I read here that, assuming we have a Fiat-Shamir (FS) signature $\Sigma$ that is secure based on the hardness of a particular hard problem $\Pi$, the security proof of $\Sigma$ in the classical ROM indicates that the reduction algorithm can break the underlying problem $\Pi$ with advantage $Q^{-1} \cdot \epsilon^2$, where $Q$ is the number of hash evaluations an adversary can perform and $\epsilon$ is the advantage of an adversary in breaking the security of $\Sigma$. Hence, if we allow the adversary about $2^{40}$ hash evaluations and target 128 bits of security for $\Sigma$ (i.e., $\epsilon = 2^{128}$), then one would need to set the parameters of $\Pi$ to achieve $296$ bits of security. Apparently the loss is even bigger in the QROM setting. But where does this security loss come from? More precisely, why can one break $\Pi$ with an advantage of $Q^{-1} \cdot \epsilon^2$?
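The $Q^{-1} \cdot \epsilon^2$ figure in the question is the bound of the forking lemma used to prove FS signatures in the classical ROM. As an added derivation (not part of the question), read $\epsilon$ as the adversary's advantage $2^{-128}$ at the 128-bit level, $Q$ as the number of random-oracle queries, and $h$ as the size of the challenge space ($h$ is an assumed symbol that does not appear in the question):

$$
\Pr[\text{fork}] \;\ge\; \epsilon\left(\frac{\epsilon}{Q} - \frac{1}{h}\right)
\;=\; \frac{\epsilon^2}{Q} - \frac{\epsilon}{h}.
$$

The reduction solves $\Pi$ whenever the fork succeeds, i.e. when rewinding yields two valid transcripts with the same commitment and different challenges, so if $h \ge 2Q/\epsilon$ the second term is at most half the first and

$$
\mathrm{Adv}_\Pi \;\ge\; \frac{\epsilon^2}{2Q} \;\approx\; \frac{\epsilon^2}{Q}.
$$

With the question's numbers, $Q = 2^{40}$ and $\epsilon = 2^{-128}$:

$$
\frac{\epsilon^2}{Q} = \frac{2^{-256}}{2^{40}} = 2^{-296},
$$

so $\Pi$ must be set so that no algorithm reaches advantage $2^{-296}$, i.e. at the 296-bit level. The square comes from needing two successful runs of the adversary, and the $Q^{-1}$ factor from having to guess which of its $Q$ oracle queries is the one to rewind at; the condition $h \ge 2Q/\epsilon$ means the challenge space here needs $h \ge 2^{169}$ for the approximation to hold.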