On the Key Exposure Problem in Chameleon Hashes

  • Giuseppe Ateniese
  • Breno de Medeiros
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3352)


Chameleon signatures, introduced by Krawczyk and Rabin, are non-interactive signature schemes that provide non-transferability. However, that first construction employs a chameleon hash that suffers from a key exposure problem: non-transferability relies on the recipient being willing to expose a secret key as a consequence, thereby invalidating all signatures issued to the same recipient’s public key. To address this key-revocation issue and its attendant problems of key redistribution, storage of state information, and greater need for interaction, an identity-based scheme was proposed in [1], while a fully key-exposure-free construction, based on elliptic curves with pairings, appeared later in [7].

Herein we provide several constructions of exposure-free chameleon hash functions based on different cryptographic assumptions, such as the RSA and the discrete logarithm assumptions. One of the schemes is a novel construction that relies on a single trapdoor and therefore may potentially be realized over a large set of cryptographic groups (where the discrete logarithm is hard).
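The key exposure problem described in the abstract can be seen in the discrete-log chameleon hash CH_y(m, r) = g^m · y^r mod p, the form usually given for the Krawczyk–Rabin construction. This is an added example, not code from the paper; the formula, the toy parameters and all function names are assumptions that do not appear on this page.

```python
# Toy parameters, constructed for illustration only (far too small for real use).
P = 2039   # safe prime, P = 2*Q + 1
Q = 1019   # prime order of the subgroup generated by G
G = 4      # generator of the order-Q subgroup of Z_P^*

def keygen(x):
    """Recipient key pair: trapdoor x in [1, Q-1], public key y = g^x mod p."""
    return x, pow(G, x, P)

def chameleon_hash(y, m, r):
    """CH_y(m, r) = g^m * y^r mod p, with m and r taken in Z_Q."""
    return (pow(G, m, P) * pow(y, r, P)) % P

def find_collision(x, m, r, m_new):
    """Trapdoor holder: return r_new with CH(m_new, r_new) == CH(m, r).

    Solves m + x*r = m_new + x*r_new (mod Q) for r_new.
    """
    return (r + (m - m_new) * pow(x, -1, Q)) % Q

def extract_trapdoor(m, r, m_new, r_new):
    """Anyone who sees one collision recovers x = (m - m_new) / (r_new - r) mod Q."""
    delta_r = (r_new - r) % Q
    if delta_r == 0:
        raise ValueError("the two openings are not a collision on distinct messages")
    return ((m - m_new) * pow(delta_r, -1, Q)) % Q

def demo():
    x, y = keygen(777)                      # recipient's long-term key (constructed)
    # The recipient repudiates one signed hash by publishing a collision for it.
    m, r, m_alt = 123, 456, 900
    r_alt = find_collision(x, m, r, m_alt)
    assert chameleon_hash(y, m, r) == chameleon_hash(y, m_alt, r_alt)
    # A third party recovers the trapdoor from the published collision alone.
    leaked = extract_trapdoor(m, r, m_alt, r_alt)
    # With it, every other hash under the same public key can be reopened too.
    m2, r2, m2_alt = 55, 77, 1000
    r2_alt = find_collision(leaked, m2, r2, m2_alt)
    reopened = chameleon_hash(y, m2, r2) == chameleon_hash(y, m2_alt, r2_alt)
    return leaked, reopened

if __name__ == "__main__":
    print(demo())
```

Because the same trapdoor opens every hash computed under the recipient's public key, a single published collision forces key revocation, which is the issue the exposure-free constructions aim to remove.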


Digital signatures, undeniable signatures, collision-resistant hashing, trapdoor commitments, chameleon signatures, chameleon hashing




  1. Ateniese, G., de Medeiros, B.: Identity-based chameleon hash and applications. In: Juels, A. (ed.) FC 2004. LNCS, vol. 3110, pp. 164–180. Springer, Heidelberg (2004), Available online at
  2. Bellare, M., Rogaway, P.: PSS: Provably secure encoding method for digital signature. IEEE P1363a: Provably secure signatures (1998),
  3. Boneh, D., Boyen, X.: Short Signatures Without Random Oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 56–73. Springer, Heidelberg (2004)
  4. Brassard, G., Chaum, D., Crepeau, C.: Minimum disclosure proofs of knowledge. Journal of Computer and Systems Sciences 37(2), 156–189 (1988)
  5. Catalano, D., Gennaro, R., Howgrave-Graham, N., Nguyen, P.Q.: Paillier’s Cryptosystem Revisited. In: ACM CCS (2001)
  6. Chaum, D., Antwerpen, H.: Undeniable signatures. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 212–216. Springer, Heidelberg (1990)
  7. Chen, X., Zhang, F., Kim, K.: Chameleon hashing without key exposure. In: Zhang, K., Zheng, Y. (eds.) ISC 2004. LNCS, vol. 3225, pp. 87–98. Springer, Heidelberg (2004), Available online at,
  8. Damgård, I.: Practical and provable secure release of a secret and exchange of signature. Journal of Cryptology 8, 201–222 (1995)
  9. Even, S., Goldreich, O., Micali, S.: On-line/off-line Digital Signatures. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 263–277. Springer, Heidelberg (1990)
  10. Fischlin, M.: Trapdoor commitment schemes and their applications. Ph.D. thesis (2001)
  11. Gennaro, R.: Multi-trapdoor commitments and their applications to proofs of knowledge secure under concurrent man-in-the-middle attacks. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 220–236. Springer, Heidelberg (2004)
  12. Krawczyk, H., Rabin, T.: Chameleon signatures. In: Proceedings of NDSS 2000, pp. 143–154 (2000)
  13. MacKenzie, P., Yang, K.: On Simulation-Sound Trapdoor Commitments. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 382–400. Springer, Heidelberg (2004)
  14. Naccache, D., Pointcheval, D., Stern, J.: Twin signatures: an alternative to the hash-and-sign paradigm. In: Proc. of the 8th ACM Conference on Computer and Communication Security (ACM CCS), pp. 20–27. ACM Press, New York (2001)
  15. Okamoto, T.: Provably secure and practical identification schemes and corresponding signature schemes. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 31–53. Springer, Heidelberg (1993)
  16. Paillier, P.: Public key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999)
  17. Pedersen, T.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–149. Springer, Heidelberg (1992)
  18. RSA Labs: RSA Crypt. Std: EMSAPSS – PKCS#1 v2.1., pp. 26–28, 32–37 (2002)
  19. RSA Labs: RSA Crypt. Std: EMSAPKCS1-v1_5 - PKCS#1 v2.1. pp. 29–33, 37–38 (2002)
  20. Shamir, A., Kalai, Y.: Improved Online/Offline Signature Schemes. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 355–367. Springer, Heidelberg (2001)

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Giuseppe Ateniese (1)
  • Breno de Medeiros (2)
  1. Information Security Institute and Department of Computer Science, The Johns Hopkins University
  2. Department of Computer Science, Florida State University
