limitations of the meta reduction technique the case of
play

Limitations of the Meta-Reduction Technique: The Case of Schnorr - PowerPoint PPT Presentation

Aug 04, 2023 •333 likes •693 views

Limitations of the Meta-Reduction Technique: The Case of Schnorr Signatures Marc Fischlin 1 Nils Fleischhacker 2 1 TU Darmstadt 2 Saarland University, Center for IT-Security, Privacy, and Accountability June 5, 2014 (Informal) Main Results 1

  1. Limitations of the Meta-Reduction Technique: The Case of Schnorr Signatures Marc Fischlin 1 Nils Fleischhacker 2 1 TU Darmstadt 2 Saarland University, Center for IT-Security, Privacy, and Accountability June 5, 2014

  2. (Informal) Main Results 1 ◮ Schnorr Signatures are provably secure under the DLOG assumption in the weakly programmable ROM. ◮ Under the one-more DLOG assumption there does not exist a ”single instance” reduction from the DLOG assumption in the non-programmable ROM. ◮ Eliminating the one-more DLOG assumption from our meta-reduction is highly unlikely. 1 actual results may vary

  3. Schnorr Signatures [Sch90,Schn91] G = � g � , H Kgen (1 κ ) Sign ( sk , m ) Vrfy ( pk , m, σ ) $ $ parse σ as ( c, y ) sk ← Z q ← Z q r ? pk := g sk R := g r = H ( pk − c g y , m ) if c c := H ( R, m ) output 1 return ( sk , pk ) y := r + sk · c else return σ = ( c, y ) output 0

  4. Schnorr Signatures [Sch90,Schn91] G = � g � , H Kgen (1 κ ) Sign ( sk , m ) Vrfy ( pk , m, σ ) $ $ parse σ as ( c, y ) sk ← Z q ← Z q r ? pk := g sk R := g r = H ( pk − c g y , m ) if c c := H ( R, m ) output 1 return ( sk , pk ) y := r + sk · c else return σ = ( c, y ) output 0 ◮ Provably secure under DLOG assumption in the ROM [PS96, PS00]. ◮ Previous impossibility results for algebraic reductions [PV05,GBL08,Seu12].

  5. Random Oracle Model with(out) programmability [FLR+10] A

  6. Random Oracle Model with(out) programmability [FLR+10] A H

  7. Random Oracle Model with(out) programmability [FLR+10] R A H

  8. Random Oracle Model with(out) programmability [FLR+10] R A H

  9. Random Oracle Model with(out) programmability [FLR+10] Prog R Prog ( a, b ) ⇒ A H def H ( a ) = Rand ( b ) Rand

  10. Meta-Reductions [BV98] Π R A EUF - CMA

  11. Meta-Reductions [BV98] M Π Π ’ R A EUF - CMA

  12. Meta-Reductions [BV98] M DL OM DL R A EUF - CMA

  13. Meta-Reductions [BV98] M DL OM DL R A EUF - CMA

  14. EUF-CMA pk ( sk , pk ) ← Kgen (1 κ ) ( m ∗ , σ ∗ )

  15. EUF-CMA pk ( sk , pk ) ← Kgen (1 κ ) m Sign ( sk , m ) σ ( m ∗ , σ ∗ )

  16. EUF-CMA pk ( sk , pk ) ← Kgen (1 κ ) m Sign ( sk , m ) σ ( m ∗ , σ ∗ ) The attacker wins if Vrfy ( pk , m ∗ , σ ∗ ) = 1 and m � = m ∗

  17. Meta-Reductions M DL OM DL R A EUF - CMA

  18. Meta-Reductions M DL OM DL R A EUF - CMA

  19. The One-More discrete log problem [BNPS03] z 1 = g x 1 , z 2 = g x 2 x 1 , x 2

  20. The One-More discrete log problem [BNPS03] z 1 = g x 1 , z 2 = g x 2 z ′ = g x ′ log g y ′ x ′ x 1 , x 2

  21. In the non-programmable ROM Sign ( sk , m ) Vrfy ( pk , m, σ ) $ parse σ as ( c, y ) ← Z q r ? R := g r if c = H ( pk − c g y , m ) c := H ( R, m ) output 1 DL OM y := r + sk · c else z 0 , z 1 return σ = ( c, y ) output 0 M H

  22. In the non-programmable ROM Sign ( sk , m ) Vrfy ( pk , m, σ ) $ parse σ as ( c, y ) ← Z q r ? R := g r if c = H ( pk − c g y , m ) c := H ( R, m ) output 1 DL OM y := r + sk · c else z 0 , z 1 return σ = ( c, y ) output 0 z 0 M z 1 R 0 R 1 H

