Cryptology ePrint Archive: Report 2021/1220

Digital Signatures with Memory-Tight Security in the Multi-Challenge Setting

Denis Diemert and Kai Gellert and Tibor Jager and Lin Lyu

Abstract: The standard security notion for digital signatures is "single-challenge" (SC) EUF-CMA security, where the adversary outputs a single message-signature pair and "wins" if it is a forgery. Auerbach et al. (CRYPTO 2017) introduced memory-tightness of reductions and argued that the right security goal in this setting is actually a stronger "multi-challenge" (MC) definition, where an adversary may output many message-signature pairs and "wins" if at least one is a forgery. Currently, no construction from simple standard assumptions is known to achieve full tightness with respect to time, success probability, and memory simultaneously. Previous works showed that memory-tight signatures cannot be achieved via certain natural classes of reductions (Auerbach et al., CRYPTO 2017; Wang et al., EUROCRYPT 2018). These impossibility results may give the impression that the construction of memory-tight signatures is difficult or even impossible.

We show that this impression is false, by giving the first constructions of signature schemes with full tightness in all dimensions in the MC setting. To circumvent the known impossibility results, we first introduce the notion of canonical reductions in the SC setting. We prove a general theorem establishing that every signature scheme with a canonical reduction is already memory-tightly secure in the MC setting, provided that it is strongly unforgeable, the adversary receives only one signature per message, and assuming the existence of a tightly-secure pseudorandom function. We then achieve memory-tight many-signatures-per-message security in the MC setting by a simple additional generic transformation. This yields the first memory-tightly, strongly EUF-CMA-secure signature schemes in the MC setting. Finally, we show that standard security proofs often already can be viewed as canonical reductions. Concretely, we show this for signatures from lossy identification schemes (Abdalla et al., EUROCRYPT 2012), two variants of RSA Full-Domain Hash (Bellare and Rogaway, EUROCRYPT 1996), and two variants of BLS signatures (Boneh et al., ASIACRYPT 2001).

Category / Keywords: public-key cryptography / digital signatures, memory-tightness, provable security

Original Publication (with major differences): IACR-ASIACRYPT-2021

Date: received 17 Sep 2021, last revised 20 Sep 2021

Contact author: denis diemert at uni-wuppertal de, kai gellert at uni-wuppertal de, tibor jager at uni-wuppertal de, lin lyu at uni-wuppertal de

Available format(s): PDF | BibTeX Citation

Note: Update for clickable references

Version: 20210920:124024 (All versions of this report)

Short URL: ia.cr/2021/1220


[ Cryptology ePrint archive ]