Content uploaded by Willy Susilo
Author content
All content in this area was uploaded by Willy Susilo
Content may be subject to copyright.
Content uploaded by Willy Susilo
Author content
All content in this area was uploaded by Willy Susilo
Content may be subject to copyright.
Content uploaded by Willy Susilo
Author content
All content in this area was uploaded by Willy Susilo
Content may be subject to copyright.
Generic Construction of (Identity-based)
Perfect Concurrent Signatures ⋆
Sherman S.M. Chow1and Willy Susilo2
1Department of Computer Science
Courant Institute of Mathematical Sciences
New York University, NY 10012, USA
schow@cs.nyu.edu
2Center for Information Security Research
School of Information Technology and Computer Science
University of Wollongong, Wollongong 2522, Australia
wsusilo@uow.edu.au
Abstract. The notion of concurrent signatures was recently introduced
by Chen, Kudla and Paterson. In concurrent signature schemes, two en-
tities can produce two signatures that are not binding, until one of the
parties releases an extra piece of information (namely the keystone). Sub-
sequently, it was noted that the concurrent signature scheme proposed
in the seminal paper cannot provide perfect ambiguity. Then, the notion
of perfect concurrent signatures was introduced. In this paper, we define
the notion of identity-based (or ID-based) perfect concurrent signature
schemes. We provide the first generic construction of (ID-based) perfect
concurrent signature schemes from ring signature schemes. Using the
proposed framework, we give two concrete ID-based perfect concurrent
signature schemes based on two major paradigms of ID-based ring sig-
nature schemes. Security proofs are based on the random oracle model.
Keywords: Concurrent Signatures, Perfect Ambiguity, Fair-Exchange,
Ring Signatures, Identity-based Signatures, Bilinear Pairing
1 Introduction
Consider the situation where a customer Alice would like to make a purchase
request of a physical item from a shop owner Bob. One of the ways to do the
transaction is asking Alice to sign firstly a payment instruction to pay Bob the
price of the item. Then, Bob agrees by signing a statement that he authorizes
Alice to pick the item up from the store, which will be sent via an email or other
means upon receiving Alice’s signature. We would like to make sure that both
parties (the customer and the shop owner in our case) get the other party’s item,
⋆This is the revised version of our ICICS 2005 paper. We note that our original
protocol fails to satisfy the fairness requirement due to an attack similar to the one
in [14]. After a slight modification similar to the suggestion attributed to [14], the
attack against the fairness is avoided.
or no party gets the other party’s item at the end of a transaction, that is, the
principle of fair exchange. For purchase occurred in a face-to-face manner, people
have a higher confidence in getting back the other party’s item shortly after
giving out his or her item to be exchanged. However, to achieve fair exchange
over Internet, in which two parties are mutually distrustful, is not a trivial task.
Concurrent signature can help when the full power of fair exchange is not
necessary [6]. A pair of concurrent signatures can be made binding at the same
time, i.e. when Alice picks up the item from Bob’s store. At this time, Alice’s
signature (i.e. payment instruction) will be binding and Bob’s signature (to allow
Alice to pick up the item) will also be binding concurrently.
Subsequently, [13] noted that the concurrent signature scheme proposed in
[6] cannot provide perfect ambiguity if both signers are known to be trustworthy.
With the aim of further anonymizing the signatures before the signatures are
made binding, the notion of perfect concurrent signatures was introduced.
1.1 Related Work
Fair exchange of signature is a fundamental research problem in cryptography.
Fairness in exchanging signatures is normally achieved with the help of a trusted
third party (TTP) (which is often offline [2]). There were some attempts where
a fair exchange of signatures can be achieved with a “semi-trusted” TTP who
can be called upon to handle disputes b etween signers [1, 9]. This type of fair
exchange is also referred to as an optimistic fair exchange. The well-known open
problem in fair exchange is the requirement of a dispute resolving TTP whose
role cannot be replaced by a normal certification authority (CA).
In [12], the notion of ring signatures was formalized and an efficient scheme
based on RSA was proposed. A ring signature scheme allows a signer who knows
at least one piece of secret information (or a trapdoor) to produce a sequence of
nrandom permutations and form them into a ring. This ambiguous signature
can be used to convince any third party that one of the people in the group (who
knows the trapdoor information) has authenticated the message on behalf of the
group. The authentication provides signer ambiguity, in the sense that no one
can identify who has actually signed the message. The ID-based version of ring
signature schemes was introduced in [15]. After that, a number of ID-based ring
signature schemes were proposed. A recent study [7] showed that these schemes
can be classified into two major paradigms, namely, the conversation from non-
ID-based ring signature and the extension from ID-based signature. Please refer
to [7] for a more detailed review of ID-based ring signature schemes.
1.2 Our Contributions
We define the notion of ID-based perfect concurrent signatures, which is the
strongest notion (in terms of privacy) of concurrent signature currently available.
We provide a generic construction of both non-ID-based and ID-based perfect
concurrent signature schemes from ring signatures, which is the first discussion
in the literature. We illustrate our idea by two schemes from each of two major
paradigms of existing ID-based ring signature schemes. Both of them enjoy short
signature length which is only one group element on elliptic curve larger than
most existing ID-based signature schemes, our second scheme is also efficient in
the sense that no pairing operation is required for the generation of signature.
1.3 Paper Organization
The rest of this paper is organized as follows. The next section reviews some
notions that will be used throughout this paper. Section 3 provides a model of
ID-based perfect concurrent signature schemes together with its security require-
ments. We also present a generic construction of (ID-based) perfect concurrent
signature protocol in this section. In Section 4 and Section 5, we provide two
concrete ID-based perfect concurrent signature schemes. Section 6 concludes the
paper and discusses future research direction.
2 Preliminaries
2.1 Basic Concepts on Bilinear Pairings
Let G1,G2be cyclic additive groups generated by P1, P2, respectively, whose
order are a prime q. Let GMbe a cyclic multiplicative group with the same
order q. We assume there is an isomorphism ψ:G2→G1such that ψ(P2) = P1.
