A MORE EFFICIENT CONVERTIBLE NOMINATIVE SIGNATURE ∗

Dennis Y. W. Liu, Shuang Chang and Duncan S. Wong

Dept. of Computer Science, City University of Hong Kong, Hong Kong, China

Keywords: Digital Signature, Nominative Signature, Undeniable Signature.

Abstract: Nominative signature provides an interesting share of power between a nominator and a nominee in which a nominative signature, generated jointly by the nominator and the nominee, can only be verified with the aid of the nominee. In this paper, we propose a new construction of nominative signature which has a higher network efficiency than the existing one (Liu et al., 2007). In addition, our scheme is the first one supporting nominee-only conversion. We also enhance the security model of nominative signature for capturing this new property.

1 INTRODUCTION

Since the introduction of undeniable signature (Chaum and van Antwerpen, 1990; Chaum, 1990; Chaum and van Antwerpen, 1992), there have been many other non-self-authenticating notions introduced. One of them is Nominative Signature (NS) (Kim et al., 1996; Huang and Wang, 2004; Susilo and Mu, 2005; Guo et al., 2006; Liu et al., 2007). An NS scheme allows a nominator A and a nominee B to jointly generate a signature $\sigma$ on a message $m$ such that the validity of $\sigma$ can only be verified by B. In addition, only B can convince a (third-party) verifier C of the validity of $\sigma$.

Although the notion of NS has been introduced for over a decade (Kim et al., 1996), it was not until recently that the notion has finally been formalized (Liu et al., 2007). In the past, besides lacking a formal definition, the application of NS has also been questioned. In (Liu et al., 2007), it is shown that NS is a very useful tool for constructing user certification systems, which are concerned with letting a user prove the validity of his own birth certificate, driving licence and academic transcripts, issued by authorities. In such a system, the user (nominee) B does not want a verifier C to disseminate B's certificate $s$ (issued by an authority A, the nominator), while B wants to convince C that $s$ is authentic, that is, signed by A. NS is very suitable for this type of application because NS does not allow A to prove the validity of B's certificate $s$. This property greatly helps protect the interest of the users.

∗ The work was supported by a grant from CityU (Project No. 7001844).

Related Work. The notion and construction of NS were first proposed in (Kim et al., 1996). However, the construction was later found to be flawed (Huang and Wang, 2004). In (Huang and Wang, 2004), the notion of convertible NS was introduced. This variant of NS allows the nominee to convert an NS to a publicly verifiable one. A new scheme was also proposed. However, it has later been found to be insecure (Susilo and Mu, 2005; Guo et al., 2006).

In (Liu et al., 2007), the first formal security model for NS was defined and a proven secure construction was proposed. This security model is currently the strongest one. However, there is no definition for the nominee-only conversion from a nominative signature to a standard signature. In their construction, the signature generation protocol requires running a three-move Witness Indistinguishable protocol (Feige and Shamir, 1990; Kurosawa and Heng, 2005).

Our Results. We propose a new construction which does not require the key generation protocol to run a three-move Witness Indistinguishable protocol. The key generation can be completed in just two message flows between the nominator and the nominee, and therefore, has a higher network efficiency than the current one (Liu et al., 2007). We also extend the security model for capturing nominee-only conversion.

Paper Organization. We define convertible NS and propose an enhanced security model in Sec. 2. We then propose a new NS construction in Sec. 3. The security analysis is given in Sec. 4. The paper is concluded in Sec. 5.

Y. W. Liu D., Chang S. and S. Wong D. (2007). A MORE EFFICIENT CONVERTIBLE NOMINATIVE SIGNATURE. In Proceedings of the Second International Conference on Security and Cryptography, pages 214-221. DOI: 10.5220/0002124402140221. Copyright © SciTePress

2 DEFINITIONS AND SECURITY MODELS

We extend the definition of NS from (Liu et al., 2007) to a convertible NS. Specifically, in addition to the properties captured in the definition of (Liu et al., 2007), we also allow the nominee, but nobody else, to convert an NS to a standard signature which can be self-authenticated.

A nominative signature (NS) consists of five PPT (probabilistic polynomial-time) algorithms (SystemSetup, KeyGen, $\mathsf{Ver}^{\mathsf{nominee}}$, Convert, $\mathsf{Ver}^{\mathsf{public}}$) and three protocols (SigGen, Confirmation, Disavowal). On input a security parameter $1^k$, where $k \in \mathbb{N}$, SystemSetup is first invoked for generating a list of system parameters denoted by $\mathsf{param}$. Then, $(pk, sk) \leftarrow \mathsf{KeyGen}(\mathsf{param})$ is executed for each entity in the system. We use A and B to denote the nominator and the nominee, respectively. Let $(pk_A, sk_A)$ be A's key pair and $(pk_B, sk_B)$ be B's. To generate an NS $\sigma$ on some message $m \in \{0,1\}^*$, A and B carry out the SigGen protocol.

Signature Space: This is determined by $pk_A$ and $pk_B$. We emphasize that the signature space has to be explicitly specified in each actual NS scheme specification.

The validity of $\sigma$ can be determined by B using $\mathsf{Ver}^{\mathsf{nominee}}$ on input $(m, \sigma, pk_A, sk_B)$. To convince a third party C on the validity/invalidity of $\sigma$, B as prover and C as verifier carry out a Confirmation or Disavowal protocol:

Confirmation/Disavowal Protocol: B sets $\mu$ to 1 if $\mathsf{valid} \leftarrow \mathsf{Ver}^{\mathsf{nominee}}(m, \sigma, pk_A, sk_B)$; otherwise, $\mu$ is set to 0. If $\mu = 1$, Confirmation protocol is carried out; otherwise, Disavowal protocol is carried out. At the end, C outputs either accept or reject while B has no output.

To convert $\sigma$ to a standard signature $\sigma^{\mathsf{pub}}$, B runs $\mathsf{Convert}(m, \sigma, pk_A, sk_B)$. After the conversion, the validity of $\sigma^{\mathsf{pub}}$ can be verified by running $\mathsf{Ver}^{\mathsf{public}}(m, \sigma^{\mathsf{pub}}, pk_A, pk_B)$.

Correctness. If all the algorithms mentioned above are executed accordingly, the NS scheme should satisfy the following requirements. (1) $\mathsf{valid} \leftarrow \mathsf{Ver}^{\mathsf{nominee}}(m, \sigma, pk_A, sk_B)$; (2) C outputs accept at the end of the Confirmation protocol; and (3) $\mathsf{valid} \leftarrow \mathsf{Ver}^{\mathsf{public}}(m, \sigma^{\mathsf{pub}}, pk_A, pk_B)$.

On the security of NS, (Liu et al., 2007) defines (1) unforgeability, (2) invisibility, (3) security against impersonation and (4) non-repudiation. We will adopt these definitions. Besides, we also define an additional security model for capturing the notion of (5) nominee-only conversion.

Before elaborating the corresponding games, we first describe some oracles that are to be provided to adversaries:

• CreateUser: On input an identity $I$, it generates a key pair $(pk_I, sk_I)$ using KeyGen and returns $pk_I$.

• Corrupt: On input a public key $pk$, if $pk$ is generated by CreateUser or in $\{pk_A, pk_B\}$, the corresponding private key is returned; otherwise, $\perp$ is returned. $pk$ is said to be corrupted.

• SignTranscript: On input a message $m$, two distinct public keys, $pk_1$ (the nominator) and $pk_2$ (the nominee), and one parameter called $\mathsf{role} \in \{\mathsf{nil}, \mathsf{nominator}, \mathsf{nominee}\}$,

  – if $\mathsf{role} = \mathsf{nil}$, S simulates SigGen and returns $(\sigma, \mathsf{trans}_\sigma)$ where $\sigma$ is a valid nominative signature (i.e. $\mathsf{valid} \leftarrow \mathsf{Ver}^{\mathsf{nominee}}(m, \sigma, pk_1, sk_2)$ where $sk_2$ is the corresponding private key of $pk_2$) and $\mathsf{trans}_\sigma$ is the transcript of the execution of SigGen.

  – if $\mathsf{role} = \mathsf{nominator}$, S (as nominee with public key $pk_2$) simulates a run of SigGen with the adversary (which acts as the nominator with $pk_1$);

  – if $\mathsf{role} = \mathsf{nominee}$, S (as nominator with $pk_1$) simulates a run of SigGen with the adversary (which acts as the nominee with $pk_2$).

• Confirmation/disavowal: On input a message $m$, a nominative signature $\sigma$ and two public keys $pk_1$ (nominator), $pk_2$ (nominee), let $sk_2$ be the corresponding private key of $pk_2$, the oracle responds based on whether a passive attack or an active/concurrent attack is mounted.

  – Passive attack: If $\mathsf{Ver}^{\mathsf{nominee}}(m, \sigma, pk_1, sk_2)$ outputs valid, the oracle returns $\mu = 1$ and a transcript of the Confirmation protocol. Otherwise, $\mu = 0$ and a transcript of the Disavowal protocol are returned.

  – Active/concurrent attack: the oracle checks if $\sigma$ is valid as in the passive attack. If so, the oracle returns $\mu = 1$ and executes the Confirmation protocol with the adversary (acting as a verifier). Otherwise, the oracle returns $\mu = 0$ and executes the Disavowal protocol with the adversary. The difference between active and concurrent attack is that the adversary interacts serially with the oracle in the active attack while it interacts with different instances of the oracle concurrently in the concurrent attack.

• OracleConvert: On input $(m, \sigma, pk_1, pk_2)$ such that $\mathsf{valid} \leftarrow \mathsf{Ver}^{\mathsf{nominee}}(m, \sigma, pk_1, sk_2)$, the oracle returns $\sigma^{\mathsf{pub}}$ such that $\mathsf{valid} \leftarrow \mathsf{Ver}^{\mathsf{public}}(m, \sigma^{\mathsf{pub}}, pk_1, pk_2)$.

2.1 Unforgeability

Game Unforgeability: Let S be the simulator and F be a forger.

1. (Initialization) First, $\mathsf{param} \leftarrow \mathsf{SystemSetup}(1^k)$ is executed and key pairs $(pk_A, sk_A)$ and $(pk_B, sk_B)$ for nominator A and nominee B, respectively, are generated using KeyGen. Then F is invoked on input $(\mathsf{param}, pk_A, pk_B)$.

2. (Attacking Phase) F can make queries to the oracles mentioned above.

3. (Output Phase) F outputs a pair $(m^*, \sigma^*)$ as a forgery of A's nominative signature on message $m^*$ with B as the nominee.

The forger F wins the game if $\mathsf{valid} \leftarrow \mathsf{Ver}^{\mathsf{nominee}}(m^*, \sigma^*, pk_A, sk_B)$ and (1) F does not corrupt both $sk_A$ and $sk_B$; (2) $(m^*, pk_A, pk_B, \mathsf{role})$ has never been queried to SignTranscript for any role; (3) $(m^*, \sigma', pk_A, pk_B)$ has never been queried to Confirmation/disavowal for any $\sigma'$ in the signature space with respect to $pk_A$ and $pk_B$ (check Signature Space on page 2). F's advantage is defined to be the probability that F wins.

Definition 1 (Liu et al., 2007) An NS scheme is said to be unforgeable if no PPT forger F has a non-negligible advantage in Game Unforgeability.

2.2 Invisibility

Game Invisibility: The initialization phase is the same as that of Game Unforgeability. Let D be a distinguisher that can query any of the oracles mentioned. At some point in the attacking phase, D outputs a message $m^*$ and requests for a challenge nominative signature $\sigma^*$ on $m^*$. $\sigma^*$ is generated based on the outcome of a hidden coin toss $b$. If $b = 1$, $\sigma^*$ is generated using SigGen. If $b = 0$, $\sigma^*$ is chosen randomly from the signature space with respect to $pk_A$ and $pk_B$. At the end of the game, D outputs a guess $b'$.

D wins if $b' = b$ and (1) D does not corrupt $sk_B$; (2) $(m^*, pk_A, pk_B, \mathsf{role})$ has never been queried to SignTranscript; (3) $(m^*, \sigma^*, pk_A, pk_B)$ has never been queried to Confirmation/disavowal. D's advantage in this game is defined as $|\Pr[b' = b] - \frac{1}{2}|$.

Definition 2 (Liu et al., 2007) An NS scheme satisfies invisibility if no PPT distinguisher D has a non-negligible advantage in Game Invisibility.

2.3 Security Against Impersonation

Game Impersonation: Let I be an impersonator. The initialization phase is the same as that of Game Unforgeability. The two other phases are as follows.

• (Preparation Phase) I may query any of the oracles. I prepares $(m^*, \sigma^*, \mu)$ where $m^*$ is some message, $\sigma^*$ is in the signature space with respect to $pk_A$ and $pk_B$ and $\mu$ is a bit.

• (Impersonation Phase) If $\mu = 1$, I (as nominee) executes Confirmation protocol with the simulator (as a verifier). If $\mu = 0$, I executes Disavowal protocol instead.

I wins if the simulator outputs accept at the Impersonation Phase while I has never corrupted $sk_B$ in the game. I's advantage is defined to be the probability that I wins.

Definition 3 (Liu et al., 2007) An NS scheme is secure against impersonation if no PPT impersonator I has a non-negligible advantage in Game Impersonation.

2.4 Non-repudiation

Game Non-repudiation: Let B be a cheating nominee which can query any of the oracles. The initialization phase is the same as that of Game Unforgeability. The two other phases are: (1) (Preparation Phase) B prepares $(m^*, \sigma^*)$ where $m^*$ is a message and $\sigma^*$ is in the signature space with respect to $pk_A$ and $pk_B$. (2) (Repudiation Phase) If $\mathsf{Ver}^{\mathsf{nominee}}(m^*, \sigma^*, pk_A, sk_B) = \mathsf{valid}$, B executes Disavowal protocol with the simulator (acting as a verifier) on $(m^*, \sigma^*, pk_A, pk_B)$; otherwise, the Confirmation protocol is carried out.

B wins the game if the simulator outputs accept in the repudiation phase. B's advantage is defined to be the probability that B wins.

Definition 4 (Liu et al., 2007) An NS scheme is secure against repudiation if no PPT cheating nominee has a non-negligible advantage in Game Non-repudiation.

We now propose an additional security requirement. This one is for convertible NS.

SECRYPT 2007 - International Conference on Security and Cryptography


2.5 Nominee-only Conversion

This security notion requires that it should be infeasible for anyone but the nominee to convert a valid nominative signature to a publicly-verifiable one. We consider the following game.

Game Nominee-only Conversion: The initialization phase is the same as that of Game Unforgeability. An adversary C can query any of the oracles. At the end of the game, C outputs $(m^*, \sigma^*, \tilde{\sigma}^{\mathsf{pub}})$.

C wins if $\mathsf{valid} \leftarrow \mathsf{Ver}^{\mathsf{nominee}}(m^*, \sigma^*, pk_A, sk_B)$, and $\mathsf{valid} \leftarrow \mathsf{Ver}^{\mathsf{public}}(m, \tilde{\sigma}^{\mathsf{pub}}, pk_A, pk_B)$. The restrictions are (1) C has never corrupted $sk_B$; (2) $(m^*, \sigma^*, pk_A, pk_B)$ has never been queried to OracleConvert; (3) $(m^*, \sigma, pk_A, pk_B)$ has never been queried to Confirmation/disavowal for any nominative signature $\sigma$. C's advantage is defined as the probability that C wins.

Definition 5 An NS satisfies nominee-only conversion if no PPT adversary C has a non-negligible advantage in Game Nominee-only Conversion.

3 OUR CONSTRUCTION

In this section, we propose a new construction, which has a higher network efficiency than the one in (Liu et al., 2007) during signature generation and also supports nominee-only conversion.

3.1 Preliminaries

Ring Signature. Our construction makes use of a special structure of the ring signature scheme due to (Rivest et al., 2001) (RST scheme). In the RST scheme, it is assumed that each ring member has a one-way trapdoor permutation $f$ and its inverse $f^{-1}$ (i.e. the trapdoor). There is a random “glue” value $z$ in each RST ring signature and the scheme requires a block cipher $SE : \{0,1\}^k \times \{0,1\}^k \to \{0,1\}^k$. We denote the output of $SE(K, m)$ by $SE_K(m)$. Let $SE^{-1}$ be the decryption algorithm of the block cipher.

Verifiable Decryption. A verifiable decryption (VD) scheme for a relation $\mathfrak{R}$ (Camenisch and Shoup, 2003) has an encryption/decryption algorithm pair $(\mathsf{Enc}, \mathsf{Dec})$ associated with a verification protocol suite which allows a prover who possesses the secret key of a public key $pk$ to convince a verifier that given $\delta$ and ciphertext $\psi$ encrypted under $pk$, $\psi$ is the encryption of $\omega$ where $(\omega, \delta) \in \mathfrak{R}$. In other words, the prover is the decryptor who holds the secret key $sk$.

In our NS scheme, we adopt the proofing protocols for VD of discrete logarithm due to (Camenisch and Shoup, 2003) to implement the Confirmation/Disavowal protocols. The protocols of (Camenisch and Shoup, 2003) are special honest verifier zero-knowledge (SHVZK). In our NS scheme, however, we need concurrent zero-knowledge (CZK) protocols for security proofs. Therefore, we apply the standard transformations (Goldreich and Kahan, 1996; Cramer et al., 2000; Damgård, 2000; Gennaro, 2004) and convert them to CZK variants in the common reference string (CRS) model.

3.2 Our Scheme

SystemSetup: It generates a cyclic group $G$ of $k$-bit prime order $p$ and a random generator $g$. Assume that each element of $G$ can be encoded distinctly into a $k$-bit binary string. Let $H : \{0,1\}^* \to \{0,1\}^k$ be a hash function. Set $\mathsf{param} = (1^k, SE, G, p, g, H)$.

KeyGen: For nominator A, it generates $(f_A, f_A^{-1})$, a pair of signing and verification algorithms $(\mathsf{Sig}_A, \mathsf{Ver}_A)$ and a VD encryption/decryption pair $(\mathsf{Enc}_A, \mathsf{Dec}_A)$. Set $pk_A = (f_A, \mathsf{Ver}_A, \mathsf{Enc}_A)$ and $sk_A = (f_A^{-1}, \mathsf{Sig}_A, \mathsf{Dec}_A)$. Nominee B's key pair is generated similarly.

SigGen Protocol: Let $m \in \{0,1\}^*$ be a message. The protocol is carried out as follows.

1. B picks $r \in_R \mathbb{Z}_p$, computes $R_B = g^r$ and sends $R_B$ to A.

2. (RST scheme) A picks $z \in_R \{0,1\}^k$ and computes $y_B = f_B(R_B)$, $y_A = SE_K^{-1}(z) \oplus SE_K(z \oplus y_B)$, and $R_A = f_A^{-1}(y_A)$, where $K = H(m \| pk_A \| pk_B)$. $\sigma^{\mathsf{ring}} = (z, R_A, R_B)$ forms a ring signature on “message” $K$. A sends $\sigma^{\mathsf{ring}}$ to B.

3. B checks if $z = SE_K(SE_K(z \oplus f_B(R_B)) \oplus f_A(R_A))$ and $R_B = g^r$. If so, B outputs $\sigma = (\sigma^{\mathsf{ring}}, \mathsf{Enc}_B(r), \sigma^{\mathsf{standard}})$, where $\sigma^{\mathsf{standard}} = \mathsf{Sig}_B(m \| \sigma^{\mathsf{ring}} \| \mathsf{Enc}_B(r))$.

(Signature Space.) $\sigma = (\sigma_1, \sigma_2, \sigma_3)$ is in the signature space with respect to $pk_A$ and $pk_B$ if $\sigma_1$ is a valid ring signature on “message” $K$, $\sigma_2$ is properly formed with respect to the VD scheme, i.e., $\sigma_2$ can be properly decrypted to some message $m$, and $\sigma_3$ is a valid standard signature of B on “message” $m \| \sigma_1 \| \sigma_2$ (i.e. with respect to $\mathsf{Ver}_B$). Note that if $\sigma$ is in the signature space, it does not imply that $\sigma$ is a valid NS. The validity can only be verified by B:

$\mathsf{Ver}^{\mathsf{nominee}}$: On input $(m, \sigma, pk_A, sk_B)$ where $\sigma = (\sigma^{\mathsf{ring}}, \mathsf{Enc}_B(r), \sigma^{\mathsf{standard}})$ is in the signature space, compute $r = \mathsf{Dec}_B(\mathsf{Enc}_B(r))$ and check if

1. $\sigma^{\mathsf{ring}} = (z, R_A, R_B)$ is valid, i.e. $z = SE_K(SE_K(z \oplus f_B(R_B)) \oplus f_A(R_A))$;

2. $\mathsf{Ver}_B(m \| \sigma^{\mathsf{ring}} \| \mathsf{Enc}_B(r), \sigma^{\mathsf{standard}}) = 1$; and

3. $R_B = g^r$.

If all of them are correct, output valid; otherwise, output invalid.

Confirmation/Disavowal Protocol: On input $(m, \sigma, pk_A, pk_B)$ where $\sigma$ is in the signature space, if $\mathsf{valid} \leftarrow \mathsf{Ver}^{\mathsf{nominee}}(m, \sigma, pk_A, sk_B)$, B sets $\mu = 1$; otherwise, sets $\mu = 0$.

• If $\mu = 1$, B proves to C that the decryption of $\mathsf{Enc}_B(r)$ is a discrete log of $R_B$ using the corresponding VD protocol.

• If $\mu = 0$, B proves to C that the decryption of $\mathsf{Enc}_B(r)$ is NOT a discrete log of $R_B$ using the corresponding VD protocol.

Convert: On input $(m, \sigma, pk_A, pk_B)$ such that $\mathsf{valid} \leftarrow \mathsf{Ver}^{\mathsf{nominee}}(m, \sigma, pk_A, sk_B)$, B outputs a standard signature $\sigma^{\mathsf{pub}} = (\sigma, r)$.

Verify: On input $(m, \sigma^{\mathsf{pub}}, pk_A, pk_B)$, check if all of the following are valid:

1. $\sigma^{\mathsf{ring}} = (z, R_A, R_B)$ is valid, that is, $z = SE_K(SE_K(z \oplus f_B(R_B)) \oplus f_A(R_A))$;

2. $\mathsf{Ver}_B(m \| \sigma^{\mathsf{ring}} \| \mathsf{Enc}_B(r), \sigma^{\mathsf{standard}}) = 1$; and

3. $R_B = g^r$.

Discussion. In the SigGen protocol, there are only two message flows between A and B. When compared with (Liu et al., 2007), our construction does not need a three-move Witness Indistinguishable protocol, and therefore has a higher network efficiency. It remains an open problem if a non-interactive SigGen protocol can be built, namely, there is only one message flow between A and B.
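The two SigGen moves, the ring equation and the $R_B = g^r$ check can be run end to end with toy parameters. The Python code below is an added example, not code from the paper: it assumes toy RSA permutations with the RST domain extension for $f_A, f_B$, a SHA-256 Feistel network standing in for $SE$, and a constructed 11-bit group, and it leaves out $\mathsf{Enc}_B(r)$, $\sigma^{\mathsf{standard}}$ and the confirmation/disavowal proofs. It also shows that a ring B closes alone satisfies the ring equation but has no opening $r$, which is why membership in the signature space does not imply validity.

```python
import hashlib
import secrets

B_BITS = 256                      # common b-bit domain of the ring equation
P, Q, G = 2039, 1019, 4           # toy group (constructed): G has prime order Q in Z_P^*
E = 65537                         # RSA public exponent


def H(*parts):
    """K = H(m || pk_A || pk_B), each part length-prefixed; 256-bit output."""
    h = hashlib.sha256()
    for part in parts:
        data = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(h.digest(), "big")


def keygen(p1, p2):
    """Toy RSA trapdoor permutation: pk is the modulus n, sk is (n, d)."""
    n = p1 * p2
    return n, (n, pow(E, -1, (p1 - 1) * (p2 - 1)))


def f(n, x, exp=E):
    """RSA extended to a permutation of {0,1}^b, as in the RST ring signature."""
    q, rem = divmod(x, n)
    if (q + 1) * n <= 1 << B_BITS:
        return q * n + pow(rem, exp, n)
    return x                      # the top partial block is mapped to itself


def f_inv(sk, y):
    return f(sk[0], y, sk[1])


def _round(K, i, half):
    data = K.to_bytes(32, "big") + bytes([i]) + half.to_bytes(16, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def SE(K, x, inverse=False):
    """Stand-in block cipher: 4-round Feistel permutation of 256-bit blocks."""
    left, right = x >> 128, x & ((1 << 128) - 1)
    if not inverse:
        for i in range(4):
            left, right = right, left ^ _round(K, i, right)
    else:
        for i in reversed(range(4)):
            left, right = right ^ _round(K, i, left), left
    return (left << 128) | right


def ring_ok(m, pk_A, pk_B, sigma_ring):
    """Public ring equation z = SE_K(SE_K(z ^ f_B(R_B)) ^ f_A(R_A))."""
    z, R_A, R_B = sigma_ring
    K = H(m, pk_A, pk_B)
    return z == SE(K, SE(K, z ^ f(pk_B, R_B)) ^ f(pk_A, R_A))


def nominee_commit():
    """SigGen move 1: B picks r and sends R_B = g^r."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def nominator_ring(m, sk_A, pk_A, pk_B, R_B):
    """SigGen move 2: A closes the ring at its own slot with f_A^{-1}."""
    K = H(m, pk_A, pk_B)
    z = secrets.randbits(B_BITS)
    y_A = SE(K, z, inverse=True) ^ SE(K, z ^ f(pk_B, R_B))
    return z, f_inv(sk_A, y_A), R_B


def nominee_alone_ring(m, sk_B, pk_A, pk_B):
    """B closing the ring without A: R_B comes out of f_B^{-1}, not from g^r."""
    K = H(m, pk_A, pk_B)
    z, R_A = secrets.randbits(B_BITS), secrets.randbits(B_BITS)
    y_B = z ^ SE(K, SE(K, z, inverse=True) ^ f(pk_A, R_A), inverse=True)
    return z, R_A, f_inv(sk_B, y_B)


def verify_with_r(m, pk_A, pk_B, sigma_ring, r):
    """Checks 1 and 3 of the verification lists: ring equation and R_B = g^r."""
    return ring_ok(m, pk_A, pk_B, sigma_ring) and sigma_ring[2] == pow(G, r, P)


PK_A, SK_A = keygen(2**61 - 1, 2**89 - 1)      # Mersenne primes, toy key sizes
PK_B, SK_B = keygen(2**107 - 1, 2**127 - 1)

if __name__ == "__main__":
    msg = b"constructed sample certificate"
    r, R_B = nominee_commit()
    sig = nominator_ring(msg, SK_A, PK_A, PK_B, R_B)
    print("joint signature, r known:", verify_with_r(msg, PK_A, PK_B, sig, r))
    lone = nominee_alone_ring(msg, SK_B, PK_A, PK_B)
    print("B-only ring passes ring check:", ring_ok(msg, PK_A, PK_B, lone))
    print("B-only R_B opens as g^r:",
          any(lone[2] == pow(G, x, P) for x in range(Q)))
```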

4 SECURITY ANALYSIS

Lemma 1 (Cheating Nominee) Let $k \in \mathbb{N}$ be a security parameter. If a $(t, \varepsilon, Q)$-nominee can forge a valid NS with probability at least $\varepsilon$ after running at most time $t$ and making at most $Q$ queries, there exists a $(t', \varepsilon')$-adversary which can invert a trapdoor one-way permutation with probability at least $\varepsilon' = Q^{-2}(1 - 2^{-k})\varepsilon$ after running at most time $t' = t + Q t_q + c$ where $t_q$ is the maximum time for simulating one oracle query and $c$ is some constant.

Lemma 2 (Cheating Nominator) If a $(t, \varepsilon, Q)$-nominator can forge a valid NS, there exists a $(t', \varepsilon')$-adversary which can existentially forge a standard signature under the model of chosen message attacks (Goldwasser et al., 1988) with probability at least $\varepsilon' = (1 - 2^{-k}Q)\varepsilon$ after running at most time $t' = t + Q t_q + c$, where $t_q$ is the maximum time for simulating one oracle query and $c$ is some constant.

Theorem 1 (Unforgeability) The NS scheme proposed above is unforgeable (Def. 1) if there exist trapdoor one-way permutations and existentially unforgeable signature schemes secure against chosen message attacks (Goldwasser et al., 1988).

This theorem follows directly from Lemmas 1 and 2. Proofs of the lemmas are in Appendix A.

Theorem 2 (Invisibility) If there exists a $(t, \varepsilon, Q)$-distinguisher D in Game Invisibility and existentially unforgeable signature schemes secure against chosen message attacks (Goldwasser et al., 1988), there exists a $(t', \varepsilon')$-distinguisher $D_{\mathsf{Enc}}$ which has advantage at least $\varepsilon' = \varepsilon$ to launch an adaptive chosen ciphertext attack to the encryption algorithm of VD by running at most time $t' = t + Q t_q + c$ where $t_q$ is the maximum time for simulating one oracle query and $c$ denotes some constant time for system setup and key generation.

Theorem 3 (Nominee-only Conversion) The convertible NS scheme proposed satisfies nominee-only conversion (Def. 5) if there exist trapdoor one-way permutations and existentially unforgeable signature schemes against chosen message attacks (Goldwasser et al., 1988).

All proofs above are in Appendix A.

Both confirmation and disavowal protocols in this scheme are zero-knowledge. Therefore, the scheme already satisfies the requirements of security against impersonation (Def. 2.3). In addition, by using the technique of Theorem 2, it can be shown that compromising the security against impersonation of this scheme reduces to compromising the underlying zero-knowledge confirmation/disavowal protocols of VD of discrete logarithm in (Camenisch and Shoup, 2003). We skip the details but readers can readily derive the reduction from the proving technique of Theorem 2.

The scheme also satisfies the requirement that the nominee cannot repudiate. This follows directly from the soundness property of the underlying VD of discrete logarithm protocol (Camenisch and Shoup, 2003).

5 CONCLUSION

We proposed a convertible NS scheme which does not require running a three-move Witness Indistinguishable protocol for signature generation and only two message flows are required to complete the generation. This gives our construction an advantage in network efficiency over the one in (Liu et al., 2007). We also enhanced the security model of (Liu et al., 2007) for capturing nominee-only conversion. It remains an open problem to construct an NS with a non-interactive signature generation process.

REFERENCES

Camenisch, J. and Shoup, V. (2003). Practical verifiable encryption and decryption of discrete logarithms. In CRYPTO 2003, pages 126–144.

Chaum, D. (1990). Zero-knowledge undeniable signatures. In Proc. EUROCRYPT 90, pages 458–464. Springer-Verlag. LNCS 473.

Chaum, D. and van Antwerpen, H. (1990). Undeniable signatures. In Proc. CRYPTO 89, pages 212–216. Springer-Verlag. LNCS 435.

Chaum, D. and van Antwerpen, H. (1992). Cryptographically strong undeniable signatures, unconditionally secure for the signer. In Proc. CRYPTO 91, pages 470–484. Springer-Verlag. LNCS 576.

Cramer, R., Damgård, I., and MacKenzie, P. D. (2000). Efficient zero-knowledge proofs of knowledge without intractability assumptions. In PKC 00, pages 354–372.

Damgård, I. (2000). Efficient concurrent zero-knowledge in the auxiliary string model. In EUROCRYPT 00, pages 418–430.

Feige, U. and Shamir, A. (1990). Witness indistinguishable and witness hiding protocols. In Proc. 22nd ACM Symp. on Theory of Computing, pages 416–426.

Gennaro, R. (2004). Multi-trapdoor commitments and their applications to proofs of knowledge secure under concurrent man-in-the-middle attacks. In CRYPTO 04, pages 220–236.

Goldreich, O. and Kahan, A. (1996). How to construct constant-round zero-knowledge proof systems for NP. J. Cryptology, 9(3).

Goldwasser, S., Micali, S., and Rivest, R. (1988). A digital signature scheme secure against adaptive chosen-message attack. SIAM J. Computing, 17(2):281–308.

Guo, L., Wang, G., and Wong, D. (2006). Further discussions on the security of a nominative signature scheme. Cryptology ePrint Archive, Report 2006/007.

Huang, Z. and Wang, Y. (2004). Convertible nominative signatures. In Proc. of Information Security and Privacy (ACISP'04), pages 348–357. Springer-Verlag. LNCS 3108.

Kim, S. J., Park, S. J., and Won, D. H. (1996). Zero-knowledge nominative signatures. In PragoCrypt'96, International Conference on the Theory and Applications of Cryptology, pages 380–392.

Kurosawa, K. and Heng, S. (2005). 3-move undeniable signature scheme. In Proc. EUROCRYPT 2005, pages 181–197. LNCS 3494.

Liu, D. Y. W., Wong, D. S., Huang, X., Wang, G., Huang, Q., Mu, Y., and Susilo, W. (2007). Nominative signature: Application, security model and construction. Cryptology ePrint Archive, Report 2007/069. http://eprint.iacr.org/2007/069.

Rivest, R., Shamir, A., and Tauman, Y. (2001). How to leak a secret. In Proc. ASIACRYPT 2001, pages 552–565. Springer-Verlag. LNCS 2248.

Susilo, W. and Mu, Y. (2005). On the security of nominative signatures. In Proc. of Information Security and Privacy (ACISP'05), pages 329–335. Springer-Verlag. LNCS 3547.

A APPENDIX

A.1 Proof of Lemma 1

Proof. If a $(t, \varepsilon, Q)$-forger F after obtaining $sk_B = (f_B^{-1}, \mathsf{Dec}_B, \mathsf{Sig}_B)$ via Corrupt can win Game Unforgeability with at least probability $\varepsilon$ by producing a valid nominative signature $\sigma^* = (\sigma^{\mathsf{ring}*}, \mathsf{Enc}_B(r^*), \sigma^{\mathsf{standard}*})$ on some message $m^*$ after running at most time $t$ and making at most $Q$ queries (all kinds of oracle queries which include game specific oracles and random oracles), we construct a $(t', \varepsilon')$-algorithm S which inverts a trapdoor one-way permutation $\hat{f} : \{0,1\}^k \to \{0,1\}^k$ on some random input $\hat{y} \in_R \{0,1\}^k$ with at least probability $\varepsilon'$ after running at most time $t'$. We will derive the values of $\varepsilon'$ and $t'$ in this proof. Let the ring signature $\sigma^{\mathsf{ring}*}$ on “message” $K^*$ be $(z^*, R_A^*, R_B^*)$. Assume that all hash evaluations and $SE/SE^{-1}$ evaluations made by F are obtained from oracle access.

Game Simulation: S first generates $\mathsf{param}$ according to SystemSetup, and sets nominator A's public key to $pk_A = (\hat{f}, \mathsf{Ver}_A, \mathsf{Enc}_A)$ and private key to $sk_A = (\perp, \mathsf{Sig}_A, \mathsf{Dec}_A)$ where $\perp$ denotes an empty string as the trapdoor information of $\hat{f}$ is unavailable to S. For nominee B, the public and private keys are all generated according to KeyGen. Then F is invoked on $(1^k, pk_A, pk_B)$. Oracles are also simulated.

For oracle CreateUser, a new key pair is generated using KeyGen and the public key is returned. For oracle Corrupt, for example, if B is queried, $sk_B$ is returned. As restricted by the game and the statement of this lemma, A's private key cannot be compromised by F. For a SignTranscript query, there are three cases:

• Case (1): If $\mathsf{role} = \mathsf{nil}$, a nominative signature is simulated by following SigGen. There is one exception: if A is indicated as the nominator (i.e. $pk_1 = pk_A$ in Game Unforgeability), S is unable to follow the protocol to compute an inversion of $\hat{f}$. But thanks to the random oracle, S can do the evaluation of $\hat{f}$ and assign the appropriate $SE/SE^{-1}$ evaluations with a randomly generated ‘glue’ value $z \in_R \{0,1\}^k$. This simulation is computationally indistinguishable from a real simulation due to the idealness of random oracles.

• Case (2): If $\mathsf{role} = \mathsf{nominator}$, S simulates an execution of SigGen protocol with F. S acts as the nominee. Similar to Case (1), S can simply follow the exact execution of SigGen protocol even if the nominee is A. This is because when A is the nominee, A is not required to invert $\hat{f}$.

• Case (3): If $\mathsf{role} = \mathsf{nominee}$, S acts as nominator and simulates an execution of SigGen protocol with F. During the simulation, S follows the execution of SigGen protocol except when the nominator is indicated as A. In this case, we use the strategy described in Case (1) by assigning appropriate $SE/SE^{-1}$ evaluations such that S only needs to evaluate the forward direction of $\hat{f}$. Note that by following the specification of SigGen protocol, S acting as A only needs to compute the ring signature component after receiving the first message $R_{\tilde{B}}$ from F which is acting as nominee $\tilde{B}$. Hence by randomly generating $z \in_R \{0,1\}^\ell$ and properly adjusting the $SE/SE^{-1}$ evaluations on $(z \oplus f_{\tilde{B}}(R_{\tilde{B}}))$ and $z$, S does not need to invert $\hat{f}$.

For Confirmation/disavowal and OracleConvert queries, since S has all parties' private key component $\mathsf{Dec}$, S can always carry out the confirmation/disavowal protocols and perform the standard signature conversion.

Reduction: We follow the argument of the “gap” technique used in the soundness proof of the ring signature of (Rivest et al., 2001). The “gap” technique is based on an observation that the valid ring signature $\sigma^{\mathsf{ring}*}$ forged by F must have a gap somewhere between two cyclically consecutive occurrences of $SE$, and F must be forced to fill in this gap by computing the inverse of the corresponding trapdoor one-way permutation. Since F has to query S for the results of $SE$ and $SE^{-1}$ evaluations, S can make use of the queries of the two $SE/SE^{-1}$ evaluations, which form the gap, to assign the desired $\hat{y}$. If F makes at most $Q$ queries, the probability that S guesses correctly the two $SE/SE^{-1}$ queries is at least $Q^{-2}$. In $\sigma^{\mathsf{ring}*}$, there are only two possible gaps. One is at $y_2 = f_B(R_B^*)$ and the other one at $y_1 = \hat{f}(R_A^*)$. If the gap is at $y_2$, then with probability at most $2^{-k}$, $f_B^{-1}(y_2)$ is of the form $g^{r^*}$ where $r^* \in_R \mathbb{Z}_p$, since $y_2$ is uniformly distributed over $\{0,1\}^k$. Therefore, with probability $(1 - 2^{-k})$, the gap is at $y_1$. S's goal is to set $y_1$ to $\hat{y}$. As described above, S randomly picks two $SE/SE^{-1}$ queries as the guess of the two $SE/SE^{-1}$ queries for forming the gap. Once F outputs $\sigma^{\mathsf{ring}*} = (z^*, R_A^*, R_B^*)$, S outputs $R_A^*$ as the result of $\hat{f}^{-1}(\hat{y})$.

Hence if the advantage of F in Game Unforgeability is $\varepsilon$, the probability that S inverts the trapdoor one-way permutation is at least $Q^{-2}(1 - 2^{-k})\varepsilon$. If each random oracle query takes at most time $t_q$ to finish, the simulation time of the game for F is at most $t + Q t_q + c$ where $c$ denotes some constant time for system setup and key generation.

A.2 Proof of Lemma 2

Proof. If a $(t,\varepsilon,Q)$-forger $F$, after obtaining via oracle Corrupt the nominator A's private key $sk_A = (f_A^{-1}, \mathrm{Sig}_A, \mathrm{Enc}_A)$, is able to win Game Unforgeability with probability at least $\varepsilon$ by producing a valid nominative signature $\sigma^* = (\sigma^{\mathrm{ring}*}, \mathrm{Enc}_B(r^*), \sigma^{\mathrm{standard}*})$ on some message $m^*$ after running at most time $t$ and making at most $Q$ queries, where $\sigma^{\mathrm{standard}*}$ is a standard signature of nominee B on “message” $m^* \| \sigma^{\mathrm{ring}*} \| \mathrm{Enc}_B(r^*)$, we construct a $(t',\varepsilon')$-algorithm $S$ to forge a signature with respect to a standard signature scheme $(\mathrm{Sig}^*, \mathrm{Ver}^*)$ with probability at least $\varepsilon'$, in the model of existential forgery against chosen message attacks (Goldwasser et al., 1988) after running at most time $t'$. By forging a standard signature, $S$ is given a problem instance $\mathrm{Ver}^*$ but not $\mathrm{Sig}^*$ and $S$ is to output a pair $(\tilde{m}, \tilde{\sigma})$ such that $\mathrm{Ver}^*(\tilde{m}, \tilde{\sigma}) = 1$ after adaptively querying a signing oracle. The restriction is that $\tilde{m}$ has never been queried to the signing oracle.

In the simulation of Game Unforgeability, $S$ sets the public key of nominee B to $pk_B = (f_B, \mathrm{Ver}^*, \mathrm{Enc}_B)$ and private key to $sk_B = (f_B^{-1}, \perp, \mathrm{Dec}_B)$. The simulation is similar to that in the proof of Lemma 1 with the exception that for each query of B's standard signature, the query will be forwarded to the signing oracle of $\mathrm{Sig}^*$ by $S$ and the answer is relayed back.

First, we show that with probability at most $2^{-k}Q$, the ring signature $\sigma^{\mathrm{ring}*}$ in $\sigma^*$ is an output of oracle SignTranscript. As restricted by Game Unforgeability, $(m^*, pk_A, pk_B, role)$ should have never been queried to oracle SignTranscript. Hence if oracle SignTranscript has output a nominative signature which contains the ring signature $\sigma^{\mathrm{ring}*}$, it should be a valid ring signature for some message, say $\hat{K}$, with respect to ring members identified by $pk_1$ and $pk_2$. Since $S$ simulates all the hash functions and $SE/SE^{-1}$ evaluations by picking returning values uniformly at random from the corresponding spaces, the chance that there is at least one valid output of SignTranscript that contains $\sigma^{\mathrm{ring}*}$ is at most $2^{-k}Q$.

Hence when $F$ outputs a forgery, $\sigma^{\mathrm{standard}*}$ must be a forgery with respect to $(\mathrm{Sig}^*, \mathrm{Ver}^*)$ on message $\tilde{m} = m^* \| \sigma^{\mathrm{ring}*} \| \mathrm{Enc}_B(r^*)$ with exceptional probability of at most $2^{-k}Q$. If the advantage of $F$ in Game Unforgeability is $\varepsilon$, the probability that $S$ existentially forges a signature with respect to $(\mathrm{Sig}^*, \mathrm{Ver}^*)$ is at least $\varepsilon' = (1 - 2^{-k}Q)\varepsilon$. Similar to the proof of Lemma 1, the running time of $S$ is at most $t' = t + Qt_q + c$.

A.3 Proof of Theorem 2

Proof. We show that if there exists a distinguisher $D$ with advantage $\varepsilon$ in Game Invisibility, then we can construct a distinguisher $D_{\mathrm{Enc}}$ for the encryption algorithm (Enc, Dec) of the VD scheme with advantage $\varepsilon'$ which is a polynomial in $\varepsilon$.

To simulate Game Invisibility, $D_{\mathrm{Enc}}$ carries out simulations similar to those described in the proof of Lemma 1. $S$ sets the public key of nominee B to $pk_B = (f_B, \mathrm{Ver}^*, \mathrm{Enc})$ and private key to $sk_B = (f_B^{-1}, \mathrm{Sig}^*, \perp)$.

For a Confirmation/disavowal query with B as the nominee, although $D_{\mathrm{Enc}}$ does not have $\mathrm{Dec}_B$, $D_{\mathrm{Enc}}$ can carry out the confirmation/disavowal protocols as $D_{\mathrm{Enc}}$ is always the one who generates the queried nominative signature (regardless of its validity). This is because of the security of the underlying signature scheme. Since $D$ does not get access to $\mathrm{Sig}^*$, under the security of the signature scheme, the challenging nominative signature must have the third component generated by $D_{\mathrm{Enc}}$. In this case, it is also $D_{\mathrm{Enc}}$ who prepares the second component. Therefore, $D_{\mathrm{Enc}}$ can always carry out the confirmation/disavowal protocols.

For an OracleConvert query on input $(m, \sigma, pk_1, pk_2)$, $D_{\mathrm{Enc}}$ simulates it according to Convert but with one exception. If $pk_2 = pk_B$, that is, the nominee of the query is indicated as B, $D_{\mathrm{Enc}}$ does not know Dec. Similar to the above, it must be $D_{\mathrm{Enc}}$ who generates $\sigma$, due to the unforgeability of $\mathrm{Sig}^*$. The simulator maintains a list $L$ containing pairs of $(\sigma, r)$ where $R_B = g^r$, $r \in_R \mathbb{Z}_p$. When $D_{\mathrm{Enc}}$ receives a Convert query, it searches $L$ and locates the corresponding $r$. The output will then be $\sigma^{\mathrm{pub}} = (\sigma, r)$.
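The bookkeeping that lets D_Enc answer Convert queries without Dec, sketched as an added Python example (not code from the paper). The toy group, the placeholder ring-signature and standard-signature components, and the hash-based stand-in for the encryption oracle are assumptions for illustration; only the list L, the relation R_B = g^r and the output (σ, r) are taken from the proof.

```python
import hashlib
import secrets

# Constructed toy group, far too small for real use: g = 4 generates the
# subgroup of prime order 1019 (the proof's p) modulo the safe prime 2039.
MODULUS, P_ORDER, G = 2039, 1019, 4

def opaque_enc(r):
    """Assumed stand-in for the challenger's Enc_B oracle: randomized, and the
    simulator has no way to recover r from its output."""
    nonce = secrets.token_bytes(16)
    return hashlib.sha256(nonce + r.to_bytes(2, "big")).hexdigest()

class ConvertSimulator:
    """Plays D_Enc: holds only the encryption oracle, never Dec."""

    def __init__(self, enc_oracle):
        self.enc = enc_oracle
        self.L = {}  # the proof's list L, stored as sigma -> r

    def sign_transcript(self, m):
        r = secrets.randbelow(P_ORDER)           # r chosen at random from Z_p
        R_B = pow(G, r, MODULUS)                 # R_B = g^r
        ring = ("z-placeholder", "R_A-placeholder", R_B)
        sigma = (ring, self.enc(r), ("std-sig-placeholder", m))
        self.L[sigma] = r                        # record r when sigma is made
        return sigma

    def convert(self, sigma):
        """Answer a Convert query for nominee B by lookup in L."""
        r = self.L.get(sigma)
        if r is None:
            return None   # sigma was not generated by the simulator: abort
        return (sigma, r)                        # sigma_pub = (sigma, r)

def relation_holds(sigma_pub):
    """Check only the relation R_B = g^r on a converted signature."""
    (ring, _ct, _std), r = sigma_pub
    return pow(G, r, MODULUS) == ring[2]

if __name__ == "__main__":
    sim = ConvertSimulator(opaque_enc)
    sigma = sim.sign_transcript("constructed message")
    print(relation_holds(sim.convert(sigma)))
    foreign = (("z", "R_A", 4), "ct", ("sig", "constructed message"))
    print(sim.convert(foreign))
```

The `None` branch corresponds to a query on a signature the simulator did not produce, which the proof rules out by the unforgeability of Sig∗.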

At some point in the attacking phase, $D$ outputs a message $m^*$ and requests a challenge nominative signature $\sigma^*$ on $m^*$. Let $r_0$, $r_1$ selected by $D_{\mathrm{Enc}}$ be the challenge messages and $\mathrm{Enc}_B(r_b)$ for $b \in \{1,0\}$ is the return value of the encryption oracle for $D_{\mathrm{Enc}}$. The challenge $\sigma^*$ is generated based on the outcome of a hidden coin toss $b'$. If $b' = 1$, $\sigma^*$ is generated by running SigGen using $\mathrm{Enc}_B(r_b)$ and $r_1$. If $b' = 0$, $\sigma^*$ is generated by running SigGen using $\mathrm{Enc}_B(r_b)$ and $r_0$.

At the end of the simulation, there are two cases:

• If $b' = 0$, if $D$ outputs 0, then $D_{\mathrm{Enc}}$ outputs 0, otherwise $D_{\mathrm{Enc}}$ outputs 1.

• If $b' = 1$, if $D$ outputs 1, then $D_{\mathrm{Enc}}$ outputs 1 also, otherwise $D_{\mathrm{Enc}}$ outputs 0.

If $D$ has advantage $\varepsilon$, then $D_{\mathrm{Enc}}$ will have advantage $\varepsilon' = \varepsilon$. Similar to Lemma 1, the running time of $D_{\mathrm{Enc}}$ will be at most $t' = t + Qt_q + c$.

A.4 Proof of Theorem 3

Proof. By Theorem 1, the scheme is unforgeable with respect to Def. 1 if there exist a trapdoor one-way permutation and a standard signature scheme which is existentially unforgeable against chosen message attacks. In Game Nominee-only Conversion, adversary $C$ can corrupt A's private key but not B's private key. Hence if $C$ wins and outputs a triple $(m^*, \sigma^*, \tilde{\sigma}^{\mathrm{pub}})$ such that $\mathrm{valid} \leftarrow \mathrm{Ver}^{\mathrm{nominee}}(m^*, \sigma^*, pk_A, sk_B)$ and $\mathrm{valid} \leftarrow \mathrm{Ver}^{\mathrm{public}}(m^*, \tilde{\sigma}^{\mathrm{pub}}, pk_A, pk_B)$, $\sigma^*$ must be generated by the game simulator via a SignTranscript query rather than by $C$ with negligible exceptional probability. The game simulation is the same as that in the proof of Theorem 2.

We now show that if there exists a $(t, \varepsilon, Q)$-adversary $C$ in Game Nominee-Only conversion, then there exists a $(t', \varepsilon')$-distinguisher $D_{\mathrm{Enc}}$ which has advantage at least $\varepsilon' = \varepsilon$ to launch an adaptive chosen ciphertext attack to the underlying encryption scheme by running at most time $t' = t + Qt_q + c$ where $t_q$ is the maximum time for simulating one oracle query and $c$ denotes some constant time for system setup and key generation.

Let $r_0$, $r_1$ be the challenge messages selected by $D_{\mathrm{Enc}}$ and let $\mathrm{Enc}_B(r_b)$, for $b \in \{1,0\}$, be the return value of the encryption oracle. $D_{\mathrm{Enc}}$ randomly picks a query to SignTranscript and uses $r_i$ where $i \in_R \{1,0\}$ and $\mathrm{Enc}_B(r_b)$ for generating $\tilde{\sigma}$. Let $E$ be the event that $D_{\mathrm{Enc}}$ does not abort when $C$ outputs $(m^*, \sigma^*, \tilde{\sigma}^{\mathrm{pub}})$ where $\tilde{\sigma} = \sigma^*$. Obviously, $\Pr[E]$ is at least $1/Q$.

For event $E$, if the probability that $C$ wins in Game Nominee-only conversion is $\varepsilon$, $D_{\mathrm{Enc}}$ will win with probability $\frac{\varepsilon}{2}$. For event $\bar{E}$, the probability that $D_{\mathrm{Enc}}$ wins is $\frac{1}{2}$ only since $D_{\mathrm{Enc}}$ has to make the guess. Therefore, the probability that $D_{\mathrm{Enc}}$ wins is equal to $\Pr[E]\left(\frac{\varepsilon}{2}\right) + \Pr[\bar{E}]\frac{1}{2}$. Since $\Pr[E]$ is at least $1/Q$, the winning probability of $D_{\mathrm{Enc}}$ is at least $\frac{\varepsilon}{2Q} + \frac{1}{2}$. Similar to Lemma 2, the running time of $D_{\mathrm{Enc}}$ is at most $t + Qt_q + c$.
