Conference Paper

Perfect Concurrent Signature Schemes


Abstract

The notion of concurrent signatures was recently introduced by Chen, Kudla and Paterson in their seminal paper [5]. In concurrent signature schemes, two entities can produce two signatures that are not binding until an extra piece of information (namely the keystone) is released by one of the parties. Upon release of the keystone, both signatures become binding to their true signers concurrently. In this paper, we extend this notion by introducing a new and stronger notion called perfect concurrent signatures. We require that although both signers are known to be trustworthy, the two signatures are still ambiguous to any third party (cf. [5]). We provide two secure schemes to realize the new notion based on Schnorr’s signature scheme and bilinear pairing. These two constructions are essentially the same. However, as we shall show in this paper, the scheme based on bilinear pairing is more efficient than the one that is based on Schnorr’s signature scheme.
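The abstract assumes the reader knows how a keystone turns two ambiguous signatures into binding ones. The following is an added worked example, not code from this paper or from any of the cited works: a toy two-party concurrent signature in the Schnorr setting, written in the style of the Chen, Kudla and Paterson construction the abstract builds on (a 1-out-of-2 Schnorr ring signature in which the initial signer pins the other party's challenge to the keystone fix f = H2(k)). It shows the three facts the page's abstracts and excerpts keep returning to: before k is released, each signature only proves "A or B signed" and the other party can produce one that passes the same check; after k is released, both signatures bind; a wrong keystone or a tampered message fails. Assumptions, all mine: a 128-bit safe-prime group found deterministically at import time (for speed only; a deployment would use a standard 2048-bit MODP group or an elliptic curve), SHA-256 for both hash functions, and every function and variable name. The toy realizes the original notion only; the "perfect" strengthening this paper introduces (hiding from a third party who trusts both signers which of them produced which signature) is not implemented here.

```python
"""Toy concurrent signature (Schnorr ring signature + keystone), CKP-style. Added example, not the paper's code.
Assumption: 128-bit safe-prime group found at import time, for speed; real use needs a 2048-bit group or a curve."""
import hashlib
import secrets

_BASES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases: fine for a demo, not for adversarial input."""
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_group(bits: int = 128):
    """Deterministic search for prime q with p = 2q+1 prime; g = 4 is a square mod p, so it has order q."""
    q = (1 << (bits - 1)) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

P, Q, G = safe_prime_group()

def h1(*parts) -> int:
    """H1: hash of the ring commitment and message onto Z_q (domain-separated from KGEN)."""
    h = hashlib.sha256(b"H1")
    for part in parts:
        h.update(repr(part).encode() + b"|")
    return int.from_bytes(h.digest(), "big") % Q

def kgen(keystone: bytes) -> int:
    """KGEN: keystone fix f = H2(k) in Z_q; revealing k later proves f was fixed before the hash was taken."""
    return int.from_bytes(hashlib.sha256(b"H2" + keystone).digest(), "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def asign(y_i, y_j, x_i, h2, msg):
    """ASIGN: holder of x_i signs msg for the ring {y_i, y_j}, with y_j's challenge pinned to h2."""
    t = secrets.randbelow(Q)
    commit = pow(G, t, P) * pow(y_j, h2, P) % P
    h1_ = (h1(commit, msg) - h2) % Q
    s = (t - h1_ * x_i) % Q
    return (s, h1_, h2)

def averify(sig, y_i, y_j, msg) -> bool:
    """AVERIFY: accepts if either key holder could have signed: h1 + h2 == H1(g^s y_i^h1 y_j^h2, msg)."""
    s, h1_, h2 = sig
    commit = pow(G, s, P) * pow(y_i, h1_, P) * pow(y_j, h2, P) % P
    return (h1_ + h2) % Q == h1(commit, msg)

def verify(keystone, sig, y_i, y_j, msg) -> bool:
    """VERIFY: sig binds to y_i only once a keystone whose fix equals the pinned challenge is public."""
    return kgen(keystone) == sig[2] and averify(sig, y_i, y_j, msg)

def sign_as_other_member(y_i, y_j, x_j, msg):
    """Ambiguity: the holder of x_j makes a signature that averify accepts for (y_i, y_j) by choosing
    y_i's challenge freely; its h2 falls out of the hash, so no keystone k with kgen(k) == h2 is known."""
    s, h2, h1_ = asign(y_j, y_i, x_j, secrets.randbelow(Q), msg)
    return (s, h1_, h2)

def run_exchange(msg_a=b"A: I agree to the contract", msg_b=b"B: I agree to the contract"):
    """The two-party protocol; A, the initial signer, alone decides whether k is ever released."""
    x_a, y_a = keygen()
    x_b, y_b = keygen()
    k = secrets.token_bytes(32)                    # keystone, secret until A releases it
    sig_a = asign(y_a, y_b, x_a, kgen(k), msg_a)    # A pins B's challenge to the fix
    if not averify(sig_a, y_a, y_b, msg_a):         # B checks before committing
        raise ValueError("sig_a rejected")
    sig_b = asign(y_b, y_a, x_b, kgen(k), msg_b)    # B reuses the same fix
    if not averify(sig_b, y_b, y_a, msg_b):         # A checks, then may release k
        raise ValueError("sig_b rejected")
    return dict(k=k, sig_a=sig_a, sig_b=sig_b, y_a=y_a, y_b=y_b, x_b=x_b, msg_a=msg_a, msg_b=msg_b)

if __name__ == "__main__":
    r = run_exchange()
    fake = sign_as_other_member(r["y_a"], r["y_b"], r["x_b"], r["msg_a"])
    print("sig_a binds with keystone:", verify(r["k"], r["sig_a"], r["y_a"], r["y_b"], r["msg_a"]),
          "| B-made sig passes AVERIFY as A's:", averify(fake, r["y_a"], r["y_b"], r["msg_a"]),
          "| but VERIFY with keystone:", verify(r["k"], fake, r["y_a"], r["y_b"], r["msg_a"]))
```

Two design points worth noticing. First, the keystone is what removes the ambiguity: in a ring signature the signer picks the other member's challenge at random and derives their own from the hash, so a party who can exhibit a preimage k of the pinned challenge must have chosen it before hashing, which only the real signer can do. Second, the initial signer's advantage that several of the citing abstracts discuss is visible in run_exchange: B has committed to sig_b before learning k, and nothing forces A to release it.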


... Since Chen et al. published their seminal paper in 2004 [8], there have been a number of concurrent signature schemes proposed [30,33,24,9,32,39,29,31]. Some works have improved the ambiguity model [30,24] and further enhanced the fairness requirement [33]. Others focus on extending concurrent signature to the multi-party setting [32,31] or the identity-based setting [9], on balancing the capability of controlling the release of the keystone between the initial signer and the matching signer [39], or on evaluating the scenarios in which concurrent signature is free of abuse [29]. ...
... Ambiguity is an important feature to achieve in many variants of signature schemes [7,38,21,37,19] as well as in concurrent signature. Though the current ambiguity model for concurrent signature [8,30] requires that the ambiguous signatures be non-self-authenticating [20,40] while the keystone is not yet revealed, the ambiguous signatures already leak the following information to the public: given an ambiguous signature σ_A or σ_B, anyone can tell that at least one of (A, B) must have been involved. Consider the following scenario: suppose X and Y form a coalition to sign a joint statement which is to be verified by a third party Z. ...
Article
A concurrent signature provides an efficient way to exchange digital signatures between parties in a fair manner. Since its introduction at Eurocrypt 2004, removing the random oracle heuristic from the security analysis of a concurrent signature scheme has become an open problem: the security of all existing provably secure schemes has only been shown in the random oracle model, while it is known that security in the random oracle model may not be guaranteed when the underlying random oracles are replaced by real-life hash functions. In this paper, we solve this open problem by proposing a new concurrent signature scheme, which allows us to prove its security without random oracles. The security model we consider in this paper also differs slightly from previous works. Signatures before revealing the keystone are strongly ambiguous (or anonymous) in the sense that everyone is able to produce signatures that are indistinguishable from those generated honestly by the parties involved in the exchange, while signatures after revealing the keystone remain unforgeable without sacrificing the fairness property. In the multi-user setting and without random oracles, we prove the security of our scheme based on the intractability of the Computational Diffie–Hellman (CDH) problem and the collision resistance of hash functions.
... It is not obvious how to extend a two-party concurrent signature scheme (e.g. [3,4,5]) to this more general multi-party notion. A major difficulty is in the fairness. ...
... Since the introduction of concurrent signature by Chen, Kudla and Paterson [3] in 2004, there have been several other schemes and variants proposed [4,5,6,7,8,11,12]. In [4], Susilo, Mu and Zhang proposed an enhanced ambiguity requirement and called a scheme satisfying this enhanced requirement a perfect concurrent signature. It requires that the two ambiguous signatures σ_A and σ_B be indistinguishable in the sense that, before the release of ks, the public should not be able to tell whether σ_A and σ_B were generated by A and B, even assuming that A and B honestly produce their respective signatures. ...
Article
Since the introduction of concurrent signature, improved results have been obtained on constructing schemes with enhanced ambiguity, refined security models and better efficiency, while extending concurrent signature to multiple users, that is, allowing n parties (where n ≥ 2) to perform fair exchange of signatures concurrently, is still one of the most challenging problems that remain unsolved. In the literature, there is a three-party concurrent signature scheme which achieves a weaker form of ambiguity, in that an ambiguous signature can be generated either by the real signer or jointly by the other two parties, but not by any single one of the rest. There are also two other multi-party concurrent signature schemes. However, both of them have been found insecure, in that they could not achieve unforgeability, ambiguity, and fairness simultaneously. Furthermore, there is no formal security model available for Multi-party Concurrent Signature (MCS). In this paper, we propose an efficient MCS construction and show its security in the random oracle model under our newly proposed security model for MCS. The scheme is also comparable in efficiency to the best existing two-party concurrent signature schemes.
... Susilo et al. further proposed a perfect concurrent signature scheme [18] to strengthen the fuzziness of concurrent signatures. That is, even if it is known that both signers have signed one of the two ambiguous signatures, no third party can infer who signed which signature. However, Wang et al. [19] pointed out that the concurrent signature scheme proposed by Susilo et al. [18] was not actually concurrent, and proposed an attack that enables the original signer to release a carefully prepared keystone. Also, an effective method resisting this attack was proposed by Wang et al. [19], so that the improved scheme was truly perfect for concurrent signature. ...
Article
With the development of Internet technology, the demand for signing electronic contracts has greatly increased. An electronic contract generated by the participants online enjoys the same legal effect as a paper contract. Fairness is the key issue in jointly signing electronic contracts by the involved participants, so that all participants either get the same copy of the contract or nothing. Most existing solutions only focus on the fairness of electronic contract generation between two participants, where the digital signature can effectively guarantee the fairness of the exchange of electronic contracts and has become the conventional technology in designing contract signing protocols. In this paper, an efficient blockchain-based multi-party electronic contract signing (MECS) protocol is presented, which not only offers fairness of electronic contract generation for multiple participants, but also allows each participant to validate the signed copies of the others in aggregate. Security analysis shows that the proposed MECS protocol enjoys unforgeability, non-repudiation and fairness of electronic contracts, and performance analysis demonstrates the high efficiency of our construction.
... The idea is that two parties make bilateral ambiguous signatures that bind to their respective signers concurrently once a secret (i.e., the keystone) is released by one of the two parties. To enhance the full anonymity of concurrent signatures, Susilo et al. [31] extend this use of concurrent signatures to perfect concurrent signatures from Schnorr's [29] signature algorithm and bilinear pairings. However, in Susilo et al.'s [31] scheme, the initial signer can create the two individual keystones, which cannot properly bind the ambiguous signature to the matching signer, and this may result in imperfect ambiguity. To surmount the perfect ambiguity problem, various concurrent-signature solutions have been suggested for investigation, such as anonymous lattice-based group signatures [25], identity-based perfect concurrent signatures [9], asymmetric concurrent signatures [24], tripartite concurrent signatures [32], the fairness of perfect concurrent signatures [38], multi-party concurrent signatures [34], and so on. ...
Article
Full-text available
The idea of concurrent signature schemes is that two parties produce two respective ambiguous signatures that are concurrently bound to their corresponding signatories only once either party releases a keystone. The main construct is that both parties need to reach a consensus on true fairness in mutually exchanging the signatures, and, moreover, the protocols assume that there is no collusion between a trusted third party and either of the parties. However, by collaborating over business interests with the participants as strategic partners, the trusted third party may obtain access to sensitive key data held in escrow, leading to a collusion attack with malicious intentions. To circumvent misbehavior among the participating individuals, an identity authentication process can be used prior to exchanging or having access to any confidential information. In this paper, we propose a self-certified concurrent signature from bilinear pairings as an alternative solution to strengthen the security level for solving the fair exchange problem. Apart from resisting the collusion attack, the proposed scheme provides advanced security properties to prevent message substitution, identity forgery and impersonation, and other generic attacks in an increasingly insecure network environment.
... The efficiency gain in ring signature schemes is also beneficial to cryptographic schemes that are built on top of ring signatures. Examples include multi-designated verifiers signature [7], non-interactive deniable ring authentication [10] and perfect concurrent signature [11]. In [5], a separable and anonymous ID-based key issuing protocol was proposed. ...
... Bilinear pairing is an important primitive for many cryptographic schemes [1-14]. Here, we describe some of its key properties. ...
Conference Paper
Identity-based (ID-based) cryptosystems eliminate the need for validity checking of certificates and the need to register for a certificate before getting the public key. These two features are desirable especially for the efficiency and the real spontaneity of ring signature, where a user can anonymously sign a message on behalf of a group of spontaneously conscripted users including the actual signer. In this paper, we propose a novel construction of ID-based ring signature which only needs two pairing computations for any group size. The proposed scheme is proven to be existentially unforgeable against adaptive chosen message-and-identity attack in the random oracle model, using the forking lemma for generic ring signature schemes. We also consider its extension to support general access structures.
... Ring signatures can be used for whistle blowing [19] or anonymous membership authentication for ad hoc groups [5]. They can be used to derive other primitives such as deniable ring authentication [23] or perfect concurrent signatures [24]. Due to the flexibility (forming a ring and signing messages without a group leader) and anonymity property of ring signatures, interesting applications of ring signatures in cryptocurrencies have recently been found [21]. ...
Chapter
A blind ring signature scheme is a combination of a ring signature and a blind signature, which allows not only any member of a group of signers to sign a message on behalf of the group without revealing its identity, but also the user who possesses the message to blind it before sending it to the group to be signed. Blind ring signature schemes are essential components in e-commerce, e-voting, etc. In this paper, we propose the first blind ring signature scheme based on lattices. More precisely, our proposed scheme is proven to be secure in the random oracle model under the hardness of the short integer solution (SIS) problem.
... Ring signature schemes can be used to derive other primitives as well. They have been utilized to construct non-interactive deniable ring authentication [20], perfect concurrent signature [21] and multi-designated verifiers signature [18]. Many reductionist security proofs use the random oracle model [4]. ...
Conference Paper
Full-text available
Since the formalization of ring signature by Rivest, Shamir and Tauman in 2001, many variations have appeared in the literature. Almost all of the variations rely on the random oracle model for their security proof. In this paper, we propose a ring signature scheme based on bilinear pairings, which is proven to be secure against adaptive chosen message attack without using the random oracle model. It is one of the first in the literature to achieve this security level.
... Ring signature schemes can be used to derive other primitives as well. They have been utilized to construct non-interactive deniable ring authentication [27], perfect concurrent signature [28] and multi-designated verifiers signature [21]. Many reductionist security proofs use the random oracle model [4]. ...
Conference Paper
Full-text available
In this paper, we present the notion and construction of threshold ring signature without random oracles. This is the first scheme in the literature that is proven secure in the standard model. Our scheme extends the Shacham-Waters signature from PKC 2007 in a non-trivial way. We note that our technique is specifically designed to achieve a threshold ring signature in the standard model. Interestingly, we can still maintain the signature size to be the same as the Shacham-Waters signature, while only a tiny computation cost is added.
... Later in this section, we will address two problems associated with concurrent signature. In order to strengthen the ambiguity of the signatures before the keystone is released, the papers [21,22] proposed a stronger notion, called perfect concurrent signatures. Later, asymmetric concurrent signature [23] and tripartite concurrent signature [24] were proposed. ...
Conference Paper
Full-text available
In this paper, we propose a notion of contract signatures used in e-commerce applications. This scheme adopts a digital multi-signature scheme in public-key cryptography to facilitate fair signature exchange over a network. A security proof of this modified signature scheme in the random oracle model is included. The proposed solution allows two parties to produce and exchange two ambiguous signatures which are fully ambiguous to any third party (i.e. 1 out ambiguity). The combination of these two ambiguous signatures forms the contract signature. There is no “keystone” (i.e. a secret key used in the concurrent signature) in the signature. In case anyone releases the contract signature to a verifier, both signers are bound to the contract signature.
Chapter
In this chapter, we discuss the basics of ring signature—a kind of anonymous signature that allows a user to sign on behalf of a self-formed group such that the verifier only knows that the signer is one of the users of this group but cannot find out the identification information (such as public key) of the real signer. We give the security model and a simple construction based on discrete logarithm setting. Then, we cover a variant called linkable ring signature, which provides linkability in addition to the property of a normal ring signature. Finally, we present a commercial application of (linkable) ring signature in blockchain called Ring Confidential Transaction (RingCT), which is the privacy-preserving protocol used in Monero, one of the largest cryptocurrencies in the world.
Article
Concurrent signatures allow two entities to generate two signatures in such a way that both signatures are ambiguous until some information is revealed by one of the parties. This kind of signature is useful in auction protocols and in a wide range of scenarios in which the involved participants are mutually distrustful. In this study, to have quantum-attack-resistant concurrent signatures as recommended by the National Institute of Standards and Technology (NISTIR 8105), the first concurrent signature scheme based on coding theory is proposed. Then, its security is proved under the Goppa Parameterized Bounded Decoding and the Goppa Code Distinguishing assumptions in the random oracle model. In addition, performance evaluation shows that the proposal is approximately as efficient as the Dallot scheme. The authors highlight that their proposal can be a post-quantum candidate for fair exchange of signatures without a trusted third party in an efficient way (without a high degree of interaction).
Conference Paper
This paper introduces the notion of attribute-based concurrent signatures. This primitive can be considered an interesting extension of concurrent signatures to the attribute-based setting. It allows two parties to fairly exchange their signatures only if each of them has convinced the opposite party that it possesses certain attributes satisfying a given signing policy. Due to this new feature, this primitive can find useful applications in online contract signing, electronic transactions and so on. We formalize this notion and present a construction which is secure in the random oracle model under the Strong Diffie-Hellman assumption and the eXternal Diffie-Hellman assumption.
Article
Concurrent signature is a novel paradigm which can achieve fair exchange of signatures between users. Since its appearance, the topic has received wide attention, while the study of concurrent signature in the multi-user setting has drawn some criticism. Almost all known multi-user concurrent signature schemes rely on hardness assumptions that are insecure against quantum analysis. Furthermore, most multi-party concurrent signature (MCS) schemes lack formal security models. In this paper, in the random oracle model, we propose a construction of a lattice-based MCS scheme and prove its security under the hardness of the small integer solution (SIS) problem. Since our proposed scheme is based on lattice assumptions, which are believed to be quantum-resistant, the mathematical properties make our scheme simpler and more flexible.
Article
As the keystone fix of the signature is generated only by the initial signer in traditional concurrent signature schemes, these schemes are vulnerable to abuse by the initial signer against the matching signer, so they are unfair to the matching signer. Furthermore, if the generation of the keystone fix does not include the signed message, the scheme is vulnerable to attack by tracking the message. In order to achieve a fairer and more secure protocol for both sides in concurrent signature, the keystone fix is not only generated by the parties together but also bound to the signed message. In this paper, a new perfect concurrent signature scheme is put forward. The keystone fix of the ambiguous signatures is generated by both sides together, so it achieves true fairness for both sides. On the other hand, to avoid the traceability attack, each keystone fix is bound to the respective signed plaintext. At the same time, the scheme is unforgeable based on the difficulty of the discrete logarithm problem in conic curves; thus, compared with the scheme in reference [1], the scheme in this paper has stronger fairness and better security.
Article
Multi-party concurrent signatures were first proposed by Tonien et al. at ISC 2006, but Xie and Tan pointed out that Tonien et al.'s scheme does not satisfy fairness, and they each reconstructed multi-party concurrent signature schemes. Through analysis, the multi-party concurrent signature schemes proposed by Xie and Tan do not satisfy fairness either, so a formal security model of fair multi-party concurrent signatures is proposed and a multi-party concurrent signature scheme based on bilinear pairing and multi-party key agreement is also reconstructed. Analysis shows that the new scheme satisfies correctness, unforgeability, ambiguity, concurrency and fairness in the random oracle model assuming the CDH problem is intractable, and is highly efficient in signature size, computation cost and communication cost compared with other schemes of its kind.
Article
As one of the most important group-oriented signatures, ring signatures were initially formalized by Rivest et al. and allow an entity to conscript a group of ring members at will and sign a message in the name of the group without revealing its real identity. Featuring spontaneity and unconditional anonymity, ring signatures have found widespread applications in fair exchange, electronic commerce, wireless sensor networks and vehicular ad hoc networks. A survey of ring signatures is presented in this book to provide researchers and scholars with a better understanding of this cryptographic primitive. To be specific, we survey state-of-the-art ring signature schemes insightfully according to their design philosophies. The existing schemes have also been classified from various perspectives. Furthermore, the security models and efficiency of existing schemes have been compared. On the other hand, extensions of ring signature schemes, such as proxy ring signature, threshold ring signature, ring signcryption, deniable ring signature, linkable ring signature and conditional anonymous ring signature, are also investigated. Finally, the challenges and future directions of ring signatures, such as constant-size constructions, efficient and provably secure constructions in the standard model, and new application scenarios, are also given. (Imprint: Nova).
Conference Paper
An anonymous authentication protocol allows a system to authenticate a user anonymously. That is, the system knows that the requester is eligible to access, yet does not know his/her actual identity. Anonymous authentication is useful in many privacy-preserving applications such as wireless sensor networks and roaming. However, most anonymous authentication protocols are not lightweight. They all require a number of exponentiations or pairings, which cannot be executed by lightweight devices such as sensors or RFID tags. In this paper, we propose a lightweight anonymous authentication protocol for ad hoc groups. Our protocol contains only lightweight calculations such as hashing or modular squaring, but no exponentiation or pairing, on both the prover and verifier sides. The core primitive of our mechanism is a lightweight ring signature scheme. The security of our scheme can be reduced to the classic integer factorization assumption in the random oracle model.
Conference Paper
Accountability has been widely used from different perspectives and has many different terms and definitions. Accountability in management focuses on how organizations and persons effectively make use of their individual controls: external control (reward and punishment) and internal control (felt responsibility). Accountability in SOA (Service-Oriented Architecture) focuses on how to disclose messages with security, privacy and liability, and how to track evidence of the rendered services. In health care, accountability focuses on how to reveal a patient's health record with privacy and security controls. For Internet transactions, accountability is to ensure that each party involved in performing a transaction satisfies the necessary security properties. In this paper, we conduct a survey of different perspectives on accountability to show that the definition of accountability for Internet transactions is limited. We study a number of research works which focus on accountability in several aspects and determine their advantages regarding accountability in Internet transactions.
Article
Fair exchange is essential in E-commerce, and concurrent signature realizes the fair exchange of digital signatures with removing the requirement of a trusted third party. Multi-party concurrent signature is an extension to the multi-user scenario. The security of existing multi-party concurrent signatures is mostly based on traditional hard problems that could be solved efficiently with quantum algorithms in a post-quantum world. Meanwhile, the lattice-based cryptography is considered to be resistant to quantum attack. Wang et al. proposed a lattice-based multi-party concurrent signature. We give the analysis of their proposed signature scheme and find that it is not secure since an inside adversary can forge the signature. Moreover, the initial signer can produce any signatures, instead of a signature on the original messages, if he is malicious.
Conference Paper
Internet transactions are increasing significantly due to the very fast growth of mobile devices, electronic commerce, and electronic records. Many researchers have proposed protocols to analyze accountability in Internet transactions. In this paper we propose an accountability model and protocol for Internet transactions that has advantages over existing protocols and satisfies the essential security properties: Confidentiality, Integrity, Authorization, Authentication, Non-repudiation, Liability and Responsiveness. The protocol is designed using asymmetric cryptography and hash functions to ensure that it meets all the above accountability properties. The proposed protocol is also analyzed and compared with existing accountability protocols.
Article
Full-text available
Signcryption is a cryptographic primitive that combines the functions of digital signature and encryption in a single logical step. However, on some occasions there are conflicts of interest between the two entities, so concurrent signature was proposed to ensure fair exchange of signatures without a special trusted third party. The notion of concurrent signcryption is defined and a security model is proposed in this paper. An identity-based concurrent signcryption scheme using bilinear pairings is then established within this framework. The scheme is proved secure assuming the Bilinear Diffie-Hellman problem and the Computational Co-Diffie-Hellman problem are hard in the bilinear setting.
Article
A signature scheme is strongly unforgeable if the adversary cannot produce a new signature even on a queried message. Some methods have been proposed to enhance regular signatures in this way. However, if applied to ring signatures, such methods break the anonymity, which is the soul of ring signatures. We introduce a modified method which achieves both strong unforgeability and anonymity in the standard model. Applying this method to the Shacham-Waters scheme, we get the first ring signature with strong unforgeability in the standard model.
Article
Ring signature is a primitive that allows an entity to sign a message on behalf of a group of potential signers (called a ring) while preserving unconditional anonymity in the ring. Ring signature has found many applications in fair exchange, electronic transaction protocols, and ad hoc networks. In this paper, a survey of ring signature from a number of perspectives is presented to provide researchers with a better understanding of this primitive. We survey the state of the art of ring signature schemes along with the security model, and compare their security properties and efficiency. Furthermore, the extensions of ring signature schemes with special properties are also investigated.
Conference Paper
Concurrent signature, introduced by Chen, Kudla and Paterson, is known to fall just short of solving the long-standing problem of fair exchange of signatures without requiring any trusted third party (TTP). The price for not requiring any TTP is that the initial signer always has some advantage over the matching signer in controlling whether the protocol completes or not, and hence whether the two ambiguous signatures will bind concurrently to their true signers or not. In this paper, we examine the notion and classify the advantages of the initial signer into three levels, some but not all of which may be known in the literature. Advantage level 0 is the commonly acknowledged fact that concurrent signature is not abuse-free, since an initial signer who holds a keystone can always choose to complete or abort a concurrent signature protocol run by deciding whether to release the keystone or not. Advantage level 1 refers to the fact that the initial signer can convince a third party that both ambiguous signatures are valid without actually making the signatures publicly verifiable. Advantage level 2 allows the initial signer to convince a third party that the matching signer agrees to commit to a specific message, and nothing else. We stress that advantage level 2 is not about proving possession of a keystone. Proving knowledge of a keystone would make a malicious initial signer accountable, as this could only be done by the initial signer. We remark that the original security models for concurrent signature do not rule out the aforementioned advantages of the initial signer. Indeed, we show that, theoretically, the initial signer always enjoys the above advantages for any concurrent signature. Our work demonstrates a clear gap between the notion of concurrent signature and optimistic fair exchange (OFE), in which no party enjoys advantage level 1. Furthermore, in a variant known as Ambiguous OFE, no party enjoys advantage level 1 or 2.
Article
Data sharing has never been easier with the advances of cloud computing, and an accurate analysis on the shared data provides an array of benefits to both the society and individuals. Data sharing with a large number of participants must take into account several issues, including efficiency, data integrity and privacy of data owner. Ring signature is a promising candidate to construct an anonymous and authentic data sharing system. It allows a data owner to anonymously authenticate his data which can be put into the cloud for storage or analysis purpose. Yet the costly certificate verification in the traditional public key infrastructure (PKI) setting becomes a bottleneck for this solution to be scalable. Identity-based (ID-based) ring signature, which eliminates the process of certificate verification, can be used instead. In this paper, we further enhance the security of ID-based ring signature by providing forward security: If a secret key of any user has been compromised, all previous generated signatures that include this user still remain valid. This property is especially important to any large scale data sharing system, as it is impossible to ask all data owners to re-authenticate their data even if a secret key of one single user has been compromised. We provide a concrete and efficient instantiation of our scheme, prove its security and provide an implementation to show its practicality.
Conference Paper
In this paper, we propose a new lattice-based ring signature scheme whose security can be reduced to a well-known signature scheme, NTRUSign. This new ring signature greatly decreases the key space and the signature length compared with the existing lattice-based ring signature schemes. Our scheme is suitable for mobile lightweight devices, such as smart cards, cell phones, and RFID tokens.
Article
A new semi-anonymous non-contact offline mobile payment protocol based on improved concurrent signature is proposed. The customers can remain anonymous to merchants during regular transactions. However, the merchants can obtain customers' identity information in questionable transactions from the issuer offline, without the supervision of a third party. The offline transaction needs two interactions, and its benefits include fairness, high efficiency and no third party. The new protocol's fairness solves the anti-pull problem in offline non-contact mobile instant payment.
Article
Recently, Susilo et al.'s perfect concurrent signature scheme (PCS1) and Wang et al.'s improved perfect concurrent signature scheme (iPCS1) were proposed, which are considered good improvements on concurrent signatures, and they adopt the same algorithms. In this paper, we develop generic perfect concurrent signature algorithms of which Susilo et al.'s and Wang et al.'s algorithms turn out to be a special instance. We also obtain numerous new, efficient variants from the generic algorithms which have not been proposed before. To display the advantage of these variants, a modified privacy-preserving PCS protocol is given. It shows that the new variants adapt to the protocol well and can form concrete privacy-preserving PCS schemes, while the original algorithms do not. Security proofs and efficiency analysis are also given.
Article
The concept of concurrent signatures was first introduced by Chen, Kudla and Paterson in Eurocrypt'04. It allows two entities to produce two ambiguous signatures until an extra piece of information (called the keystone) is released by one of the parties. Once the keystone is released, both signatures become binding to their true signers concurrently. According to the literature, there are mainly two different methods to realize concurrent signature schemes. The first is based on variants of Schnorr's signature scheme, and the second uses bilinear pairing. In this paper, we present a new concurrent signature scheme, which is based on the signature scheme of Finite Automaton Public Key Cryptosystem 3 (FAPKC3, for short) proposed by Renji Tao and Shihua Chen in 1997, and then prove its security under the security model given by Chen et al. Finally, we briefly discuss our scheme's performance.
Article
Concurrent signatures were introduced as an alternative approach to solving the problem of fair exchange of signatures by Chen et al. (1), in which two entities can produce two signatures that are not binding until the keystone is released by one of the parties. Recently, Huang et al. (10) proposed an identity-based concurrent signature scheme with more ambiguity and stronger fairness. However, we will show that their scheme does not satisfy the strong unforgeability property and is vulnerable to a forgery attack. We then propose an improved scheme to prevent such an attack.
Article
Linkable ring signatures have found many attractive applications. One of the recent important extensions is the linkable threshold ring signature (LTRS) scheme. Unfortunately, the existing LTRS schemes are only secure in the random oracle model (ROM). In this paper, we make the following contributions. First, we construct the first LTRS scheme that is secure without requiring the ROM. Further, we enhance the security of threshold ring signatures (both linkable and non-linkable) by providing a stronger definition of anonymity. This strengthened notion makes threshold ring signature schemes more suitable for real-life use. Finally, we provide efficient schemes that outperform the existing schemes in the literature. Our scheme is particularly suitable for electronic commerce or electronic government, where anonymity and accountability are the primary concerns.
Article
In this paper, we propose a new ID-based event-oriented linkable ring signature scheme, with an option called revocable-iff-linked. With this option, if a user generates two linkable ring signatures in the same event, everyone can compute his identity from these two signatures. We are the first in the literature to propose such a secure construction in an ID-based setting. Even compared with other existing non-ID-based schemes, we enjoy a significant efficiency improvement, including constant signature size and linking complexity. Our scheme can also be regarded as a normal ID-based ring signature. We are also the first to propose such a scheme with constant signature size and enhanced privacy, namely that the signer is anonymous even to the PKG, who holds the master secret key. We prove the security of our scheme in the random oracle model, using the DL, DDL and q-SDH assumptions.
Article
Concurrent signature was introduced as an alternative approach to solving the problem of fair exchange of signatures. It allows two entities to produce two signatures in such a way that the signer of each signature is ambiguous from a third party's point of view until the release of a secret, known as the keystone. Once the keystone is released, both signatures become binding to their respective signers concurrently. Certificate-based public key cryptography was introduced to remove the use of certificates to ensure the authentication of the user's public key in traditional public key cryptography and to overcome the key escrow problem in identity-based public key cryptography. Combining the concept of concurrent signature with the concept of certificate-based cryptography, in this paper we propose a certificate-based perfect concurrent signature scheme, assuming the hardness of the Computational Diffie-Hellman Problem.
Conference Paper
Certificateless public key cryptography was introduced to remove the use of certificates to ensure the authentication of the user's public key in traditional certificate-based public key cryptography and to overcome the key escrow problem in identity-based public key cryptography. Concurrent signatures were introduced as an alternative approach to solving the problem of fair exchange of signatures. Combining the concept of certificateless cryptography with the concept of concurrent signature, in this paper we present the notion of certificateless concurrent signature with a formal security model and propose a provably secure scheme, assuming the hardness of the Computational Diffie-Hellman Problem.
Conference Paper
In Eurocrypt'04, the concept of the concurrent signature was introduced by Chen, Kudla and Paterson, who proposed a somewhat weaker concept to solve the traditional fair exchange problem. Concurrent signatures provide a new idea for fair exchange without the help of a trusted third party. Only two parties interact to produce two signatures. However, the two signatures remain ambiguous from any third party's point of view unless an extra piece of information (called the keystone) is released. Once the keystone is released by the initial signer, both signatures are binding to their true signers and become effective concurrently. In this paper, we present an identity-based concurrent signature scheme from bilinear pairings with improved accountability. Each user uses his/her ID (IP address, e-mail address) as the public key, which simplifies key management and removes the need to maintain user certificates. The proposed scheme can resist the message substitution attack and achieves the property of real accountability.
Conference Paper
This paper describes a user study about the influence of efficiency on modality selection (speech vs. virtual keyboard / speech vs. physical keyboard) and perceived mental effort. Efficiency was varied in terms of interaction steps. Based on previous research, it was hypothesized that the number of necessary interaction steps determines the preference for a specific modality. Moreover, the relationship between perceived mental effort, modality selection and efficiency was investigated. Results showed that modality selection is strongly dependent on the number of necessary interaction steps. Task duration and modality selection showed no correlation. A relationship between mental effort and modality selection was also not observed.
Conference Paper
The concrete tripartite concurrent signature scheme designed by Susilo et al. is found to be unambiguous. In other words, any fourth party can identify who is the real signer of the publicly available valid signatures before the keystone is released. In order to overcome this flaw, we propose an improved concrete tripartite concurrent signature (iCTCS) scheme based on the ring signature. Every user can choose his keystone to guarantee fairness in the proposed scheme. The performance analysis results show that the iCTCS scheme is existentially unforgeable under a chosen message attack in the random oracle model, and satisfies correctness, ambiguity and fairness.
Article
This paper presents a new fair document exchange protocol based on bilinear pairing with an off-line trusted third party (TTP). In such a fair exchange scenario, each party owns a valuable message. The protocol is executed with the help of verifiably encrypted messages, which can be verified and decrypted by different parties, respectively. Once a party verifies that the exchangeable message could be decrypted by the TTP, he first sends his own message, since the TTP has already provided fairness. Furthermore, to pass verification, each message should be wrapped into a commit message and certified by an authority. We give an efficient and secure construction using bilinear pairing. Finally, we analyze the security issues and compare our protocol's efficiency with others.
Article
Based on strong designated verifier signatures, a new fair concurrent signature scheme is proposed. Compared with previous concurrent signature schemes, even if a keystone must be chosen by the initial signer, the matching signer can easily obtain the keystone through an extraction algorithm. Due to the property of strong designated verification, the initial signer cannot make use of a carefully prepared keystone to deceive the matching signer. The matching signer is then able to participate actively in the signature scheme. Besides, there are no bilinear operations in the keystone algorithm, so the keystone is delivered efficiently. Therefore, the efficiency of our signature scheme is also improved.
Conference Paper
The concept of concurrent signatures was introduced by Chen, Kudla and Paterson at Eurocrypt 2004, which allows two parties to produce two ambiguous signatures until the initial signer releases an extra piece of information (called the keystone). Once the keystone is released, both signatures are bound to their true signers concurrently. However, Susilo, Mu and Zhang pointed out that the original concurrent signature is not ambiguous to any third party if both signers are known to be trustworthy, and further proposed perfect concurrent signatures to strengthen the ambiguity of concurrent signatures at ICICS 2004. Unfortunately, Susilo et al.'s schemes are unfair for the matching signer because they enable the initial signer to release a carefully prepared keystone that binds the matching signer's signature, but not the initial signer's. Therefore, we present a fair identity-based concurrent signature scheme that corrects these flaws in ambiguity and fairness in an effective way. Moreover, our scheme is more efficient than other concurrent signature schemes based on bilinear pairing.
Conference Paper
We propose a novel fair concurrent signature scheme. It resolves the existing problems in traditional concurrent signature schemes, namely that the initial signer (A) has some advantages over the matching signer (B): A could show B's ambiguous signature and the keystone to a third party in private to demonstrate B's binding signature, but B cannot; or A could keep the keystone secret, and B does not have the power to force A to release it. In our scheme, the keystones are produced by both A and B; that is to say, the two participants in our scheme have equal positions, neither has priority over the other, so our scheme achieves fairness for both sides.
Conference Paper
The concept of concurrent signatures was introduced by Chen et al. at Eurocrypt 2004. It allows two entities to produce two signatures in such a way that the signer of each signature is ambiguous from any third party's point of view until the release of a secret, known as the keystone. Once the keystone is released, both signatures become binding to their respective signers concurrently. In previous concurrent signature schemes, the roles of the participants are asymmetrical: one party, called the initial signer, needs to create the keystone fix and send the first ambiguous signature; the other party, called the matching signer, responds to the initial signer by creating another ambiguous signature with the same keystone fix. This mode of operation may cause some unfairness. In this paper, we construct a perfect concurrent signature protocol for symmetric participants and prove its security. In our concept, the roles of the participants are symmetrical. The keystone cannot be decided by any single participant, and the two ambiguous signatures can be published in any order.
Conference Paper
First, a convertible ID-based two-party ring signature scheme is designed; in such a scheme, after the release of converting information by the real signer, a ring signature can be transformed into a standard signature which can be verified publicly. Then, based on this ring signature, a convertible perfect concurrent signature protocol is proposed. Different from a general concurrent signature, there is an extra procedure called "ACONVERT" in this protocol, which can transform the exchanged ring signature into a common form, so it realizes the fair exchange of signatures. Finally, the security of the protocol is analyzed.
Conference Paper
Since the introduction of concurrent signatures, the authorship binding of concurrent signatures has always been initiator-controlled, that is, only the initiator of a concurrent signature exchange can control "whether" and "when" to convert the exchanged ambiguous signatures to publicly verifiable ones concurrently. This binding control is not negotiable. In some applications, however, this limitation is undesirable, and instead, as optimistic fair exchange does, letting the responder control "whether" and "when" the exchanged ambiguous signatures become bound is needed. This motivates us to construct a new concurrent signature variant which supports negotiation between the original initiator-controlled binding and a new responder-controlled binding. In this paper, we formalize the notion and propose the first construction, which allows either the initiator or the responder to control "whether" and "when" the binding of the exchanged ambiguous signatures will take place concurrently. The scheme is backward compatible with the original concurrent signature and is also comparable in performance to the existing ones.
Conference Paper
For a large website adopting a Web server cluster, how to organize and distribute web documents is a challenging problem. In this paper, we propose a strategy to distribute web documents in a web server cluster, whose aim is to reduce the system's average response time. The strategy uses a queuing model to analyze the cluster system, and translates the document distribution problem into a 0-1 integer programming problem. For this kind of 0-1 integer programming problem, we propose a chaotic searching algorithm to solve it. The chaotic searching algorithm lets many isolated chaotic variables search along their tracks, so the corresponding 0-1 distribution matrix built from these variables can experience every possible distribution, and thereby it can find the global optimal solution given enough time. Simulation tests show that the chaotic searching algorithm can find the global optimal solution.
Conference Paper
Full-text available
In this paper, we address the question of providing security proofs for signature schemes in the so-called random oracle model (1). In particular, we establish the generality of this technique against adaptively chosen message attacks. Our main application achieves such a security proof for a slight variant of the El Gamal signature scheme (3) where committed values are hashed together with the message. This is a rather surprising result since the original El Gamal is, like RSA (11), subject to existential forgery.
Conference Paper
Full-text available
We introduce the concept of concurrent signatures. These allow two entities to produce two signatures in such a way that, from the point of view of any third party, both signatures are ambiguous with respect to the identity of the signing party until an extra piece of information (the keystone) is released by one of the parties. Upon release of the keystone, both signatures become binding to their true signers concurrently. Concurrent signatures fall just short of providing a full solution to the problem of fair exchange of signatures, but we discuss some applications in which concurrent signatures suffice. Concurrent signatures are highly efficient and require neither a trusted arbitrator nor a high degree of interaction between parties. We provide a model of security for concurrent signatures, and a concrete scheme which we prove secure in the random oracle model under the discrete logarithm assumption.
Conference Paper
Full-text available
This paper addresses how to use public-keys of several different signature schemes to generate 1-out-of-n signatures. Previously known constructions are for either RSA-keys only or DL-type keys only. We present a widely applicable method to construct a 1-out-of-n signature scheme that allows mixture use of different flavors of keys at the same time. The resulting scheme is more efficient than previous schemes even if it is used only with a single type of keys. With all DL-type keys, it yields shorter signatures than the ones of the previously known scheme based on the witness indistinguishable proofs by Cramer, et al. With all RSA-type keys, it reduces both computational and storage costs compared to that of the Ring signatures by Rivest, et al.
Article
Full-text available
Thesis (doctoral)--Swiss Federal Institute of Technology Zurich, 1998.
Article
Full-text available
Since the appearance of public-key cryptography in the seminal Diffie-Hellman paper, many new schemes have been proposed and many have been broken. Thus, the simple fact that a cryptographic algorithm withstands cryptanalytic attacks for several years is often considered as a kind of validation procedure. A much more convincing line of research has tried to provide "provable" security for cryptographic protocols. Unfortunately, in many cases, provable security comes at the cost of a considerable loss in terms of efficiency. Another way to achieve some kind of provable security is to identify concrete cryptographic objects, such as hash functions, with ideal random objects and to use arguments from relativized complexity theory. The model underlying this approach is often called the "random oracle model." We use the word "arguments" for security results proved in this model. As usual, these arguments are relative to well-established hard algorithmic problems such as factorization or the discrete logarithm. In this paper we offer security arguments for a large class of known signature schemes. Moreover, we give for the first time an argument for a very slight variation of the well-known El Gamal signature scheme. In spite of the existential forgery of the original scheme, we prove that our variant resists existential forgeries even against an adaptively chosen-message attack, provided that the discrete logarithm problem is hard to solve. Next, we study the security of blind signatures, which are the most important ingredient for anonymity in off-line electronic cash systems. We first define an appropriate notion of security related to the setting of electronic cash. We then propose new schemes for which one can provide security arguments.
Conference Paper
In this paper we formalize the notion of a ring signature, which makes it possible to specify a set of possible signers without revealing which member actually produced the signature. Unlike group signatures, ring signatures have no group managers, no setup procedures, no revocation procedures, and no coordination: any user can choose any set of possible signers that includes himself, and sign any message by using his secret key and the others' public keys, without getting their approval or assistance. Ring signatures provide an elegant way to leak authoritative secrets in an anonymous way, to sign casual email in a way which can only be verified by its intended recipient, and to solve other problems in multiparty computations. The main contribution of this paper is a new construction of such signatures which is unconditionally signer-ambiguous, provably secure in the random oracle model, and exceptionally efficient: adding each ring member increases the cost of signing or verifying by a single modular multiplication and a single symmetric encryption.
Conference Paper
We describe a generic protocol for fair exchange of electronic goods with non-repudiation. Goods can be signatures (i.e., non-repudiation tokens of public data), confidential data, or payments. The protocol does not involve a third party in the exchange in the fault-less case, but only for recovery. Many commercial transactions can be modelled as a sequence of exchanges of electronic goods involving two or more parties. An exchange among several parties begins with an understanding about what item each party will contribute to the exchange and what it expects to receive at the end of it. A desirable requirement for exchange is fairness. A fair exchange should guarantee that at the end of the exchange, either each party has received what it expects to receive or no party has received anything. One example of fair exchange is non-repudiation of message transmission, which is, in essence, a fair exchange of the message and a non-repudiation of receipt token for the message. In several draft documents, ISO (ISO1, ISO2, ISO3) defines non-repudiation services for transmission of messages and describes protocols that provide them. In particular they define: • non-repudiation of origin, which guarantees that the originator of a message cannot later falsely repudiate having originated that message, and • non-repudiation of receipt, which guarantees that the recipient of a message cannot falsely repudiate having received that message (the ISO draft documents use the term "non-repudiation of delivery").
Conference Paper
The concept of group signatures was introduced by Chaum et al. at Eurocrypt '91. It allows a member of a group to sign messages anonymously on behalf of the group. In case of a later dispute, a designated group manager can revoke the anonymity and identify the originator of a signature. In this paper we propose a new efficient group signature scheme. Furthermore, we present a model and the first realization of generalized group signatures. Such a scheme allows one to define coalitions of group members that are able to sign on the group's behalf.