Tighter Security for Schnorr Identification and Signatures: A High-Moment Forking Lemma for $${\varSigma }$$ -Protocols

Rotem, Lior; Segev, Gil

doi:10.1007/978-3-030-84242-0_9

Lior Rotem¹⁰ &
Gil Segev¹⁰

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12825))

Included in the following conference series:

Annual International Cryptology Conference

2453 Accesses
9 Citations

Abstract

The Schnorr identification and signature schemes have been amongst the most influential cryptographic protocols of the past three decades. Unfortunately, although the best-known attacks on these two schemes are via discrete-logarithm computation, the known approaches for basing their security on the hardness of the discrete logarithm problem encounter the “square-root barrier”. In particular, in any group of order p where Shoup’s generic hardness result for the discrete logarithm problem is believed to hold (and is thus used for setting concrete security parameters), the best-known t-time attacks on the Schnorr identification and signature schemes have success probability $t^2/p$, whereas existing proofs of security only rule out attacks with success probabilities $(t^2/p)^{1/2}$ and $(q_{\mathsf {H}} \cdot t^2/p)^{1/2}$, respectively, where $q_{\mathsf {H}}$ denotes the number of random-oracle queries issued by the attacker.

We establish tighter security guarantees for identification and signature schemes which result from $\varSigma $-protocols with special soundness based on the hardness of their underlying relation, and in particular for Schnorr’s schemes based on the hardness of the discrete logarithm problem. We circumvent the square-root barrier by introducing a high-moment generalization of the classic forking lemma, relying on the assumption that the underlying relation is “d-moment hard”: The success probability of any algorithm in the task of producing a witness for a random instance is dominated by the d-th moment of the algorithm’s running time.

In the concrete context of the discrete logarithm problem, already Shoup’s original proof shows that the discrete logarithm problem is 2-moment hard in the generic-group model, and thus our assumption can be viewed as a highly-plausible strengthening of the discrete logarithm assumption in any group where no better-than-generic algorithms are currently known. Applying our high-moment forking lemma in this context shows that, assuming the 2-moment hardness of the discrete logarithm problem, any t-time attacker breaks the security of the Schnorr identification and signature schemes with probabilities at most $(t^2/p)^{2/3}$ and $(q_\mathsf {H}\cdot t^2/p)^{2/3}$, respectively.

L. Rotem and G. Segev—Supported by the European Union’s Horizon 2020 Framework Program (H2020) via an ERC Grant (Grant No. 714253).

L. Rotem—Supported by the Adams Fellowship Program of the Israel Academy of Sciences and Humanities.

You have full access to this open access chapter, Download conference paper PDF

Tighter Security for Schnorr Identification and Signatures: A High-Moment Forking Lemma for $\varvec{\Sigma }$-Protocols

Article 06 June 2024

On the Multi-user Security of Short Schnorr Signatures with Preprocessing

The Multi-Base Discrete Logarithm Problem: Tight Reductions and Non-rewinding Proofs for Schnorr Identification and Signatures

1 Introduction

The Schnorr identification and signature schemes [Sch89, Sch91] have been amongst the most influential cryptographic protocols of the past three decades, due to their conceptual simplicity and practical efficiency. Accordingly, the analysis of their security guarantees has attracted much attention over the years. Though from the onset, it was observed that their asymptotic security can be tied to that of the discrete logarithm problem, characterizing their concrete security has remained an elusive feat. On the one hand, to this day there are no known attacks on these schemes that improve upon the existing algorithms for computing discrete logarithms. On the other hand, essentially all known security reductions to the discrete logarithm problem are non-tight, which may lead to significant blowups when setting concrete security parameters (i.e., the group size), and hence to degraded efficiency.^{Footnote 1} Concretely, the known approaches for basing the security of the Schnorr identification and signature schemes on the hardness of the discrete logarithm problem encounter the “square-root barrier”.

The Square-Root Barrier. In order to base the security of the Schnorr identification scheme and signature scheme on the hardness of the discrete logarithm problem, one has to transform any malicious impersonator and any malicious forger, respectively, into a discrete-logarithm algorithm. The existing approaches are based on the classic “forking lemma” of Pointcheval and Stern [PS00] (see also [AAB+02, BN06, BCC+16, KMP16] and the references therein). The difference between the various approaches is reflected by the different trade-offs between the success probability and the running time of their discrete-logarithm algorithms.

For the Schnorr identification scheme, any malicious impersonator that runs in time t and breaks the security of the scheme with probability $\epsilon $, can be transformed for example into a discrete-logarithm algorithm that has success probability roughly $\epsilon ^2$ and runs in time roughly t. Similarly, for the Schnorr signature scheme, any malicious forger that runs in time t, issues $q_{\mathsf {H}}$ random-oracle queries and breaks the security of the scheme with probability $\epsilon $, can be transformed into a discrete-logarithm algorithm that has success probability roughly $\epsilon ^2/q_{\mathsf {H}}$ and runs in time roughly t.

Thus, in any group of order p where Shoup’s generic hardness result for computing discrete logarithms is believed to hold [Sho97], this leads to the bound $\epsilon \le (t^2/p)^{1/2}$ on the security of the Schnorr identification scheme, and to the bound $\epsilon \le (q_{\mathsf {H}} \cdot t^2/p)^{1/2}$ on the security of the Schnorr signature scheme (we refer the reader to Sect. 3 for a variety of other trade-offs that were established over the years, all of which lead to the same square-root bounds, as recently observed by Bellare and Dai [BD20] and by Jaeger and Tessaro [JT20]).

However, the best-known attack on the security the Schnorr identification and signature schemes is via discrete-logarithm computation, which has success probability $t^2/p$ in such groups. For example, for a 256-bit prime p, the success probability of the best-known $2^{80}$-time attack on the Schnorr identification scheme is roughly $2^{-96}$, whereas the square-root bound only rules out attacks with success probability greater than $2^{-48}$ (for the Schnorr signature scheme this gap only increases due to the additional dependency on $q_{\mathsf {H}}$).

A Wider Perspective: Identification and Signatures from $\varSigma $-Protocols. The square-root barrier is encountered not only when proving the security of the Schnorr identification and signatures schemes, but also when proving the security of additional ones, such as the Okamoto identification and signature schemes [Oka92] (see [AAB+02, KMP16] for various other examples). The Schnorr and Okamoto schemes are prime examples of the more general approach of constructing identification schemes based on $\varSigma $-protocols with special soundness, and of constructing signature schemes based on such identification schemes via the Fiat-Shamir paradigm [FS86, AAB+02]. In such schemes, the square-root barrier arises due to the rewinding-based methodology underlying their security proofs, as we further discuss in Sect. 3.

It should be noted that additional approaches were suggested as alternatives to basing the security of the Schnorr identification and signature schemes on the hardness of the discrete logarithm problem. Shoup [Sho97] and Fuchsbauer, Plouviez and Seurin [FPS20] provided tight security proofs in the generic-group model and in the algebraic-group model, respectively, and Bellare and Dai [BD20] provided tight security proofs based on the hardness of their multi-base discrete logarithm problem. These approaches do not encounter the square-root barrier, at the cost of considering either idealized models that considerably restrict attackers, or a newly-introduced interactive problem instead of the long-studied discrete logarithm problem.

1.1 Our Contributions

We establish tighter security guarantees for identification and signature schemes by circumventing the square-root barrier. Our approach applies to schemes that result from $\varSigma $-protocols with special soundness based on the hardness of their underlying relation $\mathcal {R} \subseteq \mathcal {X} \times \mathcal {W}$, and in particular to the Schnorr and Okamoto identification and signature schemes based on the hardness of the discrete logarithm problem.

We prove our results by introducing a high-moment generalization of the classic forking lemma, relying on the assumption that the success probability of any algorithm in the task of producing a witness $w \in \mathcal {W}$ given a random instance $x \in \mathcal {X}$ is dominated by the d-th moment of the algorithm’s running time. In what follows we provide a high-level description of our assumption, and then state our bounds on the security of identification and signature schemes.

Our Assumption: $\boldsymbol{d}$-Moment Hardness. Given a relation $\mathcal {R} \subseteq \mathcal {X} \times \mathcal {W}$ underlying a $\varSigma $-protocol, and a distribution $\mathcal {D}$ over pairs $(x,w) \in \mathcal {R}$, we put forward the d-moment assumption that considers the task of producing a witness w given an instance x that is sampled via $\mathcal {D}$. Informally, in its most simplistic form, our assumption asks that the success probability of any algorithm A in this task is at most ${\mathbb {E} \left[ (\mathsf {T}_{A, \mathcal {D}})^d \right] }/{\left| \mathcal {W} \right| }$, where $\mathsf {T}_{A,\mathcal {D}}$ denotes the random variable corresponding to A’s running time.^{Footnote 2} We refer the reader to Sect. 3 for a formal statement.

In the specific context of the discrete logarithm problem, instances are of the form $x = (\mathbb {G},p,g,h)$ where $\mathbb {G}$ is a cyclic group of order p that is generated by g, and h is a group element. The relation $\mathcal {R}$ consists of all pairs $((\mathbb {G},p,g,h),w)$ for which $h=g^w$, and the distribution $\mathcal {D}$ consists of a group-generation algorithm that produces the description $(\mathbb {G},p,g)$ of the group, together with a uniformly-distributed group element h.

As recently observed by Jaeger and Tessaro [JT20], already Shoup’s original proof shows that the discrete logarithm problem is 2-moment hard in the generic-group model [Sho97].^{Footnote 3} Thus, our assumption can be viewed a highly-plausible strengthening of the discrete logarithm assumption in any group where no better-than-generic algorithms are currently known for the discrete logarithm problem. In such groups, the generic hardness of the problem is used for setting concrete security parameters, and thus the assumption that the discrete logarithm problem is 2-moment hard can be viewed as identifying some of the core essence of the problem’s generic hardness in the form of a standard-model assumption.

Tighter Security for Identification Schemes. Given an identification scheme resulting from a $\varSigma $-protocol for a relation $\mathcal {R}$, we follow the approach underlying the classic “forking lemma” of Pointcheval and Stern [PS00], and show that any attacker can be transformed into an algorithm A that takes as input an instance $x \in \mathcal {X}$ and produces (with a certain probability) a witness $w \in \mathcal {W}$ such that $(x,w) \in \mathcal {R}$. However, unlike existing variants of the forking lemma (see, for example, [AAB+02, BN06, KMP16, BCC+16, JT20]), we design our algorithm A with the goal of optimizing the trade-off between its success probability and the dth moment of its running time. Assuming the d-moment hardness of the relation $\mathcal {R}$, this trade-off leads to the following tighter bound on the success probability of the attacker when considering the standard notion of security against passive impersonation attacks (in Sect. 3 we demonstrate that the existing variants of the forking lemma do not circumvent the square-root barrier when relying on our assumption):

Theorem 1.1

(informal). Let $\mathcal {ID}$ be an identification scheme with special soundness for a relation $\mathcal {R} \subseteq \mathcal {X} \times \mathcal {W}$. If $\mathcal {R}$ is d-moment hard, then any attacker that runs in time t breaks the security of $\mathcal {ID}$ with probability at most $(t^d/|\mathcal {W}|)^{d/(2d-1)}$.

In particular, our theorem yields the following corollary for the Schnorr and Okamoto identification schemes (Table 1 exemplifies our concrete improvement over the square-root bound for a few typical choices of parameters):

Corollary 1.2

(informal). Assuming that the discrete logarithm problem is 2-moment hard, then any attacker that runs in time t breaks the security of the Schnorr and Okamoto identification schemes with probability at most $(t^2/p)^{2/3}$, where p is the order of the underlying group.

Tighter Security for Signature Schemes. We show that our approach extends to establishing tighter security guarantees for signature schemes that are obtained from identification schemes via the Fiat-Shamir paradigm [FS86]. The generic analysis of the Fiat-Shamir transform in this context [AAB+02], when combined with Theorem 1.1, yields the bound $\epsilon \le q_{\mathsf {H}} \cdot (t^d/|\mathcal {W}|)^{d/(2d-1)}$ on the success probability of any malicious forger that runs in time t and issues $q_{\mathsf {H}}$ random-oracle queries assuming the d-moment hardness of the underlying relation. Although this bound may already be useful on its own, we nevertheless show that it can be further improved by applying our proof technique directly for reducing the dependence on $q_{\mathsf {H}}$:

Theorem 1.3

(informal). Let $\mathcal {ID}$ be an identification protocol with special soundness for a relation $\mathcal {R} \subseteq \mathcal {X} \times \mathcal {W}$, and let $\mathcal {SIG}_{\mathcal {ID}, \mathsf {H}}$ be its corresponding signature schemes obtained via the Fiat-Shamir transform using the hash function $\mathsf {H}$. If $\mathcal {R}$ is d-moment hard and $\mathsf {H}$ is modeled as a random oracle, then any attacker that runs in time t and issues $q_{\mathsf {H}}$ random-oracle queries breaks the security of $\mathcal {SIG}_{\mathcal {ID}, \mathsf {H}}$ with probability at most $(q_{\mathsf {H}} \cdot t^d/|\mathcal {W}|)^{d/(2d-1)}$.

As above, our theorem yields the following corollary for the Schnorr and Okamoto signature schemes (Table 2 exemplifies our concrete improvement over the square-root bound for a few typical choices of parameters):

Corollary 1.4

(informal). Assuming that the discrete logarithm problem is 2-moment hard, then any attacker that runs in time t and issues $q_{\mathsf {H}}$ random-oracle queries breaks the security of the Schnorr and Okamoto signature schemes with probability at most $( q_{\mathsf {H}} \cdot t^2/p)^{2/3}$, where p is the order of the underlying group.

1.2 Paper Organization

The remainder of this paper is organized as follows. First, in Sect. 2 we present the basic notation and standard cryptographic primitives that are used throughout the paper. In Sect. 3 we formally define our d-moment assumption, and demonstrate that the existing variants of the forking lemma do not circumvent the square-root barrier when relying on our assumption. In Sects. 4 and 5 we present and prove our bounds on the security of identification and signature schemes, respectively, from which in Sect. 6 we derive concrete security bounds for the Schnorr and Okamoto identification and signature schemes.

