Skip to main content
Disciplines
Automotive Business IT + Informatics Construction + Real Estate Electrical Engineering + Electronics Energy + Sustainability Insurance + Risk Finance + Banking Management + Leadership Marketing + Sales Mechanical Engineering + Materials
Events
DE
EN
Books
Journals
Topic Page
Marketing
Start single access now
Access for companies
EXTENDED SEARCH
Log in
Top
Published in:
Secure Computation Based on Leaky Correlations: High Resilience Setting Read chapter Read first chapter

2017 | OriginalPaper | Chapter

Optimal Security Reductions for Unique Signatures: Bypassing Impossibilities with a Counterexample

Authors : Fuchun Guo, Rongmao Chen, Willy Susilo, Jianchang Lai, Guomin Yang, Yi Mu

Published in: Advances in Cryptology – CRYPTO 2017

Publisher: Springer International Publishing

Log in

Activate our intelligent search to find suitable subject content or patents.

search-config
loading …

Abstract

Optimal security reductions for unique signatures (Coron, Eurocrypt 2002) and their generalization, i.e., efficiently re-randomizable signatures (Hofheinz et al. PKC 2012 & Bader et al. Eurocrypt 2016) have been well studied in the literature. Particularly, it has been shown that under a non-interactive hard assumption, any security reduction (with or without random oracles) for a unique signature scheme or an efficiently re-randomizable signature scheme must loose a factor of at least \(q_s\) in the security model of existential unforgeability against chosen-message attacks (EU-CMA), where \(q_s\) denotes the number of signature queries. Note that the number \(q_s\) can be as large as \(2^{30}\) in practice. All unique signature schemes and efficiently re-randomizable signature schemes are concluded to be accompanied with loose reductions from these impossibility results.
Somewhat surprisingly, in contrast to previous impossibility results (Coron, Eurocrypt 2002; Hofheinz et al. PKC 2012; Bader et al. Eurocrypt 2016), in this work we show that without changing the assumption type and security model, it is not always the case that any security reduction must loose a factor of at least \(q_s\). As a counterexample, we propose a unique signature scheme with a tight reduction in the EU-CMA security model under the Computational Diffie-Hellman (CDH) assumption. Precisely, in the random oracle model, we can program a security reduction with a loss factor of at most \(nq^{1/{n}}\), where n can be any integer independent of the security parameter for the scheme construction and q is the number of hash queries to random oracles. The loss factor in our reduction can be very small. Considering \(n=25\) and \(q=2^{50}\) as an example, the loss factor is of at most \(nq^{1/{n}}=100\) and therefore our security reduction is tight.
Notice that the previous impossibility results are derived from proofs via a so-called meta-reduction technique. We stress that instead of indicating any flaw in their meta-reduction proofs, our counterexample merely demonstrates that their given meta-reduction proofs fail to capture all security reductions. More precisely, we adopt a reduction called query-based reduction, where the reduction uses a hash query from the adversary to solve an underlying hard problem. We show that the meta-reduction proofs break down in our query-based reduction. The query-based reduction is not a new notion and it has been adopted for encryption proofs, but this work is the first seminal approach for applying query-based reduction in digital signatures.
The given counterexample in this work is of an independent interest as it implies a generic way of constructing a digital signature scheme (including unique signatures) with a tight reduction in the random oracle model from a digital signature scheme with a loose reduction. Although our proposed methodology is somewhat impractical due to the inefficiency of signature length, it introduces a completely new approach for tight proofs that is different from traditional approaches using a random salt.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

  • über 102.000 Bücher
  • über 537 Zeitschriften

aus folgenden Fachgebieten:

  • Automobil + Motoren
  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Elektrotechnik + Elektronik
  • Energie + Nachhaltigkeit
  • Finance + Banking
  • Management + Führung
  • Marketing + Vertrieb
  • Maschinenbau + Werkstoffe
  • Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

  • über 67.000 Bücher
  • über 390 Zeitschriften

aus folgenden Fachgebieten:

  • Automobil + Motoren
  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Elektrotechnik + Elektronik
  • Energie + Nachhaltigkeit
  • Maschinenbau + Werkstoffe




 

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

  • über 67.000 Bücher
  • über 340 Zeitschriften

aus folgenden Fachgebieten:

  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Finance + Banking
  • Management + Führung
  • Marketing + Vertrieb
  • Versicherung + Risiko




Jetzt Wissensvorsprung sichern!

inform now
previous chapter LPN Decoded
next chapter Compact Structure-Preserving Signatures with Almost Tight Security
Footnotes
1
Kakvi and Kiltz in [16] proposed a conceptual level FDH (Full Domain Hash) unique signature scheme with a tight reduction. The proposed RSA-FDH scheme is a unique signature, while the reduction uses a fake but indistinguishable public key in the simulation such that the simulated RSA-FDH signatures are no longer unique. We note that both real signature scheme and simulated signature scheme in our counterexample are unique signatures.
 
2
For easy understanding, we assume \(q^{\frac{1}{2}}\) and \(q^{\frac{1}{n}}\) are both integers for the query number q and the given number n in discussions.
 
3
We emphasize that the corresponding security reduction is different when the adopted block signature is changed. In particular, how to simulate a block signature and how to solve a hard problem are dependent on the block signature. However, the reduction method with a tight reduction is the same.
 
