
Showing papers on "Merkle signature scheme published in 2003"


Book ChapterDOI
04 May 2003
TL;DR: In this article, the authors introduce the concept of an aggregate signature, present security models for such signatures, give several applications, and construct an efficient aggregate signature from the short signature scheme of Boneh, Lynn, and Shacham.
Abstract: An aggregate signature scheme is a digital signature that supports aggregation: Given n signatures on n distinct messages from n distinct users, it is possible to aggregate all these signatures into a single short signature. This single signature (and the n original messages) will convince the verifier that the n users did indeed sign the n original messages (i.e., user i signed message M_i for i = 1, ..., n). In this paper we introduce the concept of an aggregate signature, present security models for such signatures, and give several applications for aggregate signatures. We construct an efficient aggregate signature from a recent short signature scheme based on bilinear maps due to Boneh, Lynn, and Shacham. Aggregate signatures are useful for reducing the size of certificate chains (by aggregating all signatures in the chain) and for reducing message size in secure routing protocols such as SBGP. We also show that aggregate signatures give rise to verifiably encrypted signatures. Such signatures enable the verifier to test that a given ciphertext C is the encryption of a signature on a given message M. Verifiably encrypted signatures are used in contract-signing protocols. Finally, we show that similar ideas can be used to extend the short signature scheme to give simple ring signatures.

1,859 citations


Book ChapterDOI
06 Jan 2003
TL;DR: It turns out that most of the constructions are simpler, more efficient and have more useful properties than similar existing constructions.
Abstract: We propose a robust proactive threshold signature scheme, a multisignature scheme and a blind signature scheme which work in any Gap Diffie-Hellman (GDH) group (where the Computational Diffie-Hellman problem is hard but the Decisional Diffie-Hellman problem is easy). Our constructions are based on the recently proposed GDH signature scheme of Boneh et al. [8]. Due to the instrumental structure of GDH groups and of the base scheme, it turns out that most of our constructions are simpler, more efficient and have more useful properties than similar existing constructions. We support all the proposed schemes with proofs under the appropriate computational assumptions, using the corresponding notions of security.

975 citations


Book ChapterDOI
06 Jan 2003
TL;DR: In this paper, an identity-based signature scheme using gap Diffie-Hellman (GDH) groups was proposed and proved secure against existential forgery on adaptively chosen message and ID attack under the random oracle model.
Abstract: In this paper we propose an identity(ID)-based signature scheme using gap Diffie-Hellman (GDH) groups. Our scheme is proved secure against existential forgery on adaptively chosen message and ID attack under the random oracle model. Using GDH groups obtained from bilinear pairings, as a special case of our scheme, we obtain an ID-based signature scheme that shares the same system parameters with the ID-based encryption scheme (BF-IBE) by Boneh and Franklin [BF01], and is as efficient as the BF-IBE. Combining our signature scheme with the BF-IBE yields a complete solution of an ID-based public key system. It can be an alternative for certificate-based public key infrastructures, especially when efficient key management and moderate security are required.

869 citations


Proceedings ArticleDOI
27 Oct 2003
TL;DR: Two approaches are shown which improve both the computational efficiency and signature length of some recently-proposed schemes: Diffie-Hellman signatures and PSS-R, a version of PSS with message recovery with optimal message length.
Abstract: Much recent work has focused on constructing efficient digital signature schemes whose security is tightly related to the hardness of some underlying cryptographic assumption. With this motivation in mind, we show here two approaches which improve both the computational efficiency and signature length of some recently-proposed schemes. Diffie-Hellman signatures: Goh and Jarecki [18] recently analyzed a signature scheme which has a tight security reduction to the computational Diffie-Hellman problem. Unfortunately, their scheme is less efficient in both computation and bandwidth than previous schemes relying on the (related) discrete logarithm assumption. We present a modification of their scheme in which signing is 33% more efficient and signatures are 75% shorter; the security of this scheme is tightly related to the decisional Diffie-Hellman problem. PSS: The probabilistic signature scheme (PSS) designed by Bellare and Rogaway [3] uses a random salt to enable a tight security reduction to, e.g., the RSA problem. Coron [12] subsequently showed that a shorter random salt can be used without impacting the security of the scheme. We show a variant of PSS which avoids the random salt altogether yet has an equally-tight security reduction. This furthermore yields a version of PSS-R (PSS with message recovery) with optimal message length. Our technique may also be used to improve the efficiency of a number of other schemes.

