Short Transitive Signatures for Directed Trees

A transitive signature scheme allows us to sign a graph in such a way that, given signatures on edges (a,b) and (b,c), it is possible to compute the signature on edge (a,c) without the signer's secret. Constructions for undirected graphs are known but the case of directed graphs remains open. A first solution for the particular case of directed trees (DTTS) was given by Yi at CT-RSA 2007. In Yi's construction, the signature for an edge is O(n log(n logn)) bits long in the worst case where n is the number of nodes. A year later in Theoretical Computer Science 396, Neven proposed a simpler scheme where the signature size is reduced to O(n logn) bits. Although this construction is more efficient, O(n logn)-bit long signatures still remain impractical for large n. In this work, we propose a new DTTS scheme such that, for any value λ≥1 and security parameter κ: (a) edge signatures are only O(κλ) bits long, (b) signing or verifying an edge signature requires O(λ) cryptographic operations, and (c) computing (without the secret key) an edge signature in the transitive closure of the tree requires O(λn1/λ) cryptographic operations. To the best of our knowledge this is the first construction with such a trade off. Our construction relies on hashing with common-prefix proofs, a new variant of collision resistance hashing. A family $\cal H$ provides hashing with common-prefix proofs if for any $H \in \cal H$ , given two strings X and Y equal up to position i, a prover can convince anyone that X[1..i] is a prefix of Y by sending only H(X),H(Y), and a small proof. We believe that this new primitive will lead to other interesting applications.

[1]  Jia Xu On Directed Transitive Signature , 2009, IACR Cryptol. ePrint Arch..

[2]  Xun Yi Directed Transitive Signature Scheme , 2007, CT-RSA.

[3]  Jan Camenisch,et al.  Dynamic Accumulators and Application to Efficient Revocation of Anonymous Credentials , 2002, CRYPTO.

[4]  Claudio Soriente,et al.  An Accumulator Based on Bilinear Maps and Efficient Revocation for Anonymous Credentials , 2009, IACR Cryptol. ePrint Arch..

[5]  Edward Fredkin,et al.  Trie memory , 1960, Commun. ACM.

[6]  Mihir Bellare,et al.  Transitive signatures: new schemes and proofs , 2005, IEEE Transactions on Information Theory.

[7]  Mahmoud Salmasizadeh,et al.  A Provably Secure Short Transitive Signature Scheme from Bilinear Group Pairs , 2004, SCN.

[8]  Silvio Micali,et al.  Transitive Signature Schemes , 2002, CT-RSA.

[9]  M. V. Wilkes,et al.  The Art of Computer Programming, Volume 3, Sorting and Searching , 1974 .

[10]  Dan Boneh,et al.  Homomorphic Signatures for Polynomial Functions , 2011, EUROCRYPT.

[11]  Dawn Xiaodong Song,et al.  Homomorphic Signature Schemes , 2002, CT-RSA.

[12]  Lan Nguyen,et al.  Accumulators from Bilinear Pairings and Applications , 2005, CT-RSA.

[13]  Susan Rae Hohenberger,et al.  The cryptographic impact of groups with infeasible inversion , 2003 .

[14]  Silvio Micali,et al.  A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks , 1988, SIAM J. Comput..

[15]  Richard Cole,et al.  Two Simplified Algorithms for Maintaining Order in a List , 2002, ESA.

[16]  Mihir Bellare,et al.  Incremental Cryptography: The Case of Hashing and Signing , 1994, CRYPTO.

[17]  Jonathan Katz,et al.  Signing a Linear Subspace: Signature Schemes for Network Coding , 2009, IACR Cryptol. ePrint Arch..

[18]  Paul F. Dietz Maintaining order in a linked list , 1982, STOC '82.

[19]  Dan Boneh,et al.  Efficient Selective-ID Secure Identity Based Encryption Without Random Oracles , 2004, IACR Cryptol. ePrint Arch..

[20]  Javier Herranz,et al.  Constant Size Ciphertexts in Threshold Attribute-Based Encryption , 2010, Public Key Cryptography.

[21]  Gregory Neven A simple transitive signature scheme for directed trees , 2008, Theor. Comput. Sci..

[22]  Michael T. Goodrich,et al.  An Efficient Dynamic and Distributed Cryptographic Accumulator , 2002, ISC.