Concurrent signature without random oracles

Theoretical Computer Science 562 (2015) 194–212

Contents lists available at ScienceDirect

Theoretical Computer Science www.elsevier.com/locate/tcs

Concurrent signature without random oracles Xiao Tan a,c,∗ , Qiong Huang b , Duncan S. Wong c a b c

School of Information Science and Engineering, Hangzhou Normal University, China College of Informatics, South China Agricultural University, China Department of Computer Science, City University of Hong Kong, Hong Kong

a r t i c l e

i n f o

Article history: Received 17 May 2014 Accepted 23 September 2014 Available online 30 September 2014 Communicated by G. Ausiello Keywords: Concurrent signature Fair exchange Ambiguity Anonymity Accountability Provable security Multi-user setting

a b s t r a c t A concurrent signature provides an efficient way to exchange digital signatures between parties in a fair manner. Since its introduction in Eurocrypt 2004, removing the random oracle heuristic in the security analysis of a concurrent signature scheme has become an open problem, and the security of all the existing provably secure schemes could have only been done in the random oracle model, while it has been known that the security in the random oracle model may not be guaranteed when the underlying random oracles are replaced by real-life hash functions. In this paper, we solve this open problem by proposing a new concurrent signature scheme, which allows us to prove its security without random oracles. The security model we consider in this paper also slightly differs from previous works. Signatures before revealing the keystone are strongly ambiguous (or anonymous) in the sense that everyone is able to produce signatures that are indistinguishable from those generated honestly by the parties involved in the exchange, while signatures after revealing the keystone remain unforgeable without sacrificing the fairness property. In the multi-user setting and without random oracles, we prove the security of our scheme based on the intractability of Computational Diffie–Hellman (CDH) problem and collision resistance of hash functions. © 2014 Elsevier B.V. All rights reserved.

1. Introduction Concurrent Signature, introduced by Chen, Kudla and Paterson [8], allows untrusted parties to exchange their digital signatures efficiently in a fair manner, that is, either allowing all the parties to get each other’s signatures simultaneously or letting none of them get any counterpart’s signature, in an all-or-nothing fashion. A concurrent signature scheme between two communicating parties, usually being referred to as an initial signer A with a public/private key pair (pk A , sk A ) and a matching signer B with (pk B , sk B ), is typically carried out interactively in the following three phases. (1) Keystone Generation Phase: A sets a secret k called keystone, then generates a keystone-fix f as a commitment of k, and sends f to B. (2) Ambiguous Signature Generation Phase: A generates an ambiguous signature σ A on a message m A with respect to the keystone-fix f , and sends σ A to B. σ A is generated in such a way that no one except B can tell whether σ A is indeed generated correctly by A under the reason that B himself did not generate σ A . After the verification of σ A , B then

*

Corresponding author. E-mail addresses: [email protected] (X. Tan), [email protected] (Q. Huang), [email protected] (D.S. Wong).

http://dx.doi.org/10.1016/j.tcs.2014.09.044 0304-3975/© 2014 Elsevier B.V. All rights reserved.

X. Tan et al. / Theoretical Computer Science 562 (2015) 194–212

195

generates his own ambiguous signature σ B on a message m B with respect to the same keystone-fix f and sends it back to A. (3) Signature Binding Phase: A reveals the keystone k after verifying σ B . The keystone k will bind the authorship of σ A (resp. σ B ) to A (resp. B) concurrently. An ambiguous signature together with the released keystone is referred to as a binding signature (e.g. (k, σ A ) or (k, σ B )). In the Signature Binding Phase, the concurrency of binding upon the reveal of keystone ensures that either both parties get each other’s binding signature, or neither of them does. Since the introduction of concurrent signature [8], it has been considered as a type of fair exchange protocols [13,15,2,18,16]. If we compare concurrent signature with other fair exchange solutions such as timed-release fair exchange [13,15], or optimistic fair exchange (OFE) [2,18,17], we will notice that concurrent signature usually achieves higher computational and communication efficiency, and does not rely on any trusted or semi-trusted third party for dispute resolution or assume computational balance between the parties. It is worth noticing that concurrent signature is not so-called abuse-free. For a typical concurrent signature interaction between an initial signer A and a matching signer B, A has the full control on when and whether to reveal the keystone k in the final Signature Binding Phase. This might give A certain extent of advantage over B in some applications [39]. However, in many other applications as initially proposed in [8], concurrent signature is a very useful tool for realizing fair exchange of signatures. For example, it can be applied for trading new artworks via e-market websites that benefit both art fans and emerging artists. Without loss of generality, suppose two customers X and Y intend to buy an original painting from the seller Z . The fairness should guarantee that both the customers can offer a price for the painting of their own will, and the seller is able to make a deal with the customer who offered a higher price. Then X (resp. Y ) can run a concurrent signature with Z and sign his/her offer as σ X (resp. σY ) independently. After receiving the ambiguous signatures from both X and Y , Z only completes the session with the party whose offer is better. In this application scenario, X and Y are competitors, so they have no motivation to show their own keystone to each other. Besides, Z can always get the keystone from the customer who gave the better offer, because the customer needs to use Z ’s binding signature (say (k, σ Z )) to take the painting from Z . 1.1. Motivation and contributions Since Chen et al. published their seminal paper in 2004 [8], there has been a number of concurrent signature schemes proposed [30,33,24,9,32,39,29,31]. Some work have the ambiguity model improved [30,24] and the fairness requirement further enhanced [33]. Some others focus on extending concurrent signature to multi-party setting [32,31] or identity-based setting [9], or balancing the capability of controlling the release of keystone between the initial signer and the matching signer [39], or evaluating the scenarios for which concurrent signature is free of abused usage [29]. On the security analysis, however, all of those schemes have their security shown under the random oracle assumption [4] only. It is known that the random oracle model is a heuristic methodology which assumes that all the involving parties have oracle access to some truly random functions. However in [6], Canetti et al. pointed out that the random oracle model is potentially having some structural imperfectness. They gave an example showing that a scheme secure in the random oracle model can become insecure if the underlying random oracles are replaced with some real-life hash functions in practice. As a result, for the security analysis of concurrent signature, it has been a well-known yet long-lasting open problem to construct a new concurrent signature scheme, and show its security without random oracles. Ambiguity is an important feature to achieve in many variants of signature schemes [7,38,21,37,19] as well as in concurrent signature. Though the current ambiguity model for concurrent signature [8,30] requires that the ambiguous signatures are non-self-authenticating [20,40] when the keystone is not revealed yet, the ambiguous signatures already leak the following information to the public: given an ambiguous signature σ A or σ B , anyone can tell that at least one of ( A, B) must have involved. Consider the following scenario: suppose X and Y form a coalition to sign a joint statement which is to be verified by a third party Z . For privacy, X and Y do not want to let Z tell whether X and/or Y have/has indeed got involved before the statement was concurrently signed by both of them via a concurrent signature scheme interaction. If X and Y terminate the signing protocol before the Signature Binding Phase, they should be able to disavow that any of them has ever involved in the signing of the statement even after their ambiguous signatures have been revealed to Z . The current ambiguity model available in the literature does not consider this scenario. In this paper, we will also focus on enhancing the ambiguity model in such a way that the model also captures the requirement that nothing about the authorship of ambiguous signatures would be revealed before the keystone is released. In particular, the ambiguous signature should be anonymous in the sense that anybody should have the capability of producing (indistinguishable) ambiguous signatures for any user. On the other hand, in order to preserve unforgeability and fairness, those ambiguous signatures produced by the public should be dummy ones that cannot be converted into valid binding signatures. Most of existing concurrent signature schemes allow A and B to generate multiple ambiguous signatures on different messages with respect to the same keystone-fix. For example, given a keystone-fix f , A can generate an ambiguous signature of either σ A on a message m A , or alternatively, σ A on another message mA . It may cause problems if the pair of exchanged binding signatures {(k, σ A ), (k, σ B )} are to be delivered by A or B for verification by a third party C . In particular, A can show {(k, σ A ), (k, σ B )} to C and convince C that A and B exchanged signatures on the messages mA and m B rather than m A and m B . In [22], Li et al. proposed a new notion called accountability for concurrent signature in order to solve

196


above issue. The idea is to let the keystone k bind to the pair of messages (m A , m B ) that are to be signed by A and B respectively. However, Li et al. only gave an informal description of the security requirement of accountability, but not a formal adversarial model. In this paper we make the following contributions:

