On the Impossibility of Tight Cryptographic
Reductions
?Christoph Bader, Tibor Jager??, Yong Li, and Sven Sch¨age? ? ? Horst G¨ortz Institute for IT Security, Ruhr-University Bochum
Abstract. The existence oftightreductions in cryptographic security proofs is an important question, motivated by the theoretical search for cryptosystems whose security guarantees are truly independent of adversarial behavior and the practi-cal necessity of concrete security bounds for the theoretipracti-cally-sound selection of cryptographic parameters. At Eurocrypt 2002, Coron described ameta-reduction technique that allows to prove theimpossibilityof tight reductions for certain digital signature schemes. This seminal result has found many further interesting applications. However, due to a technical subtlety in the argument, the applica-bility of this technique beyond digital signatures in thesingle-usersetting has turned out to be rather limited. We describe a new meta-reduction technique for proving such impossibility results, which improves on known ones in several ways. It enables interesting novel applications, including a formal proof that for certain cryptographic primitives (including public-key encryption/key encapsu-lation mechanisms and digital signatures), the security loss incurred when the primitive is transferred from an idealized single-user setting to the more realistic multi-user setting isimpossibleto avoid, and a lower tightness bound for non-interactive key exchange protocols. Moreover, the technique allows to rule out tight reductions from a very general class of non-interactive complexity assump-tions. Furthermore, the proofs and bounds are simpler than in Coron’s technique and its extensions.
1
Introduction
Provable security. In modern cryptography, new cryptosystems are usually constructed together with a proof of security. Usually this security proof consists of a reduction Λ (in a complexity-theoretic sense), which turns an efficient adversaryAinto a ma-chine ΛA solving a well-studied, assumed-to-be-hard computational problem. Under the assumption that this computational problem is not efficiently solvable, this implies that the cryptosystem is secure. This approach is usually called “provable security”, it is inspired by the analysis of relations between computational problems in complexity theory, and allows to show that breaking the security of a cryptosystem is at least as hard as solving a certain well-defined hard computational problem.
?
This is the full version of an article with the same title that was accepted for publication at Eurocrypt’16.
??
Supported by DFG grant JA 2445/1-1.
? ? ?
The security loss in reduction-based security proofs. The “quality” of a reduction can be measured by comparing the running time and success probability ofΛAto the running time and success probability of attackerA. Ideally, ΛAhas about the same running time and success probability asA. However, most security proofs describe reductions whereΛAhas either a significantly larger running time or a significantly smaller success probability thanA(or both). Thus, the reduction “loses” efficiency and/or efficacy.
Since provable security is inspired by classical complexity theory, security proofs have traditionally been formulated asymptotically. The running time and success prob-ability of Turing machines are modeled as functions in asecurity parameter k ∈ N. LettΛA(k)denote the running time andΛA(k)denote the success probability ofΛA.
Likewise, lettA(k)andA(k)denote the running time and success probability ofA.
Then it holds that
tΛA(k)/ΛA(k) =`(k)·tA(k)/A(k)
for some “loss”`(k). A reductionΛis consideredefficient, if its loss`(k)is bounded by a polynomial. Note that in this approach the concrete size of polynomial ` (i.e., its degree and the size of its coefficients) does not matter. As common in classical complexity theory, it was considered sufficient to show that`is polynomially-bounded.
Concrete security proofs, the notion of tightness, and its relevance. In order to deploy a cryptosystem in practice, the size of cryptographic parameters (like for instance the length of moduli or the size of underlying algebraic groups) has to be selected. However, the asymptotic approach described above does not allow to derive concrete recommen-dations for such parameters, as it only shows that sufficiently large parametersexist. This is because the size of parameters depends on the concrete value of`, the loss of the reduction. A larger loss requires larger parameters.
The more recent approach, termedconcrete security, makes the concrete security loss of a reduction explicit. This allows to derive concrete recommendations for param-eters in a theoretically sound way (see e.g. [7] for a detailed treatment). Ideally,`(k)is constant. In this case the reduction is said to betight.1The existence of cryptosystems whose security is independent of deployment parameters is of course an interesting the-oretical question in its own right. Moreover, it has a strong practical motivation, because the tightness of a reduction directly influences the selection of the size of cryptographic parameters, and thus has a direct impact to the efficiency of cryptosystems. An example is given in Appendix A.
Coron’s result and its refinements. Coron [19] considered the existence of tight reduc-tions forunique2signature schemes in the single user setting, and described a “rewind-ing argument” (cf. Goldwasser et al. [28]), which allowed to prove lower tightness 1When speaking of tight reductions in this paper, we mean tight reductions from non-interactive
computational problems, like integer factorization, the discrete logarithm problem, etc., rather than (often trivial) tight reductions from interactive or contrived non-standard computational problems, which sometimes are very similar to the assumption that the cryptosystem is secure. 2For a unique signature scheme there exists exactly one unique valid signature for each message.
bounds for such signature schemes. In particular, Coron considered “simple”3 reduc-tions, which convert a forgerF breaking the security4 of a unique signature scheme into a machine solving a computationally hard problemΠ. He showed that any such reduction yields an algorithmBsolvingΠ directlywith probabilityB, where
B≥Λ−
F
exp(1)·n ·
1− n
|M|
−1
. (1)
HereΛ is the success probability ofΛ,F is the success probability of the signature forgerFused byΛ,nis the number of signatures queried byF in theEUF-CMA secu-rity experiment, and|M|is the size of the message space. Note that if|M| n, which is a reasonable for signature schemes, then the bound in (1) essentially implies that the success probability ofΛof the reduction can not substantially exceedF/(exp(1)·n), unless there exists an algorithmBsolvingΠefficiently. The latter, however, contradicts the hardness assumption onΠ. This result was later revisited by Kakvi and Kiltz [32], and generalized by Hofheinzet al. [31] to (non-unique) signature schemes with effi-ciently re-randomizable signatures, see also Appendix B.
Limitations of known meta-reductions. Unfortunately, Coron’s result has found only limited applications beyond digital signatures in the single-user setting. Most previous works [19,32,31] consider this setting, the (to our best knowledge) only exception is due to Lewko and Waters [34], which considers hierarchical identity-based encryption. Why isn’t it possible to apply it to other primitives? One reason is that the bound in Equation (1) ceases to be useful for reasonable values ofΛandFifn≈ |M|. This can be easily seen by settingn=|M| −1. The assumption that|M| nis a prerequisite for the arguments in [19,32,31] to work, thus, it is not possible to apply this technique to settings, where the assumption|M| nisnotreasonable.
Therefore Coron’s technique is not applicable when|M|is polynomially-bounded. However, such a situation appears often when considering cryptographic primitives beyond digital signatures in the single-user setting. Consider, for instance, a security model where the adversary is provided withM={pk1, . . . , pkn}, wherepk1, . . . , pkn is a list of public keys. The adversary may learn all but one of the corresponding secret keys, and is considered successful if it “breaks security” with respect to an uncorrupted key. This is a quite common setting, which occurs for instance in security models for signatures or public-key encryption in the multi-user setting with corruptions [3,4], all common security models for authenticated key exchange [9,16,4], and non-interactive key exchange [26] protocols.How can we analyze the existence of inherent tightness bounds in these settings?
Our contributions. We develop a new meta-reduction technique, which is also appli-cable in settings where|M|is polynomially bounded. In comparison to [19,32,31], we 3Intuitively, a “simple” reduction is a reduction which has black-box access to the adversary,
and runs the adversary onlysequentially. Most reductions in cryptographic security proofs are of this type. A more precise definition is given in the body of the paper.
4
achieve the simpler bound
B≥Λ−1/n.
which is independent of|M|.
Our new technique allows to rule out tight reductions from any non-interactive com-plexity assumption (cf. Definition 5). This includes also “decisional” assumptions (like decisional Diffie-Hellman). It avoids the combinatorial lemma of Coron [19, Lemma 1], which has a relatively technical proof. Our approach does not require such a combi-natorial argument, but is more “direct”.
This simplicity allows us to describe a generalized experiment with an abstract com-putable relation that captures the necessary properties for our tightness bounds. Then we explain that the standard security experiments for many cryptographic primitives are specific instances of this abstract experiment.
Technical idea. To describe our technical idea, let us consider the example of digital signatures in the single-user settings, as considered in [19,32,31], for this introduction. As sketched above, the result will later be generalized and applied to other settings as well. We consider a weakened signature security definition, where the security experi-ment proceeds as follows.
1. The adversary receives as input a verification key vkalong with n random but pairwise distinct messagesm1, . . . , mn.
2. The adversary selects an indexj∗, and receives in responsen−1signaturesσifor all messagesmiwithi6=j∗.
3. Finally, the adversary wins the experiment if it outputsσ∗that is a valid signature formj∗with respect toj∗.
Note that this is a very weak security definition, because the adversary is only able to observe signatures of random messages. However, note also that any lower tight-ness bound for such a weaker security definition implies a corresponding bound for any stronger definition. In particular, the above definition is weaker than the standard security definitionexistential unforgeability under chosen message attacksconsidered in [19,32,31], where messages may be adaptively chosen by the adversary.
