Keywords

1 Introduction

The Schnorr signature scheme [Sch90, Sch91] is one of the oldest and simplest signature schemes based on prime-order groups. Its adoption was hindered for years by a patent which expired in February 2008, but it is by now widely deployed: EdDSA [BDL+12], a specific instantiation based on twisted Edward curves, is used for example in OpenSSL, OpenSSH, GnuPG and more. Schnorr signatures are also expected to be implemented in Bitcoin [Wui18], enabling multi-signatures supporting public key aggregation, which will result in considerable scalability and privacy enhancements [BDN18, MPSW19].

The security of the Schnorr signature scheme has been analyzed in the random oracle model (ROM) [BR93], an idealized model which replaces cryptographic hash functions by truly random functions. Pointcheval and Stern [PS96b, PS00] proved Schnorr signatures secure in the ROM under the discrete logarithm assumption (DL). The proof, based on the so-called Forking Lemma, proceeds by rewinding the adversary, which results in a loose reduction (the success probability of the DL solver is a factor \(q_{\mathrm h}\) smaller than that of the adversary, where \(q_{\mathrm h}\) is the number of the adversary’s random oracle queries). Using the “meta reduction” technique, a series of works showed that this security loss is unavoidable when the used reductions are either algebraic [PV05, GBL08, Seu12] or generic [FJS19]. Although the security of Schnorr signatures is well understood (in the ROM), the same cannot be said for two related schemes, namely blind Schnorr signatures and Schnorr-signed ElGamal encryption.

A blind signature scheme allows a user to obtain a signature from a signer on a message m in such a way that (i) the signer is unable to recognize the signature later (blindness, which in particular implies that m remains hidden from the signer) and (ii) the user can compute one single signature per interaction with the signer (one-more unforgeability). Blind signature schemes were introduced by Chaum [Cha82] and are a fundamental building block for applications that guarantee user anonymity, e.g. e-cash [Cha82, CFN90, OO92, CHL05, FPV09], e-voting [FOO93], direct anonymous attestation [BCC04], and anonymous credentials [Bra94, CL01, BCC+09, BL13a, Fuc11].

Constructions of blind signature schemes range from very practical schemes based on specific assumptions and usually provably secure in the ROM [PS96a, PS00, Abe01, Bol03, FHS15, HKL19] to theoretical schemes provably secure in the standard model from generic assumptions [GRS+11, BFPV13, GG14].

The blind Schnorr signature scheme derives quite naturally from the Schnorr signature scheme [CP93]. It is one of the most efficient blind signature schemes and increasingly used in practice. Anticipating the implementation of Schnorr signatures in Bitcoin, developers are already actively exploring the use of blind Schnorr signatures for blind coin swaps, trustless tumbler services, and more [Nic19].

While the hardness of computing discrete logarithms in the underlying group  is obviously necessary for the scheme to be unforgeable, Schnorr [Sch01] showed that another problem that he named ROS, which only depends on the order p of the group , must also be hard for the scheme to be secure. Informally, the ROS\(_{\ell }\) problem, parameterized by an integer \(\ell \), asks to find \(\ell +1\) vectors \(\vec {\rho }_i = (\rho _{i,j})_{j \in [\ell ]}\) such that the system of \(\ell +1\) linear equations in unknowns \(c_1,\dots ,c_{\ell }\) over

$$ \textstyle \sum _{j=1}^{\ell } \rho _{i,j} c_j = \mathsf {H}_\mathrm{ros}(\vec {\rho }_i), \quad i \in [\ell +1] $$

has a solution, where is a random oracle. Schnorr showed that an attacker able to solve the ROS\(_{\ell }\) problem can produce \(\ell +1\) valid signatures while interacting (concurrently) only \(\ell \) times with the signer. Slightly later, Wagner [Wag02] showed that the ROS\(_{\ell }\) problem can be reduced to the \((\ell +1)\)-sum problem, which can solved with time and space complexity , where \(\lambda \) is the bit size of p. For example, for \(\lambda = 256\), this attack yields 16 valid signatures after \(\ell =15\) interactions with the signer in time and space close to \(2^{55}\). For \(\ell +1 = 2^{\sqrt{\lambda }}\), the attack has sub-exponential time and space complexity \(O(2^{2\sqrt{\lambda }})\), although the number of signing sessions becomes arguably impractical. Asymptotically, this attack can be thwarted by increasing the group order, but this would make the scheme quite inefficient.

From a provable-security point of view, a number of results [FS10, Pas11, BL13b] indicate that blind Schnorr signatures cannot be proven one-more unforgeable under standard assumptions, not even in the ROM. The only positive result by Schnorr and Jakobsson [SJ99] and Schnorr [Sch01] states that blind Schnorr signatures are secure in the combination of the generic group model and the ROM assuming hardness of the ROS problem.

The recent analysis by Hauck, Kiltz, and Loss [HKL19] of blind signatures derived from linear identification schemes does not apply to Schnorr. The reason is that the underlying linear function family lacks the property of having a pseudo torsion-free element from the kernel (see [HKL19, Def. 3.1]). In particular, F is one-to-one, whereas Hauck et al. reduce blind signature unforgeability to collision resistance of the underlying function family.

The generic group model (GGM) [Nec94, Sho97] is an idealized model for the security analysis of cryptosystems defined over cyclic groups. Instead of receiving concrete group elements, the adversary only gets “handles” for them and has access to an oracle that performs the group operation (denoted additively) on handles. This implies that if the adversary is given a list of (handles of) group elements \((X_1,\ldots ,X_n)\) and later returns (a handle of) a group element Z, then by inspecting its oracle calls one can derive a “representation” \(\vec z =(z_1,\ldots ,z_n)\) such that \(Z = \sum _{i=1}^n z_i X_i\).

Fuchsbauer, Kiltz, and Loss [FKL18] introduced the algebraic group model (AGM), a model that lies between the standard model and the GGM. On the one hand, the adversary has direct access to group elements; on the other hand, it is assumed to only produce new group elements by applying the group operation to received group elements. In particular, with every group element Z that it outputs, the adversary also gives a representation of Z in terms of the group elements it has received so far. While the GGM allows for proving information-theoretic guarantees, security results in the AGM are proved via reductions to computationally hard problems, like in the standard model.

Our starting point is the observation that in the combinationFootnote 1 AGM+ROM Schnorr signatures have a tight security proof under the DL assumption. This is because we can give a reduction which works straight-line, i.e., unlike the forking-lemma-based reduction [PS96b, PS00], which must rewind the adversary, it runs the adversary only once.Footnote 2 Motivated by this, we then turn to blind Schnorr signatures, whose security in the ROM remains elusive, and study their security in the AGM+ROM.

Our first contribution is a rigorous analysis of the security of blind Schnorr signatures in the AGM+ROM. Concretely, we show that any algebraic adversary successfully producing \(\ell +1\) forgeries after at most \(\ell \) interactions with the signer must either solve the one-more discrete logarithm (OMDL) problem or the ROS\(_{\ell }\) problem. Although this is not overly surprising in view of the previous results in the GGM [SJ99, Sch01], this gives a more satisfying characterization of the security of this protocol. Moreover, all previous proofs [SJ99, Sch01] were rather informal; in particular, the reduction solving ROS was not explicitly described. In contrast, we provide precise definitions (in particular for the ROS problem, whose exact specification is central for a security proof) and work out the details of the reductions to both OMDL and ROS, which yields the first rigorous proof.

Nevertheless, the serious threat by Wagner’s attack for standard-size group orders remains. In order to remedy this situation, we propose a simple modification of the scheme which only alters the signing protocol (key generation and signature verification remain the same) and thwarts (in a well-defined way) any attempt at breaking the scheme by solving the ROS problem. The idea is that the signer and the user engage in two parallel signing sessions, of which the signer only finishes one (chosen at random) in the last round. Running this tweak takes thus around twice the time of the original protocol. We show that an algebraic adversary successfully mounting an \((\ell +1)\)-forgery attack against this scheme must either solve the OMDL problem or a modified ROS problem, which appears much harder than the standard ROS problem for large values of \(\ell \), which is precisely when the standard ROS problem becomes tractable.

Our results are especially relevant to applications that impose the signature scheme and for which one then has to design a blind signing protocol. This is the case for blockchain-based systems where modifying the signature scheme used for authorizing transactions is a heavy process that can take years (if possible at all). We see a major motivation for studying blind Schnorr signatures in its real-world relevance for protocols that use Schnorr signatures or will in the near future, such as Bitcoin. For these applications, Wagner’s attack represents a significant risk, which can be thwarted by using our modified signing protocol.

Recall the ElGamal public-key encryption (PKE) scheme [ElG85]: given a cyclic group of prime order p and a generator G, a secret/public key pair is of the form . A message is encrypted as \((X:= xG,M+xY)\) for a random . This scheme is IND-CPA-secure under the decisional Diffie-Hellman (DDH) assumption [TY98], that is, no adversary can distinguish encryptions of two messages. Since the scheme is homomorphic, it cannot achieve IND-CCA2 security, where the adversary can query decryptions of any ciphertext (except of the one it must distinguish). However, ElGamal has been shown to be IND-CCA1-secure (where no decryption queries can be made after receiving the challenge ciphertext) in the AGM under a “q-type” variant of DDH [FKL18].Footnote 3

A natural way to make ElGamal encryption IND-CCA2-secure is to add a proof of knowledge of the randomness x used to encrypt. (Intuitively, this would make the scheme plaintext-aware [BR95].) The reduction of IND-CCA2 security can then extract x to answer decryption queries. Since x together with the first part X of the ciphertext form a Schnorr key pair, a natural idea is to use a Schnorr signature [Jak98, TY98], resulting in (Schnorr-)signed ElGamal encryption. This scheme has a number of attractive properties: ciphertext validity can be checked without knowledge of the decryption key, and one can work homomorphically with the “core” ElGamal ciphertext (a property sometimes called “submission-security” [Wik08]), which is very useful in e-voting.

Since Schnorr signatures are extractable in the ROM, one would expect that signed ElGamal can be proved IND-CCA2 under, say, the DDH assumption (in the ROM). However, turning this intuition into a formal proof has remained elusive. The main obstacle is that Schnorr signatures are not straight-line extractable in the ROM [BNW17]. As explained by Shoup and Gennaro [SG02], the adversary could order its random-oracle and decryption queries in a way that makes the reduction take exponential time to simulate the decryption oracle.

