on the multi user security of short schnorr signatures
play

On the Multi-User Security of Short Schnorr Signatures Jeremiah - PowerPoint PPT Presentation

On the Multi-User Security of Short Schnorr Signatures Jeremiah Blocki and Seunghoon Lee Department of Computer Science, Purdue University October 10, 2019 Jeremiah Blocki and Seunghoon Lee On the Multi-User Security of Short Schnorr Signatures


  1. On the Multi-User Security of Short Schnorr Signatures Jeremiah Blocki and Seunghoon Lee Department of Computer Science, Purdue University October 10, 2019 Jeremiah Blocki and Seunghoon Lee On the Multi-User Security of Short Schnorr Signatures 1/33 1 / 33

  2. Contents Introduction The (Short) Schnorr Signature Scheme Our Result Technical Ingredients The Generic Group Model The Known/Partially Known Set in the Global List Restricted Discrete-Log Oracle in the GGM Multi-User Security of Short Schnorr Signatures Security Games Security Reduction Jeremiah Blocki and Seunghoon Lee On the Multi-User Security of Short Schnorr Signatures 2/33 2 / 33

  3. We are now at... Introduction The (Short) Schnorr Signature Scheme Our Result Technical Ingredients The Generic Group Model The Known/Partially Known Set in the Global List Restricted Discrete-Log Oracle in the GGM Multi-User Security of Short Schnorr Signatures Security Games Security Reduction Jeremiah Blocki and Seunghoon Lee On the Multi-User Security of Short Schnorr Signatures 3/33 3 / 33

  4. Motivation: Digital Signatures Jeremiah Blocki and Seunghoon Lee On the Multi-User Security of Short Schnorr Signatures 4/33 Software update m σ = Sign ( sk, m ) pk ( m, σ ) , pk Vfy ( pk, m, σ ) = 1 sk ( m ′ , σ ′ ) , pk Vfy ( pk, m ′ , σ ′ ) = 0 pk sk 4 / 33

  5. Motivation: Digital Signatures Jeremiah Blocki and Seunghoon Lee On the Multi-User Security of Short Schnorr Signatures 4/33 Software update m σ = Sign ( sk, m ) pk ( m, σ ) , pk Vfy ( pk, m, σ ) = 1 sk ( m ′ , σ ′ ) , pk Vfy ( pk, m ′ , σ ′ ) = 0 pk sk 4 / 33

  6. Motivation: Digital Signatures Jeremiah Blocki and Seunghoon Lee On the Multi-User Security of Short Schnorr Signatures 4/33 Software update m σ = Sign ( sk, m ) pk ( m, σ ) , pk Vfy ( pk, m, σ ) = 1 sk ( m ′ , σ ′ ) , pk Vfy ( pk, m ′ , σ ′ ) = 0 pk sk 4 / 33

  7. Motivation: Digital Signatures Jeremiah Blocki and Seunghoon Lee On the Multi-User Security of Short Schnorr Signatures 4/33 Software update m σ = Sign ( sk, m ) pk ( m, σ ) , pk Vfy ( pk, m, σ ) = 1 sk ( m ′ , σ ′ ) , pk Vfy ( pk, m ′ , σ ′ ) = 0 pk sk 4 / 33

  8. Motivation: Digital Signatures Jeremiah Blocki and Seunghoon Lee On the Multi-User Security of Short Schnorr Signatures 4/33 Software update m σ = Sign ( sk, m ) pk ( m, σ ) , pk Vfy ( pk, m, σ ) = 1 sk ( m ′ , σ ′ ) , pk Vfy ( pk, m ′ , σ ′ ) = 0 pk sk 4 / 33

  9. Motivation: Digital Signatures Jeremiah Blocki and Seunghoon Lee On the Multi-User Security of Short Schnorr Signatures 4/33 Software update m σ = Sign ( sk, m ) pk ( m, σ ) , pk Vfy ( pk, m, σ ) = 1 sk ( m ′ , σ ′ ) , pk Vfy ( pk, m ′ , σ ′ ) = 0 pk sk 4 / 33

