Multi-signatures have seen renewed interest due to their application to blockchains, e.g., BIP 340 (one of the Bitcoin improvement proposals), which has triggered the proposals of several new schemes with improved efficiency. However, many previous works have a “loose” security reduction (a large gap between the difficulty of the security assumption and breaking the scheme) or depend on strong idealized assumptions such as the algebraic group model (AGM). This makes the achieved level of security uncertain when instantiated in groups typically used in practice, and it becomes unclear for developers how secure a given scheme is for a given choice of security parameters. Thus, this leads to the question “what kind of schemes can we construct that achieves tight security based on standard assumptions?”. In this paper, we show a simple two-round tightly-secure pairing-based multi-signature scheme based on the computation Diffie-Hellman problem in the random oracle model. This proposal is the first two-round multi-signature scheme that achieves tight security based on a computational assumption and supports key aggregation. Furthermore, our scheme reduce the signature bit size by 19% compared with the shortest existing tightly-secure DDH-based multi-signature scheme. Moreover, we implemented our scheme in C++ and confirmed that it is efficient in practice; to complete the verification takes less than 1[ms] with a total (computational) signing time of 13[ms] for under 100 signers. The source code of the implementation is published as OSS.

We propose a short signature scheme under the ring-SIS assumption in the standard model. Specifically, by revisiting an existing construction [Ducas and Micciancio, CRYPTO 2014], we demonstrate lattice-based signatures with improved reduction loss. As far as we know, there are no ways to use multiple tags in the signature simulation of security proof in the lattice tag-based signatures. We address the tag-collision possibility in the lattice setting, which improves reduction loss. Our scheme generates tags from messages by constructing a scheme under a mild security condition that is existentially unforgeable against random message attack with auxiliary information. Thus our scheme can reduce the signature size since it does not need to send tags with the signatures. Our scheme has short signature sizes of O(1) and achieves tighter reduction loss than that of Ducas et al.'s scheme. Our proposed scheme has two variants. Our scheme with one property has tighter reduction and the same verification key size of O(log n) as that of Ducas et al.'s scheme, where n is the security parameter. Our scheme with the other property achieves much tighter reduction loss of O(Q/n) and verification key size of O(n), where Q is the number of signing queries.

We propose a new lattice-based digital signature scheme MLWRSign by modifying Dilithium, which is one of the second-round candidates of NIST's call for post-quantum cryptographic standards. To the best of our knowledge, our scheme MLWRSign is the first signature scheme whose security is based on the (module) learning with rounding (LWR) problem. Due to the simplicity of the LWR, the secret key size is reduced by approximately 30% in our scheme compared to Dilithium, while achieving the same level of security. Moreover, we implemented MLWRSign and observed that the running time of our scheme is comparable to that of Dilithium.

We present a constant-size signature scheme under the CDH assumption. It has a tighter security reduction than any other constant-size signature scheme with a security reduction to solving some intractable search problems. Hofheinz, Jager, and Knapp (PKC 2012) presented a constant-size signature scheme under the CDH assumption with a reduction loss of O(q), where q is the number of signing queries. They also proved that the reduction loss of O(q) is optimal in a black-box security proof. To the best of our knowledge, no constant-size signature scheme has been proposed with a tighter reduction (to the hardness of a search problem) than that proposed by Hofheinz et al., even if it is not re-randomizable. We remark that our scheme is not re-randomizable. We achieve the reduction loss of O(q/d), where d is the number of group elements in a public key.