Schnorr and Jakobsson [SJ00] showed IND-CCA2 security in the GGM+ROM, while Tsiounis and Yung [TY98] gave a proof under a non-standard “knowledge assumption”, which amounts to assuming that Schnorr signatures are straight-line extractable. On the other hand, impossibility results tend to indicate that IND-CCA2 security cannot be proved in the ROM [ST13, BFW16].

Our second line of contributions is twofold. First, we prove (via a tight reduction) that in the AGM+ROM, Schnorr-signed ElGamal encryption is IND-CCA2-secure under the DDH assumption. While intuitively this should follow naturally from the straight-line extractability of Schnorr proofs of knowledge for algebraic adversaries, the formal proof is technically quite delicate: since messages are group elements, the “basis” of group-element inputs in terms of which the adversary provides representations contains not only the three group elements of the challenge ciphertext but also grows as the adversary queries the decryption oracle.Footnote 4

We finally consider the “hashed” variant of ElGamal (also known as DHIES) [ABR01], in which a key is derived as \(k=\mathsf {H}(xY)\). In the ROM, the corresponding key-encapsulation mechanism (KEM) is IND-CCA2-secure under the strong Diffie-Hellman assumption (i.e., CDH is hard even when given a DDH oracle) [CS03]. We propose to combine the two approaches: concretely, we consider the hashed ElGamal KEM together with a Schnorr signature proving knowledge of the randomness used for encapsulating the key and give a tight reduction of the IND-CCA2 security of this scheme to the DL problem in the AGM+ROM.

2 Preliminaries

We denote the (closed) integer interval from a to b by [ab] and let \([b]:=[1,b]\). A function is negligible (denoted \(\mu = \textsf {negl}\)) if . A function \(\nu \) is overwhelming if \(1-\nu = \textsf {negl}\). The logarithm in base 2 is denoted \(\lg \) and \(x\equiv _p y\) denotes \(x\equiv y\pmod p\). For a non-empty finite set S, sampling an element x from S uniformly at random is denoted . All algorithms are probabilistic unless stated otherwise. By \(y \leftarrow \mathcal {A}(x_1,\ldots ,x_n)\) we denote running algorithm \(\mathcal {A}\) on inputs \((x_1,\ldots ,x_n)\) and uniformly random coins and assigning the output to y. If \(\mathcal {A}\) has oracle access to some algorithm \(\textsc {Oracle}\), we write \(y \leftarrow \mathcal {A}^{\textsc {Oracle}}(x_1,\ldots ,x_n)\). A list \(\vec {z}=(z_1,\ldots ,z_n)\), also denoted \((z_i)_{i \in [n]}\), is a finite sequence. The length of a list \(\vec {z}\) is denoted \(|\vec {z}|\). The empty list is denoted \((\,)\).

A security game \(\text {GAME}_{{\textit{par}}}\) (see e.g. in Fig. 1) indexed by a set of parameters \({\textit{par}}\) consists of a main and oracle procedures. The main procedure has input the security parameter \(\lambda \) and runs an adversary \(\mathcal {A}\), which interacts with the game by calling the provided oracles. When the adversary stops, the game computes its output b, which we write . For truth values we identify with 0 and with 1. Games are either computational or decisional. The advantage of \(\mathcal {A}\) in \(\text {GAME}_{{\textit{par}}}\) is defined as if the game is computational and as if it is decisional, where the probability is taken over the random coins of the game and the adversary. We say that is hard if for any probabilistic polynomial-time (p.p.t.) adversary \(\mathcal {A}\).

A group description is a tuple where p is an odd prime, is an abelian group of order p, and G is a generator of . We will use additive notation for the group law throughout this paper, and denote group elements (including the generator G) with italic uppercase letters. We assume the existence of a p.p.t. algorithm \(\mathsf {GrGen}\) which, on input the security parameter \(1^\lambda \) in unary, outputs a group description where p is of bit-length \(\lambda \). Given an element , we let \(\log _G(X)\) denote the discrete logarithm of X in base G, i.e., the unique such that \(X=xG\). We write \(\log X\) when G is clear from context.

An algebraic security game (w.r.t. \(\mathsf {GrGen}\)) is a game \(\text {GAME}_{\mathsf {GrGen}}\) that (among other things) runs \(\varGamma \leftarrow \mathsf {GrGen}(1^\lambda )\) and runs the adversary on input . An algorithm \(\mathcal {A}_{\mathrm {alg}}\) executed in an algebraic game \(\text {GAME}_{\mathsf {GrGen}}\) is algebraic if for all group elements Z that it outputs, it also provides a representation of Z relative to all previously received group elements: if \(\mathcal {A}_{\mathrm {alg}}\) has so far received (where by convention we let \(X_0 = G\)), then \(\mathcal {A}_{\mathrm {alg}}\) must output Z together with such that \(Z = \sum _{i=0}^n z_i X_i\). We let \(Z_{[\vec {z}]}\) denote such an augmented output. When writing \(\vec {z}\) explicitly, we simply write \(Z_{[z_0,\ldots ,z_n]}\) (rather than \(Z_{[(z_0,\ldots ,z_n)]}\)) to lighten the notation.

Fig. 1.
figure 1

The DL and OMDL problems.

Full size image

The original paper [FKL18] considered the algebraic group model augmented by a random oracle and proved tight security of BLS signatures [BLS04] in this model. The random oracle in that work is of type , and as the outputs are group elements, the adversary’s group element representations could depend on them.

In this work the RO is typically of type . Thus, an algebraic adversary querying \(\mathsf {H}\) on some input (Zm) must also provide a representation for the group-element input Z. In a game that implements the random oracle by lazy sampling, to ease readability, we will define an auxiliary oracle \(\widetilde{\mathsf {H}}\), which is used by the game itself (and thus does not take representations of group elements as input) and implements the same function as \(\mathsf {H}\).

We recall the discrete logarithm (DL) problem in Fig. 1. The one-more discrete logarithm (OMDL) problem, also defined in Fig. 1, is an extension of the DL problem and consists in finding the discrete logarithm of q group elements by making strictly less than q calls to an oracle solving the discrete logarithm problem. It was introduced in [BNPS03] and used for example to prove the security of the Schnorr identification protocol against active and concurrent attacks [BP02].

3 Schnorr Signatures

3.1 Definitions

A signature scheme \(\mathsf {SIG}\) consists of the following algorithms:

  • \({\textit{par}}\leftarrow \mathsf {SIG}{.}\mathsf {Setup}(1^\lambda )\): the setup algorithm takes as input the security parameter \(\lambda \) in unary and outputs public parameters \({\textit{par}}\);

  • \(({\textit{sk}}, {\textit{pk}}) \leftarrow \mathsf {SIG}{.}\mathsf {KeyGen}({\textit{par}})\): the key generation algorithm takes parameters \({\textit{par}}\) and outputs a secret key \({\textit{sk}}\) and a public key \({\textit{pk}}\);

  • \(\sigma \leftarrow \mathsf {SIG}{.}\mathsf {Sign}({\textit{sk}}, m)\): the signing algorithm takes as input a secret key \({\textit{sk}}\) and a message \(m\in \{0,1\}^*\) and outputs a signature \(\sigma \);

  • \(b \leftarrow \mathsf {SIG}{.}\mathsf {Ver}({\textit{pk}}, m, \sigma )\): the (deterministic) verification algorithm takes \({\textit{pk}}\), a message m, and a signature \(\sigma \); it returns 1 if \(\sigma \) is valid and 0 otherwise.

Fig. 2.
figure 2

The EUF-CMA security game for a signature scheme \(\mathsf {SIG}\).

Full size image

Correctness requires that for any \(\lambda \) and any message m, when running \({\textit{par}}\leftarrow \mathsf {SIG}{.}\mathsf {Setup}(1^\lambda )\), \(({\textit{sk}},{\textit{pk}}) \leftarrow \mathsf {SIG}{.}\mathsf {KeyGen}({\textit{par}})\), \(\sigma \leftarrow \mathsf {SIG}{.}\mathsf {Sign}({\textit{sk}}, m)\), and \(b \leftarrow \mathsf {SIG}{.}\mathsf {Ver}({\textit{pk}}, m, \sigma )\), one has \(b=1\) with probability 1. The standard security notion for a signature scheme is existential unforgeability under chosen-message attack (EUF-CMA), formalized via game EUF-CMA, which we recall in Fig. 2. The Schnorr signature scheme [Sch91] is specified in Fig. 3.

Fig. 3.
figure 3

The Schnorr signature scheme \(\mathsf {Sch}[\mathsf {GrGen}]\) based on a group generator \(\mathsf {GrGen}\).

Full size image

3.2 Security of Schnorr Signatures in the AGM

As a warm-up and to introduce some of the techniques used later, we reduce security of Schnorr signatures to hardness of DL in the AGM+ROM.

Theorem 1

Let \(\mathsf {GrGen}\) be a group generator. Let \(\mathcal {A}_{\mathrm {alg}}\) be an algebraic adversary against the EUF-CMA security of the Schnorr signature scheme \(\mathsf {Sch}[\mathsf {GrGen}]\) running in time at most \(\tau \) and making at most \(q_\mathrm{s}\) signature queries and \(q_{\mathrm h}\) queries to the random oracle. Then there exists an algorithm \(\mathcal {B}\) solving the DL problem w.r.t. \(\mathsf {GrGen}\), running in time at most \(\tau + O(q_\mathrm{s}+q_{\mathrm h})\), such that

We start with some intuition for the proof. In the random oracle model, Schnorr signatures can be simulated without knowledge of the secret key by choosing random c and s, setting \(R:=sG-cX\) and then programming the random oracle so that \(\mathsf {H}(R,m)=c\). On the other hand, an adversary that returns a signature forgery \((m^*,(R^*,s^*))\) can be used to compute the discrete logarithm of the public key X. In the ROM this can be proved by rewinding the adversary and using the Forking Lemma [PS96b, PS00], which entails a security loss.

