Chapter

Public Key Cryptography – PKC 2012

Volume 7293 of the series Lecture Notes in Computer Science pp 66-83

Waters Signatures with Optimal Security Reduction

  • Dennis HofheinzAffiliated withInstitut für Kryptographie und Sicherheit, Karlsruhe Institute of Technology
  • , Tibor JagerAffiliated withInstitut für Kryptographie und Sicherheit, Karlsruhe Institute of Technology
  • , Edward KnappAffiliated withDepartment of Combinatorics and Optimization, University of Waterloo

* Final gross prices may vary according to local VAT.

Get Access

Abstract

Waters signatures (Eurocrypt 2005) can be shown existentially unforgeable under chosen-message attacks under the assumption that the computational Diffie-Hellman problem in the underlying (pairing-friendly) group is hard. The corresponding security proof has a reduction loss of O(ℓ·q), where ℓ is the bitlength of messages, and q is the number of adversarial signature queries. The original reduction could meanwhile be improved to \(O(\sqrt{\ell}\cdot q)\) (Hofheinz and Kiltz, Crypto 2008); however, it is currently unknown whether a better reduction exists. We answer this question as follows:

  1. (a)

    We give a simple modification of Waters signatures, where messages are encoded such that each two encoded messages have a suitably large Hamming distance. Somewhat surprisingly, this simple modification suffices to prove security under the CDH assumption with a reduction loss of O(q).

     
  2. 1

    We also show that any black-box security proof for a signature scheme with re-randomizable signatures must have a reduction loss of at least Ω(q), or the underlying hardness assumption is false. Since both Waters signatures and our variant from (a) are re-randomizable, this proves our reduction from (a) optimal up to a constant factor.

     

Understanding and optimizing the security loss of a cryptosystem is important to derive concrete parameters, such as the size of the underlying group. We provide a complete picture for Waters-like signatures: there is an inherent lower bound for the security loss, and we show how to achieve it.

Keywords

Digital signatures Waters signatures provable security black-box reductions