299 citations


Book ChapterDOI
09 Jul 2003
TL;DR: It is claimed that the new blind signature scheme is more efficient than Zhang and Kim's scheme in Asiacrypt2002 and an ID-based partial delegation proxy signature scheme with warrant based on the bilinear pairings is proposed.
Abstract: Blind signature and proxy signature are very important technologies in secure e-commerce. Identity-based (simply ID-based) public key cryptosystem can be a good alternative for certificate-based public key setting, especially when efficient key management and moderate security are required. In this paper, we propose a new ID-based blind signature scheme and an ID-based partial delegation proxy signature scheme with warrant based on the bilinear pairings. Also we analyze their security and efficiency. We claim that our new blind signature scheme is more efficient than Zhang and Kim's scheme [27] in Asiacrypt2002.

291 citations


Proceedings ArticleDOI
11 Oct 2003
TL;DR: It is shown that there exist secure 3-round public-coin identification schemes for which the Fiat-Shamir transformation yields insecure digital signature schemes for any hash function used by the transformation; the proof makes new use of Barak's non-black-box technique.
Abstract: In 1986, Fiat and Shamir proposed a general method for transforming secure 3-round public-coin identification schemes into digital signature schemes. The idea of the transformation was to replace the random message of the verifier in the identification scheme, with the value of some deterministic hash function evaluated on various quantities in the protocol and on the message to be signed. The Fiat-Shamir methodology for producing digital signature schemes quickly gained popularity as it yields efficient and easy to implement digital signature schemes. The most important question however remained open: are the digital signatures produced by the Fiat-Shamir methodology secure? We answer this question negatively. We show that there exist secure 3-round public-coin identification schemes for which the Fiat-Shamir transformation yields insecure digital signature schemes for any hash function used by the transformation. This is in contrast to the work of Pointcheval and Stern which proved that the Fiat-Shamir methodology always produces digital signatures secure against chosen message attack in the "Random Oracle Model" - when the hash function is modeled by a random oracle. Among other things, we make new usage of Barak's technique for taking advantage of nonblack-box access to a program, this time in the context of digital signatures.

281 citations


Journal Article
TL;DR: This paper proposes a practical and provably secure signature scheme and shows protocols for issuing a signature on a committed value (so the signer has no information about the signed value), and for proving knowledge of a signature on a committed value.
Abstract: Digital signature schemes are a fundamental cryptographic primitive, of use both in its own right, and as a building block in cryptographic protocol design. In this paper, we propose a practical and provably secure signature scheme and show protocols (1) for issuing a signature on a committed value (so the signer has no information about the signed value), and (2) for proving knowledge of a signature on a committed value. This signature scheme and corresponding protocols are a building block for the design of anonymity-enhancing cryptographic systems, such as electronic cash, group signatures, and anonymous credential systems. The security of our signature scheme and protocols relies on the Strong RSA assumption. These results are a generalization of the anonymous credential system of Camenisch and Lysyanskaya.

