Lower Bounds on Signatures from Symmetric Primitives

TL;DR

This paper establishes tight lower bounds on the security of one-time signature schemes constructed from symmetric primitives, showing an inherent efficiency gap and that such schemes cannot surpass certain query-based security limits.

Contribution

It proves that any black-box construction of one-time signatures from symmetric primitives has a fundamental security limit proportional to the number of oracle queries.

Findings

Any such signature scheme can be broken with high probability using about 2^{(1+o(1))q} queries.

A modified Lamport scheme achieves near this bound, indicating tightness.

The results extend to random permutation and ideal cipher oracles, highlighting inherent efficiency gaps.

Abstract

We show that every construction of one-time signature schemes from a random oracle achieves black-box security at most $2^{(1+o(1))q}$, where $q$ is the total number of oracle queries asked by the key generation, signing, and verification algorithms. That is, any such scheme can be broken with probability close to $1$ by a (computationally unbounded) adversary making $2^{(1+o(1))q}$ queries to the oracle. This is tight up to a constant factor in the number of queries, since a simple modification of Lamport's one-time signatures (Lamport '79) achieves $2^{(0.812-o(1))q}$ black-box security using $q$ queries to the oracle. Our result extends (with a loss of a constant factor in the number of queries) also to the random permutation and ideal-cipher oracles. Since the symmetric primitives (e.g. block ciphers, hash functions, and message authentication codes) can be constructed by a constant number of queries to the mentioned oracles, as corollary we get lower bounds on the efficiency of signature schemes from symmetric primitives when the construction is black-box. This can be taken as evidence of an inherent efficiency gap between signature schemes and symmetric primitives.