In the AGM+ROM, extraction is straight-line and the security proof thus tight: A valid forgery satisfies \(R^* = s^* G - c^* X\), with \(c^*:= \mathsf {H}(R^*,m^*)\). On the other hand, since the adversary is algebraic, when it made its first query \(\mathsf {H}(R^*,m^*)\), it provided a representation of \(R^*\) in basis (GX), that is \((\gamma ^*,\xi ^*)\) with \(R^* = \gamma ^* G + \xi ^* X\). Together, these equations yield

$$ (\xi ^*+c^*)X = (s^*-\gamma ^*)G. $$

Since \(c^*\) was chosen at random after the adversary chose \(\xi ^*\), the probability that \(\xi ^*+c^*\not \equiv _p 0\) is overwhelming, in which case we can compute the discrete logarithm of X from the above equation.

Proof of Theorem

1. Let \(\mathcal {A}_{\mathrm {alg}}\) be an algebraic adversary in and making at most \(q_\mathrm{s}\) signature queries and \(q_{\mathrm h}\) RO queries. We proceed by a sequence of games specified in Fig. 4.

\(\underline{\mathsf {Game}_0}\). The first game is EUF-CMA (Fig. 2) for the Schnorr signature scheme (Fig. 3) with a random oracle \(\mathsf {H}\). The game maintains a list \(\mathsf {Q}\) of queried messages and \(\mathsf {T}\) of values sampled for \(\mathsf {H}\). To prepare the change to \(\mathsf {Game}_1\), we have written the finalization of the game in an equivalent way: it first checks that \(m^* \notin \mathsf {Q}\) and then runs \(\mathsf {Sch}{.}\mathsf {Ver}({\textit{pk}},m^*,(R^*,s^*))\), which we have written explicitly. Since the adversary is algebraic, it must provide a representation \((\gamma ^*,\xi ^*)\) for its forgery \((m^*,(R^*_{[\gamma ^*,\xi ^*]},s^*)\) such that \(R^* = \gamma ^* G + \xi ^* X\), and similarly for each RO query \(\mathsf {H}(R_{[\gamma ,\xi ]},m)\). By definition,

(1)
Fig. 4.
figure 4

Games in the proof of Theorem 1. \(\mathsf {Game}_0\) is defined by ignoring all boxes; are included in \(\mathsf {Game}_1\) and \(\mathsf {Game}_2\); are only included in \(\mathsf {Game}_2\).

Full size image

\(\underline{\mathsf {Game}_1}\). We introduce an auxiliary table \(\mathsf {U}\) that for each query \(\mathsf {H}(R_{[\gamma ,\xi ]},m)\) stores the representation \((\gamma ,\xi )\) of R. Second, when the adversary returns its forgery \((m^*,(R^*_{[\gamma ^*,\xi ^*]},s^*))\) and previously made a query \(\mathsf {H}(R^*_{[\gamma ',\xi ']},m^*)\) for some \((\gamma ',\xi ')\), then we consider this previous representation of \(R^*\), that is, we set \((\gamma ^*,\xi ^*):=~(\gamma ',\xi ')\). The only actual difference to \(\mathsf {Game}_0\) is that \(\mathsf {Game}_1\) returns 0 in case \(\xi ^* \equiv _p - \mathsf {T}(R^*,m^*)\) (line (I)).

We show that this happens with probability \(1/p\le 1/2^{\lambda -1}\). First note that line (I) is only executed if \(m^* \notin \mathsf {Q}\), as otherwise the game would already have returned 0. Hence \(\mathsf {T}(R^*,m^*)\) can only have been defined either (1) during a call to \(\mathsf {H}\) or (2), if it is still undefined when \(\mathcal {A}_{\mathrm {alg}}\) stops, by the game when defining \(c^*\). In both cases the probability of returning 0 in line (I) is 1/p:

(1) If \(\mathsf {T}(R^*,m^*)\) was defined during a \(\mathsf {H}\) query of the form \(\mathsf {H}(R^*_{[\gamma ',\xi ']},m^*)\) then \(\mathsf {T}(R^*,m^*)\) is drawn uniformly at random and independently from \(\xi '\). Since then \(\mathsf {U}(R^*,m^*)\ne \bot \), the game sets \(\xi ^*:=\xi '\) and hence \(\xi ^* \equiv _p - \mathsf {T}(R^*,m^*)\) holds with probability exactly 1/p. (2) If \(\mathsf {T}(R^*,m^*)\) is only defined after the adversary output \(\xi ^*\) then again we have \(\xi ^* \equiv _p - \mathsf {T}(R^*,m^*)\) with probability 1/p. Hence,

(2)

\(\underline{\mathsf {Game}_2}\). In the final game we use the standard strategy of simulating the \(\textsc {Sign}\) oracle without the secret key x by programming the random oracle. \(\mathsf {Game}_1\) and \(\mathsf {Game}_2\) are identical unless \(\mathsf {Game}_2\) returns 0 in line (II). For each signature query, R is uniformly random, and the size of table \(\mathsf {T}\) is at most \(q_\mathrm{s}+q_{\mathrm h}\), hence the game aborts in line (II) with probability at most \((q_\mathrm{s}+q_{\mathrm h})/p \le (q_\mathrm{s}+q_{\mathrm h})/2^{\lambda -1}\). By summing over the at most \(q_\mathrm{s}\) signature queries, we have

(3)

We now construct an adversary \(\mathcal {B}\) solving DL with the same probability as \(\mathcal {A}_{\mathrm {alg}}\) wins \(\mathsf {Game}_2\). On input and X, the adversary runs \(\mathcal {A}_{\mathrm {alg}}\) on input and simulates \(\mathsf {Game}_2\), which can be done without knowledge of \(\log _G(X)\). Assume that the adversary wins \(\mathsf {Game}_2\) by returning \((m^*,R^*,s^*)\) and let \(c^* := \mathsf {T}(R^*,m^*)\) and \((\gamma ^*,\xi ^*)\) be defined as in the game. Thus, \(\xi ^* \ne -c^* \bmod p\) and \(R^* = \gamma ^*G + \xi ^* X\); moreover, validity of the forgery implies that \(s^*G = R^* + c^*X\). Hence, \((s^*-\gamma ^*)G = (\xi ^*+c^*)X\) and \(\mathcal {B}\) can compute \(\log X=(s^*-\gamma ^*)(\xi ^*+c^*)^{-1} \bmod p\). Combining this with Eqs. (1)–(3), we have

Assuming that scalar multiplications in and assignments in tables \(\mathsf {T}\) and \(\mathsf {U}\) take unit time, the running time of \(\mathcal {B}\) is \(\tau + O(q_\mathrm{s}+q_{\mathrm h})\).    \(\square \)

4 Blind Schnorr Signatures

4.1 Definitions

We start with defining the syntax and security of blind signature schemes and focus on schemes with a 2-round (i.e., 4 messages) signing protocol for concreteness.

A blind signature scheme \(\mathsf {BS}\) consists of the following algorithms:

  • \({\textit{par}}\leftarrow \mathsf {BS}{.}\mathsf {Setup}(1^\lambda )\) and \(({\textit{sk}},{\textit{pk}}) \leftarrow \mathsf {BS}{.}\mathsf {KeyGen}({\textit{par}})\) and \(b \leftarrow \mathsf {BS}{.}\mathsf {Ver}({\textit{pk}},m,\sigma )\) are defined as for regular signature schemes (Sect. 3.1).

  • \((b,\sigma ) \leftarrow \langle \mathsf {BS}{.}\mathsf {Sign}({\textit{sk}}),\mathsf {BS}{.}\mathsf {User}({\textit{pk}},m) \rangle \): an interactive protocol is run between the signer with private input a secret key \({\textit{sk}}\) and the user with private input a public key \({\textit{pk}}\) and a message m; the signer outputs \(b=1\) if the interaction completes successfully and \(b=0\) otherwise, while the user outputs a signature \(\sigma \) if it terminates correctly, and \(\bot \) otherwise. For a 2-round protocol the interaction can be realized by the following algorithms:

    $$\begin{aligned} ({\textit{msg}}_{U,0},{\textit{state}}_{U,0})&\leftarrow \mathsf {BS}{.}\mathsf {User}_0({\textit{pk}},m)\\[-.5ex] ({\textit{msg}}_{S,1},{\textit{state}}_S)&\leftarrow \mathsf {BS}{.}\mathsf {Sign}_1({\textit{sk}},{\textit{msg}}_{U,0})\\[-.5ex] ({\textit{msg}}_{U,1},{\textit{state}}_{U,1})&\leftarrow \mathsf {BS}{.}\mathsf {User}_1({\textit{state}}_{U,0},{\textit{msg}}_{S,1})\\[-.5ex] ({\textit{msg}}_{S,2},b)&\leftarrow \mathsf {BS}{.}\mathsf {Sign}_2({\textit{state}}_S,{\textit{msg}}_{U,1})\\[-.5ex] \sigma&\leftarrow \mathsf {BS}{.}\mathsf {User}_2({\textit{state}}_{U,1},{\textit{msg}}_{S,2}) \end{aligned}$$

    (Typically, \(\mathsf {BS}{.}\mathsf {User}_0\) just initiates the session, and thus \({\textit{msg}}_{U,0}=(\,)\) and \({\textit{state}}_{U,0}=({\textit{pk}},m)\).)

Correctness requires that for any \(\lambda \) and m, when running \({\textit{par}}\leftarrow \mathsf {BS}{.}\mathsf {Setup}(1^\lambda )\), \(({\textit{sk}},{\textit{pk}}) \leftarrow \mathsf {BS}{.}\mathsf {KeyGen}({\textit{par}})\), \((b,\sigma ) \leftarrow \langle \mathsf {BS}{.}\mathsf {Sign}({\textit{sk}}),\mathsf {BS}{.}\mathsf {User}({\textit{pk}},m) \rangle \), and \(b' \leftarrow \mathsf {BS}{.}\mathsf {Ver}({\textit{pk}}, m, \sigma )\), we have \(b=1=b'\) with probability 1.

Fig. 5.
figure 5

The (strong) unforgeability game for a blind signature scheme \(\mathsf {BS}\) with a 2-round signing protocol.

Full size image

The standard security notion for blind signatures demands that no user, after interacting arbitrary many times with a signer and k of these interactions were considered successful by the signer, can produce more than k signatures. Moreover, the adversary can schedule and interleave its sessions with the signer in any arbitrary way.

