
Let a Non-barking Watchdog Bite: Cliptographic Signatures with an Offline Watchdog

Conference paper, Public-Key Cryptography – PKC 2019 (PKC 2019)

Abstract

We study how to construct secure digital signature schemes in the presence of kleptographic attacks. Our work utilizes an offline watchdog to clip the power of subversions via only one-time black-box testing of the implementation. Previous results essentially rely on an online watchdog which requires the collection of all communicating transcripts (or active re-randomization of messages).

We first give a simple but generic construction, without random oracles, in the partial-subversion model in which key generation and signing algorithms can be subverted. Then, we give the first digital signature scheme in the complete-subversion model in which all cryptographic algorithms can be subverted. This construction is based on the full-domain hash. Along the way, we enhance the recent result of Russell et al. (CRYPTO 2018) about correcting a subverted random oracle.

S. S. M. Chow—Supported by GRF (CUHK 14210217) of the Research Grants Council, Hong Kong.

A. Russell—Supported in part by NSF award 1801487.

Q. Tang—Supported in part by NSF award 1801492.

H.-S. Zhou—Supported in part by NSF award 1801470.

Notes

  1. This can be viewed as applying the input-triggered attack [13] to signature schemes.

  2. As elaborated above, the trusted computing base, including operations like “\(\oplus \)” and “\(=\)”, is still in place. These operations are actually necessary because of the known (simple) trigger attacks [13] when only an offline watchdog is assumed. Our goal is to reduce the number of trusted functional components and to keep the remaining ones as simple as possible, e.g., without any trusted large group operations.

  3. In the full version [24] of [25], the authors discussed how to achieve subversion-resistant randomness generation in the standard model, at the cost of efficiency. See Appendix B and [24] for details.

  4. \(\mathsf {RG}_\textsc {spec}\) and \(\mathsf {MG}_\textsc {spec}\) will be split into three pieces exactly as in Fig. 14.

  5. We remark here that the \(\mathsf {KG}_\textsc {spec}^{\mathcal {SS}}\) algorithm will be split into four pieces exactly as in [25].

References

  1. Abe, M., Chase, M., David, B., Kohlweiss, M., Nishimaki, R., Ohkubo, M.: Constant-size structure-preserving signatures: generic constructions and simple assumptions. J. Cryptology 29(4), 833–878 (2016)

  2. Ateniese, G., Magri, B., Venturi, D.: Subversion-resilient signature schemes. In: Ray, I., Li, N., Kruegel, C. (eds.) ACM CCS 2015, pp. 364–375. ACM Press, New York (2015)

  3. Bellare, M., Hoang, V.T.: Resisting randomness subversion: fast deterministic and hedged public-key encryption in the standard model. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015, Part II. LNCS, vol. 9057, pp. 627–656. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_21

  4. Bellare, M., Jaeger, J., Kane, D.: Mass-surveillance without the state: strongly undetectable algorithm-substitution attacks. In: Ray, I., Li, N., Kruegel, C. (eds.) ACM CCS 2015, pp. 1431–1440. ACM Press, New York (2015)

  5. Bellare, M., Paterson, K.G., Rogaway, P.: Security of symmetric encryption against mass surveillance. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 1–19. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_1

  6. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Ashby, V. (ed.) ACM CCS 1993, pp. 62–73. ACM Press, New York (1993)

  7. Bellare, M., Rogaway, P.: The exact security of digital signatures-how to sign with RSA and Rabin. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_34

  8. Boneh, D., Boyen, X.: Short signatures without random oracles and the SDH assumption in bilinear groups. J. Cryptology 21(2), 149–177 (2008)

  9. Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: 42nd FOCS, pp. 136–145. IEEE Computer Society Press, October 2001

  10. Chen, R., Mu, Y., Yang, G., Susilo, W., Guo, F., Zhang, M.: Cryptographic reverse firewall via malleable smooth projective hash functions. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, Part I. LNCS, vol. 10031, pp. 844–876. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_31

  11. Coron, J.-S.: On the exact security of full domain hash. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 229–235. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44598-6_14

  12. Coron, J.-S., Dodis, Y., Malinaud, C., Puniya, P.: Merkle-Damgård revisited: how to construct a hash function. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 430–448. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_26

  13. Degabriele, J.P., Farshim, P., Poettering, B.: A more cautious approach to security against mass surveillance. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 579–598. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48116-5_28

  14. Desmedt, Y.: Abuses in cryptography and how to fight them. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 375–389. Springer, New York (1990). https://doi.org/10.1007/0-387-34799-2_29

  15. Dodis, Y., Ganesh, C., Golovnev, A., Juels, A., Ristenpart, T.: A formal treatment of backdoored pseudorandom generators. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015, Part I. LNCS, vol. 9056, pp. 101–126. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_5

  16. Dodis, Y., Mironov, I., Stephens-Davidowitz, N.: Message transmission with reverse firewalls—secure communication on corrupted machines. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part I. LNCS, vol. 9814, pp. 341–372. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_13

  17. Fischlin, M., Mazaheri, S.: Self-guarding cryptographic protocols against algorithm substitution attacks. In: 31st IEEE Computer Security Foundations Symposium, CSF 2018, Oxford, United Kingdom, 9–12 July 2018, pp. 76–90 (2018)

  18. Giacon, F., Heuer, F., Poettering, B.: KEM combiners. In: Abdalla, M., Dahab, R. (eds.) PKC 2018, Part I. LNCS, vol. 10769, pp. 190–218. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76578-5_7

  19. Liu, C., Chen, R., Wang, Y., Wang, Y.: Asymmetric subversion attacks on signature schemes. In: Susilo, W., Yang, G. (eds.) ACISP 2018. LNCS, vol. 10946, pp. 376–395. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-93638-3_22

  20. Maurer, U., Renner, R., Holenstein, C.: Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 21–39. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24638-1_2

  21. Mironov, I., Stephens-Davidowitz, N.: Cryptographic reverse firewalls. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015, Part II. LNCS, vol. 9057, pp. 657–686. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_22

  22. Perlroth, N., Larson, J., Shane, S.: NSA able to foil basic safeguards of privacy on web. The New York Times, September 2013

  23. Russell, A., Tang, Q., Yung, M., Zhou, H.-S.: Cliptography: clipping the power of kleptographic attacks. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, Part II. LNCS, vol. 10032, pp. 34–64. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_2

  24. Russell, A., Tang, Q., Yung, M., Zhou, H.-S.: Destroying steganography via amalgamation: kleptographically CPA secure public key encryption. Cryptology ePrint Archive, Report 2016/530 (2016). http://eprint.iacr.org/2016/530

  25. Russell, A., Tang, Q., Yung, M., Zhou, H.-S.: Generic semantic security against a kleptographic adversary. In: Thuraisingham, B.M., Evans, D., Malkin, T., Xu, D. (eds.) ACM CCS 2017, pp. 907–922. ACM Press, New York (2017)

  26. Russell, A., Tang, Q., Yung, M., Zhou, H.-S.: Correcting subverted random oracles. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part II. LNCS, vol. 10992, pp. 241–271. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_9

  27. Young, A., Yung, M.: The dark side of “black-box” cryptography or: should we trust capstone? In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 89–103. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_8

  28. Young, A., Yung, M.: Kleptography: using cryptography against cryptography. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 62–74. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_6

  29. Zhang, C., Cash, D., Wang, X., Yu, X., Chow, S.S.M.: Combiners for chosen-ciphertext security. In: Dinh, T.N., Thai, M.T. (eds.) COCOON 2016. LNCS, vol. 9797, pp. 257–268. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-42634-1_21

Corresponding author

Correspondence to Yongjun Zhao.

Appendices

A The Model: Crooked Indifferentiability

A.1 Preliminary: Indifferentiability

The notion of indifferentiability, proposed in the elegant work of Maurer et al. [20], has been found very useful for studying the security of hash functions and many other primitives. This notion is an extension of the classical notion of indistinguishability to the setting where one or more oracles are publicly available. The indifferentiability notion was originally given in the framework of random systems [20] providing interfaces to other systems. Coron et al. [12] demonstrate an equivalent indifferentiability notion in the framework of Interactive Turing Machines (as in [9]). The indifferentiability formulation in this subsection is essentially taken from Coron et al. [12]. In the next subsection, we will introduce our new notion, crooked indifferentiability.

Defining Indifferentiability. An ideal primitive is an algorithmic entity which receives inputs from one of the parties and returns its output immediately to the querying party. We now proceed to the definition of indifferentiability [12, 20]:

Definition 3

(Indifferentiability [12, 20]). A Turing machine \( C \) with oracle accesses to an ideal primitive \(\mathcal {G} \) is said to be \((t_\mathcal {D},t_\mathcal {S},q,\epsilon )\)-indifferentiable from an ideal primitive \(\mathcal {F} \), if there is a simulator \(\mathcal {S} \), such that for any distinguisher \(\mathcal {D} \), it holds that:

$$\left| \Pr [\mathcal {D} ^{ C ,\mathcal {G}} = 1] - \Pr [\mathcal {D} ^{\mathcal {F},\mathcal {S}}= 1] \right| \le \epsilon \,.$$

The simulator \(\mathcal {S} \) has oracle accesses to \(\mathcal {F} \) and runs in time at most \(t_\mathcal {S} \). The distinguisher \(\mathcal {D} \) runs in time at most \(t_\mathcal {D} \) and makes at most q queries. Similarly, \( C ^\mathcal {G} \) is said to be (computationally) indifferentiable from \(\mathcal {F} \) if \(\epsilon \) is a negligible function of the security parameter \(\lambda \) (for polynomially bounded \(t_\mathcal {D} \) and \(t_\mathcal {S} \)). See Fig. 10.

Fig. 10. Indifferentiability: Distinguisher \(\mathcal {D} \) either interacts with algorithm \( C \) and ideal primitive \(\mathcal {G} \), or with ideal primitive \(\mathcal {F} \) and simulator \(\mathcal {S} \). Algorithm \( C \) has oracle access to \(\mathcal {G} \), while simulator \(\mathcal {S} \) has oracle access to \(\mathcal {F} \).

As illustrated in Fig. 10, the role of the simulator is to simulate the ideal primitive \(\mathcal {G} \) so that no distinguisher can tell whether it is interacting with \( C \) and \(\mathcal {G} \), or with \(\mathcal {F} \) and \(\mathcal {S} \); in other words, the output of \(\mathcal {S} \) should look “consistent” with what the distinguisher can obtain from \(\mathcal {F} \). Note that the simulator does not see the distinguisher’s queries to \(\mathcal {F} \); however, it can call \(\mathcal {F} \) directly when needed for the simulation.

Replacement. It is shown in [20] that if \( C ^\mathcal {G} \) is indifferentiable from \(\mathcal {F} \), then \( C ^\mathcal {G} \) can replace \(\mathcal {F} \) in any cryptosystem, and the resulting cryptosystem is at least as secure in the \(\mathcal {G} \) model as in the \(\mathcal {F} \) model.

We use the definition of [20] to specify what it means for a cryptosystem to be at least as secure in the \(\mathcal {G} \) model as in the \(\mathcal {F} \) model. A cryptosystem is modeled as an Interactive Turing Machine with an interface to an adversary \(\mathcal {A} \) and to a public oracle. The cryptosystem is run by an environment \(\mathcal {E} \) which provides a binary output and also runs the adversary. In the \(\mathcal {G} \) model, cryptosystem \(\mathcal {P} \) has oracle access to \( C \) whereas attacker \(\mathcal {A} \) has oracle access to \(\mathcal {G} \). In the \(\mathcal {F} \) model, both \(\mathcal {P} \) and \(\mathcal {A} \) have oracle access to \(\mathcal {F} \). The definition is illustrated in Fig. 11.

Fig. 11. Environment \(\mathcal {E} \) interacts with cryptosystem \(\mathcal {P} \) and attacker \(\mathcal {A} \): In the \(\mathcal {G} \) model (left), \(\mathcal {P} \) has oracle access to \( C \) whereas \(\mathcal {A} \) has oracle access to \(\mathcal {G} \). In the \(\mathcal {F} \) model, both \(\mathcal {P} \) and \(\mathcal {S}_\mathcal {A} \) have oracle access to \(\mathcal {F} \).

Definition 4

A cryptosystem is said to be at least as secure in the \(\mathcal {G} \) model with algorithm \( C \) as in the \(\mathcal {F} \) model, if for any environment \(\mathcal {E} \) and any attacker \(\mathcal {A} \) in the \(\mathcal {G} \) model, there exists an attacker \(\mathcal {S}_\mathcal {A} \) in the \(\mathcal {F} \) model, such that:

$$ \Pr [\mathcal {E} (\mathcal {P} ^{ C ^{\mathcal {G}}},\mathcal {A} ^{\mathcal {G}})=1]-\Pr [\mathcal {E} (\mathcal {P} ^{\mathcal {F}},\mathcal {S}_{\mathcal {A}} ^{\mathcal {F}})=1]\le \epsilon , $$

where \(\epsilon \) is a negligible function of the security parameter \(\lambda \). Similarly, a cryptosystem is said to be computationally at least as secure, etc., if \(\mathcal {E} \), \(\mathcal {A} \), and \(\mathcal {S}_\mathcal {A} \) are polynomial-time in \(\lambda \).

We have the following security-preserving (replacement) theorem, which says that when an ideal primitive is replaced by an indifferentiable one, the security of the “bigger” cryptosystem remains.

Theorem 3

([12, 20]). Let \(\mathcal {P} \) be a cryptosystem with oracle accesses to an ideal primitive \(\mathcal {F} \). Let \( C \) be an algorithm such that \( C ^{\mathcal {G}}\) is indifferentiable from \(\mathcal {F} \). Then cryptosystem \(\mathcal {P} \) is at least as secure in the \(\mathcal {G} \) model with algorithm \( C \) as in the \(\mathcal {F} \) model.

A.2 Crooked Indifferentiability

The ideal primitives that we focus on in this paper are random oracles. A random oracle [6] is an ideal primitive which provides a random output for each new query and returns the same answer whenever the same input is queried again. Next, we will formalize a new notion called crooked indifferentiability. Our formalization is for random oracles. We remark that the formalization can be trivially extended to all ideal primitives.

Crooked Indifferentiability for Random Oracles. As mentioned in the Introduction, we consider repairing a subverted random oracle so that the corrected construction can be used as well as an unsubverted one. It is thus natural to consider the indifferentiability notion. However, we need to adjust the notion to reflect the subversion and to avoid trivial impossibility. There are two main modifications to the original indifferentiability notion.

  1. The deterministic construction will have oracle access to the random oracle only via the subverted implementation \(\tilde{H}\), not via the ideal primitive H. This creates considerable difficulty (and even impossibility) in developing a suitable construction. For that reason, the construction is allowed to access trusted but public randomness r.

  2. The simulator will also have oracle access to the subverted implementation \(\tilde{H}\), as well as to the public randomness r.

The second modification is necessary. It is clearly impossible to have an indifferentiability definition with a simulator that has no access to \(\tilde{H}\), as the distinguisher can simply query an input on which \( C \) will use a value that is modified by \(\tilde{H}\), while \(\mathcal {S} \) has no way to reproduce it. More importantly, we will show below that security is still preserved when an ideal random oracle is replaced with a construction satisfying our definition (with an augmented simulator). We will prove the security-preserving (i.e., replacement) theorem from [20] and [12] similarly with our adapted notions.

Definition 5

(H-crooked indifferentiability). Consider a distinguisher \(\widehat{\mathcal {D}} \) and the following multi-phase real execution.

Initially, the distinguisher \(\widehat{\mathcal {D}} \), which has oracle access to the ideal primitive H, publishes a subverted implementation of H, denoted by \(\tilde{H}\).

Secondly, a uniformly random string r is sampled and published.

Thirdly, a deterministic construction \( C \) is developed: the construction \( C \) has random string r as input, and has oracle accesses to \(\tilde{H}\) (which can be considered as a crooked version of H).

Finally, the distinguisher \(\widehat{\mathcal {D}} \), after having random string r as input, and oracle accesses to the pair \(( C , H)\), returns a decision bit b. Often, we call \(\widehat{\mathcal {D}} \) the H-crooked-distinguisher.

In addition, consider the corresponding multi-phase ideal execution with the same H-crooked-distinguisher \(\widehat{\mathcal {D}} \), where ideal primitive \(\mathcal {F} \) is provided.

The first two phases are the same (as those in the real execution).

In the third phase, a simulator \(\mathcal {S} \) will be developed: the simulator has random string r as input, and has oracle accesses to \(\tilde{H}\), as well as the ideal primitive \(\mathcal {F} \).

In the last phase, the H-crooked-distinguisher \(\widehat{\mathcal {D}} \), after having random string r as input, and having oracle accesses to an alternative pair \((\mathcal {F}, \mathcal {S})\), returns a decision bit b.

We say that construction \( C \) is \((t_{\widehat{\mathcal {D}}},t_\mathcal {S},q,\epsilon )\)-H-crooked-indifferentiable from ideal primitive \(\mathcal {F} \), if there is a simulator \(\mathcal {S} \) such that, for any H-crooked-distinguisher \(\widehat{\mathcal {D}} \), the real execution and the ideal execution are indistinguishable. Specifically, the following difference should be upper bounded by \(\epsilon (\lambda )\):

$$\left| \mathop {\Pr }\limits _{u,r,H} \left[ \tilde{H} \leftarrow \widehat{\mathcal {D}}\ : \ \widehat{\mathcal {D}} ^{ C ^{\tilde{H}}(r),\,H}(\lambda , r) = 1\right] - \mathop {\Pr }\limits _{u,r,\mathcal {F}} \left[ \tilde{H} \leftarrow \widehat{\mathcal {D}}\ : \ \widehat{\mathcal {D}} ^{\mathcal {F},\,\mathcal {S} ^{\tilde{H},\mathcal {F}}(r)}(\lambda , r) = 1\right] \right| .$$

Here u denotes the coins of \(\widehat{\mathcal {D}} \), and \(H: {{\{0,1\}}^{}} ^\lambda \rightarrow {{\{0,1\}}^{}} ^\lambda \) and \(\mathcal {F}: {{\{0,1\}}^{}} ^k \rightarrow {{\{0,1\}}^{}} ^k\) denote random functions. See Fig. 12 for a detailed illustration of the last phase in both the real and ideal executions.

Fig. 12. H-crooked Indifferentiability: distinguisher \(\widehat{\mathcal {D}} \), in the first phase, manufactures and publishes a subverted implementation denoted by \(\tilde{H}\), for ideal primitive H; then in the second phase, a random string r is published; after that, in the third phase, algorithm \( C \) and simulator \(\mathcal {S} \) are developed; the H-crooked-distinguisher \(\widehat{\mathcal {D}} \), in the last phase, either interacting with algorithm \( C \) and ideal primitive H, or with ideal primitive \(\mathcal {F} \) and simulator \(\mathcal {S} \), returns a decision bit. Here, algorithm \( C \) has oracle access to \(\tilde{H}\), while simulator \(\mathcal {S} \) has oracle access to \(\mathcal {F} \) and \(\tilde{H}\).

B Stego-Free Specifications for Randomness Generation and Randomized Algorithms with Known Input Distribution

We recall the definition of stego-free randomness generation and stego-free randomized algorithms with public input distributions [25], and the general results that yield stego-free specifications for them in the trusted-amalgamation model.

Definition 6

(Stego-free randomness generation [25, Definition 3.1]). For a randomized algorithm \(\mathsf {G}\) with specification \(\mathsf {G}_\textsc {spec}\), we say that the specification \(\mathsf {G}_\textsc {spec}\) is stego-free in the offline-watchdog model if there exists a \(\textsc {ppt}\) watchdog \(\mathcal {W}\) such that, for any \(\textsc {ppt}\) adversary \(\mathcal {A} \) playing the game in Fig. 13 with challenger \(\mathcal {C}\), at least one of the following conditions holds:

$$\mathbf {Adv} _{\mathcal {A}} \text { is negligible, or } \mathbf {Det} _{\mathcal {W},\mathcal {A}} \text { is non-negligible},$$

where \(\mathbf {Adv} _{\mathcal {A}}(1^\lambda ) = |\Pr [b_{\mathcal {C}} = 1] - \frac{1}{2}|\) and \(\mathbf {Det} _{\mathcal {W},\mathcal {A}}(1^\lambda ) = |\Pr [\mathcal {W}^{\mathsf {G}_{\textsc {impl}}}(1^\lambda )~=~1] - \Pr [\mathcal {W}^{\mathsf {G}_{\textsc {spec}}}(1^\lambda ) = 1]|\).

Fig. 13. Stego-freeness game for randomness generation

Theorem 4

([25, Theorem 3.4]). Consider randomness generation \(\mathsf {RG}\) with specification \((\mathsf {RG}^0_{\textsc {spec}}\), \(\mathsf {RG}^1_{\textsc {spec}}\), \(\varPhi _{\textsc {spec}})\) as described below (see Fig. 14):

  • Given \(1^\lambda \), \(\mathsf {RG}^0_{\textsc {spec}}\) and \(\mathsf {RG}^1_{\textsc {spec}}\) output uniformly random strings of length \(\lambda \);

  • \(\varPhi _{\textsc {spec}}\) is a hash function so that \(\varPhi _{\textsc {spec}}(w)\) has length \(\lceil |w|/2 \rceil \);

  • the specification for \(\mathsf {RG}(1^\lambda )\) is the trusted composition:

    \(\varPhi _{\textsc {spec}}(\mathsf {RG}^0_{\textsc {spec}}(1^\lambda ), \mathsf {RG}^1_{\textsc {spec}}(1^\lambda ))\).

Then \(\mathsf {RG}_{\textsc {spec}}\) is stego-free if \(\varPhi _{\textsc {spec}}\) is modeled as a random oracle.

Fig. 14. Subversion-resistant specification for randomness generation
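The double-split specification of Theorem 4 (Fig. 14), together with the way Theorem 5 feeds it into a randomized algorithm, as an added example that is not code from the paper. It assumes SHA-256 in place of the random oracle \(\varPhi _{\textsc {spec}}\), lengths counted in bytes, and a constructed adversarial implementation (`make_subverted_rg`) used only to show that an output property an offline watchdog cannot test for stops being observable once the outputs pass through the trusted amalgamation.

```python
"""Double-split randomness generation with trusted amalgamation.

Added illustration of Theorem 4 / Fig. 14 and the RG part of Theorem 5; not the
paper's code. Assumptions: SHA-256 plays the random oracle Phi_spec, lengths are
in bytes, and the "subverted" component is a constructed test case for the model.
"""
import hashlib
import hmac
import secrets
from typing import Callable

LAMBDA_BYTES = 16  # security parameter lambda, counted in bytes here


def rg_spec() -> bytes:
    """Honest RG^0_spec / RG^1_spec: lambda uniformly random bytes."""
    return secrets.token_bytes(LAMBDA_BYTES)


def phi_spec(w: bytes) -> bytes:
    """Phi_spec(w): hash w down to ceil(|w|/2) bytes.

    SHA-256 with a counter stands in for the random oracle; the counter only
    matters for inputs longer than 64 bytes, where one digest is not enough.
    """
    out_len = (len(w) + 1) // 2
    out = b""
    ctr = 0
    while len(out) < out_len:
        out += hashlib.sha256(ctr.to_bytes(4, "big") + w).digest()
        ctr += 1
    return out[:out_len]


def rg_amalgamated(rg0: Callable[[], bytes], rg1: Callable[[], bytes]) -> bytes:
    """Trusted composition Phi_spec(RG^0(1^lambda), RG^1(1^lambda)).

    Only the concatenation and the call to phi_spec are trusted; rg0 and rg1 are
    the (possibly subverted) implementations handed to us.
    """
    return phi_spec(rg0() + rg1())


def g_spec(dg: Callable[[bytes, bytes], bytes], m: bytes,
           rg0: Callable[[], bytes], rg1: Callable[[], bytes]) -> bytes:
    """Theorem 5 shape: G(m) = dG(RG(1^lambda), m), with the randomness drawn
    through the amalgamated specification and dG a deterministic algorithm."""
    return dg(rg_amalgamated(rg0, rg1), m)


def offline_watchdog(rg_impl: Callable[[], bytes], samples: int = 256) -> bool:
    """One-time black-box test a watchdog can run on a single component: outputs
    must have the specified length and must not repeat. Returns True on pass."""
    seen = set()
    for _ in range(samples):
        out = rg_impl()
        if len(out) != LAMBDA_BYTES or out in seen:
            return False
        seen.add(out)
    return True


def leak_bit(adv_key: bytes, r: bytes) -> int:
    """Keyed predicate on an output; without adv_key it behaves like a fair
    coin, so an offline watchdog has nothing to test for."""
    return hmac.new(adv_key, r, hashlib.sha256).digest()[0] & 1


def make_subverted_rg(adv_key: bytes) -> Callable[[], bytes]:
    """Constructed adversarial RG_impl for the stego-freeness game: rejection-
    samples until leak_bit(adv_key, r) == 1, so every output satisfies the
    adversary's predicate while still looking uniform to the watchdog."""
    def rg_impl() -> bytes:
        while True:
            r = secrets.token_bytes(LAMBDA_BYTES)
            if leak_bit(adv_key, r) == 1:
                return r
    return rg_impl


def channel_hit_rate(rg: Callable[[], bytes], adv_key: bytes,
                     trials: int = 1000) -> float:
    """Fraction of outputs on which the adversary's predicate fires."""
    return sum(leak_bit(adv_key, rg()) for _ in range(trials)) / trials


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    bad0, bad1 = make_subverted_rg(key), make_subverted_rg(key)
    print("watchdog passes subverted component:", offline_watchdog(bad0))
    print("predicate rate, subverted component alone:", channel_hit_rate(bad0, key))
    # After amalgamation only Phi(r0 || r1) is visible and the predicate fires at
    # chance level, even though both components are subverted.
    print("predicate rate, amalgamated output:",
          channel_hit_rate(lambda: rg_amalgamated(bad0, bad1), key))
```

The amalgamated rate sits near 1/2 for this one constructed subversion; the theorem's guarantee is the general statement over all adversaries, which the sample run only illustrates.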

Note that the above theorem only asserts how to purify the randomness generation algorithm \(\mathsf {G}\) in the random oracle model by splitting \(\mathsf {G}\) into a constant number of components. It is possible to extend the result to the standard model if we are willing to have polynomially many segments. Such a result is demonstrated in the full version [24] of [25]. We quote their result as follows:

Proposition 1

([24]). There exists a specification for the randomness generation that outputs n bits that is stego-free with the trusted amalgamation and \(O(n^\epsilon / \log n)\) segments for any constant \(\epsilon \). Similar results hold for randomized algorithms with public input distribution.

The definition and theorems above cover elementary randomness generation algorithms that only take a security parameter as input. They can be generalized to algorithms that take additional inputs from a large domain, in which the adversary specifies a randomized input generator \(\mathsf {IG}\), which implicitly defines \(\mathsf {G}(1^\lambda , \mathsf {IG}(1^\lambda ))\). This class of randomized algorithms includes key generation, bit encryption, etc.

Formally, let \(\mathsf {G}\) be a randomized algorithm using \(\lambda \) random bits for inputs of length n. The stego-free game is revised as follows: the challenges \(\{y_i\}\) are generated by first sampling \(m_i \leftarrow \mathsf {IG}(1^\lambda )\), and then obtaining \(y_i \leftarrow \mathsf {G}_\beta (1^\lambda , m_i)\) by calling \(\mathsf {G}_\beta \). The watchdog is provided oracle access to \(\mathsf {IG}\) to test \(\mathsf {G}_{\textsc {impl}}\).

Definition 7

(Stego-free randomized algorithm [25, Definition 3.2]). For a randomized algorithm \(\mathsf {G}\), we say that the specification \(\mathsf {G}_\textsc {spec}\) is stego-free in the offline-watchdog model if there exists an offline \(\textsc {ppt}\) watchdog \(\mathcal {W}\) such that, for any \(\textsc {ppt}\) adversary \(\mathcal {A} \) playing the game in Fig. 15 with challenger \(\mathcal {C}\), either

\(\mathbf {Adv} _{\mathcal {A}}\) is negligible, or, \(\mathbf {Det} _{\mathcal {W},\mathcal {A}}\) is non-negligible,

where \(\mathbf {Adv} _{\mathcal {A}}(1^\lambda ) = |\Pr [b_{\mathcal {C}} = 1] - \frac{1}{2}|\) and \(\mathbf {Det} _{\mathcal {W},\mathcal {A}}(1^\lambda ) = |\Pr [\mathcal {W}^{\mathsf {G}_{\textsc {impl}}}(1^\lambda )~=~1] - \Pr [\mathcal {W}^{\mathsf {G}_{\textsc {spec}}}(1^\lambda ) = 1]|\).

Fig. 15. Stego-freeness game for randomized algorithms with input distribution \(\{1^\lambda \} \times \mathsf {IG}\)

Russell et al. [25] established a general transformation yielding a stego-free specification for randomized algorithms with a public input distribution. Consider a randomized algorithm \(\mathsf {G}\) which uses \(\lambda \) random bits for inputs of length n. Let \((\mathsf {dG}, \mathsf {RG})\) denote the natural specification of \(\mathsf {G}\) that isolates randomness generation: \(\mathsf {RG}(1^\lambda )\) produces \(\lambda \) uniformly random bits and \(\mathsf {dG}(r,m)\) is a deterministic algorithm such that, for every \(m \leftarrow \mathsf {IG}(1^\lambda )\), \(\mathsf {G}(m)\) is equal to \(\mathsf {dG}(\mathsf {RG}(1^\lambda ), m)\) for \(n =|m|\). Consider the transformed specification for \(\mathsf {G}\) of the form \((\mathsf {RG}_0,\mathsf {RG}_1, \varPhi , \mathsf {dG})\) where \(\mathsf {dG}\) is as above, \(\mathsf {RG}_0(1^\lambda )\) and \(\mathsf {RG}_1(1^\lambda )\) output \(\lambda \) uniform bits, and \(\varPhi \) is a hash function that carries strings of length \(2\lambda \) to strings of length \(\lambda \). We have the following theorem:

Theorem 5

([25, Theorem 3.5]). For any randomized algorithm \(\mathsf {G}\), consider the specification \(\mathsf {G}_{\textsc {spec}}:=(\mathsf {RG}_\textsc {spec}, \mathsf {dG}_{\textsc {spec}})\), where \(\mathsf {RG}_\textsc {spec}\) and \(\mathsf {dG}_\textsc {spec}\) are as above. Let \((\mathsf {RG}^0_\textsc {spec},\mathsf {RG}^1_\textsc {spec}, \varPhi _\textsc {spec})\) be the double-split specification of \(\mathsf {RG}_\textsc {spec}\) as in Fig. 14. \(\mathsf {G}_\textsc {spec}\) is stego-free with a trusted amalgamation (according to Definition 7). Here \(\varPhi _\textsc {spec}\) is modeled as a random oracle.

C Signature Schemes

A signature scheme is a triple of algorithms \(\mathcal {SS}=(\mathsf {KGen}, \mathsf {Sign}, \mathsf {Verify})\). The \(\mathsf {KGen}\) algorithm takes as input the security parameter \(\lambda \) and outputs a pair of verification/signing key \((\mathsf {vk}, \mathsf {sk})\). The \(\mathsf {Sign}\) algorithm takes as input \(\mathsf {sk} \), a message \(m \in \mathcal {M}\) (and random coins \(r \in \mathcal {R}\) if \(\mathsf {Sign}\) is probabilistic), and outputs a signature \(\sigma \in \varSigma \). The \(\mathsf {Verify}\) algorithm takes as input \(\mathsf {vk} \) and a pair \((m, \sigma )\) and outputs a bit indicating whether the signature is valid for message m under \(\mathsf {vk} \).

Definition 8

(Existential unforgeability). Let \(\mathcal {SS} = (\mathsf {KGen}\), \(\mathsf {Sign}\), \(\mathsf {Verify})\) be a signature scheme. We say that \(\mathcal {SS}\) is \((t,q,\epsilon )\)-existentially unforgeable under adaptive chosen-message attack (\(\mathsf {EUF}\text {-}\mathsf {CMA}\)-secure) if for all \(\textsc {ppt}\) adversaries \(\mathcal {A}\) running in time t it holds that:

$$ \Pr \left[ \begin{array}{l}\mathsf {Verify}(\mathsf {vk},(m^*, \sigma ^*)) = 1 \\ \wedge ~m^*\notin \mathcal {Q} \end{array}: \begin{array}{l}(\mathsf {vk}, \mathsf {sk}) \leftarrow \mathsf {KGen}(1^\lambda ); \\ (m^*, \sigma ^*) \leftarrow \mathcal {A}^{\mathsf {Sign}(\mathsf {sk},\cdot )}(\mathsf {vk}) \end{array} \right] \le \epsilon $$

where \(\mathcal {Q}=\{m_1, \ldots , m_q\}\) denotes the set of queries to the signing oracle. Whenever \(\epsilon (\lambda ) = \mathsf {negl} \) and \(q = \mathsf {poly}\), we simply say that \(\mathcal {SS}\) is \(\mathsf {EUF}\text {-}\mathsf {CMA}\)-secure.

Copyright information

© 2019 International Association for Cryptologic Research

Cite this paper

Chow, S.S.M., Russell, A., Tang, Q., Yung, M., Zhao, Y., Zhou, HS. (2019). Let a Non-barking Watchdog Bite: Cliptographic Signatures with an Offline Watchdog. In: Lin, D., Sako, K. (eds) Public-Key Cryptography – PKC 2019. PKC 2019. Lecture Notes in Computer Science, vol 11442. Springer, Cham. https://doi.org/10.1007/978-3-030-17253-4_8

  • DOI: https://doi.org/10.1007/978-3-030-17253-4_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-17252-7

  • Online ISBN: 978-3-030-17253-4