Abstract
We consider a problem which was stated in a request for comments made by NIST in the FIPS97 document. The question is the following: Can we have a digital signature public key infrastructure where the public (signature verification) keys cannot be abused for performing encryption? This may be applicable in the context of, say, exportable/escrow cryptography. The basic dilemma is that on the one hand, (1) to avoid framing by potentially misbehaving authorities we do not want them to ever learn the “signing keys” (e.g., Japan at some point declared a policy where signature keys may be required to be escrowed), and on the other hand (2) if we allow separate inaccessible public signature verification keys, these keys (based on trapdoor functions) can be used as “shadow public-keys,” and hence can be used to encrypt data in an unrecoverable manner. Any solution within the “trapdoor function” paradigm of Diffie and Hellman does not seem to lead to a solution which will simultaneously satisfy (1) and (2).
The cryptographic community has so far paid very limited attention to this problem. In this work, we present the basic issues and suggest a possible methodology and the first scheme that may be used to solve much of the problem. Our solution takes the following steps: (1) it develops the notion of a nested trapdoor, on which our methodology is based; (2) we implement this notion based on a novel composite “double-decker” exponentiation technique which embeds the RSA problem within it (the technique may be of independent interest); (3) we analyze carefully what can and what cannot be achieved regarding the open problem posed by NIST (our analysis is balanced and points out possibilities as well as impossibilities); and (4) we give a secure signature scheme within a public key infrastructure, wherein the published public key can be used for signature verification only (if it is used for encryption, then the authorities can decrypt the data). The security of our scheme is based on RSA. We then argue why the scheme’s key cannot be abused (statically), based on an additional assumption. We also show that further leakages and subliminal leakages when the scheme is in (dynamic) use do not add substantially beyond what is always possible for a simple adversary; we call this notion competitive leakage. We also demonstrate such a simple leaking adversary.
We hope that our initial work will stimulate further thoughts on the non-trivial issue of signature-only signatures.
References
R. Anderson. The GCHQ Protocol and Its Problems. In Advances in Cryptology-Eurocrypt’97, pages 134–148, 1997. Springer-Verlag.
J. Boyar, K. Friedl, C. Lund. Practical zero-knowledge proofs: Giving hints and using Deficiencies. In Journal of Cryptology, 4(3), pages 185–206, 1991.
M. Bellare, P. Rogaway. Random Oracles are Practical: A Paradigm for Designing Efficient Protocols. In 1st Conf. Computer & Comm. Security, ACM, pages 62–73, 1993.
Burmester, Desmedt, Itoh, Sakurai, Shizuya, Yung. A progress report on Subliminal-Free Channels. In Workshop on Information Hiding, Cambridge U.K., LNCS, pages 157–168, 1996.
R. Canetti, O. Goldreich, S. Halevi. The Random Oracle Methodology, Revisited. In ACM STOC’ 98.
J.-S. Coron. On the Exact Security of Full Domain Hash. In Advances in Cryptology-CRYPTO’ 00, pages 229–235, 2000. Springer-Verlag.
Y. Desmedt. Abuses in Cryptography and How to Fight Them. In Advances in Cryptology-CRYPTO’ 89, pages 375–389, 1990. Springer-Verlag.
W. Diffie, M. Hellman. New Directions in Cryptography. In volume IT-22, n. 6 of IEEE Transactions on Information Theory, pages 644–654, Nov. 1976.
T. ElGamal. A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology-CRYPTO’ 84, pages 10–18, 1985. Springer-Verlag.
Y. Frankel, M. Yung. Escrow Encryption Systems Visited: Attacks, Analysis and Designs. In Advances in Cryptology-CRYPTO’ 95, pages 222–235, 1995. Springer-Verlag.
Z. Galil, S. Haber and M. Yung. Minimum-Knowledge Interactive Proof for Decision Problems. In SIAM Journal on Computing, 1988.
S. Goldwasser, S. Micali and R. Rivest. Digital Signature Scheme Secure against Adaptive Chosen Plaintext Attack. In SIAM Journal on Computing 1988.
A. Juels and M. Yung. Manuscript.
J. Kilian and F.T. Leighton. Fair Cryptosystems Revisited. In Advances in Cryptology-CRYPTO’ 95, pages 208–221, 1995. Springer-Verlag.
A. Lenstra. Generating RSA Moduli with Predetermined Portion. In Advances in Cryptology-Asiacrypt’ 98, pages 1–10, 1998. Springer-Verlag.
M. Liskov, R. D. Silverman. A Statistical Limited-Knowledge Proof for Secure RSA Keys. Submitted to the IEEE P1363 Working Group. Available at http://grouper.ieee.org/groups/1363/contrib.htm.
K. Nyberg, R. Rueppel. Message Recovery for Signature Schemes Based on the Discrete Logarithm Problem. In Advances in Cryptology-Eurocrypt’ 94, pages 182–193, 1994. Springer-Verlag.
M. Naor, M. Yung. Universal One-Way Hash Functions and their Cryptographic Applications. In STOC’ 89, pages 33–43, 1989. ACM.
T. Okamoto. Provably Secure and Practical Identification Schemes and Corresponding Signature Schemes. In Advances in Cryptology-Crypto’ 92, pages 31–53, 1993. Springer-Verlag.
G. Poupard, J. Stern. Short Proofs of Knowledge of Factoring. In PKC’ 2000, LNCS 1751, pages 147–166, 2000. Springer-Verlag.
M. Rabin. A Public-key and Signature Scheme as Secure as Factoring, MIT Tech. Report, 1978.
R. Rivest. Chaffing and Winnowing: Confidentiality without Encryption. In CryptoBytes, 4(1), pages 12–17, 1998.
R. Rivest, A. Shamir, L. Adleman. A method for obtaining Digital Signatures and Public-Key Cryptosystems. In Communications of the ACM, volume 21, n. 2, pages 120–126, 1978.
G. Simmons. The Subliminal Channels and Digital Signatures. In Advances in Cryptology-Eurocrypt’ 84, pages 51–57, Springer-Verlag.
G. Simmons. Subliminal Communication is Easy Using the DSA. In Advances in Cryptology-Eurocrypt’ 93, Springer-Verlag.
M. Stadler. Publicly Verifiable Secret Sharing. In Advances in Cryptology-Eurocrypt’ 96, pages 190–199.
J. Camenisch, M. Stadler. Efficient Group Signature Schemes for Large Groups. In Advances in Cryptology-Crypto’ 97, pages 410–424.
A. Young, M. Yung. The Dark Side of ‘Black-Box’ Cryptography, or: Should We Trust Capstone? In Advances in Cryptology-CRYPTO’ 96, pages 89–103, Springer-Verlag.
A. Young, M. Yung. Kleptography: Using Cryptography Against Cryptography. In Advances in Cryptology-Eurocrypt’ 97, pages 62–74, Springer-Verlag.
A. Young, M. Yung. Auto-Recoverable and Auto-Certifiable Cryptosystems. In Advances in Cryptology-Eurocrypt’ 98, Springer-Verlag.
© 2000 Springer-Verlag Berlin Heidelberg
Cite this paper
Young, A., Yung, M. (2000). Towards Signature-Only Signature Schemes. In: Okamoto, T. (eds) Advances in Cryptology — ASIACRYPT 2000. ASIACRYPT 2000. Lecture Notes in Computer Science, vol 1976. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-44448-3_9
DOI: https://doi.org/10.1007/3-540-44448-3_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-41404-9
Online ISBN: 978-3-540-44448-0