TY - JOUR
T1 - Tighter Security for Schnorr Identification and Signatures
T2 - A High-Moment Forking Lemma for Σ-Protocols
AU - Rotem, Lior
AU - Segev, Gil
N1 - Publisher Copyright:
© International Association for Cryptologic Research 2024.
PY - 2024/7
Y1 - 2024/7
N2 - The Schnorr identification and signature schemes have been among the most influential cryptographic protocols of the past 3 decades. Unfortunately, although the best-known attacks on these two schemes are via discrete logarithm computation, the known approaches for basing their security on the hardness of the discrete logarithm problem encounter the “square-root barrier.” In particular, in any group of order p where Shoup’s generic hardness result for the discrete logarithm problem is believed to hold (and is thus used for setting concrete security parameters), the best-known t-time attacks on the Schnorr identification and signature schemes have success probability t2/p, whereas existing proofs of security only rule out attacks with success probabilities (t2/p)1/2 and (qH·t2/p)1/2, respectively, where qH denotes the number of random oracle queries issued by the attacker. We establish tighter security guarantees for identification and signature schemes which result from Σ-protocols with special soundness based on the hardness of their underlying relation, and in particular for Schnorr’s schemes based on the hardness of the discrete logarithm problem. We circumvent the square-root barrier by introducing a high-moment generalization of the classic forking lemma, relying on the assumption that the underlying relation is “d-moment hard”: The success probability of any algorithm in the task of producing a witness for a random instance is dominated by the dth moment of the algorithm’s running time. In the concrete context of the discrete logarithm problem, already Shoup’s original proof shows that the discrete logarithm problem is 2-moment hard in the generic group model, and thus, our assumption can be viewed as a highly plausible strengthening of the discrete logarithm assumption in any group where no better-than-generic algorithms are currently known. Applying our high-moment forking lemma in this context shows that, assuming the 2-moment hardness of the discrete logarithm problem, any t-time attacker breaks the security of the Schnorr identification and signature schemes with probabilities at most (t2/p)2/3 and (qH·t2/p)2/3, respectively.
AB - The Schnorr identification and signature schemes have been among the most influential cryptographic protocols of the past 3 decades. Unfortunately, although the best-known attacks on these two schemes are via discrete logarithm computation, the known approaches for basing their security on the hardness of the discrete logarithm problem encounter the “square-root barrier.” In particular, in any group of order p where Shoup’s generic hardness result for the discrete logarithm problem is believed to hold (and is thus used for setting concrete security parameters), the best-known t-time attacks on the Schnorr identification and signature schemes have success probability t2/p, whereas existing proofs of security only rule out attacks with success probabilities (t2/p)1/2 and (qH·t2/p)1/2, respectively, where qH denotes the number of random oracle queries issued by the attacker. We establish tighter security guarantees for identification and signature schemes which result from Σ-protocols with special soundness based on the hardness of their underlying relation, and in particular for Schnorr’s schemes based on the hardness of the discrete logarithm problem. We circumvent the square-root barrier by introducing a high-moment generalization of the classic forking lemma, relying on the assumption that the underlying relation is “d-moment hard”: The success probability of any algorithm in the task of producing a witness for a random instance is dominated by the dth moment of the algorithm’s running time. In the concrete context of the discrete logarithm problem, already Shoup’s original proof shows that the discrete logarithm problem is 2-moment hard in the generic group model, and thus, our assumption can be viewed as a highly plausible strengthening of the discrete logarithm assumption in any group where no better-than-generic algorithms are currently known. Applying our high-moment forking lemma in this context shows that, assuming the 2-moment hardness of the discrete logarithm problem, any t-time attacker breaks the security of the Schnorr identification and signature schemes with probabilities at most (t2/p)2/3 and (qH·t2/p)2/3, respectively.
KW - Forking Lemma
KW - Identification Schemes
KW - Sigma Protocols
KW - Signatures
UR - http://www.scopus.com/inward/record.url?scp=85195611217&partnerID=8YFLogxK
U2 - 10.1007/s00145-024-09506-5
DO - 10.1007/s00145-024-09506-5
M3 - ???researchoutput.researchoutputtypes.contributiontojournal.article???
AN - SCOPUS:85195611217
SN - 0933-2790
VL - 37
JO - Journal of Cryptology
JF - Journal of Cryptology
IS - 3
M1 - 26
ER -