ON THE SECURITY OF ADDING CONFIRMERS INTO
DESIGNATED CONFIRMER SIGNATURES
Wataru Senga and Hiroshi Doi
Institute of Information Security, 2-14-1 Tsuruya-cho, Kanagawa-ku, Yokohama-shi, Kanagawa-ken, 221-0835, Japan
Keywords:
Designated confirmer signature, Digital signature, Bilinear groups.
Abstract:
In a designated confirmer signature (DCS) scheme, a signature can be verified only by interacting with a semi-trusted third party called the confirmer. In previous DCS schemes, the confirmer is designated at the time of signature generation, so once the designated confirmer becomes unavailable, no one can verify the validity of the signature. In this paper, we introduce an extended DCS scheme in which confirmers can be added after the signature is generated. We give the new model and security definitions, and propose a concrete scheme that is provably secure without random oracles.
1 INTRODUCTION
In ordinary digital signatures, anybody can verify a signature using public information. However, depending on the application, it may be undesirable that everyone can freely verify the signature. To solve this problem, Chaum and van Antwerpen introduced the notion of Undeniable Signatures (Chaum and van Antwerpen, 1990). Unlike ordinary digital signatures, undeniable signatures cannot be verified without the signer's cooperation. However, if the signer is not available, verification of an undeniable signature becomes impossible. To overcome this problem, Chaum proposed the notion of Designated Confirmer Signatures (DCS) (Chaum, 1994), in which a semi-trusted third party called the confirmer can convince the verifier that a signature is valid or invalid in place of the signer. In a DCS scheme, given a signature $\sigma$ and a message $m$, the confirmer can prove that the signature is valid or invalid on $m$ by executing a Confirm/Disavow protocol.
In previous DCS schemes, the confirmer is designated at the time of signature generation, so once the designated confirmer becomes unavailable, no one can verify the validity of the signature. For example, consider a situation in which the president of a company signs a document and wants to limit its verifiability. In such a case, his/her secretary can decide who the appropriate verifier is and convince that verifier of the validity of the signature using the DCS. However, if the secretary moves to another section or retires from the company, no one can convince a verifier that the signature is valid or invalid. From this consideration, an extension of DCS in which confirmers can be added dynamically is a desirable property.
In this paper we propose an extension of DCS in which confirmers can be added after the signature is generated.
1.1 Related Work
After Chaum's proposal of the notion of DCS, many DCS schemes have been introduced (Okamoto, 1994; Michels and Stadler, 1998; Camenisch and Michels, 2000; Goldwasser and Waisbard, 2004; Gentry et al., 2005; Wang et al., 2007; Zhang et al., 2008). Okamoto introduced the first formal model of DCS and showed that DCS and public key encryption are equivalent (Okamoto, 1994). Michels and Stadler pointed out that in Okamoto's scheme the confirmer can forge a valid signature on behalf of the signer. They also proposed a new security model and constructed a concrete scheme (Michels and Stadler, 1998). Modifying the definitions of Okamoto (Okamoto, 1994) and Camenisch and Michels (Camenisch and Michels, 2000), Goldwasser and Waisbard proposed a relaxed security definition and used a strong witness hiding proof of knowledge instead of a generic zero-knowledge proof in their Confirm protocol (Goldwasser and Waisbard, 2004). Gentry, Molnar and Ramzan presented a generic transformation that converts any secure signature scheme into a DCS scheme (the GMR scheme) without random oracles or generic zero-knowledge proofs (Gentry et al., 2005). Wang, Baek, Wong and Bao proposed an efficient DCS scheme improving on the GMR scheme (Wang et al., 2007). Zhang, Chen and Wei proposed a simple and efficient DCS scheme based on bilinear pairings (Zhang et al., 2008).

Senga W. and Doi H. (2009). ON THE SECURITY OF ADDING CONFIRMERS INTO DESIGNATED CONFIRMER SIGNATURES. In Proceedings of the International Conference on Security and Cryptography (SECRYPT 2009), pages 249-256. DOI: 10.5220/0002234702490256. Copyright © SciTePress.
1.2 Our Contribution
To construct a designated confirmer signature scheme in which confirmers can be added after the signature is generated (ADCS for short), introducing a temporary public/secret confirmation key pair (pck/sck for short) in place of the confirmer's public/secret keys may be an effective strategy. Under this strategy, anyone given the temporary sck can execute the Confirm/Disavow protocol. Although the required properties can be realized by introducing the pck/sck into almost all existing DCS schemes (Chaum, 1994; Okamoto, 1994; Michels and Stadler, 1998; Camenisch and Michels, 2000; Goldwasser and Waisbard, 2004; Gentry et al., 2005; Wang et al., 2007), a verifier cannot know who the confirmer is unless auxiliary authentication protocols are appended. Furthermore, the Confirm/Disavow protocols based on these existing DCS schemes remain complicated.
On the other hand, when we introduce the pck/sck into the ZCW08 scheme (Zhang et al., 2008), both the Confirm and Disavow protocols become very simple. In the ZCW08 scheme, it is easy to convert a DCS into an ordinary signature using sck, and it is also easy to convert an ordinary signature into a DCS. So an ADCS that should be verified using $pck_1$ can easily be transformed into an ADCS that should be verified using $pck_2$. Such an illegal transformation may cause serious trouble in some applications, so prohibiting it is a preferable feature.
In this paper, we introduce a new model suitable for the above scenario and construct a new DCS scheme. Our scheme is an extension of the ZCSM06 signature scheme (and is similar to the ZCW08 scheme) and has the following properties.
1. The Confirm/Disavow protocol is very simple.
2. It is impossible to transform an ADCS verifiable by $pck_1$ into an ADCS verifiable by $pck_2$.
3. The security of the proposed scheme in this model can be proved under the $k+1$-square roots assumption and the $l$-BDHE assumption without random oracles.
2 PRELIMINARIES
We describe the settings and computational assumptions used in this paper.
2.1 Bilinear Groups
Let $G$ and $G_1$ be two (multiplicative) cyclic groups of prime order $p$ and let $g$ be a generator of $G$. A bilinear map $e : G \times G \to G_1$ is said to be an admissible bilinear pairing if the following three conditions hold:
1. Bilinearity: for all $u, v \in G$ and $a, b \in \mathbb{Z}_p$, $e(u^a, v^b) = e(u, v)^{ab}$.
2. Non-degeneracy: $e(g, g) \neq 1$, i.e. the map does not send all pairs in $G \times G$ to the identity in $G_1$.
3. Computability: there is an efficient algorithm to compute $e(u, v)$ for all $u, v \in G$.
2.2 k+1 Square Roots Assumption
The $k+1$ square roots problem in $(G, G_1)$ (Zhang et al., 2006) is stated as follows: given
$\{\, k \in \mathbb{Z},\ x \in_R \mathbb{Z}_p,\ g \in G,\ \alpha = g^x,\ h_1, \ldots, h_k \in \mathbb{Z}_p,\ g^{(x+h_1)^{1/2}}, \ldots, g^{(x+h_k)^{1/2}} \,\}$
as input, output $\big(g^{(x+h)^{1/2}},\ h \notin \{h_1, \ldots, h_k\}\big)$.
Definition 1. We say that the $(k+1, t, \varepsilon)$-square roots assumption holds in $(G, G_1)$ if no $t$-time algorithm has advantage at least $\varepsilon$ in solving the $k+1$ square roots problem in $(G, G_1)$.
2.3 l-BDHE Assumption
Let $G$ be a bilinear group of prime order $p$. The $l$-BDHE problem (Boneh et al., 2005) in $G$ is stated as follows: given
$(h,\ g,\ g^{\alpha},\ g^{\alpha^2},\ \ldots,\ g^{\alpha^l},\ g^{\alpha^{l+2}},\ \ldots,\ g^{\alpha^{2l}})$
as input, output $e(g, h)^{\alpha^{l+1}}$.
Definition 2. We say that the $(t, \varepsilon, l)$-BDHE assumption holds in $G$ if no $t$-time algorithm has advantage at least $\varepsilon$ in solving the $l$-BDHE problem in $G$.
2.4 Zero Knowledge Proofs
In DCS schemes, a confirmer executes an interactive protocol to prove to a verifier that the signature is valid or invalid. We use a zero-knowledge proof of knowledge (ZKPoK) protocol rather than an honest-verifier zero-knowledge protocol so that our scheme is secure against an arbitrary cheating verifier. In our scheme, only simple ZKPoKs (e.g. of the equality or inequality of two discrete logarithms) are required. Special honest verifier ZKPoKs of the equality (or inequality) of two discrete logarithms are well known (Camenisch and Shoup, 2003; Ogata et al., 2005), and the techniques for transforming such a special honest verifier ZKPoK into a (concurrent) ZKPoK are well known too (Cramer et al., 2000; Damgård, 2000; Gennaro, 2004). Moreover, we need a knowledge extractor to prove the security of our scheme, and it is well known that any ZKPoK protocol has a knowledge extractor. So we omit the description of the concrete ZKPoK protocols and the knowledge extractor in this paper.
3 MODEL AND DEFINITIONS
3.1 Outline of Our Model
The model of ADCS consists of a signer $\mathcal{S}$, confirmers (and candidates for confirmer) $\mathcal{C}_i$ ($i = 1, 2, \ldots, n$) and a verifier $\mathcal{V}$.
In previous DCS schemes, a signature is generated using the confirmer's public key and the signer's secret (and public) key. In the ADCS model, however, the signer does not know who will become a confirmer in the future, so we cannot use the ordinary DCS generation. In our construction, we introduce a confirmation key pair (the public confirmation key $pck$ and the secret confirmation key $sck$). The secret confirmation key $sck$ is necessary for a confirmer to confirm or disavow a signature.
To construct the scheme efficiently, the confirmer is regarded as a very highly trusted authority in our model. (Note that all designated confirmer signatures can be converted into ordinary ones by revealing $sck$.)
For the adversarial model, we classify the candidates for confirmer into two groups, namely $\mathcal{SC}_h$ (selective honest confirmers) and $\mathcal{SC}_c$ (selective corrupted confirmers). $\mathcal{C}_i \in \mathcal{SC}_h$ never reveals its secret key $sk_i$, and $\mathcal{C}_j \in \mathcal{SC}_c$ may reveal its secret key $sk_j$. This classification is similar to that of selective-ID secure IBE (Boneh and Boyen, 2004).
3.2 Formal Definitions
We describe the formal definitions of ADCS. Let $negl(\lambda)$ denote a negligible function, i.e. one that grows smaller than $1/\lambda^c$ for all $c$ and all sufficiently large $\lambda$.
Definition 3. A secure ADCS consists of the following 8 algorithms:
- KeyGen: takes as input $1^\lambda$ and outputs the key pairs $(sk_S, pk_S)$, $(sk_i, pk_i)$, $(sck, pck)$. $sk_S$ is a signing key and $pk_S$ is a verification key for $\mathcal{S}$. $sk_i$ is a secret key and $pk_i$ is a public key for $\mathcal{C}_i$ ($i = 1, 2, \ldots, n$). $sck$ is a secret confirmation key and $pck$ is a public confirmation key.
- Sign: takes as input $(m, sk_S)$ and outputs an ordinary signature $\tilde{\sigma}$ such that $\mathrm{Verify}(m, \tilde{\sigma}, pk_S) = \mathrm{Accept}$.
- Verify: takes as input $(m, \tilde{\sigma}, pk_S)$ and outputs Accept if $\tilde{\sigma}$ is an output of $\mathrm{Sign}(m, sk_S)$, and outputs $\bot$ otherwise.
- ConfirmedSign: takes as input $(m, sk_S, sck)$ and outputs an ADCS $\sigma$ on $m$.
- Extract: releases the secret confirmation key $sck$. Once $sck$ is released, all previous ADCSs become publicly verifiable.
- Designate: takes as input $(sck, sk_i)$ and outputs $pck_i$, which is the public confirmation key for $\mathcal{C}_i$. To be designated as a confirmer, $\mathcal{C}_i$ must receive the secret confirmation key from the signer or from an existing confirmer who has already obtained the secret confirmation key.
- Confirm: is an interactive protocol between $\mathcal{C}_i$ and $\mathcal{V}$ with common input $(m, \sigma, pk_i, pck, pck_i)$. The output is $b \in \{\mathrm{Accept}, \bot\}$. The protocol must be both complete and sound. For completeness, we require that there is some $\mathcal{C}_i$ such that if $\sigma$ is a valid ADCS on $m$ then $b = \mathrm{Accept}$. For soundness, we require that for all confirmers $\mathcal{C}$, if $\sigma$ is an invalid ADCS on $m$, then $\Pr[\mathrm{Confirm}(m, \sigma, pk_i, pck, pck_i) = \mathrm{Accept}] < negl(\lambda)$.
- Disavow: is an interactive protocol between $\mathcal{C}_i$ and $\mathcal{V}$ with common input $(m, \sigma, pk_i, pck, pck_i)$. The output is $b \in \{\mathrm{Accept}, \bot\}$. The protocol must be both complete and sound. For completeness, we require that there is some $\mathcal{C}_i$ such that if $\sigma$ is an invalid ADCS on $m$ then $b = \mathrm{Accept}$. For soundness, we require that for all confirmers $\mathcal{C}$, if $\sigma$ is a valid ADCS on $m$, then $\Pr[\mathrm{Disavow}(m, \sigma, pk_i, pck, pck_i) = \mathrm{Accept}] < negl(\lambda)$.
Actually, the Extract algorithm should rarely be used, because its influence is too large in our model. However, following the formal definitions of previous DCS schemes (Camenisch and Michels, 2000; Goldwasser and Waisbard, 2004; Gentry et al., 2005; Wang et al., 2007; Zhang et al., 2008), we have retained the Extract algorithm.
The primary condition of DCS is that nobody except the confirmer can confirm the validity of a signature. Furthermore, the security requirements are classified into two categories: security for signers and security for confirmers. Intuitively, security for signers guarantees that ADCSs are unforgeable under adaptive chosen message attacks, and security for confirmers guarantees that no one except the confirmers can confirm the validity of ADCSs to verifiers.
We describe the formal definition of security for signers as follows:
Definition 4. (Security for signers) An ADCS scheme is secure for signers if no probabilistic polynomial time adversary $\mathcal{A}$ has a non-negligible advantage in the following game:
Game S
1. The challenger $\mathcal{B}$ takes as input a security parameter $1^\lambda$ and gives $(pk_S, pk_1, \ldots, pk_n, pck)$ to $\mathcal{A}$.
2. The adversary $\mathcal{A}$ is permitted a series of queries:
ConfirmedSign queries: $\mathcal{A}$ submits a message $m$ and receives an ADCS $\sigma$ on $m$.
Extract queries: $\mathcal{A}$ receives the secret confirmation key $sck$.
Designate queries: $\mathcal{A}$ submits $\mathcal{C}_i$'s public key $pk_i$ and receives the corresponding public confirmation key $pck_i$.
$\mathrm{Confirm}_{(\mathcal{A},\mathcal{V})}$/$\mathrm{Disavow}_{(\mathcal{A},\mathcal{V})}$ queries: $\mathcal{A}$ executes the Confirm/Disavow protocol in the confirmer role.
$\mathrm{Confirm}_{(\mathcal{C},\mathcal{A})}$/$\mathrm{Disavow}_{(\mathcal{C},\mathcal{A})}$ queries: $\mathcal{A}$ executes the Confirm/Disavow protocol in the verifier role.
$\mathrm{Corrupt}_C$ queries: $\mathcal{A}$ submits a confirmer's public key $pk_i$ and receives the corresponding secret key $sk_i$.
3. At the end of this game, $\mathcal{A}$ outputs a pair $(m^*, \sigma^*)$.
$\mathcal{A}$ wins the game if $\mathrm{Confirm}_{(\mathcal{C},\mathcal{V})}(m^*, \sigma^*, pk_i, pck, pck_i) = \mathrm{Accept}$, $m^*$ has never been queried to the ConfirmedSign oracle, and $(m^*, \sigma^*)$ has never been accepted in an earlier $\mathrm{Confirm}_{(\mathcal{C},\mathcal{A})}$ query. $\mathcal{A}$'s advantage $Adv_S(\mathcal{A})$ is defined to be the probability that $\mathcal{A}$ wins this game.
Now we explain security for confirmers. Informally, an ADCS scheme needs to be secure against forgery and impersonation under adaptive chosen message attacks (Ogata et al., 2005). In other words, security for confirmers requires that no one except the legal confirmers can generate a valid tuple $(m, \sigma, pk_i, pck_i)$ that will be accepted in the Confirm protocol (here, $m$ and $\sigma$ may already have been produced by a legal signer). In an ADCS scheme, the "legal" confirmers must know both the confirmer's secret key $sk_i$ and the secret confirmation key $sck$. Therefore, security for confirmers is divided into the following two cases: 1) no one without $sk_i$ can prove the validity of a DCS, and 2) no one without $sck$ can prove the validity of a DCS.
We describe the formal definition of security for confirmers as follows:
Definition 5. (Security for confirmers) An ADCS scheme is secure for confirmers if no probabilistic polynomial time adversary $\mathcal{A}$ has a non-negligible advantage in either Game C-1 or Game C-2.
Game C-1
1. The adversary $\mathcal{A}$ classifies the candidates for confirmer $(\mathcal{C}_1, \ldots, \mathcal{C}_n)$ into $\mathcal{C}_i \in \mathcal{SC}_h$ ($i = 1, \ldots, l$) and $\mathcal{C}_j \in \mathcal{SC}_c$ ($j = l+1, \ldots, n$), and notifies the challenger $\mathcal{B}$.
2. $\mathcal{B}$ takes as input a security parameter $1^\lambda$ and gives $(pk_S, pk_1, \ldots, pk_n, pck)$ to $\mathcal{A}$.
3. $\mathcal{A}$ is permitted a series of queries:
ConfirmedSign queries: $\mathcal{A}$ submits a message $m$ and receives an ADCS $\sigma$ on $m$.
Extract queries: $\mathcal{A}$ receives the secret confirmation key $sck$.
Designate queries: $\mathcal{A}$ submits the public key $pk_i$ of $\mathcal{C}_i \in \mathcal{SC}_h$ and receives the corresponding public confirmation key $pck_i$ for $\mathcal{C}_i$. Note that a query of $pk_j$ ($\mathcal{C}_j \in \mathcal{SC}_c$) is prohibited.
$\mathrm{Confirm}_{(\mathcal{A},\mathcal{V})}$/$\mathrm{Disavow}_{(\mathcal{A},\mathcal{V})}$ queries: $\mathcal{A}$ executes the Confirm/Disavow protocol in the confirmer role.
$\mathrm{Confirm}_{(\mathcal{C},\mathcal{A})}$/$\mathrm{Disavow}_{(\mathcal{C},\mathcal{A})}$ queries: $\mathcal{A}$ executes the Confirm/Disavow protocol in the verifier role with $\mathcal{C}_i \in \mathcal{SC}_h$. $\mathcal{A}$ is prohibited from executing the Confirm/Disavow protocol with $\mathcal{C}_j \in \mathcal{SC}_c$.
$\mathrm{Corrupt}_S$ queries: $\mathcal{A}$ submits the signer $\mathcal{S}$'s verification key $pk_S$ and receives the corresponding signing key $sk_S$.
$\mathrm{Corrupt}_C$ queries: $\mathcal{A}$ submits the public key $pk_j$ of a confirmer $\mathcal{C}_j \in \mathcal{SC}_c$ and receives the corresponding secret key $sk_j$. Note that a query of $pk_i$ ($\mathcal{C}_i \in \mathcal{SC}_h$) is prohibited.
4. At the end of this game, $\mathcal{A}$ outputs a tuple $(m, \sigma, pk_i, pck_i)$.
$\mathcal{A}$ wins the game if $\mathrm{Confirm}_{(\mathcal{A},\mathcal{V})}(m, \sigma, pk_i, pck, pck_i) = \mathrm{Accept}$. $\mathcal{A}$'s advantage $Adv_{C1}(\mathcal{A})$ is defined to be the probability that $\mathcal{A}$ wins this game.
Game C-2
1. The adversary $\mathcal{A}$ classifies the candidates for confirmer $(\mathcal{C}_1, \ldots, \mathcal{C}_n)$ into $\mathcal{C}_i \in \mathcal{SC}_h$ ($i = 1, \ldots, l$) and $\mathcal{C}_j \in \mathcal{SC}_c$ ($j = l+1, \ldots, n$), and notifies the challenger $\mathcal{B}$.
2. $\mathcal{B}$ takes as input a security parameter $1^\lambda$ and gives $(pk_S, pk_1, \ldots, pk_n, pck)$ to $\mathcal{A}$.
3. $\mathcal{A}$ is permitted a series of queries:
ConfirmedSign queries: $\mathcal{A}$ submits a message $m$ and receives an ADCS $\sigma$ on $m$.
Designate queries: $\mathcal{A}$ submits the public key $pk_i$ of $\mathcal{C}_i \in \mathcal{SC}_h$ and receives the corresponding public confirmation key $pck_i$ for $\mathcal{C}_i$. Note that a query of $pk_j$ ($\mathcal{C}_j \in \mathcal{SC}_c$) is prohibited.
$\mathrm{Confirm}_{(\mathcal{A},\mathcal{V})}$/$\mathrm{Disavow}_{(\mathcal{A},\mathcal{V})}$ queries: $\mathcal{A}$ executes the Confirm/Disavow protocol in the confirmer role.
$\mathrm{Confirm}_{(\mathcal{C},\mathcal{A})}$/$\mathrm{Disavow}_{(\mathcal{C},\mathcal{A})}$ queries: $\mathcal{A}$ executes the Confirm/Disavow protocol in the verifier role with $\mathcal{C}_i \in \mathcal{SC}_h$. $\mathcal{A}$ is prohibited from executing the Confirm/Disavow protocol with $\mathcal{C}_j \in \mathcal{SC}_c$.
$\mathrm{Corrupt}_S$ queries: $\mathcal{A}$ submits the signer $\mathcal{S}$'s verification key $pk_S$ and receives the corresponding signing key $sk_S$.
$\mathrm{Corrupt}_C$ queries: $\mathcal{A}$ submits the public key $pk_j$ of a confirmer $\mathcal{C}_j \in \mathcal{SC}_c$ and receives the corresponding secret key $sk_j$. Note that a query of $pk_i$ ($\mathcal{C}_i \in \mathcal{SC}_h$) is prohibited.
4. At the end of this game, $\mathcal{A}$ outputs a tuple $(m, \sigma, pk_i, pck_i)$.
$\mathcal{A}$ wins the game if $\mathrm{Confirm}_{(\mathcal{A},\mathcal{V})}(m, \sigma, pk_i, pck, pck_i) = \mathrm{Accept}$. $\mathcal{A}$'s advantage $Adv_{C2}(\mathcal{A})$ is defined to be the probability that $\mathcal{A}$ wins this game.
4 PROPOSED SCHEME
We present a construction of the scheme for adding confirmers into DCS (ADCS) based on the ZCSM06 signature scheme (Zhang et al., 2006).
4.1 The ZCSM06 Signature Scheme
We describe the ZCSM06 short signature scheme (Zhang et al., 2006).
Let $G$ be a bilinear group with $|G| = p$ for some prime $p$. Let $g$ be a generator of $G$.
KeyGen: pick random $x, y \in \mathbb{Z}_p$ and compute $u \leftarrow g^x$ and $v \leftarrow g^y$. The verification key is $(u, v)$. The signing key is $(x, y)$.
Sign: given a signing key $(x, y)$ and a message $m \in \mathbb{Z}_p$, pick a random $r \in \mathbb{Z}_p$ and compute $\tilde{s} \leftarrow g^{(x+my+r)^{1/2}}$. Here $(x+my+r)^{1/2}$ is computed modulo $p$. In the unlikely event that $x+my+r$ is not a quadratic residue modulo $p$, we try again with a different random $r$. The signature is $\tilde{\sigma} = (\tilde{s}, r)$.
Verify: given a verification key $(u, v)$, a message $m$, and a signature $\tilde{\sigma} = (\tilde{s}, r)$, verify that
$e(\tilde{s}, \tilde{s}) = e(u v^m g^r, g)$.
If the equality holds the result is valid; otherwise the result is invalid.
Theorem 1. Suppose the $(k+1, t', \varepsilon')$-square roots assumption holds in $(G, G_1)$. Then the ZCSM06 signature scheme is $(t, q_S, \varepsilon)$-secure against existential forgery under a chosen message attack provided that $q_S \le k+1$, $\varepsilon = 2\varepsilon' + 4q_S/p \approx 2\varepsilon'$, and $t \le t' - \Theta(q_S T)$.
4.2 Construction of ADCS Scheme
We describe a construction of the ADCS scheme. The Sign and Verify algorithms are the same as in ZCSM06, and the ConfirmedSign algorithm is similar to ZCW08 (Zhang et al., 2008).
Let $G$ be a bilinear group with $|G| = p$ for some prime $p$. Let $g$ be a generator of $G$.
KeyGen: pick random $x, y \in \mathbb{Z}_p$ and a random $k \in \mathbb{Z}_p$ such that $k$ is a quadratic residue modulo $p$, and compute $u \leftarrow g^x$, $v \leftarrow g^y$, $K \leftarrow g^k$ and $b \leftarrow g^{k^2}$. $(sk_S, pk_S) = ((x, y), (u, v))$, $(sck, pck) = (b, K)$. Pick random $a_i \in \mathbb{Z}_p$ ($i = 1, \ldots, n$) and compute $A_i \leftarrow g^{a_i}$ ($i = 1, \ldots, n$). $(sk_i, pk_i) = (a_i, A_i)$.
Sign: the same as in the ZCSM06 signature scheme.
Verify: the same as in the ZCSM06 signature scheme.
ConfirmedSign: given $(x, y)$, $k$, and a message $m \in \mathbb{Z}_p$, pick a random $r \in \mathbb{Z}_p$ and compute $s \leftarrow K^{(x+my+r)^{1/2}}$. In the unlikely event that $x+my+r$ is not a quadratic residue modulo $p$, we try again with a different random $r$. The ADCS is $\sigma = (s, r)$.
Extract: release $sck = b$. Once $b$ is revealed, everyone can verify the signature $\sigma$ on $m$ by
$e(s, s) = e(u v^m g^r, b)$.
If the equality holds the result is valid; otherwise the result is invalid.
Designate: given $sck = b$ and $sk_i = a_i$, compute $B_i \leftarrow b^{1/a_i}$ and disclose $pck_i = B_i$ as the public confirmation key for $\mathcal{C}_i$. Any verifier $\mathcal{V}$ can verify the validity of $B_i$ by
$e(K, K) = e(A_i, B_i)$.
Confirm: given a pair $(m, \sigma)$, $\mathcal{C}_i$ verifies the ADCS by
$e(s, s) = e(u v^m g^r, B_i)^{a_i}$.
If the equality holds, $\mathcal{C}_i$ executes the following interactive ZKPoK protocol with $\mathcal{V}$:
$PK\{(a_i) : e(s, s) = e(u v^m g^r, B_i)^{a_i} \ \wedge\ e(g, g)^{a_i} = e(A_i, g)\}$.
Otherwise, $\mathcal{C}_i$ outputs $\bot$.
Disavow: given a pair $(m, \sigma)$, $\mathcal{C}_i$ verifies the ADCS by
$e(s, s) = e(u v^m g^r, B_i)^{a_i}$.
If the equality does not hold, $\mathcal{C}_i$ executes the following interactive ZKPoK protocol with $\mathcal{V}$:
$PK\{(a_i) : e(s, s) \neq e(u v^m g^r, B_i)^{a_i} \ \wedge\ e(g, g)^{a_i} = e(A_i, g)\}$.
Otherwise, $\mathcal{C}_i$ outputs $\bot$.
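The following derivation is added here and is not part of the original paper; it checks, with the paper's own symbols, that the Extract, Designate and Confirm equations of Section 4.2 hold for honestly generated values, and that the conversion $s \leftarrow \tilde{s}^k$ used in the proof of Theorem 2 maps ZCSM06 signatures to ADCSs.

$$
\begin{aligned}
&\text{Let } w = (x+my+r)^{1/2} \bmod p, \text{ so that } s = K^w = g^{kw} \text{ and } u v^m g^r = g^{x+my+r} = g^{w^2}. \\
&\text{Extract: } e(s, s) = e(g^{kw}, g^{kw}) = e(g, g)^{k^2 w^2} = e(g^{w^2}, g^{k^2}) = e(u v^m g^r, b). \\
&\text{Designate: } e(A_i, B_i) = e(g^{a_i}, b^{1/a_i}) = e(g, b) = e(g, g)^{k^2} = e(g^k, g^k) = e(K, K). \\
&\text{Confirm: } e(u v^m g^r, B_i)^{a_i} = e(g^{w^2}, g^{k^2/a_i})^{a_i} = e(g, g)^{k^2 w^2} = e(s, s), \\
&\quad \text{so } \mathcal{C}_i \text{ needs only } a_i \text{ and the public values } (u, v, g, B_i); \ sck = b \text{ itself is never used in Confirm.} \\
&\text{Theorem 2: } \tilde{s} = g^{w} \text{ satisfies } e(\tilde{s}, \tilde{s}) = e(u v^m g^r, g), \text{ and } \tilde{s}^k = g^{kw} = K^w = s, \text{ hence} \\
&\quad e(\tilde{s}^k, \tilde{s}^k) = e(\tilde{s}, \tilde{s})^{k^2} = e(u v^m g^r, g)^{k^2} = e(u v^m g^r, b), \text{ while } s^{1/k} = \tilde{s} \text{ inverts the map.}
\end{aligned}
$$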
5 SECURITY
In this section, we prove the security of the proposed scheme.
The security proofs of the underlying scheme and of our extension do not use random oracles, so the proposed scheme can be proven secure without random oracles.
Theorem 2. Suppose the ZCSM06 scheme is $(t', q_S, \varepsilon)$-secure against existential forgery under a chosen message attack. Then the proposed scheme is $(t, q, \varepsilon)$-secure for signers provided that $t' = t + qT$, where $q$ is the total number of queries that the adversary can issue to the oracles and $T$ is the maximum time required to execute an exponentiation in $G$ or to answer a ConfirmedSign, $\mathrm{Confirm}_{(\mathcal{A},\mathcal{V})}$, $\mathrm{Disavow}_{(\mathcal{A},\mathcal{V})}$, $\mathrm{Confirm}_{(\mathcal{C},\mathcal{A})}$ or $\mathrm{Disavow}_{(\mathcal{C},\mathcal{A})}$ query.
Proof. Let $\mathcal{A}$ be a PPT adversary that has non-negligible advantage $Adv_S(\mathcal{A})$. We construct a simulator $\mathcal{B}$ which forges a ZCSM06 signature using $\mathcal{A}$.
Let $(G, G_1, e, p, g)$ be the parameters of the bilinear groups. $\mathcal{B}$ is given a pair $(g, u = g^x, v = g^y)$ generated by ZCSM06's KeyGen algorithm. $\mathcal{B}$ picks a random $k \in \mathbb{Z}_p$ and computes $K \leftarrow g^k$, $b \leftarrow g^{k^2}$. $\mathcal{B}$ also picks random $a_i \in \mathbb{Z}_p$ ($i = 1, \ldots, n$) and computes $A_i \leftarrow g^{a_i}$ ($i = 1, \ldots, n$). $\mathcal{A}$ is given $(g, u, v, K, A_i)$ ($i = 1, \ldots, n$).
$\mathcal{A}$ makes queries adaptively, and $\mathcal{B}$ responds as follows:
When $\mathcal{A}$ makes a ConfirmedSign query for a message $m$, $\mathcal{B}$ queries ZCSM06's signing oracle with the same $m$. $\mathcal{B}$ then obtains $\tilde{\sigma} = (\tilde{s}, r)$, computes $s \leftarrow \tilde{s}^k$, and returns $\sigma = (s, r)$ to $\mathcal{A}$.
When $\mathcal{A}$ makes a $\mathrm{Confirm}_{(\mathcal{A},\mathcal{V})}$/$\mathrm{Disavow}_{(\mathcal{A},\mathcal{V})}$ query, $\mathcal{B}$ performs the Confirm/Disavow protocol in the verifier role. $\mathcal{B}$ need not know any secret information.
When $\mathcal{A}$ makes a $\mathrm{Confirm}_{(\mathcal{C},\mathcal{A})}$/$\mathrm{Disavow}_{(\mathcal{C},\mathcal{A})}$ query, $\mathcal{B}$ performs the Confirm/Disavow protocol in the confirmer (prover) role. $\mathcal{B}$ can perform the protocol because $\mathcal{B}$ has all the secret information of the confirmer.
When $\mathcal{A}$ makes a Designate query for a confirmer $\mathcal{C}_i$, $\mathcal{B}$ returns $B_i = b^{1/a_i}$ to $\mathcal{A}$.
When $\mathcal{A}$ makes an Extract query, $\mathcal{B}$ returns the secret confirmation key $b$ to $\mathcal{A}$.
When $\mathcal{A}$ makes a $\mathrm{Corrupt}_C$ query for a confirmer $\mathcal{C}_i$, $\mathcal{B}$ returns $a_i$ to $\mathcal{A}$.
$\mathcal{B}$ does not abort during the above simulation, and finally $\mathcal{A}$ outputs $(m^*, s^*, r^*)$ such that $e(s^*, s^*) = e(u v^{m^*} g^{r^*}, b)$. Let $\tilde{s}^* \leftarrow (s^*)^{1/k}$; $\mathcal{B}$ outputs $(m^*, \tilde{s}^*, r^*)$. Because $e(\tilde{s}^*, \tilde{s}^*) = e(u v^{m^*} g^{r^*}, g)$, $\mathcal{B}$ succeeds in forging a ZCSM06 signature.
Theorem 3. Suppose the $(t', \varepsilon, 3)$-BDHE assumption holds in $G$. Then the proposed scheme is $(t, q, \varepsilon)$-secure for confirmers.
To prove Theorem 3, we show Lemma 1 and Lemma 2.
Lemma 1. If there exists a $t$-time algorithm $\mathcal{A}$ which satisfies $Adv_{C1}(\mathcal{A}) \ge \varepsilon$, there exists an algorithm which solves the $(t', \varepsilon, 3)$-BDHE problem. Here $t' = t + qT$, where $q$ is the total number of queries that the adversary can issue to the oracles and $T$ is the maximum time required to execute an exponentiation in $G$ or to answer a ConfirmedSign, $\mathrm{Confirm}_{(\mathcal{A},\mathcal{V})}$, $\mathrm{Disavow}_{(\mathcal{A},\mathcal{V})}$, $\mathrm{Confirm}_{(\mathcal{C},\mathcal{A})}$ or $\mathrm{Disavow}_{(\mathcal{C},\mathcal{A})}$ query.
Proof. Let $\mathcal{A}$ be a PPT adversary that has non-negligible advantage $Adv_{C1}(\mathcal{A})$. We construct a simulator $\mathcal{B}$ which solves the 3-BDHE problem using $\mathcal{A}$.
$\mathcal{B}$ is given a random 3-BDHE challenge $(H, G, G^z, G^{z^2}, G^{z^3}, G^{z^5}, G^{z^6})$.
$\mathcal{A}$ outputs the list of $\mathcal{C}_i \in \mathcal{SC}_h$ (the identities of the selective honest confirmers) and $\mathcal{C}_j \in \mathcal{SC}_c$ (the identities of the selective corrupted confirmers), and notifies $\mathcal{B}$.
Let $g \leftarrow G^{z^2}$ and $h \leftarrow G^{z^3}$. $\mathcal{B}$ picks random values $(x, y) \in \mathbb{Z}_p$ as a signing key and computes $(u \leftarrow g^x, v \leftarrow g^y)$ as a verification key. $\mathcal{B}$ picks a random value $k \in \mathbb{Z}_p$ and computes $b \leftarrow g^{k^2}$ as a secret confirmation key and $K \leftarrow g^k$ as a public confirmation key. Furthermore, $\mathcal{B}$ generates the confirmers' public and secret key pairs as follows:
For $\mathcal{C}_i \in \mathcal{SC}_h$, $\mathcal{B}$ picks random values $a_i$ ($i = 1, \ldots, l$) as secret keys and computes $A_i \leftarrow (g^z)^{a_i}$ ($i = 1, \ldots, l$) as public keys.
For $\mathcal{C}_j \in \mathcal{SC}_c$, $\mathcal{B}$ picks random values $a_j$ ($j = l+1, \ldots, n$) as secret keys and computes $A_j \leftarrow g^{a_j}$ ($j = l+1, \ldots, n$) as public keys.
$\mathcal{A}$ is given $(u, v)$, $(A_1, \ldots, A_l)$, $(A_{l+1}, \ldots, A_n)$, $K$.
$\mathcal{A}$ makes queries adaptively, and $\mathcal{B}$ responds as follows:
When $\mathcal{A}$ makes a ConfirmedSign query for a message $m$, $\mathcal{B}$ picks a random $r \in \mathbb{Z}_p$ and computes $s \leftarrow K^{(x+my+r)^{1/2}}$. $\mathcal{B}$ then returns $\sigma = (s, r)$ to $\mathcal{A}$.
When $\mathcal{A}$ makes a $\mathrm{Confirm}_{(\mathcal{A},\mathcal{V})}$/$\mathrm{Disavow}_{(\mathcal{A},\mathcal{V})}$ query, $\mathcal{B}$ performs the Confirm/Disavow protocol in the verifier role. $\mathcal{B}$ need not know any secret information.
When $\mathcal{A}$ makes a $\mathrm{Confirm}_{(\mathcal{C},\mathcal{A})}$/$\mathrm{Disavow}_{(\mathcal{C},\mathcal{A})}$ query, $\mathcal{B}$ performs the Confirm/Disavow protocol in the confirmer (prover) role. Note that $\mathcal{B}$ can perform this by rewinding the verifier, since the protocol is a ZKPoK.
When $\mathcal{A}$ makes a Designate query for a confirmer $\mathcal{C}_i$, $\mathcal{B}$ computes $B_i \leftarrow (G^z)^{k^2/a_i} = b^{1/(z a_i)}$ and returns $B_i$ to $\mathcal{A}$.
When $\mathcal{A}$ makes an Extract query, $\mathcal{B}$ returns the secret confirmation key $b\ (= g^{k^2})$ to $\mathcal{A}$.
When $\mathcal{A}$ makes a $\mathrm{Corrupt}_S$ query, $\mathcal{B}$ returns $x, y$ to $\mathcal{A}$.
When $\mathcal{A}$ makes a $\mathrm{Corrupt}_C$ query for $\mathcal{C}_j \in \mathcal{SC}_c$, $\mathcal{B}$ returns $a_j$ to $\mathcal{A}$. The query for a confirmer $\mathcal{C}_i \in \mathcal{SC}_h$ is prohibited.
$\mathcal{B}$ does not abort during the above simulation, and finally $\mathcal{A}$ outputs a tuple $(m^*, s^*, r^*, A_i, B_i)$ which is accepted in the Confirm protocol. Here, the simulator $\mathcal{B}$ can obtain $\log_g A_i = z a_i$ using the knowledge extractor and can thus get $z$ (because $\mathcal{B}$ generated $a_i$). $\mathcal{B}$ computes $G^{z^4} \leftarrow (G^{z^3})^z$ and then outputs $e(G^{z^4}, H) = e(G, H)^{z^4}$; that is, $\mathcal{B}$ solves the 3-BDHE problem.
Lemma 2. If there exists a $t$-time algorithm $\mathcal{A}$ which satisfies $Adv_{C2}(\mathcal{A}) \ge \varepsilon$, there exists an algorithm which solves the $(t', \varepsilon, 3)$-BDHE problem. Here $t' = t + qT$, where $q$ is the total number of queries that the adversary can issue to the oracles and $T$ is the maximum time required to execute an exponentiation in $G$ or to answer a ConfirmedSign, $\mathrm{Confirm}_{(\mathcal{A},\mathcal{V})}$/$\mathrm{Disavow}_{(\mathcal{A},\mathcal{V})}$ or $\mathrm{Confirm}_{(\mathcal{C},\mathcal{A})}$/$\mathrm{Disavow}_{(\mathcal{C},\mathcal{A})}$ query.
Proof. Let $\mathcal{A}$ be a PPT adversary that has non-negligible advantage $Adv_{C2}(\mathcal{A})$. We construct a simulator $\mathcal{B}$ which solves the 3-BDHE problem using $\mathcal{A}$.
$\mathcal{B}$ is given a random 3-BDHE challenge $(h, g, g^z, g^{z^2}, g^{z^3}, g^{z^5}, g^{z^6})$.
$\mathcal{A}$ outputs the list of $\mathcal{C}_i \in \mathcal{SC}_h$ (the identities of the selective honest confirmers) and $\mathcal{C}_j \in \mathcal{SC}_c$ (the identities of the selective corrupted confirmers), and notifies $\mathcal{B}$.
$\mathcal{B}$ picks a random pair $(x, y) \in \mathbb{Z}_p$ as a signing key and computes $(u \leftarrow g^x, v \leftarrow g^y)$ as a verification key. $\mathcal{B}$ sets $K \leftarrow g^{z^2}$ as the public confirmation key. Furthermore, $\mathcal{B}$ generates the confirmers' public and secret key pairs as follows:
For $\mathcal{C}_i \in \mathcal{SC}_h$, $\mathcal{B}$ picks random values $a_i$ ($i = 1, \ldots, l$) as secret keys and computes $A_i \leftarrow (g^z)^{a_i}$ ($i = 1, \ldots, l$) as public keys.
For $\mathcal{C}_j \in \mathcal{SC}_c$, $\mathcal{B}$ picks random values $a_j$ ($j = l+1, \ldots, n$) as secret keys and computes $A_j \leftarrow g^{a_j}$ ($j = l+1, \ldots, n$) as public keys.
$\mathcal{A}$ is given $(u, v)$, $(A_1, \ldots, A_l)$, $(A_{l+1}, \ldots, A_n)$, $K$.
$\mathcal{A}$ makes queries adaptively, and $\mathcal{B}$ responds as follows:
When $\mathcal{A}$ makes a ConfirmedSign query for a message $m$, $\mathcal{B}$ picks a random $r \in \mathbb{Z}_p$ and computes $s \leftarrow K^{(x+my+r)^{1/2}}$. $\mathcal{B}$ then returns $\sigma = (s, r)$ to $\mathcal{A}$.
When $\mathcal{A}$ makes a $\mathrm{Confirm}_{(\mathcal{A},\mathcal{V})}$/$\mathrm{Disavow}_{(\mathcal{A},\mathcal{V})}$ query, $\mathcal{B}$ performs the Confirm/Disavow protocol in the verifier role. $\mathcal{B}$ need not know any secret information.
When $\mathcal{A}$ makes a $\mathrm{Confirm}_{(\mathcal{C},\mathcal{A})}$/$\mathrm{Disavow}_{(\mathcal{C},\mathcal{A})}$ query, $\mathcal{B}$ performs the Confirm/Disavow protocol in the confirmer (prover) role. Note that $\mathcal{B}$ can perform this by rewinding the verifier, since the protocol is a ZKPoK. A query in which $\mathcal{A}$ interacts with $\mathcal{C}_j \in \mathcal{SC}_c$ is prohibited.
When $\mathcal{A}$ makes a Designate query for a confirmer $\mathcal{C}_i \in \mathcal{SC}_h$, $\mathcal{B}$ computes $B_i \leftarrow (g^{z^3})^{1/a_i}$ and returns $B_i$ to $\mathcal{A}$. The query for a confirmer $\mathcal{C}_j \in \mathcal{SC}_c$ is prohibited.
When $\mathcal{A}$ makes a $\mathrm{Corrupt}_S$ query, $\mathcal{B}$ returns $x, y$ to $\mathcal{A}$.
When $\mathcal{A}$ makes a $\mathrm{Corrupt}_C$ query for $\mathcal{C}_j \in \mathcal{SC}_c$, $\mathcal{B}$ returns $a_j$ to $\mathcal{A}$. The query for a confirmer $\mathcal{C}_i \in \mathcal{SC}_h$ is prohibited.
$\mathcal{B}$ does not abort during the above simulation. Finally, $\mathcal{A}$ outputs a tuple $(m^*, s^*, r^*, A_i, B_i)$ which is accepted in $\mathrm{Confirm}_{(\mathcal{A},\mathcal{V})}$. Note that the equation $e(K, K) = e(A_i, B_i)$ holds.
Here, the simulator $\mathcal{B}$ can obtain $\log_g A_i$ using the knowledge extractor. Let $\alpha_i = \log_g A_i$. Then $e(K, K) = e(g, g^{z^4})$ holds. On the other hand, $e(A_i, B_i) = e(g^{\alpha_i}, B_i) = e(g, B_i^{\alpha_i})$ holds.
Hence, $\mathcal{B}$ gets $B_i^{\alpha_i} = g^{z^4}$ and computes $e(g^{z^4}, h) = e(g, h)^{z^4}$. So $\mathcal{B}$ solves the 3-BDHE problem.
6 CONCLUSIONS
In this paper, we have presented a new designated confirmer signature scheme, named ADCS, in which confirmers can be added after the signature is generated. For this purpose we gave a new model and security definitions. Our concrete scheme presented in Section 4 achieves security for signers and security for confirmers in the standard model.
Note that our model has some restrictions (e.g. $\mathcal{SC}_h$ and $\mathcal{SC}_c$ must be decided before the adversarial game). Removing these restrictions may be an interesting direction for future work.
In our scenario, the confirmers have broad powers, since they can freely transfer their ability to verify signatures. For some practical purposes, the following improvements might be interesting future work too:
- The person who can designate new confirmers is not the confirmer but the original signer (or an alternative authority).
- The number of times a confirmer can perform Designate is limited.
The above extensions are open problems.
ACKNOWLEDGEMENTS
We are grateful to Ryoichi Sasaki and Taiichi Saito
for helpful discussions and suggestions on this work.
We would also like to thank the anonymous reviewers
for their insightful comments.
REFERENCES
Boneh, D. and Boyen, X. (2004). Efficient selective-ID secure identity-based encryption without random oracles. In EUROCRYPT 2004, volume 3027 of LNCS, pages 223–238. Springer-Verlag.
Boneh, D., Boyen, X., and Goh, E.-J. (2005). Hierarchical identity based encryption with constant size ciphertext. In EUROCRYPT 2005, volume 3494 of LNCS, pages 440–456. Springer-Verlag.
Camenisch, J. and Michels, M. (2000). Confirmer signature schemes secure against adaptive adversaries. In EUROCRYPT 2000, volume 1807 of LNCS, pages 243–258. Springer-Verlag.
Camenisch, J. and Shoup, V. (2003). Practical verifiable encryption and decryption of discrete logarithms. In CRYPTO 2003, volume 2729 of LNCS, pages 126–144. Springer-Verlag.
Chaum, D. (1994). Designated confirmer signatures. In EUROCRYPT 1994, volume 950 of LNCS, pages 86–91. Springer-Verlag.
Chaum, D. and van Antwerpen, H. (1990). Undeniable signatures. In CRYPTO 1989, volume 435 of LNCS, pages 212–216. Springer-Verlag.
Cramer, R., Damgård, I., and MacKenzie, P. (2000). Efficient zero-knowledge proofs of knowledge without intractability assumptions. In PKC 2000, volume 1751 of LNCS, pages 354–373. Springer-Verlag.
Damgård, I. (2000). Efficient concurrent zero-knowledge in the auxiliary string model. In EUROCRYPT 2000, volume 1807 of LNCS, pages 418–430. Springer-Verlag.
Gennaro, R. (2004). Multi-trapdoor commitments and their applications to proofs of knowledge secure under concurrent man-in-the-middle attacks. In CRYPTO 2004, volume 3152 of LNCS, pages 220–236. Springer-Verlag.
Gentry, C., Molnar, D., and Ramzan, Z. (2005). Efficient designated confirmer signatures without random oracles or general zero-knowledge proofs. In ASIACRYPT 2005, volume 3788 of LNCS, pages 662–681. Springer-Verlag.
Goldwasser, S. and Waisbard, E. (2004). Transformation of digital signature schemes into designated confirmer signature schemes. In TCC 2004, volume 2951 of LNCS, pages 77–100. Springer-Verlag.
Michels, M. and Stadler, M. (1998). Generic constructions for secure and efficient confirmer signature schemes. In EUROCRYPT 1998, volume 1403 of LNCS, pages 406–421. Springer-Verlag.
Ogata, W., Kurosawa, K., and Heng, S.-H. (2005). The security of the FDH variant of Chaum's undeniable signature scheme. In PKC 2005, volume 3386 of LNCS, pages 328–345. Springer-Verlag.
Okamoto, T. (1994). Designated confirmer signatures and public-key encryption are equivalent. In CRYPTO 1994, volume 839 of LNCS, pages 61–74. Springer-Verlag.
Wang, G., Baek, J., Wong, D. S., and Bao, F. (2007). On the generic and efficient constructions of secure designated confirmer signatures. In PKC 2007, volume 4450 of LNCS, pages 43–60. Springer-Verlag.
Zhang, F., Chen, X., Susilo, W., and Mu, Y. (2006). A new signature scheme without random oracles from bilinear pairings. In VIETCRYPT 2006, volume 4341 of LNCS, pages 67–80. Springer-Verlag.
Zhang, F., Chen, X., and Wei, B. (2008). Efficient designated confirmer signature from bilinear pairings. In ASIACCS '08: Proceedings of the 2008 ACM Symposium on Information, Computer and Communications Security, pages 363–368. ACM.