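Acknowledgement
With respect to Katz J, Lindell Y. Introduction to modern cryptography[M]. Chapman and Hall/CRC, 2014. I recommend buying a legitimate copy of the book.
Chapter 12 of the book covers digital signatures; for that topic specifically I recommend another book by Katz J:
Katz J. Digital signatures[M]. Springer Science & Business Media, 2010.
Interested readers can do the further reading on their own; the solutions to the Chapter 12 exercises are not posted here.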
13.2 In this exercise we show a scheme that can be proven secure in the random oracle model, but is insecure when the random oracle is instantiated with SHA-1. (This exercise is a bit informal since SHA-1 is only defined for a fixed output length. Nevertheless, it illustrates the main idea.) Let $\Pi$ be a signature scheme that is secure in the standard model. Construct a signature scheme $\Pi_y$ where signing is carried out as follows: if $H(0)=y$, then output the secret key; if $H(0)\neq y$, then return a signature computed using $\Pi$.
Prove that for any value $y$, the scheme $\Pi_y$ is secure in the random oracle model.
Show that there exists a particular $y$ for which $\Pi_y$ is not secure when the random oracle is instantiated using SHA-1.
13.3 Consider a message authentication code $\Pi=(\mathsf{Gen},\mathsf{Mac},\mathsf{Vrfy})$ where $\mathsf{Mac}_k(m):=H(k\|m)$ for a function $H:\{0,1\}^*\to\{0,1\}^\lambda$ (note that $k\leftarrow\{0,1\}^\lambda$ and verification is carried out in the natural way). Show that if $H$ is modeled as a random oracle, then $\Pi$ is a secure message authentication code. Show that if $H$ is any concrete hash function that is constructed via the Merkle-Damgård transform, then $\Pi$ is not a secure message authentication code.
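The second claim of Exercise 13.3, worked through as an added example (not code from the book or from the original post). It assumes a toy Merkle-Damgård hash whose compression function, block size and padding are constructed for illustration; the names `compress`, `md_pad`, `md_hash` and `extend` are hypothetical. Given one valid pair $(m, t)$ and the public key length, it derives a valid tag on a longer message without the key.

```python
import hashlib
import hmac
import os

BLOCK = 64  # block size in bytes of the toy hash (constructed for this example)
LAM = 16    # lambda in bytes: key length and hash output length

def compress(state: bytes, block: bytes) -> bytes:
    # Toy fixed-length compression function (assumption, not a real design).
    return hashlib.sha256(state + block).digest()[:LAM]

def md_pad(total_len: int) -> bytes:
    # Merkle-Damgard strengthening: 0x80, zero bytes, 8-byte total length.
    zeros = (-(total_len + 9)) % BLOCK
    return b"\x80" + b"\x00" * zeros + total_len.to_bytes(8, "big")

def md_hash(data: bytes, state: bytes = b"\x00" * LAM, prior_len: int = 0) -> bytes:
    # Iterate the compression function; state/prior_len resume a finished hash.
    data += md_pad(prior_len + len(data))
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state

def mac(k: bytes, m: bytes) -> bytes:
    return md_hash(k + m)  # Mac_k(m) := H(k || m)

def vrfy(k: bytes, m: bytes, t: bytes) -> bool:
    return hmac.compare_digest(mac(k, m), t)

def extend(m: bytes, t: bytes, suffix: bytes):
    # Uses only (m, t) and the public key length LAM; k is never an input.
    glue = md_pad(LAM + len(m))             # padding the signer's hash appended
    processed = LAM + len(m) + len(glue)    # block-aligned bytes already absorbed
    # t is exactly the chaining value after those bytes, so hashing continues from it.
    return m + glue + suffix, md_hash(suffix, state=t, prior_len=processed)

def demo() -> bool:
    k = os.urandom(LAM)
    m = b"message authenticated by the key holder"  # constructed sample
    t = mac(k, m)
    m2, t2 = extend(m, t, b" plus an appended suffix")
    # m2 was never submitted for tagging, yet (m2, t2) verifies under k.
    return m2 != m and vrfy(k, m2, t2)

if __name__ == "__main__":
    print("new message verifies without the key:", demo())
```

In the random oracle model the same step fails, because the tag $t$ reveals nothing about $H$ on any other input.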
13.5 Say a public-key encryption scheme $(\mathsf{Gen},\mathsf{Enc},\mathsf{Dec})$ is one-way if any PPT adversary $\mathcal{A}$ has negligible probability of success in the following experiment:
$\mathsf{Gen}(1^\lambda)$ is run to obtain keys $(pk,sk)$.
A message $m\leftarrow\{0,1\}^\lambda$ is chosen uniformly at random, and a ciphertext $c\leftarrow\mathsf{Enc}_{pk}(m)$ is computed.
$\mathcal{A}$ is given $pk$ and $c$, and outputs a message $m^*$. We say $\mathcal{A}$ succeeds if $m^*=m$.
(a) Show a construction of a CPA-secure public-key encryption scheme in the random oracle model based on any one-way public-key encryption scheme.
(b) Can a public-key encryption scheme where encryption is deterministic be one-way? If not, give a proof; if so, show a construction based on any of the assumptions introduced in this book.
13.7 Let $\Pi=(\mathsf{Gen},\mathsf{Enc},\mathsf{Dec})$ be a public-key encryption scheme having indistinguishable encryptions under a chosen-plaintext attack, and let $\Pi'=(\mathsf{Gen}',\mathsf{Enc}',\mathsf{Dec}')$ be a private-key encryption scheme having indistinguishable encryptions under a chosen-ciphertext attack. Consider the following construction of a public-key encryption scheme $\Pi^*$.
Construction 13.12
Let $H:\{0,1\}^\lambda\to\{0,1\}^\lambda$ be a function. Construct a public-key encryption scheme as follows:
$\mathsf{Gen}^*$: on input $1^\lambda$, run $\mathsf{Gen}(1^\lambda)$ to obtain $(pk,sk)$. Output these as the public and private keys, respectively.
$\mathsf{Enc}^*$: on input a public key $pk$ and a message $m\in\{0,1\}^\lambda$, choose a random $r\leftarrow\{0,1\}^\lambda$ and output the ciphertext $\langle\mathsf{Enc}_{pk}(r),\mathsf{Enc}'_{H(r)}(m)\rangle$.
$\mathsf{Dec}^*$: on input a private key $sk$ and ciphertext $\langle c_1,c_2\rangle$, compute $r:=\mathsf{Dec}_{sk}(c_1)$ and set $k:=H(r)$. Then output $\mathsf{Dec}'_k(c_2)$.
Does the above construction have indistinguishable encryptions under a chosen-ciphertext attack, if H is modeled as a random oracle? If yes, provide a proof. If not, where does the approach used to prove Theorem 13.6 break down?
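Construction 13.5 can be viewed as using a one-way-secure public-key encryption scheme, whereas the scheme in this exercise uses a CPA-secure public-key encryption scheme. It is known that a CPA-secure public-key encryption scheme is necessarily a one-way-secure public-key encryption scheme. Since Theorem 13.6 already proves that Construction 13.5 is secure, the construction in this exercise is secure.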