Article

Multi-Designated Verifiers Signatures Revisited

Abstract

Multi-Designated Verifier Signatures (MDVS) are privacy-oriented signatures that can only be verified by a set of users specified by the signer. We propose two new generic constructions of MDVS from variants of existing cryptographic schemes, which are ring signature from anonymous subset and multi-chameleon hash. We first devise a single add-on protocol which enables many existing identity-based (ID-based) ring signature schemes to support anonymous subset, which gives us three ID-based MDVS schemes. We then construct a multi-chameleon hash from an existing scheme with key exposure freeness. Interestingly, these two techniques can be seen as a multisignature version of Hess's ID-based signature and Schnorr signature respectively.

... Consequently in 2004, Laguillaumie et al. formalized this concept [7]. Up to now, a number of MDVS schemes with various properties in different setting models have been presented in the literature [8-24], ...
... In this paper, we discuss on delegatability of all proposed MDVS schemes in the literature (to the best of our knowledge). Firstly, we provide some applications for nondelegatable (universal) multi-designated verifier signature ND-(U)MDVS schemes and then show that interestingly almost all of the (U)MDVS schemes proposed in the literature up to now, i.e. the proposed schemes in [3, 7-24], are delegatable. Additionally some of these schemes have some faults in satisfying the main security requirements of an MDVS i.e., the unforgeability and the nontransferability. ...
... To the best of our knowledge, the schemes in [3, 7-24] are all the proposed MDVS schemes that have appeared in the literature so far. In the proposed schemes in [3,7,13,14] and the first scheme in [18], the private keys of the designated verifiers are not used in the verification phase and as a result everyone who achieves the MDVS (for example from the channel) can verify it and this is against the privacy of the signer, which is the main goal of an MDVS scheme [24]. ...
Article
In a designated verifier signature (DVS) scheme, a signer (Alice) generates a signature which can only be verified by a designated verifier (Bob) chosen by her. Moreover, Bob cannot transfer his conviction about Alice’s signature to any third party. A DVS scheme provides the capability of authenticating Alice to Bob without disrupting her privacy. A multi designated verifier signature (MDVS) scheme is an extension of a DVS which consists of multiple designated verifiers. Non-delegatability is an essential property of a DVS scheme in scenarios where the responsibility of a signer (Alice) is important and she must not be able to delegate the signing rights to another entity. In this paper, we discuss on all MDVS schemes proposed up to now (to the best of our knowledge) and show that all of them are delegatable. As a result, proposing a non-delegatable MDVS scheme is an open research problem in the literature.
... This notion was first formalised in 2004 by Laguillaumie and Vergnaud [7]. Since then, a number of MDVS schemes with various properties in different setting models have been proposed [8-23]. These MDVS schemes are categorised in the two following patterns: ...
... (a) The verification algorithm does not take any private keys of designated verifiers as input [3, 7, 12-14]. (b) The verification algorithm takes the private key of a single verifier of the set of all designated verifiers as input [9-11, 14, 16-18, 21, 23]. ...
... Two existing patterns are similar in all algorithms except in the DVer algorithm. These algorithms are defined as follows [7-23]. ...
Article
In a designated verifier signature (DVS) scheme, the validity of the signature can only be checked by a designated entity chosen by the signer. Furthermore, the designated entity cannot convince a third party that the signature is generated by the signer. A multi‐designated verifiers signature (MDVS) scheme is an extension of a DVS which includes multiple designated verifiers. To the best of the authors’ knowledge, there are two existing patterns for an MDVS scheme. In the first pattern, every verifier of the set of designated verifiers can check the validity of the signature independently. In the second pattern, the cooperation of all designated verifiers is required for checking the validity of the signature. In this study, the authors propose a generic new pattern for an MDVS scheme in which a threshold number of the set of designated verifiers can check the validity of the signature. They also present a concrete MDVS scheme with threshold verifiability in the standard model. Moreover, they compare their scheme with other existing MDVS schemes. Finally, they briefly explain scenarios in which the proposed pattern can be applicable.
... Several constructions of MDVSs from primitives different from ring signatures have been proposed so far. Chow [17] demonstrates a construction from a multi-chameleon hash, whereas he does not define MDVSs formally. Further, Damgård et al. [3] propose two generic constructions of MDVSs; one is from a pseudorandom function, a pseudorandom generator, a key agreement, and an NIZK; and the other is from a functional encryption. ...
