Skip to Main Content
The authors show how the Fiat-Shamir transform can be used to convert three-move identification protocols into two-tier signature schemes (a primitive that they define) with a proof of security that makes a standard assumption on the hash function rather than modelling it as a random oracle. The result requires security of the starting protocol against concurrent attacks. It is also shown that numerous protocols have the required properties, and thus numerous efficient two-tier schemes are obtained. The first application is an efficient transform of any unforgeable signature scheme into a strongly unforgeable one. (This extends the work of Boneh, Shen and Waters whose transform only applies to a limited class of schemes.) The second application is the new one-time signature schemes that, compared with the one-way function-based ones of the same computational cost, have smaller key and signature sizes.