Discrete-Log-Based signatures may not be equivalent to discrete log

Authors:
Pascal Paillier;Damien Vergnaud
Affiliations:
Gemplus Card International, Advanced Cryptographic Services, Issy-les-Moulineaux, France;Laboratoire de Mathématiques Nicolas Oresme, Université de Caen, Caen, France
Venue:
ASIACRYPT'05 Proceedings of the 11th international conference on Theory and Application of Cryptology and Information Security
Year:
2005

Citing 13
Cited 29

How to prove yourself: practical solutions to identification and signature problems

Proceedings on Advances in cryptology---CRYPTO '86
Meta-ElGamal signature schemes

CCS '94 Proceedings of the 2nd ACM Conference on Computer and communications security
Separating Random Oracle Proofs from Complexity Theoretic Proofs: The Non-committing Encryption Case

CRYPTO '02 Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology
GQ and Schnorr Identification Schemes: Proofs of Security against Impersonation under Active and Concurrent Attacks

CRYPTO '02 Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology
A "Paradoxical" Indentity-Based Signature Scheme Resulting from Zero-Knowledge

CRYPTO '88 Proceedings of the 8th Annual International Cryptology Conference on Advances in Cryptology
Efficient Identification and Signatures for Smart Cards

CRYPTO '89 Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology
Adapting the Weaknesses of the Random Oracle Model to the Generic Group Model

ASIACRYPT '02 Proceedings of the 8th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Design Validations for Discrete Logarithm Based Signature Schemes

PKC '00 Proceedings of the Third International Workshop on Practice and Theory in Public Key Cryptography: Public Key Cryptography
On the (In)security of the Fiat-Shamir Paradigm

FOCS '03 Proceedings of the 44th Annual IEEE Symposium on Foundations of Computer Science
The random oracle methodology, revisited

Journal of the ACM (JACM)
Generic Groups, Collision Resistance, and ECDSA

Designs, Codes and Cryptography
Lower bounds for discrete logarithms and related problems

EUROCRYPT'97 Proceedings of the 16th annual international conference on Theory and application of cryptographic techniques
On the power of claw-free permutations

SCN'02 Proceedings of the 3rd international conference on Security in communication networks

A synthetic indifferentiability analysis of some block-cipher-based hash functions

Designs, Codes and Cryptography
Tweaking TBE/IBE to PKE Transforms with Chameleon Hash Functions

ACNS '07 Proceedings of the 5th international conference on Applied Cryptography and Network Security
Gradually Convertible Undeniable Signatures

ACNS '07 Proceedings of the 5th international conference on Applied Cryptography and Network Security
Improved Bounds on Security Reductions for Discrete Log Based Signatures

CRYPTO 2008 Proceedings of the 28th Annual conference on Cryptology: Advances in Cryptology
Cryptanalysis of EC-RAC, a RFID Identification Protocol

CANS '08 Proceedings of the 7th International Conference on Cryptology and Network Security
General Conversion for Obtaining Strongly Existentially Unforgeable Signatures

IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences
Anonymity from Public Key Encryption to Undeniable Signatures

AFRICACRYPT '09 Proceedings of the 2nd International Conference on Cryptology in Africa: Progress in Cryptology
On Generic Constructions of Designated Confirmer Signatures

INDOCRYPT '09 Proceedings of the 10th International Conference on Cryptology in India: Progress in Cryptology
Decryptable searchable encryption

ProvSec'07 Proceedings of the 1st international conference on Provable security
Separation results on the "one-more" computational problems

CT-RSA'08 Proceedings of the 2008 The Cryptopgraphers' Track at the RSA conference on Topics in cryptology
Linearly homomorphic signatures over binary fields and new tools for lattice-based signatures

PKC'11 Proceedings of the 14th international conference on Practice and theory in public key cryptography conference on Public key cryptography
Efficient CDH-based verifiably encrypted signatures with optimal bandwidth in the standard model

ADHOC-NOW'11 Proceedings of the 10th international conference on Ad-hoc, mobile, and wireless networks
On the security of OAEP

ASIACRYPT'06 Proceedings of the 12th international conference on Theory and Application of Cryptology and Information Security
Another look at “provable security”. II

INDOCRYPT'06 Proceedings of the 7th international conference on Cryptology in India
On related-secret pseudorandomness

TCC'10 Proceedings of the 7th international conference on Theory of Cryptography
Collision-Resistant no more: hash-and-sign paradigm revisited

PKC'06 Proceedings of the 9th international conference on Theory and Practice of Public-Key Cryptography
Impossibility proofs for RSA signatures in the standard model

CT-RSA'07 Proceedings of the 7th Cryptographers' track at the RSA conference on Topics in Cryptology
A practical and tightly secure signature scheme without hash function

CT-RSA'07 Proceedings of the 7th Cryptographers' track at the RSA conference on Topics in Cryptology
Separating short structure-preserving signatures from non-interactive assumptions

ASIACRYPT'11 Proceedings of the 17th international conference on The Theory and Application of Cryptology and Information Security
Another look at tightness

SAC'11 Proceedings of the 18th international conference on Selected Areas in Cryptography
On the joint security of encryption and signature in EMV

CT-RSA'12 Proceedings of the 12th conference on Topics in Cryptology
On the instantiability of hash-and-sign RSA signatures

TCC'12 Proceedings of the 9th international conference on Theory of Cryptography
A pre-computable signature scheme with efficient verification for RFID

ISPEC'12 Proceedings of the 8th international conference on Information Security Practice and Experience
On the exact security of schnorr-type signatures in the random oracle model

EUROCRYPT'12 Proceedings of the 31st Annual international conference on Theory and Applications of Cryptographic Techniques
Practical round-optimal blind signatures without random oracles or non-interactive zero-knowledge proofs

Security and Communication Networks
Black-box reductions and separations in cryptography

AFRICACRYPT'12 Proceedings of the 5th international conference on Cryptology in Africa
On the soundness of restricted universal designated verifier signatures and dedicated signatures: how to prove the possession of an ElGamal/DSA signature

ISC'07 Proceedings of the 10th international conference on Information Security
Optimal reductions of some decisional problems to the rank problem

ASIACRYPT'12 Proceedings of the 18th international conference on The Theory and Application of Cryptology and Information Security
Why “fiat-shamir for proofs” lacks a proof

TCC'13 Proceedings of the 10th theory of cryptography conference on Theory of Cryptography

Quantified Score

Hi-index	0.00

Visualization

Abstract

We provide evidence that the unforgeability of several discrete-log based signatures like Schnorr signatures cannot be equivalent to the discrete log problem in the standard model. This contradicts in nature well-known proofs standing in weakened proof methodologies, in particular proofs employing various formulations of the Forking Lemma in the random oracle Model. Our impossibility proofs apply to many discrete-log-based signatures like ElGamal signatures and their extensions, DSA, ECDSA and KCDSA as well as standard generalizations of these, and even RSA-based signatures like GQ. We stress that our work sheds more light on the provable (in)security of popular signature schemes but does not explicitly lead to actual attacks on these.