Short signatures have attracted much attention recently in the cryptology research community because they are very useful in practice. The size of the signature is also one of the important measures of the efficiency for a digital signature scheme. Recently, several proposals are proposed to shorten the signatures while preserving a high level of security [1, 2]. One of the most important techniques proposed for reducing the signature length is to construct signatures with functionality of message recovery [3-5]. In such systems, one encodes a part of the message into the signature thus shortening the total length of the message/signature pair.
Generally speaking, a digital signature scheme is a tuple of probabilistic algorithms, which enable the signer to transform an arbitrary message into a signed message, such that anyone can check the validity of the signed message [4]. A signed message contains not only the message but also the information to prove its validity. Traditionally, the signed message is actually the concatenation of the message and of a signature. The signature expansion of a signature scheme is the difference between the length of the signed message and the original message. If the signature does not allow message recovery, thus the expansion is just the length of the signature itself.
In fact, the security level of a properly designed signature scheme is determined by not only the hardness of the underlying mathematical problem but also the size of expansion of the signature scheme. For a specific signature scheme, one obvious lower bound of the security level is that k-bit signatures (or more exactly k bits of message expansion) cannot provide better than k bits of security, because the probability that a signature is valid is at least 2^{ − k}, assuming that the underlying hard problem is k ′ ≥ k bits secure. Hence, the problem of obtaining message expansion as small as possible while still preserving high level of security for signatures has been put forward in [4]. Now, it attracts more and more cryptologists’ attention [6, 7].
Optimal paddings for signature schemes To solve the problem as mentioned earlier, many researchers are looking for the signature schemes with optimal message recovery length. Granboulan [4] has shown a theorem that says that if we want a k-bit secure signature scheme, the message expansion should be at least k bits, and the signature scheme must have unique signature for each message. The author also proposed a signature scheme in the random permutation model [4]. Note that the signature scheme and its improved version in [4] achieve the lower bound of the message expansion.
However, security of those schemes in [4] is not tightly related to the hardness of the underlying cryptographic problems because the underlying trapdoor permutation is required to be 2k-bit secure if the signature scheme needs to achieve k bits of message expansion and security†. Hence, the signature schemes in [4] achieve only loose security. This makes the signature schemes both inefficient according to the theoretically secure parameters.
In CCS'03, Katz and Wang extended the result in [4] and showed a signature with optimal message recovery, based on the claw-free permutations in the random permutation model [7]. Different from Granboulan's signature schemes, the security is tightly related to the hardness of breaking a pair of claw-free permutation. Their scheme is essentially optimal in terms of the allowable message length, where a signature for each message is not unique. More recently, in [6], a similar padding scheme named Optimal Permutation-based Padding (OPbP) has been proposed, which achieves optimality both for signing and encrypting.
Idealized models and practical security To the best of our knowledge, most of signature schemes are usually proven secure in the following three idealized models: random permutation model, ideal cipher model, and random oracle model. An idealized (oracle) model replaces some components of the algorithm with the oracles simulated by the reduction. The number of calls to the oracles is often assumed to be upper bounded because the actual computation of the idealized components takes time in the real world. For a signature scheme, the number of all the queries to the oracle is always upper bounded as well.
In fact, security proofs of the signature schemes are the descriptions on how to construct a reduction algorithm, which reduces from forgery to the underlying hard problem. A reduction algorithm in an idealized model always gives random answers taken from the set of values that are consistent with previous answers. Although proofs in such models do not guarantee security when the oracles are instantiated by any particular cryptographic primitive [8], it is widely believed that a proof in an idealized model gives some confidence in the design of a cryptographic primitive.
Motivation As far as we know, all the optimal signature schemes use the random permutations with a block size same as the size of element that the underlying trapdoor one-way permutations act on. According to [4, 7], we are not aware of any appropriate way to instantiate the random permutation (or the ideal cihper) for large block sizes even for 1024-bit modulus RSA [9] by now. Even more, Granboulan's OPSSR, based on an ideal cipher, is suggested to use at least 1536-bit modulus for the case of RSA.
Although practical ciphers with large block size such as Halevi and Rogaway's Cipher-block chaining-Mask-Cipher-block chaining were proposed [10] to work well for encryption, these ciphers employ a secure underlying block cipher with small block size, and therefore one must run the underlying cipher many times to encrypt a plaintext. This makes the optimal signature schemes, which use large domain permutation inefficient in the real world. Therefore, these solutions are inefficient and impractical in the real applications. The problem also occurs in Katz and Wang's optimal signature scheme and universal padding of Chevallier-Mames et al. based on the random permutation (OPbP) when the padding is used to sign on messages.
On the other hand, all the practical signature schemes are not optimal in bandwidth including PSS-R, DSA, and those with message recovery used as the standards now. Recently proposed signatures without random oracles [11, 12] and most of the efficient signature schemes in the random oracle model [13] are neither optimal in bandwidth as well. The universal padding, based on the optimal asymmetric encryption padding (OAEP)-3 rounds proposed by Chevallier-Mames, Phan, and Pointcheval, is not optimal when it is used to sign on messages as well. Hence, how to design a more practical, efficient, and optimal signature scheme remains open.
