on tight security proofs for schnorr signatures
play

On Tight Security Proofs for Schnorr Signatures Nils Fleischhacker 1 - PowerPoint PPT Presentation

Aug 24, 2023 •981 likes •1.35k views

On Tight Security Proofs for Schnorr Signatures Nils Fleischhacker 1 Tibor Jager 2 oder 1 Dominique Schr 1 Saarland University 2 Horst G ortz Institute for IT Security, Ruhr-University Bochum December 9, 2014 (Informal) main Result The

  1. On Tight Security Proofs for Schnorr Signatures Nils Fleischhacker 1 Tibor Jager 2 oder 1 Dominique Schr¨ 1 Saarland University 2 Horst G¨ ortz Institute for IT Security, Ruhr-University Bochum December 9, 2014

  2. (Informal) main Result The security of Schnorr signatures cannot be tightly reduced to any natural assumption using a generic reduction. The result holds unconditionally.

  3. Schnorr Signatures [Sch90,Schn91] G = � g � , H Sign ( x, m ) Kgen (1 κ ) Vrfy ( X, m, σ ) $ r ← Z q parse σ as ( R, y ) $ R := g r x ← Z q X := g x c := H ( R, m ) c := H ( R, m ) = X c · R ? return g y return ( x, X ) y := r + x · c return σ = ( R, y ) ◮ Provably secure under DLOG assumption in the ROM [PS96, PS00]. ◮ Previous impossibility results for tight proofs for DLOG and algebraic reductions [PV05,GBL08,Seu12].

  4. Schnorr Signatures [Sch90,Schn91] G = � g � , H Sign ( x, m ) Kgen (1 κ ) Vrfy ( X, m, σ ) $ r ← Z q parse σ as ( R, y ) $ R := g r x ← Z q X := g x c := H ( R, m ) c := H ( R, m ) = X c · R ? return g y return ( x, X ) y := r + x · c return σ = ( R, y ) ◮ Provably secure under DLOG assumption in the ROM [PS96, PS00]. ◮ Previous impossibility results for tight proofs for DLOG and algebraic reductions [PV05,GBL08,Seu12].

  5. Schnorr Signatures [Sch90,Schn91] G = � g � , H Sign ( x, m ) Kgen (1 κ ) Vrfy ( X, m, σ ) $ r ← Z q parse σ as ( R, y ) $ R := g r x ← Z q X := g x c := H ( R, m ) c := H ( R, m ) = X c · R ? return g y return ( x, X ) y := r + x · c return σ = ( R, y ) ◮ Provably secure under DLOG assumption in the ROM [PS96, PS00]. Not tight! ◮ Previous impossibility results for tight proofs for DLOG and algebraic reductions [PV05,GBL08,Seu12].

  6. Why do we care about tightness? g x R pk, m UUNF − NM Π σ x ′

  7. Why do we care about tightness? g x R pk, m UUNF − NM Π Weaker Definition of Security = Stronger Negative Result σ x ′

  8. Why do we care about tightness? g x R pk, m UUNF − NM Π σ x ′ t

  9. Why do we care about tightness? g x R pk, m UUNF − NM Π σ x ′ f ( t ) = t t

  10. Why do we care about tightness? g x R pk, m UUNF − NM Π σ x ′ f ( t ) = 2 t t

  11. Why do we care about tightness? g x R pk, m q R ′ , m ′ UUNF − NM Π H ( R ′ , m ′ ) σ x ′ f ( t, q ) = q · t t

  12. Meta-Reductions [BV98] Π R UUNF − NM A

  13. Meta-Reductions [BV98] M Π Π ’ R UUNF − NM A

  14. Previous Work on Lower Bounds PV05 1 Bound q 1 / 2 algebraic Reduction (OM)DL Assumption OMDL

  15. Previous Work on Lower Bounds PV05 GBL08 1 1 Bound q 1 / 2 q 2 / 3 algebraic algebraic Reduction (OM)DL (OM)DL Assumption OMDL OMDL

  16. Previous Work on Lower Bounds PV05 GBL08 Seurin12 1 1 O ( 1 Bound q ) q 1 / 2 q 2 / 3 algebraic algebraic algebraic Reduction (OM)DL (OM)DL (OM)DL Assumption OMDL OMDL OMDL

