(Strong) multidesignated verifiers signatures secure against rogue key attack

Man Ho Au, Guomin Yang, Willy Susilo, Yunmei Zhang
2013 Concurrency and Computation  
2014). (Strong) multidesignated verifiers signatures secure against rogue key attack. Concurrency and Computation: Practice and Experience, 26 (8), 1574-1592.

Abstract

Designated verifier signatures (DVS) allow a signer to create a signature whose validity can only be verified by a specific entity chosen by the signer. In addition, the chosen entity, known as the designated verifier, cannot convince anybody that the signature is created by the signer. Multidesignated verifiers signatures (MDVS) are a natural extension of DVS in which the signer can choose multiple designated verifiers. DVS and MDVS are useful primitives in electronic voting and contract signing. In this paper, we investigate various aspects of MDVS and make two contributions. Firstly, we revisit the notion of unforgeability under rogue key attack on MDVS. In this attack scenario, a malicious designated verifier tries to forge a signature that passes through the verification of another honest designated verifier. A common counter-measure involves making the knowledge of secret key assumption in which an adversary is required to produce a proof-of-knowledge of the secret key. We strengthened the existing security model to capture this attack and propose a new construction that does not rely on the knowledge of secret key assumption. Secondly, we propose a generic construction of strong MDVS.

SUMMARY

Designated verifier signatures (DVS) allow a signer to create a signature whose validity can only be verified by a specific entity chosen by the signer. In addition, the chosen entity, known as the designated verifier, cannot convince anybody that the signature is created by the signer. Multi-designated verifiers signatures (MDVS) are a natural extension of DVS in which the signer can choose multiple designated verifiers. DVS and MDVS are useful primitives in electronic voting and contract signing. In this paper, we investigate various aspects of MDVS and make two contributions. Firstly, we revisit the notion of unforgeability under rogue key attack on MDVS. In this attack scenario, a malicious designated verifier tries to forge a signature that passes through the verification of another honest designated verifier. A common counter-measure involves making the knowledge of secret key assumption (KOSK) in which an adversary is required to produce a proof-of-knowledge of the secret key.
We strengthened the existing security model to capture this attack and propose a new construction that does not rely on the KOSK assumption. Secondly, we propose a generic construction of strong MDVS.

Setup: C invokes $\mathsf{Setup}(1^{\lambda})$ and subsequently $\mathsf{Gen}()$ to obtain $(param, (pk_S, sk_S), \{(pk_{V_i}, sk_{V_i})\}_{i \in [n]})$. Denote the set $\{pk_{V_i}\}_{i \in [n]}$ by $V$. $(param, pk_S, V)$ is given to A.

Query: A is allowed to make the following queries:

Challenge: At some point A submits a message $m^*$. C flips a fair coin $b$ and returns $(\sigma^*, V) \leftarrow \mathsf{Sign}(sk_{S_b}, V, m)$.

Query: A continues to make verification and signature queries.

Output: A submits a bit $b'$ and wins if and only if $b' = b$.

A's advantage in the game PSI is defined as the probability that A wins the game minus 1/2.

Definition 6 (Privacy of signer's identity) A MDVS scheme is said to possess privacy of signer's identity if no PPT adversary has non-negligible advantage in game PSI. A strong MDVS scheme is a MDVS scheme that possesses privacy of signer's identity.

ROGUE KEY ATTACK IN MDVS AND ITS SOLUTION

† Since the adversary cannot corrupt all the verifiers, it does not know the value $x_V$, which is equal to $\sum_{i \in [n]} x_{V_i}$.

‡ While rogue key attack on MDVS is discussed in [16], no formal security model has been proposed to capture such an attack.

§ We abuse the notation and assume a full domain hash. In the following when we write $c = H(X, Y)$ where $X$ and $Y$ may be elements from different domains, we assume a suitable encoding scheme is employed to convert $X$, $Y$ into a bit-string.

We require the one-way security of WE, which is formally defined as the following game between a challenger C and an adversary A.
Setup: C invokes $\mathsf{WE.Setup}(1^{\lambda})$ and subsequently $\mathsf{WE.Gen}()$ to obtain $(param_{WE}, WE.pk, WE.sk)$.

for randomly picked values $\ell_1, \ldots, \ell_n$ implies (Ur 1 ) ℓ1 · · · (Ur n ) ℓn = D ℓ1 1 · · · D ℓn n for all possible values of $\ell_i$ with overwhelming probability. This implies D i = Ur i and thus all receivers decrypt to the same value.

Next, we show that our construction of BE is one-way secure under the divisible computational Diffie-Hellman assumption (which is equivalent to the CDH assumption).

Setup: S sets $param$ as $(G, g, p)$, randomly picks $w \in_R \mathbb{Z}_p$ and two hash functions $H_S$, $H_V$. Parse $pk_S$ and $pk_V$ as $(Y_S := Z, H_S)$ and $(Y_V := Z^w, H_V)$ respectively. S gives $(param, pk_S, V)$ to A.
doi:10.1002/cpe.3094 fatcat:4cilfw2jgrcprmhsrl66yfd7jq