2012, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
The well-known forking lemma by Pointcheval and Stern has been used to prove the security of the so-called generic signature schemes. These signature schemes are obtained via the Fiat-Shamir transform from three-pass identification schemes. A number of five-pass identification protocols have been proposed in the last few years. Extending the forking lemma and the Fiat-Shamir transform would make it possible to obtain new signature schemes since, unfortunately, these newly proposed schemes fall outside the original framework. In this paper, we provide an extension of the forking lemma in order to assess the security of what we call n-generic signature schemes. These include signature schemes that are derived from certain (2n + 1)-pass identification schemes. We thus obtain a generic methodology for proving the security of a number of signature schemes derived from recently published five-pass identification protocols, and potentially for (2n + 1)-pass identification schemes to come.
Lecture Notes in Computer Science, 1998
Signature schemes that are derived from three-move identification schemes such as the Fiat-Shamir, Schnorr and modified ElGamal schemes are a typical class of the most practical signature schemes. The random oracle paradigm [1, 2, 12] is useful to prove the security of such a class of signature schemes [4, 12]. This paper presents a new key technique, "ID reduction", to show the concrete security result of this class of signature schemes under the random oracle paradigm. First, we apply this technique to the Schnorr and modified ElGamal schemes, and show the "concrete security analysis" of these schemes. We then apply it to the multi-signature schemes.
Advances in Cryptology — CRYPTO’ 92
This paper presents a three-move interactive identification scheme and proves it to be as secure as the discrete logarithm problem. This provably secure scheme is almost as efficient as the Schnorr identification scheme, while the Schnorr scheme is not provably secure. This paper also presents another practical identification scheme which is proven to be as secure as the factoring problem and is almost as efficient as the Guillou-Quisquater identification scheme; the Guillou-Quisquater scheme is not provably secure. We also propose practical digital signature schemes based on these identification schemes. The signature schemes are almost as efficient as the Schnorr and Guillou-Quisquater signature schemes, while the security assumptions of our signature schemes are weaker than those of the Schnorr and Guillou-Quisquater signature schemes. This paper also gives a theoretically generalized result: a three-move identification scheme can be constructed which is as secure as the random-self-reducible problem. Moreover, this paper proposes a variant which is proven to be as secure as the difficulty of solving both the discrete logarithm problem and the specific factoring problem simultaneously. Some other variants such as an identity-based variant and an elliptic curve variant are also proposed.
IEEE Transactions on Information Theory, 2000
The Fiat-Shamir paradigm for transforming identification schemes into signature schemes has been popular since its introduction because it yields efficient signature schemes, and has been receiving renewed interest of late as the main tool in deriving forward-secure signature schemes. In this paper, minimal (meaning necessary and sufficient) conditions on the identification scheme to ensure security of the signature scheme in the random oracle model are determined, both in the usual and in the forward-secure cases. Specifically, it is shown that the signature scheme is secure (respectively, forward-secure) against chosen-message attacks in the random oracle model if and only if the underlying identification scheme is secure (respectively, forward-secure) against impersonation under passive (i.e., eavesdropping only) attacks, and has its commitments drawn at random from a large space. An extension is proven incorporating a random seed into the Fiat-Shamir transform so that the commitment space assumption may be removed.
Lecture Notes in Computer Science, 2010
The Fiat-Shamir (FS) transform is a popular tool to produce particularly efficient digital signature schemes out of identification protocols. It is known that the resulting signature scheme is secure (in the random oracle model) if and only if the identification protocol is secure against passive impersonators. A similar result holds for constructing ID-based signature schemes out of ID-based identification protocols. The transformation has also been applied to identification protocols with additional privacy properties. So, via the FS transform, ad-hoc group identification schemes yield ring signatures and identity escrow schemes yield group signature schemes. Unfortunately, results akin to those above are not known to hold for these latter settings and the security of the resulting schemes needs to be proved from scratch, or worse, it is often simply assumed. Therefore, the security of the schemes obtained this way does not clearly follow from that of the base identification protocol and needs to be proved from scratch. Even worse, some papers seem to simply assume that the transformation works without proof. In this paper we provide the missing foundations for the use of the FS transform in these more complex settings. We start with defining a formal security model for identity escrow schemes (a concept proposed earlier but never rigorously formalized). Our main result consists of necessary and sufficient conditions for an identity escrow scheme to yield (via the FS transform) a secure group signature scheme. In addition, we discuss several variants of this result that account for the constructions of group signatures that fulfill weaker notions of security. In addition, using the similarity between group and ring signature schemes we give analogous results for the latter primitive.
