Masayuki Fukumitsu Hokkaido Information University, Japan

1 Black-Box Separations on Fiat-Shamir-Type Signatures in the Non-Programmable Random Oracle Model
Masayuki Fukumitsu, Hokkaido Information University, Japan
Shingo Hasegawa, Tohoku University, Japan
2019/2/22 ISC2015

2 Fiat-Shamir (FS) Transformation
Method of deriving a signature from a 3-move ID scheme, e.g. Schnorr signature [37], Guillou-Quisquater signature [27]
[27] L.C. Guillou and J.J. Quisquater, “A Practical Zero-Knowledge Protocol Fitted to Security Microprocessor Minimizing Both Transmission and Memory,” Proc. Eurocrypt’88, pp.123–128, 1988.
[37] C. Schnorr, “Efficient Signature Generation by Smart Cards,” J. Cryptology, vol.4, no.3, pp.161–174, 1991.

3 Security Proofs of FS-Type Signature
Provable security in the random oracle model (ROM)
Reference | Property of underlying ID scheme | Provable Security of the Signature
[36] | honest-verifier ZK-proof of knowledge | EUF-CMA
[1] | imp-pa secure | EUF-CMA
[1] M. Abdalla, J.H. An, M. Bellare, and C. Namprempre, “From Identification to Signatures via the Fiat-Shamir Transform: Minimizing Assumptions for Security and Forward-Security,” Proc. EUROCRYPT 2002, pp.418–433, 2002.
[36] D. Pointcheval and J. Stern, “Security Arguments for Digital Signatures and Blind Signatures,” J. Cryptology, vol.13, no.3, pp.361–396, 2000.

4 Security Proofs of FS-Type Signature
Security Proof in Standard Model [34]: OM-DL (One-More Discrete Logarithm) assumption holds ⇒ the Schnorr signature cannot be proven to be EUF-CMA in the Standard Model from the DL assumption via an algebraic reduction.
Such an impossibility is proven for other FS-type signatures, e.g. the GQ signature.
[34] P. Paillier and D. Vergnaud, “Discrete-Log-Based Signatures May Not Be Equivalent to Discrete Log,” Proc. ASIACRYPT 2005, pp.1–20, 2005.

5 Difference between Standard Model and ROM
Model | Proving the Security | Programming Technique
ROM | Possible [1, 36] | Possible
Standard Model | Impossible (conditional) [34] | Impossible
Programming Technique: the reduction programs hash values of the random oracle. Many functions in the Standard Model seem not to satisfy this property completely.
Reduction: aims to prove the security of the signatures from the underlying cryptographic assumption.

6 Security Proofs in an Intermediate Model
An intermediate model between the ROM and the Standard Model was also introduced [20, 31].
The random oracle outputs a hash value as in the ROM, but is dealt with as an independent party ⇒ the programming technique is prohibited.
Model | Provable Security
ROM | Possible [1, 36]
NPROM (Non-Programmable ROM) | ?
Standard Model | Impossible (conditional) [34]
[20] J.B. Nielsen, “Separating Random Oracle Proofs from Complexity Theoretic Proofs: the Non-Committing Encryption Case,” Proc. CRYPTO, LNCS, pp.111–126, 2002.
[31] M. Fischlin, A. Lehmann, T. Ristenpart, T. Shrimpton, M. Stam, and S. Tessaro, “Random Oracles with(out) Programmability,” Proc. ASIACRYPT 2010, pp.303–320, 2010.

7 Impossibility in NPROM
Fischlin and Fleischhacker [19] gave an impossibility in the NPROM.
Model | Proving the Security
ROM | Possible [1, 36]
NPROM (Non-Programmable ROM) | Impossible (conditional) [19]
Standard Model | Impossible (conditional) [34]
[19] M. Fischlin and N. Fleischhacker, “Limitations of the Meta-reduction Technique: The Case of Schnorr Signatures,” Proc. EUROCRYPT 2013, pp.444–460, 2013.

8 Impossibility in the NPROM
FF Impossibility Result [19, Theorem 2]: OM-DL assumption holds ⇒ the Schnorr signature cannot be proven to be EUF-CMA in the NPROM from the DL assumption via a single-instance reduction.
Single-instance reduction: the reduction invokes a forger once, but rewinds it many times.
Their impossibility is applicable to FS-type signatures if these satisfy the two conditions [19, Remark 3]:
- the related OM assumption holds
- one component secret key is related to the cryptographic assumption from which the security of the signature is proven in the ROM

9 First Question: Security of Any FS-type Signature in NPROM
FS-type signatures in the NPROM:
- FF Conditions [19]: Schnorr signature, GQ signature, … : Impossible
- Okamoto signature [25], KW signature [32], … : ?
Question: Can one prove the impossibility for any FS-type signature in the NPROM?
[25] E.J. Goh, S. Jarecki, J. Katz, N. Wang, “Efficient signature schemes with tight reductions to the Diffie-Hellman problems,” J. Cryptology, vol.20, no.4, pp.493–514, 2007.
[32] T. Okamoto, “Provably secure and practical identification schemes and corresponding signature schemes,” Proc. CRYPTO 1992, pp.31–53, 1993.

10 First Question: Approach
Approach of FF Impossibility: proving the impossibility of specific FS-type signatures by concrete conditions adapted to them ⇒ their result is applicable only to some specific signatures.
On the other hand,
Our Approach: aim to find some “abstract conditions” to prove the impossibility of any FS-type signature.

11 First Result: Impossibility for Any FS-type Signature
Find conditions on:
- the underlying ID scheme: imp-aa security of the ID scheme
- the type of reductions: key-preserving reduction
Theorem 1: The underlying ID scheme is imp-aa secure ⇒ the FS-type signature cannot be proven to be EUF-KOA in the NPROM from the imp-pa security of the ID scheme via a key-preserving reduction.

12 First Result: About Our Conditions
imp-aa security of the underlying ID scheme: most ID schemes are proven to be imp-ca secure, e.g. Schnorr ID, GQ ID, Okamoto ID [32], KW ID
Key-preserving reduction: many reductions are described as key-preserving, e.g. FS-type signatures in the ROM [1, 36]
These conditions seem to be reasonable.

13 First Result: Impossibility for Any FS-type Signature
FS-type signatures in the NPROM:
- Our Conditions: Impossible
- FF Conditions [19]: Schnorr signature, GQ signature, … : Impossible
- Okamoto signature [25], KW signature [32], …
The security of many FS-type signatures cannot be proven only by ordinary proof techniques.

14 Second Question: Impossibility from DL Assumption
FF Impossibility Result [19, Theorem 2]: OM-DL assumption holds ⇒ the Schnorr signature cannot be proven to be EUF-CMA in the NPROM from the DL assumption via a single-instance reduction.
Their impossibility result is proven from the OM-DL assumption.
Question [19]: Can one prove the impossibility even from a weaker assumption, e.g. the DL assumption?

15 Second Question: Impossibility from DL Assumption
Advantage of Proving Impossibility from DL Assumption
Case: the OM-DL assumption does not hold, but the DL assumption holds
 | [19, Theorem 2] | Desired
Assumption | OM-DL assumption | DL assumption
Provable security of Schnorr signature | ? | Remains impossible
However: it is impossible to prove the impossibility from the DL assumption [9].
The impossibility from the DL assumption may not hold as far as a non-key-preserving reduction is concerned.

16 Second Result: Impossibility from DL Assumption
Theorem 4: DL assumption holds ⇒ the Schnorr signature cannot be proven to be EUF-CMA in the NPROM from the DL assumption via a single-instance key-preserving reduction.
 | [19, Theorem 3] | [ours, Theorem 4]
Type of reductions | Non-Key-Preserving | Single-Instance Key-Preserving
Proving the impossibility | impossible | possible

17 Second Result: Impossibility from DL Assumption
Our incompatibility result indicates that the EUF-CMA security of the Schnorr signature and the DL assumption are incompatible (single-instance key-preserving reduction).
The security of the Schnorr signature is proven in the NPROM from the DL assumption if and only if the DL assumption does not hold.

18 Agenda
- Introduction
- Preliminaries
- Impossibility of Proving the Security of FS-Type Signatures in the NPROM
- Security Incompatibility Between the DL Assumption and the EUF-CMA Security of the Schnorr Signature in the NPROM
- Concluding Remarks

19 Digital Signature Scheme
A signature is EUF-KOA if there is no PPT forger which wins the game.

20 Digital Signature Scheme
A signature is EUF-CMA if there is no PPT forger which wins the game.

21 ID Scheme
An ID scheme is imp-pa secure [1, 5, 6]
[Transcript Oracle]
[5] M. Bellare, C. Namprempre, and G. Neven, “Security Proofs for Identity-Based Identification and Signature Schemes,” J. Cryptology, vol.22, no.1, pp.1–61, 2009.
[6] M. Bellare and A. Palacio, “GQ and Schnorr Identification Schemes: Proofs of Security Against Impersonation under Active and Concurrent Attacks,” Proc. CRYPTO 2002, LNCS, vol.2442, pp.162–177, 2002.

22 An ID scheme is imp-aa secure [1, 5, 6]
[Prover Oracle]

23 Fiat-Shamir Transformation [18]
[18] A. Fiat and A. Shamir, “How to Prove Yourself: Practical Solutions to Identification and Signature Problems,” Proc. CRYPTO’86, pp.186–194, 1987.

24 Agenda
- Introduction
- Preliminaries
- Impossibility of Proving the Security of FS-Type Signatures in the NPROM
- Security Incompatibility Between the DL Assumption and the EUF-CMA Security of the Schnorr Signature in the NPROM
- Concluding Remarks

25 Statement of Our Impossibility Result
Theorem 1: “An FS-type signature is proven to be EUF-KOA in the NPROM from the imp-pa security of the underlying ID scheme via a key-preserving reduction” ⇒ The ID scheme is not imp-aa secure.

26 Statement of Our Impossibility Result
“An FS-type signature is proven to be EUF-KOA in the NPROM from the imp-pa security of the underlying ID scheme via a key-preserving reduction”
There exists the PPT reduction.

27 Statement of Our Impossibility Result
In the NPROM, the hash value is obtained from the random oracle.
※ is prohibited to simulate RO
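
The Fiat-Shamir transformation of the Schnorr ID scheme and the programming technique that the NPROM prohibits, as an added example that is not part of the original presentation. The toy group parameters and the names RandomOracle and simulate_signature are constructed for illustration.

```python
import secrets

# Constructed toy Schnorr group (far too small for real use): P = 2Q + 1, G has order Q.
P, Q, G = 2039, 1019, 4

class RandomOracle:
    """Lazily sampled random function. program() exists only in the programmable ROM."""
    def __init__(self, programmable):
        self.table = {}
        self.programmable = programmable

    def query(self, R, m):
        # Fresh inputs get a uniform challenge; repeated inputs get the same answer.
        if (R, m) not in self.table:
            self.table[(R, m)] = secrets.randbelow(Q)
        return self.table[(R, m)]

    def program(self, R, m, c):
        # In the NPROM the oracle is an independent party: nobody may set its outputs.
        if not self.programmable:
            raise PermissionError("NPROM: programming the random oracle is prohibited")
        if (R, m) in self.table:
            raise ValueError("point already defined")
        self.table[(R, m)] = c

def keygen():
    x = secrets.randbelow(Q - 1) + 1          # secret key
    return x, pow(G, x, P)                    # (sk, pk = G^x)

def sign(x, m, H):
    # 3-move Schnorr ID made non-interactive: the verifier's challenge becomes H(R, m).
    r = secrets.randbelow(Q)
    R = pow(G, r, P)                          # move 1: commitment
    c = H.query(R, m)                         # move 2: challenge from the oracle
    return R, (r + c * x) % Q                 # move 3: response

def verify(y, m, sig, H):
    R, s = sig
    return pow(G, s, P) == R * pow(y, H.query(R, m), P) % P

def simulate_signature(y, m, H):
    # What a ROM reduction does to answer signing queries without x:
    # pick (c, s) first, solve G^s = R * y^c for R, then program H(R, m) := c.
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    R = pow(G, s, P) * pow(y, Q - c, P) % P   # y has order Q, so y^(Q-c) = y^(-c)
    H.program(R, m, c)
    return R, s
```

With `RandomOracle(programmable=True)` the simulated signature verifies without the secret key; with `programmable=False` the same call raises, which is the restriction the NPROM places on a reduction.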

28 Proof Sketch of Theorem 1
Idea
Assumption: There exists a key-preserving reduction that wins the imp-pa game by accessing a winning EUF-KOA forger.
Goal: Construct a meta-reduction that wins the imp-aa game.

29 Proof Sketch of Theorem 1
Hypothetical Forger

30 Proof Sketch of Theorem 1
[Figure; surviving labels: "Construction of", "simulate", "How to Simulate?"]

31 Proof Sketch of Theorem 1
[Figure; surviving labels: "[Prover Oracle]", "simulate"]

32 Agenda
- Introduction
- Preliminaries
- Impossibility of Proving the Security of FS-Type Signatures in the NPROM
- Security Incompatibility Between the DL Assumption and the EUF-CMA Security of the Schnorr Signature in the NPROM
- Concluding Remarks

33 Impossibility Result from DL Assumption
Theorem 4: “The Schnorr signature is proven to be EUF-CMA in the NPROM from the DL assumption via a single-instance key-preserving reduction” ⇒ The DL assumption does not hold.
It can be proven in a similar manner to [19, Theorem 2].

34 Agenda
- Introduction
- Preliminaries
- Impossibility of Proving the Security of FS-Type Signatures in the NPROM
- Security Incompatibility Between the DL Assumption and the EUF-CMA Security of the Schnorr Signature in the NPROM
- Concluding Remarks

35 First Result: Impossibility for Any FS-type Signature
FS-type signatures in the NPROM:
- Our Conditions: Impossible
- FF Conditions [19]: Schnorr signature, GQ signature, … : Impossible
- Okamoto signature [25], KW signature [32], …
The security of many FS-type signatures cannot be proven only by ordinary proof techniques.

36 Second Result: Impossibility from DL Assumption
Theorem 4: DL assumption holds ⇒ the Schnorr signature cannot be proven to be EUF-CMA in the NPROM from the DL assumption via a single-instance key-preserving reduction.
 | [19, Theorem 3] | [ours, Theorem 4]
Type of reductions | Non-Key-Preserving | Single-Instance Key-Preserving
Proving the impossibility | impossible | possible

