A Practical and Tightly Secure Signature Scheme Without Hash Function

  • Benoît Chevallier-Mames
  • Marc Joye
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4377)


In 1999, two signature schemes based on the flexible RSA problem (a.k.a. strong RSA problem) were independently introduced: the Gennaro-Halevi-Rabin (GHR) signature scheme and the Cramer-Shoup (CS) signature scheme. Remarkably, these schemes meet the highest security notion in the standard model. They however differ in their implementation. The CS scheme and its subsequent variants and extensions proposed so far feature a loose security reduction, which, in turn, implies larger security parameters. The security of the GHR scheme and of its twinning-based variant are shown to be tightly based on the flexible RSA problem but additionally (i) either assumes the existence of division-intractable hash functions, or (ii) requires an injective mapping into the prime numbers in both the signing and verification algorithms.

In this paper, we revisit the GHR signature scheme and completely remove the extra assumption made on the hash functions without relying on injective prime mappings. As a result, we obtain a practical signature scheme (and an on-line/off-line variant thereof) whose security is solely and tightly related to the strong RSA assumption.


Digital signatures standard model strong RSA assumption tight reduction Gennaro-Halevi-Rabin signature scheme Cramer-Shoup signature scheme on-line/off-line signatures 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [BB04]
    Boneh, D., Boyen, X.: Short signatures without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 56–73. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  2. [BC92]
    Bos, J., Chaum, D.: Provably unforgeable signatures. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 1–14. Springer, Heidelberg (1993)Google Scholar
  3. [BLS04]
    Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. Journal of Cryptology 17(4), 297–319 (2004)zbMATHCrossRefMathSciNetGoogle Scholar
  4. [BM92]
    Bellare, M., Micali, S.: How to sign given any trapdoor permutation. Journal of the ACM 39(1), 214–233 (1992)zbMATHCrossRefMathSciNetGoogle Scholar
  5. [BNPS03]
    Bellare, M., Namprempre, C., Pointcheval, D., Semanko, M.: The one-more-RSA-inversion problems and the security of Chaum’s blind signature scheme. Journal of Cryptology 16(3), 185–215 (2003)zbMATHCrossRefMathSciNetGoogle Scholar
  6. [BP97]
    Barić, N., Pfitzmann, B.: Collision-free accumulators and fail-stop signature schemes without trees. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 480–494. Springer, Heidelberg (1997)Google Scholar
  7. [BR93]
    Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: 1st ACM Conference on Computer and Communications Security, pp. 62–73. ACM Press, New York (1993)CrossRefGoogle Scholar
  8. [BR96]
    Bellare, M., Rogaway, P.: The exact security of digital signatures: How to sign with RSA and Rabin. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996)Google Scholar
  9. [BSW06]
    Boneh, D., Shen, E., Waters, B.: Strongly unforgeable signature schemes based on comptutational Diffie-Hellman. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T.G. (eds.) PKC 2006. LNCS, vol. 3958, pp. 229–240. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  10. [CD96]
    Cramer, R., Damgård, I.: New generation of secure and practical RSA-based signatures. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 173–185. Springer, Heidelberg (1996)Google Scholar
  11. [CG05]
    Catalano, D., Gennaro, R.: Cramer-Damgård signatures revisited: Efficient flat-tree signatures based on factoring. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 313–327. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  12. [CGH98]
    Canetti, R., Golreich, O., Halevi, S.: The random oracle methodology, revisited. In: 30th Annual ACM Symposium on Theory of Computing, pp. 209–217. ACM Press, New York (1998)Google Scholar
  13. [CL02]
    Camenisch, J.L., Lysyanskaya, A.: A Signature Scheme with Efficient Protocols. In: Cimato, S., Galdi, C., Persiano, G. (eds.) SCN 2002. LNCS, vol. 2576, pp. 268–289. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  14. [CLP05]
    Coron, J.-S., Lefranc, D., Poupard, G.: A new baby-step giant-step algorithm and some applications to cryptanalysis. In: Rao, J.R., Sunar, B. (eds.) CHES 2005. LNCS, vol. 3659, pp. 47–60. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  15. [CN00]
    Coron, J.-S., Naccache, D.: Security analysis of the Gennaro-Halevi-Rabin signature scheme. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 91–101. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  16. [Cor00]
    Coron, J.-S.: On the exact security of full domain hash. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 229–235. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  17. [CS00]
    Cramer, R., Shoup, V.: Signature scheme based on the strong RSA assumption. ACM Transactions on Information and System Security 3(3), 161–185 (2000)CrossRefGoogle Scholar
  18. [DH76]
    Diffie, W., Hellman, M.: New directions in cryptography. IEEE Transactions on Information Theory IT-22(6), 644–654 (1976)CrossRefMathSciNetGoogle Scholar
