2000, Lecture Notes in Computer Science
A number of signature schemes and standards based on the discrete logarithm problem have recently been designed; examples of standards are the DSA and the KCDSA. The few formal design/security validations conducted so far for the KCDSA and the DSA have been carried out in the "full" so-called random oracle model. In this paper we try to minimize the use of ideal hash functions for several Discrete Logarithm (DSS-like) signatures (abstracted as generic schemes). Namely, we show that the following holds: "if they can be broken by an existential forgery using an adaptively chosen-message attack, then either the discrete logarithm problem can be solved, or some hash function can be distinguished from an ideal one, or multi-collisions can be found." Thus for these signature schemes, either they are equivalent to the discrete logarithm problem or there is an attack that takes advantage of properties of practical hash functions (SHA-1 or whichever high-quality cryptographic hash function is used). What is interesting is that the schemes we discuss include KCDSA and slight variations of DSA. Further, since our schemes are very close to their standard counterparts they benefit from their desired properties (efficiency of computation/space, employment of certain mathematical operations and wide applicability to various algebraic structures). We feel that adding variants with strong validation of security is important to this family of signature schemes since, as we have experienced in the recent past, lack of such validation has led to attacks on standard schemes, years after their introduction. In addition, schemes with a formal validation that is made public may ease global standardization, since they neutralize much of the suspicion regarding potential knowledge gaps and unfair advantages gained by the scheme designer's country (e.g. the NSA being the designers of DSS).
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 2012
It is known how to transform certain canonical three-pass identification schemes into signature schemes via the Fiat-Shamir transform. Pointcheval and Stern showed that those schemes are existentially unforgeable in the random-oracle model, leveraging the, at that time, novel forking lemma. Recently, a number of 5-pass identification protocols have been proposed. Extending the above technique to capture 5-pass identification schemes would allow one to obtain novel unforgeable signature schemes. In this paper, we provide an extension of the forking lemma (and the Fiat-Shamir transform) in order to assess the security of what we call n-generic signature schemes. These include signature schemes that are derived from certain (2n + 1)-pass identification schemes. In doing so, we put forward a generic methodology for proving the security of a number of signature schemes derived from (2n + 1)-pass identification schemes for n ≥ 2. As an application of this methodology, we obtain two new code-based existentially-unforgeable signature schemes, along with a security reduction. In particular, we solve an open problem in multivariate cryptography posed by Sakumoto, Shirai and Hiwatari at CRYPTO 2011.
Since the appearance of public-key cryptography in the seminal Diffie-Hellman paper, many new schemes have been proposed and many have been broken. Thus, the simple fact that a cryptographic algorithm withstands cryptanalytic attacks for several years is often considered as a kind of validation procedure. A much more convincing line of research has tried to provide "provable" security for cryptographic protocols. Unfortunately, in many cases, provable security is at the cost of a considerable loss in terms of efficiency. Another way to achieve some kind of provable security is to identify concrete cryptographic objects such as hash functions with ideal random objects and to use arguments from relativized complexity theory. The model underlying this approach is often called the "random oracle model." We use the word "arguments" for security results proved in this model. As usual, these arguments are relative to well-established hard algorithmic problems such as factorization or the discrete logarithm.
Automata, Languages and Programming, 2005
We show that the signer can abuse the disavowal protocol in the Jakobsson-Sako-Impagliazzo designated-verifier signature scheme. In addition, we identify a new security property, non-delegatability, that is essential for designated-verifier signatures, and show that several previously proposed designated-verifier schemes are delegatable. We give a rigorous formalisation of the security for designated-verifier signature schemes, and propose a new and efficient designated-verifier signature scheme that is provably unforgeable under a tight reduction to the Decisional Diffie-Hellman problem in the non-programmable random oracle model, and non-delegatable under a loose reduction in the programmable random oracle model. As a direct corollary, we also get a new efficient conventional signature scheme that is provably unforgeable under a tight reduction to the Decisional Diffie-Hellman problem in the non-programmable random oracle plus common reference string model. Keywords: designated verifier signature scheme, non-delegatability, non-programmable random oracle model, signature scheme.
11th International Conference on Parallel and Distributed Systems (ICPADS'05), 2005
The notion of Universal Designated-Verifier Signatures was put forth by Steinfeld et al. at Asiacrypt 2003. This notion allows a signature holder to designate the signature to a desired designated verifier. In this paper, we extend this notion to allow a signature holder to designate the signature to multiple verifiers, and hence we call our scheme Universal Designated Multi-Verifier Signatures. We provide security proofs for our schemes in the random oracle model.
Lecture Notes in Computer Science, 2003
We show a signature scheme whose security is tightly related to the Computational Diffie-Hellman (CDH) assumption in the Random Oracle Model. Existing discrete-log based signature schemes, such as ElGamal, DSS, and Schnorr signatures, either require non-standard assumptions, or their security is only loosely related to the discrete logarithm (DL) assumption using Pointcheval and Stern's "forking" lemma. Since the hardness of the CDH problem is widely believed to be closely related to the hardness of the DL problem, the signature scheme presented here offers better security guarantees than existing discrete-log based signature schemes. Furthermore, the new scheme has comparable efficiency to existing schemes. The signature scheme was previously proposed in the cryptographic literature on at least two occasions. However, no security analysis was done, probably because the scheme was viewed as a slight modification of Schnorr signatures. In particular, the scheme's tight security reduction to CDH has remained unnoticed until now. Interestingly, this discrete-log based signature scheme is similar to the trapdoor permutation based PSS signatures proposed by Bellare and Rogaway, and has a tight reduction for a similar reason.
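The abstract does not spell out the scheme itself. The construction it refers to, the EDL scheme, is a Schnorr signature in which the signer also publishes z = h^x for a message-dependent base h = H(m, r) and proves with a Chaum-Pedersen protocol that log_g y = log_h z; a forgery then has to produce the CDH value h^x rather than be extracted by a forking-lemma rewind. The Python below is an added toy illustration of that construction, not the authors' code. The 64-bit safe-prime group, SHA-256 standing in for both random oracles, and the squaring-based hash-to-group are my own assumptions for a runnable example; nothing here is a standard encoding.

```python
"""EDL signatures: Schnorr-style signing plus a Chaum-Pedersen proof that
log_g(y) == log_h(z) for h = H(m, r).  Added toy illustration, not the paper's code."""
import hashlib
import secrets


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin, only used to build the toy test group."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _toy_safe_prime(bits: int = 64):
    """Deterministic search for p = 2q + 1 with p and q prime."""
    q = (1 << (bits - 2)) | 1
    while not (_is_probable_prime(q) and _is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


# Toy group parameters (assumption: 64 bits is far too small for real use;
# deploy with a >= 2048-bit MODP group or an elliptic curve instead).
P, Q = _toy_safe_prime(64)
G = 4                               # a square mod p, so it generates the order-q subgroup
NB = (P.bit_length() + 7) // 8      # bytes per group element in hash inputs


def _h_int(*parts: bytes) -> int:
    h = hashlib.sha256()
    for part in parts:              # length-prefix each part to avoid ambiguity
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big")


def hash_to_group(msg: bytes, r: bytes) -> int:
    """H: {0,1}* -> <g>.  Squaring a hash mod p lands in the order-q subgroup
    without revealing log_g of the result; retry on a counter if we hit 0 or 1."""
    ctr = 0
    while True:
        h = pow(_h_int(b"H", msg, r, ctr.to_bytes(4, "big")) % P, 2, P)
        if h > 1:
            return h
        ctr += 1


def hash_to_scalar(*elems: int) -> int:
    """H': Z_q-valued Fiat-Shamir challenge over the transcript (g, h, y, z, u, v)."""
    return _h_int(b"H'", *(e.to_bytes(NB, "big") for e in elems)) % Q


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign(x: int, y: int, msg: bytes):
    r = secrets.token_bytes(16)          # per-signature salt fed into H
    h = hash_to_group(msg, r)
    z = pow(h, x, P)                     # z = h^x: the same secret on a fresh base
    k = secrets.randbelow(Q)
    u, v = pow(G, k, P), pow(h, k, P)    # Chaum-Pedersen commitments
    c = hash_to_scalar(G, h, y, z, u, v)
    s = (k + c * x) % Q
    return z, r, s, c


def verify(y: int, msg: bytes, sig) -> bool:
    z, r, s, c = sig
    if not (1 < z < P and pow(z, Q, P) == 1 and 0 <= s < Q and 0 <= c < Q):
        return False                     # subgroup membership and range checks
    h = hash_to_group(msg, r)
    u = pow(G, s, P) * pow(y, Q - c, P) % P   # g^s * y^-c recovers g^k
    v = pow(h, s, P) * pow(z, Q - c, P) % P   # h^s * z^-c recovers h^k iff z = h^x
    return c == hash_to_scalar(G, h, y, z, u, v)
```

One check a practitioner should keep in mind: the tight CDH argument needs H(m, r) to land in the group without anyone learning its discrete log, which is why the example squares a hash modulo p instead of computing g^(hash). With h = g^e for a known e, anyone can compute z = y^e, the second component carries no CDH information, and one is back to a Schnorr-style analysis.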
2007
After years of almost full confidence in the security of common hash functions such as MD5 and SHA-1, the cryptographic community is now facing the unprecedented threat of seeing practical security applications succumb to concrete attacks. One way to cope with this crisis is to hasten the development of new hash functions, but another crucial task is to assess the implications these attacks on hash functions may have on cryptographic systems. This paper reports a thorough investigation of how recent attacks on hash functions impact the security of signature schemes. We suggest the notion of probabilistic hash-and-sign signatures and further classify signature schemes into various related categories, which allow us to identify completely the nature of the security relations between signature schemes and their inner hash functions. We also determine how using iterated hash functions à la Merkle-Damgård impacts the security of deterministic (resp. probabilistic) hash-and-sign signatures. We confirm that the security gain inherent to using the probabilistic hash-and-sign paradigm may be lost completely if it is instantiated with a Merkle-Damgård hash function and an unwise operating mode.
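As an added example, constructed here and not taken from the paper, the toy Merkle-Damgård hash below has a 16-bit chaining value, so a collision is found by exhaustive search, and is then used to compare two ways of randomizing a hash-and-sign scheme: hashing m || r versus r || m before the signing step. An offline collision (m1, m2) between equal-length messages transfers to m1 || r and m2 || r for every r because of the iterated structure, so appending the randomness gives no gain; prepending it forces the attacker to find the collision only after the signer has picked r. The block size, padding rule and SHA-256-based compression function are my own toy choices.

```python
"""Why the operating mode of a probabilistic hash-and-sign scheme matters with a
Merkle-Damgard hash.  Toy MD hash with a 16-bit chaining value (truncated
SHA-256 as the compression function) so that collisions are cheap to find."""
import hashlib

BLOCK = 4           # block size in bytes (toy)
STATE_BYTES = 2     # 16-bit chaining value: a collision needs <= 2^16 + 1 trials
IV = 0x5A5A


def compress(state: int, block: bytes) -> int:
    """Compression function f: {0,1}^16 x {0,1}^32 -> {0,1}^16 (truncated SHA-256)."""
    d = hashlib.sha256(state.to_bytes(STATE_BYTES, "big") + block).digest()
    return int.from_bytes(d[:STATE_BYTES], "big")


def md_pad(msg: bytes) -> bytes:
    """MD strengthening: append 0x80, zero-fill, then a 2-byte bit length."""
    out = msg + b"\x80"
    while (len(out) + 2) % BLOCK:
        out += b"\x00"
    return out + ((8 * len(msg)) & 0xFFFF).to_bytes(2, "big")


def md_hash(msg: bytes) -> int:
    """Iterate f over the padded blocks starting from the fixed IV."""
    state = IV
    padded = md_pad(msg)
    for i in range(0, len(padded), BLOCK):
        state = compress(state, padded[i:i + BLOCK])
    return state


def find_collision():
    """Two distinct one-block messages with the same chaining value after the
    first compression.  By pigeonhole this needs at most 2^16 + 1 trials."""
    seen = {}
    for n in range(1 << 17):
        blk = n.to_bytes(BLOCK, "big")
        st = compress(IV, blk)
        if st in seen:
            return seen[st], blk
        seen[st] = blk
    raise RuntimeError("unreachable: pigeonhole guarantees a collision")


# Two ways of mixing the signer's per-signature randomness r into the hash
# input before the (RSA/DSA/...) signing step.
def hash_append(msg: bytes, r: bytes) -> int:
    return md_hash(msg + r)          # unwise: randomness after the message


def hash_prepend(msg: bytes, r: bytes) -> int:
    return md_hash(r + msg)          # randomness before the message


def collision_transfers(mode, m1: bytes, m2: bytes, r: bytes) -> bool:
    """Given an offline collision (m1, m2) on the bare hash, does a signature
    computed on mode(m1, r) also verify for m2 with the same r?"""
    return mode(m1, r) == mode(m2, r)


def demo():
    """Count, over a few constructed salts, how often the offline collision
    survives each operating mode.  Expect every salt for append, none for prepend."""
    m1, m2 = find_collision()
    assert m1 != m2 and len(m1) == len(m2) and md_hash(m1) == md_hash(m2)
    # Constructed sample values standing in for the signer's random salt.
    salts = [b"\x00\x01\x02\x03", b"\xde\xad\xbe\xef", b"salt", b"\xff" * 4]
    return {
        "append": sum(collision_transfers(hash_append, m1, m2, r) for r in salts),
        "prepend": sum(collision_transfers(hash_prepend, m1, m2, r) for r in salts),
    }
```

The append case is exact, not probabilistic: after the first block both messages reach the same chaining value and every later block (salt, padding, length field) is identical, so the signer's randomness is simply carried along with the collision. Note that the argument needs m1 and m2 to have the same length, which is what real collision attacks on MD5 and SHA-1 deliver anyway.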
Most prior designated confirmer signature schemes either prove security in the random oracle model (ROM) or use general zero-knowledge proofs for NP statements (making them impractical). By slightly modifying the definition of designated confirmer signatures, Goldwasser and Waisbard presented an approach in which the Confirm and ConfirmedSign protocols could be implemented without appealing to general zero-knowledge proofs for NP statements (their Disavow protocol still requires them). The Goldwasser-Waisbard approach could be instantiated using Cramer-Shoup, GMR, or Gennaro-Halevi-Rabin signatures. In this paper, we provide an alternate generic transformation to convert any signature scheme into a designated confirmer signature scheme, without adding random oracles. Our key technique involves the use of a signature on a commitment and a separate encryption of the random string used for commitment. By adding this "layer of indirection," the underlying protocols in our schemes admit efficient instantiations (i.e., we can avoid appealing to general zero-knowledge proofs for NP statements) and furthermore the performance of these protocols is not tied to the choice of underlying signature scheme. We illustrate this using the Camenisch-Shoup variation on Paillier's cryptosystem and Pedersen commitments. The confirm protocol in our resulting scheme requires 10 modular exponentiations (compared to 320 for Goldwasser-Waisbard) and our disavow protocol requires 41 modular exponentiations (compared to using a general zero-knowledge proof for Goldwasser-Waisbard). Previous schemes use the encryption of a signature paradigm, and thus run into problems when trying to implement the confirm and disavow protocols efficiently.
2003
Motivated by privacy issues associated with dissemination of signed digital certificates, we define a new type of signature scheme called a ‘Universal Designated-Verifier Signature’ (UDVS). A UDVS scheme can function as a standard publicly-verifiable digital signature but has additional functionality which allows any holder of a signature (not necessarily the signer) to designate the signature to any desired designated-verifier (using the verifier’s public key). Given the designated-signature, the designated-verifier can verify that the message was signed by the signer, but is unable to convince anyone else of this fact. We propose an efficient deterministic UDVS scheme constructed using any bilinear group-pair. Our UDVS scheme functions as a standard Boneh-Lynn-Shacham (BLS) signature when no verifier-designation is performed, and is therefore compatible with the key-generation, signing and verifying algorithms of the BLS scheme. We prove that our UDVS scheme is secure in the sense of our unforgeability and privacy notions for UDVS schemes, under the Bilinear Diffie-Hellman (BDH) assumption for the underlying group-pair, in the random-oracle model. We also demonstrate a general constructive equivalence between a class of unforgeable and unconditionally-private UDVS schemes having unique signatures (which includes the deterministic UDVS schemes) and a class of ID-Based Encryption (IBE) schemes which contains the Boneh-Franklin IBE scheme but not the Cocks IBE scheme.
Advances in Cryptology, CRYPTO '92
This paper presents a three-move interactive identification scheme and proves it to be as secure as the discrete logarithm problem. This provably secure scheme is almost as efficient as the Schnorr identification scheme, while the Schnorr scheme is not provably secure. This paper also presents another practical identification scheme which is proven to be as secure as the factoring problem and is almost as efficient as the Guillou-Quisquater identification scheme; the Guillou-Quisquater scheme is not provably secure. We also propose practical digital signature schemes based on these identification schemes. The signature schemes are almost as efficient as the Schnorr and Guillou-Quisquater signature schemes, while the security assumptions of our signature schemes are weaker than those of the Schnorr and Guillou-Quisquater signature schemes. This paper also gives a theoretically generalized result: a three-move identification scheme can be constructed which is as secure as the random-self-reducible problem. Moreover, this paper proposes a variant which is proven to be as secure as the difficulty of solving both the discrete logarithm problem and the specific factoring problem simultaneously. Some other variants such as an identity-based variant and an elliptic curve variant are also proposed.
Journal of Discrete Mathematical Sciences and Cryptography
In this paper we propose a new digital signature protocol inspired by the DSA algorithm. Its security and complexity are analyzed. Our method constitutes an alternative should the classical DSA scheme be broken.
Journal of Cryptology, 2009
Ring signatures, first introduced by Rivest, Shamir, and Tauman, enable a user to sign a message so that a ring of possible signers (of which the user is a member) is identified, without revealing exactly which member of that ring actually generated the signature. In contrast to group signatures, ring signatures are completely "ad-hoc" and do not require any central authority or coordination among the various users (indeed, users do not even need to be aware of each other); furthermore, ring signature schemes grant users fine-grained control over the level of anonymity associated with any particular signature. This paper has two main areas of focus. First, we examine previous definitions of security for ring signature schemes and suggest that most of these prior definitions are too weak, in the sense that they do not take into account certain realistic attacks. We propose new definitions of anonymity and unforgeability which address these threats, and give separation results proving that our new notions are strictly stronger than previous ones. Second, we show the first constructions of ring signature schemes in the standard model. One scheme is based on generic assumptions and satisfies our strongest definitions of security. Two additional schemes are more efficient, but achieve weaker security guarantees and more limited functionality.
2006
Since the first idea of digital signatures based on public key algorithms appeared, many properties have been added and numerous novel schemes have been developed. Alongside this growth, a novel idea in identification schemes based on public key algorithms has also been presented, namely zero-knowledge proof of identity. However, along with this development many remarkable schemes, for instance the
2006
Universal designated verifier signatures (UDVS) were introduced in 2003 by Steinfeld et al. to allow signature holders to control the verification of a given signature, in the sense that any plain signature can be publicly turned into a signature which is only verifiable by some specific designated verifier. Privacy issues, like non-dissemination of digital certificates, are the main motivation to study such primitives. In this paper, we propose two fairly efficient UDVS schemes which are secure (in terms of unforgeability and anonymity) in the standard model (i.e. without random oracles). Their security relies on algorithmic assumptions which are much more classical than the assumptions involved in the only two UDVS schemes in the standard model known to date. The latter schemes, put forth by Zhang et al. in 2005 and Vergnaud in 2006, rely on the Strong Diffie-Hellman assumption and the strange-looking knowledge of exponent assumption (KEA). Our schemes are obtained from Waters's signature and do not need the KEA assumption. They are also the first random-oracle-free constructions with the anonymity property.
2019
A new hash-based, server-supported digital signature scheme was proposed recently in [13]. We decompose the concept into forward-resistant tags and a generic cryptographic time-stamping service. Based on the decomposition, we propose more tag constructions which allow efficient digital signature schemes with interesting properties to be built. In particular, the new schemes are more suitable for use in personal signing devices, such as smart cards, which are used infrequently. We define the forward-resistant tags formally and prove that (1) the discussed constructs are indeed tags and (2) combining such tags with time-stamping services gives us signature schemes.
An Introduction to Digital Signature Schemes, 2010
Today, all types of digital signature schemes emphasize secure and effective verification methods. Different digital signature schemes are used by websites, security organizations, banks and so on to verify a user's validity. Digital signature schemes are categorized into several types such as proxy, one-time, batch and so on. In this paper, different types of schemes are compared on security level, efficiency, difficulty of the algorithm and so on. The results show that the best scheme depends on security, complexity and other important parameters. We have tried to define the schemes simply and to review them in practice.
Many have contributed in one way or another to this dissertation coming into being in the form in which it now stands. Any attempt at a complete list would have to fail; let me first mention those who cannot be named, because they served as anonymous reviewers for conferences and in doing so contributed suggestions on the presentation of some of the results presented here. Also to be named is David Hopwood, who found a gap in an earlier version of the discussion of the provable security of the mix scheme (here in Section 4.2). Prof. Johannes Buchmann understood in a remarkable way how to create the working conditions in which this dissertation could flourish, and provided valuable suggestions. Everyone else at the Fachgebiet Theoretische Informatik (Theoretical Computer Science group) also had a part in creating a pleasant and fruitful working atmosphere. Thank you!
International Journal of Computing and Digital Systems
The notion of a "signature scheme" offers ways to solve message and key security problems. A signature scheme aims to secure channels, IoT nodes and blockchains so that they can use public resources and provide high-quality services. Information and communication systems play a prominent role in IoT and blockchain applications. These signature schemes provide trust-free transparency, pseudo-anonymity, equality, motorization, decentralization and protection. The article contributes a comprehensive analysis of the literature on pairing-based and pairing-free schemes, which provide high security, cost-effectiveness, high service quality and several keys for lightweight components. Our proposed approach analyzes the security schemes and differentiates the different security levels. The schemes reviewed are presented with their research contribution and research motivation. Finally, the article presents a well-organized foundation for future work and a segregation analysis of security models and schemes. This article benefits new researchers with detailed information about signatures and critical security analysis.
This paper presents a threshold designated receiver signature scheme with the characteristic that the signature can be verified only with the assistance of the signature recipient. The aim of the proposed signature scheme is to protect the privacy of the signature recipient. In many applications of such signatures the signed document holds data that is sensitive to the recipient personally; in these applications the signer is usually a single entity, but if the document is issued on behalf of a company it may need more than one signer. The threshold technique is therefore employed to address this problem. In addition, we introduce its use in a shared signature scheme with threshold verification. The resulting scheme is efficient and dynamic.
Lecture Notes in Computer Science, 2009
Designated Confirmer signatures were introduced to limit the verification property inherent to digital signatures. In fact, the verification in these signatures is replaced by a confirmation/denial protocol between the designated confirmer and some verifier. An intuitive way to obtain such signatures consists in first generating a digital signature on the message to be signed, then encrypting the result using a suitable encryption scheme. This approach, referred to as the "encryption of a signature" paradigm, requires the constituents (encryption and signature schemes) to meet the highest security notions in order to achieve secure constructions. In this paper, we revisit this method and establish the necessary and sufficient assumptions on the building blocks in order to attain secure confirmer signatures. Our study concludes that the paradigm, used in its basic form, cannot allow a class of encryption schemes, which is vital for the efficiency of the confirmation/denial protocols. Next, we consider a slight variation of the paradigm, proposed in the context of undeniable signatures; we recast it in the confirmer signature framework along with changes that yield more flexibility, and we demonstrate its efficiency by explicitly describing its confirmation/denial protocols when instantiated with building blocks from a large class of signature/encryption schemes. Interestingly, the class of signatures we consider is very popular and has been for instance used to build efficient designated verifier signatures.
International Journal of Information Security, 2011
Designated verifier signature (DVS) is a cryptographic primitive that allows a signer to convince a verifier of the validity of a statement in a way that the verifier is unable to transfer the conviction to a third party. In DVS, signatures are publicly verifiable; the validity of a signature ensures only that it is from either the signer or the verifier. Strong DVS (SDVS) enhances the privacy of the signer so that no one except the designated verifier can verify the signer's signatures.