Essentially, we argue that once a reduction has started the adversary in Step 1 of the above experiment, and thus has “committed” to a verification keyvkand messages m1, . . . , mn, there can only be a single choice ofj∗ for which this reduction is able
to output valid signaturesσifor alli6=j∗. Thus, for any adversary which choosesj∗ uniformly at random the reduction has probability at most1/n to succeed. We prove this by contradiction, by showing essentially that any reduction which is successful for two distinct choices ofj∗, sayj
0, j1, can be used to construct a machine that breaks the
underlying security assumption directly.
Technically, we proceed in two steps: first we describe an inefficient adversary against the reduction which chooses j∗ uniformly random, and computes the signa-tureσ∗formj∗by exhaustive search. Next, we show that this adversary can efficiently
succeed for two different valuesj0, j1, then it must also be able output the signatures for allnmessages. Therefore we start the reduction and let it run until it reaches a “break point” where it outputs(vk, m1, . . . , mn). Next, we run the reductionn-times, each time starting from the break point and using a different indexj, to search for two values j0, j1such thatj06=j1such that the reduction outputs valid signatures for all-but-one
messages. If indeed there exist two such indicesj0, j1, then we now have learned
sig-natures for all messages(m1, . . . , mn)which are valid w.r.t.vk. Thus, we can run the reduction one last time from the break point, this time to the end, using indexj0(or
equivalentlyj1), and we simulate the inefficient adversary using the fact that we know
a valid signature formj0 (ormj1). Importantly, in the last execution of the reduction
we are able to simulate the inefficient adversary perfectly, so the reduction will help us to break the non-interactive complexity assumption.
We caution that the rigorous proof of the above is more complex than the intuition provided in this introduction, and we have to put restrictions on the signature scheme, which depend on the considered application. For instance, when considering signatures in the single-user setting as above, we have to require that signatures are efficiently re-randomizable. In the generalized setting we will consider other applications, which require different but usually simple-to-check properties, like for instance that for each public keyvkthere exists auniquesecret key. In this way, our result provides simple criteria to check whether a cryptographic construction can have a tight proof at all. At the same time it implicitly provides guidelines for the construction of tightly secure cryptographic schemes, since all tightly secure constructions must circumvent our result in one way or the other.
The fact that we consider a weakened security experiment has several nice features. We think that the approach and its analysis described above are much simpler than previous works, which enables more involved impossibility results. We will show that it achieves a simpler bound and yields a qualitatively stronger result, as it even rules out tight reductions for such weak security experiments. Like previous works, we only consider reductions that execute the adversary sequentially and in a black-box fashion. We stress that most reductions in cryptography have this property.
We generalize the above idea from signature schemes in a single-user setting to abstract relations, which capture the relevant properties required for our impossibility argument to go through. We show that this abstraction allows to apply the result rela-tively easily to other cryptographic primitives, by describing applications to public-key encryption and signatures in the multi-user setting, and non-interactive key exchange.
Overview of Applications. A first, immediate application of our new technique are strengthened versions of the results of [19,32,31], but with significantly simpler proofs and tightness bounds even for weaker security notions (which is a stronger result). In contrast to previous works [19,32,31], the impossibility results hold also for “de-cisional” complexity assumptions.
multi-user setting. Classical security models for standard cryptographic primitives of-ten consider an idealized setting. For instance, the standard IND-CPA and IND-CCA security experiments for public-key encryption consider a setting with only one chal-lenge public key and only a single chalchal-lenge ciphertext. This is of course unrealistic for many practical applications. Public-key encryption is typically used in settings where an attacker sees many public keys and ciphertexts, and is (potentially) able to corrupt secret keys adaptively. Even though there is a reduction from breaking security in the multi-user setting to breaking security in the idealized setting, this reduction comes with a security loss which is linear in the number of users and ciphertexts. We show that under certain conditions (e.g., for schemes where there exists auniquesecret key for each public key) this loss is impossible to avoid. This gives an insight into which properties a cryptosystem must or must not meet in order to allow a tight reduction in the multi-user setting.
Another novel application is the analysis of the existence ofnon-interactivekey ex-change (NIKE) . In non-interactive key exex-change (NIKE) two parties are able to derive a common shared secret. However, in contrast to traditional key exchange protocols, they do not need to exchange any messages. Besides the secret key of one party the key derivation algorithm only requires the availability of the public key of the communica-tion partner. Security is defined solely by requiring indistinguishability of the derived shared secret from a random value. We show how to apply our main result to rule out tight reductions for a large class of NIKE protocols from a standard assumption in any sufficiently strong security model (such as the CKS-heavy model from [26]).
On certified public keys and the results of Kakvi and Kiltz. Several years after the publication of the paper of Coron [19] it has turned out that this paper contains a subtle technical flaw. Essentially, it is implicitly assumed that the value output by the reduction to the adversary is acorrectsignature public key (recall that Coron considered only digital signature schemes in the single-user setting). This misses the fact that a reduction may possibly outputincorrectkeys which are computationally indistinguishable from correct ones. Indeed, such keys lead to the technical problem that a meta-reduction maynotbe able to simulate the adversary constructed in the meta-reduction of Coron correctly.
This flaw was identified and corrected by Kakvi and Kiltz [32]. Essentially, Kakvi and Kiltz enforce that the reduction outputs only public keys which can be efficiently recognized as correct, by introducing the notion ofcertified public keys. A different (but similar in spirit), slightly more general approach is due to Hofheinzet al. [31], who require that signatures areefficiently re-randomizablewith respect to the public key output by from the reduction (regardless of whether this key is correct or not). Both these approaches [32,31] essentially overcome the subtle issue from Coron’s paper by ensuring that the adversaries simulated by the meta-reductions are always able to output
correctly distributedsignatures.
Relation to tightly-secure constructions. There exist various constructions of tightly-secure cryptosystems, which have to avoid our impossibility results in one way or another. The signature schemes constructed in [20,33,37,1,30,10], for example, are tightly-secure in a single-user setting. They avoid our impossibility result because they do not have unique signatures or no efficient re-randomization algorithm is known. The same holds for the signature schemes derived from the IBE schemes of [18,11]. Baderet al.[4] constructed signature schemes with tight security even in the multi-user setting with adaptive secret-key corruptions. Again, our impossibility results are avoided here because signatures are not efficiently re-randomizable. The encryption schemes of Bellare, Boldyreva and Micali [6] are tightly-secure in a multi-user setting, but only without corruptions. We consider impossibility results for the multi-user setting with corruptions. The key encapsulation mechanism presented in [4] is tightly-secure even in a multi-user setting with corruptions. It avoids our impossibility result because it does not have unique secret keys.
More related work. Since their introduction by Boneh and Venkatesan in 1998 [13] meta-reductions have proven to be a versatile tool in many areas of provably secu-rity. Previous works have mainly used meta-reductions to derive impossibility results and efficiency/security bounds on signatures schemes [22,21,35,27,38,5,23,25], blind-signature schemes [24] and encryption systems [36]. In particular, among these results there exist several works that consider the existence of (tight) security proofs for the Schnorr signature scheme [35,27,38,5,25]. The results in [14,15] use meta-reductions to derive relationships among cryptographic one-more type problems. Lewko and Wa-ters [34], building on [31], showed that under certain conditions it is impossible to prove security of hierarchical IBE (HIBE) schemes. To this end, Lewko and Waters extend the approach of [31] from signatures to hierarchical IBE to show that for certain HIBE schemes anexponentialtightness loss is impossible to avoid. Finally, the inexistence of certain meta-reductions was considered in [23].
Outline. We begin with considering essentially the same setting as Coron and follow-up works [19,32,31], namely digital signatures in the single-user setting, as an instructive example. We prove a strengthened variant of the results of [19,32,31]. This allows us to explain how our new technique works in a known setting, which may be helpful for readers already familiar with these works. A generalized, much more abstract version will be presented in Section 4, Section 5 gives many further interesting applications, which seem not achievable using the previous approach of [19,32,31].
2
The New Meta-Reduction Technique
2.1 Preliminaries
Notation. We write[n]to denote the set[n] :={1,2, . . . , n}, and forj∈[n]we write
[n\j]to denote the set[n]\{j}. IfAis a set thena←$Adenotes the action of sampling
the uniform choice ofr. Ifxis a binary string, then|x|denotes its length. IfM is a Turing machine, we denote byMcits description as a bitstring.
If t : N → N and there exists a constant c such that t(k) ≤ kc for all but finitely manyk ∈ N, then we say thatt ∈ poly(k). We denote bypoly−1(k)the set
poly−1(k) := {δ : 1
δ ∈ poly(k)}. We say that : N → [0,1]isnegligibleif for all c∈Nit holds that(k)>k−cis true only for at most finitely manyk ∈
N. We write ∈negl(k)to denote thatis negligible.
Digital Signatures. A digital signature schemeSIG= (Setup,Gen,Sign,Vfy)is a four-tuple ofPPT-TMs:
Public Parameters. The public parameter generation machineΠ←$Setup(1k)takes the security parameterkas input and returns public parametersΠ.
