Educación De Adultos: Una Mirada Freiriana.

1. Un breve recorrido de la Educación De Adultos en Colombia.

3.4. Educación De Adultos: Una Mirada Freiriana.

Our impossibility result for unique signatures also applies to the more general class ofrerandomiz- ablesignatures, which are signature schemes that need not be unique but are “efficiently rerandomizable” in the sense that there exists some algorithm Rerandwhich can select a rerandomization of a signature uniformly randomly from the set of possible signatures of a message. Formally:

Definition 8. Arerandomizable signature scheme is a tuple (Gen,Sign,Ver,Rerand) of prob- abilistic polynomial-time algorithms such that, for everyn∈N:

• Gen, on input 1n, produces a pair (pk, sk)

• Sign, on input (sk, m) for anym∈ {0,1}n_{, produces a signature}_σ_{. (We write}_σ _←_Sign

sk(m).) • Ver, on input (pk, m, σ), produces either AcceptorReject. (We writeout←Verpk(m, σ).) • Rerand, on input (pk, m, σ), produces a signature σ0. (We writeσ0 ←Rerandpk(m, σ).)

and, in addition, the following properties hold: • Correctness: For everyn∈N andm∈ {0,1}n:

Pr [(pk, sk)←Gen(1n) :Verpk(m,Signsk(m)) =Accept] = 1

• Rerandomizability: For anypk∈ {0,1}∗,m∈ {0,1}n_{, and}_σ_{∈ {}₀_,₁_}∗_{such that}_Ver

pk(m, σ) =

Accept, the output ofRerandpk(m, σ) is uniformly distributed over the set Σpk,m of all signa- turesσ0 whereVerpk(m, σ0) =Accept.

We note that this is of course a strict generalization of unique signatures, as we may take

Rerandpk(m, σ) = σ to trivially transform any unique signature scheme into a rerandomizable signature scheme.

The impossibility results presented in [HJK12,BJLS16] are generalized to the case of rerandomizable signatures, but are notably still restricted to the case of straight-line or “simple” reductions. Through a slight alteration to the meta-reduction we use to prove Theorem 2 for the case of unique signatures, we can generalize our result (for arbitrary fixed-parameter reductions and any bounded- round assumption) to rerandomizable signatures by proving the following analogue of Theorem 2:

Theorem 3. Let Π = (Gen,Sign,Ver,Rerand) be a rerandomizable signature scheme, and let (C, t(·)) be some r(·)-round intractability assumption for polynomial r(·). If there exists some fixed-parameter black-box reduction R for basing weak unforgeability of Π on the hardness of (C, t(·)), then either:

(1) Ris not a linear-preserving reduction, or

(2) there exists a polynomial-time adversary Bthat breaks the assumption (C, t(·)).

While it is tempting to believe that we could directly apply the ideal adversary A and meta- reduction B from Theorem 2 to show this, while simply using the rerandomizability property as a substitute for uniqueness (that is, have A and B respectively rerandomize their forgeries to guarantee that the results, and hence transcripts, are identically distributed), there is a subtle

• Initially, receive a messagepk, the public key; respond (i.e., generatem1) according to the next step fori= 1.

• On receiving a message consisting of a partial transcript τ = (pk, m1, σ1,· · · , mi−1, σi−1) for some i∈[`(n)], do the following:

– Generate mi by taking the firstn bits resulting from applying the oracleO to the input

(pk, i,Valid(O, τ)).

– Return the new partial transcriptτ||miwhich results from appendingmito the transcript

τ.

• On receiving a message consisting of a complete transcriptτ = (pk, m1, σ1,· · ·, m`(n), σ`(n)) (we shall refer to such a message as a “forgery request” or “end message”), do the following:

– IfValid(O, τ) returns 0, then return⊥.

– Otherwise, generate a random message m∗ (distinct from eachmi inτ) by applyingOto

the transcriptτ0, use brute force to find a signatureσ∗ for whichVerpk(m∗, σ∗) =Accept,

and return the forgery (m∗,Rerandpk(m∗, σ∗)).

LetValid(O, τ) be defined as follows: • Parseτ= (pk, m1, σ1, . . . , mk, σk).

• Verify that, for each signatureσi,Verpk(mi, σi) =Accept. If not true for alli, return 0.

• Verify that, for each messagemi,miis equal to the firstnbits resulting from applying the oracle

O to the input (pk, i,1). If not true for alli, then return 0. • Otherwise, return 1.

Figure 5: Formal description of the “ideal” adversaryAO for rerandomizable signatures.

issue that precludes doing so. In particular, it is no longer without loss of generality that R is unable to rewindA; instead, since we no longer have the uniqueness property, R may attempt to influence the signature queries generated byAby rewinding to a prior query and offering a different (valid) signature for the respective message, which will change the random transcript to which the oracleO is applied and thus influence subsequent queries from A.

