2009, Lecture Notes in Computer Science
In many applications, it is desirable to work with signatures that are both short, and yet where many messages from different signers can be verified very quickly. RSA signatures satisfy the latter condition, but are generally thousands of bits in length. Recent developments in pairing-based cryptography produced a number of "short" signatures which provide equivalent security in a fraction of the space. Unfortunately, verifying these signatures is computationally intensive due to the expensive pairing operation. In an attempt to simultaneously achieve "short and fast" signatures, Camenisch, Hohenberger and Pedersen (Eurocrypt 2007) showed how to batch verify two pairing-based schemes so that the total number of pairings was independent of the number of signatures to verify.
Journal of Cryptology, 2004
We introduce a short signature scheme based on the Computational Diffie-Hellman assumption on certain elliptic and hyperelliptic curves. For standard security parameters, the signature length is about half that of a DSA signature with a similar level of security. Our short signature scheme is designed for systems where signatures are typed in by a human or are sent over a low-bandwidth channel. We survey a number of properties of our signature scheme such as signature aggregation and batch verification.
2009
An identity based signature scheme allows any pair of users to communicate securely and to verify each other's signatures without exchanging public key certificates. An aggregate signature scheme is a digital signature scheme which supports aggregation of signatures. Batch verification is a method to verify multiple signatures at once. Aggregate signature is useful in reducing both communication and computation cost. In this paper, we describe the breaks possible in some of the aggregate signature schemes and batch verification scheme.
Sādhanā, 2019
In this paper, we propose an efficient batch verification algorithm for ECDSA* (Elliptic Curve Digital Signature Algorithm)* signatures. Our scheme is efficient for both single and multiple signers. ECDSA* signature is a modified version of ECDSA, which accelerates the verification of ECDSA signature by more than 40%. However, the highlighting feature of our proposed scheme is its efficiency for varied batch sizes. The scheme is resistant to forgery attacks by either signer or intruder. The performance of our scheme remains consistent for higher batch sizes too (≥ 8). Our paper also discusses the possible attacks on ECDSA signatures and also how our scheme is resistant to such attacks.
Information Security Technical Report, 2013
Wireless handheld devices which support e-mail and web browsing are increasingly popular. The authenticity of the information received is important, especially for business uses. In server-aided verification (SAV), a substantial part of the verification computation can be offloaded to a powerful but possibly untrusted server. This allows resource-constrained devices to enjoy the security guarantees provided by cryptographic schemes, such as pairing-based signatures, which may be too heavyweight to verify otherwise.
International Journal of Computing and Digital Systems
The notion of a "Signature scheme" carries possibilities to solve the message and key security problems. A signature scheme aims to secure the channels, IoT nodes, and Blockchain to use public resources and provide high-quality services. The Information and communication system acquires a prominent role in IoT and Blockchain applications. These signature schemes provide trust-free transparency, pseudo-anonymity, equality, motorization, decentralization, and protection. The article contributes a pervasive analysis of the literature pairing, and the non-pairing scheme provides high Security, cost-effectiveness, high service, and several keys for lightweight components. Our proposed approach analyzes the security schemes and differentiates the different security levels. The schemes introduced research contribution and research motivation. Finally, the article presents a well-organized fundamental for future work, segregation analysis of security models and schemes. This article benefits the new researcher with detailed information about signatures and critical security analysis.
2006
Abstract. Ring signature is a group-oriented signature in which the signer can spontaneously form a group and generate a signature such that the verifier is convinced the signature was generated by one member of the group and yet does not know who actually signed. Linkable ring signature is a variant such that two signatures can be linked if and only if they were signed by the same person. Recently, the first short linkable ring signature has been proposed.
