Security Model

We adopt the security model proposed by Neven [Nev08] for sequential aggregate signatures. Moreover, we examine our lattice-based construction in a slightly dif-ferent setting that is build upon a stronger security assumption ExpSSAS−SU−CM A

and subsumes the former ones [Nev08, LMRS04]. Usually, a sequential aggregate signature scheme is considered to be secure, if it is infeasible to provide existential forgeries of a sequential aggregate signature. The core idea behind these security models is to let the forgerFcontrol the private keys and sequential aggregate signa-tures of all but at least one honest signer. Thus, the forger is allowed to select the public keys of the fake signers. Neven introduces the notion of a sequential forger S that can be built from a forger F with about the same success probability and running time [Nev08, Lemma 5.3]. Therefore, it is more convenient to consider a se-quential forger in our proof of security. The way the sese-quential forger is constructed out of F can directly be transferred to our setting with some minor changes. The properties of a sequential forger are as follows:

1. Any input to the random oracles H(·) and G_f·(·) is queried once, where f· denotes any preimage sampleable trapdoor function. The signing oracle OAggSign is also queried once for the same input.

2. Each input Qn to H(·) parses as Qn = (# »

fAk,m#»k,#»αk−1, σk−1) such that log₂(Rni)> l holds for 1≤i≤k and k≤kmax.

3. Before any queryQk= (# »

fAk,m# »k,#»αk−1, σk−1) toH(·) forn >1, the sequential forger must have made queries Q_i to H(·) for 1 ≤ i < k ≤ k_max such that dec_fA

i(α_i, f_Ai(σ_i)−G_fA

i(h_i)) =σi−1 forh_i=hi−1⊕H(Q_i).

4. Preceding any signing query OAggSign(T^∗, m_k,Σk−1) the sequential forger must have made the necessary H(·) and G_f·(·) queries in advance with due regard to Property 3. Furthermore, the input query Σk−1 must be valid such that verification algorithm AggVerify(Σk−1) does not fail.

8. Sequential Aggregate Signatures

5. Forgeries output by S must be valid and include the challenge public key at some index i such that fAi = fA^∗ for 1 ≤ i ≤ k ≤ kmax. We explicitly allow S to output forgeries on data Σi−1 that has been signed by the signing oracle. The only required restriction is that the signing oracle responses and the forgery must differ on the same input.

According to an adaptive chosen-message attack we permit S to make arbitrary many sequential aggregate signature queries to the honest signer on messages of its choice. The advantageAdvAggSign^∗_S of S is the success probability in the following experiments.

Setup

The key generation algorithm is invoked in order to produce the challenge key pair (T^∗,A^∗). The challenge key fA^∗ is then handed over to the sequential aggregate forger S.

Queries

The adversary S has access to the signing oracle OAggSign(T^∗,∗,∗). S acts adaptively and provides to the signing oracle a message mi to be signed, a sequential aggregate signature σi−1 on a sequence of messages m₁, . . . , mi−1

and data α1, . . . , αi−1 under public keys fA1, . . . , fAi−1. The oracle returns an aggregate signature under the challenge public key fA^∗. Furthermore, we allowS to have random oracle access to some random functions as required in the random oracle model.

Response

S eventually outputs a sequential aggregate signature σ_k on k distinct pub-lic keys f_A1, . . . , f_Ak, where one of them corresponds to the challenge key.

Moreover,S outputskmessagesm1, . . . , mk, each corresponding to one public key.

The forger wins the game ExpSSAS−EU−CM A

A,SAS (n), if he succeeds in outputting a non-trivial valid sequential signature on a sequence ofkmessagesm₁, . . . , m_kunder k distinct public keys fA1, . . . , fA_k containing the challenge public key fAi = fA∗

at some indexi. A valid signature is said to be non-trivial, whenS has never made a query to the signing oracle on messages m₁, . . . , m_i and public keysf_A1, . . . , f_Ai before, or he is able to output a forgery that differs from the received signing oracle responses. In the latter case we even allow the forger to use already signed mes-sages to output a forgery as opposed to the security models from [Nev08, LMRS04]

focusing on trapdoor permutations. This security notion reflects the strong sequen-tial aggregate signature unforgeability (SAS-SU-CMA), which can be formalized as follows.

