Journal of Cryptology, Volume 21, Issue 2, pp 149–177

Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups

  • Dan Boneh
  • Xavier Boyen

Abstract

We describe a short signature scheme that is strongly existentially unforgeable under an adaptive chosen message attack in the standard security model. Our construction works in groups equipped with an efficient bilinear map, or, more generally, an algorithm for the Decision Diffie-Hellman problem. The security of our scheme depends on a new intractability assumption we call Strong Diffie-Hellman (SDH), by analogy to the Strong RSA assumption with which it shares many properties. Signature generation in our system is fast and the resulting signatures are as short as DSA signatures for comparable security. We give a tight reduction proving that our scheme is secure in any group in which the SDH assumption holds, without relying on the random oracle model.

Keywords

Digital signatures, Bilinear pairings, Strong unforgeability, Standard model

Copyright information

© International Association for Cryptologic Research 2007

Authors and Affiliations

  1. Stanford University, Stanford, USA
  2. Voltage Security Inc., Palo Alto, USA