Available online at www.sciencedirect.

com

Computer Standards & Interfaces 31 (2009) 282 – 285

www.elsevier.com/locate/csi

Chameleon hash without key exposure based on Schnorr signature

Wei Gao a,⁎,1 , Fei Li a , Xueli Wang b
a
College of Mathematics and Information, Ludong University, Yantai, 264025, PR China
b
College of Mathematics Science, South China Normal University, Guangzhou, 510630, PR China

Received 13 October 2005; received in revised form 17 December 2007; accepted 20 December 2007
Available online 31 December 2007

Abstract

Based on the famous Schnorr signature scheme, we propose a new chameleon hash scheme which enjoys all advantages of the previous
schemes: collision-resistant, message-hiding, semantic security, and key-exposure-freeness.
© 2007 Elsevier B.V. All rights reserved.

Keywords: Chameleon signature; Chameleon hash; Key-exposure; Digital signature standard

1. Introduction signature on a second message, Alice can prove knowledge of

Chameleon signatures were introduced in [5]. It is con-
structed based on the well established hash-and-sign paradigm,
where it is not a general hash function but a so-called chameleon
hash function that is used to compute the message digest. A
chameleon hash function is a trapdoor one-way hash function
with some special properties. These properties ensure that the
chameleon signature is non-transferable and non-repudiated. In
the model of chameleon signature, assume that Alice wants to
generate a signature which can only be verified by the designated
receiver Bob. For Alice, the party without the trapdoor, a cha-
meleon hash function is collision-resistant. However, for Bob,
the trapdoor's holder, it is easy to find any collision. When Alice
signs not the message itself but its chameleon hash value, Bob
can present any message with this same hash value. In other
words, Bob has the ability to deceive the third party believing
that this signature is for any message.
Because of this possibility, the third party will not believe Bob.
So the non-transferability of the chameleon signature is obtained.
On the other hand, if Bob reuses the hash value to obtain a
⁎ Corresponding author.
E-mail address: sdgaowei@yahoo.com.cn (W. Gao).
1
This work was partially supported by CNSF10771078.
0920-5489/$ - see front matter © 2007 Elsevier B.V. All rights reserved.
doi:10.1016/j.csi.2007.12.001
hash collisions formed by the original signed message and the
claimed signed message. Because computing hash collisions is
infeasible for Alice, such a collision is seen as proof of forgery by
Bob. So the chameleon hash signature is also non-repudiated.
The original chameleon signature scheme [5] suffers from the
problem of key exposure, i.e. that the signature forgery by Bob
will result in exposing the trapdoor of himself. As stated in [1], the
problem of key exposure threatens the claims of non-transfer-
ability provided by the scheme. To solve this problem, we will use
the paradigm proposed in [2] as follows. The public key is divided
into two components, one permanent and the other ephemeral.
The ephemeral part, called the label, is specially formatted strings
that describe the transaction, and which include the signer and
recipient information as well as some nonce or time-stamp. Now
what is disclosed by a pair of collisions is not the main trapdoor but
the ephemeral trapdoor which is inessential for Bob.
In [4], Chen et al. constructed a key-exposure-free cha-
meleon hash scheme based on bilinear pairings. In [2], Ateniese
and Medeiros propose three schemes based on Stong RSA, RSA
[n,n] [6] and SDH (Strong Diffie-Hellman assumption)
respectively. In fact, the ephemeral trapdoor recovered by a
pair of collisions is a kind of signature of the label under the
main trapdoor. So the property key exposure-freeness is due to
the security of the signature applied to the label, such as the
common RSA signature, the short signature based pairing [3].
 W. Gao et al. / Computer Standards & Interfaces 31 (2009) 282–285
