## New Generation of Secure and Practical RSA-based Signatures (1996)

Citations: 38 (1 self)

### BibTeX

@INPROCEEDINGS{Cramer96newgeneration,

author = {Ronald Cramer and Ivan Damgård},

title = {New Generation of Secure and Practical RSA-based Signatures},

booktitle = {},

year = {1996},

pages = {173--185},

publisher = {Springer-Verlag}

}

### Abstract

For most digital signature schemes used in practice, such as ISO9796/RSA or DSA, it has only been shown that certain plausible cryptographic assumptions, such as the difficulty of factoring integers, computing discrete logarithms or the collision-intractability of certain hash-functions are necessary for the security of the scheme, while their sufficiency is, strictly speaking, an open question. A clear advantage of such schemes over many signature schemes with security proven relative to such common cryptographic assumptions, is their efficiency: as a result of their relatively weak requirements regarding computation, bandwidth and storage, these schemes have so far beaten proven secure schemes in practice. Our aim is to contribute to the bridging of the gap that seems to exist between the theory and practice of digital signature schemes. We present a digital signature that offers both proven security and practical value. More precisely, under an appropriate assumption about RSA, the ...

### Citations

3160 | A Method for Obtaining Digital Signatures and Public Key Cryptosystems
- Rivest, Shamir, et al.
- 1978
Citation Context ... extension of their result, see [7]). Though yielding shorter signatures asymptotically, the size grows rapidly in practice as the number of signatures made increases. Starting with the seminal paper [22], which proposed the RSA-functions as the first implementation of public-key cryptography as envisaged by Diffie and Hellman [9], many practical digital signature schemes have been proposed, for insta...

2929 | New directions in cryptography
- Diffie, Hellman
- 1976
Citation Context ...e number of signatures made increases. Starting with the seminal paper [22], which proposed the RSA-functions as the first implementation of public-key cryptography as envisaged by Diffie and Hellman [9], many practical digital signature schemes have been proposed, for instance, [11], [12], [24], [14], [20], [16] and [19]. Although many of them are actually used in practice today, these schemes seem ...

1217 | A Public Key Cryptosystem and a signature scheme based on discrete logarithms - ElGamal - 1985

881 | How to prove yourself: Practical solutions to identification and signature problems
- Fiat, Shamir
- 1987
Citation Context ...posed the RSA-functions as the first implementation of public-key cryptography as envisaged by Diffie and Hellman [9], many practical digital signature schemes have been proposed, for instance, [11], [12], [24], [14], [20], [16] and [19]. Although many of them are actually used in practice today, these schemes seem to have the property that their security is hard to analyze. We certainly do not mean t...

863 | A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks
- Goldwasser, Micali, et al.
- 1988
Citation Context ...ollowing of our target scheme. First, relative to some plausible cryptographic assumption, a proof must be given that the scheme is not existentially forgeable under adaptively chosen message attacks [13]. Without attempting to quantify the efficiency needed, we require, secondly, that the amount of computation and the size of the signatures are small, and, finally, that the amount of storage needed i...

618 | Efficient Signature Generation for Smart Cards
- Schnorr
Citation Context ...the RSA-functions as the first implementation of public-key cryptography as envisaged by Diffie and Hellman [9], many practical digital signature schemes have been proposed, for instance, [11], [12], [24], [14], [20], [16] and [19]. Although many of them are actually used in practice today, these schemes seem to have the property that their security is hard to analyze. We certainly do not mean to sugg...

321 | Universal one-way hash functions and their cryptographic applications
- Naor, Yung
- 1989
Citation Context ... require, secondly, that the amount of computation and the size of the signatures are small, and, finally, that the amount of storage needed is reasonably limited. In a sequence of results [17], [1], [18] and finally [23], it was established that the existence of one-way functions is necessary and sufficient for the existence secure signatures. This result, however theoretically very important, does n...

315 | Wallet databases with observers
- Chaum, Pedersen
- 1993
Citation Context ...rds as the main players, this assumption about shared access to the list of random numbers may be too demanding, simply because of its storage requirements (in case a user has a wallet with observer ([5], [6]) as user device, there are solutions, though not as efficient as the scheme presented in this paper, that preserve the off-line property). One can envision a system where the players gain access...

204 | A Practical Zero-Knowledge Protocol Fitted to Security Microprocessors Minimizing both Transmission and - Guillou, Quisquater - 1988

204 | One-way functions are necessary and sufficient for secure signatures
- Rompel
- 1990
Citation Context ...y, that the amount of computation and the size of the signatures are small, and, finally, that the amount of storage needed is reasonably limited. In a sequence of results [17], [1], [18] and finally [23], it was established that the existence of one-way functions is necessary and sufficient for the existence secure signatures. This result, however theoretically very important, does not give rise to a...

