• Open Access

Generating signatures with optimal overhead: practical paddings for signature schemes

Authors


ABSTRACT

Optimal signatures (generating signatures as short as possible), which achieve the optimal bandwidth for communication, are extremely useful in bandwidth-critical networks. Previous approaches use the random permutations with large block size as building blocks, which incurs less efficient implementations in the real world. Meanwhile, all the practical signature schemes are not optimal in bandwidth including PSS-R (probabilistic signature scheme with message recovery ), FDH ( Full Domain Hash), and DSA (Digital Signature Algorithm). This paper presents three constructions for optimal signature schemes. All the proposals use both the random oracles and the ideal ciphers with smaller block sizes as building blocks to obtain optimal paddings for signature schemes. The ideal ciphers in our schemes can be implemented by real block ciphers (e.g., AES (Advanced Encryption Standard)-256). Concrete implementations of these signature schemes can utilize the trapdoor permutations of Rabin and RSA, respectively. Surprisingly, RSA and Rabin (trapdoor permutations) lead to not only optimality in bandwidth but also a tight security. Therefore, besides yielding secure signatures with high efficiency, our proposals can also be flexibly applied to the bandwidth-limited networks that reduces the communication cost as less as possible. Copyright © 2014 John Wiley & Sons, Ltd.

1 INTRODUCTION

Short signatures have attracted much attention recently in the cryptology research community because they are very useful in practice. The size of the signature is also one of the important measures of the efficiency for a digital signature scheme. Recently, several proposals are proposed to shorten the signatures while preserving a high level of security [1, 2]. One of the most important techniques proposed for reducing the signature length is to construct signatures with functionality of message recovery [3-5]. In such systems, one encodes a part of the message into the signature thus shortening the total length of the message/signature pair.

Generally speaking, a digital signature scheme is a tuple of probabilistic algorithms, which enable the signer to transform an arbitrary message into a signed message, such that anyone can check the validity of the signed message [4]. A signed message contains not only the message but also the information to prove its validity. Traditionally, the signed message is actually the concatenation of the message and of a signature. The signature expansion of a signature scheme is the difference between the length of the signed message and the original message. If the signature does not allow message recovery, thus the expansion is just the length of the signature itself.

In fact, the security level of a properly designed signature scheme is determined by not only the hardness of the underlying mathematical problem but also the size of expansion of the signature scheme. For a specific signature scheme, one obvious lower bound of the security level is that k-bit signatures (or more exactly k bits of message expansion) cannot provide better than k bits of security, because the probability that a signature is valid is at least 2 − k, assuming that the underlying hard problem is k ′ ≥ k bits secure. Hence, the problem of obtaining message expansion as small as possible while still preserving high level of security for signatures has been put forward in [4]. Now, it attracts more and more cryptologists’ attention [6, 7].

  • Optimal paddings for signature schemes To solve the problem as mentioned earlier, many researchers are looking for the signature schemes with optimal message recovery length. Granboulan [4] has shown a theorem that says that if we want a k-bit secure signature scheme, the message expansion should be at least k bits, and the signature scheme must have unique signature for each message. The author also proposed a signature scheme in the random permutation model [4]. Note that the signature scheme and its improved version in [4] achieve the lower bound of the message expansion.

    However, security of those schemes in [4] is not tightly related to the hardness of the underlying cryptographic problems because the underlying trapdoor permutation is required to be 2k-bit secure if the signature scheme needs to achieve k bits of message expansion and security. Hence, the signature schemes in [4] achieve only loose security. This makes the signature schemes both inefficient according to the theoretically secure parameters.

    In CCS'03, Katz and Wang extended the result in [4] and showed a signature with optimal message recovery, based on the claw-free permutations in the random permutation model [7]. Different from Granboulan's signature schemes, the security is tightly related to the hardness of breaking a pair of claw-free permutation. Their scheme is essentially optimal in terms of the allowable message length, where a signature for each message is not unique. More recently, in [6], a similar padding scheme named Optimal Permutation-based Padding (OPbP) has been proposed, which achieves optimality both for signing and encrypting.

  • Idealized models and practical security To the best of our knowledge, most of signature schemes are usually proven secure in the following three idealized models: random permutation model, ideal cipher model, and random oracle model. An idealized (oracle) model replaces some components of the algorithm with the oracles simulated by the reduction. The number of calls to the oracles is often assumed to be upper bounded because the actual computation of the idealized components takes time in the real world. For a signature scheme, the number of all the queries to the oracle is always upper bounded as well.

    In fact, security proofs of the signature schemes are the descriptions on how to construct a reduction algorithm, which reduces from forgery to the underlying hard problem. A reduction algorithm in an idealized model always gives random answers taken from the set of values that are consistent with previous answers. Although proofs in such models do not guarantee security when the oracles are instantiated by any particular cryptographic primitive [8], it is widely believed that a proof in an idealized model gives some confidence in the design of a cryptographic primitive.

