Introductionto Modern Cryptograph 第十三章部分課後題答案

Acknowledge
致敬Katz J, Lindell Y. Introduction to modern cryptography[M]. Chapman and Hall/CRC, 2014. 推薦該書正版。

該書第12章的內容是數字簽名，具體推薦Katz J的另一本書：
Katz J. Digital signatures[M]. Springer Science & Business Media, 2010.
有興趣的人可以自己進行擴展閱讀，這裏不再貼出第12章的課後題解。

---

13.2 In this exercise we show a scheme that can be proven secure in the random oracle model, but is insecure when the random oracle is instantiated with SHA-1. (This exercise is a bit informal since SHA-1 is only defined for a fixed output length. Nevertheless, it illustrates the main idea.) Let $\Pi$ be a signature scheme that is secure in the standard model. Construct a signature scheme $\Pi_y$ where signing is carried out as follows: if $H(0) = y$, then output the4 secret key; if $H(0) \neq y$, then return a signature computed using $\Pi$.

• Prove that for $\it{any}$ value $y$, the scheme $\Pi_y$ is secure in the random oracle model.
• Show that there exists a particular $y$ for which $\Pi_y$ is not secure when the random oracle is instantiated using SHA-1.

（a）概率分析如下：
$\begin{aligned} \mathrm{Pr} [ \mathscr{A} ~ \text{wins} ] &= \mathrm{Pr} [ \mathscr{A} ~ \text{wins} \land y = H(0)] + \mathrm{Pr} [ \mathscr{A} ~ \text{wins} \land y \neq H(0) ] \\ &\leq \mathrm{Pr} [ y = H(0) ] + \mathrm{Pr} [ y \neq H(0) | \mathscr{A} ~ \text{wins}] \cdot \mathrm{Pr} [ \mathscr{A} ~ \text{wins} ] \\ &= \mathsf{negl}(\lambda) + \mathrm{Pr} [ y \neq H(0) | \mathscr{A} ~ \text{wins}] \cdot \mathrm{Pr} [ \mathscr{A} ~ \text{wins} ] \end{aligned}$
假設$\mathscr{A}$可以破解方案$\Pi_y$，那麼可以構造$\mathscr{A}_{\Pi}$來破解方案$\Pi$，其編碼如下：

• 從$\mathscr{C}_\Pi$處獲取$pk$，隨機挑選$y \gets \{0, 1\}^\lambda$，（表示猜測未來隨機諭言機開始運作時$H(0) \neq y$），將$(pk, y)$交給$\mathscr{A}$，同時給$\mathscr{A}$模擬出諭言機$\mathcal{O}_{\mathsf{Sign}}$和$\mathcal{O}_H$：
  • 諭言機$\mathcal{O}_{\mathsf{Sign}}(m)$工作如下：從$\mathscr{A}$處獲取消息$m$，直接將其交給$\mathscr{C}_{\Pi}$，得到對應的簽名$\sigma$，將$\sigma$返回給$\mathscr{A}$。
  • 諭言機$\mathcal{O}_H(x)$工作如下：若記錄$(x, y_x)$存在則直接返回$y_x$，否則，隨機挑選$y_x \gets \{0, 1\}^\lambda$，若$x = 0$且$y_x = y$，直接中斷遊戲，否則，生成記錄$(x, y_x)$並返回$y_x$。
• 從$\mathscr{A}$處獲取僞造$(m^*, \sigma^*)$，將其直接發送給$\mathscr{C}_{\Pi}$。

易知$\mathrm{Pr} [ y \neq H(0) | \mathscr{A} ~ \text{wins}] = 1 - 1 / 2^\lambda$，假設$\mathscr{A}$以不可忽略概率破解$\Pi_y$，有
$\mathsf{negl}(\lambda) \geq \mathrm{Pr} [ \mathscr{A}_\Pi ~ \text{wins} ] \geq (1 - 1 / 2^\lambda) \cdot \mathrm{Pr} [ \mathscr{A} ~ \text{wins} ]，$
上述式子與假設互相矛盾，故假設不成立，方案在隨機諭言機模型下是安全的。
（b）$H$換成SHA-1後，$H(0)$恆等於${\it SHA}\text{-} 1(0)$，對於$y = {\it SHA}\text{-} 1(0)$的簽名方案，消息$m$恆輸出一個常數，故不再安全。

---

13.3 Consider a message authentication cod $\Pi = ( \mathsf{Gen}, \mathsf{Mac}, \mathsf{Vrfy})$ where $\mathsf{Mac}_k(m) := H(k \| m)$ for a function $H : \{0, 1\}^* \to \{0, 1\}^\lambda$ (note that $k \gets \{0, 1\}^\lambda$ and verification is carried out in the natural way). Show that if $H$ is modeled as a random oracle, then $\Pi$ is secure message authentication code. Show that if $H$ is any concrete hash function that is constructed via the Merkle-Damgard transform, then $\Pi$ is $\it{not}$ a secure message authentication code.

