Adaptive Pseudo-Free Groups and Applications⋆
Dario Catalano (1), Dario Fiore (2)⋆⋆ and Bogdan Warinschi (3)
(1) Dipartimento di Matematica e Informatica, Università di Catania, Italy. catalano@dmi.unict.it
(2) École Normale Supérieure, CNRS - INRIA, Paris, France. dario.fiore@ens.fr
(3) Dept. Computer Science, University of Bristol, UK. bogdan@cs.bris.ac.uk
Abstract. A computational group is pseudo-free if an adversary cannot find solutions in this group
for equations that are not trivially solvable in the free group. This notion was put forth by Rivest as a
unifying abstraction of multiple group-related hardness assumptions commonly used in cryptography.
Rivest’s conjecture that the RSA group is pseudo-free had been settled by Micciancio for the case of
RSA moduli that are the product of two safe primes. This result holds for a static setting where the
adversary is only given the description of the group (together with a set of randomly chosen generators)
and has to come up with the equation and the solution.
In this paper we explore a powerful extension of the notion of pseudo-freeness. We identify, motivate,
and study pseudo-freeness in face of adaptive adversaries who may learn solutions to other non-trivial
equations before having to solve a new non-trivial equation.
Our first contribution is a carefully crafted definition of adaptive pseudo-freeness that walks a fine line
between being too weak and being unsatisfiable. We give generic constructions that show how any
group that satisfies our definition can be used to construct digital signatures and network signature
schemes.
Next, we prove that the RSA group meets our more stringent notion of pseudo-freeness and as a
consequence we obtain several results. First, we obtain a new network (homomorphic) signature
scheme in the standard model. Secondly, we demonstrate the generality of our framework for signatures
by showing that all existing strong RSA-based signature schemes are instantiations of our generic
construction in the RSA group.
1 Introduction
Background. The search for abstractions that capture the essential security properties of primitives and protocols is crucial in cryptography. Among other benefits, such abstractions allow for
modular security analysis, reusable and scalable proofs. The random oracle model [5], the universal composability framework [9] and variants [1, 3, 19] of the Dolev-Yao models [11] are results of
this research direction. Most of the existing results in this direction (the above examples included)
tackle mostly primitives and protocols and are not concerned with the more basic mathematical
structures that underlie current cryptographic constructions. One notable exception is the work on
pseudo-free groups, a notion put forth by Hohenberger [16] and later refined by Rivest [20]. In this
paper we continue the investigation of this abstraction.
⋆ An extended abstract of this paper appears in the proceedings of Eurocrypt 2011. The work described in this
paper has been supported in part by the European Commission through the ICT programme under contract
ICT-2007-216676 ECRYPT II.
⋆⋆ Work partially done while student at University of Catania.
Roughly speaking, a computational group G (a group where the group operations have efficient
implementations) is pseudo-free if it behaves as a free group as far as a computationally bounded
adversary is concerned. More specifically, a group is pseudo-free if an adversary who is given a
description of the group cannot find solutions for non-trivial equations. Here, non-triviality means
that the equation does not have a solution in the free group. For instance, in a pseudo-free group
given a random element $a$ it should be hard to find a solution for an equation of the form $x^e = a$,
when $e \neq 1$, or for the equation $x_1^2 x_2^4 = a^5$, but not for the equation $x_1 x_2^3 = a^5$. This last equation
is trivial since it can be solved over the free group (it has $x_1 = a^2$, $x_2 = a$ as a solution in the free
group) and a solution in the free group immediately translates to a solution over G. The notion
of pseudo-freeness generalizes the strong RSA assumption (when G is an RSA group) but also
numerous other assumptions currently used in cryptography; see [20] for further details. Rivest’s
conjecture that the RSA group is pseudo-free was largely settled by Micciancio [18] who proved
that this is indeed the case when the RSA modulus is the product of two safe primes.
In its most basic form that had been studied so far, the notion of pseudo-free groups did not lend
itself easily to applications. The problem is that in most of the interesting uses of the RSA group
the adversary is not only given a description of the group, but often he is allowed to see solutions
to non-trivial equations before having to come up with his own new equation and solution. This
is the case for example in RSA-based signature schemes where one can think of a signature as
the solution to some non-trivial equation. A chosen-message attack allows the adversary access to
an oracle that solves (non-trivial) equations over the group, and a forgery is a solution to a new
equation.
This problem was recognized early on by Rivest [20] who also left as open problems the design
of a notion of pseudo-freeness for adaptive adversaries and, of course, whether such groups exist.
In this paper we put forth such a notion, prove that the RSA group is adaptive pseudo-free, and
exhibit several applications for adaptive pseudo-free groups. We detail our results next.
Adaptive pseudo-free groups. We first extend the notion of pseudo-freeness to adaptive
adversaries. Informally, we consider an adversary that can see solutions for some equations and has
as goal solving a new non-trivial equation. As explained above, this scenario captures typical uses
of groups in cryptography.
Our definition involves two design decisions. The first is to fix the type of equations for which
the adversary is allowed to see solutions and how are these equations chosen: too much freedom in
selecting these equations immediately leads to potentially unsatisfiable notions, whereas too severe
restrictions may not model the expected intuition of what an adaptive adversary is and may not
allow for applications. In the definition that we propose, equations are selected from a distribution
over the set of equations. Importantly, the distribution depends on a parameter supplied by the
adversary. This models the idea that in applications, the adversary may have some control over how
the equations are selected. Different choices for this distribution lead to a variety of adversaries from
very weak ones where no equation is provided (precisely the setting of pseudo-freeness proposed
earlier), to a setting where the adversary has no influence on the choice of equations, and ending
with the very strong notion where the adversary basically selects the equations on his own.
The second issue is to define what is a non-trivial equation in the adaptive setting. Indeed,
previous definitions of triviality do not apply since in our new setting the adversary knows additional
relations between the group elements which in turn may help him in solving additional equations.
We define non-triviality in a way motivated by existing uses of groups in cryptography and an
analysis of equations over quotients of free groups.
Our definition is for the case of univariate equations but can be easily extended to multivariate
equations as well as systems of equations.
Generic constructions for signatures. Our definition of pseudo-freeness is parametrized
by a distribution over equations. We show that for any distribution in a class of distributions that
satisfy certain criteria, one can construct secure digital signatures and network coding signature
schemes. The requirements on the distribution include the ability to efficiently check membership
in the support of the distribution, and a property on the distribution of the exponents in the
equation. Informally, these requirements are used to enforce that each equation freshly drawn from
the distribution is most likely non-trivial with respect to previously sampled equations. We show
that an adversary that breaks the signature scheme must also contradict the pseudo-freeness of the
underlying group.
Our generic construction for network coding signatures is secure in the vanilla model based only
on the adaptive pseudo-freeness of the underlying group. Any instantiation of such groups would
thus yield network signature schemes secure in the standard model. Indeed, given the instantiation
that we discuss below, our framework yields the first RSA-based network coding homomorphic
signature scheme secure in the standard model.
The RSA group is adaptive pseudo-free. Next, we turn to proving that the RSA group is
adaptive pseudo-free. We do so for a class of distributions closely related but slightly more general
than the distributions that yield signatures schemes. We show that an adversary that contradicts
pseudo-freeness of the RSA group with respect to the distribution can be used to contradict the
strong RSA assumption. We also prove that the RSA group is pseudo-free for a weaker version of
adaptive adversaries who output their inputs to the distribution non-adaptively, but in this case
the proof is for a larger class of distributions.
We do not attempt to prove adaptive pseudo-freeness of the RSA group for multivariate equations. While this is potentially an interesting topic for further research, we are not aware of cryptographic applications where such equations are used.
Instantiations. An appealing interpretation of the proof of adaptive pseudo-freeness for the RSA
group is that it distills the core argument that underlies the typical security proofs for signatures
based on the strong RSA assumption. Each such proof explains how a signature forgery can be used
to break strong RSA. In this sense our proof is a generalization to a broader (abstractly defined)
set of equations rather than the particular equations that define an individual signature scheme.
Indeed, we show that virtually all strong RSA signature schemes are instances of our generic
construction. We explain how to obtain the schemes by Cramer and Shoup [10], Fischlin [12],
Camenisch and Lysyanskaya [8], Zhu [22], Hofheinz and Kiltz [15], and that by Gennaro, Halevi,
and Rabin [13] by instantiating our generic distribution in appropriate ways. The security of all of
these schemes follows as a corollary from the security of our generic construction.
2 Preliminaries
A number N is called an RSA modulus if it is the product of two distinct prime numbers p, q.
$QR_N \subseteq \mathbb{Z}_N^*$ denotes the set of quadratic residues modulo N, namely
$QR_N = \{\tau \in \mathbb{Z}_N^* : \tau = z^2 \bmod N,\ z \in \mathbb{Z}_N^*\}$.
Definition 1 (Safe primes). A prime p is called safe prime if p = 2p′ + 1 where p′ is also prime.
The Strong RSA Assumption was introduced by Baric and Pfitzmann in [4]. Essentially it is a
variant of RSA where the adversary is allowed to choose the exponent e for which it has to extract
the root. It is formally defined as follows.
Definition 2 (Strong RSA). Let N be a random RSA modulus of length k where $k \in \mathbb{N}$ is the
security parameter and τ be a random element in $\mathbb{Z}_N^*$. Then we say that the Strong RSA assumption
holds if for any PPT adversary A the probability
$$\Pr\big[(y, e) \leftarrow A(N, \tau) : y^e = \tau \bmod N,\ e > 1\big]$$
is negligible in k. (The restriction $e > 1$ is what rules out the trivial answer $y = \tau$, $e = 1$.)
In this paper we use a variant of this assumption where τ is taken from the set QRN . As shown in
[10] such variant is implied by the standard Strong RSA.
2.1 Division Intractable Functions
In our work we use the notion of division intractable functions. Informally, a function H is division
intractable if an adversary A cannot find $x_1, x_2, \dots, x_t, y$ such that $y \neq x_i$ for all i and $H(y)$ divides the
product of the $H(x_i)$'s. It is easy to see that this notion is satisfied by any function that maps inputs
to (distinct) prime numbers. Such mappings can be instantiated without making any cryptographic
assumptions (see [7] for a construction), but they are not very efficient in practice.
Gennaro et al. introduced in [13] the notion of division intractable hash functions and also
showed how to get practical implementations of them. We recall below the formal definition.
Definition 3 (Division Intractable Hash Functions). Let $\mathcal{H}$ be a family of hash functions with
poly(k)-bit input and k-bit output. We say that $\mathcal{H}$ is division intractable if for any PPT adversary
it is hard to win the following game:
1. a function H is chosen at random from $\mathcal{H}$;
2. the adversary outputs $x_1, x_2, \dots, x_t, y$ such that: (i) $y \neq x_i$ for all $i = 1, \dots, t$ and (ii) $H(y) \mid \prod_{i=1}^{t} H(x_i)$.
2.2 Signatures
A digital signature scheme Π is given by a triple of algorithms (KG, Sign, Ver) for key generation,
signing, and verifying respectively. Key generation takes as input a security parameter k and returns
a pair of keys (sk, vk) for producing and verifying signatures, respectively. On input a signing key
sk and a message m, the signature algorithm produces a signature σ. The verification algorithm
takes as input a triple vk, m, σ and tests if signature σ is a valid signature on m with respect to
verification key vk.
We recall two security notions for signature schemes.
Definition 4 (Security of signature schemes). Consider the experiment $\mathbf{Exp}^{\mathrm{uf\text{-}cma}}_{A,\Pi}(k)$ where
a signing, verification key-pair (sk, vk) is generated for security parameter k. Then, the adversary
is given vk and is provided with a signing oracle that produces signatures on the messages that the
adversary (adaptively) queries. Eventually, the adversary outputs a tentative forgery $(m^*, \sigma^*)$. The
experiment returns 1 if $\sigma^*$ is a valid signature on $m^*$ and $m^*$ had not been queried to the signature
oracle. We call $\mathbf{Exp}^{\mathrm{suf\text{-}cma}}_{A,\Pi}(k)$ the related experiment where $(m^*, \sigma^*)$ is considered a forgery if it is
different from all the pairs $(m_i, \sigma_i)$ obtained from the signature oracle. A signature scheme Π is
unforgeable under chosen message attack if for any probabilistic, polynomial time adversary A the
advantage $\mathbf{Adv}^{\mathrm{uf\text{-}cma}}_{A,\Pi}(k) = \Pr[\mathbf{Exp}^{\mathrm{uf\text{-}cma}}_{A,\Pi}(k) = 1]$ is a negligible function. The signature scheme
is strongly-unforgeable if $\mathbf{Adv}^{\mathrm{suf\text{-}cma}}_{A,\Pi}(k) = \Pr[\mathbf{Exp}^{\mathrm{suf\text{-}cma}}_{A,\Pi}(k) = 1]$ is a negligible function.
It is also possible to consider a relaxed experiment where the adversary is required to choose
the messages for which it wants to see the signatures, before receiving the public key. Signature
schemes that are proved with respect to such experiment are said to be weakly-secure.
3 Static pseudo-free groups
As warm up, we recall the notion of pseudo-free groups as introduced by Rivest [20]. To distinguish
it from the notions that we develop in this paper we refer to the older notion as static pseudo-free
groups.
Free abelian groups. For any set of symbols $A = \{a_1, a_2, \dots, a_m\}$ we write $A^{-1}$ for the
set of symbols $A^{-1} = \{a_1^{-1}, a_2^{-1}, \dots, a_m^{-1}\}$. Let $X = \{x_1, \dots, x_n\}$ and $A = \{a_1, \dots, a_m\}$ be two
disjoint sets of variables and constant symbols. An equation over X with constants in A is a
pair $\lambda = (w_1, w_2) \in (X^* \times A^*)$. We usually write an equation $\lambda = (w_1, w_2)$ as $w_1 = w_2$ and,
looking ahead (we will only consider these equations over abelian groups), we may also write it as
$$x_1^{e_1} x_2^{e_2} \cdots x_n^{e_n} = a_1^{s_1} a_2^{s_2} \cdots a_m^{s_m}$$
where $\{e_1, \dots, e_n\}$ and $\{s_1, \dots, s_m\}$ are integers.
Let (G, ·) be an arbitrary abelian group and α : A → G be an interpretation of the constants
in A as group elements. We write $\lambda_\alpha$ for the equation λ interpreted over G via α. An evaluation
ψ : X → G is a solution for $\lambda_\alpha$ if
$$\psi(x_1)^{e_1} \cdots \psi(x_n)^{e_n} = \alpha(a_1)^{s_1} \cdots \alpha(a_m)^{s_m}.$$
Any equation λ over X and A can be viewed as an equation over the free group $\mathcal{F}(A)$ via the
interpretation $1_A : A \to \mathcal{F}(A)$ that maps a to a. It can be easily shown [20, 18] that the equation
$\lambda_{1_A}$ has a solution in $\mathcal{F}(A)$ if and only if for all $i = 1, \dots, m$ it holds that $\gcd(e_1, \dots, e_n) \mid s_i$. We call such
equations trivial, in the sense that these equations have solutions over the free group. All of the
other equations are deemed non-trivial.
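The gcd criterion above is constructive: Bezout coefficients for the exponents $e_1, \dots, e_n$ give an explicit solution over $\mathcal{F}(A)$ whenever one exists. The following Python code is an added worked example (it is not part of the paper): words over A are represented by their exponent vectors, and the sample equations are the ones from the introduction, $x_1 x_2^3 = a^5$ (trivial) and $x_1^2 x_2^4 = a^5$ (non-trivial), plus a root equation $x^3 = a$.

```python
"""Triviality of equations over the free abelian group F(A).  Added example, constructed inputs.
An equation x_1^{e_1}...x_n^{e_n} = a_1^{s_1}...a_m^{s_m} is given by integer vectors e and s;
a word over A is represented by its exponent vector, so each x_j is a list of m integers."""
from math import gcd


def ext_gcd(a, b):
    """Extended Euclid: return (g, u, v) with u*a + v*b = g = gcd(a, b) >= 0 (also for negatives)."""
    old_r, r, old_u, u, old_v, v = a, b, 1, 0, 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_u, u = u, old_u - q * u
        old_v, v = v, old_v - q * v
    if old_r < 0:                        # normalise the sign of the gcd
        old_r, old_u, old_v = -old_r, -old_u, -old_v
    return old_r, old_u, old_v


def bezout_combination(e):
    """Return (g, c) with g = gcd(e_1, ..., e_n) and sum_j c_j * e_j = g."""
    g, c = e[0], [1] + [0] * (len(e) - 1)
    for j in range(1, len(e)):
        g2, u, v = ext_gcd(g, e[j])      # g2 = u*g + v*e_j
        c = [u * cj for cj in c]         # invariant: sum_j c_j e_j = g
        c[j] = v
        g = g2
    if g < 0:
        g, c = -g, [-cj for cj in c]
    return g, c


def is_trivial(e, s):
    """Rivest/Micciancio criterion: solvable over F(A) iff gcd(e_1,...,e_n) divides every s_i."""
    g = 0
    for ej in e:
        g = gcd(g, ej)
    return g != 0 and all(si % g == 0 for si in s)


def free_group_solution(e, s):
    """Exponent vectors X[j] of x_j = prod_i a_i^{X[j][i]} solving the equation over F(A),
    or None if the equation is non-trivial.  With sum_j c_j e_j = g and x_j = a^{c_j * s / g}:
    prod_j x_j^{e_j} = prod_i a_i^{(sum_j e_j c_j) s_i / g} = prod_i a_i^{s_i}."""
    if not is_trivial(e, s):
        return None
    g, c = bezout_combination(e)
    return [[cj * (si // g) for si in s] for cj in c]


def lhs_exponents(e, X):
    """Exponent vector of prod_j x_j^{e_j} for the x_j given by X; used to check a solution."""
    return [sum(ej * X[j][i] for j, ej in enumerate(e)) for i in range(len(X[0]))]


if __name__ == "__main__":
    # Equations from the introduction over a single constant a (constructed inputs).
    print(free_group_solution([1, 3], [5]))   # x_1 x_2^3 = a^5   : trivial, e.g. x_1 = a^5, x_2 = 1
    print(free_group_solution([2, 4], [5]))   # x_1^2 x_2^4 = a^5 : None, since 2 does not divide 5
    print(free_group_solution([3], [1]))      # x^3 = a           : None (a root of a constant)
```

The solution returned for $x_1 x_2^3 = a^5$ ($x_1 = a^5$, $x_2 = 1$) differs from the one quoted in the introduction ($x_1 = a^2$, $x_2 = a$); both are valid, since the free group has many solutions whenever it has one.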
Static pseudo-free groups. A computational group consists of a (finite) set of representations
for the group elements together with efficient implementations for the two group operations. Informally, a computational group is pseudo-free if it is hard to find an equation which is unsatisfiable
over the free group, together with a solution in the computational group. It is worth noting that
if the order of the group is known then finding solutions for non-trivial equations may be easy.
Therefore, the notion of pseudo-free groups holds for families G = {GN }N ∈Nk of computational
groups where N is chosen at random from the set of indexes Nk (typically these are the strings of
length k) and the corresponding order ord(GN ) is hidden to the adversary.
In the following we recall the formal definition given by Micciancio in [18] (which is similar to
that of Rivest [20]). The adversary that is considered in the following definition is static (in that it
is only allowed to see a description of the group, but obtains no further information). To distinguish
this class of groups from others that we define in this paper we call them static pseudo-free groups.
Definition 5 (Static Pseudo-Free Groups [18]). A family of computational groups G = {GN }N
is static pseudo-free if for any set A of polynomial size |A| = p(k) (where k is a security parameter), and PPT algorithm A, the following holds. Let N ∈ Nk be a randomly chosen group index,
and define α : A → GN by choosing α(a) uniformly at random in GN , for each a ∈ A. Then, the
probability (over the selection of α) that on input (N, α) adversary A outputs an equation λ and a
solution ψ for λα is negligible in k.
4 Adaptive pseudo-free groups
A rough definition. The notion described above requires an adversary to produce a solution for
some non-trivial equation only given some randomly chosen generators to be used in the equation,
but no additional information. In contrast, the notion that we develop attempts to capture the idea
that an adversary against the computational group gets to see several equations with solutions, and
then attempts to solve a new non-trivial equation. A typical cryptographic game that captures this
situation involves an adversary A who works against a Challenger as follows.
Setup The Challenger chooses a random instance of the computational group $G_N$ (by picking a
random index $N \xleftarrow{\$} \mathcal{N}_k$) from a family $\mathcal{G} = \{G_N\}_{N \in \mathcal{N}_k}$. Then he fixes an assignment $\alpha : A \to G_N$
for the set of constants and gives $(\alpha, G_N)$ to the adversary.
Equations queries In this phase the adversary is allowed to see non-trivial equations together
with their solutions.
Challenge At some point the adversary is supposed to output a new "non-trivial" equation $\lambda^*$
(defined by $(e^*, s^*)$) together with a solution $\psi^*$.
Notice that the above description incorporates an assumption that we make for simplicity, namely
that all equations are univariate. In general, any univariate equation over A is of the form
$x^e = a_1^{s_1} a_2^{s_2} \cdots a_m^{s_m}$. For the case of static pseudo-free groups, this restriction is justified by the following
lemma that was proved by Micciancio in [18]. Informally the lemma says that any (multivariate)
equation and solution (λ, ψ) can be efficiently transformed into a univariate equation and solution
(λ′, ψ′). Whilst we extend the definition of trivial equations to the multivariate case in Appendix
A, it would be interesting to see if a similar lemma is possible in the context of adaptive pseudo-freeness.
Lemma 1 ([18]). For any computational group family G, there is a PPT algorithm that on input
an equation λ over constants A and variables X, a group G from G, and a variable assignment
ψ : X → G, outputs a univariate equation λ′ and value ψ′ ∈ G such that: (1) if λ is unsatisfiable
over the free group $\mathcal{F}(A)$, then λ′ is also unsatisfiable over $\mathcal{F}(A)$ and (2) for any assignment
α : A → G, if ψ is a solution to $\lambda_\alpha$, then ψ′ is a solution to $\lambda'_\alpha$.
The general definition of pseudo-freeness that we sketched above leaves open two important
points: 1) How are the equations for which the adversary sees solutions produced? and 2) What
does “non-trivial equation” mean when other equations and solutions are given? We discuss and
give answers to these two problems in Sections 4.1 and 4.2 respectively.
4.1 A spectrum of adaptive adversaries
The second phase of the above generic game requires that adversaries be given non-trivial equations
together with their solutions, so we need to clarify how are these equations produced. Here we
identify a whole spectrum of possible choices. The weakest definition one might consider is one
where the adversary does not have any control over these equations. For instance, this means that,
whenever the Challenger is queried in the second phase, the Challenger chooses an equation λi
(more precisely it chooses its exponents (ei , si)) and gives λi and its solution in G, ψi , to the
adversary. Unfortunately, in such a game the adversary is not really adaptive: it may receive all
the equations and solutions at once.
The strongest possible notion, and perhaps the most natural one, would be to consider an adversary that is allowed to choose equations $\lambda_i$ (namely their respective exponents $(e_i, s_i)$) in any
way it wants. In particular the choice of the equations can be done in an adaptive way, namely
A asks for an equation, sees its solution, then chooses another equation and so on. We call this
definition "Strong Adaptive Pseudo-freeness". Unfortunately this choice seems to lead to an unrealizable notion (see footnote 4). We therefore settle on an intermediary variant where the adversary is allowed
to be adaptive, but still cannot choose the equations in a completely arbitrary way. Instead, we
consider a setting where the equations are selected from the set of all equations according to some
distribution over which the adversary has some limited control. We formulate this limitation via a
parametric distribution ϕ over the set of all possible equations. Sampling from such a distribution
requires some parameter M of some appropriate length which is provided by the adversary. The
distribution then produces a tuple of m + 1 integers which for expressivity we write (e, s). Here e
is an integer (the exponent for the variable) and s is a vector of m integers (the exponents for the
generators). The idea is that once the parameter M is fixed, ϕ(M ) is some fixed distribution from
which (e, s) are drawn. Notice that the two ends of the spectrum can be modeled via appropriate
choices of ϕ.
4.2 Non-trivial equation w.r.t. other equations
Our definition of adaptive pseudo-freeness requires an adversary to find a solution to a non-trivial
equation. In the original setting of Rivest, non-triviality of an equation simply meant that the
equation has no solution in the free group. In our setting, non-triviality is less clear: the adversary
is already given solutions for some equations which may lead to solutions for other equations that
are difficult to solve otherwise. In this section we develop a notion of triviality for equations given
solutions to other equations. Our ultimate goal is to characterize, using the vocabulary of free groups,
those equations that cannot be solved in the computational group.
General deducibility modulo equations. We frame the discussion in slightly more general
terms to obtain a framework suitable for talking about non-triviality of both univariate and multivariate equations.
Let F be the free abelian group generated by the set {a1 , a2 , . . . , am } and let Λ ⊆ F × F be an
arbitrary binary relation on F that models equalities between words in F (equations with solutions
can be thought of as such relations). We therefore aim to characterize the set of all equalities that
can be derived from Λ. Recall that eventually these equalities are interpreted over computational
groups, hence there are two ways for an adversary to derive new equalities. The first is to use
the group operations and their properties. For example, if $\Lambda = \{a_1 a_2 = a_1^2 a_4\}$, then it can also
be derived that $a_1 a_2^2 = a_1^2 a_4 a_2 = a_1^3 a_4^2$, where the first equality is obtained by simply multiplying
$a_2$ into the known equation, and the second equality follows using the commutativity of $\mathcal{F}$ and
the known equality. The second possibility reflects an ability that computational adversaries have
(when working against computational groups). Specifically, if an equality of the form $w_1^q = w_2^q$ can
be derived in a computational group, then the equality $w_1 = w_2$ can also be derived (provided that
q is relatively prime with the order of the group). Furthermore, since we search for an abstraction
independent of the order of the group, we have to consider the above possibility for any q. The
following definition is motivated by the above discussion.
Definition 6. Let $\mathcal{F}$ be a freely generated abelian group and let $\Lambda \subseteq \mathcal{F} \times \mathcal{F}$ be an arbitrary binary
relation on $\mathcal{F}$. Let $\equiv_\Lambda$ be the smallest congruence on $\mathcal{F}$ such that:
– $\Lambda \subseteq\ \equiv_\Lambda$
– $\forall q \in \mathbb{N}, q \ge 1,\ \forall w_1, w_2 \in \mathcal{F}$: $w_1^q \equiv_\Lambda w_2^q \implies w_1 \equiv_\Lambda w_2$.
Then, $w_1$ and $w_2$ are trivially equal with respect to Λ if $w_1 \equiv_\Lambda w_2$.
4 For example, it is not clear at all if a group like $\mathbb{Z}_N^*$ can be proved strongly-adaptive pseudo-free under any
reasonable assumption (e.g. Strong RSA).
Next, we derive an explicit description for $\equiv_\Lambda$. Let $\Lambda = \{(w_{1,1}, w_{2,1}), (w_{1,2}, w_{2,2}), \dots, (w_{1,t}, w_{2,t})\}$.
Consider the binary relation $R_\Lambda$ on $\mathcal{F}$ defined by: $(w_1, w_2) \in R_\Lambda$ if and only if there exist $l_1, l_2, \dots, l_t \in \mathbb{Q}$ such that
$$w_1 = w_2 \cdot \prod_{i=1}^{t} \left(w_{1,i}^{-1} \cdot w_{2,i}\right)^{l_i}.$$
Here, exponentiation of a word $w = a_1^{s_1} a_2^{s_2} \cdots a_n^{s_n}$ with a rational number $l = p/q$ is defined (in the
obvious way) if and only if $q \mid \gcd_{1 \le i \le n}(p \cdot s_i)$.
The following proposition states that $\equiv_\Lambda$ and $R_\Lambda$ are one and the same relation.
Proposition 1. Let $R_\Lambda$ and $\equiv_\Lambda$ be defined as above. Then $(w_1, w_2) \in R_\Lambda$ if and only if $w_1 \equiv_\Lambda w_2$.
The proposition follows by the next two lemmas:
Lemma 2. $\equiv_\Lambda\ \subseteq R_\Lambda$
Proof. We prove that $R_\Lambda$ is a congruence and has all of the closure properties required from $\equiv_\Lambda$
(so the desired inclusion follows since $\equiv_\Lambda$ is the smallest congruence with these properties).
– $R_\Lambda$ is reflexive. Let $w \in \mathcal{F}$ be arbitrary. Then $(w, w) \in R_\Lambda$ by setting $l_1 = l_2 = \dots = l_t = 0$.
– $R_\Lambda$ is symmetric. Let $w_1, w_2$ be such that $(w_1, w_2) \in R_\Lambda$, so there exist $l_1, l_2, \dots, l_t \in \mathbb{Q}$ such
that $w_1 = w_2 \cdot \prod_{k=1}^{t} (w_{1,k}^{-1} w_{2,k})^{l_k}$. Then $(w_2, w_1) \in R_\Lambda$ by fixing the coefficients for the linear
combination to $-l_1, -l_2, \dots, -l_t$.
– $R_\Lambda$ is transitive. If $l_1, l_2, \dots, l_t$ show that $R_\Lambda(w_1, w_2)$ and $m_1, m_2, \dots, m_t$ show that $R_\Lambda(w_2, w_3)$
then $l_1 + m_1, l_2 + m_2, \dots, l_t + m_t$ show that $R_\Lambda(w_1, w_3)$.
– $R_\Lambda$ commutes with the operations. Let $w_1, w_2, w_1', w_2'$ be such that $(w_1, w_2), (w_1', w_2') \in R_\Lambda$, so
there exist $l_1, \dots, l_t, m_1, \dots, m_t$ such that $w_1 = w_2 \cdot \prod_{k=1}^{t} (w_{1,k}^{-1} w_{2,k})^{l_k}$ and
$w_1' = w_2' \cdot \prod_{k=1}^{t} (w_{1,k}^{-1} w_{2,k})^{m_k}$. Then $(w_1 w_1', w_2 w_2') \in R_\Lambda$ (take the coefficients for the required linear
combination to be $l_k + m_k$ for any $1 \le k \le t$). Also, we have that $(w_1^{-1}, w_2^{-1}) \in R_\Lambda$: take
the required coefficients to be $-l_1, -l_2, \dots, -l_t$.
– $\Lambda \subseteq R_\Lambda$. To show that $(w_{1,k}, w_{2,k}) \in R_\Lambda$ for any $1 \le k \le t$, set all of $l_1, l_2, \dots, l_t$ equal to 0 with
the exception of $l_k$, which is set to 1.
– Let $w_1, w_2$ be such that $(w_1^q, w_2^q) \in R_\Lambda$. By the definition of $R_\Lambda$ there exist $l_1, l_2, \dots, l_t$ such
that $w_1^q = w_2^q \cdot \prod_{k=1}^{t} (w_{1,k}^{-1} w_{2,k})^{l_k}$. It follows that $(w_1, w_2) \in R_\Lambda$ by setting the coefficients of
the linear combination to $l_1/q, l_2/q, \dots, l_t/q$.
Since $R_\Lambda$ satisfies all of the properties that $\equiv_\Lambda$ satisfies, and the latter is the smallest congruence
with these properties, it follows that $\equiv_\Lambda\ \subseteq R_\Lambda$.
Lemma 3. $R_\Lambda \subseteq\ \equiv_\Lambda$
Proof. Define the operations $S, T, Q, I, M : \mathcal{P}(\mathcal{F} \times \mathcal{F}) \to \mathcal{P}(\mathcal{F} \times \mathcal{F})$ as follows.
– $S(\mathcal{S}) = \{(x, y) \mid (y, x) \in \mathcal{S}\}$
– $T(\mathcal{S}) = \{(x, y) \mid \exists z \in \mathcal{F} : (x, z), (z, y) \in \mathcal{S}\}$
– $Q(\mathcal{S}) = \{(x, y) \mid \exists q \ge 1 : (x^q, y^q) \in \mathcal{S}\}$
– $I(\mathcal{S}) = \{(x, y) \mid (x^{-1}, y^{-1}) \in \mathcal{S}\}$
– $M(\mathcal{S}) = \{(x_1 x_2, y_1 y_2) \mid (x_1, y_1), (x_2, y_2) \in \mathcal{S}\}$
Since all of the operations above commute with each other, the congruence $\equiv_\Lambda$ is the closure of the
set $\Delta_\mathcal{F} \cup \Lambda$, where $\Delta_\mathcal{F} = \{(w, w) \mid w \in \mathcal{F}\}$ is the diagonal (reflexivity), under the above operations. It is easy to see that $\Delta_\mathcal{F} \cup \Lambda \subseteq R_\Lambda$ and that for
any set $\mathcal{S}$, if $\mathcal{S} \subseteq R_\Lambda$ then $O(\mathcal{S}) \subseteq R_\Lambda$ for any operation $O \in \{S, T, Q, I, M\}$. The desired inclusion
then follows.
Trivial equations. Using the notion of deducibility modulo equations developed above we can
now specify the class of equations that we consider trivial (given solutions for the equations in some
set Λ). For simplicity, we focus on the case of univariate equations which is more relevant for the
cryptographic applications of this paper. The definition easily extends to the case of multivariate
equations (for completeness we give this variation in Appendix A). Assume that we are given a set
of equations
$$\Lambda = \left\{ x^{e_k} = a_1^{s_1^k} \cdots a_m^{s_m^k} \right\}_{k=1}^{t},$$
together with their corresponding solutions $\{\varphi_k\}_{k=1}^{t}$. (Notice that these are equations in a computational group; solutions for these equations may simply not exist in a free group.) Let $\mathcal{F}$ be
the free abelian group generated by $\{\varphi_1, \varphi_2, \dots, \varphi_t, a_1, a_2, \dots, a_m\}$ (interpreted as symbols). The
equations in Λ induce a binary relation on $\mathcal{F}$ which (by a slight abuse of notation) we also call Λ.
So $\Lambda = \{(\varphi_k^{e_k},\ a_1^{s_1^k} \cdots a_m^{s_m^k}) \mid 1 \le k \le t\}$. The following definition is simply a particular instance of
Definition 6 for the case of univariate equations.
Definition 7. Equation $x^{e^*} = a_1^{s_1^*} \cdots a_m^{s_m^*}$ is trivial with respect to Λ if the equation has a solution
over $\mathcal{F}/\!\equiv_\Lambda$.
We use the characterization of $\equiv_\Lambda$ that we gave earlier to explicitly determine the class of trivial
equations. Let
$$x^{e^*} = a_1^{s_1^*} \cdots a_m^{s_m^*} \qquad (1)$$
be an equation that has a solution over $\mathcal{F}/\!\equiv_\Lambda$. Let $\varphi = \varphi_1^{k_1} \cdots \varphi_t^{k_t} a_1^{v_1} \cdots a_m^{v_m}$ be such a solution. From
the explicit characterization of $\equiv_\Lambda$ there exist $l_1, \dots, l_t \in \mathbb{Q}$ such that
$$\left(\varphi_1^{k_1} \cdots \varphi_t^{k_t} a_1^{v_1} \cdots a_m^{v_m}\right)^{e^*} = a_1^{s_1^*} a_2^{s_2^*} \cdots a_m^{s_m^*} \cdot \prod_{i=1}^{t} \left(\varphi_i^{e_i} \cdot \prod_{k=1}^{m} a_k^{-s_k^i}\right)^{l_i} \qquad (2)$$
Since equality is standard equality over $\mathcal{F}$, the relation above translates (via symbol by symbol
matching of exponents) into the following requirement. Equation (1) has a solution if there exist
$v_1, \dots, v_m, k_1, \dots, k_t \in \mathbb{Z}$ and $l_1, \dots, l_t \in \mathbb{Q}$ such that:
1. $k_i e^* = e_i \cdot l_i$ (for all $1 \le i \le t$)
2. $v_i e^* = s_i^* - \sum_{j=1}^{t} l_j s_i^{(j)}$ (for all $1 \le i \le m$)
The converse of the above statement is also true: if integers $v_1, \dots, v_m, k_1, \dots, k_t$ and rationals
$l_1, \dots, l_t$ exist such that Equation (2) holds then $\varphi = \varphi_1^{k_1} \cdots \varphi_t^{k_t} a_1^{v_1} \cdots a_m^{v_m}$ is a solution for Equation (1) over $\mathcal{F}/\!\equiv_\Lambda$.
Finally, we express these two conditions in a more compact matrix form which will be simpler
to use in our proofs. Given the set of equations
$$\Lambda = \left\{ x^{e_k} = a_1^{s_1^k} \cdots a_m^{s_m^k} \right\}_{k=1}^{t}$$
we define the following quantities:
$$\Sigma = \begin{pmatrix} s_1^1 & \cdots & s_1^t \\ \vdots & \ddots & \vdots \\ s_m^1 & \cdots & s_m^t \end{pmatrix} \qquad \text{and} \qquad E = \begin{pmatrix} 1/e_1 & & 0 \\ & \ddots & \\ 0 & & 1/e_t \end{pmatrix}$$
that is, Σ is the $m \times t$ matrix whose k-th column is the exponent vector $s^k$ of the k-th equation, and E is the $t \times t$ diagonal matrix with entries $1/e_k$.
These quantities are dependent on Λ but we do not show the dependency explicitly to avoid heavy
notation.
Proposition 2 (Trivial equation w.r.t. a set of equations). Equation $\lambda^* : x^{e^*} = a_1^{s_1^*} \cdots a_m^{s_m^*}$
is trivial w.r.t. Λ if and only if:
$$\exists k \in \mathbb{Z}^t,\ V \in \mathbb{Z}^m : \quad e^* \left(\Sigma E k + V\right) = s^*$$
where $s^* = [s_1^* \cdots s_m^*]^T$.
Proof. The proposition follows by simply setting $l_i = k_i \frac{e^*}{e_i}$ for all $1 \le i \le t$.
4.3 A definition of adaptive pseudo-free groups
The definition of adaptive pseudo-freeness that we give below is for a set A of m generators, a
computational group {GN }N and is parameterized by a distribution ϕ(·) as discussed in Section 4.1.
Setup The Challenger chooses a random instance of the computational group GN (by picking
$
a random index N ← Nk ) from a family G = {GN }N ∈Nk . Then he fixes an assignment α :
A → GN for the set A of generators and a specific parametric distribution ϕ for the exponents.
The adversary is given in input the assignment α : A → GN and the descriptions of the
computational group and the parametric distribution ϕ.
Equations queries In this phase the adversary is allowed to adaptively query the Challenger
on equations and see their solutions. More precisely, A controls the queried equations via the
parametric distribution ϕ. Namely, for each query it chooses a parameter Mi and hands it to
the Challenger. The Challenger runs (ei , si)←ϕ(Mi ), computes the solution ψi for the equation
$\lambda_i$, which is $x^{e_i} = a_1^{s^{(i)}_1}\cdots a_m^{s^{(i)}_m}$, and gives (ψi , ei , si) to A.
Challenge Once the adversary has seen the solutions, then it is supposed to output an equation
λ∗ (defined by (e∗ , s∗)) together with a solution ψ ∗ . We say that A wins this game if λ∗ is a
non-trivial equation.
Definition 8 (Adaptive pseudo-free groups). G is a family of adaptive pseudo-free groups
w.r.t. distribution ϕ, if for any set A of polynomial size, any PPT adversary A wins in the game
above with at most negligible probability.
We restate several of the reasons that justify the above definition. Although the definition
is parametrized by a distribution, we feel this is the right way of modeling an adversary who
is adaptive but not all-powerful. As explained, by varying the distribution one obtains a large
spectrum of potentially interesting instantiations, starting with static pseudo-freeness all the way
to strong adaptive pseudo-freeness. Finally, we show that for some fixed distributions adaptive
pseudo-freeness implies immediately secure signature schemes.
5 Applications of adaptive pseudo-free groups
As an application of adaptive pseudo-free groups we show how to obtain signature and network
coding signature schemes out of pseudo-free groups. For our signature construction we exhibit a class
of parametric distributions ϕℓ and show that any family of groups that is adaptive pseudo-free w.r.t.
ϕ ∈ ϕℓ immediately yields a signature scheme that is strongly-unforgeable under chosen-message
attack. We also explain how to adapt the distribution and the proof to obtain the analogous result
for (non-strongly) unforgeable schemes.
5.1 Signatures from adaptive pseudo-free groups
The class of parametric distributions ϕℓ . In this section we introduce a specific class of
parametric distributions $\phi_\ell : \{0,1\}^\ell \to \mathbb{Z}^{1+m} \times \{0,1\}^{a(\ell)}$.
For any input M ∈ {0, 1}ℓ and an integer ℓ, ϕℓ (M ) outputs a tuple (e, s, r) such that:
– r is a binary string taken according to some arbitrary distribution Dr ;
– e = H(r) where H : {0, 1}a(ℓ) → {0, 1}b(ℓ) is a division intractable function (see Section 2) and
a(·) and b(·) are polynomials;
– s1 = 1;
– $s_i \in \mathbb{Z}_e$ (i.e. $s_i < e$) for all $i = 2, \ldots, m$, each sampled from some efficiently samplable distribution $D_{s_i}$.
Also we require that ϕℓ (M ) produces an output (e, s, r) for which one can efficiently tell that
it belongs to the support of ϕℓ (M ). Formally, we require that ϕℓ is equipped with an efficient
algorithm V erϕℓ (·, ·, ·, ·) that, on input (e, s, r, M ), outputs 1 if (e, s, r) is in the support of ϕℓ (M )
and 0 otherwise. Moreover we require V erϕℓ (e, s, r, M ) to be such that, for all PPT adversaries A
the probability
$$\Pr\big[(e, s, r, M_1, M_2) \leftarrow A(\phi_\ell) : M_1 \ne M_2 \wedge Ver_{\phi_\ell}(e, s, r, M_1) = 1 \wedge Ver_{\phi_\ell}(e, s, r, M_2) = 1\big]$$
is at most negligible.
Signature scheme construction. We now show how to build a signature scheme from any
family of groups G that is adaptive pseudo-free w.r.t. ϕ̂ ∈ ϕℓ .
Let ϕ̂ be a parametric distribution taken from the class ϕℓ and let G be a family of groups that is
adaptive pseudo-free w.r.t. ϕ̂. Then we have the following signature scheme PFSig = (KG, Sign, Ver):
KG(1k ) Let A = {a1 , . . . , am } and X = {x} be the sets of constant and variable symbols. The key
generation algorithm selects a random group G from G, fixes an assignment α : A → G for
the symbols in A and finally it sets vk = (X, A, α, G, ϕ̂) as the public verification key and
sk = ord(G) as the secret signing key. The input space of ϕ̂, M, is taken as the message space
of the signature scheme.
Sign(sk, M ) The signing algorithm proceeds as follows:
– (e, s, r)←ϕ̂(M )
– Use ord(G) to solve the equation $x^e = a_1^{s_1}\cdots a_m^{s_m}$. Let ψ : X → G be the satisfying assignment for x. The algorithm outputs σ = (e, s, r, ψ) as the signature for M .
Ver(vk, M, σ) To verify a signature σ for a message M , the verification algorithm proceeds as
follows:
– Check if $Ver_{\hat\phi}(e, s, r, M) = 1$ and if the equation $x^e = a_1^{s_1}\cdots a_m^{s_m}$ is satisfied in G by ψ(x).
– If both the checks are true, output 1, otherwise 0.
Security of the signature scheme. In this section we prove the security of the proposed
signature scheme under the assumption that G is adaptive pseudo-free w.r.t. ϕ̂. In particular we
can state the following theorem:
Theorem 1. If G is a family of adaptive pseudo-free groups w.r.t. distribution ϕ̂ ∈ ϕℓ , then the
signature scheme PFSig is strongly-unforgeable under chosen-message attack.
Proof. For the sake of contradiction, assume there exists an adversary A that is able to break the
security of PFSig with non-negligible probability. Then we can build a simulator algorithm B that
is able to break adaptive pseudo-freeness of G w.r.t. ϕ̂.
Let X and A be the sets of variable and constant symbols. At the beginning of the game B
receives (α, G) and the description of ϕ̂ from its challenger. It sets vk = (X, A, α, G) and runs A
on input vk.
Whenever A asks for a signature on a message Mi ∈ M, B hands Mi to its challenger and
gets back (ei , si , ri , ψi ) where (ei , si , ri ) is taken from ϕ̂(Mi ) (i.e. V erϕ̂ (ei , si , ri , Mi ) = 1) and ψi
is a valid solution for the equation λi defined by the exponents (ei , si ). B gives σi = (ei , si , ri , ψi )
as a signature for the message Mi . It is easy to see that σi are valid signatures and that they are
distributed as in the real case.
In the end A is supposed to output a valid forgery (M ∗ , σ ∗ ) (i.e. it holds that $(M^*, \sigma^*) \ne (M_i, \sigma_i)$
for all $i = 1, \ldots, t$, where t is the number of queries made by the adversary). Finally B outputs
σ ∗ = (e∗ , s∗ , r∗ , ψ ∗ ) to its challenger.
Since (M ∗ , σ ∗ ) is a valid forgery, we have that ψ ∗ is a solution for the equation $x^{e^*} = a_1^{s^*_1}\cdots a_m^{s^*_m}$
and that $Ver_{\hat\phi}(e^*, s^*, r^*, M^*) = 1$. To conclude the proof of security it remains to show that the
equation (e∗ , s∗ ) is non-trivial.
More precisely, we will prove the following lemma.
Lemma 4. Let $(M^*, \sigma^*) = (M^*, (e^*, s^*, r^*, \psi^*))$ be a valid forgery for the scheme PFSig w.r.t.
the set $\{(M_i, \sigma_i)\}_{i=1}^t$ of previously issued signatures; then the equation defined by $(e^*, s^*)$ is non-trivial w.r.t. the set of equations $\Lambda = \{(e_i, s_i)\}_{i=1}^t$.
Proof (Lemma 4). According to Proposition 2 (and for properly defined Σ, E) we want to show
that
$$\forall k \in \mathbb{Z}^t, V \in \mathbb{Z}^m : e^*(\Sigma E k + V) \ne s^*.$$
For the sake of contradiction, assume there exist $\hat k \in \mathbb{Z}^t$ and $\hat V \in \mathbb{Z}^m$ such that $e^*(\Sigma E \hat k + \hat V) = s^*$.
Then we show that this contradicts at least one of our assumptions.
Let $P = \prod_{i=1}^t e_i$ and let $\rho_j$ be the j-th row of $\Sigma E \hat k$:
$$\rho_j = \frac{s^{(1)}_j \hat k_1}{e_1} + \ldots + \frac{s^{(t)}_j \hat k_t}{e_t} = \frac{\sum_{l=1}^{t}\big(s^{(l)}_j \hat k_l \prod_{i \ne l} e_i\big)}{P}.$$
For all $j = 1, \ldots, m$ it holds $e^* \rho_j = s^*_j - e^* \hat V_j$, or equivalently
$$\frac{s^*_j P}{e^*} = \sum_{l=1}^{t} \hat k_l \Big(s^{(l)}_j \prod_{i \ne l} e_i\Big) + \hat V_j P. \qquad (3)$$
Since both $\sum_{l=1}^{t} \hat k_l \big(s^{(l)}_j \prod_{i \ne l} e_i\big)$ and $\hat V_j P$ are integers, $\frac{s^*_j P}{e^*}$ must be an integer too. In particular this must hold even for $j = 1$ and thus it must be that $e^* \mid P$ (as $s^*_1 = 1$).
Then we can have different cases that contradict our assumptions:
– $e^* \mid P$ and $r^* \ne r_j$ for all j. This contradicts that H (in $\phi_\ell$) is division intractable.
– $e^* \mid P$ and $r^* = r_j$ (i.e. $e^* = e_j$). In this case, for all $i = 1, \ldots, m$ we have
$$s^*_i = s^{(j)}_i \hat k_j + e^* \left(\frac{\sum_{l=1, l \ne j}^{t} \hat k_l \big(s^{(l)}_i \prod_{h \ne l} e_h\big)}{P} + \hat V_i\right)$$
from which $s^* = s^{(j)} \hat k_j \bmod e^*$. For any choices of $\hat k_i$, $i \ne j$, the last equation is satisfied for
$\hat k_j = 1 \bmod e^*$ (as $s^*_1 = s^{(j)}_1 = 1$) and thus $s^* = s^{(j)}$ (since $s^*, s^{(j)} \in \mathbb{Z}_{e^*}^m$). This means that in this
case we have $(e^*, s^*, r^*) = (e_j, s^{(j)}, r_j)$.
Then we can have two different subcases:
• $M^* \ne M_j$. This contradicts the security property on the verification algorithm of ϕ̂.
• $M^* = M_j$. This contradicts that (M ∗ , σ ∗ ) is a forgery.
Notice that if one relaxes a bit the requirements on the parametric distribution ϕ̂, Theorem 1
leads to different flavors of digital signature schemes. For instance, one might consider the distribution ϕ̂′ , which slightly generalizes the parametric distribution ϕ̂ as follows. ϕ̂′ is exactly as ϕ̂ with
the only difference that s2 is chosen uniformly in ZB for some value B > e. It is easy to rewrite the
proof of Theorem 1 in order to show the following.
Corollary 1. If G is a family of adaptive pseudo-free groups w.r.t. distribution ϕ̂′ , then the signature scheme PFSig is unforgeable under chosen-message attack.
Informally, what this corollary is saying is that by (slightly) generalizing the parametric distribution one gets a signature scheme where unforgeability is guaranteed only for previously unsigned
messages (i.e. the scheme is not strongly unforgeable).
5.2 Network coding signatures from adaptive pseudo-free groups
In this section we show that our framework allows us to encompass network coding signature schemes
as defined and constructed by [6, 14]. In particular, by combining previous theorems with ideas
from [14] we construct the first RSA-based network coding homomorphic signature scheme provably
secure without random oracles. In the following we will represent files V to be signed as collections
(v (1) , . . . , v (m) ) where each v (i) is an n-dimensional vector of the form (v1 , . . . , vn ). To sign V the
signer signs every single vector v (i) separately. Informally this is done using a signature scheme that
allows some form of (controlled) malleability. In this way, if we interpret signatures as solutions
of non-trivial equations, one can easily compute solutions for any linear combination of the given
equations. This simple observation, when combined with ideas from [14], can be used to construct
a secure signature scheme for network coding without random oracles.
Background on linear coding schemes. In linear network coding [2, 21], a file to be transmitted is viewed as an ordered sequence of n-dimensional vectors $v_1, \ldots, v_m$ (defined over the integers
or over some finite field). Before transmission, the source node creates the m augmented vectors
$w_1, \ldots, w_m$ obtained by prepending to $v_i$ a vector $u_i$ of length m. Each $u_i$ contains a 1 in the i-th position and 0 in all the remaining positions (m is typically much smaller than n). These augmented
vectors are then sent by the source as packets in the network. Each node in the network processes
packets as follows. When receiving $w_1, \ldots, w_m$, a node computes some linear combination of the received packets (e.g., using coefficients randomly chosen from a suitable domain) and transmits the
resulting vector on its outgoing edges. In other words, each node transmits a linear combination of
the vectors it receives. To recover the original file a node must receive m (valid) vectors $w_i$ of the
form described above, for which the corresponding $u_i$'s are linearly independent. Thus, denoting
with U the matrix whose rows are $u_1, \ldots, u_m$ and V the matrix whose rows are $v_1, \ldots, v_m$, the
original message can be retrieved as
$$M = U^{-1} V.$$
The idea sketched above is susceptible to pollution attacks where malicious nodes inject invalid
vectors in the network so as to make reconstruction of the original file impossible. To overcome
this problem a viable solution is to use network coding signatures. The basic requirement of such
schemes is that they allow one to efficiently check if a given vector is valid, i.e. if it has been obtained as
a linear combination of valid vectors $w_1, \ldots, w_k$. More details about network signatures can be found
in [6, 14]. We recall the formal definitions in Appendix B.
Our network coding signature scheme. Here we describe our network coding signature
scheme. First, however, we discuss some additional details required to properly present the scheme.
As already mentioned, a file to be signed is expressed as a set of vectors $(v^{(1)}, \ldots, v^{(m)})$ of n
components each. Such vectors will be prepended with m unit vectors $u^{(i)}$ (of m components
each). Let us denote with $w^{(i)}$ the resulting vectors.
Using a similar notation as [14] we denote with Q = {0, . . . , q − 1} (for some prime q) the set
from which coefficients are (randomly) sampled. We denote with L an upper bound on the path
length from the source to any target. With these parameters, $B = mq^L$ denotes the largest possible
value of u-coordinates in (honestly-generated) vectors. Moreover, denoting with M an upper bound
on the magnitude of the coordinates of the initial vectors $v^{(1)}, \ldots, v^{(m)}$, we set $B^* = MB$.
Let ϕN be the following parametric distribution. It takes as input some random identifier fid,
a vector space V and a bound $B^*$. Let $\ell_s$ be a security parameter and ℓ be an integer such that
$2^\ell > B^*$; compute $e = H(fid)$ where $H : \{0,1\}^* \to \{0,1\}^\ell$ is a division intractable function. Next,
for each $v^{(i)} = (v^{(i)}_1, \ldots, v^{(i)}_n) \in V$ it proceeds as follows. First, it samples (uniformly and at random)
an $(\ell + \ell_s)$-bit random integer $s_i$ and outputs $(s_i, u^{(i)}, v^{(i)})$. The global output of ϕN is then
$$(e, \{(s_i, u^{(i)}, v^{(i)})\}_{i=1}^{m})$$
Notice that ϕN is a simple extension of the distribution ϕ̂′ described above. It is straightforward to
show that it fits the requirements of Corollary 1 as well.
Let G be a family of groups that is adaptive pseudo-free w.r.t. ϕN . Then we have the following
signature scheme NetPFSig = (NetKG, NetSign, NetVer):
NetKG(1k , n) Let A = {g, g1 , . . . , gn , h1 , . . . , hm } and X = {x} be the sets of constant and variable
symbols. The key generation algorithm selects a random group G from G, fixes an assignment
α : A → G for the symbols in A and finally it sets vk = (X, A, α, G, ϕN ) as the public verification
key and sk = ord(G) as the secret signing key. The input space of ϕN , M, is taken as the set
of m-dimensional vectors whose components are positive integers of magnitude at most M .
Sign(sk, V ) The signing algorithm proceeds as follows. A random identifier fid for the vector space
V is chosen. Next, it runs $\phi_N(V, B^*, fid)$ to get back $(e, \{(s_i, u^{(i)}, v^{(i)})\}_{i=1}^{m})$. Finally, for i = 1 to
m, it uses ord(G) to solve the equation
$$x_i^{e} = g^{s_i}\prod_{j=1}^{m} h_j^{u^{(i)}_j}\prod_{j=1}^{n} g_j^{v^{(i)}_j}$$
Let ψ : X → G be the satisfying assignment for $x_i$ and $\sigma_i = (e, s_i, u^{(i)}, v^{(i)}, fid, \psi)$ the signature
for $w^{(i)}$. The algorithm outputs σ = (σ1 , . . . , σm ) as the signature for V .
Ver(vk, V, σ) To verify a signature σ for a vector space V , the verification algorithm proceeds as
follows⁵
– Check if $Ver_{\phi_N}(e, V, B^*, fid, \{(s_i, u^{(i)}, v^{(i)})\}_{i=1}^{m}) = 1$, and if the equations
$$x_i^{e} = g^{s_i}\, g_1^{v^{(i)}_1}\cdots g_n^{v^{(i)}_n}\, h_1^{u^{(i)}_1}\cdots h_m^{u^{(i)}_m}$$
are all satisfied in G by $\psi(x_i)$.
– If all the checks are true, output 1, otherwise 0.
Combine(vk, fid, w1 , . . . , wℓ , σ1 , . . . , σℓ ) To combine signatures σi , corresponding to vectors wi sharing the same fid, a node proceeds as follows.
– It discards any wi having u coordinates negative or larger than B/(mq), or having v coordinates negative or larger than B ∗ /(mq). Without loss of generality we keep calling w1 , . . . , wℓ
the remaining vectors.
– It chooses random $\alpha_1, \ldots, \alpha_\ell \in Q$, sets $w = \sum_{i=1}^{\ell} \alpha_i w_i$ and outputs the signature σ =
(e, s, w, fid, ψ) on w, which is obtained by computing
$$\psi = \prod_{i=1}^{\ell} \psi_i^{\alpha_i}, \qquad s = \sum_{i=1}^{\ell} \alpha_i s_i$$
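The Sign, Ver and Combine steps above as a runnable toy in Python, added here and not part of the paper: e = H(fid) is replaced by a fixed constructed prime, the group is a tiny safe-prime RSA modulus and the bounds q, L, M are constructed values. The point it shows is that Combine needs no secret, because (Π ψ_i^{α_i})^e reproduces the equation for w = Σ α_i w_i, while any change to the combined (s, w, ψ) breaks it.

```python
import random
from math import gcd

# Constructed toy RSA group (same shape as the paper's setting: N a product of two safe primes,
# all generators in QR_N). Sizes are far too small for real use.
P_PRIME, Q_PRIME = 23, 29
N = (2 * P_PRIME + 1) * (2 * Q_PRIME + 1)  # 2773
ORD_QR = P_PRIME * Q_PRIME                 # sk = ord(QR_N) = 667
E_FID = 3001          # stands in for e = H(fid): a constructed prime coprime to ord(QR_N)
Q_COEFF, L_HOPS, M_BOUND = 5, 2, 10        # coefficients from Q = {0..q-1}, path bound L, |v_j| <= M


def qr_elements(rng, count):
    """Random quadratic residues of Z_N^*, excluding 1 so that every generator is non-trivial."""
    out = []
    while len(out) < count:
        x = rng.randrange(2, N)
        if gcd(x, N) == 1 and pow(x, 2, N) != 1:
            out.append(pow(x, 2, N))
    return out


def net_keygen(rng, n, m):
    """NetKG: generators g, g_1..g_n, h_1..h_m; B = m q^L and B* = M B as in the text."""
    g, *rest = qr_elements(rng, 1 + n + m)
    B = m * Q_COEFF ** L_HOPS
    vk = {"n": n, "m": m, "g": g, "gs": rest[:n], "hs": rest[n:], "B": B, "Bstar": M_BOUND * B}
    return vk, ORD_QR


def equation_rhs(vk, s, w):
    """g^s * prod_j h_j^{u_j} * prod_j g_j^{v_j} for the augmented vector w = (u | v)."""
    m = vk["m"]
    rhs = pow(vk["g"], s, N)
    for h, u in zip(vk["hs"], w[:m]):
        rhs = rhs * pow(h, u, N) % N
    for gj, v in zip(vk["gs"], w[m:]):
        rhs = rhs * pow(gj, v, N) % N
    return rhs


def net_sign(sk, vk, file_vectors, rng):
    """NetSign: augment v^(i) with the unit vector u^(i), draw s_i, solve x^e = rhs using ord(G)."""
    m, d = vk["m"], pow(E_FID, -1, sk)     # d = e^-1 mod ord(G): the e-th root exponent
    sigs = []
    for i, v in enumerate(file_vectors):
        w = [1 if j == i else 0 for j in range(m)] + list(v)
        s_i = rng.getrandbits(24)          # (l + l_s)-bit random s_i; 24 bits is a toy choice
        psi = pow(equation_rhs(vk, s_i, w), d, N)
        sigs.append((E_FID, s_i, w, psi))
    return sigs


def net_verify(vk, sig):
    """NetVer: Ver_phiN's range checks (u <= B, v <= B*, nothing negative) and the group equation."""
    e, s, w, psi = sig
    m = vk["m"]
    in_range = (all(0 <= u <= vk["B"] for u in w[:m])
                and all(0 <= v <= vk["Bstar"] for v in w[m:]))
    return e == E_FID and in_range and pow(psi, e, N) == equation_rhs(vk, s, w)


def combine(vk, sigs, coeffs):
    """Combine: drop out-of-range inputs, then w = sum a_i w_i, s = sum a_i s_i, psi = prod psi_i^{a_i}.
    No secret is needed: (prod psi_i^{a_i})^e = prod (psi_i^e)^{a_i} is the right-hand side for (s, w)."""
    m, q = vk["m"], Q_COEFF
    kept = [(a, sg) for a, sg in zip(coeffs, sigs)
            if all(0 <= u <= vk["B"] // (m * q) for u in sg[2][:m])
            and all(0 <= v <= vk["Bstar"] // (m * q) for v in sg[2][m:])]
    dim = len(kept[0][1][2])
    w = [sum(a * sg[2][k] for a, sg in kept) for k in range(dim)]
    s = sum(a * sg[1] for a, sg in kept)
    psi = 1
    for a, sg in kept:
        psi = psi * pow(sg[3], a, N) % N
    return E_FID, s, w, psi


def demo(seed=3):
    """Sign a constructed 2-vector file, combine with coefficients 3 and 4, and verify the results."""
    rng = random.Random(seed)
    vk, sk = net_keygen(rng, n=3, m=2)
    file_vectors = [(7, 2, 9), (1, 5, 4)]  # constructed file: m = 2 vectors, n = 3 entries, all <= M
    sigs = net_sign(sk, vk, file_vectors, rng)
    combined = combine(vk, sigs, [3, 4])
    e, s, w, psi = combined
    forged = (e, s + 1, w, psi)            # same combined vector and psi, wrong s
    return [net_verify(vk, sg) for sg in sigs], net_verify(vk, combined), w, net_verify(vk, forged)


if __name__ == "__main__":
    print(demo())   # ([True, True], True, [3, 4, 25, 26, 43], False)
```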
One can easily rewrite the proof of Corollary 1 to prove the following.
Theorem 2. If G is a family of adaptive pseudo-free groups w.r.t. distribution ϕN , then the
NetPFSig signature scheme described above is a secure (homomorphic) network coding signature.
6 The RSA group is adaptive pseudo-free
In Section 4 we have defined the notion of adaptive pseudo-free groups and in Section 5 we have
shown a class of parametric distributions (called ϕℓ ) that allows one to build signatures from the
sole assumption that a family of groups is adaptive pseudo-free w.r.t. ϕ̂ ∈ ϕℓ . At this stage, it is
therefore interesting to find a computational group candidate to be proved adaptive pseudo-free.
As proved by Micciancio in [18], the only group that we know to be pseudo-free is the RSA group
Z∗N of integers modulo N , where N is the product of two “safe” primes and the sampling procedure
takes elements from QRN . Therefore we aim to prove adaptive pseudo-freeness for the same group.
⁵ We implicitly assume that the $Ver_{\phi_N}$ verification algorithm rejects immediately if any of the u coordinates is
negative or larger than B, or if any of the v coordinates is negative or larger than $B^*$.
A parametric distribution ϕ̂. First of all we need to define the specific parametric distribution
for which we will prove adaptive pseudo-freeness of the RSA group.
Let us consider the following $\hat\phi : \mathcal{M} \to \mathbb{Z} \times \mathbb{Z}^m \times \{0,1\}^*$, where $\mathcal{M} = \{0,1\}^\ell$. For any input
M ∈ M, ϕ̂(M ) outputs a tuple (e, s, r) that is defined as follows:
– r is a random binary string
– e = H(r) where $H : \{0,1\}^* \to \{0,1\}^\ell$ is a division intractable function (see definition in Section
2)
– s1 = 1
– s2 is uniformly distributed in Ze
– For 3 ≤ i ≤ m, each si is taken with an arbitrary (but efficiently samplable) distribution Dsi in
Ze such that the tuple s3 , . . . , sm is binding to M⁶.
The verification algorithm V erϕ̂ (e, s, r, M ) checks that e = H(r) and that s3 , . . . , sm are binding
w.r.t. M . It is straightforward to verify that ϕ̂ is contained in the class ϕℓ defined in Section 5.1.
We state the following theorem.
Theorem 3. If the Strong-RSA Assumption holds, then Z∗N is adaptive pseudo-free w.r.t. ϕ̂.
Proof. For the sake of contradiction, we assume that Z∗N is not adaptive pseudo-free w.r.t. ϕ̂. According
to Definition 8, this means that there exists a PPT adversary A that with non-negligible
probability is able to output an equation λ∗ (defined by (e∗ , s∗)) together with a solution ψ ∗ such
that λ∗ is non-trivial w.r.t. the set Λ of previously queried equations. In order to prove the
theorem we will show that we can build an algorithm B out of A that breaks the Strong-RSA
Assumption (more precisely its variant where τ ∈ QRN ).
For i = 1 to t (where t is the number of queries made by A), let (ei , si , ri )←ϕ̂(Mi ).
If we consider $e^*$ and the set $\{e_1, \ldots, e_t\}$ we can distinguish two types of adversaries:
Type I the adversary outputs $e^*$ such that $e^* \nmid \prod_{i=1}^{t} e_i$,
Type II the adversary outputs $e^*$ such that $e^* \mid \prod_{i=1}^{t} e_i$.
At the beginning of the game we guess on the type of adversary we have and will set up the proper
simulation according to such guess. Notice that the guess will be right with probability at least 1/2.
Type I. In the case of a Type I adversary we show how to build a simulator B that breaks Strong-RSA with non-negligible probability. B takes as input (N, τ ) where N is the product of two safe
primes p, q (where p = 2p′ + 1 and q = 2q ′ + 1) and τ ∈ QRN . Its goal is to find an e-th root y of
τ for e of its choice.
In the following we describe the simulator B during the three phases of the game.
Setup B chooses in advance t random strings r1 , . . . , rt and computes ei = H(ri ) for all i = 1, . . . , t.
Then it fixes the assignment α for the constant symbols as follows:
– pick random $z_1, z_2, \ldots, z_m \xleftarrow{\$} \{1, \ldots, N^2\}$
– let $E = \prod_{i=1}^{t} e_i$ and set $\alpha(a_1) = \tau^{E z_1}$ and $\alpha(a_i) = \alpha(a_1)^{z_i}$ for all i = 2 to m.
⁶ This means that there exists an efficient algorithm that on input (M, s3 , . . . , sm ) outputs 1 if s3 , . . . , sm are created
w.r.t. M.
Finally B gives α (and the description of Z∗N ) to the adversary A.
For ease of exposition we will use ai instead of α(ai ) to refer to group elements. For all 2 ≤ i ≤ m
let zi = bi p′ q ′ + ci where 0 ≤ ci < p′ q ′ . Since each zi is chosen from a suitably large interval, the
distribution of each (zi mod p′ q ′ ) is statistically indistinguishable from the uniform distribution
over Zp′ q′ . So a1 , a2 , . . . , am are distributed like random quadratic residues of Z∗N . Moreover
the conditional distribution of bi given ci is statistically indistinguishable from the uniform
distribution over {0, . . . , ⌊N 2 /p′ q ′ ⌋}.
Equations queries At this stage A is allowed to adaptively query equations by submitting parameters $M^1, \ldots, M^t$ for ϕ̂. Therefore B has to solve such equations and give the corresponding solutions to A. For all i ∈ {1, . . . , t}, each query $M^i$ is managed as follows. B chooses the exponents
$s^{(i)}_2, \ldots, s^{(i)}_m \in \mathbb{Z}_{e_i}$ according to $\hat\phi(M^i)$. Then B computes the solution of $\lambda_i \equiv x^{e_i} = a_1 \cdot a_2^{s^{(i)}_2}\cdots a_m^{s^{(i)}_m}$
as follows:
– let $E_i = \prod_{j=1, j \ne i}^{t} e_j$
– $\psi_i(x) = (\tau^{E_i})^{z_1 + \sum_{j=2}^{m} s^{(i)}_j z_j}$
Finally B gives (ei , si , ri , ψi ) to A. It is easy to see that ψi is a valid solution for λi and that
the equations are distributed as in the real case.
Challenge Once the previous phase is over, A is supposed to output an equation λ∗ , for M ∗
(together with a solution ψ ∗ ) which is non-trivial w.r.t. $\Lambda = \{\lambda_i\}_{i=1}^{t}$. Since (e∗ , s∗, r∗ ) are
distributed according to ϕ̂(M ∗ ) we have:
$$\psi^*(x)^{e^*} = a_1 a_2^{s^*_2}\cdots a_m^{s^*_m} = \tau^{E(z_1 + \sum_{j=2}^{m} z_j s^*_j)}.$$
Let $E' = E(z_1 + \sum_{j=2}^{m} z_j s^*_j)$ and $d = \gcd(e^*, E')$. Provided that $e^* \nmid E'$, B can use standard
techniques (i.e. Shamir's trick) to extract an $(e^*/d)$-th root y of τ and thus it can output
$(e^*/d, y)$ to break Strong-RSA.
Therefore we are left with the task of showing that $e^* \nmid E'$ with non-negligible probability. Let r be
a prime dividing $e^*$. Since we are assuming a Type I adversary it holds $r \nmid E$. Thus the point is to
show that $r \nmid (z_1 + \sum_{j=2}^{m} z_j s^*_j)$ with non-negligible probability.
As pointed out before, let zi = bi p′ q ′ + ci . Since each bi is essentially hidden to the view of any
adversary, r may depend only on the ci ’s. Since $r \nmid p'q'$ the probability that $r \mid (z_1 + z_2 s^*_2 + \ldots + z_m s^*_m)$,
or equivalently $(z_1 + z_2 s^*_2 + \ldots + z_m s^*_m) = 0 \bmod r$, is close to 1/r. This means that $e^* \nmid E'$ with
probability close to 1 − 1/r, for the smallest prime factor r of $e^*$.
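The root-extraction step (Shamir's trick) used here, and again at the end of the Type II case, as an added example in Python that is not part of the paper: given the relation ψ^{e*} = τ^{E'} with e* ∤ E', Bézout coefficients for e*/d and E'/d give an (e*/d)-th root of τ without knowing ord(G). The toy group, the helper that builds the relation from ord(QR_N) and the sample exponents are constructed for this example.

```python
from math import gcd

# Constructed toy RSA group as in the theorem's setting: N = pq with safe primes, tau in QR_N.
# ord(QR_N) = p'q' is known only to the helper that builds the test instance, never to shamir_root.
P_PRIME, Q_PRIME = 23, 29
N = (2 * P_PRIME + 1) * (2 * Q_PRIME + 1)  # 2773
ORD_QR = P_PRIME * Q_PRIME                 # 667


def ext_gcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = ext_gcd(b, a % b)
    return g, y, x - (a // b) * y


def shamir_root(tau, y, e, e_prime, n):
    """Given y^e = tau^E' in QR_n with e not dividing E', return (e/d, w) with w^(e/d) = tau, d = gcd(e, E').
    Cancelling d on both sides assumes the d-th power map is a bijection on QR_n (gcd(d, ord(QR_n)) = 1),
    which holds in the paper's setting where e is an odd prime and hence d = 1."""
    d = gcd(e, e_prime)
    if d == e:
        raise ValueError("e divides E': no root of tau can be extracted this way")
    e1, big_e1 = e // d, e_prime // d       # now gcd(e1, E'/d) = 1 and y^e1 = tau^(E'/d)
    g, a, b = ext_gcd(e1, big_e1)           # a*e1 + b*(E'/d) = 1
    assert g == 1
    # tau = tau^(a*e1 + b*E1) = (tau^a)^e1 * (tau^E1)^b = (tau^a)^e1 * (y^e1)^b = (tau^a * y^b)^e1
    w = pow(tau, a, n) * pow(y, b, n) % n   # Python resolves negative exponents via modular inverses
    return e1, w


def make_instance(tau, e, e_prime):
    """Build y with y^e = tau^E' using ord(QR_N): this stands in for what the simulator obtains from
    the adversary's solution (psi*)^e* = tau^E'. Requires gcd(e, ord(QR_N)) = 1."""
    return pow(tau, e_prime * pow(e, -1, ORD_QR), N)


def demo():
    """Run the extraction for a prime e (d = 1) and for a composite e sharing a factor with E' (d = 5)."""
    tau = pow(1234, 2, N)                   # constructed element of QR_N
    results = []
    for e, e_prime in ((3001, 12345), (15, 35)):
        y = make_instance(tau, e, e_prime)
        k, w = shamir_root(tau, y, e, e_prime, N)
        results.append((k, pow(w, k, N) == tau))
    return results


if __name__ == "__main__":
    print(demo())   # [(3001, True), (3, True)]
```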
Type II. The case of a Type II adversary is a bit more complicated. Since $e^* \mid \prod_{i=1}^{t} e_i$ we can
have two cases:
1. $r^* \ne r_i$ for all $i = 1, \ldots, t$. In this case it is easy to see that our assumption on ϕ̂ is not satisfied as we
would be able to break the division intractability of the function H. Indeed we have $(r_1, \ldots, r_t)$
and $r^* \ne r_i$ for all $i = 1, \ldots, t$ such that $H(r^*) = e^* \mid \prod_{i=1}^{t} e_i$ (where $e_i = H(r_i)$).
2. $r^* = r_j$ for some j ∈ {1, . . . , t} (i.e. $e^* = e_j$). The simulation for this case is described below.
Precisely we will show how to build an algorithm B that breaks Strong-RSA with non-negligible
probability.
Before giving the details of the simulation we first give some intuitions that will be useful to
understand our approach.
Let $\{(e_i, s^{(i)})\}_{i=1}^{t}$ be the exponents of the t queried equations and $(e^*, s^*)$ be the ones of λ∗ . Since
λ∗ is non-trivial we have that $\forall k \in \mathbb{Z}^t$ and $\forall V \in \mathbb{Z}^m$:
$$e^*\left(\begin{bmatrix} 1 & 1 & \cdots & 1 \\ s^{(1)}_2 & s^{(2)}_2 & \cdots & s^{(t)}_2 \\ \vdots & \vdots & & \vdots \\ s^{(1)}_m & s^{(2)}_m & \cdots & s^{(t)}_m \end{bmatrix}
\begin{bmatrix} k_1/e_1 \\ k_2/e_2 \\ \vdots \\ k_t/e_t \end{bmatrix}
+ \begin{bmatrix} V_1 \\ V_2 \\ \vdots \\ V_m \end{bmatrix}\right)
\ne \begin{bmatrix} 1 \\ s^*_2 \\ \vdots \\ s^*_m \end{bmatrix}.$$
Namely, at least one of the following m inequalities must hold:
1. $e^*(k_1 e_2 \cdots e_t + \ldots + e_1 e_2 \cdots e_{t-1} k_t) \ne (1 - V_1 e^*)(e_1 \cdots e_t)$
2. $e^*(s^{(1)}_2 k_1 e_2 \cdots e_t + \ldots + s^{(t)}_2 k_t e_1 e_2 \cdots e_{t-1}) \ne (s^*_2 - V_2 e^*)(e_1 \cdots e_t)$
$\vdots$
m. $e^*(s^{(1)}_m k_1 e_2 \cdots e_t + \ldots + e_1 e_2 \cdots e_{t-1} s^{(t)}_m k_t) \ne (s^*_m - V_m e^*)(e_1 \cdots e_t)$
Since the fact above holds for all integer vectors $k \in \mathbb{Z}^t$ and $V \in \mathbb{Z}^m$, then it must hold even
for $\hat k$ and $\hat V$ such that: $\hat k_j = 1$, $\hat k_i = 0$ for all $i \ne j$ and $\hat V = 0^m$.
In particular, for such choices of k and V , w.l.o.g. we assume that the ν-th inequality holds. Since
we are in the case that $e^* = e_j$, observe that the first equation is always satisfied for such $\hat k$ and $\hat V$.
Thus it must hold $s^{(j)}_\nu \ne s^*_\nu$ for some ν ∈ {2, . . . , m}.
B can guess j and ν with non-negligible probability 1/(t(m − 1)) by picking them at random in
{1, . . . , t} and {2, . . . , m} respectively. Then it performs the following simulation.
Setup B chooses r1 , . . . , rt and computes ei = H(ri ) for all i = 1, . . . , t. Then B picks random $u_1, \ldots, u_m \xleftarrow{\$} QR_N$,
$z_\nu, \beta \xleftarrow{\$} \{1, \ldots, N^2\}$ and fixes the assignment for the constant symbols
as follows:
$$\alpha(a_2) = \tau^{\prod_{i=1, i \ne j}^{t} e_i}, \quad \alpha(a_\nu) = \alpha(a_2)^{z_\nu}, \quad \alpha(a_1) = \alpha(a_2)^{-\beta}\, u_1^{\prod_{i=1}^{t} e_i} \quad\text{and}\quad \alpha(a_i) = u_i^{\prod_{l=1}^{t} e_l} \text{ for } i = 3 \text{ to } m \text{ and } i \ne \nu.$$
Finally it gives α and the description of the group Z∗N to A.
For ease of exposition, in the following we will use ai instead of α(ai ) to refer to group elements.
Solving equations In this phase B is adaptively asked by A to solve at most t equations with
parameters $M^1, \ldots, M^t$ respectively. For each parameter $M^i$, B chooses $s^{(i)}_2, \ldots, s^{(i)}_m$ according to
$\hat\phi(M^i)$. For all $i \in \{1, \ldots, t\} \setminus \{j\}$ B solves $\lambda_i \equiv x^{e_i} = a_1 a_2^{s^{(i)}_2}\cdots a_m^{s^{(i)}_m}$ by computing
$$\psi_i(x) = \Big(\tau^{\prod_{l \ne i, j} e_l}\Big)^{s^{(i)}_2 + z_\nu s^{(i)}_\nu - \beta} \prod_{h=1, h \ne 2, \nu}^{m} u_h^{s^{(i)}_h \prod_{l \ne i} e_l}.$$
It is easy to observe that ψi is a valid solution for λi .
In order to solve the j-th equation B uses a different approach. Let $M^j$ be the queried parameter
and $s^{(j)}_3, \ldots, s^{(j)}_m$ be chosen according to $M^j$. B sets $s^{(j)}_2 = \beta - z_\nu s^{(j)}_\nu \bmod e_j$ and finds ω such that
$\beta - z_\nu s^{(j)}_\nu = s^{(j)}_2 + \omega e_j$. It then computes:
$$\psi_j(x) = \tau^{-\omega \prod_{l \ne j} e_l} \prod_{i=1, i \ne 2, \nu}^{m} u_i^{s^{(j)}_i \prod_{l \ne j} e_l} = \sqrt[e_j]{a_1 a_2^{s^{(j)}_2}\cdots a_m^{s^{(j)}_m}}.$$
After having solved each equation, the simulator hands (ei , si , ri , ψi ) to A.
Challenge In this phase A is supposed to output a non-trivial equation λ∗ (defined by (e∗ , s∗)),
together with a solution ψ ∗ . If it is the case we show that B can extract a root of τ as follows.
Let
$$\left(\frac{\psi^*(x)}{\psi_j(x)}\right)^{e^*} = a_2^{(s^*_2 - s^{(j)}_2) + z_\nu (s^*_\nu - s^{(j)}_\nu)} \prod_{i=3, i \ne \nu}^{m} a_i^{(s^*_i - s^{(j)}_i)} = \Big(\tau^{\prod_{l \ne j} e_l}\Big)^{(s^*_2 - s^{(j)}_2) + z_\nu (s^*_\nu - s^{(j)}_\nu)} \prod_{i=3, i \ne \nu}^{m} u_i^{(s^*_i - s^{(j)}_i)(\prod_{l \ne j} e_l)\, e_j}.$$
Since $e^* = e_j$ we obtain:
$$\left(\frac{\psi^*(x)}{\psi_j(x)} \prod_{i=3, i \ne \nu}^{m} u_i^{(s^{(j)}_i - s^*_i)\prod_{l \ne j} e_l}\right)^{e^*} = \Big(\tau^{\prod_{l \ne j} e_l}\Big)^{(s^*_2 - s^{(j)}_2) + z_\nu (s^*_\nu - s^{(j)}_\nu)}.$$
Let $E' = (\prod_{l \ne j} e_l)(s^*_2 - s^{(j)}_2 + z_\nu(s^*_\nu - s^{(j)}_\nu))$. In order to extract a root of τ we have to show that
$e^* \nmid E'$ with non-negligible probability. Observe that $e^* \nmid \prod_{l \ne j} e_l$ and that $z_\nu = bp'q' + c$ where
b is information-theoretically hidden to any adversary. Since $s^*_\nu - s^{(j)}_\nu \ne 0$ (by our guess) and
$s^*_2, s^{(j)}_2 \in \mathbb{Z}_{e^*}$, we have that $e^* \mid (s^*_2 - s^{(j)}_2) + z_\nu(s^*_\nu - s^{(j)}_\nu)$ only with negligible probability. Thus
B can use standard techniques (i.e. Shamir's trick) to extract an $(e^*/d)$-th root y of τ where
$d = \gcd(e^*, E')$.
⊓⊔
As a corollary of the above theorem we can prove adaptive pseudo-freeness of the RSA group
w.r.t. two new parametric distributions $\hat\phi_s, \hat\phi_{ch} \ne \hat\phi$ which still are within the class ϕℓ defined in
Section 5.1. In particular $\hat\phi_s$ is a variant of ϕ̂ where: s2 = 0 and for all i = 3 to m, si ∈ {0, . . . , p}
such that p is at most polynomial in the security parameter (and of course p < e).
Corollary 2. If the Strong-RSA Assumption holds, then Z∗N is adaptive pseudo-free w.r.t. ϕˆs .
The proof follows from that of Theorem 3. The intuition here is that when the si ’s are small they
can be guessed in advance with non-negligible probability.
Instead ϕˆch is a variant of ϕ̂ where: s2 = 0 and s3 , . . . , sm ∈ Ze are obtained as output of a
chameleon hash function CH(M ; R) computed on the parameter M and with randomness R.
Corollary 3. If the Strong-RSA Assumption holds, and CH is a chameleon hash function, then
Z∗N is adaptive pseudo-free w.r.t. ϕˆch .
The proof is the same as in Corollary 2. The intuition here is that one can use the chameleon
property of CH in the simulation to “prepare” the si ’s in advance.
Weak adaptive pseudo-freeness of the RSA group. One may also consider a weaker notion
of adaptive pseudo-freeness where the adversary is forced to choose the parameters M 1 , . . . , M t of
its queries at the beginning of the game, i.e. before receiving the description of the group from the
challenger.
If we consider such a notion, then we notice that our proof of Theorem 3 still holds even w.r.t. a
slightly more general distribution than ϕ̂ where the entire tuple (e, s2 , . . . , sm ) needs to be bound
to M . To see this, observe that all ri ’s can be still computed at the beginning of the game as the
simulator now knows M1 , . . . , Mt in advance.
It is trivial to see that starting from a weak-adaptive pseudo-free group our results of Section
5.1 lead to the construction of signature schemes that are weakly-secure (see Definition 4).
7 A framework for Strong RSA-based Signatures
In this section we show that, in light of the results of Theorems 1 and 3, and by appropriately
instantiating the parametric distribution ϕ̂, we get all the known constructions of Strong RSA-based digital signatures in the standard model (to the best of our knowledge).
Cramer-Shoup Signatures. The Cramer-Shoup [10] signature scheme works as follows:
Key Generation Generate N as the product of two safe primes p and q. Also randomly choose
two quadratic residues a1 , a3 ∈ QRN and an (ℓ + 1)-bit prime e′ . The public key is (N, a1 , a3 , e′ )
and the private key is (p, q).
Sign To sign m, compute the ℓ-bit hash value H(m) with a collision-resistant hash function H and
then compute $c = y^{e'} a_3^{H(m)}$ for a random y ∈ QRN . Next pick a random (ℓ + 1)-bit prime e ≠ e′
and solve (for x) the following equation $x^e = a_1 a_3^{H(c)} \bmod N$. The signature is (y, e, x).
Verification Check that the two equations above hold and that e is an (ℓ + 1)-bit (odd) integer
different from e′ .
While the signature above may look as if it were based on a system of two equations, we observe that
only for the second equation the signing process is required to find a solution (using the secret
key) while the first equation (i.e. $c = y^{e'} a_3^{H(m)}$) is, de facto, a chameleon hash function computed
on the message m and randomness y. In particular it is a chameleon hash based on the RSA
assumption which, for efficiency, is implemented by sharing some parameters with the signature
scheme. Therefore we can see Cramer-Shoup’s scheme as a special case of our general framework
when considering the following distribution.
ϕCS Choose r at random and set e = H ′ (r) (where H ′ : {0, 1}∗ → {0, 1}ℓ+1 is a function that maps
into primes of length ℓ + 1).
Let c = CH(m; y) (CH is a chameleon hash function) and set s1 = 1 and s3 = H(c) (H is a
collision resistant hash function). All the remaining si ’s are set to 0.
It is easy to check that ϕCS is a special instantiation of ϕˆch , and so the security of the scheme is
implied by Corollary 3.
Fischlin Signatures. Fischlin’s [12] signature scheme can be seen as a simplification of the Cramer-Shoup signature. The scheme works as follows:
Key Generation Generate N as the product of two safe primes p and q. Also randomly choose
three quadratic residues a1 , a2 , a3 ∈ QRN . The public key is (N, a1 , a2 , a3 ) and the private key
is (p, q).
Sign To sign m compute the ℓ-bit hash value H(m) with a collision-resistant hash function H. Next
output a random (ℓ + 1)-bit prime e, a random ℓ-bit integer α and solve (for x) the following
equation $x^e = a_1 a_2^{\alpha} a_3^{\alpha \oplus H(m)} \bmod N$. The signature is (e, x, α).
Verification Check that the equation above holds, that e is an (ℓ + 1)-bit (odd) integer and that α
is an ℓ-bit value.
The signature above can be seen as a special case of our general framework when considering the
following distribution.
ϕFis Choose r at random and set e = H ′ (r) (where H ′ : {0, 1}∗ → {0, 1}ℓ+1 is a function that maps
into primes of length ℓ + 1).
Let α ∈R {0, 1}ℓ and set s1 = 1, s2 = α and s3 = α ⊕ H(m) (H is a collision resistant hash
function). All the remaining si ’s are set to 0.
It is easy to check that ϕFis is a special instantiation of ϕ̂.
Camenisch-Lysyanskaya Signatures. The scheme by Camenisch and Lysyanskaya [8] works as follows:
Key Generation Generate N as the product of two safe primes p and q. Also randomly choose
three quadratic residues a1 , a2 , a3 ∈ QRN . The public key is (N, a1 , a2 , a3 ) and the private key
is (p, q).
Sign To sign m of length ℓm output a random (ℓm + 2)-bit prime e, a random integer s of
length ℓs = |N | + ℓm + ℓ where ℓ is a security parameter, and solve (for x) the following equation
$x^e = a_1 a_2^{s} a_3^{m} \bmod N$. The signature is (e, x, s).
Verification Check that the equation above holds and that e and s are of appropriate length.
The signature above can be seen as a special case of our general framework when considering the
following distribution ϕCL (which is a special instantiation of ϕ̂′ ) and Corollary 1.
ϕCL Choose r at random and set e = H'(r) (where H' : {0,1}* → {0,1}^{ℓ+1} is a function that maps into primes of length ℓ+1). Let s ∈_R Z_B, where B > e is some bound of size at most ℓ_s, and set s_1 = 1, s_2 = s and s_3 = m. All the remaining s_i's are set to 0.
Zhu's Signatures. Zhu proposed in [22] a variation of the Cramer-Shoup signature scheme; its original proof of security was found to be incorrect and was later fixed in [23]. The scheme is essentially the same as the Camenisch-Lysyanskaya scheme described above, except that s is a random ℓ-bit string.
We can show that Zhu's scheme is a special case of our general framework when considering the following distribution.
ϕZhu Choose r at random and set e = H(r) (where H : {0,1}* → {0,1}^{ℓ+1} is a function that maps into primes of length ℓ+1). Let s ←$ Z_e (i.e. s is chosen uniformly at random from Z_e) and set s_1 = 1, s_2 = s and s_3 = m. All the remaining s_i's are set to 0.
Again, it is easy to check that ϕZhu is a special instantiation of ϕ̂.
Hofheinz-Kiltz Signatures. Hofheinz and Kiltz show in [15] how to use programmable hash
functions to get a new efficient signature scheme based on Strong RSA. The description follows.
Key Generation Generate N as the product of two safe primes p and q. Also randomly choose
ℓ + 1 quadratic residues a0 , a1 , . . . , aℓ ∈ QRN . The message space is {0, 1}ℓ . The public key is
(N, a0 , a1 , . . . aℓ ) and the private key is (p, q).
Sign To sign M compute the ℓ-bit string m = m_1 ··· m_ℓ = H(M) with an appropriate collision resistant hash function H. Next choose a random ℓ-bit prime e and solve (for x) the following equation:
\[
x^e \;=\; a_0 \prod_{i=1}^{\ell} a_i^{m_i} \bmod N .
\]
The signature is (e, x).
Verification Check that the equation above holds and that e is an ℓ-bit (odd) integer.
Its security follows from Corollary 2.
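The Fischlin and Hofheinz-Kiltz schemes above (and, with different exponent vectors, the Cramer-Shoup, Camenisch-Lysyanskaya and Zhu schemes) share one signer-side step: solve x^e = ∏ a_i^{s_i} mod N, which only the holder of the factorization of N can do, by computing e^{-1} mod φ(N). The following toy Python program is an added example, not code from the paper or from any of the cited works: it instantiates both schemes over that shared step, and also shows why the verifier must insist that e is an (ℓ+1)-bit (resp. ℓ-bit) odd integer, since with e = 1 anyone can produce x satisfying the verification equation from the public key alone. Assumptions not in the text: truncated SHA-256 plays the role of the collision-resistant hash H, primality is tested by trial division, and the parameter sizes (24-bit safe primes, ℓ = 16) are constructed toy values that give no security; the check_e flag on fischlin_verify exists only to demonstrate the forgery.

```python
"""Toy instantiation of the Fischlin and Hofheinz-Kiltz strong-RSA signatures above (added
example, not the paper's code); 24-bit safe primes and a 16-bit hash give no security."""
import hashlib
import math
import random

def is_prime(n):
    return n >= 2 and all(n % d for d in range(2, math.isqrt(n) + 1))  # trial division, toy sizes only

def safe_prime(bits, rng):
    """p = 2p' + 1 with p' prime, exactly `bits` bits long."""
    while True:
        pp = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_prime(pp) and is_prime(2 * pp + 1):
            return 2 * pp + 1

def random_prime(bits, rng):
    """A prime of exactly `bits` bits: the signer's fresh exponent e."""
    while True:
        e = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(e):
            return e

def hash_to_bits(data, ell):
    """Collision-resistant hash H truncated to ell bits (ell <= 256)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - ell)

def keygen(bits, n_gens, rng):
    """N = pq with p, q distinct safe primes, plus n_gens random quadratic residues."""
    p, q = safe_prime(bits, rng), safe_prime(bits, rng)
    while q == p:
        q = safe_prime(bits, rng)
    N = p * q
    return (N, [pow(rng.randrange(2, N - 1), 2, N) for _ in range(n_gens)]), (p, q)

def solve_root(sk, N, gens, exps, e):
    """Signer's step shared by all the schemes: x with x^e = prod a_i^{s_i} mod N.
    It needs (p, q) to compute e^{-1} mod phi(N); that inverse is the whole trapdoor."""
    p, q = sk
    phi = (p - 1) * (q - 1)
    assert math.gcd(e, phi) == 1, "e must be invertible modulo phi(N)"
    rhs = 1
    for a, s in zip(gens, exps):
        rhs = rhs * pow(a, s, N) % N
    return pow(rhs, pow(e, -1, phi), N)

def fischlin_sign(pk, sk, m, ell, rng):
    N, (a1, a2, a3) = pk
    e, alpha = random_prime(ell + 1, rng), rng.getrandbits(ell)
    x = solve_root(sk, N, [a1, a2, a3], [1, alpha, alpha ^ hash_to_bits(m, ell)], e)
    return e, x, alpha

def fischlin_verify(pk, m, sig, ell, check_e=True):
    """check_e=False drops the test that e is an (ell+1)-bit odd integer, only to show why it exists."""
    N, (a1, a2, a3) = pk
    e, x, alpha = sig
    if (check_e and (e.bit_length() != ell + 1 or e % 2 == 0)) or not (0 <= alpha < 1 << ell and 0 < x < N):
        return False
    rhs = a1 * pow(a2, alpha, N) % N * pow(a3, alpha ^ hash_to_bits(m, ell), N) % N
    return pow(x, e, N) == rhs

def forge_with_e_one(pk, m, ell):
    """Public-key-only forgery attempt: with e = 1 and alpha = 0, x = RHS satisfies x^e = RHS."""
    N, (a1, a2, a3) = pk
    return 1, a1 * pow(a3, hash_to_bits(m, ell), N) % N, 0

def message_bits(M, ell):
    m = hash_to_bits(M, ell)
    return [(m >> (ell - 1 - i)) & 1 for i in range(ell)]  # m_1 ... m_ell, most significant first

def hk_sign(pk, sk, M, ell, rng):
    N, gens = pk  # a_0, a_1, ..., a_ell
    e = random_prime(ell, rng)
    return e, solve_root(sk, N, gens, [1] + message_bits(M, ell), e)

def hk_verify(pk, M, sig, ell):
    (N, gens), (e, x) = pk, sig
    if e.bit_length() != ell or e % 2 == 0 or not 0 < x < N:
        return False
    rhs = gens[0]
    for a, bit in zip(gens[1:], message_bits(M, ell)):
        rhs = rhs * a % N if bit else rhs
    return pow(x, e, N) == rhs

def demo(seed=7, bits=24, ell=16):
    rng = random.Random(seed)  # seeded for reproducibility; real keys need secrets.SystemRandom()
    msg = b"constructed sample message"
    pk, sk = keygen(bits, 3, rng)
    e, x, alpha = sig = fischlin_sign(pk, sk, msg, ell, rng)
    forged = forge_with_e_one(pk, msg, ell)
    pk2, sk2 = keygen(bits, ell + 1, rng)
    sig2 = hk_sign(pk2, sk2, msg, ell, rng)
    return {
        "fischlin_ok": fischlin_verify(pk, msg, sig, ell),
        "fischlin_tampered": fischlin_verify(pk, msg, (e, x + 1, alpha), ell),
        "e1_rejected": not fischlin_verify(pk, msg, forged, ell),
        "e1_accepted_if_unchecked": fischlin_verify(pk, msg, forged, ell, check_e=False),
        "hk_ok": hk_verify(pk2, msg, sig2, ell),
    }
```

Running demo() returns a dictionary in which the honest Fischlin and Hofheinz-Kiltz signatures verify, a signature with x replaced by x + 1 is rejected (the e-th power map is a bijection on Z_N^* once gcd(e, φ(N)) = 1, so no other x satisfies the equation), and the e = 1 forgery is rejected only by the length check on e: the same tuple is accepted when that check is switched off. The length bound on e is therefore not a formality; together with the bound on α (or on s in the Camenisch-Lysyanskaya and Zhu variants) it is what ties a signature to the exponents the security reduction reasons about.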
Gennaro-Halevi-Rabin Signatures. The signature scheme presented in [13] comes in two flavors: a basic (weakly secure) scheme, and a fully secure (slightly less efficient) one that requires chameleon hash functions [17]. Here we discuss only the first version of the scheme.
Key Generation Generate N as the product of two safe primes p and q (see footnote 7). Also randomly choose a quadratic residue a_1 ∈ QR_N. The public key is (N, a_1) and the private key is (p, q).
Sign To sign m (of arbitrary length) compute the ℓ-bit hash value e = H(m) with a division intractable hash function H and solve (for x) the equation
\[
x^e \;=\; a_1 \bmod N .
\]
The signature is (e, x).
Verification Check that e = H(m) and that the equation above holds.
The scheme above fits our framework for weakly secure signature schemes (see Section 6) when using the following distribution:
ϕGHR Choose r = m and set e = H(m) (where H : {0,1}* → {0,1}^{ℓ+1} is a division intractable hash function that maps into integers of length ℓ+1). Set s_1 = 1. All the remaining s_i's are set to 0.
7.1 A new network signature from Strong RSA
Combining the results of Theorem 3 and Theorem 2, we obtain a concrete instantiation of the network coding signature scheme given in Section 5.2 whose security is thus based on Strong RSA in the standard model. We notice that our scheme is not as efficient as the one proposed by Gennaro et al. in [14], but it is secure in the standard model.
8 Conclusion
In this paper we have introduced a formal definition of adaptive pseudo-freeness. We have shown that, under reasonable conditions, the RSA group is adaptive pseudo-free for moduli that are products of safe primes, and we have exhibited the first direct cryptographic applications of adaptive pseudo-free groups: under some mild conditions, adaptive pseudo-free groups yield secure digital signature schemes. We have shown that all the strong-RSA-based signatures in the literature (to the best of our knowledge) can be seen as instantiations of our framework, and furthermore that our methodology yields a new network coding signature scheme in the standard model.
There are several interesting problems that we have not addressed; we enumerate some of them here. The first, originally posed by Rivest, is which other groups used in cryptography are pseudo-free: a new pseudo-free group would, via our framework, immediately lead to new signature schemes. Our results for RSA cover only univariate equations. It would be interesting either to justify this restriction through an analogue of Lemma 1 or, if this is not possible, to extend our study to multivariate equations. A one-more RSA inversion problem, where the adversary needs to compute the e-th root of n + 1 random group elements with access to only n RSA inversion queries, has a strong flavor of adaptive pseudo-freeness. The lack of any known relation between the strong RSA problem and the one-more RSA inversion problem thus indicates that proving general adaptive pseudo-freeness of the RSA group is difficult. Nevertheless, studying the relation between these two problems within our framework seems to be an interesting direction. Finally, we managed to prove pseudo-freeness for a large class of parametric distributions sufficient for cryptographic applications. It would be interesting to understand how far one can go with the limitations that we impose on the adversary, by trying to enlarge this class.
Footnote 7 (to the key generation of the Gennaro-Halevi-Rabin scheme above): In [13] this assumption is relaxed to consider safe primes or quasi-safe primes.
References
1. Martín Abadi and Phillip Rogaway. Reconciling two views of cryptography (the computational soundness of formal encryption). Journal of Cryptology, 20(3):395, July 2007.
2. R. Ahlswede, Ning Cai, S.-Y. R. Li, and R. W. Yeung. Network information flow. IEEE Transactions on Information Theory, 46(4):1204–1216, 2000.
3. Michael Backes, Birgit Pfitzmann, and Michael Waidner. A composable cryptographic library with nested operations. In Sushil Jajodia, Vijayalakshmi Atluri, and Trent Jaeger, editors, ACM CCS 03, pages 220–230, Washington D.C., USA, October 27–30, 2003. ACM Press.
4. Niko Barić and Birgit Pfitzmann. Collision-free accumulators and fail-stop signature schemes without trees. In Walter Fumy, editor, EUROCRYPT'97, volume 1233 of LNCS, pages 480–494, Konstanz, Germany, May 11–15, 1997. Springer, Berlin, Germany.
5. Mihir Bellare and Phillip Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In V. Ashby, editor, ACM CCS 93, pages 62–73, Fairfax, Virginia, USA, November 3–5, 1993. ACM Press.
6. Dan Boneh, David Freeman, Jonathan Katz, and Brent Waters. Signing a linear subspace: Signature schemes for network coding. In Stanislaw Jarecki and Gene Tsudik, editors, PKC 2009, volume 5443 of LNCS, pages 68–87, Irvine, CA, USA, March 18–20, 2009. Springer, Berlin, Germany.
7. Christian Cachin, Silvio Micali, and Markus Stadler. Computationally private information retrieval with polylogarithmic communication. In Jacques Stern, editor, EUROCRYPT'99, volume 1592 of LNCS, pages 402–414, Prague, Czech Republic, May 2–6, 1999. Springer, Berlin, Germany.
8. Jan Camenisch and Anna Lysyanskaya. A signature scheme with efficient protocols. In Stelvio Cimato, Clemente Galdi, and Giuseppe Persiano, editors, SCN 02, volume 2576 of LNCS, pages 268–289, Amalfi, Italy, September 12–13, 2002. Springer, Berlin, Germany.
9. Ran Canetti. Universally composable security: A new paradigm for cryptographic protocols. In 42nd FOCS, pages 136–145, Las Vegas, Nevada, USA, October 14–17, 2001. IEEE Computer Society Press.
10. Ronald Cramer and Victor Shoup. Signature schemes based on the strong RSA assumption. In ACM CCS 99, pages 46–51, Kent Ridge Digital Labs, Singapore, November 1–4, 1999. ACM Press.
11. D. Dolev and A. C. Yao. On the security of public key protocols. In Proceedings of the 22nd Annual Symposium on Foundations of Computer Science, pages 350–357, 1981.
12. Marc Fischlin. The Cramer-Shoup strong-RSA signature scheme revisited. In Yvo Desmedt, editor, PKC 2003, volume 2567 of LNCS, pages 116–129, Miami, USA, January 6–8, 2003. Springer, Berlin, Germany.
13. Rosario Gennaro, Shai Halevi, and Tal Rabin. Secure hash-and-sign signatures without the random oracle. In Jacques Stern, editor, EUROCRYPT'99, volume 1592 of LNCS, pages 123–139, Prague, Czech Republic, May 2–6, 1999. Springer, Berlin, Germany.
14. Rosario Gennaro, Jonathan Katz, Hugo Krawczyk, and Tal Rabin. Secure network coding over the integers. In Phong Q. Nguyen and David Pointcheval, editors, PKC 2010, volume 6056 of LNCS, pages 142–160. Springer, Berlin, Germany, 2010.
15. Dennis Hofheinz and Eike Kiltz. Programmable hash functions and their applications. In David Wagner, editor, CRYPTO 2008, volume 5157 of LNCS, pages 21–38, Santa Barbara, CA, USA, August 17–21, 2008. Springer, Berlin, Germany.
16. Susan Hohenberger. The cryptographic impact of groups with infeasible inversion. Master's thesis, Massachusetts Institute of Technology, EECS Dept., 2003.
17. Hugo Krawczyk and Tal Rabin. Chameleon signatures. In NDSS 2000, San Diego, California, USA, February 2–4, 2000. The Internet Society.
18. Daniele Micciancio. The RSA group is pseudo-free. In Ronald Cramer, editor, EUROCRYPT 2005, volume 3494 of LNCS, pages 387–403, Aarhus, Denmark, May 22–26, 2005. Springer, Berlin, Germany.
19. Daniele Micciancio and Bogdan Warinschi. Soundness of formal encryption in the presence of active adversaries. In Moni Naor, editor, TCC 2004, volume 2951 of LNCS, pages 133–151, Cambridge, MA, USA, February 19–21, 2004. Springer, Berlin, Germany.
20. Ronald L. Rivest. On the notion of pseudo-free groups. In Moni Naor, editor, TCC 2004, volume 2951 of LNCS, pages 505–521, Cambridge, MA, USA, February 19–21, 2004. Springer, Berlin, Germany.
21. Shuo-Yen Robert Li, Raymond W. Yeung, and Ning Cai. Linear network coding. IEEE Transactions on Information Theory, 49(2):371–381, 2003.
22. Huafei Zhu. New digital signature scheme attaining immunity to adaptive chosen-message attack. Chinese Journal of Electronics, 10(4):484–486, October 2001.
23. Huafei Zhu. A formal proof of Zhu's signature scheme. Cryptology ePrint Archive, Report 2003/155, 2003. http://eprint.iacr.org/.
A Non-trivial multivariate equations
Here we obtain an explicit description of trivial multivariate equations. Let
\[
\Lambda \;=\; \Big\{\, x_1^{e_1^k} x_2^{e_2^k} \cdots x_n^{e_n^k} \;=\; a_1^{s_1^k} a_2^{s_2^k} \cdots a_m^{s_m^k} \,\Big\}_{k = 1, \dots, t}
\]
be a set of multivariate equations over $\mathcal{F}$, and let $\{\phi_{1,k}, \phi_{2,k}, \dots, \phi_{n,k} \mid k = 1, \dots, t\}$ be solutions for these equations ($\phi_{j,k}$ is the value of $x_j$ in the solution of the $k$-th equation).
As for the case of univariate equations, we interpret these equations together with their solutions as relations between words in the free group generated by
\[
\{\phi_{1,k}, \phi_{2,k}, \dots, \phi_{n,k} \mid k = 1, \dots, t\} \;\cup\; \{a_1, a_2, \dots, a_m\}.
\]
Then an equation $x_1^{e_1^*} x_2^{e_2^*} \cdots x_n^{e_n^*} = a_1^{s_1^*} a_2^{s_2^*} \cdots a_m^{s_m^*}$ is trivial if it has a solution over $\mathcal{F}/\!\equiv_\Lambda$. Assume that
\[
\phi_i^* \;=\; \prod_{j=1}^{m} a_j^{v_j^i} \cdot \prod_{j=1}^{n} \prod_{l=1}^{t} \phi_{j,l}^{k_{l,j}^i} \qquad (1 \le i \le n)
\]
is a solution for the equation, for some integers $v_j^i$ ($1 \le j \le m$) and $k_{l,j}^i$ ($1 \le l \le t$, $1 \le j \le n$). Using the explicit characterization of $\equiv_\Lambda$ we obtain that there exist $l_1, l_2, \dots, l_t \in \mathbb{Q}$ such that
\[
\prod_{i=1}^{n} \big(\phi_i^*\big)^{e_i^*} \;=\; a_1^{s_1^*} a_2^{s_2^*} \cdots a_m^{s_m^*} \cdot \prod_{u=1}^{t} \Big( \prod_{j=1}^{n} \phi_{j,u}^{e_j^u} \prod_{j=1}^{m} a_j^{-s_j^u} \Big)^{l_u},
\]
where each bracketed word is the relation contributed by the $u$-th equation of $\Lambda$ together with its solution, and hence equals the identity modulo $\equiv_\Lambda$. By replacing the expressions for $\phi_i^*$ in the above relation and matching the exponents of the different symbols, we obtain that the equation $x_1^{e_1^*} x_2^{e_2^*} \cdots x_n^{e_n^*} = a_1^{s_1^*} a_2^{s_2^*} \cdots a_m^{s_m^*}$ is trivial with respect to $\Lambda$ if there exist integers $v_j^i$ (with $1 \le i \le n$, $1 \le j \le m$) and $k_{l,j}^i$ (with $1 \le i \le n$, $1 \le l \le t$, $1 \le j \le n$) and rationals $l_1, l_2, \dots, l_t$ such that:
– for all $1 \le u \le t$ and $1 \le j \le n$,
\[
\sum_{i=1}^{n} k_{u,j}^i \, e_i^* \;=\; e_j^u \, l_u ;
\]
– for all $1 \le j \le m$,
\[
\sum_{i=1}^{n} v_j^i \, e_i^* \;=\; s_j^* \;-\; \sum_{u=1}^{t} s_j^u \, l_u .
\]
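As an added illustration of the two conditions (not part of the original appendix), take the single relation $\Lambda = \{x^2 = a\}$ with solution $\phi$, so that $n = m = t = 1$, $e_1^1 = 2$ and $s_1^1 = 1$, and ask whether $x^4 = a^2$ (that is, $e_1^* = 4$, $s_1^* = 2$) is trivial with respect to $\Lambda$. The candidate $\phi_1^* = \phi$ corresponds to $v_1^1 = 0$ and $k_{1,1}^1 = 1$, and the two conditions read

```latex
k_{1,1}^1 \, e_1^* = e_1^1 \, l_1 \;\Longrightarrow\; 4 = 2\,l_1, \qquad
v_1^1 \, e_1^* = s_1^* - s_1^1 \, l_1 \;\Longrightarrow\; 0 = 2 - l_1 ,
```

both satisfied by $l_1 = 2$; indeed $\phi^4 = (\phi^2)^2 = a^2$ follows from the known relation alone, so the equation is trivial. For a general candidate $\phi_1^* = a^{v} \phi^{k}$ the conditions give $4k = 2 l_1$ and $4v = s_1^* - l_1$, i.e. $4v + 2k = s_1^*$. For $x^4 = a^3$ this becomes $4v + 2k = 3$, which has no integer solution, so $x^4 = a^3$ is non-trivial with respect to $\Lambda$: in the quotient group, which is freely generated by $\phi$ with $a = \phi^2$, the equation asks for a fourth root of $\phi^6$, and none exists.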
B Network Coding Signatures
We recall the definitions of network coding signatures and network coding homomorphic signatures.
Definition 9. A network coding signature is defined by a triple of algorithms (NetKG, Sign, Ver) such that:
NetKG(1^k, N) On input the security parameter k and a parameter N, this algorithm outputs (vk, sk) where sk is the secret signing key and vk is the public verification key. N defines the size of the signed vectors.
Sign(sk, V, fid) The signing algorithm takes as input the secret key sk, a random file identifier fid and an m-dimensional subspace V ⊂ F^N and outputs a signature σ.
Ver(vk, fid, v, σ) Given the public key vk, a file identifier fid, a vector v ∈ F^N and a signature σ, the algorithm outputs 0 (reject) or 1 (accept).
For correctness, we require that for all honestly generated key pairs (vk, sk), all identifiers fid and all V ⊂ F^N, if σ ← Sign(sk, V, fid) then Ver(vk, fid, v, σ) = 1 for all v ∈ V.
A network coding signature is secure if it satisfies the following definition.
Definition 10. Consider the following experiment between an adversary A and a challenger. At the beginning the adversary chooses a positive integer N and gives it to the challenger, who runs (vk, sk) ← NetKG(1^k, N) and gives vk to A. Then the adversary can adaptively ask for signatures on vector spaces V_i ⊂ F^N of its choice, obtaining for each V_i a file identifier fid_i and a signature σ_i, and finally A outputs a tuple (fid*, v*, σ*). We say that the adversary wins if Ver(vk, fid*, v*, σ*) = 1 and either one of the following cases holds: (1) fid* ≠ fid_i for all i; (2) fid* = fid_i for some i but v* ∉ V_i.
Finally we give the formal definition of homomorphic network coding signature. As noticed
by Boneh et al. [6] homomorphic network coding signatures are a special case of network coding
signatures.
Definition 11. A homomorphic network coding signature scheme is defined by a 4-tuple of algorithms (NetKG, Sign, Ver, Combine) such that:
NetKG(1^k, N) On input the security parameter k and a parameter N, this algorithm outputs (vk, sk) where sk is the secret signing key and vk is the public verification key. N defines the size of the signed vectors.
Sign(sk, v, fid) The signing algorithm takes as input the secret key sk, a random file identifier fid and a vector v ∈ F^N and outputs a signature σ.
Combine(vk, fid, {(w_i, σ_i)}_{i=1}^{ℓ}) This algorithm takes as input the public key vk, a file identifier fid, and a set of tuples (w_i, σ_i) where σ_i is a signature and w_i ∈ F is a coefficient. It outputs a new signature σ such that, if each σ_i is a valid signature on a vector v_i, then σ is a valid signature on the linear combination
\[
v \;=\; \sum_{i=1}^{\ell} w_i \, v_i .
\]
Ver(vk, fid, v, σ) Given the public key vk, a file identifier fid, a vector v ∈ F^N and a signature σ, the algorithm outputs 0 (reject) or 1 (accept).