limitations of the meta reduction technique the case of
play

Limitations of the Meta-Reduction Technique: The Case of Schnorr - PowerPoint PPT Presentation

Aug 04, 2023 •333 likes •693 views

Limitations of the Meta-Reduction Technique: The Case of Schnorr Signatures Marc Fischlin 1 Nils Fleischhacker 2 1 TU Darmstadt 2 Saarland University, Center for IT-Security, Privacy, and Accountability June 5, 2014 (Informal) Main Results 1

  1. Limitations of the Meta-Reduction Technique: The Case of Schnorr Signatures Marc Fischlin 1 Nils Fleischhacker 2 1 TU Darmstadt 2 Saarland University, Center for IT-Security, Privacy, and Accountability June 5, 2014

  2. (Informal) Main Results 1 ◮ Schnorr Signatures are provably secure under the DLOG assumption in the weakly programmable ROM. ◮ Under the one-more DLOG assumption there does not exist a ”single instance” reduction from the DLOG assumption in the non-programmable ROM. ◮ Eliminating the one-more DLOG assumption from our meta-reduction is highly unlikely. 1 actual results may vary

  3. Schnorr Signatures [Sch90,Schn91] G = � g � , H Kgen (1 κ ) Sign ( sk , m ) Vrfy ( pk , m, σ ) $ $ parse σ as ( c, y ) sk ← Z q ← Z q r ? pk := g sk R := g r = H ( pk − c g y , m ) if c c := H ( R, m ) output 1 return ( sk , pk ) y := r + sk · c else return σ = ( c, y ) output 0

  4. Schnorr Signatures [Sch90,Schn91] G = � g � , H Kgen (1 κ ) Sign ( sk , m ) Vrfy ( pk , m, σ ) $ $ parse σ as ( c, y ) sk ← Z q ← Z q r ? pk := g sk R := g r = H ( pk − c g y , m ) if c c := H ( R, m ) output 1 return ( sk , pk ) y := r + sk · c else return σ = ( c, y ) output 0 ◮ Provably secure under DLOG assumption in the ROM [PS96, PS00]. ◮ Previous impossibility results for algebraic reductions [PV05,GBL08,Seu12].

  5. Random Oracle Model with(out) programmability [FLR+10] A

  6. Random Oracle Model with(out) programmability [FLR+10] A H

  7. Random Oracle Model with(out) programmability [FLR+10] R A H

  8. Random Oracle Model with(out) programmability [FLR+10] R A H

  9. Random Oracle Model with(out) programmability [FLR+10] Prog R Prog ( a, b ) ⇒ A H def H ( a ) = Rand ( b ) Rand

  10. Meta-Reductions [BV98] Π R A EUF - CMA

  11. Meta-Reductions [BV98] M Π Π ’ R A EUF - CMA

  12. Meta-Reductions [BV98] M DL OM DL R A EUF - CMA

  13. Meta-Reductions [BV98] M DL OM DL R A EUF - CMA

  14. EUF-CMA pk ( sk , pk ) ← Kgen (1 κ ) ( m ∗ , σ ∗ )

  15. EUF-CMA pk ( sk , pk ) ← Kgen (1 κ ) m Sign ( sk , m ) σ ( m ∗ , σ ∗ )

  16. EUF-CMA pk ( sk , pk ) ← Kgen (1 κ ) m Sign ( sk , m ) σ ( m ∗ , σ ∗ ) The attacker wins if Vrfy ( pk , m ∗ , σ ∗ ) = 1 and m � = m ∗

  17. Meta-Reductions M DL OM DL R A EUF - CMA

  18. Meta-Reductions M DL OM DL R A EUF - CMA

  19. The One-More discrete log problem [BNPS03] z 1 = g x 1 , z 2 = g x 2 x 1 , x 2

  20. The One-More discrete log problem [BNPS03] z 1 = g x 1 , z 2 = g x 2 z ′ = g x ′ log g y ′ x ′ x 1 , x 2

  21. In the non-programmable ROM Sign ( sk , m ) Vrfy ( pk , m, σ ) $ parse σ as ( c, y ) ← Z q r ? R := g r if c = H ( pk − c g y , m ) c := H ( R, m ) output 1 DL OM y := r + sk · c else z 0 , z 1 return σ = ( c, y ) output 0 M H

  22. In the non-programmable ROM Sign ( sk , m ) Vrfy ( pk , m, σ ) $ parse σ as ( c, y ) ← Z q r ? R := g r if c = H ( pk − c g y , m ) c := H ( R, m ) output 1 DL OM y := r + sk · c else z 0 , z 1 return σ = ( c, y ) output 0 z 0 M z 1 R 0 R 1 H

