## On the fly authentication and signature schemes based on groups of unknown order (2006)

Venue: Journal of Cryptology

Citations: 18 (1 self)

### BibTeX

```bibtex
@ARTICLE{Girault06onthe,
  author  = {Marc Girault and Guillaume Poupard and Jacques Stern},
  title   = {On the fly authentication and signature schemes based on groups of unknown order},
  journal = {Journal of Cryptology},
  year    = {2006},
  volume  = {19},
  pages   = {463--487}
}
```

### Abstract

École normale supérieure, Département d'informatique, 45 rue d'Ulm, F-75230 Paris Cedex 05, France (affiliation fragment; the abstract itself is not reproduced on this page).

### Citations

1334 | Random oracles are practical: A paradigm for designing efficient protocols
- Bellare, Rogaway
- 1993
Citation Context: ... proofs in a model where concrete objects are replaced by some ideal substitutes: applying this paradigm to hash functions yields the so-called random oracle model described by Bellare and Rogaway in [3]. Although this approach may not be considered as offering absolute proofs of security for cryptographic schemes, it provides a strong guarantee that their general design is not flawed. Next, the size...

1041 | Knowledge Complexity of Interactive Proof Systems
- Goldwasser, Rackoff
- 1989
Citation Context: ... a document digitally. Several proposals have addressed those questions, putting forward elegant solutions, many of them based on the concept of zero-knowledge introduced in 1985 by Goldwasser et al. [29]. In order to assess the performances of proposed schemes, three main properties have to be considered. The most important concern is, of course, security. Obviously, a system can be supported by the ...

833 | A Digital Signature Scheme Secure Against Adaptive Chosen Message Attacks
- Goldwasser, Micali, et al.
- 1988
Citation Context: ...cheme secure against passive attacks into a signature scheme leads to a secure signature scheme, i.e. a signature for which existential forgery under adaptive chosen message attack is impossible (see [30] and [1] for standard definition of security of digital signature schemes). Accordingly, it is enough to check: 1. That the GPS identification scheme remains zero-knowledge if the bound B is increased...

831 | How to prove yourself: Practical solutions to identification and signature problems
- Fiat, Shamir
- 1986
Citation Context: ... version of previous proposals of Chaum et al. [11], [10] and Beth [4]. Such a proof can be used as an identification scheme, and also converted into a signature scheme using the Fiat–Shamir paradigm [17]. In these schemes the size of the data is short, and the computation load is quite acceptable. Towards a more precise description, we let p be a prime number. We denote by Z*_p the set of invertible ...

583 | Efficient Signature Generation by Smart Cards
- Schnorr
- 1991
Citation Context: ... , where T is the average running time of an execution of the identification protocol. Proof. The proof of this lemma appears in Appendix B. It is quite similar to the extractor of the Schnorr scheme [43]. We now arrive at the main difference between the Schnorr proof and GPS. If the order of g were known and relatively prime with any integer in the range [1, B − 1], then, exactly as in the Schnorr sc...

311 | Efficient identification and signatures for smart cards
- Schnorr
- 1990
Citation Context: ...ort on the performances of a smart card application. 2. Description of GPS 2.1. Identification Schemes Based on the Discrete Logarithm Problem In 1989 Schnorr [42] proposed a nice proof of knowledge of a discrete logarithm in groups of known prime order. This proof is a more efficient version of previous proposals of Chaum et al. [11], [10] and Beth [4]. Such a...

310 | Zero-knowledge Proof of Identity
- Feige, Fiat, et al.
- 1988
Citation Context: ... identification scheme formally. We first define the security model we use. Next, in order to prove the security of the GPS protocol against active adversaries, we follow the approach of Feige et al. [15], proving completeness, zero-knowledge and soundness. 3.1. Security Model By means of an identification scheme a prover convinces a verifier of his ...