2006
We propose a short traceable signature scheme based on bilinear pairings. Traceable signatures, introduced by Kiayias, Tsiounis and Yung (KTY), support an extended set of fairness mechanisms (mechanisms for anonymity management and revocation) when compared with the traditional group signatures. Designing short signatures based on the power of pairing has been a current activity of cryptographic research, and is especially needed for long constructions like that of traceable signatures. The size of a signature in our scheme is less than one third of the size in the KTY scheme and about 40% of the size of the pairing based traceable signature (which has been the shortest till today). The security of our scheme is based on the Strong Diffie-Hellman assumption and the Decision Linear Diffie-Hellman assumption. We prove the security of our system in random oracle model using the security model given by KTY.
2010
Keywords: Cryptography; Multisignature; Computational Diffie-Hellman (CDH) with bilinear maps (co-CDH); Discrete Logarithm (DL); Decisional Diffie-Hellman (DDH); Plain public-key model; Random oracle model. Multisignatures extend standard digital signatures to allow an ad hoc set of users to jointly sign a message. Multisignature schemes are often evaluated from the following perspectives: (1) the cryptographic assumptions underlying the schemes; (2) the operational assumptions about the bootstrapping of the schemes in practice; (3) the number of communication rounds for signing a message; (4) the time complexity for signing a message; (5) the amount of communication for signing a message; (6) the time complexity for verifying a multisignature; (7) the length of the resulting multisignatures. Existing multisignature schemes achieve various trade-offs among these measures, but none of them can achieve simultaneously the desired properties with respect to all (or even most) of these measures. In this paper, we present a novel multisignature scheme that offers desired properties with respect to the above (1)-(7) simultaneously, except that it uses random oracles (which however are often required in order to design practical schemes). In particular, our scheme is featured by its weak operational (i.e., plain public-key) model, non-interactive signing, and efficient verification.
Journal of Information Processing, 2012
To enhance user privacy, anonymous credential systems allow the user to convince a verifier of the possession of a certificate issued by the issuing authority anonymously. The typical application is the privacy-enhancing electronic ID (eID). Although a previously proposed system achieves the constant complexity in the number of finite-set attributes of the user, it requires the use of RSA. In this paper, we propose a pairing-based anonymous credential system excluding RSA that achieves the constant complexity. The key idea of our proposal is the adoption of a pairing-based accumulator that outputs a constant-size value from a large set of input values. Using zero-knowledge proofs of pairing-based certificates and accumulators, any AND and OR relation can be proved with the constant complexity in the number of finite-set attributes. We implement the proposed system using the fast pairing library, compare the efficiency with the conventional systems, and show the practicality in a mobile eID application.
2004
In Asiacrypt2001, Boneh, Lynn, and Shacham [8] proposed a short signature scheme (BLS scheme) using bilinear pairing on certain elliptic and hyperelliptic curves. Subsequently numerous cryptographic schemes based on BLS signature scheme were proposed. BLS short signature needs a special hash function . This hash function is probabilistic and generally inefficient. In this paper, we propose a new short signature scheme from the bilinear pairings that unlike BLS, uses general cryptographic hash functions such as SHA-1 or MD5, and does not require special hash functions. Furthermore, the scheme requires less pairing operations than BLS scheme and so is more efficient than BLS scheme. We use this signature scheme to construct a ring signature scheme and a new method for delegation. We give the security proofs for the new signature scheme and the ring signature scheme in the random oracle model.
Journal of Computer Science and Technology, 2013
The concept of batch verifying multiple digital signatures is to find a method by which multiple digital signatures can be verified simultaneously in a lower time complexity than separately verifying all the signatures. In this article, we analyze the complexity of the batch verifying schemes defined by Li, Hwang and Chen in 2010, and propose a new batch verifying multiple digital signature scheme, in two variants: one for RSA, by completing the Harn's schema with an identifying illegal signatures algorithm, and the other adapted for a modified Elliptic Curve Digital Signature Algorithm protocol.
