
Off-line/on-line signatures revisited: a general unifying paradigm, efficient threshold variants and experimental results

Regular Contribution. International Journal of Information Security.

Abstract

The notion of off-line/on-line digital signature scheme was introduced by Even, Goldreich and Micali. Informally such signatures schemes are used to reduce the time required to compute a signature using some kind of preprocessing. Even, Goldreich and Micali show how to realize off-line/on-line digital signature schemes by combining regular digital signatures with efficient one-time signatures. Later, Shamir and Tauman presented an alternative construction (which produces shorter signatures) obtained by combining regular signatures with chameleon hash functions. In this paper, we study off-line/on-line digital signature schemes both from a theoretic and a practical perspective. More precisely, our contribution is threefold. First, we unify the Shamir–Tauman and Even et al. approaches by showing that they can be seen as different instantiations of the same paradigm. We do this by showing that the one-time signatures needed in the Even et al. approach only need to satisfy a weak notion of security. We then show that chameleon hashing is basically a one-time signature which satisfies such a weaker security notion. As a by-product of this result, we study the relationship between one-time signatures and chameleon hashing, and we prove that a special type of chameleon hashing (which we call double-trapdoor) is actually a fully secure one-time signature. Next, we consider the task of building, in a generic fashion, threshold variants of known schemes: Crutchfield et al. proposed a generic way to construct a threshold off-line/on-line signature scheme given a threshold regular one. They applied known threshold techniques to the Shamir–Tauman construction using a specific chameleon hash function. Their solution introduces additional computational assumptions which turn out to be implied by the so-called one-more discrete logarithm assumption. 
Here, we propose two generic constructions that can be based on any threshold signature scheme, combined with a specific (double-trapdoor) chameleon hash function. Our constructions are efficient and can be proven secure in the standard model using only the traditional discrete logarithm assumption. Finally, we ran experimental tests to measure the difference between the real efficiency of the two known constructions for non-threshold off-line/on-line signatures. Interestingly, we show that, using some optimizations, the two approaches are comparable in efficiency and signature length.


Notes

  1. We notice that the problem can be defined as well in any cyclic group of prime order \(q\), e.g., when \(G\) is taken as a subgroup of the group of points of an elliptic curve over a finite field.

  2. They are also known as universal one-way or second preimage–resistant hash functions.

  3. In such a variant, called division intractability (DI), the adversary is allowed to choose the \(x_i\)’s after having seen the hash function.

  4. The idea of using two independent trapdoors to construct a secure digital signature scheme is not new, as it goes back to the seminal paper of Goldwasser, Micali and Rivest [29].

  5. More precisely, it would be possible to tolerate one-third of the players behaving maliciously at any time, by using general techniques such as non-interactive zero-knowledge proofs in order to enhance every protocol step with robustness. However, the obtained scheme would become highly inefficient; we decided to maintain practicability rather than optimizing the threshold.

  6. For the protocols described in the next section, however, we will require \(t<n/4\) to guarantee robustness.

  7. Formally, this is equivalent to assuming that all the public parameters are part of a shared random string, which the simulator is allowed to “program” in the proof.

  8. The sources of the tests are available upon request to the authors.

  9. As explained in Appendix B, the proof of security requires a stronger assumption than the inverting infeasibility: The quasi-inverting assumption has to hold on \(f\). Also in Appendix B we make a concrete security analysis of this assumption compared to the assumption of basic one-wayness.

References

  1. Bar-Ilan, J., Beaver, D.: Non cryptographic fault tolerant computing in a constant number of rounds of interaction. In: Proceedings of the ACM Symposium on Principles of Distributed Computation, pp. 201–209. ACM Press (1989)

  2. Barić, N., Pfitzmann, B.: Collision-free accumulators and fail-stop signature schemes without trees, advances in cryptology. In: Proceedings of EUROCRYPT ’97, LNCS 1233, pp. 480–494. Springer (1997)

  3. Bellare, M., Micali, S.: How To Sign Given Any Trapdoor Function. In: Proceedings of STOC 88, pp. 32–42. ACM Press (1988)

  4. Bellare, M., Namprempre, C., Pointcheval, D., Semanko, M.: The one-more-RSA-inversion problems and the security of Chaum’s blind signature scheme. J Cryptol 16(3), 185–215 (2003)

  5. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Proceedings of 1st ACM Conference on Computer and Communications Security (CCS 1993), pp. 62–73. ACM Press (1993)

  6. Ben-or, M., Goldwasser, S., Widgerson, A.: Completeness theorems for non-cryptographic fault tolerant distributed computation. In: Proceedings of 20th Annual Symposium on Theory of Computing, pp. 1–10. ACM Press (1988)

  7. Berlekamp, E., Welch, L.: Error Correction of Algebraic Block Codes, US Patent 4,633,470 (1986)

  8. Boyar, J.F., Kurtz, S.A., Krentel, M.W.: A discrete logarithm implementation of perfect zero-knowledge blobs. J Cryptol 2(2), 63–76 (1990)

  9. Brassard, G., Chaum, D., Crépeau, C.: Minimum disclosure proofs of knowledge. J Comput Syst Sci 37(2), 156–189 (1988)

  10. Bresson, E., Catalano, D., Gennaro, R.: Improved on-line/off-line threshold signatures. In: Proceedings of Public Key Cryptography—PKC ’07, LNCS 4450, pp. 217–232. Springer (2007)

  11. Catalano, D., Di Raimondo, M., Fiore, D., Gennaro, R.: Off-line/On-line signatures: theoretical aspects and experimental results. In: Proceedings of Public Key Cryptography—PKC ’08, LNCS 4939, pp. 101–120. Springer (2008)

  12. Coron, J., Naccache, D.: Security analysis of the Gennaro-Halevi-Rabin signature scheme. Advances in Cryptology. In: Proceedings of EUROCRYPT ’99, LNCS 1807, pp. 91–101. Springer (1999)

  13. Cramer, R., Damgard, I.: New generation of secure and practical RSA-based signatures. Advances in cryptology. In: Proceedings of CRYPTO ’96, LNCS 1109, pp. 173–185. Springer (1996)

  14. Crutchfield, C., Molnar, D., Turner, D., Wagner, D.: Generic on-line/off-line threshold signatures. In: Proceedings of Public Key Cryptography—PKC ’06, LNCS 3958, pp. 58–74. Springer (2006)

  15. Cramer, R., Shoup, V.: Signature scheme based on the strong RSA assumption. In: Proceedings of 6th ACM Conference on Computer and Communications Security (CCS 1999), pp. 46–51. ACM Press (1999)

  16. Damgård, I., Dupont, K.: Efficient threshold RSA signatures with general moduli and no extra assumptions. In: Proceedings of Public Key Cryptography—PKC ’05, LNCS 3386, pp. 346–361. Springer (2005)

  17. Desmedt, Y., Frankel, Y.: Threshold cryptosystems. Advances in cryptology. In: Proceedings of CRYPTO ’89, LNCS 435, pp. 307–315. Springer (1990)

  18. Di Raimondo, M., Gennaro, R.: Provably secure threshold password-authenticated key exchange. Advances in cryptology. In: Proceedings of EUROCRYPT ’03, LNCS 2656, pp. 507–523. Springer (2003)

  19. Eastlake, D., Jones, P.: US Secure Hash Algorithm 1 (SHA1), RFC, RFC Editor (2001)

  20. ElGamal, T.: A public-key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans Inf Theory 31(4), 469–472 (1985)

  21. Even, S., Goldreich, O., Micali, S.: On-line/Off-line digital signatures. J Cryptol 9(1), 35–67 (1996)

  22. Feldman, P.: A Practical scheme for non-interactive verifiable secret sharing. In: Proceedings of 28th FOCS, pp. 427–437 (1987)

  23. Fiat, A., Shamir, A.: How to prove yourself: practical solutions of identification and signature problems. Advances in cryptology. In: Proceedings of CRYPTO ’86, LNCS 263, pp. 187–194. Springer (1976)

  24. Gennaro, R., Halevi, S., Rabin, T.: Secure hash-and-sign signatures without the random oracle. Advances in cryptology. In: Proceedings of EUROCRYPT ’99, LNCS 1592, pp. 123–139. Springer (1999)

  25. Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Secure distributed key Generation for Discrete-Log Public-Key Cryptosystems. Advances in Cryptology - proceedings of EUROCRYPT ’99, LNCS 159, pp. 295–310. Springer (1999)

  26. Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Robust and efficient sharing of RSA functions. J Cryptol 13(2), 273–300 (2000)

  27. Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Robust threshold DSS signatures. Inf Comput 164(1), 54–84 (2001)

  28. Gennaro, R., Rabin, M., Rabin, T.: Simplified VSS and fast-track multi-party computations with applications to threshold cryptography. In: Proceedings of 17th ACM Symposium on Principle of Distributed Computing, pp. 101–111. ACM Press (1998)

  29. Goldwasser, S., Micali, S., Rivest, R.: A digital signature scheme secure against adaptive chosen message attacks. SIAM J Comput 17(2), 281–308 (1988)

  30. Halevi, S., Krawczyk, H.: Strengthening digital signatures via randomized hashing. Advances in cryptology. In: Proceedings of CRYPTO ’06, LNCS 4117, pp. 41–59. Springer (2006)

  31. Jakobsson, M.: Fractal hash sequence representation and traversal. In: Proceedings of IEEE International Symposium on Information Theory—ISIT ’02, pp. 437 (2002)

  32. Koblitz, N., Menezes, A.: Another look at non-standard discrete log and Diffie-Hellman problems, to appear in Journal of Mathematical Cryptology (2008)

  33. Krawczyk, H., Rabin, T.: Chameleon hashing and signatures. In: Proceedings of Network and Distributed Systems Security Symposium—NDSS ’00, pp. 143–154. Internet Society (2000)

  34. Kurosawa, K., Schmidt-Samoa, K.: New online/offline signature schemes without random oracles. In: Proceedings of Public Key Cryptography 2006, LNCS 3958, pp. 330–346. Springer (2006)

  35. Lamport, L.: Constructing digital signatures from a one-way function. Technical Report SRI-CSL-98. SRI International Computer Science Laboratory (1979)

  36. Merkle, R.C.: A digital signature based on a conventional encryption function. Advances in Cryptology. In: Proceedings of CRYPTO’87, LNCS 293, pp. 369–378. Springer (1987)

  37. Naor, M., Yung, M.: Universal one-way hash functions and their cryptographic application. In: Proceedings of STOC 89, pp. 33–43. ACM (1989)

  38. Pedersen, T.: Non-interactive and information-theoretic secure verifiable secret sharing. Advances in cryptology. In: Proceedings of CRYPTO’91, LNCS 576, pp. 129–140. Springer (1992)

  39. Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. J Cryptol 13(3), 361–396 (2000)

  40. Rabin, M.O.: Digital Signatures. In: DeMillo, R.A., et al. (eds.) Foundations of secure computation, pp. 155–168. Academic Press, London (1978)

  41. Rivest, R., Shamir, A., Adelman, L.: A method for obtaining digital signature and public key cryptosystems. Commun ACM 21(2), 120–126 (1978)

  42. Rompel, J.: One-way functions are necessary and sufficient for secure signatures. Proc. STOC 90, 387–394 (1990)

  43. Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)

  44. Shamir, A., Tauman, Y.: Improved on-line/off-line signature schemes. Advances in cryptology. In: Proceedings of CRYPTO ’01, LNCS 2139, pp. 355–367. Springer-Verlag (2001)

  45. Schnorr, C.P.: Efficient signature generation by smart cards. J Cryptol 4(3), 161–174 (1991)

  46. Shoup, V.: Practical threshold signatures. Advances in cryptology. In: Proceedings of EUROCRYPT ’00, LNCS 1807, pp. 207–220. Springer (2000)

  47. OpenSSL Project http://www.openssl.org

  48. National Institute for Standards and Technology, Digital Signature Standard (DSS), Technical Report 169 (1991)

  49. Xu, S., Mu, Y., Susilo, W.: Online/offline signatures and multisignatures for AODV and DSR routing security. Inf Secur Privacy (ACISP 2006) 4058, 99–110 (2006)


Acknowledgments

Emmanuel Bresson, Dario Fiore, and Rosario Gennaro did part of this work while being affiliated with DCSSI Crypto Lab in Paris, Università di Catania and the IBM T.J. Watson Research Center, respectively.

Corresponding author: Dario Fiore.

Additional information

This is an extended version of [10, 11] (see Sect. 1.2 for more details)

Appendices

A Some tools

In this appendix, we summarize some known instantiations for essential building blocks requested in the implemented constructions.

A.1 Examples of one-time signatures

  • Lamport’s scheme [35]: Let \(M\) be the \(m\)-bit message to sign and \(f: \{0,1\}^\ell \rightarrow \{0,1\}^\ell \) be a one-way function. We choose \(2m\) \(\ell \)-bit strings \(x^0_1, x^1_1, \ldots , x^0_m, x^1_m\) at random as the signing key. The verification key is computed by applying \(f\) to each \(x^0_i, x^1_i\) for \(i=1, \ldots , m\): \(f(x^0_1), f(x^1_1), \ldots , f(x^0_m),f(x^1_m)\). To sign a message \(M=\mu _1, \ldots , \mu _m\) the signer reveals \(x^{\mu _1}_1, \ldots , x^{\mu _m}_m\). Given a message \(M\) and its signature \(s=s_1, \ldots , s_m\), the verifier applies \(f\) to the values \(s_1, \ldots , s_m\) of the signature and checks whether they are equal to the corresponding images in the verification key. This simple scheme is proved to be secure if \(f\) is a one-way function; it is very fast, but has the drawback of quite large keys and signatures.

  • Shortening the length of keys and signatures [21]: Even et al. suggest some ideas to improve the efficiency of the above one-time signature scheme. The first idea, which is attributed in [36] to Winternitz, allows a secret/public key with \(m+1\) strings instead of \(2m\). This idea was further extended by Even et al. as follows. Let \(M\) be the \(m\)-bit message; we partition it into blocks of \(t\) bits, where \(t | m\). Let \(f\) be a one-way function as before (see Note 9). We choose at random \(\frac{m}{t} +1\) \(\ell \)-bit strings \(x_0, x_1, \ldots , x_{m/t}\) as the signing key. The corresponding verification key is:

    $$\begin{aligned}&\!\!\!\!y_0=f^{(2^t-1)m/t}(x_0);\; \; \; y_1=f^{2^t-1}(x_1), \ldots , \\&\!\!\!\!y_{m/t}=f^{2^t-1}(x_{m/t}) \end{aligned}$$

    To sign a message \(M=\mu _1, \ldots , \mu _{m/t}\), whose \(t\)-bit blocks \(\mu _i\) are interpreted as integers, the signer outputs:

    $$\begin{aligned}&s_0=f^{\sum _{i=1}^{m/t}\mu _i}(x_0), \, s_1=f^{2^t-1-\mu _1}(x_1), \ldots , \\&s_{m/t}=f^{2^t-1-\mu _{m/t}}(x_{m/t}) \end{aligned}$$

    Given a message \(M=\mu _1, \ldots , \mu _{m/t}\) and a signature \(s_0, s_1, \ldots , s_{m/t}\), the verifier applies \(f\) to each signature component the proper number of times and compares the resulting values with the verification key elements. Namely, it checks:

    $$\begin{aligned} \begin{array}{l} y_0\stackrel{?}{=}f^{(2^t-1)m/t-\sum _{i=1}^{m/t}\mu _i}(s_0);\quad y_1\stackrel{?}{=}f^{\mu _1}(s_1), \ldots , \\ y_{m/t}\stackrel{?}{=}f^{\mu _{m/t}}(s_{m/t}) \end{array} \end{aligned}$$

    It is interesting to note the trade-off: a small \(t\) makes the signature computation more efficient (because the hash chains are shorter), but makes the signature longer (because the number of blocks \(m/t\) is bigger).

  • Speeding up the signature step (Jakobsson [31]): In the previous scheme, the length of the hash chains is exponential in the block size; this makes the signature and verification steps computationally expensive for big blocks. The optimization for one-way hash chain traversal proposed by Jakobsson [31] can be applied here: the idea is to store not only the first and last values of the chains but also some intermediate elements (called pebbles), so that the signing procedure can speed up the traversal by starting the iterated computation from the nearest pebble in the chain. In [31], it is stated that keeping \(O(\log n)\) pebbles, where \(n\) is the chain length, makes the traversal time \(O(\log n)\); in our case, the storage and the running time become \(O(t)\), where \(t\) is the block size.
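As an added illustration (it is not code from the paper), the following Python toy implements both schemes of A.1 side by side. The one-way function \(f\) is modelled by SHA-256 truncated to \(\ell = 80\) bits and messages have \(m = 2\ell\) bits as in Appendix B.4; the function names, the domain-separation tag and the choice of SHA-256 are assumptions of this example.

```python
"""Toy Lamport and Even-Goldreich-Micali (EGM) one-time signatures.

Added illustration, not the paper's code. The one-way function f is modelled
by SHA-256 truncated to ELL bits; ELL = 80 and m = 2*ELL follow Appendix B.4.
"""
import hashlib
import secrets

ELL = 80                 # output length of f in bits (the security parameter ell)
M_BITS = 2 * ELL         # message length m in bits
_ELL_BYTES = ELL // 8


def f(x: bytes) -> bytes:
    """f: {0,1}^ell -> {0,1}^ell, here SHA-256 with a domain tag, truncated to ell bits."""
    return hashlib.sha256(b"ots-f|" + x).digest()[:_ELL_BYTES]


def f_iter(x: bytes, n: int) -> bytes:
    """f^n(x): walk n steps along the hash chain starting at x."""
    for _ in range(n):
        x = f(x)
    return x


def _rand_ell() -> bytes:
    return secrets.token_bytes(_ELL_BYTES)


def _bits(msg: bytes) -> list:
    """Message bits mu_1..mu_m, most significant first."""
    if len(msg) * 8 != M_BITS:
        raise ValueError("message must be exactly m bits")
    n = int.from_bytes(msg, "big")
    return [(n >> (M_BITS - 1 - i)) & 1 for i in range(M_BITS)]


def _blocks(msg: bytes, t: int) -> list:
    """Message split into m/t blocks of t bits, each read as an integer in [0, 2^t - 1]."""
    if len(msg) * 8 != M_BITS or M_BITS % t != 0:
        raise ValueError("message must be m bits and t must divide m")
    n = int.from_bytes(msg, "big")
    return [(n >> (M_BITS - t * (i + 1))) & ((1 << t) - 1) for i in range(M_BITS // t)]


# ---- Lamport [35]: 2m secrets, reveal one per message bit ----
def lamport_keygen():
    sk = [(_rand_ell(), _rand_ell()) for _ in range(M_BITS)]    # (x_i^0, x_i^1)
    vk = [(f(x0), f(x1)) for x0, x1 in sk]                       # (f(x_i^0), f(x_i^1))
    return sk, vk


def lamport_sign(sk, msg: bytes):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]          # reveal x_i^{mu_i}


def lamport_verify(vk, msg: bytes, sig) -> bool:
    bits = _bits(msg)
    return len(sig) == M_BITS and all(f(s) == vk[i][bits[i]] for i, s in enumerate(sig))


# ---- EGM [21]: m/t + 1 hash chains; chain 0 is the checksum chain ----
def egm_keygen(t: int):
    k = M_BITS // t
    top = (1 << t) - 1                                           # 2^t - 1
    sk = [_rand_ell() for _ in range(k + 1)]                     # x_0, x_1, ..., x_{m/t}
    vk = [f_iter(sk[0], top * k)] + [f_iter(x, top) for x in sk[1:]]
    return sk, vk


def egm_sign(sk, msg: bytes, t: int):
    mu = _blocks(msg, t)
    top = (1 << t) - 1
    # s_0 = f^{sum mu_i}(x_0);  s_i = f^{2^t - 1 - mu_i}(x_i)
    return [f_iter(sk[0], sum(mu))] + [f_iter(sk[i + 1], top - mu[i]) for i in range(len(mu))]


def egm_verify(vk, msg: bytes, sig, t: int) -> bool:
    mu = _blocks(msg, t)
    top = (1 << t) - 1
    k = len(mu)
    if len(sig) != k + 1 or len(vk) != k + 1:
        return False
    # Raising a block mu_i would need a preimage of s_i; lowering it would need a
    # preimage of s_0, because the checksum chain would have to be walked backwards.
    if f_iter(sig[0], top * k - sum(mu)) != vk[0]:
        return False
    return all(f_iter(sig[i + 1], mu[i]) == vk[i + 1] for i in range(k))


def signature_bits(sig) -> int:
    """Signature length in bits: m*ell for Lamport, (m/t + 1)*ell for EGM."""
    return 8 * sum(len(s) for s in sig)
```

With \(m = 160\) and \(\ell = 80\) a Lamport signature is \(12{,}800\) bits, while the EGM variant with \(t = 8\) is \(21 \cdot 80 = 1{,}680\) bits at the cost of chains of length \(255\) (and one checksum chain of length \(5{,}100\)), which is exactly the trade-off noted above.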

A.2 Examples of obliviously secure signatures

In this section, we recall two signature schemes: one is due to Gennaro et al. [24] and the other to Cramer and Shoup [15]. Their security is based on the Strong RSA Assumption (see Sect. 2.3), and they are the most efficient signature schemes in the literature whose security can be proved without using the random oracle model.

As already stated in Sect. 2.6, we present simplified versions of these schemes which can be proved to be obliviously secure, since that is all we need in our work.

  • Simplified GHR Signature: This scheme uses a target-division-intractable hash function \(h^\mathsf{tdi}(\cdot , \cdot )\).

    • Key generation: let \(N=pq\) be an RSA modulus where \(p,q\) are safe primes of identical sizes; select a random element \(s\) in \(\mathbb{Z }_N^*\) and a key \(k\) for the TDI hash function \(h^\mathsf{tdi}(\cdot ,\cdot )\); the public key is \((N,s,k)\) and the secret key is \(\phi (N)=(p-1)(q-1)\).

    • Signature algorithm: given a message \(m\) to sign, compute \(e=h^\mathsf{tdi}(k,m)\) and \(d=e^{-1} \text{ mod } \phi (N)\), and output the signature \(\sigma =s^d \text{ mod } N\).

    • Verification algorithm: on input the public key \((N,s,k)\) and the message/signature pair \(m,\sigma \), compute the value \(e=h^\mathsf{tdi}(k,m)\) and check if \(\sigma ^e=s \text{ mod } N\).

  • Simplified CS signature:

    • Key generation: generate an RSA modulus \(N=pq\) as in GHR (safe primes), select two random elements \(s,t\) in \(QR_N^*\), where \(QR_N\) is the set of quadratic residues modulo \(N\), and draw a random key \(k\) for a TCR hash function \(h^\mathsf{tcr}(\cdot ,\cdot )\); the public key is \((N,s,t,k)\) and the secret key is \(\phi (N)\).

    • Signature algorithm: given an arbitrary long message \(m\) to sign, generate a random 161-bit prime \(e\) and compute \(d=e^{-1} \text{ mod } \phi (N)\) and \(\sigma =(st^{h^\mathsf{tcr}(k,m)})^d \text{ mod } N\). The signature is \((e,\sigma )\).

    • Verification algorithm: on input the public key \((N,s,t,k)\) and the message/signature pair \(m,(e,\sigma )\), check whether \(\sigma ^e=st^{h^\mathsf{tcr}(k,m)} \text{ mod } N\).

    Cramer and Shoup in [15] suggest an efficient method for the generation of small primes of 161 bits. This operation is critical for the performance of the scheme, since a fresh 161-bit prime is necessary to sign each message.
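The simplified CS scheme as a runnable Python toy (an added example, not the authors' implementation). The modulus is built from the constructed toy safe primes \(1019 = 2\cdot 509+1\) and \(1439 = 2\cdot 719+1\) so that the example runs instantly; a real instance uses 512-bit safe primes. \(h^\mathsf{tcr}\) is modelled by SHA-256 truncated to 160 bits, and a plain Miller–Rabin search stands in for the faster 161-bit prime generation of [15]; those choices are assumptions of this example.

```python
"""Toy simplified Cramer-Shoup (CS) signature from Appendix A.2.

Added illustration, not the authors' code: the modulus is built from the
constructed toy safe primes 1019 = 2*509 + 1 and 1439 = 2*719 + 1 so the
example runs instantly; a real instance uses 512-bit safe primes.
"""
import hashlib
import secrets
from math import gcd

P_TOY, Q_TOY = 1019, 1439   # constructed, insecure toy safe primes
E_BITS = 161                # bit length of the fresh prime e used per signature


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test (stands in for the fast prime generation of [15])."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # exact bit length, odd
        if is_probable_prime(cand):
            return cand


def h_tcr(k: bytes, m: bytes) -> int:
    """Keyed hash h^tcr(k, m), modelled by SHA-256 truncated to 160 bits."""
    return int.from_bytes(hashlib.sha256(k + m).digest()[:20], "big")


def _random_qr(N: int) -> int:
    """Random element of QR_N: the square of a random unit mod N."""
    while True:
        a = secrets.randbelow(N - 2) + 2
        if gcd(a, N) == 1:
            return pow(a, 2, N)


def keygen():
    N = P_TOY * Q_TOY
    phi = (P_TOY - 1) * (Q_TOY - 1)
    pk = (N, _random_qr(N), _random_qr(N), secrets.token_bytes(16))   # (N, s, t, k)
    return pk, phi                                                    # secret key phi(N)


def sign(pk, phi: int, m: bytes):
    N, s, t, k = pk
    while True:
        e = random_prime(E_BITS)
        if gcd(e, phi) == 1:          # always true for a 161-bit prime and this phi
            break
    d = pow(e, -1, phi)
    base = s * pow(t, h_tcr(k, m), N) % N
    return e, pow(base, d, N)         # sigma = (s * t^{h(k,m)})^d mod N


def verify(pk, m: bytes, sig) -> bool:
    N, s, t, k = pk
    e, sigma = sig
    # Cheap sanity check on e (odd, 161 bits) before the equation test of the page.
    if e.bit_length() != E_BITS or e % 2 == 0:
        return False
    return pow(sigma, e, N) == s * pow(t, h_tcr(k, m), N) % N
```

Note where the cost sits: key generation and verification are cheap, while each signature pays for one fresh 161-bit prime plus one inversion modulo \(\phi(N)\), which is why [15] spends effort on prime generation.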

A.3 Examples of chameleon hashing

  • Discrete-log based: This construction is from [8]. Let \(G\) be a group of prime order \(q\) where membership test and multiplication can be performed efficiently and in which the discrete logarithm is hard.

    • Key setup: choose \(g\) at random in \(G\) and compute \(h=g^x \text{ mod } p\), with \(x\) chosen at random in \(\mathbb{Z }_q\); the public key is \(pk=(g,h)\), the secret key is \(x\);

    • Function evaluation: given a message \(m\) and randomness \(r\) in \(\mathbb{Z }_q\), the function is computed as \(\mathsf{C}_{pk}(m,r)=g^mh^r\);

    • Chameleon property: given a commitment \(c=g^mh^r\), the message \(m\), the input randomness \(r\), the trapdoor key \(x\) and a different message \(m^{\prime }\ne m\), we have that \(m+xr=m^{\prime }+xr^{\prime } \text{ mod } q\), so we can compute \(r^{\prime }=r+(m-m^{\prime })x^{-1} \text{ mod } q\).

    As can be seen, the collision-finding algorithm requires a single multiplication (once one stores directly the value \(x^{-1} \text{ mod } q\)). A typical implementation of the group \(G\) is a subgroup of order \(q\) in \(\mathbb{Z }_p^*\), where \(p,q\) are primes such that \(q | (p-1)\). Reasonable security parameters are \(|p|=1024\) and \(|q|=160\).

  • RSA based: This construction is from [13, 15]. Let \(N\) be the product of two large primes \(p,q\) (reasonable security parameters are \(|p|=|q|=512\)); we consider the group \(\mathbb{Z }_N\).

    • Key setup: let \(e\) be a prime number relatively prime to \(\phi (N)=(p-1)(q-1)\), and \(s\) a random element of \(\mathbb{Z }_N^*\). Compute \(d=e^{-1} \text{ mod } \phi (N)\); the public key is \(pk=(N,s,e)\), the secret key is \(\sigma =s^d \text{ mod } N\);

    • Function evaluation: given a message \(m\in [1..e-1]\) and randomness \(r\) in \(\mathbb{Z }_N^*\), the function is computed as \(\mathsf{C}_{pk}(m,r)=s^mr^e \text{ mod } N\);

    • Chameleon property: given a commitment \(c=s^mr^e\), the message \(m\), the input randomness \(r\), the trapdoor key \(\sigma \) and a different message \(m^{\prime }\ne m\), we have that \(s^mr^e=s^{m^{\prime }}{r^{\prime }}^e \text{ mod } N\), so we can compute \(r^{\prime }=r\sigma ^{m-m^{\prime }} \text{ mod } N\).
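Both chameleon hashes above, with their trapdoor collision finding, as an added Python toy (not the paper's code). The parameters are constructed toy values: the order-509 subgroup of \(\mathbb{Z}_{1019}^*\) for the discrete-log construction and \(N = 1019\cdot 1439\) for the RSA one; the function names are assumptions of this example.

```python
"""Toy discrete-log and RSA chameleon hashes from Appendix A.3, with trapdoor collisions.

Added illustration, not the paper's code; parameters are constructed toy values
(the order-509 subgroup of Z_1019^*, and N = 1019 * 1439), not secure sizes.
"""
import secrets
from math import gcd

# --- Discrete-log based [8]: G = squares in Z_p^*, p = 2q + 1 ---
P_DL, Q_DL = 1019, 509          # toy; reasonable sizes are |p| = 1024, |q| = 160


def dl_keygen():
    while True:
        g = pow(secrets.randbelow(P_DL - 2) + 2, 2, P_DL)   # random element of the order-q subgroup
        if g != 1:
            break
    x = secrets.randbelow(Q_DL - 1) + 1                      # trapdoor x in Z_q^*
    return (g, pow(g, x, P_DL)), x                           # pk = (g, h = g^x), sk = x


def dl_hash(pk, m: int, r: int) -> int:
    g, h = pk
    return pow(g, m, P_DL) * pow(h, r, P_DL) % P_DL           # C(m, r) = g^m h^r


def dl_collide(x: int, m: int, r: int, m2: int) -> int:
    """r' with C(m2, r') = C(m, r): from m + x r = m2 + x r' (mod q)."""
    return (r + (m - m2) * pow(x, -1, Q_DL)) % Q_DL           # one multiplication once x^{-1} is stored


# --- RSA based [13, 15] ---
P_RSA, Q_RSA = 1019, 1439       # toy; reasonable sizes are |p| = |q| = 512
E_RSA = 65537                   # prime, coprime to phi(N)


def rsa_keygen():
    N = P_RSA * Q_RSA
    phi = (P_RSA - 1) * (Q_RSA - 1)
    if gcd(E_RSA, phi) != 1:
        raise ValueError("e must be coprime to phi(N)")
    while True:
        s = secrets.randbelow(N - 2) + 2
        if gcd(s, N) == 1:
            break
    sigma = pow(s, pow(E_RSA, -1, phi), N)                    # trapdoor sigma = s^d = s^{1/e}
    return (N, s, E_RSA), sigma


def rsa_hash(pk, m: int, r: int) -> int:
    N, s, e = pk
    if not 1 <= m < e:
        raise ValueError("message must lie in [1, e-1]")
    return pow(s, m, N) * pow(r, e, N) % N                    # C(m, r) = s^m r^e


def rsa_collide(N: int, sigma: int, m: int, r: int, m2: int) -> int:
    """r' with C(m2, r') = C(m, r): r' = r * sigma^{m - m2} (mod N); a negative exponent is an inverse."""
    return r * pow(sigma, m - m2, N) % N
```

The point of the trapdoor is visible in both collision routines: whoever holds \(x\) (or \(\sigma\)) opens a fixed hash value to any message with one cheap operation, which is exactly what lets the on-line phase of the Shamir–Tauman construction avoid a full signature.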

B On one-time signatures

In Appendix A.1, we presented two one-time signature schemes: Lamport’s and Even et al.’s. The former is faster, but produces long signatures and keys. The latter allows for an efficiency trade-off between the signature/key sizes and time required to generate and to verify a signature tag.

B.1 Security

Lamport’s scheme is proved secure under the assumption that one-way functions exist. Even et al.’s solution relies on a seemingly stronger assumption:

Definition 10

(Quasi-inverting) Let \(f: \{0,1\}^* \rightarrow \{0,1\}^*\) be a polynomial-time computable function. Given an image, \(y\), the task of quasi-inverting \(f\) on \(y\) is to find an \(x\) and an \(i=poly(|y|)\) so that \(f^{i+1}(x) = f^i(y)\) (For \(i=0\), the standard notion of inverting is regained).

B.2 Concrete security analysis

Here, we focus on the security of the two one-time signature schemes presented in Sect. 2.6. In particular, we analyze the efficiency (in terms of signature/key length) of Even et al.’s scheme with respect to Lamport’s one, under the additional requirement that the two schemes should achieve the same security level.

Let \(f:\{0,1\}^\ell \rightarrow \{0,1\}^\ell \) be a one-way function. In both schemes, we assume to sign messages of length \(m\). In the scheme of Even et al., \(t\) represents the block length.

Let \(\mathcal A \) be an adversary that breaks Lamport’s one-time signature scheme with probability \(\epsilon \). It is possible to prove that this leads to an adversary \(\mathcal B \) that inverts \(f\) with probability \(\frac{\epsilon }{2m}\).

Similarly, if \(\mathcal A ^{\prime }\) is an adversary that breaks Even et al.’s scheme with probability \(\epsilon ^{\prime }\), this leads to an adversary \(\mathcal B ^{\prime }\) that quasi-inverts \(f\) with probability \(\frac{\epsilon ^{\prime }}{(m/t)2^{t+1}}\) (see [21] for details).

In what follows, we restrict to the case where \(f\) is a one-way permutation (so that quasi-inverting \(f\) is equivalent to inverting \(f\)). We assume that no adversary can invert \(f\) with probability better than \(1/2^\ell \). For Lamport’s scheme, this leads to \(\frac{\epsilon }{2m}=\frac{1}{2^\ell }\), which means that one cannot forge signatures with probability better than \(\epsilon =\frac{2m}{2^\ell }\). Similarly, for Even et al.’s scheme, \(\frac{\epsilon ^{\prime }}{(m/t)2^{t+1}}=\frac{1}{2^{\ell ^{\prime }}}\) implies a security for the signature scheme of \(\epsilon ^{\prime }=\frac{m 2^{t+1-\ell ^{\prime }}}{t}\). Thus, in order for the two schemes to achieve the same security level, it has to be the case that \(\epsilon ^{\prime }=\epsilon \), which means \(\frac{2m}{2^\ell }=\frac{m 2^{t+1-\ell ^{\prime }}}{t}\).

Thus, to achieve the same security level for the two schemes, one has to use a larger security parameter for the Even et al. scheme:

$$\begin{aligned} \ell ^{\prime }=\ell +t-\log t \end{aligned}$$
(2)
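Worked out as an added intermediate step (the paper states the result without the algebra), the equality \(\epsilon ^{\prime }=\epsilon \) gives Eq. (2) as follows, with \(\log\) the base-2 logarithm, as the equality requires:

$$\begin{aligned} \frac{2m}{2^{\ell }}=\frac{m\,2^{t+1-\ell ^{\prime }}}{t} \;\Longleftrightarrow\; t\,2^{1-\ell }=2^{t+1-\ell ^{\prime }} \;\Longleftrightarrow\; \log t+1-\ell =t+1-\ell ^{\prime } \;\Longleftrightarrow\; \ell ^{\prime }=\ell +t-\log t . \end{aligned}$$

Substituting this \(\ell ^{\prime }\) into the Even et al. signature length \(d^{\prime }=((m/t)+1)\ell ^{\prime }\) and expanding the product gives Eq. (3) below term by term.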

B.3 Signature length

In Lamport’s scheme, signatures have length \(d=m\ell \). In Even et al.’s, on the other hand, the signature length is \(d^{\prime }=((m/t)+1)\ell ^{\prime }\). From Eq. (2) we get:

$$\begin{aligned} d^{\prime }=\frac{m\ell }{t}+m+\ell +t-\left( \frac{m}{t}+1\right) \log t \end{aligned}$$
(3)

Now, we want to establish for which choice of \(t\) we have \(d^{\prime }<d\). That is, for which choice of \(t\) Even et al. signatures are shorter than Lamport’s ones.

From \(\frac{m\ell }{t}+m+\ell +t-\left( \frac{m}{t}+1\right) \log t< m\ell \) one easily derives that if \(m,\ell >2\), then \(t>1\) is the required condition.

B.4 Experimental results

The relation among the variables involved in Eq. (3) is analyzed through the tabulation of realistic values. We fix the security parameter of Lamport’s scheme to \(\ell =80\) and assume messages of \(m=2\ell \) bits. For different values of \(t\), we determine the corresponding values of the Even et al. parameters \(\ell ^{\prime },d^{\prime }\) using the above relations. All these values are reported in Table 8; the signature length gain \((d-d^{\prime })\) obtained by using the EGM scheme instead of Lamport’s is emphasized too (a negative value means that using the EGM construction is self-defeating).

Table 8 Experimental results with parameters \(\ell =80, m=2\ell \)

We observe that the EGM solution wins in every realistic case: the necessary increase of the security parameter \(\ell ^{\prime }\) is minimal.
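Since the body of Table 8 is not reproduced on this page, the following added Python helper (not the paper's code or its table) recomputes \(\ell ^{\prime }\), \(d\), \(d^{\prime }\) and the gain \(d-d^{\prime }\) from Eqs. (2) and (3) for every block size \(t\) dividing \(m\), with \(\ell =80\) and \(m=2\ell \) as above; the function names are assumptions of this example.

```python
"""Evaluate Eqs. (2) and (3) of Appendix B for the parameters of Table 8.

Added helper, not the paper's code or table; it recomputes ell', d, d' and the gain
d - d' from the formulas for every block size t dividing m.
"""
import math


def egm_parameters(ell: int, m: int, t: int):
    """Return (ell', d, d', d - d') for Lamport with parameter ell and EGM with block size t."""
    if m % t:
        raise ValueError("t must divide m")
    ell_p = ell + t - math.log2(t)          # Eq. (2); a real instance rounds ell' up to an integer
    d = m * ell                             # Lamport signature length
    d_p = (m / t + 1) * ell_p               # Eq. (3)
    return ell_p, d, d_p, d - d_p


def table8(ell: int = 80, m: int = None):
    """Rows (t, ell', d, d', d - d') for all t dividing m; m defaults to 2*ell as in B.4."""
    m = 2 * ell if m is None else m
    return [(t,) + egm_parameters(ell, m, t) for t in range(1, m + 1) if m % t == 0]
```

The row for \(t=1\) comes out with a negative gain (\(\ell ^{\prime }=81\), \(d^{\prime }=13{,}041>12{,}800\)), matching the condition \(t>1\) derived in B.3, while \(t=8\) already gives \(\ell ^{\prime }=85\) and \(d^{\prime }=1{,}785\).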

C About the DLP1 reduction

Koblitz et al. [32] analyze the relations among different variants of the Discrete Log Problem. The One-More Discrete Log Problem (see Sect. 2.2), used by Crutchfield et al. [14], as well as the variant named Discrete Log Problem 1 (DLP1), are also considered. The two problems are similar, but in the latter the adversary \(\mathcal{A}\) has access to a challenge oracle that outputs random values \(y_i=g^{x_i}\) and to a Discrete Log oracle that, given \(y_i\), outputs \(x_i\) (the oracle is restricted to the challenge values \(y_i\)). \(\mathcal{A}\) is challenged to output the discrete log of a \(y_j\) that was not queried before. It is straightforward to see that the Discrete Log Problem reduces to DLP1 and that DLP1 reduces to the One-More Discrete Log Problem.

The work of Koblitz et al. contains a remark about the paper of Crutchfield et al. [14]: they claim that its security proof could be done using the weaker DLP1 assumption. They also argue about the possible equivalence between the Discrete Log Problem and DLP1, using an informal and non-tight reduction from the second to the first. It is useful to look at this relation to understand properly the implications of using the DLP1 assumption in a signature context. The obvious way to carry out this reduction is as follows: given the input \(Y\) for the Discrete Log Problem, and assuming that the adversary \(\mathcal{A}\) for DLP1 will ask at most \(t\) challenges \(y_i\), we can bet on the specific challenge \(y_{\bar{j}}\) (with \(\bar{j}\) chosen at random), using as input for \(\mathcal{A}\) the values \(y_1=g^{x_1},y_2=g^{x_2},\ldots ,y_{\bar{j}}=Y,\ldots , y_t=g^{x_t}\), where the \(x_i\) are random known values. Running \(\mathcal{A}\) on these inputs, we guess with probability \(1\over t\) the challenge that it will solve. This is a non-tight but formally correct reduction.

All our proofs in Sect. 4 are tight, and in a typical signature environment we can estimate the previous loss factor \(t\) at about \(2^{40}\). This strengthens the value of our contribution in filling the gap of an efficient way to create threshold versions of existing off-line/on-line signature schemes using standard assumptions like the discrete-log one.

Cite this article

Bresson, E., Catalano, D., Di Raimondo, M. et al. Off-line/on-line signatures revisited: a general unifying paradigm, efficient threshold variants and experimental results. Int. J. Inf. Secur. 12, 439–465 (2013). https://doi.org/10.1007/s10207-013-0200-2
