
Towards Signature-Only Signature Schemes


Abstract

We consider a problem which was stated in a request for comments made by NIST in the FIPS97 document. The question is the following: Can we have a digital signature public key infrastructure where the public (signature verification) keys cannot be abused for performing encryption? This may be applicable in the context of, say, exportable/escrow cryptography. The basic dilemma is that on the one hand, (1) to avoid framing by potentially misbehaving authorities we do not want them to ever learn the "signing keys" (e.g., Japan at some point declared a policy where signature keys may be required to be escrowed), and on the other hand (2) if we allow separate inaccessible public signature verification keys, these keys (based on trapdoor functions) can be used as "shadow public keys," and hence can be used to encrypt data in an unrecoverable manner. Any solution within the "trapdoor function" paradigm of Diffie and Hellman does not seem to lead to a solution which will simultaneously satisfy (1) and (2). The cryptographic community has so far paid very limited attention to the problem. In this work, we present the basic issues and suggest a possible methodology and the first scheme that may be used to solve much of the problem. Our solution takes the following steps: (1) it develops the notion of a nested trapdoor, on which our methodology is based; (2) we implement this notion based on a novel composite "double-decker" exponentiation technique which embeds the RSA problem within it (the technique may be of independent interest); (3) we analyze carefully what can and what cannot be achieved regarding the open problem posed by NIST (our analysis is balanced and points out possibilities as well as impossibilities); and (4) we give a secure signature scheme within a public key infrastructure, wherein the published public key can be used for signature verification only (if it is used for encryption, then the authorities can decrypt the data).

The security of our scheme is based on RSA. We then argue how the scheme's key cannot be abused (statically) based on an additional assumption. We also show that further leakages and subliminal leakages when the scheme is in (dynamic) use are not added substantially beyond what is always possible for a simple adversary; we call this notion competitive leakage. We also demonstrate such a simple leaking adversary. We hope that our initial work will stimulate further thoughts on the non-trivial issue of signature-only signatures.
