On-line/off-line digital signatures

Abstract

We introduce and exemplify the new concept of ON-LINE/OFF-LINE digital signature schemes. In these schemes the signing of a message is broken into two phases. The first phase is off-line. Though it requires a moderate amount of computation, it presents the advantage that it can be performed leisurely, before the message to be signed is even known. The second phase is on-line. It starts after the message becomes known, it utilizes the precomputation of the first phase and is much faster. A general construction which transforms any (ordinary) digital signature scheme to an on-line/off-line signature scheme is presented, entailing a small overhead. For each message to be signed, the time required for the off-line phase is essentially the same as in the underlying signature scheme; the time required for the on-line phase is essentially negligible. The time required for the verification is essentially the same as in the underlying signature scheme. In a practical implementation of our general construction, we use a variant of Rabin’s signature scheme (based on factoring) and DES. In the on-line phase, all we use is a moderate amount of DES computation. This implementation is ideally suited for electronic wallets or smart cards. On-line/Off-line digital schemes may also become useful in case substantial progress is made on, say, factoring. In this case, the length of the composite numbers used in signature schemes may need to be increased and signing may become impractical even for the legitimate user. In our scheme, all costly computations are performed in the off-line stage while the time for the on-line stage remains essentially unchanged.
An additional advantage of our method is that in some cases the transformed signature scheme is invulnerable to chosen message attack even if the underlying (ordinary) digital signature scheme is not. In particular, it allows us to prove that the existence of signature schemes which are unforgeable by known message attack is a (necessary and) sufficient condition for the existence of signature schemes which are unforgeable by chosen message attack.

Cite

Even, S., Goldreich, O., & Micali, S. (1990). On-line/off-line digital signatures. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 435 LNCS, pp. 263–275). Springer Verlag. https://doi.org/10.1007/0-387-34805-0_24
