International Journal of Information Security

, Volume 12, Issue 6, pp 439–465 | Cite as

Off-line/on-line signatures revisited: a general unifying paradigm, efficient threshold variants and experimental results

  • Emmanuel Bresson
  • Dario Catalano
  • Mario Di Raimondo
  • Dario Fiore
  • Rosario Gennaro
Regular Contribution


The notion of off-line/on-line digital signature scheme was introduced by Even, Goldreich and Micali. Informally such signatures schemes are used to reduce the time required to compute a signature using some kind of preprocessing. Even, Goldreich and Micali show how to realize off-line/on-line digital signature schemes by combining regular digital signatures with efficient one-time signatures. Later, Shamir and Tauman presented an alternative construction (which produces shorter signatures) obtained by combining regular signatures with chameleon hash functions. In this paper, we study off-line/on-line digital signature schemes both from a theoretic and a practical perspective. More precisely, our contribution is threefold. First, we unify the Shamir–Tauman and Even et al. approaches by showing that they can be seen as different instantiations of the same paradigm. We do this by showing that the one-time signatures needed in the Even et al. approach only need to satisfy a weak notion of security. We then show that chameleon hashing is basically a one-time signature which satisfies such a weaker security notion. As a by-product of this result, we study the relationship between one-time signatures and chameleon hashing, and we prove that a special type of chameleon hashing (which we call double-trapdoor) is actually a fully secure one-time signature. Next, we consider the task of building, in a generic fashion, threshold variants of known schemes: Crutchfield et al. proposed a generic way to construct a threshold off-line/on-line signature scheme given a threshold regular one. They applied known threshold techniques to the Shamir–Tauman construction using a specific chameleon hash function. Their solution introduces additional computational assumptions which turn out to be implied by the so-called one-more discrete logarithm assumption. Here, we propose two generic constructions that can be based on any threshold signature scheme, combined with a specific (double-trapdoor) chameleon hash function. Our constructions are efficient and can be proven secure in the standard model using only the traditional discrete logarithm assumption. Finally, we ran experimental tests to measure the difference between the real efficiency of the two known constructions for non-threshold off-line/on-line signatures. Interestingly, we show that, using some optimizations, the two approaches are comparable in efficiency and signature length.


Off-line/on-line signatures Digital signatures Chameleon hash One-time signatures Threshold signatures 



Emmanuel Bresson, Dario Fiore, and Rosario Gennaro did part of this work while being affiliated with DCSSI Crypto Lab in Paris, Università di Catania and the IBM T.J. Watson Research Center, respectively.


