Paper 2023/1634

On the (In)Security of the BUFF Transform

Jelle Don, Centrum Wiskunde & Informatica
Serge Fehr, Centrum Wiskunde & Informatica, Leiden University
Yu-Hsuan Huang, Centrum Wiskunde & Informatica
Patrick Struck, University of Konstanz
Abstract

The BUFF transform is a generic transformation for digital signature schemes, with the purpose of obtaining additional security properties beyond standard unforgeability, e.g., exclusive ownership and non-resignability. In the call for additional post-quantum signatures, these were explicitly mentioned by the NIST as "additional desirable security properties", and some of the submissions indeed refer to the BUFF transform with the purpose of achieving them, while some other submissions follow the design of the BUFF transform without mentioning it explicitly. In this work, we show the following negative results regarding the non-resignability property in general, and the BUFF transform in particular. In the plain model, we observe by means of a simple attack that any signature scheme for which the message has a high entropy given the signature does not satisfy the non-resignability property (while non-resignability is trivially not satisfied if the message can be efficiently computed from its signature). Given that the BUFF transform has high entropy in the message given the signature, it follows that the BUFF transform does not achieve non-resignability whenever the random oracle is instantiated with a hash function, no matter what hash function. When considering the random oracle model (ROM), the matter becomes slightly more delicate since prior works did not rigorously define the non-resignability property in the ROM. For the natural extension of the definition to the ROM, we observe that our impossibility result still holds, despite there having been positive claims about the non-resignability of the BUFF transform in the ROM. Indeed, prior claims of the non-resignability of the BUFF transform rely on faulty argumentation.
On the positive side, we prove that a salted version of the BUFF transform satisfies a slightly weaker variant of non-resignability in the ROM, covering both classical and quantum attacks, if the entropy requirement in the (weakened) definition of non-resignability is statistical; for the computational variant, we show yet another negative result.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Preprint.
Keywords
digital signatures, random oracle model, security definitions
Contact author(s)
jelle don @ cwi nl
serge fehr @ cwi nl
yhh @ cwi nl
patrick struck @ uni-konstanz de
History
2024-02-21: last of 2 revisions
2023-10-20: received
Short URL
https://ia.cr/2023/1634
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2023/1634,
      author = {Jelle Don and Serge Fehr and Yu-Hsuan Huang and Patrick Struck},
      title = {On the (In)Security of the BUFF Transform},
      howpublished = {Cryptology ePrint Archive, Paper 2023/1634},
      year = {2023},
      note = {\url{https://eprint.iacr.org/2023/1634}},
      url = {https://eprint.iacr.org/2023/1634}
}