1. Digital Signature Schemes
Instructor:
Mohammad Sadeq Dousti

2. Copyright Notice
These set of slides are licensed under Creative Commons Attribution-NonCommercial- ShareAlike (CC BY-NC-SA) 4.0.
Basically, this license allows others to use the slides verbatim, and even modify and incorporate them into their own work, as long as:
They credit the original author(s);
Their work is used non-commercially;
They license their work under CC BY-NC-SA 4.0.
For further information, please consult:
sa/4.0/legalcode

3. Outline
Overview
Definitions
The Paradox
The Hash-then-Sign Paradigm
RSA Signatures
Detour: Identification Schemes
DLP-based Digital Signatures
Signatures from Hash Functions

4. Overview

5. Similarities and differences with MACs
Digital signature schemes are similar to MACs in that they can be used to preserve message integrity.
However, there are two fundamental differences.
Digital signatures are in the public-key setting, where the sender has a pair of keys: public key (pk), and secret key (sk).
Signing is achieved by using sk, while verification is performed by pk.
Only one party can sign, but everyone (including the adversary) can verify.
Digital signatures can provide non-repudiation, a service that cannot be offered in the private-key setting. (Why?)

6. Definitions

7. Syntax

8. Security of signature schemes
As in MACs, the attack model of choice is chosen message attacks (CMA).
Furthermore, among all possible security definitions (total break, universal forgery, selective forgery, and existential forgery), we pick the strongest one: existential forgery.
We require that the adversary is not able to forge a signature on any new messages (UF-CMA security).
If we relax this definition, and only require that the adversary is not able to forge a new message-signature pair, we get strong UF-CMA (sUF-CMA) security.

9. UF-CMA Security
A signature scheme Π is UF-CMA secure if for every efficient 𝒜, there is a negligible function negl such that:
Pr Sig–forge 𝒜,Π cma (𝑛)=1 ≤negl 𝑛 .

10. The Paradox

11. Introduction to the paradox
In the early 1980s, Ron Rivest gave a fallacious proof that UF-CMA secure signature schemes do not exist!
The so-called proof first appeared in [Wil80]:
“Ron Rivest (personal communication) has pointed out to the author that the cryptosystem described here is vulnerable to a selected ciphertext attack. Any cryptosystem in which there exists a constructive proof of equivalence of factorization and breaking, the cipher will be vulnerable to such an attack.”
In 1984, they found the mistake, and proposed the first paradoxical signature scheme [GMR84].
It’s instrumental to learn about this “paradox”!

12. The paradox – 1
We now “prove” that it is impossible to have a signature scheme for which it is both true that:
Factoring (or any other hard problem) is provably equivalent to forgery.
The scheme is invulnerable to CMA.
Typical security proof: Given an adversary 𝒜 for forging signatures, a constructive method (a reduction ) is specified for factoring.
The other part of the equivalence, showing that factoring enables forgery, is usually easy, since factoring usually enables the enemy to totally break the scheme.

13. Overview of the security reduction
N  pq
Generate pk and sk based on N.
Give pk to 𝒜.
Sign any messages 𝒜 demands.
If 𝒜 succeeds in forgery, factor N. m1 1 mi i … 𝒜 pk
(m,)
p & q

14. The reduction expects a procedure which forges a signature.
The paradox – 2
Total break: The enemy merely executes the reduction  given in the proof.
The reduction expects a procedure which forges a signature.
Upon receiving a forgery,  must factor N.
To generate a forgery, the adversary merely performs a CMA, getting the real user to sign a message.
In the end the unwary user has enabled the enemy to factor his modulus!

15. The adversary 𝓑 Reduction () 𝒜 N  pq pk, sk N, pk m  (m, ) N
Honest User
N, pk 𝓑 m 
(m, ) N
Reduction () 𝒜
(m, )
Total Break
p & q
sk*

16. Where does the fallacy lie?
A careful inspection of figures reveals the following:
The reduction  works only when it has generated (pk, sk), and does not work for an external (pk, sk).
In other words, while the (m, ) is a valid signature with respect to (pk, sk), it is not a valid signature with respect to the internal (pk, sk) generated by .
Therefore,  will not generate the factorization of N, and the strategy of 𝓑 fails.

