 I love you all and welcome to my talk on our paper on the impossibility of purely algebraic signatures. My name is Dominik Hartmann and this is joint work with Nico Dötling, Dennis Hofheinz, Eike Kils, Sven Schäger and Bogdan Olsson. So, let's get started. We look at digital signatures and as we all know they are an integral part to modern communications and basically ubiquitous. And therefore various assumptions and primitives have been shown to yield digital signatures. For example, we know that one-way functions are sufficient and necessary to build digital signatures and we can also build them from discrete logarithm assumptions. And the random-oracle model, for example schnoir signatures, from pairings like Bonille-Boyant signatures, from lattices and random oracles, e.g. the construction of gentry et al. and hash functions like merkle trees. And it is always interesting to see which assumptions are actually sufficient to build specific primitives. So what we are looking at is whether just a group is enough to actually build signatures because as of right now there are no constructions from just groups. You always need some additional property like a pairing or a random oracle to achieve signatures. So we ask the question, is this inherent? Can we actually build signatures from just groups? And we prove that for a specific class of natural signatures over groups this is actually impossible. So what are our contributions? Firstly, we've defined this class of signatures which we call algebraic signatures over prime-order groups and show that in the generic group model these signatures can't be secure. Secondly, we define simplified algebraic signatures which also capture hidden-order groups and we show that these simplified algebraic signatures can't be secure even in the standard model. And lastly, we show an application of this whole framework and show that BLS signatures can actually be expressed as simplified algebraic signatures if you instantiate them with an algebraic hash function and therefore we also show that BLS signatures can't be implemented securely with an algebraic hash function. Okay, so let's get started. How do these algebraic signatures actually look like? Because this will be the main focus of this talk. So I'll mainly focus on the prime-order group case and just give you the high-level idea for the hidden-order groups and I'll just briefly talk about the application in the end. So how do we model signatures over just a group? Because it is not so clear how exactly do you prevent an adversary from doing things that are not really allowed or should not be allowed in a group or what these things actually are. So a signature that works just over a group should basically only use the group structure and it should also be independent of the group representation because then it could do all sorts of things with this bid representation. For example, hash the group elements or hash into the group and then the security might actually depend on the hash function and not on the group itself. So especially it should not be allowed to encode some other hard problem into group elements or into the structure of group elements and of course we also need a formalization which actually allows for more than just pathological examples so we need a large class of signatures otherwise an impossibility result wouldn't really be all that interesting. And it seems that the right abstraction for this is the generic group model which was introduced by Schub and later a different definition was given by Maurer. So let me recall the generic group model first. In the generic group model we idealize a prime-order group and instead of giving an adversary access to the group representation it only gets labels for group elements which themselves don't have any structure and don't help in computing anything about the group. So in order to actually use the group the adversary also needs oracles which perform the group operations. And generally in the generic group model the runtime of an adversary or an algorithm is generally measured in the number of group operations that it performs. So oracle queries. Later our adversary will actually be efficient in terms of group operations but inefficient outside the groups except the exact interpretation of that will come later. So keep that in mind. I'll talk about this specific runtime measurement in a bit. So as I said there are two variants of the generic group model one by Schub and one by Maurer and they differ in how they assign these labels. In Schub's generic group model every group element gets a random bit string as a label from some domain that is large enough. While in Maurer's generic group model the labels are sequential so whenever a new group element is given to the adversary it just gets the next label like 1, 2, 3. So they aren't random they are just completely meaningless basically and just a sequence of numbers. So why should we choose one over the other? Well in Schub's generic group model we know that this implies signatures. You can actually prove Schnorr signatures secure in this model and it even can be used to build a random oracle. While in Maurer's group model it's not known to imply signatures. So we use Maurer's generic group model because otherwise impossibility results are actually feasible because we know that there actually are signatures in Schub's generic group model. Okay now that we know what we can do in this model we can talk about how to model algebraic signatures. And the idea is of course we have a prime-order group G and we need some parameters n, k, l and kappa and throughout the rest of this work we will call the message base capital M. And how does such an algebraic signature now look like? Of course we have to define key generation, signing and verification and for key generation of course we get a verification key and a secret key and on the secret key we don't have any constraints it's just a bit string and the verification key consists of n group elements and also some random bit string and for making it clear if I'm talking about group elements or exponents I'll write group elements in these brackets and whenever I'm talking about exponents I will leave the brackets out. So for this verification key if I talk about x without the brackets I mean the discrete logarithms of these group elements. But we don't make any constraints on how this key is actually computed so we just say it looks like this but not how you can compute it. Similarly for the signing algorithm we just demand that a signature consists of k group elements and some bit string t of length at most kappa. And lastly the verification algorithm and here is where we actually do make some constraints and that is we say that the verification is actually just checking linear equations namely we have these matrices a and b which can depend on s the bit string from the public key the message m and the bit string t from the verification key and now verification is just checking that a times x is equal to b times y and note that a and b are actually matrices over zp and this is because of the generic group model because as I said we don't want to be able to hash into and out of the group so these matrices can't create new group elements from sm or t and in the generic group model we also can't multiply two group elements so this actually seems to be reasonable constraints in the generic group model to say that we are only allowed to check linear relations between the public key elements and the