Key Generation. The key generation machine takes as input public parametersΠand outputs a key pair,(vk, sk)←$Gen(Π).
Signing. The signing machine takes as input a secret key skand a message mand returns a signatureσ←$Sign(sk, m).
Verification. The verification machine, on input a public keyvk, a signatureσand a messagem, outputs0or1,Vfy(vk, m, σ)∈ {0,1}.
Unique and re-randomizable signatures. LetΣ(vk, m) :={σ :Vfy(vk, m, σ) = 1} denote the set of all valid signaturesσw.r.t. a given messagemand verification keyvk.
Definition 1 (Unique signatures).We say that SIG is aunique signature scheme, if
|Σ(vk, m)|= 1for allvkandm.
Definition 2 (Re-randomizable signatures).We say thatSIGistReRand-re-randomizable,
if there exists a TMSIG.ReRandwhich takes as input(vk, m, σ)and outputs a signature
σ0 ←$SIG.ReRand(vk, m, σ)with the following properties.
1. SIG.ReRandruns in time at mosttReRand
2. IfVfy(vk, m, σ) = 1, thenσ0is distributed uniformly overΣ(vk, m).
Remark 1. Note that we do not put any bounds ontReRand. Thus, any signature scheme istReRand-re-randomizable for sufficiently largetReRand. However, there are many ex-amples of signature schemes which are efficiently re-randomizable, like the class of schemes considered in [31]. In particular, all unique signature schemes are efficiently re-randomizable by the Turing machineσ ←$ SIG.ReRand(vk, m, σ)which simply
outputs its inputσ.
Unforgeability under static message attacks. TheUF-SMAsecurity experiment is de-picted in Figure 1.
Definition 3. LetUF-SMAn,SIGA 1k
denote the UF-SMA security experiment depicted in Figure 1, executed with signature schemeSIGand attackerA = (A1,A2). We say thatA(tA, n, A)-breaks theUF-SMA-security ofSIG, if it runs in timetAand
PrhUF-SMAn,SIGA 1k
GameUF-SMAn,SIGA 1k
Π←$SIG.Setup(1k)
;ρA←${0,1}k
(vk, sk)←$
SIG.Gen(Π)
m1, . . . , mn←$ Ms.t.mi6=mjfor alli6=j
σi←$SIG.Sign(sk, mi)for alli∈[n] (j, st)← A1(vk,(mi)i∈[n];ρA)
σj← A2 st,(σi)i∈[n\j]
returnSIG.Vfy(vk, mj, σj)
Fig. 1.TheUF-SMA-security Game with attackerA= (A1,A2).
Remark 2. Observe that the messages in the UF-SMA security experiment from Fig-ure 1 are chosen at random (but pairwise distinct). We do this for simplicity, but stress that for our tightness bound we actually do not have to make any assumption about the distribution of messages, apart from being pairwise distinct. For instance, the messages could alternatively be the lexicographically firstnmessages of the message space, for instance.
Non-interactive complexity assumptions. The following very general definition of non-interactive complexity assumptions is due to Abe et al. [2].
Definition 4. Anon-interactive complexity assumptionN = (T,V,U)consists of three TMs. The instance generation machine (c, w) ←$ T(1k) takes the security
param-eter as input, and outputs a problem instancec and a witnessw.U is a probabilis-tic polynomial-time machine, which takes as input c and outputs a candidate solu-tion s. The verification TM V takes as input (c, w) and a candidate solution s. If V(c, w, s) = 1, then we say thatsis a correct solution to the challengec.
Intuitively,Uis a probabilistic polynomial-time machine which implements a suitable “trivial” attack strategy forN. This algorithm is used to define what “breaking”Nwith non-trivial success probability means, cf. Definition 5 below and [2].
Consider the following experimentNICABN(1k).
1. The experiment runs the instance generator ofN to generate a problem instance
(c, w)←$T(1k). Then it samples uniformly random coinsρ
B←${0,1}kforB. 2. Bis executed on input(c, ρB), it outputs a candidate solutions.
3. The experiment returns whateverV(c, w, s)returns.
Definition 5. We say thatB(t, )-breaks assumptionN, ifΛruns in timet(k)and it holds that
Pr
h
NICABN 1k
⇒1i−PrhNICAUN 1k
⇒1i
≥(k)
Simple reductions from non-interactive complexity assumptions to breakingUF-SMA -security. A reduction from breaking theUF-SMA-security of a signature schemeSIG
to breaking the security of a non-interactive complexity assumptionN = (T,V,U)is a TM, which turns an attackerA= (A1,A2)according to Definition 3 into a TMΛA
according to Definition 5.
Following [19,32,31,34], we will consider a specific class of reductions in the se-quel. We consider reductions havingblack-box accessto the attacker, and which execute the attackeronly onceandwithout rewinding. We will generalize this later to reductions that may execute the attacker several times sequentially. Following [34], we call such reductionssimple. At first sight we heavily constrain the class of reductions to that our result applies. However, as explained in [34], we include reductions that perform hybrid steps. Moreover, most reductions in cryptography are simple.
For preciseness and clarity, we define such a reduction as a triplet of Turing ma-chinesΛ= (Λ1, Λ2, Λ3). From these TMs and an attackerA= (A1,A2), we construct
a Turing machineΛAfor a non-interactive complexity assumption as follows.
1. MachineΛAreceives as input a challengecof the considered non-interactive com-plexity assumption, as well as random coinsρΛ←${0,1}k. It first runsΛ1(c, ρΛ), which returns the input toA1, consisting of a verification keyvk, a sequence of
messages(mi)i∈[n], and random coinsρA, as well as some statestΛ2.
2. ThenΛAexecutes the attackerA1on input(vk,(mi)i∈[n], ρA), which returns an
indexj∗∈[n]and some statestA.
3. TMΛ2receives as inputj∗and statestΛ2, and returns a list of signatures(σi)i∈[n\j∗]
and an updated statestΛ3.
4. The attackerA2is executed on(σi)i∈[n\j∗]and statestA, it returns a signatureσ∗.
5. Finally,ΛArunsΛ3(σ∗, j∗, stΛ3), which produces a candidate solutions, and
out-putss.
Definition 6. We say that a Turing machineΛ= (Λ1, Λ2, Λ3)is a simple(tΛ, n, Λ, A) -reduction from breakingN = (T,V,U)to breaking theUF-SMA-security ofSIG, if for any TMAthat(tA, n, A)-breaks theUF-SMAsecurity ofSIG, TMΛA(tΛ+tA, Λ)
-breaksN.
Definition 7. Let`:N→N. We say that reductionΛloses`, if there exists an adver-saryAthat(tA, n, A)-breaks theUF-SMAsecurity ofSIG, such thatΛA(tΛ+tA, Λ) -breaksN with
tΛ(k) +tA(k)
Λ(k) ≥`(k)· tA(k)
A(k)
.
Remark 3. The quotienttA(k)/A(k)of the running timetA(k)and the success
prob-abilityA(k)of a Turing machineAis called thework factorofA[8]. Thus, the factor
2.2 Bound for Simple Reductions without Rewinding
For simplicity, we will consider reductions that have access to a “perfect” adversaryA, which(tA, A)-breaks the signature scheme withA = 1. We explain in Section 2.4
why the extension to adversaries withA<1is straightforward.
Theorem 1. Let N = (T,V,U) be a non-interactive complexity assumption, n ∈
poly(k)and letSIGbe a signature scheme. For any simple(tΛ, n, Λ,1)-reduction from
breakingN to breaking theUF-SMA-security ofSIG, there exists a Turing machineB
that(tB, B)-breaksNwhere
tB≤n·tΛ+n·(n−1)·tVfy+tReRand and B≥Λ−1/n .
Here,tReRandis the time required to re-randomize a signature, andtVfy is the running
time of the verification machine ofSIG.
Proof. Our proof structure follows the structure of [31] (also used in [34]). That is, we first describe a hypothetical, inefficient adversary, then we show how to simulate it efficiently for certain reductions.
The Hypothetical Adversary. The hypothetical adversaryA = (A1,A2)consists of
two procedures that work as follows.
A1 vk,(mi)i∈[n];ρA. On input a public keyvkand messagesm1, . . . , mn,A1
sam-plesj←$[n]uniformly random and outputs(j, st), wherest= (vk,(m
i)i∈[n], j).
A2((σi)i∈[n\j], st). A2checks whetherSIG.Vfy(vk, mi, σi) = 1for alli ∈ [n\j]. If this holds, then it samples a uniformly random signatureσj ←$ Σ(vk, mj)for mj. Finally, it outputsσj.
Note thatA(tA,1)-breaks theUF-SMA-security ofSIG. Note also that the second step
of this adversary may not be efficiently computable, which is why we call this adversary
hypothetical.