  • Motivation As far as we know, all the optimal signature schemes use the random permutations with a block size same as the size of element that the underlying trapdoor one-way permutations act on. According to [4, 7], we are not aware of any appropriate way to instantiate the random permutation (or the ideal cihper) for large block sizes even for 1024-bit modulus RSA [9] by now. Even more, Granboulan's OPSSR, based on an ideal cipher, is suggested to use at least 1536-bit modulus for the case of RSA.

    Although practical ciphers with large block size such as Halevi and Rogaway's Cipher-block chaining-Mask-Cipher-block chaining were proposed [10] to work well for encryption, these ciphers employ a secure underlying block cipher with small block size, and therefore one must run the underlying cipher many times to encrypt a plaintext. This makes the optimal signature schemes, which use large domain permutation inefficient in the real world. Therefore, these solutions are inefficient and impractical in the real applications. The problem also occurs in Katz and Wang's optimal signature scheme and universal padding of Chevallier-Mames et al. based on the random permutation (OPbP) when the padding is used to sign on messages.

    On the other hand, all the practical signature schemes are not optimal in bandwidth including PSS-R, DSA, and those with message recovery used as the standards now. Recently proposed signatures without random oracles [11, 12] and most of the efficient signature schemes in the random oracle model [13] are neither optimal in bandwidth as well. The universal padding, based on the optimal asymmetric encryption padding (OAEP)-3 rounds proposed by Chevallier-Mames, Phan, and Pointcheval, is not optimal when it is used to sign on messages as well. Hence, how to design a more practical, efficient, and optimal signature scheme remains open.

  • Our contribution This paper uses two random oracles and an ideal cipher with a smaller block size to design optimal paddings for signature schemes. In the real world, the ideal cipher here can be implemented with a real block cipher and the random oracles can be replaced by the cryptographic hash functions. Therefore, we provide a perfect solution to the open problem. That is to say, we design practical, efficient, and optimal paddings for signature schemes. We show that the paddings are provably secure if the underlying trapdoor permutations are secure in the random oracle model because the ideal cipher model and the random oracle model are equivalent [14]. These paddings for signatures enable the signature schemes to achieve tight security when the underlying trapdoor permutations are induced by claw-free permutations.

    Particularly, in the case of RSA and Rabin, these paddings enable the signature scheme to achieve not only optimality in bandwidth but also a tight security reduction.

2 DEFINITION AND PRELIMINARIES

This section reviews the definitions of signature scheme and the basic cryptographic complexity assumptions.

  • Digital signature We review the functional definitions of both signature schemes as well as those supporting message recovery and the definition of security.

    Definition 1. A signature scheme is a tuple of probabilistic algorithms (Gen, Sign, Ver) over a message space math formula such that

    • On input 1k where k is the security parameter, the key-generation algorithm Gen outputs a public key pk and a secret key sk.

    • The signing algorithm Sign takes as input secret key sk and message math formula and returns a signature Σ .

    • If message recovery is not supported, the verification algorithm Ver takes as input a public key pk, a message math formula, and a signature Σ and returns accept or reject.

    • If message recovery is supported, verification algorithm Ver takes as input public key pk and signature Σ and returns either a message math formula or reject.

    We make the standard correctness requirement, given here for schemes supporting message recovery (the other case is analogous): for all (sk,pk) output by Gen and all math formula, we have Verpk(Signsk(m)) = m.

    Existential unforgeability under adaptive chosen-message attacks (EUF-CMA) [15] is a widely accepted standard notion for the security of digital signatures. In the following, we use a generalized version of EUF-CMA, named strong EUF-CMA [7, 16, 17].

    Definition 2. (Strong EUF-CMA). A forger math formula (t,qs,qh,ϵ) breaks a signature scheme if math formula runs in time t, makes at most qs signature queries and at most qh hash queries; and furthermore,

    display math

    where Σ* is the set of signatures received from the signing oracle. If the signature scheme supports message recovery, the definition is almost the same as earlier except that we are interested in the probability that math formula outputs a signature Σ such that Verpk(σ) = m, but Σ was never the response of a query to the signing oracle. That is,

    display math

    In either case, a signature scheme is (t,qs,qh,ϵ)-secure if no forger can (t,qs,qh,ϵ) break it.

  • Complexity assumption Trapdoor (one-way) permutations are among the most popular cryptographic tools to design encryption schemes, signature schemes, and protocols. The explicit complexity definition of trapdoor permutations is as follows.

