FAIL-STOP SIGNATURES #
Abstract:
Abstract. Fail-stop signatures can briefly be characterized as digital signatures that allow the signer to prove that a given forged signature is indeed a forgery. After such a proof has been published, the system can be stopped. This type of security is strictly stronger than that achievable with ordinary digital signatures as introduced by Di#e and Hellman in 1976 and formally defined by Goldwasser, Micali, and Rivest in 1988, which was widely regarded as the strongest possible definition. This paper formally defines fail-stop signatures and shows their relation to ordinary digital signatures. A general construction and actual schemes derived from it follow. They are e#cient enough to be used in practice. Next, we prove lower bounds on the e#ciency of any fail-stop signature scheme. In particular, we show that the number of secret random bits needed by the signer, the only parameter where the complexity of all our constructions deviates from ordinary digital signatures by more than a small constant factor, cannot be reduced significantly.
Citations
| 357 | Undeniable signatures – Chaum, Antwerpen |
| 124 | Verifiable Secret-Ballot Elections – Benaloh - 1987 |
| 75 | One-way accumulators: A decentralized alternative to digital sinatures – Benaloh, Mare - 1993 |
| 25 | How to sign given any trapdoor permutation – Bellare, Micali - 1992 |
| 18 | A Remark on a Signature Scheme where Forgery can be Proved – Bleumer, Pfitzmann, et al. - 1991 |
| 5 | Purdy: A Voting Scheme; unpublished manuscript, presented at the rump session of Crypto ’88 – Bos, Chaum, et al. - 1988 |
| 1 | Convertible undeniable signatures,in – Boyar, Chaum, et al. - 1991 |