Article
From the work by Laguillaumie and Vergnaud in ICICS’04, it has been widely believed that multi-designated verifiers signature scheme (MDVS) can be constructed from ring signature schemes in general. However, in this article, somewhat surprisingly, we prove that it is impossible to construct an MDVS scheme from a ring signature scheme in a black-box sense (in the standard model). The impossibility stems from the difference between the definitions of unforgeability of the two schemes. To the best of our knowledge, existing works demonstrating the constructions do not provide formal reductions from an MDVS scheme to a ring signature scheme, and thus, the impossibility has been overlooked for a long time.
... In a multi-designated verifiers signature scheme, there exist more than one designated verifier. Since then, various multi-designated verifiers signatures have been proposed, such as multi-designated verifiers signatures [28], identity-based strong multi-designated verifiers signatures [29], and identity-based universal designated multi-verifiers signatures [30]. ...
Article
In a strong designated verifier signature scheme, only the designated verifier can determine the identity of the signer; others cannot identify the signer or the verifier. To date, one strong designated verifier signature scheme from lattices has been proposed, only in the random oracle model. In this paper, we propose the first strong designated verifier signature scheme from lattices in the standard model. The proposed scheme satisfies the requirements of unforgeability, nontransferability, and privacy of the signer's identity. This scheme can be easily extended to an identity-based strong designated verifier signature scheme and an (identity-based) strong multi-designated verifiers signature scheme.
... In section 4 we analyse the security of that MPDVS and of the underlying threshold signature scheme. We conclude in section 5. 1 The way Multi-DVS are defined and formalised imposes that "the participants …have to generate a shared RSA key" [LV04], "in identity-based cryptosystem, it also produces a master secret key (MSK), kept in secret by PKG (private key generator)" [Cho08]. This is not required in our primitive. ...
Article
In this paper we present how multi-party designated verifier signatures can be used as generic solution to provide coercion-freeness in electronic voting schemes. We illustrate the concept of multi-party designated verifier signatures with an enhanced version of Ghodosi and Pieprzyk [GP06]'s threshold signature scheme. The proposed scheme is efficient, secure, allows distributed computations of the signature on the ballot receipt, and can be parameterized to set a threshold on the number of required signers. The security of the designated verifier property is evaluated using the simulation paradigm [Gol00] based on the security analysis of [GHKR08]. Unlike previously provable schemes, ours is ideal, i.e. the bit-length of each secret key share is bounded by the bit-length of the RSA modulus.
... The digital signature (DS) protocols are widely used in information systems to solve different practical problems of the messages authentication. A variety of the DS protocols has been proposed in the literature [4,9,19], including multi-signature schemes [1,7,17]. A particular type of the protocols, called blind signature schemes [2], are especially interesting for application in the electronic money systems and in the electronic voting systems. ...
Article
Using Russian digital signature (DS) standards as the underlying scheme there are designed the blind DS protocols that are the first known implementation of the blind DS based on signature standards. There are also proposed blind collective DS protocols based on the DS standards. The last protocols are also the first implementation of the blind multi-signature schemes using the signature verification equations specified by DS standards.
... In some scenarios, however, the public verifiability of ordinary signatures is not desired, since the signer may wish the recipient of a digital signature could not show the signature to a third party at will. To control the public verifiability, some kinds of digital signatures had been proposed and studied in the literature, such as designated verifier signatures [2, 5, 6, 10], designated confirmer signatures [3, 14], and undeniable signatures [1, 8, 13], etc. Undeniable signatures are like ordinary digital signatures, with the only difference that they are not publicly verifiable. Instead, the validity or invalidity of an undeniable signature can only be verified via the confirmation/disavowal protocol with the help of the signer. ...
Article
Undeniable signatures were proposed to limit the public verification property of ordinary digital signature. In fact, the verification of such signatures cannot be obtained without the help of the signer via the confirmation/disavowal protocols. In this paper, we reconsider the security of the undeniable signature scheme proposed by Yuan et al. at ICICS 2007, and point out their scheme does not satisfy the security model of invisibility the authors presented.
