Generic construction for tightly-secure signatures from discrete log

Abstract Tightly secure signature plays a significant role in the research of cryptography and has been studied extensively in the literature. In this paper, we present a generic construction for tightly-secure signatures from the discrete log (DL) assumption in the existential-unforgeability against key only attacks (EUF-KOA) security model, where the adversary is allowed to obtain only the public key, but not any sample signature. Moreover, the generic construction can also be extended into the multi-user setting with corruptions (MU-C) model. Roughly speaking, given any signature scheme, we can efficiently convert it into a signature scheme that features tight security under the DL assumption in the MU-EUF-KOA-C security model with random oracles. Our transformation shows it is easy to construct a DL-equivalent signature in the EUF-KOA security model, although many known DL-based signatures are not equivalent to DL. If the given signature scheme is key-re-randomizable, the transformed scheme is also key-re-randomizable. Hence, our result provides a supplement to Bader et al.'s work (EUROCRYPT 2016).

[1]  Tibor Jager,et al.  Waters Signatures with Optimal Security Reduction , 2012, Public Key Cryptography.

[2]  Miles E. Smid,et al.  Response to Comments of the NIST Proposed Digital Signature Standard , 1992, CRYPTO.

[3]  N. Smart,et al.  Security of Signature Schemes in a Multi-User Setting , 2004, Des. Codes Cryptogr..

[4]  Hovav Shacham Short Unique Signatures from RSA with a Tight Security Reduction (in the Random Oracle Model) , 2018, Financial Cryptography.

[5]  Tibor Jager,et al.  On the Impossibility of Tight Cryptographic Reductions , 2016, IACR Cryptol. ePrint Arch..

[6]  Brent Waters,et al.  Efficient Identity-Based Encryption Without Random Oracles , 2005, EUROCRYPT.

[7]  Yannick Seurin,et al.  On the Exact Security of Schnorr-Type Signatures in the Random Oracle Model , 2012, IACR Cryptol. ePrint Arch..

[8]  Eike Kiltz,et al.  Optimal Security Proofs for Signatures from Identification Schemes , 2016, CRYPTO.

[9]  Jacques Stern,et al.  Security Proofs for Signature Schemes , 1996, EUROCRYPT.

[10]  Ronald L. Rivest,et al.  Responses to NIST's proposal , 1992, CACM.

[11]  Hovav Shacham,et al.  Short Signatures from the Weil Pairing , 2001, J. Cryptol..

[12]  Mihir Bellare,et al.  The Multi-Base Discrete Logarithm Problem: Tight Reductions and Non-rewinding Proofs for Schnorr Identification and Signatures , 2020, INDOCRYPT.

[13]  Silvio Micali,et al.  A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks , 1988, SIAM J. Comput..

[14]  Brent Waters,et al.  Realizing Hash-and-Sign Signatures under Standard Assumptions , 2009, EUROCRYPT.

[15]  Claus-Peter Schnorr,et al.  Efficient signature generation by smart cards , 2004, Journal of Cryptology.

[16]  Eike Kiltz,et al.  Tightly-Secure Signatures from Five-Move Identification Protocols , 2017, ASIACRYPT.

[17]  Fuchun Guo,et al.  Optimal Security Reductions for Unique Signatures: Bypassing Impossibilities with A Counterexample , 2017, IACR Cryptol. ePrint Arch..

[18]  Stanislaw Jarecki,et al.  A Signature Scheme as Secure as the Diffie-Hellman Problem , 2003, EUROCRYPT.

[19]  Jonathan Katz,et al.  Efficiency improvements for signature schemes with tight security reductions , 2003, CCS '03.

[20]  Eike Kiltz,et al.  Programmable Hash Functions and Their Applications , 2008, CRYPTO.

[21]  T. Elgamal A public key cryptosystem and a signature scheme based on discrete logarithms , 1984, CRYPTO 1984.

[22]  Craig Gentry,et al.  Practical Identity-Based Encryption Without Random Oracles , 2006, EUROCRYPT.

[23]  Dan Boneh,et al.  Short Signatures Without Random Oracles , 2004, EUROCRYPT.

[24]  Raghav Bhaskar,et al.  Improved Bounds on Security Reductions for Discrete Log Based Signatures , 2008, CRYPTO.

[25]  Tibor Jager,et al.  Tightly-Secure Authenticated Key Exchange , 2015, IACR Cryptol. ePrint Arch..

[26]  Tibor Jager,et al.  On Tight Security Proofs for Schnorr Signatures , 2014, ASIACRYPT.

[27]  Tibor Jager,et al.  Practical and Tightly-Secure Digital Signatures and Authenticated Key Exchange , 2018, IACR Cryptol. ePrint Arch..

[28]  Patrick Horster,et al.  Meta-ElGamal signature schemes , 1994, CCS '94.

[29]  Mohammad Dakhilalian,et al.  Short tightly secure signatures for signing a vector of group elements: A new approach , 2019, Theor. Comput. Sci..

[30]  Chae Hoon Lim,et al.  The Korean certificate-based digital signature algorithm , 1999 .

[31]  Pascal Paillier,et al.  Discrete-Log-Based Signatures May Not Be Equivalent to Discrete Log , 2005, ASIACRYPT.

[32]  Alfred Menezes,et al.  The Elliptic Curve Digital Signature Algorithm (ECDSA) , 2001, International Journal of Information Security.

[33]  Dawu Gu,et al.  A generic construction of tightly secure signatures in the multi-user setting , 2019, Theor. Comput. Sci..

[34]  Jean-Sébastien Coron,et al.  Optimal Security Proofs for PSS and Other Signature Schemes , 2002, EUROCRYPT.