Paper 2024/934

An Explicit High-Moment Forking Lemma and its Applications to the Concrete Security of Multi-Signatures

Gil Segev, Hebrew University of Jerusalem
Liat Shapira, Hebrew University of Jerusalem
Abstract

In this work we first present an explicit forking lemma that distills the information-theoretic essence of the high-moment technique introduced by Rotem and Segev (CRYPTO '21), who analyzed the security of identification protocols and Fiat-Shamir signature schemes. Whereas the technique of Rotem and Segev was particularly geared towards two specific cryptographic primitives, we present a stand-alone probabilistic lower bound, which does not involve any underlying primitive or idealized model. The key difference between our lemma and previous ones is that instead of focusing on the tradeoff between the worst-case or expected running time of the resulting forking algorithm and its success probability, we focus on the tradeoff between higher moments of its running time and its success probability. Equipped with our lemma, we then establish concrete security bounds for the BN and BLS multi-signature schemes that are significantly tighter than the concrete security bounds established by Bellare and Neven (CCS '06) and Boneh, Drijvers and Neven (ASIACRYPT '18), respectively. Our analysis does not limit adversaries to any idealized algebraic model, such as the algebraic group model in which all algorithms are assumed to provide an algebraic justification for each group element they produce. Our bounds are derived in the random-oracle model based on the standard-model second-moment hardness of the discrete logarithm problem (for the BN scheme) and the computational co-Diffie-Hellman problem (for the BLS scheme). Such second-moment assumptions, asking that the success probability of any algorithm in solving the underlying computational problems is dominated by the second moment of the algorithm's running time, are particularly plausible in any group where no better-than-generic algorithms are currently known.

Metadata
Available format(s)
PDF
Category
Foundations
Publication info
A minor revision of an IACR publication in CIC 2024
Keywords
Signature schemesforking lemmaconcrete security
Contact author(s)
segev @ cs huji ac il
liat shapira @ cs huji ac il
History
2024-06-12: approved
2024-06-11: received
See all versions
Short URL
https://ia.cr/2024/934
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/934,
      author = {Gil Segev and Liat Shapira},
      title = {An Explicit High-Moment Forking Lemma and its Applications to the Concrete Security of Multi-Signatures},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/934},
      year = {2024},
      url = {https://eprint.iacr.org/2024/934}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.