## An Efficient Existentially Unforgeable Signature Scheme and its Applications (1994)


Venue: Journal of Cryptology

Citations: 46 - 5 self

### BibTeX

    @INPROCEEDINGS{Dwork94anefficient,
        author = {Cynthia Dwork and Moni Naor},
        title = {An Efficient Existentially Unforgeable Signature Scheme and its Applications},
        booktitle = {Journal of Cryptology},
        year = {1994},
        pages = {234--246},
        publisher = {Springer-Verlag}
    }


### Abstract

A signature scheme is existentially unforgeable if, given any polynomial (in the security parameter) number of pairs $(m_1, S(m_1)), (m_2, S(m_2)), \ldots, (m_k, S(m_k))$, where $S(m)$ denotes the signature on the message $m$, it is computationally infeasible to generate a pair $(m_{k+1}, S(m_{k+1}))$ for any message $m_{k+1} \notin \{m_1, \ldots, m_k\}$. We present an existentially unforgeable signature scheme that for a reasonable setting of parameters requires at most 6 times the amount of time needed to generate a signature using "plain" RSA (which is not existentially unforgeable). We point out applications where our scheme is desirable.

Preliminary version appeared in Crypto'94.

† IBM Research Division, Almaden Research Center, 650 Harry Road, San Jose, CA 95120. Research supported by a BSF Grant 32-00032-1. E-mail: dwork@almaden.ibm.com.

‡ Incumbent of the Morris and Rose Goldman Career Development Chair, Dept. of Applied Mathematics and Computer Science, Weizmann Institute of Science, Re...

### Citations

3188 | A method for obtaining digital signatures and public-key cryptosystems
- Rivest, Shamir, et al.
- 1977
Citation Context ...text of signing faxes. 2 Related Work and Its Influence Since the introduction of the concept of digital signatures by Diffie and Hellman [11] and the first proposals of candidates for implementation [23, 30], the subject has been widely studied. In this section we briefly summarize the major developments (not necessarily in chronological order), especially those pertaining to the scheme proposed in thi...

2966 | Hellman: New Directions in Cryptography
- Diffie, Martin
- 1976
Citation Context ...eme (or any other existentially unforgeable scheme) in the context of signing faxes. 2 Related Work and Its Influence Since the introduction of the concept of digital signatures by Diffie and Hellman [11] and the first proposals of candidates for implementation [23, 30], the subject has been widely studied. In this section we briefly summarize the major developments (not necessarily in chronological...

869 | Rivest: A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks
- Goldwasser, Micali, et al.
- 1988
Citation Context ...ient existentially unforgeable signature scheme which we believe is the first practical one. For a reasonable choice of parameters it is about 30 times more efficient than the best previous proposals [14, 20, 18]. The security of the scheme relies only on the following RSA assumption: Assumption 1 Let N be the product of two large primes. Then, without knowing the factorization of N, it is computationally in...

622 | Efficient signature generation by smart cards
- Schnorr
- 1991
Citation Context ...res and messages; that is, the scheme is not existentially unforgeable. (For recent results concerning the security of the El-Gamal scheme see [6, 27].) The Fiat-Shamir scheme [16] and its descendants [17, 24, 32] are very efficient, since, unlike RSA and related schemes, they do not require modular exponentiation. However, they do require that the "one-way hash" function actually be something stronger, more l...

405 | The MD5 Message Digest Algorithm
- Rivest
- 1992
Citation Context ...azzo-Naor construction is actually collision-intractable (assuming the abovementioned worst-case lattice problems are hard). There are also various proposals for fast one-way hash functions, like MD5 [29] and SHA [1], whose security is not treated formally. This does not mean that they are useless, but the goal of this paper is to provide a solution that is efficient and provably secure. Note that col...

352 | The Exact Security of Digital Signatures – How to Sign with RSA and Rabin
- Bellare, Rogaway
- 1996
Citation Context ...roof of existential unforgeability for such a scheme is known (unless one resorts to such assumptions as the existence of a publicly accessible (publicly computable) truly random function (see, e.g., [4])). The implementation of an existentially unforgeable signature scheme suggested in [20] was based on the hardness of factoring and various improvements were suggested in [18]. Constructions based on...

226 | A digital signature based on a conventional encryption function
- Merkle
- 1987
Citation Context ...priori upper bound on the number of messages the scheme can sign. The size of the public key is usually related to this number.) The first such scheme is due to Lamport (described in [11] and used in [14, 22, 25, 31]). This scheme requires as many invocations of a one-way function as there are bits to be signed (some improvements are known). The scheme of Bos and Chaum [7] can be viewed as a fixed-time signature ...

