A “Paradoxical” Solution to The Signature Problem

Abstract

We present a general signature scheme which uses any pair of trap-door permutations (f0, f1) for which it is infeasible to find any x, y with f0(x) = f1(y). The scheme possesses the novel property of being robust against an adaptive chosen message attack: no adversary who first asks for and then receives sgnatures for messages of his choice (which may depend on previous signatures seen) can later forge the signature of even a singl additional message. For specific instance of our general scheme, we prove that(1)forging signatures is provably equivalent to factoring (i.e., factoring is polynomial-time reducible to forging signatures, and vice versa) while(2)forging an additional signature, after an adaptive chosen message attack is still equivalent to factoring. Such scheme is “paradoxical” since the above two properties were believed (and even “proven” in the folklore) to be contradictory. The new scheme is potentially practical: signing and verifying signatures are reasonably fast, and signatures are not too long.