Let ˆe:G1×G2→GMbe a bilinear mapping with the following properties:
1. Bilinearity: ˆe(aP, bQ) = ˆe(P, Q)ab for all P∈G1, Q ∈G2, a, b, ∈ZZq.
2. Non-degeneracy: There exists P∈G1, Q ∈G2such that ˆe(P, Q)6= 1.
3. Computability: There exists an efficient algorithm to compute ˆe(P, Q) for all
P∈G1, Q ∈G2.
For simplicity, hereafter, we set G1=G2and P1=P2. We note that our scheme
can be easily modified for a general case, when G16=G2.
A bilinear pairing instance generator is defined as a probabilistic polyno-
mial time algorithm I G that takes as input a security parameter ℓand returns
a uniformly random tuple params = (p, G1,GM,ˆe, P ) of bilinear parameters,
including a prime number pof size ℓ, a cyclic additive group G1of order q, a
multiplicative group GMof order q, a bilinear map ˆe:G1×G1→GMand a
generator Pof G1. For a group Gof prime order, we denote the set G∗=G\{O}
where Ois the identity element of the group.
2.2 Complexity Assumption
Definition 1. Computational Co-Diffie-Hellman (Co-CDH) Problem.
Given a randomly chosen (P1, P2, aP1, bP2), where P1, P2∈G1,a, b ∈ZZ∗
q, and
a, b are unknown, compute abP2∈GM.
Definition 2. Co-CDH Assumption.
If IG is a Co-CDH parameter generator, the advantage AdvIG (A)that an al-
gorithm Ahas in solving the Co-CDH problem is defined to be the probabil-
ity that the algorithm Aoutputs abP2on inputs G1,GM, P1, P2, aP1, bP2, where
(G1,GM)is the output of IG for sufficiently large security parameter ℓ,P1, P2
are random generators of G1and a, b are random elements of ZZ∗
q. The Co-CDH
assumption is that AdvIG (A)is negligible for all efficient algorithms A.
2.3 Review on Concurrent Signatures
In concurrent signatures, there are two parties involved in the protocol, namely
Aand B(or Alice and Bob, respectively). At first, both parties’ signatures are
ambiguous from any third party’s point of view, but they will be simultaneously
binding after an additional information, called a “keystone” is released by one
of the participants. Since one party is required to create a keystone and send
the first message to the other party, we call this party the initial signer. A party
who responds to the initial signature by creating another signature is called a
matching signer. We note that if Alice does not release the keystone, then the
transaction cannot be completed, although Bob would like to do so. Nevertheless,
there are many scenarios where this type of signature schemes is applicable [6].
Similar to the definition in [6], concurrent signatures are digital signature
schemes that consist of the following algorithms:
–SETUP: A probabilistic algorithm that accepts a security parameter ℓ, out-
puts the descriptions of the message space M, the signature space S, the key-
stone space K, the keystone footprint space F, a function KSGEN :K → F
and any other parameters π.
–KEYGEN: A probabilistic algorithm that accepts a security parameter ℓ,
outputs the public key yi; together with the corresponding private key xito
be kept secretly.
–ASIGN: A probabilistic algorithm that accepts (yi, yj, xi, h1, h2, m), where
h1, h2∈ F,yi,yj6=yiare public keys, xiis the private key corresponding to
yi, and m∈ M, outputs a signer-ambiguous signature σ= (s, h1, h2) where
s∈ S, and h1, h2are the sources of randomness used in generating s.
–AVERIFY: An algorithm that accepts S= (σ, yi, yj, m), where σ= (s, h1, h2),
s∈ S,h1, h2∈ F ,yiand yjare public keys, and m∈ M, outputs accept or
reject. The symmetric property of AVERIFY requires AVERIFY(σ′, yj, yi, m)
=AVERIFY(σ, yi, yj, m) for σ′= (s, h2, h1).
–VERIFY: An algorithm that accepts (k , S) where k∈ K is a keystone and Sis
of the form S= (σ, yi, yj, m), where σ= (s, h1, h2) with s∈ S,h1, h2∈ F,
yiand yjare public keys, and m∈ M. The algorithm verifies whether
KSGEN (k)?
=h2holds. If it does not hold, then it terminates with output
reject. Otherwise, it runs AVERIFY(S).
As discussed in the introduction, the concrete construction of concurrent sig-
nature schemes in [6] cannot provide perfect ambiguity in certain situations. In
their scheme, the two signatures have an explicit relationship that can be eas-
ily observable by any third party. Consequently, when the two signers are well
known to be honest that will always conform to the protocol, then any third party
would trust that the signatures are valid. Since the signatures can be identified
even before the keystone is released, it contradicts with the requirement of con-
current signatures. Concurrent signature schemes with perfect ambiguity were
considered in [13]. They presented two schemes based on the discrete logarithm
problem and bilinear pairings. Their constructions are based on the framework
proposed by [6], and they have not considered the generic construction of perfect
concurrent signature schemes.
3 Generic Framework and Security Notions
We note that the algorithms listed out by [6] may not be enough to cater for the
need of perfect ambiguity. In view of this, we provide a new generic framework.
3.1 Building Blocks
Firstly, we provide a formal definition of the algorithm used in our generic con-
struction of perfect concurrent signature schemes, by incorporating some el-
ements from the notion introduced in [6]. Notice that to achieve the perfect
ambiguity, we no longer require the matching signer to use the same keystone
footprint as the initial signer. Beside, a pair of keystones is used instead of a
single one. We also describe the essential properties of these algorithms for the
construction of perfect concurrent signature schemes.
Definition 3. A perfect concurrent signature scheme is a digital signature scheme
that consists of the following algorithms:
–SETUP: A probabilistic algorithm that on input a security parameter ℓ, out-
puts the system parameters params which is the descriptions of the message
space M, the signature space S, the random coin space R, the keystone space
K, the keystone footprint space Fand the encrypted keystone space K′. Note
that we do not include params explicitly as the input in the following de-
scriptions.
