A digital signature scheme secure against adaptive chosen-message attacks
SIAM Journal on Computing - Special issue on cryptography
Random oracles are practical: a paradigm for designing efficient protocols
CCS '93 Proceedings of the 1st ACM conference on Computer and communications security
The random oracle methodology, revisited (preliminary version)
STOC '98 Proceedings of the thirtieth annual ACM symposium on Theory of computing
A method for obtaining digital signatures and public-key cryptosystems
Communications of the ACM
Improved Online/Offline Signature Schemes
CRYPTO '01 Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology
Statistical Zero Knowledge Protocols to Prove Modular Polynomial Relations
CRYPTO '97 Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology
Short Signatures from the Weil Pairing
ASIACRYPT '01 Proceedings of the 7th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Short and Stateless Signatures from the RSA Assumption
CRYPTO '09 Proceedings of the 29th Annual International Cryptology Conference on Advances in Cryptology
Collision-free accumulators and fail-stop signature schemes without trees
EUROCRYPT'97 Proceedings of the 16th annual international conference on Theory and application of cryptographic techniques
Secure hash-and-sign signatures without the random oracle
EUROCRYPT'99 Proceedings of the 17th international conference on Theory and application of cryptographic techniques
A signature scheme with efficient protocols
SCN'02 Proceedings of the 3rd international conference on Security in communication networks
Cryptography in subgroups of Zn
TCC'05 Proceedings of the Second international conference on Theory of Cryptography
Hi-index | 0.00 |
We propose a short signature scheme based on the complexity assumptions related to the RSA modulus. More specifically, the new scheme is secure in the standard model based on the strong RSA subgroup assumption. Most short signature schemes are based on either the discrete logarithm problem (or its variants), or the problems from bilinear mapping. So far we are not aware of any signature schemes in the RSA family can produce a signature shorter than the RSA modulus (in a typical setting, an RSA modulus is 1024 bits). The new scheme can produce a 420-bit signature, much shorter than the RSA modulus. In addition, the new scheme is very efficient. It only needs one modulo exponentiation with a 200-bit exponent to produce a signature. In comparison, most RSA-type signature schemes at least need one modulo exponentiation with 1024- bit exponent, whose cost is more than five times of the new scheme's.