Digital Signatures

Disclaimer: This set of notes is a work in progress. It may have errors and be missing citations. It is certainly incomplete. Please let the staff know of any errors that you find. In the last section, our strategy for authentication depended on two parties sharing a secret key. In that discussion, we completely left out of the picture how these parties should exchange this secret key. Our implication was that they went to some private room and exchanged the key in secret, but in many cases this is not practical: if they could whisper a key, why not just whisper the message? Luckily, there is a way to get around this requirement for a shared secret using public-key cryptography.1 1 Whitfield Diffie and Martin E Hellman. New directions in cryptography. Transactions on Information Theory, 22(6), 1976 The original Diffie-Hellman paper from 1976, which introduced public-key cryptography, is a fascinating read. 1 Definitions

The original Diffie-Hellman paper from 1976, which introduced public-key cryptography, is a fascinating read.

Definitions
The basic idea of public-key cryptography, applied to authentication, is that each party will generate two linked keys-a secret signing key and a public verification key. The verification key will be good enough to verify that a signature is valid, but not to generate new signatures. Definition 1.1 (Signature Scheme). A signature scheme is associated with a message space M and three efficient algorithms (Gen, Sign, Ver).
In theoretical papers, people will write Gen(1 λ ) to indicate that the keygeneration algorithm takes as input a length-λ string of ones. This is just a hack to make the input given to Gen λ bits long so that the Gen algorithm can run in time polynomial in its input length: poly(λ). If we express λ in binary, then Gen(λ) gets a log 2 λbit input and can only run in time poly(log λ). This distinction is really unimportant, but if you see the 1 λ notation, you will now know what it means.
• Gen(λ) → (sk, vk). The key-generation algorithm as input a security parameter λ ∈ N and outputs a secret signing key sk and public verification key vk. The algorithm Gen runs in time poly(λ).
• Sign(sk, m) → σ. The signing algorithm takes as input a secret key sk and a message m ∈ M, and outputs a signature σ.

digital signatures 2
The standard security notion for digital signatures is very similar to that for MACs (??). The only difference here is that a digitalsignature scheme splits the single secret MAC key into two keys: a secret signing key and a public verification key. Otherwise the definition is essentially identical. Definition 1.3 (Digital signatures: Security -existential unforgeability under chosen message attack). A digital-signature scheme (Gen, Sign, Ver) is secure if all efficient adversaries win the following security game with only negligible probability: • The challenger runs (sk, vk) ← Gen(λ) and sends vk to the adversary. • For i = 1, 2, . . . (polynomially many times) -The adversary sends a message m i ∈ M to the challenger.
-The challenger replies with σ i ← Sign(sk, m i ).
Notice that this security definition does not guarantee that an attacker cannot forge a new signature on a message that it has already seen a signature of. Namely, given a valid message-signature pair (m, σ) an adversary may be able to produce additional valid message-signature pairs on the same message: (m, σ ′ ), (m, σ ′′ ), . . . .
In some applications, we want to prohibit an attacker from finding any new message-signature pair. We call this security notion "strong existential unforgeability under chosen message attack." The definition is the same as in Definition 1.3 except that we require the adversary to find a valid-message signature pair (m * , σ * ) such that (m * , σ * ) ̸ ∈ {(m 1 , σ 1 ), (m 2 , σ 2 ), . . . }. Standard digital-signature schemes, such as the elliptic-curve digital signature algorithm (EC-DSA) is believed to have this strong security property.

Constructing a Signature Scheme
In the following sections, we will show how to construct a digitalsignature scheme from any one-way function (??).
We will generate a signature scheme that is secure, but that has relatively large signatures and public keys: to achieve security against attackers running in time 2 λ , this signature scheme has signatures of O(λ 2 ) bits. Widely used modern digital signature schemes (e.g., EC-DSA) have signatures of O(λ) bits.
One benefit of the signature scheme that we present here is that-unlike EC-DSA, RSA, DSA, and other widely used signature schemes-this one is plausibly secure even against quantum adversaries.
We will construct this scheme in three stages: 1. Construct a signature scheme for signing a single bit. digital signatures 3 2. Construct a one-time secure signature scheme for signing a fixed length messages. With this scheme, an attacker who sees two signatures under the same signing key can forge signatures. In addition, the secret signing key for this scheme will be larger than the size of the message being signed.
3. Construct a one-time secure scheme for arbitrary-length messages.
Here, we construct a one-time signature scheme whose secret signing key is independent of the length of the signed message.
4. Construct a many-time secure scheme (i.e., a fully secure one under Definition 1.3) for arbitrary-length messages. This last scheme is a fully secure and fully functional digital-signature scheme.