Our contribution This paper uses two random oracles and an ideal cipher with a smaller block size to design optimal paddings for signature schemes. In the real world, the ideal cipher here can be implemented with a real block cipher and the random oracles can be replaced by the cryptographic hash functions. Therefore, we provide a perfect solution to the open problem. That is to say, we design practical, efficient, and optimal paddings for signature schemes. We show that the paddings are provably secure if the underlying trapdoor permutations are secure in the random oracle model because the ideal cipher model and the random oracle model are equivalent [14]. These paddings for signatures enable the signature schemes to achieve tight security when the underlying trapdoor permutations are induced by claw-free permutations.
Particularly, in the case of RSA and Rabin, these paddings enable the signature scheme to achieve not only optimality in bandwidth but also a tight security reduction.
2 DEFINITION AND PRELIMINARIES
This section reviews the definitions of signature scheme and the basic cryptographic complexity assumptions.
Digital signature We review the functional definitions of both signature schemes as well as those supporting message recovery and the definition of security.
Definition 1. A signature scheme is a tuple of probabilistic algorithms (Gen, Sign, Ver) over a message space M such that
On input 1^{k} where k is the security parameter, the key-generation algorithm Gen outputs a public key pk and a secret key sk.
The signing algorithm Sign takes as input secret key sk and message m∈M and returns a signature Σ .
If message recovery is not supported, the verification algorithm Ver takes as input a public key pk, a message m∈M, and a signature Σ and returns accept or reject.
If message recovery is supported, verification algorithm Ver takes as input public key pk and signature Σ and returns either a message m∈M or reject.
We make the standard correctness requirement, given here for schemes supporting message recovery (the other case is analogous): for all (sk,pk) output by Gen and all m∈M, we have Ver_{pk}(Sign_{sk}(m)) = m.
Existential unforgeability under adaptive chosen-message attacks (EUF-CMA) [15] is a widely accepted standard notion for the security of digital signatures. In the following, we use a generalized version of EUF-CMA, named strong EUF-CMA [7, 16, 17].
Definition 2. (Strong EUF-CMA). A forger F (t,q_{s},q_{h},ϵ) breaks a signature scheme if F runs in time t, makes at most q_{s} signature queries and at most q_{h} hash queries; and furthermore,
where Σ* is the set of signatures received from the signing oracle. If the signature scheme supports message recovery, the definition is almost the same as earlier except that we are interested in the probability that F outputs a signature Σ such that Ver_{pk}(σ) = m, but Σ was never the response of a query to the signing oracle. That is,
In either case, a signature scheme is (t,q_{s},q_{h},ϵ)-secure if no forger can (t,q_{s},q_{h},ϵ) break it.
Complexity assumption Trapdoor (one-way) permutations are among the most popular cryptographic tools to design encryption schemes, signature schemes, and protocols. The explicit complexity definition of trapdoor permutations is as follows.
Definition 3. (Trapdoor permutations). A trapdoor permutation family is a tuple of probabilistic polynomial time algorithms (Gen, Eval, Invert) such that
Tp-Gen (1^{k}) outputs a pair (f,f^{ − 1}), where f is a permutation over {0,1}^{k}.
Eval (1^{k},f,x) is a deterministic algorithm, which outputs some y ∈ {0,1}^{k} (assuming f was output by Gen and x ∈ {0,1}^{k}). We will often simply write f(x) instead of Eval (1^{k},f,x).
Invert (1^{k},f^{ − 1},y) is a deterministic algorithm, which outputs some x ∈ {0,1}^{k} (assuming f^{ − 1} was output by Gen and y ∈ {0,1}^{k}). We will often simply write f^{ − 1}(y) instead of Invert (1^{k},f^{ − 1},y).
(Correctness.) For all k, all (f,f^{ − 1}) output by Gen, and all x ∈ {0,1}^{k}, we have f^{ − 1}(f(x)) = x.
A probabilistic polynomial time algorithm A is said to (t,ϵ)-break a family of trapdoor permutations if A runs in time at most t and outputs the preimage of a random chosen y ∈ {0,1}^{k} for f generated by Gen (1^{k}) with probability greater than ϵ:
A family of trapdoor permutations is (t,ϵ)-secure if no algorithm can (t,ϵ)-break it.
The existence of claw-free permutations seems to be reasonable. In fact, any random self-reducible permutation can be seen as a trapdoor permutation induced by a claw-free permutation [18], and almost all known examples of trapdoor permutations are self-reducible. Meanwhile, the trapdoor permutations induced by claw-free permutations can be used to obtain tight reductions [7].
Definition 4. (Claw-free permutations). A family of claw-free permutations is a tuple of algorithms { Gen; f_{i}; g_{i} | i ∈ I}for an index set i such that
Gen outputs a random index i and a trapdoor td.
f_{i}, g_{i} are both permutations over the same domain D_{i}.
there is an efficient sampling algorithm, which, on index i, outputs a random x ∈ D_{i}.
fi−1 (the inverse of f_{i}) and gi−1 (the inverse of g_{i}) are both efficiently computable given the trapdoor td.
