## Efficient signature schemes with tight reductions to the Diffie-Hellman problems

Venue: Journal of Cryptology

Citations: 10 (0 self)

### BibTeX

@ARTICLE{Goh_efficientsignature,
  author = {Eu-jin Goh and Jonathan Katz and Nan Wang},
  title = {Efficient signature schemes with tight reductions to the Diffie-Hellman problems},
  journal = {Journal of Cryptology},
  year = {},
  volume = {20},
  pages = {493--514}
}

### Abstract

We propose and analyze two efficient signature schemes whose security is tightly related to the Diffie-Hellman problems in the random oracle model. Security of our first scheme relies on the hardness of the computational Diffie-Hellman problem; security of our second scheme — which is more efficient than the first — is based on the hardness of the decisional Diffie-Hellman problem, a stronger assumption. Given current state of the art, it is as difficult to solve the Diffie-Hellman problems as it is to solve the discrete logarithm problem in many groups of cryptographic interest. Thus, the signature schemes shown here can currently offer substantially better efficiency (for a given level of provable security) than existing schemes based on the discrete logarithm assumption. The techniques we introduce can be also applied in a wide variety of settings to yield more efficient cryptographic schemes (based on various number-theoretic assumptions) with tight security reductions.

### Citations

2925 | New directions in cryptography
- Diffie, Hellman
- 1976
Citation Context ...mes with tight security reductions (in the random oracle model) to problems related to the hardness of computing discrete logarithms. Our first scheme relies on the computational Diffie-Hellman (CDH) [16] problem and is based on a scheme previously suggested — but not proven secure — by Chaum, et al. [9, 11]. Our second scheme is more efficient, but its security is based on the stronger decisional Dif...

2681 | Handbook of Applied Cryptography
- Menezes, Oorschot, et al.
- 1997

1418 | Random Oracles are Practical: A Paradigm for Designing Efficient Protocols
- Bellare, Rogaway
- 1995
Citation Context ...me fixed value of the security parameter, let ε′ be an assumed upper bound on the probability of inverting a given trapdoor permutation in some time t′. The full domain hash (FDH) signature scheme [1, 2] bounds the success probability of any adversary running in time t ≈ t′ by ε ≈ (q_s + q_h)ε′, where q_s is the number of signatures the adversary obtains from the legitimate signer, and q_h represents ...

1227 | Identity-Based Encryption from the Weil Pairing
- Boneh, Franklin
- 2001
Citation Context ... schemes [2, 14] as well as the short signature scheme of Boneh, Lynn, and Shacham [5]; they can also be used to improve the security reduction for the Boneh-Franklin identity-based encryption scheme [4]. The ideas used in constructing our second scheme can be applied to yield other signature schemes with tight security reductions to decisional problems, rather than loose security reductions to compu...

881 | How to prove yourself: Practical solutions to identification and signature problems
- Fiat, Shamir
- 1987
Citation Context ...H if the underlying trapdoor permutation is random self-reducible as is the case for, e.g., RSA. Dodis and Reyzin [17], generalizing Coron’s work, show that a similar result 1 The random oracle model [18, 1] assumes a public, random function which is accessible by all parties. In practice, this oracle is instantiated by a cryptographic hash function. Although security can no longer be guaranteed for any ...

862 | A digital signature scheme secure against adaptive chosen-message attacks
- Goldwasser, Micali, et al.
- 1988
Citation Context ...us Work The above considerations have sparked a significant amount of research aimed at finding efficient signature schemes with tight security reductions. Though there exist signature schemes (e.g., [22, 15]) with tight security reductions in the so-called standard model, these schemes are generally considered too inefficient for practical use and so recent attention has turned to schemes analyzed in the...

592 | Short signatures from the Weil pairing
- Boneh, Lynn, et al.
Citation Context ... be used to obtain a tight proof of security while avoiding the need for a random salt in the PSS and PSS-R signature schemes [2, 14] as well as the short signature scheme of Boneh, Lynn, and Shacham [5]; they can also be used to improve the security reduction for the Boneh-Franklin identity-based encryption scheme [4]. The ideas used in constructing our second scheme can be applied to yield other si...

525 | Undeniable signatures
- Chaum, Antwerpen
- 1990
Citation Context ... computing discrete logarithms. Our first scheme relies on the computational Diffie-Hellman (CDH) [16] problem and is based on a scheme previously suggested — but not proven secure — by Chaum, et al. [9, 11]. Our second scheme is more efficient, but its security is based on the stronger decisional Diffie-Hellman (DDH) assumption. See Section 2.2 for formal definitions of these two assumptions. 3 For the ...

352 | The exact security of digital signatures - How to sign with RSA and Rabin
- Bellare, Rogaway
- 1996
Citation Context ...negligible probability, where both the running time of the adversary and its probability of forgery are measured as a function of some security parameter k. As first emphasized by Bellare and Rogaway [2], however, such results say nothing about the security of a given scheme in practice for a particular choice of security parameter, and against adversaries investing a particular amount of computation...

