Practical Threshold Signatures 211
We present another scheme, Protocol 2, for use in the more general setting
k ≥ t + 1. Protocol 2 can be be proven secure—again, in the random oracle
model—when k = t + 1 under the RSA assumption, and when k > t + 1 under
an additional assumption, namely, an appropriate variant of the Decision Diffie-
Hellman assumption.
As already mentioned, our proofs of security are valid in the so-called “ran-
dom oracle model,” where cryptographic hash functions are replaced by a ran-
dom oracle. This model was used informally by Fiat and Shamir [FS87], and
later was rigorously formalized and more fully exploited in Bellare and Rogaway
[BR93], and thereafter used in numerous papers.
For Protocol 1, we only need random oracles for robustness, if we assume that
ordinary RSA signatures are secure. In fact, Gennaro et al. [GJKR96a] present a
non-interactive share verification scheme that can be analyzed without resorting
to random oracles. One could use their verification scheme in place of the one
we suggest, thus avoiding random oracles in the analysis, but this would have
certain practical drawbacks, requiring a special relationship between the sender
and recipient of a share of a signature. Alternatively, one could use a simple
interactive share verification scheme. The resulting signature scheme would no
longer be truly non-interactive, but it would still not require any coordination
or synchronization among the players. We do not explore these alternatives in
any detail here, as they are quite straightforward.
The analysis of Protocol 2 makes use of the random oracle model in a more
fundamental way. Since this seemed inevitable, we took several liberties in the
design of Protocol 2, so that it is actually a bit simpler and more efficient than
Protocol 1. Thus, even if k = t + 1, Protocol 2 may be an attractive practical
alternative to Protocol 1.
We view a proof of security in the random oracle model as a heuristic argu-
ment that provides strong evidence that a system cannot be broken. All things
being equal, a proof of security in the random oracle model is not as good as
a proof of security in the “real world,” but is much better than no proof at
all. Anyway, it does not seem unreasonable to use the random oracle model,
since that is the only way we know of to justify the security of ordinary RSA
signatures.
Previous Work
Desmedt [Des87] introduces the more general notion of threshold signatures.
Desmedt and Frankel [DF89] present a non-robust threshold ElGamal scheme
[ElG85] based on “secret sharing,” [Sha79] i.e., polynomial interpolation over
a finite field. Their scheme has small share size, but requires synchronized in-
teraction. Harn [Har94] presents a robust threshold ElGamal scheme with small
share size, but again requires synchronized interaction. It seems that the security
of both of the above schemes can be rigorously analyzed in a satisfactory way,
although neither paper does this. Gennaro et al. [GJKR96b] present a robust
threshold DSS scheme with small share size that again requires synchronized
interaction; they also give a rigorous security analysis.
剩余13页未读,继续阅读
区块链之美
- 粉丝: 589
- 资源: 4
我的内容管理
展开
最新资源
- WebLogic集群配置与管理实战指南
- AIX5.3上安装Weblogic 9.2详细步骤
- 面向对象编程模拟试题详解与解析
- Flex+FMS2.0中文教程:开发流媒体应用的实践指南
- PID调节深入解析:从入门到精通
- 数字水印技术:保护版权的新防线
- 8位数码管显示24小时制数字电子钟程序设计
- Mhdd免费版详细使用教程:硬盘检测与坏道屏蔽
- 操作系统期末复习指南:进程、线程与系统调用详解
- Cognos8性能优化指南:软件参数与报表设计调优
- Cognos8开发入门:从Transformer到ReportStudio
- Cisco 6509交换机配置全面指南
- C#入门:XML基础教程与实例解析
- Matlab振动分析详解:从单自由度到6自由度模型
- Eclipse JDT中的ASTParser详解与核心类介绍
- Java程序员必备资源网站大全
资源上传下载、课程学习等过程中有任何疑问或建议,欢迎提出宝贵意见哦~我们会及时处理!
点击此处反馈
