Abstract
Concurrent signatures allow two entities to produce two ambiguous signatures that become binding once an extra piece of information (called the keystone) is released. Such a signature is developed by Chen et al., but it restricts signers to using the same public parameters. We describe and analyse a new concurrent signature that allows users to sign documents even if they use different underlying hard problems when generating their public parameters.
Notes
1. Different from the discrete logarithm and \(e^{th}\)-root assumptions.
2. Guillou-Quisquater’s signature is also included in this framework.
3. The original authors give an idea of how to prove that their signature is secure, but do not provide a concrete proof.
4. e.g. for each run we can add a different prefix to the message.
References
Abe, M., Ohkubo, M., Suzuki, K.: 1-out-of-n Signatures from a Variety of Keys. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 415–432. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-36178-2_26
Asokan, N., Schunter, M., Waidner, M.: Optimistic protocols for fair exchange. In: CCS 1997, pp. 7–17. ACM (1997)
Baum-Waidner, B., Waidner, M.: Round-optimal and abuse-free optimistic multi-party contract signing. In: Montanari, U., Rolim, J.D.P., Welzl, E. (eds.) ICALP 2000. LNCS, vol. 1853, pp. 524–535. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45022-X_44
Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: CCS 1993, pp. 62–73. ACM (1993)
Cachin, C., Camenisch, J.: Optimistic fair secure computation. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 93–111. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44598-6_6
Chen, L., Kudla, C., Paterson, K.G.: Concurrent signatures. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 287–305. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_18
Ferradi, H., Géraud, R., Maimuţ, D., Naccache, D., Pointcheval, D.: Legally fair contract signing without keystones. In: Manulis, M., Sadeghi, A.-R., Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 175–190. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-39555-5_10
Garay, J., MacKenzie, P., Prabhakaran, M., Yang, K.: Resource fairness and composability of cryptographic protocols. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 404–428. Springer, Heidelberg (2006). https://doi.org/10.1007/11681878_21
Garay, J.A., Jakobsson, M., MacKenzie, P.: Abuse-free optimistic contract signing. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 449–466. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_29
Goldwasser, S., Levin, L.: Fair computation of general functions in presence of immoral majority. In: Menezes, A.J., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 77–93. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-38424-3_6
Guillou, L.C., Quisquater, J.-J.: A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory. In: Barstow, D., et al. (eds.) EUROCRYPT 1988. LNCS, vol. 330, pp. 123–128. Springer, Heidelberg (1988). https://doi.org/10.1007/3-540-45961-8_11
Maimuţ, D., Teşeleanu, G.: A unified security perspective on legally fair contract signing protocols. In: Lanet, J.-L., Toma, C. (eds.) SECITC 2018. LNCS, vol. 11359, pp. 477–491. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-12942-2_35
Maurer, U.: Unifying zero-knowledge proofs of knowledge. In: Preneel, B. (ed.) AFRICACRYPT 2009. LNCS, vol. 5580, pp. 272–286. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02384-2_17
Micali, S.: Simple and fast optimistic protocols for fair electronic exchange. In: PODC 2003, pp. 12–19. ACM (2003)
Ohta, K., Okamoto, T.: On concrete security treatment of signatures derived from identification. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 354–369. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055741
Pinkas, B.: Fair secure two-party computation. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 87–105. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_6
Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_22
Appendices
A 1-out-of-n Signatures Without Key Separation
A.1 Description
In this section we present a more efficient 1-out-of-n signature. This signature only works when all the participants use the same underlying commutative group. We denote this signature by 1n-NKSS.
- Setup\((\lambda )\): Choose two commutative groups \(\mathbb G\), \(\mathbb H\), a homomorphism \([\cdot ] : \mathbb G \rightarrow \mathbb H\) and a hash function \(H: \{0,1\}^* \rightarrow \mathcal C \subseteq \mathbb N\). Note that we require that \(|\mathbb G| \ge 2^\lambda \). For each user, choose and compute \(y_i \leftarrow [x_i]\). Output the public key \(pk_i = y_i\). The secret key is \(sk_i = x_i\).
- Listing(): Collect the public keys and randomly shuffle them. Store the result into a list \(\mathcal L = \{y_j\}_{j \in [0,n)}\) and output \(\mathcal L\).
- Sign\((m, sk_k, \mathcal L)\): To sign a message \(m \in \{0, 1\}^*\), first generate the random elements and , where \(j \in [0, n) \setminus \{k\}\). Then compute
  $$\begin{aligned} z&\leftarrow [\alpha ] \otimes y_0^{c_0} \otimes \ldots \otimes y_{k-1}^{c_{k-1}} \otimes y_{k+1}^{c_{k+1}} \otimes \ldots \otimes y_{n-1}^{c_{n-1}}\\ c&\leftarrow H(\mathcal L, m, z)\\ c_k&\leftarrow c - c_0 - \ldots - c_{k-1} - c_{k+1} - \ldots -c_{n-1} \bmod c\\ s&\leftarrow \alpha \star x_k^{-c_k}. \end{aligned}$$
  Output the signature \((s, \mathcal W)\), where \(\mathcal W = \{c_j\}_{j \in [0, n)}\).
- Verify\((m, s, \mathcal W, \mathcal L)\): Compute the values \(u \leftarrow \sum _{j=0}^{n-1} c_j\bmod c\) and \(v \leftarrow [s] \otimes (\otimes _{j=0}^{n-1} y_j^{c_j})\). Output \(\mathtt {true}\) if and only if \(u \equiv H(\mathcal L, m, v) \bmod c\). Otherwise, output \(\mathtt {false}\).
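The four algorithms above, instantiated as an added example (not code from the paper) with the Guillou-Quisquater homomorphism \([x] = x^e \bmod N\) over \(\mathbb G = \mathbb H = \mathbb Z_N^*\). Assumptions made here: the toy modulus `N` and exponent `E`, SHA-256 as \(H\), reduction of challenges modulo the size `E` of the challenge space, and all function names.

```python
import hashlib
import secrets
from math import gcd

# Toy parameters constructed for this example. NOT secure: the factors of N
# are public Mersenne primes, so anyone can invert the homomorphism.
N = (2**127 - 1) * (2**89 - 1)   # G = H = Z_N^*
E = 2**61 - 1                    # prime exponent; challenge space C = [0, E)

def hom(x):
    """The homomorphism [x] = x^E mod N."""
    return pow(x, E, N)

def rand_unit():
    """Uniform random element of Z_N^*."""
    while True:
        x = secrets.randbelow(N - 2) + 2
        if gcd(x, N) == 1:
            return x

def H(L, m, z):
    """Hash (L, m, z) into the challenge space [0, E)."""
    data = repr((tuple(L), m, z)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % E

def keygen():
    x = rand_unit()
    return x, hom(x)                               # (sk_i, pk_i) = (x_i, y_i)

def sign(m, k, sk_k, L):
    """Sign m on behalf of the ring L as the owner of L[k]."""
    n = len(L)
    alpha = rand_unit()
    W = [secrets.randbelow(E) for _ in range(n)]   # c_j for j != k; W[k] is set below
    z = hom(alpha)
    for j in range(n):
        if j != k:
            z = z * pow(L[j], W[j], N) % N
    c = H(L, m, z)
    W[k] = (c - sum(W[j] for j in range(n) if j != k)) % E
    s = alpha * pow(sk_k, -W[k], N) % N            # s = alpha * x_k^{-c_k}
    return s, W

def verify(m, s, W, L):
    if len(W) != len(L) or not all(0 <= c < E for c in W):
        return False
    v = hom(s)
    for y, c in zip(L, W):
        v = v * pow(y, c, N) % N
    return sum(W) % E == H(L, m, v)
```

Verification treats every index identically, so a valid \((s, \mathcal W)\) does not reveal which \(k\) was used; only the holder of some \(x_k\) can close the sum of challenges to the hash value.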
Correctness. If the pair \((s, \mathcal W)\) is generated according to the scheme, it is easy to see that
and
A.2 Security Analysis
Theorem 6’s proof is similar to Theorem 1’s proof and thus is omitted.
Theorem 6
The 1n-NKSS scheme is perfectly signer ambiguous.
Theorem 7
If the following statements are true
- an euf-cmcpa attack on the 1n-NKSS has non-negligible probability of success in the ROM,
- an \(\ell \in \mathbb Z\) is known such that \(\gcd (c_0-c_1, \ell ) = 1\) for all \(c_0, c_1 \in \mathcal C\) with \(c_0 \ne c_1\),
- for all i values, \(u_i \in \mathbb G\) are known such that \([u_i] = y_i^\ell \),
then the homomorphism \([\cdot ]\) can be inverted in polynomial time.
Proof
(sketch). In order to make \(\mathcal A\) work properly we simulate the random oracle that corresponds to the hash function (see Algorithm 1 with i always set to 0) and the signing oracle (see Algorithm 3). Note that \(\mathcal A\) requests at most \(q_s\) and \(q_h\) signing and, respectively, random oracle queries.
The signing oracle \(\mathcal O_S\) fails and returns \(\bot \) only if we cannot assign c to \((L_j, m_j, e)\) without causing an inconsistency in \(T_0\). Thus, \(\mathcal O_S\) is successful with probability at least \((1-q_h/q)^{q_s} \ge 1-q_hq_s/q\). The success probability of \(\mathcal A\) in the simulated environment is \((1-q_hq_s/q)\varepsilon \), where \(\varepsilon \) is \(\mathcal A\)’s success probability.
Let \((m, s, \{c_i\}_{i\in [0,n')}, L)\) be \(\mathcal A\)’s forgery, where \(|L| = n'\). Define \(z \leftarrow [s] \otimes (\otimes _{i=0}^{n'-1} y_i^{c_i})\). Due to the ideal randomness of \(\mathcal O_H\), \(\mathcal A\) queries \(\mathcal O_H\) on (L, m, z) with probability \(1-1/c\). Let \(k \in [0, n')\) be the index of the user associated with the forgery. Then, according to Theorem 6, \(\mathcal A\) will guess k with a probability of \(1/n'\). If we invoke \(\mathcal A\) at most \(1/\varepsilon '\) times, where \(\varepsilon ' = n'(1-q_hq_s/q)(1-1/c)\epsilon \), then we will find at least one \((\varTheta , \varOmega , \mathcal O_H)\) for which \(\mathcal A\) knows k with probability 3/5. According to the heavy row lemma we are situated on a heavy row \(\mathcal H\) with probability 1/2.
Define \(\mathcal O_{H'}\) as a random oracle identical to \(\mathcal O_H\) except for the (L, m, z) query to which \(\mathcal O_{H'}\) responds with a random element \(c' \ne c\). We rewind the simulation and run \(\mathcal A\) at most \(2/\varepsilon '\) times, but with access to \(\mathcal O_{H'}\) instead of \(\mathcal O_H\). We will be situated on \(\mathcal H\) with a probability of 3/10. Now we can compute
where a and b are computed using Euclid’s algorithm such that \(\ell a + (c' - c)b = 1\). As in Theorem 2’s proof, we obtain \([\tilde{x}_k]= y_k\).
The overall success probability is \(9/200 = 3/5 \cdot 3/10\) and \(\mathcal A\) is invoked at most \(3/\varepsilon '\) times. \(\square \)
B Same Group 1-out-of-n Concurrent Signature
B.1 Description
Based on the 1n-NKSS signature we introduce a more efficient concurrent signature (1n-NKSCS) in the non-separable model. In this case, the scheme only uses two cryptographic hash functions \(H_1, H_2:\{0,1\}^* \rightarrow \mathcal C\). The detailed protocol is presented in Fig. 3.
Correctness. If the signature \(\langle s_A, e_A, f \rangle \) is generated according to the scheme, it is easy to see that
Similarly, we can show correctness for Bob’s side.
B.2 Security Analysis
Theorem 8 is a direct consequence of Theorem 6, and the proofs of Theorems 9 and 10 are omitted due to their similarity to the proofs of Theorems 4 and 5.
Theorem 8
The 1n-NKSCS scheme satisfies the concurrent signature ambiguity property in the ROM.
Theorem 9
Let \(i \in \{A, B\}\). If the following statements are true
- an euf-cs attack on the 1n-NKSCS has non-negligible probability of success in the ROM,
- an \(\ell \in \mathbb Z\) is known such that \(\gcd (c_0-c_1, \ell ) = 1\) for all \(c_0, c_1 \in \mathcal C\) with \(c_0 \ne c_1\),
- for all i values, \(u_i \in \mathbb G\) are known such that \([u_i] = y_i^\ell \),
then the homomorphism \([\cdot ]\) can be inverted in polynomial time.
Theorem 10
The 1n-NKSCS scheme is fair in the ROM.
Copyright information
© 2021 Springer Nature Switzerland AG
Cite this paper
Teşeleanu, G. (2021). Concurrent Signatures from a Variety of Keys. In: Yu, Y., Yung, M. (eds) Information Security and Cryptology. Inscrypt 2021. Lecture Notes in Computer Science(), vol 13007. Springer, Cham. https://doi.org/10.1007/978-3-030-88323-2_1
DOI: https://doi.org/10.1007/978-3-030-88323-2_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-88322-5
Online ISBN: 978-3-030-88323-2