IEEE Transactions on Information Theory vol:51 issue:6 pages:2133-2151
We present novel realizations of the transitive signature primitive introduced by Micali and Rivest, enlarging the set of assumptions on which this primitive can be based, an also providing performance improvements over existing schemes More specifically, we propose new schemes based: on factoring the hardness of the one-more discrete logarithm problem, an gap Diffie-Hellman (DH) groups. All these schemes are prove transitively unforgeable under adaptive chosen-message attacin the standard (not random-oracle) model. We also provide a answer to an open question raised by Micali and Rivest regarding the security of their Rivest-Shamir-Adleman (RSA)-based scheme, showing that it is transitively unforgeable under adaptive chosen-message attack assuming the security of RSA under one-more inversion. We then present hash-based modification of, the RSA, factoring, and gap-Diffie-Hellman based scheme that eliminate the need for "node certificates" and thereby yield shorter signatures. These modifications remain provably secure under the same assumptions as the starting scheme, in the random oracle model.