Generalized First Pre-image Tractable Random Oracle Model and Signature Schemes

  • Xiao Tan
  • Duncan S. Wong
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7372)

Abstract

Weakened Random Oracle Models (WROMs) are variants of the Random Oracle Model (ROM) under some weakened collision resistance assumptions. Cryptographic schemes proven secure in WROMs can ensure security even when the underlying random oracles are susceptible to a certain extent of collision attacks, second pre-image attacks, or first pre-image attacks. In this paper, we show that a WROM variant called FPT-ROM (First Pre-Image Tractable ROM) can be further weakened to a Generalized FPT-ROM, which can capture more practical attacks, for example the chosen-prefix collision attack by Stevens et al. (CRYPTO 2009). This type of attack has never been captured by any existing WROM. Achieving security in FPT-ROM has been known as one of the most challenging problems in constructing cryptographic schemes in WROMs. In the second part of this paper, we propose a generic transformation which converts a large class of signature schemes secure in ROM into a class of variants which can be proven secure in all the WROMs, including our newly proposed Generalized FPT-ROM. The transformation does not increase the signature size, and it applies to many practical and highly efficient signature schemes such as the Full-Domain Hash signature, the Schnorr signature, and many others.

Keywords

Random Oracle Model (ROM), Weakened ROM, First Pre-Image Tractable ROM

References

  1. Bellare, M., Micali, S.: How to sign given any trapdoor permutation. Journal of the ACM 39(1), 214–233 (1992)
  2. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Denning, D.E., Pyle, R., Ganesan, R., Sandhu, R.S., Ashby, V. (eds.) CCS 1993, pp. 62–73. ACM Press, New York (1993)
  3. Bellare, M., Rogaway, P.: The Exact Security of Digital Signatures - How to Sign with RSA and Rabin. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996)
  4. Bellare, M., Rogaway, P.: Collision-Resistant Hashing: Towards Making UOWHFs Practical. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 470–484. Springer, Heidelberg (1997)
  5. MacKenzie, P.D., Yang, K.: On Simulation-Sound Trapdoor Commitments. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 382–400. Springer, Heidelberg (2004)
  6. Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. Journal of Cryptology 17(4), 297–319 (2004)
  7. De Cannière, C., Rechberger, C.: Preimages for Reduced SHA-0 and SHA-1. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 179–202. Springer, Heidelberg (2008)
  8. Coron, J.-S.: On the Exact Security of Full Domain Hash. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 229–235. Springer, Heidelberg (2000)
  9. Coron, J.-S.: Optimal Security Proofs for PSS and Other Signature Schemes. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 272–287. Springer, Heidelberg (2002)
  10. Cramer, R., Shoup, V.: Signature schemes based on the strong RSA assumption. ACM Transactions on Information and System Security 3(3), 161–185 (2000)
  11. Dwork, C., Naor, M.: An Efficient Existentially Unforgeable Signature Scheme and Its Applications. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 234–246. Springer, Heidelberg (1994)
  12. Fiat, A., Shamir, A.: How to Prove Yourself: Practical Solutions to Identification and Signature Problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987)
  13. Gennaro, R., Halevi, S., Rabin, T.: Secure Hash-and-Sign Signatures without the Random Oracle. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 123–139. Springer, Heidelberg (1999)
  14. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Dwork, C. (ed.) STOC 2008, pp. 197–206. ACM Press, New York (2008)
  15. Goldwasser, S., Micali, S., Rivest, R.: A digital signature scheme secure against adaptive chosen message attacks. SIAM Journal on Computing 17(2), 281–308 (1988)
  16. Halevi, S., Krawczyk, H.: Strengthening Digital Signatures Via Randomized Hashing. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 41–59. Springer, Heidelberg (2006)
  17. Hess, F.: Efficient Identity Based Signature Schemes Based on Pairings. In: Nyberg, K., Heys, H.M. (eds.) SAC 2002. LNCS, vol. 2595, pp. 310–324. Springer, Heidelberg (2003)
  18. Hofheinz, D., Jager, T., Kiltz, E.: Short signatures from weaker assumptions (2011), http://eprint.iacr.org/2011/296.pdf
  19. Hofheinz, D., Kiltz, E.: Programmable Hash Functions and Their Applications. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 21–38. Springer, Heidelberg (2008)
  20. Hohenberger, S., Waters, B.: Short and Stateless Signatures from the RSA Assumption. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 654–670. Springer, Heidelberg (2009)
  21. Kawachi, A., Numayama, A., Tanaka, K., Xagawa, K.: Security of Encryption Schemes in Weakened Random Oracle Models (Extended Abstract). In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 403–419. Springer, Heidelberg (2010)
  22. Leurent, G.: MD4 is Not One-Way. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 412–428. Springer, Heidelberg (2008)
  23. Liskov, M.: Constructing an Ideal Hash Function from Weak Ideal Compression Functions. In: Biham, E., Youssef, A.M. (eds.) SAC 2006. LNCS, vol. 4356, pp. 358–375. Springer, Heidelberg (2007)
  24. Mironov, I.: Collision-Resistant No More: Hash-and-Sign Paradigm Revisited. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 140–156. Springer, Heidelberg (2006)
  25. Naito, Y., Wang, L., Ohta, K.: How to construct cryptosystems and hash functions in weakened random oracle models. Cryptology ePrint Archive, Report 2009/550 (2009)
  26. Naor, M., Yung, M.: Universal one-way hash functions and their cryptographic applications. In: Johnson, D.S. (ed.) STOC 1989, pp. 33–43. ACM Press, New York (1989)
  27. Numayama, A., Isshiki, T., Tanaka, K.: Security of Digital Signature Schemes in Weakened Random Oracle Models. In: Cramer, R. (ed.) PKC 2008. LNCS, vol. 4939, pp. 268–287. Springer, Heidelberg (2008)
  28. Pasini, S., Vaudenay, S.: Hash-and-Sign with Weak Hashing Made Secure. In: Pieprzyk, J., Ghodosi, H., Dawson, E. (eds.) ACISP 2007. LNCS, vol. 4586, pp. 338–354. Springer, Heidelberg (2007)
  29. Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM 21(2), 120–126 (1978)
  30. Rompel, J.: One-way functions are necessary and sufficient for secure signatures. In: Ortiz, H. (ed.) STOC 1990, pp. 387–394. ACM Press, New York (1990)
  31. Schnorr, C.P.: Efficient signature generation by smart cards. Journal of Cryptology 4(3), 161–174 (1991)
  32. Stevens, M., Lenstra, A.K., de Weger, B.: Chosen-Prefix Collisions for MD5 and Colliding X.509 Certificates for Different Identities. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 1–22. Springer, Heidelberg (2007)
  33. Stevens, M., Sotirov, A., Appelbaum, J., Lenstra, A., Molnar, D., Osvik, D.A., de Weger, B.: Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 55–69. Springer, Heidelberg (2009)
  34. Wang, X., Yin, Y.L., Yu, H.: Finding Collisions in the Full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005)
  35. Wang, X., Yu, H.: How to Break MD5 and Other Hash Functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005)
  36. Waters, B.: Efficient Identity-Based Encryption Without Random Oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005)

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Xiao Tan, Department of Computer Science, City University of Hong Kong, Hong Kong
  • Duncan S. Wong, Department of Computer Science, City University of Hong Kong, Hong Kong