on the exact security of schnorr type signatures in the
play

On the Exact Security of Schnorr-Type Signatures in the Random - PowerPoint PPT Presentation

Mar 25, 2023 •278 likes •1.45k views

On the Exact Security of Schnorr-Type Signatures in the Random Oracle Model Yannick Seurin ANSSI, France 18 April, EUROCRYPT 2012 Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 1 / 28 Introduction Introduction

  1. Schnorr Signatures and The Forking Lemma Schnorr signatures G cyclic group of prime order q and G a generator of G secret key: x ∈ r Z q \ { 0 } public key: X = G x Sign ( m ) , m ∈ { 0 , 1 } ∗ : A = G a a ∈ r Z q , A = G a (commitment) − − − − − − − − − → c c = H ( m , A ) (challenge) ← − − − − − − − − − s = a + cx s = a + cx mod q (answer) − − − − − − − − − → signature is ( s , c ) Verif ( m , ( s , c )) : A = G s X − c check H ( m , A ) = c Here H is modeled as a random oracle H Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 5 / 28

  2. Schnorr Signatures and The Forking Lemma Schnorr signatures G cyclic group of prime order q and G a generator of G secret key: x ∈ r Z q \ { 0 } public key: X = G x Sign ( m ) , m ∈ { 0 , 1 } ∗ : A = G a a ∈ r Z q , A = G a (commitment) − − − − − − − − − → c c = H ( m , A ) (challenge) ← − − − − − − − − − s = a + cx s = a + cx mod q (answer) − − − − − − − − − → signature is ( s , c ) Verif ( m , ( s , c )) : A = G s X − c check H ( m , A ) = c Here H is modeled as a random oracle H Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 5 / 28

  3. Schnorr Signatures and The Forking Lemma Schnorr signatures G cyclic group of prime order q and G a generator of G secret key: x ∈ r Z q \ { 0 } public key: X = G x Sign ( m ) , m ∈ { 0 , 1 } ∗ : A = G a a ∈ r Z q , A = G a (commitment) − − − − − − − − − → c c = H ( m , A ) (challenge) ← − − − − − − − − − s = a + cx s = a + cx mod q (answer) − − − − − − − − − → signature is ( s , c ) Verif ( m , ( s , c )) : A = G s X − c check H ( m , A ) = c Here H is modeled as a random oracle H Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 5 / 28

  4. Schnorr Signatures and The Forking Lemma Schnorr signatures G cyclic group of prime order q and G a generator of G secret key: x ∈ r Z q \ { 0 } public key: X = G x Sign ( m ) , m ∈ { 0 , 1 } ∗ : A = G a a ∈ r Z q , A = G a (commitment) − − − − − − − − − → c c = H ( m , A ) (challenge) ← − − − − − − − − − s = a + cx s = a + cx mod q (answer) − − − − − − − − − → signature is ( s , c ) Verif ( m , ( s , c )) : A = G s X − c check H ( m , A ) = c Here H is modeled as a random oracle H Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 5 / 28

  5. Schnorr Signatures and The Forking Lemma Schnorr signatures G cyclic group of prime order q and G a generator of G secret key: x ∈ r Z q \ { 0 } public key: X = G x Sign ( m ) , m ∈ { 0 , 1 } ∗ : A = G a a ∈ r Z q , A = G a (commitment) − − − − − − − − − → c c = H ( m , A ) (challenge) ← − − − − − − − − − s = a + cx s = a + cx mod q (answer) − − − − − − − − − → signature is ( s , c ) Verif ( m , ( s , c )) : A = G s X − c check H ( m , A ) = c Here H is modeled as a random oracle H Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 5 / 28

  6. Schnorr Signatures and The Forking Lemma Schnorr signatures G cyclic group of prime order q and G a generator of G secret key: x ∈ r Z q \ { 0 } public key: X = G x Sign ( m ) , m ∈ { 0 , 1 } ∗ : A = G a a ∈ r Z q , A = G a (commitment) − − − − − − − − − → c c = H ( m , A ) (challenge) ← − − − − − − − − − s = a + cx s = a + cx mod q (answer) − − − − − − − − − → signature is ( s , c ) Verif ( m , ( s , c )) : A = G s X − c check H ( m , A ) = c Here H is modeled as a random oracle H Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 5 / 28

  7. Schnorr Signatures and The Forking Lemma Forger adversary against Schnorr signatures we focus on universal forgery under no-message attacks: the adversary is given a message m and a public key X and must return a forgery ( s , c ) for m (it cannot make signature queries) the random tape of the forger will be explicitly denoted ω parameters characterizing a forger F : ( m , X , ω ) F ( s , c ) running time t F success probability ε F ≤ q h → time-to-success ratio ρ F = t F /ε F H maximal number of RO queries q h pictorial representation of a forgery experiment: ( m , X , ω ) c 1 c 2 c ℓ A 1 A 2 A 3 A ℓ A q h forgery ( s ℓ , c ℓ ) with s ℓ = DLog ( A ℓ X c ℓ ) Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 6 / 28

  8. Schnorr Signatures and The Forking Lemma Forger adversary against Schnorr signatures we focus on universal forgery under no-message attacks: the adversary is given a message m and a public key X and must return a forgery ( s , c ) for m (it cannot make signature queries) the random tape of the forger will be explicitly denoted ω parameters characterizing a forger F : ( m , X , ω ) F ( s , c ) running time t F success probability ε F ≤ q h → time-to-success ratio ρ F = t F /ε F H maximal number of RO queries q h pictorial representation of a forgery experiment: ( m , X , ω ) c 1 c 2 c ℓ A 1 A 2 A 3 A ℓ A q h forgery ( s ℓ , c ℓ ) with s ℓ = DLog ( A ℓ X c ℓ ) Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 6 / 28

  9. Schnorr Signatures and The Forking Lemma Forger adversary against Schnorr signatures we focus on universal forgery under no-message attacks: the adversary is given a message m and a public key X and must return a forgery ( s , c ) for m (it cannot make signature queries) the random tape of the forger will be explicitly denoted ω parameters characterizing a forger F : ( m , X , ω ) F ( s , c ) running time t F success probability ε F ≤ q h → time-to-success ratio ρ F = t F /ε F H maximal number of RO queries q h pictorial representation of a forgery experiment: ( m , X , ω ) c 1 c 2 c ℓ A 1 A 2 A 3 A ℓ A q h forgery ( s ℓ , c ℓ ) with s ℓ = DLog ( A ℓ X c ℓ ) Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 6 / 28

  10. Schnorr Signatures and The Forking Lemma Forger adversary against Schnorr signatures we focus on universal forgery under no-message attacks: the adversary is given a message m and a public key X and must return a forgery ( s , c ) for m (it cannot make signature queries) the random tape of the forger will be explicitly denoted ω parameters characterizing a forger F : ( m , X , ω ) F ( s , c ) running time t F success probability ε F ≤ q h → time-to-success ratio ρ F = t F /ε F H maximal number of RO queries q h pictorial representation of a forgery experiment: ( m , X , ω ) c 1 c 2 c ℓ A 1 A 2 A 3 A ℓ A q h forgery ( s ℓ , c ℓ ) with s ℓ = DLog ( A ℓ X c ℓ ) Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 6 / 28

  11. Schnorr Signatures and The Forking Lemma Forger adversary against Schnorr signatures we focus on universal forgery under no-message attacks: the adversary is given a message m and a public key X and must return a forgery ( s , c ) for m (it cannot make signature queries) the random tape of the forger will be explicitly denoted ω parameters characterizing a forger F : ( m , X , ω ) F ( s , c ) running time t F success probability ε F ≤ q h → time-to-success ratio ρ F = t F /ε F H maximal number of RO queries q h pictorial representation of a forgery experiment: ( m , X , ω ) c 1 c 2 c ℓ A 1 A 2 A 3 A ℓ A q h forgery ( s ℓ , c ℓ ) with s ℓ = DLog ( A ℓ X c ℓ ) Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 6 / 28

