Generic security-amplifying methods of ordinary digital signatures
Introduction
Digital signatures play a central role in cryptography. The standard definition of security for a signature scheme was given by Goldwasser et al. [18]. Besides the standard security model [18], there are many weaker security models; in terms of the goals and resources of the adversary, many security models can be formed. However, signatures that are secure only in these weaker models, such as existentially unforgeable against generic chosen message attack (or weak chosen message attack) [5], [18], are not sufficient in many practical applications. In this paper, signatures that are secure against weak chosen message attack are called weakly-secure signatures. In this security model, the adversary is required to submit all of its signature queries before the signer's public key is published, so none of the queried messages can depend on the public key.
Obviously, because of this limitation on signature queries, a signature scheme that is provably secure only in this weak model may be insecure in many practical applications, where the adversary sees the public key before choosing the messages it asks to have signed. There have been many attempts to design practical signature schemes that are provably secure in the standard security model [18]. These methods can be divided into two categories, namely concrete constructions and generic constructions.
There are many concrete constructions of signature schemes based on standard assumptions, such as the discrete logarithm problem [28], [30], the computational Diffie–Hellman problem [6], [17], [34] and the factoring problem [3]. Some constructions based on other assumptions [29], [36] have also been proposed. Though they are efficient, their security can only be proven in the random oracle model. As is well known, Canetti et al. [9] have shown that there exist cryptosystems which are provably secure in the random oracle model but become insecure when the random oracle is instantiated by any real-world hash function. Over the last decades, several signature schemes have been proposed in the standard model based on stronger complexity assumptions, such as [5], [8], [12], [16], [20]. Among them, the most efficient schemes are based on the Strong-RSA assumption [12], [16] and the q-strong Diffie–Hellman (q-SDH) assumption [5], which are cryptographically stronger than the computational Diffie–Hellman and RSA assumptions.
There are also many generic constructions of signatures from basic cryptographic primitives, such as (trapdoor) one-way functions [1], [22]. Many generic constructions from other cryptographic protocols have also been proposed, such as from non-interactive zero-knowledge proofs [19], [11], [15]. Among them, the most famous one is the Fiat–Shamir (FS) transform [15]. However, its security relies on the random oracle model. To avoid the random oracle model, Cramer and Damgård [11] gave another generic transformation from Σ-protocols. However, this conversion is not practical because it uses an authentication tree. Very recently, Bellare and Shoup [4] showed a simple transform that constructs standard and strongly secure signatures from a Σ-protocol, using two-tier signatures as a tool.
In this paper, we first present three new paradigms that transform any weakly-secure signature scheme into a fully-secure signature scheme. These three paradigms are called sequential composition with one-time signature, sequential composition, and parallel composition, respectively. To the best of our knowledge, our paper is the first to observe that only two weakly-secure signature schemes are required to obtain a fully-secure signature. This paper therefore contributes towards the goal of obtaining efficient constructions from standard assumptions. Motivated by the results of [23], Huang et al. [21] showed how to construct a strongly unforgeable signature from a weakly-secure signature, and Li et al. [24] showed two generic construction methods that obtain an unforgeable signature scheme from a weakly-secure signature scheme. Thus, these results are of interest from both theoretical and practical perspectives. More specifically, the three paradigms are as follows:
- Sequential composition with one-time signature: This paradigm requires one weak signature scheme and an ordinary one-time signature scheme. The key pair of the weak signature scheme is generated in the key generation algorithm and is used to sign the public key of the one-time signature, which is generated freshly in the signing algorithm; the one-time secret key is then used to sign the message.
- Sequential composition (of weak signatures): This paradigm uses two weak signature schemes sequentially. The key pair of the first weak signature scheme is generated in the key generation algorithm. During the signing algorithm, another key pair of the weak signature scheme is generated; the first secret key is used to sign the new public key, and the new secret key is used to sign the message.
- Parallel composition (of weak signatures): Two weak signature schemes are also required in this paradigm, but both key pairs are generated in the key generation algorithm and are used to sign two random and related messages.
We also show several efficient instantiations without random oracles, converted from two weakly-secure signature schemes. The first two paradigms are very efficient in key generation compared to the last, whereas the signing algorithm of the last paradigm is more efficient. By coincidence, when instantiated from the weak signature scheme of [16], the construction is similar to the twin signature scheme [26]; in fact, the last paradigm can be viewed as a generalization and extension of the twin signature scheme [26]. Recently, another notion, strong existential unforgeability, has received attention in many works, such as [7], [21], [33].
In Section 2, the definitions of the signature variants are given. Then, two previous instantiations of weakly-secure signature schemes are reviewed in Section 3. In Section 4, three generic transformation techniques are proposed. In Section 5, several instantiations from sequential composition with one-time signature are presented. In Section 6, instantiations from the sequential composition method are given. In Section 7, we show two instantiations from the parallel composition method. The conclusion is given in Section 8.
Preliminaries
A signature scheme is defined by the following algorithms:
- Key generation algorithm Gen. On input 1^k, where k is the security parameter, it outputs a public/secret key pair (pk, sk).
- Signing algorithm Sign. On input a message m and the secret key sk, it outputs a signature σ.
- Verification algorithm Verify. Given the public key pk, a message m and a signature σ, Verify(pk, m, σ) outputs 1 if σ is a valid signature on m under pk (in particular, for every σ output by Sign(sk, m)); otherwise it outputs 0.
In terms of the adversary's goals, attacks can be divided into four categories: (1) Total break:
Instantiations of weak signatures
It has been shown in [5], [16] that weakly-secure signature schemes can be constructed in the standard model based on the q-SDH assumption and the Strong-RSA assumption, respectively.
Fully-secure signatures from weakly-secure signatures
There are two main techniques in the literature to obtain fully-secure signatures from weakly-secure signatures. (1) Random oracle model: by hashing the messages before signing, without changing the other algorithms, the resulting signatures are fully-secure owing to the programmability (back-patching) of the random oracle [2]. This method was used in [5], [36]. (2) Chameleon hash function: by combining weakly-secure signatures with a chameleon hash function, the signer can first sign any value with the weak
Fully-secure signature from weak Boneh–Boyen signature
Next, we describe the fully-secure signature obtained from the weakly-secure signature [5] and . We describe how to obtain a fully-secure signature, denoted S-WBB-OTS, by applying the sequential composition method with one-time signature to the weak Boneh–Boyen signature scheme. The public parameters are the same as those of the weak Boneh–Boyen signature. Let be a one-time signature scheme. In addition, define a collision-resistant hash function .
1. Gen: Pick , compute y = g^x. The
Fully-secure signature from weak Boneh–Boyen signature
We describe how to obtain a fully-secure signature, denoted S-WBB, by applying the sequential composition method to the weak Boneh–Boyen signature scheme. The public parameters are the same as those of the weak Boneh–Boyen signature, except that a collision-resistant hash function is additionally chosen.
1. Gen: Pick , compute y = g^x. The public key is y and the secret key is x.
2. Sign: Given a message , the signer chooses a random , computes , and outputs the signature σ = (A, B, C), where
Instantiations from parallel composition method
In the following two instantiations, we use the concrete relation given in Section 4.3: , if and only if a ⊕ b = H(c). This relation must be described in the system public parameters in both of the following examples.
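The three paradigms of the Introduction and the relation a ⊕ b = H(c) above, as an added worked example that is not the paper's code. It treats a scheme as the (Gen, Sign, Verify) triple of Section 2 and writes the transforms generically over it. The assumptions are all mine: the base scheme is a toy Schnorr signature over a freshly generated prime-order subgroup with toy parameter sizes (a standard-library stand-in, not the paper's weak Boneh–Boyen or Strong-RSA instantiations, and one whose own proof already needs a random oracle); the one-time scheme is a Lamport signature; a certified inner public key is signed through a collision-resistant hash of its encoding; a parallel signature has the form (a, σ1, σ2) with a fresh random a and b = a ⊕ H(m); the sample message is constructed; and the names Scheme, find, sequential, parallel, check and demo are my own.

```python
# Added example, not the paper's code. Assumptions: the base scheme is a toy Schnorr signature
# in a fresh prime-order subgroup (a stand-in, NOT the paper's weak Boneh-Boyen/GHR; toy sizes);
# the one-time scheme is Lamport; a parallel signature is (a, sigma1, sigma2) with b = a XOR H(m).
import hashlib
import secrets
from collections import namedtuple

# The (Gen, Sign, Verify) triple of the Preliminaries plus an encoder so a pk can itself be signed:
# gen() -> (pk, sk); sign(sk, m) -> sigma; verify(pk, m, sigma) -> bool; encode_pk(pk) -> bytes.
Scheme = namedtuple("Scheme", "gen sign verify encode_pk")

def H(*parts: bytes) -> bytes:  # collision-resistant hash over length-prefixed parts
    return hashlib.sha256(b"".join(len(p).to_bytes(4, "big") + p for p in parts)).digest()

def i2b(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")

def is_probable_prime(n: int, rounds: int = 32) -> bool:  # Miller-Rabin, demo grade
    if n < 5 or n % 2 == 0:
        return n in (2, 3)
    r = ((n - 1) & (1 - n)).bit_length() - 1   # n - 1 = d * 2^r with d odd
    d = (n - 1) >> r
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x not in (1, n - 1) and all((x := pow(x, 2, n)) != n - 1 for _ in range(r - 1)):
            return False  # this base is a witness of compositeness
    return True

def find(candidate, ok):  # draw candidates until one passes the test
    return next(c for c in iter(candidate, None) if ok(c))

def schnorr_scheme(qbits: int = 160) -> Scheme:
    """Stand-in base scheme: Schnorr in an order-q subgroup of Z_p^*, p = kq + 1 (toy sizes)."""
    q = find(lambda: secrets.randbits(qbits) | 1 << (qbits - 1) | 1, is_probable_prime)
    k = find(lambda: 2 * (secrets.randbits(qbits) + 1), lambda k: is_probable_prime(k * q + 1))
    p = k * q + 1
    g = next(pow(h, k, p) for h in range(2, 100) if pow(h, k, p) != 1)  # order exactly q
    def gen():
        x = secrets.randbelow(q - 1) + 1
        return pow(g, x, p), x
    def sign(x, m):
        r = secrets.randbelow(q - 1) + 1
        R, y = pow(g, r, p), pow(g, x, p)
        e = int.from_bytes(H(i2b(R), i2b(y), m), "big") % q
        return R, (r + e * x) % q
    def verify(y, m, sig):
        R, s = sig
        e = int.from_bytes(H(i2b(R), i2b(y), m), "big") % q
        return 0 < R < p and pow(g, s, p) == R * pow(y, e, p) % p
    return Scheme(gen, sign, verify, i2b)

def lamport_scheme() -> Scheme:
    """One-time signature on the 256-bit digest of the message (Lamport)."""
    bits = lambda m: [(int.from_bytes(H(m), "big") >> i) & 1 for i in range(256)]
    def gen():
        sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
        return [(H(s0), H(s1)) for s0, s1 in sk], sk
    def sign(sk, m):
        return [sk[i][b] for i, b in enumerate(bits(m))]
    def verify(pk, m, sig):
        return len(sig) == 256 and all(H(sig[i]) == pk[i][b] for i, b in enumerate(bits(m)))
    return Scheme(gen, sign, verify, lambda pk: b"".join(h0 + h1 for h0, h1 in pk))

def sequential(outer: Scheme, inner: Scheme) -> Scheme:
    """Paradigms 1 and 2: the long-term outer key certifies a fresh inner public key on every
    signature; that inner key signs the message once.  inner = OTS gives 1, inner = weak gives 2."""
    def sign(sk, m):
        ipk, isk = inner.gen()
        return ipk, outer.sign(sk, H(inner.encode_pk(ipk))), inner.sign(isk, m)
    def verify(pk, m, sig):
        ipk, cert, s_msg = sig
        return outer.verify(pk, H(inner.encode_pk(ipk)), cert) and inner.verify(ipk, m, s_msg)
    return Scheme(outer.gen, sign, verify, outer.encode_pk)

def parallel(weak: Scheme) -> Scheme:
    """Paradigm 3: two long-term keys sign a and b with a XOR b = H(m), a fresh and random."""
    xor = lambda u, v: bytes(x ^ y for x, y in zip(u, v))
    def gen():
        (pk1, sk1), (pk2, sk2) = weak.gen(), weak.gen()
        return (pk1, pk2), (sk1, sk2)
    def sign(sk, m):
        a = secrets.token_bytes(32)
        return a, weak.sign(sk[0], a), weak.sign(sk[1], xor(a, H(m)))
    def verify(pk, m, sig):
        a, s1, s2 = sig
        return len(a) == 32 and weak.verify(pk[0], a, s1) and weak.verify(pk[1], xor(a, H(m)), s2)
    return Scheme(gen, sign, verify, lambda pk: weak.encode_pk(pk[0]) + weak.encode_pk(pk[1]))

def check(full: Scheme, m: bytes) -> tuple:
    """Sign m, then verify the real and a tampered message: expect (True, True)."""
    pk, sk = full.gen()
    sig = full.sign(sk, m)
    return full.verify(pk, m, sig), not full.verify(pk, m + b"!", sig)

def demo(m: bytes = b"transfer 10 EUR") -> dict:  # m is a constructed sample message
    weak = schnorr_scheme()  # one base scheme instance shared by all three paradigms
    return {"seq+OTS": check(sequential(weak, lamport_scheme()), m),
            "seq": check(sequential(weak, weak), m), "par": check(parallel(weak), m)}
```

demo() returns {"seq+OTS": (True, True), "seq": (True, True), "par": (True, True)}. The structure is what matters: in both sequential variants the long-term key never signs the message itself, only the hash of a public key the signer drew at random, and a signature carries that inner key along with its certificate, so an inner key the verifier has not seen certified is rejected; in the parallel variant the fresh a makes both signed values a and b look random whatever message is chosen. The cost profile matches the Introduction's remark: the sequential variants pay one extra key generation per signature, the parallel variant pays two key generations once and two base signatures per message.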
Conclusion
Three new paradigms are proposed to obtain a fully-secure signature scheme from any scheme that satisfies only the weak security notion of existential unforgeability against generic chosen message attacks. The sequential composition methods (with and without a one-time signature) are very efficient in the key generation algorithm compared to the parallel composition method. However, if the key generation algorithm of the weak signature costs more than the weak signature's signing algorithm, then,
Acknowledgements
This work is partially supported by the National Natural Science Foundation of China (No. 61100224) and Foundation for Distinguished Young Talents in Higher Education of Guangdong, China. The second author is supported by the National Natural Science Foundation of China (No. 61070168). The third author is supported by the National Natural Science Foundation of China (No. 60970144).
References (36)
- et al., Two extensions of the ring signature scheme of Rivest–Shamir–Taumann, Information Sciences (2012)
- et al., Efficient certificateless proxy signature scheme with provable security, Information Sciences (2012)
- et al., Forward-secure identity-based signature: security notions and construction, Information Sciences (2011)
- et al. (1992)
- et al., Random Oracles are Practical: A Paradigm for Designing Efficient Protocols, CCS (1993)
- et al., The exact security of digital signatures: how to sign with RSA and Rabin
- et al., Two-tier signatures, strongly unforgeable signatures, and Fiat–Shamir without random oracles
- et al., Short signatures without random oracles
- et al., Short signatures from the Weil pairing
- et al., Strongly unforgeable signatures based on computational Diffie–Hellman
- Signature schemes and anonymous credentials from bilinear maps
- Security analysis of the Gennaro–Halevi–Rabin signature scheme
- Secure signature schemes based on interactive protocols
- Signature schemes based on the strong RSA assumption, ACM TISSEC
- On-line/off-line digital signatures, Journal of Cryptology
- How to prove yourself: practical solutions to identification and signature problems
- Secure Hash-and-Sign signatures without the random oracle