  10. Motivation: Digital Signatures Jeremiah Blocki and Seunghoon Lee On the Multi-User Security of Short Schnorr Signatures 4/33 Software update m σ = Sign ( sk, m ) pk ( m, σ ) , pk Vfy ( pk, m, σ ) = 1 sk ( m ′ , σ ′ ) , pk Vfy ( pk, m ′ , σ ′ ) = 0 pk sk 4 / 33

  11. Motivation: Digital Signatures Jeremiah Blocki and Seunghoon Lee On the Multi-User Security of Short Schnorr Signatures 4/33 Software update m σ = Sign ( sk, m ) pk ( m, σ ) , pk Vfy ( pk, m, σ ) = 1 sk ( m ′ , σ ′ ) , pk Vfy ( pk, m ′ , σ ′ ) = 0 pk sk 4 / 33

  12. Motivation: Digital Signatures Jeremiah Blocki and Seunghoon Lee On the Multi-User Security of Short Schnorr Signatures 4/33 Software update m σ = Sign ( sk, m ) pk ( m, σ ) , pk Vfy ( pk, m, σ ) = 1 sk ( m ′ , σ ′ ) , pk Vfy ( pk, m ′ , σ ′ ) = 0 pk sk 4 / 33

  13. Motivation: Digital Signatures Jeremiah Blocki and Seunghoon Lee On the Multi-User Security of Short Schnorr Signatures 4/33 Software update m σ = Sign ( sk, m ) pk ( m, σ ) , pk Vfy ( pk, m, σ ) = 1 sk ( m ′ , σ ′ ) , pk Vfy ( pk, m ′ , σ ′ ) = 0 pk sk 4 / 33

  14. Motivation: Digital Signatures Jeremiah Blocki and Seunghoon Lee On the Multi-User Security of Short Schnorr Signatures 4/33 Software update m σ = Sign ( sk, m ) pk ( m, σ ) , pk Vfy ( pk, m, σ ) = 1 sk ( m ′ , σ ′ ) , pk Vfy ( pk, m ′ , σ ′ ) = 0 pk sk 4 / 33

  15. Motivation: Digital Signatures Jeremiah Blocki and Seunghoon Lee On the Multi-User Security of Short Schnorr Signatures 4/33 Software update m σ = Sign ( sk, m ) pk ( m, σ ) , pk Vfy ( pk, m, σ ) = 1 sk ( m ′ , σ ′ ) , pk Vfy ( pk, m ′ , σ ′ ) = 0 pk sk 4 / 33

  16. Motivation: Digital Signatures Jeremiah Blocki and Seunghoon Lee On the Multi-User Security of Short Schnorr Signatures 4/33 Software update m σ = Sign ( sk, m ) pk ( m, σ ) , pk Vfy ( pk, m, σ ) = 1 sk ( m ′ , σ ′ ) , pk Vfy ( pk, m ′ , σ ′ ) = 0 pk sk 4 / 33

  17. The Schnorr Signature Scheme the hash output On the Multi-User Security of Short Schnorr Signatures 5/33 3 : Jeremiah Blocki and Seunghoon Lee • An efficient signature scheme based on discrete logarithms. • Consider a 2 k -bit prime q , i.e., q ≈ 2 2 k . Kg (1 k ) Sign ( sk, m ) Vfy ( pk, m, σ ) 1 : R ← g s · pk − e 1 : r ← Z q ; I ← g r 1 : sk ← Z q 2 : pk ← g sk 2 : e ← H ( I || m ) 2 : if H ( R || m ) = e then 3 : return ( pk, sk ) 3 : s ← r + sk · e mod q return 1 4 : return σ = ( s, e ) 4 : else return 0 • The verification works for a correct signature σ = ( s, e ) because R = g s · pk − e = g s − sk · e = g r = I. • The length of the signature: 2 k + 2 k = 4 k . ���� ���� the length of s 5 / 33