signature group elements. Okay, so for every message we get different matrices and because later in the security game we only have one public key I will mostly omit the s from the matrices because it will be fixed either way so we can also think of it as a function only dependent on m and t and this makes everything a bit shorter and notice that the parameters that we defined above so the n, k and l are the dimensions of the matrices and we will see this later in the performance of our adversary so now that we have defined how our signatures look like we also have to define what security we actually prove impossibility for and since we want to prove an impossibility result the weaker the notion the better so we won't use standard ufcma security but ufqrma security and intuitively this just says that an adversary gets q signatures on random messages and the verification key is not allowed to make any signature queries on chosen messages and in the end has to produce a forgery which of course cannot be contained in the messages that he received in the first place and obviously this is weaker than the standard ufcma security so if we show that even this is impossible then of course this also implies that ufcma security is impossible so it makes our result only stronger ok and now that we have defined how our signatures look like and what security notion we consider we can actually state the main theorem for generic groups and for prime order groups and this is our first impossibility result namely if we have an algebraic signature scheme SICK with parameters n, k, l and kappa then there exists a generic group adversary A that breaks the ufnrma security of the signature scheme with probability 1 over n plus 1 and it only makes a polynomial number of group operation queries but the additional runtime so everything else is exponential in kappa but polynomial in n, k, l and the logarithm of the group order so just as a reminder these are the parameters that we consider so the parameter of the assumption this n is the size of the public key so the width of this matrix A and the other parameters as I said l and k are seen in the other runtime of the adversary ok so now let me give you an overview of how this attack actually works and the main idea is twofold namely first the signature verification is public and also it's a linear equation so whenever we see a valid signature this actually tells us something about the verification key or more specifically about the discrete logarithms of the verification key and we can see that if we knew these discrete logarithms this would also already be enough to compute signatures and we also observe that these possible verification keys they form in a fine subspace of finite dimension of Zp or more precisely the discrete logarithms form this affine subspace so whenever we see a new signature one of two things can happen either we can learn something new about the public key or the discrete logarithms of the public key and in this case the dimension of this affine subspace of possible public verification keys decreases by at least one and since this is a finite dimensional subspace this can only happen a finite amount of time or the other case is that the signature doesn't reveal a new constraint but in this case the forgery is already possible because then we could just take any of the public keys or the discrete logarithms of set public key from the space of possible keys and we could forge with that now the question is how do we compute this set of possible verification keys with just polynomially many group operations and if we know this set how do we actually check that such a verification key works because as I said before these matrices A and B depend on M and T so we have to find a message M and T such that we actually can know whether this public key space that we already know is small enough and these are the two main problems that we have to solve and I'll talk about them one after another so first how can we compute this set of possible public keys and well basically the answer is we can't with just polynomially many group operations but we can compute something that is good enough namely we can compute its dual space so we don't compute the set of possible public keys instead we compute the space of constraints on this public keys space so basically we get linear equations of the form z transposed times x so the discrete logarithms of the public key is equal to zero and each signature might reveal some of these equations and these equations also form in a fine subspace of zp to the n and whenever the space of possible public keys would shrink by one the dimension of this dual space increases by one so now instead of having a decreasing dimension we have an increasing dimension but still the vector space has finite dimension so at some point we know either the whole space or we know at least enough that we can actually forge a signature okay but still there's the problem that we need to know when we actually have enough information and how do we find such a pair m and t that we actually know enough and here we see that these constraints are all in this left kernel so what we do is we check for a new m and t if this left kernel of the matrix B times A is actually already covered by all the constraints that we've seen before so these kj's that we defined on the previous slide and since A and B are zp matrices and these constraints are also a subspace of zp to the n this is checkable without group operations and we show in our paper that if this condition holds then there exists a solution to the verification equation and we can actually find it I won't go into the technical details there but it's basically just linear algebra using the basis extension theorem if you want more details you can look it up in our paper okay so now we can collect these kj's by considering the left kernel of the matrices that we get for the signatures that our challenger gives us and for a new message we can actually check if there is a solution by using this inclusion in the subspace so now we can actually show how our adversary works as in the u of rma game it gets n signatures on messages m1 to mn and for each of these messages we compute this affine subspace of constraints ki and we consider the vector space sum of all of these constraints which we call li or ln for the last of these subspaces and as I said these form a rising inclusion of subspaces and then we just take a random message m star and now we have to try for all possible t if this left kernel of b of m star t star times a of m star t star is actually in the set of all constraints and if we don't find such a t well then we didn't know enough constraints on the public key yet and if we do find such a t then we know that there actually exists a solution to this linear equation system that we need to solve in order to get a signature and we can actually solve this with just polynomially many group operation queries because we can compute a weak inverse of b think about it as just Gaussian elimination and then we get a solution for this equation system and since the verification is defined just in a way that this verification equation has to hold then of course this solution is a valid signature and we can just output it and the adversary will win the only thing left to consider now is the probability that such a t star exists or doesn't exist and this is a simple dimension argument because if we assume that for every message m1 to mn and m star the dimension