On the Exact Security of Schnorr-Type Signatures in the Random Oracle Model
(slide deck, 28 slides)

Yannick Seurin, ANSSI, France
18 April 2012, EUROCRYPT 2012

Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 1 / 28

Section: Introduction


Slide 5/28. Schnorr Signatures and the Forking Lemma: Schnorr signatures
- $\mathbb{G}$ is a cyclic group of prime order $q$ and $G$ a generator of $\mathbb{G}$
- secret key: $x \in_r \mathbb{Z}_q \setminus \{0\}$; public key: $X = G^x$
- $\mathrm{Sign}(m)$, $m \in \{0,1\}^*$ (drawn on the slide as the three moves commitment / challenge / answer between the signer and the hash):
  $a \in_r \mathbb{Z}_q$, $A = G^a$ (commitment)
  $c = H(m, A)$ (challenge)
  $s = a + cx \bmod q$ (answer)
  the signature is $(s, c)$
- $\mathrm{Verif}(m, (s, c))$: compute $A = G^s X^{-c}$ and check $H(m, A) = c$
- here $H$ is modeled as a random oracle

Slide 6/28. Schnorr Signatures and the Forking Lemma: Forger adversary against Schnorr signatures
- we focus on universal forgery under no-message attacks: the adversary is given a message $m$ and a public key $X$ and must return a forgery $(s, c)$ for $m$ (it cannot make signature queries)
- the random tape of the forger will be explicitly denoted $\omega$
- parameters characterizing a forger $F : (m, X, \omega) \mapsto (s, c)$, with oracle access to $H$:
  running time $t_F$
  success probability $\varepsilon_F$
  maximal number of RO queries $q_h$
  $\rightarrow$ time-to-success ratio $\rho_F = t_F / \varepsilon_F$
- pictorial representation of a forgery experiment: on input $(m, X, \omega)$, $F$ queries $A_1, A_2, A_3, \dots, A_\ell, \dots, A_{q_h}$ to the random oracle and receives the answers $c_1, c_2, \dots, c_\ell, \dots$; it outputs the forgery $(s_\ell, c_\ell)$ with $s_\ell = \mathrm{DLog}(A_\ell X^{c_\ell})$

Slide 7/28. Schnorr Signatures and the Forking Lemma: Extracting discrete logarithms from a forger
- given a forger $F$, one can build a reduction $R$ which solves the DL problem for the public key $X = G^x$ using $F$ as a black box
- main idea: have the forger output two forgeries $(s_1, c_1)$ and $(s_2, c_2)$ for the same message $m$ and the same commitment $A = G^a$, with $c_1 \neq c_2$, so that
  $s_1 = a + c_1 x$ and $s_2 = a + c_2 x$ $\;\Rightarrow\;$ $x = \dfrac{s_1 - s_2}{c_1 - c_2} \bmod q$
- picture: $R$ receives $X$, runs $F$ on $(m, X, \omega)$ while answering $F$'s queries to $H$ itself (the random oracle is simulated by $R$), gets back $(s, c)$, and outputs $x = \mathrm{DLog}(X)$
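The scheme of slide 5 and the two-forgery extraction of slide 7 in running code. This is an added example, not part of the slides: it uses a constructed toy group (the order-1019 subgroup of $\mathbb{Z}_{2039}^*$, far too small for real use), SHA-256 reduced mod $q$ as the hash $H$, and the helper names `keygen`, `sign`, `verify`, `extract_secret` and `demo_nonce_reuse` are my own. `extract_secret` is exactly $x = (s_1 - s_2)/(c_1 - c_2) \bmod q$. The reduction on the next slides obtains two such signatures by re-answering the oracle; `demo_nonce_reuse` shows the same equation triggered by a signer that reuses the commitment randomness $a$ for two messages, which is how this extraction bites in practice.

```python
import hashlib
import secrets

# Toy prime-order group: the subgroup of order Q in Z_P^*, with P = 2Q + 1 a safe prime.
# Constructed parameters for illustration only; an 11-bit group is trivially breakable.
P = 2039
Q = 1019
G = 4  # 4 = 2^2 is a quadratic residue different from 1, so it has order exactly Q


def _is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


assert _is_prime(P) and _is_prime(Q) and P == 2 * Q + 1 and pow(G, Q, P) == 1


def H(m, A):
    """Challenge hash H(m, A) -> Z_Q, standing in for the random oracle of the slides."""
    data = m.encode() + b"|" + A.to_bytes(2, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen(x=None):
    """Secret key x in Z_Q \\ {0} (drawn fresh unless given), public key X = G^x."""
    if x is None:
        x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign(x, m, a=None):
    """Schnorr signature (s, c) on m; a is the commitment randomness (fresh unless given)."""
    if a is None:
        a = secrets.randbelow(Q)
    A = pow(G, a, P)         # commitment A = G^a
    c = H(m, A)              # challenge c = H(m, A)
    s = (a + c * x) % Q      # answer s = a + c x mod Q
    return s, c


def verify(X, m, sig):
    """Recompute A = G^s X^{-c} and accept iff H(m, A) reproduces c."""
    s, c = sig
    A = pow(G, s, P) * pow(X, (-c) % Q, P) % P
    return H(m, A) == c


def extract_secret(sig1, sig2):
    """Recover x from two signatures on the same commitment but with distinct challenges.

    s1 = a + c1 x and s2 = a + c2 x  =>  x = (s1 - s2) / (c1 - c2) mod Q.
    """
    s1, c1 = sig1
    s2, c2 = sig2
    if c1 == c2:
        raise ValueError("challenges must differ to extract x")
    return (s1 - s2) * pow((c1 - c2) % Q, -1, Q) % Q


def demo_nonce_reuse(x, a, m1, m2):
    """Two signatures made with the same a on different messages share the commitment
    A = G^a and (almost surely) have distinct challenges: extraction recovers x."""
    return extract_secret(sign(x, m1, a), sign(x, m2, a))
```

`verify` recomputes the commitment from the signature alone, as on slide 5; `extract_secret` needs only the two signatures and never sees $a$.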

Slide 8/28. Schnorr Signatures and the Forking Lemma: Multiple invocations of the forger: forking
- how does $R$ obtain two forgeries for the same commitment $A$? $\Rightarrow$ "replay attack"
- run $F$ until it returns a first forgery for some RO query index $\ell \in [1..q_h]$
- replay the attack up to the forgery point (same tape $\omega$, same answers $c_1, \dots, c_{\ell-1}$), using new random RO answers from this point on
- keep doing this until $F$ returns a new forgery for the same RO query
- picture: the two executions on $(m, X, \omega)$ share the queries $A_1, A_2, A_3, \dots, A_\ell$ and the answers $c_1, c_2, \dots, c_{\ell-1}$, and fork at the answer $c_\ell$ to $A_\ell$; the remaining queries up to $A_{q_h}$ may differ

Slide 9/28. Schnorr Signatures and the Forking Lemma: Success probability of the reduction: the Forking Lemma
- to obtain the first forgery with constant probability: run the forger $\simeq 1/\varepsilon_F$ times
- to obtain the second forgery with constant probability: run the forger $\simeq q_h/\varepsilon_F$ times
- total running time $t_R \simeq (q_h/\varepsilon_F) \cdot t_F$ for constant success probability
- $\Rightarrow$ time-to-success ratio of the reduction: $\rho_R \simeq q_h\, \rho_F$, i.e. the reduction loses a factor $q_h$
- no matching attack known! (best known attack = computing the discrete log)
- Question: is there a better reduction, with a time-to-success ratio closer to the one of the forger?
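The replay procedure of slides 8 and 9 as runnable code, added here and not part of the original slides. It reuses the constructed toy group of the Schnorr example above and adds a programmable random oracle that can be forked at a given query index, a toy forger (which only manages to forge because it is handed $x$; the reduction never reads $x$ and works purely by rerunning the forger with the same tape $\omega$ and fresh answers), and the reduction $R$ itself. All names (`RandomOracle`, `make_toy_forger`, `commitment_of`, `reduction`, `demo`, `mean_runs`) and the choice $q_h = 8$ are assumptions of this example. Because the toy forger's index $\ell$ depends on all $q_h$ answers, each fork lands on the same query with probability about $1/q_h$, so `mean_runs` comes out near $q_h$: the factor the Forking Lemma loses.

```python
import random

# Same constructed toy group as the Schnorr example above: order-Q subgroup of Z_P^*, P = 2Q + 1.
P, Q, G = 2039, 1019, 4


class RandomOracle:
    """H(m, A) -> Z_Q sampled lazily, with the answer sequence exposed so R can fork it.

    Distinct queries are numbered in arrival order. The first len(prefix) of them are answered
    from `prefix` (replaying an earlier execution); later ones get fresh random values.
    """

    def __init__(self, rng, prefix=()):
        self.rng = rng
        self.answers = list(prefix)   # answers in query order: replayed, then extended
        self.queries = []             # distinct (m, A) pairs in query order
        self.table = {}

    def query(self, m, A):
        key = (m, A)
        if key not in self.table:
            idx = len(self.queries)
            if idx < len(self.answers):
                c = self.answers[idx]        # same answer as in the replayed execution
            else:
                c = self.rng.randrange(Q)    # fresh answer: this is where the fork happens
                self.answers.append(c)
            self.table[key] = c
            self.queries.append(key)
        return self.table[key]


def make_toy_forger(x, q_h=8):
    """A black-box forger F(m, X, omega) making q_h RO queries and forging on one of them.

    It can only forge because it was handed x (a cheat standing in for a real forger); the
    reduction below never reads x, it only reruns F with the same tape and new answers.
    F is deterministic in (omega, RO answers), which is what makes replaying meaningful, and
    its forgery index depends on every answer, so a fork rarely lands on the same index.
    """
    def forger(m, X, omega, oracle):
        tape = random.Random(omega)
        a = [tape.randrange(Q) for _ in range(q_h)]          # a_1..a_{q_h} from the tape
        c = [oracle.query(m, pow(G, a_i, P)) for a_i in a]   # c_i = H(m, A_i)
        l = sum(c) % q_h                                     # forgery index l
        return (a[l] + c[l] * x) % Q, c[l]                   # (s_l, c_l)
    return forger


def commitment_of(X, s, c):
    """A = G^s X^{-c}: the commitment a valid signature (s, c) under X was made on."""
    return pow(G, s, P) * pow(X, (-c) % Q, P) % P


def reduction(X, m, forger, seed=1, max_forks=1000):
    """Solve DLog(X) from black-box F by forking: rewind F to its l-th RO query and re-answer.

    Returns (x or None, number of executions of F).
    """
    rng = random.Random(seed)
    omega = rng.getrandbits(64)               # F's random tape, fixed for all executions
    oracle = RandomOracle(rng)
    s1, c1 = forger(m, X, omega, oracle)      # first execution, fresh answers throughout
    A = commitment_of(X, s1, c1)
    l = oracle.queries.index((m, A))          # which RO query the forgery was made on
    prefix = oracle.answers[:l]               # answers to the queries before it are kept
    runs = 1
    while runs <= max_forks:
        runs += 1
        s2, c2 = forger(m, X, omega, RandomOracle(rng, prefix))
        if commitment_of(X, s2, c2) == A and c2 != c1:
            # Two forgeries on the same commitment: x = (s1 - s2) / (c1 - c2) mod Q.
            return (s1 - s2) * pow((c1 - c2) % Q, -1, Q) % Q, runs
    return None, runs


def demo(seed=1):
    """Run the reduction against the toy forger; returns (true x, recovered x, executions)."""
    x = random.Random(seed).randrange(1, Q)
    X = pow(G, x, P)
    found, runs = reduction(X, "message to forge", make_toy_forger(x), seed)
    return x, found, runs


def mean_runs(trials=40):
    """Average number of executions of F the reduction needs, to compare with q_h = 8."""
    return sum(demo(seed)[2] for seed in range(trials)) / trials
```

`demo()` returns the true key, the key $R$ recovered, and how many times $F$ was run; the first run always succeeds here (the toy forger has $\varepsilon_F = 1$), so the count measures only the $q_h$ term of the Forking Lemma.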

Slide 10/28. Outline
1 Schnorr Signatures and the Forking Lemma
2 Meta-Reductions
3 Main Result

Slide 11/28. Meta-Reductions: The concept of meta-reduction
- Boneh and Venkatesan (EUROCRYPT '98) example: if there is an (algebraic) reduction $R$ from factoring to solving the RSA problem with small public exponents, then there is a meta-reduction $M$ factoring RSA moduli directly (using $R$)
- $\Rightarrow$ algebraic reductions from factoring to breaking low-exponent RSA cannot exist unless factoring is easy
- here, we will show that an (algebraic) reduction from the Discrete Log (DL) problem to forging Schnorr signatures cannot be tight, unless the One More Discrete Logarithm (OMDL) problem is easy

Slide 12/28. Meta-Reductions: The One More Discrete Logarithm (OMDL) problem
Definition. $M$ solves the OMDL problem if, given $(A_0, A_1, \dots, A_n) \in_r \mathbb{G}^{n+1}$, it returns the discrete logs of all the $A_i$'s by making at most $n$ calls to a discrete log oracle $\mathrm{DLog}(\cdot)$.
- picture: $M$ receives $A_0, \dots, A_n$, makes $\le n$ queries to $\mathrm{DLog}(\cdot)$, and outputs $\mathrm{DLog}(A_0), \dots, \mathrm{DLog}(A_n)$

Slide 13/28. Meta-Reductions: Restriction to algebraic reductions
Definition. An algorithm $R$ is algebraic (w.r.t. $\mathbb{G}$) if it only applies group operations on group elements (no bit manipulation, e.g. $G \oplus G'$).
Consequence. There exists a procedure Extract which, given the group elements $(G_1, \dots, G_k)$ input to $R$, $R$'s code and random tape, and any group element $Y$ output by $R$, extracts $(\alpha_1, \dots, \alpha_k)$ such that
  $Y = G_1^{\alpha_1} \cdots G_k^{\alpha_k}$.
NB: all known reductions for DL-based cryptosystems are algebraic (in particular the reduction of [PS96] for Schnorr signatures).

Slide 14/28. Meta-Reductions: Meta-reduction: main idea
- picture: $M$ receives $(A_0, \dots, A_n)$ and may make $\le n$ calls to $\mathrm{DLog}(\cdot)$; it runs $R$ on input $A_0$ and plays the forger $F$ for $R$: in each of the $\le n$ runs, $R$ hands $(m, X, \omega)$ to the simulated forger, answers its $\le q_h$ random oracle queries, and receives a forgery $(s, c)$; $R$ finally outputs $\mathrm{DLog}(A_0)$, and $M$ must output $\mathrm{DLog}(A_0), \dots, \mathrm{DLog}(A_n)$
- $n$ = number of times the reduction runs the forger

Slide 15/28. Meta-Reductions: Meta-reduction: the general strategy
- $M$ receives $(A_0, A_1, \dots, A_n)$ as input and uses $A_0$ as input to $R$
- $M$ uses $A_i$, $i = 1, \dots, n$, during the $i$-th simulation of the forger to construct the $q_h$ commitments $A_i^{\beta_1}, \dots, A_i^{\beta_{q_h}}$
- for each simulation, $M$ chooses some forgery index $\ell_i$ (more on the choice later) and uses its discrete log oracle to forge a signature $(s_i, c_i)$ by querying $s_i = \mathrm{DLog}\big(A_i^{\beta_{\ell_i}} X_i^{c_{\ell_i}}\big)$
- if the reduction succeeds in returning $a_0 = \mathrm{DLog}(A_0)$, and unless some bad event happens, $M$ will be able to use $a_0$ and $(s_i, c_i)$ to compute $a_i = \mathrm{DLog}(A_i)$ for $i = 1, \dots, n$
- picture: the $i$-th simulated execution, on input $(m_i, X_i, \omega_i)$, queries $A_i^{\beta_1}, A_i^{\beta_2}, A_i^{\beta_3}, \dots, A_i^{\beta_{\ell_i}}, \dots, A_i^{\beta_{q_h}}$ and receives $c_1, c_2, \dots, c_{\ell_i}, \dots$

Slide 16/28. Meta-Reductions: Extraction of $\mathrm{DLog}(A_i)$ by the meta-reduction
- if the simulation of the forger by $M$ is OK, $R$ returns $a_0 = \mathrm{DLog}(A_0)$ (with probability $\simeq \varepsilon_R$)
- $M$ must then use $a_0$ and the forged signatures $(s_i, c_i)$ to compute $\mathrm{DLog}(A_i)$ for $i = 1, \dots, n$
- the $i$-th forgery was computed with $s_i = \mathrm{DLog}\big(A_i^{\beta_i} X_i^{c_i}\big)$ (writing $\beta_i$ for $\beta_{\ell_i}$) $\rightarrow$ computing $\mathrm{DLog}(A_i)$ $\Leftrightarrow$ computing $\mathrm{DLog}(X_i)$
- how can $M$ retrieve the discrete log of the public keys $X_i$ received from the reduction $R$? $\Rightarrow$ restriction to algebraic reductions
- group elements input to $R$: $G$, $A_0$; the procedure Extract yields $\gamma_i, \gamma'_i$ such that
  $X_i = G^{\gamma_i} A_0^{\gamma'_i} = G^{\gamma_i + a_0 \gamma'_i}$
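Carrying the extraction step through with the slide's own symbols (a worked derivation added here, not part of the original slides; it assumes $\beta_i \not\equiv 0 \pmod q$, which $M$ can enforce when it picks the exponents $\beta$):

$$
\begin{aligned}
s_i &= \mathrm{DLog}\big(A_i^{\beta_i} X_i^{c_i}\big) = \beta_i a_i + c_i x_i \pmod q, \\
x_i &= \mathrm{DLog}(X_i) = \gamma_i + a_0 \gamma'_i \pmod q \quad \text{(from Extract and } a_0 = \mathrm{DLog}(A_0)\text{)}, \\
a_i &= \beta_i^{-1}\big(s_i - c_i\,(\gamma_i + a_0 \gamma'_i)\big) \pmod q .
\end{aligned}
$$

$M$ thus spends exactly one $\mathrm{DLog}(\cdot)$ call per simulation, $n$ calls in total, and outputs the $n+1$ logarithms $a_0, a_1, \dots, a_n$: an OMDL solution, provided each call was spent on a distinct $A_i$ (the next slide is about what happens when it is not).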

Slide 17/28. Meta-Reductions: A bad event which makes the meta-reduction fail
- two simulations may share some common history (under control of $R$!), as in the Forking Lemma
- $M$ fails if it forges two signatures for the same commitment, because it will make a useless call to $\mathrm{DLog}(\cdot)$ (both calls are spent on the same $A_i$, so one of the $n$ oracle calls yields no new discrete log) $\rightarrow$ event Bad happens
- NB: this is exactly the event which makes the reduction succeed in the Forking Lemma
- unless $\Pr[\mathrm{Bad}] \simeq 1$, we get a contradiction, since otherwise $M$ is an efficient and successful algorithm for the OMDL problem
- picture: executions $i$ and $i+1$ share the queries $A_i^{\beta_1}, A_i^{\beta_2}, A_i^{\beta_3}, \dots, A_i^{\beta_{\ell_i}}$ and the answers $c_1, c_2, \dots$ up to the forgery point $\ell_i$ of execution $i$ (input $(m_i, X_i, \omega_i)$); execution $i+1$ then continues with $A_{i+1}^{\beta_{\ell_i+1}}, A_{i+1}^{\beta_{\ell_i+2}}, \dots, A_{i+1}^{\beta_{q_h}}$, and Bad happens if it forges on the shared commitment $A_i^{\beta_{\ell_i}}$

51. Meta-Reductions: Simulation of the forger, choice of the forgery index (slide 18 / 28)
- how should the meta-reduction choose the forgery index ℓ_i for the i-th execution?
- cannot choose ℓ_1 = 1, ℓ_2 = 2, etc. (the reduction would "notice" that a simulation is ongoing)
- natural choice: draw ℓ_i uniformly at random in [1..q_h], independently for each execution i = 1, ..., n; this is what was done in previous work [PV05, GBL08]
- straightforward analysis [PV05]: Pr[Bad] ≃ n^2 / q_h ⇒ n ≃ q_h^{1/2} for Pr[Bad] ≃ 1
- more careful analysis [GBL08]: Pr[Bad] ≃ n^{3/2} / q_h ⇒ n ≃ q_h^{2/3} for Pr[Bad] ≃ 1

57. Main Result: Outline (slide 19 / 28)
1. Schnorr Signatures and The Forking Lemma
2. Meta-Reductions
3. Main Result

58. Main Result: Main theorem (slide 20 / 28)
Theorem. Any algebraic reduction from the DL problem to forging Schnorr signatures must lose a factor q_h in its time-to-success ratio, assuming the OMDL problem is hard.
- for strictly bounded adversaries: factor f(ε_F) q_h, with f(ε_F) close to 1 as long as ε_F < 0.9
- for adversaries with bounded expected time and expected number of queries: factor q_h, independently of ε_F
- proof: a new meta-reduction (crucial modification = the choice of the forgery index ℓ for the simulated forger)

62. Main Result: A thought experiment (slide 21 / 28)
- consider the following hypothetical forger F: the group G is partitioned into two sets,
  - Γ_good, of size µ|G|: F can compute discrete logs efficiently for this set
  - Γ_bad, of size (1 − µ)|G|: F cannot compute discrete logs for this set
- to forge a signature for m, F makes arbitrary RO queries H(m, A_i) = c_i and returns a forgery for the first query such that A_i X^{c_i} ∈ Γ_good (or fails to forge if there is no such query); a valid forgery (s, c_i) needs G^s X^{−c_i} = A_i, i.e. s = log(A_i X^{c_i}), which is exactly the discrete log F can compute when A_i X^{c_i} ∈ Γ_good
- success probability of F if it makes q_h RO queries: for each RO query, A_i X^{c_i} is uniformly random in G ⇒ A_i X^{c_i} ∈ Γ_good with probability µ; hence ε_F = 1 − (1 − µ)^{q_h}
- we will call such an F a µ-good forger

71. Main Result: The new meta-reduction (slide 22 / 28)
- we define a meta-reduction M which simulates a µ-good forger
- M builds Γ_good and Γ_bad dynamically and randomly during the simulation, as follows: for each RO query R.H(m, A) = c, define Z = A X^c; if Z ∉ Γ_good ∪ Γ_bad, draw a random coin δ_Z with Pr[δ_Z = 1] = µ and Pr[δ_Z = 0] = 1 − µ, and add Z to Γ_good if δ_Z = 1 or to Γ_bad if δ_Z = 0
- discrete logs of elements of Γ_good are obtained thanks to the discrete log oracle of M
- the forgery index ℓ_i is distributed according to a (truncated) geometric distribution of parameter µ

77. Main Result: M "almost always" simulates a µ-good forger (slide 23 / 28)
- the size of Γ_good defined by M follows a binomial distribution of parameters (|G|, µ) ⇒ by a Chernoff bound, |Γ_good| ≃ µ|G| with overwhelming probability
- in that case, the success probability of the simulated forger satisfies ε_F = 1 − (1 − µ)^{q_h}
- by setting µ appropriately (namely µ = 1 − (1 − ε_F)^{1/q_h}), M can simulate a forger achieving the required success probability ε_F

80. Main Result: Probability of event Bad (slide 24 / 28)
- event Bad happens only if some execution forks from a previous one at the forgery point β_{ℓ_i}, and the new answer c′ is such that Z′ = A_i X^{c′} is fresh and is put in Γ_good ⇒ probability less than µ for each execution
- probability of Bad: Pr[Bad] ≤ n µ ≤ n / (g(ε_F) q_h)
- hence to have Pr[Bad] ≃ 1 one must have n ≃ g(ε_F) q_h, and so ρ_R / ρ_F ≃ f(ε_F) q_h
[Figure: the same execution tree as on slide 17: the i-th execution on input (m_i, X_i, ω_i) with queries A_i^{β_1}, ..., A_i^{β_{ℓ_i}}, ..., A_i^{β_{q_h}} and answers c_1, ..., c_{ℓ_i}; the (i+1)-th execution forks from it at the forgery point β_{ℓ_i} and continues with A_{i+1}^{β_{ℓ_i+1}}, ..., A_{i+1}^{β_{q_h}}.]
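
The two mechanisms above, as an added illustration (this is not code from the paper or the slides): a toy Schnorr instance in which (a) two forgeries on the same commitment with different challenges yield x, the relation the Forking Lemma exploits and the reason a second DLog call by M in that situation is wasted (slide 17), and (b) the µ-good forger of slides 21 and 22, with Γ_good built by memoised coin flips, run many times to check ε_F = 1 − (1 − µ)^{q_h} and that a fork at the forgery point triggers Bad with probability about µ (slide 24). The group (p = 2039, q = 1019, G = 4), the SHA-256-to-Z_q random-oracle stand-in, the sample message and the name GoodBadSets are constructed here; a lookup table of the whole toy subgroup stands in for M's DLog oracle.

```python
"""Toy Schnorr instance for two ideas from these slides, added here as an
illustration (not the paper's own code): the Bad event of the meta-reduction,
i.e. two forgeries on one commitment (also the Forking Lemma's success event),
and the mu-good forger simulated with a lazily built Gamma_good."""
import hashlib
import random

# Constructed toy parameters: p = 2q + 1 is a safe prime and G = 4 generates the
# order-q subgroup of Z_p^*.  Far too small for real use; the lookup table
# below stands in for the DLog oracle of the meta-reduction M.
P, Q, G = 2039, 1019, 4
DLOG = {pow(G, z, P): z for z in range(Q)}


def H(m: bytes, A: int) -> int:
    """Random-oracle stand-in for H(m, A), reduced mod q."""
    digest = hashlib.sha256(m + A.to_bytes(2, "big")).digest()
    return int.from_bytes(digest, "big") % Q


def keygen(rng):
    x = rng.randrange(1, Q)              # secret key x in Z_q \ {0}
    return x, pow(G, x, P)               # public key X = G^x


def verify(X, m, sig):
    s, c = sig
    A = pow(G, s, P) * pow(X, -c, P) % P  # A = G^s X^{-c}
    return H(m, A) == c


def extract_key(sig1, sig2):
    """Forking-lemma extraction: answers (s, c), (s', c') for the SAME
    commitment A with c != c' satisfy s - s' = (c - c') x mod q."""
    (s1, c1), (s2, c2) = sig1, sig2
    if c1 == c2:
        raise ValueError("same challenge: nothing to extract")
    return (s1 - s2) * pow((c1 - c2) % Q, -1, Q) % Q


def forking_check(seed):
    """Sign twice with one commitment a and two challenges; return (x, x')."""
    rng = random.Random(seed)
    x, X = keygen(rng)
    a, c1 = rng.randrange(Q), rng.randrange(Q)
    c2 = (c1 + rng.randrange(1, Q)) % Q
    return x, extract_key(((a + c1 * x) % Q, c1), ((a + c2 * x) % Q, c2))


class GoodBadSets:
    """Gamma_good / Gamma_bad built dynamically (slide 22): the first time a
    group element Z is seen it goes to Gamma_good with probability mu."""
    def __init__(self, mu, rng):
        self.mu, self.rng, self.verdict = mu, rng, {}

    def is_good(self, Z):
        if Z not in self.verdict:
            self.verdict[Z] = self.rng.random() < self.mu
        return self.verdict[Z]


def mu_for(eps, qh):
    """Invert eps_F = 1 - (1 - mu)^qh (slide 23); note mu <= -ln(1 - eps)/qh."""
    return 1 - (1 - eps) ** (1 / qh)


def mu_good_forge(X, m, qh, sets, rng):
    """Thought-experiment forger (slide 21): query H(m, A_i) = c_i and forge
    at the first i with Z_i = A_i X^{c_i} in Gamma_good, using s = log(Z_i)."""
    for i in range(1, qh + 1):
        A = pow(G, rng.randrange(Q), P)
        c = H(m, A)
        Z = A * pow(X, c, P) % P
        if sets.is_good(Z):
            return i, A, (DLOG[Z], c)    # G^s = A X^c, so (s, c) verifies
    return None, None, None


def fork_once(x, X, m, qh, mu, rng):
    """One execution, then a fork at the forgery point: commitment A_ell is
    re-answered with c' != c.  Bad (slide 24) iff Z' = A_ell X^{c'} is fresh
    and lands in Gamma_good; the two forgeries then share A_ell and leak x,
    so M's second DLog query was wasted.  Returns None if no forgery."""
    sets = GoodBadSets(mu, rng)
    ell, A, sig = mu_good_forge(X, m, qh, sets, rng)
    if ell is None:
        return None
    assert verify(X, m, sig)
    c2 = (sig[1] + rng.randrange(1, Q)) % Q   # the forked RO answer
    Z2 = A * pow(X, c2, P) % P
    if not sets.is_good(Z2):
        return False
    assert extract_key(sig, (DLOG[Z2], c2)) == x
    return True


def experiment(eps_target, qh, trials, seed=1):
    """Success rate of the simulated forger and Bad rate among forging runs,
    to compare with eps_F and mu.  Each trial uses fresh coins."""
    rng = random.Random(seed)
    mu = mu_for(eps_target, qh)
    x, X = keygen(rng)
    forged = bad = 0
    for _ in range(trials):
        r = fork_once(x, X, b"constructed sample message", qh, mu, rng)
        if r is not None:
            forged += 1
            bad += r
    return {"mu": mu, "success_rate": forged / trials,
            "bad_rate": bad / forged if forged else 0.0}
```

Running `experiment(0.65, 10, 2000)` gives µ ≈ 0.0997 and a success rate near 0.65 with a Bad rate near µ, matching the closed forms. One caveat: in M a single Γ_good persists across all n executions, and the Chernoff step of slide 23 needs |G| to be large; in a 1019-element toy group the realised fraction |Γ_good|/|G| would visibly deviate from µ, so this experiment draws fresh coins per execution and measures the per-execution probability instead. The second forgery produced in `fork_once` does not verify under the real H, as expected: it is the answer of a rewound oracle, which is precisely what the reduction controls.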