In game \(\text {UNF}_{\mathsf {BS}}^\mathcal {A}\) defined in Fig. 5 the adversary has access to two oracles \(\textsc {Sign}_1\) and \(\textsc {Sign}_2\) corresponding to the two phases of the interactive protocol. The game maintains two counters \(k_1\) and \(k_2\) (initially set to 0), where \(k_1\) is used as session identifier, and a set \(\mathcal {S}\) of “open” sessions. Oracle \(\textsc {Sign}_1\) takes the user’s first message (which for blind Schnorr signatures is empty), increments \(k_1\), adds \(k_1\) to \(\mathcal {S}\) and runs the first round on the signer’s side, storing its state as \({\textit{state}}_{k_1}\). Oracle \(\textsc {Sign}_2\) takes as input a session identifier j and a user message; if \(j \in \mathcal {S}\), it runs the second round on the signer’s side; if successful, it removes j from \(\mathcal {S}\) and increments \(k_2\), which thus represents the number of successful interactions.

\(\mathsf {BS}\) satisfies unforgeability if is negligible for all p.p.t. adversaries \(\mathcal {A}\). Note that we consider “strong” unforgeability, which only requires that all pairs \((m^*_i,\sigma ^*_i)\) returned by the adversary (rather than all messages \(m^*_i\)) are distinct.

Blindness requires that a signer cannot link a message/signature pair to a particular execution of the signing protocol. Formally, the adversary chooses two messages \(m_0\) and \(m_1\) and the experiment runs the signing protocol acting as the user with the adversary, first obtaining a signature \(\sigma _b\) on \(m_b\) and then \(\sigma _{1-b}\) on \(m_{1-b}\) for a random bit b. If both signatures are valid, the adversary is given \((\sigma _0,\sigma _1)\) and must determine the value of b. A formal definition can be found in the full version [FPS19].

Fig. 6.
figure 6

The signing protocol of the blind Schnorr signature scheme.

Full size image

A blind signature scheme \(\mathsf {BlSch}\) is obtained from the scheme \(\mathsf {Sch}\) in Fig. 3 by replacing \(\mathsf {Sch}{.}\mathsf {Sign}\) with the interactive protocol specified in Fig. 6 (the first message \({\textit{msg}}_{U,0}\) from the user to the signer is empty and is not depicted). Correctness follows since a signature \((R',s')\) obtained by the user after interacting with the signer satisfies \(\mathsf {Sch}{.}\mathsf {Ver}\):

$$\begin{aligned} s'G = sG+\alpha G = (r+cx)G+\alpha G&= R+\alpha G+\beta X+(-\beta +c)X \\&= R'+c'X = R'+\mathsf {H}(R',m)\,X. \end{aligned}$$

Moreover, Schnorr signatures achieve perfect blindness [CP93].

4.2 The ROS Problem

The security of blind Schnorr signatures is related to the ROS (Random inhomogeneities in an Overdetermined, Solvable system of linear equations) problem, which was introduced by Schnorr [Sch01]. Consider the game in Fig. 7, parameterized by a group generator \(\mathsf {GrGen}\),Footnote 5 an integer \(\ell \ge 1\), and a set \(\varOmega \) (we omit \(\mathsf {GrGen}\) and \(\varOmega \) from the notation when they are clear from context). The adversary \(\mathcal {A}\) receives a prime p and has access to a random oracle \(\mathsf {H}_\mathrm{ros}\) taking as input \((\vec {\rho },{\textit{aux}})\) where and \({\textit{aux}}\in \varOmega \). Its goal is to find \(\ell +1\) distinct pairs \((\vec {\rho }_i,{\textit{aux}}_i)_{i \in [\ell +1]}\) together with a solution \((c_j)_{j \in [\ell ]}\) to the linear system \(\textstyle \sum _{j=1}^{\ell } \rho _{i,j}c_j \equiv _p \mathsf {H}_\mathrm{ros}(\vec {\rho _i},{\textit{aux}}_i)\), \(i \in [\ell +1]\).Footnote 6

Fig. 7.
figure 7

The ROS game, where is a random oracle.

Full size image

The lemma below, which refines Schnorr’s observation [Sch01], shows how an algorithm \(\mathcal {A}\) solving the problem can be used to break the one-more unforgeability of blind Schnorr signatures. The proof is deferred to the full version [FPS19] due to space constraints.

Lemma 1

Let \(\mathsf {GrGen}\) be a group generator. Let \(\mathcal {A}\) be an algorithm for game , where , running in time at most \(\tau \) and making at most \(q_{\mathrm h}\) random oracle queries. Then there exists an (algebraic) adversary \(\mathcal {B}\) running in time at most \(\tau + O(\ell +q_{\mathrm h})\), making at most \(\ell \) queries to \(\textsc {Sign}_1\) and \(\textsc {Sign}_2\) and \(q_{\mathrm h}\) random oracle queries, such that

The hardness of ROS critically depends on \(\ell \). In particular, for small values of \(\ell \), ROS is statistically hard, as captured by the following lemma.

Lemma 2

Let \(\mathsf {GrGen}\) be a group generator, \(\ell \ge 1\), and \(\varOmega \) be some arbitrary set. Then for any adversary \(\mathcal {A}\) making at most \(q_{\mathrm h}\) queries to \(\mathsf {H}_\mathrm{ros}\),

Proof

Consider a modified game that is identical to ROS, except that it returns 0 when the adversary outputs \(((\vec {\rho }_i,{\textit{aux}}_i)_{i \in [\ell +1]},(c_j)_{j \in [\ell ]})\) such that for some \(i \in [\ell +1]\) it has not made the query \(\mathsf {H}_\mathrm{ros}(\vec {\rho }_i,{\textit{aux}}_i)\). Games ROS and ROS\(^*\) are identical unless in game ROS the adversary wins and has not made the query \(\mathsf {H}_\mathrm{ros}(\vec {\rho }_i,{\textit{aux}}_i)\) for some i, which happens with probability at most \(1/p \le 1/2^{\lambda -1}\). Hence,

In order to win the modified game ROS\(^*\), \(\mathcal {A}\) must in particular make \(\ell +1\) distinct random oracle queries \((\vec {\rho }_i,{\textit{aux}}_i)_{i \in [\ell +1]}\) such that the system

$$\begin{aligned} \textstyle \sum _{j=1}^{\ell } \rho _{i,j} c_j \equiv _p \mathsf {H}_\mathrm{ros}(\vec {\rho _i},{\textit{aux}}_i), \quad i \in [\ell +1] \end{aligned}$$
(4)

with unknowns \(c_1,\ldots ,c_{\ell }\) has a solution. Consider any subset of \(\ell +1\) queries \((\vec {\rho }_i,{\textit{aux}}_i)_{i \in [\ell +1]}\) made by the adversary to the random oracle and let M denote the \((\ell +1)\times \ell \) matrix whose i-th row is \(\vec {\rho }_i\) and let \(t \le \ell \) denote its rank. Then, Eq. (4) has a solution if and only if the row vector \(\vec {h} := (\mathsf {H}_\mathrm{ros}(\vec {\rho }_i,{\textit{aux}}_i))^\mathrm{T}_{i \in [\ell +1]}\) is in the span of the columns of M. Since \(\vec {h}\) is uniformly random, this happens with probability \(p^t/p^{\ell +1} \le 1/p \le 1/2^{\lambda -1}\). By the union bound,

which concludes the proof.    \(\square \)

On the other hand, the ROS\(_{\ell }\) problem can be reduced the \((\ell +1)\)-sum problem, for which Wagner’s generalized birthday algorithm [Wag02, MS12, NS15] can be used. More specifically, consider the \((\ell +1) \times \ell \) matrix

$$ (\rho _{i,j}) = \left[ {\begin{matrix} 1 &{} 0 &{} \cdots &{} 0 \\ 0 &{} 1 &{} \cdots &{} 0 \\ &{} &{} \ddots &{} \\ 0 &{} \cdots &{} 0 &{} 1 \\ 1 &{} \cdots &{} \cdots &{} 1 \end{matrix}}\right] $$

and let \(\vec {\rho }_i\) denote its i-th line, \(i \in [\ell +1]\). Let . The solving algorithm builds lists \(L_i=(\mathsf {H}_\mathrm{ros}(\vec {\rho }_i,{\textit{aux}}_{i,k}))_{k \in [q]}\) for \(i \in [\ell ]\) and \(L_{\ell +1}=(-\mathsf {H}_\mathrm{ros}(\vec {\rho }_{\ell +1},{\textit{aux}}_{\ell +1,k}))_{k \in [q]}\) for arbitrary values \({\textit{aux}}_{i,k}\) and uses Wagner’s algorithm to find an element \(e_i\) in each list \(L_i\) such that \(\sum _{i=1}^{\ell +1} e_i \equiv _p 0\). Then, it is easily seen that \(((\vec {\rho }_i,{\textit{aux}}_i)_{i \in [\ell +1]},(e_j)_{j \in [\ell ]})\), where \({\textit{aux}}_i\) is such that \(e_i=\mathsf {H}_\mathrm{ros}(\vec {\rho }_i,{\textit{aux}}_i)\), is a solution to the ROS problem. This algorithm makes random oracle queries, runs in time an space , and succeeds with constant probability.

4.3 Security of Blind Schnorr Signatures

We now formally prove that blind Schnorr signatures are unforgeable assuming the hardness of the one-more discrete logarithm problem and the ROS problem.

