# On-Line/Off-Line Digital Signatures

## Abstract

We introduce and exemplify the new concept of ON-LINE/OFF-LINE digital signature schemes. In these schemes the signing of a message is broken into two phases. The first phase is *off-line*. Though it requires a moderate amount of compu- tation, it presents the advantage that it can be performed leisurely, before the message to be signed is even known. The second phase is *on-line*. It starts after the message becomes known, it utilizes the precomputation of the first phase and is much faster.

A general construction which transforms *any* (ordinary) digital signature scheme to an on-line/off-line signature scheme is presented, entailing a small overhead. For each message to be signed, the time required for the off-line phase is essentially the same as in the underlying signature scheme; the time required for the on-line phase is essentially negligible. The time required for the verification is essentially the same as in the underlying signature scheme.

In a practical implementation of our general construction, we use a variant of Rabin’s signature scheme (based on factoring) and DES. In the on-line phase, all we use is a moderate amount of DES computation. This implementation is ideally suited for electronic wallets or smart cards.

On-line/Off-line digital schemes may also become useful in case substantial pro- gress is made on, say, factoring. In this case, the length of the composite numbers used in signature schemes may need to be increased and signing may become imprac- tical even for the legitimate user. In our scheme, all costly computations are per- formed in the off-line stage while the time for the on-line stage remains essentially unchanged.

An additional advantage of our method is that in some cases the transformed signature scheme is invulnerable to chosen message attack even if the underlying (ordinary) digital signature scheme is not In particular, it allows us to prove that the existence of signature schemes which are unforgeable by *known* message attack is a (necessary and) sufficient condition for the existence of signature schemes which are unforgeable by *chosen* message attack.

## Keywords

Signature Scheme Message Space Digital Signature Scheme Probabilistic Polynomial Time Message Attack## References

- [BM88]Bellare, M., and Micali, S., “How to Sign Given Any Trapdoor Function”,
*STOC 88*., pp. 32–42.Google Scholar - [DES77]National Bureau of Standards, Federal Information Processing Standards, Publ. 46 (DES 1977).Google Scholar
- [E]Even, S., “Secure Off-Line Electronic Fund Transfer Between Nontrusting Parties”, to appear in the Proceedings of Smart Card 2000, a conference held in Laxenburg, Austria, Oct. 1987.Google Scholar
- [EGY83]Even, S., Goldreich, O., and Yacobi, Y., “Electronic Wallet”, Advances in Cryptology: Proc. of Crypto 83, D. Chaum (ed), Plenum Press, 1984, pp. 383–386.Google Scholar
- [G86]Goldreich, O., “Two Remarks Concerning the Goldwasser-Micali-Rivest Signature Scheme”,
*Advances in Cryptology-CRYPTO 86*, A.M. Odlyzko (ed), Springer-Verlag, 1987, pp. 104–110.Google Scholar - [GMR84]Goldwasser, S., Micali, S., and Rivest, R.L., “A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks”,
*SIAM J. on Computing*, April 1988, pp. 281–308.Google Scholar - [M]Merkle, R.C., “A Digital Signature Based on a Conventional Encryption Function”,
*Advances in Cryptology-CRYPTO’ 87*, Pomerance (ed), Lecture Notes in Computer Science, Vol. 293, Springer-Verlag, 1987, pp. 369–378.Google Scholar - [NY89]Naor, M., and Yung, M., “Universal One-Way Hash Functions and their Cryptographic Application”,
*21st STOC*, 1989, pp. 33–43.Google Scholar - [R78]Rabin, M.O., “Digital Signatures”, in
*Foundations of Secure Computation*, R.A. DeMillo, et. al. (eds). Academic Press, 1978, pp. 155–168.Google Scholar - [R79]Rabin, M.O., “Digitalized Signatures and Public-Key Functions as Intractable as Factorization”, Lab. for Computer Science, MIT, Report TR-212, January 1979.Google Scholar
- [RSA78]Rivest, R.L., Shamir, A., and Adleman, L., “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems”,
*Comm. ACM 21(2)*, 1978, pp. 120–126.zbMATHCrossRefMathSciNetGoogle Scholar - [W80]Williams, H. C, “A Modification of the RSA Public-Key Encryption Procedure”,
*IEEE Trans. Inform. Theory*IT-26(6), 1980, pp. 726–729.CrossRefGoogle Scholar