## Unconditionally secure digital signature schemes admitting transferability (2000)

Venue: | In Proc. ASIACRYPT’00, Kyoto, December 3–7 |

Citations: | 8 - 5 self |

### BibTeX

@INPROCEEDINGS{Hanaoka00unconditionallysecure,

author = {Goichiro Hanaoka and Junji Shikata and Yuliang Zheng and Hideki Imai},

title = {Unconditionally secure digital signature schemes admitting transferability},

booktitle = {In Proc. ASIACRYPT’00, Kyoto, December 3–7},

year = {2000},

pages = {130--142},

publisher = {Springer-Verlag}

}

### Years of Citing Articles

### OpenURL

### Abstract

Abstract. A potentially serious problem with current digital signature schemes is that their underlying hard problems from number theory may be solved by an innovative technique or a new generation of computing devices such as quantum computers. Therefore while these signature schemes represent an efficient solution to the short term integrity (unforgeability and non-repudiation) of digital data, they provide no confidence on the long term (say of 20 years) integrity of data signed by these schemes. In this work, we focus on signature schemes whose security does not rely on any unproven assumption. More specifically, we establish a model for unconditionally secure digital signatures in a group, and demonstrate practical schemes in that model. An added advantage of the schemes is that they allow unlimited transfer of signatures without compromising the security of the schemes. Our scheme represents the first unconditionally secure signature that admits provably secure transfer of signatures. 1

### Citations

2925 | A Method for Obtaining Digital Signatures and Public-Key
- Rivest, Shamir, et al.
- 1978
(Show Context)
Citation Context ...for their security on the assumed computational difficulty of computing certain number theoretic problems, such as factoring large campsites or solving discrete logarithms in a large finite field.RSA =-=[20]-=-, Fiat-Shamir [11], ESIGN [19] T. Okamoto (Ed.): ASIACRYPT 2000, LNCS 1976, pp. 130–142, 2000. c○ Springer-Verlag Berlin Heidelberg 2000sUnconditionally Secure Digital Signature Schemes Admitting Tran... |

1120 |
A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms
- ElGamal
- 1985
(Show Context)
Citation Context ...Verlag Berlin Heidelberg 2000sUnconditionally Secure Digital Signature Schemes Admitting Transferability 131 and many other schemes are based on the difficulty of factoring.On the other hand, ElGamal =-=[10]-=-, Schnorr [24], DSA [9] and others, are based on discrete logarithms.Progress in computers as well as further refinement of various algorithms has made it possible to solve the number theoretic proble... |

879 | Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer
- Shor
(Show Context)
Citation Context ...importantly, in the past few years there has been significant progress in quantum computers.It has been known that quantum computers can solve both factoring and discrete logarithm problems with ease =-=[25,1]-=-, hence advances in the design and manufacturing of quantum computers poses a real threat to the long term security of all the digital signature schemes based on number theoretic problems. The above d... |

837 | How to Prove Yourself: Practical Solutions to Identification and Signature Problems
- Fiat, Shamir
- 1987
(Show Context)
Citation Context ... on the assumed computational difficulty of computing certain number theoretic problems, such as factoring large campsites or solving discrete logarithms in a large finite field.RSA [20], Fiat-Shamir =-=[11]-=-, ESIGN [19] T. Okamoto (Ed.): ASIACRYPT 2000, LNCS 1976, pp. 130–142, 2000. c○ Springer-Verlag Berlin Heidelberg 2000sUnconditionally Secure Digital Signature Schemes Admitting Transferability 131 an... |

585 |
Efficient Signature Generation by Smart Cards
- Schnorr
- 1991
(Show Context)
Citation Context ...Heidelberg 2000sUnconditionally Secure Digital Signature Schemes Admitting Transferability 131 and many other schemes are based on the difficulty of factoring.On the other hand, ElGamal [10], Schnorr =-=[24]-=-, DSA [9] and others, are based on discrete logarithms.Progress in computers as well as further refinement of various algorithms has made it possible to solve the number theoretic problems of larger s... |

106 | RIPEMD-160, a strengthened version of RIPEMD
- Dobbertin, Bosselaers, et al.
- 1996
(Show Context)
Citation Context ... message. In practice, one may use the technique of applying a one-way hashing to a long message prior to signing it.Some examples of one-way hash algorithms are SHA-1 [17], HAVAL [31] and RIPEMD-160 =-=[6]-=-.Although this will lose the unconditional security property of the proposed signature scheme, we note that a good one-way hash function would remain secure even if one employed quantum computers in a... |

70 | Cryptographically Strong Undeniable Signatures, Unconditionally Secure for the Signer
- Chaum, Heijst, et al.
- 1992
(Show Context)
Citation Context ...roved scheme has not addressed the transferability of his signature scheme. In another development, Chaum, Heijst and Pfitmann proposed a different version of unconditionally secure signature schemes =-=[5]-=-.However, its unconditional security was guaranteed only for signers. There have also been attempts to modify unconditionally secure authentication codes [12,26] with the aim of enhancing the codes wi... |