–KEYGEN: A probabilistic algorithm that is invoked by a participant ID. The
algorithm outputs a public key QID and the corresponding the secret key SID.
–FOOTPRINT: A deterministic algorithm that on input a keystone k∈ K, it
outputs the corresponding keystone footprint f∈ F.
–ASIGN: A probabilistic algorithm that on inputs (IDi,IDj,SIDi, α, f, m), where
α, f ∈ F ,IDi,IDjare the identities of the participants, SIDiis the secret
key associated with IDi, and m∈ M, outputs an ambiguous signature σ=
{Ui, Uj, V }on m.
–ENC-MATCHING-KEYSTONE: A deterministic algorithm that on input a
random factor r∈ R and a public key QIDi, it outputs the matching keystone
kM∈Kand the corresponding encrypted matching keystone KM∈ K′.
–DEC-MATCHING-KEYSTONE: A deterministic algorithm that on inputs an
encrypted matching keystone KM∈ K′and a secret key SIDi, outputs a
matching keystone footprint kM∈ K.
–AVERIFY: A deterministic algorithm that takes as input S= (σ, IDi,IDj, m)
and outputs accept or reject. It should be symmetric in the sense that
AVERIFY(σ, IDi,IDj, m) = AVERIFY(σ′,IDj,IDi, m)for σ′={Uj, Ui, V }.
–VERIFY-CONNECTION: A deterministic algorithm that on input a pair of
signatures σi={Ui, Uj, V }and σj={U′
i, U ′
j, V ′}and a pair of keystone
footprint fIand fM, it outputs accept or reject depending whether Uj=fI
and U′
i=Uj⊗fM, where ⊗is the operator of the group F.
–VERIFY: A deterministic algorithm that takes as input (kI, kM, S, S′), where
(kI, kM)∈ K × K,S= (σ, IDi,IDj, m)and S′= (σ′,IDj,IDi, m′). The algo-
rithm verifies if all of the following return trues.
1. VERIFY-CONNECTION(σ, σ′,FOOTPRINT(kI),FOOTPRINT(kM)),
2. AVERIFY(S), and
3. AVERIFY(S′)
3.2 ID-based Scenario
For ID-based perfect concurrent signature, we need to modify the SETUP algo-
rithm described and replace KEYGEN algorithm by a new EXTRACT algorithm
in the above definition.
Definition 4. An ID-based perfect concurrent signature scheme requires the fol-
lowing algorithms:
–SETUP: A probabilistic algorithm that on input a security parameter ℓ, out-
puts descriptions of the set of participants U, the message space M, the
signature space S, the keystone space K, the keystone footprint space F, and
the encrypted keystone space K′. The algorithm also outputs the public key
of the private key generator (PKG) and the master secret key of the PKG
for the extraction of user’s private key.
–EXTRACT: A deterministic algorithm that is invoked by a participant and the
PKG. On input an ID of a participant, the algorithm outputs a participant’s
secret key SID .
3.3 Generic Construction
In this section, we describe a generic construction of (ID-based) concurrent sig-
nature protocol. We highlight the properties of the algorithm involved. There
are two parties, namely A(Alice) and B(Bob) that are involved in the protocol.
Without losing generality, we assume that Ais the initial signer and Bis the
matching signer. The protocol works as follows.
Firstly, CA/PKG runs the SETUP algorithm to determine the public param-
eters of the scheme. Then, depending on whether the scheme is ID-based, user
invokes the corresponding algorithm to get the public-private key pair.
More specifically, for non-ID-based scenario, both Aand Brun KEYGEN
to generate a public-private key pair (denoted by (QIDA,SIDA) and (QIDB,SIDB)
respectively), register the public key and the identity with the CA, and possi-
bly provides a proof-of-knowledge of the private key to the CA as well. After
authentication (and the checking of the proof-of-knowledge), the CA issues a
digital certificate binding the relation of the purported identity to the user.
For the ID-based scenario, both Aand Bvisit the PKG and engage in the
EXTRACT algorithm to obtain their secret key SIDAand SIDB, respectively. The
identities of Aand Bare available publicly as IDAand IDB, together with public
hash functions H0:{0,1}∗→G1. Hence, the public key QIDican be computed
by anyone (for instance, by computing QIDi=H0(IDi)).
After both users got their corresponding key pair, the protocol is as follows.
1. Apicks a random initial keystone kI∈ K and executes the FOOTPRINT
algorithm using kIas the input to obtain fI∈ F.
A good candidate for FOOTPRINT is a cryptographic hash function, for its
one-wayness, i.e. given yfrom the range of the function, it is hard to invert
the function and find a pre-image x.
2. Aselects a message mA∈ M, together with her identity IDAand B’s
identity IDB, computes her ambiguous signature as σA={UA, UB, V } ←
ASIGN(IDA,IDB,SIDA,OF, fI, mA) where OFdenotes the identity element
of the group F. (OFis used to unify the list of input parameters used by IDA
and IDBfor the ASIGN algorithm, which merely means that Acan skip a
certain group operation inside the ASIGN algorithm that is used to connect
B’s signature with A’s.) Athen sends σAto B.
We require that the ASIGN algorithm to be able to produce ambiguous sig-
nature σsuch that any one can get convinced that either SIDAor SIDBis used
as the input but does not know exactly which one with probability greater
than 1/2. Moreover, there are two parts (which can be implicitly) involved
with the signature such that the first part can be chosen arbitrary while the
value of another part must be depending on the first part. Most of existing
ring signature schemes satisfy these properties.
3. Upon receiving A’s ambiguous signature σA,Bverifies the signature by
testing whether AVERIFY(σA,IDA,IDB, mA)?
=accept holds. Baborts if
the above equation does not hold.
Obviously, the AVERIFY algorithm is simply the one matching with the
ASIGN algorithm.
4. Bselects rfrom the random coin space Rand executes the ENC-MATCHING-
KEYSTONE algorithm using ras the input to obtain a matching keystone
kM∈ K and the encrypted matching keystone footprint KM∈ K′.
