Digital Signatures with Minimal Overhead from Indifferentiable Random Invertible Functions

  • Eike Kiltz
  • Krzysztof Pietrzak
  • Mario Szegedy
Conference paper

DOI: 10.1007/978-3-642-40041-4_31

Part of the Lecture Notes in Computer Science book series (LNCS, volume 8042)
Cite this paper as:
Kiltz E., Pietrzak K., Szegedy M. (2013) Digital Signatures with Minimal Overhead from Indifferentiable Random Invertible Functions. In: Canetti R., Garay J.A. (eds) Advances in Cryptology – CRYPTO 2013. Lecture Notes in Computer Science, vol 8042. Springer, Berlin, Heidelberg


In a digital signature scheme with message recovery, rather than transmitting the message m and its signature σ, a single enhanced signature τ is transmitted. The verifier is able to recover m from τ and at the same time verify its authenticity. The two most important parameters of such a scheme are its security and overhead |τ| − |m|. A simple argument shows that for any scheme with “n bits security” |τ| − |m| ≥ n, i.e., the overhead is lower bounded by the security parameter n. Currently, the best known constructions in the random oracle model are far from this lower bound, requiring an overhead of n + log q_h, where q_h is the number of queries to the random oracle. In this paper we give a construction which basically matches the n bit lower bound. We propose a simple digital signature scheme with n + o(log q_h) bits overhead, where q_h denotes the number of random oracle queries.

Our construction works in two steps. First, we propose a signature scheme with message recovery having optimal overhead in a new ideal model, the random invertible function model. Second, we show that a four-round Feistel network with random oracles as round functions is tightly “public-indifferentiable” from a random invertible function. At the core of our indifferentiability proof is an almost tight upper bound for the expected number of edges of the densest “small” subgraph of a random Cayley graph, which may be of independent interest.


Keywords: digital signatures, indifferentiability, Feistel, Additive combinatorics, Cayley graph



Copyright information

© International Association for Cryptologic Research 2013

Authors and Affiliations

  • Eike Kiltz (1)
  • Krzysztof Pietrzak (2)
  • Mario Szegedy (3)

  1. Horst-Görtz Institute for IT Security, Ruhr-Universität Bochum, Germany
  2. Institute of Science and Technology, Austria
  3. Rutgers University, USA
