The Fairness of Perfect Concurrent Signatures

In Eurocrypt 2004, Chen, Kudla and Paterson introduced the concept of concurrent signatures, which allow two parties to produce two ambiguous signatures until the initial signer releases an extra piece of information (called keystone). Once the keystone is publicly known, both signatures are bound to their true signers concurrently. In ICICS 2004, Susilo, Mu and Zhang further proposed perfect concurrent signatures to strengthen the ambiguity of concurrent signatures. That is, even if the both signers are known having issued one of the two ambiguous signatures, any third party is still unable to deduce who signed which signature, different from Chen et al.’s scheme. In this paper, we point out that Susilo et al.’s two perfect concurrent signature schemes are actually not concurrent signatures. Specifically, we identify an attack that enables the initial signer to release a carefully prepared keystone that binds the matching signer’s signature, but not the initial signer’s. Therefore, their schemes are unfair for the matching signer. Moreover, we present an effective way to avoid this attack so that the improved schemes are truly perfect concurrent signatures.