SimulatingA. Consider the following TMB, which runs reductionΛ= (Λ1, Λ2, Λ3)
as a subroutine and attempts to breakN.Breceives as inputc←$T(1k). It maintains an arrayAwithnentries, which are all initialized to∅, and proceeds as follows.
1. Bfirst runs(vk,(mi)i∈[n], ρA, stΛ2)←
$Λ1(c;ρ
Λ)for uniformly randomρΛ ←$ {0,1}k.
2. Next,B runsΛ2(j, stΛ2)for each j ∈ [n]. Let((σi,j)i∈[n\j], stΛ3,j)denote the
output of thej-th execution ofΛ2. WheneverΛ2outputs(σi,j)i∈[n\j]such that SIG.Vfy(vk, mi, σi,j) = 1for alli∈[n\j]
then it setsA[i]←σi,jfor alli∈[n\j].
3. Bsamplesj∗←$[n]. Then it proceeds as follows.
– If there exists an indexi∈[n\j∗]such thatSIG.Vfy(vk, mi, σi,j∗)6= 1, then
Bsetsσ∗:=⊥.
– Otherwise, ifSIG.Vfy(vk, mi, σi,j∗) = 1for alli∈[n\j∗], thenBcomputes
σ∗←$SIG.ReRand(vk, m
j∗, A[j∗]).
4. Finally,Brunss← Λ3(σ∗, j∗, stΛ3,j∗)and outputss. Note that the statestΛ3,j∗
Running time ofB. Bessentially runs each part of Turing machineΛ = (Λ1, Λ2, Λ3)
once, plusn−1additional executions ofΛ2. Moreover, it executesSIG.Vfyn(n−1)
times, and the re-randomization TMSIG.ReRandonce. Thus, the total running time of Bis at most
tB≤n·tΛ+n·(n−1)·tVfy+tReRand.
Success probability ofB. To analyze the success probability ofB, let us define an event
bad. Intuitively, this event occurs, ifj∗is theonly(with respect to statestΛ2) value such
thatΛ2(stΛ2, j)outputs signatures which are all valid. More formally, for both
experi-mentsNICABN(1k)andNICA ΛA
N (1k), letstΛ2 denote the (in both experiments unique)
value computed byΛ1(c;ρΛ), and letj∗denote the (in both experiments unique) value given as input toΛ3(σ∗, j∗, stΛ3,j∗). We say thatbadoccurs (in eitherNICA
B
N(1k)or
NICAΛNA(1k)), ifpred(st Λ2, j
∗) = 1∧pred(st
Λ2, j) = 0∀j∈[n\j
∗], where predicate predis defined as
pred(stΛ2, j) = 1
⇐⇒ ^
i∈[n\j]
SIG.Vfy(vk, mi, σi) = 1, where((σi)i∈[n\j], stΛ3)←Λ2(stΛ2, j).
Note thatpredis well-defined, becauseΛ2is a deterministic TM.
Let us writeS(F)shorthand for the eventNICAFN(1k)⇒1to abbreviate our nota-tion. Then, it holds that
Pr[S(B)]−Pr[S(ΛA)]
≤
Pr[S(B)∩ ¬bad]−Pr[S(ΛA)∩ ¬bad]
+ Pr[bad].
(2)
BoundingPr[bad]. Recall that eventbadoccurs only if
pred(stΛ2, j
∗) = 1∧pred(st
Λ2, j) = 0∀j∈[n\j
∗] (3)
wherestΛ2 is the value computed by Λ1(c;ρΛ), and j
∗ is the value given as input
toΛ3(σ∗, j∗, stΛ3,j∗). Suppose that indeedstΛ2 is such that there exist at least one
j∗∈[n]such that (3) holds. We claim that even then we have
Pr[bad]≤1/n . (4)
To see this, note first that for eachstΛ2 there can be at most one value j ∗ that
satisfies (3). Moreover, both the hypothetical adversaryAand the adversary simulated byBchoosej∗←$[n]independently and uniformly random, which yields (4). ProvingPr[S(B)∩ ¬bad] = Pr[S(ΛA)∩ ¬bad]. Note thatBexecutes in particular
1. (vk,(mi)i∈[n], stΛ2)← $Λ
1(c;ρΛ) 2. ((σi,j∗)i∈[n\j∗], stΛ
3)←
$Λ2(j∗, st
Λ2)
3. s←Λ3(σ∗, j∗, stΛ3).
1. Machine Λ2(j∗, stΛ2) outputs ((σi,j∗)i∈[n\j∗], stΛ3,j∗) such that there exists an
indexi∈[n\j∗]withSIG.Vfy(vk, mi, σi,j∗)6= 1.
In this case,Awould computeσ∗:=⊥.Balso setsσ∗:=⊥in this case. 2. TMΛ2(j∗, stΛ2)outputs((σi,j∗)i∈[n\j∗], stΛ3,j∗)such that for alli ∈ [n\j
∗]it
holds that
SIG.Vfy(vk, mi, σi,j∗) = 1.
In this case,Awould output a uniformly random signatureσ∗ ←$ Σ(vk, m
j∗).
Note that in this caseBoutputs a re-randomized signatureσ∗←$SIG.ReRand(vk
, mj∗, A[j∗]), which is a uniformly distributed valid signature formj∗ provided
thatA[j∗]6=∅. The latter happens wheneverbaddoes not occur.
Thus,BsimulatesAperfectly in either case, provided that¬bad. This impliesS(B)∩ ¬bad ⇐⇒ S(ΛA)∩ ¬bad, which yields
Pr[S(B)∩ ¬bad] = Pr[S(ΛA)∩ ¬bad]. (5)
Finishing the proof of Theorem 1. By plugging (4) and (5) into Inequality (2), we obtain
Pr[S(B)]−Pr[S(ΛA)]
≤1/n
which implies
B=|Pr[S(B)]−Pr[S(U)]| ≥ |Pr[S(Λ)]−Pr[S(U)]| −1/n=Λ−1/n .
2.3 Interpretation
Assuming that no adversaryBis able to(tN, N)-break the security ofNICAwithtN=
tB =n·tΛ+n·(n−1)·tVfy+tReRand, we must haveB ≤N. By Theorem 1, we thus must have
Λ≤B+ 1/n≤N+ 1/n
for all reductionsΛ. In particular, the hypothetical adversaryAconstructed in the proof of Theorem 1 is an example of an adversary such that
tΛ+tA
Λ ≥
tA
N+ 1/n = (N+ 1/n)
−1
·tA
1 = (N+ 1/n) −1
· tA A
.
Thus, any reduction Λ from breaking the security of NICA N to breaking the
UF-SMA-security of signature schemeSIGloses (in the sense of Definition 7) at least a factor of` ≥1/(N+ 1/n). In particular, note that` ≈nifNis very small. This yields the following informal theorem.
Theorem 2 (informal). Any simple reduction from breaking the security ofNICAN
to breaking the UF-SMA-security (or any stronger security notion, like EUF-CMA -security, cf. Definition 22) of signature scheme SIG that provides efficient signature re-randomizationloses a factor that is at least linear in the numbernof sign queries issued by the attacker, orN is easy to solve.
TMr-ΛA(c;ρΛ)
stΛ1,1←Λ0(c, ρΛ)
for1≤l≤rdo:
(vkl,(mli)i∈[n], ρA, stΛl,2)←Λl,1(stΛl,1) (jl∗
, stA)← A1(vkl,(mli)i∈[n];ρA)
((σli)i∈[n\jl∗], stΛl,3)←Λl,2(j l∗
, stΛl,2)
σl
jl∗← A2((σil)i∈[n\jl∗], stA)
stΛl+1,1←Λl,3
σl jl∗, jl
∗
, stΛl,3
s←Λ3 stΛr+1,1
returns
Fig. 2.TMr-ΛAthat solves a non-interactive complexity assumption according to Definition 5, constructed from ar-simple reductionr-Λ=Λ0,(Λl,1, Λl,2, Λl,3)l∈[r], Λ3
and an attacker
A= (A1,A2).
2.4 Extension to “non-perfect” adversaries
Note that the proof of Theorem 1 trivially generalizes to(tΛ, n, Λ, A)-reductions with
A<1, that is, reductions that have access to an adversary which has success
probabil-ityA<1. To this end, we first would have to describe a hypothetical adversary, which
has success probabilityA. This is simple, because we can simply let the hypothetical
adversary constructed above toss a biased coinχwithPr[χ = 1] = A, such thatA
outputsσ∗only ifχ= 1. Note that in the proof of Theorem 1 we are even able to simu-late a perfect adversaryA. Therefore we would also be able to simulate the non-perfect adversary sketched above, by tossing a biased coinχand outputtingσ∗only ifχ= 1. This yields the following theorem.