We require that the value of kMis uniquely determined by rand SIDAand
cannot be computed without the knowledge of SIDAor r, All these properties
can be achieved by key encapsulation (KEM), such that ris the randomness
used in encryption, kMis the key produced and KMis the ciphertext. The
value of kMcan be recovered by using the ciphertext KMand the recipient’s
private key SIDA.
5. Bpicks a message mB∈ M to sign. Bproduces the matching keystone
footprint fMby FOOTPRINT(kM) and computes his ambiguous message
σB={U′
A, U ′
B, V ′} ← ASIGN(IDB,IDA,SIDB, UB, fM, mB) This signature
together with the encrypted matching keystone KMis sent to A.Athen use
DEC-MATCHING-KEYSTONE to get the matching keystone kM.
Obviously, DEC-MATCHING-KEYSTONE can be built from the key decap-
sulation algorithm corresponding to ENC-MATCHING-KEYSTONE.
6. Upon receiving B’s ambiguous signature σB,Areproduces the matching
keystone footprint by fM=FOOTPRINT(kM), and verifies the signature by
testing whether
–VERIFY-CONNECTION(σA, σB, fI, fM)?
=accept and
–AVERIFY(σB,IDB,IDA, mB)?
=accept
hold. If not, then Aaborts. Otherwise, Areleases the keystone pair (kI, kM)
to B, and both signatures are binding concurrently.
3.4 Security Notions
As the original model of concurrent signatures in [6], we require a perfect con-
current signatures (either ID-based or not) to satisfy correctness,ambiguity,
unforgeability and fairness. Intuitively, these notions are described as follows.
Note that we follow the definition of ambiguity in [13] instead of the one in [6].
–Correctness: If a signature σhas been generated correctly by invoking ASIGN
algorithm on a message m∈ M,AVERIFY algorithm will return “accept”
with an overwhelming probability, given a signature σon mand a security
parameter ℓ. Moreover, after the keystone-pair (kI, kM)∈ K × K, is released,
then the output of VERIFY algorithm will be “accept” with an overwhelming
probability.
–Ambiguity: We require that given the two ambiguous signatures (σ1, σ2), any
adversary will not be able to distinguish who was the actual signer of the
signatures before the keystone is released. Any adversary can only conclude
that one of the following events has occurred:
1. Both σ1and σ2were generated by the initial signer.
2. Both σ1and σ2were generated by the matching signer.
3. The initial signer generated σ1while the matching signer generated σ2.
4. The matching signer generated σ1while the initial signer generated σ2.
All these cases are equally probable from the adversary’s view.
–Unforgeability: There are two levels of unforgeability to be considered.
•Level 1: When an adversary Adoes not have any knowledge of the respec-
tive secret key SID, then no valid signature that will pass the AVERIFY
algorithm can be produced. Otherwise, one of the underlying hard prob-
lems can be solved by using this adversary’s capability. This requirement
is for the matching signer to get convinced that the signature presented
by the initial signer is indeed originated from her.
•Level 2: Any party cannot frame the other party that he or she has in-
deed signed a message. We require that although both signatures are
ambiguous, any party who would like to frame (or cheat) the others will
not be able to produce a valid keystone with an overwhelming proba-
bility. This means that the first signature can only be generated by the
initial signer and it is unforgeable by anyone else, including the matching
signer. At the same time, the second signature can only originate from
the matching signer, which is unforgeable by any person other than him,
including the initial signer.
–Fairness: We require that any valid ambiguous signatures generated using
the same keystone will all become binding after the keystone is released.
Hence, a matching signer cannot be left in a position where a keystone
binds his signature to him whilst the initial signer’s signature is not binding
to her. This requirement is important for the case like the initial signer
try to present a signature of another message after the matching signer has
verified the validity of the original message and complete his part of protocol.
However, we do not require that the matching signer will definitely receive
the necessary keystone.
Definition 5. An ID-based perfect concurrent signature scheme is secure if it
is existentially unforgeable under a chosen message attack, ambiguous and fair.
4 A Concrete Instantiation
We present a concrete ID-based perfect concurrent signature scheme using the
above general construction, with the ID-based ring signature scheme proposed by
Zhang and Kim [15] and the key encapsulation mechanism of ID-based encryp-
tion scheme proposed by Boneh and Franklin [4]. Using our generic construction
in Section 3, we define the required nine algorithms.
–SETUP: The PKG selects a random number s∈ZZ∗
qand sets Ppub =sP .
It selects three cryptographic hash functions H0:{0,1}∗→G1and H1:
{0,1}∗→ZZq. It publishes system parameters params ={G1,GM,ˆe, q, P,
Ppub, H0, H1},and keeps sas the master secret key. The algorithm also sets
M={0,1}∗,R=F=ZZq,K=GMand K′=G1.
–EXTRACT: The EXTRACT algorithm is defined as follows.
1. A user Uisubmits his or her identity IDito the PKG.
2. After a successful identification, PKG generates Uisecret key as follows.
•Compute QIDi=H0(IDi).
•Compute Ui’s secret key as SIDi=sQIDi.
•Deliver SIDias user Ui’s secret key through a private and authenti-
cated channel.
–FOOTPRINT: This algorithm outputs f=H1(k) as the keystone footprint
for keystone k.
–ASIGN: The ASIGN algorithm accepts the following parameters (IDi,IDj,
SIDi, α, f, m), where SIDiis the secret key associated with QIDi,f∈ F and
m∈ M is the message. The algorithm will perform the following.
1. Select a random point Z∈G∗
1.
2. Set uj←α·f.
3. Compute u0=H1m||(IDi⊕IDj)||ˆe(Z, P )ˆe(ujQIDj, Ppub).
4. Compute V=u−1
0(Z−(u0−uj)SIDi).
5. Output σ= (ui=u0−uj, uj, V ) as the signature on message m.
–ENC-MATCHING-KEYSTONE: For a random coin r∈ R, this algorithm out-
puts KM=rP as the encrypted keystone. It also returns km= ˆe(QIDi, P )r
as the matching keystone.