280 | Security arguments for digital signatures and blind signatures
- Pointcheval, Stern
Citation Context: ...can prove its security in our model, assuming the sole intractability of computing short discrete logarithms in base g, modulo n. Let us first recall a well known probabilistic lemma (see for example [39]): Lemma 5 (Splitting Lemma). Let A ⊂ X × Y such that Pr_{x,y}[A(x, y)] ≥ ε, and Ω = {a ∈ X | Pr_y[A(a, y)] ≥ ε/2}; then Pr_x[x ∈ Ω] ≥ ε/2. Theorem 6...

255 | Selecting Cryptographic Key Sizes
- Lenstra, Verheul
Citation Context: ...ulo a prime integer seems currently intractable if the size of the modulus is larger than 1536 bits. For more secure applications, |p| = 2048 may be appropriate; we refer to specific overviews such as [32] for a more precise analysis. – G = Z*_n with n an RSA modulus, i.e. a composite integer with two prime factors with almost the same size. The use of a 1536-bit modulus seems adequate to guarantee a h...

245 | The random oracle methodology, revisited
- Canetti, Goldreich, et al.
- 1998
Citation Context: ... without such an additional assumption. This approach validates the design of the scheme even if we must be careful with this model as shown by Canetti et al. [8]. A generic result due to Abdalla et al. [1] shows that the use of the Fiat–Shamir paradigm to transform an identification scheme secure against passive attacks into a signature scheme leads to a secu...

168 | Witness indistinguishable and witness hiding protocols
- Feige, Shamir
- 1990
Citation Context: ... and g2 and to prove the knowledge of a “representation” (s1, s2) such that I = g1^s1 · g2^s2 mod p. While this protocol is not proven to be zero-knowledge, it nonetheless is witness indistinguishable [16]. As a consequence, provided the computation of the discrete logarithm of g1 in base g2 modulo p is intractable, the scheme is provably secure against active adversaries, even for large challenges (no...

159 | Concurrent Zero-Knowledge
- Dwork, Naor, et al.
- 1998
Citation Context: ...to the second one but the contrary is not allowed. Notice that such a security model does not take into account concurrent attacks where the attacker performs parallel authentications with the prover [13] or reset attacks where he can reset the prover in a former state [9], [2]. Furthermore, classical man-in-the-middle attacks cannot be performed since we separate interactions with the prover from tho...

147 | Provably secure and practical identification schemes and corresponding signature schemes
- Okamoto
- 1993
Citation Context: ... Order of g KNOWN Order of g UNKNOWN Order of the multiplicative group KNOWN UNKNOWN Chaum, Evertse, van de Graaf and Peralta [11], [10], Beth [4], Schnorr [42], Okamoto [36] Brickell and McCurley [7] Girault [20], Biham and Shulman [6] GPS [21], [40], RDSA [5] Poupard and Stern [41] Fig. 1. Discrete logarithm related schemes classified according to the need for the order...

110 | Self-certified public keys
- Girault
- 2001
Citation Context: ...key has to be stored by the verifier (here the toll). Consequently, the system is much more secure against piracy. Earlier announcements. The GPS scheme was first proposed by Girault at Eurocrypt ’91 [21] as an example of a scheme with self-certified public keys but without security analysis. Then the main results of this paper appeared in a preliminary version at Eurocrypt ’98 [40]. The main technica...

74 | Resettable Zero-Knowledge
- Canetti, Goldreich, et al.
- 2000
Citation Context: ...security model does not take into account concurrent attacks where the attacker performs parallel authentications with the prover [13] or reset attacks where he can reset the prover in a former state [9], [2]. Furthermore, classical man-in-the-middle attacks cannot be performed since we separate interactions with the prover from those with the verifier. We can now define what is a secure identificati...

63 | Information technology - Security Techniques - Entity authentication mechanisms - Part 3: Entity authentication using a public key algorithm
- ISO/IEC
- 1993
Citation Context: ... modes of use are described in [25]. Finally, the GPS identification scheme has been standardized by ISO/IEC (International Organization for Standardization/International Electrotechnical Commission) [31], while the signature scheme is expected in 2007. Paper organization. In this paper we show that GPS achieves a combination of the strongest properties that one can demand in authentication applicatio...

