Proceedings Information and Communications Security (ICICS 2001, November 13–16, Xian, China), Eds. S. Qing, T. Okamoto, J. Zhou, Springer-Verlag, LNCS 2229, pages 1–12

Security of Blind Discrete Log Signatures Against Interactive Attacks

Claus Peter Schnorr
Fachbereiche Mathematik/Informatik, Universität Frankfurt, PSF 111932, D-60054 Frankfurt am Main, Germany, schnorr@cs.uni-frankfurt.de

Abstract. We present a novel parallel one-more signature forgery against blind Okamoto-Schnorr and blind Schnorr signatures in which an attacker interacts some $l$ times with a legitimate signer and produces from these interactions $l+1$ signatures. Security against the new attack requires that the following ROS-problem is intractable: find an overdetermined, solvable system of linear equations modulo $q$ with random inhomogeneities (right sides). There is an inherent weakness in the security result of Pointcheval and Stern. Theorem 26 [PS00] does not cover attacks with 4 parallel interactions for elliptic curves of order $2^{200}$. That would require the intractability of the ROS-problem, a plausible but novel complexity assumption. Conversely, assuming the intractability of the ROS-problem, we show that Schnorr signatures are secure in the random oracle and generic group model against the one-more signature forgery.
1 Introduction and Summary

We study the security of blind Schnorr signatures and blind Okamoto-Schnorr signatures against the one-more signature forgery in which an attacker interacts some $l$ times with the legitimate signer and produces from these $l$ interactions $l+1$ signatures. Let these signatures be based on the discrete logarithm of an arbitrary group $G$ of prime order $q$, e.g. an elliptic or hyperelliptic curve or a subgroup of units in $\mathbb{Z}_n$ for a composite or prime module $n$. We introduce the novel parallel attack that succeeds in a one-more signature forgery against blind Schnorr signatures and blind Okamoto-Schnorr signatures with the same efficiency. The attack is in the Random Oracle and Generic Group Model (ROM + GM) explained in Section 3. The new attack merely requires a solution of the ROS-problem, a possibly intractable problem: find an overdetermined, solvable system of linear equations modulo $q$ with random inhomogeneities. Specifically, given a system of $t > l$ linear equations modulo $q$ in $l$ unknowns with random inhomogeneities (right sides), find a solvable subsystem of $l+1$ equations; a solvable subsystem corresponds to an $(l+1) \times l$-submatrix of rank $l$. The new parallel attack has the interesting feature of not depending on the public key. Traditional security proofs do not seem to work in the presence of such an attack. Usually, traditional security proofs use the attacker to solve a DL-problem or a decisional Diffie-Hellman-problem associated with the public key. However, the generic parallel attack uses a solution of the ROS-problem that is not related to the public key, and thus the attacker cannot be used to solve a DL- or a DDH-problem. How could [PS00,PS96b] prove security? Theorem 26 of [PS00] only covers cases where solutions of the ROS-problem exist with negligible probability. While Theorem 26 [PS00] is optimal in the traditional security model, the new attack points to an inherent weakness of this result. Theorem 26 of [PS00] shows that an attacker mounting a one-more signature forgery with a probability of success $\varepsilon > 4Q^{l+1}/q$ can be used to compute a discrete logarithm.[fn1] Here $Q$ is the number of hash queries, $l$ is the number of interactions with the signer and $q$ is the prime order of the group $G$. For an elliptic curve $G$ of order $q \approx 2^{200}$ and $Q = 2^{50}$ we must have $l \le 3$ as $\varepsilon \le 1$. For a subgroup $G$ of units of order $2^{1000}$ we must have $l \le 20$. The security for larger values of $l$ is an open problem [PS00].

Our generic parallel attack shows that the security of blind DL-signatures against one-more signature forgeries requires the intractability of the ROS-problem. The ROS-problem is related to an NP-complete problem [H97]. Conversely, assuming the intractability of the ROS-problem, Theorem 2 gives a practical security guarantee for blind Schnorr signatures in the ROM + GM. A generic attacker performing $t$ generic steps, including some $l$ interactions with the signer, cannot produce $l+1$ signatures with a better probability than $\binom{t}{2}/q$. For elliptic curves $G$ of order $q \approx 2^{200}$ this guarantee covers up to $t = 2^{100}$ generic steps including up to $2^{100}$ parallel signer interactions that can be interleaved in an arbitrary way. Blind Schnorr signatures have the same security level in the ROM + GM as the double-keyed blind Okamoto-Schnorr signatures, thus reducing a considerable overhead. Our result suggests using blind Schnorr signatures in connection with strong elliptic/hyperelliptic curves rather than double-keyed blind Okamoto-Schnorr signatures with subgroups of units. We prove security of the most practical schemes under reasonable assumptions. The less practical schemes of [P98], [AO00] are provably secure for a polynomial number of interactions, but some restrictions apply.[fn2] The security proofs of [P98], [AO00] do not use the GM. The new attack does not apply to the less simple signatures of [A01].

[fn1] In terms of asymptotic bounds the security results of Pointcheval, Stern [PS96b,PS00] show that blind Okamoto-Schnorr signatures are secure against parallel interactive attacks provided that the number of interactions with the signer is poly-logarithmic, polylog$(|q|)$ for the binary length $|q|$ of $q$. The polylog bound on the number of signer interactions has not been explicitly mentioned in [P00] but it is required as the proof is based on the results of [PS00]. In [P98] a third party, the checker, has been introduced, and it is shown that the resulting three-party signature protocol is secure for a polynomial number of synchronized signer interactions, where the synchronization forces the completion of each step for all the different protocol invocations before the next step of any other invocation is started. The [AO00] scheme uses the [P98] scheme, thus the same restrictions apply.

[fn2] Is the GM-assumption too strong? Contrary to claims of previous anonymous referees we are not aware of a practical cryptographic scheme that is secure in the ROM + GM but is insecure in reality. [CGH98] give a very intricate example of a secure scheme in ROM (only) that does not have a secure implementation. Of course the random hash function must be independent of the generic group [F00]. Moreover, Fischlin [F00] shows that generic verifier zero-knowledge is provably weaker than black-box TM verifier zero-knowledge. There are two reasons [Sc01b]: firstly, generic verifiers are more restricted than TM-verifiers; secondly, black-box simulators are less powerful than generic verifier simulators that control the generic group steps. Fischlin's result does not amount to a security break as we do not know that generic verifier zero-knowledge is weaker than "general" TM-verifier zero-knowledge. The restriction via the black-box mode may be too rigid.

The paper is organized as follows. We present in Section 2 blind Schnorr signatures and the novel parallel attack against blind Schnorr and against blind Okamoto-Schnorr signatures. We determine in Theorem 1 the probability for the existence of a solution for the ROS-problem. In Section 3 we describe the ROM + GM as introduced in [SJ00]. Assuming the intractability of the ROS-problem we give in Section 4, Theorem 2, a practical security guarantee for blind Schnorr signatures in the ROM + GM.
2 Blind Schnorr Signatures and the Parallel Attack

We are interested in blind signatures as required for anonymous digital cash. Blind signatures are generated by an interaction with the signer who controls the secret signature key. Schnorr signatures refer to an arbitrary group $G$ of prime order $q$ and an arbitrary message space $M$. We describe signer interactions, an interactive protocol that enables a user to generate Schnorr signatures of messages of its choice. We first describe the setting and the structure of the signatures, after which we review the protocol for generation of signatures. We also show how to generate blind signatures of the same type. Signatures will be based on an ideal hash function $H : G \times M \to \mathbb{Z}_q$, where $M$ is the set of messages.

Private/public key pairs. The private key $x$ of the signer is random in $\mathbb{Z}_q$. The public key is $h = g^x \in G$, a random group element. We have the corresponding $x = \log_g h$.

Signatures. A Schnorr signature on a message $m$ is a triple $(m, c, z) \in M \times \mathbb{Z}_q^2$ such that $H(g^z h^{-c}, m) = c$. For this paper, we let signatures $(m, c, z)$ comprise the message.

Signing a message $m \in M$: Pick a random $r \in_R \mathbb{Z}_q$, compute $g^r$, $c := H(g^r, m)$ and $z := r + cx$. Output the signature $(m, c, z)$. The result is a valid signature since we have $g^z h^{-c} = g^{r+cx} h^{-c} = g^r$, and thus $H(g^z h^{-c}, m) = c$. We call a signature $(m, c, z)$ constructed by this protocol a standard signature.

A signer interaction is a three round interactive protocol between the signer and a user. The signer picks a random $r \in_R \mathbb{Z}_q$ and sends the commitment $g^r$ to the user. The user selects a challenge $c \in \mathbb{Z}_q$ and sends $c$. The signer responds by sending $z := r + cx \in \mathbb{Z}_q$. We let $(r, c, z) \in \mathbb{Z}_q^3$ denote the signer interaction consisting of the signer's random coin $r$, the user's challenge $c$ and the signer's response $z$. A signer interaction $(r, c, z)$ can be used to generate the standard signature $(m, c, z)$, where $c := H(g^r, m)$, or a transformation $(m, c', z')$ of this signature.

Blind Signature Protocol. We call the signature protocol blind if it generates a signature $(m, c', z')$ that is statistically independent of the interaction $(r, c, z)$ that provides the view of the signer. Later on, blind signatures cannot be identified and related to the signer interaction. The blindness concept is from [CP92]. To generate a blind signature $(m, c', z')$ the user picks random numbers $\alpha, \beta \in_R \mathbb{Z}_q$, and responds to the commitment $g^r$ by sending the challenge $c = H(g^{r+\alpha} h^{\beta}, m) + \beta \in \mathbb{Z}_q$. After receiving $z = r + cx \in \mathbb{Z}_q$ he computes $z' = z + \alpha$, $c' = c - \beta$.

Validity. For the output of the interaction $(m, c', z') = (m, c - \beta, z + \alpha)$ we have $g^{z'} h^{-c'} = g^{r + cx + \alpha} h^{-c + \beta} = g^{r + \alpha} h^{\beta}$. Hence $H(g^{z'} h^{-c'}, m) = c - \beta = c'$, and thus $(m, c', z')$ is a valid signature.

Blindness Property. The generated signature $(m, c - \beta, z + \alpha)$ is, for a constant interaction $(r, c, z)$, uniformly distributed over all signatures on message $m$ due to the random $\alpha, \beta \in_R \mathbb{Z}_q$. Each signature $(m, c', z')$ is produced for a unique pair $(\alpha, \beta)$: $\alpha = z' - z$, $\beta = c - c'$.
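The standard and the blind signing protocol above, worked as an added example (not code from the paper): a signer that runs the three-round interaction, a user that blinds the challenge and unblinds the response, the verification equation, and a check of the blindness property by recovering the pair (alpha, beta) from signature and signer view. The group (order q = 1019 in Z_p^* with p = 2039) and the SHA-256 stand-in for the ideal hash are constructed assumptions.

```python
"""Blind Schnorr signatures of Section 2 over a constructed toy group.

Added illustration, not code from the paper. Assumptions (not from the page):
the order-q subgroup of Z_p^* with q = 1019, p = 2q + 1 = 2039, and the ideal
hash H(u, m) replaced by SHA-256 of the pair reduced modulo q.
"""
import hashlib
import random

P = 2039            # constructed safe prime p = 2q + 1
Q = 1019            # prime group order q
G = pow(2, 2, P)    # a quadratic residue, hence a generator of order q


def H(u, m):
    """H : G x M -> Z_q, here SHA-256 of (u, m) reduced modulo q."""
    digest = hashlib.sha256(f"{u}|{m}".encode()).digest()
    return int.from_bytes(digest, "big") % Q


def keygen(rng):
    """Private key x random in Z_q, public key h = g^x."""
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)


def verify(h, sig):
    """(m, c, z) is a valid signature iff H(g^z h^-c, m) = c."""
    m, c, z = sig
    u = pow(G, z, P) * pow(h, (-c) % Q, P) % P
    return H(u, m) == c


def standard_sign(x, m, rng):
    """Non-interactive signing: r random, c = H(g^r, m), z = r + c x."""
    r = rng.randrange(1, Q)
    c = H(pow(G, r, P), m)
    return (m, c, (r + c * x) % Q)


class Signer:
    """Runs the three-round signer interaction (r, c, z) with secret x."""

    def __init__(self, x, rng):
        self.x, self.rng, self.r = x, rng, None

    def commit(self):
        self.r = self.rng.randrange(1, Q)
        return pow(G, self.r, P)            # commitment g^r

    def respond(self, c):
        return (self.r + c * self.x) % Q    # response z = r + c x


def blind_sign(signer, h, m, rng):
    """User side of the blind protocol. Returns the signature (m, c', z'),
    the blinding pair (alpha, beta) and the signer's view (c, z)."""
    gr = signer.commit()
    alpha, beta = rng.randrange(Q), rng.randrange(Q)
    # blinded challenge c = H(g^{r+alpha} h^beta, m) + beta
    u = gr * pow(G, alpha, P) * pow(h, beta, P) % P
    c = (H(u, m) + beta) % Q
    z = signer.respond(c)
    # unblinding: z' = z + alpha, c' = c - beta
    return (m, (c - beta) % Q, (z + alpha) % Q), (alpha, beta), (c, z)


def recover_blinding(sig, view):
    """Blindness property: (m, c', z') fixes the unique pair
    alpha = z' - z, beta = c - c' relative to the signer's view (c, z)."""
    _, c_prime, z_prime = sig
    c, z = view
    return (z_prime - z) % Q, (c - c_prime) % Q


def demo(seed=7):
    """Returns whether the standard and the blind signature verify and
    whether the blinding pair is recovered from signature and view."""
    rng = random.Random(seed)
    x, h = keygen(rng)
    std_ok = verify(h, standard_sign(x, "invoice 42", rng))
    sig, blinding, view = blind_sign(Signer(x, rng), h, "coin#1", rng)
    return {
        "standard_valid": std_ok,
        "blind_valid": verify(h, sig),
        "blinding_recovered": recover_blinding(sig, view) == blinding,
    }


if __name__ == "__main__":
    print(demo())
```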
2.1 A New Parallel Attack Against Blind Schnorr Signatures

We present a variant of the attack that does not even use the generator $g$ and the public key $h$. We first present the attack for Schnorr signatures. Thereafter, we extend it to Okamoto-Schnorr signatures. We show that Okamoto-Schnorr signatures do not protect better against the attack than plain Schnorr signatures.

The new attack uses a solution of the following ROS-problem: Find an overdetermined, solvable system of linear equations modulo $q$ with random inhomogeneities. Specifically, given an oracle random function $F : \mathbb{Z}_q^l \to \mathbb{Z}_q$, find coefficients $a_{k,\ell} \in \mathbb{Z}_q$ and a solvable system of $l+1$ distinct equations (1) in the unknowns $c_1, \dots, c_l$ over $\mathbb{Z}_q$:

$$a_{k,1} c_1 + \dots + a_{k,l} c_l = F(a_{k,1}, \dots, a_{k,l}) \quad \text{for } k = 1, \dots, t. \qquad (1)$$

We evaluate the expected number of solvable subsystems consisting of $l+1$ out of $t$ equations (1).

Theorem 1. For arbitrary coefficients $a_{k,\ell} \in \mathbb{Z}_q$, the average number of solvable subsystems of $l+1$ out of the $t$ equations (1) is at most $\binom{t}{l+1}/q$. For statistically independent coefficients $a_{k,\ell} \in_R \mathbb{Z}_q$ the average number of solvable subsystems is $\binom{t}{l+1} q^{-1} (1 - q^{-1} + O(q^{-2}))$.

Proof. Consider a constant selection of $l+1$ out of the $t$ equations (1) with arbitrary coefficients $a_{k,\ell}$. Let the subsystem have $s$ linearly independent vectors $(a_{k,1}, \dots, a_{k,l}) \in \mathbb{Z}_q^l$. The subsystem is solvable if and only if the rank of the submatrix of the corresponding vectors $(a_{k,1}, \dots, a_{k,l}, F(a_{k,1}, \dots, a_{k,l}))$ is $s$. The probability that the subsystem is solvable has a maximum $q^{-1}$ for $s = l$. For $s = l$ the $l$ linearly independent equations have a unique solution and that solution satisfies the remaining equation with probability $q^{-1}$. As there are $\binom{t}{l+1}$ selections out of $t$, the average number of solvable subsystems is at most $\binom{t}{l+1}/q$. Next, consider random coefficients $a_{k,\ell} \in_R \mathbb{Z}_q$. Then $l$ vectors $(a_{k,1}, \dots, a_{k,l})$ are linearly independent with probability $(1 - q^{-1})(1 - q^{-2}) \cdots (1 - q^{-l+1})$. Hence, a constant selection of $l+1$ equations (1) is solvable with probability $q^{-1}(1 - q^{-1} + O(q^{-2}))$. Consider two distinct selections of $l+1$ equations. The solvability of two systems of $l+1$ equations is (nearly) statistically independent as the systems differ in at least one random value $F(a_{k,1}, \dots, a_{k,l})$. The law of large numbers holds for a sequence of pairwise independent, identically distributed random variables. Therefore, the expected number of solvable subsystems with $l+1$ equations is $\binom{t}{l+1} q^{-1} (1 - q^{-1} + O(q^{-2}))$. □

The attack against Schnorr signatures. The signer sends commitments $g_1 = g^{r_1}, \dots, g_l = g^{r_l}$. The attacker $A$ selects $a_{k,1}, \dots, a_{k,l} \in \mathbb{Z}_q$ and messages $m_1, \dots, m_t$, and computes $f_k = g_1^{a_{k,1}} \cdots g_l^{a_{k,l}}$ and $H(f_k, m_k)$ for $k = 1, \dots, t$. Then $A$ solves $l+1$ of the $t$ equations (2) in the unknowns $c_1, \dots, c_l$ over $\mathbb{Z}_q$:

$$H(f_k, m_k) = \sum_{\ell=1}^{l} a_{k,\ell} c_\ell \quad \text{for } k = 1, \dots, t. \qquad (2)$$

$A$ sends the solutions $c_1, \dots, c_l$ as challenges to the signer. The signer sends back $z_\ell := r_\ell + c_\ell x \in \mathbb{Z}_q$ for $\ell = 1, \dots, l$. For each solved equation (2), the attacker gets a valid signature $(m_k, c'_k, z'_k)$ by setting $c'_k := \sum_{\ell=1}^{l} a_{k,\ell} c_\ell = H(f_k, m_k)$ and $z'_k := \sum_{\ell=1}^{l} a_{k,\ell} z_\ell$.

Correctness. The equations (2) imply that $g^{z'_k} h^{-c'_k} = g_1^{a_{k,1}} \cdots g_l^{a_{k,l}} = f_k$ and $H(g^{z'_k} h^{-c'_k}, m_k) = c'_k$. In the ROM the values $H(f_k, m_k)$ are random. The coefficients $a_{k,\ell}$ selected by the attacker are arbitrary values. The solution $(c_1, \dots, c_l)$ of $l+1$ of the $t$ equations (2) does not depend on $g, h$. As $A$ does not use $g, h$, $A$ cannot help in black-box mode to compute $\log_g h$ or to solve a Diffie-Hellman or a decisional Diffie-Hellman problem related to $h$.

The new attack is generic; it works for arbitrary groups with an efficient multiplication. We call it the generic, parallel attack. The attack is intrinsically parallel. Theorem 1 shows that the number $l$ of parallel interactions with the signer must be at least logarithmic in $q$. Otherwise, the probability $\binom{t}{l+1}/q$ for the existence of a solvable subsystem of $l+1$ equations (2) is negligible.

The attack against Okamoto-Schnorr signatures. We follow the notation of [PS00]. There are two public keys $h$ and $y = g^r h^s$ for random secret keys $r, s \in_R \mathbb{Z}_q$, while $\log_g h$ is unknown. A signature of message $m$ is a tuple $(m, \varepsilon, \rho, \sigma) \in M \times \mathbb{Z}_q^3$ satisfying $H(g^{\rho} h^{\sigma} y^{-\varepsilon}, m) = \varepsilon$. The signer picks random $t_\ell, u_\ell \in_R \mathbb{Z}_q$ and sends commitments $g_\ell = g^{t_\ell} h^{u_\ell}$ for $\ell = 1, \dots, l$. The attacker $A$ selects coefficients $a_{k,\ell} \in \mathbb{Z}_q$ and messages $m_1, \dots, m_t$, and computes $f_k = g_1^{a_{k,1}} \cdots g_l^{a_{k,l}}$ and $H(f_k, m_k)$ for $k = 1, \dots, t$. $A$ solves $l+1$ of the $t$ linear equations (2) modulo $q$ in the unknowns $c_1, \dots, c_l$. $A$ sends the solutions $c_1, \dots, c_l$ as challenges to the signer. The signer sends back $R_\ell := t_\ell + c_\ell r$, $S_\ell := u_\ell + c_\ell s \in \mathbb{Z}_q$ for $\ell = 1, \dots, l$. For each solved equation (2) $A$ gets a valid signature $(m_k, \varepsilon_k, \rho_k, \sigma_k)$ by setting $\varepsilon_k = H(f_k, m_k) = \sum_{\ell=1}^{l} a_{k,\ell} c_\ell$, $\rho_k = \sum_{\ell=1}^{l} a_{k,\ell} R_\ell$, $\sigma_k = \sum_{\ell=1}^{l} a_{k,\ell} S_\ell$.

Correctness. From the equations (2) we get that $g^{\rho_k} h^{\sigma_k} y^{-\varepsilon_k} = \prod_{\ell=1}^{l} g_\ell^{a_{k,\ell}} = f_k$ and $H(g^{\rho_k} h^{\sigma_k} y^{-\varepsilon_k}, m_k) = \varepsilon_k$.

Conclusion. The generic parallel attack $A$ does not use the public $g, h, y$. Thus, it is impossible to use a successful attacker to solve a DL-, DH- or DDH-problem. The generic, parallel attack has been excluded in Theorem 26 [PS00] by assuming that the attacker has a probability of success $\varepsilon > 4t^{l+1}/q$, which is greater than the probability $\binom{t}{l+1}/q$ for the existence of a solvable subsystem of $l+1$ equations (2). The second part of Theorem 1 shows that solutions to the ROS-problem are very likely to exist for $l = 4$, $t = 2^{50}$ and $q \approx 2^{200}$. The generic parallel attack is possible for $l = 4$ parallel interactions and $t = 2^{50}$ hash queries for elliptic curves of order $q \approx 2^{200}$. A meaningful security guarantee for elliptic curves of order $2^{200}$ requires that solvable subsystems of $l+1$ equations (2) are hard to find.
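Theorem 1 worked as an added example (not code from the paper): for a toy prime q every (l+1)-row subsystem of t random equations (1) is tested for solvability by Gaussian elimination modulo q, the count is compared with the bound $\binom{t}{l+1}/q$, and the same test is run on rows restricted to a single unknown each, the shape a sequential attacker is limited to (Section 4), where a solvable subsystem needs two rows on the same unknown that happen to agree. The parameters q = 1019, t = 25, l = 3 and the seeded pseudo-random stand-in for the oracle F are constructed assumptions.

```python
"""Theorem 1 in miniature: the ROS-problem for a toy prime q.

Added illustration, not code from the paper. Assumptions (not from the page):
q = 1019, t = 25, l = 3, and the random oracle F replaced by seeded
pseudo-random right sides. All (l+1)-row subsystems of the t equations (1)
are tested for solvability by Gaussian elimination modulo q.
"""
import itertools
import random
from math import comb


def rref_mod_q(rows, q):
    """Reduced row echelon form over Z_q; returns (matrix, pivot columns)."""
    m = [[v % q for v in r] for r in rows]
    pivots, rank = [], 0
    for col in range(len(m[0])):
        piv = next((i for i in range(rank, len(m)) if m[i][col]), None)
        if piv is None:
            continue
        m[rank], m[piv] = m[piv], m[rank]
        inv = pow(m[rank][col], -1, q)
        m[rank] = [v * inv % q for v in m[rank]]
        for i in range(len(m)):
            if i != rank and m[i][col]:
                f = m[i][col]
                m[i] = [(a - f * b) % q for a, b in zip(m[i], m[rank])]
        pivots.append(col)
        rank += 1
    return m, pivots


def solve_subsystem(sub, l, q):
    """Solution (c_1..c_l) of an augmented subsystem (rows a_k | F(a_k)),
    or None if the rank of the augmented matrix exceeds the rank of the
    coefficient part (the paper's solvability test). Free unknowns are 0."""
    m, pivots = rref_mod_q(sub, q)
    if l in pivots:                 # pivot in the F column: inconsistent
        return None
    sol = [0] * l
    for i, col in enumerate(pivots):
        sol[col] = m[i][l]
    return sol


def ros_rows(t, l, q, rng, sequential=False):
    """t equations (1) as rows (a_{k,1}, ..., a_{k,l}, F(a_k)).
    sequential=True restricts every row to one unknown, the shape the
    sequential attacker is limited to (at most one non-zero a_{k,l})."""
    rows = []
    for k in range(t):
        if sequential:
            a = [0] * l
            a[k % l] = rng.randrange(1, q)
        else:
            a = [rng.randrange(q) for _ in range(l)]
        rows.append(a + [rng.randrange(q)])   # F(a_k): random inhomogeneity
    return rows


def solvable_subsystems(rows, l, q):
    """All (index tuple, solution) pairs for solvable l+1 out of t rows."""
    found = []
    for idx in itertools.combinations(range(len(rows)), l + 1):
        sol = solve_subsystem([rows[i] for i in idx], l, q)
        if sol is not None:
            found.append((idx, sol))
    return found


def check_solution(rows, idx, sol, q):
    """Every selected equation a_k . c = F(a_k) holds modulo q."""
    return all(sum(a * c for a, c in zip(rows[i][:-1], sol)) % q == rows[i][-1]
               for i in idx)


def expected_count(t, l, q):
    """Theorem 1: at most C(t, l+1)/q solvable subsystems on average."""
    return comb(t, l + 1) / q


def demo(seed=2001, t=25, l=3, q=1019, sequential=False):
    rng = random.Random(seed)
    rows = ros_rows(t, l, q, rng, sequential)
    found = solvable_subsystems(rows, l, q)
    valid = all(check_solution(rows, idx, sol, q) for idx, sol in found)
    return {"count": len(found), "all_valid": valid, "bound": expected_count(t, l, q)}


if __name__ == "__main__":
    # random coefficients: about C(25,4)/1019 = 12.4 solvable subsystems expected;
    # one unknown per row: a solvable subsystem needs two rows on the same
    # unknown that agree, probability 1/q per pair, so usually none at all
    print("parallel shape:", demo())
    print("sequential shape:", demo(sequential=True))
```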
3 The Random Oracle and the Generic Group Model

The Random Oracle Model (ROM). Let $G$ be a group of prime order $q$ with generator $g$, a range $M$ of messages, and let $\mathbb{Z}_q$ denote the field of integers modulo $q$. Let $H$ be an ideal hash function with range $\mathbb{Z}_q$, modelled as an oracle that, given an input (query) in $G \times M$, outputs a random number in $\mathbb{Z}_q$. Formally, $H$ is a random function $H : G \times M \to \mathbb{Z}_q$ chosen at random over all functions of that type with uniform probability distribution.

The Generic Group Model (GM). Generic algorithms for $G$ do not use the binary encodings of the group elements, as they access group elements only for group operations and equality tests. Nechaev [Ne94] proves that the discrete logarithm problem is hard in such a model; see [Sc01a] for a stronger result. The generic model of algorithms was further elaborated on by Shoup [Sh97]. We present the Shoup model in a slightly different setup[fn3] and we extend it to algorithms that interact with a decryption oracle. Encryptions are for the private/public key pair $(x, h)$, where $x$ is random in $\mathbb{Z}_q$ and $h = g^x$. We describe the extended generic model in detail, first focusing on non-interactive algorithms and thereafter on algorithms interacting with oracles for hashing and signing.

The data of a generic algorithm is partitioned into group elements in $G$ and non-group data. The generic steps for group elements are multivariate exponentiations:

$$\mathrm{mex} : \mathbb{Z}_q^d \times G^d \to G, \quad (a_1, \dots, a_d, g_1, \dots, g_d) \mapsto \prod_i g_i^{a_i} \quad \text{with } d \ge 0.$$

The cases $d = 2$, $a_1 = 1$, $a_2 = \pm 1$ present multiplication/division. The case $d = 0$ presents inputs in $G$, e.g., $g, h$ are inputs for the DL-computation.

Def. A (non-interactive) generic algorithm is a sequence of $t$ generic steps[fn4]

$f_1, \dots, f_{t'} \in G$ (inputs), $1 \le t' < t$,
$f_i = \prod_{j=1}^{i-1} f_j^{a_j}$ for $i = t'+1, \dots, t$,

where $(a_1, \dots, a_{i-1}) \in \mathbb{Z}_q^{i-1}$ depends arbitrarily on $i$, the non-group input and the set $CO_{i-1} := \{(j, \ell) \mid f_j = f_\ell,\ 1 \le j < \ell \le i-1\}$ of previous collisions of group elements.

Typical non-group inputs are various integers in $\mathbb{Z}_q$ contained in given ciphertexts or signatures. $CO_t$ is the set of all collisions of the algorithm. Some group inputs $f_i$ depend on random coin flips, e.g., the random public key $h = g^x$ depends on the random secret key $x \in_R \mathbb{Z}_q$. The probability space consists of the random group elements of the input. The logarithms $\log_g f_i$ of the random inputs $f_i$ play the role of secret parameters. Information about the secret parameters can only be revealed by collisions. E.g., $g^a = f_i^b$ implies $\log_g f_i = a/b$. We let the non-group input and the generator $g$ not depend on random bits.

The output of a generic algorithm consists of non-group data that depend arbitrarily on the non-group input and on the set $CO_t$ of all collisions, and of group elements $f_{\sigma_1}, \dots, f_{\sigma_d}$ where the integers $\sigma_1, \dots, \sigma_d \in \{1, \dots, t\}$ depend arbitrarily on the non-group input and on $CO_t$.

Next, we elaborate on interactive, generic algorithms. We count the following generic steps: group operations, $\mathrm{mex} : \mathbb{Z}_q^d \times G^d \to G$, $(a_1, \dots, a_d, g_1, \dots, g_d) \mapsto \prod_i g_i^{a_i}$; queries to the hash oracle $H$; interactions with a signature oracle (signer for short). A generic adversary $A$, mounting a one-more signature forgery, is an interactive algorithm that interacts with a signer. It performs some $t$ generic steps resulting in $t' \le t$ group elements $f_1, \dots, f_{t'}$. $A$ iteratively selects the next generic step (a group operation, a query to $H$, an interaction with the signer) depending arbitrarily on the non-group input and on previous collisions of group elements. The input consists of the generator $g$, the public key $h \in G$, the group order $q$, a collection of messages and ciphertexts and so on, all of which can be broken down into group elements and non-group data. The computed group elements $f_1, \dots, f_{t'} \in G$ include the group elements contained in the input, such as $g, h$. When counting the number of group operations, we count each input as one operation. As a signer interaction is counted as a generic step, the number $t'$ of group elements is bounded by the number $t$ of generic steps, $t' \le t$. We have $t = t'$ for a non-interactive $A$. The given non-group data consists of the non-group data contained in the input, the previous hash replies $H(Q)$ of queries $Q$, and the set of previous collisions of group elements. Signer interactions are described in Section 2. $A$'s output and transmission to the signer consists of non-group data $NG$ and previously computed group elements $f_\sigma$, where $NG$ and $\sigma$, $1 \le \sigma \le t'$, depend arbitrarily on given non-group data. $A$'s transmission to the hash oracle $H$ depends arbitrarily on given group elements and given non-group data. The probability space consists of the random $H$, the random input group elements and the random coin flips of the signer.

The restriction of the generic model is that $A$ can use group elements only for generic group operations, equality tests and for queries to the hash oracle, whereas non-group data can be arbitrarily used without charge. The computed group elements $f_1, \dots, f_{t'}$ are given as explicit multiplicative combinations of given group elements. Let $g_\ell = g^{r_\ell}$ for $\ell = 1, \dots, l$ be the group elements that $A$ gets from the signer. A computed $f_j \in G$ is of the form $f_j = g^{a_{j,-1}} h^{a_{j,0}} g_1^{a_{j,1}} \cdots g_l^{a_{j,l}}$, where the exponents $a_{j,-1}, \dots, a_{j,l} \in \mathbb{Z}_q$ depend arbitrarily on given non-group data. $A$ can arbitrarily use the coefficients $a_{j,-1}, \dots, a_{j,l}$ from this explicit representation of $f_j$. A generic adversary does not use internal coin flips; this is not a restriction as internal coin flips would be useless.[fn5]

Trivial collisions. We call a collision $(i, j) \in CO_t$ trivial if $f_i = f_j$ holds with probability 1, i.e., if it holds for all choices of the secret data such as the secret key $x$ and the random bits $r$ of the encipherer. We write $f_i \equiv f_j$ for a trivial collision. Trivial collisions do not release any information about the secret data while non-trivial collisions can completely release some secret data. Trivial collisions can be excluded from $CO_t$. Therefore, we ignore trivial collisions.

[fn3] We count the same generic steps as in [Sh97]; however, we allow arbitrary multivariate exponentiations while Shoup merely uses multiplication and division. The technical setup in [Sh97] looks different as groups $G$ are additive and associated with a random injective encoding of the group $G$ into a set $S$ of bit strings; the generic algorithm performs arbitrary computations on these bit strings. Addition/subtraction is done by an oracle that computes the encoding of $f_i \pm f_j$ when given the encodings of $f_i$, $f_j$ and the specified sign bit. As the encoding is random it contains only the information about which group elements coincide; this is what we call the set of collisions. Shoup's random encoding allows for an efficient sorting of group elements. We do not need such efficient sorting as equality tests are for free.

[fn4] We can allow that the number $t$ of generic steps varies with the input. We can let the algorithm decide after each step whether to terminate, depending arbitrarily on the given non-group data.

[fn5] $A$ could select interior coin flips that maximize the probability of success; there is always a choice for the internal coin flips that does not decrease $A$'s probability of success. Moreover, it would be useless for $A$ to generate random group elements, in particular ones with unknown DL. Using one generic step, $A$ could replace random elements in $G$ by some deterministic $g^a$ where $a \in \mathbb{Z}_q$ is chosen so as to maximize the probability of success.
4 Security of Signatures against Interactive Attacks

Assuming the intractability of the ROS-problem and the ROM + GM we give in Theorem 2 a practical security guarantee for blind Schnorr signatures against one-more signature forgeries. This section refers to a generic adversary $A$ performing some $t$ generic steps, including some $l$ interactions $(r_1, c_1, z_1), \dots, (r_l, c_l, z_l)$ with the signer, producing some $t'$ group elements and some $t''$ queries to the hash oracle. We let $r = (r_1, \dots, r_l)$ denote the signer's random coins. Let $f_1 = g$, $f_2 = h = g^x$, $f_3, \dots, f_{t'} \in G$ denote the group elements of $A$'s computation. The generic $A$ computes $f_j = g^{a_{j,-1}} h^{a_{j,0}} g_1^{a_{j,1}} \cdots g_l^{a_{j,l}}$, where $g_1 = g^{r_1}, \dots, g_l = g^{r_l}$ are the signer's commitments and the exponents $a_{j,\ell} \in \mathbb{Z}_q$ depend arbitrarily on the previously computed non-group data. As each signer interaction yields one group element $g^{r_\ell}$ we have that $t'' = t - t' \ge 0$ is the number of interactions with the hash oracle. We first present the basic Lemma 1 and 2 that extend results of [SJ00] from a non-interactive attacker to an adversary using a hash oracle and a signature oracle.

Lemma 1. Collisions among $f_1, \dots, f_{t'}$ occur at most with probability $\binom{t'}{2}/q$. The probability refers to the random $h$, $H$ and the random coins $r$ of the signer.

Proof. We show for $i < j$ that $\Pr_{x,r,H}[f_i = f_j] \le \frac{1}{q}$ under the condition that there is no prior collision of group elements. So let us assume that there is no such prior collision. The main point is to show that $f_i, f_j$ are either statistically independent or $f_i/f_j$ is constant with $f_i \ne f_j$. Considering $x$ and $r_1, \dots, r_l$ as indeterminates over $\mathbb{Z}_q$, $\log_g f_j = a_{j,-1} + a_{j,0} x + \sum_{\ell=1}^{l} a_{j,\ell} r_\ell$ is a linear polynomial in $\mathbb{Z}_q[x, r_1, \dots, r_l]$. For a non-interactive $A$, where $l = 0$ and $r = (r_1, \dots, r_l)$ is empty, we have $f_i = f_j$ iff $a_{i,-1} - a_{j,-1} + (a_{i,0} - a_{j,0}) x = 0$. Therefore, $x$ is statistically independent of the $a_{i,\ell}, a_{j,\ell}$, and thus $\Pr_{x,H}[f_i = f_j] \le \frac{1}{q}$.[fn6] Next, consider an interactive $A$. We call $r_\ell$, $g^{r_\ell}$ prior to $f_j$ if the value $a_{j,\ell}$ depends on the signer's response $z_\ell = r_\ell + c_\ell x$; otherwise $r_\ell$ is subsequent to $f_j$. When given $f_j = g^{a_{j,-1}} h^{a_{j,0}} g_1^{a_{j,1}} \cdots g_l^{a_{j,l}}$ the probability space, from $A$'s point of view, consists of $x$, $H$ and the $r_\ell$ subsequent to $f_j$. The $r_\ell = z_\ell - c_\ell x$ prior to $f_j$ are linear functions in $x$, with given coefficients $z_\ell, c_\ell$. Consider $\log_g f_j = a_{j,-1} + a_{j,0} x + \sum_{\ell=1}^{l} a_{j,\ell} r_\ell$ as a linear function in $x$ and the $r_\ell$ subsequent to $f_j$. The coefficients $a_{j,\ell}, c_\ell, z_\ell \in \mathbb{Z}_q$ depend on $x, H, r$ only via prior $r_\ell$ and prior hash values. Thus $x$ is statistically independent of the given coefficients. Therefore, the values of the function $\log_g f_i - \log_g f_j$ are either constant or uniformly distributed over $\mathbb{Z}_q$. The case that $\log_g f_i - \log_g f_j = 0$ for all $x$ and all $r_\ell$ subsequent to $f_j$ has been excluded as $f_i \not\equiv f_j$. This shows that $\Pr_{x,r,H}[f_i = f_j] \le \frac{1}{q}$, which implies the claim of Lemma 1 as there are $\binom{t'}{2}$ pairs $i < j$. □

[fn6] The equality $f_i = f_j$ holds with zero probability if $a_{i,-1} \ne a_{j,-1}$ and $a_{i,0} = a_{j,0}$. As $f_j \not\equiv f_i$ we cannot have that $(a_{i,-1}, a_{i,0}) = (a_{j,-1}, a_{j,0})$.

Lemma 2. If there are no collisions among $f_1, \dots, f_{t'}$ the random $x$ is statistically independent of the computed non-group data, except that the random coins $(r, x)$ leading to collisions are excluded.

Proof. The random $x$ enters into the generic computation only via the random values $z_\ell = r_\ell + c_\ell x$, random hash values and $h = g^x$. In a signer interaction $A$ gets the pair $(g^{r_\ell}, z_\ell)$. Due to the random $r_\ell$ the distribution of $z_\ell$ does not depend on $h = g^x$. The probability distribution of the non-group data generated from hash values and signer responses does not depend on $x$. Therefore, $x$ is statistically independent of all non-group data ($h = g^x$ is NOT statistically independent of $(g^{r_\ell}, z_\ell)$; however, $g^{r_\ell}$ enters into the computation of non-group data only by collisions of group elements and via random hash values). □

Theorem 2 shows that Schnorr signatures are secure against the one-more signature forgery in the ROM + GM. Theorem 2 covers blind signatures as required for anonymous electronic cash. This is the first sharp security result for simple DL-signatures in the interactive setting.

Theorem 2. Let a generic adversary $A$ be given the generator $g$, the public key $h$ and an oracle for $H$. Let $A$ interact with the signer some $l$ times and perform $t$ generic steps including the $l$ signer interactions. If $A$ succeeds in a parallel attack to produce $l+1$ signatures with a better probability of success than $\binom{t}{2}/q$, then $A$ must solve the ROS-problem: solve $l+1$ distinct equations (2) in the unknowns $c_1, \dots, c_l \in \mathbb{Z}_q$. The probability space consists of $h$, $H$ and the random coins of the signer.

Proof. In the interaction $(r_\ell, c_\ell, z_\ell)$ the signer correctly transmits $g_\ell := g^{r_\ell}$ and responds to $A$'s challenge $c_\ell$ by $z_\ell = r_\ell + c_\ell x$. It is assumed that $A$ outputs distinct triples $(m_i, c'_i, z'_i) \in M \times \mathbb{Z}_q^2$ for $i = 1, \dots, l+1$. We study the probability that the $l+1$ outputs are all signatures. Let there be $t''$ (distinct) queries to the hash oracle resulting in independent hash values $H(f_{\sigma_k}, m_k) \in \mathbb{Z}_q$ for $k = 1, \dots, t''$, for an arbitrary function $k \mapsto \sigma_k$ that selects $f_{\sigma_k}$ from the computed group elements $f_j$. Lemma 3 shows that the group element $g^{z'_i} h^{-c'_i}$ corresponding to a signature $(m_i, c'_i, z'_i)$ must be among $f_{\sigma_1}, \dots, f_{\sigma_{t''}}$. We let $f_{\sigma_i} = g^{z'_i} h^{-c'_i}$.

Lemma 3. Let the output $(m_i, c'_i, z'_i)$ be a signature with a better probability than $\frac{1}{q}$. Then we have that $c'_i = H(f_{\sigma_i}, m_i)$ for some hash query satisfying $f_{\sigma_i} = g^{z'_i} h^{-c'_i}$. Moreover, $c'_i, z'_i, \sigma_i$ satisfy the equations $z'_i = a_{\sigma_i,-1} + \sum_{\ell=1}^{l} a_{\sigma_i,\ell} z_\ell$ and

$$H(f_{\sigma_i}, m_i) = a_{\sigma_i,0} + \sum_{\ell=1}^{l} a_{\sigma_i,\ell} c_\ell. \qquad (3)$$

Conversely, given a solution $(c_1, \dots, c_l)$ of equation (3) one easily gets a signature $(m_i, c'_i, z'_i)$ for each solved equation.

Proof. The first claim follows from the equation $c'_i = H(g^{z'_i} h^{-c'_i}, m_i)$ required for signatures $(m_i, c'_i, z'_i)$. In the ROM this equation necessitates that $A$ selects $c'_i$ from given hash values $H(f_{\sigma_k}, m_k)$; otherwise the equality only holds with probability $\frac{1}{q}$ as the hash value is random. W.l.o.g. let $c'_i = H(f_{\sigma_i}, m_i)$ where $f_{\sigma_i} = g^{z'_i} h^{-c'_i}$ holds for the output $(m_i, c'_i, z'_i)$, which determines $\sigma_i$.[fn7] The equations $g^{z'_i} h^{-c'_i} = f_{\sigma_i} = g^{a_{\sigma_i,-1} + a_{\sigma_i,0} x + \sum_{\ell=1}^{l} a_{\sigma_i,\ell} r_\ell}$ and $r_\ell = z_\ell - c_\ell x$ imply

$$z'_i = \log_g\bigl(g^{z'_i} h^{-c'_i}\bigr) + c'_i x = a_{\sigma_i,-1} + \sum_{\ell=1}^{l} a_{\sigma_i,\ell} z_\ell + \Bigl(-a_{\sigma_i,0} - \sum_{\ell=1}^{l} a_{\sigma_i,\ell} c_\ell + c'_i\Bigr) x. \qquad (4)$$

If $c'_i = a_{\sigma_i,0} + \sum_{\ell=1}^{l} a_{\sigma_i,\ell} c_\ell$ then $A$ can easily compute the correct $z'_i$. In this case, the equation (4) does not depend on the secret key $x$ and we have $z'_i = a_{\sigma_i,-1} + \sum_{\ell=1}^{l} a_{\sigma_i,\ell} z_\ell$, where the signer's responses $z_1, \dots, z_l$ and the coefficients $a_{\sigma_i,-1}, \dots, a_{\sigma_i,l}$ are known to $A$. Conversely, $A$ must select $c_1, \dots, c_l$ so as to zero the coefficient of the secret key $x$ in (4). Otherwise, Equation (4) holds with probability $\frac{1}{q}$ as $x$ is by Lemma 2 statistically independent of the non-group data $z'_i, a_{\sigma_i,1}, \dots, a_{\sigma_i,l}, c_1, \dots, c_l$, and thus $A$'s probability of success is not better than $\frac{1}{q}$. This proves that $A$ must solve the equation. □

We see that the parallel attacker $A$ can only succeed in one of four cases:

- $A$ solves $l+1$ out of $t''$ distinct equations
  $$H(f_{\sigma_i}, m_i) = a_{\sigma_i,0} + \sum_{\ell=1}^{l} a_{\sigma_i,\ell} c_\ell. \qquad (3)$$
  Each solved equation (3) yields a corresponding signature $(m_i, c'_i, z'_i)$ by setting $z'_i = a_{\sigma_i,-1} + \sum_{\ell=1}^{l} a_{\sigma_i,\ell} z_\ell$. This is the generic, parallel attack.
- For some $i$, $1 \le i \le l+1$, equation (3) does not hold but equation (4) holds. This event has probability $\frac{1}{q}$.
- There is a collision of group elements. This event has probability $\binom{t'}{2}/q$.
- There is a collision of hash values $H(f_{\sigma_i}, m_i) = H(f_{\sigma_j}, m_j)$, where $m_i = m_j$, $f_{\sigma_i} \ne f_{\sigma_j}$ and $a_{\sigma_i,0} = a_{\sigma_j,0}, \dots, a_{\sigma_i,l} = a_{\sigma_j,l}$. In this case the equations (3) with indices $i$ and $j$ coincide. This event has probability $\binom{t''}{2}/q$.

W.l.o.g. we can assume that $t', t'' \ge 1$, and thus $\binom{t'}{2} + \binom{t''}{2} + 1 \le \binom{t}{2}$. We see that $A$ succeeds in the last three cases with no better probability than $\binom{t}{2}/q$. This proves Theorem 2, as $A$ does not succeed with a better probability than $\binom{t}{2}/q$ except by solving $l+1$ out of $t''$ distinct equations (3). □

Security against sequential attacks. It can be seen from the above proof that a sequential attack cannot succeed in the GM + ROM with a better probability than $\binom{t}{2}/q$. Here, the intractability of the ROS-problem is not needed. This characterizes the different power of sequential and of parallel attacks. For a sequence of $l$ sequential attacks, each with a single signer interaction, $A$ selects the coefficients $a_{i,\ell}$ in (3) such that there is for each $k$ at most one non-zero coefficient $a_{k,\ell}$ with $\ell \ge 1$.

[fn7] For simplicity we abbreviate $f_{\sigma_i} = g^{z'_i} h^{-c'_i}$ even though that equation only holds a posteriori. The output $(m_i, c'_i, z'_i)$ defines $\sigma_i$ except when there is a collision $H(f_{\sigma_i}, m_i) = H(f_{\sigma_j}, m_j)$ with $m_i = m_j$.
References

[A01] M. Abe: A Secure Three-move Blind Signature Scheme for Polynomially Many Signatures. Proc. Eurocrypt'01, LNCS 2045, pp. 136–151, 2001.
[AO00] M. Abe and T. Okamoto: Provably Secure Partially Blind Signatures. Proc. Crypto'00, LNCS 1880, pp. 271–286, 2000.
[CP92] D. Chaum and T.P. Pedersen: Wallet Databases with Observers. Proc. Crypto'92, LNCS 740, pp. 89–105, 1992.
[BL96] D. Boneh and R.J. Lipton: Algorithms for black-box fields and their application in cryptography. Proc. Crypto'96, LNCS 1109, pp. 283–297, 1996.
[BR93] M. Bellare and P. Rogaway: Random Oracles are Practical: a Paradigm for Designing Efficient Protocols. Proc. 1st ACM Conference on Computer and Communications Security, pp. 62–73, 1993.
[CGH98] R. Canetti, O. Goldreich and S. Halevi: The Random Oracle Methodology, Revisited. Proc. STOC'98, ACM Press, pp. 209–218, 1998.
[F00] M. Fischlin: A Note on Security Proofs in the Generic Model. Proc. Asiacrypt'00, LNCS 1976, Springer-Verlag, pp. 458–469, 2000.
[FFS88] U. Feige, A. Fiat and A. Shamir: Zero-knowledge proofs of identity. Journal of Cryptology, 1, pp. 77–94, 1988.
[FS87] A. Fiat and A. Shamir: How to Prove Yourself: Practical Solutions of Identification and Signature Problems. Proc. Crypto'86, LNCS 263, pp. 186–194, 1987.
[H97] J. Håstad: Some Optimal Inapproximability Results. Proc. ACM Symposium on Theory of Computing 1997, ACM Press, pp. 1–10, 1997.
[Ne94] V.I. Nechaev: Complexity of a Determinate Algorithm for the Discrete Logarithm. Mathematical Notes 55, pp. 165–172, 1994.
[O92] T. Okamoto: Provably Secure Identification Schemes and Corresponding Signature Schemes. Proc. Crypto'92, LNCS 740, Springer-Verlag, pp. 31–53, 1992.
[P98] D. Pointcheval: Strengthened Security for Blind Signatures. Proc. Eurocrypt'98, LNCS 1403, Springer-Verlag, pp. 391–405, 1998.
[P00] D. Pointcheval: The Composite Discrete Logarithm and Secure Authentication. Proc. PKC'2000, LNCS 1751, Springer-Verlag, pp. 113–128, 2000.
[PS96a] D. Pointcheval and J. Stern: Security Proofs for Signature Schemes. Proc. Eurocrypt'96, LNCS 1070, Springer-Verlag, pp. 387–398, 1996.
[PS96b] D. Pointcheval and J. Stern: Provably Secure Blind Signature Schemes. Proc. Asiacrypt'96, LNCS 1163, Springer-Verlag, pp. 387–393, 1996.
[PS00] D. Pointcheval and J. Stern: Security Arguments for Digital Signatures and Blind Signatures. Journal of Cryptology, 13, 3, pp. 361–396, 2000.
[Sc91] C.P. Schnorr: Efficient Signature Generation for Smart Cards. Journal of Cryptology 4, pp. 161–174, 1991.
[SJ00] C.P. Schnorr and M. Jakobsson: Security of Signed ElGamal Encryption. Proc. Asiacrypt'00, LNCS, Springer-Verlag, 2000.
[Sc01a] C.P. Schnorr: Small Generic Hardcore Subsets for the Discrete Logarithm: Short Secret DL-Keys. Information Processing Letters, 79, pp. 93–98, 2001.
[Sc01b] C.P. Schnorr: Security of DL-Encryption and Signatures Against Generic Attacks, a Survey. Proc. of Public-Key Cryptography and Computational Number Theory Conference, Warsaw Sept. 2000, Eds. K. Alster, H.C. Williams, J. Urbanowicz. De Gruyter GMBH, July, 2001.
[Sh97] V. Shoup: Lower Bounds for Discrete Logarithms and Related Problems. Proc. Eurocrypt'97, LNCS 1233, Springer-Verlag, pp. 256–266, 1997.