Abstract. We revisit the security of Fiat-Shamir signatures in the non-programmable random oracle model. The well-known proof by Pointcheval and Stern for such signature schemes (Journal of Cryptology, 2000) relies on the ability to re-program the random oracle, and it has been unknown if this property is inherent. Paillier and Vergnaud (Asiacrypt 2005) gave some first evidence of the hardness by showing via meta-reduction techniques that algebraic reductions cannot succeed in reducing key-only attacks against unforgeability to the discrete-log assumptions. We also use meta-reductions to show that the security of Schnorr signatures cannot be proven equivalent to the discrete logarithm problem without programming the random oracle. Our result also holds under the one-more discrete logarithm assumption but applies to a large class of reductions, which we call single-instance reductions, subsuming those used in previous proofs of security in the (programmable) random oracle model. In contrast to algebraic reductions, our class allows arbitrary operations, but can only invoke a single resettable adversary instance, making our class incomparable to algebraic reductions. Our main result, however, is about meta-reductions and the question if this technique can be used to further strengthen the separations above. Our answer is negative. We present, to the best of our knowledge for the first time, limitations of the meta-reduction technique in the sense that finding a meta-reduction for general reductions is most likely infeasible. In fact, we prove that finding a meta-reduction against a potential reduction is equivalent to finding a "meta-meta-reduction" against the strong existential unforgeability of the signature scheme. This means that the existence of a meta-reduction implies that the scheme must be insecure (against a slightly stronger attack) in the first place.
The Schnorr signature scheme is the most efficient signature scheme based on the discrete logarithm problem and a long line of research investigates the existence of a tight security reduction for this scheme in the random oracle model. Almost all recent works present lower tightness bounds and most recently Seurin (Eurocrypt 2012) showed that under certain assumptions the non-tight security proof for Schnorr signatures in the random oracle model by Pointcheval and Stern (Eurocrypt 1996) is essentially optimal. All previous works in this direction rule out tight reductions from the (one-more) discrete logarithm problem. In this paper we introduce a new meta-reduction technique, which shows lower bounds for the large and very natural class of generic reductions. A generic reduction is independent of a particular representation of group elements. Most reductions in state-of-the-art security proofs have this property. It is desirable, because then the reduction applies generically to any concrete instantiation of the group. Our approach shows unconditionally that there is no tight generic reduction from any natural non-interactive computational problem Π defined over algebraic groups to breaking Schnorr signatures, unless solving Π is easy. In an additional application of the new meta-reduction technique, we also unconditionally rule out any (even non-tight) generic reduction from natural non-interactive computational problems defined over algebraic groups to breaking Schnorr signatures in the non-programmable random oracle model.
Energy is the most limiting factor in wireless sensor networks. Harvesting solar energy is a feasible solution to overcome the energy-constraint in some applications. It enables a theoretically infinite network lifetime, sustaining a mode of operation termed energy neutral consumption rate. The challenge arises, how can the harvested energy be utilized to maximize the performance of the sensor network. Considering a field monitoring application the performance is measured as the sustained sampling rate of the sensors. Maximizing the sampling rate needs to take the spatio-temporal distribution of load and energy into account, to prevent the overloading of nodes. In [1] they introduced an optimal, theoretical solution based on perfect global knowledge. In this paper we propose the solar-aware distributed flow (SDF) approach. SDF enables each node to predict the harvested energy, calculate a sustainable flow and control its local neighborhood. To the best of our knowledge it is the first practical solution. Extensive simulations confirmed that SDF achieves over 80% of the theoretical optimum, while introducing negligible overhead.
In a sanitizable signature scheme the signer allows a designated third party, called the sanitizer, to modify certain parts of the message and adapt the signature accordingly. Ateniese et al. (ESORICS 2005) introduced this primitive and proposed five security properties which were formalized by Brzuska et al. (PKC 2009). Subsequently, Brzuska et al. (PKC 2010) suggested an additional security notion, called unlinkability, which says that one cannot link sanitized message-signature pairs of the same document. Moreover, the authors gave a generic construction based on group signatures that have a certain structure. However, the special structure required from the group signature scheme only allows for inefficient instantiations. Here, we present the first efficient instantiation of unlinkable sanitizable signatures. Our construction is based on a novel type of signature schemes with re-randomizable keys. Intuitively, this property allows to re-randomize both the signing and the verification key separately but consistently. This allows us to sign the message with a re-randomized key and to prove in zero-knowledge that the derived key originates from either the signer or the sanitizer. We instantiate this generic idea with Schnorr signatures and efficient Σ-protocols, which we convert into non-interactive zero-knowledge proofs via the Fiat-Shamir transformation. Our construction is at least one order of magnitude faster than instantiating the generic scheme of Brzuska et al. with the most efficient group signature schemes.
Definition of Sanitizable Signatures
The following definition of sanitizable signature schemes is taken verbatim from [BFF+09, BFLS10].
Definition 1 (Sanitizable Signature Scheme). A sanitizable signature scheme $\mathsf{SanS} = (\mathsf{KGen}_{sig}, \mathsf{KGen}_{san}, \mathsf{Sign}, \mathsf{Sanit}, \mathsf{Verify}, \mathsf{Proof}, \mathsf{Judge})$ consists of seven algorithms:
Key Generation. There are two key generation algorithms, one for the signer and one for the sanitizer. Both create a pair of keys, a private and the corresponding public key: and $(sk_{san}, pk_{san}) \leftarrow \mathsf{KGen}_{san}(1^{\kappa})$.
Signing. The signing algorithm takes as input a message $m \in \{0, 1\}^*$, a signer secret key $sk_{sig}$, a sanitizer public key $pk_{san}$, as well as a description $\mathsf{Adm}$ of the admissible modifications to $m$ by the sanitizer and outputs a signature $\sigma$. We assume that $\mathsf{Adm}$ can be recovered from any signature: $\sigma \leftarrow \mathsf{Sign}(m, sk_{sig}, pk_{san}, \mathsf{Adm})$.
Sanitizing. The sanitizing algorithm takes as input a message $m \in \{0, 1\}^*$, a description $\mathsf{Mod}$ of the desired modifications to $m$, a signature $\sigma$, the signer's public key $pk_{sig}$, and a sanitizer secret key $sk_{san}$. It modifies the message $m$ according to the modification instruction $\mathsf{Mod}$ and outputs a new signature $\sigma'$ for the modified message $m' = \mathsf{Mod}(m)$ or possibly $\bot$ in case of an error: $\{(m', \sigma'), \bot\} \leftarrow \mathsf{Sanit}(m, \mathsf{Mod}, \sigma, pk_{sig}, sk_{san})$.
Verification. The verification algorithm takes as input a message $m$, a candidate signature $\sigma$, a signer public key $pk_{sig}$, as well as a sanitizer public key $pk_{san}$ and outputs a bit $b$: $b \leftarrow \mathsf{Verify}(m, \sigma, pk_{sig}, pk_{san})$.
Proof. The p...