ciphergoth: (Default)
Paul Crowley ([personal profile] ciphergoth) wrote2007-03-15 07:24 am
  • Add Memory
  • Share This Entry

Security reductions

For the three or so cryptographers on my friends list:

The Goh-Jarecki-Katz-Wang DDH-based signature scheme not only has a tight reduction to the hardness of DDH - it also has a loose reduction to DL using the forking lemma in the same way as Schnorr. I mention this because it's currently my favourite scheme, and the authors didn't know about the reduction...
Flat | Top-Level Comments Only

[identity profile] cryptodragon.livejournal.com 2007-03-15 09:34 am (UTC)(link)
Thank you, I've just spent the last hour looking over that algorithm rather than sleeping. :)

[identity profile] purplerabbits.livejournal.com 2007-03-15 09:45 am (UTC)(link)
I thought you said forking lemon there for a moment. Which would have made sense. Well, as much sense...

[identity profile] lovelybug.livejournal.com 2007-03-15 10:29 am (UTC)(link)
Quite!

[identity profile] just-becky.livejournal.com 2007-03-15 01:08 pm (UTC)(link)
OOh I love it when you talk dirty! :-D

has a tight reduction to the hardness of DDH
Saucy!

[identity profile] zwol.livejournal.com 2007-03-15 04:58 pm (UTC)(link)
Could I have a reference to that algorithm, please? I am not finding it.

[identity profile] ciphergoth.livejournal.com 2007-03-15 06:03 pm (UTC)(link)
http://www.cs.umd.edu/~jkatz/papers/dh-sigs-full.pdf

You may be interested to note that it's carefully engineered to give the same signature for a given message every time, which helps the security reductions...

[identity profile] ciphergoth.livejournal.com 2007-03-16 08:56 am (UTC)(link)
You may be interested to note that it's carefully engineered to give the same signature for a given message every time

although actually, I would not preserve that property in an implementation. The reduction is still pretty tight without it, and without it you can do most of the heavy lifting on signature generation in advance.

[identity profile] strangerover.livejournal.com 2007-03-15 09:11 pm (UTC)(link)
Damn, and I thought that was a start of a Mornington Crescent post...

(Anonymous) 2007-03-16 12:55 am (UTC)(link)
Cute. You may want to write a short eprint note about this, or if you feel like it that's the kind of thing that could be a PKC or RSA paper. I expect others would be interested to see the reduction, too.

[identity profile] ciphergoth.livejournal.com 2007-03-16 08:49 am (UTC)(link)
An eprint note would be about right - it's a very straightforward result, really, the proof is practically identical to the corresponding proof about Schnorr in

http://citeseer.ist.psu.edu/ohta98concrete.html

I'll try to write it up when I have time, which might be a while. I'll also include the other observation I had, which was that if you have a hash function H' which maps the group onto itself, then your public key can be (g^x, H'(g^x)^x), which is a third shorter.

[identity profile] ciphergoth.livejournal.com 2007-03-16 08:52 am (UTC)(link)
BTW please at least sign anonymous posts with a nom. I didn't know that anyone in Microsoft Research read my journal... thanks!

[identity profile] ephermata.livejournal.com 2007-03-17 01:48 am (UTC)(link)
sorry, that was me. I didn't really notice that I wasn't signed in.

Saw this, and thought of you :)

[identity profile] aster13.livejournal.com 2007-03-16 02:43 pm (UTC)(link)
I'm probably just showing up how little i know about cryptography, here (which let's face it, could probably fit on the back of a stamp!) but, in case it's of interest:

http://blog.wired.com/27bstroke6/2007/03/cryptographer_s.html
Flat | Top-Level Comments Only