# On the Tightness of Forward-Secure Signature Reductions

- 127 Downloads

## Abstract

In this paper, we revisit the security of factoring-based signature schemes built via the Fiat–Shamir transform and show that they can admit tighter reductions to certain decisional complexity assumptions such as the quadratic-residuosity, the high-residuosity, and the \(\phi \)-hiding assumptions. We do so by proving that the underlying identification schemes used in these schemes are a particular case of the lossy identification notion introduced by Abdalla et al. at Eurocrypt 2012. Next, we show how to extend these results to the forward-security setting based on ideas from the Itkis–Reyzin forward-secure signature scheme. Unlike the original Itkis–Reyzin scheme, our construction can be instantiated under different decisional complexity assumptions and has a much tighter security reduction. Moreover, we also show that the tighter security reductions provided by our proof methodology can result in concrete efficiency gains in practice, both in the standard and forward-security setting, as long as the use of stronger security assumptions is deemed acceptable. Finally, we investigate the design of forward-secure signature schemes whose security reductions are fully tight.

## Keywords

Forward security Digital signatures Reduction tightness Lossy identification## Notes

### Acknowledgements

We would like to thank Mihir Bellare and Eike Kiltz for their helpful comments on a preliminary version of this paper, the anonymous referees of PKC 2013 for their valuable input, and Benoît Libert for his discussion with the second author on simulation-sound NIZK and random oracles. We would also like to thank the anonymous reviewers for Journal of Cryptology for their insightful comments. This work was supported in part by the French ANR-10-SEGI-015 PRINCE Project, in part by the CFM Foundation, and in part by the European Commission through the FP7-ICT-2011-EU-Brazil Program under Contract 288349 SecFuNet and the ICT Program under Contract ICT-2007-216676 ECRYPT II. The second author was supported in part by the Defense Advanced Research Projects Agency (DARPA) and Army Research Office (ARO) under Contract No. W911NF-15-C-0236.

