lec08-F24.tex

% !TEX root = collection.tex

\chapter{Digital Signatures}

In this chapter, we will introduce the notion of a digital signature. At an intuitive level, a digital signature scheme helps providing authenticity of messages and ensuring non-repudiation. We will first define this primitive and then construct what is called as one-time secure digital signature scheme. An one-time digital signature satisfies a weaker security property when compared to digital signatures. We then introduce the concept of collision-resistant hash functions and then use this along with a one-time secure digital signature to give a construction of digital signature scheme.

\section{Definition}

A digital signature scheme is a tuple of three algorithms $(\Gen,\Sign,\Verify)$ with the following syntax:
\begin{enumerate}
\item $\Gen(1^n)\to (vk,sk)$: On input the message length (in unary) $1^n$, $\Gen$ outputs a secret signing key $sk$ and a public verification key $vk$.
\item $\Sign(sk, m) \to \sigma$: On input a secret key $sk$ and a message $m$ of length $n$, the $\Sign$ algorithm outputs a signature $\sigma$.
\item $\Verify(vk, m, \sigma) \to \{0,1\}$: On input the verification key $vk$, a message $m$ and a signature $\sigma$, the $\Verify$ algorithm outputs either $0$ or $1$.
\end{enumerate}

We require that the digital signature to satisfy the following correctness and security properties.\\
\medskip
\noindent\textbf{Correctness.} For the correctness of the scheme, we have that
$\forall m \in \bin^n$,
\[\Pr \left[ (vk,sk) \gets \Gen(1^n), \sigma \leftarrow \Sign(sk,m) : \Verify(vk, m, \sigma) = 1 \right] = 1.\]

\medskip
\noindent\textbf{Security.} Consider the following game between an adversary and a challenger
.

\begin{enumerate}
    \item The challenger first samples $(vk,sk) \gets \Gen(1^n)$. The challenger gives $vk$ to the adversary.
    \item \textbf{Signing Oracle.} The adversary is now given access to a signing oracle. When the adversary gives a query $m$ to the oracle, it gets back $\sigma \gets \Sign(sk,m)$.
    \item \textbf{Forgery.} The adversary outputs a message, signature pair $(m^*,\sigma^*)$ where $m^*$ is different from the queries that adversary has made to the signing oracle.
    \item The adversary wins the game if $\Verify(vk,m^*,\sigma^*) = 1$.
\end{enumerate}
We say that the digital signature scheme is secure if the probability that the adversary wins the game is $\negl(n)$.

\section{One-time Digital Signature}
\label{lampart}
An one-time digital signature has the same syntax and correctness requirement as that of a digital signature scheme except that in the security game the adversary is allowed to call the signing oracle only once (hence the name one-time). We will now give a construction of one-time signature scheme from the assumption that one-way functions exists.

Let $f: \bin^n \rightarrow \bin^n$ be a one-way function.
\begin{itemize}
\item $\Gen(1^n)$: On input the message length (in unary) $1^n$, $\Gen$ does the following:
\begin{enumerate}
    \item Chooses $x_{i,b} \gets \bin^n$ for each $i \in [n]$ and $b \in \bin$.
    \item Output $vk = \left[ \begin{array}{ccc}
f(x_{1,0}) & \ldots & f(x_{n,0}) \\
f(x_{1,1}) & \ldots & f(x_{n,1}) \\
\end{array} \right]$ and $sk = \left[ \begin{array}{ccc}
x_{1,0} & \ldots & x_{n,0} \\
x_{1,1} & \ldots & x_{n,1} \\
\end{array} \right]$
\end{enumerate}
\item $\Sign(sk, m)$: On input a secret key $sk$ and a message $m \in \bin^n$, the $\Sign$ algorithm outputs a signature $\sigma = x_{1,m_1}\|x_{2,m_2}\| \ldots \| x_{n,m_n}$.
\item $\Verify(vk, m, \sigma)$: On input the verification key $vk$, a message $m$ and a signature $\sigma$, the $\Verify$ algorithm does the following:
\begin{enumerate}
    \item Parse $\sigma = x_{1,m_1}\|x_{2,m_2}\| \ldots \| x_{n,m_n}$.
    \item Compute $vk'_{i,m_i} = f(x_{i,m_i})$ for each $i \in [n]$.
    \item Check if for each $i \in [n]$, $vk'_{i,m_i} = vk_{i,m_i}$. If all the checks pass, output 1. Else, output 0.
\end{enumerate}
\end{itemize}

