IETF Logo Mail Archive

Re: [Cfrg] key as message prefix => multi-key security

Eike Kiltz <eike.kiltz@rub.de> Sat, 21 November 2015 15:33 UTC

Return-Path: <ekiltz@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 327391ACD8A for <cfrg@ietfa.amsl.com>; Sat, 21 Nov 2015 07:33:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.621
X-Spam-Level:
X-Spam-Status: No, score=0.621 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GpoJ42rJ9Q3q for <cfrg@ietfa.amsl.com>; Sat, 21 Nov 2015 07:33:05 -0800 (PST)
Received: from mail-lf0-x229.google.com (mail-lf0-x229.google.com [IPv6:2a00:1450:4010:c07::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6A2CD1ACD89 for <cfrg@ietf.org>; Sat, 21 Nov 2015 07:33:05 -0800 (PST)
Received: by lfaz4 with SMTP id z4so85482801lfa.0 for <cfrg@ietf.org>; Sat, 21 Nov 2015 07:33:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:content-type; bh=d7GZv/Ay/7XIG3zI6LO+CsmsOiqGIEhNAv84f9s4aq0=; b=i9aQvLlBl3RqjX7tYZbXmuI/tC40E9asUWkvH18tBRXIqdOMS4nBIJZNhJvPnmlwc5 G1fs/Codnj3AgHSIEsV8Yj5tt+IyK9VJGU6KO7VBP84Av0u5Eq8+FZ+kD2gxXw6B8t2s USJZ1PxoHMq5UhJyMDYE/IrhG4yRAo+IOmxANVmXQ6LiyDfrp+/lhAiaWkFHIdpPCOj2 lrC/0HFHIEwmCKnVfslIQMhlUh9/AvlVGFsm8K6/oDy6hB88+fxoEH0srrK7F0nKwGCg Cr1WHPOHNfOUX/aJh4B0oBhTvgXvpvq+UjhTAzgDdg0qs4CFyxI+S0bKo66wMwFryvOC NLBQ==
MIME-Version: 1.0
X-Received: by 10.25.147.209 with SMTP id v200mr8022970lfd.102.1448119983615; Sat, 21 Nov 2015 07:33:03 -0800 (PST)
Sender: ekiltz@gmail.com
Received: by 10.112.165.33 with HTTP; Sat, 21 Nov 2015 07:33:03 -0800 (PST)
In-Reply-To: <20151120074529.15234.qmail@cr.yp.to>
References: <20150930225622.21805.qmail@cr.yp.to> <20151120074529.15234.qmail@cr.yp.to>
Date: Sat, 21 Nov 2015 16:33:03 +0100
X-Google-Sender-Auth: tnpoSbxtmDW0sKrF908pWC4qi8s
Message-ID: <CAKt=43p6X+Byb_a-pin-OVS8RXi82AFpzML80KzeYWKve0aG6A@mail.gmail.com>
From: Eike Kiltz <eike.kiltz@rub.de>
To: cfrg@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/_Ymjl_dqoPEKeOGhYOKKwqb4DbQ>
Subject: Re: [Cfrg] key as message prefix => multi-key security
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 21 Nov 2015 15:34:32 -0000

Our results are not stated entirely correctly, so let me clarify first.

In our paper
     https://eprint.iacr.org/2015/1122.pdf
we show the following (cf. Figure 2):

1. Strong single-user security of Schnorr signatures tightly implies
strong multi-user security of the same scheme

2. Standard single user security of Schnorr signatures tightly implies strong
multi-user security of the same scheme, assuming a perfect hash
function (aka random oracle). This is the original GMLS theorem,
expect that we make the random oracle requirement.


As I understand the history of this thread, initially the group agreed
that key-prefixing should be avoided for Schnorr due to certain
performance and usability issues, referring to the GMLS theorem
from 2002. (See the message by Struik and Hamburg.)

Next, Dan pointed to the error in the original GMLS proof and gave
a fixed proof of tight security for the key-prefixed variant of Schnorr.
He further argued that a tight reduction for the original Schnorr
scheme without key-prefixing is very unlikely. As a consequence
the group mutually agreed to use the key-prefixed variant, resulting
in the current draft for EdDSA.

Our results show that key-prefixing does not provide any advantage
for multi-user security so we recommend to reconsider this decision.

 -Eike


On Fri, Nov 20, 2015 at 8:45 AM, D. J. Bernstein <djb@cr.yp.to> wrote:
> There's a new paper out on multi-user signature security:
>
>    https://eprint.iacr.org/2015/1122.pdf
>
> The abstract says that "single-user security of Schnorr signatures
> tightly implies multi-user security of the same scheme".
>
> My impression from previous papers is that Kiltz is careful, but I
> haven't had time to look at the details of the new proof yet. The only
> obvious caveats in the theorem statement from a first glance are that
>
>    * the theorem allows a factor of 2 gain in success probability and,
>      more importantly,
>
>    * the theorem actually has to assume "strong unforgeability" rather
>      than the standard notion of unforgeability---there's no limit on
>      how much security this could lose.

v2.23.0 | Report a Bug | By Email