## Concurrent Signatures (2004)

Venue: | In Adv in Cryptology - Eurocrypt 2004, LNCS 3027 |

Citations: | 17 - 1 self |

### BibTeX

@INPROCEEDINGS{Chen04concurrentsignatures,

author = {Liqun Chen and Caroline Kudla and Kenneth G. Paterson},

title = {Concurrent Signatures},

booktitle = {In Adv in Cryptology - Eurocrypt 2004, LNCS 3027},

year = {2004},

pages = {287--305},

publisher = {Springer}

}

### Years of Citing Articles

### OpenURL

### Abstract

Abstract. We introduce the concept of concurrent signatures. These allow two entities to produce two signatures in such a way that, from the point of view of any third party, both signatures are ambiguous with respect to the identity of the signing party until an extra piece of information (the keystone) is released by one of the parties. Upon release of the keystone, both signatures become binding to their true signers concurrently. Concurrent signatures fall just short of providing a full solution to the problem of fair exchange of signatures, but we discuss some applications in which concurrent signatures suffice. Concurrent signatures are highly efficient and require neither a trusted arbitrator nor a high degree of interaction between parties. We provide a model of security for concurrent signatures, and a concrete scheme which we prove secure in the random oracle model under the discrete logarithm assumption.

### Citations

1766 | How to share a secret
- Shamir
(Show Context)
Citation Context ...σB〉 amount to a simultaneously binding pair of signatures on A and B’s messages. We call these pairs concurrent signatures. We point out that Rivest et al. in their pioneering work on ring signatures =-=[RST01]-=- considered the situation in which an anonymous signer A wants to have the option of later proving his authorship of a ring signature. Their solution was to choose the bits hB pseudo-randomly and late... |

1334 | Random oracles are practical: A paradigm for designing efficient protocols
- Bellare, Rogaway
- 1993
(Show Context)
Citation Context ...eme of Section 4. The proofs of Lemmas 1 and 3 are proved in Appendix A. The proof of Lemma 2 issroutine, and the details are left to the reader. Our proofs of security are in the random oracle model =-=[BR93]-=-. Lemma 1. The concurrent signature scheme of Section 4 is existentially unforgeable under a chosen message attack in the random oracle model, assuming the hardness of the discrete logarithm problem. ... |

833 | A Digital Signature Scheme Secure Against Adaptive Chosen Message Attacks
- Goldwasser, Micali, et al.
- 1988
(Show Context)
Citation Context ...bility of a concurrent signature scheme under a chosen message attack in the multi-party setting. To do this, we extend the definition of existential unforgeability against a chosen message attack of =-=[GMR88]-=- to the multi-party setting. Our extension is similar to that of [B03] and is strong enough to capture an adversary who can simulate and observe concurrent signature protocol runs between any pair of ... |

583 |
Efficient Signature Generation by Smart Cards
- Schnorr
- 1991
(Show Context)
Citation Context ...such schemes and protocols to be secure. Security is defined via the notions of unforgeability, ambiguity and fairness. Because our concrete scheme is ultimately based on the Schnorr signature scheme =-=[S91]-=-, we are able to directly relate its security to the hardness of thesdiscrete logarithm problem in an appropriate group. In doing this, we make use of the forking lemma methodology of [PS96,PS00]; for... |

471 | A randomized protocol for signing contracts - Even, Goldreich, et al. - 1985 |

280 | Security arguments for digital signatures and blind signatures - Pointcheval, Stern |

237 | Aggregate and verifiably encrypted signatures from bilinear maps
- Boneh, Gentry, et al.
- 2003
(Show Context)
Citation Context ...e non-separable ring signature scheme of [AOS02]. This scheme is, in turn, an adaptation of the Schnorr signature scheme. A second concrete scheme can be built from the short ring signature scheme of =-=[BGLS03]-=- using our ideas. An earlier version of our scheme used the designated verifier signatures of [JSI96] instead, however it achieved slightly weaker ambiguity properties than our concrete scheme. We giv... |

209 | Security proofs for signature schemes - Pointcheval, Stern - 1996 |

137 | V.: Practical verifiable encryption and decryption of discrete logarithms - Camenisch, Shoup - 2003 |

135 | Designated verifier proofs and their applications
- Jakobsson, Sako, et al.
- 1996
(Show Context)
Citation Context ...ns. 1.2 Technical Approach We briefly explain how a concurrent signature protocol can be built using the ambiguity property enjoyed by ring signatures [RST01,AOS02] and designated verifier signatures =-=[JSI96]-=-. This introduces the key technical idea of our paper. A two-party ring signature has the property that it could have been produced by either of the two parties. A similar property is shared by design... |

75 | ID-based blind signature and ring signature from pairings - Zhang, Kim |

63 | Abuse-Free Optimistic Contract Signing - Garay, Jakobsson, et al. - 1999 |

51 | 1-out-of-n signatures from a variety of keys
- Abe, Ohkubo, et al.
- 2002
(Show Context)
Citation Context ...sages. We note that any suitably ambiguous signature scheme can be used to produce a concurrent signature protocol. We choose to base our concrete scheme on the non-separable ring signature scheme of =-=[AOS02]-=-. This scheme is, in turn, an adaptation of the Schnorr signature scheme. A second concrete scheme can be built from the short ring signature scheme of [BGLS03] using our ideas. An earlier version of ... |

50 | Multipurpose identity-based signcryption (a Swiss army knife for identity-based cryptography
- Boyen
- 2003
(Show Context)
Citation Context ... the multi-party setting. To do this, we extend the definition of existential unforgeability against a chosen message attack of [GMR88] to the multi-party setting. Our extension is similar to that of =-=[B03]-=- and is strong enough to capture an adversary who can simulate and observe concurrent signature protocol runs between any pair of participants. It is defined using the following game between an advers... |

30 | Breaking and repairing optimistic fair exchange from PODC 2003 - Dodis, Reyzin - 2003 |

27 | Constructing Fair-Exchange Protocols for E-Commerce Via - Park, Chong, et al. |

21 | Timed Fair Exchange of Standard Signatures
- Garay, Pomerance
- 2003
(Show Context)
Citation Context ...e remainder of A’s signature, while it may be infeasible for A to do the same. Even if the fairness of such protocols could be guaranteed, they may still be too interactive for many applications. See =-=[GP03]-=- for further details and references for such protocols. An alternative approach to solving the problem of fair exchange of signatures involves the use of a (semi-trusted) third party or arbitrator T w... |

13 | Timed commitments (extended abstract - Boneh, Naor - 2000 |

12 | Round-optimal and abuse free optimistic multi-party contract signing - Baum-Waidner, Waidner - 2000 |

10 | Threshold ring signatures for ad-hoc groups - Bresson, Stern, et al. - 2002 |

6 | Optimistic fair exchange of signatures - Asokan, Shoup, et al. - 2000 |