D3.2: A study on PKI and biometrics

Title: SIGNATURE SCHEMES WITH ADDITIONAL PROPERTIES

Undeniable Signatures

Undeniable Signatures provide more privacy than ordinary ones since a recipient can show an ordinary received signature to anybody else, even if there is no need to do so. For example, if Alice lent Bob money and in the process received a signed promissory, usually there is only a need to show the signature in the case of a dispute. However, Alice can show the promissory around infringing the privacy of Bob who may want to keep the fact that he borrowed money private. 

In contrast, undeniable signatures cannot be shown to third parties without the help of the signer. If, however, the signer is forced to either deny or acknowledge a valid signature, e.g., in court, he cannot deny it. Undeniable (or invisible) signatures were introduced in [ChAn90]. 

Designated confirmer signatures (or sometimes simply ‘confirmer signatures’) are a variant of undeniable signature schemes that can be verified only with some help of a semi-trusted designated confirmer. They were introduced by Chaum [CHA95] as an improvement of convertible undeniable signatures. The main difference to convertible undeniable signatures is that the capability to confirm a signature does not lie solely with the signer, which has several advantages. Designated confirmer signatures improve the availability and reliability of the confirmation services for verifiers. Verifiers can rely on a designated confirmer instead of having to rely on the signers themselves. 

Designated confirmer signatures are a useful tool to construct protocols for contract signing [ASW98]. The trusted third party in contract signing takes the role of a designated confirmer. Each participant produces a designated confirmer signature of his statement and distributes it to all other participants and to the trusted third party. After the trusted third party has collected the statements and corresponding designated confirmer signatures from all participants, they convert them into ordinary digital signatures and circulates them to all participants according to a predefined policy. Designated confirmer signatures are also useful for constructing verifiable signature sharing schemes [FR95]. 

Blind Signature Schemes

Blind signatures are issued by the signer although the signer does not actually see the content of the message he signs. However, the signer has the guarantee of signing just one message at a time. An important application is untraceable payment schemes in which the bank signs so-called electronic coins using a blind signature scheme and sells them. Later, the owner of a coin can pay with it, and the payee can deposit the coin at the bank again. The bank cannot trace the payment, because it had not actually seen the coin in the first place. 

Construction of blind signatures also requires the recipient to transform what the signer really does into the form of a signed message. The efficient construction relies on the multiplicative structure of RSA or similar basic signature schemes; in a sense, they employ selective forgery after a chosen-message attack, but in a positive way.  

Group-Oriented Signature Schemes

Sometimes people sign on behalf of a group or an organisation. In this case, it may be useful if the group has a public key. Thus, the recipients do not need to know which individuals belong to the group. If the group members trust each other, they can simply generate one secret key and disseminate it within the group. However the task gets more difficult if one of the following additional requirements have to be met: 

• A certain quorum of group members is needed to produce a signature. This maybe a simple threshold or a more complicated rule, e.g., two directors, or one director and two vice-directors etc. 

• Provisions are needed to deanonymise a particular signer later under certain circumstances.  

Other issues include: Whether a group centre is needed, to which extent it has to be trusted, and how it has to take part and whether it is explicitly required that the specific signer within the group remains anonymous from the recipient (unless the specific deanonymiser is made within the group) and whether members can dynamically enter or leave the group. 

Schemes where a quorum is needed are often called threshold signature schemes. Schemes where anonymity is guaranteed, but deanonymisation is possible under certain circumstances, are typically called group signature schemes. 

Identity-Based Signature Schemes

In identity-based signature schemes, the public keys are simply the digital partial identities of their owners. The best known scheme is given in [FIA87]. There, a trusted third party generates all the secret keys, which are used to sign messages with respect to their identities. This is necessary otherwise there would be no difference between the signer and the other participants.  

From the applications point of view, identity-based signature schemes are no different from the ordinary digital signature schemes. In addition they include key distribution via certificates by one centre. The only advantage of identity-based schemes is that the length of the authentication information is halved.  

One-Time Signature Schemes

One-time digital signatures can be used to sign, at most, one message otherwise signatures can be forged. Thus, a new public key is required for each message that is signed. The public information necessary to verify one-time signatures is often referred to as validation parameters. Most, but not all, one-time digital signatures have the advantage that signature generation and verification are very efficient. One-time signature schemes are useful in applications such as chip cards, where low computational complexity is required. 

Fail-Stop Signature Schemes

A fail-stop signature scheme contains all the components of an ordinary digital signature scheme, and, as long as the cryptographic assumption is not broken, it works in the same way. However, if someone succeeds in forging a signature, in spite of the assumption, the supposed signer can prove that it is a forgery. More precisely, if the forged signature is shown to him in order to make him responsible for it, he can prove the underlying assumption has been broken [PFIT96]. 

Self-Certified Signature Schemes

In these schemes, a signer computes a temporary signing key with his long-term signing key and its certification information together, and generates a signature on a message and certification information using the temporary signing key in a highly combined and unforgeable manner. Then, a verifier verifies both the signer’s signature on the message and related certification information together. Examples are [PET97] and [LEE02]. 

Signcryption

In contrast to current standard methods used to achieve privacy and authenticity, i.e. signature followed by encryption, signcryption addresses a question on the cost of secure and authenticated message delivery/storage, namely, whether it is possible to transport/store messages of varying length in a secure and authenticated way with an expense less than that required by signature followed by encryption.  

Signcryption schemes fulfil simultaneously both the functions of digital signature and public key encryption in a logically single step, and with a cost significantly smaller than that required by signature followed by encryption. Examples are [ZEH97] and [NAL03].