  1. 1.
    Bar-Ilan, J., Beaver, D.: Non cryptographic fault tolerant computing in a constant number of rounds of interaction. In: Proceedings of the ACM Symposium on Principles of Distributed Computation, pp. 201–209. ACM Press (1989)Google Scholar
  2. 2.
    Barić, N., Pfitzmann, B.: Collision-free accumulators and fail-stop signature schemes without trees, advances in cryptology. In: Proceedings of EUROCRYPT ’97, LNCS 1233, pp. 480–494. Springer (1997)Google Scholar
  3. 3.
    Bellare, M., Micali, S.: How To Sign Given Any Trapdoor Function. In: Proceedings of STOC 88, pp. 32–42. ACM Press (1988)Google Scholar
  4. 4.
    Bellare, M., Namprempre, C., Pointcheval, D., Semanko, M.: The one-more-RSA-inversion problems and the security of Chaum’s blind signature scheme. J Cryptol 16(3), 185–215 (2003)MathSciNetCrossRefzbMATHGoogle Scholar
  5. 5.
    Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Proceedings of 1st ACM Conference on Computer and Communications Security (CCS 1993), pp. 62–73. ACM Press (1993)Google Scholar
  6. 6.
    Ben-or, M., Goldwasser, S., Widgerson, A.: Completeness theorems for non-cryptographic fault tolerant distributed computation. In: Proceedings of 20th Annual Symposium on Theory of Computing, pp. 1–10. ACM Press (1988)Google Scholar
  7. 7.
    Berlekamp, E., Welch, L.: Error Correction of Algebraic Block Codes, US Patent 4,633,470 (1986)Google Scholar
  8. 8.
    Boyar, J.F., Kurtz, S.A., Krentel, M.W.: A discrete logarithm implementation of perfect zero-knowledge blobs. J Cryptol 2(2), 63–76 (1990)MathSciNetCrossRefzbMATHGoogle Scholar
  9. 9.
    Brassard, G., Chaum, D., Crépeau, C.: Minimum disclosure proofs of knowledge. J Comput Syst Sci 37(2), 156–189 (1988)CrossRefzbMATHGoogle Scholar
  10. 10.
    Bresson, E., Catalano, D., Gennaro, R.: Improved on-line/off-line threshold signatures. In: Proceedings of Public Key Cryptography—PKC ’07, LNCS 4450, pp. 217–232. Springer (2007)Google Scholar
  11. 11.
    Catalano, D., Di Raimondo, M., Fiore, D., Gennaro, R.: Off-line/On-line signatures: theoretical aspects and experimental results. In: Proceedings of Public Key Cryptography—PKC ’08, LNCS 4939, pp. 101–120. Springer (2008)Google Scholar
  12. 12.
    Coron, J., Naccache, D.: Security analysis of the Gennaro-Halevi-Rabin signature scheme. Advances in Cryptology. In: Proceedings of EUROCRYPT ’99, LNCS 1807, pp. 91–101. Springer (1999)Google Scholar
  13. 13.
    Cramer, R., Damgard, I.: New generation of secure and practical RSA-based signatures. Advances in cryptology. In: Proceedings of CRYPTO ’96, LNCS 1109, pp. 173–185. Springer (1996)Google Scholar
  14. 14.
    Crutchfield, C., Molnar, D., Turner, D., Wagner, D.: Generic on-line/off-line threshold signatures. In: Proceedings of Public Key Cryptography—PKC ’06, LNCS 3958, pp. 58–74. Springer (2006)Google Scholar
  15. 15.
    Cramer, R., Shoup, V.: Signature scheme based on the strong RSA assumption. In: Proceedings of 6th ACM Conference on Computer and Communications Security (CCS 1999), pp. 46–51. ACM Press (1999)Google Scholar
  16. 16.
    Damgård, I., Dupont, K.: Efficient threshold RSA signatures with general moduli and no extra assumptions. In: Proceedings of Public Key Cryptography—PKC ’05, LNCS 3386, pp. 346–361. Springer (2005)Google Scholar
  17. 17.
    Desmedt, Y., Frankel, Y.: Threshold cryptosystems. Advances in cryptology. In: Proceedings of CRYPTO ’89, LNCS 435, pp. 307–315. Springer (1990)Google Scholar
  18. 18.
    Di Raimondo, M., Gennaro, R.: Provably secure threshold password-authenticated key exchange. Advances in cryptology. In: Proceedings of EUROCRYPT ’03, LNCS 2656, pp. 507–523. Springer (2003)Google Scholar
  19. 19.
    Eastlake, D., Jones, P.: US Secure Hash Algorithm 1 (SHA1), RFC, RFC Editor (2001)Google Scholar
  20. 20.
    ElGamal, T.: A public-key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans Inf Theory 31(4), 469–472 (1985)MathSciNetCrossRefzbMATHGoogle Scholar
  21. 21.
    Even, S., Goldreich, O., Micali, S.: On-line/Off-line digital signatures. J Cryptol 9(1), 35–67 (1996)MathSciNetCrossRefzbMATHGoogle Scholar
  22. 22.
    Feldman, P.: A Practical scheme for non-interactive verifiable secret sharing. In: Proceedings of 28th FOCS, pp. 427–437 (1987)Google Scholar
  23. 23.
    Fiat, A., Shamir, A.: How to prove yourself: practical solutions of identification and signature problems. Advances in cryptology. In: Proceedings of CRYPTO ’86, LNCS 263, pp. 187–194. Springer (1976)Google Scholar
  24. 24.
    Gennaro, R., Halevi, S., Rabin, T.: Secure hash-and-sign signatures without the random oracle. Advances in cryptology. In: Proceedings of EUROCRYPT ’99, LNCS 1592, pp. 123–139. Springer (1999)Google Scholar
  25. 25.
    Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Secure distributed key Generation for Discrete-Log Public-Key Cryptosystems. Advances in Cryptology - proceedings of EUROCRYPT ’99, LNCS 159, pp. 295–310. Springer (1999)Google Scholar
  26. 26.
    Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Robust and efficient sharing of RSA functions. J Cryptol 13(2), 273–300 (2000)MathSciNetCrossRefzbMATHGoogle Scholar
  27. 27.
    Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Robust threshold DSS signatures. Inf Comput 164(1), 54–84 (2001)MathSciNetCrossRefzbMATHGoogle Scholar
  28. 28.
    Gennaro, R., Rabin, M., Rabin, T.: Simplified VSS and fast-track multi-party computations with applications to threshold cryptography. In: Proceedings of 17th ACM Symposium on Principle of Distributed Computing, pp. 101–111. ACM Press (1998)Google Scholar
  29. 29.
    Goldwasser, S., Micali, S., Rivest, R.: A digital signature scheme secure against adaptive chosen message attacks. SIAM J Comput 17(2), 281–308 (1988)MathSciNetCrossRefzbMATHGoogle Scholar
  30. 30.
    Halevi, S., Krawczyk, H.: Strengthening digital signatures via randomized hashing. Advances in cryptology. In: Proceedings of CRYPTO ’06, LNCS 4117, pp. 41–59. Springer (2006)Google Scholar
  31. 31.
    Jakobsson, M.: Fractal hash sequence representation and traversal. In: Proceedings of IEEE International Symposium on Information Theory—ISIT ’02, pp. 437 (2002)Google Scholar
  32. 32.
    Koblitz, N., Menezes, A.: Another look at non-standard discrete log and Diffie-Hellman problems, to appear in Journal of Mathematical Cryptology (2008)Google Scholar
  33. 33.
    Krawczyk, H., Rabin, T.: Chameleon hashing and signatures. In: Proceedings of Network and Distributed Systems Security Symposium—NDSS ’00, pp. 143–154. Internet Society (2000)Google Scholar
  34. 34.
    Kurosawa, K., Schmidt-Samoa, K.: New online/offline signature schemes without random oracles. In: Proceedings of Public Key Cryptography 2006, LNCS 3958, pp. 330–346. Springer (2006) Google Scholar
  35. 35.
    Lamport, L.: Constructing digital signatures from a one-way function. Technical Report SRI-CSL-98. SRI International Computer Science Laboratory (1979)Google Scholar
  36. 36.
    Merkle, R.C.: A digital signature based on a conventional encryption function. Advances in Cryptology. In: Proceedings of CRYPTO’87, LNCS 293, pp. 369–378. Springer (1987)Google Scholar
  37. 37.
    Naor, M., Yung, M.: Universal one-way hash functions and their cryptographic application. In: Proceedings of STOC 89, pp. 33–43. ACM (1989)Google Scholar
  38. 38.
    Pedersen, T.: Non-interactive and information-theoretic secure verifiable secret sharing. Advances in cryptology. In: Proceedings of CRYPTO’91, LNCS 576, pp. 129–140. Springer (1992)Google Scholar
  39. 39.
    Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. J Cryptol 13(3), 361–396 (2000)CrossRefzbMATHGoogle Scholar
  40. 40.
    Rabin, M.O.: Digital Signatures. In: DeMillo, R.A., et al. (eds.) Foundations of secure computation, pp. 155–168. Academic Press, London (1978)Google Scholar
  41. 41.
    Rivest, R., Shamir, A., Adelman, L.: A method for obtaining digital signature and public key cryptosystems. Commun ACM 21(2), 120–126 (1978)CrossRefzbMATHGoogle Scholar
  42. 42.
    Rompel, J.: One-way functions are necessary and sufficient for secure signatures. Proc. STOC 90, 387–394 (1990)Google Scholar
  43. 43.
    Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)MathSciNetCrossRefzbMATHGoogle Scholar
  44. 44.
    Shamir, A., Tauman, Y.: Improved on-line/off-line signature schemes. Advances in cryptology. In: Proceedings of CRYPTO ’01, LNCS 2139, pp. 355–367. Springer-Verlag (2001)Google Scholar
  45. 45.
    Schnorr, C.P.: Efficient signature generation by smart cards. J Cryptol 4(3), 161–174 (1991)MathSciNetCrossRefzbMATHGoogle Scholar
  46. 46.
    Shoup, V.: Practical threshold signatures. Advances in cryptology. In: Proceedings of EUROCRYPT ’00, LNCS 1807, pp. 207–220. Springer (2000)Google Scholar
  47. 47.
    OpenSSL Project
  48. 48.
    National Institute for Standards and Technology, Digital Signature Standard (DSS), Technical Report 169 (1991)Google Scholar
  49. 49.
    Xu, S., Mu, Y., Susilo, W.: Online/offline signatures and multisignatures for AODV and DSR routing security. Inf Secur Privacy (ACISP 2006) 4058, 99–110 (2006)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Emmanuel Bresson
    • 1
  • Dario Catalano
    • 2
  • Mario Di Raimondo
    • 2
  • Dario Fiore
    • 3
  • Rosario Gennaro
    • 4
  1. 1.EADS/Emiraje Systems LLCAbu DhabiUAE
  2. 2.Dipartimento di Matematica e InformaticaUniversità di CataniaCataniaItaly
  3. 3.Max Planck Institute for Software SystemsSaarbruckenGermany
  4. 4.The City College of CUNYNew YorkUSA

Personalised recommendations