Advertisement

Journal of Cryptology

, Volume 25, Issue 3, pp 484–527 | Cite as

Programmable Hash Functions and Their Applications

  • Dennis Hofheinz
  • Eike KiltzEmail author
Article

Abstract

We introduce a new combinatorial primitive called programmable hash functions (PHFs). PHFs can be used to program the output of a hash function such that it contains solved or unsolved discrete logarithm instances with a certain probability. This is a technique originally used for security proofs in the random oracle model. We give a variety of standard model realizations of PHFs (with different parameters).

The programmability makes PHFs a suitable tool to obtain black-box proofs of cryptographic protocols when considering adaptive attacks. We propose generic digital signature schemes from the strong RSA problem and from some hardness assumption on bilinear maps that can be instantiated with any PHF. Our schemes offer various improvements over known constructions. In particular, for a reasonable choice of parameters, we obtain short standard model digital signatures over bilinear maps.

Key words

Hash functions Digital signatures Standard model 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. [1]
    M. Abdalla, D. Catalano, A. Dent, J. Malone-Lee, G. Neven, N. Smart, Identity-based encryption gone wild, in ICALP 2006: 33rd International Colloquium on Automata, Languages and Programming, Part II, ed. by M. Bugliesi, B. Preneel, V. Sassone, I. Wegener, Venice, Italy, July 10–14, 2006. Lecture Notes in Computer Science, vol. 4052 (Springer, Berlin, 2006), pp. 300–311 CrossRefGoogle Scholar
  2. [2]
    S. Agrawal, D. Boneh, X. Boyen, Efficient lattice (H)IBE in the standard model, in Advances in Cryptology—EUROCRYPT 2010, ed. by H. Gilbert, French Riviera, May 30–June 3, 2010. Lecture Notes in Computer Science, vol. 6110 (Springer, Berlin, 2010), pp. 553–572 CrossRefGoogle Scholar
  3. [3]
    N. Bari, B. Pfitzmann, Collision-free accumulators and fail-stop signature schemes without trees, in Advances in Cryptology—EUROCRYPT’97, ed. by W. Fumy, Konstanz, Germany, May 11–15, 1997. Lecture Notes in Computer Science, vol. 1233 (Springer, Berlin, 1997), pp. 480–494 Google Scholar
  4. [4]
    M. Bellare, T. Ristenpart, Simulation without the artificial abort: Simplified proof and improved concrete security for Waters’ IBE scheme, in Advances in Cryptology—EUROCRYPT 2009, ed. by A. Joux, Cologne, Germany, April 26–30, 2009. Lecture Notes in Computer Science, vol. 5479 (Springer, Berlin, 2009), pp. 407–424 CrossRefGoogle Scholar
  5. [5]
    M. Bellare, P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, in ACM CCS 93: 1st Conference on Computer and Communications Security, ed. by V. Ashby, Fairfax, Virginia, USA, November 3–5, 1993 (ACM, New York, 1993), pp. 62–73 CrossRefGoogle Scholar
  6. [6]
    M. Bellare, P. Rogaway, The exact security of digital signatures: How to sign with RSA and Rabin, in Advances in Cryptology—EUROCRYPT’96, ed. by U.M. Maurer, Saragossa, Spain, May 12–16, 1996. Lecture Notes in Computer Science, vol. 1070 (Springer, Berlin, 1996), pp. 399–416 Google Scholar
  7. [7]
    M. Bellare, O. Goldreich, S. Goldwasser, Incremental cryptography: the case of hashing and signing, in Advances in Cryptology—CRYPTO’94, ed. by Y. Desmedt, Santa Barbara, CA, USA, August 21–25, 1994. Lecture Notes in Computer Science, vol. 839 (Springer, Berlin, 1994), pp. 216–233 Google Scholar
  8. [8]
    O. Blazy, G. Fuchsbauer, D. Pointcheval, D. Vergnaud, Signatures on randomizable ciphertexts, in Public Key Cryptography (2011) Google Scholar
  9. [9]
    D. Boneh, X. Boyen, Efficient selective-ID secure identity based encryption without random oracles, in Advances in Cryptology—EUROCRYPT 2004, ed. by C. Cachin, J. Camenisch, Interlaken, Switzerland, May 2–6, 2004. Lecture Notes in Computer Science, vol. 3027 (Springer, Berlin, 2004), pp. 223–238 CrossRefGoogle Scholar