    Definition 3. (Trapdoor permutations). A trapdoor permutation family is a tuple of probabilistic polynomial time algorithms (Gen, Eval, Invert) such that

    1. Tp-Gen (1k) outputs a pair (f,f − 1), where f is a permutation over {0,1}k.
    2. Eval (1k,f,x) is a deterministic algorithm, which outputs some y ∈ {0,1}k (assuming f was output by Gen and x ∈ {0,1}k). We will often simply write f(x) instead of Eval (1k,f,x).
    3. Invert (1k,f − 1,y) is a deterministic algorithm, which outputs some x ∈ {0,1}k (assuming f − 1 was output by Gen and y ∈ {0,1}k). We will often simply write f − 1(y) instead of Invert (1k,f − 1,y).
    4. (Correctness.) For all k, all (f,f − 1) output by Gen, and all x ∈ {0,1}k, we have f − 1(f(x)) = x.

    A probabilistic polynomial time algorithm math formula is said to (t,ϵ)-break a family of trapdoor permutations if math formula runs in time at most t and outputs the preimage of a random chosen y ∈ {0,1}k for f generated by Gen (1k) with probability greater than ϵ:

    display math

    A family of trapdoor permutations is (t,ϵ)-secure if no algorithm can (t,ϵ)-break it.

The existence of claw-free permutations seems to be reasonable. In fact, any random self-reducible permutation can be seen as a trapdoor permutation induced by a claw-free permutation [18], and almost all known examples of trapdoor permutations are self-reducible. Meanwhile, the trapdoor permutations induced by claw-free permutations can be used to obtain tight reductions [7].

Definition 4. (Claw-free permutations). A family of claw-free permutations is a tuple of algorithms { Gen; fi; gi | i ∈ I}for an index set i such that

  1. Gen outputs a random index i and a trapdoor td.

  2. fi, gi are both permutations over the same domain Di.

  3. there is an efficient sampling algorithm, which, on index i, outputs a random x ∈ Di.

  4. math formula (the inverse of fi) and math formula (the inverse of gi) are both efficiently computable given the trapdoor td.

A claw is a pair (x0,x1) such that f(x0) = g(x1). Probabilistic algorithm math formula is said to (t,ϵ)-break a family of claw-free permutations if math formula runs in time at most t and outputs a claw with probability greater than ϵ:

display math

A family of claw-free permutations is (t,ϵ)-secure if no algorithm can (t,ϵ)-break it.

We say a signature scheme is k-bit secure when there is no forger can (t,qs,ϵ)-break the scheme with log 2(t ∕ ϵ) ≤ k. In the same manner, we say a trapdoor permutation (including the claw-free permutation) or a mathematic problem is k ′ -bit secure if there is no adversary can (t ′ ,ϵ ′ )-break it with log 2(t ′ ∕ ϵ ′ ) ≤ k ′ . The value k (respectively, k ′ ) also depends on the time unit used for t (respectively, t ′ ). A reduction is said to be tight if t ∕ ϵ ≈ t ′ ∕ ϵ ′ . Hence, a tight reduction from forgery to the hard problem implies that the scheme achieves the same security level as the underlying hard problem.

3 MAIN CONSTRUCTION

Various paddings for signature schemes (with message recovery) were proposed through the last few years [3, 4, 6, 7, 17, 19-22]. Most of them are proven secure in the random oracle model. However, none of the schemes proven secure in the random oracle model achieves optimality in bandwidth including PSS-R, Katz and Wang's improved PSS-R in [7]. As far as we know, all the optimal signature schemes with message recovery are based on the random permutation or the ideal cipher for large block sizes (i.e., block sizes larger than the block size of a cipher such as AES) [4, 7]. Thus, the optimal signature paddings become less efficient because of the cause that larger domain cipher calls the underlying block cipher many times [10].

We propose a more practical, efficient, and optimal padding for signature schemes with message recovery. This padding uses a block cipher with smaller size, which can be implemented with the true block ciphers. Next, we shall prove the security of the padding for signature schemes in the random oracle model because the ideal cipher model and the random oracle model are equivalent [14].

  • Our construction The padding for signature schemes uses a keyed permutation E( ⋅ ) : {0,1}l × {0,1}m → {0,1}m that we assume to behave like a truly ideal cipher. For each key κ ∈ {0,1}l of the block cipher E defines a random permutation Eκ = E(κ, ⋅ ) on {0,1}m. The ideal cipher E accepts both forward queries (E) as well as inverse queries (E − 1). Let ϕ : {0,1}n → {0,1}n be a trapdoor one-way permutation (or a claw-free permutation) whose inverse is ϕ − 1. The scheme uses two random oracles H : {0,1}* → {0,1}l and G : {0,1}m → {0,1}n − m, where we assume n > m > k.