## Supplementary material

## References

- 1.M. Abdalla, J.H. An, M. Bellare, C. Namprempre, From identification to signatures via the Fiat–Shamir transform: minimizing assumptions for security and forward-security, in
*EUROCRYPT 2002*. LNCS, vol. 2332 (Springer, Heidelberg, 2002), pp. 418–433Google Scholar - 2.M. Abdalla, J.H. An, M. Bellare, C. Namprempre, From identification to signatures via the Fiat-Shamir transform: Necessary and sufficient conditions for security and forward-security.
*IEEE Trans. Inf. Theory***54**(8), 3631–3646 (2008)MathSciNetCrossRefzbMATHGoogle Scholar - 3.M. Abdalla, F. Ben Hamouda, D. Pointcheval, Tighter reductions for forward-secure signature schemes, in
*PKC 2013*. LNCS, vol. 7778 (Springer, Heidelberg, 2013), pp. 292–311Google Scholar - 4.M. Abe, B. David, M. Kohlweiss, R. Nishimaki, M. Ohkubo, Tagged one-time signatures: Tight security and optimal tag size, in
*PKC 2013*. LNCS, vol. 7778 (Springer, Heidelberg, 2013), pp. 312–331Google Scholar - 5.M. Abdalla, P.-A. Fouque, V. Lyubashevsky, M. Tibouchi, Tightly-secure signatures from lossy identification schemes, in
*EUROCRYPT 2012*. LNCS, vol. 7237 (Springer, Heidelberg, 2012), pp. 572–590Google Scholar - 6.M. Abdalla, P.-A. Fouque, V. Lyubashevsky, M. Tibouchi, Tightly-secure signatures from lossy identification schemes.
*J. Cryptol.***29**(3), 597–631 (2016)MathSciNetCrossRefzbMATHGoogle Scholar - 7.R. Anderson, Two remarks on public-key cryptology. Manuscript. Relevant material presented by the author in an invited lecture at the 4th ACM Conference on Computer and Communications Security, CCS 1997, Zurich, Switzerland, 1–4 Apr 1997, Sept 2000Google Scholar
- 8.D. Boneh, X. Boyen, H. Shacham, Short group signatures, in
*CRYPTO 2004*. LNCS, vol. 3152 (Springer, Heidelberg, 2004), pp. 41–55Google Scholar - 9.F. Benhamouda, J. Herranz, M. Joye, B. Libert, Efficient cryptosystems from \(2^k\)-th power residue symbols.
*J. Cryptol.***20**(2), 519–549 (2017)CrossRefzbMATHGoogle Scholar - 10.C. Bader, T. Jager, Y. Li, S. Schäge, On the impossibility of tight cryptographic reductions, in
*EUROCRYPT 2016, Part II*. LNCS, vol. 9666 (Springer, Heidelberg, 2016), pp. 273–304Google Scholar - 11.M. Bellare, S.K. Miner, A forward-secure digital signature scheme, in
*CRYPTO’99*. LNCS, vol. 1666 (Springer, Heidelberg, 1999), pp. 431–448Google Scholar - 12.M. Bellare, S. Micali, R. Ostrovsky, The (true) complexity of statistical zero knowledge, in
*22nd ACM STOC*(ACM Press, New York, 1990), pp. 494–502Google Scholar - 13.M. Bellare, C. Namprempre, G. Neven, Unrestricted aggregate signatures, in
*ICALP 2007*. LNCS, vol. 4596 (Springer, Heidelberg, 2007), pp. 411–422Google Scholar - 14.N. Bari, B. Pfitzmann, Collision-free accumulators and fail-stop signature schemes without trees, in
*EUROCRYPT’97*. LNCS, vol. 1233 (Springer, Heidelberg, 1997), pp. 480–494Google Scholar - 15.M. Bellare, B. Poettering, D. Stebila, From identification to signatures, tightly: a framework and generic transforms, in
*ASIACRYPT 2016, Part II*. LNCS, vol. 10032 (Springer, Heidelberg, 2016), pp. 435–464Google Scholar - 16.M. Bellare, P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, in
*ACM CCS 93*(ACM Press, New York, 1993), pp. 62–73Google Scholar - 17.M. Bellare, P. Rogaway, The security of triple encryption and a framework for code-based game-playing proofs, in
*EUROCRYPT 2006*. LNCS, vol. 4004 (Springer, Heidelberg, 2006), pp. 409–426Google Scholar - 18.E. Bach, J. Shallit,
*Algorithmic Number Theory*. MIT Press, Cambridge (1996)zbMATHGoogle Scholar - 19.R. Cramer, I. Damgård, Escure signature schemes based on interactive protocols, in
*CRYPTO’95*. LNCS, vol. 963 (Springer, Heidelberg, 1995), pp. 297–310Google Scholar - 20.J. Camenisch, M. Koprowski, Fine-grained forward-secure signature schemes without random oracles.
