A New and Efficient Fail-stop Signature Scheme
Authors
Willy Susilo (1), Rei Safavi-Naini (1), Marc Gysin (2) and Jennifer Seberry (1)
(1) Centre for Computer Security Research, School of IT and CS, University of Wollongong, Wollongong 2522, AUSTRALIA
(2) School of Information Technology, Townsville, QLD 4811, AUSTRALIA
Email: {wsusilo, rei}@uow.edu.au, marc@cs.jcu.edu.au, jennie@uow.edu.au
Abstract
Security of ordinary digital signature schemes relies on a computational assumption. Fail-stop signature schemes provide security for a sender against a forger with unlimited computational power by enabling the sender to provide a proof of forgery, if it occurs. In this paper, we give an efficient fail-stop signature scheme that uses two hard problems, discrete logarithm and factorisation, as the basis of the receiver's security. We show that the scheme has provable security against adaptively chosen message attack and is the most efficient scheme with respect to the ratio of the message length to the signature length. The scheme provides an efficient solution to signing messages up to 1881 bits.

Keywords: Fail-Stop Signature Schemes, Discrete Logarithm, Factorisation, Optimality, Efficiency

Publication Details
This article was originally published as Susilo, W, Safavi-Naini, R, Gysin, M and Seberry, J, A new and efficient fail-stop signature scheme, The Computer Journal, 43(5), 2000, 430-437. This journal article is available at Research Online: http://ro.uow.edu.au/infopapers/594
1. INTRODUCTION

Digital signatures, introduced in [7], are the most important cryptographic primitive for providing authentication in the electronic world. The original definition of digital signature was subsequently revised [8] to ensure security against a more stringent type of attack known as adaptive chosen message attack. Despite the stronger requirement, security in digital signature schemes remains computational and hence an enemy with unlimited computing power can always forge a signature. We refer to this type of signature as an ordinary signature scheme. In an ordinary signature scheme, if a forgery occurs the sender must bear its consequences and there is no way for him to show that a forgery has occurred. This is unavoidable: if the signer were allowed to disavow a forged signature, then, since there is no way of distinguishing a forged signature from one generated by the signer, the signer might also disavow his own signature, resulting in vanishing accountability in the system. This means that the security for the signer is computational and if the underlying computational assumption is broken a forged signature can be irrefutably created. On the other hand the security of the receivers is unconditional as verification is a public process. To provide protection against forgeries of an enemy with unlimited computational power, fail-stop signature (FSS) schemes were proposed [25, 18, 14]. In a FSS, in the case of forgery, the presumed signer can provide a proof that a forgery has happened. This is by showing that the underlying computational assumption of the system is broken.
The system will be stopped at this stage, hence the name fail-stop. In this way, a polynomially bounded signer can be protected against a forger with unlimited computational power. We note that an unbounded receiver can forge a signature, but again a proof of forgery shows that the computational assumption of the system is broken and the system will be stopped. It can be shown (Theorem 3.2 [14]) that a secure FSS can be used to construct an ordinary digital signature that is secure in the sense of [8], and so a fail-stop signature scheme provides a stronger notion of security. In a FSS there are a number of participants: a signer, who signs a message that is verifiable by everyone with access to his public key and is protected against forgery by an unbounded enemy; one or more recipients; and a centre who is trusted by the recipient. All the receivers who take part in the key generation process and are convinced about the goodness of the key are protected from repudiation of the signature by the signer. There is another group of participants, the so-called risk-bearers, such as insurance companies, who will bear a loss if a proof of forgery is accepted and hence a signature is invalidated. For simplicity we do not make any distinction between a recipient and a risk-bearer. In a FSS, the signer and the recipients are assumed to be polynomially bounded, while the enemy is assumed to have unlimited computational power [24, 23, 17]. A system may be designed for one or more recipients. It is important to note that a 'single recipient' system only refers to the protection provided against the signer's repudiation; signature verification (called testing in the context of FSS) can always be performed by anyone who has access to the public key. That is, a single recipient system can be seen as an ordinary signature with the added property that a designated recipient is protected against disavowal of the signature by the signer, and the signer is protected against an all-powerful forger.
These kinds of requirements are very common in electronic commerce systems when a customer primarily interacts with a single financial institution, such as a bank. In this case, it is reasonable to assume that the bank is more powerful and the customer requires protection against possible forgeries by the bank. At the same time, the bank must be assured that the signer cannot repudiate his signature. Using a FSS with a single recipient achieves both these requirements. In a single recipient FSS, the role of the trusted centre is played by the recipient and hence no trusted centre is required. For a general FSS, eliminating the centre requires a secure multi-party computation (for example, [18, 19, 22]). A FSS in its basic form is a one-time digital signature that can only be used for signing a single message. However, it is possible to extend a FSS scheme to be used for signing multiple messages [5, 24, 16, 1]. To assess the efficiency of a FSS scheme a number of criteria are used, including the lengths of the signature, the secret key and the public key, together with the amount of computation and communication required for signature generation and verification (testing).

1.1. Previous Works

The first construction of fail-stop signature [25] uses a one-time signature scheme (similar to [11]) and results in bit-by-bit signing of the message and so is very impractical. In [15] an efficient single-recipient FSS to protect clients in an on-line payment system is proposed. The main disadvantage of this system is that signature generation is a 3-round protocol between the signer and the recipient and so is very expensive in terms of communication. The size of the signature is twice the length of the message. In [24], an efficient FSS that uses the difficulty of the discrete logarithm problem as the underlying assumption is presented. In the case of a forgery, the presumed signer can solve an instance of the discrete logarithm problem, and prove that the underlying assumption is broken.
This is the most efficient scheme known so far and will be referred to as the vHP scheme. In [14, 17], a formal definition of FSS schemes is given and a general construction using bundling homomorphisms is proposed. The important property of this construction is that it is provably secure against the most stringent type of attack, that is adaptive chosen message attack [9]. The proof of forgery is by showing two different signatures on the same message, the forged one and the one generated by the valid signer. To verify the proof of forgery the two signatures are shown to collide under the 'bundling homomorphism'. An instance of this construction uses the difficulty of factoring as the underlying computational assumption of the system [23]. It is shown [14, 17] that the vHP scheme is in fact an instantiation of this general construction and so has provable security. This, combined with efficiency, has made the vHP scheme the benchmark for FSS schemes. The existence condition for FSS is relaxed in [2, 19, 23] and it is shown that a FSS only exists if one-way permutations exist. In [22], an RSA-based FSS is proposed in which the underlying intractability assumption is the difficulty of factoring and the proof of forgery is by showing the non-trivial factors of the modulus. In this scheme the size of the signature is twice that of the vHP scheme (four times the size of the message) and, compared with [24], it has equal or worse performance in all other aspects of interest. The proof of security is through a number of theorems that bound the success probabilities of different attackers.

1.2. Our Contributions

In this paper, we propose a new FSS scheme that is almost as efficient as the vHP scheme and whose security relies on two well-accepted computational assumptions, Discrete Logarithm and Factorisation. We introduce a new measure of efficiency that is related to efficient use of communication bandwidth and show that our scheme outperforms the vHP scheme (and all other schemes that are based on the factorisation problem).
We prove that the success chance of an unbounded forger is limited by the recipient's security parameter, while the signer's security against adaptive chosen message attack is guaranteed to a level determined by the sender's security parameter. The proof of forgery is by revealing the non-trivial factors of the modulus. We incorporate the idea from [3] for the construction of our scheme. Finally, we compare the optimality and efficiency of our scheme and the vHP scheme.

The paper is organised as follows. In section 2, we present the basic concepts and definitions of FSS, and briefly review the general construction and its relevant security properties. In section 3, we present our FSS construction, show that it is an instance of the general construction [14] and hence provide a complete proof of security. In section 4, we introduce the notions of optimality and efficiency, and give a fair comparison between our scheme and the other existing schemes based on these notions. Finally, section 5 concludes the paper.

2. PRELIMINARIES

In this section, we briefly recall relevant notions, definitions and requirements of fail-stop signatures and refer the reader to [18, 17, 14] for a more complete account.

2.1. Notations

The length of a number n is the length of its binary representation and is denoted by |n|_2. p | q means p divides q. The ring of integers modulo a number n is denoted by Z_n, and its multiplicative group, which contains only the integers relatively prime to n, by Z_n*. Let N denote the natural numbers.

2.2. Review of Fail-Stop Signature Schemes

Similar to an ordinary digital signature scheme, a fail-stop signature scheme consists of one polynomial time protocol and two polynomial time algorithms.

1. Key generation: is a two-party protocol between the signer and the centre to generate a pair of secret key, sk, and public key, pk. This is different from ordinary signature schemes, where key generation is performed by the signer individually and without the involvement of the receiver.
2. Sign: is the algorithm used for signature generation. For a message m and using the secret key sk, the signature is given by y = sign(sk, m).
3. Test: is the algorithm for testing acceptability of a signature. For a message m and signature y, and given the public key pk, the algorithm produces an ok response if the signature is acceptable under pk. That is, test(pk, m, y) =? ok.

A FSS also includes two more polynomial time algorithms:

4. Proof: is an algorithm for proving a forgery;
5. Proof-test: is an algorithm for verifying that the proof of forgery is valid.

A secure fail-stop signature scheme must satisfy the following properties [23, 17, 14].

1. If the signer signs a message, the recipient must be able to verify the signature (correctness).
2. A polynomially bounded forger cannot create forged signatures that successfully pass the verification test (recipient's security).
3. When a forger with unlimited computational power succeeds in forging a signature that passes the verification test, the presumed signer can construct a proof of forgery and convince a third party that a forgery has occurred (signer's security).
4. A polynomially bounded signer cannot create a signature that he can later prove to be a forgery (non-repudiability).

To achieve the above properties, for each public key there exist many matching secret keys such that different secret keys create different signatures on the same message. The real signer knows only one of the secret keys, and can construct one of the many possible signatures. An enemy with unlimited computing power can generate all the signatures but cannot determine which one is generated by the true signer. Thus, it is possible for the signer to provide a proof of forgery by generating a second signature on the message carrying a forged signature, and using the two signatures to show that the underlying computational assumption of the system is broken, hence proving the forgery.
Security of a FSS can be broken if 1) a signer can construct a signature that he can later prove to be a forgery, or 2) an unbounded forger succeeds in constructing a signature that the signer cannot prove to be forged. These two types of forgeries are completely independent and so two different security parameters, k and σ, are used to show the level of security against the two types of attacks. More specifically, k is the security level of the recipient and σ is that of the signer. It is proved [14] that a secure FSS is secure against adaptive chosen message attack and, for all c > 0 and large enough k, the success probability of a polynomially bounded forger is bounded by k^{-c}. For a FSS with security level σ for the signer, the success probability of an unbounded forger is limited by 2^{-σ}. In the following we briefly recall the general construction given in [14] and outline its security properties.

2.3. The General Construction

The construction is for a single-message fail-stop signature and uses bundling homomorphisms. Bundling homomorphisms can be seen as a special kind of hash function.

Definition 2.1. [14] A bundling homomorphism h is a homomorphism h : G -> H between two Abelian groups (G, +, 0) and (H, ·, 1) that satisfies the following.
1. Every image h(x) has at least 2^τ preimages. 2^τ is called the bundling degree of the homomorphism.
2. It is infeasible to find collisions, i.e., two different elements that are mapped to the same value by h.

To give a more precise definition, we need to consider two families of groups, G = (G_K, +, 0) and H = (H_K, ·, 1), and a family of polynomial-time functions indexed by a key, K. The key is determined by the application of a key generation algorithm g(k, τ) on two input parameters k and τ. The two parameters determine the difficulty of finding collisions and the bundling degree of the homomorphism, respectively. Given a pair of input parameters k, τ ∈ N, firstly, using the key generation algorithm, a key K is calculated and then G_K, H_K and h_K are determined.
For a formal definition of bundling homomorphisms see Definition 4.1 [14]. A bundling homomorphism can be used to construct a FSS scheme as follows. Let the security parameters of the FSS be given as k and σ. The bundling degree of the homomorphism, τ, will be obtained as a function of σ as shown below.

1. Prekey generation: The centre computes K = g(k, τ) and so determines a homomorphism h_K and two groups G_K and H_K. Let G = G_K, H = H_K and h = h_K.
2. Prekey verification: The signer must be assured that K is a possible output of the algorithm g(k, τ). This can be through providing a zero-knowledge proof by the centre or by testing the key by the signer. In any case the chance of accepting a bad key must be at most 2^{-σ}.
3. Main key generation gen_A: the signer generates her secret key sk := (sk1, sk2) by choosing sk1 and sk2 randomly in G and computes pk := (pk1, pk2) where pk_i := h(sk_i) for i = 1, 2.
4. The message space M is a subset of Z.
5. Signing: The signature on a message m ∈ M is s = sign(sk, m) = sk1 + m × sk2, where multiplying by m is m times addition in G.
6. Testing the signature: can be performed by checking pk1 · pk2^m =? h(s).
7. Proof of forgery: Given an acceptable signature s' ∈ G on m such that s' ≠ sign(sk, m), the signer computes s := sign(sk, m) and proof := (s, s').
8. Verifying proof of forgery: Given a pair (x, x') ∈ G × G, verify that x ≠ x' and h(x) = h(x').

Theorem 4.1 [14] proves that for any family of bundling homomorphisms and any choice of parameters the general construction:
1. produces correct signatures;
2. a polynomially bounded signer cannot construct a valid signature and a proof of forgery;
3. if an acceptable signature s* ≠ sign(sk, m*) is found the signer can construct a proof of forgery.
Moreover, for two chosen parameters k and τ, a good prekey K and two messages m, m* ∈ M with m ≠ m*, let

T := {d ∈ G | h(d) = 1 ∧ (m* - m)d = 0}    (1)

Theorem 4.2 [14] shows that given s = sign(sk, m) and a forged signature s* ∈ G such that test(pk, m*, s*) = ok, the probability that s* = sign(sk, m*) is at most |T|/2^τ, and so the best chance of success for an unrestricted forger to construct an undetectable forgery is bounded by |T|/2^τ. Thus, to provide the required level of security σ, we must choose |T|/2^τ ≤ 2^{-σ}. This general construction is the basis of all known provably secure constructions of FSS. It provides a powerful framework by which proving security of a scheme is reduced to specifying the underlying homomorphism, and determining the bundling degree and the set T.

3. A NEW AND EFFICIENT FSS SCHEME

In this section we introduce a new FSS scheme and show that it is an instance of the general construction. As will be shown in section 4, the scheme outperforms the most efficient known FSS (i.e. the vHP scheme) with respect to the message length. Proof of forgery is by revealing the secret factors of a modulus and so verifying the proof is very efficient. Firstly, we describe our scheme in a single recipient model, for simplicity. Then, we extend this model to a multiple recipient scheme.

Model
There is only a single recipient, R, who also plays the role of the trusted centre and performs prekey generation of the scheme.

Prekey Generation
Given the two security parameters k and σ, R chooses two large safe primes p and q. Then, R finds a prime P such that n = pq divides P - 1. Finally R selects an element α such that the multiplicative order of α modulo P is p (ord_P(α) = p). α, n and P are sent to the signer via an authenticated channel. (More details on the selection of these parameters are given below.)

Prekey Verification
If the receiver is trusted, the prekey will be accepted by the signer S and no prekey verification is needed (as in [24]).
On the other hand, if the receiver is not trusted, a zero-knowledge proof is needed to assure that the prekey is correct. This issue will be discussed in the next section (multiple recipient scheme).

Key Generation
S chooses k1, k2 ∈ Z_n and computes
    β1 = α^{k1} mod P
    β2 = α^{k2} mod P
The private key is (k1, k2) and the public key is (β1, β2).

Signing a Message x
To sign a message x ∈ Z_n, S computes
    y = k1 x + k2 mod n
and publishes y as his signature on x.

Testing a Signature
y passes the test if
    α^y =? β1^x β2 mod P.

3.1. Security Proof

We show that this scheme is an instance of the general construction with the following underlying bundling homomorphism family.

Discrete Logarithm Bundling Homomorphism
key generation g: on input k and τ, two primes p and q with |q|_2 = τ and |p|_2 ≈ |q|_2, a prime P such that n divides P - 1 and |n|_2 = k, and an element α of order p are chosen. The key will be K = (p, q, α, P).
families of groups: Let n = pq. Define G_K = Z_n and H_K = Z_P*. The homomorphism h_{(p,q,α,P)} is
    h_{(p,q,α,P)} : Z_n -> Z_P*,    h_{(p,q,α,P)}(x) = α^x (mod P)

Discrete Logarithm (DL) Assumption [21]
Given I = (p, α, β), where p is prime, α ∈ Z_p* is a primitive element and β ∈ Z_p* with β ≡ α^a (mod p), it is hard to find a = log_α β.

Factorisation Assumption [20, 21]
Given n = pq, where p and q are prime, it is hard to find a non-trivial factor of n (without the knowledge of φ(n) = (p - 1)(q - 1)).

Strong Factorisation Assumption
Given n = pq (where p and q are prime), P = tn + 1 (t ∈ Z and P also prime) and α (where ord_P(α) = p), it is hard to find a non-trivial factor of n. This assumption is also used by Brickell and McCurley [3], although there is no proof that knowledge of α of order p cannot reduce the hardness of factoring n.

Theorem 3.1. Under the DL and Strong Factorisation assumptions, the above construction (Section 3.1) is a family of bundling homomorphisms.

Proof. To show that the above definition is a bundling homomorphism, we must show that
1. For any β ∈ Z_P* where β = α^a (mod P), there are q preimages in Z_n.
2. For a given β ∈ Z_P* where β = α^a (mod P), it is difficult to find a such that β = α^a (mod P).
3. It is hard to find two values a, ã ∈ Z_n that map to the same value.

To prove property 1, we note that knowing β = α^a (mod P) for a ∈ Z_n and ord_P(α) = p, there are exactly q values a', given by a' = a + ip, i = 0, ..., q - 1, for which α^{a'} = α^{a+ip} = β. Hence, there are q preimages of β in Z_n. Now given β = α^a (mod P), finding a is equivalent to solving an instance of the DL problem, which is hard (property 2). Property 3 means that it is difficult to find a and ã such that α^a = α^ã (mod P). Suppose that there is a probabilistic polynomial-time algorithm Ã that could compute such a collision. Then we construct an algorithm D̃ that on input (P, n, α), where n | P - 1, outputs the non-trivial factors of n as follows. First, D̃ runs Ã, and if Ã outputs a collision, i.e. y and ỹ, y ≠ ỹ, such that α^y ≡ α^ỹ (mod P), then D̃ computes:
    α^y = α^ỹ mod P
    => y = ỹ mod p
    => y - ỹ is a multiple of p
    => p = gcd(y - ỹ, n)
D̃ is successful with the same probability as Ã and is almost equally efficient. Hence, it contradicts the strong factorisation assumption.

Theorem 3.2. Our FSS scheme is secure for the signer.

According to Theorem 4.1 in [14], we must find the size of the set T:
    T := {d ∈ Z_n | α^d = 1 ∧ (m* - m)d = 0}  or  T := {d ∈ Z_n | α^d = 1 ∧ m'd = 0}
in Z_P*. There are exactly q values of d that satisfy the first equation α^d = 1 mod P. Since m* ≠ m, we have m' ∈ {1, 2, ..., n - 1} and so there is a unique message (namely, m' = q) that satisfies m'd = 0 (mod n). Hence, |T| = 1. Together with Theorem 4.2 [14], this implies that it suffices to choose σ = τ in the proposed scheme, as we did in section 3.

Proof of Forgery
If there is a forged signature y' which passes the test, the presumed sender can generate his own signature, namely y, on the same message, and the following will hold:
    α^y = α^{y'} mod P
    => y = y' mod p
    => y - y' is a multiple of p
Hence, a non-trivial factor of n can be found by computing gcd(y - y', n). We note that the probability that y is equal to y' is 1/q.

We make the following remarks on the key generation algorithm. In [10], it is shown that for a randomly selected n, P such that n divides P - 1 is upper bounded by n log_2 2n. Moreover, if |n|_2 = k, then on average it takes O(log k) probabilistic steps to find such a P. An element α is selected such that the multiplicative order of α modulo P is p (ord_P(α) = p). This element can be easily found by, for example, randomly choosing an element α̃ ∈ Z_P* and calculating α = (α̃)^{tq} mod P, where t = (P - 1)/n. If α ≠ 1, then α has order p. This is in fact "pushing" the element α̃ into a subgroup of order p.

3.2. Multiple Recipient Scheme

Although we have restricted ourselves to a single recipient, it is not difficult to extend the scheme to multiple recipients. In fact, the only difference in that case is to include a trusted centre and provide zero-knowledge proofs that show that the chosen parameters of the prekey have the correct forms. That is, we need to ensure that n, P and α have the desired forms. Using [4], an element n can be proven to be an RSA modulus n = pq, where both p and q are safe primes. Then, P is tested for primality. This can be done by using various primality testing algorithms, such as the Miller-Rabin probabilistic primality test [21], which run in polynomial time. Finally, it is verified that n divides P - 1. Although it is easy to show that the order of α is a multiple of p (without knowing p, for example by verifying α^n =? 1 (mod P)), showing that the order is strictly p needs more effort. We can achieve the zero knowledge proof of ord_P(α) = p by combining the ideas mentioned in sections 3.2 and 4.2 of [4]. More precisely, the prover has to prove that he knows p that satisfies α^p = 1 mod P, and that p is a prime number. On the other hand, after verifying this proof, the receiver (or the sender in the context of this paper) only needs to check whether α^n =? 1 mod P, hence proving that α^p = 1 mod P.
4. OPTIMALITY AND EFFICIENCY

The aim of this section is to compare the efficiency of our proposed scheme with those of the best known FSS schemes. Efficiency of a fail-stop signature system has been measured in terms of three length parameters, the lengths of the secret key, the public key and the signature, and the amount of computation required in each case. Later in this section, we introduce a new measure, efficiency with respect to message length, which corresponds to efficient use of the communication channel. Pedersen and Pfitzmann [14] proved that if the security level of the sender is σ and N messages are to be signed, then the lengths of the secret key, the public key and the signature are lower bounded by (N+1)(σ - 1), ..., and 2σ - 1, respectively. These bounds do not depend on the security level of the receiver, which is measured by the parameter k and determines the size of the underlying hard problem(s).

Definition 4.1. [14] A FSS scheme with security parameters k and σ is called optimal with respect to secret key length, public key length or signature length if the lower bound on the corresponding parameter is satisfied with equality.

A Comparison
To compare two FSS's we fix the level of security provided by the two schemes and find the size of the three length parameters, and the number of operations (for example multiplications) required for signing and testing. Table 1 gives the results of the comparison of four FSS schemes when the security levels of the receiver and the sender are given by k and σ, respectively. In this comparison, the first two schemes (first and second column of the table) are chosen because they have provable security. The first scheme, referred to as vHP in this paper, is the most efficient provably secure scheme. The third scheme, although it does not have a complete security proof (it is not difficult to construct such a proof), is included because it has an explicit proof of forgery by revealing the secret factors of a modulus. Column four corresponds to the scheme proposed in this paper.
We use the same value of σ and k for all the systems and determine the size of the three length parameters. The hard underlying problems in all four schemes are DL, Subgroup DL [12] and/or Factorisation. This means the same level of receiver's security (given by the value of parameter k) translates into different size primes and moduli. In particular, the security level of a 151-bit subgroup discrete logarithm with basic primes of at least 1881 bits is the same as factorisation of a 1881-bit RSA modulus [12].

To find the required size of primes in the vHP scheme, assuming security parameters (k, σ) are given, first K = max(k, σ) is found and then the prime q is chosen such that |q|_2 ≥ K. The bundling degree in this scheme is q, and the value of p is chosen such that q | p - 1 and (p - 1)/q is upper-bounded by a polynomial in K (pages 237 and 238 [17]). The size of |p|_2 must be chosen according to the standard discrete logarithm problem, which for adequate security must be at least 1881 bits [12]. However, the size of |q|_2 can be chosen as low as 151 bits [12]. Since |p|_2 and |q|_2 are to some extent independent, we use K̂ to denote |p|_2.

In our proposed scheme the bundling degree, and hence the security level of the sender, is |q|_2. The security of the receiver is determined by the difficulty of DL in Z_P* and factorisation of n. Assume |p|_2 ≈ |q|_2 ≈ |n|_2/2. Then we first find N_k, which is the modulus size for which factorisation has difficulty k. Now since P > n, DL in Z_P* will have difficulty at least k [12], and we choose K = max(N_k/2, σ), |q|_2 = K ≤ |p|_2 and P > n. With these choices the sender and receiver levels of security are at least σ and k, respectively. For example, for (k, σ) = (151, 151), we first find N_151 = 1881 [12] and choose K = max(1881/2, 151) = 941, which results in |p|_2 ≈ |q|_2 ≈ 941 and |n|_2 ≈ |P|_2 ≈ 1882. Since |P|_2 can be chosen much greater than |n|_2, we use K̂ to denote |P|_2, and so when |P|_2 ≈ |n|_2 we have K̂ ≈ 2K.
In the factorisation scheme of [14], the security level of the sender, σ, is the sum of the bundling degree τ and the bit length of the message space (2 to that length being the size of the message space). The security parameter of the receiver, k, is determined by the difficulty of factoring the modulus n. Now for a given pair of security parameters, (k, σ), the size of the modulus N_k is determined by k, but determining the remaining parameters requires knowledge of the size of the message space. Assume τ = |p|_2 ≈ |q|_2 = N_k/2. This means that σ = (message bit length) + N_k/2. Now the efficiency parameters of the system can be given as shown in the table. In particular, the sizes of the secret and public keys are 2(σ + N_k) and 2N_k, respectively.

In the RSA-based FSS scheme [22], σ = |φ(n)|_2, and security of the receiver is determined by the difficulty of factoring n. This means that σ ≈ |n|_2. To design a system with security parameters (k, σ), first N_k, the modulus size that provides security level k for the receiver, is determined and then K = max(σ, |N_k|_2). The modulus n is chosen such that |n|_2 = K. With this choice, the system provides adequate security for the sender and the receiver.

Table 1. Comparison of computation (number of multiplications) and efficiency parameters

                               DL [24]    Fact [14]    RSA [22]   Our FSS
PK (mult)                      4K         2K           4K         4K
Sign (mult)                    2          K            2          1
Test (mult)                    3K         2K + ...     3K         4K
Length of SK (bits)            4K         4K + 2σ      4K         4K
Length of PK (bits)            2K̂         2K           2K         2K̂
Length of a signature (bits)   2K         2K + ...     4K         2K
Prekey length                  K + 3K̂     3K           3K         2(K + K̂)
Length of a message (bits)     K          K            K          2K
Min size of K (bits) [12]      151        941          1881       941
Min size of K̂ (bits) [12]      1881       n/a          n/a        1881
Underlying hard problem        DL         Fact         RSA        DL & Fact

The table shows that because of the subgroup DL problem, K in the vHP scheme can be as low as 151 bits, while in our scheme it must be at least 941 bits. K̂ in vHP and our scheme must be at least 1881 bits [12]. Table 2 shows that the performance of vHP and our scheme are nearly the same with respect to the lower bounds given in [14], and in fact both schemes are nearly optimal (nearly achieving the bounds) with respect to the signature length.

Table 2. Comparison between vHP, our scheme and the optimal lower bound for N = 1

                    DL [24]     Our FSS     Lower bound
Length of SK        4K = 4σ     4K = 4σ     2(σ - 1)
Length of PK        2K̂          2K̂
Signature length    2K = 2σ     2K = 2σ     2σ - 1

Efficiency with respect to the message length
In practice, we also need to consider the relative lengths of the message and the signature. If the lengths of the signature and the message are denoted by |y|_2 and |x|_2 respectively, the ratio |y|_2/|x|_2 is a measure of the communication efficiency of the scheme. For example, a ratio of 1 means that to authenticate one bit of information, one extra bit (signature) must be sent over the channel. Now in our scheme messages and signatures are both from Z_n and so the ratio is 1. In the vHP scheme messages and signatures belong to subgroups of size q and 2|q|_2 respectively. This means that the ratio is 2, and so to authenticate a one-bit message a 2-bit signature must be used. In the factorisation scheme of [14], messages are (σ - τ) bits and signatures are k + (σ - τ) + τ bits. Assuming that k = σ, the ratio is > 2. In the RSA-based FSS in [22], messages belong to Z_n and signatures are of size 4|n|_2. This means that the ratio is 4. Table 3 summarises these results.

Table 3. Comparison of communication efficiency with respect to the message length

                  DL [24]   Fact [14]   RSA [22]   Our FSS
|y|_2 / |x|_2     2         > 2         4          1

Signing Long Messages
Tables 1 and 3 show that the sizes of the input to the signature algorithm in vHP and our scheme are K and 2K, that is at least 151 and 1882 bits ([12]), respectively. For messages longer than these sizes the hash-then-encrypt method [14] can be used.
This has two impa ts.To prove forgery, rather than showing that the un-derlying assumption of the s heme is broken it willbe shown that a ollision for the ollision-resistanthash fun tion used for hashing is found.The hash fun tion must be based on a omputa-tional assumption. Hash fun tions with this prop-erty, developed in [5, 6℄, require on average onemodular multipli ation for one bit of the messageand so drasti ally redu e the speed of signaturegeneration and testing. The above points imply that signing a message oflength ` bits, 151 < ` < 1882, using vHP requires onaverage ` more modular multipli ations ompared toour s heme.4.1. Multiple MessagesWe an extend our s heme to sign more than one mes-sage without hanging the key using the method in [24℄.Suppose t 1 messages are to be signed.The signer hooses a se ret key k0; k1; ; kt 1 2 Zn,and publishes the orresponding publi key( 0; 1; 2; ; t 1) = ( k0 ; k1 ; k2 ; ; kt 1)where i 2 ZP ; i = 0; 1 t 1.To sign a message x 2 Zn, S omputesy = k0 + k1x+ k2x2 + + kt 1xt 1 mod nThe signature y passes the veri ation test ify ?= 0x1 x22xt 1t 1 mod PUsing theorem 4.4 of [13℄, it an be proved that thesigner has un onditional se urity after issuing signa-tures on t 1 di erent messages.5. CONCLUSIONSIn this paper, we proposed a new fail-stop signatures heme that uses two omputational assumptions. Ituses dis rete logarithm and fa torisation as the under-lying assumptions for re ipient's se urity, and fa tori-sation as the underlying assumption for the proof offorgery. If either of the two assumptions is broken, asignature an be easily forged and so the se urity of thesystem will be lost.The proof of forgery is by revealing the non-trivialfa tors of the modulus and so results in a fast veri-ation pro ess. We showed that the s heme an beextended for signing multiple messages.We ompared our s heme with the best known FSSs heme, namely the vHP s heme, and two other s hemeswhi h are based on the diÆ ulty of fa torisation. 
The comparison clearly shows that our scheme is more efficient than the other factorisation-based schemes, and that its performance is very similar to the vHP scheme. We introduced a new measure of efficiency for FSS that is related to the efficient use of the communication channel and showed that, with respect to this measure, our scheme performs better than the vHP scheme and the FSS schemes based on factorisation. We showed that, compared to the vHP scheme, our scheme is more efficient for signing messages of up to 1881 bits.

REFERENCES

[1] N. Baric and B. Pfitzmann. Collision-free accumulators and fail-stop signature schemes without trees. Advances in Cryptology: Eurocrypt '97, Lecture Notes in Computer Science 1233, pages 480-494, 1997.
[2] G. Bleumer, B. Pfitzmann, and M. Waidner. A remark on a signature scheme where forgery can be proved. Advances in Cryptology: Eurocrypt '90, Lecture Notes in Computer Science 437, pages 441-445, 1991.
[3] E. F. Brickell and K. S. McCurley. An interactive identification scheme based on discrete logarithms and factoring. Advances in Cryptology: Eurocrypt '90, Lecture Notes in Computer Science 437, pages 63-71, 1991.
[4] J. Camenisch and M. Michels. Proving in zero-knowledge that a number is the product of two safe primes. Advances in Cryptology: Eurocrypt '99, Lecture Notes in Computer Science 1592, 1999.
[5] D. Chaum, E. van Heijst, and B. Pfitzmann. Cryptographically strong undeniable signatures, unconditionally secure for the signer. Interner Bericht, Fakultaet fuer Informatik, 1/91, 1990.
[6] I. B. Damgaard. Collision free hash functions and public key signature scheme. Advances in Cryptology: Eurocrypt '87, Lecture Notes in Computer Science 304, pages 203-216, 1988.
[7] W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644-654, 1976.
[8] S. Goldwasser, S. Micali, and R. L. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17/2:281-308, 1988.
[9] S. Goldwasser, S. Micali, and R. L. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17:281-308, 1998.
[10] S. S. Wagstaff Jr. Greatest of the least primes in arithmetic progression having a given modulus. Mathematics of Computation, 33(147):1073-1080, July 1979.
[11] L. Lamport. Constructing digital signatures from a one-way function. PSRI International CSL-98, 1979.
[12] A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. Online: http://www.cryptosavvy.com/. Extended abstract appeared in Commercial Applications, Price Waterhouse Coopers, CCE Quarterly Journals, 3, 3-9, 1999.
[13] T. Pedersen. Non-interactive and information-theoretic secure verifiable secret sharing. Advances in Cryptology: Crypto '91, pages 129-140, 1991.
[14] T. P. Pedersen and B. Pfitzmann. Fail-stop signatures. SIAM Journal on Computing, 26/2:291-330, 1997.
[15] B. Pfitzmann. Fail-stop signatures: principles and applications. Proc. Compsec '91, 8th World Conference on Computer Security, Audit and Control, pages 125-134, 1991.
[16] B. Pfitzmann. Fail-stop signatures without trees. Hildesheimer Informatik-Berichte, Institut fuer Informatik, 16/94, 1994.
[17] B. Pfitzmann. Digital Signature Schemes: General Framework and Fail-Stop Signatures. Lecture Notes in Computer Science 1100, Springer-Verlag, 1996.
[18] B. Pfitzmann and M. Waidner. Formal aspects of fail-stop signatures. Interner Bericht, Fakultaet fuer Informatik, 22/90, 1990.
[19] B. Pfitzmann and M. Waidner. Fail-stop signatures and their application. SECURICOM 91, 9th Worldwide Congress on Computer and Communications Security and Protection, pages 145-160, 1991.
[20] R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21, no. 2:120-126, 1978.
[21] D. R. Stinson. Cryptography: Theory and Practice. CRC Press, Boca Raton, New York, 1995.
[22] W. Susilo, R. Safavi-Naini, and J. Pieprzyk. RSA-based fail-stop signature schemes. International Workshop on Security (IWSEC '99), IEEE Computer Society Press, pages 161-166, 1999.
[23] E. van Heijst, T. Pedersen, and B. Pfitzmann. New constructions of fail-stop signatures and lower bounds. Advances in Cryptology: Crypto '92, Lecture Notes in Computer Science 740, pages 15-30, 1993.
[24] E. van Heyst and T. Pedersen. How to make efficient fail-stop signatures. Advances in Cryptology: Eurocrypt '92, pages 337-346, 1992.
[25] M. Waidner and B. Pfitzmann. The dining cryptographers in the disco: unconditional sender and recipient untraceability with computationally secure serviceability. Advances in Cryptology: Eurocrypt '89, Lecture Notes in Computer Science 434, 1990.
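As an added worked example for the multiple-message extension of Section 4.1 and for the remark in Section 5 that the proof of forgery reveals the factors of the modulus (this is illustrative code, not code from the paper or its authors): the key-generation, signing and verification rules of Section 4.1 at toy size, followed by a simulated computationally unbounded forger and a gcd step that recovers the factors of n from a genuine and a forged signature on the same message. The toy prekey (n = 11 * 13, P = 23, alpha = 2), the assumption that alpha has order p so that a forged value can agree with the signer's y only modulo p, the reduction of verification exponents modulo P - 1, and all function names are my own choices for illustration; the paper's actual prekey generation is given in its earlier sections and is not reproduced here. Discrete logarithms are found by exhaustive search, which is only feasible at this size.

```python
import math
import random

# Toy prekey, constructed for this example (not the paper's parameters):
# n = p*q, a prime P with p | P - 1, and alpha of order p in Z_P^*.
# Assumption for the toy: ord(alpha) = p, so a forged signature can agree
# with the signer's one only modulo p and gcd(y - y', n) exposes a factor.
TOY_P, TOY_Q = 11, 13
N = TOY_P * TOY_Q        # 143, the modulus of the signature ring Z_n
PRIME_P = 23             # 22 = 2 * 11, so an element of order 11 exists
ALPHA = 2                # 2^11 = 2048 = 89*23 + 1, hence ord(2) = 11 in Z_23^*


def public_key(sk):
    """beta_i = alpha^{k_i} mod P for the secret key (k_0, ..., k_{t-1})."""
    return [pow(ALPHA, k, PRIME_P) for k in sk]


def keygen(t, rng=random):
    """Choose t secrets k_i in Z_n (enough for t - 1 messages) and derive the public key."""
    sk = [rng.randrange(N) for _ in range(t)]
    return sk, public_key(sk)


def sign(sk, x):
    """y = k_0 + k_1 x + ... + k_{t-1} x^{t-1} mod n."""
    return sum(k * pow(x, i, N) for i, k in enumerate(sk)) % N


def verify(pk, x, y):
    """alpha^y == beta_0 * beta_1^x * beta_2^{x^2} * ... mod P.

    The exponents x^i are reduced modulo P - 1, which is valid for any element
    of Z_P^* and keeps the integers small; the verifier needs no secret."""
    lhs = pow(ALPHA, y, PRIME_P)
    rhs = 1
    for i, beta in enumerate(pk):
        rhs = rhs * pow(beta, pow(x, i, PRIME_P - 1), PRIME_P) % PRIME_P
    return lhs == rhs


def unbounded_forger(pk, x):
    """Simulate a computationally unbounded forger: recover the discrete logs of
    the public key by exhaustive search (feasible only at toy size) and output a
    value that passes verify().  It learns each k_i only modulo ord(alpha), so
    its output generally differs from the signer's y as an element of Z_n."""
    order = next(e for e in range(1, PRIME_P) if pow(ALPHA, e, PRIME_P) == 1)
    logs = [next(e for e in range(order) if pow(ALPHA, e, PRIME_P) == beta)
            for beta in pk]
    return sum(d * pow(x, i, order) for i, d in enumerate(logs)) % order


def prove_forgery(y_genuine, y_forged):
    """Given two distinct valid signatures on the same message, return the
    non-trivial factors of n (smaller first), or None if the pair yields none."""
    g = math.gcd(abs(y_genuine - y_forged), N)
    if 1 < g < N:
        return (g, N // g) if g < N // g else (N // g, g)
    return None


if __name__ == "__main__":
    sk, pk = keygen(3, random.Random(7))   # t = 3 secrets: good for 2 messages
    x = 57                                 # constructed sample message in Z_n
    y = sign(sk, x)
    y_forged = unbounded_forger(pk, x)
    print("genuine verifies:", verify(pk, x, y))
    print("forgery verifies:", verify(pk, x, y_forged))
    print("proof of forgery (factors of n):", prove_forgery(y, y_forged))
```

The verifier checks the product relation exactly as written in Section 4.1; the forger's value passes that check because alpha only "sees" exponents modulo its order, which is why the signer's knowledge of y modulo the full n is what makes the proof of forgery possible. Occasionally the random key in the demo gives a forged value equal to the genuine y (or a difference divisible by both primes), in which case prove_forgery returns None.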
Journal title: Comput. J.
Volume 43, issue:
Pages: -
Publication date: 2000