276 citations


Book ChapterDOI
06 Jan 2003
TL;DR: A construction of a strong (t,N)-signature scheme whose security may be based on the discrete logarithm assumption in the random oracle model is given, which offers faster signing and verification than the generic construction, at the expense of O(t) key update time and key length.
Abstract: Signature computation is frequently performed on insecure devices -- e.g., mobile phones -- operating in an environment where the private (signing) key is likely to be exposed. Strong key-insulated signature schemes are one way to mitigate the damage done when this occurs. In the key-insulated model [6], the secret key stored on an insecure device is refreshed at discrete time periods via interaction with a physically-secure device which stores a "master key". All signing is still done by the insecure device, and the public key remains fixed throughout the lifetime of the protocol. In a strong (t,N)-key-insulated scheme, an adversary who compromises the insecure device and obtains secret keys for up to t periods is unable to forge signatures for any of the remaining N-t periods. Furthermore, the physically-secure device (or an adversary who compromises only this device) is unable to forge signatures for any time period. We present here constructions of strong key-insulated signature schemes based on a variety of assumptions. First, we demonstrate a generic construction of a strong (N - 1,N)-key-insulated signature scheme using any standard signature scheme. We then give a construction of a strong (t,N)-signature scheme whose security may be based on the discrete logarithm assumption in the random oracle model. This construction offers faster signing and verification than the generic construction, at the expense of O(t) key update time and key length. Finally, we construct strong (N - 1,N)-key-insulated schemes based on any "trapdoor signature scheme" (a notion we introduce here); our resulting construction in fact serves as an identity-based signature scheme as well. This leads to very efficient solutions based on, e.g., the RSA assumption in the random oracle model.

252 citations


Book ChapterDOI
27 Nov 2003
TL;DR: This paper proposes a designated verifier signature scheme based on the Schnorr signature and the Zheng signcryption schemes that achieves the “strong designated verifiers” property without encrypting any part of the signatures.
Abstract: This paper proposes a designated verifier signature scheme based on the Schnorr signature and the Zheng signcryption schemes. One of the advantages of the new scheme compared with all previously proposed schemes is that it achieves the “strong designated verifier” property without encrypting any part of the signatures. This is because the designated verifier’s secret key is involved in the verification phase. Another advantage of the proposed scheme is the low communication and computational cost. Generating a signature requires only one modular exponentiation, while this amount is two for the verification. Also, a signature in our scheme is more than four times shorter than those of known designated verifier schemes.

249 citations


Book ChapterDOI
08 Dec 2003
TL;DR: A new verifiably encrypted signature scheme and a partially blind signature scheme, both based on bilinear pairings are proposed and it is shown that they are more efficient than the previous schemes of their kind.
Abstract: Verifiably encrypted signatures are used when Alice wants to sign a message for Bob but does not want Bob to possess her signature on the message until a later date. Such signatures are used in optimistic contract signing to provide fair exchange. Partially blind signature schemes are an extension of blind signature schemes that allows a signer to sign a partially blinded message that includes pre-agreed information such as an expiry date or collateral conditions in unblinded form. These signatures are used in applications such as electronic cash (e-cash) where the signer requires part of the message to be of a certain form. In this paper, we propose a new verifiably encrypted signature scheme and a partially blind signature scheme, both based on bilinear pairings. We analyze the security and efficiency of these schemes and show that they are more efficient than the previous schemes of their kind.

154 citations


Book ChapterDOI
08 Dec 2003
TL;DR: Pointcheval and Stern introduced some forking lemmas useful to prove the security of a family of digital signature schemes, which includes, for example, Schnorr's scheme and a modification of the ElGamal signature scheme.
Abstract: Pointcheval and Stern introduced in 1996 some forking lemmas useful to prove the security of a family of digital signature schemes. This family includes, for example, Schnorr’s scheme and a modification of ElGamal signature scheme.