Before we prove any security property, we first observe that this scheme is completely broken if we allow the adversary to ask for two signatures. This is because the adversary can query for the signatures on $0^n$ and $1^n$ respectively and the adversary gets the entire secret key. The adversary can then use this secret key to sign on any message and break the security. 

We will now argue the one-time security of this construction. Let $\adv$ be an adversary who breaks the security of our one-time digital signature scheme with non-negligible probability $\mu(n)$. We will now construct an adversary $\advb$ that breaks the one-wayness of $f$. $\advb$ receives a one-way function challenge $y$ and does the following:
\begin{enumerate}
    \item $\advb$ chooses $i^*$ uniformly at random from $[n]$ and $b^*$ uniformly at random from $\bin$.
    \item It sets $vk_{i^*,b^*} = y$
    \item For all $i \in [n]$ and $b \in \bin$ such that $(i,b) \neq (i^*,b^*)$, $\advb$ samples $x_{i,b} \gets \bin^n$. It computes $vk_{i,b} = f(x_{i,b})$.
    \item It sets $vk = \left[ \begin{array}{ccc}
vk_{1,0} & \ldots& vk_{n,0} \\
vk_{1,1} & \ldots& vk_{n,1} \\
\end{array} \right]$ and sends $vk$ to $\adv$.
\item $\adv$ now asks for a signing query on a message $m$. If $m_{i^*} = b^*$ then $\advb$ aborts and outputs a special symbol $\abort_1$. Otherwise, it uses it knowledge of $x_{i,b}$ for $(i,b) \neq (i^*,b^*)$ to output a signature on $m$.
\item $\adv$ outputs a valid forgery $(m^*,\sigma^*)$. If $m^*_{i^*} = m_{i^*}$ then $\advb$ aborts and outputs a special symbol $\abort_2$. If it does not abort, then it parses $\sigma^*$ as ${1,m_1}\|x_{2,m_2}\| \ldots \| x_{n,m_n}$ and outputs $x_{i^*,b^*}$ as the inverse of $y$.
\end{enumerate}
We first note that conditioned on $\advb$ not outputting $\abort_1$ or $\abort_2$, the probability that $\advb$ outputs a valid preimage of $y$ is $\mu(n)$. Now, probability $\advb$ does not output $\abort_1$ or $\abort_2$ is $1/2n$ (this is because $\abort_1$ is not output with probability $1/2$ and conditioned on not outputting $\abort_1$, $\abort_2$ is not output with probability $1/n$). Thus, $\advb$ outputs a valid preimage with probability $\mu(n)/2n$. This completes the proof of security.

We will now upgrade this one-time signature scheme to a full digital signature scheme. For this purpose, we can use either universal one-way hash functions or collision-resistant hash functions.

\section{Universal One-way Hash Function -- UOWHF}
We now introduce a universal one-way hash function (UOWHF). UOWHF is pronounced as ``woof''.
UOWHFs are stronger than universal hash functions but weaker than collision-resistant hash functions (CRHFs). 

All three primitives (universal hash functions, UOWHFs, and CRHFs) guarantee that an attacker cannot find two colliding inputs, but they differ in when the attacker must output their collision. Universal hash functions require the attacker to output both colliding inputs \textit{before} seeing the hash function's key. Collision-resistant hash functions allow the attacker to output both colliding inputs \textit{after} seeing the hash function's key. UOWHFs are in between: they require the attacker to output one colliding input before seeing the key and allow the attacker to output the second colliding input after seeing the key.

Universal hash functions can be constructed unconditionally, without computational assumptions. UOWHFs can be constructed from OWFs. Finally, the existence of collision-resistant hash functions is believed to be a stronger assumption than the existence of OWFs.

