of [25]. We quote their result as follows:
Proposition 1
([24]). There exists a specification for the randomness generation that outputs n bits that is stegofree with the trusted amalgamation and \(O(n^\epsilon / \log n)\) segments for any constant \(\epsilon \). Similar results hold for randomized algorithms with public input distribution.
The definition and theorems above cover elementary randomness generation algorithms that take only a security parameter as input. They can be generalized to algorithms that take additional inputs from a large domain, where the adversary specifies a randomized input generator \(\mathsf {IG}\), which implicitly defines \(\mathsf {G}(1^\lambda , \mathsf {IG}(1^\lambda ))\). This class of randomized algorithms includes key generation, bit encryption, etc.
Formally, let \(\mathsf {G}\) be a randomized algorithm using \(\lambda \) random bits for inputs of length n. The stego-free game is revised as follows: the challenges \(\{y_i\}\) are generated by first sampling \(m_i \leftarrow \mathsf {IG}(1^\lambda )\), and then obtaining \(y_i \leftarrow \mathsf {G}_\beta (1^\lambda , m_i)\) by calling \(\mathsf {G}_\beta \). The watchdog is given oracle access to \(\mathsf {IG}\) in order to test \(\mathsf {G}_{\textsc {impl}}\).
Definition 7
(Stego-free randomized algorithm [25, Definition 3.2]). For a randomized algorithm \(\mathsf {G}\), we say that the specification \(\mathsf {G}_\textsc {spec}\) is stego-free in the offline-watchdog model if there exists an offline \(\textsc {ppt}\) watchdog \(\mathcal {W}\) such that, for any \(\textsc {ppt}\) adversary \(\mathcal {A} \) playing the game in Fig. 15 with challenger \(\mathcal {C}\), either
\(\mathbf {Adv} _{\mathcal {A}}\) is negligible, or \(\mathbf {Det} _{\mathcal {W},\mathcal {A}}\) is non-negligible,
where \(\mathbf {Adv} _{\mathcal {A}}(1^\lambda ) = \Pr [b_{\mathcal {C}} = 1] - \frac{1}{2}\) and \(\mathbf {Det} _{\mathcal {W},\mathcal {A}}(1^\lambda ) = \Pr [\mathcal {W}^{\mathsf {G}_{\textsc {impl}}}(1^\lambda ) = 1] - \Pr [\mathcal {W}^{\mathsf {G}_{\textsc {spec}}}(1^\lambda ) = 1]\).
Russell et al. [25] established a general transformation yielding a stego-free specification for randomized algorithms with a public input distribution. Consider a randomized algorithm \(\mathsf {G}\) which uses \(\lambda \) random bits for inputs of length n. Let \((\mathsf {dG}, \mathsf {RG})\) denote the natural specification of \(\mathsf {G}\) that isolates randomness generation: \(\mathsf {RG}(1^\lambda )\) produces \(\lambda \) uniformly random bits and \(\mathsf {dG}(r,m)\) is a deterministic algorithm such that for every \(m \leftarrow \mathsf {IG}(1^\lambda )\), \(\mathsf {G}(m)\) is equal to \(\mathsf {dG}(\mathsf {RG}(1^\lambda ), m)\) for \(n = |m|\). Consider the transformed specification for \(\mathsf {G}\) of the form \((\mathsf {RG}_0,\mathsf {RG}_1, \varPhi , \mathsf {dG})\) where \(\mathsf {dG}\) is as above, \(\mathsf {RG}_0(1^\lambda )\) and \(\mathsf {RG}_1(1^\lambda )\) output \(\lambda \) uniform bits, and \(\varPhi \) is a hash function that carries strings of length \(2\lambda \) to strings of length \(\lambda \). We have the following theorem:
Theorem 5
([25, Theorem 3.5]). For any randomized algorithm \(\mathsf {G}\), consider the specification \(\mathsf {G}_{\textsc {spec}}:=(\mathsf {RG}_\textsc {spec}, \mathsf {dG}_{\textsc {spec}})\), where \(\mathsf {RG}_\textsc {spec}\) and \(\mathsf {dG}_\textsc {spec}\) are as above. Let \((\mathsf {RG}^0_\textsc {spec},\mathsf {RG}^1_\textsc {spec}, \varPhi _\textsc {spec})\) be the double-split specification of \(\mathsf {RG}_\textsc {spec}\) as in Fig. 14. Then \(\mathsf {G}_\textsc {spec}\) is stego-free with a trusted amalgamation (according to Definition 7). Here \(\varPhi _\textsc {spec}\) is modeled as a random oracle.
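As an added illustration of Theorems 4 and 5 (example code written for this page, not the authors' construction), the following Python models the double-split specification \((\mathsf {RG}^0, \mathsf {RG}^1, \varPhi )\) with its trusted amalgamation, the \(\mathsf {dG}\) step of Theorem 5, and a one-time black-box offline watchdog for a single \(\mathsf {RG}^b\) implementation. SHA-256 truncated to \(\lambda \) bits stands in for the random oracle \(\varPhi _\textsc {spec}\); the function names, the toy keyed-hash \(\mathsf {dG}\), and the particular checks the watchdog performs are assumptions of the example.

```python
import hashlib
import os
from typing import Callable

# Added example, not the paper's code. Security parameter lam is in bits
# (lam <= 256 so that a truncated SHA-256 output can supply lam bits).
# Assumptions: Phi_spec is instantiated as SHA-256 truncated to ceil(|w|/2)
# bytes, standing in for the random oracle; the "trusted amalgamation" is the
# few lines of concatenation, hashing and truncation in amalgamate().

RandGen = Callable[[int], bytes]  # an RG^b(1^lam) implementation


def rg_spec(lam: int) -> bytes:
    """Specification of RG^0 / RG^1: lam uniformly random bits from the OS."""
    return os.urandom(lam // 8)


def phi_spec(w: bytes) -> bytes:
    """Phi_spec(w): hash w and keep ceil(|w|/2) bytes (lam bits for |w| = 2*lam)."""
    out_len = (len(w) + 1) // 2
    return hashlib.sha256(w).digest()[:out_len]


def amalgamate(r0: bytes, r1: bytes) -> bytes:
    """Trusted amalgamation: RG(1^lam) = Phi_spec(RG^0(1^lam) || RG^1(1^lam))."""
    return phi_spec(r0 + r1)


def rg(lam: int, rg0: RandGen = rg_spec, rg1: RandGen = rg_spec) -> bytes:
    """RG(1^lam) built from two independently supplied implementations rg0, rg1."""
    return amalgamate(rg0(lam), rg1(lam))


def dg_spec(r: bytes, m: bytes) -> bytes:
    """Deterministic part dG(r, m) of a randomized algorithm G (toy: keyed hash)."""
    return hashlib.sha256(b"dG" + r + m).digest()


def g(lam: int, m: bytes, rg0: RandGen = rg_spec, rg1: RandGen = rg_spec) -> bytes:
    """G(1^lam, m) = dG(RG(1^lam), m), the Theorem 5 shape of the specification."""
    return dg_spec(rg(lam, rg0, rg1), m)


def offline_watchdog(rg_impl: RandGen, lam: int, samples: int = 64) -> bool:
    """One-time black-box test of an RG^b implementation against its spec.

    Checks only what an offline watchdog can see: output length, and that
    `samples` independent draws are pairwise distinct (a stuck or very
    low-entropy generator fails). It cannot certify the absence of a
    statistically well-hidden bias; that is what the amalgamation with a
    second, independent source and the random-oracle argument address.
    """
    seen = set()
    for _ in range(samples):
        out = rg_impl(lam)
        if len(out) != lam // 8:
            return False
        if out in seen:
            return False
        seen.add(out)
    return True


if __name__ == "__main__":
    # Constructed demonstration: an honest pair, then one stuck generator.
    print("spec passes watchdog:", offline_watchdog(rg_spec, 256))
    stuck = lambda lam: b"\x00" * (lam // 8)  # constructed low-entropy generator
    print("stuck fails watchdog:", offline_watchdog(stuck, 256))
    print("RG with one stuck input still fresh:", rg(256, stuck) != rg(256, stuck))
```

Note that `rg` still produces fresh outputs when one of the two generators is stuck, because \(\varPhi \) mixes in the other source; the watchdog, by contrast, only rejects implementations that fail a black-box check, which is exactly the division of labour between the offline watchdog and the trusted amalgamation in the theorem.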
C Signature Schemes
A signature scheme is a triple of algorithms \(\mathcal {SS}=(\mathsf {KGen}, \mathsf {Sign}, \mathsf {Verify})\). The \(\mathsf {KGen}\) algorithm takes as input the security parameter \(\lambda \) and outputs a pair of verification/signing key \((\mathsf {vk}, \mathsf {sk})\). The \(\mathsf {Sign}\) algorithm takes as input \(\mathsf {sk} \), a message \(m \in \mathcal {M}\) (and random coins \(r \in \mathcal {R}\) if \(\mathsf {Sign}\) is probabilistic), and outputs a signature \(\sigma \in \varSigma \). The \(\mathsf {Verify}\) algorithm takes as input \(\mathsf {vk} \) and a pair \((m, \sigma )\) and outputs a bit indicating whether the signature is valid for message m under \(\mathsf {vk} \).
Definition 8
(Existential unforgeability). Let \(\mathcal {SS} = (\mathsf {KGen}\), \(\mathsf {Sign}\), \(\mathsf {Verify})\) be a signature scheme. We say that \(\mathcal {SS}\) is \((t,q,\epsilon )\)-existentially unforgeable under adaptive chosen-message attack (\(\mathsf {EUF}\text {-}\mathsf {CMA}\)-secure) if for all \(\textsc {ppt}\) adversaries \(\mathcal {A}\) running in time t it holds that:
where \(\mathcal {Q}=\{m_1, \ldots , m_q\}\) denotes the set of queries to the signing oracle. Whenever \(\epsilon (\lambda ) = \mathsf {negl} \) and \(q = \mathsf {poly}\), we simply say that \(\mathcal {SS}\) is \(\mathsf {EUF}\text {-}\mathsf {CMA}\)-secure.
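To make the triple \((\mathsf {KGen}, \mathsf {Sign}, \mathsf {Verify})\) and the \(\mathsf {EUF}\text {-}\mathsf {CMA}\) game concrete, here is an added Python example (not code from the paper) that instantiates the scheme with a Lamport one-time signature over SHA-256 and wraps it in a game harness that records the query set \(\mathcal {Q}\) and outputs 1 only for a valid signature on a message outside \(\mathcal {Q}\). The choice of a Lamport scheme (so the signing oracle answers at most \(q = 1\) query), \(\lambda = 256\), and the class and function names are assumptions of the example; the paper's own constructions are different schemes.

```python
import hashlib
import os

# Added example, not the paper's code: a concrete signature triple
# SS = (KGen, Sign, Verify) as a Lamport one-time signature, and a harness
# for the EUF-CMA game of Definition 8.
# Assumptions: lambda = 256 (SHA-256 output size); messages are arbitrary
# bytes, hashed to 256 bits before signing; Lamport keys are one-time, so
# the harness defaults to a signing budget of q = 1.

LAM = 256


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def kgen():
    """KGen(1^lam): sk is 2*lam random preimages, vk their hashes."""
    sk = [[os.urandom(32), os.urandom(32)] for _ in range(LAM)]
    vk = [[H(s0), H(s1)] for s0, s1 in sk]
    return vk, sk


def _bits(m: bytes):
    """Message digest as a list of lam bits, most significant bit first."""
    d = H(m)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(LAM)]


def sign(sk, m: bytes):
    """Sign(sk, m): reveal, for each digest bit, the matching preimage."""
    return [sk[i][b] for i, b in enumerate(_bits(m))]


def verify(vk, m: bytes, sigma) -> bool:
    """Verify(vk, m, sigma): every revealed preimage must hash to the vk entry
    selected by the corresponding digest bit of m."""
    if len(sigma) != LAM:
        return False
    return all(H(sigma[i]) == vk[i][b] for i, b in enumerate(_bits(m)))


class EufCmaGame:
    """Challenger for the EUF-CMA game: hands out vk, answers up to q signing
    queries while recording them in Q, and judges the final forgery."""

    def __init__(self, q: int = 1):
        self.vk, self._sk = kgen()   # sk never leaves the challenger
        self.Q = []                  # the set {m_1, ..., m_q} of queried messages
        self.q = q

    def sign_oracle(self, m: bytes):
        if len(self.Q) >= self.q:
            raise ValueError("signing budget q exhausted")
        self.Q.append(m)
        return sign(self._sk, m)

    def finalize(self, m_star: bytes, sigma_star) -> int:
        """Returns 1 iff Verify accepts (m*, sigma*) and m* was never queried."""
        return int(m_star not in self.Q and verify(self.vk, m_star, sigma_star))


if __name__ == "__main__":
    # Constructed run: the trivial "replay" adversary wins nothing because
    # its message is in Q; moving the signature to another message fails Verify.
    game = EufCmaGame()
    s = game.sign_oracle(b"hello")
    print("replay on queried message:", game.finalize(b"hello", s))   # 0
    print("same signature, new message:", game.finalize(b"other", s))  # 0
```

The harness is where the \(m^* \notin \mathcal {Q}\) condition of Definition 8 lives; a scheme that lets the signing oracle be called more than once per key (which a Lamport key must not) simply raises the `q` budget.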
© 2019 International Association for Cryptologic Research
Cite this paper
Chow, S.S.M., Russell, A., Tang, Q., Yung, M., Zhao, Y., Zhou, H.S. (2019). Let a Non-barking Watchdog Bite: Cliptographic Signatures with an Offline Watchdog. In: Lin, D., Sako, K. (eds) Public-Key Cryptography – PKC 2019. PKC 2019. Lecture Notes in Computer Science, vol. 11442. Springer, Cham. https://doi.org/10.1007/978-3-030-17253-4_8
DOI: https://doi.org/10.1007/978-3-030-17253-4_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-17252-7
Online ISBN: 978-3-030-17253-4