Tighter Security for Schnorr Identification and Signatures: A High-Moment Forking Lemma for $$\varvec{\Sigma }$$ -Protocols

IF 2.3 3区 计算机科学 Q2 COMPUTER SCIENCE, THEORY & METHODS Journal of Cryptology Pub Date : 2024-06-06 DOI:10.1007/s00145-024-09506-5
Lior Rotem, Gil Segev
{"title":"Tighter Security for Schnorr Identification and Signatures: A High-Moment Forking Lemma for $$\\varvec{\\Sigma }$$ -Protocols","authors":"Lior Rotem, Gil Segev","doi":"10.1007/s00145-024-09506-5","DOIUrl":null,"url":null,"abstract":"<p>The Schnorr identification and signature schemes have been among the most influential cryptographic protocols of the past 3 decades. Unfortunately, although the best-known attacks on these two schemes are via discrete logarithm computation, the known approaches for basing their security on the hardness of the discrete logarithm problem encounter the “square-root barrier.” In particular, in any group of order <i>p</i> where Shoup’s generic hardness result for the discrete logarithm problem is believed to hold (and is thus used for setting concrete security parameters), the best-known <i>t</i>-time attacks on the Schnorr identification and signature schemes have success probability <span>\\(t^2/p\\)</span>, whereas existing proofs of security only rule out attacks with success probabilities <span>\\((t^2/p)^{1/2}\\)</span> and <span>\\((q_{\\textsf{H}} \\cdot t^2/p)^{1/2}\\)</span>, respectively, where <span>\\(q_{\\textsf{H}}\\)</span> denotes the number of random oracle queries issued by the attacker. We establish tighter security guarantees for identification and signature schemes which result from <span>\\(\\Sigma \\)</span>-protocols with special soundness based on the hardness of their underlying relation, and in particular for Schnorr’s schemes based on the hardness of the discrete logarithm problem. We circumvent the square-root barrier by introducing a high-moment generalization of the classic forking lemma, relying on the assumption that the underlying relation is “<i>d</i>-moment hard”: The success probability of any algorithm in the task of producing a witness for a random instance is dominated by the <i>d</i>th moment of the algorithm’s running time. In the concrete context of the discrete logarithm problem, already Shoup’s original proof shows that the discrete logarithm problem is 2-moment hard in the generic group model, and thus, our assumption can be viewed as a highly plausible strengthening of the discrete logarithm assumption in any group where no better-than-generic algorithms are currently known. Applying our high-moment forking lemma in this context shows that, assuming the 2-moment hardness of the discrete logarithm problem, any <i>t</i>-time attacker breaks the security of the Schnorr identification and signature schemes with probabilities at most <span>\\((t^2/p)^{2/3}\\)</span> and <span>\\((q_\\textsf{H}\\cdot t^2/p)^{2/3}\\)</span>, respectively.</p>","PeriodicalId":54849,"journal":{"name":"Journal of Cryptology","volume":"27 1","pages":""},"PeriodicalIF":2.3000,"publicationDate":"2024-06-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Cryptology","FirstCategoryId":"94","ListUrlMain":"https://doi.org/10.1007/s00145-024-09506-5","RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, THEORY & METHODS","Score":null,"Total":0}
引用次数: 0

