Limitations of the Meta-reduction Technique: The Case of Schnorr Signatures

Fischlin, Marc; Fleischhacker, Nils

doi:10.1007/978-3-642-38348-9_27

Cited by 43 publications

(27 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In particular, they presented an impossibility result for security proofs based on algebraic reductions and the discrete logarithm problem. In a similar vein, Fischlin and Fleischhacker [11] presented a result about the security of Schnorr signatures in the non-programmable random oracle model. Essentially they prove that in the non-programmable ROM [12] no reduction from the discrete logarithm problem can exist that invokes the adversary only ever on the same input.…”

Section: Contributionmentioning

confidence: 93%

On Tight Security Proofs for Schnorr Signatures

Fleischhacker

Jager

Schröder

2014

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

The Schnorr signature scheme is the most efficient signature scheme based on the discrete logarithm problem and a long line of research investigates the existence of a tight security reduction for this scheme in the random oracle model. Almost all recent works present lower tightness bounds and most recently Seurin (Eurocrypt 2012) showed that under certain assumptions the non-tight security proof for Schnorr signatures in the random oracle by Pointcheval and Stern (Eurocrypt 1996) is essentially optimal. All previous works in this direction rule out tight reductions from the (onemore) discrete logarithm problem. In this paper we introduce a new meta-reduction technique, which shows lower bounds for the large and very natural class of generic reductions. A generic reduction is independent of a particular representation of group elements and most reductions in state-of-the-art security proofs have this desirable property. Our approach shows unconditionally that there is no tight generic reduction from any natural non-interactive computational problem Π defined over algebraic groups to breaking Schnorr signatures, unless solving Π is easy.In an additional application of the new meta-reduction technique, we also unconditionally rule out any (even non-tight) generic reduction from natural non-interactive computational problems defined over algebraic groups to breaking Schnorr signatures in the non-programmable random oracle model. MotivationThe security of a cryptosystem is nowadays usually confirmed by giving a security proof. Typically, such a proof describes a reduction from some (assumed-to-be-)hard computational problem to breaking a defined security property of the cryptosystem. A reduction is considered as tight, if the reduction solving the hard computational problem has essentially the same running time and success probability as the attacker on the cryptosystem. Essentially, a tight reduction means that a successful attacker can be turned into an efficient algorithm for the hard computational problem without any significant increase in the run-1

show abstract

Section: Contributionmentioning

confidence: 93%

On Tight Security Proofs for Schnorr Signatures

Fleischhacker

Jager

Schröder

2014

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…Interestingly, recently there has been another type of separations based on socalled meta-reduction techniques, originally introduced by Boneh and Venkatenesan [6], and subsequently used in many other places [9,30,22,14,31,15,10,35,12]. Such meta-reductions take an alleged reduction from P to Q and show how to use such a reduction to break the primitive P directly, simulating the adversary for the reduction usually via rewinding techniques.…”

Section: Black-box Separation Techniquesmentioning

confidence: 99%

Notions of Black-Box Reductions, Revisited

Baecher

Brzuska

Fischlin

2013

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. Reductions are the common technique to prove security of cryptographic constructions based on a primitive. They take an allegedly successful adversary against the construction and turn it into a successful adversary against the underlying primitive. To a large extent, these reductions are black-box in the sense that they consider the primitive and/or the adversary against the construction only via the input-output behavior, but do not depend on internals like the code of the primitive or of the adversary. Reingold, Trevisan, and Vadhan (TCC, 2004) provided a widely adopted framework, called the RTV framework from hereon, to classify and relate different notions of black-box reductions.Having precise notions for such reductions is very important when it comes to black-box separations, where one shows that black-box reductions cannot exist. An impossibility result, which clearly specifies the type of reduction it rules out, enables us to identify the potential leverages to bypass the separation. We acknowledge this by extending the RTV framework in several respects using a more fine-grained approach. First, we capture a type of reduction-frequently ruled out by so-called meta-reductions-which escapes the RTV framework so far. Second, we consider notions that are "almost black-box", i.e., where the reduction receives additional information about the adversary, such as its success probability. Third, we distinguish explicitly between efficient and inefficient primitives and adversaries, allowing us to determine how relativizing reductions in the sense of Impagliazzo and Rudich (STOC, 1989) fit into the picture.

show abstract

“…See for a good survey on this topic. Fischlin and Fleischhacker showed a limitation on the meta‐reduction techniques.…”

Section: Introductionmentioning

confidence: 99%

A limitation on security evaluation of cryptographic primitives with fixed keys

Kawai

Hanaoka

Ohta

et al. 2016

Security Comm Networks

View full text Add to dashboard Cite

In this paper, we discuss security of public-key cryptographic primitives in the case that the public key is fixed. In the standard argument, security of cryptographic primitives are evaluated by estimating the average probability of being successfully attacked where keys are treated as random variables. In contrast to this, in practice, a user is mostly interested in the security under his specific public key, which has been already fixed. However, it is obvious that such security cannot be mathematically guaranteed because for any given public key, there always potentially exists an adversary, which breaks its security. Therefore, the best what we can do is just to use a public key such that its effective adversary is not likely to be constructed in the real life and, thus, it is desired to provide a method for evaluating this possibility. The motivation of this work is to investigate (in)feasibility of predicting whether for a given fixed public key, its successful adversary will actually appear in the real life or not. As our main result, we prove that for any digital signature scheme or public key encryption scheme, it is impossible to reduce any fixed key adversary in any weaker security notion than the de facto ones (i.e., existential unforgery against adaptive chosen message attacks or indistinguishability against adaptive chosen ciphertext attacks) to fixed key adversaries in the de facto security notion in a black-box manner. This result means that, for example, for any digital signature scheme, impossibility of extracting the secret key from a fixed public key will never imply existential unforgery against chosen message attacks under the same key as long as we consider only black-box analysis.

show abstract

Limitations of the Meta-reduction Technique: The Case of Schnorr Signatures

Cited by 43 publications

References 27 publications

On Tight Security Proofs for Schnorr Signatures

On Tight Security Proofs for Schnorr Signatures

Notions of Black-Box Reductions, Revisited

A limitation on security evaluation of cryptographic primitives with fixed keys

Contact Info

Product

Resources

About