Efficient Fail-Stop Signatures from the Factoring Assumption

  • Atefeh Mashatan
  • Khaled Ouafi
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7001)


In this paper, we revisit the construction of fail-stop signatures from the factoring assumption. These signatures were originally proposed to provide information-theoretic-based security against forgeries. In contrast to classical signature schemes, in which signers are protected through a computational conjecture, fail-stop signature schemes protect the signers in an information theoretic sense, i.e., they guarantee that no one, regardless of its computational power, is able to forge a signature that cannot be detected and proven to be a forgery. Such a feature inherently introduced another threat: malicious signers who want to deny a legitimate signature.

Many construction of fail-stop signatures were proposed in the literature, based on the discrete logarithm, the RSA, or the factoring assumptions. Several variants of this latter assumption were used to construct fail-sop signature schemes. Bleumer et al. (EuroCrypt ’90) proposed a fail-stop signature scheme based on the difficulty of factoring large integers and Susilo et al. (The Computer Journal, 2000) showed how to construct a fail-stop signature scheme from the so-called “strong factorization” assumption. A later attempt by Schmidt-Samoa (ICICS ’04) was to propose a fail-stop signature scheme from the p 2 q factoring assumption.

Compared to those proposals, we take a more traditional approach by considering the Rabin function as our starting point. We generalize this function to a new bundling homomorphism while retaining Rabin’s efficient reduction to factoring the modulus of the multiplicative group. Moreover, we preserve the efficiency of the Rabin function as our scheme only requires two, very optimized, modular exponentiations for key generation and verification. This improves on older constructions from factoring assumptions which required either two unoptimized or four exponentiations for key generation and either two unoptimized or three modular exponentiations for verifying.


Fail-stop signature schemes Digital signatures Rabin function Factoring 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Barić, N., Pfitzmann, B.: Collision-Free Accumulators and Fail-Stop Signature Schemes without Trees. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 480–494. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  2. 2.
    Benaloh, J.C., de Mare, M.: One-Way Accumulators: A Decentralized Alternative to Digital Signatures. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 274–285. Springer, Heidelberg (1994)CrossRefGoogle Scholar
  3. 3.
    Bleumer, G., Pfitzmann, B., Waidner, M.: A Remark on Signature Scheme Where Forgery Can Be Proved. In: Damgård, I.B. (ed.) EUROCRYPT 1990. LNCS, vol. 473, pp. 441–445. Springer, Heidelberg (1991)CrossRefGoogle Scholar
  4. 4.
    Clarkson, J.B.: Dense probabilistic encryption. In: Workshop on Selected Areas of Cryptography, pp. 120–128 (1994)Google Scholar
  5. 5.
    Damgård, I., Pedersen, T.P., Pfitzmann, B.: On the existence of statistically hiding bit commitment schemes and fail-stop signatures. J. Cryptology 10(3), 163–194 (1997)MathSciNetCrossRefzbMATHGoogle Scholar
  6. 6.
    Frobenius, G.: Über einen Fundamentalsatz der Gruppentheorie, II. Sitzungsberichte der Preussischen Akademie Weissenstein (1907)Google Scholar
  7. 7.
    Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988)MathSciNetCrossRefzbMATHGoogle Scholar
  8. 8.
    Groth, J.: Cryptography in subgroups of zn. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 50–65. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  9. 9.
    Merkle, R.C.: Protocols for public key cryptosystems. In: IEEE Symposium on Security and Privacy, pp. 122–134 (1980)Google Scholar
  10. 10.
    Merkle, R.C.: A certified digital signature. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 218–238. Springer, Heidelberg (1990)Google Scholar
  11. 11.
    Pedersen, T.P., Pfitzmann, B.: Fail-stop signatures. SIAM J. Comput. 26(2), 291–330 (1997)MathSciNetCrossRefzbMATHGoogle Scholar
  12. 12.
    Pfitzmann, B.: Digital Signature Schemes, General Framework and Fail-Stop Signatures. LNCS, vol. 1100. Springer, Heidelberg (1996)CrossRefzbMATHGoogle Scholar
  13. 13.
    Pollard, J.M.: A monte carlo method for factorization. BIT Numerical Mathematics 15(3), 331–334 (1975)MathSciNetCrossRefzbMATHGoogle Scholar
  14. 14.
    Rivest, R., Silverman, R.: Are ’strong’ primes needed for RSA? Cryptology ePrint Archive, Report 2001/007 (2001),
  15. 15.
    Schmidt-Samoa, K.: Factorization-based fail-stop signatures revisited. In: López, J., Qing, S., Okamoto, E. (eds.) ICICS 2004. LNCS, vol. 3269, pp. 118–131. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  16. 16.
    Susilo, W.: Short fail-stop signature scheme based on factorization and discrete logarithm assumptions. Theor. Comput. Sci. 410(8-10), 736–744 (2009)MathSciNetCrossRefzbMATHGoogle Scholar
  17. 17.
    Susilo, W., Safavi-Naini, R., Gysin, M., Seberry, J.: A new and efficient fail-stop signature scheme. Comput. J. 43(5), 430–437 (2000)CrossRefGoogle Scholar
  18. 18.
    van Heijst, E., Pedersen, T.P., Pfitzmann, B.: New Constructions of Fail-Stop Signatures and Lower Bounds. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 15–30. Springer, Heidelberg (1993)CrossRefGoogle Scholar
  19. 19.
    van Heyst, E., Pedersen, T.P.: How to Make Efficient Fail-Stop Signatures. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 366–377. Springer, Heidelberg (1993)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Atefeh Mashatan
    • 1
  • Khaled Ouafi
    • 1
  1. 1.Ecole Polytechnique Fédérale de Lausanne (EPFL)LausanneSwitzerland

Personalised recommendations