On Generic Constructions of Designated Confirmer Signatures [chapter]

Laila El Aimani
2009 Lecture Notes in Computer Science  
Designated Confirmer signatures were introduced to limit the verification property inherent to digital signatures. In fact, the verification in these signatures is replaced by a confirmation/denial protocol between the designated confirmer and some verifier. An intuitive way to obtain such signatures consists of first generating a digital signature on the message to be signed, then encrypting the result using a suitable encryption scheme. This approach, referred to as the "encryption of a signature" paradigm, requires the constituents (encryption and signature schemes) to meet the highest security notions in order to achieve secure constructions. In this paper, we revisit this method and establish the necessary and sufficient assumptions on the building blocks in order to attain secure confirmer signatures. Our study concludes that the paradigm, used in its basic form, cannot accommodate a class of encryption schemes which is vital for the efficiency of the confirmation/denial protocols. Next, we consider a slight variation of the paradigm, proposed in the context of undeniable signatures; we recast it in the confirmer signature framework along with changes that yield more flexibility, and we demonstrate its efficiency by explicitly describing its confirmation/denial protocols when instantiated with building blocks from a large class of signature/encryption schemes. Interestingly, the class of signatures we consider is very popular and has for instance been used to build efficient designated verifier signatures.

Okamoto (1994) [35]. The result proposes a construction of confirmer signatures from digital signatures, public key encryption, bit-commitment schemes and pseudo-random functions. The construction was used to prove the equivalence, with respect to existence, between confirmer signatures and public key encryption. Thus, efficiency was not taken into account in the framework.

Michels and Stadler (1998) [33]. This approach builds efficient confirmer signatures from signatures obtained from the Fiat-Shamir paradigm and from commitment schemes. Thus, the resulting confirmer signatures can only be proven secure in the random oracle model (ROM), inheriting this property from the use of the Fiat-Shamir paradigm, which constitutes their major shortcoming. Actually, it is well known, according to [41], that most discrete-logarithm-based signatures obtained from the Fiat-Shamir technique are very unlikely to preserve the same level of security in the standard model.

Camenisch and Michels (2000) [8]. The authors present the "encryption of a signature" idea along with a security analysis of the resulting confirmer signatures. In fact, they require existentially unforgeable signatures and indistinguishable encryption in the strongest attack model (EUF-CMA signatures and IND-CCA secure encryption) to achieve unforgeable, invisible, and transcript-simulatable confirmer signatures. The major weakness of the construction lies in the resort, in the confirmation/denial protocols, to general concurrent zero knowledge (ZK) proofs of NP statements.

Goldwasser and Waisbard (2004) [24]. This result manages to partially circumvent the weakness of the above construction. In fact, from a large class of digital signatures, the authors propose a transformation to confirmer signatures by encrypting the former items under an IND-CCA secure encryption during the confirmation protocol. They consequently achieve an efficient confirmation, but at the expense of transcript-simulatability, invisibility and the length of the resulting signatures. For instance, the signature contains at least twice the number of the confirmation protocol's rounds of encryptions. Moreover, the denial protocol of the construction still has recourse to general concurrent ZK proofs of NP statements.

Gentry et al. (2005) [20]. This work gives the possibility of building confirmer signatures from digital signatures, encryption (IND-CCA) and commitment schemes. Although the resulting construction does not use random oracles, it still does not completely get rid of general ZK proofs, since the confirmer has to prove in concurrent ZK the knowledge of the decryption of an IND-CCA encryption and of a string used for commitment.

Wang et al. (2007) [47]. In this work, the authors present two constructions. The first one fixes some flaws noticed in [20]; however, it still requires concurrent ZK proofs of NP statements. The second construction does not require any encryption, but at the expense of the underlying security assumption. In fact, its invisibility rests on the decisional Diffie-Hellman assumption, which rules out using the scheme in bilinear groups and thus benefiting from the attractive features they present, such as short group elements. Moreover, the construction also suffers from recourse to the ROM. Finally, these constructions, as well as the construction in [20], are not anonymous, as we will point out later in this document.

Wikström (2007) [14]. The author proposes a new model for convertible confirmer signatures along with a generic construction analyzed in this new model. The construction is similar to the one given in [8], with the exception of considering cryptosystems with labels. Although the construction requires a weaker security notion on the cryptosystem than IND-CCA, namely ∆-IND-CCA, it still resorts to general proofs of NP statements.

El Aimani (2008) [15]. This construction is a slight variation of the "encryption of a signature" paradigm which uses cryptosystems from the KEM/DEM paradigm and requires them to be only IND-CPA secure. The author claims that this positively impacts the efficiency of the confirmation/denial protocols by allowing homomorphic schemes in the design. However, such a claim lacks justification, since the only illustrations provided in the paper (or in its full version [30]) are generic constructions from a class of pairing-based signatures, which are used with a specific cryptosystem (El Gamal encryption or the linear Diffie-Hellman KEM/DEM). Furthermore, one of the constructions uses a cryptosystem which operates on messages in Z_p^× (for some prime p); thus, the resulting signatures will be quite long because of the size contrast between ring cryptography and elliptic-curve cryptography. This seems to violate the main expectation from appealing to elliptic curve cryptography, namely achieving short signatures.

Convertible Designated Confirmer Signatures (CDCS)

Since their introduction, many definitions and security models for CDCS have emerged. We consider the default model adopted in most confirmer signature proposals [8, 24, 20, 47, 15]. This model was first described in [8], where the sign-then-encrypt technique was first formally introduced. We refer to Appendix A for the necessary cryptographic primitives that will come into use, namely digital signatures, public key encryption schemes, KEM/DEM mechanisms, and finally Σ protocols.

Syntax. A CDCS scheme consists of the following procedures:

Key generation. Generates probabilistically key pairs (sk_S, pk_S) and (sk_C, pk_C) for the signer and for the confirmer respectively, each consisting of a private and a public key.

ConfirmSign. On input sk_S, pk_C and a message m, outputs a confirmer signature µ, then interacts with the signature recipient to convince him of the validity of the just-generated signature.
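A toy instance of the "encryption of a signature" paradigm discussed above, added here as an illustration and not taken from the paper: a Schnorr signature (a Fiat-Shamir-type scheme, so of the class the survey says is analysed in the ROM) whose second component is hidden as an ElGamal ciphertext under the confirmer's key, an IND-CPA homomorphic cryptosystem of the kind the El Aimani (2008) variant allows. The group parameters are a constructed 10-bit safe prime, the recipient-side interaction of ConfirmSign and the zero-knowledge confirmation/denial proofs are omitted, and confirm_or_deny simply decrypts and checks the verification equation on the recovered group element.

```python
import hashlib
import secrets

# Constructed toy parameters (not secure): safe prime P = 2Q + 1 and G = 4,
# a generator of the order-Q subgroup of Z_P^x. Real use needs a 256-bit Q.
P, Q, G = 1019, 509, 4

def challenge(r, msg):
    """Fiat-Shamir challenge e = H(r || m) reduced into Z_Q."""
    return int.from_bytes(hashlib.sha256(f"{r}|{msg}".encode()).digest(), "big") % Q

def keygen():
    """Key pair for signer or confirmer: sk uniform in [1, Q-1], pk = G^sk."""
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def sign(sk_s, msg):
    """Plain Schnorr signature (r, s) with G^s = r * pk_s^e mod P."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    return r, (k + challenge(r, msg) * sk_s) % Q

def verify(pk_s, msg, r, s):
    return pow(G, s, P) == r * pow(pk_s, challenge(r, msg), P) % P

def confirm_sign(sk_s, pk_c, msg):
    """Encryption of a signature: r stays in the clear, G^s is ElGamal-encrypted
    under the confirmer's key. Without sk_c, (r, c1, c2) reveals no validity."""
    r, s = sign(sk_s, msg)
    t = secrets.randbelow(Q - 1) + 1
    return r, pow(G, t, P), pow(G, s, P) * pow(pk_c, t, P) % P

def confirm_or_deny(sk_c, pk_s, msg, mu):
    """Confirmer decrypts G^s = c2 * c1^(-sk_c) (exponent Q - sk_c works because
    c1 has order Q) and checks the Schnorr equation on the group element.
    True means confirm, False means deny; the ZK proof of this check is omitted."""
    r, c1, c2 = mu
    g_s = c2 * pow(c1, Q - sk_c, P) % P
    return g_s == r * pow(pk_s, challenge(r, msg), P) % P

def demo(msg="transfer 10"):
    """Round trip plus a tampered ciphertext (c2 * G decrypts to G^(s+1))."""
    sk_s, pk_s = keygen()
    sk_c, pk_c = keygen()
    r, c1, c2 = confirm_sign(sk_s, pk_c, msg)
    return (confirm_or_deny(sk_c, pk_s, msg, (r, c1, c2)),
            confirm_or_deny(sk_c, pk_s, msg, (r, c1, c2 * G % P)))
```

Because the confirmer never needs s itself, only G^s, the same check can be turned into a proof of equality of discrete logarithms on the ElGamal ciphertext, which is the efficiency argument for IND-CPA homomorphic building blocks.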
doi:10.1007/978-3-642-10628-6_23 fatcat:dlwvqylb4rhvlj5z5rebhfr5p4