
Journal of Cryptology, Volume 32, Issue 2, pp 566–599

On Tight Security Proofs for Schnorr Signatures

  • Nils Fleischhacker
  • Tibor Jager
  • Dominique Schröder

Abstract

The Schnorr signature scheme is the most efficient signature scheme based on the discrete logarithm problem, and a long line of research investigates the existence of a tight security reduction for this scheme in the random oracle model. Almost all recent works present lower tightness bounds, and most recently Seurin (EUROCRYPT 2012) showed that, under certain assumptions, the non-tight security proof for Schnorr signatures in the random oracle model by Pointcheval and Stern (EUROCRYPT’96) is essentially optimal. All previous works in this direction rule out tight reductions from the (one-more) discrete logarithm problem. In this paper, we introduce a new meta-reduction technique, which shows lower bounds for the large and very natural class of generic reductions. A generic reduction is independent of a particular representation of group elements. Most reductions in state-of-the-art security proofs have this property. It is desirable because the reduction then applies generically to any concrete instantiation of the group. Our approach shows unconditionally that there is no tight generic reduction from any natural non-interactive computational problem \(\Pi\) defined over algebraic groups to breaking Schnorr signatures, unless solving \(\Pi\) is easy. In an additional application of the new meta-reduction technique, we also unconditionally rule out any (even non-tight) generic reduction from natural non-interactive computational problems defined over algebraic groups to breaking Schnorr signatures in the non-programmable random oracle model.

Keywords

Schnorr signatures, Black-box reductions, Generic reductions, Algebraic reductions, Tightness

Notes

Acknowledgements

We thank the anonymous reviewers of ASIACRYPT 2014 and the Journal of Cryptology for their helpful comments, which helped us to improve the paper significantly.

