On Fail-Stop Signature Schemes with H-EUC Security

Masahiro NOMURA  Katsuhiro NAKAMURA  

IEICE TRANSACTIONS on Fundamentals of Electronics, Communications and Computer Sciences   Vol.E102-A   No.1   pp.125-147
Publication Date: 2019/01/01
Online ISSN: 1745-1337
DOI: 10.1587/transfun.E102.A.125
Type of Manuscript: Special Section PAPER (Special Section on Cryptography and Information Security)
digital signature,  fail-stop signature,  unforgeability,  non-repudiability,  UC security,  

Full Text: PDF(704.3KB)
>>Buy this Article

Fail-Stop Signature (FSS) scheme is a signature scheme which satisfies unforgeability even against a forger with super-polynomial computational power (i.e. even against a forger who can compute acceptable signatures) and non-repudiability against a malicious signer with probabilistic polynomial time computational power (i.e. a PPT malicious signer). In this paper, under some settings, the equivalence relation has been derived between a set of security properties when single FSS scheme is used singly and a security property called Universally Composable (UC) security when plural FSS schemes are concurrently used. Here, UC security is a security property guaranteeing that even when plural schemes are concurrently used, security properties of each scheme (for single scheme usage) are preserved. The above main settings are as follows. Firstly, H-EUC (Externalized UC) security is introduced instead of “conventional” UC security, where a new helper functionality H is constructed appropriately. It is because that we can derive “conventional” UC security cannot hold for FSS schemes when malicious parties (e.g. a forger and a malicious signer) have super-polynomial computational power. In the environment where the above helper functionality H is used, all parties are PPT, but only a forger may compute acceptable signatures by obtaining some additional information from H. Secondly, the definition of unforgeability (in a set of security properties for single FSS scheme usage) is revised to match the above environment. The above equivalence relation derived under the above settings guarantees that even when plural FSS schemes are concurrently used, those security properties for single scheme usage are preserved, provided that some conditions hold. In particular, the equivalence relation in this paper has originality in terms of guaranteeing that unforgeability is preserved even against a forger who is PPT but may compute acceptable signatures. Furthermore, it has been firstly proved in this paper that H-EUC security holds for an existing instantiation of an FSS scheme by Mashatan et al. From this, it can be said that the equivalence relation shown in this paper is practical.