We show that signatures obtained via Fischlin’s transformation are existentially unforgeable even in case the adversary is allowed to get arbitrary (yet bounded) information on the entire state of the signer (including the signing key and the random coins used to generate signatures). A similar fact was already known for the Fiat-Shamir transform, however, Fischlin’s transformation allows for a significantly higher leakage parameter than Fiat-Shamir.
Moreover, in contrast to signatures obtained via Fiat-Shamir, signatures obtained via Fischlin enjoy a tight reduction to the underlying hard problem. We use this observation to show (via simulations) that Fischlin’s transformation, usually considered less efficient, outperforms the Fiat-Shamir transform in verification time for a reasonable choice of parameters. In terms of signing Fiat-Shamir is faster for equal signature sizes. Nonetheless, our experiments show that the signing time of Fischlin’s transformation becomes, e.g., 22% of the one via Fiat-Shamir if one allows the signature size to be doubled.
Category / Keywords: public-key cryptography / Fischlin’s transformation, leakage, tightness, random oracle Original Publication (in the same form): Africacrypt 2014 Date: received 11 Mar 2014 Contact author: oezguer dagdelen at cased de Available format(s): PDF | BibTeX Citation Version: 20140312:183617 (All versions of this report) Short URL: ia.cr/2014/188 Discussion forum: Show discussion | Start new discussion