{"id":158179,"date":"2008-01-01T00:00:00","date_gmt":"2008-01-01T00:00:00","guid":{"rendered":"https:\/\/newed.any0.dpdns.org\/en-us\/research\/msr-research-item\/improved-bounds-on-security-reductions-for-discrete-log-based-signatures\/"},"modified":"2018-10-16T20:14:22","modified_gmt":"2018-10-17T03:14:22","slug":"improved-bounds-on-security-reductions-for-discrete-log-based-signatures","status":"publish","type":"msr-research-item","link":"https:\/\/newed.any0.dpdns.org\/en-us\/research\/publication\/improved-bounds-on-security-reductions-for-discrete-log-based-signatures\/","title":{"rendered":"Improved Bounds on Security Reductions for Discrete Log Based Signatures"},"content":{"rendered":"<div class=\"asset-content\">\n<p>Despite considerable research efforts, no efficient reduction from the discrete log problem to forging a discrete log based signature (e.g. Schnorr) is currently known. In fact, negative results are known. Paillier and Vergnaud\u00a0[PV05] show that the forgeability of several discrete log based signatures <em class=\"EmphasisTypeItalic \">cannot<\/em> be equivalent to solving the discrete log problem in the standard model, <em class=\"EmphasisTypeItalic \">assuming<\/em> the so-called one-more discrete log assumption and algebraic reductions. They also show, under the same assumptions, that, any security reduction in the Random Oracle Model (ROM) from discrete log to forging a Schnorr signature must lose a factor of at least <span id=\"IEq1\" class=\"InlineEquation\"><span id=\"MathJax-Element-1-Frame\" class=\"MathJax\" tabindex=\"0\" data-mathml=\"<math xmlns=\"http:\/\/www.w3.org\/1998\/Math\/MathML\"><msqrt><msub><mi>q<\/mi><mi>h<\/mi><\/msub><\/msqrt><\/math>\"><span id=\"MathJax-Span-1\" class=\"math\"><span id=\"MathJax-Span-2\" class=\"mrow\"><span id=\"MathJax-Span-3\" class=\"msqrt\"><span id=\"MathJax-Span-4\" class=\"mrow\"><span id=\"MathJax-Span-5\" class=\"msubsup\"><span id=\"MathJax-Span-6\" class=\"mi\">q<\/span><span id=\"MathJax-Span-7\" class=\"mi\">h<\/span><\/span><\/span>\u2212\u2212\u221a<\/span><\/span><\/span><\/span><\/span><span id=\"IEq1\" class=\"InlineEquation\"><\/span> in the success probability. Here <em class=\"EmphasisTypeItalic \">q<\/em> <sub> <em class=\"EmphasisTypeItalic \">h<\/em> <\/sub> is the number of queries the forger makes to the random oracle. The best known positive result, due to Pointcheval and Stern \u00a0[PS00], also in the ROM, gives a reduction that loses a factor of <em class=\"EmphasisTypeItalic \">q<\/em> <sub> <em class=\"EmphasisTypeItalic \">h<\/em> <\/sub>. In this paper, we improve the negative result from [PV05]. In particular, we show that any algebraic reduction in the ROM from discrete log to forging a Schnorr signature must lose a factor of at least <span id=\"IEq2\" class=\"InlineEquation\"><span id=\"MathJax-Element-2-Frame\" class=\"MathJax\" tabindex=\"0\" data-mathml=\"<math xmlns=\"http:\/\/www.w3.org\/1998\/Math\/MathML\"><msubsup><mi>q<\/mi><mi>h<\/mi><mrow class=\"MJX-TeXAtom-ORD\"><mn>2<\/mn><mrow class=\"MJX-TeXAtom-ORD\"><mo>\/<\/mo><\/mrow><mn>3<\/mn><\/mrow><\/msubsup><\/math>\"><span id=\"MathJax-Span-8\" class=\"math\"><span id=\"MathJax-Span-9\" class=\"mrow\"><span id=\"MathJax-Span-10\" class=\"msubsup\"><span id=\"MathJax-Span-11\" class=\"mi\">q<\/span><span id=\"MathJax-Span-12\" class=\"texatom\"><span id=\"MathJax-Span-13\" class=\"mrow\"><span id=\"MathJax-Span-14\" class=\"mn\">2<\/span><span id=\"MathJax-Span-15\" class=\"texatom\"><span id=\"MathJax-Span-16\" class=\"mrow\"><span id=\"MathJax-Span-17\" class=\"mo\">\/<\/span><\/span><\/span><span id=\"MathJax-Span-18\" class=\"mn\">3<\/span><\/span><\/span><span id=\"MathJax-Span-19\" class=\"mi\">h<\/span><\/span><\/span><\/span><\/span><\/span><span id=\"IEq2\" class=\"InlineEquation\"><\/span>, assuming the one-more discrete log assumption. We also hint at certain circumstances (by way of restrictions on the forger) under which this lower bound may be tight. These negative results indicate that huge loss factors may be inevitable in reductions from discrete log to discrete log based signatures.