On the transferability of private signatures

In some situations, a user wants to sign a message in such a way that only a designated verifier is convinced of the validity of the signature, whereas other users cannot distinguish whether the signer has signed this message at all. In some cases, the signer may want to preserve this level of privacy forever, which means that the initial verifier should not be able to convince anyone else of the fact that the signer signed the message. In some other cases, the signer may want to give the initial verifier the possibility to transfer his conviction to someone else (maybe to everybody), when/if desired. In this paper we review this notion of private signatures, focusing on the level of transferability desired by the signer. We first consider the two extreme cases (non-transferability and complete transferability) which can be generically and efficiently solved by using very basic cryptographic primitives, as we show in this paper. Then we consider a case with partial transferability, for which we propose a generic solution based on the primitive of distributed ring signatures.

[1]  David Pointcheval,et al.  About the Security of Ciphers (Semantic Security and Pseudo-Random Permutations) , 2004, Selected Areas in Cryptography.

[2]  Yuliang Zheng,et al.  Digital Signcryption or How to Achieve Cost(Signature & Encryption) << Cost(Signature) + Cost(Encryption) , 1997, CRYPTO.

[3]  Hovav Shacham,et al.  Short Signatures from the Weil Pairing , 2001, J. Cryptol..

[4]  Yi Mu,et al.  Short Designated Verifier Signature Scheme and Its Identity-based Variant , 2008, Int. J. Netw. Secur..

[5]  Markus Jakobsson,et al.  Designated Verifier Proofs and Their Applications , 1996, EUROCRYPT.

[6]  Germán Sáez,et al.  Distributed Ring Signatures from General Dual Access Structures , 2006, Des. Codes Cryptogr..

[7]  Jacques Stern,et al.  Threshold Ring Signatures for Ad-hoc Groups , 2002, CRYPTO 2002.

[8]  Germán Sáez,et al.  Ring Signature Schemes for General Ad-Hoc Access Structures , 2004, ESAS.

[9]  Javier Herranz,et al.  Aggregate designated verifier signatures and application to secure routing , 2007, Int. J. Secur. Networks.

[10]  Yael Tauman Kalai,et al.  How to Leak a Secret: Theory and Applications of Ring Signatures , 2001, Essays in Memory of Shimon Even.

[11]  Silvio Micali,et al.  A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks , 1988, SIAM J. Comput..

[12]  Fagen Li,et al.  ID-based Signcryption Scheme with (t, n) Shared Unsigncryption , 2006, Int. J. Netw. Secur..

[13]  Jianhong Zhang,et al.  A novel ID-based designated verifier signature scheme , 2008, Inf. Sci..

[14]  David Chaum,et al.  Designated Confirmer Signatures , 1994, EUROCRYPT.

[15]  Olivier Markowitch,et al.  An Efficient Strong Designated Verifier Signature Scheme , 2003, ICISC.

[16]  David Chaum,et al.  Undeniable Signatures , 1989, CRYPTO.

[17]  Bin Wang,et al.  A non-interactive deniable authentication scheme based on designated verifier proofs , 2009, Inf. Sci..

[18]  Chih-Hung Wang,et al.  A new ring signature scheme with signer-admission property , 2007, Inf. Sci..

[19]  Jacques Stern,et al.  Threshold Ring Signatures and Applications to Ad-hoc Groups , 2002, CRYPTO.

[20]  Jonathan Katz,et al.  Ring Signatures: Stronger Definitions, and Constructions without Random Oracles , 2005, IACR Cryptol. ePrint Arch..

[21]  Claus-Peter Schnorr,et al.  Efficient signature generation by smart cards , 2004, Journal of Cryptology.

[22]  Fabien Laguillaumie,et al.  Multi-designated Verifiers Signatures , 2004, ICICS.

[23]  Whitfield Diffie,et al.  New Directions in Cryptography , 1976, IEEE Trans. Inf. Theory.