  12. Schnorr Signatures and The Forking Lemma Extracting discrete logarithms from a forger given a forger F , one can build a reduction R which solves the DL problem for the public key X = G x using F as a black-box main idea: have the forger output two forgeries ( s 1 , c 1 ) and ( s 2 , c 2 ) for the same message m and the same commitment A = G a , so that: x = s 1 − s 2 s 1 = a + c 1 x and s 2 = a + c 2 x ⇒ mod q c 1 − c 2 ( m , X , ω ) ( s , c ) F H x = DLog ( X ) X R Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 7 / 28

  13. Schnorr Signatures and The Forking Lemma Extracting discrete logarithms from a forger given a forger F , one can build a reduction R which solves the DL problem for the public key X = G x using F as a black-box main idea: have the forger output two forgeries ( s 1 , c 1 ) and ( s 2 , c 2 ) for the same message m and the same commitment A = G a , so that: x = s 1 − s 2 s 1 = a + c 1 x and s 2 = a + c 2 x ⇒ mod q c 1 − c 2 ( m , X , ω ) ( s , c ) F R . H x = DLog ( X ) X R Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 7 / 28

  14. Schnorr Signatures and The Forking Lemma Extracting discrete logarithms from a forger given a forger F , one can build a reduction R which solves the DL problem for the public key X = G x using F as a black-box main idea: have the forger output two forgeries ( s 1 , c 1 ) and ( s 2 , c 2 ) for the same message m and the same commitment A = G a , so that: x = s 1 − s 2 s 1 = a + c 1 x and s 2 = a + c 2 x ⇒ mod q c 1 − c 2 ( m , X , ω ) ( s , c ) F R . H x = DLog ( X ) X R Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 7 / 28

  15. Schnorr Signatures and The Forking Lemma Multiple invocations of the forger: forking how does R obtain two forgeries for the same commitment A ? ⇒ “replay attack” run F until it returns a first forgery for some RO query index ℓ ∈ [ 1 .. q h ] replay the attack up to the forgery point, using new random RO answers from this point keep doing this until F returns a new forgery for the same RO query ( m , X , ω ) c 1 c 2 c ℓ A 1 A 2 A 3 A ℓ A q h Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 8 / 28

  16. Schnorr Signatures and The Forking Lemma Multiple invocations of the forger: forking how does R obtain two forgeries for the same commitment A ? ⇒ “replay attack” run F until it returns a first forgery for some RO query index ℓ ∈ [ 1 .. q h ] replay the attack up to the forgery point, using new random RO answers from this point keep doing this until F returns a new forgery for the same RO query ( m , X , ω ) c 1 c 2 c ℓ A 1 A 2 A 3 A ℓ A q h Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 8 / 28

  17. Schnorr Signatures and The Forking Lemma Multiple invocations of the forger: forking how does R obtain two forgeries for the same commitment A ? ⇒ “replay attack” run F until it returns a first forgery for some RO query index ℓ ∈ [ 1 .. q h ] replay the attack up to the forgery point, using new random RO answers from this point keep doing this until F returns a new forgery for the same RO query ( m , X , ω ) c 1 c 2 c ℓ A 1 A 2 A 3 A ℓ A q h Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 8 / 28

  18. Schnorr Signatures and The Forking Lemma Multiple invocations of the forger: forking how does R obtain two forgeries for the same commitment A ? ⇒ “replay attack” run F until it returns a first forgery for some RO query index ℓ ∈ [ 1 .. q h ] replay the attack up to the forgery point, using new random RO answers from this point keep doing this until F returns a new forgery for the same RO query ( m , X , ω ) c 1 c 2 c ℓ A 1 A 2 A 3 A ℓ A q h Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 8 / 28

  19. Schnorr Signatures and The Forking Lemma Multiple invocations of the forger: forking how does R obtain two forgeries for the same commitment A ? ⇒ “replay attack” run F until it returns a first forgery for some RO query index ℓ ∈ [ 1 .. q h ] replay the attack up to the forgery point, using new random RO answers from this point keep doing this until F returns a new forgery for the same RO query ( m , X , ω ) c 1 c 2 c ℓ A 1 A 2 A 3 A ℓ A q h Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 8 / 28

  20. Schnorr Signatures and The Forking Lemma Multiple invocations of the forger: forking how does R obtain two forgeries for the same commitment A ? ⇒ “replay attack” run F until it returns a first forgery for some RO query index ℓ ∈ [ 1 .. q h ] replay the attack up to the forgery point, using new random RO answers from this point keep doing this until F returns a new forgery for the same RO query ( m , X , ω ) c 1 c 2 c ℓ A 1 A 2 A 3 A ℓ A q h Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 8 / 28

  21. Schnorr Signatures and The Forking Lemma Success probability of the reduction: the Forking Lemma to obtain the first forgery with constant proba.: ⇒ run the forger ≃ 1 /ε F times to obtain the second forgery with constant proba.: ⇒ run the forger ≃ q h /ε F times total running time t R ≃ q h /ε F × t F for constant success proba. ⇒ time-to-success ratio of the reduction: ρ R ≃ q h ρ F ⇒ loses a factor q h no matching attack known! (best known attack = computing discrete log) Question Is there a better reduction with a time-to-success ratio closer to the one of the forger? Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 9 / 28

  22. Schnorr Signatures and The Forking Lemma Success probability of the reduction: the Forking Lemma to obtain the first forgery with constant proba.: ⇒ run the forger ≃ 1 /ε F times to obtain the second forgery with constant proba.: ⇒ run the forger ≃ q h /ε F times total running time t R ≃ q h /ε F × t F for constant success proba. ⇒ time-to-success ratio of the reduction: ρ R ≃ q h ρ F ⇒ loses a factor q h no matching attack known! (best known attack = computing discrete log) Question Is there a better reduction with a time-to-success ratio closer to the one of the forger? Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 9 / 28

  23. Schnorr Signatures and The Forking Lemma Success probability of the reduction: the Forking Lemma to obtain the first forgery with constant proba.: ⇒ run the forger ≃ 1 /ε F times to obtain the second forgery with constant proba.: ⇒ run the forger ≃ q h /ε F times total running time t R ≃ q h /ε F × t F for constant success proba. ⇒ time-to-success ratio of the reduction: ρ R ≃ q h ρ F ⇒ loses a factor q h no matching attack known! (best known attack = computing discrete log) Question Is there a better reduction with a time-to-success ratio closer to the one of the forger? Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 9 / 28

  24. Schnorr Signatures and The Forking Lemma Success probability of the reduction: the Forking Lemma to obtain the first forgery with constant proba.: ⇒ run the forger ≃ 1 /ε F times to obtain the second forgery with constant proba.: ⇒ run the forger ≃ q h /ε F times total running time t R ≃ q h /ε F × t F for constant success proba. ⇒ time-to-success ratio of the reduction: ρ R ≃ q h ρ F ⇒ loses a factor q h no matching attack known! (best known attack = computing discrete log) Question Is there a better reduction with a time-to-success ratio closer to the one of the forger? Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 9 / 28

  25. Schnorr Signatures and The Forking Lemma Success probability of the reduction: the Forking Lemma to obtain the first forgery with constant proba.: ⇒ run the forger ≃ 1 /ε F times to obtain the second forgery with constant proba.: ⇒ run the forger ≃ q h /ε F times total running time t R ≃ q h /ε F × t F for constant success proba. ⇒ time-to-success ratio of the reduction: ρ R ≃ q h ρ F ⇒ loses a factor q h no matching attack known! (best known attack = computing discrete log) Question Is there a better reduction with a time-to-success ratio closer to the one of the forger? Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 9 / 28

  26. Meta-Reductions Outline Schnorr Signatures and The Forking Lemma 1 Meta-Reductions 2 Main Result 3 Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 10 / 28

  27. Meta-Reductions The concept of meta-reduction Boneh and Venkatesan (EC ’98) example: If there is an (algebraic) reduction R from factoring to solving the RSA problem with small public exponents, then there is a meta-reduction M factoring RSA moduli directly (using R ) ⇒ algebraic reductions from factoring to breaking low-RSA exponents cannot exist unless factoring is easy here, we will show that an (algebraic) reduction from the Discrete Log (DL) problem to forging Schnorr signatures cannot be tight, unless the One More Discrete Logarithm (OMDL) problem is easy Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 11 / 28

