47.06.04 · theoretical-cs / 06-cryptographic-foundations

Digital Signatures and Collision-Resistant Hash Functions

shipped3 tiersLean: none

Anchor (Master): Arora and Barak 2009 Computational Complexity: A Modern Approach (Cambridge) Ch. 9-10; Naor and Yung 1989 Universal One-Way Hash Functions and Their Cryptographic Applications (STOC); Rompel 1990 One-Way Functions are Necessary and Sufficient for Secure Signatures (STOC)

Intuition Beginner

A handwritten signature on a document proves you approved it. Anyone can see the signature and compare it to a known sample. A digital signature does the same thing for electronic messages: you sign with a private key, and anyone verifies with your public key.

The key difference from a physical signature is that a digital signature cannot be forged. If you sign message with your private key , producing signature , then no one can produce a valid signature on a different message without knowing . This is guaranteed not by the difficulty of imitating handwriting but by the computational hardness of inverting a one-way function.

Hash functions are the compression workhorse of cryptography. A hash function takes an input of any length and produces a fixed-length output, like a fingerprint. A collision-resistant hash function has the property that no one can find two different inputs with the same output. This seems simple, but it is remarkably useful: you can sign the hash of a message instead of the message itself, compressing arbitrarily long messages to a fixed size before signing.

Together, signatures and hash functions form the backbone of digital trust. Every time you visit a secure website, your browser verifies a digital signature on the site's certificate. Every time you install a software update, the operating system verifies a signature on the update. And every one of those signatures involves a hash function.

Visual Beginner

Digital signature workflow:

  Signer (Alice):                    Verifier (Bob):
  Private key sk                     Public key vk
    
  Message m                          Message m
  Hash: h = H(m)                     
  Sign: s = Sign(sk, h)              
                                     Receive (m, s)
                                     Hash: h' = H(m)
                                     Verify: Verify(vk, h', s)?
                                     Yes -> authentic
                                     No  -> forged

Hash function collision resistance:

  Input space: 2^256 possible inputs (or more)
  Output space: 2^256 possible hashes
  
  Finding x, y with H(x) = H(y) by brute force:
    Birthday attack: ~2^128 trials needed
    (This is infeasible -- 2^128 ~ 10^38)
Primitive Input Output Security property
Hash function Any-length message Fixed-length digest Collision resistance
Signature Message + private key Signature Unforgeability
Verification Message + public key + sig Accept/Reject Completeness

Worked example Beginner

We illustrate RSA-based digital signatures with toy parameters. Alice uses RSA with , so and . She picks (coprime to 72) and computes . Since , .

Public key: . Private key: .

Signing. Alice wants to sign the message . She computes the signature .

Using repeated squaring: . . . .

Now . Stepwise: . . . So .

Verification. Bob computes . . . . Verified.

Check your understanding Beginner

Formal definition Intermediate+

Definition (digital signature scheme). A digital signature scheme is a triple of PPT algorithms :

  • : outputs a verification key and signing key.
  • : outputs a signature on message .
  • : outputs accept or reject.

Correctness: for all .

Definition (EUF-CMA security). A signature scheme is existentially unforgeable under chosen-message attack if for every PPT adversary :

where , has oracle access to with query set , and is 's output.

Definition (collision-resistant hash function). A family of functions is collision-resistant if for every PPT algorithm :

Definition (Merkle-Damgard construction). Given a compression function , the Merkle-Damgard hash of a message (with appropriate padding) is:

Counterexamples to common slips

  • "Collision resistance means no two inputs have the same hash." By the pigeonhole principle, collisions always exist (the input space is larger than the output space). Collision resistance means finding a collision is computationally infeasible, not that collisions do not exist.

  • "A signature proves who sent the message." A signature proves that someone with the private key signed it. The connection to identity (who holds the private key) is established by a public-key infrastructure (PKI), not by the signature scheme itself.

  • "MD5 and SHA-1 are collision-resistant." Both have been broken: Wang et al. (2004) found collisions in MD5, and Stevens et al. (2017) found collisions in SHA-1. SHA-256 and SHA-3 are the current recommendations.

Key theorem with proof Intermediate+

Theorem (RSA-FDH is EUF-CMA in the random oracle model). The RSA Full-Domain Hash signature scheme—where and checks —is EUF-CMA secure in the random oracle model assuming the RSA problem is hard.