  17. Previous Work on Lower Bounds PV05 GBL08 Seurin12 Our Work 1 1 O ( 1 O ( 1 Bound q ) q ) q 1 / 2 q 2 / 3 algebraic algebraic algebraic generic Reduction representation (OM)DL (OM)DL (OM)DL invariant Assumption OMDL OMDL OMDL none

  18. Algebraic vs. Generic Reductions An algebraic reduction only A generic reduction works regardless of the representation computes group elements using group operations. of the group. φ : G → { 0 , 1 } 2 n � G , g � g x 1 , g x 2 ( x 1 , x 2 ) , g y φ ( g x 1 ) , φ ( g x 2 ) φ ( g a ) , φ ( g b ) , ◦ R O R Ext φ ( g a ◦ g b ) g y y φ ( g y )

  19. So... GGM? No! φ ( A ) , φ ( B ) ( φ ( i ) , φ ( j ) , ◦ ) O φ ( i ◦ j ) R φ ( C ) , φ ( D )

  20. So... GGM? No! φ ( A ) , φ ( B ) ( φ ( i ) , φ ( j ) , ◦ ) O φ ( i ◦ j ) R A φ ( C ) , φ ( D )

  21. So... GGM? No! A, B φ ( A ) , φ ( B ) ( φ ( i ) , φ ( j ) , ◦ ) O φ ( i ◦ j ) R φ ( X ) , m, ω X, m, ω A ( φ ( R ) , y ) ( R, y ) φ ( C ) , φ ( D ) C, D

  22. So... GGM? No! A, B φ ( A ) , φ ( B ) ( φ ( i ) , φ ( j ) , ◦ ) O φ ( i ◦ j ) R φ ( X ) , m, ω X, m, ω A ( φ ( R ) , y ) ( R, y ) φ ( C ) , φ ( D ) C, D

  23. Ok, so how does it work? Vanilla Reductions proc A ( X, m, ω ) ( R 1 , . . . , R q ) ← G q for all i ∈ [ q ] c i = H ( R i , m ) α ← [ q ] y := log g X c α R α return ( R α , y ) .

  24. Ok, so how does it work? Vanilla Reductions Vanilla Reduction: ◮ Runs A once ◮ Does not rewind Result: ◮ Rules out all generic vanilla reductions ◮ Even tight reductions

  25. Ok, so how does it work? Vanilla Reductions proc A ( X, m, ω ) ( R 1 , . . . , R q ) ← G q for all i ∈ [ q ] c i = H ( R i , m ) α ← [ q ] y := log g X c α R α return ( R α , y ) .

  26. Ok, so how does it work? Vanilla Reductions C 1 , . . . , C u , C ′ L G L E φ ( C 1 ) , . . . , φ ( C u ) , C ′ M C 1 E 1 . . . . . . C u E u O R 1 E u +1 R . . . . . . R q E u + q A

  27. Ok, so how does it work? Vanilla Reductions C 1 , . . . , C u , C ′ L G L E φ ( C 1 ) , . . . , φ ( C u ) , C ′ M C 1 E 1 . . . . . . ( E i , E j , × ) C u E u O R 1 E u +1 E u + q +1 R . . . . . . R q E u + q A E u + q +1 A

  28. Ok, so how does it work? Vanilla Reductions C 1 , . . . , C u , C ′ L G L E φ ( C 1 ) , . . . , φ ( C u ) , C ′ M C 1 E 1 . . . . . . ( E i , E j , × ) C u E u O R 1 E u +1 E u + q +1 R . . . . . . R q E u + q φ ( X ) , m A E u + q +1 A ( φ ( R ) , y )

  29. Ok, so how does it work? Vanilla Reductions C 1 , . . . , C u , C ′ L G L E L V φ ( C 1 ) , . . . , φ ( C u ) , C ′ M C 1 E 1 (1 , 0 , ... ) . . . . . . . . . ( E i , E j , × ) C u E u ( ..., 0 , 1 , 0 , ... ) O R 1 E u +1 ( ..., 0 , 1 , 0 , ... ) E u + q +1 R . . . . . . . . . R q E u + q ( ..., 0 , 1) φ ( X ) , m A E u + q +1 V i + V j A ( φ ( R ) , y )