A claw is a pair (x_{0},x_{1}) such that f(x_{0}) = g(x_{1}). Probabilistic algorithm A is said to (t,ϵ)-break a family of claw-free permutations if A runs in time at most t and outputs a claw with probability greater than ϵ:
Pr[(i,td)←Gen(1k);(x0,x1)←A(1k):fi(x0)=gi(x1)]≥ε.
A family of claw-free permutations is (t,ϵ)-secure if no algorithm can (t,ϵ)-break it.
We say a signature scheme is k-bit secure when there is no forger can (t,q_{s},ϵ)-break the scheme with log _{2}(t ∕ ϵ) ≤ k. In the same manner, we say a trapdoor permutation (including the claw-free permutation) or a mathematic problem is k ′ -bit secure if there is no adversary can (t ′ ,ϵ ′ )-break it with log _{2}(t ′ ∕ ϵ ′ ) ≤ k ′ . The value k (respectively, k ′ ) also depends on the time unit used for t (respectively, t ′ ). A reduction is said to be tight if t ∕ ϵ ≈ t ′ ∕ ϵ ′ . Hence, a tight reduction from forgery to the hard problem implies that the scheme achieves the same security level as the underlying hard problem.
3 MAIN CONSTRUCTION
Various paddings for signature schemes (with message recovery) were proposed through the last few years [3, 4, 6, 7, 17, 19-22]. Most of them are proven secure in the random oracle model. However, none of the schemes proven secure in the random oracle model achieves optimality in bandwidth including PSS-R, Katz and Wang's improved PSS-R in [7]. As far as we know, all the optimal signature schemes with message recovery are based on the random permutation or the ideal cipher for large block sizes (i.e., block sizes larger than the block size of a cipher such as AES) [4, 7]. Thus, the optimal signature paddings become less efficient because of the cause that larger domain cipher calls the underlying block cipher many times [10].
We propose a more practical, efficient, and optimal padding for signature schemes with message recovery. This padding uses a block cipher with smaller size, which can be implemented with the true block ciphers. Next, we shall prove the security of the padding for signature schemes in the random oracle model because the ideal cipher model and the random oracle model are equivalent [14].
Our construction The padding for signature schemes uses a keyed permutation E( ⋅ ) : {0,1}^{l} × {0,1}^{m} → {0,1}^{m} that we assume to behave like a truly ideal cipher. For each key κ ∈ {0,1}^{l} of the block cipher E defines a random permutation E_{κ} = E(κ, ⋅ ) on {0,1}^{m}. The ideal cipher E accepts both forward queries (E) as well as inverse queries (E^{ − 1}). Let ϕ : {0,1}^{n} → {0,1}^{n} be a trapdoor one-way permutation (or a claw-free permutation) whose inverse is ϕ^{ − 1}. The scheme uses two random oracles H : {0,1}* → {0,1}^{l} and G : {0,1}^{m} → {0,1}^{n − m}, where we assume n > m > k.
In the following, PRF_{θ}( ⋅ ) assigns a pseudorandom function that uses a secret key θ and generates 1 bit. The symbol “ ∥ ” denotes the bit-string concatenation. 0^{k} and 1^{k} denotes k bits of 0 and 1, respectively. The signature scheme is described as follows:
Key generation algorithm Gen: runs Tp-Gen (1^{n}) to obtain a pair of trapdoor permutation ϕ and ϕ^{ − 1}. Sets (pk,sk) = (ϕ,ϕ^{ − 1}) as the public key and secret key, respectively.
Signature algorithm Sign: The space of the messages is M={0,1}n−m×{0,1}m−k, the signature algorithm outputs a signature Σ into {0,1}^{n}: on a message M=(m1,m2)∈M, one computes b = PRF_{θ}(M), h = H(m_{1}), ω = E_{h}(m_{2} ∥ b^{k}), s = G(ω) ⊕ m_{1} and then σ = ϕ^{ − 1}(s ∥ ω).
Verification algorithm Ver: Given a signature Σ , one first computes (s ∥ ω) = ϕ(σ) where s ∈ {0,1}^{n − m}, ω ∈ {0,1}^{m} and then m_{1} = G(ω) ⊕ s, h = H(m_{1}), (m_{2} ∥ v) =Eh−1(ω)∈{0,1}m−k×{0,1}k. Finally, if v = 0^{k} or v = 1^{k}, the verifier returns the message M = (m_{1},m_{2}); otherwise returns reject.
Our scheme uses an ideal cipher with small block size, which can be implemented by a real block cipher. Because of this point, the signature scheme works effectively and efficiently in the real world. All the optimal signature schemes known use a full domain permutation. However, the existence of such a large block cipher is still an open problem according to [4, 7]. Therefore, the previous optimal signature schemes are theoretically effective only but cannot be implemented directly by any existing block ciphers.