8. Sequential Aggregate Signatures Experiment Exp^SSAS−SU_A,SAS ^{−CM A}(n)

(T^∗,A^∗)←−KeyGen(1ⁿ) Σ = (# »

f_Ai,m# »_i,α#»_i, σ_i, h_i)←− A^{OAggSign(T∗,∗,∗)}(f_A^∗) Letf_Ai =f_A^∗ be the challenge public key in # »

f_Ai = (f_A1, . . . , f_Ai) and m# »i = (m1, . . . , mi)

Let ((f_A^∗, m_l,Σl−1),Σ_l)^Q_l=1^AS be query-response tuples of OAggSign(T^∗,∗,∗) Return 1 ifAggVerify(Σ) = (# »

fAi, m#»i) and Σ∈ {Σ/ _l}^Q_l=1^AS

The adversary is said to be successful in this experiment if he efficiently provides a valid sequential aggregate signature with non-negligible advantage.

8.2.1. Security of our Construction

A collision-finding algorithmA is said to (t⁰, ⁰)-break a collision-resistant preimage sampleable trapdoor function family (PSTF) if it has running time t⁰ and outputs a collision with probability

P r[fB(x1) =fB(x2) |(B,T)←TrapGen(1ⁿ), (x1, x2)← A(f_B)]

of at least ⁰.

Proposition 8.3. If there exists a sequential forger S that (t, q_S, q_H, q_G, k_max, )-breaks SAS, then there exists a collision-finding algorithm A that (t⁰, ⁰)-breaks the collision-resistant PSTF for

⁰≥·(1−q_H(q_H +q_G)

2^l )− q_H 2^ω(logn) t⁰≤t+ (qH +kmax)·tf·+qH ·tSampleDom.

Proof : By contradiction, we assume that there exists a successful sequential forger S that breaks the SAS with non-negligible probability . Using S, we con-struct a poly-time algorithm A that finds a collision in the collision-resistant trap-door function f_Ai : B_ni −→ R_ni with probability negligibly close to . Given the challenge public keyA^∗of the trapdoor functionfA^∗,ArunsSon public keyA^∗with f_A^∗ :Bn−→Rn and simulates the environment as follows:

Setup : At the beginning of this game algorithmA sets up the empty lists HT[∗]

and GT[∗,∗].

H-Random oracle query H(Qi): After parsing the inputQias (# »

fAi, m#»i,#»αi−1, σi−1), A checks the indexi. If i= 1, A setsh₀ ←0ⁿ. In casei >1, following Prop-erty 3 of a sequential forger there exists a unique sequence of random oracle queriesQ1, . . . , Qi−1 with table entryH(Qi−1) = (σi−1, hi−1).

If the public keyf_Ai does not correspond to the challenge public keyf_A^∗, then A continues as follows:

8. Sequential Aggregate Signatures

• h←_R{0,1}^l, h_i =h⊕hi−1 and setsHT[Q_i]←(⊥, h_i).

Otherwise, if fAi =fA^∗, thenAperforms the following tasks:

• h←_R{0,1}^l, hi =h⊕hi−1

• (αi, βi)←enc_fA

i(σi−1)

• σi ← SampleDom(1ⁿ) and compute g←f_A^∗(σi)−βi ∈Rni, sinceRni is additive.

(By Property 1 of PSTFs according to Section 6.1.1,fA^∗(σi)∼ U(Rni)) If G_fA∗(hi) has not been defined, he sets G[fA^∗, hi] ← g, HT[Qi] ← (σ_i, h_i) and outputsh toS, otherwise BAD₁ occured andA aborts.

G-Random oracle query 1 G_fA

i(h): On input f_Ai and h algorithm A checks the entryGT[fAi, h]. If it is not defined, it selectsg←_RRni uniformly at random, setsGT[f_Ai, h] =g and returns g toS. By Property 1 of a sequential forger it does not make the same query again.

Sequential signing query OAggSign(T^∗, m_i,Σi−1): A extracts the values # » f_Ai−1, m#»i−1, #»αi−1, σi−1, hi−1 from Σi−1. As per Property 4 he finds a non-empty entry HT[Qi−1] = (σ_i, h_i) with Qi−1= (# »

f_Ai−1 |f_A^∗, m#»i−1 |m_i, α#»i−1, σi−1).