As we all know, the DLP (discrete logarithm problem) as-
sumption is one of most popular tools applied in cryptography. For
examples, there are many digital signature schemes based on DLP
such as DSA/DSS signature, Schnorr signature and ElGamal
signature. Especially, as the standard of digital signatures, the
DSA/DSS signature scheme were published by Nation Institute of
Standards and Technology and widely used in practice. Although
signature schemes based on DLP are so popular, there has been no
chameleon hash scheme with key-exposure-freeness working in
this setting. In other words, when one wants to generate a
chameleon signature using a certain DLP-based scheme such as
DSS, he has to turn to the chameleon hash scheme working in
other algebraic structure such as bilinear groups [2]. In this paper,
we deal with this issue. At price of a round of interaction, we
construct a DLP-based chameleon hash function which can be
seen based on the well-known Schnorr signature [7] and have all
advantages of the previous schemes.
The rest of the paper is organized as follows. Some preliminary
works are given in Section 2. In Section 3, based on Schnorr
signature scheme, we construct a new chameleon hash scheme and
then analyze its security. Its application to chameleon signature is
discussed in Section 4. And the conclusion is Section 5.
2. Preliminary
As formalized in [2], a key-exposure-free chameleon hash is
specified by a tuple (GenKey, Hash, UForge, IForge) of effi-
cient algorithms as follows.
GenKey: on input a security parameter 1 k , outputs a pair
(pk, sk) of a public key and a secret key.
Hash: on inputs the public key pk, a label L, a message m,
chooses an auxiliary random parameter r, and outputs a hash
value h = Hash(pk, L, m, r). UForge(universal forge): on in-
puts the private key sk, the label L, a message m, the ran-
dom parameter r, outputs a collision (m', r') for (m, r), i.e.
Hash(pk, L, m', r') = Hash(pk, L, m, r).
IForge(instance forge): on input a tuple (pk, L, m, r, m', r')
of a public key, a label, and a pairs of collisions, computes
another collision (m", r") for (m, r).
Informally speaking, in the model of a key-exposure-free
chameleon hash scheme, Alice can compute the hash value by
algorithm Hash; Bob can find any new de-commitment (m', r')
for a certain hash value of (m, r) by algorithm UForge ; given a
pair of collisions (m', r'), (m", r"), Alice can obtain a third de-
commitment (m", r") by algorithm IForge.
In [2], the security requirements of a chameleon hash includes:
(1) Collision-resistance: there is no efficient algorithm that
given only pk, L, m, and r, (but not the secret key sk) can
find a second pair m', r' such that h = Hash(pk, L, m, r) =
Hash(PK, L, m', r') with more than negligible probability
over the choices of pk, L, m and r.
(2) Semantic security: let H[X] denote the entropy of a
random variable X , and H[X|Y] the entropy of the variable
X given the value of a random function Y of X . Semantic
283
security means that the conditional entropy H[m|h] of the
message given its chameleon hash value h equals the total
entropy H[m] of the message space.
(3) Message hiding: assume the recipient Bob has computed a
collision using the universal forgery algorithm, i.e., a second
pair (m', r') s.t. h = Hash(pk, L, m, r) = Hash(pk, L, m', r'),
where (m, r) was the original value signed. Then the signer,
Alice, upon seeing the claimed values (m', r'), can suc-
cessfully con-test this invalid claim by releasing a third pair
(m", r") by running IForge, without revealing the original
signed message. Moreover, the entropy of the original value
(m, r) is unchanged by the revelation of the pairs (m', r'),
(m", r"): H[(m, r)|h, (m', r'), (m", r")] =H[(m, r)|h].
(4) Key exposure freeness: if the recipient Bob with public key
pk has never computed a collision under label L, then given
h = Hash(PK, L, m, r) there is no efficient algorithm that can
find a collision (a second pair (m', r') mapping to the same
