Lower Bounds on Signatures from Symmetric Primitives
We show that every construction of one-time signature schemes from a random oracle achieves black-box security at most $2^{(1+o(1))q}$, where $q$ is the total number of oracle queries asked by the key generation, signing, and verification algorithms.…
Authors: Boaz Barak, Mohammad Mahmoody
Boaz Barak∗, Mohammad Mahmoody†
July 5, 2010

Abstract

We show that every construction of one-time signature schemes from a random oracle achieves black-box security at most $2^{(1+o(1))q}$, where $q$ is the total number of oracle queries asked by the key generation, signing, and verification algorithms. That is, any such scheme can be broken with probability close to 1 by a (computationally unbounded) adversary making $2^{(1+o(1))q}$ queries to the oracle. This is tight up to a constant factor in the number of queries, since a simple modification of Lamport's one-time signatures (Lamport '79) achieves $2^{(0.812-o(1))q}$ black-box security using $q$ queries to the oracle. Our result extends (with a loss of a constant factor in the number of queries) also to the random permutation and ideal-cipher oracles. Since the symmetric primitives (e.g. block ciphers, hash functions, and message authentication codes) can be constructed by a constant number of queries to the mentioned oracles, as a corollary we get lower bounds on the efficiency of signature schemes from symmetric primitives when the construction is black-box. This can be taken as evidence of an inherent efficiency gap between signature schemes and symmetric primitives.

1 Introduction

Digital signature schemes allow authentication of messages between parties without shared keys. Signature schemes pose an interesting disconnect between the worlds of theoretical and applied cryptography. From a theoretical point of view, it is natural to divide cryptographic tools into those that can be constructed using one-way functions and those that are not known to have such constructions. Signature schemes, along with private key encryption, message authentication codes, pseudorandom generators and functions, belong to the former camp.
In contrast, the known constructions of public key encryption are based on structured problems that are conjectured to be hard (i.e., problems from number theory or the theory of lattices). From a practical point of view, it is more natural to divide the tools according to the efficiency of their best known constructions. The division is actually similar, since schemes based on structured problems typically require both more complicated computations and larger key size, as they often have non-trivial attacks (e.g., because of the performance of the best known factoring algorithms, to get $2^n$ security based on factorization one needs to use $\tilde{\Omega}(n^3)$ bit long integers). Signature schemes are an outlier to this rule: even though they can be constructed using one-way functions, applied cryptographers consider them relatively inefficient, since practical constructions are based on structured hard problems and thus are significantly less efficient than private key encryption, message authentication codes, pseudorandom functions, etc. In particular, very high speed applications shun digital signatures in favor of message authentication codes,¹ even though the latter sometimes incur a significant cost in keeping shared private keys among the entities involved (e.g., see [PCTS00] and the references therein). The reason is that known constructions of such schemes from one-way functions or other unstructured primitives are quite inefficient. This problem already arises in one-time signatures [Rab78, Lam79, Mer87], which are a relaxation of digital signatures offering security only in the case that the attacker observes at most a single valid signature.

∗ Department of Computer Science, Princeton University. Email: boaz@cs.princeton.edu
† Department of Computer Science, Princeton University. Email: mohammad@cs.princeton.edu
The best known constructions for this case require $\Omega(k)$ invocations of the one-way function (or even a random oracle) to achieve $2^k$ security. In contrast, there are known constructions of message authentication codes, private key encryptions, and pseudorandom generators and functions that use only $O(1)$ queries to a random oracle. In this paper, we study the question of whether there exist more efficient constructions of signature schemes from symmetric primitives such as hash functions and block ciphers. We show, to a certain extent, that the inefficiency of the known constructions is inherent.

1.1 Our results

We consider the efficiency of constructions of one-time signatures using black boxes / oracles that model ideal symmetric primitives: the random oracle, the random permutation oracle, and the ideal cipher oracle (see Section 3 for definitions). We wish to study the security of such constructions as a function of the number of queries made to the oracle by the construction (i.e., by the generation, signing, and verification algorithms). Of course, we believe that one-time signatures exist, and so there are in fact signature schemes achieving super-polynomial security without making any query to the oracle. Hence we restrict ourselves to bounding the black-box security of such schemes. We say that a cryptographic scheme using oracle $O$ has black-box security $S$ if for every $1 \le T \le S$, a (potentially computationally unbounded) adversary that makes at most $T$ queries to $O$ cannot break the scheme with probability larger than $T/S$ (see Definition 3.6). Our main result is the following:

Theorem 1.1. Any one-time signature scheme for $n$-bit messages using at most $q \le n$ queries to a random oracle has black-box security at most $2^{(1+o(1))q}$, where $o(1)$ goes to zero with $q$.
This is in contrast to other primitives such as message authentication codes, collision resistant hash functions, private-key encryption, and pseudorandom functions, which can all be implemented using one or two queries to a random oracle with black-box security that depends exponentially on the length of these queries. We note that Theorem 1.1 is tight up to a constant factor in the number of queries, since a simple modification of Lamport's scheme [Lam79] yields $2^{(\alpha - o(1))q}$ black-box security, where $\alpha \sim 0.812$ is equal to $H(c)/(1+c)$, $H$ is the Shannon entropy function and $c = (3-\sqrt{5})/2$ (see Section 5). We also prove several extensions of the main result:

Other oracles. Since our goal is to find out whether signatures can be efficiently constructed from symmetric primitives, it makes sense to study also other primitives than the random oracle. Theorem 1.1 extends (with a loss of a constant factor in the number of queries) to the ideal cipher oracle and random permutation oracle, which are also sometimes used to model the idealized security of symmetric primitives such as block ciphers and one-way permutations.

Implementing the adversary in $BPP^{NP}$. The proof of Theorem 1.1 shows that for every $q$-query one-time signature scheme for $\{0,1\}^n$ from a random oracle, there is an adversary that breaks it with probability close to 1 using at most $\mathrm{poly}(q)\,2^q$ queries. However, the running time of this adversary can be higher than that. This is inherent, as otherwise we would be proving unconditionally the non-existence of one-time signature schemes.

¹ In contrast to digital signatures, which have a public verification key and a secret signing key, message authentication codes have a single key for both verification and signing, and hence that key must be kept private to maintain security.
However, we show that this adversary can be implemented in probabilistic polynomial time using an oracle to an NP-complete problem. Thus, similar to what Impagliazzo and Rudich [IR89] showed for key exchange, if there were a more efficient construction of signature schemes from random oracles with a proof of security relying on the adversary's efficiency, then this would also be a proof that $P \ne NP$.

Imperfect completeness. While the standard definition of signature schemes requires the verifier to accept valid signatures with probability 1, one can also consider relaxed variants where the verifier has some small positive probability of rejecting even valid signatures. We say that such signature schemes satisfy imperfect completeness. We can extend Theorem 1.1 to this case, though to get an attack succeeding with high probability we lose a quadratic factor in the number of queries.

Efficiency of the verifier. Because the signing and the verification algorithms are executed more often than the key generation algorithm, it makes sense to study their efficiency separately rather than just studying the total number of queries. Although in the construction for signature schemes that we will see later (see Section 5) the signing algorithm asks only one oracle query and the total number of queries is optimal up to a constant factor, the question about the efficiency of the verifier still remains. We show that (keeping the number of signing queries fixed to one) there is a tradeoff between the number of queries asked by the verification algorithm and the total number of queries, conditioned on getting certain black-box security.

Black-box constructions.
As mentioned above, all the symmetric primitives can be constructed from the random oracle, random permutation oracle, or ideal cipher oracle by only $O(1)$ queries, with exponential security in the length of the queries. Therefore, our lower bounds on signatures from ideal oracles yield as corollaries lower bounds on the efficiency of signatures from symmetric primitives when the construction is black box. This holds even when the one-way permutation used in the construction has $n/2$ hardcore bits. The latter answers a question raised by [GGKT05]. Our results reject the existence of black-box constructions unconditionally (similar to [HHRS07]), while the results of [GGKT05] show the existence of a one-way function as a consequence. We prove the strongest possible form of lower bound on the efficiency of black box constructions of signatures from symmetric primitives. Namely, we show that black-box constructions of signature schemes for $n$-bit messages based on exponentially hard symmetric primitives of security parameter $n$ need to make at least $\Omega(n)$ calls to the primitive.

Note on the random oracle model. Although the random oracle model [BR93] (and its cousin the ideal cipher model) is frequently used as an idealization of the properties enjoyed by certain constructions such as the SHA-1 hash function [Nat95] and the AES block cipher [DR02], it has drawn a lot of criticism as this idealization is not generally justified [CGH98]. However, for the sake of lower bounds (as is our concern here) this idealization seems appropriate, as it is a clean way to encapsulate all the attractive properties that could be obtained by constructions such as SHA-1, AES, etc.

Taxonomy of black-box reductions.
Reingold, Trevisan and Vadhan [RTV04] study various notions of "black-boxness" of security proofs in cryptography, according to whether a construction of a cryptographic tool based on an underlying primitive uses this primitive as a black box, and whether its security proof uses the adversary as a black box. Those definitions are not in the oracle model that we are concerned with here. They call a construction for primitive $A$ from primitive $B$ black-box if the implementation of $A$ uses $B$ as a black box. The security reduction which converts an adversary for the implementation of $A$ to an adversary for $B$ could have different levels of being black box.² However, in the oracle based constructions studied here, the implementation reduction is always forced to be black-box, and for the proof of security there is no security measure defined for the primitive used (i.e. the oracle) to which we could reduce the security of our construction. One common way to prove security for oracle based constructions is to rely on the statistical properties of the oracle and show that any (even computationally unbounded) adversary breaking the implementation needs to ask many queries of the oracle. This gives a quantitative security guarantee and is called a black-box proof of security in the oracle model. A non-black-box proof of security in this model is a proof showing that any adversary who runs in time $\mathrm{poly}(n, T)$, where $n$ is the input length and $T$ the number of oracle queries it asks, needs to ask many queries of the oracle. In this work, we give a lower bound on the number of queries needed to get black-box security $S$ for one-time signatures in various ideal oracle models, and also show that if $P = NP$, then this bound holds for non-black-box proofs of security as well.
We note that if one-way functions exist, then there do exist constructions making no query to the random oracle with super-polynomial non-black-box security. As we mentioned before, our lower bounds in the ideal oracle models yield some lower bounds on the efficiency of one-time signatures from symmetric primitives in the standard model of [RTV04]. We also note that there do exist cryptographic constructions that use the primitive [GMW86, GMW87] or the adversary [Bar01] in a non-black-box way, but at the moment all of the known highly efficient cryptographic constructions (e.g., those used in practice) are black box, in the sense that if they use a generic underlying primitive (i.e., not based on specific problems such as factoring) then it is used as a black box, and if they have a proof of security then the proof treats the adversary as a black box.

1.2 Prior work

To the best of our knowledge, this is the first lower bound on the number of random oracle queries needed to construct signature schemes. Starting with the seminal paper of Impagliazzo and Rudich [IR89], which showed that there is no construction of a key exchange protocol from a random oracle with super-polynomial black-box security, and therefore rejected black-box constructions of key exchange protocols from one-way functions, several works have investigated the existence of black-box constructions reducing one kind of cryptographic scheme to another. However, only a few works studied the efficiency of such constructions [KST99, GGKT05]. Of these, the most relevant is the paper by Gennaro, Gertner, Katz, and Trevisan [GGKT05].
They considered the efficiency of basing various cryptographic primitives on one-way permutations (OWP) secure against $S$-sized circuits, and proved that to achieve super-polynomial security (1) pseudorandom generators with $\ell$ bits of stretch require $\Omega(\ell/\log S)$ invocations of the OWP, (2) universal one-way hash functions compressing their input by $\ell$ bits require $\Omega(\ell/\log S)$ invocations, (3) private key encryption schemes for messages of length $n$ with key length $k$ require $\Omega((n-k)/\log S)$ invocations, and (most relevant for us) (4) one-time signature schemes for $n$-bit messages require $\Omega(n/\log S)$ invocations.³ However, the one-way permutation oracle used by [GGKT05] was very far from being a random oracle.⁴ Indeed, the applications (1), (2), and (3) can be implemented using only a constant number of calls to a random oracle, and correspondingly are considered to have efficient practical implementations. Thus, [GGKT05] did not answer the question of whether signature schemes can be efficiently constructed from efficient symmetric key primitives such as hash functions and block ciphers. It is this question that we are concerned with in this paper. Thus, on a technical level our work is quite different from [GGKT05] (as we work with a random oracle and cannot "tamper" with it to prove our lower bound) and in fact is more similar to the techniques in the original work of Impagliazzo and Rudich [IR89].

² It could be fully black-box, semi black-box, or non-black-box, and if the implementation reduction is black box, the whole construction is called (resp.) fully black-box, semi black-box, or weakly black-box.
We note that this work partially answers a question of [GGKT05], as it implies that any black-box construction of one-time signatures from a one-way permutation $p: \{0,1\}^n \to \{0,1\}^n$ with even $n/2$ hard-core bits requires at least $\Omega(n)$ queries to the permutation. Several works [Mer87, EGM89, Vau92, BM94, BM96] considered generalizations of Lamport's one-time signature scheme. Some of these achieve shorter keys and signatures, although their relation between the number of queries and security (up to a constant factor) is at most a constant factor better than Lamport's scheme (as we show is inherent).

2 Our techniques

We now give a high level overview of the ideas behind the proof of Theorem 1.1. Our description ignores several subtle issues, and the reader is referred to Section 4 for the full proof. To understand the proof of the lower bound,⁵ it is instructive to review the known upper bounds and in particular the simple one-time signature scheme of Lamport [Lam79]. To sign messages of length $n$ with security parameter $\ell$ using a random oracle $O$ (which we model as a random function from $\{0,1\}^\ell$ to $\{0,1\}^\ell$), the scheme works as follows:

• Generate the public verification key $VK$ by choosing $2n$ random strings $\{x_i^b\}_{i \in [n],\, b \in \{0,1\}}$ in $\{0,1\}^\ell$ and setting $VK$ to be the sequence $\{y_i^b\}_{i \in [n],\, b \in \{0,1\}}$ for $y_i^b = O(x_i^b)$.
• To sign a message $\alpha \in \{0,1\}^n$, simply reveal the preimages in the set $\{x_i^b\}_{i \in [n],\, b \in \{0,1\}}$ that correspond to the bits of $\alpha$. That is, the signature is $x_1^{\alpha_1}, \ldots, x_n^{\alpha_n}$.
• The verifier checks that indeed $O(x_i^{\alpha_i}) = y_i^{\alpha_i}$ for every $i \in [n]$.

This scheme uses $3n$ queries. It can be shown that it has $2^{\Omega(\ell)}$ security. Note that in this case the security can be arbitrarily large, independently of the number of queries.
Indeed, note that Theorem 1.1 requires that the number of queries $q$ is not larger than the length of the messages to be signed. Lamport's scheme can be easily modified to work for unbounded size messages by following the well known "hash-and-sign" paradigm: first use the random oracle to hash the message to length $k$, and then apply Lamport's scheme to the hashed value. This will result in a scheme with $3k+2$ queries and (by the birthday bound) $2^{k/2}$ black-box security (see Section 5 for some improvements). We see that now indeed the security is bounded by $2^{O(q)}$ (where $q = 3k+2$ is the number of queries), regardless of the length $\ell$ of the queries. The above discussion shows that to prove Theorem 1.1 we will need to use the fact that there is a large number of potential messages, which is indeed what we do. Note that the reason that the hash-and-sign variant of Lamport's scheme only achieves $2^{k/2}$ security is that if a pair of messages $\alpha, \beta$ satisfies $O_k(\alpha) = O_k(\beta)$ (where $O_k(x)$ denotes the first $k$ bits of $O(x)$), then they have the same signature, and so a signature for $\alpha$ allows an adversary to forge a signature on $\beta$. We will try to generalize this observation to arbitrary signature schemes.

³ Otherwise, we can construct a one-way function directly.
⁴ They considered an oracle that applies a random permutation on the first $t$ bits of its $n$-bit input, for $t \ll n$, and leaves the rest of the $n-t$ bits unchanged. This is a one-way permutation with $2^{\Omega(t)}$ security.
⁵ We use the terms "lower bound" and "upper bound" in their traditional crypto/complexity meaning of negative results vs. positive results. Of course one can view Theorem 1.1 as either upper-bounding the security or lower-bounding the number of queries.
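The two schemes just described, Lamport's one-time signature and its hash-and-sign variant, as an added worked example in Python (this is not code from the paper). A lazily sampled table stands in for the random oracle $O$ and counts queries, so the $3n$ and $3k+2$ query counts can be read off directly; a birthday search over messages then exhibits the collision $O_k(\alpha) = O_k(\beta)$ that makes the one legitimately obtained signature on $\alpha$ verify for $\beta$, which is exactly why the variant's security is capped at about $2^{k/2}$ oracle queries. All function names, the byte-level encoding of messages, the 128-bit oracle output and the toy choice $k = 8$ are this example's own assumptions.

```python
import secrets


class RandomOracle:
    """Lazily sampled random function O: {0,1}^ell -> {0,1}^ell (ell given in bytes).

    Constructed for this example. Besides answering queries it counts them, which is
    the quantity the paper's bounds are expressed in.
    """

    def __init__(self, ell_bytes: int = 16):
        self.ell_bytes = ell_bytes
        self.table: dict[bytes, bytes] = {}
        self.queries = 0

    def __call__(self, x: bytes) -> bytes:
        self.queries += 1
        if x not in self.table:
            self.table[x] = secrets.token_bytes(self.ell_bytes)
        return self.table[x]


def bits(msg: bytes, n: int) -> list[int]:
    """The first n bits of msg, most significant bit of each byte first."""
    return [(msg[i // 8] >> (7 - i % 8)) & 1 for i in range(n)]


# --- Plain Lamport for n-bit messages: 2n queries in Gen, 0 in Sign, n in Ver ---

def lamport_gen(O: RandomOracle, n: int):
    """Choose 2n random preimages x_i^b; VK is the list of their images y_i^b = O(x_i^b)."""
    sk = [[secrets.token_bytes(O.ell_bytes) for _ in (0, 1)] for _ in range(n)]
    vk = [[O(sk[i][b]) for b in (0, 1)] for i in range(n)]
    return sk, vk


def lamport_sign(sk, msg_bits: list[int]):
    """Reveal x_i^{alpha_i} for every bit of the message; no oracle query is needed."""
    return [sk[i][b] for i, b in enumerate(msg_bits)]


def lamport_verify(O: RandomOracle, vk, msg_bits: list[int], sig) -> bool:
    """Recompute O on every revealed preimage and compare with VK (n queries)."""
    if len(sig) != len(msg_bits):
        return False
    return all(O(x) == vk[i][b] for i, (b, x) in enumerate(zip(msg_bits, sig)))


# --- Hash-and-sign variant: hash the message to k bits with O_k, then sign the hash ---

def hs_gen(O: RandomOracle, k: int):
    return lamport_gen(O, k)


def hs_sign(O: RandomOracle, sk, k: int, msg: bytes):
    return lamport_sign(sk, bits(O(msg), k))            # one extra query for the hash


def hs_verify(O: RandomOracle, vk, k: int, msg: bytes, sig) -> bool:
    return lamport_verify(O, vk, bits(O(msg), k), sig)  # one extra query for the hash


def count_queries(gen, sign, verify, msg):
    """Run Gen/Sign/Ver on a fresh oracle and return (accepted, (gen, sign, ver) query counts)."""
    O = RandomOracle()
    sk, vk = gen(O)
    g = O.queries
    sig = sign(O, sk, msg)
    s = O.queries - g
    ok = verify(O, vk, msg, sig)
    v = O.queries - g - s
    return ok, (g, s, v)


def lamport_counts(n: int):
    msg = bits(secrets.token_bytes(n // 8 + 1), n)
    return count_queries(lambda O: lamport_gen(O, n),
                         lambda O, sk, m: lamport_sign(sk, m),
                         lambda O, vk, m, sig: lamport_verify(O, vk, m, sig), msg)


def hash_and_sign_counts(k: int):
    msg = secrets.token_bytes(16)
    return count_queries(lambda O: hs_gen(O, k),
                         lambda O, sk, m: hs_sign(O, sk, k, m),
                         lambda O, vk, m, sig: hs_verify(O, vk, k, m, sig), msg)


def birthday_collision_demo(k: int) -> dict:
    """Sample messages until two share O_k, then show the signature on one verifies for the other.

    The adversary requests a single signature (on alpha), as the one-time game allows, and
    succeeds on beta without any secret key; the sample count it needed is about 2^{k/2}.
    """
    O = RandomOracle()
    sk, vk = hs_gen(O, k)
    seen: dict[tuple, bytes] = {}
    samples = 0
    while True:
        m = secrets.token_bytes(O.ell_bytes)
        h = tuple(bits(O(m), k))
        samples += 1
        if h in seen and seen[h] != m:
            alpha, beta = seen[h], m
            break
        seen[h] = m
    sig_alpha = hs_sign(O, sk, k, alpha)
    return {"samples": samples, "distinct": alpha != beta,
            "forgery_verifies": hs_verify(O, vk, k, beta, sig_alpha)}


if __name__ == "__main__":
    print("Lamport n=8:", lamport_counts(8))            # (True, (16, 0, 8))  -> 3n = 24
    print("hash-and-sign k=8:", hash_and_sign_counts(8))  # (True, (16, 1, 9)) -> 3k+2 = 26
    print("birthday forgery:", birthday_collision_demo(8))
```

Run as a script, the first two lines report the per-algorithm query counts ($2n, 0, n$ and $2k, 1, k+1$); the third reports how many samples the birthday search needed, which for $k = 8$ is around $2^{k/2} = 16$ on average and never more than $2^k + 1$, and confirms that the forged pair verifies.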
For every such scheme $\mathcal{S}$ and two messages $\alpha, \beta$ (after fixing the oracle and the randomness of the system), we will say that "$\alpha$ is useful for $\beta$" if they satisfy a certain condition. Then (roughly speaking) we will prove that: (A) if $\alpha$ is useful for $\beta$ then a signature on $\alpha$ can be used to compute a signature on $\beta$ by asking at most $2^{O(q)}$ oracle queries (where $q$ is the total number of queries made by the scheme $\mathcal{S}$), and (B) if $\alpha$ and $\beta$ are chosen at random from a large enough space of messages, then $\alpha$ will be useful for $\beta$ with probability at least $2^{-O(q)}$. Together (A) and (B) imply that, as long as the space of possible messages is large enough, the black-box security of $\mathcal{S}$ is bounded by $2^{O(q)}$, since the adversary can find a useful pair of messages $\alpha, \beta$ with probability $2^{-q}$, ask for a signature on $\alpha$, and use that to forge a signature on $\beta$ by asking $2^q$ queries.⁶

Defining the usefulness condition. This proof strategy rests, of course, on the ability to find an appropriate condition "$\alpha$ is useful for $\beta$" for every one-time signature scheme $\mathcal{S}$. This is what we describe now. For now, we will assume that only the key generation algorithm of $\mathcal{S}$ is probabilistic, and that both the signing and verification algorithms are deterministic.⁷ For every fixed randomness for the generation algorithm, fixed oracle, and message $\alpha$, we define $G$, $S_\alpha$ and $V_\alpha$ to be the sets of queries made (resp.) by the generation, signing, and verification algorithms, where the last two are applied on the message $\alpha$.

First attempt. Observe that in the hash-and-sign variant of Lamport's scheme, $\alpha$ and $\beta$ have the same signature if $V_\alpha = V_\beta$. This motivates stipulating for every signature scheme that $\alpha$ is useful for $\beta$ if $V_\beta \subseteq V_\alpha$.
This definition satisfies Property (A) above: if we know all the queries that the verifier will make on a signature of $\beta$, then finding a signature that makes it accept can be done by an exponential-time exhaustive search that does not make any oracle queries at all. The problem is that it might not satisfy (B): it is easy to make the verifier ask, when verifying a signature for $\alpha$, a query that uniquely depends on $\alpha$, thus ensuring $V_\beta \not\subseteq V_\alpha$ for every distinct $\alpha, \beta$.

Second attempt. A natural intuition is that verifier queries that do not correspond to queries made by the generation algorithm are sort of "irrelevant"; after all, in Lamport's scheme all the queries the verifier makes are a subset of the queries made by the generation algorithm. Thus, we might try to define that $\alpha$ is useful for $\beta$ if $V_\beta \cap G \subseteq V_\alpha$. Since $G$ has at most $q$ queries, and so at most $2^q$ subsets, this definition satisfies Property (B): if $\alpha$ and $\beta$ are randomly chosen from a set of size $2^q$ then $\alpha$ will be useful for $\beta$ with probability at least $2^{-2q}$. Unfortunately, it does not satisfy Property (A): there is a signature scheme for which every pair of messages $\alpha, \beta$ satisfies this condition even when a signature for $\alpha$ cannot be used to forge a signature on $\beta$.⁸

Our actual condition. The condition we actually use, roughly speaking, is that $\alpha$ is useful for $\beta$ if

$V_\beta \cap (G \cup S_\alpha) \subseteq V_\alpha.$

⁶ The actual adversary we will show operates by asking $\mathrm{poly}(q)\,2^q$ queries, and it succeeds with probability almost 1; see the proof of Theorem 4.1.
⁷ We study the randomized verifier in Section 6.3, but assuming that the signer is deterministic is without loss of generality. That is because the key generator can give, through the secret key, a secret seed $s$ to the signer, and the signer would use $O(s, \alpha)$ as the randomness needed to sign the message $\alpha$.
(1)

Using Bollobás's Inequality [Bol65] (see the proof of Claim 4.7) it can be shown that condition (1) satisfies Property (B). It is less obvious why it satisfies Property (A); to see this we need to see how our adversary will operate. The high level description of our attack is as follows:

1. Input: Key Generation. The adversary receives the verification key $VK$.
2. Request Signature. Choose $\alpha \ne \beta \leftarrow_R \{0,1\}^n$ at random, and get $\sigma_\alpha$, the signature of $\alpha$.
3. Learning Oracle Queries. Run $Ver(VK, \alpha, \sigma_\alpha)$ to learn the set $V_\alpha$ of oracle queries that it asks and their answers. (Later we will modify this step somewhat, and ask some more oracle queries.)
4. Sampling a Possible Transcript. Conditioned on knowing $VK$, $\sigma_\alpha$, and the answers of $V_\alpha$, guess the value of $SK$, the sets $G$ and $S_\alpha$, and their answers. Let $\tilde{SK}$, $\tilde{G}$, and $\tilde{S}_\alpha$ be the guesses.
5. Forging. Sign the message $\beta$ by using $\tilde{SK}$ and sticking to the oracle answers guessed for queries in $\tilde{G} \cup \tilde{S}_\alpha$ to get $\sigma_\beta$. That is, if we wanted to ask an oracle query in $\tilde{G} \cup \tilde{S}_\alpha$, use the guessed answer, and otherwise ask the real oracle $O$. Output $\sigma_\beta$.

Note that the queries for which we might have guessed a wrong answer are in the set $(\tilde{G} \cup \tilde{S}_\alpha) \setminus V_\alpha$, because we made the guesses conditioned on knowing $V_\alpha$ and its answers. Suppose that during the verification of $(\beta, \sigma_\beta)$ none of these queries is asked of the oracle (i.e. $V_\beta \cap (\tilde{G} \cup \tilde{S}_\alpha) \subset V_\alpha$). Then we can pretend that our guesses were correct. That is, because the answers to different queries of a random oracle are independent, as far as the verifier is concerned our guesses could be right, and hence by definition the verification of $(\beta, \sigma_\beta)$ must accept with probability 1. The description of the attack above shows that a condition similar to condition (1), namely

$V_\beta \cap (\tilde{G} \cup \tilde{S}_\alpha) \subset V_\alpha,$ (2)

has Property (A).
But condition (2) might not have Property (B). We cope with this by ensuring that the attacker has sufficient information so that (essentially) whenever (1) happens, (2) also happens. This is accomplished by learning more oracle queries before making the guesses. Namely, we learn all the queries that are in the set $\tilde{G} \cup \tilde{S}_\alpha$ with some noticeable probability (conditioned on what we know about them). We then use a careful hybrid argument (which involves the most technical part of the proof) to show that after performing this learning, condition (2) occurs with probability at least as large as the probability that (1) occurs (up to some lower order terms). Thus our actual usefulness condition will be (2), though for the complete definition of the sets $\tilde{G}, \tilde{S}_\alpha$ involved in it, one needs to go into the details of the proof of Theorem 4.1.

⁸ Such an example can be obtained by the variant of Lamport's scheme where each signer uses the verification key $VK$ to sign a new verification key $VK'$ (the randomness for which is part of the secret key), and then signs the message using the secret key corresponding to $VK'$. In this case $V_\alpha \cap G = V_\beta \cap G$ for every pair $\alpha, \beta$, even if a signature on $\alpha$ cannot be used to compute a signature on $\beta$.

3 Preliminaries

3.1 Basic Probability Facts

We recall some simple but useful well known facts and definitions about random variables.

Definition 3.1. The statistical distance of two finite random variables $X, Y$, denoted by $SD(X, Y)$, is defined to be $\frac{1}{2}\sum_a |\Pr[X = a] - \Pr[Y = a]|$.

Lemma 3.2. If $A, B$ are random variables, and the event $E$ is defined over $\mathrm{Supp}(A) \cup \mathrm{Supp}(B)$ (where $\mathrm{Supp}(X)$ denotes the support of the random variable $X$), then $|\Pr[E(A)] - \Pr[E(B)]| \le SD(A, B)$.

Lemma 3.3.
If the random variable $A'$ is a function of the random variable $A$, and the random variable $B'$ is a function of $B$, then $SD(A', B') \le SD(A, B)$.

Lemma 3.4. If the event $E$ is defined over the random variable $A$, and the event $D$ is defined over the random variable $B$, and we have $SD(A|E, B|D) = 0$, then $SD(A, B) \le (\Pr[E] + \Pr[D])/2$.

By $U_n$ we mean the uniformly distributed random variable over $n$-bit strings.

3.2 Signature Schemes in Oracle Models

We define the notion of one-time signature schemes and their black-box security. We specialize our definition to the case that the signature schemes use an oracle $O$ that may also be chosen from some probability distribution. We use the standard notation $A^O(x)$ to denote the output of an algorithm $A$ on input $x$ with access to oracle $O$.

Definition 3.5. An oracle signature scheme (with perfect completeness) for $n$-bit messages is a triple of oracle algorithms $(Gen, Sign, Ver)$ (where $Gen$ could be probabilistic) with the following property: for every oracle $O$, if $(SK, VK)$ is a pair that is output by $Gen^O(1^n)$ with positive probability, then for every $\alpha \in \{0,1\}^n$, $Ver^O(VK, \alpha, Sign^O(SK, \alpha)) = 1$. We call $SK$ the signing key and $VK$ the verification key. One can also make a relaxed requirement that the verification algorithm only needs to accept valid signatures with probability $0.9$ (where this probability is over the verifier's coins only). We say that such relaxed signature schemes have imperfect completeness, and we will consider such schemes in Section 6.3. If the oracle algorithms of Definition 3.5 run in polynomial time, then we call the signature scheme efficient. Note that we consider (not necessarily efficient) signature algorithms on a finite set of messages.
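Before the security definitions, an added worked check of the probability facts of Section 3.1 (Definition 3.1 and Lemmas 3.2 and 3.3); this is example code, not part of the paper. It computes $SD$ exactly with rational arithmetic, brute-forces the gap $|\Pr[E(A)] - \Pr[E(B)]|$ over every event $E \subseteq \mathrm{Supp}(A) \cup \mathrm{Supp}(B)$ to show that the maximum is attained (by the event $\{a : \Pr[A = a] > \Pr[B = a]\}$) and never exceeds $SD(A, B)$, and pushes both distributions through a function to show that $SD$ cannot grow. The distributions `P`, `Q` and the map `MERGE` are constructed for the example.

```python
from fractions import Fraction
from itertools import combinations

# A finite random variable is represented by its distribution: element -> probability.
# Fractions keep every comparison exact (constructed representation for this example).

def statistical_distance(p: dict, q: dict) -> Fraction:
    """Definition 3.1: SD(X, Y) = 1/2 * sum_a |Pr[X = a] - Pr[Y = a]| over Supp(X) ∪ Supp(Y)."""
    support = set(p) | set(q)
    zero = Fraction(0)
    return Fraction(1, 2) * sum(abs(p.get(a, zero) - q.get(a, zero)) for a in support)


def event_gap(p: dict, q: dict, event) -> Fraction:
    """|Pr[E(A)] - Pr[E(B)]| for an event E given as a collection of support elements."""
    zero = Fraction(0)
    return abs(sum(p.get(a, zero) for a in event) - sum(q.get(a, zero) for a in event))


def max_event_gap(p: dict, q: dict):
    """Lemma 3.2 by exhaustion: the largest gap over all 2^|Supp| events, with the event attaining it.

    The returned gap equals SD(p, q): the maximiser is the set of elements that p weights
    more heavily than q, and no event can do better.
    """
    support = sorted(set(p) | set(q))
    best, best_event = Fraction(0), frozenset()
    for r in range(len(support) + 1):
        for event in combinations(support, r):
            g = event_gap(p, q, event)
            if g > best:
                best, best_event = g, frozenset(event)
    return best, best_event


def pushforward(p: dict, f) -> dict:
    """Distribution of f(A) when A is distributed as p (the A' of Lemma 3.3)."""
    out: dict = {}
    for a, pr in p.items():
        out[f(a)] = out.get(f(a), Fraction(0)) + pr
    return out


# Constructed sample distributions over the support {a, b, c}.
P = {"a": Fraction(1, 2), "b": Fraction(3, 10), "c": Fraction(1, 5)}
Q = {"a": Fraction(1, 5), "b": Fraction(3, 10), "c": Fraction(1, 2)}

# A function that merges a and c; it hides the only coordinates on which P and Q differ.
MERGE = lambda a: "x" if a in ("a", "c") else "y"


def check_lemmas(p: dict, q: dict, f) -> dict:
    """Return the quantities the lemmas relate, so the inequalities can be inspected."""
    sd = statistical_distance(p, q)
    gap, event = max_event_gap(p, q)
    sd_after = statistical_distance(pushforward(p, f), pushforward(q, f))
    return {"sd": sd, "max_gap": gap, "max_event": event,
            "lemma_3_2_holds": gap <= sd,
            "sd_after_f": sd_after, "lemma_3_3_holds": sd_after <= sd}


if __name__ == "__main__":
    for key, value in check_lemmas(P, Q, MERGE).items():
        print(f"{key}: {value}")
```

For `P` and `Q` the statistical distance is $3/10$, the best event is $\{a\}$ with exactly that gap, and after `MERGE` the two pushed-forward distributions coincide, so the distance drops to $0$; swapping `MERGE` for the identity leaves it at $3/10$, which is the equality case of Lemma 3.3.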
For upper bounds (i.e., positive results) one would want uniform efficient algorithms that could handle any size of message, but for a lower bound (i.e., a negative result) this simpler definition will do.

So far we have not said anything about security. In the following definition we specify the "game" in which the adversary participates and tries to break the system, and give a quantitative measure for the security.

Definition 3.6. For every $S \in \mathbb{N}$, the oracle signature scheme $(Gen, Sign, Ver)$ is a one-time signature scheme with black-box security $S$ if for every message $\alpha \in \{0,1\}^n$, every $1 \le T \le S$, and every adversary algorithm $A$ that makes at most $T$ queries to its oracle,

$\Pr[\,Ver(VK, \alpha^*, \sigma^*) = 1 \text{ where } (\alpha^*, \sigma^*) = A^O(VK, Sign^O(SK, \alpha)) \text{ and } \alpha^* \ne \alpha\,] \le \frac{T}{S},$

where $(SK, VK) = Gen^O(1^n)$, and this probability is over the coins of all algorithms ($Gen$, $Sign$, $Ver$, and $A$) and the choice of the oracle $O$. This is a slightly weaker definition of security than the standard definition, since we are not allowing the adversary to choose the message $\alpha$ based on the public key. However, this is again fine for lower bounds (the known upper bounds do satisfy the stronger definition). Also, some texts use $1/S$ (rather than $T/S$) as the bound on the success probability. Security according to either one of these definitions is always at most quadratically related, but we feel Definition 3.6 is more precise. In a non-black-box proof of security, the running time of the adversary is utilized in order to prove the security of the system:

Definition 3.7.
For every $S \in \mathbb{N}$, the oracle signature scheme $(\mathrm{Gen}, \mathrm{Sign}, \mathrm{Ver})$ is a one-time signature scheme with non-black-box security $S$ if for every message $\alpha \in \{0,1\}^n$, every $T \le S$, and every adversary algorithm $A_T$ that makes at most $T$ oracle queries and runs in time $\mathrm{poly}(n, T)$,
$$\Pr\big[\mathrm{Ver}(VK, \alpha^*, \sigma^*) = 1 \text{ where } (\alpha^*, \sigma^*) = A_T^O(VK, \mathrm{Sign}^O(SK, \alpha)) \text{ and } \alpha^* \ne \alpha\big] \le T/S,$$
where $(SK, VK) = \mathrm{Gen}^O(1^n)$, and this probability is over the coins of all algorithms ($\mathrm{Gen}$, $\mathrm{Sign}$, $\mathrm{Ver}$, and $A_T$) and the choice of the oracle $O$.

Oracles. In this work, as for the oracle signature schemes, we only use one of the following oracles:
(1) The random oracle returns on input $x \in \{0,1\}^n$ the value $f(x)$, where $f$ is a random function from $\{0,1\}^n$ to $\{0,1\}^n$ (footnote 9).
(2) The random permutation oracle returns on input $x \in \{0,1\}^n$ the value $f(x)$, where $f$ is a random permutation on $\{0,1\}^n$.
(3) The ideal cipher oracle with message length $n$ returns, on input $(k, x, d)$ where $k \in \{0,1\}^*$, $x \in \{0,1\}^n$ and $d \in \{F, B\}$, the value $f_k(x)$ if $d = F$ and $f_k^{-1}(x)$ if $d = B$, where for every $k \in \{0,1\}^*$, $f_k$ is a random permutation on $\{0,1\}^n$.
These three oracles are standard idealizations of (respectively) hash functions, one-way permutations, and block ciphers (see also Section 7).

4 Proof of the main result

Theorem 4.1. Let $(\mathrm{Gen}, \mathrm{Sign}, \mathrm{Ver})$ be a one-time oracle signature scheme (with perfect completeness) in the random oracle model for the space of messages $\mathcal{M}$, in which the total number of oracle queries asked by $\mathrm{Gen}$, $\mathrm{Sign}$, and $\mathrm{Ver}$ is at most $q$, and $|\mathcal{M}| \ge \binom{q}{q/2}/\lambda$. Then there is a (computationally unbounded) adversary which asks at most $O\big(q^2\binom{q}{q/2}/(\lambda\delta^2)\big) = O\big(q^{1.5}\,2^q/(\lambda\delta^2)\big)$ oracle queries and breaks the scheme with probability $1 - (\lambda + \delta)$.
This probability is over the randomness of the oracle as well as the coin tosses of the key generation algorithm and the adversary.

Theorem 4.1 implies Theorem 1.1 via the following corollary:

Footnote 9. More generally, $f$ can be a function from $n$ to $\ell(n)$ bits for some function $\ell : \mathbb{N} \to \mathbb{N}$, but using standard padding arguments we may assume $\ell(n) = n$.

Corollary 4.2. Let $(\mathrm{Gen}, \mathrm{Sign}, \mathrm{Ver})$ be a one-time oracle signature for the messages $\mathcal{M} = \{0,1\}^n$ in the random oracle model in which the total number of queries asked by the scheme is at most $q$, where $q \le n$. Then there is an adversary asking $2^{(1+o(1))q}$ queries that breaks the scheme with probability at least $1 - o(1)$, and at least $0.49$ for any $q \ge 1$.

Proof. Let $\delta = \lambda = \binom{q}{q/2}/2^q = \Theta(q^{-1/2}) = o(1)$, so we have $|\mathcal{M}| = 2^n \ge 2^q = \binom{q}{q/2}/\lambda$. Therefore we get an adversary asking $O\big(q^{3.5}\binom{q}{q/2}\big) = O(q^3\,2^q) = 2^{(1+o(1))q}$ queries that breaks the scheme with probability $1 - o(1)$. Thus the black-box security of the scheme is at most $2^{(1+o(1))q}/(1 - o(1)) = 2^{(1+o(1))q}$. For any $q \ge 1$, $\lambda$ can be as small as $\binom{1}{0}/2^1 = 1/2$, and by taking $\delta = 0.01$ the success probability will be at least $0.49$.

We now turn to proving Theorem 4.1. Let $(\mathrm{Gen}, \mathrm{Sign}, \mathrm{Ver})$ be as in the theorem's statement. We assume that only $\mathrm{Gen}$ is probabilistic, and that $\mathrm{Sign}$ and $\mathrm{Ver}$ are deterministic. We also assume that all the oracle queries are of length $\ell$. Since we assume the signature has perfect completeness, these assumptions can easily be shown to be without loss of generality. (In the case of imperfect completeness the verifier algorithm is inherently probabilistic; this case is studied in Section 6.3.) We will show an adversary that breaks the signature system with probability $1 - (\lambda + O(\delta))$, which implies Theorem 4.1 by simply changing $\delta$ to $\delta/c$ for some constant $c$.

The adversary's algorithm.
Our adversary $\mathrm{Adv}$ will operate as follows:

Input: Key generation. The adversary receives a verification key $VK$, where $(VK, SK) = \mathrm{Gen}(1^n)$.

Step 1: Request signature. Let $\beta_0, \ldots, \beta_{N-1}$ denote the first $N = \binom{q}{q/2}/\lambda$ distinct messages (in lexicographic order) in $\mathcal{M}$. Let $\alpha_0, \ldots, \alpha_{N-1}$ be a random permutation of $\beta_0, \ldots, \beta_{N-1}$. $\mathrm{Adv}$ asks for a signature on $\alpha_0$ and verifies it (note that $\alpha_0$ is chosen independently of the public key). We denote the obtained signature by $\sigma_0$, and we denote by $T_0$ the transcript of the algorithms run so far, which includes the random tape of the key generation algorithm, all the queries made by the key generation, signing, and verification algorithms, and the answers to these queries. So $T_0$ completely describes the running of the algorithms so far. (Note that $\mathrm{Adv}$ only has partial information on $T_0$.)

Step 2: Learning query/answer pairs. We denote by $L_0$ the information that $\mathrm{Adv}$ currently has on the oracle $O$ and the randomness of the generation algorithm: that is, $L_0$ consists of $VK$, $\sigma_0$ and the queries made by the verifying algorithm $\mathrm{Ver}$ on input $VK, \sigma_0$, along with the answers to these queries. Let $\epsilon = \delta/(qN)$ and $M = q/(\epsilon\delta) = q^2 N/\delta^2$. For $i = 1, \ldots, M$, do the following:
1. Let $D_{i-1}$ be the distribution of $T_0$, the transcript of the first step, conditioned on only knowing $L_{i-1}$.
2. We let $Q(L_{i-1})$ denote the queries appearing in $L_{i-1}$. If there exists a string $x \in \{0,1\}^\ell \setminus Q(L_{i-1})$ that is queried with probability at least $\epsilon$ in $D_i$, then $\mathrm{Adv}$ lets $L_i$ be $L_{i-1}$ concatenated with the query/answer pair $(x_i, O(x_i))$, where $x_i$ is the lexicographically first such string. Otherwise, $L_i = L_{i-1}$.

Step 3: Sampling a possible transcript. $\mathrm{Adv}$ generates a random transcript $\tilde{T}_0$ according to the distribution $D_M$.
Note that $\tilde{T}_0$ also determines a secret signing key, which we denote by $\widetilde{SK}$ ($\widetilde{SK}$ may or may not equal the "true" signing key $SK$). $\tilde{T}_0$ may also determine some query/answer pairs that were not in $L_M$, and hence may not agree with the actual answers of the "true" oracle $O$. We denote by $\tilde{O}$ the oracle that on input $x$, if $x$ appears as a query in $\tilde{T}_0$, outputs the corresponding answer as $\tilde{O}(x)$, and otherwise $\tilde{O}(x) = O(x)$.

Step 4: Forging. For every $j = 1, \ldots, N-1$, $\mathrm{Adv}$ uses $\widetilde{SK}$ and the oracle $\tilde{O}$ to compute a signature on the message $\alpha_j$, which it then tries to verify, this time using $VK$ and the "true" oracle $O$. $\mathrm{Adv}$ outputs the first signature that passes verification.

Analysis. The number of queries asked during the attack is at most $M + qN = q^2N/\delta^2 + qN \le 2q^2N/\delta^2 = O\big(q^2\binom{q}{q/2}/(\lambda\delta^2)\big)$. To analyze the success probability of $\mathrm{Adv}$ we will prove the following lemma:

Lemma 4.3. For every $j \in [0..N-1]$, let $V_j$ denote the set of queries made by $\mathrm{Adv}$ when verifying the signature on $\alpha_j$. Let $\tilde{G}$ and $\tilde{S}_0$ be the sets of queries made by the generation and signing algorithms according to the transcript $\tilde{T}_0$. For every $j \ge 1$, let $E_j$ be the event that $V_j \cap (\tilde{G} \cup \tilde{S}_0) \subseteq V_0$. Then, $\Pr\big[\bigcup_{j \in [1..N-1]} E_j\big] = 1 - (\lambda + 2\delta)$.

Note that the event $E_j$ corresponds to the condition that "$\alpha_0$ is useful for $\alpha_j$" described in Section 2. Lemma 4.3 implies Theorem 4.1 since if the event $E_j$ holds, then when verifying the signature for $\alpha_j$ the verifier never asks a query on which the oracles $O$ and $\tilde{O}$ differ (these oracles can differ only on queries in $(\tilde{G} \cup \tilde{S}_0) \setminus V_0$). But if the verifier uses the same oracle $\tilde{O}$ used by the generation and signing algorithms, then by the definition of a signature scheme it must accept the signature.
4.1 Proof of Lemma 4.3

It turns out that using known combinatorial techniques, one can show that $\bigcup_j E_j$ holds with high probability if all signatures and verifications were to use the "true" oracle $O$ and signing key $SK$ (as opposed to $\tilde{O}$ and $\widetilde{SK}$). The idea behind the proof is to show that this holds in our case using a hybrid argument. Specifically, we define four distributions $H_0, H_1, H_2, H_3$, where $H_0$ corresponds to $\tilde{T}_0$ joint with all the oracle queries/answers that the adversary gets during the signing and verification algorithms on $\alpha_j$ for $j \ge 1$ (we call this information the transcript of the experiment), and $H_3$ corresponds to $T_0$ (the real transcript of the first step) joint with the rest of the system's transcript if we use the "true" oracle and signing key (so the adversary is not doing anything in generating $H_3$). We will prove the lemma by showing that the probability of $\bigcup_j E_j$ is almost the same in all these four distributions.

Definition of hybrid distributions. The four hybrid distributions $H_0, \ldots, H_3$ are defined as follows:

$H_0$: This is the distribution of $\tilde{T}_0, T_1, \ldots, T_{N-1}$, where $\tilde{T}_0$ denotes the transcript sampled by $\mathrm{Adv}$ in Step 3, while $T_j$ (for $j \ge 1$) denotes the transcript of the $j$th signature (i.e., the queries and answers of the signing and verification algorithms on $\alpha_j$) as generated by $\mathrm{Adv}$ in Step 4. Note that $T_0$ and $\tilde{T}_0$ also describe the running of the key generation, while $T_j$ for $j \ge 1$ do not.

$H_1$: This is the same distribution as $H_0$, except that now in Step 4 of the attack the adversary uses the modified oracle $\tilde{O}$ for both signing and verifying the signatures on $\alpha_1, \ldots, \alpha_{N-1}$ (recall that in $H_0$ the oracle $\tilde{O}$ is only used for signing).
$H_2$: This is the same distribution as $H_1$, except that we make a slight modification in the definition of $\tilde{O}$: for every query $x$ that was asked by the generation, signing, and verification algorithms in the Input step and Step 1 (i.e., for every query in $T_0$), we answer with $O(x)$ only if $x$ also appears in $L_M$. Otherwise, we answer this query with a completely random value. Note that all the queries of the verification are in $L_0$ and so in $L_M$ as well. In other words, $\tilde{O}$ agrees with $O$ on all the queries that $\mathrm{Adv}$ has asked from $O$ up to the end of Step 2, and all the others are answered completely at random.

$H_3$: This is the same distribution as the previous ones, with the difference that $\tilde{T}_0$ is chosen equal to $T_0$ (and so there is no point in Step 2 of the attack, nor in defining $\tilde{O}$ anymore). In other words, this is the transcript (randomness and all query/answer pairs) of the following experiment: (1) generate signing and verification keys $(SK, VK)$ using a random oracle $O$; (2) for $j = 0, \ldots, N-1$, sign $\alpha_j$ and verify the signature using $SK$, $VK$ and $O$.

Note that the hybrid distributions $H_i$ are over the coin tosses of the oracle, the key generation algorithm, and the adversary. Lemma 4.3 follows immediately from the following claims:

Claim 4.4. $\Pr_{H_0}[\bigcup_{j \ge 1} E_j] = \Pr_{H_1}[\bigcup_{j \ge 1} E_j]$.

Claim 4.5. $\mathrm{SD}(H_1, H_2) \le 2\delta$. Thus, $\Pr_{H_1}[\bigcup_{j \ge 1} E_j] \ge \Pr_{H_2}[\bigcup_{j \ge 1} E_j] - 2\delta$.

Claim 4.6. $H_2 \equiv H_3$. Thus, $\Pr_{H_2}[\bigcup_{j \ge 1} E_j] = \Pr_{H_3}[\bigcup_{j \ge 1} E_j]$.

Claim 4.7. $\Pr_{H_3}[\bigcup_{j \ge 1} E_j] \ge 1 - \lambda$.

4.2 Proof of Claims 4.4 to 4.7

We now complete the proof of Lemma 4.3 by proving Claims 4.4 to 4.7.

Claim 4.4 (Restated). $\Pr_{H_0}[\bigcup_{j \ge 1} E_j] = \Pr_{H_1}[\bigcup_{j \ge 1} E_j]$.

Proof. Suppose we sample the hybrid distributions $H_0$ and $H_1$ using the same oracle $O$, the same randomness for key generation, and the same randomness for the adversary.
Then it is easy to see that for any $j$, the event $E_j$ holds for $H_0$ iff it holds for $H_1$, and so does the event $\bigcup_{j \ge 1} E_j$. This shows that the probability of $\bigcup_{j \ge 1} E_j$ happening is the same in both distributions.

Claim 4.5 (Restated). $\mathrm{SD}(H_1, H_2) \le 2\delta$. Thus, $\Pr_{H_1}[\bigcup_{j \ge 1} E_j] \ge \Pr_{H_2}[\bigcup_{j \ge 1} E_j] - 2\delta$.

Proof. Let $B$ be the event that $\mathrm{Adv}$ asks a query in $Q(T_0) \setminus Q(L_M)$, where $Q(T_0)$ denotes the queries in the transcript $T_0$. It is easy to see that, conditioned on $B$ not happening, $H_1$ and $H_2$ are identically distributed. That is because if we use the same randomness for key generation, oracle and adversary in the sampling of $H_1$ and $H_2$, then conditioned on $B$ not happening (in both of them), the values of $H_1$ and $H_2$ are equal. In particular this shows that the probability of $B$ is the same in both distributions. Therefore the statistical distance between $H_1$ and $H_2$ is bounded by the probability of $B$. In the following we show that $\Pr_{H_2}[B] \le 2\delta$; all the probabilities below are in the experiment for $H_2$. Let $\epsilon, \delta$ and $M$ be as in Step 2 of $\mathrm{Adv}$: $\epsilon = \delta/(qN)$ and $M = q/(\epsilon\delta)$. We start by showing $\Pr[C] \le \delta$, where the event $C$ is defined as

$C$: there exists $x \notin Q(L_M)$ that is queried in $D_M$ with probability $\ge \epsilon$,

and $D_i$ is defined, as in Step 2 of $\mathrm{Adv}$, to be the distribution of the transcript of the first signature conditioned on the information in $L_i$.

Proof of $\Pr[C] \le \delta$. For every possible query $x$ to the random oracle, let $q_x$ denote the probability, taken over both the random oracle and the randomness used by $\mathrm{Gen}$ and $\mathrm{Adv}$, that $x$ is queried when generating a key and then signing and verifying $\alpha_0$. Then $\sum_x q_x \le q$ (*), since this sum is the expected number of queries in this process. Let $p_x$ denote the probability that $x$ is learned at some iteration of Step 2. Then $q_x \ge \epsilon p_x$ (**).
Indeed, if $A_i$ is the event that $x$ is learned at the $i$th iteration, then since these events are disjoint, $q_x = \Pr[x \text{ is queried}] \ge \sum_{i=1}^{M} \Pr[x \text{ is queried} \mid A_i]\Pr[A_i]$. But by definition of the learning process, $\Pr[x \text{ is queried} \mid A_i] \ge \epsilon$, and hence $q_x \ge \epsilon\sum_{i=1}^{M}\Pr[A_i] = \epsilon p_x$. But the event $C$ only occurs if $M$ distinct queries are learned in Step 2. Hence, if it happens with probability more than $\delta$, then the expected number of queries learned, which is $\sum_x p_x$, is larger than $\delta M$. Yet combining (*) and (**), we get that $\delta M < \sum_x p_x \le \sum_x q_x/\epsilon \le q/\epsilon$, contradicting the fact that $M = q/(\epsilon\delta)$.

Now we will show that $\Pr[B \mid \neg C] \le \delta$, which means that $\Pr[B] \ge \Pr[\neg C]\Pr[B \mid \neg C] \ge (1-\delta)^2 > 1 - 2\delta$. Note that $\mathrm{Adv}$ performs all its operations in Step 4 based solely on the information in $L_M$, and the answers chosen for the queries in $Q(T_0) \setminus Q(L_M)$ do not affect it (because even if queries in $Q(T_0) \setminus Q(L_M)$ are asked by $\mathrm{Adv}$, they will be answered at random). So the value of $H_2$ is independent of $T_0$, conditioned on knowing $L_M$. Thus, instead of thinking of $T_0$ being chosen first, then $L_M$ computed and then all queries of Step 4 being performed, we can think of $L_M$ being chosen first, then $\mathrm{Adv}$ running Step 4 based on $L_M$ to sample $H_2$, and then $T_0$ being chosen conditioned on $L_M$ and $H_2$. But because of the independence of $T_0$ and $H_2$ conditioned on $L_M$, the distribution of $T_0$ conditioned on $L_M$ and $H_2$ is the one conditioned on $L_M$ alone, which is the distribution $D_M$. Now assume that $L_M$ makes the event $\neg C$ happen (note that $C$ is defined by $L_M$). Since at most $qN$ queries are made in Step 4, and $C$ has not happened, when $T_0$ is chosen from $D_M$ the probability that $Q(T_0) \setminus Q(L_M)$ contains one of these queries is at most $\epsilon qN = \delta$. Therefore we get $\Pr[B \mid \neg C] \le \delta$, and $\Pr[B] < 2\delta$.

Claim 4.6 (Restated). $H_2 \equiv H_3$.
Thus, $\Pr_{H_2}[\bigcup_{j \ge 1} E_j] = \Pr_{H_3}[\bigcup_{j \ge 1} E_j]$.

Proof. In the sampling of $H_3$ we can think of $L_M$ being chosen first (although it is not needed), then $T_0$ being chosen conditioned on $L_M$ (i.e., from the distribution $D_M$), and then Step 4 of the experiment being performed while any query in $Q(L_M) \cup Q(T_0)$ is answered according to $L_M$ and $T_0$, and any other query is answered randomly. (That is, we sample $L_M$ and $T_0$ in the reverse order.) The point is that during the sampling process of $H_2$ we are doing exactly the same thing. Again, we sample $L_M$ first. Then $\tilde{T}_0$ is chosen from the distribution $D_M$. Then Step 4 is performed while any query in $Q(L_M) \cup Q(\tilde{T}_0)$ is answered according to $L_M$ and $\tilde{T}_0$, and all other queries (even the ones in $Q(T_0) \setminus Q(L_M)$) are answered randomly. Therefore $H_2$ and $H_3$ have the same distribution.

Claim 4.7 (Restated). $\Pr_{H_3}[\bigcup_{j \ge 1} E_j] \ge 1 - \lambda$.

Proof. We will prove that this holds for every fixed oracle and randomness of all parties, as long as the permutation $\alpha_0, \ldots, \alpha_{N-1}$ is chosen at random. For every fixing of the oracle and randomness and every $j \in [0..N-1]$, let $U_j = G \cup S_{\beta_j}$ denote the set of queries made by either the key generation algorithm or the signing algorithm for message $\beta_j$, and let $V_j$ be the set of queries made by the verification algorithm while verifying this signature. The proof will follow from this fact:

Combinatorial Lemma: If $U_1, \ldots, U_K, V_1, \ldots, V_K$ are subsets of some universe satisfying $|U_i| + |V_i| \le q$ and $U_i \cap V_j \not\subseteq V_i$ for every $i \ne j$, then $K \le \binom{q}{q/2}$.

The Combinatorial Lemma immediately implies Claim 4.7. Indeed, for every $i, j$ with $i \ne j$, define the event $E_{i,j}$ to hold if $U_i \cap V_j \subseteq V_i$.
Then there must be at least $N - \binom{q}{q/2} = N(1-\lambda)$ indices $i$ (i.e., a $1-\lambda$ fraction of them) such that $E_{i,j}$ holds for some $j$ (otherwise we could remove all such $i$'s and obtain a family of size larger than $\binom{q}{q/2}$, contradicting the Combinatorial Lemma). But if we choose a permutation $\alpha_0, \ldots, \alpha_{N-1}$ such that $\alpha_0 = \beta_i$ for such an $i$, then the event $\bigcup_j E_j$ holds. Thus, all that is left to prove is the Combinatorial Lemma. It essentially follows from Bollobás's Inequality [Bol65], but we repeat the argument here. Assume for the sake of contradiction that there is a family $U_1, \ldots, U_K, V_1, \ldots, V_K$ satisfying the conditions of the lemma with $K > \binom{q}{q/2}$. First, we can remove any elements from $U_i$ that are also in $V_i$, since this will not hurt any of the conditions. It means that now we have: for every $i, j$, $U_i \cap V_j = \emptyset$ iff $i = j$. Now take a random ordering of the universe $W = \bigcup_i (U_i \cup V_i)$, and let $A_i$ be the event that all the members of $U_i$ occur before the members of $V_i$ in this order. The probability of $A_i$ is
$$\frac{|U_i|!\,|V_i|!}{(|U_i| + |V_i|)!} = 1\Big/\binom{|U_i| + |V_i|}{|V_i|} \ge 1\Big/\binom{q}{|V_i|} \ge 1\Big/\binom{q}{q/2}.$$
Hence if $K > \binom{q}{q/2}$, there is a positive probability that both $A_i$ and $A_j$ hold for some $i \ne j$. But it is not hard to see that in that case either $U_i$ and $V_j$ are disjoint or $U_j$ and $V_i$ are disjoint, contradicting our hypothesis.

5 A One-Time Signature Scheme

The following theorem shows that Theorem 1.1 is tight up to a constant factor in the number of queries.

Theorem 5.1. There is a one-time signature scheme $(\mathrm{Gen}, \mathrm{Sign}, \mathrm{Ver})$ for messages $\{0,1\}^*$, using a total of $q$ queries to a random oracle, that has security $2^{(0.812 - o(1))q}$, where $o(1)$ is a term tending to $0$ with $q$.

Proof.
The scheme is basically Lamport's scheme [Lam79] with two changes: (1) we use a more efficient anti-chain (family of incomparable sets) than Lamport's scheme (a well-known optimization), and (2) we use a secret "salt" value for the hash function to prevent a birthday attack.

The Scheme Description. Let $c = (3 - \sqrt{5})/2$ and let $k$ be such that $(1 + c)k + 4 = q$.
• Generate the keys by choosing $k$ random strings $x_i \in \{0,1\}^{q+i}$ for $0 \le i \le k-1$, and an additional random string $z \in \{0,1\}^{2q}$ (footnote 10). The secret key consists of these values, and the public key is $O(x_1), \ldots, O(x_k), O(z)$.
• Let $h(\alpha)$ be the first $\log\binom{k}{ck}$ bits of $O(z, \alpha)$, which we identify with a $ck$-sized subset of $\{0, \ldots, k-1\}$. The signature of $\alpha$ consists of $\{x_i\}_{i \in h(\alpha)}$ and the string $z$.
• To verify a signature, we first verify that $O(z)$ is equal to its alleged value, then we ask $O(z, \alpha)$ to learn $h(\alpha)$, and then we ask $ck$ more queries to check that the released strings are indeed preimages of the corresponding entries of the public key indexed by $h(\alpha)$.

The number of queries is $q = (1 + c)k + 4$, while, as we will see, the security is at least $\Omega\big(\binom{k}{ck}\big) = 2^{(H(c) - o(1))k} = 2^{\frac{H(c) - o(1)}{1 + c}\, q} > 2^{(0.812 - o(1))q}$, where $H(\cdot)$ is the Shannon entropy function.

Footnote 10. If we choose all of them from $\{0,1\}^q$ the scheme is still as secure as we claimed, but then the analysis is simpler.

Let $T$ be the total number of oracle queries asked by the adversary, and let $\alpha \ne \beta$ be (in order) the message for which she asks a signature and the message for which she tries to forge a signature. We assume without loss of generality that $T < 2^{q-1}$, because $2^{q-1} \gg \binom{k}{ck}$. We divide the winning cases for the adversary into three cases:

1.
The adversary chooses some $z' \in \{0,1\}^{2q}$, $z' \ne z$, such that $O(z) = O(z')$, alleged to be the real $z$ in the signature of $\beta$.
2. The adversary uses the real $z$ in the signature of $\beta$ and $h(\alpha) = h(\beta)$.
3. The adversary uses the real $z$ in the signature of $\beta$ and $h(\alpha) \ne h(\beta)$.

We will show that the probability that the adversary wins conditioned on being in case 3 is at most $O\big(T/\binom{k}{ck}\big)$, and that the probability that either case 1 or case 2 happens at all is also at most $O\big(T/\binom{k}{ck}\big)$. So the total probability of winning for the adversary will be at most $O\big(T/\binom{k}{ck}\big)$ as well.

In case 1, even if we reveal $z$ to the adversary in the first place (the $x_i$'s are irrelevant), she has a chance of at most $(1 + T)/2^q$ to find some $z' \ne z$ such that $O(z) = O(z')$. That is because she gets to know at most $T$ oracle query/answer pairs (other than $\langle z, O(z)\rangle$), and the probability that she gets $O(z)$ in one of them is at most $T/2^q$. If she does not see $O(z)$ as an oracle answer, she needs to guess $z'$ blindly, which succeeds with probability at most $1/2^q$.

In case 2, we reveal all $x_i$'s to the adversary at the beginning, although they are indeed irrelevant to finding a pair $\alpha \ne \beta$ such that $h(\alpha) = h(\beta)$ (because they are of length $< 2q$). Before the adversary gives us $\alpha$, she asks at most $T$ queries of length $2q$. So the probability that she gets some $z' \in \{0,1\}^{2q}$ such that $O(z') = O(z)$ is at most $T/2^{2q} = o\big(T/\binom{k}{ck}\big)$. Let us assume that this has not happened. So we can pretend that when we receive $\alpha$, the value of $z$ is chosen at random, different from the members of $\{0,1\}^{2q}$ that have been asked from the oracle by $\mathrm{Adv}$. Thus, the probability that any adversary's query so far with length more than $2q$ has the prefix $z$ will be at most $T/(2^q - T) < T/2^{q-1} = O\big(T/\binom{k}{ck}\big)$.
It means that with probability $1 - O\big(T/\binom{k}{ck}\big)$, no query asked from the oracle so far has $z$ as a prefix. Assuming this is the case, when we ask the query $(z, \alpha)$ from the oracle, $h(\alpha)$ is chosen uniformly at random from $\{0,1\}^{\log\binom{k}{ck}}$. Hence, if the adversary asks $T$ more oracle queries of the form $(z, \gamma)$ where $\gamma \ne \alpha$, one of them will give $h(\gamma) = h(\alpha)$ with probability at most $T/\binom{k}{ck}$, and if it does not happen for any of them, a blind guess $\beta$ by the adversary will give $h(\alpha) = h(\beta)$ with probability $1/\binom{k}{ck}$. So the probability that the adversary obtains $\alpha \ne \beta$ with $h(\alpha) = h(\beta)$ is at most $O\big(T/\binom{k}{ck}\big)$.

In case 3, there always is some $i \in h(\beta) \setminus h(\alpha)$. We choose the smallest such $i$, call it $i_0$, and change the game slightly by revealing $z$ to $\mathrm{Adv}$ from the beginning and revealing all $x_j$'s for $j \ne i_0$ to her after she gives us $\beta$. This can only increase her chance of success (although they are irrelevant because they have different lengths). For any fixed $i \in \{0, \ldots, k-1\}$, we show that the probability of the adversary finding a preimage for $O(x_i)$ conditioned on $i = i_0$ is at most $(T + 1)/2^{q + i_0} < (T + 1)/2^q$ (which is necessary for her to win), and then by the union bound the probability of success for the adversary in this case will be at most $k(T + 1)/2^q = O\big(T/\binom{k}{ck}\big)$. The reason is that the adversary can ask at most $T$ oracle queries after we reveal, in order to find a preimage for $O(x_{i_0})$. The probability that for one of the queries $x$ among these $T$ queries she asks we have $O(x_i) = O(x)$ is at most $T/2^{q + i_0}$, and when this does not happen, the adversary has to guess a preimage for $O(x_i)$ blindly, which will be correct with probability $1/2^{q + i_0}$.

The constant $c$ in the description of the scheme maximizes $\binom{k}{ck}$, conditioned on $q \approx (1 + c)k$.
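The scheme just described, as an added example that is not the paper's code: a toy instance in Python with SHA-256 standing in for the random oracle, all $x_i$ of one common length (the footnote's simplification), and the subset size $ck$ and the rounding of $\log\binom{k}{ck}$ chosen here. It counts oracle queries to check the $(1 + c)k + 4$ accounting and exercises case 3 of the proof, where a signature on $\alpha$ cannot be reused for a $\beta$ with $h(\beta) \ne h(\alpha)$.

```python
"""Salted Lamport one-time signature with an anti-chain (fixed-size subset) encoding.
Added illustration; assumptions: SHA-256 models the random oracle O, every x_i has
the same length (the paper uses q+i bits), and m = ck is supplied as an integer."""
import hashlib
import math
import secrets
from dataclasses import dataclass


class CountingOracle:
    """Stand-in for O: SHA-256 over length-prefixed parts, with a query counter so the
    budget q = (1 + c)k + 4 from the text can be checked."""

    def __init__(self) -> None:
        self.queries = 0

    def query(self, *parts: bytes) -> bytes:
        self.queries += 1
        hasher = hashlib.sha256()
        for part in parts:  # length prefixes keep O(z) and O(z, alpha) unambiguous
            hasher.update(len(part).to_bytes(4, "big"))
            hasher.update(part)
        return hasher.digest()


@dataclass(frozen=True)
class Params:
    k: int          # number of secret strings x_0 .. x_{k-1}
    m: int          # subset size ck (the paper takes c = (3 - sqrt 5)/2)
    sec_bytes: int  # length of each x_i; the salt z is twice as long

    @property
    def bits(self) -> int:
        # first log2 C(k, m) bits of O(z, alpha) pick the subset; rounding down keeps
        # an anti-chain of at least C(k, m)/2 distinct m-subsets (choice made here)
        return math.floor(math.log2(math.comb(self.k, self.m)))


def unrank_subset(r: int, k: int, m: int) -> frozenset:
    """Combinatorial number system: r in [0, C(k, m)) -> m-subset of {0..k-1}.
    Distinct r give distinct equal-size subsets, so no subset contains another."""
    chosen = []
    for i in range(k):
        if len(chosen) == m:
            break
        with_i = math.comb(k - i - 1, m - len(chosen) - 1)  # subsets taking i next
        if r < with_i:
            chosen.append(i)
        else:
            r -= with_i
    return frozenset(chosen)


def h(p: Params, oracle: CountingOracle, z: bytes, alpha: bytes) -> frozenset:
    """h(alpha): the ck-subset encoded by the leading bits of O(z, alpha). One query."""
    r = int.from_bytes(oracle.query(z, alpha), "big") >> (256 - p.bits)
    return unrank_subset(r, p.k, p.m)


def keygen(p: Params, oracle: CountingOracle, rand=secrets.token_bytes):
    """k + 1 queries: commit to every x_i and to the salt z."""
    xs = [rand(p.sec_bytes) for _ in range(p.k)]
    z = rand(2 * p.sec_bytes)
    return (xs, z), ([oracle.query(x) for x in xs], oracle.query(z))


def sign(p: Params, oracle: CountingOracle, sk, alpha: bytes):
    """1 query: release z and the preimages indexed by h(alpha)."""
    xs, z = sk
    return z, {i: xs[i] for i in h(p, oracle, z, alpha)}


def verify(p: Params, oracle: CountingOracle, vk, alpha: bytes, sig) -> bool:
    """2 + ck queries on an honest signature: O(z), O(z, alpha), ck preimage checks."""
    ys, yz = vk
    z, revealed = sig
    if oracle.query(z) != yz:
        return False
    subset = h(p, oracle, z, alpha)
    if set(revealed) != set(subset):
        return False
    return all(oracle.query(revealed[i]) == ys[i] for i in subset)


def query_budget(p: Params, alpha: bytes = b"constructed message"):
    """Run Gen, Sign, Ver once and return (accepted, total oracle queries);
    the text's accounting gives (k + 1) + 1 + (2 + ck) = (1 + c)k + 4."""
    oracle = CountingOracle()
    sk, vk = keygen(p, oracle)
    sig = sign(p, oracle, sk, alpha)
    return verify(p, oracle, vk, alpha, sig), oracle.queries


def reuse_for_other_message(p, oracle, vk, sig_alpha, beta: bytes) -> bool:
    """Case 3 check: only the preimages revealed for alpha are available, so every
    i in h(beta) \\ h(alpha) is missing (filled with zeros here) and Ver rejects."""
    z, revealed = sig_alpha
    subset = h(p, oracle, z, beta)
    padded = {i: revealed.get(i, bytes(p.sec_bytes)) for i in subset}
    return verify(p, oracle, vk, beta, (z, padded))
```

With $k = 8$ and $m = 3$ the anti-chain has $\binom{8}{3} = 56$ subsets, five selector bits are used, and one honest Gen/Sign/Ver run makes exactly $9 + 1 + 5 = 15$ queries.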
The same ideas show that whenever $n \le dq$, where $d \approx 0.812$ is obtained as above ($d = H(c)/(1 + c)$), there is a one-time signature scheme for messages $\{0,1\}^n$ that makes only $q$ queries and achieves security exponential in the length of its queries.

6 Extensions

Now we prove several extensions of Theorem 1.1.

6.1 Other oracles

Using minor changes to the proof of Theorem 4.1 we can get a similar lower bound for signature schemes based on the ideal cipher or random permutation oracles. This is important as these oracles are also sometimes used to model highly efficient symmetric-crypto primitives, and so it is an interesting question whether such oracles can be used to construct signatures more efficiently.

Theorem 6.1. Let $O$ be the ideal cipher oracle. Then, for every one-time signature scheme for messages $\{0,1\}^n$ using a total of $q \le n/4$ queries to $O$, there is an adversary making $2^{(4 - o(1))q}$ oracle queries that breaks the scheme with probability $1 - o(1)$, where $o(1)$ denotes a term tending to $0$ with $q$. In case $O$ is the random permutation oracle, only $q \le n/2$ is needed to get an adversary asking $2^{(2 - o(1))q}$ queries that breaks the scheme with probability $1 - o(1)$.

Proof. We explain the proof for the ideal cipher oracle. Extending the proof to the random permutation oracle is straightforward. We change both the signature scheme and the oracle for the sake of the analysis. We let the new oracle $O'$ be the same as $O$ except that $O'$ does not answer queries of the form $(k, x, d)$ whenever $|x| < 2(q + \log q)$. Instead it answers queries of the type $(k, n)$ where $n < 2(q + \log q)$, to which it returns the long string containing the concatenation of $O(k, x, F)$ for all $x \in \{0,1\}^n$.
We change the signature scheme to get a new scheme $(\mathrm{Gen}', \mathrm{Sign}', \mathrm{Ver}')$ as follows: (1) use $O'$ instead of $O$, and (2) whenever an algorithm makes a query $(k, x, d)$ and obtains an answer $y$, it also makes the "redundant" query $(k, y, \bar{d})$ (where $\bar{d} = B$ if $d = F$ and vice versa). Note that the total number of queries of the new scheme is at most $q' = 2q$.

Lemma 6.2. Given the scheme $(\mathrm{Gen}', \mathrm{Sign}', \mathrm{Ver}')$, there is an adversary $\mathrm{Adv}$ making at most $\mathrm{poly}(q')\,2^{q'}$ queries to $O'$ that breaks the scheme with probability $1 - o(1)$.

Lemma 6.2 implies Theorem 6.1 since any such adversary can be implemented using the oracle $O$ with at most a $q^2\,2^{2q}$ factor increase in the number of queries, and the total number of queries will be $\mathrm{poly}(q')\,2^{q'}\,q^2\,2^{2q} = 2^{(4 - o(1))q}$.

Proof. The description of the attack remains basically the same as that of Theorem 4.1 with the parameters set as in Corollary 4.2 (i.e., $N = 2^q$, $\lambda = \delta = \Theta(q^{-1/2})$), and we have the same distributions $H_0, H_1, H_2, H_3$ as before. However, there are some minor changes, as follows:
• During Step 2 of the attack, whenever we learn a query, we add both the query and its dual to $L_i$.
• During Step 4 of the attack we might discover an inconsistency between the guesses we made in the sampled transcript $\tilde{T}_0$ and the answers we receive from the oracle $O$. That is, we might get the same answer for two different plaintexts with the same key. However, as we will see, this will only happen with small probability, and we can safely ignore this case.
• The definition of $H_2$ needs to change a little. Namely, in the experiment for the distribution $H_2$, during the signing and verification of $\alpha_1, \ldots, \alpha_N$, whenever we make a new non-redundant query $(k, x, d)$, we look at all queries of the form $(k, \cdot, d)$ appearing either in the transcript of the system so far (i.e., $\tilde{T}_0, T_1, \ldots$
) or in the learned queries of $L_M$. Then we choose a random answer $y$ from the set of unused answers and use it as the oracle answer for $(k, x, d)$. The next redundant query $(k, y, \bar{d})$ is simply answered by $x$.

The differences between the proof in this case and the proof of Theorem 4.1 are the following:
• We need to include in the event $E_j$ the condition that the queries made in the $j$th signing and verification are consistent with (the key generation part of) the transcript $\tilde{T}_0$, in the sense that they do not specify two queries $(k, x, d), (k, x', d)$ with $x \ne x'$ which map to the same answer $y$. The consistency condition guarantees (by definition) that if $E_j$ occurs, then the verifier will accept the $j$th signature. The combinatorial condition $V_j \cap (\tilde{G} \cup \tilde{S}_0) \subseteq V_0$ still guarantees that the $j$th verification does not ask any query for which we have guessed the answer (footnote 11). We can still prove that $\Pr_{H_0}[\exists j\, E_j] = \Pr_{H_1}[\exists j\, E_j]$ using basically the same proof as in Claim 4.4. We just have to note that as long as $E_j$ happens in both experiments, there is no way to distinguish their $j$th signing and verification, and the consistency also happens either in both or in neither of them.
• We again show $\mathrm{SD}(H_1, H_2) = o(1)$. The reason is that the difference between the distributions $H_1$ and $H_2$ is due to some events which happen with probability $o(1)$. That is, there are events in the experiments of sampling $H_1$ and $H_2$ which happen with probability $o(1)$, and conditioned on them not happening, $H_1$ and $H_2$ have the same distribution.
– Similar to Claim 4.5, one of the differences between the distributions $H_1, H_2$ might be due to $\mathrm{Adv}$ asking a query in $Q(T_0) \setminus Q(L_M)$. By the same analysis given in the proof of Claim 4.5, the probability that we ask any such query (in both experiments) is at most $2\delta = o(1)$.
So, in the following we assume that this case does not happen.
– In the experiment of sampling $H_1$, when a new non-redundant query $(k, x, d)$ is asked in the $i$th ($i \ge 1$) signing or verification, the returned answer $y$ might be equal to a guessed answer for a query $(k, x', d)$ of $\tilde{T}_0$ (we call this event $F_1$), but it is never equal to the answer of a query $(k, x'', d) \in Q(T_0) \setminus Q(L_M)$. The situation for $H_2$ is the reverse: on a new non-redundant query $(k, x, d)$ during the $i$th ($i \ge 1$) signing or verification, the answer is never equal to a guessed answer for a query $(k, x', d)$ in $\tilde{T}_0$, but it might be equal to the answer of a query $(k, x'', d) \in Q(T_0) \setminus Q(L_M)$ (we call this event $F_2$). Note that $(H_1 \mid \neg F_1) \equiv (H_2 \mid \neg F_2)$. As we will see, $\Pr[F_i] = o(1)$ for $i = 1, 2$, which shows that $\mathrm{SD}(H_1, H_2) = o(1)$.

Footnote 11. This also guarantees that there is no inconsistency between the $j$th verification and the transcript $\tilde{T}_0$, but later we will show that the total consistency happens with good probability.

The reason for $\Pr[F_1] = o(1)$ is that whenever we have a new non-redundant query in the $i$th ($i \ge 1$) signing or verification, its answer is chosen from a set of size at least $q^2\,2^{2q} - q'\,2^{q'}$, which might hit a guessed answer for a query in $\tilde{T}_0$ with probability at most $q'/(q^2\,2^{2q} - q'\,2^{q'}) = o(1)$. The same argument holds for $\Pr[F_2] = o(1)$.
• Claim 4.6 still holds with a similar proof because of the way we defined $H_2$ for the case of the ideal cipher.
• Claim 4.7 is still correct with the same proof. Note that all the signings and verifications are consistent.

A similar and simpler proof works for the case of a random permutation oracle.
In this case, we again change the oracle by merging small queries into a single query with a huge answer, but we do not have the issue of adding "dual" queries, and therefore the condition $q \le n/2$ (rather than $q \le n/4$) is enough to get an adversary who breaks the scheme with probability $1 - o(1)$ by asking $2^{(2 - o(1))q}$ queries (rather than $2^{(4 - o(1))q}$ queries).

6.2 Implementing the Adversary in $\mathrm{BPP}^{\mathrm{NP}}$

If the signature scheme is efficient, then using an NP oracle our adversary can run in time $\mathrm{poly}(n, 2^q)$, where $n$ is the length of the messages to be signed (see footnote 12). That is, we prove the following lemma:

Lemma 6.3. If the signature scheme is efficient, the adversary of the proof of Theorem 4.1 can be implemented in $\mathrm{poly}(n, 2^q)$ time using an oracle to an NP-complete problem.

Lemma 6.3 can be interpreted as saying that a non-black-box proof of security for a signature scheme more efficient than the lower bounds provided by Theorem 4.1 will necessarily imply a proof that $\mathrm{P} \neq \mathrm{NP}$. The only places in which the adversary uses its unbounded computational power are Step 2, where it chooses $x_i$ to be the lexicographically first unlearned string in $\{0,1\}^l$ such that $x_i$ is queried in $D_i$ with probability at least $\epsilon$, and Step 3, where it samples a random $\tilde T_0$ from $D_M$. We show that:

• Using an NP oracle, we can sample from a distribution $D'_i$ in expected $\mathrm{poly}(n, 2^q)$ time such that $SD(D'_i, D_i) \le \epsilon$, where $\epsilon$ is as defined in Step 2.

• Using the $D'_i$ sampler, we can implement the adversary in $\mathrm{poly}(n, 2^q)$ time with similar success probability.

We first show how to use a $D'_i$ sampler to implement the adversary efficiently, and then show how to sample from $D'_i$ efficiently using an NP oracle.

Footnote 12: In general, the security parameter could be different from the length of the messages $n$.
(Footnote 12, continued.) For example, in Section 5 the security parameter was $q$ (so the security was $2^{\Omega(q)}$), and the running time of the algorithms was $\mathrm{poly}(n, q)$. Here, for simplicity, we assume that $\ell = \mathrm{poly}(n)$ and that all the algorithms' queries are of length $\ell$.

Efficient adversary using a $D_i$ approximate-sampler. So, here we assume that we can sample efficiently from a distribution $D'_i$ such that $SD(D'_i, D_i) \le \epsilon$. In order to choose $x_i$ in the $i$-th step of the learning phase, we do the following. Let $m = (l + \log M - \log \delta)/\epsilon^2$. We sample $m$ times from $D'_i$ to get $D^1_i, \dots, D^m_i$. Then we choose $x_i$ to be the lexicographically first unlearned query (i.e., not in $L_{i-1}$) which appears in at least a $2\epsilon$ fraction of the $Q(D^j_i)$'s.

Claim 6.4. With probability at least $1 - \delta$ we get the following: for every $x \in \{0,1\}^l$ and every $1 \le i \le M$:

1. If $\Pr[x \in Q(D_i)] \ge 3\epsilon$, then $x$ appears in more than a $2\epsilon$ fraction of the $Q(D^j_i)$'s.

2. If $\Pr[x \in Q(D_i)] \le \epsilon$, then $x$ appears in less than a $2\epsilon$ fraction of the $Q(D^j_i)$'s.

If the event above happens, it means that the learning algorithm learns all the $3\epsilon$-heavy queries in its $M$ rounds with probability at least $1 - \delta$ (using the same argument as before). Therefore we get a weaker, yet strong enough, version of Claim 4.6 saying that $SD(H_1, H_2) \le 3\delta + \delta + \delta = O(\delta)$.

Claim 6.4 follows from the Chernoff bound. The probability that any specific $x$ violates the claim's condition in any of the rounds is at most $e^{-m\epsilon^2} < 2^{-m\epsilon^2} = 2^{-l - \log M + \log \delta}$. By the union bound, the probability that the event is violated is at most $M \cdot 2^l \cdot 2^{-l - \log M + \log \delta} = \delta$.

Sampling $D'_i$ efficiently using an NP oracle. Note that $L_i$, which captures our knowledge of the system after the $i$-th round of the learning phase, can be encoded with $\mathrm{poly}(n, 2^q)$ bits.
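Returning to the learning step of Claim 6.4 above: the following is an added example (not code from the paper) that implements one round of that step, namely drawing $m = (l + \log M - \log \delta)/\epsilon^2$ samples from an approximate sampler and selecting the lexicographically first unlearned query that appears in at least a $2\epsilon$ fraction of them, together with the union-bound failure probability from the proof. The sampler is a constructed stand-in for $D'_i$ in which each query is included independently with a fixed probability; in the real attack the sampler would be conditioned on the knowledge $L_i$ gathered so far.

```python
import math
import random

# Page notation: l = query length in bits, M = number of learning rounds,
# delta = allowed failure probability, eps = heaviness threshold.
def sample_count(l_bits, num_rounds, delta, eps):
    """m = (l + log M - log delta) / eps^2 (logs base 2), rounded up."""
    return math.ceil((l_bits + math.log2(num_rounds) - math.log2(delta)) / eps ** 2)

def failure_bound(m, eps, l_bits, num_rounds):
    """Union bound from the proof of Claim 6.4: M * 2^l * 2^(-m eps^2)."""
    return num_rounds * 2 ** l_bits * 2 ** (-m * eps ** 2)

def pick_next_query(sampler, learned, eps, m, rng):
    """One learning round: draw m query sets Q(D_i^1), ..., Q(D_i^m) from the
    approximate sampler and return the lexicographically first unlearned
    query appearing in at least a 2*eps fraction of them (None if none)."""
    counts = {}
    for _ in range(m):
        for x in sampler(rng):
            counts[x] = counts.get(x, 0) + 1
    heavy = sorted(x for x, c in counts.items()
                   if c >= 2 * eps * m and x not in learned)
    return heavy[0] if heavy else None

def learn_heavy_queries(sampler, eps, m, max_rounds, rng):
    """Run up to M rounds, stopping early once no unlearned 2*eps-heavy
    query remains; returns the learned queries in the order found."""
    learned = []
    for _ in range(max_rounds):
        x = pick_next_query(sampler, set(learned), eps, m, rng)
        if x is None:
            break
        learned.append(x)
    return learned

# Constructed toy stand-in for D'_i (not from the paper): each 4-bit query is
# included in a sampled transcript independently with the given probability.
TOY_QUERY_PROBS = {
    "0001": 0.50,   # 3*eps-heavy for eps = 0.1
    "0010": 0.30,   # 3*eps-heavy
    "0011": 0.05,   # eps-light: must never be selected
    "0100": 0.35,   # 3*eps-heavy, but later in lexicographic order
}

def toy_sampler(rng):
    return {x for x, p in TOY_QUERY_PROBS.items() if rng.random() < p}

def demo(seed=0):
    """Learn the heavy queries of the toy distribution with eps = 0.1,
    delta = 0.01, l = 4 and M = 4 rounds; returns (m, learned list)."""
    eps, delta, l_bits, num_rounds = 0.1, 0.01, 4, 4
    m = sample_count(l_bits, num_rounds, delta, eps)
    rng = random.Random(seed)
    return m, learn_heavy_queries(toy_sampler, eps, m, num_rounds, rng)

if __name__ == "__main__":
    m, learned = demo()
    print(f"m = {m}; failure bound = {failure_bound(m, 0.1, 4, 4):.4f}")
    print(f"heavy queries learned in order: {learned}")
```

With these parameters $m = 1265$, the union bound evaluates to just under $\delta = 0.01$, and the three $3\epsilon$-heavy queries are learned in lexicographic order while the $\epsilon$-light one is never selected; the margins between the inclusion probabilities and the $2\epsilon$ threshold are many standard deviations wide at this $m$, which is exactly what the Chernoff argument in the proof buys.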
The number of random bits used by the adversary until the end of the $i$-th round of the learning phase is also $\mathrm{poly}(n, 2^q)$. For a technical reason which will become clear later, we add the randomness used by the adversary to the description of $L_i$. Similarly, any (possible) transcript $D$ with $\Pr[D_i = D] > 0$ can be represented with $\mathrm{poly}(n, q) < \mathrm{poly}(n, 2^q)$ bits. In the following we always assume that such encodings are used to represent $L_i$ and $D$. In order to sample from a distribution close to $D_i$ we use the following lemma:

Lemma 6.5. There is a function $f : \{0,1\}^* \times \{0,1\}^* \mapsto \mathbb{N}$ which is efficiently computable (i.e., in time $\mathrm{poly}(n, 2^q)$), with the following properties:

1. $f(L_i, D) = \lfloor c \Pr[D_i = D] \rfloor$ for some constant $c$ depending on $L_i$. So we have $f(L_i, D) = 0$ if $\Pr[D_i = D] = 0$.

2. $f(L_i, D) \ge 10/\epsilon$ whenever $\Pr[D_i = D] > 0$, where $\epsilon$ is as defined in Step 2.

Before proving the lemma, we see how it is used.

Corollary 6.6. We can sample from a distribution $D'_i$ such that $SD(D_i, D'_i) \le \epsilon$ in time $\mathrm{poly}(n, 2^q)$ (where the time $\mathrm{poly}(n, 2^q)$ is independent of $i$ for $1 \le i \le M$).

Proof. Let $W_i = \{(D, j) \mid 1 \le j \le f(L_i, D)\}$ be the set of "witnesses" for $L_i$, where $f$ is the function in Lemma 6.5. Lemma 6.5 shows that the relation $R = \{(L_i, w) \mid w \in W_i\}$ is an NP relation. It is known [BGP00] that for any NP relation there is a witness-sampling algorithm that, given any $x$, samples one of the witnesses of $x$ uniformly in expected $\mathrm{poly}(|x|)$ time. Therefore, we sample a random $w = (D, j)$ such that $w \in W_i$ in expected $\mathrm{poly}(n, 2^q)$ time, and output $D$. It is easy to see that the distribution $D'_i$ of our output has statistical distance at most $\epsilon$ from the distribution $D_i$.

Proof (Lemma 6.5). Recall that $D_i$ is the distribution of transcripts $T_0$ conditioned on the information given in $L_i$.
Let the event $E(L_i)$ be the event that, during the running of the system (and our attack), the adversary's knowledge about the system and its randomness after the $i$-th round of the learning is what $L_i$ denotes. Similarly, let $E(D)$ be the event that $D = T_0$ is the case in our experiment. Thus, for every transcript $D$, $\Pr[D_i = D] = \Pr[E(D) \mid E(L_i)]$. If we could compute $\Pr[E(D) \mid E(L_i)]$, we could somehow use it in Lemma 6.5, but instead of doing that we will rather compute $\Pr[E(D) \wedge E(L_i)]$, which is proportional to $\Pr[E(D) \mid E(L_i)]$ up to a constant factor depending on $L_i$, and will scale it up to some big integer. Given $L_i$ and $D$, in order to compute $\Pr[E(D) \wedge E(L_i)]$ we track the whole experiment from the beginning in the following order:

• Key generation

• Signing $\alpha_0$

• The attack (which includes the verification of $\alpha_0$ as its first step) up to the end of the $i$-th round of the learning.

At any moment that some coin tossing is involved (i.e., in the key generation algorithm, in the attack, or in an oracle answer), the result is determined by the description of $L_i$ and $D$. Thus, we can calculate the probability that given values of $L_i$ and $D$ will be the ones in the real running of the experiment (see footnote 13). More quantitatively, during the simulation of the experiment we receive any specific oracle answer with probability at least $2^{-l}$ whenever it is a possible answer, and the probability of getting a specific random tape for the key generation and the adversary is at least $2^{-\mathrm{poly}(n, 2^q)}$. Since the total probability $\Pr[E(D) \wedge E(L_i)]$ is the product of all those probabilities that we get during the simulation of the system, and because the number of oracle queries that we examine is at most $2^{O(q)}$, we get $\Pr[E(D) \wedge E(L_i)] > 2^{-\mathrm{poly}(n, 2^q)}$ whenever $\Pr[E(D) \wedge E(L_i)] \neq 0$.
Note that $\epsilon$ in the attack is $2^{-O(q)}$. Therefore, for a big enough constant $c = \mathrm{poly}(n, 2^q)$, the function $f(L_i, D) = \lfloor c \Pr[E(D) \wedge E(L_i)] \rfloor$ is computable in time $\mathrm{poly}(n, 2^q)$, and we have $f(L_i, D) > 10/\epsilon$ as well.

6.3 Handling imperfect completeness

While the typical definition of a signature scheme stipulates that a valid signature (generated by the signing algorithm with the correct key) should be accepted with probability one, it makes sense to consider (especially in the context of negative results) also signatures where the verifier may reject such signatures with small probability, say $1/10$. We are able to extend our result to this case as well:

Theorem 6.7. For every one-time signature scheme for messages $\{0,1\}^n$, accepting correct signatures with probability at least $0.9$ (over the randomness of the verifier), and asking a total of $q \le \sqrt{n}/20$ queries to a random oracle, there is (1) an adversary making $2^{(1+o(1))q}$ queries that breaks the scheme with probability at least $2^{-q}$, and (2) an adversary making $2^{O(q^2)}$ oracle queries that breaks the scheme with constant probability.

Footnote 13: For the case of ideal cipher or random permutation oracles, we need to keep track of the oracle answers so far during the simulation of the experiment, in order to know what the probability of receiving a specific answer from the oracle is at any point.

The proof of part (1) is a straightforward extension of the proof of Theorem 4.1, so we bring here only the proof of part (2):

Lemma 6.8. For every one-time signature scheme with imperfect completeness (i.e., the verifier can reject valid signatures with probability at most $1/10$ over its coins) there is an adversary asking $2^{O(q^2)}$ queries that finds, with probability $1 - o(1)$, a message/signature pair which passes the verification with probability at least $0.7$ (see footnote 14).

Proof.
The main difference between the proof of this lemma and that of Theorem 4.1 is the way we define the sets $V_j$. They are no longer simply the queries that the verifications ask from the oracle. For the sake of analysis, for every $j$ we define the set $V_j$ to be the set computed by the following process: run the $j$-th verification algorithm on the generated message/signature pair $m$ times (for $m$ to be defined later), and let $V_j$ be the set of queries that appeared in at least a $1/(20q)$ fraction of these verifications. Hence we have $|V_j| \le 20q^2$. Note that the definition of $V_j$ depends on the oracle used to do the verifications. We will treat the sets $V_j$ in the analysis similarly to what we did with their previous definition. So, we define the new parameter $r = 20q^2$ to be the upper bound on $|G| + |S_j| + |V_j|$, while $q$ is still an upper bound for $|G| + |S_j|$. As we will see, the proof will be similar to that of Theorem 4.1 and the parameters are set similarly to those of Corollary 4.2:

$$N = 2^r,\qquad \lambda = \delta = \frac{\binom{r}{r/2}}{2^r} = \theta(r^{-1/2}) = \theta(1/q),\qquad m = 20^3 q^4,\qquad \epsilon = \frac{\delta}{mqN},\qquad M = \frac{q}{\epsilon\delta}.$$

Other than the parameters, the differences compared to the previous attack are:

1. When obtaining the signature $\sigma_0$ in Step 1, we run the verification algorithm $m$ times and record in $L_0$ all the resulting query/answer pairs.

2. In Step 4 we test each generated message/signature pair $q^3$ times and output the first signature that passes the verification in at least a $0.75$ fraction of these $q^3$ trials.

We also define the set $U_j$ to be the set of queries that the $j$-th verification asks from the oracle with probability at least $1/(10q)$ over its own randomness after we fix the random oracle. Hence we have $|U_j| \le 10q^2$. We say that $E_j$ holds if (as before) $V_j \cap (\tilde G \cup \tilde S_0) \subseteq V_0$. We also say that the event $E$ holds if $U_j \subset V_j$ for every $j$.

Claim 6.9.
If $E_j \wedge E$ holds, then the $j$-th signature will be accepted by the verifier with probability at least $0.9 - 0.1 = 0.8$ over the randomness of the verifier.

Proof. The only way this can fail is that with probability at least $1/10$ the verifier makes a query in the (at most $q$-sized) set $(\tilde G \cup \tilde S_0) \setminus V_0$. But if this happens, then there is a query in that set that is queried first with probability at least $1/(10q)$; yet because $E$ holds, that query will be contained in $U_j \subset V_j$, contradicting $E_j$.

For any specific $1 \le j < N$, by the Chernoff bound, the probability that the fraction of times we accept the generated signature for $\alpha_j$ is $0.05$ away from its real probability of being accepted by the verifier is at most $e^{-0.05^2 q^3}$, and by the union bound the probability that this happens for some $j$ is at most $2^{20q^2} e^{-q^3/400} = o(1)$. Now suppose $E_j \wedge E$ holds for some $j = j_0$. So by Claim 6.9, firstly we will output a pair of message and signature, and secondly this pair is accepted by the verifier with probability at least $0.7$.

Footnote 14: The probability $0.7$ could be substituted by any constant less than $0.9$ by changing the constants in the proof.

Claim 6.10. We have $\Pr[E] \ge 1 - o(1)$.

Proof. By the Chernoff bound, the probability that a particular member of $U_j$ is not in $V_j$ is at most $e^{-(1/(20q))^2 m} = e^{-20q^2}$. By the union bound over the members of $U_j$ and over $j$, we have $\Pr[U_j \not\subset V_j \text{ for some } j] \le 10q^2 \cdot 2^{20q^2} \cdot e^{-20q^2} = o(1)$.

Now that we know $E$ holds almost always, it only remains to show that with high probability $E_j$ happens for some $j$. This time we define the four hybrid distributions $H_0, H_1, H_2, H_3$ a bit differently.
Instead of putting in $H_i$ the query/answer pairs that we received during one verification, we put in $H_i$ all such pairs that we get at some point during the $m$ times that we run the verification. The proofs of Claims 4.4–4.7 also work basically in the same way as before:

• Claim 4.4 still holds with the same proof.

• Claim 4.5 still holds with the same proof because of the new, smaller value of $\epsilon$ that we used.

• Claim 4.6 still holds with the same proof.

• Claim 4.7 is still correct with the same proof because the condition $q \le \sqrt{n}/20$ guarantees that there is enough room to choose $N \le 2^n$ different messages in the attack.

So, our adversary asks at most $Nmq + M + Nq^3 = \mathrm{poly}(q)\, 2^r = 2^{O(q^2)}$ queries, and with probability $1 - o(1)$ finds a message/signature pair passing the verification with probability at least $0.7$.

We note that the combination of all the above extensions holds as well (e.g., we can implement in $\mathrm{BPP}^{\mathrm{NP}}$ an adversary that breaks any signature scheme with imperfect completeness that is based on the ideal cipher).

6.4 Efficiency of the verifier

Because the signing and verification algorithms are run more often than the key generation, lower bounds on their own efficiency are still meaningful. In Section 5 we saw that the signing algorithm can be very efficient while the total number of queries was almost optimal. Here we show that if we want to get an efficient verifier and exponential security at the same time, the total number of queries becomes inefficient.

Theorem 6.11. For every one-time signature scheme for messages $\mathcal{M}$ with total $q$ oracle queries where the verification asks at most $v \le q/2$ oracle queries and $|\mathcal{M}| \ge \binom{q}{v}/\lambda$, there is an adversary asking at most $O\!\left(q^2 \binom{q}{v} / (\lambda\delta^2)\right)$ queries that breaks the scheme with probability at least $1 - \lambda - \delta$.
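As an added worked derivation (not part of the original paper), the two sides of the bound on $\log S / q$ stated in the remark that follows the theorem can be read off from the security $\Omega\big(\binom{k}{v-2}\big)$ of the modified Section 5 scheme and from the query count of Theorem 6.11. The only fact assumed beyond the page is the standard entropy estimate $\log_2 \binom{N}{\alpha N} = N\,H(\alpha) - O(\log N)$ for constant $0 < \alpha < 1$, where $H$ is the binary entropy function.

$$
\text{With } v = q/d \text{ and } k = q - v - 2:\qquad
\frac{v-2}{k} = \frac{q/d - 2}{q(1 - 1/d) - 2} \;\longrightarrow\; \frac{1}{d-1},
\qquad
\frac{k}{q} \;\longrightarrow\; 1 - \frac{1}{d} \quad (q \to \infty).
$$

Lower bound (the modified scheme, security $S = \Omega\big(\binom{k}{v-2}\big)$):

$$
\frac{\log S}{q} \;\ge\; \frac{\log \binom{k}{v-2}}{q} - \frac{O(1)}{q}
\;=\; \frac{k}{q}\, H\!\left(\frac{v-2}{k}\right) - O\!\left(\frac{\log q}{q}\right)
\;=\; \left(1 - \frac{1}{d}\right) H\!\left(\frac{1}{d-1}\right) - o(1).
$$

Upper bound (Theorem 6.11 with fixed constants, say $\lambda = \delta = 1/4$, so the adversary succeeds with probability at least $1/2$ using $O\big(q^2 \binom{q}{v}\big)$ queries, which caps the black-box security $S$):

$$
S \;\le\; O\!\left(q^2 \binom{q}{v}\right)
\;\Longrightarrow\;
\frac{\log S}{q} \;\le\; H\!\left(\frac{1}{d}\right) + O\!\left(\frac{\log q}{q}\right)
\;=\; H\!\left(\frac{1}{d}\right) + o(1).
$$

Both sides use $v \le q/2$, i.e. $d \ge 2$, so that $1/(d-1) \le 1$ and the entropy terms are well defined; the upper bound additionally needs the message space of Theorem 6.11, $|\mathcal{M}| \ge \binom{q}{v}/\lambda$, i.e. messages of roughly $q\,H(1/d) + 2$ bits.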
Before going over the proof, note that for any $v, k \in \mathbb{N}$ with $3 \le v \le q/2$ (i.e., $1 \le v - 2 \le k$ where $v + k + 2 = q$), the scheme of Section 5 can be simply changed to get a new scheme in which the verifier asks $v$ queries, by revealing $(v-2)$-sized subsets of the $x_i$'s as the signature rather than $ck$-sized ones. A proof similar to that of Theorem 5.1 shows that this new scheme has security $\Omega\big(\binom{k}{v-2}\big) = \Omega\big(\binom{q-v-2}{v-2}\big)$. So, if $v = q/d$ for a constant $d$, the maximum security $S$ one can get by asking at most $v = q/d$ queries in verification and $q$ queries in total is bounded as

$$H\!\left(\frac{1}{d-1}\right)\left(1 - \frac{1}{d}\right) - o(1) \;\le\; \frac{\log S}{q} \;\le\; H\!\left(\frac{1}{d}\right) + o(1),$$

where $H(\cdot)$ is Shannon's entropy function and $o(1)$ goes to zero with $q$.

Proof (Theorem 6.11). The proof is almost the same as that of Theorem 4.1. The only difference is in Claim 4.7, in which we now have the restriction $|V_j| \le v$, and we conclude that $K \le \binom{q}{v}$. The only difference in the proof of Claim 4.7 is that now the event $A_i$ has probability at least

$$\frac{|U_i|!\,|V_i|!}{(|U_i| + |V_i|)!} = \frac{1}{\binom{|U_i| + |V_i|}{|V_i|}} \;\ge\; \frac{1}{\binom{q}{|V_i|}} \;\ge\; \frac{1}{\binom{q}{v}}$$

because $v \le q/2$.

7 Lower bounds on black-box constructions

In a construction for signature schemes, one might use a standard primitive (e.g., a one-way function) rather than one with ideal security (e.g., a random function). These constructions could have different levels of "black-boxness", discussed thoroughly in [RTV04]. What we will call black-box is called fully black-box in [RTV04]. Here we give a more quantitative definition of such constructions. For simplicity we only define the black-box constructions of signature schemes from hard one-way functions; the others are similar. After giving the formal definitions we will prove strong lower bounds on the efficiency of signature schemes from symmetric primitives when the construction is black-box.
Definition 7.1. Let $F_\ell$ denote the set of all functions $f : \{0,1\}^\ell \to \{0,1\}^\ell$ over $\ell$ bits. We call a family of functions $\{f_\ell \mid \ell \in \mathbb{N}, f_\ell \in F_\ell\}$ $s$-hard (to invert) if for any probabilistic algorithm $A$ running in time at most $s(\ell)$ we have

$$\Pr_{x \leftarrow_R \{0,1\}^\ell}\big[A(f(x)) \in f^{-1}(f(x))\big] \le \frac{1}{s(\ell)},$$

where the probability is over the choice of $x$ and the coin tosses of $A$. By $S$-hard functions, for a set of functions $S$, we mean all those which are $s$-hard for some $s \in S$. (Think of $S$ as the set of all the functions which are super-polynomial, quasi-polynomial, or exponential, etc.) So, we will keep the notation that the capital $S$ denotes a set of functions.

For simplicity we use $n$, the length of the messages to be signed, as the security parameter of the signature scheme (i.e., the efficient schemes will run in time $\mathrm{poly}(n)$, and for larger values of $n$ the scheme becomes more secure).

Definition 7.2. A black-box construction of one-time signature schemes for $n$-bit messages from $S$-hard one-way functions, with security parameter contraction $\ell(n)$, is made of the following two families of reductions for all $n \in \mathbb{N}$:

• The implementation reduction $I = (\mathrm{Gen}, \mathrm{Sign}, \mathrm{Ver})$ has three components which are algorithms running in time $\mathrm{poly}(n)$ ($\mathrm{Gen}$ is probabilistic), and $I^f = (\mathrm{Gen}^f, \mathrm{Sign}^f, \mathrm{Ver}^f)$ satisfies Definition 3.5 by setting $O = f$ for any $f \in F_{\ell(n)}$.

We call $A$ an $I^f$-breaker if $A$ is a (not necessarily efficient) adversary who breaks the security of $I^f$ with non-negligible probability over its own randomness by playing the game defined in Definition 3.6.
• The security reduction $R$ is an algorithm running in time $t(n)$ where: (1) for any $f \in F_{\ell(n)}$ and any $I^f$-breaker $A$,

$$\Pr_{x \leftarrow_R \{0,1\}^{\ell(n)}}\big[R^{A,f}(f(x)) \in f^{-1}(f(x))\big] \ge \frac{1}{w(n)},$$

where the probability is over the choice of $x$ and the coin tosses of $R$ and $A$; (2) $t(n)\,p(n) < s(\ell(n))$ for any $p(n) = \mathrm{poly}(n)$, any $s(\cdot) \in S$, and large enough $n$; and (3) $w(n) < s(\ell(n))$ for any $s \in S$ and large enough $n$.

The security parameter contraction factor $\ell(n)$ in Definition 7.2 measures how small the length of the function used in the reduction is (i.e., the security parameter of the primitive used) compared to $n$ (i.e., the security parameter of the signature scheme). The term "security parameter expansion" is used in [HHRS07] for the inverse of the contraction parameter. Note that, having such a reduction, the existence of any efficiently computable family of functions $f : \{0,1\}^\ell \to \{0,1\}^\ell$ which is $s$-hard to invert for some $s \in S$ implies the existence of (efficient) one-time signature schemes which are secure against polynomial-time adversaries. That is because (1) we get an efficient implementation of the scheme by efficiently implementing $f$ for $I^f$, and (2) if $A$ is an $I^f$-breaker running in time $\mathrm{poly}(n)$, the reduction $R$ combined with its subroutine $A$ breaks the $s$-hardness of $f$, which is not possible.

Now we prove a strong lower bound on the efficiency of signature schemes relying on the efficiency of strong one-way functions. Then we will show how it generalizes to any symmetric primitive and also to functions with many hard-core bits.

Theorem 7.3. Let $E$ denote the set of functions $E = \{f(\ell) \mid f = 2^{\Omega(\ell)}\}$.
Any black-box construction of one-time signature schemes for $n$-bit messages from $E$-hard one-way functions with security parameter contraction $\ell(n)$ needs to ask $\min(\Omega(\ell(n)), n)$ queries from the one-way function.

Before going over the proof we make two observations. First, if the construction uses $E$-hard functions, it means that we should have $t(n) = 2^{o(\ell(n))}$ and $1/w(n) = 2^{-o(\ell(n))}$ in the security reduction. Second, the existence of such a reduction, regardless of how many queries it asks, forces $\ell(n)$ to be $\omega(\log n)$, for otherwise the condition $t(n)\,\mathrm{poly}(n) < s(\ell(n))$ in Definition 7.2 would be violated. Therefore, without loss of generality, we assume that $q \ge \log n$, because otherwise we can ask $\log n$ redundant queries in the key generation algorithm without changing the condition $q \le \min(\Omega(\ell(n)), n)$.

Proof. For the sake of contradiction, suppose that there is a black-box construction of signature schemes $(I, R)$ where $I$ asks $q \le n$ queries from the one-way function and $\log n \le q = o(\ell(n))$. The proof goes in two steps. We will first show that any such construction results in a (computationally unbounded) adversary asking $2^{o(\ell)}$ queries from a random function $f \leftarrow_R F_\ell$ and inverting it on a random point with probability at least $2^{-o(\ell)}$ (where this probability is also over the choice of $f$). Then we will show that it is not possible to have such an adversary; namely, any adversary asking $2^{\ell/3}$ queries has chance at most $2^{-\ell/3}$ of doing so.

Step 1. Let $A$ be the adversary of Corollary 4.2 for the implementation of the signature scheme $I$ (note $q \le n$), asking at most $2^{(1+o(1)) o(\ell(n))}$ queries from the function $f$ (note $q \le o(\ell(n))$) and breaking $I^f$ with probability at least $1 - o(1)$ when $f$ is chosen at random, $f \leftarrow_R F_{\ell(n)}$, where $o(1)$ goes to zero with $q$.
For large enough $\ell(n)$, $n$ becomes large enough too, and so does $q$ (because $q \ge \log n$). Therefore $A$ asks at most $2^{o(\ell(n))}$ queries from $f$ and breaks the scheme with probability at least $3/4$ when $f \leftarrow_R F_{\ell(n)}$, for large enough $\ell(n)$. By an averaging argument, with probability at least $1/2$ over the choice of $f$, $A$ breaks $I^f$ with probability at least $1/2$ over its own randomness. We call such $f$'s the good ones. Whenever $f$ is good, $R^{A^f, f}$ inverts $f$ on a random point with probability at least $2^{-o(\ell(n))}$, and because $f$ is good with probability at least $1/2$, $R^{A,f}$ inverts $f$ on a random point with probability at least $2^{-o(\ell(n))}$ for a randomly chosen $f \leftarrow_R F_{\ell(n)}$, where the probability is over the choice of $f$, the choice of the image to be inverted, and the randomness of $A$. By merging the code of $R$ with $A$, we get an adversary $B = R^A$ who asks at most $2^{o(\ell(n))} \cdot 2^{o(\ell(n))} = 2^{o(\ell(n))}$ queries from $f \leftarrow_R F_{\ell(n)}$ and inverts it on a random point (i.e., $y = f(x)$ for $x \leftarrow_R \{0,1\}^{\ell(n)}$) with probability at least $2^{-o(\ell(n))}$.

Step 2. Suppose $B$ is an adversary asking $2^{\ell/3}$ queries from a random function $f \leftarrow_R F_\ell$, trying to find a preimage of $f(x)$ where $x \leftarrow_R \{0,1\}^\ell$. We can pretend that the value of $f$ at each point is determined at random whenever it is asked for the first time. So, at first $x$ is chosen, then $f(x)$ is chosen and given to $B$. At first $B$ does not have any information about $x$, so the probability that $B$ asks $x$ in any of its $2^{\ell/3}$ queries is at most $2^{-2\ell/3}$. Assuming it does not ask $x$, the probability that $B$ receives the answer $f(y) = f(x)$ by asking any $y \neq x$ is at most $2^{-2\ell/3}$. Assuming that none of the mentioned events happens, if it outputs a $y$ different from all the queries it has asked from $f$, then $f(y) = f(x)$ happens with probability $2^{-\ell}$.
So its chance of winning is at most $2^{-2\ell/3} + 2^{-2\ell/3} + 2^{-\ell} < 2^{-\ell/3}$ (for $\ell \ge 4$).

As is clear from the theorem, our lower bound becomes stronger for larger values of $\ell(n)$, which is also the case in the similar (unconditional) lower bound results [HHRS07, Wee07]. In order to extend the lower bound to other symmetric primitives (and functions with many hard-core bits), we can follow the same steps as in the proof of Theorem 7.3 using the following lemma.

Lemma 7.4. Let $P$ be a symmetric primitive (i.e., one-way function, one-way permutation, collision-resistant hash function, pseudorandom generator, pseudorandom function, message authentication code, or block cipher), or the primitive of functions $f : \{0,1\}^\ell \to \{0,1\}^\ell$ with $\ell/2$ hard-core bits. Then there is an implementation of $P$ for security parameter $\ell$ with access to either a random oracle, a random permutation oracle, or an ideal cipher oracle which asks only a constant number of queries of length $\theta(\ell)$ from the oracle, and any (computationally unbounded) adversary $\mathrm{Adv}$ who asks at most $2^{o(\ell)}$ queries from the oracle has chance at most $2^{-\Omega(\ell)}$ of breaking it (over the randomness of $\mathrm{Adv}$ and the oracle used).

Proof. We will describe the natural implementations and will show the proof of security only for the case that $P$ is the primitive of functions with $\ell/2$ hard-core bits. The security proofs for the other implementations are also easy to get (in fact, we already gave the proof for the case of one-way functions in the proof of Theorem 7.3).

• One-way function using a random oracle: To define the value of the function $f$ on input $x \in \{0,1\}^\ell$, we simply use the oracle's answer: $f(x) = O(x)$.
• One-way permutation using a random permutation oracle: To define the value of the permutation $p$ on input $x \in \{0,1\}^\ell$, we simply use the oracle's answer: $p(x) = O(x)$.

• Collision-resistant hash function using a random oracle: The value of the hash function $h$ on input $x \in \{0,1\}^\ell$ is made of the first $\ell/2$ bits of the oracle's answer: $h(x) = b_1 \dots b_{\ell/2}$ where $O(x) = b_1 \dots b_\ell$.

• Pseudorandom generator using a random oracle: The stretched output of the generator $g$ on input $x \in \{0,1\}^\ell$ is the output of the oracle on the padded query: $g(x) = O(x \,|\, 0^\ell)$.

• Pseudorandom function using a random oracle: Using the key $k \in \{0,1\}^\ell$ on input $x \in \{0,1\}^\ell$, the output of the function is the first $\ell$ bits of the oracle's answer on the query made by concatenating $k$ and $x$: $f_k(x) = b_1 \dots b_\ell$ where $O(k \,|\, x) = b_1 \dots b_{2\ell}$.

• Message authentication code using a random oracle: Using the key $k \in \{0,1\}^\ell$, the authentication code of the message $x \in \{0,1\}^\ell$ is defined similarly to that of the pseudorandom function. The verification is clear.

• Block cipher using an ideal cipher oracle: Using the key $k \in \{0,1\}^\ell$, the input $x \in \{0,1\}^\ell$ and the direction $d$, we simply use the oracle's answer $O(k, x, d)$ as our cipher.

• Function with $\ell/2$ hard-core bits using a random oracle: The value of the function $f$ on input $x = x_1 \dots x_\ell$ uses the oracle's answer, $f(x) = O(x)$, and the hard-core bits for $x$ are the first $\ell/2$ bits of it: $HC(x) = x_1 \dots x_{\ell/2}$.

Now we prove the claim for the last primitive (i.e., functions with $\ell/2$ hard-core bits). Suppose the adversary $A$ asks at most $2^{\ell/4}$ queries from the function $f$. Again, we assume that $f$ chooses its answers randomly whenever asked for the first time.
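Before continuing with the hard-core-bit argument, here is an added example (not code from the paper) that implements the constructions listed above over lazily sampled idealized oracles, i.e. oracles whose answer to a query is drawn at random the first time that query is asked and remembered afterwards, which is exactly the model used in the proofs of Theorem 7.3 and Lemma 7.4. It counts the oracle queries each construction makes per evaluation (one each, matching the lemma's "constant number of queries") and checks the structural properties the constructions rely on: the ideal cipher's two directions are mutually inverse, the random permutation is injective, and the MAC verifies. Bit strings are represented as `'0'`/`'1'` characters; the oracle classes, helper names and the toy parameter $\ell = 8$ are assumptions of this example.

```python
import random

def bits(rng, n):
    """Uniform n-bit string written as '0'/'1' characters."""
    return format(rng.getrandbits(n), f"0{n}b")

class RandomOracle:
    """Lazily sampled random function: the answer to a query is chosen
    uniformly the first time it is asked and memoized; the answer has the
    same bit-length as the query (so a 2*ell-bit query gets 2*ell bits)."""
    def __init__(self, rng):
        self.rng, self.table, self.queries = rng, {}, 0
    def query(self, x):
        self.queries += 1
        if x not in self.table:
            self.table[x] = bits(self.rng, len(x))
        return self.table[x]

class IdealCipher:
    """Ideal cipher oracle O(k, x, d): for every key k an independent lazily
    sampled permutation on {0,1}^ell; d is 'enc' or 'dec', and both
    directions share one table so that dec(enc(x)) == x."""
    def __init__(self, ell, rng):
        self.ell, self.rng, self.fwd, self.inv, self.queries = ell, rng, {}, {}, 0
    def query(self, k, x, d):
        self.queries += 1
        src, dst = (self.fwd, self.inv) if d == "enc" else (self.inv, self.fwd)
        if (k, x) not in src:
            while True:  # rejection-sample an image not yet used under key k
                y = bits(self.rng, self.ell)
                if (k, y) not in dst:
                    break
            src[(k, x)], dst[(k, y)] = y, x
        return src[(k, x)]

class RandomPermutation(IdealCipher):
    """Random permutation oracle: a single unkeyed lazily sampled permutation."""
    def query(self, x):
        return super().query("", x, "enc")

# The constructions of Lemma 7.4; each makes exactly one oracle query.
def owf(ro, x):
    return ro.query(x)                       # f(x) = O(x)
def owp(rp, x):
    return rp.query(x)                       # p(x) = O(x), O a permutation
def crhf(ro, x):
    return ro.query(x)[: len(x) // 2]        # first ell/2 bits of O(x)
def prg(ro, x):
    return ro.query(x + "0" * len(x))        # g(x) = O(x | 0^ell), 2*ell bits
def prf(ro, k, x):
    return ro.query(k + x)[: len(x)]         # first ell bits of O(k | x)
def mac(ro, k, x):
    return prf(ro, k, x)                     # tag = f_k(x)
def mac_verify(ro, k, x, tag):
    return mac(ro, k, x) == tag
def block_cipher(ic, k, x, d):
    return ic.query(k, x, d)                 # O(k, x, d) used directly
def hardcore(ro, x):
    return ro.query(x), x[: len(x) // 2]     # (f(x), HC(x) = first ell/2 bits of x)

def demo(ell=8, seed=1):
    """Evaluate every construction once on random inputs; returns the
    per-construction oracle query counts and a dict of sanity checks."""
    rng = random.Random(seed)
    ro, rp, ic = RandomOracle(rng), RandomPermutation(ell, rng), IdealCipher(ell, rng)
    x, k = bits(rng, ell), bits(rng, ell)

    def count(oracle, fn):
        before = oracle.queries
        fn()
        return oracle.queries - before

    counts = {
        "owf": count(ro, lambda: owf(ro, x)),
        "owp": count(rp, lambda: owp(rp, x)),
        "crhf": count(ro, lambda: crhf(ro, x)),
        "prg": count(ro, lambda: prg(ro, x)),
        "prf": count(ro, lambda: prf(ro, k, x)),
        "mac": count(ro, lambda: mac(ro, k, x)),
        "block_cipher": count(ic, lambda: block_cipher(ic, k, x, "enc")),
        "hardcore": count(ro, lambda: hardcore(ro, x)),
    }
    inputs = {bits(rng, ell) for _ in range(50)}
    checks = {
        "cipher_roundtrip": block_cipher(ic, k, block_cipher(ic, k, x, "enc"), "dec") == x,
        "owp_injective": len({owp(rp, v) for v in inputs}) == len(inputs),
        "mac_verifies": mac_verify(ro, k, x, mac(ro, k, x)),
        "prg_stretches": len(prg(ro, x)) == 2 * ell,
        "hash_halves": len(crhf(ro, x)) == ell // 2,
        "oracle_memoized": ro.query(x) == ro.query(x),
    }
    return counts, checks

if __name__ == "__main__":
    counts, checks = demo()
    print("oracle queries per evaluation:", counts)
    print("checks:", checks)
```

The lazily sampled tables are what make the "fresh random answer on first query" reasoning of Step 2 and of the hard-core argument concrete: an adversary learns nothing about $O(x)$ until it asks $x$, and the memoization guarantees the oracle stays a function (or a permutation under each key) across the whole experiment.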
In order to break the hard-core property of the function $f$, the adversary $A$ needs to distinguish between two experiments. In the first one she is given $(f(x), U_{\ell/2})$ as input, and in the second one she is given $(f(x), HC(x))$; in both experiments $f \leftarrow_R F_\ell$ and $x \leftarrow_R \{0,1\}^\ell$ are chosen at random. Note that as long as $A$ does not ask $x$ from the oracle, the two experiments are the same. At the beginning $A$ does not know the second half of the bits of $x$, so the probability that she asks $x$ from the oracle in one of her $2^{\ell/4}$ queries is at most $2^{\ell/4} \cdot 2^{-\ell/2} = 2^{-\ell/4}$. Hence, if the probability that she outputs $1$ in experiment $i$ is $p_i$ (for $1 \le i \le 2$), we have $|p_1 - p_2| \le 2^{-\ell/4}$.

So by using Lemma 7.4 and following the steps of the proof of Theorem 7.3 we get the following theorem:

Theorem 7.5. Let $E$ denote the set of functions $E = \{f(\ell) \mid f = 2^{\Omega(\ell)}\}$, and let $P$ be either a symmetric primitive or the primitive of functions with $\ell/2$ hard-core bits. Any black-box construction of one-time signature schemes for $n$-bit messages from an $E$-hard primitive $P$ with security parameter contraction $\ell(n)$ needs to ask $\min(\Omega(\ell(n)), n/4)$ queries from the primitive $P$.

8 Conclusions and open questions

We believe that lower bounds of this form (on the efficiency of constructing various schemes using black-box idealized primitives) can give us important information on the efficiency and optimality of various constructions. In particular, three natural questions related to this work are:

• Can one pinpoint more precisely the optimal number of queries in the construction of one-time signature schemes based on random oracles? In particular, perhaps our lower bound can be improved to show that the variant of Lamport's scheme given in Section 5 is optimal up to lower order terms.
• What is the threshold $d$ such that whenever $n \le dq$ we can get signature schemes for messages $\{0,1\}^n$ using $q$ oracle queries and arbitrarily large security? Again, it seems that the variant of Lamport's scheme given in Section 5 (working for $\log \binom{k}{ck}$-bit messages without hashing) gives this threshold (i.e., $d \approx 0.812$).

• Can we obtain a $2^{O(q)}$-query attack succeeding with high probability against signature schemes with imperfect completeness?

• Are there stronger bounds for general (not one-time) signatures? A plausible conjecture is that obtaining a $T$-time signature with black-box security $S$ requires $\Omega(\log T \log S)$ queries.

Acknowledgements: We thank David Xiao for useful discussions.

References

[Bar01] B. Barak. How to go beyond the black-box simulation barrier. In Proc. 42nd FOCS, pages 106–115. IEEE, 2001.

[BGP00] M. Bellare, O. Goldreich, and E. Petrank. Uniform Generation of NP-Witnesses Using an NP-Oracle. Inf. Comput., 163(2):510–526, 2000.

[BR93] M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the First Annual Conference on Computer and Communications Security, pages 62–73. ACM, November 1993.

[BM94] D. Bleichenbacher and U. M. Maurer. Directed Acyclic Graphs, One-way Functions and Digital Signatures (Extended Abstract). In Y. G. Desmedt, editor, Advances in Cryptology—CRYPTO '94, volume 839 of Lecture Notes in Computer Science, pages 75–82. Springer-Verlag, 21–25 Aug. 1994.

[BM96] D. Bleichenbacher and U. M. Maurer. On the Efficiency of One-Time Digital Signatures. In K. Kim and T. Matsumoto, editors, ASIACRYPT, volume 1163 of Lecture Notes in Computer Science, pages 145–158. Springer, 1996.

[Bol65] B. Bollobás. On generalized graphs. Acta Math. Acad. Sci. Hungar., 16:447–452, 1965.

[CGH98] R. Canetti, O. Goldreich, and S. Halevi.
The random oracle methodology, revisited. In Proc. 30th STOC, pages 209–218. ACM, 1998.
[DR02] J. Daemen and V. Rijmen. The Design of Rijndael: AES, the Advanced Encryption Standard. Springer, 2002.
[EGM89] S. Even, O. Goldreich, and S. Micali. On-line/off-line digital signatures. J. Cryptology, 9(1):35–67, 1996. Preliminary version in CRYPTO '89.
[GGK03] R. Gennaro, Y. Gertner, and J. Katz. Lower bounds on the efficiency of encryption and digital signature schemes. In Proc. 35th STOC. ACM, 2003.
[GGKT05] R. Gennaro, Y. Gertner, J. Katz, and L. Trevisan. Bounds on the efficiency of generic cryptographic constructions. SIAM Journal on Computing, 35, 2005. Preliminary versions in FOCS '00 [GT00] and STOC '03 [GGK03].
[GT00] R. Gennaro and L. Trevisan. Lower bounds on the efficiency of generic cryptographic constructions. In Proc. 41st FOCS, pages 305–313. IEEE, 2000.
[Gol04] O. Goldreich. Foundations of Cryptography: Basic Applications. Cambridge University Press, 2004.
[GMW87] O. Goldreich, S. Micali, and A. Wigderson. How to play any mental game. In Proc. 19th STOC, pages 218–229. ACM, 1987. See [Gol04, Chap. 7] for more details.
[GMW86] O. Goldreich, S. Micali, and A. Wigderson. Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems. J. ACM, 38(3):691–729, July 1991. Preliminary version in FOCS '86.
[HHRS07] Haitner, Hoch, Reingold, and Segev. Finding collisions in interactive protocols: A tight lower bound on the round complexity of statistically-hiding commitments. Electronic Colloquium on Computational Complexity (ECCC), technical report, 2007.
[IR89] R. Impagliazzo and S. Rudich. Limits on the provable consequences of one-way permutations. In Proc. 21st STOC, pages 44–61. ACM, 1989.
[KST99] J. H. Kim, D. R. Simon, and P. Tetali.
Limits on the efficiency of one-way permutation-based hash functions. In FOCS, pages 535–542, 1999.
[Lam79] L. Lamport. Constructing digital signatures from a one-way function. Technical Report CSL-98, SRI International, Oct. 1979.
[Mer87] R. C. Merkle. A digital signature based on a conventional encryption function. In C. Pomerance, editor, Advances in Cryptology (CRYPTO '87), volume 293 of Lecture Notes in Computer Science, pages 369–378. Springer-Verlag, 1988.
[Nat95] National Institute of Standards and Technology. FIPS PUB 180-1: Secure Hash Standard. Apr. 1995.
[PCTS00] A. Perrig, R. Canetti, J. D. Tygar, and D. Song. Efficient authentication and signing of multicast streams over lossy channels. In Proc. 2000 IEEE Symposium on Security and Privacy (S&P 2000), pages 56–73. IEEE, 2000.
[Rab78] M. O. Rabin. Digitalized signatures. In R. A. DeMillo, D. P. Dobkin, A. K. Jones, and R. J. Lipton, editors, Foundations of Secure Computation, pages 155–168. Academic Press, 1978.
[RTV04] O. Reingold, L. Trevisan, and S. P. Vadhan. Notions of reducibility between cryptographic primitives. In M. Naor, editor, TCC, volume 2951 of Lecture Notes in Computer Science, pages 1–20. Springer, 2004.
[Vau92] S. Vaudenay. One-time identification with low memory. In Eurocode '92, number 339 in CISM Courses and Lectures, pages 217–228, Wien, 1992. Springer-Verlag, Berlin.
[Wee07] H. Wee. One-way permutations, interactive hashing and statistically hiding commitments. In S. P. Vadhan, editor, TCC, volume 4392 of Lecture Notes in Computer Science, pages 419–433. Springer, 2007.
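To make the open question about the Lamport variant in the conclusions concrete, the following is an added example and not code from the paper: a k-out-of-ck subset variant of Lamport's one-time signature over a hash oracle, with SHA-256 standing in for the random oracle. Section 5 of the paper is not reproduced on this page, so reading "the variant of Lamport's scheme ... for $\log \binom{ck}{k}$-bit messages without hashing" as this standard subset scheme is an assumption, as are all names in the code; the query accounting it reports (ck queries for key generation, none for signing, k for verification) describes this toy scheme only and is not a derivation of the paper's constant 0.812. The code also carries through the one-time security argument: two distinct k-subsets never contain one another, so after a single signature a forger on any other message still needs a preimage for some unrevealed slot, while a second signature destroys that guarantee.

```python
"""Subset-based Lamport one-time signature over a hash oracle.

Added example, not code from the paper.  Assumptions: SHA-256 plays the
role of the random oracle, and the "variant of Lamport's scheme" is taken
to be the k-out-of-ck subset scheme (one secret per slot, a message selects
a k-subset of the ck slots, the signature reveals those k secrets), which
signs log2 C(ck, k)-bit messages without hashing the message first.
"""
import hashlib
import math
import secrets


def oracle(x: bytes) -> bytes:
    """Stand-in for the random oracle (assumption: SHA-256)."""
    return hashlib.sha256(x).digest()


def message_bits(c: int, k: int) -> int:
    """Message length the scheme handles without hashing: floor(log2 C(ck, k))."""
    return math.comb(c * k, k).bit_length() - 1


def queries(c: int, k: int) -> tuple:
    """Oracle queries of (key generation, signing, verification) in this toy scheme."""
    return (c * k, 0, k)


def unrank_subset(msg: int, m: int, k: int) -> list:
    """Map an integer in [0, C(m, k)) to the msg-th k-subset of {0..m-1} in
    lexicographic order (combinatorial number system).  The map is injective,
    so distinct messages always select distinct subsets."""
    if not 0 <= msg < math.comb(m, k):
        raise ValueError("message out of range for this (c, k)")
    subset, start = [], 0
    for i in range(k):
        for v in range(start, m):
            block = math.comb(m - v - 1, k - i - 1)  # subsets whose next element is v
            if msg < block:
                subset.append(v)
                start = v + 1
                break
            msg -= block
    return subset


def keygen(c: int, k: int, seclen: int = 32):
    """ck random secrets; the public key is their images under the oracle (ck queries)."""
    sk = [secrets.token_bytes(seclen) for _ in range(c * k)]
    pk = [oracle(s) for s in sk]
    return sk, pk


def sign(sk: list, msg: int, k: int) -> list:
    """Reveal the k secrets selected by the message.  Signing asks no oracle queries."""
    return [sk[i] for i in unrank_subset(msg, len(sk), k)]


def verify(pk: list, msg: int, sig: list, k: int) -> bool:
    """Recompute the subset from the message (never trust indices supplied by
    the signer) and check each revealed secret against the public key: k queries."""
    idx = unrank_subset(msg, len(pk), k)
    return len(sig) == k and all(oracle(s) == pk[i] for i, s in zip(idx, sig))


def unrevealed_slots(signed_msg: int, target_msg: int, c: int, k: int) -> set:
    """Slots a forger for target_msg must still invert after seeing one
    signature on signed_msg.  Two distinct k-subsets never contain each other,
    so the set is non-empty whenever the messages differ; this is the
    one-time security argument, and a second signature would break it."""
    m = c * k
    return set(unrank_subset(target_msg, m, k)) - set(unrank_subset(signed_msg, m, k))


if __name__ == "__main__":
    c, k = 3, 4                           # 12 slots, C(12, 4) = 495 messages, 8 bits
    sk, pk = keygen(c, k)
    msg = 0b10110010                      # constructed sample message
    sig = sign(sk, msg, k)
    assert verify(pk, msg, sig, k)
    assert not verify(pk, msg ^ 1, sig, k)   # the signature is bound to the message
    print(message_bits(c, k), "message bits; queries (gen, sign, verify) =", queries(c, k))
    print("slots still to invert for msg^1:", sorted(unrevealed_slots(msg, msg ^ 1, c, k)))
```

Run it directly to see the parameters for c = 3, k = 4; changing c and k shows how the message length $\log \binom{ck}{k}$ trades off against the ck + k oracle queries, which is the ratio the second open question asks about.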