• We propose a new ambiguity model which captures the property called anonymity. The model requires that the public is also able to produce ambiguous signatures that are indistinguishable from those generated by the initial signer A and the matching signer B. As outlined above, this new anonymity requirement can protect the privacy of both parties by endowing them the capability of disavowing their involvement. The trade-off for achieving such a strong sense of privacy is that our unforgeability model no longer preserves the unforgeability of ambiguous signature (which is mutually exclusive to anonymity), however, it still preserves the unforgeability of binding signature. This weaker form of unforgeability is sufficient for most of applications, because the target signatures to be exchanged are the binding signatures rather than the ambiguous signatures. • We introduce a novel paradigm of constructing concurrent signature schemes. Based on the paradigm, we propose a new and concrete concurrent signature scheme, and prove its security under our security model. The security model formalizes a set of adversarial games that not only cover unforgeability, ambiguity, fairness, but also captures the notion of accountability. To the best of our knowledge, the proposed scheme is the first concurrent signature of which the security does not rely on random oracle heuristic. 1.2. Our idea Conventional concurrent signature schemes [30,33,39] are mostly based on ring signatures [1]. The ambiguity of the schemes is inherited from the signer ambiguity of ring signature, while the security proof of unforgeability follows the forking lemma [25] which requires the random oracle assumption. In our construction, instead of generating the keystone-fix f in one single unified way, we allow the generation of the keystone-fix in two indistinguishable ways. That is, besides the algorithm KGen for generating normal keystone-fixes, we have another algorithm KSim which generates a fake (or simulated) keystone-fix which is indistinguishable from a normal one generated by KGen. The simulated keystone-fix can be used by any user to produce ambiguous signatures. It is noted that the KSim is constructed so that no one is able to recover a valid keystone from a simulated keystone-fix generated by KSim, for guarantee of that the ambiguous signatures with respect to a simulated keystone-fix cannot be converted into valid binding signatures. This new paradigm needs a strengthened ambiguity model which offers anonymity for the authorship of ambiguous signatures, and a slightly weakened unforgeability model in the sense that the matching signer B cannot identify the authorship of the received ambiguous signature σ A , because every user can simulate σ A using a simulated keystone-fix generated using KSim. However, we stress that this is a trade-off in security formalization, because the ambiguity model and the unforgeability model still integrate seamlessly so that only those ambiguous signatures generated by A and B can become binding signatures upon the releasing of the valid keystone by the initial signer A. Furthermore, the fairness model remains the same as the original model [8] in which the concurrency of binding (σ A becomes bound to A and σ B becomes bound to B simultaneously) is enforced once a valid keystone is revealed. 2. Definitions 2.1. Algorithms As outlined in Section 1, our definition for concurrent signatures is slightly different from previous formalization. In particular, we require that the Setup algorithm specifies an additional function KSim for simulating keystone-fixes, where KSim and the original keystone-fix generation algorithm KGen should map to the same space.1 Furthermore, KGen and KSim should take inputs of the keystone as well as the pair of messages to be signed by the two parties respectively, which is essential for achieving the feature of accountability. Formally, a concurrent signature scheme consists of the following four probabilistic polynomial time (PPT) algorithms. Setup(1κ ). The setup algorithm takes a security parameter κ ∈ N as input, and outputs a set of system parameters param including a message space M, a signature space S , a keystone space K, a keystone-fix space F , and specifies two distinct functions KGen, KSim: K × (M)2 → F as keystone-fix generation algorithm and keystone-fix simulation algorithm, respectively. It also outputs the key pairs {( pki , ski )} of all the users in the system. In the rest of this paper, we use ( pki , ski ) to represent the key pair of user i.

1

For simplicity, in Setup, we also require the two functions to use the same domain.


197

ASign(param, pki , pk j , f , mi , ski ). The ambiguous signature generation algorithm takes param, two public keys pki , pk j , a keystone-fix f ∈ F , a message mi ∈ M, and the corresponding private key ski of pki as inputs, and outputs an ambiguous signature σi = si , f , where si ∈ S . AVer(param, pki , pk j , σi , mi ). The ambiguous signature verification algorithm takes param, two public keys pki , pk j , an ambiguous signature σi , and a message mi ∈ M as inputs, and outputs 1 (accept) or 0 (reject). Ver(param, pki , pk j , k, σi , mi , m j ). The binding signature verification algorithm takes param, two public keys pki , pk j , a keystone k ∈ K, an ambiguous signature σi , and two messages mi , m j ∈ M as inputs, and outputs 1 (accept) or 0 (reject).

Remark. The keystone-fix simulation algorithm KSim allows the public to generate simulated/fake pairs of keystones/ keystone-fixes, which can then be used by anybody to produce simulated/fake ambiguous signatures which looks indistinguishable from the ambiguous signatures generated by honest parties. In other words, KSim is used in conjunction with an ambiguous signature simulation algorithm ASim defined as follows. We stress that ASim should be specified explicitly in a concrete scheme construction following our paradigm.2 ASim(param, pki , pk j , f , mi , k). The ambiguous signature simulation algorithm takes param, two public keys pki , pk j , a fake keystone k ∈ K and fake keystone-fix f ∈ F , a message mi ∈ M, and outputs an ambiguous signature σi .

Definition 1 (Correctness). The correctness of concurrent signature requires that for any param, pki , pk j output by Setup, and mi , m j ∈ M, k ←$ K, we have

σi ← ASign(param, pki , pk j , f , mi , ski ) where f ← KGen(k, mi , m j ) or f ← KGen(k, m j , mi ), then AVer(param, pki , pk j , σi , mi ) = 1, and Ver(param, pki , pk j , k, σi , mi , m j ) = 1; and 2. if σi ← ASim(param, pki , pk j , f , mi , k) where f ← KSim(k, mi , m j ) or f ← KSim(k, m j , mi ), then AVer(param, pki , pk j , σi , mi ) = 1, but Ver(param, pki , pk j , k, σi , mi , m j ) = 0. 1. if

2.2. Protocol Below are the formal description of the three phases (first mentioned in Section 1) in which the initial signer A and the matching signer B interact using the algorithms as defined above. (a) Keystone Generation Phase: A picks k ←$ K, computes f ← KGen(k, m A , m B ), sends f to B. (b) Ambiguous Signature Generation Phase: A generates and sends σ A ← ASign(param, pk A , pk B , f , m A , sk A ) to B. B checks if AVer(param, pk A , pk B , σ A , m A ) = 1. If so, B computes and sends back σ B ← ASign(param, pk B , pk A , f , m B , sk B ) to A. (c) Signature Binding Phase: A checks if AVer(param, pk B , pk A , σ B , m B ) = 1. If so, A sends k to B. The binding signatures (k, σ A ) and (k, σ B ) can then be verified by checking if Ver(param, pk A , pk B , k, σ A , m A , m B ) = 1 and Ver(param, pk B , pk A , k, σ B , m B , m A ) = 1. For saving the communication overhead, we can combine the transmission of f and σ A from A to B in a single round. So there are only three message flows between A and B in each session running. Notice that f is contained in σ A , so A can simply send σ A to B. In Table 1, we illustrate the similarities and differences in the formality of defining concurrent signature between the original one first proposed by Chen et al. [8] and the one we defined in this section. In the table, (a , b ) represents the simulation method for producing indistinguishable ambiguous signatures and the corresponding keystone-fix in phase (a) and phase (b) of the real execution of a concurrent signature protocol. 3. Security models We now formalize the security of concurrent signatures in terms of ambiguity, unforgeability, fairness and accountability in the multi-user setting.

2 In the recently published paper [31], a similar mechanism was proposed to enable generating indistinguishable ambiguous signatures without knowledge of either signer’s private key. The subtle difference from [31] is that our new paradigm achieves this goal by explicitly defining two indistinguishable ways of generating keystones/keystone-fixes.

198


Table 1 The real and simulated executions of concurrent signature. Phases

Original approach

Our approach

(a)

A: k ←$ K, f ← KGen(k) A → B: f

A: k ←$ K, f ← KGen(k, m A , m B ) A → B: f

(b)

A: σ A ← ASign( pk A , pk B , f , m A , sk A ) A → B: σ A B: σ B ← ASign( pk B , pk A , f , m B , sk B ) B → A: σ B

(c)

A → B: k

(a , b )

P : k ←$ K, f ← KGen(k) σ A ← ASign( pk A , pk B , f , m A , skP ) σ B ← ASign( pk B , pk A , f , m B , skP )

U : k ←$ K, f ← KSim(k, m A , m B ) σ A ← ASim( pk A , pk B , f , m A , k) σ B ← ASim( pk B , pk A , f , m B , k)

P ∈ { A , B } denotes the party of either A or B. U denotes any user in the system.

3.1. Ambiguity A secure concurrent signature scheme should prevent an adversary from telling if the entire transcript before the final Signature Binding Phase is generated honestly, or merely simulated by someone else in the system using KSim and ASim. The ambiguity game is defined as follows where a challenger C runs the game against an adversary A.

• Setup Phase:

On input a security parameter κ ∈ N, C runs Setup(1κ ) to produce param, key pairs {( pki , ski )} for all the users in the system, and the specification of KGen and KSim. C sends param, { pki } to A. • Query Phase: A can adaptively make queries to the following oracles. – KGenOracle. The keystone generation oracle takes input of two messages m1 , m2 ∈ M, picks k ←$ K and returns a keystone-fix f ← KGen(k, m1 , m2 ). – KSimOracle. The keystone simulation oracle takes input of two messages m1 , m2 ∈ M, picks k ←$ K and returns a simulated keystone-fix f ← KSim(k, m1 , m2 ). – KReleaseOracle. The keystone release oracle takes input of a keystone-fix f which was output by KGenOracle, returns the corresponding keystone k. – FKReleaseOracle. The fake/simulated keystone release oracle takes input of a keystone-fix f which was output by KSimOracle, returns the corresponding fake/simulated keystone k. – CorruptOracle. The corruption oracle takes a public key pki as input, returns the corresponding private key ski . – ASignOracle. The ambiguous signature generation oracle takes two public keys pki , pk j , a keystone-fix f ∈ F , a message mi ∈ M as input, returns σi ← ASign(param, pki , pk j , f , mi , ski ). – ASimOracle. The ambiguous signature generation oracle takes two public keys pki , pk j , a keystone-fix f ∈ F which is the output of a previous KSimOracle query, a message mi ∈ M as input, returns σi ← ASim(param, pki , pk j , f , mi , k) where k is the simulated keystone corresponding to f . We stress that it is unnecessary to provide an oracle for generating binding signatures, because any binding signature (k, σi ) can be produced using ASignOracle in conjunction with KGenOracle and KReleaseOracle. In particular, A can simply query KGenOracle to get a keystone-fix f and then use it together with ( pki , pk j , mi ) of arbitrary choice to query ASignOracle. The returned ambiguous signature can be converted to a binding signature by querying f to KReleaseOracle. • Challenge Phase: A sends to C two public keys pki ∗ , pk j∗ of user i ∗ and j ∗ , respectively, and two messages mi ∗ , m j∗ ∈ M. C tosses a random bit b ∈ {0, 1}, and performs the following computation. – If b = 0: Pick k∗ ←$ K and compute f ∗ ← KGen(k∗ , mi ∗ , m j ∗ ), σi ∗ = si ∗ , f ∗ ← ASign(param, pki ∗ , pk j ∗ , f ∗ , mi ∗ , ski ∗ ) and σ j∗ = s j∗ , f ∗ ← ASign(param, pk j∗ , pki∗ , f ∗ , m j∗ , sk j∗ ).


