Re: [Cfrg] key as message prefix => multi-key security
Eike Kiltz <eike.kiltz@rub.de> Sat, 21 November 2015 15:33 UTC
Return-Path: <ekiltz@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 327391ACD8A for <cfrg@ietfa.amsl.com>; Sat, 21 Nov 2015 07:33:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.621
X-Spam-Level:
X-Spam-Status: No, score=0.621 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GpoJ42rJ9Q3q for <cfrg@ietfa.amsl.com>; Sat, 21 Nov 2015 07:33:05 -0800 (PST)
Received: from mail-lf0-x229.google.com (mail-lf0-x229.google.com [IPv6:2a00:1450:4010:c07::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6A2CD1ACD89 for <cfrg@ietf.org>; Sat, 21 Nov 2015 07:33:05 -0800 (PST)
Received: by lfaz4 with SMTP id z4so85482801lfa.0 for <cfrg@ietf.org>; Sat, 21 Nov 2015 07:33:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:content-type; bh=d7GZv/Ay/7XIG3zI6LO+CsmsOiqGIEhNAv84f9s4aq0=; b=i9aQvLlBl3RqjX7tYZbXmuI/tC40E9asUWkvH18tBRXIqdOMS4nBIJZNhJvPnmlwc5 G1fs/Codnj3AgHSIEsV8Yj5tt+IyK9VJGU6KO7VBP84Av0u5Eq8+FZ+kD2gxXw6B8t2s USJZ1PxoHMq5UhJyMDYE/IrhG4yRAo+IOmxANVmXQ6LiyDfrp+/lhAiaWkFHIdpPCOj2 lrC/0HFHIEwmCKnVfslIQMhlUh9/AvlVGFsm8K6/oDy6hB88+fxoEH0srrK7F0nKwGCg Cr1WHPOHNfOUX/aJh4B0oBhTvgXvpvq+UjhTAzgDdg0qs4CFyxI+S0bKo66wMwFryvOC NLBQ==
MIME-Version: 1.0
X-Received: by 10.25.147.209 with SMTP id v200mr8022970lfd.102.1448119983615; Sat, 21 Nov 2015 07:33:03 -0800 (PST)
Sender: ekiltz@gmail.com
Received: by 10.112.165.33 with HTTP; Sat, 21 Nov 2015 07:33:03 -0800 (PST)
In-Reply-To: <20151120074529.15234.qmail@cr.yp.to>
References: <20150930225622.21805.qmail@cr.yp.to> <20151120074529.15234.qmail@cr.yp.to>
Date: Sat, 21 Nov 2015 16:33:03 +0100
X-Google-Sender-Auth: tnpoSbxtmDW0sKrF908pWC4qi8s
Message-ID: <CAKt=43p6X+Byb_a-pin-OVS8RXi82AFpzML80KzeYWKve0aG6A@mail.gmail.com>
From: Eike Kiltz <eike.kiltz@rub.de>
To: cfrg@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/_Ymjl_dqoPEKeOGhYOKKwqb4DbQ>
Subject: Re: [Cfrg] key as message prefix => multi-key security
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 21 Nov 2015 15:34:32 -0000
Our results are not stated entirely correctly, so let me clarify first. In our paper https://eprint.iacr.org/2015/1122.pdf we show the following (cf. Figure 2): 1. Strong single-user security of Schnorr signatures tightly implies strong multi-user security of the same scheme 2. Standard single user security of Schnorr signatures tightly implies strong multi-user security of the same scheme, assuming a perfect hash function (aka random oracle). This is the original GMLS theorem, expect that we make the random oracle requirement. As I understand the history of this thread, initially the group agreed that key-prefixing should be avoided for Schnorr due to certain performance and usability issues, referring to the GMLS theorem from 2002. (See the message by Struik and Hamburg.) Next, Dan pointed to the error in the original GMLS proof and gave a fixed proof of tight security for the key-prefixed variant of Schnorr. He further argued that a tight reduction for the original Schnorr scheme without key-prefixing is very unlikely. As a consequence the group mutually agreed to use the key-prefixed variant, resulting in the current draft for EdDSA. Our results show that key-prefixing does not provide any advantage for multi-user security so we recommend to reconsider this decision. -Eike On Fri, Nov 20, 2015 at 8:45 AM, D. J. Bernstein <djb@cr.yp.to> wrote: > There's a new paper out on multi-user signature security: > > https://eprint.iacr.org/2015/1122.pdf > > The abstract says that "single-user security of Schnorr signatures > tightly implies multi-user security of the same scheme". > > My impression from previous papers is that Kiltz is careful, but I > haven't had time to look at the details of the new proof yet. The only > obvious caveats in the theorem statement from a first glance are that > > * the theorem allows a factor of 2 gain in success probability and, > more importantly, > > * the theorem actually has to assume "strong unforgeability" rather > than the standard notion of unforgeability---there's no limit on > how much security this could lose.
- [Cfrg] EC signature: next steps Alexey Melnikov
- Re: [Cfrg] EC signature: next steps Simon Josefsson
- Re: [Cfrg] EC signature: next steps Watson Ladd
- [Cfrg] EC signature: next steps Dan Brown
- Re: [Cfrg] EC signature: next steps Ilari Liusvaara
- Re: [Cfrg] EC signature: next steps Stephen Farrell
- Re: [Cfrg] EC signature: next steps Dan Brown
- Re: [Cfrg] EC signature: next steps Simon Josefsson
- Re: [Cfrg] EC signature: next steps Ilari Liusvaara
- [Cfrg] Side inputs to signature systems D. J. Bernstein
- Re: [Cfrg] Side inputs to signature systems Natanael
- Re: [Cfrg] EC signature: next steps Simon Josefsson
- Re: [Cfrg] Side inputs to signature systems Michael Hamburg
- Re: [Cfrg] EC signature: next steps Rene Struik
- Re: [Cfrg] EC signature: next steps David Jacobson
- Re: [Cfrg] EC signature: next steps Mike Hamburg
- Re: [Cfrg] EC signature: next steps William Whyte
- Re: [Cfrg] EC signature: next steps Stephen Farrell
- Re: [Cfrg] EC signature: next steps Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] EC signature: next steps Ilari Liusvaara
- Re: [Cfrg] EC signature: next steps Stephen Farrell
- Re: [Cfrg] EC signature: next steps Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] EC signature: next steps Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] EC signature: next steps Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] key as message prefix => multi-key sec… Dan Brown
- [Cfrg] key as message prefix => multi-key security D. J. Bernstein
- Re: [Cfrg] key as message prefix => multi-key sec… D. J. Bernstein
- Re: [Cfrg] key as message prefix => multi-key sec… Paterson, Kenny
- Re: [Cfrg] key as message prefix => multi-key sec… Sven Schäge
- Re: [Cfrg] key as message prefix => multi-key sec… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] key as message prefix => multi-key sec… William Whyte
- Re: [Cfrg] key as message prefix => multi-key sec… Bill Cox
- Re: [Cfrg] key as message prefix => multi-key sec… Andrey Jivsov
- Re: [Cfrg] key as message prefix => multi-key sec… D. J. Bernstein
- Re: [Cfrg] key as message prefix => multi-key sec… D. J. Bernstein
- Re: [Cfrg] key as message prefix => multi-key sec… D. J. Bernstein
- Re: [Cfrg] key as message prefix => multi-key sec… Eike Kiltz
- Re: [Cfrg] key as message prefix => multi-key sec… D. J. Bernstein
- Re: [Cfrg] key as message prefix => multi-key sec… Simon Josefsson