Article ID: 433890
Journal: Theoretical Computer Science
Published Year: 2016
Pages: 20 Pages
File Type: PDF
Abstract

Since the invention of designated confirmer signatures (DCS), a number of schemes with various properties and different underlying mathematical problems have been developed. Although a considerable amount of work has been dedicated to the design of DCS schemes, the confusion among the security notions in the existing DCS models has not been formally discussed and clarified to achieve a proper level of confirmer's security. In order to achieve provable security, we propose a reduced security model and prove that a DCS cryptosystem only requires transcript-simulatability or, alternatively, invisibility plus non-transferability from a modelling perspective. Accompanying the reduced DCS model, a generic DCS scheme is also constructed that still retains the feature of full verification, i.e., either the signer or the confirmer can interactively verify arbitrary signatures by providing a convincing proof. Our proposed scheme employs a computationally binding commitment scheme, together with an IND-CCA2 secure public encryption scheme, to achieve provable security in the standard model. We also present an efficient concrete instantiation using BLS signatures, the CS-Paillier encryption scheme with labels, and the Pedersen commitment scheme.

Related Topics
Physical Sciences and Engineering > Computer Science > Computational Theory and Mathematics