On Tight Security Proofs for Schnorr Signatures

Fleischhacker, Nils; Jager, Tibor; Schröder, Dominique

doi:10.1007/s00145-019-09311-5

Cited by 21 publications

(18 citation statements)

References 31 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…If the probability of breaking the scheme approaches closely to the probability of solving the hard problem, the reduction is considered tight. Tight security reduction not only gives stronger security guarantees, but also allows secure use of smaller sized parameters [28].…”

Section: Our Contributionmentioning

confidence: 99%

An Identity Based-Identification Scheme With Tight Security Against Active and Concurrent Adversaries

Chia

Chin

2020

IEEE Access

View full text Add to dashboard Cite

Identification schemes are used by machines to securely authenticate the identity of other machines or their users over computer networks. As conventional public key schemes require a trusted third party (TTP) or a public file to ensure the corresponding public key matches with the identity, identity-based cryptosystems emerged as a form of certificate-free system. The entity's identity is the public key itself, therefore eliminating the need for a TTP. The identity-based identification (IBI) scheme introduced by Kurosawa and Heng using their transform in 2004 remains as the only IBI derived from the Boneh-Lynn-Shacham (BLS) short signature scheme which has the advantage of shorter keys. We show tight security reduction against active and concurrent attackers (imp-aa/ca) on our scheme that is obtained from the same transform. As the transform will only produce schemes that are only secure against passive attackers (imp-pa), security against imp-aa/ca scheme relies on a strong One-More interactive assumption and therefore resulted in weak security. While the OR-proof method allows schemes secure against imp-pa to be secure against imp-aa/ca, the resulting security against imp-aa/ca will suffer from loose bounds in addition to the user secret keys being doubled in size. Our work avoids both OR-proof and strong interactive assumptions by showing an ad-hoc proof for our construction which utilizes the weaker well-studied co-computational Diffie-Hellman assumption and yet still has tight security against imp-aa/ca. We demonstrate the tight security of our scheme which allows usage of even shorter key sizes.

show abstract

Section: Our Contributionmentioning

confidence: 99%

An Identity Based-Identification Scheme With Tight Security Against Active and Concurrent Adversaries

Chia

Chin

2020

IEEE Access

View full text Add to dashboard Cite

show abstract

“…Our strategy allows us to retrieve several AGM results (from [ 21 , 22 ]) in the standard model, in the sense that the group can be concretely implemented from falsifiable assumptions. 3 In particular, we show that in our group, the discrete logarithm assumption, the computational Diffie-Hellman assumption, the square Diffie-Hellman assumption, and the linear-combination Diffie-Hellman assumption (see [ 21 ]) are all equivalent, the security of the Schnorr signature scheme [ 37 ] can be tightly reduced to the discrete logarithm assumption escaping impossibility results due to [ 19 ]. 4 …”

Section: Introductionmentioning

confidence: 98%

“…the security of the Schnorr signature scheme [ 37 ] can be tightly reduced to the discrete logarithm assumption escaping impossibility results due to [ 19 ]. 4…”

Section: Introductionmentioning

confidence: 99%

On Instantiating the Algebraic Group Model from Falsifiable Assumptions

Agrikola

Hofheinz

Kästner

2020

Advances in Cryptology – EUROCRYPT 2020

View full text Add to dashboard Cite

We provide a standard-model implementation (of a relaxation) of the algebraic group model (AGM, [Fuchsbauer, Kiltz, Loss, CRYPTO 2018]). Specifically, we show that every algorithm that uses our group is algebraic, and hence “must know” a representation of its output group elements in terms of its input group elements. Here, “must know” means that a suitable extractor can extract such a representation efficiently. We stress that our implementation relies only on falsifiable assumptions in the standard model, and in particular does not use any knowledge assumptions. As a consequence, our group allows to transport a number of results obtained in the AGM into the standard model, under falsifiable assumptions. For instance, we show that in our group, several Diffie-Hellman-like assumptions (including computational Diffie-Hellman) are equivalent to the discrete logarithm assumption. Furthermore, we show that our group allows to prove the Schnorr signature scheme tightly secure in the random oracle model. Our construction relies on indistinguishability obfuscation, and hence should not be considered as a practical group itself. However, our results show that the AGM is a realistic computational model (since it can be instantiated in the standard model), and that results obtained in the AGM are also possible with standard-model groups.

show abstract

“…Another standard solution is to use cryptographic digital signatures, which allow receivers to verify the origin of a message using a 'public' key so that it can be secure in a verifier breach. Although there are many online efficient (computationally secure) digital signature schemes, such as ElGamal signature [7] and Schnorr signature [8,9], they require expensive cryptographic operations like modular exponentiation which is too complex for resourceconstrained CPS devices.…”

Section: Introductionmentioning

confidence: 99%

LiS: Lightweight Signature Schemes for Continuous Message Authentication in Cyber-Physical Systems

Yang

Jin

Tian

et al. 2020

Proceedings of the 15th ACM Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

Cyber-Physical Systems (CPS) provide the foundation of our critical infrastructures, which form the basis of emerging and future smart services and improve our quality of life in many areas. In such CPS, sensor data is transmitted over the network to the controller, which will make real-time control decisions according to the received sensor data. Due to the existence of spoofing attacks (more specifically to CPS, false data injection attacks), one has to protect the authenticity and integrity of the transmitted data. For example, a digital signature can be used to solve this issue. However, the resource-constrained field devices like sensors cannot afford conventional signature computation. Thus, we have to seek for an efficient signature mechanism that can support the fast and continuous message authentication in CPS, while being easy to compute on the devices. To this end, we introduce two Lightweight Signature schemes (LiS), which are suitable for continuous message authentication commonly seen in cyber-physical systems. In our constructions, we exploit the efficient hash collision generation property of a chameleon hash function to transform a chameleon hash function into signature schemes. In our schemes, the signature of a message m is the randomness r associated with m in a chameleon hash function, such that they can lead to a hash collision with a given message randomness pair (m ′ , r ′). Thus, the task of a signer is to generate the collision using the private key of the underlying chameleon hash function, and a verifier can verify the signature by checking the hash collision with a known message and randomness pair. We also specifically instantiate the chameleon hash function in such a way that it leads to a fast signing procedure and an optimal storage requirement on the signer side. The optimized signing algorithms are very efficient. Namely, our first scheme requires only three additions and two multiplications, and only one

show abstract

On Tight Security Proofs for Schnorr Signatures

Cited by 21 publications

References 31 publications

An Identity Based-Identification Scheme With Tight Security Against Active and Concurrent Adversaries

An Identity Based-Identification Scheme With Tight Security Against Active and Concurrent Adversaries

On Instantiating the Algebraic Group Model from Falsifiable Assumptions

LiS: Lightweight Signature Schemes for Continuous Message Authentication in Cyber-Physical Systems

Contact Info

Product

Resources

About