Impossibility on the Schnorr Signature from the One-more DL Assumption in the Non-programmable Random Oracle Model

The Schnorr signature is one of the representative signature schemes and its security has been widely discussed. In the random oracle model (ROM), it is provable from the DL assumption, whereas there is negative circumstantial evidence in the standard model. Fleischhacker, Jager and Schröder showed that the tight security of the Schnorr signature is unprovable from a strong cryptographic assumption, such as the One-More DL (OM-DL) assumption and the computational and decisional Diffie-Hellman assumptions, in the ROM via a generic reduction as long as the underlying cryptographic assumption holds. However, it remains open whether or not the provable security of the Schnorr signature from a strong assumption is impossible via a non-tight and reasonable reduction. In this paper, we show that the security of the Schnorr signature is unprovable from the OM-DL assumption in the non-programmable ROM as long as the OM-DL assumption holds. Our impossibility result is proven via a non-tight Turing reduction.
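The distinction between the programmable ROM and the non-programmable ROM is the crux of the abstract: the textbook DL-based proof answers the forger's signing queries by choosing the challenge first and programming the oracle, and the non-programmable model takes exactly that ability away. The following is an added illustration, not code from the paper: a Schnorr signature over a constructed toy group (p = 2039, q = 1019, g = 4; far too small for real use), an honest signer, and a key-less "simulated signer" of the kind a reduction uses, run against both a lazily sampled programmable oracle and a fixed SHA-256 oracle. All names and parameters are assumptions made for the example.

```python
import hashlib
import secrets

# Constructed toy parameters: p = 2q + 1 with q prime, g generates the order-q subgroup.
# They only keep the arithmetic readable; they offer no security.
P, Q, G = 2039, 1019, 4
assert pow(G, Q, P) == 1 and G != 1


class FixedOracle:
    """Non-programmable random oracle: a fixed function of its input (SHA-256 here).
    Nobody, a security reduction included, gets to choose what it returns."""

    def query(self, R: int, m: bytes) -> int:
        h = hashlib.sha256(R.to_bytes(2, "big") + m).digest()
        return int.from_bytes(h, "big") % Q

    def program(self, R: int, m: bytes, c: int) -> None:
        raise TypeError("a non-programmable oracle cannot be programmed")


class ProgrammableOracle:
    """Classic ROM: answers are lazily sampled, and a reduction may fix ('program')
    the answer at a point that has not been queried yet."""

    def __init__(self):
        self.table = {}

    def query(self, R: int, m: bytes) -> int:
        key = (R, m)
        if key not in self.table:
            self.table[key] = secrets.randbelow(Q)
        return self.table[key]

    def program(self, R: int, m: bytes, c: int) -> None:
        key = (R, m)
        if key in self.table and self.table[key] != c:
            raise ValueError("point already answered; programming would be inconsistent")
        self.table[key] = c


def keygen():
    x = secrets.randbelow(Q - 1) + 1          # secret key in [1, q-1]
    return x, pow(G, x, P)                    # (x, y = g^x)


def sign(x: int, m: bytes, H) -> tuple:
    r = secrets.randbelow(Q)
    R = pow(G, r, P)
    c = H.query(R, m)                         # challenge c = H(R, m)
    s = (r + c * x) % Q
    return R, s


def verify(y: int, m: bytes, sig: tuple, H) -> bool:
    R, s = sig
    c = H.query(R, m)
    return pow(G, s, P) == (R * pow(y, c, P)) % P   # g^s == R * y^c


def simulate_signature(y: int, m: bytes, H) -> tuple:
    """Signature for public key y WITHOUT knowing x, the way a DL reduction answers
    signing queries: pick c and s first, solve for R, then program H(R, m) := c.
    This succeeds only if the oracle can be programmed."""
    c = secrets.randbelow(Q)
    s = secrets.randbelow(Q)
    R = (pow(G, s, P) * pow(y, Q - c, P)) % P   # R = g^s * y^(-c); y has order q
    H.program(R, m, c)
    return R, s


def demo() -> dict:
    m1, m2 = b"constructed message 1", b"constructed message 2"
    x, y = keygen()
    results = {}
    H_fixed = FixedOracle()
    results["honest_fixed"] = verify(y, m1, sign(x, m1, H_fixed), H_fixed)
    H_prog = ProgrammableOracle()
    results["honest_programmable"] = verify(y, m1, sign(x, m1, H_prog), H_prog)
    # The key-less simulation verifies under the programmable oracle ...
    results["simulated_programmable"] = verify(y, m2, simulate_signature(y, m2, H_prog), H_prog)
    # ... but cannot even be carried out against a non-programmable one.
    try:
        simulate_signature(y, m2, H_fixed)
        results["simulated_fixed"] = "unexpectedly succeeded"
    except TypeError:
        results["simulated_fixed"] = "cannot program"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The honest signature verifies under either oracle, since the verifier recomputes the same challenge the signer obtained. The simulated signature is a valid transcript only because `H(R, m)` was fixed to the chosen `c` after `R` was derived from it; with `FixedOracle` there is no such hook, which is why a reduction in the non-programmable ROM has to find some other way to handle signing queries, and why the paper's separation is stated in that model.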

[1] Marc Fischlin et al. Signatures from Sequential-OR Proofs, 2020, IACR Cryptol. ePrint Arch.

[2] Amos Fiat et al. How to Prove Yourself: Practical Solutions to Identification and Signature Problems, 1986, CRYPTO.

[3] Georg Fuchsbauer et al. Blind Schnorr Signatures and Signed ElGamal Encryption in the Algebraic Group Model, 2020, EUROCRYPT.

[4] Yannick Seurin et al. On the Exact Security of Schnorr-Type Signatures in the Random Oracle Model, 2012, IACR Cryptol. ePrint Arch.

[5] Tibor Jager et al. On the Impossibility of Tight Cryptographic Reductions, 2016, IACR Cryptol. ePrint Arch.

[6] Tibor Jager et al. On Tight Security Proofs for Schnorr Signatures, 2014, ASIACRYPT.

[7] Marc Fischlin et al. Limitations of the Meta-Reduction Technique: The Case of Schnorr Signatures, 2013, IACR Cryptol. ePrint Arch.

[8] Masayuki Fukumitsu et al. Impossibility on the Provable Security of the Fiat-Shamir-Type Signatures in the Non-programmable Random Oracle Model, 2016, ISC.

[9] Chanathip Namprempre et al. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme, 2003, Journal of Cryptology.

[10] Dan Boneh et al. Breaking RSA May Not Be Equivalent to Factoring, 1998, EUROCRYPT.

[11] Claus-Peter Schnorr et al. Efficient signature generation by smart cards, 2004, Journal of Cryptology.

[12] Masayuki Fukumitsu et al. The RSA Group Is Adaptive Pseudo-Free under the RSA Assumption, 2014, IEICE Trans. Fundam. Electron. Commun. Comput. Sci.

[13] Jesper Buus Nielsen et al. Separating Random Oracle Proofs from Complexity Theoretic Proofs: The Non-committing Encryption Case, 2002, CRYPTO.

[14] Rafael Pass et al. Limits of provable security from standard assumptions, 2011, STOC '11.

[15] Emmanuel Bresson et al. Separation Results on the "One-More" Computational Problems, 2008, CT-RSA.

[16] Eike Kiltz et al. Optimal Security Proofs for Full Domain Hash, Revisited, 2012, Journal of Cryptology.

[17] Masayuki Fukumitsu et al. Impossibility of the Provable Security of the Schnorr Signature from the One-More DL Assumption in the Non-programmable Random Oracle Model, 2017, ProvSec.

[18] Raghav Bhaskar et al. Improved Bounds on Security Reductions for Discrete Log Based Signatures, 2008, CRYPTO.

[19] Dan Boneh et al. The Decision Diffie-Hellman Problem, 1998, ANTS.

[20] Chanathip Namprempre et al. From Identification to Signatures Via the Fiat–Shamir Transform: Necessary and Sufficient Conditions for Security and Forward-Security, 2008, IEEE Transactions on Information Theory.

[21] Pascal Paillier et al. Discrete-Log-Based Signatures May Not Be Equivalent to Discrete Log, 2005, ASIACRYPT.

[22] Silvio Micali et al. A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks, 1988, SIAM J. Comput.

[23] Jacques Stern et al. Security Arguments for Digital Signatures and Blind Signatures, 2015, Journal of Cryptology.

[24] Mihir Bellare et al. GQ and Schnorr Identification Schemes: Proofs of Security against Impersonation under Active and Concurrent Attacks, 2002, CRYPTO.

[25] Marc Fischlin et al. Random Oracles with(out) Programmability, 2010, ASIACRYPT.

[26] Masayuki Fukumitsu et al. Black-Box Separations on Fiat-Shamir-Type Signatures in the Non-Programmable Random Oracle Model, 2015, ISC.

[27] Masayuki Fukumitsu et al. One-More Assumptions Do Not Help Fiat-Shamir-type Signature Schemes in NPROM, 2020, CT-RSA.

[28] Zhenfeng Zhang et al. Black-Box Separations for One-More (Static) CDH and Its Generalization, 2014, ASIACRYPT.

[29] Jean-Sébastien Coron et al. Optimal Security Proofs for PSS and Other Signature Schemes, 2002, EUROCRYPT.