  28. Meta-Reductions The concept of meta-reduction Boneh and Venkatesan (EC ’98) example: If there is an (algebraic) reduction R from factoring to solving the RSA problem with small public exponents, then there is a meta-reduction M factoring RSA moduli directly (using R ) ⇒ algebraic reductions from factoring to breaking low-RSA exponents cannot exist unless factoring is easy here, we will show that an (algebraic) reduction from the Discrete Log (DL) problem to forging Schnorr signatures cannot be tight, unless the One More Discrete Logarithm (OMDL) problem is easy Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 11 / 28

  29. Meta-Reductions The One More Discrete Logarithm (OMDL) problem Definition M solves the OMDL problem if given ( A 0 , A 1 , . . . , A n ) ∈ r G n + 1 , it returns the discrete log of all A i ’s by making at most n calls to a discrete log oracle DLog ( · ) . DLog ( · ) ≤ n DLog ( A 0 ) , . . . , DLog ( A n ) A 0 , . . . , A n M Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 12 / 28

  30. Meta-Reductions Restriction to algebraic reductions Definition An algorithm R is algebraic (w.r.t. G ) if it only applies group operations on group elements (no bit manipulation, e.g. G ⊕ G ′ ). Consequence There exists a procedure Extract which, given the group elements ( G 1 , . . . , G k ) input to R , R ’s code and random tape, and any group element Y output by R , extracts ( α 1 , . . . , α k ) such that: Y = G α 1 1 · · · G α k k NB: all known reductions for DL-based cryptosystems are algebraic (in particular the reduction of [PS96] for Schnorr signatures) Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 13 / 28

  31. Meta-Reductions Restriction to algebraic reductions Definition An algorithm R is algebraic (w.r.t. G ) if it only applies group operations on group elements (no bit manipulation, e.g. G ⊕ G ′ ). Consequence There exists a procedure Extract which, given the group elements ( G 1 , . . . , G k ) input to R , R ’s code and random tape, and any group element Y output by R , extracts ( α 1 , . . . , α k ) such that: Y = G α 1 1 · · · G α k k NB: all known reductions for DL-based cryptosystems are algebraic (in particular the reduction of [PS96] for Schnorr signatures) Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 13 / 28

  32. Meta-Reductions Restriction to algebraic reductions Definition An algorithm R is algebraic (w.r.t. G ) if it only applies group operations on group elements (no bit manipulation, e.g. G ⊕ G ′ ). Consequence There exists a procedure Extract which, given the group elements ( G 1 , . . . , G k ) input to R , R ’s code and random tape, and any group element Y output by R , extracts ( α 1 , . . . , α k ) such that: Y = G α 1 1 · · · G α k k NB: all known reductions for DL-based cryptosystems are algebraic (in particular the reduction of [PS96] for Schnorr signatures) Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 13 / 28

  33. Meta-Reductions Meta-reduction: main idea DLog ( · ) ≤ n M DLog ( A 0 ) , . . . , DLog ( A n ) A 0 , . . . , A n ( m , X , ω ) ( s , c ) F ≤ n ≤ q h R . H A 0 DLog ( A 0 ) R n =number of times the reduction runs the forger Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 14 / 28

  34. Meta-Reductions Meta-reduction: main idea DLog ( · ) ≤ n M DLog ( A 0 ) , . . . , DLog ( A n ) A 0 , . . . , A n ( m , X , ω ) ( s , c ) M . F ≤ n ≤ q h R . H A 0 DLog ( A 0 ) R n =number of times the reduction runs the forger Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 14 / 28

  35. Meta-Reductions Meta-reduction: the general strategy M receives ( A 0 , A 1 , . . . , A n ) as input and uses A 0 as input to R M uses A i , i = 1 , . . . , n during the i -th simulation of the forger to β qh construct q h commitments A β 1 i , . . . , A i for each simulation, M chooses some forgery index ℓ i (more on the choice later) and uses its discrete log oracle to forge a signature ( s i , c i ) β ℓ i c ℓ i by querying s i = DLog ( A X ) i i if the reduction succeeds in returning a 0 = DLog ( A 0 ) , and unless some bad event happens, M will be able to use a 0 and ( s i , c i ) to compute a i = DLog ( A i ) for i = 1 , . . . , n ( m i , X i , ω i ) c ℓ i c 1 c 2 A β 1 A β 2 A β 3 β ℓ i β qh A A i i i i i Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 15 / 28

  36. Meta-Reductions Meta-reduction: the general strategy M receives ( A 0 , A 1 , . . . , A n ) as input and uses A 0 as input to R M uses A i , i = 1 , . . . , n during the i -th simulation of the forger to β qh construct q h commitments A β 1 i , . . . , A i for each simulation, M chooses some forgery index ℓ i (more on the choice later) and uses its discrete log oracle to forge a signature ( s i , c i ) β ℓ i c ℓ i by querying s i = DLog ( A X ) i i if the reduction succeeds in returning a 0 = DLog ( A 0 ) , and unless some bad event happens, M will be able to use a 0 and ( s i , c i ) to compute a i = DLog ( A i ) for i = 1 , . . . , n ( m i , X i , ω i ) c ℓ i c 1 c 2 A β 1 A β 2 A β 3 β ℓ i β qh A A i i i i i Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 15 / 28

  37. Meta-Reductions Meta-reduction: the general strategy M receives ( A 0 , A 1 , . . . , A n ) as input and uses A 0 as input to R M uses A i , i = 1 , . . . , n during the i -th simulation of the forger to β qh construct q h commitments A β 1 i , . . . , A i for each simulation, M chooses some forgery index ℓ i (more on the choice later) and uses its discrete log oracle to forge a signature ( s i , c i ) β ℓ i c ℓ i by querying s i = DLog ( A X ) i i if the reduction succeeds in returning a 0 = DLog ( A 0 ) , and unless some bad event happens, M will be able to use a 0 and ( s i , c i ) to compute a i = DLog ( A i ) for i = 1 , . . . , n ( m i , X i , ω i ) c ℓ i c 1 c 2 A β 1 A β 2 A β 3 β ℓ i β qh A A i i i i i Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 15 / 28

  38. Meta-Reductions Meta-reduction: the general strategy M receives ( A 0 , A 1 , . . . , A n ) as input and uses A 0 as input to R M uses A i , i = 1 , . . . , n during the i -th simulation of the forger to β qh construct q h commitments A β 1 i , . . . , A i for each simulation, M chooses some forgery index ℓ i (more on the choice later) and uses its discrete log oracle to forge a signature ( s i , c i ) β ℓ i c ℓ i by querying s i = DLog ( A X ) i i if the reduction succeeds in returning a 0 = DLog ( A 0 ) , and unless some bad event happens, M will be able to use a 0 and ( s i , c i ) to compute a i = DLog ( A i ) for i = 1 , . . . , n ( m i , X i , ω i ) c ℓ i c 1 c 2 A β 1 A β 2 A β 3 β ℓ i β qh A A i i i i i Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 15 / 28

  39. Meta-Reductions Extraction of DLog ( A i ) by the meta-reduction if the simulation of the forger by M is OK, R returns a 0 = DLog ( A 0 ) (with probability ≃ ε R ) M must then use a 0 and the forged signatures ( s i , c i ) to compute DLog ( A i ) for i = 1 , . . . , n the i -th forgery was computed with s i = DLog ( A β i X c i i ) → computing DLog ( A i ) ⇔ computing DLog ( X i ) how can M retrieve the discrete log of the public keys X i received from the reduction R ? ⇒ restriction to algebraic reductions group elements input to R : G , A 0 procedure Extract yields γ i , γ ′ i such that γ ′ X i = G γ i A 0 = G γ i + a 0 γ ′ i i Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 16 / 28