Table 1. A comparison of the security guarantees for the Schnorr and Okamoto identification schemes provided by the square-root bound and by our bound.

Full size table

Table 2. A comparison of the security guarantees for the Schnorr Okamoto signature schemes provided by the square-root bound and by our bound.

Full size table

2 Preliminaries

In this section we present the basic notions and standard cryptographic primitives that are used in this work. For an integer $n \in \mathbb {N}$ we denote by [n] the set $\{1,\ldots , n\}$. For a distribution X we denote by $x \leftarrow X$ the process of sampling a value x from the distribution X. Similarly, for a set $\mathcal {X}$ we denote by $x \leftarrow \mathcal {X}$ the process of sampling a value x from the uniform distribution over $\mathcal {X}$.

$\boldsymbol{\varSigma }$-Protocols. Let $\mathcal {R} = \left\{ \mathcal {R}_\lambda \right\} _{\lambda \in \mathbb {N}}$ be a relation, where $\mathcal {R}_\lambda \subseteq \mathcal {X}_\lambda \times \mathcal {W}_\lambda $ for any $\lambda \in \mathbb {N}$, for sets $\mathcal {X} = \{ \mathcal {X}_\lambda \}_{\lambda \in \mathbb {N}}$ and $\mathcal {W} = \{ \mathcal {W}_\lambda \}_{\lambda \in \mathbb {N}}$. A $\varSigma $-protocol $\varPi $ for the relation $\mathcal {R}$ is a 4-tuple $(\mathsf {P}_1, \mathsf {P}_2, \mathsf {V}, \mathcal {C})$, where $\mathsf {P}_1$ is a probabilistic polynomial-time algorithm, $\mathsf {P}_2$ and $\mathsf {V}$ are deterministic polynomial-time algorithms, and $\mathcal {C}= \{ \mathcal {C}_{x} \}_{x \in \mathcal {X}}$ is an ensemble of efficiently sampleable sets. The protocol $\pi $ is defined as follows:

1.
The algorithm $\mathsf {P}_1$ on input (x, w), where $x \in \mathcal {X}_{\lambda }$ and $w \in \mathcal {W}_{\lambda }$, produces a message $\alpha $ and a state $\mathsf {st}$.
2.
A challenge $\beta $ is sampled uniformly at random from the challenge set $\mathcal {C}_{x}$.
3.
The algorithm $\mathsf {P}_2$ on input $(\mathsf {st}, \beta )$ produces a message $\gamma $.
4.
The algorithm $\mathsf {V}$ on input $( x,\alpha ,\beta ,\gamma )$ determines the output of the protocol by outputting either 0 or 1.

In terms of completeness, we ask that for every $\lambda \in \mathbb {N}$ and for every $(x,w)\in \mathcal {R}_\lambda $, it holds that $\mathsf {V}(x, \alpha , \beta , \mathsf {P}_2(\mathsf {st},\beta )) =1$ with an overwhelming probability over the choice of $(\alpha , \mathsf {st}) \leftarrow \mathsf {P}_1(x,w)$ and $\beta \leftarrow \mathcal {C}_{x}$. In terms of soundness, we consider the following standard special soundness property for $\varSigma $-protocols. Roughly, the property requires that given an instance $x\in \mathcal {X}$ and two accepting transcripts for x which share the same first message $\alpha $ but differ on their second message $\beta $, one can efficiently compute a witness $w\in \mathcal {W}$ such that $(x,w)\in \mathcal {R}$.

Definition 2.1

Let $\varPi = (\mathsf {P}_1, \mathsf {P}_2, \mathsf {V}, \mathcal {C})$ be a $\varSigma $-protocol for a relation $\mathcal {R} \subseteq \mathcal {X} \times \mathcal {W}$, and let $t=t(\lambda )$ be a function of the security parameter $\lambda \in \mathbb {N}$. Then, $\varPi $ has t-time special soundness if there exists a deterministic t-time algorithm $\mathsf {WitnessExt}$ for which to following holds: For every $\lambda \in \mathbb {N}$, for every instance $x \in \mathcal {X}_\lambda $, and for every $(\alpha , ( \beta , \gamma ), (\beta ', \gamma ') )$ such that $\mathsf {V}(x,\alpha , \beta , \gamma ) = \mathsf {V}(x,\alpha , \beta ', \gamma ') = 1$ and $\beta \ne \beta '$ it holds that $(x,\mathsf {WitnessExt}(x, \alpha , ( \beta , \gamma ), (\beta ', \gamma '))\in \mathcal {R}$.

Identification Schemes. An identification scheme consists of a $\varSigma $-protocol for a relation $\mathcal {R} \subseteq \mathcal {X} \times \mathcal {W}$ and of an algorithm $\mathsf {Gen}$ that produces a distribution over instances $x \in \mathcal {X}$ together with a corresponding witness $w \in \mathcal {W}$ such that $(x,w) \in \mathcal {R}$. We say that an identification protocol has t-time special soundness if its underlying $\varSigma $-protocol has t-time special soundness.

Additionally, we consider the standard notion of security against passive impersonation attacks, asking that a malicious prover on input an instance x produced by $\mathsf {Gen}$ should not be able to convince the verifier to accept even when given access to an oracle that produces honestly-generated transcripts for the instance x. In what follows, given an identification protocol, we let $\mathsf {Trans}_{x,w}$ denote an oracle that (when queried without any input) runs an honest execution of the protocol on input (x, w) and returns the resulting transcript $(\alpha , \beta , \gamma )$.

Definition 2.2

Let $t = t(\lambda )$ and $\epsilon = \epsilon (\lambda )$ be function of the security parameter $\lambda \in \mathbb {N}$. An identification scheme $\mathcal {ID}= (\mathsf {Gen}, \mathsf {P}_1, \mathsf {P}_2, \mathsf {V}, \mathcal {C})$ is $(t,\epsilon )$-secure against passive impersonation attacks if for any t-time probabilistic prover $\bar{\mathsf {P}} = (\bar{\mathsf {P}}_1, \bar{\mathsf {P}}_2)$ it holds that

$$\begin{aligned} \mathbf {Adv}^\mathsf{PA\text {-}IMP}_{\mathcal {ID},\bar{\mathsf {P}}}(\lambda ) {\mathop {=}\limits ^\mathsf{def}} \Pr \left[ \mathsf{PA\text {-}IMP}_{\mathcal {ID}, \bar{\mathsf {P}}}(\lambda ) = 1 \right] \le \epsilon (\lambda ) \end{aligned}$$

for all sufficiently large $\lambda \in \mathbb {N}$, where the experiment $ \mathsf{PA\text {-}IMP}_{\mathcal {ID}, \bar{\mathsf {P}}}(\lambda )$ is defined as follows:

1.
$(x, w) \leftarrow \mathsf {Gen}(1^\lambda )$.
2.
$(\alpha , \mathsf {st}) \leftarrow \bar{\mathsf {P}}_1^{\mathsf {Trans}_{x,w}}(1^\lambda , x)$.
3.
$\gamma \leftarrow \bar{\mathsf {P}}_2^{\mathsf {Trans}_{x,w}}(\mathsf {st}, \beta )$ for $\beta \leftarrow \mathcal {C}_x$.
4.
If $\mathsf {V}(x, \alpha , \beta , \gamma ) = 1$ then output 1 and otherwise output 0.

In this work we consider identification schemes that are simulatable: There exists an efficient algorithm that on input $x \in \mathcal {X}$, for $(x, w) \leftarrow \mathsf {Gen}(1^\lambda )$, samples a transcript $(\alpha , \beta , \gamma )$ from the distribution of honest executions of the protocol on input (x, w).

Definition 2.3

Let $t = t(\lambda )$ be function of the security parameter $\lambda \in \mathbb {N}$. An identification scheme $\mathcal {ID}= (\mathsf {Gen}, \mathsf {P}_1, \mathsf {P}_2, \mathsf {V}, \mathcal {C})$ is t-time simulatable if there exists a t-time algorithm $\mathsf {Sim}$ such that the distributions $\{ (x, (\alpha , \beta , \gamma ))\}_{\lambda \in \mathbb {N}}$ and $\{ (x, \mathsf {Sim}(1^{\lambda },x))\}_{\lambda \in \mathbb {N}}$ are identical, where $(x, w) \leftarrow \mathsf {Gen}(1^\lambda )$, $(\alpha , \mathsf {st}) \leftarrow \mathsf {P}_1(x,w)$, $\beta \leftarrow \mathcal {C}_x$ and $\gamma \leftarrow \mathsf {P}_2(\mathsf {st},\beta )$.

Note that for any simulatable identification scheme $\mathcal {ID}$ we can thus assume that malicious provers do not query the transcript-generation oracle $\mathsf {Trans}_{x,w}$ as such queries can be internally simulated given the instance x. Specifically, if $\mathcal {ID}$ is $t_{\mathsf {Sim}}$-time simulatable then any malicious prover $\bar{\mathsf {P}}$ that runs in time $t_{\bar{\mathsf {P}}}$ and issues $q_{\bar{\mathsf {P}}}$ queries to the transcript-generation oracle can be simulated by a malicious prover that runs in time $t_{\bar{\mathsf {P}}} + q_{\bar{\mathsf {P}}} \cdot t_{\mathsf {Sim}}$ and does not issue any queries. Such a malicious prover is in fact attacking the $\varSigma $-protocol underlying $\mathcal {ID}$ with respect to the distribution over instances that is determined by $\mathsf {Gen}$.

Finally, for considering the standard transformation of identification schemes to signature schemes via the Fiat-Shamir paradigm, we rely on the following notion of first-message unpredictability (originally referred to as “min-entropy of commitments” by Abdalla et al. [AAB+02]):

Definition 2.4

Let $\delta = \delta (\lambda )$ be function of the security parameter $\lambda \in \mathbb {N}$. An identification scheme $\mathcal {ID}= (\mathsf {Gen}, \mathsf {P}_1, \mathsf {P}_2, \mathsf {V}, \mathcal {C})$ is $\delta $-first-message unpredictable if for any $\lambda \in \mathbb {N}$, for any (x, w) produced by $\mathsf {Gen}(1^\lambda )$ and for any $\alpha ^*$ it holds that $\Pr \left[ \alpha = \alpha ^*\right] \le \delta (\lambda )$, where $(\alpha ,\mathsf {st}) \leftarrow \mathsf {P}_1(x,w)$.

Signature Schemes. A signature scheme is a tuple $\mathcal {SIG}= (\mathsf {KG}, \mathsf {Sign}, \mathsf {Verify})$ of algorithms defined as follows:

The algorithm $\mathsf {KG}$ is a probabilistic algorithm that receives as input the security parameter $\lambda \in \mathbb {N}$ and outputs a pair $(\mathsf {sk},\mathsf {vk})$ of a signing key and a verification key.
The algorithm $\mathsf {Sign}$ is a (possibly) probabilistic algorithm that receives as input a signing key $\mathsf {sk}$ and a message m and outputs a signature $\sigma $.
The algorithm $\mathsf {Verify}$ is a deterministic algorithm that receives as input a verification key $\mathsf {vk}$, a message m and a signature $\sigma $, and outputs a bit $b\in \{0,1\}$.

In terms of correctness, the standard requirement for signature schemes asks that

$$\begin{aligned} \Pr \left[ \mathsf {Verify}_{\mathsf {vk}}(m,\mathsf {Sign}_{\mathsf {sk}}(m)) = 1 \right] = 1 \end{aligned}$$

for every $\lambda \in \mathbb {N}$ and for every message m, where the probability is taken over the choice of $(\mathsf {sk}, \mathsf {vk})\leftarrow \mathsf {KG}(1^\lambda )$ and over the internal randomness of $\mathsf {Sign}$ and $\mathsf {Verify}$. In terms of security, we rely on the following standard notion of existential unforgeability under adaptive chosen-message attack (see, for example, [Gol04]) which naturally generalizes to the random-oracle model by providing all algorithm access to the oracle.

Definition 2.5

Let $t = t(\lambda )$ and $\epsilon = \epsilon (\lambda )$ be function of the security parameter $\lambda \in \mathbb {N}$. A signature scheme $\mathcal {SIG}= (\mathsf {KG}, \mathsf {Sign}, \mathsf {Verify})$ is $(t,\epsilon )$-existentially unforgeable under adaptive chosen-message attacks if for t-time probabilistic algorithm F it holds that

$$\begin{aligned} \mathbf {Adv}^\mathsf{Forge}_{\mathcal {SIG},F}(\lambda ) {\mathop {=}\limits ^\mathsf{def}} \Pr \left[ \mathsf{Forge}_{\mathcal {SIG}, F}(\lambda ) = 1 \right] \le \epsilon (\lambda ) \end{aligned}$$

for all sufficiently large $\lambda \in \mathbb {N}$, where the experiment $ \mathsf{Forge}_{\mathcal {SIG},F}(\lambda )$ is defined as follows:

1.
$(\mathsf {sk}, \mathsf {vk}) \leftarrow \mathsf {KG}(1^\lambda )$.
2.
$(m^*, \sigma ^*) \leftarrow F^{\mathsf {Sign}_{\mathsf {sk}}(\cdot )}(1^\lambda , \mathsf {vk})$. Let $\mathcal {Q}$ denote the set of all messages with which F queried its oracle.
3.
If $\mathsf {Verify}_{\mathsf {vk}}(m^*,\sigma ^*) = 1$ and $m^* \not \in \mathcal {Q}$ then output 1, and otherwise output 0.

3 Our Assumption: d-Moment Hardness

In this section we first formally define the computational assumption on which our approach is based. Then, we demonstrate that the existing approaches for proving the security of identification schemes and signature schemes that are based on $\varSigma $-protocols with special soundness do not yield improved results when relying on our assumption.

