One-way functions are necessary and sufficient for secure signatures

Much research in theoretical cryptography has been centered around finding the weakest possible cryptographic assumptions required to implement major primitives. Ever since Diffie and Hellman first suggested that modern cryptography be based on one-way functions (which are easy to compute, but hard to invert) and trapdoor functions (one-way functions which are, however, easy to invert given an associated secret), researchers have been busy trying to construct schemes that only require one of these general assumptions. For example, pseudorandom generators at first could only be constructed from a specific hard problem, such as discrete log IBM2]. Later it was shown how to construct pseudo-random generators given any one-way permutation [Y], and from other weak forms of one-way functions [Le, GKL]. Finally JILL] proved that the existence of any one-way function was a necessary and sufficient condition for the existence of pseudo-random generators. Similarly, the existence of trapdoor permutations can be shown to be necessary and sufficient for secure encryption schemes. However, progress on characterizing the requirements for secure digital signatures has been slower in coming. We will be interested in signature schemes which are secure agMnst existential forgery under adaptive chosen message attacks. This notion of security, as well as the first construction of digital signatures secure in this sense was provided by [GMR]. Their scheme was based on factoring, or more generally, the existence of clawfree pairs. More recently, signatures based on any trap*supported in p a r t b y a N a t i o n a l Science F o u n d a t i o n G r a d u a t e Fellowship, D A R P A c o n t r a c t N00014-80-C-0622, a n d Air Force G r a n t A F S O R - 8 6 - 0 0 7 8