  40. Meta-Reductions Extraction of DLog ( A i ) by the meta-reduction if the simulation of the forger by M is OK, R returns a 0 = DLog ( A 0 ) (with probability ≃ ε R ) M must then use a 0 and the forged signatures ( s i , c i ) to compute DLog ( A i ) for i = 1 , . . . , n the i -th forgery was computed with s i = DLog ( A β i X c i i ) → computing DLog ( A i ) ⇔ computing DLog ( X i ) how can M retrieve the discrete log of the public keys X i received from the reduction R ? ⇒ restriction to algebraic reductions group elements input to R : G , A 0 procedure Extract yields γ i , γ ′ i such that γ ′ X i = G γ i A 0 = G γ i + a 0 γ ′ i i Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 16 / 28

  41. Meta-Reductions Extraction of DLog ( A i ) by the meta-reduction if the simulation of the forger by M is OK, R returns a 0 = DLog ( A 0 ) (with probability ≃ ε R ) M must then use a 0 and the forged signatures ( s i , c i ) to compute DLog ( A i ) for i = 1 , . . . , n the i -th forgery was computed with s i = DLog ( A β i X c i i ) → computing DLog ( A i ) ⇔ computing DLog ( X i ) how can M retrieve the discrete log of the public keys X i received from the reduction R ? ⇒ restriction to algebraic reductions group elements input to R : G , A 0 procedure Extract yields γ i , γ ′ i such that γ ′ X i = G γ i A 0 = G γ i + a 0 γ ′ i i Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 16 / 28

  42. Meta-Reductions Extraction of DLog ( A i ) by the meta-reduction if the simulation of the forger by M is OK, R returns a 0 = DLog ( A 0 ) (with probability ≃ ε R ) M must then use a 0 and the forged signatures ( s i , c i ) to compute DLog ( A i ) for i = 1 , . . . , n the i -th forgery was computed with s i = DLog ( A β i X c i i ) → computing DLog ( A i ) ⇔ computing DLog ( X i ) how can M retrieve the discrete log of the public keys X i received from the reduction R ? ⇒ restriction to algebraic reductions group elements input to R : G , A 0 procedure Extract yields γ i , γ ′ i such that γ ′ X i = G γ i A 0 = G γ i + a 0 γ ′ i i Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 16 / 28

  43. Meta-Reductions Extraction of DLog ( A i ) by the meta-reduction if the simulation of the forger by M is OK, R returns a 0 = DLog ( A 0 ) (with probability ≃ ε R ) M must then use a 0 and the forged signatures ( s i , c i ) to compute DLog ( A i ) for i = 1 , . . . , n the i -th forgery was computed with s i = DLog ( A β i X c i i ) → computing DLog ( A i ) ⇔ computing DLog ( X i ) how can M retrieve the discrete log of the public keys X i received from the reduction R ? ⇒ restriction to algebraic reductions group elements input to R : G , A 0 procedure Extract yields γ i , γ ′ i such that γ ′ X i = G γ i A 0 = G γ i + a 0 γ ′ i i Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 16 / 28

  44. Meta-Reductions Extraction of DLog ( A i ) by the meta-reduction if the simulation of the forger by M is OK, R returns a 0 = DLog ( A 0 ) (with probability ≃ ε R ) M must then use a 0 and the forged signatures ( s i , c i ) to compute DLog ( A i ) for i = 1 , . . . , n the i -th forgery was computed with s i = DLog ( A β i X c i i ) → computing DLog ( A i ) ⇔ computing DLog ( X i ) how can M retrieve the discrete log of the public keys X i received from the reduction R ? ⇒ restriction to algebraic reductions group elements input to R : G , A 0 procedure Extract yields γ i , γ ′ i such that γ ′ X i = G γ i A 0 = G γ i + a 0 γ ′ i i Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 16 / 28

  45. Meta-Reductions A bad event which makes the meta-reduction fail two simulations may share some common history (under control of R !) as in the Forking Lemma M fails if it forges two signatures for the same commitment because it will make a useless call to DLog ( · ) → event Bad happens NB: this is exactly the event which makes the reduction succeed in the Forking Lemma unless Pr [ Bad ] ≃ 1, we get a contradiction since otherwise M is an efficient and successful algorithm for the OMDL problem β ℓ i + 1 β ℓ i + 2 β qh A A A i + 1 i + 1 i + 1 ( m i , X i , ω i ) c 1 c 2 c ℓ i A β 1 A β 2 A β 3 β ℓ i β qh A A i i i i i Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 17 / 28

  46. Meta-Reductions A bad event which makes the meta-reduction fail two simulations may share some common history (under control of R !) as in the Forking Lemma M fails if it forges two signatures for the same commitment because it will make a useless call to DLog ( · ) → event Bad happens NB: this is exactly the event which makes the reduction succeed in the Forking Lemma unless Pr [ Bad ] ≃ 1, we get a contradiction since otherwise M is an efficient and successful algorithm for the OMDL problem β ℓ i + 1 β ℓ i + 2 β qh A A A i + 1 i + 1 i + 1 ( m i , X i , ω i ) c 1 c 2 c ℓ i A β 1 A β 2 A β 3 β ℓ i β qh A A i i i i i Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 17 / 28

  47. Meta-Reductions A bad event which makes the meta-reduction fail two simulations may share some common history (under control of R !) as in the Forking Lemma M fails if it forges two signatures for the same commitment because it will make a useless call to DLog ( · ) → event Bad happens NB: this is exactly the event which makes the reduction succeed in the Forking Lemma unless Pr [ Bad ] ≃ 1, we get a contradiction since otherwise M is an efficient and successful algorithm for the OMDL problem β ℓ i + 1 β ℓ i + 2 β qh A A A i + 1 i + 1 i + 1 ( m i , X i , ω i ) c 1 c 2 c ℓ i A β 1 A β 2 A β 3 β ℓ i β qh A A i i i i i Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 17 / 28

  48. Meta-Reductions A bad event which makes the meta-reduction fail two simulations may share some common history (under control of R !) as in the Forking Lemma M fails if it forges two signatures for the same commitment because it will make a useless call to DLog ( · ) → event Bad happens NB: this is exactly the event which makes the reduction succeed in the Forking Lemma unless Pr [ Bad ] ≃ 1, we get a contradiction since otherwise M is an efficient and successful algorithm for the OMDL problem β ℓ i + 1 β ℓ i + 2 β qh A A A i + 1 i + 1 i + 1 ( m i , X i , ω i ) c 1 c 2 c ℓ i A β 1 A β 2 A β 3 β ℓ i β qh A A i i i i i Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 17 / 28

  49. Meta-Reductions A bad event which makes the meta-reduction fail two simulations may share some common history (under control of R !) as in the Forking Lemma M fails if it forges two signatures for the same commitment because it will make a useless call to DLog ( · ) → event Bad happens NB: this is exactly the event which makes the reduction succeed in the Forking Lemma unless Pr [ Bad ] ≃ 1, we get a contradiction since otherwise M is an efficient and successful algorithm for the OMDL problem β ℓ i + 1 β ℓ i + 2 β qh A A A i + 1 i + 1 i + 1 ( m i , X i , ω i ) c 1 c 2 c ℓ i A β 1 A β 2 A β 3 β ℓ i β qh A A i i i i i Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 17 / 28

  50. Meta-Reductions A bad event which makes the meta-reduction fail two simulations may share some common history (under control of R !) as in the Forking Lemma M fails if it forges two signatures for the same commitment because it will make a useless call to DLog ( · ) → event Bad happens NB: this is exactly the event which makes the reduction succeed in the Forking Lemma unless Pr [ Bad ] ≃ 1, we get a contradiction since otherwise M is an efficient and successful algorithm for the OMDL problem β ℓ i + 1 β ℓ i + 2 β qh A A A i + 1 i + 1 i + 1 ( m i , X i , ω i ) c 1 c 2 c ℓ i A β 1 A β 2 A β 3 β ℓ i β qh A A i i i i i Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 17 / 28

