A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks

We present a digital signature scheme based on the computational difficulty of integer factorization. The scheme possesses the novel property of being robust against an adaptive chosen-message attack: an adversary who receives signatures for messages of his choice (where each message may be chosen in a way that depends on the signatures of previously chosen messages) cannot later forge the signature of even a single additional message. This may be somewhat surprising, since in the folklore the two properties, forgery being equivalent to factoring and invulnerability to an adaptive chosen-message attack, were considered contradictory. More generally, we show how to construct a signature scheme with such properties based on the existence of a "claw-free" pair of permutations, a potentially weaker assumption than the intractability of integer factorization. The new scheme is potentially practical: signing and verifying signatures are reasonably fast, and signatures are compact.
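As an added illustration of the claw-free assumption the abstract rests on (example code, not from the paper): a toy claw-free pair built from factoring, f0(x) = x^2 and f1(x) = 4x^2 mod n on the quadratic residues modulo a Blum integer n = pq with p ≡ 3 and q ≡ 7 (mod 8), checked to be permutations of QR_n, together with the reduction showing that any claw f0(x) = f1(y) reveals a factor of n. The parameter values and function names are my own choices.

```python
from math import gcd

# Constructed toy parameters (far too small for real use): a Blum integer
# n = p*q with p ≡ 3 (mod 8) and q ≡ 7 (mod 8), chosen so that neither 2
# nor -2 is a quadratic residue modulo n. Values are my own choice.
P, Q = 11, 23
N = P * Q


def quadratic_residues(n: int) -> set:
    """QR_n, the quadratic residues in Z_n^* (brute force; toy sizes only)."""
    return {x * x % n for x in range(1, n) if gcd(x, n) == 1}


def f0(x: int, n: int) -> int:
    """First permutation of the pair: squaring modulo n."""
    return x * x % n


def f1(x: int, n: int) -> int:
    """Second permutation of the pair: squaring, then multiplying by 4."""
    return 4 * x * x % n


def is_permutation_of_qr(f, n: int) -> bool:
    """True when f maps QR_n bijectively onto itself (holds for Blum n)."""
    qr = quadratic_residues(n)
    return {f(x, n) for x in qr} == qr


def claw_to_factor(x: int, y: int, n: int) -> int:
    """Turn a claw f0(x) == f1(y), x and y in QR_n, into a factor of n.
    x^2 == (2y)^2 (mod n) but x != ±2y, because 2 and -2 are non-residues
    modulo n, so x - 2y is 0 modulo exactly one prime and the gcd splits n."""
    if f0(x, n) != f1(y, n):
        raise ValueError("not a claw")
    d = gcd((x - 2 * y) % n, n)
    if d in (1, n):
        raise ValueError("claw did not yield a factor")
    return d


def find_claw_by_brute_force(n: int):
    """Exhaustive search of QR_n for a claw; feasible only for toy n and used
    here just to exercise the reduction (a claw always exists, since both
    maps are permutations of QR_n; claw-freeness says it is hard to find)."""
    qr = quadratic_residues(n)
    preimage_under_f1 = {f1(y, n): y for y in qr}
    for x in qr:
        if f0(x, n) in preimage_under_f1:
            return x, preimage_under_f1[f0(x, n)]
    return None
```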