當$H$是隨機諭言機時，$m^*$對應的標籤$H(k \| m^*)$是不確定的，敵手所給僞造有效的概率爲可忽略函數，即$1/2^\lambda$。後面小題在第4章課後題出現過，這裏不再詳述。

---

13.5 Say a public-key encryption scheme $(\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$ is $\it{one-way}$ if any PPT adversary $\mathscr{A}$ has negligible probability of success in the following experiment:

• $\mathsf{Gen}(1^\lambda)$ is run to obtain keys $(pk, sk)$.
• $\mathscr{A}$ message $m \gets \{0, 1\}^\lambda$ is chosen uniformly at random, and a ciphertext $c \gets \mathsf{Enc}_{pk}(m)$ is computed.
• $\mathscr{A}$ is given $pk$ and $c$, and outputs a message $m^*$. We say $\mathscr{A}$ succeeds if $m^* = m$.

(a) Show that a construction of a CPA-secure public-key encryption scheme in the random oracle model based on any one-way public-key encryption scheme.
(b) Can a public-key encryption scheme where encryption is $\it{deterministic}$ be one-way? If not, give a proof; if so, show a construction based on any of the assumptions introduced in this book.

（a）方案構造如下：

• $\mathsf{SGen}(1^\lambda) \to (pk, sk):$ 輸入安全參數$1^\lambda$，生成$(pk, sk) \gets \mathsf{Gen}(1^\lambda)$，設置$\big< pk:=pk, sk:=sk \big>$並輸出。
• $\mathsf{SEnc}(pk, m) \to c:$ 輸入消息$m \in \{0, 1\}$，隨機挑選$x \gets \mathcal{M}$，其中$\mathcal{M}$是公鑰加密方案$(\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$的消息域，計算$c_1 \gets \mathsf{Enc}_{pk}(x)$，若$m=0$，設置$c_2 \gets \{0, 1\}^\lambda \backslash H(x)$，若$m=1$，設置$c_2 := H(x)$，輸出密文$c = \big<c_1, c_2\big>$。
• $\mathsf{SDec}(sk, c) \to m$：拆分$c = \big<c_1, c_2\big>$，計算$x := \mathsf{Dec}_{sk}(c_1)$，若$H(x) = c_2$，則輸出$m:=1$，否則輸出$m:=0$。

（b）詳見第10章，The “textbook RSA” encryption scheme。

---

13.7 Let $\Pi = \mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$ be a public-key encryption scheme having indistinguishable encryptions under a chosen-plaintext attack, and let $\Pi' = (\mathsf{Gen}', \mathsf{Enc}', \mathsf{Dec}')$ be a private-key encryption scheme having indistinguishable encryptions under a chosen-ciphertext attack. Consider the following construction of a public-key encryption scheme $\Pi^*$.
Construction 13.12
Let $H:\{0, 1\}^\lambda \to \{0, 1\}^\lambda$ be a function. Construction a public-key encryption scheme as follows:

• $\mathsf{Gen}^*:$ on input $1^\lambda$, run $\mathsf{Gen}(1^\lambda)$ to obtain $(pk, sk)$. Output these as the public and private keys,respectively.
• $\mathsf{Enc}^*:$ on input a public key $pk$ and a message $m \in \{0, 1\}^\lambda$, choose a random $r \gets \{0, 1\}^\lambda$ and output the ciphertext $\big< \mathsf{Enc}_{pk}(r), \mathsf{Enc}'_{H(r)}(m) \big>$.
• $\mathsf{Dec}^*:$ on input a private key $sk$ and ciphertext $\big< c_1, c_2 \big>$, compute $r:= \mathsf{Dec}_{sk}(c_1)$ and set $k := H(r)$. Then output $\mathsf{Dec}'_k(c_2)$.

Does the above construction have indistinguishable encryptions under a chosen-ciphertext attack, if $H$ is modeled as a random oracle? If yes, provide a proof. If not, where does the approach used to prove Theorem 13.6 break down?

Construction 13.5可以看作是使用了單向安全的公鑰加密方案，而題述方案使用了CPA-安全的公鑰加密方案，已知一個CPA-安全的公鑰加密方案一定是單向安全的公鑰加密方案，既然Theorem 13.6已證Construction 13.5安全，那麼題述構造是安全的。