Hide-and-Seek and the Non-resignability of the BUFF Transform

Abstract

The BUFF transform, due to Cremers et al. (S&P’21), is a generic transformation for digital signature scheme, with the purpose of obtaining additional security guarantees beyond unforgeability: exclusive ownership, message-bound signatures, and non-resignability. Non-resignability (which essentially challenges an adversary to re-sign an unknown message for which it only obtains the signature) turned out to be a delicate matter, as recently Don et al. (CRYPTO’24) showed that the initial definition is essentially unachievable; in particular, it is not achieved by the BUFF transform. This led to the introduction of new, weakened versions of non-resignability, which are (potentially) achievable. In particular, it was shown that a salted variant of the BUFF transform does achieves some weakened version of non-resignability. However, the salting requires additional randomness and leads to slightly larger signatures. Whether the original BUFF transform also achieves some meaningful notion of non-resignability remained a natural open question.

In this work, we answer this question in the affirmative. We show that the BUFF transform satisfies the (almost) strongest notions of non-resignability one can hope for, facing the known impossibility results. Our results cover both the statistical and the computational case, and both the classical and the quantum setting. At the core of our analysis lies a new security game for random oracles that we call Hide-and-Seek. While seemingly innocent at first glance, it turns out to be surprisingly challenging to rigorously analyze.

Appendices

A Proof of Theorem 1

Proof

In the classical case, combining Lemma 1 and Theorem 2, for \( \mathcal{Z} = \mathcal{S}\mathcal{K}\times \mathcal{AUX}\) and \(q=q_A+q_S\) we obtain

$$\begin{aligned} \textbf{Adv}^{\textsf{sNR}^{H,\bot }}_{\textsf{BUFF}[ \mathcal{S} ,H]}( \mathcal{D} , \mathcal{A} ,\textsf{aux}) &\le q\cdot 4(q+1) ( \log | \mathcal{Z} | + \log (1/\epsilon ) + 1 )\epsilon + q_K\epsilon + \frac{q_D+1}{| \mathcal{Y} |}\\ &\le 8(q+1)^2 \big ( \log | \mathcal{Z} | + \log (1/\epsilon ) \big )\epsilon + q_K\epsilon + \frac{q_D+1}{| \mathcal{Y} |}\;, \end{aligned}$$

where the second inequality exploits that \(\log (1/\epsilon )\ge 1\). This concludes the classical bound.

Similarly, in the quantum case, combining Lemma 1 and Theorem 3, for \( \mathcal{Z} = \mathcal{S}\mathcal{K}\times \mathcal{AUX}\) and \(q=q_A+q_S\) we obtain

$$\begin{aligned} &\textbf{Adv}^{\textsf{sNR}^{H,\bot }}_{\textsf{BUFF}[ \mathcal{S} ,H]}( \mathcal{D} , \mathcal{A} ,\textsf{aux}) \le 2 q\cdot \sqrt{O\bigl ( ( \log | \mathcal{Z} | + \log (1/\epsilon ) + q) q \epsilon \bigr )} + q_K\epsilon + \frac{q_D+1}{| \mathcal{Y} |}\\ &\le O\bigl (\sqrt{ ( \log | \mathcal{Z} | + \log (1/\epsilon ) + q) q^3 \epsilon }\bigr ) + q_K\epsilon + \frac{q_D+1}{| \mathcal{Y} |}\text { as }\min (1/\epsilon ,| \mathcal{Z} |,q)\rightarrow \infty , \end{aligned}$$

where the constants in the asymptotic bounds are absolute constants. Hence, there are absolute constants \(n,C\ge 2\) such that

$$ \textbf{Adv}^{\textsf{sNR}^{H,\bot }}_{\textsf{BUFF}[ \mathcal{S} ,H]}( \mathcal{D} , \mathcal{A} ,\textsf{aux}) \le C\sqrt{ ( \log | \mathcal{Z} | + \log (1/\epsilon ) + q) q^3 \epsilon } + q_K\epsilon + \frac{q_D+1}{| \mathcal{Y} |}\;, $$

whenever \(\min (1/\epsilon ,| \mathcal{Z} |,q)\ge n\). In order to get a bound even when \(| \mathcal{Z} |<n\), we increase \(|\mathcal{AUX}|\) to \(n|\mathcal{AUX}|\) without actually changing the algorithm \(\textsf{aux}\), and so get

