Generic constructions for secure and efficient confirmer signature schemes

Michels, Markus; Stadler, M.

doi:10.1007/bfb0054142

Cited by 43 publications

(68 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This proposition can be proven by the confirmation signatures [Cha94,MS98]. The merchant M cannot accept an invalid pseudo e-coin except with negligible probability.…”

Section: Proposition 3 (Convertibility) If M Accepts the Pseudo E-cmentioning

confidence: 89%

“…Hence, without confirmer's help, the verifier would not be convinced that both discrete logarithms of a * and b * are equal. The indistinguishability of RCSS can also be proved by Decision-Diffie-Hellman assumption [MS98].…”

Section: Security Of Rcssmentioning

confidence: 99%

“…We also use a = g t mod p and b = y C t mod p, where y C denotes the confirmer's public key, to add the simulatability to the signature. In addition, we slightly modify the hinging method described in the scheme of [Cha94] and [MS98]. The following procedure demonstrates how to pre-determine a single verifier for a signer; however, it is easy to construct an extended scheme to multiple verifiers.…”

Section: Construction Of Rcssmentioning

confidence: 99%

See 2 more Smart Citations

Untraceable Fair Network Payment Protocols with Off-Line TTP

Wang

2003

Advances in Cryptology - ASIACRYPT 2003

View full text Add to dashboard Cite

Abstract. A fair network payment protocol plays an important role in electronic commerce. The fairness concept in payments can be illustrated as that two parties (e.g. customers and merchants) exchange the electronic items (e.g. electronic money and goods) with each other in a fair manner that no one can gain advantage over the other even if there are malicious actions during exchanging process. In the previous works of fair payments, the buyer is usually required to sign a purchase message which can be traced by everyone. The information about where the buyer spent the money and what he purchased would easily be revealed by this way. This paper employs two techniques of off-line untraceable cash and designated confirmer signatures to construct a new fair payment protocol, in which the untraceability (or privacy) property can be achieved. A Restrictive Confirmation Signature Scheme (RCSS) will be introduced and used in our protocol to prevent the interested persons except the off-line TTP (Trusted Third Party) from tracing the buyer's spending behavior.

show abstract

“…This proposition can be proven by the confirmation signatures [Cha94,MS98]. The merchant M cannot accept an invalid pseudo e-coin except with negligible probability.…”

Section: Proposition 3 (Convertibility) If M Accepts the Pseudo E-cmentioning

confidence: 89%

Section: Security Of Rcssmentioning

confidence: 99%

Section: Construction Of Rcssmentioning

confidence: 99%

See 1 more Smart Citation

Untraceable Fair Network Payment Protocols with Off-Line TTP

Wang

2003

Advances in Cryptology - ASIACRYPT 2003

View full text Add to dashboard Cite

show abstract

“…Gentry, Molnar, and Ramzan [13] considered another relaxation based on an observation originally made by Michels and Stadler [18]. Instead of computing a signature of the message directly, the signer computes a "confirmer commitment" of the message, and then sign the commitment.…”

Section: Previous Workmentioning

confidence: 99%

Designated Confirmer Signatures Revisited

Wikström

Theory of Cryptography

View full text Add to dashboard Cite

Abstract. Previous definitions of designated confirmer signatures in the literature are incomplete, and the proposed security definitions fail to capture key security properties, such as unforgeability against malicious confirmers and non-transferability. We propose new definitions.Previous schemes rely on the random oracle model or set-up assumptions, or are secure with respect to relaxed security definitions. We construct a practical scheme that is provably secure with respect to our security definition under the strong RSA-assumption, the decision composite residuosity assumption, and the decision Diffie-Hellman assumption.To achieve our results we introduce several new relaxations of standard notions. We expect these techniques to be useful in the construction and analysis of other efficient cryptographic schemes.

show abstract

“…Michels and Stadler, following Okamoto, adopt a definition that requires "invisibility" of designated confirmer signatures [26,21]; i.e., there exists a simulator who can create a "valid-looking" designated confirmer signature for any message m. Secondly, we must consider whether the Confirm and Disavow protocols are required to be zero-knowledge or instead may satisfy some weaker property. Previous definitions, such as those of Michels and Stadler, have included both these requirements [26]. Subsequent designated confirmer schemes were proposed by Camenisch and Michels [4], and by Camenisch and Shoup [6].…”

Section: Introductionmentioning

confidence: 99%

Efficient Designated Confirmer Signatures Without Random Oracles or General Zero-Knowledge Proofs

Gentry¹,

Molnár

Ramzan³

2005

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Most prior designated confirmer signature schemes either prove security in the random oracle model (ROM) or use general zeroknowledge proofs for NP statements (making them impractical). By slightly modifying the definition of designated confirmer signatures, Goldwasser and Waisbard presented an approach in which the Confirm and ConfirmedSign protocols could be implemented without appealing to general zero-knowledge proofs for NP statements (their Disavow protocol still requires them). The Goldwasser-Waisbard approach could be instantiated using Cramer-Shoup, GMR, or Gennaro-Halevi-Rabin signatures. In this paper, we provide an alternate generic transformation to convert any signature scheme into a designated confirmer signature scheme, without adding random oracles. Our key technique involves the use of a signature on a commitment and a separate encryption of the random string used for commitment. By adding this "layer of indirection," the underlying protocols in our schemes admit efficient instantiations (i.e., we can avoid appealing to general zero-knowledge proofs for NP statements) and furthermore the performance of these protocols is not tied to the choice of underlying signature scheme. We illustrate this using the CamenischShoup variation on Paillier's cryptosystem and Pedersen commitments. The confirm protocol in our resulting scheme requires 10 modular exponentiations (compared to 320 for Goldwasser-Waisbard) and our disavow protocol requires 41 modular exponentiations (compared to using a general zero-knowledge proof for Goldwasser-Waisbard). Previous schemes use the encryption of a signature paradigm, and thus run into problems when trying to implement the confirm and disavow protocols efficiently.

show abstract

Generic constructions for secure and efficient confirmer signature schemes

Cited by 43 publications

References 25 publications

Untraceable Fair Network Payment Protocols with Off-Line TTP

Untraceable Fair Network Payment Protocols with Off-Line TTP

Designated Confirmer Signatures Revisited

Efficient Designated Confirmer Signatures Without Random Oracles or General Zero-Knowledge Proofs

Contact Info

Product

Resources

About