digest h). This must remain true even if the adversary has
oracle access to UForge(sk,·,·,·) and is allowed polynomially
many queries on triples (Li, mi, ri) of his choice, except that
Li is not allowed to equal the challenge label L.
Remark 1. In this paper, we slightly modify the above definition:
we let Hash is a protocol with only one round between the signer
Alice and the designated receiver Bob. But this modification has a
very little effect on other parts of the above definition. And all these
effects are trivial and can be easily understood from the context.
3. Chameleon Hash based on Schnorr signature
Since the Schnorr signature [7] is so well-known, we omit
the details its description. Now we present the four polynomial-
time algorithms (or simple protocols) of our chameleon hash
scheme:
• GenKey: on input the security parameter 1k ,
(1) generate a multiplicative group  of prime order q;
(2) select an element g a , g ≠ 1;
(3) randomly choose x a q* as the private key, and sets
the public key y = g x.
In the following, we assume the message m a q. And a
semantically secure encryption (ENC (·), DEC (·)) with the
secret key x' only known by the intended receiver Bob will
be used. A cryptographic hash function H is also public.
• Hash: the Hash protocol is run between the signer Alice
and the designated receiver Bob. Bob does as follows:
(1) randomly chooses t1 a q*;
t
(2) computes r1 = g 1;
(3) encrypts t1: e = Enc(t1);
(4) sends authentically (r1, e) to the signer.
Given the public key y, the label L, the auxiliary message
(r1, e) from Bob and the message m a q, Alice computes
the hash value as follows:
(1) computes c1 = H (L; r1);
c
(2) computes S1 = r1y 1;
(3) randomly choose r2 a q;
r
(4) computes S2 = gmS12.
284 W. Gao et al. / Computer Standards & Interfaces 31 (2009) 282–285
(5) set Hash(y, L, m, r2) = S2.
Note that for s1 = logg S1 = t1 + xc1, (r1, s1) forms a Schnorr
signature on the label L.
• UForge: on input the secret key (x, x'), the label L, the
message m and its random string r2, and the ephemeral
auxiliary parameters (r1, e) and the message m', does the
following: 0
(1) compute t' = Dec(x', e) and check g t1 ¼ r1 . If no,
return failure.
(2) computes the ephemeral trapdoor s1 =t'1 +xH (L, r1)
mod q;
(3) set r'2 = s1− 1(m − m') + r2 mod q.
0 0 s1 ðmm0 Þþr2 0 0
Note that S20 ¼ gm0 S1r2 ¼ gm S11 ¼ g m gðmm Þ S1r2 ¼
gm S12 ¼ S2 . Thus, the pair (m′, r2′ ) forms a collision of
r signature, DSS, Schnorr signature) with the same public
(m, r2).
• IForge: on inputs a pair of collisions (m, r2), (m, r2) and
the ephemeral auxiliary parameters (r1, e), first recover
s1 = (m − m')(r'2 − r2) − 1 mod q.
Next, as in UForge, with such ephemeral trapdoor s1 for the
label L and r1, e, one can forge another pair (m", r") which has
the hash value equal to Hash(y, L, m, r2).
Remark 2. To compute the ephemeral trapdoor s1 in UForge,
the receiver Bob need to know the random number t1 (s1 = t1 +
xH(L; r1)). At price of encrypting t1 and padding the ciphertext
e in the auxiliary part of the chameleon hash, the receiver can
avoid to store it for future use. And the encryption scheme can
be DES with the secret key known by the receiver.
Below, we discuss the security of the above chameleon hash
scheme:
Theorem 3.1. The above chameleon hash scheme enjoys all
advantages of the previous schemes: collision-resistant, mes-
sage hiding, semantic security, and key-exposure-free.
Proof.
(1) Collision-resistance and key-exposure-freeness. As in
the algorithm IForge, exposing a pair of collisions allows
anybody to extract the secret key s1 associated to the label
L. As (r1, s1) is a secure Schnorr signature on L, and
computing collisions is equivalent to breaking this
signature scheme, we conclude that finding collisions is
hard without knowledge of the ephemeral trap-door.
Finally, notice that since revealing collisions is equiva-
lent to computing Schnorr signatures, the scheme is safe