References

  1. M. Abdalla, M. Bellare, P. Rogaway, The oracle Diffie–Hellman assumptions and an analysis of DHIES, in David Naccache, editor, Topics in Cryptology—CT-RSA 2001, Volume 2020 of Lecture Notes in Computer Science, San Francisco, CA, USA (Springer, Heidelberg, 2001), pp. 143–158
  2. M. Bellare, C. Namprempre, D. Pointcheval, M. Semanko, The one-more-RSA-inversion problems and the security of Chaum’s blind signature scheme. J. Cryptol. 16(3), 185–215 (2003)
  3. M. Bellare, P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, in V. Ashby, editor, ACM CCS 93: 1st Conference on Computer and Communications Security, Fairfax, Virginia, USA (ACM Press, London, 1993), pp. 62–73
  4. M. Bellare, P. Rogaway, The exact security of digital signatures: how to sign with RSA and Rabin, in Ueli M. Maurer, editor, Advances in Cryptology—EUROCRYPT’96, Volume 1070 of Lecture Notes in Computer Science, Saragossa, Spain (Springer, Heidelberg, 1996), pp. 399–416
  5. D.J. Bernstein, Proving tight security for Rabin–Williams signatures, in Nigel P. Smart, editor, Advances in Cryptology—EUROCRYPT 2008, Volume 4965 of Lecture Notes in Computer Science, Istanbul, Turkey (Springer, Heidelberg, 2008), pp. 70–87
  6. D.J. Bernstein, Multi-user Schnorr security, revisited. Cryptology ePrint Archive, Report 2015/996. https://eprint.iacr.org/2015/996 (2015)
  7. D. Boneh, X. Boyen, Secure identity based encryption without random oracles, in Matthew Franklin, editor, Advances in Cryptology—CRYPTO 2004, Volume 3152 of Lecture Notes in Computer Science, Santa Barbara, CA, USA (Springer, Heidelberg, 2004), pp. 443–459
  8. J.-S. Coron, On the exact security of full domain hash, in Mihir Bellare, editor, Advances in Cryptology—CRYPTO 2000, Volume 1880 of Lecture Notes in Computer Science, Santa Barbara, CA, USA (Springer, Heidelberg, 2000), pp. 229–235
  9. J.-S. Coron, Optimal security proofs for PSS and other signature schemes, in Lars R. Knudsen, editor, Advances in Cryptology—EUROCRYPT 2002, Volume 2332 of Lecture Notes in Computer Science, Amsterdam, The Netherlands (Springer, Heidelberg, 2002), pp. 272–287
  10. Y. Dodis, I. Haitner, A. Tentes, On the instantiability of hash-and-sign RSA signatures, in Ronald Cramer, editor, TCC 2012: 9th Theory of Cryptography Conference, Volume 7194 of Lecture Notes in Computer Science, Taormina, Sicily, Italy (Springer, Heidelberg, 2012), pp. 112–132
  11. Y. Dodis, R. Oliveira, K. Pietrzak, On the generic insecurity of the full domain hash, in Victor Shoup, editor, Advances in Cryptology—CRYPTO 2005, Volume 3621 of Lecture Notes in Computer Science, Santa Barbara, CA, USA (Springer, Heidelberg, 2005), pp. 449–466
  12. Y. Dodis, L. Reyzin, On the power of claw-free permutations, in Stelvio Cimato, Clemente Galdi, and Giuseppe Persiano, editors, SCN 02: 3rd International Conference on Security in Communication Networks, Volume 2576 of Lecture Notes in Computer Science, Amalfi, Italy (Springer, Heidelberg, 2003), pp. 55–73
  13. A. Fiat, A. Shamir, How to prove yourself: practical solutions to identification and signature problems, in Andrew M. Odlyzko, editor, Advances in Cryptology–CRYPTO’86, Volume 263 of Lecture Notes in Computer Science, Santa Barbara, CA, USA (Springer, Heidelberg, 1987), pp. 186–194
  14. M. Fischlin, N. Fleischhacker, Limitations of the meta-reduction technique: the case of Schnorr signatures, in Thomas Johansson and Phong Q. Nguyen, editors, Advances in Cryptology—EUROCRYPT 2013, Volume 7881 of Lecture Notes in Computer Science, Athens, Greece (Springer, Heidelberg, 2013), pp. 444–460
  15. M. Fischlin, A. Lehmann, T. Ristenpart, T. Shrimpton, M. Stam, S. Tessaro, Random oracles with(out) programmability, in Masayuki Abe, editor, Advances in Cryptology—ASIACRYPT 2010, Volume 6477 of Lecture Notes in Computer Science, Singapore (Springer, Heidelberg, 2010), pp. 303–320
  16. N. Fleischhacker, T. Jager, D. Schröder, On tight security proofs for Schnorr signatures, in Palash Sarkar and Tetsu Iwata, editors, Advances in Cryptology—ASIACRYPT 2014, Part I, Volume 8873 of Lecture Notes in Computer Science, Kaohsiung, Taiwan, R.O.C. (Springer, Heidelberg, 2014), pp. 512–531
  17. S.D. Galbraith, J. Malone-Lee, N.P. Smart, Public key signatures in the multi-user setting. Inf. Process. Lett. 83(5), 263–266 (2002)