Proof sketch. Let be an EUF-CMA adversary that makes hash queries, signing queries, and forges with probability . We build an algorithm that solves the RSA problem: given , find with .

sets and simulates the random oracle and signing oracle for :

Random oracle simulation. maintains a table of query-response pairs. For each new query : with probability , set for random (an RSA challenge embedded in the hash). With probability , set for random (a "signable" value). Record .

Signing oracle simulation. When asks for a signature on : if was a hash query of "signable" type, return (since , so ). If was not queried, handle it fresh as signable.

Forgery extraction. outputs with . If was a hash query where embedded the RSA challenge: , so . Then , and outputs as the RSA solution.

The probability is the challenge-embedded query is at least , giving a non-negligible RSA solver.

Bridge. The RSA-FDH construction is the foundational reason hash-then-sign works: the hash function randomises the message before the RSA operation, preventing algebraic attacks on structured messages, and this builds toward the Merkle-Damgard construction that extends fixed-size compression to arbitrary-length hashing. The central insight is that the hash function serves dual purposes—compressing the message to the RSA domain and randomising it to prevent exploitation of RSA's multiplicative structure—and this is exactly the pattern that appears again in 47.06.02 where hashing randomises the plaintext before RSA encryption (OAEP padding). Putting these together with the one-way function theory of 47.06.01 shows that collision-resistant hash functions can be built from one-way functions (via Naor-Yung UOWHFs), and this is the bridge between the abstract OWF and the concrete hash-then-sign paradigm.

Exercises Intermediate+

Lean formalization Intermediate+

Mathlib has no formalization of digital signature schemes, EUF-CMA security, or the Merkle-Damgard construction. The hash function framework in Mathlib is limited to basic function composition. A natural formalization target would be the Merkle-Damgard collision-resistance preservation proof, using Mathlib's List, Finset, and function composition structures. The EUF-CMA security proof would require modelling adversaries and oracles, which is beyond Mathlib's current scope. This unit ships without a lean_module.

Advanced results Master

Three results extend the signature and hash function framework.

Result 1 (Rompel's theorem: OWF implies signatures). Rompel (1990) proved that one-way functions are necessary and sufficient for the existence of EUF-CMA secure signature schemes. The sufficiency direction constructs a UOWHF from any OWF (via the Naor-Yung technique), then builds a tree-based signature scheme where each node in a Merkle tree authenticates its children. The construction is polynomial-time but impractical due to large constants. Practical signature schemes (RSA, DSA, EdDSA) use specific number-theoretic assumptions for efficiency [Rompel 1990].

Result 2 (sponge construction and SHA-3). The Keccak sponge construction (Bertoni, Daemen, Peeters and Van Assche, 2011), selected as SHA-3, uses a fixed-length permutation (where for SHA-3). The message is absorbed into the state in -bit blocks (rate ), with bits of capacity untouched. The output is squeezed from the state. The security proof shows that distinguishing the sponge output from random requires either inverting the permutation or finding a collision in the capacity part, both of which are assumed to be hard [Arora-Barak Ch. 9].

Result 3 (aggregate and multi-signatures). Boneh, Gentry, Lynn and Shacham (2003) introduced aggregate signatures, where signatures on different messages from different signers can be combined into a single short signature. This is achieved using bilinear pairings on elliptic curves: the pairing equation allows verification of multiple signatures simultaneously. Aggregate signatures are used in blockchain systems (certificates, block headers) to compress authentication data [Arora-Barak Ch. 9-10].

Synthesis. Digital signatures and collision-resistant hash functions form the authentication layer of cryptography: signatures provide unforgeable attestation, and hash functions provide the compression and randomisation that make signatures efficient and secure. The central insight is that the hash-then-sign paradigm reduces the security of the signature scheme to two independent assumptions (collision resistance of the hash and security of the underlying primitive), and this builds toward Rompel's theorem showing that the entire construction chain rests on one-way functions. This is exactly the pattern that appears again in 47.06.01 where OWFs provide the foundation, and it generalises to the full cryptographic stack: OWFs yield hash functions, hash functions yield signatures, and signatures yield authentication and non-repudiation. Putting these together with the zero-knowledge proofs of 47.06.03 shows that the Fiat-Shamir heuristic converts ZK identification protocols into signatures, bridging the privacy and authentication layers of cryptography.