199

Table 2 Comparison of signer space of ambiguity models. Models

Signer space

Cardinality

AMB O [8] AMB P [30] AMB† (Section 3.1)

{( A , B ), ( A , A ), ( B , B )} {( A , B ), ( A , A ), ( B , B ), ( B , A )} {( A , B ), (U , U )}

3 4

Signer space refers to the possibility of signers given a pair of ambiguous signatures (σ A , refers to that A issued σ A and B issued σ B . U denotes any user in the system.

∞

σ B ), e.g. ( A, B)

– If b = 1: Pick k∗ ←$ K and compute f ∗ ← KSim(k∗ , mi ∗ , m j ∗ ), σi ∗ = si ∗ , f ∗ ← ASim(param, pki ∗ , pk j ∗ , f ∗ , mi ∗ , k∗ ) and σ j ∗ = s j ∗ , f ∗ ← ASim(param, pk j ∗ , pki ∗ , f ∗ , m j ∗ , k∗ ). Then C sends σi ∗ , σ j ∗ to A. • Output Phase: A continues querying the oracles and outputs a guessing b ∈ {0, 1}, under the restriction that A has never queried KReleaseOracle( f ∗ ) or FKReleaseOracle( f ∗ ). A wins the game if b = b. Definition 2 (Ambiguity). A concurrent signature scheme is said to be ( , t )-ambiguous if for any PPT adversary A which runs in time t and makes polynomially many queries to the oracles, its probability of winning the game above is no better than 1/2 + . Alternatively, we can define the information theoretical security of ambiguity in the sense that it holds unconditionally against any adversary. Definition 3 (Ambiguity ). A concurrent signature scheme is said to be unconditionally ambiguous if for any adversary A which has unbounded computational time and can makes arbitrary number of queries to the oracles, its probability of winning the game above is no better than 1/2. In the ambiguity game, A can query CorruptOracle to get the private key of any user in the system including user i ∗ and j ∗ , implying that the ambiguity holds even against insider adversaries and collusion attacks. In particular, it guarantees that even the matching signer B should not be able to distinguish whether f and σ A are produced by the initial signer A or simulated by someone else before the keystone is released. It is stressed that if the ambiguous signature is simulated by KSim and ASim, then the simulated keystone cannot be used for binding signatures, as guaranteed by the condition (2) of correctness (Definition 1). 3.1.1. Comparison with existing ambiguity models There are two ambiguity models for concurrent signatures in the literature. One is the original ambiguity model AMB O [8], the other one is called the perfect ambiguity model AMB P [30,33]. AMB P is already shown to be a stronger model than AMB O , in the sense that it is more difficult for an adversary to identify the authorship of an ambiguous signature before the keystone is released. Given a pair of ambiguous signatures (σ1 , σ2 ) on a keystone-fix f , AMB P captures the following four possibilities while AMB O only covers the first three: (1) σ1 is produced by A and σ2 is produced by B; (2) both σ1 and σ2 are produced by A; (3) both σ1 and σ2 are produced by B; and (4) σ1 is produced by B and σ2 is produced by A. As we can see, in these four possibilities, at least one of the corresponding parties ( A, B) must have been involved in the generation of ambiguous signatures. This leakage of information may also incur some concerns about the privacy of the parties as we explained in Section 1.1. In our ambiguity model AMB† , we resolve this concern by allowing anybody in the system to produce ambiguous signatures that are indistinguishable from those generated by honest parties. Obviously, Case (1), (2), and (3) above are already covered in AMB† , while Case (4) is not. Table 2 compares the cardinality of signer space among the existing ambiguity models. In 2005, Nguyen proposed a similar property related to anonymity for concurrent signatures [24]. It requires the ambiguous signatures to be indistinguishable from random elements in the signature space. In Appendix A, we show that Nguyen’s scheme does not preserve security in AMB† , which gives an evidence that the security under Nguyen’s model does not imply the security under our model. 3.2. Unforgeability As of conventional digital signature, for unforgeability in the context of concurrent signatures, we require that no PPT adversary A can forge a binding signature for any user i if A neither corrupted ski nor asked user i to generate an ambiguous signature directly leading to the target forgery. This definition implies that if A applied KSim and ASim to produce fake/simulated ambiguous signature, it is still infeasible for A to convert it into a binding signature.

200


Notice that this definition is slightly weaker than the original one [8], in which it additionally requires that A cannot forge an ambiguous signature corresponding to any user i or j if A does not know ski or sk j . Obviously, this additional requirement is mutually exclusive to the ambiguity model we defined which achieves anonymity and allows anybody in the system to produce indistinguishable yet simulated/fake ambiguous signature based on public information only. We stress that in practice, one does not need to concern about whether an ambiguous signature can be forged by a third party or not, because the primary goal of concurrent signature is to concurrently exchange the final binding signature which should be unforgeable. As we can see, there is a security trade-off between the unforgeability model and the ambiguity model under the new paradigm, while these two models still work together seamlessly. The unforgeability is defined in the following game between a challenger C and an adversary A.

• Setup Phase: The same as in the Setup Phase of the Ambiguity Game (Section 3.1).

• Query Phase:

The same as in the Query Phase of the Ambiguity Game, allowing the adversary A to adaptively make queries to all those oracles. • Output Phase: A outputs two public keys pki ∗ , pk j∗ , two messages mi ∗ , m j∗ ∈ M, a keystone k∗ ∈ K, a keystone-fix f ∗ ∈ F , and an ambiguous signature σi ∗ = si ∗ , f ∗ , and wins the game if both the following conditions hold: (1) Ver(param, pki ∗ , pk j ∗ , k∗ , σi ∗ , mi ∗ , m j ∗ ) = 1; (2) A has never queried CorruptOracle( pki ∗ ) or ASignOracle(pki ∗ , pk j ∗ , f ∗ , mi ∗ ). Definition 4 (Unforgeability). A concurrent signature scheme is said to be ( , t )-unforgeable if for any PPT adversary A which runs in time t and makes polynomially many queries to the oracles, its probability of winning in the game above is bounded by . 3.3. Fairness Concurrent binding is the key security requirement that leads towards fairness. There are two aspects in this security requirement: (1) Premature Binding: an adversary should not be able to compute a valid keystone k to make an ambiguous signature σi become binding. Only the initial signer A has the capability of revealing the keystone. (2) Concurrency of Binding: an adversary should not be able to generate two ambiguous signatures σi and σ j such that σi is bound to pki while σ j is not bound to pk j , after the keystone k is released. The fairness game is defined as follows, where a challenger C simulates the game against an adversary A.


• Query Phase:

The same as in the Query Phase of the Ambiguity Game, allowing the adversary A to adaptively make queries to all those oracles. • Output Phase: A generates and sends pki ∗ , pk j∗ , k∗ , mi ∗ , m j∗ , σi ∗ to C , where pki ∗ , pk j∗ are two public keys, k∗ ∈ K, mi ∗ , m j∗ ∈ M, and σi ∗ = si ∗ , f ∗ is an ambiguous signature in which si ∗ ∈ S , f ∗ ∈ F . A wins the game if either of the following conditions holds: (1) Ver(param, pki ∗ , pk j ∗ , k∗ , σi ∗ , mi ∗ , m j ∗ ) = 1 under the restriction that either f ∗ is returned by KGenOracle(mi ∗ , m j ∗ ) and A has never queried KReleaseOracle( f ∗ ), or f ∗ is returned by KSimOracle(mi ∗ , m j ∗ ); (2) A outputs another ambiguous signature σ j ∗ = s j ∗ , f ∗ on the same keystone-fix f ∗ satisfying AVer(param, pki ∗ , pk j ∗ , σi ∗ , mi ∗ ) = 1, AVer(param, pk j ∗ , pki ∗ , σ j ∗ , m j ∗ ) = 1, Ver(param, pki ∗ , pk j ∗ , k∗ , σi ∗ , mi ∗ , m j ∗ ) = 1, but Ver(param, pk j ∗ , pki ∗ , k∗ , σ j ∗ , m j ∗ , mi ∗ ) = 0. Definition 5 (Fairness). A concurrent signature scheme is said to be ( , t)-fair if for any PPT adversary A which runs in time t and makes polynomially many queries to the oracles, its probability of winning in the game above is bounded by . The winning condition (1) in the Fairness Game above ensures that an ambiguous signature becomes bound only if the keystone is released or compromised. The restrictions in condition (1) does not allow A from winning the game in an obvious way: A queries KGenOracle to get a keystone-fix f ∗ , and produces a forged ambiguous signature σi ∗ using ski ∗ , then binds σi ∗ to pki ∗ by querying f ∗ to KReleaseOracle and gets the corresponding k∗ . Notice that A is allowed to query f ∗ to FKReleaseOracle if f ∗ is returned by KSimOracle, so the fairness game captures attacks in which the adversary attempts to obtain a valid keystone from a fake/simulated keystone-fix. The winning condition (2) ensures that the binding of the signatures to their respective signers occurs concurrently.


201

3.4. Accountability Accountability for concurrent signature guarantees that it is infeasible to produce two binding signatures on different messages that are verified for the same keystone/keystone-fix and the same signer. In particular, the keystone/keystone-fix should uniquely determine the pair of messages to be signed by the two parties in the exchange. We formally define accountability by the following adversarial game between a challenger C and an adversary A.