We now give a formal definition of universal one-way hash functions. 
\begin{definition}[Universal One-way Hash Function (UOWHF)]
    Let $\ell$: $\mathbb{N}\rightarrow\mathbb{N}$. A \textit{collection of functions} 
    $\mathcal{H} = \{h_s: \bit^*\rightarrow\bit^{\ell(|s|)}\}_{s\in\bit^{*}}$ is a universal one-way hash function if:
    \begin{enumerate}
        \item (Sampling): $\exists$ PPT machine $I$ that takes $1^n$ and samples $s$.
        \item (Easy to compute): $\exists$ a deterministic machine $M$ such that $M(s,x)=h_s(x)$.
        \item (Hard to find collisions): Given a PPT attacker $\mathcal{A}$, the probability that $\mathcal{A}$ wins the UOWHF game (given below) is negligible. 
        \[
            \Pr[UOWHF^{\mathcal{H}}_{\mathcal{A}}(n)=1]=\negl
        \]
    \end{enumerate}
\end{definition}
Where $UOWHF^{\mathcal{H}}_{\mathcal{A}}$ is the following game:
\begin{enumerate}
    \item $(state, x)\leftarrow\mathcal{A}(1^n)$.
    \item $s\leftarrow I(1^n)$.
    \item $y\leftarrow\mathcal{A}(state, s)$
    \item Output $1$ if $x \neq y$ and $h_s(x)=h_s(y)$. Output $0$ otherwise.
\end{enumerate}


\subsection{Construction}
We construct a UOWHF from a one-way permutation in several steps, starting with a length-restricted notion, called a $(d,r)$-UOWHF, and relaxing the restriction gradually. 

\begin{definition}[$(d,r)$-UOWHFs]
Let $d,r$: $\mathbb{N}\rightarrow\mathbb{N}$ such that $d(n) > r(n)$ for all $n \in \mathbb{N}$. A $(d,r)$-UOWHF is a collection of functions $\mathcal{H} = \{h_s: \bit^{d(|s|)}\rightarrow\bit^{r(|s|)}\}_{s\in\bit^{*}}$ that satisfies the conditions of a UOWHF.
\end{definition}

The construction of a UOWHF from a OWP proceeds in the following 4 steps.

\noindent\textbf{Step I: $(d, d-1)$-UOWHFs}.
We construct a UOWHF that takes an input of arbitrary length and truncates its length by 1. 
\begin{construction}\label{construction-1}
    Let $f$: $\bit^{d}\rightarrow\bit^{d}$ be a one-way permutation, and $a,b\in GF(2^d)$. We construct $\mathcal{H}^{d, d-1} = \{h_s: \bit^{d}\rightarrow\bit^{d-1}\}_{s \in \bit^*}$ as follows: 
    \[
        h_{s=(a,b)}(x)=chop(a\cdot f(x)+b)
    \]
    where $chop(\cdot)$ is the function that removes the first bit of a given bit string. 
\end{construction}

\begin{claim}
    The $\mathcal{H}^{d, d-1}$ given in construction \ref{construction-1} is a $(d,d-1)$-UOWHF.
\end{claim} 

\begin{proof}
    We prove this by contradiction. If an adversary $\mathcal{A}$ can break the UOWHF security of $\mathcal{H}^{d, d-1}$, then we can construct an adversary $\mathcal{B}$ that breaks the OWP security of $f$. 

    \begin{enumerate}
        \item $\mathcal{B}$ receives from its challenger a value $y = f(x^*)$ for a uniformly random $x^* \in \bit^d$.
        \item $\mathcal{B}$ runs $\mathcal{A}$ internally. $\cA$ outputs the first preimage $x_0$.
        \item $\mathcal{B}$ computes a value of $s=(a,b)$ such that 
        \[a \cdot y + b = a \cdot f(x_0) + b + (1 || 0^{d-1})\] 
        In other words $h_s(x^*) = h_s(x_0)$. Then $\cB$ sends $s$ to $\cA$.
        \item Finally, $\mathcal{A}$ outputs $x_1$, which $\cB$ outputs as its guess for $x^*$. 
    \end{enumerate} 
    
    Every output of $h$ has exactly two pre-images. This is because the mapping $x \to a \cdot f(x) + b$ is one-to-one (as long as $a \neq 0$), and the mapping $y \to chop(y)$ is two-to-one.

