The Provable Security of Graph-Based One-Time Signatures and Extensions to Algebraic Signature Schemes

  • Alejandro Hevia
  • Daniele Micciancio
Conference paper, in Advances in Cryptology, ASIACRYPT 2002.
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2501).


Essentially all known one-time signature schemes can be described as special instances of a general scheme, suggested by Bleichenbacher and Maurer, based on “graphs of one-way functions”. Bleichenbacher and Maurer thoroughly analyze graph-based signatures from a combinatorial point of view, studying the graphs that result in the most efficient schemes (with respect to various efficiency measures, but focusing mostly on key generation time). However, they do not give a proof of security for their generic construction, and they leave open the problem of determining under what assumption its security can be formally proved. In this paper we analyze graph-based signatures from a security point of view and give sufficient conditions under which the security of the signature scheme can be proved in the standard complexity model (no random oracles). The techniques used to prove the security of graph-based one-time signatures are then applied to the construction of a new class of algebraic signature schemes, i.e., schemes where signatures can be combined using a restricted set of operations.
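To make the “graph of one-way functions” view concrete, the following Python is an example added by the editor, not code from the paper or from Bleichenbacher and Maurer: it instantiates a DAG-based one-time signature in the way a practitioner would read the generic construction (source nodes hold random secrets, every edge applies a one-way function, the sink values form the verification key, and a message selects the set of node values to reveal) and then expresses Lamport's scheme and a one-digit Winternitz chain, with and without its checksum chain, as instances of the same object. The node labelling, the choice of SHA-256 with the node label as domain separator, the `reveal` maps and the `forgeable_pairs` check are all this example's own assumptions. That check tests only the necessary combinatorial condition that no message's revealed set be forward-computable from another message's signature; it is not the paper's sufficient condition for a full security proof.

```python
import hashlib
import os
from itertools import product
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

Node = str


def H(data: bytes) -> bytes:
    """One-way function applied along each edge (SHA-256 is this example's choice)."""
    return hashlib.sha256(data).digest()


class GraphOTS:
    """One-time signature over a DAG: sources hold secrets, every other node is
    H(label || parent values), and the verification key is the values of the sinks."""

    def __init__(self, parents: Dict[Node, List[Node]],
                 reveal: Callable[[int], FrozenSet[Node]]):
        self.parents = parents      # node -> ordered parents ([] marks a source)
        self.reveal = reveal        # message -> nodes whose values form the signature
        self.children: Dict[Node, List[Node]] = {n: [] for n in parents}
        for n, ps in parents.items():
            for p in ps:
                self.children[p].append(n)
        self.sinks = sorted(n for n in parents if not self.children[n])

    def _forward(self, known: Dict[Node, bytes]) -> Dict[Node, bytes]:
        """Evaluate every node whose parents are all known (the public direction only)."""
        vals, changed = dict(known), True
        while changed:                      # fixpoint; small graphs, so no topo sort needed
            changed = False
            for n, ps in self.parents.items():
                if n not in vals and ps and all(p in vals for p in ps):
                    vals[n] = H(n.encode() + b"".join(vals[p] for p in ps))
                    changed = True
        return vals

    def _sinks_below(self, n: Node) -> Set[Node]:
        if not self.children[n]:
            return {n}
        return set().union(*(self._sinks_below(c) for c in self.children[n]))

    def keygen(self) -> Tuple[Dict[Node, bytes], Dict[Node, bytes]]:
        sk = {n: os.urandom(32) for n, ps in self.parents.items() if not ps}
        vals = self._forward(sk)
        return sk, {s: vals[s] for s in self.sinks}

    def sign(self, sk: Dict[Node, bytes], m: int) -> Dict[Node, bytes]:
        vals = self._forward(sk)
        return {n: vals[n] for n in self.reveal(m)}

    def verify(self, pk: Dict[Node, bytes], m: int, sig: Dict[Node, bytes]) -> bool:
        if set(sig) != set(self.reveal(m)):          # wrong node set for this message
            return False
        vals = self._forward(sig)
        computed = {s for s in self.sinks if s in vals}
        if any(vals[s] != pk[s] for s in computed):  # a recomputed sink disagrees with the key
            return False
        # every revealed value must be bound to the key through some recomputed sink
        return all(self._sinks_below(n) & computed for n in sig)

    def computable_from(self, nodes: FrozenSet[Node]) -> Set[Node]:
        """Nodes anyone can evaluate once the values on `nodes` are public."""
        return set(self._forward({n: b"" for n in nodes}))

    def forgeable_pairs(self, messages) -> List[Tuple[int, int]]:
        """(m, m') with m != m' where a signature on m yields every value in reveal(m')."""
        return [(m, m2) for m, m2 in product(messages, repeat=2)
                if m != m2 and self.reveal(m2) <= self.computable_from(self.reveal(m))]


def lamport(k: int) -> GraphOTS:
    """Lamport's scheme as a graph: 2k secret sources, each with one hashed child."""
    parents: Dict[Node, List[Node]] = {}
    for i in range(k):
        for b in (0, 1):
            parents[f"s{i}_{b}"] = []
            parents[f"p{i}_{b}"] = [f"s{i}_{b}"]
    return GraphOTS(parents, lambda m: frozenset(f"s{i}_{(m >> i) & 1}" for i in range(k)))


def winternitz(w: int, checksum: bool) -> GraphOTS:
    """One base-w digit signed on a hash chain, optionally with a checksum chain."""
    parents: Dict[Node, List[Node]] = {}
    for c in (["d", "c"] if checksum else ["d"]):
        parents[f"{c}0"] = []
        for j in range(1, w):
            parents[f"{c}{j}"] = [f"{c}{j - 1}"]

    def reveal(m: int) -> FrozenSet[Node]:
        nodes = {f"d{m}"}
        if checksum:
            nodes.add(f"c{w - 1 - m}")   # the checksum chain is walked the opposite way
        return frozenset(nodes)

    return GraphOTS(parents, reveal)
```

With the checksum chain disabled, `winternitz(4, False).forgeable_pairs(range(4))` lists every pair with m < m': whoever sees the signature on m can hash forward along the chain to the value that signs m'. With the checksum chain, and for `lamport(k)`, the list is empty, which is exactly the combinatorial property that a security proof for such a scheme has to build on; `verify` additionally rejects a signature whose revealed nodes do not match the message or whose recomputed sinks disagree with the key.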


References

  1. [AR00] M. Abdalla and L. Reyzin. A new forward-secure digital signature scheme. In ASIACRYPT’2000, LNCS 1976, pages 116–129. Springer-Verlag, 2000.
  2. [BC93] J. N. E. Bos and D. Chaum. Provably unforgeable signatures. In CRYPTO’92, LNCS 740, pages 1–14. Springer-Verlag, 1993.
  3. [BKR94] M. Bellare, J. Kilian, and P. Rogaway. The security of the cipher block chaining message authentication code. In CRYPTO’94, LNCS 839. Springer-Verlag, 1994.
  4. [BM84] M. Blum and S. Micali. How to generate cryptographically strong sequences of pseudorandom bits. SIAM Journal on Computing, 13(4):850–864, 1984.
  5. [BM92] M. Bellare and S. Micali. How to sign given any trapdoor function. Journal of Cryptology, 39(1):214–233, 1992.
  6. [BM94] D. Bleichenbacher and U. M. Maurer. Directed acyclic graphs, one-way functions and digital signatures. In CRYPTO’94, LNCS 839, pages 75–82. Springer-Verlag, 1994.
  7. [BM96a] D. Bleichenbacher and U. M. Maurer. On the efficiency of one-time digital signatures. In ASIACRYPT’96, LNCS 1163, pages 145–158. Springer-Verlag, 1996.
  8. [BM96b] D. Bleichenbacher and U. M. Maurer. Optimal tree-based one-time digital signature schemes. In STACS’96, LNCS 1046, pages 363–374. Springer-Verlag, 1996.
  9. [BM99] M. Bellare and S. Miner. A forward-secure digital signature scheme. In CRYPTO’99, LNCS 1666, pages 431–448. Springer-Verlag, 1999.
  10. [BN02] M. Bellare and G. Neven. Transitive signatures based on factoring and RSA. In ASIACRYPT’02 (these proceedings).
  11. [BR97] M. Bellare and P. Rogaway. Collision-resistant hashing: Towards making UOWHFs practical. In CRYPTO’97, LNCS 1294, pages 470–484. Springer-Verlag, 1997.
  12. [CLR92] T. H. Cormen, C. E. Leiserson, and R. L. Rivest. Introduction to Algorithms. MIT Press and McGraw-Hill, 6th ed., 1992.
  13. [CMR98] R. Canetti, D. Micciancio, and O. Reingold. Perfectly one-way probabilistic hash functions. In STOC’98, pages 131–140. ACM, 1998.
  14. [DN94] C. Dwork and M. Naor. An efficient existentially unforgeable signature scheme and its applications. In CRYPTO’94, LNCS 839, pages 234–246. Springer-Verlag, 1994.
  15. [EGM96] S. Even, O. Goldreich, and S. Micali. On-line/off-line digital signatures. Journal of Cryptology, 9(1):35–67, 1996.
  16. [GMR88] S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281–308, 1988.
  17. [HPT97] R. Hauser, A. Przygienda, and G. Tsudik. Reducing the cost of security in link state routing. In Symposium on Network and Distributed Systems Security (NDSS’97), pages 93–99. Internet Society, 1997.
  18. [HM02] A. Hevia and D. Micciancio. The provable security of graph-based one-time signatures and extensions to algebraic signature schemes. Full version of this paper, available via http://www-cse.ucsd.edu/users/ahevia.
  19. [JMSW02] R. Johnson, D. Molnar, D. Song, and D. Wagner. Homomorphic signature schemes. In CT-RSA’2002, LNCS 2271, pages 244–262. Springer-Verlag, 2002.
  20. [Lam79] L. Lamport. Constructing digital signatures from a one way function. Technical Report CSL-98, SRI International, 1979.
  21. [Mer82] R. C. Merkle. Secrecy, Authentication, and Public Key Systems, vol. 18 of Computer Science: Systems Programming. UMI Research Press, 1982.
  22. [Mer87] R. C. Merkle. A digital signature based on a conventional encryption function. In CRYPTO’87, LNCS 293, pages 369–378. Springer-Verlag, 1987.
  23. [Mer90] R. C. Merkle. A digital signature based on a conventional encryption function. In CRYPTO’89, LNCS 435, pages 428–446. Springer-Verlag, 1990.
  24. [MM82] C. H. Meyer and S. M. Matyas. Cryptography: A New Dimension in Computer Data Security. John Wiley and Sons, New York, 1982.
  25. [MMM02] T. Malkin, D. Micciancio, and S. Miner. Efficient generic forward-secure signatures with an unbounded number of time periods. In EUROCRYPT’2002, LNCS 2332, pages 400–417. Springer-Verlag, 2002.
  26. [MR02] S. Micali and R. L. Rivest. Transitive signature schemes. In CT-RSA’2002, LNCS 2271, pages 236–243. Springer-Verlag, 2002.
  27. [NY89] M. Naor and M. Yung. Universal one-way hash functions and their cryptographic applications. In STOC’89, pages 33–43. ACM, 1989.
  28. [Per01] A. Perrig. The BiBa one-time signature scheme and broadcast authentication protocol. In Proceedings of the 8th ACM Conference on Computer and Communications Security, pages 28–37. ACM, 2001.
  29. [Rab78] M. O. Rabin. Digitalized signatures. In R. A. DeMillo, D. P. Dobkin, A. K. Jones, and R. J. Lipton, editors, Foundations of Secure Computation, pages 155–168. Academic Press, 1978.
  30. [Roh99] P. Rohatgi. A compact and fast hybrid signature scheme for multicast packet authentication. In Proceedings of the 6th ACM Conference on Computer and Communications Security, pages 93–100. ACM, 1999.
  31. [RSA78] R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.
  32. [Sch90] C. Schnorr. Efficient identification and signatures for smart cards. In CRYPTO’89, LNCS 435, pages 239–252. Springer-Verlag, 1990.
  33. [Vau92] S. Vaudenay. One-time identification with low memory. In Eurocode 92, CISM Courses and Lectures, no. 339, pages 217–228. Springer-Verlag, 1992.
  34. [Yao82] A. Yao. Theory and applications of trapdoor functions. In FOCS’82, pages 80–91. IEEE, 1982.

Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • Alejandro Hevia (1)
  • Daniele Micciancio (1)
  1. Dept. of Computer Science & Engineering, University of California, La Jolla, USA