Book ChapterDOI
04 May 2003
TL;DR: In this article, the authors proposed a signature scheme whose security is tightly related to the Computational Diffie-Hellman (CDH) assumption in the Random Oracle Model (ROM).
Abstract: We show a signature scheme whose security is tightly related to the Computational Diffie-Hellman (CDH) assumption in the Random Oracle Model. Existing discrete-log based signature schemes, such as ElGamal, DSS, and Schnorr signatures, either require non-standard assumptions, or their security is only loosely related to the discrete logarithm (DL) assumption using Pointcheval and Stern's "forking" lemma. Since the hardness of the CDH problem is widely believed to be closely related to the hardness of the DL problem, the signature scheme presented here offers better security guarantees than existing discrete-log based signature schemes. Furthermore, the new scheme has comparable efficiency to existing schemes. The signature scheme was previously proposed in the cryptographic literature on at least two occasions. However, no security analysis was done, probably because the scheme was viewed as a slight modification of Schnorr signatures. In particular, the scheme's tight security reduction to CDH has remained unnoticed until now. Interestingly, this discrete-log based signature scheme is similar to the trapdoor permutation based PSS signatures proposed by Bellare and Rogaway, and has a tight reduction for a similar reason.

Book ChapterDOI
Marc Fischlin
06 Jan 2003
TL;DR: In this paper, a modification of the Cramer-Shoup strong-RSA signature scheme is presented, which allows faster signing and verification and produces signatures of roughly half the size.
Abstract: We discuss a modification of the Cramer-Shoup strong-RSA signature scheme. Our proposal also presumes the strong RSA assumption, but allows faster signing and verification and produces signatures of roughly half the size. Then we present a stateful version of our scheme where signing (but not verifying) becomes almost as efficient as with RSA-PSS. We also show how to turn our signature schemes into "lightweight" anonymous yet linkable group identification protocols without random oracles.

Posted Content
TL;DR: It is shown that it is easy to design proxy signature and proxy blind signature schemes from conventional ID-based signature schemes using bilinear pairings, and some concrete schemes based on existing ID-based signature schemes are given.
Abstract: Proxy signatures are very useful tools when one needs to delegate his/her signing capability to another party. After Mambo et al.'s first scheme was announced, many proxy signature schemes and various types of proxy signature schemes have been proposed. Due to the various applications of the bilinear pairings in cryptography, many ID-based signature schemes have been proposed. In this paper, we show that it is easy to design proxy signature and proxy blind signature schemes from the conventional ID-based signature schemes using bilinear pairings, and give some concrete schemes based on existing ID-based signature schemes. At the same time, we introduce a new type of proxy signature, the proxy ring signature, and propose the first proxy ring signature scheme based on an existing ID-based ring signature scheme.

Book ChapterDOI
30 Nov 2003
TL;DR: A group signature lets anyone verify that a signature was generated by a legitimate group member, while the actual signer can only be identified (and linked) by a designated group manager; the most efficient scheme available, due to Camenisch and Lysyanskaya, integrates a dynamic accumulator with the scheme of Ateniese et al.
Abstract: Constructing practical and provably secure group signature schemes has been a very active research topic in recent years. A group signature can be viewed as a digital signature with certain extra properties. Notably, anyone can verify that a signature is generated by a legitimate group member, while the actual signer can only be identified (and linked) by a designated entity called a group manager. Currently, the most efficient group signature scheme available is due to Camenisch and Lysyanskaya [CL02]. It is obtained by integrating a novel dynamic accumulator with the scheme by Ateniese, et al. [ACJT00].

Book ChapterDOI
30 Nov 2003
TL;DR: The first group signature scheme with constant-size parameters was presented in this paper, which does not require any group member, including group managers, to know trapdoor secrets and allows public parameters to be shared among organizations.
Abstract: Group signature schemes are fundamental cryptographic tools that enable unlinkably anonymous authentication, in the same fashion that digital signatures provide the basis for strong authentication protocols. In this paper we present the first group signature scheme with constant-size parameters that does not require any group member, including group managers, to know trapdoor secrets. This novel type of group signature scheme allows public parameters to be shared among organizations. Such sharing represents a highly desirable simplification over existing schemes, which require each organization to maintain a separate cryptographic domain.

