
Key exposure free chameleon hash schemes based on discrete logarithm problem

Authors


Correspondence: Seongan Lim, Institute of Mathematical Sciences, Ewha Womans University, Seoul, South Korea.

E-mail: seongannym@ewha.ac.kr

ABSTRACT

A chameleon hash scheme is a trapdoor collision-resistant hash scheme, and it provides many interesting features in signature schemes with hash-and-sign construction. In this paper, we introduce the notion of key exposure threshold τ for a chameleon hash scheme for which a key exposure free chameleon hash scheme can be understood as the case with τ = . We propose chameleon hash schemes CHτ with the key exposure threshold τ based on discrete logarithm problem (DLP). For τ < , the proposed scheme is noninteractive and key exposure free as long as k ephemeral trapdoors are disclosed for k < τ. The proposed scheme CH is a key exposure free chameleon hash scheme based on DLP, and it requires a label directory that can be managed by a third party. This improves the only known efficient key exposure free chameleon hash scheme based on DLP, which requires one interaction with the trapdoor holder. Copyright © 2012 John Wiley & Sons, Ltd.

1 INTRODUCTION

A chameleon hash function is a trapdoor collision-resistant hash function. That is, the chameleon hash function is resistant to the computation of collisions without knowledge of the associated trapdoor. However, collisions are efficiently computable with knowledge of the trapdoor.

When a chameleon hash function is used in the hash-and-sign construction of a signature scheme, it gives the signature scheme many interesting features. In chameleon signature schemes, the trapdoor collision resistance of the chameleon hash function gives the chameleon signatures nontransferability [1]. In sanitizable signature schemes, the trapdoor collision resistance of the chameleon hash function allows the sanitizer to replace some portion of the signed document with other appropriate messages, without any interaction with the signer of the document [2]. One can also strengthen the security of a weakly secure signature scheme by using a chameleon hash scheme [3, 4].

Ateniese et al. considered the situation where hash collisions disclose the trapdoor of the underlying chameleon hash. They called this situation the key exposure problem of chameleon hash schemes and showed in [5] that it threatens the transferability of chameleon signatures. If the underlying chameleon hash scheme has the key exposure problem, any forged chameleon signature discloses the trapdoor of the chameleon hash as long as the underlying signature scheme is secure. Because any incidence of forgery would be serious to the receiver, one could believe that the receiver never forges. Therefore, one could approve the signature claims made by the receiver, and this threatens the nontransferability of chameleon signatures. Hence, a chameleon hash function should be key exposure free to be employed in chameleon signatures.

As a solution to the key exposure problem of chameleon hash schemes, a method of separating the long-term trapdoor and ephemeral trapdoors was proposed in [5]. The ephemeral trapdoor is associated with a label math formula, which is transaction dependent, and it includes a nonce and information on the receiver. What is exposed by a hash collision is not the long-term trapdoor but the ephemeral trapdoor associated with math formula. One of the main issues of this approach is how to compose the label math formula.

In [5], Ateniese et al. first introduced the idea of identity (ID)-based chameleon hashing to solve the key exposure problem. The ephemeral label math formula is a customized ID of the receiver, and only the trusted authority will provide the trapdoor information associated with the math formula to the receiver as in any ID-based system. Therefore, the receiver must communicate with the trusted authority to obtain the trapdoor information associated with math formula. Their scheme offers only a partial solution to the key exposure problem. In [6], Chen et al. provided the first full construction of a key exposure free chameleon hash function, working in the setting of gap groups with bilinear pairings. In [7], Ateniese et al. proposed key exposure free chameleon hash functions based on the strong RSA problem, RSA[n, n], and the strong Diffie–Hellman assumption on a gap-decisional Diffie–Hellman (DDH) group. In the schemes of [6, 7], the ephemeral label math formula is chosen by the signer.

In [8], Gao et al. presented the first key exposure free chameleon hash function based on discrete logarithm problem (DLP). As claimed in [8], their chameleon hash function has all advantages of the previous schemes to be employed for chameleon signatures except the interaction between the signer and the verifier for every transaction. In their scheme, each ephemeral label math formula contains an auxiliary part (g^t, ENC_K(t)), where K is the secret key of the receiver. Therefore, the ephemeral labels math formula in the scheme of Gao et al. can be managed solely by the receiver, and an interaction with the receiver is inevitable.

In this paper, we introduce a notion of key exposure threshold that can be considered as an extended notion of key exposure freeness. Informally speaking, in a chameleon hash with key exposure threshold τ, the long-term trapdoor can be disclosed only after exposing τ or more ephemeral trapdoors. The key exposure free chameleon hash scheme can be considered as a chameleon hash with key exposure threshold τ = . We also construct chameleon hash schemes CHτ with the key exposure threshold τ based on DLP. In our schemes, the ephemeral labels are ElGamal encryptions under the receiver's public key, and anyone can compute the ephemeral labels. The scheme CHτ does not require any interaction with the receiver for τ < . For τ = , the ephemeral labels math formula can be managed by a trusted party, and the interaction between the signer and verifier can be relaxed to an interaction with the trusted third party in CH. We believe this is a proper assumption in real-world business scenarios such as auction systems because there is an authorized judge who should be able to determine the validity of the signature in the event of legal disputes between the signer and the receiver.

The rest of the paper is organized as follows. In Section 2, we review the definitions and requirements of chameleon hash scheme and propose a new notion of chameleon hash with key exposure threshold. In Section 3, we propose a new chameleon hash scheme CHτ with key exposure threshold τ and a key exposure free chameleon hash scheme CH based on Schnorr signature and ElGamal encryption with their security analysis. In Section 5, we conclude our paper.

2 PRELIMINARIES

A chameleon signature scheme is constructed from a regular signature scheme and a chameleon hash scheme by using the hash-and-sign method. In this section, we review the definitions and security requirements of the chameleon hash schemes to be employed in a chameleon signature scheme. We assume that the underlying regular signature of a chameleon signature is secure. We also review the key exposure freeness of a chameleon hash and introduce a new notion of the key exposure threshold in chameleon hash schemes.

2.1 Definitions of chameleon schemes

A basic chameleon hash scheme is a trapdoor collision-resistant hash scheme, and it consists of three algorithms

display math
  • KeyGen(λ): On inputting a security parameter λ, it outputs a pair (pk, sk), where pk is the public key and sk is the long-term trapdoor.
  • Hashmath formula: On inputting a public key pk, a label math formula, a message m, and an auxiliary random parameter r, it outputs a bitstring h of fixed length.
  • UForgemath formula (universal forge): On inputting the secret key sk associated with pk, a label math formula, a message m, and an auxiliary parameter r, it computes r′ such that math formula for any message m′ with m′ ≠ m.

In the construction of a chameleon signature based on a chameleon hash, the signer computes Hashmath formula by using the verifier's public key pk for the message m to be signed. The existence of the algorithm UForge guarantees the verifier can find a hash collision (m′, r′) to (m, r) for any of its chosen message m′ by using the long-term trapdoor sk.

When the signer repudiates a forged signature of a chameleon signature, the signer may not want to reveal the message signed originally. This can be achieved by adding the following algorithm IForge to the basic chameleon hash scheme.

  • IForgemath formula (instance forge): on input a tuple math formula with math formula, it computes another collision pair (m″, r″) for any m″ ≠ m′ that also satisfies math formula.

In this paper, we consider message-hiding chameleon hash schemes, and we assume that a message-hiding chameleon hash scheme consists of the four algorithms:

display math

2.2 Security requirements of chameleon hash schemes

As discussed in [7], the security requirements of a chameleon hash scheme include the following:

  • Collision resistance: collision resistance of a chameleon hash requires that given only math formula, and r (but not the secret key sk), there is no efficient algorithm to find a second pair (m′, r′) such that
    display math
    with more than negligible probability.
  • Semantic security: the chameleon hash value h does not reveal anything about the possible message m that was hashed.
  • Message hiding: assume the receiver has computed a collision by using the algorithm UForge, that is, a second pair (m′, r′) such that math formula, where (m, r) was the original data signed. Then the signer, upon seeing the claimed values (m′, r′), can successfully contest this invalid claim by releasing a new collision (m″, r″), without having to reveal the original signed message. Moreover, the entropy of the original data (m, r) is unchanged by the revelation of the pairs (m′, r′), (m″, r″) and any further collisions.

Note that the algorithm IForge enables a collision-resistant chameleon hash to have message-hiding property. The signer, upon seeing the claimed collision (m′, r′) to the signed message (m, r) by the signer, can successfully compute a new collision (m″, r″) to (m′, r′) by using the IForge, and this is a proof that the claimed message is forged by the owner of the secret key because of the collision resistance of the chameleon hash and the unforgeability of the underlying signature scheme. In this process, the signer does not have to reveal the original signed message m. Moreover, the entropy of the original value m is unchanged by the revelation of the pairs (m′, m″) because m″ is randomly chosen from the messages that differ from m′.

2.3 Chameleon hash schemes with key exposure threshold

The key exposure freeness of a chameleon hash scheme guarantees the confidentiality of the long-term trapdoor even after polynomially many ephemeral trapdoors are disclosed. The definition of the key exposure freeness of chameleon hash in [7] considers the confidentiality of any new ephemeral trapdoor, and this guarantees the confidentiality of the long-term trapdoor. Now, we consider chameleon hash schemes with the key exposure threshold τ. Informally, a chameleon hash scheme has the key exposure threshold τ if it guarantees the confidentiality of any new ephemeral trapdoor and the long-term trapdoor as long as ephemeral trapdoors of k labels are disclosed for k < τ.

  • Key exposure freeness: assume that a receiver with the key pair (pk, sk) has never computed a collision under label math formula. A chameleon hash has key exposure freeness if given math formula; there is no efficient algorithm that can find a hash collision for the label math formula. This must remain true even if the adversary has oracle access to UForge(sk,⋅,⋅,⋅) with polynomially many labels math formula with (mi, ri) of his choice, for all i.
  • Key exposure freeness with a threshold τ: assume that a receiver with public key pk has never computed a collision under label math formula. Suppose that the adversary has oracle access to UForge(sk,⋅,⋅,⋅) for k labels math formula with (mi, ri) of its choice, for all i = 1 to k. A chameleon hash has key exposure with threshold τ if given math formula; there is no efficient algorithm that can find the long-term trapdoor sk or a hash collision (m′, r′) for the label math formula if and only if k < τ.

3 OUR PROPOSED SCHEMES

3.1 CHτ: a chameleon hash scheme with key exposure threshold τ

Our proposed key exposure free chameleon hash CHτ consists of four polynomial time algorithms

display math

KeyGenτ(λ): On inputting the security parameter λ, it proceeds as follows.

  1. Generate a multiplicative group G of prime order q, with a generator g ∈ G.
  2. Set two cryptographically secure hash functions math formula and math formula.
  3. Choose math formula at random, compute math formula for i = 1 to τ and j = 1 to τ − 1, and output the following public key pk and long-term trapdoor sk.
display math

Hashτ: On inputting (pk, m),

  1. Choose t ∈ G randomly and compute
    display math
  2. Choose math formula randomly.
  3. Compute math formula for math formula.
  4. Output the chameleon hash value math formula.

UForgeτ: On inputting the secret key sk = (α, x1, x2, …, xτ), a hash value math formula with math formula, and a new message m′,

  1. Compute math formula and check the validity of hash value from the equality math formula.
  2. To compute a collision for the new message m′, it proceeds as follows:
    1. Compute math formula and check if math formula. If not, math formula is not a legal label, and it returns failure.
    2. Compute math formula and math formula. We note that math formula.
    3. Compute r′ = s⁻¹(m − m′) + r mod q.
    4. Output (m′, r′).

IForgeτ: On inputting a pair of CH collisions (m, r) and (m′, r′) for the label math formula, it proceeds as follows.

  1. Compute math formula.
  2. For any message m″, compute a hash collision (m″, r″) with r″ = s⁻¹(m′ − m″) + r′ mod q by using the recovered s.
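The collision arithmetic of UForgeτ and IForgeτ can be checked on a toy group. This is an added example, not code from the paper; it assumes the hash has the form g^m · Y^r mod p with Y = g^s for the ephemeral trapdoor s (the hash equation itself is missing from this copy), and the parameters and function names are constructed for illustration.

```python
# Toy parameters (constructed, far too small for real use):
# p = 2q + 1 with p, q prime, and g = 4 generates the subgroup of order q.
P, Q, G = 2039, 1019, 4


def ch_hash(Y, m, r):
    """Assumed hash form: g^m * Y^r mod p, where Y = g^s."""
    return (pow(G, m % Q, P) * pow(Y, r % Q, P)) % P


def uforge(s, m, r, m_new):
    """Trapdoor holder's step: r' = s^-1 (m - m') + r mod q."""
    return (pow(s, -1, Q) * (m - m_new) + r) % Q


def extract_trapdoor(m, r, m2, r2):
    """Anyone holding a collision pair can solve r' - r = s^-1 (m - m')
    for s, i.e. s = (m - m') * (r' - r)^-1 mod q (requires m != m' mod q)."""
    return ((m - m2) * pow((r2 - r) % Q, -1, Q)) % Q


def iforge(m, r, m2, r2, m3):
    """Signer's step: recover s from the collision, then
    r'' = s^-1 (m' - m'') + r' mod q."""
    s = extract_trapdoor(m, r, m2, r2)
    return (pow(s, -1, Q) * (m2 - m3) + r2) % Q


if __name__ == "__main__":
    s = 777                      # ephemeral trapdoor (constructed value)
    Y = pow(G, s, P)             # public value tied to the label
    m, r = 123, 456              # originally hashed message and randomness
    m2 = 321
    r2 = uforge(s, m, r, m2)     # receiver forges a collision
    m3 = 999
    r3 = iforge(m, r, m2, r2, m3)  # signer answers with a third collision
    print(ch_hash(Y, m, r), ch_hash(Y, m2, r2), ch_hash(Y, m3, r3))
    print("recovered s:", extract_trapdoor(m, r, m2, r2))
```

A single published collision is enough to recover s, which is why the scheme ties s to one label rather than using the long-term trapdoor directly.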

We have some remarks on CHτ.

Remark 1. In the scheme CHτ, we have public key pk and the trapdoor sk as

display math

The secrecy of the trapdoor sk is guaranteed with the public key pk because of the infeasibility of the DLP.

Remark 2. Without knowing α, the label math formula is of the form (g^z, t·y^z) with random z; therefore, math formula is a ciphertext of ElGamal encryption scheme.

Remark 3. We note that the output S of Hash satisfies that math formula with math formula. This implies that s is the ephemeral trapdoor corresponding to the label math formula. Because we have math formula, we see that math formula is a Schnorr signature on math formula with the signing key xτ.

Remark 4. Note that the algorithm UForge outputs a hash collision of CHτ. The reason is as follows:

display math

3.2 CH: a key exposure free chameleon hash scheme

Our proposed key exposure free chameleon hash CH consists of four algorithms

display math

KeyGen(λ): On inputting the security parameter λ, it proceeds as follows.

  1. Generate a multiplicative group G of prime order q, with a generator g ∈ G.
  2. Set two cryptographically secure hash functions math formula and math formula.
  3. Choose math formula at random, compute math formula.
  4. Send (y1, ω1) to the label manager and output the public key pk = y2 and the trapdoor sk = (α, x1, x2).
  5. The label manager generates a directory math formula of labels for the public key pk,
    display math

Hash: On inputting (pk, m), it proceeds as follows.

  1. Obtain a label math formula from the label manager.
  2. Choose math formula randomly.
  3. Compute math formula for math formula.
  4. Output the chameleon hash value math formula.

UForge: On inputting the secret key sk = (α, x1, x2), a hash value math formula with math formula, and a new message m′, it proceeds as follows.

  1. Compute math formula and check the validity of hash value from the equality
    display math
  2. To compute a hash value for the new message m′, it proceeds as follows:
    1. Compute math formula and check if math formula. If not, math formula is not a legal label, and it returns failure.
    2. Compute math formula and s = x1H2(t) + x2c mod q. We note that math formula.
    3. Compute r′ = s⁻¹(m − m′) + r mod q.
    4. Output (m′, r′).

IForge: On inputting a pair of CH collisions (m, r) and (m′, r′) for the label math formula, it proceeds as follows.

  1. Compute math formula.
  2. For any message m″, compute a hash collision (m″, r″) with r″ = s⁻¹(m′ − m″) + r′ mod q by using the recovered s.

As in the remarks for the scheme CHτ, we see that the following holds for the scheme CH.

  • The long-term trapdoor sk is kept secret.
  • The label math formula is a ciphertext of ElGamal encryption scheme.
  • For the hash value math formula, (L, s) is a Schnorr signature on math formula with the signing key x2.
  • The algorithm UForge is correct

4 SECURITY ANALYSIS

Now, we show the security features of our schemes CH and CHτ. Assume that the Schnorr signature and the ElGamal encryption schemes in the cyclic group G of order q are secure.

Theorem 1. The proposed chameleon hash scheme CH is collision resistant, semantically secure, message hiding, and key exposure free.

Proof.
  1. Collision resistance: now, we show that without knowing the long-term trapdoor sk, it is hard to find collisions of our chameleon hash. As in the algorithm IForge, exposing a pair of collisions allows one to extract the ephemeral trapdoor s associated with the label math formula. Moreover, (L, s) is a Schnorr signature on R with respect to the signing key x2 because
    display math
    Hence, computing collisions breaks the Schnorr signature. However, the existential unforgeability of the Schnorr signature is proven in [9], and we conclude that it is hard to compute collisions without knowing the Schnorr secret key x2, that is, without the long-term trapdoor sk = (α, x1, x2).
  2. Semantic security: for a message m and fixed math formula, the hash value S is math formula, and the semantic security of m from the hash value follows from the hardness of computing DLP.
  3. Message hiding: because CH is shown to be collision resistant, the algorithm IForge of CH gives the scheme CH the message-hiding property.
  4. Key exposure freeness:
    • We see that a collision for the label math formula of chameleon hash CH gives the ephemeral trapdoor s = x1H2(t) + x2c. Because the label is not computed by the signer, the signer cannot compute H2(t) from math formula because of the security of ElGamal encryption, and the signer cannot compute x2 from s = x1H2(t) + x2c because two unknowns x1H2(t), x2 are involved in one linear equation. Adding one more ephemeral trapdoor introduces a linear system with one more unknown. Therefore, we see that the Schnorr signing key x2 is kept secret even after polynomially many ephemeral trapdoors are disclosed.
    • Suppose that a receiver with public key pk has never computed a collision under the label math formula and a valid math formula is given. We want to show that there is no efficient algorithm for the receiver that can find the ephemeral trapdoor s for the label math formula even with the oracle access to UForge(sk,⋅,⋅,⋅) and is allowed polynomially many queries on triples math formula with (mi, ri) of its choice. This oracle access allows the adversary to compute the ephemeral trapdoors si for labels math formula. Hence, the oracle access allows the adversary to have polynomially many valid Schnorr signatures (Li, si) on the message math formula. We note that finding a collision for the label math formula gives the ephemeral trapdoor s for the label math formula, and then, (L, s) is a valid Schnorr signature on the message math formula. Because math formula for all i, this implies that (L, s) is a forged Schnorr signature, which is a contradiction to the unforgeability of Schnorr signature.

Now, we show that CHτ is a secure message-hiding chameleon hash with key exposure threshold τ.

Theorem 2. The proposed chameleon hash scheme CHτ is collision resistant, semantically secure, message hiding with the key exposure threshold τ.

The collision resistance, semantic security, and message-hiding property of CHτ can be proven exactly the same as in CH. The confidentiality of a new ephemeral trapdoor of CHτ is guaranteed as long as the Schnorr signing key xτ is kept secret, for the same reason as in CH. Now, we want to investigate when the Schnorr signing key xτ is disclosed. Suppose that the adversary (which includes the signer) obtains collisions math formula for label math formula for the (mi, ri) chosen by the adversary for i = 1 to k. We note that any pair of collisions discloses the ephemeral trapdoors si for the label math formula for i = 1 to k. The collisions imply that we have a system of k linear equations

display math

The signer, who is considered as an adversary for the chameleon hash, has the values si, H2(ti), ci because they are chosen by the signer. Therefore, the aforementioned system of linear equations consists of k linear equations for τ unknowns x1, x2, …, xτ.

For k < τ, the adversary cannot solve the equation, and the long-term trapdoor sk = (α, x1, x2, …, xτ) is kept secret. For k = τ, a matrix representation of the aforementioned linear system is as follows. By setting αi = H2(ti), we have

display math

From the randomness of the output of a cryptographic hash function, we can assume that αi ≠ αj if i ≠ j. Therefore, the left aforementioned (τ − 1) × (τ − 1) submatrix of the coefficient matrix is a Vandermonde matrix, which is known to be nonsingular because αi ≠ αj if i ≠ j. By applying elementary row operations to the coefficient matrix, we have the following.

display math

Therefore, we see that the coefficient matrix is singular only if

display math(1)

Because cτ is a random output of a hash function and all the terms math formula are given a priori, we see that the probability for (1) to occur is 1/q. This implies that the coefficient matrix is nonsingular with the probability (1 − 1/q). Therefore, if k ≥ τ, then the adversary can compute the long-term trapdoor sk with high probability.
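The threshold argument above is plain linear algebra over Z_q and can be run directly. This is an added example, not code from the paper; the row shape [α, α², …, α^(τ−1), c] is an assumption (the display equations are missing from this copy) chosen so that τ = 2 matches s = x1H2(t) + x2c from Section 3.2, and the prime q and all values are constructed toy data.

```python
Q = 1019  # toy prime group order (constructed; real q is ~256 bits)


def row(alpha, c, tau):
    """ASSUMED coefficient row for one exposed label:
    [alpha, alpha^2, ..., alpha^(tau-1), c] with alpha = H2(t)."""
    return [pow(alpha, j, Q) for j in range(1, tau)] + [c % Q]


def ephemeral_trapdoor(sk, alpha, c):
    """s = sum_j x_j * coeff_j mod q for the assumed row shape."""
    return sum(x * a for x, a in zip(sk, row(alpha, c, len(sk)))) % Q


def solve_mod_q(A, b, q=Q):
    """Gauss-Jordan elimination over Z_q. Returns the unique solution,
    or None when the rank is below the number of unknowns."""
    n = len(A[0])
    M = [list(r) + [bi] for r, bi in zip(A, b)]
    rank = 0
    for col in range(n):
        piv = next((i for i in range(rank, len(M)) if M[i][col] % q), None)
        if piv is None:
            return None  # free variable: system is underdetermined
        M[rank], M[piv] = M[piv], M[rank]
        inv = pow(M[rank][col], -1, q)
        M[rank] = [(v * inv) % q for v in M[rank]]
        for i in range(len(M)):
            if i != rank and M[i][col] % q:
                f = M[i][col]
                M[i] = [(vi - f * vr) % q for vi, vr in zip(M[i], M[rank])]
        rank += 1
    return [M[i][n] for i in range(n)]


def recover_long_term_key(sk, labels, k):
    """Adversary's view after k exposed ephemeral trapdoors: it knows
    (alpha_i, c_i, s_i) for each label and tries to solve for x_1..x_tau."""
    tau = len(sk)
    A = [row(a, c, tau) for a, c in labels[:k]]
    b = [ephemeral_trapdoor(sk, a, c) for a, c in labels[:k]]
    return solve_mod_q(A, b)


if __name__ == "__main__":
    sk = [101, 202, 303]                      # x1, x2, x3 (tau = 3)
    labels = [(5, 17), (11, 29), (23, 41)]    # constructed (alpha_i, c_i)
    print("k=2:", recover_long_term_key(sk, labels, 2))  # None
    print("k=3:", recover_long_term_key(sk, labels, 3))  # [101, 202, 303]
```

The `None` branch also covers the singular case that the analysis bounds by probability 1/q.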

5 CONCLUDING REMARKS

Many efficient key exposure free chameleon hash schemes were proposed under the RSA type assumption and the Diffie–Hellman assumption on a gap-DDH group. For DLP-based key exposure free chameleon hash schemes, the only known scheme from [8], up to the present time, requires interaction of the signer and the verifier. In this paper, we introduce the chameleon hash scheme with key exposure threshold τ, where it includes the key exposure free chameleon hash scheme for τ = . We also present a chameleon hash scheme CHτ with key exposure threshold τ and a key exposure free chameleon hash scheme CH based on Schnorr signature and ElGamal encryption scheme. The proposed scheme CHτ is noninteractive and key exposure free as long as k ephemeral trapdoors are disclosed for k < τ. In the proposed key exposure free chameleon hash scheme CH, the interaction between the signer and verifier can be relaxed to a label directory that can be managed by a third party.

ACKNOWLEDGEMENTS

This work was supported by the Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education, Science and Technology (2010-0023247).