  23. In the non-programmable ROM Sign ( sk , m ) Vrfy ( pk , m, σ ) $ parse σ as ( c, y ) ← Z q r ? R := g r if c = H ( pk − c g y , m ) c := H ( R, m ) output 1 DL OM y := r + sk · c else z 0 , z 1 return σ = ( c, y ) output 0 z 0 M z 1 pk 0 pk 1 R 0 A 0 A 1 R 1 H

  24. In the non-programmable ROM Sign ( sk , m ) Vrfy ( pk , m, σ ) $ parse σ as ( c, y ) ← Z q r ? R := g r if c = H ( pk − c g y , m ) c := H ( R, m ) output 1 DL OM y := r + sk · c else z 0 , z 1 return σ = ( c, y ) output 0 z 0 M z 1 pk 0 pk 1 m 0 m 1 $ m 0 , m 1 ← { 0 , 1 } κ R 0 A 0 A 1 R 1 m 0 � = m 1 ( c 0 , y 0 ) ( c 1 , y 1 ) H

  25. In the non-programmable ROM Sign ( sk , m ) Vrfy ( pk , m, σ ) $ parse σ as ( c, y ) ← Z q r ? R := g r if c = H ( pk − c g y , m ) c := H ( R, m ) output 1 DL OM y := r + sk · c else z 0 , z 1 return σ = ( c, y ) output 0 z 0 M z 1 pk 0 pk 1 m 0 m 1 $ m 0 , m 1 ← { 0 , 1 } κ R 0 A 0 A 1 R 1 m 0 � = m 1 ( c 0 , y 0 ) ( c 1 , y 1 ) H

  26. In the non-programmable ROM Sign ( sk , m ) Vrfy ( pk , m, σ ) $ parse σ as ( c, y ) ← Z q r ? R := g r if c = H ( pk − c g y , m ) c := H ( R, m ) output 1 DL OM y := r + sk · c else z 0 , z 1 return σ = ( c, y ) output 0 π δ = sk 0 − sk 1 z 0 M z 1 π = pk 0 pk − 1 1 pk 0 pk 1 m 0 m 1 $ m 0 , m 1 ← { 0 , 1 } κ R 0 A 0 A 1 R 1 m 0 � = m 1 ( c 0 , y 0 ) ( c 1 , y 1 ) H

  27. In the non-programmable ROM Sign ( sk , m ) Vrfy ( pk , m, σ ) $ parse σ as ( c, y ) ← Z q r ? R := g r if c = H ( pk − c g y , m ) c := H ( R, m ) output 1 DL OM y := r + sk · c else z 0 , z 1 return σ = ( c, y ) output 0 π δ = sk 0 − sk 1 z 0 M z 1 π = pk 0 pk − 1 1 pk 0 pk 1 m 0 m 1 $ m 0 , m 1 ← { 0 , 1 } κ R 0 A 0 A 1 R 1 m 0 � = m 1 ( c 0 , y 0 ) ( c 1 , y 1 ) y ′ y ′ 0 = y 0 − δ · c 0 1 = y 1 + δ · c 1 H

  28. In the non-programmable ROM Sign ( sk , m ) Vrfy ( pk , m, σ ) $ parse σ as ( c, y ) ← Z q r ? R := g r if c = H ( pk − c g y , m ) c := H ( R, m ) output 1 DL OM y := r + sk · c else z 0 , z 1 return σ = ( c, y ) output 0 π δ = sk 0 − sk 1 z 0 M z 1 π = pk 0 pk − 1 1 pk 0 pk 1 m 0 m 1 $ m 0 , m 1 ← { 0 , 1 } κ R 0 A 0 A 1 R 1 m 0 � = m 1 ( c 0 , y 0 ) ( c 1 , y 1 ) ( c 1 , y ′ ( c 0 , y ′ 1 ) 0 ) y ′ y ′ 0 = y 0 − δ · c 0 1 = y 1 + δ · c 1 H

