on the multi user security of short schnorr signatures
play

On the Multi-User Security of Short Schnorr Signatures Jeremiah - PowerPoint PPT Presentation

Dec 04, 2023 •363 likes •1.23k views

On the Multi-User Security of Short Schnorr Signatures Jeremiah Blocki and Seunghoon Lee Department of Computer Science, Purdue University October 10, 2019 Jeremiah Blocki and Seunghoon Lee On the Multi-User Security of Short Schnorr Signatures

  1. On the Multi-User Security of Short Schnorr Signatures Jeremiah Blocki and Seunghoon Lee Department of Computer Science, Purdue University October 10, 2019 Jeremiah Blocki and Seunghoon Lee On the Multi-User Security of Short Schnorr Signatures 1/33 1 / 33

  2. Contents Introduction The (Short) Schnorr Signature Scheme Our Result Technical Ingredients The Generic Group Model The Known/Partially Known Set in the Global List Restricted Discrete-Log Oracle in the GGM Multi-User Security of Short Schnorr Signatures Security Games Security Reduction Jeremiah Blocki and Seunghoon Lee On the Multi-User Security of Short Schnorr Signatures 2/33 2 / 33

  3. We are now at... Introduction The (Short) Schnorr Signature Scheme Our Result Technical Ingredients The Generic Group Model The Known/Partially Known Set in the Global List Restricted Discrete-Log Oracle in the GGM Multi-User Security of Short Schnorr Signatures Security Games Security Reduction Jeremiah Blocki and Seunghoon Lee On the Multi-User Security of Short Schnorr Signatures 3/33 3 / 33

  4. Motivation: Digital Signatures Jeremiah Blocki and Seunghoon Lee On the Multi-User Security of Short Schnorr Signatures 4/33 Software update m σ = Sign ( sk, m ) pk ( m, σ ) , pk Vfy ( pk, m, σ ) = 1 sk ( m ′ , σ ′ ) , pk Vfy ( pk, m ′ , σ ′ ) = 0 pk sk 4 / 33

  5. Motivation: Digital Signatures Jeremiah Blocki and Seunghoon Lee On the Multi-User Security of Short Schnorr Signatures 4/33 Software update m σ = Sign ( sk, m ) pk ( m, σ ) , pk Vfy ( pk, m, σ ) = 1 sk ( m ′ , σ ′ ) , pk Vfy ( pk, m ′ , σ ′ ) = 0 pk sk 4 / 33

  6. Motivation: Digital Signatures Jeremiah Blocki and Seunghoon Lee On the Multi-User Security of Short Schnorr Signatures 4/33 Software update m σ = Sign ( sk, m ) pk ( m, σ ) , pk Vfy ( pk, m, σ ) = 1 sk ( m ′ , σ ′ ) , pk Vfy ( pk, m ′ , σ ′ ) = 0 pk sk 4 / 33

  7. Motivation: Digital Signatures Jeremiah Blocki and Seunghoon Lee On the Multi-User Security of Short Schnorr Signatures 4/33 Software update m σ = Sign ( sk, m ) pk ( m, σ ) , pk Vfy ( pk, m, σ ) = 1 sk ( m ′ , σ ′ ) , pk Vfy ( pk, m ′ , σ ′ ) = 0 pk sk 4 / 33

  8. Motivation: Digital Signatures Jeremiah Blocki and Seunghoon Lee On the Multi-User Security of Short Schnorr Signatures 4/33 Software update m σ = Sign ( sk, m ) pk ( m, σ ) , pk Vfy ( pk, m, σ ) = 1 sk ( m ′ , σ ′ ) , pk Vfy ( pk, m ′ , σ ′ ) = 0 pk sk 4 / 33

  9. Motivation: Digital Signatures Jeremiah Blocki and Seunghoon Lee On the Multi-User Security of Short Schnorr Signatures 4/33 Software update m σ = Sign ( sk, m ) pk ( m, σ ) , pk Vfy ( pk, m, σ ) = 1 sk ( m ′ , σ ′ ) , pk Vfy ( pk, m ′ , σ ′ ) = 0 pk sk 4 / 33

