Efficient Designated Confirmer Signatures Without Random Oracles or General Zero-Knowledge Proofs (Extended Abstract)

Craig Gentry 1, David Molnar 2 and Zulfikar Ramzan 1

1 DoCoMo USA Labs, {cgentry,ramzan}@docomolabs-usa.com
2 University of California, Berkeley, dmolnar@eecs.berkeley.edu

Abstract. Most prior designated confirmer signature schemes either prove security in the random oracle model (ROM) or use general zero-knowledge proofs for NP statements (making them impractical). By slightly modifying the definition of designated confirmer signatures, Goldwasser and Waisbard presented an approach in which the Confirm and ConfirmedSign protocols could be implemented without appealing to general zero-knowledge proofs for NP statements (their Disavow protocol still requires them). The Goldwasser-Waisbard approach could be instantiated using Cramer-Shoup, GMR, or Gennaro-Halevi-Rabin signatures. In this paper, we provide an alternate generic transformation to convert any signature scheme into a designated confirmer signature scheme, without adding random oracles. Our key technique involves the use of a signature on a commitment and a separate encryption of the random string used for commitment. By adding this “layer of indirection,” the underlying protocols in our schemes admit efficient instantiations (i.e., we can avoid appealing to general zero-knowledge proofs for NP statements) and furthermore the performance of these protocols is not tied to the choice of underlying signature scheme. We illustrate this using the Camenisch-Shoup variation on Paillier’s cryptosystem and Pedersen commitments. The confirm protocol in our resulting scheme requires 10 modular exponentiations (compared to 320 for Goldwasser-Waisbard) and our disavow protocol requires 41 modular exponentiations (compared to using a general zero-knowledge proof for Goldwasser-Waisbard).
Previous schemes use the encryption of a signature paradigm, and thus run into problems when trying to implement the confirm and disavow protocols efficiently.

1 Introduction

Digital signatures allow one party to sign a message and have the resulting message-signature pair be verifiable by anyone. There are, however, situations when the signer may want to limit the signature recipient’s ability to present the signature to others. Chaum and van Antwerpen [9] introduced the notion of Undeniable Signatures to help achieve this aim. Such signatures require the