60 | On-line/off-line digital signatures
- Even, Goldreich, et al.
Citation Context: ...ient. However, this attempt for designing on the fly signature schemes is not optimal since it still requires a modular multiplication. Another approach is much more general in character: Even et al. [14] proposed the concept of on-line/off-line digital signature and described a construction to transform any signature scheme in such a way that most of the computations can be done off-line. This was fu...

59 | On Diffie-Hellman key agreement with short exponents
- van Oorschot, Wiener
- 1996
Citation Context: ... randomly chosen. It should be noted that there exist parameters for which the computation of “short” exponents, typically of 160 bits, can be done very easily using partial Pohlig–Hellman techniques [45] if the order of g is known and if it has many small prime factors. Accordingly, we advise the use of modulus n which is the product of two strong primes, i.e. primes p such that (p − 1)/2 is also pri...

56 | An improved protocol for demonstrating possession of discrete logarithms and some generalizations
- Chaum, Evertse, van de Graaf
- 1988
Citation Context: ...blem In 1989 Schnorr [42] proposed a nice proof of knowledge of a discrete logarithm in groups of known prime order. This proof is a more efficient version of previous proposals of Chaum et al. [11], [10] and Beth [4]. Such a proof can be used as an identification scheme, and also converted into a signature scheme using the Fiat–Shamir paradigm [17]. In these schemes the size of the data is short, and...

46 | Improved online/offline signature schemes. CRYPTO ’01, LNCS 2139, pp. 355–367, Springer-Verlag, 2001.
- Shamir, Tauman
Citation Context: ...-line digital signature and described a construction to transform any signature scheme in such a way that most of the computations can be done off-line. This was further improved by Shamir and Tauman [44]. In this paper we study an interactive zero-knowledge identification scheme, called GPS for short, and a derived signature scheme. They combine provable security based on the discrete logarithm probl...

39 | An Interactive Identification Scheme Based on Discrete Logarithms and Factoring
- Brickell, McCurley
- 1991
Citation Context: ... Order of g KNOWN Order of g UNKNOWN Order of the multiplicative group KNOWN UNKNOWN Chaum, Evertse, van de Graaf and Peralta [11], [10], Beth [4], Schnorr [42], Okamoto [36] Brickell and McCurley [7] Girault [20], Biham and Shulman [6] GPS [21], [40], RDSA [5] Poupard and Stern [41] Fig. 1. Discrete logarithm related schemes classified according to the need for the order of the group and/or of th...

33 | Demonstrating Possession of a Discrete Logarithm without Revealing it
- Chaum, Evertse, et al.
- 1987
Citation Context: ...hm Problem In 1989 Schnorr [42] proposed a nice proof of knowledge of a discrete logarithm in groups of known prime order. This proof is a more efficient version of previous proposals of Chaum et al. [11], [10] and Beth [4]. Such a proof can be used as an identification scheme, and also converted into a signature scheme using the Fiat–Shamir paradigm [17]. In these schemes the size of the data is shor...

32 | From identification to signatures via the Fiat-Shamir transform: minimizing assumptions for security and forward-security
- Abdalla, An, et al.
- 2002
Citation Context: ... approach validates the design of the scheme even if we must be careful with this model as shown by Canetti et al. [8]. A generic result due to Abdalla et al. [1] shows that the use of the Fiat–Shamir paradigm to transform an identification scheme secure against passive attacks into a signature scheme leads to a secure signature scheme, i.e. a signature for wh...

28 | Identification protocols secure against reset attacks
- Bellare, Fischlin, et al.
- 2001
Citation Context: ...ity model does not take into account concurrent attacks where the attacker performs parallel authentications with the prover [13] or reset attacks where he can reset the prover in a former state [9], [2]. Furthermore, classical man-in-the-middle attacks cannot be performed since we separate interactions with the prover from those with the verifier. We can now define what is a secure identification pr...