Security proof. In the following, we prove that the security of the proposed padding for signatures is tightly related to that of the underlying trapdoor one-way permutation in the ideal cipher model and the random oracle model.
Theorem 1. Let F be adaptively chosen-message (to the signing oracle) adversaries, against the signature scheme. Let us assume that F can produce an existential forgery, with success probability ϵ (and within a time bound t, after qe=qE+qE−1, q_{s}, q_{h}, and q_{g} queries to the keyed permutation oracles [which includes q_{E} forward queries and qE−1 inverse queries], signing oracle, H-oracle, and G-oracle, respectively). Then, the underlying trapdoor permutation ϕ can be inverted with probability ϵ ′ within time t ′ ≤ t + (q_{E} + q_{s} + 1)T_{ϕ} where
Proof. We prove the theorem, with incremental games, to reduce the inversion of the permutation ϕ on a random instance y (i.e., find μ such that y = ϕ(μ)) to an attack against the signature scheme. We show that the forger algorithm F can help us to invert ϕ(x).
GAMEG_{0}: This is the attack game, in the ideal cipher model and the random oracle model. Several oracles are available to the adversary during the game: the ideal cipher oracles (both (E) and (E^{ − 1})), two random oracles (H( ⋅ ) and G( ⋅ )), and the signing oracle Signφ−1(·).
To break the signature, the adversary F outputs its forgery. We denote by Forge_{0} the event this forged signature is valid and use the notation Forge_{j} to denote this event in game G_{j}.
Note that if the adversary asks q_{s} signature queries to the signing oracle Signφ−1(·) and qe=qE+qE−1 queries to the ideal cipher oracles, there are at most q_{s} + q_{E} + 1 queries for encryption are asked to the ideal cipher during this game because each signing query may cause a new queries to the cipher oracle. Hence, ϵ = Pr[Forge_{0}].
GAMEG_{1}: In this game, we simulate the ideal cipher oracles E and E^{ − 1}, by maintaining a list E-List, using a truly ideal cipher E and its inverse E−1, the signing oracle Signφ−1(·) with a list Σ -list, and the random oracles H-oracle and G-oracle, by maintaining the lists H-list and G-list, respectively.
The simulation of the real attack game is described as follow:
E_{( ⋅ )}( ⋅ )-Oracle: A query E_{h}(m_{2} ∥ v) is answered by ω, whereRuleEvalE^{(1)}: ω=Eh(m2∥v), store the record (h,(m_{2} ∥ v),ω) in E-list.
E(⋅)−1(⋅)-Oracle: A query Eh−1(ω) is answered by m_{2} ∥ v, whereRuleInverE^{(1)}: (m2∥v)=Eh−1(ω), store the record (h,(m_{2} ∥ v),ω) in E-list.
G-Oracle: Answer to the query G(ω) is set as follow:RuleG^{(1)}:
if a record (ω,g) appears in G-List, the answer is G;
otherwise, the answer is randomly chosen from {0,1}^{n − m}, and the record (ω,g) is stored in G-list.
H-Oracle: Answer to the query H(m_{1}) is set as follow:RuleH^{(1)}:
if a record (m_{1},h) appears in H-List, the answer is H;
otherwise, the answer is randomly chosen from {0,1}^{l}, and the record (m_{1},h) is stored in H-list.
Signφ−1(·)-Oracle:RuleS^{(1)}: For a signing query Signφ−1(M), one first breaks up m as (m_{1},m_{2}) ∈ {0,1}^{n − m} × {0,1}^{m − k}, computes b = PRF_{θ}(m_{1},m_{2}), then asks for h = H(m_{1}) to the H-oracle, then asks for ω = E_{h}(m_{2} ∥ b^{k}) to E_{( ⋅ )}( ⋅ )-oracle, and then computes s = G(ω) ⊕ m_{1}. The signature Σ is ϕ^{ − 1}(s ∥ ω). We store the (m_{1},m_{2},b,h,ω,g,σ) in Σ-list.
Ver_{ϕ}( ⋅ )-Oracle:RuleV^{(1)}: The game ends with the verification of the output Σ from the adversary. One first computes s ∥ ω = ϕ(σ) where s ∈ {0,1}^{n − m}, ω ∈ {0,1}^{m} and then m_{1} = G(ω) ⊕ s, then asks for h = H(m_{1}) to the H-oracle, (m2∥v)=Eh−1(ω)∈{0,1}m−k×{0,1}k to the E(⋅)−1(⋅)-oracle, if v = 0^{k} or v = 1^{k}, returns the message M = (m_{1},m_{2}); otherwise, returns reject.
Now, we denote by Δ_{j} the statistical distance between the distribution of the adversary's view in the game G_{j} and in the game G_{j − 1}. We see that the perfect simulation does not modify any probability in GAMEG_{1}. Therefore, Δ_{1} = 0, and Pr[Forge_{0}] = Pr[Forge_{1}].
