schnorr signature. - ist austria: homeckamath/resources/documents/...schnorr signature....
TRANSCRIPT
![Page 1: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/1.jpg)
Schnorr Signature.
Schnorr Signature.
October 31, 2012
![Page 2: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/2.jpg)
Schnorr Signature.
Table of contents
Salient Features
PreliminariesSecurity ProofsRandom Oracle HeuristicPKS and its Security ModelsHardness Assumption
Schnorr SignatureThe ConstructionOracle Replay AttackSecurity ProofForking Lemma
![Page 3: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/3.jpg)
Schnorr Signature.
Salient Features
Schnorr Signature - Salient Features
I Derived from Schnorr identification scheme throughFiat-Shamir transformation
I Based on the DLP
I Security argued using oracle replay attacks
I Uses the random oracle heuristic
![Page 4: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/4.jpg)
Schnorr Signature.
Preliminaries
PRELIMINARIES
![Page 5: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/5.jpg)
Schnorr Signature.
Preliminaries
Security Proofs
Proof through Contradiction
I Consider a protocol P based on a hard problem Π
I Aim: Π is hard =⇒ P is not breakable ≡P is breakable =⇒ Π is not hard
BΠ
CΠ P
AP
I Since Π is assumed to be hard, this leads to a contradiction.
![Page 6: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/6.jpg)
Schnorr Signature.
Preliminaries
Security Proofs
Proof through Contradiction
I Consider a protocol P based on a hard problem Π
I Aim: Π is hard =⇒ P is not breakable
≡P is breakable =⇒ Π is not hard
BΠ
CΠ P
AP
I Since Π is assumed to be hard, this leads to a contradiction.
![Page 7: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/7.jpg)
Schnorr Signature.
Preliminaries
Security Proofs
Proof through Contradiction
I Consider a protocol P based on a hard problem Π
I Aim: Π is hard =⇒ P is not breakable ≡P is breakable =⇒ Π is not hard
BΠ
CΠ P
AP
I Since Π is assumed to be hard, this leads to a contradiction.
![Page 8: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/8.jpg)
Schnorr Signature.
Preliminaries
Security Proofs
Proof through Contradiction
I Consider a protocol P based on a hard problem Π
I Aim: Π is hard =⇒ P is not breakable ≡P is breakable =⇒ Π is not hard
BΠ
CΠ P
AP
I Since Π is assumed to be hard, this leads to a contradiction.
![Page 9: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/9.jpg)
Schnorr Signature.
Preliminaries
Security Proofs
Security Model
I Lays down the schema to be followed for giving security proofs
I Described using a game between a challenger C and anadversary A
CP
AP
I C simulates the protocol environment for AI A wins the game if it solves the challenge given by C
![Page 10: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/10.jpg)
Schnorr Signature.
Preliminaries
Random Oracle Heuristic
Random Oracles
I Heuristic aimed at simplifying security proofs of protocolsinvolving hash functions.
I In proofs, the hash function modelled as a truly randomfunction under the control of the challenger.
I A given oracle access to this function.
PH
CH
PA
P
I Proofs without random oracles preferred.
![Page 11: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/11.jpg)
Schnorr Signature.
Preliminaries
Random Oracle Heuristic
Random Oracles
I Heuristic aimed at simplifying security proofs of protocolsinvolving hash functions.
I In proofs, the hash function modelled as a truly randomfunction under the control of the challenger.
I A given oracle access to this function.
PH
CH
PA
P
I Proofs without random oracles preferred.
![Page 12: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/12.jpg)
Schnorr Signature.
Preliminaries
Random Oracle Heuristic
Random Oracles
I Heuristic aimed at simplifying security proofs of protocolsinvolving hash functions.
I In proofs, the hash function modelled as a truly randomfunction under the control of the challenger.
I A given oracle access to this function.
PH
CH
PA
P
I Proofs without random oracles preferred.
![Page 13: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/13.jpg)
Schnorr Signature.
Preliminaries
Random Oracle Heuristic
Random Oracles
I Heuristic aimed at simplifying security proofs of protocolsinvolving hash functions.
I In proofs, the hash function modelled as a truly randomfunction under the control of the challenger.
I A given oracle access to this function.