28 | Efficient Zero-knowledge Identification Scheme for Smart Cards
- Beth
- 1988
Citation Context: ...chnorr [42] proposed a nice proof of knowledge of a discrete logarithm in groups of known prime order. This proof is a more efficient version of previous proposals of Chaum et al. [11], [10] and Beth [4]. Such a proof can be used as an identification scheme, and also converted into a signature scheme using the Fiat–Shamir paradigm [17]. In these schemes the size of the data is short, and the computat...

28 | An improved pseudo-random generator based on the discrete logarithm problem
- Gennaro
- 2008
Citation Context: ...to the so-called discrete logarithm with short exponent problem. Among other studies, this problem has been used in [45] in the context of the Diffie–Hellman key agreement scheme and also in [37] and [19] in the context of provably secure pseudorandom generators. Of course, if S is chosen greater than or equal to the order of g then the security assumption is reduced to the ordinary intractability of ...

28 | An identity-based identification scheme based on discrete logarithms modulo a composite number
- Girault
- 1991
Citation Context: ... g KNOWN Order of g UNKNOWN Order of the multiplicative group KNOWN UNKNOWN Chaum, Evertse, van de Graaf and Peralta [11], [10], Beth [4], Schnorr [42], Okamoto [36] Brickell and McCurley [7] Girault [20], Biham and Shulman [6] GPS [21], [40], RDSA [5] Poupard and Stern [41] Fig. 1. Discrete logarithm related schemes classified according to the need for the order of the group and/or of the base g to b...

28 | Security analysis of a practical “on the fly” authentication and signature generation
- Poupard, Stern
- 1998
Citation Context: ...t at Eurocrypt ’91 [21] as an example of a scheme with self-certified public keys but without security analysis. Then the main results of this paper appeared in a preliminary version at Eurocrypt ’98 [40]. The main technical differences are a more precise security model and a complete proof of security. Many technicalities have been streamlined and we only assume the intractability of computing discre...

22 | On the Length of Cryptographic Hash-Values used in Identification Schemes
- Girault, Stern
- 1994
Citation Context: ... Using the notion of t-collision-free hash functions, i.e. functions such that it is infeasible to find t distinct values with the same image, Girault and Stern [27] have precisely analyzed the consequences of such a modification on the security of identification schemes. This result can still be improved [22] if we consider that an attacker cannot perform more t...

20 | An efficient discrete log pseudo random generator
- Patel, Sundaram
- 1998
Citation Context: ...ecisely, to the so-called discrete logarithm with short exponent problem. Among other studies, this problem has been used in [45] in the context of the Diffie–Hellman key agreement scheme and also in [37] and [19] in the context of provably secure pseudorandom generators. Of course, if S is chosen greater than or equal to the order of g then the security assumption is reduced to the ordinary intractab...

18 | The composite discrete logarithm and secure authentication
- Pointcheval
- 2000
Citation Context: ...n further to a very simple operation, it is natural to eliminate the second modulus q by performing the operations y = r + sc in Z. This was first proposed by Girault in [21] and analysed in [40] and [38]. The security analysis of this protocol is precisely the subject of the present paper in a more general setting. Note that in [23], the on-line operation is r...

17 | On the fly signatures based on factoring
- Poupard, Stern
- 1999
Citation Context: ...NOWN Chaum, Evertse, van de Graaf and Peralta [11], [10], Beth [4], Schnorr [42], Okamoto [36] Brickell and McCurley [7] Girault [20], Biham and Shulman [6] GPS [21], [40], RDSA [5] Poupard and Stern [41] Fig. 1. Discrete logarithm related schemes classified according to the need for the order of the group and/or of the base g to be known by provers and verifiers. passive adversaries who just observe ...

6 | Can DSA be improved
- Naccache, M’raïhi, et al.
- 1995
Citation Context: ...alculations that have to be done on-line during authentication or signature computation. The latter is often the bottleneck of many applications, especially when smart cards are used. Naccache et al. [33] proposed to precompute use & throw coupons in order to make the DSA signature process much more efficient. However, this attempt for designing on the fly signature schemes is not optimal since it sti...