• Query Phase:

The same as in the Query Phase of the Ambiguity Game, allowing the adversary A to adaptively make queries to all those oracles, and there is no restriction on the queries. • Output Phase: A outputs two public keys pki ∗ , pk j∗ , three messages mi ∗ ,0 , mi ∗ ,1 , m j∗ ∈ M where mi ∗ ,0 = mi ∗ ,1 , a keystone k∗ ∈ K, and two ambiguous signatures σi ∗ ,0 = si ∗ ,0 , f ∗ , σi ∗ ,1 = si ∗ ,1 , f ∗ ∈ S × F on the same keystone-fix f ∗ . We say A wins the game if both of the following conditions hold: (1) Ver(param, pki ∗ , pk j ∗ , k∗ , σi ∗ ,0 , mi ∗ ,0 , m j ∗ ) = 1 and; (2) Ver(param, pki ∗ , pk j ∗ , k∗ , σi ∗ ,1 , mi ∗ ,1 , m j ∗ ) = 1. Definition 6 (Accountability). A concurrent signature scheme is said to be ( , t)-accountable if for any PPT adversary A which runs in time t and makes polynomially many queries to the oracles, its probability of winning in the game above is bounded by . 4. The scheme: CS-w/o-RO In this section, we propose an efficient concurrent signature scheme, and prove its security under the games we defined in Section 3 without relying on the random oracle model. 4.1. Cryptographic tools and assumptions One component in our scheme is collision resistant hash function (Definition 7) which is a widely applied cryptographic tool. Definition 7 (Collision resistant hash function). We say that an extended hash function H : {0, 1}∗ → {0, 1}l is ( , t )-collision resistant, if no PPT machine can find a pair of distinct messages m1 = m2 such that H (m1 ) = H (m2 ) in time t and with probability greater than , where is a negligible function of the security parameter κ ∈ N. In particular, for any PPT adversary A, there exists a negligible function such that for any security parameter κ ∈ N:

Pr (m1 , m2 ) ← A 1κ , H : m1 = m2 ∧ H (m1 ) = H (m2 ) ≤ (κ ) A collision resistant hash function defined above can be constructed from a collision resistant compression function H : {0, 1}l+l → {0, 1}l (typically, l = l) using the Merkle–Damgard construction [23,11]. Though in the last decade few attacks were discovered against some compression functions such as MD5 and SHA1 [35,27,28,34], the SHA2 family and SHA3 (also known as Keccak [5]) are believed to be good candidates of compression function that preserves collision resistance to date. The security of the proposed scheme relies on the hardness of the Computational Diffie–Hellman (CDH) problem (Definition 8) and the Discrete Logarithm (DL) problem (Definition 9). Definition 8 (Computational Diffie–Hellman (CDH) assumption). Let G and G T be two cyclic groups of order q where |q| ≥ κ , and e : G × G → G T is an admissible bilinear map. The Computational Diffie–Hellman problem is that given q, G, G T , e, a generator g of G, and g a , g b ∈ G, compute g ab ∈ G. We say that ( , t )-CDH assumption holds in G if no PPT machine can solve this problem in time t and with probability at least . In particular, for any PPT adversary A, there exists a negligible function such that for any security parameter κ ∈ N:

Pr g ab ∈ G ← A 1κ , q, G, G T , e , g , A , B : A = g a , B = g b ≤ (κ ) Definition 9 (Discrete logarithm (DL) assumption). Let G and G T be two cyclic groups of order q where |q| ≥ κ , and e : G × G → G T is an admissible bilinear map. The Discrete Logarithm problem is that given q, G, G T , e, a generator g of G, and g a ∈ G, compute a ∈ Zq . We say that ( , t )-DL assumption holds in G if no PPT machine can solve this problem in time t and with probability at least . In particular, for any PPT adversary A, there exists a negligible function such that for any security parameter κ ∈ N:

Pr a ∈ Zq ← A 1κ , q, G, G T , e , g , A : A = g a ≤ (κ )

202


As CDH assumption implies DL assumption, so we can just say that the proposed scheme is secure under the CDH assumption and collision resistance of hash function. 4.2. Scheme specification We now describe our proposed concurrent signature scheme, denoted by CS-w/o-RO. Setup(1κ ). Choose an admissible bilinear map e : G × G → G T where G, G T are two multiplicative cyclic groups of prime order q where |q| ≥ κ , a random generator g of G, h1 , h2 ←$ G and two collision-resistant hash functions H : {0, 1}∗ → {0, 1}l , H : {0, 1}∗ → Zq where l ≥ κ . Set the message space M = {0, 1}∗ , the signature space S ∈ (G)2 , the keystone space K = Zq and the keystone-fix space F = G. On input a keystone k ←$ Zq and two messages mi , m j ∈ M, the keystone-fix generation algorithm KGen is defined as f = h1 h2 H (k|mi |m j ) ∈ G

and the keystone-fix simulation algorithm KSim is defined as

f = gk ∈ G Define param := (G, G T , e , g , h1 , h2 , H , H , M, S , K, F , KGen, KSim). Generate the key pair of user i as ski ←$ Zq , pki = (δi , u i , u i1 , u i2 , . . . , u il ), where δi = g ski and u i , u i1 , u i2 , · · ·, u il ←$ G. ASign(param, pki , pk j , f , mi , ski ). Pick r i ←$ Zq , compute

ηi = g r i , M i = H ( pki | pk j | f |mi ),

ζi = f

ski

ui

ri

u it

,

˜i t ∈M

˜ i is the set of indices t such that the string M i ’s t-th bit M i [t ] = 1, and output where M AVer(param, pki , pk j , σi , mi ). Compute M i = H ( pki | pk j | f |mi ), and output 1 if the following equation holds:

e ( g , ζi ) = e (δi , f )e

ηi , u i

u it .

˜i t ∈M

Otherwise, output 0. Ver(param, pki , pk j , k, σi , mi , m j ). Output 1 if both the conditions below hold: (1) f = h1 h2 H (k|mi |m j ) or f = h1 h2 H (k|m j |mi ) . (2) AVer(param, pki , pk j , σi , mi ) = 1. Otherwise, output 0. The following is the ambiguous signature simulation algorithm ASim. ASim(param, pki , pk j , f , mi , k). Pick r i ←$ Zq , compute

ηi = g r i , M i = H ( pki | pk j | f |mi ),

ζi = δi

k

ui

ri

u it

˜i t ∈M

and output

σi = (ζi , ηi ), f .

,

σi = (ζi , ηi ), f .


203

4.3. Security analysis We start the security analysis with a high-level overview first. For unforgeability, we notice that an adversary cannot compute (k∗ , σi ∗ ) if neither ski ∗ nor the logarithm of h1 , h2 to base g is known, and the latter one is due to the hardness of the CDH problem. For ambiguity, we can see that f ∗ can be produced in either one of two indistinguishable ways by KGen or KSim, and σi ∗ , σ j ∗ produced by ASim using a simulated/fake keystone are also indistinguishable from those produced by ASign using ski ∗ and sk j ∗ . For fairness, we have both σi ∗ and σ j ∗ being produced on the same keystone k∗ , which leads to concurrent binding of the ambiguous signatures once after k∗ is released, and the DL assumption in G ensures that it is infeasible to compute k∗ from f ∗ . For accountability, we have the keystone-fix f ∗ generated as the hashing of k∗ with the pair of messages (mi ∗ , m j ∗ ) to be signed, such that the collision resistance of the hash function guarantees this property straightforwardly. Below we give the formal proofs of the proposed concurrent signature scheme CS-w/o-RO with respect to correctness (Definition 1), ambiguity (Definition 3), unforgeability (Definition 4), fairness (Definition 5) and accountability (Definition 6). 4.3.1. Proof for correctness Theorem 1. The proposed concurrent signature scheme CS-w/o-RO is correct.

σi = (ζi , ηi ), f produced by ASign on input of (pki , pk j , f , mi ), we have: ri

Proof. For an ambiguous signature

e ( g , ζi ) = e g , f ski u i

u it

˜i t ∈M

= e g ski , f e g ri , u i u it ˜i t ∈M

= e (δi , f )e ηi , u i

u it

˜i t ∈M

So it can pass the verification of AVer. Moreover, as f ← KGen(k, mi , m j ) or f ← KGen(k, m j , mi ), we have f =

h1 h2 H (k|mi |m j ) or f = h1 h2 H (k|m j |mi ) , hence it is also a valid binding signature. If σi is simulated by KSim and ASim on the same input, we have:

e ( g , ζi ) = e g , δi

k

ui

ri

u it

˜i t ∈M

= e g k , δi e g ri , u i u it

= e (δi , f )e ηi , u i

˜i t ∈M

u it

˜i t ∈M

So it can also pass the verification of AVer. Moreover, no matter f ← KSim(k, mi , m j ) or f ← KSim(k, m j , mi ), we have f = g k which equals to neither h1 h2 H (k|mi |m j ) nor h1 h2 H (k|mi |m j ) , thus it can not serve as a binding signature in this case.

2

4.3.2. Proof for ambiguity Theorem 2. The proposed concurrent signature scheme CS-w/o-RO is unconditionally ambiguous. Proof. We prove that the ambiguity of our scheme holds against an adversary A with unlimited computation power and time, say A can make an arbitrary number of queries to the oracles given in the ambiguity game, provided that A does not query f ∗ to KReleaseOracle or FKReleaseOracle, where σi ∗ , σ j ∗ = si ∗ , f ∗ , s j ∗ , f ∗ is the challenge output by C . In particular, we show that σi ∗ , σ j ∗ leaks no information about by which case this transcript is generated, because in either of the two cases (b = 0 or b = 1), C can produce exactly the same challenge. Let ski ∗ and sk j ∗ be the private keys corresponding to pki ∗ and pk j ∗ , and let kfake = log g f ∗ indicating that f ∗ ← KSim(kfake , mi ∗ , m j ∗ ). Then we verify the consistency of si ∗ = (ζi ∗ , ηi ∗ ) with both ski ∗ and kfake . Since AVer(param, pki ∗ , pk j ∗ , σi ∗ , mi ∗ ) = 1, we have:

204


e ( g , ζi ∗ ) = e δi ∗ , f

∗

ηi ∗ , u i ∗

e

u i∗t

˜ i∗ t ∈M

= e g ski∗ , f ∗ e ηi ∗ , u i ∗ u i∗t

˜ i∗ t ∈M

= e δi ∗ , g kfake e ηi ∗ , u i ∗ u i∗t ˜ i∗ t ∈M

Denote r i ∗ = log g ηi ∗ , we have

ri∗ ri∗ ζi ∗ = f ski∗ u i ∗ u i∗t = δik∗fake u i ∗ u i∗t ˜ i∗ t ∈M

˜ i∗ t ∈M

This implies that σi ∗ could be generated either by ASign using ski ∗ , or by ASim using kfake . Similarly, we can verify the consistency of σ j ∗ with both sk j ∗ and kfake , implying that σ j ∗ could be either generated by ASign using sk j ∗ , or by ASim using kfake . Therefore, any challenge σi ∗ , σ j ∗ could be viewed as the output either by ASign or by ASim. That is, the challenge has the identical distribution independent from the bit b tossed by C . So the probability for any adversary A to output b = b is no better than 1/2, even if A has unlimited computation power and time. In other words, the proposed concurrent signature scheme achieves ambiguity unconditionally. 2 4.3.3. Proof for unforgeability Theorem 3. The proposed concurrent signature scheme CS-w/o-RO is ( , t )-unforgeable, if ( , t )-Computational Diffie Hellman (CDH) assumption holds in G, and H is (ˆ , t )-collision resistant hash function:

