Short Signatures from the Weil Pairing [chapter]

Dan Boneh, Ben Lynn, Hovav Shacham
2001 Lecture Notes in Computer Science  
We introduce a short signature scheme based on the Computational Diffie-Hellman assumption on certain elliptic and hyper-elliptic curves. For standard security parameters, the signature length is about half that of a DSA signature with a similar level of security. Our short signature scheme is designed for systems where signatures are typed in by a human or are sent over a low-bandwidth channel. We survey a number of properties of our signature scheme such as signature aggregation and batch
... fication.

* This is the full version of a paper that appeared in Asiacrypt 2001 [13].
† Supported by NSF and the Packard Foundation.

model. Other work aims at reducing the length of signatures in the RSA setting. For example, Gentry shows how to compress Rabin signatures to two-thirds of their original length [29]. Another technique proposed for reducing signature length is signatures with message recovery [46, 50]. In such systems one encodes a part of the message into the signature, thus shortening the total length of the message-signature pair. For long messages, one can then achieve a DSA signature overhead of 160 bits. However, for very short messages (e.g., 64 bits) the total length remains 320 bits. Using our signature scheme, the signature length is always on the order of 160 bits, however short the message. We also note that Patarin et al. [48, 20] construct short signatures whose security depends on the Hidden Field Equation problem.

Our signature scheme uses groups where the CDH problem is hard, but the Decision Diffie-Hellman problem (DDH) is easy. The first example of such groups was given in [34] and was used in [33, 11]. We call such groups Gap Diffie-Hellman groups, or GDH groups for short. We show how to construct a signature scheme from GDH groups, prove security of the scheme, and show how to build GDH groups that lead to short signatures. The signature scheme resembles the undeniable signature scheme of Chaum and Pedersen [15].

Our signature scheme has several useful properties, described in Section 5. For example, signatures generated by different people on different messages can be aggregated into a single signature [12]. The signature also supports standard extensions such as threshold signatures and blind signatures [10].

Notation. We use $E/\mathbb{F}_q$ to denote an elliptic curve with coefficients in $\mathbb{F}_q$. For $r \geq 1$, we use $E(\mathbb{F}_{q^r})$ to denote the group of points on $E$ in $\mathbb{F}_{q^r}$.
We use $|E(\mathbb{F}_{q^r})|$ to denote the number of points in $E(\mathbb{F}_{q^r})$.

Gap Diffie-Hellman groups and bilinear maps

Before presenting the signature scheme, we first review a few concepts related to bilinear maps and Gap Diffie-Hellman groups. We use the following notation:

• $G_1$ and $G_2$ are two (multiplicative) cyclic groups of prime order $p$;
• $g_1$ is a generator of $G_1$ and $g_2$ is a generator of $G_2$;
• $\psi$ is an isomorphism from $G_2$ to $G_1$, with $\psi(g_2) = g_1$; and
• $e$ is a bilinear map $e : G_1 \times G_2 \to G_T$.

The group $G_T$ is described below. One can set $G_1 = G_2$, but we allow for the more general case where $G_1 \neq G_2$ so that we can take advantage of certain families of non-supersingular elliptic curves as described in Section 4.3.

The proofs of security require an efficiently computable isomorphism $\psi : G_2 \to G_1$. When $G_1 = G_2$ and $g_1 = g_2$ one could take $\psi$ to be the identity map. When $G_1 \neq G_2$ we will need to describe explicitly an efficiently computable isomorphism $\psi : G_2 \to G_1$. The map $\psi$ is essential for security. To illustrate this, we give in the next section an example of a bilinear map that engenders an insecure signature scheme precisely because $\psi$ does not exist.

With this setup we obtain natural generalizations of the CDH and DDH problems:

Computational co-Diffie-Hellman (co-CDH) on $(G_1, G_2)$: Given $g_2, g_2^a \in G_2$ and $h \in G_1$ as input, compute $h^a \in G_1$.
doi:10.1007/3-540-45682-1_30 fatcat:2klih4ovcjftdcfmnzcl4wyfii