5 | Low-size coupons for low-cost IC cards
- Girault
Citation Context: ...istinct values with the same image, Girault and Stern [27] have precisely analyzed the consequences of such a modification on the security of identification schemes. This result can still be improved [22] if we consider that an attacker cannot perform more than a fixed number of on-line operations during the authentication process. In this setting, if we want a security level of 32 bits, we can choose...

4 | A Signature Scheme Based on the Intractability of Computing Roots
- Biehl, Buchmann, et al.
- 2002
Citation Context: ...cative group KNOWN UNKNOWN Chaum, Evertse, van de Graaf and Peralta [11], [10], Beth [4], Schnorr [42], Okamoto [36] Brickell and McCurley [7] Girault [20], Biham and Shulman [6] GPS [21], [40], RDSA [5] Poupard and Stern [41] Fig. 1. Discrete logarithm related schemes classified according to the need for the order of the group and/or of the base g to be known by provers and verifiers. passive advers...

2 | On the security of RDSA
- Fouque, Poupard
- 2003

2 | Public Key Authentication with one Single (on-line) Addition
- Girault, Lefranc
Citation Context: ...1] and analysed in [40] and [38]. The security analysis of this protocol is precisely the subject of the present paper in a more general setting. Note that in [23], the on-line operation is reduced to a single, but much longer, addition. Other schemes. A variant of GPS, called RDSA, has been proposed in [5] and analyzed in [18]. We can also note that the scheme...

2 | Some Modes of Use of the GPS Identification Scheme
- Girault, Poupard, et al.
- 2002
Citation Context: ...hms with short exponents. The GPS scheme has been submitted to the European NESSIE project and labelled by this project as a strong cryptographic primitive [34]. Various modes of use are described in [25]. Finally, the GPS identification scheme has been standardized by ISO/IEC (International Organization for Standardization/International Electrotechnical Commission) [31], while the signature scheme is...

2 | Portfolio of recommended cryptographic primitives, 2003. Available from http://www.cryptonessie.org
- NESSIE consortium
Citation Context: ...intractability of computing discrete logarithms with short exponents. The GPS scheme has been submitted to the European NESSIE project and labelled by this project as a strong cryptographic primitive [34]. Various modes of use are described in [25]. Finally, the GPS identification scheme has been standardized by ISO/IEC (International Organization for Standardization/International Electrotechnical Com...

1 | From Identification to Signatures via the Fiat-Shamir Transform: Minimizing Assumptions for Security and Forward-Security
- Abdalla, An, et al.
- 1993

1 | User-Defined Divisibility of Ecash and a Practical Implementation
- Biham, Shulman
- 2000
Citation Context: ...OWN Order of the multiplicative group KNOWN UNKNOWN Chaum, Evertse, van de Graaf and Peralta [11], [10], Beth [4], Schnorr [42], Okamoto [36] Brickell and McCurley [7] Girault [20], Biham and Shulman [6] GPS [21], [40], RDSA [5] Poupard and Stern [41] Fig. 1. Discrete logarithm related schemes classified according to the need for the order of the group and/or of the base g to be known by provers and ...

1 | ECC: Do We Need to Count
- Coron, Handschuh, et al.
- 1999
Citation Context: ... use of the base g = 2 for efficiency reasons. – G can also be derived from an elliptic curve. Analogs of GPS in the elliptic curve setting can be defined in a straightforward manner; see for example [12]. – Much more sophisticated mathematical structures can also be used; the only constraint is the intractability of the discrete logarithm with short exponent problem in such groups. An example of such...

1 | On-Line/Off-Line RSA-Like
- Girault, Paillès
- 2003
Citation Context: ...m where the order of the group and the order of the base are secrets owned by the prover. More recently, another factorization-based scheme has been proposed, in which the key pair is an RSA key pair [24]. 2.2. GPS Identification Scheme We now describe precisely the GPS identification scheme. The security analysis appears in the next section. Choice of the underlying mathematical structure. The GPS id...