Threshold Signatures, Multisignatures and Blind Signatures Based on the Gap-Diffie-Hellman-Group Signature Scheme

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2567)


We propose a robust proactive threshold signature scheme, a multisignature scheme and a blind signature scheme which work in any Gap Diffie-Hellman (GDH) group (where the Computational Diffie-Hellman problem is hard but the Decisional Diffie-Hellman problem is easy). Our constructions are based on the recently proposed GDH signature scheme of Boneh et al. [8]. Due to the instrumental structure of GDH groups and of the base scheme, it turns out that most of our constructions are simpler, more efficient and have more useful properties than similar existing constructions. We support all the proposed schemes with proofs under the appropriate computational assumptions, using the corresponding notions of security.


Keywords: Signature Scheme; Secret Sharing; Blind Signature; Random Oracle Model; Blind Signature Scheme
These keywords were added by machine and not by the authors.


[1] M. Bellare and P. Rogaway, “Random oracles are practical: a paradigm for designing efficient protocols,” First ACM Conference on Computer and Communications Security, ACM, 1993.
[2] M. Bellare, C. Namprempre, D. Pointcheval and M. Semanko, “The One-More-RSA-Inversion Problems and the security of Chaum’s Blind Signature Scheme,” Financial Cryptography 01, Lecture Notes in Computer Science, 2001.
[3] M. Bellare, J. Garay and T. Rabin, “Fast batch verification for modular exponentiation and digital signatures,” Eurocrypt 98, 1998.
[4] E. Berlekamp and L. Welch, “Error correction of algebraic block codes,” US Patent 4,633,470.
[5] A. Boldyreva, “Threshold signatures, multisignatures and blind signatures based on the Gap-Diffie-Hellman-group signature scheme,” Full version of this paper. Available at
[6] D. Boneh and M. Franklin, “Identity-based encryption from the Weil Pairing,” Crypto 01, 2001.
[7] D. Boneh, C. Gentry, B. Lynn and H. Shacham, “Aggregate signatures from bilinear maps,” Manuscript.
[8] D. Boneh, B. Lynn and H. Shacham, “Short signatures from the Weil pairing,” Asiacrypt 01, 2001.
[9] C. Boyd, “Digital multisignatures,” Cryptography and Coding, 1986.
[10] J. Camenisch and M. Stadler, “Efficient group signatures for large groups,” Crypto 97, 1997.
[11] D. Chaum, “Blind signatures for untraceable payments,” Crypto 82, 1982.
[12] D. Chaum and E. van Heyst, “Group signatures,” Eurocrypt 91, 1991.
[13] R. Canetti and A. Herzberg, “Maintaining security in the presence of transient faults,” Crypto 94, 1994.
[14] Y. Desmedt, “Society and group oriented cryptography,” Crypto 87, 1987.
[15] Y. Desmedt, “Threshold cryptography,” European Transactions on Telecommunications, 5(4), 1994.
[16] Y. Desmedt and Y. Frankel, “Threshold cryptosystems,” Crypto 89, 1989.
[17] Y. Desmedt and Y. Frankel, “Shared generation of authenticators and signatures,” Crypto 91, 1991.
[18] P. Feldman, “A practical scheme for non-interactive verifiable secret sharing,” FOCS 87, 1987.
[19] Y. Frankel, P. Gemmell, P. MacKenzie and M. Yung, “Proactive RSA,” Crypto 97, 1997.
[20] S. Galbraith, J. Malone-Lee, N.P. Smart, “Public key signatures in the multi-user setting,” Information Processing Letters, Vol. 83, Issue 5, 2002.
[21] R. Gennaro, S. Jarecki, H. Krawczyk and T. Rabin, “Robust threshold DSS signatures,” Eurocrypt 96, 1996.
[22] R. Gennaro, S. Jarecki, H. Krawczyk and T. Rabin, “Secure distributed key generation for discrete-log based cryptosystems,” Eurocrypt 99, 1999.
[23] S. Goldwasser, S. Micali and R. Rivest, “A digital signature secure against adaptive chosen-message attacks,” SIAM Journal on Computing, 17(2):281–308, 1988.
[24] L. Harn, “Group-oriented (t,n) threshold digital signature scheme and digital multisignature,” IEE Proc. Computers and Digital Techniques, 141(5), 1994.
[25] A. Herzberg, M. Jakobsson, S. Jarecki, H. Krawczyk and M. Yung, “Proactive public key and signature systems,” ACM Conference on Computers and Communication Security, 1997. 22:612–613, (1979).
[26] A. Herzberg, S. Jarecki, H. Krawczyk and M. Yung, “Proactive secret sharing, or: How to cope with perpetual leakage,” Crypto 95, 1995.
[27] P. Horster, M. Michels and H. Petersen, “Meta-multisignatures schemes based on the discrete logarithm problem,” IFIP/Sec 1995.
[28] K. Itakura and K. Nakamura, “A public key cryptosystem suitable for digital multisignatures,” NEC Research & Development, 71:1–8, 1983.
[29] A. Joux, “A one-round protocol for tripartite Diffie-Hellman,” ANTS-IV conference, vol. 1838.
[30] A. Joux and K. Nguyen, “Separating Decision Diffie-Hellman from Diffie-Hellman in cryptographic groups,” e-print archive, report #2001/03.
[31] C. Li, T. Hwang and N. Lee, “Threshold-multisignature schemes where suspected forgery implies traceability of adversarial shareholders,” Eurocrypt 94, 1994.
[32] A. Lysyanskaya, “Unique signatures and verifiable random functions from the DH-DDH separation,” Crypto 02, 2002.
[33] S. Micali, K. Ohta and L. Reyzin, “Accountable-subgroup multisignatures,” ACM Conference on Computer and Communications Security, 2001.
[34] T. Okamoto, “A digital multisignature schema using bijective public-key cryptosystems,” ACM Transactions on Computer Systems, 6(4):432–441, 1988.
[35] K. Ohta and T. Okamoto, “A digital multisignature scheme based on the Fiat-Shamir scheme,” Asiacrypt 91, 1991.
[36] K. Ohta and T. Okamoto, “Multi-signature scheme secure against active insider attacks,” IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences, E82-A(1):21–31, 1999.
[37] R. Ostrovsky and M. Yung, “How to withstand mobile virus attacks,” PODC, 1991.
[38] T. Pedersen, “Non-interactive and information-theoretic secure verifiable secret sharing,” Eurocrypt 91, 1991.
[39] D. Pointcheval and J. Stern, “Provably secure blind signature schemes,” Asiacrypt 96, 1996.
[40] D. Pointcheval and J. Stern, “Security arguments for digital signatures and blind signatures,” Journal of Cryptology, 13(3):361–396, 2000.
[41] T. Rabin, “A simplified approach to threshold and proactive RSA,” Crypto 98, 1998.
[42] R. Rivest, A. Shamir and Y. Tauman, “How to leak a secret,” Asiacrypt 01, 2001.
[43] A. Shamir, “How to share a secret,” Communications of the ACM, 22:612–613, (1979).
[44] V. Shoup, “Practical threshold signatures,” Eurocrypt 00, 2000.

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  1. Dept. of Computer Science & Engineering, University of California at San Diego, La Jolla, USA
