## Homomorphic Signature Schemes

### Cached

### Download Links

Citations: | 69 - 2 self |

### BibTeX

@MISC{Johnson_homomorphicsignature,

author = {Robert Johnson and David Molnar and Dawn Song and David Wagner},

title = {Homomorphic Signature Schemes},

year = {}

}

### Years of Citing Articles

### OpenURL

### Abstract

Privacy homomorphisms, encryption schemes that are also homomorphisms relative to some binary operation, have been studied for some time, but one may also consider the analogous problem of homomorphic signature schemes. In this paper we introduce basic definitions of security for homomorphic signature systems, motivate the inquiry with example applications, and describe several schemes that are homomorphic with respect to useful binary operations. In particular, we describe a scheme that allows a signature holder to construct the signature on an arbitrarily redacted submessage of the originally signed message. We present another scheme for signing sets that is homomorphic with respect to both union and taking subsets. Finally, we show that any signature scheme that is homomorphic with respect to integer addition must be insecure.

### Citations

1334 | Random oracles are practical: A paradigm for designing efficient protocols - Bellare, Rogaway - 1993 |

1178 | Probabilistic encryption - Goldwasser, Micali - 1984 |

628 | How to construct random functions - Goldreich, Goldwasser, et al. - 1986 |

624 | Public Key Cryptosystems based on CompositeDegree Residue Classes
- Paillier
- 1999
(Show Context)
Citation Context ...Micali encryption takes the form of a group homomorphism Z/2Z → (Z/nZ) ∗ [17], and others have proposed a number of other public-key encryption schemes that have various useful homomorphic properties =-=[15, 8, 22, 20]-=-. Of particular interest is Sander, Young, and Yung’s slick construction of an encryption algorithm that is both and- and xor-homomorphic [26]; they note that this is the first cryptosystem homomorphi... |

285 | Protocols for public key cryptosystems - Merkle - 1980 |

163 | Collision-free accumulators and fail-stop signature schemes without trees
- Barić, Pfitzmann
- 1997
(Show Context)
Citation Context ...ty of the RSA problem. We assume that RSA behaves as a good trapdoor permutation, as others have suggested before [6, 7]. This assumption appears to be weaker than the so-called Strong RSA assumption =-=[2]-=-. Definition 4. Let Hk = {pq : p and q are safe primes, p �= q, and |p| = |q| = k}. We say RSA is a (t, ɛr)-secure trapdoor permutation if for any adversary A with running time less than t, we have Pr... |

121 | Secure hash-and-sign signatures without the random oracle - Gennaro, Halevi, et al. - 1999 |

120 |
A robust and verifiable cryptographically secure election scheme
- Cohen, Fischer
- 1985
(Show Context)
Citation Context ... used tosimplement completely non-interactive secure circuit evaluation” and called such cryptosystems “algebraic” [14]. Benaloh gave a secure election scheme based on a homomorphic encryption scheme =-=[12]-=-. Cramer and Damgard use homomorphic bit commitments to drastically simplify zero-knowledge proofs [13]. Many other examples exist in which homomorphic properties are used to construct cryptographic p... |

114 | One-way accumulators: a decentralized alternative to digital signatures - Benaloh, Mare - 1993 |

114 |
On data banks and privacy homomorphisms
- Rivest, Adleman, et al.
- 1978
(Show Context)
Citation Context ...e homomorphic cryptosystems have proved to be so useful. Rivest, Adleman, and Dertouzos noted applications of “privacy homomorphisms” to computing on encrypted data soon after the introduction of RSA =-=[25]-=-. Peralta and Boyar showed that an xor-homomorphic bit commitment could be exploited to yield more efficient zero-knowledge proofs of circuit satisfiability [23]. Feigenbaum and Merritt noted that a “... |

74 | Incremental cryptography: The case of hashing and signing - Bellare, Goldreich, et al. - 1994 |

74 |
Algorithms for black-box fields and their application to cryptography (extended abstract
- Boneh, Lipton
- 1996
(Show Context)
Citation Context ...phic on GF (2 64 ) is insecure under chosen ciphertext attack [1]. Boneh and Lipton showed that any deterministic cryptosystem that is a field homomorphism must fall victim to a subexponential attack =-=[10]-=-. They further conjectured that any field-homomorphic cryptosystem, which they called “completely malleable,” would prove to be insecure. Brickell and Yacobi broke a number of candidate constructions ... |

