App eared in Advances in Cryptology � Crypto ��� �Proceedings�� �A�M� Odlyzko ed���
Lecture Note in Computer Science ����� Springer Verlag� pages �������� �����
Two Remarks Concerning
the Goldwasser�Micali�Rivest Signature Scheme
�Repro duced from preprint�
Oded Goldreich
Department of Computer Science and Applied Mathematics
Weizmann Institute of Scienve� Rehovot� Israel
ABSTRACT
The fo cus of this note is the Goldwasser�Micali�Rivest Signature Scheme �presented in
the ��th POCS � ������ The GMR scheme has the salient prop erty that� unless factoring
is easy� it is infeasible to forge any signature even through an adaptive chosen message
attack� We present two technical contributions with resp ect to the GMR scheme�
�� The GMR scheme can be made total ly �memoryless �� That is� the signature generated
by the signer on message M do es not dep end on the previous signed messages� �In
the original scheme� the signature to a message dep ends on the number of messages
signed b efore��
�� The GMR scheme can be implemented almost as e�ciently as the RSA� The original
implementation of the GMR scheme based on factoring� can b e sp eeded�up by a factor
2
3
of jN j� Thus� b oth signing and verifying take time O �jN j log jN j�� �Here N is the
mo duli��
Work done while author was in the Lab oratory for Computer Science� MIT�
Partially supp orted by a Weizmann Postdoctoral Fellowship� an IBM Postdoctoral Fellow�
ship� and NSF Grant DCR��������� �
�� Introduction
In ����� Goldwasser� Micali and Rivest presented a signature scheme robust against
adaptive chosen message attack �GMR�� no adversary who �rst receives signatures to mes�
sages of his choice� can later create a signature of even a single additional message � The
scheme uses two pairs of trap do or p ermutations� and is proven to b e secure �in the ab ove
sense� if these pairs have a certain clawfree prop erty �i�e� it is infeasible to �nd x and y
such that f �x� � f �y ��� It was shown that the intractability assumption of factoring
0 1
implies the clawfree condition� and thus a concrete factoring�based implementation was
presented�
The original GMR scheme su�ers from two aesthetic drawbacks�
�� The signature scheme is not completely �memoryless�� That is� the signature gener�
ated by the signer slightly dep ends on the previous signed messages�
�� The signing pro cess in the suggested factoring�based implementation is to o slow� Let
n b e the security parameter �i�e� the length of the mo duli�� then signing takes more
4 3
than n steps �as opp osed to n steps in the RSA��
In this note we suggest a mo di�cation of the abstract GMR scheme� and a sp eed�up in its
factoring�based implementation� These suggestions eliminate the drawbacks listed ab ove�
while maintaining the security of the original scheme� That is� the mo di�ed scheme is
totally �memoryless�� and its implementation using factoring is almost as fast as the RSA
�while b eing much more secure than RSA���
The rest of this note is organized as follows� In Section � we brie�y review the GMR
signature scheme� The reader is encourage to consult the original pap er �GMR� for a more
complete exp osition of the GMR scheme� �This reference is also an excellent source for
the critical review and a historical account of the problem of obtaining digital signatures��
In Section �� we present a mo di�cation which makes the GMR scheme �memoryless��
In Section �� we present a sp eed�up in the factoring�based implementation of the GMR
scheme� Our conclusions are presented in Section ��
�� Overview of the GMR Scheme
The GMR scheme is basically a two�stage authentication pro cess� First the signer�s
entry in the public �le is used to authenticate a random point of reference �hereafter called
REF �� Next this REF is used to authenticate the message in a bit�by�bit manner� The
same REF is never used to authenticate two di�erent messages� The scheme utilizes two
pairs of trap do or clawfree p ermutations� denoted �f � f � and �g � g �� The f �pair is used
