On the invisibility of designated confirmer signatures
As an important cryptographic primitive, designated con- rmer signatures are introduced to control the public veria- bility of signatures. That is, only the signer or a semi-trusted party, called designated conrmer, can interactively assist a verier to check the validity of a designated conrmer sig- nature. The central security property of a designated con- rmer signature scheme is called invisibility, which requires that even an adaptive adversary cannot determine the valid- ity of an alleged signature without direct cooperation from either the signer or the designated conrmer. However, in the literature researchers have proposed two other related properties, called impersonation and transcript simulatabil- ity, though the relations between them are not clear. In this paper, we rst explore the relations among these three invisi- bility related concepts and conclude that invisibility, imper- sonation and transcript simulatability forms an increasing stronger order. After that, we turn to study the invisibil- ity of two designated conrmer signature schemes recently presented by Zhang et al. and Wei et al. By demonstrating concrete and eective attacks, we show that both of those two scheme fail to meet invisibility, the central security prop- erty of designated conrmer signatures.