Attacking and Repairing Batch Verification Schemes

Batch verification can provide large computational savings when several signatures, or other constructs, are verified together. Several batch verification algorithms have been published in recent years, in particular for both DSA-type and RSA signatures. We describe new attacks on several of these published schemes. A general weakness is explained which applies to almost all known batch verifiers for discrete logarithm based signature schemes. It is shown how this weakness can be eliminated given extra properties of the underlying group structure. A new general batch verifier for exponentiation in any cyclic group is also described, along with a batch verifier for modified RSA signatures.
