Efficient Confirmer Signatures from the "Signature of a Commitment" Paradigm

Generic constructions of designated confirmer signatures follow one of two strategies: either produce a digital signature on the message to be signed and then encrypt the resulting signature, or produce a commitment on the message, encrypt the string used to generate the commitment, and finally sign the commitment. We study the second strategy by determining the exact security property the encryption must satisfy for the construction to be secure. This study shows that a useful type of encryption must be excluded from the design because of an intrinsic weakness in the paradigm. Next, we propose a simple method to remedy this weakness, and we obtain efficient constructions that can be used with any digital signature.
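The second strategy, written out as an added example that is not code from the paper: the commitment, the encryption of its opening and the signature are instantiated here with SHA-256, RSA-OAEP and Ed25519 (assumed choices, not the paper's), and confirmation is modelled by the confirmer releasing the opening rather than by the zero-knowledge proof a real scheme would use.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// ConfirmerSig is the triple produced by the "signature of a commitment" paradigm:
// C commits to the message, E encrypts the commitment opening under the confirmer's
// key, and Sigma is an ordinary digital signature on C alone (never on the message).
type ConfirmerSig struct{ C, E, Sigma []byte }

// commit is the assumed commitment instantiation: c = SHA-256(m || r), r random.
func commit(m, r []byte) []byte {
	sum := sha256.Sum256(append(append([]byte{}, m...), r...))
	return sum[:]
}

// Sign follows the paradigm step by step: commit to m, encrypt the opening r for the
// confirmer (RSA-OAEP here, assumed), then sign only the commitment with Ed25519.
func Sign(m []byte, sk ed25519.PrivateKey, confPK *rsa.PublicKey) (ConfirmerSig, error) {
	r := make([]byte, 32)
	rand.Read(r) // crypto/rand never returns a short read on supported platforms
	c := commit(m, r)
	e, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, confPK, r, nil)
	if err != nil {
		return ConfirmerSig{}, err
	}
	return ConfirmerSig{C: c, E: e, Sigma: ed25519.Sign(sk, c)}, nil
}

// VerifyOpening is the public check once r is known (i.e. a converted signature):
// the commitment opens to m and Sigma is a valid signature on C.
func VerifyOpening(m, r []byte, s ConfirmerSig, pk ed25519.PublicKey) bool {
	return bytes.Equal(commit(m, r), s.C) && ed25519.Verify(pk, s.C, s.Sigma)
}

// Confirm is the confirmer's side: decrypt E to recover r and check the opening.
// Releasing r models conversion; the paper's confirmation protocol would instead
// prove the same statement in zero knowledge without revealing r.
func Confirm(m []byte, s ConfirmerSig, pk ed25519.PublicKey, confSK *rsa.PrivateKey) ([]byte, bool) {
	r, err := rsa.DecryptOAEP(sha256.New(), nil, confSK, s.E, nil)
	return r, err == nil && VerifyOpening(m, r, s, pk)
}
```

Note that Sigma verifies against C for anyone, so a verifier without the opening learns nothing about which message C commits to; only the holder of the confirmer's decryption key can link the triple to m.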
