A Strongly Unforgeable Signature under the CDH Assumption without Collision Resistant Hash Functions

T. MATSUDA, N. ATTRAPADUNG, G. HANAOKA, K. MATSUURA, H. IMAI
2008 IEICE transactions on information and systems  
Unforgeability of digital signatures is closely related to the security of hash functions, since hashing messages, as in the hash-and-sign paradigm, is necessary in order to sign (arbitrarily) long messages. Recent successful collision-finding attacks against practical hash functions indicate that constructing practical collision resistant hash functions is difficult to achieve. Thus, it is worth considering relaxing the requirement of collision resistance for hash functions that are used to hash messages in signature schemes. Currently, the most efficient strongly unforgeable signature scheme in the standard model which is based on the CDH assumption (in bilinear groups) is the Boneh-Shen-Waters (BSW) signature proposed in 2006. In their scheme, however, a collision resistant hash function is necessary to prove its security. In this paper, we construct a signature scheme which has the same properties as the BSW scheme but does not rely on collision resistant hash functions. Instead, we use a target collision resistant hash function, which is a strictly weaker primitive than a collision resistant hash function. Our scheme is, in terms of the signature size and the computational cost, as efficient as the BSW scheme.

key words: digital signature, strong unforgeability, target collision resistant hash function, standard model

[19], Mironov constructed modified versions of DSA, signatures. Unforgeability of the modified DSA and PSS-RSA is proven in the random oracle model, and the modified Cramer-Shoup signature is proven in the standard model. The sizes of signatures obtained from the modified schemes are the same as the original ones for DSA and PSS-RSA, and shorter by a hash-key than the original one for the Cramer-Shoup scheme. The main idea to obtain the modified schemes is to reuse randomness generated in a signing algorithm as a hash-key of a TCRHF. In other words, the randomness plays a dou-
doi:10.1093/ietisy/e91-d.5.1466 fatcat:5p5yjm4w65fr5gbpp3scavu7ii