*Discrete Appl. Math.***154**(2), 175–188 (2006)MathSciNetCrossRefzbMATHGoogle Scholar - 21.C. Cachin, S. Micali, M. Stadler, Computationally private information retrieval with polylogarithmic communication, in
*EUROCRYPT’99*. LNCS, vol. 1592 (Springer, Heidelberg, 1999), pp. 402–414Google Scholar - 22.J.-S. Coron, Optimal security proofs for PSS and other signature schemes, in
*EUROCRYPT 2002*. LNCS, vol. 2332 (Springer, Heidelberg, 2002), pp. 272–287Google Scholar - 23.R. Cramer,
*Modular design of secure yet practical cryptographic protocols*. Ph.D. thesis, CWI and University of Amsterdam, Amsterdam, The Netherlands (Nov 1996)Google Scholar - 24.P. Dusart, Autour de la fonction qui compte le nombre de nombres premiers. Thesis, Université de Limoges (1998)Google Scholar
- 25.ECRYPT II yearly report on algorithms and keysizes (2011)Google Scholar
- 26.U. Feige, A. Fiat, A. Shamir, Zero-knowledge proofs of identity.
*J. Cryptol.***1**(2), 77–94 (1988)MathSciNetCrossRefzbMATHGoogle Scholar - 27.E. Fujisaki, T. Okamoto, Statistical zero knowledge protocols to prove modular polynomial relations, in
*CRYPTO’97*. LNCS, vol. 1294 (Springer, Heidelberg, 1997), pp. 16–30Google Scholar - 28.A. Fiat, A. Shamir, How to prove yourself: Practical solutions to identification and signature problems, in
*CRYPTO’86*. LNCS, vol. 263 (Springer, Heidelberg, 1987), pp. 186–194Google Scholar - 29.S. Garg, R. Bhaskar, S.V. Lokam, Improved bounds on security reductions for discrete log based signatures, in
*CRYPTO 2008*. LNCS, vol. 5157 (Springer, Heidelberg, 2008), pp. 93–107Google Scholar - 30.S. Goldwasser, S. Micali, R.L. Rivest, A “paradoxical” solution to the signature problem (extended abstract), in
*25th FOCS*(IEEE Computer Society Press, Washington, 1984), pp. 441–448Google Scholar - 31.S. Goldwasser, S. Micali, C. Rackoff, The knowledge complexity of interactive proof systems.
*SIAM J. Comput.***18**(1), 186–208 (1989)MathSciNetCrossRefzbMATHGoogle Scholar - 32.J.A. Garay, P.D. MacKenzie, K. Yang, Strengthening zero-knowledge protocols using signatures.
*J. Cryptol.***19**(2), 169–209 (2006)MathSciNetCrossRefzbMATHGoogle Scholar - 33.O. Goldreich, Two remarks concerning the Goldwasser–Micali–Rivest signature scheme, in
*CRYPTO’86*. LNCS, vol. 263 (Springer, Heidelberg, 1987), pp. 104–110Google Scholar - 34.L.C. Guillou, J.-J. Quisquater, A practical zero-knowledge protocol fitted to security microprocessor minimizing both trasmission and memory, in
*EUROCRYPT’88*. LNCS, vol. 330 (Springer, Heidelberg, 1988), pp. 123–128Google Scholar - 35.J. Groth, Simulation-sound NIZK proofs for a practical language and constant size group signatures, in
*ASIACRYPT 2006*. LNCS, vol. 4284 (Springer, Heidelberg, 2006), pp. 444–459Google Scholar - 36.J. Groth, A. Sahai, Efficient non-interactive proof systems for bilinear groups, in
*EUROCRYPT 2008*. LNCS, vol. 4965 (Springer, Heidelberg, 2008), pp. 415–432Google Scholar - 37.K. Haralambiev, Efficient cryptographic primitives for non-interactive zero-knowledge proofs and applications. Ph.D. thesis, New York University (2011)Google Scholar
- 38.D. Hofheinz, T. Jager, Tightly secure signatures and public-key encryption, in
*CRYPTO 2012*. LNCS, vol. 7417 (Springer, Heidelberg, 2012), pp. 590–607Google Scholar - 39.S. Hohenberger, B. Waters, Short and stateless signatures from the RSA assumption, in
*CRYPTO 2009*. LNCS, vol. 5677 (Springer, Heidelberg, 2009), pp. 654–670Google Scholar - 40.R. Impagliazzo, M. Naor, Efficient cryptographic schemes provably as secure as subset sum.
*J. Cryptol.***9**(4), 199–216 (1996)MathSciNetCrossRefzbMATHGoogle Scholar - 41.G. Itkis, L. Reyzin, Forward-secure signatures with optimal signing and verifying, in
*CRYPTO 2001*. LNCS, vol. 2139 (Springer, Heidelberg, 2001), pp. 332–354Google Scholar - 42.M. Joye, B. Libert, Efficient cryptosystems from \(2^k\)-th power residue symbols, in
*EUROCRYPT 2013*. LNCS, vol. 7881 (Springer, Heidelberg, 2013), pp. 76–92Google Scholar - 43.C.S. Jutla, A. Roy, Shorter quasi-adaptive NIZK proofs for linear subspaces, in
