on tight security proofs for schnorr signatures


  1. On Tight Security Proofs for Schnorr Signatures. Nils Fleischhacker¹, Tibor Jager², Dominique Schröder¹. ¹ Saarland University; ² Horst Görtz Institute for IT Security, Ruhr-University Bochum. December 9, 2014

  2. (Informal) main Result The security of Schnorr signatures cannot be tightly reduced to any natural assumption using a generic reduction. The result holds unconditionally.

  3. Schnorr Signatures [Sch90,Schn91]

     $G = \langle g \rangle$, $H$

     Kgen($1^\kappa$):
       $x \xleftarrow{\$} \mathbb{Z}_q$
       $X := g^x$
       return $(x, X)$

     Sign($x, m$):
       $r \xleftarrow{\$} \mathbb{Z}_q$
       $R := g^r$
       $c := H(R, m)$
       $y := r + x \cdot c$
       return $\sigma = (R, y)$

     Vrfy($X, m, \sigma$):
       parse $\sigma$ as $(R, y)$
       $c := H(R, m)$
       return $g^y \stackrel{?}{=} X^c \cdot R$

     - Provably secure under DLOG assumption in the ROM [PS96, PS00].
     - Previous impossibility results for tight proofs for DLOG and algebraic reductions [PV05,GBL08,Seu12].

  5. Schnorr Signatures [Sch90,Schn91]

     $G = \langle g \rangle$, $H$

     Kgen($1^\kappa$):
       $x \xleftarrow{\$} \mathbb{Z}_q$
       $X := g^x$
       return $(x, X)$

     Sign($x, m$):
       $r \xleftarrow{\$} \mathbb{Z}_q$
       $R := g^r$
       $c := H(R, m)$
       $y := r + x \cdot c$
       return $\sigma = (R, y)$

     Vrfy($X, m, \sigma$):
       parse $\sigma$ as $(R, y)$
       $c := H(R, m)$
       return $g^y \stackrel{?}{=} X^c \cdot R$

     - Provably secure under DLOG assumption in the ROM [PS96, PS00]. Not tight!
     - Previous impossibility results for tight proofs for DLOG and algebraic reductions [PV05,GBL08,Seu12].

  6. Why do we care about tightness? [Diagram; labels: $g^x$, R, (pk, m), UUNF-NM, Π, σ, x′]

  7. Why do we care about tightness? [Diagram; labels: $g^x$, R, (pk, m), UUNF-NM, Π, σ, x′] Weaker Definition of Security = Stronger Negative Result

  8. Why do we care about tightness? [Diagram; labels: $g^x$, R, (pk, m), UUNF-NM, Π, σ, x′, $t$]

  9. Why do we care about tightness? [Diagram; labels: $g^x$, R, (pk, m), UUNF-NM, Π, σ, x′, $t$] $f(t) = t$

  10. Why do we care about tightness? [Diagram; labels: $g^x$, R, (pk, m), UUNF-NM, Π, σ, x′, $t$] $f(t) = 2t$

  11. Why do we care about tightness? [Diagram; labels: $g^x$, R, (pk, m), $q$, (R′, m′), $H(R', m')$, UUNF-NM, Π, σ, x′, $t$] $f(t, q) = q \cdot t$

  12. Meta-Reductions [BV98] [Diagram; labels: Π, R, UUNF-NM, A]

  13. Meta-Reductions [BV98] [Diagram; labels: M, Π, Π′, R, UUNF-NM, A]

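  14. Previous Work on Lower Bounds

     |            | PV05        |
     |------------|-------------|
     | Bound      | $1/q^{1/2}$ |
     | Reduction  | algebraic   |
     | Assumption | (OM)DL      |
     |            | OMDL        |

  15. Previous Work on Lower Bounds

     |            | PV05        | GBL08       |
     |------------|-------------|-------------|
     | Bound      | $1/q^{1/2}$ | $1/q^{2/3}$ |
     | Reduction  | algebraic   | algebraic   |
     | Assumption | (OM)DL      | (OM)DL      |
     |            | OMDL        | OMDL        |

  16. Previous Work on Lower Bounds

     |            | PV05        | GBL08       | Seurin12   |
     |------------|-------------|-------------|------------|
     | Bound      | $1/q^{1/2}$ | $1/q^{2/3}$ | $O(1/q)$   |
     | Reduction  | algebraic   | algebraic   | algebraic  |
     | Assumption | (OM)DL      | (OM)DL      | (OM)DL     |
     |            | OMDL        | OMDL        | OMDL       |

  17. Previous Work on Lower Bounds

     |            | PV05        | GBL08       | Seurin12   | Our Work                 |
     |------------|-------------|-------------|------------|--------------------------|
     | Bound      | $1/q^{1/2}$ | $1/q^{2/3}$ | $O(1/q)$   | $O(1/q)$                 |
     | Reduction  | algebraic   | algebraic   | algebraic  | generic                  |
     | Assumption | (OM)DL      | (OM)DL      | (OM)DL     | representation invariant |
     |            | OMDL        | OMDL        | OMDL       | none                     |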

  18. Algebraic vs. Generic Reductions

     - An algebraic reduction only computes group elements using group operations.
     - A generic reduction works regardless of the representation of the group.

     [Diagrams. Algebraic side, labels: $\langle G, g \rangle$, $g^{x_1}, g^{x_2}$, R, Ext, $(x_1, x_2)$, $g^y$, $y$. Generic side, labels: $\phi : G \to \{0,1\}^{2n}$, $\phi(g^{x_1}), \phi(g^{x_2})$, R, O, query $(\phi(g^a), \phi(g^b), \circ)$, answer $\phi(g^a \circ g^b)$, $\phi(g^y)$]

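  19. So... GGM? No! [Diagram; labels: $\phi(A), \phi(B)$; R; O; query $(\phi(i), \phi(j), \circ)$; answer $\phi(i \circ j)$; $\phi(C), \phi(D)$]

  20. So... GGM? No! [Diagram; labels: $\phi(A), \phi(B)$; R; O; query $(\phi(i), \phi(j), \circ)$; answer $\phi(i \circ j)$; A; $\phi(C), \phi(D)$]

  21. So... GGM? No! [Diagram; labels: $A, B$ and $\phi(A), \phi(B)$; R; O; query $(\phi(i), \phi(j), \circ)$; answer $\phi(i \circ j)$; $(\phi(X), m, \omega)$ and $(X, m, \omega)$; A; $(\phi(R), y)$ and $(R, y)$; $\phi(C), \phi(D)$ and $C, D$]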

  23. Ok, so how does it work? Vanilla Reductions

     proc A($X, m, \omega$):
       $(R_1, \dots, R_q) \leftarrow G^q$
       for all $i \in [q]$: $c_i = H(R_i, m)$
       $\alpha \leftarrow [q]$
       $y := \log_g X^{c_\alpha} R_\alpha$
       return $(R_\alpha, y)$

  24. Ok, so how does it work? Vanilla Reductions

     Vanilla Reduction:
     - Runs A once
     - Does not rewind

     Result:
     - Rules out all generic vanilla reductions
     - Even tight reductions

  26. Ok, so how does it work? Vanilla Reductions [Diagram; labels: $C_1, \dots, C_u, C'$; $\phi(C_1), \dots, \phi(C_u), C'$; M, O, R, A. Lists: $\mathcal{L}_G = (C_1, \dots, C_u, R_1, \dots, R_q)$, $\mathcal{L}_E = (E_1, \dots, E_u, E_{u+1}, \dots, E_{u+q})$]

  27. Ok, so how does it work? Vanilla Reductions [Same diagram; adds: query $(E_i, E_j, \times)$, new list entry $E_{u+q+1}$]

  28. Ok, so how does it work? Vanilla Reductions [Same diagram; adds: $(\phi(X), m)$ and $(\phi(R), y)$ at A]

  29. Ok, so how does it work? Vanilla Reductions [Same diagram; adds list $\mathcal{L}_V$: unit vectors $(1, 0, \dots), \dots, (\dots, 0, 1)$ for the entries $E_1, \dots, E_{u+q}$, and $V_i + V_j$ for the entry $E_{u+q+1}$]

  30. Ok, so how does it work? Vanilla Reductions

     proc A($\phi(X), m, \omega$):
       for all $i \in [q]$: $c_i = R.H(\phi(R_i), m)$
       $\alpha \leftarrow [q]$
       $y := \log_g X^{c_\alpha} R_\alpha$

     [Lists $\mathcal{L}_G$, $\mathcal{L}_E$, $\mathcal{L}_V$; highlighted row: $R_\alpha$, $E_{u+\alpha}$, $V_{u+\alpha}$; last row: $G_{u+q+1}$, $E_{u+q+1}$, $V_{u+q+1}$]

  31. Ok, so how does it work? Vanilla Reductions

     proc A($\phi(X), m, \omega$):
       for all $i \in [q]$: $c_i = R.H(\phi(R_i), m)$
       $\alpha \leftarrow [q]$
       $y \leftarrow \mathbb{Z}_p$; $R^*_\alpha := g^y X^{-c_\alpha}$

     [Lists $\mathcal{L}_G$, $\mathcal{L}_E$, $\mathcal{L}_V$; highlighted row: $R_\alpha$, $E_{u+\alpha}$, $V_{u+\alpha}$; last row: $G_{u+q+1}$, $E_{u+q+1}$, $V_{u+q+1}$]

  32. Ok, so how does it work? Vanilla Reductions

     proc A($\phi(X), m, \omega$):
       for all $i \in [q]$: $c_i = R.H(\phi(R_i), m)$
       $\alpha \leftarrow [q]$
       $y \leftarrow \mathbb{Z}_p$; $R^*_\alpha := g^y X^{-c_\alpha}$

     [Lists $\mathcal{L}_G$, $\mathcal{L}_E$, $\mathcal{L}_V$; highlighted row: $R^*_\alpha$, $E_{u+\alpha}$, $V_{u+\alpha}$; last row: $G_{u+q+1}$, $E_{u+q+1}$, $V_{u+q+1}$]

  33. Ok, so how does it work? Vanilla Reductions

     proc A($\phi(X), m, \omega$):
       for all $i \in [q]$: $c_i = R.H(\phi(R_i), m)$
       $\alpha \leftarrow [q]$
       $y \leftarrow \mathbb{Z}_p$; $R^*_\alpha := g^y X^{-c_\alpha}$
       for $j = 1, \dots, |\mathcal{L}_G|$ do: recompute the entry in $\mathcal{L}_G$ from $G_1, \dots, G_{u+q}$ and its vector in $\mathcal{L}_V$
       return $(y, \phi(R^*_\alpha))$

     [Lists $\mathcal{L}_G$, $\mathcal{L}_E$, $\mathcal{L}_V$; highlighted row: $R^*_\alpha$, $E_{u+\alpha}$, $V_{u+\alpha}$; last row: $G_{u+q+1}$, $E_{u+q+1}$, $V_{u+q+1}$]

  34. Will this not trip up the Reduction? R is only able to notice the reprogramming if there exist $i, j$ such that $G_i = G_j$ before the reprogramming and $G_i \neq G_j$ after reprogramming, or the other way round. This happens with probability at most $\frac{2(u + q + t_R)^2}{p} \le \mathsf{negl}$
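
The list bookkeeping and reprogramming step of slides 29 to 34, as an added example in Python (not code from the talk or the paper). Assumptions: a constructed toy group (order p = 1019 subgroup of Z_2039^*, g = 4), SHA-256 standing in for the reduction's random oracle, a public key X built only from the C_i, and hypothetical helper names `setup`, `oracle_mul`, `simulate_A`, `verify`.

```python
import hashlib, secrets

P, p, g = 2039, 1019, 4   # constructed toy group: g generates the order-p subgroup of Z_P^*
u, q = 2, 4               # u challenge elements C_i, q adversary elements R_i

def H(enc, m):
    """Stand-in for the random oracle R.H(phi(R_i), m); returns c in Z_p."""
    return int.from_bytes(hashlib.sha256(enc + m).digest(), "big") % p

def setup(exps=None):
    """L_G = (C_1..C_u, R_1..R_q), L_E = random encodings, L_V = unit vectors."""
    exps = exps or [secrets.randbelow(p) for _ in range(u + q)]
    L_G = [pow(g, e, P) for e in exps]
    L_E = [secrets.token_bytes(16) for _ in L_G]
    L_V = [[int(i == j) for j in range(u + q)] for i in range(u + q)]
    return L_G, L_E, L_V

def oracle_mul(lists, Ei, Ej):
    """O(E_i, E_j, x): encoding of G_i * G_j, recorded with vector V_i + V_j."""
    L_G, L_E, L_V = lists
    i, j = L_E.index(Ei), L_E.index(Ej)
    G = L_G[i] * L_G[j] % P
    if G not in L_G:               # a known element keeps its existing encoding
        L_G.append(G)
        L_E.append(secrets.token_bytes(16))
        L_V.append([(a + b) % p for a, b in zip(L_V[i], L_V[j])])
    return L_E[L_G.index(G)]

def simulate_A(lists, X_enc, m):
    """Simulated forger: no discrete log, reprogram R_alpha := g^y X^{-c_alpha}."""
    L_G, L_E, L_V = lists
    X = L_G[L_E.index(X_enc)]
    alpha = secrets.randbelow(q)
    c, y = H(L_E[u + alpha], m), secrets.randbelow(p)
    L_G[u + alpha] = pow(g, y, P) * pow(X, p - c, P) % P
    for k in range(u + q, len(L_G)):   # recompute derived entries from their vectors
        acc = 1
        for base, e in zip(L_G[:u + q], L_V[k]):
            acc = acc * pow(base, e, P) % P
        L_G[k] = acc
    return L_E[u + alpha], y

def verify(lists, X_enc, m, sig):
    """Vrfy on encodings: g^y == X^c * R with c = H(phi(R), m)."""
    L_G, L_E, _ = lists
    R_enc, y = sig
    X, R = L_G[L_E.index(X_enc)], L_G[L_E.index(R_enc)]
    return pow(g, y, P) == pow(X, H(R_enc, m), P) * R % P
```

The encodings in `L_E` never change, so the reduction sees the same strings before and after the swap; with a group this small, an accidental collision between the new R and an existing entry is far more likely than the bound on slide 34 would allow for a cryptographic p.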

  35. Summary & Conclusion The security of Schnorr signatures cannot be reduced to any representation invariant assumption tighter than $O(1/q)$ using a generic fully blackbox reduction.

  36. Thank You! Nils Fleischhacker fleischhacker@cs.uni-saarland.de
