Abstract
The Schnorr signature scheme is an efficient digital signature scheme with short signature lengths, i.e., 4k-bit signatures for k bits of security. A Schnorr signature \(\sigma \) over a group of size \(p\approx 2^{2k}\) consists of a tuple (s, e), where \(e \in \{0,1\}^{2k}\) is a hash output and \(s\in \mathbb {Z}_p\) must be computed using the secret key. While the hash output e requires 2k bits to encode, Schnorr proposed that it might be possible to truncate the hash value without adversely impacting security.
In this paper, we prove that short Schnorr signatures of length 3k bits provide k bits of multi-user security in the (Shoup’s) generic group model and the programmable random oracle model. We further analyze the multi-user security of key-prefixed short Schnorr signatures against preprocessing attacks, showing that it is possible to obtain secure signatures of length \(3k + \log S + \log N\) bits. Here, N denotes the number of users and S denotes the size of the hint generated by our preprocessing attacker, e.g., if \(S=2^{k/2}\), then we would obtain secure 3.75k-bit signatures for groups of up to \(N \le 2^{k/4}\) users.
Our techniques easily generalize to several other Fiat-Shamir-based signature schemes, allowing us to establish analogous results for Chaum-Pedersen signatures and Katz-Wang signatures. As a building block, we also analyze the 1-out-of-N discrete-log problem in the generic group model, with and without preprocessing.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
The authors of [KMP16] pointed out that their analysis can be adapted to demonstrate multi-user security of short Schnorr signatures (private communication) though the paper itself never discusses short Schnorr signatures. Furthermore, their proof is in a different version of the generic group model which is not suitable for analyzing preprocessing attacks. See discussion in the full version [BL19].
- 2.
We can compute I without knowledge of x because \(\tau (x)\) is given as public key.
- 3.
Note that \((\vec {a},b)\ne (\vec {c},d)\) implies \(\vec {a}\ne \vec {c}\) since if \(\vec {a}=\vec {c}\) then \(\vec {a}\cdot \vec {x}+b=\vec {a}\cdot \vec {x}+d\) implies \(b=d\) as \(b,d\in {\mathbb {Z}_p} \).
- 4.
See the link: https://engineering.fb.com/2014/04/10/core-data/scaling-the-facebook-data-warehouse-to (Retrieved 2/20/2021).
References
Kilinc Alper, H., Burdges, J.: Two-round trip Schnorr multi-signatures via delinearized witnesses. Cryptology ePrint Archive, Report 2020/1245 (2020). https://eprint.iacr.org/2020/1245
Bagherzandi, A., Cheon, J.H., Jarecki, S.: Multisignatures secure under the discrete logarithm assumption and a generalized forking lemma. In: Ning, P., Syverson, P.F., Jha, S. (eds.) ACM CCS 2008, pp. 449–458. ACM Press, October 2008
Bellare, M., Dai, W.: The multi-base discrete logarithm problem: tight reductions and non-rewinding proofs for Schnorr identification and signatures. In: Bhargavan, K., Oswald, E., Prabhakaran, M. (eds.) INDOCRYPT 2020. LNCS, vol. 12578, pp. 529–552. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-65277-7_24
Bernstein, D.J.: Multi-user Schnorr security, revisited. Cryptology ePrint Archive, Report 2015/996 (2015). http://eprint.iacr.org/2015/996
Bernstein, D.J., Lange, T.: Two grumpy giants and a baby. Cryptology ePrint Archive, Report 2012/294 (2012). http://eprint.iacr.org/2012/294
bibitem[BL19]ch21cryptoeprint:2019:1105 Blocki, J., Lee, S.: On the multi-user security of short Schnorr signatures with preprocessing. Cryptology ePrint Archive, Report 2019/1105 (2019). https://ia.cr/2019/1105
Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. J. Cryptol. 17(4), 297–319 (2004). https://doi.org/10.1007/s00145-004-0314-9
Bellare, M., Neven, G.: Multi-signatures in the plain public-key model and a general forking lemma. In: Juels, A., Wright, R.N., De Capitani di Vimercati, S. (eds.) ACM CCS 2006, pp. 390–399. ACM Press, October/November 2006
