Security of Discrete Log Cryptosystems in the Random Oracle and the Generic Model

Claus Peter Schnorr, Fachbereich Mathematik/Informatik, Universität Frankfurt, Germany, and Bell Laboratories, schnorr@cs.uni-frankfurt.de
Markus Jakobsson, Information Sciences Laboratory, Bell Laboratories, Murray Hill, New Jersey 07974, markusj@research.bell-labs.com

April 28, 2000

Abstract

We introduce novel security proofs that use combinatorial counting arguments rather than reductions to the discrete logarithm or to the Diffie-Hellman problem. Our security results are sharp and clean, with no polynomial reduction times involved. We consider a combination of the random oracle model and the generic model. This corresponds to assuming an ideal hash function H given by an oracle and an ideal group of prime order q, where the binary encoding of the group elements is useless for cryptographic attacks. In this model, we first show that Schnorr signatures are secure against the one-more signature forgery: a generic adversary performing t generic steps, including ℓ sequential interactions with the signer, cannot produce ℓ + 1 signatures with a better probability than $\binom{t}{2}/q$. We also characterize the different power of sequential and of parallel attacks. Secondly, we prove that signed ElGamal encryption is secure against the adaptive chosen ciphertext attack, in which an attacker can arbitrarily use a decryption oracle except for the challenge ciphertext. Moreover, signed ElGamal encryption is secure against the one-more decryption attack: a generic adversary performing t generic steps, including ℓ interactions with the decryption oracle, cannot distinguish the plaintexts of ℓ + 1 ciphertexts from random strings with a probability exceeding $\binom{t}{2}/q$.

1 Introduction and Summary

Proving security for cryptographic primitives like signatures and encryption is a challenging problem, in particular for an interactive setting, where an active adversary interferes in the interaction. We introduce novel security proofs for discrete log cryptosystems that use combinatorial counting arguments rather than reductions to the discrete logarithm or to the Diffie-Hellman problem. Our security results are sharp and clean, with no polynomial reduction times involved. Our approach separates more cleanly the cryptographic weaknesses of the hash function, of the group and of the cryptographic protocols. This separation is crucial: if an attack is possible for a specific hash function or group, we need a stronger hash function or group while keeping the cryptographic protocols. As NIST has proposed strong hash functions and strong groups, it makes sense to analyze cryptographic protocols assuming that the hash function and the group have no cryptographic weaknesses. So we merely consider attacks that work for all hash functions and for all groups. If an attack occurs that works
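The two constructions the abstract analyzes, Schnorr signatures and signed ElGamal encryption over a prime-order subgroup of $\mathbb{Z}_p^*$, as an added worked example in Python; this is not code from the paper or its authors. It assumes SHA-256 reduced mod q as a concrete stand-in for the oracle H, a 64-bit safe-prime group generated on the fly (a constructed toy size that gives no real security), and a seeded PRNG so the run is reproducible; the message strings, the plaintext element and the mauling step are constructed. The decryption oracle verifies the signature before it touches the secret key, which is the mechanism behind the chosen-ciphertext result.

```python
import hashlib
import random

# Constructed demo size: a 64-bit safe prime is generated in well under a second but
# gives no security; real deployments use 2048+-bit standardized groups or curves.
GROUP_BITS = 64

def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin with `rounds` random bases after a little trial division."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_group(bits, rng):
    """Safe prime p = 2q + 1; g = 4 is a square mod p, so it has order exactly q."""
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q, rng) and is_probable_prime(2 * q + 1, rng):
            return 2 * q + 1, q, 4

def H(q, *elems):
    """The random oracle H, instantiated here (an assumption of this example) as
    SHA-256 over length-prefixed encodings of the inputs, reduced mod q."""
    h = hashlib.sha256()
    for e in elems:
        b = e if isinstance(e, bytes) else e.to_bytes((e.bit_length() + 7) // 8 or 1, "big")
        h.update(len(b).to_bytes(2, "big") + b)
    return int.from_bytes(h.digest(), "big") % q

def schnorr_sign(p, q, g, x, msg, rng):
    """Signature (c, s) on the tuple msg under key x: c = H(g^r, msg), s = r + c*x mod q."""
    r = rng.randrange(1, q)
    c = H(q, pow(g, r, p), *msg)
    return c, (r + c * x) % q

def schnorr_verify(p, q, g, y, msg, sig):
    """Recompute g^r = g^s * y^(-c) and check that it hashes back to c."""
    c, s = sig
    if not (0 <= c < q and 0 <= s < q):
        return False
    return H(q, pow(g, s, p) * pow(y, q - c, p) % p, *msg) == c

def signed_encrypt(p, q, g, h, m, rng):
    """Plain ElGamal (R, C) = (g^r, m*h^r) plus a Schnorr signature on (R, C) under
    the one-time key pair (r, R): the encryption randomness doubles as signing key."""
    r = rng.randrange(1, q)
    R, C = pow(g, r, p), m * pow(h, r, p) % p
    c, s = schnorr_sign(p, q, g, r, (R, C), rng)
    return R, C, c, s

def signed_decrypt(p, q, g, z, ct):
    """Decryption oracle: subgroup membership and the signature are checked before
    any use of z, so a mauled (R, C) is rejected rather than decrypted to a related
    plaintext; on success m = C * R^(-z)."""
    R, C, c, s = ct
    if not (1 < R < p and 1 <= C < p) or pow(R, q, p) != 1 or pow(C, q, p) != 1:
        return None
    if not schnorr_verify(p, q, g, R, (R, C), (c, s)):
        return None
    return C * pow(R, q - z, p) % p

def demo(seed=2000):
    """Constructed end-to-end run; returns the checks a test can assert on."""
    rng = random.Random(seed)
    p, q, g = gen_group(GROUP_BITS, rng)
    x = rng.randrange(1, q)                    # signer's secret key, public key y
    y = pow(g, x, p)
    msg = (b"pay 10 to bob",)
    sig = schnorr_sign(p, q, g, x, msg, rng)
    z = rng.randrange(1, q)                    # receiver's decryption key, public key h
    h = pow(g, z, p)
    m = pow(g, rng.randrange(1, q), p)         # constructed plaintext: a subgroup element
    ct = signed_encrypt(p, q, g, h, m, rng)
    R, C, c, s = ct
    mauled = (R, C * h % p, c, s)              # plain ElGamal would decrypt this to m*h
    return {
        "sig_ok": schnorr_verify(p, q, g, y, msg, sig),
        "sig_on_other_msg": schnorr_verify(p, q, g, y, (b"pay 99 to bob",), sig),
        "roundtrip": signed_decrypt(p, q, g, z, ct) == m,
        "mauled_rejected": signed_decrypt(p, q, g, z, mauled) is None,
        "unsigned_elgamal_leaks": (C * h % p) * pow(R, q - z, p) % p == m * h % p,
    }
```

The `mauled` ciphertext is the kind of query a chosen-ciphertext attacker sends to the decryption oracle: with plain ElGamal, multiplying C by h yields a valid ciphertext of the related plaintext m·h, and the oracle's answer reveals m. In signed ElGamal the signature is made with the encryption randomness r as secret key and R = g^r as public key, so anyone who changes (R, C) without knowing r cannot produce a signature that verifies, and the oracle refuses before its secret key z is ever used.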