More Efficient Digital Signatures with Tight Multi-user Security

“…As an instantiation of our approach, we prove that under the strong CDH assumption the classical Burmester-Desmedt protocol is a tightly secure VGKE protocol [12]. Combining with a tightly StCorrCMA-secure signature (for instance, [17]), it yields the first tightly secure GAKE protocol. Alternatively, our transformation can be viewed as a tight improvement on the (non-tight) generic compiler of Katz and Yung [31] where we require the underlying non-authenticated group key exchange protocol to be verifiable.…”

“…For preparation, we assume that a Test session does not contain any valid forgeries. This can be tightly justified by the StCorrCMA security of the underlying signature scheme, which can be instantiated with the recent scheme in [17].…”

“…For complete tightness, all these protocols require tight multiuser security of their underlying signature scheme. We implement the signature scheme in all protocols with the recent efficient scheme from Diemert et al [17] whose signatures contain 3 Z p elements, and whose security is based on the DDH assumption. The implementation of TLS is according to the recent tight proofs in [15,18], and we instantiate the underlying signature scheme with the same DDH-based scheme from [17].…”

“…We detail the comparison with JKRS [28]. Using the DDH-based signature scheme in [17], the communication complexity of our signed DH protocol is (2, 0, 6), while that of JKRS is (5, 1, 3). We suppose the efficiency of our protocol is comparable to JKRS.…”

“…We denote Comm. as the communication complexity of the protocols in terms of the number of group elements, hashes and Z p elements (which is due to the use of the signature scheme in [17]). The column Model lists the AKE security model and distinguishes between multi-bit guessing (MBG) and the single-bit-guessing (SBG) security .…”

Signed (Group) Diffie–Hellman Key Exchange with Tight Security

“…As an instantiation of our approach, we prove that under the strong CDH assumption the classical Burmester-Desmedt protocol is a tightly secure VGKE protocol [12]. Combining with a tightly StCorrCMA-secure signature (for instance, [17]), it yields the first tightly secure GAKE protocol. Alternatively, our transformation can be viewed as a tight improvement on the (non-tight) generic compiler of Katz and Yung [31] where we require the underlying non-authenticated group key exchange protocol to be verifiable.…”

“…For preparation, we assume that a Test session does not contain any valid forgeries. This can be tightly justified by the StCorrCMA security of the underlying signature scheme, which can be instantiated with the recent scheme in [17].…”

“…For complete tightness, all these protocols require tight multiuser security of their underlying signature scheme. We implement the signature scheme in all protocols with the recent efficient scheme from Diemert et al [17] whose signatures contain 3 Z p elements, and whose security is based on the DDH assumption. The implementation of TLS is according to the recent tight proofs in [15,18], and we instantiate the underlying signature scheme with the same DDH-based scheme from [17].…”

“…We detail the comparison with JKRS [28]. Using the DDH-based signature scheme in [17], the communication complexity of our signed DH protocol is (2, 0, 6), while that of JKRS is (5, 1, 3). We suppose the efficiency of our protocol is comparable to JKRS.…”

“…We denote Comm. as the communication complexity of the protocols in terms of the number of group elements, hashes and Z p elements (which is due to the use of the signature scheme in [17]). The column Model lists the AKE security model and distinguishes between multi-bit guessing (MBG) and the single-bit-guessing (SBG) security .…”

Signed (Group) Diffie–Hellman Key Exchange with Tight Security

Signed Diffie-Hellman Key Exchange with Tight Security

Short Identity-Based Signatures with Tight Security from Lattices