# Off-line/on-line signatures revisited: a general unifying paradigm, efficient threshold variants and experimental results


## Abstract

The notion of off-line/on-line digital signature scheme was introduced by Even, Goldreich and Micali. Informally, such signature schemes are used to reduce the time required to compute a signature using some kind of preprocessing. Even, Goldreich and Micali show how to realize off-line/on-line digital signature schemes by combining regular digital signatures with efficient one-time signatures. Later, Shamir and Tauman presented an alternative construction (which produces shorter signatures) obtained by combining regular signatures with chameleon hash functions. In this paper, we study off-line/on-line digital signature schemes both from a theoretic and a practical perspective. More precisely, our contribution is threefold. First, we unify the Shamir–Tauman and Even et al. approaches by showing that they can be seen as different instantiations of the same paradigm. We do this by showing that the one-time signatures needed in the Even et al. approach only need to satisfy a weak notion of security. We then show that chameleon hashing is basically a one-time signature which satisfies such a weaker security notion. As a by-product of this result, we study the relationship between one-time signatures and chameleon hashing, and we prove that a special type of chameleon hashing (which we call *double-trapdoor*) is actually a fully secure one-time signature. Next, we consider the task of building, in a generic fashion, threshold variants of known schemes: Crutchfield et al. proposed a generic way to construct a threshold off-line/on-line signature scheme given a threshold regular one. They applied known threshold techniques to the Shamir–Tauman construction using a specific chameleon hash function. Their solution introduces additional computational assumptions which turn out to be implied by the so-called one-more discrete logarithm assumption. Here, we propose two generic constructions that can be based on any threshold signature scheme, combined with a specific (double-trapdoor) chameleon hash function. Our constructions are efficient and can be proven secure in the standard model using only the traditional discrete logarithm assumption. Finally, we ran experimental tests to measure the difference between the real efficiency of the two known constructions for non-threshold off-line/on-line signatures. Interestingly, we show that, using some optimizations, the two approaches are comparable in efficiency and signature length.
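The chameleon-hash approach summarized above can be made concrete with a textbook discrete-log chameleon hash. The following is an added example, not code from the paper: the toy group, function names and sample messages are assumptions, and the regular signature over the off-line value `c` is left out. It shows the cheap on-line step (one trapdoor collision) and why a single-trapdoor hash value may be opened for only one message: two openings of the same `c` reveal the trapdoor.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for illustration only (far too small for real use):
# p = 2q + 1 with p, q prime; g = 4 generates the subgroup of prime order q.
P, Q, G = 2039, 1019, 4

def digest(msg: bytes) -> int:
    """Map a message into Z_q."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def keygen():
    """Return (trapdoor x, public hash key h = g^x mod p)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def chash(h: int, m: int, r: int) -> int:
    """Chameleon hash CH(m, r) = g^m * h^r mod p."""
    return pow(G, m, P) * pow(h, r, P) % P

def offline(h: int):
    """Off-line phase: hash a random pair (m0, r0).
    The value c is what the regular signature scheme would sign in advance."""
    m0, r0 = secrets.randbelow(Q), secrets.randbelow(Q)
    return (m0, r0), chash(h, m0, r0)

def online(x: int, token, msg: bytes) -> int:
    """On-line phase: solve m0 + x*r0 = m + x*r (mod q) for r.
    One modular multiplication and addition, no exponentiation."""
    m0, r0 = token
    return (r0 + (m0 - digest(msg)) * pow(x, -1, Q)) % Q

def verify(h: int, c: int, msg: bytes, r: int) -> bool:
    """Verifier recomputes the hash; it would also check the regular signature on c."""
    return chash(h, digest(msg), r) == c

def recover_trapdoor(m1: int, r1: int, m2: int, r2: int) -> int:
    """Two openings of the same c give x = (m1 - m2) / (r2 - r1) mod q,
    so each off-line token must be used for exactly one message."""
    return (m1 - m2) * pow((r2 - r1) % Q, -1, Q) % Q
```
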

## Keywords

Off-line/on-line signatures, Digital signatures, Chameleon hash, One-time signatures, Threshold signatures

## Notes

### Acknowledgments

Emmanuel Bresson, Dario Fiore, and Rosario Gennaro did part of this work while being affiliated with DCSSI Crypto Lab in Paris, Università di Catania and the IBM T.J. Watson Research Center, respectively.