Article
We study signatures well suited for sensitive applications (e.g. whistleblowing) where both the signer's anonymity and deniability are important. Two independent lines of work have tackled these two goals: ring signatures ensure the signer's anonymity (within a set of signers, called a ring), and — separately — multi designated verifier signatures ensure that all the intended recipients agree on whether a signature is valid, while maintaining the signer's deniability by preventing the intended recipients from convincing an outsider of the validity of the signature. In this paper, we introduce multi designated verifier ring signatures (MDVRS), which simultaneously offer both signer anonymity and deniability. This makes MDVRS uniquely suited for sensitive scenarios. Following the blueprint of Damgård et al (TCC'20) for multi designated verifier signatures, we introduce provably simulatable designated verifier ring signatures (PSDVRS) as an intermediate building block which we then compile into an MDVRS. We instantiate PSDVRS in a concretely efficient way from discrete logarithm based sigma protocols, encryption and commitments.
Article
This paper considers the problem of balancing traceability and anonymity in designated verifier signatures (DVS), which are a kind of group-oriented signatures. That is, we propose claimable designated verifier signatures (CDVS), where a signer is able to claim that he/she indeed created a signature later. Ordinal DVS does not provide any traceability, which could indicate too strong anonymity. Thus, adding claimability, which can be seen as a sort of traceability, moderates anonymity. We demonstrate two generic constructions of CDVS from (i) ring signatures, (non-ring) signatures, pseudorandom function, and commitment scheme, and (ii) claimable ring signatures (by Park and Sealfon, CRYPTO'19).
Chapter
When defining a security notion, one typically specifies what dishonest parties cannot achieve. For example, communication is confidential if a third party cannot learn anything about the messages being transmitted, and it is authentic if a third party cannot impersonate the real (honest) sender. For certain applications, however, security crucially relies on giving dishonest parties certain capabilities. As an example, in Designated Verifier Signature (DVS) schemes, one captures that only the designated verifier can be convinced of the authenticity of a message by guaranteeing that any dishonest party can forge signatures which look indistinguishable (to a third party) from original ones created by the sender.
Chapter
Off-the-Record (OTR) messaging is a two-party message authentication protocol that also provides plausible deniability: there is no record that can later convince a third party what messages were actually sent. The challenge in group OTR, is to enable the sender to sign his messages so that group members can verify who sent a message (signatures should be unforgeable, even by group members). Also, we want the off-the-record property: even if some verifiers are corrupt and collude, they should not be able to prove the authenticity of a message to any outsider. Finally, we need consistency, meaning that if any group member accepts a signature, then all of them do.
Article
A strong multiple designated verifiers signature (SMDVS) enables a signer to convince a set of verifiers by generating one signature, of which the verification needs a private key of a verifier. After a brief survey of current SMDVS schemes, we find no schemes suitable to a broadcast propagation, where the simulation needs only one verifier's private key. Motivated by this discovery, we propose a broadcast SMDVS scheme. The new scheme is proven secure in the random oracle model.
Conference Paper
Strong designated verifier signature (SDVS) is characterized by two properties; namely the non-transferability and the privacy of the signer's identity (PSI). Non-transferability prevents anyone else other than the designated verifier to verify the signature, while PSI prevents a third party to distinguish between two different signers. In this paper, we propose a non-delegatable SDVS which uses a trusted third party for the key generation. Our signature scheme does not use bilinear pairings which makes it suitable for the resource constraint applications. Using one-way homomorphic functions, our scheme is presented at an abstract level, the unification of which was noticed by Maurer in the context of zero knowledge proofs of knowledge in Africacrypt 2009. The security of the proposed scheme is proved in the random oracle model, provided that the homomorphism one-wayness and the gap Diffie-Hellman assumptions hold. When a Schnorr-like homomorphism is used to construct our scheme, six exponentiations are needed in the signing step and seven for the verification step. This means a meaningful gap between the performance of our scheme and that of its predecessors which use pairings in their signing and/or verification steps.
Article
A Strong Multiple Designated Verifiers Signature (SMDVS) enables a signer to convince a set of verifiers by generating one signature, of which the verification needs the private key of a verifier. After a brief survey of the current SMDVS schemes and attacks, we found that there were reported or applicable attacks on many schemes, and some schemes needed group communications in the signature verification algorithm. We propose a new SMDVS scheme which is secure against current attacks and needs no extra group communications in the verification algorithm. The scheme is proven secure in the random oracle model.