  51. Meta-Reductions Simulation of the forger: choice of the forgery index how should the meta-reduction choose the forgery index ℓ i for the i -th execution? cannot choose ℓ 1 = 1, ℓ 2 = 2, etc. (the reduction would “notice” that a simulation is ongoing) natural choice: draw ℓ i uniformly at random in [ 1 .. q h ] independently for each execution i = 1 , . . . , n this is what was done in previous work [PV05,GBL08] straightforward analysis [PV05]: Pr [ Bad ] ≃ n 2 n ≃ q 1 / 2 ⇒ for Pr [ Bad ] ≃ 1 h q h more careful analysis [GBL08]: Pr [ Bad ] ≃ n 3 / 2 n ≃ q 2 / 3 ⇒ for Pr [ Bad ] ≃ 1 h q h Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 18 / 28

  52. Meta-Reductions Simulation of the forger: choice of the forgery index how should the meta-reduction choose the forgery index ℓ i for the i -th execution? cannot choose ℓ 1 = 1, ℓ 2 = 2, etc. (the reduction would “notice” that a simulation is ongoing) natural choice: draw ℓ i uniformly at random in [ 1 .. q h ] independently for each execution i = 1 , . . . , n this is what was done in previous work [PV05,GBL08] straightforward analysis [PV05]: Pr [ Bad ] ≃ n 2 n ≃ q 1 / 2 ⇒ for Pr [ Bad ] ≃ 1 h q h more careful analysis [GBL08]: Pr [ Bad ] ≃ n 3 / 2 n ≃ q 2 / 3 ⇒ for Pr [ Bad ] ≃ 1 h q h Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 18 / 28

  53. Meta-Reductions Simulation of the forger: choice of the forgery index how should the meta-reduction choose the forgery index ℓ i for the i -th execution? cannot choose ℓ 1 = 1, ℓ 2 = 2, etc. (the reduction would “notice” that a simulation is ongoing) natural choice: draw ℓ i uniformly at random in [ 1 .. q h ] independently for each execution i = 1 , . . . , n this is what was done in previous work [PV05,GBL08] straightforward analysis [PV05]: Pr [ Bad ] ≃ n 2 n ≃ q 1 / 2 ⇒ for Pr [ Bad ] ≃ 1 h q h more careful analysis [GBL08]: Pr [ Bad ] ≃ n 3 / 2 n ≃ q 2 / 3 ⇒ for Pr [ Bad ] ≃ 1 h q h Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 18 / 28

  54. Meta-Reductions Simulation of the forger: choice of the forgery index how should the meta-reduction choose the forgery index ℓ i for the i -th execution? cannot choose ℓ 1 = 1, ℓ 2 = 2, etc. (the reduction would “notice” that a simulation is ongoing) natural choice: draw ℓ i uniformly at random in [ 1 .. q h ] independently for each execution i = 1 , . . . , n this is what was done in previous work [PV05,GBL08] straightforward analysis [PV05]: Pr [ Bad ] ≃ n 2 n ≃ q 1 / 2 ⇒ for Pr [ Bad ] ≃ 1 h q h more careful analysis [GBL08]: Pr [ Bad ] ≃ n 3 / 2 n ≃ q 2 / 3 ⇒ for Pr [ Bad ] ≃ 1 h q h Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 18 / 28

  55. Meta-Reductions Simulation of the forger: choice of the forgery index how should the meta-reduction choose the forgery index ℓ i for the i -th execution? cannot choose ℓ 1 = 1, ℓ 2 = 2, etc. (the reduction would “notice” that a simulation is ongoing) natural choice: draw ℓ i uniformly at random in [ 1 .. q h ] independently for each execution i = 1 , . . . , n this is what was done in previous work [PV05,GBL08] straightforward analysis [PV05]: Pr [ Bad ] ≃ n 2 n ≃ q 1 / 2 ⇒ for Pr [ Bad ] ≃ 1 h q h more careful analysis [GBL08]: Pr [ Bad ] ≃ n 3 / 2 n ≃ q 2 / 3 ⇒ for Pr [ Bad ] ≃ 1 h q h Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 18 / 28

  56. Meta-Reductions Simulation of the forger: choice of the forgery index how should the meta-reduction choose the forgery index ℓ i for the i -th execution? cannot choose ℓ 1 = 1, ℓ 2 = 2, etc. (the reduction would “notice” that a simulation is ongoing) natural choice: draw ℓ i uniformly at random in [ 1 .. q h ] independently for each execution i = 1 , . . . , n this is what was done in previous work [PV05,GBL08] straightforward analysis [PV05]: Pr [ Bad ] ≃ n 2 n ≃ q 1 / 2 ⇒ for Pr [ Bad ] ≃ 1 h q h more careful analysis [GBL08]: Pr [ Bad ] ≃ n 3 / 2 n ≃ q 2 / 3 ⇒ for Pr [ Bad ] ≃ 1 h q h Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 18 / 28

  57. Main Result Outline Schnorr Signatures and The Forking Lemma 1 Meta-Reductions 2 Main Result 3 Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 19 / 28

  58. Main Result Main theorem Theorem Any algebraic reduction from the DL problem to forging Schnorr signatures must lose a factor q h in its time-to-success ratio, assuming the OMDL problem is hard. for strictly bounded adversaries, factor f ( ε F ) q h with f ( ε F ) close to 1 as long as ε F < 0 . 9 for expected-time and queries adversaries, factor q h independently of ε F proof: new meta-reduction (crucial modification = choice of the forgery index ℓ for the simulated forger) Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 20 / 28

  59. Main Result Main theorem Theorem Any algebraic reduction from the DL problem to forging Schnorr signatures must lose a factor q h in its time-to-success ratio, assuming the OMDL problem is hard. for strictly bounded adversaries, factor f ( ε F ) q h with f ( ε F ) close to 1 as long as ε F < 0 . 9 for expected-time and queries adversaries, factor q h independently of ε F proof: new meta-reduction (crucial modification = choice of the forgery index ℓ for the simulated forger) Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 20 / 28

  60. Main Result Main theorem Theorem Any algebraic reduction from the DL problem to forging Schnorr signatures must lose a factor q h in its time-to-success ratio, assuming the OMDL problem is hard. for strictly bounded adversaries, factor f ( ε F ) q h with f ( ε F ) close to 1 as long as ε F < 0 . 9 for expected-time and queries adversaries, factor q h independently of ε F proof: new meta-reduction (crucial modification = choice of the forgery index ℓ for the simulated forger) Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 20 / 28

  61. Main Result Main theorem Theorem Any algebraic reduction from the DL problem to forging Schnorr signatures must lose a factor q h in its time-to-success ratio, assuming the OMDL problem is hard. for strictly bounded adversaries, factor f ( ε F ) q h with f ( ε F ) close to 1 as long as ε F < 0 . 9 for expected-time and queries adversaries, factor q h independently of ε F proof: new meta-reduction (crucial modification = choice of the forgery index ℓ for the simulated forger) Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 20 / 28

  62. Main Result A thought experiment consider the following hypothetic forger F : G is partitioned into two sets: Γ good of size µ | G | : F can compute discrete logs efficiently for this set Γ bad of size ( 1 − µ ) | G | : F cannot compute discrete logs for this set to forge a signature for m , F makes arbitrary RO queries H ( m , A i ) = c i and returns a forgery for the first query such that A i X c i ∈ Γ good (or fails to forge if there is no such query) success probability of F if it makes q h RO queries: for each RO query, A i X c i is unif. random in G ⇒ A i X c i ∈ Γ good with proba. µ hence ε F = 1 − ( 1 − µ ) q h we will call such a F a µ -good forger Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 21 / 28

  63. Main Result A thought experiment consider the following hypothetic forger F : G is partitioned into two sets: Γ good of size µ | G | : F can compute discrete logs efficiently for this set Γ bad of size ( 1 − µ ) | G | : F cannot compute discrete logs for this set to forge a signature for m , F makes arbitrary RO queries H ( m , A i ) = c i and returns a forgery for the first query such that A i X c i ∈ Γ good (or fails to forge if there is no such query) success probability of F if it makes q h RO queries: for each RO query, A i X c i is unif. random in G ⇒ A i X c i ∈ Γ good with proba. µ hence ε F = 1 − ( 1 − µ ) q h we will call such a F a µ -good forger Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 21 / 28

