Designs, Codes and Cryptography, Volume 59, Issue 1–3, pp 169–182

How (Not) to design strong-RSA signatures

Article

Abstract

This paper considers strong-RSA signature schemes built from the scheme of Cramer and Shoup. We present a basic scheme encompassing the main features of the Cramer-Shoup scheme. We analyze its security in both the random oracle model and the standard model. This helps us to spot potential security flaws. As a result, we show that a seemingly secure signature scheme (Tan in Int J Security Netw 1(3/4): 237–242, 2006) is universally forgeable under a known-message attack. In a second step, we discuss how to turn the basic scheme into a fully secure signature scheme. Doing so, we rediscover several known schemes (or slight variants thereof).

Keywords

Digital signature, Strong RSA assumption, Cramer-Shoup signature scheme, Standard model

Mathematics Subject Classification (2000)

11T71, 94A60, 14G50


References

1. Barić N., Pfitzmann B.: Collision-free accumulators and fail-stop signature schemes without trees. In: Fumy, W. (ed.) Advances in Cryptology – EUROCRYPT ’97, volume 1233 of Lecture Notes in Computer Science, pp. 480–494. Springer-Verlag, Berlin (1997).
2. Bellare M., Rogaway P.: Random oracles are practical: a paradigm for designing efficient protocols. In: 1st ACM Conference on Computer and Communications Security, pp. 62–73. ACM Press (1993).
3. Bellare M., Rogaway P.: The exact security of digital signatures: how to sign with RSA and Rabin. In: Maurer, U. (ed.) Advances in Cryptology – EUROCRYPT ’96, volume 1070 of Lecture Notes in Computer Science, pp. 399–416. Springer-Verlag, Berlin (1996).
4. Camenisch J., Lysyanskaya A.: A signature scheme with efficient protocols. In: Security in Communication Networks (SCN 2002), volume 2676 of Lecture Notes in Computer Science, pp. 268–289. Springer-Verlag, Berlin (2002).
5. Canetti R., Goldreich O., Halevi S.: The random oracle methodology, revisited. In: 30th Annual ACM Symposium on Theory of Computing (STOC ’98), pp. 209–217 (1998).
6. Cao Z., Liu L.: A strong RSA signature scheme and its applications. In: 8th ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing, pp. 111–115. IEEE Computer Society (2007).
7. Catalano D., Gennaro R.: Cramer-Damgård signatures revisited: efficient flat-tree signatures based on factoring. In: Vaudenay, S. (ed.) Public Key Cryptography – PKC 2005, volume 3386 of Lecture Notes in Computer Science, pp. 313–327. Springer-Verlag, Berlin (2005).
8. Chevallier-Mames B., Joye M.: A practical and tightly secure signature scheme without hash function. In: Abe, M. (ed.) Topics in Cryptology – CT-RSA 2007, volume 4377 of Lecture Notes in Computer Science, pp. 339–356. Springer-Verlag, Berlin (2007).
9. Coron J.-S., Naccache D.: Security analysis of the Gennaro-Halevi-Rabin signature scheme. In: Preneel, B. (ed.) Advances in Cryptology – EUROCRYPT 2000, volume 1807 of Lecture Notes in Computer Science, pp. 91–101. Springer-Verlag, Berlin (2000).
10. Cramer R., Damgård I.: New generation of secure and practical RSA-based signatures. In: Koblitz, N. (ed.) Advances in Cryptology – CRYPTO ’96, volume 1109 of Lecture Notes in Computer Science, pp. 173–185. Springer-Verlag, Berlin (1996).
11. Cramer R., Shoup V.: Signature scheme based on the strong RSA assumption. ACM Transactions on Information and System Security 3(3), 161–185 (2000). An earlier version appears in: 6th ACM Conference on Computer and Communications Security, pp. 46–51. ACM Press (1999).
12. Diffie W., Hellman M.: New directions in cryptography. IEEE Trans. Inform. Theory IT-22(6), 644–654 (1976).
13. Dodis Y., Oliveira R., Pietrzak K.: On the generic insecurity of the full domain hash. In: Shoup, V. (ed.) Advances in Cryptology – CRYPTO 2005, volume 3621 of Lecture Notes in Computer Science, pp. 449–466. Springer-Verlag, Berlin (2005).
14. Dwork C., Naor M.: An efficient existentially unforgeable signature scheme and its applications. In: Desmedt, Y. (ed.) Advances in Cryptology – CRYPTO ’94, volume 839 of Lecture Notes in Computer Science, pp. 234–246. Springer-Verlag, Berlin (1994).