Conference Paper
Designated verifier signatures (DVS) allow a signer to create a signature whose validity can only be verified by a specific entity chosen by the signer. In addition, the chosen entity, known as the designated verifier, cannot convince anybody that the signature is created by the signer. Multi-designated verifiers signatures (MDVS) are a natural extension of DVS in which the signer can choose multiple designated verifiers. DVS and MDVS are useful primitives in electronic voting and contract signing. In this paper, we investigate various aspects of MDVS and make two contributions. Firstly, we revisit the notion of unforgeability under rogue key attack on MDVS. In this attack scenario, a malicious designated verifier tries to forge a signature that passes through the verification of another honest designated verifier. A common counter-measure involves making the knowledge of secret key assumption (KOSK) in which an adversary is required to produce a proof-of-knowledge of the secret key. We strengthened the existing security model to capture this attack and propose a new construction that does not rely on the KOSK assumption. Secondly, we propose a generic construction of strong MDVS.
Article
Designated verifier signatures (DVS) allow a signer to create a signature whose validity can only be verified by a specific entity chosen by the signer. In addition, the chosen entity, known as the designated verifier, cannot convince anybody that the signature is created by the signer. Multidesignated verifiers signatures (MDVS) are a natural extension of DVS in which the signer can choose multiple designated verifiers. DVS and MDVS are useful primitives in electronic voting and contract signing. In this paper, we investigate various aspects of MDVS and make two contributions. Firstly, we revisit the notion of unforgeability under rogue key attack on MDVS. In this attack scenario, a malicious designated verifier tries to forge a signature that passes through the verification of another honest designated verifier. A common counter-measure involves making the knowledge of secret key assumption in which an adversary is required to produce a proof-of-knowledge of the secret key. We strengthened the existing security model to capture this attack and propose a new construction that does not rely on the knowledge of secret key assumption. Secondly, we propose a generic construction of strong MDVS. Copyright © 2013 John Wiley & Sons, Ltd.
Article
A strong designated verifier signature (SDVS) scheme only allows a designated verifier to validate signer's signatures for ensuring confidentiality. At the same time, the designated verifier can not transfer the signature to any third party, since he can also generate another computationally indistinguishable SDVS, which is referred to as non-transferability. A proxy signature scheme is a special type of digital signature schemes, which enables an authorized proxy signer to create a valid proxy signature on behalf of the original one. The resulted proxy signature is publicly verifiable by anyone. In this paper, we elaborate on the merits of SDVS schemes and proxy signature schemes to propose an efficient strong designated verifier proxy signature (SDVPS) scheme in which only a designated verifier can be convinced of the proxy signer's identity. The proposed scheme has crucial benefits in organizational operations and electronic commerce. Compared with related schemes, ours has not only shorter signature length, but also lower computational costs. Moreover, the security requirement of unforgeability against existential forgery under adaptive chosen-message attacks (EF-CMA) is proved in the random oracle model.
Conference Paper
A strong multiple designated verifiers signature (SMDVS) enables a signer to convince a set of verifiers by generating one signature, of which the verification needs the private key of a verifier. After a brief survey of the current SMDVS schemes, we find no schemes suitable to the broadcast propagation, where the simulation needs only one verifier's private key. Motivated by this discovery, we propose a broadcast SMDVS scheme. The new scheme is proven secure in the random oracle model.
Article
We present a new public-key signature scheme and a corresponding authentication scheme that are based on discrete logarithms in a subgroup of units in p where p is a sufficiently large prime, e.g., p 2512. A key idea is to use for the base of the discrete logarithm an integer in p such that the order of is a sufficiently large prime q, e.g., q 2140. In this way we improve the ElGamal signature scheme in the speed of the procedures for the generation and the verification of signatures and also in the bit length of signatures. We present an efficient algorithm that preprocesses the exponentiation of a random residue modulo p.
Conference Paper
Chameleon signatures were introduced by Krawczyk and Rabin, being non-interactive signature schemes that provide non-transferability. However, that first construction employs a chameleon hash that suffers from a key exposure problem: The non-transferability property requires willingness of the recipient in consequentially exposing a secret key, and therefore invalidating all signatures issued to the same recipient's public key. To address this key-revocation issue, and its attending problems of key redistribution, storage of state information, and greater need for interaction, an identity-based scheme was proposed in [1], while a fully key-exposure free construction, based on the elliptic curves with pairings, appeared later in [7]. Herein we provide several constructions of exposure-free chameleon hash functions based on different cryptographic assumptions, such as the RSA and the discrete logarithm assumptions. One of the schemes is a novel construction that relies on a single trapdoor and therefore may potentially be realized over a large set of cryptographic groups (where the discrete logarithm is hard). Keywords: Digital signatures, undeniable signatures, collision-resistant hashing, trapdoor commitments, chameleon signatures, chameleon hashing.
