Practical verifiably encrypted signature based on Waters signatures

Waters proposed the first efficient signature scheme that is known to be existentially unforgeable based on the standard computational Diffie-Hellman assumption without random oracles. Lu et al. then proposed the first verifiably encrypted signature (VES) scheme based on Waters signatures. However, the security proofs of Lu et al. and some other VES schemes are built on the certified-key model, in which the key pair of the adjudicator is chosen by the simulator rather than the signature forger. It demands that the adjudicator must be honest enough never to forge signatures. In the real world, it is hard for users to choose such trusted third party. In this study, the authors first show that Lu et al.´s VES is not secure in the chosen-key model by presenting a rogue key attack. Then they present the first VES scheme based on Waters signatures secure in the chosen-key model, where two inside adversaries, malicious adjudicator and malicious verifier, have more powers than ever.