Constructing a Signature Scheme for Signing a Single Bit
This signature scheme is not useful on its own, and is given only as a step towards the final construction. It uses as a building block a oneway function f : X → Y. Recall that f a one-way function if it is easy to compute but hard to invert; namely there is an efficient algorithm that given x ∈ X outputs f (x), and at the same time any efficient algorithm given y = f (x) for a random x ← X , finds an inverse x ′ ∈ X such that f (x ′ ) = f (x) with only negligible probability.
• Gen() → (sk, vk). Choose two random elements x 0 , x 1 from X and In this construction, we leave the security parameter λ implicit. To be fully formal, Gen would take λ an input. The one-way function f and its domain X would both depend on λ. So we would write f λ and X λ . let (y 0 , y 1 ) = ( f (x 0 ), f (x 1 )). Output sk = (x 0 , x 1 ) and vk = (y 0 , y 1 ). construction is a straightforward generalization of the signature scheme constructed above: Each message is signed bit-by-bit, where each bit is signed using a fresh and independently generated secret key. Before giving the construction, we define one-time security for digital-signature schemes. This signature scheme is not generally useful on its own, but is useful as a building block. secure if all efficient adversaries win the following game with negligible probability: • The challenger generates (sk, vk) ← Gen(λ) and sends vk to the adversary. • The adversary sends the challenger single message m ∈ M.
Lamport signatures. We now construct a one-time secure signature scheme for messages in {0, 1} n , for some fixed message length n ∈ N.
To do this, we will define the following algorithms, which make use of a one-way function f : X → Y: • Gen() → (sk, vk). Choose 2n random elements from X , the domain of the one-way function f . Arrange these values in to a 2 × n matrix, which forms the secret signing key sk. The public verification key just consists of the 2n images of these values under the one-way function f : In other words, the routine accepts if applying the one-way function f to each symbol of the signature matches the corresponding value in the verification key. (Otherwise, the signing routine rejects.) This signature scheme has relatively large keys: the verification key, in particular consists of 2n values, where each is of length Ω(λ) bits. So the total length is roughly 2nλ bits-much longer than the n-bit message being signed.
In addition, notice that an adversary who sees signatures on even two messages can forge signatures on messages of its choice. In particular: • The adversary first asks for a signature on the message m 0 = 0 n . It receives σ 0 = (x 10 , . . . , x n0 ).
• The adversary then then asks for a signature on the message m 1 = 1 n . It receives σ 1 = (x 11 , . . . , x n1 ). • At this point, the adversary has the entire secret signing key! However, we will show that this scheme is indeed one-time secure.
Claim. The Lamport signature scheme is one-time secure under the assumption that f is a one-way function.
Remember that if P = NP, one-way functions, and also digital signature schemes, do not exist. So any proof of security of a digital-signature scheme will require some sort of cryptographic assumption.
In cryptography, we generally prove these security claims by reduction: we will show that if there exists an efficient adversary A that breaks the security of our scheme, then we can construct an efficient adversary B that breaks one of our assumptions. If we do this, we have reached a contradiction to one of our assumptions, so the first adversary cannot exist.
Proof of Claim. Suppose there exists an adversary A that wins the one-time-security game of Definition 4.1 with non-negligible probability ϵ. That is, the adversary can produces (m * , σ * ) such that Ver(vk, m * , σ * ) = 1 and m ̸ = m * given only σ = Sign(sk, m). We can then construct an adversary B that can use A to invert the one-way function.
Lamport's construction shows that if one-way functions exist, then so do digital signatures. Can you show that if digital signatures exist, then so do one-way functions?
In particular, our adversary B will use algorithm A as a subroutine to invert the one-way function. We will show that if A wins in the one-time signature security game often, then algorithm B will invert the one-way function often, which is a contradiction.
Assume our one-way function is of the form f : X → Y and that the Lamport signature scheme is on n-bit messages. The one-wayfunction adversary B operates as follows: • The adversary B is given a point y ∈ Y and its task is to produce a preimage of y under f . • The adversary B generates a signing keypair as follows: -It runs the key-generation algorithm for the Lamport signature scheme (sk, vk) ← Gen(). -The adversary chooses a random value i * ← R {1, . . . , n} and a random bit β * ← R {0, 1}. -The adversary sets vk i * ,β * ← y. That is, it inserts the one-wayfunction point it must invert into a random location in the verification key.
• The adversary then sends the verification key vk to the Lamportsignature adversary A. • Otherwise, the algorithm B returns the signature σ = (sk 1,m 1 , . . . , sk n,m n ) ∈ X n to algorithm A. • Algorithm A then produces a forged message-signature pair (m * , σ * ), where m ̸ = m * . • Algorithm B parses m * = m * 1 . . . m * n ∈ {0, 1} n and σ * = σ * 1 . . . σ * n ∈ X n . Then: First, notice that whenever (m * , σ * ) is a valid message-signature pair and whenever algorithm B does not output FAIL, algorithm B outputs a preimage x ∈ X of point y ∈ Y under the one-way function f . That is because, by the verification relation (1) for Lamport signatures, we must show that algorithm B does not output FAIL too often. Since algorithm B chooses the values i * and β * at random, and since the adversary A behavior is independent of these values, we can say: • the probability of the first failure event is 1/2, since there are two possible choices of m i * and only one of these is bad, and • the probability of the second failure event is at most 1/n, since m and m * must differ in at least one of n bits, and there is a 1/n probability that this differing bit is at index i * .
The events that A breaks the signature scheme and that either of these failures occur are all independent. Then if A breaks the oneway function with probability ϵ, our one-way-function adversary B inverts the one-way function with probability The probability of either bad is at most 1/2 + 1/n, by the union bound. Therefore if algorithm A breaks one-time security of Lamport's scheme with probability ϵ, If ϵ is non-negligible, then ϵ one-way = ϵ/2n is also non-negligible, and we have a contradiction.

