Factorization-Based Fail-Stop Signatures Revisited

  • Katja Schmidt-Samoa
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3269)


Fail-stop signature (FSS) schemes are important primitives because they protect the signer against adversaries with unlimited computational power: even if an adversary breaks the scheme's underlying computationally hard problem and hence forges a signature, the signer is, with overwhelming probability, able to prove that a forgery has occurred (i.e. that the underlying hard problem has been broken). Although there is a practical FSS scheme based on the discrete logarithm problem, no provably secure FSS scheme is known that is based on the pure factorization problem (i.e. the assumption that integer factoring for arbitrary integers is hard). More concretely, the most popular factorization-based FSS scheme relies on the assumption that factoring a special kind of Blum integers is intractable. All other FSS schemes related to integer factoring are either based on even stronger assumptions or insecure.

In this paper, we first cryptanalyze one of those schemes and show how to construct forged signatures that do not enable the signer to prove forgery. Then we repair the scheme at the expense of a reduced message space. Finally, we develop a new provably secure scheme based on the difficulty of factoring integers of the shape p²q for primes p, q.


Keywords: Fail-stop Signature schemes; Provable Security; Cryptanalysis of Fail-stop Signature schemes; Bundling Homomorphisms





Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Katja Schmidt-Samoa (1)
  1. Fachbereich Informatik, Technische Universität Darmstadt, Darmstadt, Germany