  23. In the non-programmable ROM Sign ( sk , m ) Vrfy ( pk , m, σ ) $ parse σ as ( c, y ) ← Z q r ? R := g r if c = H ( pk − c g y , m ) c := H ( R, m ) output 1 DL OM y := r + sk · c else z 0 , z 1 return σ = ( c, y ) output 0 z 0 M z 1 pk 0 pk 1 R 0 A 0 A 1 R 1 H

  24. In the non-programmable ROM Sign ( sk , m ) Vrfy ( pk , m, σ ) $ parse σ as ( c, y ) ← Z q r ? R := g r if c = H ( pk − c g y , m ) c := H ( R, m ) output 1 DL OM y := r + sk · c else z 0 , z 1 return σ = ( c, y ) output 0 z 0 M z 1 pk 0 pk 1 m 0 m 1 $ m 0 , m 1 ← { 0 , 1 } κ R 0 A 0 A 1 R 1 m 0 � = m 1 ( c 0 , y 0 ) ( c 1 , y 1 ) H

  25. In the non-programmable ROM Sign ( sk , m ) Vrfy ( pk , m, σ ) $ parse σ as ( c, y ) ← Z q r ? R := g r if c = H ( pk − c g y , m ) c := H ( R, m ) output 1 DL OM y := r + sk · c else z 0 , z 1 return σ = ( c, y ) output 0 z 0 M z 1 pk 0 pk 1 m 0 m 1 $ m 0 , m 1 ← { 0 , 1 } κ R 0 A 0 A 1 R 1 m 0 � = m 1 ( c 0 , y 0 ) ( c 1 , y 1 ) H

  26. In the non-programmable ROM Sign ( sk , m ) Vrfy ( pk , m, σ ) $ parse σ as ( c, y ) ← Z q r ? R := g r if c = H ( pk − c g y , m ) c := H ( R, m ) output 1 DL OM y := r + sk · c else z 0 , z 1 return σ = ( c, y ) output 0 π δ = sk 0 − sk 1 z 0 M z 1 π = pk 0 pk − 1 1 pk 0 pk 1 m 0 m 1 $ m 0 , m 1 ← { 0 , 1 } κ R 0 A 0 A 1 R 1 m 0 � = m 1 ( c 0 , y 0 ) ( c 1 , y 1 ) H

  27. In the non-programmable ROM Sign ( sk , m ) Vrfy ( pk , m, σ ) $ parse σ as ( c, y ) ← Z q r ? R := g r if c = H ( pk − c g y , m ) c := H ( R, m ) output 1 DL OM y := r + sk · c else z 0 , z 1 return σ = ( c, y ) output 0 π δ = sk 0 − sk 1 z 0 M z 1 π = pk 0 pk − 1 1 pk 0 pk 1 m 0 m 1 $ m 0 , m 1 ← { 0 , 1 } κ R 0 A 0 A 1 R 1 m 0 � = m 1 ( c 0 , y 0 ) ( c 1 , y 1 ) y ′ y ′ 0 = y 0 − δ · c 0 1 = y 1 + δ · c 1 H

  28. In the non-programmable ROM Sign ( sk , m ) Vrfy ( pk , m, σ ) $ parse σ as ( c, y ) ← Z q r ? R := g r if c = H ( pk − c g y , m ) c := H ( R, m ) output 1 DL OM y := r + sk · c else z 0 , z 1 return σ = ( c, y ) output 0 π δ = sk 0 − sk 1 z 0 M z 1 π = pk 0 pk − 1 1 pk 0 pk 1 m 0 m 1 $ m 0 , m 1 ← { 0 , 1 } κ R 0 A 0 A 1 R 1 m 0 � = m 1 ( c 0 , y 0 ) ( c 1 , y 1 ) ( c 1 , y ′ ( c 0 , y ′ 1 ) 0 ) y ′ y ′ 0 = y 0 − δ · c 0 1 = y 1 + δ · c 1 H

  29. In the non-programmable ROM Sign ( sk , m ) Vrfy ( pk , m, σ ) $ parse σ as ( c, y ) ← Z q r ? R := g r if c = H ( pk − c g y , m ) c := H ( R, m ) output 1 DL OM y := r + sk · c else z 0 , z 1 return σ = ( c, y ) output 0 π δ = sk 0 − sk 1 z 0 M z 1 π = pk 0 pk − 1 1 pk 0 pk 1 m 0 m 1 $ m 0 , m 1 ← { 0 , 1 } κ R 0 A 0 A 1 R 1 m 0 � = m 1 ( c 0 , y 0 ) ( c 1 , y 1 ) ( c 1 , y ′ ( c 0 , y ′ 1 ) 0 ) x 0 x 1 y ′ y ′ 0 = y 0 − δ · c 0 1 = y 1 + δ · c 1 x 0 , x 1 H