Hence, we instead require the subtlely altered ideal adversary and meta-reduction presented in Figures 5 and 6, respectively. The key difference is that the input to the oracleO depends not on the prior responses from R, but only on whether the prior responses were valid; in this way, we can once again assert that Ris without loss of generality unable to rewind A (as, for a particular O, every sequence of valid responses from R will produce the same sequence of queries from A, irrespective of the responses themselves), while also preserving Claim 1 in that Rmust still give a valid response to each ofA’s queries in order to receive the correct subsequent queries fromA(and so it must still answer every query correctly, or guess the output of the random oracle, in order to receive a forgery).

Using this, we can now proceed to prove Theorem 3 in an identical manner to Theorem 2, with the aforementioned exception that, for the purposes of showing that A’s and B’s forgeries (now rerandomized before returning) are identically distributed in the case whereBsucceeds (i.e., Claim 3), we replace the uniqueness property with the fact that the rerandomizations of any two valid

• Set initial viewv← ⊥and setk←1. ExecuteR, updating the current viewvaccording to the following rules.

• When R begins a new instance of A and sends a public key pk, label this instance as instance k. Generate and store 2`(n) random queriesm~0k= (m

0 k,1, . . . , m 0 k,`(n)) andm~ 1 k= (m 1 k,1, . . . , m 1 k,`(n)) and a

target forgerym∗k. (Abort and returnFailifm

∗

kis equal to a message in eitherm~

∗

k.) Also letpkk←pk and initialize the forgeryfk← {}. Lastly, respond withτk∗=pkk||mk,1 and incrementk.

• WhenR attempts to communicate externally withC, forward the message, returnC’s response toR, and updatevaccordingly.

• WhenRsends a transcriptτ= (pk, mI,1, σI,1,· · ·, mI,j, σI,j) to some simulated instanceI ofA: – IfValid(τ, ~m1) = 1 then store the signatureσI,j.

– Ifj=`(n) (i.e., this is an end message), then do the following:

∗ If Valid(τ, ~m1I) = 0 or if there exists some j ∈ [`(n)] for which no response σI,j has been storeda_{, return}_⊥_.

∗ Otherwise, run the procedureRewinddetailed below for the instanceI.

∗ If, after running Rewind, there is a stored forgery fI = (m∗I, σ

∗

I), then return (m∗I,Rerandpk(m∗I, σ∗I)) and continue executing R as above. Otherwise, abort the entire execution ofBand returnFail.

– Lastly, respond withτ||mValid(τ, ~m1I)

I,j+1 and continue the execution ofR.

Rewindprocedure:

• Given instanceI, forj∈[`(n)] let (vjopen, v j

close) denote the slot corresponding to thej

signature query for instance I (i.e., the first instance whereB sends to R the messagem1I,j; note that there must be such an instance forBto have stored the respective signature).

• For eachj∈[`(n)], “rewind” the slot (vopenj , vclosej ) as follows: Letk

0_←

k, and begin executingRfrom the viewv0=vj

open||m

∗

I as in the main routine, with the following exceptions: – Replace any other instances of the messagem1I,jwithm

∗

I (e.g., ifRattempts to rewind and make a query to the same slot).

– WhenRbegins a new instance ofA, label this instance as instancek0 and incrementk0. (That is, continue creating new instances, but preserve the counterkin the outer execution for after the rewinding.)

– When Rattempts to communicate externally with C, abort the rewinding and continue to the next j.

– WhenRsends an end message for an instanceI0 6=I ofA, abort the rewinding and continue to the nextj,unless Rhas not sent responses to `(n) signature queries for that instance (in which case respond with⊥).

– Ifv0 ever contains a message whose transcript contains a responseσ∗I to any query form

∗

I, then, if it is the case thatVerpkI(m

∗

I, σ∗I) =Accept, storefi←(m∗I, σI∗) and end theRewindprocedure (i.e., return to the outer execution); otherwise, ifVerpkI(m

∗

I, σ

∗

I) =Reject, store nothing tofIand continue to the next j.

LetValid(τ, ~m1_{) be defined as follows:}

• Parseτ as (pk, m1, σ1,· · ·, mj, σj). If this fails, return 0.

• If, for anyj,Verpk(mj, σj) =Rejectormj6=m1j, then return 0. Otherwise, return 1.

a_{This can occur with at most negligible probability if}_Valid_{= 1, as in that case}_R_{would have to guess some}

element ofm~1.

signatures of the same message are by definition identically distributed. As the proof is identical aside from this detail, we omit it.

In document Educación de adultos en Bogotá D C (1992 1997) (página 82-86)