# Programmable Hash Functions and Their Applications


## Abstract

We introduce a new combinatorial primitive called *programmable hash functions* (PHFs). PHFs can be used to *program* the output of a hash function such that it contains solved or unsolved discrete logarithm instances with a certain probability. This is a technique originally used for security proofs in the random oracle model. We give a variety of *standard model* realizations of PHFs (with different parameters).

The programmability makes PHFs a suitable tool to obtain black-box proofs of cryptographic protocols when considering adaptive attacks. We propose generic digital signature schemes from the strong RSA problem and from some hardness assumption on bilinear maps that can be instantiated with any PHF. Our schemes offer various improvements over known constructions. In particular, for a reasonable choice of parameters, we obtain short standard model digital signatures over bilinear maps.
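The sketch below is an added illustration, not code from this page or from the paper. It assumes a Waters-style multi-generator hash over a constructed toy group as one way to show what "programming" means: with the trapdoor, every output splits as `G^a_x * H^b_x`, and `a_x = 0` or `a_x != 0` distinguishes the two kinds of instance the abstract mentions. All names and parameters are hypothetical.

```python
import random

# Toy group (constructed, far too small for real use): P = 2Q + 1, both prime.
P, Q = 2039, 1019
G, H = 4, 9      # two elements of the order-Q subgroup of Z_P^*
L = 16           # message length in bits

def bits(x):
    return [(x >> i) & 1 for i in range(L)]

def trapdoor_keygen(rng=random.SystemRandom()):
    """Key h_0..h_L with h_i = G^a_i * H^b_i; trapdoor is the exponents (a, b).
    b_i is uniform, so each h_i is a uniform subgroup element and hides a_i."""
    a = [rng.choice((-1, 0, 1)) for _ in range(L + 1)]
    b = [rng.randrange(Q) for _ in range(L + 1)]
    key = [pow(G, ai % Q, P) * pow(H, bi, P) % P for ai, bi in zip(a, b)]
    return key, (a, b)

def hash_eval(key, x):
    """Public evaluation: h_0 * prod of h_i over the set bits of x."""
    out = key[0]
    for hi, xi in zip(key[1:], bits(x)):
        if xi:
            out = out * hi % P
    return out

def trapdoor_eval(td, x):
    """Return (a_x, b_x) such that hash_eval(key, x) == G^a_x * H^b_x."""
    a, b = td
    xs = bits(x)
    a_x = a[0] + sum(ai for ai, xi in zip(a[1:], xs) if xi)
    b_x = (b[0] + sum(bi for bi, xi in zip(b[1:], xs) if xi)) % Q
    return a_x, b_x

def program_rate(signed, target, trials=2000, rng=None):
    """Fraction of keys where a_signed == 0 (no G part: 'solved')
    and a_target != 0 (G part present: 'unsolved')."""
    rng = rng or random.SystemRandom()
    good = 0
    for _ in range(trials):
        _, td = trapdoor_keygen(rng)
        good += trapdoor_eval(td, signed)[0] == 0 and trapdoor_eval(td, target)[0] != 0
    return good / trials

if __name__ == "__main__":
    key, td = trapdoor_keygen()
    a_x, b_x = trapdoor_eval(td, 0xBEEF)
    assert hash_eval(key, 0xBEEF) == pow(G, a_x % Q, P) * pow(H, b_x, P) % P
    print("a_x, b_x =", a_x, b_x, " rate =", program_rate(0xBEEF, 0x1234))
```

The rate returned by `program_rate` is the "certain probability" in this toy setting: it is noticeable but well below 1, which is why a proof built on such a hash loses a corresponding factor in its reduction.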

## Key words

Hash functions, Digital signatures, Standard model