–DEC-MATCHING-KEYSTONE: This algorithm returns ˆe(KM,SIDi).
–AVERIFY. This algorithm accepts (σ, IDi,IDj, m), where σ= (ui, uj, V ). The
algorithm verifies whether
ui+uj
?
=H1m||(IDi⊕IDj)||ˆe(V , P )(ui+uj)ˆe(uiQIDi, Ppub)ˆe(ujQIDj, Ppub)
holds with equality. If so, then output accept. Otherwise, output reject.
–VERIFY-CONNECTION: This algorithm outputs accept if both uj=fIand
u′
i=uj·fMhold, reject otherwise.
–VERIFY. This algorithm does exactly the thing as described in our generic
framework.
Correctness.
The correctness of the above proposed scheme is justified as follows.
ui+uj=H1m||(IDi⊕IDj)||ˆe(V, P )(ui+uj)ˆe(uiQIDi, Ppub )ˆe(ujQIDj, Ppub )
u0=H1m||(IDi⊕IDj)||ˆe((ui+uj)V+uiSIDi, P )ˆe(ujQIDj, Ppub )
=H1m||(IDi⊕IDj)||ˆe(u0V+ (u0−uj)SIDi, P )ˆe(ujQIDj, Ppub )
=H1m||(IDi⊕IDj)||ˆe(Z, P )ˆe(ujQIDj, Ppub)
4.1 Security Consideration
The security proofs are presented in the Appendix.
Theorem 1. (Ambiguity) Before the keystone kis released, both signatures
are ambiguous.
Lemma 1. When the output of VERIFY is accept, then any third party can
be sure who has generated the signature. Any party cannot frame that the other
party has signed a message without his or her consent assuming the one-way
property of the hash function. This guarantees that the signature is unforgeable.
Theorem 2. (Unforgeability) The scheme presented in this section is exis-
tentially unforgeable under a chosen message attack in the random oracle model,
assuming the one-way property of the hash function, the hardness of the discrete
logarithm problem and the Co-CDH assumption.
Theorem 3. (Fairness) For all signatures that are generated with the same
keystone will be binding concurrently when the keystone is released.
Theorem 4. Our ID-based perfect concurrent signature scheme presented in
this scheme is secure in the random oracle model, assuming the hardness of the
discrete logarithm problem.
4.2 Signature Length
In the above scheme, each signature is a three-tuple σi= (u1, u2, V ), where
u1, u2∈ZZqand V∈G1. Using any of the families of curves described in [5],
one can take qto be a 170-bit prime and use a group G1where each element
is 171 bits. For example, G1is derived from the curve E/GF (397) defined by
y2=x3−x+1, which has 923-bit discrete-logarithm security. With these choices,
the total signature length for a pair of signature is 1,022 bits or 128 bytes.
5 A More Efficient Construction
Now we present a more efficient variant of ID-based perfect concurrent signature,
which requires no pairing operation in signing without sacrificing the computa-
tional efficiency of verification or other steps. Again, the construction follows our
idea of generic construction in Section 3. We utilize the ID-based ring signature
scheme proposed by Chow et al. [8] and the key encapsulation mechanism of
ID-based encryption scheme in [4].
–SETUP: Basically it is the same as our first scheme, but the keystone foot-
print space becomes F=G1and we need another cryptographic hash func-
tion H2:{0,1}∗→G1.
–EXTRACT, ENC-MATCHING-KEYSTONE, DEC-MATCHING-KEYSTONE:
The same as our first scheme.
–FOOTPRINT: The same as our first scheme, except H2is used instead of H1.
–ASIGN: The input of this algorithm includes two identities IDiand IDj, a
private key SIDi, a message m, a G1element α, and a G1element f.
1. Compute Uj=α+fand hj=H1(m||(IDi⊕IDj)||Uj).
2. Choose r′i∈RZ∗
q, compute Ui=r′iQIDi−Uj−hjQIDj.
3. Compute hi=H1(m||(IDi⊕IDj)||Ui) and V= (hi+r′i)SIDi.
4. Output the signature σ={Ui, Uj, V }.
–AVERIFY: The input of this algorithm includes two identities IDiand IDj, a
message m, and a ring signature σ={Ui, Uj, V }.
1. Compute hi=H1(m||(IDi⊕IDj)||Ui) and hj=H1(m||(IDi⊕IDj)||Uj).
2. Return accept if ˆe(Ppub , Ui+hiQIDi+Uj+hjQIDj) = ˆe(P, V ), reject
otherwise.
–VERIFY-CONNECTION: This algorithm outputs accept if both UJ=fIand
U′
i=Uj+fMhold, reject otherwise.
–VERIFY: The same as our first scheme.
Correctness.
The correctness of our second scheme is justified as follows.
ˆe(Ppub, Ui+hiQIDi+Uj+hjQIDj)
= ˆe(Ppub, r′iQIDi−Uj−hjQIDj+hiQIDi+Uj+hjQIDj)
= ˆe(sP, (hi+r′i)QIDi) = ˆe(P, (hi+r′i)SIDi)
5.1 Security Consideration
Again, please find the security proofs in the Appendix.
Theorem 5. (Ambiguity) Before the keystone kis released, both signatures
are ambiguous.
Lemma 2. When the output of VERIFY is accept, then any third party can
be sure who has generated the signature. Any party cannot frame that the other
party has signed a message without his or her consent assuming the one-way
property of the hash function. This guarantees that the signature is unforgeable.
Theorem 6. (Unforgeability) The scheme presented in this section is exis-
tentially unforgeable under a chosen message attack in the random oracle model,
assuming the one-way property of the hash function, the hardness of the discrete
logarithm problem and the Co-CDH assumption.
Theorem 7. (Fairness) For all signatures that are generated with the same
keystone will be binding concurrently when the keystone is released.
