Autotomic Signatures

  • David Naccache
  • David Pointcheval
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6805)


Digital signature security is classically defined as an interaction between a signer Open image in new window, a verifier Open image in new window and an attacker \(\mathcal{A}\). \(\mathcal{A}\) submits adaptively to Open image in new window a sequence of messages m1,…,mq to which Open image in new window replies with the signatures U = {σ1,…,σq}. Given U, \(\mathcal{A}\) attempts to produce a forgery, i.e. a pair (m′,σ′) such that Open image in new window and \(\sigma'\not\in U\).

The traditional approach consists in hardening Open image in new window against a large query bound q. Interestingly, this is one specific way to prevent \(\mathcal{A}\) from winning the forgery game. This work explores an alternative option.

Rather than hardening Open image in new window, we weaken \(\mathcal{A}\) by preventing him from influencing Open image in new window’s input: upon receiving mi, Open image in new window will generate a fresh ephemeral signature key-pair Open image in new window, use Open image in new window to sign mi, erase Open image in new window, and output the signature and a certificate on Open image in new window computed using the long-term key Open image in new window. In other words, Open image in new window will only use his permanent secret Open image in new window to sign inputs which are beyond \(\mathcal{A}\)’s control (namely, freshly generated public-keys). As the Open image in new window are ephemeral, q = 1 by construction.

We show that this paradigm, called autotomic signatures, transforms weakly secure signature schemes (secure against generic attacks only) into strongly secure ones (secure against adaptively chosen-message attacks).

As a by-product of our analysis, we show that blending public key information with the signed message can significantly increase security.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Ateniese, G., Camenisch, J., Hohenberger, S., de Medeiros, B.: Practical group signatures without random oracles. Cryptology ePrint Archive, Report 2005/385 (2005),
  2. 2.
    Bellare, M., Rogaway, P.: The Exact Security of Digital Signatures - How to Sign with RSA and Rabin. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996)Google Scholar
  3. 3.
    Boldyreva, A., Fischlin, M., Palacio, A., Warinschi, B.: A Closer Look at PKI: Security and Efficiency. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 458–475. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  4. 4.
    Coron, J.-S.: On the Exact Security of Full Domain Hash. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 229–235. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  5. 5.
    Coron, J.-S.: Optimal Security Proofs for PSS and other Signature Schemes. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 272–287. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  6. 6.
    Coron, J.-S., Naccache, D.: Security Analysis of the Gennaro-Halevi-Rabin Signature Scheme. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 91–101. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  7. 7.
    Cramer, R., Shoup, V.: Signature schemes based on the strong RSA assumption. In: ACM CCS 1999, Conference on Computer and Communications Security, pp. 46–51. ACM Press (1999)Google Scholar
  8. 8.
    Fiat, A., Shamir, A.: How to Prove Yourself: Practical Solutions to Identification and Signature Problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987)Google Scholar
  9. 9.
    Gennaro, R., Halevi, S., Rabin, T.: Secure Hash-and-Sign Signatures without the Random Oracle. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 123–139. Springer, Heidelberg (1999)Google Scholar
  10. 10.
    Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing 17(2), 281–308 (1988)MathSciNetMATHCrossRefGoogle Scholar
  11. 11.
    Groth, J.: Fully Anonymous Group Signatures without Random Oracles. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 164–180. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  12. 12.
    Guillou, L.C., Quisquater, J.-J.: A “Paradoxical” Identity-Based Signature Scheme Resulting from Zero-Knowledge. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 216–231. Springer, Heidelberg (1990)Google Scholar
  13. 13.
    Joux, A.: Can we settle cryptography’s hash? Invited talk at the ACNS 2009 Conference (2009)Google Scholar
  14. 14.
    Katz, J., Wang, N.: Efficiency improvements for signature schemes with tight security reductions. In: Jajodia, S., Atluri, V., Jaeger, T. (eds.) ACM CCS 2003, Conference on Computer and Communications Security, pp. 155–164. ACM Press (2003)Google Scholar
  15. 15.
    Krawczyk, H., Rabin, T.: Chameleon signatures. In: ISOC Network and Distributed System Security Symposium – NDSS 2000. The Internet Society (February 2000)Google Scholar
  16. 16.
    Naor, M., Yung, M.: Universal one-way hash functions and their cryptographic applications. In: 21st Annual ACM Symposium on Theory of Computing, pp. 33–43. ACM Press (1989)Google Scholar
  17. 17.
    Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. Journal of Cryptology 13(3), 361–396 (2000)MATHCrossRefGoogle Scholar
  18. 18.
    Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signature and public-key cryptosystems. Communications of the Association for Computing Machinery 21(2), 120–126 (1978)MathSciNetMATHCrossRefGoogle Scholar
  19. 19.
    Rogaway, P., Shrimpton, T.: Cryptographic Hash-Function Basics: Definitions, Implications, and Separations for Preimage Resistance, Second-Preimage Resistance, and Collision Resistance. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 371–388. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  20. 20.
    Schnorr, C.-P.: Efficient Identification and Signatures for Smart Cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, Heidelberg (1990)Google Scholar
  21. 21.
    Stern, J., Pointcheval, D., Malone-Lee, J., Smart, N.P.: Flaws in Applying Proof Methodologies to Signature Schemes. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 93–110. Springer, Heidelberg (2002)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • David Naccache
    • 1
  • David Pointcheval
    • 1
  1. 1.Département d’informatique, Groupe de cryptographieÉcole normale supérieureParis Cedex 05France

Personalised recommendations