0 1 0 1
for the �rst stage �authentication of the REF�� while the g �pair is used for the second stage
�authentication of the message��
The REFs are generated from the public �le by using a tree structure �hereafter called
the REF tree �� The same REF tree is used to sign all messages� The ro ot of the REF
tree contains part of the signer�s �entry in the� public �le� Each internal no de in the
REF tree has a constant number of children �say three�� Leaves in the REF tree are used
to authenticate messages �in the second stage of the signing pro cess�� It was originally
prop osed �GMR� that only the third no de of each internal no de b e a leaf� while the other
children b e p otential internal no des� As we will see in the sequel� this particular tree �
structure �for the REF tree� is not essential�
Authentication of the no des in the REF tree is done successively� each no de is au�
thenticated by its father in the tree� A crucial detail in the GMR scheme is the manner
in which one REF authenticates its children� Each REF is partitioned into �ve parts� its
�name� �denoted x�� the names of its children �denoted y � y � y �� and a �tag� �denoted t�
1 2 3
binding them all together� The tag is computed using the �rst pair of �trap do or� clawfree
p ermutations f and f � through what is called an authentication step �
0 1
�1 �1 �1 �1 �1
Let F ��� x� � f �x�� for every � � f�� �g� Let F ���� x� � F ��� f �x��� for
� �
every � � f�� �g and � � f�� �g�
�1
The the �ve parts of the REF satisfy t � F �y y y � x��
1 2 3
�The REF tree should not b e confused with the tree�like nature of the authentication step��
The authentication of the message� in the second stage� consists of a single authentication
step that uses the g �pair� This authentication step binds the message m �to b e signed� to
a leaf in the REF tree� The tag t binding the leaf named x with the message m satis�es
�1 �1 �1
t � G �m� x�� where G is de�ned analogously to F based on the p ermutations g
0
and g �
1
To sign a new message� m� the signer identi�es a leaf that was not used so far �named
z �� If no such leaf exists� the signer identi�es an unused internal no de names x �i�e� a no de
which is a p otential internal no de but has no children yet�� randomly selects names for
its children �y � y � y �� computes a tag binding the children to their father �i�e� uses the
1 2 3
�1
trap do or information to compute t � F �y � y � y � x��� stores the names of the children�
1 2 3
and sets x � y � The signer retrieves �or recomputes� the tags for all the authentication
3
steps leading from the ro ot of the REF tree to the leaf named z � �It is crucial that� in all
signatures pro duced� the same names are used for the same no des�� This completes the
�rst stage of the signing pro cess� Next the signer uses the trap do or information �for the
�1
pair g and g � to compute the tag G �m� z �� The signature consists of the list of all
0 1
authentication steps mentioned ab ove �corresp onding to a path from the ro ot to a leaf and
an extra step authenticating the message by the leaf ��
To verify the validity of a signature� the veri�er checks that the list corresp onds to
a path from the ro ot to a leaf� and that all tags along this path are valid� To validate
�1
t � F ��� x�� the veri�er computes F ��� t� and compares it to x�
�� Making the GMR Scheme Memoryless
As hinted in the outline of the GMR scheme� the particular way of using the no des in
the REF tree is not essential to the scheme� In the original scheme� the no des were used
in a �greedy� manner so to minimize the length of the �rst signatures� The drawback in
that suggestion is that it was required to remember the identity of the last no de used for
message authentication �i�e� to store the number of messages signed so far�� Our aim is to
eliminate the dep endency of the next signature on the past� Thus� we suggest to use the
REFs in the tree di�erently than in the original scheme�
