Chapter

Information Security and Cryptology – ICISC 2012

Volume 7839 of the series Lecture Notes in Computer Science pp 456-471

Galindo-Garcia Identity-Based Signature Revisited

  • Sanjit Chatterjee (Dept. of Computer Science and Automation, Indian Institute of Science)
  • Chethan Kamath (Dept. of Computer Science and Automation, Indian Institute of Science)
  • Vikas Kumar (Dept. of Computer Science and Automation, Indian Institute of Science)

Abstract

At Africacrypt 2009, Galindo-Garcia [12] proposed a lightweight identity-based signature (IBS) scheme based on the Schnorr signature. The construction is simple and is claimed to be the most efficient IBS to date. Its security is based on the discrete-log assumption, and the security argument consists of two reductions, \(\mathcal{B}_{1}\) and \(\mathcal{B}_{2}\), both of which use the multiple-forking lemma [4] to solve the discrete-log problem (DLP).

In this work, we revisit the security argument given in [12]. Our contributions are twofold: (i) we identify several problems in the original argument and (ii) we provide a detailed new security argument which allows significantly tighter reductions. In particular, we show that the reduction \(\mathcal{B}_{1}\) in [12] fails in the standard security model for IBS [1], while the reduction \(\mathcal{B}_{2}\) is incomplete. To remedy these problems, we adopt a two-pronged approach. First, we sketch ways to fill the gaps by making minimal changes to the structure of the original security argument; then, we provide a new security argument. The new argument consists of three reductions, \(\mathcal{R}_{1}\), \(\mathcal{R}_{2}\) and \(\mathcal{R}_{3}\), and in each of them, solving the DLP is reduced to breaking the IBS. \(\mathcal{R}_{1}\) uses the general forking lemma [2] together with the programming of the random oracles and Coron’s technique [8]. Reductions \(\mathcal{R}_{2}\) and \(\mathcal{R}_{3}\), on the other hand, use the multiple-forking lemma along with the programming of the random oracles. We show that the reductions \(\mathcal{R}_{1}\) and \(\mathcal{R}_{2}\) are significantly tighter than their original counterparts.

Keywords

Identity-based signatures; Galindo-Garcia identity-based signature; Schnorr signatures; Forking lemma; Discrete-log assumption