Withdrawable Signature: How to Call Off a Signature

  • Conference paper
Information Security (ISC 2023)

Abstract

Digital signatures are a cornerstone of security and trust in cryptography, providing authenticity, integrity, and non-repudiation. Despite their benefits, traditional digital signature schemes suffer from inherent immutability, offering no provision for a signer to retract a previously issued signature. This paper introduces the concept of a withdrawable signature scheme, which allows for the retraction of a signature without revealing the signer’s private key or compromising the security of other signatures the signer created before. This property, defined as “withdrawability”, is particularly relevant in decentralized systems, such as e-voting, blockchain-based smart contracts, and escrow services, where signers may wish to revoke or alter their commitment.

The core idea of our construction of a withdrawable signature scheme is to ensure that the parties with a withdrawable signature are not convinced whether the signer signed a specific message. This ability to generate a signature while preventing validity from being verified is a fundamental requirement of our scheme, epitomizing the property of withdrawability. After formally defining security notions for withdrawable signatures, we present two constructions of the scheme based on the pairing and the discrete logarithm. We provide proofs that both constructions are unforgeable under insider corruption and satisfy the criteria of withdrawability. We anticipate our new type of signature will significantly enhance flexibility and security in digital transactions and communications.

This work is partly supported by the Australian Research Council (ARC) Discovery Project DP200100144. W. Susilo is supported by the ARC Laureate Fellowship FL230100033.

Corresponding author

Correspondence to Xin Liu.

Appendices

A Security Definitions of Existing Cryptographic Primitives

Definition 4

(\(\mathrm {EUF\text {-}CMA}\)). Given a signature scheme \(\textsf{DS}=(\textsf{KeyGen},\textsf{Sign},\textsf{Verify})\) and a ppt adversary \(\mathcal {A}\), consider the following game \(\textsf{Exp}^{\mathrm {EUF\text {-}CMA}}_{\mathcal {A}}\):

  • Let SP be the system parameters. The challenger \(\mathcal {B}\) runs the key generation algorithm to generate a key pair \((\textsf{pk}, \textsf{sk})\) and sends \(\textsf{pk}\) to the adversary \(\mathcal {A}\). The challenger keeps \(\textsf{sk}\) to respond to signature queries from the adversary.

  • \(\mathcal {A}\) is given access to an oracle \(\mathcal {O}^{\textsf{Sign}}_{\textsf{sk}}(\cdot )\) such that \(\mathcal {O}^{\textsf{Sign}}_{\textsf{sk}}(\cdot ): \sigma \leftarrow \textsf{Sign}(m,\textsf{sk})\).

  • \(\mathcal {A}\) outputs a message \(m^*\), and returns a forged signature \(\sigma _{m^*}\) on \(m^*\).

  • \(\mathcal {A}\) succeeds if \(\sigma _{m^*}\) is a valid signature of the message \(m^*\) and the signature of \(m^*\) has not been queried in the query phase.

A signature scheme is \(\left( t, q_s, \varepsilon \right) \)-secure in the \(\mathrm {EUF\text {-}CMA}\) security model if there exists no adversary who can win the above game in time t with advantage \(\varepsilon \) after it has made \(q_s\) signature queries.

B Security Proofs of Our Withdrawable Signature

We give the detailed proof of Theorem 3 as follows.

Proof

We show how to build a simulator \(\mathcal {B}\) to provide unforgeability under insider corruption for our withdrawable signature scheme based on Schnorr in the random oracle model.

Setup. Simulator \(\mathcal {B}\) has access to algorithm \(\mathcal {C}\), which provides unforgeability in the random oracle for our underlying Schnorr signature scheme \(\mathsf {Sch.DS}\).

\(\mathcal {C}\) executes the \(\mathrm {EUF\text {-}CMA}\) game of \(\mathsf {Sch.DS}\), denoted as \(\textsf{Exp}^{\mathrm {EUF\text {-}CMA}}_{\mathcal {A}}\) which includes a signing oracle \(\mathcal {O}^{\mathsf {Sch.Sign}}_{\textsf{sk}_s}(\cdot )\), where \(\mathcal {O}^{\mathsf {Sch.Sign}}_{\textsf{sk}_s}(\cdot ):\omega \leftarrow \mathsf {Sch.Sign}(m,\textsf{sk}_s)\). \(\mathcal {B}\) first generates \(\mathcal {S}=\{{\textsf{pk}_1,\cdots ,\textsf{pk}_{s-1},\textsf{pk}_{s+1},\cdots ,\textsf{pk}_{\mu }}\}\), \(\mathcal {C}\) generates \((\textsf{pk}_s,\textsf{sk}_s)\leftarrow \textsf{KeyGen}(1^k)\), \(\mathcal {B}\) then gains \(\textsf{pk}_s\) from \(\mathcal {C}\) and sets \(s\in [1,q_\mu ]\).

\(\mathcal {B}\) now can set the public key set of the signer with a specific (designated) verifier as \(\gamma =\{{\textsf{pk}_s,\textsf{pk}_j}\}\) where \(j\ne s\) and provide \(\gamma \) to \(\mathcal {A}\).

Oracle Simulation. \(\mathcal {B}\) answers the oracle queries as follows.

Corruption Query. The adversary \(\mathcal {A}\) makes secret key queries of public key \(\textsf{pk}_i,i\in [1,\mu ]\) in this phase. If \(\mathcal {A}\) queries for the secret key of \(\textsf{pk}_s\), abort. Otherwise, \(\mathcal {B}\) returns the corresponding \(\textsf{sk}_i\) to \(\mathcal {A}\), and adds \(\textsf{sk}_i\) to the corrupted secret key list \(\mathcal{C}\mathcal{O}\).

H-Query. \(\mathcal {C}\) simulates H as a random oracle, \(\mathcal {B}\) then answers the hash queries of H through \(\mathcal {C}\).

Signature Query. \(\mathcal {A}\) outputs a message \(m_i\) and queries for a withdrawable signature with corresponding signer \(\textsf{pk}_s\) and specific verifier \(\textsf{pk}_j\). If the signer isn’t \(\textsf{pk}_s\), abort. Otherwise, \(\mathcal {B}\) sets \(m_i\) as the input of \(\mathcal {C}\). \(\mathcal {B}\) then asks \(\mathcal {C}\) for the signing output \(\omega _i=\mathsf {Sch.Sign}(m_i,\textsf{sk}_s)\). With \(\omega _i\), \(\mathcal {B}\) can respond to the signature query for the specific verifier \(\textsf{pk}_j\) chosen by \(\mathcal {A}\) as follows:

  • \(\mathcal {O}^{\textsf{WSign}}_{\textsf{sk}_s,\gamma }(\cdot )\): With the output of \(\mathcal {C}\), \(\mathcal {B}\) can compute the withdrawable signature \(\sigma _i\leftarrow \mathcal {O}^{\textsf{WSign}}_{\textsf{sk}_s,\gamma }(\cdot )\) for \(\mathcal {A}\) with \(\omega _i=(t_i,z_i)=(H(m_i,u_i),z_i)\) as:

    1. Randomly choose \(r_i\overset{{}_\$}{\leftarrow }\mathbb {Z}_p^*\)

    2. Compute \(\sigma _{1,i} = g^{z_i}\textsf{pk}_s^{t_i}\), \(\sigma _{2,i}=\textsf{pk}_j^{z_i-r_i\cdot t_i}\), \(\sigma _{3,i}=g^{r_i}\)

    3. \(\sigma _i=(\sigma _{1,i},\sigma _{2,i},\sigma _{3,i})\)

  • \(\mathcal {O}^{\textsf{Confirm}}_{\textsf{sk}_s,\sigma ,\gamma }(\cdot )\): \(\mathcal {B}\) then queries for the Schnorr signature of \(m_i\) again to \(\mathcal {C}\) and returns a corresponding \(\omega _{s,i}=(t_{s,i},z_{s,i})\) instead. With \(\omega _i\), \(\omega _{s,i}\) and \(\sigma _i\), \(\mathcal {B}\) can compute the confirmed signature \(\widetilde{\sigma }_i\leftarrow \mathcal {O}^{\textsf{Confirm}}_{\textsf{sk}_s,\sigma ,\gamma }(\cdot )\) for \(\mathcal {A}\) as follows:

    1. Compute \(\delta _{1,i}=g^{z_{s,i}}\textsf{pk}_s^{t_{s,i}}\), \(\delta _{2,i}=z_{s,i}-r_i\cdot t_{s,i}\).

    2. Randomly choose \(e_{j,i},t_{j,i}\overset{{}_\$}{\leftarrow }\mathbb {Z}_p^*\), \(\delta _{4,i}=t_{j,i}\)

    3. Compute \(\delta _{5,i}=e_{j,i}-r_i\cdot t_{j,i}\)

    4. \(\widetilde{\sigma }_i=(\delta _{1,i},\delta _{2,i},\delta _{3,i},\delta _{4,i},\delta _{5,i})\)

Meanwhile, \(\mathcal {B}\) sets the queried message set as \(\mathcal {M}\leftarrow \mathcal {M}\cup m\) and queried withdrawable signature set as \(\mathcal {W}\leftarrow \mathcal {W}\cup \sigma \).

Forgery. In the forgery phase, \(\mathcal {B}\) returns a withdrawable signature \(\sigma ^*\) for \(\gamma ^*=\{{\textsf{pk}_s,\textsf{pk}_j}\}\) on some \(m^*\) that has not been queried before. Then \(\sigma ^*\) could be transformed into \(\widetilde{\sigma }^*\) under \(\gamma ^*\) correctly. After \(\mathcal {A}\) transforms \(\sigma ^*\) into \(\widetilde{\sigma }^*\), if \(\widetilde{\sigma }^*\) could not be verified through \(\textsf{CVerify}(m^*,\gamma ^*,\sigma ^*,\widetilde{\sigma }^*)\), abort.

Otherwise, if \(\widetilde{\sigma }^*=(\delta _1^*,\delta _2^*,\delta _3^*,\delta _4^*,\delta _5^*)\) is valid, \(\mathcal {B}\) then could obtain a forged signature \(\omega ^*\) for \(\textsf{pk}_s\) on \(m^*\). Since \(\mathcal {B}\) is capable of directly computing \(r^*\cdot t_s^*\), the forged signature \(\omega ^*\) can be determined as: \(\omega ^*=\delta _2^*+r^*\cdot t_s^*\).

Therefore, we can use \(\mathcal {A}\) to break the unforgeability in the \(\mathrm {EUF\text {-}CMA}\) model of our underlying signature scheme \(\mathsf {Sch.DS}\), which contradicts the property of our underlying signature scheme.

Probability of Successful Simulation. All queried signatures \(\omega _i\) are simulatable, and the forged signature is reducible because the message \(m^*\) cannot be chosen for a signature query as it will be used for the signature forgery. Therefore, the probability of successful simulation is \(\frac{1}{2q_{H}-1}\).   \(\square \)

We give the proof of Theorem 4 as follows.

Proof

In our proof of Theorem 4, \(\mathcal {B}\) sets the challenge public key set as \(\gamma =\{{\textsf{pk}_0,\textsf{pk}_1}\}\) and associated secret key set \(\delta =\{{\textsf{sk}_0,\textsf{sk}_1}\}\). The signer is denoted as \(\textsf{pk}_b\) where \(b\overset{{}_\$}{\leftarrow }\{{0,1}\}\), and the specific verifier is denoted as \(\textsf{pk}_{1-b}\).

Oracle Simulation. \(\mathcal {B}\) answers the oracle queries as follows.

H-Query. The adversary \(\mathcal {A}\) makes hash queries in this phase where \(\mathcal {B}\) simulates H as a random oracle.

Signature Query. \(\mathcal {A}\) outputs a message \(m_i\) and queries the withdrawable signature for corresponding signer \(\textsf{pk}_s\) and specific verifier \(\textsf{pk}_j\). \(\mathcal {B}\) responds to the signature queries of \(\mathcal {A}\) as follows:

  • \(\mathcal {O}^{\textsf{WSign}}_{\textsf{sk}_b,\gamma }(\cdot )\): \(e_i\overset{{}_\$}{\leftarrow }\mathbb {Z}_p^*\), \(t_i=H(m_i,g^{e_i})\), \(\sigma _{b,i}=\left( g^{e_i},\textsf{pk}_{1-b}^{z_{b,i}}\right) =\left( g^{e_i},\textsf{pk}_{1-b}^{e_i-\textsf{sk}_b\cdot t_i}\right) \)

Meanwhile, \(\mathcal {B}\) sets \(\mathcal {M}\leftarrow \mathcal {M}\cup m_i\).

Challenge. In the challenge phase, \(\mathcal {A}\) gives \(\mathcal {B}\) a message \(m^*\), where \(m^*\notin \mathcal {M}\). \(\mathcal {B}\) now computes the challenge withdrawable signature of \(m^*\) as \(\sigma ^*_b\) for \(\mathcal {A}\) where \(b\overset{{}_\$}{\leftarrow }\{{0,1}\}\) and \(r^*\overset{{}_\$}{\leftarrow }\mathbb {Z}_p^*\) as follows:

$$\begin{aligned} \sigma ^*_{0}=\left( g^{e^*},\textsf{pk}_1^{z_0^*-r^*\cdot t^*}\right) &=\left( g^{e^*},g^{\textsf{sk}_1(e^*-\textsf{sk}_0\cdot t^*-r^*\cdot t^*)}\right) \\ \sigma ^*_{1}=\left( g^{e^*},\textsf{pk}_s^{z_1^*-r^*\cdot t^*}\right) &=\left( g^{e^*},(g^{e^*})^{\textsf{sk}_1}\textsf{pk}_0^{-\textsf{sk}_1\cdot t^*}g^{-\textsf{sk}_1\cdot r^*\cdot t^*}\right) \\ &=\left( g^{e^*},g^{\textsf{sk}_1(e^*-\textsf{sk}_0\cdot t^*-r^*\cdot t^*)}\right) =\sigma ^*_{0}. \end{aligned}$$

Guess. \(\mathcal {A}\) outputs a guess \(b'\) of b. The simulator outputs true if \(b'=b\). Otherwise, false.

Probability of Breaking the Withdrawability Property. It’s easy to see that \(\sigma ^*_{0}\) and \(\sigma ^*_{1}\) have the same distributions, hence they are indistinguishable. Therefore, the adversary \(\mathcal {A}\) only has a probability 1/2 of guessing the signer’s identity correctly.

Probability of Successful Simulation. There is no abort in our simulation, therefore, the probability of successful simulation is 1.    \(\square \)
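The equality \(\sigma ^*_{0}=\sigma ^*_{1}\) in the Challenge step can be checked numerically. The following is an added example, not code from the paper: it evaluates both lines of the displayed equation in a toy prime-order subgroup. The modulus `P`, order `Q` (playing the role of the paper's exponent modulus \(p\)), generator `G`, SHA-256 standing in for \(H\), and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed toy group, far too small for real use: P = 2*Q + 1 with P, Q prime,
# and G = 4 generates the subgroup of order Q. Exponents are reduced mod Q.
P, Q, G = 2039, 1019, 4


def H(message: bytes, commitment: int) -> int:
    """Stand-in for the random oracle H(m, g^e), mapped to an exponent mod Q."""
    width = (P.bit_length() + 7) // 8
    digest = hashlib.sha256(message + commitment.to_bytes(width, "big")).digest()
    return int.from_bytes(digest, "big") % Q


def keygen():
    """Return (sk, pk) with pk = g^sk."""
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)


def sigma_from_sk0(m: bytes, sk0: int, pk1: int, e: int, r: int):
    """First line of the equation: (g^e, pk_1^(z_0 - r*t)) with z_0 = e - sk_0*t."""
    u = pow(G, e, P)
    t = H(m, u)
    z0 = (e - sk0 * t) % Q
    return u, pow(pk1, (z0 - r * t) % Q, P)


def sigma_from_sk1(m: bytes, sk1: int, pk0: int, e: int, r: int):
    """Second line: (g^e, (g^e)^sk_1 * pk_0^(-sk_1*t) * g^(-sk_1*r*t)), no sk_0 used."""
    u = pow(G, e, P)
    t = H(m, u)
    second = pow(u, sk1, P)
    second = second * pow(pk0, (-sk1 * t) % Q, P) % P
    second = second * pow(G, (-sk1 * r * t) % Q, P) % P
    return u, second


def challenge_values_coincide(trials: int = 200) -> bool:
    """Check sigma*_0 == sigma*_1 for fresh random keys, nonces e and values r."""
    for _ in range(trials):
        sk0, pk0 = keygen()
        sk1, pk1 = keygen()
        e = secrets.randbelow(Q - 1) + 1
        r = secrets.randbelow(Q - 1) + 1
        m = secrets.token_bytes(8)  # constructed sample message
        if sigma_from_sk0(m, sk0, pk1, e, r) != sigma_from_sk1(m, sk1, pk0, e, r):
            return False
    return True


if __name__ == "__main__":
    print("sigma*_0 == sigma*_1 for all trials:", challenge_values_coincide())
```

Because the two computations agree for every choice of keys, \(e^*\) and \(r^*\), the challenge value carries no information about which secret key produced it, which is the step the proof relies on.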

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Liu, X., Baek, J., Susilo, W. (2023). Withdrawable Signature: How to Call Off a Signature. In: Athanasopoulos, E., Mennink, B. (eds) Information Security. ISC 2023. Lecture Notes in Computer Science, vol 14411. Springer, Cham. https://doi.org/10.1007/978-3-031-49187-0_28

  • DOI: https://doi.org/10.1007/978-3-031-49187-0_28

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-49186-3

  • Online ISBN: 978-3-031-49187-0

  • eBook Packages: Computer Science, Computer Science (R0)
