Two Remarks Concerning the Goldwasser-Micali-Rivest Signature Scheme
Total Page:16
File Type:pdf, Size:1020Kb
App eared in Advances in Cryptology Crypto Proceedings AM Odlyzko ed Lecture Note in Computer Science Springer Verlag pages Two Remarks Concerning the GoldwasserMicaliRivest Signature Scheme Repro duced from preprint Oded Goldreich Department of Computer Science and Applied Mathematics Weizmann Institute of Scienve Rehovot Israel ABSTRACT The fo cus of this note is the GoldwasserMicaliRivest Signature Scheme presented in the th POCS The GMR scheme has the salient prop erty that unless factoring is easy it is infeasible to forge any signature even through an adaptive chosen message attack We present two technical contributions with resp ect to the GMR scheme The GMR scheme can be made total ly memoryless That is the signature generated by the signer on message M do es not dep end on the previous signed messages In the original scheme the signature to a message dep ends on the number of messages signed b efore The GMR scheme can be implemented almost as eciently as the RSA The original implementation of the GMR scheme based on factoring can b e sp eededup by a factor 2 3 of jN j Thus b oth signing and verifying take time O jN j log jN j Here N is the mo duli Work done while author was in the Lab oratory for Computer Science MIT Partially supp orted by a Weizmann Postdoctoral Fellowship an IBM Postdoctoral Fellow ship and NSF Grant DCR Introduction In Goldwasser Micali and Rivest presented a signature scheme robust against adaptive chosen message attack GMR no adversary who rst receives signatures to mes sages of his choice can later create a signature of even a single additional message The scheme uses two pairs of trap do or p ermutations and is proven to b e secure in the ab ove sense if these pairs have a certain clawfree prop erty ie it is infeasible to nd x and y such that f x f y It was shown that the intractability assumption of factoring 0 1 implies the clawfree condition and thus a concrete factoringbased implementation was presented The original GMR scheme suers from two aesthetic drawbacks The signature scheme is not completely memoryless That is the signature gener ated by the signer slightly dep ends on the previous signed messages The signing pro cess in the suggested factoringbased implementation is to o slow Let n b e the security parameter ie the length of the mo duli then signing takes more 4 3 than n steps as opp osed to n steps in the RSA In this note we suggest a mo dication of the abstract GMR scheme and a sp eedup in its factoringbased implementation These suggestions eliminate the drawbacks listed ab ove while maintaining the security of the original scheme That is the mo died scheme is totally memoryless and its implementation using factoring is almost as fast as the RSA while b eing much more secure than RSA The rest of this note is organized as follows In Section we briey review the GMR signature scheme The reader is encourage to consult the original pap er GMR for a more complete exp osition of the GMR scheme This reference is also an excellent source for the critical review and a historical account of the problem of obtaining digital signatures In Section we present a mo dication which makes the GMR scheme memoryless In Section we present a sp eedup in the factoringbased implementation of the GMR scheme Our conclusions are presented in Section Overview of the GMR Scheme The GMR scheme is basically a twostage authentication pro cess First the signers entry in the public le is used to authenticate a random point of reference hereafter called REF Next this REF is used to authenticate the message in a bitbybit manner The same REF is never used to authenticate two dierent messages The scheme utilizes two pairs of trap do or clawfree p ermutations denoted f f and g g The f pair is used 0 1 0 1 for the rst stage authentication of the REF while the g pair is used for the second stage authentication of the message The REFs are generated from the public le by using a tree structure hereafter called the REF tree The same REF tree is used to sign all messages The ro ot of the REF tree contains part of the signers entry in the public le Each internal no de in the REF tree has a constant number of children say three Leaves in the REF tree are used to authenticate messages in the second stage of the signing pro cess It was originally prop osed GMR that only the third no de of each internal no de b e a leaf while the other children b e p otential internal no des As we will see in the sequel this particular tree structure for the REF tree is not essential Authentication of the no des in the REF tree is done successively each no de is au thenticated by its father in the tree A crucial detail in the GMR scheme