A Signature Scheme as Secure as the Diffie-Hellman Problem

  • Eu-Jin Goh
  • Stanisław Jarecki
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2656)


We show a signature scheme whose security is tightly related to the Computational Diffie-Hellman (CDH) assumption in the Random Oracle Model. Existing discrete-log based signature schemes, such as ElGamal, DSS, and Schnorr signatures, either require non-standard assumptions, or their security is only loosely related to the discrete logarithm (DL) assumption using Pointcheval and Stern’s “forking” lemma. Since the hardness of the CDH problem is widely believed to be closely related to the hardness of the DL problem, the signature scheme presented here offers better security guarantees than existing discrete-log based signature schemes. Furthermore, the new scheme has comparable efficiency to existing schemes.

The signature scheme was previously proposed in the cryptographic literature on at least two occasions. However, no security analysis was done, probably because the scheme was viewed as a slight modification of Schnorr signatures. In particular, the scheme’s tight security reduction to CDH has remained unnoticed until now. Interestingly, this discrete-log based signature scheme is similar to the trapdoor permutation based PSS signatures proposed by Bellare and Rogaway, and has a tight reduction for a similar reason.
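The construction itself is not reproduced on this page. What follows is an added worked example by the editor, not code from the paper or its authors, implementing the scheme as the full paper describes it: a signature on a message is a Chaum-Pedersen proof [CP92] that Z = x·H(m, r), where Y = x·G is the public key and H hashes into the group. The paper is stated for a generic group of prime order with random-oracle hashes H and H'; the instantiation over secp256k1, the 16-byte salt, the try-and-increment hash-to-group, and the SHA-256-based hash functions are this example's own assumptions. The rejected tampered signatures at the end illustrate the mechanism behind the tight reduction: a forger cannot substitute a Z that is not x·H without the Chaum-Pedersen check failing, so any valid forgery hands over the CDH value Z = x·H(m, r) directly.

```python
# Added example (editor's code, not from the paper): the Goh-Jarecki signature
# over secp256k1. A signature on msg is a Chaum-Pedersen proof that
# Z = x*H(msg, r), where Y = x*G is the public key and H hashes into the group.
import hashlib
import secrets

# secp256k1 domain parameters (assumption: the paper uses a generic prime-order group).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity


def on_curve(pt):
    return pt is INF or (pt[1] ** 2 - pt[0] ** 3 - 7) % P == 0


def point_neg(pt):
    return INF if pt is INF else (pt[0], (-pt[1]) % P)


def point_add(p1, p2):
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF  # p1 == -p2
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P  # doubling (a = 0 on secp256k1)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def point_mul(k, pt):
    """Double-and-add scalar multiplication; the group has prime order N."""
    result, addend, k = INF, pt, k % N
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def encode(pt):
    return b"\x00" * 64 if pt is INF else pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def hash_to_group(msg, r):
    """H: {0,1}* -> group, by try-and-increment on the x coordinate. P = 3 mod 4,
    so a square root of x^3 + 7 is one exponentiation; cofactor 1 means every
    curve point already lies in the prime-order group."""
    for ctr in range(256):
        digest = hashlib.sha256(b"H|" + bytes([ctr]) + r + msg).digest()
        x = int.from_bytes(digest, "big") % P
        rhs = (x ** 3 + 7) % P
        y = pow(rhs, (P + 1) // 4, P)
        if y * y % P == rhs:
            return (x, y)
    raise ValueError("no curve point found")  # probability about 2^-256


def hash_to_scalar(*points):
    """H': the Chaum-Pedersen challenge over the transcript (G, H, Y, Z, U, V)."""
    return int.from_bytes(hashlib.sha256(b"H'|" + b"".join(map(encode, points))).digest(), "big") % N


def keygen():
    x = 1 + secrets.randbelow(N - 1)
    return x, point_mul(x, G)


def sign(x, Y, msg):
    r = secrets.token_bytes(16)      # the paper's random salt r (length is an assumption)
    H = hash_to_group(msg, r)
    Z = point_mul(x, H)               # the value a forger must produce: CDH of Y and H
    k = 1 + secrets.randbelow(N - 1)
    U, V = point_mul(k, G), point_mul(k, H)
    c = hash_to_scalar(G, H, Y, Z, U, V)
    s = (k + c * x) % N
    return (Z, r, s, c)


def verify(Y, msg, sig):
    Z, r, s, c = sig
    if Z is INF or not on_curve(Z) or not (0 <= s < N and 0 <= c < N):
        return False
    H = hash_to_group(msg, r)
    U = point_add(point_mul(s, G), point_neg(point_mul(c, Y)))  # s*G - c*Y == k*G
    V = point_add(point_mul(s, H), point_neg(point_mul(c, Z)))  # s*H - c*Z == k*H iff Z = x*H
    return hash_to_scalar(G, H, Y, Z, U, V) == c


if __name__ == "__main__":
    x, Y = keygen()
    msg = b"constructed sample message"
    sig = sign(x, Y, msg)
    print("valid:", verify(Y, msg, sig))
    Z, r, s, c = sig
    print("tampered Z accepted:", verify(Y, msg, (point_add(Z, G), r, s, c)))
```

The Schnorr part of the signature (U, s, c) is what a simulator can already produce without the secret key by programming H'; the extra component Z is what makes the reduction tight. In Schnorr the reduction must fork the adversary to extract x, losing a factor proportional to the number of hash queries, whereas here the verification equation certifies the DH value Z itself, which a CDH solver uses without rewinding. The signature is correspondingly longer than Schnorr's by one group element and the salt, and signing costs one extra exponentiation.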


Keywords: Signature Schemes; Computational Diffie-Hellman; Discrete Logarithm; Exact Security; Tight Reductions; Random Oracle Model


References

  1. [BGMW92]
    Ernest Brickell, Daniel Gordon, Kevin McCurley, and David Wilson. Fast exponentiation with precomputation. In R.A. Rueppel, editor, Proceedings of Eurocrypt 1992, volume 658 of LNCS, pages 200–207. Springer-Verlag, May 1992.
  2. [BGR98]
    Mihir Bellare, Juan Garay, and Tal Rabin. Fast batch verification for modular exponentiation and digital signatures. In K. Nyberg, editor, Proceedings of Eurocrypt 1998, volume 1403 of LNCS, pages 236–250. Springer-Verlag, May 1998.
  3. [BL96]
    Dan Boneh and Richard Lipton. Algorithms for black-box fields and their application to cryptography. In Neal Koblitz, editor, Proceedings of Crypto 1996, volume 1109 of LNCS, pages 283–297. Springer-Verlag, May 1996.
  4. [BLS01]
    Dan Boneh, Ben Lynn, and Hovav Shacham. Short signatures from the Weil pairing. In C. Boyd, editor, Proceedings of Asiacrypt 2001, volume 2248 of LNCS, pages 514–532. Springer-Verlag, December 2001.
  5. [BPVY00]
    Ernest Brickell, David Pointcheval, Serge Vaudenay, and Moti Yung. Design validations for discrete logarithm based signature schemes. In Hideki Imai and Yuliang Zheng, editors, Proceedings of PKC 2000, volume 1751 of LNCS, pages 276–292. Springer-Verlag, January 2000.
  6. [BR93]
    Mihir Bellare and Phillip Rogaway. Random oracles are practical: a paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security, pages 62–73. ACM Press, 1993.
  7. [BR96]
    Mihir Bellare and Phillip Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In Ueli Maurer, editor, Proceedings of Eurocrypt 1996, volume 1070 of LNCS, pages 399–416. Springer-Verlag, May 1996.
  8. [CEvdG87]
    David Chaum, Jan-Hendrik Evertse, and Jeroen van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In David Chaum and Wyn Price, editors, Proceedings of Eurocrypt 1987, volume 304 of LNCS, pages 127–142. Springer-Verlag, May 1987.
  9. [CGH98]
    Ran Canetti, Oded Goldreich, and Shai Halevi. The random oracle methodology, revisited. In Proceedings of the 30th Annual ACM Symposium on Theory of Computing, pages 209–218. ACM Press, 1998.
  10. [CP92]
    David Chaum and Torben Pryds Pedersen. Wallet databases with observers. In Ernest Brickell, editor, Proceedings of Crypto 1992, volume 740 of LNCS, pages 89–105. Springer-Verlag, August 1992.
  11. [CS97]
    Jan Camenisch and Markus Stadler. Proof systems for general statements about discrete logarithms. Technical Report 260, Institute for Theoretical Computer Science, ETH Zurich, March 1997.
  12. [CS00]
    Ronald Cramer and Victor Shoup. Signature schemes based on the strong RSA assumption. ACM Transactions on Information and System Security, 3(3):161–185, 2000.
  13. [DH76]
    Whitfield Diffie and Martin Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22(6):644–654, November 1976.
  14. [ElG85]
    Taher ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31(4):469–472, July 1985.
  15. [FS86]
    Amos Fiat and Adi Shamir. How to prove yourself: Practical solutions to identification and signature problems. In Andrew Odlyzko, editor, Proceedings of Crypto 1986, volume 263 of LNCS, pages 186–194. Springer-Verlag, August 1986.
  16. [GHR99]
    Rosario Gennaro, Shai Halevi, and Tal Rabin. Secure hash-and-sign signatures without the random oracle. In Jacques Stern, editor, Proceedings of Eurocrypt 1999, volume 1592 of LNCS, pages 123–139. Springer-Verlag, May 1999.
  17. [GMR88]
    Shafi Goldwasser, Silvio Micali, and Ronald Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281–308, 1988.
  18. [JS99]
    Markus Jakobsson and Claus-Peter Schnorr. Efficient oblivious proofs of correct exponentiation. In Bart Preneel, editor, Proceedings of the IFIP Conference on Communications and Multimedia Security 1999, volume 152, pages 71–86. Kluwer, September 1999.
  19. [LV01]
    Arjen Lenstra and Eric Verheul. Selecting cryptographic key sizes. Journal of Cryptology, 14(4):255–293, 2001.
  20. [MR02]
    Silvio Micali and Leonid Reyzin. Improving the exact security of digital signature schemes. Journal of Cryptology, 15(1):1–18, 2002.
  21. [MW99]
    Ueli Maurer and Stefan Wolf. The relationship between breaking the Diffie-Hellman protocol and computing discrete logarithms. SIAM Journal on Computing, 28(5):1689–1721, 1999.
  22. [NIS94]
    NIST. Digital Signature Standard (DSS). Publication 186, Federal Information Processing Standards, November 1994.
  23. [NY89]
    Moni Naor and Moti Yung. Universal one-way hash functions and their cryptographic applications. In Proceedings of the 21st Annual ACM Symposium on Theory of Computing, pages 33–43. ACM Press, 1989.
  24. [OO98]
    Kazuo Ohta and Tatsuaki Okamoto. On concrete security treatment of signatures derived from identification. In Hugo Krawczyk, editor, Proceedings of Crypto 1998, volume 1462 of LNCS, pages 354–369. Springer-Verlag, August 1998.
  25. [OP01]
    Tatsuaki Okamoto and David Pointcheval. The Gap-Problems: A new class of problems for the security of cryptographic schemes. In Kwangjo Kim, editor, Proceedings of PKC 2001, volume 1992 of LNCS, pages 104–118. Springer-Verlag, February 2001.
  26. [PS96]
    David Pointcheval and Jacques Stern. Security proofs for signature schemes. In Ueli Maurer, editor, Proceedings of Eurocrypt 1996, volume 1070 of LNCS, pages 387–398. Springer-Verlag, May 1996.
  27. [Rom90]
    John Rompel. One-way functions are necessary and sufficient for secure signatures. In Proceedings of the 22nd Annual ACM Symposium on Theory of Computing, pages 387–394. ACM Press, 1990.
  28. [Sch89]
    Claus-Peter Schnorr. Efficient identification and signatures for smart cards. In G. Brassard, editor, Proceedings of Crypto 1989, volume 435 of LNCS, pages 239–252. Springer-Verlag, August 1989.
  29. [SG98]
    Victor Shoup and Rosario Gennaro. Securing threshold cryptosystems against chosen ciphertext attack. In Kaisa Nyberg, editor, Proceedings of Eurocrypt 1998, volume 1403 of LNCS, pages 1–16. Springer-Verlag, May 1998.
  30. [Sho97]
    Victor Shoup. Lower bounds for discrete logarithms and related problems. In Walter Fumy, editor, Proceedings of Eurocrypt 1997, volume 1233 of LNCS, pages 256–266. Springer-Verlag, May 1997.
  31. [ST01]
    Adi Shamir and Yael Tauman. Improved online/offline signature schemes. In Joe Kilian, editor, Proceedings of Crypto 2001, volume 2139 of LNCS, pages 355–367. Springer-Verlag, August 2001.

Copyright information

© International Association for Cryptologic Research 2003

Authors and Affiliations

  • Eu-Jin Goh, Computer Science Department, Stanford University, Stanford
  • Stanisław Jarecki, Computer Science Department, Stanford University, Stanford