I have been thinking about this question: if I directly replace the hash function with the message in the BLS signature, does the security of the BLS degenerate from existential unforgeability(EUF) to selective unforgeability(SUF) under the known message attack(KMA)?
The modified BLS signature scheme is defined as below.
$\cdot BilinearGen\to pp:=(G_1,G_2,G_T,e,p,g_1,g_2)$ where the paring type is type-III.
$\cdot KeyGen(pp)\to(pk:=g^x_2\in G_2,sk:=x\in Z_p )$
$\cdot Sign(sk,m)\to\sigma:=m^x\in G_1$ where $m\in G_1$.
$\cdot Verify(\sigma,pk)\to(e(m,pk)?=e(\sigma,g_2) )$
The notion of selective forgery as an attack where the adversary can forge a
valid signature with non-negligible probability for a particular message $m^*$, e.g., let $m^*=g^b_1$, chosen
by the adversary prior to accessing the signing oracle.
Intuitively, the SUF security of the modified version can be reduced to some assumption, such as CDH assumption(An instance can be expressed as $(g^a_1,g^b_1,g_1)$). And I tried but failed as I'm not farmilar with proof without random oracle.
So, my questions are:
- The above modified BLS signature scheme is SUF-KMA security if CDH assumption holds?
For example, the adversary A can be given some message-signature tuples $\{(m_i,\sigma_i)\}_{i\in [n]}$. If A can forge a valid signature on the specified message $m^*=g^b_1$, then there must be another adversary B can sovle the instance of CDH assumption $(g^a_1,g^b_1,g_1)$) by the output of A.
If yes, plz give me some clues or examples to continue the incomplete security proof.
If no, plz tell me why.