2
Let n b e the security parameter� and let k � �log n� � For message authentication
2
�second stage�� we will use only the REFs in the k th level of the REF tree� In other words�
the REF tree will b e a full binary tree of depth k � The key idea is to use a randomly chosen �
�k �level� leaf in order to authenticate a new message� With very high probability� we will
k
never use the same leaf twice �in the second stage�� This is the case since � was chosen
to b e much larger than the number of messages to b e ever signed�
The last detail to b e mentioned is that the names of the no des in the REF tree should
b e generated using a pseudorandom function �applied to the lo cation of the no de�� rather
than randomly� This way� we guarantee that the same names are always used for the same
no des� without having to store these names� �The idea to use pseudorandom functions
to eliminate this part of the storage requirement in the GMR scheme was suggested by
Leonid Levin�� Assuming the existence of one�way p ermutations� pseudorandom functions
can b e e�ciently constructed �GGM��
Proving that the mo di�ed signature scheme is as secure as the original scheme requires
a two�step argument� First� one should consider a hybrid scheme where the names of the
no des in the REF tree are generated randomly as in the original scheme� The pro of of
security for this scheme is conceptionally identical to the pro of presented in �GMR�� and is
only a little more involved in details� Next� one uses the p olynomially indistinguishability
of the pseudorandom functions �from random functions�� to show that the prop osed scheme
is as secure as the hybrid scheme�
Remark� the identity of the �k �level� leaf to b e used can b e computed by applying a
pseudorandom function to the message to b e signed� Thus� no coin tosses are required
during the signing pro cess� One can easily show that the security feature is preserved�
�� Sp eeding�up the Signing Pro cess in the Factoring Based Implementation
The computational b ottleneck in the signing�verifying pro cess are� resp ectively� the
�1
computation of F ��� �� given the trap do or and the computation of F ��� ��� In the factoring�
�1 4
based implementation presented in �GMR�� F ��� �� was computed in jN j steps� while
3
F ��� �� was computed in jN j steps� where N is the mo dulus in use� In this section we show
�1 3
how to compute F in jN j steps�
In the implementation based on factoring� N � pq is the pro duct of two primes
satisfying p � q � � �mod �� and p � q �mod ��� This way� each quadratic residue mo d
N has a unique square ro ot which is a quadratic residue itself� and neither �� nor ��
is a quadratic residue mo d N � f and f are de�ned to b e p ermutations over the set of
0 1
quadratic residues mo d N �
2
f �x� � x �mod N �
0
and
2
f �x� � � � x �mod N � �
1
p
�1
x denote the square ro ot of x which is a quadratic residue mo d N � Thus� f �x� � Let
0
p
p
p
�1
x and f �x� � x�� � Note that � � � �mod N �� This observation is the key for
1
proving that� unless factoring is easy� the p ermutations f and f de�ned ab ove constitute
0 1
a pair of �trap do or� clawfree p ermutations� For more details see �GMR��
�1
Recall the de�nition of F ��� x�
� �
� �
�1 �1 �1 �1
� f F �� � � � � � � x� � f � � � f �x� � � �
1 2 n
� � �
2 1 n �
�1
The obvious way to compute F ��� x� is by successively taking square ro ots� This
results in ��j�j� exp onentiations� We present an alternative and faster way for computing
�1
F ��� x�� This way requires only a constant number of exp onentiations� and is based on
the following observation�
Let M denote the length of �� and i��� denote the integer naturally enco ded by the
m m
string �� Let R �� � z � denote the � th ro ot of z mo dulo N �i�e� the quadratic
N
p
residue obtained from z by rep eating the � op erator m times�� Then
m
R �� � x�
N
�1
�mod N � � F ��� x� �
m i(�)
�R �� � ���
N
�See example in the App endix��
m
