SLIDE 1 On Tight Security Proofs for Schnorr Signatures
Nils Fleischhacker (1), Tibor Jager (2), Dominique Schröder
(1) Saarland University
(2) Horst Görtz Institute for IT Security, Ruhr-University Bochum
December 9, 2014
SLIDE 2
(Informal) Main Result: The security of Schnorr signatures cannot be tightly reduced to any natural assumption using a generic reduction. The result holds unconditionally.
SLIDE 3-5 Schnorr Signatures [Sch90,Schn91]
G = <g>, H

Kgen(1^κ):
  x ←$ Z_q
  X := g^x
  return (x, X)

Sign(x, m):
  r ←$ Z_q
  R := g^r
  c := H(R, m)
  y := r + x · c
  return σ = (R, y)

Vrfy(X, m, σ):
  parse σ as (R, y)
  c := H(R, m)
  return g^y =? X^c · R

◮ Provably secure under DLOG assumption in the ROM [PS96, PS00]. Not tight!
◮ Previous impossibility results for tight proofs for DLOG and algebraic reductions [PV05,GBL08,Seu12].
SLIDE 6-11
Why do we care about tightness?
Diagram: a reduction R receives g^x and must output x′ (solve DLOG). To do so it runs an adversary against Π in the UUNF-NM game; the adversary receives (pk, m) and returns a forgery σ.
◮ Weaker definition of security = stronger negative result.
◮ If the adversary runs in time t, the reduction runs in time f(t); the builds show f(t) = t and f(t) = 2t.
◮ The adversary additionally makes q hash queries (R′, m′) ↦ H(R′, m′); the reduction's running time then becomes f(t, q) = q · t.
SLIDE 12-13 Meta-Reductions [BV98]
Diagram: a reduction R solves Π given access to a UUNF-NM adversary A. A meta-reduction M takes the place of A: it simulates the adversary towards R, so that M together with R becomes an algorithm against Π′.
SLIDE 14-17
Previous Work on Lower Bounds

              PV05                 GBL08                Seurin12             Our Work
Bound         1/q^(1/2)            1/q^(2/3)            O(1/q)               O(1/q)
Reduction     algebraic, (OM)DL    algebraic, (OM)DL    algebraic, (OM)DL    generic, representation invariant
Assumption    OMDL                 OMDL                 OMDL                 none
SLIDE 18 Algebraic vs. Generic Reductions
An algebraic reduction only computes group elements using group operations.
Diagram: in (G, g) the reduction R receives g^{x1}, g^{x2} and outputs g^y; an extractor Ext, given (x1, x2) and g^y, recovers y.
A generic reduction works regardless of the representation of the group:
  φ : G → {0,1}^{2n} is a random encoding. R receives φ(g^{x1}), φ(g^{x2}) and outputs φ(g^y), computing only through an oracle O that answers the query (φ(g^a), φ(g^b), ◦) with φ(g^a ◦ g^b).
SLIDE 19-22
So... GGM? No!
Diagram: the oracle O holds the group elements A, B and hands R only their encodings φ(A), φ(B). R computes with queries (φ(i), φ(j), ◦) ↦ φ(i ◦ j) and finally outputs φ(C), φ(D), which O decodes to C, D.
The adversary A is not generic: when R calls it on (φ(X), m, ω), A receives the decoded (X, m, ω), and its forgery (R, y) is handed back to R as (φ(R), y). Only the reduction is restricted to the encoded view, not the adversary.
SLIDE 23-25
Ok, so how does it work?
Vanilla Reductions

Vanilla Reduction:
◮ Runs A once
◮ Does not rewind
Result:
◮ Rules out all generic vanilla reductions
◮ Even tight reductions

Adversary A (uses a discrete-logarithm computation, which the meta-reduction will have to simulate):
proc A(X, m, ω):
  (R_1, ..., R_q) ← G^q
  for all i ∈ [q]: c_i := H(R_i, m)
  α ← [q]
  y := log_g (X^{c_α} · R_α)
  return (R_α, y)

SLIDE 26-29
Ok, so how does it work?
Vanilla Reductions

The meta-reduction M sits between R and the oracle O and keeps three lists:
  L_G  group elements: C_1, ..., C_u (the challenge (C_1, ..., C_u, C′) given to M), R_1, ..., R_q (the elements chosen for A), then every element R derives
  L_E  encodings: E_1, ..., E_u, E_{u+1}, ..., E_{u+q}, E_{u+q+1}, ...; R sees φ(C_1), ..., φ(C_u), C′ and the answers to its oracle queries
  L_V  representation vectors over the u+q base elements: (1, 0, ...), ..., (..., 0, 1, 0, ...), ..., (..., 0, 1); an oracle query (E_i, E_j, ×) creates a new entry E_{u+q+1} with vector V_i + V_j
R runs A on (φ(X), m) and receives (φ(R), y).

SLIDE 30-33
Ok, so how does it work?
Vanilla Reductions

M simulates A as follows (entry u+α of the lists holds R_α, E_{u+α}, V_{u+α}):
proc A(φ(X), m, ω):
  for all i ∈ [q]: c_i := R.H(φ(R_i), m)        (hash queries go to R, which simulates H)
  α ← [q]
  y ← Z_p ; R*_α := g^y · X^{-c_α}              (instead of y := log_g(X^{c_α} · R_α))
  replace R_α by R*_α in L_G; the encoding E_{u+α} is unchanged
  for i = 1, ..., |L_G| do G_i := Π_{j=1}^{u+q} G_j^{V_i^j}     (recompute every derived element from its vector)
  return (y, φ(R*_α))
SLIDE 34
Will this not trip up the Reduction?
R is only able to notice the reprogramming if there exist i, j such that G_i = G_j before the reprogramming and G_i ≠ G_j after the reprogramming, or the other way round. This happens with probability at most 2(u + q + t_R)^2 / p ≤ negl.
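The bookkeeping of slides 26-34 (the lists L_G, L_E, L_V, the swap of R_α for R*_α behind an unchanged encoding, the recomputation of derived elements, and the slide-34 event that would let R notice) as an added Python example; this is not code from the talk or its authors. It assumes a constructed toy group (p = 2039, q = 1019, g = 4) in place of real parameters, models the generic-group oracle O with random hex-string encodings, stands in for R's hash R.H with SHA-256 applied to the encoding R is shown, and uses names of its own (GenericGroup, rebind, run_meta_reduction). The simulated adversary never touches x, yet the forgery verifies in the reduction's encoded view.

```python
import hashlib
import secrets

# Constructed toy group: the order-Q subgroup of Z_P^* with P = 2Q + 1 and G of order Q.
# Real parameters are ~256-bit; these small values only keep the example instant.
P, Q, G = 2039, 1019, 4


def H(enc, m):
    """Stand-in for the reduction's hash R.H, applied to the encoding phi(R) it is shown."""
    return int.from_bytes(hashlib.sha256(f"{enc}|{m}".encode()).digest(), "big") % Q


class GenericGroup:
    """Generic-group oracle O. The reduction only sees random encodings phi(.).
    LG holds elements, LE their encodings, LV representation vectors over the
    base elements, so that LG[i] = prod_j LG[j] ** LV[i][j]  (slides 29-33)."""

    def __init__(self, bases):
        self.n_base = len(bases)
        self.LG, self.LE, self.LV = [], [], []
        for i, b in enumerate(bases):
            self._encode(b, [int(j == i) for j in range(self.n_base)])

    def _encode(self, elem, vec):
        """phi(elem): reuse the encoding of an already-known element, else draw a fresh one."""
        for k, g in enumerate(self.LG):
            if g == elem:
                return self.LE[k]
        self.LG.append(elem)
        self.LE.append(secrets.token_hex(8))
        self.LV.append(vec)
        return self.LE[-1]

    def mul(self, e1, e2):
        """Oracle query (E_i, E_j, x): encoding of the product; its vector is V_i + V_j."""
        i, j = self.LE.index(e1), self.LE.index(e2)
        vec = [(a + b) % Q for a, b in zip(self.LV[i], self.LV[j])]
        return self._encode(self.LG[i] * self.LG[j] % P, vec)

    def power(self, e, k):
        """e^k using only the multiplication oracle (square-and-multiply)."""
        result = self._encode(1, [0] * self.n_base)  # identity element
        base = e
        while k:
            if k & 1:
                result = self.mul(result, base)
            base = self.mul(base, base)
            k >>= 1
        return result

    def rebind(self, idx, new_elem):
        """Meta-reduction step (slide 33): replace the element behind base encoding
        LE[idx] and recompute every derived entry from its vector. Returns True when
        two entries now hold equal elements under different encodings, the slide-34
        event that would let the reduction notice."""
        self.LG[idx] = new_elem
        for i in range(self.n_base, len(self.LG)):
            acc = 1
            for j in range(self.n_base):
                acc = acc * pow(self.LG[j], self.LV[i][j], P) % P
            self.LG[i] = acc
        return len(set(self.LG)) != len(self.LG)


def run_meta_reduction(m="constructed message", q=4):
    """Replays the simulation of slides 30-33 once and returns
    (forgery_verifies_in_R_view, reduction_could_notice)."""
    rng = secrets.SystemRandom()
    x, *rs = rng.sample(range(2, Q), q + 1)  # distinct exponents: secret key and A's R_i
    X = pow(G, x, P)
    Rs = [pow(G, r, P) for r in rs]
    gg = GenericGroup([G, X] + Rs)  # u = 2 base elements from R, q chosen for A
    phi_g, phi_X = gg.LE[0], gg.LE[1]
    gg.mul(phi_g, phi_X)  # some precomputation by R, re-derived after the swap
    # Simulated adversary (slide 31): hash every R_i, pick alpha, choose y first and
    # set R*_alpha := g^y X^{-c_alpha}. It never uses x.
    cs = [H(gg.LE[2 + i], m) for i in range(q)]
    alpha = rng.randrange(q)
    y = rng.randrange(Q)
    R_star = pow(G, y, P) * pow(X, Q - cs[alpha], P) % P
    # Meta-reduction: the encoding that was already hashed now denotes R*_alpha.
    noticed = gg.rebind(2 + alpha, R_star)
    phi_R = gg.LE[2 + alpha]
    c = H(phi_R, m)  # R recomputes c from the very same encoding
    # R verifies g^y == X^c * R entirely through the oracle.
    lhs = gg.power(phi_g, y)
    rhs = gg.mul(gg.power(phi_X, c), phi_R)
    return lhs == rhs, noticed
```

With the toy group the slide-34 collision event occurs with probability on the order of (u + q + t_R)^2 / p, so the second return value is occasionally True here; for a 256-bit group order that probability is negligible, which is exactly why the reduction's encoded view gives it no way to tell the simulated forger from the real one.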
SLIDE 35
Summary & Conclusion: The security of Schnorr signatures cannot be reduced to any representation invariant assumption tighter than O(1/q) using a generic fully black-box reduction.
SLIDE 36
Thank You!
Nils Fleischhacker fleischhacker@cs.uni-saarland.de