Theorem 8. Our ID-based perfect concurrent signature scheme presented in
this scheme is secure in the random oracle model, assuming the hardness of the
discrete logarithm problem.
5.2 Signature Length and Efficiency
In this scheme, each signature is a three-tuple (U1, U2, V ), where U1, U2, V ∈G1.
With the same setting as our first scheme, our second scheme only requires 1,026
bits or 129 bytes for a pair of signatures. Hence, the signature is nearly as short as
that of the first one. This signature length is only one group element on elliptic
curve larger than most existing ID-based signature schemes (for example, see
the review in [3]). Our second scheme inherits the efficiency of the underlying
scheme by Chow et al. [8], such that no pairing operation is needed for signing,
with a normal computational cost for other algorithms of the protocol.
6 Conclusion and Future Research Direction
We introduced the notion of ID-based perfect concurrent signatures, which is an
extension of the notion of concurrent signatures proposed in [6]. We provided the
first generic construction of (ID-based) perfect concurrent signature protocol in
the literature. We presented two concrete constructions of ID-based perfect con-
current signature schemes based on our generic framework. Our second scheme
requires no pairing operation in signing. We also provided a complete security
analysis for our schemes on their ambiguity, fairness and unforgeability.
Recently, a new ID-based ring signature scheme was proposed [10]. Instead
of following the existing paradigms of ID-based ring signature constructions, the
scheme is constructed using a cryptographic primitive known as accumulator
(e.g. see [10]). It would be interesting to see if concurrent signature could be
realized from cryptographic accumulator.
References
1. N. Asokan, Victor Shoup, and Michael Waidner. Optimistic Fair Exchange of
Digital Signatures. IEEE Journal on Selected Areas in Communications, 18, 2000.
2. Feng Bao, Robert H. Deng, and Wenbo Mao. Efficient and Practical Fair Exchange
Protocols. In IEEE Symposium on Security and Privacy 1998, pp. 77–85, 1998.
3. Mihir Bellare, Chanathip Namprempre, and Gregory Neven. Security Proofs for
Identity-Based Identification and Signature Schemes. In Adv in Cryptology - Eu-
rocrypt 2004, LNCS 3027, pp. 268–286, 2004.
4. Dan Boneh and Matt Franklin. Identity-based Encryption from the Weil Pairing.
In Adv in Cryptology - Crypto 01, LNCS 2139, pp. 213–229, 2001.
5. Dan Boneh, Ben Lynn, and Hovav Shacham. Short Signatures from the Weil
Pairing. Adv in Cryptology - Asiacrypt 2001, LNCS 2248, pp. 514–532, 2001.
6. Liqun Chen, Caroline Kudla, and Kenneth G. Paterson. Concurrent Signatures.
In Adv in Cryptology - Eurocrypt 2004, LNCS 3027, pp. 287–305, 2004.
7. Sherman S.M. Chow, Richard W.C. Lui, Lucas C.K. Hui, and Siu Ming Yiu. Iden-
tity Based Ring Signature: Why, How and What Next. EuroPKI 2005, LNCS
3545, pp. 144-161, 2005.
8. Sherman S.M. Chow, Siu Ming Yiu, and Lucas C.K. Hui. Efficient Identity Based
Ring Signature. Applied Crypto and Network Security - ACNS 2005, LNCS 3531,
pp. 499-512, 2005.
9. Yevgeniy Dodis and Leonid Reyzin. Breaking and Repairing Optimistic Fair Ex-
change from PODC 2003. ACM Workshop on Digital Rights Management, 2003.
10. Lan Nguyen. Accumulators from Bilinear Pairings and Applications. Topics in
Cryptology - CT-RSA 2005, LNCS 3376, pp. 275–292, 2005.
11. David Pointcheval and Jacques Stern. Security Proofs for Signature Schemes. Adv
in Cryptology - Eurocrypt 1996, LNCS 1070, pp. 387 – 398, 1996.
12. Ronald L. Rivest, Adi Shamir, and Yael Tauman: How to Leak a Secret. Adv in
Cryptology - Asiacrypt 2001, LNCS 2248, pp. 552 – 565, 2001.
13. Willy Susilo, Yi Mu and Fangguo Zhang. Perfect Concurrent Signature Schemes.
Inf and Comm Security - ICICS 2004, LNCS 3269, pp. 14–26, 2004.
14. Guilin Wang, Feng Bao and Jianying Zhou. The Fairness of Perfect Concurrent
Signature. To appear in Inf and Comm Security - ICICS 2006, also appear at
Cryptology ePrint Archive, Report 2006/226.
15. Fangguo Zhang and Kwangjo Kim. ID-based Blind Signature and Ring Signature
from Pairings. Adv in Cryptology - Asiacrypt 2002, LNCS 2501, pp. 533 – 547.
Appendix
Proof of Theorem 1. The ambiguity of the signatures is clear since from any third
party’s viewpoint, it is either Aor Bwho has generated such signature, but the
third party cannot be sure who has signed the signatures. Both parties could
have generated the signatures by himself or herself. To justify this argument, it
is sufficient for us to show that any party can generate both signatures that are
verifiable with ASIGN algorithm. We first assume that Awould like to generate
both signatures by himself. He will perform the following.
1. Select two random values r1and r2∈ F and two messages m1, m2∈ M.
2. Execute ASIGN(IDA,IDB,SIDA,IZ∗
q, r1, m1) to obtain a signature σ1on m1,
where IZ∗
qdenotes the identity element of the group Z∗
q. Note that σ1=
(u1, u2, V ), where u2is equal to r1.
3. Execute ASIGN(IDA,IDB,SIDA,IZ∗
q, r2, m2) to obtain σ2= (u′
1, u′
2, V ′), where
u′
2is equal to r2
It is clear that both signatures (σ1, σ2) are acceptable by AVERIFY algorithm.
We note that in step 2 above, Aobtains a valid signature for a keystone footprint
r(which is eventually the same as u2). However, in step 3, she “pretends” that
the signature σ2was generated by B. Even she cannot choose the value of u′
1
arbitrary, there exists a value r′∈ F such that (u′
1=u2·r′). Before the release
of keystone, no one can check the validity of this matching keystone footprint r′.
