Publication: On the (In)Security of the BUFF Transform
Abstract
The BUFF transform is a generic transformation for digital signature schemes, with the purpose of obtaining additional security properties beyond standard unforgeability, e.g., exclusive ownership and non-resignability. In the call for additional post-quantum signatures, these were explicitly mentioned by the NIST as “additional desirable security properties”, and some of the submissions indeed refer to the BUFF transform with the purpose of achieving them, while some other submissions follow the design of the BUFF transform without mentioning it explicitly.
In this work, we show the following negative results regarding the non-resignability property in general, and the BUFF transform in particular. In the plain model, we observe by means of a simple attack that any signature scheme for which the message has a high entropy given the signature does not satisfy the non-resignability property (while non-resignability is trivially not satisfied if the message can be efficiently computed from its signature). Given that the BUFF transform has high entropy in the message given the signature, it follows that the BUFF transform does not achieve non-resignability whenever the random oracle is instantiated with a hash function, no matter what hash function.
When considering the random oracle model (ROM), the matter becomes slightly more delicate since prior works did not rigorously define the non-resignability property in the ROM. For the natural extension of the definition to the ROM, we observe that our impossibility result still holds, despite there having been positive claims about the non-resignability of the BUFF transform in the ROM. Indeed, prior claims of the non-resignability of the BUFF transform rely on faulty argumentation.
On the positive side, we prove that a salted version of the BUFF transform satisfies a slightly weaker variant of non-resignability in the ROM, covering both classical and quantum attacks, if the entropy requirement in the (weakened) definition of non-resignability is statistical; for the computational variant, we show yet another negative result.
Cite
ISO 690
DON, Jelle, Serge FEHR, Yu-Hsuan HUANG, Patrick STRUCK, 2024. On the (In)Security of the BUFF Transform. 44th Annual International Cryptology Conference. Santa Barbara, CA, USA, 18 Aug. 2024 - 22 Aug. 2024. In: Advances in Cryptology : CRYPTO 2024, volume 1. Cham: Springer, 2024, pp. 246-275. Lecture Notes in Computer Science (LNCS). 14920. ISSN 0302-9743. eISSN 1611-3349. ISBN 978-3-031-68375-6. Available at: doi: 10.1007/978-3-031-68376-3_8
BibTex
@inproceedings{Don2024theIn-70791,
  year={2024},
  doi={10.1007/978-3-031-68376-3_8},
  title={On the (In)Security of the BUFF Transform},
  number={14920},
  isbn={978-3-031-68375-6},
  issn={0302-9743},
  publisher={Springer},
  address={Cham},
  series={Lecture Notes in Computer Science (LNCS)},
  booktitle={Advances in Cryptology : CRYPTO 2024, volume 1},
  pages={246--275},
  author={Don, Jelle and Fehr, Serge and Huang, Yu-Hsuan and Struck, Patrick}
}