GAMEG_{2}: In this game, we modify the simulations of the (random oracles) H-oracle and G-oracle in GAMEG_{1} as follows:
G-Oracle: Answer to the query G(ω) is set as follow:RuleG^{(2)}:
if a record (ω,g) appears in G-List, the answer is G;
otherwise, one randomly chooses G from {0,1}^{n − m}, if G has been set as G(ω ′ ) for some ω ′ ≠ ω, abort or else return G as the answer, and stores the record (ω,g) in G-list.
H-Oracle: Answer to the query H(m_{1}) is set as follow:RuleH^{(2)}:
if a record (m_{1},h) appears in H-List, the answer is H;
otherwise, one randomly chooses H from {0,1}^{l}, if H has been set as H(m′) for some m′≠m1, abort or else return G as the answer and store the record (m_{1},h) in H-list.
Let Δ_{2} be the statistical distance between the distribution of the adversary's view in the game G_{2} and in the game G_{1}. The simulations of the H-oracle and G-oracle in the game are indistinguishable from those in the previous game unless the simulations abort, which event is denoted Abort. The event Abort happens only when a collision on either G or H has occurred, which event is denoted Col-H-G. Hence,
GAMEG_{3}: In this game, we modify the simulation of the ideal cipher oracles E and E^{ − 1} in GAMEG_{2}. The explicit rules of the simulations are set as follows:
E_{( ⋅ )}( ⋅ )-Oracle: When a query E_{h}(m_{2} ∥ v)† is submitted, we use the following rules:RuleEvalE^{(3)}: Look for the record (h,(m_{2} ∥ v),ω) in E-list:
if the record is found, E_{h}(m_{2} ∥ v) = ω;
otherwise, randomly choose a x ∈ {0,1}^{n}, compute (s ∥ ω) = ϕ(x) (if it is the i-th query, we may set (s ∥ ω) = y), and then look for the record (m_{1},h) § in H-list:
if the record (m_{1},h) is found, compute g = m_{1} ⊕ s, if G has been set as G(ω ′ ) for some ω ′ ≠ ω, stop (denoted by Stop1); otherwise, return E_{h}(m_{2} ∥ v) = ω and add (ω,g) to G-List.
otherwise, when the record (m_{1},h) is not found, randomly choose m_{1} ∈ {0,1}^{n − m}, if m_{1} is asked to H before, stop (denoted by Stop2) or else compute g = m_{1} ⊕ s, if G has been set as G(ω ′ ) for some ω ′ ≠ ω, stop (denoted by Stop3); otherwise, return E_{h}(m_{2} ∥ v) = ω, add (ω,g) to G-List and (m_{1},h) to H-list.
store the record (h,(m_{2} ∥ v),ω) in E-list and the record (m_{1},m_{2},b,h,ω,g,x) in Σ-list where v = b^{k} (for the i-th query, store the record (m_{1},m_{2},b,h,ω,g, ⟂ ) in Σ-list).
E(⋅)−1(⋅)-Oracle: A query Eh−1(ω) is answered according to the following rules:RuleInverE^{(3)}: Look for the record (h,(m_{2} ∥ v),ω) in E-list: if the record is found, return m_{2} ∥ v; otherwise, randomly choose (m_{2} ∥ ν) ∈ {0,1}^{m − k} × {0,1}^{k}:
if ν ∈ {1^{k},0^{k}}, stop (denoted by Stop4);
otherwise, return Eh−1(ω)=(m2∥ν) and store the record (h,(m_{2} ∥ ν),ω) in E-list.
There is no difference between GAMEG_{3} and GAMEG_{2} unless one of the events Stop1,Stop2, Stop3, and Stop4 happens. Therefore, the difference is the following probability
Because there are only q_{g} + q_{s} + 1 queries to G, we can compute Pr[Stop1]≤qE(qg+qs+1)2n−m, where q_{E} is the number of the queries to E_{( ⋅ )}( ⋅ )-oracle.
Similarly, we have Pr[Stop2]≤qE(qh+qs+1)2n−m and Pr[Stop3]≤qE(qg+qs+1)2n−m. The probability that the event Stop4 happens is upper bounded by 2qE−12k, where qE−1 is the number of queries to E(⋅)−1(⋅)-oracle. Therefore,
GAMEG_{4}: In this game, we shall use E-list, H-list, G-list, and Σ-list to generate signatures instead of using the trapdoor ϕ^{ − 1} in the simulation of the signing oracle (Signφ−1(·)-Oracle) of GAMEG_{3}. The rules of the simulation of Signφ−1(·)-Oracle is described as follows:
RuleS^{(1)}: For a signing query Signφ−1(M), one first breaks up m as (m_{1},m_{2}) ∈ {0,1}^{n − m} × {0,1}^{m − k}, randomly chooses 1 bit b ∈ {0,1}, then asks a query h = H(m_{1}) to the H-oracle and a query E_{h}(m_{2} ∥ b^{k}) to E_{( ⋅ )}( ⋅ )-oracle, and then finds the record (m_{1},m_{2},b,h,ω,g,x) in Σ-list. Hence, the signature x satisfies ϕ(x) = (s ∥ ω) where s = G(ω) ⊕ m_{1} according to the rules of E_{( ⋅ )}( ⋅ )-oracle in the previous game.
