Chapter

Topics in Cryptology — CT-RSA 2002

Volume 2271 of the series Lecture Notes in Computer Science pp 244-262

Date:

Homomorphic Signature Schemes

  • Robert JohnsonAffiliated withUniversity of California at Berkeley
  • , David MolnarAffiliated withShieldIP
  • , Dawn SongAffiliated withUniversity of California at Berkeley
  • , David WagnerAffiliated withUniversity of California at Berkeley

* Final gross prices may vary according to local VAT.

Get Access

Abstract

Privacy homomorphisms, encryption schemes that are also homomorphisms relative to some binary operation, have been studied for some time, but one may also consider the analogous problem of homomorphic signature schemes. In this paper we introduce basic definitions of security for homomorphic signature systems, motivate the inquiry with example applications, and describe several schemes that are homomorphic with respect to useful binary operations. In particular, we describe a scheme that allows a signature holder to construct the signature on an arbitrarily redacted submessage of the originally signed message. We present another scheme for signing sets that is homomorphic with respect to both union and taking subsets. Finally, we show that any signature scheme that is homomorphic with respect to integer addition must be insecure.