Transformation of Digital Signature Schemes into Designated Confirmer Signature Schemes [chapter]

Shafi Goldwasser, Erez Waisbard
2004 Lecture Notes in Computer Science  
Since designated confirmer signature schemes were introduced by Chaum and formalized by Okamoto, a number of attempts have been made to design designated confirmer signature schemes which are efficient and at the same time provably secure under standard cryptographic assumptions. Yet, there has been a consistent gap in security claims and analysis between all generic theoretical proposals and any concrete implementation proposal one can envision using in practice. In this paper we propose a ... fication of Okamoto's definition of security which still captures security against chosen message attack, and yet enables the design of concrete and reasonably efficient designated confirmer signature schemes which can be proved secure without resorting to random oracle assumptions as previously done. In particular, we present simple transformations of the digital signature schemes of Cramer-Shoup, Goldwasser-Micali-Rivest and Gennaro-Halevi-Rabin into secure designated confirmer signature schemes. We prove security of the schemes obtained under the same security assumption made by the digital signature scheme transformed and an encryption scheme we use as a tool.

Protocol I: Zero-knowledge proof of knowledge of the $i$th root. On common input $w, i, N$ such that $w = s^i \bmod N$, and auxiliary secret input $s$ to the prover.

1. The prover picks $r \in_R Z_n^*$, computes $v = r^i \bmod N$ and sends $v$ to the verifier.
2. The verifier picks $b \in_R \{0, 1\}$ and sends $b$ to the prover.
3. The prover sends $t = r s^b \bmod N$ to the verifier.
4. The verifier accepts iff $t^i \equiv v w^b \pmod{N}$.

(To achieve lower soundness probability the protocol may be repeated.)

Theorem 9. Protocol I is a perfect zero-knowledge proof of knowledge of $s$.

Protocol II: Strong WHPOK of Cramer-Shoup signatures. On common input message $m$, a Cramer-Shoup public key $(N, h, x, e')$ and an auxiliary secret input to the prover $(e, y, y')$ (a Cramer-Shoup signature of $m$).
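The four steps of Protocol I above, as an added Python example that is not code from the paper: it runs both sides of a round, then shows the two properties Theorem 9 names, a knowledge extractor (two accepting answers to the same $v$ yield $s$) and a simulator (an accepting transcript built without $s$). The modulus, the secret and all function names are constructed for illustration, and the toy modulus is far too small for real use.

```python
import secrets
from math import gcd

# Constructed toy parameters (assumptions, not from the paper).
N = 1009 * 1013            # modulus N
I = 5                      # root index i
S = 123456                 # prover's secret s, a unit mod N
W = pow(S, I, N)           # common input w = s^i mod N

def rand_unit(n):
    """Uniform element of Z_n^*."""
    while True:
        r = secrets.randbelow(n - 1) + 1
        if gcd(r, n) == 1:
            return r

def commit(i, n):
    r = rand_unit(n)
    return r, pow(r, i, n)                 # step 1: v = r^i mod N

def respond(r, s, b, n):
    return (r * pow(s, b, n)) % n          # step 3: t = r * s^b mod N

def verify(w, i, n, v, b, t):
    return pow(t, i, n) == (v * pow(w, b, n)) % n   # step 4

def prove(w, i, n, s, rounds=20):
    """Repeat the round; a prover without s passes with probability 2^-rounds."""
    for _ in range(rounds):
        r, v = commit(i, n)
        b = secrets.randbelow(2)           # step 2: verifier's challenge
        if not verify(w, i, n, v, b, respond(r, s, b, n)):
            return False
    return True

def extract(t0, t1, n):
    """Extractor: answers to b=0 and b=1 for the same v give s = t1 / t0."""
    return (t1 * pow(t0, -1, n)) % n

def simulate(w, i, n):
    """Simulator: choose b and t first, solve for v; the secret is never used."""
    b, t = secrets.randbelow(2), rand_unit(n)
    v = (pow(t, i, n) * pow(pow(w, b, n), -1, n)) % n
    return v, b, t
```

The extractor is also why a prover must never reuse $r$ across rounds: answering both challenges for one commitment reveals $s$.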
doi:10.1007/978-3-540-24638-1_5 fatcat:6kpb5tvyerh2nacnz334ipqvf4