Chameleon hash without key exposure based on Schnorr signature


Available online at www.sciencedirect.com
Computer Standards & Interfaces 31 (2009) 282–285
www.elsevier.com/locate/csi



Wei Gao a,⁎,1, Fei Li a, Xueli Wang b

a College of Mathematics and Information, Ludong University, Yantai, 264025, PR China
b College of Mathematics Science, South China Normal University, Guangzhou, 510630, PR China

Received 13 October 2005; received in revised form 17 December 2007; accepted 20 December 2007
Available online 31 December 2007

Abstract

Based on the famous Schnorr signature scheme, we propose a new chameleon hash scheme which enjoys all advantages of the previous schemes: collision-resistant, message-hiding, semantic security, and key-exposure-freeness.

© 2007 Elsevier B.V. All rights reserved.

Keywords: Chameleon signature; Chameleon hash; Key-exposure; Digital signature standard

⁎ Corresponding author: W. Gao.
1 This work was partially supported by CNSF10771078.
0920-5489/$ - see front matter © 2007 Elsevier B.V. All rights reserved. doi:10.1016/j.csi.2007.12.001

1. Introduction

Chameleon signatures were introduced in [5]. They are constructed on the well-established hash-and-sign paradigm, where the message digest is computed not by a general hash function but by a so-called chameleon hash function. A chameleon hash function is a trapdoor one-way hash function with some special properties. These properties ensure that the chameleon signature is non-transferable and non-repudiable.

In the model of chameleon signatures, assume that Alice wants to generate a signature which can only be verified by the designated receiver Bob. For Alice, the party without the trapdoor, a chameleon hash function is collision-resistant. However, for Bob, the trapdoor's holder, it is easy to find any collision. When Alice signs not the message itself but its chameleon hash value, Bob can present any message with this same hash value. In other words, Bob has the ability to deceive a third party into believing that this signature is for any message. Because of this possibility, the third party will not believe Bob. So the non-transferability of the chameleon signature is obtained. On the other hand, if Bob reuses the hash value to obtain a signature on a second message, Alice can prove knowledge of hash collisions formed by the original signed message and the claimed signed message. Because computing hash collisions is infeasible for Alice, such a collision is seen as proof of forgery by Bob. So the chameleon hash signature is also non-repudiable.

The original chameleon signature scheme [5] suffers from the problem of key exposure, i.e. a signature forgery by Bob results in exposing his own trapdoor. As stated in [1], the problem of key exposure threatens the claims of non-transferability provided by the scheme. To solve this problem, we will use the paradigm proposed in [2] as follows. The public key is divided into two components, one permanent and the other ephemeral. The ephemeral part, called the label, is a specially formatted string that describes the transaction and includes the signer and recipient information as well as some nonce or time-stamp. Now what is disclosed by a pair of collisions is not the main trapdoor but the ephemeral trapdoor, which is inessential for Bob.

In [4], Chen et al. constructed a key-exposure-free chameleon hash scheme based on bilinear pairings. In [2], Ateniese and Medeiros proposed three schemes based on Strong RSA, RSA[n,n] [6] and SDH (the Strong Diffie-Hellman assumption) respectively. In fact, the ephemeral trapdoor recovered from a pair of collisions is a kind of signature on the label under the main trapdoor. So the key-exposure-freeness property is due to the security of the signature applied to the label, such as the common RSA signature or the pairing-based short signature [3].


As we all know, the DLP (discrete logarithm problem) assumption is one of the most popular tools applied in cryptography. For example, there are many digital signature schemes based on DLP, such as the DSA/DSS signature, the Schnorr signature and the ElGamal signature. In particular, as the standard for digital signatures, the DSA/DSS signature scheme was published by the National Institute of Standards and Technology and is widely used in practice. Although signature schemes based on DLP are so popular, there has been no chameleon hash scheme with key-exposure-freeness working in this setting. In other words, when one wants to generate a chameleon signature using a certain DLP-based scheme such as DSS, one has to turn to a chameleon hash scheme working in another algebraic structure such as bilinear groups [2].

In this paper, we deal with this issue. At the price of a round of interaction, we construct a DLP-based chameleon hash function which can be seen as based on the well-known Schnorr signature [7] and has all advantages of the previous schemes.

The rest of the paper is organized as follows. Some preliminary works are given in Section 2. In Section 3, based on the Schnorr signature scheme, we construct a new chameleon hash scheme and then analyze its security. Its application to chameleon signatures is discussed in Section 4. The conclusion is given in Section 5.

2. Preliminary

As formalized in [2], a key-exposure-free chameleon hash is specified by a tuple (GenKey, Hash, UForge, IForge) of efficient algorithms as follows.

GenKey: on input a security parameter $1^k$, outputs a pair (pk, sk) of a public key and a secret key.

Hash: on input the public key pk, a label L and a message m, chooses an auxiliary random parameter r and outputs a hash value h = Hash(pk, L, m, r).

UForge (universal forge): on input the private key sk, the label L, a message m and the random parameter r, outputs a collision (m', r') for (m, r), i.e. Hash(pk, L, m', r') = Hash(pk, L, m, r).

IForge (instance forge): on input a tuple (pk, L, m, r, m', r') of a public key, a label, and a pair of collisions, computes another collision (m", r") for (m, r).

Informally speaking, in the model of a key-exposure-free chameleon hash scheme, Alice can compute the hash value by algorithm Hash; Bob can find any new de-commitment (m', r') for a certain hash value of (m, r) by algorithm UForge; given a pair of collisions (m, r), (m', r'), Alice can obtain a third de-commitment (m", r") by algorithm IForge.

In [2], the security requirements of a chameleon hash include:

(1) Collision-resistance: there is no efficient algorithm that, given only pk, L, m, and r (but not the secret key sk), can find a second pair m', r' such that h = Hash(pk, L, m, r) = Hash(pk, L, m', r') with more than negligible probability over the choices of pk, L, m and r.

(2) Semantic security: let H[X] denote the entropy of a random variable X, and H[X|Y] the entropy of the variable X given the value of a random function Y of X. Semantic security means that the conditional entropy H[m|h] of the message given its chameleon hash value h equals the total entropy H[m] of the message space.

(3) Message hiding: assume the recipient Bob has computed a collision using the universal forgery algorithm, i.e., a second pair (m', r') s.t. h = Hash(pk, L, m, r) = Hash(pk, L, m', r'), where (m, r) was the original value signed. Then the signer, Alice, upon seeing the claimed values (m', r'), can successfully contest this invalid claim by releasing a third pair (m", r") by running IForge, without revealing the original signed message. Moreover, the entropy of the original value (m, r) is unchanged by the revelation of the pairs (m', r'), (m", r"): H[(m, r)|h, (m', r'), (m", r")] = H[(m, r)|h].

(4) Key exposure freeness: if the recipient Bob with public key pk has never computed a collision under label L, then given h = Hash(pk, L, m, r) there is no efficient algorithm that can find a collision (a second pair (m', r') mapping to the same digest h). This must remain true even if the adversary has oracle access to UForge(sk,·,·,·) and is allowed polynomially many queries on triples (Li, mi, ri) of his choice, except that Li is not allowed to equal the challenge label L.

Remark 1. In this paper, we slightly modify the above definition: we let Hash be a protocol with only one round between the signer Alice and the designated receiver Bob. This modification has very little effect on the other parts of the above definition, and all these effects are trivial and can be easily understood from the context.

3. Chameleon Hash based on Schnorr signature

Since the Schnorr signature [7] is so well-known, we omit the details of its description. Now we present the four polynomial-time algorithms (or simple protocols) of our chameleon hash scheme:

• GenKey: on input the security parameter $1^k$,
(1) generate a multiplicative group of prime order $q$;
(2) select an element $g$ of the group, $g \neq 1$;
(3) randomly choose $x \in \mathbb{Z}_q^*$ as the private key, and set the public key $y = g^x$.

In the following, we assume the message $m \in \mathbb{Z}_q$. A semantically secure encryption scheme (Enc(·), Dec(·)) with the secret key $x'$ known only by the intended receiver Bob will be used. A cryptographic hash function $H$ is also public.

• Hash: the Hash protocol is run between the signer Alice and the designated receiver Bob. Bob does as follows:
(1) randomly chooses $t_1 \in \mathbb{Z}_q^*$;
(2) computes $r_1 = g^{t_1}$;
(3) encrypts $t_1$: $e = \mathrm{Enc}(t_1)$;
(4) sends authentically $(r_1, e)$ to the signer.

Given the public key $y$, the label $L$, the auxiliary message $(r_1, e)$ from Bob and the message $m \in \mathbb{Z}_q$, Alice computes the hash value as follows:
(1) computes $c_1 = H(L; r_1)$;
(2) computes $S_1 = r_1 y^{c_1}$;
(3) randomly chooses $r_2 \in \mathbb{Z}_q$;
(4) computes $S_2 = g^{m} S_1^{r_2}$;


(5) sets $\mathrm{Hash}(y, L, m, r_2) = S_2$.

Note that for $s_1 = \log_g S_1 = t_1 + x c_1$, $(r_1, s_1)$ forms a Schnorr signature on the label $L$.

• UForge: on input the secret key $(x, x')$, the label $L$, the message $m$ and its random string $r_2$, the ephemeral auxiliary parameters $(r_1, e)$ and the message $m'$, does the following:
(1) computes $t_1' = \mathrm{Dec}(x', e)$ and checks $g^{t_1'} = r_1$. If not, returns failure.
(2) computes the ephemeral trapdoor $s_1 = t_1' + xH(L, r_1) \bmod q$;
(3) sets $r_2' = s_1^{-1}(m - m') + r_2 \bmod q$.

Note that

$$S_2' = g^{m'} S_1^{r_2'} = g^{m'} S_1^{s_1^{-1}(m - m') + r_2} = g^{m'} g^{(m - m')} S_1^{r_2} = g^{m} S_1^{r_2} = S_2.$$

Thus, the pair $(m', r_2')$ forms a collision of $(m, r_2)$.

• IForge: on input a pair of collisions $(m, r_2)$, $(m', r_2')$ and the ephemeral auxiliary parameters $(r_1, e)$, first recover $s_1 = (m - m')(r_2' - r_2)^{-1} \bmod q$. Next, as in UForge, with this ephemeral trapdoor $s_1$ for the label $L$ and $r_1$, $e$, one can forge another pair $(m'', r'')$ which has the hash value equal to $\mathrm{Hash}(y, L, m, r_2)$.

Remark 2. To compute the ephemeral trapdoor $s_1$ in UForge, the receiver Bob needs to know the random number $t_1$ ($s_1 = t_1 + xH(L; r_1)$). At the price of encrypting $t_1$ and padding the ciphertext $e$ into the auxiliary part of the chameleon hash, the receiver can avoid storing it for future use. The encryption scheme can be DES with the secret key known by the receiver.

Below, we discuss the security of the above chameleon hash scheme:

Theorem 3.1. The above chameleon hash scheme enjoys all advantages of the previous schemes: collision-resistant, message hiding, semantic security, and key-exposure-free.

Proof. (1) Collision-resistance and key-exposure-freeness. As in the algorithm IForge, exposing a pair of collisions allows anybody to extract the secret key $s_1$ associated to the label $L$. As $(r_1, s_1)$ is a secure Schnorr signature on $L$, and computing collisions is equivalent to breaking this signature scheme, we conclude that finding collisions is hard without knowledge of the ephemeral trapdoor.
Finally, notice that since revealing collisions is equivalent to computing Schnorr signatures, the scheme is safe from key exposure as the Schnorr signature scheme is resistant against active attacks.

(2) Semantic security. For a message $m$ and fixed $r_1$, the value $h = \mathrm{Hash}(y, L, m, r_2)$ is uniquely determined by the value $r_2$, and vice versa. Therefore, the conditional probability c(m|h) = c(m|r2). And c(m|r2) = c(m) since $m$ and $r_2$ are independent variables. So c(m|h) = c(m), which indicates that the chameleon hash value $h$ discloses no information about the message $m$, i.e. that the conditional entropy H(m|h) is equal to the total entropy H(m).

(3) Message hiding. Let $h$ be the hash value. As stated in [2], it is sufficient to show that, once a collision is revealed,

a person who does not know the trapdoor can compute a de-commitment to h under any message m" of her choice. In fact, as in IForge, given (m', r') and (m, r) with the same chameleon hash value, one can get another collision (m", r") for any message m".

4. Chameleon Hash signature and Its relevance to standards

Using the general chameleon-hash-and-sign paradigm [5,2] for constructing chameleon signatures, we can use the above chameleon hash and some discrete-logarithm-assumption-based signature scheme (such as the ElGamal signature, DSS, or the Schnorr signature) with the same public setting to construct a chameleon signature with message hiding and key-exposure-freeness. Because of the generality of the framework of the construction, we omit the details here.

As we all know, DSS (Digital Signature Standard), published in 2000 by the U.S. Department of Commerce/National Institute of Standards and Technology, is the most popular standard for digital signatures and is widely used in practice. The algebraic structure for DSS is a large prime finite field $F_p$. However, all previous chameleon hash schemes [2,4] with full security are based on algebraic structures different from $F_p$, such as bilinear groups and the RSA ring. The application of chameleon hashes in practice is greatly restricted since none of the existing schemes can easily cooperate with the DSS signature standard. Now, the chameleon hash scheme proposed in this paper works in the finite field $F_p$ and is constructed based on the popular Schnorr signature. So it will be very convenient to construct a chameleon signature by modularly combining the DSS signature standard and our chameleon hash scheme. Of course, this will largely extend the application area of chameleon signatures in practice.

5. Conclusion

In this paper, based on the Schnorr signature, we propose a new chameleon hash scheme. We show that it enjoys the advantages of the previous schemes: collision-resistant, message hiding, semantic security, and key-exposure-freeness.
Now, in the setting of the popular discrete-logarithm-based public key cryptography, our chameleon hash scheme can be naturally implemented. So with this scheme, popular signature schemes such as DSS, the ElGamal signature, the Schnorr signature and their variants can be easily transformed into the corresponding chameleon hash signatures.

References

[1] G. Ateniese, B. de Medeiros, 'Identity-based chameleon hash and applications', Financial Cryptography (FC04), LNCS, Springer-Verlag, 2004.
[2] G. Ateniese, B. de Medeiros, 'On the Key Exposure Problem in Chameleon Hashes', the Fourth Conference on Security in Communication Networks (SCN'04), LNCS, Springer-Verlag, Amalfi, 2004.
[3] D. Boneh, X. Boyen, 'Short signatures without random oracles', Advances in Cryptology – EUROCRYPT 04, LNCS 3027, Springer-Verlag, 2004, pp. 56–73.
[4] X. Chen, F. Zhang, K. Kim, 'Chameleon Hashing without Key Exposure', ISC04, Sep. 27-29, Palo Alto, USA.
[5] H. Krawczyk, T. Rabin, 'Chameleon signatures', Proc. of NDSS 2000, 2000, pp. 143–154.
[6] P. Paillier, 'Public key cryptosystems based on composite degree residuosity classes', Advances in Cryptology – EUROCRYPT 99, LNCS 1592, Springer-Verlag, pp. 223–238.
[7] C. Schnorr, 'Efficient identification and signatures for smartcards', CRYPTO 1989, LNCS 435, Springer-Verlag, 1990, pp. 239–252.
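
The GenKey, Hash, UForge and IForge algorithms of Section 3, worked through as an added Python example (not code from the paper or its authors). The toy group parameters, the use of SHA-256 for H, the XOR `pad` standing in for the paper's Enc/Dec, and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed toy group, far too small for real use: P = 2Q + 1, G has prime order Q.
P, Q, G = 2039, 1019, 4

def H(*parts):
    # Public hash H (assumed here: SHA-256), reduced into Z_q.
    data = "|".join(map(str, parts)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def gen_key():
    x = secrets.randbelow(Q - 1) + 1            # private key x in Z_q^*
    return x, pow(G, x, P)                      # (x, y = g^x)

def pad(xp, r1):
    # Placeholder for Enc/Dec under Bob's key x'; NOT a real cipher.
    return H("pad", xp, r1)

def bob_commit(xp):
    t1 = secrets.randbelow(Q - 1) + 1           # t1 in Z_q^*
    r1 = pow(G, t1, P)
    return r1, t1 ^ pad(xp, r1)                 # (r1, e) sent to Alice

def alice_hash(y, L, r1, m, r2):
    S1 = r1 * pow(y, H(L, r1), P) % P           # S1 = r1 * y^c1 = g^s1
    return pow(G, m, P) * pow(S1, r2, P) % P    # S2 = g^m * S1^r2

def trapdoor(x, xp, L, r1, e):
    t1 = e ^ pad(xp, r1)                        # t1' = Dec(x', e)
    if pow(G, t1, P) != r1:
        raise ValueError("(r1, e) failed the g^t1 == r1 check")
    return (t1 + x * H(L, r1)) % Q              # s1 = t1 + x*H(L, r1) mod q

def schnorr_verify(y, L, r1, s1):
    return pow(G, s1, P) == r1 * pow(y, H(L, r1), P) % P

def collide(s1, m, r2, m_new):
    return (pow(s1, -1, Q) * (m - m_new) + r2) % Q   # r2' = s1^-1 (m - m') + r2

def uforge(x, xp, L, r1, e, m, r2, m_new):
    return collide(trapdoor(x, xp, L, r1, e), m, r2, m_new)

def extract(m, r2, m2, r2p):
    return (m - m2) * pow((r2p - r2) % Q, -1, Q) % Q  # s1 = (m - m')(r2' - r2)^-1

def iforge(m, r2, m2, r2p, m_new):
    return collide(extract(m, r2, m2, r2p), m, r2, m_new)
```

A revealed collision yields only `s1`, which `schnorr_verify` accepts as a Schnorr signature on that one label; the long-term key `x` does not appear in `extract` or `iforge`.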