All the signature queries are answered by valid signatures if the signing oracle does not use the i-th query of E_{( ⋅ )}( ⋅ )-oracle. However, in this game, one needs to submit at most q_{s} queries to G, H, and E_{( ⋅ )}( ⋅ ) oracles, respectively, which may lead to the abortion of the simulation. Exactly, whether such events will happen is the only difference between GAMEG_{4} and GAMEG_{3}. If the events are denoted by AbortG, AbortH, and AbortE, respectively, Δ_{4} is upper bounded by the probability of these events. Therefore,
GAMEG_{5}: Finally, the forger will return a valid signature Σ on message (m_{1},m_{2}). We have ϕ(σ) = s ∥ ω, s ∈ {0,1}^{n − m}, ω ∈ {0,1}^{m} and m_{1} = G(ω) ⊕ s. We ask for h = H(m_{1}) to the H-oracle, (m2∥v)=Eh−1(ω)∈{0,1}m−k×{0,1}k to the E(⋅)−1(⋅)-oracle. Hence, v = b ′ k, where b ′ ∈ {0,1}. The event that E_{h}(m_{2} ∥ b ′ k) is the i-th query to E_{( ⋅ )}( ⋅ )-oracle, which is denoted by Good, happens with probability 1qE+qs+1. In this case, we shall know that ϕ(σ) = y and the reduction succeeds, which is denoted by Success. Otherwise, we abort the game. Hence, we have
The running time t of the reduction includes the running time of F and is otherwise dominated by the computation of ϕ denoted T_{ϕ} performed for each query to the signing oracle and the ideal cipher oracle (E_{( ⋅ )}( ⋅ )) at most. Therefore, we have t ′ ≤ t + (q_{E} + q_{s} + 1)T_{ϕ}□
If the underlying trapdoor permutation is induced by a claw-free permutation, we can use the idea of the Katz–Wang construction [7] to achieve tight security in signature. More precisely, we only need to modify the simulation of the signing oracle and the ideal cipher oracle in the previous proof, then the following theorem holds.
Theorem 2. Let F be adaptively chosen-message (to the signing oracle) adversaries, against the signature scheme. Let us assume that F can produce an existential forgery, with success probability ϵ (within a time bound t, after qe=qE+qE−1, q_{s}, q_{h}, and q_{g} queries to the keyed permutation oracles [which includes q_{E} forward queries and qE−1 inverse queries], the signing oracle, H-oracle, and G-oracle, respectively). If the function ϕ is induced by a claw-free permutation, then we can inverse ϕ in time t ′ , with probability ϵ ′ where t ′ ≤ t + (q_{E} + q_{s} + 1)T_{ϕ} and
The padding of our proposal for signature schemes only allows one to sign messages of length n − k. To sign a message m of arbitrary length greater than n − k, the message is split m=(m0,m1,m2)∈M={0,1}*×{0,1}n−m×{0,1}m−k. m_{1},m_{2} will be recovered from the signed message. While m_{0} will be transmitted in the clear.
4.1 How to sign long messages
We show two approaches to solve the problems. Details of the paddings for signature schemes are described in Figure 1.
The first structure of padding is shown in the left side of Figure 1, which is quite similar to our main construction. The details are describe as follows:
Gen:
runs Tp-Gen (1^{n}) to obtain a pair of trapdoor permutation ϕ and ϕ^{ − 1}. Sets (ϕ,ϕ^{ − 1}) as the public key and secret key, respectively.
Sign:
The space of the messages is M={0,1}*×{0,1}n−m×{0,1}m−k, the signature algorithm outputs a signature (m_{0} ∥ σ) into {0,1}* × {0,1}^{n}: on a message M=(m0,m1,m2)∈M, one computes b = PRF_{θ}(M), h = H(m_{0},m_{1}), ω = E_{h}(m_{2} ∥ b^{k}), s = G(ω) ⊕ m_{1} and then σ = ϕ^{ − 1}(s ∥ ω), returns (m_{0} ∥ σ).
Ver:
On a signature (m_{0} ∥ σ), one first computes s ∥ ω = ϕ(σ), where s ∈ {0,1}^{n − m}, ω ∈ {0,1}^{m}, and then m_{1} = G(ω) ⊕ s, h = H(m_{0},m_{1}), (m2∥v)=Eh−1(ω)∈{0,1}m−k×{0,1}k. Finally, if v = 0^{k} or v = 1^{k}, the verifier returns the message M = (m_{0},m_{1},m_{2}); otherwise, returns reject.
Therefore, the padding for signature schemes can be used to sign on long messages. More precisely, part of the message can be recovered from the signed message. The bandwidth in communication can be optimal if we use this kind of padding for signature scheme to sign long messages.
However, there is also a restriction that the two paddings earlier both requires that the size of the block cipher should be larger than the size of trapdoor permutation. To get rid of the restriction, we present the following proposal, which is described in the right side of Figure 1.
