Score:2

Quantitative security of signature scheme obtained by Fiat-Shamir tranform

ng flag

I'm looking for a quantitative yet simple proof of the EUF-CMA security of a signature scheme obtained by Fiat-Shamir transform.

Recall the Fiat-Shamir transform starts from a 3-pass identification protocol with messages $(I,r,s)$, where $I$ is the prover's commitment, challenge $r$ is chosen uniformly at random in set $\Omega$ by the verifier, $s$ is the proof. It uses a hash $H$ into $\Omega$.

Generation of key pair $(\mathrm{pk},\mathrm{sk})$ in the signature scheme is as in the identification protocol. To sign message $M$, prover generates $I$ as in the identification protocol, computes $r:=H(I,M)$, then $s$ as in the identification protocol, then signature¹ $\sigma:=(I,s)$. The verification algorithm computes $r:=H(I,M)$ then applies the same verification procedure as the identification protocol, that is check $\mathcal V(\mathrm{pk},r,s)=I$.

By quantitative, I mean we assume an adversary can break the signature scheme with probability at least $\epsilon$ with time/effort $t$, $Q_S$ queries to the signature oracle, $Q_H$ queries to the hash oracle, and obtain some upper bound on the probability than an adversary can break the identification scheme with some time/effort.

I'm fine with a bound that's within a constant factor from optimal; requiring whatever plausible property on the 3-pass identification scheme, such as $I$ being uniformly random in some large enough set; $H$ being modeled as a random oracle; whatever algorithm being random polynomial time or even made deterministic (including using a PRG seeded with $\mathrm{sk}$ and $M$ for the random tape of the algorithm generating $I$, thus making the signature deterministic).

I know a standard reference is David Pointcheval and Jacques Stern's Security Arguments for Digital Signatures and Blind Signatures, in Journal of Cryptology, 2000, but I'd like something simpler and more focused.


¹ The signature can also be $\sigma:=(r,s)$ or $\sigma:=(I,r,s)$, and there's a comparatively simple, tight security reduction between the three.

ckamath avatar
ag flag
What about Theorem 19.7 (Page 733) in the textbook by [Boneh and Shoup](https://crypto.stanford.edu/~dabo/cryptobook/BonehShoup_0_5.pdf#page=736)?
fgrieu avatar
ng flag
@ckamath: Yes, [that theorem 19.7](https://crypto.stanford.edu/~dabo/cryptobook/BonehShoup_0_5.pdf#page=736) is closely related. Mainly, it's proof is more complex than I dream of and manage to fully follow so far. I vaguely hope for a simpler proof even if that's at the cost of a somewhat less tight bound, or as a trampoline. Also, and importantly, this theorem is stated for the Schnorr identification protocol and signature, and I don't follow the proof well enough to decide if it uses the rather special properties of that identification protocol.
ckamath avatar
ag flag
[Theorem 19.14](https://crypto.stanford.edu/~dabo/cryptobook/BonehShoup_0_5.pdf#page=755) generalises Theorem 19.7 to Sigma protocols. I suppose you are looking for a simpler proof of this?
fgrieu avatar
ng flag
@ckamath: [Theorem 19.14](https://crypto.stanford.edu/~dabo/cryptobook/BonehShoup_0_5.pdf#page=755) tells we can built a secure ID protocol from a sigma protocol. I'm rather after a proof of [Theorem 19.16](https://crypto.stanford.edu/~dabo/cryptobook/BonehShoup_0_5.pdf#page=757), one simple enough that I manage to fully understand it.
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.