$$\begin{aligned} &\textbf{Adv}^{\textsf{sNR}^{H,\bot }}_{\textsf{BUFF}[ \mathcal{S} ,H]}( \mathcal{D} , \mathcal{A} ,\textsf{aux}) \le C\cdot \sqrt{\left( \log \frac{|\mathcal{S}\mathcal{K}|\cdot n|\mathcal{AUX}|}{\epsilon } + q\right) q^3\epsilon } + q_K\epsilon + \frac{q_D+1}{| \mathcal{Y} |}\\ &\le C\sqrt{2}\cdot \sqrt{\left( \log \frac{|\mathcal{S}\mathcal{K}|\cdot |\mathcal{AUX}|}{\epsilon } + q\right) q^3\epsilon } + q_K\epsilon + \frac{q_D+1}{| \mathcal{Y} |} \end{aligned}$$

whenever \(\min (1/\epsilon ,q)\ge n\), where the second inequality is via \(q + \log n\le q + n\le 2q\). Finally, since \(q\ge q_A\), the boundary condition of the above inequality can be relaxed to \(\min (1/\epsilon ,q_A)\ge n\). This concludes the proof.    \(\square \)

B Proof of Lemma 2

Proof

First, we note that the input \(z^\circ \) can be omitted, as it can be hardwired into \( \mathcal{A} \).

For the case \(k = 1\), consider \(H'\) to be a fresh random oracle, independent of H. Then, the distributions of \( \mathcal{A} ^H(H(x^u))\) and \( \mathcal{A} ^{H'}(H(x^u))\) coincide, unless a query of \( \mathcal{A} \) to H happens to be a query on \(x^u\), which happens with probability at most \(\frac{q}{| \mathcal{X} |}\). Thus

$$ \Pr \bigl [ x^u = \mathcal{A} ^H(H(x^u)) \bigr ] \le \Pr \bigl [ x^u = \mathcal{A} ^{H'}(H(x^u)) \bigr ] + \frac{q}{| \mathcal{X} |} \le \frac{q+1}{| \mathcal{X} |} \,. $$

For the case \(k > 1\), instead of considering \( \mathcal{A} ^H(H(x_k^u))\), the run of \( \mathcal{A} \) on the k-th instance, we consider a run of \( \mathcal{A} _k^H(H(x_k^u),T_{k-1})\), specified as follows. \( \mathcal{A} _k\) is given as additional input the collection \(T_{k-1}\) of transcripts of the runs of \( \mathcal{A} \) on the previous instances \(x_1^u,\ldots ,x_{k-1}^u\); this includes each instance \(x_i^u\) and its hash \(H(x_i^u)\), as well as all the hash queries and responses of these \(k-1\) runs of \( \mathcal{A} \). \( \mathcal{A} _k\) then simply runs \( \mathcal{A} \), but whenever \( \mathcal{A} \) is about to query H on an input that is contained in \(T_{k-1}\), it reads out the hash from there, instead of querying H. \( \mathcal{A} _k^H(H(x_k^u),T_{k-1})\) then obviously behaves identically to \( \mathcal{A} ^H(H(x_k^u))\). Furthermore, conditioned on any fixed \(T_{k-1}\), the distributions of \( \mathcal{A} _k^H(H(x_k^u),T_{k-1})\) and \( \mathcal{A} _k^{H'}(H'(x_k^u),T_{k-1})\) coincide, where again \(H'\) is a fresh random oracle, unless \(x_k^u\) happens to be contained in \(T_{k-1}\), which happens with probability \(\frac{(k-1)(q+1)}{ \mathcal{X} }\). Thus,

$$\begin{aligned} \Pr \bigl [ & x_k^u = \mathcal{A} ^H(H(x_k^u)) \mid x_i^u = \mathcal{A} ^H(H(x_i^u)) \,\forall \, i < k \bigr ] \\ & = \Pr \bigl [ x_k^u = \mathcal{A} _k^H(H(x_k^u),T_{k-1}) \,\big |\, x_i^u = \mathcal{A} ^H(H(x_i^u)) \,\forall \, i < k \bigr ] \\ & \le \Pr \bigl [ x_k^u = \mathcal{A} _k^{H'}(H'(x_k^u),T_{k-1}) \,\big |\, x_i^u = \mathcal{A} ^H(H(x_i^u)) \,\forall \, i < k \bigr ] + (k-1)\frac{q+1}{| \mathcal{X} |} \\ & \le k \frac{q+1}{| \mathcal{X} |} \end{aligned}$$

where the last inequality follows from the fact for any fixed choice of \(T_{k-1}\), we are back to the case \(k = 1\) due to the freshness of \(H'\). Multiplying these probability gives the claimed bound.    \(\square \)