Secret Signatures: How to Achieve Business Privacy Efficiently

1
Secret Signatures How to Achieve Business
Privacy Efficiently?
WISA2007

• 2007. 8. 27

Byoungcheon Lee1, Kim-Kwang Raymond Choo2,
Jeongmo Yang1, Seungjae Yoo1
1 Joongbu University, Korea 2 Australian
Institute of Criminology, Australia
2
Outline

• Introduction
• Definition
• DL-based Implementation of Secret Signature
• Proving the Validity of Secret Signature
• Comparison of Features
• Comparison of Efficiency
• Applications
• Conclusion

3
Signature Privacy

• Signature Privacy
• General digital signature is publicly verifiable
  no privacy
• Signer and receiver may wish to keep their
  signature private
• Public provability of signature
• Can prove the validity of signature to public
• If signature privacy is provided, public
  provability becomes a basic security requirement
  to achieve the fairness of business

4
How to Achieve Signature Privacy?

• Sign-then-encrypt
• Encrypt signers signature using receivers
  public key
• Signcryption (Zheng, 1997)
• More efficient implementation of
  sign-then-encrypt
• Special signature schemes limiting the
  verifiability of signature
• Designated-verifier signature (DVS)
• Limited-verifier signature (LVS)
• ? No public provability
• Special signature schemes requiring interaction
  in verification
• Undeniable signature
• Designated confirmer signature
• ? Require interactive protocol in verification
  (not efficient)

5
Secret Signature Scheme (proposed)
Normal Private Business
Secret signature
Given privately only to the receiver
Receiver B
Signer A
Verification using (pkA, skB)
Signing using (pkB, skA)
Dispute case
Public proof
Public proof
Verification using (pkA, pkB)
Public
6
Proposed Secret Signature Scheme

• Secret Signature (SS) provides
• Authentication and non-repudiation
• Signature privacy
• Public Provability
• more efficiently.
• Applications of Secret Signature
• Privacy of signature needs to be maintained
  (normal case)
• Authorship of signature may need to be proven
  publicly later (dispute case)
• Message secrecy is not critical
• Efficiency is required

7
Definition

• Definition 1. Secret signature scheme

1. Setup
2. Key Generation
3. Signing
4. Verification
5. Public Proving
Run by Signer
Run by Receiver
6. Public Verification
8
Security Definition

• Correctness
• Secret signatures generated following the
  protocol are verified to be valid
• Unforgeability
• Anyone except the signer cannot have a
  non-negligible advantage in forging a secret
  signature
• Non-repudiation
• A signer cannot repudiate signature generation
• Signature privacy
• No other entity except the signer and the
  receiver has a non-negligible advantage in
  distinguishing the secret signature
• Public provability of signature
• If the need arises, the validity of secret
  signature can be proven to public both by the
  signer or the receiver

9
Game Unforgeability

• Existential unforgeability under the adaptive
  chosen-message chosen-receiver attack
  (EF-ACMCRA). Assume the existence of a forger F.
• Initialization key generation and signers
  public key pkS is given to F
• Training F is allowed to ask a series of
  SS.Sign() queries for any combination of message
  m and receivers public key chosen by F.
• Output F outputs a forged secret signature

10
Unforgeability

• Definition 2. Unforgeability
• A secret signature scheme is said to be secure
  in the sense of existential unforgeability under
  the adaptive chosen-message chosen-receiver
  attack, if no PPT forger F can have a
  non-negligible advantage in Game Unforgeability

11
Game Invisibility (for Signature Privacy)

• Assume the existence of a distinguisher D.
• Initialization key generation
• At some point D outputs a message m and requests
  a challenge secret signature V. A challenger C
  computes V based on a hidden coin toss b
• If b1, V is generated by SS.Sign()
• If b0, V is chosen randomly in the signature
  space.
• Output D outputs a guess bit b.
• D wins the game, if bb.

12
Invisibility

• Definition 3. Invisibility
• A secret signature scheme is said to provide
  invisibility, if no PPT distinguisher D can have
  a non-negligible advantage in Game Invisibility.
  

13
General Implementation Idea of SS

• Secret signature is a combination of
• 1. Secure signature scheme
• 2. Non-Interactive one-way key agreement
• Signer signs message and agreed key together
• Because of the agreed key, any other entity
  except the signer and the receiver cannot say
  anything about the secret signature

14
DL-based Implementation of SS
1. System Setup
2. Key generation
Signer A
Receiver B
3. Signing
4. Verification
5. Public proving (1) Message proving Expose
W (2) Receiver proving Prove the validity of W
(1) Message proving (2) Receiver proving
Verify the validity of W
6. Public verification
15
Security of the Proposed SS Scheme

• Theorem 1. The proposed SS scheme is EF-ACMCRA
  secure in the random oracle model, if discrete
  logarithm (DL) problem is intractable.
• Theorem 2. The proposed SS scheme provides
  signature privacy (invisibility) in the random
  oracle model, if decisional Diffie-Hellman (DDH)
  problem is intractable.

16
Proving the Validity of Secret Signature
Who is proving the validity? General proof
identity is revealed (distinguishable proof)
Anonymous proof identity is not revealed
(indistinguishable proof) Relation between
17
Proving the Validity of Secret Signature
General Proof
Signer proves
Distinguishable
Receiver proves
Anonymous Proof Both signer and receiver prove
Indistinguishable
18
Comparison of Features 1/2
Secret signature is different from previous works
which provide signature privacy

• Sign-then-encrypt
• Require encryption/decryption for signature
  privacy
• Once decrypted, obtain publicly verifiable
  signature with no specific receiver
• Undeniable signature, designated confirmer
  signature
• Requires interactive protocol in verification
  stage
• Nominative signature
• Requires interactive protocol in signing stage

19
Comparison of Features 2/2

• Designated verifier signature
• The designated verifier cannot prove the validity
  of signature to others (no public provability)
• Limited verifier signature
• Signature proof is not transferable to third
  party
• Convertible limited verifier signature
• Converted signature is not related with the
  receiver any more
• Anonymous signature
• Signer anonymity, No intended receiver
• Signcryption
• Provide confidentiality with encryption

20
Comparison of Efficiency
Signcryption vs. Secret signature
21
Applications

• Secret signature is useful in many applications
  where
• Signature privacy needs to be maintained
• The authorship of signature can be publicly
  proven later
• Message confidentiality is not required
• Efficiency is critical

22
Applications - Private Business Transaction
(1) Contract signing using secret signature
Receiver B
Signer A
(2) Public proof when any argument occurs
23
Applications Public Auction
Auctioneer A
(1) Anonymous bidding using secret signature
(2) Winner announcement - Prove the correctness
of secret signature of winner
(3) Public verification of auction result
Bidder Bi
Any misbehavior of A or Bi can be proven publicly
24
Applications - Paper Submission System

• Paper submission should be Authentic, but
  Anonymous.
• Any argument at a later stage should be proven
  publicly.

• Double submission and repudiation is not
  possible
• - Paper submission is bound to a specific
  conference
• - Yang et als anonymous signature cannot
  satisfy this property

25
Conclusion

• ISSUE
• Signature privacy
• Public provability of signature
• Proposed a new special signature scheme (Secret
  signature) which has
• Authentication and non-repudiation
• Signature privacy
• Public provability of signature
• Advantages
• Efficient cryptographic primitive to achieve
  signature privacy
• It is a very general approach Can be implemented
  in most public key cryptosystems
• Further works
• Combined use of secret signature with other
  primitives