# Other signature schemes

The signature schemes described in this section do not fall naturally into the general settings of §11.3 (RSA and related signature schemes), §11.4 (Fiat-Shamir signature schemes), §11.5 (DSA and related signature schemes), or §11.6 (one-time digital signatures).

## Arbitrated digital signatures

11.107 Definition An *arbitrated digital signature scheme* is a digital signature mechanism requiring an unconditionally trusted third party (TTP) as part of the signature generation and verification.

Algorithm 11.109 requires a symmetric-key encryption algorithm $E = \{E_k : k \in \mathcal{K}\}$, where $\mathcal{K}$ is the key space. Assume that the inputs and outputs of each $E_k$ are $l$-bit strings, and let $h : \{0,1\}^* \rightarrow \{0,1\}^l$ be a one-way hash function. The TTP selects a key $k_T \in \mathcal{K}$ which it keeps secret. In order to verify a signature, an entity must share a symmetric key with the TTP.

11.108 Algorithm Key generation for arbitrated signatures

SUMMARY: each entity selects a key and transports it secretly with authenticity to the TTP.

Each entity $A$ should do the following:

1. Select a random secret key $k_A \in \mathcal{K}$.
2. Secretly and by some authentic means, make $k_A$ available to the TTP.

11.109 Algorithm Signature generation and verification for arbitrated signatures

SUMMARY: entity $A$ generates signatures using $E_{k_A}$. Any entity $B$ can verify $A$'s signature with the cooperation of the TTP.

1. *Signature generation.* To sign a message $m$, entity $A$ should do the following:
   - (a) $A$ computes $H = h(m)$.
   - (b) $A$ encrypts $H$ with $E$ to get $u = E_{k_A}(H)$.
   - (c) $A$ sends $u$ along with some identification string $I_A$ to the TTP.
   - (d) The TTP computes $E_{k_A}^{-1}(u)$ to get $H$.
   - (e) The TTP computes $s = E_{k_T}(H \| I_A)$ and sends $s$ to $A$.
   - (f) $A$'s signature for $m$ is $s$.
2. *Verification.* Any entity $B$ can verify $A$'s signature $s$ on $m$ by doing the following:
   - (a) $B$ computes $v = E_{k_B}(s)$.
   - (b) $B$ sends $v$ and some identification string $I_B$ to the TTP.
   - (c) The TTP computes $E_{k_B}^{-1}(v)$ to get $s$.
   - (d) The TTP computes $E_{k_T}^{-1}(s)$ to get $H \| I_A$.
   - (e) The TTP computes $w = E_{k_B}(H \| I_A)$ and sends $w$ to $B$.
   - (f) $B$ computes $E_{k_B}^{-1}(w)$ to get $H \| I_A$.
   - (g) $B$ computes $H' = h(m)$ from $m$.
   - (h) $B$ accepts the signature if and only if $H' = H$.
11.110 Note (*security of arbitrated signature scheme*) The security of Algorithm 11.109 is based on the symmetric-key encryption scheme chosen and the ability to distribute keys to participants in an authentic manner. §13.3 discusses techniques for distributing confidential keys.

11.111 Note (*performance characteristics of arbitrated signatures*) Since symmetric-key algorithms are typically much faster than public-key techniques, signature generation and verification by Algorithm 11.109 are (relatively) very efficient. A drawback is that interaction with the TTP is required, which places a much higher burden on the TTP and requires additional message exchanges between entities and the TTP.
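
The message flow of Algorithm 11.109, as an added example that is not part of the original text. A toy 4-round Feistel cipher built from HMAC-SHA256 stands in for $E_k$ (an assumption made so the block runs with only the standard library; it is not a vetted cipher), $h$ is SHA-256, and the names `TTP`, `sign`, `verify`, `demo` and the sample identities, keys and messages are hypothetical.

```python
import hashlib, hmac, os

def h(m):                       # one-way hash h; here l = 256 bits
    return hashlib.sha256(m).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _f(k, i, half):             # Feistel round function: truncated HMAC-SHA256
    return hmac.new(k, bytes([i]) + half, hashlib.sha256).digest()[:len(half)]

def E(k, x):                    # toy 4-round Feistel standing in for E_k (assumption)
    L, R = x[:len(x) // 2], x[len(x) // 2:]
    for i in range(4):
        L, R = R, _xor(L, _f(k, i, R))
    return L + R

def E_inv(k, y):                # E_k^{-1}: undo the rounds in reverse order
    L, R = y[:len(y) // 2], y[len(y) // 2:]
    for i in reversed(range(4)):
        L, R = _xor(R, _f(k, i, L)), L
    return L + R

class TTP:
    def __init__(self):
        self.k_T = os.urandom(32)          # k_T, never leaves the TTP
        self.keys = {}                     # I_X -> k_X, shared per Algorithm 11.108
    def sign_request(self, u, I_A):        # generation steps (d)-(e)
        H = E_inv(self.keys[I_A], u)
        return E(self.k_T, H + I_A)        # s = E_{k_T}(H || I_A)
    def verify_request(self, v, I_B):      # verification steps (c)-(e)
        s = E_inv(self.keys[I_B], v)
        return E(self.keys[I_B], E_inv(self.k_T, s))   # w = E_{k_B}(H || I_A)

def sign(ttp, k_A, I_A, m):                # generation steps (a)-(c), (f)
    return ttp.sign_request(E(k_A, h(m)), I_A)

def verify(ttp, k_B, I_B, m, s):           # steps (a)-(b), (f)-(h): I_A if H' = H, else None
    HI = E_inv(k_B, ttp.verify_request(E(k_B, s), I_B))
    return HI[32:] if hmac.compare_digest(HI[:32], h(m)) else None

def demo():                                # constructed identities, keys and messages
    ttp, (I_A, I_B) = TTP(), (b"alice".ljust(32, b"\0"), b"bob".ljust(32, b"\0"))
    k_A, k_B = os.urandom(32), os.urandom(32)
    ttp.keys.update({I_A: k_A, I_B: k_B})
    m = b"pay 100 to carol"
    s = sign(ttp, k_A, I_A, m)
    return (verify(ttp, k_B, I_B, m, s),                       # valid
            verify(ttp, k_B, I_B, b"pay 900 to carol", s),     # altered message
            verify(ttp, k_B, I_B, m, bytes(64)))               # s made without k_T
```

Every call to `sign` or `verify` passes through the TTP, which is the interaction cost described in Note 11.111.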