60 | Quantum cryptanalysis of hidden linear functions (ex- tended abstract
- Boneh, Lipton
- 1995
(Show Context)
Citation Context ...importantly, in the past few years there has been significant progress in quantum computers.It has been known that quantum computers can solve both factoring and discrete logarithm problems with ease =-=[25,1]-=-, hence advances in the design and manufacturing of quantum computers poses a real threat to the long term security of all the digital signature schemes based on number theoretic problems. The above d... |

58 |
Codes which detect deception
- Gilbert, MacWilliams, et al.
- 1974
(Show Context)
Citation Context ...f unconditionally secure signature schemes [5].However, its unconditional security was guaranteed only for signers. There have also been attempts to modify unconditionally secure authentication codes =-=[12,26]-=- with the aim of enhancing the codes with extra security properties.It is tempting to transform an unconditionally secure authentication code into a digital signature.There are, however, two technical... |

52 | HAVAL - A One-Way Hashing Algorithm with Variable Length of Output
- Zheng, Pieprzyk, et al.
- 1993
(Show Context)
Citation Context ...g the size of such a message. In practice, one may use the technique of applying a one-way hashing to a long message prior to signing it.Some examples of one-way hash algorithms are SHA-1 [17], HAVAL =-=[31]-=- and RIPEMD-160 [6].Although this will lose the unconditional security property of the proposed signature scheme, we note that a good one-way hash function would remain secure even if one employed qua... |

38 |
Multi-receiver/Multi-sender network security: efficient authenticated multicast/feedback
- Desmedt, Frankle, et al.
(Show Context)
Citation Context ...s are called A 3 -codes [2,7,13,29,14,30].A property shared by both codes is that the receiver of a signature has to be designated. As yet another extension, multi-receiver authentication codes (MRA) =-=[8,21,14]-=- have been extensively studied in the literature.With a MRA scheme, a broadcast message can be verified by any of the receivers.Although earlier MRA schemes required the sender to be designated, the s... |

29 |
Authentication theory/coding theory
- Simmons
- 1985
(Show Context)
Citation Context ...f unconditionally secure signature schemes [5].However, its unconditional security was guaranteed only for signers. There have also been attempts to modify unconditionally secure authentication codes =-=[12,26]-=- with the aim of enhancing the codes with extra security properties.It is tempting to transform an unconditionally secure authentication code into a digital signature.There are, however, two technical... |

23 | New results on multi-receiver authentication codes
- Safavi-Naini, Wang
- 1403
(Show Context)
Citation Context ...s are called A 3 -codes [2,7,13,29,14,30].A property shared by both codes is that the receiver of a signature has to be designated. As yet another extension, multi-receiver authentication codes (MRA) =-=[8,21,14]-=- have been extensively studied in the literature.With a MRA scheme, a broadcast message can be verified by any of the receivers.Although earlier MRA schemes required the sender to be designated, the s... |

15 |
A Fast Signature Scheme Based on Congruential Polynomial Operations
- Okamoto
- 1990
(Show Context)
Citation Context ...med computational difficulty of computing certain number theoretic problems, such as factoring large campsites or solving discrete logarithms in a large finite field.RSA [20], Fiat-Shamir [11], ESIGN =-=[19]-=- T. Okamoto (Ed.): ASIACRYPT 2000, LNCS 1976, pp. 130–142, 2000. c○ Springer-Verlag Berlin Heidelberg 2000sUnconditionally Secure Digital Signature Schemes Admitting Transferability 131 and many other... |

14 |
bound on the probability of deception in authentication with arbitration
- Johansson, Lower
- 1994
(Show Context)
Citation Context ...r forges a sender’s message or the sender claims that a message is forged by the receiver.A 2 -codes have been further improved to require a less trustworthy arbiter.These codes are called A 3 -codes =-=[2,7,13,29,14,30]-=-.A property shared by both codes is that the receiver of a signature has to be designated. As yet another extension, multi-receiver authentication codes (MRA) [8,21,14] have been extensively studied i... |

12 |
Arbitrated unconditionally secure authentication can be unconditionally protected against arbiter’s attacks
- Desmedt, Yung
- 1991
(Show Context)
Citation Context ...r forges a sender’s message or the sender claims that a message is forged by the receiver.A 2 -codes have been further improved to require a less trustworthy arbiter.These codes are called A 3 -codes =-=[2,7,13,29,14,30]-=-.A property shared by both codes is that the receiver of a signature has to be designated. As yet another extension, multi-receiver authentication codes (MRA) [8,21,14] have been extensively studied i... |