Theorem 3. Let N = (T,V,U) be a non-interactive complexity assumption, n ∈
poly(k)and let SIG be a signature scheme. For any simple(tΛ, n, Λ, A)-reduction from breaking theUF-SMA-security ofSIGto breakingN, there exists a Turing ma-chineBthat(tB, B)-breaksNwhere
tB≤n·tΛ+n·(n−1)·tVfy+tReRand and B≥Λ−1/n .
Here,tReRand is the time to re-randomize a given valid signature over a message and
tVfyis the time needed to execute the verification machine ofSIG.
3
Bound for Reductions with Sequential Rewinding
Theorem 1 applies only to reductions that run the forger only once. Here we show that under assumptions similar to that in Theorem 1 the work factor of any reduction that is allowed to run or rewind the adversary r times sequentially cannot decrease significantly belownr ifN is hard.
r-Λ=Λ0,(Λl,1, Λl,2, Λl,3)l∈[r], Λ3
. Let nowA= (A1,A2)be an attacker against
theUF-SMA-security ofSIG. From these TMs we construct a Turing machiner-ΛA that solves aNICANas depicted in Figure 2. We shortly explain Figure 2 here. Λ0. r-Λinputs a challengecof the considered non-interactive complexity assumption
and random coinsρΛ. It processes these inputs by runningΛ0which outputs a state
stΛ.
Λl= (Λl,1, Λl,2, Λl,3). Now, for eachl∈[r], we have a triplet of TMsΛl= (Λl,1, Λl,2, Λl,3)
that has black box access to attackerA = (A1,A2). Note that the statestΛ may be passed over fromΛl,3toΛl+1,1(andΛ3) while the statestAofA2may not be
passed over to the next execution ofA1.
Λl,1. Λl,1inputs the current statestΛl,1and outputs a public keyvk
l, distinct mes-sagesmli, i∈[n], a random tapeρAforA1and a statestΛl,2. Next,A1is run
on input vkl,(m i)i∈[n]
;ρA)and returns a statestAand an indexjl.
Λl,2. On input index jl and statestΛl,2, Λl,2 returns signatures σ
l i
i∈[n\j] and
statestΛl,2. Now,A2is run on
σl i
i∈[n\jl], stA
and returnsσl jl.
Λl,3. Λl,3inputs the signature output byAl,2and the current statestΛl,2. It returns
the statestΛl+1,1.
Λ3. Finally,Λ3inputs the current state ofr-Λand returnss.r-Λis considered
success-ful ifV(c, w, s) = 1.
Definition 8. We say that a Turing machiner-Λ = Λ0,(Λl,1, Λl,2, Λl,3)l∈[r], Λ3
is anr-simple(tΛ, n, Λ, A)-reduction from breakingN = (T,V,U)to breaking the UF-SMA-security ofSIG, if for any TMAthat(tA, n, A)-breaks theUF-SMAsecurity ofSIG, TMr-ΛA(as constructed above)(tΛ+r·tA, Λ)-breaksN.
Definition 9. Let`:N→N. We say that anr-simple reductionΛfrom breaking a
non-interactive complexity assumptionN to breaking theUF-SMAsecurity of a signature schemeSIGloses`if there exists an adversaryAthat(tA, n, A)-breaks such thatΛA (tΛ+r·tA, Λ)-breaksN where
tΛ(k) +r·tA(k)
Λ ≥`(k)· tA(k)
A(k)
.
Theorem 4. Let N = (T,V,U)be a non-interactive complexity assumption,n, r ∈
poly(k)and letSIGbe a signature scheme. Then for anyr-simple(tΛ, n, Λ,1)
-reduc-tionΛfrom breakingN to breaking theUF-SMA-security ofSIGthere exists a TMB
that(tB, B)-breaksNwhere
tB≤r·n·tΛ+r·n·(n−1)·tVfy+r·tReRand
B≥Λ− r n.
Here,tReRand is the time to re-randomize a given valid signature over a message and
Proof. The proof is structured as the proof of Theorem 1. Namely, we consider again our hypothetical attackerA(cf. Page 11) that breaks theUF-SMA-security ofSIG. Since Aworks exactly as in the proof of Theorem 1, we do not describe it here again but we start directly with our analysis. We stress however, once again, thatA(tA,1)-breaks
N.
Next, we show how to simulateA. Roughly speaking, we will apply the technique from the proof of Theorem 1rtimes.
SimulatingArtimes sequentially. As in the proof of Theorem 1, we describe a TM Bthat runs TMr-Λ= (Λ0,(Λl,1, Λl,2, Λl,3), Λ3)as a subroutine. Recall that the goal of Bis to breakN and thatB is called on inputc ←$ T(1k)and random tapeρ.B proceeds as follows:
i. RunstΛ1,1 ←Λ0(c, ρΛ)for uniformlyρΛ. IfΛ0does not outputstΛ1,1,Baborts.
Note that, since the input toΛ0is fixed (including random coinsρΛ), we may view
Λ0(and all following subroutines ofΛ) as deterministic.
ii. For1≤l≤r,Bperforms the following steps (that bare similarity with the simu-lation in the proof of Theorem 1).
Roundl. Initialize an arrayAlthat hasnentries, all initialized to∅.
a) RunΛl,1(stΛl,1). If Λoutputs
vkl, mlii∈[n], ρA, stΛl,2
, continue. Other-wise stop.
b) Next, run σi,jl i
∈[n\j], stΛl,3
←Λl,2(j, stΛl,2)for eachj∈[n]. In case all
signatures returned byΛl,2are valid, i.e., if ^
i∈[n\j]
SIG.Vfy(vkl, mli, σli,j) = 1
setAl[i]←σl
i,jfor alli∈[n\j].
c) Samplejl∗←$[n]. We distinguish between two cases:
1) If for anyi∈[n\jl∗]it holds thatSIG.Vfy(vkl, ml
i, σi,jl l∗)6= 1, setσ∗←
⊥.
2) Otherwise, i.e., ifSIG.Vfy(vkl, ml
i, σi,jl l∗) = 1 for all i ∈ [n\jl∗] set
σ∗←$SIG.ReRand(vkl, ml
jl∗, Al[jl∗]).
d) RunstΛl+1,1 ←Λl,3(σ ∗, st
Λl,3).
iii. Finally,Brunss←Λ3(stΛr+1,1)and returnss.
Analysis. Let us first note that the running time ofB is essentially bounded by the running time ofr-Λplus the running time to executeΛl,2n−1times, the time to run SIG.Vfyforn·(n−1)times and the time to runSIG.ReRandfor all1 ≤l ≤r. We thus obtain an upper bound on the total running timetofΛby
Success probability ofB. Similar to the proof of Theorem 1 we define eventsbad(l), l ∈ [r] to analyze the success probability of B. Informally, bad(l) occurs if, given stΛl,2,j
l∗is theonlyvalue such thatΛ
l,2(j, stΛl,2)outputs signatures that are all valid.
As before, let us denote bystΛl,2 the unique state computed byΛl,1and letj
l∗denote
the unique value input toΛl,1 σ∗, jl∗, stΛl,3
. We note thatstΛl,2 as well asj
l∗ are
well-defined in both experimentsNICABN(1k)andNICAΛA N (1k). We say thatbad(l)occurs ifpred(stΛl,2, j
l∗) = 1∧pred(st
Λl,2, j) = 0∀j ∈[n\j
l∗]
where
pred(stΛl,2, j) = 1
⇔^SIG.Vfy(vkl, mli, σ l i) = 1 :
σli
i∈[n\j], stΛl,3
←Λl,2(stΛl,2, j)
Now, we define eventbad=W
l∈[r]bad(l).
Let us denote byS(F)denote the eventNICAFN(1k)⇒1. As in the proof of Theo-rem 1 (cf. page12) we obtain:
PrS r-ΛA−Pr [S(B)]≤Pr[S(ΛA)∩ ¬bad]−Pr[S(B)∩ ¬bad] + Pr[bad] (6)
BoundingPr[bad]. Recall that eventbadoccurs only if there exists anyl ∈ [r]such thatbad(l)occurs, i.e.,
pred(stΛl,2, j
l∗) = 1∧pred(st
Λl,2, j) = 0∀j∈[n\j
l∗] (7)
wherestΛl,2is the value computed byΛl,1(c;stΛl,1), andj
l∗is the value given as input
toΛl,3(σ∗, jl∗, stΛl,3). We claim that then we havePr[bad(l)] ≤ 1/n. To see this,
note first that forbad(l)to occur it is necessary that there is only one valuejl∗ that
satisfies pred(stΛl,2, j
l∗). Moreover,baddoes only occur if this indexjl∗ is input to
Λl,3. Note that both the hypothetical adversaryAand the adversary simulated by B
choosejl∗independently and uniformly random, which yields the claim. Now, by the
union bound, we obtain
Pr[bad]≤r/n (8)
Pr[S(B)∩ ¬bad] = Pr[S(ΛA)∩ ¬bad]. Note thatBexecutes in particular: 1) stΛ1,1 ←Λ0(c;ρΛ)
2a) (vkl,(ml
i)i∈[n], stΛl,2)← $Λ
l,1(c, stΛl,1)
2b) ((σi,jl∗)i∈[n\jl∗], stΛl,3)← $Λ
l,2(jl∗, stΛl,3)
2c) stΛl+1,1 ←Λl,3(σ
∗, jl∗, st
Λl,3)
3) s←Λ3(stΛr+1,1)
where steps 2a) - 2c) are carried out for eachl∈[r]. We show that if¬bad(l)occurs, thenBsimulates the hypothetical adversaryAperfectly forΛl= (Λl,1, Λl,2, Λl,3). To this end, consider the distribution ofσ∗that is input toΛl,3in following two cases.