2006
Since the invention of the first idea of digital signatures based on public key algorithms, many properties have been added, and numerous novel schemes have been developed. Besides this growth, a novel idea in identification schemes based on public key algorithms has also been presented, that is, zero-knowledge proof of identity. However, along with this development many remarkable schemes, for instance the
2019
A new hash-based, server-supported digital signature scheme was proposed recently in [13]. We decompose the concept into forward-resistant tags and a generic cryptographic time-stamping service. Based on the decomposition, we propose more tag constructions which allow efficient digital signature schemes with interesting properties to be built. In particular, the new schemes are more suitable for use in personal signing devices, such as smart cards, which are used infrequently. We define the forward-resistant tags formally and prove that (1) the discussed constructs are indeed tags and (2) combining such tags with time-stamping services gives us signature schemes.
Journal of Cryptology, 2009
This paper provides either security proofs or attacks for a large number of identity-based identification and signature schemes defined either explicitly or implicitly in existing literature. Underlying these is a framework that on the one hand helps explain how these schemes are derived, and on the other hand enables modular security analyses, thereby helping to understand, simplify and unify previous work. We also analyze a generic folklore construction that in particular yields identity-based identification and signature schemes without random oracles.
2006
It has been demonstrated by Bellare, Neven, and Namprempre (Eurocrypt 2004) that identity-based signature schemes can be constructed from any PKI-based signature scheme. In this paper we consider the following natural extension: is there a generic construction of "identity-based signature schemes with additional properties" (such as identity-based blind signatures, verifiably encrypted signatures, ...) from PKI-based signature schemes with the same properties? Our results show that this is possible for a great number of properties including proxy signatures; (partially) blind signatures; verifiably encrypted signatures; undeniable signatures; forward-secure signatures; (strongly) key insulated signatures; online/offline signatures; threshold signatures; and (with some limitations) aggregate signatures. Using well-known results for PKI-based schemes, we conclude that such identity-based signature schemes with additional properties can be constructed, enjoying some better properties than specific schemes proposed until now. In particular, our work implies the existence of identity-based signatures with additional properties that are provably secure in the standard model, do not need bilinear pairings, or can be based on general assumptions.
Wseas Transactions on Computer Research, 2006
Since the introduction of the first concept of the digital signature scheme using public key cryptography, various characteristics have been added and many original algorithms have been raised. In addition to this growth, a new concept in identification methods using public key algorithms has also been introduced, that is, the zero-knowledge protocol. Also, besides this development several significant methods, for example the Fiat-Shamir method, have been established. The Fiat-Shamir scheme is based on a special type of digital signature scheme, specifically the RSA algorithm; this creates a signature for its own, which is defenseless compared with the digital signature established via the RSA scheme. The zero-knowledge protocol proves the rights of the digital signature on publicly known messages. The objective of this paper is to introduce an efficient concept in digital signature schemes using computational delegation, which is believed to be more efficient than the existing methods.
A transitive signature scheme allows a signer to publish a graph in an authenticated and cost-saving manner. The resulting authenticated graph is indeed the transitive closure of the graph constructed by edges which are explicitly signed by the signer. The property of a transitive signature scheme that enables such a scenario is called composability, which means that by knowing signatures on two edges of a triangle, one can infer a valid signature on the other edge of the triangle without knowledge of the signer's secret key, thereby saving the signer from signing one signature. Several transitive signature schemes have been proposed so far [1-3]. Their security assumptions are based on the intractability of computing discrete logarithms, inverting the RSA function, factoring and solving the Diffie-Hellman problem. In this paper, we will present another transitive signature scheme based on the Guillou-Quisquater (GQ for short) signature scheme. The security of our proposed can be proven under th...
An Introduction to Digital Signature Schemes, 2010
Today, all types of digital signature schemes emphasize secure and best verification methods. Different digital signature schemes are used in order for websites, security organizations, banks and so on to verify a user's validity. Digital signature schemes are categorized into several types such as proxy, one-time, batch and so on. In this paper, different types of schemes are compared based on security level, efficiency, difficulty of algorithm and so on. Results show that the best scheme depends on security, complexity and other important parameters. We tried simply to define the schemes and review them in practice.
2009
The use of concatenated Schnorr signatures [Sch91] for the hierarchical delegation of public keys is a well-known technique. In this paper we carry out a thorough analysis of the identity-based signature scheme that this technique yields. The resulting scheme is of interest since it is intuitive, simple and does not require pairings. We prove that the scheme is secure against existential forgery on adaptive chosen message and adaptive identity attacks using a variant of the Forking Lemma [PS00]. The security is proven in the Random Oracle Model under the discrete logarithm assumption. Next, we provide an estimation of its performance, including a comparison with the state of the art on identity-based signatures. We draw the conclusion that the Schnorr-like identity-based signature scheme is arguably the most efficient such scheme known to date.
2008
In this paper, we propose a new signature scheme that is existentially unforgeable under a chosen message attack without random oracles. The security of our scheme depends on a new complexity assumption called the k+1 square roots assumption. We also discuss the relationship between the k+1 square roots assumption and some related problems and provide some conjectures. Moreover, the k+1 square roots assumption can be used to construct shorter signatures under the random oracle model. As some applications, a new chameleon hash signature scheme, an on-line/off-line signature scheme and a new efficient anonymous credential scheme based on the proposed signature scheme are presented.