The Assumption. In what follows, we consider relations $\mathcal {R} = \left\{ \mathcal {R}_\lambda \right\} _{\lambda \in \mathbb {N}}$, where $\mathcal {R}_\lambda \subseteq \mathcal {X}_\lambda \times \mathcal {W}_\lambda $ for any $\lambda \in \mathbb {N}$, and distributions $\mathcal {D}= \left\{ \mathcal {D}_\lambda \right\} _{\lambda \in \mathbb {N}}$ where each $\mathcal {D}_{\lambda }$ produces pairs $(x,w) \in \mathcal {R}_{\lambda }$. For any such distribution $\mathcal {D}$ and for any probabilistic algorithm A, we denote by $\mathsf {T}_{A,\mathcal {D}_{\lambda }}$ the random variable corresponding to the running time of A on input x where $(x,w) \leftarrow \mathcal {D}_{\lambda }$.

Definition 3.1

Let $d = d(\lambda )$, $\varDelta = \varDelta (\lambda )$ and $\omega = \omega (\lambda )$ be functions of the security parameter $\lambda \in \mathbb {N}$, and let $\mathcal {R} = \left\{ \mathcal {R}_\lambda \right\} _{\lambda \in \mathbb {N}}$ be a relation, where $\mathcal {R}_\lambda \subseteq \mathcal {X}_\lambda \times \mathcal {W}_\lambda $ for any $\lambda \in \mathbb {N}$. We say that $\mathcal {R}$ is d-moment $(\varDelta ,\omega )$-hard with respect to a distribution $\mathcal {D}= \left\{ \mathcal {D}_\lambda \right\} _{\lambda \in \mathbb {N}}$ if for every algorithm A it holds that

$$\begin{aligned} \Pr \left[ \left( x, A(x) \right) \in \mathcal {R}_{\lambda } \right] \le \frac{\varDelta \cdot \mathbb {E} \left[ (\mathsf {T}_{A, \mathcal {D}_{\lambda }})^d \right] }{\left| \mathcal {W}_\lambda \right| ^\omega }, \end{aligned}$$

for all sufficiently large $\lambda \in \mathbb {N}$, where the probability is taken over the choice of $(x,w) \leftarrow \mathcal {D}_\lambda $ and over the internal randomness of A.

When $\varDelta (\lambda ) = 1$ and $\omega (\lambda ) = 1$ for all $\lambda \in \mathbb {N}$, we will simply say that the relation $\mathcal {R}$ is d-moment hard. As discussed in Sect. 1.1, in the specific context of the discrete logarithm problem the relation $\mathcal {R}$ consists of all pairs $((\mathbb {G},p,g,h),w)$ for which $h=g^w$, and the distribution $\mathcal {D}$ consists of a group-generation algorithm that produces the description $(\mathbb {G},p,g)$ of the group, together with a uniformly-distributed group element h. Given that the discrete logarithm problem is 2-moment hard in the generic-group model [Sho97, JT20], the assumption that the discrete logarithm problem is 2-moment hard (in the standard model) can be viewed as identifying the core essence of the problem’s generic hardness in the form of a standard-model assumption.

Existing Approaches. Extensive research has been devoted over the years for analyzing the security of identification schemes and signature schemes that are based on $\varSigma $-protocols with special soundness. For concreteness, we focus in this discussion on identification schemes as they already capture the main difficulties (the reader is referred to Sect. 5 for a discussion on transforming such schemes into signature schemes via the Fiat-Shamir paradigm [FS86]).

Given an identification scheme that is based on a $\varSigma $-protocol for a relation $\mathcal {R}$, the security of the scheme is proved by showing that any malicious prover $\bar{\mathsf {P}}$ can be transformed into an algorithm A that takes as input an instance $x \in \mathcal {X}$ and produces two accepting transcripts $(\alpha , \beta , \gamma )$ and $(\alpha ,\beta ',\gamma ')$ with $\beta ' \ne \beta $. The special soundness of the $\varSigma $-protocol guarantees that these two transcripts can then be used to retrieve a witness $w \in \mathcal {W}$ such that $(x,w) \in \mathcal {R}$. To the best of our knowledge, all known approaches for the construction of such an algorithm A are based on the following fundamental idea: The algorithm A uses the malicious prover $\bar{\mathsf {P}}$ to obtain an accepting transcript $(\alpha , \beta , \gamma )$, and then rewinds it to the same first message $\alpha $ and feeds it with fresh challenges $\beta '$ with the hope of obtaining an additional accepting transcript $(\alpha ,\beta ',\gamma ')$ with $\beta ' \ne \beta $.

This fundamental idea traces back to the classic “forking lemma” of Pointcheval and Stern [PS00], later generalized and refined by Bellare and Neven [BN06], and by Kiltz, Masny and Pan [KMP16]. The difference between the existing approaches is reflected by the different trade-offs between the success probability of the algorithm A and its running time.

Given a malicious prover $\bar{\mathsf {P}}$ that runs in time t and breaks the security of the identification scheme with probability $\epsilon $, then on one end of the spectrum $\bar{\mathsf {P}}$ is invoked roughly $1/\epsilon $ times, leading to an algorithm A with constant success probability and running time $t/\epsilon $ [KMP16]. On the other end of the spectrum, $\bar{\mathsf {P}}$ is invoked only twice, leading to an algorithm A with success probability roughly $\epsilon ^2$ and running time 2t [BN06]. When the relation $\mathcal {R}$ corresponds to the discrete logarithm problem in a group of order p where Shoup’s generic hardness result is believed to hold, in both cases one obtains the bound $\epsilon \le (t^2/p)^{1/2}$ (which is inferior to our bound $\epsilon \le (t^2/p)^{2/3}$). More generally, if the discrete logarithm problem is d-moment $(\varDelta ,\omega )$-hard for some $d \ge 2$, $\varDelta \ge 1$ and $\omega \le 1$, one obtains the bound $\epsilon \le (\varDelta \cdot t^d/p^\omega )^{1/d}$ in the first case and the bound $\epsilon \le (\varDelta \cdot t^d/p^\omega )^{1/2}$ in the second case (both of which are inferior to our bound $\epsilon \le (\varDelta \cdot t^d/p^\omega )^{d/(2d-1)}$).

An approach that is closer to ours is to optimize the trade-off between the success probability of the algorithm A and its expected running time [PS00, BCC+16, JT20]. In their recent work, Jaeger and Tessaro [JT20] showed that in the generic-group model any algorithm A with an expected running time $\mathbb {E}[\mathsf {T}]$ computes the discrete logarithm of a random group element with probability at most $(\mathbb {E}[\mathsf {T}]^2/p)^{1/2}$ (omitting small constants for simplicity), and this can be used for establishing concrete bounds for algorithms that do not have a strict running time.^{Footnote 4}

In this setting, given a malicious prover $\bar{\mathsf {P}}$ that runs in time t and breaks the security of the identification scheme with probability $\epsilon $, Bootle et al. [BCC+16] suggested the following algorithm A: It invokes $\bar{\mathsf {P}}$ once, and only if successful then it repeatedly rewinds A to the same first message and feeds it with a fresh challenge until it succeeds again.^{Footnote 5} A simple argument shows that A’s success probability is roughly $\epsilon $, and its expected running time is t. A similar algorithm A suggested by Pointcheval and Stern [PS00] has constant success probability and expected running time $t/\epsilon $. In both cases, using the work of Jaeger and Tessaro one again obtains the bound $\epsilon \le (t^2/p)^{1/2}$ as above (which is inferior to our bound $\epsilon \le (t^2/p)^{2/3}$).^{Footnote 6}

4 Tighter Security for $\varSigma $-Protocols and Identification Schemes

In this section we introduce our high-moment forking lemma for establishing tighter security guarantee for $\varSigma $-protocols and identification schemes. We first focus on our result for $\varSigma $-protocols, and then extend it to identification schemes.

Given a $\varSigma $-protocol for a relation $\mathcal {R}$, we follow the approach underlying the forking lemma [PS00], and show that any malicious prover $\bar{\mathsf {P}}$ can be transformed into an algorithm A that takes as input an instance $x \in \mathcal {X}$ and produces (with a certain probability) two accepting transcripts $(\alpha , \beta , \gamma )$ and $(\alpha ,\beta ',\gamma ')$ for x such that $\beta ' \ne \beta $. Assuming that $\varPi $ has special soundness, these two transcripts can then be used to retrieve a witness $w \in \mathcal {W}$ such that $(x,w) \in \mathcal {R}$.

However, unlike existing variants of the forking lemma, we design our algorithm A with the goal of optimizing the trade-off between its success probability and the dth moment of its running time. Assuming that $\mathcal {R}$ is a d-moment $(\varDelta ,\omega )$-hard relation (recall Definition 3.1), this trade-off leads to an upper bound on the success probability of the malicious prover $\bar{\mathsf {P}}$.

At a high level, given a malicious prover that runs in time t and convinces the verifier with probability $\epsilon $, the description of our algorithm A is quite intuitive. First, it invokes the malicious prover to obtain a transcript $(\alpha , \beta , \gamma )$ of the protocol. Then, if this transcript is accepted by the verifier, it rewinds the malicious prover $B \approx 1/\epsilon ^{1/d}$ times, providing it with randomly sampled challenges $\beta _1, \ldots , \beta _B$ and obtaining respective responses $\gamma _1, \ldots , \gamma _B$. If any one of these additional transcripts $(\alpha , \beta _i, \gamma _i)$ is accepted by the verifier and $\beta _i \ne \beta '$, then the algorithm A successfully retrieves a witness.

Ignoring various approximations and other technical challenges, we prove that the algorithm A has success probability roughly $B \cdot \epsilon ^2 \approx \epsilon ^{2 - 1/d}$, and the d-th moment of its running time is at most $\epsilon \cdot t^d/B^d \approx T^d$. Thus, assuming that $\mathcal {R}$ is a d-moment $(\varDelta ,\omega )$-hard relation leads to the bound $\epsilon \le (\varDelta \cdot t^d/|\mathcal {W}|^\omega )^{d/(2d-1)}$ on the probability of a t-time malicious prover to convince the verifier. This should be compared with the approaches discussed in Sect. 3, leading roughly either to success probability $\epsilon ^2$ and dth moment $t^d$, or to success probability $\epsilon $ and dth moment at least $t^d/\epsilon ^{d-1}$, or to constant success probability and dth moment at least $t^d/\epsilon ^d$ – all of which lead to inferior bounds. Formally, we prove the following theorem:

Theorem 4.1

Let $d = d(\lambda )$, $\varDelta = \varDelta (\lambda )$, $\omega = \omega (\lambda )$, $t_\mathsf{W} = t_\mathsf{W}(\lambda )$ and $t_{\bar{\mathsf {P}}} = t_{\bar{\mathsf {P}}}(\lambda )$ be functions of the security parameter $\lambda \in \mathbb {N}$, and let $\varPi = (\mathsf {P}_1, \mathsf {P}_2, \mathsf {V}, \mathcal {C})$ be a $\varSigma $-protocol with $t_\mathsf{W}$-time special soundness for a relation $\mathcal {R} \subseteq \mathcal {X} \times \mathcal {W}$. If $\mathcal {R}$ is d-moment $(\varDelta ,\omega )$-hard with respect to a distribution $\mathcal {D}$ then for any malicious prover $\bar{\mathsf {P}}$ that runs in time $t_{\bar{\mathsf {P}}}$ it holds that

$$\begin{aligned} \Pr \left[ \mathsf {V}(x,\alpha ,\beta , \gamma ) = 1 \right] \le \left( \frac{\varDelta \cdot \left( 16 (t_{\bar{\mathsf {P}}} + t_\mathsf {V}+ t_\mathsf{W}) \right) ^d }{\left| \mathcal {W}_\lambda \right| ^\omega } \right) ^{\frac{d}{2d - 1}} + \frac{2}{|\mathcal {C}_{\lambda }|} , \end{aligned}$$

for all sufficiently large $\lambda \in \mathbb {N}$, where the probability is taken over $(x,w)\leftarrow \mathcal {D}_\lambda $, $(\alpha ,\mathsf {st}) \leftarrow \bar{\mathsf {P}}_1(x)$, $\beta \leftarrow \mathcal {C}_{x}$ and $\gamma \leftarrow \bar{\mathsf {P}}_2(\mathsf {st},\beta )$, and where $t_{\mathsf {V}} = t_{\mathsf {V}}(\lambda )$ denotes the running time of the algorithm $\mathsf {V}$, $|\mathcal {C}_{\lambda }|$ denotes the size of the challenge set $\mathcal {C}_x$ for any $x \in \mathcal {X}_{\lambda }$.

