Generic constructions for secure and efficient confirmer signature schemes

Extended abstract
  • Markus Michels
  • Markus Stadler
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1403)


In contrast to ordinary digital signatures, the verification of undeniable signatures and of confirmer signatures requires the cooperation of the signer or of a designated confirmer, respectively. Various schemes have been proposed so far, from practical solutions based on specific number-theoretic assumptions to theoretical constructions using basic cryptographic primitives. To motivate the necessity of new and provably secure constructions for confirmer signatures, we first describe a flaw in a previous realization by Okamoto. We then present two generic constructions for designing provably secure and efficient confirmer variants of many well-known signature schemes, including the schemes by Schnorr, Fiat and Shamir, ElGamal, and the RSA scheme. The constructions employ a new tool called confirmer commitment schemes. In this concept the ability to open the committed value is delegated to a designated confirmer. We present an efficient realization based on the Decision-Diffie-Hellman assumption.


Keywords: designated confirmer signature schemes, undeniable signature schemes, commitment schemes, provable security



Copyright information

© Springer-Verlag Berlin Heidelberg 1998

Authors and Affiliations

  • Markus Michels (1)
  • Markus Stadler (1)
  1. Ubilab, UBS, B, Zurich, Switzerland
