SLIDE 1

On the Multi-User Security of Short Schnorr Signatures

Jeremiah Blocki and Seunghoon Lee

Department of Computer Science, Purdue University

October 10, 2019

SLIDE 2

Contents

  • Introduction
      • The (Short) Schnorr Signature Scheme
      • Our Result
  • Technical Ingredients
      • The Generic Group Model
      • The Known/Partially Known Set in the Global List
      • Restricted Discrete-Log Oracle in the GGM
  • Multi-User Security of Short Schnorr Signatures
      • Security Games
      • Security Reduction

SLIDE 4

Motivation: Digital Signatures

[Figure: a software update m is signed with sk as σ = Sign(sk, m). A verifier holding pk accepts (m, σ), since Vfy(pk, m, σ) = 1, and rejects a different pair (m′, σ′), since Vfy(pk, m′, σ′) = 0.]

SLIDE 17

The Schnorr Signature Scheme

  • An efficient signature scheme based on discrete logarithms.
  • Consider a 2k-bit prime q, i.e., $q \approx 2^{2k}$.

Kg($1^k$):
  1: $sk \leftarrow \mathbb{Z}_q$
  2: $pk \leftarrow g^{sk}$
  3: return $(pk, sk)$

Sign($sk$, $m$):
  1: $r \leftarrow \mathbb{Z}_q$; $I \leftarrow g^r$
  2: $e \leftarrow H(I \| m)$
  3: $s \leftarrow r + sk \cdot e \bmod q$
  4: return $\sigma = (s, e)$

Vfy($pk$, $m$, $\sigma$):
  1: $R \leftarrow g^s \cdot pk^{-e}$
  2: if $H(R \| m) = e$ then
  3:   return 1
  4: else return 0

  • The verification works for a correct signature $\sigma = (s, e)$ because

$R = g^s \cdot pk^{-e} = g^{s - sk \cdot e} = g^r = I.$

  • The length of the signature: $2k$ (the length of $s$) $+\ 2k$ (the hash output) $= 4k$.

SLIDE 18

The “Short” Schnorr Signatures

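Schnorr: $\sigma = (s, e)$ with $e = H(I \| m)$; $s$ takes $2k$ bits and $e$ takes $2k$ bits.

↓ truncating the hash output by half

Short Schnorr: $\sigma = (s, e)$; $s$ takes $2k$ bits and $e$ takes $k$ bits.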

SLIDE 19

Signature Length Comparison

Definition

A signature scheme Π = (Kg, Sign, Vfy) yields k-bits of security if any attacker running in time at most $t$ can forge a signature with probability at most $\varepsilon_t = t/2^k$ and this should hold for all $t \le 2^k$.

Signatures      Signature Length [1]   Security Level   Notes
RSA-FDH         3072                   128              NIST recommendation
Schnorr         512                    128
Short Schnorr   384                    128?             Our result
BLS             256                    128              Computationally expensive
iO              128                    128              Completely impractical

[1] Signature lengths and security level are provided in bits.

SLIDE 20

Multi-User Security Definition

  • We consider the multi-user security in the “1-out-of-N” setting
  • The probability that the attacker can forge any one of N signatures is negligible
  • We define the 1-out-of-N signature forgery game $\mathrm{SigForge}^N_{A,\Pi}(k)$ as follows:
      1. $\mathrm{Gen}(1^k)$ is run $N$ times to obtain keys $(pk_i, sk_i)$, $1 \le i \le N$.
      2. Adversary $A$ is given $pk_1, \dots, pk_N$ and access to oracles $\mathrm{Sign}(sk_j, \cdot)$, $1 \le j \le N$. The adversary then outputs $(m, \sigma)$. Let $Q_j$ denote the set of all queries that $A$ asked to oracle $\mathrm{Sign}(sk_j, \cdot)$.
      3. $A$ succeeds if and only if there exists some $j$ such that (1) $\mathrm{Vfy}(pk_j, m, \sigma) = 1$ and (2) $m \notin Q_j$. In this case the output of the experiment is defined to be 1.

Definition

We say that a signature scheme Π = (Kg, Sign, Vfy) is $(t, N, \epsilon)$-MU-UF-CMA secure (multi-user unforgeable against chosen message attack) if for every adversary $A$ running in time at most $t$, the following bound holds:

$\Pr[\mathrm{SigForge}^N_{A,\Pi}(k) = 1] \le \epsilon.$
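Added example (not part of the original slides or the authors' code): the Kg/Sign/Vfy pseudocode from the Schnorr slides and the 1-out-of-N win condition defined above, run over a toy subgroup of Z_p^*. The parameter search, SHA-256 as H, k = 32 and the helper names (make_group, forgery_wins, demo) are assumptions of this sketch; the group is far too small for real use.

```python
# Added example, not code from the slides: Schnorr and "short" Schnorr
# signatures over a toy subgroup of Z_p^*, plus the 1-out-of-N win condition.
import hashlib
import secrets

K = 32  # toy security parameter k (assumption); q gets 2k = 64 bits

def is_prime(n):
    """Miller-Rabin; this base set is deterministic for n < 3.3e24."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(k):
    """Return (p, q, g): q a 2k-bit prime, p = 2jq + 1 prime, g of order q."""
    q = 2 ** (2 * k - 1) + 1
    while not is_prime(q):
        q += 2
    j = 1
    while not is_prime(2 * j * q + 1):
        j += 1
    p = 2 * j * q + 1
    h = 2
    while pow(h, (p - 1) // q, p) == 1:
        h += 1
    return p, q, pow(h, (p - 1) // q, p)

P, Q, G = make_group(K)

def H(I, m, bits):
    """SHA-256 of I||m, truncated to its leading `bits` bits."""
    data = I.to_bytes((P.bit_length() + 7) // 8, "big") + m
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)

def keygen():
    sk = secrets.randbelow(Q)          # sk <- Z_q
    return pow(G, sk, P), sk           # pk = g^sk

def sign(sk, m, e_bits=K):
    """e_bits = 2k: Schnorr (4k-bit sigma); e_bits = k: short Schnorr (3k-bit)."""
    r = secrets.randbelow(Q)
    e = H(pow(G, r, P), m, e_bits)     # e = H(I||m) with I = g^r
    return (r + sk * e) % Q, e         # sigma = (s, e)

def verify(pk, m, sig, e_bits=K):
    s, e = sig
    if not (0 < pk < P and pow(pk, Q, P) == 1):     # pk must lie in <g>
        return False
    if not (0 <= s < Q and 0 <= e < 2 ** e_bits):   # reject out-of-range values
        return False
    R = pow(G, s, P) * pow(pk, (-e) % Q, P) % P     # R = g^s * pk^(-e)
    return H(R, m, e_bits) == e

def forgery_wins(pks, queries, m, sig, e_bits=K):
    """Win condition: some j with Vfy(pk_j, m, sig) = 1 and m not in Q_j."""
    return any(verify(pk, m, sig, e_bits) and m not in queries[j]
               for j, pk in enumerate(pks))

def demo(n_users=4):
    keys = [keygen() for _ in range(n_users)]
    pks = [pk for pk, _ in keys]
    queries = [set() for _ in keys]    # Q_j: messages sent to Sign(sk_j, .)
    m = b"software update"             # constructed sample message
    queries[1].add(m)
    sig = sign(keys[1][1], m)          # signing-oracle answer for user j = 1
    return {
        "accepts_signer": verify(pks[1], m, sig),
        "accepts_other_user": verify(pks[0], m, sig),
        "replay_wins": forgery_wins(pks, queries, m, sig),
        "tampered_wins": forgery_wins(pks, queries, m + b"!", sig),
    }
```

Replaying an oracle answer never counts as a win because m is in Q_j; only a valid pair on a message the targeted user never signed does.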

SLIDE 21

Security Proofs of the Schnorr Signatures

Original Schnorr Signatures
  Single-User Security:
    • [PS96] – in the ROM
    • [NPSW09] – in the GGM
    • [Seu12, FJS14] – loss of factor $q_{RO}$ seems to be unavoidable
  Multi-User Security:
    • [GMLS02] – flawed
    • [KMP16] – in the ROM + GGM

“Short” Schnorr Signatures
  Single-User Security:
    • [SJ00] – in the ROM + GGM
    • [NPSW09] – non-tight reduction
  Multi-User Security:
    • Our result!

[Ber15] – “Key-Prefixed” Schnorr signatures

SLIDE 24

Our Result

We show that the “short” Schnorr signature scheme provides k-bits of security in both the single and multi-user versions of the signature forgery game.

Theorem (informal)

Any attacker running in time $t$ against the short Schnorr signature scheme

  • 1. wins the signature forgery game (UF-CMA) with probability at most $O(t/2^k)$, and
  • 2. wins the multi-user signature forgery game (MU-UF-CMA) with probability at most $O((t + N)/2^k)$ (where $N$ denotes the number of distinct users/public keys)

in the generic group model (of order $q \approx 2^{2k}$) plus random oracle model.

Why is this important? We don’t lose a factor of $N$ in the security reduction!

Example

Suppose that $q \approx 2^{224}$ (i.e., $k = 112$), $N = 2^{32}$, and $t = 2^{80}$.

  • Naïve approach: $\epsilon_{MU} \approx N \cdot t/2^k = 1$
  • Our result: $\epsilon_{MU} \approx (t + N)/2^k = 2^{-32}$

SLIDE 27

The Generic Group Model [Sho97]

$\tau : G \to \mathbb{G}$

  • $G$: (multiplicative) cyclic group of prime order $q \approx 2^{2k}$; $G = \langle g \rangle$
  • $\mathbb{G}$: set of bit strings of length $\ell = 2k$
  • no need to be a group homomorphism
  • an adversary has no access to the concrete representation of the group elements/map $\tau$

Generic Oracles (GO)

Initially, $\mathfrak{g} = \tau(g)$ is given. On inputs $a$, $b$:

  • Mult$(a, b) = \tau(\tau^{-1}(a) \cdot \tau^{-1}(b))$
  • Inv$(a) = \tau(\tau^{-1}(a)^{-1})$
  • Note. Pow$(a, k) = \tau(\tau^{-1}(a)^k)$

SLIDE 28

The Generic Group Model: Justification

  • For certain elliptic curve groups the best known attacks are all generic [JMV01, FST10].
  • Heuristic: experience suggests that protocols with security proofs in the GGM do not have inherent structural weaknesses and will be secure as long as we instantiate with a reasonable elliptic curve group.

  • Counterexamples are artificially crafted [Den02].

SLIDE 30

The Known/Partially Known Set in the Global List

We can keep track of group elements with (partially) known discrete-log solutions.

  • $(y, a, b) \in L \Leftrightarrow y = \tau(g^{a \cdot x + b})$

Global List $L$

  Known Set $K$:
    • $(\tau(g), 0, 1)$
    • $(\tau(g^2), 0, 2)$
    • $(\tau(g^{-1}), 0, -1)$
    • ...
  Partially Known Set $PK_x$:
    • $(\tau(h), 1, 0)$
    • $(\tau(g^{x+1}), 1, 1)$
    • $(\tau(g^{-x}), -1, 0)$
    • ...

Public parameters: $\tau(g)$, $\tau(h) = \tau(g^x)$

  • Mult$(\tau(g), \tau(g)) = \tau(g^2)$
  • Mult$(\tau(g), \tau(h)) = \tau(g^{x+1})$
  • Inv$(\tau(g)) = \tau(g^{-1})$
  • Inv$(\tau(h)) = \tau(g^{-x})$
  • Mult$(\tau(g^{x+1}), \tau(g^{-x})) = \tau(g)$
  • ...

Event “BRIDGE”: $(y, a, b), (y, a', b') \in L$ with $(a, b) \ne (a', b')$ $\Rightarrow$ $ax + b = a'x + b'$ $\therefore$ $x = (a - a')^{-1}(b' - b)$.

SLIDE 39

The Known/Partially Known Set in the Global List

We can extend this to the multi-user case.

  • Public parameters: $\tau(g)$, $(\tau(h_1), \dots, \tau(h_N)) = (\tau(g^{x_1}), \dots, \tau(g^{x_N}))$
  • Instead of scalar $a$, we will have an $N$-dimensional vector $\vec{a}$ such that the list $L$ contains a tuple $(y, \vec{a}, b)$ such that $y = \tau(g^{\vec{a} \cdot \vec{x} + b})$ where $\vec{x} = (x_1, \dots, x_N)$.
  • The known set $K^N$ contains tuples $(y, \vec{0}, b)$, and
  • The partially known set $PK^N_{\{x_i\}_{i=1}^N}$ contains tuples $(y, \vec{a} \ne \vec{0}, b)$.
  • The event “$\mathrm{BRIDGE}^N$” occurs if $(y, \vec{a}, b), (y, \vec{a}', b') \in L$ with $(\vec{a}, b) \ne (\vec{a}', b')$.

Claim

$\Pr[\mathrm{BRIDGE}^N] = O\left(\frac{(t + N)^2}{q}\right).$

  • But what if $y \notin L$, i.e., “fresh”?

SLIDE 41

Restricted Discrete-Log Oracle in the GGM

Consider the generic group model for a cyclic group $(G = \langle g \rangle, \cdot)$ of prime order $q$ with random injective encoding map $\tau : G \to \mathbb{G}$.

Public parameters: $g$, $(h_1, \dots, h_N) = (g^{x_1}, \dots, g^{x_N})$

  • Given: $\tau(g), \tau(h_1), \dots, \tau(h_N)$.
  • Pick $\mathfrak{y} = \tau(y)$ and query $\mathrm{DLog}_g(\mathfrak{y})$.
  • If $\mathfrak{y}$ is “fresh”, where $y = g^z$, the answer is $z = \mathrm{DLog}_g(y)$.
  • “Fresh” means $\tau(y) \ne \tau(g), \tau(h_1), \dots, \tau(h_N)$, and $\tau(y) \ne$ (output of prior GO query).

SLIDE 48

Restricted Discrete-Log Oracle in the GGM

Why restrict $\mathrm{DLog}_g(\cdot)$ to “fresh” queries?

  • Trivial attack: Pick random $r \in \mathbb{Z}_q$, compute $\tau(h_i g^r)$ using the Mult oracle and query $\mathrm{DLog}_g(\tau(h_i g^r))$.
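Added example (not part of the original slides or the authors' proof): a toy generic-group oracle that records every handle in the global list L as (y, a, b), flags BRIDGE and solves for x as on the slides, and refuses DLog_g on non-fresh handles such as τ(h·g^r). Lazy sampling of τ, resolving fresh inputs to Mult/Inv through the restricted oracle, and the parameters q = 251, ℓ = 8, x = 37 are assumptions of this sketch.

```python
# Added example, not code from the slides: a toy generic-group oracle that keeps
# the global list L, flags BRIDGE, and answers DLog_g only for fresh handles.
import secrets

class GenericGroup:
    def __init__(self, q, ell, xs):
        self.q, self.ell, self.n = q, ell, len(xs)
        self.enc, self.dec = {}, {}   # lazily sampled tau and tau^{-1}
        self.L = {}                   # y -> (a_vec, b), i.e. y = tau(g^(a.x + b))
        self.bridges = []             # (y, (a, b), (a', b')) with (a, b) != (a', b')
        self.g = self._record(1, (0,) * self.n, 1)
        self.h = [self._record(x, tuple(int(i == j) for j in range(self.n)), 0)
                  for i, x in enumerate(xs)]   # public keys tau(g^{x_i})

    def _record(self, z, a, b):
        """Encode g^z, store its (a, b) in L, and flag BRIDGE on a clash."""
        z %= self.q
        if z not in self.enc:
            y = secrets.randbits(self.ell)
            while y in self.dec:
                y = secrets.randbits(self.ell)
            self.enc[z], self.dec[y] = y, z
        y = self.enc[z]
        entry = (tuple(c % self.q for c in a), b % self.q)
        if self.L.setdefault(y, entry) != entry:
            self.bridges.append((y, self.L[y], entry))
        return y

    def is_fresh(self, y):
        """Fresh: not tau(g), not any tau(h_i), not the output of a prior query."""
        return y not in self.L

    def dlog(self, y):
        """Restricted DLog_g: refuse unless y is fresh; then y joins the known set."""
        if not 0 <= y < 2 ** self.ell:
            raise ValueError("not an ell-bit handle")
        if not self.is_fresh(y):
            raise PermissionError("DLog_g refused: handle is not fresh")
        z = secrets.randbelow(self.q)          # lazy sampling of tau^{-1}(y)
        while z in self.enc:
            z = secrets.randbelow(self.q)
        self.enc[z], self.dec[y] = y, z
        self.L[y] = ((0,) * self.n, z)
        return z

    def _open(self, y):
        if self.is_fresh(y):                   # assumption of this sketch: fresh inputs
            self.dlog(y)                       # are resolved via the restricted oracle
        return self.dec[y], self.L[y]

    def mult(self, y1, y2):
        (z1, (a1, b1)), (z2, (a2, b2)) = self._open(y1), self._open(y2)
        return self._record(z1 + z2, tuple(u + v for u, v in zip(a1, a2)), b1 + b2)

    def inv(self, y):
        z, (a, b) = self._open(y)
        return self._record(-z, tuple(-u for u in a), -b)

    def pow(self, y, n):
        """Pow(y, n) for 1 <= n < q, built from Mult by square-and-multiply."""
        acc = None
        while n:
            if n & 1:
                acc = y if acc is None else self.mult(acc, y)
            n >>= 1
            if n:
                y = self.mult(y, y)
        return acc

def solve_bridge(bridge, q):
    """Single-user case: a*x + b = a'*x + b'  =>  x = (a - a')^{-1} (b' - b) mod q."""
    _, ((a,), b), ((a2,), b2) = bridge
    return (b2 - b) * pow((a - a2) % q, -1, q) % q

def demo(q=251, ell=8, x=37):                     # constructed toy parameters
    gg = GenericGroup(q, ell, [x])
    blinded = gg.mult(gg.h[0], gg.pow(gg.g, 5))   # tau(h * g^r) with r = 5
    refused = not gg.is_fresh(blinded)            # so DLog_g(blinded) is refused
    y = gg.pow(gg.g, x)                           # known-set walk that lands on tau(h)
    return refused, y == gg.h[0], solve_bridge(gg.bridges[0], q)
```

With q = 251 the walk over the known set reaches τ(h) after a handful of Mult queries; the claimed O((t + N)²/q) bound is what makes the same collision unlikely when q ≈ 2^{2k}.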

SLIDE 50

The 1-out-of-N Generic Signature Forgery Game

  • Multi-user security in the “1-out-of-N” setting
  • The probability that the attacker can forge any one of N signatures is negligible

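The 1-out-of-N Generic Signature Forgery Game $\mathrm{SigForge}^{GO,N}_{A,\Pi}(k)$:

Consider $G = \langle g \rangle$ of prime order $q \approx 2^{2k}$ and $\tau : G \to \mathbb{G}$.

  • Run $\mathrm{Kg}(1^k)$ $N$ times: $sk_i \xleftarrow{\$} \mathbb{Z}_q$, $pk_i = \tau(g^{sk_i})$, $1 \le i \le N$.
  • The adversary is given $\tau(g), pk_1, \dots, pk_N, q$.
  • Repeat multiple times: on inputs $a, b, y$, the adversary queries Mult$(a, b)$, Inv$(a)$, $H(y)$, and $\mathrm{DLog}_g(a)$ if “fresh”; on a message $m_i$, it queries $\mathrm{Sign}_j(m_i)$.
  • Output $(m, \sigma = (s, e))$.
  • Succeeds if $\exists j$ s.t. $\mathrm{Vfy}(pk_j, m, \sigma) = 1$ and $m$ was never submitted to $\mathrm{Sign}_j(\cdot)$. In this case $\mathrm{SigForge}^{GO,N}_{A,\Pi}(k) = 1$.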

Jeremiah Blocki and Seunghoon Lee On the Multi-User Security of Short Schnorr Signatures 22/33

22/33

slide-51
SLIDE 51

The 1-out-of-N Generic Signature Forgery Game

  • Multi-user security in the “1-out-of-N” setting
  • The probability that the attacker can forge any one of N signatures is negligible

The 1-out-of-N Generic Signature Forgery Game SigForgeGO,N

A,Π (k):

Consider G = ⟨g⟩ of prime order q ≈ 22k and τ : G → G. Signj(·)

Run Kg(1k) N times ski

$

← Zq, pki = τ(gski), 1 ≤ i ≤ N repeat multiple times Succeeds if ∃j s.t. Vfy(pkj, m, σ) = 1 and m was never submitted to Signj(·). SigForgeGO,N

A,Π (k) = 1

τ(g), pk1, · · · , pkN, q a, b, y Mult(a, b), Inv(a), H(y) DLogg(a) if “fresh” mi Signj(mi) Output (m, σ = (s, e))

Jeremiah Blocki and Seunghoon Lee On the Multi-User Security of Short Schnorr Signatures 22/33

22/33

slide-52
SLIDE 52

The 1-out-of-N Generic Signature Forgery Game

  • Multi-user security in the “1-out-of-N” setting
  • The probability that the attacker can forge any one of N signatures is negligible

The 1-out-of-N Generic Signature Forgery Game SigForgeGO,N

A,Π (k):

Consider G = ⟨g⟩ of prime order q ≈ 22k and τ : G → G. Signj(·)

Run Kg(1k) N times ski

$

← Zq, pki = τ(gski), 1 ≤ i ≤ N repeat multiple times Succeeds if ∃j s.t. Vfy(pkj, m, σ) = 1 and m was never submitted to Signj(·). SigForgeGO,N

A,Π (k) = 1

τ(g), pk1, · · · , pkN, q a, b, y Mult(a, b), Inv(a), H(y) DLogg(a) if “fresh” mi Signj(mi) Output (m, σ = (s, e))

Jeremiah Blocki and Seunghoon Lee On the Multi-User Security of Short Schnorr Signatures 22/33

22/33

slide-53
SLIDE 53

The 1-out-of-N Generic Signature Forgery Game

  • Multi-user security in the “1-out-of-N” setting
  • The probability that the attacker can forge any one of N signatures is negligible

The 1-out-of-N Generic Signature Forgery Game SigForgeGO,N

A,Π (k):

Consider G = ⟨g⟩ of prime order q ≈ 22k and τ : G → G. Signj(·)

Run Kg(1k) N times ski

$

← Zq, pki = τ(gski), 1 ≤ i ≤ N repeat multiple times Succeeds if ∃j s.t. Vfy(pkj, m, σ) = 1 and m was never submitted to Signj(·). SigForgeGO,N

A,Π (k) = 1

τ(g), pk1, · · · , pkN, q a, b, y Mult(a, b), Inv(a), H(y) DLogg(a) if “fresh” mi Signj(mi) Output (m, σ = (s, e))

Jeremiah Blocki and Seunghoon Lee On the Multi-User Security of Short Schnorr Signatures 22/33

22/33

slide-54
SLIDE 54

The 1-out-of-N Generic Signature Forgery Game

  • Multi-user security in the “1-out-of-N” setting
  • The probability that the attacker can forge any one of N signatures is negligible

The 1-out-of-N Generic Signature Forgery Game SigForgeGO,N

A,Π (k):

Consider G = ⟨g⟩ of prime order q ≈ 22k and τ : G → G. Signj(·)

Run Kg(1k) N times ski

$

← Zq, pki = τ(gski), 1 ≤ i ≤ N repeat multiple times Succeeds if ∃j s.t. Vfy(pkj, m, σ) = 1 and m was never submitted to Signj(·). SigForgeGO,N

A,Π (k) = 1

τ(g), pk1, · · · , pkN, q a, b, y Mult(a, b), Inv(a), H(y) DLogg(a) if “fresh” mi Signj(mi) Output (m, σ = (s, e))


slide-60
SLIDE 60

Multi-User Security Definition

Definition

We say that a signature scheme $\Pi = (\mathsf{Kg}, \mathsf{Sign}, \mathsf{Vfy})$ is $(t, N, q_{\mathrm{RO}}, q_{\mathrm{GO}}, q_{\mathrm{Sign}}, \epsilon)$-MU-UF-CMA secure (multi-user unforgeable against chosen message attack) if for every adversary $\mathcal{A}$ running in time at most $t$ and making at most $q_{\mathrm{RO}}$ (resp. $q_{\mathrm{GO}}$, $q_{\mathrm{Sign}}$) queries to the random oracle (resp. generic group, signature oracles), the following bound holds:

$$\Pr\left[\mathsf{SigForge}^{\mathsf{GO},N}_{\mathcal{A},\Pi}(k) = 1\right] \le \epsilon.$$


slide-61
SLIDE 61

The Multi-User Bridge Game

Recall

The event $\mathsf{BRIDGE}^N$ occurs if $L$ ever contains two distinct tuples $(y_1, \vec{a}_1, b_1)$ and $(y_2, \vec{a}_2, b_2)$ such that $y_1 = y_2$ but $(\vec{a}_1, b_1) \ne (\vec{a}_2, b_2)$.

  • As long as the event $\mathsf{BRIDGE}^N$ has not occurred we can (essentially) view $x_1, \ldots, x_N$ as uniformly random values that are yet to be selected.
  • More precisely, the values $x_1, \ldots, x_N$ are selected subject to a few constraints, e.g., if we know $f_1 = \tau(g^{\vec{a}_1 \cdot \vec{x} + b_1}) \ne f_2 = \tau(g^{\vec{a}_2 \cdot \vec{x} + b_2})$ then we have the constraint that $\vec{a}_1 \cdot \vec{x} + b_1 \ne \vec{a}_2 \cdot \vec{x} + b_2$.


slide-62
SLIDE 62

The Multi-User Bridge Game

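The 1-out-of-N Generic $\mathsf{BRIDGE}^N$-Finding Game $\mathsf{BridgeChal}^{\mathsf{GO},N}_{\mathcal{A}}(k)$:

Consider $G = \langle g \rangle$ of prime order $q \approx 2^{2k}$ and $\tau : G \to G$.

  • The challenger picks $x_1, \cdots, x_N \xleftarrow{\$} \mathbb{Z}_q$ and initializes $L = ((\tau(g), \vec{0}, 1), (\tau(g^{x_i}), \vec{e}_i, 0), 1 \le i \le N)$.
  • The challenger sends $\tau(g)$, $\tau(g^{x_i})$, $1 \le i \le N$, and $q$ to the attacker $\mathcal{A}$.
  • Repeat multiple times: $\mathcal{A}$ submits GO queries.
  • If $y$ is “fresh”, $\mathcal{A}$ may query $b_y = \mathsf{DLog}_g(y)$; add $(y, \vec{0}, b_y)$ to $L$.
  • If $y_1, y_2, y \in L$, $\mathcal{A}$ may query $\mathsf{Mult}(y_1, y_2)$ and $\mathsf{Inv}(y)$; add $(\mathsf{Mult}(y_1, y_2), \vec{a}_1 + \vec{a}_2, b_1 + b_2)$ and $(\mathsf{Inv}(y), -\vec{a}, -b)$ to $L$.
  • $\mathsf{BridgeChal}^{\mathsf{GO},N}_{\mathcal{A}}(k) = 1$ if $(y, \vec{a}_1, b_1), (y, \vec{a}_2, b_2) \in L$ with $(\vec{a}_1, b_1) \ne (\vec{a}_2, b_2)$.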
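The bookkeeping of this game can be run on a toy group. The Python below is an added example, not code from the talk or the paper: it keeps the global list $L$ of forms $\vec{a} \cdot \vec{x} + b$, flags the first bridge, and shows how a bridge yields one $x_i$. The names `BridgeGame`, `exhaustive_walk` and `solve_bridge`, the toy group orders, and the `xs` hook for fixing the secrets are assumptions made for illustration.

```python
import secrets


class BridgeGame:
    """Toy challenger for the 1-out-of-N bridge-finding game (prime order q).

    Group elements are kept as exponents mod q; tau is a lazily sampled random
    injective labelling, so callers only ever see opaque labels.
    """

    def __init__(self, q, n_users, xs=None):
        self.q, self.n = q, n_users
        self._enc, self._dec = {}, {}   # tau: exponent -> label, and its inverse
        self.L = {}                     # label -> (a_vec, b), exponent = a.x + b
        self.bridge = None              # (label, first form, clashing form)
        # xs is a hypothetical hook to fix the secrets for reproducible runs
        self._x = list(xs) if xs else [secrets.randbelow(q) for _ in range(n_users)]
        self.g = self._record(1, (0,) * n_users, 1)
        self.pk = [self._record(x, tuple(int(j == i) for j in range(n_users)), 0)
                   for i, x in enumerate(self._x)]

    def _tau(self, exponent):
        if exponent not in self._enc:
            label = secrets.token_hex(8)
            while label in self._dec:
                label = secrets.token_hex(8)
            self._enc[exponent], self._dec[label] = label, exponent
        return self._enc[exponent]

    def _record(self, exponent, a, b):
        y = self._tau(exponent % self.q)
        form = (tuple(c % self.q for c in a), b % self.q)
        first = self.L.setdefault(y, form)
        if first != form and self.bridge is None:
            self.bridge = (y, first, form)   # same label, two different forms
        return y

    def mult(self, y1, y2):
        if y1 not in self.L or y2 not in self.L:
            return None
        (a1, b1), (a2, b2) = self.L[y1], self.L[y2]
        a = tuple(u + v for u, v in zip(a1, a2))
        return self._record(self._dec[y1] + self._dec[y2], a, b1 + b2)

    def inv(self, y):
        if y not in self.L:
            return None
        a, b = self.L[y]
        return self._record(-self._dec[y], tuple(-c for c in a), -b)

    def dlog(self, y):
        """Restricted DLog oracle: answers only for labels not yet in L."""
        if y in self.L or len(self._enc) >= self.q:
            return None
        v = secrets.randbelow(self.q)        # unseen label: lazily fix tau^{-1}(y)
        while v in self._enc:
            v = secrets.randbelow(self.q)
        self._enc[v], self._dec[y] = y, v
        self.L[y] = ((0,) * self.n, v)
        return v


def exhaustive_walk(game):
    """Generic strategy: query g^2, g^3, ... until a label repeats under a new form."""
    y, queries = game.g, 0
    while game.bridge is None and queries < game.q:
        y = game.mult(y, game.g)
        queries += 1
    return queries


def solve_bridge(game):
    """Solve a1.x + b1 = a2.x + b2 for x_i when the bridge involves a single x_i."""
    _, (a1, b1), (a2, b2) = game.bridge
    diff = [(u - v) % game.q for u, v in zip(a1, a2)]
    idx = [i for i, d in enumerate(diff) if d]
    if len(idx) != 1:
        return None                          # several unknowns: one equation is not enough
    i = idx[0]
    return i, (b2 - b1) * pow(diff[i], -1, game.q) % game.q
```

With $q = 101$ the walk reaches a bridge after at most $q$ queries; with a 61-bit order a few hundred queries leave `bridge` unset, matching the $O((t+N)^2/q)$ shape of the bound.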


slide-73
SLIDE 73

The Multi-User Bridge Game

Theorem

The probability an attacker $\mathcal{A}$ running in time $t$ wins the 1-out-of-N generic $\mathsf{BRIDGE}^N$-finding game (even with access to the restricted DLog oracle) is at most

$$\Pr\left[\mathsf{BridgeChal}^{\mathsf{GO},N}_{\mathcal{A}}(k) = 1\right] \le \frac{tN + 3t(t+1)/2}{q - (N + 3t + 1)^2 - N} = O\left(\frac{(t+N)^2}{q}\right)$$

where $q$ is the order of the group $G$.

Corollary

For any attacker $\mathcal{A}$ running in time $t' = t + 2 \log q$ we have

$$\Pr\left[\mathsf{1ofNDLog}^{\mathsf{GO},N}_{\mathcal{A}}(k) = 1\right] \le \frac{tN + 3t(t+1)/2}{q - (N + 3t + 1)^2 - N} = O\left(\frac{(t+N)^2}{q}\right)$$

where $q$ is the order of the group $G$.


slide-75
SLIDE 75

Main Theorem

Theorem

In the generic group model of prime order $q \approx 2^{2k}$ and the programmable random oracle model the short Schnorr signature scheme is $(t, N, q_{\mathrm{RO}}, q_{\mathrm{GO}}, q_{\mathrm{Sign}}, \epsilon)$-MU-UF-CMA secure with

$$\epsilon = \frac{tN + 3t(t+2)/2}{q - (N + 3t + 1)^2 - N} + \frac{t^2}{q} + \frac{t+1}{2^k} = O\left(\frac{t+N}{2^k}\right).$$

  • Our result provides $k$-bits of multi-user security of “short” Schnorr signatures since usually $t \gg N$ ($t \approx 2^{80}$, $N \approx 2^{32}$).


slide-76
SLIDE 76

Proof Sketch: Security Reduction

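Reduction $\mathcal{A}_{\mathsf{bridge}}$

Given: $g = \tau(g)$, $\tau(h_i) = \tau(g^{x_i})$, $1 \le i \le N$, $q$

Initialize $L = \{(\tau(g), \vec{0}, 1), (\tau(g^{x_i}), \vec{e}_i, 0) \text{ for } 1 \le i \le N\}$, $H_{\mathsf{resp}} = \{\}$

/* begin simulation */

Run $\mathcal{A}_{\mathsf{sig}}$ with access to $\mathsf{Mult}(\cdot)$, $\mathsf{Inv}(\cdot)$, $\mathsf{DLog}_g(\cdot)$, $H(\cdot)$ and $\mathsf{Sign}_j(\cdot)$; signing queries $\{m_i\}_{i=1}^{N}$ are answered with $\{\sigma_i\}_{i=1}^{N}$, and $\mathcal{A}_{\mathsf{sig}}$ outputs $\sigma = (s, e)$, $m$.

$\mathsf{Sign}_j(m_i)$ without secret key $x_j$ ($1 \le j \le N$):

  1: Pick $s_i, e_i$ randomly
  2: Compute $\tau(g^{s_i})$, $\tau(g^{x_j e_i}) = \tau(\tau^{-1}(h_j)^{e_i})$
  3: Compute $I_i = \tau(g^{s_i} \cdot g^{-x_j e_i})$
  4: if $H(I_i \| m_i)$ previously queried then
  5:   return $\bot$
  6: else
  7:   Program $H(I_i \| m_i) := e_i$
  8:   return $\sigma_i = (s_i, e_i)$

/* end simulation */

Compute: $I_\sigma = \tau(g^{s} \cdot g^{-xe})$, $e_\sigma = H(I_\sigma \| m)$ and check if $(I_\sigma, \vec{a}, b) \in L$

  • if no such triple exists then return $\bot$
  • If $\vec{a}$ has only one nonzero element $a$ and if $a + e = 0$ then return $\bot$
  • Otherwise we find a $\mathsf{BRIDGE}^N$ instance

Probability of outputting $\bot$:

  • $\le q_{\mathrm{Sign}} \times \frac{q_{\mathrm{RO}} + q_{\mathrm{Sign}}}{q} = O\left(\frac{t^2}{q}\right)$
  • $\le \frac{q_{\mathrm{RO}} + q_{\mathrm{Sign}}}{q - |L|} + \frac{1}{2^k} = O\left(\frac{t}{2^k}\right)$
  • $\le \frac{q_{\mathrm{RO}}}{2^k} = O\left(\frac{t}{2^k}\right)$ (comes with “short” Schnorr signatures)

$$\therefore\ \Pr\left[\mathsf{SigForge}^{\mathsf{GO},N}_{\mathcal{A}_{\mathsf{sig}},\Pi}(k) = 1\right] \le \Pr\left[\mathsf{BridgeChal}^{\mathsf{GO},N}_{\mathcal{A}_{\mathsf{bridge}}}(k) = 1\right] + O\left(\frac{t}{2^k}\right) \le O\left(\frac{t+N}{2^k}\right).$$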
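Steps 1 to 8 of the simulated $\mathsf{Sign}_j$ can be exercised directly. The Python below is an added example, not code from the talk or the paper: it answers signing queries from the public key alone by programming a dictionary-backed random oracle, and the resulting signatures pass the ordinary short Schnorr check $H(g^s \cdot pk^{-e} \| m) = e$. The toy group ($p = 2039$, $q = 1019$, $g = 4$, $k = 5$), the function names, the `coins` hook and keying the oracle by the pair $(I, m)$ instead of the string $I \| m$ are assumptions made for illustration.

```python
import secrets

P, Q, G, K = 2039, 1019, 4, 5   # toy group: G has prime order Q ~ 2^(2K) in Z_P^*


class ProgrammableRO:
    """Lazily sampled oracle H: (I, m) -> K-bit value that the reduction may program."""

    def __init__(self):
        self.table = {}

    def query(self, I, m):
        return self.table.setdefault((I, m), secrets.randbelow(2 ** K))

    def program(self, I, m, e):
        if (I, m) in self.table:
            return False          # point already fixed: the simulation must give up
        self.table[(I, m)] = e
        return True


def keygen():
    x = secrets.randbelow(Q)
    return x, pow(G, x, P)


def sign(ro, x, m):
    """Real signer, shown for comparison: needs the secret key x."""
    r = secrets.randbelow(Q)
    e = ro.query(pow(G, r, P), m)
    return (r + x * e) % Q, e


def verify(ro, pk, m, sig):
    s, e = sig
    I = pow(G, s, P) * pow(pk, -e, P) % P     # I = g^s * pk^(-e)
    return ro.query(I, m) == e


def sim_sign(ro, pk, m, coins=None):
    """Steps 1-8 of the simulated Sign_j: uses only pk_j, never x_j."""
    s, e = coins or (secrets.randbelow(Q), secrets.randbelow(2 ** K))
    I = pow(G, s, P) * pow(pk, -e, P) % P
    if not ro.program(I, m, e):
        return None               # steps 4-5: H(I || m) was already queried
    return s, e


def demo(n_users=4):
    """One simulated signing query per user; returns whether each signature verifies."""
    ro = ProgrammableRO()
    keys = [keygen() for _ in range(n_users)]
    results = []
    for j, (_, pk) in enumerate(keys):
        m = f"message for user {j}"
        sig = sim_sign(ro, pk, m)
        results.append(sig is not None and verify(ro, pk, m, sig))
    return results
```

The `None` branch is the event bounded by the first term under "Probability of outputting $\bot$": the simulation fails only when the point it wants to program has already been fixed.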


slide-83
SLIDE 83

Conclusion and Future Work

Our Contributions

  • We showed that short Schnorr signatures provide $k$ bits of security in both single and multi-user settings under the programmable ROM and the GGM.
  • Breaking multi-user security of short Schnorr signatures in the “1-out-of-N” setting is not easier than breaking a single instance.
  • The short Schnorr signature is still secure even if we allow a restricted discrete-log oracle in the GGM.
  • We provide a new proof technique which keeps track of the known and the partially known set in a global list.

Future Work

  • Security of (short) Schnorr signatures against preprocessing attacks [CK18].
  • Preprocessing attacks are used to criticize non-standard generic group models proposed earlier [SJ00, KMP16].
  • The preprocessing phase is not doable in either non-standard model, whereas it is clearly captured by the original model.


slide-84
SLIDE 84

References I

  • Daniel J. Bernstein, Multi-user Schnorr security, revisited, Cryptology ePrint Archive, Report 2015/996, 2015, http://eprint.iacr.org/2015/996.
  • Henry Corrigan-Gibbs and Dmitry Kogan, The discrete-logarithm problem with preprocessing, EUROCRYPT 2018, Part II (Jesper Buus Nielsen and Vincent Rijmen, eds.), LNCS, vol. 10821, Springer, Heidelberg, April / May 2018, pp. 415–447.
  • Alexander W. Dent, Adapting the weaknesses of the random oracle model to the generic group model, ASIACRYPT 2002 (Yuliang Zheng, ed.), LNCS, vol. 2501, Springer, Heidelberg, December 2002, pp. 100–109.
  • Nils Fleischhacker, Tibor Jager, and Dominique Schröder, On tight security proofs for Schnorr signatures, ASIACRYPT 2014, Part I (Palash Sarkar and Tetsu Iwata, eds.), LNCS, vol. 8873, Springer, Heidelberg, December 2014, pp. 512–531.
  • David Freeman, Michael Scott, and Edlyn Teske, A taxonomy of pairing-friendly elliptic curves, Journal of Cryptology 23 (2010), no. 2, 224–280.
  • S. Galbraith, J. Malone-Lee, and N. P. Smart, Public key signatures in the multi-user setting, Inf. Process. Lett. 83 (2002), no. 5, 263–266.
  • Don Johnson, Alfred Menezes, and Scott Vanstone, The elliptic curve digital signature algorithm (ECDSA), International Journal of Information Security 1 (2001), no. 1, 36–63.
  • Eike Kiltz, Daniel Masny, and Jiaxin Pan, Optimal security proofs for signatures from identification schemes, CRYPTO 2016, Part II (Matthew Robshaw and Jonathan Katz, eds.), LNCS, vol. 9815, Springer, Heidelberg, August 2016, pp. 33–61.
  • Gregory Neven, Nigel P. Smart, and Bogdan Warinschi, Hash function requirements for Schnorr signatures, Journal of Mathematical Cryptology 3 (2009).


slide-85
SLIDE 85

References II

  • David Pointcheval and Jacques Stern, Security proofs for signature schemes, EUROCRYPT’96 (Ueli M. Maurer, ed.), LNCS, vol. 1070, Springer, Heidelberg, May 1996, pp. 387–398.
  • Yannick Seurin, On the exact security of Schnorr-type signatures in the random oracle model, EUROCRYPT 2012 (David Pointcheval and Thomas Johansson, eds.), LNCS, vol. 7237, Springer, Heidelberg, April 2012, pp. 554–571.
  • Victor Shoup, Lower bounds for discrete logarithms and related problems, EUROCRYPT’97 (Walter Fumy, ed.), LNCS, vol. 1233, Springer, Heidelberg, May 1997, pp. 256–266.
  • Claus-Peter Schnorr and Markus Jakobsson, Security of signed ElGamal encryption, ASIACRYPT 2000 (Tatsuaki Okamoto, ed.), LNCS, vol. 1976, Springer, Heidelberg, December 2000, pp. 73–89.


slide-86
SLIDE 86

Questions?