15. Fischlin M.: The Cramer-Shoup strong-RSA signature scheme revisited. In: Desmedt, Y. (ed.) Public Key Cryptography – PKC 2003, volume 2567 of Lecture Notes in Computer Science, pp. 116–129. Springer-Verlag, Berlin (2003).
16. Fujisaki E., Okamoto T.: Statistical zero-knowledge protocols to prove modular polynomial equations. In: Kaliski, B. (ed.) Advances in Cryptology – CRYPTO ’97, volume 1294 of Lecture Notes in Computer Science, pp. 16–30. Springer-Verlag, Berlin (1997).
17. Gennaro R., Halevi S., Rabin T.: Secure hash-and-sign signatures without the random oracle. In: Bellare, M. (ed.) Advances in Cryptology – EUROCRYPT ’99, volume 1592 of Lecture Notes in Computer Science, pp. 123–139. Springer-Verlag, Berlin (1999).
18. Goldreich O.: Two remarks concerning the Goldwasser-Micali-Rivest signature scheme. In: Odlyzko, A. (ed.) Advances in Cryptology – CRYPTO ’86, volume 263 of Lecture Notes in Computer Science, pp. 104–110. Springer-Verlag, Berlin (1986).
19. Goldwasser S., Micali S., Rivest R.: A digital signature scheme secure against adaptive chosen message attacks. SIAM J. Comput. 17(2), 281–308 (1988).
20. Hofheinz D., Kiltz E.: Programmable hash functions and their applications. In: Wagner, D. (ed.) Advances in Cryptology – CRYPTO 2008, volume 5157 of Lecture Notes in Computer Science, pp. 21–38. Springer-Verlag, Berlin (2008).
21. Joye M., Lin H.-M. et al.: On the TYS signature scheme. In: Gavrilova, M. (ed.) Computational Science and Its Applications – ICCSA 2006, volume 3982 of Lecture Notes in Computer Science, pp. 338–344. Springer-Verlag, Berlin (2006).
22. Katz J., Wang N.: Efficiency improvements for signature schemes with tight security reductions. In: 10th ACM Conference on Computer and Communications Security, pp. 155–164. ACM Press (2003).
23. Krawczyk H., Rabin T.: Chameleon signatures. In: Symposium on Network and Distributed System Security – NDSS 2000, pp. 143–154. Internet Society (2000).
24. Kurosawa K., Schmidt-Samoa K. et al.: New online/offline signature schemes without random oracles. In: Yung, M. (ed.) Public Key Cryptography – PKC 2006, volume 3958 of Lecture Notes in Computer Science, pp. 330–346. Springer-Verlag, Berlin (2006).
25. Menezes A., Smart N.: Security of signature schemes in a multi-user setting. Designs Codes Cryptogr. 33(3), 261–274 (2004).
26. Naccache D., Pointcheval D., Stern J.: Twin signatures: an alternative to the hash-and-sign paradigm. In: 8th ACM Conference on Computer and Communications Security, pp. 20–27. ACM Press (2001).
27. Naor M., Yung M.: Universal one-way hash functions and their cryptographic applications. In: 21st Annual ACM Symposium on Theory of Computing (STOC ’89), pp. 33–43. ACM Press (1989).
28. Paillier P.: Impossibility proofs for RSA signatures in the standard model. In: Abe, M. (ed.) Topics in Cryptology – CT-RSA 2007, volume 4377 of Lecture Notes in Computer Science, pp. 31–48. Springer-Verlag, Berlin (2007).
29. Popescu C.: A modification of the Cramer-Shoup digital signature scheme. Studia Univ. Babeş-Bolyai Informatica XLVII(2), 27–35 (2002).
30. Rivest R.L., Shamir A., Adleman L.M.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978).
31. Tan C.H.: A secure signature scheme. In: Onoe, S., et al. (eds.) 2006 International Conference on Wireless Communications and Mobile Computing (IWCMC 2006), pp. 195–200. ACM Press (2006).
32. Tan C.H.: A new signature scheme without random oracles. Int. J. Secur. Netw. 1(3/4), 237–242 (2006).
33. Tan C.H., Yi X., Siew C.K.: A new provably secure signature scheme. IEICE Trans. Fundam. E86-A(10), 2633–2635 (2003).
34. Yu P., Tate S.R.: Online/offline signature schemes for devices with limited capabilities. In: Malkin, T. (ed.) Topics in Cryptology – CT-RSA 2008, volume 4964 of Lecture Notes in Computer Science, pp. 301–317. Springer-Verlag, Berlin (2008).
35. Zhu H.: New digital signature scheme attaining immunity against adaptive chosen message attack. Chin. J. Electron. 10(4), 484–486 (2001).
36. Zhu H.: A formal proof of Zhu’s signature scheme. Cryptology ePrint Archive, Report 2003/155 (2003).

Copyright information

© Springer Science+Business Media, LLC 2010

Authors and Affiliations

Technicolor, Security & Content Protection Labs, Cesson-Sévigné Cedex, France