Abstract

The Schnorr identification and signature schemes have been among the most influential cryptographic protocols of the past 3 decades. Unfortunately, although the best-known attacks on these two schemes are via discrete logarithm computation, the known approaches for basing their security on the hardness of the discrete logarithm problem encounter the “square-root barrier.” In particular, in any group of order p where Shoup’s generic hardness result for the discrete logarithm problem is believed to hold (and is thus used for setting concrete security parameters), the best-known t-time attacks on the Schnorr identification and signature schemes have success probability \(t^2/p\), whereas existing proofs of security only rule out attacks with success probabilities \((t^2/p)^{1/2}\) and \((q_{\textsf{H}} \cdot t^2/p)^{1/2}\), respectively, where \(q_{\textsf{H}}\) denotes the number of random oracle queries issued by the attacker. We establish tighter security guarantees for identification and signature schemes which result from \(\Sigma \)-protocols with special soundness based on the hardness of their underlying relation, and in particular for Schnorr’s schemes based on the hardness of the discrete logarithm problem. We circumvent the square-root barrier by introducing a high-moment generalization of the classic forking lemma, relying on the assumption that the underlying relation is “d-moment hard”: The success probability of any algorithm in the task of producing a witness for a random instance is dominated by the dth moment of the algorithm’s running time. In the concrete context of the discrete logarithm problem, already Shoup’s original proof shows that the discrete logarithm problem is 2-moment hard in the generic group model, and thus, our assumption can be viewed as a highly plausible strengthening of the discrete logarithm assumption in any group where no better-than-generic algorithms are currently known. Applying our high-moment forking lemma in this context shows that, assuming the 2-moment hardness of the discrete logarithm problem, any t-time attacker breaks the security of the Schnorr identification and signature schemes with probabilities at most \((t^2/p)^{2/3}\) and \((q_\textsf{H}\cdot t^2/p)^{2/3}\), respectively.

Abstract Image

查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
Schnorr 识别和签名的更高安全性:$$\varvec{\Sigma }$ -协议的高频分叉定理
施诺尔识别和签名方案是过去 30 年来最具影响力的加密协议之一。遗憾的是,尽管对这两种方案最著名的攻击是通过离散对数计算进行的,但将其安全性建立在离散对数问题硬度基础上的已知方法却遇到了 "平方根障碍"。特别是,在任何阶数为 p 的组中,如果认为 Shoup 对离散对数问题的通用硬度结果成立(并因此用于设置具体的安全参数),那么对施诺尔识别和签名方案的最著名的 t 时间攻击的成功概率为 \(t^2/p\)、而现有的安全证明只排除了成功概率分别为 \((t^2/p)^{1/2}\) 和 \((q_{\textsf{H}} \cdot t^2/p)^{1/2}\) 的攻击,其中 \(q_{textsf{H}} 表示攻击者发出的随机神谕查询的次数。我们为识别和签名方案建立了更严密的安全保证,这些方案是由(\Sigma \)协议产生的,具有基于其基础关系硬度的特殊健全性,特别是基于离散对数问题的硬度的施诺尔方案。我们通过引入经典分叉阶式的高时刻广义,并假设底层关系是 "d时刻硬",从而规避了平方根障碍:任何算法在为随机实例生成见证的任务中的成功概率,都受算法运行时间第 d 个时刻的支配。在离散对数问题的具体情境中,Shoup 的原始证明已经表明,离散对数问题在一般组模型中是 2 矩难的,因此,我们的假设可以看作是离散对数假设在任何目前还不知道比一般算法更好的组中的一个非常可信的加强。在这种情况下应用我们的高时刻分叉lemma就会发现,假设离散对数问题具有2时刻硬度,那么任何t时间攻击者破坏施诺识别和签名方案的安全性的概率分别为\((t^2/p)^{2/3}\)和\((q_\textsf{H}\cdot t^2/p)^{2/3}\)。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 去求助
来源期刊
Journal of Cryptology
Journal of Cryptology 工程技术-工程:电子与电气
CiteScore
7.10
自引率
3.30%
发文量
24
审稿时长
18 months
期刊介绍: The Journal of Cryptology is a forum for original results in all areas of modern information security. Both cryptography and cryptanalysis are covered, including information theoretic and complexity theoretic perspectives as well as implementation, application, and standards issues. Coverage includes such topics as public key and conventional algorithms and their implementations, cryptanalytic attacks, pseudo-random sequences, computational number theory, cryptographic protocols, untraceability, privacy, authentication, key management and quantum cryptography. In addition to full-length technical, survey, and historical articles, the journal publishes short notes.
期刊最新文献
Randomness Recoverable Secret Sharing Schemes Memory-Efficient Attacks on Small LWE Keys Finding Collisions in a Quantum World: Quantum Black-Box Separation of Collision-Resistance and One-Wayness Symmetric and Dual PRFs from Standard Assumptions: A Generic Validation of a Prevailing Assumption The Price of Active Security in Cryptographic Protocols
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1