A simple transitive signature scheme for directed trees

Transitive signatures allow a signer to authenticate edges in a graph, in such a way that anyone, given the public key and two signatures on adjacent edges (i,j) and (j,k), can compute a third signature on edge (i,k). A number of schemes have been proposed for undirected graphs, but the case of directed graphs remains an open problem. At CT-RSA 2007, Yi presented a scheme for directed trees based on RSA and a standard signature scheme. We present a new, conceptually simple, and generic construction from standard signatures only. Apart from not relying on any RSA-related security assumptions, our scheme outperforms that of Yi in both computation time and (worst-case) signature length. Our results indicate that the setting envisaged by Yi is much simpler than the general one of directed transitive signatures, which remains an open problem.