PH
CH
PA
P
I Proofs without random oracles preferred.
![Page 14: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/14.jpg)
Schnorr Signature.
Preliminaries
PKS and its Security Models
PUBLIC-KEY SIGNATURES AND ITS SECURITY MODELS
![Page 15: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/15.jpg)
Schnorr Signature.
Preliminaries
PKS and its Security Models
Definition – Public-Key SignatureAn PKS scheme consists of three PPT algorithms {K,S ,V} -
I Key Generation:I Used by the user to generate the public-private key pair (pk, sk)I pk is published and the sk kept secretI Run on a security parameter κ
(pk, sk)$←− K(κ)
I Signing:I Used by the user to generate signature on some message mI The secret key sk used for signing
σ$←− S (sk,m)
I Verification:I Outputs 1 if σ is a valid signature on m; else, outputs 0
result← V (σ,m, pk)
![Page 16: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/16.jpg)
Schnorr Signature.
Preliminaries
PKS and its Security Models
Definition – Public-Key SignatureAn PKS scheme consists of three PPT algorithms {K,S ,V} -
I Key Generation:I Used by the user to generate the public-private key pair (pk, sk)I pk is published and the sk kept secretI Run on a security parameter κ
(pk, sk)$←− K(κ)
I Signing:I Used by the user to generate signature on some message mI The secret key sk used for signing
σ$←− S (sk,m)
I Verification:I Outputs 1 if σ is a valid signature on m; else, outputs 0
result← V (σ,m, pk)
![Page 17: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/17.jpg)
Schnorr Signature.
Preliminaries
PKS and its Security Models
Definition – Public-Key SignatureAn PKS scheme consists of three PPT algorithms {K,S ,V} -
I Key Generation:I Used by the user to generate the public-private key pair (pk, sk)I pk is published and the sk kept secretI Run on a security parameter κ
(pk, sk)$←− K(κ)
I Signing:I Used by the user to generate signature on some message mI The secret key sk used for signing
σ$←− S (sk,m)
I Verification:I Outputs 1 if σ is a valid signature on m; else, outputs 0
result← V (σ,m, pk)
![Page 18: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/18.jpg)
Schnorr Signature.
Preliminaries
PKS and its Security Models
Definition – Public-Key SignatureAn PKS scheme consists of three PPT algorithms {K,S ,V} -
I Key Generation:I Used by the user to generate the public-private key pair (pk, sk)I pk is published and the sk kept secretI Run on a security parameter κ
(pk, sk)$←− K(κ)
I Signing:I Used by the user to generate signature on some message mI The secret key sk used for signing
σ$←− S (sk,m)
I Verification:I Outputs 1 if σ is a valid signature on m; else, outputs 0
result← V (σ,m, pk)
![Page 19: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/19.jpg)
Schnorr Signature.
Preliminaries
PKS and its Security Models
Definition – EU-NMA
I Existential unforgeability under no-message attack
I Challenger C generates key-pair (pk, sk).
I Forgery – Adversary A wins if σ is a valid signature on m.
I Adversary’s advantage in the game:
Pr[1← V (σ, m, pk) | (sk, pk)
$←− K(κ); (σ, m)$←− A(pk)
]
![Page 20: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/20.jpg)
Schnorr Signature.
Preliminaries
PKS and its Security Models
Definition – EU-NMA
I Existential unforgeability under no-message attack
I Challenger C generates key-pair (pk, sk).
I Forgery – Adversary A wins if σ is a valid signature on m.
C EU-NMA A
I Adversary’s advantage in the game:
Pr[1← V (σ, m, pk) | (sk, pk)
$←− K(κ); (σ, m)$←− A(pk)
]
![Page 21: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/21.jpg)
Schnorr Signature.
Preliminaries
PKS and its Security Models
Definition – EU-NMA
I Existential unforgeability under no-message attack
I Challenger C generates key-pair (pk, sk).
I Forgery – Adversary A wins if σ is a valid signature on m.
C EU-NMA Apk
I Adversary’s advantage in the game:
Pr[1← V (σ, m, pk) | (sk, pk)
$←− K(κ); (σ, m)$←− A(pk)
]
![Page 22: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/22.jpg)
Schnorr Signature.