of the constraint space increases by at least one well then in the end we would have a vector space of dimension n plus 1 but it is a subspace of zp to the n which has dimension n so this can't happen so there are at least two messages which are subsequent where the dimension does not increase and since all messages are random with probability at least 1 over n plus 1 this is mn and our message m star and if that is the case then there will be such a t star and we will be successful and this is where the success probability of our adversary comes from okay and this is it for prime order groups now as I said on to the interpretation the attack that I just described is only pseudo efficient that is it needs polynomially many group operations but it is exponential in kappa for operations outside of the group because it has to brute force search over all possible strings t so this is an efficient attack as long as this kappa is small or there is some smart way of finding t star which is not exponential of course this might not always be the case but there are two other possibilities namely either kappa is large and t star is hard to find even with the secret key but if that would be the case well then even an honest signer that knows the secret key wouldn't be able to reliably find it and then he couldn't produce valid signatures and then the signature scheme simply wouldn't be correct so this is unlikely and the other option is that kappa is large and t star is only easy to find with the secret key which is some arbitrary bit string but then the security of the signature scheme relies on finding a suitable t star and then it must rely on some other hardness assumption which is somehow encoded in this bit string in the secret key so by ignoring the computation that we do outside the group what we actually do is something similar to an impagliato-routage style oracle separation there the adversary is normally provided with an oracle of the assumption that we think is not sufficient to show something and a p-space oracle which allows it to solve all other problems basically also there the interpretation is that this p-space oracle allows it to bypass all other external hardness assumptions and only focus on the hardness of this assumption that you get an oracle for and we do almost the same here just that we don't give a p-space oracle but we say that our adversary is unbounded outside of our generic group so even though this doesn't necessarily give you a concrete attack on such signature schemes it is still a reasonable attack for an impossibility result ok, now on to hidden-order groups and the core idea here is similar but there are some new challenges because first of all we can't compute inverse group elements or rather we can't compute inverse exponents and since we need to invert these matrices to do Gaussian elimination and they consist of exponents we can't do this because we don't know the group order so this doesn't work and additionally there is no generic group model for hidden-order groups so the whole oracle separation approach also doesn't really apply so we have to make some simplifications and come up with different ways to show impossibilities here and this is where the definition of simplified algebraic signatures comes in now we define everything over a group of potentially unknown order n and we only have parameters n, k and l and key generation and signing is similar but we omit the bit strings for the verification key this isn't actually a constraint because now we actually get the representation of the group elements so we could encode this string s into the group elements for the signature this is actually a constraint because this string t was an important part of the previous definition and here we don't have it so this is why these are simplified algebraic signatures and the verification equation then of course also is simplified now a only depends on the verification key m because we don't have t and b can only depend on the verification key and not on the message which is a constraint on the proof that we use later so here is also a small simplification note however that a and b depend on the whole verification key and not just on some bit string because as I said we are not in a generic model but the adversary gets to see also the representation and can actually use it okay so let me state the impossibility result for these simplified algebraic signatures and it is actually pretty similar to the previous one again let sik be a simplified algebraic signature scheme with parameters as before over group g this time of potentially unknown order and now we are in the standard model so we say that now there exists a polynomial time adversary in the dimensions of the matrices and this adversary wins the u of q s r m a game with probability 1 over q s plus 1 so again the probability of winning corresponds to the parameter of the assumption and here q s is larger than before namely it is n times l squared times t max where t max is polynomial in the logarithm of the group order which is the size of the public key plus the message length it is still all polynomial but it has to be a bit larger because now instead of working over a field we work over the integers and there we have to bound the size that the integers might take and to do this efficiently we have to use more signatures and what is the proof idea here we want to combine previous signatures into new signature and due to the constraints we can just do linear combinations of previously seen signatures this is why this matrix B can only depend on the verification key and not on the message but as I said the problem is now we have to work over the integers because in an unknown order group we can't invert so we can't work over it as a regular vector space or field and to solve this is the so-called Hermite normal form short h and f and if we compute this over the matrices a of vk mi for all the mi for enough signatures in a specific form which I won't go into detail here then we can use this to find a linear combination of this a vk m star and we can do this efficiently and this h and f has some nice properties which allows us to accurately bound the number of signatures that we actually need with a similar dimension argument and some properties of the h and f so as I said we also cover BLS signatures and for this we define plain algebraic signatures which also include pairings although they are pretty much similar made to the setting with algebraic hash functions and I won't go into the details here if you want to learn more then you can look at our paper and then we apply our impossibility result for simplified algebraic signatures to these plain algebraic signatures in the standard model and of course there are still some open questions as I said algebraic signatures are a bit limited for example we don't consider inequalities because they could also be checked in a generic group model and another open question is can we remove the simplifications we made in the hidden-order group setting and of course similar results for short purely hash based signatures would also be interesting because now we talked about signatures just from groups and we know that with groups and random or hash functions in general we can build short signatures but from groups we can't and from hashes we only know long signatures so this would also be an interesting question thank you all for your attention and if you have any questions feel free to ask them at the conference bye