eprint.iacr.org will be offline for approximately an hour for routine maintenance again at 10pm UTC on Wednesday, April 17.

Paper 2009/406

On-line Non-transferable Signatures Revisited

Jacob C. N. Schuldt and Kanta Matsuura


Undeniable signatures, introduced by Chaum and van Antwerpen, and designated confirmer signatures, introduced by Chaum, allow a signer to control the verifiability of his signatures by requiring a verifier to interact with the signer to verify a signature. An important security requirement for these types of signature schemes is \emph{non-transferability} which informally guarantees that even though a verifier has confirmed the validity of a signature by interacting with the signer, he cannot prove this knowledge to a third party. Recently Liskov and Micali pointed out that the commonly used notion of non-transferability only guarantees security against an off-line attacker which cannot influence the verifier while he interacts with the signer, and that almost all previous schemes relying on interactive protocols are vulnerable to on-line attacks. To address this, Liskov and Micali formalized on-line non-transferable signatures which are resistant to on-line attacks, and proposed a generic construction based on a standard signature scheme and an encryption scheme. In this paper, we revisit on-line non-transferable signatures. Firstly, we extend the security model of Liskov and Micali to cover not only the sign protocol, but also the confirm and disavow protocols executed by the confirmer. Our security model furthermore considers the use of multiple (potentially corrupted or malicious) confirmers, and guarantees security against attacks related to the use of signer specific confirmer keys. We then present a new approach to the construction of on-line non-transferable signatures, and propose a new concrete construction which is provably secure in the standard model. Unlike the construction by Liskov and Micali, our construction does not require the signer to issue ``fake'' signatures to maintain security, and allows the confirmer to both confirm and disavow signatures. Lastly, our construction provides noticeably shorter signatures than the construction by Liskov and Micali.

Available format(s)
Public-key cryptography
Publication info
Published elsewhere. Unknown where it was published
non-transferable signaturesstandard modelprovable security.
Contact author(s)
jacob schuldt @ aist go jp
2011-03-07: last of 3 revisions
2009-08-24: received
See all versions
Short URL
Creative Commons Attribution


      author = {Jacob C.  N.  Schuldt and Kanta Matsuura},
      title = {On-line Non-transferable Signatures Revisited},
      howpublished = {Cryptology ePrint Archive, Paper 2009/406},
      year = {2009},
      note = {\url{https://eprint.iacr.org/2009/406}},
      url = {https://eprint.iacr.org/2009/406}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.