17. The Hash-then-Sign Paradigm

18. Introduction
Signature schemes are orders of magnitude less efficient than MACs.
It is much economical to first compute the hash of the (long) message, and then sign the hash.
This paradigm is similar to hash-then-MAC, and is called the hash-then-sign paradigm.

19. Hash-then-sign construction
THEOREM: If Π is a UF-CMA secure signature scheme for messages of length ℓ and ΠH is a CRHF, then the above construction is a UF-CMA secure signature scheme (for arbitrary-length messages).

20. RSA Signatures

21. RSA assumption
DEFINITION: The RSA problem is hard relative to GenRSA if for all PPT algorithms 𝓐, there exists a negligible function negl such that Pr RSA−inv 𝒜,GenRSA 𝑛 =1 ≤negl 𝑛 .
RSA Assumption: There exists a GenRSA algorithm relative to which the RSA problem is hard.

22. Plain (textbook) RSA signature

23. Security of RSA signature based on RSA assumption?!
The RSA assumption only implies hardness of computing a signature (that is, computing an eth root) of a uniform message m.
It says nothing about hardness of computing a signature on a non-uniform m or on some message m of the attacker’s choice.
Moreover, the RSA assumption says nothing about what an attacker might be able to do once it learns signatures on other messages.

24. The adversary does the following:
A no-message attack
The adversary does the following:
Given a public key pk  N, e,
Choose an arbitrary   ℤN,
Compute m  [e mod N],
Output (m, ).
 is a valid signature on m.
This is a forgery since no signatures at all were issued by the owner of the public key.

25. Forging a signature on an arbitrary message
Say the adversary wants to forge a signature on the message m  ℤN with respect to the public key pk  N, e.
He chooses arbitrary m1, m2  ℤN distinct from m such that m  m1  m2 mod N.
It then obtains signatures σ1, σ2 on m1, m2, respectively (by issuing CMA queries).
Finally, it outputs σ ≔ [σ1  σ2 mod N] as a valid signature on m.
𝜎 𝑒 = 𝜎 1 ⋅ 𝜎 2 𝑒 = 𝑚 1 𝑑 ⋅ 𝑚 2 𝑑 𝑒 = 𝑚 1 𝑒𝑑 ⋅ 𝑚 2 𝑒𝑑 = 𝑚 1 ⋅ 𝑚 2 =𝑚 mod 𝑁.
This is called the homomorphic property of RSA.

26. RSA encryption and decryption are group homomorphisms from ℤN to ℤN.
Given two groups, (G, ⊛) and (H, ⊡), a group homomorphism from (G, ⊛) to (H, ⊡) is a function h : G → H such that for all u and v in G, it holds that h(u ⊛ v)  h(u) ⊡ h(v).
RSA encryption and decryption are group homomorphisms from ℤN to ℤN.
Group operations ⊛ and ⊡ are multiplication modulo N.
This is sometimes referred to as “homomorphic encryption.”
It can be IND-CCA1 secure, but not IND-CCA2 secure. (WHY?)

27. Hash-then-“RSA Sign”

28. At a minimum, the hash function H must satisfy the following:
Security
There is no known way to choose H so that hash-then-“RSA sign” can be proven secure.
Since plain RSA is not a secure signature scheme, the hash-then-sign paradigm does not necessarily work for “RSA sign.”
At a minimum, the hash function H must satisfy the following:
OW: to prevent the no-message attack it should be infeasible for an attacker to start with σ, compute m ≔ [σe mod N], and then find a message m such that H(m)  m.
Non-homomorphic: it must be hard to find three messages m, m1, m2 with H(m)  H(m1)·H(m2) mod N.
CR: it must be hard to find collisions in H: if H(m1)  H(m2), then m1 and m2 have the same signature and forgery becomes trivial.

