Separation Results on the “One More” Computational Problems

profil-zyak-2012

Découvre YouScribe en t'inscrivant gratuitement

Je m'inscris

Obtenez un accès à la bibliothèque pour le consulter en ligne
En savoir plus

16 pages

English

Obtenez un accès à la bibliothèque pour le consulter en ligne
En savoir plus

A propos
Informations
Extrait

Description

Niveau: Supérieur, Doctorat, Bac+8
Separation Results on the “One-More” Computational Problems? Emmanuel Bresson1, Jean Monnerat??2, and Damien Vergnaud3 1 DCSSI Crypto Lab, Paris, France 2 Department of Computer Science & Engineering, University of California San Diego, USA 3 Ecole Normale Superieure – C.N.R.S. – I.N.R.I.A. 45 rue d'Ulm, 75230 Paris CEDEX 05, France Abstract. In 2001, Bellare, Namprempre, Pointcheval and Semanko introduced the notion of “one-more” computational problems. Since their introduction, these problems have found numerous applications in cryptography. For instance, Bellare et al. showed how they lead to a proof of security for Chaum's RSA-based blind signature scheme in the random oracle model. In this paper, we provide separation results for the computational hierarchy of a large class of algebraic “one-more” computational problems (e.g. the one-more discrete logarithm problem, the one-more RSA problem and the one-more static Computational Diffie-Hellman problem in a bilinear setting). We also give some cryptographic implications of these results and, in particular, we prove that it is very unlikely, that one will ever be able to prove the unforgeability of Chaum's RSA-based blind signature scheme under the sole RSA assumption. Keywords.

randomness can hardly

signature scheme

time algorithm

black-box access

problem

chaum's rsa-based blind

sole rsa assumption

problem into

Sujets

France 2

Digital signature

Problem

Informations

Publié par	profil-zyak-2012
Nombre de lectures	12
Langue	English

Extrait

SeparationResultsonthe“One-More”ComputationalProblems?EmmanuelBresson1,JeanMonnerat??2,andDamienVergnaud31DCSSICryptoLab,Paris,France2DepartmentofComputerScience&Engineering,UniversityofCaliforniaSanDiego,USA3E´coleNormaleSupe´rieure–C.N.R.S.–I.N.R.I.A.45rued’Ulm,75230ParisCEDEX05,FranceAbstract.In2001,Bellare,Namprempre,PointchevalandSemankointroducedthenotionof“one-more”computationalproblems.Sincetheirintroduction,theseproblemshavefoundnumerousapplicationsincryptography.Forinstance,Bellareetal.showedhowtheyleadtoaproofofsecurityforChaum’sRSA-basedblindsignatureschemeintherandomoraclemodel.Inthispaper,weprovideseparationresultsforthecomputationalhierarchyofalargeclassofalgebraic“one-more”computationalproblems(e.g.theone-morediscretelogarithmproblem,theone-moreRSAproblemandtheone-morestaticComputationalDiﬃe-Hellmanprobleminabilinearsetting).Wealsogivesomecryptographicimplicationsoftheseresultsand,inparticular,weprovethatitisveryunlikely,thatonewilleverbeabletoprovetheunforgeabilityofChaum’sRSA-basedblindsignatureschemeunderthesoleRSAassumption.Keywords.“One-more”problems,Black-boxreductions,Randomself-reducibleproblems,Alge-braicalgorithms.1IntroductionBackground.Incryptography,aone-wayfunctionfisafunctionthatcanbecomputedbysomealgorithminpolynomialtime(withrespecttotheinputsize)butsuchthatnoprobabilisticpolynomial-timealgorithmcancomputeapreimageoff(x)withanon-negligibleprobability,whenxischosenuniformlyatrandominthedomainoff.Attheverybeginningofthecentury,ithasbeenobservedthatthereseemslittlehopeofprovingthesecurityofmanycryptographicconstructionsbasedonlyonthe“standard”one-waynessassumptionoftheusedprimitive.Thesecurityofsomeschemesseemstorelyondiﬀerent,andprobablystronger,propertiesoftheunderlyingone-wayfunction.Cryptographershavethereforesuggestedthatoneshouldformu-lateexplicitnewcomputationalproblemstoprovethesecurityoftheseprotocols.Forinstance,OkamotoandPointcheval[14]introducedin2001anovelclassofcomputationalproblems,thegapproblems,whichﬁndaniceandrichpracticalinstantiationwiththeDiﬃe-Hellmanproblems.TheyusedthegapDiﬃe-Hellmanproblemforsolvingamorethan10-yearoldopensecurityproblem:theunforgeabilityofChaum-vanAntwerpenundeniablesignaturescheme[11].In2001,Bellare,Namprempre,PointchevalandSemanko[2]introducedthenotionofone-moreone-wayfunction.Afunctionisone-moreone-wayifitcanbecomputedbysomealgorithminpolynomialtime(intheinputsize)butforwhichthereexistsnoprobabilisticpolynomial-timealgorithmAwithnon-negligibleprobabilitytowinthefollowinggame:–Agetsthedescriptionoffasinputandhasaccesstotwooracles;–aninversionoraclethatgivenyinf’scodomainreturnsxinf’sdomainsuchthatf(x)=y;–achallengeoraclethat,eachtimeitisinvoked(ittakesnoinputs),returnsarandomchallengepointfromf’scodomain;?ThispaperhasappearedinTopicsincryptology-CT-RSA2008,Lect.NotesComput.Sci.,T.Malkined.,Springer,Lect.NotesComput.Sci.vol.4964,2008,p.71-87.??SupportedbyafellowshipoftheSwissNationalScienceFoundation,PBEL2–116915