  10. Motivation: Digital Signatures Jeremiah Blocki and Seunghoon Lee On the Multi-User Security of Short Schnorr Signatures 4/33 Software update m σ = Sign ( sk, m ) pk ( m, σ ) , pk Vfy ( pk, m, σ ) = 1 sk ( m ′ , σ ′ ) , pk Vfy ( pk, m ′ , σ ′ ) = 0 pk sk 4 / 33

  11. Motivation: Digital Signatures Jeremiah Blocki and Seunghoon Lee On the Multi-User Security of Short Schnorr Signatures 4/33 Software update m σ = Sign ( sk, m ) pk ( m, σ ) , pk Vfy ( pk, m, σ ) = 1 sk ( m ′ , σ ′ ) , pk Vfy ( pk, m ′ , σ ′ ) = 0 pk sk 4 / 33

  12. Motivation: Digital Signatures Jeremiah Blocki and Seunghoon Lee On the Multi-User Security of Short Schnorr Signatures 4/33 Software update m σ = Sign ( sk, m ) pk ( m, σ ) , pk Vfy ( pk, m, σ ) = 1 sk ( m ′ , σ ′ ) , pk Vfy ( pk, m ′ , σ ′ ) = 0 pk sk 4 / 33

  13. Motivation: Digital Signatures Jeremiah Blocki and Seunghoon Lee On the Multi-User Security of Short Schnorr Signatures 4/33 Software update m σ = Sign ( sk, m ) pk ( m, σ ) , pk Vfy ( pk, m, σ ) = 1 sk ( m ′ , σ ′ ) , pk Vfy ( pk, m ′ , σ ′ ) = 0 pk sk 4 / 33

  14. Motivation: Digital Signatures Jeremiah Blocki and Seunghoon Lee On the Multi-User Security of Short Schnorr Signatures 4/33 Software update m σ = Sign ( sk, m ) pk ( m, σ ) , pk Vfy ( pk, m, σ ) = 1 sk ( m ′ , σ ′ ) , pk Vfy ( pk, m ′ , σ ′ ) = 0 pk sk 4 / 33

  15. Motivation: Digital Signatures Jeremiah Blocki and Seunghoon Lee On the Multi-User Security of Short Schnorr Signatures 4/33 Software update m σ = Sign ( sk, m ) pk ( m, σ ) , pk Vfy ( pk, m, σ ) = 1 sk ( m ′ , σ ′ ) , pk Vfy ( pk, m ′ , σ ′ ) = 0 pk sk 4 / 33

  16. Motivation: Digital Signatures Jeremiah Blocki and Seunghoon Lee On the Multi-User Security of Short Schnorr Signatures 4/33 Software update m σ = Sign ( sk, m ) pk ( m, σ ) , pk Vfy ( pk, m, σ ) = 1 sk ( m ′ , σ ′ ) , pk Vfy ( pk, m ′ , σ ′ ) = 0 pk sk 4 / 33

  17. The Schnorr Signature Scheme the hash output On the Multi-User Security of Short Schnorr Signatures 5/33 3 : Jeremiah Blocki and Seunghoon Lee • An efficient signature scheme based on discrete logarithms. • Consider a 2 k -bit prime q , i.e., q ≈ 2 2 k . Kg (1 k ) Sign ( sk, m ) Vfy ( pk, m, σ ) 1 : R ← g s · pk − e 1 : r ← Z q ; I ← g r 1 : sk ← Z q 2 : pk ← g sk 2 : e ← H ( I || m ) 2 : if H ( R || m ) = e then 3 : return ( pk, sk ) 3 : s ← r + sk · e mod q return 1 4 : return σ = ( s, e ) 4 : else return 0 • The verification works for a correct signature σ = ( s, e ) because R = g s · pk − e = g s − sk · e = g r = I. • The length of the signature: 2 k + 2 k = 4 k . ���� ���� the length of s 5 / 33