Bellare, M., Namprempre, C., Pointcheval, D., Semanko, M.: The one-more-RSA-inversion problems and the security of Chaum’s blind signature scheme. J. Cryptol. 16(3), 185–215 (2003). https://doi.org/10.1007/s00145-002-0120-1
Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Denning, D.E., Pyle, R., Ganesan, R., Sandhu, R.S., Ashby, V. (eds.) ACM CCS 1993, pp. 62–73. ACM Press, November 1993
Corrigan-Gibbs, H., Kogan, D.: The discrete-logarithm problem with preprocessing. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part II. LNCS, vol. 10821, pp. 415–447. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_14
Chaum, D., Pedersen, T.P.: Wallet databases with observers. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 89–105. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-48071-4_7
Drijvers, M., et al.: On the security of two-round multi-signatures. In: 2019 IEEE Symposium on Security and Privacy, pp. 1084–1101. IEEE Computer Society Press, May 2019
Dent, A.W.: Adapting the weaknesses of the random oracle model to the generic group model. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 100–109. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-36178-2_6
Derler, D., Slamanig, D.: Key-homomorphic signatures: definitions and applications to multiparty signatures and non-interactive zero-knowledge. Des. Codes Cryptogr. 87(6), 1373–1413 (2018). https://doi.org/10.1007/s10623-018-0535-9
Fischlin, M.: A note on security proofs in the generic model. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 458–469. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_35
Federal Office for Information Security. Elliptic curve cryptography, version 2.1. Technical Guideline BSI TR-03111, June 2018
Fleischhacker, N., Jager, T., Schröder, D.: On tight security proofs for Schnorr signatures. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part I. LNCS, vol. 8873, pp. 512–531. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_27
Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12
International Organization for Standardization and International Electrotechnical Commission. It security techniques - digital signatures with appendix - part 3: Discrete logarithm based mechanisms. ISO/IEC 14888–3, November 2018
Freeman, D., Scott, M., Teske, E.: A taxonomy of pairing-friendly elliptic curves. J. Cryptol. 23(2), 224–280 (2010). https://doi.org/10.1007/s00145-009-9048-z
Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 54th FOCS, pp. 40–49. IEEE Computer Society Press, October 2013
Gaudry, P., Hess, F., Smart, N.P.: Constructive and destructive facets of Weil descent on elliptic curves. J. Cryptol. 15(1), 19–46 (2002). https://doi.org/10.1007/s00145-001-0011-x
Galbraith, S., Malone-Lee, J., Smart, N.P.: Public key signatures in the multi-user setting. Inf. Process. Lett. 83(5), 263–266 (2002)
Galbraith, S.D., Wang, P., Zhang, F.: Computing elliptic curve discrete logarithms with improved baby-step giant-step algorithm. Cryptology ePrint Archive, Report 2015/605 (2015). http://eprint.iacr.org/2015/605
Hao, F.: Schnorr Non-interactive Zero-Knowledge Proof. RFC 8235, September 2017
Johnson, D., Menezes, A., Vanstone, S.: The elliptic curve digital signature algorithm (ECDSA). Int. J. Inf. Secur. 1(1), 36–63 (2001). https://doi.org/10.1007/s102070100002
Jager, T., Schwenk, J.: On the equivalence of generic group models. In: Baek, J., Bao, F., Chen, K., Lai, X. (eds.) ProvSec 2008. LNCS, vol. 5324, pp. 200–209. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-88733-1_14
Koblitz, N., Menezes, A.: Another look at generic groups (2007)
Kiltz, E., Masny, D., Pan, J.: Optimal security proofs for signatures from identification schemes. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part II. LNCS, vol. 9815, pp. 33–61. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_2
Katz, J., Wang, N.: Efficiency improvements for signature schemes with tight security reductions. In: Jajodia, S., Atluri, V., Jaeger, T. (eds.) ACM CCS 2003, pp. 155–164. ACM Press, October 2003
Liang, B., Mitrokotsa, A.: Fast and adaptively secure signatures in the random oracle model from indistinguishability obfuscation. Cryptology ePrint Archive, Report 2017/969 (2017). http://eprint.iacr.org/2017/969
