Waters Signatures with Optimal Security Reduction

  • Dennis Hofheinz
  • Tibor Jager
  • Edward Knapp
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7293)


Waters signatures (Eurocrypt 2005) can be shown existentially unforgeable under chosen-message attacks under the assumption that the computational Diffie-Hellman problem in the underlying (pairing-friendly) group is hard. The corresponding security proof has a reduction loss of O(ℓ·q), where ℓ is the bitlength of messages, and q is the number of adversarial signature queries. The original reduction could meanwhile be improved to \(O(\sqrt{\ell}\cdot q)\) (Hofheinz and Kiltz, Crypto 2008); however, it is currently unknown whether a better reduction exists. We answer this question as follows:

  1. (a)

    We give a simple modification of Waters signatures, where messages are encoded such that each two encoded messages have a suitably large Hamming distance. Somewhat surprisingly, this simple modification suffices to prove security under the CDH assumption with a reduction loss of O(q).

  2. 1

    We also show that any black-box security proof for a signature scheme with re-randomizable signatures must have a reduction loss of at least Ω(q), or the underlying hardness assumption is false. Since both Waters signatures and our variant from (a) are re-randomizable, this proves our reduction from (a) optimal up to a constant factor.


Understanding and optimizing the security loss of a cryptosystem is important to derive concrete parameters, such as the size of the underlying group. We provide a complete picture for Waters-like signatures: there is an inherent lower bound for the security loss, and we show how to achieve it.


Digital signatures Waters signatures provable security black-box reductions 


  1. 1.
    Attrapadung, N., Furukawa, J., Gomi, T., Hanaoka, G., Imai, H., Zhang, R.: Efficient Identity-Based Encryption with Tight Security Reduction. In: Pointcheval, D., Mu, Y., Chen, K. (eds.) CANS 2006. LNCS, vol. 4301, pp. 19–36. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  2. 2.
    Bellare, M., Ristenpart, T.: Simulation without the Artificial Abort: Simplified Proof and Improved Concrete Security for Waters’ IBE Scheme. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 407–424. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  3. 3.
    Bernstein, D.J.: Proving Tight Security for Rabin-Williams Signatures. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 70–87. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  4. 4.
    Camenisch, J.L., Lysyanskaya, A.: Signature Schemes and Anonymous Credentials from Bilinear Maps. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 56–72. Springer, Heidelberg (2004)Google Scholar
  5. 5.
    Chevallier-Mames, B., Joye, M.: A Practical and Tightly Secure Signature Scheme Without Hash Function. In: Abe, M. (ed.) CT-RSA 2007. LNCS, vol. 4377, pp. 339–356. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  6. 6.
    Coron, J.-S.: On the Exact Security of Full Domain Hash. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 229–235. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  7. 7.
    Coron, J.-S.: Optimal Security Proofs for PSS and Other Signature Schemes. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 272–287. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  8. 8.
    Feller, W.: An Introduction to Probability Theory and Its Applications, 3rd edn., vol. 1. Wiley (1968)Google Scholar
  9. 9.
    Gennaro, R., Halevi, S., Rabin, T.: Secure Hash-and-Sign Signatures without the Random Oracle. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 123–139. Springer, Heidelberg (1999)Google Scholar
  10. 10.
    Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing 17(2), 281–308 (1988)MathSciNetzbMATHCrossRefGoogle Scholar
  11. 11.
    Guo, F., Mu, Y., Susilo, W.: How to Prove Security of a Signature with a Tighter Security Reduction. In: Pieprzyk, J., Zhang, F. (eds.) ProvSec 2009. LNCS, vol. 5848, pp. 90–103. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  12. 12.
    Guo, F., Mu, Y., Susilo, W.: Personal communication (November 2011)Google Scholar
  13. 13.
    Hofheinz, D., Kiltz, E.: Programmable Hash Functions and Their Applications. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 21–38. Springer, Heidelberg (2008)Google Scholar
  14. 14.
    Hofheinz, D., Kiltz, E.: Programmable hash functions and their applications. Journal of Cryptology 25(3), 484–527 (2012), CrossRefGoogle Scholar
  15. 15.
    Hughes, B.D.: Random Walks and Random Environments. Random Walks, vol. 1. Oxford University Press (1995)Google Scholar
  16. 16.
    Joye, M.: An Efficient On-Line/Off-Line Signature Scheme without Random Oracles. In: Franklin, M.K., Hui, L.C.K., Wong, D.S. (eds.) CANS 2008. LNCS, vol. 5339, pp. 98–107. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  17. 17.
    Kakvi, S.A., Kiltz, E.: Optimal Security Proofs for Full Domain Hash, Revisited. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 537–553. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  18. 18.
    Katz, J., Wang, N.: Efficiency improvements for signature schemes with tight security reductions. In: Jajodia, S., Atluri, V., Jaeger, T. (eds.) ACM CCS 2003: 10th Conference on Computer and Communications Security, October 27-30, pp. 155–164. ACM Press, Washington, D.C. (2003)CrossRefGoogle Scholar
  19. 19.
    Lysyanskaya, A., Rivest, R.L., Sahai, A., Wolf, S.: Pseudonym Systems (Extended Abstract). In: Heys, H.M., Adams, C.M. (eds.) SAC 1999. LNCS, vol. 1758, pp. 184–199. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  20. 20.
    Schäge, S.: Tight Proofs for Signature Schemes without Random Oracles. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 189–206. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  21. 21.
    Sipser, M., Spielman, D.A.: Expander codes. IEEE Transactions on Information Theory 42(6), 1710–1722 (1996)MathSciNetzbMATHCrossRefGoogle Scholar
  22. 22.
    Waters, B.: Efficient Identity-Based Encryption Without Random Oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  23. 23.
    Zémor, G.: On expander codes. IEEE Transactions on Information Theory 47(2), 835–837 (2001)zbMATHCrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2012

Authors and Affiliations

  • Dennis Hofheinz
    • 1
  • Tibor Jager
    • 1
  • Edward Knapp
    • 2
  1. 1.Institut für Kryptographie und SicherheitKarlsruhe Institute of TechnologyGermany
  2. 2.Department of Combinatorics and OptimizationUniversity of WaterlooCanada

Personalised recommendations