Limitations of the Meta-Reduction Technique: The Case of Schnorr - - PowerPoint PPT Presentation



SLIDE 1

Limitations of the Meta-Reduction Technique: The Case of Schnorr Signatures

Marc Fischlin (TU Darmstadt), Nils Fleischhacker (Saarland University, Center for IT-Security, Privacy, and Accountability)

June 5, 2014

SLIDE 2

(Informal) Main Results [1]

◮ Schnorr Signatures are provably secure under the DLOG assumption in the weakly programmable ROM.

◮ Under the one-more DLOG assumption there does not exist a "single instance" reduction from the DLOG assumption in the non-programmable ROM.

◮ Eliminating the one-more DLOG assumption from our meta-reduction is highly unlikely.

[1] actual results may vary

SLIDE 3

Schnorr Signatures [Sch90,Schn91]

Public parameters: a group G = ⟨g⟩ of prime order q and a hash function H.

Kgen(1^κ):
  sk ←$ Z_q
  pk := g^sk
  return (sk, pk)

Sign(sk, m):
  r ←$ Z_q
  R := g^r
  c := H(R, m)
  y := r + sk · c
  return σ = (c, y)

Vrfy(pk, m, σ):
  parse σ as (c, y)
  if c =? H(pk^{−c} · g^y, m)
    output 1
  else
    output 0
SLIDE 4

Schnorr Signatures [Sch90,Schn91]

(Scheme as on slide 3.)

◮ Provably secure under the DLOG assumption in the ROM [PS96, PS00].

◮ Previous impossibility results for algebraic reductions [PV05,GBL08,Seu12].

SLIDE 5–9

Random Oracle Model with(out) programmability [FLR+10]

(Figure build-up over five slides: first the adversary A; then the random oracle H that A queries; then the reduction R placed between A and H, so that A's hash queries pass through R. In the programmable variant, R additionally has a programming interface: Prog(a, b) sets H(a) := Rand(b), i.e. the oracle value at a is defined to be the random value Rand(b).)
SLIDE 10–13

Meta-Reductions [BV98]

(Figure build-up over four slides: a reduction R turns an EUF-CMA adversary A against the scheme into a solver for a problem Π; the meta-reduction M simulates A towards R and uses R as a black box to solve a second problem Π′. In this talk Π is DL (the discrete log problem) and Π′ is DLOM (the one-more discrete log problem).)

SLIDE 14–16

EUF-CMA

(Game build-up over three slides.) The challenger runs (sk, pk) ← Kgen(1^κ) and hands pk to the attacker. The attacker may query Sign(sk, m) on messages m of its choice and receives the signatures σ. Finally it outputs (m∗, σ∗). The attacker wins if Vrfy(pk, m∗, σ∗) = 1 and m ≠ m∗ for every queried m.

SLIDE 17–18

Meta-Reductions

(Figure as on slides 10–13: R, M, A, EUF-CMA, DL, DLOM.)

SLIDE 19–20

The One-More discrete log problem [BNPS03]

(Figure build-up over two slides.) The solver receives challenges z1 = g^{x1}, z2 = g^{x2} and must output x1, x2. It may query a discrete-log oracle log_g(·): on input z′ = g^{x′} the oracle returns x′. The solver must make fewer oracle queries than it has challenges (here: one query for two challenges).

SLIDE 21–30

In the non-programmable ROM

(Sign and Vrfy as on slide 3. The random oracle H is shared by all parties and the reduction cannot program it.)

Build-up of the meta-reduction M against the one-more DL problem, one step per slide:

1. (Slide 21) M receives the one-more DL challenges z0, z1 and has access to H.

2. (Slide 22) M runs two instances R0 and R1 of the reduction, handing z0 to R0 and z1 to R1.

3. (Slide 23) R0 and R1 each output a public key, pk0 and pk1, to the adversaries A0 and A1 that M simulates.

4. (Slides 24–25) M samples messages m0, m1 ←$ {0, 1}^κ with m0 ≠ m1. A0 asks R0 for a signature on m0 and receives (c0, y0); A1 asks R1 for a signature on m1 and receives (c1, y1).

5. (Slide 26) M computes π = pk0 · pk1^{−1} = g^{sk0 − sk1} and spends its single DL-oracle query on π, obtaining δ = sk0 − sk1.

6. (Slide 27) M transfers the signatures between the keys:
     y0′ = y0 − δ · c0
     y1′ = y1 + δ · c1
   Since y0 = r0 + sk0 · c0 and y1 = r1 + sk1 · c1, this gives y0′ = r0 + sk1 · c0 and y1′ = r1 + sk0 · c1, so (c0, y0′) verifies on m0 under pk1 and (c1, y1′) verifies on m1 under pk0, without any hash value having been programmed.

7. (Slide 28) A0 returns the forgery (m1, (c1, y1′)) to R0 and A1 returns the forgery (m0, (c0, y0′)) to R1. Because m0 ≠ m1, each forgery is on a message the respective reduction never signed.

8. (Slides 29–30) R0 and R1 output x0 and x1, the discrete logs of z0 and z1. M outputs (x0, x1): two challenges solved with one oracle query. Slide 30 frames the whole construction as the meta-reduction MR.
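As an added example, not taken from the slides or from the authors' paper, the following Python code implements the Schnorr scheme of slide 3 over a toy group and replays the meta-reduction's signature-transfer step of slides 26–28, simulating the one-more DL oracle of slides 19–20 by brute force. The group parameters (p = 1019, q = 509, g = 4), the SHA-256-based stand-in for H, and all function names are my own constructions.

```python
import hashlib
import secrets

# Toy group parameters (constructed for illustration only): p = 2q + 1 with q prime,
# and g = 4 generates the subgroup of order q in Z_p^*. Real deployments use large groups.
P, Q, G = 1019, 509, 4


def H(R, m):
    """Random oracle stand-in: hash the commitment R and message m into Z_q."""
    digest = hashlib.sha256(f"{R}|{m}".encode()).digest()
    return int.from_bytes(digest, "big") % Q


def keygen(sk=None):
    """Kgen(1^kappa): sk <-$ Z_q, pk := g^sk. A fixed sk may be passed for deterministic runs."""
    if sk is None:
        sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)


def sign(sk, m, r=None):
    """Sign(sk, m): r <-$ Z_q, R := g^r, c := H(R, m), y := r + sk*c mod q."""
    if r is None:
        r = secrets.randbelow(Q)
    R = pow(G, r, P)
    c = H(R, m)
    y = (r + sk * c) % Q
    return c, y


def verify(pk, m, sig):
    """Vrfy(pk, m, sigma): recompute R = pk^{-c} * g^y and check c == H(R, m)."""
    c, y = sig
    R = (pow(pk, (-c) % Q, P) * pow(G, y, P)) % P  # pk has order q, so pk^{-c} = pk^{(-c) mod q}
    return c == H(R, m)


def dlog_oracle(z):
    """Simulated discrete-log oracle (brute force; feasible only because the group is tiny)."""
    for x in range(Q):
        if pow(G, x, P) == z:
            return x
    raise ValueError("z is not in the subgroup generated by g")


def transfer(sig, delta, to_pk1):
    """Move a signature between keys whose secrets differ by delta = sk0 - sk1 (slide 27).

    (c, y) under pk0 becomes (c, y - delta*c) under pk1, and (c, y) under pk1 becomes
    (c, y + delta*c) under pk0: y = r + sk*c in both cases, so pk^{-c} g^y is still g^r,
    and c is unchanged because H is never programmed.
    """
    c, y = sig
    y_new = (y - delta * c) % Q if to_pk1 else (y + delta * c) % Q
    return c, y_new


def meta_reduction_step(sk0, sk1, m0, m1, r0=None, r1=None):
    """Slides 24-28 in one place: two signing queries, one DL-oracle query, two forgeries.

    Returns delta, the two public keys, and the transferred signatures; each transferred
    signature verifies under the key that never signed its message.
    """
    _, pk0 = keygen(sk0)
    _, pk1 = keygen(sk1)
    sig0 = sign(sk0, m0, r0)                 # (c0, y0): R0 signs m0 under pk0
    sig1 = sign(sk1, m1, r1)                 # (c1, y1): R1 signs m1 under pk1
    pi = (pk0 * pow(pk1, Q - 1, P)) % P      # pi = pk0 * pk1^{-1} = g^{sk0 - sk1}
    delta = dlog_oracle(pi)                  # the single oracle query allowed by one-more DL
    forgery_for_pk0 = transfer(sig1, delta, to_pk1=False)  # (c1, y1') on m1, valid under pk0
    forgery_for_pk1 = transfer(sig0, delta, to_pk1=True)   # (c0, y0') on m0, valid under pk1
    return delta, pk0, pk1, forgery_for_pk0, forgery_for_pk1


if __name__ == "__main__":
    delta, pk0, pk1, f0, f1 = meta_reduction_step(123, 456, "m0", "m1")
    print("delta = sk0 - sk1 mod q:", delta)
    print("forgery on m1 verifies under pk0:", verify(pk0, "m1", f0))
    print("forgery on m0 verifies under pk1:", verify(pk1, "m0", f1))
```

The point the code makes concrete is step 6 of the build-up: once δ is known, a signature issued by one reduction instance becomes a forgery for the other without touching H, which is exactly why the meta-reduction works in the non-programmable ROM and why its cost is one one-more DL oracle query.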

SLIDE 31

Can we do better?

◮ Probably not.

◮ Going one (meta-)level deeper and using a meta-meta-reduction, we can show that removing the one-more discrete log assumption would (constructively) imply an adversary against the signature scheme.

SLIDE 32

So, what does this mean? Under the One-More Discrete Log Assumption, no single instance reductions from the discrete log problem can exist for Schnorr signatures, if they do not program the random oracle. A relaxed notion of programmability, however, is sufficient. The result is optimal in the sense that removing the assumption proves to be extremely unlikely.

SLIDE 33

Open Problems

◮ We rule out DLOG reductions, but what about CDH, ...?

◮ Possibly even interactive assumptions?

SLIDE 34

Thank You!

Nils Fleischhacker, fleischhacker@cs.uni-saarland.de

Full version available on eprint: http://eprint.iacr.org/2013/140