Book ChapterDOI
27 Nov 2003
TL;DR: In this paper, a spontaneous anonymous threshold signature scheme (threshold ring signature) that supports both RSA-based and DL-based public keys at the same time is proposed; it is unconditionally anonymous and existentially unforgeable against chosen message attacks in the random oracle model.
Abstract: We present a threshold ring signature scheme (spontaneous anonymous threshold signature scheme) that allows the use of both RSA-based and DL-based public keys at the same time. More generally, the scheme supports the mixture of public keys for any trapdoor-one-way type as well as three-move type signature schemes. This kind of 'separability' has useful applications in practice, as a threshold ring signature is no longer limited to supporting only one particular type of public key, as required by all the previous schemes. In the paper, we also show that the signature maintains the anonymity of participating signers unconditionally and is existentially unforgeable against chosen message attacks in the random oracle model.

Journal ArticleDOI
TL;DR: This paper proposes two efficient proxy signature schemes based on the factoring problem, which combine the RSA signature scheme and the Guillou-Quisquater signature scheme, and proposes a proxy-protected signature scheme with anonymous proxy signers.

Journal ArticleDOI
TL;DR: The concept of self-certified public keys is adopted to propose a new signature scheme with message recovery that has two properties: the signer's public key is authenticated while the signature is verified, and the receiver also obtains the message.

Journal Article
TL;DR: In this paper, the authors introduce design methodologies that convert a traitor tracing scheme into its dual group signature scheme, obtaining a group signature from the Boneh-Franklin scheme and using the traceability codes of the Chor-Fiat-Naor scheme to make signature size logarithmic in the group size.
Abstract: Digital Signatures emerge naturally from Public-Key Encryption based on trapdoor permutations, and the duality of the two primitives was noted as early as Diffie-Hellman's seminal work. The present work is centered around the crucial observation that two well known cryptographic primitives whose connection has not been noticed so far in the literature enjoy an analogous duality. The primitives are Group Signature Schemes and Public-Key Traitor Tracing. Based on the observed duality, we introduce new design methodologies for group signatures that convert a traitor tracing scheme into its dual group signature scheme. Our first methodology applies to generic public-key traitor tracing schemes. We demonstrate its power by applying it to the Boneh-Franklin scheme, and obtaining its dual group signature. This scheme is the first provably secure group signature scheme whose signature size is not proportional to the size of the group and is based only on DDH and a random oracle. The existence of such schemes was open. Our second methodology introduces a generic way of turning any group signature scheme with signature size linear in the group size into a group signature scheme with only logarithmic dependency on the group size. To this end it employs the notion of traceability codes (a central component of combinatorial traitor tracing schemes already used in the first such scheme by Chor, Fiat and Naor). We note that our signatures, obtained by generic transformations, are proportional to a bound on the anticipated maximum malicious coalition size. Without the random oracle assumption our schemes give rise to provably secure and efficient Identity Escrow schemes.

Book ChapterDOI
30 Nov 2003
TL;DR: At Eurocrypt 2003, Boneh et al. proposed aggregate signatures, digital signatures that support aggregation: given k signatures on k distinct messages from k different users, it is possible to aggregate all these signatures into a single short signature.
Abstract: In Eurocrypt 2003, Boneh et al. presented a novel cryptographic primitive called aggregate signatures. An aggregate signature scheme is a digital signature that supports aggregation: i.e. given k signatures on k distinct messages from k different users it is possible to aggregate all these signatures into a single short signature.

