How to prove yourself: practical solutions to identification and signature problems. Proceedings on Advances in Cryptology, CRYPTO '86.
Random oracles are practical: a paradigm for designing efficient protocols. CCS '93, Proceedings of the 1st ACM Conference on Computer and Communications Security.
On the exact security of Full Domain Hash. CRYPTO '00, Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology.
Efficient identification and signatures for smart cards. CRYPTO '89, Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology.
Optimal security proofs for PSS and other signature schemes. EUROCRYPT '02, Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology.
On the (in)security of the Fiat-Shamir paradigm. FOCS '03, Proceedings of the 44th Annual IEEE Symposium on Foundations of Computer Science.
Efficiency improvements for signature schemes with tight security reductions. Proceedings of the 10th ACM Conference on Computer and Communications Security.
Efficient signature schemes with tight reductions to the Diffie-Hellman problems. Journal of Cryptology.
Improved bounds on security reductions for discrete log based signatures. CRYPTO 2008, Proceedings of the 28th Annual Conference on Cryptology: Advances in Cryptology.
Security proofs for signature schemes. EUROCRYPT '96, Proceedings of the 15th Annual International Conference on Theory and Application of Cryptographic Techniques.
The exact security of digital signatures: how to sign with RSA and Rabin. EUROCRYPT '96, Proceedings of the 15th Annual International Conference on Theory and Application of Cryptographic Techniques.
A signature scheme as secure as the Diffie-Hellman problem. EUROCRYPT '03, Proceedings of the 22nd International Conference on Theory and Applications of Cryptographic Techniques.
On the power of claw-free permutations. SCN '02, Proceedings of the 3rd International Conference on Security in Communication Networks.
Separation results on the "one-more" computational problems. CT-RSA '08, Proceedings of the 2008 Cryptographers' Track at the RSA Conference on Topics in Cryptology.
Discrete-log-based signatures may not be equivalent to discrete log. ASIACRYPT '05, Proceedings of the 11th International Conference on Theory and Application of Cryptology and Information Security.
Communication-efficient non-interactive proofs of knowledge with online extractors. CRYPTO '05, Proceedings of the 25th Annual International Conference on Advances in Cryptology.
An efficient CDH-based signature scheme with a tight security reduction. CRYPTO '05, Proceedings of the 25th Annual International Conference on Advances in Cryptology.
Efficient identity-based encryption without random oracles. EUROCRYPT '05, Proceedings of the 24th Annual International Conference on Theory and Applications of Cryptographic Techniques.
Black-box reductions and separations in cryptography. AFRICACRYPT '12, Proceedings of the 5th International Conference on Cryptology in Africa.
Why "Fiat-Shamir for proofs" lacks a proof. TCC '13, Proceedings of the 10th Theory of Cryptography Conference on Theory of Cryptography.
The Schnorr signature scheme has been known to be provably secure in the Random Oracle Model under the Discrete Logarithm (DL) assumption since the work of Pointcheval and Stern (EUROCRYPT '96), though at the price of a very loose reduction: if there is a forger making at most $q_h$ random oracle queries and forging signatures with probability $\varepsilon_F$, then the Forking Lemma shows that one can compute discrete logarithms with constant probability by rewinding the forger $O(q_h/\varepsilon_F)$ times. In other words, the security reduction loses a factor $O(q_h)$ in its time-to-success ratio. This is rather unsatisfactory since $q_h$ may be quite large. Yet Paillier and Vergnaud (ASIACRYPT 2005) later showed that under the One More Discrete Logarithm (OMDL) assumption, any algebraic reduction must lose a factor of at least $q_h^{1/2}$ in its time-to-success ratio. This was later improved by Garg et al. (CRYPTO 2008) to a factor $q_h^{2/3}$. Up to now, the gap between $q_h^{2/3}$ and $q_h$ remained open. In this paper, we show that the security proof using the Forking Lemma is essentially the best possible. Namely, under the OMDL assumption, any algebraic reduction must lose a factor $f(\varepsilon_F)\,q_h$ in its time-to-success ratio, where $f \le 1$ is a function that remains close to 1 as long as $\varepsilon_F$ is noticeably smaller than 1. Using a formulation in terms of expected-time and expected-query algorithms, we obtain an optimal loss factor $\Omega(q_h)$, independently of $\varepsilon_F$. These results apply to other signature schemes based on one-way group homomorphisms, such as the Guillou-Quisquater signature scheme.
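As an added illustration (not code from the paper or from any of the works listed above), the algebra that the Forking Lemma's reduction relies on: two Schnorr transcripts produced from the same commitment $R$ but under two different random-oracle answers $c \ne c'$ determine the discrete logarithm of the public key, which is why a single successful rewind suffices and why the cost is dominated by the number of rewinds needed to hit that fork. The group parameters, message and challenge values are constructed toy values chosen only to keep the arithmetic visible.

```python
import hashlib
import secrets

# Toy group (constructed for illustration): p = 2q + 1 with q prime,
# g = 4 generates the order-q subgroup of Z_p^*. Far too small for real use.
P, Q, G = 2039, 1019, 4


def hash_challenge(R, msg):
    """Random oracle H(R, m) -> Z_q, instantiated here with SHA-256."""
    h = hashlib.sha256(R.to_bytes(2, "big") + msg).digest()
    return int.from_bytes(h, "big") % Q


def keygen():
    x = secrets.randbelow(Q - 1) + 1        # secret key in [1, q-1]
    return x, pow(G, x, P)                  # (x, y = g^x mod p)


def sign(x, msg, k=None):
    """Schnorr signature (R, s): R = g^k, s = k + H(R, m) * x mod q."""
    k = secrets.randbelow(Q - 1) + 1 if k is None else k
    R = pow(G, k, P)
    return R, (k + hash_challenge(R, msg) * x) % Q


def verify(y, msg, sig):
    R, s = sig
    c = hash_challenge(R, msg)
    return 0 < R < P and pow(G, s, P) == (R * pow(y, c, P)) % P


def extract_dlog(c1, s1, c2, s2):
    """Forking-Lemma extractor: two valid transcripts on the same R with
    c1 != c2 satisfy s1 - s2 = (c1 - c2) * x mod q, so x follows."""
    if c1 == c2:
        raise ValueError("fork failed: equal challenges, nothing to extract")
    return ((s1 - s2) * pow(c1 - c2, -1, Q)) % Q


def forked_forger_demo():
    """Model one successful rewind: the 'forger' (here, the honest signer)
    is run twice from the same commitment R, with the random oracle
    answering H(R, m) differently each time. Returns (recovered x, true x)."""
    x, y = keygen()
    k = secrets.randbelow(Q - 1) + 1
    R = pow(G, k, P)
    c1, c2 = 17, 923                        # two oracle programmings, c1 != c2
    s1, s2 = (k + c1 * x) % Q, (k + c2 * x) % Q
    assert pow(G, s1, P) == (R * pow(y, c1, P)) % P  # both transcripts verify
    return extract_dlog(c1, s1, c2, s2), x
```

The reduction's $O(q_h/\varepsilon_F)$ cost comes entirely from arranging that the forger reuses the same oracle query on the rewound run; once it does, extraction is the single modular division above.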