Recall that the notion of security against passive impersonations attacks for an identification scheme $\mathcal {ID}= (\mathsf {Gen}, \mathsf {P}_1, \mathsf {P}_2, \mathsf {V}, \mathcal {C})$ is obtained from the experiment considered in Theorem 4.1 for its underlying $\varSigma $-protocol, by additionally providing the malicious prover with access to a transcript-generation oracle (recall Definition 2.2). As discussed in Sect. 2, if $\mathcal {ID}$ is $t_{\mathsf {Sim}}$-time simulatable (recall Definition 2.3), then any malicious prover $\bar{\mathsf {P}}$ that runs in time $t_{\bar{\mathsf {P}}}$ and issues $q_{\bar{\mathsf {P}}}$ queries to the transcript-generation oracle can be simulated by a malicious prover that runs in time $t_{\bar{\mathsf {P}}} + q_{\bar{\mathsf {P}}} \cdot t_{\mathsf {Sim}}$ and does not issue any queries. Thus, Theorem 4.1 immediately yields the following corollary:

Corollary 4.2

Let $d = d(\lambda )$, $\varDelta = \varDelta (\lambda )$, $\omega = \omega (\lambda )$, $t_{\mathsf {Sim}} = t_{\mathsf {Sim}}(\lambda )$, $t_\mathsf{W} = t_\mathsf{W}(\lambda )$, $t_{\bar{\mathsf {P}}} = t_{\bar{\mathsf {P}}}(\lambda )$ and $q_{\bar{\mathsf {P}}} = q_{\bar{\mathsf {P}}}(\lambda )$ be functions of the security parameter $\lambda \in \mathbb {N}$, and let $\mathcal {ID}= (\mathsf {Gen}, \mathsf {P}_1, \mathsf {P}_2, \mathsf {V}, \mathcal {C})$ be a $t_{\mathsf {Sim}}$-time simulatable identification protocol with $t_\mathsf{W}$-time special soundness for a relation $\mathcal {R} \subseteq \mathcal {X} \times \mathcal {W}$. If $\mathcal {R}$ is d-moment $(\varDelta ,\omega )$-hard with respect to $\mathsf {Gen}$, then for any malicious prover $\bar{\mathsf {P}}$ that runs in time $t_{\bar{\mathsf {P}}}$ and issues $q_{\bar{\mathsf {P}}}$ transcript-generation queries it holds that

$$\begin{aligned} \mathbf {Adv}^\mathsf{PA\text {-}IMP}_{\mathcal {ID},\bar{\mathsf {P}}}(\lambda ) \le \left( \frac{\varDelta \cdot \left( 16(t_{\bar{\mathsf {P}}} + q_{\bar{\mathsf {P}}} \cdot t_{\mathsf {Sim}} + t_\mathsf {V}+ t_\mathsf{W}) \right) ^d }{\left| \mathcal {W}_\lambda \right| ^\omega } \right) ^{\frac{d}{2d - 1}} + \frac{2}{|\mathcal {C}_{\lambda }|} , \end{aligned}$$

for all sufficiently large $\lambda \in \mathbb {N}$, where $t_{\mathsf {V}} = t_{\mathsf {V}}(\lambda )$ denotes the running time of the algorithm $\mathsf {V}$, and $|\mathcal {C}_{\lambda }|$ denotes the size of the challenge set $\mathcal {C}_x$ for any $x \in \mathcal {X}_{\lambda }$.

In the remainder of this section we prove Theorem 4.1.

Proof of

Theorem 4.1. Let $\bar{\mathsf {P}} = (\bar{\mathsf {P}}_1,\bar{\mathsf {P}}_2)$, and for any $\lambda \in \mathbb {N}$ let $\epsilon = \epsilon (\lambda ) = \Pr \left[ \mathsf {V}(x,\alpha ,\beta , \gamma ) = 1 \right] $, where $(x,w) \leftarrow \mathcal {D}_\lambda $, $(\alpha ,\mathsf {st}) \leftarrow \bar{\mathsf {P}}_1(x)$, $\beta \leftarrow \mathcal {C}_{x}$ and $\gamma = \bar{\mathsf {P}}_2(\mathsf {st},\beta )$ (without loss of generality we assume that $\bar{\mathsf {P}}_2$ is deterministic given $\mathsf {st}$). Let $B = \lceil 1/\epsilon ^{1/d} - 1 \rceil $, and consider the following algorithm A:

The following lemma establishes a lower bound on the success probability of the algorithm A:

Lemma 4.3

For any $\lambda \in \mathbb {N}$ it holds that either $\Pr \left[ (x, A(x)) \in \mathcal {R} \right] \ge B \cdot \epsilon ^2 /8$ or $\epsilon < 2/|\mathcal {C}_{\lambda }|$.

Proof of

Lemma 4.3. Whenever the algorithm A reaches Step 3 the witness extraction algorithm $\mathsf {WitnessExt}$ guarantees that $(x, A(x)) \in \mathcal {R}$. Therefore,

$$\begin{aligned}&\Pr \left[ (x, A(x)) \in \mathcal {R} \right] \\&\quad = \Pr \left[ \mathsf {V}(x, \alpha , \beta _0, \gamma _0) = 1 \ \wedge \ \left( \bigvee _{j=1}^{B} \left\{ \genfrac{}{}{0.0pt}{}{\mathsf {V}(x, \alpha , \beta _{j}, \gamma _{j}) = 1}{\wedge \ \beta _{j} \ne \beta _0} \right\} \right) \right] \\&\quad = \sum _{\mathsf {st}} \left( \Pr \left[ \mathsf {st}\right] \cdot \Pr \left[ \mathsf {V}(x, \alpha , \beta _0, \gamma _0) = 1 \ \wedge \ \left( \bigvee _{j=1}^{B} \left\{ \genfrac{}{}{0.0pt}{}{\mathsf {V}(x, \alpha , \beta _{j}, \gamma _{j}) = 1}{\wedge \ \beta _{j} \ne \beta _0} \right\} \right) \right] \right) \end{aligned}$$

where $(x,w) \leftarrow \mathcal {D}_\lambda $, $(\alpha , \mathsf{st}) \leftarrow \bar{\mathsf {P}}_1(x)$, $\beta _0, \ldots , \beta _B \leftarrow \mathcal {C}_{x}$ and $\gamma _{j} = \bar{\mathsf {P}}_2(\mathsf{st}, \beta _{j})$ for every $j \in \{0, \ldots , B \}$; and we assume without loss of generality that for any $\lambda \in \mathbb {N}$, $x \in \mathcal {X}_{\lambda }$ and for any $(\alpha , \mathsf {st})$ produced by $\mathsf{P}^*_1(x)$ it holds that the state $\mathsf {st}$ consists of $\lambda $, x and $\alpha $ (in addition to any other information determined by $\mathsf{P}^*_1$). In what follows, for every state $\mathsf {st}$, let $\beta ^*_{\mathsf {st}}$ denote the lexicographically first $\beta \in \mathcal {C}_{x}$ for which $\mathsf {V}(x,\alpha , \beta , \bar{\mathsf {P}}_2(\mathsf {st},\beta )) = 1$. If no such $\beta $ exists, let $\beta ^*_{\mathsf {st}} = \bot $. It thus holds that

$$\begin{aligned}&\Pr \left[ (x, A(x)) \in \mathcal {R} \right] \\&\quad = \sum _{\mathsf {st}} \left( \Pr \left[ \mathsf {st}\right] \cdot \Pr \left[ \mathsf {V}(x, \alpha , \beta _0, \gamma _0) = 1 \ \wedge \ \left( \bigvee _{j=1}^{B} \left\{ \genfrac{}{}{0.0pt}{}{\mathsf {V}(x, \alpha , \beta _{j}, \gamma _{j}) = 1}{\wedge \ \beta _{j} \ne \beta ^*_{\mathsf {st}}} \right\} \right) \right] \right) \end{aligned}$$

where for every state $\mathsf {st}$, the probability is taken only over the choice of $\beta _0,\ldots , \beta _B \leftarrow \mathcal {C}_{x}$. Then, for every fixed state $\mathsf {st}$, the events $ \mathsf {V}(x, \alpha , \beta _0, \gamma _0) = 1$ and $\{ \mathsf {V}(x, \alpha , \beta _{j}, \gamma _{j}) = 1 \wedge \beta _{j} \ne \beta ^*_{\mathsf {st}} \}_{j}$ are independent, and therefore

$$\begin{aligned}&\Pr \left[ \bigvee _{j=1}^{B} \left\{ \genfrac{}{}{0.0pt}{}{\mathsf {V}(x, \alpha , \beta _{j}, \gamma _{j}) = 1}{\wedge \ \beta _{j} \ne \beta ^*_{\mathsf {st}} } \right\} \right] \\&\qquad \qquad = 1- \Pr \left[ \bigwedge _{j=1}^{B} \left\{ \genfrac{}{}{0.0pt}{}{\mathsf {V}(x, \alpha , \beta _{j}, \gamma _{j}) = 0}{\vee \ \beta _{j} =\beta ^*_{\mathsf {st}} } \right\} \right] \\&\qquad \qquad = 1- \prod _{j=1}^{B} \Pr \left[ \genfrac{}{}{0.0pt}{}{\mathsf {V}(x, \alpha , \beta _{j}, \gamma _{j}) = 0}{\vee \ \beta _{j} =\beta ^*_{\mathsf {st}} } \right] \\&\qquad \qquad \ge 1- \prod _{j=1}^{B} \min \Bigl \{ 1, \Pr \left[ \mathsf {V}(x, \alpha , \beta _{j}, \gamma _{j}) = 0 \right] + \Pr \left[ \beta _{j} = \beta ^*_{\mathsf {st}} \right] \Bigr \} \\&\qquad \qquad \ge 1- \left( 1- \max \left\{ 0, \epsilon (\mathsf {st}) - \frac{1}{|\mathcal {C}_{\lambda }|} \right\} \right) ^{B}, \end{aligned}$$

where $\epsilon (\mathsf {st}) = \Pr _{\beta } \left[ \mathsf {V}(x, \alpha , \beta , \bar{\mathsf {P}}_2(\mathsf{st}, \beta )) = 1 \right] $ for each $\mathsf {st}$. Denoting

$$\begin{aligned} \widetilde{\epsilon }(\mathsf {st}) = \max \left\{ 0, \epsilon (\mathsf {st}) - 1/|\mathcal {C}_{\lambda }| \right\} \end{aligned}$$

for every $\mathsf {st}$, we obtain

$$\begin{aligned} \Pr \left[ (x, A(x)) \in \mathcal {R} \right]\ge & {} \sum _{\mathsf {st}} \left( \Pr \left[ \mathsf {st}\right] \cdot \epsilon (\mathsf {st}) \cdot \left( 1- \left( 1- \widetilde{\epsilon }(\mathsf {st}) \right) ^{B} \right) \right) \\= & {} \mathbb {E}_{\mathsf {st}} \left[ \widetilde{\epsilon }(\mathsf {st}) \cdot \left( 1- \left( 1- \widetilde{\epsilon }(\mathsf {st}) \right) ^{B} \right) \right] .\\ \end{aligned}$$

The following claim (which is proved in the full version of the paper) provides a lower bound on the above term $\mathbb {E}_{\mathsf {st}} \left[ \widetilde{\epsilon }(\mathsf {st}) \cdot \left( 1- \left( 1- \widetilde{\epsilon }(\mathsf {st}) \right) ^{B} \right) \right] $. Note that this term is the expectation of a non-convex function of $\widetilde{\epsilon }(\mathsf {st})$ over the interval [0, 1], and therefore such a lower bound is not directly implied by Jensen’s inequality.

Claim 4.4

It holds that $\mathbb {E}_{\mathsf {st}} \left[ \widetilde{\epsilon }(\mathsf {st}) \cdot \left( 1- \left( 1- \widetilde{\epsilon }(\mathsf {st}) \right) ^{B} \right) \right] \ge \frac{1}{2}\cdot B \cdot \left( \epsilon - \frac{1}{|\mathcal {C}_{\lambda }|} \right) ^2$.

Given Claim 4.4, it holds that either $\epsilon < 2/|\mathcal {C}_{\lambda }|$ or $\Pr \left[ (x, A(x)) \in \mathcal {R} \right] \ge \frac{1}{2}\cdot B \cdot (\epsilon /2)^2$, and this concludes the proof of Lemma 4.3. $\blacksquare $

The following lemma establishes an upper bound on the dth moment of the running time of the algorithm A (recall that $\mathsf {T}_{A,\mathcal {D}_{\lambda }}$ denotes the random variable corresponding to the running time of A on input x where $(x,w) \leftarrow \mathcal {D}_{\lambda }$):

Lemma 4.5

For any $\lambda \in \mathbb {N}$ it holds that

$$\begin{aligned} \mathbb {E} \left[ (\mathsf {T}_{A,\mathcal {D}_{\lambda }})^d \right] \le 2 (1+B)^d \cdot \left( t_{\bar{\mathsf {P}}} + t_\mathsf {V}+ t_\mathsf{W} \right) ^d \cdot \epsilon . \end{aligned}$$

Proof of

Lemma 4.5. The description of A yields that with probability $1- \epsilon $ it runs in time at most $t_{\bar{\mathsf {P}}} + t_\mathsf {V}$, and with probability $\epsilon $ it runs in time at most $(1+B) \cdot \left( t_{\bar{\mathsf {P}}} + t_\mathsf {V}\right) + t_\mathsf{W}$ (for simplicity we assume that the time required for sampling a uniform $\beta \in \mathcal {C}_x$ is subsumed by $t_{\bar{\mathsf {P}}} + t_\mathsf {V}$). Therefore,

$$\begin{aligned} \mathbb {E} \left[ (\mathsf {T}_{A,\mathcal {D}_{\lambda }})^d \right]\le & {} \left( t_{\bar{\mathsf {P}}} + t_\mathsf {V}\right) ^d \cdot \left( 1 - \epsilon \right) + \left( (1+B) \cdot \left( t_{\bar{\mathsf {P}}} + t_\mathsf {V}+ t_\mathsf{W} \right) \right) ^d \cdot \epsilon \nonumber \\\le & {} \left( t_{\bar{\mathsf {P}}} + t_\mathsf {V}\right) ^d + \left( (1+B) \cdot \left( t_{\bar{\mathsf {P}}} + t_\mathsf {V}+ t_\mathsf{W} \right) \right) ^d \cdot \epsilon \nonumber \\\le & {} 2 (1+B)^d \cdot \left( t_{\bar{\mathsf {P}}} + t_\mathsf {V}+ t_\mathsf{W} \right) ^d \cdot \epsilon . \end{aligned}$$

(1)

where Eq. (1) follows from the fact that $B \ge 1/\epsilon ^{1/d} - 1$ (and thus $1 \le (1+B)^d \cdot \epsilon $).