4
This can be done via encoding to make sure m does not contain the concatenation notation. For example, each bit \(X\in \{0,1\}\) of message and block signatures will be encoded into “0X” and the concatenation notation is represented using “11” such that the whole bit string as input to the hash function looks like ‘\(0X_10X_20X_3110X_40X_5\)”, where \(X_1X_2X_3\) is the message and \(X_4X_5\) is the block signature. We can force the scheme to use this encoding before hashing and signature generation. In the security proof, if a query made by the adversary does not use this encoding, this query is a query with an invalid structure and the simulator will randomly respond to the hash query because it will not be used in signature query or signature forgery.
 
5
The word “contain” here means that a group element can be extracted from another group element. For example, \(H(x)=(g^b)^z\) where \(z\in \mathbb {Z}^*_p\) is a random number chosen by the simulator. Then, we have \(g^{ab}\) can be extracted from \(H(x)^{\alpha }\) by computing \((H(x)^{\alpha })^{\frac{1}{z}}\).
 
6
The adversary can forge a valid signature via randomly choosing group elements as the forged signature without making the corresponding hash queries. However, the success probability is less than 1 / p. The actual probability of making such a hash query is \(\epsilon -1/{p}\). Since 1 / p is negligible compared to \(\epsilon \), we simplify the probability \(\epsilon -1/{p}\) into \(\epsilon \).
 
Literature
1.
Abdalla, M., Bellare, M., Rogaway, P.: The oracle diffie-hellman assumptions and an analysis of DHIES. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 143–158. Springer, Heidelberg (2001). doi:10.​1007/​3-540-45353-9_​12 CrossRef
2.
Abdalla, M., Fouque, P.-A., Lyubashevsky, V., Tibouchi, M.: Tightly-secure signatures from lossy identification schemes. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 572–590. Springer, Heidelberg (2012). doi:10.​1007/​978-3-642-29011-4_​34 CrossRef
3.
Bader, C., Jager, T., Li, Y., Schäge, S.: On the impossibility of tight cryptographic reductions. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 273–304. Springer, Heidelberg (2016). doi:10.​1007/​978-3-662-49896-5_​10 CrossRef
4.
Bellare, M., Rogaway, P.: The exact security of digital signatures-how to sign with RSA and rabin. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996). doi:10.​1007/​3-540-68339-9_​34
5.
6.
Blazy, O., Kakvi, S.A., Kiltz, E., Pan, J.: Tightly-secure signatures from chameleon hash functions. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 256–279. Springer, Heidelberg (2015). doi:10.​1007/​978-3-662-46447-2_​12
7.
8.
9.
Chevallier-Mames, B., Joye, M.: A practical and tightly secure signature scheme without hash function. In: Abe, M. (ed.) CT-RSA 2007. LNCS, vol. 4377, pp. 339–356. Springer, Heidelberg (2006). doi:10.​1007/​11967668_​22 CrossRef
10.
11.
Goh, E., Jarecki, S., Katz, J., Wang, N.: Efficient signature schemes with tight reductions to the diffie-hellman problems. J. Cryptol. 20(4), 493–514 (2007)MathSciNetCrossRefMATH
12.
Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988)MathSciNetCrossRefMATH
13.
Guo, F., Susilo, W., Mu, Y., Chen, R., Lai, J., Yang, G.: Iterated random oracle: a universal approach for finding loss in security reduction. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 745–776. Springer, Heidelberg (2016). doi:10.​1007/​978-3-662-53890-6_​25 CrossRef
14.
15.
Hofheinz, D., Jager, T., Knapp, E.: Waters signatures with optimal security reduction. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 66–83. Springer, Heidelberg (2012). doi:10.​1007/​978-3-642-30057-8_​5 CrossRef
16.
Kakvi, S.A., Kiltz, E.: Optimal security proofs for full domain hash, revisited. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 537–553. Springer, Heidelberg (2012). doi:10.​1007/​978-3-642-29011-4_​32 CrossRef
17.
Katz, J., Wang, N.: Efficiency improvements for signature schemes with tight security reductions. In: Jajodia, S., Atluri, V., Jaeger, T. (eds.) CCS 2003, pp. 155–164. ACM (2003)
18.
Luu, L., Narayanan, V., Zheng, C., Baweja, K., Gilbert, S., Saxena, P.: A secure sharding protocol for open blockchains. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) ACM Conference on Computer and Communications Security 2016, pp. 17–30. ACM (2016)
19.
20.
Zhang, F., Safavi-Naini, R., Susilo, W.: An efficient signature scheme from bilinear pairings and its applications. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 277–290. Springer, Heidelberg (2004). doi:10.​1007/​978-3-540-24632-9_​20 CrossRef
Metadata
Title
Optimal Security Reductions for Unique Signatures: Bypassing Impossibilities with a Counterexample
Authors
Fuchun Guo
Rongmao Chen
Willy Susilo
Jianchang Lai
Guomin Yang
Yi Mu
Copyright Year
2017
Book
Advances in Cryptology – CRYPTO 2017

Print ISBN: 978-3-319-63714-3

Electronic ISBN: 978-3-319-63715-0

Copyright Year: 2017

DOI
https://doi.org/10.1007/978-3-319-63715-0_18

Premium Partner

    Image Credits