Off-Line/On-Line Signatures: Theoretical Aspects and Experimental Results [chapter]

Dario Catalano, Mario Di Raimondo, Dario Fiore, Rosario Gennaro
<span title="">2008</span> <i title="Springer Berlin Heidelberg"> <a target="_blank" rel="noopener" href="https://fatcat.wiki/container/2w3awgokqne6te4nvlofavy5a4" style="color: black;">Lecture Notes in Computer Science</a> </i> &nbsp;
Off-line/On-line digital signatures were introduced by Even, Goldreich and Micali in [12]. In these signatures the signing process is divided in two parts. First An extended abstract of this paper appears in the proceedings of PKC 2008 a computationally intensive part is performed off-line, i.e. before the message being signed is known. This off-line part produces some temporary data which is stored and then used at the time the message to be signed is known. At that point, the computation of
more &raquo; ... e actual signature requires very little effort. The original construction in [12] was based on combining two different types of digital signatures: many-times (or "regular") signatures and one-time signatures [24, 21, 2, 22, 26]. While the former can be used to sign a polynomial number of messages, in the latter a private key can be used to sign only a single message. Because of this limitation, one-time signatures can be constructed more efficiently. The construction in [12] goes as following. The signer generates a pair (VK, SK) of keys for a regular signature scheme: she publishes VK and keeps SK as a secret. In the off-line part she generates vk a one-time public verification key, and signs it with SK: let S be the resulting signature. Then when the message m is available, the signer computes its signature s with the one-time signing key sk. The final signature is (vk, S, s). The construction in [12] utilizes one-way functions based one-time signatures, such as the ones introduced by Lamport [20]. While these signatures are very fast to compute and verify, the signature string can be very long, and it grows quadratically with the length of the message being signed. To address these issues Shamir and Tauman in [27] offered an alternative construction which combines regular signatures with chameleon hashing [18]. A chameleon hash function is defined by a public key pk and a secret trapdoor tk. The function C pk (·, ·) takes two arguments a message m and a random string r. The function is collision-resistant, unless one knows the trapdoor tk. But knowledge of tk allows to find arbitrary collisions, i.e. given c = C pk (m, r) and an arbitrary different message m , the holder of the trapdoor can find r such that c = C pk (m , r ). For many chameleon hash functions, this collision-finding procedure is very efficient, requiring only a single modular multiplication. The Shamir-Tauman idea is to construct off-line/on-line signatures as follows. The signer's public key is VK, like before, and pk. The off-line part would consists of computing c = C pk (a, r ) for some arbitrary a, r and then computes S the signature of c using SK. On input the actual message m the signer (who knows the trapdoor tk as part of the signing key) computes r such that c = C pk (m, r) and outputs (S, r). The verifier re-computes c as C pk (m, r) and verifies S on it. As we will see later in the examples of chameleon hashing, the length of r grows only linearly in the length of the message m, so the Shamir-Tauman approach provides shorter signatures.
<span class="external-identifiers"> <a target="_blank" rel="external noopener noreferrer" href="https://doi.org/10.1007/978-3-540-78440-1_7">doi:10.1007/978-3-540-78440-1_7</a> <a target="_blank" rel="external noopener" href="https://fatcat.wiki/release/fjlh72x6qvd47k253geexmvt2u">fatcat:fjlh72x6qvd47k253geexmvt2u</a> </span>
<a target="_blank" rel="noopener" href="https://web.archive.org/web/20170810084837/http://www.dariofiore.it//wp-content/uploads/pkc08-full.pdf" title="fulltext PDF download" data-goatcounter-click="serp-fulltext" data-goatcounter-title="serp-fulltext"> <button class="ui simple right pointing dropdown compact black labeled icon button serp-button"> <i class="icon ia-icon"></i> Web Archive [PDF] <div class="menu fulltext-thumbnail"> <img src="https://blobs.fatcat.wiki/thumbnail/pdf/68/ab/68abb7733db16b98bc478d92ae837046b1069128.180px.jpg" alt="fulltext thumbnail" loading="lazy"> </div> </button> </a> <a target="_blank" rel="external noopener noreferrer" href="https://doi.org/10.1007/978-3-540-78440-1_7"> <button class="ui left aligned compact blue labeled icon button serp-button"> <i class="external alternate icon"></i> springer.com </button> </a>