  19. [DN94]
    Dwork, C., Naor, M.: An efficient existentially unforgeable signature scheme and its applications. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 234–246. Springer, Heidelberg (1994)Google Scholar
  20. [EGM96]
    Even, S., Goldreich, O., Micali, S.: On-line/off-line digital signatures. Journal of Cryptology 9(1), 35–67 (1996)zbMATHCrossRefMathSciNetGoogle Scholar
  21. [Fis03]
    Fischlin, M.: The Cramer-Shoup strong-RSA signature scheme revisited. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 116–129. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  22. [FO97]
    Fujisaki, E., Okamoto, T.: Statistical zero-knowledge protocols to prove modular polynomial equations. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 16–30. Springer, Heidelberg (1997)Google Scholar
  23. [FS87]
    Fiat, A., Shamir, A.: How to prove yourself: Practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987)Google Scholar
  24. [GHR99]
    Gennaro, R., Halevi, S., Rabin, T.: Secure hash-and-sign signatures without the random oracle. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 123–139. Springer, Heidelberg (1999)Google Scholar
  25. [GJ03]
    Goh, E.-J., Jarecki, S.: A signature scheme as secure as the Diffie-Hellman problem. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 401–415. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  26. [GMR88]
    Goldwasser, S., Micali, S., Rivest, R.: A digital signature scheme secure against adaptive chosen message attacks. SIAM Journal of Computing 17(2), 281–308 (1988)zbMATHCrossRefMathSciNetGoogle Scholar
  27. [Gol86]
    Goldreich, O.: Two remarks concerning the Goldwasser-Micali-Rivest signature scheme. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 104–110. Springer, Heidelberg (1987)Google Scholar
  28. [JPV00]
    Joye, M., Paillier, P., Vaudenay, S.: Efficient generation of prime numbers. In: Paar, C., Koç, Ç.K. (eds.) CHES 2000. LNCS, vol. 1965, pp. 340–354. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  29. [KM04]
    Koblitz, N., Menezes, A.: Another look at “provable security”. Cryptology ePrint Archive 2004/152. Journal of Cryptology (to appear, 2004)Google Scholar
  30. [KR00]
    Krawczyk, H., Rabin, T.: Chameleon signatures. In: Symposium on Network and Distributed System Security − NDSS 2000, pp. 143–154. Internet Society (2000)Google Scholar
  31. [KS06]
    Kurosawa, K., Schmidt-Samoa, K.: New online/offline signature schemes without random oracles. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T.G. (eds.) PKC 2006. LNCS, vol. 3958, pp. 330–346. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  32. [KW03]
    Katz, J., Wang, N.: Efficiency improvements for signature schemes with tight security reductions. In: 10th ACM Conference on Computer and Communications Security, pp. 155–164. ACM Press, New York (2003)CrossRefGoogle Scholar
  33. [Mer87]
    Merkle, R.: A digital signature based on a conventional encryption function. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 369–378. Springer, Heidelberg (1988)Google Scholar
  34. [NPS01]
    Naccache, D., Pointcheval, D., Stern, J.: Twin signatures: An alternative to the hash-and-sign paradigm. In: 8th ACM Conference on Computer and Communications Security, pp. 20–27. ACM Press, New York (2001)CrossRefGoogle Scholar
  35. [NY89]
    Naor, M., Yung, M.: Universal one-way hash functions and their cryptographic applications. In: 21st Annual ACM Symposium on Theory of Computing, pp. 33–43. ACM Press, New York (1989)Google Scholar
  36. [PS96]
    Pointcheval, D., Stern, J.: Security proofs for signature schemes. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 387–398. Springer, Heidelberg (1996)Google Scholar
  37. [PV05]
    Paillier, P., Vergnaud, D.: Discrete-log-based signatures may not be equivalent to discrete log. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 1–20. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  38. [Rom90]
    Rompel, J.: One-way functions are necessary and sufficient for secure signatures. In: 22nd Annual ACM Symposium on Theory of Computing, pp. 387–394. ACM Press, New York (1990)Google Scholar
  39. [RSA78]
    Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM 21(2), 120–126 (1978)zbMATHCrossRefMathSciNetGoogle Scholar
  40. [ST01]
    Shamir, A., Tauman, Y.: Improved online/offline signature schemes. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 355–367. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  41. [Wat05]
    Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R.J.F. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  42. [Zhu01]
    Zhu, H.: New digital signature scheme attaining immunity against adaptive chosen message attack. Chinese Journal of Electronics 10(4), 484–486 (2001)Google Scholar
  43. [Zhu03]
    Zhu, H.: A formal proof of Zhu’s signature scheme. Cryptology ePrint Archive, Report 2003/155 (2003)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Benoît Chevallier-Mames
    • 1
  • Marc Joye
    • 2
  1. 1.Gemalto, Security LabsLa Ciotat CedexFrance
  2. 2.Thomson R&D France, Technology Group, Corporate Research, Security LaboratoryCesson-SévignéFrance

Personalised recommendations