We show that signatures obtained via Fischlinís transformation are existentially unforgeable even in case the adversary is allowed to get arbitrary (yet bounded) information on the entire state of the signer (including the signing key and the random coins used to generate signatures). A similar fact was already known for the Fiat-Shamir transform, however, Fischlinís transformation allows for a significantly higher leakage parameter than Fiat-Shamir.
Moreover, in contrast to signatures obtained via Fiat-Shamir, signatures obtained via Fischlin enjoy a tight reduction to the underlying hard problem. We use this observation to show (via simulations) that Fischlinís transformation, usually considered less efficient, outperforms the Fiat-Shamir transform in verification time for a reasonable choice of parameters. In terms of signing Fiat-Shamir is faster for equal signature sizes. Nonetheless, our experiments show that the signing time of Fischlinís transformation becomes, e.g., 22% of the one via Fiat-Shamir if one allows the signature size to be doubled.Category / Keywords: public-key cryptography / Fischlinís transformation, leakage, tightness, random oracle Original Publication (in the same form): Africacrypt 2014 Date: received 11 Mar 2014 Contact author: oezguer dagdelen at cased de Available format(s): PDF | BibTeX Citation Version: 20140312:183617 (All versions of this report) Short URL: ia.cr/2014/188 Discussion forum: Show discussion | Start new discussion