Another Look at Some Isogeny Hardness Assumptions

Abstract

The security proofs for isogeny-based undeniable signature schemes have been based primarily on the assumptions that the One-Sided Modified SSCDH problem and the One-More SSCDH problem are intractable. We challenge the validity of these assumptions, showing that both the decisional and computational variants of these problems can be solved in polynomial time. We further demonstrate an attack, applicable to two undeniable signature schemes, one of which was proposed at PQCrypto 2014. The attack allows to forge signatures in \(2^{4\lambda /5}\) steps on a classical computer. This is an improvement over the expected classical security of \(2^{\lambda }\), where \(\lambda \) denotes the chosen security parameter.

A Undeniable (Blind) Signature Schemes

Undeniable signature schemes were introduced by Chaum and van Antwerpen [5], differing from traditional signature schemes in that verification of a signature cannot be completed without cooperation from the signer. Following the notation of [17] we denote an undeniable signature scheme \(\varSigma \) by

$$\varSigma = \{\texttt {KeyGen},\texttt {Sign},\texttt {Check},\texttt {Sim},\pi _{\textit{con}},\pi _{\textit{dis}}\}. $$

KeyGen is the PPT (probabalistic polynomial time) key generation algorithm, which outputs (vk, sk) - a verification and signing key, respectively. Sign is the PPT signing algorithm, taking a message m and sk as input to generate a signature \(\sigma \). Check is a deterministic validity checking algorithm, such that Check((vk,m,\(\sigma \)),sk) returns 1 if (\(m,\sigma \)) is a valid message-pair and 0 if not. Sim is a PPT algorithm outputting a simulated signature \(\sigma '\) on input of vk and m. Finally, \(\pi _{\textit{con}}\) and \(\pi _{\textit{dis}}\) are confirmation and disavowal protocols, respectively, with which the signer can prove the validity (or invalidity) of a signature to the verifier. These are zero-knowledge interactive protocols.

An undeniable signature scheme must satisfy undeniability, unforgeability and invisibility. We use the definitions as stated in [5, 8, 17]. An undeniable blind signature scheme must also satisfy blindness, as defined in [22].

Undeniability requires that a signer cannot use the disavowal protocol to deny a valid signature. A signer is also unable to convince the verifier that an invalid signature is valid.

Unforgeability is the notion that an adversary cannot compute a valid message-signature pair with non-negligible probability. It is defined using the following security game:

1. 1.

   The challenger generates a key pair, giving the verification key to the adversary.

2. 2.

   The adversary is given access to a signing oracle and makes queries adaptively with messages \(m_i\), for \(i = 1,2,\dots ,k\), for some k, receiving corresponding signatures \(\sigma _i\).

   1. (a)

      The adversary additionally has access to a confirmation/disavowal oracle for the protocol, which they can query adaptively with message-signature pairs throughout step 2.

3. 3.

   The adversary outputs a pair \((m,\sigma )\).

The adversary wins the game (i.e. successfully forges a signature) if \((m,\sigma )\) is a valid message-signature pair and \(m \ne m_i\) for any \(i = 1,2,\dots k\). A signature scheme is unforgeable if any PPT adversary wins with only negligible probability.

Invisibility requires that an adversary cannot distinguish between a valid signature and a simulated signature with non-negligible probability. It is defined by the following security game:

1. 1.

   The challenger generates a a key pair, giving the verification key to the adversary.

2. 2.

   The adversary is given access to a signing oracle and makes queries adaptively with messages \(m_i\), for \(i = 1,2,\dots ,k\), for some k, receiving corresponding signatures \(\sigma _i\).

   1. (a)

      The adversary additionally has access to a confirmation/disavowal oracle for the protocol, which they can query adaptively with message-signature pairs throughout step 2.

3. 3.

   The adversary sends a new message \(m_j\) to the challenger.

4. 4.

   The challenger computes a random bit b. If \(b=1\), the challenger computes \(\sigma = \texttt {Sign}(m_j,sk)\). If \(b=0\) the challenger computes \(\sigma = \texttt {Sim}(m_j,vk)\). The challenger sends \(\sigma \) to the adversary.

5. 5.

   The adversary is able to query the signing oracle again, with access to the confirmation/disavowal oracles. They cannot submit (\(m_j,\sigma \)) to either oracle.

6. 6.

   The adversary outputs a bit \(b^*\).

The adversary wins the game if \(b^*=b\). An undeniable signature scheme is invisible if \(\mid \)Pr(\(b=b^*\))\(-1/2\mid \) is negligible.

Blindness requires that an adversary cannot relate message-signature pairs with their associated blind versions with non-negligible probability. It is defined by the following security game:

1. 1.

   The adversary generates a key pair (sk, vk).

2. 2.

   The adversary chooses two messages, \(m_0\) and \(m_1\), and sends them to the challenger.

3. 3.

   The challenger computes a random bit b and reorders the messages as \((m_b, m_{b-1})\).

4. 4.

   The challenger blinds the messages and sends them to the adversary.

5. 5.

   The adversary signs the blinded messages, generating the signatures \(\sigma ^{blind}_b\) and \(\sigma ^{blind}_{b-1}\), which are returned to the challenger.

6. 6.

   The challenger applies an unblinding algorithm to \(\sigma ^{blind}_b\) and \(\sigma ^{blind}_{b-1}\) and reveals the unblinded signatures, \(\sigma _b\) and \(\sigma _{b-1}\), to the adversary.

7. 7.

   The adversary outputs a bit \(b'\).

The adversary wins if \(b' = b\). A signatures scheme is blind if \(\mid \)Pr(\(b=b^*\))\(-1/2\mid \) is negligible.