Springer Nature is making SARS-CoV-2 and COVID-19 research free. View research | View latest news | Sign up for updates

Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups

Abstract

We describe a short signature scheme that is strongly existentially unforgeable under an adaptive chosen message attack in the standard security model. Our construction works in groups equipped with an efficient bilinear map, or, more generally, an algorithm for the Decision Diffie-Hellman problem. The security of our scheme depends on a new intractability assumption we call Strong Diffie-Hellman (SDH), by analogy to the Strong RSA assumption with which it shares many properties. Signature generation in our system is fast and the resulting signatures are as short as DSA signatures for comparable security. We give a tight reduction proving that our scheme is secure in any group in which the SDH assumption holds, without relying on the random oracle model.

This is a preview of subscription content, log in to check access.

References

  1. [1]

    J.H. An, Y. Dodis, T. Rabin, On the security of joint signature and encryption. In Advances in Cryptology—EUROCRYPT 2002. LNCS, vol. 2332 (Springer, Berlin, 2002), pp. 83–107.

  2. [2]

    P.S.L.M. Barreto, M. Naehrig, Pairing-friendly elliptic curves of prime order. Cryptology ePrint Archive, Report 2005/133, 2005. http://eprint.iacr.org/.

  3. [3]

    P.S.L.M. Barreto, S. Galbraith, C. O’hEigeartaigh, M. Scott, Efficient pairing computation on supersingular Abelian varieties. Cryptology ePrint Archive, Report 2004/375, 2004. http://eprint.iacr.org/.

  4. [4]

    M. Bellare, P. Rogaway, Random oracle are practical: a paradigm for designing efficient protocols. In Proceedings of ACM CCS 1993 (ACM Press, New York, 1993), pp. 62–73.

  5. [5]

    M. Bellare, P. Rogaway, The exact security of digital signatures: how to sign with RSA and Rabin. In Advances in Cryptology—EUROCRYPT 1996. LNCS, vol. 1070 (Springer, Berlin, 1996), pp. 399–416.

  6. [6]

    M. Bellare, P. Rogaway, Collision-resistant hashing: Towards making UOWHFs practical. In Advances in Cryptology—CRYPTO 1997. LNCS, vol. 1294 (Springer, Berlin, 1997), pp. 470–484.

  7. [7]

    I. Blake, G. Seroussi, N. Smart, Elliptic Curves in Cryptography. London Mathematical Society Lecture Notes, vol. 265 (Cambridge University Press, Cambridge, 1999).

  8. [8]

    D. Boneh, X. Boyen, Efficient selective-ID identity based encryption without random oracles. In Advances in Cryptology—EUROCRYPT 2004. LNCS, vol. 3027 (Springer, Berlin, 2004), pp. 223–238.

  9. [9]

    D. Boneh, X. Boyen, Short signatures without random oracles. In Advances in Cryptology—EUROCRYPT 2004. LNCS, vol. 3027 (Springer, Berlin, 2004), pp. 56–73.

  10. [10]

    D. Boneh, X. Boyen, H. Shacham, Short group signatures. In Advances in Cryptology—CRYPTO 2004. LNCS, vol. 3152 (Springer, Berlin, 2004), pp. 41–55.

  11. [11]

    D. Boneh, B. Lynn, H. Shacham, Short signatures from the Weil pairing. J. Crypt. 17(4), 297–319 (2004). Extended abstract in Proceedings of Asiacrypt 2001, LNCS, vol. 2248.

  12. [12]

    D. Brown, R. Gallant, The static Diffie-Hellman problem. Cryptology ePrint Archive, Report 2004/306, 2004. http://eprint.iacr.org/.

  13. [13]

    R. Canetti, S. Halevi, J. Katz, Chosen-ciphertext security from identity-based encryption. In Advances in Cryptology—EUROCRYPT 2004. LNCS, vol. 3027 (Springer, Berlin, 2004), pp. 207–222.