Theorem 2

Let \(\mathsf {GrGen}\) be a group generator. Let \(\mathcal {A}_{\mathrm {alg}}\) be an algebraic adversary against the UNF security of the blind Schnorr signature scheme \(\mathsf {BlSch}[\mathsf {GrGen}]\) running in time at most \(\tau \) and making at most \(q_\mathrm{s}\) queries to \(\textsc {Sign}_1\) and \(q_{\mathrm h}\) queries to the random oracle. Then there exist an algorithm \(\mathcal {B}_\mathrm{ros}\) for the ROS\(_{q_\mathrm{s}}\) problem making at most \(q_{\mathrm h}+q_\mathrm{s}+1\) random oracle queries and an algorithm \(\mathcal {B}_\mathrm{omdl}\) for the OMDL problem w.r.t. \(\mathsf {GrGen}\) making at most \(q_\mathrm{s}\) queries to its oracle \(\textsc {DLog}\), both running in time at most \(\tau + O(q_\mathrm{s}+q_{\mathrm h})\), such that

We start with explaining the proof idea. Consider an adversary in the unforgeability game, let X be the public key and \(R_1,\ldots ,R_{\ell }\) be the elements returned by the oracle \(\textsc {Sign}_1\) and let \((R^*_i,s^*_i)\) be the adversary’s forgeries on messages \(m^*_i\). As \(\mathcal {A}_{\mathrm {alg}}\) is algebraic, it must also output a representation \((\gamma _i,\xi _i,\vec \rho _i)\) for \(R^*_i\) w.r.t. the group elements received from the game: \(R^*_i = \gamma _i G + \xi _i X + \textstyle \sum _{j=1}^\ell \rho _{i,j} R_j\). Validity of the forgeries implies another representation, namely \(R^*_i=s^*_iG - c^*_i X\) with \(c^*_i=\mathsf {H}(R^*_i,m^*_i)\). Together, these yield

$$\begin{aligned} (c^*_i + \xi ^*_i) X + \textstyle \sum _{j=1}^{\ell } \rho ^*_{i,j}R_j = (s^*_i-\gamma ^*_i)G, \end{aligned}$$
(5)

which intuitively can be used to compute \(\log X\).

However, the reduction also needs to simulate \(\textsc {Sign}_2\) queries, for which, contrary to the proof for standard Schnorr signatures (Theorem 1), it cannot rely on programming the random oracle. In fact, the reduction can only win OMDL, which is an easier game than DL. In particular, the reduction obtains \(X,R_1,\ldots ,R_q\) from its challenger and must compute their logarithms. It can make q logarithm queries, which it uses to simulate the \(\textsc {Sign}_2\) oracle: on input \((j,c_j)\), it simply returns \(s_j \leftarrow \textsc {DLog}(R_j+c_jX)\).

But this means that in Eq. (5) the reduction does not know the logarithms of the \(R_j\)’s; all it knows is \(R_j = s_jG -c_jX\), which, when plugged into Eq. (5) yields

$$ \big (\underbrace{c^*_i + \xi ^*_i - \textstyle \sum _{j=1}^{\ell } \rho ^*_{i,j}c_j}_{=:\chi _i} \big ) X = \big (s^*_i-\gamma ^*_i - \textstyle \sum _{j=1}^{\ell } \rho ^*_{i,j} s_j \big )G. $$

Thus, if for some i, \(\chi _i\ne 0\), the reduction can compute \(x=\log X\), and derive \(r_j = \log R_j = s_j -c_j\,x\). Together, \(x,r_1,\ldots ,r_q\) constitute an OMDL solution.

On the other hand, we can show that if \(\chi _i=0\) for all i, then the adversary has actually found a solution to the ROS problem (Fig. 7): A reduction to ROS would answer the adversary’s queries \(\mathsf {H}(R_{[\gamma ,\xi ,\vec \rho ]},m)\) by \(\mathsf {H}_\mathrm{ros}(\vec \rho ,(\gamma ,\xi ,m))-\xi \); then \(\chi _i=0\) implies (recall that \(c^*_i = \mathsf {H}(R^*_i,m^*)\))

$$ 0 = \chi _i = {\mathsf {H}(R^*_i,m^*_i) + \xi ^*_i - \textstyle \sum _{j=1}^{\ell } \rho ^*_{i,j}c_j} = \mathsf {H}_\mathrm{ros}(\vec \rho ^*_i,(\gamma ^*_i,\xi ^*_i,m^*_i)) - \textstyle \sum _{j=1}^{\ell } \rho ^*_{i,j}c_j, $$

meaning \(\big ((\vec {\rho }^{\, *}_i,(\gamma ^*_i,\xi ^*_i,m^*_i))_i, (c_j)_j\big )\) is a solution to ROS.

To simplify the proof we first show the following lemma.

Lemma 3

Let \(\mathsf {GrGen}\) be a group generator and let \(\mathcal {A}\) be an adversary against the UNF security of the blind Schnorr signature scheme \(\mathsf {BlSch}[\mathsf {GrGen}]\) running in time at most \(\tau \) and making at most \(q_\mathrm{s}\) queries to \(\textsc {Sign}_1\) and \(q_{\mathrm h}\) queries to the random oracle. Then there exists an adversary \(\mathcal {B}\) that makes exactly \(q_\mathrm{s}\) queries to \(\textsc {Sign}_1\) and \(q_\mathrm{s}\) queries to \(\textsc {Sign}_2\) that do not return \(\bot \), and returns \(q_\mathrm{s}+1\) forgeries, running in time at most \(\tau + O(q_\mathrm{s})\), such that

Proof

We construct the following adversary that plays game UNF (Fig. 5). On input \({\textit{pk}}\), adversary \(\mathcal {B}\) runs \(\mathcal {A}({\textit{pk}})\) and relays all oracle queries and responses between its challenger and \(\mathcal {A}\). Let q be the number of \(\mathcal {A}\)’s \(\textsc {Sign}_1\) queries, let \(R_1,\ldots , R_q\) be the answers, and let \(\mathcal {C}\) be the completed sessions, that is, the set of values j such that \(\mathcal {A}\) queried \(\textsc {Sign}_2\) on some input \((j,*)\) and \(\textsc {Sign}_2\) did not reply \(\bot \). Let \((m^*_i,(R^*_i,s^*_i))_{i \in [n]}\) be \(\mathcal {A}\)’s output, for which we must have \(k=|\mathcal {C}|<n\) when \(\mathcal {A}\) wins.

\(\mathcal {B}\) then makes \(q_\mathrm{s}-q\) queries to \(\textsc {Sign}_1\) to receive \(R_{q+1},\ldots ,R_{q_\mathrm{s}}\). Next, \(\mathcal {B}\) completes all \(q_\mathrm{s}-k\) open signing sessions for distinct messages by following the protocol in Fig. 6: for every \(j\in \mathcal {S}:=[1,\ldots ,q_\mathrm{s}]\setminus \mathcal {C}\), adversary \(\mathcal {B}\) picks a fresh message \(m_j\notin \{m^*_i\}_{i\in [n]}\cup \{m_i\}_{i\in \mathcal {S}\setminus [j]}\) and , computes \(R'_j:=R_j+\alpha _jG+\beta _jX\), queries \(\mathsf {H}(R',m_j)\) to get \(c'_j\), computes \(c_j:=c'_j+\beta _j\bmod p\) and queries \((j,c_j)\) to \(\textsc {Sign}_2\). Upon receiving \(s_j\), \(\mathcal {B}\) computes \(s'_j:=s_j+\alpha _j\bmod p\), which yields a signature \((R'_j,s'_j)\) on message \(m_j\).

Finally, \(\mathcal {B}\) concatenates \(\mathcal {A}\)’s output with \(q_\mathrm{s}+1-n\le q_\mathrm{s}-k\) signatures: let \(\mathcal {S}=\{j_1,\ldots ,j_{q_\mathrm{s}-k}\}\); then \(\mathcal {B}\) returns \((m^*_i,(R^*_i,s^*_i))_{i \in [n]}\,\Vert \,(m_{j_i},(R'_{j_i},s'_{j_i}))_{i\in [q_\mathrm{s}+1-n]}\). When \(\mathcal {A}\) wins the game, all tuples \((m^*_i,(R^*_i,s^*_i))\) are different; as all remaining messages also differ, all tuples output by \(\mathcal {B}\) are distinct. By correctness of the scheme, \(\mathcal {B}\)’s signatures are valid. Thus whenever \(\mathcal {A}\) wins, then so does \(\mathcal {B}\).    \(\square \)

Proof of Theorem

2. Let \(\mathcal {A}_{\mathrm {alg}}\) be an algebraic adversary making at most \(q_\mathrm{s}\) queries to \(\textsc {Sign}_1\) and \(q_{\mathrm h}\) random oracle queries. By the above lemma, we can assume that \(\mathcal {A}_{\mathrm {alg}}\) makes exactly \(\ell :=q_\mathrm{s}\) queries to \(\textsc {Sign}_1\), closes all sessions, and returns \(\ell +1\) valid signatures. We proceed with a sequence of games defined in Fig. 8.

Fig. 8.
figure 8

Games used in the proof of Theorem 2. \(\mathsf {Game}_0\) ignores all boxes. The in \(\mathsf {Game}_1\) and oracle \(\mathsf {H}\) show how reduction \(\mathcal {B}_\mathrm{ros}\) solves ROS; the in the \(\textsc {Sign}\) oracles show how \(\mathcal {B}_\mathrm{omdl}\) embeds its challenges and simulates \(\mathsf {Game}_1\).

Full size image

\(\underline{\mathsf {Game}_0}\). The first game is the UNF game (Fig. 5) for scheme \(\mathsf {BlSch}[\mathsf {GrGen}]\) played with \(\mathcal {A}_{\mathrm {alg}}\) in the random oracle model. We have written the finalization of the game in a different but equivalent way. In particular, instead of checking that \((m^*_i,(R^*_i,s^*_i)) \ne (m^*_{i'},(R^*_{i'},s^*_{i'}))\) for all \(i\ne i' \in [\ell +1]\), we simply check that \((m^*_i,R^*_i) \ne (m^*_{i'},R^*_{i'})\). This is equivalent since for any pair (mR), there is a single such that (Rs) is a valid signature for m. Hence, if the adversary returns \((m^*_i,(R^*_i,s^*_i))\) and \((m^*_{i'},(R^*_{i'},s^*_{i'}))\) with \((m^*_i,R^*_i) = (m^*_{i'},R^*_{i'})\) and \(s^*_i \ne s^*_{i'}\), at least one of the two forgeries is invalid. Thus,

(6)

\(\underline{\mathsf {Game}_1}\). In \(\mathsf {Game}_1\), we make the following changes (which are analogous to those in the proof of Theorem 1). First, we introduce an auxiliary table \(\mathsf {U}\) that for each query \(\mathsf {H}(R_{[\gamma ,\xi ,\vec {\rho }]},m)\) stores the representation \((\gamma ,\xi ,\vec {\rho })\) of R. Second, when the adversary returns its forgeries \((m^*_i,({R^*_i}_{[\gamma _i,\xi _i,\vec {\rho }_i]},s^*_i))_{i \in [\ell +1]}\), then for each \(i \in [\ell +1]\) for which \(\mathsf {T}(R^*_i,m^*_i)\) is undefined, we emulate a call to \(\mathsf {H}({R^*_i}_{[\gamma _i,\xi _i,\vec {\rho }_i]},m^*_i)\). Again, this does not change the output of the game, since in \(\mathsf {Game}_0\), the value \(\mathsf {T}(R^*_i,m^*_i)\) would be randomly assigned when the game calls \(\widetilde{\mathsf {H}}\) to check the signature. Finally, for each \(i \in [\ell +1]\), we retrieve \((\gamma ^*_i,\xi ^*_i,\vec {\rho }^{\,*}_i) := \mathsf {U}(R^*_i,m^*_i)\) (which is necessarily defined at this point) and return 0 if \(\sum _{i=1}^{\ell } \rho ^*_{i,j}c_j \equiv _p c^*_i + \xi ^*_i\) for all \(i \in [\ell +1]\), where \(c_j\) is the (unique) value submitted to \(\textsc {Sign}_2\) together with j and not answered by \(\bot \).