  18. The “Short” Schnorr Signatures truncating the hash output by half On the Multi-User Security of Short Schnorr Signatures 6/33 3 : Jeremiah Blocki and Seunghoon Lee Kg (1 k ) Sign ( sk, m ) Vfy ( pk, m, σ ) 1 : R ← g s · pk − e 1 : r ← Z q ; I ← g r 1 : sk ← Z q 2 : pk ← g sk 2 : e ← H ( I || m ) 2 : if H ( R || m ) = e then 3 : return ( pk, sk ) 3 : s ← r + sk · e mod q return 1 4 : return σ = ( s, e ) 4 : else return 0 σ = s e = H ( I || m ) 2 k bits 2 k bits ↓ σ = s e 2 k bits k bits 6 / 33

  19. Signature Length Comparison 384 7/33 On the Multi-User Security of Short Schnorr Signatures Jeremiah Blocki and Seunghoon Lee 1 Signature lengths and security level are provided in bits Completely impractical 128 128 iO Computationally expensive 128 256 BLS Our result 128? Short Schnorr Definition 128 512 Schnorr NIST recommendation 128 3072 RSA-FDH Notes Security Level Signature Length 1 Signatures A signature scheme Π = ( Kg , Sign , Vfy ) yields k -bits of security if any attacker running in time at most t can forge a signature with probability at most ε t = t/ 2 k and this should hold for all t ≤ 2 k . 7 / 33

  20. Multi-User Security Definition Jeremiah Blocki and Seunghoon Lee Definition 8/33 On the Multi-User Security of Short Schnorr Signatures • We consider the multi-user security in the “1-out-of- N ” setting • The probability that the attacker can forge any one of N signatures is negligible • We define the 1-out-of- N signature forgery game SigForge N A , Π ( k ) as follows: 1. Gen (1 k ) is run N times to obtain keys ( pk i , sk i ) , 1 ≤ i ≤ N . 2. Adversary A is given pk 1 , · · · , pk N and access to oracles Sign ( sk j , · ) , 1 ≤ j ≤ N . The adversary then outputs ( m, σ ) . Let Q j denote the set of all queries that A asked to oracle Sign ( sk j , · ) . 3. A succeeds if and only if there exists some j such that (1) Vfy ( pk j , m, σ ) = 1 and (2) m ̸∈ Q j . In this case the output of the experiment is defined to be 1 . We say that a signature scheme Π = ( Kg , Sign , Vfy ) is ( t, N, ϵ ) -MU-UF-CMA secure (multi-user unforgeable against chosen message attack) if for every adversary A running in time at most t , the following bound holds: [ ] SigForge N Pr A , Π ( k ) = 1 ≤ ϵ. 8 / 33

  21. Security Proofs of the Schnorr Signatures Single-User Security 9/33 On the Multi-User Security of Short Schnorr Signatures Jeremiah Blocki and Seunghoon Lee [Ber15] - “Key-Prefixed” Schnorr signatures Signatures “Short” Schnorr seems to be unavoidable Signatures Original Schnorr Multi-User Security • [PS96] – in the ROM • [GMLS02] – flawed • [NPSW09] – in the GGM • [KMP16] – in the ROM + GGM • [Seu12, FJS14] – loss of factor q RO • [SJ00] – in the ROM + GGM • Our result! • [NPSW09] – non-tight reduction 9 / 33

  22. Security Proofs of the Schnorr Signatures Single-User Security 9/33 On the Multi-User Security of Short Schnorr Signatures Jeremiah Blocki and Seunghoon Lee [Ber15] - “Key-Prefixed” Schnorr signatures Signatures “Short” Schnorr seems to be unavoidable Signatures Original Schnorr Multi-User Security • [PS96] – in the ROM • [GMLS02] – flawed • [NPSW09] – in the GGM • [KMP16] – in the ROM + GGM • [Seu12, FJS14] – loss of factor q RO • [SJ00] – in the ROM + GGM • Our result! • [NPSW09] – non-tight reduction 9 / 33