Preliminaries
PKS and its Security Models
Definition – EU-NMA
I Existential unforgeability under no-message attack
I Challenger C generates key-pair (pk, sk).
I Forgery – Adversary A wins if σ is a valid signature on m.
C EU-NMA Apk
(σ, m)
I Adversary’s advantage in the game:
Pr[1← V (σ, m, pk) | (sk, pk)
$←− K(κ); (σ, m)$←− A(pk)
]
![Page 23: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/23.jpg)
Schnorr Signature.
Preliminaries
PKS and its Security Models
Definition – EU-NMA
I Existential unforgeability under no-message attack
I Challenger C generates key-pair (pk, sk).
I Forgery – Adversary A wins if σ is a valid signature on m.
C EU-NMA Apk
(σ, m)
I Adversary’s advantage in the game:
Pr[1← V (σ, m, pk) | (sk, pk)
$←− K(κ); (σ, m)$←− A(pk)
]
![Page 24: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/24.jpg)
Schnorr Signature.
Preliminaries
PKS and its Security Models
Definition – EU-CMA
I Existential unforgeability under chosen-message attack
I Challenger C generates key-pair (pk, sk).
I Signature Queries – Access to a signing oracle OI Forgery – Adversary A wins if
I σ is a valid signature on m.I A has not made a signature query on m.
CO
EU-CMA Apk
(σ, m)
I Adversary’s advantage in the game:
Pr[1← V (σ, m, pk) | (sk, pk)
$←− K(κ); (σ, m)$←− AO(pk)
]
![Page 25: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/25.jpg)
Schnorr Signature.
Preliminaries
Hardness Assumption
Hardness Assumption: Discrete-log AssumptionDiscrete-log problem for a group G = 〈g〉 and | G |= p
CDLP
ADLP
(G, g, p, gα)
α
DefinitionThe DLP in G is to find α given gα, where α ∈R Zp. An adversaryA has advantage ε in solving the DLP if
Pr[α ∈R Zp;α′ ← A(G, p, g , gα) | α′ = α
]≥ ε.
The (ε, t)-discrete-log assumption holds in G if no adversary hasadvantage at least ε in solving the DLP in time at most t.
![Page 26: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/26.jpg)
Schnorr Signature.
Preliminaries
Hardness Assumption
Hardness Assumption: Discrete-log AssumptionDiscrete-log problem for a group G = 〈g〉 and | G |= p
CDLP
ADLP
(G, g, p, gα)
α
DefinitionThe DLP in G is to find α given gα, where α ∈R Zp. An adversaryA has advantage ε in solving the DLP if
Pr[α ∈R Zp;α′ ← A(G, p, g , gα) | α′ = α
]≥ ε.
The (ε, t)-discrete-log assumption holds in G if no adversary hasadvantage at least ε in solving the DLP in time at most t.
![Page 27: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/27.jpg)
Schnorr Signature.
Schnorr Signature
SCHNORR SIGNATURE
![Page 28: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/28.jpg)
Schnorr Signature.
Schnorr Signature
The Construction
Schnorr Signature
The Setting.
1. We work in group G = 〈g〉 of prime order p.2. A hash function H is used.
H : {0, 1}∗ → Zp
Key Generation. K(κ):
1. Select z ∈R Zp as the secret key sk2. Set Z := g z as the public key pk
Signing. S (m, sk):
1. Let sk = z . Select r ∈R Zp, set R := g r and c := H(m,R).2. The signature on m is σ := (y ,R) where
y := r + zc
![Page 29: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/29.jpg)
Schnorr Signature.
Schnorr Signature
The Construction
Schnorr Signature
The Setting.
1. We work in group G = 〈g〉 of prime order p.2. A hash function H is used.
H : {0, 1}∗ → Zp
Key Generation. K(κ):
1. Select z ∈R Zp as the secret key sk2. Set Z := g z as the public key pk
Signing. S (m, sk):
1. Let sk = z . Select r ∈R Zp, set R := g r and c := H(m,R).2. The signature on m is σ := (y ,R) where
y := r + zc
![Page 30: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/30.jpg)
Schnorr Signature.
Schnorr Signature
The Construction
Schnorr Signature
The Setting.