  18. The “Short” Schnorr Signatures truncating the hash output by half On the Multi-User Security of Short Schnorr Signatures 6/33 3 : Jeremiah Blocki and Seunghoon Lee Kg (1 k ) Sign ( sk, m ) Vfy ( pk, m, σ ) 1 : R ← g s · pk − e 1 : r ← Z q ; I ← g r 1 : sk ← Z q 2 : pk ← g sk 2 : e ← H ( I || m ) 2 : if H ( R || m ) = e then 3 : return ( pk, sk ) 3 : s ← r + sk · e mod q return 1 4 : return σ = ( s, e ) 4 : else return 0 σ = s e = H ( I || m ) 2 k bits 2 k bits ↓ σ = s e 2 k bits k bits 6 / 33

  19. Signature Length Comparison 384 7/33 On the Multi-User Security of Short Schnorr Signatures Jeremiah Blocki and Seunghoon Lee 1 Signature lengths and security level are provided in bits Completely impractical 128 128 iO Computationally expensive 128 256 BLS Our result 128? Short Schnorr Definition 128 512 Schnorr NIST recommendation 128 3072 RSA-FDH Notes Security Level Signature Length 1 Signatures A signature scheme Π = ( Kg , Sign , Vfy ) yields k -bits of security if any attacker running in time at most t can forge a signature with probability at most ε t = t/ 2 k and this should hold for all t ≤ 2 k . 7 / 33

  20. Multi-User Security Definition Jeremiah Blocki and Seunghoon Lee Definition 8/33 On the Multi-User Security of Short Schnorr Signatures • We consider the multi-user security in the “1-out-of- N ” setting • The probability that the attacker can forge any one of N signatures is negligible • We define the 1-out-of- N signature forgery game SigForge N A , Π ( k ) as follows: 1. Gen (1 k ) is run N times to obtain keys ( pk i , sk i ) , 1 ≤ i ≤ N . 2. Adversary A is given pk 1 , · · · , pk N and access to oracles Sign ( sk j , · ) , 1 ≤ j ≤ N . The adversary then outputs ( m, σ ) . Let Q j denote the set of all queries that A asked to oracle Sign ( sk j , · ) . 3. A succeeds if and only if there exists some j such that (1) Vfy ( pk j , m, σ ) = 1 and (2) m ̸∈ Q j . In this case the output of the experiment is defined to be 1 . We say that a signature scheme Π = ( Kg , Sign , Vfy ) is ( t, N, ϵ ) -MU-UF-CMA secure (multi-user unforgeable against chosen message attack) if for every adversary A running in time at most t , the following bound holds: [ ] SigForge N Pr A , Π ( k ) = 1 ≤ ϵ. 8 / 33

  21. Security Proofs of the Schnorr Signatures Single-User Security 9/33 On the Multi-User Security of Short Schnorr Signatures Jeremiah Blocki and Seunghoon Lee [Ber15] - “Key-Prefixed” Schnorr signatures Signatures “Short” Schnorr seems to be unavoidable Signatures Original Schnorr Multi-User Security • [PS96] – in the ROM • [GMLS02] – flawed • [NPSW09] – in the GGM • [KMP16] – in the ROM + GGM • [Seu12, FJS14] – loss of factor q RO • [SJ00] – in the ROM + GGM • Our result! • [NPSW09] – non-tight reduction 9 / 33

  22. Security Proofs of the Schnorr Signatures Single-User Security 9/33 On the Multi-User Security of Short Schnorr Signatures Jeremiah Blocki and Seunghoon Lee [Ber15] - “Key-Prefixed” Schnorr signatures Signatures “Short” Schnorr seems to be unavoidable Signatures Original Schnorr Multi-User Security • [PS96] – in the ROM • [GMLS02] – flawed • [NPSW09] – in the GGM • [KMP16] – in the ROM + GGM • [Seu12, FJS14] – loss of factor q RO • [SJ00] – in the ROM + GGM • Our result! • [NPSW09] – non-tight reduction 9 / 33

  23. We are now at... Introduction The (Short) Schnorr Signature Scheme Our Result Technical Ingredients The Generic Group Model The Known/Partially Known Set in the Global List Restricted Discrete-Log Oracle in the GGM Multi-User Security of Short Schnorr Signatures Security Games Security Reduction Jeremiah Blocki and Seunghoon Lee On the Multi-User Security of Short Schnorr Signatures 10/33 10 / 33

Recommend


More recommend