Camenisch-Lysyanskaya Signature Method

The Camenisch-Lysyanskaya signature method , often referred to as the CL signature method, is a cryptographic method for creating digital signatures. It was developed by the cryptographers Jan Camenisch and Anna Lysyanskaya and published in 2002.^[1]

Procedure[edit]

In the following, the signature method will be described in detail. The description differs in detail from the original representation, and follows the representation of Camenisch and Groß.^[2]

Used parameters[edit]

First, the following parameters are set:

${\ell _{n}}$ : Length of RSA module used; typical values are 1536 or 2048.
${\ell _{m}}$ : Maximum length of messages to sign.
$L$ : Number of messages signable with a signature.
${\ell _{e}}$ : Safety parameters; got to ${>\ell _{m}+2}$ be.
${\ell _{v}}$ : Safety parameters; typical values are 80 or 128.

Key Generation[edit]

The key generation will now go through the following steps:

You choose two big primes ${p,q}$ same bit length ${\ell _{n}/2}$ for which ${\frac {p-1}{2}},{\frac {q-1}{2}}$ are also great. One defines ${n=pq}$ , (See Sophie Germain prime.)
You choose random $S,Z,R_{1},\dots ,R_{L}\in QR_{n}$ , in which $QR_{n}$ the quadratic residue modulo $n$ describes.

The private signature key is ${p,q}$ , the public verification key consists of $(n,S,Z,R_{1},\dots ,R_{L})$ .

Sign a message[edit]

A tuple of news $(m_{1},\dots ,m_{L})\in (-2^{\ell _{m}},2^{\ell _{m}})^{L}$ is signed as follows:

You choose a random prime number $e$ with length $\ell _{e}>\ell _{m}+2$ , and $v\in (0,2^{\ell _{n}+\ell _{m}+\ell _{v}})$ .
You calculate ${A=\left({\frac {Z}{S^{v}\prod _{i=1}^{L}R_{i}^{m_{i}}}}\right)^{1/e}\mod n}$

The signature then exists $(e,A,v)$ .

Verifying a Signature[edit]

A signature ${(e,A,v)}$ for a tuple ${(m_{1},\dots ,m_{L})}$ is valid if:

${m_{i}\in (-2^{\ell _{m}},2^{\ell _{m}})}$ for all ${i=1,\dots ,L}$
${2^{\ell _{e}-1}<e<2^{\ell _{e}}}$ , as
${Z=A^{e}S^{v}\prod _{i=1}^{L}R_{i}^{m_{i}}\mod n}$ ,

Security[edit]

The procedure is safe under the strong RSA assumption. This states that for a random module $n$ the form described above, and a random one ${{\displaystyle }y\in \mathbb {Z} _{n}^{*}}$ it is not possible to efficiently ${x\in \mathbb {Z} _{n}^{*}}$ as well as one ${1<e\in \mathbb {N} }$ to find so ${y=x^{e}\mod n}$ applies.

Use[edit]

Because of their characteristics, CL signatures are often used as building blocks for anonymous authentication protocols, such as Idemix or Direct Anonymous Attestation .

References[edit]

↑ Camenisch, Jan; Lysyanskaya, Anna (2002-09-11). "A Signature Scheme with Efficient Protocols". Security in Communication Networks. Lecture Notes in Computer Science. Springer, Berlin, Heidelberg: 268–289. doi:10.1007/3-540-36413-7_20. ISBN 3540364137.
↑ Camenisch, Jan; Groß, Thomas (2008-10-27). "Efficient attributes for anonymous credentials". ACM: 345–356. doi:10.1145/1455770.1455814. ISBN 9781595938107.

This article "Camenisch-Lysyanskaya Signature Method" is from Wikipedia. The list of its authors can be seen in its historical and/or the page Edithistory:Camenisch-Lysyanskaya Signature Method. Articles copied from Draft Namespace on Wikipedia could be seen on the Draft Namespace of Wikipedia and not main one.

[1] Camenisch, Jan; Lysyanskaya, Anna (2002-09-11). "A Signature Scheme with Efficient Protocols". Security in Communication Networks. Lecture Notes in Computer Science. Springer, Berlin, Heidelberg: 268–289. doi:10.1007/3-540-36413-7_20. ISBN 3540364137.

[2] Camenisch, Jan; Groß, Thomas (2008-10-27). "Efficient attributes for anonymous credentials". ACM: 345–356. doi:10.1145/1455770.1455814. ISBN 9781595938107.

[1]

[2]