Book ChapterDOI
04 May 2003
TL;DR: New design methodologies for group signatures that convert a traitor tracing scheme into its "dual" group signature scheme are introduced and without the random oracle assumption these schemes give rise to provably secure and efficient Identity Escrow schemes.
Abstract: Digital Signatures emerge naturally from Public-Key Encryption based on trapdoor permutations, and the "duality" of the two primitives was noted as early as Diffie-Hellman's seminal work. The present work is centered around the crucial observation that two well known cryptographic primitives whose connection has not been noticed so far in the literature enjoy an analogous "duality." The primitives are Group Signature Schemes and Public-Key Traitor Tracing. Based on the observed "duality," we introduce new design methodologies for group signatures that convert a traitor tracing scheme into its "dual" group signature scheme. Our first methodology applies to generic public-key traitor tracing schemes. We demonstrate its power by applying it to the Boneh-Franklin scheme, and obtaining its "dual" group signature. This scheme is the first provably secure group signature scheme whose signature size is not proportional to the size of the group and is based only on DDH and a random oracle. The existence of such schemes was open. Our second methodology introduces a generic way of turning any group signature scheme with signature size linear in the group size into a group signature scheme with only logarithmic dependency on the group size. To this end it employs the notion of traceability codes (a central component of combinatorial traitor tracing schemes already used in the first such scheme by Chor, Fiat and Naor). We note that our signatures, obtained by generic transformations, are proportional to a bound on the anticipated maximum malicious coalition size. Without the random oracle assumption our schemes give rise to provably secure and efficient Identity Escrow schemes.

Journal ArticleDOI
TL;DR: This paper proposes two secure nonrepudiable proxy multi-signature schemes that can withstand public key substitution attack and have some other advantages such as proxy signature key generation and updating using insecure channels.
Abstract: The concept of proxy signature introduced by Mambo, Usuda, and Okamoto allows a designated person, called a proxy signer, to sign on behalf of an original signer. However, most existing proxy signature schemes do not support nonrepudiation. In this paper, two secure nonrepudiable proxy multi-signature schemes are proposed that overcome disadvantages of the existing schemes. The proposed schemes can withstand public key substitution attack. In addition, the new schemes have some other advantages such as proxy signature key generation and updating using insecure channels. This approach can also be applied to other ElGamal-like proxy signature schemes.

Proceedings ArticleDOI
02 Nov 2003
TL;DR: This paper presents a flexible and scalable authentication scheme for JPEG2000 images based on the Merkle hash tree and digital signature that allows users to verify the authenticity and integrity of different sub-images extracted from a single compressed codestream protected with a single digital signature.
Abstract: JPEG2000 is an emerging standard for still image compression and is becoming the solution of choice for many digital imaging fields and applications. An important aspect of JPEG2000 is its "compress once, decompress many ways" property [1], i. e., it allows extraction of various sub-images (e.g., images with various resolutions, pixel fidelities, tiles and components) all from a single compressed image codestream. In this paper, we present a flexible and scalable authentication scheme for JPEG2000 images based on the Merkle hash tree and digital signature. Our scheme is fully compatible with JPEG2000 and possesses a "sign once, verify many ways" property. That is, it allows users to verify the authenticity and integrity of different sub-images extracted from a single compressed codestream protected with a single digital signature.

Book ChapterDOI
10 Oct 2003
TL;DR: This paper proposes a novel group signature satisfying the regular requirements and achieves the following advantages: the size of signature is independent of the number of group members; the group public key is constant; the total computation cost of signature and verification requires only 7 modular exponentiations.
Abstract: A group signature scheme allows a group member to sign a message anonymously on behalf of the group. In case of a dispute, the group manager can reveal the actual identity of signer. In this paper, we propose a novel group signature satisfying the regular requirements. Furthermore, it also achieves the following advantages: (1) the size of signature is independent of the number of group members; (2) the group public key is constant; (3) Addition and Revocation of group members are convenient; (4) it enjoys forward security; (5) The total computation cost of signature and verification requires only 7 modular exponentiations. Hence, our scheme is very practical in many applications, especially for the dynamic large group applications.

Journal ArticleDOI
TL;DR: A new attack is proposed that works on both Hwang et al.'s and Sun's threshold proxy signature schemes, showing that both were insecure.
Abstract: Sun's nonrepudiation threshold proxy signature scheme is not secure against the collusion attack. In order to guard against the attack, Hwang et al. proposed another threshold proxy signature scheme. However, a new attack is proposed to work on both Hwang et al.'s and Sun's schemes. By executing this attack, one proxy signer and the original signer can forge any valid proxy signature. Therefore, both Hwang et al.'s scheme and Sun's scheme were insecure.

