## verification with ID-based signatures (2004)

Venue: | Proceedings of Information Security and Cryptology |

Citations: | 20 - 0 self |

### BibTeX

@INPROCEEDINGS{Yoon04verificationwith,

author = {Hyojin Yoon and Jung Hee Cheon and Yongdae Kim},

title = {verification with ID-based signatures},

booktitle = {Proceedings of Information Security and Cryptology},

year = {2004},

pages = {233--248}

}

### OpenURL

### Abstract

Abstract. An identity (ID)-based signature scheme allows any pair of users to verify each other’s signatures without exchanging public key certificates. With the advent of Bilinear maps, several ID-based signatures based on the discrete logarithm problem have been proposed. While these signatures have an advantage in the fact that the system secret can be shared by several parties using a threshold scheme (thereby overcoming the security problem of RSA-based ID-based signature schemes), they all share the same efficiency disadvantage. To overcome this, some schemes have focused on finding ways to verify multiple signatures at the same time (i.e. the batch verification problem). While they had some success in improving efficiency of verification, each had a slightly diversified definition of batch verification. In this paper, we propose a taxonomy of batch verification against which we analyze security of well-known ID-based signature schemes. We also propose a new ID-based signature scheme that allows for all types of multiple signature batch verification, and prove its security in random oracle model. Key words: ID-based signatures, Batch verifications 1

### Citations

884 | How to Prove Yourself: Practical Solutions of Identification and Signature Problems
- Fiat, Shamir
- 1987
(Show Context)
Citation Context ...osed [9, 29, 30, 21]. While these ID-based signatures have improved key management and key recovery, their disadvantage lies in the fact that the signer’s key is shared with the private key generator =-=[13, 10]-=-. This problem can be alleviated using signatures based ⋆ The first and second authors were supported in part by Korea Telecom. ⋆⋆ The third author is supported in part by DTC Intelligent Storage Cons... |

799 |
Identity-based cryptosystems and signature schemes
- Shamir
- 1985
(Show Context)
Citation Context ...del for public key cryptography, called identity (ID)-based encryption and signature schemes. The goal was to simplify key management procedures of certificate-based public key infrastructures (PKIs) =-=[27]-=-. Since then, several ID-based encryption and signature schemes. based on integer factorization problem, have been proposed [9, 29, 30, 21]. While these ID-based signatures have improved key managemen... |

326 |
Zero knowledge proofs of identity
- Feige, Fiat, et al.
- 1988
(Show Context)
Citation Context ...osed [9, 29, 30, 21]. While these ID-based signatures have improved key management and key recovery, their disadvantage lies in the fact that the signer’s key is shared with the private key generator =-=[13, 10]-=-. This problem can be alleviated using signatures based ⋆ The first and second authors were supported in part by Korea Telecom. ⋆⋆ The third author is supported in part by DTC Intelligent Storage Cons... |

324 | Efficient Identification and Signatures for Smart Cards - Schnorr - 1990 |

313 | Efficient algorithms for pairingbased cryptosystems
- Barreto, Kim, et al.
- 2002
(Show Context)
Citation Context ...irings, they suffer from an efficiency problem that puts restrictions on their use in applications: Their signature verifications are between ten and two hundred times slower than those of DSS or RSA =-=[1]-=-. This problem may be critical in some applications such as electronic commerce and banking service, in which one server may have to verify many signatures simultaneously. To improve the efficiency of... |

300 | Security Arguments for Digital Signatures and Blind Signatures
- Pointcheval, Stern
(Show Context)
Citation Context ...10(qS + 1)(qS + qH1)qH2)/(ℓ − 1), then the CDHP can be solved with probability ≥ 1/9 and within running time ≤ (23qH1qH2T0)/ ( ( )) 1 ɛ0 1 − ℓ where ℓ is a security parameter. Using the forking lemma =-=[26]-=- and [8, Lemma 1], we can prove this theorem. We discuss the rigorous proof of this theorem in the Appendix. 4.2 Security of Batch Verifications In the our ID-based signature scheme, secure batch veri... |

250 | Aggregate and verifiably encrypted signatures from bilinear maps
- Boneh, Gentry, et al.
- 2003
(Show Context)
Citation Context ...lid signature corresponding to the message. Recently, Boneh et al. proposed aggregate signatures (BGLS scheme) using bilinear maps, in which multiple signatures are aggregated into a single signature =-=[3]-=-. They allow for batch verification of type 3, but the efficiency gain is almost half of usual verifications. We note that there have been many efforts that aim at speeding up simultaneous verificatio... |