29. Full-Domain Hash (FDH)
It is possible to prove the security of hash-then-“RSA sign” if
​H is modeled as a random oracle.
The range of H is the entire domain of RSA. That is, ​H maps its inputs uniformly onto ℤ 𝑁 ∗ ;
The scheme in this case is called the RSA full-domain hash (RSA-FDH) signature scheme.
​Practical attacks are known if the output length of H is too small (e.g., if the output length is 160 bits as would be the case if SHA-1 were used directly as H).
If H is like SHA-1, use something like:
H(const ∥ 0 ∥ x) ∥ H(const ∥ 1 ∥ x) ∥ 

30. RSA-FDH is secure against no-message attacks
Let 𝓕 be a (tF, ϵF) forger who mounts a no-message attack against RSA-FDH.
​Without loss of generality, we assume that:
𝓕 never repeats a hash query.
𝓕 outputs (m, ) only for a message m for which it has already requested a hash.
We construct a (tI, ϵI) inverter 𝓘 against RSA, with: tI  tF  q  poly(n) and ϵI  ϵF.
Inverter uses the random self-reducibility (RSR) of RSA: a good algorithm for the average case implies a good algorithm for the worst case.

31. Algorithm of the inverter
Programming H
Since xi is uniform over ℤ 𝑁 ∗ , yi is uniform over ℤ 𝑁 ∗ as well. (WHY?) Therefore, the view of 𝓕 is identical to the case where H(mi) is uniform.

32. Forger with CMA ability
Handling the case when the adversary is allowed to request signatures on messages of its choice is more difficult.
The complication arises since the inverter 𝓘 does not know the decryption exponent d, yet now has to compute valid signatures on messages queried by 𝓕 to its signing oracle.
This seems impossible (and possibly even contradictory!) until we realize that 𝓘 can correctly compute a signature on a message m as long as it sets H(m) to equal to [σe mod N] for a known value σ.

33. Experiment Sig-forge Without loss of generality, we assume that:
𝓕 never repeats a hash or sign query.
𝓕 only requests a sign query for a message m for which it has already obtained a hash.
𝓕 makes exactly q  q(n) queries.
𝓕 outputs (m, ) only for a message m for which it has already obtained a hash.

34. Experiment Sig-forge
Since j is uniform and independent of everything else,
Pr Sig−forge ℱ,Π ′ 𝑛 =1 = 1 𝑞(𝑛) ⋅ Pr Sig−forge ℱ,Π 𝑛 =1

35. Experiment Sig-forge
This experiment is identical to experiment Sig-forge, except:
​Experiment is aborted if 𝓕 ever requests a signature on the message mj (where mj denotes the jth message queried to H, and j is the uniform value chosen at the outset).
This does not change the probability that the output of the experiment is 1, since if 𝓕 ever requests a signature on mj then it cannot possible output a forgery on mj.

36. Algorithm of the inverter
NOTE: This slide contains material which are hidden, and are shown one-by-one through animation.
Press SHIFT+F5 to go into “Slide Show” mode.
Then press spacebar to see the hidden elements.
Algorithm of the inverter

37. Analysis of 𝓘
Clearly, 𝓘 runs in probabilistic polynomial time.
The crucial observation is that the view of 𝓕 when run as a subroutine by 𝓘 is identical to the view of 𝓕 in experiment Sig-forge. (WHY?)
Whenever experiment Sig-forge would output 1, then 𝓘 outputs a correct solution to its given RSA instance. (WHY?) Therefore,
Pr RSA−inv ℐ, GenRSA 𝑛 =1 = Pr Sig−forge ℱ,Π ′′ 𝑛 =1 = Pr Sig−forge ℱ,Π 𝑛 =1 𝑞(𝑛)

38. Tightness of reduction
From a (tF, ϵF) forger 𝓕, we constructed a (tI, ϵI) inverter 𝓘 with tI  tF  q  poly(n) and ϵI  ϵF  q.
[BR96]: We note that ϵF could thus be considerably larger than ϵI.
This means that even if RSA is quite strong, the guarantee on the signature scheme could be quite weak.
Let a forger compute hashes on, q  260 strings.
Then even if the RSA inversion probability was originally as low as 261, all we can say is that the forging probability is now at most 1/2, which is not good enough.
In a tight reduction, we require ϵI  ϵF and tI  tF.

