How to Construct Fail-Stop Confirmer Signature Schemes

Embed Size (px)

Citation preview

Rei Safavi-Naini*, Willy Susilo, and Huaxiong Wang
Centre for Computer Security Research
School of Information Technology and Computer Science
University of Wollongong
Wollongong 2522, AUSTRALIA
Email: {rei, wsusilo, [email protected]}

* This work is in part supported by Australian Research Council Grant Number A49703076.

Abstract. In a confirmer signature, verification of a signature requires the collaboration of the confirmer. A fail-stop confirmer signature provides protection against an enemy with unlimited computational power. A fail-stop confirmer signature scheme is a combination of a fail-stop signature scheme and a confirmer signature scheme, first constructed in [15]. In this paper we discuss the security issues that arise in naive constructions of such systems.

1 Introduction

An ordinary digital signature [8] is verifiable by anyone who has access to the correct public key. If only a single recipient is to verify the signature, a zero-knowledge proof [10] can be used. Undeniable signatures [4] lie between these two: an undeniable signature can be verified by everyone, but only with the help of the signer. The signer is able to reject invalid signatures but must not be able to deny valid ones. If the signer is unavailable or unwilling to cooperate, the signature can no longer be verified. To overcome this shortcoming, the notion of confirmer signatures [3] was proposed. In confirmer signatures, the ability to verify or deny signatures is transferred to a designated confirmer. A generic construction of a confirmer signature scheme from an ordinary signature scheme is proposed in [2].

Security of traditional signature schemes relies on computational assumptions. This means that if an enemy can solve the underlying hard problem, he can forge a signature and there is no way for the signer to prove that a forgery has occurred. To provide protection against an enemy with unlimited computational power, fail-stop signature (FSS) schemes have been proposed [25, 17]. An FSS scheme is a signature scheme equipped with an algorithm to prove that a forgery has happened. To achieve this property, many secret keys match the same public key and the sender uses one specific key among them. An unbounded enemy can find the set of all matching secret keys but cannot determine which one is actually used. So in the case of a forgery, that is, a signed message that passes the verification test, the sender can use his secret key to generate a second signature on the same message, which with overwhelming probability will differ from the forged one. The two signatures on the same message can be used as a proof that the underlying computational assumption is broken and the system must be stopped, hence the name fail-stop. Thus FSS schemes provide information-theoretic security for the signer; security for the receiver, however, is computational. An FSS in its basic form is a one-time digital signature that can only be used for signing a single message, but it is possible to extend an FSS scheme to sign multiple messages [5, 23, 1]. A fail-stop confirmer signature (FSCS) scheme, introduced in [15], combines the confirmer signature property with the fail-stop property. The purpose of FSCS is to provide information-theoretic security for the signer while maintaining the confirmer property, so that when the signer is unavailable, the confirmer is able to verify the signature.

In this paper, we propose a model of FSCS schemes and show the difficulties of constructing one.

1.1 Previous Works

Confirmer signature schemes were introduced in [3]. Okamoto presented a formal model, proved that the existence of confirmer signature schemes is equivalent to the existence of public-key encryption schemes [16], and presented a practical scheme. However, it is shown in [14] that Okamoto's scheme is insecure because the confirmer can forge a signature. Michels and Stadler [14] proposed a solution to this problem by introducing a new model. However, as pointed out in [2], their model is vulnerable to an adaptive signature-transformation attack (similar to adaptive chosen-ciphertext attacks [11] on encryption schemes), and all previous schemes are vulnerable to this attack. Camenisch and Michels [2] presented a generic construction for confirmer signature schemes that does not suffer from the adaptive signature-transformation attack.

Fail-stop signature (FSS) schemes protect the signer information-theoretically against an unlimited forger. The first construction of FSS [25] uses a one-time signature scheme (similar to [13]) and results in bit-by-bit signing of the message, which is impractical. In [18] an efficient single-recipient FSS to protect clients in an on-line payment system is proposed. The main disadvantage of this system is that signature generation is a 3-round protocol between the signer and the recipient, which makes it expensive from the communication point of view. van Heijst and Pedersen [23] proposed an efficient FSS that uses the difficulty of the discrete logarithm problem as the underlying assumption. In the case of a forgery, the presumed signer can solve an instance of the discrete logarithm problem and so prove that the underlying assumption is broken.

In [17, 19], a formal definition of FSS schemes is given and a general construction using bundling homomorphisms is proposed. The important property of this construction is that it is provably secure against the most stringent type of attack on signature schemes, the adaptive chosen-message attack [12]. The proof of forgery consists of two different signatures on the same message, the forged one and the one generated by the valid signer; to verify the proof of forgery, the two signatures are shown to collide under the bundling homomorphism. The scheme by van Heijst and Pedersen [23] is an example of this construction. van Heijst, Pedersen and Pfitzmann [24] also gave an example of this construction that uses the difficulty of factoring as the underlying computational assumption. Other works in this area include [23, 24, 22]. A general construction of FSS from authentication codes has been given in [20] and has been used to construct an efficient FSS to sign long messages [21].

A fail-stop confirmer signature (FSCS) scheme combines the properties of confirmer signature and FSS schemes. The first construction of FSCS was proposed in [15]. That scheme is an extension of the FSS scheme proposed in [23].

1.2 Our Contributions

In this paper, we define a model of FSCS schemes that has the separability property [2], that is, it allows all parties to run their key generation algorithms independently (cf. [15]). We propose a generic method for converting an FSS scheme into an FSCS scheme while maintaining its security properties: we show that an FSCS can be constructed from an FSS scheme combined with an encryption scheme. We then discuss the security issues that arise in the FSCS model because of the unbounded enemy. In particular, we show that the confirmer has no significance from the security point of view and serves mainly to provide non-transferability of the signatures. This shows that a simple combination of FSS and encryption schemes, similar to [2], is insecure.

The paper is organized as follows. In the next section, we give a model for FSCS schemes and outline their security requirements. Section 3 proposes a generic construction for FSCS schemes from an FSS scheme and a secure encryption scheme. In Section 4 we discuss the problems that arise in the FSCS model. Section 5 concludes the paper.

2 FSCS Model

There exist a signer S, a confirmer C and a signature verifier V, all of whom are polynomially bounded. There is a trusted third party TA whose role is only required during prekey generation (it can be eliminated by replacing it with the recipient or the signature verifier). The enemy E has unlimited computational power.

A fail-stop confirmer signature (FSCS) scheme consists of the following procedures:

- Prekey Generation: $PKG(k, \sigma, \ell) \to (x_D, y_D)$ is a probabilistic algorithm, where $k$ and $\sigma$ are the security parameters for the receiver and the sender respectively, $\ell$ is the security parameter of the confirmer, and $(x_D, y_D)$ is the secret/public key pair of the TA (or trusted dealer).
- Key Generation: consists of two probabilistic algorithms, $KGS()$ performed by S and $KGC()$ performed by C. $KGS(k, \sigma, y_D) \to (x_S, y_S)$, where $y_D$ is the public key of the TA at the same security level $(k, \sigma)$, obtained from $PKG$; and $KGC(\ell, y_D) \to (x_C, y_C)$. $(x_S, y_S)$ is the secret/public key pair of the signer S and $(x_C, y_C)$ is the secret/public key pair of the confirmer C.
- Signing: a probabilistic algorithm $CSig(m, x_S, y_S, y_C) \to \gamma$ that generates a signature on a message $m \in \{0,1\}^*$.
- Confirmation and Disavowal: a signature verification protocol $Ver()$ between the confirmer C and a verifier V. The private input of C is $x_C$; their common input is $m, y_S, y_C$ and $\gamma$. The output of the protocol is either 1 (true) or 0 (false).
- Proof of Forgery: a probabilistic algorithm $PoF(m, \gamma, \tilde\gamma) \to \{\pi, \bot\}$, run by S to generate a proof of forgery in the case of a dispute, where $\gamma$ and $\tilde\gamma$ denote two signatures that pass $Ver()$. The output is either $\pi$ (the proof of forgery) or $\bot$ (fail). If an enemy has constructed a signature $\tilde\gamma$ on a message $m$ for which $Ver()$ outputs 1, then with overwhelming probability the presumed signer S can run $PoF(m, \gamma, \tilde\gamma)$, where $\gamma \leftarrow CSig(m, x_S, y_S, y_C)$, to show that the underlying hard assumption of the system has been broken.
  A probabilistic algorithm $VerPoF(\pi, y_S, y_C) \to \{0, 1\}$ allows everyone to verify the proof of forgery. It takes as input the proof $\pi$ together with the public information $(y_S, y_C)$ and returns 1 if the proof of forgery is valid and 0 otherwise.
- Selective Convertibility: an algorithm $CConv(m, \gamma, y_S, x_C, y_C) \to \{s, \bot\}$ that allows the confirmer C to convert a confirmer signature $\gamma$ into an ordinary signature $s$, which anyone can verify without the help of the confirmer. If the conversion fails, the algorithm outputs $\bot$.
- Signature Verification (Ordinary): an algorithm $COVer(m, s, y_S) \to \{0, 1\}$ that allows everyone to verify an ordinary signature output by $CConv()$. It takes as input a message $m$, a signature $s$ and the signer's public key $y_S$.

Notions of Security

The FSS scheme used in an FSCS must be provably secure against adaptive chosen-message attack [11]. In this type of attack, the adversary can choose messages and obtain the corresponding signatures. His task is to produce, for a message that has not been signed by the original signer, a signature identical to the one the original signer would have produced. A scheme is secure against adaptive chosen-message attack if the probability of the adversary producing such a signature is negligible.

Security Requirements

In the following we define the security requirements for the sender, confirmer and recipient of an FSCS scheme.

- Security for the Sender: ensures that the confirmer signatures and the converted signatures are unforgeable under an adaptive chosen-message attack. The signer S is protected information-theoretically, with security level $\sigma$, against an enemy with unlimited computational power. For each message $m$, many signatures can be generated that pass the verification test; the chance of an unbounded enemy constructing the one produced by the true signer is bounded by $2^{-\sigma}$, where $\sigma$ is the bundling degree of the bundling homomorphism [17], the relevant security parameter. In the case of a forgery, the presumed signer S can generate a proof of forgery with overwhelming probability.
- Security for the Confirmer: if the confirmer's confirmation is forged, the presumed signer will always be able to generate a proof of forgery with overwhelming probability.
- Security for the Receiver: the receiver is protected computationally against the sender and the confirmer, which are polynomially bounded. With overwhelming probability, the sender and the confirmer cannot falsely confirm or deny a signature. More precisely, the security level for the receiver against the sender is measured by $k$ and against the confirmer by $\ell$. Therefore, for sufficiently large $k$ and $\ell$ and any $c > 0$, we require that
  $$\Pr\Big[\pi \leftarrow PoF(m, \gamma, \tilde\gamma) \;\Big|\; \gamma \leftarrow CSig(m, x_S, y_S, y_C) \;\wedge\; 1 \leftarrow Ver(m, y_S, y_C, \tilde\gamma) \;\wedge\; \tilde\gamma \neq \gamma \;\wedge\; \pi \text{ is valid}\Big] \;\le\; (\min(k, \ell))^{-c}.$$
- Collusion Attack against the Sender: the strongest attack on an FSCS is performed by an unbounded enemy colluding with the confirmer against the sender. In this case the enemy (or the colluding confirmer) knows $x_C$ in addition to having the unbounded ability to solve the underlying hard problem. Under this attack, we require that the signer is still protected information-theoretically from the colluding enemy and confirmer, with the appropriate security level (i.e. $\sigma$).

An FSCS scheme must satisfy the following security requirements.

- Unforgeability of Signatures: there is no polynomial-time algorithm which, on input $y_S, y_C$, outputs with non-negligible probability a correct message-signature pair $(m, \tilde\gamma)$ with $\tilde\gamma \neq \gamma$ for $\gamma \leftarrow CSig(m, x_S, y_S, y_C)$ and $\bot \leftarrow PoF(m, \gamma, \tilde\gamma)$.
- Consistency of Verification: if the confirmer is honest, then for every run of $Ver()$ between the confirmer C and a verifier V and all (correct and incorrect) message-signature pairs $(m, \gamma)$,
  $$Ver(m, y_S, y_C, \gamma) = \begin{cases} 1 & \text{if } \gamma = CSig(m, x_S, y_S, y_C), \\ 0 & \text{otherwise.} \end{cases}$$
  Informally, an honest confirmer always confirms correctly.
- Non-transferability of Verification: the verification protocol $Ver()$ must be a minimum-knowledge bi-proof (according to the definition of [9]). Having received the confirmation from C, the verifier V cannot reuse this proof to convince someone else that the signature is valid.

Definition 1. A $(k, \sigma, \ell)$-secure FSCS scheme is an FSCS scheme in which the security level for the signer against an unbounded forger is $\sigma$, the security level for the confirmer is $\ell$, and the recipient is protected computationally against the sender and the confirmer with security level $\min(k, \ell)$.

3 A Generic Construction for FSCS Schemes

In this section we propose a generic construction for an FSCS scheme from an FSS scheme. It is an extension of the construction proposed in [2]. [Co-author note in the draft: In what way is it an extension? Probably you can say "a variation" rather than "extension".]

Let $SIG = (SPKG, SKG, Sig, Ver)$ denote an FSS scheme, where $SPKG$ is the prekey generation algorithm, $SKG$ the key generation algorithm, $Sig$ the signing algorithm and $Ver$ the verification algorithm [17]. Let $ENC = (EKG, Enc, Dec)$ denote a public-key encryption scheme: on input a security level, $EKG$ outputs a key pair $(x', y')$ where $x'$ is the secret key and $y'$ the corresponding public key; on input $y'$ and a message $m$, $Enc$ outputs a ciphertext $c$; and on input the secret key $x'$ and a ciphertext $c$, $Dec$ outputs $m$, or $\bot$ if $c$ is not valid.

Given an FSS scheme and a secure encryption scheme, an FSCS can be constructed as follows.

1. The key generators are chosen as
   - $PKG(k, \sigma) := SPKG(k, \sigma)$,
   - $KGS(k, \sigma, y_D) := SKG(k, \sigma, y_D)$, and
   - $KGC(\ell) := EKG(\ell)$.
2. The signer signs a message $m \in \{0,1\}^*$ by computing $s := Sig(m, x_S, y_S)$ and $\gamma := Enc(s, y_C)$. The confirmer signature on $m$ is $\gamma$.
3. The confirmation and disavowal protocol $Ver()$ between the confirmer and a verifier: on receiving the confirmer signature $\gamma$, the confirmer C decrypts it to obtain $\tilde s := Dec(\gamma, x_C)$. If $Ver(m, \tilde s, y_S) = 1$, C declares the signature valid and proves this to the verifier in a concurrent zero-knowledge protocol [7] showing that "$\tilde s = Dec(\gamma, x_C)$, $Ver(m, \tilde s, y_S) = 1$, and $x_C$ is the secret key corresponding to $y_C$". Otherwise C declares the signature invalid and proves in concurrent zero-knowledge that "$\tilde s = Dec(\gamma, x_C)$ and $Ver(m, \tilde s, y_S) = 0$, where $x_C$ is the secret key corresponding to $y_C$, or decryption fails". [Co-author note in the draft: check.]
4. The proof of forgery is run by S when there is a signature $\hat\gamma$ on a message $m$ that passes the verification test performed with the confirmer C. S generates his own signature on the same message, $s := Sig(m, x_S, y_S)$, and publishes it as the proof of forgery. The proof is verified as follows:
   - verify that $Ver(m, s, y_S) = 1$;
   - compute $\gamma = Enc(s, y_C)$ and verify that $\gamma \neq \hat\gamma$.
   These conditions show that $\gamma$ differs from $\hat\gamma$ and that both signatures pass the verification test. If they hold, the proof of forgery is valid and the scheme has to be stopped at this stage.
5. The selective conversion algorithm $CConv(m, \gamma, y_S, x_C, y_C)$ outputs $s := Dec(\gamma, x_C)$ if $Ver(m, Dec(\gamma, x_C), y_S) = 1$, and $\bot$ otherwise.
6. The public verification algorithm for converted signatures is $COVer(m, s, y_S) := Ver(m, s, y_S)$.

3.1 Properties of the Signature and Encryption Schemes

The above construction is based on the generic construction proposed in [2], and uses an FSS that is secure against adaptive chosen-message attack together with a deterministic public-key encryption scheme.
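The construction above (steps 1 to 6) and the deterministic-encryption requirement that opens Section 3.1, run end to end in code. This is an added example written for this page, not code from the paper or from [15]. Its assumptions: the FSS is the van Heijst-Pedersen discrete-logarithm scheme [23] in a toy group (Q = 1019, P = 2Q+1, constructed parameters far too small for real use); the confirmer's Enc is textbook RSA, taken as the deterministic scheme; EncP is the same RSA with a random pad, a constructed stand-in for a probabilistic scheme that is not secure and serves only to show the denial scenario; and the "unbounded" enemy is a brute-force discrete-logarithm search, feasible only because the group is tiny. The zero-knowledge protocol of step 3 is not implemented; the confirmer's check behind it is. The demo shows that the confirmer confirms both the honest signature and a forged one; that the signer's published s passes the step-4 check against the forged signature but not against his own; that the converted forgery lets anyone recover the dealer's secret (the FSS proof of forgery); and that with EncP the verifier's recomputation with its own pad never matches, so the signer's own signature is accepted as a forgery.

```python
"""Toy FSCS: van Heijst-Pedersen FSS + toy RSA as Enc / EncP. Constructed parameters, not secure."""
import math
import random

Q, P = 1019, 2 * 1019 + 1   # both prime (P = 2039), so the squares mod P form a group of order Q
R_BITS = 16                 # pad length of the (insecure) randomised encryption variant EncP

def prekey_gen(rng):
    """Dealer (TA): alpha generates the order-Q subgroup, beta = alpha^d; d = x_D stays secret."""
    alpha = next(h for h in (pow(g, 2, P) for g in range(2, P)) if h != 1)
    d = rng.randrange(1, Q)
    return d, (alpha, pow(alpha, d, P))

def fss_keygen(y_D, rng):
    """Signer: x_S = (a1, a2, b1, b2); Q^2 different x_S match the same y_S = (rho, gam)."""
    alpha, beta = y_D
    a1, a2, b1, b2 = (rng.randrange(Q) for _ in range(4))
    rho = pow(alpha, a1, P) * pow(beta, a2, P) % P
    gam = pow(alpha, b1, P) * pow(beta, b2, P) % P
    return (a1, a2, b1, b2), (rho, gam)

def fss_sign(m, x_S):                       # message m is an integer in [0, Q)
    a1, a2, b1, b2 = x_S
    return ((a1 + m * b1) % Q, (a2 + m * b2) % Q)

def fss_verify(m, s, y_S, y_D):
    (alpha, beta), (rho, gam), (y1, y2) = y_D, y_S, s
    return pow(alpha, y1, P) * pow(beta, y2, P) % P == rho * pow(gam, m, P) % P

def fss_proof_of_forgery(s, s_forged):
    """Two different valid signatures on one message reveal d = log_alpha(beta); None = bottom."""
    (y1, y2), (z1, z2) = s, s_forged
    return None if (z2 - y2) % Q == 0 else (y1 - z1) * pow((z2 - y2) % Q, -1, Q) % Q

def fss_verify_proof(pi, y_D):              # VerPoF for the FSS: alpha^pi == beta
    return pi is not None and pow(y_D[0], pi, P) == y_D[1]

def dlog(base, target):
    """The unbounded enemy: brute-force discrete log, feasible only in this toy group."""
    return next(k for k in range(Q) if pow(base, k, P) == target)

def forge(m, y_S, y_D, rng):
    """Enemy picks any (y1, y2) with alpha^y1 beta^y2 = rho gam^m: one of the Q valid signatures."""
    (alpha, beta), (rho, gam) = y_D, y_S
    d, t = dlog(alpha, beta), dlog(alpha, rho * pow(gam, m, P) % P)
    y2 = rng.randrange(Q)
    return ((t - d * y2) % Q, y2)

def _next_prime(n):
    while any(n % i == 0 for i in range(2, math.isqrt(n) + 1)):
        n += 1
    return n

def enc_keygen():                           # confirmer: textbook RSA, n > 2^R_BITS * Q^2
    p = _next_prime(1 << 20)
    q = _next_prime(p + 1)
    n, phi, e = p * q, (p - 1) * (q - 1), 65537
    while math.gcd(e, phi) != 1:
        e += 2
    return pow(e, -1, phi), (n, e)          # (x_C, y_C)

def enc_det(s, y_C):                        # Enc(s, y_C): deterministic, same s -> same ciphertext
    return pow(s[0] * Q + s[1], y_C[1], y_C[0])
def enc_rand(s, y_C, r):                    # EncP(s, y_C, r): randomised by a pad r < 2^R_BITS
    return pow(r * Q * Q + s[0] * Q + s[1], y_C[1], y_C[0])
def dec(c, x_C, y_C):                       # Dec: recovers s from either variant
    return divmod(pow(c, x_C, y_C[0]) % (Q * Q), Q)
def csig(m, x_S, y_C):                      # step 2: gamma = Enc(Sig(m, x_S), y_C)
    return enc_det(fss_sign(m, x_S), y_C)

def cconv(m, gamma, x_C, y_C, y_S, y_D):    # step 5; also what C checks before confirming (step 3)
    s = dec(gamma, x_C, y_C)
    return s if fss_verify(m, s, y_S, y_D) else None

def pof_verify(m, s, gamma_hat, y_S, y_C, y_D, enc=enc_det, **kw):
    """Step 4: the published s is a valid proof iff Ver(m, s) = 1 and Enc(s, y_C) != gamma_hat."""
    return fss_verify(m, s, y_S, y_D) and enc(s, y_C, **kw) != gamma_hat

def demo(seed=1, m=42):
    rng = random.Random(seed)
    x_D, y_D = prekey_gen(rng)
    x_S, y_S = fss_keygen(y_D, rng)
    x_C, y_C = enc_keygen()
    s, gamma = fss_sign(m, x_S), csig(m, x_S, y_C)
    forged = forge(m, y_S, y_D, rng)        # differs from s with probability 1 - 1/Q
    gamma_hat = enc_det(forged, y_C)
    pi = fss_proof_of_forgery(s, cconv(m, gamma_hat, x_C, y_C, y_S, y_D))
    r, r_hat = rng.randrange(1 << R_BITS), rng.randrange(1 << R_BITS)
    gamma_p = enc_rand(s, y_C, r)           # the same honest s published under EncP
    return dict(
        confirmed=cconv(m, gamma, x_C, y_C, y_S, y_D) == s,
        forgery_confirmed=cconv(m, gamma_hat, x_C, y_C, y_S, y_D) == forged,
        forged_differs=forged != s,
        pof_ok=pof_verify(m, s, gamma_hat, y_S, y_C, y_D),
        dealer_secret_recovered=fss_verify_proof(pi, y_D) and pi == x_D,
        honest_denied=pof_verify(m, s, gamma, y_S, y_C, y_D),      # False: Enc is deterministic
        honest_denied_p=pof_verify(m, s, gamma_p, y_S, y_C, y_D, enc=enc_rand, r=r_hat),
        r_collision=r == r_hat,             # honest_denied_p is True exactly when this is False
    )
```

Running demo() needs Python 3.8 or later (modular inverses via pow). The returned booleans map one to one onto the claims in the lead-in. forged_differs is False with probability 1/Q, the fail-stop failure probability of this toy, and in that single case neither the step-4 check nor the dealer-secret recovery can succeed; honest_denied is always False, while honest_denied_p is True whenever the verifier's pad differs from the signer's, which is the 3.1 objection to a probabilistic Enc in concrete form.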
[Co-author note in the draft, on the passage that follows, through the list below: I cannot understand the following. What are you trying to say? If we use a probabilistic algorithm, then the signer can deny his signature? Can you write this clearly? If something else, what?]

In contrast to the construction in [2], we do not require an encryption scheme that is secure against adaptive chosen-ciphertext attacks, which would require a probabilistic public-key encryption scheme (for instance [6]). If a probabilistic public-key encryption scheme is used, the signer can always deny his own signature, as follows. First, the signer produces:

1. $s := Sig(m, x_S, y_S)$;
2. $\gamma := EncP(s, y_C, r)$, where $EncP$ denotes the probabilistic encryption scheme and $r$ is randomly selected;
3. and publishes $\gamma$ as the FSCS on $m$.

Then the signer can deny his own signature $\gamma$ simply by publishing $s$. The verifier, who does not know $r$, selects some other $\hat r$ (which with overwhelming probability differs from $r$) and checks the proof of forgery by testing

- $Ver(m, s, y_S) = 1$, and
- $\tilde\gamma := EncP(s, y_C, \hat r)$ and $\tilde\gamma \neq \gamma$.

Both tests succeed, since encrypting under $\hat r \neq r$ yields a ciphertext different from $\gamma$, and so the signer's own valid signature is accepted as a forgery.

However, we note that with a probabilistic encryption scheme the unbounded enemy will always be able to compromise the secret key of the confirmer. [Co-author note in the draft: How? What does it have to do with a probabilistic algorithm? The enemy can always find the confirmer's key, as you said in Section 4. Do you need this?] In fact, this is the strongest attack on an FSCS, as mentioned in Section 2, and even when it is performed, the signer is still protected information-theoretically against the unbounded forger.

Theorem 1. The above construction satisfies the security requirements of Section 2.

Proof (sketch).

- Security for the Sender: the signature on $m$, $s := Sig(m, x_S, y_S)$, is produced by an FSS that is secure against adaptive chosen-message attack with $\sigma$ as the signer's security level. In the case of a dispute, the proof of forgery $PoF$ can always be generated with overwhelming probability. The output of the selective conversion algorithm $CConv()$ is an FSS signature with the same properties as the original.
- Security for the Receiver: in the above construction, with overwhelming probability the sender cannot deny his signature and an honest confirmer cannot falsely confirm a signature. The security level of the system for the receiver is $k$ against the sender and $\ell$ against the confirmer. Since the signer is computationally bounded, he cannot find another secret key matching his public key and use it to create a signature that could serve as a proof of forgery (hence denying his own signature).
  In fact the chance of finding such a key is at most $k^{-c}$, where $k$ is as defined above and $c > 0$.

4 Security Problems in FSCS

The enemy in an FSCS is unbounded and can solve the underlying hard problem(s) of the system. Hence he can always create a signature that will be confirmed. On the other hand, this signature can be shown to be a forgery with very high probability. This means that the confirmer's role is strictly limited to making the signature non-transferable and has no significance from the security point of view.

Moreover, an unlimited enemy can find the secret key of the confirmer and fully impersonate him: not only generate false signatures, but also run a false verification protocol with the recipient of a signature generated by the sender and reject it. That is, correctly generated signatures may be rejected.

Both of the above security flaws exist in the scheme proposed in [15]. It seems that there is no easy way of correcting these problems, as they are a direct result of assuming an enemy with unlimited computational power.

5 Conclusion

In this paper we defined a model for fail-stop confirmer signature (FSCS) schemes and proposed a generic construction for FSCS schemes using a combination of fail-stop signature schemes and encryption schemes. However, as discussed above, the resulting system has security flaws that are not easily correctable. These flaws also exist in the construction proposed in [15], and so modelling and constructing a secure FSCS remains an interesting open problem.

References

1. N. Barić and B. Pfitzmann. Collision-free accumulators and fail-stop signature schemes without trees. Advances in Cryptology - Eurocrypt '97, Lecture Notes in Computer Science 1233, pages 480-494, 1997.
2. J. Camenisch and M. Michels. Confirmer signature schemes secure against adaptive adversaries. Advances in Cryptology - Eurocrypt 2000, Lecture Notes in Computer Science 1807, 2000.
3. D. Chaum. Designated confirmer signatures. Advances in Cryptology - Eurocrypt '94, Lecture Notes in Computer Science 950, pages 86-91, 1994.
4. D. Chaum and H. van Antwerpen. Undeniable signatures. Advances in Cryptology - Crypto '89, Lecture Notes in Computer Science 435, pages 212-216, 1990.
5. D. Chaum, E. van Heijst, and B. Pfitzmann. Cryptographically strong undeniable signatures, unconditionally secure for the signer. Interner Bericht, Fakultät für Informatik, 1/91, 1990.
6. R. Cramer and V. Shoup. A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. Advances in Cryptology - Crypto '98, Lecture Notes in Computer Science 1462, pages 13-25, 1998.
7. I. B. Damgård. Efficient concurrent zero-knowledge in the auxiliary string model. Advances in Cryptology - Eurocrypt 2000, Lecture Notes in Computer Science 1807, 2000.
8. W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644-654, 1976.
9. A. Fujioka, T. Okamoto, and K. Ohta. Interactive bi-proof systems and undeniable signature schemes. Advances in Cryptology - Eurocrypt '91, Lecture Notes in Computer Science 547, pages 243-256, 1992.
10. S. Goldwasser, S. Micali, and C. Rackoff. The knowledge complexity of interactive proof systems. SIAM Journal on Computing, 18(1):186-208, 1989.
11. S. Goldwasser, S. Micali, and R. L. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281-308, 1988.
12. S. Goldwasser, S. Micali, and R. L. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281-308, 1988.
13. L. Lamport. Constructing digital signatures from a one-way function. Technical Report CSL-98, SRI International, 1979.
14. M. Michels and M. Stadler. Generic constructions for secure and efficient confirmer signature schemes. Advances in Cryptology - Eurocrypt '98, Lecture Notes in Computer Science 1403, pages 406-421, 1998.
15. Y. Mu and V. Varadharajan. Fail-stop confirmer signatures. Information Security and Privacy, ACISP 2000, Lecture Notes in Computer Science 1841, pages 368-377, 2000.
16. T. Okamoto. Designated confirmer signatures and public-key encryption are equivalent. Advances in Cryptology - Crypto '94, Lecture Notes in Computer Science 839, pages 61-74, 1994.
17. T. P. Pedersen and B. Pfitzmann. Fail-stop signatures. SIAM Journal on Computing, 26(2):291-330, 1997.
18. B. Pfitzmann. Fail-stop signatures: principles and applications. Proc. Compsec '91, 8th World Conference on Computer Security, Audit and Control, pages 125-134, 1991.
19. B. Pfitzmann. Digital Signature Schemes: General Framework and Fail-Stop Signatures. Lecture Notes in Computer Science 1100, Springer-Verlag, 1996.
20. R. Safavi-Naini and W. Susilo. A general construction for fail-stop signatures using authentication codes. Proceedings of the Workshop on Cryptography and Combinatorial Number Theory (CCNT '99), Birkhäuser, pages 343-356, 2001.
21. R. Safavi-Naini, W. Susilo, and H. Wang. Fail-stop signatures for long messages. The First International Conference on Cryptology in India, Indocrypt 2000, Lecture Notes in Computer Science 1977, pages 165-177, 2000.
22. W. Susilo, R. Safavi-Naini, M. Gysin, and J. Seberry. A new and efficient fail-stop signature scheme. The Computer Journal, 43(5):430-437, 2000.
23. E. van Heijst and T. P. Pedersen. How to make efficient fail-stop signatures. Advances in Cryptology - Eurocrypt '92, pages 337-346, 1992.
24. E. van Heijst, T. P. Pedersen, and B. Pfitzmann. New constructions of fail-stop signatures and lower bounds. Advances in Cryptology - Crypto '92, Lecture Notes in Computer Science 740, pages 15-30, 1993.
25. M. Waidner and B. Pfitzmann. The dining cryptographers in the disco: unconditional sender and recipient untraceability with computationally secure serviceability. Advances in Cryptology - Eurocrypt '89, Lecture Notes in Computer Science 434, 1990.