  14. [14]

    J.H. Cheon, Security analysis of the strong Diffie-Hellman problem. In Advances in Cryptology—EUROCRYPT 2006. LNCS, vol. 4004 (Springer, Berlin, 2006), pp. 1–13.

  15. [15]

    J.-S. Coron, On the exact security of full domain hash. In Advances in Cryptology—CRYPTO 2000. LNCS, vol. 1880 (Springer, Berlin, 2000), pp. 229–235.

  16. [16]

    J.-S. Coron, D. Naccache, Security analysis of the Gennaro-Halevi-Rabin signature scheme. In Advances in Cryptology—EUROCRYPT 2000. LNCS, vol. 1807 (Springer, Berlin, 2000), pp. 91–101.

  17. [17]

    N. Courtois, M. Daum, P. Felke, On the security of HFE, HFEv- and Quartz. In Proceedings of PKC 2003. LNCS, vol. 2567 (Springer, Berlin, 2003), pp. 337–350.

  18. [18]

    R. Cramer, V. Shoup, Signature schemes based on the strong RS assumption. ACM TISSEC 3(3), 161–185 (2000). Extended abstract in Proceedings of ACM CCS, ACM Press, 1999.

  19. [19]

    Y. Dodis, A. Yampolskiy, A verifiable random function with short proofs and keys. In Proceedings of PKC 2005. LNCS, vol. 3386 (Springer, Berlin, 2005), pp. 416–431.

  20. [20]

    M. Fischlin, The Cramer-Shoup strong-RSA signature scheme revisited. In Proceedings of PKC 2003. LNCS, vol. 2567 (Springer, Berlin, 2003), pp. 116–129.

  21. [21]

    S. Galbraith, Pairings. In Advances in Elliptic Curve Cryptography, ed. by I.F. Blake, G. Seroussi, N. Smart, London Mathematical Society Lecture Notes, vol. 317 (Cambridge University Press, Cambridge, 2005), pp. 183–213, chap. IX.

  22. [22]

    S. Galbraith, K. Paterson, N. Smart, Pairings for cryptographers. Cryptology ePrint Archive, Report 2006/165, 2006. http://eprint.iacr.org/.

  23. [23]

    R. Gennaro, S. Halevi, T. Rabin, Secure hash-and-sign signatures without the random oracle. In Advances in Cryptology—EUROCRYPT 1999. LNCS, vol. 1592 (Springer, Berlin, 1999), pp. 123–139.

  24. [24]

    GMP Project. The GnuMP multiprecision arithmetic library. http://www.swox.com/gmp/.

  25. [25]

    S. Goldwasser, S. Micali, R. Rivest, A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988).

  26. [26]

    R. Granger, N. Smart, On computing products of pairings. Cryptology ePrint Archive, Report 2006/172, 2006. http://eprint.iacr.org/.

  27. [27]

    F. Hess, N.P. Smart, F. Vercauteren, The Eta pairing revisited. Cryptology ePrint Archive, Report 2006/110, 2006. http://eprint.iacr.org/.

  28. [28]

    A. Joux, K. Nguyen, Separating decision Diffie-Hellman from computational Diffie-Hellman in cryptographic groups. J. Cryptol. 16(4), 239–247 (2003).

  29. [29]

    J. Katz, N. Wang, Efficiency improvements for signature schemes with tight security reductions. In Proceedings of ACM CCS 2003 (ACM Press, New York, 2003), pp. 155–164.

  30. [30]

    H. Krawczyk, T. Rabin, Chameleon signatures. In Proceedings of NDSS 2000 (Internet Society, 2000).

  31. [31]

    B. Lynn, The PBC pairing-based cryptography library. http://rooster.stanford.edu/~ben/pbc/.

  32. [32]

    A. Menezes, T. Okamoto, S. Vanstone, Reducing elliptic curve logarithms in a finite field. IEEE Trans. Inform. Theory 39(5), 1639–1646 (1993).