225 | Security proofs for signature schemes
- Pointcheval, Stern
- 1996
Citation Context ...heme, it is possible to generate other legitimate signatures and messages; that is, the scheme is not existentially unforgeable. (For recent results concerning the security of the El-Gamal scheme see [6, 27].) The Fiat-Shamir scheme [16] and its descendants [17, 24, 32] are very efficient, since, unlike RSA and related schemes, they do not require modular exponentiation. However, they do require that the ...

206 | One-way functions are necessary and sufficient for secure signatures
- Rompel
- 1990
Citation Context ... of factoring and various improvements were suggested in [18]. Constructions based on more general assumptions (trapdoor permutations, one-to-one one-way functions and one-way functions) were given in [3, 25, 31]. These schemes are all rather inefficient in that they employ a tree whose height is proportional to the logarithm (to a small base) of the total number of messages signed by the system. Signing and ...

168 | Generating hard instances of lattice problems
- Ajtai
- 1996
Citation Context ... schemes based on factoring). In particular, breaking the assumed universal one-way hash property of this family is proved in [21] to be as hard as solving a random subset sum problem. Recently Ajtai [2] showed that breaking such functions implies the ability to solve several worst-case lattice problems. On the other hand, Schnorr and Horner [33] (and ref. therein) provide computational experience in...

154 | Hiding information and signatures in trapdoor knapsacks
- Merkle, Hellman
- 1978
Citation Context ...text of signing faxes. 2 Related Work and Its Influence Since the introduction of the concept of digital signatures by Diffie and Hellman [11] and the first proposals of candidates for implementation [23, 30], the subject has been widely studied. In this section we briefly summarize the major developments (not necessarily in chronological order), especially those pertaining to the scheme proposed in thi...

143 | An Efficient Off-Line Electronic Cash System Based on the Representation Problem
- Brands
- 1993
Citation Context ...de computational experience in solving such problems, which implies bounds on the choice of parameters. Collision-intractable hash functions can be constructed based on the discrete logarithm problem [8, 9]. Alternatively, as was pointed out by [19], Ajtai's results imply that the Impagliazzo-Naor construction is actually collision-intractable (assuming the abovementioned worst-case lattice problems are...

102 | Collision-resistant hashing: Towards making UOWHFs practical
- Bellare, Rogaway
- 1997
Citation Context ... functions, and constructions are known to exist under general assumptions [25, 31] (for more reasons why it may be preferable to assume only the existence of universal one-way hash functions, see [5]). In our context, the strings S are just documents. Thus for any fixed document D, if h is chosen at random from the family H of universal one-way hash functions then it is computationally infeasible...

100 | Collision free hash function and public key signature scheme Advance
- Damgard
- 1987
Citation Context ... on long documents, it is quite clear that some sort of one-way hashing should be used. These come in (at least) two flavors: universal one-way hash functions [25] and collision intractable functions [10]. A family H of universal one-way hash functions has the following property: Fix a string S. Let h be chosen at random from the family H of universal one-way hash functions. Then it is computationally...

85 | On the Generation of Cryptographically Strong Pseudo-Random Sequences
- Shamir
- 1983
Citation Context ...p; m p mod N) = m] ! 1 q(`) where the probability is over the choices of N and m and the internal coin flips of F. Intuitively, the security of the scheme rests on the important observations made in [34] and [16] respectively:
• Having a black box that computes $x^{1/p_1} \bmod N$ for random $x$ does not help in evaluating $x^{1/p_2} \bmod N$, if $p_1$ and $p_2$ are relatively prime.
• For numbers $x_1, x_2,$ ...

83 | Efficient cryptographic schemes provably as secure as subset sum
- Impagliazzo, Naor
- 1989
Citation Context ...h functions then it is computationally infeasible to find a document $D'$ such that $h(D) = h(D')$. One concrete proposal for constructing universal one-way hash functions, due to Impagliazzo and Naor [21], is based on the subset sum problem (they also propose some less efficient schemes based on factoring). In particular, breaking the assumed universal one-way hash property of this family is proved in...

74 | Cryptographically Strong Undeniable Signatures, Unconditionally Secure for the Signer
- Chaum, Heijst, et al.
- 1991
Citation Context ...de computational experience in solving such problems, which implies bounds on the choice of parameters. Collision-intractable hash functions can be constructed based on the discrete logarithm problem [8, 9]. Alternatively, as was pointed out by [19], Ajtai's results imply that the Impagliazzo-Naor construction is actually collision-intractable (assuming the abovementioned worst-case lattice problems are...

69 | Attacking the Chor-Rivest cryptosystem by improved lattice reduction
- Hörner, Schnorr
- 1995
Citation Context ... as solving a random subset sum problem. Recently Ajtai [2] showed that breaking such functions implies the ability to solve several worst-case lattice problems. On the other hand, Schnorr and Horner [33] (and ref. therein) provide computational experience in solving such problems, which implies bounds on the choice of parameters. Collision-intractable hash functions can be constructed based on the di...

