Journal of Cryptology, Volume 28, Issue 1, pp 176–208

Confined Guessing: New Signatures From Standard Assumptions

  • Florian Böhl
  • Dennis Hofheinz
  • Tibor Jager
  • Jessica Koch
  • Christoph Striecks


We put forward a new technique to construct very efficient and compact signature schemes. Our technique combines several instances of only a mildly secure signature scheme to obtain a fully secure scheme. Since the mild security notion we require is much easier to achieve than full security, we can combine our strategy with existing techniques to obtain a number of interesting new (stateless and fully secure) signature schemes. Concretely, we get (1) a scheme based on the computational Diffie–Hellman (CDH) assumption in pairing-friendly groups. Signatures contain \(\mathbf {O}(1)\) and verification keys \(\mathbf {O}(\log k)\) group elements, where \(k\) is the security parameter. Our scheme is the first fully secure CDH-based scheme with such compact verification keys. (2) A scheme based on the (nonstrong) RSA assumption in which both signatures and verification keys contain \(\mathbf {O}(1)\) group elements. Our scheme is significantly more efficient than existing RSA-based schemes. (3) A scheme based on the Short Integer Solutions (SIS) assumption. Signatures contain \(\mathbf {O}(\log (k)\cdot m)\) and verification keys \(\mathbf {O}(n\cdot m)\) \({\mathbb {Z}}_p\)-elements, where \(p\) may be polynomial in \(k\), and \(n,m\) denote the usual SIS matrix dimensions. Compared to state-of-the-art SIS-based schemes, this gives very small verification keys, at the price of slightly larger signatures. In all cases, the involved constants are small, and the arising schemes provide significant improvements upon state-of-the-art schemes. The only price we pay is a rather large (polynomial) loss in the security reduction. However, this loss can be significantly reduced at the cost of an additive term in signature and verification key size.


Keywords: Digital signatures; CDH assumption; Pairing-friendly groups; RSA assumption; SIS assumption



The authors thank Ronald Cramer for his helpful comments, in particular on the presentation of our results, and the anonymous referees for providing valuable feedback.



Copyright information

© International Association for Cryptologic Research 2014

Authors and Affiliations

  • Florian Böhl, Karlsruhe Institute of Technology, Karlsruhe, Germany
  • Dennis Hofheinz, Karlsruhe Institute of Technology, Karlsruhe, Germany
  • Tibor Jager (corresponding author), Ruhr-Universität Bochum, Bochum, Germany
  • Jessica Koch, Karlsruhe Institute of Technology, Karlsruhe, Germany
  • Christoph Striecks, Karlsruhe Institute of Technology, Karlsruhe, Germany
