Digital Signatures Do Not Guarantee Exclusive Ownership

  • Thomas Pornin
  • Julien P. Stern
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3531)


Digital signature systems provide a way to transfer trust from the public key to the signed data; this is used extensively within PKIs. However, some applications need a transfer of trust in the other direction, from the signed data to the public key. Such a transfer is cryptographically robust only if the signature scheme has a property which we name exclusive ownership. In this article, we show that the usual signature algorithms (such as RSA[3] and DSS[4]) do not have that property. Moreover, we describe several constructs which may be used to transform a signature scheme into another signature scheme which provides exclusive ownership.


Hash Function Signature Scheme Random Oracle Discrete Logarithm Valid Signature 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Housley, R., Polk, W., Ford, W., Solo, D.: Internet, X.: 509 Public Key Infrastructure, Certificate and Certificate Revocation List (CRL) Profile,RFC 3280 (April 2002)Google Scholar
  2. 2.
    Pornin, T., Stern, J.P.: On the Soundness of Certificate Validation in X.509 and PKIX. To appear in EuroPKI (2005)Google Scholar
  3. 3.
    Jonsson, J., Kaliski, B.: Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1. RFC 3447 (February 2003)Google Scholar
  4. 4.
    Digital Signature Standard, National Institute of Standards and Technology (NIST), FIPS 186-2 (2000)Google Scholar
  5. 5.
    Christianson, R., Low, M.R.: Key-spoofing attacks on nested signature blocks. Electronics Letters 31(13), 1043–1044 (1995)CrossRefGoogle Scholar
  6. 6.
    Goldwasser, S., Micali, S., Rivest, R.: A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks. SIAM Journal on Computing 17(2), 281–308 (1988)zbMATHCrossRefMathSciNetGoogle Scholar
  7. 7.
    Stern, J., Pointcheval, D., Malone-Lee, J., Smart, N.P.: Flaws in applying proof methodologies to signature schemes. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 93–110. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  8. 8.
    Rivest, R., Shamir, A., Adleman, L.: A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Communications of the ACM, 120–126 (February 1978)Google Scholar
  9. 9.
    Quisquater, J.-J., Couvreur, C.: Fast decipherment algorithm for RSA public-key cryptosystem. Electronics Letters 18(21), 905–907 (1982)CrossRefGoogle Scholar
  10. 10.
    Schnorr, G.P.: Efficient signature generation by smart cards. Journal of Cryptology 4, 161–174 (1991)zbMATHCrossRefGoogle Scholar
  11. 11.
    El-Gamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 10–18. Springer, Heidelberg (1985)CrossRefGoogle Scholar
  12. 12.
    Bellare, M., Rogaway, P.: Random Oracles Are Practical: a Paradigm for Designing Efficient Protocols. In: Proceedings of the 1st CCS, pp. 62–73. ACM Press, New York (1993)Google Scholar
  13. 13.
    Fiat, A., Shamir, A.: How to prove yourself: Practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Thomas Pornin
    • 1
  • Julien P. Stern
    • 1
  1. 1.Cryptolog InternationalParisFrance

Personalised recommendations