A one-time signature scheme for arbitrary-length messages
In the Lamport signature scheme (Section 4), the length of the keys scales with the size of the message being signed. To adapt our scheme from above into a scheme that works on arbitrary-length messages without the key growing arbitrarily large, we will use a digital signatures 7 strategy called hash-and-sign. In essence, the signing algorithm will Essentially all signature schemes used in practice use this hash-and-sign construction.
pass the message through a hash function to generate a fixed-size digest before applying a signature scheme that works only on fixedlength messages.
This paradigm is called "hash and sign," and is very common. In practice, hashing is computationally cheap operation while signing turns out to be computationally relatively expensive. So it is common to hash a message before signing it in order to reduce the size of the message that must be signed.
The following claim gives the general construction: • Gen ′ := Gen. The key-generation algorithm is unchanged.
• Sign ′ (sk, m) := Sign(sk, h(m)). We hash the message using the hash function h before passing the hashed message to the original signing function.
• Ver ′ (vk, m, σ) := Ver(vk, h(m), σ). We use the original Ver to check that the tag matches hash of the original message.
Security Intuition. Suppose that there exists an efficiency adversary that breaks (Gen ′ , Sign ′ , Ver ′ ). In particular, given ((m 1 , σ 1 , . . . , (m t , σ t )), the adversary is able to construct a valid message-signature pair (m * , σ * ) such that m * / ∈ {m 1 , . . . , m t }. There are then two cases: such that h(m * ) = h(m i ). However, h is collision-resistant as in the definition, so this is a contradiction! 2. h(m * ) / ∈ {h(m 1 ), . . . , h(m t )}. Since the message that we pass to the underlying signature scheme is h(m), this means that the adversary has found a valid signature for h(m) under the original scheme (Gen, Sign, Ver) after seeing only signatures of h(m 1 ) ̸ = h(m), . . . , h(m t ) ̸ = h(m t ). This breaks the security of the underlying signature scheme, which is a contradiction! Application to Lamport. We can apply the hash-and-sign paradigm to the Lamport signature scheme from Section 4. We can fix our input to the Lamport scheme at, for example, 256 bits, and then run messages through a hash function that outputs 256 bits before passing them to the Lamport scheme. This gives a one-time-secure signature scheme for messages of arbitrary length.
Recall that we faced a similar problem in our MAC construction. Why not use hash and MAC there? The reason is that we used AES as our PRF, which takes input of {0, 1} 128 . As explained by the birthday paradox, it is possible to find a collision in an output space of size 2 128 in only time 2 64 ! This does not provide sufficient security for practical use, as it would be quite practical to find collisions. If we had a version of AES that outputted 256 bits, we could indeed apply hash and sign.
Another reason to not use hash and MAC is that MACs can be faster to compute than collision-resistant hash functions.
Security implications of hash and sign. In practice, hash-and-sign can actually increase the security of our signature scheme, in a certain sense. As shown in case 2 above, it is absolutely crucial that the hash function used is collision-resistant: if not, an adversary can find messages that cause collisions, and then a signature for one message will also be a valid signature for the other. However, in practice we often think of hash functions like SHA2 as behaving like random oracles. That is, for a hash function h : {0, 1} * → {0, 1} λ and a string x ∈ {0, 1} * we think of the value h(x) as being an independently sampled and uniformly random value from the co-domain of the hash function, {0, 1} λ .
A real-world hash function is never actually a random oracle. A random oracle from h : {0, 1} * → {0, 1} λ would take infinitely many bits to describe, while real-world hash functions have finite size (and polynomial-size descriptions).
Recall that the standard security definition for digital signatures (Definition 1.3) allows the attacker to request signatures on messages of its choice. If we pass a message through a hash function before signing it using an underlying signature scheme scheme, however, we effectively randomize the message-the adversary can no longer control the input to the underlying signature scheme. This allows us to define another meaningful definition of security: Definition 5.1 (Digital signatures: security against random message attacks). Any efficient adversary given the public verification key and a list of random message-signature pairs ((m 1 , σ 1 ), . . . , (m t , σ t )) cannot generate a forged message-signature pair (m * , σ * ) such that Ver(vk, m * , σ * ) = 1 and m * / ∈ {m 1 , . . . , m t }.
Note that this definition is not good enough on its own-an adversary often does have the ability to generate signatures for messages of his choice. However, paired with a hash function modeled as a random oracle, this definition becomes very useful-if the inputs are passed through the hash function before they are passed to the signature scheme, they become effectively random. We can even relax the definition further without losing practicality: by the same logic, with hash function in front of the signature scheme, what the adversary needs to sign is really not a message of their choise, but is the hash of a message of their choice-effectively a random value.
It is possible to formally argue that given a signature scheme satisfying Definition 5.2 and a random oracle, we can construct a scheme satisfying existential unforgeability under chosen message attacks.