  33. [33]

    A.J. Menezes, P.C. Van Oorschot, S.A. Vanstone, Handbook of Applied Cryptography (CRC Press, Boca Raton, 1997)

  34. [34]

    V. Miller, The Weil pairing, and its efficient calculation. J. Cryptol. 17(4), 235–261 (2004).

  35. [35]

    S. Mitsunari, R. Sakai, M. Kasahara, A new traitor tracing. IEICE Trans. Fundam. E85-A(2), 481–84 (2002).

  36. [36]

    A. Miyaji, M. Nakabayashi, S. Takano, New explicit conditions of elliptic curve traces for FR-reduction. IEICE Trans. Fundam. E84-A(5), 1234–1243 (2001).

  37. [37]

    D. Naccache, J. Stern, Signing on a postcard. In Proceedings of Financial Cryptography—FC 2000. LNCS, vol. 1962 (Springer, Berlin, 2000), pp. 121–135.

  38. [38]

    M. Naor, M. Yung, Universal one-way hash functions and their cryptographic applications. In Proceedings of ACM STOC 1989 (ACM Press, New York, 1989), pp. 33–43.

  39. [39]

    J. Patarin, N. Courtois, L. Goubin, QUARTZ, 128-bit long digital signatures. In Proceedings of CT-RSA 2001. LNCS, vol. 2020 (Springer, Berlin, 2001), pp. 282–297.

  40. [40]

    K. Paterson, Cryptography from pairings. In Advances in Elliptic Curve Cryptography, ed. by I.F. Blake, G. Seroussi, N. Smart, London Mathematical Society Lecture Notes, vol. 317 (Cambridge University Press, Cambridge, 2005), pp. 215–251, chap. X.

  41. [41]

    L. Pintsov, S. Vanstone, Postal revenue collection in the digital age. In Proceedings of Financial Cryptography—FC 2000. LNCS, vol. 1962 (Springer, Berlin, 2000), pp. 105–120.

  42. [42]

    A. Sahai, Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security. In Proceedings of IEEE FOCS 1999 (IEEE Press, New York, 1999).

  43. [43]

    H. Shacham, Implementing pairing-based signature schemes. Presentation at the Pairings in Cryptography workshop—PiC 2005. Dublin, Ireland, 2005.

  44. [44]

    A. Shamir, Y. Tauman, Improved online/offline signature schemes. In Advances in Cryptology—CRYPTO 2001. LNCS, vol. 2139 (Springer, Berlin, 2001), pp. 355–367.

  45. [45]

    V. Shoup, Lower bounds for discrete logarithms and related problems. In Advances in Cryptology—EUROCRYPT 1997. LNCS, vol. 1233 (Springer, Berlin, 1997), pp. 256–266.

  46. [46]

    V. Shoup, A composition theorem for universal one-way hash functions. In Advances in Cryptology—EUROCRYPT 2000. LNCS, vol. 1807 (Springer, Berlin, 2000), pp. 445–452.

  47. [47]

    V.D. Tô, R. Safavi-Naini, F. Zhang, New traitor tracing schemes using bilinear map. In Proceedings of DRM Workshop, 2003.

  48. [48]

    F. Zhang, R. Safavi-Naini, W. Susilo, An efficient signature scheme from bilinear pairings and its applications, In Proceedings of PKC 2004. LNCS, vol. 2947 (Springer, Berlin, 2004), pp. 277–290.

Download references

Author information

Correspondence to Xavier Boyen.

Additional information

An extended abstract entitled “Short Signatures Without Random Oracles” (Boneh and Boyen in Advances in Cryptology—EUROCRYPT 2004, LNCS, vol. 3027, pp. 56–73, 2004) appears in Eurocrypt 2004.

Dan Boneh: Supported by NSF and the Packard Foundation.

Communicated by Arjen K. Lenstra

Rights and permissions

Reprints and Permissions

About this article

Cite this article

Boneh, D., Boyen, X. Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups. J Cryptol 21, 149–177 (2008). https://doi.org/10.1007/s00145-007-9005-7

Download citation

Keywords

  • Digital signatures
  • Bilinear pairings
  • Strong unforgeability
  • Standard model