Fail-Stop Signature (FSS) scheme is a signature scheme which satisfies unforgeability even against a forger with super-polynomial computational power (i.e. even against a forger who can compute acceptable signatures) and non-repudiability against a malicious signer with probabilistic polynomial time computational power (i.e. a PPT malicious signer). In this paper, under some settings, the equivalence relation has been derived between a set of security properties when single FSS scheme is used singly and a security property called Universally Composable (UC) security when plural FSS schemes are concurrently used. Here, UC security is a security property guaranteeing that even when plural schemes are concurrently used, security properties of each scheme (for single scheme usage) are preserved. The above main settings are as follows. Firstly, H-EUC (Externalized UC) security is introduced instead of “conventional” UC security, where a new helper functionality H is constructed appropriately. It is because that we can derive “conventional” UC security cannot hold for FSS schemes when malicious parties (e.g. a forger and a malicious signer) have super-polynomial computational power. In the environment where the above helper functionality H is used, all parties are PPT, but only a forger may compute acceptable signatures by obtaining some additional information from H. Secondly, the definition of unforgeability (in a set of security properties for single FSS scheme usage) is revised to match the above environment. The above equivalence relation derived under the above settings guarantees that even when plural FSS schemes are concurrently used, those security properties for single scheme usage are preserved, provided that some conditions hold. In particular, the equivalence relation in this paper has originality in terms of guaranteeing that unforgeability is preserved even against a forger who is PPT but may compute acceptable signatures. Furthermore, it has been firstly proved in this paper that H-EUC security holds for an existing instantiation of an FSS scheme by Mashatan et al. From this, it can be said that the equivalence relation shown in this paper is practical.

We focus on the construction of the digital signature scheme for local broadcast, which allows the devices with limited resources to securely transmit broadcast message. A multi-group authentication scheme that enables a node to authenticate its membership in multi verifiers by the sum of the secret keys has been proposed for limited resources. This paper presents a transformation which converts a multi-group authentication into a multi-group signature scheme. We show that the multi-group signature scheme converted by our transformation is existentially unforgeable against chosen message attacks (EUF-CMA secure) in the random oracle model if the multi-group authentication scheme is secure against impersonation under passive attacks (IMP-PA secure). In the multi-group signature scheme, a sender can sign a message by the secret keys which multiple certification authorities issue and the signature can validate the authenticity and integrity of the message to multiple verifiers. As a specific configuration example, we show the example in which the multi-group signature scheme by converting an error correcting code-based multi-group authentication scheme.

The Even-Goldreich-Micali framework is a generic method for constructing secure digital signature schemes from weaker signature schemes and one-time signature schemes. Several variations are known due to properties demanded on the underlying building blocks. It is in particular interesting when the underlying signature scheme is a so-called F-signature scheme that admits different message spaces for signing and verification. In this paper we overview these variations in the literature and add a new one to the bucket.

Patarin proposed a crytographic trapdoor called Hidden Field Equation (HFE), a trapdoor based on the Multivariate Quadratic (MQ) and the Isomorphism of Polynomials (IP) problems. The MQ problem was proved by Patarin et al.'s to be NP-complete. Although the basic HFE has been proved to be vulnerable to attacks, its variants obtained by some modifications have been proved to be stronger against attacks. The Quartz digital signature scheme based on the HFEv- trapdoor (a variant of HFE) with particular choices of parameters, has been shown to be stronger against algebraic attacks to recover the private key. Furthermore, it generates reasonably short signatures. However, Joux et al. proved (based on the Birthday Paradox Attack) that Quartz is malleable in the sense that, if an adversary gets a valid pair of message and signature, a valid signature to another related message is obtainable with 250 computations and 250 queries to the signing oracle. Currently, the recommended minimum security level is 2112. Our signature scheme is also based on Quartz but we achieve a 2112 security level against Joux et al.'s attack. It is also more efficient in signature verification and vector initializations. Furthermore, we implemented both the original and our improved Quartz signature and run empirical comparisons.

At CaLC 2001, Howgrave-Graham proposed the polynomial time algorithm for solving univariate linear equations modulo an unknown divisor of a known composite integer, the so-called partially approximate common divisor problem. So far, two forms of multivariate generalizations of the problem have been considered in the context of cryptanalysis. The first is simultaneous modular univariate linear equations, whose polynomial time algorithm was proposed at ANTS 2012 by Cohn and Heninger. The second is modular multivariate linear equations, whose polynomial time algorithm was proposed at Asiacrypt 2008 by Herrmann and May. Both algorithms cover Howgrave-Graham's algorithm for univariate cases. On the other hand, both multivariate problems also become identical to Howgrave-Graham's problem in the asymptotic cases of root bounds. However, former algorithms do not cover Howgrave-Graham's algorithm in such cases. In this paper, we introduce the strategy for natural algorithm constructions that take into account the sizes of the root bounds. We work out the selection of polynomials in constructing lattices. Our algorithms are superior to all known attacks that solve the multivariate equations and can generalize to the case of arbitrary number of variables. Our algorithms achieve better cryptanalytic bounds for some applications that relate to RSA cryptosystems.

