 
Schnorr Signature
October 31, 2012

Table of contents
- Salient Features
- Preliminaries
  - Security Proofs
  - Random Oracle Heuristic
  - PKS and its Security Models
  - Hardness Assumption
- Schnorr Signature
  - The Construction
  - Oracle Replay Attack
  - Security Proof
  - Forking Lemma

Schnorr Signature - Salient Features
- Derived from Schnorr identification scheme through Fiat-Shamir transformation
- Based on the DLP
- Security argued using oracle replay attacks
- Uses the random oracle heuristic

PRELIMINARIES

Security Proofs: Proof through Contradiction
- Consider a protocol P based on a hard problem Π
- Aim: Π is hard ⟹ P is not breakable ≡ P is breakable ⟹ Π is not hard
- [Diagram: B, C and A, with labels Π and P]
- Since Π is assumed to be hard, this leads to a contradiction.

Security Proofs: Security Model
- Lays down the schema to be followed for giving security proofs
- Described using a game between a challenger C and an adversary A
- [Diagram: C and A, with label P]
- C simulates the protocol environment for A
- A wins the game if it solves the challenge given by C

Random Oracle Heuristic: Random Oracles
- Heuristic aimed at simplifying security proofs of protocols involving hash functions.
- In proofs, the hash function is modelled as a truly random function under the control of the challenger.
- A is given oracle access to this function.
- [Diagram: C and A, with labels P and H]
- Proofs without random oracles are preferred.

PUBLIC-KEY SIGNATURES AND ITS SECURITY MODELS

Definition - Public-Key Signature
A PKS scheme consists of three PPT algorithms $\{\mathcal{K}, \mathcal{S}, \mathcal{V}\}$:
- Key Generation:
  - Used by the user to generate the public-private key pair $(pk, sk)$
  - $pk$ is published and the $sk$ kept secret
  - Run on a security parameter $\kappa$: $(pk, sk) \xleftarrow{\$} \mathcal{K}(\kappa)$
- Signing:
  - Used by the user to generate signature on some message $m$
  - The secret key $sk$ used for signing: $\sigma \xleftarrow{\$} \mathcal{S}(sk, m)$
- Verification:
  - Outputs 1 if $\sigma$ is a valid signature on $m$; else, outputs 0: $\text{result} \leftarrow \mathcal{V}(\sigma, m, pk)$

Definition - EU-NMA
- Existential unforgeability under no-message attack
- Challenger C generates key-pair $(pk, sk)$.
- Forgery - Adversary A wins if $\hat{\sigma}$ is a valid signature on $\hat{m}$.
- [Diagram: EU-NMA game between C and A, with labels $pk$ and $(\hat{\sigma}, \hat{m})$]
- Adversary's advantage in the game:
  $$\Pr\left[\, 1 \leftarrow \mathcal{V}(\hat{\sigma}, \hat{m}, pk) \;\middle|\; (sk, pk) \xleftarrow{\$} \mathcal{K}(\kappa);\ (\hat{\sigma}, \hat{m}) \xleftarrow{\$} \mathcal{A}(pk) \,\right]$$

Definition - EU-CMA
- Existential unforgeability under chosen-message attack
- Challenger C generates key-pair $(pk, sk)$.
- Signature Queries - Access to a signing oracle $\mathcal{O}$
- Forgery - Adversary A wins if
  - $\hat{\sigma}$ is a valid signature on $\hat{m}$.
  - A has not made a signature query on $\hat{m}$.
- [Diagram: EU-CMA game between C and A, with labels $pk$, $\mathcal{O}$ and $(\hat{\sigma}, \hat{m})$]
- Adversary's advantage in the game:
  $$\Pr\left[\, 1 \leftarrow \mathcal{V}(\hat{\sigma}, \hat{m}, pk) \;\middle|\; (sk, pk) \xleftarrow{\$} \mathcal{K}(\kappa);\ (\hat{\sigma}, \hat{m}) \xleftarrow{\$} \mathcal{A}^{\mathcal{O}}(pk) \,\right]$$

Hardness Assumption: Discrete-log Assumption
Discrete-log problem for a group $G = \langle g \rangle$ and $|G| = p$
[Diagram: DLP game between C and A, with labels $(G, g, p, g^{\alpha})$ and $\alpha$]

Definition
The DLP in $G$ is to find $\alpha$ given $g^{\alpha}$, where $\alpha \in_R \mathbb{Z}_p$. An adversary $\mathcal{A}$ has advantage $\epsilon$ in solving the DLP if
$$\Pr\left[\, \alpha \in_R \mathbb{Z}_p;\ \alpha' \leftarrow \mathcal{A}(G, p, g, g^{\alpha}) \;\middle|\; \alpha' = \alpha \,\right] \ge \epsilon.$$
The $(\epsilon, t)$-discrete-log assumption holds in $G$ if no adversary has advantage at least $\epsilon$ in solving the DLP in time at most $t$.
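
The EU-CMA game and the random-oracle convention described above, written out as code (an added example, not taken from the slides): the challenger keeps sk, answers the signing oracle O and a lazily sampled random oracle H, and accepts a forgery only if it verifies and its message was never queried. The toy group parameters, the class and function names, and the Schnorr-style signing equation are assumptions, since the construction itself is not shown in this part of the deck.

```python
import secrets

# Constructed toy group, far too small for real use: GEN has prime order ORDER in Z_MOD*.
# (The slides call the group order p; it is named ORDER here to keep it apart from the modulus.)
MOD, ORDER, GEN = 2039, 1019, 4

class Challenger:
    """Challenger C of the EU-CMA game; it also answers the random oracle H."""

    def __init__(self):
        self.sk = secrets.randbelow(ORDER - 1) + 1   # (pk, sk) <-$ K(kappa)
        self.pk = pow(GEN, self.sk, MOD)
        self.h_table = {}      # lazily sampled random oracle
        self.queried = set()   # messages A has sent to the signing oracle O

    def H(self, m, r):
        # Fresh uniform value on the first query, the same value on every repeat.
        if (m, r) not in self.h_table:
            self.h_table[(m, r)] = secrets.randbelow(ORDER)
        return self.h_table[(m, r)]

    def sign_oracle(self, m):
        # O: sigma <-$ S(sk, m), recording m so a later "forgery" on it is rejected.
        self.queried.add(m)
        k = secrets.randbelow(ORDER - 1) + 1
        r = pow(GEN, k, MOD)
        return (r, (k + self.H(m, r) * self.sk) % ORDER)

    def verify(self, sigma, m):
        # V(sigma, m, pk): 1 if GEN^s == r * pk^H(m, r), else 0.
        r, s = sigma
        return int(pow(GEN, s, MOD) == r * pow(self.pk, self.H(m, r), MOD) % MOD)

    def adversary_wins(self, sigma_hat, m_hat):
        # Both EU-CMA conditions: valid signature AND no signature query on m_hat.
        return self.verify(sigma_hat, m_hat) == 1 and m_hat not in self.queried

def replay_adversary(c):
    """A that just returns an oracle answer: a valid signature, but not a forgery."""
    m = "constructed message"
    sigma = c.sign_oracle(m)
    return c.verify(sigma, m), c.adversary_wins(sigma, m)
```

With an adversary that never calls `sign_oracle`, the same `adversary_wins` check is the EU-NMA game.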