2018
An aggregate signature is a short digital signature which is the output of aggregation process. The signature aggregation is done on k signatures of k distinct messages from k distinct users. As the produced signature size is shorter, so it will be efficient to use the schemes in low-bandwidth communication environment. In this paper, we proposed two identity-based aggregate signature schemes from bilinear pairing operations. The proposed schemes are secure against existential forgery under adaptively chosen message and identity attack in the random oracle model based on the assumption of intractability of the computational Diffie–Hellman problem (CDHP). The efficiency analysis of the proposed identity-based aggregate signature schemes with other established identity-based aggregate signature schemes is also done in this paper.
Ring signature is a group-oriented signature with privacy concerns: any verifier can be convinced that the message has been signed by one of the members in the group, but the actual signer remains unknown. Several ring signature schemes based on bilinear pairings have been proposed. However, computational complexity for pairing computations of these ring signature schemes grows linearly with the size of the ring. In this paper, we propose an efficient ring signature with constant pairing computations and give its exact security proofs in the random oracle model under the Computational co-Diffie–Hellman assumption. We then investigate the performance of our scheme by choosing the Optimal Ate pairing on the BN curve defined over a prime field at a 128-bit security level.
IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences
Digital signatures whose security does not rely on any unproven computational assumption have recently received considerable attention. While these unconditionally secure digital signatures provide a foundation for long term integrity and non-repudiation of data, currently known schemes generally require a far greater amount of memory space for the storage of secret and public keys than a traditional digital signature. The focus of this paper is on methods for reducing memory requirements of unconditionally secure digital signatures. A major contribution of this paper is to propose two novel unconditionally secure digital signature schemes, one called a symmetric construction and other an asymmetric construction, which require a significantly smaller amount of memory. As a specific example, with a typical parameter setting the required memory size for a user is reduced to be approximately 1/10 of that in a previously known scheme. Another contribution of the paper is to show an attack on a multireceiver authentication code which was proposed by Safavi-Naini and Wang. A simple method to fix the problem of the multireceiver authentication code is also proposed. Key words: digital signature, unconditional security
International Journal of Computer Applications, 2017
This paper introduces a new scheme "A Public Verifiability Signcryption Scheme Without Pairings", based on elliptic curve discrete logarithm problem (ECDLP) and in addition to achieve the functionality of the Signcryption schemes, unforgeability, confidentiality and nonrepudiation, it achieves forward security and public verifiability directly. Also, it uses a strong encryption key depends on random choose value and the sender's private key, although the proposed scheme is slower than the Zheng's signcryption scheme, it achieves saving in communication overhead reach to 50% with respect to the traditional approach signature then encryption. The proposed scheme has been verified using the Mathematica program.
1987
In this paper we describe simple identification and signature schemes which enable any user to prove his identity and the authenticity of his messages to any other user without shared or public keys. The schemes are provably secure against any known or chosen message attack if factoring is difficult, and typical implementations require only 1% to 4% of the number of modular multiplications required by the RSA scheme. Due to their simplicity, security and speed, these schemes are ideally suited for microprocessor-based devices such as smart cards, personal computers, and remote control systems. 1) Authentication schemes: A can prove to B that he is A, but someone else cannot prove to B that he is A. 2) Identification schemes: A can prove to B that he is A, but B cannot prove to someone 3) Signature schemes: A can prove to B that he is A, but B cannot prove even to himself Authentication schemes are useful only against external threats when A and B cooperate. The distinction between identification and signature schemes is subtle, and manifests itself mainly when the proof is interactive and the verifier later wants to prove its existence to a judge: In identification schemes B can create a credible transcript of an imaginary communication by carefully choosing both the questions and the answers in the dialog, while in signature schemes only real communication with A could generate a credible transcript. However, in many commercial and military applications the main problem is to detect forgeries in real time and to deny the service,
Lecture Notes in Computer Science, 2011
After the introduction of designated confirmer signatures (DCS) by Chaum in 1994, considerable researches have been done to build generic schemes from standard digital signatures and construct efficient concrete solutions. In DCS schemes, a signature cannot be verified without the help of either the signer or a semi-trusted third party, called the designated confirmer. If necessary, the confirmer can further convert a DCS into an ordinary signature that is publicly verifiable. However, there is one limit in most existing schemes: the signer is not given the ability to disavow invalid DCS signatures. Motivated by this observation, in this paper we first propose a new variant of DCS model, called designated confirmer signatures with unified verification, in which both the signer and the designated confirmer can run the same protocols to confirm a valid DCS or disavow an invalid signature. Then, we present the first DCS scheme with unified verification and prove its security in the random oracle (RO) model and under a new computational assumption, called Decisional Coefficient Linear (D-co-L) assumption, whose intractability in pairing settings is shown to be equivalent to the well-known Decisional Bilinear Diffie-Hellman (DBDH) assumption. The proposed scheme is constructed by encrypting Boneh, Lynn and Shacham's pairing based short signatures with signed ElGamal encryption. The resulting solution is efficient in both aspects of computation and communication. In addition, we point out that the proposed concept can be generalized by allowing the signer to run different protocols for confirming and disavowing signatures.
