Is the Notion of Divisible On-Line/Off-Line Signatures Stronger than On-Line/Off-Line Signatures?

On-line/off-line signatures are useful in many applications where the signer has a very limited response time once the message is presented. The idea is to perform the signing process in two phases: the first phase is performed off-line, before the message to be signed is available, and the second phase is performed on-line, after the message to be signed is provided. Recently, at CT-RSA 2009, Gao et al. made the interesting observation that most existing schemes share the following structure. In the off-line phase, a partial signature, called the off-line token, is computed first. Upon completion of the on-line phase, the off-line token constitutes part of the full signature. They considered the "off-line token exposure problem", in which the off-line token is exposed in the off-line phase, and introduced a new model to capture this scenario. While the new requirement intuitively appears to be a stronger notion, Gao et al. could not find a concrete attack on any of the existing schemes under the new model, and they regarded clarifying the relationship between the two models as an open problem. In this paper, we provide an affirmative answer to this open problem. We construct an on-line/off-line signature scheme that is secure under the ordinary security model but insecure in the new model. Specifically, we present a security proof under the old model and a concrete attack on the scheme under the new model. This illustrates that the new model is indeed stronger.
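The two-phase structure described above can be seen in a Schnorr-style signature, shown here as an added example that is not taken from the paper and is not the paper's counterexample scheme. The group parameters are constructed toy values and all function names are assumptions made for this illustration.

```python
import hashlib
import secrets

# Constructed toy Schnorr group, far too small for real use: p = 2q + 1, g has order q.
P, Q, G = 2039, 1019, 4

def h(r: int, message: bytes) -> int:
    """Hash the off-line token and the message to a challenge in Z_q."""
    digest = hashlib.sha256(r.to_bytes(2, "big") + message).digest()
    return int.from_bytes(digest, "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1      # secret key in [1, q-1]
    return x, pow(G, x, P)                # (secret key, public key)

def sign_offline():
    """Off-line phase: needs no message. Returns (secret state k, off-line token r)."""
    k = secrets.randbelow(Q - 1) + 1
    return k, pow(G, k, P)

def sign_online(x: int, k: int, r: int, message: bytes) -> int:
    """On-line phase: one hash, one multiplication and one addition mod q."""
    return (k + x * h(r, message)) % Q

def verify(y: int, message: bytes, signature) -> bool:
    r, s = signature
    if not (0 < r < P and 0 <= s < Q):    # reject out-of-range components
        return False
    return pow(G, s, P) == (r * pow(y, h(r, message), P)) % P

def demo():
    x, y = keygen()
    k, token = sign_offline()             # computed before any message exists
    # Token exposure setting: the token is assumed visible to others at this
    # point, while k stays secret and the message is not yet available.
    message = b"constructed sample message"
    s = sign_online(x, k, token, message)
    signature = (token, s)                # the off-line token is part of the full signature
    tampered = (token, (s + 1) % Q)
    return verify(y, message, signature), verify(y, message, tampered)

if __name__ == "__main__":
    print(demo())
```

The state `k` must be used for exactly one on-line phase; signing two messages with the same token reveals the secret key in Schnorr-style schemes.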