1. TMΛl,2(jl∗, stΛl,2)outputs((σi,jl∗)i∈[n\jl∗], stΛl,3)such that there exists an index
i ∈ [n\jl∗]withSIG.Vfy(vkl, ml
i, σi,jl∗) 6= 1. In this case,Awould compute
2. Turing machineΛl,2(jl∗, stΛl,2)outputs((σi,jl∗)i∈[n\jl∗]stΛl,3)such that SIG.Vfy(vkl, mli, σli,jl∗) = 1
for alli ∈ [n\jl∗].In this case, Awould output a uniformly random signature σ∗ ←$ Σ(vkl, ml
jl∗). Note that in this caseBoutputs a re-randomized signature
σ∗←$SIG.ReRand(vkl, ml
jl∗, Al[jl∗]), which is a uniformly distributed valid
sig-nature formljl∗provided thatA
l[jl∗]6=∅. The latter happens wheneverbad(l)does
not occur.
Thus,BsimulatesAperfectly forΛprovided that¬bad. This impliesS(B)∩¬bad ⇐⇒
S(ΛA)∩ ¬bad, which yields
Pr[S(B)∩ ¬bad] = Pr[S(ΛA)∩ ¬bad] (9)
Finishing the proof. By plugging (8) and (9) into Inequality (6), we obtain
Pr[S(ΛA)]−Pr[S(B)]≤r/n =⇒ B≥Λ−r/n
3.1 Interpretation
Assuming that no adversaryBis able to(tN, N)-break the security ofNICAwithtN=
tB=r·n·tΛ+r·n·(n−1)·tVfy+r·tReRand, we must haveB≤N. By Theorem 4,
we thus must have
Λ≤B+r/n≤N+r/n
for all reductionsΛ. In particular, the hypothetical adversaryAconstructed in the proof of Theorem 1 is an example of an adversary such that
tΛ+r·tA
Λ ≥
r·tA
N+r/n= (N+r/n)
−1
·r·tA
1 = (N+r/n) −1
·r·tA A
.
Thus, any reduction Λ from breaking the security of NICA N to breaking the
UF-SMA-security of signature schemeSIGloses (in the sense of Definition 7) at least a factor of`≥r/(N+r/n). In particular, note that`≈nifNis very small.
4
A Generalized Meta-Reduction
In this section we state and prove our main result, which generalizes the results from Section 2. Essentially, we observe that for the proof to work we do not need all struc-tural elements a signature scheme possesses. In particular we do not require dedicated parameter generation-, key generation- and sign-algorithms. Instead, we consider an abstract security experiment with the following properties:
2. The adversary is provided with statementsy1, . . . , ynat the beginning of the secu-rity experiment and has access to an oracle that when queriedyi returnsxisuch thatR(xi, yi), i∈[n].
3. If the adversary is able to outputxj such thatR(xj, yj)and it did not query its oracle onyj, this is sufficient to win the security game.
Remark 5. To show the usefulness of such an abstract experiment, we note that for instance the security experiments for public key encryption or key encapsulation mech-anisms in the multi-user setting with corruptions [4], or digital signature schemes in the multi-user (MU) setting with corruptions [3,4], naturally satisfy these properties as follows. Essentially, we define a relationR(sk, pk)over pairs of public keys and secret keys such thatR(sk, pk) = 1wheneversk“matches“pk. The adversary is provided with public keys at the beginning of the experiment, and is able to obtain secret keys corresponding to public keys of its choice. Finally, if the adversary is able to output an uncorrupted secret key, it is clearly able to compute a signature over a message that was not signed before (i.e., winning the signature security game) or decrypt the challenge ciphertext (i.e., winning the PKE/KEM security game). Thus, all three requirements are satisfied. Details on how to apply the result to, e.g., digital signatures and PKE/KEMs in the multi user setting with corruptions we refer to Section 5.
4.1 Definitions
Re-randomizable relations. LetR⊆X×Y be a relation. For(x, y)withR(x, y) = 1
we callxthewitnessandythestatement. We useX(R, y)to denote the set X(R, y) :={x:R(x, y) = 1}
of all witnesses xfor statement y with respect to R. We denote by L(R) := {y :
∃xs.t.R(x, y) = 1} ⊆Y the language consisting of statements inR.
In the sequel we will considercomputablerelations. We will therefore identify a re-lationRwith a machineRbthat computesR. We say that a relationRistVfy-computable, if there is a deterministic Turing machineRbthat runs in time at mosttVfy(|x|+|y|)such
thatRb(x, y) =R(x, y).
Definition 10. LetR:={Ri}i∈I be a family of computable relations. We say thatR
istReRand-re-randomizable if there is a probabilistic Turing machineR.ReRandthat
inputs(Rbi, y, x), runs in time at mosttReRand, and outputsx0 which is uniformly
dis-tributed overX(R, yi)wheneverRi(x, y) = 1, with probability1.
GameUF-SSAn,RA 1 k
R=Ri←$R
y1, . . . , yn ←$ L(R)s.t.yi 6= yjfor all
i6=j
xi←$X(R, yi)for alli∈[n] (j, st)← A1(R,b (yi)i∈[n];ρA)
xj← A2 st,(xi)i∈[n\j]
returnR(xj, yj)
Fig. 3.TheUF-SSA-security Game with attackerA= (A1,A2).
Witness unforgeability under static statement attacks. We will consider a weak security experiment for computable relations, which is inspired by theUF-SMA-security exper-iment considered in Section 2, but abstract and general enough to be applicable in other useful settings. Jumping slightly ahead, we will show in Section 5 that this includes applications to signatures, public-key encryption, key encapsulation mechanisms in the multi-user setting, and non-interactive key exchange.
The security experiment is described in Figure 3. It is parametrized by a familyR of computable relations,R={Ri}i∈I, and the numbernof statements the adversary A= (A1,A2)is provided with. These statements need to be pairwise distinct.Amay non-adaptivelyask for witnesses forall but onestatement, and is considered successful if it manages to output a “valid” witness for the remaining statement.
Definition 11. Let R = {Ri}i∈I be a family of computable relations. We say that
an adversary A = (A1,A2) (t, n, )-breaks the witness unforgeability under static
statement attacksofRif it runs in timetand
Pr [UF-SSAnR(A)⇒1]≥
whereUF-SSAnR(A)is the security game depicted in Figure 3.
Simple reductions from non-interactive complexity assumptions to breakingUF-SSA -security. Informally, a reduction from breaking theUF-SSA-security of a family of relationsRto breaking the security of a non-interactive complexity assumptionN = (T,U,V)is a Turing machine Γ, which turns an attacker A = (A1,A2) againstR
according to Definition 11 into a TMΓAthat breaksNaccording to Definition 5. As in Section 2, we will only consider simple reductions, i.e., reductions that haveblack-box
access to the attacker and that may run the attacker at mostrtimessequentially. We define a reduction from breaking the security ofRto breakingNas an(3r+ 2) -tuple of TMsΓ = Γ0,(Γl,1, Γl,2, Γl,3)l∈[r], Γ3
TMr-ΓA(c;ρΛ)
stΓ ←Γ0(c, ρΓ)
for1≤l≤rdo:
c
Rl, yl i
i∈[n], ρA, stΓ
←Γl,1(stΓ)
jl, stA← A1
c
Rl, yl i
i∈[n];ρA
xli
i∈[n\jl], stΓ
←Γl,2 jl, stΓ
xl j← A2
xl i
i∈[n\jl], stA
stΓ←Γl,3 xlj, stΓ
s←Γ3(stΓ)
returns
Fig. 4.TMr-ΓAthat solves a non-interactive complexity assumption according to Definition 5, constructed from ar-simple reductionr-Γ = Γ0,(Γl,1, Γl,2, Γl,3)l∈[r], Γ3
and an attacker
A= (A1,A2).
Definition 12. We say that a TMr-Γ =Γ0,(Γl,1, Γl,2, Γl,3)l∈[r], Γ3
is anr-simple
(tΓ, n, Γ, A)-reduction from breakingN = (T,V,U)to breaking theUF-SSA-security of of a family of relationsR, if for any TMAthat(tA, n, A)-breaks theUF-SSA secu-rity ofR, TMr-ΓA(cf. Figure 4)(tΛ+r·tA, Λ)-breaksN.