Conference Paper
We introduce Ad hoc Anonymous Identification schemes, a new multi-user cryptographic primitive that allows participants from a user population to form ad-hoc groups, and then prove membership anonymously in such groups. Our schemes are based on the notion of accumulator with one-way domain, a natural extension of cryptographic accumulators we introduce in this work. We provide a formal model for Ad hoc Anonymous Identification schemes and design secure such schemes both generically (based on any accumulator with one-way domain) and for a specific efficient implementation of such an accumulator based on the Strong RSA Assumption. A salient feature of our approach is that all the identification protocols take time independent of the size of the ad-hoc group. All our schemes and notions can be generally and efficiently amended so that they allow the recovery of the signer’s identity by an authority, if the latter is desired. Using the Fiat-Shamir transform, we also obtain constant-size, signer-ambiguous group and ring signatures (provably secure in the Random Oracle Model). For ring signatures, this is the first such constant-size scheme, as all the previous proposals had signature size proportional to the size of the ring. For group signatures, we obtain schemes comparable in performance with state-of-the-art schemes, with the additional feature that the role of the group manager during key registration is extremely simple and essentially passive: all it does is accept the public key of the new member (and update the constant-size public key of the group).
Conference Paper
Designated verifier signatures were introduced in the middle of the 90’s by Jakobsson, Sako and Impagliazzo, and independently patented by Chaum as private signatures. In this setting, a signature can only be verified by a unique and specific user. At Crypto’03, Desmedt suggested the problem of generalizing the designated verifier signatures. In this case, a signature should be intended to a specific set of different verifiers. In this article, we provide a formal definition of multi-designated verifiers signatures and give a rigorous treatment of the security model for such a scheme. We propose a construction based on ring signatures, which meets our definition, but does not achieve the privacy of signer’s identity property. Finally, we propose a very efficient bi-designated verifiers signature scheme based on bilinear maps, which protects the anonymity of signers. Keywords: multi-designated verifiers signatures, ring signatures, bilinear maps, privacy of signer’s identity, exact security
Conference Paper
The notion of concurrent signatures was recently introduced by Chen, Kudla and Paterson. In concurrent signature schemes, two entities can produce two signatures that are not binding, until an extra piece of information (namely the keystone) is released by one of the parties. Subsequently, it was noted that the concurrent signature scheme proposed in the seminal paper cannot provide perfect ambiguity. Then, the notion of perfect concurrent signatures was introduced. In this paper, we define the notion of identity-based (or ID-based) perfect concurrent signature schemes. We provide the first generic construction of (ID-based) perfect concurrent signature schemes from ring signature schemes. Using the proposed framework, we give two concrete ID-based perfect concurrent signature schemes based on two major paradigms of ID-based ring signature schemes. Security proofs are based on the random oracle model.
Conference Paper
At the conference Asiacrypt 2001, Rivest, Shamir and Tauman firstly addressed the concept of ring signature. We propose an identity-based ring signature scheme from bilinear pairings. As compared with the Zhang-Kim scheme (presented at the conference Asiacrypt 2002), our scheme is more efficient in computation and requires fewer pairing operations.
Article
At Crypto'89, Chaum and van Antwerpen first introduced the concept of undeniable signatures, which has a special property such that a signature cannot be verified without the signer's cooperation. In 1996, Jakobsson, Sako, and Impagliazzo proposed a non-interactive undeniable signature scheme by employing a new primitive called designated verifier proofs. However, this paper shows that their scheme is insecure by demonstrating a simple attack that allows a dishonest signer to convince a designated verifier receiving invalid signatures. In addition, two intuitive countermeasures are presented.
Conference Paper
Identity-based (ID-based) cryptosystems eliminate the need for validity checking of the certificates and the need for registering for a certificate before getting the public key. These two features are desirable especially for the efficiency and the real spontaneity of ring signature, where a user can anonymously sign a message on behalf of a group of spontaneously conscripted users including the actual signer. In this paper, we propose a novel construction of ID-based ring signature which only needs two pairing computations for any group size. The proposed scheme is proven to be existential unforgeable against adaptive chosen message-and-identity attack under the random oracle model, using the forking lemma for generic ring signature schemes. We also consider its extension to support the general access structure.