  30. In the non-programmable ROM Sign ( sk , m ) Vrfy ( pk , m, σ ) $ parse σ as ( c, y ) ← Z q r ? R := g r if c = H ( pk − c g y , m ) c := H ( R, m ) output 1 DL OM y := r + sk · c else z 0 , z 1 return σ = ( c, y ) output 0 π δ = sk 0 − sk 1 M R z 0 M z 1 π = pk 0 pk − 1 1 pk 0 pk 1 m 0 m 1 $ m 0 , m 1 ← { 0 , 1 } κ R 0 A 0 A 1 R 1 m 0 � = m 1 ( c 0 , y 0 ) ( c 1 , y 1 ) ( c 1 , y ′ ( c 0 , y ′ 1 ) 0 ) x 0 x 1 y ′ y ′ 0 = y 0 − δ · c 0 1 = y 1 + δ · c 1 x 0 , x 1 H

  31. Can we do better? ◮ Probably not. ◮ Going one (meta-)level deeper and using a meta-meta-reduction, we can show that removing the one-more discrete log assumption would (constructively) imply an adversary against the signature scheme.

  32. So, what does this mean? Under the One-More Discrete Log Assumption, no single instance reductions from the discrete log Problem can exist for Schnorr signatures, if they do not program the random oracle. A relaxed notion of programmability, however, is sufficient. The result is optimal in the sense that removing the assumption proves to be extremely unlikely.

  33. Open Problems ◮ We rule out DLOG reductions, but what about CDH,... ◮ Possibly even interactive assumptions?

  34. Thank You! Nils Fleischhacker fleischhacker@cs.uni-saarland.de Full version available on eprint http://eprint.iacr.org/2013/140

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Limitations of the Meta-Reduction Technique Nils Fleischhacker Technische Universit at

Limitations of the Meta-Reduction Technique Nils Fleischhacker Technische Universit at

Preliminaries Meta-Reductions Limitations Conclusion Limitations of the Meta-Reduction Technique Nils Fleischhacker Technische Universit at Darmstadt September 2, 2012 Nils Fleischhacker Technische Universit at Darmstadt Limitations

793 views • 39 slides
Does COUNTER tell the whole story? Case-by-case examples demonstrating the limitations of

Does COUNTER tell the whole story? Case-by-case examples demonstrating the limitations of

Does COUNTER tell the whole story? Case-by-case examples demonstrating the limitations of COUNTER, and suggestions for alternative evaluation metrics CARLI Spring Forum on Collections Data Analysis and Maintenance Governors State University,

467 views • 23 slides
Meta-analytic approaches for multi- stressor dose-response function development: strengths,

Meta-analytic approaches for multi- stressor dose-response function development: strengths,

Meta-analytic approaches for multi- stressor dose-response function development: strengths, limitations, and case studies Jonathan Levy, Sc.D. Professor of Environmental Health Boston University School of Public Health Methods for Research

264 views • 23 slides
Derivation reduction of metarules in meta-interpretive learning Andrew Cropper & Sophie

Derivation reduction of metarules in meta-interpretive learning Andrew Cropper & Sophie

Derivation reduction of metarules in meta-interpretive learning Andrew Cropper & Sophie Tourret Input Output Examples Background knowledge Logic program Bias Biases - Mode declarations (Progol, ILASP, Aleph, XHAIL, ) - Metarules

839 views • 51 slides
Worst-Case to Average-Case Reduction for SIS Vadim Lyubashevsky INRIA / ENS, Paris

Worst-Case to Average-Case Reduction for SIS Vadim Lyubashevsky INRIA / ENS, Paris

Worst-Case to Average-Case Reduction for SIS Vadim Lyubashevsky INRIA / ENS, Paris Lattice-Based Crypto & Applications 1 Bar-Ilan University Israel 2012 Session Outline Average-Case Problems The Small Integer Solution (SIS)

909 views • 63 slides
Optimal Sensor Placement in General Case Limitations of the . . . Scale Invariance: . . .

Optimal Sensor Placement in General Case Limitations of the . . . Scale Invariance: . . .