Gen:
runs Tp-Gen (1^{n}) to obtain a pair of trapdoor permutation ϕ and ϕ^{ − 1}. Sets (ϕ,ϕ^{ − 1}) as the public key and secret key, respectively.
Sign:
The space of the messages is M={0,1}*×{0,1}n−m×{0,1}m−k, the signature algorithm outputs a signature (m_{0} ∥ σ) into {0,1}* × {0,1}^{n}: on a message M=(m0,m1,m2)∈M, one computes b = PRF_{θ}(M), h = H(m_{0},m_{1}), ω = E_{h}(m_{2} ∥ b^{k}), s = G(ω) ⊕ m_{1} and then σ = ϕ^{ − 1}(s), returns (m_{0},σ,ω).
Ver:
On a signature (m_{0},σ,ω), one first computes s = ϕ(σ) and then let m_{1} = G(ω) ⊕ s, h = H(m_{0},m_{1}), (m2∥v)=Eh−1(ω)∈{0,1}m−k×{0,1}k. Finally, if v = 0^{k} or v = 1^{k}, the verifier returns the message M = (m_{0},m_{1},m_{2}); otherwise, returns reject.
Note that the security proof still holds for both cases if all answers to oracle queries are independent for different values of (m_{0},m_{1}), and we can obtain the same results by similar theorems.
4.2 How to implement in the real world
As we have mentioned previously, the padding for signature with message recovery is also practical and efficient in the real world. Here, we explain the details on how to implement such a padding for signature schemes using the existing cryptographical primitives. Because the most popular trapdoor (one-way) permutations are the RSA permutations, we can use the RSA permutations as the underlying permutations. Luckily, the RSA permutations are claw-free as well. Therefore, the RSA permutations are widely used in all kinds of cryptographical standards, such as the standards: RSA-PSSR, RSA-OAEP, and so on.
Our theorem shows that the padding for signature schemes leads to a tight security. Hence, for the particular case of RSA, we can use a 1024-bit modulus. Because of the Lenstra–Verheul's estimation [23], if RSA is (t ′ ,ϵ ′ )-secure, then t ′ ∕ ϵ ′ ≥ 280. Therefore, the parameters are suggested to be n = 1024, k = 81 and m = l = 256 > 3k = 243, then we shall obtain a signature with 80-bit security level.
We shall use two hash functions H : {0,1}* → {0,1}^{256} and G : {0,1}^{256} → {0,1}^{768}, which can be viewed as random oracles. For the ideal cipher, we may choose the block cipher, NUSH (LAN Crypto, Int., Russia), or a variant of the NIST (National Institute of Standards and Technology) AES standard, 256-bit plaintext block Rijndael, with a 256-bit key over 14 round [24], to instantiate the keyed permutation E( ⋅ ) : {0,1}^{l} × {0,1}^{m} → {0,1}^{m}. Both the key length and the block size can be 256 bits.
5 COMPARISON AND PARAMETERS
For the purpose of efficiency and practicality, n and m is much greater than the bit size of the redundancy k (where m ≤ 256 because the existing largest block ciphers cannot be directly used to encrypt a plaintext with block size greater than 256 bits [24]). On the other hand, all the queries to the oracles is upper bounded, we may assume that 1+qs+qh+qg+qE+qE−1≤Q. Without loss of generosity, assuming that Q ≤ t ′ ≈ t ≤ t + Q ≤ 2k, the quantity Q ⋅ 2^{ − l}, Q ⋅ 2^{m − n}, or even Q^{2} ⋅ 2^{ − l}, Q^{2} ⋅ 2^{m − n} can be ignored in front of Q ⋅ 2^{ − k} if we assume l > 3k and n − m > 3k. Therefore, the aforementioned reduction cost implies that
ϵt≤Qϵ′t+22kin the general caseϵt≤2ϵ′t+22kclaw‐free permutation(9)
In the general case, if the underlying trapdoor permutation is 2k-bit secure, we shall get a signature scheme, which is nearly k-bit secure with only k bits of redundancy (or message expansion). According to the first theorem in [4], our padding leads to an optimal signature. Because ϵt≤Qϵ′t+22k, we only require that ϵ′t≤2−2k, then we shall roughly obtain ϵt≤c⋅2−k where c is a small constant.
If ϕ is induced by a claw-free permutation, the padding not only achieves the lower bounds of message expansion for signature schemes (optimal for the length of message recovery) but also leads to a tight security reduction. Namely, we need not require the underlying permutation to be 2k-bit secure. Because a tight security reduction implies that the signature scheme and underlying trapdoor permutation achieve the same security level, the padding for signature schemes is also optimal.
With a usual setting of the security bound, if ϕ is induced by a claw-free permutation, k = 80 is secure enough in the real world.
Comparison Various practical signature schemes (with message recovery) were proposed through the last few years. However, most of them are proven secure in the random oracle model. None of the schemes proven secure in the random oracle model can achieve optimality in bandwidth including the RSA-PSSR, Katz–Wang's improved PSSR.