177 | An Introduction to the Theory of Numbers. Fifth edition - Hardy, Wright - 1979

155 | Provably Secure and Practical Identification Schemes and Corresponding Signature Schemes
- Okamoto
- 1992
Citation Context ...tions as the first implementation of public-key cryptography as envisaged by Diffie and Hellman [9], many practical digital signature schemes have been proposed, for instance, [11], [12], [24], [14], [20], [16] and [19]. Although many of them are actually used in practice today, these schemes seem to have the property that their security is hard to analyze. We certainly do not mean to suggest here tha...

46 | An efficient existentially unforgeable signature scheme and its applications
- Dwork, Naor
- 1994
Citation Context ...en problem to design a secure and truly practical digital signature scheme, that may be used in today's or tomorrow's information systems. Recently, progress has been made in this area. Starting with [10], it can be concluded that the first two requirements, namely proven security, moderate amount of computation and provision of any reasonable number of small-sized signatures, can be satisfied. The cr...

45 | How to sign given any trapdoor function
- Bellare, Micali
- 1988
Citation Context ...d, we require, secondly, that the amount of computation and the size of the signatures are small, and, finally, that the amount of storage needed is reasonably limited. In a sequence of results [17], [1], [18] and finally [23], it was established that the existence of one-way functions is necessary and sufficient for the existence secure signatures. This result, however theoretically very important, ...

26 | Secure signature schemes based on interactive protocols
- Cramer, Damgård
Citation Context ...scheme also uses a tree structure. Intractability of factoring is a sufficient assumption for the existence of the family of functions required for their scheme (for an extension of their result, see [7]). Though yielding shorter signatures asymptotically, the size grows rapidly in practice as the number of signatures made increases. Starting with the seminal paper [22], which proposed the RSA-functi...

23 | Improved privacy in wallets with observers
- Cramer, Pedersen
- 1993
Citation Context ...s the main players, this assumption about shared access to the list of random numbers may be too demanding, simply because of its storage requirements (in case a user has a wallet with observer ([5], [6]) as user device, there are solutions, though not as efficient as the scheme presented in this paper, that preserve the off-line property). One can envision a system where the players gain access to t...

19 | Provably unforgeable signatures - Bos, Chaum - 1993

15 | One-Way Accumulators: A Decentralized Alternative to
- Benaloh, de Mare
Citation Context ... are trusted, this solution has only the on-line character as the main disadvantage. Otherwise, one also has to employ mechanisms for ensuring the integrity of the supplied data (one-way accumulators [2] seem to allow for an efficient approach). Our contribution is the design of a secure signature scheme where the size of the signatures is (d + 1)k bits, while l^d signatures can be made. The integers...

10 | Two Remarks Concerning the GMR Signature Scheme
- Goldreich
- 1986
Citation Context ...e observes that the signatures are redundant, i.e., part of the signature can be recalculated from another part. See also Section 3. 2 The dynamic storage can be reduced by applying a suggestion from [3]. primes. By storing the differences between consecutive primes, this requires hardly any storage. In [10], this particular choice for the list of primes has also been proposed. But there, the players...

3 | Efficient and provable security amplifications
- Cramer, Damgård, et al.
- 1995
Citation Context ...n prove secure against random message attacks. Such a scheme can be efficiently transformed to a scheme that is secure against active attacks, as is desired here, by means of a technique described in [8]. The loss of efficiency is a factor of two (twice as much computation, signature size twice as large). But we can do better in this case, if we add one prime q with a special purpose to the list: it ...

2 | A Certified Digital Signature
- Merkle
- 1979
Citation Context ... needed, we require, secondly, that the amount of computation and the size of the signatures are small, and, finally, that the amount of storage needed is reasonably limited. In a sequence of results [17], [1], [18] and finally [23], it was established that the existence of one-way functions is necessary and sufficient for the existence secure signatures. This result, however theoretically very import...

1 | Fail-Stop Signatures Without Trees, Hildesheimer Informatik-Berichte 16/94
- Pfitzmann
- 1994
Citation Context ... are an RSA-assumption and the factoring assumption (or more precisely, the existence of a particular family of claw-free trapdoor permutations), respectively. For efficient fail-stop signatures, see [21]. These schemes yield practically much smaller signatures compared to, for instance, [13]. The reason is that, instead of binary authentication trees, these schemes allow the use of trees with much la...

1 | Provably Unforgeable Signatures, Proceeding of Crypto '92 - Bos, Chaum

1 | Shared Randomness and the Size of Secure Signatures
- Cramer
- 1995
Citation Context ...secure and truly practical digital signature scheme, that may be used in today's or tomorrow's information systems. Recently, progress has been made in this area. By the work of [8], and subsequently [10], it can be concluded that the first two requirements, namely proven security, moderate amount of computation and provision of any reasonable number of small-sized signatures, can be satisfied. The cr...

1 | Efficient and Provable Security Amplifications, CWI
- Cramer, Pedersen
- 1995
Citation Context ...essage attacks. Such a scheme can be efficiently transformed to a scheme that is secure against active attacks, as is desired here, by means of a technique described in [11]. The loss of efficiency is a factor of two (twice as much computation, signature size twice as large). But we can do better in this case, if we add one prime q (q ? n) with a special purpose to the l...