digital signatures 9
6 From one-time security to many-time security After applying the hash-and-sign strategy above to our Lamport scheme, we have a signature scheme that is one-time secure for messages of arbitrary length. In order for the scheme to be useful and satisfy our security definition, we need to be able to sign polynomially many messages with a single key pair. To do this, we will use a construction very similar to he Merkle tree construction we have seen before.
We will show how to do this for a message space of size {0, 1} n , but hash and sign can be applied to make this work for arbitrarylength messages.
Claim. Assume that we are given: • a pseudorandom function, and • a one-time secure signature scheme (Gen 0 , Sign 0 , Ver 0 ). Then, for any t ≥ 0, we can construct a many-time secure signature scheme (Gen t , Sign t , Ver t ) on message space {0, 1} t , where the running time of all algorithms on security parameter λ is poly(λ, t).
By taking t ≈ 256, and combining this signature scheme with the hash-and-sign paradigm, we can get a many-time-secure signature scheme for arbitrary-length messages.
Proof (Informal). By induction on t.
Base case (t = 0). The signature scheme is just (Gen 0 , Sign 0 , Ver 0 ). Induction step. Assume the claim for t − 1. Then we construct the signature scheme for t.
Let the PRF keyspace be K. For a PRF key k ∈ K and string s, we write Gen F(k,s) 0 () to indicate the process of running the key-generation algorithm Gen 0 using randomness derived from the output of the PRF F(k, s).
The efficiency claim follows by inspection. To sketch the security proof: In a forged message-signature pair, consider the pair (vk 0 , vk 1 ). Either • These keys are different from those that the signer generated. In this case, the adversary has broken the one-time signature scheme. Or: • These keys are the same as those that the signer generated. In this case, the adversary has broken the signature scheme for (t − 1)-bit messages. This violates the induction hypothesis.
Either way, we get a contradiction. So we have (informally) proved the claim.

Choosing Signature Schemes
The signature scheme we presented in Section 6 is not particularly efficient in terms of signature size.  Many deployed systems today use the ECDSA256 signature scheme. Legacy application still use RSA signatures, though because of their relatively large public-key and signature sizes, few new applications use these schemes.
Hashing is much, much faster than signing-the commonly used SHA256 hashing algorithm can compute around 10,000,000 hashes per second. This is one reason the hash-and-sign paradigm is so useful.