Paper 2013/418

On Tight Security Proofs for Schnorr Signatures

Nils Fleischhacker, Tibor Jager, and Dominique Schröder

Abstract

The Schnorr signature scheme is the most efficient signature scheme based on the discrete logarithm problem and a long line of research investigates the existence of a tight security reduction for this scheme in the random oracle model. Almost all recent works present lower tightness bounds and most recently Seurin (Eurocrypt 2012) showed that under certain assumptions the non-tight security proof for Schnorr signatures in the random oracle by Pointcheval and Stern (Eurocrypt 1996) is essentially optimal. All previous works in this direction rule out tight reductions from the (one-more) discrete logarithm problem. In this paper we introduce a new meta-reduction technique, which shows lower bounds for the large and very natural class of generic reductions. A generic reduction is independent of a particular representation of group elements. Most reductions in state-of-the-art security proofs have this property. It is desirable, because then the reduction applies generically to any concrete instantiation of the group. Our approach shows unconditionally that there is no tight generic reduction from any natural non-interactive computational problem $\Pi$ defined over algebraic groups to breaking Schnorr signatures, unless solving $\Pi$ is easy. In an additional application of the new meta-reduction technique, we also unconditionally rule out any (even non-tight) generic reduction from natural non-interactive computational problems defined over algebraic groups to breaking Schnorr signatures in the non-programmable random oracle model.

Note: Preliminary version published at ASIACRYPT 2014. Final version for the Journal of Cryptology, significantly revised. Corrected proof of Theorem 17, simpler and better bounds, additional explanations and clarifications.

Metadata
Available format(s)
PDF
Publication info
A major revision of an IACR publication in JOC 2019
Keywords
Schnorr signaturesblack-box reductionsgeneric reductionsalgebraic reductionstightness.
Contact author(s)
tibor jager @ rub de
History
2019-01-06: last of 3 revisions
2013-06-25: received
See all versions
Short URL
https://ia.cr/2013/418
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2013/418,
      author = {Nils Fleischhacker and Tibor Jager and Dominique Schröder},
      title = {On Tight Security Proofs for Schnorr Signatures},
      howpublished = {Cryptology ePrint Archive, Paper 2013/418},
      year = {2013},
      note = {\url{https://eprint.iacr.org/2013/418}},
      url = {https://eprint.iacr.org/2013/418}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.