    In the following, PRFθ( ⋅ ) assigns a pseudorandom function that uses a secret key θ and generates 1 bit. The symbol “ ∥ ” denotes the bit-string concatenation. 0k and 1k denotes k bits of 0 and 1, respectively. The signature scheme is described as follows:

  • Key generation algorithm Gen: runs Tp-Gen (1n) to obtain a pair of trapdoor permutation ϕ and ϕ − 1. Sets (pk,sk) = (ϕ,ϕ − 1) as the public key and secret key, respectively.
  • Signature algorithm Sign: The space of the messages is math formula, the signature algorithm outputs a signature Σ into {0,1}n: on a message math formula, one computes b = PRFθ(M), h = H(m1), ω = Eh(m2 ∥ bk), s = G(ω) ⊕ m1 and then σ = ϕ − 1(s ∥ ω).
  • Verification algorithm Ver: Given a signature Σ , one first computes (s ∥ ω) = ϕ(σ) where s ∈ {0,1}n − m, ω ∈ {0,1}m and then m1 = G(ω) ⊕ s, h = H(m1), (m2 ∥ v) math formula. Finally, if v = 0k or v = 1k, the verifier returns the message M = (m1,m2); otherwise returns reject.

    Our scheme uses an ideal cipher with small block size, which can be implemented by a real block cipher. Because of this point, the signature scheme works effectively and efficiently in the real world. All the optimal signature schemes known use a full domain permutation. However, the existence of such a large block cipher is still an open problem according to [4, 7]. Therefore, the previous optimal signature schemes are theoretically effective only but cannot be implemented directly by any existing block ciphers.

  • Security proof. In the following, we prove that the security of the proposed padding for signatures is tightly related to that of the underlying trapdoor one-way permutation in the ideal cipher model and the random oracle model.

Theorem 1. Let math formula be adaptively chosen-message (to the signing oracle) adversaries, against the signature scheme. Let us assume that math formula can produce an existential forgery, with success probability ϵ (and within a time bound t, after math formula, qs, qh, and qg queries to the keyed permutation oracles [which includes qE forward queries and math formula inverse queries], signing oracle, H-oracle, and G-oracle, respectively). Then, the underlying trapdoor permutation ϕ can be inverted with probability ϵ ′ within time t ′ ≤ t + (qE + qs + 1)Tϕ where

display math(1)

Proof. We prove the theorem, with incremental games, to reduce the inversion of the permutation ϕ on a random instance y (i.e., find μ such that y = ϕ(μ)) to an attack against the signature scheme. We show that the forger algorithm math formula can help us to invert ϕ(x).

  • GAME G0: This is the attack game, in the ideal cipher model and the random oracle model. Several oracles are available to the adversary during the game: the ideal cipher oracles (both (E) and (E − 1)), two random oracles (H( ⋅ ) and G( ⋅ )), and the signing oracle math formula.

    To break the signature, the adversary math formula outputs its forgery. We denote by Forge0 the event this forged signature is valid and use the notation Forgej to denote this event in game Gj.

    Note that if the adversary asks qs signature queries to the signing oracle math formula and math formula queries to the ideal cipher oracles, there are at most qs + qE + 1 queries for encryption are asked to the ideal cipher during this game because each signing query may cause a new queries to the cipher oracle. Hence, ϵ = Pr[Forge0].

  • GAME G1: In this game, we simulate the ideal cipher oracles E and E − 1, by maintaining a list E-List, using a truly ideal cipher math formula and its inverse math formula, the signing oracle math formula with a list Σ -list, and the random oracles H-oracle and G-oracle, by maintaining the lists H-list and G-list, respectively.

    The simulation of the real attack game is described as follow:

    • E( ⋅ )( ⋅ )-Oracle: A query Eh(m2 ∥ v) is answered by ω, whereRule EvalE(1): math formula, store the record (h,(m2 ∥ v),ω) in E-list.

    • math formula-Oracle: A query math formula is answered by m2 ∥ v, whereRule InverE(1): math formula, store the record (h,(m2 ∥ v),ω) in E-list.

    • G-Oracle: Answer to the query G(ω) is set as follow:Rule G(1):

      1. if a record (ω,g) appears in G-List, the answer is G;

      2. otherwise, the answer is randomly chosen from {0,1}n − m, and the record (ω,g) is stored in G-list.

    • H-Oracle: Answer to the query H(m1) is set as follow:Rule H(1):

      1. if a record (m1,h) appears in H-List, the answer is H;

      2. otherwise, the answer is randomly chosen from {0,1}l, and the record (m1,h) is stored in H-list.

    • math formula-Oracle:Rule S(1): For a signing query math formula, one first breaks up m as (m1,m2) ∈ {0,1}n − m × {0,1}m − k, computes b = PRFθ(m1,m2), then asks for h = H(m1) to the H-oracle, then asks for ω = Eh(m2 ∥ bk) to E( ⋅ )( ⋅ )-oracle, and then computes s = G(ω) ⊕ m1. The signature Σ is ϕ − 1(s ∥ ω). We store the (m1,m2,b,h,ω,g,σ) in Σ-list.

