# Other signature schemes

The signature schemes described in this section do not fall naturally into the general settings of § 11.3 (RS A and related signature schemes), § 11.4 (Fiat-Shamir signature schemes), §11.5 (DSA and related signature schemes), or §11.6 (one-time digital signatures).

## Arbitrated digital signatures

11.107 Definition An arbitrated digital signature scheme is a digital signature mechanism requiring an unconditionally trusted third party (TTP) as part of the signature generation and verification.

Algorithm 11.109 requires a symmetric-key encryption algorithm E = {£*: кК.) where К. is the key space. Assume that the inputs and outputs of each Ek are /-bit strings, and let h : {0,1}* —> {0,1}; be a one-way hash function. The TTP selects a key kr 6 K. which it keeps secret. In order to verify a signature, an entity must share a symmetric key with the TTP.

11.108 Algorithm Key generation for arbitrated signatures

SUMMARY: each entity selects a key and transports it secretly with authenticity to the TTP. Each entity A should do the following:

• 1. Select a random secret key к a 6 K.
• 2. Secretly and by some authentic means, make к a available to the TTP.
• 11.109 Algorithm Signature generation and verification for arbitrated signatures

SUMMARY: entity A generates signatures using EkA. Any entity В can verify /l’s signature with the cooperation of the TTP.

• 1. Signature generation. To sign a message m, entity A should do the following:
• (a) A computes H = h(m).
• (b) A encrypts H with E to get и = EkA (Я).
• (c) A sends и along with some identification string I, to the TTP.
• (d) The TTP computes Ej7A (u) to get H.
• (e) The TTP computes s = Ект(Н1л) and sends .s to A.
• (f) A’s signature for m is s.
• 2. Verification. Any entity В can verify A’s signature s on m by doing the following:
• (a) В computes v = Eku(s).
• (b) В sends v and some identification string to the TTP.
• (c) The TTP computes Ejf* (u) to get s.
• (d) The TTP computes Ejf^(s) to get Я||/д.
• (e) The TTP computes w = EkB (Я||/д) and sends w to B.
• (f) В computes Ef*(w) to get ЯЦ/д.
• (g) В computes IV = h(m) from m.
• (h) В accepts the signature if and only if H' = Я.
• 11.110 Note (security> of arbitrated signature scheme) The security of Algorithm 11.109 is based on the symmetric-key encryption scheme chosen and the ability to distribute keys to participants in an authentic maimer. §13.3 discusses techniques for distributing confidential keys.

11.111 Note {performance characteristics of arbitrated signatures) Since symmetric-key algorithms are typically much faster than public-key techniques, signature generation and verification by Algorithm 11.109 are (relatively) very efficient. A drawback is that interaction with the TTP is required, which places a much higher burden on the TTP and requires additional message exchanges between entities and the TTP.