Relaxed Security Notions for Signatures of Knowledge
We revisit the definition of signatures of knowledge by Chase and Lysyanskaya (Crypto 2006), which correspond to regular signatures but where every signature also proves that the signer knows the secret key corresponding to the public key. From a more abstract point of view, the signer holds a secret witness w to a public NP statement x, and any signature on a message allows one to extract w given some auxiliary trapdoor information. Besides extractability, Chase and Lysyanskaya also demand a strong witness-hiding property, called simulatability, akin to the zero-knowledge property of non-interactive proofs. They also show that this property ensures anonymity, for example for delegatable credentials or for ring signatures.
In this work we discuss relaxed notions of simulatability and when they suffice for applications. In one notion we forgo any explicit witness-hiding requirement beyond the weak requirement that signatures should not help to produce further signatures, analogously to the unforgeability of regular signature schemes. This notion suffices, for example, for devising regular signature schemes with an additional proof-of-possession (POP) or knowledge-of-secret-key (KOSK) property. Our stronger notion resembles the witness-indistinguishability notion for proofs of knowledge and can be used to build anonymous ring signatures. Besides the formal definitions, we relate all notions and discuss constructions and the aforementioned applications.
Keywords: Signature of Knowledge, Anonymity, Credential, Ring Signature
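To make the two properties of the first paragraph concrete, here is an added example that is not from the paper: a toy Schnorr-style signature of knowledge of a discrete logarithm in the random-oracle model, in which programming the oracle plays the role of the auxiliary trapdoor, so a simulator can sign without the witness and an extractor recovers the witness from a rewound signer. The group parameters, messages and helper names (`Oracle`, `simulate`, `extract`) are constructed for this illustration, and extraction uses classical rewinding with a forked challenge rather than the paper's own definitions.

```python
import hashlib
import secrets

# Constructed, insecure toy group: p = 1019 is a safe prime and g = 4
# generates its subgroup of prime order q = 509.
P, Q, G = 1019, 509, 4

class Oracle:
    """Random oracle H(y, t, m) -> Z_q; programming it is the 'trapdoor'."""
    def __init__(self):
        self.programmed = {}

    def challenge(self, y, t, message):
        key = (y, t, message)
        if key in self.programmed:
            return self.programmed[key]
        digest = hashlib.sha256(repr(key).encode()).digest()
        return int.from_bytes(digest, "big") % Q

def keygen(w=None):
    """Witness w (secret key) for the statement y = g^w (public key)."""
    w = secrets.randbelow(Q - 1) + 1 if w is None else w
    return w, pow(G, w, P)

def sign(oracle, w, y, message, r=None):
    """SoK of w with y = g^w: t = g^r, c = H(y, t, m), s = r + c*w."""
    r = secrets.randbelow(Q - 1) + 1 if r is None else r
    t = pow(G, r, P)
    return t, (r + oracle.challenge(y, t, message) * w) % Q

def verify(oracle, y, message, signature):
    t, s = signature
    c = oracle.challenge(y, t, message)
    return pow(G, s, P) == t * pow(y, c, P) % P            # g^s == t * y^c

def simulate(oracle, y, message):
    """Simulatability: valid signature without w, by programming H(y, t, m) = c."""
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    t = pow(G, s, P) * pow(y, -c, P) % P                    # t = g^s / y^c
    oracle.programmed[(y, t, message)] = c
    return t, s

def extract(oracle, y, message, run_signer):
    """Extractability: rewind the signer (same coins, same t), fork the challenge."""
    t, s1 = run_signer(oracle)
    c1 = oracle.challenge(y, t, message)
    oracle.programmed[(y, t, message)] = c2 = (c1 + 1) % Q  # forked answer
    _, s2 = run_signer(oracle)                               # same r, new c
    return (s1 - s2) * pow(c1 - c2, -1, Q) % Q               # (c1-c2)*w / (c1-c2)
```

Rewinding the signer so that it reuses its coins is the extractor's privilege in the proof; a real signer that reuses r across two messages leaks w by exactly the same algebra, which is why nonce handling is security critical in Schnorr-style schemes.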