  29. In the non-programmable ROM Sign ( sk , m ) Vrfy ( pk , m, σ ) $ parse σ as ( c, y ) ← Z q r ? R := g r if c = H ( pk − c g y , m ) c := H ( R, m ) output 1 DL OM y := r + sk · c else z 0 , z 1 return σ = ( c, y ) output 0 π δ = sk 0 − sk 1 z 0 M z 1 π = pk 0 pk − 1 1 pk 0 pk 1 m 0 m 1 $ m 0 , m 1 ← { 0 , 1 } κ R 0 A 0 A 1 R 1 m 0 � = m 1 ( c 0 , y 0 ) ( c 1 , y 1 ) ( c 1 , y ′ ( c 0 , y ′ 1 ) 0 ) x 0 x 1 y ′ y ′ 0 = y 0 − δ · c 0 1 = y 1 + δ · c 1 x 0 , x 1 H

  30. In the non-programmable ROM Sign ( sk , m ) Vrfy ( pk , m, σ ) $ parse σ as ( c, y ) ← Z q r ? R := g r if c = H ( pk − c g y , m ) c := H ( R, m ) output 1 DL OM y := r + sk · c else z 0 , z 1 return σ = ( c, y ) output 0 π δ = sk 0 − sk 1 M R z 0 M z 1 π = pk 0 pk − 1 1 pk 0 pk 1 m 0 m 1 $ m 0 , m 1 ← { 0 , 1 } κ R 0 A 0 A 1 R 1 m 0 � = m 1 ( c 0 , y 0 ) ( c 1 , y 1 ) ( c 1 , y ′ ( c 0 , y ′ 1 ) 0 ) x 0 x 1 y ′ y ′ 0 = y 0 − δ · c 0 1 = y 1 + δ · c 1 x 0 , x 1 H

  31. Can we do better? ◮ Probably not. ◮ Going one (meta-)level deeper and using a meta-meta-reduction, we can show that removing the one-more discrete log assumption would (constructively) imply an adversary against the signature scheme.

  32. So, what does this mean? Under the One-More Discrete Log Assumption, no single instance reductions from the discrete log Problem can exist for Schnorr signatures, if they do not program the random oracle. A relaxed notion of programmability, however, is sufficient. The result is optimal in the sense that removing the assumption proves to be extremely unlikely.

  33. Open Problems ◮ We rule out DLOG reductions, but what about CDH,... ◮ Possibly even interactive assumptions?

  34. Thank You! Nils Fleischhacker fleischhacker@cs.uni-saarland.de Full version available on eprint http://eprint.iacr.org/2013/140

Recommend

Limitations of the Meta-Reduction Technique Nils Fleischhacker Technische Universit at

Limitations of the Meta-Reduction Technique Nils Fleischhacker Technische Universit at

Preliminaries Meta-Reductions Limitations Conclusion Limitations of the Meta-Reduction Technique Nils Fleischhacker Technische Universit at Darmstadt September 2, 2012 Nils Fleischhacker Technische Universit at Darmstadt Limitations

793 views • 39 slides
Does COUNTER tell the whole story? Case-by-case examples demonstrating the limitations of

Does COUNTER tell the whole story? Case-by-case examples demonstrating the limitations of

Does COUNTER tell the whole story? Case-by-case examples demonstrating the limitations of COUNTER, and suggestions for alternative evaluation metrics CARLI Spring Forum on Collections Data Analysis and Maintenance Governors State University,

467 views • 23 slides
Meta-analytic approaches for multi- stressor dose-response function development: strengths,

Meta-analytic approaches for multi- stressor dose-response function development: strengths,

Meta-analytic approaches for multi- stressor dose-response function development: strengths, limitations, and case studies Jonathan Levy, Sc.D. Professor of Environmental Health Boston University School of Public Health Methods for Research

264 views • 23 slides
Derivation reduction of metarules in meta-interpretive learning Andrew Cropper & Sophie

Derivation reduction of metarules in meta-interpretive learning Andrew Cropper & Sophie

Derivation reduction of metarules in meta-interpretive learning Andrew Cropper & Sophie Tourret Input Output Examples Background knowledge Logic program Bias Biases - Mode declarations (Progol, ILASP, Aleph, XHAIL, ) - Metarules

839 views • 51 slides
Worst-Case to Average-Case Reduction for SIS Vadim Lyubashevsky INRIA / ENS, Paris

Worst-Case to Average-Case Reduction for SIS Vadim Lyubashevsky INRIA / ENS, Paris

Worst-Case to Average-Case Reduction for SIS Vadim Lyubashevsky INRIA / ENS, Paris Lattice-Based Crypto & Applications 1 Bar-Ilan University Israel 2012 Session Outline Average-Case Problems The Small Integer Solution (SIS)

909 views • 63 slides
Optimal Sensor Placement in General Case Limitations of the . . . Scale Invariance: . . .