$\blacksquare $

Equipped with Lemmas 4.3 and 4.5, the assumption that $\mathcal {R}$ is a d-moment $(\varDelta ,\omega )$-hard relation with respect to the distribution $\mathcal {D}$ implies that either $\epsilon < 2/|\mathcal {C}_{\lambda }|$ or

$$\begin{aligned} \frac{B \cdot \epsilon ^2 }{8}\le & {} \Pr \left[ \left( x, \mathsf{A}(x) \right) \in \mathcal {R} \right] \\\le & {} \frac{\varDelta \cdot \mathbb {E} \left[ (\mathsf {T}_{A,\mathcal {D}_{\lambda }})^d \right] }{\left| \mathcal {W}_\lambda \right| ^\omega } \\\le & {} \frac{\varDelta \cdot 2 (1+B)^d \cdot \left( t_{\bar{\mathsf {P}}} + t_\mathsf {V}+ t_\mathsf{W} \right) ^d \cdot \epsilon }{\left| \mathcal {W}_\lambda \right| ^\omega } \\\le & {} \frac{\varDelta \cdot 2^{d+1} B^d \cdot \left( t_{\bar{\mathsf {P}}} + t_\mathsf {V}+ t_\mathsf{W} \right) ^d \cdot \epsilon }{\left| \mathcal {W}_\lambda \right| ^\omega } \\\le & {} \frac{\varDelta \cdot B^d \cdot \left( 2(t_{\bar{\mathsf {P}}} + t_\mathsf {V}+ t_\mathsf{W}) \right) ^d \cdot \epsilon }{\left| \mathcal {W}_\lambda \right| ^\omega } \end{aligned}$$

Our choice of $B = \lceil 1/\epsilon ^{1/d} - 1 \rceil $ guarantees that $B^{d-1} \le \epsilon ^{1 - 1/d}$, and therefore

$$\begin{aligned} \epsilon ^{2 - \frac{1}{d}} \le \frac{ \epsilon }{B^{d-1}} \le \frac{\varDelta \cdot 8 \cdot \left( 2(t_{\bar{\mathsf {P}}} + t_\mathsf {V}+ t_\mathsf{W}) \right) ^d }{\left| \mathcal {W}_\lambda \right| ^\omega } \end{aligned}$$

leading to

$$\begin{aligned} \epsilon \le \left( \frac{\varDelta \cdot 8 \cdot \left( 2(t_{\bar{\mathsf {P}}} + t_\mathsf {V}+ t_\mathsf{W}) \right) ^d }{\left| \mathcal {W}_\lambda \right| ^\omega } \right) ^{\frac{d}{2d - 1}} . \end{aligned}$$

Therefore, overall we obtain

$$\begin{aligned} \epsilon\le & {} \max \left\{ \left( \frac{\varDelta \cdot 8 \cdot \left( 2(t_{\bar{\mathsf {P}}} + t_\mathsf {V}+ t_\mathsf{W}) \right) ^d }{\left| \mathcal {W}_\lambda \right| ^\omega } \right) ^{\frac{d}{2d - 1}} , \frac{2}{|\mathcal {C}_{\lambda }|} \right\} \\\le & {} \left( \frac{\varDelta \cdot \left( 16(t_{\bar{\mathsf {P}}} + t_\mathsf {V}+ t_\mathsf{W}) \right) ^d }{\left| \mathcal {W}_\lambda \right| ^\omega } \right) ^{\frac{d}{2d - 1}} + \frac{2}{|\mathcal {C}_{\lambda }|}. \end{aligned}$$

$\blacksquare $

5 Tighter Security for Signature Schemes

In this section we show that our approach extends to establishing tighter security guarantees for signature schemes that are obtained from identification schemes via the Fiat-Shamir paradigm [FS86]. The generic analysis of the Fiat-Shamir transform in this context [AAB+02] shows that if any malicious prover that runs in time t breaks the security of the identification scheme with probability at most $\epsilon $, then any malicious forger that runs in time roughly t and issues $q_{\mathsf {H}}$ random-oracle queries breaks the security of the signature scheme with probability at most roughly $q_{\mathsf {H}} \cdot \epsilon $. Therefore, given our result from Sect. 4, if the relation $\mathcal {R} \subseteq \mathcal {X} \times \mathcal {W}$ underlying the identification scheme is a d-moment $(\varDelta ,\omega )$-hard relation, then any such forger breaks the security of the signature scheme with probability at most roughly $q_{\mathsf {H}} \cdot (\varDelta \cdot t^d/|\mathcal {W}|^\omega )^{d/(2d-1)}$.

Here, we show that the latter bound can be further improved by applying our proof technique directly, showing that any forger as above breaks the security of the signature scheme with probability at most roughly $ (q_{\mathsf {H}} \cdot \varDelta \cdot t^d/|\mathcal {W}|^\omega )^{d/(2d-1)}$. Note that some dependency on $q_\mathsf {H}$ seems to be unavoidable, at least for a very large class of reductions which includes in particular all reductions based on the underlying paradigm of the forking lemma [PV05, GBL08, Seu12, FJS14]. In what follows, we first recall the standard transformation from identification schemes to signature schemes via the Fiat-Shamir paradigm [FS86, AAB+02], and then state and prove our result.

Let $\mathcal {ID}= (\mathsf {Gen}, \mathsf {P}_1, \mathsf {P}_2, \mathsf {V}, \mathcal {C})$ be an identification scheme for a relation $\mathcal {R} \subseteq \mathcal {X} \times \mathcal {W}$, and let $\mathsf {H}$ be a hash function mapping triplets of the form $(x, m,\alpha )$ to challenges in $\mathcal {C}_x$. The Fiat-Shamir paradigm then defines the following signature scheme $\mathcal {SIG}_{\mathcal {ID}, \mathsf {H}} = (\mathsf {KG}, \mathsf {Sign}, \mathsf {Verify})$:

$\mathsf {KG}(1^\lambda )$ samples $(x,w) \leftarrow \mathsf {Gen}(1^\lambda )$ and outputs $\mathsf {sk}= (x,w)$ and $\mathsf {vk}= x$.
$\mathsf {Sign}(\mathsf {sk},m)$ parses $\mathsf {sk}= (x,w)$ and outputs $\sigma = (\alpha , \beta , \gamma )$, where $(\alpha ,\mathsf {st}) \leftarrow \mathsf {P}_1(x,w)$, $\beta = \mathsf {H}(\mathsf {vk}, m, \alpha )$ and $\gamma \leftarrow \mathsf {P}_2(\mathsf {st}, \beta )$.
$\mathsf {Verify}(\mathsf {vk},m,\sigma )$ parses $\sigma = (\alpha , \beta , \gamma )$, and outputs 1 if and only $\mathsf {V}(\mathsf {vk}, \alpha , \beta , \gamma ) = 1$ and $\beta = \mathsf {H}(\mathsf {vk},m,\alpha )$.

Note that the value $\beta $ in fact does not have to be included in the signature $\sigma = (\alpha , \beta , \gamma )$ as it can be computed given $\mathsf {vk}$, m and $\alpha $. Alternatively, in some identification protocols, for any x, $\beta $ and $\gamma $ there is a unique and efficiently computable $\alpha $ for which $\mathsf {V}(x, \alpha , \beta ,\gamma ) = 1$, and in such cases the value $\alpha $ does not have to be included in the signature $\sigma = (\alpha , \beta , \gamma )$.

We prove the following theorem (the reader is referred to Sect. 2 for the standard notions of $t_{\mathsf {Sim}}$-time simulatability, $t_\mathsf{W}$-time special soundness, and $\delta $-first-message unpredictability for identification protocols):

Theorem 5.1

Let $d = d(\lambda )$, $\varDelta = \varDelta (\lambda )$, $\omega = \omega (\lambda )$, $t_{\mathsf {Sim}} = t_{\mathsf {Sim}}(\lambda )$, $t_\mathsf{W} = t_\mathsf{W}(\lambda )$, $\delta = \delta (\lambda )$, $t_{F} = t_{F}(\lambda )$, $q_{\mathsf {H}} = q_{\mathsf {H}}(\lambda )$ and $q_{\mathsf {Sign}} = q_{\mathsf {Sign}}(\lambda )$ be functions of the security parameter $\lambda \in \mathbb {N}$, and let $\mathcal {ID}= (\mathsf {Gen}, \mathsf {P}_1, \mathsf {P}_2, \mathsf {V}, \mathcal {C})$ be a $t_{\mathsf {Sim}}$-time simulatable identification protocol with $t_\mathsf{W}$-time special soundness and $\delta $-first-message unpredictability for a relation $\mathcal {R} \subseteq \mathcal {X} \times \mathcal {W}$. If $\mathcal {R}$ is d-moment $(\varDelta ,\omega )$-hard with respect to $\mathsf {Gen}$, and the hash function $\mathsf {H}$ is modeled as a random oracle, then for every $t_F$-time algorithm F that issues $q_{\mathsf {H}}$ oracle queries and $q_{\mathsf {Sign}}$ signing queries it holds that

$$\begin{aligned} \mathbf {Adv}^\mathsf{Forge}_{\mathcal{SIG}_{\mathcal {ID},\mathsf {H}},F}(\lambda )\le & {} \left( \frac{q_{\mathsf {H}} \cdot \varDelta \cdot \left( 16(t_{F} + q_{\mathsf {Sign}}\cdot t_\mathsf {Sim}+ t_\mathsf {V}+ t_\mathsf{W} ) \right) ^d }{\left| \mathcal {W}_\lambda \right| ^\omega } \right) ^{\frac{d}{2d - 1}} \\&\quad + 2\cdot \left( \frac{q_{\mathsf {H}}^2 + 1}{|\mathcal {C}_{\lambda }|} + q_{\mathsf {Sign}} \cdot q_{\mathsf {H}}^2 \cdot \delta \right) \end{aligned}$$

for all sufficiently large $\lambda \in \mathbb {N}$, where $t_{\mathsf {V}} = t_{\mathsf {V}}(\lambda )$ denotes the running time of the algorithm $\mathsf {V}$ and $|\mathcal {C}_{\lambda }|$ denotes the size of the challenge set $\mathcal {C}_x$ for any $x \in \mathcal {X}_{\lambda }$.

At a high level, the proof of Theorem 5.1 follows a similar outline to that Theorem 4.1, while carefully handling additional technical challenges that arise when considering the unforgeability of signatures schemes in the random oracle model, as to minimize the increase in the adversary’s success probability. Concretely, let F be a forger that runs in time t, issues at most $q_\mathsf {H}$ random-oracle queries and produces a successful forgery with probability $\epsilon $. Our algorithm A invokes the forger to obtain a message-signature pair $(m,\sigma = (\alpha , \beta , \gamma ))$, while simulating the random oracle and the signing oracle using the simulatability of the underlying $\varSigma $-protocol. Then, it checks that this pair is a valid one and that the forger queried the random oracle for the hash value of $(x,m,\alpha )$. If so, it rewinds the forger $B \approx 1/\epsilon ^{1/d}$ times to the point just before $(x,m,\alpha )$ was queried, simulating a fresh random oracle from that point on each time, and obtaining respective message-signature pairs $(m_1,\sigma _1=(\alpha _1,\beta _1,\gamma _1)), \ldots , (m_B, \sigma _B =(\alpha _B,\beta _B,\gamma _B))$. If any one of these additional pairs $(m_i, \sigma _i)$ is a valid one, and in addition $\alpha _i = \alpha $ and $\beta _i \ne \beta $, then the algorithm A successfully retrieves a witness.

Technical challenges and approximations omitted, we prove that the algorithm A has success probability roughly $B \cdot \epsilon ^2 / q_{\mathsf {H}} \approx \epsilon ^{2 - 1/d}/ q_{\mathsf {H}}$, and the d-th moment of its running time is at most $\epsilon \cdot t^d/B^d \approx T^d$. Thus, assuming that $\mathcal {R}$ is a d-moment $(\varDelta ,\omega )$-hard relation leads to the bound $\epsilon \le (q_\mathsf {H}\cdot \varDelta \cdot t^d/|\mathcal {W}|^\omega )^{d/(2d-1)}$ on the advantage of a t-time forger which issues $q_\mathsf {H}$ random oracle queries in breaking the existential unforgeability of the signature schemes via an adaptive-chosen message attack.

Proof of

Theorem 5.1. For any $\lambda \in \mathbb {N}$ let $\epsilon = \epsilon (\lambda ) = \mathbf {Adv}^\mathsf{Forge}_{\mathcal {SIG}_{\mathcal {ID},\mathsf {H}},F}(\lambda )$, and $B = \lceil 1/\epsilon ^{1/d} - 1 \rceil $. We make the following assumptions about the forger F without loss of generality:

F does not issue the same query twice to $\mathsf {H}$, as F can always store the answers received from the oracle.
After querying the signing oracle $\mathsf {Sign}(\mathsf {sk},\cdot )$ on a message m and receiving a signature $\sigma = (\alpha ,\beta ,\gamma )$, F does not query $\mathsf {H}$ on $(\mathsf {vk}, m, \alpha )$. This is without loss of generality, since in the real experiment $\mathsf{Forge}_{\mathcal {SIG}_{\mathcal {ID}, \mathsf {H}}, F}(\lambda )$, it is always the case $\mathsf {H}(\mathsf {vk}, m, \alpha ) = \beta $, and hence F can just store this value.
If $F^{\mathsf {H}, \mathsf {Sign}(\mathsf {sk}, \cdot )}(\mathsf {vk})$ outputs a pair $(m, \sigma = (\alpha ,\beta ,\gamma ))$ and F queried $\mathsf {H}$ for $y = \mathsf {H}(\mathsf {vk},m,\alpha )$, then $\beta = y$. If this is not the case, then it necessarily holds that $\mathsf {Verify}(\mathsf {vk}, m,\sigma ) = 0$ and thus $\mathsf{Forge}_{\mathcal {SIG}_{\mathcal {ID}, \mathsf {H}}, F}(\lambda ) = 0$.
F never outputs a message m on which it has queried $\mathsf {Sign}(\mathsf {sk},\cdot )$.

