International Information Security Conference

ISC 2015: Information Security pp 3-20 | Cite as

Black-Box Separations on Fiat-Shamir-Type Signatures in the Non-Programmable Random Oracle Model

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9290)


In recent years, Fischlin and Fleischhacker showed the impossibility of proving the security of specific types of FS-type signatures, the signatures constructed by the Fiat-Shamir transformation, via a single-instance reduction in the non-programmable random oracle model (NPROM, for short).

In this paper, we pose a question whether or not the impossibility of proving the security of any FS-type signature can be shown in the NPROM. For this question, we show that each FS-type signature cannot be proven to be secure via a key-preserving reduction in the NPROM from the security against the impersonation of the underlying identification scheme under the passive attack, as long as the identification scheme is secure against the impersonation under the active attack.

We also show the security incompatibility between the discrete logarithm assumption and the security of the Schnorr signature via a single-instance key-preserving reduction, whereas Fischlin and Fleischhacker showed that such an incompatibility cannot be proven via a non-key-preserving reduction.


Fiat-Shamir transformation The Schnorr signature  Non-programmable random oracle model Meta-reduction 



We would like to thank anonymous reviewers for their valuable comments and suggestions. A part of this work is supported by JSPS KAKENHI Grant Number 15K16001.


  1. 1.
    Abdalla, M., An, J.H., Bellare, M., Namprempre, C.: From identification to signatures via the Fiat-Shamir transform: necessary and sufficient conditions for security and forward-security. IEEE Trans. Inf. Theory 54(8), 3631–3646 (2008). Conference Ver.: Proc. EUROCRYPT 2002, LNCS, vol. 2332, pp. 418–433, 2002MathSciNetCrossRefMATHGoogle Scholar
  2. 2.
    Abe, M., Groth, J., Ohkubo, M.: Separating short structure-preserving signatures from non-interactive assumptions. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 628–646. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  3. 3.
    Baldimtsi, F., Lysyanskaya, A.: On the security of one-witness blind signature schemes. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part II. LNCS, vol. 8270, pp. 82–99. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  4. 4.
    Bellare, M., Namprempre, C., Pointcheval, D., Semanko, M.: The one-more-RSA-inversion problems and the security of Chaum’s blind signature scheme. J. Cryptology 16(3), 185–215 (2003). Conference Ver.: Proc. Financial Cryptography 2001, LNCS, vol. 2339, 2002MathSciNetCrossRefMATHGoogle Scholar
  5. 5.
    Bellare, M., Namprempre, C., Neven, G.: Security proofs for identity-based identification and signature schemes. J. Cryptology 22(1), 1–61 (2009)MathSciNetCrossRefMATHGoogle Scholar
  6. 6.
    Bellare, M., Palacio, A.: GQ and Schnorr identification schemes: proofs of security against impersonation under active and concurrent attacks. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 162–177. Springer, Heidelberg (2002) CrossRefGoogle Scholar
  7. 7.
    Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Proceedings of ACM CCS 1993, Fairfax, Virginia, USA, pp. 62–73. ACM Press, New York (1993)Google Scholar
  8. 8.
    Boneh, D., Venkatesan, R.: Breaking RSA may not be equivalent to factoring. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 59–71. Springer, Heidelberg (1998) CrossRefGoogle Scholar
  9. 9.
    Bresson, E., Monnerat, J., Vergnaud, D.: Separation results on the “one-more” computational problems. In: Malkin, T. (ed.) CT-RSA 2008. LNCS, vol. 4964, pp. 71–87. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  10. 10.
    Brown, D.R.L.: What hashes make RSA-OAEP secure? Cryptology ePrint Archive, Report 2006/223 (2006).
  11. 11.
    Camenisch, J., Stadler, M.: Proof systems for general statements about discrete logarithms. Technical report (1997)Google Scholar
  12. 12.
    Chaum, D., Evertse, J.-H., van de Graaf, J.: An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In: Price, W.L., Chaum, D. (eds.) EUROCRYPT 1987. LNCS, vol. 304, pp. 127–141. Springer, Heidelberg (1988) Google Scholar
  13. 13.
    Chen, Y., Huang, Q., Zhang, Z.: Sakai-Ohgishi-Kasahara identity-based non-interactive key exchange scheme, revisited. In: Susilo, W., Mu, Y. (eds.) ACISP 2014. LNCS, vol. 8544, pp. 274–289. Springer, Heidelberg (2014) Google Scholar
  14. 14.
    Coron, J.-S.: Optimal security proofs for PSS and other signature schemes. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 272–287. Springer, Heidelberg (2002) CrossRefGoogle Scholar
  15. 15.
    Dagdelen, Ö., Fischlin, M., Gagliardoni, T.: The Fiat–Shamir transformation in a quantum world. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part II. LNCS, vol. 8270, pp. 62–81. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  16. 16.
    El Aimani, L.: On generic constructions of designated confirmer signatures. In: Roy, B., Sendrier, N. (eds.) INDOCRYPT 2009. LNCS, vol. 5922, pp. 343–362. Springer, Heidelberg (2009) CrossRefGoogle Scholar
  17. 17.