  18. S. Garg, R. Bhaskar, S.V. Lokam, Improved bounds on security reductions for discrete log based signatures, in David Wagner, editor, Advances in Cryptology—CRYPTO 2008, Volume 5157 of Lecture Notes in Computer Science, Santa Barbara, CA, USA (Springer, Heidelberg, 2008), pp. 93–107
  19. S. Goldwasser, S. Micali, R.L. Rivest, A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988)
  20. S.A. Kakvi, E. Kiltz, Optimal security proofs for full domain hash, revisited, in David Pointcheval and Thomas Johansson, editors, Advances in Cryptology—EUROCRYPT 2012, Volume 7237 of Lecture Notes in Computer Science, Cambridge, UK (Springer, Heidelberg, 2012), pp. 537–553
  21. E. Kiltz, D. Masny, J. Pan, Optimal security proofs for signatures from identification schemes, in Matthew Robshaw and Jonathan Katz, editors, Advances in Cryptology—CRYPTO 2016, Part II, Volume 9815 of Lecture Notes in Computer Science, Santa Barbara, CA, USA (Springer, Heidelberg, 2016), pp. 33–61
  22. U.M. Maurer, Abstract models of computation in cryptography (invited paper), in Nigel P. Smart, editor, 10th IMA International Conference on Cryptography and Coding, Volume 3796 of Lecture Notes in Computer Science, Cirencester, UK (Springer, Heidelberg, 2005), pp. 1–12
  23. G. Neven, N. Smart, B. Warinschi, Hash function requirements for Schnorr signatures. J. Math. Cryptol. 3(1), 69–87 (2009)
  24. P. Paillier, D. Vergnaud, Discrete-log-based signatures may not be equivalent to discrete log, in Bimal K. Roy, editor, Advances in Cryptology—ASIACRYPT 2005, Volume 3788 of Lecture Notes in Computer Science, Chennai, India (Springer, Heidelberg, 2005), pp. 1–20
  25. D. Pointcheval, J. Stern, Security proofs for signature schemes, in Ueli M. Maurer, editor, Advances in Cryptology—EUROCRYPT’96, Volume 1070 of Lecture Notes in Computer Science, Saragossa, Spain (Springer, Heidelberg, 1996), pp. 387–398
  26. O. Reingold, L. Trevisan, S.P. Vadhan, Notions of reducibility between cryptographic primitives, in Moni Naor, editor, TCC 2004: 1st Theory of Cryptography Conference, Volume 2951 of Lecture Notes in Computer Science, Cambridge, MA, USA (Springer, Heidelberg, 2004), pp. 1–20
  27. A. Rupp, G. Leander, E. Bangerter, A.W. Dent, A.-R. Sadeghi, Sufficient conditions for intractability over black-box groups: generic lower bounds for generalized DL and DH problems, in Josef Pieprzyk, editor, Advances in Cryptology—ASIACRYPT 2008, Volume 5350 of Lecture Notes in Computer Science, Melbourne, Australia (Springer, Heidelberg, 2008), pp. 489–505
  28. S. Schäge, Tight proofs for signature schemes without random oracles, in Kenneth G. Paterson, editor, Advances in Cryptology—EUROCRYPT 2011, Volume 6632 of Lecture Notes in Computer Science, Tallinn, Estonia (Springer, Heidelberg, 2011), pp. 189–206
  29. C.-P. Schnorr, Efficient identification and signatures for smart cards, in Gilles Brassard, editor, Advances in Cryptology—CRYPTO’89, Volume 435 of Lecture Notes in Computer Science, Santa Barbara, CA, USA (Springer, Heidelberg, 1990), pp. 239–252
  30. C.-P. Schnorr, Efficient signature generation by smart cards. J. Cryptol. 4(3), 161–174 (1991)
  31. Y. Seurin, On the exact security of Schnorr-type signatures in the random oracle model, in David Pointcheval and Thomas Johansson, editors, Advances in Cryptology—EUROCRYPT 2012, Volume 7237 of Lecture Notes in Computer Science, Cambridge, UK (Springer, Heidelberg, 2012), pp. 554–571
  32. V. Shoup, Lower bounds for discrete logarithms and related problems, in Walter Fumy, editor, Advances in Cryptology—EUROCRYPT’97, Volume 1233 of Lecture Notes in Computer Science, Konstanz, Germany (Springer, Heidelberg, 1997), pp. 256–266
  33. B.R. Waters, Efficient identity-based encryption without random oracles, in Ronald Cramer, editor, Advances in Cryptology—EUROCRYPT 2005, Volume 3494 of Lecture Notes in Computer Science, Aarhus, Denmark (Springer, Heidelberg, 2005), pp. 114–127

Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  • Nils Fleischhacker (1)
  • Tibor Jager (2)
  • Dominique Schröder (3)

  1. Ruhr University Bochum, Bochum, Germany
  2. Paderborn University, Paderborn, Germany
  3. Friedrich-Alexander-University Erlangen-Nürnberg, Nürnberg, Germany