71 | Non-interactive CryptoComputing for NC1
- Sander, Young, et al.
- 1999
(Show Context)
Citation Context ...yone can compute f(x · y) without any need for the private key. Somewhat surprisingly, this property has a wide range of applications, including secure voting protocols [8] and multiparty computation =-=[26]-=-. In a series of talks, Rivest suggested the investigation of homomorphic signature schemes. For instance, the RSA signature scheme is a group homomorphism, as m d 1 · m d 2 = (m1 · m2) d . This prope... |

67 | A New Public-Key Cryptosystem Based on Higher Residues
- Naccache, Stern
(Show Context)
Citation Context ...Micali encryption takes the form of a group homomorphism Z/2Z → (Z/nZ) ∗ [17], and others have proposed a number of other public-key encryption schemes that have various useful homomorphic properties =-=[15, 8, 22, 20]-=-. Of particular interest is Sander, Young, and Yung’s slick construction of an encryption algorithm that is both and- and xor-homomorphic [26]; they note that this is the first cryptosystem homomorphi... |

55 | Dense Probabilistic Encryption - Benaloh - 1994 |

50 | Transitive signature schemes - Micali, Rivest |

45 | The exact security of digital signatures-how to sign with rsa and rabin - Bellare, Rogaway - 1996 |

36 | Processing Encrypted Data - Ahituv, Lapid, et al. - 1987 |

23 | On privacy homomorphisms - Brickell, Yacobi - 1987 |

8 | Algorithms for black-box and their application to cryptography - Boneh, Lipton - 1996 |

8 | A robust and veri cryptographically secure election scheme - Cohen, Fischer - 1985 |

8 | R.Peralta: Short Discreet Proofs - Boyar |

7 | Incremental Cryptography with Application to Virus Protection - Bellare, Goldreich, et al. - 1995 |

3 | Two new signature schemes. Presented at Cambridge seminar; see http://www.cl.cam.ac.uk/Research/Security/seminars/2000/rivest-tss.pdf - Rivest - 2001 |

3 | Baric and Birgit Pfitzmann, “Collision-free accumulators and fail-stop signature schemes without trees - Niko - 1997 |

3 | 16. Rosario Gennaro, Shai Halevi, and Tal Rabin. Secure hash-and-sign signatures without the random oracle - Goldwasser, Micali - 1998 |

2 |
knowledge proofs for finite field arithmetic -- or, can zero knowledge be for free
- Zero
- 1998
(Show Context)
Citation Context ...“algebraic” [14]. Benaloh gave a secure election scheme based on a homomorphic encryption scheme [12]. Cramer and Damgard use homomorphic bit commitments to drastically simplify zero-knowledge proofs =-=[13]-=-. Many other examples exist in which homomorphic properties are used to construct cryptographic protocols. The initial promise of privacy homomorphisms was tempered by a string of negative results. Ah... |

1 | Baric and Birgit P Collision-free accumulators and fail-stop signature schemes without trees - Niko - 1997 |

1 | knowledge proofs for arithmetic { or, can zero knowledge be for free - Zero - 1998 |

1 | E#cient probabilistic encryption - EPOC - 1991 |

1 |
questions, talk abstracts, and summary of discussions
- Open
- 1991
(Show Context)
Citation Context ... and Merritt noted that a “cryptosystem which is a ring homomorphism on Z/2Z could be used tosimplement completely non-interactive secure circuit evaluation” and called such cryptosystems “algebraic” =-=[14]-=-. Benaloh gave a secure election scheme based on a homomorphic encryption scheme [12]. Cramer and Damgard use homomorphic bit commitments to drastically simplify zero-knowledge proofs [13]. Many other... |

1 |
EPOC : Efficient probabilistic encryption
- Fujisaki, Okamoto, et al.
- 1998
(Show Context)
Citation Context ...Micali encryption takes the form of a group homomorphism Z/2Z → (Z/nZ) ∗ [17], and others have proposed a number of other public-key encryption schemes that have various useful homomorphic properties =-=[15, 8, 22, 20]-=-. Of particular interest is Sander, Young, and Yung’s slick construction of an encryption algorithm that is both and- and xor-homomorphic [26]; they note that this is the first cryptosystem homomorphi... |