On the other hand, the matching signer Bcan also “pretends” that the
σ1was generated by A, if the corresponding initial keystone kIthat making
H1(kI) = u2is not released yet.
Threfore, both signatures are a pair of valid ID-based perfect concurrent
signatures. This shows that even a valid signature is found, from any third
party’s viewpoint, the signature is ambiguous. And the theorem follows.
Proof of Lemma 1. To verify a signature σA(uA, uB, V ) that was generated by
A, any third party will perform the following steps.
–Verify whether the keystone is correct, by testing H1(kI)?
=fI. If it does not
hold, then output reject.
–Verify whether uB=fI.
–Verify whether σ= (uA, uB, V ) is correct, by testing whether
uA+uB
?
=H1m||(IDA⊕IDB)||ˆe(R, P )(uA+uB)ˆe(uAQIDA, Ppub )ˆe(uBQIDB, Ppub )
holds with equality.
Note that in the second verification above, the value ˆe(uBQIDB, Ppub) was already
set before the signature was computed, since uBis the keystone (unless the hash
function H1(·) is invertible, which violates the underlying assumption). Then,
the value of u0(which is set to be uA+uB) needs to be computed afterwards.
Therefore, to obtain a valid verification in the above equation, one must know the
value of SIDAthat will be used to solve the equation V=u−1
0(Z−(u0−u2)SIDA),
for a randomly chosen Z∈G∗
1. Since the only person who knows the secret key
SIDAis A, then any third party can be sure that Ahas indeed generated the
signature.
A similar argument applies to the signature σB= (u′
A, u′
B, V ′) that is gener-
ated by Bby invoking the FOOTPRINT algorithm and VERIFY-CONNECTION
algorithm, for the corresponding keystone kM. To launch a successful framing at-
tack, the party needs to release a valid keystone (kI, kM) and hence, the VERIFY
algorithm will return accept, which means u′
A=fI·fM, or in other words
H1(mB||(IDA⊕IDB)||ˆe(Z, P )ˆe(u′
BQIDB, Ppub))−u′
B=H1(kI)·H1(ˆe(Ppub,QIDj))kM.
Although Z, u′
B, kIand kMcan be chosen arbitrary, it is difficult to make the
equation holds due to the one-way property of the hash function H1(·), so it is
infeasible to compute the associated keystone (kI, kM)∈ K × KHence, framing
attack will not be successful if the underlying hash function used is one way.
Proof of Theorem 2. The proof is similar to the proof of unforgeability of the
Schnorr signature scheme in [11] and the concurrent signatures in [6]. We in-
corporate the forking lemma [11] to provide the proof. We use the notion of
existential unforgeability against a chosen message attach from [6]. Firstly, we
note that it is shown in [11] that if Ais a polynomial time Turing machine that
only accepts public input data only and produces a valid signature (m, u1, h, u2)
in time τand with probability η≥10(QIDj+ 1)(QIDj+qH)/2ℓ, where ℓis the
security parameter, QIDjis the number of signature queries, qHis the number
of hash queries, and (u1, m, u2) are simulatable with indistinguishable probabil-
ity distribution without the knowledge of the secret key, then there exists an
algorithm B, which controls Aand replaces A’s interaction with the signer by
simulation and produces two valid signatures (m, u1, h, u2) and (m, u1, h′, u′
2)
such that h6=h′in expected time τ′= 12068QIDjτ /η.
The game between an adversary Aand a challenger Cis defined as follows.
– Setup:Cruns SETUP for a given security parameter ℓto obtain descriptions
of U,M,S,Kand F. In addition, SETUP also generates the public key Ppub
for the PKG and provides it secret key, sP KG . Finally, it also simulates the
private key generation for all identities by invoking EXTRACT.
– KSGEN Queries:Acan request that Cselects a keystone k∈ K that
it used to generate a keystone footprint f∈ F, by invoking the corre-
sponding algorithm (FOOTPRINT,ENC-MATCHING-KEYSTONE and DEC-
MATCHING-KEYSTONE). Acan also select her own keystone k∈ K and
then compute the keystone footprint by himself.
– KSReveal Queries:Acan request the challenger Cto reveal the keystone
kthat is used to produce a keystone footprint f∈ F in a previous KSGEN
query. If fwas not asked before, then C outputs invalid. Otherwise, C
returns k∈ K.
– ASign Queries:Acan request an ambiguous signature for any input of
the form (IDA,IDB, Ppub , f, m) where QIDA,QIDBare the respective public
keys, together with Ppub,f∈ F and m∈ M.Cresponds with an ambiguous
signature σ= (u0, u1, u2, V ).
– AVerify and Verify Queries:Acannot request an answer for these queries
since he can compute them for himself using the AVERIFY and VERIFY
algorithms.
– Private Key Extraction Queries:Acan request the private key SID
associated with any QID of any participant. In response, Coutputs SID. The
response can be verified by Aby testing whether ˆe(SID , P )?
= ˆe(QID, Ppub )
holds with equality.
– Output: Finally, Aoutputs a tuple σ= (u0, u1, u2, V ) along with (IDA,IDB)
and a message m∈ M. The adversary wins the game if the following equal-
ity AVERIFY(σ, IDA,IDB, m)?
=accept holds and one of the two conditions
below hold:
1. The ASIGN query for (IDA,IDB, m, f ) has never been asked by Aand no
Private Key Extract query was made by Aon either IDAor IDB.
2. The ASIGN query for (IDA,IDB, m, f ) has never been asked by Aand no
Private Key Extract query was made by Aon IDA.