    • Verϕ( ⋅ )-Oracle:Rule V(1): The game ends with the verification of the output Σ from the adversary. One first computes s ∥ ω = ϕ(σ) where s ∈ {0,1}n − m, ω ∈ {0,1}m and then m1 = G(ω) ⊕ s, then asks for h = H(m1) to the H-oracle, math formula to the math formula-oracle, if v = 0k or v = 1k, returns the message M = (m1,m2); otherwise, returns reject.

    Now, we denote by Δj the statistical distance between the distribution of the adversary's view in the game Gj and in the game Gj − 1. We see that the perfect simulation does not modify any probability in GAME G1. Therefore, Δ1 = 0, and Pr[Forge0] = Pr[Forge1].

  • GAME G2: In this game, we modify the simulations of the (random oracles) H-oracle and G-oracle in GAME G1 as follows:

    • G-Oracle: Answer to the query G(ω) is set as follow:Rule G(2):

      1. if a record (ω,g) appears in G-List, the answer is G;

      2. otherwise, one randomly chooses G from {0,1}n − m, if G has been set as G(ω ′ ) for some ω ′ ≠ ω, abort or else return G as the answer, and stores the record (ω,g) in G-list.

    • H-Oracle: Answer to the query H(m1) is set as follow:Rule H(2):

      1. if a record (m1,h) appears in H-List, the answer is H;

      2. otherwise, one randomly chooses H from {0,1}l, if H has been set as math formula for some math formula, abort or else return G as the answer and store the record (m1,h) in H-list.

    Let Δ2 be the statistical distance between the distribution of the adversary's view in the game G2 and in the game G1. The simulations of the H-oracle and G-oracle in the game are indistinguishable from those in the previous game unless the simulations abort, which event is denoted Abort. The event Abort happens only when a collision on either G or H has occurred, which event is denoted Col-H-G. Hence,

    display math(2)
  • GAME G3: In this game, we modify the simulation of the ideal cipher oracles E and E − 1 in GAME G2. The explicit rules of the simulations are set as follows:

    • E( ⋅ )( ⋅ )-Oracle: When a query Eh(m2 ∥ v) is submitted, we use the following rules:Rule EvalE(3): Look for the record (h,(m2 ∥ v),ω) in E-list:

      1. if the record is found, Eh(m2 ∥ v) = ω;

      2. otherwise, randomly choose a x ∈ {0,1}n, compute (s ∥ ω) = ϕ(x) (if it is the i-th query, we may set (s ∥ ω) = y), and then look for the record (m1,h) § in H-list:

        1. if the record (m1,h) is found, compute g = m1 ⊕ s, if G has been set as G(ω ′ ) for some ω ′ ≠ ω, stop (denoted by Stop1); otherwise, return Eh(m2 ∥ v) = ω and add (ω,g) to G-List.

        2. otherwise, when the record (m1,h) is not found, randomly choose m1 ∈ {0,1}n − m, if m1 is asked to H before, stop (denoted by Stop2) or else compute g = m1 ⊕ s, if G has been set as G(ω ′ ) for some ω ′ ≠ ω, stop (denoted by Stop3); otherwise, return Eh(m2 ∥ v) = ω, add (ω,g) to G-List and (m1,h) to H-list.

        3. store the record (h,(m2 ∥ v),ω) in E-list and the record (m1,m2,b,h,ω,g,x) in Σ-list where v = bk (for the i-th query, store the record (m1,m2,b,h,ω,g, ⟂ ) in Σ-list).

    • math formula-Oracle: A query math formula is answered according to the following rules:Rule InverE(3): Look for the record (h,(m2 ∥ v),ω) in E-list: if the record is found, return m2 ∥ v; otherwise, randomly choose (m2 ∥ ν) ∈ {0,1}m − k × {0,1}k:

      1. if ν ∈ {1k,0k}, stop (denoted by Stop4);

      2. otherwise, return math formula and store the record (h,(m2 ∥ ν),ω) in E-list.

    There is no difference between GAME G3 and GAME G2 unless one of the events Stop1,Stop2, Stop3, and Stop4 happens. Therefore, the difference is the following probability

    display math(3)

    Because there are only qg + qs + 1 queries to G, we can compute math formula, where qE is the number of the queries to E( ⋅ )( ⋅ )-oracle.

    Similarly, we have math formula and math formula. The probability that the event Stop4 happens is upper bounded by math formula, where math formula is the number of queries to math formula-oracle. Therefore,

    display math(4)
  • GAME G4: In this game, we shall use E-list, H-list, G-list, and Σ-list to generate signatures instead of using the trapdoor ϕ − 1 in the simulation of the signing oracle (math formula-Oracle) of GAME G3. The rules of the simulation of math formula-Oracle is described as follows:

    • Rule S(1): For a signing query math formula, one first breaks up m as (m1,m2) ∈ {0,1}n − m × {0,1}m − k, randomly chooses 1 bit b ∈ {0,1}, then asks a query h = H(m1) to the H-oracle and a query Eh(m2 ∥ bk) to E( ⋅ )( ⋅ )-oracle, and then finds the record (m1,m2,b,h,ω,g,x) in Σ-list. Hence, the signature x satisfies ϕ(x) = (s ∥ ω) where s = G(ω) ⊕ m1 according to the rules of E( ⋅ )( ⋅ )-oracle in the previous game.

