[IEEE 2011 Fifth International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS) - Seoul, Korea (South) (2011.06.30-2011.07.2)]


Identity-Based Concurrent Signature Scheme with Improved Accountability

Chih-Hung Wang, Department of Computer Science and Information Engineering, National Chiayi University, Chiayi, Taiwan, R.O.C. [email protected]

Chao Chuan Chen, Department of Computer Science and Information Engineering, National Chiayi University, Chiayi, Taiwan, R.O.C. [email protected]

Abstract—At Eurocrypt '04, Chen, Kudla and Paterson introduced the concept of the concurrent signature, a somewhat weaker notion that solves the traditional fair exchange problem. Concurrent signatures offer a new approach to fair exchange without the help of a trusted third party: only the two parties interact, and they produce two signatures. Both signatures remain ambiguous from any third party's point of view until an extra piece of information (called the keystone) is released. Once the initial signer releases the keystone, both signatures become binding to their true signers and take effect concurrently. In this paper, we present an identity-based concurrent signature scheme from bilinear pairings with improved accountability. Each user's identity (e.g. an IP address or e-mail address) serves as the public key, which simplifies key management and removes the need to maintain user certificates. The proposed scheme resists the message substitute attack and achieves real accountability.

Keywords- fair exchange, concurrent signature, accountability, identity-based, bilinear pairings, network security.

I. INTRODUCTION

With the rapid development of the Internet, more and more digital messages are exchanged over the network. Fair exchange of signatures is an important and well-studied problem in cryptography. A fair exchange protocol allows two mutually distrustful parties to exchange digital information over a network in a fair manner. In an exchange protocol, fairness is a fundamental requirement: at the end of the protocol, either each party obtains the expected item or neither of them obtains any useful information.

Many previous works have studied the problem of fair exchange. Early work was based on computational fairness [6]: such exchange protocols assume that the two parties have the same computational power and exchange their signatures "little by little". Although this approach requires no trusted third party, it is unrealistic, since it needs a highly interactive protocol with many flows.

An alternative approach asks a (semi-trusted) third party to act as a mediator who can be invoked to resolve disputes between the two parties. For efficiency, most such protocols use an off-line trusted third party [1, 13]. However, these approaches rely heavily on the trusted third party to handle disputes, so the third party has full power over the fair exchange. If it colludes with one party to cheat the other, the cheated party's rights are damaged. In other words, optimistic fair exchange protocols that rely this heavily on a third party are not suitable for practical applications, and it is hard to find an appropriate third party on the Internet.

In 2004, Chen et al. [2] introduced a somewhat weaker concept called the concurrent signature to solve the fair exchange problem; it requires neither high interaction nor the help of a trusted third party. In Chen et al.'s scheme, the two parties interact and produce two signatures that are ambiguous from any third party's point of view. Once the initial signer releases extra information (called the keystone), both signatures become binding to their true signers and take effect concurrently.

Subsequently, Susilo et al. [15] pointed out that in [2], if the parties involved in the protocol are known to be honest entities, any third party can be sure of the true identity of the signing party even before the keystone is released. Susilo et al. then proposed the perfect concurrent signature (PCS for short) to strengthen the notion of ambiguity. In their scheme, no third party can be sure who signed the signatures: even one who knows that the two signers produced the signatures still cannot bind each signature to the identity of its true signer. Thus full ambiguity is achieved. Unfortunately, Wang et al. pointed out that PCS schemes are actually not concurrent signatures, gave an attack scenario against them, and proposed the improved perfect concurrent signature (iPCS for short) [17] to resist this attack.

In 2005 and the following years, many concurrent signature schemes were proposed. For example, Nguyen proposed an asymmetric concurrent signature scheme [10] based on Schnorr and Schnorr-like signature schemes [12]. Susilo and Mu proposed a tripartite concurrent signature [14] which allows three parties to exchange their signatures; after the keystone is released, their signatures become binding concurrently. Chow and Susilo first constructed two identity-based PCS schemes [4] based on an ID-based ring signature [3]. In [16], Tonien et al. presented the first multi-party concurrent signature, solving the open problem pointed out in [2].

2011 Fifth International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing, 978-0-7695-4372-7/11 $26.00 © 2011 IEEE, DOI 10.1109/IMIS.2011.101

However, in 2007, Huang et al. [8] showed that Chow and Susilo's two ID-based schemes [4] are unfair: in [4], the initial signer can cheat the matching signer by carefully preparing the communicated value, and can therefore sign different messages to cheat the matching signer. They further proposed a secure identity-based concurrent signature that is fair. Later, Huang and Wang proposed an identity-based fair concurrent signature scheme [7] that strengthens ambiguity and fairness. Unfortunately, we found that their scheme is insecure and cannot identify the actual signer even after the keystone has been released. In 2010, Ge et al. [5] pointed out that Susilo and Mu's tripartite concurrent signature scheme [14] is not fully ambiguous, so any fourth party can identify the true signer even before the keystone is released. To overcome this defect, they proposed an improved tripartite concurrent signature scheme [5] based on the ring signature [11].

The property of accountability was first introduced by Li et al. [9]. Accountability means that the signature generated by the signer from the keystone is the only ambiguous signature that can pass the verification algorithm. In [9], the authors pointed out that many previous schemes do not achieve accountability and gave an attack on [17]. In 2008, Zhang and Wang also observed a new threat to concurrent signatures called the message substitute attack [18]: a party can arbitrarily generate many ambiguous signatures, each on a different message, all of which end up bound by the same keystone. They then proposed an improvement to remove this unfair disadvantage.

In this paper, we point out that Zhang and Wang's scheme [18] does not achieve accountability. Their improved scheme still suffers from the message substitute attack: after the initial signer releases the keystone, the matching signer can arbitrarily generate many ambiguous signatures, each on a different message, so accountability fails. We therefore propose a more secure method that defeats the message substitute attack and extend our approach to an identity-based cryptosystem. An identity-based cryptosystem uses the user's identity (e.g. an IP address or e-mail address) as the public key, which simplifies key management and removes the need to maintain user certificates.

II. RELATED WORK

A. Bilinear Pairings and Complexity Assumption

Let G1 be a cyclic additive group and G2 a cyclic multiplicative group, both of the same prime order q. P denotes an arbitrary generator of G1 and e: G1 × G1 → G2 is a bilinear map that satisfies the following properties:

• Bilinear: for all P, Q, R ∈ G1 and a, b ∈ Z_q^*,
  e(P, Q + R) = e(P, Q) · e(P, R),
  e(P + Q, R) = e(P, R) · e(Q, R),
  e(aP, bP) = e(P, P)^{ab}.

• Non-degeneracy: there exist P, Q ∈ G1 such that e(P, Q) ≠ 1.

• Computability: there is an efficient algorithm to compute e(P, Q) for all P, Q ∈ G1.

To demonstrate the security of the cryptosystem, we assume the following well-known computational hard problem.

Computational Diffie-Hellman (CDH) Problem: given P, aP, bP ∈ G1, where a, b ∈_R Z_q^* and P is a generator of G1, compute abP.

B. Review of Zhang and Wang's scheme

The property of accountability was first introduced by Li et al. [9]: the signature generated by the signer from the keystone is the only ambiguous signature that can pass the verification algorithm. In 2008, Zhang and Wang [18] also observed that many previous concurrent signature schemes [2, 7, 9, 10, 14, 15, 16, 17, 18] are subject to the message substitute attack, in which a party can arbitrarily generate many ambiguous signatures, each containing a different message. They then proposed an improvement to remove this unfair disadvantage.

Here we briefly review Zhang and Wang's scheme [18]. Owing to limited space, readers are referred to [15, 17] for the underlying Asign and Averify algorithms. Assume that Alice and Bob want to exchange their ambiguous signatures on mA and mB, respectively. First, they run the Setup algorithm to obtain the parameters.

• Setup: a probabilistic algorithm that sets up all keys and parameters.
  - Select two large primes p, q with q | p − 1 and a generator g ∈ Z_p^* of order q.
  - Generate a one-way hash function H1: {0, 1}* → Z_q.
  - Set the signature space S, message space M, keystone space K and keystone-fix space F, where K = M = {0, 1}* and F = Z_q^*.
  - Output x_A, Y_A = g^{x_A} mod p and x_B, Y_B = g^{x_B} mod p as the (private/public) key pairs of the initial signer Alice and the matching signer Bob, respectively.

Then Alice and Bob run the Asign and Averify algorithms to generate σA and σB, respectively. The detailed steps are as follows:

1) The initial signer Alice performs the following steps:
  - Choose a random keystone k ∈_R K and set s2 = H1(k, mA).
  - Run Asign to generate σA = (c, s1, s2) ← Asign(Y_A, Y_B, x_A, s2, mA).
  - Deliver the ambiguous signature (σA, mA) to Bob.

2) Upon receiving (σA, mA), Bob checks whether Averify(σA, Y_A, Y_B, mA) = accept. If not, Bob aborts. Otherwise, Bob performs the following steps to generate his ambiguous signature:
  - Choose a random number t ∈_R Z_q and compute t̄ = Y_B^t mod p.
  - Compute r = Y_A^{x_B t} mod p and k' = r mod q.
  - Set s2' = s2 + H1(k', mA, mB) mod q.
  - Run Asign to generate σB = (c', s1', s2') ← Asign(Y_B, Y_A, x_B, s2', mB).
  - Deliver (σB, mB, t̄) to Alice.

3) After receiving (σB = (c', s1', s2'), mB, t̄), Alice performs the following steps:
  - Compute r = t̄^{x_A} mod p and k' = r mod q.
  - Check whether s2' = s2 + H1(k', mA, mB) mod q holds. If not, Alice aborts.
  - Check whether Averify(σB, Y_B, Y_A, mB) = accept. If σB is not a valid signature, Alice aborts. Otherwise, Alice releases the keystone pair (k, k') so that both signatures σA and σB become binding concurrently.

4) After the keystone pair (k, k') is released, anyone can verify that σA = (c, s1, s2) and σB = (c', s1', s2') were signed by Alice and Bob respectively by checking:
  - s2 = H1(k, mA) and s2' = s2 + H1(k', mA, mB) mod q;
  - Averify(σA = (c, s1, s2), Y_A, Y_B, mA) = accept;
  - Averify(σB = (c', s1', s2'), Y_B, Y_A, mB) = accept.

Note that r = Y_A^{x_B t} = g^{x_A x_B t} = t̄^{x_A} mod p, so Alice and Bob derive the same k'. If s2 = H1(k, mA) holds and Averify(σA = (c, s1, s2), Y_A, Y_B, mA) accepts, the signature σA was generated by Alice. Similarly, if s2' = s2 + H1(k', mA, mB) mod q holds and Averify(σB = (c', s1', s2'), Y_B, Y_A, mB) accepts, the signature σB was generated by Bob.

However, we found that this improved method still cannot prevent the message substitute attack. Because the keystone fix does not contain mB, a dishonest matching signer Bob can carry out the message substitute attack on an honest initial signer Alice. This is unfair and damages Alice's rights. In the next section, we give an attack scenario on Zhang and Wang's scheme [18] and then propose a new scheme with an improved security property.

III. THE WEAKNESS OF ZHANG AND WANG'S SCHEME

Zhang and Wang's improved method binds the keystones and the exchanged messages mA and mB to the keystone fixes s2 and s2'. However, the keystone fix s2 = H1(k, mA) contains only mA, and the keystone k' = r mod q depends on neither message. This lets a dishonest matching signer Bob carry out the message substitute attack on the honest initial signer Alice: Bob can use different messages to generate many different ambiguous signatures, so that the keystone pair (k, k') released by Alice binds not only Bob's valid signature but also the invalid signatures generated on arbitrary messages.

In Step 2 of the protocol above, the keystone fix s2' = s2 + H1(k', mA, mB) mod q is built from Alice's keystone fix s2 and H1(k', mA, mB), where k' is the keystone computed by Bob and mA is Alice's message. The three parameters s2, mA and k' remain unchanged whatever Bob signs, so Bob can choose many different messages at random and generate a corresponding ambiguous signature for each. Once the keystone pair (k, k') is released by the initial signer, each of those ambiguous signatures becomes a valid signature bound concurrently with σA. The attack on Zhang and Wang's scheme is as follows:

  - For any message m̄B ∈_R M, Bob computes s̄2' = s2 + H1(k', mA, m̄B) mod q and runs Asign to generate σ̄B = (c̄', s̄1', s̄2') ← Asign(Y_B, Y_A, x_B, s̄2', m̄B).

Because the ambiguous signature (σ̄B, m̄B) passes Averify, i.e. Averify(σ̄B = (c̄', s̄1', s̄2'), Y_B, Y_A, m̄B) = accept, it is also a legitimate ambiguous signature. After the keystone pair (k, k') is released by Alice, anyone can verify that σ̄B and σA are bound concurrently with (k, k') by checking that the following equations hold:
  - s2 = H1(k, mA) and s̄2' = s2 + H1(k', mA, m̄B) mod q;
  - Averify(σA = (c, s1, s2), Y_A, Y_B, mA) = accept;
  - Averify(σ̄B = (c̄', s̄1', s̄2'), Y_B, Y_A, m̄B) = accept.

In the message substitute attack described above, Bob gains an advantage over Alice, and so the attack damages Alice's rights. Because the keystone part k' is computed by Bob and the three parameters s2, mA and k' remain unchanged, Bob can randomly choose a message m̄B and generate the corresponding ambiguous signature. Once the keystone pair (k, k') is released by the initial signer, not only are the valid signatures σA and σB bound concurrently, but σA and σ̄B also become a valid signature pair bound concurrently, although the real legal signature pair is (σA, σB), not (σA, σ̄B). Therefore Bob can use mB to generate a valid ambiguous signature or randomly choose a different message and generate the corresponding ambiguous signature, and all of these ambiguous signatures pass Averify. This design is therefore unfair to Alice. In the next section we modify the design and propose a concurrent signature with improved accountability.

IV. CONCURRENT SIGNATURE SCHEME WITH IMPROVED ACCOUNTABILITY

We observed that the previous concurrent signature schemes [2, 7, 9, 10, 14, 15, 16, 17, 18] also suffer from the message substitute attack. All of these schemes share the same problem: the keystone fix does not contain both exchanged messages mA and mB, so the message substitute attack succeeds. In this section, we propose a secure method that prevents the message substitute attack and achieves accountability.

Assume that the Setup algorithm has been executed and that Alice and Bob want to exchange their ambiguous signatures on mA and mB, respectively. For example, Alice wants to purchase an electronic product from Bob over the Internet. First, Alice signs her ambiguous signature on mA and delivers it to Bob. After receiving Alice's signature, Bob verifies its correctness. If it is correct, Bob signs his ambiguous signature on mB and delivers it to Alice. Once the initial signer releases the keystone, the two signatures become binding and valid concurrently. Thus Alice and Bob obtain their desired messages concurrently.

The concrete steps of the modified method are described as follows:

1) First, the initial signer Alice performs the following steps:
  - Choose a random keystone k ∈_R K and set the keystone fix s2 = H1(k, H1(mA, mB)).
  - Run Asign to generate σA = (c, s1, s2) ← Asign(Y_A, Y_B, x_A, s2, mA).
  - Deliver the ambiguous signature (σA, mA) to Bob.

2) Upon receiving (σA, mA), Bob checks whether Averify(σA, Y_A, Y_B, mA) = accept. If not, Bob aborts. Otherwise, Bob performs the following steps to generate his ambiguous signature:
  - Choose a random number t ∈_R Z_q and compute t̄ = Y_B^t mod p.
  - Compute r = Y_A^{x_B t} mod p and k' = H1(r, H1(mA, mB)).
  - Set s2' = s2 + H1(k') mod q.
  - Run Asign to generate σB = (c', s1', s2') ← Asign(Y_B, Y_A, x_B, s2', mB).
  - Deliver (σB, mB, t̄) to Alice.

3) After receiving (σB = (c', s1', s2'), mB, t̄), Alice performs the following steps:
  - Compute r = t̄^{x_A} mod p and k' = H1(r, H1(mA, mB)).
  - Check whether s2' = s2 + H1(k') mod q holds. If not, Alice aborts.
  - Check whether Averify(σB, Y_B, Y_A, mB) = accept. If σB is not a valid signature, Alice aborts. Otherwise, Alice releases the keystone pair (k, k') so that both signatures σA and σB become binding concurrently.

4) After the keystone pair (k, k') is released, anyone can verify that σA = (c, s1, s2) and σB = (c', s1', s2') were signed by Alice and Bob respectively by checking:
  - s2 = H1(k, H1(mA, mB)) and s2' = s2 + H1(k') mod q;
  - Averify(σA = (c, s1, s2), Y_A, Y_B, mA) = accept;
  - Averify(σB = (c', s1', s2'), Y_B, Y_A, mB) = accept.

This improvement gives the protocol four advantages.

• In the keystone fix s2, the keystone k is bound to both exchanged messages mA and mB, and k' is likewise derived from r together with H1(mA, mB). With this modification, our method completely prevents the message substitute attack: a substituted message m̄B changes the values that s2 and k' must satisfy, so a signature on m̄B cannot be bound by the released (k, k').

• Before the keystone pair (k, k') is released, nobody can tell whether the signatures (σA = (c, s1, s2), Y_A, Y_B, mA) and (σB = (c', s1', s2'), Y_B, Y_A, mB) were produced by the initial signer Alice or the matching signer Bob. Only once (k, k') is released can a third party identify the true signer. Thus our proposed scheme achieves full ambiguity.

• The structure is similar to [17, 18]. Since our scheme adds only one extra hash evaluation to the keystone fix s2, it does not affect overall performance.

• With this improvement, the ambiguous signatures (σA, mA) and (σB, mB) generated by Alice and Bob are based on the keystone pair (k, k'), and they are the only ambiguous signature pair that can pass the Verify algorithm. The scheme therefore satisfies the security property of accountability.
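The keystone-fix equations reviewed in Section II.B, the attack of Section III and the improved fixes of this section, carried out in Python as an added example (not code from the paper or from [15, 17, 18]). Only the keystone-fix layer is implemented: the Asign/Averify ring signatures of [15, 17] are left out, because Bob holds x_B and can always produce a σ̄B that Averify accepts; what decides the attack is whether the released (k, k') also binds a substituted m̄B. Assumed here, and not taken from the paper: H1 is SHA-256 reduced mod q over length-prefixed inputs, p = 2q + 1 is a toy 64-bit safe prime found by a seeded search, g = 4 is the generator of order q, and all function and variable names are the example's own.

```python
import hashlib
import random

def _probable_prime(n, rng, rounds=24):
    """Miller-Rabin with rng-chosen witnesses; used only for the toy parameter search."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def setup(bits=64, seed=2011):
    """Setup of Section II.B: primes p, q with q | p-1 (here p = 2q+1) and g of order q."""
    rng = random.Random(seed)  # seeded so the toy parameters are reproducible
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(q, rng) and _probable_prime(2 * q + 1, rng):
            return 2 * q + 1, q, 4  # 4 = 2^2 is a square mod p, hence of order q

P, Q, G = setup()

def H1(*parts):
    """H1: {0,1}* -> Z_q, assumed to be SHA-256 mod q; inputs are length-prefixed."""
    h = hashlib.sha256()
    for part in parts:
        b = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big") % Q

def keygen(rng):
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)  # (x, Y = g^x mod p)

def bob_r(x_b, t, y_a):
    """Step 2: tbar = Y_B^t mod p (sent to Alice) and r = Y_A^{x_B t} mod p (kept)."""
    return pow(pow(G, x_b, P), t, P), pow(y_a, x_b * t, P)

def alice_r(x_a, tbar):
    """Step 3: r = tbar^{x_A} = g^{x_A x_B t} mod p, the same r Bob computed."""
    return pow(tbar, x_a, P)

# Zhang-Wang [18]: s2 omits m_B and k' = r mod q depends on neither message.
def zw_fix_a(k, m_a):
    return H1(k, m_a)

def zw_fix_b(s2, kp, m_a, m_b):
    return (s2 + H1(kp, m_a, m_b)) % Q

def zw_verify(k, kp, s2, s2p, m_a, m_b):
    return s2 == zw_fix_a(k, m_a) and s2p == zw_fix_b(s2, kp, m_a, m_b)

# Section IV: both messages enter s2 and k'.
def imp_fix_a(k, m_a, m_b):
    return H1(k, H1(m_a, m_b))

def imp_kprime(r, m_a, m_b):
    return H1(r, H1(m_a, m_b))

def imp_fix_b(f_a, kp):
    return (f_a + H1(kp)) % Q

def imp_verify(k, kp, f_a, f_b, m_a, m_b):
    return f_a == imp_fix_a(k, m_a, m_b) and f_b == imp_fix_b(f_a, kp)

def substitute_attack(m_a=b"Alice pays 100", m_b=b"Bob ships the item",
                      m_b_fake=b"Bob ships nothing", seed=7):
    """Bob substitutes m_b_fake for m_b; report which pairs the released (k, k') binds."""
    rng = random.Random(seed)  # constructed demo randomness
    x_a, y_a = keygen(rng)
    x_b, _ = keygen(rng)
    k, t = rng.randrange(Q), rng.randrange(1, Q)
    tbar, r = bob_r(x_b, t, y_a)
    assert alice_r(x_a, tbar) == r  # both sides agree on r

    # Zhang-Wang: the released (k, k') validates Bob's fix for the fake message too.
    s2, kp = zw_fix_a(k, m_a), r % Q
    zw_real = zw_verify(k, kp, s2, zw_fix_b(s2, kp, m_a, m_b), m_a, m_b)
    zw_fake = zw_verify(k, kp, s2, zw_fix_b(s2, kp, m_a, m_b_fake), m_a, m_b_fake)

    # Improved: s2 already commits to m_b, so Bob's best fix for m_b_fake fails
    # both Alice's Step 3 check and the public Step 4 check.
    f_a, kp_i = imp_fix_a(k, m_a, m_b), imp_kprime(r, m_a, m_b)
    f_b_fake = imp_fix_b(f_a, imp_kprime(r, m_a, m_b_fake))
    return {
        "zw_real": zw_real,
        "zw_fake": zw_fake,
        "imp_real": imp_verify(k, kp_i, f_a, imp_fix_b(f_a, kp_i), m_a, m_b),
        "imp_fake": imp_verify(k, kp_i, f_a, f_b_fake, m_a, m_b_fake),
        "alice_step3_accepts_fake": f_b_fake == imp_fix_b(f_a, kp_i),
    }

if __name__ == "__main__":
    print(substitute_attack())
```

Running substitute_attack() reports zw_fake as True: under Zhang and Wang's fixes the pair (σ̄B, m̄B) passes the keystone checks with the very (k, k') that Alice releases for mB. Under the Section IV fixes the same attempt fails twice, at Alice's Step 3 check (her k' is computed from mB, so f_A + H1(k') no longer matches Bob's f_B) and at the public Step 4 check (s2 commits to H1(mA, mB), which Alice fixed before Bob chose anything). The toy 64-bit q keeps accidental collisions of the reduced hash negligible; the 2^10-sized groups often used for blackboard examples would not.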

V. IDENTITY-BASED CONCURRENT SIGNATURE SCHEME WITH IMPROVED ACCOUNTABILITY

In this section, we propose an identity-based concurrent signature scheme with improved accountability from bilinear pairings. In an identity-based cryptosystem, the initial signer and the matching signer can use their IDs as public information, which simplifies key management and removes the need to maintain user certificates.

The design is inspired by the identity-based ring signature [3] and modifies the keystone-fix generation procedure of Huang et al.'s identity-based concurrent signature [8], since [8] contains subtle techniques that give it more security properties. The scheme consists of five basic algorithms: Setup, Extract, Asign, Averify and Verify.

A. Basic Algorithms:

• Setup: Assume that the private key generator (PKG) chooses (G1, G2, e, q, P) for bilinear pairings as in Section II. PKG chooses a random number s ∈ Z_q^* as the master secret key and sets the public key P_pub = sP. PKG publishes the system parameters (G1, G2, e, q, P, P_pub, H0, H1), where H1 is defined as before and H0: {0, 1}* → G1. The algorithm also sets the message space M, the keystone space K and the keystone-fix space F, with M = K = F = Z_q.

• Extract: For each signer U_i, the PKG computes the private key d_{ID_i} = s Q_{ID_i}, where Q_{ID_i} = H0(ID_i), and delivers it to U_i through a secure channel.

• Asign: A probabilistic algorithm that takes as input (ID_i, ID_j, d_{ID_i}, f_i, m), (i, j ∈ {A, B}), where d_{ID_i} is the secret key associated with Q_{ID_i} and m ∈ M is the exchanged message. (The keystone fixes of the initial and matching signers are the same as in Section IV, i.e. f_A = H1(k, H1(mA, mB)) and f_B = f_A + H1(k') mod q.) Asign performs the following steps (for all i, j ∈ {A, B}):
  - Choose a random element μ ∈_R G1.
  - Compute h = H1(H0(m) || (ID_i ⊕ ID_j) || e(μ, P) · e(f_i Q_{ID_j}, P_pub)).
  - Set s_i = h − f_i mod q and s_j = f_i.
  - Compute V = h^{-1}(μ − (h − s_j) d_{ID_i}).
  - Output the ambiguous signature σ = (s_i, s_j, V).

• Averify: The algorithm takes as input (m, σ, ID_i, ID_j, P_pub), (i, j ∈ {A, B}), where σ = (s_i, s_j, V). It computes

  C = e(V, P)^{s_i + s_j} · e(s_i Q_{ID_i}, P_pub) · e(s_j Q_{ID_j}, P_pub)

and checks whether s_i + s_j = H1(H0(m) || (ID_i ⊕ ID_j) || C) holds. If it holds, the algorithm outputs accept; otherwise, it outputs reject.

• Verify: The algorithm takes (k, k', δ), where k, k' ∈ K are the keystones and δ = (m_i, m_j, σ_i, σ_j, ID_i, ID_j, P_pub), and checks that the keystones (k, k') are valid by verifying f_A = H1(k, H1(mA, mB)) and f_B = f_A + H1(k') mod q (see the protocol). If these checks fail, the algorithm outputs reject; otherwise, it runs Averify on δ. If Averify outputs accept, Verify also outputs accept.

B. Proposed Protocol:

Assume that the Setup algorithm has been executed and that the initial signer Alice and the matching signer Bob have obtained their private keys d_{ID_A} and d_{ID_B} from the PKG through the Extract algorithm. As in Section IV, the keystone k' is derived from the discrete-logarithm key pairs (x_A, Y_A) and (x_B, Y_B) over Z_p of Section II.B, which the two parties therefore hold in addition to their ID-based private keys. Alice and Bob now want to exchange their ambiguous signatures on mA and mB, respectively.

1) First, the initial signer Alice performs the following steps:
  - Choose a random keystone k ∈_R K and set the keystone fix f_A = H1(k, H1(mA, mB)).
  - Run Asign to generate σA = (s_A, s_B, V) ← Asign(ID_A, ID_B, d_{ID_A}, f_A, mA).
  - Deliver the ambiguous signature (σA, mA) to Bob.

2) Upon receiving (σA, mA), Bob checks whether Averify(σA, ID_A, ID_B, mA) = accept. If not, Bob aborts. Otherwise, Bob performs the following steps to generate his ambiguous signature:
  - Choose a random number t ∈_R Z_q and compute t̄ = Y_B^t mod p.
  - Compute r = Y_A^{x_B t} mod p and k' = H1(r, H1(mA, mB)).
  - Set f_B = f_A + H1(k') mod q.
  - Run Asign to generate σB = (s_B', s_A', V') ← Asign(ID_B, ID_A, d_{ID_B}, f_B, mB).
  - Deliver (σB, mB, t̄) to Alice.

3) After receiving (σB = (s_B', s_A', V'), mB, t̄), Alice performs the following steps:
  - Compute r = t̄^{x_A} mod p and k' = H1(r, H1(mA, mB)).
  - Check whether f_B = f_A + H1(k') mod q holds. If not, Alice aborts.
  - Check whether Averify(σB, ID_B, ID_A, mB) = accept. If σB is not a valid signature, Alice aborts. Otherwise, Alice releases the keystone pair (k, k') so that both signatures σA and σB become binding concurrently.

4) After the keystone pair (k, k') is released, anyone can verify that σA = (s_A, s_B, V) and σB = (s_B', s_A', V') were signed by Alice and Bob respectively by checking:
  - f_A = H1(k, H1(mA, mB)) and f_B = f_A + H1(k') mod q;
  - Averify(σA = (s_A, s_B, V), ID_A, ID_B, mA) = accept;
  - Averify(σB = (s_B', s_A', V'), ID_B, ID_A, mB) = accept.

VI. SECURITY ANALYSIS AND DISCUSSIONS

A. Security analysis

In this section, we show that the identity-based concurrent signature scheme with improved accountability satisfies correctness, ambiguity, unforgeability, unlinkability, fairness and the security property of accountability.

Our scheme is based on the ring signature [11] and the identity-based ring signature [3], while its construction follows Wang et al.'s scheme [17]. Therefore the proposed scheme satisfies ambiguity and unlinkability; we omit these proofs and refer the reader to [3, 11, 17]. Since the unforgeability of our identity-based concurrent signature is the same as that of Chow et al.'s scheme, the proof of unforgeability can be found in [3]. Next, we prove correctness and accountability in the following theorems.

Theorem 1. (Correctness) The proposed scheme satisfies correctness. For a signature σ = (s_i, s_j, V) produced by Asign, the hash recomputed by Averify is:

[The correctness derivation is not recoverable from the extracted text. It expands the verifier's recomputed hash value, built from $H_0(m, ID_i, ID_j)$, $e(V, P)$, $e(s_i Q_{ID_i}, P_{pub})$ and $e(s_j Q_{ID_j}, P_{pub})$, step by step using the bilinearity of $e$ and the signer's private key $d_{ID_j}$, and shows that it equals the hash value $h$ produced in Asign, so Averify accepts a correctly generated signature.]

Thus, the proposed scheme satisfies the property of correctness.

Theorem 2. (Accountability) The proposed identity-based concurrent signature scheme with improved accountability satisfies the security property of accountability. Accountability means that the ambiguous signatures $(\sigma_A, m_A)$ and $(\sigma_B, m_B)$ are the unique pair of ambiguous signatures bound to the keystone $(k, k')$ that can pass the Verify algorithm. This provides fairness to both signers.

Proof: Suppose that, besides the valid ambiguous signature $(\sigma_B, m_B)$, Bob signs another ambiguous signature $(\bar{\sigma}_B, \bar{m}_B)$ on a different message $\bar{m}_B$ in order to cheat the initial signer Alice. In our protocol, once the keystone is released, Alice's valid signature $(\sigma_A, m_A)$ and the invalid ambiguous signature $(\bar{\sigma}_B, \bar{m}_B)$ cannot form a binding pair. Because the exchanged messages $m_A$ and $m_B$ are bound into the keystone fix, after the keystone $(k, k')$ is released any third party can check the ambiguous signature $(\bar{\sigma}_B, \bar{m}_B)$ against the following equations:

- $f_A = H_1(k, H_1(m_A, m_B))$.
- $f_B = f_A + H_1(k') \bmod q$.

Since $\bar{m}_B \neq m_B$, $(\bar{\sigma}_B, \bar{m}_B)$ cannot pass these checks unless $H_1$ collides; that is, Bob cannot use the message $\bar{m}_B$ to generate an ambiguous signature that passes the Verify algorithm, so the message substitute attack fails. Therefore, the two ambiguous signatures generated by Alice and Bob form a unique pair, and the proposed scheme satisfies the security property of accountability.
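The keystone part of the protocol (Alice's step 1, Bob's step 2, Alice's step-3 consistency check and the public step-4 equations) and the substitution check in the proof of Theorem 2, as an added worked example that is not code from the paper. It models only the keystone fix; the pairing-based Asign/Averify ring signature is not implemented. Assumptions not taken from the paper: $H_1$ is SHA-256 over length-prefixed inputs reduced mod $q$; Alice's public value is $Y_A = g^{x_A} \bmod p$ and Bob sends $t = g^{x_B} \bmod p$ in the order-$q$ subgroup of a safe prime $p = 2q+1$ searched for at load time; the messages are constructed sample strings.

```python
"""Keystone-fix part of the concurrent signature protocol (added example).

Only the keystone construction, Alice's step-3 check and the step-4 public
equations are modeled; Asign/Averify are not. Assumptions (not from the
paper): H1 = SHA-256 over length-prefixed inputs mod q; Y_A = g^{x_A},
t = g^{x_B} mod p with p = 2q + 1 a safe prime found at load time.
"""
import hashlib
import secrets

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # deterministic MR below 3.3e24


def _is_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; exact for the 63-bit values used here."""
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _safe_prime_group(start: int = 1 << 62):
    """First q >= start with q and p = 2q + 1 prime; g = 4 is a QR, so of order q."""
    q = start | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


P, Q, G = _safe_prime_group()


def H1(*parts) -> int:
    """Hash to Z_q; every input is length-prefixed so H1(a, b) != H1(a || b)."""
    h = hashlib.sha256()
    for part in parts:
        data = part if isinstance(part, bytes) else part.to_bytes((part.bit_length() + 7) // 8 or 1, "big")
        h.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(h.digest(), "big") % Q


def keygen():
    """Alice's (x_A, Y_A = g^{x_A} mod p); assumed shape of the DH values."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def alice_step1(m_a: bytes, m_b: bytes):
    """Alice picks keystone k and keystone fix fA = H1(k, H1(mA, mB))."""
    k = secrets.token_bytes(32)
    return k, H1(k, H1(m_a, m_b))


def bob_step2(y_a: int, f_a: int, m_a: bytes, m_b: bytes):
    """Bob: r = Y_A^{x_B}, k' = H1(r, H1(mA, mB)), fB = fA + H1(k') mod q; returns (fB, t)."""
    x_b = secrets.randbelow(Q - 1) + 1
    k_prime = H1(pow(y_a, x_b, P), H1(m_a, m_b))
    return (f_a + H1(k_prime)) % Q, pow(G, x_b, P)


def alice_step3(x_a: int, t: int, f_a: int, f_b: int, m_a: bytes, m_b: bytes):
    """Alice recomputes r = t^{x_A} and k'; returns k', or None (abort) if fB is inconsistent."""
    k_prime = H1(pow(t, x_a, P), H1(m_a, m_b))
    return k_prime if f_b == (f_a + H1(k_prime)) % Q else None


def verify_keystone(k, k_prime, f_a, f_b, m_a, m_b) -> bool:
    """Step-4 public equations on the released keystone pair (Averify not modeled)."""
    return f_a == H1(k, H1(m_a, m_b)) and f_b == (f_a + H1(k_prime)) % Q


M_A = b"Alice: I pay 100 units for item 42"  # constructed sample messages
M_B = b"Bob: I ship item 42"
M_B_SUB = b"Bob: I ship item 41"                # Bob's substituted message


def run_honest_and_substituted():
    """Honest run passes; re-attaching the released keystone to m_B_SUB fails (Theorem 2)."""
    x_a, y_a = keygen()
    k, f_a = alice_step1(M_A, M_B)
    f_b, t = bob_step2(y_a, f_a, M_A, M_B)
    k_prime = alice_step3(x_a, t, f_a, f_b, M_A, M_B)
    honest = k_prime is not None and verify_keystone(k, k_prime, f_a, f_b, M_A, M_B)
    substituted = verify_keystone(k, k_prime, f_a, f_b, M_A, M_B_SUB)
    return honest, substituted


def alice_aborts_on_mismatched_fb():
    """Bob computes fB over m_B_SUB but delivers m_B: Alice's step-3 check rejects it."""
    x_a, y_a = keygen()
    _, f_a = alice_step1(M_A, M_B)
    f_b, t = bob_step2(y_a, f_a, M_A, M_B_SUB)
    return alice_step3(x_a, t, f_a, f_b, M_A, M_B) is None
```

Both failure paths matter in practice: the step-3 check stops Alice from releasing a keystone that was computed over a message she never saw, and the step-4 equations let any third party reject a signature whose message differs from the one bound into $H_1(m_A, m_B)$. Neither check depends on the ring-signature verification itself.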

B. Discussion

In this section, we compare the previous schemes [2, 4, 7, 8, 9, 10, 14, 15, 16, 17, 18] with our proposed scheme in terms of the security property of accountability and the use of an identity-based cryptosystem (as shown in Table I).

Our improved concurrent signature scheme not only resists the message substitute attack but also satisfies the security property of accountability. Because many previous schemes use a certificate-based public key system, they require key management procedures and must maintain the users' certificates. Since our scheme uses an identity-based cryptosystem, it simplifies key management and does not need to maintain the users' certificates. In these respects, our proposed scheme improves on the other schemes.

TABLE I. COMPARISON AMONG OUR SCHEME AND OTHERS

Scheme                  Accountability   Identity-based
Ours                    Yes              Yes
Chen et al. [2]         No               No
Chow and Susilo [4]     No               Yes
Huang and Wang [7]      No               Yes
Huang et al. [8]        No               Yes
Li et al. [9]           No               No
Nguyen [10]             No               No
Susilo and Mu [14]      No               No
Susilo et al. [15]      No               No
Tonien et al. [16]      No               No
Wang et al. [17]        No               No
Zhang et al. [18]       No               No

VII. CONCLUSIONS

In this paper, we resolve the problem of the message substitute attack. Since the exchanged messages are bound into the keystone fix, neither Alice nor Bob can carry out this attack. With this improvement, our scheme satisfies the security property of accountability.

Further, we extend our scheme to an identity-based concurrent signature from bilinear pairings. The proposed scheme uses each user's identity as a certified public key, which eliminates the users' certificates and the associated management load of the system. In this way our proposed scheme is more efficient.

REFERENCES

[1] N. Asokan, V. Shoup, and M. Waidner, "Optimistic fair exchange of digital signatures," IEEE Journal on Selected Areas in Communications, vol. 18, Apr. 2000, pp. 591-610.

[2] L. Chen, C. Kudla, and K. Paterson, "Concurrent signatures," in Advances in Cryptology - EUROCRYPT 2004, Lecture Notes in Computer Science, vol. 3027, Springer-Verlag, Berlin, 2004, pp. 287-305.

[3] S. S. M. Chow, R. W. C. Lui, L. C. K. Hui, and S. M. Yiu, "Identity based ring signature: Why, how and what next," in EuroPKI 2005, Lecture Notes in Computer Science, vol. 3545, Springer-Verlag, Berlin, 2005, pp. 144-161.

[4] S. Chow and W. Susilo, "Generic construction of (identity-based) perfect concurrent signatures," in Information and Communications Security (ICICS 2005), Lecture Notes in Computer Science, vol. 3783, Springer-Verlag, Berlin, 2005, pp. 194-206.

[5] H. Ge, Y. Sun, L. Gu, S. Zheng, and Y. Yang, "Improved tripartite concurrent signature," in Computer Technology and Development (ICCTD 2010), 2010, pp. 586-590.

[6] O. Goldreich, "A simple protocol for signing contracts," in Advances in Cryptology - CRYPTO 1983, Springer, Berlin, 1984, pp. 133-136.

[7] X. Huang and L. Wang, "A fair concurrent signature scheme based on identity," in High Performance Computing and Applications (HPCA 2009), Lecture Notes in Computer Science, vol. 5938, 2010, pp. 198-205.

[8] Z. Huang, K. Chen, and Y. Wang, "Analysis and improvements of two identity-based perfect concurrent signature schemes," Informatica, vol. 18, Sep. 2007, pp. 375-394.

[9] Y. Li, D. He, and X. Lu, "Accountability of perfect concurrent signature," in Computer and Electrical Engineering (ICCEE 2008), Dec. 2008, pp. 773-777.

[10] K. Nguyen, "Asymmetric concurrent signatures," in Information and Communications Security (ICICS 2005), Lecture Notes in Computer Science, vol. 3783, Springer-Verlag, Berlin, 2005, pp. 181-193.

[11] R. Rivest, A. Shamir, and Y. Tauman, "How to leak a secret," in Advances in Cryptology - ASIACRYPT 2001, Lecture Notes in Computer Science, vol. 2248, Springer-Verlag, Berlin, 2001, pp. 552-565.

[12] C. P. Schnorr, "Efficient signature generation by smart cards," Journal of Cryptology, vol. 4, 1991, pp. 161-174.

[13] Z. Shao, "Certificate-based verifiably encrypted signatures from pairings," Information Sciences, vol. 178, May 2008, pp. 2360-2373.

[14] W. Susilo and Y. Mu, "Tripartite concurrent signatures," in The 20th IFIP International Information Security Conference (IFIP/SEC 2005), Springer-Verlag, Berlin, 2005, pp. 425-441.

[15] W. Susilo, Y. Mu, and F. Zhang, "Perfect concurrent signature schemes," in Information and Communications Security (ICICS 2004), Lecture Notes in Computer Science, vol. 3269, Springer-Verlag, Berlin, 2004, pp. 14-26.

[16] D. Tonien, W. Susilo, and R. Safavi-Naini, "Multi-party concurrent signatures," in Information Security (ISC 2006), Lecture Notes in Computer Science, vol. 4176, Springer-Verlag, Berlin, 2006, pp. 131-145.

[17] G. Wang, F. Bao, and J. Zhou, "The fairness of perfect concurrent signatures," in Information and Communications Security (ICICS 2006), Lecture Notes in Computer Science, vol. 4307, Springer-Verlag, Berlin, 2006, pp. 435-451.

[18] Y. Zhang and X. Wang, "Message substitute attack on concurrent signatures protocol and its improvement," in Electronic Commerce and Security (ISECS 2008), IEEE Press, 2008, pp. 497-501.