Then Areturns Σ_i= (# »

f_Ai, m#»_i, #»α_i, σ_i, h_i) with (α_i, β_i)←enc_fA

i(σi−1) Finally, the forger S outputs a valid forgery Σ⁰_k = (# »

f_Ak, m#»_k, #»α_k, σ_k) with proba-bilityas per property 5. Since Σ⁰_kis valid, we haveAggVerify(Σ⁰_k) = (# »

fA_k,m#»k) and

# »

f_Ak includes the challenge public key f_Ai = f_A^∗ at index 1 ≤ i ≤ k. During the execution of AggVerify(Σ⁰_k) we get m_i and Σ⁰_i containing σ_i⁰. A proceeds as follows in order to obtain a collision. We now have to differ two cases:

1. If S already made a signature query on (m_i,Σi−1), it received back Σ_i con-taining the signature σ^∗. Since Σ⁰_k is a forgery, we have σ_i⁰ 6= σ^∗ such that f_A^∗(σ_i⁰) =f_A^∗(σ^∗)

2. In the case, S did not request a signature on (mi,Σi−1) from the signing oracle, by Property 4 there exists an entry HT[Qi−1] = (σ^∗, h_i) with σ^∗ ←−

SampleDom(1ⁿ) and GT[fA^∗, hi] = gi such that fA^∗(σ^∗) = gi+βi = fAi(σ_i⁰) and h = hi⊕hi−1 is returned to S. If σ^∗ = σ_i⁰, then BAD2 occured and A aborts.

In both cases A found a collision in f_A^∗ (which is infeasible due to Property 4 of trapdoor functions from Section 6.1.1).

8. Sequential Aggregate Signatures

Analysis and security:

We define by ¬BAD_i the event that BAD_i does not occur. S’s environment is perfectly simulated as in the real system, when the eventsBAD1 andBAD2 do not occur. Thus, we have

P[S ouputs forgery| ¬BAD₁∧ ¬BAD2] = .

A wins the game when S succeeds in providing a valid forgery and the events BAD1 and BAD2 do not happen. Therefore, we need to estimate an upper bound for the probability of a successful forger:

P[A wins] = ·P[¬BAD₁]−P[BAD2]. P[A wins] = P[S outp. forgery∧ ¬BAD₁∧ ¬BAD₂]

= P[S outp. forgery| ¬BAD₁∧ ¬BAD₂]·P[¬BAD₁∧ ¬BAD₂]

= P[S outp. forgery| ¬BAD₁∧ ¬BAD₂]·(1−P[BAD1∨BAD2])

≥ P[S outp. forgery| ¬BAD₁∧ ¬BAD₂]·(1−X

i

P[BADi])

= P[S outp. forgery| ¬BAD₁∧ ¬BAD₂]·(P[¬BAD₁]−P[BAD₂])

≥ P[S outp. forgery| ¬BAD₁∧ ¬BAD₂]·P[¬BAD₁]−P[BAD₂]

= ·P[¬BAD₁]−P[BAD₂]

The event BAD1 occurs when algorithm A chooses a fresh random value h←_R{0,1}^l in the H-Random oracle query step and attempts to set a table entry GT[∗, h_k] that is already defined, whereh_k=h⊕h_k−1. The probability of this event is

P[BAD1] = |GT|

2^l ≤ qH(qH+qG) 2^l

where the last term follows by summation over all H-queries to the simulation.

The eventBAD2 occurs when the forger S outputs a valid forgery σ_i⁰ that is equal to the corresponding table entry HT(Qi−1) = (σ^∗,∗). Based on the conditional min-entropy property of σ^∗ given f_A^∗(σ^∗) the probability ofBAD₂ to happen is

P[BAD2]≤ q_H 2^ω(logn), which is negligible. Therefore, we obtain

⁰≥·(1− q_H(q_H+q_G)

2^l )− q_H 2^ω(logn).

We derive an upper bound for the running time of S taking into account only function evaluations and invocations of SampleDom. Each verification requires at most k_max function evaluations. Invoking H(·) implies at most one execution of

8. Sequential Aggregate Signatures

SampleDom and two function evaluations, thereof one evaluation to identify the sequence Qk−1, . . . , Q1. Therefore, the running time is upper bounded by:

t⁰ ≤t+ (2q_H+k_max)·t_f +q_H·t_SampleDom.

Proposition 8.4. The proposed sequential aggregate signature scheme is strongly existentially unforgeable under chosen-message attack.

Proof. By Proposition 8.3 finding collisions for preimage sampleable trapdoor functions can be reduced to the hardness of forging sequential aggregate signatures in the SAS described above. The authors of [GPV08] give the corresponding algo-rithms of how to instantiate preimage sampleable trapdoor functions by means of lattices satisfying the required properties and show by [GPV08, Theorem 5.9] that the task of finding collisions is as hard as solving SIS_q,n,2s^√_m.

The security proof of the unstateful probabilistic FDH scheme is almost identical to the stateful one. One notices, that the extended messagem||rto be signed always differs for repeated request queries on the same message m due to the random salt r. As in Proposition 8.4 one reduces collision-resistance to the unforgeability of sequential aggregate signatures.

Im Dokument On the Design and Improvement of Lattice-based Cryptosystems (Seite 169-174)