Proxy Cryptography with Post-Quantum PFDH

Telechargé par Mohamadou Sadio Diébakaté
Proxy Cryptography with Post-Quantum
Probabilistic Full Domain Hash
Bacar NOURDINE, Mouhamed Lamine MBAYE, and Demba SOW
Universit´e Cheikh Anta Diop de Dakar, Facult´e des Sciences et Techniques,
Abstract. Proxy cryptography is a valuable tool in signature schemes,
enabling a user to delegate signing capabilities to another entity in a
controlled manner. Proxy functions can transform a standard signature
scheme into a unidirectional variant, where the security of the resulting
construction is directly linked to that of the base scheme. Our scheme
introduces a random salt for each signing process and incorporates it into
the computation of the encryption exponent. The construction achieves
a tighter security reduction in the random oracle model, under the as-
sumption that inverting RSA remains hard.
While the scheme inherits the limitations of RSA with respect to Shor’s
algorithm, it strengthens practical security in pre-quantum and transi-
tional environments. We show how the unidirectional proxy function can
be applied to the enhanced pqPFDH to obtain a generic unidirectional
signature scheme that is existentially unforgeable under chosen message
attacks (UF-CMA).
Keywords: Signature scheme proxy function Full Domain Hash
post-quantum RSA security reduction Chosen Message Attack
1 Introduction
One of the fundamental roles that cryptography plays in the security of data
transmission lies in the digital signature process which guarantees authentica-
tion, data integrity and non-repudiation. Since the discovery of the RSA signing
system [25], research in this area has steadily increased and has generally led to
the establishment of signing techniques with significant advantages in terms of
functionality. In this context, Bellare and Rogaway have developed a process for
constructing signature schemes whose security is relative to that of the RSA. In
1993, they introduced the Full Domain Hash signature scheme and the Proba-
bilistic Signature Scheme [5] which were proven secure against chosen message
attack in the random oracle model [4] assuming that inverting RSA is hard.
The gap in this eminent work is that the security tightness of the FDH signa-
ture scheme can be enhanced. Then, it was revisited by other cryptographers
like Coron [10,11], in order to strengthen the tightness security by exhibiting
different proof which provides tighter security reduction. Thus, research efforts
directed towards the establishment of secure signature schemes remain more es-
sential than ever and further contribute to confirming the preponderant role that
2 Bacar NOURDINE, Mouhamed Lamine MBAYE, and Demba SOW
cryptography plays in the process of securing data and information.
Another method of producing secure signatures is to use the notion of atomic
proxy cryptography introduced in 1998 by Matt Blazz and Martin Strauss [1,2].
They highlighted the notion of proxy functions which are tools to convert a valid
signature for one key into another valid for another key without disclosing the
secret signature keys. This signing technical was first explained by Mambo, et
al., in 1996 [22], and allows for delegating signature rights which is an idea that
is the subject of several types of research [6,19,20,21]. It’s true that the objec-
tive of these seminal works can differ in terms of primitive construction but the
base always remains threshold cryptography which is still a very well updated
research field. This is illustrated by the fact that a project to drive an effort to
standardize threshold schemes for cryptographic primitives has been established
by the Computer Security Division at the National Institute of Standards and
Technology (NIST) [26]. But, in this work, we use the notion of unidirectional
proxy function [16] which is a category of proxy functions that allow one user
to generate signature corresponding to the secret key of another user even if the
first user doesn’t hold the secret key.
Another RSA-based signature scheme called post-quantum Probabilistic Full
Domain Hash (pqPFDH) [23] is a main idea in this work. It’s a variant of the
Full domain Hash signature scheme with a random generated for each signature
process. Its security, relatively close to that of RSA, was proven in the random
oracle model. In the security proof, it is assumed that the hash function used is
ideal and the RSA trapdoor permutation holds.
The goal, in this paper, is to construct the unidirectional version of pqPFDH
which is proven secure in the random oracle model. The security is not only
guaranteed against any user Ubut also against the proxy Pand the user F
that hold two secret parts delegated by Ufrom its private key so that they can
securely sign on behalf of him. This feature allows Fand Pto cooperate and
generate signatures corresponding to the secret key of Ubut they can’t perform
this functionality without collaboration. This construction can be very important
in the functioning of administrations. Indeed, an agent may be called upon to
sign important transactions without being bound by the required secrecy. It’s a
good idea that the owner of the secret can delegate his signing rights by giving
a proxy key to this representative without the risk of compromising security.
