Confirmer Signature Schemes Secure Against Adaptive Adversaries

The main difference between confirmer signatures and ordinary digital signatures is that a confirmer signature can be verified only with the assistance of a semitrusted third party, the confirmer. Additionally, the confirmer can selectively convert single confirmer signatures into ordinary signatures. If this is a standard signature such as RSA or DSS, we say that the confirmer signature scheme provides perfect conversion, a property unmet so far. This paper points out that previous models for confirmer signature schemes are too restricted to address the case where several signers share the same confirmer. More seriously, we show that various proposed schemes (some of which are provably secure in these restricted models) are vulnerable to an adaptive "re-signing" attack. We define a new stronger model that covers this kind of attack and provide a generic solution that enjoys perfect conversion. We also exhibit a concrete instance thereof.

By: Jan Camenisch and Markus Michels

Published in: Advances in Cryptology -- Eurocrypt 2000, edited by B. Preneel, Berlin, Springer-Verlag, pp. 243-58, 2000

Please obtain a copy of this paper from your local library. IBM cannot distribute this paper externally.

Questions about this service can be mailed to reports@us.ibm.com.