39. Coron [Cor00] provided a better reduction.
In the previous reduction, 𝓘 programed H() to y at exactly one point (the jth query)
In Coron’s reduction, 𝓘 programs H() as follows:
With some probability p, H() is set to y.
With probability 1  p, H() is set to a uniform value.
Coron showed how to choose p to optimize ϵI, so that ϵI  ϵF  O(qsig), where qsig is the number of signature queries.
Signature queries must be online, while hash queries can be offline.  Much better reduction, but still untight.

40. Salted RSA-FDH: A tight reduction
When 𝓕 was a no-message forger, 𝓘 could program H() to 𝑦 𝑥 𝑖 𝑒 mod 𝑁 , so that it can invert y whenever 𝓕 succeeds.
𝓘 cannot do this when 𝓕 is a CMA forger, because it cannot sign 𝑦 𝑥 𝑖 𝑒 mod 𝑁 .
Can we combine these two approaches?
Idea: If m has many signatures, 𝓘 is free to pick any of them, regardless of the response to hash queries.
[BR96] suggested salting the signatures. They proposed two constructions: PSS and PSS-R.
Here, we show a less efficient but simpler construct.
PSS: Probabilistic Signature Scheme
PSS-R: PSS with message recovery

41. Salted RSA-FDH

42. Security of Salted RSA-FDH
Let 𝓕 be a (tF, ϵF) forger against strong UF-CMA security of RSA-FDH.
​Without loss of generality, we assume that:
𝓕 makes exactly q  q(n) queries.
𝓕 outputs (m, ) with   r, x only for a value m ∥ r for which it has already obtained a hash.
We next demonstrate a (tI, ϵI) inverter 𝓘 against RSA.
ASSIGNMENT: Analyze 𝓘, and show that the reduction is tight:
tI  tF  q  poly(n)
ϵI  ϵF  O(q2)  2k

43. NOTE: This slide contains material which are hidden, and are shown one-by-one through animation.
Press SHIFT+F5 to go into “Slide Show” mode.
Then press spacebar to see the hidden elements.
Algorithm 𝓘(N, e, y)

44. The FDH method can be generalized from RSA to any TDP.
In summary
The FDH method can be generalized from RSA to any TDP.
The salted FDH requires TDP’s with RSR property.
Otherwise, one cannot carry over the proof with tight reduction.
As mentioned before, two more efficient versions of the salted FDH, known as PSS and PSS-R, were presented by [BR96].
PSS is standardized in PKCS #1 v2.1, and is used in practice (see the next slide).

45. PSS in practice

46. Detour: Identification Schemes

47. Identification schemes
An identification scheme is an interactive protocol that allows a party, the prover P, to prove its identity (i.e., to authenticate itself) to another party, the verifier V.
Here, we are interested in the public-key setting where P and V do not share any secret information (such as a password) in advance; instead, V only knows the public key of the P.
Successful execution of the identification protocol convinces V that it is communicating with the intended P rather than an imposter.

48. 3-round identification schemes
We will only consider three-round identification protocols of a specific form, where the prover is specified by two algorithms 𝓟1, 𝓟2 and the verifier’s side of the protocol is specified by an algorithm 𝓥.
The prover runs 𝓟1(sk) using its private key sk to obtain an initial message I along with some state st, and initiates the protocol by sending I to the verifier.
In response, the verifier sends a challenge r chosen uniformly from some set Ωpk defined by the prover’s public key pk.
Next, the prover runs 𝓟2(sk, st, r) to compute a response s that it sends back to the verifier.
Finally, the verifier computes 𝓥(pk, r, s) and accepts if and only if this results in the initial message I.

49. A three-round identification scheme

50. Non-degeneracy
For technical reasons, we assume identification schemes that are “non-degenerate,” which intuitively means that:
there are many possible initial messages I, and none has a high probability of being sent.
Formally, a scheme is non-degenerate if for every private key sk and any fixed initial message I, the probability that 𝓟1(sk) outputs I is negligible.
Any identification scheme can be trivially modified to be non-degenerate by sending a uniform n-bit string along with the initial message.

