A new type of signature scheme is proposed. It consists of two phases. The first phase is performed off-line, before the message to be signed is even known. The second phase is performed on-line, once the message to be signed is known, and is supposed to be very fast. A method for constructing such on-line/off-line signature schemes is presented. The method uses one-time signature schemes, which are very fast, for the on-line signing. An ordinary signature scheme is used for the off-line stage.
In a practical implementation of our scheme, we use a variant of Rabin's signature scheme (based on factoring) and DES. In the on-line phase all we use is a moderate amount of DES computation and a single modular multiplication. We stress that the costly modular exponentiation operation is performed off-line. This implementation is ideally suited for electronic wallets or smart cards.
Key wordsDigital signatures Integer factorization RSA DES One-time signature schemes Error-correcting codes Chosen message attack
Unable to display preview. Download preview PDF.
- Bellare, M., and Micali, S., How To Sign Given Any Trapdoor Function,Proc. STOC 88, pp. 32–42.Google Scholar
- Damgard, I., Collision-Free Hash Functions and Public-Key Signature Schemes,EuroCrypt 87, LNCS, Vol. 304, Springer-Verlag, Berlin, 1988, pp. 203–216.Google Scholar
- Even, S., Secure Off-Line Electronic Fund Transfer Between Nontrusting Parties, inSmart Card 2000:The Future of IC Cards, D. Chaum and I. Schaumuller-Bichl (eds.), North-Holland, Amsterdam, 1989, pp. 57–66.Google Scholar
- Even, S., Goldreich, O., and Yacobi, Y., Electronic Wallet,Advances in Cryptology: Proc. Crypto 83, D. Chaum (ed.), Plenum, New York, 1984, pp. 383–386.Google Scholar
- Even, S., Goldreich, O., and Micali, S., On-Line/Off-Line Digital Signatures,Advances in Cryptology: Proc. Crypto 89, G. Brassard (ed.), LNCS, Vol. 435, Springer-Verlag, Berlin, 1990, pp. 263–277.Google Scholar
- Goldreich, O., Two Remarks Concerning the Goldwasser-Micali-Rivest Signature Scheme,Advances in Cryptology—Crypto 86, A. M. Odlyzko (ed.), LNCS, Vol. 263, Springer-Verlag, Berlin, 1987, pp. 104–110.Google Scholar
- Hastad, J., Impagliazzo, R., Levin, L. A., and Luby, M., Construction of Pseudorandom Generator from Any One-Way Function, Manuscript, 1993. See preliminary versions by Impagliazzo, Levin, and Luby inProc. 21st STOC and by Hastad inProc. 22nd STOC.Google Scholar
- Levin, L. A., One-Way Functions and Pseudorandom Generators,Combinatorica, Vol. 7, No. 4, 1987, pp. 357–363.Google Scholar
- MacWilliams, F. J., and Sloane, N. J. A.,The Theory of Error-Correcting Codes, North-Holland, Amsterdam, 1977.Google Scholar
- Merkle, R. C., A Digital Signature Based on a Conventional Encryption Function,Advances in Cryptology—Crypto 87, C. Pomerance (ed.), LNCS, Vol. 293, Springer-Verlag, Berlin, 1987, pp. 369–378.Google Scholar
- Naor, M., Bit Commitment Using Pseudorandom Generators,Proc. Crypto 89, pp. 123–132.Google Scholar
- Naor, M., and Yung, M., Universal One-Way Hash Functions and Their Cryptographic Application,Proc. 21st STOC, 1989, pp. 33–43.Google Scholar
- National Bureau of Standards,Federal Information Processing Standards, Publ. 46 (DES 1977).Google Scholar
- Rabin, M. O., Digital Signatures, inFoundations of Secure Computation, R. A. DeMilloet al. (eds.), Academic Press, New York, 1978, pp. 155–168.Google Scholar
- Rabin, M. O., Digitalized Signatures and Public-Key Functions as Intractable as Factorization, Report TR-212, Lab. for Computer Science, MIT, January 1979.Google Scholar
- Rivest, R. L., The MD4 Message Digest Algorithm,Proc. Crypto 90, A. J. Menezes and S. A. Vanstone (eds.), LNCS, Vol. 537, Springer-Verlag, Berlin, 1991, pp. 303–311.Google Scholar
- Rivest, R. L., The MD5 Message-Digest Algorithm, Internet Request for Comments, April 1992.Google Scholar
- Rompel, J., One-Way Functions Are Necessary and Sufficient for Secure Signatures,Proc. 22nd STOC, 1990, pp. 387–394.Google Scholar
- Roth, R., Topics in Coding Theory, Lecture Notes, Computer Science Dept., Technion, Haifa, 1993.Google Scholar
- Yao, A. C., Theory and Applications of Trapdoor Functions,Proc. IEEE Symp. on Foundations of Computer Science, 1982, pp. 80–91.Google Scholar