Realizing Hash-and-Sign Signatures under Standard Assumptions

Susan Hohenberger, Brent Waters
Lecture Notes in Computer Science
Currently, there are relatively few instances of "hash-andsign" signatures in the standard model. Moreover, most current instances rely on strong and less studied assumptions such as the Strong RSA and q-Strong Diffie-Hellman assumptions. In this paper, we present a new approach for realizing hash-and-sign signatures in the standard model. In our approach, a signer associates each signature with an index i that represents how many signatures that signer has issued up to that point. Then, to
more &raquo; ... use of this association, we create simple and efficient techniques that restrict an adversary which makes q signature requests to forge on an index no greater than 2 lg(q) < 2q. Finally, we develop methods for dealing with this restricted adversary. Our approach requires that a signer maintains a small amount of state -a counter of the number of signatures issued. We achieve two new realizations for hashand-sign signatures respectively based on the RSA assumption and the Computational Diffie-Hellman assumption in bilinear groups.