≥

(1 − ˆ ) 4q s (l + 1)u

t ≤ t + O

,

qk + q s (l + 2) + q f s (l + 1) tm + (u + 2l + qk + q f k + 4q s + 3q f s )t e ,

where u = u (κ ) denotes the number of users in the system, tm and t e denote the time needed for one multiplication and one exponentiation on G respectively, qk , q f k , q s , q f s denote the number of queries made to KGenOracle, KSimOracle, ASignOracle and ASimOracle respectively. Proof. We construct a PPT algorithm C that simulates the oracles in the unforgeability game, and produces a valid solution to a CDH instance if there exists an ( , t )-adversary A which successfully outputs a forgery. Let the CDH instance be (q, G, G T , e, g, A = g a , B = g b ) where g , A , B ∈ G of order q and e : G × G → G T is an admissible bilinear map. Setup: C sets h1 = g τ where τ ←$ Zq , h2 = A. The other parameters in param are generated in the same way as in Setup algorithm. Let n = 2q s such that n(l + 1) < q. C guesses a value 1 ≤ î ≤ u that A will forge the concurrent signature of user i ∗ = î. For 1 ≤ i ≤ u where i = î, C follows Setup algorithm to produce key pairs {( pki , ski )} for all the users except user î. To generate user î’s public key, C performs the following computations 1. Pick μ , μ1 , μ2 , . . . , μl , ν , ν1 , ν2 , . . . , νl ←$ Zn and w ←$ Zl . 2. Set u ˆ = B −nw +μ g ν , and u ît = B μt g νt for 1 ≤ t ≤ l. i

3. Set pkî = ( B , u ˆ , . . . , u ît ). i

Then C sends param and { pki } for 1 ≤ i ≤ u to A, and keeps {sk j } for 1 ≤ j ≤ u, j = î for answering queries to CorruptOracle later. ˜ is the set of indices t such that M [t ] = 1 Besides, C defines the following functions where M

J ( M ) = μ +

μt − nw ,

˜ t ∈M

L(M ) = ν +

νt .

˜ t ∈M

We have

u ˆ i

u ît = B J ( M ) g L ( M ) .

˜ t ∈M

Query: C initiates two empty lists T k and T f k for recording pairs of keystone/keystone-fix generated by KGenOracle and KSimOracle respectively, and answers the oracle queries as follows:


205

• KGenOracle: On each keystone generation query of two messages m1 , m2 ∈ M, C runs f ← KGen(k, m1 , m2 ) where k ←$ Zq , inserts (k, f ) into T k , then returns f . • KSimOracle: On each keystone simulation query of two messages m1 , m2 ∈ M, C runs f ← KSim(k , m1 , m2 ) where k ←$ Zq , inserts (k , f ) into T f k , then returns f . • KReleaseOracle: For the queried keystone-fix f , C returns k if there is an entry (k, f ) in T f , otherwise C returns ⊥ to indicate that the input is invalid.

• FKReleaseOracle: For the queried keystone-fix f , C returns k if there is an entry (k , f ) in T f k , otherwise C returns ⊥ to indicate that the input is invalid. • CorruptOracle: If the corrupted public key pki = pkî , C returns the corresponding ski which is produced in Setup phase. Otherwise, C aborts. • ASignOracle: For a query ( pki , pk j , f , mi ), if pki = pkî , C runs σi ← ASign(param, pki , pk j , f , mi , ski ) using ski , and returns σi . Otherwise pki = pkî , then C performs the following computations: 1. Compute M î = H ( pki | pk j | f |mi ). 2. If J ( M î ) = 0 mod q, randomly pick rî ∈ Zq , compute:

rˆ i ζî = f − L ( Mî )/ J ( Mî ) u ˆ u ît i

˜ˆ t ∈M i

ηî = f −1/ J (Mî ) g rî and return σî = (ζî , ηî ), f . 3. If J ( M î ) = 0 mod q, C simply aborts. The simulation is perfect for generating the ambiguous signatures under pkî :

ζî = f

− L ( M î )/ J ( M î )

u ˆ i

rˆ i

u ît

˜ˆ t ∈M i

−(τ +ak H )/ J ( Mˆ ) J ( M ) L ( M ) rˆ i = B τ +ak H · B J ( Mî ) g L ( Mî ) · B î g î i r −(τ +ak H )/ J ( Mˆ ) i = f b B J ( Mî ) g L ( Mî ) î r˜ˆ i = f b u ˆ u ît

i

˜ˆ t ∈M i

ηî = f −1/ J (Mî ) g rî = g rî −(τ +ak H )/ J (Mî ) = g r˜i f where we denote k H = logh2 ( h ) (i.e. f = h1 h2 k H = g τ +ak H ) and r˜i = rî − (τ + ak H )/ J ( M î ).

1

As n(l + 1) < q, we have 0 ≤ nw < q and 0 ≤ μ + t ∈ M˜ μt < q. So if J ( M î ) = 0 mod q then it will be true that J ( M î ) = 0 mod n, or equivalently, J ( M î ) = 0 mod n implies J ( M î ) = 0 mod q. Hence we can say that when J ( M î ) = 0 mod n, the simulation for ASignOracle will success without abort. • ASimOracle: For a query ( pki , pk j , f , mi ), if there is an entry (k , f ) in T f k , C runs σi ← ASim(param, pki , pk j , f , mi , k ) and returns σi . Otherwise C returns ⊥ to indicate that the input is invalid. Output: Suppose the forged concurrent signature output by A is σi ∗ = (ζi ∗ , ηi ∗ ), f ∗ } on ( pki ∗ , pk j ∗ , k∗ , mi ∗ , m j ∗ ). When pki ∗ = pkî and J ( M i ∗ ) = 0 mod q where M i ∗ = H ( pki ∗ | pk j ∗ | f ∗ |mi ∗ ), C can solve the CDH instance by computing g ab as:

ζi ∗ L (M i∗ )

B τ ηi ∗

k∗ −1 H

=

B τ +ak∗H (u î

∗ −1 u i ∗ t )ri∗ k H

B τ ( g ri∗ )L ( M i∗ )

=

˜ i∗ t ∈M

B

ak∗

( g L ( M i∗ ) )ri∗ r ( g i∗ )L (M i∗ ) H

k∗ −1 H

= B a = g ab where k∗H = H (k∗ |mi ∗ |m j ∗ ). Otherwise, C aborts when pki ∗ = pkî or J ( M i ∗ ) = 0 mod q.

Now we analyze the probability that C outputs g ab without abort. In particular, if all the four events below happen, C will success in the simulation:

206

• • • •


P ∗ : J ( M i ∗ ) = 0 mod q; P î : for any (pkî , pk j , f , mî ) queried to ASignOracle, J ( M î ) = 0 mod n where M î = H ( pkî | pk j | f |mî ); Q ∗ : pki ∗ = pkî ; Q i : for any pki queried to CorruptOracle, pki = pkî .

Therefore, the probability that C does not abort in the game is

Pr[¬Abort] ≥ Pr P ∗ ∧ P î ∧ Q ∗ ∧ Q i

(1)

Notice that P ∗ ∧ P î and Q ∗ ∧ Q i are independent events. Below we separately analyze the probabilities that either of these two events happens. First, it is easy to see that if the event P ∗ ∧ P î happens, then M î = M i ∗ . Otherwise, we have J ( M î ) = J ( M i ∗ ) = 0 mod q which implies J ( M î ) = 0 mod n, resulting in a contradiction. In particular, Pr[ P ∗ ∧ P î ∧ M i ∗ = M î ] = 0. Let X 1 = pki ∗ | pk j ∗ | f ∗ |mi ∗ , and X 2 = pkî | pk j | f |mî in the event P î , then M i ∗ = H ( X 1 ) and M î = H ( X 2 ). As the adversary is forbidden from querying ( pki ∗ , pk j ∗ , f ∗ , mi ∗ ) to ASignOracle, we have X 1 = X 2 . So if the event M i ∗ = M î happens, then we have successfully found a collision ( X 1 , X 2 ) of the hash function H . Assuming H is (ˆ , t )-collision resistant, we have Pr[ M i ∗ = M î ] ≤ ˆ , and thus

Pr P ∗ ∧ P î = Pr P ∗ ∧ P î ∧ M i ∗ = M î + Pr P ∗ ∧ P î ∧ M i ∗ = M î

= Pr P ∗ ∧ P î ∧ M i ∗ = M î = Pr[ M i ∗ = M î ]Pr P ∗ ∧ P î | M i ∗ = M î ≥ (1 − ˆ )Pr P ∗ ∧ P î | M i ∗ = M î

(2)

When M i ∗ = M î , the event ¬ P î : J ( M î ) = 0 mod n is independent from P ∗ , thus Pr[¬ P î |( P ∗ ∧ M i ∗ = M î )] = qm /n ≤ q s /n. And as J ( M i ∗ ) = 0 mod q implies J ( M i ∗ ) = 0 mod n, we have

Pr P ∗ ∧ P î M i ∗ = M î

= Pr P ∗ M i ∗ = M î Pr P î P ∗ ∧ M i ∗ = M î = Pr J ( M i ∗ ) = 0 mod q 1 − Pr ¬ P î P ∗ ∧ M i ∗ = M î qs ≥ Pr J ( M i ∗ ) = 0 mod q ∧ J ( M i ∗ ) = 0 mod n 1 − = 1−

qs n

n

Pr J ( M i ∗ ) = 0 mod n Pr J ( M i ∗ ) = 0 mod q J ( M i ∗ ) = 0 mod n

qs 1 ≥ 1− · · n

n

1 l+1

=

1

(3)

