On the Impossibility of Purely Algebraic Signatures.

Nico Döttling; Dominik Hartmann; Dennis Hofheinz; Eike Kiltz; Sven Schäge; Bogdan Ursu

doi:10.1007/978-3-030-90456-2_11

On the Impossibility of Purely Algebraic Signatures.

Nico Döttling, Dominik Hartmann, Dennis Hofheinz, Eike Kiltz, Sven Schäge, Bogdan Ursu

Coding Theory and Cryptology

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

Abstract

The existence of one-way functions implies secure digital signatures, but not public-key encryption (at least in a black-box setting). Somewhat surprisingly, though, efficient public-key encryption schemes appear to be much easier to construct from concrete algebraic assumptions (such as the factoring of Diffie-Hellman-like assumptions) than efficient digital signature schemes. In this work, we provide one reason for this apparent difficulty to construct efficient signature schemes. Specifically, we prove that a wide range of algebraic signature schemes (in which verification essentially checks a number of linear equations over a group) fall to conceptually surprisingly simple linear algebra attacks. In fact, we prove that in an algebraic signature scheme, sufficiently many signatures can be linearly combined to a signature of a fresh message. We present attacks both in known-order and hidden-order groups (although in hidden-order settings, we have to restrict our definition of algebraic signatures a little). More explicitly, we show: the insecurity of all algebraic signature schemes in Maurer’s generic group model (in pairing-free groups), as long as these schemes do not rely on other cryptographic assumptions, such as hash functions.the insecurity of a natural class of signatures in hidden-order groups, where verification consists of linear equations over group elements. We believe that this highlights the crucial role of public verifiability in digital signature schemes. Namely, while public-key encryption schemes do not require any publicly verifiable structure on ciphertexts, it is exactly this structure on signatures that invites attacks like ours and makes it hard to construct efficient signatures.

Original language	English
Title of host publication	Theory of Cryptography - 19th International Conference, TCC 2021, Proceedings
Editors	Kobbi Nissim, Brent Waters, Brent Waters
Pages	317-349
Number of pages	33
DOIs	https://doi.org/10.1007/978-3-030-90456-2_11
Publication status	Published - 2021

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	13044 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Bibliographical note

DBLP License: DBLP's bibliographic metadata records provided through http://dblp.org/ are distributed under a Creative Commons CC0 1.0 Universal Public Domain Dedication. Although the bibliographic metadata records are provided consistent with CC0 1.0 Dedication, the content described by the metadata records is not. Content may be subject to copyright, rights of privacy, rights of publicity and other restrictions.

Access to Document

10.1007/978-3-030-90456-2_11

Cite this

Döttling, N., Hartmann, D., Hofheinz, D., Kiltz, E., Schäge, S., & Ursu, B. (2021). On the Impossibility of Purely Algebraic Signatures. In K. Nissim, B. Waters, & B. Waters (Eds.), Theory of Cryptography - 19th International Conference, TCC 2021, Proceedings (pp. 317-349). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13044 LNCS). https://doi.org/10.1007/978-3-030-90456-2_11

Döttling, Nico ; Hartmann, Dominik ; Hofheinz, Dennis et al. / On the Impossibility of Purely Algebraic Signatures. Theory of Cryptography - 19th International Conference, TCC 2021, Proceedings. editor / Kobbi Nissim ; Brent Waters ; Brent Waters. 2021. pp. 317-349 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{210a4f83c5b14bb0bd2b402d9c39d92a,

title = "On the Impossibility of Purely Algebraic Signatures.",

abstract = "The existence of one-way functions implies secure digital signatures, but not public-key encryption (at least in a black-box setting). Somewhat surprisingly, though, efficient public-key encryption schemes appear to be much easier to construct from concrete algebraic assumptions (such as the factoring of Diffie-Hellman-like assumptions) than efficient digital signature schemes. In this work, we provide one reason for this apparent difficulty to construct efficient signature schemes. Specifically, we prove that a wide range of algebraic signature schemes (in which verification essentially checks a number of linear equations over a group) fall to conceptually surprisingly simple linear algebra attacks. In fact, we prove that in an algebraic signature scheme, sufficiently many signatures can be linearly combined to a signature of a fresh message. We present attacks both in known-order and hidden-order groups (although in hidden-order settings, we have to restrict our definition of algebraic signatures a little). More explicitly, we show: the insecurity of all algebraic signature schemes in Maurer{\textquoteright}s generic group model (in pairing-free groups), as long as these schemes do not rely on other cryptographic assumptions, such as hash functions.the insecurity of a natural class of signatures in hidden-order groups, where verification consists of linear equations over group elements. We believe that this highlights the crucial role of public verifiability in digital signature schemes. Namely, while public-key encryption schemes do not require any publicly verifiable structure on ciphertexts, it is exactly this structure on signatures that invites attacks like ours and makes it hard to construct efficient signatures.",

author = "Nico D{\"o}ttling and Dominik Hartmann and Dennis Hofheinz and Eike Kiltz and Sven Sch{\"a}ge and Bogdan Ursu",

note = "DBLP License: DBLP's bibliographic metadata records provided through http://dblp.org/ are distributed under a Creative Commons CC0 1.0 Universal Public Domain Dedication. Although the bibliographic metadata records are provided consistent with CC0 1.0 Dedication, the content described by the metadata records is not. Content may be subject to copyright, rights of privacy, rights of publicity and other restrictions.",

year = "2021",

doi = "10.1007/978-3-030-90456-2_11",

language = "English",

isbn = "9783030904555",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

pages = "317--349",

editor = "Kobbi Nissim and Brent Waters and Brent Waters",

booktitle = "Theory of Cryptography - 19th International Conference, TCC 2021, Proceedings",