Consider the following algorithm A (which uses the algorithms $\mathsf {Sim}$ and $\mathsf {WitnessExt}$ provided by the simulatability and special soundness of $\mathcal {ID}$, respectively):

The following lemma establishes a lower bound on the success probability of the algorithm A:

Lemma 5.2

For any $\lambda \in \mathbb {N}$ it holds that either

$$ \Pr \left[ (x, A(x)) \in \mathcal {R} \right] \ge \frac{B \cdot \epsilon ^2}{8 \cdot q_{\mathsf {H}}} $$

or

$$\begin{aligned} \epsilon < 2\cdot \left( \frac{q_{\mathsf {H}}^2+1}{|\mathcal {C}_\lambda |} + q_{\mathsf {Sign}} \cdot q_{\mathsf {H}}^2 \cdot \delta \right) . \end{aligned}$$

Proof of

Lemma 5.2. Denote by $I_0$ the random variable corresponding to the index of the $\mathsf {H}$-query in which F queries $\mathsf {H}$ with $(\mathsf {vk}, m_0, \alpha _0)$ in its invocation in Step 2. If in this invocation F does not query $\mathsf {H}$ with $(\mathsf {vk}, m_0, \alpha _0)$ or if $\beta _0 \ne y_{0,I_0}$, then we set $I_0 = 0$. Similarly, for each $j \in [B]$ denote by $I_j$ the random variable corresponding to the index of the $\mathsf {H}$-query in which F queries $\mathsf {H}$ with $(\mathsf {vk}, m_j, \alpha _j)$ in its invocation in the jth iteration of Step 4. If in this invocation F does not query $(\mathsf {vk}, m_j, \alpha _j)$ or if $\beta _j \ne y_{j,I_j}$, then we set $I_j = 0$.

For every $i\in [q_{\mathsf {Sign}}]$ let $\mathsf{Bad}_{0,i}$ denote the event in which A aborts in the ith $\mathsf {Sign}$-query of F in its invocation in Step 2. That is, if we denote by m the ith $\mathsf {Sign}$-query of F in its invocation in Step 2, then $\mathsf{Bad}_{0,i}$ is the event in which F already queried $\mathsf {H}$ with $(\mathsf {vk}, m, \alpha '_i)$ in an earlier stage of this invocation, and the response was different than $\beta '_i$. For every $j\in [B]$ and $i \in [q_{\mathsf {Sign}}]$, let $\mathsf{Bad}_{j,i}$ be defined analogously with respect to the jth invocation of F in Step 4, and let $\mathsf{Bad}_\ell = \bigvee _{i\in [q_{\mathsf {Sign}}]} \mathsf{Bad}_{\ell ,i}$ for every $\ell \in \{ 0,\ldots , B \}$. Since transcripts sampled using $\mathsf {Sim}$ are distributed identically as honestly-generated transcripts, then by the $\delta $-first-message unpredictability of the identification scheme $\mathcal {ID}$, it holds that

$$\begin{aligned} \Pr \left[ \mathsf{Bad}_\ell \right]\le & {} \sum _{i=1}^{q_{\mathsf {Sign}}} \mathsf{Bad}_{\ell , i} \\\le & {} \sum _{i=1}^{q_{\mathsf {Sign}}} q_{\mathsf {H}} \cdot \delta \\\le & {} q_{\mathsf {Sign}} \cdot q_{\mathsf {H}} \cdot \delta . \end{aligned}$$

Whenever A reaches Step 4c, it is guaranteed that it invokes the witness extraction algorithm on two accepting transcripts with distinct challenges. Therefore,

It thus holds that

where $(x,w)\leftarrow \mathsf {Gen}(1^{\lambda })$, and the values $r, \{ \{y_{j,\ell }\}_{\ell \in [q_{\mathsf {H}}]}, m_j, \alpha _j, \beta _j, \gamma _j \}_{j\in \{0,\ldots ,B \}}$ and $\{ (\alpha '_\ell , \beta '_\ell ,\gamma '_\ell ) \}_{\ell \in [q_{\mathsf {Sign}}]}$ are distributed as in the description of A.

For every $y_{0,1},\ldots , y_{0,i-1}$ let us denote $\mathbf {y}[i-1]= (y_{0,1},\ldots , y_{0,i-1})$ and $\mathbf {\tau } = \{ (\alpha '_\ell , \beta '_\ell ,\gamma '_\ell ) \}_{\ell \in [q_{\mathsf {Sign}}]}$. For every i, x, r, $\mathbf {\tau }$ and $\mathbf {y}[i-1]$, denote by $(y_{i}^*(i,x,r, \mathbf {\tau }, \mathbf {y}[i-1]), \ldots , y_{q_{\mathsf {H}}}^*(i,x,r,\mathbf {\tau },\mathbf {y}[i-1]))$ the lexicographically first tuple of $q_{\mathsf {H}}-i+1$ values in $\mathcal {C}_{x}$ for which the following holds: In the simulation ${F}^{\mathsf {H}, \mathsf {Sign}(\mathsf {sk},\cdot )}(x; r)$ (where the oracles are simulated to F as in the description of A using the values $\mathbf {\tau }$ and $\mathbf {y}[i-1], y_{i}^*(i,x,r, \mathbf {\tau }, \mathbf {y}[i-1]), \ldots , y_{q_{\mathsf {H}}}^*(i,x,r,\mathbf {\tau },\mathbf {y}[i-1])$), F outputs $(m,\alpha ,\beta ,\gamma )$ such that:

$\mathsf{V}(x,m,\alpha ,\beta ,\gamma ) = 1$;
F’s ith query to $\mathsf {H}$ is $(x,m,\alpha )$;
For every $\ell \in [q_{\mathsf {Sign}}]$: If $m_\ell $ is the $\ell $th query of F to $\mathsf {Sign}(\mathsf {sk},\cdot )$, then F does not query $\mathsf {H}$ on $(x, m_\ell , \alpha '_\ell )$ before its $\ell $th query to $\mathsf {Sign}(\mathsf {sk},\cdot )$.

Then, it holds that

For every fixing of i, x, r, $\{ (\alpha '_\ell , \beta '_\ell , \gamma '_\ell ) \}_{\ell \in [q_{\mathsf {Sign}}]}$ and $y_{0,1},\ldots , y_{0,i-1}$, the event $ \mathsf{V}(x, m_0, \alpha _0,\beta _0,\gamma _0)) = 1 \ \wedge \ I_0 = i \ \wedge \ \overline{\mathsf{Bad}_0}$ and the events

$$\begin{aligned} \left\{ \genfrac{}{}{0.0pt}{}{\mathsf{V}(x, m_j, \alpha _j , \beta _j , \gamma _j) = 1\wedge \ I_j = i \ \wedge \ \overline{\mathsf{Bad}_j}}{\wedge \ \forall \ell \in \{ i,\ldots , q \} \ : \ y_{j,i} \ne y_{i}^*(i,x,r,\mathbf {\tau },\mathbf {y}[i-1])} \right\} _{j \in [B]} \end{aligned}$$

are independent. Therefore,

and for every $j\in [B]$ the union bound implies that

$$\begin{aligned}&\Pr \left[ \genfrac{}{}{0.0pt}{}{\mathsf{V}(x, m_j, \alpha _j , \beta _j , \gamma _j) = 0 \ \vee \ I_j \ne i \ \vee \ \mathsf{Bad}_j }{\vee \ \exists \ell \in \{ i,\ldots , q \} \ : \ y_{j,i} = y_{i}^*(i,x,r,\mathbf {\tau },\mathbf {y}[i-1])} \right] \\&\qquad \le \min \Bigg \{1, \ \Pr \left[ \mathsf{V}(x, m_j, \alpha _j , \beta _j , \gamma _j) = 0 \ \vee \ I_j \ne i \right] \\&\qquad \qquad \quad + \Pr \left[ \exists \ell \in \{ i,\ldots , q \} \ : \ y_{j,i} = y_{i}^*(i,x,r,\mathbf {\tau },\mathbf {y}[i-1]) \right] + \Pr \left[ \mathsf{Bad}_j \right] \Bigg \}\\&\qquad \le \min \Bigg \{ 1 , \ 1 - \Pr \left[ \mathsf{V}(x, m_j, \alpha _j , \beta _j , \gamma _j) = 1 \ \wedge \ I_j = i \right] \\&\qquad \qquad \quad + \frac{q_{\mathsf {H}}}{|\mathcal {C}_\lambda |} + q_{\mathsf {Sign}}\cdot q_{\mathsf {H}}\cdot \delta \Bigg \}. \end{aligned}$$

For every i, x, r, $\{ (\alpha '_\ell , \beta '_\ell , \gamma '_\ell ) \}_{\ell \in [q_{\mathsf {Sign}}]}$ and $y_{0,1},\ldots , y_{0,i-1}$ denote

$$\begin{aligned}&\widetilde{\epsilon }_i(x,r,\mathbf {\tau },\mathbf {y}[i-1]) \\&\quad = \max \left\{ 0 , \ \Pr \left[ \mathsf{V}(\mathsf {vk},m_0, \alpha _0 , \beta _0 , \gamma _0) = 1 \ \wedge \ I_0 = i \right] - \frac{q_{\mathsf {H}}}{|\mathcal {C}_\lambda |} - q_{\mathsf {Sign}}\cdot q_{\mathsf {H}}\cdot \delta \right\} . \end{aligned}$$

Then, we obtain that

where the expectation is taken over the choice of ${x,r},{y_{0,1},\ldots ,y_{0,i-1}}$ and of $\{ (\alpha '_\ell , \beta '_\ell , \gamma '_\ell ) \}_{\ell \in [q_{\mathsf {Sign}}]}$.

For each $i\in [q_{\mathsf {H}}]$, denote $\epsilon _i = \Pr \left[ \mathsf{V}(x, m_0, \alpha _0 , \beta _0 , \gamma _0) = 1 \ \wedge \ I_0 = i \right] $ and $\widetilde{\epsilon }_i = \mathbb {E}_{} \left[ \widetilde{\epsilon }_i(x,r,\mathbf {\tau },\mathbf {y}[i-1]) \right] $. The following claim (which is proved in the full version of the paper) provides a lower bound on each of the terms in the above sum (note that each term is the expectation of a non-convex function, and therefore such a lower bound is not directly implied by Jensen’s inequality)

Claim 5.3

For every $i \in [q_{\mathsf {H}}]$ it holds that

$$\begin{aligned} \mathbb {E}_{} \left[ \widetilde{\epsilon }_i(x,r,\mathbf {\tau },\mathbf {y}[i-1]) \cdot \left( 1 - \left( 1 - \widetilde{\epsilon }_i(x,r,\mathbf {\tau },\mathbf {y}[i-1]) \right) ^B \right) \right] \ge \frac{1}{2} \cdot B \cdot \widetilde{\epsilon }_i^2 . \end{aligned}$$

Claim 5.3 together with Jensen’s inequality imply that

$$\begin{aligned}&\Pr \left[ (x, A(x)) \in \mathcal {R} \right] \\&\qquad \ge \frac{1}{2} \cdot B \cdot \sum _{i=1}^{q_{\mathsf {H}}} \widetilde{\epsilon }_i^2. \\&\qquad \ge \frac{1}{2\cdot q_{\mathsf {H}}} \cdot B \cdot \left( \sum _{i=1}^{q_{\mathsf {H}}} \widetilde{\epsilon }_i\right) ^2 \\&\qquad \ge \frac{1}{2\cdot q_{\mathsf {H}}} \cdot B \cdot \left( \sum _{i=1}^{q_{\mathsf {H}}} \left( \epsilon _i - \frac{q_{\mathsf {H}}}{|\mathcal {C}_\lambda |} - q_{\mathsf {Sign}}\cdot q_{\mathsf {H}}\cdot \delta \right) \right) ^2 \\&\qquad = \frac{B}{2\cdot q_{\mathsf {H}}} \cdot \left( \Pr \left[ \mathsf{V}(x, m_0, \alpha _0 , \beta _0 , \gamma _0) = 1 \ \wedge \ I_0 > 0 \right] - \frac{q_{\mathsf {H}}^2}{|\mathcal {C}_\lambda |} - q_{\mathsf {Sign}} \cdot q_{\mathsf {H}}^2 \cdot \delta \right) ^2. \end{aligned}$$

Observe that when F outputs a pair $(m,\sigma = (\alpha ,\beta ,\gamma ))$ without querying $\mathsf {H}$ on $(\mathsf {vk},m,\alpha )$, the view of F at termination is independent of the value $\mathsf {H}(\mathsf {vk},m,\alpha )$. Hence, the probability that it outputs a value $\beta $ such that $\mathsf {H}(\mathsf {vk},m,\alpha ) = \beta $ (which is a necessary condition for F to win the experiment) is at most $1/|\mathcal {C}_\lambda |$. Therefore,

$$\begin{aligned} \Pr \left[ \mathsf{V}(x, m_0, \alpha _0,\beta _0,\gamma _0) = 1 \ \wedge \ I_0 > 0 \right] \ge \epsilon - \frac{1}{|\mathcal {C}_\lambda |}, \end{aligned}$$

which implies that

$$\begin{aligned} \Pr \left[ (x,A(x))\in \mathcal {R} \right]\ge & {} \frac{1}{2\cdot q_{\mathsf {H}}} \cdot B \cdot \left( \epsilon - \frac{q_{\mathsf {H}}^2+1}{|\mathcal {C}_\lambda |} - q_{\mathsf {Sign}} \cdot q_{\mathsf {H}}^2 \cdot \delta \right) ^2. \end{aligned}$$

Then, either $\epsilon < 2\cdot \left( \frac{q_{\mathsf {H}}^2+1}{|\mathcal {C}_\lambda |} + q_{\mathsf {Sign}} \cdot q_{\mathsf {H}}^2 \cdot \delta \right) $, or

$$\begin{aligned} \Pr \left[ (x,A(x))\in \mathcal {R} \right]\ge & {} \frac{1}{8\cdot q_{\mathsf {H}}} \cdot B \cdot \epsilon ^2. \end{aligned}$$