51. Security against eavesdroppers
An adversary who does not know sk should be unable to fool the verifier into accepting.
This should hold even if the attacker is able to passively eavesdrop on multiple (honest) executions of the protocol between P and V.
We formalize such eavesdropping via an oracle Transsk that, when called without any input, runs an honest execution of the protocol and returns to the adversary the entire transcript (I, r, s) of the interaction.
Let Π  (Gen, 𝓟1, 𝓟2, 𝓥) be an identification scheme, and consider the following experiment for an adversary 𝓐 and parameter n.

52. Definition of security
An identification scheme Π is secure against a passive attack, or just secure, if for all efficient adversaries 𝓐, there exists a negligible function negl such that:
Pr Ident 𝒜,Π (𝑛)=1 ≤negl 𝑛 .

53. From identification schemes to signatures
The Fiat–Shamir transform provides a way to convert any (interactive) identification scheme into a (non- interactive) signature scheme.
The basic idea is for the signer to act as a prover, running the identification protocol by itself.
That is, to sign a message m, the signer first computes I, and next generates the challenge r by applying some function H to I and m. It then derives the correct response s.
The signature on m is (r, s), which can be verified by:
Re-computing I ≔ 𝓥(pk, r, s), and
Checking that H(I, m) ≟ r.

54. The Fiat–Shamir transform

55. Security of the Fiat–Shamir transform
THEOREM: Let Πid be an identification scheme, and let Πsig be the signature scheme that results by applying the Fiat–Shamir transform to it. If
​Πid is (tid, ϵid) secure, and
​H is modeled as a random oracle mapping inputs uniformly onto Ωpk,
then Πsig is (tsig, ϵsig) secure, where (q  q(n) is the total number of hash and signature queries in the reduction):
tsig  tid  q  poly(n)
ϵsig  q  ϵid  negl(n)
Proof: See THEOREM in [KL14, p. 454].

56. DLP-based Digital Signatures
The Schnorr Signature Scheme

57. Discrete-logarithm assumption
DEFINITION: The discrete-logarithm problem (DLP) is hard relative to 𝓖 if for all PPT algorithms 𝓐, there exists a negligible function negl such that Pr DLog 𝒜,𝒢 𝑛 =1 ≤negl 𝑛 .
DLP Assumption: There exists a 𝓖 for which DLP is hard.

58. The Schnorr identification scheme

59. Security of the Schnorr identification scheme
THEOREM: If the DLP is hard relative to 𝓖, then the Schnorr identification scheme is secure.
Informal Proof:
Passive eavesdropping is of no help to the attacker.
The attacker can generate an honest transcript (I, r, s) of Schnorr identification without using the secret key sk.
To do this, the attacker chooses uniform and independent r,  s  ℤq and then sets I ≔ gs  yr.
Simulated transcripts constructed by an attacker have the same distribution as honest transcripts. (WHY?)
We may effectively assume that when attacking the identification scheme, an attacker does not eavesdrop on honest executions at all.

60. Informal proof (Cont’d)
So, we have reduced to an attacker who gets a public key y, sends an initial message I, is given in response a uniform challenge r, and then must send a response s for which gs  yr  I.
Forking Lemma: Informally, if an attacker is able to do this with probability ϵ, then it must be able to compute correct responses s1, s2 to two different challenges r1, r2  ℤq with probability  ϵ2.
This implies 𝑔 𝑠 1 ⋅ 𝑦 − 𝑟 1 =𝐼= 𝑔 𝑠 2 ⋅ 𝑦 − 𝑟 2 , and so 𝑔 𝑠 1 − 𝑠 2 = 𝑦 𝑟 1 − 𝑟 2 . Therefore, the reduction can compute the discrete log:
log 𝑔 𝑦 = 𝑠 1 − 𝑠 2 ⋅ 𝑟 1 − 𝑟 2 −1 mod 𝑞 .

