Security of BLS and BGLS signatures in a multi-user setting

Traditional single-user security models do not necessarily capture the power of real-world attackers. A scheme that is secure in the single-user setting may not be as secure in the multi-user setting. Inspired by the recent analysis of Schnorr signatures in the multi-user setting, we analyse Boneh-Lynn-Shacham (BLS) signatures and Boneh-Gentry-Lynn-Shacham (BGLS) aggregate signatures in the multi-user setting. We obtain a tight reduction from the security of key-prefixed BLS in the multi-user model to normal BLS in the single-user model. We introduce a multi-user security model for general aggregate signature schemes, in contrast to the original “chosen-key” security model of BGLS that is analogous to the single-user setting of a signature scheme. We obtain a tight reduction from the security of multi-user key-prefixed BGLS to the security of multi-user key-prefixed BLS. Finally, we apply a technique of Katz and Wang to present a tight security reduction from a variant of multi-user key-prefixed BGLS to the computational co-Diffie-Hellman (co-CDH) problem. All of our results for BLS and BGLS use type III pairings.

[1]  Eike Kiltz,et al.  Schnorr Signatures in the Multi-User Setting , 2015, IACR Cryptol. ePrint Arch..

[2]  Sanjit Chatterjee,et al.  Another Look at Tightness , 2011, IACR Cryptol. ePrint Arch..

[3]  Eric Wustrow,et al.  Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices , 2012, USENIX Security Symposium.

[4]  C. P. Schnorr,et al.  Efficient Identification and Signatures for Smart Cards (Abstract) , 1989, EUROCRYPT.

[5]  Tibor Jager,et al.  On the Impossibility of Tight Cryptographic Reductions , 2016, IACR Cryptol. ePrint Arch..

[6]  Jonathan Katz,et al.  Efficiency improvements for signature schemes with tight security reductions , 2003, CCS '03.

[7]  Tal Rabin,et al.  On the Security of Joint Signature and Encryption , 2002, EUROCRYPT.

[8]  Eike Kiltz,et al.  Optimal Security Proofs for Signatures from Identification Schemes , 2016, CRYPTO.

[9]  Chanathip Namprempre,et al.  Unrestricted Aggregate Signatures , 2007, ICALP.

[10]  Hovav Shacham,et al.  Aggregate and Verifiably Encrypted Signatures from Bilinear Maps , 2003, EUROCRYPT.

[11]  Alfred Menezes,et al.  Security of Signature Schemes in a Multi-User Setting , 2004, Des. Codes Cryptogr..

[12]  Edward Knapp On Pairing-Based Signature and Aggregate Signature Schemes , 2009 .

[13]  Steven D. Galbraith,et al.  Public key signatures in the multi-user setting , 2002, Inf. Process. Lett..

[14]  Hovav Shacham,et al.  Short Signatures from the Weil Pairing , 2001, J. Cryptol..

[15]  Fedor V. Fomin,et al.  40th International Colloquium on Automata, Languages and Programming , 2015, Inf. Comput..

[16]  Carl Pomerance,et al.  Advances in Cryptology — CRYPTO ’87 , 2000, Lecture Notes in Computer Science.

[17]  Silvio Micali,et al.  A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks , 1988, SIAM J. Comput..

[18]  Sanjit Chatterjee,et al.  Comparing two pairing-based aggregate signature schemes , 2010, Des. Codes Cryptogr..

[19]  Daniel J. Bernstein Multi-user Schnorr security, revisited , 2015, IACR Cryptol. ePrint Arch..