CryptoDB
Sandwich BUFF: Achieving Non-Resignability Using Iterative Hash Functions
Authors: |
|
---|---|
Download: | |
Conference: | TCC 2025 |
Abstract: | We revisit the BUFF transform, which was proposed by Cremers et al. (S&P'21) as a means to achieve security properties beyond standard unforgeability for digital signature schemes. One of these properties, non-resignability (NR), has recently drawn some attention due to a strong impossibility result for the original definition of the property. Recent follow-up work then considered a variant (sNR) of the original definition, and showed that it is satisfied by the BUFF transform when the underlying hash function is modeled as a random oracle --- while the original impossibility result still applies for the plain model. This raises the natural question of whether the BUFF transform satisfies sNR in a more fine-grained use of the random oracle model, when we consider a real-life iterative-hash-function design (such as Merkle-Damgard or Sponge) and instead idealize the round function. Our discoveries in this direction are two-fold: First, contrary to what one might expect, we show that there is a simple attack on the non-resignability property sNR of the BUFF-transform when instantiated with an iterative hash function. The attack relies on leaking an intermediate result of the hash computation to the adversary who is challenged to ``resign'' the message. This negative result once more shows the subtlety in the non-resignability property. Second, on the positive side, we propose a small modification to the original BUFF transform, which we call Sandwich BUFF (for reasons to become clear), and prove the non-resignability property sNR of Sandwich BUFF both for Merkle-Damgard-based hash functions in the random oracle model, and for Sponge-based hash functions in the random permutation model. |
BibTeX
@inproceedings{tcc-2025-36244, title={Sandwich BUFF: Achieving Non-Resignability Using Iterative Hash Functions}, publisher={Springer-Verlag}, author={Serge Fehr and Yu-Hsuan Huang and Julia Kastner}, year=2025 }