TY - GEN
T1 - Is the notion of divisible on-line/off-line signatures stronger than on-line/off-line signatures?
AU - Au, Man Ho Allen
AU - Susilo, Willy
AU - Mu, Yi
PY - 2009/12/1
Y1 - 2009/12/1
N2 - On-line/Off-line signatures are useful in many applications where the signer has a very limited response time once the message is presented. The idea is to perform the signing process in two phases. The first phase is performed off-line before the message to be signed is available and the second phase is performed on-line after the message to be signed is provided. Recently, in CT-RSA 2009, Gao et al. made a very interesting observation that most of the existing schemes possess the following structure. In the off-line phase, a partial signature, called the off-line token is computed first. Upon completion of the on-line phase, the off-line token constitutes part of the full signature. They considered the "off-line token exposure problem" in which the off-line token is exposed in the off-line phase and introduced a new model to capture this scenario. While intuitively the new requirement appears to be a stronger notion, Gao et al. cannot discover a concrete attack on any of the existing schemes under the new model. They regard clarifying the relationship between the models as an open problem. In this paper, we provide an affirmative answer to this open problem. We construct an On-line/Off-line signature scheme, which is secure under the ordinary security model whilst it is insecure in the new model. Specifically, we present a security proof under the old model and a concrete attack of the scheme under the new model. This illustrates that the new model is indeed stronger.
AB - On-line/Off-line signatures are useful in many applications where the signer has a very limited response time once the message is presented. The idea is to perform the signing process in two phases. The first phase is performed off-line before the message to be signed is available and the second phase is performed on-line after the message to be signed is provided. Recently, in CT-RSA 2009, Gao et al. made a very interesting observation that most of the existing schemes possess the following structure. In the off-line phase, a partial signature, called the off-line token is computed first. Upon completion of the on-line phase, the off-line token constitutes part of the full signature. They considered the "off-line token exposure problem" in which the off-line token is exposed in the off-line phase and introduced a new model to capture this scenario. While intuitively the new requirement appears to be a stronger notion, Gao et al. cannot discover a concrete attack on any of the existing schemes under the new model. They regard clarifying the relationship between the models as an open problem. In this paper, we provide an affirmative answer to this open problem. We construct an On-line/Off-line signature scheme, which is secure under the ordinary security model whilst it is insecure in the new model. Specifically, we present a security proof under the old model and a concrete attack of the scheme under the new model. This illustrates that the new model is indeed stronger.
KW - Divisible on-line/off-line signatures
KW - DOS-EU-CMA
KW - On-line/off-line signatures
KW - OS-EU-CMA
UR - http://www.scopus.com/inward/record.url?scp=77952728276&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-04642-1_12
DO - 10.1007/978-3-642-04642-1_12
M3 - Conference article published in proceeding or book
SN - 364204641X
SN - 9783642046414
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 129
EP - 139
BT - Provable Security - Third International Conference, ProvSec 2009, Proceedings
T2 - 3rd International Conference on Provable Security, ProvSec 2009
Y2 - 11 November 2009 through 13 November 2009
ER -