    All the signature queries are answered by valid signatures if the signing oracle does not use the i-th query of E( ⋅ )( ⋅ )-oracle. However, in this game, one needs to submit at most qs queries to G, H, and E( ⋅ )( ⋅ ) oracles, respectively, which may lead to the abortion of the simulation. Exactly, whether such events will happen is the only difference between GAME G4 and GAME G3. If the events are denoted by AbortG, AbortH, and AbortE, respectively, Δ4 is upper bounded by the probability of these events. Therefore,

    display math(5)
  • GAME G5: Finally, the forger will return a valid signature Σ on message (m1,m2). We have ϕ(σ) = s ∥ ω, s ∈ {0,1}n − m, ω ∈ {0,1}m and m1 = G(ω) ⊕ s. We ask for h = H(m1) to the H-oracle, math formula to the math formula-oracle. Hence, v = b ′ k, where b ′ ∈ {0,1}. The event that Eh(m2 ∥ b ′ k) is the i-th query to E( ⋅ )( ⋅ )-oracle, which is denoted by Good, happens with probability math formula. In this case, we shall know that ϕ(σ) = y and the reduction succeeds, which is denoted by Success. Otherwise, we abort the game. Hence, we have

    display math(6)

For all, we have

display math(7)

The running time t of the reduction includes the running time of math formula and is otherwise dominated by the computation of ϕ denoted Tϕ performed for each query to the signing oracle and the ideal cipher oracle (E( ⋅ )( ⋅ )) at most. Therefore, we have t ′ ≤ t + (qE + qs + 1)Tϕ

If the underlying trapdoor permutation is induced by a claw-free permutation, we can use the idea of the Katz–Wang construction [7] to achieve tight security in signature. More precisely, we only need to modify the simulation of the signing oracle and the ideal cipher oracle in the previous proof, then the following theorem holds.

Theorem 2. Let math formula be adaptively chosen-message (to the signing oracle) adversaries, against the signature scheme. Let us assume that math formula can produce an existential forgery, with success probability ϵ (within a time bound t, after math formula, qs, qh, and qg queries to the keyed permutation oracles [which includes qE forward queries and math formula inverse queries], the signing oracle, H-oracle, and G-oracle, respectively). If the function ϕ is induced by a claw-free permutation, then we can inverse ϕ in time t ′ , with probability ϵ ′ where t ′ ≤ t + (qE + qs + 1)Tϕ and

display math(8)

4 EXTENSION AND IMPLEMENTATION

The padding of our proposal for signature schemes only allows one to sign messages of length n − k. To sign a message m of arbitrary length greater than n − k, the message is split math formula. m1,m2 will be recovered from the signed message. While m0 will be transmitted in the clear.

4.1 How to sign long messages

We show two approaches to solve the problems. Details of the paddings for signature schemes are described in Figure 1.

Figure 1.

Structure of the paddings.

The first structure of padding is shown in the left side of Figure 1, which is quite similar to our main construction. The details are describe as follows:

Gen:

runs Tp-Gen (1n) to obtain a pair of trapdoor permutation ϕ and ϕ − 1. Sets (ϕ,ϕ − 1) as the public key and secret key, respectively.

Sign:

The space of the messages is math formula, the signature algorithm outputs a signature (m0 ∥ σ) into {0,1}* × {0,1}n: on a message math formula, one computes b = PRFθ(M), h = H(m0,m1), ω = Eh(m2 ∥ bk), s = G(ω) ⊕ m1 and then σ = ϕ − 1(s ∥ ω), returns (m0 ∥ σ).

Ver:

On a signature (m0 ∥ σ), one first computes s ∥ ω = ϕ(σ), where s ∈ {0,1}n − m, ω ∈ {0,1}m, and then m1 = G(ω) ⊕ s, h = H(m0,m1), math formula. Finally, if v = 0k or v = 1k, the verifier returns the message M = (m0,m1,m2); otherwise, returns reject.

Therefore, the padding for signature schemes can be used to sign on long messages. More precisely, part of the message can be recovered from the signed message. The bandwidth in communication can be optimal if we use this kind of padding for signature scheme to sign long messages.

However, there is also a restriction that the two paddings earlier both requires that the size of the block cipher should be larger than the size of trapdoor permutation. To get rid of the restriction, we present the following proposal, which is described in the right side of Figure 1.

Gen:

runs Tp-Gen (1n) to obtain a pair of trapdoor permutation ϕ and ϕ − 1. Sets (ϕ,ϕ − 1) as the public key and secret key, respectively.