Lecture Notes in Computer Science, 2014
In AfricaCrypt 2012, several algorithms are proposed for the batch verification of ECDSA signatures. In this paper, we propose three randomization methods for these batch-verification algorithms. Our first proposal is based on Montgomery ladders, and the second on computing square-roots in the underlying field. Both these techniques use numeric arithmetic only. Our third proposal exploits symbolic computations leading to a seminumeric algorithm. We theoretically and experimentally establish that for standard ECDSA signatures, our seminumeric randomization algorithm in tandem with the batch-verification algorithm S2 gives the best speedup over individual verification. If each ECDSA signature contains an extra bit to uniquely identify the correct y-coordinate of the elliptic-curve point appearing in the signature, then the second numeric randomization algorithm followed by the naive batch-verification algorithm N yields the best performance gains. We detail our study for NIST prime and Koblitz curves.
2006
An aggregate signature is a single short string that convinces any verifier that, for all 1 ≤ i ≤ n, signer S_i signed message M_i, where the n signers and n messages may all be distinct. The main motivation of aggregate signatures is compactness. However, while the aggregate signature itself may be compact, aggregate signature verification might require potentially lengthy additional information – namely, the (at most) n distinct signer public keys and the (at most) n distinct messages being signed. If the verifier must obtain and/or store this additional information, the primary benefit of aggregate signatures is largely negated. This paper initiates a line of research whose ultimate objective is to find a signature scheme in which the total information needed to verify is minimized. In particular, the verification information should preferably be as close as possible to the theoretical minimum: the complexity of describing which signer(s) signed what message(s). We move toward this objective by developing identity-based aggregate signature schemes. In our schemes, the verifier does not need to obtain and/or store various signer public keys to verify; instead, the verifier only needs a description of who signed what, along with two constant-length “tags”: the short aggregate signature and the single public key of a Private Key Generator. Our scheme is secure in the random oracle model under the computational Diffie-Hellman assumption over pairing-friendly groups against an adversary that chooses its messages and its target identities adaptively.
Lecture Notes in Computer Science, 1998
Many tasks in cryptography (e.g., digital signature verification) call for verification of a basic operation like modular exponentiation in some group: given (g, x, y) check that g^x = y. This is typically done by re-computing g^x and checking we get y. We would like to do it differently, and faster. The approach we use is batching. Focusing first on the basic modular exponentiation operation, we provide some probabilistic batch verifiers, or tests, that verify a sequence of modular exponentiations significantly faster than the naive re-computation method. This yields speedups for several verification tasks that involve modular exponentiations. Focusing specifically on digital signatures, we then suggest a weaker notion of (batch) verification which we call "screening." It seems useful for many usages of signatures, and has the advantage that it can be done very fast; in particular, we show how to screen a sequence of RSA signatures at the cost of one RSA verification plus hashing.