Journal of Cryptology

, Volume 32, Issue 1, pp 84–150 | Cite as

On the Tightness of Forward-Secure Signature Reductions

  • Michel AbdallaEmail author
  • Fabrice Benhamouda
  • David Pointcheval


In this paper, we revisit the security of factoring-based signature schemes built via the Fiat–Shamir transform and show that they can admit tighter reductions to certain decisional complexity assumptions such as the quadratic-residuosity, the high-residuosity, and the \(\phi \)-hiding assumptions. We do so by proving that the underlying identification schemes used in these schemes are a particular case of the lossy identification notion introduced by Abdalla et al. at Eurocrypt 2012. Next, we show how to extend these results to the forward-security setting based on ideas from the Itkis–Reyzin forward-secure signature scheme. Unlike the original Itkis–Reyzin scheme, our construction can be instantiated under different decisional complexity assumptions and has a much tighter security reduction. Moreover, we also show that the tighter security reductions provided by our proof methodology can result in concrete efficiency gains in practice, both in the standard and forward-security setting, as long as the use of stronger security assumptions is deemed acceptable. Finally, we investigate the design of forward-secure signature schemes whose security reductions are fully tight.


Forward security Digital signatures Reduction tightness Lossy identification 



We would like to thank Mihir Bellare and Eike Kiltz for their helpful comments on a preliminary version of this paper, the anonymous referees of PKC 2013 for their valuable input, and Benoît Libert for his discussion with the second author on simulation-sound NIZK and random oracles. We would also like to thank the anonymous reviewers for Journal of Cryptology for their insightful comments. This work was supported in part by the French ANR-10-SEGI-015 PRINCE Project, in part by the CFM Foundation, and in part by the European Commission through the FP7-ICT-2011-EU-Brazil Program under Contract 288349 SecFuNet and the ICT Program under Contract ICT-2007-216676 ECRYPT II. The second author was supported in part by the Defense Advanced Research Projects Agency (DARPA) and Army Research Office (ARO) under Contract No. W911NF-15-C-0236.