Optimal Sensor Placement in General Case Limitations of the . . . Scale Invariance: . . .

Outline Case Study Optimal Sensor Placement in General Case Limitations of the . . . Scale Invariance: . . . Environmental Research: Main Result Proof: Part 1 Designing a Sensor Network under Uncertainty Title Page Aline

484 views • 20 slides
Bayesian Meta Analysis and Bias Modeling: A Case Study with Relative Clause Processing in

Bayesian Meta Analysis and Bias Modeling: A Case Study with Relative Clause Processing in

Meta Analysis and Bias Modeling Bayesian Meta Analysis and Bias Modeling: A Case Study with Relative Clause Processing in Mandarin Chinese Shravan Vasishth Department Linguistik, Universit at Potsdam Centre de Recherche en Math ematiques

408 views • 18 slides
Robust Evidence Synthesis Ullrika Sahlin Thursday 9.00-12.30 1 Evidence-based Meta-analysis

Robust Evidence Synthesis Ullrika Sahlin Thursday 9.00-12.30 1 Evidence-based Meta-analysis

Robust Evidence Synthesis Ullrika Sahlin Thursday 9.00-12.30 1 Evidence-based Meta-analysis Statistical technique to combine results from multiple independent studies Consider differences in quality in studies Experi Meta-analysis Observ

611 views • 40 slides
Meta-Modelling as a Means for Improved Communication and Interoperability The Case of Frisco

Meta-Modelling as a Means for Improved Communication and Interoperability The Case of Frisco

Meta-Modelling as a Means for Improved Communication and Interoperability The Case of Frisco Petia Wohed & Birger Andersson EMOI, 13 June 2005, Porto 1 Background of our work There is terminological fuzziness in IS engineering

290 views • 10 slides
Problem Symptom Reduction Technique Identify the real problems MAY 15, 2019 Business

Problem Symptom Reduction Technique Identify the real problems MAY 15, 2019 Business

Aristotelian Problem Symptom Reduction Technique Identify the real problems MAY 15, 2019 Business Solutions Specialist Technical Analyst Business Analyst Business Architect eliciting information root cause analysis problem

649 views • 32 slides
Operationally comparable effect sizes for meta-analysis of single-case research James E.

Operationally comparable effect sizes for meta-analysis of single-case research James E.

Operationally comparable effect sizes for meta-analysis of single-case research James E. Pustejovsky Northwestern University pusto@u.northwestern.edu March 7, 2013 2 Single Case Designs Dunlap, et al. (1994). Choice making to promote

442 views • 27 slides
Cross Translation Unit Test Case Reduction Rka Kovcs / rekanikolett@gmail.com Etvs

Cross Translation Unit Test Case Reduction Rka Kovcs / rekanikolett@gmail.com Etvs

Cross Translation Unit Test Case Reduction Rka Kovcs / rekanikolett@gmail.com Etvs Lornd University / Ericsson Hungary Test Case Reduction magic big file with property of interest small file with the same (e.g. triggers crash)

438 views • 14 slides
Security Assessment Technique for SDN greenkim@konkuk.ac.kr Contents 1.

Security Assessment Technique for SDN greenkim@konkuk.ac.kr Contents 1.

Security Assessment Technique for SDN greenkim@konkuk.ac.kr Contents 1. Introduction 2. Security Analyses of SDN 3. Security Assessment Technique for SDN 3.1 Taxonomy of issues 3.2 Assessment technique 4. Case study of IMECA

223 views • 19 slides
Chapter 5 The Witness Reduction Technique Luke Dalessandro Rahul Krishna December 6, 2006 Luke

Chapter 5 The Witness Reduction Technique Luke Dalessandro Rahul Krishna December 6, 2006 Luke

Outline Chapter 5 The Witness Reduction Technique Luke Dalessandro Rahul Krishna December 6, 2006 Luke Dalessandro, Rahul Krishna Chapter 5 The Witness Reduction Technique Part I: Background Material Outline Part II: Chapter 5 Outline of

904 views • 79 slides
Limitations on Transformations from Composite-Order to Prime-Order Groups: The Case of

Limitations on Transformations from Composite-Order to Prime-Order Groups: The Case of

Limitations on Transformations from Composite-Order to Prime-Order Groups: The Case of Round-Optimal Blind Signatures Sarah Meiklejohn (UC San Diego) Hovav Shacham (UC San Diego) David Mandell Freeman (Stanford University) 1 Elliptic curves:

1.09k views • 77 slides
Coping at the User-Level with Resource Limitations in the Cray Message Passing Toolkit MPI at