Now, we show how to build an algorithm Bwho will simulate the challenger
Cin the above attack to answer A’s request. We assume there is a PPT attacker
Awho can produce a valid signature σon a message mwithout knowing the
appropriate secret keys of the signers. The purpose of Bis to solve a Co-CDH
problem, given aP and bP to compute abP . The simulation is as follows. Firstly,
the public key Ppub is set to be bP . The adversary Ais allowed to query KSGEN
and KSReveal queries many times. On answering ASign query, Bsimulates
the signing oracle by accepting (IDA,IDB, α, f , m) and outputs a signature, if
possible. Now, set Q∗=aP and a target message m∗∈ M. If the ASign query
is asked on Q∗, then terminate the simulation. The probability of the attack
fails in this case is bounded by 1
q2. After a subsequent queries, Aoutputs a
valid signature σon a message m∗with Q∗. The attack is restarted again for a
second round using the same method, and eventually Aoutputs a second valid
signature σ′on the same target message. When this collision happens, we obtain
two signatures on the same keystone footprint. That means, for a pair (σ, σ′),
where σ= (u1, u2, V ) and σ′= (u′
1, u′
2, V ′), we obtain
ˆe(R, P )u0ˆe(u1QID∗, Ppub) = ˆe(R′, P )u′
0ˆe(u′
1QID∗, Ppub)
where u0=u1+u2and u′
0=u′
1+u′
2. Rearranging the above equation, we obtain
u0R+u1SID∗=u′
0R+u′
1SID∗
and hence
SID∗= (u1−u′
1)−1(u′
0R′−u0R)
Since we let Ppub =bP and Q∗=aP , then SID∗=abP , which is the solution of
the Co-CDH problem. Hence, we obtain the contradiction.
With Lemma 1, we achieve the second level of the unforgeability as well.
Proof of Theorem 3. The proof can be deduced from the proof of Lemma 1.
Suppose the initial signer selects a keystone kI∈ K and then signs a message
m1∈ M to produce a signature σ1. Then, the matching signer signs a message
m2∈ M using the matching keystone, kM∈ K, to produce a signature σ2. Now,
consider a scenario where the initial signer tries to cheat by producing another
message m′6=m1and signs it, to produce a signature σ′. When the keystone
kIis released, then all messages (m1, m2, m′) will be binding concurrently. The
matching signer will not be left in a situation where his signature is still binding
on m2, but the initial signer’s signature is not binding to m1anymore. It is
because the matching signer only complete the rest of the protocol ( i.e. sign
his message) after he received the signature from A, so he can always present
this signature if Apurports that the message she signed is another one. This
guarantees the fairness of the scheme.
Proof of Theorem 4. The proof can be derived from Theorem 1, 2, and 3.
Proof of Theorem 5. As in the proof of Theorem 1, it is sufficient to show that
any party can generate a pair of concurrent signatures that is valid and it will be
accepted under AVERIFY algorithm. Let us assume that Bwould like to produce
such signature. Bwill perform the following.
1. Randomly choose r2∈RF.
2. Generate σB={U′
A, U ′
B, V ′}using ASIGN algorithm, with IFand r2as
input.
3. Randomly choose kM∈RK.
4. Compute UB=U′
A−H1(ˆe(QIDB, Ppub)kM).
5. Generate σA={UA, UB, V }like ASIGN algorithm, except that UBis not
chosen randomly but using the above computed value.
The essential idea of the above procedure is before the release of the initial
keystone that determining the value of UB, the matching signer can firstly gen-
erate the second signature, making a UBthat satisfy the VERIFY-CONNECTION
algorithm, and use that particular value of UBas part of the first signature. For
Ato create a signature that makes AVERIFY algorithm returns true even if takes
SIDAto sign but the public key to be verified is QIDB, the same idea in the proof
of Theorem 1 can be applied.
The probability that this pair of signatures was generated by a single party
himself or herself is 1
4, which is uniform. This is due to the following possibilities.
1) The signatures were generated by Alice, 2) The signatures were generated by
Bob, 3) σ1was generated by Alice, and σ2was generated by Bob, or 4) σ1was
generated by Bob, and σ2was generated by Alice. Hence, from any third party’s
viewpoint, the signature is indistinguishable.
Proof of Lemma 2. It is not possible for an adversary to find the pre-image ksuch
that UB=H2(kI) if UBis created by the formula r′AQIDA−UB−hBQIDB. For
the second signature, we argue that Acannot be the actual signer by considering
the following three cases. Case 1: If we fix the value of UBfirstly, then computing
kMsatisfying the equation U′
A=UB+H1(ˆe(QIDB, Ppub)kM) involving solving
discrete logarithm problem in G2and breaking the one-way property of H1(·).
Case 2: If we fix kMfirst, it involves finding the pre-image kIagain. Case 3:
This case requires more attention as the signature scheme used in this scheme
is different from that of the previous scheme. Aneeds to make the equation
r′AQIDA−U′
B−h′
BQIDB=UB+H1(ˆe(QIDB, Ppub)kM) hold. For Ato give V′,
knowledge of r′is necessary, so the problem becomes making U′
B+h′
BQIDBequals
to a fixed value, which is difficult as h′
B=H1(mB||(IDA⊕IDB)||UB).
Proof of Theorem 6. Notice that our scheme is very similar to the two-party
version of the ID-based ring signature scheme in [8], the difference is only the
way to choose the random factors of non-participating signer. The scheme in [8]
is proven existentially unforgeable against adaptive chosen-message-and-identity
attack, under the random oracle model. As can be concluded from the proof of
unforgeability in [8], if an adversary other than Aand Bcan create either one
of the signature, the Co-CDH problem can be solved by using this adversary.
The difference in the way of choosing the random factors does not affect the
security proof for the unforgeability. However, we remark that it has effects on
the ambiguity of the signatures before the release of the keystone. We can only
achieve the computational signer ambiguity (because of the use of the matching
keystone) instead of the information theoretic security achieved by the scheme
in [8] under random oracle model.
Proof of Theorem 7. Since both schemes use the same underlying generic con-
struction framework, the discussion of the fairness of both schemes are essentially
the same, given the result of the Lemma 2.
Proof of Theorem 8. The proof can be derived from Theorem 5, 6, and 7.