*ASIACRYPT 2013, Part I*. LNCS, vol. 8269 (Springer, Heidelberg, 2013), pp. 1–20Google Scholar - 44.S.A. Kakvi, E. Kiltz, Optimal security proofs for full domain hash, revisited, in
*EUROCRYPT 2012*. LNCS, vol. 7237 (Springer, Heidelberg, 2012), pp. 537–553Google Scholar - 45.E. Kiltz, A. O’Neill, A. Smith, Instantiability of RSA-OAEP under chosen-plaintext attack, in
*CRYPTO 2010*. LNCS, vol. 6223 (Springer, Heidelberg, 2010), pp. 295–313Google Scholar - 46.H. Krawczyk, Simple forward-secure signatures from any signature scheme, in
*ACM CCS 00*(ACM Press, New York, 2000), pp. 108–115Google Scholar - 47.J. Katz, V. Vaikuntanathan, Signature schemes with bounded leakage resilience, in
*ASIACRYPT 2009*. LNCS, vol. 5912 (Springer, Heidelberg, 2009), pp. 703–720Google Scholar - 48.J. Katz, N. Wang, Efficiency improvements for signature schemes with tight security reductions, in
*ACM CCS 03*(ACM Press, New York, 2003), pp. 155–164Google Scholar - 49.V. Lyubashevsky, D. Micciancio, Generalized compact Knapsacks are collision resistant, in
*ICALP 2006, Part II*. LNCS, vol. 4052 (Springer, Heidelberg, 2006), pp. 144–155Google Scholar - 50.S. Micali, A secure and efficient digital signature algorithm. Technical Memo MIT/LCS/TM-501b, Massachusetts Institute of Technology, Laboratory for Computer Science, Apr 1994Google Scholar
- 51.D. Micciancio, P. Mol, Pseudorandom knapsacks and the sample complexity of LWE search-to-decision reductions, in
*CRYPTO 2011*. LNCS, vol. 6841 (Springer, Heidelberg, 2011), pp. 465–484Google Scholar - 52.T. Malkin, D. Micciancio, S.K. Miner, Efficient generic forward-secure signatures with an unbounded number of time periods, in
*EUROCRYPT 2002*. LNCS, vol. 2332 (Springer, Heidelberg, 2002), pp. 400–417Google Scholar - 53.S. Micali, L. Reyzin, Improving the exact security of digital signature schemes.
*J. Cryptol.***15**(1), 1–18 (2002)MathSciNetCrossRefzbMATHGoogle Scholar - 54.A. Menezes, N. Smart, Security of signature schemes in a multi-user setting.
*Des. Codes Cryptogr.***33**(3), 261–274 (2004)MathSciNetCrossRefzbMATHGoogle Scholar - 55.K. Ohta, T. Okamoto, A modification of the Fiat–Shamir scheme, in
*CRYPTO’88*. LNCS, vol. 403 (Springer, Heidelberg, August 1990), pp. 232–243Google Scholar - 56.H. Ong, C.-P. Schnorr, Fast signature generation with a Fiat–Shamir-like scheme, in
*EUROCRYPT’90*. LNCS, vol. 473 (Springer, Heidelberg, 1991), pp. 432–440Google Scholar - 57.P. Paillier, Public-key cryptosystems based on composite degree residuosity classes, in
*EUROCRYPT’99*. LNCS, vol. 1592 (Springer, Heidelberg, 1999), pp. 223–238Google Scholar - 58.C. Peikert, A. Rosen, Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices, in
*TCC 2006*. LNCS, vol. 3876 (Springer, Heidelberg, 2006), pp. 145–166Google Scholar - 59.S. Patel, G.S. Sundaram, An efficient discrete log pseudo random generator, in
*CRYPTO’98*. LNCS, vol. 1462 (Springer, Heidelberg, 1998), pp. 304–317Google Scholar - 60.D. Pointcheval, J. Stern, Security arguments for digital signatures and blind signatures.
*J. Cryptol.***13**(3), 361–396 (2000)CrossRefzbMATHGoogle Scholar - 61.P. Paillier, D. Vergnaud, Discrete-log-based signatures may not be equivalent to discrete log, in
*ASIACRYPT 2005*. LNCS, vol. 3788 (Springer, Heidelberg, 2005), pp. 1–20Google Scholar - 62.C.-P. Schnorr, Efficient identification and signatures for smart cards (abstract) (rump session), in
*EUROCRYPT’89*. LNCS, vol. 434 (Springer, Heidelberg, 1990), pp. 688–689Google Scholar - 63.Y. Seurin, On the exact security of Schnorr-type signatures in the random oracle model, in
*EUROCRYPT 2012*. LNCS, vol. 7237 (Springer, Heidelberg, 2012), pp. 554–571Google Scholar - 64.P.C. van Oorschot, M.J. Wiener, On Diffie–Hellman key agreement with short exponents, in
*EUROCRYPT’96*. LNCS, vol. 1070 (Springer, Heidelberg, 1996), pp. 332–343Google Scholar