Masayuki Fukumitsu Hokkaido Information University, Japan


Black-Box Separations on Fiat-Shamir-Type Signatures in the Non-Programmable Random Oracle Model
Masayuki Fukumitsu, Hokkaido Information University, Japan
Shingo Hasegawa, Tohoku University, Japan
2019/2/22 ISC2015

Fiat-Shamir (FS) Transformation
Method of deriving a signature from a 3-move ID scheme
e.g.: Schnorr signature [37], Guillou-Quisquater signature [27]
[27] L.C. Guillou and J.J. Quisquater, "A Practical Zero-Knowledge Protocol Fitted to Security Microprocessor Minimizing Both Transmission and Memory," Proc. Eurocrypt'88, pp.123–128, 1988.
[37] C. Schnorr, "Efficient Signature Generation by Smart Cards," J. Cryptology, vol.4, no.3, pp.161–174, 1991.

Security Proofs of FS-Type Signature
Provable security in the random oracle model (ROM):

     Property of underlying ID scheme            Provable Security of the Signature
[36] honest-verifier ZK proof of knowledge   ⇒   EUF-CMA
[1]  imp-pa secure                           ⇒   EUF-CMA

[1] M. Abdalla, J.H. An, M. Bellare, and C. Namprempre, "From Identification to Signatures via the Fiat-Shamir Transform: Minimizing Assumptions for Security and Forward-Security," Proc. EUROCRYPT 2002, pp.418–433, 2002.
[36] D. Pointcheval and J. Stern, "Security Arguments for Digital Signatures and Blind Signatures," J. Cryptology, vol.13, no.3, pp.361–396, 2000.

Security Proofs of FS-Type Signature
Security proof in the Standard Model [34]:
OM-DL (One-More Discrete Logarithm) assumption holds ⇒ Schnorr signature cannot be proven to be EUF-CMA in the Standard Model from the DL assumption via an algebraic reduction.
Such an impossibility is proven for the other FS-type signatures, e.g. the GQ signature.
[34] P. Paillier and D. Vergnaud, "Discrete-Log-Based Signatures May Not Be Equivalent to Discrete Log," Proc. ASIACRYPT 2005, pp.1–20, 2005.

Difference between Standard Model and ROM

Model            Proving the Security            Programming Technique
ROM              Possible [1, 36]                Possible
Standard Model   Impossible (conditional) [34]   Impossible

Reduction: aims to prove the security of the signatures from the underlying cryptographic assumption.
Programming Technique: the reduction programs hash values of the random oracle. Many functions in the Standard Model seem not to satisfy this property completely.

Security Proofs in an Intermediate Model
An intermediate model between the ROM and the Standard Model was also introduced [20, 31]: the Non-Programmable ROM (NPROM).
The random oracle outputs a hash value as in the ROM, but it is dealt with by an independent party ⇒ the programming technique is prohibited.

Model            Provable Security
ROM              Possible [1, 36]
NPROM            ?
Standard Model   Impossible (conditional) [34]

[20] J.B. Nielsen, "Separating Random Oracle Proofs from Complexity Theoretic Proofs: the Non-Committing Encryption Case," Proc. CRYPTO 2002, LNCS, pp.111–126, 2002.
[31] M. Fischlin, A. Lehmann, T. Ristenpart, T. Shrimpton, M. Stam, and S. Tessaro, "Random Oracles with(out) Programmability," Proc. ASIACRYPT 2010, pp.303–320, 2010.

Impossibility in NPROM
Fischlin and Fleischhacker [19] gave an impossibility in the NPROM.

Model            Proving the Security
ROM              Possible [1, 36]
NPROM            Impossible (conditional) [19]
Standard Model   Impossible (conditional) [34]

[19] M. Fischlin and N. Fleischhacker, "Limitations of the Meta-reduction Technique: The Case of Schnorr Signatures," Proc. EUROCRYPT 2013, pp.444–460, 2013.

Impossibility in the NPROM
FF Impossibility Result [19, Theorem 2]:
OM-DL assumption holds ⇒ Schnorr signature cannot be proven to be EUF-CMA in the NPROM from the DL assumption via a single-instance reduction.
(A single-instance reduction invokes a forger once, but may rewind it many times.)
Their impossibility is applicable to FS-type signatures if these satisfy two conditions [19, Remark 3]:
(1) the related OM assumption holds;
(2) one component of the secret key is related to the cryptographic assumption from which the security of the signature is proven in the ROM.

First Question: Security of Any FS-type Signature in NPROM
FS-type signatures in the NPROM:
- satisfying the FF conditions [19] (Schnorr signature, GQ signature, ...): Impossible
- others (Okamoto signature [32], KW signature [25], ...): ?
Question: Can one prove the impossibility for any FS-type signature in the NPROM?
[25] E.J. Goh, S. Jarecki, J. Katz, and N. Wang, "Efficient signature schemes with tight reductions to the Diffie-Hellman problems," J. Cryptology, vol.20, no.4, pp.493–514, 2007.
[32] T. Okamoto, "Provably secure and practical identification schemes and corresponding signature schemes," Proc. CRYPTO 1992, pp.31–53, 1993.

First Question: Approach
Approach of the FF impossibility: prove the impossibility of a specific FS-type signature via concrete conditions tailored to it ⇒ their result is applicable only to some specific signatures.
Our approach, on the other hand: find some "abstract conditions" under which the impossibility of any FS-type signature can be proven.

First Result: Impossibility for Any FS-type Signature
Find conditions on
- the underlying ID scheme: imp-aa security of the ID scheme
- the type of reductions: key-preserving reduction
Theorem 1: Underlying ID scheme is imp-aa secure ⇒ FS-type signature cannot be proven to be EUF-KOA in the NPROM from the imp-pa security of the ID scheme via a key-preserving reduction.

First Result: About Our Conditions
imp-aa security of the underlying ID scheme: most ID schemes are proven to be imp-ca secure, e.g. Schnorr ID, GQ ID, Okamoto ID [32], KW ID.
Key-preserving reduction: many reductions are described as key-preserving, e.g. those for FS-type signatures in the ROM [1, 36].
These conditions seem to be reasonable.

First Result: Impossibility for Any FS-type Signature
FS-type signatures in the NPROM:
- satisfying the FF conditions [19] (Schnorr signature, GQ signature, ...): Impossible
- satisfying our conditions (Okamoto signature [32], KW signature [25], ...): Impossible
The security of many FS-type signatures cannot be proven only by ordinary proof techniques.

Second Question: Impossibility from DL Assumption
FF Impossibility Result [19, Theorem 2]: OM-DL assumption holds ⇒ Schnorr signature cannot be proven to be EUF-CMA in the NPROM from the DL assumption via a single-instance reduction.
Their impossibility result is proven from the OM-DL assumption.
Question [19]: Can one prove the impossibility even from a weaker assumption, e.g. the DL assumption?

Second Question: Impossibility from DL Assumption
Advantage of proving the impossibility from the DL assumption: it covers the case where the OM-DL assumption does not hold but the DL assumption holds.

Assumption          Provable security of Schnorr signature
OM-DL assumption    Impossible [19, Theorem 2]
DL assumption       ?  (desired: remains impossible)

However: Impossible to prove the impossibility from the DL assumption [9]. The impossibility from the DL assumption may not hold as far as a non-key-preserving reduction is concerned.

Second Result: Impossibility from DL Assumption
Theorem 4: DL assumption holds ⇒ Schnorr signature cannot be proven to be EUF-CMA in the NPROM from the DL assumption via a single-instance key-preserving reduction.

Type of reductions          Non-Key-Preserving [19, Theorem 3]   Single-Instance Key-Preserving [ours, Theorem 4]
Proving the impossibility   impossible                           possible

Second Result: Impossibility from DL Assumption
Our incompatibility result indicates that the EUF-CMA security of the Schnorr signature and the DL assumption are incompatible (with respect to single-instance key-preserving reductions):
the security of the Schnorr signature is proven in the NPROM from the DL assumption if and only if the DL assumption does not hold.

Agenda
Introduction
Preliminaries
Impossibility of Proving the Security of FS-Type Signatures in the NPROM
Security Incompatibility Between the DL Assumption and the EUF-CMA Security of the Schnorr Signature in the NPROM
Concluding Remarks

Digital Signature Scheme
A signature is EUF-KOA if there is no PPT forger which wins the game (the EUF-KOA game is shown as a figure).

Digital Signature Scheme
A signature is EUF-CMA if there is no PPT forger which wins the game (the EUF-CMA game is shown as a figure).

ID Scheme
An ID scheme is imp-pa secure [1, 5, 6] (the game, with a Transcript Oracle, is shown as a figure).
[5] M. Bellare, C. Namprempre, and G. Neven, "Security Proofs for Identity-Based Identification and Signature Schemes," J. Cryptology, vol.22, no.1, pp.1–61, 2009.
[6] M. Bellare and A. Palacio, "GQ and Schnorr Identification Schemes: Proofs of Security Against Impersonation under Active and Concurrent Attacks," Proc. CRYPTO 2002, LNCS, vol.2442, pp.162–177, 2002.

ID Scheme
An ID scheme is imp-aa secure [1, 5, 6] (the game, with a Prover Oracle, is shown as a figure).

Fiat-Shamir Transformation [18] (shown as a figure)
[18] A. Fiat and A. Shamir, "How to Prove Yourself: Practical Solutions to Identification and Signature Problems," Proc. CRYPTO'86, pp.186–194, 1987.
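Added example (not from the slides or the authors' work) of the 3-move Schnorr ID scheme and the Fiat-Shamir transform that the two FS slides describe, written in Python over a constructed toy group (p = 2039, q = 1019, g = 4, far too small for real use); the honest-verifier simulator at the end produces the kind of transcripts a reduction uses to answer the imp-pa Transcript Oracle without the secret key.

```python
import hashlib
import secrets

# Constructed toy parameters for illustration only (far too small for real use):
# p = 2q + 1 is a safe prime and g = 4 generates the order-q subgroup of Z_p^*.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1          # secret key x in [1, q-1]
    return x, pow(G, x, P)                    # (sk, pk = g^x mod p)

# --- 3-move identification scheme: commit, challenge, respond ---
def id_commit():
    r = secrets.randbelow(Q)                  # prover's ephemeral randomness
    return r, pow(G, r, P)                    # keep r, send commitment a = g^r

def id_challenge():
    return secrets.randbelow(Q)               # verifier's random challenge c

def id_respond(x, r, c):
    return (r + c * x) % Q                    # response z = r + c*x mod q

def id_verify(y, a, c, z):
    return pow(G, z, P) == (a * pow(y, c, P)) % P   # check g^z == a * y^c

# --- Fiat-Shamir transform: the verifier's challenge becomes H(a, m) ---
def fs_hash(a, m):
    digest = hashlib.sha256(f"{a}|".encode() + m).digest()
    return int.from_bytes(digest, "big") % Q  # models the random-oracle query

def fs_sign(x, m):
    r, a = id_commit()
    return a, id_respond(x, r, fs_hash(a, m))  # signature (a, z)

def fs_verify(y, m, sig):
    a, z = sig
    return id_verify(y, a, fs_hash(a, m), z)

# Honest-verifier ZK simulator: valid transcripts without the secret key,
# which is how a reduction can answer the imp-pa Transcript Oracle.
def simulate_transcript(y):
    c, z = secrets.randbelow(Q), secrets.randbelow(Q)
    a = (pow(G, z, P) * pow(y, (Q - c) % Q, P)) % P   # a = g^z * y^(-c)
    return a, c, z
```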


Statement of Our Impossibility Result
Theorem 1: "An FS-type signature is proven to be EUF-KOA in the NPROM from the imp-pa security of the underlying ID scheme via a key-preserving reduction" ⇒ the ID scheme is not imp-aa secure.

Statement of Our Impossibility Result
"An FS-type signature is proven to be EUF-KOA in the NPROM from the imp-pa security of the underlying ID scheme via a key-preserving reduction" means: there exists such a PPT reduction.

Statement of Our Impossibility Result
In the NPROM, hash values are obtained from the random oracle.
※ The reduction is prohibited from simulating the RO.

Proof Sketch of Theorem 1: Idea
Assumption: there exists a key-preserving reduction that wins the imp-pa game by accessing a winning EUF-KOA forger.
Goal: construct a meta-reduction that wins the imp-aa game.

Proof Sketch of Theorem 1 (figure slides): Hypothetical Forger; Construction of the meta-reduction and How to Simulate?; simulation using the Prover Oracle.


Impossibility Result from DL Assumption
Theorem 4: "Schnorr signature is proven to be EUF-CMA in the NPROM from the DL assumption via a single-instance key-preserving reduction" ⇒ the DL assumption does not hold.
It can be proven in a similar manner to [19, Theorem 2].