$\blacksquare $

The following lemma establishes an upper bound on the dth moment of the running time of the algorithm A (recall that $\mathsf {T}_{A,\mathsf {KG}(1^{\lambda })}$ denotes the random variable corresponding to the running time of A on input x where $(x,w) \leftarrow \mathsf {KG}(1^{\lambda })$):

Lemma 5.4

For any $\lambda \in \mathbb {N}$ it holds that

$$\begin{aligned} \mathbb {E} \left[ (\mathsf {T}_{A,\mathsf {KG}(1^{\lambda })})^d \right] \le 2 (1+B)^d \cdot \left( q_{\mathsf {Sign}}\cdot t_\mathsf {Sim}+ t_{F} + t_\mathsf {V}+ t_\mathsf{W} \right) ^d \cdot \epsilon . \end{aligned}$$

Proof of

Lemma 5.4. The description of A yields that with probability $1-\epsilon $ it runs in time at most $q_{\mathsf {Sign}}\cdot t_\mathsf {Sim}+ t_{F} + t_\mathsf {V}$, and with probability $\epsilon $ it runs in time at most $q_{\mathsf {Sign}}\cdot t_\mathsf {Sim}+ (1+B) \cdot \left( t_{F} + t_\mathsf {V}\right) + t_\mathsf{W}$ (for simplicity we assume that the time required for sampling a uniform $\beta \in \mathcal {C}_x$ is subsumed by $t_{F} + t_\mathsf {V}$). Therefore,

$$\begin{aligned} \mathbb {E} \left[ (\mathsf {T}_{A,\mathsf {KG}(1^{\lambda })})^d \right]\le & {} \left( q_{\mathsf {Sign}}\cdot t_\mathsf {Sim}+ t_{F} + t_\mathsf {V}\right) ^d \cdot \left( 1 - \epsilon \right) \nonumber \\&\quad + \left( q_{\mathsf {Sign}}\cdot t_\mathsf {Sim}+ (1+B) \cdot \left( t_{F} + t_\mathsf {V}\right) + t_\mathsf{W} \right) ^d \cdot \epsilon \nonumber \\\le & {} \left( q_{\mathsf {Sign}}\cdot t_\mathsf {Sim}+ t_{F} + t_\mathsf {V}\right) ^d \nonumber \\&\quad + \left( (1+B) \cdot \left( q_{\mathsf {Sign}}\cdot t_\mathsf {Sim}+ t_{F} + t_\mathsf {V}+ t_\mathsf{W} \right) \right) ^d \cdot \epsilon \nonumber \\\le & {} 2 (1+B)^d \cdot \left( q_{\mathsf {Sign}}\cdot t_\mathsf {Sim}+ t_{F} + t_\mathsf {V}+ t_\mathsf{W} \right) ^d \cdot \epsilon . \end{aligned}$$

(2)

where Eq. (2) follows from the fact that $B \ge 1/\epsilon ^{1/d} - 1$ (and thus $1 \le (1+B)^d \cdot \epsilon $).

$\blacksquare $

Lemma 5.2 and Lemma 5.4, together with the assumption that $\mathcal {R}$ is a d-moment $(\varDelta ,\omega )$-hard relation imply that either $\epsilon < 2\cdot \big ( (q_{\mathsf {H}}^2+1)/|\mathcal {C}_\lambda | +$$ q_{\mathsf {Sign}} \cdot q_{\mathsf {H}}^2 \cdot \delta \big )$ or

$$\begin{aligned} \frac{B \cdot \epsilon ^2 }{8\cdot q_{\mathsf {H}}}\le & {} \Pr \left[ \left( x, \mathsf{A}(x) \right) \in \mathcal {R} \right] \\\le & {} \frac{\varDelta \cdot \mathbb {E} \left[ (\mathsf {T}_{A,\mathsf {KG}(1^{\lambda })})^d \right] }{\left| \mathcal {W}_\lambda \right| ^\omega } \\\le & {} \frac{\varDelta \cdot 2 (1+B)^d \cdot \left( q_{\mathsf {Sign}}\cdot t_\mathsf {Sim}+ t_{F} + t_\mathsf {V}+ t_\mathsf{W} \right) ^d \cdot \epsilon }{\left| \mathcal {W}_\lambda \right| ^\omega } \\\le & {} \frac{\varDelta \cdot 2^{d+1} B^d \cdot \left( q_{\mathsf {Sign}}\cdot t_\mathsf {Sim}+ t_{F} + t_\mathsf {V}+ t_\mathsf{W} \right) ^d \cdot \epsilon }{\left| \mathcal {W}_\lambda \right| ^\omega } \\\le & {} \frac{\varDelta \cdot B^d \cdot \left( 2(q_{\mathsf {Sign}}\cdot t_\mathsf {Sim}+ t_{F} + t_\mathsf {V}+ t_\mathsf{W} ) \right) ^d \cdot \epsilon }{\left| \mathcal {W}_\lambda \right| ^\omega } \end{aligned}$$

Our choice of $B = \lceil 1/\epsilon ^{1/d} - 1 \rceil $ guarantees that $B^{d-1} \le \epsilon ^{1 - 1/d}$, and therefore

$$\begin{aligned} \epsilon ^{2 - \frac{1}{d}} \le \frac{ \epsilon }{B^{d-1}} \le \frac{8 \cdot q_{\mathsf {H}} \cdot \varDelta \cdot \left( 2(q_{\mathsf {Sign}}\cdot t_\mathsf {Sim}+ t_{F} + t_\mathsf {V}+ t_\mathsf{W} ) \right) ^d }{\left| \mathcal {W}_\lambda \right| ^\omega } \end{aligned}$$

which yields

$$\begin{aligned} \epsilon \le \left( \frac{8 \cdot q_{\mathsf {H}} \cdot \varDelta \cdot \left( 2(q_{\mathsf {Sign}}\cdot t_\mathsf {Sim}+ t_{F} + t_\mathsf {V}+ t_\mathsf{W} ) \right) ^d }{\left| \mathcal {W}_\lambda \right| ^\omega } \right) ^{\frac{d}{2d - 1}} . \end{aligned}$$

Therefore, overall we obtain

$$\begin{aligned} \epsilon\le & {} \max \left\{ \begin{array}{c} \left( \frac{8 \cdot q_{\mathsf {H}} \cdot \varDelta \cdot \left( 2(q_{\mathsf {Sign}}\cdot t_\mathsf {Sim}+ t_{F} + t_\mathsf {V}+ t_\mathsf{W} ) \right) ^d }{\left| \mathcal {W}_\lambda \right| ^\omega } \right) ^{\frac{d}{2d - 1}}, \\ 2\cdot \left( \frac{q_{\mathsf {H}}^2 + 1}{|\mathcal {C}_{\lambda }|} + q_{\mathsf {Sign}} \cdot q_{\mathsf {H}}^2 \cdot \delta \right) \end{array} \right\} \\\le & {} \left( \frac{ q_{\mathsf {H}} \cdot \varDelta \cdot \left( 16(q_{\mathsf {Sign}}\cdot t_\mathsf {Sim}+ t_{F} + t_\mathsf {V}+ t_\mathsf{W} ) \right) ^d }{\left| \mathcal {W}_\lambda \right| ^\omega } \right) ^{\frac{d}{2d - 1}} \\&\quad + 2\cdot \left( \frac{q_{\mathsf {H}}^2 + 1}{|\mathcal {C}_{\lambda }|} + q_{\mathsf {Sign}} \cdot q_{\mathsf {H}}^2 \cdot \delta \right) . \end{aligned}$$

$\blacksquare $

6 Implications to the Schnorr and Okamoto Schemes

In this section we derive concrete security bounds for the Schnorr identification and signature schemes and for the Okamoto identification and signature schemes based on Corollary 4.2 and Theorem 5.1, assuming the 2-moment hardness of the discrete logarithm problem. In the description of the schemes, we rely on the existence of a group generation algorithm $\mathsf {GroupGen}$, which takes as input the security parameter $1^\lambda $ and outputs a description $(\mathbb {G},p,g)$ of a cyclic group $\mathbb {G}$ of prime order p, where g is a generator of the group. We focus on the typical case where the security parameter $\lambda \in \mathbb {N}$ determines a lower bound on the size of the group and thus $p \ge 2^\lambda $, and we denote by $t_\mathsf{exp} = t_\mathsf{exp}(\lambda )$ the time required for a single exponentiation in the group $\mathbb {G}$, where $(\mathbb {G}, p, g) \leftarrow \mathsf {GroupGen}(1^\lambda )$. Moreover, we assume for simplicity that the time required for multiplication in $\mathbb {G}$, for sampling elements in $\mathbb {Z}_p$, and for arithmetic computations in $\mathbb {Z}_p$ is subsumed by $t_\mathsf{exp}$.

6.1 The Schnorr Identification and Signature Schemes

We start by recalling the definition of the Schnorr identification scheme $\mathcal {ID}_\mathsf{Schnorr} = (\mathsf {Gen}, \mathsf {P}_1, \mathsf {P}_2, \mathsf {V}, \mathcal {C})$ which is defined as follows:

Note that the scheme’s challenge space $\mathcal {C} = \mathcal {C}_x$ is $\mathbb {Z}_p$ for any $x = ((\mathbb {G}, p ,g), g^w)$ produced by $\mathsf {Gen}$, and that $\mathcal {ID}_\mathsf{Schnorr}$ has a challenge space of size $|\mathcal {C}_\lambda | \ge 2^{\lambda }$ and $\delta $-first message unpredictability for $\delta = \delta (\lambda ) = 2^{-\lambda }$. Additionally, the verifier $\mathsf {V}$ preforms two exponentiations in the group $\mathbb {G}$ which yields a total running time of $t_{\mathsf {V}} = t_{\mathsf {V}}(\lambda ) = 2t_\mathsf{exp}(\lambda )$. The following well-known claim establishes the special soundness and simulatability of $\mathcal {ID}_\mathsf{Schnorr}$.

Claim 6.1

$\mathcal {ID}_\mathsf{Schnorr}$ is simulatable and has special soundness.

For completeness, in the full version of the paper we present the simulator $\mathsf{Sim}$ establishing the simulatability of the scheme, and the extractor $\mathsf {WitnessExt}$ which establishes its special soundness. The simulator $\mathsf{Sim}$ runs in time $t_\mathsf{Sim} = 2t_\mathsf{exp}$, and the extractor $\mathsf {WitnessExt}$ performs only arithmetic operations in the ring $\mathbb {Z}_p$, and hence for our purposes its running time is dominated by that of the other algorithms under consideration. Given Claim 6.1 and the above observations, we obtain the following theorem, establishing concrete security bounds for the Schnorr identification scheme, as an immediate implication of Corollary 4.2.

Theorem 6.2

Let $t_{\bar{\mathsf {P}}} = t_{\bar{\mathsf {P}}}(\lambda )$ and $q_{\bar{\mathsf {P}}} = q_{\bar{\mathsf {P}}}(\lambda )$ be functions of the security parameter $\lambda \in \mathbb {N}$. If the discrete logarithm problem is 2-moment hard with respect to $\mathsf {Gen}$, then for any malicious prover $\bar{\mathsf {P}}$ that runs in time $t_{\bar{\mathsf {P}}}$ and issues $q_{\bar{\mathsf {P}}}$ transcript-generation queries it holds that

$$\begin{aligned} \mathbf {Adv}^\mathsf{PA\text {-}IMP}_{\mathcal {ID}_\mathsf{Schnorr},\bar{\mathsf {P}}}(\lambda ) \le \left( \frac{ \left( 16(t_{\bar{\mathsf {P}}} + 2(q_{\bar{\mathsf {P}}}+1) \cdot t_{\exp } \right) ^2 }{2^\lambda } \right) ^{\frac{2}{3}} + \frac{2}{2^\lambda } , \end{aligned}$$

for all sufficiently large $\lambda \in \mathbb {N}$.

Recall that Schnorr signatures are obtained from $\mathcal {ID}_\mathsf{Schnorr}$ via the Fiat-Shamir transform relative to hash function $\mathsf {H}$, as described in Sect. 5. Hence, we obtain the following theorem, establishing concrete security bounds for the Schnorr signature scheme, as a corollary of Theorem 5.1.

Theorem 6.3

Let $t_{F} = t_{F}(\lambda )$, $q_{\mathsf {H}} = q_{\mathsf {H}}(\lambda )$ and $q_{\mathsf {Sign}} = q_{\mathsf {Sign}}(\lambda )$ be functions of the security parameter $\lambda \in \mathbb {N}$. If the discrete logarithm problem is 2-moment hard with respect to $\mathsf {Gen}$, and the hash function $\mathsf {H}$ is modeled as a random oracle, then for every $t_F$-time algorithm F that issues $q_{\mathsf {H}}$ oracle queries and $q_{\mathsf {Sign}}$ signing queries it holds that

$$\begin{aligned} \mathbf {Adv}^\mathsf{Forge}_{\mathcal{SIG}_{\mathcal {ID}_\mathsf{Schnorr},\mathsf {H}},F}(\lambda )\le & {} \left( \frac{q_{\mathsf {H}} \cdot \left( 16(t_{F} + 2(q_{\mathsf {Sign}} + 1)\cdot t_\mathsf{exp}) \right) ^2 }{2^\lambda } \right) ^{\frac{2}{3}} \\&+ 2\cdot \left( \frac{ (q_{\mathsf {Sign}} + 1) \cdot q_{\mathsf {H}}^2 + 1}{2^\lambda } \right) \end{aligned}$$

for all sufficiently large $\lambda \in \mathbb {N}$.

6.2 The Okamoto Identification and Signature Schemes

The Okamoto identification scheme $\mathcal {ID}_\mathsf{Okamoto}$ is defined as follows:

Observe that the scheme’s challenge space $\mathcal {C} = \mathcal {C}_x$ is $\mathbb {Z}_p$ for any $x = ((\mathbb {G}, p ,g), g^w)$ produced by $\mathsf {Gen}$, and that $\mathcal {ID}_\mathsf{Okamoto}$ has a challenge space of size $|\mathcal {C}_\lambda | \ge 2^{\lambda }$ and $\delta $-first message unpredictability for $\delta = \delta (\lambda ) = 2^{-\lambda }$. Moreover, the verifier $\mathsf {V}$ preforms three exponentiations in the group $\mathbb {G}$ which yields a total running time of $t_{\mathsf {V}} = t_{\mathsf {V}}(\lambda ) = 3t_\mathsf{exp}(\lambda )$.