Sign:

The space of the messages is math formula, the signature algorithm outputs a signature (m0 ∥ σ) into {0,1}* × {0,1}n: on a message math formula, one computes b = PRFθ(M), h = H(m0,m1), ω = Eh(m2 ∥ bk), s = G(ω) ⊕ m1 and then σ = ϕ − 1(s), returns (m0,σ,ω).

Ver:

On a signature (m0,σ,ω), one first computes s = ϕ(σ) and then let m1 = G(ω) ⊕ s, h = H(m0,m1), math formula. Finally, if v = 0k or v = 1k, the verifier returns the message M = (m0,m1,m2); otherwise, returns reject.

Note that the security proof still holds for both cases if all answers to oracle queries are independent for different values of (m0,m1), and we can obtain the same results by similar theorems.

4.2 How to implement in the real world

As we have mentioned previously, the padding for signature with message recovery is also practical and efficient in the real world. Here, we explain the details on how to implement such a padding for signature schemes using the existing cryptographical primitives. Because the most popular trapdoor (one-way) permutations are the RSA permutations, we can use the RSA permutations as the underlying permutations. Luckily, the RSA permutations are claw-free as well. Therefore, the RSA permutations are widely used in all kinds of cryptographical standards, such as the standards: RSA-PSSR, RSA-OAEP, and so on.

Our theorem shows that the padding for signature schemes leads to a tight security. Hence, for the particular case of RSA, we can use a 1024-bit modulus. Because of the Lenstra–Verheul's estimation [23], if RSA is (t ′ ,ϵ ′ )-secure, then t ′ ∕ ϵ ′ ≥ 280. Therefore, the parameters are suggested to be n = 1024, k = 81 and m = l = 256 > 3k = 243, then we shall obtain a signature with 80-bit security level.

We shall use two hash functions H : {0,1}*  → {0,1}256 and G : {0,1}256 → {0,1}768, which can be viewed as random oracles. For the ideal cipher, we may choose the block cipher, NUSH (LAN Crypto, Int., Russia), or a variant of the NIST (National Institute of Standards and Technology) AES standard, 256-bit plaintext block Rijndael, with a 256-bit key over 14 round [24], to instantiate the keyed permutation E( ⋅ ) : {0,1}l × {0,1}m → {0,1}m. Both the key length and the block size can be 256 bits.

5 COMPARISON AND PARAMETERS

For the purpose of efficiency and practicality, n and m is much greater than the bit size of the redundancy k (where m ≤ 256 because the existing largest block ciphers cannot be directly used to encrypt a plaintext with block size greater than 256 bits [24]). On the other hand, all the queries to the oracles is upper bounded, we may assume that math formula. Without loss of generosity, assuming that Q ≤ t ′ ≈ t ≤ t + Q ≤ 2k, the quantity Q ⋅ 2 − l, Q ⋅ 2m − n, or even Q2 ⋅ 2 − l, Q2 ⋅ 2m − n can be ignored in front of Q ⋅ 2 − k if we assume l > 3k and n − m > 3k. Therefore, the aforementioned reduction cost implies that

display math(9)

In the general case, if the underlying trapdoor permutation is 2k-bit secure, we shall get a signature scheme, which is nearly k-bit secure with only k bits of redundancy (or message expansion). According to the first theorem in [4], our padding leads to an optimal signature. Because math formula, we only require that math formula, then we shall roughly obtain math formula where c is a small constant.

If ϕ is induced by a claw-free permutation, the padding not only achieves the lower bounds of message expansion for signature schemes (optimal for the length of message recovery) but also leads to a tight security reduction. Namely, we need not require the underlying permutation to be 2k-bit secure. Because a tight security reduction implies that the signature scheme and underlying trapdoor permutation achieve the same security level, the padding for signature schemes is also optimal.

With a usual setting of the security bound, if ϕ is induced by a claw-free permutation, k = 80 is secure enough in the real world.

  • Comparison Various practical signature schemes (with message recovery) were proposed through the last few years. However, most of them are proven secure in the random oracle model. None of the schemes proven secure in the random oracle model can achieve optimality in bandwidth including the RSA-PSSR, Katz–Wang's improved PSSR.

Indeed, Katz and Wang proves that PSS with a 1-bit salt is sufficient when the underlying permutation is induced by a claw-free permutation. However, their scheme is not optimal either. From Theorem 3 in [7] and the suggestion in [3], we have that expansion (length of redundancy and randomness), in other words, the difference between the length of the signed message and the original message should be nearly k1 + 1 = 180 bits if taking Q = 260, ϵ ′ = 2 − 60, in order to achieve optimality. With the same assumption that Q = 260, ϵ ′ = 2 − 60, we may see that our padding for signature schemes only needs nearly k = 120 bits of expansion. More exactly, Katz–Wang's construction reduces the randomness to 1 bit but keeps the original redundancy of PSS, while our padding for signature schemes bounds the length of redundancy and randomness as small as possible. Therefore, Katz–Wang's improved PSS is not optimal in bandwidth, but ours is optimal.