Supplementary material


  1. 1.
    M. Abdalla, J.H. An, M. Bellare, C. Namprempre, From identification to signatures via the Fiat–Shamir transform: minimizing assumptions for security and forward-security, in EUROCRYPT 2002. LNCS, vol. 2332 (Springer, Heidelberg, 2002), pp. 418–433Google Scholar
  2. 2.
    M. Abdalla, J.H. An, M. Bellare, C. Namprempre, From identification to signatures via the Fiat-Shamir transform: Necessary and sufficient conditions for security and forward-security. IEEE Trans. Inf. Theory 54(8), 3631–3646 (2008)MathSciNetCrossRefzbMATHGoogle Scholar
  3. 3.
    M. Abdalla, F. Ben Hamouda, D. Pointcheval, Tighter reductions for forward-secure signature schemes, in PKC 2013. LNCS, vol. 7778 (Springer, Heidelberg, 2013), pp. 292–311Google Scholar
  4. 4.
    M. Abe, B. David, M. Kohlweiss, R. Nishimaki, M. Ohkubo, Tagged one-time signatures: Tight security and optimal tag size, in PKC 2013. LNCS, vol. 7778 (Springer, Heidelberg, 2013), pp. 312–331Google Scholar
  5. 5.
    M. Abdalla, P.-A. Fouque, V. Lyubashevsky, M. Tibouchi, Tightly-secure signatures from lossy identification schemes, in EUROCRYPT 2012. LNCS, vol. 7237 (Springer, Heidelberg, 2012), pp. 572–590Google Scholar
  6. 6.
    M. Abdalla, P.-A. Fouque, V. Lyubashevsky, M. Tibouchi, Tightly-secure signatures from lossy identification schemes. J. Cryptol. 29(3), 597–631 (2016)MathSciNetCrossRefzbMATHGoogle Scholar
  7. 7.
    R. Anderson, Two remarks on public-key cryptology. Manuscript. Relevant material presented by the author in an invited lecture at the 4th ACM Conference on Computer and Communications Security, CCS 1997, Zurich, Switzerland, 1–4 Apr 1997, Sept 2000Google Scholar
  8. 8.
    D. Boneh, X. Boyen, H. Shacham, Short group signatures, in CRYPTO 2004. LNCS, vol. 3152 (Springer, Heidelberg, 2004), pp. 41–55Google Scholar
  9. 9.
    F. Benhamouda, J. Herranz, M. Joye, B. Libert, Efficient cryptosystems from \(2^k\)-th power residue symbols. J. Cryptol. 20(2), 519–549 (2017)CrossRefzbMATHGoogle Scholar
  10. 10.
    C. Bader, T. Jager, Y. Li, S. Schäge, On the impossibility of tight cryptographic reductions, in EUROCRYPT 2016, Part II. LNCS, vol. 9666 (Springer, Heidelberg, 2016), pp. 273–304Google Scholar
  11. 11.
    M. Bellare, S.K. Miner, A forward-secure digital signature scheme, in CRYPTO’99. LNCS, vol. 1666 (Springer, Heidelberg, 1999), pp. 431–448Google Scholar
  12. 12.
    M. Bellare, S. Micali, R. Ostrovsky, The (true) complexity of statistical zero knowledge, in 22nd ACM STOC (ACM Press, New York, 1990), pp. 494–502Google Scholar
  13. 13.
    M. Bellare, C. Namprempre, G. Neven, Unrestricted aggregate signatures, in ICALP 2007. LNCS, vol. 4596 (Springer, Heidelberg, 2007), pp. 411–422Google Scholar
  14. 14.
    N. Bari, B. Pfitzmann, Collision-free accumulators and fail-stop signature schemes without trees, in EUROCRYPT’97. LNCS, vol. 1233 (Springer, Heidelberg, 1997), pp. 480–494Google Scholar
  15. 15.
    M. Bellare, B. Poettering, D. Stebila, From identification to signatures, tightly: a framework and generic transforms, in ASIACRYPT 2016, Part II. LNCS, vol. 10032 (Springer, Heidelberg, 2016), pp. 435–464Google Scholar
  16. 16.
    M. Bellare, P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, in ACM CCS 93 (ACM Press, New York, 1993), pp. 62–73Google Scholar
  17. 17.
    M. Bellare, P. Rogaway, The security of triple encryption and a framework for code-based game-playing proofs, in EUROCRYPT 2006. LNCS, vol. 4004 (Springer, Heidelberg, 2006), pp. 409–426Google Scholar
  18. 18.
    E. Bach, J. Shallit, Algorithmic Number Theory. MIT Press, Cambridge (1996)zbMATHGoogle Scholar
  19. 19.
    R. Cramer, I. Damgård, Escure signature schemes based on interactive protocols, in CRYPTO’95. LNCS, vol. 963 (Springer, Heidelberg, 1995), pp. 297–310Google Scholar
  20. 20.
    J. Camenisch, M. Koprowski, Fine-grained forward-secure signature schemes without random oracles. Discrete Appl. Math. 154(2), 175–188 (2006)MathSciNetCrossRefzbMATHGoogle Scholar
  21. 21.