  10. [10]
    D. Boneh, X. Boyen, Secure identity based encryption without random oracles, in Advances in Cryptology—CRYPTO 2004, ed. by M. Franklin, Santa Barbara, CA, USA, August 15–19, 2004. Lecture Notes in Computer Science, vol. 3152 (Springer, Berlin, 2004), pp. 443–459 CrossRefGoogle Scholar
  11. [11]
    D. Boneh, X. Boyen, Short signatures without random oracles and the SDH assumption in bilinear groups. J. Cryptol. 21(2), 149–177 (2008) MathSciNetzbMATHCrossRefGoogle Scholar
  12. [12]
    D. Boneh, M.K. Franklin, Identity-based encryption from the Weil pairing, in Advances in Cryptology—CRYPTO 2001, ed. by J. Kilian, Santa Barbara, CA, USA, August 19–23, 2001. Lecture Notes in Computer Science, vol. 2139 (Springer, Berlin, 2001), pp. 213–229 CrossRefGoogle Scholar
  13. [13]
    D. Boneh, M.K. Franklin, Identity based encryption from the Weil pairing. SIAM J. Comput. 32(3), 586–615 (2003) MathSciNetzbMATHCrossRefGoogle Scholar
  14. [14]
    D. Boneh, B. Lynn, H. Shacham, Short signatures from the Weil pairing, in Advances in Cryptology—ASIACRYPT 2001, ed. by C. Boyd, Gold Coast, Australia, December 9–13, 2001. Lecture Notes in Computer Science, vol. 2248 (Springer, Berlin, 2001), pp. 514–532 CrossRefGoogle Scholar
  15. [15]
    D. Boneh, B. Lynn, H. Shacham, Short signatures from the Weil pairing. J. Cryptol. 17(4), 297–319 (2004) MathSciNetzbMATHCrossRefGoogle Scholar
  16. [16]
    X. Boyen, General ad hoc encryption from exponent inversion IBE, in Advances in Cryptology—EUROCRYPT 2007. Lecture Notes in Computer Science, vol. 4515 (Springer, Berlin, 2007), pp. 394–411 CrossRefGoogle Scholar
  17. [17]
    X. Boyen, Lattice mixing and vanishing trapdoors: A framework for fully secure short signatures and more, in PKC 2010: 13th International Conference on Theory and Practice of Public Key Cryptography, ed. by P.Q. Nguyen, D. Pointcheval, Paris, France, May 26–28, 2010. Lecture Notes in Computer Science, vol. 6056 (Springer, Berlin, 2010), pp. 499–517 CrossRefGoogle Scholar
  18. [18]
    X. Boyen, Q. Mei, B. Waters, Direct chosen ciphertext security from identity-based techniques, in ACM CCS 05: 12th Conference on Computer and Communications Security, ed. by V. Atluri, C. Meadows, A. Juels, Alexandria, Virginia, USA, November 7–11, 2005 (ACM, New York, 2005), pp. 320–329 CrossRefGoogle Scholar
  19. [19]
    S. Brands, An efficient off-line electronic cash system based on the representation problem. Report CS-R9323, Centrum voor Wiskunde en Informatica, March 1993 Google Scholar
  20. [20]
    J. Camenisch, A. Lysyanskaya, A signature scheme with efficient protocols, in SCN 02: 3rd International Conference on Security in Communication Networks, ed. by S. Cimato, C. Galdi, G. Persiano, Amalfi, Italy, September 12–13, 2002. Lecture Notes in Computer Science, vol. 2576 (Springer, Berlin, 2002), pp. 268–289 Google Scholar
  21. [21]
    J. Camenisch, A. Lysyanskaya, Signature schemes and anonymous credentials from bilinear maps, in Advances in Cryptology—CRYPTO 2004, ed. by M. Franklin, Santa Barbara, CA, USA, August 15–19, 2004. Lecture Notes in Computer Science, vol. 3152 (Springer, Berlin, 2004), pp. 56–72 CrossRefGoogle Scholar
  22. [22]
    D. Cash, D. Hofheinz, E. Kiltz, C. Peikert, Bonsai trees, or how to delegate a lattice basis, in Advances in Cryptology—EUROCRYPT 2010, ed. by H. Gilbert, French Riviera, May 30–June 3, 2010. Lecture Notes in Computer Science, vol. 6110 (Springer, Berlin, 2010), pp. 523–552 CrossRefGoogle Scholar
  23. [23]
