Designated confirmer signatures: modelling, design and analysis

Digital signatures are one of the most significant achievements of public-key cryptography and constitute a fundamental tool to ensure data authentication. However, the public verifiability of digital signatures may have undesirable consequences when manipulating sensitive and private information. Undeniable signatures, whose verification requires the cooperation of the signer in an interactive way, were invented due to such considerations. Whereafter, designated confirmer signatures (DCS) were introduced as an improved cryptographic primitive when the signer becomes unavailable in undeniable signatures. This thesis is mainly devoted to the modelling, design and analysis of designated confirmer signatures. By exploiting the existing security notions, we theoretically analyse the relations among unimpersonation, invisibility, non-transferability and transcript-simulatability. To this end, we develop formal proofs to demonstrate the implications of those properties. After providing the theoretical results related to the security model, we develop both concrete and generic DCS constructions that adapts to a full verification setting. On one hand, by supporting the signer’s ability to disavow, we can achieve an efficient designated confirmer signature by using bilinear maps, and such a construction is secure in the random oracle model under a new computational assumption. On the other hand, we build a generic transformation that is inspired by Gentry, Molnar, Ramzan’s DCS scheme. The new generic DCS scheme is proved to be secure in the standard model, and can be implemented to obtain an efficient instantiation

Designated Confirmer Signatures With Unified Verification

After the introduction of designated confirmer signatures (DCS) by Chaum in 1994, considerable researches have been done to build generic schemes from standard digital signatures and construct efficient concrete solutions. In DCS schemes, a signature cannot be verified without the help of either the signer or a semi-trusted third party, called the designated confirmer. If necessary, the confirmer can further convert a DCS into an ordinary signature that is publicly verifiable. However, there is one limit in most existing schemes: the signer is not given the ability to disavow invalid DCS signatures. Motivated by this observation, in this paper we first propose a new variant of DCS model, called designated confirmer signatures with unified verification, in which both the signer and the designated confirmer can run the same protocols to confirm a valid DCS or disavow an invalid signature. Then, we present the first DCS scheme with unified verification and prove its security in the random oracle (RO) model and under a new computational assumption, called Decisional Co-efficient Linear (D-co-L) assumption, whose intractability in pairing settings is shown to be equivalent to the well-known Decisional Bilinear Diffie-Hellman (DBDH) assumption. The proposed scheme is constructed by encrypting Boneh, Lynn and Shacham’s pairing based short signatures with signed ElGamal encryption. The resulting solution is efficient in both aspects of computation and communication. In addition, we point out that the proposed concept can be generalized by allowing the signer to run different protocols for confirming and disavowing signatures

On the invisibility of designated confirmer signatures

As an important cryptographic primitive, designated con- rmer signatures are introduced to control the public veria- bility of signatures. That is, only the signer or a semi-trusted party, called designated conrmer, can interactively assist a verier to check the validity of a designated conrmer sig- nature. The central security property of a designated con- rmer signature scheme is called invisibility, which requires that even an adaptive adversary cannot determine the valid- ity of an alleged signature without direct cooperation from either the signer or the designated conrmer. However, in the literature researchers have proposed two other related properties, called impersonation and transcript simulatabil- ity, though the relations between them are not clear. In this paper, we rst explore the relations among these three invisi- bility related concepts and conclude that invisibility, imper- sonation and transcript simulatability forms an increasing stronger order. After that, we turn to study the invisibil- ity of two designated conrmer signature schemes recently presented by Zhang et al. and Wei et al. By demonstrating concrete and eective attacks, we show that both of those two scheme fail to meet invisibility, the central security prop- erty of designated conrmer signatures

on the invisibility of designated confirmer signatures

ACM Spec. Interest Group Secur., Audit, Control (SIGSAC)As an important cryptographic primitive, designated confirmer signatures are introduced to control the public verifiability of signatures. That is, only the signer or a semi-trusted party, called designated confirmer, can interactively assist a verifier to check the validity of a designated confirmer signature. The central security property of a designated confirmer signature scheme is called invisibility, which requires that even an adaptive adversary cannot determine the validity of an alleged signature without direct cooperation from either the signer or the designated confirmer. However, in the literature researchers have proposed two other related properties, called impersonation and transcript simulatability, though the relations between them are not clear. In this paper, we first explore the relations among these three invisibility related concepts and conclude that invisibility, impersonation and transcript simulatability forms an increasing stronger order. After that, we turn to study the invisibility of two designated confirmer signature schemes recently presented by Zhang et al. and Wei et al. By demonstrating concrete and effective attacks, we show that both of those two scheme fail to meet invisibility, the central security property of designated confirmer signatures. Copyright 2011 ACM

Improvement of provably secure self-certified proxy convertible authenticated encryption scheme

By integrating self-certified public-key systems and the designated verifier proxy signature with message recovery, Wu and Lin proposed the first self-certified proxy convertible authenticated encryption (SP-CAE) scheme and its variants based on discrete logarithm problem (DLP) in 2009. Though their schemes are claimed provably secure, we demonstrate that their schemes are existentially forgeable under adaptive chosen warrants, unconfidentiable and verifiable under adaptive chosen messages and designated verifiers. Then we propose a provably secure SP-CAE scheme in the random oracle model

Replication-Competent Infectious Hepatitis B Virus Vectors Carrying Substantially Sized Transgenes by Redesigned Viral Polymerase Translation