Indeed, Katz and Wang proves that PSS with a 1-bit salt is sufficient when the underlying permutation is induced by a claw-free permutation. However, their scheme is not optimal either. From Theorem 3 in [7] and the suggestion in [3], we have that expansion (length of redundancy and randomness), in other words, the difference between the length of the signed message and the original message should be nearly k_{1} + 1 = 180 bits if taking Q = 2^{60}, ϵ ′ = 2 − 60, in order to achieve optimality. With the same assumption that Q = 2^{60}, ϵ ′ = 2 − 60, we may see that our padding for signature schemes only needs nearly k = 120 bits of expansion. More exactly, Katz–Wang's construction reduces the randomness to 1 bit but keeps the original redundancy of PSS, while our padding for signature schemes bounds the length of redundancy and randomness as small as possible. Therefore, Katz–Wang's improved PSS is not optimal in bandwidth, but ours is optimal.
On the other hand, all the optimal signature schemes (with message recovery) depend on either the random permutations or the ideal ciphers. However, these permutations (including the ideal ciphers) all require large block sizes (i.e., block sizes larger than the block size of a cipher such as AES) [4, 6, 7]. Therefore, these proposals are less efficient in the real world because the larger domain ciphers often call the underlying block cipher many times when they encipher the message (and decipher the ciphertext) [10].
We compare our main construction (denoted by Σ) with practical signature schemes: Katz–Wang's improved PSSR [7], the signature scheme from OAEP3r [6](denoted by Σ_{OAEP3r}), and the signature schemes in [1, 2]. Of course, we compare our scheme with all the optimal signature schemes known up to date: Granboulan's proposal [4](denoted by Σ_{OPSSR}), the signature scheme from the universal padding OPbP in [6] (denoted by Σ_{OPbP}) and Katz–Wang's scheme in [7]. We let TP and CFP denote trapdoor permutations and claw-free permutations, respectively. CDHP denotes the computational Diffie–Hellman problem in gap of Diffie–Hellman problems groups. Details are showed in Table 1.
Table 1. Comparison of practical signature schemes.
Note that our design uses the block cipher as a building block, which is quite different from all previous approaches to achieve optimal signatures. However, optimality from this technique is not at the price of efficiency because the computation cost of enciphering is the same as that of a normal hash function. The computation cost of signing (or verification) is dominated by computing the permutation ϕ (or ϕ^{ − 1}) that cost thousands of time of computing a hash value. The following table compares the cost of computation of each primitive, which use the RSA permutation as an example where all the tests were run on a notebook with an Intel Core Duo T7500 2.20 GHz processor and 2 GB random-access memory using Windows Vista (Table 2).
Table 2. Comparisons of time costs of RSA, MD, SHA-1 and AES.
Algorithm
Enc (Ver.)
Dec. (Sign.)
Exec.
RSA
1567 μs
1.2 × 10^{6} μs
1.2 × 10^{6} μs
MD
7 μs
—
7 μs
SHA-1
18 μs
—
7 μs
AES
12 μs
8 μs
12 μs
Each of our paddings only costs computation time of three hashes and a block cipher, roughly computing four hash function is enough for one padding. Therefore, the computation cost of our paddings is comparable with that of improved PSSR [7] (and OAEP _{3r}) [6]. Compared with all known optimal signature paddings (paddings in OPSSR [4], OPbP [6], and OPbP in [7]), our paddings cost at most half of the computation, if Halevi and Rogaway's computer-mediated communication mode [10] is used to construct to block ciphers with large block size (e.g., 1024 bits). Therefore, our paddings are rather efficient and practical in the real world because others use at least nine AES computation in the padding of a signature.
6 CONCLUSIONS
This paper proposed practical, efficient optimal paddings for signature schemes with message recovery. These paddings are simple and efficient, only employing two random oracles and an ideal cipher with a practical small block size. We provided a perfect solution to the problem on whether there exists a practical optimal padding for signatures with message recovery that can be efficiently implemented in the real world. We showed that these paddings are provably secure if the underlying trapdoor permutations are secure. These paddings for signature schemes lead to tight security reductions when the underlying trapdoor permutation is induced by claw-free permutations.
ACKNOWLEDGEMENTS
The authors would like to thank anonymous referees for their helpful suggestions on improving the paper. Besides, this work has been supported by the National Natural Science Foundation of China, grant numbers 61172085, 11061130539, 61103221, 61271118, 61272536, and 61021004 and Key Program of Natural Science Foundation of Shaanxi Province(Grant No.2013JZ020).
^{†}
Even using a random self-reducible permutation, the underlying trapdoor permutation is still required to be (k + q_{s})-bit secure.
^{†}
Here, we may assume v = b^{k} in a query E_{h}(m_{2} ∥ v) where b ∈ {0,1}, otherwise the signature will not be valid.
^{§}
In GAMEG_{2}, H has no collisions, then we can find a unique m_{1} as the preimage of a given H under H if H has been set.