At each moment t, repository contains set of hashes.
R.get(t : int) : (hash fset) option
More specifically, the valid signature of message m at time t must contain an entry R.get(t) = Some hs so that
{ h(tag sk t || m), h(tag sk t) } ⊆ hs.
Adversary A can react on repository writes, by adding new entries:
R.put(x : hash fset) := {
t := t + 1;
y := A.react(x);
R.r[t] = y ∪ x;
return t;
}
- Tag-and-Hash non-malleability
- Tag-and-Hash unpredictability (optional)
- Tag-system phantom-freeness
Assume that A makes a forgery.
-
Oracle not used: Tag-system is unsafe.
-
Oracle used at time
tand signature is forged for timet'.2.1.
t < t': Tag-system is unsafe.2.2.
t > t': Use Tag-&-Hash unpredictability assumption and construct adversairesA₁andA₂.A₁: Run A with no oracles provided. Uniformly choose an entry from repository from the interval [1..t]. A₂: Run A with tagging oracle.Clearly, with probability
1/tA₁will choose correct entry (same asAwould choose with full info). The rest follows.2.3.
t = t': Let the signature be forged for messagem; in this case one of the entries atR.r[t]must containh(tg || m), h(tg)which the adversary produced from knowledge of
h(tg || m'), h(tg)So,
Afor Tag-&-Hash non-malleability can be constructed by sending an oracle two requestsm'andEMPTY. After this adversaryAwill generatey = h(tg || m').