We define the loss of anr-simple reductionr-Γ from breakingN to breaking the
UF-SSA-security of a family of computable relationsRsimilar to Definition 9.
4.2 Main Result
In this Section we establish the following result that generalizes Theorem 4.
Theorem 5. Let N = (T,V,U)be a non-interactive complexity assumption,n, r ∈
poly(k)and letRbe a family of computable relations. Then for anyr-simple(tΓ, n, Γ,1)
-reductionΓ from breakingN to breaking theUF-SSA-security ofRthere exists a TM
Bthat(tB, B)-breaksNwhere
tB≤r·n·tΓ +r·n·(n−1)·tVfy+r·tReRand
B≥Γ − r n.
Here,tReRandis the time to re-randomize a given valid witness andtVfyis the maximum
time needed to computeR∈ R.
The proof of Theorem 5 is nearly identical to the proof of Theorem 4, and therefore omitted. Also the interpretation of Theorem 5 is nearly identical to the interpretation described in Section 2.3. Assuming that no adversaryB is able to(tN, N)-break the security ofNICAwithtN =tB =r·n·tΛ+r·n·(n−1)·tVfy+r·tReRand, we must haveB≤N. Thus, ifRis efficiently computable and re-randomizable, the loss
5
New Applications
5.1 Signatures in the Multi-User Setting
Definitions. The syntax of digital signature schemes is defined in Section 2. Here, we define additional properties of signature schemes that are required to establish our re-sult. LetSIG= (Setup,Gen,Sign,Vfy)be a signature scheme. In the sequel we require
perfect correctness, i.e., that for allk ∈ N, all Π ←$ Setup(1k), all (vk, sk) ←$
Gen(Π)and allmit holds that:
PrhSIG.Vfy(vk, m, σ) = 1 :σ←$SIG.Sign(sk, m)i= 1.
Moreover, letΠ ←$ Setup(1k)and let us recall thatΠ is contained in vk. We require an additional deterministic TMSKCheckΠthat takes as input stringsskandpk and outputs 0 or 1 such that:
SKCheckΠ(pk, sk) = 1 ⇐⇒
Pr
Vfy(pk, m, σ) = 1 :m←$|M| ∧σ←$Sign(sk, m) = 1.
That is, SKCheck takes inputssk andpk and returns1 if and only ifpk is a valid public key andskis a corresponding secret key. Since we require perfect correctness for signature schemes, we haveSKCheck(vk, sk) = 1whenever(vk, sk)←$Gen(Π).
Definition 13 (Key re-randomization). We say that a signature encryption scheme SIGistReRand-key re-randomizable if there exists a Turing machineSIG.ReRandthat runs in time at mosttReRand, takes as input Π(vk, sk)and returnsskuniformly dis-tributed over{sk:SKCheckΠ(vk, sk) = 1}wheneverSKCheckΠ(vk, sk) = 1.
Example 2. If we consider, for example, the Waters signature scheme [40], a public key consists among others of elementsg, g1, g2 ∈ G whereg1 =gα. The key generation
algorithm outputs a corresponding secret key assk=gα
2. However, there may be other
secret keys that might be accepted bySKCheck.
To investigate this issue we shortly recall the signing and verification algorithms of [40]. The signing algorithm, when given as input a secret key and a message returns σ = (σ1, σ2) = (gr, sk ·(H(m))
r
)whereris uniformly random chosen fromZp. Verification returnse(g1, g2) =?e(g, σ2)·e(σ1, H(m))−1=e(g, sk)·e(g, H(m))r·
e(g, H(m))−r.
We observe that by definition ofSKCheckwe must haveSKCheck(vk, sk) = 1⇔ e(g1, g2) = e(g, sk). Thus there is an efficientSKCheckprocedure. Moreover, since
GameMU-EUF-CMA-Cn,µSIG(A)
Π ←$SIG.Setup(1k) O.Sign(m, i)
(vki, ski)←$SIG.Gen(Π) if|Qi| ≥µreturn⊥
ρA←${0,1}k Qi←Qi∪ {m}
QCorrupt=Q1=. . .=Qn← ∅ returnσ←$SIG.Sign(ski, m) (∗i, m∗, σ∗)← AO.Sign(·,·),O.Corrupt(·)(vki)
i∈[n];ρA
O.Corrupt(i)
returnvki∗∈/QCorrupt∧m∗∈/Qi∗∧SIG.Vfy(vki∗, m∗, σ∗)QCorrupt←QCorrupt∪ {vki}
returnski
Fig. 5.MU-EUF-CMA-C-security Game. The attacker has access to a signing oracleO.Signand a corrupt oracleO.Corrupt.
Security definition. TheMU-EUF-CMA-C-security game is depicted in Figure 5. Here the adversaryAis provided with public keysvk1, . . . , vknof the signature scheme. It may now adaptively issuesignandcorrupt-queries. To issue a sign query it specifies a messagemand a public keyvki, i∈[n]and obtains a valid signatureσovermthat is valid with respect tovki. In order to issue a corrupt query,Aspecifies an indexi∈[n]
and obtains a secret keyski that “matches”vki. Finally,Aoutputs a triplet(i, m, σ) and is considered successful if it did neither issue a corrupt query forinor a sign query for(m, vki)and at the same timeσis valid overmwith respect tovki.
Definition 14 (MU-EUF-CMA-C-security).We say that an adversary(t, n, µ, )-breaks theMU-EUF-CMA-C-security of a signature schemeSIGif it runs in timetand
Pr [MU-EUF-CMA-Cn,µSIG(A)⇒1]≥ .
Definition 15. We say that a Turing machine r-Γ is an r-simple (tΛ, n, µ, Λ, A) -reduction from breakingN = (T,V,U)to breaking theMU-EUF-CMA-C-security of SIG, if for any TMAthat(tA, n, µ, A)-breaks theMU-EUF-CMA-Csecurity ofSIG, TMΛA(tΛ+r·tA, Λ)-breaksN.
The loss of anr-simple reductionΓfrom breakingNto breaking theMU-EUF-CMA-C -security ofSIGis defined similar to definition 7.
Defining a suitable relation. LetSIG= (Setup,Gen,Sign,Vfy)be a signature scheme and let I be the range of Setup. We set RSIG = {RΠ}Π∈I where RΠ(x, y) :=
SKCheckΠ(y, x). Now, ifSIGistReRand-key re-randomizable thenRSIGistReRand re-randomizable.
UF-SSAsecurity forRSIGis weaker thanMU-EUF-CMA-C-security forSIG. Let now
SIGbe a perfectly correct signature scheme and letRSIGbe derived fromSIGas de-scribed in Section 5.1.
Proof. We constructBthat (t0, n,0, 0)-breaks theMU-EUF-CMA-C-security ofSIG, given black box access toAas follows:
1. Bis called on input a set of public key(vk)i∈[n]and random tapeρ. Recall thatΠ are contained invk. First,Bsamples andρA, the random coins ofA. After that, it
runs(j, stA)← A1
Π,(vk)i∈[n], ρA
.
2. Bwill issue a corrupt-query to oracleO.Corruptfor alli∈ [n\j]. It will obtain skisuch thatSKCheckΠ(vki, ski). Next,Brunsskj ←$A2
(ski)i∈[n\j], stA
. Note thatSKCheckΠ(vkj, skj) = 1with probability.
3. Bsamplesm←$Mand computesσ←$SIG.Sign(sk
j, m)and outputs(j, m, σ). Note thatvkj ∈/ QCorrupt andm /∈Qj. Moreover, by the property ofSKCheckwe haveSIG.Vfy(vkj, m, σ) = 1.
Tightness Bound.
Theorem 6 (informal).Any simple reduction from breaking the security of aNICAN
to breaking theMU-EUF-CMA-C-security of a perfectly correct signature schemeSIG (cf. Definition 15) that provides efficient key re-randomizationand that supports an efficientSKCheckloses a factor that is linear in the number of public keys the attacker is provided with and that it may corrupt, orNis easy to solve.
We prove the Theorem via the following technical Theorem, which follows imme-diately from Theorem 5.
Theorem 7. Let N = (T,V,U)be a non-interactive complexity assumption,n, r ∈
poly(k)and letRSIG be a family of computable relations as described above. Then for anyr-simple(tΓ, n, Γ,1)-reductionΓ from breakingN to breaking theUF-SSA
-security ofRSIGthere exists a TMBthat(tB, B)-breaksNwhere
tB≤r·n·tΓ+r·n·(n−1)·tVfy+r·tReRand
B≥Γ−
r n .
Here,tReRandis the time to re-randomize a given valid witness andtVfyis the maximum
time needed to computeR∈ RSIG.
5.2 Public-Key Encryption in the Multi-User Setting
Our main result also applies to public key encryption in the multi-user setting with corruptions (and a similar result for key encapsulation mechanisms is straightforward).