Multivariate Public Key Cryptosystems (MPKC) are candidates for post-quantum cryptography. Rainbow is a digital signature scheme in MPKC, whose signature generation and verification are relatively efficient. However, the security of MPKC depends on the difficulty in solving a system of multivariate polynomials, and the key length of MPKC becomes substantially large compared with that of RSA cryptosystems for the same level of security. The size of the secret and public keys in MPKC has been reduced in previous research. The NC-Rainbow is a signature scheme in MPKC, which was proposed in order to reduce the size of secret key of Rainbow. So far, several attacks against NC-Rainbow have been proposed. In this paper, we summarize attacks against NC-Rainbow, containing attacks against the original Rainbow, and analyze the total security of NC-Rainbow. Based on the cryptanalysis, we estimate the security parameter of NC-Rainbow at the several security level.

Multimedia transactions between vehicles are expected to become a promising application in VANETs but security is a fundamental issue that must be resolved before such transactions can become practical and trusted. Existing certificate-based digital signature schemes are ineffective for ensuring the security of multimedia transactions in VANETs. This ineffectiveness exists because there is no guarantee that (1) vehicles can download the latest certificate revocation lists or that (2) vehicles can complete a multimedia transaction before leaving their communication range. These two problems result, respectively, from a lack of infrastructure and from the inconsistent connectivity inherent in VANETs. In this paper, we propose a digital signature approach that combines a certificateless signature scheme and short-lived public keys to alleviate these problems. We then propose a security protocol that uses the proposed signature approach for multimedia transactions between vehicles. The proposed protocol enables vehicles to trade in multimedia resources without an online trust authority. We provide an analytical approach to optimizing the security of the proposed protocol. The security and performance of our protocol are evaluated via simulation and theoretical analysis. Based on these evaluations, we contend that the proposed protocol is practical for multimedia transactions in VANETs in terms of security and performance.

One-time signature schemes have been used as an important cryptographic tool for various applications. To generate a signature on a message, the state-of-the-art one-time signature requires roughly one hash function evaluation and one modular multiplication. We propose a new one-time signature scheme for short messages that needs only one integer multiplication (i.e., without modular reduction or hash function evaluation). Theoretically, our construction is based on a generic transformation from identification protocols secure against active attacks into secure one-time signature schemes for short messages, where the Fiat-Shamir technique is not used. To obtain efficient instantiation of the transformation, we prove that the GPS identification protocol is secure against active attacks, which may be of independent interest.

A sanitizable signature scheme allows a semi-trusted party, designated by a signer, to modify pre-determined parts of a signed message without interacting with the original signer. To date, many sanitizable signature schemes have been proposed based on various cryptographic techniques. However, previous works are usually built upon the paradigm of dividing a message into submessages and applying a cryptographic primitive to each submessage. This methodology entails the computation time (and often signature length) in linear proportion to the number of sanitizable submessages. We present a new approach to constructing sanitizable signatures with constant overhead for signing and verification, irrespective of the number of submessages, both in computational cost and in signature size.

A new signature scheme of MPKC is proposed. It is created by perturbing a traditional encryption scheme in two ways. The proposed perturbation polynomials successfully reinforce the Matsumoto-Imai cryptosystem This new signature scheme has a structure very difficult to cryptanalyze. Along with the security against algebraic attacks, its security against existing attacks is discussed. The experimental data imply that the scheme can create a both lightweight and secure signature system.

By modifying the private key and the public key setting in Boneh-Lynn-Shacham's short signature shcheme, a variation of BLS' short signature scheme is proposed. Based on this variation, we present a very efficient threshold signature scheme where the number of pairing computation for the signaure share verification reduces to half.