1. We work in group G = 〈g〉 of prime order p.2. A hash function H is used.
H : {0, 1}∗ → Zp
Key Generation. K(κ):
1. Select z ∈R Zp as the secret key sk2. Set Z := g z as the public key pk
Signing. S (m, sk):
1. Let sk = z . Select r ∈R Zp, set R := g r and c := H(m,R).2. The signature on m is σ := (y ,R) where
y := r + zc
![Page 31: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/31.jpg)
Schnorr Signature.
Schnorr Signature
The Construction
Schnorr Signature
Verification. V (σ,m):
1. Let σ = (y ,R) and c = H(m,R).2. σ is valid if
g y = RZ c
![Page 32: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/32.jpg)
Schnorr Signature.
Schnorr Signature
The Construction
Security of Schnorr Signature: An Intuition
I Consider an adversary A with ability to launchchosen-message attack on the Schnorr signature.
I Let {σ1, . . . , σn} with σi = (ri + zci ,Ri ) on mi be thesignatures that A receives.
1 0 · · · 0 c00 1 · · · 0 c1...
.... . .
......
0 0 · · · 1 cn
×
r1r2...
rnz
=
y1y2...
rn
![Page 33: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/33.jpg)
Schnorr Signature.
Schnorr Signature
The Construction
Security of Schnorr Signature: An Intuition
I Consider an adversary A with ability to launchchosen-message attack on the Schnorr signature.
I Let {σ1, . . . , σn} with σi = (ri + zci ,Ri ) on mi be thesignatures that A receives.
1 0 · · · 0 c00 1 · · · 0 c1...
.... . .
......
0 0 · · · 1 cn
×
r1r2...
rnz
=
y1y2...
rn
![Page 34: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/34.jpg)
Schnorr Signature.
Schnorr Signature
The Construction
Security of Schnorr Signature: An Intuition
I However, A can solve for x if it gets two equations containingthe same r but different c , i.e.
y1 = r + zc1 and y2 = r + zc2
implies
z =y1 − y2c1 − c2
![Page 35: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/35.jpg)
Schnorr Signature.
Schnorr Signature
Oracle Replay Attack
ORACLE REPLAY ATTACK
![Page 36: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/36.jpg)
Schnorr Signature.
Schnorr Signature
Oracle Replay Attack
The Oracle Replay AttackI Recall the random oracle methodology.
CH
PA
PQi
si
PH
QI+1 Qγ Run 0
Q1 Q2 QIs1
sI
sγ
![Page 37: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/37.jpg)
Schnorr Signature.
Schnorr Signature
Oracle Replay Attack
The Oracle Replay AttackI Recall the random oracle methodology.
CH
PA
PQi
si
PH
QI+1 Qγ Run 0
Q1 Q2 QIs1
sI
sγ
![Page 38: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/38.jpg)
Schnorr Signature.
Schnorr Signature
Oracle Replay Attack
The Oracle Replay AttackI Recall the random oracle methodology.
CH
PA
PQi
si
PH
QI+1 Qγ Run 0
Q1 Q2 QI
Q′
I+1 Q′
γ Run 1
s1
sI
s′
I
sγ
s′
γ
I The simulation carried out during Run 1 (from query Qi ) usinga different random function
![Page 39: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/39.jpg)
Schnorr Signature.
Schnorr Signature
Oracle Replay Attack
Security of Schnorr Signature in EU-NMA
I Consider the simpler model of existential unforgeability underno-message attack (EU-NMA)
I C gives the challenge public key pk := (G, g , p, gα) to AI A not allowed signature queries; forges on a message mI A also allowed access to an H-oracle {Q1, . . . , Qγ}
BDLP
CDLP SS
H
ASS
∆ = (G, g , p, gα)
α
pk := ∆
EU-NMA
σ = (y , R)
![Page 40: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/40.jpg)
Schnorr Signature.
Schnorr Signature
Security Proof
Security of Schnorr Signature in EU-NMA
BDLP
CDLP SS
H
ASS
∆ = (G, g , p, gα)
α
pk := ∆
EU-NMA
σ = (y , R)
I Q0I : H(m0, R0) = c0
Q0I+1 Q0γ σ0 = (y0 = r0 + αc0, R0)
Q01 Q02 Q0I
s01
s0I
s0γ
![Page 41: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/41.jpg)
Schnorr Signature.