Conference Paper
We develop an efficient identity based signature scheme based on pairings whose security relies on the hardness of the Diffie-Hellman problem in the random oracle model. We describe how this scheme is obtained as a special version of a more general generic scheme which yields further new provably secure identity based signature schemes if pairings are used. The generic scheme also includes traditional public key signature schemes. We further discuss issues of key escrow and the distribution of keys to multiple trust authorities. The appendix contains a brief description of the relevant properties of supersingular elliptic curves and the Weil and Tate pairings.
Conference Paper
Chameleon signatures are based on well established hash-and-sign paradigm, where a chameleon hash function is used to compute the cryptographic message digest. Chameleon signatures simultaneously provide the properties of non-repudiation and non-transferability for the signed message, i.e., the designated recipient is capable of verifying the validity of the signature, but cannot disclose the contents of the signed information to convince any third party without the signer’s consent. One disadvantage of the initial chameleon signatures is that signature forgery results in the signer recovering the recipient’s trapdoor information, i.e., private key. Therefore, the signer can use this information to deny other signatures given to the recipient. This creates a strong disincentive for the recipient to forge signatures, partially undermining the concept of non-transferability. In this paper, we first propose a novel chameleon hashing scheme in the gap Diffie-Hellman group to solve the problem of key exposure. We can prove that the recipient’s trapdoor information will never be compromised under the assumption of Computation Diffie-Hellman Problem (CDHP) is intractable. Moreover, we use the proposed chameleon hashing scheme to design a chameleon signature scheme.
Conference Paper
This paper gives a solid and inspiring survey of ID-based ring signatures from a number of perspectives. It is well known that ID-based cryptosystems provide some advantages that traditional public key infrastructure (PKI) cannot achieve. What advantages do ID-based ring signature schemes possess that PKI-based schemes do not? Many ID-based ring signature schemes have been proposed. What is the design philosophy behind existing ID-based ring signature schemes? This paper summarizes the study of ID-based ring signature schemes in the literature, investigates their relationships with other existing cryptographic schemes, describes the extension of ID-based ring signature schemes and the related supporting protocol, reviews the state-of-the-art and discusses a number of interesting open problems. Keywords: Identity based cryptography, ring signature, spontaneous anonymous group signature, PKI, bilinear pairings
Conference Paper
Formal models and security proofs are especially important for multisignatures: in contrast to threshold signatures, no precise definitions were ever provided for such schemes, and some proposals were subsequently broken. In this paper, we formalize and implement a variant of multi-signature schemes, Accountable-Subgroup Multisignatures (ASM). In essence, ASM schemes enable any subgroup, S, of a given group, G, of potential signers, to sign efficiently a message M so that the signature provably reveals the identities of the signers in S to any verifier. Specifically, we provide:
  • The first formal model of security for multisignature schemes that explicitly includes key generation (without relying on trusted third parties);
  • A protocol, based on Schnorr's signature scheme [33], that is both provable and efficient:
      • Only three rounds of communication are required per signature.
      • The signing time per signer is the same as for the single-signer Schnorr scheme, regardless of the number of signers.
      • The verification time is only slightly greater than that for the single-signer Schnorr scheme.
      • The signature length is the same as for the single signer Schnorr scheme, regardless of the number of signers.
Our proof of security relies on random oracles and the hardness of the Discrete Log Problem.
Conference Paper
Ring signatures allow a user to sign anonymously on behalf of a group of spontaneously conscripted members. Two ring signatures are linked if they are issued by the same signer. We introduce the notion of Escrowed Linkability of ring signatures, such that only a Linking Authority can link two ring signatures; otherwise two ring signatures remain unlinkable to anyone. We give an efficient instantiation, and discuss the applications of escrowed linkability, like spontaneous traceable signature and anonymous verifiably encrypted signature. Moreover, we propose the first short identity-based linkable ring signatures from bilinear pairings. All proposals are provably secure under the random oracle model.
Conference Paper
The Full Domain Hash (FDH) scheme is an RSA-based signature scheme in which the message is hashed onto the full domain of the RSA function. The FDH scheme is provably secure in the random oracle model, assuming that inverting RSA is hard. In this paper we exhibit a slightly different proof which provides a tighter security reduction. This in turn improves the efficiency of the scheme since smaller RSA moduli can be used for the same level of security. The same method can be used to obtain a tighter security reduction for Rabin signature scheme, Paillier signature scheme, and the Gennaro-Halevi-Rabin signature scheme.
