Title: Tighter Security for Schnorr Identification and Signatures: A High-Moment Forking Lemma for \(\Sigma\)-Protocols
Authors: Lior Rotem, Gil Segev
Journal: Journal of Cryptology, vol. 27, no. 1 (JCR Q2, Computer Science, Theory & Methods; impact factor 2.3)
Publication type: Journal article
Publication date: 2024-06-06
DOI: 10.1007/s00145-024-09506-5 (https://doi.org/10.1007/s00145-024-09506-5)
Open access: no
Citation count: 0
Abstract
The Schnorr identification and signature schemes have been among the most influential cryptographic protocols of the past three decades. Unfortunately, although the best-known attacks on these two schemes are via discrete logarithm computation, the known approaches for basing their security on the hardness of the discrete logarithm problem encounter the “square-root barrier.” In particular, in any group of order p where Shoup’s generic hardness result for the discrete logarithm problem is believed to hold (and is thus used for setting concrete security parameters), the best-known t-time attacks on the Schnorr identification and signature schemes have success probability \(t^2/p\), whereas existing proofs of security only rule out attacks with success probabilities \((t^2/p)^{1/2}\) and \((q_{\textsf{H}} \cdot t^2/p)^{1/2}\), respectively, where \(q_{\textsf{H}}\) denotes the number of random oracle queries issued by the attacker. We establish tighter security guarantees for identification and signature schemes that result from \(\Sigma\)-protocols with special soundness, based on the hardness of their underlying relation, and in particular for Schnorr’s schemes based on the hardness of the discrete logarithm problem. We circumvent the square-root barrier by introducing a high-moment generalization of the classic forking lemma, relying on the assumption that the underlying relation is “d-moment hard”: the success probability of any algorithm in the task of producing a witness for a random instance is dominated by the dth moment of the algorithm’s running time. In the concrete context of the discrete logarithm problem, Shoup’s original proof already shows that the discrete logarithm problem is 2-moment hard in the generic group model, and thus our assumption can be viewed as a highly plausible strengthening of the discrete logarithm assumption in any group where no better-than-generic algorithms are currently known. Applying our high-moment forking lemma in this context shows that, assuming the 2-moment hardness of the discrete logarithm problem, any t-time attacker breaks the security of the Schnorr identification and signature schemes with probability at most \((t^2/p)^{2/3}\) and \((q_{\textsf{H}} \cdot t^2/p)^{2/3}\), respectively.
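The following worked example is added here and is not code from the paper. It shows the two ingredients the abstract relies on: the special-soundness extractor that any forking-lemma reduction runs on two accepting Schnorr transcripts sharing a commitment (for the identification scheme by rewinding to a second challenge, for the Fiat-Shamir signature by reprogramming the random oracle at the forking query and re-running the signer on the same random tape), and a side-by-side comparison of the success-probability bounds quoted in the abstract at assumed parameters \(p \approx 2^{256}\), \(t = 2^{80}\), \(q_{\textsf{H}} = 2^{60}\). The toy group (modulus 1019, generator 4 of prime order 509; the abstract's p is the group order, which is Q below), the message and all function names are constructed for illustration, not taken from the paper.

```python
"""Special-soundness extraction behind the forking lemma, and the concrete
bounds from the abstract, on a constructed toy Schnorr instance.

Added illustration; not the paper's code. Toy parameters only: a real
deployment uses a 256-bit prime-order group.
"""
import hashlib
import secrets

P = 1019   # prime modulus of the toy multiplicative group (constructed)
Q = 509    # prime order of the subgroup generated by G; (P - 1) / 2 = Q
G = 4      # 4 = 2^2 generates the order-Q subgroup of Z_P^*


def keygen():
    """Secret x in [1, Q-1] and public key y = G^x (constructed toy keys)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def schnorr_prove(x, r, c):
    """Prover side of the Sigma-protocol: commitment R = G^r, response s = r + c*x."""
    return pow(G, r, P), (r + c * x) % Q


def schnorr_verify(y, R, c, s):
    """Accept iff G^s == R * y^c, i.e. the transcript (R, c, s) is valid for y."""
    return pow(G, s, P) == (R * pow(y, c, P)) % P


def extract_witness(c1, s1, c2, s2):
    """Special soundness: two accepting transcripts with the same R and
    c1 != c2 satisfy s1 - s2 = (c1 - c2) * x, so x = (s1 - s2) / (c1 - c2) mod Q."""
    assert c1 != c2, "forking needs two distinct challenges"
    return ((s1 - s2) * pow((c1 - c2) % Q, -1, Q)) % Q


class RandomOracle:
    """Programmable hash, as a reduction controls it in the random oracle
    model: each fresh query gets a reply that the reduction may overwrite
    when it forks the adversary."""

    def __init__(self):
        self.table = {}

    def query(self, R, m):
        key = (R, m)
        if key not in self.table:
            digest = hashlib.sha256(f"{R}|{m}".encode()).digest()
            self.table[key] = int.from_bytes(digest, "big") % Q
        return self.table[key]


def schnorr_sign(x, m, r, oracle):
    """Fiat-Shamir signature: challenge c = H(R, m) instead of a verifier's coin."""
    R = pow(G, r, P)
    c = oracle.query(R, m)
    return R, (r + c * x) % Q


def fork_and_extract(x, m, oracle):
    """Run the signer twice on the same random tape r, reprogramming H(R, m)
    between the runs. Both signatures share R, so the extractor recovers x.
    (Here the 'adversary' is an honest signer; a reduction would run the
    forger the same way, which is where the t^2/p-style loss comes from.)"""
    r = secrets.randbelow(Q - 1) + 1
    R, s1 = schnorr_sign(x, m, r, oracle)
    c1 = oracle.query(R, m)
    c2 = (c1 + 1 + secrets.randbelow(Q - 1)) % Q   # any challenge != c1
    oracle.table[(R, m)] = c2                       # the fork: new oracle reply
    R2, s2 = schnorr_sign(x, m, r, oracle)
    assert R2 == R, "same random tape must give the same commitment"
    return extract_witness(c1, s1, c2, s2)


def log2_bounds(log2_t, log2_p, log2_qh):
    """log2 of the success probability of a t-time attacker under the abstract's
    three expressions: the generic attack t^2/p, the classic forking-lemma
    bound (.)^{1/2}, and the high-moment bound (.)^{2/3}; the signature
    variants carry the extra q_H factor."""
    ident = 2 * log2_t - log2_p
    sig = log2_qh + ident
    return {
        "attack": ident,
        "ident_classic": ident / 2,
        "ident_high_moment": ident * 2 / 3,
        "sig_classic": sig / 2,
        "sig_high_moment": sig * 2 / 3,
    }


if __name__ == "__main__":
    x, y = keygen()
    R, s1 = schnorr_prove(x, 7, 11)
    _, s2 = schnorr_prove(x, 7, 23)
    print("transcript accepted:", schnorr_verify(y, R, 11, s1))
    print("identification extractor recovers x:", extract_witness(11, s1, 23, s2) == x)
    print("signature fork recovers x:", fork_and_extract(x, "hello", RandomOracle()) == x)
    print("log2 success bounds at p=2^256, t=2^80, q_H=2^60:", log2_bounds(80, 256, 60))
```

The bound comparison makes the practical effect of the exponent visible. At the assumed parameters the best generic attack succeeds with probability \(2^{-96}\); the classic forking lemma can only certify \(2^{-48}\) for identification and \(2^{-18}\) for signatures, while the \(2/3\)-exponent bound certifies \(2^{-64}\) and \(2^{-24}\). At constant success probability every bound still demands roughly \(\sqrt{p}\) work, so the gain is in the low-success regime that concrete parameter selection for signatures actually cares about.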
Journal description:
The Journal of Cryptology is a forum for original results in all areas of modern information security. Both cryptography and cryptanalysis are covered, including information theoretic and complexity theoretic perspectives as well as implementation, application, and standards issues. Coverage includes such topics as public key and conventional algorithms and their implementations, cryptanalytic attacks, pseudo-random sequences, computational number theory, cryptographic protocols, untraceability, privacy, authentication, key management and quantum cryptography. In addition to full-length technical, survey, and historical articles, the journal publishes short notes.