A Provably Secure Nyberg-Rueppel Signature Variant with Applications

This paper analyzes the modified Nyberg-Rueppel signature scheme (mNR), proving it secure in the Generic Group Model (GM). We also show that the security of the mNR signature is equivalent (in the standard model) to that of a twin signature [32], while achieving computational and bandwidth improvements. As a provably secure signature scheme, mNR is very efficient. We demonstrate its practical relevance by providing an application to the construction of a provably secure, self-certified, identity-based scheme (SCID). SCID schemes combine some of the best features of both PKI-based schemes (functionally trusted authorities, public keys revocable without the need to change identifier strings) and ID-based ones (lower bandwidth requirements). The new SCID scheme matches the performance achieved by the most efficient ones based on the discrete logarithm, while requiring only standard security assumptions in the Generic Group Model.

[1] Scott A. Vanstone, et al. Postal Revenue Collection in the Digital Age, 2000, Financial Cryptography.

[2] David Chaum, et al. Wallet Databases with Observers, 1992, CRYPTO.

[3] Claus Peter, et al. Security of Discrete Log Cryptosystems in the Random Oracle + Generic Model, 1999.

[4] Marc Fischlin, et al. A Note on Security Proofs in the Generic Model, 2000, ASIACRYPT.

[5] David Pointcheval, et al. The Gap-Problems: A New Class of Problems for the Security of Cryptographic Schemes, 2001, Public Key Cryptography.

[6] Mihir Bellare, et al. Random oracles are practical: a paradigm for designing efficient protocols, 1993, CCS '93.

[7] Antoine Joux, et al. A One Round Protocol for Tripartite Diffie–Hellman, 2000, Journal of Cryptology.

[8] Birgit Pfitzmann, et al. Collision-Free Accumulators and Fail-Stop Signature Schemes Without Trees, 1997, EUROCRYPT.

[9] Dan Boneh, et al. Short Signatures Without Random Oracles, 2004, EUROCRYPT.

[10] Jacques Stern, et al. Twin signatures: an alternative to the hash-and-sign paradigm, 2001, CCS '01.

[11] Paulo S. L. M. Barreto, et al. Efficient Algorithms for Pairing-Based Cryptosystems, 2002, CRYPTO.

[12] Alfred Menezes, et al. Reducing elliptic curve logarithms to logarithms in a finite field, 1991, STOC '91.

[13] M. Michels, et al. Hidden signature schemes based on the discrete logarithm problem and related concepts, 1995.

[14] Jacques Stern, et al. Security Proofs for Signature Schemes, 1996, EUROCRYPT.

[15] Silvio Micali, et al. On-line/off-line digital signatures, 1996, Journal of Cryptology.

[16] Giuseppe Ateniese, et al. Efficient Group Signatures without Trapdoors, 2003, ASIACRYPT.

[17] Patrick Horster, et al. Self-certified keys — Concepts and Applications, 1997.

[18] Alfred Menezes, et al. Reducing elliptic curve logarithms to logarithms in a finite field, 1993, IEEE Trans. Inf. Theory.

[19] Jonathan Katz, et al. Efficiency improvements for signature schemes with tight security reductions, 2003, CCS '03.

[20] Ronald Cramer, et al. Signature schemes based on the strong RSA assumption, 2000, TSEC.

[21] Dan Boneh, et al. A Secure Signature Scheme from Bilinear Maps, 2003, CT-RSA.

[22] Hovav Shacham, et al. Short Signatures from the Weil Pairing, 2001, J. Cryptol.

[23] Daniel Bleichenbacher, et al. Generating ElGamal Signatures Without Knowing the Secret Key, 1996, EUROCRYPT.

[24] Victor Shoup, et al. Lower Bounds for Discrete Logarithms and Related Problems, 1997, EUROCRYPT.

[25] Ivan Damgård, et al. Generic Lower Bounds for Root Extraction and Signature Schemes in General Groups, 2002, EUROCRYPT.

[26] V. Nechaev. Complexity of a determinate algorithm for the discrete logarithm, 1994.

[27] Marc Joye, et al. Efficient Generation of Prime Numbers, 2000, CHES.

[28] Jan Camenisch, et al. Blind Signatures Based on the Discrete Logarithm Problem, 1994, EUROCRYPT.

[29] Alexander W. Dent, et al. Adapting the Weaknesses of the Random Oracle Model to the Generic Group Model, 2002, ASIACRYPT.

[30] Gerhard Frey, et al. The Tate pairing and the discrete logarithm applied to elliptic curve cryptosystems, 1999, IEEE Trans. Inf. Theory.

[31] Stanislaw Jarecki, et al. A Signature Scheme as Secure as the Diffie-Hellman Problem, 2003, EUROCRYPT.

[32] John Rompel, et al. One-way functions are necessary and sufficient for secure signatures, 1990, STOC '90.

[33] Christoph G. Günther, et al. An Identity-Based Key-Exchange Protocol, 1990, EUROCRYPT.

[34] Donald Byron Johnson, et al. Formal Security Proofs for a Signature Scheme with Partial Message Recovery, 2001, CT-RSA.

[35] Marc Girault, et al. Self-Certified Public Keys, 1991, EUROCRYPT.

[36] Markus Jakobsson, et al. Efficient Oblivious Proofs of Correct Exponentiation, 1999, Communications and Multimedia Security.

[37] Louis Granboulan. PECDSA. How to build a DL-based digital signature scheme with the best proven security, 2002, IACR Cryptol. ePrint Arch.

[38] Daniel R. L. Brown. Generic Groups, Collision Resistance, and ECDSA, 2002, Des. Codes Cryptogr.

[39] Ran Canetti, et al. The random oracle methodology, revisited, 2000, JACM.

[40] Rainer A. Rueppel, et al. A new signature scheme based on the DSA giving message recovery, 1993, CCS '93.

[41] Moni Naor, et al. Universal one-way hash functions and their cryptographic applications, 1989, STOC '89.

[42] G. Frey, et al. A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves, 1994.

[43] Ueli Maurer, et al. Directed Acyclic Graphs, One-way Functions and Digital Signatures, 1994, CRYPTO.