is the manner in which one REF authenticates its children Each REF is partitioned into ve parts its name denoted x the names of its children denoted y y y and a tag denoted t 1 2 3 binding them all together The tag is computed using the rst pair of trap do or clawfree p ermutations f and f through what is called an authentication step 0 1 1 1 1 1 1 Let F x f x for every f g Let F x F f x for every f g and f g 1 The the ve parts of the REF satisfy t F y y y x 1 2 3 The REF tree should not b e confused with the treelike nature of the authentication step The authentication of the message in the second stage consists of a single authentication step that uses the g pair This authentication step binds the message m to b e signed to a leaf in the REF tree The tag t binding the leaf named x with the message m satises 1 1 1 t G m x where G is dened analogously to F based on the p ermutations g 0 and g 1 To sign a new message m the signer identies a leaf that was not used so far named z If no such leaf exists the signer identies an unused internal no de names x ie a no de which is a p otential internal no de but has no children yet randomly selects names for its children y y y computes a tag binding the children to their father ie uses the 1 2 3 1 trap do or information to compute t F y y y x stores the names of the children 1 2 3 and sets x y The signer retrieves or recomputes the tags for all the authentication 3 steps leading from the ro ot of the REF tree to the leaf named z It is crucial that in all signatures pro duced the same names are used for the same no des This completes the rst stage of the signing pro cess Next the signer uses the trap do or information for the 1 pair g and g to compute the tag G m z The signature consists of the list of all 0 1 authentication steps mentioned ab ove corresp onding to a path from the ro ot to a leaf and an extra step authenticating the message by the leaf To verify the validity of a signature the verier checks that the list corresp onds to a path from the ro ot to a leaf and that all tags along this path are valid To validate 1 t F x the verier computes F t and compares it to x Making the GMR Scheme Memoryless As hinted in the outline of the GMR scheme the particular way of using the no des in the REF tree is not essential to the scheme In the original scheme the no des were used in a greedy manner so to minimize the length of the rst signatures The drawback in that suggestion is that it was required to remember the identity of the last no de used for message authentication ie to store the number of messages signed so far Our aim is to eliminate the dep endency of the next signature on the past Thus we suggest to use the REFs in the tree dierently than in the original scheme 2 Let n b e the security parameter and let k log n For message authentication 2 second stage we will use only the REFs in the k th level of the REF tree In other words the REF tree will b e a full binary tree of depth k The key idea is to use a randomly chosen k level leaf in order to authenticate a new message With very high probability we will k never use the same leaf twice in the second stage This is the case since was chosen to b e much larger than the number of messages to b e ever signed The last detail to b e mentioned is that the names of the no des in the REF tree should b e generated using a pseudorandom function applied to the lo cation of the no de rather than randomly This way we guarantee that the same names are always used for the same no des without having to store these names The idea to use pseudorandom functions to eliminate this part of the storage requirement in the GMR scheme was suggested by Leonid Levin Assuming the existence of oneway p ermutations pseudorandom functions can b e eciently constructed GGM Proving that the mo died signature scheme is as secure as the original scheme requires a twostep argument First one should consider a hybrid scheme where the names of the no des in the REF tree are generated randomly as in the original scheme The pro of of security for this scheme is conceptionally identical to the pro of presented in GMR and is only a little more involved in details Next one uses the p olynomially indistinguishability of the pseudorandom functions from random functions to show that the prop osed scheme is as secure as the hybrid scheme Remark the identity of the k level leaf to b e used can b e computed by applying a pseudorandom function to the message to b e signed Thus no coin tosses are required during the signing pro cess One can easily show that the security feature is preserved Sp eedingup the Signing Pro cess in the Factoring Based Implementation The computational b ottleneck in the signingverifying pro cess are resp ectively the 1 computation of F given the trap do or