Journal of Cryptology, Volume 9, Issue 1, pp 35–67

On-line/off-line digital signatures

  • Shimon Even
  • Oded Goldreich
  • Silvio Micali


A new type of signature scheme is proposed. It consists of two phases. The first phase is performed off-line, before the message to be signed is even known. The second phase is performed on-line, once the message to be signed is known, and is supposed to be very fast. A method for constructing such on-line/off-line signature schemes is presented. The method uses one-time signature schemes, which are very fast, for the on-line signing. An ordinary signature scheme is used for the off-line stage.

In a practical implementation of our scheme, we use a variant of Rabin's signature scheme (based on factoring) and DES. In the on-line phase all we use is a moderate amount of DES computation and a single modular multiplication. We stress that the costly modular exponentiation operation is performed off-line. This implementation is ideally suited for electronic wallets or smart cards.
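The two-phase structure described above, as an added sketch that is not the paper's code: the off-line phase creates a one-time key pair and signs its public key with an ordinary scheme, and the on-line phase signs the message with the one-time key only. Assumptions: a Lamport one-time signature over SHA-256 stands in for the DES-based one-time scheme, textbook RSA over two Mersenne primes (insecure, demo only) stands in for the Rabin variant, and all function names are hypothetical.

```python
import hashlib
import secrets

def H(b): return hashlib.sha256(b).digest()

# Stand-in "ordinary" scheme (assumption): textbook RSA over two Mersenne
# primes. Demo only, NOT secure; the paper uses a Rabin variant.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def ord_sign(data):
    return pow(int.from_bytes(H(data), "big"), D, N)

def ord_verify(data, sig):
    return pow(sig, E, N) == int.from_bytes(H(data), "big")

def bits(msg):
    # 256 message-digest bits select which one-time secrets are revealed
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def flat(pk):
    return b"".join(h for pair in pk for h in pair)

def offline_phase():
    """Before the message is known: fresh one-time key pair, plus the costly
    ordinary signature (modular exponentiation) on the one-time public key."""
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    pk = [[H(s0), H(s1)] for s0, s1 in sk]
    return {"sk": sk, "pk": pk, "cert": ord_sign(flat(pk))}

def online_sign(token, msg):
    """Once the message is known: one hash and 256 lookups, no exponentiation."""
    sk = token.pop("sk", None)  # consume the secret so it cannot sign twice
    if sk is None:
        raise ValueError("one-time key already used; run offline_phase() again")
    reveal = [sk[i][b] for i, b in enumerate(bits(msg))]
    return token["pk"], token["cert"], reveal

def verify(msg, sig):
    pk, cert, reveal = sig
    if len(pk) != 256 or len(reveal) != 256 or not ord_verify(flat(pk), cert):
        return False
    return all(H(r) == pk[i][b] for i, (r, b) in enumerate(zip(reveal, bits(msg))))
```

Each token from `offline_phase()` signs exactly one message; a device such as a smart card would precompute a batch of tokens while idle and spend one per transaction.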

Key words

Digital signatures, Integer factorization, RSA, DES, One-time signature schemes, Error-correcting codes, Chosen message attack





Copyright information

© International Association for Cryptologic Research 1996

Authors and Affiliations

  • Shimon Even (1)
  • Oded Goldreich (2)
  • Silvio Micali (3)

  1. Computer Science Department, Technion-Israel Institute of Technology, Haifa, Israel
  2. Department of Applied Mathematics and Computer Science, Weizmann Institute of Science, Rehovot, Israel
  3. Laboratory for Computer Science, Massachusetts Institute of Technology, Cambridge, U.S.A.
