
Adaptive Pseudo-Free Groups and Applications*

Dario Catalano (1), Dario Fiore (2)**, and Bogdan Warinschi (3)

(1) Dipartimento di Matematica e Informatica, Università di Catania, Italy. catalano@dmi.unict.it
(2) École Normale Supérieure, CNRS - INRIA, Paris, France. dario.fiore@ens.fr
(3) Dept. Computer Science, University of Bristol, UK. bogdan@cs.bris.ac.uk

* An extended abstract of this paper appears in the proceedings of Eurocrypt 2011. The work described in this paper has been supported in part by the European Commission through the ICT programme under contract ICT-2007-216676 ECRYPT II.
** Work partially done while a student at the University of Catania.

Abstract. A computational group is pseudo-free if an adversary cannot find solutions in this group for equations that are not trivially solvable in the free group. This notion was put forth by Rivest as a unifying abstraction of multiple group-related hardness assumptions commonly used in cryptography. Rivest's conjecture that the RSA group is pseudo-free had been settled by Micciancio for the case of RSA moduli that are the product of two safe primes. This result holds for a static setting where the adversary is only given the description of the group (together with a set of randomly chosen generators) and has to come up with the equation and the solution. In this paper we explore a powerful extension of the notion of pseudo-freeness. We identify, motivate, and study pseudo-freeness in the face of adaptive adversaries who may learn solutions to other non-trivial equations before having to solve a new non-trivial equation. Our first contribution is a carefully crafted definition of adaptive pseudo-freeness that walks a fine line between being too weak and being unsatisfiable. We give generic constructions that show how any group that satisfies our definition can be used to construct digital signatures and network signature schemes. Next, we prove that the RSA group meets our more stringent notion of pseudo-freeness, and as a consequence we obtain several results. First, we obtain a new network (homomorphic) signature scheme in the standard model. Secondly, we demonstrate the generality of our framework for signatures by showing that all existing strong RSA-based signature schemes are instantiations of our generic construction in the RSA group.

1 Introduction

Background. The search for abstractions that capture the essential security properties of primitives and protocols is crucial in cryptography. Among other benefits, such abstractions allow for modular security analysis and for reusable and scalable proofs. The random oracle model [5], the universal composability framework [9] and variants [1, 3, 19] of the Dolev-Yao models [11] are results of this research direction. Most of the existing results in this direction (the above examples included) mostly tackle primitives and protocols and are not concerned with the more basic mathematical structures that underlie current cryptographic constructions. One notable exception is the work on pseudo-free groups, a notion put forth by Hohenberger [16] and later refined by Rivest [20]. In this paper we continue the investigation of this abstraction. Roughly speaking, a computational group $G$ (a group where the group operations have efficient implementations) is pseudo-free if it behaves as a free group as far as a computationally bounded adversary is concerned. More specifically, a group is pseudo-free if an adversary who is given a description of the group cannot find solutions for non-trivial equations. Here, non-triviality means that the equation does not have a solution in the free group.
For instance, in a pseudo-free group, given a random element $a$ it should be hard to find a solution for an equation of the form $x^e = a$ when $e \neq 1$, or for the equation $x_1^2 x_2^4 = a^5$, but not for the equation $x_1 x_2^3 = a^5$. This last equation is trivial since it can be solved over the free group (it has $x_1 = a^2$, $x_2 = a$ as a solution in the free group), and a solution in the free group immediately translates to a solution over $G$. The notion of pseudo-freeness generalizes the strong RSA assumption (when $G$ is an RSA group) but also numerous other assumptions currently used in cryptography; see [20] for further details. Rivest's conjecture that the RSA group is pseudo-free was largely settled by Micciancio [18], who proved that this is indeed the case when the RSA modulus is the product of two safe primes.

In its most basic form, as studied so far, the notion of pseudo-free groups did not lend itself easily to applications. The problem is that in most of the interesting uses of the RSA group the adversary is not only given a description of the group, but is often allowed to see solutions to non-trivial equations before having to come up with its own new equation and solution. This is the case for example in RSA-based signature schemes, where one can think of a signature as the solution to some non-trivial equation. A chosen-message attack allows the adversary access to an oracle that solves (non-trivial) equations over the group, and a forgery is a solution to a new equation. This problem was recognized early on by Rivest [20], who also left as open problems the design of a notion of pseudo-freeness for adaptive adversaries and, of course, whether such groups exist. In this paper we put forth such a notion, prove that the RSA group is adaptive pseudo-free, and exhibit several applications for adaptive pseudo-free groups. We detail our results next.

Adaptive pseudo-free groups. We first extend the notion of pseudo-freeness to adaptive adversaries.
Informally, we consider an adversary that can see solutions for some equations and whose goal is to solve a new non-trivial equation. As explained above, this scenario captures typical uses of groups in cryptography. Our definition involves two design decisions. The first is to fix the type of equations for which the adversary is allowed to see solutions and how these equations are chosen: too much freedom in selecting these equations immediately leads to potentially unsatisfiable notions, whereas too severe restrictions may not model the expected intuition of what an adaptive adversary is and may not allow for applications. In the definition that we propose, equations are selected from a distribution over the set of equations. Importantly, the distribution depends on a parameter supplied by the adversary. This models the idea that in applications the adversary may have some control over how the equations are selected. Different choices for this distribution lead to a variety of adversaries, from very weak ones where no equation is provided (precisely the setting of pseudo-freeness proposed earlier), to a setting where the adversary has no influence on the choice of equations, and ending with the very strong notion where the adversary basically selects the equations on its own. The second issue is to define what a non-trivial equation is in the adaptive setting. Indeed, previous definitions of triviality do not apply, since in our new setting the adversary knows additional relations between the group elements which in turn may help it in solving additional equations. We define non-triviality in a way motivated by existing uses of groups in cryptography and by an analysis of equations over quotients of free groups. Our definition is for the case of univariate equations but can be easily extended to multivariate equations as well as systems of equations.

Generic constructions for signatures.
Our definition of pseudo-freeness is parametrized by a distribution over equations. We show that for any distribution in a class of distributions that satisfy certain criteria, one can construct secure digital signature and network coding signature schemes. The requirements on the distribution include the ability to efficiently check membership in the support of the distribution, and a property on the distribution of the exponents in the equation. Informally, these requirements are used to enforce that each equation freshly drawn from the distribution is most likely non-trivial with respect to previously sampled equations. We show that an adversary that breaks the signature scheme must also contradict the pseudo-freeness of the underlying group. Our generic construction for network coding signatures is secure in the vanilla model based only on the adaptive pseudo-freeness of the underlying group. Any instantiation of such groups would thus yield network signature schemes secure in the standard model. Indeed, given the instantiation that we discuss below, our framework yields the first RSA-based network coding homomorphic signature scheme secure in the standard model.

The RSA group is adaptive pseudo-free. Next, we turn to proving that the RSA group is adaptive pseudo-free. We do so for a class of distributions closely related to, but slightly more general than, the distributions that yield signature schemes. We show that an adversary that contradicts pseudo-freeness of the RSA group with respect to the distribution can be used to contradict the strong RSA assumption. We also prove that the RSA group is pseudo-free for a weaker version of adaptive adversaries who output their inputs to the distribution non-adaptively, but in this case the proof is for a larger class of distributions. We do not attempt to prove adaptive pseudo-freeness of the RSA group for multivariate equations.
While this is potentially an interesting topic for further research, we are not aware of cryptographic applications where such equations are used.

Instantiations. An appealing interpretation of the proof of adaptive pseudo-freeness for the RSA group is that it distills the core argument that underlies the typical security proofs for signatures based on the strong RSA assumption. Each such proof explains how a signature forgery can be used to break strong RSA. In this sense our proof is a generalization to a broader (abstractly defined) set of equations rather than the particular equations that define an individual signature scheme. Indeed, we show that virtually all strong RSA signature schemes are instances of our generic construction. We explain how to obtain the schemes by Cramer and Shoup [10], Fischlin [12], Camenisch and Lysyanskaya [8], Zhu [22], Hofheinz and Kiltz [15], and that by Gennaro, Halevi, and Rabin [13] by instantiating our generic distribution in appropriate ways. The security of all of these schemes follows as a corollary from the security of our generic construction.

2 Preliminaries

A number $N$ is called an RSA modulus if it is the product of two distinct prime numbers $p, q$. $QR_N \subseteq \mathbb{Z}_N^*$ denotes the set of quadratic residues modulo $N$, namely $QR_N = \{\tau \in \mathbb{Z}_N^* : \tau = z^2 \bmod N,\ z \in \mathbb{Z}_N^*\}$.

Definition 1 (Safe primes). A prime $p$ is called a safe prime if $p = 2p' + 1$ where $p'$ is also prime.

The Strong RSA Assumption was introduced by Baric and Pfitzmann in [4]. Essentially it is a variant of RSA where the adversary is allowed to choose the exponent $e$ for which it has to extract the root. It is formally defined as follows.

Definition 2 (Strong RSA). Let $N$ be a random RSA modulus of length $k$, where $k \in \mathbb{N}$ is the security parameter, and let $\tau$ be a random element in $\mathbb{Z}_N^*$. Then we say that the Strong RSA assumption holds if for any PPT adversary $A$ the probability $\Pr[(y, e) \leftarrow A(N, \tau) : y^e = \tau \bmod N]$ is negligible in $k$.
In this paper we use a variant of this assumption where $\tau$ is taken from the set $QR_N$. As shown in [10], such a variant is implied by the standard Strong RSA assumption.

2.1 Division Intractable Functions

In our work we use the notion of division intractable functions. Informally, a function $H$ is division intractable if an adversary $A$ cannot find $x_1, x_2, \ldots, x_t, y$ such that $y \neq x_i$ for all $i$ and $H(y)$ divides the product of the $H(x_i)$'s. It is easy to see that this notion is satisfied by any function that maps inputs to (distinct) prime numbers. Such mappings can be instantiated without making any cryptographic assumptions (see [7] for a construction), but they are not very efficient in practice. Gennaro et al. introduced in [13] the notion of division intractable hash functions and also showed how to get practical implementations of them. We recall below the formal definition.

Definition 3 (Division Intractable Hash Functions). Let $\mathcal{H}$ be a family of hash functions with $\mathrm{poly}(k)$-bit input and $k$-bit output. We say that $\mathcal{H}$ is division intractable if for any PPT adversary it is hard to win the following game:
1. a function $H$ is chosen at random from $\mathcal{H}$;
2. the adversary outputs $x_1, x_2, \ldots, x_t, y$ such that: (i) $y \neq x_i$ for all $i = 1, \ldots, t$ and (ii) $H(y) \mid \prod_{i=1}^t H(x_i)$.

2.2 Signatures

A digital signature scheme $\Pi$ is given by a triple of algorithms $(\mathrm{KG}, \mathrm{Sign}, \mathrm{Ver})$ for key generation, signing, and verifying respectively. Key generation takes as input a security parameter $k$ and returns a pair of keys $(sk, vk)$ for producing and verifying signatures, respectively. On input a signing key $sk$ and a message $m$, the signature algorithm produces a signature $\sigma$. The verification algorithm takes as input a triple $vk, m, \sigma$ and tests if $\sigma$ is a valid signature on $m$ with respect to verification key $vk$. We recall two security notions for signature schemes.

Definition 4 (Security of signature schemes).
Consider the experiment $\mathrm{Exp}^{uf\text{-}cma}_{A,\Pi}(k)$ where a signing/verification key pair $(sk, vk)$ is generated for security parameter $k$. Then the adversary is given $vk$ and is provided with a signing oracle that produces signatures on the messages that the adversary (adaptively) queries. Eventually, the adversary outputs a tentative forgery $(m^*, \sigma^*)$. The experiment returns 1 if $\sigma^*$ is a valid signature on $m^*$ and $m^*$ had not been queried to the signature oracle. We call $\mathrm{Exp}^{suf\text{-}cma}_{A,\Pi}(k)$ the related experiment where $(m^*, \sigma^*)$ is considered a forgery if it is different from all the pairs $(m_i, \sigma_i)$ obtained from the signature oracle. A signature scheme $\Pi$ is unforgeable under chosen message attack if for any probabilistic polynomial-time adversary $A$ the advantage $\mathrm{Adv}^{uf\text{-}cma}_{A,\Pi}(k) = \Pr[\mathrm{Exp}^{uf\text{-}cma}_{A,\Pi}(k) = 1]$ is a negligible function. The signature scheme is strongly unforgeable if $\mathrm{Adv}^{suf\text{-}cma}_{A,\Pi}(k) = \Pr[\mathrm{Exp}^{suf\text{-}cma}_{A,\Pi}(k) = 1]$ is a negligible function.

It is also possible to consider a relaxed experiment where the adversary is required to choose the messages for which it wants to see signatures before receiving the public key. Signature schemes that are proved secure with respect to such an experiment are said to be weakly secure.

3 Static pseudo-free groups

As a warm up, we recall the notion of pseudo-free groups as introduced by Rivest [20]. To distinguish it from the notions that we develop in this paper we refer to the older notion as static pseudo-free groups.

Free abelian groups. For any set of symbols $A = \{a_1, a_2, \ldots, a_m\}$ we write $A^{-1}$ for the set of symbols $A^{-1} = \{a_1^{-1}, a_2^{-1}, \ldots, a_m^{-1}\}$. Let $X = \{x_1, \ldots, x_n\}$ and $A = \{a_1, \ldots, a_m\}$ be two disjoint sets of variable and constant symbols. An equation over $X$ with constants in $A$ is a pair $\lambda = (w_1, w_2) \in (X^* \times A^*)$. We usually write an equation $\lambda = (w_1, w_2)$ as $w_1 = w_2$ and, looking ahead (we will only consider these equations over abelian groups), we may also write it as
$x_1^{e_1} x_2^{e_2} \cdots x_n^{e_n} = a_1^{s_1} a_2^{s_2} \cdots a_m^{s_m}$
where $\{e_1, \ldots, e_n\}$ and $\{s_1, \ldots, s_m\}$ are integers.

Let $(G, \cdot)$ be an arbitrary abelian group and $\alpha : A \to G$ be an interpretation of the constants in $A$ as group elements. We write $\lambda_\alpha$ for the equation $\lambda$ interpreted over $G$ via $\alpha$. An evaluation $\psi : X \to G$ is a solution for $\lambda_\alpha$ if $\psi(x_1)^{e_1} \cdots \psi(x_n)^{e_n} = \alpha(a_1)^{s_1} \cdots \alpha(a_m)^{s_m}$. Any equation $\lambda$ over $X$ and $A$ can be viewed as an equation over the free group $\mathcal{F}(A)$ via the interpretation $1_A : A \to \mathcal{F}(A)$ that maps $a$ to $a$. It can be easily shown [20, 18] that the equation $\lambda_{1_A}$ has a solution in $\mathcal{F}(A)$ if and only if for all $i = 1, \ldots, m$ it holds that $\gcd(e_1, \ldots, e_n) \mid s_i$. We call such equations trivial, in the sense that these equations have solutions over the free group. All of the other equations are deemed non-trivial.

Static pseudo-free groups. A computational group consists of a (finite) set of representations for the group elements together with efficient implementations for the two group operations. Informally, a computational group is pseudo-free if it is hard to find an equation which is unsatisfiable over the free group, together with a solution in the computational group. It is worth noting that if the order of the group is known then finding solutions for non-trivial equations may be easy. Therefore, the notion of pseudo-free groups holds for families $\mathcal{G} = \{G_N\}_{N \in \mathcal{N}_k}$ of computational groups where $N$ is chosen at random from the set of indices $\mathcal{N}_k$ (typically these are the strings of length $k$) and the corresponding order $\mathrm{ord}(G_N)$ is hidden from the adversary. In the following we recall the formal definition given by Micciancio in [18] (which is similar to that of Rivest [20]). The adversary that is considered in the following definition is static (in that it is only allowed to see a description of the group, but obtains no further information). To distinguish this class of groups from others that we define in this paper we call them static pseudo-free groups.
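The gcd criterion above is constructive: when $\gcd(e_1, \ldots, e_n)$ divides every $s_i$, Bezout coefficients $c_j$ with $\sum_j c_j e_j = \gcd(e_1, \ldots, e_n)$ give an explicit free-group solution $x_j = \prod_i a_i^{c_j s_i / g}$. The following Python is an added example, not code from the paper; all function names are this example's own, and it represents an element of the free abelian group on $a_1, \ldots, a_m$ by its exponent vector.

```python
from math import gcd
from typing import List, Optional, Tuple

# Constructed example, not the paper's code.  An equation
#   x_1^{e_1} ... x_n^{e_n} = a_1^{s_1} ... a_m^{s_m}
# is given by the exponent lists e (length n) and s (length m).  A variable
# assignment is a list of n exponent vectors, one per x_j, each of length m
# (x_j = a_1^{c_1} ... a_m^{c_m} in the free abelian group on a_1..a_m).


def ext_gcd(a: int, b: int) -> Tuple[int, int, int]:
    """Return (g, u, v) with u*a + v*b == g == gcd(a, b) >= 0."""
    if b == 0:
        return (abs(a), 1 if a >= 0 else -1, 0)
    g, u, v = ext_gcd(b, a % b)
    return (g, v, u - (a // b) * v)


def bezout_vector(e: List[int]) -> Tuple[int, List[int]]:
    """Return (g, c) with sum(c_j * e_j) == g == gcd(e_1, ..., e_n)."""
    g, c0, _ = ext_gcd(e[0], 0)
    c = [c0]
    for ej in e[1:]:
        g2, u, v = ext_gcd(g, ej)
        c = [u * cj for cj in c] + [v]   # keeps sum(c_j e_j) == g2
        g = g2
    return g, c


def is_trivial_free(e: List[int], s: List[int]) -> bool:
    """Triviality test of Section 3: gcd(e_1..e_n) divides every s_i."""
    g = 0
    for ej in e:
        g = gcd(g, ej)
    if g == 0:                           # every e_j is 0: trivial iff all s_i are 0
        return all(si == 0 for si in s)
    return all(si % g == 0 for si in s)


def solve_free(e: List[int], s: List[int]) -> Optional[List[List[int]]]:
    """Return a free-group solution (exponent vector per variable) or None if non-trivial."""
    if not is_trivial_free(e, s):
        return None
    g, c = bezout_vector(e)
    if g == 0:                           # all e_j == 0 and all s_i == 0: x_j = 1 works
        return [[0] * len(s) for _ in e]
    # x_j = prod_i a_i^{c_j * s_i / g}; the division is exact because g | s_i
    return [[cj * si // g for si in s] for cj in c]


def verify_free_solution(e: List[int], s: List[int], sol: List[List[int]]) -> bool:
    """Check sum_j e_j * (exponent of a_i in x_j) == s_i for every generator a_i."""
    return all(sum(ej * sol[j][i] for j, ej in enumerate(e)) == si
               for i, si in enumerate(s))
```

Run on the paper's two examples: `solve_free([2, 4], [5])` returns `None` since $\gcd(2,4) = 2 \nmid 5$, while `solve_free([1, 3], [5])` returns a solution, and `verify_free_solution([1, 3], [5], [[2], [1]])` confirms the paper's own solution $x_1 = a^2$, $x_2 = a$.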
Definition 5 (Static Pseudo-Free Groups [18]). A family of computational groups $\mathcal{G} = \{G_N\}_N$ is static pseudo-free if for any set $A$ of polynomial size $|A| = p(k)$ (where $k$ is a security parameter) and any PPT algorithm $\mathcal{A}$, the following holds. Let $N \in \mathcal{N}_k$ be a randomly chosen group index, and define $\alpha : A \to G_N$ by choosing $\alpha(a)$ uniformly at random in $G_N$ for each $a \in A$. Then the probability (over the selection of $\alpha$) that on input $(N, \alpha)$ adversary $\mathcal{A}$ outputs an equation $\lambda$ and a solution $\psi$ for $\lambda_\alpha$ is negligible in $k$.

4 Adaptive pseudo-free groups

A rough definition. The notion described above requires an adversary to produce a solution for some non-trivial equation given only some randomly chosen generators to be used in the equation, but no additional information. In contrast, the notion that we develop attempts to capture the idea that an adversary against the computational group gets to see several equations with solutions, and then attempts to solve a new non-trivial equation. A typical cryptographic game that captures this situation involves an adversary $\mathcal{A}$ who works against a Challenger as follows.

Setup. The Challenger chooses a random instance of the computational group $G_N$ (by picking a random index $N \xleftarrow{\$} \mathcal{N}_k$) from a family $\mathcal{G} = \{G_N\}_{N \in \mathcal{N}_k}$. Then he fixes an assignment $\alpha : A \to G_N$ for the set of constants and gives $(\alpha, G_N)$ to the adversary.

Equation queries. In this phase the adversary is allowed to see non-trivial equations together with their solutions.

Challenge. At some point the adversary is supposed to output a new "non-trivial" equation $\lambda^*$ (defined by $(e^*, \mathbf{s}^*)$) together with a solution $\psi^*$.

Notice that the above description incorporates an assumption that we make for simplicity, namely that all equations are univariate. In general, any univariate equation over $A$ is of the form $x^e = a_1^{s_1} a_2^{s_2} \cdots a_m^{s_m}$. For the case of static pseudo-free groups, this restriction is justified by the following lemma that was proved by Micciancio in [18].
Informally, the lemma says that any (multivariate) equation and solution $(\lambda, \psi)$ can be efficiently transformed into a univariate equation and solution $(\lambda', \psi')$. Whilst we extend the definition of trivial equations to the multivariate case in Appendix A, it would be interesting to see if a similar lemma is possible in the context of adaptive pseudo-freeness.

Lemma 1 ([18]). For any computational group family $\mathcal{G}$, there is a PPT algorithm that on input an equation $\lambda$ over constants $A$ and variables $X$, a group $G$ from $\mathcal{G}$, and a variable assignment $\psi : X \to G$, outputs a univariate equation $\lambda'$ and a value $\psi' \in G$ such that: (1) if $\lambda$ is unsatisfiable over the free group $\mathcal{F}(A)$, then $\lambda'$ is also unsatisfiable over $\mathcal{F}(A)$, and (2) for any assignment $\alpha : A \to G$, if $\psi$ is a solution to $\lambda_\alpha$, then $\psi'$ is a solution to $\lambda'_\alpha$.

The general definition of pseudo-freeness that we sketched above leaves open two important points: 1) How are the equations for which the adversary sees solutions produced? and 2) What does "non-trivial equation" mean when other equations and solutions are given? We discuss and give answers to these two problems in Sections 4.1 and 4.2 respectively.

4.1 A spectrum of adaptive adversaries

The second phase of the above generic game requires that adversaries be given non-trivial equations together with their solutions, so we need to clarify how these equations are produced. Here we identify a whole spectrum of possible choices. The weakest definition one might consider is one where the adversary does not have any control over these equations. For instance, this means that, whenever the Challenger is queried in the second phase, the Challenger chooses an equation $\lambda_i$ (more precisely it chooses its exponents $(e_i, \mathbf{s}_i)$) and gives $\lambda_i$ and its solution in $G$, $\psi_i$, to the adversary. Unfortunately, in such a game the adversary is not really adaptive: it may receive all the equations and solutions at once.
The strongest possible notion, and perhaps the most natural one, would be to consider an adversary that is allowed to choose equations $\lambda_i$ (namely their respective exponents $(e_i, \mathbf{s}_i)$) in any way it wants. In particular the choice of the equations can be done in an adaptive way, namely $\mathcal{A}$ asks for an equation, sees its solution, then chooses another equation and so on. We call this definition "Strong Adaptive Pseudo-freeness". Unfortunately this choice seems to lead to an unrealizable notion.[4] We therefore settle on an intermediate variant where the adversary is allowed to be adaptive, but still cannot choose the equations in a completely arbitrary way. Instead, we consider a setting where the equations are selected from the set of all equations according to some distribution over which the adversary has some limited control. We formulate this limitation via a parametric distribution $\varphi$ over the set of all possible equations. Sampling from such a distribution requires some parameter $M$ of some appropriate length which is provided by the adversary. The distribution then produces a tuple of $m + 1$ integers which for expressivity we write $(e, \mathbf{s})$. Here $e$ is an integer (the exponent for the variable) and $\mathbf{s}$ is a vector of $m$ integers (the exponents for the generators). The idea is that once the parameter $M$ is fixed, $\varphi(M)$ is some fixed distribution from which $(e, \mathbf{s})$ are drawn. Notice that the two ends of the spectrum can be modeled via appropriate choices of $\varphi$.

4.2 Non-trivial equation w.r.t. other equations

Our definition of adaptive pseudo-freeness requires an adversary to find a solution to a non-trivial equation. In the original setting of Rivest, non-triviality of an equation simply meant that the equation has no solution in the free group. In our setting, non-triviality is less clear: the adversary is already given solutions for some equations, which may lead to solutions for other equations that are difficult to solve otherwise.
In this section we develop a notion of triviality for equations given solutions to other equations. Our ultimate goal is to characterize, using the vocabulary of free groups, those equations that cannot be solved in the computational group.

General deducibility modulo equations. We frame the discussion in slightly more general terms to obtain a framework suitable for talking about non-triviality of both univariate and multivariate equations. Let $F$ be the free abelian group generated by the set $\{a_1, a_2, \ldots, a_m\}$ and let $\Lambda \subseteq F \times F$ be an arbitrary binary relation on $F$ that models equalities between words in $F$ (equations with solutions can be thought of as such relations). We therefore aim to characterize the set of all equalities that can be derived from $\Lambda$. Recall that eventually these equalities are interpreted over computational groups, hence there are two ways for an adversary to derive new equalities. The first is to use the group operations and their properties. For example, if $\Lambda = \{a_1 a_2 = a_1^2 a_4\}$, then it can also be derived that $a_1 a_2^2 = a_1^2 a_4 a_2 = a_1^3 a_4^2$, where the first equality is obtained by simply multiplying the known equation by $a_2$, and the second equality follows using the commutativity of $F$ and the known equality. The second possibility reflects an ability that computational adversaries have (when working against computational groups). Specifically, if an equality of the form $w_1^q = w_2^q$ can be derived in a computational group, then the equality $w_1 = w_2$ can also be derived (provided that $q$ is relatively prime to the order of the group). Furthermore, since we search for an abstraction independent of the order of the group, we have to consider the above possibility for any $q$. The following definition is motivated by the above discussion.

Definition 6. Let $F$ be a freely generated abelian group and let $\Lambda \subseteq F \times F$ be an arbitrary binary relation on $F$. Let $\equiv_\Lambda$ be the smallest congruence on $F$ such that:
– $\Lambda \subseteq\ \equiv_\Lambda$;
– $\forall q \in \mathbb{N}$, $\forall w_1, w_2 \in F$: $w_1^q \equiv_\Lambda w_2^q \implies w_1 \equiv_\Lambda w_2$.
Then $w_1$ and $w_2$ are trivially equal with respect to $\Lambda$ if $w_1 \equiv_\Lambda w_2$.

[4] For example, it is not clear at all if a group like $\mathbb{Z}_N^*$ can be proved strongly-adaptive pseudo-free under any reasonable assumption (e.g. Strong RSA).

Next, we derive an explicit description for $\equiv_\Lambda$. Let $\Lambda = \{(w_{1,1}, w_{2,1}), (w_{1,2}, w_{2,2}), \ldots, (w_{1,t}, w_{2,t})\}$. Consider the binary relation $R_\Lambda$ on $F$ defined by: $(w_1, w_2) \in R_\Lambda$ if and only if there exist $l_1, l_2, \ldots, l_t \in \mathbb{Q}$ such that
$w_1 = w_2 \cdot \prod_{i=1}^t (w_{1,i} \cdot w_{2,i}^{-1})^{l_i}$.
Here, exponentiation of a word $w = a_1^{s_1} a_2^{s_2} \cdots a_n^{s_n}$ with a rational number $l = p/q$ is defined (in the obvious way) if and only if $q$ divides $\gcd_{1 \le i \le n} (p \cdot s_i)$. The following proposition states that $\equiv_\Lambda$ and $R_\Lambda$ are one and the same relation.

Proposition 1. Let $R_\Lambda$ and $\equiv_\Lambda$ be defined as above. Then $(w_1, w_2) \in R_\Lambda$ if and only if $(w_1, w_2) \in\ \equiv_\Lambda$.

The proposition follows from the next two lemmas.

Lemma 2. $\equiv_\Lambda\ \subseteq R_\Lambda$.

Proof. We prove that $R_\Lambda$ is a congruence and has all of the closure properties required of $\equiv_\Lambda$ (so the desired inclusion follows since $\equiv_\Lambda$ is the smallest congruence with these properties).
– $R_\Lambda$ is reflexive. Let $w \in F$ be arbitrary. Then $(w, w) \in R_\Lambda$ by setting $l_1 = l_2 = \ldots = l_t = 0$.
– $R_\Lambda$ is symmetric. Let $w_1, w_2$ be such that $(w_1, w_2) \in R_\Lambda$, so there exist $l_1, l_2, \ldots, l_t \in \mathbb{Q}$ such that $w_1 = w_2 \cdot \prod_{k=1}^t (w_{1,k} w_{2,k}^{-1})^{l_k}$. Then $(w_2, w_1) \in R_\Lambda$ by fixing the coefficients for the linear combination to $-l_1, -l_2, \ldots, -l_t$.
– $R_\Lambda$ is transitive. If $l_1, l_2, \ldots, l_t$ show that $R_\Lambda(w_1, w_2)$ and $m_1, m_2, \ldots, m_t$ show that $R_\Lambda(w_2, w_3)$, then $l_1 + m_1, l_2 + m_2, \ldots, l_t + m_t$ show that $R_\Lambda(w_1, w_3)$.
– $R_\Lambda$ commutes with the operations. Let $w_1, w_2, w_1', w_2'$ be such that $(w_1, w_2), (w_1', w_2') \in R_\Lambda$, so there exist $l_1, l_2, \ldots, l_t, m_1, m_2, \ldots, m_t$ such that $w_1 = w_2 \cdot \prod_{k=1}^t (w_{1,k} w_{2,k}^{-1})^{l_k}$ and $w_1' = w_2' \cdot \prod_{k=1}^t (w_{1,k} w_{2,k}^{-1})^{m_k}$. Then $(w_1 w_1', w_2 w_2') \in R_\Lambda$ (take the coefficients for the required linear combination to be $l_k + m_k$ for every $1 \le k \le t$). Also, we have that $(w_1^{-1}, w_2^{-1}) \in R_\Lambda$: take the required coefficients to be $-l_1, -l_2, \ldots, -l_t$.
– $\Lambda \subseteq R_\Lambda$. To show that $(w_{1,k}, w_{2,k}) \in R_\Lambda$ for an arbitrary $1 \le k \le t$, set all of $l_1, l_2, \ldots, l_t$ equal to 0 with the exception of $l_k$, which is set to 1.
– Let $w_1, w_2$ be such that $(w_1^q, w_2^q) \in R_\Lambda$. By the definition of $R_\Lambda$ there exist $l_1, l_2, \ldots, l_t$ such that $w_1^q = w_2^q \cdot \prod_{k=1}^t (w_{1,k} w_{2,k}^{-1})^{l_k}$. It follows that $(w_1, w_2) \in R_\Lambda$ by setting the coefficients of the linear combination to $l_1/q, l_2/q, \ldots, l_t/q$.
Since $R_\Lambda$ satisfies all of the properties that $\equiv_\Lambda$ satisfies, and the latter is the smallest congruence with these properties, it follows that $\equiv_\Lambda\ \subseteq R_\Lambda$.

Lemma 3. $R_\Lambda \subseteq\ \equiv_\Lambda$.

Proof. Define the operations $S, T, Q, I, M : \mathcal{P}(F \times F) \to \mathcal{P}(F \times F)$ as follows.
– $S(\mathcal{S}) = \{(x, y) \mid (y, x) \in \mathcal{S}\}$
– $T(\mathcal{S}) = \{(x, y) \mid \exists z \in F : (x, z), (z, y) \in \mathcal{S}\}$
– $Q(\mathcal{S}) = \{(x, y) \mid \exists q \in \mathbb{Z} : (x^q, y^q) \in \mathcal{S}\}$
– $I(\mathcal{S}) = \{(x, y) \mid (x^{-1}, y^{-1}) \in \mathcal{S}\}$
– $M(\mathcal{S}) = \{(x_1 x_2, y_1 y_2) \mid (x_1, y_1), (x_2, y_2) \in \mathcal{S}\}$
Since all of the operations above commute with each other, the congruence $\equiv_\Lambda$ is the closure of the set $(F \times F \cup \Lambda)$ under the above operations. It is easy to see that $F \times F \cup \Lambda \subseteq R_\Lambda$ and that for any set $\mathcal{S}$, if $\mathcal{S} \subseteq R_\Lambda$ then $O(\mathcal{S}) \subseteq R_\Lambda$ for any operation $O \in \{S, T, Q, I, M\}$. The desired inclusion then follows.

Trivial equations. Using the notion of deducibility modulo equations developed above we can now specify the class of equations that we consider trivial (given solutions for the equations in some set $\Lambda$). For simplicity, we focus on the case of univariate equations, which is more relevant for the cryptographic applications of this paper. The definition easily extends to the case of multivariate equations (for completeness we give this variation in Appendix A).
Assume that we are given a set of equations
$\Lambda = \{x^{e_k} = a_1^{s_1^k} \cdots a_m^{s_m^k}\}_{k=1}^t$,
together with their corresponding solutions $\{\phi_k\}_{k=1}^t$. (Notice that these are equations in a computational group; solutions for these equations may simply not exist in a free group.) Let $F$ be the free abelian group generated by $\{\phi_1, \phi_2, \ldots, \phi_t, a_1, a_2, \ldots, a_m\}$ (interpreted as symbols). The equations in $\Lambda$ induce a binary relation on $F$ which (by a slight abuse of notation) we also call $\Lambda$. So $\Lambda = \{(\phi_k^{e_k},\ a_1^{s_1^k} \cdots a_m^{s_m^k}) \mid 1 \le k \le t\}$. The following definition is simply a particular instance of Definition 6 for the case of univariate equations.

Definition 7. Equation $x^{e^*} = a_1^{s_1^*} \cdots a_m^{s_m^*}$ is trivial with respect to $\Lambda$ if the equation has a solution over $F/\!\equiv_\Lambda$.

We use the characterization of $\equiv_\Lambda$ that we gave earlier to explicitly determine the class of trivial equations. Let
$x^{e^*} = a_1^{s_1^*} \cdots a_m^{s_m^*}$   (1)
be an equation that has a solution over $F/\!\equiv_\Lambda$. Let $\phi = \phi_1^{k_1} \cdots \phi_t^{k_t} a_1^{v_1} \cdots a_m^{v_m}$ be such a solution. From the explicit characterization of $\equiv_\Lambda$ there exist $l_1, \ldots, l_t$ in $\mathbb{Q}$ such that
$(\phi_1^{k_1} \cdots \phi_t^{k_t} a_1^{v_1} \cdots a_m^{v_m})^{e^*} = a_1^{s_1^*} a_2^{s_2^*} \cdots a_m^{s_m^*} \cdot \prod_{i=1}^t \Big(\phi_i^{e_i} \cdot \prod_{k=1}^m a_k^{-s_k^{(i)}}\Big)^{l_i}$   (2)
Since equality here is standard equality over $F$, the relation above translates (via symbol-by-symbol matching of exponents) into the following requirement. Equation (1) has a solution if there exist $v_1, \ldots, v_m, k_1, \ldots, k_t$ in $\mathbb{Z}$ and $l_1, \ldots, l_t \in \mathbb{Q}$ such that:
1. $k_i e^* = e_i \cdot l_i$ (for all $1 \le i \le t$)
2. $v_i e^* = s_i^* - \sum_{j=1}^t l_j s_i^{(j)}$ (for all $1 \le i \le m$)
The converse of the above statement is also true: if integers $v_1, \ldots, v_m, k_1, \ldots, k_t$ and rationals $l_1, \ldots, l_t$ exist such that Equation (2) holds, then $\phi = \phi_1^{k_1} \cdots \phi_t^{k_t} a_1^{v_1} \cdots a_m^{v_m}$ is a solution for Equation (1) over $F/\!\equiv_\Lambda$.

Finally, we express these two conditions in a more compact matrix form which will be simpler to use in our proofs.
Given the set of equations $\Lambda = \{x^{e_k} = a_1^{s_1^k} \cdots a_m^{s_m^k}\}_{k=1}^t$ we define the following quantities:
$$\Sigma = \begin{pmatrix} s_1^1 & \cdots & s_1^t \\ \vdots & \ddots & \vdots \\ s_m^1 & \cdots & s_m^t \end{pmatrix} \quad\text{and}\quad E = \begin{pmatrix} 1/e_1 & & 0 \\ & \ddots & \\ 0 & & 1/e_t \end{pmatrix}$$
These quantities depend on $\Lambda$, but we do not show the dependency explicitly to avoid heavy notation.

Proposition 2 (Trivial equation w.r.t. a set of equations). Equation $\lambda^* : x^{e^*} = a_1^{s_1^*} \cdots a_m^{s_m^*}$ is trivial w.r.t. $\Lambda$ if and only if
$\exists\, \mathbf{k} \in \mathbb{Z}^t,\ \mathbf{V} \in \mathbb{Z}^m : e^* (\Sigma E \mathbf{k} + \mathbf{V}) = \mathbf{s}^*$
where $\mathbf{s}^* = [s_1^* \cdots s_m^*]^T$.

Proof. The proposition follows by simply setting $l_i = k_i \frac{e^*}{e_i}$ for all $1 \le i \le t$.

4.3 A definition of adaptive pseudo-free groups

The definition of adaptive pseudo-freeness that we give below is for a set $A$ of $m$ generators and a computational group family $\{G_N\}_N$, and is parameterized by a distribution $\varphi(\cdot)$ as discussed in Section 4.1.

Setup. The Challenger chooses a random instance of the computational group $G_N$ (by picking a random index $N \xleftarrow{\$} \mathcal{N}_k$) from a family $\mathcal{G} = \{G_N\}_{N \in \mathcal{N}_k}$. Then he fixes an assignment $\alpha : A \to G_N$ for the set $A$ of generators and a specific parametric distribution $\varphi$ for the exponents. The adversary is given as input the assignment $\alpha : A \to G_N$ and the descriptions of the computational group and of the parametric distribution $\varphi$.

Equation queries. In this phase the adversary is allowed to adaptively query the Challenger on equations and see their solutions. More precisely, $\mathcal{A}$ controls the queried equations via the parametric distribution $\varphi$. Namely, for each query it chooses a parameter $M_i$ and hands it to the Challenger. The Challenger runs $(e_i, \mathbf{s}_i) \leftarrow \varphi(M_i)$, computes the solution $\psi_i$ for the equation $\lambda_i$, which is $x^{e_i} = a_1^{s_1^i} \cdots a_m^{s_m^i}$, and gives $(\psi_i, e_i, \mathbf{s}_i)$ to $\mathcal{A}$.

Challenge. Once the adversary has seen the solutions, it is supposed to output an equation $\lambda^*$ (defined by $(e^*, \mathbf{s}^*)$) together with a solution $\psi^*$. We say that $\mathcal{A}$ wins this game if $\lambda^*$ is a non-trivial equation.

Definition 8 (Adaptive pseudo-free groups).
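Proposition 2 can be turned into a decision procedure for small instances, which is a convenient way to check intuitions about which challenge equations are trivial. The Python below is an added example, not the paper's code, and its names (`trivial_wrt`, `check_witness`) are its own. It assumes every $e_k \ge 1$ and $e^* \neq 0$. Its one observation beyond the text is that $(\Sigma E \mathbf{k})$ changes by the integer column $\mathbf{s}^{(j)}$ when $k_j$ is shifted by $e_j$, and $\mathbf{V}$ absorbs integer vectors, so searching each $k_j$ over $0, \ldots, e_j - 1$ is exhaustive.

```python
from fractions import Fraction
from itertools import product
from typing import List, Optional, Tuple

# Constructed example, not the paper's code.  An equation x^e = a_1^{s_1} ... a_m^{s_m}
# is represented as the pair (e, [s_1, ..., s_m]); Lambda is a list of such pairs.
Equation = Tuple[int, List[int]]


def sigma_e_k(lam: List[Equation], k: List[int], m: int) -> List[Fraction]:
    """The vector Sigma E k of Proposition 2: (Sigma E k)_i = sum_j s_i^{(j)} * k_j / e_j."""
    return [sum((Fraction(s[i] * kj, e) for (e, s), kj in zip(lam, k)), Fraction(0))
            for i in range(m)]


def check_witness(lam: List[Equation], e_star: int, s_star: List[int],
                  k: List[int], V: List[int]) -> bool:
    """Verify the identity e*(Sigma E k + V) = s* for a candidate witness (k, V)."""
    sek = sigma_e_k(lam, k, len(s_star))
    return all(e_star * (sek[i] + V[i]) == s_star[i] for i in range(len(s_star)))


def trivial_wrt(lam: List[Equation], e_star: int,
                s_star: List[int]) -> Optional[Tuple[List[int], List[int]]]:
    """Decide whether x^{e*} = a^{s*} is trivial w.r.t. Lambda (Proposition 2).

    Returns a witness (k, V) with k in Z^t, V in Z^m, or None if the equation is
    non-trivial.  Assumes e_j >= 1 for every equation in Lambda and e_star != 0.
    Because shifting k_j by e_j changes Sigma E k by the integer vector s^{(j)}
    (which V absorbs), it suffices to try k_j in 0 .. e_j - 1.
    """
    m = len(s_star)
    for k in product(*[range(e) for e, _ in lam]):
        sek = sigma_e_k(lam, list(k), m)
        V: List[int] = []
        for i in range(m):
            v_i = Fraction(s_star[i], e_star) - sek[i]   # must be an integer for V in Z^m
            if v_i.denominator != 1:
                break
            V.append(int(v_i))
        else:
            return list(k), V
    return None
```

With $\Lambda = \{x^3 = a_1 a_2^2\}$ (solution $\phi_1$), the challenge $x^6 = a_1^2 a_2^4$ is trivial with witness $\mathbf{k} = [1]$, $\mathbf{V} = [0, 0]$ (indeed $\phi_1^6 = (a_1 a_2^2)^2$), while $x^3 = a_1$ is non-trivial: it would require $k_1 \equiv 1 \pmod 3$ for the $a_1$ exponent and $k_1 \equiv 0 \pmod 3$ for the $a_2$ exponent. With $\Lambda$ empty, the procedure reduces to the static gcd criterion of Section 3.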
$\mathcal{G}$ is a family of adaptive pseudo-free groups w.r.t. distribution $\varphi$ if, for any set $A$ of polynomial size, any PPT adversary $\mathcal{A}$ wins the game above with at most negligible probability.

We restate several of the reasons that justify the above definition. Although the definition is parametrized by a distribution, we feel this is the right way of modeling an adversary who is adaptive but not all-powerful. As explained, by varying the distribution one obtains a large spectrum of potentially interesting instantiations, from static pseudo-freeness all the way to strong adaptive pseudo-freeness. Finally, we show that for some fixed distributions adaptive pseudo-freeness immediately implies secure signature schemes.

5 Applications of adaptive pseudo-free groups

As an application of adaptive pseudo-free groups we show how to obtain signature and network coding signature schemes out of pseudo-free groups. For our signature construction we exhibit a class of parametric distributions $\varphi_\ell$ and show that any family of groups that is adaptive pseudo-free w.r.t. $\varphi \in \varphi_\ell$ immediately yields a signature scheme that is strongly unforgeable under chosen-message attack. We also explain how to adapt the distribution and the proof to obtain the analogous result for (non-strongly) unforgeable schemes.

5.1 Signatures from adaptive pseudo-free groups

The class of parametric distributions $\varphi_\ell$. In this section we introduce a specific class of parametric distributions $\varphi_\ell : \{0,1\}^\ell \to \mathbb{Z}^{1+m} \times \{0,1\}^{a(\ell)}$. For any input $M \in \{0,1\}^\ell$ and an integer $\ell$, $\varphi_\ell(M)$ outputs a tuple $(e, s, r)$ such that:
– $r$ is a binary string taken according to some arbitrary distribution $D_r$;
– $e = H(r)$ where $H : \{0,1\}^{a(\ell)} \to \{0,1\}^{b(\ell)}$ is a division intractable function (see Section 2) and $a(\cdot)$ and $b(\cdot)$ are polynomials;
– $s_1 = 1$;
– $s_i \in \mathbb{Z}_e$ (i.e. $s_i < e$) for all $i = 2, \ldots, m$, taken according to some efficiently samplable distribution $D_{s_i}$.
Also we require that $\varphi_\ell(M)$ produces an output $(e, s, r)$ for which one can efficiently tell that it belongs to the support of $\varphi_\ell(M)$. Formally, we require that $\varphi_\ell$ is equipped with an efficient algorithm $\mathsf{Ver}_{\varphi_\ell}(\cdot, \cdot, \cdot, \cdot)$ that, on input $(e, s, r, M)$, outputs 1 if $(e, s, r)$ is in the support of $\varphi_\ell(M)$ and 0 otherwise. Moreover we require $\mathsf{Ver}_{\varphi_\ell}(e, s, r, M)$ to be such that, for all PPT adversaries $\mathcal{A}$, the probability
$$\Pr\big[(e, s, r, M_1, M_2) \leftarrow \mathcal{A}(\varphi_\ell) : M_1 \ne M_2 \wedge \mathsf{Ver}_{\varphi_\ell}(e, s, r, M_1) = 1 \wedge \mathsf{Ver}_{\varphi_\ell}(e, s, r, M_2) = 1\big]$$
is at most negligible.

Signature scheme construction. We now show how to build a signature scheme from any family of groups $\mathcal{G}$ that is adaptive pseudo-free w.r.t. $\hat\varphi \in \varphi_\ell$. Let $\hat\varphi$ be a parametric distribution taken from the class $\varphi_\ell$ and let $\mathcal{G}$ be a family of groups that is adaptive pseudo-free w.r.t. $\hat\varphi$. Then we have the following signature scheme PFSig = (KG, Sign, Ver):

KG($1^k$): Let $A = \{a_1, \ldots, a_m\}$ and $X = \{x\}$ be the sets of constant and variable symbols. The key generation algorithm selects a random group $G$ from $\mathcal{G}$, fixes an assignment $\alpha : A \to G$ for the symbols in $A$ and finally sets $vk = (X, A, \alpha, G, \hat\varphi)$ as the public verification key and $sk = \mathrm{ord}(G)$ as the secret signing key. The input space $\mathcal{M}$ of $\hat\varphi$ is taken as the message space of the signature scheme.

Sign($sk$, $M$): The signing algorithm proceeds as follows:
– $(e, s, r) \leftarrow \hat\varphi(M)$;
– use $\mathrm{ord}(G)$ to solve the equation $x^e = a_1^{s_1} \cdots a_m^{s_m}$, and let $\psi : X \to G$ be the satisfying assignment for $x$.
The algorithm outputs $\sigma = (e, s, r, \psi)$ as the signature for $M$.

Ver($vk$, $M$, $\sigma$): To verify a signature $\sigma$ for a message $M$, the verification algorithm proceeds as follows:
– check that $\mathsf{Ver}_{\hat\varphi}(e, s, r, M) = 1$ and that the equation $x^e = a_1^{s_1} \cdots a_m^{s_m}$ is satisfied in $G$ by $\psi(x)$;
– if both checks pass, output 1, otherwise 0.

Security of the signature scheme. In this section we prove the security of the proposed signature scheme under the assumption that $\mathcal{G}$ is adaptive pseudo-free w.r.t. $\hat\varphi$.
In particular we can state the following theorem:

Theorem 1. If $\mathcal{G}$ is a family of adaptive pseudo-free groups w.r.t. distribution $\hat\varphi \in \varphi_\ell$, then the signature scheme PFSig is strongly unforgeable under chosen-message attack.

Proof. For the sake of contradiction, assume there exists an adversary $\mathcal{A}$ that is able to break the security of PFSig with non-negligible probability. Then we can build a simulator algorithm $\mathcal{B}$ that breaks the adaptive pseudo-freeness of $\mathcal{G}$ w.r.t. $\hat\varphi$. Let $X$ and $A$ be the sets of variable and constant symbols. At the beginning of the game $\mathcal{B}$ receives $(\alpha, G)$ and the description of $\hat\varphi$ from its challenger. It sets $vk = (X, A, \alpha, G)$ and runs $\mathcal{A}$ on input $vk$. Whenever $\mathcal{A}$ asks for a signature on a message $M_i \in \mathcal{M}$, $\mathcal{B}$ hands $M_i$ to its challenger and gets back $(e_i, s_i, r_i, \psi_i)$, where $(e_i, s_i, r_i)$ is taken from $\hat\varphi(M_i)$ (i.e. $\mathsf{Ver}_{\hat\varphi}(e_i, s_i, r_i, M_i) = 1$) and $\psi_i$ is a valid solution for the equation $\lambda_i$ defined by the exponents $(e_i, s_i)$. $\mathcal{B}$ gives $\sigma_i = (e_i, s_i, r_i, \psi_i)$ as a signature for the message $M_i$. It is easy to see that the $\sigma_i$ are valid signatures and that they are distributed as in the real case. In the end $\mathcal{A}$ is supposed to output a valid forgery $(M^*, \sigma^*)$ (i.e. $(M^*, \sigma^*) \ne (M_i, \sigma_i)$ for all $i = 1, \ldots, t$, where $t$ is the number of queries made by the adversary). Finally $\mathcal{B}$ outputs $\sigma^* = (e^*, s^*, r^*, \psi^*)$ to its challenger. Since $(M^*, \sigma^*)$ is a valid forgery, $\psi^*$ is a solution for the equation $x^{e^*} = a_1^{s_1^*} \cdots a_m^{s_m^*}$ and $\mathsf{Ver}_{\hat\varphi}(e^*, s^*, r^*, M^*) = 1$. To conclude the proof of security it remains to show that the equation $(e^*, s^*)$ is non-trivial. More precisely, we prove the following lemma.

Lemma 4. Let $(M^*, \sigma^*) = (M^*, (e^*, s^*, r^*, \psi^*))$ be a valid forgery for the scheme PFSig w.r.t. the set $\{(M_i, \sigma_i)\}_{i=1}^t$ of previously issued signatures; then the equation defined by $(e^*, s^*)$ is non-trivial w.r.t. the set of equations $\Lambda = \{(e_i, s_i)\}_{i=1}^t$.

Proof (Lemma 4).
According to Proposition 2 (and for properly defined $\Sigma, E$) we want to show that for all $k \in \mathbb{Z}^t$, $V \in \mathbb{Z}^m$: $e^*(\Sigma E k + V) \ne s^*$. For the sake of contradiction, assume there exist $\hat k \in \mathbb{Z}^t$ and $\hat V \in \mathbb{Z}^m$ such that $e^*(\Sigma E \hat k + \hat V) = s^*$. Then we show that this contradicts at least one of our assumptions. Let $P = \prod_{i=1}^t e_i$ and let $\rho_j$ be the $j$-th row of $\Sigma E \hat k$:
$$\rho_j = \frac{s_j^1 \hat k_1}{e_1} + \ldots + \frac{s_j^t \hat k_t}{e_t} = \frac{\sum_{l=1}^t \hat k_l \big(s_j^l \prod_{i \ne l} e_i\big)}{P}.$$
For all $j = 1, \ldots, m$ it holds that $e^* \rho_j = s_j^* - e^* \hat V_j$, or equivalently
$$\frac{s_j^* P}{e^*} = \sum_{l=1}^t \hat k_l \Big(s_j^l \prod_{i \ne l} e_i\Big) + \hat V_j P. \qquad (3)$$
Since both $\sum_{l=1}^t \hat k_l (s_j^l \prod_{i \ne l} e_i)$ and $\hat V_j P$ are integers, $s_j^* P / e^*$ must be an integer too. In particular this must hold even for $j = 1$, and thus $e^* \mid P$ (as $s_1^* = 1$). Then we have different cases, each of which contradicts one of our assumptions:
– $e^* \mid P$ and $r^* \ne r_j$ for all $j$. This contradicts that $H$ (in $\varphi_\ell$) is division intractable.
– $e^* \mid P$ and $r^* = r_j$ (i.e. $e^* = e_j$). In this case, for all $i = 1, \ldots, m$ we have
$$s_i^* = s_i^j \hat k_j + e^* \Big(\sum_{l=1, l \ne j}^t \hat k_l \big(s_i^l \prod_{i' \ne l} e_{i'}\big)\Big) + \hat V_i P,$$
from which $s^* = s^j \hat k_j \bmod e^*$. For any choice of $\hat k_i$, $i \ne j$, the last equation is satisfied for $\hat k_j = 1 \bmod e^*$ (as $s_1^* = s_1^j = 1$), and thus $s^* = s^j$ (since $s^*, s^j \in \mathbb{Z}_{e^*}^m$). This means that in this case we have $(e^*, s^*, r^*) = (e_j, s^j, r_j)$. Then we have two subcases:
• $M^* \ne M_j$. This contradicts the security property of the verification algorithm of $\hat\varphi$.
• $M^* = M_j$. This contradicts that $(M^*, \sigma^*)$ is a forgery.

Notice that if one relaxes a bit the requirements on the parametric distribution $\hat\varphi$, Theorem 1 leads to different flavors of digital signature schemes. For instance, one might consider the distribution $\hat\varphi'$, which slightly generalizes $\hat\varphi$ as follows: $\hat\varphi'$ is exactly as $\hat\varphi$, with the only difference that $s_2$ is chosen uniformly in $\mathbb{Z}_B$ for some value $B > e$. It is easy to rewrite the proof of Theorem 1 in order to show the following.

Corollary 1.
If $\mathcal{G}$ is a family of adaptive pseudo-free groups w.r.t. distribution $\hat\varphi'$, then the signature scheme PFSig is unforgeable under chosen-message attack.

Informally, what this corollary says is that by (slightly) generalizing the parametric distribution one gets a signature scheme where unforgeability is guaranteed only for previously unsigned messages (i.e. the scheme is not strongly unforgeable).

5.2 Network coding signatures from adaptive pseudo-free groups

In this section we show that our framework encompasses network coding signature schemes as defined and constructed in [6, 14]. In particular, by combining the previous theorems with ideas from [14] we construct the first RSA-based network coding homomorphic signature scheme provably secure without random oracles. In the following we represent files $V$ to be signed as collections $(v^{(1)}, \ldots, v^{(m)})$ where each $v^{(i)}$ is an $n$-dimensional vector of the form $(v_1, \ldots, v_n)$. To sign $V$ the signer signs every single vector $v^{(i)}$ separately. Informally this is done using a signature scheme that allows some form of (controlled) malleability. In this way, if we interpret signatures as solutions of non-trivial equations, one can easily compute solutions for any linear combination of the given equations. This simple observation, combined with ideas from [14], can be used to construct a secure signature scheme for network coding without random oracles.

Background on linear coding schemes. In linear network coding [2, 21], a file to be transmitted is viewed as an ordered sequence of $n$-dimensional vectors $v_1, \ldots, v_m$ (defined over the integers or over some finite field). Before transmission, the source node creates the $m$ augmented vectors $w_1, \ldots, w_m$ obtained by prepending to $v_i$ a vector $u_i$ of length $m$. Each $u_i$ contains a 1 in the $i$-th position and 0 in all the remaining positions ($m$ is typically much smaller than $n$). These augmented vectors are then sent by the source as packets in the network.
Each node in the network processes packets as follows. When receiving $w_1, \ldots, w_m$, a node computes some linear combination of the received packets (e.g., using coefficients randomly chosen from a suitable domain) and transmits the resulting vector on its outgoing edges. In other words, each node transmits a linear combination of the vectors it receives. To recover the original file a node must receive $m$ (valid) vectors $w_i$ of the form described above for which the corresponding $u_i$'s are linearly independent. Thus, denoting with $U$ the matrix whose rows are $u_1, \ldots, u_m$ and with $V$ the matrix whose rows are $v_1, \ldots, v_m$, the original message can be retrieved as $M = U^{-1} V$.

The idea sketched above is susceptible to pollution attacks, where malicious nodes inject invalid vectors into the network so as to make reconstruction of the original file impossible. To overcome this problem a viable solution is to use network coding signatures. The basic requirement of such schemes is that they allow one to efficiently check whether a given vector is valid, i.e. whether it has been obtained as a linear combination of valid vectors $w_1, \ldots, w_k$. More details about network signatures can be found in [6, 14]. We recall the formal definitions in Appendix B.

Our Network Coding Signature Scheme. Here we describe our network coding signature scheme. First, however, we discuss some additional details required to properly present the scheme. As already mentioned, a file to be signed is expressed as a set of vectors $(v^{(1)}, \ldots, v^{(m)})$ of $n$ components each. Such vectors are prepended with the $m$ unit vectors $u^{(i)}$ (of $m$ components each). Let us denote with $w^{(i)}$ the resulting vectors. Using a notation similar to [14], we denote with $Q = \{0, \ldots, q-1\}$ (for some prime $q$) the set from which coefficients are (randomly) sampled. We denote with $L$ an upper bound on the path length from the source to any target.
Given these quantities, $B = m q^L$ denotes the largest possible value of the $u$-coordinates in (honestly generated) vectors. Moreover, denoting with $M$ an upper bound on the magnitude of the coordinates of the initial vectors $v^{(1)}, \ldots, v^{(m)}$, we set $B^* = MB$.

Let $\varphi_N$ be the following parametric distribution. It takes as input some random identifier $\mathit{fid}$, a vector space $V$ and a bound $B^*$. Let $\ell_s$ be a security parameter and $\ell$ an integer such that $2^\ell > B^*$; compute $e = H(\mathit{fid})$ where $H : \{0,1\}^* \to \{0,1\}^\ell$ is a division intractable function. Next, for each $v^{(i)} = (v_1^{(i)}, \ldots, v_n^{(i)}) \in V$ it proceeds as follows. First, it samples (uniformly at random) an $(\ell + \ell_s)$-bit random integer $s_i$ and outputs $(s_i, u^{(i)}, v^{(i)})$. The global output of $\varphi_N$ is then
$$(e, \{(s_i, u^{(i)}, v^{(i)})\}_{i=1}^m).$$
Notice that $\varphi_N$ is a simple extension of the distribution $\hat\varphi'$ described above. It is straightforward to show that it fits the requirements of Corollary 1 as well.

Let $\mathcal{G}$ be a family of groups that is adaptive pseudo-free w.r.t. $\varphi_N$. Then we have the following signature scheme NetPFSig = (NetKG, NetSign, NetVer):

NetKG($1^k$, $n$): Let $A = \{g, g_1, \ldots, g_n, h_1, \ldots, h_m\}$ and $X = \{x\}$ be the sets of constant and variable symbols. The key generation algorithm selects a random group $G$ from $\mathcal{G}$, fixes an assignment $\alpha : A \to G$ for the symbols in $A$ and finally sets $vk = (X, A, \alpha, G, \varphi_N)$ as the public verification key and $sk = \mathrm{ord}(G)$ as the secret signing key. The input space $\mathcal{M}$ of $\varphi_N$ is taken as the set of $m$-dimensional vectors whose components are positive integers of magnitude at most $M$.

NetSign($sk$, $V$): The signing algorithm proceeds as follows. A random identifier $\mathit{fid}$ for the vector space $V$ is chosen. Next, it runs $\varphi_N(V, B^*, \mathit{fid})$ to get back $(e, \{(s_i, u^{(i)}, v^{(i)})\}_{i=1}^m)$.
Finally, for $i = 1$ to $m$, it uses $\mathrm{ord}(G)$ to solve the equation
$$x_i^{e} = g^{s_i} \prod_{j=1}^m h_j^{u_j^{(i)}} \prod_{j=1}^n g_j^{v_j^{(i)}}.$$
Let $\psi : X \to G$ be the satisfying assignment for $x_i$ and let $\sigma_i = (e, s_i, u^{(i)}, v^{(i)}, \mathit{fid}, \psi)$ be the signature for $w^{(i)}$. The algorithm outputs $\sigma = (\sigma_1, \ldots, \sigma_m)$ as the signature for $V$.

NetVer($vk$, $V$, $\sigma$): To verify a signature $\sigma$ for a vector space $V$, the verification algorithm proceeds as follows (see footnote 5):
– check that $\mathsf{Ver}_{\varphi_N}(e, V, B^*, \mathit{fid}, \{(s_i, u^{(i)}, v^{(i)})\}_{i=1}^m) = 1$, and that the equations $x_i^{e} = g^{s_i} g_1^{v_1^{(i)}} \cdots g_n^{v_n^{(i)}} h_1^{u_1^{(i)}} \cdots h_m^{u_m^{(i)}}$ are all satisfied in $G$ by $\psi(x_i)$;
– if all the checks pass, output 1, otherwise 0.

Combine($vk$, $\mathit{fid}$, $w_1, \ldots, w_\ell$, $\sigma_1, \ldots, \sigma_\ell$): To combine signatures $\sigma_i$ corresponding to vectors $w_i$ sharing the same $\mathit{fid}$, a node proceeds as follows.
– It discards any $w_i$ having $u$-coordinates negative or larger than $B/(mq)$, or having $v$-coordinates negative or larger than $B^*/(mq)$. Without loss of generality we keep calling $w_1, \ldots, w_\ell$ the remaining vectors.
– It chooses random $\alpha_1, \ldots, \alpha_\ell \in Q$, sets $w = \sum_{i=1}^\ell \alpha_i w_i$ and outputs the signature $\sigma = (e, s, w, \mathit{fid}, \psi)$ on $w$, which is obtained by computing
$$\psi = \prod_{i=1}^\ell \psi_i^{\alpha_i}, \qquad s = \sum_{i=1}^\ell \alpha_i s_i.$$

One can easily rewrite the proof of Corollary 1 to prove the following.

Theorem 2. If $\mathcal{G}$ is a family of adaptive pseudo-free groups w.r.t. distribution $\varphi_N$, then the NetPFSig signature scheme described above is a secure (homomorphic) network coding signature.

6 The RSA group is adaptive pseudo-free

In Section 4 we defined the notion of adaptive pseudo-free groups and in Section 5 we showed a class of parametric distributions (called $\varphi_\ell$) that allows one to build signatures from the sole assumption that a family of groups is adaptive pseudo-free w.r.t. $\hat\varphi \in \varphi_\ell$. At this stage, it is therefore interesting to find a computational group candidate to be proved adaptive pseudo-free.
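A toy implementation of NetPFSig, including the "solve using ord(G)" and "check the equation" steps that PFSig of Section 5.1 shares with it, as an added example that is not the paper's code: the RSA group, the hash-to-prime stand-in for $H$ and the bounds $q$, $L$, $M$ are constructed toy values, and Combine takes its coefficients as an argument instead of drawing them from $Q$ so that results can be checked.

```python
import hashlib
import math
import secrets

# Constructed toy RSA group (insecure sizes): N = pq with safe primes
# p = 2p'+1 = 23 and q = 2q'+1 = 47; ord(QR_N) = p'q' = 11*23 is the signing key.
N = 23 * 47
ORD_QR = 11 * 23

# Constructed network-coding parameters in the notation of Section 5.2:
# coefficients from Q = {0,..,q-1}, at most L hops, initial coordinates <= M,
# B = m q^L, B* = M B, ell with 2^ell > B*, ell_s the extra statistical bits.
Q_COEF, L_HOPS, M_BOUND = 5, 3, 100
M_VECS, N_DIM = 2, 3                      # m vectors of n coordinates
B = M_VECS * Q_COEF ** L_HOPS             # 250
B_STAR = M_BOUND * B                      # 25000
ELL = B_STAR.bit_length()                 # 15
ELL_S = 8


def is_prime(n):
    return n > 1 and all(n % d for d in range(2, math.isqrt(n) + 1))


def hash_to_prime(fid):
    """Toy stand-in for the division-intractable H: a prime derived from fid.
    Outputs exceed 2^11, so they are automatically coprime to the toy order."""
    x = int.from_bytes(hashlib.sha256(fid).digest(), "big") % (1 << 12) | (1 << 11) | 1
    while not is_prime(x):
        x += 2
    return x


def rand_qr():
    """A random quadratic residue != 1 of Z_N^* (used for the assignment alpha)."""
    while True:
        x = secrets.randbelow(N)
        if math.gcd(x, N) == 1 and pow(x, 2, N) != 1:
            return pow(x, 2, N)


def solve(e, target):
    """Signer side: knowing ord(QR_N), the unique e-th root of target in QR_N."""
    return pow(target, pow(e, -1, ORD_QR), N)


class NetPFSig:
    """NetKG (constructor), NetSign, NetVer and Combine over the toy group."""

    def __init__(self):
        self.g = rand_qr()
        self.gs = [rand_qr() for _ in range(N_DIM)]   # g_1..g_n, the v-part
        self.hs = [rand_qr() for _ in range(M_VECS)]  # h_1..h_m, the u-part

    def rhs(self, s, u, v):
        """Right-hand side g^s * prod_j h_j^{u_j} * prod_j g_j^{v_j} of the equation."""
        t = pow(self.g, s, N)
        for base, exp in list(zip(self.hs, u)) + list(zip(self.gs, v)):
            t = t * pow(base, exp, N) % N
        return t

    def sign(self, vectors, fid):
        """NetSign: one signature (e, s_i, u^(i), v^(i), fid, psi_i) per vector."""
        e = hash_to_prime(fid)
        sigs = []
        for i, v in enumerate(vectors):
            u = [int(j == i) for j in range(M_VECS)]   # unit vector u^(i)
            s = secrets.randbits(ELL + ELL_S)           # (ell + ell_s)-bit s_i
            sigs.append((e, s, u, list(v), fid, solve(e, self.rhs(s, u, v))))
        return sigs

    def verify(self, sig):
        """NetVer: the Ver_phiN checks (e = H(fid), coordinate bounds) and the equation."""
        e, s, u, v, fid, psi = sig
        if e != hash_to_prime(fid):
            return False
        if any(x < 0 or x > B for x in u) or any(x < 0 or x > B_STAR for x in v):
            return False
        return pow(psi, e, N) == self.rhs(s, u, v)

    def combine(self, sigs, coeffs):
        """Combine: w = sum a_i w_i, psi = prod psi_i^{a_i}, s = sum a_i s_i.
        The coefficients are an argument here; a real node draws them from Q."""
        e, fid = sigs[0][0], sigs[0][4]
        if any(sig[0] != e or sig[4] != fid for sig in sigs):
            return None                  # only vectors of one file (one fid) mix
        per_hop_u, per_hop_v = B // (M_VECS * Q_COEF), B_STAR // (M_VECS * Q_COEF)
        keep = [(sig, a) for sig, a in zip(sigs, coeffs)
                if 0 <= a < Q_COEF
                and all(0 <= x <= per_hop_u for x in sig[2])
                and all(0 <= x <= per_hop_v for x in sig[3])]
        if not keep:
            return None
        s, psi, u, v = 0, 1, [0] * M_VECS, [0] * N_DIM
        for (_, si, ui, vi, _, psii), a in keep:
            s += a * si
            psi = psi * pow(psii, a, N) % N
            u = [x + a * y for x, y in zip(u, ui)]
            v = [x + a * y for x, y in zip(v, vi)]
        return (e, s, u, v, fid, psi)
```

A combined signature verifies because $\psi^e = \prod_i \psi_i^{\alpha_i e}$ is exactly the right-hand side for the summed exponents, while changing any coordinate or $s$ of the combined vector makes the equation fail.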
As proved by Micciancio in [18], the only group that we know to be pseudo-free is the RSA group $\mathbb{Z}_N^*$ of integers modulo $N$, where $N$ is the product of two "safe" primes and the sampling procedure takes elements from $QR_N$. Therefore we aim to prove adaptive pseudo-freeness for the same group.

Footnote 5: We implicitly assume that the $\mathsf{Ver}_{\varphi_N}$ verification algorithm rejects immediately if any of the $u$-coordinates is negative or larger than $B$, or if any of the $v$-coordinates is negative or larger than $B^*$.

A parametric distribution $\hat\varphi$. First of all we need to define the specific parametric distribution for which we will prove adaptive pseudo-freeness of the RSA group. Let us consider the following $\hat\varphi : \mathcal{M} \to \mathbb{Z} \times \mathbb{Z}^m \times \{0,1\}^*$, where $\mathcal{M} = \{0,1\}^\ell$. For any input $M \in \mathcal{M}$, $\hat\varphi(M)$ outputs a tuple $(e, s, r)$ defined as follows:
– $r$ is a random binary string;
– $e = H(r)$ where $H : \{0,1\}^* \to \{0,1\}^\ell$ is a division intractable function (see the definition in Section 2);
– $s_1 = 1$;
– $s_2$ is uniformly distributed in $\mathbb{Z}_e$;
– for $3 \le i \le m$, each $s_i$ is taken with an arbitrary (but efficiently samplable) distribution $D_{s_i}$ in $\mathbb{Z}_e$ such that the tuple $s_3, \ldots, s_m$ is binding to $M$ (see footnote 6).
The verification algorithm $\mathsf{Ver}_{\hat\varphi}(e, s, r, M)$ checks that $e = H(r)$ and that $s_3, \ldots, s_m$ are binding w.r.t. $M$. It is straightforward to verify that $\hat\varphi$ is contained in the class $\varphi_\ell$ defined in Section 5.1. We state the following theorem.

Theorem 3. If the Strong-RSA Assumption holds, then $\mathbb{Z}_N^*$ is adaptive pseudo-free w.r.t. $\hat\varphi$.

Proof. For the sake of contradiction, we assume that $\mathbb{Z}_N^*$ is not adaptive pseudo-free w.r.t. $\hat\varphi$. According to Definition 8, this means that there exists a PPT adversary $\mathcal{A}$ that with non-negligible probability is able to output an equation $\lambda^*$ (defined by $(e^*, s^*)$) together with a solution $\psi^*$ such that $\lambda^*$ is non-trivial w.r.t. the set $\Lambda$ of previously queried equations.
In order to prove the theorem we show how to build an algorithm $\mathcal{B}$ out of $\mathcal{A}$ that breaks the Strong-RSA Assumption (more precisely its variant where $\tau \in QR_N$). For $i = 1$ to $t$ (where $t$ is the number of queries made by $\mathcal{A}$), let $(e_i, s_i, r_i) \leftarrow \hat\varphi(M_i)$. If we consider $e^*$ and the set $\{e_1, \ldots, e_t\}$ we can distinguish two types of adversaries:
Type I: the adversary outputs $e^*$ such that $e^* \nmid \prod_{i=1}^t e_i$;
Type II: the adversary outputs $e^*$ such that $e^* \mid \prod_{i=1}^t e_i$.
At the beginning of the game we guess the type of adversary we have and set up the proper simulation according to that guess. Notice that the guess is right with probability at least $1/2$.

Type I. In the case of a Type I adversary we show how to build a simulator $\mathcal{B}$ that breaks Strong-RSA with non-negligible probability. $\mathcal{B}$ takes as input $(N, \tau)$, where $N$ is the product of two safe primes $p, q$ (with $p = 2p'+1$ and $q = 2q'+1$) and $\tau \in QR_N$. Its goal is to find an $e$-th root $y$ of $\tau$ for an $e$ of its choice. In the following we describe the simulator $\mathcal{B}$ during the three phases of the game.

Setup. $\mathcal{B}$ chooses in advance $t$ random strings $r_1, \ldots, r_t$ and computes $e_i = H(r_i)$ for all $i = 1, \ldots, t$. Then it fixes the assignment $\alpha$ for the constant symbols as follows:
– pick random $z_1, z_2, \ldots, z_m \leftarrow \{1, \ldots, N^2\}$;
– let $E = \prod_{i=1}^t e_i$ and set $\alpha(a_1) = \tau^{E z_1}$ and $\alpha(a_i) = \alpha(a_1)^{z_i}$ for all $i = 2$ to $m$.
Finally $\mathcal{B}$ gives $\alpha$ (and the description of $\mathbb{Z}_N^*$) to the adversary $\mathcal{A}$. For ease of exposition we write $a_i$ instead of $\alpha(a_i)$ to refer to group elements. For all $2 \le i \le m$ let $z_i = b_i p'q' + c_i$ where $0 \le c_i < p'q'$. Since each $z_i$ is chosen from a suitably large interval, the distribution of each $(z_i \bmod p'q')$ is statistically indistinguishable from the uniform distribution over $\mathbb{Z}_{p'q'}$. So $a_1, a_2, \ldots, a_m$ are distributed like random quadratic residues of $\mathbb{Z}_N^*$.

Footnote 6: This means that there exists an efficient algorithm that, on input $(M, s_3, \ldots, s_m)$, outputs 1 if $s_3, \ldots, s_m$ are created w.r.t. $M$.
Moreover, the conditional distribution of $b_i$ given $c_i$ is statistically indistinguishable from the uniform distribution over $\{0, \ldots, \lfloor N^2 / p'q' \rfloor\}$.

Equations queries. At this stage $\mathcal{A}$ is allowed to adaptively query equations by submitting parameters $M^1, \ldots, M^t$ for $\hat\varphi$. Therefore $\mathcal{B}$ has to solve such equations and give the corresponding solutions to $\mathcal{A}$. For all $i \in \{1, \ldots, t\}$, each query $M^i$ is handled as follows. $\mathcal{B}$ chooses the exponents $s_2^i, \ldots, s_m^i \in \mathbb{Z}_{e_i}$ according to $\hat\varphi(M^i)$. Then $\mathcal{B}$ computes the solution of $\lambda_i \equiv x^{e_i} = a_1 \cdot a_2^{s_2^i} \cdots a_m^{s_m^i}$ as follows:
– let $E_i = \prod_{j=1, j \ne i}^t e_j$;
– $\psi_i(x) = (\tau^{E_i})^{z_1 + \sum_{j=2}^m s_j^i z_j}$.
Finally $\mathcal{B}$ gives $(e_i, s_i, r_i, \psi_i)$ to $\mathcal{A}$. It is easy to see that $\psi_i$ is a valid solution for $\lambda_i$ and that the equations are distributed as in the real case.

Challenge. Once the previous phase is over, $\mathcal{A}$ is supposed to output an equation $\lambda^*$ for $M^*$ (together with a solution $\psi^*$) which is non-trivial w.r.t. $\Lambda = \{\lambda_i\}_{i=1}^t$. Since $(e^*, s^*, r^*)$ are distributed according to $\hat\varphi(M^*)$ we have
$$\psi^*(x)^{e^*} = a_1 a_2^{s_2^*} \cdots a_m^{s_m^*} = \tau^{E(z_1 + \sum_{j=2}^m z_j s_j^*)}.$$
Let $E' = E(z_1 + \sum_{j=2}^m z_j s_j^*)$ and $d = \gcd(e^*, E')$. Provided that $e^* \nmid E'$, $\mathcal{B}$ can use standard techniques (i.e. Shamir's trick) to extract an $(e^*/d)$-th root $y$ of $\tau$, and thus it can output $(e^*/d, y)$ to break Strong-RSA. Therefore we are left with the task of showing that $e^* \nmid E'$ with non-negligible probability. Let $r$ be a prime dividing $e^*$. Since we are assuming a Type I adversary, it holds that $r \nmid E$. Thus the point is to show that $r \nmid (z_1 + \sum_{j=2}^m z_j s_j^*)$ with non-negligible probability. As pointed out before, let $z_i = b_i p'q' + c_i$. Since each $b_i$ is essentially hidden from the view of any adversary, $r$ may depend only on the $c_i$'s. Since $r \nmid p'q'$, the probability that $r \mid (z_1 + z_2 s_2^* + \ldots + z_m s_m^*)$, or equivalently $(z_1 + z_2 s_2^* + \ldots + z_m s_m^*) = 0 \bmod r$, is close to $1/r$. This means that $e^* \nmid E'$ with probability close to $1 - 1/r$, for the smallest prime factor $r$ of $e^*$.
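Shamir's trick, the root-extraction step that both the Type I simulation above and the Type II simulation below end with, as an added example that is not from the paper: the toy modulus $N = 11 \cdot 23$ (order of $QR_N$ equal to $5 \cdot 11$), the element $\tau = 4$ and the relations in the tests are constructed, and `root_with_order` plays the part of the party who knows $\mathrm{ord}(QR_N)$.

```python
from math import gcd


def egcd(a, b):
    """Extended Euclid: (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def powmod_signed(base, exp, n):
    """base^exp mod n for a possibly negative exp (base must be invertible mod n)."""
    return pow(base, exp, n) if exp >= 0 else pow(pow(base, -1, n), -exp, n)


def extract_root(n, tau, psi, e_star, e_prime):
    """Shamir's trick as used at the end of the Type I and Type II reductions.

    Input: a relation psi^{e*} = tau^{E'} (mod n) with e* not dividing E'.
    Output: (e, y) with e = e*/d > 1, d = gcd(e*, E'), and y^e = tau (mod n).
    Assumption (as in the proof): d is coprime to the unknown order of QR_N,
    so raising to the d-th power is injective on QR_N and the relation
    reduces to psi^e = tau^f with f = E'/d and gcd(e, f) = 1.
    """
    if pow(psi, e_star, n) != pow(tau, e_prime, n):
        raise ValueError("psi^e* != tau^E': not a valid relation")
    d = gcd(e_star, e_prime)
    e, f = e_star // d, e_prime // d
    if e == 1:
        raise ValueError("e* divides E': the relation yields no new root")
    g, a, b = egcd(e, f)  # a*e + b*f = 1
    assert g == 1
    # tau = tau^{a e + b f} = (tau^a)^e (tau^f)^b = (tau^a)^e (psi^e)^b = (tau^a psi^b)^e
    y = powmod_signed(tau, a, n) * powmod_signed(psi, b, n) % n
    return e, y


def root_with_order(n, order, e, target):
    """What the party who knows ord(QR_N) does: the e-th root of target in QR_N
    (requires gcd(e, order) = 1)."""
    return pow(target, pow(e, -1, order), n)
```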
Type II. The case of a Type II adversary is a bit more complicated. Since $e^* \mid \prod_{i=1}^t e_i$ we can have two cases:
1. $r^* \ne r_i$ for all $i = 1, \ldots, t$. In this case it is easy to see that our assumption on $\hat\varphi$ is not satisfied, as we would be able to break the division intractability of the function $H$. Indeed we have $(r_1, \ldots, r_t)$ and $r^* \ne r_i$ for all $i = 1, \ldots, t$ such that $H(r^*) = e^* \mid \prod_{i=1}^t e_i$ (where $e_i = H(r_i)$).
2. $r^* = r_j$ for some $j \in \{1, \ldots, t\}$ (i.e. $e^* = e_j$). The simulation for this case is described below. Precisely, we show how to build an algorithm $\mathcal{B}$ that breaks Strong-RSA with non-negligible probability.

Before giving the details of the simulation we first give some intuition that will be useful to understand our approach. Let $\{(e_i, s^i)\}_{i=1}^t$ be the exponents of the $t$ queried equations and $(e^*, s^*)$ those of $\lambda^*$. Since $\lambda^*$ is non-trivial, for all $k \in \mathbb{Z}^t$ and all $V \in \mathbb{Z}^m$:
$$e^* \left( \begin{pmatrix} 1 & 1 & \cdots & 1 \\ s_2^1 & s_2^2 & \cdots & s_2^t \\ \vdots & \vdots & \ddots & \vdots \\ s_m^1 & s_m^2 & \cdots & s_m^t \end{pmatrix} \begin{pmatrix} k_1/e_1 \\ k_2/e_2 \\ \vdots \\ k_t/e_t \end{pmatrix} + \begin{pmatrix} V_1 \\ V_2 \\ \vdots \\ V_m \end{pmatrix} \right) \ne \begin{pmatrix} 1 \\ s_2^* \\ \vdots \\ s_m^* \end{pmatrix}.$$
Namely, at least one of the following $m$ inequalities must hold:
1. $e^*(k_1 e_2 \cdots e_t + \ldots + e_1 e_2 \cdots e_{t-1} k_t) \ne (1 - V_1 e^*)(e_1 \cdots e_t)$
2. $e^*(s_2^1 k_1 e_2 \cdots e_t + \ldots + s_2^t k_t e_1 e_2 \cdots e_{t-1}) \ne (s_2^* - V_2 e^*)(e_1 \cdots e_t)$
...
m. $e^*(s_m^1 k_1 e_2 \cdots e_t + \ldots + e_1 e_2 \cdots e_{t-1} s_m^t k_t) \ne (s_m^* - V_m e^*)(e_1 \cdots e_t)$
Since the above holds for all integer vectors $k \in \mathbb{Z}^t$ and $V \in \mathbb{Z}^m$, it must hold even for $\hat k$ and $\hat V$ such that $\hat k_j = 1$, $\hat k_i = 0$ for all $i \ne j$ and $\hat V = 0^m$. In particular, for such choices of $k$ and $V$, w.l.o.g. we assume that the $\nu$-th inequality holds. Since we are in the case $e^* = e_j$, observe that the first equation is always satisfied for such $\hat k$ and $\hat V$. Thus it must hold that $s_\nu^j \ne s_\nu^*$ for some $\nu \in \{2, \ldots, m\}$. $\mathcal{B}$ can guess $j$ and $\nu$ with non-negligible probability $1/(t(m-1))$ by picking them at random in $\{1, \ldots, t\}$ and $\{2, \ldots, m\}$ respectively. Then it performs the following simulation.

Setup. $\mathcal{B}$ chooses $r_1, \ldots, r_t$ and computes $e_i = H(r_i)$ for all $i = 1, \ldots, t$. Then $\mathcal{B}$ picks random $u_1, \ldots, u_m \leftarrow QR_N$ and $z_\nu, \beta \leftarrow \{1, \ldots, N^2\}$, and fixes the assignment for the constant symbols as follows:
$$\alpha(a_2) = \tau^{\prod_{i=1, i \ne j}^t e_i}, \quad \alpha(a_\nu) = \alpha(a_2)^{z_\nu}, \quad \alpha(a_1) = \alpha(a_2)^{-\beta} u_1^{\prod_{i=1}^t e_i}, \quad \alpha(a_i) = u_i^{\prod_{l=1}^t e_l} \ \text{for } i = 3, \ldots, m,\ i \ne \nu.$$
Finally it gives $\alpha$ and the description of the group $\mathbb{Z}_N^*$ to $\mathcal{A}$. For ease of exposition, in the following we write $a_i$ instead of $\alpha(a_i)$ to refer to group elements.

Solving equations. In this phase $\mathcal{B}$ is adaptively asked by $\mathcal{A}$ to solve at most $t$ equations with parameters $M^1, \ldots, M^t$ respectively. For each parameter $M^i$, $\mathcal{B}$ chooses $s_2^i, \ldots, s_m^i$ according to $\hat\varphi(M^i)$. For all $i \in \{1, \ldots, t\} \setminus \{j\}$, $\mathcal{B}$ solves $\lambda_i \equiv x^{e_i} = a_1 a_2^{s_2^i} \cdots a_m^{s_m^i}$ by computing
$$\psi_i(x) = \Big(\tau^{\prod_{l \ne i,j} e_l}\Big)^{1 + z_\nu s_\nu^i - \beta} \Big(\prod_{j'=1, j' \ne 2,\nu}^m u_{j'}^{s_{j'}^i}\Big)^{\prod_{l \ne i,j} e_l}.$$
It is easy to observe that $\psi_i$ is a valid solution for $\lambda_i$. In order to solve the $j$-th equation $\mathcal{B}$ uses a different approach. Let $M^j$ be the queried parameter and let $s_3^j, \ldots, s_m^j$ be chosen according to $M^j$. $\mathcal{B}$ sets $s_2^j = \beta - z_\nu s_\nu^j \bmod e_j$ and finds $\omega$ such that $\beta - z_\nu s_\nu^j = s_2^j + \omega e_j$. It then computes
$$\psi_j(x) = \tau^{-\omega} \Big(\prod_{i=1, i \ne 2,\nu}^m u_i^{s_i^j}\Big)^{\prod_{l \ne j} e_l} = \sqrt[e_j]{a_1 a_2^{s_2^j} \cdots a_m^{s_m^j}}.$$
After having solved each equation, the simulator hands $(e_i, s_i, r_i, \psi_i)$ to $\mathcal{A}$.

Challenge. In this phase $\mathcal{A}$ is supposed to output a non-trivial equation $\lambda^*$ (defined by $(e^*, s^*)$), together with a solution $\psi^*$. If this is the case, we show that $\mathcal{B}$ can extract a root of $\tau$ as follows. Let
$$\left(\frac{\psi^*(x)}{\psi_j(x)}\right)^{e^*} = a_2^{(s_2^* - s_2^j) + z_\nu (s_\nu^* - s_\nu^j)} \prod_{i=3, i \ne \nu}^m a_i^{(s_i^* - s_i^j)} = \Big(\tau^{\prod_{l \ne j} e_l}\Big)^{(s_2^* - s_2^j) + z_\nu (s_\nu^* - s_\nu^j)} \Big(\prod_{i=3, i \ne \nu}^m u_i^{(s_i^* - s_i^j)}\Big)^{(\prod_{l \ne j} e_l)\, e_j}.$$
Since $e^* = e_j$ we obtain
$$\left(\frac{\psi^*(x)}{\psi_j(x)} \Big(\prod_{i=3, i \ne \nu}^m u_i^{(s_i^j - s_i^*)}\Big)^{\prod_{l \ne j} e_l}\right)^{e^*} = \Big(\tau^{\prod_{l \ne j} e_l}\Big)^{(s_2^* - s_2^j) + z_\nu (s_\nu^* - s_\nu^j)}.$$
Let $E' = (\prod_{l \ne j} e_l)(s_2^* - s_2^j + z_\nu (s_\nu^* - s_\nu^j))$. In order to extract a root of $\tau$ we have to show that $e^* \nmid E'$ with non-negligible probability. Observe that $e^* \nmid \prod_{l \ne j} e_l$ and that $z_\nu = b p'q' + c$ where $b$ is information-theoretically hidden from any adversary. Since $s_\nu^* - s_\nu^j \ne 0$ (by our guess) and $s_2^*, s_2^j \in \mathbb{Z}_{e^*}$, we have that $e^* \mid (s_2^* - s_2^j) + z_\nu (s_\nu^* - s_\nu^j)$ only with negligible probability. Thus $\mathcal{B}$ can use standard techniques (i.e. Shamir's trick) to extract an $(e^*/d)$-th root $y$ of $\tau$, where $d = \gcd(e^*, E')$. □

As a corollary of the above theorem we can prove adaptive pseudo-freeness of the RSA group w.r.t. two new parametric distributions $\hat\varphi_s, \hat\varphi_{ch} \ne \hat\varphi$ which are still within the class $\varphi_\ell$ defined in Section 5.1. In particular $\hat\varphi_s$ is a variant of $\hat\varphi$ where $s_2 = 0$ and, for all $i = 3$ to $m$, $s_i \in \{0, \ldots, p\}$ with $p$ at most polynomial in the security parameter (and of course $p < e$).

Corollary 2. If the Strong-RSA Assumption holds, then $\mathbb{Z}_N^*$ is adaptive pseudo-free w.r.t. $\hat\varphi_s$.

The proof follows from that of Theorem 3. The intuition here is that when the $s_i$'s are small they can be guessed in advance with non-negligible probability. Instead $\hat\varphi_{ch}$ is a variant of $\hat\varphi$ where $s_2 = 0$ and $s_3, \ldots, s_m \in \mathbb{Z}_e$ are obtained as the output of a chameleon hash function $CH(M; R)$ computed on the parameter $M$ with randomness $R$.

Corollary 3. If the Strong-RSA Assumption holds, and $CH$ is a chameleon hash function, then $\mathbb{Z}_N^*$ is adaptive pseudo-free w.r.t. $\hat\varphi_{ch}$.

The proof is the same as for Corollary 2. The intuition here is that one can use the chameleon property of $CH$ in the simulation to "prepare" the $s_i$'s in advance.

Weak adaptive pseudo-freeness of the RSA group. One may also consider a weaker notion of adaptive pseudo-freeness where the adversary is forced to choose the parameters $M^1, \ldots, M^t$ of its queries at the beginning of the game, i.e. before receiving the description of the group from the challenger.
If we consider such a notion, then our proof of Theorem 3 still holds even w.r.t. a slightly more general distribution than $\hat\varphi$, where the entire tuple $(e, s_2, \ldots, s_m)$ needs to be bound to $M$. To see this, observe that all the $r_i$'s can still be computed at the beginning of the game, as the simulator now knows $M_1, \ldots, M_t$ in advance. It is trivial to see that, starting from a weak-adaptive pseudo-free group, our results of Section 5.1 lead to the construction of signature schemes that are weakly secure (see Definition 4).

7 A framework for Strong RSA-based Signatures

In this section we show that, in light of the results of Theorems 1 and 3, and by appropriately instantiating the parametric distribution $\hat\varphi$, we get all the known constructions of Strong RSA-based digital signatures in the standard model (to the best of our knowledge).

Cramer-Shoup Signatures. The Cramer-Shoup [10] signature scheme works as follows:
Key Generation: Generate $N$ as the product of two safe primes $p$ and $q$. Also randomly choose two quadratic residues $a_1, a_3 \in QR_N$ and an $(\ell+1)$-bit prime $e'$. The public key is $(N, a_1, a_3, e')$ and the private key is $(p, q)$.
Sign: To sign $m$, compute the $\ell$-bit hash value $H(m)$ with a collision-resistant hash function $H$ and then compute $c = y^{e'} a_3^{H(m)}$ for a random $y \in QR_N$. Next pick a random $(\ell+1)$-bit prime $e \ne e'$ and solve (for $x$) the equation $x^e = a_1 a_3^{H(c)} \bmod N$. The signature is $(y, e, x)$.
Verification: Check that the two equations above hold and that $e$ is an $(\ell+1)$-bit (odd) integer different from $e'$.
While the signature above may look like it is based on a system of two equations, we observe that only for the second equation is the signing process required to find a solution (using the secret key), while the first equation (i.e. $c = y^{e'} a_3^{H(m)}$) is, de facto, a chameleon hash function computed on the message $m$ with randomness $y$.
In particular it is a chameleon hash based on the RSA assumption which, for efficiency, is implemented by sharing some parameters with the signature scheme. Therefore we can see the Cramer-Shoup scheme as a special case of our general framework when considering the following distribution.

$\varphi_{CS}$: Choose $r$ at random and set $e = H'(r)$ (where $H' : \{0,1\}^* \to \{0,1\}^{\ell+1}$ is a function that maps into primes of length $\ell+1$). Let $c = CH(m; y)$ ($CH$ is a chameleon hash function) and set $s_1 = 1$ and $s_3 = H(c)$ ($H$ is a collision-resistant hash function). All the remaining $s_i$'s are set to 0.

It is easy to check that $\varphi_{CS}$ is a special instantiation of $\hat\varphi_{ch}$, and so the security of the scheme is implied by Corollary 3.

Fischlin Signatures. Fischlin's [12] signature scheme can be seen as a simplification of the Cramer-Shoup signature. The scheme works as follows:
Key Generation: Generate $N$ as the product of two safe primes $p$ and $q$. Also randomly choose three quadratic residues $a_1, a_2, a_3 \in QR_N$. The public key is $(N, a_1, a_2, a_3)$ and the private key is $(p, q)$.
Sign: To sign $m$, compute the $\ell$-bit hash value $H(m)$ with a collision-resistant hash function $H$. Next output a random $(\ell+1)$-bit prime $e$ and a random $\ell$-bit integer $\alpha$, and solve (for $x$) the equation $x^e = a_1 a_2^{\alpha} a_3^{\alpha \oplus H(m)} \bmod N$. The signature is $(e, x, \alpha)$.
Verification: Check that the equation above holds, that $e$ is an $(\ell+1)$-bit (odd) integer and that $\alpha$ is an $\ell$-bit value.
The signature above can be seen as a special case of our general framework when considering the following distribution.

$\varphi_{Fis}$: Choose $r$ at random and set $e = H'(r)$ (where $H' : \{0,1\}^* \to \{0,1\}^{\ell+1}$ is a function that maps into primes of length $\ell+1$). Let $\alpha \in_R \{0,1\}^\ell$ and set $s_1 = 1$, $s_2 = \alpha$ and $s_3 = \alpha \oplus H(m)$ ($H$ is a collision-resistant hash function). All the remaining $s_i$'s are set to 0.

It is easy to check that $\varphi_{Fis}$ is a special instantiation of $\hat\varphi$.

Camenisch-Lysyanskaya Signatures.
The scheme by Camenisch and Lysyanskaya [8] works as follows.
Key Generation: Generate $N$ as the product of two safe primes $p$ and $q$. Also randomly choose three quadratic residues $a_1, a_2, a_3 \in QR_N$. The public key is $(N, a_1, a_2, a_3)$ and the private key is $(p, q)$.
Sign: To sign $m$ of length $\ell_m$, output a random $(\ell_m + 2)$-bit prime $e$ and a random integer $s$ of length $\ell_s = |N| + \ell_m + \ell$ (where $\ell$ is a security parameter), and solve (for $x$) the equation $x^e = a_1 a_2^s a_3^m \bmod N$. The signature is $(e, x, s)$.
Verification: Check that the equation above holds and that $e$ and $s$ are of appropriate length.
The signature above can be seen as a special case of our general framework when considering the following distribution $\varphi_{CL}$ (which is a special instantiation of $\hat\varphi'$) and Corollary 1.

$\varphi_{CL}$: Choose $r$ at random and set $e = H'(r)$ (where $H' : \{0,1\}^* \to \{0,1\}^{\ell+1}$ is a function that maps into primes of length $\ell+1$). Let $s \in_R \mathbb{Z}_B$, where $B > e$ is some bound of size at most $\ell_s$, and set $s_1 = 1$, $s_2 = s$ and $s_3 = m$. All the remaining $s_i$'s are set to 0.

Zhu's Signatures. Zhu proposed in [22] a variation of the Cramer-Shoup signature scheme. The proof of security was found to be incorrect and was later fixed in [23]. This signature scheme is basically the same as the one by Camenisch and Lysyanskaya described above, except that $s$ is a random string of $\ell$ bits. We can show that Zhu's scheme is a special case of our general framework when considering the following distribution.

$\varphi_{Zhu}$: Choose $r$ at random and set $e = H(r)$ (where $H : \{0,1\}^* \to \{0,1\}^{\ell+1}$ is a function that maps into primes of length $\ell+1$). Let $s \leftarrow \mathbb{Z}_e$ and set $s_1 = 1$, $s_2 = s$ and $s_3 = m$. All the remaining $s_i$'s are set to 0.

Again, it is easy to check that $\varphi_{Zhu}$ is a special instantiation of $\hat\varphi$.

Hofheinz-Kiltz Signatures. Hofheinz and Kiltz show in [15] how to use programmable hash functions to get a new efficient signature scheme based on Strong RSA. The description follows.
Key Generation. Generate N as the product of two safe primes p and q. Also randomly choose ℓ+1 quadratic residues a_0, a_1, ..., a_ℓ ∈ QR_N. The message space is {0,1}^ℓ. The public key is (N, a_0, a_1, ..., a_ℓ) and the private key is (p, q).

Sign. To sign M compute the ℓ-bit integer m = m_1 ··· m_ℓ as the output of some appropriate collision resistant hash function H. Next choose a random ℓ-bit prime e and solve (for x) the following equation
$$x^e = a_0 \prod_{i=1}^{\ell} a_i^{m_i} \bmod N$$
The signature is (e, x).

Verification. Check that the equation above holds and that e is an ℓ-bit (odd) integer.

It is easy to notice that its security follows from Corollary 2.

Gennaro-Halevi-Rabin Signatures. In [13] an efficient signature scheme is presented that comes in two flavors: a basic (weakly secure) signature scheme and a fully secure (slightly less efficient) one that requires chameleon hash functions [17]. Here we discuss only the first version of the scheme.

Key Generation. Generate N as the product of two safe primes p and q^7. Also randomly choose a quadratic residue a_1 ∈ QR_N. The public key is (N, a_1) and the private key is (p, q).

Sign. To sign m (of arbitrary length) compute the ℓ-bit hash value e = H(m) with a division intractable hash function H and solve (for x) the equation $x^e = a_1 \bmod N$. The signature is (e, x).

Verification. Check that the equation above holds and that e = H(m).

The scheme above fits our framework for weakly-secure signature schemes (see Section 6) when using the following distribution:

ϕ_GHR: Choose r = m and set e = H(m) (where H : {0,1}* → {0,1}^{ℓ+1} is a division intractable hash function that maps into integers of length ℓ+1). Set s_1 = 1. All the remaining s_i's are set to 0.
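All the strong-RSA schemes above share one signing step: draw (e, s_1, ..., s_m) from the scheme's distribution ϕ and, using the factorisation of N, solve x^e = ∏ a_i^{s_i} mod N; only the exponent vector differs. The Python below is an added example, not code from this paper or from any of the cited schemes; it assumes toy-sized safe primes, fixed squares in place of random quadratic residues, and a SHA-256 based hash-to-prime function standing in for H′, and instantiates the Fischlin and Hofheinz-Kiltz exponent vectors.

```python
import hashlib
import random

L = 7  # toy ell: e is an (L+1)-bit prime, so e > 23 and gcd(e, phi(N)) = 1 for the N below

def is_prime(n):
    """Trial division; adequate only for the toy sizes used here."""
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def hash_bits(data, bits):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (1 << bits)

def hash_to_prime(data, bits):
    """Toy H': a `bits`-bit odd number derived from data, stepped up to the next prime."""
    c = hash_bits(data, bits - 1) | (1 << (bits - 1)) | 1
    while not is_prime(c):
        c += 2
    return c

def keygen(m, p=23, q=47):
    """Toy N = p*q with safe primes p = 2*11+1, q = 2*23+1; the a_i are fixed squares here
    (random quadratic residues in the real schemes). The secret key is phi(N)."""
    N = p * q
    a = [pow(g, 2, N) for g in (2, 3, 5, 7, 11, 13, 17, 19)[:m]]
    return (N, a), (p - 1) * (q - 1)

def rhs(pk, s):
    """Right-hand side prod a_i^{s_i} mod N of the framework equation."""
    N, a = pk
    r = 1
    for ai, si in zip(a, s):
        r = r * pow(ai, si, N) % N
    return r

def sign(pk, phi, s, seed):
    """Common signing step: e = H'(r) for a fresh r, then x = rhs^(e^-1 mod phi(N))."""
    e = hash_to_prime(seed.to_bytes(8, "big"), L + 1)
    return e, pow(rhs(pk, s), pow(e, -1, phi), pk[0])

def verify(pk, e, s, x):
    return pow(x, e, pk[0]) == rhs(pk, s)

# The scheme-specific part is only the exponent vector (s_1, ..., s_m).
def fischlin_exponents(msg, seed):
    alpha = random.Random(seed).getrandbits(L)
    return [1, alpha, alpha ^ hash_bits(msg, L)]

def hk_exponents(msg):
    h = hash_bits(msg, L)  # bits m_1 ... m_L pair with a_1 ... a_L; a_0 gets exponent 1
    return [1] + [(h >> i) & 1 for i in range(L)]
```

The length checks on e and α that the real verification algorithms perform are omitted; only the equation itself is verified.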
^7 In [13] this assumption is relaxed to consider safe primes or quasi-safe primes.

7.1 A new network signature from Strong RSA

It is easy to see that combining the results of Theorem 3 and Theorem 2 we obtain a concrete instantiation of the network coding signature scheme given in Section 5.2, whose security is thus based on Strong RSA in the standard model. We notice that our scheme is not as efficient as the one proposed by Gennaro et al. in [14], but it is secure in the standard model.

8 Conclusion

In this paper we have introduced a formal definition of adaptive pseudo-freeness. We have shown that under reasonable conditions the RSA group is adaptive pseudo-free for moduli that are products of safe primes, and exhibited the first direct cryptographic applications of adaptive pseudo-free groups: under some mild conditions, pseudo-free groups yield secure digital signature schemes. We have shown that all the RSA based signatures in the literature (to the best of our knowledge) can be seen as instantiations of our framework, and furthermore we showed that our methodology yields a new network coding signature scheme in the standard model.

There are several interesting problems that we have not addressed. Here we enumerate some of them. The first obvious one, originally posed by Rivest, is which other groups used in cryptography are pseudo-free. Any new pseudo-free group would, via our generic construction, lead to new signature schemes. Our results for RSA are only for univariate equations. It would be interesting to either justify this restriction through an analogue of Lemma 1 or, if this is not possible, extend our study to multi-variate equations. A one-more RSA inversion problem, where the adversary needs to compute the e-th root of n+1 random group elements with access to only n RSA inversion queries, has a strong flavor of adaptive pseudo-freeness.
The lack of a relation between the strong RSA problem and the one-more-RSA-inversion problem thus shows that proving general adaptive pseudo-freeness of the RSA group is difficult. Nevertheless, studying the relation between these two problems within our framework seems to be an interesting direction. Finally, we managed to prove pseudo-freeness for a large class of parametric distributions sufficient for cryptographic applications. It would be interesting to understand how far one can go with the limitations that we impose on the adversary by trying to enlarge this class.

References

1. Martín Abadi and Phillip Rogaway. Reconciling two views of cryptography (the computational soundness of formal encryption). Journal of Cryptology, 20(3):395, July 2007.
2. R. Ahlswede, Ning Cai, S. Li, and R.W. Yeung. Network information flow. IEEE Transactions on Information Theory, 46(4):1204–1216, 2000.
3. Michael Backes, Birgit Pfitzmann, and Michael Waidner. A composable cryptographic library with nested operations. In Sushil Jajodia, Vijayalakshmi Atluri, and Trent Jaeger, editors, ACM CCS 03, pages 220–230, Washington D.C., USA, October 27–30, 2003. ACM Press.
4. Niko Bari and Birgit Pfitzmann. Collision-free accumulators and fail-stop signature schemes without trees. In Walter Fumy, editor, EUROCRYPT’97, volume 1233 of LNCS, pages 480–494, Konstanz, Germany, May 11–15, 1997. Springer, Berlin, Germany.
5. Mihir Bellare and Phillip Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In V. Ashby, editor, ACM CCS 93, pages 62–73, Fairfax, Virginia, USA, November 3–5, 1993. ACM Press.
6. Dan Boneh, David Freeman, Jonathan Katz, and Brent Waters. Signing a linear subspace: Signature schemes for network coding. In Stanislaw Jarecki and Gene Tsudik, editors, PKC 2009, volume 5443 of LNCS, pages 68–87, Irvine, CA, USA, March 18–20, 2009. Springer, Berlin, Germany.
7. Christian Cachin, Silvio Micali, and Markus Stadler. Computationally private information retrieval with polylogarithmic communication. In Jacques Stern, editor, EUROCRYPT’99, volume 1592 of LNCS, pages 402–414, Prague, Czech Republic, May 2–6, 1999. Springer, Berlin, Germany.
8. Jan Camenisch and Anna Lysyanskaya. A signature scheme with efficient protocols. In Stelvio Cimato, Clemente Galdi, and Giuseppe Persiano, editors, SCN 02, volume 2576 of LNCS, pages 268–289, Amalfi, Italy, September 12–13, 2002. Springer, Berlin, Germany.
9. Ran Canetti. Universally composable security: A new paradigm for cryptographic protocols. In 42nd FOCS, pages 136–145, Las Vegas, Nevada, USA, October 14–17, 2001. IEEE Computer Society Press.
10. Ronald Cramer and Victor Shoup. Signature schemes based on the strong RSA assumption. In ACM CCS 99, pages 46–51, Kent Ridge Digital Labs, Singapore, November 1–4, 1999. ACM Press.
11. D. Dolev and A.C. Yao. On the security of public key protocols. In Proceedings of the 22nd Annual Symposium on Foundations of Computer Science, pages 350–357, 1981.
12. Marc Fischlin. The Cramer-Shoup strong-RSA signature scheme revisited. In Yvo Desmedt, editor, PKC 2003, volume 2567 of LNCS, pages 116–129, Miami, USA, January 6–8, 2003. Springer, Berlin, Germany.
13. Rosario Gennaro, Shai Halevi, and Tal Rabin. Secure hash-and-sign signatures without the random oracle. In Jacques Stern, editor, EUROCRYPT’99, volume 1592 of LNCS, pages 123–139, Prague, Czech Republic, May 2–6, 1999. Springer, Berlin, Germany.
14. Rosario Gennaro, Jonathan Katz, Hugo Krawczyk, and Tal Rabin. Secure network coding over the integers. In PKC 2010, LNCS, pages 142–160. Springer, Berlin, Germany, 2010.
15. Dennis Hofheinz and Eike Kiltz. Programmable hash functions and their applications. In David Wagner, editor, CRYPTO 2008, volume 5157 of LNCS, pages 21–38, Santa Barbara, CA, USA, August 17–21, 2008. Springer, Berlin, Germany.
16. Susan Hohenberger. The cryptographic impact of groups with infeasible inversion. Master’s thesis, Massachusetts Institute of Technology, EECS Dept., 2003.
17. Hugo Krawczyk and Tal Rabin. Chameleon signatures. In NDSS 2000, San Diego, California, USA, February 2–4, 2000. The Internet Society.
18. Daniele Micciancio. The RSA group is pseudo-free. In Ronald Cramer, editor, EUROCRYPT 2005, volume 3494 of LNCS, pages 387–403, Aarhus, Denmark, May 22–26, 2005. Springer, Berlin, Germany.
19. Daniele Micciancio and Bogdan Warinschi. Soundness of formal encryption in the presence of active adversaries. In Moni Naor, editor, TCC 2004, volume 2951 of LNCS, pages 133–151, Cambridge, MA, USA, February 19–21, 2004. Springer, Berlin, Germany.
20. Ronald L. Rivest. On the notion of pseudo-free groups. In Moni Naor, editor, TCC 2004, volume 2951 of LNCS, pages 505–521, Cambridge, MA, USA, February 19–21, 2004. Springer, Berlin, Germany.
21. Shuo-Yen Robert Li, Raymond Y. Yeung, and Ning Cai. Linear network coding. IEEE Transactions on Information Theory, 49(2):371–381, 2003.
22. Huafei Zhu. New digital signature scheme attaining immunity to adaptive chosen-message attack. Chinese Journal of Electronics, 10(4):484–486, October 2001.
23. Huafei Zhu. A formal proof of Zhu’s signature scheme. Cryptology ePrint Archive, Report 2003/155, 2003. http://eprint.iacr.org/.

A Non-trivial multivariate equations

Here we obtain an explicit description of trivial multi-variate equations. Let
$$\Lambda = \{\, x_1^{e_1^k} x_2^{e_2^k} \cdots x_n^{e_n^k} = a_1^{s_1^k} a_2^{s_2^k} \cdots a_m^{s_m^k} \,\}_{k=1\ldots t}$$
be a set of multivariate equations over F, and let {φ_1^k, φ_2^k, ..., φ_n^k | k = 1...t} be solutions for these equations. As for the case of univariate equations, we interpret these equations together with their solutions as relations between words in the free group generated by {φ_{1,k}, φ_{2,k}, ..., φ_{n,k} | k = 1...t} ∪ {a_1, a_2, ..., a_m}. Then, an equation $x_1^{e_1^*} x_2^{e_2^*} \cdots x_n^{e_n^*} = a_1^{s_1^*} a_2^{s_2^*} \cdots a_m^{s_m^*}$ is trivial if it has a solution over F/≡_Λ.
Assume that
$$\phi_i^* = \prod_{j=1}^{m} a_j^{v_j^i} \cdot \prod_{j=1}^{t} \prod_{l=1}^{n} \phi_{j,l}^{k_{l,j}^i}$$
is a solution for the equation (for some $v_j^i$, $k_{l,j}^i$ with 1 ≤ j ≤ m, 1 ≤ l ≤ n, 1 ≤ i ≤ n). Using the explicit characterization of ≡_Λ we obtain that there exist l_1, l_2, ..., l_t ∈ Q such that:
$$\prod_{i=1}^{n} (\phi_i^*)^{e_i^*} = a_1^{s_1^*} a_2^{s_2^*} \cdots a_m^{s_m^*} \prod_{i=1}^{t} \Big( \prod_{j=1}^{n} \phi_{i,j}^{-e_j^i} \prod_{j=1}^{m} a_j^{s_j^i} \Big)^{l_i}$$
By replacing the expressions for φ_i^* in the above relation and matching the exponents of the different symbols we obtain that the equation $x_1^{e_1^*} x_2^{e_2^*} \cdots x_n^{e_n^*} = a_1^{s_1^*} a_2^{s_2^*} \cdots a_m^{s_m^*}$ is trivial with respect to Λ if there exist integers $v_j^i$, $k_{l,j}^i$ (with 1 ≤ j ≤ m, 1 ≤ l ≤ n, 1 ≤ i ≤ n) and rationals l_1, l_2, ..., l_t such that:
– For all 1 ≤ u ≤ t and 1 ≤ j ≤ n: $\sum_{i=1}^{n} k_{u,j}^i e_i^* = e_j^u l_u$
– For 1 ≤ j ≤ m: $\sum_{i=1}^{n} v_j^i e_i^* = s_j^* - \sum_{u=1}^{t} s_j^u l_u$

B Network Coding Signatures

We recall the definitions of network coding signatures and network coding homomorphic signatures.

Definition 9. A network coding signature is defined by a triple of algorithms (NetKG, Sign, Ver) such that:
NetKG(1^k, N): On input the security parameter k and a parameter N, this algorithm outputs (vk, sk) where sk is the secret signing key and vk is the public verification key. N defines the size of the signed vectors.
Sign(sk, V, fid): The signing algorithm takes as input the secret key sk, a random file identifier fid and an m-dimensional subspace V ⊂ F^N and outputs a signature σ.
Ver(vk, fid, v, σ): Given the public key vk, a file identifier fid, a vector v ∈ F^N and a signature σ, the algorithm outputs 0 (reject) or 1 (accept).
For correctness, we require that for all honestly generated key pairs (vk, sk), all identifiers fid and all V ⊂ F^N, if σ ← Sign(sk, V, fid) then Ver(vk, fid, v, σ) = 1 for all v ∈ V.

A network coding signature is secure if it satisfies the following definition.

Definition 10. Consider the following experiment between an adversary A and a challenger.
At the beginning the adversary chooses a positive integer N and gives it to the challenger, who runs (vk, sk) ← NetKG(1^k, N) and gives vk to A. Then the adversary can adaptively ask for signatures on vector spaces V_i ⊂ F^N of its choice, and finally A outputs a tuple (fid*, v*, σ*). We say that the adversary wins if Ver(vk, fid*, v*, σ*) = 1 and one of the following cases holds: (1) fid* ≠ fid_i for all i; (2) fid* = fid_i for some i but v* ∉ V_i.

Finally we give the formal definition of homomorphic network coding signature. As noticed by Boneh et al. [6], homomorphic network coding signatures are a special case of network coding signatures.

Definition 11. A homomorphic network coding signature scheme is defined by a 4-tuple of algorithms (NetKG, Sign, Ver, Combine) such that:
NetKG(1^k, N): On input the security parameter k and a parameter N, this algorithm outputs (vk, sk) where sk is the secret signing key and vk is the public verification key. N defines the size of the signed vectors.
Sign(sk, v, fid): The signing algorithm takes as input the secret key sk, a random file identifier fid and a vector v ∈ F^N and outputs a signature σ.
Combine(vk, fid, {(w_i, σ_i)}_{i=1}^{ℓ}): This algorithm takes as input the public key vk, a file identifier fid, and a set of tuples (w_i, σ_i) where σ_i is a signature and w_i ∈ F is a coefficient. It outputs a new signature σ such that, if each σ_i is a valid signature on vector v_i, then σ is a valid signature for the vector v obtained as the linear combination $v = \sum_{i=1}^{\ell} w_i v_i$.
Ver(vk, fid, v, σ): Given the public key vk, a file identifier fid, a vector v ∈ F^N and a signature σ, the algorithm outputs 0 (reject) or 1 (accept).