<\/p>\n<\/div>\n<p><!-- .asset-content --><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Despite considerable research efforts, no efficient reduction from the discrete log problem to forging a discrete log based signature (e.g. Schnorr) is currently known. In fact, negative results are known. Paillier and Vergnaud\u00a0[PV05] show that the forgeability of several discrete log based signatures cannot be equivalent to solving the discrete log problem in the standard [&hellip;]<\/p>\n","protected":false},"featured_media":0,"template":"","meta":{"msr-url-field":"","msr-podcast-episode":"","msrModifiedDate":"","msrModifiedDateEnabled":false,"ep_exclude_from_search":false,"_classifai_error":"","msr-author-ordering":null,"msr_publishername":"Springer","msr_publisher_other":"","msr_booktitle":"","msr_chapter":"","msr_edition":"CRYPTO","msr_editors":"","msr_how_published":"","msr_isbn":"978-3-540-85173-8","msr_issue":"","msr_journal":"","msr_number":"","msr_organization":"","msr_pages_string":"93-107","msr_page_range_start":"93","msr_page_range_end":"107","msr_series":"Lecture Notes in Computer Science","msr_volume":"5157","msr_copyright":"","msr_conference_name":"CRYPTO","msr_doi":"","msr_arxiv_id":"","msr_s2_paper_id":"","msr_mag_id":"","msr_pubmed_id":"","msr_other_authors":"Sanjam Garg, Satyanarayana V. Lokam","msr_other_contributors":"","msr_speaker":"","msr_award":"","msr_affiliation":"","msr_institution":"","msr_host":"","msr_version":"","msr_duration":"","msr_original_fields_of_study":"","msr_release_tracker_id":"","msr_s2_match_type":"","msr_citation_count_updated":"","msr_published_date":"2008-01-01","msr_highlight_text":"","msr_notes":"","msr_longbiography":"","msr_publicationurl":"http:\/\/www.springerlink.com\/content\/wm42067ru2684t46\/","msr_external_url":"","msr_secondary_video_url":"","msr_conference_url":"","msr_journal_url":"","msr_s2_pdf_url":"","msr_year":2008,"msr_citation_count":0,"msr_influential_citations":0,"msr_reference_count":0,"msr_s2_match_confidence":0,"msr_microsoftintellectualproperty":true,"msr_s2_open_access":false,"msr_s2_author_ids":[],"msr_pub_ids":[],"msr_hide_image_in_river":0,"footnotes":""},"msr-research-highlight":[],"research-area":[13561,13558],"msr-publication-type":[193716],"msr-publisher":[],"msr-focus-area":[],"msr-locale":[268875],"msr-post-option":[],"msr-field-of-study":[],"msr-conference":[],"msr-journal":[],"msr-impact-theme":[],"msr-pillar":[],"class_list":["post-158179","msr-research-item","type-msr-research-item","status-publish","hentry","msr-research-area-algorithms","msr-research-area-security-privacy-cryptography","msr-locale-en_us"],"msr_publishername":"Springer","msr_edition":"CRYPTO","msr_affiliation":"","msr_published_date":"2008-01-01","msr_host":"","msr_duration":"","msr_version":"","msr_speaker":"","msr_other_contributors":"","msr_booktitle":"","msr_pages_string":"93-107","msr_chapter":"","msr_isbn":"978-3-540-85173-8","msr_journal":"","msr_volume":"5157","msr_number":"","msr_editors":"","msr_series":"Lecture Notes in Computer Science","msr_issue":"","msr_organization":"","msr_how_published":"","msr_notes":"","msr_highlight_text":"","msr_release_tracker_id":"","msr_original_fields_of_study":"","msr_download_urls":"","msr_external_url":"","msr_secondary_video_url":"","msr_longbiography":"","msr_microsoftintellectualproperty":1,"msr_main_download":"457278","msr_publicationurl":"http:\/\/www.springerlink.com\/content\/wm42067ru2684t46\/","msr_doi":"","msr_publication_uploader":[{"type":"file","title":"Improved Bounds on Security Reductions for Discrete Log Based