61. The Schnorr signature scheme

62. DLP-based Digital Signatures
The Digital Signature Standard (DSS)

63. The DSS includes two DLP-based algorithms:
DSA: Digital Signature Algorithm
ECDSA: Elliptic-Curve Digital Signature Algorithm
Both are based on the DLP, but in different classes of groups.
DSA: In a subgroup of ℤ 𝑝 ∗ with prime order q.
ECDSA: In an order-q subgroup of an elliptic-curve group.
They have been around in some form since 1991, and are both included in the current Digital Signature Standard (DSS) issued by NIST.
FIPS PUB in 2013.
DSA is a variant of the ElGamal Signature Scheme.

64. The underlying identification scheme
Prover’s private key is x.
Public key is (𝔾, q, g, y) with y = gx.
s  0 unless   xr mod q, which occurs with negligible probability.

65. Correctness
Assuming s  0, the inverse s−1 mod q exists and:
We thus see that correctness holds with all but negligible probability.

66. Security of the identification scheme
One can show that this identification scheme is secure if DLP is hard relative to 𝓖.
As in Schnorr identification, transcripts of honest executions can be simulated. (WHY?)
Similarly, logg h can be computed if the attacker gives correct responses to distinct challenges (α1, r), (α2, r).
HOW?
Applying the Forking Lemma, we get the desired security proof.

67. From identification to signature
The DSA/ECDSA signature schemes are constructed by “collapsing” the previous identification scheme into a non-interactive algorithm run by the signer.
In contrast to the Fiat–Shamir transform, however, the transformation here is carried out as follows:
Set α ≔ H(m), where m is the message being signed and H is a cryptographic hash function.
Set r ≔ F(I) for a (specified) function F : 𝔾  ℤq. Here, F is a “simple” function that is not intended to act like a random oracle.
Example: In DSA, F(I) ≝ [I mod q].

68. DSA and ECDSA—abstractly.

69. Security of DSA/ECDSA
Assuming hardness of DLP, both DSA and ECDSA can be proven secure if H and F are modeled as random oracles.
No proofs of security are known for the specific choices of F in the standard.
Nevertheless, DSA and ECDSA have been used and studied for decades without any attacks being found.

70. Attack on Sony PlayStation (PS3)
Subtracting gives s1 − s2 = k−1  (H(m1) − H(m2)) mod q, from which k can be computed.
Given k, the attacker can determine the private key x. (HOW?)
This very attack was used by hackers to extract the master private key from the Sony PlayStation (PS3) in 2010.
In DSA/ECDSA, k must be chosen uniformly.
The attacker can compute the signer’s private key if the same k is ever used to generate two different signatures. (Total Break!)
The attacker can easily tell when this happens because then r repeats as well.
Say (r, s1) and (r, s2) are signatures on messages m1 and m2, respectively. Then:

71. Signatures from Hash Functions
Lamport’s One-Time Signatures

72. Introduction
Interestingly—and perhaps somewhat surprisingly— signature schemes can be constructed based on cryptographic hash functions, without relying on number-theoretic assumptions.
This is in contrast to public-key encryption, which seems to require hard problems with some algebraic structure.
Next, we explore such constructions.
The schemes we will see are also interesting in that they do not rely on random oracles, as opposed to all the constructions we have described previously.

73. Secure “one-time” signatures
A signature scheme Π is existentially unforgeable under a single- message attack, or is a one-time-secure signature scheme, if for every efficient 𝒜, there is a negligible function negl such that:
Pr Sig–forge 𝒜,Π 1−time (𝑛)=1 ≤negl 𝑛 .

74. Example of Lamport’s one-time signatures
yi,j  H(xi,j)

75. The Lamport signature scheme.

76. ASSIGNMENT: Prove the above theorem.
Security
THEOREM: Let ℓ be any polynomial. If H is a OWF, then the Lamport signature scheme is a one-time- secure signature scheme.
ASSIGNMENT: Prove the above theorem.
Hint: Show that how a forger can be used to invert H.
Solution: See THEOREM of [KL14, p. 462].
COROLLARY: If OWFs exist, then for any polynomial ℓ there is a one-time-secure signature scheme for messages of length ℓ.