Book ChapterDOI
14 Aug 2003
TL;DR: In this paper, the authors proposed a multiple-time signature scheme based on a combination of one-way functions and cover-free families, and it is secure against the adaptive chosen-message attack.
Abstract: Multiple-time signatures are digital signature schemes where the signer is able to sign a predetermined number of messages. They are interesting cryptographic primitives because they allow to solve many important cryptographic problems, and at the same time offer substantial efficiency advantage over ordinary digital signature schemes like RSA. Multiple-time signature schemes have found numerous applications, in ordinary, on-line/off-line, forward-secure signatures, and multicast/stream authentication. We propose a multiple-time signature scheme with very efficient signing and verifying. Our construction is based on a combination of one-way functions and cover-free families, and it is secure against the adaptive chosen-message attack.

Posted Content
TL;DR: An interesting random argument technique is provided to show that Zhu's signature scheme is immune to adaptive chosen-message attack under the assumptions of the strong RSA problem as well as the existence of collision-free hash functions.
Abstract: Following from the remarkable works of Cramer and Shoup [5], three trapdoor hash signature variations have been presented in the literature: the first variation was presented in CJE'01 by Zhu [14], the second variation was presented in SCN'02 by Camenisch and Lysyanskaya [3] and the third variation was presented in PKC'03 by Fischlin [7]. All three mentioned trapdoor hash signature schemes have similar structure and the security of the last two modifications is rigorously proved. We point out that the distribution of variables derived from Zhu's signing oracle is different from that generated by Zhu's signing algorithm, since the signing oracle in Zhu's simulator is defined over Z instead of Z_n. Consequently the proof of security of Zhu's signature scheme should be studied more precisely. We are also aware that the proof of Zhu's signature scheme is not a trivial work, as stated below:
– the technique presented by Cramer and Shoup [5] cannot be applied directly to prove the security of Zhu's signature scheme, since the structure of Cramer-Shoup's trapdoor hash scheme is double deck, which makes it easy to simulate a signing query as the order of the subgroup G is a public parameter;
– the technique presented by Camenisch and Lysyanskaya [3] cannot be applied directly, since there are extra security parameters l and l_s that guide the statistical closeness of the simulated distributions to the actual distribution;
– the technique presented by Fischlin cannot be applied directly to Zhu's signature scheme, as the security proof of Fischlin's signature relies on a set of pairs (α_i, α_i ⊕ H(m_i)) while the security proof of Zhu's signature should rely on a set of pairs (α_i, H(m_i)).
In this report, we provide an interesting random argument technique to show that Zhu's signature scheme is immune to adaptive chosen-message attack under the assumptions of the strong RSA problem as well as the existence of collision-free hash functions.

Journal Article
TL;DR: This paper introduces the concept of an aggregate signature, presents security models for such signatures, and gives several applications for aggregate signatures. The authors construct an efficient aggregate signature from the recent short signature scheme of Boneh, Lynn, and Shacham based on bilinear maps.
Abstract: An aggregate signature scheme is a digital signature that supports aggregation: Given n signatures on n distinct messages from n distinct users, it is possible to aggregate all these signatures into a single short signature. This single signature (and the n original messages) will convince the verifier that the n users did indeed sign the n original messages (i.e., user i signed message M_i for i = 1, ..., n). In this paper we introduce the concept of an aggregate signature, present security models for such signatures, and give several applications for aggregate signatures. We construct an efficient aggregate signature from a recent short signature scheme based on bilinear maps due to Boneh, Lynn, and Shacham. Aggregate signatures are useful for reducing the size of certificate chains (by aggregating all signatures in the chain) and for reducing message size in secure routing protocols such as SBGP. We also show that aggregate signatures give rise to verifiably encrypted signatures. Such signatures enable the verifier to test that a given ciphertext C is the encryption of a signature on a given message M. Verifiably encrypted signatures are used in contract-signing protocols. Finally, we show that similar ideas can be used to extend the short signature scheme to give simple ring signatures.