A new construction of designated confirmer signature and its application to optimistic fair exchange



Publication Details

Huang, Q., Wong, D. S. & Susilo, W. (2010). A new construction of designated confirmer signature and its application to optimistic fair exchange. In The 4th International Conference on Pairing-Based Cryptography (Pairing 2010), 13-15 Dec 2010, Yamanaka Hot Spring, Japan. Lecture Notes in Computer Science, 6487 41-61.


Designated confirmer signature (DCS) extends undeniable signature so that a party called confirmer can also confirm/disavow nonself- authenticating signatures on the signer’s behalf. Previous DCS constructions, however, can only let the signer confirm her own signatures but not disavow an invalid one. Only confirmer is able to disavow. In this work, we propose a new suite of security models for DCS by adding the formalization that the signer herself can do both confirmation and disavowal. We also propose a new DCS scheme and prove its security in the standard model. The new DCS scheme is efficient. A signature in this new DCS consists of only three group elements (i.e. 60 bytes altogether for 80-bit security). This is much shorter than any of the existing schemes; it is less than 12% in size of the Camenisch-Michels DCS scheme (Eurocrypt 2000); and it also compares favorably with those proven in the random oracle model, for example, it is less than 50% in size of the Wang et al.’s DCS scheme (PKC 2007). This new DCS scheme also possesses a very efficient signature conversion algorithm. In addition, the scheme can be easily extended to support multiple confirmers (and threshold conversion). To include an additional confirmer, the signer needs to add only one group element into the signature. Due to the highly efficient properties of this new DCS scheme, we are able to build a practical ambiguous optimistic fair exchange (AOFE) scheme which has short partial and full signatures. A partial signature consists of three elements in an elliptic curve group and four in Zp (altogether 140 bytes), and a full signature has only three group elements (altogether 60 bytes), which are about 70% and 21% in size when compared with Garay et al.’s scheme (Crypto 1999), respectively.

Please refer to publisher version or contact your library.



Link to publisher version (DOI)