Schnorr Signature
Security Proof
Security of Schnorr Signature in EU-NMA
BDLP
CDLP SS
H
ASS
∆ = (G, g , p, gα)
α
pk := ∆
EU-NMA
σ = (y , R)
I Q0I : H(m0, R0) = c0 and QφJ : H(m1, R1) = c1
Q0I+1 Q0γ σ0 = (y0 = r0 + αc0, R0)
Q01 Q02 Q0I
Q1I+1 Q1γ σ1 = (y1 = r1 + αc1, R1)
s01
s0I
s1I
s0γ
s1γ
![Page 42: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/42.jpg)
Schnorr Signature.
Schnorr Signature
Security Proof
Security of Schnorr Signature in EU-NMA
BDLP
CDLP SS
H
ASS
∆ = (G, g , p, gα)
α
pk := ∆
EU-NMA
σ = (y , R)
I J = I =⇒ m1 = m0 ∧ R1 = R0
Q0I+1 Q0γ σ0 = (y0 = r0 + αc0,R0)
Q01 Q02 Q0I
Q1I+1 Q1γ σ1 = (y1 = r0 + αc1,R0)
s01
s0I
s1I
s0γ
s1γ
![Page 43: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/43.jpg)
Schnorr Signature.
Schnorr Signature
Security Proof
Security of Schnorr Signature in EU-NMA
BDLP
CDLP SS
H
ASS
∆ = (G, g , p, gα)
α
pk := ∆
EU-NMA
σ = (y , R)
I J = I =⇒ m1 = m0 ∧ R1 = R0 and α = (y0 − y1)/(c0 − c1)
Q0I+1 Q0γ σ0 = (y0 = r0 + αc0,R0)
Q01 Q02 Q0I
Q1I+1 Q1γ σ1 = (y1 = r0 + αc1,R0)
s01
s0I
s1I
s0γ
s1γ
![Page 44: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/44.jpg)
Schnorr Signature.
Schnorr Signature
Security Proof
Security in the Full Model
BDLP
CDLP SS
O ,H
ASS
∆ = (G, g , p, gα)
α
pk := ∆
EU-CMA
σ = (y , R)
Signature query. O(m)
I Signature for m is of form σ = (r + αc , g r ), wherec = H(m, g r ).
I But, we don’t know α!I Problem solved using Boneh-Boyen algebraic technique:
I Select c , s ∈R Zp and set r = −αc + s.I Program the random oracle to set c = H(m, g r ) and send
(s, g r ) as the signature.
![Page 45: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/45.jpg)
Schnorr Signature.
Schnorr Signature
Security Proof
Security in the Full Model
BDLP
CDLP SS
O ,H
ASS
∆ = (G, g , p, gα)
α
pk := ∆
EU-CMA
σ = (y , R)
Signature query. O(m)
I Signature for m is of form σ = (r + αc , g r ), wherec = H(m, g r ).
I But, we don’t know α!I Problem solved using Boneh-Boyen algebraic technique:
I Select c , s ∈R Zp and set r = −αc + s.I Program the random oracle to set c = H(m, g r ) and send
(s, g r ) as the signature.
![Page 46: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/46.jpg)
Schnorr Signature.
Schnorr Signature
Security Proof
Security in the Full Model
BDLP
CDLP SS
O ,H
ASS
∆ = (G, g , p, gα)
α
pk := ∆
EU-CMA
σ = (y , R)
Signature query. O(m)
I Signature for m is of form σ = (r + αc , g r ), wherec = H(m, g r ).
I But, we don’t know α!
I Problem solved using Boneh-Boyen algebraic technique:I Select c , s ∈R Zp and set r = −αc + s.I Program the random oracle to set c = H(m, g r ) and send
(s, g r ) as the signature.
![Page 47: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/47.jpg)
Schnorr Signature.
Schnorr Signature
Security Proof
Security in the Full Model
BDLP
CDLP SS
O ,H
ASS
∆ = (G, g , p, gα)
α
pk := ∆
EU-CMA
σ = (y , R)
Signature query. O(m)
I Signature for m is of form σ = (r + αc , g r ), wherec = H(m, g r ).
