On Generic Constructions of Designated Confirmer Signatures (The "Encryption of a Signature" Paradigm Revisited)

Designated Confirmer signatures were introduced to limit the verification property inherent to digital signatures. In fact, the verification in these signatures is replaced by a confirmation/denial protocol between the designated confirmer and some verifier. An intuitive way to obtain such signatures consists in first generating a digital signature on the message to be signed, then encrypting the result using a suitable encryption scheme. This approach, referred to as the "encryption of a signature" paradigm, requires the constituents (encryption and signature schemes) to meet the highest security notions in order to achieve secure constructions. In this paper, we revisit this method and establish the necessary and sufficient assumptions on the building blocks in order to attain secure confirmer signatures. Our study concludes that the paradigm, used in its basic form, cannot allow a class of encryption schemes which is vital for the efficiency of the confirmation/denial protocols. Next, we consider a slight variation of the paradigm, proposed in the context of undeniable signatures; we recast it in the confirmer signature framework along with changes that yield more flexibility, and we demonstrate its efficiency by explicitly describing its confirmation/denial protocols when instantiated with building blocks from a large class of signature/encryption schemes. Interestingly, the class of signatures we consider is very popular and has for instance been used to build efficient designated verifier signatures.
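The following is an added illustration of the basic "encryption of a signature" paradigm described above; it is not code from the paper and does not implement the paper's construction. The signer produces a Schnorr signature (R, s) on the message and encrypts the verification-critical component g^s under the confirmer's ElGamal public key, so a plain verifier holding only (R, ciphertext) cannot check the signature. The confirmer decrypts and answers confirm or deny. The group parameters (p = 1019, q = 509, g = 4) are constructed toy values chosen for readability, and the confirmer here returns a bare yes/no rather than proving that answer in zero knowledge as a real confirmation/denial protocol would.

```python
"""Toy 'encryption of a signature' confirmer signature (illustrative, not secure)."""
import hashlib
import secrets

# Constructed toy group: safe prime P = 2*Q + 1; G generates the order-Q subgroup.
# These parameters are far too small for real use and exist only to show the structure.
P = 1019
Q = 509
G = 4
assert pow(G, Q, P) == 1 and G != 1


def keygen():
    """Return (secret_key, public_key) for a discrete-log key pair in the toy group."""
    x = secrets.randbelow(Q - 1) + 1          # uniform in [1, Q-1]
    return x, pow(G, x, P)


def _challenge(R, y, m):
    """Fiat-Shamir challenge c = H(R, y, m) mod Q, binding the commitment to the key and message."""
    data = f"{R}|{y}|{m}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def schnorr_sign(x, y, m):
    """Ordinary Schnorr signature (R, s) on message m under secret key x (public key y)."""
    k = secrets.randbelow(Q - 1) + 1
    R = pow(G, k, P)
    c = _challenge(R, y, m)
    s = (k + c * x) % Q
    return R, s


def schnorr_verify(y, m, sig):
    """Ordinary (universally verifiable) check: g^s == R * y^c."""
    R, s = sig
    c = _challenge(R, y, m)
    return pow(G, s, P) == (R * pow(y, c, P)) % P


def elgamal_encrypt(pk, M):
    """ElGamal encryption of a subgroup element M under public key pk."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (M * pow(pk, r, P)) % P


def elgamal_decrypt(sk, ct):
    """ElGamal decryption: M = c2 / c1^sk, inverse taken via Fermat's little theorem."""
    c1, c2 = ct
    shared = pow(c1, sk, P)
    return (c2 * pow(shared, P - 2, P)) % P


def confirmer_sign(signer_sk, signer_pk, confirmer_pk, m):
    """Sign m, then encrypt g^s for the confirmer. R stays in the clear; g^s is hidden,
    so without the confirmer's key nobody can test the relation g^s == R * y^c."""
    R, s = schnorr_sign(signer_sk, signer_pk, m)
    return R, elgamal_encrypt(confirmer_pk, pow(G, s, P))


def confirm_or_deny(confirmer_sk, signer_pk, m, csig):
    """The confirmer's verdict: decrypt g^s and check the Schnorr relation for (m, signer_pk).
    A real confirmation/denial protocol would prove this verdict in zero knowledge instead
    of simply asserting it; that proof is omitted in this toy."""
    R, ct = csig
    S = elgamal_decrypt(confirmer_sk, ct)
    c = _challenge(R, signer_pk, m)
    return S == (R * pow(signer_pk, c, P)) % P


if __name__ == "__main__":
    signer_sk, signer_pk = keygen()
    confirmer_sk, confirmer_pk = keygen()
    csig = confirmer_sign(signer_sk, signer_pk, confirmer_pk, "transfer 10 units")
    print("confirm on the signed message:", confirm_or_deny(confirmer_sk, signer_pk, "transfer 10 units", csig))
    print("verdict on a different message:", confirm_or_deny(confirmer_sk, signer_pk, "transfer 99 units", csig))
```

The separation of roles is the point: `schnorr_verify` is what a universally verifiable signature offers, while `confirm_or_deny` is only computable by the holder of `confirmer_sk`. Note that the paradigm's security rests on the encryption hiding g^s from the verifier; the paper's analysis concerns exactly which security notions the encryption and signature components must satisfy for this to hold.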