    The only two preimages of $h_s(x^*)$ are $x^*$ and $x_0$ (assuming that $x^* \neq x_0$, which is true with overwhelming probability). In order to break UOWHF security, $\cA$ must output a preimage $x_1$ of $h_s(x_0)$ that is different from $x_0$. The only correct answer that $\cA$ can give is $x_1 = x^*$. If $x_1 = x^*$, then $\cB$ wins the OWP security game.
\end{proof}
\vspace{5mm}

\noindent\textbf{Step II: $(2n, n)$-UOWHFs}.
Now we construct length-restricted UOWHFs that shrink their input by a factor of 2.

\begin{construction}\label{construction-2}
    For any given $d \in \{n, \dots, 2n\}$, let $\mathcal{H}^{d, d-1} = \{h_s^{d, d-1}: \bit^{d}\rightarrow\bit^{d-1}\}_{s\in\bit^{*}}$ be a $(d, d-1)$-UOWHF. For a given $n$, we construct $\mathcal{H}^{2n, n} = \{H^{2n, n}_{s_1\cdots s_n}:\bit^{2n}\rightarrow\bit^{n}\}_{s \in \bit^*}$ as follows:
    \[
        H^{2n, n}_{s_1\cdots s_n}=h_{s_1}^{n+1,n}(h_{s_2}^{n+2,n+1}(\cdots h_{s_n}^{2n,2n-1}(x))\cdots)
    \]
\end{construction}

\begin{claim}
    The $\mathcal{H}^{2n, n}$ constructed in construction \ref{construction-2} is a $(2n, n)$-UOWHF.
\end{claim}
\begin{proof}
    We will show that if we have an attacker $\mathcal{A}$ that can break the UOWHF security of $H$, then we can construct an attacker $\mathcal{B}$ that can break the UOWHF security of $h$. The intuition is that the attacker $\mathcal{B}$ can randomly inject the challenge $s$ into a random layer of $H$, and $\mathcal{A}$ will, with non-negligible probability, find a collision in that layer.

    Let $H_{partial}^i$ compute the first $i$ layers of $H$. For any given $i \in [n]$ and $x \in \bit^{2n}$:
    \[H_{partial}^i(x) = h_{s_{n-i+1}}^{2n-i+1, 2n-i}( \dots h_{s_n}^{2n, 2n-1}(x) \dots )\]

    Formally we define the procedure of $\mathcal{B}$:
    \begin{enumerate}
        \item Sample $i \getsr [n]$.
        \item $\forall i'\neq i$, sample $s_{i'}$.
        \item Receive $x_0$ from $\mathcal{A}$.
        \item Compute $x_0' = H_{partial}^{i-1}(x_0)$, which is the input of $i$-th layer.
        \item Output $x_0'$ to the challenger.
        \item Receive $s$ from the challenger, and set $s_i = s$. Then send $(s_1,\dots,s_n)$ to $\mathcal{A}$.
        \item Receive $x_1$ from $\mathcal{A}$.
        \item Compute $x_1' = H_{partial}^{i-1}(x_1)$ and output it to the challenger.
    \end{enumerate}

If $\mathcal{A}$ can find two distinct inputs $x_0$ and $x_1$ that collide in $H$, then there must exist some layer $i^* \in [n]$ such that $H_{partial}^{i^*-1}(x_0) \neq H_{partial}^{i^*-1}(x_1)$, but $H_{partial}^{i^*}(x_0) = H_{partial}^{i^*}(x_1)$. That means $H_{partial}^{i^*-1}(x_0)$ and $H_{partial}^{i^*-1}(x_1)$ represent a collision in $h_{s_{n-i^*+1}}^{2n-i^*+1, 2n-i^*}$, the $i^*$-th layer of $H$. 

Furthermore, the index $i^*$ at which the collision occurs will, with probability $= 1/n$, be the $i$-value sampled by $\cB$. This is because $\cA$ has no information about which $i$-value $\cB$ sampled, so $i$ is uniformly random and independent of $i^*$.

