Two remarks concerning the Goldwasser-Micali-Rivest signature scheme
Proceedings on Advances in cryptology---CRYPTO '86
A digital signature scheme secure against adaptive chosen-message attacks
SIAM Journal on Computing - Special issue on cryptography
A remark on signature scheme where forgery can be proved
EUROCRYPT '90 Proceedings of the workshop on the theory and application of cryptographic techniques on Advances in cryptology
Information Theory and Reliable Communication
Information Theory and Reliable Communication
Unconditional Byzantine Agreement for any Number of Faulty Processors
STACS '92 Proceedings of the 9th Annual Symposium on Theoretical Aspects of Computer Science
A Digital Signature Based on a Conventional Encryption Function
CRYPTO '87 A Conference on the Theory and Applications of Cryptographic Techniques on Advances in Cryptology
A Simple and Secure Way to Show the Validity of Your Public Key
CRYPTO '87 A Conference on the Theory and Applications of Cryptographic Techniques on Advances in Cryptology
Unconditionally Secure Digital Signatures
CRYPTO '90 Proceedings of the 10th Annual International Cryptology Conference on Advances in Cryptology
Cryptographically Strong Undeniable Signatures, Unconditionally Secure for the Signer
CRYPTO '91 Proceedings of the 11th Annual International Cryptology Conference on Advances in Cryptology
CRYPTO '89 Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology
Collision free hash functions and public key signature schemes
EUROCRYPT'87 Proceedings of the 6th annual international conference on Theory and application of cryptographic techniques
CCS '93 Proceedings of the 1st ACM conference on Computer and communications security
Fail-Stop Threshold Signature Schemes Based on Elliptic Curves
ACISP '99 Proceedings of the 4th Australasian Conference on Information Security and Privacy
How to Construct Fail-Stop Confirmer Signature Schemes
ACISP '01 Proceedings of the 6th Australasian Conference on Information Security and Privacy
On the Existence of Statistically Hiding Bit Commitment Schemes and Fail-Stop Signatures
CRYPTO '93 Proceedings of the 13th Annual International Cryptology Conference on Advances in Cryptology
Fail-Stop Signature for Long Messages
INDOCRYPT '00 Proceedings of the First International Conference on Progress in Cryptology
Threshold Fail-Stop Signature Schemes Based on Discrete Logarithm and Factorization
ISW '00 Proceedings of the Third International Workshop on Information Security
Provably secure fail-stop signature schemes based on RSA
International Journal of Wireless and Mobile Computing
Short fail-stop signature scheme based on factorization and discrete logarithm assumptions
Theoretical Computer Science
Collision-free accumulators and fail-stop signature schemes without trees
EUROCRYPT'97 Proceedings of the 16th annual international conference on Theory and application of cryptographic techniques
An efficient fail-stop signature scheme based on factorization
ICISC'02 Proceedings of the 5th international conference on Information security and cryptology
Efficient fail-stop signatures from the factoring assumption
ISC'11 Proceedings of the 14th international conference on Information security
| Hi-index | 0.00 |
With a fail-stop signature scheme, the supposed signer of a forged signature can prove to everybody else that it was a forgery. Thus the signer is secure even against computationally unrestricted forgers. Until recently, efficient constructions were only known for restricted cases, but at Eurocrypt '92, van Heijst and Pedersen presented an efficient general scheme, where the unforgeability is based on the discrete logarithm.We present a similar scheme based on factoring: Signing a message block requires approximately one modular exponentiation, and testing it requires a little more than two exponentiations. It is useful to have such alternative constructions in case one of the unproven assumptions is broken.With all fail-stop signatures so far, the size of the secret key is linear in the number of messages to be signed. In one sense, we prove that this cannot be avoided: The signer needs so many secretly chosen random bits. However, this does not imply that these bits ever have to be secredy stored at the same time: We present a practical construction with only logarithmic secret storage and a less practical one where the amount of secret storage is constant.We also prove rather small lower bounds for the length of public keys and signatures. All three lower bounds are within a small factor of what can be achieved with one of the known schemes.Finally, we prove that with unconditionally secure signatures, like those presented by Chaum and Roijakkers at Crypto '90, the length of a signature is at least linear in the number of participants who can test it. This shows that such schemes cannot be as efficient as fail-stop signatures.