  30. Ok, so how does it work? Vanilla Reductions proc A ( φ ( X ) , m, ω ) : for all i ∈ [ q ] L G L E L V . . . c i = R . H ( φ ( R i ) , m ) . . . . . . α ← [ q ] R α E u + α V u + α . . . y := log g X c α R α . . . . . . G u + q +1 E u + q +1 V u + q +1

  31. Ok, so how does it work? Vanilla Reductions proc A ( φ ( X ) , m, ω ) : for all i ∈ [ q ] L G L E L V . . . c i = R . H ( φ ( R i ) , m ) . . . . . . α ← [ q ] R α E u + α V u + α . . . R ∗ α := g y X − c α . . . y ← Z p ; . . . G u + q +1 E u + q +1 V u + q +1

  32. Ok, so how does it work? Vanilla Reductions proc A ( φ ( X ) , m, ω ) : for all i ∈ [ q ] L G L E L V . . . c i = R . H ( φ ( R i ) , m ) . . . . . . α ← [ q ] R ∗ E u + α V u + α α . . . R ∗ α := g y X − c α . . . y ← Z p ; . . . G u + q +1 E u + q +1 V u + q +1

  33. Ok, so how does it work? Vanilla Reductions proc A ( φ ( X ) , m, ω ) : for all i ∈ [ q ] L G L E L V . . . c i = R . H ( φ ( R i ) , m ) . . . . . . α ← [ q ] R ∗ E u + α V u + α α . . . R ∗ α := g y X − c α . . . y ← Z p ; . . . G u + q +1 E u + q +1 V u + q +1 for j = 1 , . . . , |L G | do u + q V j � G i := i · G j j =1 return ( y, φ ( R ∗ α ))

  34. Will this not trip up the Reduction? R is only able to notice the reprogramming if there exist i, j such that G i = G j before the reprogramming and G i � = G j after reprogramming, or the other way round. This happens with probability at most 2( u + q + t R ) 2 ≤ negl p

  35. Summary & Conclusion The security of Schnorr signatures cannot be reduced to any representation invariant assumption tighter than O (1 /q ) using a generic fully blackbox reduction.

  36. Thank You! Nils Fleischhacker fleischhacker@cs.uni-saarland.de

Recommend

On the Multi-User Security of Short Schnorr Signatures Jeremiah Blocki and Seunghoon Lee

On the Multi-User Security of Short Schnorr Signatures Jeremiah Blocki and Seunghoon Lee

On the Multi-User Security of Short Schnorr Signatures Jeremiah Blocki and Seunghoon Lee Department of Computer Science, Purdue University October 10, 2019 Jeremiah Blocki and Seunghoon Lee On the Multi-User Security of Short Schnorr Signatures

1.23k views • 86 slides
Proving tight security for Rabin-Williams signatures D. J. Bernstein Public-key signatures 1976

Proving tight security for Rabin-Williams signatures D. J. Bernstein Public-key signatures 1976

Proving tight security for Rabin-Williams signatures D. J. Bernstein Public-key signatures 1976 Diffie Hellman: Public-key signatures would allow verification by anyone, not just signer. Cool! Can we build a signature system? 1977 Rivest

743 views • 33 slides
On the Exact Security of Schnorr-Type Signatures in the Random Oracle Model Yannick Seurin

On the Exact Security of Schnorr-Type Signatures in the Random Oracle Model Yannick Seurin

On the Exact Security of Schnorr-Type Signatures in the Random Oracle Model Yannick Seurin ANSSI, France 18 April, EUROCRYPT 2012 Yannick Seurin (ANSSI) Exact Security of Schnorr Signatures EUROCRYPT 2012 1 / 28 Introduction Introduction

1.45k views • 117 slides
Masking Proofs are Tight (and How to Exploit it in Security Evaluations) Vincent Grosso,

Masking Proofs are Tight (and How to Exploit it in Security Evaluations) Vincent Grosso,

Masking Proofs are Tight (and How to Exploit it in Security Evaluations) Vincent Grosso, Franois-Xavier Standaert Radbout University Nijmegen (The Netherlands), UCL (Belgium) EUROCRYPT 2018, Tel Aviv, Israel Motivation (side-channel security