    El Aimani, L.: Efficient confirmer signatures from the “signature of a commitment” paradigm. In: Heng, S.-H., Kurosawa, K. (eds.) ProvSec 2010. LNCS, vol. 6402, pp. 87–101. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  18. 18.
    Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987) Google Scholar
  19. 19.
    Fischlin, M., Fleischhacker, N.: Limitations of the meta-reduction technique: the case of schnorr signatures. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 444–460. Springer, Heidelberg (2013). Full Ver.: Cryptology ePrint Archive, Report 2013/140 CrossRefGoogle Scholar
  20. 20.
    Fischlin, M., Lehmann, A., Ristenpart, T., Shrimpton, T., Stam, M., Tessaro, S.: Random oracles with(out) programmability. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 303–320. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  21. 21.
    Fleischhacker, N., Jager, T., Schröder, D.: On tight security proofs for schnorr signatures. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 512–531. Springer, Heidelberg (2014) Google Scholar
  22. 22.
    Fukumitsu, M., Hasegawa, S., Isobe, S., Koizumi, E., Shizuya, H.: Toward separating the strong adaptive pseudo-freeness from the strong RSA assumption. In: Boyd, C., Simpson, L. (eds.) ACISP 2013. LNCS, vol. 7959, pp. 72–87. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  23. 23.
    Fukumitsu, M., Hasegawa, S., Isobe, S., Shizuya, H.: On the impossibility of proving security of strong-RSA signatures via the RSA assumption. In: Susilo, W., Mu, Y. (eds.) ACISP 2014. LNCS, vol. 8544, pp. 290–305. Springer, Heidelberg (2014) Google Scholar
  24. 24.
    Garg, S., Bhaskar, R., Lokam, S.V.: Improved bounds on security reductions for discrete log based signatures. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 93–107. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  25. 25.
    Goh, E.J., Jarecki, S., Katz, J., Wang, N.: Efficient signature schemes with tight reductions to the Diffie-Hellman problems. J. Cryptology 20(4), 493–514 (2007)MathSciNetCrossRefMATHGoogle Scholar
  26. 26.
    Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988)MathSciNetCrossRefMATHGoogle Scholar
  27. 27.
    Guillou, L.C., Quisquater, J.-J.: A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory. In: Barstow, D., et al. (eds.) EUROCRYPT 1988. LNCS, vol. 330, pp. 123–128. Springer, Heidelberg (1988) Google Scholar
  28. 28.
    Hanaoka, G., Matsuda, T., Schuldt, J.C.N.: On the impossibility of constructing efficient key encapsulation and programmable hash functions in prime order groups. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 812–831. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  29. 29.
    Kakvi, S.A., Kiltz, E.: Optimal security proofs for full domain hash, revisited. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 537–553. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  30. 30.
    Kawai, Y., Sakai, Y., Kunihiro, N.: On the (im)possibility results for strong attack models for public key cryptsystems. JISIS 1(2/3), 125–139 (2011)Google Scholar
  31. 31.
    Nielsen, J.B.: Separating random oracle proofs from complexity theoretic proofs: the non-committing encryption case. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 111–126. Springer, Heidelberg (2002) CrossRefGoogle Scholar
  32. 32.
    Okamoto, T.: Provably secure and practical identification schemes and corresponding signature schemes. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 31–53. Springer, Heidelberg (1993) Google Scholar
  33. 33.
    Paillier, P.: Impossibility proofs for RSA signatures in the standard model. In: Abe, M. (ed.) CT-RSA 2007. LNCS, vol. 4377, pp. 31–48. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  34. 34.
    Paillier, P., Vergnaud, D.: Discrete-log-based signatures may not be equivalent to discrete log. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 1–20. Springer, Heidelberg (2005) CrossRefGoogle Scholar
  35. 35.
    Paillier, P., Villar, J.L.: Trading one-wayness against chosen-ciphertext security in factoring-based encryption. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 252–266. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  36. 36.
    Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. J. Cryptology 13(3), 361–396 (2000)CrossRefMATHGoogle Scholar
  37. 37.
    Schnorr, C.: Efficient signature generation by smart cards. J. Cryptology 4(3), 161–174 (1991)MathSciNetCrossRefMATHGoogle Scholar
  38. 38.
    Seurin, Y.: On the exact security of schnorr-type signatures in the random oracle model. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 554–571. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  39. 39.
    Villar, J.L.: Optimal reductions of some decisional problems to the rank problem. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 80–97. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  40. 40.
    Zhang, J., Zhang, Z., Chen, Y., Guo, Y., Zhang, Z.: Black-box separations for one-more (static) CDH and its generalization. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part II. LNCS, vol. 8874, pp. 366–385. Springer, Heidelberg (2014) Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. 1.Faculty of Information MediaHokkaido Information UniversityEbetsu, HokkaidoJapan
  2. 2.Graduate School of Information SciencesTohoku UniversitySendai, MiyagiJapan

Personalised recommendations