## On Concrete Security Treatment of Signatures Derived from Identification (1998)

Venue: | In Crypto '98, LNCS 1462 |

Citations: | 40 - 1 self |

### BibTeX

@INPROCEEDINGS{Ohta98onconcrete,

author = {Kazuo Ohta and Tatsuaki Okamoto},

title = {On Concrete Security Treatment of Signatures Derived from Identification},

booktitle = {In Crypto '98, LNCS 1462},

year = {1998},

pages = {354--369},

publisher = {Springer-Verlag}

}

### Years of Citing Articles

### OpenURL

### Abstract

Signature schemes that are derived from three move identification schemes such as the Fiat-Shamir, Schnorr and modified ElGamal schemes are a typical class of the most practical signature schemes. The random oracle paradigm [1, 2, 12] is useful to prove the security of such a class of signature schemes [4, 12]. This paper presents a new key technique, "ID reduction", to show the concrete security result of this class of signature schemes under the random oracle paradigm. First, we apply this technique to the Schnorr and modified ElGamal schemes, and show the "concrete security analysis" of these schemes. We then apply it to the multi-signature schemes.

### Citations

2949 | A method for obtaining digital signatures and public-key cryptosystems
- Rivest, Shamir, et al.
- 1978
(Show Context)
Citation Context ...wever, was geared towards feasibility result and thus very inefficient and far from practical. In addition, even the scheme by [7] is much less efficient than typical practical schemes such as the RSA=-=[14]-=- and Schnorr[15] schemes. Therefore, no provably secure scheme as efficient as typical practical schemes has been proposed. To realize provable security and efficiency simultaneously, another paradigm... |

1348 | Random oracles are practical: a paradigm for designing efficient protocols
- Bellare, Rogaway
- 1993
(Show Context)
Citation Context ...re derived from three move identification schemes such as the Fiat-Shamir, Schnorr and modified ElGamal schemes are a typical class of the most practical signature schemes. The random oracle paradigm =-=[1, 2, 12] is useful-=- to prove the security of such a class of signature schemes [4, 12]. This paper presents a new key technique, "ID reduction", to show the concrete security result of this class of signature ... |

1125 | A public-key cryptosystem and a signature scheme based on discrete logarithms - ElGamal - 1985 |

1053 | The Knowledge Complexity of Interactive Proof Systems
- Goldwasser, Micali, et al.
- 1985
(Show Context)
Citation Context ...r, we investigate a specific class of signature schemes that are derived from three move identification schemes, where the identification schemes are perfect zero-knowledge against an honest verifier =-=[6]-=-. This section shows the models and notations of such signature and identification schemes. 2.1 Signature Scheme In the signature scheme, signer P publishes public key K p while keeping secret key K s... |

835 | A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks
- Goldwasser, Micali, et al.
- 1988
(Show Context)
Citation Context ...m Oracle Paradigm The first formal definition of the security for digital signatures ("existentially unforgeable against adaptively chosen-message attacks") was given by Goldwasser, Micali a=-=nd Rivest [7]-=-, and a concrete signature scheme satisfying this security definition was shown by assuming the existence of a claw-free pair of functions [7]. Hereafter, this formal definition and model for signatur... |

703 |
Elliptic Curve Cryptosystems
- Koblitz
- 1987
(Show Context)
Citation Context ...Scheme We discuss here the Schnorr scheme [15] as an example, though similar results can be obtained for the Fiat-Shamir scheme [4, 5] etc. The schemes can also be implemented using an elliptic curve =-=[8]-=-. 4.1 Scheme Key generation: A trusted center publishes two large primes, p and q, such that q j (p0 1), and element g 2 (Z=pZ) 3 of order q. A signer P chooses a secret key s 2 Z=qZ and publishes the... |

332 | The exact security of digital signatures: How to sign with RSA and Rabin
- Bellare, Rogaway
- 1996
(Show Context)
Citation Context ...re derived from three move identification schemes such as the Fiat-Shamir, Schnorr and modified ElGamal schemes are a typical class of the most practical signature schemes. The random oracle paradigm =-=[1, 2, 12] is useful-=- to prove the security of such a class of signature schemes [4, 12]. This paper presents a new key technique, "ID reduction", to show the concrete security result of this class of signature ... |

314 | Universal one-way hash functions and their cryptographic applications
- Naor, Yung
- 1989
(Show Context)
Citation Context ...to realize a provably secure signature scheme assuming the weakest computational assumption, the existence of a one-way function. This target was finally solved affirmatively by Naor, Yung and Rompel =-=[9, 13]-=-. Their solution, however, was geared towards feasibility result and thus very inefficient and far from practical. In addition, even the scheme by [7] is much less efficient than typical practical sch... |

313 |
Efficient identification and signatures for smart cards
- Schnorr
- 1989
(Show Context)
Citation Context ...d towards feasibility result and thus very inefficient and far from practical. In addition, even the scheme by [7] is much less efficient than typical practical schemes such as the RSA[14] and Schnorr=-=[15]-=- schemes. Therefore, no provably secure scheme as efficient as typical practical schemes has been proposed. To realize provable security and efficiency simultaneously, another paradigm to prove the se... |

312 |
Zero-knowledge proofs of identity
- Feige, Fiat, et al.
- 1988
(Show Context)
Citation Context ...ptotic result of the Fiat-Shamir signature scheme proven in [12] can be trivially obtained just by combining the ID reduction lemma as the first stage reduction and the well-known techniques given by =-=[5]-=- as the second stage reduction. 2 Framework In this paper, we investigate a specific class of signature schemes that are derived from three move identification schemes, where the identification scheme... |

210 | Security proofs for signature schemes
- Pointcheval, Stern
(Show Context)
Citation Context ...re derived from three move identification schemes such as the Fiat-Shamir, Schnorr and modified ElGamal schemes are a typical class of the most practical signature schemes. The random oracle paradigm =-=[1, 2, 12] is useful-=- to prove the security of such a class of signature schemes [4, 12]. This paper presents a new key technique, "ID reduction", to show the concrete security result of this class of signature ... |

197 | One-way functions are necessary and sufficient for secure signatures - Rompel - 1990 |

22 |
How to Prove Yourself
- Fiat, Shamir
- 1987
(Show Context)
Citation Context ...rr and modified ElGamal schemes are a typical class of the most practical signature schemes. The random oracle paradigm [1, 2, 12] is useful to prove the security of such a class of signature schemes =-=[4, 12]. This pap-=-er presents a new key technique, "ID reduction", to show the concrete security result of this class of signature schemes under the random oracle paradigm. First, we apply this technique to t... |

22 |
A digital multisignature scheme based on the Fiat-Shamir schemeā, Asiacrypt 91
- Ohta, Okamoto
- 1991
(Show Context)
Citation Context ...ces our results regarding multisignature schemes. Due to the space limitation, we omit a detailed description of the results [11]. x The "two-round type" of multi-signature schemes have been=-= proposed [10]-=-. Our technique can also be applied to these schemes easily. 6.1 The Proposed Multi-Signature Schemes We propose provably secure multi-signature schemes against the most general attack, adaptively cho... |

2 |
The Exact Security of Multi-Signature Schemes
- Ohta, Okamoto
- 1997
(Show Context)
Citation Context ..."one-round type" of multisignature schemes x . This section briefly introduces our results regarding multisignature schemes. Due to the space limitation, we omit a detailed description of th=-=e results [11]. x The &q-=-uot;two-round type" of multi-signature schemes have been proposed [10]. Our technique can also be applied to these schemes easily. 6.1 The Proposed Multi-Signature Schemes We propose provably sec... |