An Explicit High-Moment Forking Lemma and its Applications to the Concrete Security of Multi-Signatures

CryptoDB

An Explicit High-Moment Forking Lemma and its Applications to the Concrete Security of Multi-Signatures

Authors:	Gil Segev , School of Computer Science and Engineering, Hebrew University of Jerusalem Liat Shapira , School of Computer Science and Engineering, Hebrew University of Jerusalem
Download:	DOI: 10.62056/a6qj89n4e URL: https://cic.iacr.org//p/1/2/2 Search ePrint Search Google
Abstract:	In this work we first present an explicit forking lemma that distills the information-theoretic essence of the high-moment technique introduced by Rotem and Segev (CRYPTO '21), who analyzed the security of identification protocols and Fiat-Shamir signature schemes. Whereas the technique of Rotem and Segev was particularly geared towards two specific cryptographic primitives, we present a stand-alone probabilistic lower bound, which does not involve any underlying primitive or idealized model. The key difference between our lemma and previous ones is that instead of focusing on the tradeoff between the worst-case or expected running time of the resulting forking algorithm and its success probability, we focus on the tradeoff between higher moments of its running time and its success probability. Equipped with our lemma, we then establish concrete security bounds for the BN and BLS multi-signature schemes that are significantly tighter than the concrete security bounds established by Bellare and Neven (CCS '06) and Boneh, Drijvers and Neven (ASIACRYPT '18), respectively. Our analysis does not limit adversaries to any idealized algebraic model, such as the algebraic group model in which all algorithms are assumed to provide an algebraic justification for each group element they produce. Our bounds are derived in the random-oracle model based on the standard-model second-moment hardness of the discrete logarithm problem (for the BN scheme) and the computational co-Diffie-Hellman problem (for the BLS scheme). Such second-moment assumptions, asking that the success probability of any algorithm in solving the underlying computational problems is dominated by the second moment of the algorithm's running time, are particularly plausible in any group where no better-than-generic algorithms are currently known.

Authors:

Gil Segev , School of Computer Science and Engineering, Hebrew University of Jerusalem
Liat Shapira , School of Computer Science and Engineering, Hebrew University of Jerusalem

Download:

DOI: 10.62056/a6qj89n4e

URL: https://cic.iacr.org//p/1/2/2

Search ePrint

Search Google

Abstract:

In this work we first present an explicit forking lemma that distills the information-theoretic essence of the high-moment technique introduced by Rotem and Segev (CRYPTO '21), who analyzed the security of identification protocols and Fiat-Shamir signature schemes. Whereas the technique of Rotem and Segev was particularly geared towards two specific cryptographic primitives, we present a stand-alone probabilistic lower bound, which does not involve any underlying primitive or idealized model. The key difference between our lemma and previous ones is that instead of focusing on the tradeoff between the worst-case or expected running time of the resulting forking algorithm and its success probability, we focus on the tradeoff between higher moments of its running time and its success probability.
Equipped with our lemma, we then establish concrete security bounds for the BN and BLS multi-signature schemes that are significantly tighter than the concrete security bounds established by  Bellare and Neven (CCS '06) and Boneh, Drijvers and Neven (ASIACRYPT '18), respectively. Our analysis does not limit adversaries to any idealized algebraic model, such as the algebraic group model in which all algorithms are assumed to provide an algebraic justification for each group element they produce. Our bounds are derived in the random-oracle model based on the standard-model second-moment hardness of the discrete logarithm problem (for the BN scheme) and the computational co-Diffie-Hellman problem (for the BLS scheme). Such second-moment assumptions, asking that the success probability of any algorithm in solving the underlying computational problems is dominated by the second moment of the algorithm's running time, are particularly plausible in any group where no better-than-generic algorithms are currently known. 

BibTeX

@article{cic-2024-34395,
  title={An Explicit High-Moment Forking Lemma   and its Applications to the   Concrete Security of Multi-Signatures},
  journal={cic},
  publisher={International Association for Cryptologic Research},
  volume={1, Issue 2},
  url={https://cic.iacr.org//p/1/2/2},
  doi={10.62056/a6qj89n4e},
  author={Gil Segev and Liat Shapira},
  year=2024
}

International Association for Cryptologic Research

International Associationfor Cryptologic Research

CryptoDB

An Explicit High-Moment Forking Lemma and its Applications to the Concrete Security of Multi-Signatures

BibTeX

International Association
for Cryptologic Research