    C. Cachin, S. Micali, M. Stadler, Computationally private information retrieval with polylogarithmic communication, in EUROCRYPT’99. LNCS, vol. 1592 (Springer, Heidelberg, 1999), pp. 402–414Google Scholar
  22. 22.
    J.-S. Coron, Optimal security proofs for PSS and other signature schemes, in EUROCRYPT 2002. LNCS, vol. 2332 (Springer, Heidelberg, 2002), pp. 272–287Google Scholar
  23. 23.
    R. Cramer, Modular design of secure yet practical cryptographic protocols. Ph.D. thesis, CWI and University of Amsterdam, Amsterdam, The Netherlands (Nov 1996)Google Scholar
  24. 24.
    P. Dusart, Autour de la fonction qui compte le nombre de nombres premiers. Thesis, Université de Limoges (1998)Google Scholar
  25. 25.
    ECRYPT II yearly report on algorithms and keysizes (2011)Google Scholar
  26. 26.
    U. Feige, A. Fiat, A. Shamir, Zero-knowledge proofs of identity. J. Cryptol. 1(2), 77–94 (1988)MathSciNetCrossRefzbMATHGoogle Scholar
  27. 27.
    E. Fujisaki, T. Okamoto, Statistical zero knowledge protocols to prove modular polynomial relations, in CRYPTO’97. LNCS, vol. 1294 (Springer, Heidelberg, 1997), pp. 16–30Google Scholar
  28. 28.
    A. Fiat, A. Shamir, How to prove yourself: Practical solutions to identification and signature problems, in CRYPTO’86. LNCS, vol. 263 (Springer, Heidelberg, 1987), pp. 186–194Google Scholar
  29. 29.
    S. Garg, R. Bhaskar, S.V. Lokam, Improved bounds on security reductions for discrete log based signatures, in CRYPTO 2008. LNCS, vol. 5157 (Springer, Heidelberg, 2008), pp. 93–107Google Scholar
  30. 30.
    S. Goldwasser, S. Micali, R.L. Rivest, A “paradoxical” solution to the signature problem (extended abstract), in 25th FOCS (IEEE Computer Society Press, Washington, 1984), pp. 441–448Google Scholar
  31. 31.
    S. Goldwasser, S. Micali, C. Rackoff, The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989)MathSciNetCrossRefzbMATHGoogle Scholar
  32. 32.
    J.A. Garay, P.D. MacKenzie, K. Yang, Strengthening zero-knowledge protocols using signatures. J. Cryptol. 19(2), 169–209 (2006)MathSciNetCrossRefzbMATHGoogle Scholar
  33. 33.
    O. Goldreich, Two remarks concerning the Goldwasser–Micali–Rivest signature scheme, in CRYPTO’86. LNCS, vol. 263 (Springer, Heidelberg, 1987), pp. 104–110Google Scholar
  34. 34.
    L.C. Guillou, J.-J. Quisquater, A practical zero-knowledge protocol fitted to security microprocessor minimizing both trasmission and memory, in EUROCRYPT’88. LNCS, vol. 330 (Springer, Heidelberg, 1988), pp. 123–128Google Scholar
  35. 35.
    J. Groth, Simulation-sound NIZK proofs for a practical language and constant size group signatures, in ASIACRYPT 2006. LNCS, vol. 4284 (Springer, Heidelberg, 2006), pp. 444–459Google Scholar
  36. 36.
    J. Groth, A. Sahai, Efficient non-interactive proof systems for bilinear groups, in EUROCRYPT 2008. LNCS, vol. 4965 (Springer, Heidelberg, 2008), pp. 415–432Google Scholar
  37. 37.
    K. Haralambiev, Efficient cryptographic primitives for non-interactive zero-knowledge proofs and applications. Ph.D. thesis, New York University (2011)Google Scholar
  38. 38.
    D. Hofheinz, T. Jager, Tightly secure signatures and public-key encryption, in CRYPTO 2012. LNCS, vol. 7417 (Springer, Heidelberg, 2012), pp. 590–607Google Scholar
  39. 39.
    S. Hohenberger, B. Waters, Short and stateless signatures from the RSA assumption, in CRYPTO 2009. LNCS, vol. 5677 (Springer, Heidelberg, 2009), pp. 654–670Google Scholar
  40. 40.
    R. Impagliazzo, M. Naor, Efficient cryptographic schemes provably as secure as subset sum. J. Cryptol. 9(4), 199–216 (1996)MathSciNetCrossRefzbMATHGoogle Scholar
  41. 41.
    G. Itkis, L. Reyzin, Forward-secure signatures with optimal signing and verifying, in CRYPTO 2001. LNCS, vol. 2139 (Springer, Heidelberg, 2001), pp. 332–354Google Scholar
  42. 42.
    M. Joye, B. Libert, Efficient cryptosystems from \(2^k\)-th power residue symbols, in EUROCRYPT 2013. LNCS, vol. 7881 (Springer, Heidelberg, 2013), pp. 76–92Google Scholar
  43. 43.
    C.S. Jutla, A. Roy, Shorter quasi-adaptive NIZK proofs for linear subspaces, in ASIACRYPT 2013, Part I. LNCS, vol. 8269 (Springer, Heidelberg, 2013), pp. 1–20Google Scholar
  44. 44.