Outline Case Study Optimal Sensor Placement in General Case Limitations of the . . . Scale Invariance: . . . Environmental Research: Main Result Proof: Part 1 Designing a Sensor Network under Uncertainty Title Page Aline

484 views • 20 slides
Bayesian Meta Analysis and Bias Modeling: A Case Study with Relative Clause Processing in

Bayesian Meta Analysis and Bias Modeling: A Case Study with Relative Clause Processing in

Meta Analysis and Bias Modeling Bayesian Meta Analysis and Bias Modeling: A Case Study with Relative Clause Processing in Mandarin Chinese Shravan Vasishth Department Linguistik, Universit at Potsdam Centre de Recherche en Math ematiques

408 views • 18 slides
Robust Evidence Synthesis Ullrika Sahlin Thursday 9.00-12.30 1 Evidence-based Meta-analysis

Robust Evidence Synthesis Ullrika Sahlin Thursday 9.00-12.30 1 Evidence-based Meta-analysis

Robust Evidence Synthesis Ullrika Sahlin Thursday 9.00-12.30 1 Evidence-based Meta-analysis Statistical technique to combine results from multiple independent studies Consider differences in quality in studies Experi Meta-analysis Observ

611 views • 40 slides
Meta-Modelling as a Means for Improved Communication and Interoperability The Case of Frisco

Meta-Modelling as a Means for Improved Communication and Interoperability The Case of Frisco

Meta-Modelling as a Means for Improved Communication and Interoperability The Case of Frisco Petia Wohed & Birger Andersson EMOI, 13 June 2005, Porto 1 Background of our work There is terminological fuzziness in IS engineering

290 views • 10 slides
Problem Symptom Reduction Technique Identify the real problems MAY 15, 2019 Business

Problem Symptom Reduction Technique Identify the real problems MAY 15, 2019 Business

Aristotelian Problem Symptom Reduction Technique Identify the real problems MAY 15, 2019 Business Solutions Specialist Technical Analyst Business Analyst Business Architect eliciting information root cause analysis problem

649 views • 32 slides
Operationally comparable effect sizes for meta-analysis of single-case research James E.

Operationally comparable effect sizes for meta-analysis of single-case research James E.

Operationally comparable effect sizes for meta-analysis of single-case research James E. Pustejovsky Northwestern University pusto@u.northwestern.edu March 7, 2013 2 Single Case Designs Dunlap, et al. (1994). Choice making to promote

442 views • 27 slides
Cross Translation Unit Test Case Reduction Rka Kovcs / rekanikolett@gmail.com Etvs

Cross Translation Unit Test Case Reduction Rka Kovcs / rekanikolett@gmail.com Etvs

Cross Translation Unit Test Case Reduction Rka Kovcs / rekanikolett@gmail.com Etvs Lornd University / Ericsson Hungary Test Case Reduction magic big file with property of interest small file with the same (e.g. triggers crash)

438 views • 14 slides
Security Assessment Technique for SDN greenkim@konkuk.ac.kr Contents 1.

Security Assessment Technique for SDN greenkim@konkuk.ac.kr Contents 1.

Security Assessment Technique for SDN greenkim@konkuk.ac.kr Contents 1. Introduction 2. Security Analyses of SDN 3. Security Assessment Technique for SDN 3.1 Taxonomy of issues 3.2 Assessment technique 4. Case study of IMECA

223 views • 19 slides
Chapter 5 The Witness Reduction Technique Luke Dalessandro Rahul Krishna December 6, 2006 Luke

Chapter 5 The Witness Reduction Technique Luke Dalessandro Rahul Krishna December 6, 2006 Luke

Outline Chapter 5 The Witness Reduction Technique Luke Dalessandro Rahul Krishna December 6, 2006 Luke Dalessandro, Rahul Krishna Chapter 5 The Witness Reduction Technique Part I: Background Material Outline Part II: Chapter 5 Outline of

904 views • 79 slides
Limitations on Transformations from Composite-Order to Prime-Order Groups: The Case of

Limitations on Transformations from Composite-Order to Prime-Order Groups: The Case of

Limitations on Transformations from Composite-Order to Prime-Order Groups: The Case of Round-Optimal Blind Signatures Sarah Meiklejohn (UC San Diego) Hovav Shacham (UC San Diego) David Mandell Freeman (Stanford University) 1 Elliptic curves:

1.09k views • 77 slides
Coping at the User-Level with Resource Limitations in the Cray Message Passing Toolkit MPI at

Coping at the User-Level with Resource Limitations in the Cray Message Passing Toolkit MPI at

