A MORE EFFICIENT CONVERTIBLE NOMINATIVE SIGNATURE
Dennis Y. W. Liu, Shuang Chang and Duncan S. Wong
Dept. of Computer Science, City University of Hong Kong, Hong Kong, China
Keywords:
Digital Signature, Nominative Signature, Undeniable Signature.
Abstract:
Nominative signature provides an interesting share of power between a nominator and a nominee in which a
nominative signature, generated jointly by the nominator and the nominee, can only be verified with the aid
of the nominee. In this paper, we propose a new construction of nominative signature which has a higher
network efficiency than the existing one (Liu et al., 2007). In addition, our scheme is the first one supporting
nominee-only conversion. We also enhance the security model of nominative signature for capturing this new
property.
1 INTRODUCTION
Since the introduction of undeniable signature
(Chaum and van Antwerpen, 1990; Chaum, 1990;
Chaum and van Antwerpen, 1992), there have been
many other non-self-authenticating notions intro-
duced. One of them is Nominative Signature (NS)
(Kim et al., 1996; Huang and Wang, 2004; Susilo and
Mu, 2005; Guo et al., 2006; Liu et al., 2007). An
NS scheme allows a nominator A and a nominee B to jointly generate a signature σ on a message m such that the validity of σ can only be verified by B. In addition, only B can convince a (third-party) verifier C of the validity of σ.
Although the notion of NS has been around for over a decade (Kim et al., 1996), it was not until recently that it was finally formalized (Liu et al., 2007). In the past, besides lacking a formal definition, the applicability of NS had also been questioned. In (Liu et al., 2007), it is shown that NS is a very useful tool for constructing user certification systems, which are concerned with letting a user prove the validity of his own birth certificate, driving licence and academic transcripts issued by authorities. In such a system, the user (nominee) B does not want a verifier C to disseminate B's certificate s (issued by an authority A, the nominator), while B wants to convince C that s is authentic, that is, signed by A. NS is very suitable for this type of application because NS does not allow A to prove the validity of B's certificate s. This property greatly helps protect the interests of the users.

The work was supported by a grant from CityU (Project No. 7001844).
Related Work. The notion and construction of NS were first proposed in (Kim et al., 1996). However, the construction was later found to be flawed (Huang and Wang, 2004). In (Huang and Wang, 2004), the notion of convertible NS was introduced. This variant of NS allows the nominee to convert an NS to a publicly verifiable one. A new scheme was also proposed. However, it was later found to be insecure (Susilo and Mu, 2005; Guo et al., 2006).
In (Liu et al., 2007), the first formal security model for NS was defined and a provably secure construction was proposed. This security model is currently the strongest one. However, it has no definition for the nominee-only conversion of a nominative signature into a standard signature. In their construction, the signature generation protocol requires running a three-move Witness Indistinguishable protocol (Feige and Shamir, 1990; Kurosawa and Heng, 2005).
Our Results. We propose a new construction whose signature generation protocol does not require running a three-move Witness Indistinguishable protocol. Signature generation can be completed in just two message flows between the nominator and the nominee, and therefore has a higher network efficiency than the current one (Liu et al., 2007). We also extend the security model to capture nominee-only conversion.

Liu, D. Y. W., Chang, S. and Wong, D. S. (2007). A MORE EFFICIENT CONVERTIBLE NOMINATIVE SIGNATURE. In Proceedings of the Second International Conference on Security and Cryptography, pages 214-221. DOI: 10.5220/0002124402140221. Copyright © SciTePress.
Paper Organization. We define convertible NS
and propose an enhanced security model in Sec. 2.
We then propose a new NS construction in Sec. 3.
The security analysis is given in Sec. 4. The paper
is concluded in Sec. 5.
2 DEFINITIONS AND SECURITY
MODELS
We extend the definition of NS from (Liu et al., 2007)
to a convertible NS. Specifically, in addition to the
properties captured in the definition of (Liu et al.,
2007), we also allow the nominee, but nobody else,
to convert an NS to a standard signature which can be
self-authenticated.
A nominative signature (NS) consists of five PPT (probabilistic polynomial-time) algorithms (SystemSetup, KeyGen, $\mathrm{Ver_{nominee}}$, Convert, $\mathrm{Ver_{public}}$) and three protocols (SigGen, Confirmation, Disavowal). On input a security parameter $1^k$, where $k \in \mathbb{N}$, SystemSetup is first invoked to generate a list of system parameters denoted by param. Then, $(pk, sk) \leftarrow \mathrm{KeyGen}(param)$ is executed for each entity in the system. We use A and B to denote the nominator and the nominee, respectively. Let $(pk_A, sk_A)$ be A's key pair and $(pk_B, sk_B)$ be B's. To generate an NS $\sigma$ on some message $m \in \{0,1\}^*$, A and B carry out the SigGen protocol.
Signature Space: This is determined by $pk_A$ and $pk_B$. We emphasize that the signature space has to be explicitly specified in each actual NS scheme specification.
The validity of $\sigma$ can be determined by B using $\mathrm{Ver_{nominee}}$ on input $(m, \sigma, pk_A, sk_B)$. To convince a third party C of the validity/invalidity of $\sigma$, B as prover and C as verifier carry out a Confirmation or Disavowal protocol:

Confirmation/Disavowal Protocol: B sets $\mu$ to 1 if $\mathsf{valid} \leftarrow \mathrm{Ver_{nominee}}(m, \sigma, pk_A, sk_B)$; otherwise, $\mu$ is set to 0. If $\mu = 1$, the Confirmation protocol is carried out; otherwise, the Disavowal protocol is carried out. At the end, C outputs either accept or reject while B has no output.

To convert $\sigma$ to a standard signature $\sigma_{pub}$, B runs $\mathrm{Convert}(m, \sigma, pk_A, sk_B)$. After the conversion, the validity of $\sigma_{pub}$ can be verified by running $\mathrm{Ver_{public}}(m, \sigma_{pub}, pk_A, pk_B)$.
Correctness. If all the algorithms mentioned above are executed accordingly, the NS scheme should satisfy the following requirements: (1) $\mathsf{valid} \leftarrow \mathrm{Ver_{nominee}}(m, \sigma, pk_A, sk_B)$; (2) C outputs accept at the end of the Confirmation protocol; and (3) $\mathsf{valid} \leftarrow \mathrm{Ver_{public}}(m, \sigma_{pub}, pk_A, pk_B)$.
On the security of NS, (Liu et al., 2007) defines
(1) unforgeability, (2) invisibility, (3) security against
impersonation and (4) non-repudiation. We will adopt
these definitions. Besides, we also define an addi-
tional security model for capturing the notion of (5)
nominee-only conversion.
Before elaborating the corresponding games, we
first describe some oracles that are to be provided to
adversaries:
CreateUser: On input an identity I, it generates a key pair $(pk_I, sk_I)$ using KeyGen and returns $pk_I$.

Corrupt: On input a public key pk, if pk was generated by CreateUser or is in $\{pk_A, pk_B\}$, the corresponding private key is returned; otherwise, $\bot$ is returned. pk is said to be corrupted.
SignTranscript: On input a message m, two distinct public keys $pk_1$ (the nominator) and $pk_2$ (the nominee), and one parameter called role $\in \{\mathsf{nil}, \mathsf{nominator}, \mathsf{nominee}\}$:

if role = nil, S simulates SigGen and returns $(\sigma, trans_\sigma)$, where $\sigma$ is a valid nominative signature (i.e. $\mathsf{valid} \leftarrow \mathrm{Ver_{nominee}}(m, \sigma, pk_1, sk_2)$, where $sk_2$ is the private key corresponding to $pk_2$) and $trans_\sigma$ is the transcript of the execution of SigGen;

if role = nominator, S (as nominee with public key $pk_2$) simulates a run of SigGen with the adversary (which acts as the nominator with $pk_1$);

if role = nominee, S (as nominator with $pk_1$) simulates a run of SigGen with the adversary (which acts as the nominee with $pk_2$).
Confirmation/disavowal: On input a message m, a nominative signature $\sigma$ and two public keys $pk_1$ (nominator) and $pk_2$ (nominee), let $sk_2$ be the private key corresponding to $pk_2$; the oracle responds based on whether a passive attack or an active/concurrent attack is mounted.

Passive attack: If $\mathrm{Ver_{nominee}}(m, \sigma, pk_1, sk_2)$ outputs valid, the oracle returns $\mu = 1$ and a transcript of the Confirmation protocol. Otherwise, $\mu = 0$ and a transcript of the Disavowal protocol are returned.

Active/concurrent attack: The oracle checks whether $\sigma$ is valid as in the passive attack. If so, the oracle returns $\mu = 1$ and executes the Confirmation protocol with the adversary (acting as a verifier). Otherwise, the oracle returns $\mu = 0$ and executes the Disavowal protocol with the adversary. The difference between the active and the concurrent attack is that the adversary interacts serially with the oracle in the active attack, while it interacts with different instances of the oracle concurrently in the concurrent attack.
OracleConvert: On input $(m, \sigma, pk_1, pk_2)$ such that $\mathsf{valid} \leftarrow \mathrm{Ver_{nominee}}(m, \sigma, pk_1, sk_2)$, the oracle returns $\sigma_{pub}$ such that $\mathsf{valid} \leftarrow \mathrm{Ver_{public}}(m, \sigma_{pub}, pk_1, pk_2)$.
2.1 Unforgeability
Game Unforgeability: Let S be the simulator and F be a forger.

1. (Initialization) First, $param \leftarrow \mathrm{SystemSetup}(1^k)$ is executed and key pairs $(pk_A, sk_A)$ and $(pk_B, sk_B)$ for nominator A and nominee B, respectively, are generated using KeyGen. Then F is invoked on input $(param, pk_A, pk_B)$.

2. (Attacking Phase) F can make queries to the oracles mentioned above.

3. (Output Phase) F outputs a pair $(m^*, \sigma^*)$ as a forgery of A's nominative signature on message $m^*$ with B as the nominee.

The forger F wins the game if $\mathsf{valid} \leftarrow \mathrm{Ver_{nominee}}(m^*, \sigma^*, pk_A, sk_B)$ and (1) F does not corrupt both $sk_A$ and $sk_B$; (2) $(m^*, pk_A, pk_B, role)$ has never been queried to SignTranscript for any role; (3) $(m^*, \sigma, pk_A, pk_B)$ has never been queried to Confirmation/disavowal for any $\sigma$ in the signature space with respect to $pk_A$ and $pk_B$ (see Signature Space above). F's advantage is defined to be the probability that F wins.
Definition 1 (Liu et al., 2007) An NS scheme is said
to be unforgeable if no PPT forger F has a non-
negligible advantage in
Game Unforgeability.
2.2 Invisibility
Game Invisibility: The initialization phase is the same as that of Game Unforgeability. Let D be a distinguisher that can query any of the oracles mentioned. At some point in the attacking phase, D outputs a message $m^*$ and requests a challenge nominative signature $\sigma^*$ on $m^*$. $\sigma^*$ is generated based on the outcome of a hidden coin toss b. If b = 1, $\sigma^*$ is generated using SigGen. If b = 0, $\sigma^*$ is chosen randomly from the signature space with respect to $pk_A$ and $pk_B$. At the end of the game, D outputs a guess $b'$.

D wins if $b' = b$ and (1) D does not corrupt $sk_B$; (2) $(m^*, pk_A, pk_B, role)$ has never been queried to SignTranscript; (3) $(m^*, \sigma^*, pk_A, pk_B)$ has never been queried to Confirmation/disavowal. D's advantage in this game is defined as $|\Pr[b' = b] - \frac{1}{2}|$.
Definition 2 (Liu et al., 2007) An NS scheme satis-
fies invisibility if no PPT distinguisher
D has a non-
negligible advantage in
Game Invisibility.
2.3 Security Against Impersonation
Game Impersonation: Let I be an impersonator. The initialization phase is the same as that of Game Unforgeability. The two other phases are as follows.

(Preparation Phase) I may query any of the oracles. I prepares $(m^*, \sigma^*, \mu)$, where $m^*$ is some message, $\sigma^*$ is in the signature space with respect to $pk_A$ and $pk_B$, and $\mu$ is a bit.

(Impersonation Phase) If $\mu = 1$, I (as nominee) executes the Confirmation protocol with the simulator (as a verifier). If $\mu = 0$, I executes the Disavowal protocol instead.

I wins if the simulator outputs accept in the Impersonation Phase while I has never corrupted $sk_B$ in the game. I's advantage is defined to be the probability that I wins.
Definition 3 (Liu et al., 2007) An NS scheme is secure against impersonation if no PPT impersonator I has a non-negligible advantage in Game Impersonation.
2.4 Non-repudiation
Game Non-repudiation: Let B be a cheating nominee which can query any of the oracles. The initialization phase is the same as that of Game Unforgeability. The two other phases are: (1) (Preparation Phase) B prepares $(m^*, \sigma^*)$, where $m^*$ is a message and $\sigma^*$ is in the signature space with respect to $pk_A$ and $pk_B$. (2) (Repudiation Phase) If $\mathrm{Ver_{nominee}}(m^*, \sigma^*, pk_A, sk_B) = \mathsf{valid}$, B executes the Disavowal protocol with the simulator (acting as a verifier) on $(m^*, \sigma^*, pk_A, pk_B)$; otherwise, the Confirmation protocol is carried out.

B wins the game if the simulator outputs accept in the repudiation phase. B's advantage is defined to be the probability that B wins.
Definition 4 (Liu et al., 2007) An NS scheme is secure against repudiation if no PPT cheating nominee has a non-negligible advantage in Game Non-repudiation.
We now propose an additional security requirement.
This one is for convertible NS.
2.5 Nominee-only Conversion
This security notion requires that it should be infea-
sible for anyone but the nominee to convert a valid
nominative signature to a publicly-verifiable one. We
consider the following game.
Game Nominee-only Conversion: The initialization phase is the same as that of Game Unforgeability. An adversary C can query any of the oracles. At the end of the game, C outputs $(m^*, \sigma^*, \tilde\sigma_{pub})$.

C wins if $\mathsf{valid} \leftarrow \mathrm{Ver_{nominee}}(m^*, \sigma^*, pk_A, sk_B)$ and $\mathsf{valid} \leftarrow \mathrm{Ver_{public}}(m^*, \tilde\sigma_{pub}, pk_A, pk_B)$. The restrictions are (1) C has never corrupted $sk_B$; (2) $(m^*, \sigma^*, pk_A, pk_B)$ has never been queried to OracleConvert; (3) $(m^*, \sigma, pk_A, pk_B)$ has never been queried to Confirmation/disavowal for any nominative signature $\sigma$. C's advantage is defined as the probability that C wins.
Definition 5 An NS satisfies nominee-only conver-
sion if no PPT adversary
C has a non-negligible ad-
vantage in
Game Nominee-only Conversion.
3 OUR CONSTRUCTION
In this section, we propose a new construction, which
has a higher network efficiency than the one in (Liu
et al., 2007) during signature generation and also sup-
ports nominee-only conversion.
3.1 Preliminaries
Ring Signature. Our construction makes use of a special structure of the ring signature scheme due to (Rivest et al., 2001) (the RST scheme). In the RST scheme, it is assumed that each ring member has a one-way trapdoor permutation f and its inverse $f^{-1}$ (i.e. the trapdoor). There is a random "glue" value z in each RST ring signature, and the scheme requires a block cipher $\mathrm{SE}: \{0,1\}^k \times \{0,1\}^k \to \{0,1\}^k$. We denote the output of $\mathrm{SE}(K, m)$ by $\mathrm{SE}_K(m)$. Let $\mathrm{SE}^{-1}$ be the decryption algorithm of the block cipher.
Verifiable Decryption. A verifiable decryption (VD) scheme for a relation $\mathcal{R}$ (Camenisch and Shoup, 2003) has an encryption/decryption algorithm pair (Enc, Dec) associated with a verification protocol suite which allows a prover who possesses the secret key of a public key pk to convince a verifier that, given $\delta$ and a ciphertext $\psi$ encrypted under pk, $\psi$ is the encryption of $\omega$ where $(\omega, \delta) \in \mathcal{R}$. In other words, the prover is the decryptor who holds the secret key sk.

In our NS scheme, we adopt the proof protocols for VD of discrete logarithms due to (Camenisch and Shoup, 2003) to implement the Confirmation/Disavowal protocols. The protocols of (Camenisch and Shoup, 2003) are special honest-verifier zero-knowledge (SHVZK). In our NS scheme, however, we need concurrent zero-knowledge (CZK) protocols for the security proofs. Therefore, we apply the standard transformations (Goldreich and Kahan, 1996; Cramer et al., 2000; Damgård, 2000; Gennaro, 2004) and convert them to CZK variants in the common reference string (CRS) model.
3.2 Our Scheme
SystemSetup: It generates a cyclic group G of k-bit prime order p and a random generator g. Assume that each element of G can be encoded distinctly into a k-bit binary string. Let $H: \{0,1\}^* \to \{0,1\}^k$ be a hash function. Set $param = (1^k, \mathrm{SE}, G, p, g, H)$.

KeyGen: For nominator A, it generates $(f_A, f_A^{-1})$, a pair of signing and verification algorithms $(\mathrm{Sig}_A, \mathrm{Ver}_A)$ and a VD encryption/decryption pair $(\mathrm{Enc}_A, \mathrm{Dec}_A)$. Set $pk_A = (f_A, \mathrm{Ver}_A, \mathrm{Enc}_A)$ and $sk_A = (f_A^{-1}, \mathrm{Sig}_A, \mathrm{Dec}_A)$. Nominee B's key pair is generated similarly.
SigGen Protocol: Let $m \in \{0,1\}^*$ be a message. The protocol is carried out as follows.

1. B picks $r \in_R \mathbb{Z}_p$, computes $R_B = g^r$ and sends $R_B$ to A.

2. (RST scheme) A picks $z \in_R \{0,1\}^k$ and computes $y_B = f_B(R_B)$, $y_A = \mathrm{SE}_K^{-1}(z) \oplus \mathrm{SE}_K(z \oplus y_B)$, and $R_A = f_A^{-1}(y_A)$, where $K = H(m \| pk_A \| pk_B)$. $\sigma_{ring} = (z, R_A, R_B)$ forms a ring signature on "message" K. A sends $\sigma_{ring}$ to B.

3. B checks if $z = \mathrm{SE}_K(\mathrm{SE}_K(z \oplus f_B(R_B)) \oplus f_A(R_A))$ and $R_B = g^r$. If so, B outputs $\sigma = (\sigma_{ring}, \mathrm{Enc}_B(r), \sigma_{standard})$, where $\sigma_{standard} = \mathrm{Sig}_B(m \| \sigma_{ring} \| \mathrm{Enc}_B(r))$.
(Signature Space.) $\sigma = (\sigma_1, \sigma_2, \sigma_3)$ is in the signature space with respect to $pk_A$ and $pk_B$ if $\sigma_1$ is a valid ring signature on "message" K, $\sigma_2$ is properly formed with respect to the VD scheme, i.e., $\sigma_2$ can be properly decrypted to some plaintext, and $\sigma_3$ is a valid standard signature of B on "message" $m \| \sigma_1 \| \sigma_2$ (i.e. with respect to $\mathrm{Ver}_B$). Note that if $\sigma$ is in the signature space, it does not imply that $\sigma$ is a valid NS. The validity can only be verified by B:
$\mathrm{Ver_{nominee}}$: On input $(m, \sigma, pk_A, sk_B)$ where $\sigma = (\sigma_{ring}, \mathrm{Enc}_B(r), \sigma_{standard})$ is in the signature space, compute $r = \mathrm{Dec}_B(\mathrm{Enc}_B(r))$ and check if

1. $\sigma_{ring} = (z, R_A, R_B)$ is valid, i.e. $z = \mathrm{SE}_K(\mathrm{SE}_K(z \oplus f_B(R_B)) \oplus f_A(R_A))$;

2. $\mathrm{Ver}_B(m \| \sigma_{ring} \| \mathrm{Enc}_B(r), \sigma_{standard}) = 1$; and

3. $R_B = g^r$.

If all of them are correct, output valid; otherwise, output invalid.
Confirmation/Disavowal Protocol: On input $(m, \sigma, pk_A, pk_B)$ where $\sigma$ is in the signature space, if $\mathsf{valid} \leftarrow \mathrm{Ver_{nominee}}(m, \sigma, pk_A, sk_B)$, B sets $\mu = 1$; otherwise, B sets $\mu = 0$.

If $\mu = 1$, B proves to C that the decryption of $\mathrm{Enc}_B(r)$ is a discrete logarithm of $R_B$ using the corresponding VD protocol.

If $\mu = 0$, B proves to C that the decryption of $\mathrm{Enc}_B(r)$ is NOT a discrete logarithm of $R_B$ using the corresponding VD protocol.
Convert: On input $(m, \sigma, pk_A, sk_B)$ such that $\mathsf{valid} \leftarrow \mathrm{Ver_{nominee}}(m, \sigma, pk_A, sk_B)$, B outputs a standard signature $\sigma_{pub} = (\sigma, r)$.

$\mathrm{Ver_{public}}$: On input $(m, \sigma_{pub}, pk_A, pk_B)$, check if all of the following hold:

1. $\sigma_{ring} = (z, R_A, R_B)$ is valid, that is, $z = \mathrm{SE}_K(\mathrm{SE}_K(z \oplus f_B(R_B)) \oplus f_A(R_A))$;

2. $\mathrm{Ver}_B(m \| \sigma_{ring} \| \mathrm{Enc}_B(r), \sigma_{standard}) = 1$; and

3. $R_B = g^r$.

Output valid if all of them hold; otherwise, output invalid.
Discussion. In the SigGen protocol, there are only two message flows between A and B. Compared with (Liu et al., 2007), our construction does not need a three-move Witness Indistinguishable protocol, and therefore has a higher network efficiency. It remains an open problem whether a non-interactive SigGen protocol can be built, namely one with only one message flow between A and B.
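The following is an added example, not code from the paper: a toy, runnable instantiation of the Sec. 3.2 scheme that shows the two-flow SigGen protocol with the RST ring structure, the nominee-only check $\mathrm{Ver_{nominee}}$, Convert and $\mathrm{Ver_{public}}$. Everything below is an assumption of this example rather than the paper's choice: $f_A, f_B$ are textbook RSA permutations extended to $\{0,1\}^{64}$ in the RST manner, SE is a four-round SHA-256 Feistel network standing in for a block cipher, $\mathrm{Enc}_B$ is ElGamal over $\mathbb{Z}_P^*$ and $\mathrm{Sig}_B$ is a Schnorr signature (in place of the Camenisch-Shoup verifiable decryption scheme and a generic EUF-CMA signature), and the parameter sizes are far too small for real use. The sample message is constructed. The demo also shows the remark in the Signature Space paragraph: a tuple can be in the signature space (valid ring signature, well-formed ciphertext, valid $\mathrm{Sig}_B$) and still be an invalid NS because the ciphertext does not contain the discrete logarithm of $R_B$.

```python
# Added example (not the paper's code): toy instantiation of the Sec. 3.2 scheme.
# Stand-ins chosen here, NOT by the paper: f_A/f_B = RSA extended to {0,1}^64 the
# RST way; SE = 4-round SHA-256 Feistel toy block cipher; Enc_B = ElGamal over
# Z_P^*; Sig_B = Schnorr in the same group. Parameters are toy-sized.
import hashlib, math, secrets

K_BITS, M64, M32 = 64, (1 << 64) - 1, (1 << 32) - 1   # block length k of SE
P, G = (1 << 61) - 1, 3                                # toy prime and base g

def sha(*parts):                      # H: hash of the concatenated parts -> int
    return int.from_bytes(hashlib.sha256("|".join(map(str, parts)).encode()).digest(), "big")

def is_prime(n):                      # deterministic Miller-Rabin for n < 3.3e24
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or (n not in bases and any(n % a == 0 for a in bases)): return n in bases
    d, s = n - 1, 0
    while d % 2 == 0: d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1): continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1: break
        else: return False
    return True

def rand_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(c): return c

def ext_perm(n, exp, x):              # RST: extend RSA on Z_n to a permutation of {0,1}^64
    q, r = divmod(x, n)
    return q * n + pow(r, exp, n) if (q + 1) * n <= (1 << K_BITS) else x

def SE(K, x, inv=False):              # toy 64-bit Feistel block cipher keyed by K (SE / SE^-1)
    L, R = x >> 32, x & M32
    for i in (range(3, -1, -1) if inv else range(4)):
        if inv: L, R = R ^ (sha(K, i, L) & M32), L
        else:   L, R = R, L ^ (sha(K, i, R) & M32)
    return (L << 32) | R

def enc(h, r):                        # Enc_B stand-in: ElGamal encryption of r
    k = secrets.randbelow(P - 2) + 1
    return (pow(G, k, P), r * pow(h, k, P) % P)
def dec(y, ct):                       # Dec_B: c2 * c1^(-y) mod P
    return ct[1] * pow(ct[0], P - 1 - y, P) % P

def sign(x, msg):                     # Sig_B stand-in: Schnorr signature
    t = secrets.randbelow(P - 2) + 1
    T = pow(G, t, P)
    return (T, (t + sha(T, msg) % (P - 1) * x) % (P - 1))
def verify(Y, msg, sig):              # Ver_B
    T, s = sig
    return pow(G, s, P) == T * pow(Y, sha(T, msg) % (P - 1), P) % P

def keygen():                         # KeyGen: pk = (f, Ver, Enc), sk = (f^-1, Sig, Dec)
    while True:
        p, q = rand_prime(31), rand_prime(31)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and math.gcd(65537, phi) == 1: break
    x, y = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    return dict(n=n, Y=pow(G, x, P), h=pow(G, y, P)), dict(n=n, d=pow(65537, -1, phi), x=x, y=y)
def f(pk, v): return ext_perm(pk["n"], 65537, v)     # f (public direction)
def f_inv(sk, v): return ext_perm(sk["n"], sk["d"], v)  # f^-1 (needs the trapdoor)

def ring_ok(m, pkA, pkB, ring):       # z == SE_K(SE_K(z xor f_B(R_B)) xor f_A(R_A))
    z, R_A, R_B = ring
    K = sha(m, pkA, pkB) & M64        # K = H(m || pk_A || pk_B)
    return z == SE(K, SE(K, z ^ f(pkB, R_B)) ^ f(pkA, R_A))

def siggen(m, pkA, skA, pkB, skB):    # both parties of the two-flow SigGen, run in one process
    r = secrets.randbelow(P - 2) + 1  # flow 1, B -> A: R_B = g^r
    R_B = pow(G, r, P)
    K = sha(m, pkA, pkB) & M64        # flow 2, A -> B: RST ring signature on "message" K
    z = secrets.randbits(K_BITS)
    y_A = SE(K, z, inv=True) ^ SE(K, z ^ f(pkB, R_B))
    ring = (z, f_inv(skA, y_A), R_B)
    if not (ring_ok(m, pkA, pkB, ring) and ring[2] == pow(G, r, P)):   # B's step 3 check
        raise ValueError("nominee rejects sigma_ring")
    ct = enc(pkB["h"], r)
    return (ring, ct, sign(skB["x"], (m, ring, ct)))   # sigma = (ring, Enc_B(r), Sig_B(...))

def ver_nominee(m, sigma, pkA, pkB, skB):   # only the holder of Dec_B can run this
    ring, ct, std = sigma
    r = dec(skB["y"], ct)
    return ring_ok(m, pkA, pkB, ring) and verify(pkB["Y"], (m, ring, ct), std) and ring[2] == pow(G, r, P)

def convert(sigma, skB): return (sigma, dec(skB["y"], sigma[1]))   # sigma_pub = (sigma, r)
def ver_public(m, sigma_pub, pkA, pkB):     # anyone can check sigma_pub
    (ring, ct, std), r = sigma_pub
    return ring_ok(m, pkA, pkB, ring) and verify(pkB["Y"], (m, ring, ct), std) and ring[2] == pow(G, r, P)

def demo(m="birth certificate no. 1234"):   # constructed sample message
    pkA, skA = keygen(); pkB, skB = keygen()
    sigma = siggen(m, pkA, skA, pkB, skB)
    ring, ct, std = sigma
    bad_glue = ((ring[0] ^ 1, ring[1], ring[2]), ct, std)      # flipped glue bit breaks the ring equation
    ct2 = enc(pkB["h"], dec(skB["y"], ct) + 1)                 # well-formed ciphertext of the wrong r
    in_space = (ring, ct2, sign(skB["x"], (m, ring, ct2)))     # in the signature space, but not a valid NS
    return dict(valid=ver_nominee(m, sigma, pkA, pkB, skB),
                bad_glue=ver_nominee(m, bad_glue, pkA, pkB, skB),
                in_space_but_invalid=ver_nominee(m, in_space, pkA, pkB, skB),
                converted=ver_public(m, convert(sigma, skB), pkA, pkB),
                wrong_r=ver_public(m, (sigma, 12345), pkA, pkB))

if __name__ == "__main__":
    print(demo())
```

Note that A never needs $\mathrm{Dec}_B$: in `siggen` the nominator's step uses only the public direction `f(pkB, ·)` and its own trapdoor `f_inv(skA, ·)`, while `ver_nominee` is the only routine that calls `dec` with B's key, which is exactly the asymmetry the scheme is built on.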
4 SECURITY ANALYSIS
Lemma 1 (Cheating Nominee) Let $k \in \mathbb{N}$ be a security parameter. If a $(t, \varepsilon, Q)$-nominee can forge a valid NS with probability at least $\varepsilon$ after running in time at most t and making at most Q queries, there exists a $(t', \varepsilon')$-adversary which can invert a trapdoor one-way permutation with probability at least $\varepsilon' = Q^{-2}(1 - 2^{-k})\varepsilon$ after running in time at most $t' = t + Q t_q + c$, where $t_q$ is the maximum time for simulating one oracle query and c is some constant.

Lemma 2 (Cheating Nominator) If a $(t, \varepsilon, Q)$-nominator can forge a valid NS, there exists a $(t', \varepsilon')$-adversary which can existentially forge a standard signature under chosen message attacks (Goldwasser et al., 1988) with probability at least $\varepsilon' = (1 - 2^{-k} Q)\varepsilon$ after running in time at most $t' = t + Q t_q + c$, where $t_q$ is the maximum time for simulating one oracle query and c is some constant.
Theorem 1 (Unforgeability) The NS scheme proposed above is unforgeable (Def. 1) if there exist trapdoor one-way permutations and existentially unforgeable signature schemes secure against chosen message attacks (Goldwasser et al., 1988).

This theorem follows directly from Lemmas 1 and 2. Proofs of the lemmas are in Appendix A.
Theorem 2 (Invisibility) If there exists a $(t, \varepsilon, Q)$-distinguisher D in Game Invisibility and existentially unforgeable signature schemes secure against chosen message attacks (Goldwasser et al., 1988) exist, then there exists a $(t', \varepsilon')$-distinguisher $D_{Enc}$ which has advantage at least $\varepsilon' = \varepsilon$ in an adaptive chosen ciphertext attack against the encryption algorithm of VD, running in time at most $t' = t + Q t_q + c$, where $t_q$ is the maximum time for simulating one oracle query and c denotes some constant time for system setup and key generation.
Theorem 3 (Nominee-only Conversion) The convertible NS scheme proposed satisfies nominee-only conversion (Def. 5) if there exist trapdoor one-way permutations and existentially unforgeable signature schemes secure against chosen message attacks (Goldwasser et al., 1988).

All proofs above are in Appendix A.
Both the confirmation and the disavowal protocol in this scheme are zero-knowledge. Therefore, the scheme already satisfies the requirement of security against impersonation (Def. 3). In addition, by using the technique of Theorem 2, it can be shown that compromising the security against impersonation of this scheme reduces to compromising the underlying zero-knowledge confirmation/disavowal protocols for VD of discrete logarithms in (Camenisch and Shoup, 2003). We skip the details, but readers can readily derive the reduction from the proof technique of Theorem 2.

The scheme also satisfies the requirement that the nominee cannot repudiate (Def. 4). This follows directly from the soundness property of the underlying VD of discrete logarithm protocol (Camenisch and Shoup, 2003).
5 CONCLUSION
We proposed a convertible NS scheme which does not require running a three-move Witness Indistinguishable protocol for signature generation; only two message flows are required to complete the generation. This gives our construction an advantage in network efficiency over the one in (Liu et al., 2007). We also enhanced the security model of (Liu et al., 2007) to capture nominee-only conversion. It remains an open problem to construct an NS with a non-interactive signature generation process.
REFERENCES
Camenisch, J. and Shoup, V. (2003). Practical verifiable
encryption and decryption of discrete logarithms. In
CRYPTO 2003, pages 126–144.
Chaum, D. (1990). Zero-knowledge undeniable signatures.
In Proc. EUROCRYPT 90, pages 458–464. Springer-
Verlag. LNCS 473.
Chaum, D. and van Antwerpen, H. (1990). Undeniable
signatures. In Proc. CRYPTO 89, pages 212–216.
Springer-Verlag. LNCS 435.
Chaum, D. and van Antwerpen, H. (1992). Cryptograph-
ically strong undeniable signatures, unconditionally
secure for the signer. In Proc. CRYPTO 91, pages
470–484. Springer-Verlag. LNCS 576.
Cramer, R., Damgård, I., and MacKenzie, P. D. (2000). Efficient zero-knowledge proofs of knowledge without intractability assumptions. In PKC 00, pages 354–372.
Damgård, I. (2000). Efficient concurrent zero-knowledge in the auxiliary string model. In EUROCRYPT 00, pages 418–430.
Feige, U. and Shamir, A. (1990). Witness indistinguish-
able and witness hiding protocols. In Proc. 22nd ACM
Symp. on Theory of Computing, pages 416–426.
Gennaro, R. (2004). Multi-trapdoor commitments and their
applications to proofs of knowledge secure under con-
current man-in-the-middle attacks. In CRYPTO 04,
pages 220–236.
Goldreich, O. and Kahan, A. (1996). How to construct constant-round zero-knowledge proof systems for NP. J. Cryptology, 9(3).
Goldwasser, S., Micali, S., and Rivest, R. (1988). A dig-
ital signature scheme secure against adaptive chosen-
message attack. SIAM J. Computing, 17(2):281–308.
Guo, L., Wang, G., and Wong, D. (2006). Further dis-
cussions on the security of a nominative signature
scheme. Cryptology ePrint Archive, Report 2006/007.
Huang, Z. and Wang, Y. (2004). Convertible nomina-
tive signatures. In Proc. of Information Security and
Privacy (ACISP’04), pages 348–357. Springer-Verlag.
LNCS 3108.
Kim, S. J., Park, S. J., and Won, D. H. (1996). Zero-
knowledge nominative signatures. In PragoCrypt’96,
International Conference on the Theory and Applica-
tions of Cryptology, pages 380–392.
Kurosawa, K. and Heng, S. (2005). 3-move undeniable sig-
nature scheme. In Proc. EUROCRYPT 2005, pages
181–197. LNCS 3494.
Liu, D. Y. W., Wong, D. S., Huang, X., Wang, G., Huang,
Q., Mu, Y., and Susilo, W. (2007). Nominative sig-
nature: Application, security model and construc-
tion. Cryptology ePrint Archive, Report 2007/069.
http://eprint.iacr.org/2007/069.
Rivest, R., Shamir, A., and Tauman, Y. (2001). How to leak
a secret. In Proc. ASIACRYPT 2001, pages 552–565.
Springer-Verlag. LNCS 2248.
Susilo, W. and Mu, Y. (2005). On the security of nomina-
tive signatures. In Proc. of Information Security and
Privacy (ACISP’05), pages 329–335. Springer-Verlag.
LNCS 3547.
A APPENDIX
A.1 Proof of Lemma 1
Proof. Suppose a $(t, \varepsilon, Q)$-forger F, after obtaining $sk_B = (f_B^{-1}, \mathrm{Dec}_B, \mathrm{Sig}_B)$ via Corrupt, can win Game Unforgeability with probability at least $\varepsilon$ by producing a valid nominative signature $\sigma^* = (\sigma_{ring}^*, \mathrm{Enc}_B(r^*), \sigma_{standard}^*)$ on some message $m^*$ after running in time at most t and making at most Q queries (all kinds of oracle queries, including game-specific oracles and random oracles). We construct a $(t', \varepsilon')$-algorithm S which inverts a trapdoor one-way permutation $\hat f: \{0,1\}^k \to \{0,1\}^k$ on some random input $\hat y \in_R \{0,1\}^k$ with probability at least $\varepsilon'$ after running in time at most $t'$. We will derive the values of $\varepsilon'$ and $t'$ in this proof. Let the ring signature $\sigma_{ring}^*$ on "message" $K^*$ be $(z^*, R_A^*, R_B^*)$. Assume that all hash evaluations and $\mathrm{SE}/\mathrm{SE}^{-1}$ evaluations made by F are obtained through oracle access.
Game Simulation: S first generates param according to SystemSetup, and sets nominator A's public key to $pk_A = (\hat f, \mathrm{Ver}_A, \mathrm{Enc}_A)$ and private key to $sk_A = (\bot, \mathrm{Sig}_A, \mathrm{Dec}_A)$, where $\bot$ denotes an empty string, as the trapdoor information of $\hat f$ is unavailable to S. For nominee B, the public and private keys are all generated according to KeyGen. Then F is invoked on $(1^k, pk_A, pk_B)$. Oracles are also simulated.

For oracle CreateUser, a new key pair is generated using KeyGen and the public key is returned. For oracle Corrupt, for example, if B is queried, $sk_B$ is returned. As restricted by the game and the statement of this lemma, A's private key cannot be compromised by F. For a SignTranscript query, there are three cases:
Case (1): If role = nil, a nominative signature is simulated by following SigGen. There is one exception: if A is indicated as the nominator (i.e. $pk_1 = pk_A$ in Game Unforgeability), S is unable to follow the protocol to compute an inversion of $\hat f$. But thanks to the random oracle, S can do the evaluation of $\hat f$ and assign the appropriate $\mathrm{SE}/\mathrm{SE}^{-1}$ evaluations with a randomly generated 'glue' value $z \in_R \{0,1\}^k$. This simulation is computationally indistinguishable from a real execution due to the idealness of random oracles.
Case (2): If role = nominator, S simulates an execution of the SigGen protocol with F. S acts as the nominee. Similar to Case (1), S can simply follow the exact execution of the SigGen protocol even if the nominee is A. This is because when A is the nominee, A does not need to invert $\hat f$.
Case (3): If role = nominee, S acts as nominator and simulates an execution of the SigGen protocol with F. During the simulation, S follows the execution of the SigGen protocol except when the nominator is indicated as A. In this case, we use the strategy described in Case (1) by assigning appropriate $\mathrm{SE}/\mathrm{SE}^{-1}$ evaluations such that S only needs to evaluate the forward direction of $\hat f$. Note that by following the specification of the SigGen protocol, S acting as A only needs to compute the ring signature component after receiving the first message $R_{\tilde B}$ from F, which is acting as nominee $\tilde B$. Hence by randomly generating $z \in_R \{0,1\}^k$ and properly adjusting the $\mathrm{SE}/\mathrm{SE}^{-1}$ evaluations on $(z \oplus f_{\tilde B}(R_{\tilde B}))$ and z, S does not need to invert $\hat f$.
For Confirmation/disavowal and OracleConvert queries, since S has all parties' private key component Dec, S can always carry out the confirmation/disavowal protocols and perform the standard signature conversion.
Reduction: We follow the argument of the "gap" technique used in the soundness proof of the ring signature of (Rivest et al., 2001). The "gap" technique is based on the observation that the valid ring signature $\sigma_{ring}^*$ forged by F must have a gap somewhere between two cyclically consecutive occurrences of SE, and F must be forced to fill in this gap by computing the inverse of the corresponding trapdoor one-way permutation. Since F has to query S for the results of SE and $\mathrm{SE}^{-1}$ evaluations, S can make use of the two $\mathrm{SE}/\mathrm{SE}^{-1}$ queries which form the gap to assign the desired $\hat y$. If F makes at most Q queries, the probability that S guesses correctly the two $\mathrm{SE}/\mathrm{SE}^{-1}$ queries is at least $Q^{-2}$. In $\sigma_{ring}^*$, there are only two possible gaps. One is at $y_2 = f_B(R_B^*)$ and the other one at $y_1 = \hat f(R_A^*)$. If the gap is at $y_2$, then with probability at most $2^{-k}$ is $f_B^{-1}(y_2)$ of the form $g^r$ where $r \in_R \mathbb{Z}_p$, since $y_2$ is uniformly distributed over $\{0,1\}^k$. Therefore, with probability $(1 - 2^{-k})$, the gap is at $y_1$. S's goal is to set $y_1$ to $\hat y$. As described above, S randomly picks two $\mathrm{SE}/\mathrm{SE}^{-1}$ queries as its guess of the two $\mathrm{SE}/\mathrm{SE}^{-1}$ queries forming the gap. Once F outputs $\sigma_{ring}^* = (z^*, R_A^*, R_B^*)$, S outputs $R_A^*$ as the result of $\hat f^{-1}(\hat y)$.

Hence if the advantage of F in Game Unforgeability is $\varepsilon$, the probability that S inverts the trapdoor one-way permutation is at least $Q^{-2}(1 - 2^{-k})\varepsilon$. If each random oracle query takes at most time $t_q$ to finish, the simulation time of the game for F is at most $t + Q t_q + c$, where c denotes some constant time for system setup and key generation.
A.2 Proof of Lemma 2
Proof. Suppose a $(t, \varepsilon, Q)$-forger F, after obtaining via oracle Corrupt the nominator A's private key $sk_A = (f_A^{-1}, \mathrm{Sig}_A, \mathrm{Dec}_A)$, is able to win Game Unforgeability with probability at least $\varepsilon$ by producing a valid nominative signature $\sigma^* = (\sigma_{ring}^*, \mathrm{Enc}_B(r^*), \sigma_{standard}^*)$ on some message $m^*$ after running in time at most t and making at most Q queries, where $\sigma_{standard}^*$ is a standard signature of nominee B on "message" $m^* \| \sigma_{ring}^* \| \mathrm{Enc}_B(r^*)$. We construct a $(t', \varepsilon')$-algorithm S which forges a signature with respect to a standard signature scheme $(\mathrm{Sig}^*, \mathrm{Ver}^*)$ with probability at least $\varepsilon'$, in the model of existential forgery against chosen message attacks (Goldwasser et al., 1988), after running in time at most $t'$. In the standard signature forgery game, S is given a problem instance $\mathrm{Ver}^*$ but not $\mathrm{Sig}^*$, and S is to output a pair $(\tilde m, \tilde\sigma)$ such that $\mathrm{Ver}^*(\tilde m, \tilde\sigma) = 1$ after adaptively querying a signing oracle. The restriction is that $\tilde m$ has never been queried to the signing oracle.
In the simulation of Game Unforgeability, S sets the public key of nominee B to $pk_B = (f_B, \mathrm{Ver}^*, \mathrm{Enc}_B)$ and private key to $sk_B = (f_B^{-1}, \bot, \mathrm{Dec}_B)$. The simulation is similar to that in the proof of Lemma 1, with the exception that each query for B's standard signature is forwarded by S to the signing oracle of $\mathrm{Sig}^*$ and the answer is relayed back.
First, we show that with probability at most $2^{-k} Q$, the ring signature $\sigma_{ring}^*$ in $\sigma^*$ is an output of oracle SignTranscript. As restricted by Game Unforgeability, $(m^*, pk_A, pk_B, role)$ should never have been queried to oracle SignTranscript. Hence if oracle SignTranscript has output a nominative signature which contains the ring signature $\sigma_{ring}^*$, it should be a valid ring signature for some other message, say $\hat K$, with respect to ring members identified by $pk_1$ and $pk_2$. Since S simulates all the hash functions and $\mathrm{SE}/\mathrm{SE}^{-1}$ evaluations by picking return values uniformly at random from the corresponding spaces, the chance that there is at least one valid output of SignTranscript that contains $\sigma_{ring}^*$ is at most $2^{-k} Q$.
Hence when
F outputs a forgery, σ
standard
must
be a forgery with respect to (Sig
,Ver
) on message
˜m = m
kσ
ring
kEnc
B
(r)
with exceptional probabil-
ity of at most 2
k
Q. If the advantage of
F in Game
Unforgeability
is ε, the probability that S existen-
tially forges a signature with respect to (Sig
,Ver
)
is at least ε
= (1 2
k
Q)ε. Similar to the proof
of Lemma 1, the running time of
S is at most t
=
t + Qt
q
+ c.
A.3 Proof of Theorem 2

Proof. We show that if there exists a distinguisher $\mathcal{D}$ with advantage $\varepsilon$ in Game Invisibility, then we can construct a distinguisher $\mathcal{D}_{\mathrm{Enc}}$ for the encryption algorithm $(\mathrm{Enc}, \mathrm{Dec})$ of the VD scheme with advantage $\varepsilon'$, which is a polynomial in $\varepsilon$.

To simulate Game Invisibility, $\mathcal{D}_{\mathrm{Enc}}$ carries out simulations similar to those described in the proof of Lemma 1. $\mathcal{S}$ sets the public key of nominee B to $pk_B = (f_B, \mathrm{Ver}, \mathrm{Enc})$ and the private key to $sk_B = (f_B^{-1}, \mathrm{Sig},\ \ )$, where the decryption component, which the simulator does not hold, is left empty.
For a Confirmation/disavowal query with B as the nominee, although $\mathcal{D}_{\mathrm{Enc}}$ does not have $\mathrm{Dec}_B$, $\mathcal{D}_{\mathrm{Enc}}$ can carry out the confirmation/disavowal protocols, as $\mathcal{D}_{\mathrm{Enc}}$ is always the one who generated the queried nominative signature (regardless of its validity). This is because of the security of the underlying signature scheme. Since $\mathcal{D}$ does not get access to $\mathrm{Sig}$, under the security of the signature scheme the queried nominative signature must have its third component generated by $\mathcal{D}_{\mathrm{Enc}}$. In this case, it is also $\mathcal{D}_{\mathrm{Enc}}$ who prepared the second component. Therefore, $\mathcal{D}_{\mathrm{Enc}}$ can always carry out the confirmation/disavowal protocols.
For an OracleConvert query on input $(m, \sigma, pk_1, pk_2)$, $\mathcal{D}_{\mathrm{Enc}}$ simulates it according to Convert, but with one exception. If $pk_2 = pk_B$, that is, the nominee of the query is indicated as B, $\mathcal{D}_{\mathrm{Enc}}$ does not know $\mathrm{Dec}$. Similar to the above, it must be $\mathcal{D}_{\mathrm{Enc}}$ who generated $\sigma$, due to the unforgeability of $\mathrm{Sig}$. The simulator maintains a list $L$ containing pairs $(\sigma, r)$ where $R_B = g^r$ and $r \leftarrow_R \mathbb{Z}_p$. When $\mathcal{D}_{\mathrm{Enc}}$ receives a Convert query, it searches $L$ and locates the corresponding $r$. The output is then $\sigma_{\mathrm{pub}} = (\sigma, r)$.
At some point in the attacking phase, $\mathcal{D}$ outputs a message $m^*$ and requests a challenge nominative signature $\sigma^*$ on $m^*$. Let $r_0, r_1$, selected by $\mathcal{D}_{\mathrm{Enc}}$, be the challenge messages, and let $\mathrm{Enc}_B(r_b)$ for $b \in \{1, 0\}$ be the return value of the encryption oracle for $\mathcal{D}_{\mathrm{Enc}}$. The challenge $\sigma^*$ is generated based on the outcome of a hidden coin toss $b'$. If $b' = 1$, $\sigma^*$ is generated by running SigGen using $\mathrm{Enc}_B(r_b)$ and $r_1$. If $b' = 0$, $\sigma^*$ is generated by running SigGen using $\mathrm{Enc}_B(r_b)$ and $r_0$.

At the end of the simulation, there are two cases:

If $b' = 0$: if $\mathcal{D}$ outputs 0, then $\mathcal{D}_{\mathrm{Enc}}$ outputs 0; otherwise $\mathcal{D}_{\mathrm{Enc}}$ outputs 1.

If $b' = 1$: if $\mathcal{D}$ outputs 1, then $\mathcal{D}_{\mathrm{Enc}}$ also outputs 1; otherwise $\mathcal{D}_{\mathrm{Enc}}$ outputs 0.

If $\mathcal{D}$ has advantage $\varepsilon$, then $\mathcal{D}_{\mathrm{Enc}}$ will have advantage $\varepsilon' = \varepsilon$. Similar to Lemma 1, the running time of $\mathcal{D}_{\mathrm{Enc}}$ will be at most $t' = t + Qt_q + c$.
A.4 Proof of Theorem 3

Proof. By Theorem 1, the scheme is unforgeable with respect to Def. 1 if there exist a trapdoor one-way permutation and a standard signature scheme which is existentially unforgeable against chosen message attacks. In Game Nominee-only Conversion, adversary $\mathcal{C}$ can corrupt A's private key but not B's private key. Hence if $\mathcal{C}$ wins and outputs a triple $(m^*, \sigma^*, \tilde{\sigma}_{\mathrm{pub}})$ such that $\mathrm{valid} \leftarrow \mathrm{Ver}_{\mathrm{nominee}}(m^*, \sigma^*, pk_A, sk_B)$ and $\mathrm{valid} \leftarrow \mathrm{Ver}_{\mathrm{public}}(m^*, \tilde{\sigma}_{\mathrm{pub}}, pk_A, pk_B)$, then $\sigma^*$ must have been generated by the game simulator via a SignTranscript query rather than by $\mathcal{C}$, with negligible exceptional probability. The game simulation is the same as that in the proof of Theorem 2.

We now show that if there exists a $(t, \varepsilon, Q)$-adversary $\mathcal{C}$ in Game Nominee-only Conversion, then there exists a $(t', \varepsilon')$-distinguisher $\mathcal{D}_{\mathrm{Enc}}$ which has advantage at least $\varepsilon' = \varepsilon$ in launching an adaptive chosen ciphertext attack on the underlying encryption scheme, running in at most time $t' = t + Qt_q + c$, where $t_q$ is the maximum time for simulating one oracle query and $c$ denotes some constant time for system setup and key generation.
Let $r_0, r_1$ be the challenge messages selected by $\mathcal{D}_{\mathrm{Enc}}$, and let $\mathrm{Enc}_B(r_b)$, for $b \in \{1, 0\}$, be the return value of the encryption oracle. $\mathcal{D}_{\mathrm{Enc}}$ randomly picks a query to SignTranscript and uses $r_i$, where $i \leftarrow_R \{1, 0\}$, together with $\mathrm{Enc}_B(r_b)$ for generating $\tilde{\sigma}$. Let $E$ be the event that $\mathcal{D}_{\mathrm{Enc}}$ does not abort when $\mathcal{C}$ outputs $(m^*, \sigma^*, \tilde{\sigma}_{\mathrm{pub}})$ with $\tilde{\sigma} = \sigma^*$. Obviously, $\Pr[E]$ is at least $1/Q$.

For event $E$, if the probability that $\mathcal{C}$ wins in Game Nominee-only Conversion is $\varepsilon$, $\mathcal{D}_{\mathrm{Enc}}$ will win with probability $\frac{\varepsilon}{2}$. For event $\bar{E}$, the probability that $\mathcal{D}_{\mathrm{Enc}}$ wins is only $\frac{1}{2}$, since $\mathcal{D}_{\mathrm{Enc}}$ has to guess. Therefore, the probability that $\mathcal{D}_{\mathrm{Enc}}$ wins is equal to $\Pr[E] \cdot \frac{\varepsilon}{2} + \Pr[\bar{E}] \cdot \frac{1}{2}$. Since $\Pr[E]$ is at least $1/Q$, the winning probability of $\mathcal{D}_{\mathrm{Enc}}$ is at least $\frac{\varepsilon}{2Q} + \frac{1}{2}$. Similar to Lemma 2, the running time of $\mathcal{D}_{\mathrm{Enc}}$ is at most $t + Qt_q + c$.