    S.A. Kakvi, E. Kiltz, Optimal security proofs for full domain hash, revisited, in EUROCRYPT 2012. LNCS, vol. 7237 (Springer, Heidelberg, 2012), pp. 537–553Google Scholar
  45. 45.
    E. Kiltz, A. O’Neill, A. Smith, Instantiability of RSA-OAEP under chosen-plaintext attack, in CRYPTO 2010. LNCS, vol. 6223 (Springer, Heidelberg, 2010), pp. 295–313Google Scholar
  46. 46.
    H. Krawczyk, Simple forward-secure signatures from any signature scheme, in ACM CCS 00 (ACM Press, New York, 2000), pp. 108–115Google Scholar
  47. 47.
    J. Katz, V. Vaikuntanathan, Signature schemes with bounded leakage resilience, in ASIACRYPT 2009. LNCS, vol. 5912 (Springer, Heidelberg, 2009), pp. 703–720Google Scholar
  48. 48.
    J. Katz, N. Wang, Efficiency improvements for signature schemes with tight security reductions, in ACM CCS 03 (ACM Press, New York, 2003), pp. 155–164Google Scholar
  49. 49.
    V. Lyubashevsky, D. Micciancio, Generalized compact Knapsacks are collision resistant, in ICALP 2006, Part II. LNCS, vol. 4052 (Springer, Heidelberg, 2006), pp. 144–155Google Scholar
  50. 50.
    S. Micali, A secure and efficient digital signature algorithm. Technical Memo MIT/LCS/TM-501b, Massachusetts Institute of Technology, Laboratory for Computer Science, Apr 1994Google Scholar
  51. 51.
    D. Micciancio, P. Mol, Pseudorandom knapsacks and the sample complexity of LWE search-to-decision reductions, in CRYPTO 2011. LNCS, vol. 6841 (Springer, Heidelberg, 2011), pp. 465–484Google Scholar
  52. 52.
    T. Malkin, D. Micciancio, S.K. Miner, Efficient generic forward-secure signatures with an unbounded number of time periods, in EUROCRYPT 2002. LNCS, vol. 2332 (Springer, Heidelberg, 2002), pp. 400–417Google Scholar
  53. 53.
    S. Micali, L. Reyzin, Improving the exact security of digital signature schemes. J. Cryptol. 15(1), 1–18 (2002)MathSciNetCrossRefzbMATHGoogle Scholar
  54. 54.
    A. Menezes, N. Smart, Security of signature schemes in a multi-user setting. Des. Codes Cryptogr. 33(3), 261–274 (2004)MathSciNetCrossRefzbMATHGoogle Scholar
  55. 55.
    K. Ohta, T. Okamoto, A modification of the Fiat–Shamir scheme, in CRYPTO’88. LNCS, vol. 403 (Springer, Heidelberg, August 1990), pp. 232–243Google Scholar
  56. 56.
    H. Ong, C.-P. Schnorr, Fast signature generation with a Fiat–Shamir-like scheme, in EUROCRYPT’90. LNCS, vol. 473 (Springer, Heidelberg, 1991), pp. 432–440Google Scholar
  57. 57.
    P. Paillier, Public-key cryptosystems based on composite degree residuosity classes, in EUROCRYPT’99. LNCS, vol. 1592 (Springer, Heidelberg, 1999), pp. 223–238Google Scholar
  58. 58.
    C. Peikert, A. Rosen, Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices, in TCC 2006. LNCS, vol. 3876 (Springer, Heidelberg, 2006), pp. 145–166Google Scholar
  59. 59.
    S. Patel, G.S. Sundaram, An efficient discrete log pseudo random generator, in CRYPTO’98. LNCS, vol. 1462 (Springer, Heidelberg, 1998), pp. 304–317Google Scholar
  60. 60.
    D. Pointcheval, J. Stern, Security arguments for digital signatures and blind signatures. J. Cryptol. 13(3), 361–396 (2000)CrossRefzbMATHGoogle Scholar
  61. 61.
    P. Paillier, D. Vergnaud, Discrete-log-based signatures may not be equivalent to discrete log, in ASIACRYPT 2005. LNCS, vol. 3788 (Springer, Heidelberg, 2005), pp. 1–20Google Scholar
  62. 62.
    C.-P. Schnorr, Efficient identification and signatures for smart cards (abstract) (rump session), in EUROCRYPT’89. LNCS, vol. 434 (Springer, Heidelberg, 1990), pp. 688–689Google Scholar
  63. 63.
    Y. Seurin, On the exact security of Schnorr-type signatures in the random oracle model, in EUROCRYPT 2012. LNCS, vol. 7237 (Springer, Heidelberg, 2012), pp. 554–571Google Scholar
  64. 64.
    P.C. van Oorschot, M.J. Wiener, On Diffie–Hellman key agreement with short exponents, in EUROCRYPT’96. LNCS, vol. 1070 (Springer, Heidelberg, 1996), pp. 332–343Google Scholar

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  1. 1.Département d’informatique de l’ENS, École normale supérieure, CNRSPSL Research UniversityParisFrance
  2. 2.INRIAParisFrance
  3. 3.IBM ResearchYorktown HeightsUSA

Personalised recommendations