To prove the security of signature scheme against the proxy P, the users
Fand U, we generally proceeds by demonstrating that, if a polynomial-time
adversary Acan break the signature scheme, it can be used by a reduction
algorithm Rto invert in polynomial time some related one-way-function. Given
an attacker Awhich can break the signature in time τAwith success probability
at least εAfor the reduction proof, Rmust simulate the environment of A
and solve the problem (invert the one way function) with time τRτAand
success probability εRεA. For tightness of the reduction, it is required to
have εRεAand τRτA+polynom(k), where kis a security parameter.
The paper is structured as follows. The next section describes some previous
works on signature scheme based on RSA and their security. It also includes some
Proxy Cryptography with Post-Quantum Probabilistic Full Domain Hash 3
terms on the notion of threshold cryptography and particularly the concept of
proxy cryptography. In section 3, we present some preliminaries which help to
understand the rest of the paper (security model in 3.1, signature scheme in
3.2, unidirectional signature proxy function in 3.3 , unidirectional generic signa-
ture scheme in 3.4 and post-quantum RSA problem 3.5). Section 4 prescribes
the pqPFDH scheme which is a post-quantum version of the PFDH signature
scheme with a generated random allowing to compute the RSA exponent for
each signature process. In section 5, we produce the unidirectional version of the
pqPFDH signature scheme and a proof of security on this construction.
2 Related works
In order to strengthen the basic RSA signature, Bellare and Rogaway proposed
in [5] the Full Domain Hash signature scheme. Assuming that the used hash
function is ideal, they proved that their scheme is secure against chosen message
attack in the random oracle model [4]. If fis a trapdoor permutation and RO
is a random function from {0,1}to the domain of f, they proved that sign-
ing a message mvia f1(RO(m)) is secure and proposed a security reduction
for RSA-FDH where the reduction algorithm Rwill provide a perfect simu-
lation and (εR, τR)-solves RSA trapdoor permutation with success probability
εRεA
qh+qsig +1 and time bound τRτA+ (qh+qsig + 1)polynom(k), where
qhand qsig) are respectively the number of hash queries and signature queries
made by the attacker.
To improve the tightness of RSA-FDH, in 2002, Coron in [10], proposed a
security reduction where the reduction algorithm Rwill provide a perfect sim-
ulation and (εR, τR)-solves RSA trapdoor permutation with success probability
εR=εA
exp(1)qsig and time bound τR=τA+ (qh+qsig + 1)O(k3), where qh(re-
spectively qsig) is the number of queries made by the attacker to the oracle hash
(respectively to the oracle signature).
Coron studied also the tightness of probabilistic FDH (PFDH briefly) in [11],
and proposed a tight security reduction where the reduction algorithm Rwill
provide a perfect simulation and (εR, τR)-solves RSA trapdoor permutation with
success probability εR=εA
(1 + 6qsig
2k0)and time bound τR=τA+(qh+qsig)O(k3)
where qh(respectively qsig) is the number of queries made by the attacker to
the oracle hash (respectively to the oracle signature).
In 2001, in the case of proxy cryptography, Bellare and Sandhu proposed in
[6] the two-party RSA signautre scheme which allows a client and a server, each
holding a shared secret, to collaborate and compute an RSA signature under the
corresponding public key. In this same year, H. Kim et la. applied in [19] proxy
signature scheme to the mobile agent system to enhance security and efficiency.
4 Bacar NOURDINE, Mouhamed Lamine MBAYE, and Demba SOW
Here, a customer generates delegation key pair and allows the server to sign with
it on behalf of him.
In 2002, Dodis and Reyzin in [12], generalizing Coron’s work, showed that a
similar result holds for any trapdoor permutation induced by a family of claw-
free permutations. They proved that a tight security reduction is impossible for
RSA-FDH, RSA-PFDH, and PSS-R with small random. Moreover, they showed
that, this cases, for any signature scheme outputs sign(m) = f1(RO(m))or
signr(m) = f1(RO(m, r)), r, where f1is the inverse of the trapdoor per-
mutation, mis the message and ris a random, if the scheme is to be analyzed
with a general ”black-box” trapdoor permutation f.