4q s (l + 1)

As it is restricted to query the target public key pki ∗ to CorruptOracle, the event ¬ Q i : pki = pkî could never happen when Q ∗ happens, so Pr[¬ Q i | Q ∗ ] = 0. And we have

Pr Q ∗ ∧ Q i = Pr Q ∗ Pr Q i Q ∗

= Pr[ pki ∗ = pkî ] 1 − Pr ¬ Q i Q ∗ 1 1 ≥ 1 − Pr ¬ Q i Q ∗ = u

(4)

u

Combining the results above, we have

Pr[¬Abort] ≥ Pr P ∗ ∧ P î Pr Q ∗ ∧ Q i

≥

1 − ˆ 4q s (l + 1)u (1−ˆ )

Hence C solves the CDH instance with probability at least 4q (l+1)u if an ( , t )-adversary A outputs a forgery. In the simus lation, it requires approximately u + 2l exponentiations for producing the key pairs in the Setup Phase, one multiplication and one exponentiation for each KGenOracle query, one exponentiation for each KSimOracle query, l + 2 multiplications and four exponentiations for each ASignOracle query, l + 1 multiplications and three exponentiations for each ASimOracle query. Therefore, the running time of C is about t + O ((qk + q s (l + 2) + q f s (l + 1))tm + (u + 2l + qk + q f k + 4q s + 3q f s )t e ). 2


207

4.3.4. Proof for fairness Theorem 4. The proposed concurrent signature scheme CS-w/o-RO is ( , t )-fair, if ( , t )-Discrete Logarithm (DL) assumption holds in G:

≥

qf

,

t ≤ t + O

qk + (q s + q f s )(l + 1) tm + (qk + q f k + 3q s + 3q f s )t e ,

where tm and t e denote the time needed for one multiplication and one exponentiation on G respectively, qk , q f k , q s , q f s denote the number of queries made to KGenOracle, KSimOracle, ASignOracle and ASimOracle respectively. Proof. Suppose there exists a PPT adversary A which ( , t )-breaks the fairness of the proposed scheme, then it wins the game either through condition (1) or condition (2). We analyze these two cases as follows.

• Case 1: If A wins by condition (1) via producing a valid keystone that causes Premature Binding, we construct a PPT algorithm C as below, who plays the fairness game with A and outputs a solution given a DL instance (q, G, G T , e , g , A = g a ). Setup: C sets h1 = A, h2 = g τ where τ ←$ Zq , follows the Setup algorithm to generate the other parameters in param and produce key pairs for all the users, and forwards (param, { pki }) to A. Query: At the beginning of this phase, C guesses a value 1 ≤ z ≤ q f , initiates two empty lists T f , T f k and a counter c = 0. Then it answers the oracle queries as follows. – KGenOracle: On each keystone generation query of a message mi ∈ M and a party index i ∈ {1, . . . , n}, C increments c = c + 1. If c = z, C runs f c ← KGen(k, m1 , m2 ) where kc ←$ Zq , inserts (kc , f c ) into T f , then returns f c . If c = z, C picks ←$ Zq , sets f z = g , and outputs f z . – KSimOracle: On each keystone simulation query of two messages m1 , m2 ∈ M, C runs f ← KSim(k , m1 , m2 ) where k ←$ Zq , inserts (k , f ) into T f k , then returns f . – KReleaseOracle: If the queried keystone-fix f = f z , C returns k if there is an entry (k, f ) in T f , otherwise returns ⊥. C aborts if f = f z . – FKReleaseOracle: For the queried keystone-fix f , C returns k if there is an entry (k , f ) in T f k , otherwise C returns ⊥. – CorruptOracle: On a corrupt query of a public key pki , C returns the corresponding ski which is produced in Setup phase. – ASignOracle: For a query ( pki , pk j , f , mi ), C runs σi ← ASign(param, pki , pk j , f , mi , ski ) and returns σi . – ASimOracle: For a query ( pki , pk j , f , mi ), if there is an entry (k , f ) in T f k , C runs σi ← ASim(param, pki , pk j , f , mi , k ) and returns σi . Otherwise C returns ⊥ to indicate that the input is invalid. Output: A outputs a binding signature (k∗ , σi ∗ = si ∗ , f ∗ ) on (pki ∗ , pk j ∗ , mi ∗ , m j ∗ ) after making a set of queries

∗

∗

adaptively. Then either f ∗ = h1 h2 H (k |mi∗ |m j∗ ) or f ∗ = h1 h2 H (k |m j∗ |mi∗ ) holds. Without loss of generality, we assume ∗ k∗ f ∗ = h1 h2 H (k |mi∗ |m j∗ ) holds, and let k∗H = H (k∗ |mi ∗ |m j ∗ ) so that f ∗ = h1 h2 H . Otherwise, we let k∗H = H (k∗ |m j ∗ |mi ∗ ). Then C follows the steps below: k∗ a+τ k∗ H . 1. If f ∗ was output by KSimOracle, then there must be an entry (k , f ∗ ) in T f k , such that f ∗ = g k = h1 h2 H = g So C outputs a = k − τ k∗H and halts. k∗

a+τ k∗

H . So 2. Otherwise, f ∗ must be output by KGenOracle. If f ∗ = f z , C aborts; if f ∗ = f z , then f ∗ = g = h1 h2 H = g ∗ C outputs a = − τ k H . The above two cases refer to that f ∗ is returned by KSimOracle, and by KGenOracle, respectively. To analyze the success probability of C , we first define the following events: – P ∗ : there exists an entry (k , f ∗ ) in T f k . – Q ∗: f ∗ = f z. – Q i : for any f i queried to KReleaseOracle, f i = f z . C will complete the simulation without abort when either event P ∗ or event Q ∗ ∧ Q i occurs. Since it is not allowed to query f z to KReleaseOracle when f z = f ∗ , we have Pr[¬ Q i | Q ∗ ] = 0. Thus the success probability of C is:

Pr[¬Abort] = Pr P ∗ ∨ Q i ∧ Q ∗

≥ Pr Q i ∧ Q ∗ = Pr Q ∗ Pr Q i Q ∗ = Pr f ∗ = f z 1 − Pr ¬ Q i Q ∗ ≥

1 qf

(5)

In the simulation, for each query to KGenOracle, it requires one exponentiation plus one multiplication when c = z and one exponentiation when c = z. One exponentiation is needed for each query to KSimOracle. l + 1 multiplications and

208


three exponentiations are needed for each ASignOracle query and each ASimOracle query respectively. Therefore, the estimated time complexity of the simulation is t = t + O ((qk + (q s + q f s )(l + 1))tm + (qk + q f k + 3q s + 3q f s )t e ). • Case 2: Otherwise, A breaks the Concurrency of Binding property by the winning condition (2). Since Ver(param, k∗ pki ∗ , pk j ∗ , k∗ , σi ∗ , mi ∗ , m j ∗ ) = 1, we have f ∗ = h1 h2 H where k∗H = H (k∗ |mi ∗ |m j ∗ ) or H (k∗ |m j ∗ |mi ∗ ). Besides, we have AVer(param, pk j ∗ , pki ∗ , σ j ∗ , m∗ ) = 1, so Ver(param, pk j ∗ , pki ∗ , k∗ , σ j ∗ , m∗ ) = 1, according to the construction of the algorithm Ver in Section 4.2. Hence this case never happens in this proposed scheme. Combining the results in Case 1 and Case 2, the theorem follows.

2

4.3.5. Proof for accountability Theorem 5. The proposed concurrent signature scheme CS-w/o-RO is ( , t )-accountable, if H is ( , t )-collision resistant hash function:

≥ ,

t ≤ t + O

qk + (q s + q f s )(l + 1) tm + (qk + q f k + 3q s + 3q f s )t e ,

where tm and t e denote the time needed for one multiplication and one exponentiation on G respectively, qk , q f k , q s , q f s denote the number of queries made to KGenOracle, KSimOracle, ASignOracle and ASimOracle respectively. Proof. Suppose there exists a PPT adversary A which ( , t )-breaks the accountability of the proposed scheme, then we construct an adversary C as below, who plays the accountability game with A and outputs a pair of collisions ( X , X ) for the hash function H . Setup: C follows the Setup algorithm to generate the parameters in param and produce key pairs for the users, and forwards (param, { pki }) to A. Query: C initiates two empty lists T f , T f k and answers the oracle queries as follows.

