
How (Not) to design strong-RSA signatures

Designs, Codes and Cryptography

Abstract

This paper considers strong-RSA signature schemes built from the scheme of Cramer and Shoup. We present a basic scheme encompassing the main features of the Cramer-Shoup scheme. We analyze its security in both the random oracle model and the standard model. This helps us to spot potential security flaws. As a result, we show that a seemingly secure signature scheme (Tan in Int J Security Netw 1(3/4): 237–242, 2006) is universally forgeable under a known-message attack. In a second step, we discuss how to turn the basic scheme into a fully secure signature scheme. Doing so, we rediscover several known schemes (or slight variants thereof).


References

  1. Barić N., Pfitzmann B.: Collision-free accumulators and fail-stop signature schemes without trees. In: Fumy, W. (ed.) Advances in Cryptology – EUROCRYPT ’97, volume 1233 of Lecture Notes in Computer Science, pp. 480–494. Springer-Verlag, Berlin (1997).

  2. Bellare M., Rogaway P.: Random oracles are practical: a paradigm for designing efficient protocols. In: 1st ACM Conference on Computer and Communications Security, pp. 62–73. ACM Press (1993).

  3. Bellare M., Rogaway P.: The exact security of digital signatures: how to sign with RSA and Rabin. In: Maurer, U. (ed.) Advances in Cryptology – EUROCRYPT ’96, volume 1070 of Lecture Notes in Computer Science, pp. 399–416. Springer-Verlag, Berlin (1996).

  4. Camenisch J., Lysyanskaya A.: A signature scheme with efficient protocols. In: Security in Communication Networks (SCN 2002), volume 2676 of Lecture Notes in Computer Science, pp. 268–289. Springer-Verlag, Berlin (2002).

  5. Canetti R., Goldreich O., Halevi S.: The random oracle methodology, revisited. In: 30th Annual ACM Symposium on Theory of Computing (STOC ’98), pp. 209–217 (1998).

  6. Cao Z., Liu L.: A strong RSA signature scheme and its applications. In: 8th ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing, pp. 111–115. IEEE Computer Society (2007).

  7. Catalano D., Gennaro R.: Cramer-Damgård signatures revisited: efficient flat-tree signatures based on factoring. In: Vaudenay, S. (ed.) Public Key Cryptography – PKC 2005, volume 3386 of Lecture Notes in Computer Science, pp. 313–327. Springer-Verlag, Berlin (2005).

  8. Chevallier-Mames B., Joye M.: A practical and tightly secure signature scheme without hash function. In: Abe, M. (ed.) Topics in Cryptology – CT-RSA 2007, volume 4377 of Lecture Notes in Computer Science, pp. 339–356. Springer-Verlag, Berlin (2007).

  9. Coron J.-S., Naccache D.: Security analysis of the Gennaro-Halevi-Rabin signature scheme. In: Preneel, B. (ed.) Advances in Cryptology – EUROCRYPT 2000, volume 1807 of Lecture Notes in Computer Science, pp. 91–101. Springer-Verlag, Berlin (2000).

  10. Cramer R., Damgård I.: New generation of secure and practical RSA-based signatures. In: Koblitz, N. (ed.) Advances in Cryptology – CRYPTO ’96, volume 1109 of Lecture Notes in Computer Science, pp. 173–185. Springer-Verlag, Berlin (1996).

  11. Cramer R., Shoup V.: Signature scheme based on the strong RSA assumption. ACM Trans. Inf. Syst. Secur. 3(3), 161–185 (2000). An earlier version appears in: 6th ACM Conference on Computer and Communications Security, pp. 46–51. ACM Press (1999).

  12. Diffie W., Hellman M.: New directions in cryptography. IEEE Trans. Inf. Theory IT-22(6), 644–654 (1976).

  13. Dodis Y., Oliveira R., Pietrzak K.: On the generic insecurity of the full domain hash. In: Shoup, V. (ed.) Advances in Cryptology – CRYPTO 2005, volume 3621 of Lecture Notes in Computer Science, pp. 449–466. Springer-Verlag, Berlin (2005).

  14. Dwork C., Naor M.: An efficient existentially unforgeable signature scheme and its applications. In: Desmedt, Y. (ed.) Advances in Cryptology – CRYPTO ’94, volume 839 of Lecture Notes in Computer Science, pp. 234–246. Springer-Verlag, Berlin (1994).

  15. Fischlin M.: The Cramer-Shoup strong-RSA signature scheme revisited. In: Desmedt, Y. (ed.) Public Key Cryptography – PKC 2003, volume 2567 of Lecture Notes in Computer Science, pp. 116–129. Springer-Verlag, Berlin (2003).