168 | Efficient threshold signature, multisignature, and blind signature schemes based on the Gap-Diffie-Hellman-group signature scheme
- Boldyreva
- 2003
(Show Context)
Citation Context ...n multiple messages generated by multiple signers, where each message is signed by a distinct user Type 1 signature was traditionally classified as multisignature and has been studied for a long time =-=[16, 23, 24, 20, 6]-=-. Due to its simplicity, it allows for very efficient batch verification. Type 2 batch verification proposals centered around batch RSA [11, 2] and have been a topic of research since late 80’s. Compr... |

156 | Efficient identity based signature schemes based on pairings
- Hess
- 2003
(Show Context)
Citation Context ... since in this case the secret key can be shared by several parties using a threshold scheme. Several ID-based signatures with these properties that use pairings in elliptic curves have been proposed =-=[14, 25, 8]-=-. In spite of several advantages of ID-based signatures schemes based on pairings, they suffer from an efficiency problem that puts restrictions on their use in applications: Their signature verificat... |

154 | An identity-based signature from gap Diffie-Hellman groups
- Cha, Cheon
- 2003
(Show Context)
Citation Context ... since in this case the secret key can be shared by several parties using a threshold scheme. Several ID-based signatures with these properties that use pairings in elliptic curves have been proposed =-=[14, 25, 8]-=-. In spite of several advantages of ID-based signatures schemes based on pairings, they suffer from an efficiency problem that puts restrictions on their use in applications: Their signature verificat... |

140 | Fast batch verification for modular exponentiation and digital signatures
- Bellare, Garay, et al.
- 1998
(Show Context)
Citation Context ...gnature and has been studied for a long time [16, 23, 24, 20, 6]. Due to its simplicity, it allows for very efficient batch verification. Type 2 batch verification proposals centered around batch RSA =-=[11, 2]-=- and have been a topic of research since late 80’s. Compression of multiple RSA signatures of type 2 into one signature is also called condensed RSA [19]. More precisely, our discussion deals with dif... |

103 | ID-based signatures from pairings on elliptic curves
- Paterson
- 2002
(Show Context)
Citation Context ... since in this case the secret key can be shared by several parties using a threshold scheme. Several ID-based signatures with these properties that use pairings in elliptic curves have been proposed =-=[14, 25, 8]-=-. In spite of several advantages of ID-based signatures schemes based on pairings, they suffer from an efficiency problem that puts restrictions on their use in applications: Their signature verificat... |

49 | Reyzin L. Accountable-Subgroup multisignatures
- Micali, Ohta
- 2001
(Show Context)
Citation Context ...n multiple messages generated by multiple signers, where each message is signed by a distinct user Type 1 signature was traditionally classified as multisignature and has been studied for a long time =-=[16, 23, 24, 20, 6]-=-. Due to its simplicity, it allows for very efficient batch verification. Type 2 batch verification proposals centered around batch RSA [11, 2] and have been a topic of research since late 80’s. Compr... |

44 |
Non-interective public-key cryptography
- Maurer, Yacobi
- 1992
(Show Context)
Citation Context ...ement procedures of certificate-based public key infrastructures (PKIs) [27]. Since then, several ID-based encryption and signature schemes. based on integer factorization problem, have been proposed =-=[9, 29, 30, 21]-=-. While these ID-based signatures have improved key management and key recovery, their disadvantage lies in the fact that the signer’s key is shared with the private key generator [13, 10]. This probl... |

29 |
A Realization Scheme for the Identity-based Cryptosystem.Advances
- Tanaka
- 1987
(Show Context)
Citation Context ...ement procedures of certificate-based public key infrastructures (PKIs) [27]. Since then, several ID-based encryption and signature schemes. based on integer factorization problem, have been proposed =-=[9, 29, 30, 21]-=-. While these ID-based signatures have improved key management and key recovery, their disadvantage lies in the fact that the signer’s key is shared with the private key generator [13, 10]. This probl... |

27 |
K.A public key cryptosystem suitable for digital multi-signature[J].NEC Res and Develop
- Itakura, Nakamura
- 1983
(Show Context)
Citation Context ...n multiple messages generated by multiple signers, where each message is signed by a distinct user Type 1 signature was traditionally classified as multisignature and has been studied for a long time =-=[16, 23, 24, 20, 6]-=-. Due to its simplicity, it allows for very efficient batch verification. Type 2 batch verification proposals centered around batch RSA [11, 2] and have been a topic of research since late 80’s. Compr... |

25 | Efficient ID-based blind signature and proxy signature from bilinear pairings - Zhang - 2003 |

24 |
Public-key Systems based on the Difficulty of Tampering
- Desmedt, Quisquater
- 1987
(Show Context)
Citation Context ...ement procedures of certificate-based public key infrastructures (PKIs) [27]. Since then, several ID-based encryption and signature schemes. based on integer factorization problem, have been proposed =-=[9, 29, 30, 21]-=-. While these ID-based signatures have improved key management and key recovery, their disadvantage lies in the fact that the signer’s key is shared with the private key generator [13, 10]. This probl... |