  64. Main Result A thought experiment consider the following hypothetic forger F : G is partitioned into two sets: Γ good of size µ | G | : F can compute discrete logs efficiently for this set Γ bad of size ( 1 − µ ) | G | : F cannot compute discrete logs for this set to forge a signature for m , F makes arbitrary RO queries H ( m , A i ) = c i and returns a forgery for the first query such that A i X c i ∈ Γ good (or fails to forge if there is no such query) success probability of F if it makes q h RO queries: for each RO query, A i X c i is unif. random in G ⇒ A i X c i ∈ Γ good with proba. µ hence ε F = 1 − ( 1 − µ ) q h we will call such a F a µ -good forger Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 21 / 28

  65. Main Result A thought experiment consider the following hypothetic forger F : G is partitioned into two sets: Γ good of size µ | G | : F can compute discrete logs efficiently for this set Γ bad of size ( 1 − µ ) | G | : F cannot compute discrete logs for this set to forge a signature for m , F makes arbitrary RO queries H ( m , A i ) = c i and returns a forgery for the first query such that A i X c i ∈ Γ good (or fails to forge if there is no such query) success probability of F if it makes q h RO queries: for each RO query, A i X c i is unif. random in G ⇒ A i X c i ∈ Γ good with proba. µ hence ε F = 1 − ( 1 − µ ) q h we will call such a F a µ -good forger Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 21 / 28

  66. Main Result A thought experiment consider the following hypothetic forger F : G is partitioned into two sets: Γ good of size µ | G | : F can compute discrete logs efficiently for this set Γ bad of size ( 1 − µ ) | G | : F cannot compute discrete logs for this set to forge a signature for m , F makes arbitrary RO queries H ( m , A i ) = c i and returns a forgery for the first query such that A i X c i ∈ Γ good (or fails to forge if there is no such query) success probability of F if it makes q h RO queries: for each RO query, A i X c i is unif. random in G ⇒ A i X c i ∈ Γ good with proba. µ hence ε F = 1 − ( 1 − µ ) q h we will call such a F a µ -good forger Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 21 / 28

  67. Main Result A thought experiment consider the following hypothetic forger F : G is partitioned into two sets: Γ good of size µ | G | : F can compute discrete logs efficiently for this set Γ bad of size ( 1 − µ ) | G | : F cannot compute discrete logs for this set to forge a signature for m , F makes arbitrary RO queries H ( m , A i ) = c i and returns a forgery for the first query such that A i X c i ∈ Γ good (or fails to forge if there is no such query) success probability of F if it makes q h RO queries: for each RO query, A i X c i is unif. random in G ⇒ A i X c i ∈ Γ good with proba. µ hence ε F = 1 − ( 1 − µ ) q h we will call such a F a µ -good forger Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 21 / 28

  68. Main Result A thought experiment consider the following hypothetic forger F : G is partitioned into two sets: Γ good of size µ | G | : F can compute discrete logs efficiently for this set Γ bad of size ( 1 − µ ) | G | : F cannot compute discrete logs for this set to forge a signature for m , F makes arbitrary RO queries H ( m , A i ) = c i and returns a forgery for the first query such that A i X c i ∈ Γ good (or fails to forge if there is no such query) success probability of F if it makes q h RO queries: for each RO query, A i X c i is unif. random in G ⇒ A i X c i ∈ Γ good with proba. µ hence ε F = 1 − ( 1 − µ ) q h we will call such a F a µ -good forger Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 21 / 28

  69. Main Result A thought experiment consider the following hypothetic forger F : G is partitioned into two sets: Γ good of size µ | G | : F can compute discrete logs efficiently for this set Γ bad of size ( 1 − µ ) | G | : F cannot compute discrete logs for this set to forge a signature for m , F makes arbitrary RO queries H ( m , A i ) = c i and returns a forgery for the first query such that A i X c i ∈ Γ good (or fails to forge if there is no such query) success probability of F if it makes q h RO queries: for each RO query, A i X c i is unif. random in G ⇒ A i X c i ∈ Γ good with proba. µ hence ε F = 1 − ( 1 − µ ) q h we will call such a F a µ -good forger Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 21 / 28

  70. Main Result A thought experiment consider the following hypothetic forger F : G is partitioned into two sets: Γ good of size µ | G | : F can compute discrete logs efficiently for this set Γ bad of size ( 1 − µ ) | G | : F cannot compute discrete logs for this set to forge a signature for m , F makes arbitrary RO queries H ( m , A i ) = c i and returns a forgery for the first query such that A i X c i ∈ Γ good (or fails to forge if there is no such query) success probability of F if it makes q h RO queries: for each RO query, A i X c i is unif. random in G ⇒ A i X c i ∈ Γ good with proba. µ hence ε F = 1 − ( 1 − µ ) q h we will call such a F a µ -good forger Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 21 / 28

  71. Main Result The new meta-reduction we define a meta-reduction M which simulates a µ -good forger M builds Γ good and Γ bad dynamically and randomly during the simulation as follows: for each RO query R . H ( m , A ) = c , define Z = AX c if Z / ∈ Γ good ∪ Γ bad , draw a random coin δ Z with Pr [ δ Z = 1 ] = µ and Pr [ δ Z = 0 ] = 1 − µ and add Z to Γ good if δ Z = 1 or to Γ bad if δ Z = 0. discrete logs of elements of Γ good are obtained thanks to the discrete log oracle of M the forgery index ℓ i is distributed according to a (truncated) geometric distribution of parameter µ Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 22 / 28

  72. Main Result The new meta-reduction we define a meta-reduction M which simulates a µ -good forger M builds Γ good and Γ bad dynamically and randomly during the simulation as follows: for each RO query R . H ( m , A ) = c , define Z = AX c if Z / ∈ Γ good ∪ Γ bad , draw a random coin δ Z with Pr [ δ Z = 1 ] = µ and Pr [ δ Z = 0 ] = 1 − µ and add Z to Γ good if δ Z = 1 or to Γ bad if δ Z = 0. discrete logs of elements of Γ good are obtained thanks to the discrete log oracle of M the forgery index ℓ i is distributed according to a (truncated) geometric distribution of parameter µ Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 22 / 28

  73. Main Result The new meta-reduction we define a meta-reduction M which simulates a µ -good forger M builds Γ good and Γ bad dynamically and randomly during the simulation as follows: for each RO query R . H ( m , A ) = c , define Z = AX c if Z / ∈ Γ good ∪ Γ bad , draw a random coin δ Z with Pr [ δ Z = 1 ] = µ and Pr [ δ Z = 0 ] = 1 − µ and add Z to Γ good if δ Z = 1 or to Γ bad if δ Z = 0. discrete logs of elements of Γ good are obtained thanks to the discrete log oracle of M the forgery index ℓ i is distributed according to a (truncated) geometric distribution of parameter µ Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 22 / 28

  74. Main Result The new meta-reduction we define a meta-reduction M which simulates a µ -good forger M builds Γ good and Γ bad dynamically and randomly during the simulation as follows: for each RO query R . H ( m , A ) = c , define Z = AX c if Z / ∈ Γ good ∪ Γ bad , draw a random coin δ Z with Pr [ δ Z = 1 ] = µ and Pr [ δ Z = 0 ] = 1 − µ and add Z to Γ good if δ Z = 1 or to Γ bad if δ Z = 0. discrete logs of elements of Γ good are obtained thanks to the discrete log oracle of M the forgery index ℓ i is distributed according to a (truncated) geometric distribution of parameter µ Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 22 / 28

  75. Main Result The new meta-reduction we define a meta-reduction M which simulates a µ -good forger M builds Γ good and Γ bad dynamically and randomly during the simulation as follows: for each RO query R . H ( m , A ) = c , define Z = AX c if Z / ∈ Γ good ∪ Γ bad , draw a random coin δ Z with Pr [ δ Z = 1 ] = µ and Pr [ δ Z = 0 ] = 1 − µ and add Z to Γ good if δ Z = 1 or to Γ bad if δ Z = 0. discrete logs of elements of Γ good are obtained thanks to the discrete log oracle of M the forgery index ℓ i is distributed according to a (truncated) geometric distribution of parameter µ Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 22 / 28