  23. We are now at... Introduction The (Short) Schnorr Signature Scheme Our Result Technical Ingredients The Generic Group Model The Known/Partially Known Set in the Global List Restricted Discrete-Log Oracle in the GGM Multi-User Security of Short Schnorr Signatures Security Games Security Reduction Jeremiah Blocki and Seunghoon Lee On the Multi-User Security of Short Schnorr Signatures 10/33 10 / 33

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

On Tight Security Proofs for Schnorr Signatures Nils Fleischhacker 1 Tibor Jager 2 oder 1

On Tight Security Proofs for Schnorr Signatures Nils Fleischhacker 1 Tibor Jager 2 oder 1

On Tight Security Proofs for Schnorr Signatures Nils Fleischhacker 1 Tibor Jager 2 oder 1 Dominique Schr 1 Saarland University 2 Horst G ortz Institute for IT Security, Ruhr-University Bochum December 9, 2014 (Informal) main Result The

1.35k views • 36 slides
On the Exact Security of Schnorr-Type Signatures in the Random Oracle Model Yannick Seurin

On the Exact Security of Schnorr-Type Signatures in the Random Oracle Model Yannick Seurin

On the Exact Security of Schnorr-Type Signatures in the Random Oracle Model Yannick Seurin ANSSI, France 18 April, EUROCRYPT 2012 Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 1 / 28 Introduction Introduction

1.45k views • 117 slides
Limitations of the Meta-Reduction Technique: The Case of Schnorr Signatures Marc Fischlin 1 Nils

Limitations of the Meta-Reduction Technique: The Case of Schnorr Signatures Marc Fischlin 1 Nils

Limitations of the Meta-Reduction Technique: The Case of Schnorr Signatures Marc Fischlin 1 Nils Fleischhacker 2 1 TU Darmstadt 2 Saarland University, Center for IT-Security, Privacy, and Accountability June 5, 2014 (Informal) Main Results 1

693 views • 34 slides
On the Security of Two-Round Multi-Signatures Manu Drijvers 1 , Kasra Edalatnejad 2 , Bryan Ford 2

On the Security of Two-Round Multi-Signatures Manu Drijvers 1 , Kasra Edalatnejad 2 , Bryan Ford 2

On the Security of Two-Round Multi-Signatures Manu Drijvers 1 , Kasra Edalatnejad 2 , Bryan Ford 2 , Eike Kiltz 3 , Julian Loss 3 , Gregory Neven 1 , Igors Stepanovs 4 1 DFINITY, 2 EPFL , 3 Ruhr-University Bochum, 4 UCSD Multi-signatures (pk 1 ,sk

635 views • 27 slides
Efficiency and Privacy Improvements for Bitcoin with Schnorr Signatures Yannick Seurin (Based on

Efficiency and Privacy Improvements for Bitcoin with Schnorr Signatures Yannick Seurin (Based on

Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Efficiency and Privacy Improvements for Bitcoin with Schnorr Signatures Yannick Seurin (Based on joint work with G. Maxwell, A. Poelstra, and P. Wuille)

1.82k views • 171 slides
Accountability Andrew Poelstra Director of Research, Blockstream 4 February 2019 1 / 23

Accountability Andrew Poelstra Director of Research, Blockstream 4 February 2019 1 / 23

Threshold Signatures and Accountability Andrew Poelstra Director of Research, Blockstream 4 February 2019 1 / 23 Schnorr Signatures P = xG R = kG e = H ( P , R , m ) sG = kG + exG 2 / 23 Schnorr Signatures P = xG R = kG e = H ( P , R , m )