775 views • 52 slides
Proving tight security for RabinWilliams signatures D. J. Bernstein University of Illinois at

Proving tight security for RabinWilliams signatures D. J. Bernstein University of Illinois at

Proving tight security for RabinWilliams signatures D. J. Bernstein University of Illinois at Chicago Thanks to: NSF CCR9983950 NSF DMS0140542 NSF ITR0716498 Alfred P. Sloan Foundation Warning: Springer mangled the

589 views • 19 slides
Limitations of the Meta-Reduction Technique: The Case of Schnorr Signatures Marc Fischlin 1 Nils

Limitations of the Meta-Reduction Technique: The Case of Schnorr Signatures Marc Fischlin 1 Nils

Limitations of the Meta-Reduction Technique: The Case of Schnorr Signatures Marc Fischlin 1 Nils Fleischhacker 2 1 TU Darmstadt 2 Saarland University, Center for IT-Security, Privacy, and Accountability June 5, 2014 (Informal) Main Results 1

693 views • 34 slides
Efficiency and Privacy Improvements for Bitcoin with Schnorr Signatures Yannick Seurin (Based on

Efficiency and Privacy Improvements for Bitcoin with Schnorr Signatures Yannick Seurin (Based on

Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Efficiency and Privacy Improvements for Bitcoin with Schnorr Signatures Yannick Seurin (Based on joint work with G. Maxwell, A. Poelstra, and P. Wuille)

1.82k views • 171 slides
Accountability Andrew Poelstra Director of Research, Blockstream 4 February 2019 1 / 23

Accountability Andrew Poelstra Director of Research, Blockstream 4 February 2019 1 / 23

Threshold Signatures and Accountability Andrew Poelstra Director of Research, Blockstream 4 February 2019 1 / 23 Schnorr Signatures P = xG R = kG e = H ( P , R , m ) sG = kG + exG 2 / 23 Schnorr Signatures P = xG R = kG e = H ( P , R , m )

371 views • 23 slides
The Discrete Logarithm Problem with Preprocessing Henry Corrigan-Gibbs and Dmitry Kogan Stanford

The Discrete Logarithm Problem with Preprocessing Henry Corrigan-Gibbs and Dmitry Kogan Stanford

The Discrete Logarithm Problem with Preprocessing Henry Corrigan-Gibbs and Dmitry Kogan Stanford University Eurocrypt 1 May 2018 Tel Aviv, Israel 38 Signatures (DSA and Schnorr) 39 DH key Signatures exchange (DSA and Schnorr) 40

1.63k views • 134 slides
Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth

Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth

Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth workshop Introduction to the workshop PROOFS: Security Proofs for Embedded Systems UCSB August 20, 2016 5th edition of PROOFS PROOFS 2012:

311 views • 7 slides
Post-Quantum Zero-Knowledge Proofs for Accumulators with Applications to Ring Signatures from

Post-Quantum Zero-Knowledge Proofs for Accumulators with Applications to Ring Signatures from

Post-Quantum Zero-Knowledge Proofs for Accumulators with Applications to Ring Signatures from Symmetric-Key Primitives David Derler , Sebastian Ramacher , Daniel Slamanig PQC rypto 18, April 9, 2018 1 Ring Signatures P

612 views • 27 slides
Short Proofs Are Narrow (Well, Sort of), But Are They Tight? Jakob Nordstr om jakobn@kth.se

Short Proofs Are Narrow (Well, Sort of), But Are They Tight? Jakob Nordstr om jakobn@kth.se

Short Proofs Are Narrow (Well, Sort of), But Are They Tight? Jakob Nordstr om jakobn@kth.se Theory Group KTH Computer Science and Communication PhD Student Seminar in Theoretical Computer Science April 3rd, 2006 Short Proofs Are Narrow

1.52k views • 128 slides
Signature sizes: RSA signatures are big. a call to action D. J. Bernstein University of

Signature sizes: RSA signatures are big. a call to action D. J. Bernstein University of

Signature sizes: RSA signatures are big. a call to action D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Signature sizes: RSA signatures are big. a call to action 1990 Schnorr signatures D. J.