  76. Main Result The new meta-reduction we define a meta-reduction M which simulates a µ -good forger M builds Γ good and Γ bad dynamically and randomly during the simulation as follows: for each RO query R . H ( m , A ) = c , define Z = AX c if Z / ∈ Γ good ∪ Γ bad , draw a random coin δ Z with Pr [ δ Z = 1 ] = µ and Pr [ δ Z = 0 ] = 1 − µ and add Z to Γ good if δ Z = 1 or to Γ bad if δ Z = 0. discrete logs of elements of Γ good are obtained thanks to the discrete log oracle of M the forgery index ℓ i is distributed according to a (truncated) geometric distribution of parameter µ Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 22 / 28

  77. Main Result M “almost always” simulates a µ -good forger the size of Γ good defined by M follows a binomial distribution of parameters ( | G | , µ ) ⇒ by a Chernoff bound, | Γ good | ≃ µ | G | with overwhelming probability in that case, the success probability of the simulated forger satisfies: ε F = 1 − ( 1 − µ ) q h by setting µ appropriately, M can simulate a forger achieving the required success probability ε F Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 23 / 28

  78. Main Result M “almost always” simulates a µ -good forger the size of Γ good defined by M follows a binomial distribution of parameters ( | G | , µ ) ⇒ by a Chernoff bound, | Γ good | ≃ µ | G | with overwhelming probability in that case, the success probability of the simulated forger satisfies: ε F = 1 − ( 1 − µ ) q h by setting µ appropriately, M can simulate a forger achieving the required success probability ε F Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 23 / 28

  79. Main Result M “almost always” simulates a µ -good forger the size of Γ good defined by M follows a binomial distribution of parameters ( | G | , µ ) ⇒ by a Chernoff bound, | Γ good | ≃ µ | G | with overwhelming probability in that case, the success probability of the simulated forger satisfies: ε F = 1 − ( 1 − µ ) q h by setting µ appropriately, M can simulate a forger achieving the required success probability ε F Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 23 / 28

  80. Main Result Probability of event Bad event Bad happens only if some execution forks from a previous one at β ℓ i the forgery point, and the new answer c ′ is such that Z ′ = A X c ′ is i i fresh and is put in Γ good ⇒ probability less than µ for each execution probability of Bad : n Pr [ Bad ] ≤ n µ ≤ g ( ε F ) q h hence to have Pr [ Bad ] ≃ 1 one must have n ≃ g ( ε F ) q h and so ρ R /ρ F ≃ f ( ε F ) q h β ℓ i + 1 β ℓ i + 2 β qh A A A i + 1 i + 1 i + 1 ( m i , X i , ω i ) c 1 c 2 c ℓ i A β 1 A β 2 A β 3 β ℓ i β qh A A i i i i i Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 24 / 28

  81. Main Result Probability of event Bad event Bad happens only if some execution forks from a previous one at β ℓ i the forgery point, and the new answer c ′ is such that Z ′ = A X c ′ is i i fresh and is put in Γ good ⇒ probability less than µ for each execution probability of Bad : n Pr [ Bad ] ≤ n µ ≤ g ( ε F ) q h hence to have Pr [ Bad ] ≃ 1 one must have n ≃ g ( ε F ) q h and so ρ R /ρ F ≃ f ( ε F ) q h β ℓ i + 1 β ℓ i + 2 β qh A A A i + 1 i + 1 i + 1 ( m i , X i , ω i ) c 1 c 2 c ℓ i A β 1 A β 2 A β 3 β ℓ i β qh A A i i i i i Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 24 / 28

  82. Main Result Probability of event Bad event Bad happens only if some execution forks from a previous one at β ℓ i the forgery point, and the new answer c ′ is such that Z ′ = A X c ′ is i i fresh and is put in Γ good ⇒ probability less than µ for each execution probability of Bad : n Pr [ Bad ] ≤ n µ ≤ g ( ε F ) q h hence to have Pr [ Bad ] ≃ 1 one must have n ≃ g ( ε F ) q h and so ρ R /ρ F ≃ f ( ε F ) q h β ℓ i + 1 β ℓ i + 2 β qh A A A i + 1 i + 1 i + 1 ( m i , X i , ω i ) c 1 c 2 c ℓ i A β 1 A β 2 A β 3 β ℓ i β qh A A i i i i i Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 24 / 28

  83. Main Result Probability of event Bad event Bad happens only if some execution forks from a previous one at β ℓ i the forgery point, and the new answer c ′ is such that Z ′ = A X c ′ is i i fresh and is put in Γ good ⇒ probability less than µ for each execution probability of Bad : n Pr [ Bad ] ≤ n µ ≤ g ( ε F ) q h hence to have Pr [ Bad ] ≃ 1 one must have n ≃ g ( ε F ) q h and so ρ R /ρ F ≃ f ( ε F ) q h β ℓ i + 1 β ℓ i + 2 β qh A A A i + 1 i + 1 i + 1 ( m i , X i , ω i ) c 1 c 2 c ℓ i A β 1 A β 2 A β 3 β ℓ i β qh A A i i i i i Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 24 / 28

  84. Main Result Probability of event Bad event Bad happens only if some execution forks from a previous one at β ℓ i the forgery point, and the new answer c ′ is such that Z ′ = A X c ′ is i i fresh and is put in Γ good ⇒ probability less than µ for each execution probability of Bad : n Pr [ Bad ] ≤ n µ ≤ g ( ε F ) q h hence to have Pr [ Bad ] ≃ 1 one must have n ≃ g ( ε F ) q h and so ρ R /ρ F ≃ f ( ε F ) q h β ℓ i + 1 β ℓ i + 2 β qh A A A i + 1 i + 1 i + 1 ( m i , X i , ω i ) c 1 c 2 c ℓ i A β 1 A β 2 A β 3 β ℓ i β qh A A i i i i i Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 24 / 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

On the Multi-User Security of Short Schnorr Signatures Jeremiah Blocki and Seunghoon Lee

On the Multi-User Security of Short Schnorr Signatures Jeremiah Blocki and Seunghoon Lee

On the Multi-User Security of Short Schnorr Signatures Jeremiah Blocki and Seunghoon Lee Department of Computer Science, Purdue University October 10, 2019 Jeremiah Blocki and Seunghoon Lee On the Multi-User Security of Short Schnorr Signatures

1.23k views • 86 slides
On Tight Security Proofs for Schnorr Signatures Nils Fleischhacker 1 Tibor Jager 2 oder 1

On Tight Security Proofs for Schnorr Signatures Nils Fleischhacker 1 Tibor Jager 2 oder 1

On Tight Security Proofs for Schnorr Signatures Nils Fleischhacker 1 Tibor Jager 2 oder 1 Dominique Schr 1 Saarland University 2 Horst G ortz Institute for IT Security, Ruhr-University Bochum December 9, 2014 (Informal) main Result The

1.35k views • 36 slides
Limitations of the Meta-Reduction Technique: The Case of Schnorr Signatures Marc Fischlin 1 Nils

Limitations of the Meta-Reduction Technique: The Case of Schnorr Signatures Marc Fischlin 1 Nils

Limitations of the Meta-Reduction Technique: The Case of Schnorr Signatures Marc Fischlin 1 Nils Fleischhacker 2 1 TU Darmstadt 2 Saarland University, Center for IT-Security, Privacy, and Accountability June 5, 2014 (Informal) Main Results 1

693 views • 34 slides
Efficiency and Privacy Improvements for Bitcoin with Schnorr Signatures Yannick Seurin (Based on

Efficiency and Privacy Improvements for Bitcoin with Schnorr Signatures Yannick Seurin (Based on

Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Efficiency and Privacy Improvements for Bitcoin with Schnorr Signatures Yannick Seurin (Based on joint work with G. Maxwell, A. Poelstra, and P. Wuille)

1.82k views • 171 slides
Accountability Andrew Poelstra Director of Research, Blockstream 4 February 2019 1 / 23

Accountability Andrew Poelstra Director of Research, Blockstream 4 February 2019 1 / 23