61 | On-line/off-line Digital Signatures
- Even, Goldreich, et al.
- 1990
Citation Context ...ient existentially unforgeable signature scheme which we believe is the first practical one. For a reasonable choice of parameters it is about 30 times more efficient than the best previous proposals [14, 20, 18]. The security of the scheme relies only on the following RSA assumption: Assumption 1 Let N be the product of two large primes. Then, without knowing the factorization of N, it is computationally in...

45 | How to sign given any trapdoor function
- Bellare, Micali
- 1992
Citation Context ... of factoring and various improvements were suggested in [18]. Constructions based on more general assumptions (trapdoor permutations, one-to-one one-way functions and one-way functions) were given in [3, 25, 31]. These schemes are all rather inefficient in that they employ a tree whose height is proportional to the logarithm (to a small base) of the total number of messages signed by the system. Signing and ...

39 | Gamal,”A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms
- El
- 1984
Citation Context ...s extensive pre-computation, "between" signing of different documents, but the on-line computation required for signing is very efficient. The size of a signature is rather large. The El-Gamal scheme [13] signature scheme relies on no cleanly specified function; moreover, given a legitimately signed document in that scheme, it is possible to generate other legitimate signatures and messages; that is, ...

29 | Two remarks concerning the goldwasser-micali-rivest signature scheme
- Goldreich
- 1987
Citation Context ...ient existentially unforgeable signature scheme which we believe is the first practical one. For a reasonable choice of parameters it is about 30 times more efficient than the best previous proposals [14, 20, 18]. The security of the scheme relies only on the following RSA assumption: Assumption 1 Let N be the product of two large primes. Then, without knowing the factorization of N, it is computationally in...

24 | How to Prove Yourself
- Fiat, Shamir
- 1986
Citation Context ... other legitimate signatures and messages; that is, the scheme is not existentially unforgeable. (For recent results concerning the security of the El-Gamal scheme see [6, 27].) The Fiat-Shamir scheme [16] and its descendants [17, 24, 32] are very efficient, since, unlike RSA and related schemes, they do not require modular exponentiation. However, they do require that the "one-way hash" function actua...

23 | Cryptanalysis of MD5 compress," Presented at the rump session of Eurocrypt'96
- Dobbertin
- 1996
Citation Context ... not treated formally. This does not mean that they are useless, but the goal of this paper is to provide a solution that is efficient and provably secure. Note that collisions have been found in MD5 [12]. A nice property for the one-way hash function to have is that it is easy to compute it on the fly, without storing D. All the above proposals enjoy this property, or can be easily adapted to have it...

19 | Provable unforgeable signatures
- Bos, Chaum
- 1993
Citation Context ...scribed in [11] and used in [14, 22, 25, 31]). This scheme requires as many invocations of a one-way function as there are bits to be signed (some improvements are known). The scheme of Bos and Chaum [7] can be viewed as a fixed-time signature scheme. In this scheme the size of the public information needed grows at least as fast as the square root of the number of messages the scheme should be able ...

15 | An Improvement of the Fiat–Shamir Identification and Signature Scheme. Crypto
- Micali, Shamir
- 1988
Citation Context ...res and messages; that is, the scheme is not existentially unforgeable. (For recent results concerning the security of the El-Gamal scheme see [6, 27].) The Fiat-Shamir scheme [16] and its descendants [17, 24, 32] are very efficient, since, unlike RSA and related schemes, they do not require modular exponentiation. However, they do require that the "one-way hash" function actually be something stronger, more l...

8 | Generating El Gamal Signatures without Knowing the Secret Key
- Bleichenbacher
- 1996
Citation Context ...heme, it is possible to generate other legitimate signatures and messages; that is, the scheme is not existentially unforgeable. (For recent results concerning the security of the El-Gamal scheme see [6, 27].) The Fiat-Shamir scheme [16] and its descendants [17, 24, 32] are very efficient, since, unlike RSA and related schemes, they do not require modular exponentiation. However, they do require that the ...

4 | Universal One Way Hash Functions and Their Cryptographic Applications
- Naor, Yung
- 1989
Citation Context ... of factoring and various improvements were suggested in [18]. Constructions based on more general assumptions (trapdoor permutations, one-to-one one-way functions and one-way functions) were given in [3, 25, 31]. These schemes are all rather inefficient in that they employ a tree whose height is proportional to the logarithm (to a small base) of the total number of messages signed by the system. Signing and ...

3 | Rabin Digital Signatures and Public Key Functions as Intractable as Factoring
- O
- 1979
Citation Context ...eaningful forgery. However, as seen from the claim check and FAX examples outlined in the Introduction, there are indeed real-world applications for existential unforgeability. The RSA [30] and Rabin [28] schemes are known not to have this desirable property. Note that common ways of applying these schemes, involving signing h(m) where h is some hash function with mysterious powers, are not known to b...