Proceedings of the 5th International Conference on Information Systems Security and Privacy, 2019
In this paper, we derive code-based signature schemes using the Fiat-Shamir transformation on code-based zero-knowledge identification schemes, namely the Stern scheme, the Jain-Krenn-Pietrzak-Tentes scheme, and the Cayrel-Veron-El Yousfi scheme. We analyze the security of these code-based signature schemes and derive the security parameters to achieve the 128-bit security level. Furthermore, we implement these signature schemes and compare their performance on a PC.
RSA is a popular public key cryptosystem for encrypting and signing messages. In 2008, Harn and Ren introduced a new identity-based RSA multi-signature scheme by adopting Shamir's signature scheme. But we find that there are some flaws in their proposal: First, the original signer's signing secret key can be derived. Second, the verification equation will never hold even if the received signature and message are legal. Third, transmission environments are not taken into consideration. This manuscript will thoroughly discuss Harn and Ren's scheme by showing the mentioned flaws.
IACR Cryptol. ePrint Arch., 2019
Code-based cryptographic schemes recently rose to prominence as quantum-safe alternatives to the currently employed number-theoretic constructions, which do not resist quantum attacks. In this article, we discuss the Courtois-Finiasz-Sendrier signature scheme and derive code-based signature schemes using the Fiat-Shamir transformation from code-based zero-knowledge identification schemes, namely the Stern scheme, the Jain-Krenn-Pietrzak-Tentes scheme, and the Cayrel-Veron-El Yousfi scheme. We analyze the security of these code-based signature schemes and derive the security parameters to achieve the 80-bit and 128-bit levels of classical security. To derive the secure parameters, we have studied the hardness of the syndrome decoding problem. Furthermore, we implement the signature schemes based on the Fiat-Shamir transform which were mentioned above, and compare their performance on a PC.
IET Information Security, 2009
We give a generic construction for universal designated-verifier signature schemes from a large class, C, of signature schemes. The resulting schemes are efficient and have two important properties. Firstly, they are provably DV-unforgeable, non-transferable and also non-delegatable. Secondly, the signer and the designated verifier can independently choose their cryptographic settings. We also propose a generic construction for identity-based signature schemes from any signature scheme in C and prove that the construction is secure against adaptive chosen message and identity attacks. We discuss possible extensions of our constructions to hierarchical identity-based signatures, identity-based universal designated verifier signatures, and identity-based ring signatures from any signature in C.
DEStech Transactions on Engineering and Technology Research, 2017
In this paper, we propose a new assumption, i.e., the computational linear assumption (CLIN), and then provide a new identity-based signature algorithm based on this assumption, using the bilinear pairing technique. We prove the security of this scheme based on the computational linear assumption. The scheme is proposed under the standard model. CLIN can be viewed as a computational "version" of the decisional linear assumption (DLIN) proposed by Boneh, Boyen, and Shacham [5]. DLIN can be briefly described as: given $g, f, v, g^{c_1}, f^{c_2}$, where $g, f, v$ are generators of a prime-order group, the task is to distinguish the value $v^{c_1+c_2}$ from a random element of the group. Identity-Based Encryption (IBE), which was first presented by Shamir [6], is an influential paradigm for embedding identity information into the encrypted data. In IBE, a message can be encrypted in terms of one's identity, and only the user who holds the private key corresponding to the very identity the message was encrypted for can recover the plaintext correctly. However, Shamir did not give a practical scheme for IBE. An efficient and secure IBE construction remained an open problem until the emergence of the work of Boneh and Franklin [2] and Cocks. After that, many types of IBE were proposed to adapt to all kinds of scenarios, such as IBE without random oracles [8][9]. IBE gave rise to the appearance of a brand new cryptographic primitive called identity-based signature (IBS). IBS enables the user who holds a private key corresponding to a specific identity to generate a valid signature on a message such that everyone who knows the public parameters can verify the correctness of the signature. Boneh and Franklin proposed the first '
2004
This paper first positively answers the previously open question of whether it was possible to obtain an optimal security reduction for an identity based signature (IBS) under a reasonable computational assumption. We revisit the Sakai-Ogishi-Kasahara IBS that was recently proven secure by Bellare, Namprempre and Neven through a general framework applying to a large family of schemes. We show that
Lecture Notes in Computer Science, 2011
Since the discovery of identity-based cryptography, a number of identity-based signature schemes have been reported in the literature. Although a lot of identity-based signature schemes were proposed, the only identity-based deterministic signature scheme was given by Javier Herranz. This signature scheme uses the Schnorr signature scheme for generating the private keys of the users and uses the BLS short signature scheme for generating users' signatures. The security of this scheme was proved in the random oracle model using the forking lemma. In this paper, we introduce a new identity-based deterministic signature scheme and prove the security of the scheme in the random oracle model, without the aid of the forking lemma. Hence, our scheme offers a tighter security reduction to the underlying hard problem than the existing identity-based deterministic signature scheme.