In 2005, Dodis, Reyzin and Pietrzak in [13], using previous work of Dodis
and al., proved that one can’t hope to prove sign(m) = f1(RO(m))secure
under any assumption which is satisfied by random permutations. Pietrzak tells
that their work does not mean that RSA-FDH with SHA1 is insecure, but it is
just impossible to prove it (with a tight security reduction).
In 2009, B´egueline and Gr´egoire in [3] used a general framework called Cer-
tiCrypt, allowing to formalize exact security proofs of cryptographic systems in
the computational model, to prove the existential unforgeability under adaptive
chosen-message attacks of the FDH and PFDH.
In 2011, Boneh et al. in [7] proved that FDH and PFDH signature schemes
with preimage sampleable Trapdoor Functions has a history-free reduction. This
means that their security in the classical random oracle model implies their secu-
rity the quantum accessible random oracle model. They also proved the quantum
security of a variant of FDH due to Katz and Wang [17] which has tight security
reduction.
In 2018, Kiltz and Kakvi in [18] revisited Coron’s work and contradict the
fact tat Coron said that the security loss of qSin the proof of FDH is optimal
and cannot possibly be improved. They showed tat it only holds if the under-
lying trapdoor permutation is certified. They also use a stronger assumption
called Phi-Hiding assumption introduced by Cachin et al. [8] to give a new tight
security reduction of the FDH signature scheme.
In 2020, Yan Hue et al. proposed in [15] a signature scheme called the Easy
Simple Factoring-based (ESF) signature scheme proven secure in the random
oracle model. Compared to the FDH, their scheme has a more powerful efficiency
performance in signing and verifying algorithms in the case that public keys are
fixed to small bit lengths.
In 2022, M. L. Mbaye et al. proposed in [23] a signature scheme called
pqPFDH based on the post quamtum RSA principle. The idea here is to make
algorithms that we can use to sign and verify messages in a quantum area.
Proxy Cryptography with Post-Quantum Probabilistic Full Domain Hash 5
3 Preliminaries
In this section, we recall some definitions and known results about signatures.
Definitions, basic notations and classical results are followed in ”Introduction to
Modern Cryptography” [17] of Katz and Lindell, and in ”Provable Security for
Public Key Schemes” of Pointcheval [24].
3.1 Security model
Random Oracle Model: For any constant k, a random oracle is a function Frand
selected randomly in the set Fkof functions from {0,1}to {0,1}k.
Proof in the Random Oracle Model: Proof in the Random Oracle Model is de-
scribed in [4] and [9].
Suppose that the hash function is a random function i.e in the simulation
process, the hash function is replaced by a random oracle which outputs a
random value for each new input.
The only way to compute the hash function is to query the oracle hash.
The reduction algorithm Rmust simulate the environment of the attacker
Awith her public key only.
When the attacker Arequests the oracle hash, the reduction algorithm Rcan
choose the random to return as digest; hence Ris able to embed the challenge
(any information which able Rto invert the related one way function at the
end of the game) of his choice in the answer of a hash oracle query to A.
At the end of the simulation, if the attacker Aoutputs a valid forgery (which
be never returned by the oracle signature) then Rmust be able to invert the
related one-way function with good tightness.
3.2 Signature scheme
A Randomized signature scheme is a tuple of three algorithms S= (KG,SIG,VER)
described by as follows:
Key Generation algorithm(KG): with input a security parameter k, the KG
algorithm outputs a pair of keys (pubkey, seckey).
Signature algorithm (SIG):
- with input a security parameter k, the signing algorithm produces a random
r.
- with input (seckey , m, r), the SIG outputs a signature σ.
Verification algorithm (VER): with input (m, σ, pubkey ), the VER algorithm
returns 1 if the signature is valid, and 0 otherwise.
1 / 13 100%
La catégorie de ce document est-elle correcte?
Merci pour votre participation!

Faire une suggestion

Avez-vous trouvé des erreurs dans l'interface ou les textes ? Ou savez-vous comment améliorer l'interface utilisateur de StudyLib ? N'hésitez pas à envoyer vos suggestions. C'est très important pour nous!