Optimal generic attack against basic Boneh-Boyen signatures

Abstract

The Boneh-Boyen digital signature scheme is a pairing-based signature scheme that features short signatures consisting of one group element, the minimum possible size. In contrast to earlier short signature schemes such as Boneh-Lynn-Shacham, the Boneh-Boyen scheme achieves security without the use of random oracles, but at the cost of a non-standard mathematical assumption, the q-Strong Diffie-Hellman (or q-SDH) assumption, which is known to be less secure than discrete logarithms against generic attacks. However, unlike discrete logarithms, in which the fastest known generic attacks match the known provable lower bounds for solving generic discrete logarithms, the fastest known generic attacks against Boneh-Boyen prior to this work did not match the provable lower bounds for generically solving q-SDH instances. In this work, we demonstrate that when p-1 has suitably sized divisors (where p is the order of the underlying group used in the scheme), which in particular almost always occurs for cryptographic pairings instantiated from elliptic curves, Boneh-Boyen can indeed be broken in the sense of weak existential forgery under chosen-message attack (the same security definition as what was used in the original Boneh-Boyen paper) in O(p¹ᐟ³) time using generic algorithms, matching the provable lower bound for generically solving q-SDH instances.