371 views • 23 slides
The Discrete Logarithm Problem with Preprocessing Henry Corrigan-Gibbs and Dmitry Kogan Stanford

The Discrete Logarithm Problem with Preprocessing Henry Corrigan-Gibbs and Dmitry Kogan Stanford

The Discrete Logarithm Problem with Preprocessing Henry Corrigan-Gibbs and Dmitry Kogan Stanford University Eurocrypt 1 May 2018 Tel Aviv, Israel 38 Signatures (DSA and Schnorr) 39 DH key Signatures exchange (DSA and Schnorr) 40

1.63k views • 134 slides
Signature sizes: RSA signatures are big. a call to action D. J. Bernstein University of

Signature sizes: RSA signatures are big. a call to action D. J. Bernstein University of

Signature sizes: RSA signatures are big. a call to action D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Signature sizes: RSA signatures are big. a call to action 1990 Schnorr signatures D. J.

355 views • 21 slides
Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And Putting It All Together Lecture 12 Digital Signatures Digital Signatures Syntax: KeyGen, Sign SK and Verify VK . Security: Same experiment as MAC s,

1.72k views • 142 slides
Multi-scale Analysis of Large Distributed Computing Systems Lucas M. Schnorr, Arnaud Legrand,

Multi-scale Analysis of Large Distributed Computing Systems Lucas M. Schnorr, Arnaud Legrand,

Introduction Multi-scale Analysis Approach Experimental Framework Results and Analysis Conclusion Multi-scale Analysis of Large Distributed Computing Systems Lucas M. Schnorr, Arnaud Legrand, Jean-Marc Vincent INRIA Mescal, CNRS LIG

583 views • 27 slides
Proving tight security for Rabin-Williams signatures D. J. Bernstein Public-key signatures 1976

Proving tight security for Rabin-Williams signatures D. J. Bernstein Public-key signatures 1976

Proving tight security for Rabin-Williams signatures D. J. Bernstein Public-key signatures 1976 Diffie Hellman: Public-key signatures would allow verification by anyone, not just signer. Cool! Can we build a signature system? 1977 Rivest

743 views • 33 slides
Schnorr Signature & MimbleWimble Oct. 5, 2019 Overview of today Lack of Privacy in

Schnorr Signature & MimbleWimble Oct. 5, 2019 Overview of today Lack of Privacy in

Schnorr Signature & MimbleWimble Oct. 5, 2019 Overview of today Lack of Privacy in Bitcoin MimbleWimble cryptocurrency ECC math Schnorrs signatures scheme Pedersen Commitments Motivation Bitcoin is decentralized

430 views • 40 slides
Pairing-based Short Signatures Final Presentation Amit Markel Leonid Nemirovskiy Supervisor .

Pairing-based Short Signatures Final Presentation Amit Markel Leonid Nemirovskiy Supervisor .

Project in Computer Security at Technion Pairing-based Short Signatures Final Presentation Amit Markel Leonid Nemirovskiy Supervisor . Barukh Ziv 26 / 10 / 2014 Introduction Introduction / abstract Recent progress in research and

369 views • 25 slides
1 Arbitrated Digital Signatures Digital Signature Standard (DSS) US Govt approved signature

1 Arbitrated Digital Signatures Digital Signature Standard (DSS) US Govt approved signature

CPE 542: CRYPTOGRAPHY & NETWORK SECURITY Digital Signatures have looked at message authentication but does not address issues of lack of trust Chapter 13 Digital Signatures digital signatures provide the ability to:

361 views • 3 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-03-10 1 Outline Recap: one-time signatures From EUF-naCMA security to EUF-CMA security Interlude: proof strategies Security proof

336 views • 20 slides
Two-Round Multi-Signatures Manu Drijvers 1 , Kasra Edalatnejad 2 , Bryan Ford 2 , Eike Kiltz 3 ,

Two-Round Multi-Signatures Manu Drijvers 1 , Kasra Edalatnejad 2 , Bryan Ford 2 , Eike Kiltz 3 ,

