Secure Signature Schemes Based on Interactive Protocols See Back Inner Page for a List of Recent Publications in the Brics Report Series. Copies May Be Obtained by Contacting: Secure Signature Schemes Based on Interactive Protocols

Given only an interactive protocol of a certain type as a primitive, we can build a (non-interactive) signature scheme that is secure in the strongest sense of Goldwasser, Micali and Rivest (see [11]): not existentially forgeable under adaptively chosen message attacks. There are numerous examples of primitives that satisfy our conditions, e.g. Feige-Fiat-Shamir, Schnorr, Guillou-Quisquater, Okamoto and Brickell-Mc.Curley ([9], [17], [12], [15], [3]).A main consequence is that efficient and secure signature schemes can now also be based on computationally difficult problems other than factoring (see [11]), such as the discrete logarithm problem.In fact, the existence of one-way group homomorphisms is a sufficient assumption to support our construction. As we also demonstrate that our construction can be based on claw-free pairs of trapdoor permutations, our results can be viewed as a generalization of [11].

[1]  Oded Goldreich,et al.  Two Remarks Concerning the Goldwasser-Micali-Rivest Signature Scheme , 1986, CRYPTO.

[2]  Søren Riis A Fractal which violates the Axiom of Determinacy , 1994 .

[3]  C. Dwork,et al.  An Eecient Existentially Unforgeable Signature Scheme and Its Applications , 1994 .

[4]  Tatsuaki Okamoto,et al.  Provably Secure and Practical Identification Schemes and Corresponding Signature Schemes , 1992, CRYPTO.

[5]  Amos Fiat,et al.  Zero-knowledge proofs of identity , 1988, Journal of Cryptology.

[6]  Arne Skou,et al.  Automatic Verification of Real-Timed Systems Using EPSILON , 1994 .

[7]  Martín Abadi,et al.  On Generating Solved Instances of Computational Problems , 1988, CRYPTO.

[8]  Søren Riis Count( $q$) versus the pigeon-hole principle , 1997, Arch. Math. Log..

[9]  Peter D. Mosses,et al.  An Action Semantics for ML Concurrency Primitives , 1994, FME.

[10]  Silvio Micali,et al.  A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks , 1988, SIAM J. Comput..

[11]  Ivan Damgård,et al.  Secure Signature Schemes Based on Interactive Protocols , 1994 .

[12]  Ivan Damgård,et al.  Collision Free Hash Functions and Public Key Signature Schemes , 1987, EUROCRYPT.

[13]  Moni Naor,et al.  Universal one-way hash functions and their cryptographic applications , 1989, STOC '89.

[14]  Moni Naor,et al.  An Efficient Existentially Unforgeable Signature Scheme and its Applications , 1994, CRYPTO.

[15]  Ernest F. Brickell,et al.  An Interactive Identification Scheme Based on Discrete Logarithms and Factoring , 1990, EUROCRYPT.

[16]  Martin Tompa,et al.  Random self-reducibility and zero knowledge interactive proofs of possession of information , 1987, 28th Annual Symposium on Foundations of Computer Science (sfcs 1987).

[17]  Søren Riis,et al.  Count(q) Does Not Imply Count(p) , 1994, Ann. Pure Appl. Log..

[18]  Ronald J.F. Cramer On shared randomness and the size of secure signatures , 1995 .

[19]  Jean-Jacques Quisquater,et al.  A Practical Zero-Knowledge Protocol Fitted to Security Microprocessor Minimizing Both Transmission and Memory , 1988, EUROCRYPT.

[20]  Adi Shamir,et al.  Witness indistinguishable and witness hiding protocols , 1990, STOC '90.

[21]  Søren Riis Bootstrapping the Primitive Recursive Functions by 47 Colors , 1994 .

[22]  Torben Braüner,et al.  A General Adequacy Result for a Linear Functional Language , 1994, Theoretical Computer Science.

[23]  Torben Braüner,et al.  A Model of Intuitionistic Affine Logic from Stable Domain Theory (Revised and Expanded Version) , 1994 .

[24]  Ralph C. Merkle,et al.  A Digital Signature Based on a Conventional Encryption Function , 1987, CRYPTO.

[25]  David Chaum,et al.  Provably Unforgeable Signatures , 1992, CRYPTO.

[26]  John Rompel,et al.  One-way functions are necessary and sufficient for secure signatures , 1990, STOC '90.