    D. Chaum, J.-H. Evertse, J. van de Graaf, An improved protocol for demonstrating possession of discrete logarithms and some generalizations, in Advances in Cryptology—EUROCRYPT’87, ed. by D. Chaum, W.L. Price, Amsterdam, The Netherlands, April 13–15, 1988. Lecture Notes in Computer Science, vol. 304 (Springer, Berlin, 1988), pp. 127–141 Google Scholar
  24. [24]
    D. Chaum, E. van Heijst, B. Pfitzmann, Cryptographically strong undeniable signatures, unconditionally secure for the signer, in Advances in Cryptology—CRYPTO’91, ed. by J. Feigenbaum, Santa Barbara, CA, USA, August 11–15, 1992. Lecture Notes in Computer Science, vol. 576 (Springer, Berlin, 1992), pp. 470–484 Google Scholar
  25. [25]
    J.H. Cheon, Security analysis of the strong Diffie-Hellman problem, in Advances in Cryptology—EUROCRYPT 2006, ed. by S. Vaudenay, St. Petersburg, Russia, May 28–June 1, 2006. Lecture Notes in Computer Science, vol. 4004 (Springer, Berlin, 2006), pp. 1–11 CrossRefGoogle Scholar
  26. [26]
    B. Chevallier-Mames, M. Joye, A practical and tightly secure signature scheme without hash function, in Topics in Cryptology—CT-RSA 2007, ed. by M. Abe, San Francisco, CA, USA, February 5–9, 2007. Lecture Notes in Computer Science, vol. 4377 (Springer, Berlin, 2007), pp. 339–356 CrossRefGoogle Scholar
  27. [27]
    J.-S. Coron, On the exact security of full domain hash, in Advances in Cryptology—CRYPTO 2000, ed. by M. Bellare, Santa Barbara, CA, USA, August 20–24, 2000. Lecture Notes in Computer Science, vol. 1880 (Springer, Berlin, 2000), pp. 229–235 CrossRefGoogle Scholar
  28. [28]
    R. Cramer, V. Shoup, Signature schemes based on the strong RSA assumption. ACM Trans. Inf. Syst. Secur. 3(3), 161–185 (2000) CrossRefGoogle Scholar
  29. [29]
    I. Damgård, M. Koprowski, Generic lower bounds for root extraction and signature schemes in general groups, in Advances in Cryptology—EUROCRYPT 2002, ed. by L.R. Knudsen, Amsterdam, The Netherlands, April 28–May 2, 2002. Lecture Notes in Computer Science, vol. 2332 (Springer, Berlin, 2002), pp. 256–271 CrossRefGoogle Scholar
  30. [30]
    Y. Dodis, R. Oliveira, K. Pietrzak, On the generic insecurity of the full domain hash, in Advances in Cryptology—CRYPTO 2005, ed. by V. Shoup, Santa Barbara, CA, USA, August 14–18, 2005. Lecture Notes in Computer Science, vol. 3621 (Springer, Berlin, 2005), pp. 449–466 CrossRefGoogle Scholar
  31. [31]
    U. Feige, A. Fiat, A. Shamir, Zero-knowledge proofs of identity. J. Cryptol. 1(2), 77–94 (1988) MathSciNetzbMATHCrossRefGoogle Scholar
  32. [32]
    W. Feller, An Introduction to Probability Theory and Its Applications, vol. 1, 3rd edn. (Wiley, New York, 1968) zbMATHGoogle Scholar
  33. [33]
    M. Fischlin, The Cramer–Shoup strong-RSA signature scheme revisited, in PKC 2003: 6th International Workshop on Theory and Practice in Public Key Cryptography, ed. by Y. Desmedt, Miami, USA, January 6–8, 2003. Lecture Notes in Computer Science, vol. 2567 (Springer, Berlin, 2003), pp. 116–129 CrossRefGoogle Scholar
  34. [34]
    E. Fujisaki, T. Okamoto, Statistical zero knowledge protocols to prove modular polynomial relations, in Advances in Cryptology—CRYPTO’97, ed. by B.S. Kaliski Jr., Santa Barbara, CA, USA, August 17–21, 1997. Lecture Notes in Computer Science, vol. 1294 (Springer, Berlin, 1997), pp. 16–30 Google Scholar
  35. [35]
    J. Furukawa, H. Imai, An efficient group signature scheme from bilinear maps, in ACISP 05: 10th Australasian Conference on Information Security and Privacy, ed. by C. Boyd, J.M. González Nieto, Brisbane, Queensland, Australia, July 4–6, 2005. Lecture Notes in Computer Science, vol. 3574 (Springer, Berlin, 2005), pp. 455–467 Google Scholar
  36. [36]
    R. Gennaro, S. Halevi, T. Rabin, Secure hash-and-sign signatures without the random oracle, in Advances in Cryptology—EUROCRYPT’99, ed. by J. Stern, Prague, Czech Republic, May 2–6, 1999. Lecture Notes in Computer Science, vol. 1592 (Springer, Berlin, 1999), pp. 123–139 Google Scholar