77. Signatures from Hash Functions
Chain-Based Signatures

78. Introduction
Being able to sign only a single message with a given private key is obviously a significant drawback.
We show here an approach based on CRHFs that allows a signer to sign arbitrarily many messages,…
… at the expense of maintaining state that must be updated after each signature is generated.
Notice that the verification algorithm need not keep state.

79. Stateful signature schemes: The syntax

80. A stateful “t-time-secure” signature scheme
For any polynomial t  t(n), we can easily construct a stateful “t-time-secure” signature scheme.
Set pk ≔ pk1, …, pkt and sk ≔ sk1, …, skt where each (pki, ski) is an independently generated key-pair for some one-time-secure signature scheme.
The state is a counter i initially set to 1.
​Sign a message m using the private key sk and current state i ≤ t: Compute σ←Sign 𝑠𝑘 𝑖 𝑚 output (σ, i).
​Verify of a signature (σ, i) on a message m: Check whether σ is a valid signature on m with respect to pki.

81. In the scheme just described, the public key has length linear in t.
A trade-off
In the scheme just described, the public key has length linear in t.
It is possible to trade off the length of the public key and signature.
The signer computes a Merkle tree h ≔ 𝓜𝓣t (pk1, …, pkt).
The public key will now be t, h.
The signature on the ith message will include (σ, i), along with the ith value pki and a proof πi that this is the correct value corresponding to h.
The public key now has constant size, and the signature length grows only logarithmically with t.

82. The Drawback
Since t can be an arbitrary polynomial, why don’t the previous schemes give us the solution we are looking for?
The main drawback is that they require the upper bound t on the number of messages that can be signed to be fixed in advance, at the time of key generation.
This is a potentially severe limitation since once the upper bound is reached a new public key would have to be generated and distributed.
We would prefer instead to have a single, fixed public key that can be used to sign an unbounded number of messages.

83. Solution: Chain-based scheme
Let the public key consists of just a single public key pk1 generated using Gen, and the private key is just the associated private key sk1.
To sign the first message m1, the signer first generates a new key-pair (pk2, sk2) using Gen, and then signs both m1 and pk2 using sk1 to obtain σ 1 ←Sign 𝑠𝑘 1 𝑚 1 ∥𝑝 𝑘 2 .
The signature that is output includes both pk2 and σ1, and the signer adds (m1, pk2, sk2, σ1) to its current state.

84. To sign the ith message mi, the signer:
More generally…
Before signing the ith message, the signer has stored 𝑚 𝑗 , 𝑝𝑘 𝑗+1 , 𝑠𝑘 𝑗+1 , 𝜎 𝑗 𝑗=1 𝑖−1 as part of its state.
To sign the ith message mi, the signer:
Generates a new key-pair (pki1, ski1) using Gen,
Signs mi and pki1 using ski to obtain a signature σ 𝑖 ←Sign 𝑠𝑘 𝑖 𝑚 𝑖 ∥𝑝 𝑘 𝑖+1 .
The actual signature that is output includes pki1, σi, and also the values 𝑚 𝑗 , 𝑝𝑘 𝑗+1 , 𝜎 𝑗 𝑗=1 𝑖−1 .
The signer then adds (mi, pki1, ski1, σi) to its state.

85. Pictorially: Situation before and after signing m3

86. The Lamport scheme does not have this property.
Security
Every (compressing) CRHF is also a OWHF. Therefore, we get the following theorem:
THEOREM: If CRHFs exist, then there exists a (stateful) UF-CMA signature scheme (for messages of arbitrary length).
In the chain-based scheme, each public key pki is used to sign both a message and another public key.
Thus, it is essential that the underlying one-time- secure signature scheme Π is capable of signing messages longer than the public key.
The Lamport scheme does not have this property.
However, if we apply the hash-then-sign paradigm to the Lamport scheme, we obtain a one-time-secure signature scheme that can sign messages of arbitrary length.

87. It has a number of disadvantages, though:
The chain-based signature scheme is a stateful signature scheme that is UF-CMA secure.
It has a number of disadvantages, though:
There is no immediate way to eliminate the state.
It is also not very efficient: the signature length, size of the state, and verification time are all linear in the number of messages that have been signed.
Each signature reveals all previously signed messages, and this may be undesirable in some contexts.