\(\mathsf {Game}_0\) and \(\mathsf {Game}_1\) are identical unless \(\mathsf {Game}_1\) returns 0 in line (I). We reduce indistinguishability of the games to ROS by constructing an algorithm \(\mathcal {B}_\mathrm{ros}\) solving the ROS\(_{\ell }\) problem whenever \(\mathsf {Game}_1\) stops in line (I). Algorithm \(\mathcal {B}_\mathrm{ros}\), which has access to oracle \(\mathsf {H}_\mathrm{ros}\), runs \(\mathcal {A}_{\mathrm {alg}}\) and simulates \(\mathsf {Game}_1\) in a straightforward way, except for using its \(\mathsf {H}_\mathrm{ros}\) oracle to define the entries of \(\mathsf {T}\).

In particular, consider a query \(\mathsf {H}(R_{[\gamma ,\xi ,\vec {\rho }]},m)\) by \(\mathcal {A}_{\mathrm {alg}}\) such that \(\mathsf {T}(R,m)=\bot \). Then \(\mathcal {B}_\mathrm{ros}\) pads the vector \(\vec \rho \) with 0’s to make it of length \(\ell \) (at this point, not all \(R_1,\ldots ,R_\ell \) are necessarily defined, so \(\vec \rho \) might not be of length \(\ell \)), and assigns \(\mathsf {T}(R,m) := \mathsf {H}_\mathrm{ros}(\vec {\rho },(\gamma ,\xi ,m))-\xi \) (cf. in Fig. 8). Similarly, when \(\mathcal {A}_{\mathrm {alg}}\) returns its forgeries \((m^*_i,({R^*_i}_{[\gamma _i,\xi _i,\vec {\rho }_i]},s^*_i))_{i \in [\ell +1]}\), then for each \(i \in [\ell +1]\) with \(\mathsf {T}(R^*_i,m^*_i) =\bot \), reduction \(\mathcal {B}_\mathrm{ros}\) assigns \(\mathsf {T}(R^*_i,m^*_i) := \mathsf {H}_\mathrm{ros}(\vec {\rho }_i,(\gamma _i,\xi _i,m^*_i))-\xi _i\). Since \(\mathsf {H}_\mathrm{ros}\) returns uniformly random elements in , the simulation is perfect.

If \(\mathsf {Game}_1\) aborts in line (I), \(\mathcal {B}_\mathrm{ros}\) returns \(((\vec {\rho }^{\, *}_i,(\gamma ^*_i,\xi ^*_i,m^*_i))_{i \in [\ell +1]},(c_j)_{j \in [\ell ]})\), where \((\gamma ^*_i,\xi ^*_i,\vec {\rho }^{\, *}_i) := \mathsf {U}(R^*_i,m^*_i)\). We show that this is a valid ROS solution.

First, for all \(i \ne i' \in [\ell +1]\): \((\vec {\rho }^{\, *}_i,(\gamma ^*_i,\xi ^*_i,m^*_i)) \ne (\vec {\rho }^{\, *}_{i'},(\gamma ^*_{i'},\xi ^*_{i'},m^*_{i'})\). Indeed, otherwise we would have \((m^*_i,R^*_i) = (m^*_{i'},R^*_{i'})\) and the game would have returned 0 earlier. Second, since the game returns 0 in line (I), we have \(\textstyle \sum _{j=1}^{\ell } \rho ^*_{i,j} c_j \equiv _p c^*_i + \xi ^*_i\) for all \(i \in [\ell +1]\). Hence, to show that the ROS solution is valid, it is sufficient to show that for all \(i \in [\ell +1]\), \(c^*_i = \mathsf {H}_\mathrm{ros}(\vec {\rho }^{\, *}_i,(\gamma ^*_i,\xi ^*_i,m^*_i)) - \xi ^*_i\). This is clearly the case if \(\mathsf {T}(R^*_i,m^*_i) = \bot \) when the adversary returns its forgeries. Indeed, in that case \((\gamma ^*_i,\xi ^*_i,\vec {\rho }^{\, *}_i) = (\gamma _i,\xi _i,\vec {\rho }_i)\) and

$$ c^*_i = \mathsf {T}(R^*_i,m^*_i) = \mathsf {H}_\mathrm{ros}(\vec {\rho }_i,(\gamma _i,\xi _i,m^*_i))-\xi _i = \mathsf {H}_\mathrm{ros}(\vec {\rho }^{\, *}_i,(\gamma ^*_i,\xi ^*_i,m^*_i)) - \xi ^*_i. $$

Otherwise, \(\mathsf {T}(R^*_i,m^*_i)\) was necessarily assigned during a call to \(\mathsf {H}\), and this call was of the form \(\mathsf {H}({R^*_i}_{[\gamma ^*_i,\xi ^*_i,\vec {\rho }^{\, *}_i]}, m^*_i)\), which implies that \(c^*_i = \mathsf {T}(R^*_i,m^*) = \mathsf {H}_\mathrm{ros}(\vec {\rho }^{\, *}_i,(\gamma ^*_i,\xi ^*_i,m^*_i)) - \xi ^*_i\). Hence,

(7)

Moreover, it is easy to see that \(\mathcal {B}_\mathrm{ros}\) makes at most \(q_{\mathrm h}+\ell +1\) queries to \(\mathsf {H}_\mathrm{ros}\) and runs in time at most \(\tau +O(\ell +q_{\mathrm h})\), assuming scalar multiplications in and table assignments take unit time.

In our last step, we construct an algorithm \(\mathcal {B}_\mathrm{omdl}\) solving OMDL whenever \(\mathcal {A}_{\mathrm {alg}}\) wins \(\mathsf {Game}_1\). Algorithm \(\mathcal {B}_\mathrm{omdl}\), which has access to two oracles \(\textsc {Chal}\) and \(\textsc {DLog}\) (see Fig. 1) takes as input a group description , makes a first query \(X\leftarrow \textsc {Chal}()\), and runs \(\mathcal {A}_{\mathrm {alg}}\) on input , simulating \(\mathsf {Game}_1\) as follows (cf. in Fig. 8). Each time \(\mathcal {A}_{\mathrm {alg}}\) makes a \(\textsc {Sign}_1()\) query, \(\mathcal {B}_\mathrm{omdl}\) queries its \(\textsc {Chal}\) oracle to obtain \(R_j\). It simulates \(\textsc {Sign}_2(j,c)\) without knowledge of x and \(r_j\) by querying \(s_j \leftarrow \textsc {DLog}(R_j+cX)\).

Assume that \(\mathsf {Game}_1\) returns 1, which implies that all forgeries \((R^*_i,s^*_i)\) returned by \(\mathcal {A}_{\mathrm {alg}}\) are valid. We show how \(\mathcal {B}_\mathrm{omdl}\) solves OMDL. First, note that \(\mathcal {B}_\mathrm{omdl}\) made exactly \(\ell \) calls to its oracle \(\textsc {DLog}\) in total (since it makes exactly one call for each (valid) \(\textsc {Sign}_2\) query made by \(\mathcal {A}_{\mathrm {alg}}\)).

Since \(\mathsf {Game}_1\) did not return 0 in line (I), there exists \(i\in [\ell +1]\) such that

$$\begin{aligned} \textstyle \sum _{j=1}^{\ell } \rho ^*_{i,j} c_j \not \equiv _p c^*_i + \xi ^*_i. \end{aligned}$$
(8)

For all i, the adversary returned a representation \((\gamma ^*_i,\xi ^*_i,\vec {\rho }^{\,*}_i)\) of \(R^*_i\), thus

$$\begin{aligned} R^*_i = \gamma ^*_i G + \xi ^*_i X + \textstyle \sum _{j=1}^{\ell } \rho ^*_{i,j} R_j. \end{aligned}$$
(9)

On the other hand, validity of the i-th forgery yields another representation: \(R^*_i = s^*_i G + c^* _i X.\) Combining these two, we get

$$\begin{aligned} (c^*_i + \xi ^*_i) X + \textstyle \sum _{j=1}^{\ell } \rho ^*_{i,j}R_j = (s^*_i-\gamma ^*_i)G. \end{aligned}$$
(10)

Finally, for each \(j\in [\ell ]\), \(s_j\) was computed with a call \(s_j \leftarrow \textsc {DLog}(R_j+c_jX)\), hence

$$\begin{aligned} R_j = s_jG - c_jX. \end{aligned}$$
(11)

Injecting Eq. (11) in Eq. (10), we obtain

$$\begin{aligned} \left( c^*_i + \xi ^*_i - \textstyle \sum _{j=1}^{\ell } \rho ^*_{i,j}c_j \right) X = \left( s^*_i-\gamma ^*_i - \textstyle \sum _{j=1}^{\ell } \rho ^*_{i,j} s_j \right) G. \end{aligned}$$
(12)

Since by Eq. (8) the coefficient in front of X is non-zero, this allows \(\mathcal {B}_\mathrm{omdl}\) to compute \(x:=\log X\). Furthermore, from Eq. (11) we have \(r_j:= \log R_j = s_j-c_jx\) for all \(j\in [\ell ]\). By returning \((x,r_1,\ldots ,r_\ell )\), \(\mathcal {B}_\mathrm{omdl}\) solves the OMDL problem whenever \(\mathcal {A}_{\mathrm {alg}}\) wins \(\mathsf {Game}_1\), which implies

(13)

The theorem now follows from Eqs. (6), (7) and (13).    \(\square \)

Fig. 9.
figure 9

The clause blind Schnorr signing protocol.