I But, we don’t know α!I Problem solved using Boneh-Boyen algebraic technique:
I Select c , s ∈R Zp and set r = −αc + s.I Program the random oracle to set c = H(m, g r ) and send
(s, g r ) as the signature.
![Page 48: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/48.jpg)
Schnorr Signature.
Schnorr Signature
Security Proof
FORKING LEMMA
![Page 49: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/49.jpg)
Schnorr Signature.
Schnorr Signature
Forking Lemma
Forking Algorithm
I The oracle replay attack formalised through the forkingalgorithm
Algorithm 1 FY (x)
Pick coins ρ for Y at random
s01 , . . . , s0γ ∈R S; (I0, σ0)
$←− Y (x , s01 , . . . , s0γ ; ρ) [Run 0]
s1I0 , . . . , s1γ ∈R S; (I1, σ1)
$←− Y (x , s01 , . . . , s0I0−1, s
1I0, . . . , s1γ ; ρ) [Run 1]
if (I0 > 0 ∧ I1 = I0 ∧ s1I0 6= s0I0) thenreturn (1, σ0, σ1)
elsereturn (0,⊥,⊥)
end if
![Page 50: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/50.jpg)
Schnorr Signature.
Schnorr Signature
Forking Lemma
The Forking LemmaI The forking lemma gives a lower bound on the success
probability of the oracle replay attack (frk) in terms of thesuccess probability of the adversary during a particular run(acc).
I To be precise,
frk ≥ acc
(acc
γ− 1
p
)
QI+1 Qγ Run 0
Q1 Q2 QI
Q′
I+1 Q′
γ Run 1
s1
sI
s′
I
sγ
s′
γ
![Page 51: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/51.jpg)
Schnorr Signature.
Schnorr Signature
Forking Lemma
The Forking LemmaI The forking lemma gives a lower bound on the success
probability of the oracle replay attack (frk) in terms of thesuccess probability of the adversary during a particular run(acc).
I To be precise,
frk ≥ acc
(acc
γ− 1
p
)
QI+1 Qγ Run 0
Q1 Q2 QI
Q′
I+1 Q′
γ Run 1
s1
sI
s′
I
sγ
s′
γ
![Page 52: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/52.jpg)
Schnorr Signature.
Schnorr Signature
Forking Lemma
The Forking LemmaI The forking lemma gives a lower bound on the success
probability of the oracle replay attack (frk) in terms of thesuccess probability of the adversary during a particular run(acc).
I To be precise,
frk ≥ acc
(acc
γ− 1
p
)
QI+1 Qγ Run 0
Q1 Q2 QI
Q′
I+1 Q′
γ Run 1
s1
sI
s′
I
sγ
s′
γ
![Page 53: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/53.jpg)
Schnorr Signature.
Schnorr Signature
Forking Lemma
Theorem
TheoremIf A is an adversary with advantage ε against the Schnorrsignature scheme, in the setting (G, g , p), then we can constructan algorithm B that solves the DLP with advantage
ε′ ≥ ε(ε
γ− 1
p
)provided H is modelled as a random oracle with an upper bound ofqH queries.
![Page 54: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/54.jpg)
Schnorr Signature.
Schnorr Signature
Forking Lemma
Related Literature
1. Mihir Bellare and Gregory Neven. Multi-signatures in theplain public-key model and a general forking lemma.
2. David Pointcheval and Jacques Stern. Security arguments fordigital signatures and blind signatures.
3. Sanjam Garg, Raghav Bhaskar, and Satyanarayana V. Lokam.Improved bounds on security reductions for discrete log basedsignatures.
4. Yannick Seurin. On the exact security of Schnorr-typesignatures in the random oracle model.
![Page 55: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/55.jpg)
Schnorr Signature.
Schnorr Signature
Forking Lemma
QUESTIONS?
![Page 56: Schnorr Signature. - IST Austria: Homeckamath/Resources/Documents/...Schnorr Signature. Preliminaries Security Proofs Proof through Contradiction I Consider a protocol P based on a](https://reader030.vdocuments.site/reader030/viewer/2022040922/5e9c5e2700a8b4714a0d0f58/html5/thumbnails/56.jpg)
Schnorr Signature.
Schnorr Signature
Forking Lemma
THANK YOU!