88. Signatures from Hash Functions
Tree-Based Signatures

89. Chain vs. binary trees
A chain-based signature can be viewed as a tree of degree 1, rooted at the public key pk1, and with depth equal to the number of messages signed so far.
A natural way to improve efficiency is to use a binary tree in which each node has degree 2.
Imagine a binary tree of depth n where the root is labeled by ε (i.e., the empty string), and a node that is labeled with the binary string w (of length less than n) has left-child labeled w0 and right-child labeled w1.
For every node w, we associate a pair of keys pkw, skw for a one-time-secure signature scheme Π.
The public key of the root, pkε, is the actual public key of the signer.

90. How to sign a message m  {0,1}n?
The final signature on m consists of the signature on m with respect to pkm, as well as all the information needed to verify the path from the leaf labeled m to the root.
Generate keys (as needed) for all nodes on the path from the root to the leaf labeled m.
Some of these public keys may have been generated in the process of signing previous messages, and in that case are not generated again.
“Certify” the path from the root to the leaf labeled m by computing a signature on 𝑝𝑘 𝑤0 ∥ 𝑝𝑘 𝑤1 , using private key skw, for each string w that is a proper prefix of m.
“Certify” m itself by computing a signature on m using the private key skm.

91. Pictorially: Tree-based signatures

92. It still allows for signing an unbounded number of messages.
Advantages
It still allows for signing an unbounded number of messages.
Although there are only 2n leaves, the message space contains only 2n messages.
In any case, 2n is eventually larger than poly(n).
Efficiency: the signature length and verification time are now proportional to the message length n but are independent of the number of messages signed.
The scheme is still stateful, but we will see how this can be avoided.
Security Theorem: Let Π be a one-time-secure signature scheme. Then tree-based signature is a secure signature scheme.

93. A stateless solution
The signer can generate the entire tree in advance, at the time of key generation.
Generate the keys {(pkw, skw)} and the signatures {σw} for all binary strings w of length at most n.
If key generation were done in this way, the signer would not have to update its state at all; these values could all be stored as part of a (huge) private key, and we would obtain a stateless scheme.
The problem with this approach is that generating all these values would require exponential time, and storing them all would require exponential memory.

94. Workaround
An alternative is to store some randomness that can be used to generate the values {(pkw, skw)} and {σw}, as needed, rather than storing the values themselves.
Generating and storing sufficiently many random strings, however, still requires exponential time and memory.
Simple idea: Keep a short, random key k for a PRF F, and generate the required randomness on the fly:
Compute rw ≔ Fk(w).
Compute (pkw, skw) ≔ Gen(1n; rw).

95. Security
Since the existence of CRHFs implies the existence of OWFs, and the latter implies the existence of PRFs, we have:
THEOREM: If CRHFs exist, then there exists a (stateless) secure signature scheme.
It is possible to construct UF-CMA secure signature schemes satisfying from the (minimal) assumption that OWFs exist; see Section 3.3 of [Kat10, p. 94] and [KK05].

96. References Chapter 12 of [KL14].
[BR96] M. Bellare & P. Rogaway. “The Exact Security of Digital Signatures: How to Sign with RSA and Rabin,” EUROCRYPT, 1996.
[Cor00] J.-S. Coron. “On the Exact Security of Full Domain Hash,” CRYPTO,
[GMR84] S. Goldwasser, S. Micali & R.L. Rivest. “A Paradoxical Solution to the Signature Problem (Extended abstract),” FOCS, 1984.
[KK05] J. Katz & C.-Y. Koo, “On Constructing Universal One-Way Hash Functions from Arbitrary One-Way Functions,” IACR ePrint 2005/328, 2005, Available from
[KL14] J. Katz & Y. Lindell. “Introduction to Modern Cryptography: Principles and Protocols,” 2nd Edition, CRC Press, 2014.
[Kat10] J. Katz. “Digital Signatures,” Springer, 2010.
[Wil80] H.C. Williams. “A Modification of the RSA Public-Key Encryption Procedure,” IEEE Trans. Inf. Theory, 1980.