Lecturer: Moni Naor
Foundations of Cryptography
Lecture 14: Malleability, Chosen Ciphertext Attacks, Cramer-Shoup Cryptosystem
Recap of last week's lecture
– Black-box zero-knowledge
– Perfect and statistical zero-knowledge
• Limitations and relaxations
– Proofs of knowledge
• Public-key identification
– Random oracles
– Interactive authentication
Interactive Authentication
P wants to convince V that he is approving message m. P has a public key K_P of an encryption scheme E.
To authenticate a message m:
• V → P: Choose r ∈_R {0,1}^n. Send c = E(m ∘ r, K_P)
• P → V: Receiving c, decrypt c using K_S. Verify that the prefix of the plaintext is m. If yes, send r.
V is satisfied if he receives the same r he chose.
Is it Safe?
Security: existential unforgeability against adaptive chosen message attack
– Adversary can ask to authenticate any sequence of messages m_1, m_2, …
– Has to succeed in making V accept a message m that was not authenticated
– Has complete control over the channels
• Intuition of security: if E does not leak information about the plaintext, nothing is leaked about r
• If E is "just" semantically secure against chosen plaintext attacks:
– Adversary might change c = E(m ∘ r, K_P) into c' = E(m' ∘ r, K_P)
• Malleability: not sufficient to verify the correct form of the ciphertext in the simulation
• Closer to a chosen ciphertext attack
Encryption - Attacks
• Chosen Plaintext
– Minimal attack relevant to PKCs. Assumes decrypted messages remain secret.
• CCA1: Chosen Ciphertext - preprocessing mode (lunch-break)
– Challenge ciphertext is given after the adversary relinquishes control of the decryption device.
– Good model for membership queries in computational learning.
• CCA2: Chosen Ciphertext - postprocessing mode
– Challenge ciphertext is known when the attack takes place
– but the adversary cannot submit it!
Encryption - Notions of Breaking
• Semantic Security: whatever is computable about the plaintext given the ciphertext is computable without it.
– Minimal notion of security for single encrypter.
• Non-malleable security - whatever is computable in an encrypted form about the plaintext given the ciphertext is computable without it.
– Important for achieving independence of messages.
Application: auctions
• Bidders submit their bids
• Highest one should win
• Want to keep values secret until all bids are submitted, and bids independent of each other
Example: Auctions
Different requirements - different notions.
• Semantic security is not sufficient for guaranteeing the independence of bids.
• If the key is used for a single auction and secrecy is not required after the auction is over: non-malleable security against chosen plaintext attacks.
• If the key is used for many auctions and secrecy is not required after the auction is over: non-malleable security against chosen ciphertext attacks in the preprocessing mode.
• If the key is used for many auctions and secrecy is required after the auction is over: non-malleable security against chosen ciphertext attacks in the postprocessing mode.
Semantic Security
Whatever adversary A can compute on encrypted string X ∈ {0,1}^n, so can A' that does not see the encryption of X.
A selects:
• Distribution D_n on {0,1}^n
• Relation R(X,Y) - computable in probabilistic polynomial time
For every pptm A choosing a distribution D_n on {0,1}^n there is a pptm A' so that for all pptm relations R, for X ∈_R D_n,
|Pr[R(X, A(E(X)))] - Pr[R(X, A'(·))]| is negligible.
In other words: the outputs of A and A' are indistinguishable even for a tester who is aware of X.
[Figure: X ∈_R D_n; A is given E(X) and outputs Y, A' is given nothing and outputs Y; the tester evaluates R(X,Y) in both cases, and the two output distributions are ≈.]
Non-Malleable Security
Whatever adversary A can compute on encrypted string X ∈ {0,1}^n, so can A' that does not see the encryption of X.
A selects:
• Distribution D_n on {0,1}^n
• Relation R(X,Y) - computable in probabilistic polynomial time
For every pptm A choosing a distribution D_n on {0,1}^n there is a pptm A' so that for all pptm relations R, for X ∈_R D_n,
|Pr[R(X, D(A(E(X))))] - Pr[R(X, D(A'(·)))]| is negligible.
In other words: the outputs of A and A' are indistinguishable even for a tester who gets the decryptions of what they output.
[Figure: X ∈_R D_n; A is given E(X) and outputs a ciphertext, A' outputs a ciphertext without seeing E(X); each output is decrypted by D to Y and the tester evaluates R(X,Y); the two distributions are ≈. The definition must deal with invalid ciphertexts output by A.]
Combinations
Attacks: CPA, CCA1 (lunch-time), CCA2 (post-processing).
Notions of breaking: semantic security, non-malleability.
[Figure: grid of the six attack/notion combinations with the implications between them.]
All implications are proper.
All combinations are useful in some circumstances.
Principles for Increasing Security
Essentially all constructions achieving better than semantic security against chosen plaintext attacks use:
• Redundancy in the encryption.
• Validation that the ciphertext is of the right form.
Validation is the trickiest part.
• Relatively simple in:
– Private-key encryption
– Random oracles
Private-key World
Preventing CCA in the postprocessing mode: add private-key authentication.
• Shared key: S1 and S2, seeds to a pseudo-random function F
To encrypt m:
• Choose random r. Let Y = F_S1(r) ⊕ m and let Z = F_S2(r ∘ Y)
• Send (r, Y, Z)
To decrypt (r, Y, Z):
• Let Z' = F_S2(r ∘ Y).
– If Z' = Z let m = F_S1(r) ⊕ Y
– If Z' ≠ Z output invalid
Claim: the scheme is NM-secure against CCA2
• No adversary can generate another ciphertext that is not labeled invalid.
• No information from rejection!
DDN Lite: The Idea
Start with a PKC that is semantically secure against CPA.
• Have many different instances of the original scheme
• Each encryption should use a different subset of the keys – enforce by one-time signatures.
• Before decryption - verify consistency.
• Properties: if the original scheme is semantically secure against chosen plaintext attacks, the result is NM-secure against chosen plaintext attacks.
• If the original scheme is semantically secure against CCA in the preprocessing mode, the result is NM-secure against CCA in the preprocessing mode.
DDN Lite
Public-Key: ⟨K1^0, K1^1⟩, ⟨K2^0, K2^1⟩, …, ⟨Kn^0, Kn^1⟩ (each is the public key of a semantically secure PKC)
• A function h: {0,1}* → {0,1}^n - a UOWHF (hard to find a collision with a target input)
Private-Key: the decryption keys of {Ki^b}.
Encryption of a message m:
• Choose at random K_OS, the public key of a one-time signature scheme
• Let b1, b2, … bn = h(K_OS).
• Encrypt m using keys Ki^{bi} to obtain C1, C2, …, Cn.
• Sign ⟨C1, C2, … Cn⟩ using K_OS^{-1} and h; let S be the result
• Ciphertext is: K_OS, ⟨C1, …, Cn⟩, S.
Decryption of ciphertext K_OS, C1, … Cn, S:
• Verify the signature S on ⟨C1, C2, …, Cn⟩ using K_OS.
• Verify the consistency (equality) of all the plaintexts.
• Decrypt using any one of the keys.
Ideas for achieving resistance to CCA
• Add redundancy - hard to generate frivolous ciphertexts
• Add methods to check consistency
– This is the trickiest part:
• Non-interactive zero-knowledge
• Specific schemes
• Decrypt only if the given ciphertext passes the consistency checks
Important point: may decrypt with several different private keys
[Figure: two ciphertexts C1 and C2 with a proof of consistency between them.]
If we have consistency then we can decrypt with either key.
Proofs of consistency
• How to have a proof of consistency that does not leak the plaintext: Non-Interactive Zero-Knowledge (NIZK)
• How to make the proof itself non-malleable: otherwise one can change it and get a different ciphertext with the same plaintext
Approaches for obtaining CCA/NM
• General NIZK
• Specific NIZK – Cramer-Shoup: special verifier
• Through IBE – Identity Based Encryption
Discrete Log Problem
• Let G be a group and g an element in G.
• Let y = g^z and let x be the minimal non-negative integer satisfying the equation y = g^x. x is called the discrete log of y to base g.
• Example: y = g^x mod p in the multiplicative group of Z_p
• In general: easy to exponentiate via repeated squaring
– Consider the binary representation of the exponent
• What about discrete log?
– If difficult, f(g,x) = (g, g^x) is a one-way function
DL Assumption for group G:
• No efficient algorithm can solve whp the DL problem for Y = g^x with x ∈_R [0..n-1]
Discrete Log Problem
Very useful group for DL:
• P and Q: large primes, s.t. Q | P-1
• g: an element of order Q in Z_P^*.
Best known algorithms:
– √Q, or
– subexponential in log P
Randomized reduction: given Y generate Y' = Y·g^r for r ∈_R [Q]
Diffie-Hellman
The Diffie-Hellman assumption: let G be a group and g an element in G. Given g, X = g^a and Y = g^b it is hard to find Z = g^{ab}: for random a and b the probability that a poly-time machine outputs g^{ab} is negligible.
More accurately: a sequence of groups.
Don't know how to verify whether a given Z' is equal to g^{ab}.
Decisional Diffie-Hellman Problem
For a generator g of a group of size Q and a, b ∈ [Q]:
Given g, Y = g^a, X = g^b and Z, decide whether Z = g^{ab} or Z ≠ g^{ab}
Equivalent: is log_g Y = log_X Z?
DDH-Assumption:
• The DDH problem is hard in the worst case.
Average DDH
For a, b ∈_R [Q] and c which is either
– c = ab
– c ∈_R [Q]
Given Y = g^a and X = g^b and Z = g^c, decide whether Z = g^{ab} or Z ≠ g^{ab}
DDH-Assumption, average case:
• The DDH problem is hard for the above distribution
Worst to Average case reduction
Theorem: the average case and the worst case of the DDH-Assumption are equivalent.
• Given g^a and g^b and g^c (and P, Q)
• Sample r, s1, s2 ∈_R [Q]
• Compute
g^{a'} = (g^a)^r · g^{s1}
g^{b'} = g^b · g^{s2}
g^{c'} = (g^c)^r · (g^a)^{r s2} · (g^b)^{s1} · g^{s1 s2}
so that a' = ra + s1 mod Q, b' = b + s2 mod Q, and a'b' = rab + r a s2 + b s1 + s1 s2 mod Q.
c is either ab or not.
…Worst to average
If c = ab + e mod Q then
– a' = ra + s1 mod Q
– b' = b + s2 mod Q
– c' = a'b' + e·r mod Q
• Always: a' and b' are uniformly distributed.
• If e = 0, then c' = a'b'.
• Otherwise c' is uniform and independent in [Q].
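The re-randomization above, carried out in a constructed toy group (P = 10007 = 2Q + 1, Q = 5003, generator g = 4; far too small to be secure), as an added example that is not part of the lecture; the helper names rerandomize, is_ddh_tuple and demo are ours. It checks the exponent identities a' = ra + s1, b' = b + s2 and c' = a'b' + e·r on both a DDH tuple and a non-DDH one:

```python
import random

P, Q = 10007, 5003   # constructed toy primes with Q | P-1 (not a secure size)
G = 4                # 4 = 2^2 is a square in Z_P^*, hence lies in the order-Q subgroup
assert pow(G, Q, P) == 1 and G != 1

def rerandomize(ga, gb, gc, rng):
    """Map (g^a, g^b, g^c) to (g^a', g^b', g^c') with fresh r, s1, s2 as on the slide:
    a' = r*a + s1, b' = b + s2, c' = r*c + r*a*s2 + b*s1 + s1*s2 (all mod Q).
    r is drawn from [1, Q) so the instance is never collapsed by r = 0."""
    r, s1, s2 = rng.randrange(1, Q), rng.randrange(Q), rng.randrange(Q)
    ga2 = pow(ga, r, P) * pow(G, s1, P) % P
    gb2 = gb * pow(G, s2, P) % P
    gc2 = pow(gc, r, P) * pow(ga, r * s2, P) * pow(gb, s1, P) * pow(G, s1 * s2, P) % P
    return (ga2, gb2, gc2), (r, s1, s2)

def is_ddh_tuple(ga, gb, gc, a):
    """Decide with the trapdoor a (known only to whoever built the instance):
    (g^a, g^b, g^c) is a DDH tuple iff g^c == (g^b)^a."""
    return gc == pow(gb, a, P)

def demo(seed=7):
    rng = random.Random(seed)
    a, b = rng.randrange(1, Q), rng.randrange(1, Q)
    e = rng.randrange(1, Q)                     # nonzero offset: c = ab + e is NOT a DDH tuple
    ga, gb = pow(G, a, P), pow(G, b, P)
    out = {}
    # worst-case instance with c = ab: after re-randomization it is still a DDH tuple
    (ga2, gb2, gc2), (r, s1, s2) = rerandomize(ga, gb, pow(G, a * b, P), rng)
    a2 = (r * a + s1) % Q                       # the new exponent a' as on the slide
    out["ddh_stays_ddh"] = is_ddh_tuple(ga2, gb2, gc2, a2)
    out["a_prime_matches"] = ga2 == pow(G, a2, P)
    # worst-case instance with c = ab + e: becomes c' = a'b' + r*e, still not a DDH tuple
    (ga2, gb2, gc2), (r, s1, s2) = rerandomize(ga, gb, pow(G, a * b + e, P), rng)
    a2, b2 = (r * a + s1) % Q, (b + s2) % Q
    out["non_ddh_stays_non_ddh"] = not is_ddh_tuple(ga2, gb2, gc2, a2)
    out["c_prime_formula"] = gc2 == pow(G, (a2 * b2 + r * e) % Q, P)
    return out
```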
Evidence for Validity of DDH
• Endured extensive research on DH search
– DH-search is related to discrete log
• Hard for generic algorithms (that work in a black-box group)
• Computing the most significant bits of g^{ab} is hard
• Random self-reducibility.
El-Gamal Cryptosystem variant:
• Private key a ∈_R [Q]
• Public key Y = g^a and P, Q and h
• To encrypt M
– choose r ∈_R [Q], compute X = g^r and Y^r
– send ⟨X, h(Y^r) ⊕ M⟩
• To decrypt ⟨X, W⟩:
– compute X^a = Y^r and
– output h(X^a) ⊕ W
How is h chosen? Pairwise independence suffices.
[Figure: h maps the subgroup of size Q of Z_P into {0,1}^k.]
El-Gamal Security
Under the DDH assumption the cryptosystem is semantically secure against chosen plaintext attacks,
but...
• Scheme is malleable
– To change M to M' = M ⊕ C: change ⟨X, W⟩ to ⟨X, W ⊕ C⟩
Proving consistency of exponentiations
• Given generators g1, g2 and X1, X2: is there an r where X1 = g1^r and X2 = g2^r?
Honest-verifier zero-knowledge proof:
– Verifier sends Z = g1^{b1} g2^{b2} for random b1, b2
– Prover sends V = Z^r
– Verifier accepts iff X1^{b1} X2^{b2} = V
Simulator: choose random b1, b2 and output (g1^{b1} g2^{b2}, X1^{b1} X2^{b2})
Leaks only a linear equation for b1 and b2
Soundness: if X1 = g1^r and X2 = g2^{r+e} then
X1^{b1} X2^{b2} = g1^{r b1} g2^{(r+e) b2} = g1^{r b1} g2^{r b2} g2^{e b2} = Z^r (g2^e)^{b2},
which is random in the group (for e ≠ 0).
Note: Z can be known when X1 and X2 are chosen!
Cramer-Shoup Lite
• Private key: a, b1, b2 ∈_R [Q]
• Public key:
– g1, g2, Y = g1^a and Z = g1^{b1} g2^{b2}
• To encrypt M
– choose r ∈_R [Q]
– compute Y^r, X1 = g1^r, X2 = g2^r and Z^r
– send ⟨X1, X2, h(Y^r) ⊕ M, Z^r⟩
• To decrypt ⟨X1, X2, W, V⟩
– check validity: X1^{b1} X2^{b2} = V, and if yes
– compute X1^a = Y^r. Output h(Y^r) ⊕ W
Cramer-Shoup Complexity
• Encryption: 4 modular exponentiations
• Decryption: 3 modular exponentiations
Cramer-Shoup Security
Under the DDH assumption the cryptosystem is semantically secure against chosen plaintext attacks.
Show that the scheme is secure against chosen ciphertext attacks (preprocessing),
but...
• Scheme is malleable
– To change M to M' = M ⊕ C: change W to W ⊕ C and leave X1, X2 and V unchanged
Chosen Ciphertext Attacks - Lunchtime
Adversary T has temporary access to a decryption oracle. Then it is given a challenge.
• Semantic security: the adversary chooses two messages ⟨M0, M1⟩
• For d ∈_R {0,1} it is given E(M_d) and has to guess d.
Let p_d = Pr[T(E(M_d)) = '1' | d]
• T wins if |p1 - p0| is non-negligible (this gap is T's advantage)
Proof of security
Show how to use an adversary that can break the CS scheme for breaking DDH.
Given ⟨g1, g2, X1, X2⟩ want to distinguish
• X1 = g1^r, X2 = g2^r for r ∈_R [Q] and random g1, g2
or
• X1 = g1^{r1}, X2 = g2^{r2} for r1, r2 ∈_R [Q] and random g1, g2
…Proof of security - simulation
Given ⟨g1, g2, X1, X2⟩ generate
• Private key a1, a2, b1, b2 ∈_R [Q] and
• Public key ⟨g1, g2, Y = g1^{a1} g2^{a2}, Z = g1^{b1} g2^{b2}⟩
• To decrypt ⟨X'1, X'2, W, V⟩
– check X'1^{b1} X'2^{b2} = V and if it passes
– compute X'1^{a1} X'2^{a2} = Y^r. Output h(Y^r) ⊕ W
Normal operation, independent of X1, X2
…Proof of security - simulation
When the adversary chooses ⟨M0, M1⟩: for d ∈_R {0,1} generate the ciphertext
⟨X1, X2, h(X1^{a1} X2^{a2}) ⊕ M_d, V = X1^{b1} X2^{b2}⟩
Claim:
If log_{g1} X1 = log_{g2} X2 then the ciphertext is valid
If log_{g1} X1 ≠ log_{g2} X2 then the ciphertext is inconsistent and independent of d
Important property of scheme
For both the real and the simulated scheme:
• no (even powerful) adversary can find an inconsistent ciphertext that is considered 'valid'.
• Key point: b1 and b2 are random in [Q]. Z = g1^{b1} g2^{b2} reveals one linear equation; there are still Q possibilities for (b1, b2).
Inconsistent = Invalid
• Each candidate ciphertext ⟨X'1, X'2, W', V'⟩ such that log_{g1} X'1 ≠ log_{g2} X'2 can be viewed as a query on the value (b1, b2).
• With probability 1 - 1/Q the answer is invalid
• Whp (1 - q/Q) the adversary never gets a decryption of an invalid ciphertext
• No "information" from rejection!
• No decryption of a consistent ciphertext reveals information regarding a1, a2: Y = g1^{a1} g2^{a2} reveals one linear equation, and decryptions do not reveal more equations
• The only inconsistent ciphertext that the adversary sees is the challenge ciphertext.
If log_{g1} X1 ≠ log_{g2} X2 then the ciphertext is invalid and independent of d
• Let p0 = Pr[T(E(M0)) = '1' | d = 0]
p1 = Pr[T(E(M1)) = '1' | d = 1]
p' = Pr[T outputs '1' | ciphertext is invalid]
If |p1 - p0| is at least T's advantage, then either |p1 - p'| or |p0 - p'| is at least half of it.
Can distinguish DDH with half of T's advantage.
Cramer-Shoup: Full Strength
• Private key: a, b1, b2, c1, c2 ∈_R [Q]
• Public key:
– g1, g2, Y = g1^a, Z = g1^{b1} g2^{b2}, Z' = g1^{c1} g2^{c2} and H (a one-way hash, a UOWHF)
• To encrypt M, choose r ∈_R [Q] and
– compute Y^r, X1 = g1^r, X2 = g2^r, W = h(Y^r) ⊕ M and H(W, X1, X2)
– send ⟨X1, X2, W, Z^r · Z'^{r·H(W, X1, X2)}⟩
• To decrypt ⟨X1, X2, W, V⟩
– check validity: X1^{b1 + c1·H(W, X1, X2)} X2^{b2 + c2·H(W, X1, X2)} = V, and if it passes
– compute X1^a = Y^r. Output h(Y^r) ⊕ W
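Cramer-Shoup Lite and the full-strength scheme side by side, as an added example (not the lecture's or Cramer and Shoup's code) in a constructed toy group P = 10007 = 2Q + 1, Q = 5003 (far too small to be secure). Two simplifications are assumed: messages are group elements masked by multiplication with Y^r instead of h(Y^r) ⊕ M, so the El-Gamal-style mauling of W by a factor C turns M into M·C, and SHA-256 reduced mod Q stands in for the UOWHF H. The demo shows the consistency check X1^{b1} X2^{b2} = V rejecting an inconsistent (X1, X2), the Lite scheme still decrypting a mauled W to M·C, and the full scheme rejecting that same mauling:

```python
# Toy group: P = 10007 = 2*Q + 1, Q = 5003 (constructed for illustration, far too small)
import hashlib
import random
P, Q = 10007, 5003

def group_element(rng):
    """Random element of order Q: the square of a random h in [2, P-2] (never 1 mod P)."""
    return pow(rng.randrange(2, P - 1), 2, P)

def multi_exp(bases, exps):
    """Product of bases[i]^exps[i] mod P, e.g. X1^b1 * X2^b2."""
    acc = 1
    for b, e in zip(bases, exps):
        acc = acc * pow(b, e, P) % P
    return acc

# Cramer-Shoup Lite: validity check X1^b1 X2^b2 = V (the consistency proof; CCA1 only)
def lite_keygen(rng):
    g1, g2 = group_element(rng), group_element(rng)
    a, b1, b2 = (rng.randrange(1, Q) for _ in range(3))  # nonzero keeps the demo deterministic
    return (g1, g2, pow(g1, a, P), multi_exp((g1, g2), (b1, b2))), (a, b1, b2)
def lite_encrypt(pk, M, rng):
    g1, g2, Y, Z = pk
    r = rng.randrange(1, Q)
    return pow(g1, r, P), pow(g2, r, P), pow(Y, r, P) * M % P, pow(Z, r, P)
def lite_decrypt(sk, ct):
    a, b1, b2 = sk
    X1, X2, W, V = ct
    if multi_exp((X1, X2), (b1, b2)) != V:      # inconsistent exponents: output "invalid"
        return None
    return W * pow(pow(X1, a, P), -1, P) % P   # W / Y^r, since X1^a = Y^r

# Full strength: H(W, X1, X2) is folded into the check, so W can no longer be mauled
def H(W, X1, X2):  # SHA-256 mod Q stands in for the lecture's UOWHF (assumption)
    return int.from_bytes(hashlib.sha256(f"{W},{X1},{X2}".encode()).digest(), "big") % Q
def full_keygen(rng):
    g1, g2 = group_element(rng), group_element(rng)
    a, b1, b2, c1, c2 = (rng.randrange(1, Q) for _ in range(5))
    pk = (g1, g2, pow(g1, a, P), multi_exp((g1, g2), (b1, b2)), multi_exp((g1, g2), (c1, c2)))
    return pk, (a, b1, b2, c1, c2)
def full_encrypt(pk, M, rng):
    g1, g2, Y, Z, Z2 = pk
    r = rng.randrange(1, Q)
    X1, X2 = pow(g1, r, P), pow(g2, r, P)
    W = pow(Y, r, P) * M % P
    return X1, X2, W, pow(Z, r, P) * pow(Z2, r * H(W, X1, X2), P) % P  # V = Z^r Z'^(r*H)
def full_decrypt(sk, ct):
    a, b1, b2, c1, c2 = sk
    X1, X2, W, V = ct
    h = H(W, X1, X2)
    if multi_exp((X1, X2), (b1 + c1 * h, b2 + c2 * h)) != V:
        return None
    return W * pow(pow(X1, a, P), -1, P) % P

def demo(seed=3):
    rng = random.Random(seed)
    M, C = group_element(rng), group_element(rng)   # message and El-Gamal-style multiplier
    pk, sk = lite_keygen(rng)
    X1, X2, W, V = lite_encrypt(pk, M, rng)
    out = {"lite_decrypts": lite_decrypt(sk, (X1, X2, W, V)) == M,
           # log_g1 X1 != log_g2 X2: caught by the consistency check
           "lite_rejects_inconsistent": lite_decrypt(sk, (X1 * pk[0] % P, X2, W, V)) is None,
           # ... but W alone can be mauled: decrypts to M*C, exactly as for El-Gamal
           "lite_malleable": lite_decrypt(sk, (X1, X2, W * C % P, V)) == M * C % P}
    pk, sk = full_keygen(rng)
    X1, X2, W, V = full_encrypt(pk, M, rng)
    out["full_decrypts"] = full_decrypt(sk, (X1, X2, W, V)) == M
    out["full_rejects_mauled_W"] = full_decrypt(sk, (X1, X2, W * C % P, V)) is None
    return out
```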
Cramer-Shoup (full strength) Security
Under the DDH assumption the cryptosystem is
• non-malleable against
• chosen ciphertext attacks in postprocessing mode
Conclusions
• The CS scheme is within a multiplicative constant of ``vanilla'' Diffie-Hellman, yet enjoys provable resistance to CCA
• Authentication: given CCA resistance, the only known Diffie-Hellman based public-key authentication
– can be used for deniable authentication
Interactive Authentication
P wants to convince V that he is approving message m. P has a public key K_P of an encryption scheme E.
To authenticate a message m:
• V → P: Choose r ∈_R {0,1}^n. Send c = E(m ∘ r, K_P)
• P → V: Receiving c, decrypt c using K_S. Verify that the prefix of the plaintext is m. If yes, send r.
V is satisfied if he receives the same r he chose.
Is it Safe?
Want: existential unforgeability against adaptive chosen message attack
– Adversary can ask to authenticate any sequence m_1, m_2, …
– Has to succeed in making V accept a message m that was not authenticated
– Has complete control over the channels
• Intuition of security: if E does not leak information about the plaintext, nothing is leaked about r
• Several problems: if E is "just" semantically secure against chosen plaintext attacks:
– Adversary might change c = E(m ∘ r, K_P) into c' = E(m' ∘ r, K_P)
• Malleability: not sufficient to verify the correct form of the ciphertext in the simulation
• Closer to a chosen ciphertext attack
No receipts
• Can the verifier convince third party that the prover approved a certain message?
Authentication and Non-Repudiation
• Key idea of modern cryptography [Diffie-Hellman]: can make authentication (signatures) transferable to a third party - non-repudiation.
– Essential to contract signing, e-commerce…
• Digital signatures: last 25 years, major effort in
– Research: notions of security; computationally efficient constructions
– Technology, infrastructure (PKI), commerce, legal
Is non-repudiation always desirable?
Not necessarily so:
• Privacy of conversation, no (verifiable) record.
– Do you want everything you ever said to be held against you?
• If Bob pays for the authentication, he shouldn't be able to transfer it for free
• Perhaps can gain efficiency
Alternative: (Plausible) Deniability
If the recipient (or any recipient) could have generated the conversation himself, or an indistinguishable one.
Deniable Authentication
Setting:
• Sender has a public key known to the receiver
• Want an authentication scheme such that the receiver keeps no receipt of the conversation.
This means:
• Any receiver could have generated the conversation itself.
– There is a simulator that for any message m and verifier V* generates an indistinguishable conversation.
– Exactly as in zero-knowledge!
– An example where zero-knowledge is the end, not the means!
Proof of security consists of unforgeability and deniability
Ring Signatures and Authentication
Can we keep the sender anonymous?
Idea: prove that the signer is a member of an ad hoc set
– Other members do not cooperate
– Use their 'regular' public keys
• Encryption
– Should be indistinguishable which member of the set is actually doing the authentication
[Figure: Bob, Alice?, Eve as possible signers in the ring.]
A Public Key Authentication Protocol
P has a public key PK of an encryption scheme E.
To authenticate a message m:
• V → P: Choose r ∈_R {0,1}^n and random bits ρ ∈ {0,1}* (ρ names the coins used by E). Send Y = E(PK, m∘r, ρ)
• P → V: Verify that the prefix of the plaintext is indeed m. If yes, send r.
V accepts iff the received r' = r
Is it unforgeable? Is it deniable?
Security of the scheme
Unforgeability: depends on the strength of E
• Sensitive to malleability:
– if given E(PK, m∘r, ρ) one can generate E(PK, m'∘r', ρ') where m' is related to m and r' is related to r, then one can forge.
• The protocol allows a chosen ciphertext attack on E.
– Even of the post-processing kind!
• Can prove that any strategy for existential forgery can be translated into a CCA strategy on E
• Works even against concurrent executions.
Deniability: does V retain a receipt?
– It does not retain one for an honest V
– Need to prove knowledge of r
We saw an encryption scheme satisfying the desired requirements
Simulator for honest receiver
Choose r ∈_R {0,1}^n. Output: ⟨Y = E(PK, m∘r, ρ), r, ρ⟩
Has exactly the same distribution as a real conversation when the verifier is following the protocol (statistical indistinguishability)
A verifier might cheat by checking whether certain ciphertexts have m as a prefix; no known concrete way of doing harm this way
Encryption as Commitment
When the public key PK is fixed and known, Y = E(PK, x, ρ) can be seen as a commitment to x
To open x: reveal ρ, the random bits used to create Y
Perfect binding: from unique decryption. For any Y there are no two different x and x' and ρ and ρ' s.t. Y = E(PK, x, ρ) = E(PK, x', ρ')
Secrecy: no information about x is leaked to those not knowing the private key PS
Deniable Protocol
P has a public key PK of an encryption scheme E.
To authenticate message m:
• V → P: Choose x ∈_R {0,1}^n. Send Y = E(PK, m∘x, ρ)
• P → V: Send E(PK, x, ρ') (P commits to the value x; does not want to reveal it yet)
• V → P: Send x and ρ - opening Y = E(PK, m∘x, ρ)
• P → V: Open E(PK, x, ρ') by sending ρ'.
Security of the scheme
Unforgeability: as before - depends on the strength of E
– can simulate the previous scheme (with access to D(PK, ·))
Important property: E(PK, x, ρ') is a non-malleable commitment (w.r.t. the encryption) to x.
Deniability: can run a simulator:
• Extract x by running with E(PK, garbage, ρ') and rewinding
• Expected polynomial time
• Need the semantic security of E - it acts as a commitment scheme
Ring Signatures and Authentication
Want to keep the sender anonymous by proving that the signer is a member of an ad hoc set
– Other members do not cooperate
– Use their 'regular' public keys
– Should be indistinguishable which member of the set is actually doing the authentication
[Figure: Bob, Alice?, Eve as possible signers in the ring.]
Ring Authentication Setting
• A ring is an arbitrary set of participants including the authenticator
• Each member i of the ring has a public encryption key PK_i
– Only i knows the corresponding secret key PS_i
• To run a ring authentication protocol both sides need to know PK_1, PK_2, …, PK_n, the public keys of the ring members
An almost Good Ring Authentication Protocol
Ring has public keys PK_1, PK_2, …, PK_n of encryption scheme E
To authenticate message m with the jth decryption key PS_j:
• V → P: Choose x ∈_R {0,1}^n. Send E(PK_1, m∘x, r_1), E(PK_2, m∘x, r_2), …, E(PK_n, m∘x, r_n)
• P → V: Decrypt E(PK_j, m∘x, r_j) using PS_j and send E(PK_1, x, t_1), E(PK_2, x, t_2), …, E(PK_n, x, t_n)
• V → P: Open all the E(PK_i, m∘x, r_i) by sending x and r_1, r_2, …, r_n
• P → V: Verify consistency and open all E(PK_i, x, t_i) by sending t_1, t_2, …, t_n
Problem: what if not all suffixes (x's) are equal?
The Ring Authentication Protocol
Ring has public keys PK_1, PK_2, …, PK_n of encryption scheme E
To authenticate message m with the jth decryption key PS_j:
• V → P: Choose x ∈_R {0,1}^n. Send E(PK_1, m∘x, r_1), E(PK_2, m∘x, r_2), …, E(PK_n, m∘x, r_n)
• P → V: Decrypt E(PK_j, m∘x, r_j) using PS_j and send E(PK_1, x_1, t_1), E(PK_2, x_2, t_2), …, E(PK_n, x_n, t_n), where x = x_1 + x_2 + … + x_n
• V → P: Open all the E(PK_i, m∘x, r_i) by sending x and r_1, r_2, …, r_n
• P → V: Verify consistency and open all E(PK_i, x_i, t_i) by sending t_1, t_2, …, t_n and x_1, x_2, …, x_n
Complexity of the scheme
Sender: single decryption, n encryptions and n encryption verifications
Receiver: n encryptions and n encryption verifications
Communication Complexity: O(n) public-key encryptions
Security of the scheme
Unforgeability: as before (assuming all keys are well chosen), since
E(PK_1, x_1, t_1), E(PK_2, x_2, t_2), …, E(PK_n, x_n, t_n), where x = x_1 + x_2 + … + x_n,
is a non-malleable commitment to x
Source hiding: which key was used (among well chosen keys) is
– Computationally indistinguishable during the protocol
– Statistically indistinguishable after the protocol
• If it ends successfully
Deniability: Can run the simulator 'as before'
Properties of the Scheme
• Works with any good encryption scheme - members of the ring are unwilling participants.
• Fairly efficient scheme:
– Need n encryptions, n verifications and one decryption
• Can extend the scheme so as to convince a verifier that at least k members confirm the message.
• What are the social implications of the existence of ring authentication?
Sources
• Dolev, Dwork and Naor: Non-Malleable Cryptography, SIAM J. Computing, 2000; also SIAM Review, 2003.
• Cramer and Shoup: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack (see www.shoup.net).
• Lindell: A Simpler Construction of CCA2-Secure Public-Key Encryption Under General Assumptions. Eurocrypt 2003.
Question: zero-knowledge protocol for subset sum
• Give a direct protocol (i.e. not through a reduction to Hamiltonicity) for the subset sum problem
• Subset sum problem: given
– n numbers 0 ≤ a_1, a_2, …, a_n < 2^m
– Target sum T
– Is there a subset S ⊆ {1,...,n} such that Σ_{i∈S} a_i = T mod 2^m?
Question: statistically hiding, computationally binding commitments from collision intractable hash functions
• Goal: construct a commitment scheme where
• the induced distribution of the transcript is (nearly) independent of the string committed to
• no PPT sender can (with probability 1 - negligible) reveal two different strings following the commit phase.
Protocol for committing to a bit b. Let H be a family of collision intractable hash functions.
Commit:
• Receiver: choose h ∈ H and give it to the sender
• Sender: choose random z and r. Send h(z), r and ⟨z·r⟩ ⊕ b (inner product over GF[2])
Reveal: publish z
Prove that the protocol satisfies the above requirements.
Find the error
Let E be a public-key encryption scheme which is errorless. Let H be a family of collision intractable hash functions.
Commit: Sender chooses
• a key (K_P, K_S) for E and h ∈ H, and sends h, K_P, E(K_P, x), h(x ∘ E(K_P, x))
Reveal: publish K_S
Show that there exists a family H of collision intractable hash functions such that the scheme is insecure for any E (assuming collision intractable hash functions exist).