1-out-of-n Signatures from a Variety of Keys

  • Masayuki Abe
  • Miyako Ohkubo
  • Koutarou Suzuki
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2501)


This paper addresses how to use public-keys of several different signature schemes to generate 1-out-of-n signatures. Previously known constructions are for either RSA-keys only or DL-type keys only. We present a widely applicable method to construct a 1-out-of-n signature scheme that allows mixture use of different flavors of keys at the same time. The resulting scheme is more efficient than previous schemes even if it is used only with a single type of keys. With all DL-type keys, it yields shorter signatures than the ones of the previously known scheme based on the witness indistinguishable proofs by Cramer, et al. With all RSA-type keys, it reduces both computational and storage costs compared to that of the Ring signatures by Rivest, et al.


Hash Function Signature Scheme Random Oracle Random Oracle Model Signing Oracle 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    M. Abe and F. Hoshino. Remarks on mix-network based on permutation network. PKC 2001, LNCS 1992, pp. 317–324. Springer-Verlag, 2001.Google Scholar
  2. 2.
    D. Boneh, B. Lynn, and H. Shacham. Short signatures from the weil pairing. Asiacrypt 2001, LNCS 2248, pp. 514–532. Springer-Verlag, 2001.CrossRefGoogle Scholar
  3. 3.
    M. Bellare, and P. Rogaway. Random Oracles are practical: a paradigm for designing efficient protocols. 1st ACM CCCS, pp. 62–73. ACM, 1993.Google Scholar
  4. 4.
    E. Bresson, J. Stern, and M. Szydlo. Threshold ring signatures and applications to ad-hoc groups. CRYPTO 2002, LNCS 2442, pp. 465–480. Springer-Verlag, 2002.Google Scholar
  5. 5.
    J. Camenisch. Efficient and generalized group signatures. EUROCRYPT’ 97, LNCS 1233, pp. 465–479. Springer-Verlag, 1997.Google Scholar
  6. 6.
    J. Camenisch and M. Michels. Proving in zero-knowledge that a number is the product of two safe primes. EUROCRYPT’ 99, LNCS 1592, pp. 107–122. Springer-Verlag, 1999.Google Scholar
  7. 7.
    C. Chan, Y. Frankel, and Y. Tsiounis. Easy come-easy go divisible cash. EURO-CRYPT’ 98, LNCS 1403, pp. 561–575. Springer-Verlag, 1998.CrossRefGoogle Scholar
  8. 8.
    D. Chaum and E. Van Heyst. Group signatures. EUROCRYPTr’91, LNCS 547, pp. 257–265. Springer-Verlag, 1991.Google Scholar
  9. 9.
    R. Cramer, I. Damgℴard, and B. Schoenmakers. Proofs of partial knowledge and simplified design of witness hiding protocols. CRYPTO’ 94, LNCS 839, pp. 174–187. Springer-Verlag, 1994.Google Scholar
  10. 10.
    R. Cramer, M. Franklin, B. Schoenmakers, and M. Yung. Multi-authority secret-ballot elections with linear work. EUROCRYPT’ 96, LNCS 1070, pp. 72–83. Springer-Verlag, 1996.Google Scholar
  11. 11.
    R. Cramer, R. Gennaro, and B. Schoenmakers. A secure and optimally efficient multi-authority election scheme. EUROCRYPT’ 97, LNCS 1233, pp. 103–118. Springer-Verlag, 1997.Google Scholar
  12. 12.
    U. Feige, A. Fiat, and A. Shamir. Zero-knowledge proofs of identity. J. Cryptology, 1:77–94, 1988.zbMATHCrossRefMathSciNetGoogle Scholar
  13. 13.
    U. Feige and A. Shamir. Witness indistinguishable and witness hiding protocols. STOC’90, pp. 416–426, 1990.Google Scholar
  14. 14.
    A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. CRYPTO’ 86, LNCS 263, pp. 186–199. Springer-Verlag, 1987.Google Scholar
  15. 15.
    S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Computing, 17(2):281–308, April 1988.Google Scholar
  16. 16.
    L. C. Guillou and J.-J. Quisquater. A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory. EUROCRYPT’ 88, LNCS 330 of Lecture Notes in Computer Science, pp. 123–128. Springer-Verlag, 1988.Google Scholar
  17. 17.
    M. Jakobsson, K. Sako, and R. Impagliazzo. Designated verifier proofs and their applications. EUROCRYPT’ 96, LNCS 1070, pp. 143–154. Springer-Verlag, 1996.Google Scholar
  18. 18.
    M.Naor. Deniable ring authentication. CRYPTO 2002, LNCS 2442, pp. 481–498. Springer-Verlag, 2002.Google Scholar
  19. 19.
    K. Ohta and T. Okamoto. On concrete security treatment of signatures derived from identification. CRYPTO’ 98, LNCS 1462, pp. 354–369. Springer-Verlag, 1998.Google Scholar
  20. 20.
    D. Pointcheval and J. Stern. Security arguments for digital signatures and blind signatures. J. Cryptology, 2000.Google Scholar
  21. 21.
    R. Rivest, A. Shamir, and Y. Tauman. How to leak a secret. Asiacrypt 2001, LNCS 2248, pp. 552–565. Springer-Verlag, 2001.CrossRefGoogle Scholar
  22. 22.
    A. De Santis, G. Di Crescenzo, G. Persiano, and M. Yung. On monotone formula closure of SZK. FOCS’94, pp. 454–465, 1994.Google Scholar
  23. 23.
    C. P. Schnorr. Efficient signature generation for smart cards. J. Cryptology, 4(3):239–252, 1991.CrossRefMathSciNetGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • Masayuki Abe
    • 1
  • Miyako Ohkubo
    • 2
  • Koutarou Suzuki
    • 1
  1. 1.NTT LaboratoriesKanagawa-kenJapan
  2. 2.Chuo UniversityTokyoJapan

Personalised recommendations