Relaxed Security Notions for Signatures of Knowledge

  • Marc Fischlin
  • Cristina Onete
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6715)


We revisit the definition of signatures of knowledge by Chase and Lysyanskaya (Crypto 2006), which correspond to regular signatures but where the signer also proves, through any signature, knowledge of the secret key belonging to the public key. From a more abstract point of view, the signer holds a secret witness w to a public NP statement x, and any signature on a message allows one to extract w given some auxiliary trapdoor information. Besides extractability, Chase and Lysyanskaya also demand a strong witness-hiding property, called simulatability, akin to the zero-knowledge property of non-interactive proofs. They also show that this property ensures anonymity, for example for delegatable credentials or for ring signatures.

In this work we discuss relaxed notions of simulatability and when they are sufficient for applications. Namely, in one notion we forgo any explicit witness-hiding requirement beyond the weak demand that signatures should not help to produce further signatures, analogously to unforgeability of regular signature schemes. This notion suffices, for example, for devising regular signature schemes with an additional proof-of-possession (POP) or knowledge-of-secret-key (KOSK) property. Our stronger notion resembles the witness-indistinguishability notion of proofs of knowledge and can be used to build anonymous ring signatures. Besides formal definitions we relate all notions and discuss constructions and the aforementioned applications.
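The two properties the abstract names, extractability of the witness w and the POP/KOSK use of a signature, can be seen concretely on the textbook Schnorr-style signature of knowledge SoK{(w): x = g^w}(m). The following Python block is an added illustration written for this page; it is not code from the paper and does not implement the paper's constructions. It uses the classic Fiat-Shamir approach in which the "auxiliary information" for extraction is a second accepting transcript with the same commitment (special soundness), which is a simplification of the trapdoor-based extractability the abstract refers to. The group parameters, message strings and nonce values are constructed for the example and are far too small for real use.

```python
"""Toy signature of knowledge SoK{(w): x = g^w mod p}(m), Schnorr/Fiat-Shamir
style, with a knowledge extractor and a proof-of-possession check.
Constructed illustration only: tiny group, single-statement challenge hash."""
import hashlib
import secrets

# Constructed toy parameters: p = 2q + 1 with q prime, g = 4 has order q in Z_p^*.
P = 2039
Q = 1019
G = 4


def keygen():
    """Secret witness w (signing key) and public statement x = g^w (public key)."""
    w = secrets.randbelow(Q - 1) + 1
    return w, pow(G, w, P)


def challenge(x, commitment, message):
    """Fiat-Shamir challenge c = H(x, R, m) mod q; binds the proof to the message."""
    data = f"{x}|{commitment}|{message}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def sign(w, x, message, nonce=None):
    """Signature (R, s) on message: a proof of knowledge of w with x = g^w.
    The nonce parameter exists only so the extractor can be demonstrated."""
    r = nonce if nonce is not None else secrets.randbelow(Q - 1) + 1
    R = pow(G, r, P)
    c = challenge(x, R, message)
    s = (r + c * w) % Q
    return R, s


def verify(x, message, sig):
    """Accept iff g^s == R * x^c, with c recomputed from (x, R, message)."""
    R, s = sig
    c = challenge(x, R, message)
    return pow(G, s, P) == (R * pow(x, c, P)) % P


def extract(x, m1, sig1, m2, sig2):
    """Knowledge extractor (special soundness): two accepting signatures that
    share the commitment R but have different challenges give
    w = (s1 - s2) / (c1 - c2) mod q.  Returns None if the pair is unusable."""
    R1, s1 = sig1
    R2, s2 = sig2
    if R1 != R2 or not (verify(x, m1, sig1) and verify(x, m2, sig2)):
        return None
    c1 = challenge(x, R1, m1)
    c2 = challenge(x, R2, m2)
    if c1 == c2:
        return None
    return ((s1 - s2) * pow(c1 - c2, -1, Q)) % Q


def proof_of_possession(w, x):
    """KOSK/POP registration value: a SoK on a fixed context tied to the key.
    Context string is a constructed choice for this example."""
    return sign(w, x, f"key-registration:{x}")


def accept_registration(x, pop):
    """A registrar accepts the public key x only with a valid POP, so every
    registered key has a known secret key (the KOSK property)."""
    return verify(x, f"key-registration:{x}", pop)


if __name__ == "__main__":
    w, x = keygen()
    print("registration accepted:", accept_registration(x, proof_of_possession(w, x)))
    # Nonce reuse hands the extractor its two transcripts: the witness leaks.
    s1 = sign(w, x, "alpha", nonce=17)
    s2 = sign(w, x, "beta", nonce=17)
    print("extracted witness matches:", extract(x, "alpha", s1, "beta", s2) == w)
```

The extractor doubles as the reason a real signer must never reuse a nonce: what makes the signature a proof of knowledge (two transcripts with one commitment pin down w) is exactly what turns a repeated nonce into a key disclosure, so implementations use fresh or deterministically derived per-message nonces.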


Keywords: Signature of Knowledge, Anonymity, Credential, Ring Signature




References

  1. Adams, C., Farrell, S.: Internet X.509 public key infrastructure certificate. RFC 2510 (March 2009)
  2. Bellare, M., Goldreich, O.: On defining proofs of knowledge. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 390–420. Springer, Heidelberg (1993)
  3. Bender, A., Katz, J., Morselli, R.: Ring signatures: Stronger definitions, and constructions without random oracles. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 60–79. Springer, Heidelberg (2006)
  4. Blum, M., Feldman, P., Micali, S.: Non-interactive zero-knowledge and its applications (extended abstract). In: Proceedings of the Annual Symposium on the Theory of Computing (STOC), pp. 103–112. ACM Press, New York (1988)
  5. Boldyreva, A.: Threshold signatures, multisignatures and blind signatures based on the Gap-Diffie-Hellman-group signature scheme. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 31–46. Springer, Heidelberg (2002)
  6. Bresson, E., Stern, J.: Efficient revocation in group signatures. In: Kim, K.-c. (ed.) PKC 2001. LNCS, vol. 1992, pp. 190–206. Springer, Heidelberg (2001)
  7. Camenisch, J.: Efficient and generalized group signatures. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 465–479. Springer, Heidelberg (1997)
  8. Camenisch, J., Stadler, M.: Efficient group signature schemes for large groups (extended abstract). In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 410–424. Springer, Heidelberg (1997)
  9. Canetti, R.: Security and composition of multi-party cryptographic protocols. Journal of Cryptology 13, 143–202 (2000)
  10. Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: Proceedings of the Annual Symposium on Foundations of Computer Science (FOCS), pp. 136–145. IEEE Computer Society Press, Los Alamitos (2001)
  11. Canetti, R.: Universally composable security: A new paradigm for cryptographic protocols. Cryptology ePrint Archive, Report 2000/067 (2005)
  12. Chase, M., Lysyanskaya, A.: On signatures of knowledge. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 78–96. Springer, Heidelberg (2006)
  13. Dwork, C., Naor, M.: Zaps and their applications. SIAM J. Comput. 36(6), 1513–1543 (2007)
  14. Feige, U., Shamir, A.: Witness indistinguishable and witness hiding protocols. In: Proceedings of the Annual Symposium on the Theory of Computing, STOC (1990)
  15. Guang Zou, X., Sun, S.-H.: Analysis of anonymity on the signatures of knowledge. In: IIH-MSP, pp. 621–624. IEEE Computer Society, Los Alamitos (2006)
  16. Katz, J.: Digital Signatures. Springer, Heidelberg (2010)
  17. Lu, S., Ostrovsky, R., Sahai, A., Shacham, H., Waters, B.: Sequential aggregate signatures and multisignatures without random oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 465–485. Springer, Heidelberg (2006)
  18. Mykletun, E., Narasimha, M., Tsudik, G.: Signature bouquets: Immutability for aggregated/condensed signatures. In: Samarati, P., Ryan, P.Y.A., Gollmann, D., Molva, R. (eds.) ESORICS 2004. LNCS, vol. 3193, pp. 160–176. Springer, Heidelberg (2004)
  19. Prafullchandra, H., Schaad, J.: Diffie-Hellman proof-of-possession algorithms. RFC 2875 (July 2000)
  20. Ristenpart, T., Yilek, S.: The power of proofs-of-possession: Securing multiparty signatures against rogue-key attacks. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 228–245. Springer, Heidelberg (2007)
  21. Rivest, R.L., Shamir, A., Tauman, Y.: How to leak a secret. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 552–565. Springer, Heidelberg (2001)
  22. Shahandashti, S.F., Safavi-Naini, R.: Construction of universal designated-verifier signatures and identity-based signatures from standard signatures. In: Cramer, R. (ed.) PKC 2008. LNCS, vol. 4939, pp. 121–140. Springer, Heidelberg (2008)
  23. Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005)

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Marc Fischlin, Darmstadt University of Technology & CASED, Germany
  • Cristina Onete, Darmstadt University of Technology & CASED, Germany