Full size image

5 The Clause Blind Schnorr Signature Scheme

We present a variation of the blind Schnorr signature scheme that only modifies the signing protocol. The scheme thus does not change the signatures themselves, meaning that it can be very smoothly integrated in existing applications.

The signature issuing protocol is changed so that it prevents the adversary from attacking the scheme by solving the ROS problem using Wagner’s algorithm [Wag02, MS12]. The reason is that, as we show in Theorem 3, the attacker must now solve a modified ROS problem, which we define in Fig. 10.

We start with explaining the modified signing protocol, formally defined in Fig. 9. In the first round the signer and the user execute two parallel runs of the blind signing protocol from Fig. 6, of which the signer only finishes one at random in the last round, that is, it finishes \((\text {Run}_1\,\vee \,\text {Run}_2)\): the clause from which the scheme takes its name.

This minor modification has major consequences. In the attack against the standard blind signature scheme (see Sect. 4.2), the adversary opens \(\ell \) signing sessions, receiving \(R_1,\ldots ,R_\ell \), then searches a solution to the ROS problem and closes the signing sessions by sending \(c_1,\ldots ,c_\ell \). Our modified signing protocol prevents this attack, as now for every opened session the adversary must guess which of the two challenges the signer will reply to. Only if all its guesses are correct is the attack successful. As the attack only works for large values of \(\ell \), this probability vanishes exponentially.

Fig. 10.
figure 10

The modified ROS problem.

Full size image

In Theorem 3 we make this intuition formal; that is, we define a modified ROS game, which we show any successful attacker (which does not solve OMDL) must solve.

We have used two parallel executions of the basic protocol for the sake of simplicity, but the idea can be straightforwardly generalized to \(t>2\) parallel runs, of which the signer closes only one at random in the last round, that is, it closes \((\text {Run}_1\,\vee \ldots \vee \,\text {Run}_t)\). This decreases the probability that the user correctly guesses which challenges will be answered by the signer in \(\ell \) concurrent sessions.

Consider Fig. 10. The difference to the original ROS problem (Fig. 7) is that the queries to the \(\mathsf {H}_\mathrm{ros}\) oracle consist of two vectors \(\vec \rho _0,\vec \rho _1\) and additional \({\textit{aux}}\) information. Analogously, the adversary’s task is to return \(\ell +1\) tuples \((\vec {\rho }_{i,0},\vec {\rho }_{i,1},{\textit{aux}}_i)\), except that the ROS solution \(c^*_1,\ldots ,c^*_\ell \) is selected as follows: for every index \(j\in [\ell ]\) the adversary must query an additional oracle \(\textsc {Select}(j,c_{j,0},c_{j,1})\), which flips a random bit \(b_j\) and sets the j-th coordinate of the solution to \(c^*_j:=c_{j,b_j}\).

Up to now, nothing really changed, as an adversary could always choose \(\vec \rho _{i,0}=\vec \rho _{i,1}\) and \(c_{j,0}=c_{j,1}\) for all indices, and solve the standard ROS problem. What complicates the task for the adversary considerably is the additional winning condition, which demands that in all tuples returned by the adversary, the \(\rho \) values that correspond to the complement of the selected bit must be zero, that is, for all \(i\in [\ell +1]\) and all \(j \in [\ell ]\): \(\rho _{i,1-b_j,j} = 0\). The adversary thus must commit to the solution coordinate \(c^*_j\) before it learns \(b_j\), which then restricts the format of its \(\rho \) values.

We conjecture that the best attack against this modified ROS problem is to guess the \(\ell \) bits \(b_j\) and to solve the standard ROS problem based on this guess using Wagner’s algorithm. Hence, the complexity of the attack is increased by a factor \(2^{\ell }\) and requires time

Fig. 11.
figure 11

Estimated complexity \(\tau \) of conjectured best attack against the modified ROS problem as a function of parameter \(\ell \) for \(\lambda = 256\) (solid line) and \(\lambda = 512\) (dashed line).

Full size image

This estimated complexity is plotted for \(\lambda \in \{256,512\}\) in Fig. 11. This should be compared to the standard Wagner attack with \(\ell +1 = 2^{\sqrt{\lambda }}\) running in time \(2^{32}\) and \(2^{45}\), respectively, for the same values of the security parameter.

We now prove that the Schnorr signature scheme from Fig. 3, with the signing algorithm replaced by the protocol in Fig. 9 is secure under the OMDL assumption for the underlying group and hardness of the modified ROS problem.

Theorem 3

Let \(\mathsf {GrGen}\) be a group generator. Let \(\mathcal {A}_{\mathrm {alg}}\) be an algebraic adversary against the UNF security of the clause blind Schnorr signature scheme \(\mathsf {CBlSch}[\mathsf {GrGen}]\) running in time at most \(\tau \) and making at most \(q_\mathrm{s}\) queries to \(\textsc {Sign}_1\) and \(q_{\mathrm h}\) queries to the random oracle. Then there exist an algorithm \(\mathcal {B}_\mathrm{mros}\) for the MROS\(_{q_\mathrm{s}}\) problem making at most \(q_{\mathrm h}+q_\mathrm{s}+1\) random oracle queries and an algorithm \(\mathcal {B}_\mathrm{omdl}\) for the OMDL problem w.r.t. \(\mathsf {GrGen}\) making at most \(q_\mathrm{s}\) queries to its oracle \(\textsc {DLog}\), both running in time at most \(\tau + O(q_\mathrm{s}+q_{\mathrm h})\), such that

Fig. 12.
figure 12

Games used in the proof of Theorem 3. The show how \(\mathcal {B}_\mathrm{mros}\) solves MROS; the show how \(\mathcal {B}_\mathrm{omdl}\) solves OMDL.

Full size image

The theorem follows by adapting the proof of Theorem 2; we therefore discuss the changes and refer to Fig. 12, which compactly presents all the details.

The proof again proceeds by one game hop, where an adversary behaving differently in the two games is used to break the modified ROS problem; the only change to the proof of Theorem 2 is that when simulating \(\textsc {Sign}_2\), the reduction \(\mathcal {B}_\mathrm{mros}\) calls \(\textsc {Select}(j,c_{j,0},c_{j,1})\) to obtain bit b instead of choosing it itself. By definition, \(\mathsf {Game}_1\) aborts in line (I) if and only if \(\mathcal {B}_\mathrm{mros}\) has found a solution for MROS.

The difference in the reduction to OMDL of the modified game is that the adversary can fail to solve MROS in two ways: (1) its values \(((\rho _{i,b_j,j})_{i,j},(c_j)_j)\) are not a ROS solution; in this case the reduction can solve OMDL as in the proof of Theorem 2; (2) these values are a ROS solution, but for some ij, we have \(\rho _{i,1-b_j,j} \ne 0\). We show that in this case the OMDL reduction can compute the discrete logarithm of one of the values \(R_{j,1-b_j}\).

More in detail, the main difference to Theorem 2 is that the representation of the values \(R^*_i\) in the adversary’s forgery depend on both the \(R_{j,0}\) and the \(R_{j,1}\) values; we can thus write them as

$$ R^*_i = \gamma ^*_i G + \xi ^*_i X + \textstyle \sum _{j=1}^{\ell } \rho ^*_{i,b_j,j} R_{j,b_j} + \textstyle \sum _{j=1}^{\ell } \rho ^*_{i,1-b_j,j} R_{j,1-b_j}~ $$

(this corresponds to Eq. (9) in the proof of Theorem 2). Validity of the forgery implies \(R^*_i = s^*_iG-c^*_iX\), which together with the above yields

$$ (c^*_i + \xi ^*_i) X + \textstyle \sum _{j=1}^{\ell } \rho ^*_{i,b_j,j} R_{j,b_j} = (s^*_i-\gamma ^*_i)G - \textstyle \sum _{j=1}^{\ell } \rho ^*_{i,1-b_j,j} R_{j,1-b_j}~ $$

(cf. Eq. (10)). By definition of \(s_j\), we have \(R_{j,b_j} = s_jG - c_jX\) for all \(j\in [\ell ]\); the above equation becomes thus

$$\begin{aligned}&\big (c^*_i + \xi ^*_i - \textstyle \sum _{j=1}^{\ell } \rho ^*_{i,b_j,j}c_j \big ) X \\ \nonumber&\quad \qquad \qquad \qquad = \big (s^*_i-\gamma ^*_i - \textstyle \sum _{j=1}^{\ell } \rho ^*_{i,b_j,j} s_j \big )G - \textstyle \sum _{j=1}^{\ell } \rho ^*_{i,1-b_j,j} R_{j,1-b_j}~ \end{aligned}$$
(14)

(which corresponds to Eq. (12) in Theorem 2). In Theorem 2, not solving ROS implied that for some i, the coefficient of X in the above equation was non-zero, which allowed computation of \(\log X\).

However, if the adversary sets all these coefficients to 0, it could still fail to solve MROS if \(\rho ^*_{i^*,1-b_{j^*},{j^*}}\ne 0\) for some \(i^*,j^*\) (this is case (2) defined above). In this case \(\mathsf {Game}_1\) does not abort and the OMDL reduction \(\mathcal {B}_\mathrm{omdl}\) must succeed. Since in this case the left-hand side of Eq. (14) is then 0, \(\mathcal {B}_\mathrm{omdl}\) can, after querying \(\textsc {DLog}(R_{j,1-b_j})\) for all \(j\ne j^*\), compute \(\textsc {DLog}(R_{j^*,1-b_{j^*}})\), which breaks OMDL.

We finally note that the above case distinction was merely didactic, as the same OMDL reduction can handle both cases simultaneously, which means that our reduction does not introduce any additional security loss. In particular, the reduction obtains X and all values \((R_{j,0},R_{j,1})\) from its OMDL challenger, then handles case (2) as described, and case (1) by querying \(R_{1,1-b_1},\ldots ,R_{\ell ,1-b_\ell }\) to its \(\textsc {DLog}\) oracle. In both cases it made \(2\ell \) queries to \(\textsc {DLog}\) and computed the discrete logarithms of all \(2\ell +1\) challenges.