355 views • 21 slides
Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And Putting It All Together Lecture 12 Digital Signatures Digital Signatures Syntax: KeyGen, Sign SK and Verify VK . Security: Same experiment as MAC s,

1.72k views • 142 slides
Non-Interactive Plaintext (In-)Equality Proofs and Group Signatures with Verifiable Controllable

Non-Interactive Plaintext (In-)Equality Proofs and Group Signatures with Verifiable Controllable

S C I E N C E P A S S I O N T E C H N O L O G Y Non-Interactive Plaintext (In-)Equality Proofs and Group Signatures with Verifiable Controllable Linkability Olivier Blazy 1 , David Derler 2 , Daniel Slamanig 2 , Raphael

345 views • 21 slides
Schnorr Signature & MimbleWimble Oct. 5, 2019 Overview of today Lack of Privacy in

Schnorr Signature & MimbleWimble Oct. 5, 2019 Overview of today Lack of Privacy in

Schnorr Signature & MimbleWimble Oct. 5, 2019 Overview of today Lack of Privacy in Bitcoin MimbleWimble cryptocurrency ECC math Schnorrs signatures scheme Pedersen Commitments Motivation Bitcoin is decentralized

430 views • 40 slides
1 Arbitrated Digital Signatures Digital Signature Standard (DSS) US Govt approved signature

1 Arbitrated Digital Signatures Digital Signature Standard (DSS) US Govt approved signature

CPE 542: CRYPTOGRAPHY & NETWORK SECURITY Digital Signatures have looked at message authentication but does not address issues of lack of trust Chapter 13 Digital Signatures digital signatures provide the ability to:

361 views • 3 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-03-10 1 Outline Recap: one-time signatures From EUF-naCMA security to EUF-CMA security Interlude: proof strategies Security proof

336 views • 20 slides
Fast Zero-Knowledge Proofs and Post-Quantum Signatures Claudio Orlandi Aarhus University

Fast Zero-Knowledge Proofs and Post-Quantum Signatures Claudio Orlandi Aarhus University

Fast Zero-Knowledge Proofs and Post-Quantum Signatures Claudio Orlandi Aarhus University @claudiorlandi Based on joint work with: Meliisa Chase (Microsoft) David Derler (TU Graz) Tore Frederiksen (BIU) Irene Giacomelli

1.21k views • 77 slides
Tight PRF-Security of Double-block Hash-then-Sum MACs Seongkwang Kim, Byeonghak Lee , Jooyoung Lee

Tight PRF-Security of Double-block Hash-then-Sum MACs Seongkwang Kim, Byeonghak Lee , Jooyoung Lee

Tight PRF-Security of Double-block Hash-then-Sum MACs Seongkwang Kim, Byeonghak Lee , Jooyoung Lee KAIST Outline Introduction - Message Authentication Code - Double-block Hash-then-Sum paradigm Our Contribution - Tight security proof of

394 views • 24 slides
Picnic Post-Quantum Signatures from Zero Knowledge Proofs MELISSA CHASE, MSR THE PICNIC TEAM

Picnic Post-Quantum Signatures from Zero Knowledge Proofs MELISSA CHASE, MSR THE PICNIC TEAM

Picnic Post-Quantum Signatures from Zero Knowledge Proofs MELISSA CHASE, MSR THE PICNIC TEAM DAVID DERLER SEBASTIAN RAMACHER STEVEN GOLDFEDER CHRISTIAN RECHBERGER JONATHAN KATZ DANIEL SLAMANIG VLAD KOLESNIKOV XIAO WANG CLAUDIO ORLANDI

577 views • 37 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-02-18 1 Outline Logistics Overview Introduction Definition Security Security experiments Formal security definition Relations among

686 views • 64 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-02-18 1 Outline Logistics Overview Introduction Definition Security Security experiments Formal security definition Relations among

743 views • 58 slides
Security proofs in the symbolic model web services security, manual and automated proofs

Security proofs in the symbolic model web services security, manual and automated proofs

Security proofs in the symbolic model web services security, manual and automated proofs Karthikeyan Bhargavan INRIA karthikeyan.bhargavan@inria.fr http://prosecco.inria.fr/personal/karthik September 2013 Karthikeyan Bhargavan (INRIA)

800 views • 58 slides

More recommend