332 | A public key cryptosystem and a signature scheme based on discrete logarithms
- El Gamal
- 1985
Citation Context ...st widely-used discrete logarithm-based scheme, has no known proof of security. Existing provably-secure schemes based on the discrete logarithm assumption, such as those by Schnorr [29], an El Gamal [20] variant suggested by Pointcheval and Stern [28], and a DSS variant by Brickell et al. [6], rely on (variants of) the forking lemma for their proofs of security and therefore have very loose security ...

323 | Efficient identification and signatures for smart cards
- Schnorr
- 1990
Citation Context ...1], perhaps the most widely-used discrete logarithm-based scheme, has no known proof of security. Existing provably-secure schemes based on the discrete logarithm assumption, such as those by Schnorr [29], an El Gamal [20] variant suggested by Pointcheval and Stern [28], and a DSS variant by Brickell et al. [6], rely on (variants of) the forking lemma for their proofs of security and therefore have ve...

315 | Wallet databases with observers
- Chaum, Pedersen
- 1993
Citation Context ... computing discrete logarithms. Our first scheme relies on the computational Diffie-Hellman (CDH) [16] problem and is based on a scheme previously suggested — but not proven secure — by Chaum, et al. [9, 11]. Our second scheme is more efficient, but its security is based on the stronger decisional Diffie-Hellman (DDH) assumption. See Section 2.2 for formal definitions of these two assumptions. 3 For the ...

299 | Security Arguments for Digital Signatures and Blind Signatures
- Pointcheval, Stern
Citation Context ...pdoor permutations, including RSA. Unfortunately, the best known security reduction for schemes constructed using the Fiat-Shamir transformation relies on the “forking lemma” of Pointcheval and Stern [28], with some improvements in the analysis due to Micali and Reyzin [27]. Applying this lemma results in a very loose security reduction: roughly speaking, given an adversary running in time t and ‘brea...

255 | The random oracle methodology, revisited
- Canetti, Goldreich, et al.
- 1998
Citation Context ...random function which is accessible by all parties. In practice, this oracle is instantiated by a cryptographic hash function. Although security can no longer be guaranteed for any such instantiation [8], a proof in the random oracle model does seem to indicate that there are no ‘inherent’ weaknesses in the scheme and, in practice, serves as a useful validation tool for cryptographic constructions. 2...

208 | The Decision Diffie-Hellman Problem
- Boneh
- 1998
Citation Context ...ithm problems in the group are still believed to be hard [23]. On the other hand, for a number of groups of cryptographic interest, “the best known algorithm for DDH is a full discrete log algorithm” [3]. These include the commonly used group G ⊂ Z_p^* of order q, where p = αq + 1 and p, q are prime with gcd(α, q) = 1. Additionally, Shoup [30] shows that the DDH problem is as hard as the discrete log...

122 | On the exact security of full domain hash
- Coron
- 2000
Citation Context ...tes an emphasis on concrete security reductions that give explicit bounds on the adversary’s success probability (i.e., its probability of forging a signature) as a function of its expended resources [2, 13, 27, 14]. It also illustrates the importance of designing schemes with tight security reductions: that is, reductions showing that the success probability of an adversary running in some time t is roughly equ...

68 | Separating decision Diffie-Hellman from Diffie-Hellman in cryptographic groups
- Joux, Nguyen
- 2001
Citation Context ... statements is not believed to be true in general. Indeed, there are groups for which the DDH problem is ‘easy’, yet the CDH and discrete logarithm problems in the group are still believed to be hard [23]. On the other hand, for a number of groups of cryptographic interest, “the best known algorithm for DDH is a full discrete log algorithm” [3]. These include the commonly used group G ⊂ Z_p^* of order...

64 | Proof systems for general statements about discrete logarithms
- Camenisch, Stadler
- 1997
Citation Context ...st review some relevant background. Proving equality of discrete logarithms. Let G be a group of prime order q. We begin by reviewing the standard protocol for proving equality of discrete logarithms [10, 7], which is based on Schnorr’s proof of knowledge of a discrete logarithm [29]. In the protocol, a prover has values g, h, y_1, y_2 ∈ G, with g, h ≠ 1, together with an exponent x ∈ Z_q such that g^x =...

57 | An improved protocol for demonstrating possession of discrete logarithms and some generalizations
- Chaum, Evertse, van de Graaf
- 1988
Citation Context ...st review some relevant background. Proving equality of discrete logarithms. Let G be a group of prime order q. We begin by reviewing the standard protocol for proving equality of discrete logarithms [10, 7], which is based on Schnorr’s proof of knowledge of a discrete logarithm [29]. In the protocol, a prover has values g, h, y_1, y_2 ∈ G, with g, h ≠ 1, together with an exponent x ∈ Z_q such that g^x =...