Then $\Pr[\cB \text{ finds a collision in } h] \geq \frac{1}{n} \cdot \Pr[\cA \text{ finds a collision in } H]$. If $\cA$'s success probability is non-negligible, then so is $\cB$'s success probability. 
\end{proof}
\vspace{5mm}

\noindent\textbf{Step III: UOWHF that shrinks any input by a factor of two}.
Let us define a $(2{*}, {*})$-UOWHF to be a hash function that takes inputs $x$ of arbitrary length, outputs a string that is half the length of the input, and satisfies the conditions of a UOWHF.

\begin{construction}[a $(2{*}, {*})$-UOWHF]
    For a given $n$, let $\mathcal{H}^{2n, n} = \{h_s:\bit^{2n}\rightarrow\bit^{n}\}_{s\in\bit^{*}}$ be a $(2n, n)-UOWHF$. Then we construct a function $H_s:\bit^{2*} \to \bit^*$ as follows. 
    
    For any $x \in \bit^*$, let us split it into chunks: $x=x_1 || \dots || x_t$ where $|x_i|=2n$ for $i=1,\dots,t-1$, and $0\leq|x_t|\leq 2n$. Then
    \[
    \text{let } H_s(x)=h_s(x_1)\cdots h_s(x_{t}10^{2n-|x_t|-1})
    \]
    Finally, let $\mathcal{H}^{2*, *} = \{H_s\}_{s \in \bit^*}$.
\end{construction}
Note that we reuse the same $s$ for every component of the output $h_s(x_i)$, which is an important gain in efficiency.

\begin{claim}
    $\mathcal{H}^{2*, *}$ is a $(2{*}, {*})$-UOWHF.
\end{claim}
\begin{proof}
If there is an adversary $\mathcal{A}$ that can create a collision, $x^0$ and $x^1$, in $H$, then we can construct an adversary $\mathcal{B}$ that can create a collision in $h$. The construction of $\mathcal{B}$ is as follows:
\begin{enumerate}
    \item Run $\mathcal{A}$ until it outputs $x^0$. Compute $t = \lceil\frac{|x^0|}{2n}\rceil$.
    \item Sample $i \getsr [t]$. Then output $x'^0 = x^0_{i}$ to the challenger.
    \item Receive seed $s$ from the challenger and send $s$ to $\mathcal{A}$.
    \item Run $\mathcal{A}$ until it outputs $x^1$. Then output $x'^1 = x^1_{i}$.
\end{enumerate}

If $\mathcal{A}$ breaks the UOWHF security of $H$, then with non-negligible probability, it outputs an $x^0$ and $x^1$ such that $x^0 \neq x^1$ but $h_s(x^0_{i'})=h_s(x^1_{i'})$ for every $i' \in [t]$. If $x^0 \neq x^1$, then there is at least one component $i^* \in [t]$ for which $x^0_{i^*} \neq x^1_{i^*}$. With probability $\geq \frac{1}{t}$, $\mathcal{B}$ will sample an $i \in [t]$ such that $x^0_{i} \neq x^1_{i}$.
\end{proof}
\vspace{5mm}

\noindent\textbf{Step IV: Full-Fledged UOWHFs}. 
\begin{construction}[(a UOWHF)]
Let $\mathcal{H}^{2*, *} = \{h_s:\bit^{*}\rightarrow\bit^{*}\}_{s\in\bit^{*}}$ be a $(2*, *)$-UOWHF. Then for any $(s_1,\cdots,s_n) \in \bit^*$, any $n, t\in\mathbb{N}$ and $x\in\bit^{2^t\cdot n}$, we define
\[
    H_{s_1,\dots,s_n}(x)=(t,h_{s_t}(\cdots(h_{s_2}(h_{s_1}(x)))\cdots))
\]
Also let $\mathcal{H} = \{H_s\}_{s \in \bit^*}$.
\end{construction}
\begin{claim}
    $\mathcal{H}$ is a secure UOWHF.
\end{claim}
The proof is similar to the one in Step II.\\