A Signature Scheme with Efficient Protocols

  • Jan Camenisch
  • Anna Lysyanskaya
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2576)

Abstract

Digital signature schemes are a fundamental cryptographic primitive, of use both in their own right and as a building block in cryptographic protocol design. In this paper, we propose a practical and provably secure signature scheme and show protocols (1) for issuing a signature on a committed value (so the signer has no information about the signed value), and (2) for proving knowledge of a signature on a committed value. This signature scheme and corresponding protocols are a building block for the design of anonymity-enhancing cryptographic systems, such as electronic cash, group signatures, and anonymous credential systems. The security of our signature scheme and protocols relies on the Strong RSA assumption. These results are a generalization of the anonymous credential system of Camenisch and Lysyanskaya.
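The following is an added toy example, not code from the paper or its authors. It implements the Strong-RSA signature structure the abstract refers to (public key (n, a, b, c), signature (e, s, v) with v^e = a^m b^s c mod n, e a prime longer than the message) and the "signature on a committed value" idea: the holder sends only a commitment C = a^m b^r, the signer roots C b^s' c without ever seeing m, and the holder turns the result into an ordinary signature on m by adding r to s'. The zero-knowledge proofs of knowledge that the paper's protocols attach to these steps are omitted, the primes and length parameters are constructed toy values with no security, and all identifiers are this example's own.

```python
import random
from math import gcd

# Constructed toy safe primes p = 2p'+1 and q = 2q'+1; real deployments use
# primes of ~1024 bits, these exist only so the example runs.
P_PRIME, Q_PRIME = 509, 593
P, Q = 2 * P_PRIME + 1, 2 * Q_PRIME + 1      # 1019 and 1187, both prime
N = P * Q
QR_ORDER = P_PRIME * Q_PRIME                 # order of QR_n, known to the signer only

# Toy length parameters: the prime e must exceed 2^(L_M + 1) for the message space.
L_M = 6                                      # messages are integers in [0, 2^L_M)
E_LO, E_HI = 2 ** (L_M + 1), 2 ** (L_M + 2)  # e is a prime in [128, 256)
L_S = 16                                     # randomiser s is drawn from [0, 2^L_S)


def is_prime(x):
    if x < 2:
        return False
    i = 2
    while i * i <= x:
        if x % i == 0:
            return False
        i += 1
    return True


def modinv(x, m):
    # Extended Euclid; x must be coprime to m.
    a, b, u, v = x % m, m, 1, 0
    while b:
        q = a // b
        a, b, u, v = b, a - q * b, v, u - q * v
    if a != 1:
        raise ValueError("not invertible")
    return u % m


def keygen(seed):
    rng = random.Random(seed)

    def qr_element():
        # A random square of a unit is a quadratic residue mod N.
        while True:
            g = rng.randrange(2, N - 1)
            if gcd(g, N) == 1:
                return pow(g, 2, N)

    pk = {"n": N, "a": qr_element(), "b": qr_element(), "c": qr_element()}
    sk = {"qr_order": QR_ORDER}
    return pk, sk


def random_prime_e(rng):
    while True:
        e = rng.randrange(E_LO, E_HI)
        if is_prime(e):
            return e


def _root(pk, sk, base, e):
    # e-th root in QR_n using the secret group order: (base^d)^e = base
    # because d*e = 1 mod |QR_n| and base is a quadratic residue.
    return pow(base, modinv(e, sk["qr_order"]), pk["n"])


def sign(pk, sk, m, seed):
    # Plain signature on a message the signer sees.
    rng = random.Random(seed)
    e = random_prime_e(rng)
    s = rng.randrange(2 ** L_S)
    n, a, b, c = pk["n"], pk["a"], pk["b"], pk["c"]
    base = (pow(a, m, n) * pow(b, s, n) * c) % n
    return (e, s, _root(pk, sk, base, e))


def verify(pk, m, sig):
    e, s, v = sig
    n, a, b, c = pk["n"], pk["a"], pk["b"], pk["c"]
    if not (0 <= m < 2 ** L_M and E_LO <= e < E_HI and is_prime(e)):
        return False
    return pow(v, e, n) == (pow(a, m, n) * pow(b, s, n) * c) % n


def commit(pk, m, r):
    # Commitment to m with randomness r; reveals nothing about m to the signer.
    return (pow(pk["a"], m, pk["n"]) * pow(pk["b"], r, pk["n"])) % pk["n"]


def sign_commitment(pk, sk, C, seed):
    # Signer sees only C: it roots C * b^s' * c and returns (e, s', v).
    rng = random.Random(seed)
    e = random_prime_e(rng)
    s_prime = rng.randrange(2 ** L_S)
    base = (C * pow(pk["b"], s_prime, pk["n"]) * pk["c"]) % pk["n"]
    return (e, s_prime, _root(pk, sk, base, e))


def open_signature(blind_sig, r):
    # Holder folds its commitment randomness in: v^e = a^m b^(s'+r) c mod n.
    e, s_prime, v = blind_sig
    return (e, s_prime + r, v)


def demo():
    pk, sk = keygen(seed=7)
    m, r = 42, 12345                          # constructed message and randomness
    direct = sign(pk, sk, m, seed=11)
    blind = sign_commitment(pk, sk, commit(pk, m, r), seed=13)
    return {
        "direct_ok": verify(pk, m, direct),
        "direct_wrong_m": verify(pk, m + 1, direct),
        "blind_ok": verify(pk, m, open_signature(blind, r)),
        "blind_unopened": verify(pk, m, blind),
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from `demo()` is that the signature produced from the commitment verifies on m only after the holder adds r, so the signer issued a valid signature on a value it never saw; in the paper this is combined with a proof of knowledge of the commitment opening so the signer can also enforce that m lies in the allowed range.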

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Jan Camenisch, IBM Research, Zurich Research Laboratory, Rüschlikon
  • Anna Lysyanskaya, Computer Science Department, Brown University, Providence, USA