A digital signature scheme secure against adaptive chosen-message attacks
SIAM Journal on Computing - Special issue on cryptography
A remark on signature scheme where forgery can be proved
EUROCRYPT '90 Proceedings of the workshop on the theory and application of cryptographic techniques on Advances in cryptology
One-way accumulators: a decentralized alternative to digital signatures
EUROCRYPT '93 Workshop on the theory and application of cryptographic techniques on Advances in cryptology
SIAM Journal on Computing
Digital Signature Schemes: General Framework and Fail-Stop Signatures
Digital Signature Schemes: General Framework and Fail-Stop Signatures
CRYPTO '89 Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology
New Constructions of Fail-Stop Signatures and Lower Bounds (Extended Abstract)
CRYPTO '92 Proceedings of the 12th Annual International Cryptology Conference on Advances in Cryptology
Short fail-stop signature scheme based on factorization and discrete logarithm assumptions
Theoretical Computer Science
Collision-free accumulators and fail-stop signature schemes without trees
EUROCRYPT'97 Proceedings of the 16th annual international conference on Theory and application of cryptographic techniques
How to make efficient fail-stop signatures
EUROCRYPT'92 Proceedings of the 11th annual international conference on Theory and application of cryptographic techniques
Cryptography in subgroups of Zn
TCC'05 Proceedings of the Second international conference on Theory of Cryptography
Hi-index | 0.00 |
In this paper, we revisit the construction of fail-stop signatures from the factoring assumption. These signatures were originally proposed to provide information-theoretic-based security against forgeries. In contrast to classical signature schemes, in which signers are protected through a computational conjecture, fail-stop signature schemes protect the signers in an information theoretic sense, i.e., they guarantee that no one, regardless of its computational power, is able to forge a signature that cannot be detected and proven to be a forgery. Such a feature inherently introduced another threat: malicious signers who want to deny a legitimate signature. Many construction of fail-stop signatures were proposed in the literature, based on the discrete logarithm, the RSA, or the factoring assumptions. Several variants of this latter assumption were used to construct fail-sop signature schemes. Bleumer et al. (EuroCrypt '90) proposed a failstop signature scheme based on the difficulty of factoring large integers and Susilo et al. (The Computer Journal, 2000) showed how to construct a fail-stop signature scheme from the so-called "strong factorization" assumption. A later attempt by Schmidt-Samoa (ICICS '04) was to propose a fail-stop signature scheme from the p2q factoring assumption. Compared to those proposals, we take a more traditional approach by considering the Rabin function as our starting point. We generalize this function to a new bundling homomorphism while retaining Rabin's efficient reduction to factoring the modulus of the multiplicative group. Moreover, we preserve the efficiency of the Rabin function as our scheme only requires two, very optimized, modular exponentiations for key generation and verification. This improves on older constructions from factoring assumptions which required either two unoptimized or four exponentiations for key generation and either two unoptimized or three modular exponentiations for verifying.