Tightly-Secure Signatures from Five-Move Identification Protocols

  • Eike Kiltz
  • Julian Loss
  • Jiaxin Pan
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10626)

Abstract

We carry out a concrete security analysis of signature schemes obtained from five-move identification protocols via the Fiat-Shamir transform. Concretely, we obtain tightly-secure signatures based on the computational Diffie-Hellman (CDH), the short-exponent CDH, and the Factoring (FAC) assumptions. All our signature schemes have tight reductions to search problems, which is in stark contrast to all known signature schemes obtained from the classical Fiat-Shamir transform (based on three-move identification protocols), which either have a non-tight reduction to a search problem, or a tight reduction to a (potentially) stronger decisional problem. Surprisingly, our CDH-based scheme turns out to be (a slight simplification of) the Chevallier-Mames signature scheme (CRYPTO 05), thereby providing a theoretical explanation of its tight security proof via five-move identification protocols.

Keywords

Signatures, Five-move identification protocols, Fiat-Shamir, Tightness

References

  1. Abdalla, M., An, J.H., Bellare, M., Namprempre, C.: From identification to signatures via the Fiat-Shamir transform: minimizing assumptions for security and forward-security. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 418–433. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_28
  2. Abdalla, M., Ben Hamouda, F., Pointcheval, D.: Tighter reductions for forward-secure signature schemes. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 292–311. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36362-7_19
  3. Abdalla, M., Fouque, P.-A., Lyubashevsky, V., Tibouchi, M.: Tightly-secure signatures from lossy identification schemes. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 572–590. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_34
  4. Abe, M., Hofheinz, D., Nishimaki, R., Ohkubo, M., Pan, J.: Compact structure-preserving signatures with almost tight security. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 548–580. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_19
  5. Yousfi Alaoui, S.M., Dagdelen, Ö., Véron, P., Galindo, D., Cayrel, P.-L.: Extended security arguments for signature schemes. In: Mitrokotsa, A., Vaudenay, S. (eds.) AFRICACRYPT 2012. LNCS, vol. 7374, pp. 19–34. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-31410-0_2
  6. Bellare, M., Palacio, A.: GQ and Schnorr identification schemes: proofs of security against impersonation under active and concurrent attacks. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 162–177. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_11
  7. Bellare, M., Poettering, B., Stebila, D.: From identification to signatures, tightly: a framework and generic transforms. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 435–464. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_15
  8. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Ashby, V. (ed.) ACM CCS 1993, pp. 62–73. ACM Press, November 1993
  9. Bellare, M., Rogaway, P.: The exact security of digital signatures: how to sign with RSA and Rabin. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_34
  10. Bernstein, D.J.: Proving tight security for Rabin-Williams signatures. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 70–87. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_5
  11. Beth, T.: Efficient zero-knowledge identification scheme for smart cards. In: Barstow, D., et al. (eds.) EUROCRYPT 1988. LNCS, vol. 330, pp. 77–84. Springer, Heidelberg (1988). https://doi.org/10.1007/3-540-45961-8_7
  12. Blazy, O., Kakvi, S.A., Kiltz, E., Pan, J.: Tightly-secure signatures from chameleon hash functions. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 256–279. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2_12
  13. Blazy, O., Kiltz, E., Pan, J.: (Hierarchical) identity-based encryption from affine message authentication. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 408–425. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_23
  14. Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 514–532. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_30
  15. Brickell, E.F., McCurley, K.S.: An interactive identification scheme based on discrete logarithms and factoring. In: Damgård, I.B. (ed.) EUROCRYPT 1990. LNCS, vol. 473, pp. 63–71. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-46877-3_6
  16. Cayrel, P.-L., Lindner, R., Rückert, M., Silva, R.: Improved zero-knowledge identification with lattices. In: Heng, S.-H., Kurosawa, K. (eds.) ProvSec 2010. LNCS, vol. 6402, pp. 1–17. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-16280-0_1
  17. Cayrel, P.-L., Véron, P., Yousfi Alaoui, S.M.: A zero-knowledge identification scheme based on the q-ary syndrome decoding problem. In: Biryukov, A., Gong, G., Stinson, D.R. (eds.) SAC 2010. LNCS, vol. 6544, pp. 171–186. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19574-7_12
  18. Chen, J., Wee, H.: Fully, (almost) tightly secure IBE and dual system groups. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 435–460. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_25
  19. Chen, M.-S., Hülsing, A., Rijneveld, J., Samardjiska, S., Schwabe, P.: From 5-pass \(\cal{MQ}\)-based identification to \(\cal{MQ}\)-based signatures. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 135–165. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_5
  20. Chevallier-Mames, B.: An efficient CDH-based signature scheme with a tight security reduction. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 511–526. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_31
  21. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12
  22. Fleischhacker, N., Jager, T., Schröder, D.: On tight security proofs for Schnorr signatures. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 512–531. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_27
  23. Girault, M.: An identity-based identification scheme based on discrete logarithms modulo a composite number. In: Damgård, I.B. (ed.) EUROCRYPT 1990. LNCS, vol. 473, pp. 481–486. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-46877-3_44