Coping at the User-Level with Resource Limitations in the Cray Message Passing Toolkit MPI at

Introduction Limitations in Cray MPT Application Case Studies Conclusions Coping at the User-Level with Resource Limitations in the Cray Message Passing Toolkit MPI at Scale: How Not to Spend Your Summer Vacation Richard T. Mills 1 , Forrest

460 views • 20 slides
Programme Reduction - applications Prove non-decidable properties of TMs Theorem 11.7

Programme Reduction - applications Prove non-decidable properties of TMs Theorem 11.7

Programme Reduction - applications Prove non-decidable properties of TMs Theorem 11.7 Acc- = {e(T) | L(T) } is not recursive Reduction technique Describe non-decidable properties of other universal Proof: Show Acc

135 views • 13 slides
Limitations of Realistic A Faster Method: . . . Monte-Carlo Techniques Monte-Carlo: . . . Proof

Limitations of Realistic A Faster Method: . . . Monte-Carlo Techniques Monte-Carlo: . . . Proof

Need for Data Processing Need to Take . . . Case of Interval . . . How to Compute the . . . Limitations of Realistic A Faster Method: . . . Monte-Carlo Techniques Monte-Carlo: . . . Proof : Case of . . . in Estimating Interval General Case

452 views • 21 slides
SLIMBRIDGE CASE STUDY, INFILTRATION REDUCTION Case Study Presentation WWT Networks Conference

SLIMBRIDGE CASE STUDY, INFILTRATION REDUCTION Case Study Presentation WWT Networks Conference

SLIMBRIDGE CASE STUDY, INFILTRATION REDUCTION Case Study Presentation WWT Networks Conference 2019 Client Severn Trent Water Principle D&B Contractor nmcn Mike Wood Stantec & Severn Trent Steve Wood nmcn Alex Finlyson

757 views • 21 slides
A Step-by-Step Guide to Planning and Conducting Your First Nominal Group Technique Session

A Step-by-Step Guide to Planning and Conducting Your First Nominal Group Technique Session

A Step-by-Step Guide to Planning and Conducting Your First Nominal Group Technique Session The benefits & limitations of Nominal Group Technique (NGT) When to use NGT How to prepare for and conduct your first NGT session NGT is

635 views • 44 slides
META-NET and META Hans Uszkoreit Co-funded, by, the, 7th, Framework, Programme, of, the,

META-NET and META Hans Uszkoreit Co-funded, by, the, 7th, Framework, Programme, of, the,

META-NET and META Hans Uszkoreit Co-funded, by, the, 7th, Framework, Programme, of, the, European, Commission, through, the, contract, T4ME,, grant, agreement, no.:, 249119. Language Technology Everywhere spell checker in Microsoft Word

624 views • 33 slides
THE CLIMATE REDUCTION POTENTIAL OF ELECTRIFICATION FOR TRANSPORT AND BUILDINGS CASE STUDY FOR

THE CLIMATE REDUCTION POTENTIAL OF ELECTRIFICATION FOR TRANSPORT AND BUILDINGS CASE STUDY FOR

THE CLIMATE REDUCTION POTENTIAL OF ELECTRIFICATION FOR TRANSPORT AND BUILDINGS CASE STUDY FOR A FLEXIBLE APPROACH DAMIEN SIESS, Corporate Strategy Director THE FRENCH UNION OF ELECTRICITY UFEs membership Key figures 40 bn 200 000

319 views • 5 slides
Use of meta-rankings on a Group Decision Support System Presenter: Jos G. Robledo-Hernndez

Use of meta-rankings on a Group Decision Support System Presenter: Jos G. Robledo-Hernndez

Use of meta-rankings on a Group Decision Support System Presenter: Jos G. Robledo-Hernndez Thesis adviser: PhD Laura Plazola-Zamora Why use DSS? Higher decision quality Improved communication Cost reduction Increased

617 views • 29 slides
Spatial coupling: Algorithm and Proof Technique Workshop on Local Algorithms - WOLA 2018 Boston,

Spatial coupling: Algorithm and Proof Technique Workshop on Local Algorithms - WOLA 2018 Boston,

Spatial coupling: Algorithm and Proof Technique Workshop on Local Algorithms - WOLA 2018 Boston, June 15th, 2018 1 Physics inspiration: nucleation, crystallization, meta-stability 2 Supercooled water Heat packs Sodium acetate , C 2 H 3 NaO 2

838 views • 45 slides

More recommend