Concurrent Signatures from a Variety of Keys

  • Conference paper
Information Security and Cryptology (Inscrypt 2021)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 13007)

Abstract

Concurrent signatures allow two entities to produce two ambiguous signatures that become binding once an extra piece of information (called the keystone) is released. Such a signature was developed by Chen et al., but it restricts signers to using the same public parameters. We describe and analyse a new concurrent signature that allows users to sign documents even if they use different underlying hard problems when generating their public parameters.

Notes

  1. Different from the discrete logarithm and \(e^{th}\)-root assumptions.

  2. Guillou-Quisquater’s signature is also included in this framework.

  3. The original authors give an idea of how to prove that their signature is secure, but do not provide a concrete proof.

  4. e.g. for each run we can add a different prefix to the message.

References

  1. Abe, M., Ohkubo, M., Suzuki, K.: 1-out-of-n Signatures from a Variety of Keys. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 415–432. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-36178-2_26

  2. Asokan, N., Schunter, M., Waidner, M.: Optimistic protocols for fair exchange. In: CCS 1997, pp. 7–17. ACM (1997)

  3. Baum-Waidner, B., Waidner, M.: Round-optimal and abuse-free optimistic multi-party contract signing. In: Montanari, U., Rolim, J.D.P., Welzl, E. (eds.) ICALP 2000. LNCS, vol. 1853, pp. 524–535. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45022-X_44

  4. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: CCS 1993, pp. 62–73. ACM (1993)

  5. Cachin, C., Camenisch, J.: Optimistic fair secure computation. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 93–111. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44598-6_6

  6. Chen, L., Kudla, C., Paterson, K.G.: Concurrent signatures. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 287–305. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_18

  7. Ferradi, H., Géraud, R., Maimuţ, D., Naccache, D., Pointcheval, D.: Legally fair contract signing without keystones. In: Manulis, M., Sadeghi, A.-R., Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 175–190. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-39555-5_10

  8. Garay, J., MacKenzie, P., Prabhakaran, M., Yang, K.: Resource fairness and composability of cryptographic protocols. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 404–428. Springer, Heidelberg (2006). https://doi.org/10.1007/11681878_21

  9. Garay, J.A., Jakobsson, M., MacKenzie, P.: Abuse-free optimistic contract signing. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 449–466. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_29

  10. Goldwasser, S., Levin, L.: Fair computation of general functions in presence of immoral majority. In: Menezes, A.J., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 77–93. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-38424-3_6

  11. Guillou, L.C., Quisquater, J.-J.: A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory. In: Barstow, D., et al. (eds.) EUROCRYPT 1988. LNCS, vol. 330, pp. 123–128. Springer, Heidelberg (1988). https://doi.org/10.1007/3-540-45961-8_11

  12. Maimuţ, D., Teşeleanu, G.: A unified security perspective on legally fair contract signing protocols. In: Lanet, J.-L., Toma, C. (eds.) SECITC 2018. LNCS, vol. 11359, pp. 477–491. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-12942-2_35

  13. Maurer, U.: Unifying zero-knowledge proofs of knowledge. In: Preneel, B. (ed.) AFRICACRYPT 2009. LNCS, vol. 5580, pp. 272–286. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02384-2_17

  14. Micali, S.: Simple and fast optimistic protocols for fair electronic exchange. In: PODC 2003, pp. 12–19. ACM (2003)

  15. Ohta, K., Okamoto, T.: On concrete security treatment of signatures derived from identification. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 354–369. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055741

  16. Pinkas, B.: Fair secure two-party computation. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 87–105. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_6

  17. Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_22

Correspondence to George Teşeleanu.

Appendices

A 1-out-of-n Signatures Without Key Separation

A.1 Description

In this section we present a more efficient 1-out-of-n signature. This signature only works when all the participants use the same underlying commutative group. We denote this signature by 1n-NKSS.

  • Setup\((\lambda )\): Choose two commutative groups \(\mathbb G\), \(\mathbb H\), a homomorphism \([\cdot ] : \mathbb G \rightarrow \mathbb H\) and a hash function \(H: \{0,1\}^* \rightarrow \mathcal C \subseteq \mathbb N\). Note that we require that \(|\mathbb G| \ge 2^\lambda \). For each user, choose and compute \(y_i \leftarrow [x_i]\). Output the public key \(pk_i = y_i\). The secret key is \(sk_i = x_i\).

  • Listing(): Collect the public keys and randomly shuffle them. Store the result into a list \(\mathcal L = \{y_j\}_{j \in [0,n)}\) and output \(\mathcal L\).

  • Sign\((m, sk_k, \mathcal L)\): To sign a message \(m \in \{0, 1\}^*\), first generate the random elements and , where \(j \in [0, n) \setminus \{k\}\). Then compute

    $$\begin{aligned} z&\leftarrow [\alpha ] \otimes y_0^{c_0} \otimes \ldots \otimes y_{k-1}^{c_{k-1}} \otimes y_{k+1}^{c_{k+1}} \otimes \ldots \otimes y_{n-1}^{c_{n-1}}\\ c&\leftarrow H(\mathcal L, m, z)\\ c_k&\leftarrow c - c_0 - \ldots - c_{k-1} - c_{k+1} - \ldots -c_{n-1} \bmod c\\ s&\leftarrow \alpha \star x_k^{-c_k}. \end{aligned}$$

    Output the signature \((s, \mathcal W)\), where \(\mathcal W = \{c_j\}_{j \in [0, n)}\).

  • Verify\((m, s, \mathcal W, \mathcal L)\): Compute the values \(u \leftarrow \sum _{j=0}^{n-1} c_j\bmod c\) and \(v \leftarrow [s] \otimes (\otimes _{j=0}^{n-1} y_j^{c_j})\). Output \(\mathtt {true}\) if and only if \(u \equiv H(\mathcal L, m, v) \bmod c\). Otherwise, output \(\mathtt {false}\).

Correctness. If the pair \((s, \mathcal W)\) is generated according to the scheme, it is easy to see that

$$\begin{aligned} v = [s] \otimes (\otimes _{j=0}^{n-1} y_j^{c_j}) = [\alpha ] \otimes [x_k]^{-c_k} \otimes (\otimes _{j=0}^{n-1} y_j^{c_j}) = z \end{aligned}$$

and

$$\begin{aligned} u \equiv \sum _{j=0}^{n-1} c_j \equiv c \equiv H(\mathcal L, m, z) \equiv H(\mathcal L, m, v) \bmod c. \end{aligned}$$
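The Setup, Sign and Verify algorithms of 1n-NKSS above, as an added example (not the paper's own code) instantiated with a toy Schnorr group: \(\mathbb G = (\mathbb Z_q, +)\), \([x] = g^x \bmod p\), and the reduction "mod c" read as reduction modulo \(|\mathcal C| = q\). The parameters, SHA-256 as \(H\), the helper names, and the uniform sampling of \(\alpha\) and of the \(c_j\) are assumptions made for this example.

```python
import hashlib, secrets

# Toy Schnorr-group instantiation (assumed here, far too small to be secure):
# G = (Z_q, +), H = order-q subgroup of Z_p^*, [x] = g^x mod p, C = Z_q.
P, Q, GEN = 2039, 1019, 4  # p = 2q + 1, both prime; 4 has order q

def hom(x):
    """The homomorphism [x] : G -> H."""
    return pow(GEN, x, P)

def challenge(L, m, z):
    """H(L, m, z), reduced into C = Z_q."""
    data = repr((tuple(L), m, z)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1   # sk_i = x_i
    return x, hom(x)                   # pk_i = y_i = [x_i]

def combine(base, L, W, skip=None):
    """base * prod_j y_j^{c_j} in H, leaving out index `skip` if given."""
    for j, (y, c) in enumerate(zip(L, W)):
        if j != skip:
            base = base * pow(y, c, P) % P
    return base

def sign(m, x_k, k, L):
    # Assumption: alpha is uniform in G and each c_j (j != k) uniform in C.
    alpha = secrets.randbelow(Q)
    W = [secrets.randbelow(Q) for _ in L]         # slot k is overwritten below
    z = combine(hom(alpha), L, W, skip=k)
    c = challenge(L, m, z)
    W[k] = (c - sum(W[:k]) - sum(W[k + 1:])) % Q  # c_k closes the sum to c
    s = (alpha - W[k] * x_k) % Q                  # alpha * x_k^{-c_k}, written additively
    return s, W

def verify(m, s, W, L):
    if len(W) != len(L) or not all(0 <= c < Q for c in W + [s]):
        return False
    u = sum(W) % Q
    v = combine(hom(s), L, W)
    return u == challenge(L, m, v)

def demo(n=4, m=b"constructed sample message"):
    keys = [keygen() for _ in range(n)]
    L = [y for _, y in keys]                      # Listing(), shuffle omitted
    # Every member k can produce a signature that verifies against the same L.
    return [verify(m, *sign(m, keys[k][0], k, L), L) for k in range(n)]
```

The verifier sees only \((s, \mathcal W, \mathcal L)\); nothing in the output records which index \(k\) closed the challenge sum, which is the signer-ambiguity property stated in Theorem 6.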

A.2 Security Analysis

Theorem 6’s proof is similar to Theorem 1’s proof and thus is omitted.

Theorem 6

The 1n-NKSS scheme is perfectly signer ambiguous.

Theorem 7

If the following statements are true

  • an euf-cmcpa attack on the 1n-NKSS has non-negligible probability of success in the ROM,

  • an \(\ell \in \mathbb Z\) is known such that \(\gcd (c_0-c_1, \ell ) = 1\) for all \(c_0, c_1 \in \mathcal C\) with \(c_0 \ne c_1\),

  • for all i values, \(u_i \in \mathbb G\) are known such that \([u_i] = y_i^\ell \),

then the homomorphism \([\cdot ]\) can be inverted in polynomial time.

Proof

(sketch). In order to make \(\mathcal A\) work properly we simulate the random oracle that corresponds to the hash function (see Algorithm 1 with i always set to 0) and the signing oracle (see Algorithm 3). Note that \(\mathcal A\) requests at most \(q_s\) and \(q_h\) signing and, respectively, random oracle queries.

The signing oracle \(\mathcal O_S\) fails and returns \(\bot \) only if we cannot assign c to \((L_j, m_j, e)\) without causing an inconsistency in \(T_0\). Thus, \(\mathcal O_S\) is successful with probability at least \((1-q_h/q)^{q_s} \ge 1-q_hq_s/q\). The success probability of \(\mathcal A\) in the simulated environment is \((1-q_hq_s/q)\varepsilon \), where \(\varepsilon \) is \(\mathcal A\)’s success probability.

Let \((m, s, \{c_i\}_{i\in [0,n')}, L)\) be \(\mathcal A\)’s forgery, where \(|L| = n'\). Define \(z \leftarrow [s] \otimes (\otimes _{i=0}^{n'-1} y_i^{c_i})\). Due to the ideal randomness of \(\mathcal O_H\), \(\mathcal A\) queries \(\mathcal O_H\) on \((L, m, z)\) with probability \(1-1/c\). Let \(k \in [0, n')\) be the index of the user associated with the forgery. Then, according to Theorem 6, \(\mathcal A\) will guess k with a probability of \(1/n'\). If we invoke \(\mathcal A\) at most \(1/\varepsilon '\) times, where \(\varepsilon ' = n'(1-q_hq_s/q)(1-1/c)\varepsilon \), then we will find at least one \((\varTheta , \varOmega , \mathcal O_H)\) for which \(\mathcal A\) knows k with probability 3/5. According to the heavy row lemma we are situated on a heavy row \(\mathcal H\) with probability 1/2.

Define \(\mathcal O_{H'}\) as a random oracle identical to \(\mathcal O_H\) except for the \((L, m, z)\) query to which \(\mathcal O_{H'}\) responds with a random element \(c' \ne c\). We rewind the simulation and run \(\mathcal A\) at most \(2/\varepsilon '\) times, but with access to \(\mathcal O_{H'}\) instead of \(\mathcal O_H\). We will be situated on \(\mathcal H\) with a probability of 3/10. Now we can compute

$$\begin{aligned} \tilde{x}_k = u^a \star ({s'}^{-1} \star s)^b, \end{aligned}$$

where a and b are computed using Euclid’s algorithm such that \(\ell a + (c' - c)b = 1\). As in Theorem 2’s proof, we obtain \([\tilde{x}_k]= y_k\).

The overall success probability is \(9/200 = 3/5 \cdot 3/10\) and \(\mathcal A\) is invoked at most \(3/\varepsilon '\) times.    \(\square \)

B Same Group 1-out-of-n Concurrent Signature

B.1 Description

Based on the 1n-NKSS signature we introduce a more efficient concurrent signature (1n-NKSCS) in the non-separable model. In this case, the scheme only uses two cryptographic hash functions \(H_1, H_2:\{0,1\}^* \rightarrow \mathcal C\). The detailed protocol is presented in Fig. 3.

Fig. 3. Same group concurrent signature.

Correctness. If the signature \(\langle s_A, e_A, f \rangle \) is generated according to the scheme, it is easy to see that

$$\begin{aligned}{}[s_A] \otimes y_A^{e_A} \otimes y_B^{f} = [t_A] \otimes [x_A]^{-e_A} \otimes y_A^{e_A} \otimes y_B^{f} = [t_A] \otimes y_B^{f}. \end{aligned}$$

Similarly, we can show correctness for Bob’s side.

B.2 Security Analysis

Theorem 8 is a direct consequence of Theorem 6, and the proofs of Theorems 9 and 10 are omitted due to their similarity to the proofs of Theorems 4 and 5.

Theorem 8

The 1n-NKSCS scheme satisfies the concurrent signature ambiguity property in the ROM.

Theorem 9

Let \(i \in \{A, B\}\). If the following statements are true

  • an euf-cs attack on the 1n-NKSCS has non-negligible probability of success in the ROM,

  • an \(\ell \in \mathbb Z\) is known such that \(\gcd (c_0-c_1, \ell ) = 1\) for all \(c_0, c_1 \in \mathcal C\) with \(c_0 \ne c_1\),

  • for all i values, \(u_i \in \mathbb G\) are known such that \([u_i] = y_i^\ell \),

then the homomorphism \([\cdot ]\) can be inverted in polynomial time.

Theorem 10

The 1n-NKSCS scheme is fair in the ROM.

© 2021 Springer Nature Switzerland AG

Teşeleanu, G. (2021). Concurrent Signatures from a Variety of Keys. In: Yu, Y., Yung, M. (eds) Information Security and Cryptology. Inscrypt 2021. Lecture Notes in Computer Science, vol 13007. Springer, Cham. https://doi.org/10.1007/978-3-030-88323-2_1

  • DOI: https://doi.org/10.1007/978-3-030-88323-2_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-88322-5

  • Online ISBN: 978-3-030-88323-2

  • eBook Packages: Computer Science, Computer Science (R0)
