On Directed Transitive Signature

In early 2000’s, Rivest [Riv00,MR02] and Micali [MR02] introduced the notion of transitive signature, which allows a third party to generate a valid signature for a composed edge (vi, vk), from the signatures for two edges (vi, vj) and (vj , vk), and using the public key only. Since then, a number of works, including [MR02,BN02,Hoh03,SFSM05,BN05], have been devoted on transitive signatures. Most of them address the undirected transitive signature problem, and the directed transitive signature is still an open problem. S. Hohenberger [Hoh03] even showed that a directed transitive signature implies a complex mathmatical group, whose existence is still unkown. Recently, a few directed transitive signature schemes [Yi07,Nev08] on directed trees are proposed. The drawbacks of these schemes include: the size of composed signature increases linearly with the number of recursive applications of composition and the creating history of composed edge is not hidden properly. This paper presents DT T S—a Directed -Tree-Transitive Signature scheme, to address these issues. Like previous works [Yi07,Nev08], DT T S is designed only for directed trees, however, it features with constant (composed) signature size and privacy preserving property. G. Neven [Nev08] pointed out constant signature size is an essential requirement of the original directed transitive signature problem raised by Rivest and Micali. In this sense, our scheme DT T S is the first transitive signature scheme on a directed tree. We also prove that DT T S is transitively unforgeable under adaptive chosen message attack in the standard model.