Elsevier

Information Sciences

Volume 201, 15 October 2012, Pages 128-139

Generic security-amplifying methods of ordinary digital signatures

https://doi.org/10.1016/j.ins.2012.03.006

Abstract

Digital signatures are one of the most fundamental primitives in cryptography. In this paper, three new paradigms are proposed to obtain signatures that are secure against existential forgery under adaptively chosen message attacks (fully-secure, in short) from any weakly-secure signature. These transformations are generic, simple, and provably secure in the standard model. In the first paradigm, the construction of a fully-secure signature scheme from a weakly-secure signature scheme additionally requires a one-time signature. The other two, however, are built only on weakly-secure signatures. To the best of our knowledge, this paper is the first to observe that two weakly-secure signature schemes are sufficient to construct a fully-secure signature scheme.

Based on the newly proposed paradigms, several efficient instantiations without random oracles are also presented. We also show that these fully-secure signature schemes have many interesting properties in applications.

Introduction

Digital signatures play a central role in cryptography. The standard definition of security for a signature scheme was given by Goldwasser et al. [18]. Alongside the standard security model [18], there are also many weaker security models; in fact, many security models can be formed by varying the goals and resources of the adversary. However, signatures in these weak security models, such as existential unforgeability against generic chosen message attack (or weak chosen message attack) [5], [18], are not sufficient in many practical applications. In this paper, signatures that are secure against weak chosen message attack are called weakly-secure signatures. In this security model, the adversary is required to submit all signature queries before the signer’s public key is published.

Obviously, because of this limitation on signature queries, a signature that is provably secure in this weak model will be insecure in many practical applications. There have been many attempts to design practical and provably secure signature schemes in the standard security model [18]. These methods can be divided into two categories, namely concrete constructions and generic constructions.

There are many concrete constructions of signature schemes based on standard assumptions, such as the discrete logarithm problem [28], [30], the computational Diffie–Hellman problem [6], [17], [34], and the factoring problem [3]. Some constructions based on other assumptions [29], [36] have also been proposed. Though they are efficient, their security can only be proven in the random oracle model. As is well known, Canetti et al. [9] showed that some popular cryptosystems previously proved secure in the random oracle model are actually insecure when the random oracle is instantiated by any real-world hash function. Over the last decades, several signature schemes have been proposed in the standard model based on stronger complexity assumptions, such as [5], [8], [12], [16], [20]. Among them, the most efficient schemes are based on the Strong-RSA assumption [12], [16] and the q-strong Diffie–Hellman (q-SDH) assumption [5], which are cryptographically stronger than the computational Diffie–Hellman and RSA assumptions.

There are also many generic constructions of signatures based on basic cryptographic primitives, such as (trapdoor) one-way functions [1], [22]. Many generic constructions from other cryptographic protocols have also been proposed, such as from non-interactive zero-knowledge proofs [19], [11], [15]. Among them, the most famous is the Fiat–Shamir (FS) transform [15]. However, its security relies on the random oracle model. To avoid the random oracle model, Cramer and Damgård [11] gave another generic transformation from Σ protocols. However, this conversion is not practical because it uses an authentication tree. Very recently, Bellare and Shoup [4] showed a simple transform for constructing standard and strongly secure signatures from Σ protocols, using the tool of two-tier signatures.

Firstly, we present three new paradigms to transform any weakly-secure signature scheme into a fully-secure signature scheme. More precisely, these three paradigms are called sequential composition with one-time signature, sequential composition, and parallel composition, respectively. To the best of our knowledge, our paper is the first to observe that only two weakly-secure signature schemes are required to get fully-secure signatures. Therefore, this paper makes a contribution towards the goal of obtaining efficient constructions from standard assumptions. Motivated by the results of [23], Huang et al. [21] showed how to construct a strongly unforgeable signature from a weakly-secure signature, and Li et al. [24] showed two generic construction methods to get an unforgeable signature scheme from a weakly-secure signature scheme. Thus, these results are of interest from both the theoretical and the practical perspective. More specifically, the three paradigms are described as follows:

  • Sequential composition with one-time signature: This paradigm requires one weak signature scheme and an ordinary one-time signature. The key pair of the weak signature scheme is generated in the key generation algorithm and used to sign the public key of the one-time signature, which is generated in the signing algorithm.

  • Sequential composition (of weak signatures): This paradigm uses two weak signature schemes sequentially. The key pair of the first weak signature scheme is generated in the key generation algorithm. During the signing algorithm, another weak-signature key pair is generated. The first secret key is used to sign the other public key, and the other secret key is used to sign the message.

  • Parallel composition (of weak signatures): Two weak signature schemes are also required in this paradigm; however, both of their key pairs are generated in the key generation algorithm and used to sign two random, related messages.
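The sequential composition of weak signatures, as an added example written for this page rather than code from the paper: Gen makes one long-term key pair, Sign makes a second key pair per message and chains the two, and Verify checks both links. Ed25519 from the Go standard library stands in for both weakly-secure schemes (any secure scheme is in particular weakly-secure), SHA-256 stands in for the collision-resistant hash H, and the names FullSig, hashPK, Gen, Sign and Verify are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// FullSig is a signature of the composed scheme: the fresh per-message
// public key pk2, the certificate on it under pk1, and the signature on m.
type FullSig struct {
	PK2  ed25519.PublicKey // generated inside Sign, never reused
	Cert []byte            // Sign1(sk1, H(pk2)) under the long-term key
	Sig  []byte            // Sign2(sk2, m) under the fresh key
}

// hashPK stands in for the collision-resistant hash H: G1 -> Z_p that maps
// the inner public key into the outer scheme's message space (assumption).
func hashPK(pk ed25519.PublicKey) []byte {
	h := sha256.Sum256(pk)
	return h[:]
}

// Gen produces only the long-term key pair (pk1, sk1), as in the paradigm.
func Gen() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign draws a fresh inner key pair, certifies H(pk2) with sk1, then signs m
// with sk2. The outer key only ever signs signer-chosen random values (the
// weak-security setting); the inner key signs one message and is discarded.
func Sign(sk1 ed25519.PrivateKey, m []byte) (FullSig, error) {
	pk2, sk2, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return FullSig{}, err
	}
	return FullSig{
		PK2:  pk2,
		Cert: ed25519.Sign(sk1, hashPK(pk2)),
		Sig:  ed25519.Sign(sk2, m),
	}, nil
}

// Verify checks both links of the chain: pk1 certifies H(pk2), pk2 signs m.
func Verify(pk1 ed25519.PublicKey, m []byte, s FullSig) bool {
	if len(s.PK2) != ed25519.PublicKeySize {
		return false // malformed inner key; ed25519.Verify would panic
	}
	return ed25519.Verify(pk1, hashPK(s.PK2), s.Cert) && ed25519.Verify(s.PK2, m, s.Sig)
}
```

Swapping in an inner key that pk1 never certified must fail the first check, which is what stops an attacker from signing arbitrary messages with a key of their own choosing.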

We also show several efficient instantiations without random oracles, converted from two weakly-secure signature schemes. The first two paradigms are very efficient in key generation compared to the last. However, the signing algorithm of the last paradigm is more efficient. By coincidence, when instantiated from the weak signature scheme of [16], the construction is similar to the twin signature scheme [26]. In fact, the last paradigm can be viewed as a generalization and extension of the twin signature scheme [26]. Recently, another notion, called strong existential unforgeability, has been addressed by many contributions, such as [7], [21], [33].

In Section 2, the definitions of the signature variants are given. Then, two previous instantiations of weakly-secure signature schemes are reviewed in Section 3. In Section 4, three generic transformation techniques are proposed. In Section 5, several instantiations from sequential composition with a one-time signature scheme are presented. In Section 6, instantiations from the sequential composition method are given. In Section 7, we show two instantiations from the parallel composition method. The conclusion is given in Section 8.

Preliminaries

A signature scheme is defined by the following algorithms:

  • Key generation algorithm Gen. On input 1^k, where k is the security parameter, it outputs (pk, sk) as public and secret keys.

  • Signing algorithm Sign. On input a message m and sk, it outputs a signature σ.

  • Verification algorithm Verify. Given public key pk, message m and signature σ, algorithm Verify(pk, m, σ) outputs 1 if σ is a valid signature on m under pk, i.e., a possible output of Sign(sk, m); otherwise it outputs 0.

In terms of the adversary’s goals, attacks can be divided into four categories: (1) Total break:

Instantiations of weak signatures

It has been shown in [5], [16] that two weakly-secure signature schemes can be constructed, based on the q-SDH assumption and Strong-RSA assumption, respectively, in the standard model.

Fully-secure signatures from weakly-secure signatures

There are two main techniques in the literature to get fully-secure signatures from weakly-secure signatures. (1) Random oracle model: by hashing the messages before signing, without changing the other algorithms, the new signatures can be proven fully-secure using the back-patching property of the random oracle [2]. This method was used in [5], [36]. (2) Chameleon hash function: by combining weakly-secure signatures with a chameleon hash function, the signer can first sign any value with the weak

Fully-secure signature from weak Boneh–Boyen signature

Next, we describe the fully-secure signature built from the weakly-secure signature of [5] and an OTS. We describe how to get a fully-secure signature, denoted S-WBB-OTS, by applying the sequential composition method with one-time signature to the weak Boneh–Boyen signature scheme. The public parameters are similar to those of the weak Boneh–Boyen signature. Let OTS = (OGen, OSign, OVerify) be a one-time signature. Meanwhile, define a collision-resistant hash function H: {0,1}* → Z_p.

  1. Gen: Pick x ∈ Z_p, compute y = g^x. The

Fully-secure signature from weak Boneh–Boyen signature

We describe how to get a fully-secure signature, denoted S-WBB, by applying the sequential composition method to the weak Boneh–Boyen signature scheme. The public parameters are similar to those of the weak Boneh–Boyen signature, except that a collision-resistant hash function H: G_1 → Z_p is chosen additionally.

  1. Gen: Pick x ∈ Z_p, compute y = g^x. The public key is y and the secret key is x.

  2. Sign: Given message m ∈ Z_p, the signer chooses a random x′ ∈ Z_p, computes y′ = g^{x′}, and outputs the signature σ = (A, B, C), where A = g

Instantiations from parallel composition method

In the following two instantiations, we will use the concrete relation R given in Section 4.3: ((a, b), c) ∈ R if and only if a  b = H(c). The relation should be described in the system public parameters in both of the following examples.

Conclusion

Three new paradigms are proposed to obtain a fully-secure signature scheme from any scheme that satisfies only the weak security notion called existential unforgeability against generic chosen message attacks. The sequential composition methods (with and without one-time signature) are very efficient in the key generation algorithm compared to the parallel composition method. However, if the computation cost of the weak signature’s key generation algorithm is more than that of the weak signature’s signing algorithm, then,

Acknowledgements

This work is partially supported by the National Natural Science Foundation of China (No. 61100224) and Foundation for Distinguished Young Talents in Higher Education of Guangdong, China. The second author is supported by the National Natural Science Foundation of China (No. 61070168). The third author is supported by the National Natural Science Foundation of China (No. 60970144).

References (36)

  • J. Camenisch et al., Signature schemes and anonymous credentials from bilinear maps.
  • R. Canetti, O. Goldreich, S. Halevi, The Random Oracle Methodology, Revisited, STOC 1998, ACM, 1998, pp....
  • J.-S. Coron et al., Security analysis of the Gennaro–Halevi–Rabin signature scheme.
  • R. Cramer et al., Secure signature schemes based on interactive protocols.
  • R. Cramer et al., Signature schemes based on the strong RSA assumption, ACM TISSEC (2000).
  • S. Even et al., On-line/off-line digital signatures, Journal of Cryptology (1996).
  • A. Fiat et al., How to prove yourself: practical solutions to identification and signature problems.
  • R. Gennaro et al., Secure Hash-and-Sign signatures without the random oracle.

An extended abstract of this paper has appeared in the proceedings of ACNS’08 [24].