  16. Fujisaki E., Okamoto T.: Statistical zero-knowledge protocols to prove modular polynomial equations. In: Kaliski, B. (ed.) Advances in Cryptology – CRYPTO ’97, volume 1294 of Lecture Notes in Computer Science, pp. 16–30. Springer-Verlag, Berlin (1997).

  17. Gennaro R., Halevi S., Rabin T.: Secure hash-and-sign signatures without the random oracle. In: Bellare, M. (ed.) Advances in Cryptology – EUROCRYPT ’99, volume 1592 of Lecture Notes in Computer Science, pp. 123–139. Springer-Verlag, Berlin (1999).

  18. Goldreich O.: Two remarks concerning the Goldwasser-Micali-Rivest signature scheme. In: Odlyzko, A. (ed.) Advances in Cryptology – CRYPTO ’86, volume 263 of Lecture Notes in Computer Science, pp. 104–110. Springer-Verlag, Berlin (1986).

  19. Goldwasser S., Micali S., Rivest R.: A digital signature scheme secure against adaptive chosen message attacks. SIAM J. Comput. 17(2), 281–308 (1988).

  20. Hofheinz D., Kiltz E.: Programmable hash functions and their applications. In: Wagner, D. (ed.) Advances in Cryptology – CRYPTO 2008, volume 5157 of Lecture Notes in Computer Science, pp. 21–38. Springer-Verlag, Berlin (2008).

  21. Joye M., Lin H.-M. et al.: On the TYS signature scheme. In: Gavrilova, M. (ed.) Computational Science and Its Applications – ICCSA 2006, volume 3982 of Lecture Notes in Computer Science, pp. 338–344. Springer-Verlag, Berlin (2006).

  22. Katz J., Wang N.: Efficiency improvements for signature schemes with tight security reductions. In: 10th ACM Conference on Computer and Communications Security, pp. 155–164. ACM Press (2003).

  23. Krawczyk H., Rabin T.: Chameleon signatures. In: Symposium on Network and Distributed System Security – NDSS 2000, pp. 143–154. Internet Society (2000).

  24. Kurosawa K., Schmidt-Samoa K. et al.: New online/offline signature schemes without random oracles. In: Yung, M. (ed.) Public Key Cryptography – PKC 2006, volume 3958 of Lecture Notes in Computer Science, pp. 330–346. Springer-Verlag, Berlin (2006).

  25. Menezes A., Smart N.: Security of signature schemes in a multi-user setting. Des. Codes Cryptogr. 33(3), 261–274 (2004).

  26. Naccache D., Pointcheval D., Stern J.: Twin signatures: an alternative to the hash-and-sign paradigm. In: 8th ACM Conference on Computer and Communications Security, pp. 20–27. ACM Press (2001).

  27. Naor M., Yung M.: Universal one-way hash functions and their cryptographic applications. In: 21st Annual ACM Symposium on Theory of Computing (STOC ’89), pp. 33–43. ACM Press (1989).

  28. Paillier P.: Impossibility proofs for RSA signatures in the standard model. In: Abe, M. (ed.) Topics in Cryptology – CT-RSA 2007, volume 4377 of Lecture Notes in Computer Science, pp. 31–48. Springer-Verlag, Berlin (2007).

  29. Popescu C.: A modification of the Cramer-Shoup digital signature scheme. Studia Univ. Babeş-Bolyai Informatica XLVII(2), 27–35 (2002).

  30. Rivest R.L., Shamir A., Adleman L.M.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978).

  31. Tan C.H.: A secure signature scheme. In: Onoe, S., et al. (eds.) 2006 International Conference on Wireless Communications and Mobile Computing (IWCMC 2006), pp. 195–200. ACM Press (2006).

  32. Tan C.H.: A new signature scheme without random oracles. Int. J. Secur. Netw. 1(3/4), 237–242 (2006).

  33. Tan C.H., Yi X., Siew C.K.: A new provably secure signature scheme. IEICE Trans. Fundam. E86-A(10), 2633–2635 (2003).

  34. Yu P., Tate S.R.: Online/offline signature schemes for devices with limited capabilities. In: Malkin, T. (ed.) Topics in Cryptology – CT-RSA 2008, volume 4964 of Lecture Notes in Computer Science, pp. 301–317. Springer-Verlag, Berlin (2008).

  35. Zhu H.: New digital signature scheme attaining immunity against adaptive chosen message attack. Chin. J. Electron. 10(4), 484–486 (2001).

  36. Zhu H.: A formal proof of Zhu’s signature scheme. Cryptology ePrint Archive, Report 2003/155 (2003).


Correspondence to Marc Joye.


Joye, M. How (Not) to design strong-RSA signatures. Des. Codes Cryptogr. 59, 169–182 (2011). https://doi.org/10.1007/s10623-010-9453-1