12 |
Message authentication with arbitration of transmitter/receiver disputes
- Simmons
- 1987
(Show Context)
Citation Context ...y.These two properties must be removed for an authentication code to be converted into a digital signature. An extension of authentication codes is authentication codes with arbitration or A 2 -codes =-=[27,28,15,16,18,14]-=-.These codes involve a trusted third party called an arbiter.The arbiter can help resolve a dispute when a receiver forges a sender’s message or the sender claims that a message is forged by the recei... |

11 |
et al, Factorization of a 512-bit RSA modulus
- Cavallar
(Show Context)
Citation Context ...umber theoretic problems of larger sizes.As an example, in August 1999, a team of researchers from around the world succeeded in cracking an 512-bit RSA composite by the use of the Number Field Sieve =-=[3]-=- over the Internet.One can safely predict that even larger composites will be factored in the future.In addition, one cannot rule out the possibility of the emergence of innovative algorithms that sol... |

10 | New bounds on authentication code with arbitration
- Kurosawa
- 1994
(Show Context)
Citation Context ...y.These two properties must be removed for an authentication code to be converted into a digital signature. An extension of authentication codes is authentication codes with arbitration or A 2 -codes =-=[27,28,15,16,18,14]-=-.These codes involve a trusted third party called an arbiter.The arbiter can help resolve a dispute when a receiver forges a sender’s message or the sender claims that a message is forged by the recei... |

9 | Multi-receiver authentication codes: models, bounds, constructions, and extensions
- Safavi-Naini, Wang
(Show Context)
Citation Context ...scheme, a broadcast message can be verified by any of the receivers.Although earlier MRA schemes required the sender to be designated, the so-called MRA with dynamic sender or DMRA have been proposed =-=[22,23]-=- to relax the requirement of a designated sender.It is important to note that these schemes make sense only in broadcasting.If MRA or DMRA is used for point-to-point authentication, then the sender ca... |

8 |
Near optimal unconditionally secure authentication, EUROCRYPT’94
- Taylor
- 1995
(Show Context)
Citation Context ...r forges a sender’s message or the sender claims that a message is forged by the receiver.A 2 -codes have been further improved to require a less trustworthy arbiter.These codes are called A 3 -codes =-=[2,7,13,29,14,30]-=-.A property shared by both codes is that the receiver of a signature has to be designated. As yet another extension, multi-receiver authentication codes (MRA) [8,21,14] have been extensively studied i... |

6 |
Unconditionally secure digital signatures
- Chaum, Roijakkers
(Show Context)
Citation Context ...ul property of our proposed scheme is that a public key of a user can be associated with the user’s unique name, resulting in an identity-based signature scheme. 1.1 Related Work Chaum and Roijakkers =-=[4]-=- made the first attempt to construct an unconditionally secure signature scheme using cryptographic protocols.Their basic scheme was impractical, as it could only sign a single bit message.Furthermore... |

5 |
Authentication codes with multiple arbiters
- Brickell, Stinson
- 1988
(Show Context)
Citation Context |

5 | Further results on asymmetric authentication schemes
- Johansson
- 1999
(Show Context)
Citation Context ...ignature scheme to have transferability, i.e., its security is not compromised when a signature is transferred among users.Recently an improved version of Chaum-Roijakkers scheme has been proposed in =-=[14]-=-.However, the author of this improved scheme has not addressed the transferability of his signature scheme. In another development, Chaum, Heijst and Pfitmann proposed a different version of unconditi... |

5 |
Secure hash standard. FIPS
- NIST
(Show Context)
Citation Context ...ly increasing the size of such a message. In practice, one may use the technique of applying a one-way hashing to a long message prior to signing it.Some examples of one-way hash algorithms are SHA-1 =-=[17]-=-, HAVAL [31] and RIPEMD-160 [6].Although this will lose the unconditional security property of the proposed signature scheme, we note that a good one-way hash function would remain secure even if one ... |

4 |
Broadcast authentication in group communication
- Safavi-Naini, Wang
- 1999
(Show Context)
Citation Context ...scheme, a broadcast message can be verified by any of the receivers.Although earlier MRA schemes required the sender to be designated, the so-called MRA with dynamic sender or DMRA have been proposed =-=[22,23]-=- to relax the requirement of a designated sender.It is important to note that these schemes make sense only in broadcasting.If MRA or DMRA is used for point-to-point authentication, then the sender ca... |

3 |
A Cartesian construction for unconditionally secure authentication codes that permit arbitration
- Simmons
- 1990
(Show Context)
Citation Context ...y.These two properties must be removed for an authentication code to be converted into a digital signature. An extension of authentication codes is authentication codes with arbitration or A 2 -codes =-=[27,28,15,16,18,14]-=-.These codes involve a trusted third party called an arbiter.The arbiter can help resolve a dispute when a receiver forges a sender’s message or the sender claims that a message is forged by the recei... |

2 |
A 2 -code = affine resolvable
- Obana, Kurosawa
- 1997
(Show Context)
Citation Context |

2 | A 3 -codes under collusion attacks
- Wang, Safavi-Naini
- 1999
(Show Context)
Citation Context |