54 | Optimal security proofs for PSS and other signature schemes
- Coron
- 2002
Citation Context ...tes an emphasis on concrete security reductions that give explicit bounds on the adversary’s success probability (i.e., its probability of forging a signature) as a function of its expended resources [2, 13, 27, 14]. It also illustrates the importance of designing schemes with tight security reductions: that is, reductions showing that the success probability of an adversary running in some time t is roughly equ...

50 | Lower bounds for discrete logarithms and related problems
- Shoup
- 1997
Citation Context ... decisional Diffie-Hellman (DDH) assumption. See Section 2.2 for formal definitions of these two assumptions. 3 For the Schnorr signature scheme, a tight reduction is known in the generic group model [30]. This model considers only algorithms which are oblivious to the representation of group elements. For certain groups, however, there are known algorithms (e.g., the index-calculus method) that do no...

30 | A signature scheme as secure as the Diffie-Hellman problem
- Goh, Jarecki
- 2003
Citation Context ...equently, asymptotic security reductions by themselves do not enable practically-meaningful ∗ This paper combines results that appeared in “A Signature Scheme as Secure as the Diffie-Hellman Problem” [21] presented at Eurocrypt 2003 and “Efficiency Improvements for Signature Schemes with Tight Security Reductions” [24] presented at ACM CCCS 2003. † eujin@cs.stanford.edu. Computer Science Department, S...

27 | The Diffie-Hellman protocol
- Maurer, Wolf
Citation Context ...a variety of well-studied cryptographic groups it is currently not known how to solve the Diffie-Hellman problems any faster than what can be achieved by solving the discrete logarithm problem itself [3, 25]. Moreover, there is some theoretical evidence that in certain groups the computational Diffie-Hellman assumption may be equivalent to the discrete logarithm assumption [30, 3, 25]. For such groups, t...

26 | Design validations for discrete logarithm based signature schemes
- Brickell, Pointcheval, et al.
Citation Context ...ovably-secure schemes based on the discrete logarithm assumption, such as those by Schnorr [29], an El Gamal [20] variant suggested by Pointcheval and Stern [28], and a DSS variant by Brickell et al. [6], rely on (variants of) the forking lemma for their proofs of security and therefore have very loose security reductions. 3 (The work of Micali and Reyzin, mentioned earlier, cannot be applied to any ...

26 | Secure signature schemes based on interactive protocols
- Cramer, Damgård

26 | Department of Commerce/National Institute of Standards and Technology
- 2000
Citation Context ...rapdoor permutations, there has been significantly less progress designing signature schemes with tight security reductions to the hardness of computing discrete logarithms (or related problems). DSS [31], perhaps the most widely-used discrete logarithm-based scheme, has no known proof of security. Existing provably-secure schemes based on the discrete logarithm assumption, such as those by Schnorr [2...

24 | Efficiency improvements for signature schemes with tight security reductions
- Katz, Wang
- 2003
Citation Context ...sults that appeared in “A Signature Scheme as Secure as the Diffie-Hellman Problem” [21] presented at Eurocrypt 2003 and “Efficiency Improvements for Signature Schemes with Tight Security Reductions” [24] presented at ACM CCCS 2003. † eujin@cs.stanford.edu. Computer Science Department, Stanford University. ‡ stasio@ics.uci.edu. School of Information and Computer Sciences, UC Irvine. Work done while at...

23 | On the Power of Claw-Free Permutations
- Dodis, Reyzin
- 2003
Citation Context ...ently, Coron [13] showed how to achieve the better security reduction ε ≈ q_s ε′ for FDH if the underlying trapdoor permutation is random self-reducible as is the case for, e.g., RSA. Dodis and Reyzin [17], generalizing Coron’s work, show that a similar result 1 The random oracle model [18, 1] assumes a public, random function which is accessible by all parties. In practice, this oracle is instantiated...

18 | Communication-efficient non-interactive proofs of knowledge with online extractors
- Fischlin
Citation Context ...n schemes. Using their transformation, Micali and Reyzin show signature schemes with tight security reductions based on some specific trapdoor permutations, including RSA. A recent result of Fischlin [19] shows an alternate way of modifying the Fiat-Shamir transformation so as to obtain a tight security reduction; the schemes resulting from this approach, however, are relatively inefficient. Signature...

13 | Improving the exact security of digital signature schemes
- Micali, Reyzin
Citation Context ...tes an emphasis on concrete security reductions that give explicit bounds on the adversary’s success probability (i.e., its probability of forging a signature) as a function of its expended resources [2, 13, 27, 14]. It also illustrates the importance of designing schemes with tight security reductions: that is, reductions showing that the success probability of an adversary running in some time t is roughly equ...

9 | An Efficient CDH-based Signature Scheme With a Tight Security Reduction
- Chevallier-Mames
- 2005
Citation Context ... knowledge of their square roots), one obtains a tight security reduction to the hardness of deciding quadratic residuosity modulo N. 1.4 Subsequent Work In work building on our own, Chevallier-Mames [12] shows a signature scheme whose efficiency and security are roughly equivalent to our Scheme 1 with the exception that all exponentiations during signing can be done off-line. 2 Definitions and Prelim...