Definitions. A public key encryption schemePKEis a four tuple ofPPT-TMsPKE= (Setup,Gen,Enc,Dec):
GameMU-IND-CPA-Cn,µPKE(A)
Π←$
PKE.Setup(1k) O.Encrypt(m0, m1, i∗) (pki, ski)←$PKE.Gen(Π) if|m0| 6=|m1|return⊥
ρA←${0,1}k b←${0,1}
QCorrupt← ∅ returnc←$ Enc(pk i, mb)
b0← AO.Encrypt(·,·,·),O.Corrupt(·)
(pki)i∈[n];ρA
O.Corrupt(i)
returnb=b0∧pki∗∈/QCorrupt QCorrupt←QCorrupt∪ {pki}
returnski
Fig. 6. MU-IND-CPA-C-security Game. The attacker has access to an encryption oracle
O.Encryptwhich may be queried only once and a corrupt oracleO.Corrupt.
Key Generation. The key generation machine inputs public parameters and returns a key pair as(pk, sk)←$Gen(Π). We assumepkto containΠ.
Encryption. The encryption machine takes as input a public keypkand a messagem and returns a ciphertext, i.e.,c←$Enc(pk, m).
Decryption. The decryption machine returns a messagemwhen input a ciphertextc and a secret keysk. We require perfect correctness, i.e., that for allk ∈ N, all Π←$Setup(1k)and all(pk, sk)←$Gen(Π)it holds that
PrhDec(sk,Enc(pk, m)) =m:m←$Mi= 1
Security definition. As in theMU-EUF-CMA-C-security game for digital signatures, the adversary is provided withnpublic keyspk1, . . . , pknat the beginning of the ex-periment. It may now adaptively issuecorruptand onetest-query. To issue a corrupt query, it specifies an indexi ∈ [n] and obtainsski that works forpki. A test-query may be issued only once throughout the security game. Here, the adversary specifies an indexi∗ ∈[n]and two messagesm0, m1of equal length and obtains an encryption of
mb, whereb←$ {0,1}. The adversary terminates outputting a bitb0 and is successful
if it did not issue a corrupt query fori∗andb=b0. The security experiment is depicted in Figure 6.
Definition 16 (MU-IND-CPA-C-security).We say that an adversary(t, n, µ, )-breaks theMU-IND-CPA-C-security of a public key encryption schemePKEif it runs in time
tand
Pr [MU-IND-CPA-Cn,µPKE(A)⇒1]≥.
Definition 17. We say that a Turing machine r-Γ is an r-simple (tΛ, n, µ, Λ, A) -reduction from breakingN = (T,V,U)to breaking theMU-IND-CPA-C-security of PKE, if for any TMAthat(tA, n, µ, A)-breaks theMU-IND-CPA-Csecurity ofPKE, TMΛA(tΛ+r·tA, Λ)-breaksN.
Remark 6. For simplicity, we considerchosen-plaintextsecurity in the multi-user set-ting. The result generalizes easily to other security notions for public-key encryption, likechosen-ciphertextsecurity, for example.
Additional properties. Similar to the case of digital signatures in the multi user setting we require an additional TMSKCheckΠwhereΠ ←$Setup(1k).
SKCheckΠ(pk, sk) = 1 ⇐⇒ Pr
h
Dec(sk,Enc(pk, m)) =m:m←$Mi= 1.
That is,SKChecktakes inputsskandpkand returns1if and only ifpkis aPKEpublic key andskis a secret key corresponding to public keypk.
Definition 18 (Key re-randomization).We say that a public key encryption scheme PKEistReRand-key re-randomizable if there exists a Turing machinePKE.ReRandthat
runs in time at mosttReRand, takes as input(Π, pk, sk)and returnsskuniformly dis-tributed over{sk:SKCheckΠ(vk, sk) = 1}ifSKCheckΠ(pk, sk) = 1.
Example 3. Let us consider the linear encryption scheme from [12]. Here, a public key is a tuple of group elements g, h, k ∈ G whereG is a group of prime order p. A corresponding secret key, as generated by the key generation machine, consists of α, β ∈ Zpsuch thath= gαandk = gβ. For further investigation we recall the en-cryption and deen-cryption procedures. The enen-cryption machine outputsc= (c2, c1, c0) = (hs, kt, gs+t·m)wheres, tare chosen uniformly random from
Zp. Decryption returns m ← c0·c−β
−1
1 ·c
−α−1
2 . Now suppose some tuple(α0, β0)that will be accepted by SKCheck. By definition ofSKCheckthe following holds for allmands, t←$
Zp:
0 =s+t−log(k)·t·β0−1−log(h)·s·α0−1
=t· 1−log(k)·β0−1+s· 1−log(h)·α0−1.
We conclude that for SKCheckto accept a proposed secret key,(α0, β0)must satisfy α0= log(h)andβ0 = log(k). Thus, secret keys are unique and in particular efficiently re-randomizable. Moreover, there is an efficientSKCheck-procedure that, given a pur-ported key(α0, β0)returnsh=?gα0∧k=?gβ0.
Defining a suitable relation. LetPKE= (Setup,Gen,Enc,Dec)be a public key en-cryption scheme and letIbe the range ofSetup. To define a suitable relation, we set RPKE={RΠ}Π∈I whereRΠ(x, y) :=SKCheckΠ(y, x)andIis the range ofSetup.
Next, we show that any adversary that breaks theUF-SSA-security ofRPKE then there is an attacker that breaks theMU-IND-CPA-C-security ofPKE.
Claim. If there is an attackerAthat(t, n, )-breaks theUF-SSA-security ofRPKEthen there is an attackerBthat(t0, n,0, 0)-breaks theMU-IND-CPA-C-security ofPKEwith
t0=O(t)and0≥.
1. Bis called on input a public key(pk)i∈[n] and random tapeρ. Recall thatΠ is contained inpk. First,Bsamples andρA, the random coins ofA. After that, it runs (j, stA)← A1
Π,(pk)i∈[n], ρA
.
2. Bwill issue a corrupt-query to oracleO.Corruptfor alli∈ [n\j]. It will obtain skisuch thatSKCheckΠ(vki, ski). Next,Brunsskj ←$A2
(ski)i∈[n\j], stA
. Note thatSKCheckΠ(vkj, skj) = 1with probability.
3. Next, B samples m0 6= m1 ←$ M such that |m0| = |m1| and issues query (m0, m1, j)to oracleO.Encryptwhich will respond withc ←$ Enc(pkj, mb).B runsm ← Dec(skj, c)and returns b0 ← m =? m1. Note thatpkj ∈/ QCorrupt. Moreover, by the perfect correctness of PKEand the property of SKCheck, we have thatb0=bwheneverAis successful.
Tightness Bound.
Theorem 8 (informal).Any simple reduction from breaking the security of aNICAN
to breaking theMU-IND-CPA-C-security of a perfectly correct public key encryption schemePKE(cf. Definition 16) that providesefficient key re-randomizationand that supports an efficientSKCheckloses a factor that is linear in the number of public keys the attacker is provided with and that it may corrupt, orNis easy to solve.
We prove the above Theorem via the following technical Theorem, which is a direct application of Theorem 5.
Theorem 9. Let N = (T,V,U)be a non-interactive complexity assumption,n, r ∈
poly(k)and letRPKE be a family of computable relations as described above. Then
for anyr-simple(tΓ, n, Γ,1)-reductionΓ from breakingN to breaking theUF-SSA
-security ofRPKEthere exists a TMBthat(tB, B)-breaksNwhere
tB≤r·n·tΓ+r·n·(n−1)·tVfy+r·tReRand
B≥Γ−
r n.
Here,tReRandis the time to re-randomize a given valid witness andtVfyis the maximum
time needed to computeR∈ RPKE.
5.3 Non-Interactive Key Exchange
In this section we will show how to apply our main result to non-interactive key ex-change (NIKE) [26]. This case differs from the cases considered before in that we will have to define a relation R(x, y), which is not efficiently verifiable, given justxand y. Instead, we will need additional information, which will be available in the NIKE security experiment. Formally, we consider againUF-SSA-security for some relationR but modelA2 as an oracle machine. The responses of the oracle may depend on the
output of A1. We explain that this makes it possible to extend the range of covered
![Fig. 2. TM r-ΛA that solves a non-interactive complexity assumption according to Definition 5,constructed from a r-simple reduction r-Λ =�Λ0, (Λl,1, Λl,2, Λl,3)l∈[r] , Λ3�and an attackerA = (A1, A2).](https://thumb-us.123doks.com/thumbv2/123dok_us/7937994.1317894/14.612.197.420.114.242/interactive-complexity-assumption-according-denition-constructed-reduction-attackera.webp)
![Fig. 4. TM r-Γ A that solves a non-interactive complexity assumption according to Definition 5,constructed from a r-simple reduction r-Γ =�Γ0, (Γl,1, Γl,2, Γl,3)l∈[r] , Γ3�and an attackerA = (A1, A2).](https://thumb-us.123doks.com/thumbv2/123dok_us/7937994.1317894/21.612.197.420.115.256/interactive-complexity-assumption-according-denition-constructed-reduction-attackera.webp)