• KGenOracle: On each keystone generation query of two messages m1 , m2 ∈ M, C runs f ← KGen(k, m1 , m2 ) where k ←$ Zq , inserts (k, f ) into T f , then returns f . • KSimOracle, KReleaseOracle, FKReleaseOracle, CorruptOracle, ASignOracle, ASimOracle: C answers the queries to these oracles in the same way as in the proof of Theorem 4. Output: And within time t and probability , A outputs pki ∗ , pk j ∗ , mi ∗ ,0 , mi ∗ ,1 , m j ∗ , k∗ , σi ∗ ,0 , σi ∗ ,1 such that σi ∗ ,0 = si ∗ ,0 , f ∗ and σi ∗ ,1 = si ∗ ,1 , f ∗ are valid binding signatures for mi ∗ ,0 and mi ∗ ,1 respectively. So either of the following equation holds:

(1) f ∗ = H k∗ |mi ∗ ,0 |m j ∗ = H k∗ |mi ∗ ,1 |m j ∗ (2) f ∗ = H k∗ |mi ∗ ,0 |m j ∗ = H k∗ |m j ∗ |mi ∗ ,1 (3) f ∗ = H k∗ |m j ∗ |mi ∗ ,0 = H k∗ |mi ∗ ,1 |m j ∗ (4) f ∗ = H k∗ |m j ∗ |mi ∗ ,0 = H k∗ |m j ∗ |mi ∗ ,1 Without loss of generality, we assume that the two messages in the concatenated strings k∗ | · | · are divided by a symbol which is not in the message alphabet. Therefore, in either of above equation, the two strings hashed by H are not equal because mi ∗ ,0 = mi ∗ ,1 . As one of above four equations must hold, C can always find a pair of different strings that are hashed to the same f ∗ . For example, if Eq. (1) holds, then C sets X = k∗ |mi ∗ ,0 |m j ∗ and X = k∗ |mi ∗ ,1 |m j ∗ , and outputs ( X , X ) as a collision for H . The probability of C successfully finding a collision is the same as that of A winning the accountability game. In the simulation, it requires one multiplication and one exponentiation for each KGenOracle query, one exponentiation for each KSimOracle query, l + 1 multiplications and three exponentiations are needed for each ASignOracle query and each ASimOracle query respectively. Therefore, the running time of C is about t + O ((qk + (q s + q f s )(l + 1))tm + (qk + q f k + 3q s + 3q f s )t e ). 2 5. Performance and discussions 5.1. Performance comparison Table 3 shows the performance of our proposed concurrent signature scheme when compared with previous works. In the table, “E” denotes the operation of one exponentiation on a cyclic group, “M” denotes the operation of one scalar multiplication on an elliptic curve, and “P” denotes the operation of one pairing on a bilinear map. The three operations dominate


209

Table 3 Performance comparison. Schemes

Signature generation

Verification

Signature size

Keystone fix size

CS [8] iPCS1 [33] iPCS2 [33] ACS [24]* CS-FNBC [39] Ours

2E 2E 2P + 2E 2E 3E 3M

3E 4E 4P + 4E 3E 4E 3P

3|q| 3|q| 3|q|

|q| 2|q| 2|q|

|G| + |q|

3|q| 2|G|

|G| |G| + |q| 2|G|

* [24] defines two signing algorithms for the initial signer and the matching signer respectively, and the table shows the signature size of the initial signer. The signature size of the matching signer is |G| + 2|q|.

the computational cost of the schemes, so for the purpose of conciseness, here we do not take into account some other operations such as hashing, point addition on an elliptic curve or logical operations on binary strings. “Signature Generation” shows the computational complexity of the initial signer in the Ambiguous Signature Generation Phase, while “Verification” shows the cost of verifying an ambiguous signature received from the counterpart. As we can see, the proposed concurrent signature scheme has comparable computational complexity as existing schemes, and it is more efficient than another scheme iPCS2 [33] which is also based on bilinear pairing. 5.2. Discussion about well-formedness of binding signature Concurrent signature ensures that if the initial signer A releases the keystone k, then (k, σ A ) and (k, σ B ) will become valid binding signatures simultaneously. However, there is no guarantee that A will release k. Furthermore, the format of keystone-fix f is not verified by B in the Keystone Generation Phase. Based on these two facts, we show that all the existing models [8,30,39] for concurrent signature failed to capture a specific type of attacks which can be mounted by the initial signer A. As the matching signer B does not check the well-formedness of keystone-fix f , it might be possible for A to find a function KForge and generate a keystone-fix f ← KForge(k ) such that f is indistinguishable from a real keystone-fix f generated by KGen. After receiving σ B from B, A may apply a function FDerive to derive an ill-formed signature σ B bound to pk B such that σ B does not reveal a valid keystone to make σ A become bound to pk A . More precisely, the attack can be described as follows:

A → B : f ← KForge k

A → B : σ A ← ASign param, pk A , pk B , f , m A , sk A

B → A : σ B ← ASign param, pk B , pk A , f , m B , sk B A : σ B ← FDerive k , σ B

such that FVer param, pk B , σ B , mB = 1 where the verification algorithm FVer for the ill-formed signature is distinct from AVer and Ver, but the message mB is related to the original message m B signed by B. The ill-formedness of σ B refers to that it is neither a valid forgery of ambiguous signature (say σ B ) nor a valid forgery of binding signature (say (k, σ B )). Hence this type of attacks is out of the scope of all the existing models of concurrent signature,3 and it does make some applications of concurrent signature become insecure. Take the jointly signed coalition between A and B as an example. A malicious initial signer A may derive and send a matching signer B’s ill-formed signature σ B to C so that C knows that B signed the statement, then even if B sends A’s ambiguous signature σ A to C , it is infeasible for C to verify that the statement is also signed by A because C did not receive the corresponding keystone from A for binding A’s ambiguous signature. The fairness no longer holds for B in this case. To further illustrate this problem, we give a concrete attack against the proposed scheme CS-w/o-RO in Section 4.2. Let KForge: S → F be h2 k on input of a keystone k ←$ Zq . After receiving σ B = (ζ B , η B ), f from B, A applies FDerive which

computes ζ B = ζ B 1/k , ηB = η B 1/k , and outputs σ B = (ζ B , ηB ). We can see that σ B is a Waters’ signature [36] on the message mB = H ( pk A | pk B | f |m B ). In particular, let FVer be the verification algorithm of Waters’ signature. The algorithm checks if the following equation holds on input (param, pk B , σ B , mB ):

e g , ζ B = e (δ B , h2 )e

ηB , u B

u Bt

˜ B t ∈m

3 This does not imply that we have found practical attacks against existing concurrent signature schemes. We only claim that the conventional security models cannot capture this type of potential attacks.

210


˜ B is the set of indices t such that the string mB ’s t-th bit mB [t ] = 1. It is straightforward to see that (mB , σ B ) will where m pass the verification. A partial solution to this attack is to require that A must prove that the keystone-fix f was computed correctly. For example, A may give a witness indistinguishable proof of knowledge (WIPK) [14,3] of the keystone k in the Keystone Generation Phase for ensuring that the keystone-fix f was computed either by KGen or by KSim (to preserve ambiguity). Formally, this WIPK can be written as follows4 :

WIPK k : f ← KGen(k|m A |m B ) ∨ f ← KSim(k|m A |m B )

In this way, A will not be able to compute f using KForge without being detected by B. But when KForge := KGen or KSim, the above solution no longer works. We stress that concurrent signature schemes following the conventional approach (e.g. [8]) also suffer from this type of potential attacks. Fortunately, this type of attack seems not so destructive, because in some applications the exchanged signatures are required to be of a specified format, such that an ill-formed signature is not eligible. For example, in the joint signed coalition example, A and B may append a claim beforehand that their signature on the statement is legitimate only if it is a valid binding signature under a preferred concurrent signature scheme. For provable security, it is desirable if we can get an enhanced security model to capture this type of attacks. We consider this as a new open problem regarding the security models for concurrent signatures. 6. Conclusion and future work A novel paradigm for constructing concurrent signatures was proposed in this paper. The paradigm implies an ambiguity model that offers anonymity for ambiguous signatures’ authorship, which enables both parties to disavow their involvement before the final Signature Binding Phase. By following the new paradigm, we proposed a concrete concurrent signature scheme. This is the first concurrent signature scheme proven secure without relying on the random oracle heuristic. There are two interesting open problems along this research line: (1) improve the security model for concurrent signature to capture a specific type of attacks discussed in Section 5.2; and (2) extend the models we defined in this paper to multi-party (more than two parties) concurrent signature schemes. Acknowledgements This work is supported by the National Natural Science Foundation of China (Nos. 61472146, 61103232), the Research Fund for the Doctoral Program of Higher Education of China (No. 20114404120027) and the Guangdong Natural Science Foundation (No. S2013010011859), and a grant from the RGC of Hong Kong S.A.R., China (No. CityU 123913). Appendix A. Analysis of Nguyen’s scheme Nguyen’s asymmetric concurrent signature scheme [24] is defined by the following seven PPT algorithms. Notice that the scheme is asymmetric in the sense that it uses different ambiguous signature generation algorithms: IASign for the initial signer A and MASign for the matching signer B, and the two algorithms produce signatures in different format. Another distinct characteristic of Nguyen’s scheme is that the two ambiguous signature generation algorithms also generate keystones and keystone-fixes, where B’s keystone-fix f is derived from A’s keystone-fix f corresponding to the same keystone k.

• param ← Setup(1k ). The setup algorithm selects two primes p and q ≥ 2k such that q|( p − 1), and a generator g for the subgroup g in Z∗p of order q. The message space M = {0, 1}∗ , the keystone space S = Zq and the keystone-fix space F = g . Let H : {0, 1}∗ → Zq be a hash function modeled as a random oracle. Define param = ( p , q, g , M, S , F , H ). The key pairs {ski , pki } of the users are generated as ski ←$ Zq , pki = g ski . • σi ← IASign(param, mi , ski ). The initial signer’s ambiguous signature generation algorithm picks r ←$ Zq , computes c = H ( g r , mi ), f = g r +c ·ski , and outputs σi = ( f , c ). Here f is the keystone-fix for the initial signer, the keystone k = r + c · ski is implicitly defined and kept secret. • σ j ← MASign(param, f , m j , sk j ). The matching signer’s ambiguous signature generation algorithm picks r ←$ Zq , com putes f = f sk j , c = H ( g r f , m j ), k1 = (r − c )/sk j , and outputs σ j = ( f , k1 , c ). Here f is the keystone-fix for the matching signer.

• 1/0 ← IAVer(param, σi , pki , mi ). The initial signer’s ambiguous signature verification algorithm outputs 1 if c = c H ( pk− f , mi ); otherwise, it outputs 0. i • 1/0 ← RAVer(param, σ j , pk j , m j ). The matching signer’s ambiguous signature verification algorithm outputs 1 if c = k H ( g c pk j 1 f , m j ); otherwise, it outputs 0. 4

An efficient instantiation of WIPK is ΣOR protocol [10] which is an OR-composition of Σ protocol [26]. Readers may refer to [12] for details.


