More on stand-alone and setup-free verifiably committed signatures

Abstract

Two notions regarding fair exchange protocols have been introduced and formalized in the literature -one is verifiably encrypted signatures; the other is verifiably committed signatures. Thus it is always interesting to explore relationship between two notions. In this paper, we first show that the existence of verifiably encrypted signatures implies the existence of the verifiably committed signatures while the existence of verifiably committed signatures does not imply the existence of verifiably encrypted signatures. As a result, the notion of verifiably committed signatures is a general extension of the notion of verifiably encrypted signatures. The state-of-the-art verifiably committed signature that enjoys the off-line, setup-free and stand-alone properties is due to Zhu and Bao [21]. The main criticism of their paper is the use of Boudot's protocol which is pretty expensive indeed. This paper further makes contributions regarding the removal of Boudot's protocol from their construction [21]. To cope with this challenge problem, we provide a general construction of stand-alone and setup-free verifiably committed signatures from Schnorr's signature without the help of Boudot's protocol. We show that our implementation is provably secure in the random oracle model assuming that the underlying Schnorr's signature scheme is secure against adaptive chosen message attack and Paillier's encryption scheme is one-way. Since Cramer-Shoup's trapdoor hash signature is of ad hoc structure, we can embed the discrete logarithm structure where Schnorr's signature is defined into Cramer-Shoup's scheme and then apply the proved result to the verifiably committed signature of [21]. © Springer-Verlag Berlin Heidelberg 2006.