Optimal Security Proofs for Signatures from Identification Schemes [chapter]

Eike Kiltz, Daniel Masny, Jiaxin Pan
2016 Lecture Notes in Computer Science  
We perform a concrete security treatment of digital signature schemes obtained from canonical identification schemes via the Fiat-Shamir transform. If the identification scheme is rerandomizable and satisfies the weakest possible security notion (key-recoverability), then the implied signature scheme is unforgeable against chosen-message attacks in the multi-user setting in the random oracle model. The reduction loses a factor of roughly Q_h, the number of hash queries. Previous security reductions incorporated an additional multiplicative loss of N, the number of users in the system. As an important application of our framework, we obtain a concrete security treatment for Schnorr signatures. Our analysis is done in small steps via intermediate security notions, and all our implications have relatively simple proofs. Furthermore, for each step we show the optimality of the given reduction via a meta-reduction.

[Figure 1: two columns, "Identification scheme ID" and "Signature scheme SIG[ID]", showing the implications between the security notions.]
Figure 1: Overview of our notions and results for canonical identification schemes ID and their implied signature schemes SIG[ID]. X →(Z) Y means that X-security implies Y-security under condition Z. Trivial implications are denoted with green arrows. All implications are tight except the one marked with red. The conditions are: rew. (reduction rewinds), loss Q (reduction loses a factor of Q), PRO (reduction is in the programmable random oracle model), SS (reduction uses special soundness), and RSR (reduction uses random self-reducibility for tightness). All implications from top to bottom require HVZK. X ↛(Z) Y means that X-security does not imply Y-security unless they fulfill condition Z. The conditions are: non-rew. (reduction does not rewind), loss < Q (reduction loses a factor smaller than Q), and NPRO (reduction is in the non-programmable random oracle model).

We certainly do not claim any novelty of the above lemmas, nor a new proof technique. For example, the implication IMP-KOA → UF-CMA is already explicitly contained in [32] (and implicitly in the seminal paper by Pointcheval and Stern [36]). However, by our specific choice of the intermediate security notions, all four proofs are extremely simple and intuitive. In fact, none of our proofs requires the full power of the Forking Lemma [36]. Lemma 3.4 (KR-KOA → PIMP-KOA) is the only proof using rewinding, and its analysis contains a simple application of Jensen's inequality. If ID is RSR, the implication is tight.
We view identifying the intermediate security notions that allow for simple proofs as a conceptual contribution. In particular, IMP-KOA and PIMP-KOA security can be seen as the tightness barrier for identification schemes in the sense that PIMP-KOA is the weakest notion for ID that is tightly equivalent to MU-UF-CMA security of SIG[ID]. One particular advantage of our modular approach is that we are able to prove optimality of all four implications via meta-reductions (Lemmas 4.1, 4.3, 4.5, and 4.6). Lemma 4.3, proving the impossibility of a tight reduction between PIMP-KOA and IMP-KOA security, is a generalization of Seurin's impossibility result to canonical identification schemes [38]; Lemmas 4.5 and 4.6, proving the impossibility of a reduction in the non-programmable random oracle model between PIMP-KOA, UF-KOA, and UF-CMA, can be considered a fine-grained version of a general impossibility result by Fukumitsu and Hasegawa [19], who only consider the implication IMP-PA → UF-CMA; Lemma 4.1 involves a new meta-reduction. All our impossibility results assume the reductions to be key-preserving [35] and are conditional in the sense that the existence of a reduction would imply that ID does not satisfy some other natural security property (e.g., Lemma 4.1 requires IMP-AA security, where AA stands for active attack).

From Single-User to Multi-User Security for Signatures. Our second main theorem can be informally stated as follows.

Theorem 1.2. If ID is UF-KOA-secure against any adversary B having success ratio SR(B), then it is MU-UF-CMA-secure in the random oracle model against any adversary C having success ratio SR(C) ≈ SR(B)/4, independent of the number of users N in the multi-user scenario.

This theorem improves the bound of previous generic reductions [20] by a factor of N. Following our modular approach, the theorem is proved in two steps via Lemmas 3.8 and 3.9.
It makes use of the RSR property, meaning that from a given public key pk we can derive properly distributed pk_1, ..., pk_N such that any signature σ which is valid under pk can be transformed into a signature σ_i which is valid under pk_i and vice-versa. Lemma 3.8 uses the RSR property to prove that UF-KOA tightly implies MU-UF-KOA. Lemma 3.9 is our main technical contribution and proves MU-UF-KOA → MU-UF-CMA in the programmable random oracle model, again with a tight reduction. One is tempted to believe that
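Added example, not code from the paper: a toy Schnorr signature obtained by applying the Fiat-Shamir transform to the Schnorr identification scheme, together with the RSR key and signature transformation described above (a signature under pk is moved to a derived key pk_i and back). It assumes a constructed, deliberately tiny group (p = 2039, q = 1019, g = 4) and that the hash takes only the commitment and the message as input, not the public key.

```python
import hashlib
import secrets

# Constructed toy parameters (illustration only, far too small to be secure):
# p = 2q + 1 is a safe prime and g = 4 generates the subgroup of prime order q.
P, Q, G = 2039, 1019, 4

def hash_challenge(commitment, message):
    """Fiat-Shamir: the verifier's random challenge is replaced by c = H(R, m).
    Assumption: H does not take pk as input, so c is the same under pk and pk_i."""
    h = hashlib.sha256(commitment.to_bytes(2, "big") + message).digest()  # R < 2^16
    return int.from_bytes(h, "big") % Q

def keygen(sk=None):
    sk = secrets.randbelow(Q - 1) + 1 if sk is None else sk
    return sk, pow(G, sk, P)

def sign(sk, message, nonce=None):
    """Schnorr signature = ID transcript (R, s) with the challenge c = H(R, m)."""
    k = secrets.randbelow(Q - 1) + 1 if nonce is None else nonce
    R = pow(G, k, P)                # prover's commitment
    c = hash_challenge(R, message)  # challenge from the random oracle
    s = (k + c * sk) % Q            # prover's response
    return R, s

def verify(pk, message, sig):
    R, s = sig
    c = hash_challenge(R, message)
    return pow(G, s, P) == (R * pow(pk, c, P)) % P

def rerandomize_key(pk, r):
    """RSR: pk_i = pk * g^r is a properly distributed key for secret key sk + r."""
    return (pk * pow(G, r, P)) % P

def shift_signature(sig, message, r):
    """Map a signature valid under pk to one valid under pk_i = pk * g^r
    (and back with -r): same R, same c, response s_i = s + c * r."""
    R, s = sig
    return R, (s + hash_challenge(R, message) * r) % Q

def rsr_roundtrip(sk, r, message, nonce=None):
    """Exercise both directions of the RSR signature transformation."""
    _, pk = keygen(sk)
    pk_i = rerandomize_key(pk, r)
    sig = sign(sk, message, nonce)
    sig_i = shift_signature(sig, message, r)        # valid under pk_i
    back = shift_signature(sig_i, message, -r % Q)  # valid under pk again
    return verify(pk, message, sig) and verify(pk_i, message, sig_i) \
        and verify(pk, message, back) and back == sig
```

The round trip is exactly the step a reduction uses to answer signing queries for pk_i while only holding signatures under pk.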
doi:10.1007/978-3-662-53008-5_2