Signatures","viewUrl":"https:\/\/newed.any0.dpdns.org\/en-us\/research\/wp-content\/uploads\/2008\/01\/chp3A10.10072F978-3-540-85174-5_6.pdf","id":457278,"label_id":0},{"type":"url","title":"http:\/\/www.springerlink.com\/content\/wm42067ru2684t46\/","viewUrl":false,"id":false,"label_id":0}],"msr_related_uploader":"","msr_citation_count":0,"msr_citation_count_updated":"","msr_s2_paper_id":"","msr_influential_citations":0,"msr_reference_count":0,"msr_arxiv_id":"","msr_s2_author_ids":[],"msr_s2_open_access":false,"msr_s2_pdf_url":null,"msr_attachments":[{"id":0,"url":"http:\/\/www.springerlink.com\/content\/wm42067ru2684t46\/"}],"msr-author-ordering":[{"type":"text","value":"Sanjam Garg","user_id":0,"rest_url":false},{"type":"user_nicename","value":"rbhaskar","user_id":33364,"rest_url":"https:\/\/newed.any0.dpdns.org\/en-us\/research\/wp-json\/microsoft-research\/v1\/researchers?person=rbhaskar"},{"type":"text","value":"Satyanarayana V. Lokam","user_id":0,"rest_url":false},{"type":"user_nicename","value":"satya","user_id":33532,"rest_url":"https:\/\/newed.any0.dpdns.org\/en-us\/research\/wp-json\/microsoft-research\/v1\/researchers?person=satya"}],"msr_impact_theme":[],"msr_research_lab":[],"msr_event":[],"msr_group":[144887],"msr_project":[],"publication":[],"video":[],"msr-tool":[],"msr_publication_type":"inproceedings","related_content":[],"_links":{"self":[{"href":"https:\/\/newed.any0.dpdns.org\/en-us\/research\/wp-json\/wp\/v2\/msr-research-item\/158179","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newed.any0.dpdns.org\/en-us\/research\/wp-json\/wp\/v2\/msr-research-item"}],"about":[{"href":"https:\/\/newed.any0.dpdns.org\/en-us\/research\/wp-json\/wp\/v2\/types\/msr-research-item"}],"version-history":[{"count":1,"href":"https:\/\/newed.any0.dpdns.org\/en-us\/research\/wp-json\/wp\/v2\/msr-research-item\/158179\/revisions"}],"predecessor-version":[{"id":524927,"href":"https:\/\/newed.any0.dpdns.org\/en-us\/research\/wp-json\/wp\/v2\/msr-research-item\/158179\/revisions\/524927"}],"wp:attachment":[{"href":"https:\/\/newed.any0.dpdns.org\/en-us\/research\/wp-json\/wp\/v2\/media?parent=158179"}],"wp:term":[{"taxonomy":"msr-research-highlight","embeddable":true,"href":"https:\/\/newed.any0.dpdns.org\/en-us\/research\/wp-json\/wp\/v2\/msr-research-highlight?post=158179"},{"taxonomy":"msr-research-area","embeddable":true,"href":"https:\/\/newed.any0.dpdns.org\/en-us\/research\/wp-json\/wp\/v2\/research-area?post=158179"},{"taxonomy":"msr-publication-type","embeddable":true,"href":"https:\/\/newed.any0.dpdns.org\/en-us\/research\/wp-json\/wp\/v2\/msr-publication-type?post=158179"},{"taxonomy":"msr-publisher","embeddable":true,"href":"https:\/\/newed.any0.dpdns.org\/en-us\/research\/wp-json\/wp\/v2\/msr-publisher?post=158179"},{"taxonomy":"msr-focus-area","embeddable":true,"href":"https:\/\/newed.any0.dpdns.org\/en-us\/research\/wp-json\/wp\/v2\/msr-focus-area?post=158179"},{"taxonomy":"msr-locale","embeddable":true,"href":"https:\/\/newed.any0.dpdns.org\/en-us\/research\/wp-json\/wp\/v2\/msr-locale?post=158179"},{"taxonomy":"msr-post-option","embeddable":true,"href":"https:\/\/newed.any0.dpdns.org\/en-us\/research\/wp-json\/wp\/v2\/msr-post-option?post=158179"},{"taxonomy":"msr-field-of-study","embeddable":true,"href":"https:\/\/newed.any0.dpdns.org\/en-us\/research\/wp-json\/wp\/v2\/msr-field-of-study?post=158179"},{"taxonomy":"msr-conference","embeddable":true,"href":"https:\/\/newed.any0.dpdns.org\/en-us\/research\/wp-json\/wp\/v2\/msr-conference?post=158179"},{"taxonomy":"msr-journal","embeddable":true,"href":"https:\/\/newed.any0.dpdns.org\/en-us\/research\/wp-json\/wp\/v2\/msr-journal?post=158179"},{"taxonomy":"msr-impact-theme","embeddable":true,"href":"https:\/\/newed.any0.dpdns.org\/en-us\/research\/wp-json\/wp\/v2\/msr-impact-theme?post=158179"},{"taxonomy":"msr-pillar","embeddable":true,"href":"https:\/\/newed.any0.dpdns.org\/en-us\/research\/wp-json\/wp\/v2\/msr-pillar?post=158179"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}