When I posted about RSAL in my last post I was also thinking of a variant scheme that allows some pre-computation. I spent some time (minutes) evaluating its security and now I’m convinced that it’s secure :).
Here it is:
The RSALX Digital signature Scheme
PrecomputeSign() →< A, a, t1, … , t2^d >
-
Chose a random message A of d bits each, where d is the size of the hash function digest.
-
Compute a :=Hash(A )
-
Compute t :=Integer(a).
-
Compute d powers: t1, t2, t4 , t8 ,… , t2^d (mod n)
-
Return < A, a, t1, … , t2^d >
OnlineSign(M, < A, a, t1, … , t2^d >) → (s,A)
-
Let M be the message to sign.
-
Compute z :=Hash(M).
-
Compute m :=ConvertToInteger(z).
-
Compute g := m-1 ( mod φ(n) ).
- Compute s := tg (mod n) by the exponentiation by squaring method but using the precomputed squarings.
-
The signature is (s,A)
Verify(M, (s,A), n)
-
Compute z :=Hash(M).
-
Compute a := Hash(A)
-
Compute t := Integer(a).
-
Compute m :=ConvertToInteger(z)
-
Compute y := sm (mod n).
-
Accept the signature if y=t
Correctness
If the signature is authentic then we have: y = sm = tg*m = t
The scheme security relies on the RSA assumption, and not the strong RSA assumption as one may think. This is because t must be chosen before s as a hash of some random message, so both s and y cannot be chosen together.
“A” values (and consequently t values) should not be reused. If reused then the scheme becomes insecure.
For a 2048 bit modulus, precomputation requires 2048 multiplications and signing on average requires 1024 multiplications and a fast modular inversion (because the value to be inverted is only d-bits long). This implies that this method is almost as fast as RSA for signing, with the benefit of allowing precomputation of two thirds of the work. The drawback is that it produces signatures d bits longer, which is probably not very relevant since d will be much smaller than n.