  37. [37]
    C. Gentry, Practical identity-based encryption without random oracles, in Advances in Cryptology—EUROCRYPT 2006, ed. by S. Vaudenay, St. Petersburg, Russia, May 28–June 1, 2006. Lecture Notes in Computer Science, vol. 4004 (Springer, Berlin, 2006), pp. 445–464 CrossRefGoogle Scholar
  38. [38]
    C. Gentry, C. Peikert, V. Vaikuntanathan, Trapdoors for hard lattices and new cryptographic constructions, in 40th Annual ACM Symposium on Theory of Computing, ed. by R.E. Ladner, C. Dwork, Victoria, British Columbia, Canada, May 17–20, 2008 (ACM, New York, 2008), pp. 197–206 Google Scholar
  39. [39]
    S. Goldwasser, S. Micali, R.L. Rivest, A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988) MathSciNetzbMATHCrossRefGoogle Scholar
  40. [40]
    J. Groth, Cryptography in subgroups of ℤn, in TCC 2005: 2nd Theory of Cryptography Conference, ed. by J. Kilian, Cambridge, MA, USA, February 10–12, 2005. Lecture Notes in Computer Science, vol. 3378 (Springer, Berlin, 2005), pp. 50–65 Google Scholar
  41. [41]
    L.C. Guillou, J.-J. Quisquater, A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory, in Advances in Cryptology—EUROCRYPT’88, ed. by C.G. Günther, Davos, Switzerland, May 25–27, 1988. Lecture Notes in Computer Science, vol. 330 (Springer, Berlin, 1988), pp. 123–128 Google Scholar
  42. [42]
    J. Håstad, R. Impagliazzo, L.A. Levin, M. Luby, A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999) MathSciNetzbMATHCrossRefGoogle Scholar
  43. [43]
    D. Hofheinz, E. Kiltz, Secure hybrid encryption from weakened key encapsulation, in Advances in Cryptology—CRYPTO 2007, ed. by A. Menezes, Santa Barbara, CA, USA, August 19–23, 2007. Lecture Notes in Computer Science, vol. 4622 (Springer, Berlin, 2007), pp. 553–571 CrossRefGoogle Scholar
  44. [44]
    D. Hofheinz, E. Kiltz, Practical chosen ciphertext secure encryption from factoring, in Advances in Cryptology—EUROCRYPT 2009, ed. by A. Joux, Cologne, Germany, April 26–30, 2009. Lecture Notes in Computer Science, vol. 5479 (Springer, Berlin, 2009), pp. 313–332 CrossRefGoogle Scholar
  45. [45]
    S. Hohenberger, B. Waters, Short and stateless signatures from the RSA assumption, in Advances in Cryptology—CRYPTO 2009, ed. by S. Halevi, Santa Barbara, CA, USA, August 16–20, 2009. Lecture Notes in Computer Science, vol. 5677 (Springer, Berlin, 2009), pp. 654–670 CrossRefGoogle Scholar
  46. [46]
    Q. Huang, D.S. Wong, New constructions of convertible undeniable signature schemes without random oracles. Cryptology ePrint Archive, Report 2009/517 (2009). http://eprint.iacr.org/
  47. [47]
    B.D. Hughes, Random Walks and Random Environments: Vol. 1: Random Walks (Oxford University Press, London, 1995) zbMATHGoogle Scholar
  48. [48]
    M. Joye, How (not) to design strong-RSA signatures. Des. Codes Cryptogr. (2011) Google Scholar
  49. [49]
    E. Kiltz, Chosen-ciphertext security from tag-based encryption, in TCC 2006: 3rd Theory of Cryptography Conference, ed. by S. Halevi, T. Rabin, New York, NY, USA, March 4–7, 2006. Lecture Notes in Computer Science, vol. 3876 (Springer, Berlin, 2006), pp. 581–600 Google Scholar
  50. [50]
    E. Kiltz, D. Galindo, Direct chosen-ciphertext secure identity-based key encapsulation without random oracles, in ACISP 2006. Lecture Notes in Computer Science, vol. 4058 (Springer, Berlin, 2006), pp. 336–347 Google Scholar
  51. [51]
    E. Kiltz, D. Galindo, Direct chosen-ciphertext secure identity-based key encapsulation without random oracles. Theor. Comput. Sci. 410(47–49), 5093–5111 (2009) MathSciNetzbMATHCrossRefGoogle Scholar
  52. [52]
    E. Kiltz, Y. Vahlis, CCA2 secure IBE: Standard model efficiency through authenticated symmetric encryption, in Topics in Cryptology—CT-RSA 2008, ed. by T. Malkin, San Francisco, CA, USA, April 7–11, 2008. Lecture Notes in Computer Science, vol. 4964 (Springer, Berlin, 2008), pp. 221–238 CrossRefGoogle Scholar
