Efficient designated confirmer signature and DCS-based ambiguous optimistic fair exchange

Designated confirmer signature (DCS) extends the undeniable signature so that a party called confirmer can also confirm/disavow nonself-authenticating signatures on the signer's behalf. Previous DCS schemes, however, can let a signer confirm a valid signature but not disavow an invalid one, while only a confirmer can. It remains open to construct a DCS which also allows the signer to disavow. In this work, we propose new security models for formalizing the signer's ability to disavow. We propose a new DCS scheme and prove its security without random oracles. The new DCS scheme is efficient and also convertible. A signature in this new DCS consists of only three bilinear group elements. This is much shorter than any of the existing schemes. In addition, the scheme can be extended to support multiple confirmers and threshold conversion. Adding a confirmer incurs the addition of only one group element in a signature. Furthermore, we propose an efficient construction of ambiguous optimistic fair exchange (AOFE) of digital signatures based on the new DCS scheme. A partial AOFE signature consists of three elements in an elliptic curve group and four in group ${\BBZ}-p$, and a full signature has only three group elements, which are shorter than those in Garay 's scheme (Crypto 1999) and Huang 's scheme (Asiacrypt 2008). © 2006 IEEE.