Figure 12 presents the unforgeability game and \(\mathsf {Game}_1\), which aborts if the adversary solved MROS. The gray and dark gray comments also precisely define how a reduction \(\mathcal {B}_\mathrm{mros}\) solves MROS whenever \(\mathsf {Game}_1\) aborts in line (I), and how a reduction \(\mathcal {B}_\mathrm{omdl}\) solves OMDL whenever \(\mathcal {A}_{\mathrm {alg}}\) wins \(\mathsf {Game}_1\).

Blindness of the “clause” variant in Fig. 9 follows via a hybrid argument from blindness of the standard scheme (Fig. 6). In the game defining blindness the adversary impersonates a signer and selects two messages \(m_0\) and \(m_1\). The game flips a bit b, runs the signing protocol with the adversary for \(m_b\) and then for \(m_{1-b}\). If both sessions terminate, the adversary is given the resulting signatures and must determine b.

In the blindness game for scheme \(\mathsf {CBlSch}\), the challenger runs two instances of the issuing protocol from \(\mathsf {BlSch}\) for \(m_b\) of which the signer finishes one, as determined by its message \((\beta _b,s_b)\) in the third round (\(\beta _b\) corresponds to b in Fig. 9), and then two instances for \(m_{1-b}\).

If \(b=0\), the challenger thus asks the adversary for signatures on \(m_0,m_0,m_1\) and then \(m_1\). We define a hybrid game where the order of the messages is \(\underline{m_1},m_0,\underline{m_0}, m_1\); this game thus lies between the blindness games for \(b=0\) and \(b=1\), where the messages are \(m_1,m_1,m_0,m_0\). The original games differ from the hybrid game by exactly one message pair; intuitively, they are thus indistinguishable by blindness of \(\mathsf {BlSch}\).

A technical detail is that the above argument only works when \(\beta _0=\beta _1\), as otherwise both reductions (between each original game and the hybrid game) abort one session and do not get any signatures from its challenger. The reductions thus guess the values \(\beta _0\) and \(\beta _1\) (and return a random bit if the guess turns out wrong). The hybrid game then replaces the \(\beta _0\)-th message of the first two and the \(\beta _1\)-th of the last two (as opposed to the ones underlined as above). Following this argument, in the full version [FPS19] we prove the following:

Theorem 4

Let \(\mathcal {A}\) be a p.p.t. adversary against blindness of the scheme \(\mathsf {CBlSch}\). Then there exist two p.p.t. algorithms \(\mathcal {B}_1\) and \(\mathcal {B}_2\) against blindness of \(\mathsf {BlSch}\) such that

Since the (standard) blind Schnorr signature scheme is perfectly blind [CP93], by the above, our variant also satisfies perfect blindness.

6 Schnorr-Signed ElGamal Encryption

A public key for the ElGamal public-key encryption (PKE) scheme is a group element . Messages are group elements and to encrypt M under Y, one samples a random and derives an ephemeral key \(K := xY\) to blind the message: \(C:= xY+M\). Given in addition the value \(X := xG\), the receiver that holds \(y=\log Y\) can derive \(K := yX\) and recover \(M:=C-K\).

Fig. 13.
figure 13

The DDH problem.

Full size image
Fig. 14.
figure 14

The Schnorr-Signed ElGamal PKE scheme \(\mathsf {SEG}[\mathsf {GrGen}]\).

Full size image

Under the decisional Diffie-Hellman (DDH) assumption (see Fig. 13), ciphertexts of different messages are computationally indistinguishable: replacing K by a random value \(K'\) makes the ciphertext C perfectly hide the message. In the AGM, ElGamal, viewed as a key-encapsulation mechanism (KEM) was shown to satisfy CCA1-security (where the adversary can only make decryption queries before seeing the challenge key) under a parametrized variant of DDH [FKL18].

The idea of Schnorr-signed ElGamal is to accompany the ciphertext by a proof of knowledge of the randomness \(x=\log X\) used to encrypt, in particular, a Schnorr signature on the pair (XC) under the public key X. The scheme is detailed in Fig. 14. (Note that we changed the argument order in the hash function call compared to Sect. 3 so that it is the same as in ciphertexts.)

The strongest security notion for PKE is indistinguishability of ciphertexts under adaptive chosen-ciphertext attack (IND-CCA2), where the adversary can query decryptions of ciphertexts of its choice even after receiving the challenge. The (decisional) game IND-CCA2 is defined in Fig. 15.

When ephemeral keys are hashed (that is, defined as \(k:= \mathsf {H}'(xY)\)) and the scheme is viewed as a KEM, then CCA2-security can be reduced to the strong Diffie-Hellman (SDH) assumptionFootnote 7 [ABR01, CS03] in the ROM. In the full version [FPS19] we show that when key hashing is applied to the Schnorr-signed ElGamal scheme from Fig. 14, then in the AGM+ROM we can directly reduce CCA2-security of the corresponding KEM to the DL assumption (Fig. 1); in particular, we do so using a tight security proof (note that SDH is equivalent to DL in the AGM [FKL18] but the reduction from DL to SDH is non-tight). Here we prove that the Schnorr-signed ElGamal PKE is IND-CCA2-secure in the AGM+ROM under the DDH assumption.

Fig. 15.
figure 15

The IND-CCA2 security game for a PKE scheme \(\mathsf {PKE}\).

Full size image

Theorem 5

Let \(\mathsf {GrGen}\) be a group generator. Let \(\mathcal {A}_{\mathrm {alg}}\) be an algebraic adversary against the IND-CCA2 security of the Schnorr-signed ElGamal PKE scheme \(\mathsf {SEG}[\mathsf {GrGen}]\) making at most \(q_\mathrm{d}\) decryption queries and \(q_{\mathrm h}\) queries to the random oracle. Then there exist two algorithms \(\mathcal {B}_1\) and \(\mathcal {B}_2\) solving respectively the DL problem and the DDH problem w.r.t. \(\mathsf {GrGen}\), such that

We start with the proof idea. The full proof can be found in the full version [FPS19]. Let Y be the public key, let \(P_0\) and \(P_1\) denote the challenge plaintexts, and let \((X^*=x^*G, C^*=x^*Y+P_b, R^*, s^*)\) be the challenge ciphertext. Under the DDH assumption, given Y and \(X^*\), the value \(x^*Y\) looks random. We can thus replace \(x^*Y\) by a random group element \(Z^*\), which perfectly hides \(P_b\) and leads to a game where the adversary gains no information about the challenge bit b.

It remains to show how the reduction can simulate the game without knowledge of \(\log X^*\) (needed to sign the challenge ciphertext) and \(\log Y\) (needed to answer decryption queries). The Schnorr signature under \(X^*\) contained in the challenge ciphertext can be simulated by programming the random oracle \(\mathsf {H}\) as for Theorem 1.

Decryption queries leverage the fact that the Schnorr signature contained in a queried ciphertext (XCRs) proves knowledge of x with \(X=xG\). Thus, intuitively, the reduction should be able to answer a query by extracting x and returning \(M=C-xY\). However, this extraction is a lot trickier than in the proof of Theorem 1: During the game the adversary obtains group elements Y, \(X^*\), \(C^*\), and \(R^*\), as well as the answers \(M_1,\ldots ,M_{q_\mathrm{d}}\) to its queries to \(\textsc {Dec}\). The adversary’s representations of group elements can thus depend on all these elements. In particular, since \(\textsc {Dec}\) on input \((X,C,\ldots )\) computes \(M:= C-yX\), by successive calls to \(\textsc {Dec}\), the adversary can obtain arbitrary powers of y.

In our proof we first show that from a representation given by the adversary, we can always (efficiently) derive a representation in basis

$$(G,X^*,Y=yG,\ldots ,y^{q_\mathrm{d}+1}G,x^*yG,\ldots ,x^*y^{q_\mathrm{d}+1}G). $$

Now consider a decryption query (XCRs), each group element represented as

$$\begin{aligned} X = \gamma _x G + \xi _x X^* + \textstyle \sum _{i=1}^{q_d+1} \upsilon ^{(i)}_x y^iG + \sum _{i=1}^{q_d+1} \zeta ^{(i)}_x x^*y^iG, \qquad R = \gamma _r G + \ldots \end{aligned}$$
(15)

We show that each query falls into one of three categories:

  1. (1)

    The choice of \(c=\mathsf {H}(X,C,R)\) was unlucky, which only happens with negligible probability

  2. (2)

    The representation of X is independent of Y, that is, \(X=\gamma _x G + \xi _x X^*\). Then xY (and hence the answer \(M=C-xY\) to the query) can be computed as \(xY:= \gamma _x Y + \xi _x Z^*\) (where \(Z^*:= x^*Y\) is known by the reduction).

  3. (3)

    Otherwise we show that the adversary has computed \(\log Y\) If the \(\textsc {Dec}\) query was valid then \(sG=R+cX\), which, by plugging in the representations (15) yields

$$ 0 =(\gamma _r +c \gamma _x -s) G + (\xi _r + c\xi _x) X^* + \sum _{i=1}^{q_d+1} \big (\underbrace{(\upsilon _r^{(i)}+x^*\zeta _r^{(i)})+c\,(\overbrace{\upsilon _x^{(i)}+x^*\zeta _x^{(i)}}^{=:\beta ^{(i)}})}_{=:\alpha ^{(i)}}\big ) y^iG $$

If \(\beta ^{(i)}\equiv _p 0\) for all i, we are in case (2). If \(\beta ^{(j)}\not \equiv _p 0\) for some j and \(\alpha ^{(i)}\equiv _p 0\) for all i, then \(c \equiv _p -(\upsilon _r^{(j)}+x^*\zeta _r^{(j)}) \cdot (\beta ^{(j)})^{-1}\) was an unlucky choice (made after the adversary chose its representations from (15)) (case (1)). Otherwise \(\alpha ^{(j)}\equiv _p 0\) for some j and

$$ 0 = \gamma _r +c \gamma _x -s + (\xi _r + c\xi _x) x^* + \textstyle \sum _{i=1}^{q_d+1} \alpha ^{(i)} y^i $$

can be solved for y. (Note that the reduction to DL chooses \(x^*\) itself.)