from key exposure as the Schnorr signature scheme is
resistant against active attacks.
(2) Semantic security. For a message m and fixed r1 , the
value h = Hash(y, L, m, r2) is uniquely determined by the
value r2 , and vice-versa. Therefore, the conditional pro-
bability c(m|h) = c(m|r2). And c(m|r2)) = c(m) since m
and r2 are independent variables. So c(m|h) = c(m) which
indicates that the chameleon hash value h disclose no
information about the message m, i.e. that the conditional
entropy H (m|h) is equal to the total entropy H (m).
(3) Message hiding. Let h be the hash value. As stated in [2],
it is sufficient to show that, once a collision is revealed,
a person who does not know the trapdoor can compute
a de-commitment to h under any message m" of her
choice. In fact, as in IForge, given (m', r') and (m, r) with
the same chameleon hash value, one can get another
collision (m", r") for any message m".
4. Chameleon Hash signature and Its relevance
to standards
Using the general paradigm [5,2] of chameleon-hash-
and-sign to construct chameleon signature, we can use the
above chameleon hash and some discrete-logarithm-
assumption-based signature schemes (such as ElGamal
setting to construct a chameleon signature with message
hiding and key-exposure-freeness. Because of the generality
of the framework of the construction, we omit the details
here.
As we all know, DSS (Digital Signature Standard),
published in 2000 by U.S. Department Of Commerce/
National Institute of Standards and Technology, is the most
popular standard of digital signature and widely used in
practice. The algebraic structure for DSS is a large prime
finite field F p. However, all previous chameleon hash
schemes [2,4] with full security are based on algebraic
structures different from Fp, such as bilinear groups and the
RSA ring. The application of the chameleon hash in practice
is greatly restricted since all existing schemes can not easily
cooperate with the DSS signature standard. Now, the
proposed chameleon hash scheme in this paper works in the
finite field Fp, and is constructed based on the popular
Schnorr signature. So it will be very convenient to construct a
chameleon signature by modularly combining the DSS signa-
ture standard and our chameleon hash scheme. Of course, it
will largely extend the application area of chameleon
signatures in practice.
5. Conclusion
In this paper, based on Schnorr signature, we propose a new
chameleon hash scheme. And we show that it enjoys the
advantages of the previous schemes: collision-resistant, mes-
sage hiding, semantic security, and key-exposure-freeness. Now
in the setting of the popular discrete logarithm based public
cryptography, our chameleon hash scheme can be naturally
implemented. So with this scheme, some popular signature
scheme such as DSS, ElGamal signature, Schnorr signature and
their variants can be easily transformed into the corresponding
chameleon hash signature.
References
[1] G. Ateniese, Medeiros B. de, ‘Identity-based chameleon hash and applica-
tions’, Financial Cryptography, (FC04), LNCS, Springer-Verlag, 2004.
[2] G. Ateniese, Medeiros B. de, dOn the Key Exposure Problem in Chameleon
HashesT, the Fourth Conference on Security in Communication Networks
(SCNT04), LNCS, Springer-Verlag, Amalfi, 2004.
 W. Gao et al. / Computer Standards & Interfaces 31 (2009) 282–285 285

[3] D. Boneh, X. Boyen, dShort signatures without random oraclesT, Advances in
Cryptology C EUROCRYPT 04, LNCS3027, Springer-Verlag, 2004, pp. 56–73.
[4] Chen, X., Zhang, F., Kim, K.: dChameleon Hashing without Key ExposureT.
ISC04, Sep. 27-29, Palo Alto, USA.
[5] H. Krawczyk, T. Rabin, dChameleon signaturesT, Proc. of NDSS 2000,
2000, pp. 143–154.
[6] P. Paillier, dPublic key cryptosystems based on composite degree residuosity
classesT, Advances in Cryptology-EUROCRYPT99. LNCS, Springer-
Verlag, 1592, pp. 223–238.
[7] C. Schnorr, dEfficient identification and signatures for smartcardsT,
CRYPTO 1989, LNCS 435, Springer-Verlag, 1990, pp. 239–252.