23 | Attacking and repairing batch verification schemes
- Boyd, Pavlovski
- 2000
(Show Context)
Citation Context ...t the efficiency gain is almost half of usual verifications. We note that there have been many efforts that aim at speeding up simultaneous verifications of modular exponentiations for DSA signatures =-=[22, 18, 2, 7]-=-. These approaches are independent of specific signature schemes, but the efficiency gain over the sum of individual verifications is limited. On the other hand, our approach can give significant impr... |

23 |
A digital multisignature scheme based on the Fiat-Shamir scheme
- Ohta, Okamoto
- 1993
(Show Context)
Citation Context |

21 | Batch Exponentiation - A Fast DLP based Signature Generattion Strategy
- M’Raithi, Naccache
- 1996
(Show Context)
Citation Context ...t the efficiency gain is almost half of usual verifications. We note that there have been many efforts that aim at speeding up simultaneous verifications of modular exponentiations for DSA signatures =-=[22, 18, 2, 7]-=-. These approaches are independent of specific signature schemes, but the efficiency gain over the sum of individual verifications is limited. On the other hand, our approach can give significant impr... |

15 |
An ID-based Cryptosystem based on the Discrete Logarithm Problem
- Tsuji, Itoh
- 1989
(Show Context)
Citation Context |

8 |
Multiprecision integer and rational arithmetic c/c++ library. http: //indigo.ie/∼mscott/#Elliptic
- Ltd
(Show Context)
Citation Context ... gap Diffie-Hellman group. To estimate the performance of our scheme, we first present experimental results for the cost of several cryptographic primitives in Table 1. We used Miracl library v.4.8.2 =-=[17]-=- in P3-977 MHz with 512 Mbytes memory. In MapToPoint and Pairing, we considered a subgroup of order q in a supersingular elliptic curve E over Fp, where p is a 512 bit prime and q is a 160 bit prime. ... |

4 | Forking Lemmas in Ring Signatures’ Scenario
- Herranz, Sáez
- 2003
(Show Context)
Citation Context ... n such that i ̸= j within time T ′ = 144823VqH1 ,k(1+qS)T ɛ . The Lemma 1 can be proved using the similar method with [15, Theorem 2] except the number of signatures in output n ∈ {1, · · · , k}. In =-=[15]-=-, they deal with the ring signature, so the number of signatures i.e. random parts Ri’s are fixed as the number of users in the ring. But in the batch verification of Type 2, the number of signatures ... |

3 |
Can D.S.A be improved? Complexity trade-offs with the
- Naccache, M’Raithi, et al.
- 1994
(Show Context)
Citation Context ...t the efficiency gain is almost half of usual verifications. We note that there have been many efforts that aim at speeding up simultaneous verifications of modular exponentiations for DSA signatures =-=[22, 18, 2, 7]-=-. These approaches are independent of specific signature schemes, but the efficiency gain over the sum of individual verifications is limited. On the other hand, our approach can give significant impr... |

2 |
Short signature from the Weil pairing. Advances in Cryptology - Asiacrypt 2001
- Boneh, Lynn, et al.
- 2001
(Show Context)
Citation Context ...an automorphism over G. Then e is an efficiently computable non-degenerate bilinear map. The Tate pairing has similar properties and is more efficient than the Weil pairing. For the details, refer to =-=[4]-=-. 2.2 Some Problems Let G be a cyclic group of prime order ℓ and P a generator of G. 1. The decisional Diffie-Hellman Problem (DDHP) is to decide whether c = ab in Z/ℓZ for given P, aP, bP, cP ∈ G. If... |

2 |
A preliminary version appeared
- Cryptology, Vol
- 1997
(Show Context)
Citation Context ...gnature and has been studied for a long time [16, 23, 24, 20, 6]. Due to its simplicity, it allows for very efficient batch verification. Type 2 batch verification proposals centered around batch RSA =-=[11, 2]-=- and have been a topic of research since late 80’s. Compression of multiple RSA signatures of type 2 into one signature is also called condensed RSA [19]. More precisely, our discussion deals with dif... |

1 |
Providing Efficient Data Integrity Mechanisms
- Mykletun, Narasimha, et al.
- 2004
(Show Context)
Citation Context ...ication proposals centered around batch RSA [11, 2] and have been a topic of research since late 80’s. Compression of multiple RSA signatures of type 2 into one signature is also called condensed RSA =-=[19]-=-. More precisely, our discussion deals with different notion of batch verification, called screening [2]. That is, we only want to determine whether the signer has at some point authenticated the text... |