Computing R �� � z � reduces to computing it mo dulo each of the factors �i�e� computing
N
m m
R �� � z � and R �� � z � and applying the Chinese Reminder Theorem� Rather than com�
p q
p
m
puting R �� � z � by successive applications of � � we compute it by one exp onentiation�
p
�Pre��compute� inv ��� � �p � ����� the �inverse� of � mo dulo ��p� � p � ���
p
inv (2)
p
�Note that R ��� z � � z ��
p
m m m
�Pre��compute� inv �� � � �inv ���� mod p � �� the �inverse� of � mo dulo ��p��
p p
m
inv (2 )
p
Compute r � z �mod p��
p
m
�Clearly� r � R �� � z ���
p p
�1
Thus� computing F reduces to a constant number of mo dular exp onentiations�
�� Conclusions
Incorp orating the two mo di�cations into the GMR signature scheme� we get a scheme
which is as secure as the original one� and is b oth �memoryless� and �practical�� �It is
imp ortant to note that assuming the intractability of factoring� pseudorandom functions
3
f can b e implemented� and that evaluating f �� � can b e done in n � j� j steps� Also note
2
that the length of the argument to f is k � �log n� ��
2
The �dep endency on the past� in the original GMR scheme has nothing to do with
the resolution of the �Paradox� mentioned in �GMR�� The paradox is resolved by observing
that the adversary is uniform� while the real signer is �non�uniform�� For further discussion
see �GMR��
Throughout this note� we have implicitly assumed that the length of the message to
b e signed is linear in the security parameter �n�� However� the GMR scheme works also
if this is not the case� while the running time �naturally� increases� In case we are using
the factoring�based implementation and the message has length m � n� the signing time
increases by an additive term of O �m � n� and the veri�cation time increases by an additive
2
term of O �m � n �� A di�erent approach suggested recently by Damgard is to �rst hash
the message using collision free hash functions and then to sign the hashed value �D��
Interestingly� Damgard also shows that such hash functions can b e constructed based on
the existence of any pair of clawfree p ermutations� �
ACKNOWLEDGEMENTS
Section � is joint work with Sha� Goldwasser� I would like to thank her for the
collab oration� and for the p ermission to present the result here� I would also like to thank
Louis Guillou for suggesting a simpli�cation in the presentation of this result�
I am grateful to Sha� Goldwasser� Silvio Micali and Ron Rivest for many illuminating
discussions concerning their signature scheme�
REFERENCES
�D� Damgard� I�B�� �Collision Free Hash Functions and Public Key Signature Schemes��
manuscript� �����
�DH� Di�e� W� and M�E� Hellman� �New Directions in Cryptography�� IEEE Trans�
Inform� Theory � Vol� IT���� No� �� November ����� pp� ��������
�GGM� Goldreich� O�� S� Goldwasser and S� Micali� �How to Construct Random Func�
th
tions�� Proc� �� Symp� on Foundation of Computer Science � ����� pp� ��������
To app ear in J� ACM �
�GMR� Goldwasser� S�� S� Micali and R�L� Rivest� �A Paradoxical Solution to the Signature
th
Problem�� Proc� �� Symp� on Foundation of Computer Science � ����� pp� ����
���� A b etter version is available from the authors�
�RSA� Rivest� R�L�� A� Shamir and L� Adleman� �A Metho d for Obtaining Digital Signa�
tures and Public Key Cryptosystems�� Comm� ACM � Vol� ��� February ����� pp�
�������� �
APPENDIX
�1
Recall the de�nition of F ��� x�
� �
� �
�1 �1 �1 �1
� � � f �x� � � � f F �� � � � � � � x� � f
1 2 n
� � �
n 2 1
and
p
p
�1 �1
x and f �x� � x�� � f �x� �
1 0
p
where z is the square ro ot of z which is a quadratic residue mo dulo N � Let us consider
the case where the length of � is �� we get�
q
2
� �
p
R �� � x�
N
�1 �1
�1
f �x� � F ���� x� � f �mod N � x �
0 0
2 0
�R �� � ���
N
q
2
p
� �
R �� � x�
N
�1 �1
�1
�x� � f F ���� x� � f �mod N � x�� �
1 0
2 1
�R �� � ���
N
q
2
� �
p
R �� � x�
N
�1 �1 �1
x�� � F ���� x� � f f �x� � �mod N �
1 0
2 2
�R �� � ���
N
q
2
p
� �
R �� � x�
N
�1 �1
�1
�mod N � � f �x� � x���� � F ���� x� � f
1 1
2 3
�R �� � ���
N �