}

Döttling, N, Hartmann, D, Hofheinz, D, Kiltz, E, Schäge, S & Ursu, B 2021, On the Impossibility of Purely Algebraic Signatures. in K Nissim, B Waters & B Waters (eds), Theory of Cryptography - 19th International Conference, TCC 2021, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 13044 LNCS, pp. 317-349. https://doi.org/10.1007/978-3-030-90456-2_11

On the Impossibility of Purely Algebraic Signatures. / Döttling, Nico; Hartmann, Dominik; Hofheinz, Dennis et al.
Theory of Cryptography - 19th International Conference, TCC 2021, Proceedings. ed. / Kobbi Nissim; Brent Waters; Brent Waters. 2021. p. 317-349 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13044 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - On the Impossibility of Purely Algebraic Signatures.

AU - Döttling, Nico

AU - Hartmann, Dominik

AU - Hofheinz, Dennis

AU - Kiltz, Eike

AU - Schäge, Sven

AU - Ursu, Bogdan

N1 - DBLP License: DBLP's bibliographic metadata records provided through http://dblp.org/ are distributed under a Creative Commons CC0 1.0 Universal Public Domain Dedication. Although the bibliographic metadata records are provided consistent with CC0 1.0 Dedication, the content described by the metadata records is not. Content may be subject to copyright, rights of privacy, rights of publicity and other restrictions.

PY - 2021

Y1 - 2021

N2 - The existence of one-way functions implies secure digital signatures, but not public-key encryption (at least in a black-box setting). Somewhat surprisingly, though, efficient public-key encryption schemes appear to be much easier to construct from concrete algebraic assumptions (such as the factoring of Diffie-Hellman-like assumptions) than efficient digital signature schemes. In this work, we provide one reason for this apparent difficulty to construct efficient signature schemes. Specifically, we prove that a wide range of algebraic signature schemes (in which verification essentially checks a number of linear equations over a group) fall to conceptually surprisingly simple linear algebra attacks. In fact, we prove that in an algebraic signature scheme, sufficiently many signatures can be linearly combined to a signature of a fresh message. We present attacks both in known-order and hidden-order groups (although in hidden-order settings, we have to restrict our definition of algebraic signatures a little). More explicitly, we show: the insecurity of all algebraic signature schemes in Maurer’s generic group model (in pairing-free groups), as long as these schemes do not rely on other cryptographic assumptions, such as hash functions.the insecurity of a natural class of signatures in hidden-order groups, where verification consists of linear equations over group elements. We believe that this highlights the crucial role of public verifiability in digital signature schemes. Namely, while public-key encryption schemes do not require any publicly verifiable structure on ciphertexts, it is exactly this structure on signatures that invites attacks like ours and makes it hard to construct efficient signatures.

AB - The existence of one-way functions implies secure digital signatures, but not public-key encryption (at least in a black-box setting). Somewhat surprisingly, though, efficient public-key encryption schemes appear to be much easier to construct from concrete algebraic assumptions (such as the factoring of Diffie-Hellman-like assumptions) than efficient digital signature schemes. In this work, we provide one reason for this apparent difficulty to construct efficient signature schemes. Specifically, we prove that a wide range of algebraic signature schemes (in which verification essentially checks a number of linear equations over a group) fall to conceptually surprisingly simple linear algebra attacks. In fact, we prove that in an algebraic signature scheme, sufficiently many signatures can be linearly combined to a signature of a fresh message. We present attacks both in known-order and hidden-order groups (although in hidden-order settings, we have to restrict our definition of algebraic signatures a little). More explicitly, we show: the insecurity of all algebraic signature schemes in Maurer’s generic group model (in pairing-free groups), as long as these schemes do not rely on other cryptographic assumptions, such as hash functions.the insecurity of a natural class of signatures in hidden-order groups, where verification consists of linear equations over group elements. We believe that this highlights the crucial role of public verifiability in digital signature schemes. Namely, while public-key encryption schemes do not require any publicly verifiable structure on ciphertexts, it is exactly this structure on signatures that invites attacks like ours and makes it hard to construct efficient signatures.

UR - http://www.scopus.com/inward/record.url?scp=85120062047&partnerID=8YFLogxK

U2 - 10.1007/978-3-030-90456-2_11

DO - 10.1007/978-3-030-90456-2_11

M3 - Conference contribution

SN - 9783030904555

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 317

EP - 349

BT - Theory of Cryptography - 19th International Conference, TCC 2021, Proceedings

A2 - Nissim, Kobbi

A2 - Waters, Brent

ER -

Döttling N, Hartmann D, Hofheinz D, Kiltz E, Schäge S, Ursu B. On the Impossibility of Purely Algebraic Signatures. In Nissim K, Waters B, Waters B, editors, Theory of Cryptography - 19th International Conference, TCC 2021, Proceedings. 2021. p. 317-349. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-030-90456-2_11

On the Impossibility of Purely Algebraic Signatures.

Abstract

Publication series

Bibliographical note

Access to Document

Other files and links

Fingerprint

Cite this