Full proof set Master

Proposition 1 (Merkle-Damgard preserves collision resistance). If is a collision-resistant compression function, then the Merkle-Damgard hash built from with proper length padding is collision-resistant.

Proof. Suppose an adversary finds with . Let and after padding (which encodes the original message length in the final block).

Since and the length padding ensures different-length messages have different final blocks, there exists an index where the padded messages differ. Let be the largest index such that .

We have and . Since is the largest index where inputs differ, for all : . So (they propagate to the same final hash). Therefore with .

This is a collision in . So any collision in yields a collision in , contradicting 's collision resistance.

Proposition 2 (RSA-FDH security reduction). If there exists a PPT adversary that breaks EUF-CMA security of RSA-FDH with probability making hash queries, then there exists a PPT algorithm that solves the RSA problem with probability .

Proof. receives and must find with . picks a random index and simulates the random oracle:

  • For query : pick random and set .
  • For query : set .

When requests a signature on message : if was queried at index , return (since , so ). If was queried at , abort (cannot sign without knowing ). If was not queried, handle it as a new non- query.

outputs forgery . If (probability ), then , so is the RSA solution.

The probability succeeds is (subtracting the probability of aborting on a signing query for ).

Connections Master

  • 47.06.02 — RSA provides the trapdoor one-way function underlying RSA-FDH signatures; the same key generation and modular arithmetic appear in both encryption and signing.

  • 47.06.01 — One-way functions are the foundation: Rompel's theorem shows OWFs are necessary and sufficient for signatures, and collision-resistant hash functions are built from OWFs via the Naor-Yung construction.

  • 47.06.03 — The Fiat-Shamir heuristic converts zero-knowledge identification protocols into signature schemes; ZK protocols provide the interactive core that becomes non-interactive via hashing.

  • 47.05.01 — Universal hashing and pairwise independence are used in the birthday-bound analysis of collision resistance and in the Naor-Yung UOWHF construction.

Historical & philosophical context Master

The concept of digital signatures was introduced by Diffie and Hellman (1976) in the same paper that proposed public-key cryptography. The first practical signature scheme was RSA (1978), where signing is encryption with the private key.

The formal security definition (EUF-CMA) was given by Goldwasser, Micali and Rivest (1988), who also introduced the distinction between existential and universal forgery. The Rompel theorem (1990) showing that OWFs suffice for signatures was a landmark, establishing that the entire authentication infrastructure rests on the same minimal assumption as symmetric cryptography.

The practical importance of hash functions was underscored by the break of MD5 (Wang et al. 2004) and SHA-1 (Stevens et al. 2017), which demonstrated that collision resistance is a property of specific constructions, not an abstract guarantee. The transition to SHA-256 and SHA-3 is ongoing across the software ecosystem.

The philosophical lesson is that authentication, like encryption, reduces to computational hardness: the impossibility of forging a signature is no more absolute than the impossibility of factoring a number, but it is sufficient for practical purposes [Arora-Barak Ch. 9].

Bibliography Master

@book{arora2009computational,
  author    = {Arora, Sanjeev and Barak, Boaz},
  title     = {Computational Complexity: A Modern Approach},
  publisher = {Cambridge University Press},
  year      = {2009},
}
@inproceedings{rompel1990one,
  author    = {Rompel, John},
  title     = {One-Way Functions are Necessary and Sufficient for Secure Signatures},
  booktitle = {Proceedings of the 22nd ACM Symposium on Theory of Computing},
  year      = {1990},
  pages     = {387--394},
}
@inproceedings{naor1989universal,
  author    = {Naor, Moni and Yung, Moti},
  title     = {Universal One-Way Hash Functions and Their Cryptographic Applications},
  booktitle = {Proceedings of the 21st ACM Symposium on Theory of Computing},
  year      = {1989},
  pages     = {33--43},
}
@article{goldwasser1988digital,
  author  = {Goldwasser, Shafi and Micali, Silvio and Rivest, Ronald L.},
  title   = {A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks},
  journal = {SIAM Journal on Computing},
  volume  = {17},
  number  = {2},
  pages   = {281--308},
  year    = {1988},
}