From 985b76b79a146f45631204d142ea76e86c66ae44 Mon Sep 17 00:00:00 2001 From: Nickolai Zeldovich Date: Wed, 20 Sep 2023 11:11:43 -0400 Subject: [PATCH] lec05 tweaks --- lecture-notes.tex | 3 ++- lectures/{lec05_06.tex => lec05.tex} | 20 ++++++++++++-------- 2 files changed, 14 insertions(+), 9 deletions(-) rename lectures/{lec05_06.tex => lec05.tex} (97%) diff --git a/lecture-notes.tex b/lecture-notes.tex index 6f2172e..56eb43e 100644 --- a/lecture-notes.tex +++ b/lecture-notes.tex @@ -45,7 +45,8 @@ \part{Authentication} \include{lectures/lec02} \include{lectures/lec03} \include{lectures/lec04} -\include{lectures/lec05_06} +\include{lectures/lec05} +%\include{lectures/lec06} \include{lectures/lec07} \part{Transport Security} diff --git a/lectures/lec05_06.tex b/lectures/lec05.tex similarity index 97% rename from lectures/lec05_06.tex rename to lectures/lec05.tex index 302a13e..2634753 100644 --- a/lectures/lec05_06.tex +++ b/lectures/lec05.tex @@ -88,8 +88,10 @@ \section{Definitions} new message-signature pair. We call this security notion ``\emph{strong} existential unforgeability under chosen message attack.'' The definition is the same as in \cref{def:sig-sec} except that we require the adversary to find a valid-message signature pair $(m^*, \sigma^*)$ -such that $(m^*, \sigma^*) \not \in \{ (m_1, \sigma_1), (m_2, \sigma_2), \dots \}$. Standard digital-signature schemes, such as the elliptic-curve digital signature -algorithm (EC-DSA) is believed to have this strong security property. +such that $(m^*, \sigma^*) \not \in \{ (m_1, \sigma_1), (m_2, \sigma_2), \dots \}$. +Standard digital-signature schemes, such as the elliptic-curve digital signature +algorithm (EC-DSA) or the RSA algorithm with full-domain hashing (RSA-FDH), +are believed to have this strong security property. \section{Constructing a Signature Scheme} In the following sections, we will show how to construct a digital-signature 
@@ -102,8 +104,8 @@ \section{Constructing a Signature Scheme} of $O(\lambda)$ bits.\marginnote{One benefit of the signature scheme that we present here is that---unlike EC-DSA, RSA, DSA, and other widely used signature schemes---this one is plausibly secure even against \emph{quantum} -adversaries.\todo{Cite NIST PQ signature schemes and compare} -} +adversaries. There is ongoing work to standardize signature schemes secure +against quantum adversaries; see \url{https://csrc.nist.gov/projects/pqc-dig-sig}} We will construct this scheme in three stages: 
@@ -367,11 +369,13 @@ \subsubsection{Security implications of hash and sign} Another reason to not use hash and MAC is that MACs can be faster to compute than collision-resistant hash functions.} -In practice, hash-and-sign can actually \emph{increase} the security of our signature scheme, in a certain sense. As shown in case 2 above, it is absolutely crucial that the hash function used is collision-resistant: if not, an adversary can find messages that cause collisions, and then a signature for one message will also be a valid signature for the other. However, in practice we often think of hash functions like SHA2 as behaving like \emph{random oracles}. +In practice, hash-and-sign can actually \emph{increase} the security of our signature scheme, in a certain sense. As shown in case 2 above, it is absolutely crucial that the hash function used is collision-resistant: if not, an adversary can find messages that cause collisions, and then a signature for one message will also be a valid signature for the other. However, in practice we often think of hash functions like SHA256 as behaving like \emph{random oracles}. That is, for a hash function $h \colon \zo^* \to \zo^\lambda$ and a string $x \in \zo^*$ we think of the value $h(x)$ as being an independently -sampled and uniformly random value from the co-domain of the hash function, $\zo^\lambda$.\marginnote{A real-world hash function -is \emph{never actually} a random oracle. A random oracle from $h \colon \zo^* \to \zo^\lambda$ -would take infinitely many bits to describe, while real-world hash functions have finite size (and polynomial-size descriptions).} +sampled and uniformly random value from the co-domain of the hash function, $\zo^\lambda$. +(Of course, a real-world hash function is \emph{never actually} a random +oracle. A random oracle from $h \colon \zo^* \to \zo^\lambda$ would take +infinitely many bits to describe, while real-world hash functions have +finite size (and polynomial-size descriptions).) 
Recall that the standard security definition for digital signatures (\cref{def:sig-sec}) allows
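Review bot: in the lecture-notes.tex hunk, the new `%\include{lectures/lec06}` line points at a file this patch does not create. The only file-level change is the rename lec05_06.tex -> lec05.tex, so lectures/lec06.tex does not exist in the tree after this commit. If lec06 is going to be split out in a follow-up, say so on that line (e.g. `% lec06 to be split out from lec05`) or in the commit message, so the commented-out include is not mistaken for a stale leftover.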
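Review bot: in the `@@ -88,8 +88,10 @@` hunk of lec05.tex, the added sentence "Standard digital-signature schemes, such as the elliptic-curve digital signature algorithm (EC-DSA) or the RSA algorithm with full-domain hashing (RSA-FDH), are believed to have this strong security property" overstates EC-DSA. ECDSA is known not to be strongly unforgeable: given a valid signature (r, s) on a message, anyone can produce the distinct valid signature (r, n - s) on the same message without the signing key, which is exactly the kind of new message-signature pair the definition just above rules out. Suggest either dropping EC-DSA from this sentence or stating the (r, n - s) malleability explicitly; RSA-FDH is the better example, since with a trapdoor permutation each message has a unique valid signature, so strong unforgeability follows from ordinary unforgeability. Separately, the unchanged context line "to find a valid-message signature pair" reads better as "to find a valid message-signature pair".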
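Review bot: in the `@@ -102,8 +104,8 @@` hunk, the margin note now ends with `\url{https://csrc.nist.gov/projects/pqc-dig-sig}}` with no terminating period before the closing brace of `\marginnote`, so the rendered note ends mid-sentence; suggest `... see \url{https://csrc.nist.gov/projects/pqc-dig-sig}.}`. The removed `\todo` also asked to "compare" the NIST post-quantum signature schemes with the one constructed here, and a bare pointer does not do that, so either keep a one-sentence comparison or note in the commit message that the comparison was dropped on purpose.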
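Review bot: in the `@@ -367,11 +369,13 @@` hunk, changing "SHA2" to "SHA256" names a specific function while the very next sentence models the hash as $h \colon \zo^* \to \zo^\lambda$ for the security parameter $\lambda$; SHA-256 fixes the output length at 256 bits, and the standard spelling is "SHA-256". Either keep the family name (SHA-2) to match the parameterized $\zo^\lambda$, or write "SHA-256" and say that this instantiation sets $\lambda = 256$. Moving the random-oracle caveat from the margin into the parenthetical is fine; the punctuation `descriptions).)` is correct for a full sentence inside parentheses.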