Article Open Access

On the Black-Box impossibility of multi-designated verifiers signature schemes from ring signature schemes

  • Kyosuke Yamashita and Keisuke Hara
Published/Copyright: February 14, 2024

Abstract

From the work by Laguillaumie and Vergnaud in ICICS’04, it has been widely believed that multi-designated verifiers signature scheme (MDVS) can be constructed from ring signature schemes in general. However, in this article, somewhat surprisingly, we prove that it is impossible to construct an MDVS scheme from a ring signature scheme in a black-box sense (in the standard model). The impossibility stems from the difference between the definitions of unforgeability of the two schemes. To the best of our knowledge, existing works demonstrating the constructions do not provide formal reductions from an MDVS scheme to a ring signature scheme, and thus, the impossibility has been overlooked for a long time.

MSC 2010: 94A60

1 Introduction

A multi-designated verifiers signature scheme (MDVS) [1] is a special variant of a (standard) digital signature scheme. Its prominent property is the off-the-record (OTR) [2], also known as source hiding, which guarantees that a set of verifiers designated by a signer is able to simulate the signer’s signature. Due to this property, it is useless for non-designated verifiers to verify a signature, as they cannot decide if it is created by a signer or simulated by a set of designated verifiers. As an important application, MDVS is expected to be used in messaging applications [3].

Prior to MDVS, a (single) designated verifier signature scheme (DVS) had been proposed by Lee et al. [4] and Jakobsson et al. [5]. Desmedt asked whether we can construct MDVS at the CRYPTO’03 rump session. Then, Laguillaumie and Vergnaud [1] demonstrated the first construction of an MDVS scheme based on a ring signature scheme under the computational Diffie–Hellman assumption. Since then, several MDVS schemes have been proposed based on ring signature schemes [1,6–8], and it is widely accepted that an MDVS scheme can be constructed from a ring signature scheme in general.

It seems that the proposed construction has been widely trusted because MDVSs have similarities with ring signature schemes. Roughly, a ring signature scheme is an extension of a digital signature scheme, which provides anonymity for signers, meaning that a verifier who receives a ring signature cannot decide which ring member created the signature. In other words, any ring member is able to create a valid ring signature. Therefore, intuitively, if we regard a ring as a set of a signer and designated verifiers, it seems that we can construct an MDVS scheme from a ring signature scheme.

However, to the best of our knowledge, it is still unclear if such a construction is possible, as the existing works do not provide formal discussion on it. That is, they only propose the constructions in natural language and never show formal security proofs by providing a reduction from an MDVS scheme to a ring signature scheme. For instance, the previous work [1], which proposes an MDVS scheme from a ring signature scheme for the first time, only discusses security as follows: “The unforgeability of MDVS is guaranteed by the unforgeability of the underlying ring signature scheme. The source hiding property comes naturally from the source hiding of the ring signature.”

To the best of our knowledge, it is Zhang et al. [8] who formalized the security definitions of MDVSs for the first time (in 2012), although they do not formally demonstrate the reduction from an MDVS scheme to a ring signature scheme. We further mention the recent formalization by Damgård et al. [3], who consider simulation by a subset of designated verifiers and claim that consistency is one of the standard requirements for MDVSs. Since the desirable security requirements for MDVSs are now formalized, we are ready to analyze the reduction formally by following them.

1.1 Our contribution

Somewhat surprisingly, we demonstrate that it is impossible to construct an MDVS scheme from a ring signature scheme in a black-box manner in the standard model (in other words, we prove that there is no generic construction of an MDVS scheme based on a ring signature scheme). This counterintuitive result stems from the difference between the definitions of the unforgeability of MDVSs and ring signature schemes. In particular, a designated verifier in an MDVS scheme can be corrupted in the unforgeability experiment, whereas a ring member in a ring signature scheme cannot be. (For formal definitions, see Section 2.)

While the formal proof is provided in Section 3, we give an overview here. We follow the meta-reduction paradigm [9] to show that MDVS unforgeability cannot be deduced from ring signature unforgeability. If we want to formally show that the MDVS construction is unforgeable, we should demonstrate a reduction algorithm $\mathcal{R}$ that, given a probabilistic polynomial time (PPT) adversary $\mathcal{A}$ against the unforgeability of the MDVS scheme, breaks the unforgeability of the underlying ring signature scheme. That is, $\mathcal{R}$ plays the unforgeability game of the ring signature scheme as an adversary, while simulating the unforgeability game of the MDVS scheme with $\mathcal{A}$. In this reduction, $\mathcal{R}$ must deal with a query made by $\mathcal{A}$ that corrupts a designated verifier in the simulated game. If we regard a ring of the ring signature scheme as a set consisting of a signer and designated verifiers of the MDVS scheme, $\mathcal{R}$ cannot forward the corruption query to the challenger of the unforgeability game of the ring signature scheme, since that would corrupt a ring member. Therefore, $\mathcal{R}$ must answer the query without relying on the challenger. However, if this is possible, $\mathcal{R}$ is able to break the unforgeability of the ring signature scheme without $\mathcal{A}$, which contradicts the security of the ring signature scheme.

We emphasize that giving formal proofs is an important task even for a seemingly trivial matter, because it may turn out that the seemingly trivial claim cannot be established.

1.2 Related work

The seminal work by Impagliazzo and Rudich [10] demonstrates a separation between key agreement and one-way functions. This line of research has been successful, and there are many follow-up works [11–14]. We emphasize that a black-box impossibility only rules out a generic construction of a primitive based on another primitive. Thus, if we rely on a concrete assumption, e.g. the RSA assumption or the discrete logarithm assumption, we might be able to circumvent such an impossibility.

We note that in spite of our result, it is known that a single DVS is equivalent to a ring signature scheme where a ring consists of two members. More precisely, Brendel et al. [15] show the construction of a DVS from a ring signature scheme, and Hashimoto et al. [16] prove the inverse direction. However, we claim that this fact does not contradict our result. This is because the designated verifier in a DVS is not allowed to be corrupted, because a single secret key of the designated verifier is sufficient for a simulator. In other words, it leads to an obvious attack against unforgeability of the DVS scheme. Therefore, our observation does not work for DVSs.

Several constructions of MDVSs from primitives other than ring signatures have been proposed so far. Chow [17] demonstrates a construction from a multi-chameleon hash, although he does not define MDVSs formally. Further, Damgård et al. [3] propose two generic constructions of MDVSs: one from a pseudorandom function, a pseudorandom generator, a key agreement, and an NIZK, and the other from functional encryption.

We mention recent works related to MDVSs. They are used as a building block for a multi-designated receivers signed public key encryption scheme [18,19]. Further, new (M)DVSs, a designated verifier linkable ring signature scheme [20] and a claimable designated verifier signature [21] have been proposed.

Finally, ring signature schemes with additional properties have been proposed so far, such as accountable ring signatures [22], linkable ring signatures [23], traceable ring signatures [24], deniable ring signatures [25], claimable ring signatures, and repudiable ring signatures [26]. We might be able to circumvent the impossibility that is exposed by this work by using these ring signature schemes with additional properties. We leave it as an open problem.

2 Preliminaries

Throughout this article, we let $\lambda \in \mathbb{N}$ be a security parameter. We abbreviate a probabilistic polynomial time algorithm as a PPT algorithm. We denote a polynomial function and a negligible function by $\mathrm{poly}(\cdot)$ and $\mathrm{negl}(\cdot)$, respectively. For any $n \in \mathbb{N}$, let $[n] := \{1, 2, \ldots, n\}$. A subroutine $\mathsf{X}$ of an algorithm $\Pi$ is denoted by $\Pi.\mathsf{X}$. A security property is defined by a game (or an experiment) between a challenger and an adversary. If the result of the game is 1, we say that the adversary wins the game.

2.1 Multi-designated verifiers signature

In this section, we recall the definition of multi-designated verifiers signature (MDVS) schemes. Rather than the definition by Zhang et al. [8], we follow the most standard definition of an MDVS, from the study by Damgård et al. [3], except that all designated verifiers are required to participate in simulating a signature. The work [3] claims that the basic security requirements for an MDVS are unforgeability, OTR, and consistency. Here, consistency is the property that verification results are the same among all designated verifiers; it is not required in the study by Zhang et al. [8].

We fix a set of users’ identities, which is used in the definition of an MDVS scheme. The formal definition is as follows.

Definition 2.1

(MDVS) A multi-designated verifiers signature (MDVS) scheme consists of the following six algorithms $(\mathsf{Set}, \mathsf{SKG}, \mathsf{VKG}, \mathsf{Sig}, \mathsf{Vrf}, \mathsf{Sim})$:

  • $\mathsf{Set}(1^\lambda) \to (pp, msk)$: Given a security parameter $1^\lambda$, it outputs a public parameter $pp$ and a master secret key $msk$.

  • $\mathsf{SKG}(pp, msk, id_S) \to (spk_{id_S}, ssk_{id_S})$: Given a public parameter $pp$, a master secret key $msk$, and an identity $id_S$, it outputs the signer’s public key $spk_{id_S}$ and secret key $ssk_{id_S}$.

  • $\mathsf{VKG}(pp, msk, id_V) \to (vpk_{id_V}, vsk_{id_V})$: Given a public parameter $pp$, a master secret key $msk$, and an identity $id_V$, it outputs the verifier’s public key $vpk_{id_V}$ and secret key $vsk_{id_V}$.

  • $\mathsf{Sig}(pp, ssk_{id_S}, \{vpk_{id_V}\}_{id_V \in D}, m) \to \sigma$: Given a public parameter $pp$, a signer’s secret key $ssk_{id_S}$, a set of public keys $\{vpk_{id_V}\}_{id_V \in D}$ of the designated verifiers $D$, and a message $m$, it outputs a signature $\sigma$.

  • $\mathsf{Vrf}(pp, \{vpk_{id_V}\}_{id_V \in D}, vsk_{id}, spk_{id_S}, m, \sigma) \to 1/0$: Given a public parameter $pp$, a set of public keys $\{vpk_{id_V}\}_{id_V \in D}$ of the designated verifiers $D$, a verifier’s secret key $vsk_{id}$, a signer’s public key $spk_{id_S}$, a message $m$, and a signature $\sigma$, it outputs 1 (meaning accept) or 0 (meaning reject).

  • $\mathsf{Sim}(pp, \{vpk_{id_V}\}_{id_V \in D}, \{vsk_{id_V}\}_{id_V \in D}, spk_{id_S}, m) \to \sigma$: Given a public parameter $pp$, a set of public keys $\{vpk_{id_V}\}_{id_V \in D}$ of the designated verifiers $D$, the set of secret keys $\{vsk_{id_V}\}_{id_V \in D}$ of the designated verifiers $D$, a signer’s public key $spk_{id_S}$, and a message $m$, it outputs a simulated signature $\sigma$.

Definition 2.2

(Correctness) An MDVS scheme $\Pi = (\mathsf{Set}, \mathsf{SKG}, \mathsf{VKG}, \mathsf{Sig}, \mathsf{Vrf}, \mathsf{Sim})$ satisfies correctness if for any security parameter $\lambda \in \mathbb{N}$, any $(pp, msk) \leftarrow \mathsf{Set}(1^\lambda)$, any set of verifiers’ identities $D$, any verifier’s identity $id \in D$, any signer’s identity $id_S$, and any message $m$, it holds that

$$\mathsf{Vrf}\big(pp, \{vpk_{id_V}\}_{id_V \in D}, vsk_{id}, spk_{id_S}, m, \mathsf{Sig}(pp, ssk_{id_S}, \{vpk_{id_V}\}_{id_V \in D}, m)\big) = 1,$$

where $(spk_{id_S}, ssk_{id_S}) \leftarrow \mathsf{SKG}(pp, msk, id_S)$ and $(vpk_{id_V}, vsk_{id_V}) \leftarrow \mathsf{VKG}(pp, msk, id_V)$ for all $id_V \in D$.

We require an MDVS scheme to satisfy unforgeability, consistency, and OTR as security requirements, as discussed in the study by Damgård et al. [3]. However, since our article uses only the definition of unforgeability, we formally introduce only it here. The formal definitions of consistency and OTR are provided in Appendix A.1 for completeness.

Definition 2.3

(EUF-CMA security) An MDVS scheme $\Pi = (\mathsf{Set}, \mathsf{SKG}, \mathsf{VKG}, \mathsf{Sig}, \mathsf{Vrf}, \mathsf{Sim})$ is existentially unforgeable under an adaptive chosen-message attack (EUF-CMA) if for any security parameter $\lambda \in \mathbb{N}$ and any PPT adversary $\mathcal{A}$, it holds that $\Pr[\mathsf{ExpEUFDVS}_{\Pi, \mathcal{A}}(1^\lambda) = 1] \le \mathrm{negl}(\lambda)$, where $\mathsf{ExpEUFDVS}$ is defined as follows:

$$
\begin{array}{l}
\mathsf{ExpEUFDVS}_{\Pi, \mathcal{A}}(1^\lambda): \\
\quad L_{VPK}, L_{SPK}, L_{VSK}, L_{SSK}, L_{Sign}, L_{Vrf} \leftarrow \emptyset;\ (pp, msk) \leftarrow \mathsf{Set}(1^\lambda); \\
\quad (id_S^*, D^*, m^*, \sigma^*) \leftarrow \mathcal{A}^{O_{SPK}, O_{SSK}, O_{VPK}, O_{VSK}, O_{Sig}, O_{Vrf}}(pp); \\
\quad \text{output } 1 \text{ if } \big(\exists\, id \in D^* \setminus L_{VSK} \text{ s.t. } \mathsf{Vrf}(pp, \{vpk_{id_V}\}_{id_V \in D^*}, vsk_{id}, spk_{id_S^*}, m^*, \sigma^*) = 1\big) \\
\qquad \wedge\ (id_S^* \notin L_{SSK})\ \wedge\ ((D^*, id_S^*, m^*) \notin L_{Sign}),\ \text{otherwise } 0,
\end{array}
$$

where $O_{SPK}$, $O_{SSK}$, $O_{VPK}$, $O_{VSK}$, $O_{Sig}$, and $O_{Vrf}$ work as follows:

  1. $O_{SPK}$: Given $id_S$, if $id_S$ has already been queried, it picks $(id_S, spk_{id_S}, ssk_{id_S})$ from $L_{SPK}$ and returns $spk_{id_S}$. Otherwise, it computes $(spk_{id_S}, ssk_{id_S}) \leftarrow \mathsf{SKG}(pp, msk, id_S)$, returns $spk_{id_S}$, and updates $L_{SPK} \leftarrow L_{SPK} \cup \{(id_S, spk_{id_S}, ssk_{id_S})\}$.

  2. $O_{SSK}$: Given $id_S$, if $(id_S, spk_{id_S}, ssk_{id_S}) \in L_{SPK}$, it returns $ssk_{id_S}$ and updates $L_{SSK} \leftarrow L_{SSK} \cup \{id_S\}$. Otherwise, it calls $O_{SPK}(id_S)$ to generate $(spk_{id_S}, ssk_{id_S})$ (which updates $L_{SPK} \leftarrow L_{SPK} \cup \{(id_S, spk_{id_S}, ssk_{id_S})\}$), returns $(spk_{id_S}, ssk_{id_S})$, and updates $L_{SSK} \leftarrow L_{SSK} \cup \{id_S\}$. We regard the signer corresponding to $id_S \in L_{SSK}$ as a corrupted signer.

  3. $O_{VPK}$: Given $id_V$, if $id_V$ has already been queried, it picks $(id_V, vpk_{id_V}, vsk_{id_V})$ from $L_{VPK}$ and returns $vpk_{id_V}$. Otherwise, it computes $(vpk_{id_V}, vsk_{id_V}) \leftarrow \mathsf{VKG}(pp, msk, id_V)$, returns $vpk_{id_V}$, and updates $L_{VPK} \leftarrow L_{VPK} \cup \{(id_V, vpk_{id_V}, vsk_{id_V})\}$.

  4. $O_{VSK}$: Given $id_V$, if $(id_V, vpk_{id_V}, vsk_{id_V}) \in L_{VPK}$, it returns $vsk_{id_V}$ and updates $L_{VSK} \leftarrow L_{VSK} \cup \{id_V\}$. Otherwise, it calls $O_{VPK}(id_V)$ to generate $(vpk_{id_V}, vsk_{id_V})$ (which updates $L_{VPK} \leftarrow L_{VPK} \cup \{(id_V, vpk_{id_V}, vsk_{id_V})\}$), returns $(vpk_{id_V}, vsk_{id_V})$, and updates $L_{VSK} \leftarrow L_{VSK} \cup \{id_V\}$. We regard the verifier corresponding to $id_V \in L_{VSK}$ as a corrupted verifier.

  5. $O_{Sig}$: Given $D$, $id_S$, and $m$, it does the following:

    – If $(id_S, \cdot, \cdot) \notin L_{SPK}$, call $O_{SPK}$ on $id_S$ to generate $(spk_{id_S}, ssk_{id_S})$.

    – For all $id_V \in D$ s.t. $(id_V, \cdot, \cdot) \notin L_{VPK}$, call $O_{VPK}$ on $id_V$ to generate $(vpk_{id_V}, vsk_{id_V})$.

    – Return $\sigma \leftarrow \mathsf{Sig}(pp, ssk_{id_S}, \{vpk_{id_V}\}_{id_V \in D}, m)$ and update $L_{Sign} \leftarrow L_{Sign} \cup \{(D, id_S, m)\}$.

  6. $O_{Vrf}$: Given $id$, $id_S$, $m$, $D$, and $\sigma$, it does the following:

    – If $id \notin D$, return 0.

    – If $(id_S, \cdot, \cdot) \notin L_{SPK}$, call $O_{SPK}$ on $id_S$ to generate $(spk_{id_S}, ssk_{id_S})$.

    – For all $id_V \in D$, if $(id_V, \cdot, \cdot) \notin L_{VPK}$, call $O_{VPK}$ on $id_V$ to generate $(vpk_{id_V}, vsk_{id_V})$.

    – Return $b = \mathsf{Vrf}(pp, \{vpk_{id_V}\}_{id_V \in D}, vsk_{id}, spk_{id_S}, m, \sigma)$ and update $L_{Vrf} \leftarrow L_{Vrf} \cup \{(D, id, id_S, m, \sigma)\}$.

2.2 Ring signature

In this section, we review the definition of ring signature. We follow the strongest definition from the study by Bender et al. [27]. Namely, as security properties for a ring signature, we require unforgeability with respect to insider corruption and anonymity against full key exposure. We remark that this stronger definition makes our result more relevant, as it means an MDVS scheme cannot be obtained from such a stronger ring signature scheme in a black-box manner.

Definition 2.4

(Ring signature) A ring signature scheme consists of four PPT algorithms $(\mathsf{Set}, \mathsf{KG}, \mathsf{Sig}, \mathsf{Vrf})$ that work as follows:

  • $\mathsf{Set}(1^\lambda) \to pp$: Given a security parameter $1^\lambda$, it outputs a public parameter $pp$.

  • $\mathsf{KG}(pp) \to (pk, sk)$: Given a public parameter $pp$, it outputs a public key $pk$ and a secret key $sk$.

  • $\mathsf{Sig}(pp, sk, \{pk_i\}_{i \in [n]}, m) \to \sigma$: Given a public parameter $pp$, a secret key $sk$, a set of public keys (or a ring) $\{pk_i\}_{i \in [n]}$ where $n = \mathrm{poly}(\lambda)$, and a message $m$, it outputs a signature $\sigma$. If there is no $i \in [n]$ s.t. $(pk_i, sk) \leftarrow \mathsf{KG}(pp)$, it returns $\bot$.

  • $\mathsf{Vrf}(pp, \{pk_i\}_{i \in [n]}, m, \sigma) \to 1/0$: Given a public parameter $pp$, a set of public keys $\{pk_i\}_{i \in [n]}$ where $n = \mathrm{poly}(\lambda)$, a message $m$, and a signature $\sigma$, it outputs 1 (meaning accept) or 0 (meaning reject).

A ring signature scheme $(\mathsf{Set}, \mathsf{KG}, \mathsf{Sig}, \mathsf{Vrf})$ satisfies correctness if for any security parameter $\lambda$, any $pp \leftarrow \mathsf{Set}(1^\lambda)$, and any message $m$, it holds that

$$\mathsf{Vrf}\big(pp, \{pk_i\}_{i \in [n]}, m, \mathsf{Sig}(pp, sk, \{pk_i\}_{i \in [n]}, m)\big) = 1,$$

where for any $i \in [n]$, $pk_i$ is generated by $\mathsf{KG}$, and in particular, there exists $i \in [n]$ s.t. $(pk_i, sk) \leftarrow \mathsf{KG}(pp)$.

Next, we define unforgeability with respect to insider corruption as follows. As with MDVSs, the definition of anonymity is deferred to Appendix A.2, as it is not relevant to our discussion.

Definition 2.5

(Unforgeability with respect to insider corruption) A ring signature scheme $\Pi_{RS} = (\mathsf{Set}, \mathsf{KG}, \mathsf{Sig}, \mathsf{Vrf})$ satisfies unforgeability with respect to insider corruption if for any security parameter $\lambda$ and any PPT adversary $\mathcal{A}$ that makes at most $q = \mathrm{poly}(\lambda)$ queries to its oracles, $\Pr[\mathsf{ExpEUFRS}_{\Pi_{RS}, \mathcal{A}}(1^\lambda) = 1] \le \mathrm{negl}(\lambda)$, where the experiment $\mathsf{ExpEUFRS}_{\Pi_{RS}, \mathcal{A}}(1^\lambda)$ is defined as follows:

$$
\begin{array}{l}
\mathsf{ExpEUFRS}_{\Pi_{RS}, \mathcal{A}}(1^\lambda): \\
\quad L_{PK}, L_{SK}, L_{Sign} \leftarrow \emptyset;\ pp \leftarrow \mathsf{Set}(1^\lambda); \\
\quad (\{pk_i^*\}_{i \in [n]}, m^*, \sigma^*) \leftarrow \mathcal{A}^{O_{PK}, O_{SK}, O_{RSig}}(pp); \\
\quad \text{output } 1 \text{ if } (\mathsf{Vrf}(pp, \{pk_i^*\}_{i \in [n]}, m^*, \sigma^*) = 1)\ \wedge\ (\forall i \in [n],\ (pk_i^*, sk_i^*) \in L_{PK}) \\
\qquad \wedge\ (\forall i \in [n],\ (pk_i^*, sk_i^*) \notin L_{SK})\ \wedge\ (\forall j \in [n],\ (pk_j^*, \{pk_i^*\}_{i \in [n] \setminus \{j\}}, m^*, \sigma^*) \notin L_{Sign}),\ \text{otherwise } 0,
\end{array}
$$

where $n = \mathrm{poly}(\lambda)$ s.t. $n \le q$, and $O_{PK}$, $O_{SK}$, and $O_{RSig}$ work as follows:

  1. $O_{PK}$: Given $pp$, it computes $(pk, sk) \leftarrow \mathsf{KG}(pp)$, returns $pk$, and updates $L_{PK} \leftarrow L_{PK} \cup \{(pk, sk)\}$.

  2. $O_{SK}$: Given $pk$, if $(pk, sk) \in L_{PK}$, it returns $sk$ and updates $L_{SK} \leftarrow L_{SK} \cup \{(pk, sk)\}$. Otherwise, it returns $\bot$. We regard $L_{SK}$ as the set of corrupted entities.

  3. $O_{RSig}$: Given a signer’s public key $pk$, a set of public keys $\{pk_i\}_{i \in [n]}$ where $n = \mathrm{poly}(\lambda)$, and a message $m$, it does the following:

    – If $(pk, sk) \notin L_{PK}$, return $\bot$.

    – If $(pk, \{pk_i\}_{i \in [n]}, m, \sigma) \in L_{Sign}$, return $\sigma$.

    – Return $\sigma \leftarrow \mathsf{Sig}(pp, sk, \{pk\} \cup \{pk_i\}_{i \in [n]}, m)$ and update $L_{Sign} \leftarrow L_{Sign} \cup \{(pk, \{pk_i\}_{i \in [n]}, m, \sigma)\}$.

In the following, for simplicity, we say that a ring signature scheme satisfies EUF-CMA security if it satisfies the aforementioned definition.

3 Main result

Now we provide the black-box impossibility of an MDVS scheme from a ring signature scheme. Formally, we assume that EUF-CMA security of the MDVS scheme can be based on EUF-CMA security of the ring signature scheme, i.e. there exists a PPT reduction algorithm R that reduces EUF-CMA security of the MDVS scheme to EUF-CMA security of the ring signature scheme. (We remark that all existing constructions follow this reduction.) Then, we demonstrate that such an R contradicts the security of the ring signature scheme.

In short, the impossibility stems from the difference between the two EUF-CMA security notions. In $\mathsf{ExpEUFRS}$, no public key in the challenge ring may be corrupted, whereas in $\mathsf{ExpEUFDVS}$, some (but not all) of the designated verifiers may be corrupted. Recall that existing constructions of MDVSs from ring signature schemes regard a ring as the set consisting of the signer and the designated verifiers. The difference between the two security definitions is therefore problematic for such a construction.
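To make the definitional gap concrete, the following Python is an added illustration (not code from the paper): it models only the challenger's bookkeeping in $\mathsf{ExpEUFDVS}$ (Definition 2.3) and $\mathsf{ExpEUFRS}$ (Definition 2.5) and evaluates the two winning predicates. Keys and signatures are abstracted away to identities, and the output of $\mathsf{Vrf}$ is supplied by the caller; the class and function names (`MDVSGameState`, `mdvs_wins`, `rs_wins`, `definitional_gap`) and the sample identities `S`, `V1`, `V2` are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Set, Tuple


@dataclass
class MDVSGameState:
    """Lists kept by the challenger of ExpEUFDVS (identities only; real keys are abstracted away)."""
    l_spk: Set[str] = field(default_factory=set)   # signer ids whose keys exist (O_SPK)
    l_ssk: Set[str] = field(default_factory=set)   # corrupted signers (O_SSK)
    l_vpk: Set[str] = field(default_factory=set)   # verifier ids whose keys exist (O_VPK)
    l_vsk: Set[str] = field(default_factory=set)   # corrupted verifiers (O_VSK)
    l_sign: Set[Tuple[FrozenSet[str], str, str]] = field(default_factory=set)  # (D, id_S, m) seen by O_Sig

    def o_spk(self, id_s: str) -> None:
        self.l_spk.add(id_s)

    def o_ssk(self, id_s: str) -> None:
        self.o_spk(id_s)               # key generated on demand, then the signer counts as corrupted
        self.l_ssk.add(id_s)

    def o_vpk(self, id_v: str) -> None:
        self.l_vpk.add(id_v)

    def o_vsk(self, id_v: str) -> None:
        self.o_vpk(id_v)
        self.l_vsk.add(id_v)

    def o_sig(self, d: Set[str], id_s: str, m: str) -> None:
        self.o_spk(id_s)
        for id_v in d:
            self.o_vpk(id_v)
        self.l_sign.add((frozenset(d), id_s, m))


def mdvs_wins(state: MDVSGameState, id_s: str, d: Set[str], m: str,
              accepts: Callable[[str], bool]) -> bool:
    """Winning predicate of ExpEUFDVS for a forgery (id_S*, D*, m*, sigma*).

    accepts(id) stands for Vrf(pp, {vpk}_{D*}, vsk_id, spk_{id_S*}, m*, sigma*) == 1.
    Only an uncorrupted designated verifier (id not in L_VSK) may witness the forgery,
    but other members of D* are allowed to be corrupted.
    """
    honest_witness = any(accepts(id_v) for id_v in d if id_v not in state.l_vsk)
    signer_honest = id_s not in state.l_ssk
    fresh = (frozenset(d), id_s, m) not in state.l_sign
    return honest_witness and signer_honest and fresh


@dataclass
class RSGameState:
    """Lists kept by the challenger of ExpEUFRS."""
    l_pk: Set[str] = field(default_factory=set)    # public keys generated by O_PK
    l_sk: Set[str] = field(default_factory=set)    # public keys whose secret key O_SK handed out
    l_sign: Set[Tuple[str, FrozenSet[str], str]] = field(default_factory=set)  # (pk, other ring members, m)

    def o_pk(self, pk: str) -> None:
        self.l_pk.add(pk)

    def o_sk(self, pk: str) -> bool:
        if pk not in self.l_pk:        # O_SK returns bottom for an unknown key
            return False
        self.l_sk.add(pk)
        return True

    def o_rsig(self, pk: str, others: Set[str], m: str) -> bool:
        if pk not in self.l_pk:
            return False
        self.l_sign.add((pk, frozenset(others), m))
        return True


def rs_wins(state: RSGameState, ring: Set[str], m: str, verifies: bool) -> bool:
    """Winning predicate of ExpEUFRS for a forgery (R*, m*, sigma*); `verifies` stands for Vrf == 1."""
    ring = frozenset(ring)
    all_generated = all(pk in state.l_pk for pk in ring)
    none_corrupted = all(pk not in state.l_sk for pk in ring)   # the condition the MDVS game lacks
    fresh = all((pk, ring - {pk}, m) not in state.l_sign for pk in ring)
    return verifies and all_generated and none_corrupted and fresh


def definitional_gap() -> Dict[str, bool]:
    """Same cast in both games (constructed): signer S, verifiers V1 and V2."""
    def accept_all(id_v: str) -> bool:  # constructed: sigma* passes Vrf under every verifier key
        return True

    out: Dict[str, bool] = {}
    g = MDVSGameState()
    g.o_spk("S")
    g.o_vpk("V1")
    g.o_vsk("V2")                      # corrupting one of two designated verifiers is allowed ...
    out["mdvs_one_corrupted"] = mdvs_wins(g, "S", {"V1", "V2"}, "m", accept_all)
    g.o_vsk("V1")                      # ... but some uncorrupted verifier must accept the forgery ...
    out["mdvs_all_corrupted"] = mdvs_wins(g, "S", {"V1", "V2"}, "m", accept_all)
    g2 = MDVSGameState()
    g2.o_sig({"V1", "V2"}, "S", "m")   # ... and it must not be an output of the signing oracle.
    out["mdvs_from_signing_oracle"] = mdvs_wins(g2, "S", {"V1", "V2"}, "m", accept_all)

    r = RSGameState()
    for pk in ("S", "V1", "V2"):
        r.o_pk(pk)
    out["rs_no_corruption"] = rs_wins(r, {"S", "V1", "V2"}, "m", verifies=True)
    r.o_sk("V2")                       # a single corrupted ring member voids the ring forgery
    out["rs_one_corrupted"] = rs_wins(r, {"S", "V1", "V2"}, "m", verifies=True)
    r2 = RSGameState()
    for pk in ("S", "V1", "V2"):
        r2.o_pk(pk)
    r2.o_rsig("S", {"V1", "V2"}, "m")  # signature obtained for exactly (pk_j*, R* \ {pk_j*}, m*)
    out["rs_from_signing_oracle"] = rs_wins(r2, {"S", "V1", "V2"}, "m", verifies=True)
    return out


if __name__ == "__main__":
    for name, won in definitional_gap().items():
        print(f"{name}: {'wins' if won else 'loses'}")
```

Running `definitional_gap()` shows the asymmetry the paper exploits: with verifier `V2` corrupted, the MDVS forgery still counts (`mdvs_one_corrupted`), while the ring forgery over the same three parties does not (`rs_one_corrupted`). A reduction that maps the ring onto signer plus designated verifiers therefore cannot forward the corruption query, which is exactly the situation analyzed in the proof of Theorem 3.1.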

Despite this intuitive discussion, we must also consider the case where a ring does not coincide with the set of a signer and designated verifiers; in other words, such a construction might still be possible. Thus, we have to deal with this counterintuitive kind of construction as well.

Before demonstrating the separation formally, we describe our idea below. We have to deal with the following two cases.

We first prove that if $\mathcal{R}^{\mathcal{A}}$ breaks EUF-CMA security of the underlying ring signature scheme with non-negligible probability, then $\mathcal{A}$ must request $\mathcal{R}$ to make a query that corrupts a public key in the ring $R^*$ output by $\mathcal{R}^{\mathcal{A}}$ in $\mathsf{ExpEUFRS}$. Intuitively, if this is not the case, we can break EUF-CMA security of the underlying ring signature scheme without corrupting any ring member at all, which contradicts the security of the ring signature scheme.

Secondly, in the case where a ring is regarded as the set of a signer and designated verifiers, we follow the meta-reduction paradigm [9]: Let $\mathcal{A}$ be a PPT adversary that breaks EUF-CMA security of the MDVS scheme with non-negligible probability, and assume that $\mathcal{R}^{\mathcal{A}}$ breaks EUF-CMA security of the ring signature scheme with non-negligible probability. If $\mathcal{A}$ wants to corrupt a designated verifier and makes a corruption query, $\mathcal{R}$ must simulate the answer by itself without accessing its corruption oracle, because corrupting a ring member immediately violates the winning condition of $\mathsf{ExpEUFRS}$. However, if such a simulation is possible, then $\mathcal{R}$ is able to break EUF-CMA security of the ring signature scheme without $\mathcal{A}$.

Theorem 3.1

Let $\Pi_{RS} = (\mathsf{Set}, \mathsf{KG}, \mathsf{Sig}, \mathsf{Vrf})$ be a ring signature scheme. There is no black-box construction $\Pi_{MDVS}^{\Pi_{RS}} = (\mathsf{Set}, \mathsf{SKG}, \mathsf{VKG}, \mathsf{Sig}, \mathsf{Vrf}, \mathsf{Sim})$ of an MDVS scheme based on $\Pi_{RS}$ whose EUF-CMA security is reduced to the EUF-CMA security of $\Pi_{RS}$.

Proof

Suppose that there exists a PPT adversary $\mathcal{A}$ that breaks the EUF-CMA security of $\Pi_{MDVS}^{\Pi_{RS}}$ with non-negligible probability, and let $\mathcal{R}$ be a PPT reduction algorithm from the EUF-CMA security of $\Pi_{MDVS}^{\Pi_{RS}}$ to the EUF-CMA security of $\Pi_{RS}$. In other words, $\mathcal{R}^{\mathcal{A}}$ breaks the EUF-CMA security of $\Pi_{RS}$ with non-negligible probability. Note that $\mathcal{R}^{\mathcal{A}}$ plays the experiment $\mathsf{ExpEUFRS}_{\Pi_{RS}, \mathcal{R}^{\mathcal{A}}}(1^\lambda)$ as an adversary, while simulating the experiment $\mathsf{ExpEUFDVS}_{\Pi_{MDVS}, \mathcal{A}}(1^\lambda)$ to $\mathcal{A}$ as a challenger. We demonstrate that we can then construct a PPT algorithm that breaks the EUF-CMA security of $\Pi_{RS}$ with non-negligible probability. The algorithm $\mathcal{R}^{\mathcal{A}}$ works in $\mathsf{ExpEUFRS}_{\Pi_{RS}, \mathcal{R}^{\mathcal{A}}}(1^\lambda)$ as follows:

  1. The challenger computes a public parameter $pp_{RS} \leftarrow \Pi_{RS}.\mathsf{Set}(1^\lambda)$ and gives it to $\mathcal{R}$.

  2. Given $pp_{RS}$, $\mathcal{R}$ computes $(pp_{MDVS}, msk_{MDVS})$ and gives $pp_{MDVS}$ to $\mathcal{A}$. In other words, $\mathcal{R}$ and $\mathcal{A}$ play $\mathsf{ExpEUFDVS}_{\Pi_{MDVS}^{\Pi_{RS}}, \mathcal{A}}(1^\lambda)$. As already mentioned, $\mathcal{R}$ may ask the challenger of $\mathsf{ExpEUFRS}_{\Pi_{RS}, \mathcal{R}^{\mathcal{A}}}(1^\lambda)$ to call an oracle if necessary. When $\mathcal{A}$ outputs $(id_S^*, D^*, m_{MDVS}^*, \sigma_{MDVS}^*)$, $\mathcal{R}$ returns $(R^*, m_{RS}^*, \sigma_{RS}^*)$ to the challenger, where $R^* = \{pk_i^*\}_{i \in [n]}$ is a set of public keys (a ring) and $n = \mathrm{poly}(\lambda)$.

  3. The adversary $\mathcal{R}^{\mathcal{A}}$ wins the game if all of the following conditions are satisfied:

    – $\Pi_{RS}.\mathsf{Vrf}(pp_{RS}, R^*, m_{RS}^*, \sigma_{RS}^*) = 1$.

    – Every $pk_i^*$ is created via the oracle $O_{PK}$.

    – No $pk_i^*$ is queried to $O_{SK}$.

    – The signature $\sigma_{RS}^*$ is not created via $O_{RSig}$ on $(pk_j^*, R^*, m_{RS}^*)$.

The third condition means that no public key in $R^*$ may be corrupted when $\mathcal{R}^{\mathcal{A}}$ wins the game. Let CorMember be the event that $\mathcal{A}$, during the execution of $\mathcal{R}^{\mathcal{A}}$, makes a query that results in the corruption of a public key in $R^*$.

We first argue in Claim 3.1 that if $\mathcal{R}^{\mathcal{A}}$ wins the game with non-negligible probability under the condition that CorMember does not occur, then $\Pi_{RS}$ is not EUF-CMA secure. In the proof, we first show that $\mathcal{A}$ cannot make a query that necessitates $\mathcal{R}$ to call $O_{RSig}$ on $(pk_j^*, R^*, m_{RS}^*)$, where $pk_j^* \in R^*$. Then $\mathcal{A}$ does not ask $\mathcal{R}$ to make queries that result in the corruption of a public key in $R^*$ or in a signature with respect to $R^*$. In other words, $\mathcal{R}^{\mathcal{A}}$ breaks EUF-CMA security of $\Pi_{RS}$ using only somewhat public information, i.e. by corrupting public keys outside of $R^*$ or obtaining signatures with respect to rings other than $R^*$. However, if EUF-CMA security of $\Pi_{RS}$ is compromised with non-negligible probability under such conditions, then there must be a PPT algorithm $\mathcal{R}$ (not depending on $\mathcal{A}$) that breaks EUF-CMA security of $\Pi_{RS}$ with non-negligible probability.

Further, we prove that if $\mathcal{R}^{\mathcal{A}}$ wins the game under the condition that CorMember occurs, then we can use the power of $\mathcal{R}$ to break EUF-CMA security of $\Pi_{RS}$. The idea is that if CorMember occurs, then $\mathcal{R}$ must answer the query without asking the challenger to call $O_{SK}$, since otherwise the third winning condition is immediately violated. In other words, $\mathcal{R}$ is able to create a valid secret key (of a ring member) without relying on $O_{SK}$. Therefore, we can use such an $\mathcal{R}$ to break EUF-CMA security of $\Pi_{RS}$.

Claim 3.1

If $\mathcal{R}^{\mathcal{A}}$ breaks EUF-CMA security of $\Pi_{RS}$ with non-negligible probability without CorMember, then there exists a PPT algorithm $\mathcal{R}$, which does not rely on $\mathcal{A}$, that breaks EUF-CMA security of $\Pi_{RS}$ with non-negligible probability.

Proof

Although we do not know how $\Pi_{MDVS}^{\Pi_{RS}}$ is constructed, we put very natural assumptions on it. Overall, a subroutine of $\Pi_{RS}$ should be used in the “corresponding” subroutine of $\Pi_{MDVS}^{\Pi_{RS}}$. The public parameter $pp_{MDVS}$ is created based on $pp_{RS}$. To construct the public keys $spk_{id_S}$ and $vpk_{id_V}$, public keys generated by $O_{PK}$ should be used. Similarly, secret keys created by $O_{PK}$ should be used to create the secret keys $ssk_{id_S}$ and $vsk_{id_V}$. (It might be the case that multiple underlying keys are used to construct one key of $\Pi_{MDVS}^{\Pi_{RS}}$. We do not discuss this point in detail, as we do not know how $\Pi_{MDVS}^{\Pi_{RS}}$ is constructed.) Further, during the creation of a signature by $\Pi_{MDVS}^{\Pi_{RS}}$, regardless of whether it is real or simulated, $\Pi_{RS}.\mathsf{Sig}$ is used. Similarly, $\Pi_{MDVS}^{\Pi_{RS}}.\mathsf{Vrf}$ uses $\Pi_{RS}.\mathsf{Vrf}$.

While we are under the assumption that CorMember does not happen, it might be the case that $\mathcal{R}^{\mathcal{A}}$ forges a ring signature by using $O_{RSig}$. Here, we need to consider two further cases, namely whether or not $\mathcal{A}$ asks $\mathcal{R}$ a query that necessitates the query $(pk_j^*, R^*, m_{RS}^*)$, where $pk_j^* \in R^*$, to $O_{RSig}$ (i.e. $\Pi_{RS}.\mathsf{Sig}$).

Firstly, suppose that $\mathcal{A}$ makes such a query. In this case, $\mathcal{R}$ cannot call $O_{RSig}$ on $(pk_j^*, R^*, m_{RS}^*)$, as it immediately violates the winning condition of $\mathsf{ExpEUFRS}_{\Pi_{RS}, \mathcal{R}^{\mathcal{A}}}(1^\lambda)$. Therefore, $\mathcal{R}$ must somehow compute a valid signature by itself and return it to $\mathcal{A}$, which immediately violates the EUF-CMA security of $\Pi_{RS}$. Alternatively, $\mathcal{R}$ might query $O_{RSig}$ on another input and return the result to $\mathcal{A}$. However, if such a “substitutional” answer, say $\sigma'$, works, then $\Pi_{RS}$ is no longer EUF-CMA secure: the substitution does not change the view of $\mathcal{A}$, and thus it holds that $\Pi_{RS}.\mathsf{Vrf}(pp_{RS}, R^*, m^*, \sigma') = 1$. This contradicts the EUF-CMA security of $\Pi_{RS}$ if there exists a PPT algorithm that finds such a substitution with non-negligible probability. Furthermore, if $\mathcal{R}$ computes a substitutional answer without relying on $O_{RSig}$, such an $\mathcal{R}$ is able to break the EUF-CMA security of $\Pi_{RS}$ without relying on $\mathcal{A}$, which also contradicts the security of $\Pi_{RS}$.

Secondly, assume that $\mathcal{A}$ never makes a query that necessitates $\mathcal{R}$ to query $(pk_j^*, R^*, m_{RS}^*)$ to $O_{RSig}$. Suppose that $\mathcal{R}^{\mathcal{A}}$ breaks EUF-CMA security of $\Pi_{RS}$ with non-negligible probability under these conditions, i.e. CorMember does not happen and $\mathcal{A}$ never makes a query that necessitates $\mathcal{R}$ to query $(pk_j^*, R^*, m_{RS}^*)$ to $O_{RSig}$. These conditions guarantee that the winning conditions “no $pk_i^*$ is queried to $O_{SK}$” and “the signature $\sigma_{RS}^*$ is not created via $O_{RSig}$ on $(pk_j^*, R^*, m_{RS}^*)$” are satisfied. Further, by the assumption on the construction of $\Pi_{MDVS}$, the winning condition “every $pk_i^*$ is created via the oracle $O_{PK}$” is satisfied. Therefore, $\mathcal{R}^{\mathcal{A}}$ creates a ring signature, along with a message and a ring, that passes the verification of $\Pi_{RS}.\mathsf{Vrf}$ without making any query that would violate the winning conditions. This implies the existence of a PPT algorithm $\mathcal{R}$ that breaks EUF-CMA security of $\Pi_{RS}$ with non-negligible probability, which contradicts the assumption that $\Pi_{RS}$ is EUF-CMA secure.□

Now, we consider the case where CorMember happens. We first observe what happens if CorMember occurs. When $\mathcal{A}$ makes a query that necessitates $\mathcal{R}$ to corrupt a public key $pk_i^* \in R^*$, $\mathcal{R}$ cannot ask the challenger to call $O_{SK}$ on $pk_i^*$, because that immediately violates the winning condition for $\mathcal{R}^{\mathcal{A}}$. Therefore, $\mathcal{R}$ somehow manages to create the corresponding secret key $sk_i^*$ and returns it to $\mathcal{A}$ without calling $O_{SK}$. We exploit this capability and construct a PPT algorithm $\mathcal{R}$ that breaks EUF-CMA security of $\Pi_{RS}$ without relying on $\mathcal{A}$, as follows.

  • Given a public parameter $pp_{RS}$ from the challenger, $\mathcal{R}$ creates $R^* = \{pk_i^*\}_{i \in [n]}$ by calling $O_{PK}$, where $n = \mathrm{poly}(\lambda)$.

  • For each $i \in [n]$, $\mathcal{R}$ tries to create the secret key $sk_i^*$ by exploiting the aforementioned capability. Once such a key is obtained, $\mathcal{R}$ moves to the next step.

  • $\mathcal{R}$ chooses a message $m^*$ and computes $\sigma^* \leftarrow \Pi_{RS}.\mathsf{Sig}(pp, sk_i^*, R^*, m^*)$, where $sk_i^*$ is the secret key obtained in the previous step. Note that this computation is not recorded in $L_{Sign}$, as it is carried out locally by $\mathcal{R}$.

  • $\mathcal{R}$ returns $(R^*, m^*, \sigma^*)$ to the challenger.

Observe that $\Pi_{RS}.\mathsf{Vrf}(pp, \{pk_i^*\}_{i \in [n]}, m^*, \sigma^*) = 1$ holds by the correctness of $\Pi_{RS}$ if $sk_i^*$ is a valid secret key. Further, the remaining conditions for $\mathcal{R}$ to win $\mathsf{ExpEUFRS}_{\Pi_{RS}, \mathcal{R}}(1^\lambda)$ are satisfied, as every $pk_i^*$ is created via $O_{PK}$, no $pk_i^*$ is corrupted via $O_{SK}$, and the signature $\sigma^*$ is not created via $O_{RSig}$. As $\mathcal{R}$ is able to create $sk_i^*$ with non-negligible probability, $\mathcal{R}$ wins $\mathsf{ExpEUFRS}_{\Pi_{RS}, \mathcal{R}}(1^\lambda)$ with non-negligible probability, which contradicts the security of $\Pi_{RS}$.□

4 Conclusion

In this article, we demonstrated that it is impossible to construct an MDVS scheme from a ring signature scheme in a black-box manner, even though such a construction has been widely believed possible for a long time. It seems that this folklore spread due to a lack of formal discussion. Therefore, we claim that a formal discussion is important even for a seemingly trivial matter.

One of our future works is to consider the construction in the random oracle model, as we showed the impossibility only in the standard model. Further, we might be able to circumvent the impossibility if we consider stronger ring signature schemes.

Acknowledgement

This work has been accepted for presentation at CIFRIS23, the Congress of the Italian association of cryptography “De Componendis Cifris.”

Funding information: This research was in part supported by Grant-in-Aid for Scientific Research (A) (JP23H00468). This research was also partially supported by JST CREST JPMJCR22M1 and JST-AIP JPMJCR22U5, Japan.

Conflict of interest: The authors state no conflict of interest.

Appendix A Omitted security properties for MDVS and ring signature

A.1 Consistency and OTR for MDVS

In this section, we review the definitions of consistency and OTR for MDVS. Regarding OTR, compared with the study by Damgård et al. [3], we recall for simplicity a weaker definition in which a simulator requires all secret keys of the designated verifiers. Damgård et al. [3] define “OTR for any subset,” which means that a part of the secret keys of the designated verifiers is sufficient for a simulator. We note that requiring a weaker OTR for MDVS makes our result stronger, as we want to show a black-box impossibility of an MDVS scheme from a ring signature scheme: even such a weaker MDVS scheme cannot be obtained from a ring signature scheme in a black-box manner.

Definition A.1

(Consistency) An MDVS scheme $\Pi = (\mathsf{Set}, \mathsf{SKG}, \mathsf{VKG}, \mathsf{Sig}, \mathsf{Vrf}, \mathsf{Sim})$ is consistent if for any security parameter $\lambda \in \mathbb{N}$ and any stateful PPT adversary $\mathcal{A}$, it holds that $\Pr[\mathsf{Exp}^{\mathsf{Const}}_{\Pi,\mathcal{A}}(1^\lambda) = 1] \le \mathsf{negl}(\lambda)$, where $\mathsf{Exp}^{\mathsf{Const}}_{\Pi,\mathcal{A}}(1^\lambda)$ is defined as follows:

$$
\begin{array}{l}
\mathsf{Exp}^{\mathsf{Const}}_{\Pi,\mathcal{A}}(1^\lambda):\\
\quad L_{\mathsf{VPK}} \leftarrow \emptyset;\ L_{\mathsf{SPK}} \leftarrow \emptyset;\ L_{\mathsf{VSK}} \leftarrow \emptyset;\ L_{\mathsf{SSK}} \leftarrow \emptyset;\ L_{\mathsf{Sign}} \leftarrow \emptyset;\ L_{\mathsf{Vrf}} \leftarrow \emptyset;\\
\quad (\mathsf{pp}, \mathsf{msk}) \leftarrow \mathsf{Set}(1^\lambda);\\
\quad (\mathsf{id}_S^*, D^*, m^*, \sigma^*) \leftarrow \mathcal{A}^{\mathcal{O}_{\mathsf{SPK}}, \mathcal{O}_{\mathsf{SSK}}, \mathcal{O}_{\mathsf{VPK}}, \mathcal{O}_{\mathsf{VSK}}, \mathcal{O}_{\mathsf{Sig}}, \mathcal{O}_{\mathsf{Vrf}}}(\mathsf{pp}, \mathsf{spk}_{\mathsf{id}_S}, \mathsf{id}_S):\\
\quad \text{output } 1 \text{ if } \big((\mathsf{spk}_{\mathsf{id}_S^*}, \mathsf{ssk}_{\mathsf{id}_S^*}) \in L_{\mathsf{SPK}}\big) \wedge \big(\forall\, \mathsf{id}_V \in D^*,\ (\mathsf{vpk}_{\mathsf{id}_V}, \mathsf{vsk}_{\mathsf{id}_V}) \in L_{\mathsf{VPK}}\big)\\
\qquad \wedge \big(\exists\, \mathsf{id}_V, \mathsf{id} \in D^* \text{ s.t. } \mathsf{id}_V \neq \mathsf{id} \wedge (\mathsf{vpk}_{\mathsf{id}_V}, \mathsf{vsk}_{\mathsf{id}_V}), (\mathsf{vpk}_{\mathsf{id}}, \mathsf{vsk}_{\mathsf{id}}) \notin L_{\mathsf{VSK}}\\
\qquad\quad \wedge\ \mathsf{Vrf}(\mathsf{pp}, \{\mathsf{vpk}_{\mathsf{id}_V}\}_{\mathsf{id}_V \in D^*}, \mathsf{vsk}_{\mathsf{id}_V}, \mathsf{spk}_{\mathsf{id}_S^*}, m^*, \sigma^*) = 1\\
\qquad\quad \wedge\ \mathsf{Vrf}(\mathsf{pp}, \{\mathsf{vpk}_{\mathsf{id}_V}\}_{\mathsf{id}_V \in D^*}, \mathsf{vsk}_{\mathsf{id}}, \mathsf{spk}_{\mathsf{id}_S^*}, m^*, \sigma^*) = 0\big),\\
\quad \text{otherwise } 0,
\end{array}
$$

where $\mathcal{O}_{\mathsf{SPK}}$, $\mathcal{O}_{\mathsf{SSK}}$, $\mathcal{O}_{\mathsf{VPK}}$, $\mathcal{O}_{\mathsf{VSK}}$, $\mathcal{O}_{\mathsf{Sig}}$, and $\mathcal{O}_{\mathsf{Vrf}}$ are defined as in Definition 2.3.

Definition A.2

(OTR) An MDVS scheme $\Pi = (\mathsf{Set}, \mathsf{SKG}, \mathsf{VKG}, \mathsf{Sig}, \mathsf{Vrf}, \mathsf{Sim})$ is off-the-record (OTR) if for any security parameter $\lambda \in \mathbb{N}$ and any stateful PPT adversary $\mathcal{A}$, it holds that $\Pr[\mathsf{Exp}^{\mathsf{OTR}}_{\Pi,\mathcal{A}}(1^\lambda) = 1] \le \mathsf{negl}(\lambda)$, where $\mathsf{Exp}^{\mathsf{OTR}}_{\Pi,\mathcal{A}}(1^\lambda)$ is defined as follows:

$$
\begin{array}{l}
\mathsf{Exp}^{\mathsf{OTR}}_{\Pi,\mathcal{A}}(1^\lambda):\\
\quad L_{\mathsf{VPK}} \leftarrow \emptyset;\ L_{\mathsf{SPK}} \leftarrow \emptyset;\ L_{\mathsf{VSK}} \leftarrow \emptyset;\ L_{\mathsf{SSK}} \leftarrow \emptyset;\ L_{\mathsf{Sign}} \leftarrow \emptyset;\ L_{\mathsf{Vrf}} \leftarrow \emptyset;\\
\quad (\mathsf{pp}, \mathsf{msk}) \leftarrow \mathsf{Set}(1^\lambda);\ (\mathsf{spk}_{\mathsf{id}_S}, \mathsf{ssk}_{\mathsf{id}_S}) \leftarrow \mathsf{SKG}(\mathsf{pp}, \mathsf{msk}, \mathsf{id}_S);\\
\quad (D^*, m^*) \leftarrow \mathcal{A}^{\mathcal{O}_{\mathsf{SPK}}, \mathcal{O}_{\mathsf{SSK}}, \mathcal{O}_{\mathsf{VPK}}, \mathcal{O}_{\mathsf{VSK}}, \mathcal{O}_{\mathsf{Sig}}, \mathcal{O}_{\mathsf{Vrf}}}(\mathsf{pp}, \mathsf{spk}_{\mathsf{id}_S}, \mathsf{id}_S);\\
\quad \sigma_0 \leftarrow \mathsf{Sig}(\mathsf{pp}, \mathsf{ssk}_{\mathsf{id}_S}, \{\mathsf{vpk}_{\mathsf{id}}\}_{\mathsf{id} \in D^*}, m^*);\\
\quad \sigma_1 \leftarrow \mathsf{Sim}(\mathsf{pp}, \{\mathsf{vpk}_{\mathsf{id}}\}_{\mathsf{id} \in D^*}, \{\mathsf{vsk}_{\mathsf{id}}\}_{\mathsf{id} \in D^*}, \mathsf{spk}_{\mathsf{id}_S}, m^*);\\
\quad b \leftarrow \{0, 1\};\ b' \leftarrow \mathcal{A}^{\mathcal{O}_{\mathsf{SPK}}, \mathcal{O}_{\mathsf{SSK}}, \mathcal{O}_{\mathsf{VPK}}, \mathcal{O}_{\mathsf{VSK}}, \mathcal{O}_{\mathsf{Sig}}, \mathcal{O}_{\mathsf{Vrf}}}(\sigma_b);\\
\quad \text{abort the experiment if } (\mathsf{id}_S \in L_{\mathsf{SSK}}) \vee (\exists\, \mathsf{id}_V \in D^*,\ \mathsf{id}_V \in L_{\mathsf{VSK}}) \vee ((\cdot, \cdot, \cdot, \cdot, \sigma_b) \in L_{\mathsf{Vrf}}):\\
\quad \text{output } 1 \text{ if } (b = b'), \text{ otherwise } 0,
\end{array}
$$

where $\mathcal{O}_{\mathsf{SPK}}$, $\mathcal{O}_{\mathsf{SSK}}$, $\mathcal{O}_{\mathsf{VPK}}$, $\mathcal{O}_{\mathsf{VSK}}$, $\mathcal{O}_{\mathsf{Sig}}$, and $\mathcal{O}_{\mathsf{Vrf}}$ are defined as in Definition 2.3.

A.2 Anonymity for ring signature

Here, we recall the definition of anonymity against full key exposure of a ring signature scheme as follows.

Definition A.3

(Anonymity) A ring signature scheme $\Pi_{\mathsf{RS}} = (\mathsf{Set}, \mathsf{KG}, \mathsf{Sig}, \mathsf{Vrf})$ satisfies anonymity if for any security parameter $\lambda$ and any PPT adversary $\mathcal{A}$ that is allowed to make at most $q$ queries to its oracles, $\Pr[\mathsf{Exp}^{\mathsf{Ano}}_{\Pi_{\mathsf{RS}},\mathcal{A}}(1^\lambda) = 1] \le \tfrac{1}{2} + \mathsf{negl}(\lambda)$, where $\mathsf{Exp}^{\mathsf{Ano}}_{\Pi_{\mathsf{RS}},\mathcal{A}}(1^\lambda)$ is defined as follows:

$$
\begin{array}{l}
\mathsf{Exp}^{\mathsf{Ano}}_{\Pi_{\mathsf{RS}},\mathcal{A}}(1^\lambda):\\
\quad L_{\mathsf{PK}} \leftarrow \emptyset;\ L_{\mathsf{SK}} \leftarrow \emptyset;\ L_{\mathsf{Sign}} \leftarrow \emptyset;\ \mathsf{pp} \leftarrow \mathsf{Set}(1^\lambda);\\
\quad (m^*, \mathsf{pk}_0, \mathsf{pk}_1, \{\mathsf{pk}_i^*\}_{i \in [n]}) \leftarrow \mathcal{A}^{\mathcal{O}_{\mathsf{PK}}, \mathcal{O}_{\mathsf{SK}}, \mathcal{O}_{\mathsf{RSig}}}(\mathsf{pp});\\
\quad \text{abort the experiment if } (\mathsf{pk}_0, \mathsf{sk}_0), (\mathsf{pk}_1, \mathsf{sk}_1) \notin L_{\mathsf{PK}};\\
\quad b \leftarrow \{0, 1\};\ \sigma_b \leftarrow \mathsf{Sig}(\mathsf{pp}, \mathsf{sk}_b, \{\mathsf{pk}_0, \mathsf{pk}_1\} \cup \{\mathsf{pk}_i^*\}_{i \in [n]}, m^*);\\
\quad b' \leftarrow \mathcal{A}^{\mathcal{O}_{\mathsf{PK}}, \mathcal{O}_{\mathsf{SK}}, \mathcal{O}_{\mathsf{RSig}}}(\sigma_b):\\
\quad \text{output } 1 \text{ if } b = b', \text{ otherwise } 0,
\end{array}
$$

where $n = \mathrm{poly}(\lambda)$ s.t. $n \le q$, and the oracles $\mathcal{O}_{\mathsf{SK}}$ and $\mathcal{O}_{\mathsf{RSig}}$ are defined as in Definition 2.5.

References

[1] Laguillaumie F, Vergnaud D. Multi-designated verifiers signatures. In: Lopez J, Qing S, Okamoto E, editors. Information and communications security. Berlin, Heidelberg: Springer; 2004. p. 495–507. doi:10.1007/978-3-540-30191-2_38

[2] Borisov N, Goldberg I, Brewer E. Off-the-record communication, or, why not to use PGP. In: Proceedings of the 2004 ACM Workshop on Privacy in the Electronic Society. WPES ’04. New York, NY, USA: Association for Computing Machinery; 2004. p. 77–84. doi:10.1145/1029179.1029200

[3] Damgård I, Haagh H, Mercer R, Nitulescu A, Orlandi C, Yakoubov S. Stronger security and constructions of multi-designated verifier signatures. In: Pass R, Pietrzak K, editors. Theory of Cryptography. Cham: Springer International Publishing; 2020. p. 229–60. doi:10.1007/978-3-030-64378-2_9

[4] Lee B, Choo KKR, Yang J, Yoo S. Secret signatures: how to achieve business privacy efficiently? In: Kim S, Yung M, Lee HW, editors. Information security applications. Berlin, Heidelberg: Springer; 2007. p. 30–47. doi:10.1007/978-3-540-77535-5_3

[5] Jakobsson M, Sako K, Impagliazzo R. Designated verifier proofs and their applications. In: Maurer U, editor. Advances in cryptology – EUROCRYPT ’96. Berlin, Heidelberg: Springer; 1996. p. 143–54. doi:10.1007/3-540-68339-9_13

[6] Laguillaumie F, Vergnaud D. Multi-designated verifiers signatures: anonymity without encryption. Inform Process Lett. 2007;102(2):127–32. doi:10.1016/j.ipl.2006.08.015

[7] Vergnaud D. New extensions of pairing-based signatures into universal designated verifier signatures. In: Bugliesi M, Preneel B, Sassone V, Wegener I, editors. Automata, Languages and Programming. Berlin, Heidelberg: Springer; 2006. p. 58–69. doi:10.1007/11787006_6

[8] Zhang Y, Au MH, Yang G, Susilo W. (Strong) Multi-designated verifiers signatures secure against rogue key attack. In: Xu L, Bertino E, Mu Y, editors. Network and System Security. Berlin, Heidelberg: Springer; 2012. p. 334–47. doi:10.1007/978-3-642-34601-9_25

[9] Gennaro R, Trevisan L. Lower bounds on the efficiency of generic cryptographic constructions. In: Proceedings of the 41st Annual Symposium on Foundations of Computer Science. FOCS ’00. USA: IEEE Computer Society; 2000. p. 305. doi:10.1109/SFCS.2000.892119

[10] Impagliazzo R, Rudich S. Limits on the provable consequences of one-way permutations. In: Goldwasser S, editor. Advances in Cryptology – CRYPTO ’88. New York, NY: Springer; 1990. p. 8–26. doi:10.1007/0-387-34799-2_2

[11] Gertner Y, Kannan S, Malkin T, Reingold O, Viswanathan M. The relationship between public key encryption and oblivious transfer. In: Proceedings of the 41st Annual Symposium on Foundations of Computer Science; 2000. p. 325–35. doi:10.1109/SFCS.2000.892121

[12] Mahmoody M, Mohammed A, Nematihaji S. On the impossibility of virtual black-box obfuscation in idealized models. In: Kushilevitz E, Malkin T, editors. Theory of cryptography. Berlin, Heidelberg: Springer; 2016. p. 18–48. doi:10.1007/978-3-662-49096-9_2

[13] Pass R. Unprovable security of perfect NIZK and non-interactive non-malleable commitments. In: Sahai A, editor. Theory of cryptography. Berlin, Heidelberg: Springer; 2013. p. 334–54. doi:10.1007/978-3-642-36594-2_19

[14] Simon DR. Finding collisions on a one-way street: Can secure hash functions be based on general assumptions? In: Nyberg K, editor. Advances in Cryptology – EUROCRYPT ’98. Berlin, Heidelberg: Springer; 1998. p. 334–45. doi:10.1007/BFb0054137

[15] Brendel J, Fiedler R, Günther F, Janson C, Stebila D. Post-quantum asynchronous deniable key exchange and the Signal handshake. In: Hanaoka G, Shikata J, Watanabe Y, editors. Public-Key Cryptography – PKC 2022. Cham: Springer International Publishing; 2022. p. 3–34. doi:10.1007/978-3-030-97131-1_1

[16] Hashimoto K, Katsumata S, Kwiatkowski K, Prest T. An efficient and generic construction for Signal’s handshake (X3DH): post-quantum, state leakage secure, and deniable. In: Garay JA, editor. Public-Key Cryptography – PKC 2021. Cham: Springer International Publishing; 2021. p. 410–40. doi:10.1007/978-3-030-75248-4_15

[17] Chow S. Multi-designated verifiers signatures revisited. Int J Network Security. 2008;01:7.

[18] Chakraborty S, Hofheinz D, Maurer U, Rito G. Deniable authentication when signing keys leak. In: Hazay C, Stam M, editors. Advances in cryptology – EUROCRYPT 2023. Cham: Springer Nature Switzerland; 2023. p. 69–100. doi:10.1007/978-3-031-30620-4_3

[19] Maurer U, Portmann C, Rito G. Multi-designated receiver signed public key encryption. In: Dunkelman O, Dziembowski S, editors. Advances in cryptology – EUROCRYPT 2022. Cham: Springer International Publishing; 2022. p. 644–73. doi:10.1007/978-3-031-07085-3_22

[20] Behrouz P, Grontas P, Konstantakatos V, Pagourtzis A, Spyrakou M. Designated-verifier linkable ring signatures. In: Park JH, Seo SH, editors. Information security and cryptology – ICISC 2021. Cham: Springer International Publishing; 2022. p. 51–70. doi:10.1007/978-3-031-08896-4_3

[21] Yamashita K, Hara K, Watanabe Y, Yanai N, Shikata J. Designated verifier signature with claimability. In: Proceedings of the 10th ACM Asia Public-Key Cryptography Workshop. APKC ’23. New York, NY, USA: Association for Computing Machinery; 2023. p. 21–32. doi:10.1145/3591866.3593071

[22] Xu S, Yung M. Accountable ring signatures: a smart card approach. In: Smart card research and advanced applications VI; 2004. p. 271–86. doi:10.1007/1-4020-8147-2_18

[23] Liu JK, Wei VK, Wong DS. Linkable spontaneous anonymous group signature for ad hoc groups. In: Wang H, Pieprzyk J, Varadharajan V, editors. Information security and privacy. Berlin, Heidelberg: Springer; 2004. p. 325–35. doi:10.1007/978-3-540-27800-9_28

[24] Fujisaki E, Suzuki K. Traceable ring signature. In: Public Key Cryptography – PKC 2007; 2007. p. 181–200. doi:10.1007/978-3-540-71677-8_13

[25] Komano Y, Ohta K, Shimbo A, Kawamura S. Toward the fair anonymous signatures: deniable ring signatures. In: Pointcheval D, editor. Topics in cryptology – CT-RSA 2006. Berlin, Heidelberg: Springer; 2006. p. 174–91. doi:10.1007/11605805_12

[26] Park S, Sealfon A. It wasn’t me! Repudiability and unclaimability of ring signatures. In: Annual International Cryptology Conference. Springer; 2019. p. 159–90. doi:10.1007/978-3-030-26954-8_6

[27] Bender A, Katz J, Morselli R. Ring signatures: stronger definitions, and constructions without random oracles. In: Halevi S, Rabin T, editors. Theory of Cryptography. Berlin, Heidelberg: Springer; 2006. p. 60–79. doi:10.1007/11681878_4

Received: 2023-09-04
Revised: 2023-10-27
Accepted: 2023-11-10
Published Online: 2024-02-14

© 2024 the author(s), published by De Gruyter

This work is licensed under the Creative Commons Attribution 4.0 International License.

Available at: https://www.degruyterbrill.com/document/doi/10.1515/jmc-2023-0028/html