<div><p>Viral vectors are engineered virus variants able to deliver nonviral genetic information into cells, usually by the same routes as the parental viruses. For several virus families, replication-competent vectors carrying reporter genes have become invaluable tools for easy and quantitative monitoring of replication and infection, and thus also for identifying antivirals and virus susceptible cells. For hepatitis B virus (HBV), a small enveloped DNA virus causing B-type hepatitis, such vectors are not available because insertions into its tiny 3.2 kb genome almost inevitably affect essential replication elements. HBV replicates by reverse transcription of the pregenomic (pg) RNA which is also required as bicistronic mRNA for the capsid (core) protein and the reverse transcriptase (Pol); their open reading frames (ORFs) overlap by some 150 basepairs. Translation of the downstream Pol ORF does not involve a conventional internal ribosome entry site (IRES). We reasoned that duplicating the overlap region and providing artificial IRES control for translation of both Pol and an in-between inserted transgene might yield a functional tricistronic pgRNA, without interfering with envelope protein expression. As IRESs we used a 22 nucleotide element termed Rbm3 IRES to minimize genome size increase. Model plasmids confirmed its activity even in tricistronic arrangements. Analogous plasmids for complete HBV genomes carrying 399 bp and 720 bp transgenes for blasticidin resistance (BsdR) and humanized <i>Renilla</i> green fluorescent protein (hrGFP) produced core and envelope proteins like wild-type HBV; while the hrGFP vector replicated poorly, the BsdR vector generated around 40% as much replicative DNA as wild-type HBV. Both vectors, however, formed enveloped virions which were infectious for HBV-susceptible HepaRG cells. Because numerous reporter and effector genes with sizes of around 500 bp or less are available, the new HBV vectors should become highly useful tools to better understand, and combat, this important pathogen.</p> </div

Infection of HepaRG cells by recombinant HBV vector particles.

<p>Differentiated HepaRG cells were inoculated with viral particles from culture supernatants of HepG2 cells transfected with the indicated plasmids, or with patient serum-derived HBV, at a nominal moi of 100 vge per cell; the hrGFP HBV vector particles had to be used at 10 vge/cell. (A) <i>De novo</i> production of vector-specified RNAs. Eight days post inoculation, total cellular RNA was analyzed by Northern blotting with a HBV-specific probe. The positions of authentic and vector-derived pgRNAs and of the unmodified sgRNAs are indicated. (B,C). Secretory antigen expression. Supernatants from HepaRG cells inoculated with wild-type HBV (▪) or BsdR-HBV vector particles (▴) were analyzed at the indicated time points post inoculation for HBsAg (B) and HBeAg (C). (D) GFP expression in hrGFP-HBV vector inoculated cells indicates successful infection and allows assessment of virus-neutralizing activity. Development of GFP fluorescence in HepaRG cells inoculated with untreated (panel D1) or Hepatitis B immunoglobulin (HBIG) pretreated pCH-hrGFP derived particles (D3) was monitored by fluorescence microscopy. Images were taken at 6 days post inoculation. Merged images of the fluorescent signals with bright field phase contrast are shown in panels D2 and D4, respectively.</p

The 22-nt Rbm3 IRES directs downstream reporter gene expression from bicistronic and tricistronic HBV pgRNA mimics.

<p>(A) EGFP as reporter. <i>Left</i>: Schematic representation of the expression cassettes used. The upstream part is identical to the HBV vector pCH-9/3093 <a href="http://www.plosone.org/article/info:doi/10.1371/journal.pone.0060306#pone.0060306-Sun1" target="_blank">[40]</a>, <a href="http://www.plosone.org/article/info:doi/10.1371/journal.pone.0060306#pone.0060306-Liu1" target="_blank">[21]</a> in which the CMV-IE promoter drives transcription of authentic pgRNA starting at nt position 3100. In constructs I - III the sequence following the end of the core gene was replaced by the indicated control elements and a gene for EGFP; in construct IV, the EGFP gene was fused to the authentic Pol translation start. pC denotes the preC region; its start codon (nt positions 3096–3098) is not part of the pgRNA. BsdR, blasticidin resistance. <i>Right</i>: EGFP fluorescence in HepG2 cells transfected with constructs I - IV on day 4 post transfection. All micrographs were taken under identical conditions. Comparable results were obtained in Huh7 cells. (B) RLuc as reporter. The constructs are based on the HBV expression vector pHBV1.3 <a href="http://www.plosone.org/article/info:doi/10.1371/journal.pone.0060306#pone.0060306-Ren1" target="_blank">[46]</a> in which pgRNA transcription is driven by the authentic HBV core promoter which overlaps with coding information for the RNase H (RH) domain of Pol and HBx (X), and which also generates precore mRNA, thus giving rise to genuine HBeAg. No significant differences in HBeAg levels between constructs I, II, and III were detected by HBeAg ELISA (n = 3; <i>P</i>>0.05). Histograms on the right show relative RLuc activities in HepG2 and Huh7 cells compared to firefly luciferase activities from cotransfected pGL3 control vector, as determined by the dual luciferase assay. Values for the EMCV IRES construct were set as 100%. Mean values from three independent experiments are shown; error bars indicate standard deviation (SD). All differences between the groups were significant, with <i>P</i><0.01 for all pairs except III vs. IV (<i>P</i><0.05).</p