Note that the instance-witness relation induced by $\mathsf {Gen}$ consists of all pairs of the form $((\mathbb {G},p,g_1,g_2, h), (w_1,w_2))$ for which $h = g_1^{w_1} \cdot g_2^{w_2}$. We denote this relation by $\mathcal {R}_{2\mathsf{DLog}}$. The following claim establishes the special soundness (with respect to the relation $\mathcal {R}_{2\mathsf{Dlog}}$) and simulatability of $\mathcal {ID}_\mathsf{Okamoto}$.

Claim 6.4

$\mathcal {ID}_\mathsf{Okamoto}$ is simulatable and has special soundness.

For completeness, in the full version of the paper we present the simulator $\mathsf{Sim}$ establishing the simulatability of the scheme, and the extractor $\mathsf {WitnessExt}$ which establishes its special soundness. The simulator $\mathsf{Sim}$ runs in time $t_\mathsf{Sim} = 3t_\mathsf{exp}$, and the extractor $\mathsf {WitnessExt}$ performs only arithmetic operations in the ring $\mathbb {Z}_p$, and hence for our purposes its running time is dominated by that of the other algorithms under consideration.

Let $\mathcal {D}= \{ \mathcal {D}_{\lambda } \}_{\lambda \in \mathbb {N}}$ be the distribution which outputs pairs of the form $((\mathbb {G},p,g,h),w)$ where $(\mathbb {G},p,g) \leftarrow \mathsf {GroupGen}(1^\lambda )$, $w\leftarrow \mathbb {Z}_p$ and $h = g^w$. It is well-known that the hardness of the relation $\mathcal {R}_{2\mathsf{DLog}}$ with respect to $\mathsf {Gen}$ is tightly implied by the hardness of the discrete logarithm relation with respect to $\mathcal {D}$. That is, for any algorithm A there exists an algorithm B such that $\mathsf {T}_{A, \mathsf {Gen}}$ and $\mathsf {T}_{B, \mathcal {D}}$ are identically distributed^{Footnote 7} and

It immediately follows that if the discrete logarithm relation is 2-moment hard, then the $\mathcal {R}_{2\mathsf{DLog}}$ relation is 2-moment $(\varDelta =1, \omega = 1/2)$-hard, where the parameter $\omega = 1/2$ comes from the fact that the witness space $\mathcal {W}_\lambda $ of $\mathcal {R}_{2\mathsf{DLog}}$ is of size $p^2$ where p is the order of the group. Hence, the following theorem which establishes concrete security bounds for the Okamoto identification scheme follows immediately from Corollary 4.2.

Theorem 6.5

Let $t_{\bar{\mathsf {P}}} = t_{\bar{\mathsf {P}}}(\lambda )$ and $q_{\bar{\mathsf {P}}} = q_{\bar{\mathsf {P}}}(\lambda )$ be functions of the security parameter $\lambda \in \mathbb {N}$. If the discrete logarithm problem is 2-moment hard with respect to $\mathsf {Gen}$, then for any malicious prover $\bar{\mathsf {P}}$ that runs in time $t_{\bar{\mathsf {P}}}$ and issues $q_{\bar{\mathsf {P}}}$ transcript-generation queries it holds that

$$\begin{aligned} \mathbf {Adv}^\mathsf{PA\text {-}IMP}_{\mathcal {ID}_\mathsf{Okamoto},\bar{\mathsf {P}}}(\lambda ) \le \left( \frac{ \left( 16(t_{\bar{\mathsf {P}}} + 3(q_{\bar{\mathsf {P}}}+1) \cdot t_{\exp } \right) ^2 }{2^\lambda } \right) ^{\frac{2}{3}} + \frac{2}{2^\lambda } , \end{aligned}$$

for all sufficiently large $\lambda \in \mathbb {N}$.

The Okamoto signature scheme is obtained from $\mathcal {ID}_\mathsf{Okamoto}$ via the Fiat-Shamir transform relative to hash function $\mathsf {H}$, as described in Sect. 5. Therefore, the following theorem which establishes concrete security bounds for the Okamoto signature scheme, is an immediate corollary of Theorem 5.1.

Theorem 6.6

Let $t_{F} = t_{F}(\lambda )$, $q_{\mathsf {H}} = q_{\mathsf {H}}(\lambda )$ and $q_{\mathsf {Sign}} = q_{\mathsf {Sign}}(\lambda )$ be functions of the security parameter $\lambda \in \mathbb {N}$. If the discrete logarithm problem is 2-moment hard with respect to $\mathsf {Gen}$, and the hash function $\mathsf {H}$ is modeled as a random oracle, then for every $t_F$-time algorithm F that issues $q_{\mathsf {H}}$ oracle queries and $q_{\mathsf {Sign}}$ signing queries it holds that

$$\begin{aligned} \mathbf {Adv}^\mathsf{Forge}_{\mathcal{SIG}_{\mathcal {ID}_\mathsf{Okamoto},\mathsf {H}},F}(\lambda )\le & {} \left( \frac{q_{\mathsf {H}} \cdot \left( 16(t_{F} + 3(q_{\mathsf {Sign}} + 1)\cdot t_\mathsf{exp}) \right) ^2 }{2^\lambda } \right) ^{\frac{2}{3}} \\&+ 2\cdot \left( \frac{ (q_{\mathsf {Sign}} + 1) \cdot q_{\mathsf {H}}^2 + 1}{2^\lambda } \right) \end{aligned}$$

for all sufficiently large $\lambda \in \mathbb {N}$.

Notes

1.
These exclude reductions in the generic-group model [Sho97] and algebraic-group model [FKL18], as discussed below.
2.
More generally, our assumption asks that the latter probability is at most $\varDelta \cdot {\mathbb {E} \left[ (\mathsf {T}_{A, \mathcal {D}})^d \right] }/{\left| \mathcal {W} \right| ^{\omega }}$ for functions $\varDelta $ and $\omega $ of the security parameter. Looking ahead, the Schnorr identification and signature schemes will correspond to $\varDelta = \omega = 1$, whereas the Okamoto identification and signature scheme will correspond to $\varDelta = 1$ and $\omega = 1/2$.
3.
In fact, Shoup proved the following stronger statement: For any $t \ge 0$, the success probability of any algorithm in computing the discrete logarithm of a uniformly-distributed group element, conditioned on running in time at most t, is at most $t^2/p$. This implies, in particular, 2-moment hardness (with $\varDelta = \omega = 1$).
4.
More generally, if the discrete logarithm problem is d-moment hard for some $d \ge 2$, their approach shows that any algorithm A with an expected running time $\mathbb {E}[\mathsf {T}]$ computes the discrete logarithm of a random group element with probability at most $(\mathbb {E}[\mathsf {T}]^d/p)^{1/d}$.
5.
The rewinding technique of Bootle et al. is actually a more general one that is motivated by recent protocols with a generalized special soundness property (for which the classic forking lemma is insufficient).
6.
More generally, if the discrete logarithm problem is d-moment $(\varDelta ,\omega )$-hard, then using the expected-time rewinding techniques of Bootle et al. and of Pointcheval and Stern one obtains the bound $\epsilon \le (\varDelta \cdot t^d/p^\omega )^{1/d}$ (which is inferior to our bound $\epsilon \le (\varDelta \cdot t^d/p^\omega )^{d/(2d-1)}$).
7.
To be precise, the running time $\mathsf {T}_{B, \mathcal {D}}$ of B is distributed as $\mathsf {T}_{A, \mathsf {Gen}} + 2t_\mathsf{exp}$, since B performs two exponentiations and invokes A once. For simplicity of presentation, we assume that the term $2t_\mathsf{exp}$ is subsumed by $\mathsf {T}_{A, \mathsf {Gen}}$.

References

Abdalla, M., An, J.H., Bellare, M., Namprempre, C.: From identification to signatures via the Fiat-Shamir transform: minimizing assumptions for security and forward-security. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 418–433. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_28
Chapter Google Scholar
Bootle, J., Cerulli, A., Chaidos, P., Groth, J., Petit, C.: Efficient zero-knowledge arguments for arithmetic circuits in the discrete log setting. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 327–357. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_12
Chapter MATH Google Scholar
Bellare, M., Dai, W.: The multi-base discrete logarithm problem: tight reductions and non-rewinding proofs for schnorr identification and signatures. In: Bhargavan, K., Oswald, E., Prabhakaran, M. (eds.) INDOCRYPT 2020. LNCS, vol. 12578, pp. 529–552. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-65277-7_24
Chapter Google Scholar
Bellare, M., Neven, G.: Multi-signatures in the plain public-key model and a general forking lemma. In: Proceedings of the ACM Conference on Computer and Communications Security, pp. 390–399 (2006)
Google Scholar
Fleischhacker, N., Jager, T., Schröder, D.: On tight security proofs for schnorr signatures. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 512–531. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_27
Chapter Google Scholar
Fuchsbauer, G., Kiltz, E., Loss, J.: The algebraic group model and its applications. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 33–62. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_2
Chapter Google Scholar
Fuchsbauer, G., Plouviez, A., Seurin, Y.: Blind schnorr signatures and signed ElGamal encryption in the algebraic group model. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12106, pp. 63–95. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_3
Chapter Google Scholar
Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12
Chapter Google Scholar
Garg, S., Bhaskar, R., Lokam, S.V.: Improved bounds on security reductions for discrete log based signatures. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 93–107. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_6
Chapter Google Scholar
Goldreich, O.: Foundations of Cryptography - Volume 2: Basic Applications. Cambridge University Press, Cambridge (2004)
Google Scholar
Jaeger, J., Tessaro, S.: Expected-time cryptography: generic techniques and applications to concrete soundness. In: Proceedings of the 18th Theory of Cryptography Conference, pp. 414–443 (2020)
Google Scholar
Kiltz, E., Masny, D., Pan, J.: Optimal security proofs for signatures from identification schemes. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 33–61. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_2
Chapter Google Scholar
Okamoto, T.: Provably secure and practical identification schemes and corresponding signature schemes. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 31–53. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-48071-4_3
Chapter Google Scholar
Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. J. Cryptol. 13, 361–396 (2000)
Article Google Scholar
Paillier, P., Vergnaud, D.: Discrete-log-based signatures may not be equivalent to discrete log. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 1–20. Springer, Heidelberg (2005). https://doi.org/10.1007/11593447_1
Chapter Google Scholar
Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_22
Chapter Google Scholar
Schnorr, C.: Efficient signature generation by smart cards. J. Cryptol. 4(3), 161–174 (1991)
Article Google Scholar
Seurin, Y.: On the exact security of Schnorr-type signatures in the random Oracle model. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 554–571. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_33
Chapter MATH Google Scholar
Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_18
Chapter Google Scholar

Download references

Author information

Authors and Affiliations

School of Computer Science and Engineering, Hebrew University of Jerusalem, 91904, Jerusalem, Israel
Lior Rotem & Gil Segev

Authors

Lior Rotem
View author publications
You can also search for this author in PubMed Google Scholar
Gil Segev
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Lior Rotem .

Editor information

Editors and Affiliations

Columbia University, New York City, NY, USA
Tal Malkin
University of Michigan, Ann Arbor, MI, USA
Chris Peikert

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Rotem, L., Segev, G. (2021). Tighter Security for Schnorr Identification and Signatures: A High-Moment Forking Lemma for ${\varSigma }$-Protocols. In: Malkin, T., Peikert, C. (eds) Advances in Cryptology – CRYPTO 2021. CRYPTO 2021. Lecture Notes in Computer Science(), vol 12825. Springer, Cham. https://doi.org/10.1007/978-3-030-84242-0_9

Download citation

DOI: https://doi.org/10.1007/978-3-030-84242-0_9
Published: 11 August 2021
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-84241-3
Online ISBN: 978-3-030-84242-0
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

International Association for Cryptologic Research (opens in a new tab)

Tighter Security for Schnorr Identification and Signatures: A High-Moment Forking Lemma for \({\varSigma }\)-Protocols

Abstract

Similar content being viewed by others

Tighter Security for Schnorr Identification and Signatures: A High-Moment Forking Lemma for \(\varvec{\Sigma }\)-Protocols

On the Multi-user Security of Short Schnorr Signatures with Preprocessing

The Multi-Base Discrete Logarithm Problem: Tight Reductions and Non-rewinding Proofs for Schnorr Identification and Signatures

1 Introduction

1.1 Our Contributions

Theorem 1.1

Corollary 1.2

Theorem 1.3

Corollary 1.4

1.2 Paper Organization

2 Preliminaries

Definition 2.1

Definition 2.2

Definition 2.3

Definition 2.4

Definition 2.5

3 Our Assumption: d-Moment Hardness

Definition 3.1

4 Tighter Security for \(\varSigma \)-Protocols and Identification Schemes

Theorem 4.1

Corollary 4.2

Proof of

Lemma 4.3

Proof of

Claim 4.4

Lemma 4.5

Proof of

5 Tighter Security for Signature Schemes

Theorem 5.1

Proof of

Lemma 5.2

Proof of

Claim 5.3

Lemma 5.4

Proof of

6 Implications to the Schnorr and Okamoto Schemes

6.1 The Schnorr Identification and Signature Schemes

Claim 6.1

Theorem 6.2

Theorem 6.3

6.2 The Okamoto Identification and Signature Schemes

Claim 6.4

Theorem 6.5

Theorem 6.6

Notes

References

Author information

Authors and Affiliations

Corresponding author

Editor information

Editors and Affiliations

Rights and permissions

Copyright information

About this paper

Cite this paper

Download citation

Share this paper

Publish with us

Societies and partnerships

Search

Navigation