Threshold Signatures and Accountability Andrew Poelstra Director of Research, Blockstream 4 February 2019 1 / 23 Schnorr Signatures P = xG R = kG e = H ( P , R , m ) sG = kG + exG 2 / 23 Schnorr Signatures P = xG R = kG e = H ( P , R , m )

371 views • 23 slides
The Discrete Logarithm Problem with Preprocessing Henry Corrigan-Gibbs and Dmitry Kogan Stanford

The Discrete Logarithm Problem with Preprocessing Henry Corrigan-Gibbs and Dmitry Kogan Stanford

The Discrete Logarithm Problem with Preprocessing Henry Corrigan-Gibbs and Dmitry Kogan Stanford University Eurocrypt 1 May 2018 Tel Aviv, Israel 38 Signatures (DSA and Schnorr) 39 DH key Signatures exchange (DSA and Schnorr) 40

1.63k views • 134 slides
Exact Security Analysis of Hash-then-Mask Type Probabilistic MAC Constructions Avijit Dutta and

Exact Security Analysis of Hash-then-Mask Type Probabilistic MAC Constructions Avijit Dutta and

Message Authentication Code HtM Construction Contributions Conclusion Exact Security Analysis of Hash-then-Mask Type Probabilistic MAC Constructions Avijit Dutta and Ashwin Jha and Mridul Nandi Indian Statistical Institute, Kolkata 27th

463 views • 42 slides
Signature sizes: RSA signatures are big. a call to action D. J. Bernstein University of

Signature sizes: RSA signatures are big. a call to action D. J. Bernstein University of

Signature sizes: RSA signatures are big. a call to action D. J. Bernstein University of Illinois at Chicago &amp; Technische Universiteit Eindhoven Signature sizes: RSA signatures are big. a call to action 1990 Schnorr signatures D. J.

355 views • 21 slides
Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And Putting It All Together Lecture 12 Digital Signatures Digital Signatures Syntax: KeyGen, Sign SK and Verify VK . Security: Same experiment as MAC s,

1.72k views • 142 slides
On The Security of Unique- Witness Blind Signature Schemes December 2013 ASIACRYPT, Bangalore,

On The Security of Unique- Witness Blind Signature Schemes December 2013 ASIACRYPT, Bangalore,

On The Security of Unique- Witness Blind Signature Schemes December 2013 ASIACRYPT, Bangalore, India Foteini Baldimtsi, Anna Lysyanskaya 2 Blind Signatures [Chaum'82] Blind signatures are a special type of digital signatures. Signer is

439 views • 33 slides
Proving tight security for Rabin-Williams signatures D. J. Bernstein Public-key signatures 1976

Proving tight security for Rabin-Williams signatures D. J. Bernstein Public-key signatures 1976

Proving tight security for Rabin-Williams signatures D. J. Bernstein Public-key signatures 1976 Diffie Hellman: Public-key signatures would allow verification by anyone, not just signer. Cool! Can we build a signature system? 1977 Rivest

743 views • 33 slides
Schnorr Signature &amp; MimbleWimble Oct. 5, 2019 Overview of today Lack of Privacy in

Schnorr Signature &amp; MimbleWimble Oct. 5, 2019 Overview of today Lack of Privacy in

Schnorr Signature &amp; MimbleWimble Oct. 5, 2019 Overview of today Lack of Privacy in Bitcoin MimbleWimble cryptocurrency ECC math Schnorrs signatures scheme Pedersen Commitments Motivation Bitcoin is decentralized

430 views • 40 slides
1 Arbitrated Digital Signatures Digital Signature Standard (DSS) US Govt approved signature

1 Arbitrated Digital Signatures Digital Signature Standard (DSS) US Govt approved signature

CPE 542: CRYPTOGRAPHY &amp; NETWORK SECURITY Digital Signatures have looked at message authentication but does not address issues of lack of trust Chapter 13 Digital Signatures digital signatures provide the ability to:

361 views • 3 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-03-10 1 Outline Recap: one-time signatures From EUF-naCMA security to EUF-CMA security Interlude: proof strategies Security proof

336 views • 20 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-02-18 1 Outline Logistics Overview Introduction Definition Security Security experiments Formal security definition Relations among

686 views • 64 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-02-18 1 Outline Logistics Overview Introduction Definition Security Security experiments Formal security definition Relations among

743 views • 58 slides
Recommendation on Data Missing Not at Random A Doubly Robust Joint Learning Approach Rating

Recommendation on Data Missing Not at Random A Doubly Robust Joint Learning Approach Rating

Recommendation on Data Missing Not at Random A Doubly Robust Joint Learning Approach Rating Matrix Item 1 Item 2 Item 3 ... Item M User 1 4 ... User 2 2 ... User 3 5 ... 5 ... ... ... ... ... ... User N 2 ... 1 Rating

911 views • 26 slides
(Still) Exploiting TCP Timestamps Veit N. Hailperin 1 1 scip AG Hack in Paris, June 2015 Veit N.

(Still) Exploiting TCP Timestamps Veit N. Hailperin 1 1 scip AG Hack in Paris, June 2015 Veit N.

(Still) Exploiting TCP Timestamps Veit N. Hailperin 1 1 scip AG Hack in Paris, June 2015 Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 1 / 47 About Me Security Consultant &amp; Researcher @ scip AG @fenceposterror

623 views • 47 slides
Randomized methods for machine learning David Lopez-Paz, FAIR May 17, 2016

Randomized methods for machine learning David Lopez-Paz, FAIR May 17, 2016

Randomized methods for machine learning David Lopez-Paz, FAIR May 17, 2016 http://tinyurl.com/randomized-practical Some random examples Building atomic bombs Truncated SVD Dimensionality reduction Kernel methods for big data Nonlinear

970 views • 81 slides
To Randomize or Not To Randomize: Space Optimal Summaries for Hyperlink Analysis Tam as

To Randomize or Not To Randomize: Space Optimal Summaries for Hyperlink Analysis Tam as

Fully Personalized PageRank Similarity Search To Randomize or Not To Randomize: Space Optimal Summaries for Hyperlink Analysis Tam as Sarl os, E otv os University and Computer and Automation Institute, Hungarian Academy of

571 views • 22 slides
Computation for Mali licious Adversaries and an Honest Majority Jun Furukawa*, Yehuda Lindell**,

Computation for Mali licious Adversaries and an Honest Majority Jun Furukawa*, Yehuda Lindell**,

Hig igh-Throughput Secure Three-Party Computation for Mali licious Adversaries and an Honest Majority Jun Furukawa*, Yehuda Lindell**, Ariel Nof** and Or Weinstein** *NEC corporation, Israel **Bar-Ilan University, Israel Eurocrypt 2017

699 views • 54 slides
Improved Bounds on the Dot Product under Random Projection and Random Sign Projection Ata Kab

Improved Bounds on the Dot Product under Random Projection and Random Sign Projection Ata Kab

Improved Bounds on the Dot Product under Random Projection and Random Sign Projection Ata Kab an School of Computer Science The University of Birmingham Birmingham B15 2TT, UK http://www.cs.bham.ac.uk/ axk KDD 2015, Sydney, 10-13

280 views • 23 slides
to Systematically Test File-System Crash Consistency Ashlie Martinez Vijay Chidambaram

to Systematically Test File-System Crash Consistency Ashlie Martinez Vijay Chidambaram

CrashMonkey: A Framework to Systematically Test File-System Crash Consistency Ashlie Martinez Vijay Chidambaram University of Texas at Austin Crash Consistency File-system updates change multiple blocks on storage Data blocks, inodes,

499 views • 46 slides
Thresholds in random CSPs Nike Sun (Berkeley) Counting complexity and phase transitions Simons

Thresholds in random CSPs Nike Sun (Berkeley) Counting complexity and phase transitions Simons

Thresholds in random CSPs Nike Sun (Berkeley) Counting complexity and phase transitions Simons Institute, Berkeley 28 January 2016 Plan for the talk Introduction: random k -SAT model Threshold conjecture, Friedguts theorem Statistical

1.67k views • 142 slides

More recommend