On the Security of Two-Round Multi-Signatures Manu Drijvers 1 , Kasra Edalatnejad 2 , Bryan Ford 2 , Eike Kiltz 3 , Julian Loss 3 , Gregory Neven 1 , Igors Stepanovs 4 1 DFINITY, 2 EPFL , 3 Ruhr-University Bochum, 4 UCSD To appear at S&P 2019,

393 views • 27 slides
The F word: FRAUD Agenda About Internal Audit Audit team Internal Audit office overview

The F word: FRAUD Agenda About Internal Audit Audit team Internal Audit office overview

The F word: FRAUD Agenda About Internal Audit Audit team Internal Audit office overview Fraud and Fraud Schemes Define fraud Learn about different types of fraud and fraud schemes Fraud reporting methods Audit Team Corby

509 views • 32 slides
Spamming Botnets: Signatures and Characteris5cs Xie et al.

Spamming Botnets: Signatures and Characteris5cs Xie et al.

Spamming Botnets: Signatures and Characteris5cs Xie et al. Presented by Kyle Mar5n <kyle.mar5n@knights.ucf.edu> The Problems Botnets The Problems

823 views • 36 slides
Demystifying the Clinical Fellowship Experience and 4 th Y ear Experience S ession Reminders:

Demystifying the Clinical Fellowship Experience and 4 th Y ear Experience S ession Reminders:

Demystifying the Clinical Fellowship Experience and 4 th Y ear Experience S ession Reminders: Please silence your cell phones Email nsslhaexp@asha.org for all session handouts Complete your session evaluation form & leave it

620 views • 42 slides
Oak Ridge National Laboratory: Research and Development Capabilities Presented at Mo-99

Oak Ridge National Laboratory: Research and Development Capabilities Presented at Mo-99

Oak Ridge National Laboratory: Research and Development Capabilities Presented at Mo-99 Topical Meeting Montreal, Quebec Chris Bryan Research Reactors Division Oak Ridge National Laboratory September 12, 2017 ORNL is managed by

510 views • 19 slides
Topics Covered * Preparing the Self-study Paula Maxwell, PhD,

Topics Covered * Preparing the Self-study Paula Maxwell, PhD,

10/20/14 Writing the Self-Study and Conducting a Successful Site Visit CAATE Accreditation Conference October 17-18, 2014 Tampa, FL Paula

165 views • 12 slides
Expert Group Meeting on THE BEST PRACTICES IN IMPLEMENTATION OF MOBILE IDENTIFICATION (mID)

Expert Group Meeting on THE BEST PRACTICES IN IMPLEMENTATION OF MOBILE IDENTIFICATION (mID)

Expert Group Meeting on THE BEST PRACTICES IN IMPLEMENTATION OF MOBILE IDENTIFICATION (mID) 18-19 October 2016 Warsaw, Poland Ministry of Digital Affairs Expert Group Meeting on mID 1 PRESENTATION GUIDELINES: Each expert is asked to

697 views • 42 slides
Investor Presentation March 2014 All figures as at end of 4Q-2013, unless otherwise stated

Investor Presentation March 2014 All figures as at end of 4Q-2013, unless otherwise stated

Investor Presentation March 2014 All figures as at end of 4Q-2013, unless otherwise stated Outline 1. SODIC Achievements 1. Egypt Real Estate Market Update A. Fundamentals Intact B. Mitigating Inflationary Pressures 2. SODIC Updates A. 2013

709 views • 34 slides
Exploration Edge Fraser MacCorquodale General Manager - Exploration Disclaimer Forward Looking

Exploration Edge Fraser MacCorquodale General Manager - Exploration Disclaimer Forward Looking

NEWCREST Exploration Edge Fraser MacCorquodale General Manager - Exploration Disclaimer Forward Looking Statements This presentation includes forward looking statements. Forward looking statements can generally be identified by the use of

472 views • 16 slides

More recommend