2

I read here that, assuming we have a Fiat-Shamir (FS) signature $\Sigma$ that is secure based on the hardness of a particular hard problem $\Pi$, the security proof of $\Sigma$ in the classical ROM indicates that the reduction algorithm can break the underlying problem $\Pi$ with advantage $Q^{-1} \cdot \epsilon^2$, where $Q$ is the number of hash evaluations an adversary can perform and $\epsilon$ is the advantage of an adversary in breaking the security of $\Sigma$. Hence, if we allow the adversary about $2^{40}$ hash evaluations and target 128 bits of security for $\Sigma$ (i.e., $\epsilon = 2^{128}$), then one would need to set the parameters of $\Pi$ to achieve $296$ bits of security. And apparently the loss is even bigger in the QROM setting. But where does this security loss come from? More precisely, why can one break $\Pi$ with an advantage of $Q^{-1} \cdot \epsilon^2$?

  • It's not that we know actual attacks with that advantage. It's merely that we can't prove that they don't exist. – Maeher Nov 22 '20 at 21:13
  • @Maeher But I'm more interested in where $Q^{-1} \cdot \epsilon^2$ comes from. I don't know where that is obtained from. –  Nov 22 '20 at 22:29
  • The simple answer (I don't have time to write a proper one right now) is that in the security proof the reduction needs to correctly guess which one of $Q$ queries is the important one. And in general it can only do so by guessing randomly. – Maeher Nov 22 '20 at 22:46
  • @Maeher Okay, that explains the $Q^{-1}$ part, you have $\frac{1}{Q}$ to guess correctly, but why $\epsilon^2$? –  Nov 23 '20 at 09:14
  • This was formally argued in [PS00], and that this is (close to) optimal was later shown in [Seu12]. The intuitive reason for the $\varepsilon^2$ factor is that the reduction must run the adversary successfully twice and the $Q$ factor is, as Maeher points out, down to the fact that the reduction has to basically guess the index of the query (Forking Lemma). – ckamath Nov 23 '20 at 14:57
  • You can find a detailed explanation in this answer. – ckamath Nov 23 '20 at 15:02
  • @Occams_Trimmer Thank you. If you write this as an answer, I can accept. –  Nov 23 '20 at 22:23
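
The rewinding argument from the comments, as an added example that is not part of the original thread: a reduction runs a forger twice on the same random tape, reprograms the random oracle from the forged query onward, and extracts the secret only when both runs succeed on the same query index. Schnorr signatures over a toy group are an assumed concrete FS scheme here, and the forger model, all names and all parameters are constructed for illustration.

```python
import random

# Constructed toy group, far too small for real use: g has prime order q mod p.
p, q, g = 2039, 1019, 4

def adversary(x, tape, oracle, Q, eps):
    """Hypothetical forger: same tape and same oracle answers give the same run.
    It holds x only so that we can simulate a forger succeeding w.p. eps."""
    rng = random.Random(tape)
    ks = [rng.randrange(1, q) for _ in range(Q)]
    cs = [oracle(i, pow(g, k, p)) for i, k in enumerate(ks)]  # Q hash queries
    coin = random.Random(f"{tape}|{cs}")  # outcome depends on every answer
    if coin.random() >= eps:
        return None                       # no forgery in this run
    j = coin.randrange(Q)                 # query the forgery is built on
    return j, cs[j], (ks[j] + cs[j] * x) % q   # g^s = R_j * y^c_j

def fork(x, Q, eps, rng):
    """Reduction: run the forger, rewind to query j, reprogram the oracle."""
    tape = rng.getrandbits(64)
    h1 = [rng.randrange(q) for _ in range(Q)]
    run1 = adversary(x, tape, lambda i, R: h1[i], Q, eps)
    if run1 is None:
        return None
    j, c1, s1 = run1
    h2 = h1[:j] + [rng.randrange(q) for _ in range(Q - j)]
    run2 = adversary(x, tape, lambda i, R: h2[i], Q, eps)
    if run2 is None or run2[0] != j or run2[1] == c1:
        return None                       # second run failed or forked elsewhere
    _, c2, s2 = run2
    # Same R_j in both runs, so s1 - s2 = (c1 - c2) * x mod q.
    return (s1 - s2) * pow((c1 - c2) % q, -1, q) % q

def extraction_rate(Q, eps, trials, seed=1):
    rng = random.Random(seed)
    x = rng.randrange(1, q)               # discrete log of y = g^x (the Pi instance)
    hits = 0
    for _ in range(trials):
        got = fork(x, Q, eps, rng)
        assert got is None or got == x    # any extracted value is the real x
        hits += got is not None
    return hits / trials

if __name__ == "__main__":
    print(extraction_rate(Q=4, eps=0.5, trials=20000), "vs eps^2/Q =", 0.5**2 / 4)
```

In this model the measured extraction rate tracks $\epsilon^2 / Q$: one factor of $\epsilon$ per successful run, and $1/Q$ for the second forgery landing on the same query.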

0 Answers