Large provably fast and secure digital signature schemes based on secure hash functions

US 5,432,852 A
Filed: 09/29/1993
Issued: 07/11/1995
Est. Priority Date: 09/29/1993
Status: Expired due to Term

First Claim

Patent Images

1. A method for generating a digital signature of a message, comprising the steps of:

(a) choosing a secret key including a set of pseudoramdom integers;

(b) generating a verification key by evaluating at least once a one-way function on a string that is derived at least in part from one or more of the pseudorandom integers and security information associated with a signer; and

(c) releasing, as the digital signature of the messages, information that enables a verifier to compute a string such that when the one-way function is applied to the string computed by the verifier, some part of the verification key is derived.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention describes new digital signature schemes that are provably secure against any adaptive chosen-message attack. The scheme, which is based on selection of a hash function from a space of such functions, has a very short public key, fast signing, a reasonable signature length and high security. Several algorithmic techniques are provided for enhancing the efficiency of the signature scheme in terms of time and memory.

164 Citations

12 Claims

1. A method for generating a digital signature of a message, comprising the steps of:
- (a) choosing a secret key including a set of pseudoramdom integers;
  
  (b) generating a verification key by evaluating at least once a one-way function on a string that is derived at least in part from one or more of the pseudorandom integers and security information associated with a signer; and
  
  (c) releasing, as the digital signature of the messages, information that enables a verifier to compute a string such that when the one-way function is applied to the string computed by the verifier, some part of the verification key is derived.
- View Dependent Claims (2)
- - 2. The method as described in claim 1 wherein the security information includes at least one of the following items:
    - an identifier for the signer, an identifier for the verification key within a set of verification keys, and positional information of the pseudorandom value within a set of pseudorandom values in the secret key.

3. A method for generating a digital signature of a message, comprising the steps of:
- (a) generating a plurality of secret keys and their corresponding verification keys, each secret key and its corresponding verification key being used or digitally signing a single message; and
  
  (b) authenticating the verification keys by means of a directed acyclic graph according to the following steps;
  
  (i) associating the verification keys to some nodes of the directed acyclic graph;
  
  (ii) publishing the values associated with some of the nodes of the directed acyclic graph such that each verification key to be authenticated has a directed path from its node to a node whose value is published, each directed edge of the directed acyclic graph corresponding to obtaining the value associated to its end-node from the value associated to its start node and security information associated with a signer by an operation that includes evaluating a one-way function at least once.
- View Dependent Claims (4)
- - 4. The method for digitally signing as described in claim 3 wherein a signer recomputes secret signing keys prior to signing a message by running an efficient algorithm on a short secret seed value such that less than log N additional signing keys need to be reconstructed before signing the message.

5. A method of digitally signing a message comprising the steps of:
- (a) hashing the message to a second string by means of a pseudorandom one-way hash function;
  
  (b) authenticating the one-way hash function; and
  
  (c) digitally signing the second string to generate a digital signature of the message.
- View Dependent Claims (6, 7, 8)
- - 6. The method as described in claim 5 wherein the one-way nash function is selected by means of a fixed hash function by:
    - (a) choosing an auxiliary value;
      
      (b) selecting the one-way hash function to be a function that hashes the message by evaluating the fixed hash function on the message together with the auxiliary value; and
      
      (c) authenticating the auxiliary value.
  - 7. The method as described in claim 6 wherein the auxiliary value is chosen to include security information.
  - 8. The method as described in claim 6 wherein the auxiliary value is chosed include a pseudorandom number.

9. A method for providing secure digital signing using a collection of hash functions, where K_s.sup.(i) denotes a secret key of an ith 1-time scheme, K_p.sup.(i) denotes a public key of an ith 1-time scheme for 1<
- i<
  
  N, and K_s =(K_s.sup.(1) . . . K_s.sup.(N)) denotes a secret key of an N-time scheme, wherein a 1-time scheme creates a digital signature that is used with only a single message, comprising the steps of;
  
  generating a directed acyclic graph having a plurality of nodes, each node having a value associated therewith, the value derived at least in part by evaluation a one-way function association with one or more predecessor nodes;
  
  generating a public key for an N-time digital signature scheme from one or more values of the directed acyclic graph; and
  
  generating a signature of a message, the signature comprising a 1-time signature for the message produced by an ith 1-time scheme, the public key K_p.sup.(i) and a predetermined value derived from the directed acyclic graph.

10. A method to enhance the security of a digital signature scheme, comprising the steps of:
- (a) combining a message to be signed with an auxiliary value to produce a string;
  
  (b) digitally signing the string; and
  
  (c) authenticating the auxiliary value.
- View Dependent Claims (11, 12)
- - 11. The method as described in claim 10 wherein the auxiliary value is chosen to include security information.
  - 12. The method as described in claim 10 wherein the auxiliary value is chosed include a pseudorandom number.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Frank T. Leighton, Silvio Micali
Original Assignee
Frank T. Leighton, Silvio Micali
Inventors
Leighton, Frank T., Micali, Silvio
Primary Examiner(s)
Gregory, Bernarr E.

Application Number

US08/128,514
Time in Patent Office

650 Days
Field of Search

380/21, 380/23, 380/25, 380/30, 380/43, 380/49
US Class Current

380/30
CPC Class Codes

H04L 2209/30   Compression, e.g. Merkle-Da...

H04L 9/0836   using tree structure or hie...

H04L 9/3013   involving the discrete loga...

H04L 9/302   involving the integer facto...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3247   involving digital signatures

H04L 9/50   using hash chains, e.g. blo...

Large provably fast and secure digital signature schemes based on secure hash functions

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

164 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Large provably fast and secure digital signature schemes based on secure hash functions

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

164 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links