Article

Efficient signature generation by smart cards

Authors:

Abstract

We present a new public-key signature scheme and a corresponding authentication scheme that are based on discrete logarithms in a subgroup of the units modulo p, where p is a sufficiently large prime, e.g., p ≈ 2^512. A key idea is to use, as the base of the discrete logarithm, an integer modulo p whose order is a sufficiently large prime q, e.g., q ≈ 2^140. In this way we improve on the ElGamal signature scheme both in the speed of the signature generation and verification procedures and in the bit length of signatures. We present an efficient algorithm that preprocesses the exponentiation of a random residue modulo p.
... These certificates are then sent to the participant through certificate transactions on the blockchain. Certificate holders can subsequently use Schnorr signatures [57] to authenticate certificate ownership in their transactions, which include product information. Within the framework, Maouchi et al. proposed the product-specific stealth addresses (PASTA) protocol. ...
... The signature scheme algorithm Sig used in the framework is Elliptic Curve Schnorr signatures (EC-Schnorr) [57] over the elliptic curve secp256k1 [69] where the size of both PKsig and SKsig are 256 bits and signature has 512 bits. The algorithm uses SHA-256 as the hash function required for the signatures. ...
... This subsection describes the registration process for each UC_b. In this phase, TRA uses Schnorr's signature protocol [23] to generate the private keys. The subsequent processes are executed between UC_b and TRA: ...
... This subsection describes the registration process for every SM_a. TRA uses Schnorr's signature protocol [23] to generate the private keys. The subsequent processes are executed between SM_a and TRA, which are given below: ...
Article
The Smart Power Grid (SPG) is pivotal in orchestrating and managing demand response in contemporary smart cities, leveraging the prowess of Information and Communication Technologies (ICTs). Within the immersive SPG environment, the ubiquitous deployment of smart meters stands as a testament to their paramount importance in the realm of vigilant monitoring and oversight. These smart meters are installed on high-tension electricity lines and transmit information about electricity outages and other issues to the utility centre. To access services from utility centres, smart meters need to communicate securely over a public channel, even though the network itself is insecure. However, potential attacks from adversaries (Ad) can exploit this communication. Therefore, protecting this communication is of utmost importance. Several privacy-preserving authentication protocols designed for SPG have been introduced in the literature. Nevertheless, a significant number of these protocols exhibit vulnerabilities to diverse security attacks. This article introduces a lightweight and anonymous authentication protocol specifically designed to address these concerns in the SPG environment. Our protocol ensures both security and efficiency, surpassing other comparable protocols in terms of its lightweight nature. By employing both formal and informal analysis, we showcase the robustness of our protocol against significant attacks while remaining lightweight. The proposed protocol provides added security features and incurs 23.8879% lower computation cost than related protocols. Consequently, our protocol is highly suitable for implementation in the SPG system.
... Both schemes set the stage for subsequent advancements and adaptations in digital signature technology. The Schnorr signature scheme, introduced by Claus Schnorr [4], is distinguished by its simplicity and efficiency, particularly in terms of verification speed and shorter signatures. Later, the Edwards-curve digital signature algorithm (EdDSA) was developed to provide stronger security assurances and better performance using twisted Edwards curves [5]. ...
Article
This paper proposes a deterministic nonce generation technique to address the catastrophic issues associated with nonce reuse in message signing and to enhance the efficiency of Schnorr multi-signature schemes. Additionally, this research aims to reduce computational complexity and bandwidth requirements in digital and multi-signature schemes while maintaining robust security against common attacks. The proposed method was inspired by the EdDSA approach. The methodology includes a comprehensive mathematical analysis of digital signature algorithms and a rigorous examination of their vulnerabilities to well-known cryptographic attacks. This analysis evaluates the effectiveness and robustness of the proposed nonce generation technique within the frameworks of the Schnorr digital signature and the two-round MuSig schemes. Techniques and tools employed in this research involve deterministically generating nonces by hashing the private key and subsequently hashing the result with the message. Furthermore, it is proposed to exclude the public nonce R from the challenge calculations and to allow signers to directly prove possession of their secret keys through the aggregated public key, thereby eliminating the need for non-interactive zero-knowledge (NIZK) proofs. The findings demonstrate significant reductions in computational complexity and operational requirements, thereby improving bandwidth efficiency and making this method well-suited for resource-constrained devices. The approach also exhibits strong resistance to various attacks, including nonce reuse, key cancellation, rogue keys, and virtual machine rewinding.
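The scheme described in the abstract at the top of this page (a prime-order subgroup of the units modulo p, signature (e, s) with s = k + x·e mod q), combined with the deterministic nonce derivation just described (hash the private key, then hash the result with the message), as an added example. This is not code from Schnorr's paper or from any of the works cited here. It assumes SHA-256 as the hash, toy parameter sizes (a 64-bit q and a 128-bit p, generated at import time, which offer no security), and function names of my own; the messages and the reused nonce value 42 used in the test are constructed inputs. The last function shows why nonce reuse is catastrophic: two signatures under the same k yield the private key with one modular inversion.

```python
"""Schnorr signatures in a prime-order subgroup of the units modulo p, with the
deterministic nonce derivation k = H(H(x) || m) and a demonstration of why
nonce reuse is fatal.  Parameter sizes are toy values (assumption): the 1991
paper proposed p ~ 2^512 and q ~ 2^140; q_bits=64 / p_bits=128 here keeps the
script fast and offers no security."""
import hashlib
import secrets
from typing import Optional, Tuple


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with random bases (error probability at most 4**-rounds)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_params(q_bits: int, p_bits: int) -> Tuple[int, int, int]:
    """Return (p, q, alpha): q prime, q | p - 1, alpha of order exactly q mod p."""
    q = 0
    while not is_probable_prime(q):
        q = secrets.randbits(q_bits) | (1 << (q_bits - 1)) | 1
    p = 0
    while not is_probable_prime(p):
        k = (secrets.randbits(p_bits - q_bits) | (1 << (p_bits - q_bits - 1))) & ~1
        p = k * q + 1                       # k even so that p is odd
    alpha = 1
    while alpha == 1:                       # h^((p-1)/q) is 1 or has prime order q
        alpha = pow(secrets.randbelow(p - 2) + 2, (p - 1) // q, p)
    return p, q, alpha


P, Q, ALPHA = gen_params(q_bits=64, p_bits=128)   # toy sizes, see module docstring


def _enc(n: int) -> bytes:
    return n.to_bytes((P.bit_length() + 7) // 8, "big")


def _challenge(r: int, msg: bytes) -> int:
    """e = H(R || len(m) || m) mod q; the length prefix keeps the split unambiguous."""
    h = hashlib.sha256(_enc(r) + len(msg).to_bytes(8, "big") + msg).digest()
    return int.from_bytes(h, "big") % Q


def keygen() -> Tuple[int, int]:
    x = secrets.randbelow(Q - 1) + 1        # private key x in [1, q-1]
    return x, pow(ALPHA, x, P)              # public key y = alpha^x mod p


def deterministic_nonce(x: int, msg: bytes) -> int:
    """k = H(H(x) || m) mod q: hash the private key, then hash the result with m."""
    inner = hashlib.sha256(_enc(x)).digest()
    k = int.from_bytes(hashlib.sha256(inner + msg).digest(), "big") % Q
    return k or 1                           # k = 0 would make s = x*e and leak x


def sign(x: int, msg: bytes, k: Optional[int] = None) -> Tuple[int, int]:
    """Signature (e, s) with s = k + x*e mod q: 2|q| bits, far shorter than |p|.
    Pass k explicitly only to reproduce the nonce-reuse failure below."""
    if k is None:
        k = deterministic_nonce(x, msg)
    r = pow(ALPHA, k, P)                    # R = alpha^k mod p, the exponentiation the
    e = _challenge(r, msg)                  # paper's preprocessing makes cheap
    return e, (k + x * e) % Q


def verify(y: int, msg: bytes, sig: Tuple[int, int]) -> bool:
    e, s = sig
    if not (0 <= e < Q and 0 <= s < Q and 1 < y < P and pow(y, Q, P) == 1):
        return False                        # range checks and subgroup membership of y
    r = pow(ALPHA, s, P) * pow(y, (-e) % Q, P) % P   # alpha^s * y^-e == alpha^k
    return _challenge(r, msg) == e


def recover_key_from_nonce_reuse(sig1: Tuple[int, int], sig2: Tuple[int, int]) -> int:
    """Same k in both signatures: s1 - s2 = x*(e1 - e2) mod q, so x follows."""
    (e1, s1), (e2, s2) = sig1, sig2
    if e1 == e2:
        raise ValueError("equal challenges; k and x cannot be separated")
    return (s1 - s2) * pow((e1 - e2) % Q, -1, Q) % Q
```

Usage: `x, y = keygen()`, then `verify(y, m, sign(x, m))`; `recover_key_from_nonce_reuse(sign(x, b"m1", k=42), sign(x, b"m2", k=42))` returns x. Two points the abstracts leave implicit: a verifier must check that a received public key lies in the order-q subgroup (the `pow(y, Q, P) == 1` test) rather than merely in the range, and a nonce derived only from (x, m) makes repeated signatures of the same message identical, which is harmless in itself but is the property that fault attacks on deterministic signers exploit.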
... An example of a secure signature algorithm is Schnorr signatures [22]. Definition 6 (Blockchain). ...
Article
In a smart grid, electricity consumption collected periodically from smart meters allows entities to bill the customers, the power company to operate the grid successfully, and users to control the use of their appliances. However, users' energy consumption should be protected, since the data reveals users' daily habits, which an adversary can use to extract useful information about them. Moreover, users' identities should not be disclosed to untrusted entities, since untrusted entities can map them to real identities. In this paper, we propose a system that protects users' data privacy using multi-pseudorandom identities and a randomization technique. Moreover, the proposed work provides fast authentication for smart meters to send their readings to data aggregators. Furthermore, the proposed work is based on a consortium blockchain to eliminate a single point of failure and to provide transparency of messages and operations. In addition, we use a dynamic billing and pricing mechanism so that users can see their bills.
Article
The Schnorr identification and signature schemes have been among the most influential cryptographic protocols of the past 3 decades. Unfortunately, although the best-known attacks on these two schemes are via discrete logarithm computation, the known approaches for basing their security on the hardness of the discrete logarithm problem encounter the “square-root barrier.” In particular, in any group of order p where Shoup’s generic hardness result for the discrete logarithm problem is believed to hold (and is thus used for setting concrete security parameters), the best-known t-time attacks on the Schnorr identification and signature schemes have success probability \(t^2/p\), whereas existing proofs of security only rule out attacks with success probabilities \((t^2/p)^{1/2}\) and \((q_{\textsf{H}} \cdot t^2/p)^{1/2}\), respectively, where \(q_{\textsf{H}}\) denotes the number of random oracle queries issued by the attacker. We establish tighter security guarantees for identification and signature schemes which result from \(\Sigma \)-protocols with special soundness based on the hardness of their underlying relation, and in particular for Schnorr’s schemes based on the hardness of the discrete logarithm problem. We circumvent the square-root barrier by introducing a high-moment generalization of the classic forking lemma, relying on the assumption that the underlying relation is “d-moment hard”: The success probability of any algorithm in the task of producing a witness for a random instance is dominated by the dth moment of the algorithm’s running time. In the concrete context of the discrete logarithm problem, already Shoup’s original proof shows that the discrete logarithm problem is 2-moment hard in the generic group model, and thus, our assumption can be viewed as a highly plausible strengthening of the discrete logarithm assumption in any group where no better-than-generic algorithms are currently known. 
Applying our high-moment forking lemma in this context shows that, assuming the 2-moment hardness of the discrete logarithm problem, any t-time attacker breaks the security of the Schnorr identification and signature schemes with probabilities at most \((t^2/p)^{2/3}\) and \((q_\textsf{H}\cdot t^2/p)^{2/3}\), respectively.
Article
Space Information Network (SIN) enables universal Internet connectivity for any object, even in remote and extreme environments where deploying a cellular network is difficult. Access authentication is crucial for ensuring user access control in SIN and preventing unauthorized entities from gaining access to network services. However, due to the complex communication environment in SIN, including exposed links and higher signal delay, designing a secure and efficient authentication scheme presents a significant challenge. In this paper, we propose a secure communication protocol for SIN with periodic k-time anonymous authentication (named PkT-SIN) that allows satellite users to anonymously authenticate to ground stations at most k times in each single time period. An efficient handover mechanism is designed to ensure seamless communication for satellite users to communicate with different satellites and ground stations, taking into account the dynamic topology of SIN. As a core component of PkT-SIN, we propose a novel primitive, periodic k-time keyed-verification anonymous credential (PkT-KVAC), that enables users to derive k tokens from a credential for anonymous and unlinkable authentication. On the other hand, a verifier can always recognize a reused token from a dishonest user. PkT-KVAC is of independent contribution to anonymous authentication in pay-per-use business scenarios. Formal security proofs confirm that PkT-SIN and PkT-KVAC have desired security features. The supremacy of their computing features is demonstrated through comprehensive comparison and rigorous performance analysis.
Article
We describe some novel methods to compute the index of any integer relative to a given primitive root of a prime $p$. Our first method avoids the use of stored tables and apparently requires $O(p^{1/2})$ operations. Our second algorithm, which may be regarded as a method of catching kangaroos, is applicable when the index is known to lie in a certain interval; it requires $O(w^{1/2})$ operations for an interval of width $w$, but does not have complete certainty of success. It has several possible areas of application, including the factorization of integers.
Article
Several related algorithms are presented for computing logarithms in fields GF(p), p a prime. Heuristic arguments predict a running time of exp((1+o(1)) $\sqrt {\log p \log \log p} $ ) for the initial precomputation phase that is needed for each p, and much shorter running times for computing individual logarithms once the precomputation is done. The running time of the precomputation is roughly the same as that of the fastest known algorithms for factoring integers of size about p. The algorithms use the well known basic scheme of obtaining linear equations for logarithms of small primes and then solving them to obtain a database to be used for the computation of individual logarithms. The novel ingredients are new ways of obtaining linear equations and new methods of solving these linear equations by adaptations of sparse matrix methods from numerical analysis to the case of finite rings. While some of the new logarithm algorithms are adaptations of known integer factorization algorithms, others are new and can be adapted to yield integer factorization algorithms.
Article
We introduce a new class of public-key functions involving a number n = pq having two large prime factors. As usual, the key n is public, while p and q are the private key used by the issuer for production of signatures and function inversion. These functions can be used for all the applications involving public-key functions proposed by Diffie and Hellman, including digitalized signatures. We prove that for any given n, if we can invert the function y = E(x1) for even a small percentage of the values y then we can factor n. Thus, as long as factorization of large numbers remains practically intractable, for appropriately chosen keys not even a small percentage of signatures are forgeable. Breaking the RSA function is at most as hard as factorization, but is not known to be equivalent to factorization even in the weak sense that ability to invert all function values entails ability to factor the key. Computation time for these functions, i.e. signature verification, is several hundred times faster than for the RSA scheme. Inversion time, using the private key, is comparable. The almost-everywhere intractability of signature forgery for our functions (on the assumption that factoring is intractable) is of great practical significance and seems to be the first proved result of this kind.