211

• 1/0 ← IVer(param, k, σi , pki , mi ). The initial signer’s binding signature verification algorithm outputs 1 if f = g k and IAVer(param, σi , pki , mi ) = 1; otherwise, it outputs 0. • 1/0 ← RVer(param, k, σ j , pk j , m j ). The matching signer’s binding signature verification algorithm outputs 1 if f = pkkj and RAVer(param, σ j , pk j , m j ) = 1; otherwise, it outputs 0. This concurrent signature scheme offers a similar property to ambiguity called anonymity, if both the following conditions hold: (1) If σ A ← IASign(param, m A , sk A ), then σ A is indistinguishable from random elements in the signature space of the initial signer. (2) If σ B ← MASign(param, f , m B , sk B ), then σ B is indistinguishable from random elements in the signature space of the matching signer. However, this property is not well formalized, because the definition above assumes the incomplete view of the adversary, say in either case only one of the two signatures is revealed to the adversary. In reality, it is generally the case that the adversary may get both of σ A and σ B , such that the correspondence between the two signatures may help the adversary to do the distinguishing. In the following, we show that Nguyen’s concurrent signature scheme does not preserve ambiguity in our model AMB† . Theorem 6. Nguyen’s asymmetric concurrent signature is insecure in AMB† . Proof. Since ASign is replaced by IASign and MASign in Nguyen’s scheme, ASim for Nguyen’s scheme could be specified as the algorithms IASim and MASim given below:

• IASim(param, pk A , m A ). Pick r ←$ Zq , compute c = H ( pkrA , m A ), f = pkrA+c , and σ A = ( f , c ). • MASim(param, pk B , m B ). k Pick r , k1 ←$ Zq , compute c = H ( g r pk B1 , m B ), f = g r −c , and σ B = ( f , k1 , c ). Here B’s fake keystone-fix f is derived from A’s fake keystone-fix f . KSim is implicitly defined as f = pkkA on input of a fake keystone k = r + c as in IASim. Then we constructs an adversary A with the knowledge of sk B to win the AMB† game with advantage of 1/2 − 1/2q. A does not need to make any oracle query. Suppose the challenger C outputs σ A = ( f , c ), σ B = ( f , k1 , c ). A simply checks if f sk B = f . If the checking holds, A outputs b = 0; otherwise, A outputs b = 1. We analyze the success probability of A by the following two cases:

• Case 1: (σ A , σ B ) are honestly produced by A and B using IASign and MASign. Then the checking always holds. (r +c )sk B • Case 2: (σ A , σ B ) are generated using IASim and MASim. Then A actually verifies if pk A = g r −c . The equation holds with probability about 1/q, because r , r are uniformly picked from Zq and c , c are outputs of the random oracle H . Therefore, the advantage of A winning the game is non-negligible:

Pr b = b − 1 2 = Pr b = b b = 0 · Pr[b = 0] + Pr b = b b = 1 · Pr[b = 1] − 1 1 1 1 − = + 1− 2 2 q 2 1 1 2 = 1− 2

1 2

q

References [1] [2] [3] [4] [5] [6] [7]

M. Abe, M. Ohkubo, K. Suzuki, 1-Out-of-n signatures from a variety of keys, in: ASIACRYPT 2002, in: LNCS, vol. 2501, Springer, 2002, pp. 415–432. N. Asokan, V. Shoup, M. Waidner, Optimistic fair exchange of signatures, in: EUROCRYPT 1998, in: LNCS, vol. 1403, Springer, 1998, pp. 591–606. M. Bellare, O. Goldreich, On defining proofs of knowledge, in: CRYPTO 1992, in: LNCS, vol. 740, Springer, 1992, pp. 390–420. M. Bellare, P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, in: CCS 1993, ACM Press, 1993, pp. 62–73. G. Bertoni, J. Daemen, M. Peeters, G.V. Assche, Keccak, in: EUROCRYPT 2013, in: LNCS, vol. 7881, Springer, 2013, pp. 313–314. R. Canetti, O. Goldreich, S. Halevi, The random oracle methodology, revisited, in: STOC 1998, ACM Press, 1998, pp. 209–218. S. Chang, D.S. Wong, Y. Mu, Z. Zhang, Certificateless threshold ring signature, Inform. Sci. 179 (20) (2009) 3685–3696.

212


[8] L. Chen, C. Kudla, K. Paterson, Concurrent signatures, in: EUROCRYPT 2004, in: LNCS, vol. 3027, Springer, 2004, pp. 287–305. [9] S. Chow, W. Susilo, Generic construction of identity-based perfect concurrent signatures, in: ICICS 2005, in: LNCS, vol. 3783, Springer, 2005, pp. 194–206. [10] R. Cramer, I. Damgard, B. Schoenmakers, Proofs of partial knowledge and simplified design of witness hiding protocols, in: CRYPTO 1994, in: LNCS, vol. 839, Springer, 1994, pp. 174–187. [11] I. Damgard, A design principle for hash functions, in: CRYPTO 1989, in: LNCS, vol. 435, Springer, 1989, pp. 416–427. [12] I. Damgard, On Σ -protocols, http://www.daimi.au.dk/~ivan/Sigma.pdf, 2010. [13] S. Even, O. Goldreich, A. Lempel, A randomized protocol for signing contracts, Commun. ACM 28 (6) (1985) 637–647. [14] U. Feige, A. Shamir, Witness indistinguishable and witness hiding protocols, in: STOC 1990, ACM Press, 1990, pp. 416–426. [15] J. Garay, C. Pomerance, Timed fair exchange of standard signatures: [extended abstract], in: FC 2003, in: LNCS, vol. 2742, Springer, 2003, pp. 190–207. [16] Q. Huang, D.S. Wong, W. Susilo, Group-oriented fair exchange of signatures, Inform. Sci. 181 (16) (2011) 3267–3283. [17] Q. Huang, D.S. Wong, W. Susilo, The construction of ambiguous optimistic fair exchange from designated confirmer signature without random oracles, Inform. Sci. 228 (2013) 222–238. [18] Q. Huang, G. Yang, D.S. Wong, W. Susilo, Ambiguous optimistic fair exchange, in: ASIACRYPT 2008, in: LNCS, vol. 5350, Springer, 2008, pp. 74–89. [19] J.Y. Hwang, S. Lee, B. Chung, H.S. Cho, D. Nyang, Group signatures with controllable linkability for dynamic membership, Inform. Sci. 222 (2013) 761–778. [20] F. Laguillaumie, D. Vergnaud, Time-selective convertible undeniable signatures with short conversion receipts, Inform. Sci. 180 (12) (2010) 2458–2475. [21] J. Li, K. Kim, Hidden attribute-based signatures without anonymity revocation, Inform. Sci. 180 (9) (2010) 1681–1689. [22] Y. Li, D. He, X. Lu, Accountability of perfect concurrent signature, Cryptology ePrint archive: report 2008/301, http://eprint.iacr.org/2008/301, 2008. [23] R. Merkle, One way hash functions and DES, in: CRYPTO 1989, in: LNCS, vol. 435, Springer, 1989, pp. 428–446. [24] K. Nguyen, Asymmetric concurrent signatures, in: ICICS 2005, in: LNCS, vol. 3783, Springer, 2005, pp. 181–193. [25] D. Pointcheval, J. Stern, Security arguments for digital signatures and blind signatures, J. Cryptology 13 (3) (2000) 361–396. [26] C.P. Schnorr, Efficient signature generation for smart cards, J. Cryptology 4 (3) (1991) 239–252. [27] M. Stevens, A. Lenstra, B. Weger, Chosen-prefix collisions for MD5 and colliding X.509 certificates for different identities, in: EUROCRYPT 2007, in: LNCS, vol. 4586, Springer, 2007, pp. 338–354. [28] M. Stevens, A. Sotirov, J. Appelbaum, A. Lenstra, D. Molnar, D.A. Osvik, B. Weger, Short chosen-prefix collisions for MD5 and the creation of a rogue CA certificate, in: CRYPTO 2009, in: LNCS, vol. 5677, Springer, 2009, pp. 55–69. [29] W. Susilo, M.H. Au, Y. Wang, D.S. Wong, Fairness in concurrent signatures revisited, in: ACISP 2013, in: LNCS, vol. 7959, Springer, 2013, pp. 318–329. [30] W. Susilo, Y. Mu, F. Zhang, Perfect concurrent signatures schemes, in: ICICS 2004, in: LNCS, vol. 3269, Springer, 2004, pp. 14–26. [31] X. Tan, Q. Huang, D.S. Wong, Extending concurrent signature to multiple parties, Theoret. Comput. Sci. 548 (2014) 54–67. [32] D. Tonien, W. Susilo, R. Safavi-Naini, Multi-party concurrent signatures, in: ISC 2006, in: LNCS, vol. 4176, Springer, 2006, pp. 131–145. [33] G. Wang, F. Bao, J. Zhou, The fairness of perfect concurrent signatures, in: ICICS 2006, in: LNCS, vol. 4307, Springer, 2006, pp. 435–451. [34] X.Y. Wang, Y.Q. Yin, H.B. Yu, Finding collisions in the full SHA-1, in: CRYPTO 2005, in: LNCS, vol. 3621, Springer, 2005, pp. 17–36. [35] X.Y. Wang, H.B. Yu, How to break MD5 and other hash functions, in: EUROCRYPT 2005, in: LNCS, vol. 3494, Springer, 2005, pp. 19–35. [36] B. Waters, Efficient identity-based encryption without random oracles, in: EUROCRYPT 2005, in: LNCS, vol. 3494, Springer, 2005, pp. 114–127. [37] J. Yu, R. Hao, F. Kong, X. Cheng, J. Fan, Y. Chen, Forward-secure identity-based signature: security notions and construction, Inform. Sci. 181 (3) (2011) 648–660. [38] H. Yuan, F. Zhang, X. Huang, Y. Mu, W. Susilo, L. Zhang, Certificateless threshold signature scheme from bilinear maps, Inform. Sci. 180 (23) (2010) 4714–4728. [39] T.H. Yuen, D.S. Wong, W. Susilo, Q. Huang, Concurrent signatures with fully negotiable binding control, in: ProvSec 2011, in: LNCS, vol. 6980, Springer, 2011, pp. 170–187. [40] W. Zhao, D. Ye, Certificateless undeniable signatures from bilinear maps, Inform. Sci. 199 (2012) 204–215.