G. Ateniese, "On the key exposure problem in chameleon hashes," Security in Communication Networks, 4th International Conference, SCN 2004, LNCS 3352, pp. 165–179, C. Blundo and S. Cimato, Editors, Springer-Verlag, Amalfi, Italy, Sep. 8-10, 2004, Revised Selected Papers, Amalfi, Italy, 2005.
Chih-Yin Lin and Tzong-Chen Wu, "An identity-based ring signature scheme from bilinear pairings," Cryptology ePrint Archive, Report 2003/117, 2003. Available at http://eprint.iacr.org
L. Nguyen, "Accumulators from bilinear pairings and applications," Topics in Cryptology - CT-RSA 2005, The Cryptographers' Track at the RSA Conference 2005, LNCS 3376, pp. 275-292, A. J. Menezes, Editor, Springer-Verlag, San Francisco, CA, USA, Feb. 14-18, 2005.
R. L. Rivest, A. Shamir, and Y. Tauman, "How to Leak a Secret," Advances in Cryptology - Asiacrypt '01, 7th International Conference on the Theory and Application of Cryptology and Information Security, LNCS 2248, pp. 552-565, C. Boyd, Editor, Springer-Verlag, Gold Coast, Australia, Dec. 9-13, 2001.
W. Susilo and Y. Mu, "Non-interactive deniable ring authentication," Information Security and Cryptology - ICISC 2003, 6th International Conference, LNCS 2971, pp. 386-401, J. I. Lim and D. H. Lee, Editors, Springer-Verlag, Seoul, Korea, Nov. 27-28, 2003, Revised Papers, Seoul, Korea, 2004.
J. Herranz and G. Sáez, "New identity-based ring signature schemes," Proceedings of the Information and Communications Security, 6th International Conference, ICICS 2004, LNCS 3269, pp. 27-39, J. Lopez, S. Qing, and E. Okamoto, Editors, Springer-Verlag, Malaga, Spain, Oct. 27-29, 2004.
M. Jakobsson, K. Sako, and R. Impagliazzo, "Designated verifier proofs and their applications," Advances in Cryptology - Eurocrypt '96, International Conference on the Theory and Application of Cryptographic Techniques, LNCS 1070, pp. 143-154, U. M. Maurer, Editor, Springer-Verlag, Saragossa, Spain, May 12-16, 1996.
F. Hess, "Efficient Identity Based Signature Schemes based on Pairings," Selected Areas in Cryptography, 9th Annual International Workshop, SAC 2002, LNCS 2595, pp. 310-324, K. Nyberg and H. M. Heys, Editors, Springer-Verlag, St. John's, Newfoundland, Canada, Aug. 15-16, 2002.
International Journal of Network Security, Vol.7, No.3, PP.348–357, Nov. 2008
X. Chen, F. Zhang, and K. Kim, "Chameleon hashing without key exposure," Proceedings of Information Security, 7th International Conference, ISC 2004, LNCS 3225, pp. 87-98, K. Zhang and Y. Zheng, Editors, Springer-Verlag, Palo Alto, CA, USA, Sep. 27-29, 2004.
D. Chaum, "Private signature and proof systems," United States Patents, no. 5, pp. 493-614, 1996.
F. Zhang and K. Kim, "ID-based blind signature and ring signature from pairings," Advances in Cryptology - Asiacrypt '02, 8th International Conference on the Theory and Application of Cryptology and Information Security, LNCS 2501, pp. 533-547, Y. Zheng, Editor, Springer-Verlag, Queenstown, New Zealand, Dec. 1-5, 2002.
S. S. M. Chow, "Identity-based strong multi-designated verifiers signatures," Proceedings of the Public Key Infrastructure, Third European PKI Workshop: Theory and Practice, EuroPKI 2006, LNCS 4043, pp. 257-259, A. S. Atzeni and A. Lioy, Editors, Springer-Verlag, Turin, Italy, June 19-20, 2006.
S. Micali, K. Ohta, and L. Reyzin, "Accountable-subgroup multisignatures: Extended abstract," Proceedings of the CCS '01: 8th ACM conference on Computer and Communications Security, pp. 245-254, New York, NY, USA, ACM Press, 2001.
Y. Desmedt, "Verifier-designated signatures," 2006. (http://web.archive.org/web/20060904033040/www.cs.fsu.edu/~desmedt/lectures/verifierdesignated-signatures.pdf)