<p dir="ltr">Digital signatures serve as a fundamental element of security and trust within the field of cryptography, offering the critical properties of authenticity, integrity and non-repudiation. These properties play a pivotal role across a diverse range of applications, including secure communication, financial transactions and the validation of digital documents. Unlike traditional signatures, which are merely digitised representations of handwritten signatures, digital signature schemes rely on the use of a cryptographic key pair: a private (or secret) key and a corresponding public key. The signer utilises the secret key to generate a digital signature for a given message and subsequently publishes the signature. This approach enables anyone in possession of the corresponding public key to verify the signature’s validity. Such verification ensures that the process remains not only secure and accurate but also accessible to the public.</p><p dir="ltr">Despite the considerable benefits associated with traditional digital signature schemes, they possess a significant drawback: their inherent immutability. Once a digital signature has been created and published, it cannot be retracted or invalidated by the signer, as it remains permanently valid and irrevocable. This limitation presents substantial challenges in dynamic and decentralised contexts such as electronic voting systems, blockchain-based smart contracts and escrow services, where the capability to withdraw or modify prior consents is essential.</p><p dir="ltr">To address this fundamental limitation, the thesis seeks to introduce the concept of the <i>withdrawable signature</i>. This novel variant of digital signature is designed to allow signers to securely and efficiently retract previously issued signatures under specific conditions, thereby offering a more adaptable and practical framework for digital signatures in dynamic environments. 
It is anticipated that this innovative approach will substantially improve both the flexibility and security of digital transactions and communications.</p><p dir="ltr">This thesis presents and examines the concept of the withdrawable signature, a cryptographic primitive that empowers signers to retract their signatures while maintaining the confidentiality of their secret keys and safeguarding the security of other signatures.</p><p dir="ltr">• In Chapter 3, we lay the foundation of the withdrawable signature. The core idea of constructing a withdrawable signature scheme is proposed in this chapter: in a withdrawable signature scheme, instead of directly publishing a <i>conventional</i> digital signature, a signer first generates an unverifiable (withdrawable) signature under their public key, which only the signer can later convert into a standard, verifiable signature. If the signer intends to withdraw the signature, it simply chooses not to perform this conversion. To achieve this “unverifiability”, we utilise the property of the Designated-Verifier Signature (DVS) in constructing the withdrawable signature, so that the generated signature can be verified only by a specific verifier chosen by the signer. We then present two constructions, one in the pairing-based setting and the other in the Discrete Logarithm (DL) setting, each accompanied by a formal security analysis.</p><p dir="ltr">• In Chapter 4, we address a limitation of the initial withdrawable signature definition given in Chapter 3: the absence of universal verifiability of the generated withdrawable signature. To overcome this, we extend the definition and revise the corresponding security notions, enabling universal verification of withdrawable signatures against the public key set of all potential signers while ensuring that the signer’s public key is included in that set. 
This property of the generated withdrawable signature is then realised through <i>signer-ambiguity</i>: while the withdrawable signature can be verified against a group of possible signers, it does not reveal which individual within the set actually produced it. We propose two types of generic constructions aligned with this extended definition: (i) one from discrete-log-based primitives, including an instantiation using the Schnorr signature, and (ii) another based on hash-then-one-way (Type-H) signatures, acknowledging the practical significance of RSA signatures, with RSA serving as a concrete instantiation. A formal security analysis then shows that our two proposed constructions meet the extended security notions, enhancing the applicability and security of the withdrawable signature in various cryptographic contexts, such as digital transactions and communications.</p><p dir="ltr">• In Chapter 5, we explore the versatility of the withdrawable signature in two settings: outsourcing systems and software ecosystems. In the first part of this chapter, we extend the withdrawable property and refine the definition of the withdrawable signature so that the signer’s identity can be made explicit when generating the withdrawable signature. This is achieved through <i>message-hiding</i>: a withdrawable signature under a given signer’s public key can be verified against several different messages. Unlike the previous approaches, which only maintain <i>signer-ambiguity</i>, in Chapter 3 (between the signer and a chosen verifier) and in Chapter 4 (among a set of potential signers), our refined definition requires that the generated withdrawable signature satisfy either <i>signer-ambiguity</i> or <i>message-hiding</i>. A new construction based on this definition is proposed, along with a security analysis. 
We then demonstrate how the withdrawable signature can enable flexible outsourcing systems that support the cancellation of existing service requests. Additionally, we show how a signer can confirm a service request using a withdrawable signature while simultaneously accepting quotes from specific providers within the outsourcing system. Performance evaluations indicate that our proposed scheme achieves acceptable efficiency and security within these systems.</p><p dir="ltr">In the second part of this chapter, motivated by the need for greater flexibility and security in software ecosystems, we propose the <i>universal withdrawable signature</i>, a variant that adds universality to the withdrawable signature. This variant enables any holder of a withdrawable signature, together with its corresponding secret commitment from the signer, to delegate the signature to another user while retaining the ability to later confirm the signature using the same commitment. This feature supports applications requiring flexible delegation and management of withdrawable signatures. We provide a detailed system model, formal definitions, security notions and a concrete construction based on one of our withdrawable signature schemes from Chapter 3 and the construction with the <i>message-hiding</i> property. We then demonstrate that our proposed scheme is provably secure.</p><p dir="ltr">• In Chapter 6, we aim to further generalise the constructions of the withdrawable signature from the preceding chapters beyond their reliance on pairing-based and RSA-based assumptions. Developing generic constructions for the withdrawable signature that are not restricted to a specific cryptographic primitive enhances their flexibility, broadens their applicability across diverse cryptographic settings and ensures compatibility with various security frameworks. 
This adaptability allows withdrawable signatures to be integrated into a wider range of real-world applications without being constrained by the limitations of a particular underlying assumption. We achieve this by proposing two generic constructions derived from three-move-type (Type-T) signatures and pairing-based signatures. We analyse the security of these constructions and offer concrete instantiations. Notably, our generic construction based on Type-T signatures remains independent of any specific cryptographic primitive, reinforcing its versatility and potential for broader adoption.</p><p dir="ltr">This thesis contributes to the advancement of digital signature technology by presenting the withdrawable signature and its variants, conducting comprehensive security analyses and illustrating their practical applications in enhancing both flexibility and security within digital transactions and communication contexts.</p>
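<p dir="ltr">To make the Chapter 3 idea concrete, the following is an added toy illustration written for this page; it is not code from the thesis and is not its pairing-based or DL construction. The withdrawable form is a MAC under a static Diffie–Hellman key shared with the designated verifier, computed over a commitment to a real Schnorr signature; converting means the signer releases the commitment opening, and withdrawing means never releasing it, so the secret key is not exposed in either case. The 64-bit group, the hash-to-scalar encoding, and the commitment/MAC layout are assumptions made for illustration only, and the sample message is constructed.</p>

```python
"""Toy model of the Chapter 3 idea: a withdrawable signature is a
designated-verifier form that only the signer can later convert into an
ordinary, publicly verifiable signature; withdrawing means never converting.
Added illustration, not the thesis's construction. Standard library only,
toy-sized 64-bit group: nothing here is production-grade."""
import hashlib
import hmac
import secrets

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # deterministic below 3.3e24

def is_prime(n: int) -> bool:
    if n < 2 or any(n % b == 0 for b in _MR_BASES):
        return n in _MR_BASES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _MR_BASES:  # Miller-Rabin rounds
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def toy_group() -> tuple:
    """Deterministic 64-bit safe prime p = 2q + 1; g = 4 generates the order-q subgroup."""
    q = (1 << 63) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

def keygen(grp) -> tuple:
    p, q, g = grp
    sk = secrets.randbelow(q - 1) + 1
    return sk, pow(g, sk, p)

def _hash_to_scalar(q: int, *parts) -> int:
    h = hashlib.sha256()
    for part in parts:
        b = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(b).to_bytes(4, "big") + b)  # length-prefixed to avoid ambiguity
    return int.from_bytes(h.digest(), "big") % q

def schnorr_sign(grp, sk: int, msg: bytes) -> tuple:
    p, q, g = grp
    k = secrets.randbelow(q - 1) + 1
    R = pow(g, k, p)
    return R, (k + _hash_to_scalar(q, R, pow(g, sk, p), msg) * sk) % q

def schnorr_verify(grp, pk: int, msg: bytes, sig) -> bool:
    p, q, g = grp
    R, s = sig
    return pow(g, s, p) == R * pow(pk, _hash_to_scalar(q, R, pk, msg), p) % p

def _dv_key(grp, my_sk: int, their_pk: int) -> bytes:
    """Static DH secret: derivable only by the signer and the designated verifier."""
    return hashlib.sha256(str(pow(their_pk, my_sk, grp[0])).encode()).digest()

def _commit(sig, nonce: bytes) -> bytes:
    return hashlib.sha256(f"{sig[0]}:{sig[1]}".encode() + nonce).digest()

def withdrawable_sign(grp, signer_sk: int, verifier_pk: int, msg: bytes) -> tuple:
    """Publish (commitment to a real Schnorr signature, MAC under the DH key).
    The verifier could have produced the MAC too, so it convinces nobody else;
    the opening stays with the signer until, and unless, they convert."""
    sigma = schnorr_sign(grp, signer_sk, msg)
    nonce = secrets.token_bytes(16)
    c = _commit(sigma, nonce)
    tag = hmac.new(_dv_key(grp, signer_sk, verifier_pk), msg + c, hashlib.sha256).digest()
    return (c, tag), (sigma, nonce)

def designated_verify(grp, verifier_sk: int, signer_pk: int, msg: bytes, w_sig) -> bool:
    c, tag = w_sig
    want = hmac.new(_dv_key(grp, verifier_sk, signer_pk), msg + c, hashlib.sha256).digest()
    return hmac.compare_digest(tag, want)

def public_verify(grp, signer_pk: int, msg: bytes, w_sig, opening) -> bool:
    """Conversion = the signer releasing `opening`; withdrawal = never doing so.
    Anyone with the public key checks that the opening matches the published
    commitment and that the revealed Schnorr signature is valid."""
    c, _tag = w_sig
    sigma, nonce = opening
    return _commit(sigma, nonce) == c and schnorr_verify(grp, signer_pk, msg, sigma)

def demo() -> dict:
    grp = toy_group()
    signer_sk, signer_pk = keygen(grp)
    verifier_sk, verifier_pk = keygen(grp)
    outsider_sk, _ = keygen(grp)
    msg = b"constructed sample: I consent to escrow release #42"  # constructed input
    w_sig, opening = withdrawable_sign(grp, signer_sk, verifier_pk, msg)
    foreign = (schnorr_sign(grp, signer_sk, msg), secrets.token_bytes(16))  # unrelated opening
    return {
        "designated_verifier_accepts": designated_verify(grp, verifier_sk, signer_pk, msg, w_sig),
        "outsider_cannot_check": not designated_verify(grp, outsider_sk, signer_pk, msg, w_sig),
        "converted_verifies_publicly": public_verify(grp, signer_pk, msg, w_sig, opening),
        "foreign_opening_rejected": not public_verify(grp, signer_pk, msg, w_sig, foreign),
    }
```

<p dir="ltr">Running <code>demo()</code> shows the four properties the chapter summary relies on: the designated verifier accepts the withdrawable signature, a third party holding only public keys cannot check it, a released opening turns it into a publicly verifiable signature, and an opening that does not match the published commitment is rejected, so a conversion cannot be swapped in after the fact.</p>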
History
Year
2025
Thesis type
Doctoral thesis
Faculty/School
School of Computing and Information Technology
Language
English
Disclaimer
Unless otherwise indicated, the views expressed in this thesis are those of the author and do not necessarily represent the views of the University of Wollongong.