Introduction Limitations in Cray MPT Application Case Studies Conclusions Coping at the User-Level with Resource Limitations in the Cray Message Passing Toolkit MPI at Scale: How Not to Spend Your Summer Vacation Richard T. Mills 1 , Forrest

460 views • 20 slides
Supergravity in Phenomenology and Cosmology Supergravity in Phenomenology and Cosmology CMSSM -

Supergravity in Phenomenology and Cosmology Supergravity in Phenomenology and Cosmology CMSSM -

Supergravity in Phenomenology and Cosmology Supergravity in Phenomenology and Cosmology CMSSM - supergravity inspired m 0 , m 1/2 , A 0 , tan Supergravity in Phenomenology and Cosmology CMSSM - supergravity inspired m 0 , m 1/2 , A 0 , tan

399 views • 13 slides
Expedient Non-Malleability Notions for Hash Functions CT-RSA 2011 Paul Baecher, Marc Fischlin,

Expedient Non-Malleability Notions for Hash Functions CT-RSA 2011 Paul Baecher, Marc Fischlin,

Expedient Non-Malleability Notions for Hash Functions CT-RSA 2011 Paul Baecher, Marc Fischlin, Dominique Schr oder Darmstadt University of Technology, supported by DFG Emmy Noether Program Introduction: Non-Malleability Introduced

819 views • 22 slides
M6S2 - P-values Professor Jarad Niemi STAT 226 - Iowa State University October 30, 2018

M6S2 - P-values Professor Jarad Niemi STAT 226 - Iowa State University October 30, 2018

M6S2 - P-values Professor Jarad Niemi STAT 226 - Iowa State University October 30, 2018 Professor Jarad Niemi (STAT226@ISU) M6S2 - P-values October 30, 2018 1 / 18 Outline Review of statistical hypotheses Null vs alternative One-sided vs

489 views • 18 slides
Analysis on Keller-Segel Models in Chemotaxis Li CHEN Universit at Mannheim 03.2019, Potsdam

Analysis on Keller-Segel Models in Chemotaxis Li CHEN Universit at Mannheim 03.2019, Potsdam

Keller-Segel model with linear diffusion Keller-Segel equation with nonlinear diffusion in multi-D Keller-Segel model with nonlinear nonlocal reaction Analysis on Keller-Segel Models in Chemotaxis Li CHEN Universit at Mannheim 03.2019,

432 views • 26 slides
E XTREMAL CASE 1 Extremal Case 1 : There exists a balanced partition of V ( G ) into V 1 and V 2

E XTREMAL CASE 1 Extremal Case 1 : There exists a balanced partition of V ( G ) into V 1 and V 2

S OME RECENT APPLICATIONS OF S ZEMERDI S R EGULARITY L EMMA Weihua He Department of Applied Mathematics, Guangdong University of Technology O UTLINE 1 S ZEMERDI S R EGULARITY L EMMA 2 L OCATING VERTICES ON H AMILTONIAN CYCLES 3 S KETCH

456 views • 41 slides
Exact Lifted Inference with Distinct Soft Evidence on Every Object Hung Hai Bui, Tuyen N. Huynh,

Exact Lifted Inference with Distinct Soft Evidence on Every Object Hung Hai Bui, Tuyen N. Huynh,

Exact Lifted Inference with Distinct Soft Evidence on Every Object Hung Hai Bui, Tuyen N. Huynh, Rodrigo de Salvo Braz Artificial Intelligence Center SRI International Menlo Park, CA, USA July 26, 2012 AAAI 2012 1/18 Outline 1 Outline 2

728 views • 18 slides
Last time on Types ... I Modified ML with polymorphic types anywhere Identity, Generalisation and

Last time on Types ... I Modified ML with polymorphic types anywhere Identity, Generalisation and

Last time on Types ... I Modified ML with polymorphic types anywhere Identity, Generalisation and Specialisation ` x : if ( x : ) 2 ( id ) ` M : if / 2 ftv ( ) ( gen ) ` M : 8 ( ) ` M : 8 ( ) ( spec ) `

381 views • 22 slides
Direction Finding Using Sparse Linear Arrays with Missing Data Mianzhi Wang, Zhen Zhang, and Arye

Direction Finding Using Sparse Linear Arrays with Missing Data Mianzhi Wang, Zhen Zhang, and Arye

CSSIP Direction Finding Using Sparse Linear Arrays with Missing Data Mianzhi Wang, Zhen Zhang, and Arye Nehorai Preston M. Green Department of Electrical & Systems Engineering Washington University in St. Louis March 8, 2017 1 CSSIP

462 views • 29 slides

More recommend