Designs, Codes and Cryptography

, Volume 33, Issue 3, pp 261–274

Security of Signature Schemes in a Multi-User Setting

  • Alfred Menezes
  • Nigel Smart


This paper initiates the study of the security of signature schemes in the multi-user setting. We argue that the well-accepted notion of security for signature schemes, namely existential unforgeability against adaptive chosen-message attacks, is not adequate for the multi-user setting. We propose an extension of this security notion to the multi-user setting and show that signature schemes proven secure in the single-user setting can, under reasonable constraints, also be proven secure in the multi-user setting.

digital signatures provable security 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    C. Adams and S. Farrell, Internet X.509 Public Key Infrastructure: Certificate Management Protocols, RFC 2510, March (1999).Google Scholar
  2. 2.
    ANSI X9.62, Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA), 1999.Google Scholar
  3. 3.
    M. Bellare, A. Boldyreva and S. Micali, Public-key encryption in a multi-user setting: security proofs and improvements, Advances in Cryptology-Eurocrypt 2000, LNCS Vol. 1807 (2000) pp. 259–274.Google Scholar
  4. 4.
    M. Bellare and P. Rogaway, Entity authentication and key distribution, Advances in Cryptology-Crypto '93, LNCS Vol. 773 (1993) pp. 232–249.Google Scholar
  5. 5.
    M. Bellare and P. Rogaway, Optimal asymmetric encryption-how to encrypt with RSA, Advances in Cryptology-Eurocrypt '94, LNCS Vol. 950 (1994) pp. 92–111.Google Scholar
  6. 6.
    M. Bellare and P. Rogaway, The exact security of digital signatures-how to sign with RSA and Rabin, Advances in Cryptology-Eurocrypt '96, LNCS Vol. 1070 (1996) pp. 399–416.Google Scholar
  7. 7.
    D. Bernstein, A secure public-key signature system with extremely fast verification, preprint (2002).Google Scholar
  8. 8.
    S. Blake-Wilson, D. Johnson and A. Menezes, Key agreement protocols and their security analysis, Proceedings of the 6th IMA International Conference on Cryptography and Coding, LNCS Vol. 1355 (1997) pp. 30–45.Google Scholar
  9. 9.
    S. Blake-Wilson and A Menezes, Unknown key-share attacks on the station-to-station (STS) protocol, Proceedings of PKC '99, LNCS Vol. 1560 (1999) pp. 154–170.Google Scholar
  10. 10.
    J. Boyar, K. Friedl and C. Lund, Practical zero-knowledge proofs: Giving hints and using deficiencies, Journal of Cryptology, Vol. 4 (1991) pp. 185–206.Google Scholar
  11. 11.
    D. Brown, Generic groups, collision resistance, and ECDSA, preprint (2001).Google Scholar
  12. 12.
    J. Camenisch and M. Michels, Proving in zero-knowledge that a number is a product of two safe primes,Advances in Cryptology-Eurocrypt '99, LNCS Vol. 1592 (1999) pp. 107–122.Google Scholar
  13. 13.
    R. Canetti and H. Krawczyk, Analysis of key-exchange protocols and their use for building secure channels, Advances in Cryptology-Eurocrypt 2001, LNCS Vol. 2045 (2001) pp. 453–474.Google Scholar
  14. 14.
    R. Cramer and V. Shoup, A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack, Advances in Cryptology-Crypto '98, LNCS Vol. 1462 (1998) pp. 13–25.Google Scholar
  15. 15.
    W. Diffie, P. van Oorschot and M. Wiener, Authentication and authenticated key exchanges, Designs, Codes and Cryptography, Vol. 2 (1992) pp. 107–125.Google Scholar
  16. 16.
    R. Gennaro, S. Halevi and T. Rabin, Secure hash-and-sign signatures without the random oracle, Advances in Cryptology-Eurocrypt '99, LNCS Vol. 1592 (1999) pp. 123–139.Google Scholar
  17. 17.
    S. Goldwasser, S. Micali and R. Rivest, A “paradoxical” solution to the signature problem, Proceedings of the IEEE 25th Annual Symposium on Foundations of Computer Science (1984) pp. 441–448.Google Scholar
  18. 18.
    S. Goldwasser, S. Micali and R. Rivest, A digital signature scheme secure against adaptive chosenmessage attacks SIAM J. Computing, Vol. 17 (1988) pp. 281–308.Google Scholar
  19. 19.
    J. van de Graaf and R. Peralta, A simple and secure way to show the validity of your public key, Advances in Cryptology-Crypto '87, LNCS Vol. 293 (1988) pp. 128–134.Google Scholar
  20. 20.
    J. Håstad, Solving simultaneous modular equations of low degree, SIAM Journal on Computing, Vol. 17 (1988) pp. 336–341.Google Scholar
  21. 21.
    D. Johnson, A. Menezes and S. Vanstone, The elliptic curve digital signature algorithm (ECDSA), International J. Information Security, Vol. 1 (2001) pp. 36–63.Google Scholar
  22. 22.
    M. Meyers, C. Adams, D. Solo and D. Kemp, Internet X.509 Certificate Request Message Format, RFC 2511, March (1999).Google Scholar
  23. 23.
    National Institute of Standards and Technology, Digital Signature Standard, FIPS Publication 186–2 (2000).Google Scholar
  24. 24.
    P. Nguyen and I. Shparlinski, The insecurity of the digital signature algorithm with partially known nonces, Journal of Cryptology, Vol. 15 (2002) pp. 151–176.Google Scholar
  25. 25.
    D. Pointcheval and J. Stern, Security arguments for digital signatures and blind signatures, Journal of Cryptology, Vol. 13 (2000) pp. 361–396.Google Scholar
  26. 26.
    M. Rabin, Digitalized signatures and public-key functions as intractable as factorization, MIT Lab. for Computer Science, Technical Report LCS/TR-212, 1979Google Scholar
  27. 27.
    C. Schnorr, Efficient signature generation by smart cards, Journal of Cryptology, Vol. 4 (1991) pp. 161–174.Google Scholar
  28. 28.
    V. Shoup, Lower bounds for discrete logarithms and related problems, Advances in Cryptology-Eurocrypt '97, LNCS Vol. 1233 (1997) pp. 256–266.Google Scholar
  29. 29.
    V. Shoup, On formal models for secure key exchange, Cryptology ePrint Archive Report 1999/012, 1999. Available from Scholar
  30. 30.
    J. Stern, D. Pointcheval, J. Malone-Lee and N. P. Smart, Flaws in applying proof methodologies to signature schemes, Advances in Cryptology-CRYPTO 2002, LCNS Vol. 2442 (2002) pp. 93–110.Google Scholar
  31. 31.
    H. Williams, A modification of the RSA public-key encryption procedure, IEEE Transactions on Information Theory, Vol. 26 (1980) pp. 726–729.Google Scholar

Copyright information

© Kluwer Academic Publishers 2004

Authors and Affiliations

  • Alfred Menezes
  • Nigel Smart

There are no affiliations available

Personalised recommendations