In some applications, a short private exponent d is chosen to improve the decryption or signing process for RSA public key cryptosystem. However, in a typical RSA, if the private exponent d is selected first, the public exponent e should be of the same order of magnitude as φ(N). Sun et al. devised three RSA variants using unbalanced prime factors p and q to lower the computational cost. Unfortunately, Durfee & Nguyen broke the illustrated instances of the first and third variants by solving small roots to trivariate modular polynomial equations. They also indicated that the instances with unbalanced primes p and q are more insecure than the instances with balanced p and q. This investigation focuses on designing a new RSA variant with balanced p and q, and short exponents d and e, to improve the security of an RSA variant against the Durfee & Nguyen's attack, and the other existing attacks. Furthermore, the proposed variant (Scheme A) is also extended to another RSA variant (Scheme B) in which p and q are balanced, and a trade-off between the lengths of d and e is enable. In addition, we provide the security analysis and feasibility analysis of the proposed schemes.

In a seminal paper of identity based encryption (IBE), Boneh and Franklin [6] mentioned an interesting transform from an IBE scheme to a signature scheme, which was observed by Moni Naor. In this paper, we give formal security treatments for this transform and discover several implications and separations among security notions of IBE and transformed signature. For example, we show for such a successful transform, one-wayness of IBE is an essential condition. Additionally, we give a sufficient and necessary condition for converting a semantically secure IBE scheme into an existentially unforgeable signature scheme. Our results help establish strategies on design and automatic security proof of signature schemes from (possibly weak) IBE schemes. We also show some separation results which strongly support that one-wayness, rather than semantic security, of IBE captures an essential condition to achieve secure signature.

In this paper, a generalized Montgomery multiplication algorithm in GF(2m) using the Toeplitz matrix-vector representation is presented. The hardware architectures derived from this algorithm provide low-complexity bit-parallel systolic multipliers with trinomials and pentanomials. The results reveal that our proposed multipliers reduce the space complexity of approximately 15% compared with an existing systolic Montgomery multiplier for trinomials. Moreover, the proposed architectures have the features of regularity, modularity, and local interconnection. Accordingly, they are well suited to VLSI implementation.

Unforgeability of digital signatures is closely related to the security of hash functions since hashing messages, such as hash-and-sign paradigm, is necessary in order to sign (arbitrarily) long messages. Recent successful collision finding attacks against practical hash functions would indicate that constructing practical collision resistant hash functions is difficult to achieve. Thus, it is worth considering to relax the requirement of collision resistance for hash functions that is used to hash messages in signature schemes. Currently, the most efficient strongly unforgeable signature scheme in the standard model which is based on the CDH assumption (in bilinear groups) is the Boneh-Shen-Waters (BSW) signature proposed in 2006. In their scheme, however, a collision resistant hash function is necessary to prove its security. In this paper, we construct a signature scheme which has the same properties as the BSW scheme but does not rely on collision resistant hash functions. Instead, we use a target collision resistant hash function, which is a strictly weaker primitive than a collision resistant hash function. Our scheme is, in terms of the signature size and the computational cost, as efficient as the BSW scheme.

A digital signature does not allow any alteration of the document to which it is attached. Appropriate alteration of some signed documents, however, should be allowed because there are security requirements other than the integrity of the document. In the disclosure of official information, for example, sensitive information such as personal information or national secrets is masked when an official document is sanitized so that its nonsensitive information can be disclosed when it is requested by a citizen. If this disclosure is done digitally by using the current digital signature schemes, the citizen cannot verify the disclosed information because it has been altered to prevent the leakage of sensitive information. The confidentiality of official information is thus incompatible with the integrity of that information, and this is called the digital document sanitizing problem. Conventional solutions such as content extraction signatures and digitally signed document sanitizing schemes with disclosure condition control can either let the sanitizer assign disclosure conditions or hide the number of sanitized portions. The digitally signed document sanitizing scheme we propose here is based on the aggregate signature derived from bilinear maps and can do both. Moreover, the proposed scheme can sanitize a signed document invisibly, that is, no one can distinguish whether the signed document has been sanitized or not.