On the other hand, all the optimal signature schemes (with message recovery) depend on either the random permutations or the ideal ciphers. However, these permutations (including the ideal ciphers) all require large block sizes (i.e., block sizes larger than the block size of a cipher such as AES) [4, 6, 7]. Therefore, these proposals are less efficient in the real world because the larger domain ciphers often call the underlying block cipher many times when they encipher the message (and decipher the ciphertext) [10].

We compare our main construction (denoted by Σ) with practical signature schemes: Katz–Wang's improved PSSR [7], the signature scheme from OAEP3r [6](denoted by ΣOAEP3r), and the signature schemes in [1, 2]. Of course, we compare our scheme with all the optimal signature schemes known up to date: Granboulan's proposal [4](denoted by ΣOPSSR), the signature scheme from the universal padding OPbP in [6] (denoted by ΣOPbP) and Katz–Wang's scheme in [7]. We let TP and CFP denote trapdoor permutations and claw-free permutations, respectively. CDHP denotes the computational Diffie–Hellman problem in gap of Diffie–Hellman problems groups. Details are showed in Table 1.

Table 1. Comparison of practical signature schemes.
Signature schemes:Message recoveryTight securityAssumptionOptimalEfficient
  1. TP, trapdoor permutations; CFP, claw-free permutations; CDHP, computational Diffie-Hellman problem.

Improved RSA-PSSR [7]YesYesRSANoYes
ΣOAEP3r [6]YesNo/yesTP/CFPNoyes
Short signatures in [1, 2]NoNoCDHPNoYes
Optimal signature schemes:     
ΣOPSSR [4]YesNoTPYesNo
Katz and Wang's proposal [7]YesYesCFPYesNo
ΣOPbP [6]YesYesTP/CFPYesNo
Our Σ YesYesTP/CFPYesYes

Note that our design uses the block cipher as a building block, which is quite different from all previous approaches to achieve optimal signatures. However, optimality from this technique is not at the price of efficiency because the computation cost of enciphering is the same as that of a normal hash function. The computation cost of signing (or verification) is dominated by computing the permutation ϕ (or ϕ − 1) that cost thousands of time of computing a hash value. The following table compares the cost of computation of each primitive, which use the RSA permutation as an example where all the tests were run on a notebook with an Intel Core Duo T7500 2.20 GHz processor and 2 GB random-access memory using Windows Vista (Table 2).

Table 2. Comparisons of time costs of RSA, MD, SHA-1 and AES.
AlgorithmEnc (Ver.)Dec. (Sign.)Exec.
RSA1567  μs1.2 × 106  μs1.2 × 106  μs
MD7  μs7  μs
SHA-118  μs7  μs
AES12  μs8  μs12  μs

Each of our paddings only costs computation time of three hashes and a block cipher, roughly computing four hash function is enough for one padding. Therefore, the computation cost of our paddings is comparable with that of improved PSSR [7] (and OAEP 3r) [6]. Compared with all known optimal signature paddings (paddings in OPSSR [4], OPbP [6], and OPbP in [7]), our paddings cost at most half of the computation, if Halevi and Rogaway's computer-mediated communication mode [10] is used to construct to block ciphers with large block size (e.g., 1024 bits). Therefore, our paddings are rather efficient and practical in the real world because others use at least nine AES computation in the padding of a signature.

6 CONCLUSIONS

This paper proposed practical, efficient optimal paddings for signature schemes with message recovery. These paddings are simple and efficient, only employing two random oracles and an ideal cipher with a practical small block size. We provided a perfect solution to the problem on whether there exists a practical optimal padding for signatures with message recovery that can be efficiently implemented in the real world. We showed that these paddings are provably secure if the underlying trapdoor permutations are secure. These paddings for signature schemes lead to tight security reductions when the underlying trapdoor permutation is induced by claw-free permutations.

ACKNOWLEDGEMENTS

The authors would like to thank anonymous referees for their helpful suggestions on improving the paper. Besides, this work has been supported by the National Natural Science Foundation of China, grant numbers 61172085, 11061130539, 61103221, 61271118, 61272536, and 61021004 and Key Program of Natural Science Foundation of Shaanxi Province(Grant No.2013JZ020).

  • Even using a random self-reducible permutation, the underlying trapdoor permutation is still required to be (k + qs)-bit secure.

  • Here, we may assume v = bk in a query Eh(m2 ∥ v) where b ∈ {0,1}, otherwise the signature will not be valid.

  • §

    In GAME G2, H has no collisions, then we can find a unique m1 as the preimage of a given H under H if H has been set.

Ancillary