Security Arguments for Digital Signatures and Blind Signatures

Since the appearance of public-key cryptography in the seminal Diffie—Hellman paper, many new schemes have been proposed and many have been broken. Thus, the simple fact that a cryptographic algorithm withstands cryptanalytic attacks for several years is often considered as a kind of validation procedure. A much more convincing line of research has tried to provide ``provable' security for cryptographic protocols. Unfortunately, in many cases, provable security is at the cost of a considerable loss in terms of efficiency. Another way to achieve some kind of provable security is to identify concrete cryptographic objects, such as hash functions, with ideal random objects and to use arguments from relativized complexity theory. The model underlying this approach is often called the ``random oracle model.' We use the word ``arguments' for security results proved in this model. As usual, these arguments are relative to well-established hard algorithmic problems such as factorization or the discrete logarithm. In this paper we offer security arguments for a large class of known signature schemes. Moreover, we give for the first time an argument for a very slight variation of the well-known El Gamal signature scheme. In spite of the existential forgery of the original scheme, we prove that our variant resists existential forgeries even against an adaptively chosen-message attack. This is provided that the discrete logarithm problem is hard to solve. Next, we study the security of blind signatures which are the most important ingredient for anonymity in off-line electronic cash systems. We first define an appropriate notion of security related to the setting of electronic cash. We then propose new schemes for which one can provide security arguments. Received 24 October 1997 and revised 22 May 1998