  24. Girault, M., Poupard, G., Stern, J.: On the fly authentication and signature schemes based on groups of unknown order. J. Cryptol. 19(4), 463–487 (2006)
  25. Goh, E.-J., Jarecki, S.: A signature scheme as secure as the Diffie-Hellman problem. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 401–415. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_25
  26. Goh, E.-J., Jarecki, S., Katz, J., Wang, N.: Efficient signature schemes with tight reductions to the Diffie-Hellman problems. J. Cryptol. 20(4), 493–514 (2007)
  27. Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988)
  28. Guillou, L.C., Quisquater, J.-J.: A “paradoxical” indentity-based signature scheme resulting from zero-knowledge. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 216–231. Springer, New York (1990). https://doi.org/10.1007/0-387-34799-2_16
  29. Hofheinz, D.: Algebraic partitioning: fully compact and (almost) tightly secure cryptography. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9562, pp. 251–281. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49096-9_11
  30. Hofheinz, D.: Adaptive partitioning. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 489–518. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56617-7_17
  31. Hofheinz, D., Jager, T.: Tightly secure signatures and public-key encryption. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 590–607. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_35
  32. Hofheinz, D., Kiltz, E.: The group of signed quadratic residues and applications. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 637–653. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_37
  33. Kakvi, S.A., Kiltz, E.: Optimal security proofs for full domain hash, revisited. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 537–553. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_32
  34. Katz, J., Wang, N.: Efficiency improvements for signature schemes with tight security reductions. In: Jajodia, S., Atluri, V., Jaeger, T. (eds.) ACM CCS 2003, pp. 155–164. ACM Press, October 2003
  35. Kiltz, E., Masny, D., Pan, J.: Optimal security proofs for signatures from identification schemes. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 33–61. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_2
  36. Koshiba, T., Kurosawa, K.: Short exponent Diffie-Hellman problems. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 173–186. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24632-9_13
  37. Lyubashevsky, V.: Fiat-Shamir with aborts: applications to lattice and factoring-based signatures. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 598–616. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_35
  38. Micali, S., Reyzin, L.: Improving the exact security of digital signature schemes. Cryptology ePrint Archive, Report 1999/020 (1999). http://eprint.iacr.org/1999/020
  39. Micali, S., Reyzin, L.: Improving the exact security of digital signature schemes. J. Cryptol. 15(1), 1–18 (2002)
  40. Micali, S., Shamir, A.: An improvement of the Fiat-Shamir identification and signature scheme. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 244–247. Springer, New York (1990). https://doi.org/10.1007/0-387-34799-2_18
  41. Okamoto, T.: Provably secure and practical identification schemes and corresponding signature schemes. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 31–53. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-48071-4_3
  42. Ong, H., Schnorr, C.P.: Fast signature generation with a Fiat-Shamir-like scheme. In: Damgård, I.B. (ed.) EUROCRYPT 1990. LNCS, vol. 473, pp. 432–440. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-46877-3_38
  43. Poettering, B., Stebila, D.: Double-authentication-preventing signatures. In: Kutyłowski, M., Vaidya, J. (eds.) ESORICS 2014. LNCS, vol. 8712, pp. 436–453. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11203-9_25
  44. Pointcheval, D.: A new identification scheme based on the perceptrons problem. In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 319–328. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-49264-X_26
  45. Pointcheval, D., Poupard, G.: A new NP-complete problem and public-key identification. Des. Codes Cryptogr. 28(1), 5–31 (2003)
  46. Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. J. Cryptol. 13(3), 361–396 (2000)
  47. Pollard, J.M.: Monte Carlo methods for index computation mod \(p\). Math. Comput. 32, 918–924 (1978)
  48. Sakumoto, K., Shirai, T., Hiwatari, H.: Public-key identification schemes based on multivariate quadratic polynomials. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 706–723. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_40
  49. Schnorr, C.-P.: Efficient signature generation by smart cards. J. Cryptol. 4(3), 161–174 (1991)
  50. Seurin, Y.: On the exact security of Schnorr-type signatures in the random oracle model. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 554–571. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_33
  51. Shamir, A.: An efficient identification scheme based on permuted kernels (extended abstract). In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 606–609. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_54
  52. Shamir, A., Tauman, Y.: Improved online/offline signature schemes. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 355–367. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_21
  53. Silva, R., Cayrel, P.-L., Lindner, R.: Zero-knowledge identification based on lattices with low communication costs. In: XI Simposio Brasileiro de Seguranca da Informacao e de Sistemas Computacionais, vol. 8, pp. 95–107 (2011)
  54. Stern, J.: Designing identification schemes with keys of short size. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 164–173. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_18
  55. Stern, J.: A new identification scheme based on syndrome decoding. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 13–21. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_2

Copyright information

© International Association for Cryptologic Research 2017

Authors and Affiliations

  1. Ruhr-Universität Bochum, Bochum, Germany
  2. Karlsruher Institut für Technologie, Karlsruhe, Germany