Signature Schemes Based on the (Strong) RSA Assumption

The signature schemes described in the previous chapter have the advantage of being based on very weak cryptographic assumptions, but have the drawback of being incredibly inefficient. (Even the Lamport scheme, which could conceivably be used, has very large public keys and signatures.) It is natural to wonder whether relying on stronger, more specific assumptions might yield more efficient schemes. Unfortunately, progress in this direction has been limited: only a handful of schemes are known that are more efficient than the “generic” constructions of the previous chapter and, of these, even fewer are efficient enough to compete with the signature schemes currently used in practice.¹ In fact, and somewhat disappointingly, the only schemes we currently have that come close to the efficiency of signature schemes currently in use are based on relatively “new” cryptographic assumptions discussed in this and the following chapter. (Admittedly, this point is debatable and depends to some extent on what one takes as his measure of efficiency.)