Forking lemma

The forking lemma is any of a number of related lemmas in cryptography research. The lemma states that if an adversary (typically a probabilistic Turing machine), on inputs drawn from some distribution, produces an output that has some property with non-negligible probability, then with non-negligible probability, if the adversary is re-run on new inputs but with the same random tape, its second output will also have the property.

This concept was first used by David Pointcheval and Jacques Stern in "Security proofs for signature schemes," published in the proceedings of Eurocrypt 1996.^[1]^[2] In their paper, the forking lemma is specified in terms of an adversary that attacks a digital signature scheme instantiated in the random oracle model. They show that if an adversary can forge a signature with non-negligible probability, then there is a non-negligible probability that the same adversary with the same random tape can create a second forgery in an attack with a different random oracle.^[3] The forking lemma was later generalized by Mihir Bellare and Gregory Neven.^[4] The forking lemma has been used and further generalized to prove the security of a variety of digital signature schemes and other random-oracle based cryptographic constructions.^[2]^[5]^[6]

^ Ernest Brickell, David Pointcheval, Serge Vaudenay, and Moti Yung, "Design Validations for Discrete Logarithm Based Signature Schemes", Third International Workshop on Practice and Theory in Public Key Cryptosystems, PKC 2000, Melbourne, Australia, January 18–20, 2000, pp. 276–292.
^ ^a ^b Adam Young and Moti Yung, "Malicious Cryptography: Exposing Cryptovirology", Wiley press, 2004, pp. 344.
^ David Pointcheval and Jacques Stern, "Security Proofs for Signature Schemes", Advances in Cryptology — EUROCRYPT '96, Saragossa, Spain, May 12–16, 1996, pp. 387–398.
^ Mihir Bellare and Gregory Neven, "Multi-Signatures in the Plain Public-Key Model and a General Forking Lemma", Proceedings of the 13th Association for Computing Machinery (ACM) Conference on Computer and Communications Security (CCS), Alexandria, Virginia, 2006, pp. 390–399.
^ Ali Bagherzandi, Jung Hee Cheon, Stanislaw Jarecki: Multisignatures secure under the discrete logarithm assumption and a generalized forking lemma. CCS '08 : Proceedings of the 15th ACM conference on Computer and communications security, 2008, p.449-458
^ Javier Herranz, Germán Sáez: Forking Lemmas for Ring Signature Schemes. 266-279

[1] Ernest Brickell, David Pointcheval, Serge Vaudenay, and Moti Yung, "Design Validations for Discrete Logarithm Based Signature Schemes", Third International Workshop on Practice and Theory in Public Key Cryptosystems, PKC 2000, Melbourne, Australia, January 18–20, 2000, pp. 276–292.

[YoungYung-2] Adam Young and Moti Yung, "Malicious Cryptography: Exposing Cryptovirology", Wiley press, 2004, pp. 344.

[3] David Pointcheval and Jacques Stern, "Security Proofs for Signature Schemes", Advances in Cryptology — EUROCRYPT '96, Saragossa, Spain, May 12–16, 1996, pp. 387–398.

[BellareNeven-4] Mihir Bellare and Gregory Neven, "Multi-Signatures in the Plain Public-Key Model and a General Forking Lemma", Proceedings of the 13th Association for Computing Machinery (ACM) Conference on Computer and Communications Security (CCS), Alexandria, Virginia, 2006, pp. 390–399.

[5] Ali Bagherzandi, Jung Hee Cheon, Stanislaw Jarecki: Multisignatures secure under the discrete logarithm assumption and a generalized forking lemma. CCS '08 : Proceedings of the 15th ACM conference on Computer and communications security, 2008, p.449-458

[6] Javier Herranz, Germán Sáez: Forking Lemmas for Ring Signature Schemes. 266-279

[1]

[2]

[3]

[4]

[5]

[6]