Maxwell, G., Poelstra, A., Seurin, Y., Wuille, P.: Simple Schnorr multi-signatures with applications to bitcoin. Des. Codes Cryptogr. 87(9), 2139–2164 (2019). https://doi.org/10.1007/s10623-019-00608-x
Menezes, A., Vanstone, S.A., Okamoto, T.: Reducing elliptic curve logarithms to logarithms in a finite field. In: 23rd ACM STOC, pp. 80–89. ACM Press, May 1991
Nechaev, V.I.: Complexity of a determinate algorithm for the discrete logarithm. Math. Notes 55, 165–172 (1994). https://doi.org/10.1007/BF02113297
Nick, J., Ruffing, T., Seurin, Y.: MuSig2: simple two-round Schnorr multi-signatures. Cryptology ePrint Archive, Report 2020/1261 (2020). https://eprint.iacr.org/2020/1261
Nick, J., Ruffing, T., Seurin, Y., Wuille, P.: MuSig-DN: Schnorr multi-signatures with verifiably deterministic nonces. Cryptology ePrint Archive, Report 2020/1057 (2020). https://eprint.iacr.org/2020/1057
Neven, G., Smart, N., Warinschi, B.: Hash function requirements for Schnorr signatures. J. Math. Cryptol. 3, 05 (2009)
Pohlig, S., Hellman, M.: An improved algorithm for computing logarithms over \(GF(p)\) and its cryptographic significance (corresp.). IEEE Trans. Inf. Theor. 24(1), 106–110 (2006)
Pollard, J.M.: Monte Carlo methods for index computation mod \(p\). Math. Comput. 32, 918–924 (1978)
Pointcheval, D., Stern, J.: Security proofs for signature schemes. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 387–398. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_33
Ramchen, K., Waters, B.: Fully secure and fast signing from obfuscation. In: Ahn, G.-J., Yung, M., Li, N. (eds.) ACM CCS 2014, pp. 659–673. ACM Press, November 2014
Schnorr, C.-P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_22
Seurin, Y.: On the Exact security of Schnorr-type signatures in the random oracle model. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 554–571. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_33
Shanks, D.: Class number, a theory of factorization, and genera. In: 1969 Number Theory Institute (Proceedings of Symposia in Pure Mathematics, Vol. XX, State University of New York, Stony Brook, N.Y., 1969), pp. 415–440 (1971)
Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_18
Schnorr, C.-P., Jakobsson, M.: Security of signed ElGamal encryption. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 73–89. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_7
Smart, N.P.: The discrete logarithm problem on elliptic curves of trace one. J. Cryptol. 12(3), 193–196 (1999). https://doi.org/10.1007/s001459900052
Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. In: Shmoys, D.B. (ed.) 46th ACM STOC, pp. 475–484. ACM Press, May/June 2014
Wang, P., Zhang, F.: Computing elliptic curve discrete logarithms with the negation map. Cryptology ePrint Archive, Report 2011/008 (2011). http://eprint.iacr.org/2011/008
Acknowledgements
Jeremiah Blocki was supported in part by the National Science Foundation under NSF CAREER Award CNS-2047272 and NSF Awards CNS-1704587 and CNS-1755708 and CCF-1910659. Seunghoon Lee was supported in part by NSF Award CNS-1755708 and by the Center for Science of Information (NSF CCF-0939370). The opinions in this paper are those of the authors and do not necessarily reflect the position of the National Science Foundation.
Author information
Authors and Affiliations
Corresponding authors
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 International Association for Cryptologic Research
About this paper
Cite this paper
Blocki, J., Lee, S. (2022). On the Multi-user Security of Short Schnorr Signatures with Preprocessing. In: Dunkelman, O., Dziembowski, S. (eds) Advances in Cryptology – EUROCRYPT 2022. EUROCRYPT 2022. Lecture Notes in Computer Science, vol 13276. Springer, Cham. https://doi.org/10.1007/978-3-031-07085-3_21
Download citation
DOI: https://doi.org/10.1007/978-3-031-07085-3_21
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-07084-6
Online ISBN: 978-3-031-07085-3
eBook Packages: Computer ScienceComputer Science (R0)