Concurrent signature without random oracles

A concurrent signature provides an efficient way for parties to exchange digital signatures fairly. Since the primitive was introduced at Eurocrypt 2004, removing the random oracle heuristic from the security analysis of a concurrent signature scheme has remained an open problem: every existing provably secure scheme has been proven secure only in the random oracle model, even though it is known that security in the random oracle model is not guaranteed once the random oracles are replaced by real-life hash functions. In this paper, we solve this open problem by proposing a new concurrent signature scheme whose security can be proven without random oracles. The security model we consider also differs slightly from previous work. Before the keystone is revealed, signatures are strongly ambiguous (or anonymous), in the sense that anyone can produce signatures indistinguishable from those generated honestly by the parties involved in the exchange; after the keystone is revealed, signatures remain unforgeable without sacrificing the fairness property. In the multi-user setting and without random oracles, we prove the security of our scheme based on the intractability of the Computational Diffie-Hellman (CDH) problem and the collision resistance of hash functions.