  53. [53]
    E. Kiltz, K. Pietrzak, D. Cash, A. Jain, D. Venturi, Efficient authentication from hard learning problems, in EUROCRYPT (2011) Google Scholar
  54. [54]
    V. Lyubashevsky, D. Micciancio, Asymptotically efficient lattice-based digital signatures, in TCC 2008: 5th Theory of Cryptography Conference, ed. by R. Canetti, San Francisco, CA, USA, March 19–21, 2008. Lecture Notes in Computer Science, vol. 4948 (Springer, Berlin, 2008), pp. 37–54 Google Scholar
  55. [55]
    A. Miyaji, M. Nakabayashi, S. Takano, New explicit conditions of elliptic curve traces for FR-reduction. IEICE Trans. Fundam. E84-A(5), 1234–1243 (2001) Google Scholar
  56. [56]
    D. Naccache, D. Pointcheval, J. Stern, Twin signatures: An alternative to the hash-and-sign paradigm, in ACM CCS 01: 8th Conference on Computer and Communications Security, Philadelphia, PA, USA, November 5–8, 2001 (ACM, New York, 2001), pp. 20–27 CrossRefGoogle Scholar
  57. [57]
    T. Okamoto, Efficient blind and partially blind signatures without random oracles, in TCC 2006: 3rd Theory of Cryptography Conference, ed. by S. Halevi, T. Rabin, New York, NY, USA, March 4–7, 2006. Lecture Notes in Computer Science, vol. 3876 (Springer, Berlin, 2006), pp. 80–99 Google Scholar
  58. [58]
    C. Peikert, B. Waters, Lossy trapdoor functions and their applications, in 40th Annual ACM Symposium on Theory of Computing, ed. by R.E. Ladner, C. Dwork, Victoria, British Columbia, Canada, May 17–20, 2008 (ACM, New York, 2008), pp. 187–196 Google Scholar
  59. [59]
    R. Sakai, K. Ohgishi, M. Kasahara, Cryptosystems based on pairing, in SCIS 2000, Okinawa, Japan, January 2000 Google Scholar
  60. [60]
    S. Schäge, Tight proofs for signature schemes without random oracles, in EUROCRYPT (2011) Google Scholar
  61. [61]
    S. Schäge, J. Schwenk, A CDH-based ring signature scheme with short signatures and public keys, in FC 2010: 14th International Conference on Financial Cryptography and Data Security, ed. by R. Sion, Tenerife, Canary Islands, Spain, January 25–28, 2010. Lecture Notes in Computer Science, vol. 6052 (Springer, Berlin, 2010), pp. 129–142 Google Scholar
  62. [62]
    Secure hash standard. National Institute of Standards and Technology, NIST FIPS PUB 180-1, U.S. Department of Commerce, April 1995 Google Scholar
  63. [63]
    V. Shoup, A Computational Introduction to Number Theory and Algebra (Cambridge University Press, Cambridge, 2005) zbMATHGoogle Scholar
  64. [64]
    B. Waters, Dual system encryption: Realizing fully secure IBE and HIBE under simple assumptions, in Advances in Cryptology—CRYPTO 2009, ed. by S. Halevi, Santa Barbara, CA, USA, August 16–20, 2009. Lecture Notes in Computer Science, vol. 5677 (Springer, Berlin, 2009), pp. 619–636 CrossRefGoogle Scholar
  65. [65]
    B.R. Waters, Efficient identity-based encryption without random oracles, in Advances in Cryptology—EUROCRYPT 2005, ed. by R. Cramer, Aarhus, Denmark, May 22–26, 2005. Lecture Notes in Computer Science, vol. 3494 (Springer, Berlin, 2005), pp. 114–127 CrossRefGoogle Scholar
  66. [66]
    H. Zhu, New digital signature scheme attaining immunity to adaptive chosen-message attack. Chin. J. Electron. 10(4), 484–486 (2001) Google Scholar
  67. [67]
    H. Zhu, A formal proof of zhu’s signature scheme. Cryptology ePrint Archive, Report 2003/155 (2003). http://eprint.iacr.org/

Copyright information

© International Association for Cryptologic Research 2011

Authors and Affiliations

  1. 1.Institut für Kryptographie und SicherheitKarlsruhe Institute of TechnologyKarlsruheGermany
  2. 2.Fakultät für MathematikRuhr-Universität BochumBochumGermany

Personalised recommendations